; IDA listing (x86-32, Intel syntax, Windows PE) of an obfuscated prologue at
; loc_401000. Reviewer notes, grounded in the bytes shown:
;  - Nearly every instruction here reads or writes byte/dword slots in the
;    0x407005-0x4071F5 range (ds:_data per the "assume" below) or mangles a
;    register that is overwritten again before it matters. The writes target
;    the data segment, not .text, so this listing shows no code patching.
;  - The only values that decide control flow on this path are the stack
;    counter pushed at 0x401058 and, later, ebx/esi and bp; none of the filler
;    reads/writes feed them (checked instruction by instruction below).
;  - The "loop" at loc_4010AF runs exactly once and is a ~1 s delay built on
;    WaitForSingleObject rather than Sleep; monitoring that only looks at
;    Sleep-style delays misses it.
.text:00401000 ; ===========================================================================
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000
.text:00401000 loc_401000: ; CODE XREF: .text:00403DA4 (only entry; bp is not set in this listing, it is whatever the caller left)
.text:00401000 83 DA 66                sbb edx, 66h                    ; filler: edx is dead here
.text:00401003 28 D1                   sub cl, dl
.text:00401005 C6 05 5C 71 40 00+      mov byte_40715C, 0F7h           ; filler writes into .data start here
.text:0040100C 01 05 F3 71 40 00       add dword ptr unk_4071F3, eax
.text:00401012 01 05 0F 71 40 00       add dword_40710E+1, eax         ; note the misaligned (+1/+2/+3) overlapping targets
.text:00401018 00 E2                   add dl, ah
.text:0040101A 29 1D EC 71 40 00       sub dword_4071E9+3, ebx
.text:00401020 88 2D 8E 70 40 00       mov byte ptr dword_40708D+1, ch
.text:00401026 C6 05 BB 70 40 00+      mov byte ptr dword_4070BB, 0ADh
.text:0040102D 29 3D 39 70 40 00       sub dword ptr unk_407039, edi
.text:00401033 11 15 A8 71 40 00       adc dword ptr byte_4071A8, edx
.text:00401039 8A 15 A8 71 40 00       mov dl, byte_4071A8             ; reads back a slot written just above; whether any of these .data bytes are used elsewhere is not visible here
.text:0040103F 31 3D 06 70 40 00       xor dword_407005+1, edi
.text:00401045 83 C2 A6                add edx, 0FFFFFFA6h
.text:00401048 83 E1 38                and ecx, 38h
.text:0040104B 01 1D B7 71 40 00       add dword ptr unk_4071B7, ebx
.text:00401051 C6 05 7E 71 40 00+      mov byte_40717E, 2Ah
.text:00401058 6A 01                   push 1                          ; loop counter for the bogus loop at loc_4010AF; removed again by "add esp, 4" at 0x401159
.text:0040105A 8B 35 50 71 40 00       mov esi, dword_40714F+1
.text:00401060 83 D7 4E                adc edi, 4Eh
.text:00401063 89 1D 17 70 40 00       mov dword ptr byte_407017, ebx
.text:00401069 8B 3D 21 71 40 00       mov edi, dword ptr unk_407121
.text:0040106F 8B 0D F5 71 40 00       mov ecx, dword ptr byte_4071F5
.text:00401075 29 15 E4 70 40 00       sub dword_4070E2+2, edx
.text:0040107B 83 C3 A4                add ebx, 0FFFFFFA4h
.text:0040107E 00 E8                   add al, ch
.text:00401080 89 3D 96 71 40 00       mov dword_407194+2, edi
.text:00401086 19 05 9F 71 40 00       sbb dword_40719E+1, eax
.text:0040108C 8B 0D 9A 70 40 00       mov ecx, dword ptr unk_40709A
.text:00401092 8B 35 22 71 40 00       mov esi, dword_407122
.text:00401098 8B 15 62 70 40 00       mov edx, dword_40705F+3
.text:0040109E 83 C6 4D                add esi, 4Dh
.text:004010A1 C6 05 9E 70 40 00+      mov byte_40709E, 5Bh
.text:004010A8 C6 05 05 71 40 00+      mov byte ptr dword_407105, 3Ch
.text:004010AF
.text:004010AF loc_4010AF: ; CODE XREF: .text:004010FD (the only back edge; the block is otherwise entered by fall-through)
.text:004010AF 68 E8 03 00 00          push 3E8h                       ; dwMilliseconds = 1000: wait one second
.text:004010B4 6A FF                   push 0FFFFFFFFh                 ; hHandle = -1 = INVALID_HANDLE_VALUE, i.e. the current-process pseudo-handle; it cannot become signaled, so the wait can only time out
.text:004010B6 8D 3D 1C 51 40 00       lea edi, WaitForSingleObject    ; edi = address of the import slot (presumably the IAT entry at 0x40511C)
.text:004010BC FF 17                   call dword ptr [edi]            ; WaitForSingleObject(-1, 1000) through the import table; stdcall, so the callee removes both arguments and [esp] is the counter again
.text:004010BE 08 35 CC 70 40 00       or byte ptr dword_4070CB+1, dh  ; filler resumes; esp is not touched between here and the dec below
.text:004010C4 8B 1D 14 70 40 00       mov ebx, dword_407011+3
.text:004010CA 31 05 14 71 40 00       xor dword_407113+1, eax
.text:004010D0 89 15 92 71 40 00       mov dword ptr unk_407192, edx
.text:004010D6 01 F2                   add edx, esi
.text:004010D8 00 CC                   add ah, cl
.text:004010DA 8B 3D 31 71 40 00       mov edi, dword_407130+1
.text:004010E0 29 C6                   sub esi, eax
.text:004010E2 01 D8                   add eax, ebx
.text:004010E4 30 CA                   xor dl, cl
.text:004010E6 01 F0                   add eax, esi
.text:004010E8 01 CA                   add edx, ecx
.text:004010EA C6 05 10 71 40 00+      mov byte ptr dword_40710E+2, 0FCh
.text:004010F1 00 FB                   add bl, bh
.text:004010F3 31 FA                   xor edx, edi
.text:004010F5 A1 49 70 40 00          mov eax, dword_407047+2
.text:004010FA FF 0C 24                dec dword ptr [esp]             ; decrement the counter pushed at 0x401058 in place: 1 -> 0
.text:004010FD 75 B0                   jnz short loc_4010AF            ; loop while the counter is non-zero; it started at 1, so the branch is never taken and the body runs once:
.text:004010FD                                                         ; a single one-second delay disguised as a loop (the original note's "if < 0" reading is wrong: jnz tests ZF, not the sign)
; Second stretch: discard the fake loop counter, then resolve the base address
; of kernel32 via GetModuleHandleA("Kernel32.dll"). Apart from the stack fix-up,
; the lea/push/call sequence and the push eax at the end, everything here is
; the same .data/register filler as before. Note the several 82h opcodes
; (e.g. 0x401114, 0x401212, 0x401237): 82h is an undocumented alias of 80h,
; accepted by 32-bit CPUs but rejected by some disassemblers/emulators (#UD in
; 64-bit mode) -- a cheap anti-analysis trick worth knowing when tooling
; desynchronises here.
.text:004010FF 83 E2 B0                and edx, 0FFFFFFB0h
.text:00401102 83 F1 A1                xor ecx, 0FFFFFFA1h
.text:00401105 C6 05 29 71 40 00+      mov byte_407129, 0D6h
.text:0040110C 83 DB B7                sbb ebx, 0FFFFFFB7h
.text:0040110F A1 5F 71 40 00          mov eax, dword_40715D+2
.text:00401114 82 CE 21                or dh, 21h                      ; opcode 82h (alias of 80h), see header note
.text:00401117 C6 05 1D 70 40 00+      mov byte ptr dword_40701A+3, 2
.text:0040111E 83 E0 C0                and eax, 0FFFFFFC0h
.text:00401121 C6 05 28 70 40 00+      mov byte_407028, 6Fh
.text:00401128 11 CB                   adc ebx, ecx
.text:0040112A C6 05 15 70 40 00+      mov byte ptr unk_407015, 31h
.text:00401131 83 DE F9                sbb esi, 0FFFFFFF9h
.text:00401134 00 F9                   add cl, bh
.text:00401136 29 0D 64 71 40 00       sub dword_407162+2, ecx
.text:0040113C 83 C7 E8                add edi, 0FFFFFFE8h
.text:0040113F 8A 15 BB 70 40 00       mov dl, byte ptr dword_4070BB
.text:00401145 01 FA                   add edx, edi
.text:00401147 09 05 94 71 40 00       or dword_407194, eax
.text:0040114D 8B 3D F5 71 40 00       mov edi, dword ptr byte_4071F5
.text:00401153 09 0D C6 70 40 00       or dword_4070C3+3, ecx
.text:00401159 83 C4 04                add esp, 4                      ; stack fix-up: drop the counter pushed at 0x401058 (already decremented to 0 by the fake loop)
.text:0040115C 19 1D 34 71 40 00       sbb dword_407134, ebx
.text:00401162 83 C1 B6                add ecx, 0FFFFFFB6h
.text:00401165 18 35 8C 70 40 00       sbb byte_40708C, dh
.text:0040116B C6 05 1F 70 40 00+      mov byte ptr dword_40701E+1, 3Ah
.text:00401172 83 CF 17                or edi, 17h
.text:00401175 83 C0 CA                add eax, 0FFFFFFCAh
.text:00401178 29 CE                   sub esi, ecx
.text:0040117A 8B 3D AE 70 40 00       mov edi, dword_4070AC+2
.text:00401180 C6 05 39 70 40 00+      mov byte ptr unk_407039, 56h
.text:00401187 C6 05 27 71 40 00+      mov byte_407127, 0E3h
.text:0040118E 8B 3D 43 70 40 00       mov edi, dword ptr byte_407043
.text:00401194 A1 0E 70 40 00          mov eax, dword_40700B+3
.text:00401199 29 D6                   sub esi, edx
.text:0040119B 8B 15 56 70 40 00       mov edx, dword_407055+1
.text:004011A1 19 15 F1 71 40 00       sbb dword ptr byte_4071F1, edx
.text:004011A7 83 DF 03                sbb edi, 3
.text:004011AA 83 EF 60                sub edi, 60h
.text:004011AD 83 E8 E2                sub eax, 0FFFFFFE2h
.text:004011B0 A3 25 71 40 00          mov dword_407122+3, eax
.text:004011B5 8D 15 10 72 40 00       lea edx, aKernel32_dll          ; edx = &"Kernel32.dll" (lpModuleName); edx is not written again before the push at 0x40120D
.text:004011BB 01 1D B3 71 40 00       add dword_4071B3, ebx
.text:004011C1 C6 05 90 70 40 00+      mov byte ptr dword_40708D+3, 27h
.text:004011C8 89 0D B3 70 40 00       mov dword_4070B2+1, ecx
.text:004011CE 29 C6                   sub esi, eax
.text:004011D0 31 35 BA 71 40 00       xor dword_4071B9+1, esi
.text:004011D6 01 DF                   add edi, ebx
.text:004011D8 83 C0 9B                add eax, 0FFFFFF9Bh
.text:004011DB 83 E7 80                and edi, 0FFFFFF80h
.text:004011DE 83 D9 00                sbb ecx, 0
.text:004011E1 C6 05 75 70 40 00+      mov byte_407075, 0ADh
.text:004011E8 C6 05 38 71 40 00+      mov byte ptr dword_407138, 0FFh
.text:004011EF C6 05 23 71 40 00+      mov byte ptr dword_407122+1, 65h
.text:004011F6 29 35 4B 71 40 00       sub dword_407149+2, esi
.text:004011FC 18 C0                   sbb al, al                      ; al = 0 or 0FFh depending on CF; filler
.text:004011FE 00 1D 21 70 40 00       add byte ptr dword_40701E+3, bl
.text:00401204 83 C1 B6                add ecx, 0FFFFFFB6h
.text:00401207 83 F7 8D                xor edi, 0FFFFFF8Dh
.text:0040120A 83 E1 80                and ecx, 0FFFFFF80h
.text:0040120D 52                      push edx                        ; push the pointer to "Kernel32.dll" as the single argument; edx is free to be trashed from here on
.text:0040120E 01 D7                   add edi, edx
.text:00401210 01 D3                   add ebx, edx
.text:00401212 82 E5 B5                and ch, 0B5h                    ; opcode 82h again
.text:00401215 01 C9                   add ecx, ecx
.text:00401217 31 05 CF 70 40 00       xor dword ptr byte_4070CF, eax
.text:0040121D 83 DE A9                sbb esi, 0FFFFFFA9h
.text:00401220 29 FA                   sub edx, edi
.text:00401222 19 F1                   sbb ecx, esi
.text:00401224 83 D1 08                adc ecx, 8
.text:00401227 83 C1 74                add ecx, 74h
.text:0040122A 09 15 CF 71 40 00       or dword ptr byte_4071CF, edx
.text:00401230 C6 05 F3 71 40 00+      mov byte ptr unk_4071F3, 56h
.text:00401237 82 E2 CD                and dl, 0CDh                    ; opcode 82h again
.text:0040123A 31 C6                   xor esi, eax
.text:0040123C A1 D3 70 40 00          mov eax, dword ptr unk_4070D3
.text:00401241 8B 35 38 51 40 00       mov esi, ds:GetModuleHandleA    ; esi = import slot contents (presumably the IAT entry at 0x405138)
.text:00401247 FF D6                   call esi ; GetModuleHandleA     ; eax = GetModuleHandleA("Kernel32.dll") = kernel32 base address; no NULL check, the header walk below dereferences it unconditionally
.text:00401249 50                      push eax                        ; push/pop pair with 0x40124A == "mov ebx, eax", split to obfuscate
; Third stretch: keep the kernel32 base in ebx, store it in hKernel32dll, then
; walk the PE headers by hand: base -> e_lfanew -> IMAGE_NT_HEADERS -> +0xA4.
; ebx is not written by any of the interleaved filler between the steps
; (checked below), so the chain is exactly base + [base+3Ch] + 0A4h.
.text:0040124A 5B                      pop ebx                         ; ebx = kernel32 base (eax from GetModuleHandleA)
.text:0040124B 8B 0D E5 71 40 00       mov ecx, dword ptr byte_4071E5
.text:00401251 8B 35 C0 71 40 00       mov esi, dword_4071BD+3
.text:00401257 11 C1                   adc ecx, eax
.text:00401259 A1 F3 70 40 00          mov eax, dword ptr byte_4070F3
.text:0040125E 01 D1                   add ecx, edx
.text:00401260 31 15 43 70 40 00       xor dword ptr byte_407043, edx
.text:00401266 11 0D 30 70 40 00       adc dword_40702D+3, ecx
.text:0040126C 83 C7 62                add edi, 62h
.text:0040126F C6 05 CA 70 40 00+      mov byte ptr dword_4070C7+3, 2Dh
.text:00401276 C6 05 98 70 40 00+      mov byte ptr dword_407096+2, 98h
.text:0040127D 19 0D DB 71 40 00       sbb dword_4071DA+1, ecx
.text:00401283 19 CE                   sbb esi, ecx
.text:00401285 89 3D 02 71 40 00       mov dword ptr byte_407102, edi
.text:0040128B 89 0D B2 71 40 00       mov dword_4071AF+3, ecx
.text:00401291 83 F0 7E                xor eax, 7Eh
.text:00401294 29 15 1A 70 40 00       sub dword_40701A, edx
.text:0040129A 8A 0D AD 70 40 00       mov cl, byte ptr dword_4070AC+1
.text:004012A0 21 15 81 70 40 00       and dword_407080+1, edx
.text:004012A6 89 1D 08 72 40 00       mov hKernel32dll, ebx           ; stash the kernel32 base in a global (0x407208); re-read at 0x4013B1
.text:004012AC 83 C8 AC                or eax, 0FFFFFFACh
.text:004012AF 8B 3D 4E 70 40 00       mov edi, dword_40704C+2
.text:004012B5 10 35 24 70 40 00       adc byte ptr dword_407024, dh
.text:004012BB 29 35 4C 70 40 00       sub dword_40704C, esi
.text:004012C1 29 C2                   sub edx, eax
.text:004012C3 11 D0                   adc eax, edx
.text:004012C5 21 15 5D 70 40 00       and dword_40705A+3, edx
.text:004012CB 28 E0                   sub al, ah
.text:004012CD 8B 0D 02 71 40 00       mov ecx, dword ptr byte_407102
.text:004012D3 01 C9                   add ecx, ecx
.text:004012D5 8B 35 37 70 40 00       mov esi, dword_407035+2
.text:004012DB 19 C1                   sbb ecx, eax
.text:004012DD C6 05 E5 70 40 00+      mov byte ptr dword_4070E2+3, 94h
.text:004012E4 83 E7 81                and edi, 0FFFFFF81h
.text:004012E7 19 C6                   sbb esi, eax
.text:004012E9 01 C6                   add esi, eax
.text:004012EB A1 F3 70 40 00          mov eax, dword ptr byte_4070F3
.text:004012F0 29 0D 8C 71 40 00       sub dword ptr unk_40718C, ecx
.text:004012F6 31 05 D9 70 40 00       xor dword_4070D7+2, eax
.text:004012FC 83 C3 3C                add ebx, 3Ch                    ; ebx = base + 3Ch = &IMAGE_DOS_HEADER.e_lfanew
.text:004012FF 83 E1 64                and ecx, 64h
.text:00401302 8A 0D E3 70 40 00       mov cl, byte ptr dword_4070E2+1
.text:00401308 8B 15 E1 70 40 00       mov edx, dword ptr unk_4070E1
.text:0040130E C6 05 6E 70 40 00+      mov byte ptr dword_40706E, 0D8h
.text:00401315 19 0D 65 71 40 00       sbb dword_407162+3, ecx
.text:0040131B 30 05 61 71 40 00       xor byte_407161, al
.text:00401321 19 C6                   sbb esi, eax
.text:00401323 01 CA                   add edx, ecx
.text:00401325 C6 05 68 71 40 00+      mov byte ptr dword_407166+2, 7Fh
.text:0040132C 29 05 85 71 40 00       sub dword_407184+1, eax
.text:00401332 8B 35 8E 71 40 00       mov esi, dword_40718D+1
.text:00401338 C6 05 F2 70 40 00+      mov byte_4070F2, 40h
.text:0040133F C6 05 86 71 40 00+      mov byte ptr dword_407184+2, 8Dh
.text:00401346 83 CE 5C                or esi, 5Ch
.text:00401349 88 15 CF 70 40 00       mov byte_4070CF, dl
.text:0040134F C6 05 60 71 40 00+      mov byte ptr dword_40715D+3, 9Dh
.text:00401356 01 F9                   add ecx, edi
.text:00401358 82 D4 16                adc ah, 16h                     ; opcode 82h (undocumented alias of 80h)
.text:0040135B 8B 1B                   mov ebx, [ebx]                  ; ebx = e_lfanew, the file offset/RVA of the PE header ("PE\0\0")
.text:0040135D 11 C9                   adc ecx, ecx
.text:0040135F 29 D7                   sub edi, edx
.text:00401361 83 DE FE                sbb esi, 0FFFFFFFEh
.text:00401364 01 3D 47 70 40 00       add dword_407047, edi
.text:0040136A C6 05 51 71 40 00+      mov byte ptr dword_40714F+2, 8Ah
.text:00401371 C6 05 D1 70 40 00+      mov byte_4070D1, 5Fh
.text:00401378 31 35 0D 70 40 00       xor dword_40700B+2, esi
.text:0040137E 29 35 1F 70 40 00       sub dword_40701E+1, esi
.text:00401384 C6 05 D0 71 40 00+      mov byte ptr unk_4071D0, 3Ah
.text:0040138B 11 15 16 71 40 00       adc dword_407113+3, edx
.text:00401391 82 E6 67                and dh, 67h                     ; opcode 82h again
.text:00401394 C6 05 7C 71 40 00+      mov byte ptr dword_40717A+2, 33h
.text:0040139B 8A 35 D4 70 40 00       mov dh, byte_4070D4
.text:004013A1 C6 05 2F 71 40 00+      mov byte_40712F, 7Bh
.text:004013A8 01 F2                   add edx, esi
.text:004013AA C6 05 9D 70 40 00+      mov byte_40709D, 0A3h
.text:004013B1 03 1D 08 72 40 00       add ebx, hKernel32dll           ; ebx = base + e_lfanew = &IMAGE_NT_HEADERS of kernel32 in memory
.text:004013B7 83 DE EB                sbb esi, 0FFFFFFEBh
.text:004013BA C6 05 35 70 40 00+      mov byte ptr dword_407035, 86h
.text:004013C1 29 0D EB 70 40 00       sub dword_4070EA+1, ecx
.text:004013C7 C6 05 56 71 40 00+      mov byte ptr unk_407156, 58h
.text:004013CE C6 05 9E 71 40 00+      mov byte ptr dword_40719E, 3Ch
.text:004013D5 8B 35 74 70 40 00       mov esi, dword ptr unk_407074
.text:004013DB 83 E0 E7                and eax, 0FFFFFFE7h
.text:004013DE 83 C0 9C                add eax, 0FFFFFF9Ch
.text:004013E1 C6 05 82 71 40 00+      mov byte_407182, 4Eh
.text:004013E8 83 D2 87                adc edx, 0FFFFFF87h
.text:004013EB C6 05 86 70 40 00+      mov byte ptr dword_407086, 0F0h
.text:004013F2 8B 15 95 71 40 00       mov edx, dword_407194+1
.text:004013F8 29 CF                   sub edi, ecx
.text:004013FA 8B 0D 22 70 40 00       mov ecx, dword ptr byte_407022
.text:00401400 29 CA                   sub edx, ecx
.text:00401402 83 D6 8A                adc esi, 0FFFFFF8Ah
.text:00401405 C6 05 A2 71 40 00+      mov byte ptr dword_4071A2, 32h
.text:0040140C C6 05 43 71 40 00+      mov byte ptr dword_407142+1, 6Eh
.text:00401413 83 F0 6A                xor eax, 6Ah
.text:00401416 11 35 92 71 40 00       adc dword ptr unk_407192, esi
.text:0040141C 81 C3 A4 00 00 00       add ebx, 0A4h                   ; ebx = NT headers + 0A4h. For a PE32 image: 18h (Signature + FileHeader) + 60h (DataDirectory offset in OptionalHeader32)
                                                                       ; + 5*8 (entries 0..4) + 4 = 0A4h = DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size.
                                                                       ; So the original guess "size of kernel32's relocation table" is correct for a 32-bit kernel32.
; Fourth stretch: two environment checks that decide whether the decoding
; routine runs at all. Both branches are unsigned (jb/ja). The jb target and
; the push/retn trampoline that follows the fall-through path both lead to
; 0x403DB5 (see the target computation below), so "not worth decoding" and
; "bp looks wrong" end up at the same place.
.text:00401422 19 CE                   sbb esi, ecx
.text:00401424 11 35 17 71 40 00       adc dword_407117, esi
.text:0040142A C6 05 B3 70 40 00+      mov byte ptr dword_4070B2+1, 0C2h
.text:00401431 C6 05 C2 71 40 00+      mov byte ptr dword_4071C2, 67h
.text:00401438 8B 3D 41 71 40 00       mov edi, dword_40713E+3
.text:0040143E 11 05 3E 71 40 00       adc dword_40713E, eax
.text:00401444 8A 2D 9C 71 40 00       mov ch, byte ptr dword_40719A+2
.text:0040144A 83 EE FB                sub esi, 0FFFFFFFBh
.text:0040144D 19 35 18 71 40 00       sbb dword_407117+1, esi
.text:00401453 28 EE                   sub dh, ch
.text:00401455 8B 35 26 71 40 00       mov esi, dword ptr byte_407126
.text:0040145B 19 0D 58 71 40 00       sbb dword_407158, ecx
.text:00401461 11 0D B9 71 40 00       adc dword_4071B9, ecx
.text:00401467 8A 35 72 71 40 00       mov dh, byte ptr dword_407170+2
.text:0040146D 30 CD                   xor ch, cl
.text:0040146F 82 C6 56                add dh, 56h                     ; opcode 82h (undocumented alias of 80h)
.text:00401472 66 81 FD 00 FE          cmp bp, 0FE00h                  ; 16-bit compare on bp. bp is never written in this listing; its value comes from the caller
                                                                       ; (the only xref into loc_401000 is 0x403DA4, outside this view). Why 0FE00h is the threshold is still open -- TODO confirm at the caller.
.text:00401477 0F 82 38 29 00 00       jb endProc                      ; unsigned: leave if bp < 0FE00h. Target = 0x40147D + 0x2938 = 0x403DB5, the same address the push/retn at 0x40158D/0x4015E6 jumps to.
.text:00401477                                                         ; So endProc == 0x403DB5; the "end of a function" noted at 0x401529 is this label.
.text:0040147D 81 3B 00 60 00 00       cmp dword ptr [ebx], 6000h      ; [ebx] = kernel32's base-relocation directory Size (ebx was set to NT headers + 0A4h at 0x40141C); compared with 0x6000
.text:0040147D                                                         ; Only "ja" continues into the decoder, i.e. the relocation directory must be larger than 0x6000 bytes.
.text:0040147D                                                         ; That size depends on the kernel32 build, so this presumably acts as an OS-version/environment gate (a stripped or emulated kernel32 fails it) -- confirm against the target OS's kernel32.
.text:00401483 0F 87 4D 14 00 00       ja DecodageProc                 ; unsigned: if Size > 0x6000 go decode (DecodageProc = 0x401489 + 0x144D = 0x4028D6); otherwise fall through to the exit trampoline below
; Fifth stretch (fall-through when the checks above fail): build the constant
; 0x403DB5 in esi from two halves, push it, and "return" to it. esi is not
; modified between the lea at 0x4014D8 and the sub at 0x401529, nor between
; there and the push at 0x40158D; esp is not touched between the push and the
; retn. The retn is therefore an obfuscated "jmp 0x403DB5" (push/ret
; trampoline) and 0x403DB5 is the endProc label targeted by the jb at 0x401477.
.text:00401489 29 C0                   sub eax, eax                    ; eax = 0 (same effect as xor eax, eax)
.text:0040148B C6 05 13 70 40 00+      mov byte ptr dword_407011+2, 45h
.text:00401492 31 35 CD 71 40 00       xor dword ptr byte_4071CD, esi
.text:00401498 C6 05 B1 70 40 00+      mov byte_4070B1, 3Eh
.text:0040149F 09 0D 78 70 40 00       or dword_407076+2, ecx
.text:004014A5 C6 05 D4 70 40 00+      mov byte_4070D4, 0AEh
.text:004014AC 21 1D 6B 71 40 00       and dword_40716B, ebx
.text:004014B2 21 35 7E 70 40 00       and dword_40707B+3, esi
.text:004014B8 83 DB 04                sbb ebx, 4                      ; ebx (the kernel32 header pointer) is dead from here on; only filler uses it
.text:004014BB 89 1D D7 71 40 00       mov dword_4071D5+2, ebx
.text:004014C1 8A 0D 5F 70 40 00       mov cl, byte ptr dword_40705F
.text:004014C7 21 15 49 70 40 00       and dword_407047+2, edx
.text:004014CD 8A 3D 46 71 40 00       mov bh, byte_407146
.text:004014D3 83 E0 A3                and eax, 0FFFFFFA3h
.text:004014D6 31 FB                   xor ebx, edi
.text:004014D8 8D 35 46 63 EB 77       lea esi, ds:77EB6346h           ; lea with a bare disp32 is just "mov esi, 77EB6346h"; the value resembles a system-DLL address but is only the first half of a constant
.text:004014DE 83 E8 9C                sub eax, 0FFFFFF9Ch
.text:004014E1 00 2D 36 70 40 00       add byte ptr dword_407035+1, ch
.text:004014E7 83 E7 38                and edi, 38h
.text:004014EA 8B 15 FF 70 40 00       mov edx, dword_4070FD+2
.text:004014F0 19 3D 43 71 40 00       sbb dword_407142+1, edi
.text:004014F6 82 C3 77                add bl, 77h                     ; opcode 82h (undocumented alias of 80h)
.text:004014F9 83 C9 28                or ecx, 28h
.text:004014FC C6 05 A2 71 40 00+      mov byte ptr dword_4071A2, 5Dh
.text:00401503 09 15 66 71 40 00       or dword_407166, edx
.text:00401509 8A 3D 73 71 40 00       mov bh, byte ptr dword_407170+3
.text:0040150F C6 05 C8 70 40 00+      mov byte ptr dword_4070C7+1, 0ACh
.text:00401516 8B 3D AC 70 40 00       mov edi, dword_4070AC
.text:0040151C 19 D1                   sbb ecx, edx
.text:0040151E 01 C1                   add ecx, eax
.text:00401520 83 D8 74                sbb eax, 74h
.text:00401523 8B 1D 41 70 40 00       mov ebx, dword ptr unk_407041
.text:00401529 81 EE 91 25 AB 77       sub esi, 77AB2591h              ; esi = 0x77EB6346 - 0x77AB2591 = 0x403DB5 = endProc (target of the jb at 0x401477)
.text:0040152F 8B 15 A7 71 40 00       mov edx, dword ptr unk_4071A7
.text:00401535 20 35 4C 70 40 00       and byte ptr dword_40704C, dh
.text:0040153B 83 F2 6B                xor edx, 6Bh
.text:0040153E 83 EF 4C                sub edi, 4Ch
.text:00401541 C6 05 78 70 40 00+      mov byte ptr dword_407076+2, 0C3h
.text:00401548 8B 1D DA 71 40 00       mov ebx, dword_4071DA
.text:0040154E 83 CB 8C                or ebx, 0FFFFFF8Ch
.text:00401551 8B 3D C5 70 40 00       mov edi, dword_4070C3+2
.text:00401557 A1 59 70 40 00          mov eax, dword ptr byte_407059
.text:0040155C 8B 15 09 71 40 00       mov edx, dword ptr byte_407109
.text:00401562 83 E8 4A                sub eax, 4Ah
.text:00401565 83 C0 25                add eax, 25h
.text:00401568 11 0D 83 70 40 00       adc dword_407080+3, ecx
.text:0040156E C6 05 1A 70 40 00+      mov byte ptr dword_40701A, 0FBh
.text:00401575 19 FF                   sbb edi, edi                    ; edi = 0 or -1 from CF; filler
.text:00401577 89 3D F8 70 40 00       mov dword_4070F6+2, edi
.text:0040157D C6 05 0F 71 40 00+      mov byte ptr dword_40710E+1, 0C9h
.text:00401584 8B 1D B3 71 40 00       mov ebx, dword_4071B3
.text:0040158A 83 E0 59                and eax, 59h
.text:0040158D 56                      push esi                        ; push 0x403DB5 as the fake return address consumed by the retn at 0x4015E6
.text:0040158E 8B 3D 3C 70 40 00       mov edi, dword_40703A+2
.text:00401594 01 F3                   add ebx, esi
.text:00401596 19 35 04 71 40 00       sbb dword ptr byte_407104, esi
.text:0040159C 8B 3D C7 71 40 00       mov edi, dword_4071C7
.text:004015A2 21 1D 14 71 40 00       and dword_407113+1, ebx
.text:004015A8 83 D9 E7                sbb ecx, 0FFFFFFE7h
.text:004015AB 01 FF                   add edi, edi
.text:004015AD 8B 1D 08 70 40 00       mov ebx, dword_407005+3
.text:004015B3 8B 3D B6 71 40 00       mov edi, dword_4071B3+3
.text:004015B9 C6 05 5C 70 40 00+      mov byte ptr dword_40705A+2, 19h
.text:004015C0 C6 05 AE 71 40 00+      mov byte ptr unk_4071AE, 13h
.text:004015C7 83 F3 D3                xor ebx, 0FFFFFFD3h
.text:004015CA 8B 15 A9 70 40 00       mov edx, dword_4070A7+2
.text:004015D0 8A 1D CB 70 40 00       mov bl, byte ptr dword_4070CB
.text:004015D6 01 C2                   add edx, eax
.text:004015D8 29 1D 7E 70 40 00       sub dword_40707B+3, ebx
.text:004015DE 19 0D A6 70 40 00       sbb dword ptr unk_4070A6, ecx
.text:004015E4 01 D1                   add ecx, edx
.text:004015E6 C3                      retn                            ; pops the 0x403DB5 pushed at 0x40158D: control transfers to endProc. Not a real function return (no matching call), which is also why IDA shows no function boundary here.
.text:004015E6 ; ---------------------------------------------------------------------------