Disassembly of File: main.exe T.DateStamp = 47E118D5: Wed Mar 19 05:44:53 2008 Code Offset = 00001000, Code Size = 00003000 Data Offset = 00005000, Data Size = 00001000 Number of Objects = 0003 (dec), Imagebase = 00400000h Object01: .text RVA: 00001000 Offset: 00001000 Size: 00003000 Flags: 60000020 Object02: .rdata RVA: 00004000 Offset: 00004000 Size: 00001000 Flags: 40000040 Object03: .data RVA: 00005000 Offset: 00005000 Size: 00001000 Flags: C0000040 +++++++++++++++++++ RESOURCE INFORMATION +++++++++++++++++++ There are no Resources in This Application. +++++++++++++++++++ IMPORTED FUNCTIONS +++++++++++++++++++ Number of Imported Modules = 1 (decimal) Import Module 001: KERNEL32.dll +++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++++ Import Module 001: KERNEL32.dll Addr:000044AC hint(00CA) Name: GetCommandLineA Addr:000044BE hint(0174) Name: GetVersion Addr:000044CC hint(007D) Name: ExitProcess Addr:000044DA hint(029E) Name: TerminateProcess Addr:000044EE hint(00F7) Name: GetCurrentProcess Addr:00004502 hint(02AD) Name: UnhandledExceptionFilter Addr:0000451E hint(0124) Name: GetModuleFileNameA Addr:00004534 hint(00B2) Name: FreeEnvironmentStringsA Addr:0000454E hint(00B3) Name: FreeEnvironmentStringsW Addr:00004568 hint(02D2) Name: WideCharToMultiByte Addr:0000457E hint(0106) Name: GetEnvironmentStrings Addr:00004596 hint(0108) Name: GetEnvironmentStringsW Addr:000045B0 hint(026D) Name: SetHandleCount Addr:000045C2 hint(0152) Name: GetStdHandle Addr:000045D2 hint(0115) Name: GetFileType Addr:000045E0 hint(0150) Name: GetStartupInfoA Addr:000045F2 hint(019D) Name: HeapDestroy Addr:00004600 hint(019B) Name: HeapCreate Addr:0000460E hint(02BF) Name: VirtualFree Addr:0000461C hint(019F) Name: HeapFree Addr:00004628 hint(022F) Name: RtlUnwind Addr:00004634 hint(02DF) Name: WriteFile Addr:00004640 hint(0199) Name: HeapAlloc Addr:0000464C hint(00BF) Name: GetCPInfo Addr:00004658 hint(00B9) Name: GetACP Addr:00004662 hint(0131) Name: GetOEMCP Addr:0000466E 
hint(02BB) Name: VirtualAlloc Addr:0000467E hint(01A2) Name: HeapReAlloc Addr:0000468C hint(013E) Name: GetProcAddress Addr:0000469E hint(01C2) Name: LoadLibraryA Addr:000046AE hint(01E4) Name: MultiByteToWideChar Addr:000046C4 hint(01BF) Name: LCMapStringA Addr:000046D4 hint(01C0) Name: LCMapStringW Addr:000046E4 hint(0153) Name: GetStringTypeA Addr:000046F6 hint(0156) Name: GetStringTypeW +++++++++++++++++++ EXPORTED FUNCTIONS +++++++++++++++++++ Number of Exported Functions = 0 (decimal) +++++++++++++++++++ Possible Strings Inside Code Block +++++++++++++++++++ :004011F6....NullString..YYh P@ :004017F8....NullString..DSUVWh :004019E3....NullString..SVWUj :00401F6E....NullString..Y;5@T@ :00401F95....NullString..0B=hR@ +++++++++++++++++++ DEBUG SYMBOLS LISTING +++++++++++++++++++ Trying to load with base = 00400000 ImageSize : 24576 NumSyms : 0 SymType : No symbols are loaded ModuleName : main ImageName : main.exe LoadedImageName : E:\Documents and Settings\Skan\Desktop\C\Release\main.exe LoadedImageBase : 00400000 +++++++++++++++++++ ASSEMBLY CODE LISTING +++++++++++++++++++ //********************** Start of Code in Object CODE ************** Program Entry Point = 00401010 (main.exe File Offset:00001000) ========= :00401000 C3 ret :00401001 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ............... 
;; Process entry point (the listing header gives Program Entry Point = 00401010).
;; In order, the visible code: links an exception-registration record at fs:[0], caches
;; fields of GetVersion(), creates a heap (004019A1), prepares handle, command-line and
;; environment data (004017F6, 004016C4, 00401477, 004013BE), runs the function-pointer
;; tables (00401138), calls 00401000 with three arguments and hands its result to 00401165.
;; 00401000 is a single `ret` in this listing, so that call does no work of its own.
;; NOTE(review): this shape matches a compiler-supplied C runtime startup stub - confirm
;; against the toolchain before treating any of it as author-written logic.
//******************** Program Entry Point ********
:00401010 55 push ebp
:00401011 8BEC mov ebp, esp
:00401013 6AFF push -001
:00401015 6890404000 push 00404090 ;; address inside the .rdata object; presumably the scope table used by the handler - verify
:0040101A 68D81A4000 push 00401AD8 ;; handler routine for the record being built
:0040101F 64A100000000 mov eax, dword fs:[00000000]
:00401025 50 push eax ;; previous head of the fs:[0] chain
:00401026 64892500000000 mov dword fs:[00000000], esp ;; the new record becomes the chain head
:0040102D 83EC10 sub esp, 010
:00401030 53 push ebx
:00401031 56 push esi
:00401032 57 push edi
:00401033 8965E8 mov dword[ebp-18], esp ;; saved esp, reloaded at 004010E4
:00401036 FF1504404000 call dword[00404004 ->000044BE GetVersion] ;;call KERNEL32.GetVersion
:0040103C 33D2 xor edx, edx
:0040103E 8AD4 mov dl, ah
:00401040 8915A4524000 mov dword[004052A4], edx ;; bits 8-15 of the GetVersion result
:00401046 8BC8 mov ecx, eax
:00401048 81E1FF000000 and ecx, 000000FF
:0040104E 890DA0524000 mov dword[004052A0], ecx ;; bits 0-7 of the result
:00401054 C1E108 shl ecx, 08
:00401057 03CA add ecx, edx
:00401059 890D9C524000 mov dword[0040529C], ecx ;; (low byte << 8) + second byte
:0040105F C1E810 shr eax, 10
:00401062 A398524000 mov dword[00405298], eax ;; upper 16 bits of the result
:00401067 6A00 push 000
:00401069 E833090000 call 004019A1 ;; heap creation; returns 0 on failure
:0040106E 59 pop ecx
:0040106F 85C0 test eax, eax
:00401071 7508 jne 0040107B
:00401073 6A1C push 01C
:00401075 E89A000000 call 00401114 ;; failure path: 00401114 ends in ExitProcess(0xFF)
:0040107A 59 pop ecx
---------
:0040107B 8365FC00 and dword[ebp-04], 000
:0040107F E872070000 call 004017F6 ;; handle-table setup (GetStartupInfoA / GetStdHandle)
:00401084 FF1500404000 call dword[00404000 ->000044AC GetCommandLineA] ;;call KERNEL32.GetCommandLineA
:0040108A A398574000 mov dword[00405798], eax ;; command-line pointer, read again by 00401477
:0040108F E830060000 call 004016C4 ;; returns a private copy of the environment block, or 0
:00401094 A380524000 mov dword[00405280], eax
:00401099 E8D9030000 call 00401477 ;; splits the command line; fills 004052A8 / 004052AC
:0040109E E81B030000 call 004013BE ;; builds the pointer array stored at 004052B4
:004010A3 E890000000 call 00401138 ;; runs the function-pointer tables in .data
:004010A8 A1B4524000 mov eax, dword[004052B4]
:004010AD A3B8524000 mov dword[004052B8], eax
:004010B2 50 push eax
:004010B3 FF35AC524000 push dword[004052AC]
:004010B9 FF35A8524000 push dword[004052A8]
:004010BF E83CFFFFFF call 00401000 ;; three arguments: [004052A8], [004052AC], [004052B4]
:004010C4 83C40C add esp, 00C
:004010C7 8945E4 mov dword[ebp-1C], eax
:004010CA 50 push eax
:004010CB E895000000 call 00401165 ;; exit path: 00401187(result, 0, 0), which ends in ExitProcess
;; NOTE(review): the code from 004010D0 on is not reached by fall-through if 00401165 never
;; returns; it looks like the filter/handler code belonging to the record installed above.
:004010D0 8B45EC mov eax, dword[ebp-14]
;; Continuation of the routine that starts at 00401010.
;; NOTE(review): eax was just loaded from [ebp-14]; the double dereference below presumably
;; reads the exception code through an EXCEPTION_POINTERS structure - confirm.
:004010D3 8B08 mov ecx, dword[eax]
:004010D5 8B09 mov ecx, dword[ecx]
:004010D7 894DE0 mov dword[ebp-20], ecx
:004010DA 50 push eax
:004010DB 51 push ecx
:004010DC E859010000 call 0040123A ;; 0040123A(value, pointer): per-code dispatch or UnhandledExceptionFilter
:004010E1 59 pop ecx
:004010E2 59 pop ecx
:004010E3 C3 ret
:004010E4 8B65E8 mov esp, dword[ebp-18] ;; restore the esp saved at 00401033
:004010E7 FF75E0 push dword[ebp-20]
:004010EA E887000000 call 00401176 ;; 00401187(value, 1, 0)
=========
;; 004010EF: fatal-error helper taking one stack argument. It forwards the argument to
;; 00401BE9, then calls through the pointer stored at 00405030 with 0xFF (the tool resolves
;; that pointer to 00401176). Callers in this listing pass 8, 9 or 0x1B after an
;; allocation returned 0. The pointer lives in the writable .data object.
:004010EF 833D8852400002 cmp dword[00405288], 002
:004010F6 7405 je 004010FD
:004010F8 E8B30A0000 call 00401BB0
---------
:004010FD FF742404 push dword[esp+04]
:00401101 E8E30A0000 call 00401BE9
:00401106 68FF000000 push 000000FF
:0040110B FF1530504000 call dword[00405030] ;; 00401176
:00401111 59 pop ecx
:00401112 59 pop ecx
:00401113 C3 ret
=========
;; 00401114: same shape as 004010EF, but ends by calling ExitProcess(0xFF) directly instead
;; of going through the pointer at 00405030. Used by the entry point when 004019A1 fails.
:00401114 833D8852400002 cmp dword[00405288], 002
:0040111B 7405 je 00401122
:0040111D E88E0A0000 call 00401BB0
---------
:00401122 FF742404 push dword[esp+04]
:00401126 E8BE0A0000 call 00401BE9
:0040112B 59 pop ecx
:0040112C 68FF000000 push 000000FF
:00401131 FF1508404000 call dword[00404008 ->000044CC ExitProcess] ;;call KERNEL32.ExitProcess
:00401137 C3 ret
=========
;; 00401138: calls the pointer at 00405794 if it is non-zero, then walks two pointer tables
;; with 00401220: [00405008, 00405010) first, then [00405000, 00405004).
;; All of these addresses fall in the .data object, which the header lists as writable.
:00401138 A194574000 mov eax, dword[00405794]
:0040113D 85C0 test eax, eax
:0040113F 7402 je 00401143
:00401141 FFD0 call eax
---------
:00401143 6810504000 push 00405010 ;; end of range
:00401148 6808504000 push 00405008 ;; start of range
:0040114D E8CE000000 call 00401220
:00401152 6804504000 push 00405004
:00401157 6800504000 push 00405000
:0040115C E8BF000000 call 00401220
:00401161 83C410 add esp, 010
:00401164 C3 ret
=========
;; 00401165: wrapper - calls 00401187(arg, 0, 0).
:00401165 6A00 push 000
:00401167 6A00 push 000
:00401169 FF74240C push dword[esp+0C]
:0040116D E815000000 call 00401187
:00401172 83C40C add esp, 00C
:00401175 C3 ret
=========
;; 00401176: wrapper - calls 00401187(arg, 1, 0); with a non-zero second argument 00401187
;; skips its first two table walks.
:00401176 6A00 push 000
:00401178 6A01 push 001
:0040117A FF74240C push dword[esp+0C]
:0040117E E804000000 call 00401187
:00401183 83C40C add esp, 00C
:00401186 C3 ret
=========
;; 00401187(code, skip_flag, return_flag): common termination routine; its body continues
;; past the end of this stretch. If [004052D4] is already 1 it calls
;; TerminateProcess(GetCurrentProcess(), code) before going on.
:00401187 57 push edi
:00401188 6A01 push 001
:0040118A 5F pop edi ;; edi = 1 for the rest of the routine
:0040118B 393DD4524000 cmp dword[004052D4], edi
:00401191 7511 jne 004011A4
;; Continuation of 00401187(code, skip_flag, return_flag).
:00401193 FF742408 push dword[esp+08] ;; code
:00401197 FF1510404000 call dword[00404010 ->000044EE GetCurrentProcess] ;;call KERNEL32.GetCurrentProcess
:0040119D 50 push eax
:0040119E FF150C404000 call dword[0040400C ->000044DA TerminateProcess] ;;call KERNEL32.TerminateProcess
---------
:004011A4 837C240C00 cmp dword[esp+0C], 000 ;; skip_flag; the flags are consumed by the jne at 004011BA
:004011A9 53 push ebx
:004011AA 8B5C2414 mov ebx, dword[esp+14] ;; ebx = return_flag
:004011AE 893DD0524000 mov dword[004052D0], edi
:004011B4 881DCC524000 mov byte[004052CC], bl
:004011BA 753C jne 004011F8 ;; skip_flag != 0: go straight to the last table
:004011BC A190574000 mov eax, dword[00405790]
:004011C1 85C0 test eax, eax
:004011C3 7422 je 004011E7
;; Walk the pointer array between [00405790] and [0040578C] from the top down,
;; calling every non-zero entry.
:004011C5 8B0D8C574000 mov ecx, dword[0040578C]
:004011CB 56 push esi
:004011CC 8D71FC lea esi, dword[ecx-04]
:004011CF 3BF0 cmp esi, eax
:004011D1 7213 jc 004011E6
---------
:004011D3 8B06 mov eax, dword[esi]
:004011D5 85C0 test eax, eax
:004011D7 7402 je 004011DB
:004011D9 FFD0 call eax
---------
:004011DB 83EE04 sub esi, 004
:004011DE 3B3590574000 cmp esi, dword[00405790] ;; lower bound is re-read from memory on every pass
:004011E4 73ED jae 004011D3
---------
:004011E6 5E pop esi
---------
:004011E7 6818504000 push 00405018
:004011EC 6814504000 push 00405014
:004011F1 E82A000000 call 00401220 ;; table [00405014, 00405018)
:004011F6 59 pop ecx
:004011F7 59 pop ecx
---------
:004011F8 6820504000 push 00405020
:004011FD 681C504000 push 0040501C
:00401202 E819000000 call 00401220 ;; table [0040501C, 00405020)
:00401207 59 pop ecx
:00401208 59 pop ecx
:00401209 85DB test ebx, ebx
:0040120B 5B pop ebx
:0040120C 7510 jne 0040121E ;; return_flag != 0: return to the caller instead of exiting
:0040120E FF742408 push dword[esp+08] ;; code
:00401212 893DD4524000 mov dword[004052D4], edi ;; arms the TerminateProcess path for any later entry
:00401218 FF1508404000 call dword[00404008 ->000044CC ExitProcess] ;;call KERNEL32.ExitProcess
---------
:0040121E 5F pop edi
:0040121F C3 ret
=========
;; 00401220(first, last): calls every non-zero dword in [first, last) as a function pointer,
;; in ascending order. It does no validation of the entries, so the integrity of the tables
;; it is given (all in writable .data in this listing) is what bounds the call targets.
:00401220 56 push esi
:00401221 8B742408 mov esi, dword[esp+08]
---------
:00401225 3B74240C cmp esi, dword[esp+0C]
:00401229 730D jae 00401238
:0040122B 8B06 mov eax, dword[esi]
:0040122D 85C0 test eax, eax
:0040122F 7402 je 00401233
:00401231 FFD0 call eax
---------
:00401233 83C604 add esi, 004
:00401236 EBED jmp 00401225
---------
:00401238 5E pop esi
:00401239 C3 ret
=========
;; 0040123A(value, pointer): called from 004010DC. Looks `value` up with 0040137B in the
;; 12-byte-entry table at 00405038. No entry, or an entry whose field +8 is 0, ends in
;; UnhandledExceptionFilter(pointer). Field +8 == 5 clears the field and returns 1;
;; field +8 == 1 returns -1; any other value is called as a function pointer.
:0040123A 55 push ebp
:0040123B 8BEC mov ebp, esp
:0040123D 53 push ebx
:0040123E FF7508 push dword[ebp+08]
:00401241 E835010000 call 0040137B
:00401246 85C0 test eax, eax
:00401248 59 pop ecx
:00401249 0F8420010000 je 0040136F
:0040124F 8B5808 mov ebx, dword[eax+08] ;; ebx = action field of the matching entry
:00401252 85DB test ebx, ebx
:00401254 0F8415010000 je 0040136F
:0040125A 83FB05 cmp ebx, 005
:0040125D 750C jne 0040126B
:0040125F 83600800 and dword[eax+08], 000
:00401263 6A01 push 001
:00401265 58 pop eax
:00401266 E90D010000 jmp 00401378
---------
:0040126B 83FB01 cmp ebx, 001
:0040126E 0F84F6000000 je 0040136A
:00401274 8B0DD8524000 mov ecx, dword[004052D8]
:0040127A 894D08 mov dword[ebp+08], ecx ;; argument slot reused to hold the old [004052D8]
:0040127D 8B4D0C mov ecx, dword[ebp+0C]
:00401280 890DD8524000 mov dword[004052D8], ecx ;; publish `pointer` while the callback runs
:00401286 8B4804 mov ecx, dword[eax+04]
:00401289 83F908 cmp ecx, 008
:0040128C 0F85C8000000 jne 0040135A
;; Field +4 == 8: zero field +8 of [004050B4] consecutive entries starting at index
;; [004050B0] (00405040 is the table base 00405038 plus 8).
:00401292 8B0DB0504000 mov ecx, dword[004050B0]
:00401298 8B15B4504000 mov edx, dword[004050B4]
:0040129E 03D1 add edx, ecx
:004012A0 56 push esi
:004012A1 3BCA cmp ecx, edx
:004012A3 7D15 jge 004012BA
:004012A5 8D3449 lea esi, dword[ecx+2*ecx]
:004012A8 2BD1 sub edx, ecx
:004012AA 8D34B540504000 lea esi, dword[4*esi+00405040]
---------
:004012B1 832600 and dword[esi], 000
:004012B4 83C60C add esi, 00C
:004012B7 4A dec edx
:004012B8 75F7 jne 004012B1
---------
;; Map the entry's code to a small number stored in [004050BC] for the duration of the
;; callback. The constants compared are the NTSTATUS floating-point codes 0xC000008D
;; through 0xC0000093 (denormal operand, divide by zero, inexact result, invalid operation,
;; overflow, stack check, underflow).
:004012BA 8B00 mov eax, dword[eax]
:004012BC 8B35BC504000 mov esi, dword[004050BC] ;; old value, restored at 00401350
:004012C2 3D8E0000C0 cmp eax, C000008E
:004012C7 750C jne 004012D5
:004012C9 C705BC50400083000000 mov dword[004050BC], 00000083
:004012D3 EB70 jmp 00401345
---------
:004012D5 3D900000C0 cmp eax, C0000090
:004012DA 750C jne 004012E8
:004012DC C705BC50400081000000 mov dword[004050BC], 00000081
:004012E6 EB5D jmp 00401345
---------
:004012E8 3D910000C0 cmp eax, C0000091
:004012ED 750C jne 004012FB
:004012EF C705BC50400084000000 mov dword[004050BC], 00000084
:004012F9 EB4A jmp 00401345
---------
:004012FB 3D930000C0 cmp eax, C0000093
:00401300 750C jne 0040130E
:00401302 C705BC50400085000000 mov dword[004050BC], 00000085
:0040130C EB37 jmp 00401345
---------
:0040130E 3D8D0000C0 cmp eax, C000008D
:00401313 750C jne 00401321
:00401315 C705BC50400082000000 mov dword[004050BC], 00000082
:0040131F EB24 jmp 00401345
---------
:00401321 3D8F0000C0 cmp eax, C000008F
:00401326 750C jne 00401334
:00401328 C705BC50400086000000 mov dword[004050BC], 00000086
:00401332 EB11 jmp 00401345
---------
:00401334 3D920000C0 cmp eax, C0000092
:00401339 750A jne 00401345
:0040133B C705BC5040008A000000 mov dword[004050BC], 0000008A
---------
:00401345 FF35BC504000 push dword[004050BC]
:0040134B 6A08 push 008
:0040134D FFD3 call ebx ;; callback(8, mapped value)
:0040134F 59 pop ecx
:00401350 8935BC504000 mov dword[004050BC], esi
:00401356 59 pop ecx
:00401357 5E pop esi
:00401358 EB08 jmp 00401362
---------
:0040135A 83600800 and dword[eax+08], 000 ;; the action field is cleared before the callback runs
:0040135E 51 push ecx
:0040135F FFD3 call ebx ;; callback(field +4)
:00401361 59 pop ecx
---------
:00401362 8B4508 mov eax, dword[ebp+08]
:00401365 A3D8524000 mov dword[004052D8], eax ;; restore the saved [004052D8]
---------
:0040136A 83C8FF or eax, -001
:0040136D EB09 jmp 00401378
---------
:0040136F FF750C push dword[ebp+0C]
:00401372 FF1514404000 call dword[00404014 ->00004502 UnhandledExceptionFilter] ;;call KERNEL32.UnhandledExceptionFilter
---------
:00401378 5B pop ebx
:00401379 5D pop ebp
:0040137A C3 ret
=========
;; 0040137B(value): linear search of the table at 00405038 ([004050B8] entries of 12 bytes)
;; for an entry whose first dword equals `value`. The routine continues past the end of
;; this stretch.
:0040137B 8B542404 mov edx, dword[esp+04]
:0040137F 8B0DB8504000 mov ecx, dword[004050B8]
:00401385 391538504000 cmp dword[00405038], edx
:0040138B 56 push esi
:0040138C B838504000 mov eax, 00405038
:00401391 7415 je 004013A8
:00401393 8D3449 lea esi, dword[ecx+2*ecx]
:00401396 8D34B538504000 lea esi, dword[4*esi+00405038] ;; esi = end of table
---------
:0040139D 83C00C add eax, 00C
:004013A0 3BC6 cmp eax, esi
:004013A2 7304 jae 004013A8
:004013A4 3910 cmp dword[eax], edx
:004013A6 75F5 jne 0040139D
---------
:004013A8 8D0C49 lea ecx, dword[ecx+2*ecx]
:004013AB 5E pop esi
:004013AC 8D0C8D38504000 lea ecx, dword[4*ecx+00405038]
;; Tail of 0040137B: returns the entry pointer in eax only if it is inside the table and
;; its first dword matches; otherwise returns 0.
:004013B3 3BC1 cmp eax, ecx
:004013B5 7304 jae 004013BB
:004013B7 3910 cmp dword[eax], edx
:004013B9 7402 je 004013BD
---------
:004013BB 33C0 xor eax, eax
---------
:004013BD C3 ret
=========
;; 004013BE: turns the block at [00405280] (a run of zero-terminated strings ended by an
;; empty string) into a zero-terminated array of pointers stored at [004052B4]. Strings
;; that start with '=' (0x3D) are skipped. Each kept string is copied into its own buffer.
;; NOTE(review): the bodies of 00401EE0, 00401E60, 00401D70 and 00401D3C are not in this
;; part of the listing; from how their results are used they presumably behave like
;; strlen, malloc, strcpy and free - confirm.
:004013BE 53 push ebx
:004013BF 33DB xor ebx, ebx
:004013C1 391D88574000 cmp dword[00405788], ebx
:004013C7 56 push esi
:004013C8 57 push edi
:004013C9 7505 jne 004013D0
:004013CB E84F0F0000 call 0040231F
---------
:004013D0 8B3580524000 mov esi, dword[00405280]
:004013D6 33FF xor edi, edi ;; edi counts the strings that will be kept
---------
:004013D8 8A06 mov al, byte[esi]
:004013DA 3AC3 cmp al, bl
:004013DC 7412 je 004013F0
:004013DE 3C3D cmp al, 3D
:004013E0 7401 je 004013E3
:004013E2 47 inc edi
---------
:004013E3 56 push esi
:004013E4 E8F70A0000 call 00401EE0
:004013E9 59 pop ecx
:004013EA 8D740601 lea esi, dword[esi+eax+01] ;; step over the string and its terminator
:004013EE EBE8 jmp 004013D8
---------
:004013F0 8D04BD04000000 lea eax, dword[4*edi+00000004] ;; one pointer per kept string plus a terminator slot
:004013F7 50 push eax
:004013F8 E8630A0000 call 00401E60
:004013FD 8BF0 mov esi, eax
:004013FF 59 pop ecx
:00401400 3BF3 cmp esi, ebx
:00401402 8935B4524000 mov dword[004052B4], esi
:00401408 7508 jne 00401412
:0040140A 6A09 push 009
:0040140C E8DEFCFFFF call 004010EF ;; allocation returned 0: fatal-error helper
:00401411 59 pop ecx
---------
:00401412 8B3D80524000 mov edi, dword[00405280]
:00401418 381F cmp byte[edi], bl
:0040141A 7439 je 00401455
:0040141C 55 push ebp
---------
:0040141D 57 push edi
:0040141E E8BD0A0000 call 00401EE0
:00401423 8BE8 mov ebp, eax
:00401425 59 pop ecx
:00401426 45 inc ebp ;; ebp = length including terminator
:00401427 803F3D cmp byte[edi], 3D
:0040142A 7422 je 0040144E
:0040142C 55 push ebp
:0040142D E82E0A0000 call 00401E60
:00401432 3BC3 cmp eax, ebx
:00401434 59 pop ecx
:00401435 8906 mov dword[esi], eax
:00401437 7508 jne 00401441
:00401439 6A09 push 009
:0040143B E8AFFCFFFF call 004010EF
:00401440 59 pop ecx
---------
:00401441 57 push edi
:00401442 FF36 push dword[esi]
:00401444 E827090000 call 00401D70 ;; copy the string into the buffer just allocated for it
:00401449 59 pop ecx
:0040144A 83C604 add esi, 004
:0040144D 59 pop ecx
---------
:0040144E 03FD add edi, ebp
:00401450 381F cmp byte[edi], bl
:00401452 75C9 jne 0040141D
:00401454 5D pop ebp
---------
:00401455 FF3580524000 push dword[00405280]
:0040145B E8DC080000 call 00401D3C ;; the original block is released once every string is copied
:00401460 59 pop ecx
:00401461 891D80524000 mov dword[00405280], ebx ;; stale pointer cleared after the release
:00401467 891E mov dword[esi], ebx ;; zero terminator of the pointer array
:00401469 5F pop edi
:0040146A 5E pop esi
:0040146B C7058457400001000000 mov dword[00405784], 00000001
:00401475 5B pop ebx
:00401476 C3 ret
=========
;; 00401477: fetches the module path into the fixed buffer at 004052DC (0x104 = 260 bytes),
;; then splits the command line saved at [00405798] (or the module path when the command
;; line is empty) with two passes of 00401510: a counting pass with null outputs, an
;; allocation sized from the counts, then a filling pass. Results: [004052AC] = pointer
;; array, [004052A8] = count returned by 00401510 minus one.
:00401477 55 push ebp
:00401478 8BEC mov ebp, esp
:0040147A 51 push ecx
:0040147B 51 push ecx
:0040147C 53 push ebx
:0040147D 33DB xor ebx, ebx
:0040147F 391D88574000 cmp dword[00405788], ebx
:00401485 56 push esi
:00401486 57 push edi
:00401487 7505 jne 0040148E
:00401489 E8910E0000 call 0040231F
---------
:0040148E BEDC524000 mov esi, 004052DC
:00401493 6804010000 push 00000104
:00401498 56 push esi
:00401499 53 push ebx
:0040149A FF1518404000 call dword[00404018 ->0000451E GetModuleFileNameA] ;;call KERNEL32.GetModuleFileNameA
;; NOTE(review): the return value of GetModuleFileNameA is overwritten by the next
;; instruction, so neither failure nor truncation at 0x104 bytes is detected here.
:004014A0 A198574000 mov eax, dword[00405798]
:004014A5 8935C4524000 mov dword[004052C4], esi
:004014AB 8BFE mov edi, esi
:004014AD 3818 cmp byte[eax], bl
:004014AF 7402 je 004014B3
:004014B1 8BF8 mov edi, eax
---------
:004014B3 8D45F8 lea eax, dword[ebp-08]
:004014B6 50 push eax ;; out: character count
:004014B7 8D45FC lea eax, dword[ebp-04]
:004014BA 50 push eax ;; out: argument count
:004014BB 53 push ebx ;; no character buffer (counting pass)
:004014BC 53 push ebx ;; no pointer array (counting pass)
:004014BD 57 push edi
:004014BE E84D000000 call 00401510
:004014C3 8B45F8 mov eax, dword[ebp-08]
:004014C6 8B4DFC mov ecx, dword[ebp-04]
:004014C9 8D0488 lea eax, dword[eax+4*ecx] ;; bytes = characters + 4 * pointers
:004014CC 50 push eax
:004014CD E88E090000 call 00401E60
:004014D2 8BF0 mov esi, eax
:004014D4 83C418 add esp, 018
:004014D7 3BF3 cmp esi, ebx
:004014D9 7508 jne 004014E3
:004014DB 6A08 push 008
:004014DD E80DFCFFFF call 004010EF
:004014E2 59 pop ecx
---------
:004014E3 8D45F8 lea eax, dword[ebp-08]
:004014E6 50 push eax
:004014E7 8D45FC lea eax, dword[ebp-04]
:004014EA 50 push eax
:004014EB 8B45FC mov eax, dword[ebp-04]
:004014EE 8D0486 lea eax, dword[esi+4*eax] ;; character area starts right after the pointer array
:004014F1 50 push eax
:004014F2 56 push esi
:004014F3 57 push edi
:004014F4 E817000000 call 00401510
:004014F9 8B45FC mov eax, dword[ebp-04]
:004014FC 83C414 add esp, 014
:004014FF 48 dec eax
:00401500 8935AC524000 mov dword[004052AC], esi
:00401506 5F pop edi
:00401507 5E pop esi
:00401508 A3A8524000 mov dword[004052A8], eax
:0040150D 5B pop ebx
:0040150E C9 leave
:0040150F C3 ret
=========
;; 00401510(src, ptr_out, char_out, count_out, nchars_out): command-line splitter; its body
;; continues past the end of this stretch. ptr_out and char_out may both be 0, in which
;; case nothing is stored and only *count_out and *nchars_out are advanced; the writes
;; rely on the caller having sized the buffers from such a counting pass.
;; The characters it treats specially are '"' (0x22), '\' (0x5C), space (0x20) and tab (0x09).
;; NOTE(review): byte[c + 00405561] & 4 is a per-byte flag table; a set flag makes the
;; routine consume the following byte as well, presumably a multibyte lead-byte test - confirm.
:00401510 55 push ebp
:00401511 8BEC mov ebp, esp
:00401513 8B4D18 mov ecx, dword[ebp+18] ;; ecx = nchars_out for the whole routine
:00401516 8B4514 mov eax, dword[ebp+14]
:00401519 53 push ebx
:0040151A 56 push esi
:0040151B 832100 and dword[ecx], 000
:0040151E 8B7510 mov esi, dword[ebp+10] ;; esi = char_out cursor (0 when counting)
:00401521 57 push edi
:00401522 8B7D0C mov edi, dword[ebp+0C] ;; edi = ptr_out cursor (0 when counting)
:00401525 C70001000000 mov dword[eax], 00000001
:0040152B 8B4508 mov eax, dword[ebp+08] ;; eax = read cursor
:0040152E 85FF test edi, edi
:00401530 7408 je 0040153A
:00401532 8937 mov dword[edi], esi
:00401534 83C704 add edi, 004
:00401537 897D0C mov dword[ebp+0C], edi
---------
;; First token: either a quoted run (up to the closing quote or end of string) or an
;; unquoted run (up to space, tab or end of string).
:0040153A 803822 cmp byte[eax], 22
:0040153D 7544 jne 00401583
---------
:0040153F 8A5001 mov dl, byte[eax+01]
:00401542 40 inc eax
:00401543 80FA22 cmp dl, 22
:00401546 7429 je 00401571
:00401548 84D2 test dl, dl
:0040154A 7425 je 00401571
:0040154C 0FB6D2 movzx edx, dl
:0040154F F6826155400004 test byte[edx+00405561], 04
:00401556 740C je 00401564
:00401558 FF01 inc dword[ecx]
:0040155A 85F6 test esi, esi
:0040155C 7406 je 00401564
:0040155E 8A10 mov dl, byte[eax]
:00401560 8816 mov byte[esi], dl
:00401562 46 inc esi
:00401563 40 inc eax
---------
:00401564 FF01 inc dword[ecx]
:00401566 85F6 test esi, esi
:00401568 74D5 je 0040153F
:0040156A 8A10 mov dl, byte[eax]
:0040156C 8816 mov byte[esi], dl
:0040156E 46 inc esi
:0040156F EBCE jmp 0040153F
---------
:00401571 FF01 inc dword[ecx]
:00401573 85F6 test esi, esi
:00401575 7404 je 0040157B
:00401577 802600 and byte[esi], 00 ;; terminate the first token
:0040157A 46 inc esi
---------
:0040157B 803822 cmp byte[eax], 22
:0040157E 7546 jne 004015C6
:00401580 40 inc eax
:00401581 EB43 jmp 004015C6
---------
:00401583 FF01 inc dword[ecx]
:00401585 85F6 test esi, esi
:00401587 7405 je 0040158E
:00401589 8A10 mov dl, byte[eax]
:0040158B 8816 mov byte[esi], dl
:0040158D 46 inc esi
---------
:0040158E 8A10 mov dl, byte[eax]
:00401590 40 inc eax
:00401591 0FB6DA movzx ebx, dl
:00401594 F6836155400004 test byte[ebx+00405561], 04
:0040159B 740C je 004015A9
:0040159D FF01 inc dword[ecx]
:0040159F 85F6 test esi, esi
:004015A1 7405 je 004015A8
:004015A3 8A18 mov bl, byte[eax]
:004015A5 881E mov byte[esi], bl
:004015A7 46 inc esi
---------
:004015A8 40 inc eax
---------
:004015A9 80FA20 cmp dl, 20
:004015AC 7409 je 004015B7
:004015AE 84D2 test dl, dl
:004015B0 7409 je 004015BB
:004015B2 80FA09 cmp dl, 09
:004015B5 75CC jne 00401583
---------
:004015B7 84D2 test dl, dl
:004015B9 7503 jne 004015BE
---------
:004015BB 48 dec eax
:004015BC EB08 jmp 004015C6
---------
:004015BE 85F6 test esi, esi
:004015C0 7404 je 004015C6
:004015C2 8066FF00 and byte[esi-01], 00 ;; overwrite the copied delimiter with a terminator
---------
:004015C6 83651800 and dword[ebp+18], 000 ;; argument slot reused as the in-quotes flag (ecx still holds nchars_out)
---------
:004015CA 803800 cmp byte[eax], 00
:004015CD 0F84E0000000 je 004016B3
---------
:004015D3 8A10 mov dl, byte[eax]
:004015D5 80FA20 cmp dl, 20
:004015D8 7405 je 004015DF
:004015DA 80FA09 cmp dl, 09
:004015DD 7503 jne 004015E2
---------
:004015DF 40 inc eax ;; skip spaces and tabs between tokens
:004015E0 EBF1 jmp 004015D3
---------
:004015E2 803800 cmp byte[eax], 00
:004015E5 0F84C8000000 je 004016B3
:004015EB 85FF test edi, edi
:004015ED 7408 je 004015F7
:004015EF 8937 mov dword[edi], esi ;; record where this token's characters start
:004015F1 83C704 add edi, 004
:004015F4 897D0C mov dword[ebp+0C], edi
---------
:004015F7 8B5514 mov edx, dword[ebp+14]
:004015FA FF02 inc dword[edx] ;; one more token
---------
:004015FC C7450801000000 mov dword[ebp+08], 00000001 ;; argument slot reused as the copy-this-character flag
:00401603 33DB xor ebx, ebx ;; ebx counts consecutive backslashes
---------
:00401605 80385C cmp byte[eax], 5C
:00401608 7504 jne 0040160E
:0040160A 40 inc eax
:0040160B 43 inc ebx
:0040160C EBF7 jmp 00401605
---------
:0040160E 803822 cmp byte[eax], 22
:00401611 752C jne 0040163F
:00401613 F6C301 test bl, 01 ;; odd backslash count before a quote: the quote is kept as a character
:00401616 7525 jne 0040163D
:00401618 33FF xor edi, edi
;; Continuation of 00401510 (command-line splitter): a quote preceded by an even number of
;; backslashes. Registers as set earlier in the routine: eax = read cursor, esi = character
;; output cursor (0 when only counting), ecx = pointer to the character counter,
;; ebx = backslash count, [ebp+18] = in-quotes flag, [ebp+08] = copy-this-character flag.
:0040161A 397D18 cmp dword[ebp+18], edi
:0040161D 740D je 0040162C
:0040161F 80780122 cmp byte[eax+01], 22
:00401623 8D5001 lea edx, dword[eax+01]
:00401626 7504 jne 0040162C
:00401628 8BC2 mov eax, edx ;; inside quotes and followed by another quote: advance to the second quote, which is copied
:0040162A EB03 jmp 0040162F
---------
:0040162C 897D08 mov dword[ebp+08], edi ;; otherwise the quote itself is not copied
---------
:0040162F 8B7D0C mov edi, dword[ebp+0C] ;; reload the pointer-array cursor (edi was used as a zero)
:00401632 33D2 xor edx, edx
:00401634 395518 cmp dword[ebp+18], edx
:00401637 0F94C2 sete dl
:0040163A 895518 mov dword[ebp+18], edx ;; toggle the in-quotes flag
---------
:0040163D D1EB shr ebx, 1 ;; backslashes before a quote are emitted at half their count
---------
:0040163F 8BD3 mov edx, ebx
:00401641 4B dec ebx
:00401642 85D2 test edx, edx
:00401644 740E je 00401654
:00401646 43 inc ebx
---------
:00401647 85F6 test esi, esi
:00401649 7404 je 0040164F
:0040164B C6065C mov byte[esi], 5C
:0040164E 46 inc esi
---------
:0040164F FF01 inc dword[ecx]
:00401651 4B dec ebx
:00401652 75F3 jne 00401647
---------
:00401654 8A10 mov dl, byte[eax]
:00401656 84D2 test dl, dl
:00401658 744A je 004016A4
:0040165A 837D1800 cmp dword[ebp+18], 000
:0040165E 750A jne 0040166A ;; inside quotes, space and tab do not end the token
:00401660 80FA20 cmp dl, 20
:00401663 743F je 004016A4
:00401665 80FA09 cmp dl, 09
:00401668 743A je 004016A4
---------
:0040166A 837D0800 cmp dword[ebp+08], 000
:0040166E 742E je 0040169E
:00401670 85F6 test esi, esi
:00401672 7419 je 0040168D
:00401674 0FB6DA movzx ebx, dl
:00401677 F6836155400004 test byte[ebx+00405561], 04
:0040167E 7406 je 00401686
:00401680 8816 mov byte[esi], dl
:00401682 46 inc esi
:00401683 40 inc eax
:00401684 FF01 inc dword[ecx]
---------
:00401686 8A10 mov dl, byte[eax]
:00401688 8816 mov byte[esi], dl
:0040168A 46 inc esi
:0040168B EB0F jmp 0040169C
---------
;; Counting-only path: same cursor and counter updates as above, without the stores.
:0040168D 0FB6D2 movzx edx, dl
:00401690 F6826155400004 test byte[edx+00405561], 04
:00401697 7403 je 0040169C
:00401699 40 inc eax
:0040169A FF01 inc dword[ecx]
---------
:0040169C FF01 inc dword[ecx]
---------
:0040169E 40 inc eax
:0040169F E958FFFFFF jmp 004015FC
---------
:004016A4 85F6 test esi, esi
:004016A6 7404 je 004016AC
:004016A8 802600 and byte[esi], 00 ;; terminate the current token
:004016AB 46 inc esi
---------
;; Tail of 00401510: count the terminator, then loop back for the next token. At end of
;; input the pointer array (when one was supplied) gets a zero entry and *count_out is
;; incremented once more.
:004016AC FF01 inc dword[ecx]
:004016AE E917FFFFFF jmp 004015CA
---------
:004016B3 85FF test edi, edi
:004016B5 7403 je 004016BA
:004016B7 832700 and dword[edi], 000
---------
:004016BA 8B4514 mov eax, dword[ebp+14]
:004016BD 5F pop edi
:004016BE 5E pop esi
:004016BF 5B pop ebx
:004016C0 FF00 inc dword[eax]
:004016C2 5D pop ebp
:004016C3 C3 ret
=========
;; 004016C4: returns a private single-byte copy of the process environment block in eax, or
;; 0 on any failure. [004053E0] remembers which API worked: 0 = not yet probed,
;; 1 = GetEnvironmentStringsW, 2 = GetEnvironmentStrings. The wide block is converted with
;; WideCharToMultiByte (code page argument 0); the API-owned block is released before
;; returning. The routine continues past the end of this stretch.
:004016C4 51 push ecx
:004016C5 51 push ecx
:004016C6 A1E0534000 mov eax, dword[004053E0]
:004016CB 53 push ebx
:004016CC 55 push ebp
:004016CD 8B2D2C404000 mov ebp, dword[0040402C ->00004596 GetEnvironmentStringsW]
:004016D3 56 push esi
:004016D4 57 push edi
:004016D5 33DB xor ebx, ebx
:004016D7 33F6 xor esi, esi
:004016D9 33FF xor edi, edi
:004016DB 3BC3 cmp eax, ebx
:004016DD 7533 jne 00401712
:004016DF FFD5 call ebp ;;call KERNEL32.GetEnvironmentStringsW
:004016E1 8BF0 mov esi, eax
:004016E3 3BF3 cmp esi, ebx
:004016E5 740C je 004016F3
:004016E7 C705E053400001000000 mov dword[004053E0], 00000001
:004016F1 EB28 jmp 0040171B
---------
:004016F3 FF1528404000 call dword[00404028 ->0000457E GetEnvironmentStrings] ;;call KERNEL32.GetEnvironmentStrings
:004016F9 8BF8 mov edi, eax
:004016FB 3BFB cmp edi, ebx
:004016FD 0F84EA000000 je 004017ED
:00401703 C705E053400002000000 mov dword[004053E0], 00000002
:0040170D E98F000000 jmp 004017A1
---------
:00401712 83F801 cmp eax, 001
:00401715 0F8581000000 jne 0040179C
---------
:0040171B 3BF3 cmp esi, ebx
:0040171D 750C jne 0040172B
:0040171F FFD5 call ebp
:00401721 8BF0 mov esi, eax
:00401723 3BF3 cmp esi, ebx
:00401725 0F84C2000000 je 004017ED
---------
;; Find the end of the wide block: advance until two consecutive zero words are seen.
:0040172B 66391E cmp word[esi], bx
:0040172E 8BC6 mov eax, esi
:00401730 740E je 00401740
---------
:00401732 40 inc eax
:00401733 40 inc eax
:00401734 663918 cmp word[eax], bx
:00401737 75F9 jne 00401732
:00401739 40 inc eax
:0040173A 40 inc eax
:0040173B 663918 cmp word[eax], bx
:0040173E 75F2 jne 00401732
---------
:00401740 2BC6 sub eax, esi
:00401742 8B3D24404000 mov edi, dword[00404024 ->00004568 WideCharToMultiByte]
:00401748 D1F8 sar eax, 1
:0040174A 53 push ebx
:0040174B 53 push ebx
:0040174C 40 inc eax ;; length in wide characters, final terminator included
:0040174D 53 push ebx ;; output size 0: first call only asks for the required size
:0040174E 53 push ebx
:0040174F 50 push eax
:00401750 56 push esi
:00401751 53 push ebx
:00401752 53 push ebx
:00401753 89442434 mov dword[esp+34], eax ;; keep the length for the second call
:00401757 FFD7 call edi ;;call KERNEL32.WideCharToMultiByte
:00401759 8BE8 mov ebp, eax
:0040175B 3BEB cmp ebp, ebx
:0040175D 7432 je 00401791
:0040175F 55 push ebp
:00401760 E8FB060000 call 00401E60 ;; allocate exactly the size the first call reported
:00401765 3BC3 cmp eax, ebx
:00401767 59 pop ecx
:00401768 89442410 mov dword[esp+10], eax
:0040176C 7423 je 00401791
:0040176E 53 push ebx
:0040176F 53 push ebx
:00401770 55 push ebp
:00401771 50 push eax
:00401772 FF742424 push dword[esp+24]
:00401776 56 push esi
:00401777 53 push ebx
:00401778 53 push ebx
:00401779 FFD7 call edi ;;call KERNEL32.WideCharToMultiByte
:0040177B 85C0 test eax, eax
:0040177D 750E jne 0040178D
:0040177F FF742410 push dword[esp+10]
:00401783 E8B4050000 call 00401D3C ;; conversion failed: release the buffer and return 0
:00401788 59 pop ecx
:00401789 895C2410 mov dword[esp+10], ebx
---------
:0040178D 8B5C2410 mov ebx, dword[esp+10]
---------
:00401791 56 push esi
:00401792 FF1520404000 call dword[00404020 ->0000454E FreeEnvironmentStringsW] ;;call KERNEL32.FreeEnvironmentStringsW
:00401798 8BC3 mov eax, ebx
:0040179A EB53 jmp 004017EF
---------
:0040179C 83F802 cmp eax, 002
:0040179F 754C jne 004017ED
---------
:004017A1 3BFB cmp edi, ebx
:004017A3 750C jne 004017B1
:004017A5 FF1528404000 call dword[00404028 ->0000457E GetEnvironmentStrings] ;;call KERNEL32.GetEnvironmentStrings
:004017AB 8BF8 mov edi, eax
:004017AD 3BFB cmp edi, ebx
:004017AF 743C je 004017ED
---------
;; Single-byte block: same scan, looking for two consecutive zero bytes.
:004017B1 381F cmp byte[edi], bl
:004017B3 8BC7 mov eax, edi
:004017B5 740A je 004017C1
---------
:004017B7 40 inc eax
:004017B8 3818 cmp byte[eax], bl
:004017BA 75FB jne 004017B7
:004017BC 40 inc eax
:004017BD 3818 cmp byte[eax], bl
:004017BF 75F6 jne 004017B7
---------
:004017C1 2BC7 sub eax, edi
:004017C3 40 inc eax
:004017C4 8BE8 mov ebp, eax ;; ebp = block size in bytes, final terminator included
;; Tail of 004016C4 (single-byte environment path): allocate ebp bytes, copy the block with
;; 00402340(dst, src, size), release the API-owned block, return the copy (0 on failure).
:004017C6 55 push ebp
:004017C7 E894060000 call 00401E60
:004017CC 8BF0 mov esi, eax
:004017CE 59 pop ecx
:004017CF 3BF3 cmp esi, ebx
:004017D1 7504 jne 004017D7
:004017D3 33F6 xor esi, esi
:004017D5 EB0B jmp 004017E2
---------
:004017D7 55 push ebp
:004017D8 57 push edi
:004017D9 56 push esi
:004017DA E8610B0000 call 00402340
:004017DF 83C40C add esp, 00C
---------
:004017E2 57 push edi
:004017E3 FF151C404000 call dword[0040401C ->00004534 FreeEnvironmentStringsA] ;;call KERNEL32.FreeEnvironmentStringsA
:004017E9 8BC6 mov eax, esi
:004017EB EB02 jmp 004017EF
---------
:004017ED 33C0 xor eax, eax
---------
:004017EF 5F pop edi
:004017F0 5E pop esi
:004017F1 5D pop ebp
:004017F2 5B pop ebx
:004017F3 59 pop ecx
:004017F4 59 pop ecx
:004017F5 C3 ret
=========
;; 004017F6: builds the handle table. Entries are 8 bytes (dword handle at +0, flag byte at
;; +4, byte at +5 set to 0x0A); they are allocated 0x100 bytes (32 entries) at a time, with
;; the page pointers kept from 00405680 on and the entry count in [00405780].
;; After the first page is initialised the routine imports handles described by the
;; STARTUPINFO reserved block, then fills entries 0-2 from GetStdHandle. It continues past
;; the end of this stretch.
:004017F6 83EC44 sub esp, 044
:004017F9 53 push ebx
:004017FA 55 push ebp
:004017FB 56 push esi
:004017FC 57 push edi
:004017FD 6800010000 push 00000100
:00401802 E859060000 call 00401E60
:00401807 8BF0 mov esi, eax
:00401809 59 pop ecx
:0040180A 85F6 test esi, esi
:0040180C 7508 jne 00401816
:0040180E 6A1B push 01B
:00401810 E8DAF8FFFF call 004010EF
:00401815 59 pop ecx
---------
:00401816 893580564000 mov dword[00405680], esi
:0040181C C7058057400020000000 mov dword[00405780], 00000020
:00401826 8D8600010000 lea eax, dword[esi+00000100]
---------
:0040182C 3BF0 cmp esi, eax
:0040182E 731A jae 0040184A
:00401830 80660400 and byte[esi+04], 00
:00401834 830EFF or dword[esi], -001 ;; handle = -1 marks an unused entry
:00401837 C646050A mov byte[esi+05], 0A
:0040183B A180564000 mov eax, dword[00405680]
:00401840 83C608 add esi, 008
:00401843 0500010000 add eax, 00000100
:00401848 EBE2 jmp 0040182C
---------
:0040184A 8D442410 lea eax, dword[esp+10]
:0040184E 50 push eax
:0040184F FF153C404000 call dword[0040403C ->000045E0 GetStartupInfoA] ;;call KERNEL32.GetStartupInfoA
;; [esp+42] and [esp+44] are offsets 0x32 and 0x34 of the structure at esp+10, i.e. the
;; cbReserved2 and lpReserved2 members of STARTUPINFO. The block they describe is
;; supplied by whoever created this process.
:00401855 66837C244200 cmp word[esp+42], 000
:0040185B 0F84C5000000 je 00401926
:00401861 8B442444 mov eax, dword[esp+44]
:00401865 85C0 test eax, eax
:00401867 0F84B9000000 je 00401926
:0040186D 8B30 mov esi, dword[eax] ;; esi = entry count taken from the block
:0040186F 8D6804 lea ebp, dword[eax+04] ;; ebp = flag bytes, one per entry
:00401872 B800080000 mov eax, 00000800
:00401877 3BF0 cmp esi, eax
:00401879 8D1C2E lea ebx, dword[esi+ebp] ;; ebx = handle array, located with the unclamped count
:0040187C 7C02 jl 00401880
:0040187E 8BF0 mov esi, eax ;; count capped at 0x800
---------
;; NOTE(review): cbReserved2 is only tested for non-zero above; the visible code never
;; compares it with the space the count implies (4 + 5 * count bytes), so the reads at
;; 004018E0 / 004018E7 trust the creator-supplied count up to the 0x800 cap.
:00401880 393580574000 cmp dword[00405780], esi
:00401886 7D52 jge 004018DA
:00401888 BF84564000 mov edi, 00405684
---------
;; Grow the table 32 entries at a time until it can hold esi entries; if an allocation
;; fails, esi is reduced to what the table already holds.
:0040188D 6800010000 push 00000100
:00401892 E8C9050000 call 00401E60
:00401897 85C0 test eax, eax
:00401899 59 pop ecx
:0040189A 7438 je 004018D4
:0040189C 83058057400020 add dword[00405780], 020
:004018A3 8907 mov dword[edi], eax
:004018A5 8D8800010000 lea ecx, dword[eax+00000100]
---------
:004018AB 3BC1 cmp eax, ecx
:004018AD 7318 jae 004018C7
:004018AF 80600400 and byte[eax+04], 00
:004018B3 8308FF or dword[eax], -001
:004018B6 C640050A mov byte[eax+05], 0A
:004018BA 8B0F mov ecx, dword[edi]
:004018BC 83C008 add eax, 008
:004018BF 81C100010000 add ecx, 00000100
:004018C5 EBE4 jmp 004018AB
---------
:004018C7 83C704 add edi, 004
:004018CA 393580574000 cmp dword[00405780], esi
:004018D0 7CBB jl 0040188D
:004018D2 EB06 jmp 004018DA
---------
:004018D4 8B3580574000 mov esi, dword[00405780]
---------
:004018DA 33FF xor edi, edi
:004018DC 85F6 test esi, esi
:004018DE 7E46 jle 00401926 ;; zero or negative count: nothing to import
---------
;; Import entry edi only if its handle is not -1, flag bit 0 is set, and either flag bit 3
;; is set or GetFileType reports a non-zero type for the handle.
:004018E0 8B03 mov eax, dword[ebx]
:004018E2 83F8FF cmp eax, -001
:004018E5 7436 je 0040191D
:004018E7 8A4D00 mov cl, byte[ebp+00]
:004018EA F6C101 test cl, 01
:004018ED 742E je 0040191D
:004018EF F6C108 test cl, 08
:004018F2 750B jne 004018FF
:004018F4 50 push eax
:004018F5 FF1538404000 call dword[00404038 ->000045D2 GetFileType] ;;call KERNEL32.GetFileType
:004018FB 85C0 test eax, eax
:004018FD 741E je 0040191D
---------
:004018FF 8BC7 mov eax, edi
:00401901 8BCF mov ecx, edi
:00401903 C1F805 sar eax, 05 ;; page index = entry / 32
:00401906 83E11F and ecx, 01F ;; slot within the page = entry % 32
:00401909 8B048580564000 mov eax, dword[4*eax+00405680]
:00401910 8D04C8 lea eax, dword[eax+8*ecx]
:00401913 8B0B mov ecx, dword[ebx]
:00401915 8908 mov dword[eax], ecx
;; Tail of a routine whose prologue and first loops lie before this span; only
;; what the instructions below show is described. No symbols are loaded for
;; this image, so every routine name suggested in these notes is an inference.
:00401917 8A4D00 mov cl, byte[ebp+00]
:0040191A 884804 mov byte[eax+04], cl
---------
:0040191D 47 inc edi
:0040191E 45 inc ebp
:0040191F 83C304 add ebx, 004
:00401922 3BFE cmp edi, esi
:00401924 7CBA jl 004018E0
---------
;; Loop over ebx = 0..2 (bounded by cmp ebx, 003 at 00401988). Each pass works
;; on the 8-byte entry at [00405680] + 8*ebx: a dword at +0 and a flag byte at +4.
:00401926 33DB xor ebx, ebx
---------
:00401928 A180564000 mov eax, dword[00405680]
:0040192D 833CD8FF cmp dword[eax+8*ebx], -001
:00401931 8D34D8 lea esi, dword[eax+8*ebx]
;; Entry already holds something other than -1: only OR 0x80 into the flag byte.
:00401934 754D jne 00401983
:00401936 85DB test ebx, ebx
:00401938 C6460481 mov byte[esi+04], -7F
:0040193C 7505 jne 00401943
;; ebx == 0 -> argument -10 (STD_INPUT_HANDLE).
:0040193E 6AF6 push -00A
:00401940 58 pop eax
:00401941 EB0A jmp 0040194D
---------
;; ebx == 1 -> -11 (STD_OUTPUT_HANDLE), ebx == 2 -> -12 (STD_ERROR_HANDLE):
;; neg sets carry only when ebx-1 is non-zero, sbb turns that into 0 or -1.
:00401943 8BC3 mov eax, ebx
:00401945 48 dec eax
:00401946 F7D8 neg eax
:00401948 1BC0 sbb eax, eax
:0040194A 83C0F5 add eax, -00B
---------
:0040194D 50 push eax
:0040194E FF1534404000 call dword[00404034 ->000045C2 GetStdHandle] ;;call KERNEL32.GetStdHandle
:00401954 8BF8 mov edi, eax
;; A handle of -1 or a file type of 0 leaves the entry dword at -1 and sets 0x40.
:00401956 83FFFF cmp edi, -001
:00401959 7417 je 00401972
:0040195B 57 push edi
:0040195C FF1538404000 call dword[00404038 ->000045D2 GetFileType] ;;call KERNEL32.GetFileType
:00401962 85C0 test eax, eax
:00401964 740C je 00401972
:00401966 25FF000000 and eax, 000000FF
:0040196B 893E mov dword[esi], edi
;; Type 2 (FILE_TYPE_CHAR) falls through to the 0x40 flag; type 3
;; (FILE_TYPE_PIPE) sets 0x08 instead.
:0040196D 83F802 cmp eax, 002
:00401970 7506 jne 00401978
---------
:00401972 804E0440 or byte[esi+04], 40
:00401976 EB0F jmp 00401987
---------
:00401978 83F803 cmp eax, 003
:0040197B 750A jne 00401987
:0040197D 804E0408 or byte[esi+04], 08
:00401981 EB04 jmp 00401987
---------
:00401983 804E0480 or byte[esi+04], -80
---------
:00401987 43 inc ebx
:00401988 83FB03 cmp ebx, 003
:0040198B 7C9B jl 00401928
:0040198D FF3580574000 push dword[00405780]
:00401993 FF1530404000 call dword[00404030 ->000045B0 SetHandleCount] ;;call KERNEL32.SetHandleCount
:00401999 5F pop edi
:0040199A 5E pop esi
:0040199B 5D pop ebp
:0040199C 5B pop ebx
:0040199D 83C444 add esp, 044
:004019A0 C3 ret
=========
;; 004019A1: creates the process heap used by the allocator below and stores
;; the handle at 00405668. One stack argument; returns 1 on success, 0 on failure.
;; HeapCreate(flOptions, 0x1000, 0): flOptions is 1 (HEAP_NO_SERIALIZE) when the
;; argument is 0, otherwise 0.
;; NOTE(review): with flOptions = 1 the heap is not serialised; presumably the
;; argument says whether the program is multi-threaded - confirm at the caller.
:004019A1 33C0 xor eax, eax
:004019A3 6A00 push 000
;; After the push above, [esp+08] is the routine's first argument.
:004019A5 39442408 cmp dword[esp+08], eax
:004019A9 6800100000 push 00001000
:004019AE 0F94C0 sete al
:004019B1 50 push eax
:004019B2 FF1544404000 call dword[00404044 ->00004600 HeapCreate] ;;call KERNEL32.HeapCreate
:004019B8 85C0 test eax, eax
:004019BA A368564000 mov dword[00405668], eax
:004019BF 7415 je 004019D6
;; Second-stage initialiser at 00402675 (not in this span); a zero return
;; destroys the heap again and reports failure.
:004019C1 E8AF0C0000 call 00402675
:004019C6 85C0 test eax, eax
:004019C8 750F jne 004019D9
:004019CA FF3568564000 push dword[00405668]
:004019D0 FF1540404000 call dword[00404040 ->000045F2 HeapDestroy] ;;call KERNEL32.HeapDestroy
---------
:004019D6 33C0 xor eax, eax
:004019D8 C3 ret
---------
:004019D9 6A01 push 001
:004019DB 58 pop eax
:004019DC C3 ret
:004019DD CC CC CC ...
=========
;; 004019E0: saves the callee-saved registers and calls RtlUnwind (through the
;; thunk at 004037D8) with the caller's argument as the target frame and
;; 004019F8 as the resume address; the two remaining arguments are 0.
;; Same shape as the MSVC runtime's global-unwind helper (name inferred).
:004019E0 55 push ebp
:004019E1 8BEC mov ebp, esp
:004019E3 53 push ebx
:004019E4 56 push esi
:004019E5 57 push edi
:004019E6 55 push ebp
:004019E7 6A00 push 000
:004019E9 6A00 push 000
:004019EB 68F8194000 push 004019F8
:004019F0 FF7508 push dword[ebp+08]
:004019F3 E8E01D0000 call 004037D8 ;;call KERNEL32.RtlUnwind
---------
:004019F8 5D pop ebp
:004019F9 5F pop edi
:004019FA 5E pop esi
:004019FB 5B pop ebx
:004019FC 8BE5 mov esp, ebp
:004019FE 5D pop ebp
:004019FF C3 ret
---------
;; 00401A00: exception handler that 00401A22 installs around its own work.
;; Returns 1 unless the exception record's flags ([arg1+04]) have bit 0x2 or
;; 0x4 set; in that case it stores arg2 through the pointer in arg4 and returns 3.
:00401A00 8B4C2404 mov ecx, dword[esp+04]
:00401A04 F7410406000000 test dword[ecx+04], 00000006
:00401A0B B801000000 mov eax, 00000001
:00401A10 740F je 00401A21
:00401A12 8B442408 mov eax, dword[esp+08]
:00401A16 8B542410 mov edx, dword[esp+10]
:00401A1A 8902 mov dword[edx], eax
:00401A1C B803000000 mov eax, 00000003
---------
:00401A21 C3 ret
=========
;; 00401A22 (frame, stop_level): walks the frame's scope table from the current
;; level outwards and calls every entry whose filter slot is 0, stopping at
;; level -1 or at stop_level. Looks like the runtime's local-unwind helper.
;; Layout as used here: [frame+08] = table base, [frame+0C] = current level;
;; table entries are 12 bytes: +0 enclosing level, +4 filter, +8 handler.
:00401A22 53 push ebx
:00401A23 56 push esi
:00401A24 57 push edi
:00401A25 8B442410 mov eax, dword[esp+10]
;; Build a 4-dword record {previous fs:[0], 00401A00, -2, frame} on the stack
;; and make it the head of the thread's handler chain.
:00401A29 50 push eax
:00401A2A 6AFE push -002
:00401A2C 68001A4000 push 00401A00
:00401A31 64FF3500000000 push dword fs:[00000000]
:00401A38 64892500000000 mov dword fs:[00000000], esp
---------
:00401A3F 8B442420 mov eax, dword[esp+20]
:00401A43 8B5808 mov ebx, dword[eax+08]
:00401A46 8B700C mov esi, dword[eax+0C]
:00401A49 83FEFF cmp esi, -001
:00401A4C 742E je 00401A7C
:00401A4E 3B742424 cmp esi, dword[esp+24]
:00401A52 7428 je 00401A7C
;; esi*3, scaled by 4 in the addressing below = 12-byte entries.
:00401A54 8D3476 lea esi, dword[esi+2*esi]
:00401A57 8B0CB3 mov ecx, dword[ebx+4*esi]
:00401A5A 894C2408 mov dword[esp+08], ecx
;; The frame's level is moved to the enclosing one before the handler runs.
:00401A5E 89480C mov dword[eax+0C], ecx
:00401A61 837CB30400 cmp dword[ebx+4*esi+04], 000
:00401A66 7512 jne 00401A7A
:00401A68 6801010000 push 00000101
:00401A6D 8B44B308 mov eax, dword[ebx+4*esi+08]
:00401A71 E840000000 call 00401AB6
;; NOTE(review): indirect call through a table whose base and index were read
;; from the frame record; no range check on either is visible in this routine.
:00401A76 FF54B308 call dword[ebx+4*esi+08]
---------
:00401A7A EBC3 jmp 00401A3F
---------
;; Unlink the temporary record and drop its other three dwords.
:00401A7C 648F0500000000 pop dword fs:[00000000]
:00401A83 83C40C add esp, 00C
:00401A86 5F pop edi
:00401A87 5E pop esi
:00401A88 5B pop ebx
:00401A89 C3 ret
;; 00401A8A: returns 1 when the head of the handler chain is a record installed
;; by 00401A22 (handler == 00401A00) and [rec+08] equals [[rec+0C]+0C];
;; otherwise returns 0.
:00401A8A 33C0 xor eax, eax
:00401A8C 648B0D00000000 mov ecx, dword fs:[00000000]
:00401A93 817904001A4000 cmp dword[ecx+04], 00401A00
:00401A9A 7510 jne 00401AAC
:00401A9C 8B510C mov edx, dword[ecx+0C]
:00401A9F 8B520C mov edx, dword[edx+0C]
:00401AA2 395108 cmp dword[ecx+08], edx
:00401AA5 7505 jne 00401AAC
:00401AA7 B801000000 mov eax, 00000001
---------
:00401AAC C3 ret
;; 00401AAD / 00401AB6: two entry points sharing the tail at 00401AC0, which
;; records ecx, eax and ebp in the block at 004050CC (+08, +04, +0C) and pops
;; one stack argument on return. 00401AB6 loads ecx from [ebp+08] first.
;; Presumably a notification record for a debugger - TODO confirm.
:00401AAD 53 push ebx
:00401AAE 51 push ecx
:00401AAF BBCC504000 mov ebx, 004050CC
:00401AB4 EB0A jmp 00401AC0
=========
:00401AB6 53 push ebx
:00401AB7 51 push ecx
:00401AB8 BBCC504000 mov ebx, 004050CC
:00401ABD 8B4D08 mov ecx, dword[ebp+08]
---------
:00401AC0 894B08 mov dword[ebx+08], ecx
:00401AC3 894304 mov dword[ebx+04], eax
:00401AC6 896B0C mov dword[ebx+0C], ebp
:00401AC9 59 pop ecx
:00401ACA 5B pop ebx
:00401ACB C20400 ret 0004
;; Padding followed by the ASCII marker "VC20XC00" (data, not instructions).
:00401ACE CC CC 56 43 32 30 58 43 30 30 ..VC20XC00
---------
;; 00401AD8 (record, frame, context): per-frame exception handler for frames
;; that carry a scope table; its shape matches the VC++ runtime's
;; _except_handler3 (name inferred).
;; Returns 1 to keep searching, 0 when a filter returned a negative value.
;; When a filter returns a positive value it unwinds and calls that entry's handler.
;; NOTE(review): the table base [frame+08] and level [frame+0C] are read from
;; the registration record, which sits in the guarded function's stack frame,
;; and both indirect calls below use them without any bounds or section check
;; in this routine. Memory corruption that reaches the record therefore also
;; reaches these call targets. Nothing in this listing shows a safe-handler
;; table; check the PE load-config directory (/SAFESEH) and treat OS-level
;; SEHOP and DEP as the remaining protection for an image of this age.
:00401AD8 55 push ebp
:00401AD9 8BEC mov ebp, esp
:00401ADB 83EC08 sub esp, 008
:00401ADE 53 push ebx
:00401ADF 56 push esi
:00401AE0 57 push edi
:00401AE1 55 push ebp
:00401AE2 FC cld
:00401AE3 8B5D0C mov ebx, dword[ebp+0C]
:00401AE6 8B4508 mov eax, dword[ebp+08]
;; Flags with 0x2 or 0x4 set: take the unwind path at 00401B78.
:00401AE9 F7400406000000 test dword[eax+04], 00000006
:00401AF0 0F8582000000 jne 00401B78
;; Build the pair {record, context} at [ebp-08] and publish its address at
;; [frame-04] for the filter to read.
:00401AF6 8945F8 mov dword[ebp-08], eax
:00401AF9 8B4510 mov eax, dword[ebp+10]
:00401AFC 8945FC mov dword[ebp-04], eax
:00401AFF 8D45F8 lea eax, dword[ebp-08]
:00401B02 8943FC mov dword[ebx-04], eax
:00401B05 8B730C mov esi, dword[ebx+0C]
:00401B08 8B7B08 mov edi, dword[ebx+08]
---------
;; Walk levels outwards until -1 (no filter accepted: return 1).
:00401B0B 83FEFF cmp esi, -001
:00401B0E 7461 je 00401B71
:00401B10 8D0C76 lea ecx, dword[esi+2*esi]
;; Filter slot 0: nothing to evaluate at this level, go to the enclosing one.
:00401B13 837C8F0400 cmp dword[edi+4*ecx+04], 000
:00401B18 7445 je 00401B5F
:00401B1A 56 push esi
:00401B1B 55 push ebp
;; The filter runs with ebp = frame+10, i.e. inside the guarded function's frame.
:00401B1C 8D6B10 lea ebp, dword[ebx+10]
:00401B1F FF548F04 call dword[edi+4*ecx+04]
:00401B23 5D pop ebp
:00401B24 5E pop esi
:00401B25 8B5D0C mov ebx, dword[ebp+0C]
;; Filter result: 0 -> next level, negative -> return 0, positive -> handle here.
:00401B28 0BC0 or eax, eax
:00401B2A 7433 je 00401B5F
:00401B2C 783C js 00401B6A
:00401B2E 8B7B08 mov edi, dword[ebx+08]
:00401B31 53 push ebx
:00401B32 E8A9FEFFFF call 004019E0
:00401B37 83C404 add esp, 004
:00401B3A 8D6B10 lea ebp, dword[ebx+10]
:00401B3D 56 push esi
:00401B3E 53 push ebx
:00401B3F E8DEFEFFFF call 00401A22
:00401B44 83C408 add esp, 008
:00401B47 8D0C76 lea ecx, dword[esi+2*esi]
:00401B4A 6A01 push 001
:00401B4C 8B448F08 mov eax, dword[edi+4*ecx+08]
:00401B50 E861FFFFFF call 00401AB6
:00401B55 8B048F mov eax, dword[edi+4*ecx]
:00401B58 89430C mov dword[ebx+0C], eax
;; Transfers to the handler body; the fall-through below is only reached if it returns.
:00401B5B FF548F08 call dword[edi+4*ecx+08]
---------
:00401B5F 8B7B08 mov edi, dword[ebx+08]
:00401B62 8D0C76 lea ecx, dword[esi+2*esi]
:00401B65 8B348F mov esi, dword[edi+4*ecx]
:00401B68 EBA1 jmp 00401B0B
---------
:00401B6A B800000000 mov eax, 00000000
:00401B6F EB1C jmp 00401B8D
---------
:00401B71 B801000000 mov eax, 00000001
:00401B76 EB15 jmp 00401B8D
---------
;; Unwind path: run every pending handler of this frame (stop level -1), return 1.
:00401B78 55 push ebp
:00401B79 8D6B10 lea ebp, dword[ebx+10]
:00401B7C 6AFF push -001
:00401B7E 53 push ebx
:00401B7F E89EFEFFFF call 00401A22
:00401B84 83C408 add esp, 008
:00401B87 5D pop ebp
:00401B88 B801000000 mov eax, 00000001
---------
:00401B8D 5D pop ebp
:00401B8E 5F pop edi
:00401B8F 5E pop esi
:00401B90 5B pop ebx
:00401B91 8BE5 mov esp, ebp
:00401B93 5D pop ebp
:00401B94 C3 ret
;; 00401B95: takes one pointer argument, loads ebp from [arg+00] and calls
;; 00401A22 with [arg+18] and [arg+1C]; pops its argument on return.
;; Presumably the unwind step used by longjmp - TODO confirm.
:00401B95 55 push ebp
:00401B96 8B4C2408 mov ecx, dword[esp+08]
:00401B9A 8B29 mov ebp, dword[ecx]
:00401B9C 8B411C mov eax, dword[ecx+1C]
:00401B9F 50 push eax
:00401BA0 8B4118 mov eax, dword[ecx+18]
:00401BA3 50 push eax
:00401BA4 E879FEFFFF call 00401A22
:00401BA9 83C408 add esp, 008
:00401BAC 5D pop ebp
:00401BAD C20400 ret 0004
=========
;; 00401BB0: when [00405288] == 1, or [00405288] == 0 and [00405034] == 1,
;; prints message 0xFC, calls the pointer at [004053E4] if it is non-zero,
;; then prints message 0xFF. In every other case it does nothing.
;; NOTE(review): 004053E4 lies in the .data object, which the header dump
;; marks writable (flags C0000040), so this is a call through a writable global.
:00401BB0 A188524000 mov eax, dword[00405288]
:00401BB5 83F801 cmp eax, 001
:00401BB8 740D je 00401BC7
:00401BBA 85C0 test eax, eax
:00401BBC 752A jne 00401BE8
:00401BBE 833D3450400001 cmp dword[00405034], 001
:00401BC5 7521 jne 00401BE8
---------
:00401BC7 68FC000000 push 000000FC
:00401BCC E818000000 call 00401BE9
:00401BD1 A1E4534000 mov eax, dword[004053E4]
:00401BD6 59 pop ecx
:00401BD7 85C0 test eax, eax
:00401BD9 7402 je 00401BDD
:00401BDB FFD0 call eax
---------
:00401BDD 68FF000000 push 000000FF
:00401BE2 E802000000 call 00401BE9
:00401BE7 59 pop ecx
---------
:00401BE8 C3 ret
=========
;; 00401BE9 (code): looks the code up in the 8-byte {code, text pointer} table
;; at 004050E0 and reports the text, either by WriteFile to the standard-error
;; handle or through 00402EBE with the caption "Microsoft Visual C++ Runtime
;; Library". The same two globals tested in 00401BB0 select the WriteFile path.
;; Frame: 0x1A4 bytes of locals = a 0x104-byte buffer at ebp-1A4 (program path)
;; followed by a 0xA0-byte buffer at ebp-A0 (assembled message).
:00401BE9 55 push ebp
:00401BEA 8BEC mov ebp, esp
:00401BEC 81ECA4010000 sub esp, 000001A4
:00401BF2 8B5508 mov edx, dword[ebp+08]
:00401BF5 33C9 xor ecx, ecx
:00401BF7 B8E0504000 mov eax, 004050E0
---------
:00401BFC 3B10 cmp edx, dword[eax]
:00401BFE 740B je 00401C0B
:00401C00 83C008 add eax, 008
:00401C03 41 inc ecx
:00401C04 3D70514000 cmp eax, 00405170
:00401C09 7CF1 jl 00401BFC
---------
:00401C0B 56 push esi
:00401C0C 8BF1 mov esi, ecx
:00401C0E C1E603 shl esi, 03
;; NOTE(review): when no entry matched, ecx equals the entry count and this
;; compare reads the dword at 00405170, one slot past the bound the loop used.
;; The routine returns unless that dword happens to equal the code.
:00401C11 3B96E0504000 cmp edx, dword[esi+004050E0]
:00401C17 0F851C010000 jne 00401D39
:00401C1D A188524000 mov eax, dword[00405288]
:00401C22 83F801 cmp eax, 001
:00401C25 0F84E8000000 je 00401D13
:00401C2B 85C0 test eax, eax
:00401C2D 750D jne 00401C3C
:00401C2F 833D3450400001 cmp dword[00405034], 001
:00401C36 0F84D7000000 je 00401D13
---------
;; Code 0xFC produces no output on this path.
:00401C3C 81FAFC000000 cmp edx, 000000FC
:00401C42 0F84F1000000 je 00401D39
;; GetModuleFileNameA(NULL, ebp-1A4, 0x104): the size matches the buffer.
;; NOTE(review): the result is only tested for zero. Windows XP is documented
;; as leaving a truncated result without a terminator, in which case the length
;; scan at 00401C81 runs on into the rest of the frame - confirm on the target OS.
:00401C48 8D855CFEFFFF lea eax, dword[ebp+FFFFFE5C]
:00401C4E 6804010000 push 00000104
:00401C53 50 push eax
:00401C54 6A00 push 000
:00401C56 FF1518404000 call dword[00404018 ->0000451E GetModuleFileNameA] ;;call KERNEL32.GetModuleFileNameA
:00401C5C 85C0 test eax, eax
:00401C5E 7513 jne 00401C73
;; Failure: copy the fallback string at 00404374 into the path buffer.
:00401C60 8D855CFEFFFF lea eax, dword[ebp+FFFFFE5C]
:00401C66 6874434000 push 00404374 (StringData)""
:00401C6B 50 push eax
:00401C6C E8FF000000 call 00401D70
:00401C71 59 pop ecx
:00401C72 59 pop ecx
---------
:00401C73 8D855CFEFFFF lea eax, dword[ebp+FFFFFE5C]
;; edi is saved here and restored at 00401D10; it then points at the path text to show.
:00401C79 57 push edi
:00401C7A 50 push eax
:00401C7B 8DBD5CFEFFFF lea edi, dword[ebp+FFFFFE5C]
:00401C81 E85A020000 call 00401EE0
:00401C86 40 inc eax
:00401C87 59 pop ecx
;; Length + 1 above 0x3C: keep only the last 0x3B characters and overwrite the
;; first three of them with "..." through 00402F50 (dst, src, 3).
:00401C88 83F83C cmp eax, 03C
:00401C8B 7629 jbe 00401CB6
:00401C8D 8D855CFEFFFF lea eax, dword[ebp+FFFFFE5C]
:00401C93 50 push eax
:00401C94 E847020000 call 00401EE0
:00401C99 8BF8 mov edi, eax
:00401C9B 8D855CFEFFFF lea eax, dword[ebp+FFFFFE5C]
:00401CA1 83E83B sub eax, 03B
:00401CA4 6A03 push 003
:00401CA6 03F8 add edi, eax
:00401CA8 6870434000 push 00404370 (StringData)"..."
:00401CAD 57 push edi
:00401CAE E89D120000 call 00402F50
:00401CB3 83C410 add esp, 010
---------
;; Assemble the message in the 0xA0-byte buffer: the string at 00404354, the
;; (at most 0x3B-character) path text, the string at 00404350, then the table
;; text. 00401D70 copies and 00401D80 appends.
;; NOTE(review): neither routine takes a length. The result fits only if the
;; three fixed strings are short enough for the remaining space; their lengths
;; are not visible here - verify against the data at 00404354, 00404350 and
;; the table's text pointers.
:00401CB6 8D8560FFFFFF lea eax, dword[ebp+FFFFFF60]
:00401CBC 6854434000 push 00404354
:00401CC1 50 push eax
:00401CC2 E8A9000000 call 00401D70
:00401CC7 8D8560FFFFFF lea eax, dword[ebp+FFFFFF60]
:00401CCD 57 push edi
:00401CCE 50 push eax
:00401CCF E8AC000000 call 00401D80
:00401CD4 8D8560FFFFFF lea eax, dword[ebp+FFFFFF60]
:00401CDA 6850434000 push 00404350 (StringData)" "
:00401CDF 50 push eax
:00401CE0 E89B000000 call 00401D80
:00401CE5 FFB6E4504000 push dword[esi+004050E4]
:00401CEB 8D8560FFFFFF lea eax, dword[ebp+FFFFFF60]
:00401CF1 50 push eax
:00401CF2 E889000000 call 00401D80
;; 00402EBE (text, caption, 0x12010) is outside this span. The import table in
;; the header lists only KERNEL32, including LoadLibraryA and GetProcAddress, so
;; it presumably resolves the dialog call at run time - TODO confirm how the
;; library name is given there.
:00401CF7 6810200100 push 00012010
:00401CFC 8D8560FFFFFF lea eax, dword[ebp+FFFFFF60]
:00401D02 6828434000 push 00404328 (StringData)"Microsoft Visual C++ Runtime Library"
:00401D07 50 push eax
:00401D08 E8B1110000 call 00402EBE
;; 0x2C = the eleven dwords pushed for the five calls since 00401CBC.
:00401D0D 83C42C add esp, 02C
:00401D10 5F pop edi
:00401D11 EB26 jmp 00401D39
---------
;; Console path: WriteFile(GetStdHandle(-12), text, length of text, &arg, 0).
;; The argument slot at [ebp+08] is reused for the byte count written, and the
;; WriteFile result is not checked.
:00401D13 8D4508 lea eax, dword[ebp+08]
:00401D16 8DB6E4504000 lea esi, dword[esi+004050E4]
:00401D1C 6A00 push 000
:00401D1E 50 push eax
:00401D1F FF36 push dword[esi]
:00401D21 E8BA010000 call 00401EE0
:00401D26 59 pop ecx
:00401D27 50 push eax
:00401D28 FF36 push dword[esi]
:00401D2A 6AF4 push -00C
:00401D2C FF1534404000 call dword[00404034 ->000045C2 GetStdHandle] ;;call KERNEL32.GetStdHandle
:00401D32 50 push eax
:00401D33 FF1554404000 call dword[00404054 ->00004634 WriteFile] ;;call KERNEL32.WriteFile
---------
:00401D39 5E pop esi
:00401D3A C9 leave
:00401D3B C3 ret
=========
;; 00401D3C (ptr): releases a block. A null pointer is ignored. If 004026B3(ptr)
;; returns non-zero the block is handed to 004026DE(result, ptr); otherwise it
;; goes to HeapFree on the heap stored at 00405668 with flags 0.
;; Both helpers are outside this span; presumably a small-block pool lookup and
;; release. The HeapFree result is not examined.
:00401D3C 56 push esi
:00401D3D 8B742408 mov esi, dword[esp+08]
:00401D41 85F6 test esi, esi
:00401D43 7424 je 00401D69
:00401D45 56 push esi
:00401D46 E868090000 call 004026B3
:00401D4B 59 pop ecx
:00401D4C 85C0 test eax, eax
;; ptr is pushed before the branch: it becomes the last argument on either path.
:00401D4E 56 push esi
:00401D4F 740A je 00401D5B
:00401D51 50 push eax
:00401D52 E887090000 call 004026DE
:00401D57 59 pop ecx
:00401D58 59 pop ecx
:00401D59 5E pop esi
:00401D5A C3 ret
---------
:00401D5B 6A00 push 000
:00401D5D FF3568564000 push dword[00405668]
:00401D63 FF154C404000 call dword[0040404C ->0000461C HeapFree] ;;call KERNEL32.HeapFree
---------
:00401D69 5E pop esi
:00401D6A C3 ret
:00401D6B CC CC CC CC CC .....
=========
;; 00401D70 (dst, src): string copy. Loads dst into edi and jumps into the copy
;; loop shared with 00401D80. Returns dst. Same shape as the runtime's strcpy
;; (name inferred; the image has no symbols).
;; NOTE(review): no length parameter - the copy ends only at src's terminator,
;; so every caller must guarantee that dst is large enough.
:00401D70 57 push edi
:00401D71 8B7C2408 mov edi, dword[esp+08]
:00401D75 EB6A jmp 00401DE1
;; Alignment filler between the two entry points.
:00401D77 8DA42400000000 lea esp, dword[esp+00000000]
:00401D7E 8BFF mov edi, edi
=========
;; 00401D80 (dst, src): string append. Finds dst's terminator, then copies src
;; there, terminator included. Returns dst. Same shape as strcat (inferred).
;; The same missing-bound caveat applies, counted from the current end of dst.
:00401D80 8B4C2404 mov ecx, dword[esp+04]
:00401D84 57 push edi
;; Byte-wise scan until ecx is 4-byte aligned.
:00401D85 F7C103000000 test ecx, 00000003
:00401D8B 740F je 00401D9C
---------
:00401D8D 8A01 mov al, byte[ecx]
:00401D8F 41 inc ecx
:00401D90 84C0 test al, al
:00401D92 743B je 00401DCF
:00401D94 F7C103000000 test ecx, 00000003
:00401D9A 75F1 jne 00401D8D
---------
;; Word-at-a-time scan: the add / xor -1 / xor / test 81010100 sequence is zero
;; only when the dword cannot contain a zero byte; otherwise the four bytes are
;; tested one by one below. Reads are aligned dwords, so up to three bytes after
;; the terminator are read, all within the terminator's own dword.
:00401D9C 8B01 mov eax, dword[ecx]
:00401D9E BAFFFEFE7E mov edx, 7EFEFEFF
:00401DA3 03D0 add edx, eax
:00401DA5 83F0FF xor eax, -001
:00401DA8 33C2 xor eax, edx
:00401DAA 83C104 add ecx, 004
:00401DAD A900010181 test eax, 81010100
:00401DB2 74E8 je 00401D9C
:00401DB4 8B41FC mov eax, dword[ecx-04]
:00401DB7 84C0 test al, al
:00401DB9 7423 je 00401DDE
:00401DBB 84E4 test ah, ah
:00401DBD 741A je 00401DD9
:00401DBF A90000FF00 test eax, 00FF0000
:00401DC4 740E je 00401DD4
:00401DC6 A9000000FF test eax, FF000000
:00401DCB 7402 je 00401DCF
;; The word test can fire with no zero byte present; resume the scan.
:00401DCD EBCD jmp 00401D9C
---------
;; edi = address of dst's terminator, by the position of the zero byte.
:00401DCF 8D79FF lea edi, dword[ecx-01]
:00401DD2 EB0D jmp 00401DE1
---------
:00401DD4 8D79FE lea edi, dword[ecx-02]
:00401DD7 EB08 jmp 00401DE1
---------
:00401DD9 8D79FD lea edi, dword[ecx-03]
:00401DDC EB03 jmp 00401DE1
---------
:00401DDE 8D79FC lea edi, dword[ecx-04]
---------
;; Shared copy loop: ecx = src (second argument), edi = write position.
:00401DE1 8B4C240C mov ecx, dword[esp+0C]
:00401DE5 F7C103000000 test ecx, 00000003
:00401DEB 7419 je 00401E06
---------
;; Byte copy until src is 4-byte aligned.
:00401DED 8A11 mov dl, byte[ecx]
:00401DEF 41 inc ecx
:00401DF0 84D2 test dl, dl
:00401DF2 7464 je 00401E58
:00401DF4 8817 mov byte[edi], dl
:00401DF6 47 inc edi
:00401DF7 F7C103000000 test ecx, 00000003
:00401DFD 75EE jne 00401DED
:00401DFF EB05 jmp 00401E06
---------
;; Store a dword known to hold no terminator and advance.
:00401E01 8917 mov dword[edi], edx
:00401E03 83C704 add edi, 004
---------
:00401E06 BAFFFEFE7E mov edx, 7EFEFEFF
:00401E0B 8B01 mov eax, dword[ecx]
:00401E0D 03D0 add edx, eax
:00401E0F 83F0FF xor eax, -001
:00401E12 33C2 xor eax, edx
:00401E14 8B11 mov edx, dword[ecx]
:00401E16 83C104 add ecx, 004
:00401E19 A900010181 test eax, 81010100
:00401E1E 74E1 je 00401E01
:00401E20 84D2 test dl, dl
:00401E22 7434 je 00401E58
:00401E24 84F6 test dh, dh
:00401E26 7427 je 00401E4F
:00401E28 F7C20000FF00 test edx, 00FF0000
:00401E2E 7412 je 00401E42
:00401E30 F7C2000000FF test edx, FF000000
:00401E36 7402 je 00401E3A
:00401E38 EBC7 jmp 00401E01
---------
;; Four exits, one per terminator position. Each writes exactly the bytes up to
;; and including the terminator, so nothing beyond it is stored in dst.
;; Each exit returns dst from [esp+08].
:00401E3A 8917 mov dword[edi], edx
:00401E3C 8B442408 mov eax, dword[esp+08]
:00401E40 5F pop edi
:00401E41 C3 ret
---------
:00401E42 668917 mov word[edi], dx
:00401E45 8B442408 mov eax, dword[esp+08]
:00401E49 C6470200 mov byte[edi+02], 00
:00401E4D 5F pop edi
:00401E4E C3 ret
---------
:00401E4F 668917 mov word[edi], dx
:00401E52 8B442408 mov eax, dword[esp+08]
:00401E56 5F pop edi
:00401E57 C3 ret
---------
:00401E58 8817 mov byte[edi], dl
:00401E5A 8B442408 mov eax, dword[esp+08]
:00401E5E 5F pop edi
:00401E5F C3 ret
=========
;; 00401E60 (size): allocation entry point; forwards to 00401E72 with the
;; global at 004053F8 as second argument. Same shape as malloc (name inferred).
:00401E60 FF35F8534000 push dword[004053F8]
:00401E66 FF742408 push dword[esp+08]
:00401E6A E803000000 call 00401E72
:00401E6F 59 pop ecx
:00401E70 59 pop ecx
:00401E71 C3 ret
=========
;; 00401E72 (size, retry_flag): returns 0 at once for sizes above 0xFFFFFFE0
;; (unsigned compare), otherwise tries 00401E9E. On failure with a non-zero
;; flag it calls 0040304E(size) and retries while that returns non-zero.
;; The size cap is what keeps the round-up in 00401E9E (add 0F) from wrapping.
:00401E72 837C2404E0 cmp dword[esp+04], -020
:00401E77 7722 ja 00401E9B
---------
:00401E79 FF742404 push dword[esp+04]
:00401E7D E81C000000 call 00401E9E
:00401E82 85C0 test eax, eax
:00401E84 59 pop ecx
:00401E85 7516 jne 00401E9D
;; eax is 0 here: a zero flag returns the null result unchanged.
:00401E87 39442408 cmp dword[esp+08], eax
:00401E8B 7410 je 00401E9D
;; 0040304E is outside this span; presumably the out-of-memory callback hook.
:00401E8D FF742404 push dword[esp+04]
:00401E91 E8B8110000 call 0040304E
:00401E96 85C0 test eax, eax
:00401E98 59 pop ecx
:00401E99 75DE jne 00401E79
---------
:00401E9B 33C0 xor eax, eax
---------
:00401E9D C3 ret
=========
;; 00401E9E (size): sizes up to the threshold at [00405270] are first offered
;; to 00402A09 (outside this span; presumably a small-block pool). Otherwise,
;; or when that returns 0, a size of 0 becomes 1, the size is rounded up to a
;; multiple of 16 and HeapAlloc is called on the heap at 00405668.
;; NOTE(review): this routine does not repeat the 0xFFFFFFE0 check itself, so
;; the rounding is safe only for callers that come through 00401E72. The flags
;; argument is 0, so returned memory is not zero-filled.
:00401E9E 56 push esi
:00401E9F 8B742408 mov esi, dword[esp+08]
:00401EA3 3B3570524000 cmp esi, dword[00405270]
:00401EA9 770B ja 00401EB6
:00401EAB 56 push esi
:00401EAC E8580B0000 call 00402A09
:00401EB1 85C0 test eax, eax
:00401EB3 59 pop ecx
:00401EB4 751C jne 00401ED2
---------
:00401EB6 85F6 test esi, esi
:00401EB8 7503 jne 00401EBD
:00401EBA 6A01 push 001
:00401EBC 5E pop esi
---------
:00401EBD 83C60F add esi, 00F
:00401EC0 83E6F0 and esi, -010
:00401EC3 56 push esi
:00401EC4 6A00 push 000
:00401EC6 FF3568564000 push dword[00405668]
:00401ECC FF1558404000 call dword[00404058 ->00004640 HeapAlloc] ;;call KERNEL32.HeapAlloc
---------
:00401ED2 5E pop esi
:00401ED3 C3 ret
:00401ED4 CC CC CC CC CC CC CC CC CC CC CC CC ............
=========
;; 00401EE0 (str): returns the number of bytes before the terminator, using the
;; same aligned word-at-a-time scan as 00401D80. Same shape as strlen (inferred).
;; NOTE(review): the scan has no upper bound; a buffer without a terminator is
;; read until a zero byte turns up or the read faults.
:00401EE0 8B4C2404 mov ecx, dword[esp+04]
:00401EE4 F7C103000000 test ecx, 00000003
:00401EEA 7414 je 00401F00
---------
:00401EEC 8A01 mov al, byte[ecx]
:00401EEE 41 inc ecx
:00401EEF 84C0 test al, al
:00401EF1 7440 je 00401F33
:00401EF3 F7C103000000 test ecx, 00000003
:00401EF9 75F1 jne 00401EEC
;; Adds zero: five bytes of filler in front of the loop head; eax is reloaded next.
:00401EFB 0500000000 add eax, 00000000
---------
:00401F00 8B01 mov eax, dword[ecx]
:00401F02 BAFFFEFE7E mov edx, 7EFEFEFF
:00401F07 03D0 add edx, eax
:00401F09 83F0FF xor eax, -001
:00401F0C 33C2 xor eax, edx
:00401F0E 83C104 add ecx, 004
:00401F11 A900010181 test eax, 81010100
:00401F16 74E8 je 00401F00
:00401F18 8B41FC mov eax, dword[ecx-04]
:00401F1B 84C0 test al, al
:00401F1D 7432 je 00401F51
:00401F1F 84E4 test ah, ah
:00401F21 7424 je 00401F47
:00401F23 A90000FF00 test eax, 00FF0000
:00401F28 7413 je 00401F3D
:00401F2A A9000000FF test eax, FF000000
:00401F2F 7402 je 00401F33
:00401F31 EBCD jmp 00401F00
---------
;; Four exits: length = (address of the zero byte) - (start of the string).
:00401F33 8D41FF lea eax, dword[ecx-01]
:00401F36 8B4C2404 mov ecx, dword[esp+04]
:00401F3A 2BC1 sub eax, ecx
:00401F3C C3 ret
---------
:00401F3D 8D41FE lea eax, dword[ecx-02]
:00401F40 8B4C2404 mov ecx, dword[esp+04]
:00401F44 2BC1 sub eax, ecx
:00401F46 C3 ret
---------
:00401F47 8D41FD lea eax, dword[ecx-03]
:00401F4A 8B4C2404 mov ecx, dword[esp+04]
:00401F4E 2BC1 sub eax, ecx
:00401F50 C3 ret
---------
:00401F51 8D41FC lea eax, dword[ecx-04]
:00401F54 8B4C2404 mov ecx, dword[esp+04]
:00401F58 2BC1 sub eax, ecx
:00401F5A C3 ret
=========
;; 00401F5B: prologue only (0x18 bytes of locals); the body continues past this span.
:00401F5B 55 push ebp
:00401F5C 8BEC mov ebp, esp
:00401F5E 83EC18 sub esp, 018
:00401F61 53 push ebx :00401F62 56 push esi :00401F63 57 push edi :00401F64 FF7508 push dword[ebp+08] :00401F67 E888010000 call 004020F4 :00401F6C 8BF0 mov esi, eax :00401F6E 59 pop ecx :00401F6F 3B3540544000 cmp esi, dword[00405440] :00401F75 897508 mov dword[ebp+08], esi :00401F78 0F846A010000 je 004020E8 :00401F7E 33DB xor ebx, ebx :00401F80 3BF3 cmp esi, ebx :00401F82 0F8456010000 je 004020DE :00401F88 33D2 xor edx, edx :00401F8A B878514000 mov eax, 00405178 --------- :00401F8F 3930 cmp dword[eax], esi :00401F91 7472 je 00402005 :00401F93 83C030 add eax, 030 :00401F96 42 inc edx :00401F97 3D68524000 cmp eax, 00405268 :00401F9C 7CF1 jl 00401F8F :00401F9E 8D45E8 lea eax, dword[ebp-18] :00401FA1 50 push eax :00401FA2 56 push esi :00401FA3 FF155C404000 call dword[0040405C ->0000464C GetCPInfo] ;;call KERNEL32.GetCPInfo :00401FA9 83F801 cmp eax, 001 :00401FAC 0F8524010000 jne 004020D6 :00401FB2 6A40 push 040 :00401FB4 33C0 xor eax, eax :00401FB6 59 pop ecx :00401FB7 BF60554000 mov edi, 00405560 :00401FBC 837DE801 cmp dword[ebp-18], 001 :00401FC0 893540544000 mov dword[00405440], esi :00401FC6 F3AB rep stosd :00401FC8 AA stosb :00401FC9 891D64564000 mov dword[00405664], ebx :00401FCF 0F86EF000000 jbe 004020C4 :00401FD5 807DEE00 cmp byte[ebp-12], 00 :00401FD9 0F84BB000000 je 0040209A :00401FDF 8D4DEF lea ecx, dword[ebp-11] --------- :00401FE2 8A11 mov dl, byte[ecx] :00401FE4 84D2 test dl, dl :00401FE6 0F84AE000000 je 0040209A :00401FEC 0FB641FF movzx eax, byte[ecx-01] :00401FF0 0FB6D2 movzx edx, dl --------- :00401FF3 3BC2 cmp eax, edx :00401FF5 0F8793000000 ja 0040208E :00401FFB 80886155400004 or byte[eax+00405561], 04 :00402002 40 inc eax :00402003 EBEE jmp 00401FF3 --------- :00402005 6A40 push 040 :00402007 33C0 xor eax, eax :00402009 59 pop ecx :0040200A BF60554000 mov edi, 00405560 :0040200F F3AB rep stosd :00402011 8D3452 lea esi, dword[edx+2*edx] :00402014 895DFC mov dword[ebp-04], ebx :00402017 C1E604 shl esi, 04 :0040201A AA stosb :0040201B 8D9E88514000 lea 
ebx, dword[esi+00405188] --------- :00402021 803B00 cmp byte[ebx], 00 :00402024 8BCB mov ecx, ebx :00402026 742C je 00402054 --------- :00402028 8A5101 mov dl, byte[ecx+01] :0040202B 84D2 test dl, dl :0040202D 7425 je 00402054 :0040202F 0FB601 movzx eax, byte[ecx] :00402032 0FB6FA movzx edi, dl :00402035 3BC7 cmp eax, edi :00402037 7714 ja 0040204D :00402039 8B55FC mov edx, dword[ebp-04] :0040203C 8A9270514000 mov dl, byte[edx+00405170] --------- :00402042 089061554000 or byte[eax+00405561], dl :00402048 40 inc eax :00402049 3BC7 cmp eax, edi :0040204B 76F5 jbe 00402042 --------- :0040204D 41 inc ecx :0040204E 41 inc ecx :0040204F 803900 cmp byte[ecx], 00 :00402052 75D4 jne 00402028 --------- :00402054 FF45FC inc dword[ebp-04] :00402057 83C308 add ebx, 008 :0040205A 837DFC04 cmp dword[ebp-04], 004 :0040205E 72C1 jc 00402021 :00402060 8B4508 mov eax, dword[ebp+08] :00402063 C7055C54400001000000 mov dword[0040545C], 00000001 :0040206D 50 push eax :0040206E A340544000 mov dword[00405440], eax :00402073 E8C6000000 call 0040213E :00402078 8DB67C514000 lea esi, dword[esi+0040517C] :0040207E BF50544000 mov edi, 00405450 :00402083 A5 movsd :00402084 A5 movsd :00402085 59 pop ecx :00402086 A364564000 mov dword[00405664], eax :0040208B A5 movsd :0040208C EB55 jmp 004020E3 --------- :0040208E 41 inc ecx :0040208F 41 inc ecx :00402090 8079FF00 cmp byte[ecx-01], 00 :00402094 0F8548FFFFFF jne 00401FE2 --------- :0040209A 6A01 push 001 :0040209C 58 pop eax --------- :0040209D 80886155400008 or byte[eax+00405561], 08 :004020A4 40 inc eax :004020A5 3DFF000000 cmp eax, 000000FF :004020AA 72F1 jc 0040209D :004020AC 56 push esi :004020AD E88C000000 call 0040213E :004020B2 59 pop ecx :004020B3 A364564000 mov dword[00405664], eax :004020B8 C7055C54400001000000 mov dword[0040545C], 00000001 :004020C2 EB06 jmp 004020CA --------- :004020C4 891D5C544000 mov dword[0040545C], ebx --------- :004020CA 33C0 xor eax, eax :004020CC BF50544000 mov edi, 00405450 :004020D1 AB stosd :004020D2 AB stosd 
:004020D3 AB stosd :004020D4 EB0D jmp 004020E3 --------- :004020D6 391DE8534000 cmp dword[004053E8], ebx :004020DC 740E je 004020EC --------- :004020DE E88E000000 call 00402171 --------- :004020E3 E8B2000000 call 0040219A --------- :004020E8 33C0 xor eax, eax :004020EA EB03 jmp 004020EF --------- :004020EC 83C8FF or eax, -001 --------- :004020EF 5F pop edi :004020F0 5E pop esi :004020F1 5B pop ebx :004020F2 C9 leave :004020F3 C3 ret ========= :004020F4 8B442404 mov eax, dword[esp+04] :004020F8 8325E853400000 and dword[004053E8], 000 :004020FF 83F8FE cmp eax, -002 :00402102 7510 jne 00402114 :00402104 C705E853400001000000 mov dword[004053E8], 00000001 :0040210E FF2564404000 jmp dword[00404064 ->00004662 GetOEMCP] ;;call KERNEL32.GetOEMCP --------- :00402114 83F8FD cmp eax, -003 :00402117 7510 jne 00402129 :00402119 C705E853400001000000 mov dword[004053E8], 00000001 :00402123 FF2560404000 jmp dword[00404060 ->00004658 GetACP] ;;call KERNEL32.GetACP --------- :00402129 83F8FC cmp eax, -004 :0040212C 750F jne 0040213D :0040212E A118544000 mov eax, dword[00405418] :00402133 C705E853400001000000 mov dword[004053E8], 00000001 --------- :0040213D C3 ret ========= :0040213E 8B442404 mov eax, dword[esp+04] :00402142 2DA4030000 sub eax, 000003A4 :00402147 7422 je 0040216B :00402149 83E804 sub eax, 004 :0040214C 7417 je 00402165 :0040214E 83E80D sub eax, 00D :00402151 740C je 0040215F :00402153 48 dec eax :00402154 7403 je 00402159 :00402156 33C0 xor eax, eax :00402158 C3 ret --------- :00402159 B804040000 mov eax, 00000404 :0040215E C3 ret --------- :0040215F B812040000 mov eax, 00000412 :00402164 C3 ret --------- :00402165 B804080000 mov eax, 00000804 :0040216A C3 ret --------- :0040216B B811040000 mov eax, 00000411 :00402170 C3 ret ========= :00402171 57 push edi :00402172 6A40 push 040 :00402174 59 pop ecx :00402175 33C0 xor eax, eax :00402177 BF60554000 mov edi, 00405560 :0040217C F3AB rep stosd :0040217E AA stosb :0040217F 33C0 xor eax, eax :00402181 BF50544000 mov edi, 
00405450 :00402186 A340544000 mov dword[00405440], eax :0040218B A35C544000 mov dword[0040545C], eax :00402190 A364564000 mov dword[00405664], eax :00402195 AB stosd :00402196 AB stosd :00402197 AB stosd :00402198 5F pop edi :00402199 C3 ret ========= :0040219A 55 push ebp :0040219B 8BEC mov ebp, esp :0040219D 81EC14050000 sub esp, 00000514 :004021A3 8D45EC lea eax, dword[ebp-14] :004021A6 56 push esi :004021A7 50 push eax :004021A8 FF3540544000 push dword[00405440] :004021AE FF155C404000 call dword[0040405C ->0000464C GetCPInfo] ;;call KERNEL32.GetCPInfo :004021B4 83F801 cmp eax, 001 :004021B7 0F8516010000 jne 004022D3 :004021BD 33C0 xor eax, eax :004021BF BE00010000 mov esi, 00000100 --------- :004021C4 888405ECFEFFFF mov byte[ebp+eax+FFFFFEEC], al :004021CB 40 inc eax :004021CC 3BC6 cmp eax, esi :004021CE 72F4 jc 004021C4 :004021D0 8A45F2 mov al, byte[ebp-0E] :004021D3 C685ECFEFFFF20 mov byte[ebp+FFFFFEEC], 20 :004021DA 84C0 test al, al :004021DC 7437 je 00402215 :004021DE 53 push ebx :004021DF 57 push edi :004021E0 8D55F3 lea edx, dword[ebp-0D] --------- :004021E3 0FB60A movzx ecx, byte[edx] :004021E6 0FB6C0 movzx eax, al :004021E9 3BC1 cmp eax, ecx :004021EB 771D ja 0040220A :004021ED 2BC8 sub ecx, eax :004021EF 8DBC05ECFEFFFF lea edi, dword[ebp+eax+FFFFFEEC] :004021F6 41 inc ecx :004021F7 B820202020 mov eax, 20202020 :004021FC 8BD9 mov ebx, ecx :004021FE C1E902 shr ecx, 02 :00402201 F3AB rep stosd :00402203 8BCB mov ecx, ebx :00402205 83E103 and ecx, 003 :00402208 F3AA rep stosb --------- :0040220A 42 inc edx :0040220B 42 inc edx :0040220C 8A42FF mov al, byte[edx-01] :0040220F 84C0 test al, al :00402211 75D0 jne 004021E3 :00402213 5F pop edi :00402214 5B pop ebx --------- :00402215 6A00 push 000 :00402217 8D85ECFAFFFF lea eax, dword[ebp+FFFFFAEC] :0040221D FF3564564000 push dword[00405664] :00402223 FF3540544000 push dword[00405440] :00402229 50 push eax :0040222A 8D85ECFEFFFF lea eax, dword[ebp+FFFFFEEC] :00402230 56 push esi :00402231 50 push eax :00402232 
6A01 push 001 :00402234 E87F100000 call 004032B8 :00402239 6A00 push 000 :0040223B 8D85ECFDFFFF lea eax, dword[ebp+FFFFFDEC] :00402241 FF3540544000 push dword[00405440] :00402247 56 push esi :00402248 50 push eax :00402249 8D85ECFEFFFF lea eax, dword[ebp+FFFFFEEC] :0040224F 56 push esi :00402250 50 push eax :00402251 56 push esi :00402252 FF3564564000 push dword[00405664] :00402258 E80C0E0000 call 00403069 :0040225D 6A00 push 000 :0040225F 8D85ECFCFFFF lea eax, dword[ebp+FFFFFCEC] :00402265 FF3540544000 push dword[00405440] :0040226B 56 push esi :0040226C 50 push eax :0040226D 8D85ECFEFFFF lea eax, dword[ebp+FFFFFEEC] :00402273 56 push esi :00402274 50 push eax :00402275 6800020000 push 00000200 :0040227A FF3564564000 push dword[00405664] :00402280 E8E40D0000 call 00403069 :00402285 83C45C add esp, 05C :00402288 33C0 xor eax, eax :0040228A 8D8DECFAFFFF lea ecx, dword[ebp+FFFFFAEC] --------- :00402290 668B11 mov dx, word[ecx] :00402293 F6C201 test dl, 01 :00402296 7416 je 004022AE :00402298 80886155400010 or byte[eax+00405561], 10 :0040229F 8A9405ECFDFFFF mov dl, byte[ebp+eax+FFFFFDEC] --------- :004022A6 889060544000 mov byte[eax+00405460], dl :004022AC EB1C jmp 004022CA --------- :004022AE F6C202 test dl, 02 :004022B1 7410 je 004022C3 :004022B3 80886155400020 or byte[eax+00405561], 20 :004022BA 8A9405ECFCFFFF mov dl, byte[ebp+eax+FFFFFCEC] :004022C1 EBE3 jmp 004022A6 --------- :004022C3 80A06054400000 and byte[eax+00405460], 00 --------- :004022CA 40 inc eax :004022CB 41 inc ecx :004022CC 41 inc ecx :004022CD 3BC6 cmp eax, esi :004022CF 72BF jc 00402290 :004022D1 EB49 jmp 0040231C --------- :004022D3 33C0 xor eax, eax :004022D5 BE00010000 mov esi, 00000100 --------- :004022DA 83F841 cmp eax, 041 :004022DD 7219 jc 004022F8 :004022DF 83F85A cmp eax, 05A :004022E2 7714 ja 004022F8 :004022E4 80886155400010 or byte[eax+00405561], 10 :004022EB 8AC8 mov cl, al :004022ED 80C120 add cl, 20 --------- :004022F0 888860544000 mov byte[eax+00405460], cl :004022F6 EB1F jmp 
00402317 --------- :004022F8 83F861 cmp eax, 061 :004022FB 7213 jc 00402310 :004022FD 83F87A cmp eax, 07A :00402300 770E ja 00402310 :00402302 80886155400020 or byte[eax+00405561], 20 :00402309 8AC8 mov cl, al :0040230B 80E920 sub cl, 20 :0040230E EBE0 jmp 004022F0 --------- :00402310 80A06054400000 and byte[eax+00405460], 00 --------- :00402317 40 inc eax :00402318 3BC6 cmp eax, esi :0040231A 72BE jc 004022DA --------- :0040231C 5E pop esi :0040231D C9 leave :0040231E C3 ret ========= :0040231F 833D8857400000 cmp dword[00405788], 000 :00402326 7512 jne 0040233A :00402328 6AFD push -003 :0040232A E82CFCFFFF call 00401F5B :0040232F 59 pop ecx :00402330 C7058857400001000000 mov dword[00405788], 00000001 --------- :0040233A C3 ret :0040233B CC CC CC CC CC ..... ========= :00402340 55 push ebp :00402341 8BEC mov ebp, esp :00402343 57 push edi :00402344 56 push esi :00402345 8B750C mov esi, dword[ebp+0C] :00402348 8B4D10 mov ecx, dword[ebp+10] :0040234B 8B7D08 mov edi, dword[ebp+08] :0040234E 8BC1 mov eax, ecx :00402350 8BD1 mov edx, ecx :00402352 03C6 add eax, esi :00402354 3BFE cmp edi, esi :00402356 7608 jbe 00402360 :00402358 3BF8 cmp edi, eax :0040235A 0F8278010000 jb 004024D8 --------- :00402360 F7C703000000 test edi, 00000003 :00402366 7514 jne 0040237C :00402368 C1E902 shr ecx, 02 :0040236B 83E203 and edx, 003 :0040236E 83F908 cmp ecx, 008 :00402371 7229 jc 0040239C :00402373 F3A5 rep movsd :00402375 FF249588244000 jmp dword[4*edx+00402488] --------- :0040237C 8BC7 mov eax, edi :0040237E BA03000000 mov edx, 00000003 :00402383 83E904 sub ecx, 004 :00402386 720C jc 00402394 :00402388 83E003 and eax, 003 :0040238B 03C8 add ecx, eax :0040238D FF2485A0234000 jmp dword[4*eax+004023A0] --------- :00402394 FF248D98244000 jmp dword[4*ecx+00402498] :0040239B 90 FF 24 8D 1C ..$.. :004023A0 24400090 DWORD 90004024 ;; $A‘ :004023A4 B0234000 DWORD 004023B0 ;; .#@. :004023A8 DC234000 DWORD 004023DC ;; .#@. :004023AC 00244000 DWORD 00402400 ;; .$@. 
--------- :004023B0 23D1 and edx, ecx :004023B2 8A06 mov al, byte[esi] :004023B4 8807 mov byte[edi], al :004023B6 8A4601 mov al, byte[esi+01] :004023B9 884701 mov byte[edi+01], al :004023BC 8A4602 mov al, byte[esi+02] :004023BF C1E902 shr ecx, 02 :004023C2 884702 mov byte[edi+02], al :004023C5 83C603 add esi, 003 :004023C8 83C703 add edi, 003 :004023CB 83F908 cmp ecx, 008 :004023CE 72CC jc 0040239C :004023D0 F3A5 rep movsd :004023D2 FF249588244000 jmp dword[4*edx+00402488] :004023D9 8D4900 lea ecx, dword[ecx+00] --------- :004023DC 23D1 and edx, ecx :004023DE 8A06 mov al, byte[esi] :004023E0 8807 mov byte[edi], al :004023E2 8A4601 mov al, byte[esi+01] :004023E5 C1E902 shr ecx, 02 :004023E8 884701 mov byte[edi+01], al :004023EB 83C602 add esi, 002 :004023EE 83C702 add edi, 002 :004023F1 83F908 cmp ecx, 008 :004023F4 72A6 jc 0040239C :004023F6 F3A5 rep movsd :004023F8 FF249588244000 jmp dword[4*edx+00402488] :004023FF 90 . --------- :00402400 23D1 and edx, ecx :00402402 8A06 mov al, byte[esi] :00402404 8807 mov byte[edi], al :00402406 46 inc esi :00402407 C1E902 shr ecx, 02 :0040240A 47 inc edi :0040240B 83F908 cmp ecx, 008 :0040240E 728C jc 0040239C :00402410 F3A5 rep movsd :00402412 FF249588244000 jmp dword[4*edx+00402488] :00402419 8D 49 00 .I. :0040241C 7F244000 DWORD 0040247F ;; .$@. :00402420 6C244000 DWORD 0040246C ;; l$@. :00402424 64244000 DWORD 00402464 ;; d$@. :00402428 5C244000 DWORD 0040245C ;; \$@. :0040242C 54244000 DWORD 00402454 ;; T$@. :00402430 4C244000 DWORD 0040244C ;; L$@. :00402434 44244000 DWORD 00402444 ;; D$@. :00402438 3C244000 DWORD 0040243C ;; <$@. 
--------- :0040243C 8B448EE4 mov eax, dword[esi+4*ecx-1C] :00402440 89448FE4 mov dword[edi+4*ecx-1C], eax --------- :00402444 8B448EE8 mov eax, dword[esi+4*ecx-18] :00402448 89448FE8 mov dword[edi+4*ecx-18], eax --------- :0040244C 8B448EEC mov eax, dword[esi+4*ecx-14] :00402450 89448FEC mov dword[edi+4*ecx-14], eax --------- :00402454 8B448EF0 mov eax, dword[esi+4*ecx-10] :00402458 89448FF0 mov dword[edi+4*ecx-10], eax --------- :0040245C 8B448EF4 mov eax, dword[esi+4*ecx-0C] :00402460 89448FF4 mov dword[edi+4*ecx-0C], eax --------- :00402464 8B448EF8 mov eax, dword[esi+4*ecx-08] :00402468 89448FF8 mov dword[edi+4*ecx-08], eax --------- :0040246C 8B448EFC mov eax, dword[esi+4*ecx-04] :00402470 89448FFC mov dword[edi+4*ecx-04], eax :00402474 8D048D00000000 lea eax, dword[4*ecx+00000000] :0040247B 03F0 add esi, eax :0040247D 03F8 add edi, eax :0040247F FF249588244000 jmp dword[4*edx+00402488] :00402486 8B FF .. :00402488 98244000 DWORD 00402498 ;; .$@. :0040248C A0244000 DWORD 004024A0 ;; .$@. :00402490 AC244000 DWORD 004024AC ;; .$@. :00402494 C0244000 DWORD 004024C0 ;; .$@. --------- :00402498 8B4508 mov eax, dword[ebp+08] :0040249B 5E pop esi :0040249C 5F pop edi :0040249D C9 leave :0040249E C3 ret :0040249F 90 . --------- :004024A0 8A06 mov al, byte[esi] :004024A2 8807 mov byte[edi], al :004024A4 8B4508 mov eax, dword[ebp+08] :004024A7 5E pop esi :004024A8 5F pop edi :004024A9 C9 leave :004024AA C3 ret :004024AB 90 . 
--------- :004024AC 8A06 mov al, byte[esi] :004024AE 8807 mov byte[edi], al :004024B0 8A4601 mov al, byte[esi+01] :004024B3 884701 mov byte[edi+01], al :004024B6 8B4508 mov eax, dword[ebp+08] :004024B9 5E pop esi :004024BA 5F pop edi :004024BB C9 leave :004024BC C3 ret :004024BD 8D4900 lea ecx, dword[ecx+00] --------- :004024C0 8A06 mov al, byte[esi] :004024C2 8807 mov byte[edi], al :004024C4 8A4601 mov al, byte[esi+01] :004024C7 884701 mov byte[edi+01], al :004024CA 8A4602 mov al, byte[esi+02] :004024CD 884702 mov byte[edi+02], al :004024D0 8B4508 mov eax, dword[ebp+08] :004024D3 5E pop esi :004024D4 5F pop edi :004024D5 C9 leave :004024D6 C3 ret :004024D7 90 . --------- :004024D8 8D7431FC lea esi, dword[ecx+esi-04] :004024DC 8D7C39FC lea edi, dword[ecx+edi-04] :004024E0 F7C703000000 test edi, 00000003 :004024E6 7524 jne 0040250C :004024E8 C1E902 shr ecx, 02 :004024EB 83E203 and edx, 003 :004024EE 83F908 cmp ecx, 008 :004024F1 720D jc 00402500 :004024F3 FD std :004024F4 F3A5 rep movsd :004024F6 FC cld :004024F7 FF249520264000 jmp dword[4*edx+00402620] :004024FE 8BFF mov edi, edi --------- :00402500 F7D9 neg ecx :00402502 FF248DD0254000 jmp dword[4*ecx+004025D0] :00402509 8D4900 lea ecx, dword[ecx+00] --------- :0040250C 8BC7 mov eax, edi :0040250E BA03000000 mov edx, 00000003 :00402513 83F904 cmp ecx, 004 :00402516 720C jc 00402524 :00402518 83E003 and eax, 003 :0040251B 2BC8 sub ecx, eax :0040251D FF248528254000 jmp dword[4*eax+00402528] :00402524 FF 24 8D 20 .$. :00402528 26400090 DWORD 90004026 ;; .A‘ :0040252C 38254000 DWORD 00402538 ;; 8%@. :00402530 58254000 DWORD 00402558 ;; X%@. :00402534 80254000 DWORD 00402580 ;; .%@. 
--------- :00402538 8A4603 mov al, byte[esi+03] :0040253B 23D1 and edx, ecx :0040253D 884703 mov byte[edi+03], al :00402540 4E dec esi :00402541 C1E902 shr ecx, 02 :00402544 4F dec edi :00402545 83F908 cmp ecx, 008 :00402548 72B6 jc 00402500 :0040254A FD std :0040254B F3A5 rep movsd :0040254D FC cld :0040254E FF249520264000 jmp dword[4*edx+00402620] :00402555 8D4900 lea ecx, dword[ecx+00] --------- :00402558 8A4603 mov al, byte[esi+03] :0040255B 23D1 and edx, ecx :0040255D 884703 mov byte[edi+03], al :00402560 8A4602 mov al, byte[esi+02] :00402563 C1E902 shr ecx, 02 :00402566 884702 mov byte[edi+02], al :00402569 83EE02 sub esi, 002 :0040256C 83EF02 sub edi, 002 :0040256F 83F908 cmp ecx, 008 :00402572 728C jc 00402500 :00402574 FD std :00402575 F3A5 rep movsd :00402577 FC cld :00402578 FF249520264000 jmp dword[4*edx+00402620] :0040257F 90 . --------- :00402580 8A4603 mov al, byte[esi+03] :00402583 23D1 and edx, ecx :00402585 884703 mov byte[edi+03], al :00402588 8A4602 mov al, byte[esi+02] :0040258B 884702 mov byte[edi+02], al :0040258E 8A4601 mov al, byte[esi+01] :00402591 C1E902 shr ecx, 02 :00402594 884701 mov byte[edi+01], al :00402597 83EE03 sub esi, 003 :0040259A 83EF03 sub edi, 003 :0040259D 83F908 cmp ecx, 008 :004025A0 0F825AFFFFFF jb 00402500 :004025A6 FD std :004025A7 F3A5 rep movsd :004025A9 FC cld :004025AA FF249520264000 jmp dword[4*edx+00402620] :004025B1 8D 49 00 .I. :004025B4 D4254000 DWORD 004025D4 ;; .%@. :004025B8 DC254000 DWORD 004025DC ;; .%@. :004025BC E4254000 DWORD 004025E4 ;; .%@. :004025C0 EC254000 DWORD 004025EC ;; .%@. :004025C4 F4254000 DWORD 004025F4 ;; .%@. :004025C8 FC254000 DWORD 004025FC ;; .%@. :004025CC 04264000 DWORD 00402604 ;; .&@. :004025D0 17264000 DWORD 00402617 ;; .&@. 
:004025D4 8B448E1C mov eax, dword[esi+4*ecx+1C] :004025D8 89448F1C mov dword[edi+4*ecx+1C], eax --------- :004025DC 8B448E18 mov eax, dword[esi+4*ecx+18] :004025E0 89448F18 mov dword[edi+4*ecx+18], eax --------- :004025E4 8B448E14 mov eax, dword[esi+4*ecx+14] :004025E8 89448F14 mov dword[edi+4*ecx+14], eax --------- :004025EC 8B448E10 mov eax, dword[esi+4*ecx+10] :004025F0 89448F10 mov dword[edi+4*ecx+10], eax --------- :004025F4 8B448E0C mov eax, dword[esi+4*ecx+0C] :004025F8 89448F0C mov dword[edi+4*ecx+0C], eax --------- :004025FC 8B448E08 mov eax, dword[esi+4*ecx+08] :00402600 89448F08 mov dword[edi+4*ecx+08], eax --------- :00402604 8B448E04 mov eax, dword[esi+4*ecx+04] :00402608 89448F04 mov dword[edi+4*ecx+04], eax :0040260C 8D048D00000000 lea eax, dword[4*ecx+00000000] :00402613 03F0 add esi, eax :00402615 03F8 add edi, eax --------- :00402617 FF249520264000 jmp dword[4*edx+00402620] :0040261E 8B FF .. :00402620 30264000 DWORD 00402630 ;; 0&@. :00402624 38264000 DWORD 00402638 ;; 8&@. :00402628 48264000 DWORD 00402648 ;; H&@. :0040262C 5C264000 DWORD 0040265C ;; \&@. --------- :00402630 8B4508 mov eax, dword[ebp+08] :00402633 5E pop esi :00402634 5F pop edi :00402635 C9 leave :00402636 C3 ret :00402637 90 . --------- :00402638 8A4603 mov al, byte[esi+03] :0040263B 884703 mov byte[edi+03], al :0040263E 8B4508 mov eax, dword[ebp+08] :00402641 5E pop esi :00402642 5F pop edi :00402643 C9 leave :00402644 C3 ret :00402645 8D4900 lea ecx, dword[ecx+00] --------- :00402648 8A4603 mov al, byte[esi+03] :0040264B 884703 mov byte[edi+03], al :0040264E 8A4602 mov al, byte[esi+02] :00402651 884702 mov byte[edi+02], al :00402654 8B4508 mov eax, dword[ebp+08] :00402657 5E pop esi :00402658 5F pop edi :00402659 C9 leave :0040265A C3 ret :0040265B 90 . 
---------
;; Tail of a copy routine whose entry lies above this point: moves the bytes at
;; offsets +3, +2 and +1 from [esi] to [edi], then returns the value at [ebp+08].
:0040265C 8A4603 mov al, byte[esi+03]
:0040265F 884703 mov byte[edi+03], al
:00402662 8A4602 mov al, byte[esi+02]
:00402665 884702 mov byte[edi+02], al
:00402668 8A4601 mov al, byte[esi+01]
:0040266B 884701 mov byte[edi+01], al
:0040266E 8B4508 mov eax, dword[ebp+08]
:00402671 5E pop esi
:00402672 5F pop edi
:00402673 C9 leave
:00402674 C3 ret
=========
;; Allocator set-up, no stack arguments.
;; Calls HeapAlloc(heap = [00405668], flags = 0, bytes = 0x140) and stores the
;; result in [0040543C]. Returns 0 in eax when the allocation fails, 1 otherwise.
;; 0x140 = 0x10 * 0x14: room for 0x10 entries of 0x14 bytes, matching the
;; capacity written to [00405428] below and the 0x14 stride used at 004026D6.
;; NOTE(review): the constants here and in the routines that follow resemble the
;; statically linked MSVC runtime small-block heap; confirm with library
;; signatures before analysing this as application code.
:00402675 6840010000 push 00000140
:0040267A 6A00 push 000
:0040267C FF3568564000 push dword[00405668]
:00402682 FF1558404000 call dword[00404058 ->00004640 HeapAlloc] ;;call KERNEL32.HeapAlloc
:00402688 85C0 test eax, eax
:0040268A A33C544000 mov dword[0040543C], eax
:0040268F 7501 jne 00402692
;; Failure path: eax is still 0 from HeapAlloc.
:00402691 C3 ret
---------
;; Success path: clear [00405434] and the entry count [00405438], point
;; [00405430] at the start of the table, set the capacity to 0x10, return 1.
:00402692 83253454400000 and dword[00405434], 000
:00402699 83253854400000 and dword[00405438], 000
:004026A0 6A01 push 001
:004026A2 A330544000 mov dword[00405430], eax
:004026A7 C7052854400010000000 mov dword[00405428], 00000010
:004026B1 58 pop eax
:004026B2 C3 ret
=========
;; Address-to-entry lookup. One stack argument ([esp+04]): an address.
;; Walks the table at [0040543C] ([00405438] entries of 0x14 bytes) and returns
;; in eax the first entry for which (address - entry[+0C]) is below 0x100000,
;; or 0 when no entry matches.
;; ecx = table + count * 0x14 (count*5, then *4), i.e. one past the last entry.
:004026B3 A138544000 mov eax, dword[00405438]
:004026B8 8D0C80 lea ecx, dword[eax+4*eax]
:004026BB A13C544000 mov eax, dword[0040543C]
:004026C0 8D0C88 lea ecx, dword[eax+4*ecx]
---------
:004026C3 3BC1 cmp eax, ecx
:004026C5 7314 jae 004026DB
:004026C7 8B542404 mov edx, dword[esp+04]
:004026CB 2B500C sub edx, dword[eax+0C]
;; Unsigned compare: an address below entry[+0C] wraps to a large value and is
;; rejected together with addresses 0x100000 or more above it.
:004026CE 81FA00001000 cmp edx, 00100000
:004026D4 7207 jc 004026DD
:004026D6 83C014 add eax, 014
:004026D9 EBE8 jmp 004026C3
---------
:004026DB 33C0 xor eax, eax
---------
:004026DD C3 ret
=========
;; Entry of a larger routine; its body continues past this point.
;; Two stack arguments: arg1 ([ebp+08]) is dereferenced at +0C and +10, the same
;; offsets the table entries above use; arg2 ([ebp+0C]) is an address.
;; NOTE(review): the dwords at [arg2-4] and [arg2-8] are read from memory
;; directly below the caller-supplied address and used by the code that follows;
;; treat them as inline allocator metadata when triaging heap corruption.
:004026DE 55 push ebp
:004026DF 8BEC mov ebp, esp
:004026E1 83EC14 sub esp, 014
:004026E4 8B550C mov edx, dword[ebp+0C]
:004026E7 8B4D08 mov ecx, dword[ebp+08]
:004026EA 53 push ebx
:004026EB 56 push esi
:004026EC 8B4110 mov eax, dword[ecx+10]
:004026EF 8BF2 mov esi, edx
:004026F1 2B710C sub esi, dword[ecx+0C]
:004026F4 8B5AFC mov ebx, dword[edx-04]
:004026F7 83C2FC add edx, -004
:004026FA 57 push edi
;; esi = (arg2 - arg1[+0C]) >> 15: index of the 0x8000-byte slice holding arg2.
:004026FB C1EE0F shr esi, 0F
:004026FE 8BCE mov ecx, esi
:00402700 8B7AFC mov edi, dword[edx-04]
:00402703 69C904020000 imul ecx, 00000204 :00402709 4B dec ebx :0040270A 897DFC mov dword[ebp-04], edi :0040270D 8D8C0144010000 lea ecx, dword[ecx+eax+00000144] :00402714 895DF4 mov dword[ebp-0C], ebx :00402717 894DF0 mov dword[ebp-10], ecx :0040271A 8B0C13 mov ecx, dword[ebx+edx] :0040271D F6C101 test cl, 01 :00402720 894DF8 mov dword[ebp-08], ecx :00402723 757F jne 004027A4 :00402725 C1F904 sar ecx, 04 :00402728 6A3F push 03F :0040272A 49 dec ecx :0040272B 5F pop edi :0040272C 894D0C mov dword[ebp+0C], ecx :0040272F 3BCF cmp ecx, edi :00402731 7603 jbe 00402736 :00402733 897D0C mov dword[ebp+0C], edi --------- :00402736 8B4C1304 mov ecx, dword[ebx+edx+04] :0040273A 3B4C1308 cmp ecx, dword[ebx+edx+08] :0040273E 7548 jne 00402788 :00402740 8B4D0C mov ecx, dword[ebp+0C] :00402743 83F920 cmp ecx, 020 :00402746 731C jae 00402764 :00402748 BF00000080 mov edi, 80000000 :0040274D D3EF shr edi, cl :0040274F 8D4C0104 lea ecx, dword[ecx+eax+04] :00402753 F7D7 not edi :00402755 217CB044 and dword[eax+4*esi+44], edi :00402759 FE09 dec byte[ecx] :0040275B 752B jne 00402788 :0040275D 8B4D08 mov ecx, dword[ebp+08] :00402760 2139 and dword[ecx], edi :00402762 EB24 jmp 00402788 --------- :00402764 83C1E0 add ecx, -020 :00402767 BF00000080 mov edi, 80000000 :0040276C D3EF shr edi, cl :0040276E 8B4D0C mov ecx, dword[ebp+0C] :00402771 8D4C0104 lea ecx, dword[ecx+eax+04] :00402775 F7D7 not edi :00402777 21BCB0C4000000 and dword[eax+4*esi+000000C4], edi :0040277E FE09 dec byte[ecx] :00402780 7506 jne 00402788 :00402782 8B4D08 mov ecx, dword[ebp+08] :00402785 217904 and dword[ecx+04], edi --------- :00402788 8B4C1308 mov ecx, dword[ebx+edx+08] :0040278C 8B7C1304 mov edi, dword[ebx+edx+04] :00402790 897904 mov dword[ecx+04], edi :00402793 8B4C1304 mov ecx, dword[ebx+edx+04] :00402797 8B7C1308 mov edi, dword[ebx+edx+08] :0040279B 035DF8 add ebx, dword[ebp-08] :0040279E 897908 mov dword[ecx+08], edi :004027A1 895DF4 mov dword[ebp-0C], ebx --------- :004027A4 8BFB mov edi, ebx :004027A6 
C1FF04 sar edi, 04 :004027A9 4F dec edi :004027AA 83FF3F cmp edi, 03F :004027AD 7603 jbe 004027B2 :004027AF 6A3F push 03F :004027B1 5F pop edi --------- :004027B2 8B4DFC mov ecx, dword[ebp-04] :004027B5 83E101 and ecx, 001 :004027B8 894DEC mov dword[ebp-14], ecx :004027BB 0F85A0000000 jne 00402861 :004027C1 2B55FC sub edx, dword[ebp-04] :004027C4 8B4DFC mov ecx, dword[ebp-04] :004027C7 C1F904 sar ecx, 04 :004027CA 6A3F push 03F :004027CC 8955F8 mov dword[ebp-08], edx :004027CF 49 dec ecx :004027D0 5A pop edx :004027D1 3BCA cmp ecx, edx :004027D3 894D0C mov dword[ebp+0C], ecx :004027D6 7605 jbe 004027DD :004027D8 89550C mov dword[ebp+0C], edx :004027DB 8BCA mov ecx, edx --------- :004027DD 035DFC add ebx, dword[ebp-04] :004027E0 8BFB mov edi, ebx :004027E2 895DF4 mov dword[ebp-0C], ebx :004027E5 C1FF04 sar edi, 04 :004027E8 4F dec edi :004027E9 3BFA cmp edi, edx :004027EB 7602 jbe 004027EF :004027ED 8BFA mov edi, edx --------- :004027EF 3BCF cmp ecx, edi :004027F1 746B je 0040285E :004027F3 8B4DF8 mov ecx, dword[ebp-08] :004027F6 8B5104 mov edx, dword[ecx+04] :004027F9 3B5108 cmp edx, dword[ecx+08] :004027FC 7548 jne 00402846 :004027FE 8B4D0C mov ecx, dword[ebp+0C] :00402801 83F920 cmp ecx, 020 :00402804 731C jae 00402822 :00402806 BA00000080 mov edx, 80000000 :0040280B D3EA shr edx, cl :0040280D 8D4C0104 lea ecx, dword[ecx+eax+04] :00402811 F7D2 not edx :00402813 2154B044 and dword[eax+4*esi+44], edx :00402817 FE09 dec byte[ecx] :00402819 752B jne 00402846 :0040281B 8B4D08 mov ecx, dword[ebp+08] :0040281E 2111 and dword[ecx], edx :00402820 EB24 jmp 00402846 --------- :00402822 83C1E0 add ecx, -020 :00402825 BA00000080 mov edx, 80000000 :0040282A D3EA shr edx, cl :0040282C 8B4D0C mov ecx, dword[ebp+0C] :0040282F 8D4C0104 lea ecx, dword[ecx+eax+04] :00402833 F7D2 not edx :00402835 2194B0C4000000 and dword[eax+4*esi+000000C4], edx :0040283C FE09 dec byte[ecx] :0040283E 7506 jne 00402846 :00402840 8B4D08 mov ecx, dword[ebp+08] :00402843 215104 and dword[ecx+04], edx 
--------- :00402846 8B4DF8 mov ecx, dword[ebp-08] :00402849 8B5108 mov edx, dword[ecx+08] :0040284C 8B4904 mov ecx, dword[ecx+04] :0040284F 894A04 mov dword[edx+04], ecx :00402852 8B4DF8 mov ecx, dword[ebp-08] :00402855 8B5104 mov edx, dword[ecx+04] :00402858 8B4908 mov ecx, dword[ecx+08] :0040285B 894A08 mov dword[edx+08], ecx --------- :0040285E 8B55F8 mov edx, dword[ebp-08] --------- :00402861 837DEC00 cmp dword[ebp-14], 000 :00402865 7509 jne 00402870 :00402867 397D0C cmp dword[ebp+0C], edi :0040286A 0F8489000000 je 004028F9 --------- :00402870 8B4DF0 mov ecx, dword[ebp-10] :00402873 8D0CF9 lea ecx, dword[ecx+8*edi] :00402876 8B4904 mov ecx, dword[ecx+04] :00402879 894A04 mov dword[edx+04], ecx :0040287C 8B4DF0 mov ecx, dword[ebp-10] :0040287F 8D0CF9 lea ecx, dword[ecx+8*edi] :00402882 894A08 mov dword[edx+08], ecx :00402885 895104 mov dword[ecx+04], edx :00402888 8B4A04 mov ecx, dword[edx+04] :0040288B 895108 mov dword[ecx+08], edx :0040288E 8B4A04 mov ecx, dword[edx+04] :00402891 3B4A08 cmp ecx, dword[edx+08] :00402894 7563 jne 004028F9 :00402896 8A4C0704 mov cl, byte[edi+eax+04] :0040289A 83FF20 cmp edi, 020 :0040289D 884D0F mov byte[ebp+0F], cl :004028A0 FEC1 inc cl :004028A2 884C0704 mov byte[edi+eax+04], cl :004028A6 7325 jae 004028CD :004028A8 807D0F00 cmp byte[ebp+0F], 00 :004028AC 750E jne 004028BC :004028AE BB00000080 mov ebx, 80000000 :004028B3 8BCF mov ecx, edi :004028B5 D3EB shr ebx, cl :004028B7 8B4D08 mov ecx, dword[ebp+08] :004028BA 0919 or dword[ecx], ebx --------- :004028BC BB00000080 mov ebx, 80000000 :004028C1 8BCF mov ecx, edi :004028C3 D3EB shr ebx, cl :004028C5 8D44B044 lea eax, dword[eax+4*esi+44] :004028C9 0918 or dword[eax], ebx :004028CB EB29 jmp 004028F6 --------- :004028CD 807D0F00 cmp byte[ebp+0F], 00 :004028D1 7510 jne 004028E3 :004028D3 8D4FE0 lea ecx, dword[edi-20] :004028D6 BB00000080 mov ebx, 80000000 :004028DB D3EB shr ebx, cl :004028DD 8B4D08 mov ecx, dword[ebp+08] :004028E0 095904 or dword[ecx+04], ebx --------- :004028E3 
8D4FE0 lea ecx, dword[edi-20] :004028E6 BF00000080 mov edi, 80000000 :004028EB D3EF shr edi, cl :004028ED 8D84B0C4000000 lea eax, dword[eax+4*esi+000000C4] :004028F4 0938 or dword[eax], edi --------- :004028F6 8B5DF4 mov ebx, dword[ebp-0C] --------- :004028F9 8B45F0 mov eax, dword[ebp-10] :004028FC 891A mov dword[edx], ebx :004028FE 895C13FC mov dword[ebx+edx-04], ebx :00402902 FF08 dec dword[eax] :00402904 0F85FA000000 jne 00402A04 :0040290A A134544000 mov eax, dword[00405434] :0040290F 85C0 test eax, eax :00402911 0F84DF000000 je 004029F6 :00402917 8B0D2C544000 mov ecx, dword[0040542C] :0040291D 8B3D48404000 mov edi, dword[00404048 ->0000460E VirtualFree] :00402923 C1E10F shl ecx, 0F :00402926 03480C add ecx, dword[eax+0C] :00402929 BB00800000 mov ebx, 00008000 :0040292E 6800400000 push 00004000 :00402933 53 push ebx :00402934 51 push ecx :00402935 FFD7 call edi ;;call KERNEL32.VirtualFree :00402937 8B0D2C544000 mov ecx, dword[0040542C] :0040293D A134544000 mov eax, dword[00405434] :00402942 BA00000080 mov edx, 80000000 :00402947 D3EA shr edx, cl :00402949 095008 or dword[eax+08], edx :0040294C A134544000 mov eax, dword[00405434] :00402951 8B0D2C544000 mov ecx, dword[0040542C] :00402957 8B4010 mov eax, dword[eax+10] :0040295A 83A488C400000000 and dword[eax+4*ecx+000000C4], 000 :00402962 A134544000 mov eax, dword[00405434] :00402967 8B4010 mov eax, dword[eax+10] :0040296A FE4843 dec byte[eax+43] :0040296D A134544000 mov eax, dword[00405434] :00402972 8B4810 mov ecx, dword[eax+10] :00402975 80794300 cmp byte[ecx+43], 00 :00402979 7509 jne 00402984 :0040297B 836004FE and dword[eax+04], -002 :0040297F A134544000 mov eax, dword[00405434] --------- :00402984 837808FF cmp dword[eax+08], -001 :00402988 756C jne 004029F6 :0040298A 53 push ebx :0040298B 6A00 push 000 :0040298D FF700C push dword[eax+0C] :00402990 FFD7 call edi ;;call KERNEL32.VirtualFree :00402992 A134544000 mov eax, dword[00405434] :00402997 FF7010 push dword[eax+10] :0040299A 6A00 push 000 :0040299C 
FF3568564000 push dword[00405668] :004029A2 FF154C404000 call dword[0040404C ->0000461C HeapFree] ;;call KERNEL32.HeapFree :004029A8 A138544000 mov eax, dword[00405438] :004029AD 8B153C544000 mov edx, dword[0040543C] :004029B3 8D0480 lea eax, dword[eax+4*eax] :004029B6 C1E002 shl eax, 02 :004029B9 8BC8 mov ecx, eax :004029BB A134544000 mov eax, dword[00405434] :004029C0 2BC8 sub ecx, eax :004029C2 8D4C11EC lea ecx, dword[ecx+edx-14] :004029C6 51 push ecx :004029C7 8D4814 lea ecx, dword[eax+14] :004029CA 51 push ecx :004029CB 50 push eax :004029CC E83F0A0000 call 00403410 :004029D1 8B4508 mov eax, dword[ebp+08] :004029D4 83C40C add esp, 00C :004029D7 FF0D38544000 dec dword[00405438] :004029DD 3B0534544000 cmp eax, dword[00405434] :004029E3 7603 jbe 004029E8 :004029E5 83E814 sub eax, 014 --------- :004029E8 8B0D3C544000 mov ecx, dword[0040543C] :004029EE 890D30544000 mov dword[00405430], ecx :004029F4 EB03 jmp 004029F9 --------- :004029F6 8B4508 mov eax, dword[ebp+08] --------- :004029F9 A334544000 mov dword[00405434], eax :004029FE 89352C544000 mov dword[0040542C], esi --------- :00402A04 5F pop edi :00402A05 5E pop esi :00402A06 5B pop ebx :00402A07 C9 leave :00402A08 C3 ret ========= :00402A09 55 push ebp :00402A0A 8BEC mov ebp, esp :00402A0C 83EC14 sub esp, 014 :00402A0F A138544000 mov eax, dword[00405438] :00402A14 8B153C544000 mov edx, dword[0040543C] :00402A1A 53 push ebx :00402A1B 56 push esi :00402A1C 8D0480 lea eax, dword[eax+4*eax] :00402A1F 57 push edi :00402A20 8D3C82 lea edi, dword[edx+4*eax] :00402A23 8B4508 mov eax, dword[ebp+08] :00402A26 897DFC mov dword[ebp-04], edi :00402A29 8D4817 lea ecx, dword[eax+17] :00402A2C 83E1F0 and ecx, -010 :00402A2F 894DF0 mov dword[ebp-10], ecx :00402A32 C1F904 sar ecx, 04 :00402A35 49 dec ecx :00402A36 83F920 cmp ecx, 020 :00402A39 7D0E jge 00402A49 :00402A3B 83CEFF or esi, -001 :00402A3E D3EE shr esi, cl :00402A40 834DF8FF or dword[ebp-08], -001 :00402A44 8975F4 mov dword[ebp-0C], esi :00402A47 EB10 jmp 00402A59 
--------- :00402A49 83C1E0 add ecx, -020 :00402A4C 83C8FF or eax, -001 :00402A4F 33F6 xor esi, esi :00402A51 D3E8 shr eax, cl :00402A53 8975F4 mov dword[ebp-0C], esi :00402A56 8945F8 mov dword[ebp-08], eax --------- :00402A59 A130544000 mov eax, dword[00405430] :00402A5E 8BD8 mov ebx, eax :00402A60 3BDF cmp ebx, edi :00402A62 895D08 mov dword[ebp+08], ebx :00402A65 7319 jae 00402A80 --------- :00402A67 8B4B04 mov ecx, dword[ebx+04] :00402A6A 8B3B mov edi, dword[ebx] :00402A6C 234DF8 and ecx, dword[ebp-08] :00402A6F 23FE and edi, esi :00402A71 0BCF or ecx, edi :00402A73 750B jne 00402A80 :00402A75 83C314 add ebx, 014 :00402A78 3B5DFC cmp ebx, dword[ebp-04] :00402A7B 895D08 mov dword[ebp+08], ebx :00402A7E 72E7 jc 00402A67 --------- :00402A80 3B5DFC cmp ebx, dword[ebp-04] :00402A83 7579 jne 00402AFE :00402A85 8BDA mov ebx, edx --------- :00402A87 3BD8 cmp ebx, eax :00402A89 895D08 mov dword[ebp+08], ebx :00402A8C 7315 jae 00402AA3 :00402A8E 8B4B04 mov ecx, dword[ebx+04] :00402A91 8B3B mov edi, dword[ebx] :00402A93 234DF8 and ecx, dword[ebp-08] :00402A96 23FE and edi, esi :00402A98 0BCF or ecx, edi :00402A9A 7505 jne 00402AA1 :00402A9C 83C314 add ebx, 014 :00402A9F EBE6 jmp 00402A87 --------- :00402AA1 3BD8 cmp ebx, eax --------- :00402AA3 7559 jne 00402AFE --------- :00402AA5 3B5DFC cmp ebx, dword[ebp-04] :00402AA8 7311 jae 00402ABB :00402AAA 837B0800 cmp dword[ebx+08], 000 :00402AAE 7508 jne 00402AB8 :00402AB0 83C314 add ebx, 014 :00402AB3 895D08 mov dword[ebp+08], ebx :00402AB6 EBED jmp 00402AA5 --------- :00402AB8 3B5DFC cmp ebx, dword[ebp-04] --------- :00402ABB 7526 jne 00402AE3 :00402ABD 8BDA mov ebx, edx --------- :00402ABF 3BD8 cmp ebx, eax :00402AC1 895D08 mov dword[ebp+08], ebx :00402AC4 730D jae 00402AD3 :00402AC6 837B0800 cmp dword[ebx+08], 000 :00402ACA 7505 jne 00402AD1 :00402ACC 83C314 add ebx, 014 :00402ACF EBEE jmp 00402ABF --------- :00402AD1 3BD8 cmp ebx, eax --------- :00402AD3 750E jne 00402AE3 :00402AD5 E838020000 call 00402D12 :00402ADA 8BD8 
mov ebx, eax :00402ADC 85DB test ebx, ebx :00402ADE 895D08 mov dword[ebp+08], ebx :00402AE1 7414 je 00402AF7 --------- :00402AE3 53 push ebx :00402AE4 E8DA020000 call 00402DC3 :00402AE9 59 pop ecx :00402AEA 8B4B10 mov ecx, dword[ebx+10] :00402AED 8901 mov dword[ecx], eax :00402AEF 8B4310 mov eax, dword[ebx+10] :00402AF2 8338FF cmp dword[eax], -001 :00402AF5 7507 jne 00402AFE --------- :00402AF7 33C0 xor eax, eax :00402AF9 E90F020000 jmp 00402D0D --------- :00402AFE 891D30544000 mov dword[00405430], ebx :00402B04 8B4310 mov eax, dword[ebx+10] :00402B07 8B10 mov edx, dword[eax] :00402B09 83FAFF cmp edx, -001 :00402B0C 8955FC mov dword[ebp-04], edx :00402B0F 7414 je 00402B25 :00402B11 8B8C90C4000000 mov ecx, dword[eax+4*edx+000000C4] :00402B18 8B7C9044 mov edi, dword[eax+4*edx+44] :00402B1C 234DF8 and ecx, dword[ebp-08] :00402B1F 23FE and edi, esi :00402B21 0BCF or ecx, edi :00402B23 7537 jne 00402B5C --------- :00402B25 8B90C4000000 mov edx, dword[eax+000000C4] :00402B2B 8B7044 mov esi, dword[eax+44] :00402B2E 2355F8 and edx, dword[ebp-08] :00402B31 2375F4 and esi, dword[ebp-0C] :00402B34 8365FC00 and dword[ebp-04], 000 :00402B38 8D4844 lea ecx, dword[eax+44] :00402B3B 0BD6 or edx, esi :00402B3D 8B75F4 mov esi, dword[ebp-0C] :00402B40 7517 jne 00402B59 --------- :00402B42 8B9184000000 mov edx, dword[ecx+00000084] :00402B48 FF45FC inc dword[ebp-04] :00402B4B 2355F8 and edx, dword[ebp-08] :00402B4E 83C104 add ecx, 004 :00402B51 8BFE mov edi, esi :00402B53 2339 and edi, dword[ecx] :00402B55 0BD7 or edx, edi :00402B57 74E9 je 00402B42 --------- :00402B59 8B55FC mov edx, dword[ebp-04] --------- :00402B5C 8BCA mov ecx, edx :00402B5E 33FF xor edi, edi :00402B60 69C904020000 imul ecx, 00000204 :00402B66 8D8C0144010000 lea ecx, dword[ecx+eax+00000144] :00402B6D 894DF4 mov dword[ebp-0C], ecx :00402B70 8B4C9044 mov ecx, dword[eax+4*edx+44] :00402B74 23CE and ecx, esi :00402B76 750D jne 00402B85 :00402B78 8B8C90C4000000 mov ecx, dword[eax+4*edx+000000C4] :00402B7F 6A20 push 020 
:00402B81 234DF8 and ecx, dword[ebp-08] :00402B84 5F pop edi --------- :00402B85 85C9 test ecx, ecx :00402B87 7C05 jl 00402B8E :00402B89 D1E1 shl ecx, 1 :00402B8B 47 inc edi :00402B8C EBF7 jmp 00402B85 --------- :00402B8E 8B4DF4 mov ecx, dword[ebp-0C] :00402B91 8B54F904 mov edx, dword[ecx+8*edi+04] :00402B95 8B0A mov ecx, dword[edx] :00402B97 2B4DF0 sub ecx, dword[ebp-10] :00402B9A 8BF1 mov esi, ecx :00402B9C 894DF8 mov dword[ebp-08], ecx :00402B9F C1FE04 sar esi, 04 :00402BA2 4E dec esi :00402BA3 83FE3F cmp esi, 03F :00402BA6 7E03 jle 00402BAB :00402BA8 6A3F push 03F :00402BAA 5E pop esi --------- :00402BAB 3BF7 cmp esi, edi :00402BAD 0F840D010000 je 00402CC0 :00402BB3 8B4A04 mov ecx, dword[edx+04] :00402BB6 3B4A08 cmp ecx, dword[edx+08] :00402BB9 7561 jne 00402C1C :00402BBB 83FF20 cmp edi, 020 :00402BBE 7D2B jge 00402BEB :00402BC0 BB00000080 mov ebx, 80000000 :00402BC5 8BCF mov ecx, edi :00402BC7 D3EB shr ebx, cl :00402BC9 8B4DFC mov ecx, dword[ebp-04] :00402BCC 8D7C3804 lea edi, dword[eax+edi+04] :00402BD0 F7D3 not ebx :00402BD2 895DEC mov dword[ebp-14], ebx :00402BD5 235C8844 and ebx, dword[eax+4*ecx+44] :00402BD9 895C8844 mov dword[eax+4*ecx+44], ebx :00402BDD FE0F dec byte[edi] :00402BDF 7538 jne 00402C19 :00402BE1 8B5D08 mov ebx, dword[ebp+08] :00402BE4 8B4DEC mov ecx, dword[ebp-14] :00402BE7 210B and dword[ebx], ecx :00402BE9 EB31 jmp 00402C1C --------- :00402BEB 8D4FE0 lea ecx, dword[edi-20] :00402BEE BB00000080 mov ebx, 80000000 :00402BF3 D3EB shr ebx, cl :00402BF5 8B4DFC mov ecx, dword[ebp-04] :00402BF8 8D7C3804 lea edi, dword[eax+edi+04] :00402BFC 8D8C88C4000000 lea ecx, dword[eax+4*ecx+000000C4] :00402C03 F7D3 not ebx :00402C05 2119 and dword[ecx], ebx :00402C07 FE0F dec byte[edi] :00402C09 895DEC mov dword[ebp-14], ebx :00402C0C 750B jne 00402C19 :00402C0E 8B5D08 mov ebx, dword[ebp+08] :00402C11 8B4DEC mov ecx, dword[ebp-14] :00402C14 214B04 and dword[ebx+04], ecx :00402C17 EB03 jmp 00402C1C --------- :00402C19 8B5D08 mov ebx, dword[ebp+08] --------- 
:00402C1C 8B4A08 mov ecx, dword[edx+08] :00402C1F 8B7A04 mov edi, dword[edx+04] :00402C22 837DF800 cmp dword[ebp-08], 000 :00402C26 897904 mov dword[ecx+04], edi :00402C29 8B4A04 mov ecx, dword[edx+04] :00402C2C 8B7A08 mov edi, dword[edx+08] :00402C2F 897908 mov dword[ecx+08], edi :00402C32 0F8494000000 je 00402CCC :00402C38 8B4DF4 mov ecx, dword[ebp-0C] :00402C3B 8B7CF104 mov edi, dword[ecx+8*esi+04] :00402C3F 8D0CF1 lea ecx, dword[ecx+8*esi] :00402C42 897A04 mov dword[edx+04], edi :00402C45 894A08 mov dword[edx+08], ecx :00402C48 895104 mov dword[ecx+04], edx :00402C4B 8B4A04 mov ecx, dword[edx+04] :00402C4E 895108 mov dword[ecx+08], edx :00402C51 8B4A04 mov ecx, dword[edx+04] :00402C54 3B4A08 cmp ecx, dword[edx+08] :00402C57 7564 jne 00402CBD :00402C59 8A4C0604 mov cl, byte[esi+eax+04] :00402C5D 83FE20 cmp esi, 020 :00402C60 884D0B mov byte[ebp+0B], cl :00402C63 7D29 jge 00402C8E :00402C65 FEC1 inc cl :00402C67 807D0B00 cmp byte[ebp+0B], 00 :00402C6B 884C0604 mov byte[esi+eax+04], cl :00402C6F 750B jne 00402C7C :00402C71 BF00000080 mov edi, 80000000 :00402C76 8BCE mov ecx, esi :00402C78 D3EF shr edi, cl :00402C7A 093B or dword[ebx], edi --------- :00402C7C BF00000080 mov edi, 80000000 :00402C81 8BCE mov ecx, esi :00402C83 D3EF shr edi, cl :00402C85 8B4DFC mov ecx, dword[ebp-04] :00402C88 097C8844 or dword[eax+4*ecx+44], edi :00402C8C EB2F jmp 00402CBD --------- :00402C8E FEC1 inc cl :00402C90 807D0B00 cmp byte[ebp+0B], 00 :00402C94 884C0604 mov byte[esi+eax+04], cl :00402C98 750D jne 00402CA7 :00402C9A 8D4EE0 lea ecx, dword[esi-20] :00402C9D BF00000080 mov edi, 80000000 :00402CA2 D3EF shr edi, cl :00402CA4 097B04 or dword[ebx+04], edi --------- :00402CA7 8B4DFC mov ecx, dword[ebp-04] :00402CAA 8DBC88C4000000 lea edi, dword[eax+4*ecx+000000C4] :00402CB1 8D4EE0 lea ecx, dword[esi-20] :00402CB4 BE00000080 mov esi, 80000000 :00402CB9 D3EE shr esi, cl :00402CBB 0937 or dword[edi], esi --------- :00402CBD 8B4DF8 mov ecx, dword[ebp-08] --------- :00402CC0 85C9 test 
ecx, ecx :00402CC2 740B je 00402CCF :00402CC4 890A mov dword[edx], ecx :00402CC6 894C11FC mov dword[ecx+edx-04], ecx :00402CCA EB03 jmp 00402CCF --------- :00402CCC 8B4DF8 mov ecx, dword[ebp-08] --------- :00402CCF 8B75F0 mov esi, dword[ebp-10] :00402CD2 03D1 add edx, ecx :00402CD4 8D4E01 lea ecx, dword[esi+01] :00402CD7 890A mov dword[edx], ecx :00402CD9 894C32FC mov dword[edx+esi-04], ecx :00402CDD 8B75F4 mov esi, dword[ebp-0C] :00402CE0 8B0E mov ecx, dword[esi] :00402CE2 85C9 test ecx, ecx :00402CE4 8D7901 lea edi, dword[ecx+01] :00402CE7 893E mov dword[esi], edi :00402CE9 751A jne 00402D05 :00402CEB 3B1D34544000 cmp ebx, dword[00405434] :00402CF1 7512 jne 00402D05 :00402CF3 8B4DFC mov ecx, dword[ebp-04] :00402CF6 3B0D2C544000 cmp ecx, dword[0040542C] :00402CFC 7507 jne 00402D05 :00402CFE 83253454400000 and dword[00405434], 000 --------- :00402D05 8B4DFC mov ecx, dword[ebp-04] :00402D08 8908 mov dword[eax], ecx :00402D0A 8D4204 lea eax, dword[edx+04] --------- :00402D0D 5F pop edi :00402D0E 5E pop esi :00402D0F 5B pop ebx :00402D10 C9 leave :00402D11 C3 ret ========= :00402D12 A138544000 mov eax, dword[00405438] :00402D17 8B0D28544000 mov ecx, dword[00405428] :00402D1D 56 push esi :00402D1E 57 push edi :00402D1F 33FF xor edi, edi :00402D21 3BC1 cmp eax, ecx :00402D23 7530 jne 00402D55 :00402D25 8D448950 lea eax, dword[ecx+4*ecx+50] :00402D29 C1E002 shl eax, 02 :00402D2C 50 push eax :00402D2D FF353C544000 push dword[0040543C] :00402D33 57 push edi :00402D34 FF3568564000 push dword[00405668] :00402D3A FF156C404000 call dword[0040406C ->0000467E HeapReAlloc] ;;call KERNEL32.HeapReAlloc :00402D40 3BC7 cmp eax, edi :00402D42 7461 je 00402DA5 :00402D44 83052854400010 add dword[00405428], 010 :00402D4B A33C544000 mov dword[0040543C], eax :00402D50 A138544000 mov eax, dword[00405438] --------- :00402D55 8B0D3C544000 mov ecx, dword[0040543C] :00402D5B 68C4410000 push 000041C4 :00402D60 6A08 push 008 :00402D62 8D0480 lea eax, dword[eax+4*eax] :00402D65 FF3568564000 push 
dword[00405668] :00402D6B 8D3481 lea esi, dword[ecx+4*eax] :00402D6E FF1558404000 call dword[00404058 ->00004640 HeapAlloc] ;;call KERNEL32.HeapAlloc :00402D74 3BC7 cmp eax, edi :00402D76 894610 mov dword[esi+10], eax :00402D79 742A je 00402DA5 :00402D7B 6A04 push 004 :00402D7D 6800200000 push 00002000 :00402D82 6800001000 push 00100000 :00402D87 57 push edi :00402D88 FF1568404000 call dword[00404068 ->0000466E VirtualAlloc] ;;call KERNEL32.VirtualAlloc :00402D8E 3BC7 cmp eax, edi :00402D90 89460C mov dword[esi+0C], eax :00402D93 7514 jne 00402DA9 :00402D95 FF7610 push dword[esi+10] :00402D98 57 push edi :00402D99 FF3568564000 push dword[00405668] :00402D9F FF154C404000 call dword[0040404C ->0000461C HeapFree] ;;call KERNEL32.HeapFree --------- :00402DA5 33C0 xor eax, eax :00402DA7 EB17 jmp 00402DC0 --------- :00402DA9 834E08FF or dword[esi+08], -001 :00402DAD 893E mov dword[esi], edi :00402DAF 897E04 mov dword[esi+04], edi :00402DB2 FF0538544000 inc dword[00405438] :00402DB8 8B4610 mov eax, dword[esi+10] :00402DBB 8308FF or dword[eax], -001 :00402DBE 8BC6 mov eax, esi --------- :00402DC0 5F pop edi :00402DC1 5E pop esi :00402DC2 C3 ret ========= :00402DC3 55 push ebp :00402DC4 8BEC mov ebp, esp :00402DC6 51 push ecx :00402DC7 8B4D08 mov ecx, dword[ebp+08] :00402DCA 53 push ebx :00402DCB 56 push esi :00402DCC 57 push edi :00402DCD 8B7110 mov esi, dword[ecx+10] :00402DD0 8B4108 mov eax, dword[ecx+08] :00402DD3 33DB xor ebx, ebx --------- :00402DD5 85C0 test eax, eax :00402DD7 7C05 jl 00402DDE :00402DD9 D1E0 shl eax, 1 :00402DDB 43 inc ebx :00402DDC EBF7 jmp 00402DD5 --------- :00402DDE 8BC3 mov eax, ebx :00402DE0 6A3F push 03F :00402DE2 69C004020000 imul eax, 00000204 :00402DE8 5A pop edx :00402DE9 8D843044010000 lea eax, dword[eax+esi+00000144] :00402DF0 8945FC mov dword[ebp-04], eax --------- :00402DF3 894008 mov dword[eax+08], eax :00402DF6 894004 mov dword[eax+04], eax :00402DF9 83C008 add eax, 008 :00402DFC 4A dec edx :00402DFD 75F4 jne 00402DF3 :00402DFF 8BFB 
mov edi, ebx :00402E01 6A04 push 004 :00402E03 C1E70F shl edi, 0F :00402E06 03790C add edi, dword[ecx+0C] :00402E09 6800100000 push 00001000 :00402E0E 6800800000 push 00008000 :00402E13 57 push edi :00402E14 FF1568404000 call dword[00404068 ->0000466E VirtualAlloc] ;;call KERNEL32.VirtualAlloc :00402E1A 85C0 test eax, eax :00402E1C 7508 jne 00402E26 :00402E1E 83C8FF or eax, -001 :00402E21 E993000000 jmp 00402EB9 --------- :00402E26 8D9700700000 lea edx, dword[edi+00007000] :00402E2C 3BFA cmp edi, edx :00402E2E 773C ja 00402E6C :00402E30 8D4710 lea eax, dword[edi+10] --------- :00402E33 8348F8FF or dword[eax-08], -001 :00402E37 8388EC0F0000FF or dword[eax+00000FEC], -001 :00402E3E 8D88FC0F0000 lea ecx, dword[eax+00000FFC] :00402E44 C740FCF00F0000 mov dword[eax-04], 00000FF0 :00402E4B 8908 mov dword[eax], ecx :00402E4D 8D88FCEFFFFF lea ecx, dword[eax+FFFFEFFC] :00402E53 894804 mov dword[eax+04], ecx :00402E56 C780E80F0000F00F0000 mov dword[eax+00000FE8], 00000FF0 :00402E60 0500100000 add eax, 00001000 :00402E65 8D48F0 lea ecx, dword[eax-10] :00402E68 3BCA cmp ecx, edx :00402E6A 76C7 jbe 00402E33 --------- :00402E6C 8B45FC mov eax, dword[ebp-04] :00402E6F 8D4F0C lea ecx, dword[edi+0C] :00402E72 05F8010000 add eax, 000001F8 :00402E77 6A01 push 001 :00402E79 5F pop edi :00402E7A 894804 mov dword[eax+04], ecx :00402E7D 894108 mov dword[ecx+08], eax :00402E80 8D4A0C lea ecx, dword[edx+0C] :00402E83 894808 mov dword[eax+08], ecx :00402E86 894104 mov dword[ecx+04], eax :00402E89 83649E4400 and dword[esi+4*ebx+44], 000 :00402E8E 89BC9EC4000000 mov dword[esi+4*ebx+000000C4], edi :00402E95 8A4643 mov al, byte[esi+43] :00402E98 8AC8 mov cl, al :00402E9A FEC1 inc cl :00402E9C 84C0 test al, al :00402E9E 8B4508 mov eax, dword[ebp+08] :00402EA1 884E43 mov byte[esi+43], cl :00402EA4 7503 jne 00402EA9 :00402EA6 097804 or dword[eax+04], edi --------- :00402EA9 BA00000080 mov edx, 80000000 :00402EAE 8BCB mov ecx, ebx :00402EB0 D3EA shr edx, cl :00402EB2 F7D2 not edx :00402EB4 215008 
and dword[eax+08], edx
;; NOTE(review): the lines down to the ret at 00402EBD are the tail of a routine that starts
;; before this excerpt; they are left unannotated.
:00402EB7 8BC3 mov eax, ebx
---------
:00402EB9 5F pop edi
:00402EBA 5E pop esi
:00402EBB 5B pop ebx
:00402EBC C9 leave
:00402EBD C3 ret
=========
;; ---- 00402EBE: lazily bound MessageBoxA wrapper ----
;; Resolves MessageBoxA, GetActiveWindow and GetLastActivePopup from user32.dll at run time
;; (LoadLibraryA + GetProcAddress) and caches the pointers at 004053EC / 004053F0 / 004053F4.
;; It then calls the cached MessageBoxA pointer with an owner window taken from
;; GetActiveWindow / GetLastActivePopup (0 when unavailable) and the caller's three stack
;; arguments. Returns the callee's result, or 0 if user32.dll or MessageBoxA cannot be resolved.
;; Triage note: because of the run-time lookup, user32.dll does not appear in the import table
;; (the file imports only KERNEL32.dll), so import-based tooling will not list MessageBoxA.
;; The library is requested by bare name, so resolution follows the loader's search order, and
;; the cached pointers sit in the writable .data section (RVA 5000, flags C0000040).
;; NOTE(review): the shape matches the MSVC C runtime's internal message-box helper; confirm
;; with a library-signature match before treating it as application logic.
:00402EBE 53 push ebx
:00402EBF 33DB xor ebx, ebx
;; ebx = 0 doubles as the default owner window; skip resolution if the pointer is already cached.
:00402EC1 391DEC534000 cmp dword[004053EC], ebx
:00402EC7 56 push esi
:00402EC8 57 push edi
:00402EC9 7542 jne 00402F0D
:00402ECB 68BC434000 push 004043BC (StringData)"user32.dll"
:00402ED0 FF1574404000 call dword[00404074 ->0000469E LoadLibraryA] ;;call KERNEL32.LoadLibraryA
:00402ED6 8BF8 mov edi, eax
:00402ED8 3BFB cmp edi, ebx
:00402EDA 7467 je 00402F43
:00402EDC 8B3570404000 mov esi, dword[00404070 ->0000468C GetProcAddress]
:00402EE2 68B0434000 push 004043B0 (StringData)"MessageBoxA"
:00402EE7 57 push edi
:00402EE8 FFD6 call esi ;;call KERNEL32.GetProcAddress
:00402EEA 85C0 test eax, eax
:00402EEC A3EC534000 mov dword[004053EC], eax
:00402EF1 7450 je 00402F43
;; The two remaining lookups are optional: their results are stored unchecked and tested before use.
:00402EF3 68A0434000 push 004043A0 (StringData)"GetActiveWindow"
:00402EF8 57 push edi
:00402EF9 FFD6 call esi ;;call KERNEL32.GetProcAddress
:00402EFB 688C434000 push 0040438C (StringData)"GetLastActivePopup"
:00402F00 57 push edi
:00402F01 A3F0534000 mov dword[004053F0], eax
:00402F06 FFD6 call esi ;;call KERNEL32.GetProcAddress
:00402F08 A3F4534000 mov dword[004053F4], eax
---------
;; Pick the owner window: GetActiveWindow(), then GetLastActivePopup(hwnd) when both exist.
:00402F0D A1F0534000 mov eax, dword[004053F0]
:00402F12 85C0 test eax, eax
:00402F14 7416 je 00402F2C
:00402F16 FFD0 call eax
:00402F18 8BD8 mov ebx, eax
:00402F1A 85DB test ebx, ebx
:00402F1C 740E je 00402F2C
:00402F1E A1F4534000 mov eax, dword[004053F4]
:00402F23 85C0 test eax, eax
:00402F25 7405 je 00402F2C
:00402F27 53 push ebx
:00402F28 FFD0 call eax
:00402F2A 8BD8 mov ebx, eax
---------
;; Each push lowers esp by 4, so the same [esp+18] operand re-pushes the caller's third,
;; second and first argument in turn; ebx (owner window) goes on last.
:00402F2C FF742418 push dword[esp+18]
:00402F30 FF742418 push dword[esp+18]
:00402F34 FF742418 push dword[esp+18]
:00402F38 53 push ebx
:00402F39 FF15EC534000 call dword[004053EC]
---------
:00402F3F 5F pop edi
:00402F40 5E pop esi
:00402F41 5B pop ebx
:00402F42 C3 ret
---------
;; Failure exit: return 0.
:00402F43 33C0 xor eax, eax
:00402F45 EBF8 jmp 00402F3F
:00402F47 CC .
:00402F48 CCCCCCCCCCCCCC
:00402F4F CC int 03
=========
;; ---- 00402F50: bounded string copy (strncpy-like) ----
;; Stack arguments at entry: [esp+04] dest, [esp+08] src, [esp+0C] count. Returns dest in eax.
;; Copies bytes from src until a NUL has been copied or count bytes have been written; once a
;; NUL is seen, the rest of the count is filled with zero bytes.
;; Caveat for reviewers of the callers: when count runs out before a NUL is found (exits via
;; 00402FA2), no terminator is written, so dest is left unterminated in that case.
:00402F50 8B4C240C mov ecx, dword[esp+0C]
:00402F54 57 push edi
:00402F55 85C9 test ecx, ecx
:00402F57 747A je 00402FD3
:00402F59 56 push esi
:00402F5A 53 push ebx
:00402F5B 8BD9 mov ebx, ecx
:00402F5D 8B742414 mov esi, dword[esp+14]
:00402F61 F7C603000000 test esi, 00000003
:00402F67 8B7C2410 mov edi, dword[esp+10]
:00402F6B 7507 jne 00402F74
:00402F6D C1E902 shr ecx, 02
:00402F70 756F jne 00402FE1
:00402F72 EB21 jmp 00402F95
---------
;; Byte-wise copy until src is 4-byte aligned, the count is used up, or a NUL is copied.
:00402F74 8A06 mov al, byte[esi]
:00402F76 46 inc esi
:00402F77 8807 mov byte[edi], al
:00402F79 47 inc edi
:00402F7A 49 dec ecx
:00402F7B 7425 je 00402FA2
:00402F7D 84C0 test al, al
:00402F7F 7429 je 00402FAA
:00402F81 F7C603000000 test esi, 00000003
:00402F87 75EB jne 00402F74
:00402F89 8BD9 mov ebx, ecx
:00402F8B C1E902 shr ecx, 02
:00402F8E 7551 jne 00402FE1
---------
:00402F90 83E303 and ebx, 003
:00402F93 740D je 00402FA2
---------
;; Trailing 1-3 bytes after the dword loop (or the whole copy when count < 4).
:00402F95 8A06 mov al, byte[esi]
:00402F97 46 inc esi
:00402F98 8807 mov byte[edi], al
:00402F9A 47 inc edi
:00402F9B 84C0 test al, al
:00402F9D 742F je 00402FCE
:00402F9F 4B dec ebx
:00402FA0 75F3 jne 00402F95
---------
;; Count exhausted: return dest. Nothing is appended here.
:00402FA2 8B442410 mov eax, dword[esp+10]
:00402FA6 5B pop ebx
:00402FA7 5E pop esi
:00402FA8 5F pop edi
:00402FA9 C3 ret
---------
;; NUL already copied (al = 0): zero-fill the remaining count, bytes first until dest is aligned.
:00402FAA F7C703000000 test edi, 00000003
:00402FB0 7412 je 00402FC4
---------
:00402FB2 8807 mov byte[edi], al
:00402FB4 47 inc edi
:00402FB5 49 dec ecx
:00402FB6 0F848A000000 je 00403046
:00402FBC F7C703000000 test edi, 00000003
:00402FC2 75EE jne 00402FB2
---------
:00402FC4 8BD9 mov ebx, ecx
:00402FC6 C1E902 shr ecx, 02
:00402FC9 756C jne 00403037
---------
:00402FCB 8807 mov byte[edi], al
:00402FCD 47 inc edi
---------
:00402FCE 4B dec ebx
:00402FCF 75FA jne 00402FCB
:00402FD1 5B pop ebx
:00402FD2 5E pop esi
---------
;; Shared exit (also the count == 0 path): only edi is on the stack here, so [esp+08] is dest.
:00402FD3 8B442408 mov eax, dword[esp+08]
:00402FD7 5F pop edi
:00402FD8 C3 ret
---------
:00402FD9 8917 mov dword[edi], edx
:00402FDB 83C704 add edi, 004
:00402FDE 49 dec ecx
:00402FDF 74AF je 00402F90
---------
;; Dword loop. The 7EFEFEFF / 81010100 arithmetic is a quick filter for "this dword may hold
;; a zero byte"; when it fires, the four bytes are checked one by one below, and the dword is
;; still stored whole (jne 00402FD9) if none of them is zero.
:00402FE1 BAFFFEFE7E mov edx, 7EFEFEFF
:00402FE6 8B06 mov eax, dword[esi]
:00402FE8 03D0 add edx, eax
:00402FEA 83F0FF xor eax, -001
:00402FED 33C2 xor eax, edx
:00402FEF 8B16 mov edx, dword[esi]
:00402FF1 83C604 add esi, 004
:00402FF4 A900010181 test eax, 81010100
:00402FF9 74DE je 00402FD9
:00402FFB 84D2 test dl, dl
:00402FFD 742C je 0040302B
:00402FFF 84F6 test dh, dh
:00403001 741E je 00403021
:00403003 F7C20000FF00 test edx, 00FF0000
:00403009 740C je 00403017
:0040300B F7C2000000FF test edx, FF000000
:00403011 75C6 jne 00402FD9
:00403013 8917 mov dword[edi], edx
:00403015 EB18 jmp 0040302F
---------
;; The masks below keep the bytes up to the NUL and clear the rest of the dword before storing it.
:00403017 81E2FFFF0000 and edx, 0000FFFF
:0040301D 8917 mov dword[edi], edx
:0040301F EB0E jmp 0040302F
---------
:00403021 81E2FF000000 and edx, 000000FF
:00403027 8917 mov dword[edi], edx
:00403029 EB04 jmp 0040302F
---------
:0040302B 33D2 xor edx, edx
:0040302D 8917 mov dword[edi], edx
---------
:0040302F 83C704 add edi, 004
:00403032 33C0 xor eax, eax
:00403034 49 dec ecx
:00403035 740A je 00403041
---------
:00403037 33C0 xor eax, eax
---------
;; Zero-fill the remaining whole dwords, then the last 0-3 bytes via 00402FCB.
:00403039 8907 mov dword[edi], eax
:0040303B 83C704 add edi, 004
:0040303E 49 dec ecx
:0040303F 75F8 jne 00403039
---------
:00403041 83E303 and ebx, 003
:00403044 7585 jne 00402FCB
---------
:00403046 8B442410 mov eax, dword[esp+10]
:0040304A 5B pop ebx
:0040304B 5E pop esi
:0040304C 5F pop edi
:0040304D C3 ret
=========
;; ---- 0040304E: optional callback dispatch ----
;; If the function pointer at 004053FC is non-zero, calls it with the single stack argument
;; and returns 1 when the callee returns non-zero. Returns 0 otherwise, including when no
;; pointer is set. The pointer is read from the writable .data section.
;; NOTE(review): resembles the C runtime's new-handler dispatcher - confirm.
:0040304E A1FC534000 mov eax, dword[004053FC]
:00403053 85C0 test eax, eax
:00403055 740F je 00403066
:00403057 FF742404 push dword[esp+04]
:0040305B FFD0 call eax
:0040305D 85C0 test eax, eax
:0040305F 59 pop ecx
:00403060 7404 je 00403066
:00403062 6A01 push 001
:00403064 58 pop eax
:00403065 C3 ret
---------
:00403066 33C0 xor eax, eax
:00403068 C3 ret
=========
;; ---- 00403069: ANSI-facing LCMapString wrapper ----
;; Frame arguments, as they are forwarded to the API calls below: [ebp+08] locale,
;; [ebp+0C] map flags, [ebp+10] source string, [ebp+14] source length, [ebp+18] destination,
;; [ebp+1C] destination size, [ebp+20] code page (0 = default from 00405418),
;; [ebp+24] non-zero to add flag 8 to the first MultiByteToWideChar call.
;; Returns the API result in eax, or 0 on any failure.
;; A one-time probe caches which API works at 00405420: 1 = LCMapStringW, 2 = LCMapStringA.
;; In mode 1 the source is converted to UTF-16 in a stack buffer obtained from 00403750,
;; mapped with LCMapStringW, and (unless bit 0x400 of the flags is set) converted back with
;; WideCharToMultiByte.
;; Review focus: both stack buffers are sized from string lengths (2 * character count,
;; rounded up to 4), so a very long input translates directly into stack consumption. The
;; structured-exception frame built in the prologue is what turns a fault during the
;; allocation into a "return 0" instead of a crash.
;; NOTE(review): matches the MSVC C runtime's LCMapString helper - confirm by signature.
:00403069 55 push ebp
:0040306A 8BEC mov ebp, esp
;; Build an exception registration record (handler 00401AD8) and link it at fs:[0].
;; NOTE(review): 004043D0 is presumably the scope table for this frame; it is not shown here.
:0040306C 6AFF push -001
:0040306E 68D0434000 push 004043D0
:00403073 68D81A4000 push 00401AD8
:00403078 64A100000000 mov eax, dword fs:[00000000]
:0040307E 50 push eax
:0040307F 64892500000000 mov dword fs:[00000000], esp
:00403086 83EC1C sub esp, 01C
:00403089 53 push ebx
:0040308A 56 push esi
:0040308B 57 push edi
:0040308C 8965E8 mov dword[ebp-18], esp
:0040308F 33FF xor edi, edi
:00403091 393D20544000 cmp dword[00405420], edi
:00403097 7546 jne 004030DF
;; Probe: LCMapStringW(0, 0x100, 004043CC, 1, 0, 0); success selects mode 1.
:00403099 57 push edi
:0040309A 57 push edi
:0040309B 6A01 push 001
:0040309D 5B pop ebx
:0040309E 53 push ebx
:0040309F 68CC434000 push 004043CC
:004030A4 BE00010000 mov esi, 00000100
:004030A9 56 push esi
:004030AA 57 push edi
:004030AB FF1580404000 call dword[00404080 ->000046D4 LCMapStringW] ;;call KERNEL32.LCMapStringW
:004030B1 85C0 test eax, eax
:004030B3 7408 je 004030BD
:004030B5 891D20544000 mov dword[00405420], ebx
:004030BB EB22 jmp 004030DF
---------
;; Fallback probe with LCMapStringA; success selects mode 2, failure returns 0.
:004030BD 57 push edi
:004030BE 57 push edi
:004030BF 53 push ebx
:004030C0 68C8434000 push 004043C8
:004030C5 56 push esi
:004030C6 57 push edi
:004030C7 FF157C404000 call dword[0040407C ->000046C4 LCMapStringA] ;;call KERNEL32.LCMapStringA
:004030CD 85C0 test eax, eax
:004030CF 0F8422010000 je 004031F7
:004030D5 C7052054400002000000 mov dword[00405420], 00000002
---------
;; A positive source length is replaced by the bounded length computed at 0040328D.
:004030DF 397D14 cmp dword[ebp+14], edi
:004030E2 7E10 jle 004030F4
:004030E4 FF7514 push dword[ebp+14]
:004030E7 FF7510 push dword[ebp+10]
:004030EA E89E010000 call 0040328D
:004030EF 59 pop ecx
:004030F0 59 pop ecx
:004030F1 894514 mov dword[ebp+14], eax
---------
:004030F4 A120544000 mov eax, dword[00405420]
:004030F9 83F802 cmp eax, 002
:004030FC 751D jne 0040311B
;; Mode 2: pass the six arguments straight through to LCMapStringA.
:004030FE FF751C push dword[ebp+1C]
:00403101 FF7518 push dword[ebp+18]
:00403104 FF7514 push dword[ebp+14]
:00403107 FF7510 push dword[ebp+10]
:0040310A FF750C push dword[ebp+0C]
:0040310D FF7508 push dword[ebp+08]
:00403110 FF157C404000 call dword[0040407C ->000046C4 LCMapStringA] ;;call KERNEL32.LCMapStringA
:00403116 E9DE000000 jmp 004031F9
---------
:0040311B 83F801 cmp eax, 001
:0040311E 0F85D3000000 jne 004031F7
:00403124 397D20 cmp dword[ebp+20], edi
:00403127 7508 jne 00403131
:00403129 A118544000 mov eax, dword[00405418]
:0040312E 894520 mov dword[ebp+20], eax
---------
;; Mode 1, step 1: size query. MultiByteToWideChar(code page, flags, src, len, 0, 0) with
;; flags = 1, or 9 when [ebp+24] is non-zero (neg/sbb/and/inc sequence). In the Windows
;; headers 1 is MB_PRECOMPOSED and 8 is MB_ERR_INVALID_CHARS.
:00403131 57 push edi
:00403132 57 push edi
:00403133 FF7514 push dword[ebp+14]
:00403136 FF7510 push dword[ebp+10]
:00403139 8B4524 mov eax, dword[ebp+24]
:0040313C F7D8 neg eax
:0040313E 1BC0 sbb eax, eax
:00403140 83E008 and eax, 008
:00403143 40 inc eax
:00403144 50 push eax
:00403145 FF7520 push dword[ebp+20]
:00403148 FF1578404000 call dword[00404078 ->000046AE MultiByteToWideChar] ;;call KERNEL32.MultiByteToWideChar
:0040314E 8BD8 mov ebx, eax
:00403150 895DE4 mov dword[ebp-1C], ebx
:00403153 3BDF cmp ebx, edi
:00403155 0F849C000000 je 004031F7
;; Step 2: reserve (2 * ebx, rounded up to 4) bytes on the stack via 00403750.
;; [ebp-04] is set to 0 around the allocation and back to -1 afterwards.
:0040315B 897DFC mov dword[ebp-04], edi
:0040315E 8D041B lea eax, dword[ebx+ebx]
:00403161 83C003 add eax, 003
:00403164 24FC and al, -04
:00403166 E8E5050000 call 00403750
:0040316B 8965E8 mov dword[ebp-18], esp
:0040316E 8BC4 mov eax, esp
:00403170 8945DC mov dword[ebp-24], eax
:00403173 834DFCFF or dword[ebp-04], -001
:00403177 EB13 jmp 0040318C
;; NOTE(review): 00403179 (returns 1) and 0040317D look like the filter and handler for the
;; guarded allocation above: the handler restores esp from [ebp-18] and clears the buffer
;; pointer so that the check at 0040318C fails. Confirm against the scope table.
:00403179 6A01 push 001
:0040317B 58 pop eax
:0040317C C3 ret
:0040317D 8B65E8 mov esp, dword[ebp-18]
:00403180 33FF xor edi, edi
:00403182 897DDC mov dword[ebp-24], edi
:00403185 834DFCFF or dword[ebp-04], -001
:00403189 8B5DE4 mov ebx, dword[ebp-1C]
---------
:0040318C 397DDC cmp dword[ebp-24], edi
:0040318F 7466 je 004031F7
;; Step 3: convert the source into the stack buffer (capacity ebx wide characters).
:00403191 53 push ebx
:00403192 FF75DC push dword[ebp-24]
:00403195 FF7514 push dword[ebp+14]
:00403198 FF7510 push dword[ebp+10]
:0040319B 6A01 push 001
:0040319D FF7520 push dword[ebp+20]
:004031A0 FF1578404000 call dword[00404078 ->000046AE MultiByteToWideChar] ;;call KERNEL32.MultiByteToWideChar
:004031A6 85C0 test eax, eax
:004031A8 744D je 004031F7
;; Step 4: size query for the mapped result (destination 0, size 0).
:004031AA 57 push edi
:004031AB 57 push edi
:004031AC 53 push ebx
:004031AD FF75DC push dword[ebp-24]
:004031B0 FF750C push dword[ebp+0C]
:004031B3 FF7508 push dword[ebp+08]
:004031B6 FF1580404000 call dword[00404080 ->000046D4 LCMapStringW] ;;call KERNEL32.LCMapStringW
:004031BC 8BF0 mov esi, eax
:004031BE 8975D8 mov dword[ebp-28], esi
:004031C1 3BF7 cmp esi, edi
:004031C3 7432 je 004031F7
;; Bit 0x400 of the map flags (LCMAP_SORTKEY in the Windows headers) selects the direct path:
;; the result is written straight into the caller's buffer, after checking that the required
;; size does not exceed the caller's destination size.
:004031C5 F6450D04 test byte[ebp+0D], 04
:004031C9 7440 je 0040320B
:004031CB 397D1C cmp dword[ebp+1C], edi
:004031CE 0F84B2000000 je 00403286
:004031D4 3B751C cmp esi, dword[ebp+1C]
:004031D7 7F1E jg 004031F7
:004031D9 FF751C push dword[ebp+1C]
:004031DC FF7518 push dword[ebp+18]
:004031DF 53 push ebx
:004031E0 FF75DC push dword[ebp-24]
:004031E3 FF750C push dword[ebp+0C]
:004031E6 FF7508 push dword[ebp+08]
:004031E9 FF1580404000 call dword[00404080 ->000046D4 LCMapStringW] ;;call KERNEL32.LCMapStringW
:004031EF 85C0 test eax, eax
:004031F1 0F858F000000 jne 00403286
---------
;; Failure exit: eax = 0.
:004031F7 33C0 xor eax, eax
---------
;; Common epilogue: drop the stack buffers, unlink the exception record, restore registers.
:004031F9 8D65C8 lea esp, dword[ebp-38]
:004031FC 8B4DF0 mov ecx, dword[ebp-10]
:004031FF 64890D00000000 mov dword fs:[00000000], ecx
:00403206 5F pop edi
:00403207 5E pop esi
:00403208 5B pop ebx
:00403209 C9 leave
:0040320A C3 ret
---------
;; Indirect path: second guarded stack buffer of (2 * esi, rounded up to 4) bytes for the
;; mapped UTF-16 text.
:0040320B C745FC01000000 mov dword[ebp-04], 00000001
:00403212 8D0436 lea eax, dword[esi+esi]
:00403215 83C003 add eax, 003
:00403218 24FC and al, -04
:0040321A E831050000 call 00403750
:0040321F 8965E8 mov dword[ebp-18], esp
:00403222 8BDC mov ebx, esp
:00403224 895DE0 mov dword[ebp-20], ebx
:00403227 834DFCFF or dword[ebp-04], -001
:0040322B EB12 jmp 0040323F
;; NOTE(review): same filter/handler pattern as at 00403179; here the handler clears ebx.
:0040322D 6A01 push 001
:0040322F 58 pop eax
:00403230 C3 ret
:00403231 8B65E8 mov esp, dword[ebp-18]
:00403234 33FF xor edi, edi
:00403236 33DB xor ebx, ebx
:00403238 834DFCFF or dword[ebp-04], -001
:0040323C 8B75D8 mov esi, dword[ebp-28]
---------
:0040323F 3BDF cmp ebx, edi
:00403241 74B4 je 004031F7
:00403243 56 push esi
:00403244 53 push ebx
:00403245 FF75E4 push dword[ebp-1C]
:00403248 FF75DC push dword[ebp-24]
:0040324B FF750C push dword[ebp+0C]
:0040324E FF7508 push dword[ebp+08]
:00403251 FF1580404000 call dword[00404080 ->000046D4 LCMapStringW] ;;call KERNEL32.LCMapStringW
:00403257 85C0 test eax, eax
:00403259 749C je 004031F7
;; Convert back: WideCharToMultiByte(code page, 0x220, ebx, esi, dest, size, 0, 0), or with
;; destination 0 / size 0 when the caller's destination size is 0 (size query).
:0040325B 397D1C cmp dword[ebp+1C], edi
:0040325E 57 push edi
:0040325F 57 push edi
:00403260 7504 jne 00403266
:00403262 57 push edi
:00403263 57 push edi
:00403264 EB06 jmp 0040326C
---------
:00403266 FF751C push dword[ebp+1C]
:00403269 FF7518 push dword[ebp+18]
---------
:0040326C 56 push esi
:0040326D 53 push ebx
:0040326E 6820020000 push 00000220
:00403273 FF7520 push dword[ebp+20]
:00403276 FF1524404000 call dword[00404024 ->00004568 WideCharToMultiByte] ;;call KERNEL32.WideCharToMultiByte
:0040327C 8BF0 mov esi, eax
:0040327E 3BF7 cmp esi, edi
:00403280 0F8471FFFFFF je 004031F7
---------
:00403286 8BC6 mov eax, esi
:00403288 E96CFFFFFF jmp 004031F9
=========
;; ---- 0040328D: bounded string length ----
;; Stack arguments: [esp+04] string, [esp+08] maximum count. Returns the number of bytes
;; before the first NUL when one is found within the count, otherwise the count itself.
;; Quirk: after the loop the byte at the current position is compared with 0 once more
;; (004032AA). When no NUL was found, that position is string + count, so one byte just past
;; the stated bound is read; the return value is the count either way.
:0040328D 8B542408 mov edx, dword[esp+08]
:00403291 8B442404 mov eax, dword[esp+04]
:00403295 85D2 test edx, edx
:00403297 56 push esi
:00403298 8D4AFF lea ecx, dword[edx-01]
:0040329B 740D je 004032AA
---------
:0040329D 803800 cmp byte[eax], 00
:004032A0 7408 je 004032AA
:004032A2 40 inc eax
:004032A3 8BF1 mov esi, ecx
:004032A5 49 dec ecx
:004032A6 85F6 test esi, esi
:004032A8 75F3 jne 0040329D
---------
:004032AA 803800 cmp byte[eax], 00
:004032AD 5E pop esi
:004032AE 7505 jne 004032B5
:004032B0 2B442404 sub eax, dword[esp+04]
:004032B4 C3 ret
---------
:004032B5 8BC2 mov eax, edx
:004032B7 C3 ret
=========
;; ---- 004032B8: ANSI-facing GetStringType wrapper ----
;; Frame arguments, as they are forwarded below: [ebp+08] info type, [ebp+0C] source string,
;; [ebp+10] source length, [ebp+14] output array, [ebp+18] code page (0 = default from
;; 00405418), [ebp+1C] locale (0 = default from 00405408), [ebp+20] non-zero to add flag 8 to
;; the first MultiByteToWideChar call. Returns the API result, or 0 on failure.
;; A one-time probe caches the working API at 00405424: 1 = GetStringTypeW, 2 = GetStringTypeA.
;; In mode 1 the source is converted to UTF-16 in a zero-filled stack buffer from 00403750.
;; Review focus: as in 00403069, the stack buffer size is 2 * the converted length.
;; NOTE(review): matches the MSVC C runtime's GetStringType helper - confirm by signature.
:004032B8 55 push ebp
:004032B9 8BEC mov ebp, esp
;; Exception registration record with handler 00401AD8, linked at fs:[0].
:004032BB 6AFF push -001
:004032BD 68E8434000 push 004043E8
:004032C2 68D81A4000 push 00401AD8
:004032C7 64A100000000 mov eax, dword fs:[00000000]
:004032CD 50 push eax
:004032CE 64892500000000 mov dword fs:[00000000], esp
:004032D5 83EC18 sub esp, 018
:004032D8 53 push ebx
:004032D9 56 push esi
:004032DA 57 push edi
:004032DB 8965E8 mov dword[ebp-18], esp
:004032DE A124544000 mov eax, dword[00405424]
:004032E3 33DB xor ebx, ebx
:004032E5 3BC3 cmp eax, ebx
:004032E7 753E jne 00403327
;; Probe: GetStringTypeW(1, 004043CC, 1, &local); success selects mode 1.
:004032E9 8D45E4 lea eax, dword[ebp-1C]
:004032EC 50 push eax
:004032ED 6A01 push 001
:004032EF 5E pop esi
:004032F0 56 push esi
:004032F1 68CC434000 push 004043CC
:004032F6 56 push esi
:004032F7 FF1588404000 call dword[00404088 ->000046F6 GetStringTypeW] ;;call KERNEL32.GetStringTypeW
:004032FD 85C0 test eax, eax
:004032FF 7404 je 00403305
:00403301 8BC6 mov eax, esi
:00403303 EB1D jmp 00403322
---------
;; Fallback probe: GetStringTypeA(0, 1, 004043C8, 1, &local); success selects mode 2.
:00403305 8D45E4 lea eax, dword[ebp-1C]
:00403308 50 push eax
:00403309 56 push esi
:0040330A 68C8434000 push 004043C8
:0040330F 56 push esi
:00403310 53 push ebx
:00403311 FF1584404000 call dword[00404084 ->000046E4 GetStringTypeA] ;;call KERNEL32.GetStringTypeA
:00403317 85C0 test eax, eax
:00403319 0F84CE000000 je 004033ED
:0040331F 6A02 push 002
:00403321 58 pop eax
---------
:00403322 A324544000 mov dword[00405424], eax
---------
:00403327 83F802 cmp eax, 002
:0040332A 7524 jne 00403350
;; Mode 2: direct GetStringTypeA call with the caller's (or default) locale.
:0040332C 8B451C mov eax, dword[ebp+1C]
:0040332F 3BC3 cmp eax, ebx
:00403331 7505 jne 00403338
:00403333 A108544000 mov eax, dword[00405408]
---------
:00403338 FF7514 push dword[ebp+14]
:0040333B FF7510 push dword[ebp+10]
:0040333E FF750C push dword[ebp+0C]
:00403341 FF7508 push dword[ebp+08]
:00403344 50 push eax
:00403345 FF1584404000 call dword[00404084 ->000046E4 GetStringTypeA] ;;call KERNEL32.GetStringTypeA
:0040334B E99F000000 jmp 004033EF
---------
:00403350 83F801 cmp eax, 001
:00403353 0F8594000000 jne 004033ED
:00403359 395D18 cmp dword[ebp+18], ebx
:0040335C 7508 jne 00403366
:0040335E A118544000 mov eax, dword[00405418]
:00403363 894518 mov dword[ebp+18], eax
---------
;; Mode 1: size query with flags 1 or 9, same construction as in 00403069.
:00403366 53 push ebx
:00403367 53 push ebx
:00403368 FF7510 push dword[ebp+10]
:0040336B FF750C push dword[ebp+0C]
:0040336E 8B4520 mov eax, dword[ebp+20]
:00403371 F7D8 neg eax
:00403373 1BC0 sbb eax, eax
:00403375 83E008 and eax, 008
:00403378 40 inc eax
:00403379 50 push eax
:0040337A FF7518 push dword[ebp+18]
:0040337D FF1578404000 call dword[00404078 ->000046AE MultiByteToWideChar] ;;call KERNEL32.MultiByteToWideChar
:00403383 8945E0 mov dword[ebp-20], eax
:00403386 3BC3 cmp eax, ebx
:00403388 7463 je 004033ED
;; Guarded stack allocation of 2 * count bytes (rounded up to 4), then zero-fill of exactly
;; 2 * count bytes through the fill routine at 00403780 (arguments: buffer, 0, size).
:0040338A 895DFC mov dword[ebp-04], ebx
:0040338D 8D3C00 lea edi, dword[eax+eax]
:00403390 8BC7 mov eax, edi
:00403392 83C003 add eax, 003
:00403395 24FC and al, -04
:00403397 E8B4030000 call 00403750
:0040339C 8965E8 mov dword[ebp-18], esp
:0040339F 8BF4 mov esi, esp
:004033A1 8975DC mov dword[ebp-24], esi
:004033A4 57 push edi
:004033A5 53 push ebx
:004033A6 56 push esi
:004033A7 E8D4030000 call 00403780
:004033AC 83C40C add esp, 00C
:004033AF EB0B jmp 004033BC
;; NOTE(review): 004033B1 / 004033B5 look like the filter and handler for the guarded region;
;; the handler restores esp and clears esi so that the buffer check below fails.
:004033B1 6A01 push 001
:004033B3 58 pop eax
:004033B4 C3 ret
:004033B5 8B65E8 mov esp, dword[ebp-18]
:004033B8 33DB xor ebx, ebx
:004033BA 33F6 xor esi, esi
---------
:004033BC 834DFCFF or dword[ebp-04], -001
:004033C0 3BF3 cmp esi, ebx
:004033C2 7429 je 004033ED
;; Convert into the stack buffer, then classify the wide characters into the caller's array.
:004033C4 FF75E0 push dword[ebp-20]
:004033C7 56 push esi
:004033C8 FF7510 push dword[ebp+10]
:004033CB FF750C push dword[ebp+0C]
:004033CE 6A01 push 001
:004033D0 FF7518 push dword[ebp+18]
:004033D3 FF1578404000 call dword[00404078 ->000046AE MultiByteToWideChar] ;;call KERNEL32.MultiByteToWideChar
:004033D9 3BC3 cmp eax, ebx
:004033DB 7410 je 004033ED
:004033DD FF7514 push dword[ebp+14]
:004033E0 50 push eax
:004033E1 56 push esi
:004033E2 FF7508 push dword[ebp+08]
:004033E5 FF1588404000 call dword[00404088 ->000046F6 GetStringTypeW] ;;call KERNEL32.GetStringTypeW
:004033EB EB02 jmp 004033EF
---------
;; Failure exit: eax = 0.
:004033ED 33C0 xor eax, eax
---------
;; Common epilogue: drop the stack buffer, unlink the exception record, restore registers.
:004033EF 8D65CC lea esp, dword[ebp-34]
:004033F2 8B4DF0 mov ecx, dword[ebp-10]
:004033F5 64890D00000000 mov dword fs:[00000000], ecx
:004033FC 5F pop edi
:004033FD 5E pop esi
:004033FE 5B pop ebx
:004033FF C9 leave
:00403400 C3 ret
:00403401 CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ...............
=========
;; ---- 00403410: overlap-safe block copy (memmove-like) ----
;; Frame arguments: [ebp+08] dest, [ebp+0C] src, [ebp+10] byte count. Every exit returns
;; dest in eax.
;; Copies forward unless src < dest < src + count; in that case it copies backward from the
;; end (004035A8) so that an overlapping source is read before it is overwritten.
;; Bulk data moves as dwords: rep movsd for 8 or more dwords, otherwise an unrolled ladder
;; entered through a jump table. Bytes needed to align dest and the 0-3 trailing bytes are
;; also dispatched through jump tables.
;; The routine performs no bounds checking of its own: count is used exactly as passed in.
;; NOTE(review): matches the MSVC C runtime's memcpy/memmove body - confirm by signature.
:00403410 55 push ebp
:00403411 8BEC mov ebp, esp
:00403413 57 push edi
:00403414 56 push esi
:00403415 8B750C mov esi, dword[ebp+0C]
:00403418 8B4D10 mov ecx, dword[ebp+10]
:0040341B 8B7D08 mov edi, dword[ebp+08]
:0040341E 8BC1 mov eax, ecx
:00403420 8BD1 mov edx, ecx
:00403422 03C6 add eax, esi
;; Direction choice: forward when dest <= src or dest >= src + count, otherwise backward.
:00403424 3BFE cmp edi, esi
:00403426 7608 jbe 00403430
:00403428 3BF8 cmp edi, eax
:0040342A 0F8278010000 jb 004035A8
---------
;; Forward copy, dest already 4-byte aligned: ecx = dword count, edx = trailing byte count.
:00403430 F7C703000000 test edi, 00000003
:00403436 7514 jne 0040344C
:00403438 C1E902 shr ecx, 02
:0040343B 83E203 and edx, 003
:0040343E 83F908 cmp ecx, 008
:00403441 7229 jc 0040346C
:00403443 F3A5 rep movsd
:00403445 FF249558354000 jmp dword[4*edx+00403558]
---------
;; Forward copy, dest unaligned: dispatch on (dest & 3) to copy 3, 2 or 1 leading bytes.
:0040344C 8BC7 mov eax, edi
:0040344E BA03000000 mov edx, 00000003
:00403453 83E904 sub ecx, 004
:00403456 720C jc 00403464
:00403458 83E003 and eax, 003
:0040345B 03C8 add ecx, eax
:0040345D FF248570344000 jmp dword[4*eax+00403470]
---------
:00403464 FF248D68354000 jmp dword[4*ecx+00403568]
;; NOTE(review): the next two listing lines are mis-decoded by the disassembler. Read from
;; 0040346C (the target of the `jc 0040346C` branches), the bytes FF 24 8D EC 34 40 00 form
;; `jmp dword[4*ecx+004034EC]`, followed by a 90 pad byte at 00403473. The table used by
;; `jmp dword[4*eax+00403470]` therefore starts at 00403474 (eax is 1..3 on that path).
:0040346B 90 FF 24 8D EC ..$..
:00403470 34400090 DWORD 90004034 ;; 4A‘
:00403474 80344000 DWORD 00403480 ;; .4@.
:00403478 AC344000 DWORD 004034AC ;; .4@.
:0040347C D0344000 DWORD 004034D0 ;; .4@.
---------
;; (dest & 3) == 1: copy 3 bytes to reach alignment, then continue with dwords.
:00403480 23D1 and edx, ecx
:00403482 8A06 mov al, byte[esi]
:00403484 8807 mov byte[edi], al
:00403486 8A4601 mov al, byte[esi+01]
:00403489 884701 mov byte[edi+01], al
:0040348C 8A4602 mov al, byte[esi+02]
:0040348F C1E902 shr ecx, 02
:00403492 884702 mov byte[edi+02], al
:00403495 83C603 add esi, 003
:00403498 83C703 add edi, 003
:0040349B 83F908 cmp ecx, 008
:0040349E 72CC jc 0040346C
:004034A0 F3A5 rep movsd
:004034A2 FF249558354000 jmp dword[4*edx+00403558]
:004034A9 8D4900 lea ecx, dword[ecx+00]
---------
;; (dest & 3) == 2: copy 2 bytes to reach alignment.
:004034AC 23D1 and edx, ecx
:004034AE 8A06 mov al, byte[esi]
:004034B0 8807 mov byte[edi], al
:004034B2 8A4601 mov al, byte[esi+01]
:004034B5 C1E902 shr ecx, 02
:004034B8 884701 mov byte[edi+01], al
:004034BB 83C602 add esi, 002
:004034BE 83C702 add edi, 002
:004034C1 83F908 cmp ecx, 008
:004034C4 72A6 jc 0040346C
:004034C6 F3A5 rep movsd
:004034C8 FF249558354000 jmp dword[4*edx+00403558]
:004034CF 90 .
---------
;; (dest & 3) == 3: copy 1 byte to reach alignment.
:004034D0 23D1 and edx, ecx
:004034D2 8A06 mov al, byte[esi]
:004034D4 8807 mov byte[edi], al
:004034D6 46 inc esi
:004034D7 C1E902 shr ecx, 02
:004034DA 47 inc edi
:004034DB 83F908 cmp ecx, 008
:004034DE 728C jc 0040346C
:004034E0 F3A5 rep movsd
:004034E2 FF249558354000 jmp dword[4*edx+00403558]
:004034E9 8D 49 00 .I.
;; Jump table for 0-7 remaining dwords (index = ecx): entry 0 goes straight to the tail
;; dispatch at 0040354F, entry 7 enters the ladder at its top (0040350C).
:004034EC 4F354000 DWORD 0040354F ;; O5@.
:004034F0 3C354000 DWORD 0040353C ;; <5@.
:004034F4 34354000 DWORD 00403534 ;; 45@.
:004034F8 2C354000 DWORD 0040352C ;; ,5@.
:004034FC 24354000 DWORD 00403524 ;; $5@.
:00403500 1C354000 DWORD 0040351C ;; .5@.
:00403504 14354000 DWORD 00403514 ;; .5@.
:00403508 0C354000 DWORD 0040350C ;; .5@.
---------
;; Unrolled forward ladder: each rung copies one dword and falls through to the next.
:0040350C 8B448EE4 mov eax, dword[esi+4*ecx-1C]
:00403510 89448FE4 mov dword[edi+4*ecx-1C], eax
---------
:00403514 8B448EE8 mov eax, dword[esi+4*ecx-18]
:00403518 89448FE8 mov dword[edi+4*ecx-18], eax
---------
:0040351C 8B448EEC mov eax, dword[esi+4*ecx-14]
:00403520 89448FEC mov dword[edi+4*ecx-14], eax
---------
:00403524 8B448EF0 mov eax, dword[esi+4*ecx-10]
:00403528 89448FF0 mov dword[edi+4*ecx-10], eax
---------
:0040352C 8B448EF4 mov eax, dword[esi+4*ecx-0C]
:00403530 89448FF4 mov dword[edi+4*ecx-0C], eax
---------
:00403534 8B448EF8 mov eax, dword[esi+4*ecx-08]
:00403538 89448FF8 mov dword[edi+4*ecx-08], eax
---------
:0040353C 8B448EFC mov eax, dword[esi+4*ecx-04]
:00403540 89448FFC mov dword[edi+4*ecx-04], eax
:00403544 8D048D00000000 lea eax, dword[4*ecx+00000000]
:0040354B 03F0 add esi, eax
:0040354D 03F8 add edi, eax
:0040354F FF249558354000 jmp dword[4*edx+00403558]
:00403556 8B FF ..
;; Forward tail table (index = trailing byte count 0..3).
:00403558 68354000 DWORD 00403568 ;; h5@.
:0040355C 70354000 DWORD 00403570 ;; p5@.
:00403560 7C354000 DWORD 0040357C ;; |5@.
:00403564 90354000 DWORD 00403590 ;; .5@.
---------
;; Forward tails: copy 0, 1, 2 or 3 bytes, then return dest.
:00403568 8B4508 mov eax, dword[ebp+08]
:0040356B 5E pop esi
:0040356C 5F pop edi
:0040356D C9 leave
:0040356E C3 ret
:0040356F 90 .
---------
:00403570 8A06 mov al, byte[esi]
:00403572 8807 mov byte[edi], al
:00403574 8B4508 mov eax, dword[ebp+08]
:00403577 5E pop esi
:00403578 5F pop edi
:00403579 C9 leave
:0040357A C3 ret
:0040357B 90 .
---------
:0040357C 8A06 mov al, byte[esi]
:0040357E 8807 mov byte[edi], al
:00403580 8A4601 mov al, byte[esi+01]
:00403583 884701 mov byte[edi+01], al
:00403586 8B4508 mov eax, dword[ebp+08]
:00403589 5E pop esi
:0040358A 5F pop edi
:0040358B C9 leave
:0040358C C3 ret
:0040358D 8D4900 lea ecx, dword[ecx+00]
---------
:00403590 8A06 mov al, byte[esi]
:00403592 8807 mov byte[edi], al
:00403594 8A4601 mov al, byte[esi+01]
:00403597 884701 mov byte[edi+01], al
:0040359A 8A4602 mov al, byte[esi+02]
:0040359D 884702 mov byte[edi+02], al
:004035A0 8B4508 mov eax, dword[ebp+08]
:004035A3 5E pop esi
:004035A4 5F pop edi
:004035A5 C9 leave
:004035A6 C3 ret
:004035A7 90 .
---------
;; Backward copy: esi/edi are moved to the last dword of each range. The direction flag is
;; set only around each rep movsd and cleared again immediately afterwards.
:004035A8 8D7431FC lea esi, dword[ecx+esi-04]
:004035AC 8D7C39FC lea edi, dword[ecx+edi-04]
:004035B0 F7C703000000 test edi, 00000003
:004035B6 7524 jne 004035DC
:004035B8 C1E902 shr ecx, 02
:004035BB 83E203 and edx, 003
:004035BE 83F908 cmp ecx, 008
:004035C1 720D jc 004035D0
:004035C3 FD std
:004035C4 F3A5 rep movsd
:004035C6 FC cld
:004035C7 FF2495F0364000 jmp dword[4*edx+004036F0]
:004035CE 8BFF mov edi, edi
---------
;; Fewer than 8 dwords: the negated count indexes the table that ends at 004036A0.
:004035D0 F7D9 neg ecx
:004035D2 FF248DA0364000 jmp dword[4*ecx+004036A0]
:004035D9 8D4900 lea ecx, dword[ecx+00]
---------
:004035DC 8BC7 mov eax, edi
:004035DE BA03000000 mov edx, 00000003
:004035E3 83F904 cmp ecx, 004
:004035E6 720C jc 004035F4
:004035E8 83E003 and eax, 003
:004035EB 2BC8 sub ecx, eax
:004035ED FF2485F8354000 jmp dword[4*eax+004035F8]
;; NOTE(review): mis-decoded as in the forward path. Read from 004035F4, the bytes
;; FF 24 8D F0 36 40 00 form `jmp dword[4*ecx+004036F0]`, followed by a 90 pad byte at
;; 004035FB; the table for `jmp dword[4*eax+004035F8]` starts at 004035FC.
:004035F4 FF 24 8D F0 .$..
:004035F8 36400090 DWORD 90004036 ;; 6A‘
:004035FC 08364000 DWORD 00403608 ;; .6@.
:00403600 28364000 DWORD 00403628 ;; (6@.
:00403604 50364000 DWORD 00403650 ;; P6@.
---------
;; Backward alignment stubs: copy 1, 2 or 3 bytes from the high end, then continue with dwords.
:00403608 8A4603 mov al, byte[esi+03]
:0040360B 23D1 and edx, ecx
:0040360D 884703 mov byte[edi+03], al
:00403610 4E dec esi
:00403611 C1E902 shr ecx, 02
:00403614 4F dec edi
:00403615 83F908 cmp ecx, 008
:00403618 72B6 jc 004035D0
:0040361A FD std
:0040361B F3A5 rep movsd
:0040361D FC cld
:0040361E FF2495F0364000 jmp dword[4*edx+004036F0]
:00403625 8D4900 lea ecx, dword[ecx+00]
---------
:00403628 8A4603 mov al, byte[esi+03]
:0040362B 23D1 and edx, ecx
:0040362D 884703 mov byte[edi+03], al
:00403630 8A4602 mov al, byte[esi+02]
:00403633 C1E902 shr ecx, 02
:00403636 884702 mov byte[edi+02], al
:00403639 83EE02 sub esi, 002
:0040363C 83EF02 sub edi, 002
:0040363F 83F908 cmp ecx, 008
:00403642 728C jc 004035D0
:00403644 FD std
:00403645 F3A5 rep movsd
:00403647 FC cld
:00403648 FF2495F0364000 jmp dword[4*edx+004036F0]
:0040364F 90 .
---------
:00403650 8A4603 mov al, byte[esi+03]
:00403653 23D1 and edx, ecx
:00403655 884703 mov byte[edi+03], al
:00403658 8A4602 mov al, byte[esi+02]
:0040365B 884702 mov byte[edi+02], al
:0040365E 8A4601 mov al, byte[esi+01]
:00403661 C1E902 shr ecx, 02
:00403664 884701 mov byte[edi+01], al
:00403667 83EE03 sub esi, 003
:0040366A 83EF03 sub edi, 003
:0040366D 83F908 cmp ecx, 008
:00403670 0F825AFFFFFF jb 004035D0
:00403676 FD std
:00403677 F3A5 rep movsd
:00403679 FC cld
:0040367A FF2495F0364000 jmp dword[4*edx+004036F0]
:00403681 8D 49 00 .I.
;; Backward dword table, addressed from its end (004036A0) with a negative index.
:00403684 A4364000 DWORD 004036A4 ;; .6@.
:00403688 AC364000 DWORD 004036AC ;; .6@.
:0040368C B4364000 DWORD 004036B4 ;; .6@.
:00403690 BC364000 DWORD 004036BC ;; .6@.
:00403694 C4364000 DWORD 004036C4 ;; .6@.
:00403698 CC364000 DWORD 004036CC ;; .6@.
:0040369C D4364000 DWORD 004036D4 ;; .6@.
:004036A0 E7364000 DWORD 004036E7 ;; .6@.
;; Unrolled backward ladder (ecx is negative here, so the +1C..+04 offsets step downward).
:004036A4 8B448E1C mov eax, dword[esi+4*ecx+1C]
:004036A8 89448F1C mov dword[edi+4*ecx+1C], eax
---------
:004036AC 8B448E18 mov eax, dword[esi+4*ecx+18]
:004036B0 89448F18 mov dword[edi+4*ecx+18], eax
---------
:004036B4 8B448E14 mov eax, dword[esi+4*ecx+14]
:004036B8 89448F14 mov dword[edi+4*ecx+14], eax
---------
:004036BC 8B448E10 mov eax, dword[esi+4*ecx+10]
:004036C0 89448F10 mov dword[edi+4*ecx+10], eax
---------
:004036C4 8B448E0C mov eax, dword[esi+4*ecx+0C]
:004036C8 89448F0C mov dword[edi+4*ecx+0C], eax
---------
:004036CC 8B448E08 mov eax, dword[esi+4*ecx+08]
:004036D0 89448F08 mov dword[edi+4*ecx+08], eax
---------
:004036D4 8B448E04 mov eax, dword[esi+4*ecx+04]
:004036D8 89448F04 mov dword[edi+4*ecx+04], eax
:004036DC 8D048D00000000 lea eax, dword[4*ecx+00000000]
:004036E3 03F0 add esi, eax
:004036E5 03F8 add edi, eax
---------
:004036E7 FF2495F0364000 jmp dword[4*edx+004036F0]
:004036EE 8B FF ..
;; Backward tail table (index = trailing byte count 0..3).
:004036F0 00374000 DWORD 00403700 ;; .7@.
:004036F4 08374000 DWORD 00403708 ;; .7@.
:004036F8 18374000 DWORD 00403718 ;; .7@.
:004036FC 2C374000 DWORD 0040372C ;; ,7@.
---------
;; Backward tails: copy 0, 1, 2 or 3 bytes, then return dest.
:00403700 8B4508 mov eax, dword[ebp+08]
:00403703 5E pop esi
:00403704 5F pop edi
:00403705 C9 leave
:00403706 C3 ret
:00403707 90 .
---------
:00403708 8A4603 mov al, byte[esi+03]
:0040370B 884703 mov byte[edi+03], al
:0040370E 8B4508 mov eax, dword[ebp+08]
:00403711 5E pop esi
:00403712 5F pop edi
:00403713 C9 leave
:00403714 C3 ret
:00403715 8D4900 lea ecx, dword[ecx+00]
---------
:00403718 8A4603 mov al, byte[esi+03]
:0040371B 884703 mov byte[edi+03], al
:0040371E 8A4602 mov al, byte[esi+02]
:00403721 884702 mov byte[edi+02], al
:00403724 8B4508 mov eax, dword[ebp+08]
:00403727 5E pop esi
:00403728 5F pop edi
:00403729 C9 leave
:0040372A C3 ret
:0040372B 90 .
---------
:0040372C 8A4603 mov al, byte[esi+03]
:0040372F 884703 mov byte[edi+03], al
:00403732 8A4602 mov al, byte[esi+02]
:00403735 884702 mov byte[edi+02], al
:00403738 8A4601 mov al, byte[esi+01]
:0040373B 884701 mov byte[edi+01], al
:0040373E 8B4508 mov eax, dword[ebp+08]
:00403741 5E pop esi
:00403742 5F pop edi
:00403743 C9 leave
:00403744 C3 ret
:00403745 CC CC CC CC CC CC CC CC CC CC CC ...........
=========
;; ---- 00403750: stack allocation probe (_alloca_probe / _chkstk-like) ----
;; Register-argument helper: eax = number of bytes to reserve. On return esp has been lowered
;; by eax relative to the caller's stack top; ecx is preserved. The return address is
;; re-pushed on the new stack so that the final ret still returns to the caller.
;; For requests of 0x1000 bytes or more it steps down one page at a time and touches each
;; page (`test dword[ecx], eax`) before moving on, so large requests are committed page by
;; page instead of jumping past untouched pages.
;; NOTE(review): that is the usual guard-page reason for such probes - confirm for this build.
;; Callers in this listing (00403166, 0040321A, 00403397) pass sizes derived from string lengths.
:00403750 51 push ecx
:00403751 3D00100000 cmp eax, 00001000
:00403756 8D4C2408 lea ecx, dword[esp+08]
:0040375A 7214 jc 00403770
---------
:0040375C 81E900100000 sub ecx, 00001000
:00403762 2D00100000 sub eax, 00001000
:00403767 8501 test dword[ecx], eax
:00403769 3D00100000 cmp eax, 00001000
:0040376E 73EC jae 0040375C
---------
;; Final partial page: probe it, switch esp, restore ecx and return through the saved address.
:00403770 2BC8 sub ecx, eax
:00403772 8BC4 mov eax, esp
:00403774 8501 test dword[ecx], eax
:00403776 8BE1 mov esp, ecx
:00403778 8B08 mov ecx, dword[eax]
:0040377A 8B4004 mov eax, dword[eax+04]
:0040377D 50 push eax
:0040377E C3 ret
:0040377F CC .
=========
;; ---- 00403780: byte fill (memset-like) ----
;; Stack arguments: [esp+04] dest, [esp+08] fill value (low byte used), [esp+0C] byte count.
;; Returns dest in eax; a count of 0 returns immediately without writing.
;; For counts of 4 or more it writes single bytes until dest is 4-byte aligned, replicates
;; the fill byte into all four bytes of eax, stores whole dwords with rep stosd, and finishes
;; the remaining 0-3 bytes one at a time.
;; The routine performs no bounds checking of its own: count is used exactly as passed in.
;; NOTE(review): matches the MSVC C runtime's memset body - confirm by signature.
:00403780 8B54240C mov edx, dword[esp+0C]
:00403784 8B4C2404 mov ecx, dword[esp+04]
:00403788 85D2 test edx, edx
:0040378A 7447 je 004037D3
:0040378C 33C0 xor eax, eax
:0040378E 8A442408 mov al, byte[esp+08]
:00403792 57 push edi
:00403793 8BF9 mov edi, ecx
:00403795 83FA04 cmp edx, 004
:00403798 722D jc 004037C7
;; ecx = (-dest) & 3 = number of bytes needed to reach 4-byte alignment.
:0040379A F7D9 neg ecx
:0040379C 83E103 and ecx, 003
:0040379F 7408 je 004037A9
:004037A1 2BD1 sub edx, ecx
---------
:004037A3 8807 mov byte[edi], al
:004037A5 47 inc edi
:004037A6 49 dec ecx
:004037A7 75FA jne 004037A3
---------
;; Replicate the fill byte: eax = b | b<<8 | b<<16 | b<<24.
:004037A9 8BC8 mov ecx, eax
:004037AB C1E008 shl eax, 08
:004037AE 03C1 add eax, ecx
:004037B0 8BC8 mov ecx, eax
:004037B2 C1E010 shl eax, 10
:004037B5 03C1 add eax, ecx
:004037B7 8BCA mov ecx, edx
:004037B9 83E203 and edx, 003
:004037BC C1E902 shr ecx, 02
:004037BF 7406 je 004037C7
:004037C1 F3AB rep stosd
:004037C3 85D2 test edx, edx
:004037C5 7406 je 004037CD
---------
;; Byte loop: the whole fill for counts below 4, otherwise the 1-3 trailing bytes.
:004037C7 8807 mov byte[edi], al
:004037C9 47 inc edi
:004037CA 4A dec edx
:004037CB 75FA jne 004037C7
---------
;; edi is still pushed here, so [esp+08] is the dest argument.
:004037CD 8B442408 mov eax, dword[esp+08]
:004037D1 5F pop edi
:004037D2 C3 ret
---------
:004037D3 8B442404 mov eax, dword[esp+04]
:004037D7 C3 ret
=========
;; ---- 004037D8: import thunk ----
;; Single indirect jump through the import address table slot for KERNEL32!RtlUnwind.
:004037D8 FF2550404000 jmp dword[00404050 ->00004628 RtlUnwind] ;;call KERNEL32.RtlUnwind
;; Zero bytes follow from 004037DE onward. NOTE(review): this looks like fill up to the end of
;; the .text object (RVA 1000, size 3000); nothing here decodes as code.
:004037DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:004037EE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:004037FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040380E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040381E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040382E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040383E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040384E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040385E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
:0040386E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040387E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040388E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040389E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004038AE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004038BE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004038CE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004038DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004038EE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004038FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040390E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040391E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040392E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040393E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040394E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040395E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040396E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040397E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040398E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :0040399E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004039AE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004039BE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004039CE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004039DE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004039EE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :004039FE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
:00403A0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403A9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403AAE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403ABE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403ACE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403ADE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403AEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403AFE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403B9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
:00403BAE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403BBE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403BCE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403BDE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403BEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403BFE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403C9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403CAE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403CBE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403CCE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403CDE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403CEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403CFE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
:00403D4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403D9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403DAE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403DBE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403DCE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403DDE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403DEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403DFE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403E9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403EAE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403EBE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403ECE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403EDE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
:00403EEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403EFE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F3E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F4E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F7E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403F9E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403FAE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403FBE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403FCE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403FDE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403FEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ :00403FFE 00 00 .. 
*************** Cross Reference Listing **************** ==00401000::004010BF, ==004010EF::0040140C,0040143B,004014DD,00401810, ==00401114::00401075, ==00401138::004010A3, ==00401165::004010CB, ==00401176::004010EA,0040110B, ==00401187::0040116D,0040117E, ==00401220::0040114D,0040115C,004011F1,00401202, ==0040123A::004010DC, --0040135A::0040128C, --0040136A::0040126E, --0040136F::00401249,00401254, --00401378::00401266, ==0040137B::00401241, ==004013BE::0040109E, ==00401477::00401099, ==00401510::004014BE,004014F4, --004015CA::004016AE, --004015FC::0040169F, --004016B3::004015CD,004015E5, ==004016C4::0040108F, --0040179C::00401715, --004017A1::0040170D, --004017ED::004016FD,00401725, ==004017F6::0040107F, --00401926::0040185B,00401867, ==004019A1::00401069, ==004019E0::00401B32, --004019F8::004019EB, --00401A00::00401A2C, ==00401A22::00401B3F,00401B7F,00401BA4, ==00401AB6::00401A71,00401B50, --00401AD8::0040101A,00403073,004032C2, --00401B78::00401AF0, ==00401BB0::004010F8,0040111D, ==00401BE9::00401101,00401126,00401BCC,00401BE2, --00401D13::00401C25,00401C36, --00401D39::00401C17,00401C42, ==00401D3C::0040145B,00401783, ==00401D70::00401444,00401C6C,00401CC2, ==00401D80::00401CCF,00401CE0,00401CF2, ==00401E60::004013F8,0040142D,004014CD,00401760,004017C7,00401802,00401892, ==00401E72::00401E6A, ==00401E9E::00401E7D, ==00401EE0::004013E4,0040141E,00401C81,00401C94,00401D21, ==00401F5B::0040232A, --00401FE2::00402094, --0040208E::00401FF5, --0040209A::00401FD9,00401FE6, --004020C4::00401FCF, --004020D6::00401FAC, --004020DE::00401F82, --004020E8::00401F78, ==004020F4::00401F67, ==0040213E::00402073,004020AD, ==00402171::004020DE, ==0040219A::004020E3, --004022D3::004021B7, ==0040231F::004013CB,00401489, ==00402340::004017DA, --004023B0::004023A4, --004023DC::004023A8, --00402400::004023AC, --0040243C::00402438, --00402444::00402434, --0040244C::00402430, --00402454::0040242C, --0040245C::00402428, --00402464::00402424, --0040246C::00402420, 
--00402498::00402394,00402488, --004024A0::0040248C, --004024AC::00402490, --004024C0::00402494, --004024D8::0040235A, --00402500::004025A0, --00402538::0040252C, --00402558::00402530, --00402580::00402534, --004025DC::004025B8, --004025E4::004025BC, --004025EC::004025C0, --004025F4::004025C4, --004025FC::004025C8, --00402604::004025CC, --00402617::004025D0, --00402630::00402620, --00402638::00402624, --00402648::00402628, --0040265C::0040262C, ==00402675::004019C1, ==004026B3::00401D46, ==004026DE::00401D52, --00402861::004027BB, --004028F9::0040286A, --004029F6::00402911, --00402A04::00402904, ==00402A09::00401EAC, --00402CC0::00402BAD, --00402CCC::00402C32, --00402D0D::00402AF9, ==00402D12::00402AD5, ==00402DC3::00402AE4, --00402EB9::00402E21, ==00402EBE::00401D08, ==00402F50::00401CAE, --00403046::00402FB6, ==0040304E::00401E91, ==00403069::00402258,00402280, --004031F7::004030CF,0040311E,00403155,00403280, --004031F9::00403116,00403288, --00403286::004031CE,004031F1, ==0040328D::004030EA, ==004032B8::00402234, --004033ED::00403319,00403353, --004033EF::0040334B, ==00403410::004029CC, --00403480::00403474, --004034AC::00403478, --004034D0::0040347C, --0040350C::00403508, --00403514::00403504, --0040351C::00403500, --00403524::004034FC, --0040352C::004034F8, --00403534::004034F4, --0040353C::004034F0, --00403568::00403464,00403558, --00403570::0040355C, --0040357C::00403560, --00403590::00403564, --004035A8::0040342A, --004035D0::00403670, --00403608::004035FC, --00403628::00403600, --00403650::00403604, --004036AC::00403688, --004036B4::0040368C, --004036BC::00403690, --004036C4::00403694, --004036CC::00403698, --004036D4::0040369C, --004036E7::004036A0, --00403700::004036F0, --00403708::004036F4, --00403718::004036F8, --0040372C::004036FC, ==00403750::00403166,0040321A,00403397, ==00403780::004033A7, ==004037D8::004019F3, *************** END OF LISTING **********************************