Module five inside packed sample with SHA1: 37f6f1f59bf7952fd7182deeb07d4cd0d367dd59
The disassembly output below is part of the blog post:
Hancitor packer demystified
.text:00401001
8B EC
mov
ebp
,
esp
.text:00401003
83 3D 08 70 40 00 00
cmp
ds
:
dword_407008
,
0
.text:0040100A
75 0B
jnz
short
loc_401017
.text:0040100C
FF 15 0C 20 40 00
call
ds
:
off_40200C
; getprocessheap
.text:00401012
A3 08 70 40 00
mov
ds
:
dword_407008
,
eax
.text:00401017 .text:00401017
loc_401017
:
; CODE XREF: my_alloc_heap+A↑j
.text:00401017
83 3D 08 70 40 00 00
cmp
ds
:
dword_407008
,
0
.text:0040101E
74 15
jz
short
loc_401035
.text:00401020
8B 45 08
mov
eax
, [
ebp
+
arg_0
]
.text:00401023
50
push
eax
.text:00401024
6A 00
push 0
.text:00401026
8B 0D 08 70 40 00
mov
ecx
,
ds
:
dword_407008
.text:0040102C
51
push
ecx
.text:0040102D .text:0040102D
loc_40102D
:
; ntdll_RtlAllocateHeap
.text:0040102D
FF 15 04 20 40 00
call
ds
:
off_402004
.text:00401033
EB 02
jmp
short
loc_401037
.text:00401035
; ---------------------------------------------------------------------------
.text:00401035 .text:00401035
loc_401035
:
; CODE XREF: my_alloc_heap+1E↑j
.text:00401035
33 C0
xor
eax
,
eax
.text:00401037 .text:00401037
loc_401037
:
; CODE XREF: my_alloc_heap+33↑j
.text:00401037
5D
pop
ebp
.text:00401038
C3
retn
.text:00401038
; ---------------------------------------------------------------------------
.text:00401039
CC
db
0CCh
; Ì
.text:0040103A
CC
db
0CCh
; Ì
.text:0040103B
CC
db
0CCh
; Ì
.text:0040103B
my_alloc_heap
endp .text:0040103B .text:0040103C
CC
db
0CCh
; Ì
.text:0040103D
CC
db
0CCh
; Ì
.text:0040103E
CC
db
0CCh
; Ì
.text:0040103F
CC
db
0CCh
; Ì
.text:00401040
.text:00401040 ; =============== S U B R O U T I N E =======================================
.text:00401040
.text:00401040 ; Attributes: bp-based frame
.text:00401040
; my_heapfree(ptr) -- analyst-named wrapper that releases a heap block.
;   In:  arg_0 = pointer to release.
;   Uses dword_407008, the heap handle cached by my_alloc_heap (stored there from
;   the import the analyst labelled "getprocessheap").
;   If dword_407008 is 0 the routine returns without calling anything. Otherwise
;   it pushes (dword_407008, 0, arg_0) and calls the import at off_402008.
;   NOTE(review): off_402008 is not resolved in this listing; the analyst's name and
;   the (heap, flags, ptr) argument layout suggest HeapFree/RtlFreeHeap -- confirm
;   against the import table.
;   No "add esp" follows the import call, so the callee is expected to pop its own
;   three arguments. The callers shown in this listing do not read eax afterwards.
.text:00401040 my_heapfree     proc near               ; CODE XREF: my_decrypt+11E↓p
.text:00401040                                         ; my_decrypt+130↓p ...
.text:00401040
.text:00401040 arg_0           = dword ptr  8
.text:00401040
.text:00401040 55                      push    ebp
.text:00401041 8B EC                   mov     ebp, esp
.text:00401043 83 3D 08 70 40 00 00    cmp     ds:dword_407008, 0      ; heap handle cached yet?
.text:0040104A 74 13                   jz      short loc_40105F        ; no handle -> nothing to free
.text:0040104C 8B 45 08                mov     eax, [ebp+arg_0]
.text:0040104F 50                      push    eax                     ; 3rd argument: block pointer
.text:00401050
.text:00401050 loc_401050:
.text:00401050 6A 00                   push    0                       ; 2nd argument: 0
.text:00401052 8B 0D 08 70 40 00       mov     ecx, ds:dword_407008
.text:00401058 51                      push    ecx                     ; 1st argument: cached heap handle
.text:00401059 FF 15 08 20 40 00       call    ds:off_402008           ; presumably the heap-free import (unresolved here)
.text:0040105F
.text:0040105F loc_40105F:                             ; CODE XREF: my_heapfree+A↑j
.text:0040105F 5D                      pop     ebp
.text:00401060 C3                      retn
.text:00401060 my_heapfree     endp
.text:00401060
.text:00401060 ; ---------------------------------------------------------------------------
.text:00401061 CC CC CC CC CC CC CC CC CC CC+  align 10h
.text:00401070
.text:00401070 ; =============== S U B R O U T I N E =======================================
.text:00401070
.text:00401070 ; Attributes: bp-based frame
.text:00401070
; sub_401070(dst, src, count) -- forward byte-by-byte copy (memcpy-like).
;   In:  arg_0 = destination pointer, arg_4 = source pointer, arg_8 = byte count.
;   Out: eax   = the original destination pointer (saved in var_8 on entry).
;   The three argument slots are used as the running dst/src/remaining variables.
;   The caller removes the arguments (sub_401150 does "add esp, 0Ch" after the call).
;   No overlap handling or bounds checking is visible; the copy trusts the count.
.text:00401070 sub_401070      proc near               ; CODE XREF: sub_401150+2B↓p
.text:00401070                                         ; my_alloc_exe_in_memory_region+E0↓p ...
.text:00401070
.text:00401070 var_8           = dword ptr -8
.text:00401070 var_4           = dword ptr -4
.text:00401070 arg_0           = dword ptr  8
.text:00401070 arg_4           = dword ptr  0Ch
.text:00401070 arg_8           = dword ptr  10h
.text:00401070
.text:00401070 55                      push    ebp
.text:00401071 8B EC                   mov     ebp, esp
.text:00401073 83 EC 08                sub     esp, 8
.text:00401076 8B 45 08                mov     eax, [ebp+arg_0]
.text:00401079 89 45 F8                mov     [ebp+var_8], eax        ; remember dst for the return value
.text:0040107C
.text:0040107C loc_40107C:                             ; CODE XREF: sub_401070+3D↓j
.text:0040107C 8B 4D 10                mov     ecx, [ebp+arg_8]
.text:0040107F 89 4D FC                mov     [ebp+var_4], ecx        ; var_4 = count before the decrement
.text:00401082 8B 55 10                mov     edx, [ebp+arg_8]
.text:00401085 83 EA 01                sub     edx, 1
.text:00401088 89 55 10                mov     [ebp+arg_8], edx        ; count--
.text:0040108B 83 7D FC 00             cmp     [ebp+var_4], 0
.text:0040108F 74 1E                   jz      short loc_4010AF        ; pre-decrement count was 0 -> done
.text:00401091 8B 45 08                mov     eax, [ebp+arg_0]
.text:00401094 8B 4D 0C                mov     ecx, [ebp+arg_4]
.text:00401097 8A 11                   mov     dl, [ecx]
.text:00401099 88 10                   mov     [eax], dl               ; *dst = *src
.text:0040109B 8B 45 08                mov     eax, [ebp+arg_0]
.text:0040109E 83 C0 01                add     eax, 1
.text:004010A1 89 45 08                mov     [ebp+arg_0], eax        ; dst++
.text:004010A4 8B 4D 0C                mov     ecx, [ebp+arg_4]
.text:004010A7 83 C1 01                add     ecx, 1
.text:004010AA 89 4D 0C                mov     [ebp+arg_4], ecx        ; src++
.text:004010AD EB CD                   jmp     short loc_40107C
.text:004010AF ; ---------------------------------------------------------------------------
.text:004010AF
.text:004010AF loc_4010AF:                             ; CODE XREF: sub_401070+1F↑j
.text:004010AF 8B 45 F8                mov     eax, [ebp+var_8]        ; return the original dst
.text:004010B2 8B E5                   mov     esp, ebp
.text:004010B4 5D                      pop     ebp
.text:004010B5 C3                      retn
.text:004010B5 sub_401070      endp
.text:004010B5
.text:004010B5 ; ---------------------------------------------------------------------------
.text:004010B6 CC CC CC CC CC CC CC CC CC CC   align 10h
.text:004010C0
.text:004010C0 ; =============== S U B R O U T I N E =======================================
.text:004010C0
.text:004010C0 ; Attributes: bp-based frame
.text:004010C0
; sub_4010C0(dst, value, count) -- byte fill (memset-like).
;   In:  arg_0 = destination pointer, arg_4 = fill byte (only the low byte is read),
;        arg_8 = byte count.
;   Out: eax   = the original destination pointer (saved in var_8 on entry).
;   Same loop shape as sub_401070, with a constant byte instead of a source pointer.
;   No cross-reference to this routine is printed on its proc line in this listing.
.text:004010C0 sub_4010C0      proc near
.text:004010C0
.text:004010C0 var_8           = dword ptr -8
.text:004010C0 var_4           = dword ptr -4
.text:004010C0 arg_0           = dword ptr  8
.text:004010C0 arg_4           = byte ptr  0Ch
.text:004010C0 arg_8           = dword ptr  10h
.text:004010C0
.text:004010C0 55                      push    ebp
.text:004010C1 8B EC                   mov     ebp, esp
.text:004010C3 83 EC 08                sub     esp, 8
.text:004010C6 8B 45 08                mov     eax, [ebp+arg_0]
.text:004010C9 89 45 F8                mov     [ebp+var_8], eax        ; remember dst for the return value
.text:004010CC
.text:004010CC loc_4010CC:                             ; CODE XREF: sub_4010C0+32↓j
.text:004010CC 8B 4D 10                mov     ecx, [ebp+arg_8]
.text:004010CF 89 4D FC                mov     [ebp+var_4], ecx        ; var_4 = count before the decrement
.text:004010D2 8B 55 10                mov     edx, [ebp+arg_8]
.text:004010D5 83 EA 01                sub     edx, 1
.text:004010D8 89 55 10                mov     [ebp+arg_8], edx        ; count--
.text:004010DB 83 7D FC 00             cmp     [ebp+var_4], 0
.text:004010DF 74 13                   jz      short loc_4010F4        ; pre-decrement count was 0 -> done
.text:004010E1 8B 45 08                mov     eax, [ebp+arg_0]
.text:004010E4 8A 4D 0C                mov     cl, [ebp+arg_4]
.text:004010E7 88 08                   mov     [eax], cl               ; *dst = fill byte
.text:004010E9 8B 55 08                mov     edx, [ebp+arg_0]
.text:004010EC 83 C2 01                add     edx, 1
.text:004010EF 89 55 08                mov     [ebp+arg_0], edx        ; dst++
.text:004010F2 EB D8                   jmp     short loc_4010CC
.text:004010F4 ; ---------------------------------------------------------------------------
.text:004010F4
.text:004010F4 loc_4010F4:                             ; CODE XREF: sub_4010C0+1F↑j
.text:004010F4 8B 45 F8                mov     eax, [ebp+var_8]        ; return the original dst
.text:004010F7 8B E5                   mov     esp, ebp
.text:004010F9 5D                      pop     ebp
.text:004010FA C3                      retn
.text:004010FA sub_4010C0      endp
.text:004010FA
.text:004010FA ; ---------------------------------------------------------------------------
.text:004010FB CC CC CC CC CC          align 10h
.text:00401100
.text:00401100 ; =============== S U B R O U T I N E =======================================
.text:00401100
.text:00401100 ; Attributes: bp-based frame
.text:00401100
; sub_401100(p) -- compares the 8 bytes at p with the 8 bytes stored at 407000h.
;   In:  arg_0 = pointer to the candidate bytes.
;   Out: eax   = 1 when all 8 bytes match, 0 at the first mismatch.
;   var_4 is the byte index (0..7). "push ecx" only reserves the 4-byte local slot.
;   The content of the 8-byte pattern at 407000h is not shown in this listing.
.text:00401100 sub_401100      proc near               ; CODE XREF: sub_401450+2B↓p
.text:00401100
.text:00401100 var_4           = dword ptr -4
.text:00401100 arg_0           = dword ptr  8
.text:00401100
.text:00401100 55                      push    ebp
.text:00401101 8B EC                   mov     ebp, esp
.text:00401103 51                      push    ecx                     ; reserve var_4
.text:00401104 C7 45 FC 00 00 00 00    mov     [ebp+var_4], 0          ; i = 0
.text:0040110B EB 09                   jmp     short loc_401116
.text:0040110D ; ---------------------------------------------------------------------------
.text:0040110D
.text:0040110D loc_40110D:                             ; CODE XREF: sub_401100:loc_401137↓j
.text:0040110D 8B 45 FC                mov     eax, [ebp+var_4]
.text:00401110 83 C0 01                add     eax, 1
.text:00401113 89 45 FC                mov     [ebp+var_4], eax        ; i++
.text:00401116
.text:00401116 loc_401116:                             ; CODE XREF: sub_401100+B↑j
.text:00401116 83 7D FC 08             cmp     [ebp+var_4], 8
.text:0040111A 73 1D                   jnb     short loc_401139        ; i >= 8 -> every byte matched
.text:0040111C 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:0040111F 03 4D FC                add     ecx, [ebp+var_4]
.text:00401122 0F B6 11                movzx   edx, byte ptr [ecx]     ; edx = p[i]
.text:00401125 8B 45 FC                mov     eax, [ebp+var_4]
.text:00401128 0F B6 88 00 70 40 00    movzx   ecx, byte ptr [eax+407000h] ; ecx = pattern[i]
.text:0040112F 3B D1                   cmp     edx, ecx
.text:00401131 74 04                   jz      short loc_401137
.text:00401133 33 C0                   xor     eax, eax                ; mismatch -> return 0
.text:00401135 EB 07                   jmp     short loc_40113E
.text:00401137 ; ---------------------------------------------------------------------------
.text:00401137
.text:00401137 loc_401137:                             ; CODE XREF: sub_401100+31↑j
.text:00401137 EB D4                   jmp     short loc_40110D
.text:00401139 ; ---------------------------------------------------------------------------
.text:00401139
.text:00401139 loc_401139:                             ; CODE XREF: sub_401100+1A↑j
.text:00401139 B8 01 00 00 00          mov     eax, 1                  ; full match -> return 1
.text:0040113E
.text:0040113E loc_40113E:                             ; CODE XREF: sub_401100+35↑j
.text:0040113E 8B E5                   mov     esp, ebp
.text:00401140 5D                      pop     ebp
.text:00401141 C3                      retn
.text:00401141 sub_401100      endp
.text:00401141
.text:00401141 ; ---------------------------------------------------------------------------
.text:00401142 CC CC CC CC CC CC CC CC CC CC+  align 10h
.text:00401150
.text:00401150 ; =============== S U B R O U T I N E =======================================
.text:00401150
.text:00401150 ; Attributes: bp-based frame
.text:00401150
; sub_401150(buf, len) -- finds the 8-byte marker inside buf and overwrites the
; bytes starting at the marker with data from 404A70h.
;   In:  arg_0 = buffer pointer, arg_4 = number of positions to search.
;   Out: eax   = 1 if the marker was found and the copy was made, 0 otherwise.
;   Steps: sub_401450(arg_0, arg_4) returns the marker address or 0; on a hit,
;   sub_401070(marker, 404A70h, 2008h) copies 2008h bytes over it.
;   my_module_five calls this on the unpacked PE buffer with the size it got back
;   from my_decrypt, so this looks like the step that patches a data block into
;   the next-stage image -- what the 2008h bytes at 404A70h contain is not shown here.
;   NOTE(review): no check that marker + 2008h stays inside the arg_4-byte buffer
;   is visible in this routine.
.text:00401150 sub_401150      proc near               ; CODE XREF: my_module_five+4F↓p
.text:00401150                                         ; DATA XREF: sub_4011F0+41↓o ...
.text:00401150
.text:00401150 var_4           = dword ptr -4
.text:00401150 arg_0           = dword ptr  8
.text:00401150 arg_4           = dword ptr  0Ch
.text:00401150
.text:00401150 55                      push    ebp
.text:00401151 8B EC                   mov     ebp, esp
.text:00401153 51                      push    ecx                     ; reserve var_4
.text:00401154 8B 45 0C                mov     eax, [ebp+arg_4]
.text:00401157 50                      push    eax                     ; search length
.text:00401158 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:0040115B 51                      push    ecx                     ; buffer
.text:0040115C E8 EF 02 00 00          call    sub_401450              ; eax = marker address or 0
.text:00401161 83 C4 08                add     esp, 8
.text:00401164 89 45 FC                mov     [ebp+var_4], eax
.text:00401167 83 7D FC 00             cmp     [ebp+var_4], 0
.text:0040116B 74 1D                   jz      short loc_40118A        ; marker not found -> return 0
.text:0040116D 68 08 20 00 00          push    2008h                   ; byte count
.text:00401172 68 70 4A 40 00          push    404A70h                 ; source block in this module
.text:00401177 8B 55 FC                mov     edx, [ebp+var_4]
.text:0040117A 52                      push    edx                     ; destination = marker address
.text:0040117B E8 F0 FE FF FF          call    sub_401070              ; byte copy
.text:00401180 83 C4 0C                add     esp, 0Ch
.text:00401183 B8 01 00 00 00          mov     eax, 1
.text:00401188 EB 02                   jmp     short loc_40118C
.text:0040118A ; ---------------------------------------------------------------------------
.text:0040118A
.text:0040118A loc_40118A:                             ; CODE XREF: sub_401150+1B↑j
.text:0040118A 33 C0                   xor     eax, eax
.text:0040118C
.text:0040118C loc_40118C:                             ; CODE XREF: sub_401150+38↑j
.text:0040118C 8B E5                   mov     esp, ebp
.text:0040118E 5D                      pop     ebp
.text:0040118F C3                      retn
.text:0040118F sub_401150      endp
.text:0040118F
.text:00401190
.text:00401190
; =============== S U B R O U T I N E =======================================
.text:00401190
.text:00401190 ; Attributes: bp-based frame
.text:00401190
; sub_401190(desc, key) -- XORs a memory region in place with a single byte.
;   In:  arg_0 = pointer to a 12-byte descriptor as written by sub_4014A0:
;                  +0 region start address
;                  +4 region length in bytes
;                  +8 flag; the region is only touched when this is 0
;        arg_4 = XOR key (only the low byte is read).
;   Out: nothing meaningful in eax.
;   XOR with a fixed byte is its own inverse, so calling this twice with the same
;   key restores the original bytes. sub_4011F0 and sub_4013F0 pass the keys
;   54h, 38h and 0BEh for the three descriptors at 40700Ch.
.text:00401190 sub_401190      proc near               ; CODE XREF: sub_4011F0+6C↓p
.text:00401190                                         ; sub_4011F0+84↓p ...
.text:00401190
.text:00401190 var_8           = dword ptr -8
.text:00401190 var_4           = dword ptr -4
.text:00401190 arg_0           = dword ptr  8
.text:00401190 arg_4           = byte ptr  0Ch
.text:00401190
.text:00401190 55                      push    ebp
.text:00401191 8B EC                   mov     ebp, esp
.text:00401193 83 EC 08                sub     esp, 8
.text:00401196 8B 45 08                mov     eax, [ebp+arg_0]
.text:00401199 83 78 08 00             cmp     dword ptr [eax+8], 0    ; descriptor flag
.text:0040119D 75 3E                   jnz     short loc_4011DD        ; flag set -> leave the region untouched
.text:0040119F 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:004011A2 8B 11                   mov     edx, [ecx]
.text:004011A4 89 55 F8                mov     [ebp+var_8], edx        ; var_8 = region start
.text:004011A7 C7 45 FC 00 00 00 00    mov     [ebp+var_4], 0          ; i = 0
.text:004011AE EB 09                   jmp     short loc_4011B9
.text:004011B0 ; ---------------------------------------------------------------------------
.text:004011B0
.text:004011B0 loc_4011B0:                             ; CODE XREF: sub_401190+4B↓j
.text:004011B0 8B 45 FC                mov     eax, [ebp+var_4]
.text:004011B3 83 C0 01                add     eax, 1
.text:004011B6 89 45 FC                mov     [ebp+var_4], eax        ; i++
.text:004011B9
.text:004011B9 loc_4011B9:                             ; CODE XREF: sub_401190+1E↑j
.text:004011B9 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:004011BC 8B 55 FC                mov     edx, [ebp+var_4]
.text:004011BF 3B 51 04                cmp     edx, [ecx+4]            ; i against descriptor length
.text:004011C2 73 19                   jnb     short loc_4011DD        ; i >= length -> done
.text:004011C4 0F B6 45 0C             movzx   eax, [ebp+arg_4]        ; key byte
.text:004011C8 8B 4D F8                mov     ecx, [ebp+var_8]
.text:004011CB 03 4D FC                add     ecx, [ebp+var_4]
.text:004011CE 0F B6 11                movzx   edx, byte ptr [ecx]     ; edx = region[i]
.text:004011D1 33 D0                   xor     edx, eax
.text:004011D3 8B 45 F8                mov     eax, [ebp+var_8]
.text:004011D6 03 45 FC                add     eax, [ebp+var_4]
.text:004011D9 88 10                   mov     [eax], dl               ; region[i] ^= key
.text:004011DB EB D3                   jmp     short loc_4011B0
.text:004011DD ; ---------------------------------------------------------------------------
.text:004011DD
.text:004011DD loc_4011DD:                             ; CODE XREF: sub_401190+D↑j
.text:004011DD                                         ; sub_401190+32↑j
.text:004011DD 8B E5                   mov     esp, ebp
.text:004011DF 5D                      pop     ebp
.text:004011E0 C3                      retn
.text:004011E0 sub_401190      endp
.text:004011E0
.text:004011E0 ; ---------------------------------------------------------------------------
.text:004011E1 CC CC CC CC CC CC CC CC CC CC+  align 10h
.text:004011F0
.text:004011F0 ; =============== S U B R O U T I N E =======================================
.text:004011F0
.text:004011F0 ; Attributes: bp-based frame
.text:004011F0
; sub_4011F0(init) -- optionally (re)builds the three region descriptors at 40700Ch,
; then XORs each described region with its own key byte.
;   In:  arg_0 = 1 to fill the descriptors first; any other value skips that step
;                (my_module_five passes 0).
;   Descriptor table: 12-byte (0Ch) entries at 40700Ch, indexed 0..2. The odd
;   "imul r, 0" / "shl r, 0" / "shl r, 1" sequences just compute 0Ch*0, 0Ch*1, 0Ch*2.
;     entry 0 (40700Ch) -> my_decrypt,  key 54h
;     entry 1 (407018h) -> 4017F0h,     key 38h   (that routine is outside this listing)
;     entry 2 (407024h) -> sub_401150,  key 0BEh
;   Because sub_401190 is a plain XOR, this routine and sub_4013F0 (same three calls)
;   toggle those code regions between two states; which state is the executable one
;   cannot be told from this listing alone.
;   Analyst note: XOR passes over the module's own function bodies are a
;   self-modifying-code pattern worth keeping in mind when dumping or signaturing
;   these routines, since bytes on disk and in memory may differ.
.text:004011F0 sub_4011F0      proc near               ; CODE XREF: my_module_five+8E↓p
.text:004011F0                                         ; my_module_four+5↓p
.text:004011F0
.text:004011F0 arg_0           = dword ptr  8
.text:004011F0
.text:004011F0 55                      push    ebp
.text:004011F1 8B EC                   mov     ebp, esp
.text:004011F3 83 7D 08 01             cmp     [ebp+arg_0], 1
.text:004011F7 75 52                   jnz     short loc_40124B        ; not 1 -> skip descriptor setup
.text:004011F9 68 A0 12 40 00          push    offset my_decrypt       ; region start for entry 0
.text:004011FE B8 0C 00 00 00          mov     eax, 0Ch
.text:00401203 6B C8 00                imul    ecx, eax, 0             ; 0Ch * 0
.text:00401206 81 C1 0C 70 40 00       add     ecx, 40700Ch
.text:0040120C 51                      push    ecx                     ; &entry[0]
.text:0040120D E8 8E 02 00 00          call    sub_4014A0
.text:00401212 83 C4 08                add     esp, 8
.text:00401215 68 F0 17 40 00          push    4017F0h                 ; region start for entry 1
.text:0040121A BA 0C 00 00 00          mov     edx, 0Ch
.text:0040121F C1 E2 00                shl     edx, 0                  ; 0Ch * 1
.text:00401222 81 C2 0C 70 40 00       add     edx, 40700Ch
.text:00401228 52                      push    edx                     ; &entry[1]
.text:00401229 E8 72 02 00 00          call    sub_4014A0
.text:0040122E 83 C4 08                add     esp, 8
.text:00401231 68 50 11 40 00          push    offset sub_401150       ; region start for entry 2
.text:00401236 B8 0C 00 00 00          mov     eax, 0Ch
.text:0040123B D1 E0                   shl     eax, 1                  ; 0Ch * 2
.text:0040123D 05 0C 70 40 00          add     eax, 40700Ch
.text:00401242 50                      push    eax                     ; &entry[2]
.text:00401243 E8 58 02 00 00          call    sub_4014A0
.text:00401248 83 C4 08                add     esp, 8
.text:0040124B
.text:0040124B loc_40124B:                             ; CODE XREF: sub_4011F0+7↑j
.text:0040124B 6A 54                   push    54h                     ; key for entry 0
.text:0040124D B9 0C 00 00 00          mov     ecx, 0Ch
.text:00401252 6B D1 00                imul    edx, ecx, 0
.text:00401255 81 C2 0C 70 40 00       add     edx, 40700Ch
.text:0040125B 52                      push    edx                     ; &entry[0]
.text:0040125C E8 2F FF FF FF          call    sub_401190
.text:00401261 83 C4 08                add     esp, 8
.text:00401264 6A 38                   push    38h                     ; key for entry 1
.text:00401266 B8 0C 00 00 00          mov     eax, 0Ch
.text:0040126B C1 E0 00                shl     eax, 0
.text:0040126E 05 0C 70 40 00          add     eax, 40700Ch
.text:00401273 50                      push    eax                     ; &entry[1]
.text:00401274 E8 17 FF FF FF          call    sub_401190
.text:00401279 83 C4 08                add     esp, 8
.text:0040127C 68 BE 00 00 00          push    0BEh                    ; key for entry 2
.text:00401281 B9 0C 00 00 00          mov     ecx, 0Ch
.text:00401286 D1 E1                   shl     ecx, 1
.text:00401288 81 C1 0C 70 40 00       add     ecx, 40700Ch
.text:0040128E 51                      push    ecx                     ; &entry[2]
.text:0040128F E8 FC FE FF FF          call    sub_401190
.text:00401294 83 C4 08                add     esp, 8
.text:00401297 5D                      pop     ebp
.text:00401298 C3                      retn
.text:00401298 sub_4011F0      endp
.text:00401298
.text:00401298 ; ---------------------------------------------------------------------------
.text:00401299 CC CC CC CC CC CC CC    align 10h
.text:004012A0
.text:004012A0 ; =============== S U B R O U T I N E =======================================
.text:004012A0
.text:004012A0 ; Attributes: bp-based frame
.text:004012A0
; my_decrypt(pOutSize) -- XOR-decodes the embedded blob at 402048h and hands the
; result to the import at off_402040, returning the buffer that import fills.
;   In:  arg_0 = pointer to a dword; passed through as the last argument of the
;                import call and set to 0 on failure.
;   Out: eax   = output buffer (var_1C) on success, 0 when the import returned nonzero.
;   Locals: var_4  = 2A04h, length of the embedded blob
;           var_20 = var_4 * 5 (0D214h), capacity of the output buffer
;           var_8  = heap buffer receiving the XOR-decoded blob
;           var_1C = heap buffer receiving the import's output
;           var_C/var_10/var_14/var_18 = loop indices, var_24 = import return value
;   Decoding: four passes, each stepping by 4 from start offsets 0, 1, 2 and 3 and
;   XORing with 68h, 8Ah, 49h and 0ECh respectively -- together equivalent to one
;   repeating 4-byte XOR key 68 8A 49 EC over the blob.
;   Import call: arguments are (2, var_1C, var_20, var_8, var_4, arg_0).
;   NOTE(review): off_402040 is not resolved in this listing. The six-argument
;   layout, the leading constant 2 and the caller's FinalUncompressedSize local are
;   consistent with ntdll RtlDecompressBuffer using COMPRESSION_FORMAT_LZNT1 --
;   confirm against the import table. A zero return is treated as success.
;   NOTE(review): neither my_alloc_heap result is checked before the buffers are used.
;   Analyst note: the blob address, the 2A04h length and the four key bytes are
;   values specific to this sample; they are the inputs needed to reproduce the
;   decode offline in a static unpacker.
.text:004012A0 my_decrypt      proc near               ; CODE XREF: my_module_five+21↓p
.text:004012A0                                         ; DATA XREF: sub_4011F0+9↑o ...
.text:004012A0
.text:004012A0 var_24          = dword ptr -24h
.text:004012A0 var_20          = dword ptr -20h
.text:004012A0 var_1C          = dword ptr -1Ch
.text:004012A0 var_18          = dword ptr -18h
.text:004012A0 var_14          = dword ptr -14h
.text:004012A0 var_10          = dword ptr -10h
.text:004012A0 var_C           = dword ptr -0Ch
.text:004012A0 var_8           = dword ptr -8
.text:004012A0 var_4           = dword ptr -4
.text:004012A0 arg_0           = dword ptr  8
.text:004012A0
.text:004012A0 55                      push    ebp
.text:004012A1 8B EC                   mov     ebp, esp
.text:004012A3 83 EC 24                sub     esp, 24h
.text:004012A6 C7 45 FC 04 2A 00 00    mov     [ebp+var_4], 2A04h      ; encoded blob length
.text:004012AD 6B 45 FC 05             imul    eax, [ebp+var_4], 5
.text:004012B1 89 45 E0                mov     [ebp+var_20], eax       ; output capacity = 5 * blob length
.text:004012B4 8B 4D FC                mov     ecx, [ebp+var_4]
.text:004012B7 51                      push    ecx
.text:004012B8 E8 43 FD FF FF          call    my_alloc_heap
.text:004012BD 83 C4 04                add     esp, 4
.text:004012C0 89 45 F8                mov     [ebp+var_8], eax        ; buffer for the decoded blob (result not checked)
.text:004012C3 8B 55 E0                mov     edx, [ebp+var_20]
.text:004012C6 52                      push    edx
.text:004012C7 E8 34 FD FF FF          call    my_alloc_heap
.text:004012CC 83 C4 04                add     esp, 4
.text:004012CF 89 45 E4                mov     [ebp+var_1C], eax       ; output buffer (result not checked)
; pass 1: offsets 0, 4, 8, ... XOR 68h
.text:004012D2 C7 45 F4 00 00 00 00    mov     [ebp+var_C], 0
.text:004012D9 EB 09                   jmp     short loc_4012E4
.text:004012DB ; ---------------------------------------------------------------------------
.text:004012DB
.text:004012DB loc_4012DB:                             ; CODE XREF: my_decrypt+61↓j
.text:004012DB 8B 45 F4                mov     eax, [ebp+var_C]
.text:004012DE 83 C0 04                add     eax, 4
.text:004012E1 89 45 F4                mov     [ebp+var_C], eax        ; index += 4
.text:004012E4
.text:004012E4 loc_4012E4:                             ; CODE XREF: my_decrypt+39↑j
.text:004012E4 8B 4D F4                mov     ecx, [ebp+var_C]
.text:004012E7 3B 4D FC                cmp     ecx, [ebp+var_4]
.text:004012EA 73 17                   jnb     short loc_401303        ; index >= length -> next pass
.text:004012EC 8B 55 F4                mov     edx, [ebp+var_C]
.text:004012EF 0F B6 82 48 20 40 00    movzx   eax, byte ptr [edx+402048h] ; encoded byte
.text:004012F6 83 F0 68                xor     eax, 68h
.text:004012F9 8B 4D F8                mov     ecx, [ebp+var_8]
.text:004012FC 03 4D F4                add     ecx, [ebp+var_C]
.text:004012FF 88 01                   mov     [ecx], al               ; store decoded byte
.text:00401301 EB D8                   jmp     short loc_4012DB
.text:00401303 ; ---------------------------------------------------------------------------
.text:00401303
; pass 2: offsets 1, 5, 9, ... XOR 8Ah
.text:00401303 loc_401303:                             ; CODE XREF: my_decrypt+4A↑j
.text:00401303 C7 45 F0 01 00 00 00    mov     [ebp+var_10], 1
.text:0040130A EB 09                   jmp     short loc_401315
.text:0040130C ; ---------------------------------------------------------------------------
.text:0040130C
.text:0040130C loc_40130C:                             ; CODE XREF: my_decrypt+95↓j
.text:0040130C 8B 55 F0                mov     edx, [ebp+var_10]
.text:0040130F 83 C2 04                add     edx, 4
.text:00401312 89 55 F0                mov     [ebp+var_10], edx
.text:00401315
.text:00401315 loc_401315:                             ; CODE XREF: my_decrypt+6A↑j
.text:00401315 8B 45 F0                mov     eax, [ebp+var_10]
.text:00401318 3B 45 FC                cmp     eax, [ebp+var_4]
.text:0040131B 73 1A                   jnb     short loc_401337
.text:0040131D 8B 4D F0                mov     ecx, [ebp+var_10]
.text:00401320 0F B6 91 48 20 40 00    movzx   edx, byte ptr [ecx+402048h]
.text:00401327 81 F2 8A 00 00 00       xor     edx, 8Ah
.text:0040132D 8B 45 F8                mov     eax, [ebp+var_8]
.text:00401330 03 45 F0                add     eax, [ebp+var_10]
.text:00401333 88 10                   mov     [eax], dl
.text:00401335 EB D5                   jmp     short loc_40130C
.text:00401337 ; ---------------------------------------------------------------------------
.text:00401337
; pass 3: offsets 2, 6, 10, ... XOR 49h
.text:00401337 loc_401337:                             ; CODE XREF: my_decrypt+7B↑j
.text:00401337 C7 45 EC 02 00 00 00    mov     [ebp+var_14], 2
.text:0040133E EB 09                   jmp     short loc_401349
.text:00401340 ; ---------------------------------------------------------------------------
.text:00401340
.text:00401340 loc_401340:                             ; CODE XREF: my_decrypt+C6↓j
.text:00401340 8B 4D EC                mov     ecx, [ebp+var_14]
.text:00401343 83 C1 04                add     ecx, 4
.text:00401346 89 4D EC                mov     [ebp+var_14], ecx
.text:00401349
.text:00401349 loc_401349:                             ; CODE XREF: my_decrypt+9E↑j
.text:00401349 8B 55 EC                mov     edx, [ebp+var_14]
.text:0040134C 3B 55 FC                cmp     edx, [ebp+var_4]
.text:0040134F 73 17                   jnb     short loc_401368
.text:00401351 8B 45 EC                mov     eax, [ebp+var_14]
.text:00401354 0F B6 88 48 20 40 00    movzx   ecx, byte ptr [eax+402048h]
.text:0040135B 83 F1 49                xor     ecx, 49h
.text:0040135E 8B 55 F8                mov     edx, [ebp+var_8]
.text:00401361 03 55 EC                add     edx, [ebp+var_14]
.text:00401364 88 0A                   mov     [edx], cl
.text:00401366 EB D8                   jmp     short loc_401340
.text:00401368 ; ---------------------------------------------------------------------------
.text:00401368
; pass 4: offsets 3, 7, 11, ... XOR 0ECh
.text:00401368 loc_401368:                             ; CODE XREF: my_decrypt+AF↑j
.text:00401368 C7 45 E8 03 00 00 00    mov     [ebp+var_18], 3
.text:0040136F EB 09                   jmp     short loc_40137A
.text:00401371 ; ---------------------------------------------------------------------------
.text:00401371
.text:00401371 loc_401371:                             ; CODE XREF: my_decrypt+F9↓j
.text:00401371 8B 45 E8                mov     eax, [ebp+var_18]
.text:00401374 83 C0 04                add     eax, 4
.text:00401377 89 45 E8                mov     [ebp+var_18], eax
.text:0040137A
.text:0040137A loc_40137A:                             ; CODE XREF: my_decrypt+CF↑j
.text:0040137A 8B 4D E8                mov     ecx, [ebp+var_18]
.text:0040137D 3B 4D FC                cmp     ecx, [ebp+var_4]
.text:00401380 73 19                   jnb     short loc_40139B
.text:00401382 8B 55 E8                mov     edx, [ebp+var_18]
.text:00401385 0F B6 82 48 20 40 00    movzx   eax, byte ptr [edx+402048h]
.text:0040138C 35 EC 00 00 00          xor     eax, 0ECh
.text:00401391 8B 4D F8                mov     ecx, [ebp+var_8]
.text:00401394 03 4D E8                add     ecx, [ebp+var_18]
.text:00401397 88 01                   mov     [ecx], al
.text:00401399 EB D6                   jmp     short loc_401371
.text:0040139B ; ---------------------------------------------------------------------------
.text:0040139B
; decoded blob is complete; pass it to the import (arguments pushed last-to-first)
.text:0040139B loc_40139B:                             ; CODE XREF: my_decrypt+E0↑j
.text:0040139B 8B 55 08                mov     edx, [ebp+arg_0]
.text:0040139E 52                      push    edx                     ; arg 6: caller's size dword
.text:0040139F 8B 45 FC                mov     eax, [ebp+var_4]
.text:004013A2 50                      push    eax                     ; arg 5: decoded blob length (2A04h)
.text:004013A3 8B 4D F8                mov     ecx, [ebp+var_8]
.text:004013A6 51                      push    ecx                     ; arg 4: decoded blob
.text:004013A7 8B 55 E0                mov     edx, [ebp+var_20]
.text:004013AA 52                      push    edx                     ; arg 3: output capacity
.text:004013AB 8B 45 E4                mov     eax, [ebp+var_1C]
.text:004013AE 50                      push    eax                     ; arg 2: output buffer
.text:004013AF 6A 02                   push    2                       ; arg 1: constant 2
.text:004013B1 FF 15 40 20 40 00       call    ds:off_402040           ; presumably RtlDecompressBuffer (unresolved here)
.text:004013B7 89 45 DC                mov     [ebp+var_24], eax       ; keep the status
.text:004013BA 8B 4D F8                mov     ecx, [ebp+var_8]
.text:004013BD 51                      push    ecx
.text:004013BE E8 7D FC FF FF          call    my_heapfree             ; decoded blob is no longer needed
.text:004013C3 83 C4 04                add     esp, 4
.text:004013C6 83 7D DC 00             cmp     [ebp+var_24], 0
.text:004013CA 74 1C                   jz      short loc_4013E8        ; status 0 -> keep the output buffer
.text:004013CC 8B 55 E4                mov     edx, [ebp+var_1C]
.text:004013CF 52                      push    edx
.text:004013D0 E8 6B FC FF FF          call    my_heapfree             ; failure: release the output buffer
.text:004013D5 83 C4 04                add     esp, 4
.text:004013D8 C7 45 E4 00 00 00 00    mov     [ebp+var_1C], 0         ; return value becomes 0
.text:004013DF 8B 45 08                mov     eax, [ebp+arg_0]
.text:004013E2 C7 00 00 00 00 00       mov     dword ptr [eax], 0      ; and the caller's size dword too
.text:004013E8
.text:004013E8 loc_4013E8:                             ; CODE XREF: my_decrypt+12A↑j
.text:004013E8 8B 45 E4                mov     eax, [ebp+var_1C]
.text:004013EB 8B E5                   mov     esp, ebp
.text:004013ED 5D                      pop     ebp
.text:004013EE C3                      retn
.text:004013EE my_decrypt      endp
.text:004013EE
.text:004013EE ; ---------------------------------------------------------------------------
.text:004013EF CC                      align 10h
.text:004013F0
.text:004013F0 ; =============== S U B R O U T I N E =======================================
.text:004013F0
.text:004013F0 ; Attributes: bp-based frame
.text:004013F0
; sub_4013F0() -- runs sub_401190 over the three descriptors at 40700Ch with the
; keys 54h, 38h and 0BEh.
;   No arguments, no meaningful return value.
;   These are the same three calls as the second half of sub_4011F0, without the
;   optional descriptor setup. my_module_five calls this right before my_decrypt
;   and calls sub_4011F0(0) again before transferring control, so the XOR is
;   applied once before and once after the unpacking work.
.text:004013F0 sub_4013F0      proc near               ; CODE XREF: my_module_five+18↓p
.text:004013F0 55                      push    ebp
.text:004013F1 8B EC                   mov     ebp, esp
.text:004013F3 6A 54                   push    54h                     ; key for entry 0
.text:004013F5 B8 0C 00 00 00          mov     eax, 0Ch
.text:004013FA 6B C8 00                imul    ecx, eax, 0             ; 0Ch * 0
.text:004013FD 81 C1 0C 70 40 00       add     ecx, 40700Ch
.text:00401403 51                      push    ecx                     ; &entry[0]
.text:00401404 E8 87 FD FF FF          call    sub_401190
.text:00401409 83 C4 08                add     esp, 8
.text:0040140C 6A 38                   push    38h                     ; key for entry 1
.text:0040140E BA 0C 00 00 00          mov     edx, 0Ch
.text:00401413 C1 E2 00                shl     edx, 0                  ; 0Ch * 1
.text:00401416 81 C2 0C 70 40 00       add     edx, 40700Ch
.text:0040141C 52                      push    edx                     ; &entry[1]
.text:0040141D E8 6E FD FF FF          call    sub_401190
.text:00401422 83 C4 08                add     esp, 8
.text:00401425 68 BE 00 00 00          push    0BEh                    ; key for entry 2
.text:0040142A B8 0C 00 00 00          mov     eax, 0Ch
.text:0040142F D1 E0                   shl     eax, 1                  ; 0Ch * 2
.text:00401431 05 0C 70 40 00          add     eax, 40700Ch
.text:00401436 50                      push    eax                     ; &entry[2]
.text:00401437 E8 54 FD FF FF          call    sub_401190
.text:0040143C 83 C4 08                add     esp, 8
.text:0040143F 5D                      pop     ebp
.text:00401440 C3                      retn
.text:00401440 sub_4013F0      endp
.text:00401440
.text:00401440 ; ---------------------------------------------------------------------------
.text:00401441 CC CC CC CC CC CC CC CC CC CC+  align 10h
.text:00401450
.text:00401450 ; =============== S U B R O U T I N E =======================================
.text:00401450
.text:00401450 ; Attributes: bp-based frame
.text:00401450
; sub_401450(buf, len) -- linear search for the 8-byte pattern checked by sub_401100.
;   In:  arg_0 = buffer pointer (advanced in place as the scan position),
;        arg_4 = number of start positions to try.
;   Out: eax   = address of the first position where sub_401100 returns 1,
;                or 0 when no position matches.
;   NOTE(review): every probe reads 8 bytes at the current position and the loop
;   bound is arg_4 itself, so if arg_4 is the full buffer length the last probes
;   read up to 7 bytes past the end of the buffer.
.text:00401450 sub_401450      proc near               ; CODE XREF: sub_401150+C↑p
.text:00401450
.text:00401450 var_4           = dword ptr -4
.text:00401450 arg_0           = dword ptr  8
.text:00401450 arg_4           = dword ptr  0Ch
.text:00401450
.text:00401450 55                      push    ebp
.text:00401451 8B EC                   mov     ebp, esp
.text:00401453 51                      push    ecx                     ; reserve var_4
.text:00401454 C7 45 FC 00 00 00 00    mov     [ebp+var_4], 0          ; i = 0
.text:0040145B EB 12                   jmp     short loc_40146F
.text:0040145D ; ---------------------------------------------------------------------------
.text:0040145D
.text:0040145D loc_40145D:                             ; CODE XREF: sub_401450:loc_40148D↓j
.text:0040145D 8B 45 FC                mov     eax, [ebp+var_4]
.text:00401460 83 C0 01                add     eax, 1
.text:00401463 89 45 FC                mov     [ebp+var_4], eax        ; i++
.text:00401466 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:00401469 83 C1 01                add     ecx, 1
.text:0040146C 89 4D 08                mov     [ebp+arg_0], ecx        ; scan position++
.text:0040146F
.text:0040146F loc_40146F:                             ; CODE XREF: sub_401450+B↑j
.text:0040146F 8B 55 FC                mov     edx, [ebp+var_4]
.text:00401472 3B 55 0C                cmp     edx, [ebp+arg_4]
.text:00401475 73 18                   jnb     short loc_40148F        ; i >= len -> not found
.text:00401477 8B 45 08                mov     eax, [ebp+arg_0]
.text:0040147A 50                      push    eax
.text:0040147B E8 80 FC FF FF          call    sub_401100              ; 8-byte compare at this position
.text:00401480 83 C4 04                add     esp, 4
.text:00401483 83 F8 01                cmp     eax, 1
.text:00401486 75 05                   jnz     short loc_40148D
.text:00401488 8B 45 08                mov     eax, [ebp+arg_0]        ; match -> return this position
.text:0040148B EB 04                   jmp     short loc_401491
.text:0040148D ; ---------------------------------------------------------------------------
.text:0040148D
.text:0040148D loc_40148D:                             ; CODE XREF: sub_401450+36↑j
.text:0040148D EB CE                   jmp     short loc_40145D
.text:0040148F ; ---------------------------------------------------------------------------
.text:0040148F
.text:0040148F loc_40148F:                             ; CODE XREF: sub_401450+25↑j
.text:0040148F 33 C0                   xor     eax, eax                ; not found -> return 0
.text:00401491
.text:00401491 loc_401491:                             ; CODE XREF: sub_401450+3B↑j
.text:00401491 8B E5                   mov     esp, ebp
.text:00401493 5D                      pop     ebp
.text:00401494 C3                      retn
.text:00401494 sub_401450      endp
.text:00401494
.text:00401494 ; ---------------------------------------------------------------------------
.text:00401495 CC CC CC CC CC CC CC CC CC CC+  align 10h
.text:004014A0
.text:004014A0 ; =============== S U B R O U T I N E =======================================
.text:004014A0
.text:004014A0 ; Attributes: bp-based frame
.text:004014A0
; sub_4014A0(desc, addr) -- fills one 12-byte region descriptor used by sub_401190.
;   In:  arg_0 = descriptor to fill, arg_4 = start address of the region.
;   Writes: [desc+0] = addr
;           [desc+8] = result of sub_4014F0(addr)  (0 or 1)
;           [desc+4] = 0 when that result is 1, otherwise sub_401770(addr, 400h)
;   sub_401190 only processes a descriptor whose +8 field is 0 and uses +4 as the
;   byte count, so a result of 1 from sub_4014F0 disables the region.
;   NOTE(review): sub_401770 is outside this listing; from its use here it returns
;   the region length, with 400h presumably an upper bound -- confirm.
.text:004014A0 sub_4014A0      proc near               ; CODE XREF: sub_4011F0+1D↑p
.text:004014A0                                         ; sub_4011F0+39↑p ...
.text:004014A0
.text:004014A0 arg_0           = dword ptr  8
.text:004014A0 arg_4           = dword ptr  0Ch
.text:004014A0
.text:004014A0 55                      push    ebp
.text:004014A1 8B EC                   mov     ebp, esp
.text:004014A3 8B 45 08                mov     eax, [ebp+arg_0]
.text:004014A6 8B 4D 0C                mov     ecx, [ebp+arg_4]
.text:004014A9 89 08                   mov     [eax], ecx              ; desc+0 = region start
.text:004014AB 8B 55 0C                mov     edx, [ebp+arg_4]
.text:004014AE 52                      push    edx
.text:004014AF E8 3C 00 00 00          call    sub_4014F0              ; memory check on the region start
.text:004014B4 83 C4 04                add     esp, 4
.text:004014B7 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:004014BA 89 41 08                mov     [ecx+8], eax            ; desc+8 = flag
.text:004014BD 8B 55 08                mov     edx, [ebp+arg_0]
.text:004014C0 83 7A 08 01             cmp     dword ptr [edx+8], 1
.text:004014C4 75 0C                   jnz     short loc_4014D2
.text:004014C6 8B 45 08                mov     eax, [ebp+arg_0]
.text:004014C9 C7 40 04 00 00 00 00    mov     dword ptr [eax+4], 0    ; flag == 1 -> length 0
.text:004014D0 EB 17                   jmp     short loc_4014E9
.text:004014D2 ; ---------------------------------------------------------------------------
.text:004014D2
.text:004014D2 loc_4014D2:                             ; CODE XREF: sub_4014A0+24↑j
.text:004014D2 68 00 04 00 00          push    400h
.text:004014D7 8B 4D 0C                mov     ecx, [ebp+arg_4]
.text:004014DA 51                      push    ecx
.text:004014DB E8 90 02 00 00          call    sub_401770              ; not in this listing
.text:004014E0 83 C4 08                add     esp, 8
.text:004014E3 8B 55 08                mov     edx, [ebp+arg_0]
.text:004014E6 89 42 04                mov     [edx+4], eax            ; desc+4 = length
.text:004014E9
.text:004014E9 loc_4014E9:                             ; CODE XREF: sub_4014A0+30↑j
.text:004014E9 5D                      pop     ebp
.text:004014EA C3                      retn
.text:004014EA sub_4014A0      endp
.text:004014EA
.text:004014EA ; ---------------------------------------------------------------------------
.text:004014EB CC CC CC CC CC          align 10h
.text:004014F0
.text:004014F0 ; =============== S U B R O U T I N E =======================================
.text:004014F0
.text:004014F0 ; Attributes: bp-based frame
.text:004014F0
; sub_4014F0(addr) -- queries the memory at addr through the import at off_402010
; and tests one bit of the result.
;   In:  arg_0 = address to query.
;   Out: eax   = 0 when the import returned 1Ch AND bit 4 is set in the dword at
;                offset 14h of the 1Ch-byte result buffer (var_8 = buffer + 14h);
;                1 in every other case.
;   NOTE(review): off_402010 is not resolved in this listing. An (address, buffer,
;   1Ch) call that returns the number of bytes written matches VirtualQuery with a
;   32-bit MEMORY_BASIC_INFORMATION, where offset 14h is Protect and 4 is
;   PAGE_READWRITE -- confirm against the import table. Read that way, the routine
;   returns 0 only for memory whose protection value has the read/write bit set.
;   No "add esp" follows the import call, so the callee pops its own arguments.
.text:004014F0 sub_4014F0      proc near               ; CODE XREF: sub_4014A0+F↑p
.text:004014F0
.text:004014F0 var_1C          = byte ptr -1Ch
.text:004014F0 var_8           = dword ptr -8
.text:004014F0 arg_0           = dword ptr  8
.text:004014F0
.text:004014F0 55                      push    ebp
.text:004014F1 8B EC                   mov     ebp, esp
.text:004014F3 83 EC 1C                sub     esp, 1Ch                ; 1Ch-byte result buffer
.text:004014F6 6A 1C                   push    1Ch                     ; buffer size
.text:004014F8 8D 45 E4                lea     eax, [ebp+var_1C]
.text:004014FB 50                      push    eax                     ; result buffer
.text:004014FC 8B 4D 08                mov     ecx, [ebp+arg_0]
.text:004014FF 51                      push    ecx                     ; address to query
.text:00401500 FF 15 10 20 40 00       call    ds:off_402010           ; presumably VirtualQuery (unresolved here)
.text:00401506 83 F8 1C                cmp     eax, 1Ch
.text:00401509 75 0C                   jnz     short loc_401517        ; unexpected size -> return 1
.text:0040150B 8B 55 F8                mov     edx, [ebp+var_8]        ; dword at buffer + 14h
.text:0040150E 83 E2 04                and     edx, 4
.text:00401511 74 04                   jz      short loc_401517        ; bit clear -> return 1
.text:00401513 33 C0                   xor     eax, eax                ; bit set -> return 0
.text:00401515 EB 05                   jmp     short loc_40151C
.text:00401517 ; ---------------------------------------------------------------------------
.text:00401517
.text:00401517 loc_401517:                             ; CODE XREF: sub_4014F0+19↑j
.text:00401517                                         ; sub_4014F0+21↑j
.text:00401517 B8 01 00 00 00          mov     eax, 1
.text:0040151C
.text:0040151C loc_40151C:                             ; CODE XREF: sub_4014F0+25↑j
.text:0040151C 8B E5                   mov     esp, ebp
.text:0040151E 5D                      pop     ebp
.text:0040151F C3                      retn
.text:0040151F sub_4014F0      endp
.text:0040151F
.text:00401520
.text:00401520
; =============== S U B R O U T I N E =======================================
.text:00401520
.text:00401520 ; Attributes: bp-based frame
.text:00401520
; my_module_five() -- driver of this unpacking stage (analyst-named). Decodes and
; expands the embedded payload, validates and patches it, maps it, then calls its
; entry point; every path ends in the import the analyst labelled "exitprocess".
;   Locals (analyst names): my_unpacked_pe = buffer returned by my_decrypt,
;   FinalUncompressedSize = size dword handed to my_decrypt by address,
;   my_allocated_region / my_exe_entrypoint = outputs of
;   my_alloc_exe_in_memory_region, my_EP = copy of the entry point used for the call.
;   Flow:
;     1. FinalUncompressedSize = byte at 404A4Ch (zero-extended); sub_4013F0() XORs
;        the three code regions described at 40700Ch.
;     2. my_decrypt(&FinalUncompressedSize) -> my_unpacked_pe; 0 means failure.
;     3. my_check_mz(my_unpacked_pe) must return 1 (routine outside this listing;
;        by its name an MZ-header check).
;     4. sub_401150(my_unpacked_pe, FinalUncompressedSize) must return 1: it finds
;        the 8-byte marker and copies 2008h bytes from 404A70h over it.
;     5. my_alloc_exe_in_memory_region(my_unpacked_pe, FinalUncompressedSize,
;        &my_allocated_region, &my_exe_entrypoint) must return 1 (outside this listing).
;     6. The heap copy is freed, sub_4011F0(0) XORs the code regions again, and the
;        entry point is called (analyst: "jump to module six").
;   Failure at steps 4 or 5 frees the buffer at loc_4015BF; all paths reach loc_4015D8.
;   Analyst note: the sequence heap allocation -> XOR decode -> decompression call ->
;   MZ check -> in-memory mapping -> indirect call through a stack slot is the
;   behavioural outline of this stage; the on-disk file never contains the next
;   stage in clear form, so static scanning has to reproduce steps 1-2 first.
.text:00401520 my_module_five  proc far                ; CODE XREF: my_registered_window_callback_function+30↓p
.text:00401520
.text:00401520 my_allocated_region= byte ptr -14h
.text:00401520 my_EP           = dword ptr -10h
.text:00401520 my_exe_entrypoint= dword ptr -0Ch
.text:00401520 FinalUncompressedSize= dword ptr -8
.text:00401520 my_unpacked_pe  = dword ptr -4
.text:00401520
.text:00401520 55                      push    ebp
.text:00401521 8B EC                   mov     ebp, esp
.text:00401523 83 EC 14                sub     esp, 14h
.text:00401526 B8 01 00 00 00          mov     eax, 1
.text:0040152B 6B C8 00                imul    ecx, eax, 0             ; index 1 * 0 = 0
.text:0040152E 0F B6 91 4C 4A 40 00    movzx   edx, byte ptr [ecx+404A4Ch]
.text:00401535 89 55 F8                mov     [ebp+FinalUncompressedSize], edx ; initial value: byte at 404A4Ch
.text:00401538 E8 B3 FE FF FF          call    sub_4013F0              ; XOR pass over the three code regions
.text:0040153D 8D 45 F8                lea     eax, [ebp+FinalUncompressedSize]
.text:00401540 50                      push    eax
.text:00401541 E8 5A FD FF FF          call    my_decrypt
.text:00401546 83 C4 04                add     esp, 4
.text:00401549 89 45 FC                mov     [ebp+my_unpacked_pe], eax
.text:0040154C 83 7D FC 00             cmp     [ebp+my_unpacked_pe], 0
.text:00401550 0F 84 82 00 00 00       jz      loc_4015D8              ; no buffer -> exit
.text:00401556 8B 4D FC                mov     ecx, [ebp+my_unpacked_pe]
.text:00401559 51                      push    ecx
.text:0040155A E8 D1 01 00 00          call    my_check_mz
.text:0040155F 83 C4 04                add     esp, 4
.text:00401562 83 F8 01                cmp     eax, 1
.text:00401565 75 71                   jnz     short loc_4015D8        ; check failed -> exit (buffer is not freed on this path)
.text:00401567 8B 55 F8                mov     edx, [ebp+FinalUncompressedSize]
.text:0040156A 52                      push    edx             ; 0x6000
.text:0040156B 8B 45 FC                mov     eax, [ebp+my_unpacked_pe]
.text:0040156E 50                      push    eax
.text:0040156F E8 DC FB FF FF          call    sub_401150              ; locate marker, patch 2008h bytes
.text:00401574 83 C4 08                add     esp, 8
.text:00401577 83 F8 01                cmp     eax, 1
.text:0040157A 75 43                   jnz     short loc_4015BF
.text:0040157C 8D 4D F4                lea     ecx, [ebp-0Ch]          ; -0Ch is the my_exe_entrypoint slot
.text:0040157F 51                      push    ecx
.text:00401580 8D 55 EC                lea     edx, [ebp+my_allocated_region]
.text:00401583 52                      push    edx
.text:00401584 8B 45 F8                mov     eax, [ebp+FinalUncompressedSize]
.text:00401587 50                      push    eax
.text:00401588 8B 4D FC                mov     ecx, [ebp+my_unpacked_pe]
.text:0040158B 51                      push    ecx
.text:0040158C E8 5F 02 00 00          call    my_alloc_exe_in_memory_region
.text:00401591
.text:00401591 loc_401591:
.text:00401591 83 C4 10                add     esp, 10h
.text:00401594 83 F8 01                cmp     eax, 1
.text:00401597 75 26                   jnz     short loc_4015BF
.text:00401599 8B 55 FC                mov     edx, [ebp+my_unpacked_pe]
.text:0040159C 52                      push    edx
.text:0040159D E8 9E FA FF FF          call    my_heapfree             ; heap copy no longer needed once mapped
.text:004015A2 83 C4 04                add     esp, 4
.text:004015A5 C7 45 FC 00 00 00 00    mov     [ebp+my_unpacked_pe], 0 ; prevents a second free at loc_4015BF
.text:004015AC 6A 00                   push    0                       ; 0 = skip descriptor setup
.text:004015AE E8 3D FC FF FF          call    sub_4011F0              ; second XOR pass over the code regions
.text:004015B3
.text:004015B3 loc_4015B3:
.text:004015B3 83 C4 04                add     esp, 4
.text:004015B6 8B 45 F4                mov     eax, [ebp+my_exe_entrypoint]
.text:004015B9 89 45 F0                mov     [ebp+my_EP], eax
.text:004015BC FF 55 F0                call    [ebp+my_EP]     ; jump to module six
.text:004015BF
.text:004015BF loc_4015BF:                             ; CODE XREF: my_module_five+5A↑j
.text:004015BF                                         ; my_module_five+77↑j
.text:004015BF 83 7D FC 00             cmp     [ebp+my_unpacked_pe], 0
.text:004015C3 74 13                   jz      short loc_4015D8
.text:004015C5
.text:004015C5 loc_4015C5:
.text:004015C5 8B 4D FC                mov     ecx, [ebp+my_unpacked_pe]
.text:004015C8 51                      push    ecx
.text:004015C9 E8 72 FA FF FF          call    my_heapfree
.text:004015CE 83 C4 04                add     esp, 4
.text:004015D1 C7 45 FC 00 00 00 00    mov     [ebp+my_unpacked_pe], 0
.text:004015D8
.text:004015D8 loc_4015D8:                             ; CODE XREF: my_module_five+30↑j
.text:004015D8                                         ; my_module_five+45↑j ...
.text:004015D8 6A 00                   push    0
.text:004015DA FF 15 14 20 40 00       call    ds:off_402014   ; exitprocess
; if off_402014 is ExitProcess as labelled, the epilogue below is presumably never reached
.text:004015E0 8B E5                   mov     esp, ebp
.text:004015E2 5D                      pop     ebp
.text:004015E3 C3                      retn
.text:004015E3 ; ---------------------------------------------------------------------------
.text:004015E4 CC CC CC CC             dd 0CCCCCCCCh
.text:004015E4 my_module_five  endp
.text:004015E4
.text:004015E8 CC CC CC CC             dd 0CCCCCCCCh
.text:004015EC CC CC CC CC             dd 0CCCCCCCCh
.text:004015F0
.text:004015F0 ; =============== S U B R O U T I N E =======================================
;
; my_module_four (analyst-assigned name): calls sub_4011F0(1), then sub_401610, then the
; import at off_402014 with argument 0 (labelled "exitprocess" by the analyst).
; IDA records only DATA XREFs to this address (one from a debugger segment, debug028), so it is
; presumably reached through a stored pointer rather than a direct call -- confirm in the blog text.
;
.text:004015F0
.text:004015F0 ; Attributes: bp-based frame
.text:004015F0
.text:004015F0 my_module_four  proc near               ; DATA XREF: debug028:00230B0D↑o
.text:004015F0                                         ; .text:004092AE↓o
.text:004015F0 55                    push    ebp
.text:004015F1
.text:004015F1 loc_4015F1:
.text:004015F1 8B EC                 mov     ebp, esp
.text:004015F3 6A 01                 push    1
.text:004015F5 E8 F6 FB FF FF        call    sub_4011F0  ; same helper my_module_five calls with 0; body not in view
.text:004015FA 83 C4 04              add     esp, 4
.text:004015FD E8 0E 00 00 00        call    near ptr sub_401610  ; registers the window callback that later triggers my_module_five
.text:00401602 6A 00                 push    0
.text:00401604 FF 15 14 20 40 00     call    ds:off_402014  ; exitprocess
.text:0040160A 5D                    pop     ebp
.text:0040160B C3                    retn
.text:0040160B my_module_four  endp
.text:0040160B
.text:0040160B ; ---------------------------------------------------------------------------
.text:0040160C CC                    db 0CCh  ; Ì
.text:0040160D CC                    db 0CCh  ; Ì
.text:0040160E CC                    db 0CCh  ; Ì
.text:0040160F CC                    db 0CCh  ; Ì
.text:00401610
.text:00401610 ; =============== S U B R O U T I N E =======================================
;
; sub_401610 -- fills a 30h-byte structure at var_50, hands it to the import at off_402034,
; calls off_402038 with twelve arguments, then runs a loop over off_402024 / off_402028 /
; off_40202C. my_registered_window_callback_function is stored at var_48 (structure offset 8)
; and the string "MainWnd" at var_28 (structure offset 28h).
; NOTE(review): the field offsets (size 30h at +0, callback at +8, name at +28h) and the 16-bit
; return check after off_402034 fit a WNDCLASSEX / RegisterClassEx pattern followed by
; CreateWindowEx and a GetMessage / TranslateMessage / DispatchMessage loop, but the import
; slots 00402020..00402038 are not named in this part of the listing -- confirm against the IAT.
;
; NOTE(review): the disassembly below is desynchronised in several places ("sp-analysis
; failed", runs of "db", implausible instructions). The raw byte column is still intact; the
; comments marked "bytes decode as" give the straight-line decoding of those bytes. The cause
; of the desynchronisation cannot be determined from the listing itself.
; var_AF1FBB exists only because of the mis-decoded instruction at 004016B1; var_72E98140 is
; not referenced by any instruction shown and is likely a similar artefact.
;
.text:00401610
.text:00401610 ; Attributes: bp-based frame
.text:00401610
.text:00401610 sub_401610      proc far                ; CODE XREF: my_module_four+D↑p
.text:00401610
.text:00401610 var_72E98140    = byte ptr -72E98140h
.text:00401610 var_AF1FBB      = byte ptr -0AF1FBBh
.text:00401610 var_50          = dword ptr -50h
.text:00401610 var_48          = dword ptr -48h
.text:00401610 var_3C          = dword ptr -3Ch
.text:00401610 var_28          = dword ptr -28h
.text:00401610 var_20          = byte ptr -20h
.text:00401610 var_4           = dword ptr -4
.text:00401610
.text:00401610 55                    push    ebp
.text:00401611 8B EC                 mov     ebp, esp
.text:00401613 83 EC 50              sub     esp, 50h
.text:00401616 6A 30                 push    30h
.text:00401618 6A 00                 push    0
.text:0040161A 8D 45 B0              lea     eax, [ebp+var_50]
.text:0040161D 50                    push    eax
.text:0040161D ; ---------------------------------------------------------------------------
; bytes decode as: E8 9D FA FF FF = call 004010C0h (rel32 0FFFFFA9Dh from 00401623), with the
; three arguments (&var_50, 0, 30h) pushed above -- presumably a memset-style fill; target not in view.
.text:0040161E E8                    db 0E8h  ; è
.text:0040161F 9D                    db 9Dh
.text:00401620 FA                    db 0FAh  ; ú
.text:00401621 FF                    db 0FFh  ; ÿ
.text:00401622 FF                    db 0FFh  ; ÿ
.text:00401623 ; ---------------------------------------------------------------------------
.text:00401623 83 C4 0C              add     esp, 0Ch
.text:00401626 C7 45 B0 30 00 00 00  mov     [ebp+var_50], 30h  ; structure offset 0 = its own size
.text:0040162D C7 45 B8 D0 16 40 00  mov     [ebp+var_48], offset my_registered_window_callback_function  ; structure offset 8
.text:00401634 C7 45 C4 00 00 00 00  mov     [ebp+var_3C], 0  ; structure offset 14h
.text:0040163B C7 45 D8 88 6A 40 00  mov     [ebp+var_28], offset aMainwnd  ; "MainWnd"  (structure offset 28h)
.text:00401642 8D 4D B0              lea     ecx, [ebp+var_50]
.text:00401645 51                    push    ecx
.text:00401646 FF 15 34 20 40 00     call    ds:off_402034  ; import not named in view; presumably RegisterClassEx
.text:0040164C 0F B7 D0              movzx   edx, ax  ; only the low 16 bits of the result are tested
.text:0040164F 85 D2                 test    edx, edx
.text:0040164F ; ---------------------------------------------------------------------------
; bytes decode as: 75 02 = jnz short 00401655h ; EB 69 = jmp short 004016BEh (exit on a zero result),
; then 6A 00 x3, 6A FD, 6A 00 x6 = pushes of 0,0,0,0FFFFFFFDh,0,0,0,0,0,0 before the two pushes
; at 00401669/0040166E -- twelve arguments in total for off_402038.
; NOTE(review): in a CreateWindowEx argument layout, 0FFFFFFFDh would be the parent-window slot,
; where -3 is HWND_MESSAGE (a message-only window with no visible UI) -- confirm the import.
.text:00401651 75                    db 75h  ; u
.text:00401652 02 EB                 add     ch, bl  ; mis-decoded, see note above
.text:00401654 69 6A 00 6A 00 6A 00  imul    ebp, [edx+0], 6A006Ah  ; mis-decoded, see note above
.text:0040165B 6A FD                 push    0FFFFFFFDh
.text:0040165D 6A 00                 push    0
.text:0040165D ; ---------------------------------------------------------------------------
.text:0040165F 6A                    db 6Ah  ; j
.text:00401660 00 6A 00              add     [edx+0], ch  ; mis-decoded: 6A 00 / 6A 00 = two more "push 0"
.text:00401663 6A 00                 push    0
.text:00401665 6A 00                 push    0
.text:00401667 6A 00                 push    0
.text:00401669 68 90 6A 40 00        push    offset aMainwnd_0  ; "MainWnd"
.text:0040166E 6A 00                 push    0
.text:00401670
.text:00401670 loc_401670:
.text:00401670 FF 15 38 20 40 00     call    ds:off_402038  ; import not named in view; presumably CreateWindowEx
.text:00401676 89 45 FC              mov     [ebp+var_4], eax
.text:00401679 83 7D FC 00           cmp     [ebp+var_4], 0
.text:0040167D
.text:0040167D loc_40167D:
.text:0040167D 75 02                 jnz     short near ptr unk_401681
.text:0040167F
.text:0040167F loc_40167F:
.text:0040167F EB 3D                 jmp     short loc_4016BE  ; zero result -> leave
.text:0040167F ; ---------------------------------------------------------------------------
; bytes decode as: 6A 00 = push 0 ; 6A 64 = push 64h ; 68 E8 03 00 00 = push 3E8h ;
; 8B 45 FC = mov eax, [ebp+var_4] ; 50 = push eax ; then the call through off_402020.
; NOTE(review): (handle, 3E8h, 64h, 0) fits SetTimer(hWnd, id = 1000, elapse = 100 ms, NULL);
; the callback at 004016D0 counts message 113h, which is consistent -- confirm the import.
.text:00401681 6A     unk_401681     db 6Ah  ; j  ; CODE XREF: sub_401610:loc_40167D↑j
.text:00401682 00 6A 64              add     [edx+64h], ch  ; mis-decoded, see note above
.text:00401685 68 E8 03 00 00        push    3E8h
.text:00401685 ; ---------------------------------------------------------------------------
.text:0040168A 8B                    db 8Bh  ; ‹
.text:0040168B 45                    inc     ebp  ; mis-decoded, see note above
.text:0040168C FC                    cld  ; mis-decoded, see note above
.text:0040168D 50                    push    eax
.text:0040168E FF 15 20 20 40 00     call    ds:off_402020  ; import not named in view; presumably SetTimer
.text:00401694
.text:00401694 loc_401694:                             ; CODE XREF: sub_401610+AC↓j
.text:00401694 6A 00                 push    0
.text:00401696 6A 00                 push    0
.text:00401698 6A 00                 push    0
.text:00401698 ; ---------------------------------------------------------------------------
; bytes decode as: 8D 4D E0 = lea ecx, [ebp+var_20], followed by the "push ecx" at 0040169D.
.text:0040169A 8D                    db 8Dh
.text:0040169B 4D                    dec     ebp  ; mis-decoded, see note above
.text:0040169B ; ---------------------------------------------------------------------------
.text:0040169C E0                    db 0E0h  ; à
.text:0040169D ; ---------------------------------------------------------------------------
.text:0040169D 51                    push    ecx
.text:0040169E FF 15 24 20 40 00     call    ds:off_402024  ; (&var_20, 0, 0, 0); presumably GetMessage
.text:004016A4 85 C0                 test    eax, eax
.text:004016A6 7E 16                 jle     short loc_4016BE  ; result <= 0 ends the loop
.text:004016A8 8D 55 E0              lea     edx, [ebp+var_20]
.text:004016AB
.text:004016AB loc_4016AB:
.text:004016AB 52                    push    edx
.text:004016AB ; ---------------------------------------------------------------------------
; bytes decode as: FF 15 28 20 40 00 = call ds:[00402028h] ; 8D 45 E0 = lea eax, [ebp+var_20] ;
; 50 = push eax ; FF 15 2C 20 40 00 = call ds:[0040202Ch] -- presumably TranslateMessage and
; DispatchMessage on the same structure; imports not named in view.
.text:004016AC FF                    db 0FFh  ; ÿ
.text:004016AD 15                    db 15h
.text:004016AE 28                    db 28h  ; (
.text:004016AF 20                    db 20h
.text:004016B0 40                    db 40h  ; @
.text:004016B1
.text:004016B1 loc_4016B1:
.text:004016B1 00 8D 45 E0 50 FF     add     [ebp+var_AF1FBB], cl  ; mis-decoded, see note above
.text:004016B7 15 2C 20 40 00        adc     eax, offset off_40202C  ; mis-decoded, see note above
.text:004016BC EB D6                 jmp     short loc_401694
.text:004016BE ; ---------------------------------------------------------------------------
.text:004016BE
.text:004016BE loc_4016BE:                             ; CODE XREF: sub_401610:loc_40167F↑j
.text:004016BE                                         ; sub_401610+96↑j
.text:004016BE 8B E5                 mov     esp, ebp
.text:004016C0 5D                    pop     ebp
.text:004016C1 C3                    retn
.text:004016C1 ; ---------------------------------------------------------------------------
.text:004016C2 CC                    db 0CCh  ; Ì
.text:004016C2 sub_401610      endp  ; sp-analysis failed
.text:004016C2
.text:004016C3 CC                    db 0CCh  ; Ì
.text:004016C4 CC                    db 0CCh  ; Ì
.text:004016C5 CC                    db 0CCh  ; Ì
.text:004016C6 CC                    db 0CCh  ; Ì
.text:004016C7 CC                    db 0CCh  ; Ì
.text:004016C8 CC                    db 0CCh  ; Ì
.text:004016C9 CC                    db 0CCh  ; Ì
.text:004016CA CC                    db 0CCh  ; Ì
.text:004016CB CC                    db 0CCh  ; Ì
.text:004016CC CC                    db 0CCh  ; Ì
.text:004016CD CC                    db 0CCh  ; Ì
.text:004016CE CC                    db 0CCh  ; Ì
.text:004016CF CC                    db 0CCh  ; Ì
.text:004016D0
.text:004016D0 ; =============== S U B R O U T I N E =======================================
;
; my_registered_window_callback_function (analyst-assigned name) -- callback stored into the
; structure built by sub_401610. Four stack arguments, cleaned by the callee (retn 10h).
;   arg_4 == 113h : increments the global counter dword_407030; when the counter equals 0C8h
;                   (200) it calls my_module_five. Returns 0.
;   otherwise     : forwards (arg_0, arg_4, arg_8, arg_C) to the import at off_402030 and
;                   returns its result (import not named in view; presumably DefWindowProc).
; 113h is the value of WM_TIMER, so the unpacking stage runs only after 200 timer messages.
; NOTE(review): if the timer set in sub_401610 really uses a 64h ms period, that is roughly a
; 20-second delay before my_module_five runs; behavioural analysis with a shorter observation
; window would not see the unpacked stage -- confirm the timer parameters.
;
.text:004016D0
.text:004016D0 ; Attributes: bp-based frame
.text:004016D0
.text:004016D0 my_registered_window_callback_function proc near
.text:004016D0                                         ; DATA XREF: sub_401610+1D↑o
.text:004016D0
.text:004016D0 var_4           = dword ptr -4
.text:004016D0 arg_0           = dword ptr 8
.text:004016D0 arg_4           = dword ptr 0Ch
.text:004016D0 arg_8           = dword ptr 10h
.text:004016D0 arg_C           = dword ptr 14h
.text:004016D0
.text:004016D0 55                    push    ebp
.text:004016D1 8B EC                 mov     ebp, esp
.text:004016D3 51                    push    ecx  ; reserves the 4-byte slot used as var_4
.text:004016D4 8B 45 0C              mov     eax, [ebp+arg_4]
.text:004016D7 89 45 FC              mov     [ebp+var_4], eax
.text:004016DA 81 7D FC 13 01 00 00  cmp     [ebp+var_4], 113h  ; 113h = WM_TIMER
.text:004016E1 74 02                 jz      short loc_4016E5
.text:004016E3 EB 24                 jmp     short loc_401709
.text:004016E5 ; ---------------------------------------------------------------------------
.text:004016E5
.text:004016E5 loc_4016E5:                             ; CODE XREF: my_registered_window_callback_function+11↑j
.text:004016E5 8B 0D 30 70 40 00     mov     ecx, ds:dword_407030
.text:004016EB 83 C1 01              add     ecx, 1
.text:004016EE 89 0D 30 70 40 00     mov     ds:dword_407030, ecx  ; tick counter kept in a global
.text:004016F4 81 3D 30 70 40 00 C8 00 00 00 cmp     ds:dword_407030, 0C8h  ; equality test: fires on the 200th tick only
.text:004016FE 75 05                 jnz     short loc_401705
.text:00401700 E8 1B FE FF FF        call    near ptr my_module_five  ; every path in my_module_five ends in the exit import
.text:00401705
.text:00401705 loc_401705:                             ; CODE XREF: my_registered_window_callback_function+2E↑j
.text:00401705 33 C0                 xor     eax, eax
.text:00401707 EB 16                 jmp     short loc_40171F
.text:00401709 ; ---------------------------------------------------------------------------
.text:00401709
.text:00401709 loc_401709:                             ; CODE XREF: my_registered_window_callback_function+13↑j
.text:00401709 8B 55 14              mov     edx, [ebp+arg_C]
.text:0040170C 52                    push    edx
.text:0040170D 8B 45 10              mov     eax, [ebp+arg_8]
.text:00401710 50                    push    eax
.text:00401711 8B 4D 0C              mov     ecx, [ebp+arg_4]
.text:00401714 51                    push    ecx
.text:00401715
.text:00401715 loc_401715:
.text:00401715 8B 55 08              mov     edx, [ebp+arg_0]
.text:00401718 52                    push    edx
.text:00401719 FF 15 30 20 40 00     call    ds:off_402030  ; default handling for every other message
.text:0040171F
.text:0040171F loc_40171F:                             ; CODE XREF: my_registered_window_callback_function+37↑j
.text:0040171F 8B E5                 mov     esp, ebp
.text:00401721 5D                    pop     ebp
.text:00401722 C2 10 00              retn    10h
.text:00401722 my_registered_window_callback_function endp  ; sp-analysis failed
.text:00401722
.text:00401722 ; ---------------------------------------------------------------------------
.text:00401725 CC                    db 0CCh  ; Ì
.text:00401726 CC                    db 0CCh  ; Ì
.text:00401727 CC                    db 0CCh  ; Ì
.text:00401728 CC                    db 0CCh  ; Ì
.text:00401729 CC                    db 0CCh  ; Ì
.text:0040172A CC                    db 0CCh  ; Ì
.text:0040172B CC                    db 0CCh  ; Ì
.text:0040172C CC                    db 0CCh  ; Ì
.text:0040172D CC                    db 0CCh  ; Ì
.text:0040172E CC                    db 0CCh  ; Ì
.text:0040172F CC                    db 0CCh  ; Ì
.text:00401730
.text:00401730 ; =============== S U B R O U T I N E =======================================
;
; my_check_mz(arg_0 = buffer) -- returns 1 in eax when buffer[0] == 'M' and buffer[1] == 'Z',
; otherwise 0. cdecl-style: the caller removes the argument.
; Only the two-byte DOS magic is tested here; nothing in this routine looks at e_lfanew or at
; a "PE" signature, and the buffer length is not an input.
;
.text:00401730
.text:00401730 ; Attributes: bp-based frame
.text:00401730
.text:00401730 my_check_mz     proc near               ; CODE XREF: my_module_five+3A↑p
.text:00401730
.text:00401730 var_4           = dword ptr -4
.text:00401730 arg_0           = dword ptr 8
.text:00401730
.text:00401730 55                    push    ebp
.text:00401731 8B EC                 mov     ebp, esp
.text:00401733 51                    push    ecx  ; reserves the 4-byte slot used as var_4
.text:00401734 8B 45 08              mov     eax, [ebp+arg_0]
.text:00401737 89 45 FC              mov     [ebp+var_4], eax
.text:0040173A B9 01 00 00 00        mov     ecx, 1
.text:0040173F 6B D1 00              imul    edx, ecx, 0  ; edx = 1*0 = 0 -> index of the first byte
.text:00401742 8B 45 FC              mov     eax, [ebp+var_4]
.text:00401745 0F BE 0C 10           movsx   ecx, byte ptr [eax+edx]
.text:00401749 83 F9 4D              cmp     ecx, 'M'
.text:0040174C 75 14                 jnz     short loc_401762
.text:0040174E BA 01 00 00 00        mov     edx, 1
.text:00401753 C1 E2 00              shl     edx, 0  ; edx stays 1 -> index of the second byte
.text:00401756 8B 45 FC              mov     eax, [ebp+var_4]
.text:00401759 0F BE 0C 10           movsx   ecx, byte ptr [eax+edx]
.text:0040175D 83 F9 5A              cmp     ecx, 'Z'
.text:00401760 74 04                 jz      short loc_401766
.text:00401762
.text:00401762 loc_401762:                             ; CODE XREF: my_check_mz+1C↑j
.text:00401762 33 C0                 xor     eax, eax  ; mismatch -> return 0
.text:00401764 EB 05                 jmp     short loc_40176B
.text:00401766 ; ---------------------------------------------------------------------------
.text:00401766
.text:00401766 loc_401766:                             ; CODE XREF: my_check_mz+30↑j
.text:00401766 B8 01 00 00 00        mov     eax, 1  ; both bytes matched -> return 1
.text:0040176B
.text:0040176B loc_40176B:                             ; CODE XREF: my_check_mz+34↑j
.text:0040176B 8B E5                 mov     esp, ebp
.text:0040176D 5D                    pop     ebp
.text:0040176E C3                    retn
.text:0040176E my_check_mz     endp
.text:0040176E
.text:0040176E ; ---------------------------------------------------------------------------
.text:0040176F CC                    align 10h
.text:00401770
.text:00401770 ; =============== S U B R O U T I N E =======================================
;
; sub_401770(arg_0 = buffer, arg_4 = limit) -- linear byte-pattern search.
; For index i starting at 3 and while i < arg_4 (unsigned compare), tests
;   buffer[i-3] == 8Bh, buffer[i-2] == 0E5h, buffer[i-1] == 5Dh, buffer[i] == 0C3h
; and returns i (the index of the C3 byte) on the first match, or 0 when none is found.
; The four bytes 8B E5 5D C3 are the same byte sequence as the "mov esp, ebp / pop ebp / retn"
; epilogue that appears throughout this listing.
; NOTE(review): the only caller shown is sub_4014A0, whose body is not in view, so what the
; returned offset is used for cannot be stated from here.
;
.text:00401770
.text:00401770 ; Attributes: bp-based frame
.text:00401770
.text:00401770 sub_401770      proc near               ; CODE XREF: sub_4014A0+3B↑p
.text:00401770
.text:00401770 var_8           = dword ptr -8
.text:00401770 var_4           = dword ptr -4
.text:00401770 arg_0           = dword ptr 8
.text:00401770 arg_4           = dword ptr 0Ch
.text:00401770
.text:00401770 55                    push    ebp
.text:00401771 8B EC                 mov     ebp, esp
.text:00401773 83 EC 08              sub     esp, 8
.text:00401776 8B 45 08              mov     eax, [ebp+arg_0]
.text:00401779 89 45 F8              mov     [ebp+var_8], eax  ; var_8 = buffer base
.text:0040177C C7 45 FC 03 00 00 00  mov     [ebp+var_4], 3  ; var_4 = i, starts at 3 so buffer[i-3] is in range
.text:00401783 EB 09                 jmp     short loc_40178E
.text:00401785 ; ---------------------------------------------------------------------------
.text:00401785
.text:00401785 loc_401785:                             ; CODE XREF: sub_401770:loc_4017DE↓j
.text:00401785 8B 4D FC              mov     ecx, [ebp+var_4]
.text:00401788 83 C1 01              add     ecx, 1
.text:0040178B 89 4D FC              mov     [ebp+var_4], ecx  ; i++
.text:0040178E
.text:0040178E loc_40178E:                             ; CODE XREF: sub_401770+13↑j
.text:0040178E 8B 55 FC              mov     edx, [ebp+var_4]
.text:00401791 3B 55 0C              cmp     edx, [ebp+arg_4]
.text:00401794 73 4A                 jnb     short loc_4017E0  ; i >= limit (unsigned) -> not found
.text:00401796 8B 45 F8              mov     eax, [ebp+var_8]
.text:00401799 03 45 FC              add     eax, [ebp+var_4]
.text:0040179C 0F B6 48 FD           movzx   ecx, byte ptr [eax-3]
.text:004017A0 81 F9 8B 00 00 00     cmp     ecx, 8Bh
.text:004017A6 75 36                 jnz     short loc_4017DE
.text:004017A8 8B 55 F8              mov     edx, [ebp+var_8]
.text:004017AB 03 55 FC              add     edx, [ebp+var_4]
.text:004017AE 0F B6 42 FE           movzx   eax, byte ptr [edx-2]
.text:004017B2 3D E5 00 00 00        cmp     eax, 0E5h
.text:004017B7 75 25                 jnz     short loc_4017DE
.text:004017B9 8B 4D F8              mov     ecx, [ebp+var_8]
.text:004017BC 03 4D FC              add     ecx, [ebp+var_4]
.text:004017BF 0F B6 51 FF           movzx   edx, byte ptr [ecx-1]
.text:004017C3 83 FA 5D              cmp     edx, 5Dh
.text:004017C6 75 16                 jnz     short loc_4017DE
.text:004017C8 8B 45 F8              mov     eax, [ebp+var_8]
.text:004017CB 03 45 FC              add     eax, [ebp+var_4]
.text:004017CE 0F B6 08              movzx   ecx, byte ptr [eax]
.text:004017D1 81 F9 C3 00 00 00     cmp     ecx, 0C3h
.text:004017D7 75 05                 jnz     short loc_4017DE
.text:004017D9 8B 45 FC              mov     eax, [ebp+var_4]  ; match: return i
.text:004017DC EB 04                 jmp     short loc_4017E2
.text:004017DE ; ---------------------------------------------------------------------------
.text:004017DE
.text:004017DE loc_4017DE:                             ; CODE XREF: sub_401770+36↑j
.text:004017DE                                         ; sub_401770+47↑j ...
.text:004017DE EB A5                 jmp     short loc_401785
.text:004017E0 ; ---------------------------------------------------------------------------
.text:004017E0
.text:004017E0 loc_4017E0:                             ; CODE XREF: sub_401770+24↑j
.text:004017E0 33 C0                 xor     eax, eax  ; no match: return 0
.text:004017E2
.text:004017E2 loc_4017E2:                             ; CODE XREF: sub_401770+6C↑j
.text:004017E2 8B E5                 mov     esp, ebp
.text:004017E4 5D                    pop     ebp
.text:004017E5 C3                    retn
.text:004017E5 sub_401770      endp
.text:004017E5
.text:004017E5 ; ---------------------------------------------------------------------------
.text:004017E6 CC CC CC CC CC CC CC CC CC CC align 10h
.text:004017F0
.text:004017F0 ; =============== S U B R O U T I N E =======================================
;
; my_alloc_exe_in_memory_region(my_unpacked_pe, FinalUncompressedSize, arg_8, arg_C)
; (analyst-assigned name) -- maps the decoded image into freshly allocated memory.
; Returns var_18 in eax: 1 on success, 0 on any failure.
; The header offsets used correspond to the PE32 layout: +3Ch = e_lfanew, and relative to the
; NT headers +34h = ImageBase, +50h = SizeOfImage, +28h = AddressOfEntryPoint.
; Steps shown below:
;   1. Allocate SizeOfImage bytes at the image's preferred base through off_402018 (labelled
;      VirtualAlloc by the analyst) with type 3000h and protection 40h; on failure retry with
;      address 0 and remember the returned base in var_C.
;      3000h = MEM_COMMIT | MEM_RESERVE, 40h = PAGE_EXECUTE_READWRITE.
;   2. Allocate a SizeOfImage staging buffer with my_alloc_heap (var_8).
;   3. sub_401A30(my_unpacked_pe, FinalUncompressedSize, var_8, var_C) lays the image out in the
;      staging buffer; a zero result aborts.
;   4. Optional out-parameters: *arg_8 = var_C (base), *arg_C = var_C + AddressOfEntryPoint.
;   5. sub_401070(my_allocated_region, var_8, SizeOfImage) -- called as (dst, src, length), so it
;      appears to be a memcpy-style copy; body not in view.
;   6. Cleanup: the staging buffer is always freed; the region is released only on failure.
; Detection-relevant observation: the region is requested readable, writable and executable at
; once, and no protection change follows in this function, so the mapped image stays RWX here.
; NOTE(review): none of the header fields read below is checked against FinalUncompressedSize in
; this function; sub_401150, called earlier by my_module_five, may do that -- not visible here.
;
.text:004017F0
.text:004017F0 ; Attributes: bp-based frame
.text:004017F0
.text:004017F0 my_alloc_exe_in_memory_region proc near ; CODE XREF: my_module_five+6C↑p
.text:004017F0                                         ; DATA XREF: .text:off_407018↓o
.text:004017F0
.text:004017F0 var_18          = dword ptr -18h
.text:004017F0 var_14          = dword ptr -14h
.text:004017F0 var_10          = dword ptr -10h
.text:004017F0 var_C           = dword ptr -0Ch
.text:004017F0 var_8           = dword ptr -8
.text:004017F0 my_allocated_region = dword ptr -4
.text:004017F0 my_unpacked_pe  = dword ptr 8
.text:004017F0 FinalUncompressedSize = dword ptr 0Ch
.text:004017F0 arg_8           = dword ptr 10h
.text:004017F0 arg_C           = dword ptr 14h
.text:004017F0
.text:004017F0 55                    push    ebp
.text:004017F1 8B EC                 mov     ebp, esp
.text:004017F3 83 EC 18              sub     esp, 18h
.text:004017F6 8B 45 08              mov     eax, [ebp+my_unpacked_pe]
.text:004017F9 8B 4D 08              mov     ecx, [ebp+my_unpacked_pe]
.text:004017FC 03 48 3C              add     ecx, [eax+3Ch]  ; base + e_lfanew
.text:004017FF 89 4D EC              mov     [ebp+var_14], ecx  ; var_14 = NT headers
.text:00401802 8B 55 EC              mov     edx, [ebp+var_14]
.text:00401805 8B 42 34              mov     eax, [edx+34h]
.text:00401808 89 45 F4              mov     [ebp+var_C], eax  ; var_C = ImageBase (preferred load address)
.text:0040180B 8B 4D EC              mov     ecx, [ebp+var_14]
.text:0040180E 8B 51 50              mov     edx, [ecx+50h]
.text:00401811 89 55 F0              mov     [ebp+var_10], edx  ; var_10 = SizeOfImage
.text:00401814 C7 45 F8 00 00 00 00  mov     [ebp+var_8], 0  ; staging buffer, none yet
.text:0040181B C7 45 FC 00 00 00 00  mov     [ebp+my_allocated_region], 0
.text:00401822 C7 45 E8 00 00 00 00  mov     [ebp+var_18], 0  ; result flag, 0 = failure
.text:00401829
.text:00401829 loc_401829:                             ; CODE XREF: my_alloc_exe_in_memory_region+F1↓j
.text:00401829 6A 40                 push    40h  ; protection: PAGE_EXECUTE_READWRITE
.text:0040182B 68 00 30 00 00        push    3000h  ; type: MEM_COMMIT | MEM_RESERVE
.text:00401830 8B 45 F0              mov     eax, [ebp+var_10]
.text:00401833 50                    push    eax  ; size: SizeOfImage
.text:00401834 8B 4D F4              mov     ecx, [ebp+var_C]
.text:00401837 51                    push    ecx  ; address: preferred ImageBase
.text:00401838 FF 15 18 20 40 00     call    ds:off_402018  ; VirtualAlloc (analyst label; the IAT slot itself is not in view)
.text:0040183E 89 45 FC              mov     [ebp+my_allocated_region], eax
.text:00401841 83 7D FC 00           cmp     [ebp+my_allocated_region], 0
.text:00401845 75 1C                 jnz     short loc_401863
.text:00401847 6A 40                 push    40h
.text:00401849 68 00 30 00 00        push    3000h
.text:0040184E 8B 55 F0              mov     edx, [ebp+var_10]
.text:00401851 52                    push    edx
.text:00401852 6A 00                 push    0  ; address 0: let the system choose the base
.text:00401854
.text:00401854 loc_401854:                             ; VirtualAlloc (analyst label)
.text:00401854 FF 15 18 20 40 00     call    ds:off_402018
.text:0040185A 89 45 FC              mov     [ebp+my_allocated_region], eax
.text:0040185D 8B 45 FC              mov     eax, [ebp+my_allocated_region]
.text:00401860 89 45 F4              mov     [ebp+var_C], eax  ; var_C now holds the actual base, so relocation will be needed
.text:00401863
.text:00401863 loc_401863:                             ; CODE XREF: my_alloc_exe_in_memory_region+55↑j
.text:00401863 83 7D FC 00           cmp     [ebp+my_allocated_region], 0
.text:00401867 75 02                 jnz     short loc_40186B
.text:00401869 EB 7C                 jmp     short loc_4018E7  ; both allocations failed
.text:0040186B ; ---------------------------------------------------------------------------
.text:0040186B
.text:0040186B loc_40186B:                             ; CODE XREF: my_alloc_exe_in_memory_region+77↑j
.text:0040186B 8B 4D F0              mov     ecx, [ebp+var_10]
.text:0040186E 51                    push    ecx
.text:0040186F E8 8C F7 FF FF        call    my_alloc_heap  ; staging buffer of SizeOfImage bytes
.text:00401874 83 C4 04              add     esp, 4
.text:00401877 89 45 F8              mov     [ebp+var_8], eax
.text:0040187A
.text:0040187A loc_40187A:
.text:0040187A 83 7D F8 00           cmp     [ebp+var_8], 0
.text:0040187E 75 02                 jnz     short loc_401882
.text:00401880 EB 65                 jmp     short loc_4018E7
.text:00401882 ; ---------------------------------------------------------------------------
.text:00401882
.text:00401882 loc_401882:                             ; CODE XREF: my_alloc_exe_in_memory_region+8E↑j
.text:00401882 8B 55 F4              mov     edx, [ebp+var_C]
.text:00401885 52                    push    edx  ; 4th arg: base the image will run at
.text:00401886 8B 45 F8              mov     eax, [ebp+var_8]
.text:00401889 50                    push    eax  ; 3rd arg: staging buffer
.text:0040188A 8B 4D 0C              mov     ecx, [ebp+FinalUncompressedSize]
.text:0040188D 51                    push    ecx  ; 2nd arg: size of the decoded buffer
.text:0040188E 8B 55 08              mov     edx, [ebp+my_unpacked_pe]
.text:00401891 52                    push    edx  ; 1st arg: decoded buffer
.text:00401892 E8 99 01 00 00        call    sub_401A30
.text:00401897 83 C4 10              add     esp, 10h
.text:0040189A 85 C0                 test    eax, eax
.text:0040189C 74 24                 jz      short loc_4018C2
.text:0040189E 83 7D 10 00           cmp     [ebp+arg_8], 0
.text:004018A2 74 08                 jz      short loc_4018AC
.text:004018A4 8B 45 10              mov     eax, [ebp+arg_8]
.text:004018A7 8B 4D F4              mov     ecx, [ebp+var_C]
.text:004018AA 89 08                 mov     [eax], ecx  ; *arg_8 = base address
.text:004018AC
.text:004018AC loc_4018AC:                             ; CODE XREF: my_alloc_exe_in_memory_region+B2↑j
.text:004018AC 83 7D 14 00           cmp     [ebp+arg_C], 0
.text:004018B0 74 0E                 jz      short loc_4018C0
.text:004018B2 8B 55 EC              mov     edx, [ebp+var_14]
.text:004018B5 8B 45 F4              mov     eax, [ebp+var_C]
.text:004018B8
.text:004018B8 loc_4018B8:
.text:004018B8 03 42 28              add     eax, [edx+28h]  ; base + AddressOfEntryPoint
.text:004018BB 8B 4D 14              mov     ecx, [ebp+arg_C]
.text:004018BE 89 01                 mov     [ecx], eax  ; *arg_C = entry point address
.text:004018C0
.text:004018C0 loc_4018C0:                             ; CODE XREF: my_alloc_exe_in_memory_region+C0↑j
.text:004018C0 EB 02                 jmp     short loc_4018C4
.text:004018C2 ; ---------------------------------------------------------------------------
.text:004018C2
.text:004018C2 loc_4018C2:                             ; CODE XREF: my_alloc_exe_in_memory_region+AC↑j
.text:004018C2 EB 23                 jmp     short loc_4018E7
.text:004018C4 ; ---------------------------------------------------------------------------
.text:004018C4
.text:004018C4 loc_4018C4:                             ; CODE XREF: my_alloc_exe_in_memory_region:loc_4018C0↑j
.text:004018C4 8B 55 F0              mov     edx, [ebp+var_10]
.text:004018C7 52                    push    edx
.text:004018C8 8B 45 F8              mov     eax, [ebp+var_8]
.text:004018CB 50                    push    eax
.text:004018CC 8B 4D FC              mov     ecx, [ebp+my_allocated_region]
.text:004018CF 51                    push    ecx
.text:004018D0 E8 9B F7 FF FF        call    sub_401070  ; (region, staging, SizeOfImage): final copy into the RWX region
.text:004018D5 83 C4 0C              add     esp, 0Ch
.text:004018D8 C7 45 E8 01 00 00 00  mov     [ebp+var_18], 1  ; success
.text:004018DF 33 D2                 xor     edx, edx  ; sets ZF ...
.text:004018E1 0F 85 42 FF FF FF     jnz     loc_401829  ; ... so this back-edge is never taken
.text:004018E7
.text:004018E7 loc_4018E7:                             ; CODE XREF: my_alloc_exe_in_memory_region+79↑j
.text:004018E7                                         ; my_alloc_exe_in_memory_region+90↑j ...
.text:004018E7 83 7D F8 00           cmp     [ebp+var_8], 0
.text:004018EB 74 0C                 jz      short loc_4018F9
.text:004018ED 8B 45 F8              mov     eax, [ebp+var_8]
.text:004018F0 50                    push    eax
.text:004018F1 E8 4A F7 FF FF        call    my_heapfree  ; staging buffer is freed on every path
.text:004018F6 83 C4 04              add     esp, 4
.text:004018F9
.text:004018F9 loc_4018F9:                             ; CODE XREF: my_alloc_exe_in_memory_region+FB↑j
.text:004018F9 83 7D FC 00           cmp     [ebp+my_allocated_region], 0
.text:004018FD 74 19                 jz      short loc_401918
.text:004018FF 83 7D E8 00           cmp     [ebp+var_18], 0
.text:00401903 75 13                 jnz     short loc_401918  ; success: the region is kept
.text:00401905 68 00 80 00 00        push    8000h  ; free type: MEM_RELEASE
.text:0040190A 8B 4D F0              mov     ecx, [ebp+var_10]
.text:0040190D 51                    push    ecx  ; NOTE(review): MEM_RELEASE is documented to require size 0; SizeOfImage is passed, so this release presumably fails -- verify
.text:0040190E 8B 55 FC              mov     edx, [ebp+my_allocated_region]
.text:00401911 52                    push    edx
.text:00401912 FF 15 00 20 40 00     call    ds:off_402000  ; VirtualFree (kernel32_VirtualFree in the table at 00402000)
.text:00401918
.text:00401918 loc_401918:                             ; CODE XREF: my_alloc_exe_in_memory_region+10D↑j
.text:00401918                                         ; my_alloc_exe_in_memory_region+113↑j
.text:00401918 8B 45 E8              mov     eax, [ebp+var_18]
.text:0040191B 8B E5                 mov     esp, ebp
.text:0040191D 5D                    pop     ebp
.text:0040191E C3                    retn
.text:0040191E my_alloc_exe_in_memory_region endp
.text:0040191E
.text:0040191E ; ---------------------------------------------------------------------------
.text:0040191F CC                    align 10h
.text:00401920
.text:00401920 ; =============== S U B R O U T I N E =======================================
;
; sub_401920(arg_0 = image laid out by virtual address, arg_4 = new base) -- applies base
; relocations. Returns 1 in eax after processing, 0 when the directory size field is 0.
; The offsets correspond to the PE32 layout: NT headers at arg_0 + [arg_0+3Ch]; the 8-byte
; entry at NT+78h+8*5 (= NT+0A0h) is data directory 5, the base relocation directory
; (dword VirtualAddress, dword Size).
; Per block (dword page RVA, dword SizeOfBlock, then 16-bit entries):
;   count  = (SizeOfBlock - 8) >> 1
;   type   = entry >> 12 (after masking 0F000h); only type 3 (IMAGE_REL_BASED_HIGHLOW) is applied
;   target = arg_0 + page RVA + (entry & 0FFFh);  *target = *target - ImageBase + arg_4
; After the last block the ImageBase field at NT+34h is overwritten with arg_4.
; NOTE(review): block sizes and RVAs are taken from the image without any range check in this
; routine; anyone re-implementing this step for static unpacking should bound them explicitly.
;
.text:00401920
.text:00401920 ; Attributes: bp-based frame
.text:00401920
.text:00401920 sub_401920      proc near               ; CODE XREF: sub_401A30+A5↓p
.text:00401920
.text:00401920 var_2C          = dword ptr -2Ch
.text:00401920 var_28          = dword ptr -28h
.text:00401920 var_24          = dword ptr -24h
.text:00401920 var_20          = dword ptr -20h
.text:00401920 var_1C          = dword ptr -1Ch
.text:00401920 var_18          = dword ptr -18h
.text:00401920 var_14          = dword ptr -14h
.text:00401920 var_10          = dword ptr -10h
.text:00401920 var_C           = dword ptr -0Ch
.text:00401920 var_8           = dword ptr -8
.text:00401920 var_4           = word ptr -4
.text:00401920 arg_0           = dword ptr 8
.text:00401920 arg_4           = dword ptr 0Ch
.text:00401920
.text:00401920 55                    push    ebp
.text:00401921 8B EC                 mov     ebp, esp
.text:00401923 83 EC 2C              sub     esp, 2Ch
.text:00401926 8B 45 08              mov     eax, [ebp+arg_0]
.text:00401929 89 45 DC              mov     [ebp+var_24], eax
.text:0040192C 8B 4D DC              mov     ecx, [ebp+var_24]
.text:0040192F 8B 55 08              mov     edx, [ebp+arg_0]
.text:00401932 03 51 3C              add     edx, [ecx+3Ch]  ; image + e_lfanew
.text:00401935
.text:00401935 loc_401935:
.text:00401935 89 55 E4              mov     [ebp+var_1C], edx  ; var_1C = NT headers
.text:00401938 B8 08 00 00 00        mov     eax, 8
.text:0040193D 6B C8 05              imul    ecx, eax, 5  ; 8 * 5 = 28h: directory entry size times index 5
.text:00401940 8B 55 E4              mov     edx, [ebp+var_1C]
.text:00401943 8D 44 0A 78           lea     eax, [edx+ecx+78h]  ; NT + 78h + 28h = NT + 0A0h
.text:00401947 89 45 F0              mov     [ebp+var_10], eax  ; var_10 = relocation directory entry
.text:0040194A 8B 4D F0              mov     ecx, [ebp+var_10]
.text:0040194D 8B 11                 mov     edx, [ecx]
.text:0040194F 89 55 D8              mov     [ebp+var_28], edx  ; var_28 = directory VirtualAddress
.text:00401952 8B 45 F0              mov     eax, [ebp+var_10]
.text:00401955 8B 48 04              mov     ecx, [eax+4]
.text:00401958 89 4D E8              mov     [ebp+var_18], ecx  ; var_18 = bytes of relocation data left
.text:0040195B 8B 55 08              mov     edx, [ebp+arg_0]
.text:0040195E 03 55 D8              add     edx, [ebp+var_28]
.text:00401961 89 55 F4              mov     [ebp+var_C], edx  ; var_C = current relocation block
.text:00401964 8B 45 F0              mov     eax, [ebp+var_10]
.text:00401967 83 78 04 00           cmp     dword ptr [eax+4], 0
.text:0040196B 75 07                 jnz     short loc_401974
.text:0040196D 33 C0                 xor     eax, eax  ; no relocation data: return 0
.text:0040196F E9 B2 00 00 00        jmp     loc_401A26
.text:00401974 ; ---------------------------------------------------------------------------
.text:00401974
.text:00401974 loc_401974:                             ; CODE XREF: sub_401920+4B↑j
.text:00401974                                         ; sub_401920+F3↓j
.text:00401974 83 7D E8 00           cmp     [ebp+var_18], 0
.text:00401978 0F 84 9A 00 00 00     jz      loc_401A18  ; loop ends only when the remaining size is exactly 0
.text:0040197E 8B 4D F4              mov     ecx, [ebp+var_C]
.text:00401981 8B 51 04              mov     edx, [ecx+4]  ; SizeOfBlock
.text:00401984 83 EA 08              sub     edx, 8  ; minus the 8-byte block header
.text:00401987 D1 EA                 shr     edx, 1  ; / 2 bytes per entry
.text:00401989 89 55 D4              mov     [ebp+var_2C], edx  ; var_2C = entry count
.text:0040198C 8B 45 F4              mov     eax, [ebp+var_C]
.text:0040198F 83 C0 08              add     eax, 8
.text:00401992 89 45 F8              mov     [ebp+var_8], eax  ; var_8 = pointer to the current entry
.text:00401995 C7 45 EC 00 00 00 00  mov     [ebp+var_14], 0  ; var_14 = entry index
.text:0040199C EB 09                 jmp     short loc_4019A7
.text:0040199E ; ---------------------------------------------------------------------------
.text:0040199E
.text:0040199E loc_40199E:                             ; CODE XREF: sub_401920+DF↓j
.text:0040199E 8B 4D EC              mov     ecx, [ebp+var_14]
.text:004019A1 83 C1 01              add     ecx, 1
.text:004019A4 89 4D EC              mov     [ebp+var_14], ecx
.text:004019A7
.text:004019A7 loc_4019A7:                             ; CODE XREF: sub_401920+7C↑j
.text:004019A7 8B 55 EC              mov     edx, [ebp+var_14]
.text:004019AA 3B 55 D4              cmp     edx, [ebp+var_2C]
.text:004019AD 73 52                 jnb     short loc_401A01  ; all entries of this block done
.text:004019AF 8B 45 F8              mov     eax, [ebp+var_8]
.text:004019B2 0F B7 08              movzx   ecx, word ptr [eax]
.text:004019B5 81 E1 00 F0 00 00     and     ecx, 0F000h
.text:004019BB C1 F9 0C              sar     ecx, 0Ch  ; top 4 bits = relocation type
.text:004019BE 66 89 4D FC           mov     [ebp+var_4], cx
.text:004019C2 0F B7 55 FC           movzx   edx, [ebp+var_4]
.text:004019C6 83 FA 03              cmp     edx, 3  ; 3 = IMAGE_REL_BASED_HIGHLOW; every other type is skipped
.text:004019C9 75 2B                 jnz     short loc_4019F6
.text:004019CB 8B 45 F4              mov     eax, [ebp+var_C]
.text:004019CE 8B 4D 08              mov     ecx, [ebp+arg_0]
.text:004019D1 03 08                 add     ecx, [eax]  ; image + page RVA of this block
.text:004019D3 8B 55 F8              mov     edx, [ebp+var_8]
.text:004019D6 0F B7 02              movzx   eax, word ptr [edx]
.text:004019D9 25 FF 0F 00 00        and     eax, 0FFFh  ; low 12 bits = offset within the page
.text:004019DE 03 C8                 add     ecx, eax
.text:004019E0 89 4D E0              mov     [ebp+var_20], ecx  ; var_20 = address of the dword to patch
.text:004019E3 8B 4D E0              mov     ecx, [ebp+var_20]
.text:004019E6 8B 55 E4              mov     edx, [ebp+var_1C]
.text:004019E9 8B 01                 mov     eax, [ecx]
.text:004019EB 2B 42 34              sub     eax, [edx+34h]  ; minus the old ImageBase
.text:004019EE 03 45 0C              add     eax, [ebp+arg_4]  ; plus the new base
.text:004019F1 8B 4D E0              mov     ecx, [ebp+var_20]
.text:004019F4 89 01                 mov     [ecx], eax
.text:004019F6
.text:004019F6 loc_4019F6:                             ; CODE XREF: sub_401920+A9↑j
.text:004019F6 8B 55 F8              mov     edx, [ebp+var_8]
.text:004019F9 83 C2 02              add     edx, 2
.text:004019FC 89 55 F8              mov     [ebp+var_8], edx  ; next 16-bit entry
.text:004019FF EB 9D                 jmp     short loc_40199E
.text:00401A01 ; ---------------------------------------------------------------------------
.text:00401A01
.text:00401A01 loc_401A01:                             ; CODE XREF: sub_401920+8D↑j
.text:00401A01 8B 45 F4              mov     eax, [ebp+var_C]
.text:00401A04 8B 4D E8              mov     ecx, [ebp+var_18]
.text:00401A07 2B 48 04              sub     ecx, [eax+4]  ; remaining -= SizeOfBlock of the block just processed
.text:00401A0A 89 4D E8              mov     [ebp+var_18], ecx
.text:00401A0D 8B 55 F8              mov     edx, [ebp+var_8]
.text:00401A10 89 55 F4              mov     [ebp+var_C], edx  ; the entry pointer now sits on the next block header
.text:00401A13 E9 5C FF FF FF        jmp     loc_401974
.text:00401A18 ; ---------------------------------------------------------------------------
.text:00401A18
.text:00401A18 loc_401A18:                             ; CODE XREF: sub_401920+58↑j
.text:00401A18 8B 45 E4              mov     eax, [ebp+var_1C]
.text:00401A1B 8B 4D 0C              mov     ecx, [ebp+arg_4]
.text:00401A1E 89 48 34              mov     [eax+34h], ecx  ; header ImageBase := new base
.text:00401A21 B8 01 00 00 00        mov     eax, 1
.text:00401A26
.text:00401A26 loc_401A26:                             ; CODE XREF: sub_401920+4F↑j
.text:00401A26 8B E5                 mov     esp, ebp
.text:00401A28 5D                    pop     ebp
.text:00401A29 C3                    retn
.text:00401A29 sub_401920      endp
.text:00401A29
.text:00401A29 ; ---------------------------------------------------------------------------
.text:00401A2A CC CC CC CC CC CC     align 10h
.text:00401A30
.text:00401A30 ; =============== S U B R O U T I N E =======================================
;
; sub_401A30(arg_0 = decoded image in file layout, <second argument>, arg_8 = destination
; buffer, arg_C = base the image will run at) -- lays the image out by virtual address.
; The caller pushes four arguments; IDA lists no arg_4 because the second one is never read here.
; The offsets correspond to the PE32 layout: NT headers at arg_0 + [arg_0+3Ch]; NT+6 =
; NumberOfSections, NT+14h = SizeOfOptionalHeader, NT+34h = ImageBase, NT+54h = SizeOfHeaders;
; section headers are 28h bytes each with +0Ch VirtualAddress, +10h SizeOfRawData,
; +14h PointerToRawData.
; Steps: copy SizeOfHeaders bytes of headers, then for every section copy SizeOfRawData bytes
; from arg_0 + PointerToRawData to arg_8 + VirtualAddress, all through sub_401070, which is
; called as (dst, src, length) and so appears to be a memcpy-style helper (body not in view).
; If the header ImageBase differs from arg_C the result of sub_401920(arg_8, arg_C) is
; returned, otherwise 1.
; NOTE(review): section count, sizes and offsets are used as found in the headers; the unused
; second argument is the buffer size passed by my_alloc_exe_in_memory_region, so no bound is
; applied in this routine.
;
.text:00401A30
.text:00401A30 ; Attributes: bp-based frame
.text:00401A30
.text:00401A30 sub_401A30      proc near               ; CODE XREF: my_alloc_exe_in_memory_region+A2↑p
.text:00401A30
.text:00401A30 var_10          = dword ptr -10h
.text:00401A30 var_C           = dword ptr -0Ch
.text:00401A30 var_8           = dword ptr -8
.text:00401A30 var_4           = dword ptr -4
.text:00401A30 arg_0           = dword ptr 8
.text:00401A30 arg_8           = dword ptr 10h
.text:00401A30 arg_C           = dword ptr 14h
.text:00401A30
.text:00401A30 55                    push    ebp
.text:00401A31 8B EC                 mov     ebp, esp
.text:00401A33 83 EC 10              sub     esp, 10h
.text:00401A36 8B 45 08              mov     eax, [ebp+arg_0]
.text:00401A39 89 45 F0              mov     [ebp+var_10], eax
.text:00401A3C 8B 4D F0              mov     ecx, [ebp+var_10]
.text:00401A3F 8B 55 08              mov     edx, [ebp+arg_0]
.text:00401A42 03 51 3C              add     edx, [ecx+3Ch]  ; source + e_lfanew
.text:00401A45 89 55 F8              mov     [ebp+var_8], edx  ; var_8 = NT headers (in the source buffer)
.text:00401A48 8B 45 F8              mov     eax, [ebp+var_8]
.text:00401A4B 0F B7 48 14           movzx   ecx, word ptr [eax+14h]  ; SizeOfOptionalHeader
.text:00401A4F 8B 55 F8              mov     edx, [ebp+var_8]
.text:00401A52 8D 44 0A 18           lea     eax, [edx+ecx+18h]  ; NT + 18h + optional header size
.text:00401A56 89 45 F4              mov     [ebp+var_C], eax  ; var_C = first section header
.text:00401A59 8B 4D F8              mov     ecx, [ebp+var_8]
.text:00401A5C 8B 51 54              mov     edx, [ecx+54h]
.text:00401A5F 52                    push    edx  ; length: SizeOfHeaders
.text:00401A60 8B 45 08              mov     eax, [ebp+arg_0]
.text:00401A63 50                    push    eax  ; source: start of the decoded image
.text:00401A64 8B 4D 10              mov     ecx, [ebp+arg_8]
.text:00401A67 51                    push    ecx  ; destination: start of the output buffer
.text:00401A68 E8 03 F6 FF FF        call    sub_401070
.text:00401A6D 83 C4 0C              add     esp, 0Ch
.text:00401A70 C7 45 FC 00 00 00 00  mov     [ebp+var_4], 0  ; var_4 = section index
.text:00401A77 EB 09                 jmp     short loc_401A82
.text:00401A79 ; ---------------------------------------------------------------------------
.text:00401A79
.text:00401A79 loc_401A79:                             ; CODE XREF: sub_401A30+90↓j
.text:00401A79 8B 55 FC              mov     edx, [ebp+var_4]
.text:00401A7C 83 C2 01              add     edx, 1
.text:00401A7F 89 55 FC              mov     [ebp+var_4], edx
.text:00401A82
.text:00401A82 loc_401A82:                             ; CODE XREF: sub_401A30+47↑j
.text:00401A82 8B 45 F8              mov     eax, [ebp+var_8]
.text:00401A85 0F B7 48 06           movzx   ecx, word ptr [eax+6]  ; NumberOfSections
.text:00401A89 39 4D FC              cmp     [ebp+var_4], ecx
.text:00401A8C 73 34                 jnb     short loc_401AC2
.text:00401A8E 6B 55 FC 28           imul    edx, [ebp+var_4], 28h  ; index * section header size
.text:00401A92 8B 45 F4              mov     eax, [ebp+var_C]
.text:00401A95 8B 4C 10 10           mov     ecx, [eax+edx+10h]
.text:00401A99 51                    push    ecx  ; length: SizeOfRawData
.text:00401A9A 6B 55 FC 28           imul    edx, [ebp+var_4], 28h
.text:00401A9E 8B 45 F4              mov     eax, [ebp+var_C]
.text:00401AA1 8B 4D 08              mov     ecx, [ebp+arg_0]
.text:00401AA4 03 4C 10 14           add     ecx, [eax+edx+14h]
.text:00401AA8 51                    push    ecx  ; source: decoded image + PointerToRawData
.text:00401AA9 6B 55 FC 28           imul    edx, [ebp+var_4], 28h
.text:00401AAD 8B 45 F4              mov     eax, [ebp+var_C]
.text:00401AB0 8B 4D 10              mov     ecx, [ebp+arg_8]
.text:00401AB3 03 4C 10 0C           add     ecx, [eax+edx+0Ch]
.text:00401AB7 51                    push    ecx  ; destination: output buffer + VirtualAddress
.text:00401AB8 E8 B3 F5 FF FF        call    sub_401070
.text:00401ABD 83 C4 0C              add     esp, 0Ch
.text:00401AC0 EB B7                 jmp     short loc_401A79
.text:00401AC2 ; ---------------------------------------------------------------------------
.text:00401AC2
.text:00401AC2 loc_401AC2:                             ; CODE XREF: sub_401A30+5C↑j
.text:00401AC2 8B 55 F8              mov     edx, [ebp+var_8]
.text:00401AC5 8B 42 34              mov     eax, [edx+34h]  ; ImageBase from the source headers
.text:00401AC8 3B 45 14              cmp     eax, [ebp+arg_C]
.text:00401ACB 74 12                 jz      short loc_401ADF  ; loaded at the preferred base: no relocation needed
.text:00401ACD 8B 4D 14              mov     ecx, [ebp+arg_C]
.text:00401AD0 51                    push    ecx
.text:00401AD1 8B 55 10              mov     edx, [ebp+arg_8]
.text:00401AD4 52                    push    edx
.text:00401AD5 E8 46 FE FF FF        call    sub_401920  ; (output buffer, new base); its result becomes the return value
.text:00401ADA 83 C4 08              add     esp, 8
.text:00401ADD EB 05                 jmp     short loc_401AE4
.text:00401ADF ; ---------------------------------------------------------------------------
.text:00401ADF
.text:00401ADF loc_401ADF:                             ; CODE XREF: sub_401A30+9B↑j
.text:00401ADF B8 01 00 00 00        mov     eax, 1
.text:00401AE4
.text:00401AE4 loc_401AE4:                             ; CODE XREF: sub_401A30+AD↑j
.text:00401AE4 8B E5                 mov     esp, ebp
.text:00401AE6 5D                    pop     ebp
.text:00401AE7 C3                    retn
.text:00401AE7 sub_401A30      endp
.text:00401AE7
.text:00401AE7 ; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
; Import pointer table of this module (slots 0x402000 .. 0x402040).
;
; Each `dd offset <dll>_<api>` entry is a 4-byte slot holding the address of
; one API; code reaches it indirectly (e.g. `call ds:off_402004`), and the
; DATA XREF comments name the referencing sites.
;
; The byte column holds absolute addresses, stored little-endian
; (4A 18 B6 75 = 0x75B6184A), so the slots were already bound when the
; listing was produced -- presumably a memory dump of the unpacked module.
; These addresses depend on where the system DLLs were loaded in that
; session and are not stable indicators; the API names are the durable part.
;
; Names prefixed `my_` are the analyst's labels, not symbols from the sample.
; ---------------------------------------------------------------------------

; Padding from the end of sub_401A30 up to the 800h boundary where the table starts.
.text:00401AE8  00 00 00 00 00 00 00 00 00 00+  align 800h

; --- Slots 0x402000-0x402018: heap and virtual-memory management ------------
.text:00402000  4A 18 B6 75  off_402000 dd offset kernel32_VirtualFree
.text:00402000               ; DATA XREF: my_alloc_exe_in_memory_region+122↑r
; NOTE(review): labelled with an ntdll target although it sits among kernel32
; slots -- likely the HeapAlloc import, which kernel32 exports as a forwarder
; to ntdll!RtlAllocateHeap. Confirm against the PE import directory.
.text:00402004  C6 E0 E2 77  off_402004 dd offset ntdll_RtlAllocateHeap
.text:00402004               ; DATA XREF: my_alloc_heap:loc_40102D↑r
.text:00402008  A9 14 B6 75  off_402008 dd offset kernel32_HeapFree ; DATA XREF: my_heapfree+19↑r
.text:0040200C  C9 14 B6 75  off_40200C dd offset kernel32_GetProcessHeap
.text:0040200C               ; DATA XREF: my_alloc_heap+C↑r
.text:00402010  22 44 B6 75  off_402010 dd offset kernel32_VirtualQuery
.text:00402010               ; DATA XREF: sub_4014F0+10↑r
.text:00402014  D8 79 B6 75  off_402014 dd offset kernel32_ExitProcess
.text:00402014               ; DATA XREF: my_module_five+BA↑r
.text:00402014               ; my_module_four+14↑r
; VirtualAlloc/VirtualFree are referenced only from
; my_alloc_exe_in_memory_region in the xrefs shown here.
.text:00402018  32 18 B6 75  off_402018 dd offset kernel32_VirtualAlloc
.text:00402018               ; DATA XREF: my_alloc_exe_in_memory_region+48↑r
.text:00402018               ; my_alloc_exe_in_memory_region:loc_401854↑r
; Zero dword rendered by the disassembler as alignment; presumably the null
; entry that ends this run of import slots -- TODO confirm.
.text:0040201C  00 00 00 00  align 10h

; --- Slots 0x402020-0x402038: window class, timer and message loop ----------
; All read references listed for this group come from sub_401610 and
; my_registered_window_callback_function.
.text:00402020  0B 7A 7E 77  off_402020 dd offset user32_SetTimer ; DATA XREF: sub_401610+7E↑r
.text:00402024  E3 7B 7E 77  off_402024 dd offset user32_GetMessageA ; DATA XREF: sub_401610+8E↑r
; No label and no cross-reference is listed for this slot in the dump.
.text:00402028  19 78 7E 77  dd offset user32_TranslateMessage
.text:0040202C  CB 7B 7E 77  off_40202C dd offset user32_DispatchMessageA
.text:0040202C               ; DATA XREF: sub_401610+A7↑o
; NOTE(review): ntdll target among user32 slots -- likely the DefWindowProcA
; import, which user32 forwards to ntdll!NtdllDefWindowProc_A. Confirm.
.text:00402030  13 F9 E4 77  off_402030 dd offset ntdll_NtdllDefWindowProc_A
.text:00402030               ; DATA XREF: my_registered_window_callback_function+49↑r
.text:00402034  B8 DB 7E 77  off_402034 dd offset user32_RegisterClassExA
.text:00402034               ; DATA XREF: sub_401610+36↑r
.text:00402038  4E D2 7E 77  off_402038 dd offset user32_CreateWindowExA
.text:00402038               ; DATA XREF: sub_401610:loc_401670↑r
; Zero dword, as at 0x40201C.
.text:0040203C  00 00 00 00  align 10h

; --- Slot 0x402040: decompression -------------------------------------------
; Referenced from the analyst-named my_decrypt; the arguments passed (and so
; the compression format requested) are not visible in this part of the listing.
.text:00402040  31 FF EB 77  off_402040 dd offset ntdll_RtlDecompressBuffer
.text:00402040               ; DATA XREF: my_decrypt+111↑r
; Zero dword closing the table.
.text:00402044  00 00 00 00  align 8