
pto

  1. //-------------------------------------------------------------------------
  2. // Data declarations
  3.  
  4. extern _UNKNOWN loc_401A87; // weak
  5. extern _UNKNOWN loc_406E89; // weak
  6. extern char aGetprocesswind[]; // idb
  7. extern char aGetuserobjecti[]; // idb
  8. extern char aGetlastactivep[]; // idb
  9. extern char aGetactivewindo[]; // idb
  10. extern char aMessageboxw[]; // idb
  11. extern const WCHAR aUser32_dll[]; // idb
  12. extern char buf[8]; // idb
  13. extern int dword_40AA24; // weak
  14. extern int dword_40AA28; // weak
  15. extern __int16 word_40AA2C; // weak
  16. extern char byte_40AA2E; // weak
  17. extern int dword_40AA30; // weak
  18. extern int dword_40AA34; // weak
  19. extern int dword_40AA38; // weak
  20. extern __int16 word_40AA3C; // weak
  21. extern char byte_40AA3E; // weak
  22. extern _WORD aPLd[36]; // idb
  23. extern const WCHAR LibFileName[]; // idb
  24. extern char ProcName[]; // idb
  25. extern wchar_t aMemoryWritingE[25]; // weak
  26. extern wchar_t aThreadSuspendE[25]; // weak
  27. extern wchar_t aThreadResumeEr[24]; // weak
  28. extern wchar_t aMemoryProtecti[28]; // weak
  29. extern wchar_t aMemoryReadingE[25]; // weak
  30. extern wchar_t aFunctionNotFou[22]; // weak
  31. extern wchar_t aErrorOpeningPr[25]; // weak
  32. extern char aConnect[]; // idb
  33. extern wchar_t aAllWritesSuces[26]; // weak
  34. extern wchar_t aMemoryAllocati[28]; // weak
  35. extern wchar_t aUnableToGetPro[32]; // weak
  36. extern char cp[]; // idb
  37. extern wchar_t aAuthenticating[24]; // weak
  38. extern wchar_t asc_40AD04[2]; // weak
  39. extern wchar_t asc_40AD08[2]; // weak
  40. extern wchar_t aAcceptFailedD[17]; // weak
  41. extern wchar_t aListenFailedD[17]; // weak
  42. extern wchar_t aBindsocketFail[21]; // weak
  43. extern wchar_t aSocketCreation[26]; // weak
  44. extern wchar_t aMemoryAlloca_0[28]; // weak
  45. extern wchar_t a_ini[5]; // weak
  46. extern const WCHAR KeyName[]; // idb
  47. extern const WCHAR AppName[]; // idb
  48. extern wchar_t aExecutableFile[25]; // weak
  49. extern wchar_t aSelectApplicat[30]; // weak
  50. extern char a83_222_115_46[]; // idb
  51. extern wchar_t aCreatingProces[24]; // weak
  52. extern wchar_t aOk[4]; // weak
  53. extern wchar_t aPatchOk___[13]; // weak
  54. extern wchar_t aResumethreadEr[23]; // weak
  55. extern wchar_t aPatchFailed___[17]; // weak
  56. extern wchar_t aInitialization[26]; // weak
  57. extern wchar_t aCreateProcessE[25]; // weak
  58. extern _UNKNOWN unk_40B040; // weak
  59. extern _UNKNOWN unk_40B048; // weak
  60. extern int __security_cookie; // weak
  61. extern void *off_40C180; // weak
  62. extern HANDLE hConsoleOutput; // idb
  63. extern PVOID dword_40D754; // idb
  64. extern PVOID dword_40D768; // idb
  65. extern PVOID dword_40DAEC; // idb
  66. extern int dword_40DAFC; // weak
  67. extern PVOID dword_40DB00; // idb
  68. extern PVOID dword_40DB04; // idb
  69. extern PVOID dword_40DB08; // idb
  70. extern PVOID dword_40DB0C; // idb
  71. extern PVOID dword_40DB10; // idb
  72. extern int dword_40DB44; // weak
  73. extern int dword_40DB48; // weak
  74. extern UINT uNumber; // idb
  75. extern int dword_40DB60[]; // weak
  76.  
  77. //-------------------------------------------------------------------------
  78. // Function declarations
  79.  
  80. // bool __usercall sub_401000<al>(DWORD a1<eax>, void *hThread);
  81. bool __fastcall sub_4011C0(HANDLE hThread, DWORD dwProcessId, DWORD dwProcessIda, int a4);
  82. int __cdecl sub_401430();
  83. // bool __usercall sub_401610<al>(void *a1<ebx>, void *a2);
  84. int __cdecl main(int argc, const char **argv, const char **envp);
  85. // void *__cdecl malloc(size_t);
  86. // wchar_t *__cdecl wcsncpy(wchar_t *, const wchar_t *, size_t);
  87. signed int __cdecl sub_4019F3(int a1, char a2);
  88. // int *__cdecl _errno();
  89. // unsigned __int32 *__cdecl __doserrno();
  90. void *__cdecl sub_4022D6(void *a1);
  91. void **__cdecl sub_40230D();
  92. // _DWORD __cdecl _lock_file2(_DWORD, _DWORD); weak
  93. // _DWORD __cdecl _unlock_file2(_DWORD, _DWORD); weak
  94. // int __cdecl _stbuf(FILE *); idb
  95. // _DWORD __cdecl _ftbuf(_DWORD, FILE *); weak
  96. // _DWORD __cdecl _woutput_l(_DWORD, _DWORD, _DWORD, _DWORD); weak
  97. void *__cdecl sub_403285(void *a1);
  98. // int _invalid_parameter_noinfo(void); weak
  99. int (*__cdecl sub_403D26())(void);
  100. int (*__cdecl sub_403D4C())(void);
  101. // int _encoded_null(void); weak
  102. void __cdecl sub_404281();
  103. PVOID __cdecl sub_4044D5();
  104. int __cdecl sub_404694(int a1);
  105. int __cdecl sub_4049DB(int a1, int a2, int a3);
  106. // _DWORD __cdecl flsall(_DWORD); weak
  107. int __cdecl sub_405086();
  108. // void *__cdecl memset(void *, int, size_t);
  109. // int __cdecl _write_nolock(int, int, DWORD nNumberOfBytesToWrite); idb
  110. int __cdecl sub_406DBD(int, int, DWORD nNumberOfBytesToWrite); // idb
  111. int __cdecl sub_407CA0();
  112. // _DWORD __cdecl __lock_fhandle(_DWORD); weak
  113. // _DWORD __cdecl _unlock_fhandle(_DWORD); weak
  114. BOOL __cdecl sub_4084A8();
  115. // BOOL __stdcall GetOpenFileNameW(LPOPENFILENAMEW);
  116. // DWORD __stdcall GetPrivateProfileStringW(LPCWSTR lpAppName, LPCWSTR lpKeyName, LPCWSTR lpDefault, LPWSTR lpReturnedString, DWORD nSize, LPCWSTR lpFileName);
  117. // HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);
  118. // HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName);
  119. // void __stdcall Sleep(DWORD dwMilliseconds);
  120. // BOOL __stdcall ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead);
  121. // BOOL __stdcall TerminateProcess(HANDLE hProcess, UINT uExitCode);
  122. // DWORD __stdcall GetModuleFileNameW(HMODULE hModule, LPWSTR lpFilename, DWORD nSize);
  123. // HANDLE __stdcall CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
  124. // HMODULE __stdcall GetModuleHandleW(LPCWSTR lpModuleName);
  125. // DWORD __stdcall GetLastError();
  126. // FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName);
  127. // BOOL __stdcall VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
  128. // LPVOID __stdcall VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
  129. // BOOL __stdcall CloseHandle(HANDLE hObject);
  130. // BOOL __stdcall WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
  131. // DWORD __stdcall SuspendThread(HANDLE hThread);
  132. // DWORD __stdcall ResumeThread(HANDLE hThread);
  133. // BOOL __stdcall WritePrivateProfileStringW(LPCWSTR lpAppName, LPCWSTR lpKeyName, LPCWSTR lpString, LPCWSTR lpFileName);
  134. // BOOL __stdcall CreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
  135. // BOOL __stdcall IsProcessorFeaturePresent(DWORD ProcessorFeature);
  136. // PVOID __stdcall DecodePointer(PVOID Ptr);
  137. // PVOID __stdcall EncodePointer(PVOID Ptr);
  138. // int __stdcall WSAStartup(WORD wVersionRequested, LPWSADATA lpWSAData);
  139. // unsigned __int32 __stdcall inet_addr(const char *cp);
  140. // int __stdcall WSAGetLastError();
  141. // u_short __stdcall htons(u_short hostshort);
  142. // int __stdcall recv(SOCKET s, char *buf, int len, int flags);
  143. // int __stdcall bind(SOCKET s, const struct sockaddr *name, int namelen);
  144. // SOCKET __stdcall socket(int af, int type, int protocol);
  145. // int __stdcall closesocket(SOCKET s);
  146. // int __stdcall send(SOCKET s, const char *buf, int len, int flags);
  147. // int __stdcall listen(SOCKET s, int backlog);
  148. // SOCKET __stdcall accept(SOCKET s, struct sockaddr *addr, int *addrlen);
  149.  
  150.  
//----- (00401000) --------------------------------------------------------
// Hex-Rays pseudo-code; identifiers are decompiler-generated.
//
// Parks the target's main thread inside ws2_32!WSAStartup.  main() creates the
// target with CREATE_SUSPENDED (dwCreationFlags 4); this routine lets it run
// just far enough to map ws2_32.dll and then stops it again at a known point.
//
//   a1       process id of the target (passed in eax)
//   hThread  handle to the target's main thread
//   returns  true only when the final restore write succeeded; every failure
//            prints "<reason>:%d" through sub_4019F3 (wprintf) and returns
//            false.  The process handle is closed on all paths except the
//            OpenProcess failure.
//
// Sequence, each item a call below:
//   OpenProcess(0x38)  = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
//   GetProcAddress(ws2_32, "WSAStartup") resolved in THIS process; the same
//     address is then used inside the target, i.e. the code assumes ws2_32 is
//     mapped at the same base in both processes.
//   ResumeThread, then spin on ReadProcessMemory until the target's first two
//     bytes at that address equal the local ones (no timeout, no sleep).
//   VirtualProtectEx(0x40 = PAGE_EXECUTE_READWRITE), write 0xFEEB (in memory
//     EB FE, a two-byte jump to itself), ResumeThread, Sleep(5000 ms),
//     SuspendThread, write the original two bytes back, restore protection.
//
// Detection view: a parent that changes page protection and writes to an
// exported function of a system DLL inside its suspended child, then undoes
// the write about five seconds later.
bool __usercall sub_401000<al>(DWORD a1<eax>, void *hThread)
{
  HANDLE v2; // edi@1 - target process handle
  HMODULE v3; // eax@2 - local ws2_32.dll base
  FARPROC v4; // esi@2 - local ws2_32!WSAStartup; reused as the address in the target
  int v5; // eax@3 - last word read from the target
  char v7; // al@19 - GetLastError() narrowed to char: decompiler vararg artifact
  int v8; // [sp-Ch] [bp-28h]@12 - format string for the shared error exit
  char v9; // [sp-8h] [bp-24h]@12 - error code for the shared error exit (same artifact as v7)
  int v10; // [sp+8h] [bp-14h]@1 - the two patch bytes, 0xFEEB
  int v11; // [sp+Ch] [bp-10h]@1 - result flag, set to 1 only on full success
  DWORD flOldProtect; // [sp+10h] [bp-Ch]@6
  SIZE_T NumberOfBytesWritten; // [sp+14h] [bp-8h]@4 - shared by the read and both writes, never checked
  int Buffer; // [sp+18h] [bp-4h]@3 - receives the 2-byte read; only its low word is compared

  v10 = 65259; // 0xFEEB
  v11 = 0;
  v2 = OpenProcess(0x38u, 0, a1);
  if ( v2 )
  {
    // Neither LoadLibraryW nor GetModuleHandleW is checked; a null v3 only
    // surfaces as a failed GetProcAddress.
    LoadLibraryW(L"ws2_32.dll");
    v3 = GetModuleHandleW(L"ws2_32.dll");
    v4 = GetProcAddress(v3, "WSAStartup");
    if ( !v4 )
    {
      v9 = GetLastError();
      v8 = (int)L"Function not found:%d";
      goto LABEL_18;
    }
    Buffer = 0;
    // First resume: the child must run to load ws2_32.  It is resumed again
    // after the patch below.
    ResumeThread(hThread);
    v5 = 0;
    if ( 0 != *(_WORD *)v4 )
    {
      // Busy-wait until the child's bytes at v4 match the local copy.
      // ReadProcessMemory's return value is ignored, so a read failure just
      // keeps spinning.
      do
      {
        ReadProcessMemory(v2, v4, &Buffer, 2u, &NumberOfBytesWritten);
        v5 = Buffer;
      }
      while ( Buffer != *(_WORD *)v4 );
    }
    if ( v5 != *(_WORD *)v4 )
    {
      // As decompiled this branch cannot be taken: the loop only exits on
      // equality, and when it is skipped both sides are 0.
      v9 = GetLastError();
      v8 = (int)L"Memory reading error:%d\n";
      goto LABEL_18;
    }
    if ( !VirtualProtectEx(v2, v4, 2u, 0x40u, &flOldProtect) )
    {
      v9 = GetLastError();
      v8 = (int)L"Memory protection error:%d\n";
      goto LABEL_18;
    }
    // Plant the self-jump, let the thread run into it, then freeze it there.
    if ( WriteProcessMemory(v2, v4, &v10, 2u, &NumberOfBytesWritten) )
    {
      if ( ResumeThread(hThread) == -1 )
      {
        v9 = GetLastError();
        v8 = (int)L"Thread resume error:%d\n";
        goto LABEL_18;
      }
      Sleep(0x1388u); // 5000 ms; nothing verifies the thread actually reached WSAStartup
      if ( SuspendThread(hThread) == -1 )
      {
        v9 = GetLastError();
        v8 = (int)L"Thread suspend error:%d\n";
        goto LABEL_18;
      }
      // Restore the original two bytes from the local copy of the function.
      if ( WriteProcessMemory(v2, v4, v4, 2u, &NumberOfBytesWritten) )
      {
        VirtualProtectEx(v2, v4, 2u, flOldProtect, &flOldProtect);
        v11 = 1;
        CloseHandle(v2);
        return v11 != 0;
      }
    }
    // Falls here when either WriteProcessMemory failed; on the second one the
    // target is left with the self-jump in place.
    v9 = GetLastError();
    v8 = (int)L"Memory writing error:%d\n";
LABEL_18:
    sub_4019F3(v8, v9);
    CloseHandle(v2);
    return v11 != 0;
  }
  v7 = GetLastError();
  sub_4019F3((int)L"Error opening process:%d", v7);
  return v11 != 0;
}
  239. // 40AAAC: using guessed type wchar_t aMemoryWritingE[25];
  240. // 40AAE0: using guessed type wchar_t aThreadSuspendE[25];
  241. // 40AB14: using guessed type wchar_t aThreadResumeEr[24];
  242. // 40AB44: using guessed type wchar_t aMemoryProtecti[28];
  243. // 40AB7C: using guessed type wchar_t aMemoryReadingE[25];
  244. // 40ABB0: using guessed type wchar_t aFunctionNotFou[22];
  245. // 40ABDC: using guessed type wchar_t aErrorOpeningPr[25];
  246.  
//----- (004011C0) --------------------------------------------------------
// Hex-Rays pseudo-code; identifiers are decompiler-generated.
//
// Writes an inline hook over ws2_32!connect inside the target process and a
// second five-byte patch at a fixed address in the target image, both jumping
// into a freshly allocated RWX page.
//
//   hThread       target's main thread; suspended here, resumed only on success
//   dwProcessId   not used in the body (register-argument split by the
//                 decompiler; main() passes an uninitialised edx for it)
//   dwProcessIda  target process id, the one actually opened
//   a4            32-bit value copied into the first stub at offset 11.
//                 main() passes inet_addr("83.222.115.46"); presumably the
//                 address the stub compares or rewrites -- verify by
//                 disassembling the data at 40AA24..40AA3E
//   returns       true when all four WriteProcessMemory calls succeed.  On any
//                 failure the target is TerminateProcess'ed and false returned;
//                 the process handle is never closed on either path.
//
// What is written (sizes and addresses exactly as in the calls below):
//   v7 = VirtualAllocEx(0x6C bytes, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE)
//   connect[0..4]      <- E9 + (v7 - connect - 5): jmp to v7
//   v7[0..0x21]        <- 34 bytes assembled from the byte_40AA24.. constants,
//                         a4 at +11, and a trailing dword (connect - v7) - 29,
//                         which as a displacement from the end of the stub
//                         lands at connect + 5
//   0x9B5284[0..4]     <- E9 + (v7 - 10179175); 10179175 == 0x9B5289 - 34, so
//                         this jump lands at v7 + 34
//   v7[34..0x4B]       <- 0x44 bytes copied from a binary blob the decompiler
//                         rendered as the string "P>‹D$ Æ" (contents not
//                         recoverable from this listing), then aPLd[34] and
//                         10179135 - (v7 + 34)
// 0x9B5284 and 10179135 (0x9B523F) are hard-coded addresses inside the target
// executable: the patch fits one specific build at its preferred base.
// Page protection is never restored for either patched region.
//
// Detection view: OpenProcess(0x38) + VirtualAllocEx RWX + WriteProcessMemory
// onto a system-DLL export and onto the main image of a suspended child.
bool __fastcall sub_4011C0(HANDLE hThread, DWORD dwProcessId, DWORD dwProcessIda, int a4)
{
  HANDLE v4; // esi@1 - hThread
  HANDLE v5; // ebx@1 - target process handle
  HMODULE v6; // eax@2 - local ws2_32.dll base
  void *v7; // eax@3 - remote allocation (lpBaseAddress)
  void *v8; // esi@4 - remote ws2_32!connect
  char *v9; // edx@4 - connect - v7
  int v11; // [sp-8h] [bp-B4h]@11 - format string for the shared error exit
  char v12; // [sp-4h] [bp-B0h]@11 - GetLastError() narrowed to char (decompiler vararg artifact)
  char v13; // [sp+0h] [bp-ACh]@0 - uninitialised; passed where the format has no %-args
  DWORD flOldProtect; // [sp+Ch] [bp-A0h]@4 - old protection of connect, never restored
  char v15; // [sp+10h] [bp-9Ch]@5 - old protection of 0x9B5284 spills into a char (stack artifact)
  LPVOID lpBaseAddress; // [sp+14h] [bp-98h]@3 - v7
  HANDLE hThreada; // [sp+18h] [bp-94h]@1 - hThread
  void *v18; // [sp+1Ch] [bp-90h]@3 - v7 + 34, start of the second stub
  char v19; // [sp+20h] [bp-8Ch]@4 - 0xE9 for the 0x9B5284 patch
  char *v20; // [sp+21h] [bp-8Bh]@4 - rel32 for the 0x9B5284 patch (follows v19 in memory)
  int v21; // [sp+28h] [bp-84h]@1 - result flag
  LPVOID Buffer; // [sp+2Ch] [bp-80h]@2 - connect address, then reused as the 5-byte hook bytes
  SIZE_T NumberOfBytesWritten; // [sp+34h] [bp-78h]@2 - shared, never checked
  char v24; // [sp+38h] [bp-74h]@4 - 0x44-byte blob; v24..v26 form the 0x4A-byte second stub
  __int16 v25; // [sp+7Ch] [bp-30h]@4
  int v26; // [sp+7Eh] [bp-2Eh]@4
  int v27; // [sp+84h] [bp-28h]@4 - v27..v37 form the 0x22-byte first stub
  int v28; // [sp+88h] [bp-24h]@4
  __int16 v29; // [sp+8Ch] [bp-20h]@4
  char v30; // [sp+8Eh] [bp-1Eh]@4
  int v31; // [sp+8Fh] [bp-1Dh]@4 - a4
  int v32; // [sp+93h] [bp-19h]@4
  int v33; // [sp+97h] [bp-15h]@4
  int v34; // [sp+9Bh] [bp-11h]@4
  __int16 v35; // [sp+9Fh] [bp-Dh]@4
  char v36; // [sp+A1h] [bp-Bh]@4
  char *v37; // [sp+A2h] [bp-Ah]@4 - (connect - v7) - 29
  unsigned int v38; // [sp+A8h] [bp-4h]@1 - /GS stack cookie
  int v39; // [sp+ACh] [bp+0h]@1

  v38 = (unsigned int)&v39 ^ __security_cookie; // /GS canary; its check is elided by the decompiler
  v4 = hThread;
  hThreada = hThread;
  v21 = 0;
  v5 = OpenProcess(0x38u, 0, dwProcessIda);
  if ( !v5 )
  {
    v12 = GetLastError();
    v11 = (int)L"Error opening process:%d";
    goto LABEL_12;
  }
  SuspendThread(v4);
  NumberOfBytesWritten = 0;
  // connect is resolved locally and assumed to sit at the same address in the
  // target (same assumption as sub_401000).
  LoadLibraryW(L"ws2_32.dll");
  v6 = GetModuleHandleW(L"ws2_32.dll");
  Buffer = GetProcAddress(v6, "connect");
  if ( !Buffer )
  {
    sub_4019F3((int)L"Unable to get procedure address", v13);
    goto LABEL_13;
  }
  v7 = VirtualAllocEx(v5, 0, 0x6Cu, 0x1000u, 0x40u);
  lpBaseAddress = v7;
  v18 = (char *)v7 + 34;
  if ( !v7 )
  {
    v12 = GetLastError();
    v11 = (int)L"Memory allocation error:%d\n";
    goto LABEL_12;
  }
  memcpy(&v24, "P>‹D$ Æ", 0x44u);
  v20 = (char *)v7 - 10179175;
  v27 = dword_40AA24;
  v28 = dword_40AA28;
  v29 = word_40AA2C;
  v30 = byte_40AA2E;
  v32 = dword_40AA30;
  v33 = dword_40AA34;
  v34 = dword_40AA38;
  v35 = word_40AA3C;
  v36 = byte_40AA3E;
  v25 = aPLd[34];
  v8 = Buffer;
  v31 = a4;
  v9 = (char *)(Buffer - v7);
  // Overwrite Buffer's upper four bytes with the hook's rel32 and its low byte
  // with 0xE9 (-23); Buffer itself is then the 5-byte patch for connect.
  *(LPVOID *)((char *)&Buffer + 1) = (LPVOID)(v7 - Buffer - 5);
  v26 = 10179135 - (_DWORD)((char *)v7 + 34);
  v19 = -23;
  v37 = v9 - 29;
  LOBYTE(Buffer) = -23;
  if ( !VirtualProtectEx(v5, v8, 5u, 0x40u, &flOldProtect)
    || !VirtualProtectEx(v5, (LPVOID)0x9B5284, 5u, 0x40u, (PDWORD)&v15) )
  {
    v12 = GetLastError();
    v11 = (int)L"Memory protection error:%d\n";
    goto LABEL_12;
  }
  // A failure after the first write leaves the target partially patched; the
  // TerminateProcess below is the only cleanup.
  if ( !WriteProcessMemory(v5, v8, &Buffer, 5u, &NumberOfBytesWritten)
    || !WriteProcessMemory(v5, lpBaseAddress, &v27, 0x22u, &NumberOfBytesWritten)
    || !WriteProcessMemory(v5, (LPVOID)0x9B5284, &v19, 5u, &NumberOfBytesWritten)
    || !WriteProcessMemory(v5, v18, &v24, 0x4Au, &NumberOfBytesWritten) )
  {
    v12 = GetLastError();
    v11 = (int)L"Memory writing error:%d\n";
LABEL_12:
    sub_4019F3(v11, v12);
LABEL_13:
    TerminateProcess(v5, 0);
    return v21 != 0;
  }
  sub_4019F3((int)L"All writes sucessfull...\n", v13);
  v21 = 1;
  ResumeThread(hThreada);
  return v21 != 0;
}
  361. // 40AA24: using guessed type int dword_40AA24;
  362. // 40AA28: using guessed type int dword_40AA28;
  363. // 40AA2C: using guessed type __int16 word_40AA2C;
  364. // 40AA2E: using guessed type char byte_40AA2E;
  365. // 40AA30: using guessed type int dword_40AA30;
  366. // 40AA34: using guessed type int dword_40AA34;
  367. // 40AA38: using guessed type int dword_40AA38;
  368. // 40AA3C: using guessed type __int16 word_40AA3C;
  369. // 40AA3E: using guessed type char byte_40AA3E;
  370. // 40AAAC: using guessed type wchar_t aMemoryWritingE[25];
  371. // 40AB44: using guessed type wchar_t aMemoryProtecti[28];
  372. // 40ABDC: using guessed type wchar_t aErrorOpeningPr[25];
  373. // 40AC18: using guessed type wchar_t aAllWritesSuces[26];
  374. // 40AC4C: using guessed type wchar_t aMemoryAllocati[28];
  375. // 40AC88: using guessed type wchar_t aUnableToGetPro[32];
  376. // 40C004: using guessed type int __security_cookie;
  377.  
//----- (00401430) --------------------------------------------------------
// Hex-Rays pseudo-code; identifiers are decompiler-generated.
//
// Local "authentication" responder: listens on 127.0.0.1:5190 (htons(0x1446)),
// and for every accepted connection reads 274 bytes and answers with a fixed
// 26-byte blob.  main() calls this after the hooked target has been resumed,
// so the hooked connect presumably ends up here -- confirm against the stub.
//
//   returns  the wprintf result on a setup failure (the malloc message uses
//            GetLastError, the socket ones WSAGetLastError), otherwise the
//            closesocket() result of the last iteration, reached only when
//            accept() fails.
//
// Notes for review:
//   - recv() returning 0 (peer closed early) is not handled: v2 is not reduced,
//     so the inner loop spins forever on that client.
//   - every recv() writes to the start of buf with the remaining length, so
//     the 274 bytes are counted but not assembled; only the count matters.
//   - buf (274 bytes) is never freed; WSAStartup's result is unchecked;
//     closesocket() is also called on INVALID_SOCKET after a failed accept.
int __cdecl sub_401430()
{
  SOCKET v0; // edi@2 - listening socket
  SOCKET v1; // esi@6 - accepted client socket
  int v2; // edi@7 - bytes still to read (shares edi with v0, see v0 = v13 below)
  int v3; // eax@8 - recv() result
  char v4; // al@11 - WSAGetLastError() narrowed to char (decompiler vararg artifact)
  int result; // eax@12
  int v6; // [sp-8h] [bp-1D8h]@14 - format string for the error exits
  char v7; // [sp-4h] [bp-1D4h]@14 - error code for the error exits (same artifact as v4)
  char v8; // [sp+0h] [bp-1D0h]@0 - uninitialised; passed where the format has no %-args
  char v9; // [sp+0h] [bp-1D0h]@5 - same
  void *buf; // [sp+Ch] [bp-1C4h]@1 - 0x112 = 274-byte receive buffer
  int addrlen; // [sp+10h] [bp-1C0h]@4
  SOCKET v13; // [sp+14h] [bp-1BCh]@2 - saved copy of the listening socket
  struct WSAData WSAData; // [sp+18h] [bp-1B8h]@2
  struct sockaddr addr; // [sp+1ACh] [bp-24h]@6 - peer address, unused
  struct sockaddr name; // [sp+1BCh] [bp-14h]@3 - bind address
  unsigned int v17; // [sp+1CCh] [bp-4h]@1 - /GS stack cookie
  int v18; // [sp+1D0h] [bp+0h]@1

  v17 = (unsigned int)&v18 ^ __security_cookie;
  buf = malloc(0x112u);
  if ( !buf )
  {
    v7 = GetLastError();
    v6 = (int)L"Memory allocation failed:%d";
    return sub_4019F3(v6, v7);
  }
  memset(&WSAData, 0, 0x190u);
  WSAStartup(0x202u, &WSAData); // Winsock 2.2; result ignored
  v0 = socket(2, 1, 6); // AF_INET, SOCK_STREAM, IPPROTO_TCP
  v13 = v0;
  if ( v0 == -1 )
  {
    v7 = WSAGetLastError();
    v6 = (int)L"Socket creation failed:%d";
    return sub_4019F3(v6, v7);
  }
  // sockaddr_in built through the generic sockaddr: family 2 = AF_INET,
  // port at sa_data[0..1], address at sa_data[2..5].
  *(_DWORD *)&name.sa_family = 0;
  *(_DWORD *)&name.sa_data[2] = 0;
  *(_DWORD *)&name.sa_data[6] = 0;
  *(_DWORD *)&name.sa_data[10] = 0;
  name.sa_family = 2;
  *(_DWORD *)&name.sa_data[2] = inet_addr("127.0.0.1");
  *(_WORD *)&name.sa_data[0] = htons(0x1446u); // port 5190
  if ( bind(v0, &name, 16) == -1 )
  {
    v7 = WSAGetLastError();
    v6 = (int)L"Bindsocket failed:%d";
    return sub_4019F3(v6, v7);
  }
  addrlen = 16;
  if ( listen(v0, 10) == -1 )
  {
    v7 = WSAGetLastError();
    v6 = (int)L"Listen failed:%d";
    return sub_4019F3(v6, v7);
  }
  sub_4019F3((int)L"Authenticating keys...\n", v8);
  do
  {
    v1 = accept(v0, &addr, &addrlen);
    if ( v1 == -1 )
    {
      v4 = WSAGetLastError();
      sub_4019F3((int)L"Accept failed:%d", v4);
    }
    else
    {
      sub_4019F3((int)L"<", v9);
      v2 = 274;
      // Count down until 274 bytes have arrived or recv() reports an error.
      // A zero-length result (orderly shutdown) never leaves this loop.
      do
      {
        v3 = recv(v1, (char *)buf, v2, 0);
        if ( v3 == -1 )
          break;
        v2 -= v3;
      }
      while ( v2 );
      sub_4019F3((int)L">", v9);
      // Fixed 26-byte reply; the literal is binary data the decompiler
      // rendered as text.  send()'s result is ignored.
      send(v1, "KlëºÐh¼3", 26, 0);
      v0 = v13; // edi was clobbered by the countdown above
    }
    result = closesocket(v1);
  }
  while ( v1 != -1 );
  return result;
}
  468. // 40ACD4: using guessed type wchar_t aAuthenticating[24];
  469. // 40AD04: using guessed type wchar_t asc_40AD04[2];
  470. // 40AD08: using guessed type wchar_t asc_40AD08[2];
  471. // 40AD0C: using guessed type wchar_t aAcceptFailedD[17];
  472. // 40AD30: using guessed type wchar_t aListenFailedD[17];
  473. // 40AD54: using guessed type wchar_t aBindsocketFail[21];
  474. // 40AD80: using guessed type wchar_t aSocketCreation[26];
  475. // 40ADB4: using guessed type wchar_t aMemoryAlloca_0[28];
  476. // 40C004: using guessed type int __security_cookie;
  477.  
//----- (00401610) --------------------------------------------------------
// Hex-Rays pseudo-code; identifiers are decompiler-generated.
//
// Loads the target executable path from "<this exe>.ini" ([cfg] Exec=...),
// falling back to a file-open dialog whose choice is written back to the ini,
// and derives the directory part for CreateProcessW's current directory.
//
//   a1       out, 0x208 bytes (260 wide chars): full path of the executable
//   a2       out, 0x208 bytes: a1 truncated after its last backslash
//   returns  true once a1 holds a (non-empty or dialog-chosen) path; false
//            when the dialog was cancelled or the ini could not be created
//
// Notes for review:
//   - the path read from the ini is used as-is as the CreateProcessW
//     application name in main(); whoever can edit the ini picks the binary.
//   - CreateFileW failure is tested with "== 0", but CreateFileW reports
//     failure with INVALID_HANDLE_VALUE (-1); a failed create therefore
//     falls through to CloseHandle(-1) and the WritePrivateProfileStringW.
//   - v2 (malloc 0x410) is unchecked and never freed.
//   - on the dialog/CreateFile failure path v3 still holds the index of '.'
//     in the module path, so a2 receives that many characters of a1 before
//     false is returned; harmless because main() exits on false.
bool __usercall sub_401610<al>(void *a1<ebx>, void *a2)
{
  void *v2; // edi@1 - own module path, later the ini path
  DWORD v3; // esi@1 - scan index: length, then position of '.' / '\\'
  bool v4; // zf@1 - "no '.' found" flag
  int v5; // eax@6 - cursor over L".ini"
  __int16 v6; // cx@7
  void *v7; // eax@8 - inline wcslen cursor over a1
  __int16 v8; // cx@9
  HANDLE v9; // eax@12 - handle from CreateFileW
  void *v10; // esi@14 - inline wcslen cursor over a1
  __int16 v11; // ax@15
  bool v12; // zf@16 - "no '\\' found" flag
  struct tagOFNW v14; // [sp+8h] [bp-64h]@11 - OPENFILENAMEW, 0x58 bytes
  int v15; // [sp+64h] [bp-8h]@1 - result flag

  v15 = 0;
  memset(a1, 0, 0x208u);
  memset(a2, 0, 0x208u);
  v2 = malloc(0x410u);
  v3 = GetModuleFileNameW(0, (LPWSTR)v2, 0x104u);
  v4 = v3 == 0;
  // Walk back from the end of the module path to the last '.' (46).
  if ( (signed int)v3 > 0 )
  {
    do
    {
      if ( *((_WORD *)v2 + v3) == 46 )
        break;
      --v3;
    }
    while ( (signed int)v3 > 0 );
    v4 = v3 == 0;
  }
  if ( !v4 )
  {
    // Overwrite from the '.' with L".ini" including its terminator; the odd
    // address arithmetic is just v2[v3 + (v5 - L".ini")/2] = *v5.
    v5 = (int)L".ini";
    do
    {
      v6 = *(_WORD *)v5;
      *(_WORD *)((char *)v2 + 2 * v3 - (_DWORD)L".ini" + v5) = *(_WORD *)v5;
      v5 += 2;
    }
    while ( v6 );
  }
  GetPrivateProfileStringW(L"cfg", L"Exec", 0, (LPWSTR)a1, 0x104u, (LPCWSTR)v2);
  // Inline wcslen(a1).
  v7 = a1;
  do
  {
    v8 = *(_WORD *)v7;
    v7 = (char *)v7 + 2;
  }
  while ( v8 );
  if ( !((signed int)(v7 - ((char *)a1 + 2)) >> 1) )
  {
    // Nothing configured: ask the user, then create the ini and store the
    // choice.  0x40000000 = GENERIC_WRITE, 2 = FILE_SHARE_WRITE, 2 = CREATE_ALWAYS.
    memset(&v14, 0, 0x58u);
    v14.lpstrFilter = L"Executable files (*.exe)";
    v14.nMaxFile = 260;
    v14.lpstrFile = (LPWSTR)a1;
    v14.lpstrTitle = L"Select application executable";
    v14.lStructSize = 88;
    if ( !GetOpenFileNameW(&v14) || (v9 = CreateFileW((LPCWSTR)v2, 0x40000000u, 2u, 0, 2u, 0, 0)) == 0 )
    {
LABEL_19:
      v12 = v3 == 0;
      goto LABEL_20;
    }
    CloseHandle(v9);
    WritePrivateProfileStringW(L"cfg", L"Exec", (LPCWSTR)a1, (LPCWSTR)v2);
  }
  // Inline wcslen(a1) again, then walk back to the last '\\' (92).
  v10 = a1;
  v15 = 1;
  do
  {
    v11 = *(_WORD *)v10;
    v10 = (char *)v10 + 2;
  }
  while ( v11 );
  v3 = (signed int)(v10 - ((char *)a1 + 2)) >> 1;
  v12 = v3 == 0;
  if ( (signed int)v3 > 0 )
  {
    do
    {
      if ( *((_WORD *)a1 + v3) == 92 )
        break;
      --v3;
    }
    while ( (signed int)v3 > 0 );
    goto LABEL_19;
  }
LABEL_20:
  if ( !v12 )
  {
    // Copy up to and including the backslash, then terminate explicitly
    // (wcsncpy does not guarantee a terminator).
    wcsncpy((wchar_t *)a2, (const wchar_t *)a1, v3 + 1);
    *((_WORD *)a2 + v3 + 1) = 0;
  }
  return v15 != 0;
}
  577. // 40ADEC: using guessed type wchar_t a_ini[5];
  578. // 40AE10: using guessed type wchar_t aExecutableFile[25];
  579. // 40AE54: using guessed type wchar_t aSelectApplicat[30];
  580.  
//----- (00401790) --------------------------------------------------------
// Hex-Rays pseudo-code; identifiers are decompiler-generated.
//
// Entry point.  Order of operations as visible below:
//   1. sub_401610: resolve the executable path (ini or dialog) and its directory.
//   2. CreateProcessW(..., dwCreationFlags 4 = CREATE_SUSPENDED, ...).
//   3. sub_401000: park the child's main thread in ws2_32!WSAStartup.
//   4. sub_4011C0: hook ws2_32!connect and patch 0x9B5284 in the child,
//      embedding inet_addr("83.222.115.46") into the stub.
//   5. ResumeThread, then sub_401430: serve 127.0.0.1:5190 until accept fails.
// Always returns 0.
//
// Notes for review:
//   - v6 (edx) is passed uninitialised as sub_4011C0's dwProcessId; that
//     parameter is unused there, so this is a decompiler register artifact.
//   - inet_addr() is called here before any WSAStartup() in this process
//     (sub_401430 calls it later); Winsock documents WSANOTINITIALISED for
//     that case, so v5 may be INADDR_NONE -- verify at runtime.
//   - v3 and v4 (malloc 0x208 each) are unchecked and never freed; the
//     process and thread handles are never closed.
//   - (char)v3 truncates the path pointer passed to "%ws"; a decompiler
//     vararg artifact, the real push is the full pointer.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *v3; // ebx@1 - executable path (out of sub_401610)
  void *v4; // esi@1 - its directory, used as lpCurrentDirectory
  int v5; // eax@4 - inet_addr("83.222.115.46")
  DWORD v6; // edx@4 - never assigned (see note above)
  int result; // eax@6
  char v8; // al@7 - GetLastError() narrowed to char (decompiler vararg artifact)
  char v9; // al@11 - same
  int v10; // [sp-4h] [bp-64h]@8 - failure message for LABEL_10
  char v11; // [sp+0h] [bp-60h]@0 - uninitialised; passed where the format has no %-args
  char v12; // [sp+0h] [bp-60h]@3 - same
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+8h] [bp-58h]@2
  struct _STARTUPINFOW StartupInfo; // [sp+18h] [bp-48h]@2

  v3 = malloc(0x208u);
  v4 = malloc(0x208u);
  if ( !sub_401610(v3, v4) )
    return 0;
  memset(&StartupInfo, 0, 0x44u);
  StartupInfo.cb = 68; // sizeof(STARTUPINFOW) on 32-bit
  ProcessInformation.hProcess = 0;
  ProcessInformation.hThread = 0;
  ProcessInformation.dwProcessId = 0;
  ProcessInformation.dwThreadId = 0;
  sub_4019F3((int)L"Creating process %ws...", (char)v3);
  // Child starts suspended so its memory can be patched before it runs.
  if ( !CreateProcessW((LPCWSTR)v3, 0, 0, 0, 0, 4u, 0, (LPCWSTR)v4, &StartupInfo, &ProcessInformation) )
  {
    v9 = GetLastError();
    sub_4019F3((int)L"Create process error %d\n", v9);
    return 0;
  }
  sub_4019F3((int)L"OK\n", v11);
  if ( !sub_401000(ProcessInformation.dwProcessId, ProcessInformation.hThread) )
  {
    v10 = (int)L"Initialization Failed...\n";
    goto LABEL_10;
  }
  v5 = inet_addr("83.222.115.46");
  if ( !sub_4011C0(ProcessInformation.hThread, v6, ProcessInformation.dwProcessId, v5) )
  {
    v10 = (int)L"Patch Failed...\n";
LABEL_10:
    sub_4019F3(v10, v12);
    TerminateProcess(ProcessInformation.hProcess, 0);
    return 0;
  }
  sub_4019F3((int)L"Patch OK...\n", v12);
  if ( ResumeThread(ProcessInformation.hThread) == -1 )
  {
    v8 = GetLastError();
    sub_4019F3((int)L"ResumeThread error %d\n", v8);
    TerminateProcess(ProcessInformation.hProcess, 0);
    result = 0;
  }
  else
  {
    // Blocks in the accept loop; the child keeps running alongside.
    sub_401430();
    result = 0;
  }
  return result;
}
  644. // 40AEA0: using guessed type wchar_t aCreatingProces[24];
  645. // 40AED0: using guessed type wchar_t aOk[4];
  646. // 40AED8: using guessed type wchar_t aPatchOk___[13];
  647. // 40AEF4: using guessed type wchar_t aResumethreadEr[23];
  648. // 40AF24: using guessed type wchar_t aPatchFailed___[17];
  649. // 40AF48: using guessed type wchar_t aInitialization[26];
  650. // 40AF7C: using guessed type wchar_t aCreateProcessE[25];
  651.  
//----- (004019F3) --------------------------------------------------------
// Hex-Rays pseudo-code.  The shape matches the MSVC CRT wprintf(): lock
// stdout, set up the temporary output buffer, run the wide formatter, flush
// the temporary buffer, unlock.  sub_40230D() returns a pointer into the
// CRT's FILE table; "+ 8" on a void ** and "(FILE *) + 1" both step 32 bytes,
// i.e. the second entry, presumably stdout -- confirm against the binary.
//
//   a1       wchar_t format string, cast to int by the decompiler
//   a2       first vararg slot; its address is handed to the formatter
//   returns  -1 with errno = 22 (EINVAL) for a null format, otherwise the
//            value of _unlock_file2 (the formatter's count is not propagated
//            in this decompilation)
signed int __cdecl sub_4019F3(int a1, char a2)
{
  void **iob;
  int stbuf_state;

  if ( a1 == 0 )
  {
    // Null format: CRT invalid-parameter path, then EINVAL.
    *_errno() = 22;
    _invalid_parameter_noinfo();
    return -1;
  }
  iob = sub_40230D();
  _lock_file2(1, iob + 8);
  iob = sub_40230D();
  stbuf_state = _stbuf((FILE *)iob + 1);
  iob = sub_40230D();
  _woutput_l(iob + 8, a1, 0, &a2);
  iob = sub_40230D();
  _ftbuf(stbuf_state, (FILE *)iob + 1);
  iob = sub_40230D();
  return _unlock_file2(1, iob + 8);
}
  684. // 402425: using guessed type _DWORD __cdecl _lock_file2(_DWORD, _DWORD);
  685. // 402493: using guessed type _DWORD __cdecl _unlock_file2(_DWORD, _DWORD);
  686. // 40255E: using guessed type _DWORD __cdecl _ftbuf(_DWORD, FILE *);
  687. // 4026C1: using guessed type _DWORD __cdecl _woutput_l(_DWORD, _DWORD, _DWORD, _DWORD);
  688. // 40340F: using guessed type int _invalid_parameter_noinfo(void);
  689.  
//----- (004022D6) --------------------------------------------------------
// Stores a1 in the module-level slot dword_40D754 and returns it unchanged.
// Which CRT handler or state this slot holds is not recoverable from the
// listing.
void *__cdecl sub_4022D6(void *a1)
{
  dword_40D754 = a1;
  return a1;
}
  699.  
//----- (0040230D) --------------------------------------------------------
// Returns the address of the off_40C180 table.  sub_4019F3 indexes the
// result by FILE-sized steps, so this is presumably the CRT's stream table.
void **__cdecl sub_40230D()
{
  void **table = &off_40C180;
  return table;
}
  705. // 40C180: using guessed type void *off_40C180;
  706.  
//----- (00403285) --------------------------------------------------------
// Stores a1 in the module-level slot dword_40D768 and returns it unchanged.
// Same setter shape as sub_4022D6; the slot's meaning is not recoverable
// from the listing.
void *__cdecl sub_403285(void *a1)
{
  dword_40D768 = a1;
  return a1;
}
  716.  
//----- (00403D26) --------------------------------------------------------
// Hex-Rays pseudo-code.  Walks a table of function pointers, calling each
// non-null entry -- the shape of the CRT's _initterm over an initializer
// section.  Both table bounds decompiled to &unk_40B040, so as shown the
// condition is never true and the loop is dead; presumably the end symbol
// was folded by the decompiler.  Verify the real bounds in the binary.
//
//   returns  the last pointer (or call result) handled, per the decompiler's
//            eax tracking
int (*__cdecl sub_403D26())(void)
{
  int (*result)(void); // eax@1
  unsigned int v1; // edi@1 - cursor over the table

  result = (int (*)(void))&unk_40B040;
  v1 = (unsigned int)&unk_40B040;
  if ( &unk_40B040 < &unk_40B040 )
  {
    do
    {
      result = *(int (**)(void))v1;
      if ( *(_DWORD *)v1 )
        result = (int (*)(void))result();
      v1 += 4;
    }
    while ( v1 < (unsigned int)&unk_40B040 );
  }
  return result;
}
  738.  
//----- (00403D4C) --------------------------------------------------------
// Hex-Rays pseudo-code.  Same initializer-table walk as sub_403D26, over
// the table at unk_40B048.  Both bounds again decompiled to the same symbol,
// so the loop is dead as shown; presumably a folded end symbol -- verify in
// the binary.
//
//   returns  the last pointer (or call result) handled
int (*__cdecl sub_403D4C())(void)
{
  int (*result)(void); // eax@1
  unsigned int v1; // edi@1 - cursor over the table

  result = (int (*)(void))&unk_40B048;
  v1 = (unsigned int)&unk_40B048;
  if ( &unk_40B048 < &unk_40B048 )
  {
    do
    {
      result = *(int (**)(void))v1;
      if ( *(_DWORD *)v1 )
        result = (int (*)(void))result();
      v1 += 4;
    }
    while ( v1 < (unsigned int)&unk_40B048 );
  }
  return result;
}
  760.  
//----- (00404281) --------------------------------------------------------
// Clears the module-level flag dword_40DB48.  Nothing else in the listing
// reads it, so its purpose is not recoverable here.
void __cdecl sub_404281()
{
  dword_40DB48 = 0;
}
  766. // 40DB48: using guessed type int dword_40DB48;
  767.  
//----- (004044D5) --------------------------------------------------------
// Returns the pointer stored (EncodePointer-encoded) in dword_40DAEC after
// decoding it.  Which CRT handler it is cannot be told from the listing.
PVOID __cdecl sub_4044D5()
{
  PVOID encoded = dword_40DAEC;
  return DecodePointer(encoded);
}
  773.  
//----- (00404694) --------------------------------------------------------
// Stores a1 in the module-level slot dword_40DAFC and returns it unchanged.
// Same setter shape as sub_4022D6 / sub_403285.
int __cdecl sub_404694(int a1)
{
  dword_40DAFC = a1;
  return a1;
}
  783. // 40DAFC: using guessed type int dword_40DAFC;
  784.  
//----- (004049DB) --------------------------------------------------------
// Hex-Rays pseudo-code.  Shape matches the MSVC CRT's message-box helper
// (__crtMessageBoxW): lazily resolve USER32 entry points and keep them as
// EncodePointer-encoded globals, decide whether the process has a visible
// window station, then call MessageBoxW.
//
//   a1       text (lpText)
//   a2       caption (lpCaption)
//   a3       uType; OR'ed with 0x200000 (MB_SERVICE_NOTIFICATION) when the
//            window station is not visible
//   returns  MessageBoxW's result, or 0 when USER32/MessageBoxW could not be
//            resolved
//
// Globals (all EncodePointer-encoded): dword_40DB00 MessageBoxW,
// dword_40DB04 GetActiveWindow, dword_40DB08 GetLastActivePopup,
// dword_40DB0C GetProcessWindowStation, dword_40DB10 GetUserObjectInformationW.
// Note that USER32.DLL is loaded by bare name (normal DLL search order); this
// is the library's own code, not something the application controls.
int __cdecl sub_4049DB(int a1, int a2, int a3)
{
  HMODULE v3; // eax@2
  HMODULE v4; // ebx@2 - USER32 base
  FARPROC v5; // eax@3
  FARPROC v6; // eax@4
  FARPROC v7; // eax@4
  FARPROC v8; // eax@4
  FARPROC v9; // eax@5
  int (*v10)(void); // edi@8 - GetProcessWindowStation
  PVOID v11; // eax@8 - GetUserObjectInformationW
  PVOID v12; // ebx@8
  int v13; // eax@10 - HWINSTA
  int (*v14)(void); // eax@15 - GetActiveWindow
  PVOID v15; // eax@18 - GetLastActivePopup
  PVOID v16; // eax@20 - MessageBoxW
  char v18; // [sp+Ch] [bp-24h]@11 - bytes-needed out-parameter
  int v19; // [sp+10h] [bp-20h]@1 - a1
  int v20; // [sp+14h] [bp-1Ch]@1 - a2
  void *v21; // [sp+18h] [bp-18h]@1 - encoded NULL, the "not resolved" sentinel
  int v22; // [sp+1Ch] [bp-14h]@1 - owner HWND, 0 by default
  char v23; // [sp+20h] [bp-10h]@11 - USEROBJECTFLAGS (12 bytes)
  char v24; // [sp+28h] [bp-8h]@12 - USEROBJECTFLAGS.dwFlags
  unsigned int v25; // [sp+2Ch] [bp-4h]@1 - /GS stack cookie
  int v26; // [sp+30h] [bp+0h]@1

  v25 = (unsigned int)&v26 ^ __security_cookie;
  v19 = a1;
  v20 = a2;
  v22 = 0;
  v21 = (void *)_encoded_null();
  if ( !dword_40DB00 )
  {
    // First call: resolve and encode the USER32 entry points.  MessageBoxW is
    // mandatory; the others may stay null/encoded-null.
    v3 = LoadLibraryW(L"USER32.DLL");
    v4 = v3;
    if ( !v3 || (v5 = GetProcAddress(v3, "MessageBoxW")) == 0 )
      return 0;
    dword_40DB00 = EncodePointer(v5);
    v6 = GetProcAddress(v4, "GetActiveWindow");
    dword_40DB04 = EncodePointer(v6);
    v7 = GetProcAddress(v4, "GetLastActivePopup");
    dword_40DB08 = EncodePointer(v7);
    v8 = GetProcAddress(v4, "GetUserObjectInformationW");
    dword_40DB10 = EncodePointer(v8);
    if ( dword_40DB10 )
    {
      v9 = GetProcAddress(v4, "GetProcessWindowStation");
      dword_40DB0C = EncodePointer(v9);
    }
  }
  // True when the window-station APIs are unavailable OR the station's flags
  // (UOI_FLAGS = 1, 12-byte USEROBJECTFLAGS) have WSF_VISIBLE (bit 0): in
  // both cases pick an owner window.  Otherwise there is no interactive
  // desktop, so the box is routed as a service notification.
  if ( dword_40DB0C == v21
    || dword_40DB10 == v21
    || (v10 = (int (*)(void))DecodePointer(dword_40DB0C), v11 = DecodePointer(dword_40DB10), v12 = v11, !v10)
    || !v11
    || (v13 = v10()) != 0
    && ((int (__stdcall *)(int, signed int, char *, signed int, char *))v12)(v13, 1, &v23, 12, &v18)
    && v24 & 1 )
  {
    if ( dword_40DB04 != v21 )
    {
      v14 = (int (*)(void))DecodePointer(dword_40DB04);
      if ( v14 )
      {
        v22 = v14();
        if ( v22 )
        {
          if ( dword_40DB08 != v21 )
          {
            v15 = DecodePointer(dword_40DB08);
            if ( v15 )
              v22 = ((int (__stdcall *)(int))v15)(v22);
          }
        }
      }
    }
  }
  else
  {
    a3 |= 0x200000u; // MB_SERVICE_NOTIFICATION
  }
  v16 = DecodePointer(dword_40DB00);
  if ( v16 )
    return ((int (__stdcall *)(int, int, int, int))v16)(v22, v19, v20, a3);
  return 0;
}
  871. // 403D72: using guessed type int _encoded_null(void);
  872. // 40C004: using guessed type int __security_cookie;
  873.  
//----- (00405086) --------------------------------------------------------
// Forwards to flsall(1).  In the MSVC CRT, _flushall() is flsall(FLUSHALL)
// with FLUSHALL == 1, so this is presumably _flushall -- confirm in the binary.
int __cdecl sub_405086()
{
  int mode = 1;
  return flsall(mode);
}
  879. // 404FAC: using guessed type _DWORD __cdecl flsall(_DWORD);
  880.  
//----- (00406DBD) --------------------------------------------------------
// Hex-Rays pseudo-code.  Shape matches the MSVC CRT _write(): validate the
// file handle against the ioinfo table, lock it, write, unlock.
//
//   a1                     CRT file handle (-2 is the CRT's "no console" marker)
//   a2                     buffer
//   nNumberOfBytesToWrite  byte count
//   returns  -1 with errno = 9 (EBADF) for a bad handle; otherwise the value
//            of _unlock_fhandle.  The decompiler appears to have dropped
//            _write_nolock's result here -- the CRT's _write returns the
//            byte count; verify before relying on this return value.
//
// Table layout as used below: dword_40DB60[a1 >> 5] selects a block of
// 64-byte entries, (a1 & 0x1F) << 6 the entry, and byte +4 is the osfile
// flags with bit 0 (FOPEN) meaning "handle is open".
signed int __cdecl sub_406DBD(int a1, int a2, DWORD nNumberOfBytesToWrite)
{
  int *v4; // edi@7 - ioinfo block
  int v5; // esi@7 - entry offset within the block

  if ( a1 == -2 )
  {
    *__doserrno() = 0;
    *_errno() = 9;
    return -1;
  }
  // a1 < 0 is tested first, so the signed/unsigned compare with uNumber is
  // safe.  The comma expression also computes v4/v5 for use after the lock.
  if ( a1 < 0 || a1 >= uNumber || (v4 = &dword_40DB60[a1 >> 5], v5 = (a1 & 0x1F) << 6, !(*(_BYTE *)(*v4 + v5 + 4) & 1)) )
  {
    *__doserrno() = 0;
    *_errno() = 9;
    _invalid_parameter_noinfo();
    return -1;
  }
  __lock_fhandle(a1);
  // Re-check FOPEN under the lock; the handle may have been closed meanwhile.
  if ( *(_BYTE *)(*v4 + v5 + 4) & 1 )
  {
    _write_nolock(a1, a2, nNumberOfBytesToWrite);
  }
  else
  {
    *_errno() = 9;
    *__doserrno() = 0;
  }
  return _unlock_fhandle(a1);
}
  912. // 40340F: using guessed type int _invalid_parameter_noinfo(void);
  913. // 40837A: using guessed type _DWORD __cdecl __lock_fhandle(_DWORD);
  914. // 408419: using guessed type _DWORD __cdecl _unlock_fhandle(_DWORD);
  915. // 40DB60: using guessed type int dword_40DB60[];
  916.  
//----- (00407CA0) --------------------------------------------------------
// Records in dword_40DB44 whether the CPU reports feature 10
// (PF_XMMI64_INSTRUCTIONS_AVAILABLE, i.e. SSE2).  Always returns 0.
int __cdecl sub_407CA0()
{
  BOOL has_sse2 = IsProcessorFeaturePresent(0xAu);
  dword_40DB44 = has_sse2;
  return 0;
}
  924.  
//----- (004084A8) --------------------------------------------------------
// Closes the cached console output handle unless it holds one of the two
// sentinel values: (HANDLE)-1 (INVALID_HANDLE_VALUE) or (HANDLE)-2
// (presumably the CRT's "no console" marker).  For a sentinel the handle
// value itself is returned, otherwise CloseHandle's result.
BOOL __cdecl sub_4084A8()
{
  if ( hConsoleOutput == (HANDLE)-1 || hConsoleOutput == (HANDLE)-2 )
    return (BOOL)hConsoleOutput;
  return CloseHandle(hConsoleOutput);
}
  938.  
  939. // ALL OK, 19 function(s) have been successfully decompiled