1 System snapshot taken on 2/12/07 4:16:42 AM. 2 3 *----> Summary/Overview <----* 4 5 NSISDL.DLL attempted to read from memory that does not exist. 6 It may be using an uninitialized variable, or it may be 7 attempting to access memory after having freed it. 8 9 Module Name: NSISDL.DLL 10 11 Application Name: Debian-svn45063.exe 12 13 -------------------- 14 Windows 95/98 VMware SVGA Display Driver does not appear to be 15 a Windows 95 Plug-and-Play compatible display driver. 16 17 Module Name: vmx_svga.drv 18 Description: Windows 95/98 VMware SVGA Display Driver 19 Version: build-29996 20 Product: VMware SVGA II (FIFO) 21 Manufacturer: VMware, Inc. 22 23 User's Remarks: 24 25 26 *----> System Information <----* 27 28 Microsoft Windows 98 4.10.2222 A 29 Clean install using Full OEM CD 30 /T:C:\WININST0.400 /SrcDir=X:\WIN98 /IE /NF /IZ /IS /IQ /IT /II /NR /II /C /U:xxxxxxxxxxxxxxxxx 31 IE 5 5.00.2614.3500 32 Uptime: 0:00:04:06 33 Normal mode 34 On "WIN98" as "%NAME%" 35 36 GenuineIntel x86 Family 15 Model 2 Stepping 4 37 192MB RAM 38 86% system resources free 39 Windows-managed swap file on drive C (7931MB free) 40 Temporary files on drive C (7931MB free) 41 42 *----> Task list <----* 43 44 Program 45 Type 46 Path 47 ------------ 48 49 1. Kernel32.dll 50 4.10.2222 51 Microsoft Corporation 52 53 2. MSGSRV32.EXE 54 4.10.2222 55 Microsoft Corporation 56 57 3. Mprexe.exe 58 4.10.1998 59 Microsoft Corporation 60 61 4. Mstask.exe 62 4.71.1959.1 63 Microsoft Corporation 64 65 5. Vmwareservice.exe 66 1.0.1 build-29996 67 VMware, Inc. 68 69 6. Explorer.exe 70 4.72.3110.1 71 Microsoft Corporation 72 73 7. Taskmon.exe 74 4.10.1998 75 Microsoft Corporation 76 77 8. Systray.exe 78 4.10.2222 79 Microsoft Corporation 80 81 9. Vmwaretray.exe 82 1.0.1 build-29996 83 VMware, Inc. 84 85 10. Vmwareuser.exe 86 1.0.1 build-29996 87 VMware, Inc. 88 89 11. Debian-svn45063.exe 90 91 92 93 12. Drwatson.exe 94 4.03 95 Microsoft Corporation 96 97 *----> Startup Items <----* 98 99 Name 100 Loaded from 101 Command 102 ------------------- 103 104 1. ScanRegistry 105 Registry (Machine Run) 106 C:\WINDOWS\scanregw.exe /autorun 107 108 2. TaskMonitor 109 Registry (Machine Run) 110 C:\WINDOWS\taskmon.exe 111 112 3. SystemTray 113 Registry (Machine Run) 114 SysTray.Exe 115 116 4. LoadPowerProfile 117 Registry (Machine Run) 118 Rundll32.exe powrprof.dll,LoadCurrentPwrScheme 119 120 5. VMware Tools 121 Registry (Machine Run) 122 C:\Program Files\VMware\VMware Tools\VMwareTray.exe 123 124 6. VMware User Process 125 Registry (Machine Run) 126 C:\Program Files\VMware\VMware Tools\VMwareUser.exe 127 128 7. LoadPowerProfile 129 Registry (Machine Service) 130 Rundll32.exe powrprof.dll,LoadCurrentPwrScheme 131 132 8. SchedulingAgent 133 Registry (Machine Service) 134 C:\WINDOWS\SYSTEM\mstask.exe 135 136 9. VMTools 137 Registry (Machine Service) 138 C:\Program Files\VMware\VMware Tools\VMwareService.exe 139 140 *----> System Hooks <----* 141 142 Hook type 143 Hooked by 144 Application 145 DLL path 146 Application path 147 ------------------------ 148 149 1. Mouse 150 Hook.dll 151 VMWAREUSER.EXE 152 C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\Hook.dll 153 C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE 154 155 *----> Kernel Drivers <----* 156 157 Driver 158 Loaded from 159 Type 160 Likely path 161 ------------------- 162 163 1. VMM 164 165 Microsoft Corporation 166 Virtual Machine Manager 167 168 2. MTRR 169 170 Microsoft Corporation 171 ? 172 173 3. VCACHE 174 175 Microsoft Corporation 176 Cache manager 177 178 4. PERF 179 180 Microsoft Corporation 181 System Monitor data collection driver 182 183 5. VFIXD 184 1.00.02 185 Intel Corporation 186 Compatibility VxD 187 188 6. VPOWERD 189 4.10.2222 190 Microsoft Corporation 191 VPOWERD Virtual Device (Version 4.0) 192 193 7. VPICD 194 195 Microsoft Corporation 196 Hardware interrupt manager 197 198 8. VrtwD 199 1.1.075.3 200 Intel Corporation 201 Real-Time Clock VxD 202 203 9. VTD 204 205 Microsoft Corporation 206 Timer device driver 207 208 10. VWIN32 209 210 Microsoft Corporation 211 Win32 subsystem driver 212 213 11. VXDLDR 214 215 Microsoft Corporation 216 Dynamic device driver loader 217 218 12. NTKERN 219 220 Microsoft Corporation 221 Windows Driver Model 222 223 13. CONFIGMG 224 225 Microsoft Corporation 226 Configuration manager 227 228 14. PCI 229 4.10.2222 230 Microsoft Corporation 231 PCI Virtual Device (Version 4.0) 232 233 15. ISAPNP 234 4.10.1998 235 Microsoft Corporation 236 ISAPNP Virtual Device (Version 4.0) 237 238 16. ACPI 239 240 Microsoft Corporation 241 ? 242 243 17. VCDFSD 244 245 Microsoft Corporation 246 CD-ROM filesystem driver 247 248 18. IOS 249 250 Microsoft Corporation 251 I/O Supervisor 252 253 19. PAGEFILE 254 255 Microsoft Corporation 256 Swapfile driver 257 258 20. PAGESWAP 259 260 Microsoft Corporation 261 Swapfile manager 262 263 21. PARITY 264 265 Microsoft Corporation 266 Memory parity driver 267 268 22. REBOOT 269 270 Microsoft Corporation 271 Ctrl+Alt+Del manager 272 273 23. EBIOS 274 275 Microsoft Corporation 276 Extended BIOS driver 277 278 24. VDD 279 280 Microsoft Corporation 281 Display driver 282 283 25. VMX_SVGA 284 285 286 287 288 26. VSD 289 290 Microsoft Corporation 291 Speaker driver 292 293 27. COMBUFF 294 295 Microsoft Corporation 296 Communications buffer driver 297 298 28. VCD 299 300 Microsoft Corporation 301 Communications port driver 302 303 29. VMOUSE 304 305 Microsoft Corporation 306 Mouse driver 307 308 30. MSMINI 309 4.10.1998 310 Microsoft Corporation 311 MSMINI Virtual Device (Version 4.0) 312 313 31. ENABLE 314 315 Microsoft Corporation 316 Accessibility driver 317 318 32. VKD 319 320 Microsoft Corporation 321 Keyboard driver 322 323 33. VPD 324 325 Microsoft Corporation 326 Printer driver 327 328 34. INT13 329 330 Microsoft Corporation 331 BIOS hard disk emulation driver 332 333 35. VMCPD 334 335 Microsoft Corporation 336 Math coprocessor driver 337 338 36. BIOSXLAT 339 340 Microsoft Corporation 341 BIOS emulation driver 342 343 37. VNETBIOS 344 4.10.1998 345 Microsoft Corporation 346 VNETBIOS Virtual Device (Version 4.0) 347 348 38. NDIS 349 4.10.2222 350 Microsoft Corporation 351 NDIS Virtual Device (Version 4.0) 352 353 39. PPPMAC 354 4.10.2222 355 Microsoft Corporation 356 Windows Virtual PPP Driver 357 358 40. VTDI 359 4.10.1998 360 Microsoft Corporation 361 Windows TDI Support Driver 362 363 41. WSOCK2 364 4.10.1998 365 Microsoft Corporation 366 Windows Sockets Driver 2 TCP/IP only. 367 368 42. VIP 369 4.10.2222 370 Microsoft Corporation 371 Windows IP Driver 372 373 43. MSTCP 374 4.10.2222 375 Microsoft Corporation 376 Windows TCP Driver 377 378 44. VDHCP 379 4.10.2161 380 Microsoft Corporation 381 DHCP VxD Driver 382 383 45. VNBT 384 4.10.2148 385 Microsoft Corporation 386 VNBT VxD Driver 387 388 46. AFVXD 389 4.10.2222 390 Microsoft Corporation 391 Windows Sockets VTDI Driver 392 393 47. DOSMGR 394 395 Microsoft Corporation 396 MS-DOS emulation manager 397 398 48. VMPOLL 399 400 Microsoft Corporation 401 System idle-time driver 402 403 49. JAVASUP 404 5.00.3167 405 Microsoft Corporation 406 Microsoft® Virtual Machine Helper Device for Java 407 408 50. VCOMM 409 410 Microsoft Corporation 411 Communications port Plug and Play driver 412 413 51. VCOND 414 415 Microsoft Corporation 416 Console subsystem driver 417 418 52. VTDAPI 419 420 Microsoft Corporation 421 Multimedia timer driver 422 423 53. VFLATD 424 425 Microsoft Corporation 426 Linear aperture video driver 427 428 54. Display1 429 430 431 432 433 55. APIX 434 4.00.952 435 Microsoft Corporation 436 APIX Virtual Device (Version 4.0) 437 438 56. CDTSD 439 4.10.1998 440 Microsoft Corporation 441 CDTSD Virtual Device (Version 4.0) 442 443 57. CDVSD 444 4.10.2222 445 Microsoft Corporation 446 CDVSD Virtual Device (Version 4.0) 447 448 58. DiskTSD 449 4.10.2222 450 Microsoft Corporation 451 DiskTSD Virtual Device (Version 4.0) 452 453 59. scsi1hlp 454 4.10.1998 455 Microsoft Corporation 456 scsi1hlp Virtual Device (Version 4.0) 457 458 60. voltrack 459 4.10.1998 460 Microsoft Corporation 461 voltrack Virtual Device (Version 4.0) 462 463 61. BIGMEM 464 4.10.1998 465 Microsoft Corporation 466 BIGMEM Virtual Device (Version 4.0) 467 468 62. SPAP 469 4.10.2222 470 Microsoft Corporation 471 SPAP Virtual Device (Version 4.0) 472 473 63. HSFLOP 474 4.10.2222 475 Microsoft Corporation 476 HSFLOP Virtual Device (Version 4.0) 477 478 64. SCSIPORT 479 4.10.2222 480 Microsoft Corporation 481 SCSIPORT Virtual Device (Version 4.0) 482 483 65. ESDI_506 484 4.10.2222 485 Microsoft Corporation 486 ESDI_506 Virtual Device (Version 4.0) 487 488 66. LPTENUM 489 4.10.1998 490 Microsoft Corporation 491 LPTENUM Virtual Device (Version 4.0) 492 493 67. SERENUM 494 4.10.2222 495 Microsoft Corporation 496 SERENUM Virtual Device (Version 4.0) 497 498 68. sage 499 4.71.1016 500 Microsoft Corporation 501 sage Virtual Device (Version 4.0) 502 503 69. WSHTCP 504 4.10.1998 505 Microsoft Corporation 506 Windows Sockets TCP helper Driver 507 508 70. FIOLOG 509 4.10.1998 510 Microsoft Corporation 511 File I/O Logging VxD for Application Defrag 512 513 71. mmdevldr 514 4.10.1998 515 Microsoft Corporation 516 mmdevldr Virtual Device (Version 4.0) 517 518 72. vjoyd 519 4.05.01.1998 520 Microsoft Corporation 521 Joystick Virtual Device 522 523 73. VDMAD 524 525 Microsoft Corporation 526 Direct Memory Access controller driver 527 528 74. V86MMGR 529 530 Microsoft Corporation 531 MS-DOS memory manager 532 533 75. SPOOLER 534 535 Microsoft Corporation 536 Print spooler 537 538 76. UDF 539 540 Microsoft Corporation 541 ? 542 543 77. VFAT 544 545 Microsoft Corporation 546 FAT filesystem driver 547 548 78. VDEF 549 550 Microsoft Corporation 551 Default filesystem driver 552 553 79. CDFS 554 4.10.1998 555 Microsoft Corporation 556 CDFS Virtual Device (Version 4.0) 557 558 80. IFSMGR 559 560 Microsoft Corporation 561 File system manager 562 563 81. VFBACKUP 564 565 Microsoft Corporation 566 Floppy backup helper driver 567 568 82. SHELL 569 570 Microsoft Corporation 571 Shell device driver 572 573 83. DRWATSON 574 4.03 575 Microsoft Corporation 576 Dr. Watson for Windows 98 577 578 84. buslogic 579 5.01 580 BusLogic,Inc. 581 Multimaster Adapter Miniport Driver 582 583 85. wmidrv 584 585 586 587 588 86. cmbatt 589 590 591 592 593 87. hidvkd 594 595 596 597 598 88. compbatt 599 600 601 602 603 89. BATTC 604 605 606 607 608 90. acpi 609 610 Microsoft Corporation 611 ? 612 613 91. swenum 614 615 616 617 618 92. ks 619 620 621 622 623 93. update 624 625 626 627 628 94. wdmfs 629 630 631 632 633 *----> User-Mode Drivers <----* 634 635 Driver 636 Type 637 Path 638 ------------ 639 640 1. mmsystem.dll 641 4.03.1998 642 Microsoft Corporation 643 644 2. power.drv 645 4.10.1998 646 Microsoft Corporation 647 648 *----> MS-DOS Drivers <----* 649 650 Name 651 Type 652 ------------ 653 654 1. HIMEM 655 Device driver 656 657 2. DBLBUFF 658 Device driver 659 660 3. IFSHLP 661 Device driver 662 663 *----> 32-bit Modules <----* 664 665 Name 666 Date 667 Address 668 Path 669 --------------- 670 671 1. NSISDL.DLL 672 673 674 675 676 2. WS2_32.DLL 677 4.10.2222 678 Microsoft Corporation 679 Windows Socket 2.0 32-Bit DLL 680 681 3. WININET.DLL 682 5.00.2614.3500 683 Microsoft Corporation 684 Internet Extensions for Win32 685 686 4. WS2HELP.DLL 687 4.10.1998 688 Microsoft Corporation 689 Windows Socket 2.0 Helper for Windows 98 690 691 5. MSVCRT.DLL 692 6.00.8797.0 693 Microsoft Corporation 694 Microsoft (R) C Runtime Library 695 696 6. RICHED20.DLL 697 5.30.23.1200 698 Microsoft Corporation 699 Rich Text Edit Control, v3.0 700 701 7. HOOK.DLL 702 703 704 705 706 8. DEBIAN-SVN45063.EXE 707 708 709 710 711 9. VERSION.DLL 712 4.10.1998 713 Microsoft Corporation 714 Win32 VERSION core component 715 716 10. SHELL32.DLL 717 4.72.3612.1700 718 Microsoft Corporation 719 Windows Shell Common Dll 720 721 11. SHLWAPI.DLL 722 5.00.2614.3500 723 Microsoft Corporation 724 Shell Light-weight Utility Library 725 726 12. OLE32.DLL 727 4.71.2900 728 Microsoft Corporation 729 Microsoft OLE for Windows and Windows NT 730 731 13. COMCTL32.DLL 732 5.80 733 Microsoft Corporation 734 Common Controls Library 735 736 14. USER32.DLL 737 4.10.2222 738 Microsoft Corporation 739 Win32 USER32 core component 740 741 15. GDI32.DLL 742 4.10.1998 743 Microsoft Corporation 744 Win32 GDI core component 745 746 16. ADVAPI32.DLL 747 4.80.1675 748 Microsoft Corporation 749 Win32 ADVAPI32 core component 750 751 17. KERNEL32.DLL 752 4.10.2222 753 Microsoft Corporation 754 Win32 Kernel core component 755 756 *----> 16-bit Modules <----* 757 758 Name 759 Type 760 Path 761 ------------ 762 763 1. KERNEL 764 4.10.1998 765 Microsoft Corporation 766 767 2. SYSTEM 768 4.10.1998 769 Microsoft Corporation 770 771 3. KEYBOARD 772 4.10.2222 773 Microsoft Corporation 774 775 4. MOUSE 776 9.01.0.000 777 Microsoft Corporation 778 779 5. DISPLAY 780 build-29996 781 VMware, Inc. 782 783 6. DIBENG 784 4.10.1998 785 Microsoft Corporation 786 787 7. SOUND 788 4.10.1998 789 Microsoft Corporation 790 791 8. COMM 792 4.10.1998 793 Microsoft Corporation 794 795 9. GDI 796 4.10.2222 797 Microsoft Corporation 798 799 10. USER 800 4.10.2222 801 Microsoft Corporation 802 803 11. DDEML 804 4.10.1998 805 Microsoft Corporation 806 807 12. MSPLUS 808 4.40.500 809 Microsoft Corporation 810 811 13. MSGSRV32 812 4.10.2222 813 Microsoft Corporation 814 815 14. MMSYSTEM 816 4.03.1998 817 Microsoft Corporation 818 819 15. POWER 820 4.10.1998 821 Microsoft Corporation 822 823 16. LZEXPAND 824 4.00.429 825 Microsoft Corporation 826 827 17. VER 828 4.10.1998 829 Microsoft Corporation 830 831 18. SHELL 832 4.10.1998 833 Microsoft Corporation 834 835 19. COMMCTRL 836 4.10.1998 837 Microsoft Corporation 838 839 20. COMMDLG 840 4.00.950 841 Microsoft Corporation 842 843 21. SYSTHUNK 844 4.10.1998 845 Microsoft Corporation 846 847 22. OLECLI 848 1.20.000 849 Microsoft Corporation 850 851 23. OLESVR 852 1.10.000 853 Microsoft Corporation 854 855 24. DCIMAN 856 4.03.1998 857 Intel(R) Corp., Microsoft Corp. 858 859 25. MSVIDEO 860 4.03.1998 861 Microsoft Corporation 862 863 26. AVICAP 864 4.03.1998 865 Microsoft Corporation 866 867 27. WIN87EM 868 869 870 871 28. PIFMGR 872 4.10.2222 873 Microsoft Corporation 874 875 29. TOOLHELP 876 4.10.1998 877 Microsoft Corporation 878 879 *----> Details <----* 880 881 Command line: "D:\debian-svn45063.exe" 882 883 Trap 0e 0000 - Invalid page fault 884 eax=00000041 ebx=012b0440 ecx=00000000 edx=ffffffff esi=00000000 edi=013aed90 885 eip=6ae47ce3 esp=013aece0 ebp=013aed38 -- -- -- nv up EI NG nz AC PE CF 886 cs=0167 ss=016f ds=016f es=016f fs=2ee7 gs=0000 887 NSISDL.DLL:.text+0x6ce3: 888 >0167:6ae47ce3 833b54 cmp dword ptr [ebx],+54 889 890 sel type base lim/bot 891 ---- ---- -------- -------- 892 cs 0167 r-x- 00000000 ffbfffff 893 ss 016f rw-e 00000000 000087a0 894 ds 016f rw-e 00000000 000087a0 895 es 016f rw-e 00000000 000087a0 896 fs 2ee7 rw-- 818359d0 00000037 897 gs 0000 ---- 898 899 stack base: 011b0000 900 TIB limits: 013ad000 - 013b0000 901 902 -- exception record -- 903 904 Exception Code: c0000005 (access violation) 905 Exception Address: 6ae47ce3 (NSISDL.DLL:.text+0x6ce3) 906 Exception Info: 00000000 907 012b0440 908 909 NSISDL.DLL:.text+0x6ce3: 910 >0167:6ae47ce3 833b54 cmp dword ptr [ebx],+54 911 912 0167:6ae47ccc 8d742600 lea esi,[esi] 913 0167:6ae47cd0 01c9 add ecx,ecx 914 0167:6ae47cd2 4a dec edx 915 0167:6ae47cd3 780e js 6ae47ce3 = NSISDL.DLL:.text+0x6ce3 916 0167:6ae47cd5 807c15a841 cmp byte ptr [ebp+edx-58],41 917 0167:6ae47cda 75f4 jnz 6ae47cd0 = NSISDL.DLL:.text+0x6cd0 918 0167:6ae47cdc 09cb or ebx,ecx 919 0167:6ae47cde 01c9 add ecx,ecx 920 0167:6ae47ce0 4a dec edx 921 0167:6ae47ce1 79f2 jns 6ae47cd5 = NSISDL.DLL:.text+0x6cd5 922 NSISDL.DLL:.text+0x6ce3: 923 *0167:6ae47ce3 833b54 cmp dword ptr [ebx],+54 924 0167:6ae47ce6 7507 jnz 6ae47cef = NSISDL.DLL:.text+0x6cef 925 0167:6ae47ce8 89d8 mov eax,ebx 926 0167:6ae47cea 8b5dfc mov ebx,dword ptr [ebp-04] 927 0167:6ae47ced c9 leave 928 0167:6ae47cee c3 retd 929 0167:6ae47cef 50 push eax 930 0167:6ae47cf0 68f7000000 push 000000f7 931 0167:6ae47cf5 6844a4e46a push 6ae4a444 932 0167:6ae47cfa 68bca4e46a push 6ae4a4bc 933 0167:6ae47cff e83c0f0000 call 6ae48c40 = MSVCRT.DLL!_assert 934 935 -------------------- 936 937 938 -- stack summary -- 939 940 016f:013aed38 0167:6ae47ce3 NSISDL.DLL:.text+0x6ce3 941 (00000000,00000000,00000000,00000000, 942 00000000,00000000,00000000,00000000) 943 016f:013aedf8 0167:6ae47f59 NSISDL.DLL:.text+0x6f59 944 (00000000,00000000,00000000,818342e4, 945 00000008,818359c8,013afcb8,6ae44429) 946 016f:013aee18 0167:6ae480c9 NSISDL.DLL:.text+0x70c9 947 (013aee7c,00000000,00000000,00000000, 948 00000000,00000000,00000000,00000000) 949 016f:013afcb8 0167:6ae44429 NSISDL.DLL:.text+0x3429 950 (00000404,00000400,0042d000,0040f840, 951 0040c000,0040f850,00000000,00000000) 952 016f:013aff38 0167:00403255 DEBIAN-SVN45063.EXE:.text+0x2255 953 (00441f5c,00000402,00002af8,00000000, 954 00000000,00000000,00000000,00000000) 955 016f:013aff68 0167:00401874 DEBIAN-SVN45063.EXE:.text+0x874 956 (000000dd,00000534,013affbc,bffc05b4, 957 bff79198,ffffffff,013affcc,00440318) 958 016f:013aff98 0167:00407bd7 DEBIAN-SVN45063.EXE:.text+0x6bd7 959 (00000534,818359c8,00000008,818342e4, 960 00000007,013affa4,013aeb10,ffffffff) 961 016f:013affcc 0167:bff88f20 KERNEL32!ThreadStartup 962 963 -- stack trace -- 964 965 016f:013aed38 0167:6ae47ce3 NSISDL.DLL:.text+0x6ce3 966 (00000000,00000000,00000000,00000000, 967 00000000,00000000,00000000,00000000) 968 0167:6ae47ccc 8d742600 lea esi,[esi] 969 0167:6ae47cd0 01c9 add ecx,ecx 970 0167:6ae47cd2 4a dec edx 971 0167:6ae47cd3 780e js 6ae47ce3 = NSISDL.DLL:.text+0x6ce3 972 0167:6ae47cd5 807c15a841 cmp byte ptr [ebp+edx-58],41 973 0167:6ae47cda 75f4 jnz 6ae47cd0 = NSISDL.DLL:.text+0x6cd0 974 0167:6ae47cdc 09cb or ebx,ecx 975 0167:6ae47cde 01c9 add ecx,ecx 976 0167:6ae47ce0 4a dec edx 977 0167:6ae47ce1 79f2 jns 6ae47cd5 = NSISDL.DLL:.text+0x6cd5 978 NSISDL.DLL:.text+0x6ce3: 979 *0167:6ae47ce3 833b54 cmp dword ptr [ebx],+54 980 0167:6ae47ce6 7507 jnz 6ae47cef = NSISDL.DLL:.text+0x6cef 981 0167:6ae47ce8 89d8 mov eax,ebx 982 0167:6ae47cea 8b5dfc mov ebx,dword ptr [ebp-04] 983 0167:6ae47ced c9 leave 984 0167:6ae47cee c3 retd 985 0167:6ae47cef 50 push eax 986 0167:6ae47cf0 68f7000000 push 000000f7 987 0167:6ae47cf5 6844a4e46a push 6ae4a444 988 0167:6ae47cfa 68bca4e46a push 6ae4a4bc 989 0167:6ae47cff e83c0f0000 call 6ae48c40 = MSVCRT.DLL!_assert 990 991 -------------------- 992 993 016f:013aedf8 0167:6ae47f59 NSISDL.DLL:.text+0x6f59 994 (00000000,00000000,00000000,818342e4, 995 00000008,818359c8,013afcb8,6ae44429) 996 0167:6ae47f35 57 push edi 997 0167:6ae47f36 e8350d0000 call 6ae48c70 = KERNEL32.DLL!FindAtomA 998 0167:6ae47f3b 83c40c add esp,+0c 999 0167:6ae47f3e 25ffff0000 and eax,0000ffff 1000 0167:6ae47f43 e858fdffff call 6ae47ca0 = NSISDL.DLL:.text+0x6ca0 1001 0167:6ae47f48 83c410 add esp,+10 1002 0167:6ae47f4b 89c6 mov esi,eax 1003 0167:6ae47f4d eb0c jmp 6ae47f5b = NSISDL.DLL:.text+0x6f5b 1004 0167:6ae47f4f 25ffff0000 and eax,0000ffff 1005 0167:6ae47f54 e847fdffff call 6ae47ca0 = NSISDL.DLL:.text+0x6ca0 1006 NSISDL.DLL:.text+0x6f59: 1007 *0167:6ae47f59 89c6 mov esi,eax 1008 0167:6ae47f5b 8d4604 lea eax,[esi+04] 1009 0167:6ae47f5e 89358045e56a mov dword ptr [6ae54580],esi 1010 0167:6ae47f64 a37045e56a mov dword ptr [6ae54570],eax 1011 0167:6ae47f69 8d4608 lea eax,[esi+08] 1012 0167:6ae47f6c a39045e56a mov dword ptr [6ae54590],eax 1013 0167:6ae47f71 8d65f4 lea esp,[ebp-0c] 1014 0167:6ae47f74 5b pop ebx 1015 0167:6ae47f75 5e pop esi 1016 0167:6ae47f76 5f pop edi 1017 0167:6ae47f77 5d pop ebp 1018 1019 -------------------- 1020 1021 016f:013aee18 0167:6ae480c9 NSISDL.DLL:.text+0x70c9 1022 (013aee7c,00000000,00000000,00000000, 1023 00000000,00000000,00000000,00000000) 1024 0167:6ae480b4 8b4228 mov eax,dword ptr [edx+28] 1025 0167:6ae480b7 8907 mov dword ptr [edi],eax 1026 0167:6ae480b9 897a28 mov dword ptr [edx+28],edi 1027 0167:6ae480bc 8d65f4 lea esp,[ebp-0c] 1028 0167:6ae480bf 5b pop ebx 1029 0167:6ae480c0 5e pop esi 1030 0167:6ae480c1 5f pop edi 1031 0167:6ae480c2 5d pop ebp 1032 0167:6ae480c3 c3 retd 1033 0167:6ae480c4 e857fcffff call 6ae47d20 = NSISDL.DLL:.text+0x6d20 1034 NSISDL.DLL:.text+0x70c9: 1035 *0167:6ae480c9 8b158045e56a mov edx,dword ptr [6ae54580] 1036 0167:6ae480cf 8b422c mov eax,dword ptr [edx+2c] 1037 0167:6ae480d2 85c0 test eax,eax 1038 0167:6ae480d4 79d7 jns 6ae480ad = NSISDL.DLL:.text+0x70ad 1039 0167:6ae480d6 e825ffffff call 6ae48000 = NSISDL.DLL:.text+0x7000 1040 0167:6ae480db 8b158045e56a mov edx,dword ptr [6ae54580] 1041 0167:6ae480e1 8b722c mov esi,dword ptr [edx+2c] 1042 0167:6ae480e4 85f6 test esi,esi 1043 0167:6ae480e6 74cc jz 6ae480b4 = NSISDL.DLL:.text+0x70b4 1044 0167:6ae480e8 8b5a30 mov ebx,dword ptr [edx+30] 1045 0167:6ae480eb e8c00b0000 call 6ae48cb0 = KERNEL32.DLL!GetLastError 1046 1047 -------------------- 1048 1049 016f:013afcb8 0167:6ae44429 NSISDL.DLL:.text+0x3429 1050 (00000404,00000400,0042d000,0040f840, 1051 0040c000,0040f850,00000000,00000000) 1052 0167:6ae44407 f1 int 1 1053 0167:6ae44408 ff ?db ff 1054 0167:6ae44409 ff8d55e88910 dec dword ptr [ebp+1089e855] 1055 0167:6ae4440f ba454be46a mov edx,6ae44b45 1056 0167:6ae44414 895004 mov dword ptr [eax+04],edx 1057 0167:6ae44417 896008 mov dword ptr [eax+08],esp 1058 0167:6ae4441a 8d85c4f1ffff lea eax,[ebp-00000e3c] 1059 0167:6ae44420 83ec0c sub esp,+0c 1060 0167:6ae44423 50 push eax 1061 0167:6ae44424 e8673c0000 call 6ae48090 = NSISDL.DLL:.text+0x7090 1062 NSISDL.DLL:.text+0x3429: 1063 *0167:6ae44429 83c410 add esp,+10 1064 0167:6ae4442c c785e4f3ffff00000000 mov dword ptr [ebp-00000c1c],00000000 1065 0167:6ae44436 c785e0f3ffff30750000 mov dword ptr [ebp-00000c20],00007530 1066 0167:6ae44440 c785dcf3ffff01000000 mov dword ptr [ebp-00000c24],00000001 1067 0167:6ae4444a c785d8f3ffff00000000 mov dword ptr [ebp-00000c28],00000000 1068 0167:6ae44454 c785d4f3ffff00000000 mov dword ptr [ebp-00000c2c],00000000 1069 0167:6ae4445e 8b450c mov eax,dword ptr [ebp+0c] 1070 0167:6ae44461 a338c0e46a mov dword ptr [6ae4c038],eax 1071 0167:6ae44466 8b ?db 8b 1072 0167:6ae44467 45 inc ebp 1073 0167:6ae44468 14 ?db 14 1074 1075 -------------------- 1076 1077 016f:013aff38 0167:00403255 DEBIAN-SVN45063.EXE:.text+0x2255 1078 (00441f5c,00000402,00002af8,00000000, 1079 00000000,00000000,00000000,00000000) 1080 0167:00403230 8b459c mov eax,dword ptr [ebp-64] 1081 0167:00403233 8945a0 mov dword ptr [ebp-60],eax 1082 0167:00403236 83ec0c sub esp,+0c 1083 0167:00403239 6800c04000 push 0040c000 1084 0167:0040323e 6840f84000 push 0040f840 1085 0167:00403243 6800d04200 push 0042d000 1086 0167:00403248 6800040000 push 00000400 1087 0167:0040324d ff75dc push dword ptr [ebp-24] 1088 0167:00403250 8b45a0 mov eax,dword ptr [ebp-60] 1089 0167:00403253 ffd0 call eax 1090 DEBIAN-SVN45063.EXE:.text+0x2255: 1091 *0167:00403255 83c420 add esp,+20 1092 0167:00403258 eb13 jmp 0040326d = DEBIAN-SVN45063.EXE:.text+0x226d 1093 0167:0040325a 83ec08 sub esp,+08 1094 0167:0040325d ffb574ffffff push dword ptr [ebp-0000008c] 1095 0167:00403263 6af7 push -09 1096 0167:00403265 e8dc470000 call 00407a46 = DEBIAN-SVN45063.EXE:.text+0x6a46 1097 0167:0040326a 83c408 add esp,+08 1098 0167:0040326d 837dc800 cmp dword ptr [ebp-38],+00 1099 0167:00403271 752f jnz 004032a2 = DEBIAN-SVN45063.EXE:.text+0x22a2 1100 0167:00403273 83ec0c sub esp,+0c 1101 0167:00403276 ffb56cffffff push dword ptr [ebp-00000094] 1102 1103 -------------------- 1104 1105 016f:013aff68 0167:00401874 DEBIAN-SVN45063.EXE:.text+0x874 1106 (000000dd,00000534,013affbc,bffc05b4, 1107 bff79198,ffffffff,013affcc,00440318) 1108 0167:00401853 e9e4000000 jmp 0040193c = DEBIAN-SVN45063.EXE:.text+0x93c 1109 0167:00401858 83ec0c sub esp,+0c 1110 0167:0040185b 8b5508 mov edx,dword ptr [ebp+08] 1111 0167:0040185e 89d0 mov eax,edx 1112 0167:00401860 c1e003 shl eax,03 1113 0167:00401863 29d0 sub eax,edx 1114 0167:00401865 c1e002 shl eax,02 1115 0167:00401868 0305a0944200 add eax,dword ptr [004294a0] 1116 0167:0040186e 50 push eax 1117 0167:0040186f e8e6020000 call 00401b5a = DEBIAN-SVN45063.EXE:.text+0xb5a 1118 DEBIAN-SVN45063.EXE:.text+0x874: 1119 *0167:00401874 83c40c add esp,+0c 1120 0167:00401877 8945fc mov dword ptr [ebp-04],eax 1121 0167:0040187a 817dfcffffff7f cmp dword ptr [ebp-04],7fffffff 1122 0167:00401881 750c jnz 0040188f = DEBIAN-SVN45063.EXE:.text+0x88f 1123 0167:00401883 c745f4ffffff7f mov dword ptr [ebp-0c],7fffffff 1124 0167:0040188a e9ad000000 jmp 0040193c = DEBIAN-SVN45063.EXE:.text+0x93c 1125 0167:0040188f 8b45fc mov eax,dword ptr [ebp-04] 1126 0167:00401892 8945f0 mov dword ptr [ebp-10],eax 1127 0167:00401895 837dfc00 cmp dword ptr [ebp-04],+00 1128 0167:00401899 791d jns 004018b8 = DEBIAN-SVN45063.EXE:.text+0x8b8 1129 0167:0040189b 83ec0c sub esp,+0c 1130 1131 -------------------- 1132 1133 016f:013aff98 0167:00407bd7 DEBIAN-SVN45063.EXE:.text+0x6bd7 1134 (00000534,818359c8,00000008,818342e4, 1135 00000007,013affa4,013aeb10,ffffffff) 1136 0167:00407bb9 8b45f4 mov eax,dword ptr [ebp-0c] 1137 0167:00407bbc 8b4008 mov eax,dword ptr [eax+08] 1138 0167:00407bbf 83e001 and eax,+01 1139 0167:00407bc2 85c0 test eax,eax 1140 0167:00407bc4 7420 jz 00407be6 = DEBIAN-SVN45063.EXE:.text+0x6be6 1141 0167:00407bc6 83ec08 sub esp,+08 1142 0167:00407bc9 ff75f8 push dword ptr [ebp-08] 1143 0167:00407bcc 8b45f4 mov eax,dword ptr [ebp-0c] 1144 0167:00407bcf ff700c push dword ptr [eax+0c] 1145 0167:00407bd2 e8499cffff call 00401820 = DEBIAN-SVN45063.EXE:.text+0x820 1146 DEBIAN-SVN45063.EXE:.text+0x6bd7: 1147 *0167:00407bd7 83c408 add esp,+08 1148 0167:00407bda 85c0 test eax,eax 1149 0167:00407bdc 7408 jz 00407be6 = DEBIAN-SVN45063.EXE:.text+0x6be6 1150 0167:00407bde ff053c944200 inc dword ptr [0042943c] 1151 0167:00407be4 eb0b jmp 00407bf1 = DEBIAN-SVN45063.EXE:.text+0x6bf1 1152 0167:00407be6 8d45f4 lea eax,[ebp-0c] 1153 0167:00407be9 810018040000 add dword ptr [eax],00000418 1154 0167:00407bef ebbd jmp 00407bae = DEBIAN-SVN45063.EXE:.text+0x6bae 1155 0167:00407bf1 83ec0c sub esp,+0c 1156 0167:00407bf4 6804040000 push 00000404 1157 0167:00407bf9 e8eddaffff call 004056eb = DEBIAN-SVN45063.EXE:.text+0x46eb 1158 1159 -------------------- 1160 1161 016f:013affcc 0167:bff88f20 KERNEL32!ThreadStartup 1162 1163 -- stack dump -- 1164 1165 013aece0 61616161 1166 013aece4 41616161 1167 013aece8 61416161 1168 013aecec 41416141 1169 013aecf0 61616161 1170 013aecf4 61614161 1171 ... 1172 013aecfc 61616161 1173 013aed00 42494c2d 1174 013aed04 57434347 1175 013aed08 452d3233 1176 013aed0c 2d332d48 1177 013aed10 4a4c4a53 1178 013aed14 4854472d 1179 013aed18 494d2d52 1180 013aed1c 3357474e 1181 013aed20 00000032 1182 013aed24 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 1183 013aed28 013aedf8 -> 18 ee 3a 01 c9 80 e4 6a 00 00 00 00 00 00 00 00 ..:....j........ 1184 013aed2c 6ae47dcc = NSISDL.DLL:.text+0x6dcc 1185 1186 -------------------- 1187 1188 0167:6ae47d9b 41 inc ecx 1189 0167:6ae47d9c c745a441414141 mov dword ptr [ebp-5c],41414141 1190 0167:6ae47da3 c745a841414141 mov dword ptr [ebp-58],41414141 1191 0167:6ae47daa c745ac41414141 mov dword ptr [ebp-54],41414141 1192 0167:6ae47db1 c745b041414141 mov dword ptr [ebp-50],41414141 1193 0167:6ae47db8 c745b441414141 mov dword ptr [ebp-4c],41414141 1194 0167:6ae47dbf 668945d8 mov word ptr [ebp-28],ax 1195 0167:6ae47dc3 8d7d98 lea edi,[ebp-68] 1196 0167:6ae47dc6 57 push edi 1197 0167:6ae47dc7 e8a40e0000 call 6ae48c70 = KERNEL32.DLL!FindAtomA 1198 NSISDL.DLL:.text+0x6dcc: 1199 *0167:6ae47dcc 83c40c add esp,+0c 1200 0167:6ae47dcf 6685c0 test ax,ax 1201 0167:6ae47dd2 0f8577010000 jnz 6ae47f4f = NSISDL.DLL:.text+0x6f4f 1202 0167:6ae47dd8 83ec0c sub esp,+0c 1203 0167:6ae47ddb 6a54 push +54 1204 0167:6ae47ddd e80e0e0000 call 6ae48bf0 = MSVCRT.DLL!malloc 1205 0167:6ae47de2 83c410 add esp,+10 1206 0167:6ae47de5 89c6 mov esi,eax 1207 0167:6ae47de7 85c0 test eax,eax 1208 0167:6ae47de9 0f84a1010000 jz 6ae47f90 = NSISDL.DLL:.text+0x6f90 1209 0167:6ae47def 53 push ebx 1210 1211 -------------------- 1212 1213 1214 013aed30 80006dd8 -> 01 00 00 00 fc f3 00 bf 40 0e 00 00 00 00 0f 00 ........@....... 1215 013aed34 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 1216 013aed38 013aedf8 -> 18 ee 3a 01 c9 80 e4 6a 00 00 00 00 00 00 00 00 ..:....j........ 1217 013aed3c 6ae47f59 = NSISDL.DLL:.text+0x6f59 1218 1219 -------------------- 1220 1221 0167:6ae47f35 57 push edi 1222 0167:6ae47f36 e8350d0000 call 6ae48c70 = KERNEL32.DLL!FindAtomA 1223 0167:6ae47f3b 83c40c add esp,+0c 1224 0167:6ae47f3e 25ffff0000 and eax,0000ffff 1225 0167:6ae47f43 e858fdffff call 6ae47ca0 = NSISDL.DLL:.text+0x6ca0 1226 0167:6ae47f48 83c410 add esp,+10 1227 0167:6ae47f4b 89c6 mov esi,eax 1228 0167:6ae47f4d eb0c jmp 6ae47f5b = NSISDL.DLL:.text+0x6f5b 1229 0167:6ae47f4f 25ffff0000 and eax,0000ffff 1230 0167:6ae47f54 e847fdffff call 6ae47ca0 = NSISDL.DLL:.text+0x6ca0 1231 NSISDL.DLL:.text+0x6f59: 1232 *0167:6ae47f59 89c6 mov esi,eax 1233 0167:6ae47f5b 8d4604 lea eax,[esi+04] 1234 0167:6ae47f5e 89358045e56a mov dword ptr [6ae54580],esi 1235 0167:6ae47f64 a37045e56a mov dword ptr [6ae54570],eax 1236 0167:6ae47f69 8d4608 lea eax,[esi+08] 1237 0167:6ae47f6c a39045e56a mov dword ptr [6ae54590],eax 1238 0167:6ae47f71 8d65f4 lea esp,[ebp-0c] 1239 0167:6ae47f74 5b pop ebx 1240 0167:6ae47f75 5e pop esi 1241 0167:6ae47f76 5f pop edi 1242 0167:6ae47f77 5d pop ebp 1243 1244 -------------------- 1245 1246 1247 013aed40 00000000 1248 ... 1249 013aed90 41414141 1250 ... 1251 013aedb0 42494c2d 1252 013aedb4 57434347 1253 013aedb8 452d3233 1254 013aedbc 2d332d48 1255 013aedc0 4a4c4a53 1256 013aedc4 4854472d 1257 013aedc8 494d2d52 1258 013aedcc 3357474e 1259 013aedd0 00000032 1260 013aedd4 00000000 1261 ... 1262 013aedec 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 1263 013aedf0 00000008 1264 013aedf4 013aee7c -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1265 013aedf8 013aee18 -> b8 fc 3a 01 29 44 e4 6a 7c ee 3a 01 00 00 00 00 ..:.)D.j|.:..... 1266 013aedfc 6ae480c9 = NSISDL.DLL:.text+0x70c9 1267 1268 -------------------- 1269 1270 0167:6ae480b4 8b4228 mov eax,dword ptr [edx+28] 1271 0167:6ae480b7 8907 mov dword ptr [edi],eax 1272 0167:6ae480b9 897a28 mov dword ptr [edx+28],edi 1273 0167:6ae480bc 8d65f4 lea esp,[ebp-0c] 1274 0167:6ae480bf 5b pop ebx 1275 0167:6ae480c0 5e pop esi 1276 0167:6ae480c1 5f pop edi 1277 0167:6ae480c2 5d pop ebp 1278 0167:6ae480c3 c3 retd 1279 0167:6ae480c4 e857fcffff call 6ae47d20 = NSISDL.DLL:.text+0x6d20 1280 NSISDL.DLL:.text+0x70c9: 1281 *0167:6ae480c9 8b158045e56a mov edx,dword ptr [6ae54580] 1282 0167:6ae480cf 8b422c mov eax,dword ptr [edx+2c] 1283 0167:6ae480d2 85c0 test eax,eax 1284 0167:6ae480d4 79d7 jns 6ae480ad = NSISDL.DLL:.text+0x70ad 1285 0167:6ae480d6 e825ffffff call 6ae48000 = NSISDL.DLL:.text+0x7000 1286 0167:6ae480db 8b158045e56a mov edx,dword ptr [6ae54580] 1287 0167:6ae480e1 8b722c mov esi,dword ptr [edx+2c] 1288 0167:6ae480e4 85f6 test esi,esi 1289 0167:6ae480e6 74cc jz 6ae480b4 = NSISDL.DLL:.text+0x70b4 1290 0167:6ae480e8 8b5a30 mov ebx,dword ptr [edx+30] 1291 0167:6ae480eb e8c00b0000 call 6ae48cb0 = KERNEL32.DLL!GetLastError 1292 1293 -------------------- 1294 1295 1296 013aee00 00000000 1297 ... 1298 013aee0c 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 1299 013aee10 00000008 1300 013aee14 818359c8 -> 07 00 00 00 d0 46 4f c1 d8 ea 3a 01 00 00 3b 01 .....FO...:...;. 1301 013aee18 013afcb8 -> 38 ff 3a 01 55 32 40 00 04 04 00 00 00 04 00 00 8.:.U2@......... 1302 013aee1c 6ae44429 = NSISDL.DLL:.text+0x3429 1303 1304 -------------------- 1305 1306 0167:6ae44407 f1 int 1 1307 0167:6ae44408 ff ?db ff 1308 0167:6ae44409 ff8d55e88910 dec dword ptr [ebp+1089e855] 1309 0167:6ae4440f ba454be46a mov edx,6ae44b45 1310 0167:6ae44414 895004 mov dword ptr [eax+04],edx 1311 0167:6ae44417 896008 mov dword ptr [eax+08],esp 1312 0167:6ae4441a 8d85c4f1ffff lea eax,[ebp-00000e3c] 1313 0167:6ae44420 83ec0c sub esp,+0c 1314 0167:6ae44423 50 push eax 1315 0167:6ae44424 e8673c0000 call 6ae48090 = NSISDL.DLL:.text+0x7090 1316 NSISDL.DLL:.text+0x3429: 1317 *0167:6ae44429 83c410 add esp,+10 1318 0167:6ae4442c c785e4f3ffff00000000 mov dword ptr [ebp-00000c1c],00000000 1319 0167:6ae44436 c785e0f3ffff30750000 mov dword ptr [ebp-00000c20],00007530 1320 0167:6ae44440 c785dcf3ffff01000000 mov dword ptr [ebp-00000c24],00000001 1321 0167:6ae4444a c785d8f3ffff00000000 mov dword ptr [ebp-00000c28],00000000 1322 0167:6ae44454 c785d4f3ffff00000000 mov dword ptr [ebp-00000c2c],00000000 1323 0167:6ae4445e 8b450c mov eax,dword ptr [ebp+0c] 1324 0167:6ae44461 a338c0e46a mov dword ptr [6ae4c038],eax 1325 0167:6ae44466 8b ?db 8b 1326 0167:6ae44467 45 inc ebp 1327 0167:6ae44468 14 ?db 14 1328 1329 -------------------- 1330 1331 1332 013aee20 013aee7c -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1333 013aee24 00000000 1334 ... 1335 013aee94 6ae45bb0 = NSISDL.DLL:.text+0x4bb0 1336 -> 55 89 e5 57 56 53 81 ec ac 00 00 00 8d 45 e8 89 U..WVS.......E.. 1337 013aee98 6ae48e54 = NSISDL.DLL:.text+0x7e54 1338 -> ff ff 01 02 00 00 00 00 ff 00 0d 01 04 00 00 01 ................ 1339 013aee9c 013afca0 -> 0b 94 f9 bf 00 50 e5 6a 00 00 00 00 e4 42 83 81 .....P.j.....B.. 1340 013aeea0 6ae44b45 = NSISDL.DLL:.text+0x3b45 1341 -> 8d 6d 18 8b 95 cc f1 ff ff 89 95 b0 f1 ff ff 8b .m.............. 1342 013aeea4 013aee30 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1343 013aeea8 00000000 1344 ... 1345 013af428 81d164d4 -> 09 04 00 00 e4 04 00 00 00 00 00 00 ce 93 d2 81 ................ 1346 013af42c 00000200 1347 013af430 00000000 1348 013af434 013af840 -> 00 00 00 00 20 9b c0 70 c4 00 00 00 f0 f8 3a 01 .... ..p......:. 1349 013af438 00000000 1350 ... 1351 013af440 00000100 1352 013af444 013afa40 -> 67 a5 f7 bf 00 b0 80 81 40 00 00 00 00 00 00 00 g.......@....... 1353 013af448 000164d4 1354 013af44c 013af480 -> d8 f4 3a 01 44 ee 00 78 00 00 00 00 00 02 00 00 ..:.D..x........ 1355 013af450 bff7bd5f = KERNEL32.DLL:.text+0x2d5f 1356 1357 -------------------- 1358 1359 0167:bff7bd44 eb2b jmp bff7bd71 = KERNEL32.DLL:.text+0x2d71 1360 0167:bff7bd46 bf01000000 mov edi,00000001 1361 0167:bff7bd4b ff75fc push dword ptr [ebp-04] 1362 0167:bff7bd4e 57 push edi 1363 0167:bff7bd4f ff751c push dword ptr [ebp+1c] 1364 0167:bff7bd52 ff7518 push dword ptr [ebp+18] 1365 0167:bff7bd55 50 push eax 1366 0167:bff7bd56 ff7510 push dword ptr [ebp+10] 1367 0167:bff7bd59 56 push esi 1368 0167:bff7bd5a e81b000000 call bff7bd7a = KERNEL32.DLL:.text+0x2d7a 1369 KERNEL32.DLL:.text+0x2d5f: 1370 *0167:bff7bd5f eb10 jmp bff7bd71 = KERNEL32.DLL:.text+0x2d71 1371 0167:bff7bd61 68ec030000 push 000003ec 1372 0167:bff7bd66 eb02 jmp bff7bd6a = KERNEL32.DLL:.text+0x2d6a 1373 0167:bff7bd68 6a57 push +57 1374 0167:bff7bd6a e863420000 call bff7ffd2 = KERNEL32.DLL!SetLastError 1375 0167:bff7bd6f 33c0 xor eax,eax 1376 0167:bff7bd71 5f pop edi 1377 0167:bff7bd72 5e pop esi 1378 0167:bff7bd73 5b pop ebx 1379 0167:bff7bd74 8be5 mov esp,ebp 1380 0167:bff7bd76 5d pop ebp 1381 1382 -------------------- 1383 1384 1385 013af454 81d164d4 -> 09 04 00 00 e4 04 00 00 00 00 00 00 ce 93 d2 81 ................ 1386 013af458 013af940 -> 00 00 00 76 00 00 00 00 77 69 6e 69 6e 65 74 2e ...v....wininet. 1387 013af45c 00000100 1388 013af460 013af740 -> 58 5f 83 81 6c 5f 83 81 f0 31 4f c1 0c 0d 0e 0f X_..l_...1O..... 1389 013af464 00000100 1390 013af468 00000000 1391 ... 1392 013af474 00000100 1393 013af478 000004e4 1394 013af47c 00000000 1395 013af480 013af4d8 -> 54 fa 3a 01 67 42 00 78 00 00 00 00 00 02 00 00 T.:.gB.x........ 1396 013af484 7800ee44 = MSVCRT.DLL:.text+0xde44 1397 1398 -------------------- 1399 1400 0167:7800ee1b 747d jz 7800ee9a = MSVCRT.DLL:.text+0xde9a 1401 0167:7800ee1d c705e0ab037802000000 mov dword ptr [7803abe0],00000002 1402 0167:7800ee27 e9e254ffff jmp 7800430e = MSVCRT.DLL:.text+0x330e 1403 0167:7800ee2c ff751c push dword ptr [ebp+1c] 1404 0167:7800ee2f ff7518 push dword ptr [ebp+18] 1405 0167:7800ee32 ff7514 push dword ptr [ebp+14] 1406 0167:7800ee35 ff7510 push dword ptr [ebp+10] 1407 0167:7800ee38 ff750c push dword ptr [ebp+0c] 1408 0167:7800ee3b ff7508 push dword ptr [ebp+08] 1409 0167:7800ee3e ff1500110378 call dword ptr [78031100] -> KERNEL32.DLL!LCMapStringA 1410 MSVCRT.DLL:.text+0xde44: 1411 *0167:7800ee44 e90056ffff jmp 78004449 = MSVCRT.DLL:.text+0x3449 1412 0167:7800ee49 a154a10378 mov eax,dword ptr [7803a154] 1413 0167:7800ee4e 894520 mov dword ptr [ebp+20],eax 1414 0167:7800ee51 e9ed54ffff jmp 78004343 = MSVCRT.DLL:.text+0x3343 1415 0167:7800ee56 6a01 push +01 1416 0167:7800ee58 58 pop eax 1417 0167:7800ee59 c3 retd 1418 0167:7800ee5a 8b65e8 mov esp,dword ptr [ebp-18] 1419 0167:7800ee5d 33ff xor edi,edi 1420 0167:7800ee5f 897ddc mov dword ptr [ebp-24],edi 1421 0167:7800ee62 834dfcff or dword ptr [ebp-04],-01 1422 1423 -------------------- 1424 1425 1426 013af488 00000000 1427 013af48c 00000200 1428 013af490 013af940 -> 00 00 00 76 00 00 00 00 77 69 6e 69 6e 65 74 2e ...v....wininet. 1429 013af494 00000100 1430 013af498 013af740 -> 58 5f 83 81 6c 5f 83 81 f0 31 4f c1 0c 0d 0e 0f X_..l_...1O..... 1431 013af49c 00000100 1432 013af4a0 7803a9bc = MSVCRT.DLL:.data+0x29bc 1433 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1434 013af4a4 00000100 1435 013af4a8 000004e4 1436 013af4ac 00000100 1437 013af4b0 013af940 -> 00 00 00 76 00 00 00 00 77 69 6e 69 6e 65 74 2e ...v....wininet. 1438 013af4b4 00000100 1439 013af4b8 013af840 -> 00 00 00 00 20 9b c0 70 c4 00 00 00 f0 f8 3a 01 .... ..p......:. 1440 013af4bc 00000100 1441 013af4c0 013af4a0 -> bc a9 03 78 00 01 00 00 e4 04 00 00 00 01 00 00 ...x............ 1442 013af4c4 00000100 1443 013af4c8 013afc4c -> 01 00 00 00 b4 05 fc bf 0c 5a 83 81 00 00 00 00 .........Z...... 1444 013af4cc 7800e9bc = MSVCRT.DLL!_except_handler3 1445 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 1446 013af4d0 780313c8 = MSVCRT.DLL:.rdata+0x3c8 1447 -> ff ff ff ff 56 ee 00 78 5a ee 00 78 ff ff ff ff ....V..xZ..x.... 1448 013af4d4 ffffffff 1449 013af4d8 013afa54 -> 00 fc 82 81 84 fa 3a 01 cc 2a f9 bf f0 6e 83 81 ......:..*...n.. 1450 013af4dc 78004267 = MSVCRT.DLL:.text+0x3267 1451 1452 -------------------- 1453 1454 0167:78004241 8d85ecfcffff lea eax,[ebp-00000314] 1455 0167:78004247 ff35a8a90378 push dword ptr [7803a9a8] 1456 0167:7800424d 56 push esi 1457 0167:7800424e 50 push eax 1458 0167:7800424f 8d85ecfeffff lea eax,[ebp-00000114] 1459 0167:78004255 56 push esi 1460 0167:78004256 50 push eax 1461 0167:78004257 6800020000 push 00000200 1462 0167:7800425c ff35c4aa0378 push dword ptr [7803aac4] 1463 0167:78004262 e851000000 call 780042b8 = MSVCRT.DLL!__crtLCMapStringA 1464 MSVCRT.DLL:.text+0x3267: 1465 *0167:78004267 83c45c add esp,+5c 1466 0167:7800426a 33c0 xor eax,eax 1467 0167:7800426c 8d8decfaffff lea ecx,[ebp-00000514] 1468 0167:78004272 eb2b jmp 7800429f = MSVCRT.DLL:.text+0x329f 1469 0167:78004274 8088c1a9037810 or byte ptr [eax+7803a9c1],10 1470 0167:7800427b 8a9405ecfdffff mov dl,byte ptr [ebp+eax-00000214] 1471 0167:78004282 eb0e jmp 78004292 = MSVCRT.DLL:.text+0x3292 1472 0167:78004284 8088c1a9037820 or byte ptr [eax+7803a9c1],20 1473 0167:7800428b 8a9405ecfcffff mov dl,byte ptr [ebp+eax-00000314] 1474 0167:78004292 8890e0aa0378 mov byte ptr [eax+7803aae0],dl 1475 0167:78004298 40 inc eax 1476 1477 -------------------- 1478 1479 1480 013af4e0 00000000 1481 013af4e4 00000200 1482 013af4e8 013af940 -> 00 00 00 76 00 00 00 00 77 69 6e 69 6e 65 74 2e ...v....wininet. 1483 013af4ec 00000100 1484 013af4f0 013af740 -> 58 5f 83 81 6c 5f 83 81 f0 31 4f c1 0c 0d 0e 0f X_..l_...1O..... 1485 013af4f4 00000100 1486 013af4f8 000004e4 1487 013af4fc 00000000 1488 ... 1489 013af504 00000100 1490 013af508 013af940 -> 00 00 00 76 00 00 00 00 77 69 6e 69 6e 65 74 2e ...v....wininet. 1491 013af50c 00000100 1492 013af510 013af840 -> 00 00 00 00 20 9b c0 70 c4 00 00 00 f0 f8 3a 01 .... ..p......:. 1493 013af514 00000100 1494 013af518 000004e4 1495 013af51c 00000000 1496 013af520 00000001 1497 013af524 013af940 -> 00 00 00 76 00 00 00 00 77 69 6e 69 6e 65 74 2e ...v....wininet. 1498 013af528 00000100 1499 013af52c 013af540 -> 48 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 H. . . . . . . . 1500 013af530 000004e4 1501 013af534 00000000 1502 ... 1503 013af53c 00000001 1504 013af540 00200048 1505 013af544 00200020 1506 ... 1507 013af550 00680020 1508 013af554 00280028 1509 ... 1510 013af55c 00200020 1511 ... 1512 013af580 00100048 1513 013af584 7629de2d = WININET.DLL!InternetSetOptionW 1514 -> 55 8b ec 51 51 8b 45 0c 53 56 57 33 db 33 ff 33 U..QQ.E.SVW3.3.3 1515 013af588 000000fa 1516 013af58c 013af7e0 -> 00 00 06 60 e2 13 f7 bf 81 62 07 00 6c f8 3a 01 ...`.....b..l.:. 1517 013af590 00000011 1518 013af594 00000000 1519 013af598 bff86b28 = KERNEL32.DLL:.text+0xdb28 1520 1521 -------------------- 1522 1523 0167:bff86b0b 50 push eax 1524 0167:bff86b0c e8cda6feff call bff711de = KERNEL32.DLL:_FREQASM+0x1de 1525 0167:bff86b11 eb0a jmp bff86b1d = KERNEL32.DLL:.text+0xdb1d 1526 0167:bff86b13 8b45f8 mov eax,dword ptr [ebp-08] 1527 0167:bff86b16 3818 cmp byte ptr [eax],bl 1528 0167:bff86b18 7503 jnz bff86b1d = KERNEL32.DLL:.text+0xdb1d 1529 0167:bff86b1a 8858ff mov byte ptr [eax-01],bl 1530 0167:bff86b1d a1109dfcbf mov eax,dword ptr [bffc9d10] 1531 0167:bff86b22 50 push eax 1532 0167:bff86b23 e88cd6feff call bff741b4 = KERNEL32.DLL!97 1533 KERNEL32.DLL:.text+0xdb28: 1534 *0167:bff86b28 8d85ecfeffff lea eax,[ebp-00000114] 1535 0167:bff86b2e 50 push eax 1536 0167:bff86b2f e87d74ffff call bff7dfb1 = KERNEL32.DLL:.text+0x4fb1 1537 0167:bff86b34 50 push eax 1538 0167:bff86b35 e8f16effff call bff7da2b = KERNEL32.DLL:.text+0x4a2b 1539 0167:bff86b3a 8bf0 mov esi,eax 1540 0167:bff86b3c a1109dfcbf mov eax,dword ptr [bffc9d10] 1541 0167:bff86b41 50 push eax 1542 0167:bff86b42 e8a6d6feff call bff741ed = KERNEL32.DLL!98 1543 0167:bff86b47 85f6 test esi,esi 1544 0167:bff86b49 7507 jnz bff86b52 = KERNEL32.DLL:.text+0xdb52 1545 1546 -------------------- 1547 1548 1549 013af59c 013af6e0 -> bf ed 29 76 d4 f0 2d 76 01 00 00 00 01 00 00 00 ..)v..-v........ 1550 013af5a0 bff7dfbf = KERNEL32.DLL:.text+0x4fbf 1551 1552 -------------------- 1553 1554 0167:bff7dfab 85c0 test eax,eax 1555 0167:bff7dfad 75f4 jnz bff7dfa3 = KERNEL32.DLL:.text+0x4fa3 1556 0167:bff7dfaf ebb1 jmp bff7df62 = KERNEL32.DLL:.text+0x4f62 1557 0167:bff7dfb1 53 push ebx 1558 0167:bff7dfb2 56 push esi 1559 0167:bff7dfb3 8b5c240c mov ebx,dword ptr [esp+0c] 1560 0167:bff7dfb7 57 push edi 1561 0167:bff7dfb8 55 push ebp 1562 0167:bff7dfb9 53 push ebx 1563 0167:bff7dfba e8b131ffff call bff71170 = KERNEL32.DLL:_FREQASM+0x170 1564 KERNEL32.DLL:.text+0x4fbf: 1565 *0167:bff7dfbf 8bd0 mov edx,eax 1566 0167:bff7dfc1 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 1567 0167:bff7dfc6 8b08 mov ecx,dword ptr [eax] 1568 0167:bff7dfc8 8b414c mov eax,dword ptr [ecx+4c] 1569 0167:bff7dfcb 85c0 test eax,eax 1570 0167:bff7dfcd 0f8493000000 jz bff7e066 = KERNEL32.DLL:.text+0x5066 1571 0167:bff7dfd3 8b35249cfcbf mov esi,dword ptr [bffc9c24] 1572 0167:bff7dfd9 0fbf4810 movsx ecx,word ptr [eax+10] 1573 0167:bff7dfdd 8b2c8e mov ebp,dword ptr [esi+ecx*4] 1574 0167:bff7dfe0 0fb74d16 movzx ecx,word ptr [ebp+16] 1575 0167:bff7dfe4 3bca cmp ecx,edx 1576 1577 -------------------- 1578 1579 1580 013af5a4 013af5cc -> 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 01 01 01 KERNEL32.DLL.... 1581 013af5a8 013af6e0 -> bf ed 29 76 d4 f0 2d 76 01 00 00 00 01 00 00 00 ..)v..-v........ 1582 013af5ac 00000000 1583 013af5b0 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 1584 1585 -------------------- 1586 1587 0167:bff741dd 51 push ecx 1588 0167:bff741de 52 push edx 1589 0167:bff741df 681d002a00 push 002a001d 1590 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 1591 0167:bff741e9 59 pop ecx 1592 0167:bff741ea 5a pop edx 1593 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 1594 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 1595 0167:bff741f1 50 push eax 1596 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 1597 KERNEL32.DLL:_FREQASM+0x31f7: 1598 *0167:bff741f7 58 pop eax 1599 0167:bff741f8 c20400 retd 0004 1600 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 1601 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 1602 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 1603 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 1604 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 1605 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 1606 0167:bff74212 ff4a04 dec dword ptr [edx+04] 1607 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 1608 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 1609 1610 -------------------- 1611 1612 1613 013af5b4 bffc9490 = KERNEL32.DLL:.data+0x490 1614 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1615 013af5b8 bff86b47 = KERNEL32.DLL:.text+0xdb47 1616 1617 -------------------- 1618 1619 0167:bff86b23 e88cd6feff call bff741b4 = KERNEL32.DLL!97 1620 0167:bff86b28 8d85ecfeffff lea eax,[ebp-00000114] 1621 0167:bff86b2e 50 push eax 1622 0167:bff86b2f e87d74ffff call bff7dfb1 = KERNEL32.DLL:.text+0x4fb1 1623 0167:bff86b34 50 push eax 1624 0167:bff86b35 e8f16effff call bff7da2b = KERNEL32.DLL:.text+0x4a2b 1625 0167:bff86b3a 8bf0 mov esi,eax 1626 0167:bff86b3c a1109dfcbf mov eax,dword ptr [bffc9d10] 1627 0167:bff86b41 50 push eax 1628 0167:bff86b42 e8a6d6feff call bff741ed = KERNEL32.DLL!98 1629 KERNEL32.DLL:.text+0xdb47: 1630 *0167:bff86b47 85f6 test esi,esi 1631 0167:bff86b49 7507 jnz bff86b52 = KERNEL32.DLL:.text+0xdb52 1632 0167:bff86b4b 6a7e push +7e 1633 0167:bff86b4d e84e5effff call bff7c9a0 = KERNEL32.DLL:.text+0x39a0 1634 0167:bff86b52 85ff test edi,edi 1635 0167:bff86b54 7416 jz bff86b6c = KERNEL32.DLL:.text+0xdb6c 1636 0167:bff86b56 53 push ebx 1637 0167:bff86b57 ff75fc push dword ptr [ebp-04] 1638 0167:bff86b5a e8a16c0100 call bff9d800 = KERNEL32.DLL:.text+0x24800 1639 0167:bff86b5f a1e09cfcbf mov eax,dword ptr [bffc9ce0] 1640 0167:bff86b64 8b08 mov ecx,dword ptr [eax] 1641 1642 -------------------- 1643 1644 1645 013af5bc bffc9490 = KERNEL32.DLL:.data+0x490 1646 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 1647 013af5c0 00000001 1648 013af5c4 bff842b1 = KERNEL32.DLL!InitializeCriticalSection 1649 1650 -------------------- 1651 1652 0167:bff84297 75e8 jnz bff84281 = KERNEL32.DLL:.text+0xb281 1653 0167:bff84299 b801000000 mov eax,00000001 1654 0167:bff8429e c60700 mov byte ptr [edi],00 1655 0167:bff842a1 eb09 jmp bff842ac = KERNEL32.DLL:.text+0xb2ac 1656 0167:bff842a3 6a57 push +57 1657 0167:bff842a5 e828bdffff call bff7ffd2 = KERNEL32.DLL!SetLastError 1658 0167:bff842aa 33c0 xor eax,eax 1659 0167:bff842ac 5f pop edi 1660 0167:bff842ad 5e pop esi 1661 0167:bff842ae c20800 retd 0008 1662 KERNEL32.DLL!InitializeCriticalSection: 1663 *0167:bff842b1 55 push ebp 1664 0167:bff842b2 8bec mov ebp,esp 1665 0167:bff842b4 56 push esi 1666 0167:bff842b5 8b4508 mov eax,dword ptr [ebp+08] 1667 0167:bff842b8 8b10 mov edx,dword ptr [eax] 1668 0167:bff842ba 8910 mov dword ptr [eax],edx 1669 0167:bff842bc a1109dfcbf mov eax,dword ptr [bffc9d10] 1670 0167:bff842c1 50 push eax 1671 0167:bff842c2 e8edfefeff call bff741b4 = KERNEL32.DLL!97 1672 0167:bff842c7 ff7508 push dword ptr [ebp+08] 1673 0167:bff842ca e892d0ffff call bff81361 = KERNEL32.DLL:.text+0x8361 1674 1675 -------------------- 1676 1677 1678 013af5c8 00000000 1679 013af5cc 4e52454b 1680 013af5d0 32334c45 1681 013af5d4 4c4c442e 1682 013af5d8 01010100 1683 013af5dc 01010101 1684 ... 1685 013af5f4 00100101 1686 013af5f8 00100010 1687 ... 1688 013af600 01820010 1689 013af604 01820182 1690 ... 1691 013af60c bff713ee = KERNEL32.DLL:_FREQASM+0x3ee 1692 1693 -------------------- 1694 1695 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 1696 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1697 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1698 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1699 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1700 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 1701 0167:bff713d8 8f0424 pop dword ptr [esp] 1702 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1703 0167:bff713e2 b801000100 mov eax,00010001 1704 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1705 KERNEL32.DLL:_FREQASM+0x3ee: 1706 *0167:bff713ee b843002a00 mov eax,002a0043 1707 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1708 0167:bff713fa 83c414 add esp,+14 1709 0167:bff713fd 0fb7c8 movzx ecx,ax 1710 0167:bff71400 0fa4d310 shld ebx,edx,10 1711 0167:bff71404 c0e302 shl bl,02 1712 0167:bff71407 6681ea0010 sub dx,1000 1713 0167:bff7140c 0fbfc2 movsx eax,dx 1714 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 1715 0167:bff71414 55 push ebp 1716 0167:bff71415 53 push ebx 1717 1718 -------------------- 1719 1720 1721 013af610 00000167 1722 013af614 bff7eaf9 = KERNEL32.DLL:.text+0x5af9 1723 1724 -------------------- 1725 1726 0167:bff7eade c1e710 shl edi,10 1727 0167:bff7eae1 015dfc add dword ptr [ebp-04],ebx 1728 0167:bff7eae4 097dfc or dword ptr [ebp-04],edi 1729 0167:bff7eae7 015df8 add dword ptr [ebp-08],ebx 1730 0167:bff7eaea ff7518 push dword ptr [ebp+18] 1731 0167:bff7eaed ff75fc push dword ptr [ebp-04] 1732 0167:bff7eaf0 56 push esi 1733 0167:bff7eaf1 6a01 push +01 1734 0167:bff7eaf3 ff75f8 push dword ptr [ebp-08] 1735 0167:bff7eaf6 ff551c call dword ptr [ebp+1c] 1736 KERNEL32.DLL:.text+0x5af9: 1737 *0167:bff7eaf9 5f pop edi 1738 0167:bff7eafa 5e pop esi 1739 0167:bff7eafb 5b pop ebx 1740 0167:bff7eafc 8be5 mov esp,ebp 1741 0167:bff7eafe 5d pop ebp 1742 0167:bff7eaff c21800 retd 0018 1743 0167:bff7eb02 8b442404 mov eax,dword ptr [esp+04] 1744 0167:bff7eb06 8b4c2408 mov ecx,dword ptr [esp+08] 1745 0167:bff7eb0a 3bc1 cmp eax,ecx 1746 0167:bff7eb0c 7308 jnc bff7eb16 = KERNEL32.DLL:.text+0x5b16 1747 0167:bff7eb0e 8b10 mov edx,dword ptr [eax] 1748 1749 -------------------- 1750 1751 1752 013af618 000762e1 1753 013af61c bff713e2 = KERNEL32.DLL:_FREQASM+0x3e2 1754 1755 -------------------- 1756 1757 0167:bff713c5 c20400 retd 0004 1758 0167:bff713c8 33c0 xor eax,eax 1759 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 1760 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1761 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1762 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1763 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1764 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 1765 0167:bff713d8 8f0424 pop dword ptr [esp] 1766 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1767 KERNEL32.DLL:_FREQASM+0x3e2: 1768 *0167:bff713e2 b801000100 mov eax,00010001 1769 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1770 0167:bff713ee b843002a00 mov eax,002a0043 1771 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1772 0167:bff713fa 83c414 add esp,+14 1773 0167:bff713fd 0fb7c8 movzx ecx,ax 1774 0167:bff71400 0fa4d310 shld ebx,edx,10 1775 0167:bff71404 c0e302 shl bl,02 1776 0167:bff71407 6681ea0010 sub dx,1000 1777 0167:bff7140c 0fbfc2 movsx eax,dx 1778 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 1779 1780 -------------------- 1781 1782 1783 013af620 00000167 1784 013af624 bff916bb = KERNEL32.DLL:.text+0x186bb 1785 1786 -------------------- 1787 1788 0167:bff91699 8d4e14 lea ecx,[esi+14] 1789 0167:bff9169c c745f480000000 mov dword ptr [ebp-0c],00000080 1790 0167:bff916a3 50 push eax 1791 0167:bff916a4 51 push ecx 1792 0167:bff916a5 6a00 push +00 1793 0167:bff916a7 6a00 push +00 1794 0167:bff916a9 688094f7bf push bff79480 1795 0167:bff916ae ff75f8 push dword ptr [ebp-08] 1796 0167:bff916b1 681a000100 push 0001001a 1797 0167:bff916b6 e819fdfdff call bff713d4 = KERNEL32.DLL!1 1798 KERNEL32.DLL:.text+0x186bb: 1799 *0167:bff916bb ff75f8 push dword ptr [ebp-08] 1800 0167:bff916be 6813000100 push 00010013 1801 0167:bff916c3 85c0 test eax,eax 1802 0167:bff916c5 7464 jz bff9172b = KERNEL32.DLL:.text+0x1872b 1803 0167:bff916c7 e808fdfdff call bff713d4 = KERNEL32.DLL!1 1804 0167:bff916cc 6a00 push +00 1805 0167:bff916ce 8d4614 lea eax,[esi+14] 1806 0167:bff916d1 6880000000 push 00000080 1807 0167:bff916d6 50 push eax 1808 0167:bff916d7 e855fafdff call bff71131 = KERNEL32.DLL:_FREQASM+0x131 1809 0167:bff916dc 813e9c000000 cmp dword ptr [esi],0000009c 1810 1811 -------------------- 1812 1813 1814 013af628 c29e5320 -> 00 00 00 00 00 00 00 00 a0 13 9a c2 06 00 00 00 ................ 1815 013af62c bff79480 = KERNEL32.DLL:.text+0x480 1816 -> 53 75 62 56 65 72 73 69 6f 6e 4e 75 6d 62 65 72 SubVersionNumber 1817 013af630 bff713e2 = KERNEL32.DLL:_FREQASM+0x3e2 1818 1819 -------------------- 1820 1821 0167:bff713c5 c20400 retd 0004 1822 0167:bff713c8 33c0 xor eax,eax 1823 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 1824 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1825 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1826 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1827 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 1828 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 1829 0167:bff713d8 8f0424 pop dword ptr [esp] 1830 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1831 KERNEL32.DLL:_FREQASM+0x3e2: 1832 *0167:bff713e2 b801000100 mov eax,00010001 1833 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1834 0167:bff713ee b843002a00 mov eax,002a0043 1835 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 1836 0167:bff713fa 83c414 add esp,+14 1837 0167:bff713fd 0fb7c8 movzx ecx,ax 1838 0167:bff71400 0fa4d310 shld ebx,edx,10 1839 0167:bff71404 c0e302 shl bl,02 1840 0167:bff71407 6681ea0010 sub dx,1000 1841 0167:bff7140c 0fbfc2 movsx eax,dx 1842 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 1843 1844 -------------------- 1845 1846 1847 013af634 013af674 -> 00 00 44 00 90 0a f8 00 40 00 00 00 00 00 00 00 ..D.....@....... 1848 013af638 000d314c 1849 013af63c 81836e94 -> 24 00 00 a0 04 00 00 00 00 00 00 00 00 00 00 00 $............... 1850 013af640 00000024 1851 013af644 bff7a3a0 = KERNEL32.DLL:.text+0x13a0 1852 1853 -------------------- 1854 1855 0167:bff7a385 2bfb sub edi,ebx 1856 0167:bff7a387 57 push edi 1857 0167:bff7a388 894108 mov dword ptr [ecx+08],eax 1858 0167:bff7a38b 8b5604 mov edx,dword ptr [esi+04] 1859 0167:bff7a38e 8b4608 mov eax,dword ptr [esi+08] 1860 0167:bff7a391 895004 mov dword ptr [eax+04],edx 1861 0167:bff7a394 8d041e lea eax,[esi+ebx] 1862 0167:bff7a397 50 push eax 1863 0167:bff7a398 ff7508 push dword ptr [ebp+08] 1864 0167:bff7a39b e871fdffff call bff7a111 = KERNEL32.DLL:.text+0x1111 1865 KERNEL32.DLL:.text+0x13a0: 1866 *0167:bff7a3a0 eb36 jmp bff7a3d8 = KERNEL32.DLL:.text+0x13d8 1867 0167:bff7a3a2 8b4d08 mov ecx,dword ptr [ebp+08] 1868 0167:bff7a3a5 0fb64170 movzx eax,byte ptr [ecx+70] 1869 0167:bff7a3a9 0b45f4 or eax,dword ptr [ebp-0c] 1870 0167:bff7a3ac 50 push eax 1871 0167:bff7a3ad 8b45f8 mov eax,dword ptr [ebp-08] 1872 0167:bff7a3b0 2b45fc sub eax,dword ptr [ebp-04] 1873 0167:bff7a3b3 50 push eax 1874 0167:bff7a3b4 ff75fc push dword ptr [ebp-04] 1875 0167:bff7a3b7 e8f6feffff call bff7a2b2 = KERNEL32.DLL:.text+0x12b2 1876 0167:bff7a3bc 85c0 test eax,eax 1877 1878 -------------------- 1879 1880 1881 013af648 8180b000 -> 00 00 10 00 00 00 00 00 20 00 00 00 01 00 00 a0 ........ ....... 1882 013af64c 013af68c -> b4 f6 3a 01 50 a5 f7 bf 00 00 44 00 67 a5 f7 bf ..:.P.....D.g... 1883 013af650 00000020 1884 013af654 00f80a90 -> 40 00 00 a0 c8 f0 2d 76 c8 f0 2d 76 cb 0e fc ff @.....-v..-v.... 1885 013af658 00000040 1886 013af65c bff7a3a0 = KERNEL32.DLL:.text+0x13a0 1887 1888 -------------------- 1889 1890 0167:bff7a385 2bfb sub edi,ebx 1891 0167:bff7a387 57 push edi 1892 0167:bff7a388 894108 mov dword ptr [ecx+08],eax 1893 0167:bff7a38b 8b5604 mov edx,dword ptr [esi+04] 1894 0167:bff7a38e 8b4608 mov eax,dword ptr [esi+08] 1895 0167:bff7a391 895004 mov dword ptr [eax+04],edx 1896 0167:bff7a394 8d041e lea eax,[esi+ebx] 1897 0167:bff7a397 50 push eax 1898 0167:bff7a398 ff7508 push dword ptr [ebp+08] 1899 0167:bff7a39b e871fdffff call bff7a111 = KERNEL32.DLL:.text+0x1111 1900 KERNEL32.DLL:.text+0x13a0: 1901 *0167:bff7a3a0 eb36 jmp bff7a3d8 = KERNEL32.DLL:.text+0x13d8 1902 0167:bff7a3a2 8b4d08 mov ecx,dword ptr [ebp+08] 1903 0167:bff7a3a5 0fb64170 movzx eax,byte ptr [ecx+70] 1904 0167:bff7a3a9 0b45f4 or eax,dword ptr [ebp-0c] 1905 0167:bff7a3ac 50 push eax 1906 0167:bff7a3ad 8b45f8 mov eax,dword ptr [ebp-08] 1907 0167:bff7a3b0 2b45fc sub eax,dword ptr [ebp-04] 1908 0167:bff7a3b3 50 push eax 1909 0167:bff7a3b4 ff75fc push dword ptr [ebp-04] 1910 0167:bff7a3b7 e8f6feffff call bff7a2b2 = KERNEL32.DLL:.text+0x12b2 1911 0167:bff7a3bc 85c0 test eax,eax 1912 1913 -------------------- 1914 1915 1916 013af660 00440000 -> 00 10 10 00 00 00 78 00 20 00 00 00 01 00 00 a0 ......x. ....... 1917 013af664 00f80ad0 -> 21 00 00 a0 1c 00 44 00 4c 03 54 00 00 00 00 00 !.....D.L.T..... 1918 013af668 00000020 1919 013af66c 00000000 1920 013af670 0044000c -> 01 00 00 a0 ec 0f 54 00 e8 47 45 00 80 00 00 00 ......T..GE..... 1921 013af674 00440000 -> 00 10 10 00 00 00 78 00 20 00 00 00 01 00 00 a0 ......x. ....... 1922 013af678 00f80a90 -> 40 00 00 a0 c8 f0 2d 76 c8 f0 2d 76 cb 0e fc ff @.....-v..-v.... 1923 013af67c 00000040 1924 013af680 00000000 1925 013af684 00000f80 1926 013af688 00000f81 1927 013af68c 013af6b4 -> d8 f6 3a 01 98 b4 f7 bf 00 00 44 00 d5 b4 f7 bf ..:.......D..... 1928 013af690 bff7a550 = KERNEL32.DLL:.text+0x1550 1929 1930 -------------------- 1931 1932 0167:bff7a532 8b4604 mov eax,dword ptr [esi+04] 1933 0167:bff7a535 8b4dfc mov ecx,dword ptr [ebp-04] 1934 0167:bff7a538 894104 mov dword ptr [ecx+04],eax 1935 0167:bff7a53b 894e04 mov dword ptr [esi+04],ecx 1936 0167:bff7a53e e953ffffff jmp bff7a496 = KERNEL32.DLL:.text+0x1496 1937 0167:bff7a543 ff7510 push dword ptr [ebp+10] 1938 0167:bff7a546 ff750c push dword ptr [ebp+0c] 1939 0167:bff7a549 53 push ebx 1940 0167:bff7a54a 56 push esi 1941 0167:bff7a54b e8a6fdffff call bff7a2f6 = KERNEL32.DLL:.text+0x12f6 1942 KERNEL32.DLL:.text+0x1550: 1943 *0167:bff7a550 89450c mov dword ptr [ebp+0c],eax 1944 0167:bff7a553 85c0 test eax,eax 1945 0167:bff7a555 7436 jz bff7a58d = KERNEL32.DLL:.text+0x158d 1946 0167:bff7a557 ff7510 push dword ptr [ebp+10] 1947 0167:bff7a55a 56 push esi 1948 0167:bff7a55b 0d000000a0 or eax,a0000000 1949 0167:bff7a560 8903 mov dword ptr [ebx],eax 1950 0167:bff7a562 e889fbffff call bff7a0f0 = KERNEL32.DLL:.text+0x10f0 1951 0167:bff7a567 8d4304 lea eax,[ebx+04] 1952 0167:bff7a56a eb49 jmp bff7a5b5 = KERNEL32.DLL:.text+0x15b5 1953 0167:bff7a56c 6a08 push +08 1954 1955 -------------------- 1956 1957 1958 013af694 00440000 -> 00 10 10 00 00 00 78 00 20 00 00 00 01 00 00 a0 ......x. ....... 1959 013af698 bff7a567 = KERNEL32.DLL:.text+0x1567 1960 1961 -------------------- 1962 1963 0167:bff7a54a 56 push esi 1964 0167:bff7a54b e8a6fdffff call bff7a2f6 = KERNEL32.DLL:.text+0x12f6 1965 0167:bff7a550 89450c mov dword ptr [ebp+0c],eax 1966 0167:bff7a553 85c0 test eax,eax 1967 0167:bff7a555 7436 jz bff7a58d = KERNEL32.DLL:.text+0x158d 1968 0167:bff7a557 ff7510 push dword ptr [ebp+10] 1969 0167:bff7a55a 56 push esi 1970 0167:bff7a55b 0d000000a0 or eax,a0000000 1971 0167:bff7a560 8903 mov dword ptr [ebx],eax 1972 0167:bff7a562 e889fbffff call bff7a0f0 = KERNEL32.DLL:.text+0x10f0 1973 KERNEL32.DLL:.text+0x1567: 1974 *0167:bff7a567 8d4304 lea eax,[ebx+04] 1975 0167:bff7a56a eb49 jmp bff7a5b5 = KERNEL32.DLL:.text+0x15b5 1976 0167:bff7a56c 6a08 push +08 1977 0167:bff7a56e e82d240000 call bff7c9a0 = KERNEL32.DLL:.text+0x39a0 1978 0167:bff7a573 eb18 jmp bff7a58d = KERNEL32.DLL:.text+0x158d 1979 0167:bff7a575 6a08 push +08 1980 0167:bff7a577 e824240000 call bff7c9a0 = KERNEL32.DLL:.text+0x39a0 1981 0167:bff7a57c eb0f jmp bff7a58d = KERNEL32.DLL:.text+0x158d 1982 0167:bff7a57e 6a10 push +10 1983 0167:bff7a580 ff75fc push dword ptr [ebp-04] 1984 0167:bff7a583 680a000100 push 0001000a 1985 1986 -------------------- 1987 1988 1989 013af69c 00440000 -> 00 10 10 00 00 00 78 00 20 00 00 00 01 00 00 a0 ......x. ....... 1990 013af6a0 00000041 1991 ... 1992 013af6a8 00000000 1993 ... 1994 013af6b0 013af6dc -> 94 0a f8 00 bf ed 29 76 d4 f0 2d 76 01 00 00 00 ......)v..-v.... 1995 013af6b4 013af6d8 -> 98 6e 83 81 94 0a f8 00 bf ed 29 76 d4 f0 2d 76 .n........)v..-v 1996 013af6b8 bff7b498 = KERNEL32.DLL:.text+0x2498 1997 1998 -------------------- 1999 2000 0167:bff7b476 8d7e02 lea edi,[esi+02] 2001 0167:bff7b479 c70700000000 mov dword ptr [edi],00000000 2002 0167:bff7b47f eb42 jmp bff7b4c3 = KERNEL32.DLL:.text+0x24c3 2003 0167:bff7b481 83cf01 or edi,+01 2004 0167:bff7b484 8b0de49cfcbf mov ecx,dword ptr [bffc9ce4] 2005 0167:bff7b48a 57 push edi 2006 0167:bff7b48b 8b11 mov edx,dword ptr [ecx] 2007 0167:bff7b48d ff750c push dword ptr [ebp+0c] 2008 0167:bff7b490 ff7218 push dword ptr [edx+18] 2009 0167:bff7b493 e8b2efffff call bff7a44a = KERNEL32.DLL:.text+0x144a 2010 KERNEL32.DLL:.text+0x2498: 2011 *0167:bff7b498 8bf8 mov edi,eax 2012 0167:bff7b49a 85ff test edi,edi 2013 0167:bff7b49c 7525 jnz bff7b4c3 = KERNEL32.DLL:.text+0x24c3 2014 0167:bff7b49e 8b75fc mov esi,dword ptr [ebp-04] 2015 0167:bff7b4a1 85db test ebx,ebx 2016 0167:bff7b4a3 741c jz bff7b4c1 = KERNEL32.DLL:.text+0x24c1 2017 0167:bff7b4a5 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 2018 0167:bff7b4aa 8b08 mov ecx,dword ptr [eax] 2019 0167:bff7b4ac 8b5158 mov edx,dword ptr [ecx+58] 2020 0167:bff7b4af 895602 mov dword ptr [esi+02],edx 2021 0167:bff7b4b2 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 2022 2023 -------------------- 2024 2025 2026 013af6bc 00440000 -> 00 10 10 00 00 00 78 00 20 00 00 00 01 00 00 a0 ......x. ....... 2027 013af6c0 bff7b4d5 = KERNEL32.DLL:.text+0x24d5 2028 2029 -------------------- 2030 2031 0167:bff7b4b2 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 2032 0167:bff7b4b7 8b08 mov ecx,dword ptr [eax] 2033 0167:bff7b4b9 897158 mov dword ptr [ecx+58],esi 2034 0167:bff7b4bc 66c7064653 mov word ptr [esi],5346 2035 0167:bff7b4c1 33ff xor edi,edi 2036 0167:bff7b4c3 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 2037 0167:bff7b4c8 8b08 mov ecx,dword ptr [eax] 2038 0167:bff7b4ca 8b5118 mov edx,dword ptr [ecx+18] 2039 0167:bff7b4cd ff724c push dword ptr [edx+4c] 2040 0167:bff7b4d0 e8198effff call bff742ee = KERNEL32.DLL:_FREQASM+0x32ee 2041 KERNEL32.DLL:.text+0x24d5: 2042 *0167:bff7b4d5 8bc7 mov eax,edi 2043 0167:bff7b4d7 5f pop edi 2044 0167:bff7b4d8 5e pop esi 2045 0167:bff7b4d9 5b pop ebx 2046 0167:bff7b4da 8be5 mov esp,ebp 2047 0167:bff7b4dc 5d pop ebp 2048 0167:bff7b4dd c20800 retd 0008 2049 0167:bff7b4e0 33d2 xor edx,edx 2050 0167:bff7b4e2 8b442404 mov eax,dword ptr [esp+04] 2051 0167:bff7b4e6 803830 cmp byte ptr [eax],30 2052 0167:bff7b4e9 7c17 jl bff7b502 = KERNEL32.DLL:.text+0x2502 2053 2054 -------------------- 2055 2056 2057 013af6c4 81834b84 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2058 013af6c8 762df0d4 = WININET.DLL:.data+0xd4 2059 -> 04 00 00 00 98 6e 83 81 00 00 00 00 00 00 00 00 .....n.......... 2060 013af6cc 00000000 2061 013af6d0 762df0c8 = WININET.DLL:.data+0xc8 2062 -> 94 0a f8 00 94 0a f8 00 01 00 00 00 04 00 00 00 ................ 2063 013af6d4 bff7b9c5 = KERNEL32.DLL:.text+0x29c5 2064 2065 -------------------- 2066 2067 0167:bff7b9a9 e81389ffff call bff742c1 = KERNEL32.DLL:_FREQASM+0x32c1 2068 0167:bff7b9ae 5e pop esi 2069 0167:bff7b9af c20400 retd 0004 2070 0167:bff7b9b2 56 push esi 2071 0167:bff7b9b3 8b742408 mov esi,dword ptr [esp+08] 2072 0167:bff7b9b7 8a06 mov al,byte ptr [esi] 2073 0167:bff7b9b9 3c04 cmp al,04 2074 0167:bff7b9bb 7508 jnz bff7b9c5 = KERNEL32.DLL:.text+0x29c5 2075 0167:bff7b9bd ff7604 push dword ptr [esi+04] 2076 0167:bff7b9c0 e82989ffff call bff742ee = KERNEL32.DLL:_FREQASM+0x32ee 2077 KERNEL32.DLL:.text+0x29c5: 2078 *0167:bff7b9c5 5e pop esi 2079 0167:bff7b9c6 c20400 retd 0004 2080 0167:bff7b9c9 64a100000000 mov eax,dword ptr fs:[00000000] 2081 0167:bff7b9cf 55 push ebp 2082 0167:bff7b9d0 8bec mov ebp,esp 2083 0167:bff7b9d2 6aff push -01 2084 0167:bff7b9d4 685092f7bf push bff79250 2085 0167:bff7b9d9 68b405fcbf push bffc05b4 2086 0167:bff7b9de 50 push eax 2087 0167:bff7b9df 8b4508 mov eax,dword ptr [ebp+08] 2088 0167:bff7b9e2 64892500000000 mov dword ptr fs:[00000000],esp 2089 2090 -------------------- 2091 2092 2093 013af6d8 81836e98 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2094 013af6dc 00f80a94 -> c8 f0 2d 76 c8 f0 2d 76 cb 0e fc ff 00 00 00 00 ..-v..-v........ 2095 013af6e0 7629edbf = WININET.DLL:.text+0x1ddbf 2096 2097 -------------------- 2098 2099 0167:7629ed94 8192000057ff15581128 adc dword ptr [edx+ff570000],28115815 2100 0167:7629ed9e 76a1 jbe 7629ed41 = WININET.DLL:.text+0x1dd41 2101 0167:7629eda0 c8f02d76 enter 2df0,76 2102 0167:7629eda4 895e04 mov dword ptr [esi+04],ebx 2103 0167:7629eda7 8906 mov dword ptr [esi],eax 2104 0167:7629eda9 57 push edi 2105 0167:7629edaa 897004 mov dword ptr [eax+04],esi 2106 0167:7629edad ff05d0f02d76 inc dword ptr [762df0d0] 2107 0167:7629edb3 8935c8f02d76 mov dword ptr [762df0c8],esi 2108 0167:7629edb9 ff1550112876 call dword ptr [76281150] -> KERNEL32.DLL!LeaveCriticalSection 2109 WININET.DLL:.text+0x1ddbf: 2110 *0167:7629edbf 8bc6 mov eax,esi 2111 0167:7629edc1 5f pop edi 2112 0167:7629edc2 5e pop esi 2113 0167:7629edc3 5d pop ebp 2114 0167:7629edc4 5b pop ebx 2115 0167:7629edc5 c20400 retd 0004 2116 0167:7629edc8 57 push edi 2117 0167:7629edc9 891dccf02d76 mov dword ptr [762df0cc],ebx 2118 0167:7629edcf 891dc8f02d76 mov dword ptr [762df0c8],ebx 2119 0167:7629edd5 ff1598112876 call dword ptr [76281198] -> KERNEL32.DLL!InitializeCriticalSection 2120 0167:7629eddb 2135d0f02d76 and dword ptr [762df0d0],esi 2121 2122 -------------------- 2123 2124 2125 013af6e4 762df0d4 = WININET.DLL:.data+0xd4 2126 -> 04 00 00 00 98 6e 83 81 00 00 00 00 00 00 00 00 .....n.......... 2127 013af6e8 00000001 2128 ... 2129 013af6f0 013af71c -> f7 41 f7 bf 08 00 00 00 8b 69 f7 bf c0 94 fc bf .A.......i...... 2130 013af6f4 00000000 2131 013af6f8 762813f4 = WININET.DLL:.text+0x3f4 2132 2133 -------------------- 2134 2135 0167:762813c4 f38b442404 ? rep mov eax,dword ptr [esp+04] 2136 0167:762813c9 6838f02d76 push 762df038 2137 0167:762813ce a310f02d76 mov dword ptr [762df010],eax 2138 0167:762813d3 e84ac60100 call 7629da22 = WININET.DLL:.text+0x1ca22 2139 0167:762813d8 6818f02d76 push 762df018 2140 0167:762813dd a30cf02d76 mov dword ptr [762df00c],eax 2141 0167:762813e2 ff1598112876 call dword ptr [76281198] -> KERNEL32.DLL!InitializeCriticalSection 2142 0167:762813e8 e877c60100 call 7629da64 = WININET.DLL:.text+0x1ca64 2143 0167:762813ed 6a01 push +01 2144 0167:762813ef e840d90100 call 7629ed34 = WININET.DLL:.text+0x1dd34 2145 WININET.DLL:.text+0x3f4: 2146 *0167:762813f4 85c0 test eax,eax 2147 0167:762813f6 74c3 jz 762813bb = WININET.DLL:.text+0x3bb 2148 0167:762813f8 ebbe jmp 762813b8 = WININET.DLL:.text+0x3b8 2149 0167:762813fa 33c0 xor eax,eax 2150 0167:762813fc 394c240c cmp dword ptr [esp+0c],ecx 2151 0167:76281400 c70508f02d7601000000 mov dword ptr [762df008],00000001 2152 0167:7628140a 0f94c0 setz al 2153 0167:7628140d 3bc1 cmp eax,ecx 2154 0167:7628140f a33cf02d76 mov dword ptr [762df03c],eax 2155 0167:76281414 7512 jnz 76281428 = WININET.DLL:.text+0x428 2156 0167:76281416 e864e40100 call 7629f87f = WININET.DLL:.text+0x1e87f 2157 2158 -------------------- 2159 2160 2161 013af6fc 00000001 2162 013af700 7628134f = WININET.DLL:.text+0x34f 2163 2164 -------------------- 2165 2166 0167:76281336 56 push esi 2167 0167:76281337 ff7508 push dword ptr [ebp+08] 2168 0167:7628133a e807010000 call 76281446 = WININET.DLL:.text+0x446 2169 0167:7628133f 8bf8 mov edi,eax 2170 0167:76281341 85ff test edi,edi 2171 0167:76281343 740c jz 76281351 = WININET.DLL:.text+0x351 2172 0167:76281345 53 push ebx 2173 0167:76281346 56 push esi 2174 0167:76281347 ff7508 push dword ptr [ebp+08] 2175 0167:7628134a e858000000 call 762813a7 = WININET.DLL:.text+0x3a7 2176 WININET.DLL:.text+0x34f: 2177 *0167:7628134f 8bf8 mov edi,eax 2178 0167:76281351 85f6 test esi,esi 2179 0167:76281353 7416 jz 7628136b = WININET.DLL:.text+0x36b 2180 0167:76281355 83fe03 cmp esi,+03 2181 0167:76281358 7411 jz 7628136b = WININET.DLL:.text+0x36b 2182 0167:7628135a 8bc7 mov eax,edi 2183 0167:7628135c 5f pop edi 2184 0167:7628135d 5e pop esi 2185 0167:7628135e 5b pop ebx 2186 0167:7628135f 5d pop ebp 2187 0167:76281360 c20c00 retd 000c 2188 2189 -------------------- 2190 2191 2192 013af704 76280000 = WININET.DLL+0x0 2193 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 2194 013af708 00000001 2195 013af70c 00000000 2196 ... 2197 013af714 76280000 = WININET.DLL+0x0 2198 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 2199 013af718 81835a0c -> 08 00 00 00 03 01 00 00 e7 2e 00 00 00 00 00 00 ................ 2200 013af71c bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 2201 2202 -------------------- 2203 2204 0167:bff741dd 51 push ecx 2205 0167:bff741de 52 push edx 2206 0167:bff741df 681d002a00 push 002a001d 2207 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 2208 0167:bff741e9 59 pop ecx 2209 0167:bff741ea 5a pop edx 2210 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 2211 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 2212 0167:bff741f1 50 push eax 2213 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 2214 KERNEL32.DLL:_FREQASM+0x31f7: 2215 *0167:bff741f7 58 pop eax 2216 0167:bff741f8 c20400 retd 0004 2217 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 2218 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 2219 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 2220 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 2221 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 2222 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 2223 0167:bff74212 ff4a04 dec dword ptr [edx+04] 2224 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 2225 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 2226 2227 -------------------- 2228 2229 2230 013af720 00000008 2231 013af724 bff7698b = KERNEL32.DLL:_FREQASM+0x598b 2232 2233 -------------------- 2234 2235 0167:bff76969 7512 jnz bff7697d = KERNEL32.DLL:_FREQASM+0x597d 2236 0167:bff7696b a801 test al,01 2237 0167:bff7696d 7520 jnz bff7698f = KERNEL32.DLL:_FREQASM+0x598f 2238 0167:bff7696f 8b15bca0fcbf mov edx,dword ptr [bffca0bc] 2239 0167:bff76975 8911 mov dword ptr [ecx],edx 2240 0167:bff76977 890dbca0fcbf mov dword ptr [bffca0bc],ecx 2241 0167:bff7697d a804 test al,04 2242 0167:bff7697f 75d6 jnz bff76957 = KERNEL32.DLL:_FREQASM+0x5957 2243 0167:bff76981 68c094fcbf push bffc94c0 2244 0167:bff76986 e862d8ffff call bff741ed = KERNEL32.DLL!98 2245 KERNEL32.DLL:_FREQASM+0x598b: 2246 *0167:bff7698b c9 leave 2247 0167:bff7698c c20400 retd 0004 2248 0167:bff7698f 50 push eax 2249 0167:bff76990 51 push ecx 2250 0167:bff76991 e8f1640000 call bff7ce87 = KERNEL32.DLL:.text+0x3e87 2251 0167:bff76996 58 pop eax 2252 0167:bff76997 ebe4 jmp bff7697d = KERNEL32.DLL:_FREQASM+0x597d 2253 0167:bff76999 64ff3500000000 push dword ptr fs:[00000000] 2254 0167:bff769a0 55 push ebp 2255 0167:bff769a1 8d4c2404 lea ecx,[esp+04] 2256 0167:bff769a5 16 push ss 2257 2258 -------------------- 2259 2260 2261 013af728 bffc94c0 = KERNEL32.DLL:.data+0x4c0 2262 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2263 013af72c 013af8e4 -> 14 f9 3a 01 a0 c8 f7 bf 88 5f 81 81 d1 00 00 00 ..:......_...... 2264 013af730 bff769d5 = KERNEL32.DLL:_FREQASM+0x59d5 2265 2266 -------------------- 2267 2268 0167:bff769b3 e8e1ffffff call bff76999 = KERNEL32.DLL:_FREQASM+0x5999 2269 0167:bff769b8 a1e09cfcbf mov eax,dword ptr [bffc9ce0] 2270 0167:bff769bd 8b00 mov eax,dword ptr [eax] 2271 0167:bff769bf 8b4878 mov ecx,dword ptr [eax+78] 2272 0167:bff769c2 e304 jecxz bff769c8 = KERNEL32.DLL:_FREQASM+0x59c8 2273 0167:bff769c4 83490420 or dword ptr [ecx+04],+20 2274 0167:bff769c8 c3 retd 2275 0167:bff769c9 a1e09cfcbf mov eax,dword ptr [bffc9ce0] 2276 0167:bff769ce ff30 push dword ptr [eax] 2277 0167:bff769d0 e875ffffff call bff7694a = KERNEL32.DLL:_FREQASM+0x594a 2278 KERNEL32.DLL:_FREQASM+0x59d5: 2279 *0167:bff769d5 c3 retd 2280 0167:bff769d6 cc int 3 2281 0167:bff769d7 cc int 3 2282 0167:bff769d8 55 push ebp 2283 0167:bff769d9 8bec mov ebp,esp 2284 0167:bff769db 57 push edi 2285 0167:bff769dc 53 push ebx 2286 0167:bff769dd ff35109dfcbf push dword ptr [bffc9d10] 2287 0167:bff769e3 e8ccd7ffff call bff741b4 = KERNEL32.DLL!97 2288 0167:bff769e8 8b7d08 mov edi,dword ptr [ebp+08] 2289 0167:bff769eb b904000000 mov ecx,00000004 2290 2291 -------------------- 2292 2293 2294 013af734 818359c8 -> 07 00 00 00 d0 46 4f c1 d8 ea 3a 01 00 00 3b 01 .....FO...:...;. 2295 013af738 bff7de32 = KERNEL32.DLL:.text+0x4e32 2296 2297 -------------------- 2298 2299 0167:bff7de07 ff75d8 push dword ptr [ebp-28] 2300 0167:bff7de0a e825fd0100 call bff9db34 = KERNEL32.DLL!UnhandledExceptionFilter 2301 0167:bff7de0f c3 retd 2302 0167:bff7de10 8b65e8 mov esp,dword ptr [ebp-18] 2303 0167:bff7de13 c745e401000000 mov dword ptr [ebp-1c],00000001 2304 0167:bff7de1a 8d8564feffff lea eax,[ebp-0000019c] 2305 0167:bff7de20 50 push eax 2306 0167:bff7de21 e836d00200 call bffaae5c = KERNEL32.DLL:.text+0x31e5c 2307 0167:bff7de26 c745fcffffffff mov dword ptr [ebp-04],ffffffff 2308 0167:bff7de2d e8978bffff call bff769c9 = KERNEL32.DLL:_FREQASM+0x59c9 2309 KERNEL32.DLL:.text+0x4e32: 2310 *0167:bff7de32 8b45dc mov eax,dword ptr [ebp-24] 2311 0167:bff7de35 8020ef and byte ptr [eax],ef 2312 0167:bff7de38 8b45e4 mov eax,dword ptr [ebp-1c] 2313 0167:bff7de3b eb02 jmp bff7de3f = KERNEL32.DLL:.text+0x4e3f 2314 0167:bff7de3d 33c0 xor eax,eax 2315 0167:bff7de3f 8b4df0 mov ecx,dword ptr [ebp-10] 2316 0167:bff7de42 5f pop edi 2317 0167:bff7de43 64890d00000000 mov dword ptr fs:[00000000],ecx 2318 0167:bff7de4a 5e pop esi 2319 0167:bff7de4b 5b pop ebx 2320 0167:bff7de4c 8be5 mov esp,ebp 2321 2322 -------------------- 2323 2324 2325 013af73c 81835f84 -> 24 00 00 a0 04 00 00 00 00 00 00 00 00 00 00 00 $............... 2326 013af740 81835f58 -> 00 58 83 81 cc 57 83 81 70 c1 82 81 00 00 00 00 .X...W..p....... 2327 013af744 81835f6c -> 08 02 04 00 e4 42 83 81 30 4b 83 81 00 4a 83 81 .....B..0K...J.. 2328 013af748 c14f31f0 -> 01 00 00 00 c8 59 83 81 e4 42 83 81 00 24 4f c1 .....Y...B...$O. 2329 013af74c 0f0e0d0c 2330 013af750 13121110 2331 013af754 17161514 2332 013af758 1b1a1918 2333 013af75c 1f1e1d1c 2334 013af760 23222120 2335 013af764 27262524 2336 013af768 00000001 2337 013af76c 00000000 2338 013af770 013af78c -> a4 f7 3a 01 28 b8 f7 bf ee 13 f7 bf 67 01 00 00 ..:.(.......g... 2339 013af774 bff7b77b = KERNEL32.DLL:.text+0x277b 2340 2341 -------------------- 2342 2343 0167:bff7b75c a1109dfcbf mov eax,dword ptr [bffc9d10] 2344 0167:bff7b761 8bec mov ebp,esp 2345 0167:bff7b763 56 push esi 2346 0167:bff7b764 50 push eax 2347 0167:bff7b765 e84a8affff call bff741b4 = KERNEL32.DLL!97 2348 0167:bff7b76a ff7514 push dword ptr [ebp+14] 2349 0167:bff7b76d ff7510 push dword ptr [ebp+10] 2350 0167:bff7b770 ff750c push dword ptr [ebp+0c] 2351 0167:bff7b773 ff7508 push dword ptr [ebp+08] 2352 0167:bff7b776 e890fdffff call bff7b50b = KERNEL32.DLL:.text+0x250b 2353 KERNEL32.DLL:.text+0x277b: 2354 *0167:bff7b77b 8bf0 mov esi,eax 2355 0167:bff7b77d 85f6 test esi,esi 2356 0167:bff7b77f 740a jz bff7b78b = KERNEL32.DLL:.text+0x278b 2357 0167:bff7b781 f6451380 test byte ptr [ebp+13],80 2358 0167:bff7b785 7404 jz bff7b78b = KERNEL32.DLL:.text+0x278b 2359 0167:bff7b787 66ff4602 inc word ptr [esi+02] 2360 0167:bff7b78b a1109dfcbf mov eax,dword ptr [bffc9d10] 2361 0167:bff7b790 50 push eax 2362 0167:bff7b791 e8578affff call bff741ed = KERNEL32.DLL!98 2363 0167:bff7b796 8bc6 mov eax,esi 2364 0167:bff7b798 5e pop esi 2365 2366 -------------------- 2367 2368 2369 013af778 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 2370 2371 -------------------- 2372 2373 0167:bff741dd 51 push ecx 2374 0167:bff741de 52 push edx 2375 0167:bff741df 681d002a00 push 002a001d 2376 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 2377 0167:bff741e9 59 pop ecx 2378 0167:bff741ea 5a pop edx 2379 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 2380 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 2381 0167:bff741f1 50 push eax 2382 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 2383 KERNEL32.DLL:_FREQASM+0x31f7: 2384 *0167:bff741f7 58 pop eax 2385 0167:bff741f8 c20400 retd 0004 2386 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 2387 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 2388 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 2389 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 2390 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 2391 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 2392 0167:bff74212 ff4a04 dec dword ptr [edx+04] 2393 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 2394 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 2395 2396 -------------------- 2397 2398 2399 013af77c bffc9490 = KERNEL32.DLL:.data+0x490 2400 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2401 013af780 bff7b796 = KERNEL32.DLL:.text+0x2796 2402 2403 -------------------- 2404 2405 0167:bff7b776 e890fdffff call bff7b50b = KERNEL32.DLL:.text+0x250b 2406 0167:bff7b77b 8bf0 mov esi,eax 2407 0167:bff7b77d 85f6 test esi,esi 2408 0167:bff7b77f 740a jz bff7b78b = KERNEL32.DLL:.text+0x278b 2409 0167:bff7b781 f6451380 test byte ptr [ebp+13],80 2410 0167:bff7b785 7404 jz bff7b78b = KERNEL32.DLL:.text+0x278b 2411 0167:bff7b787 66ff4602 inc word ptr [esi+02] 2412 0167:bff7b78b a1109dfcbf mov eax,dword ptr [bffc9d10] 2413 0167:bff7b790 50 push eax 2414 0167:bff7b791 e8578affff call bff741ed = KERNEL32.DLL!98 2415 KERNEL32.DLL:.text+0x2796: 2416 *0167:bff7b796 8bc6 mov eax,esi 2417 0167:bff7b798 5e pop esi 2418 0167:bff7b799 5d pop ebp 2419 0167:bff7b79a c21000 retd 0010 2420 0167:bff7b79d 55 push ebp 2421 0167:bff7b79e 8bec mov ebp,esp 2422 0167:bff7b7a0 53 push ebx 2423 0167:bff7b7a1 56 push esi 2424 0167:bff7b7a2 57 push edi 2425 0167:bff7b7a3 33ff xor edi,edi 2426 0167:bff7b7a5 837d1801 cmp dword ptr [ebp+18],+01 2427 2428 -------------------- 2429 2430 2431 013af784 bffc9490 = KERNEL32.DLL:.data+0x490 2432 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2433 013af788 00000000 2434 013af78c 013af7a4 -> 01 00 00 00 08 00 00 00 02 00 b8 00 00 00 06 60 ...............` 2435 013af790 bff7b828 = KERNEL32.DLL:.text+0x2828 2436 2437 -------------------- 2438 2439 0167:bff7b80b 5b pop ebx 2440 0167:bff7b80c c20800 retd 0008 2441 0167:bff7b80f 55 push ebp 2442 0167:bff7b810 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 2443 0167:bff7b815 8bec mov ebp,esp 2444 0167:bff7b817 ff742410 push dword ptr [esp+10] 2445 0167:bff7b81b ff750c push dword ptr [ebp+0c] 2446 0167:bff7b81e ff7508 push dword ptr [ebp+08] 2447 0167:bff7b821 ff30 push dword ptr [eax] 2448 0167:bff7b823 e833ffffff call bff7b75b = KERNEL32.DLL:.text+0x275b 2449 KERNEL32.DLL:.text+0x2828: 2450 *0167:bff7b828 5d pop ebp 2451 0167:bff7b829 c20c00 retd 000c 2452 0167:bff7b82c 55 push ebp 2453 0167:bff7b82d 8bec mov ebp,esp 2454 0167:bff7b82f 50 push eax 2455 0167:bff7b830 a1109dfcbf mov eax,dword ptr [bffc9d10] 2456 0167:bff7b835 50 push eax 2457 0167:bff7b836 e87989ffff call bff741b4 = KERNEL32.DLL!97 2458 0167:bff7b83b ff7508 push dword ptr [ebp+08] 2459 0167:bff7b83e e8d1fdffff call bff7b614 = KERNEL32.DLL:.text+0x2614 2460 0167:bff7b843 a1109dfcbf mov eax,dword ptr [bffc9d10] 2461 2462 -------------------- 2463 2464 2465 013af794 bff713ee = KERNEL32.DLL:_FREQASM+0x3ee 2466 2467 -------------------- 2468 2469 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 2470 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2471 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2472 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2473 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2474 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 2475 0167:bff713d8 8f0424 pop dword ptr [esp] 2476 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2477 0167:bff713e2 b801000100 mov eax,00010001 2478 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2479 KERNEL32.DLL:_FREQASM+0x3ee: 2480 *0167:bff713ee b843002a00 mov eax,002a0043 2481 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2482 0167:bff713fa 83c414 add esp,+14 2483 0167:bff713fd 0fb7c8 movzx ecx,ax 2484 0167:bff71400 0fa4d310 shld ebx,edx,10 2485 0167:bff71404 c0e302 shl bl,02 2486 0167:bff71407 6681ea0010 sub dx,1000 2487 0167:bff7140c 0fbfc2 movsx eax,dx 2488 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 2489 0167:bff71414 55 push ebp 2490 0167:bff71415 53 push ebx 2491 2492 -------------------- 2493 2494 2495 013af798 00000167 2496 013af79c bff7ead5 = KERNEL32.DLL:.text+0x5ad5 2497 2498 -------------------- 2499 2500 0167:bff7eab8 8b354c95fcbf mov esi,dword ptr [bffc954c] 2501 0167:bff7eabe b801000000 mov eax,00000001 2502 0167:bff7eac3 85db test ebx,ebx 2503 0167:bff7eac5 740e jz bff7ead5 = KERNEL32.DLL:.text+0x5ad5 2504 0167:bff7eac7 ff7518 push dword ptr [ebp+18] 2505 0167:bff7eaca ff75fc push dword ptr [ebp-04] 2506 0167:bff7eacd 56 push esi 2507 0167:bff7eace 53 push ebx 2508 0167:bff7eacf ff75f8 push dword ptr [ebp-08] 2509 0167:bff7ead2 ff551c call dword ptr [ebp+1c] 2510 KERNEL32.DLL:.text+0x5ad5: 2511 *0167:bff7ead5 85c0 test eax,eax 2512 0167:bff7ead7 7420 jz bff7eaf9 = KERNEL32.DLL:.text+0x5af9 2513 0167:bff7ead9 83e707 and edi,+07 2514 0167:bff7eadc 741b jz bff7eaf9 = KERNEL32.DLL:.text+0x5af9 2515 0167:bff7eade c1e710 shl edi,10 2516 0167:bff7eae1 015dfc add dword ptr [ebp-04],ebx 2517 0167:bff7eae4 097dfc or dword ptr [ebp-04],edi 2518 0167:bff7eae7 015df8 add dword ptr [ebp-08],ebx 2519 0167:bff7eaea ff7518 push dword ptr [ebp+18] 2520 0167:bff7eaed ff75fc push dword ptr [ebp-04] 2521 0167:bff7eaf0 56 push esi 2522 2523 -------------------- 2524 2525 2526 013af7a0 00076281 2527 013af7a4 00000001 2528 013af7a8 00000008 2529 013af7ac 00b80002 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2530 013af7b0 60060000 2531 013af7b4 00000000 2532 013af7b8 76281000 = WININET.DLL:.text+0x0 2533 -> b2 a3 bd 70 00 2b be 70 f6 1c bd 70 af 43 bd 70 ...p.+.p...p.C.p 2534 013af7bc 81816080 -> 2e 74 65 78 74 00 00 00 68 d3 05 00 00 10 00 00 .text...h....... 2535 013af7c0 00076281 2536 013af7c4 00b80002 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2537 013af7c8 013af818 -> c4 00 00 00 4c f8 3a 01 02 00 00 00 00 00 00 00 ....L.:......... 2538 013af7cc bff88698 = KERNEL32.DLL:.text+0xf698 2539 2540 -------------------- 2541 2542 0167:bff8867e 8b4324 mov eax,dword ptr [ebx+24] 2543 0167:bff88681 0d00000080 or eax,80000000 2544 0167:bff88686 50 push eax 2545 0167:bff88687 51 push ecx 2546 0167:bff88688 8b4314 mov eax,dword ptr [ebx+14] 2547 0167:bff8868b 0345f8 add eax,dword ptr [ebp-08] 2548 0167:bff8868e 50 push eax 2549 0167:bff8868f 56 push esi 2550 0167:bff88690 ff7508 push dword ptr [ebp+08] 2551 0167:bff88693 e88f63ffff call bff7ea27 = KERNEL32.DLL:.text+0x5a27 2552 KERNEL32.DLL:.text+0xf698: 2553 *0167:bff88698 85c0 test eax,eax 2554 0167:bff8869a 7409 jz bff886a5 = KERNEL32.DLL:.text+0xf6a5 2555 0167:bff8869c c745fc01000000 mov dword ptr [ebp-04],00000001 2556 0167:bff886a3 eb07 jmp bff886ac = KERNEL32.DLL:.text+0xf6ac 2557 0167:bff886a5 c745fc00000000 mov dword ptr [ebp-04],00000000 2558 0167:bff886ac 85ff test edi,edi 2559 0167:bff886ae 7418 jz bff886c8 = KERNEL32.DLL:.text+0xf6c8 2560 0167:bff886b0 837dfc00 cmp dword ptr [ebp-04],+00 2561 0167:bff886b4 740c jz bff886c2 = KERNEL32.DLL:.text+0xf6c2 2562 0167:bff886b6 6800100000 push 00001000 2563 0167:bff886bb 57 push edi 2564 2565 -------------------- 2566 2567 2568 013af7d0 c14f0017 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2569 013af7d4 76281000 = WININET.DLL:.text+0x0 2570 -> b2 a3 bd 70 00 2b be 70 f6 1c bd 70 af 43 bd 70 ...p.+.p...p.C.p 2571 013af7d8 013afa69 -> 00 00 00 cc 6e 83 81 f7 41 f7 bf 90 94 fc bf 3d ....n...A......= 2572 013af7dc 0000005f 2573 013af7e0 60060000 2574 013af7e4 bff713e2 = KERNEL32.DLL:_FREQASM+0x3e2 2575 2576 -------------------- 2577 2578 0167:bff713c5 c20400 retd 0004 2579 0167:bff713c8 33c0 xor eax,eax 2580 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 2581 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2582 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2583 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2584 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2585 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 2586 0167:bff713d8 8f0424 pop dword ptr [esp] 2587 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2588 KERNEL32.DLL:_FREQASM+0x3e2: 2589 *0167:bff713e2 b801000100 mov eax,00010001 2590 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2591 0167:bff713ee b843002a00 mov eax,002a0043 2592 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2593 0167:bff713fa 83c414 add esp,+14 2594 0167:bff713fd 0fb7c8 movzx ecx,ax 2595 0167:bff71400 0fa4d310 shld ebx,edx,10 2596 0167:bff71404 c0e302 shl bl,02 2597 0167:bff71407 6681ea0010 sub dx,1000 2598 0167:bff7140c 0fbfc2 movsx eax,dx 2599 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 2600 2601 -------------------- 2602 2603 2604 013af7e8 00076281 2605 013af7ec 013af86c -> dd 62 07 00 81 62 07 00 00 00 00 00 00 00 00 00 .b...b.......... 2606 013af7f0 00076281 2607 013af7f4 76281000 = WININET.DLL:.text+0x0 2608 -> b2 a3 bd 70 00 2b be 70 f6 1c bd 70 af 43 bd 70 ...p.+.p...p.C.p 2609 013af7f8 76280000 = WININET.DLL+0x0 2610 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 2611 013af7fc 00000001 2612 013af800 00061000 2613 013af804 00001000 2614 013af808 00000004 2615 013af80c 00020000 2616 013af810 00000000 2617 013af814 762dd390 = WININET.DLL:.text+0x5c390 2618 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2619 013af818 000000c4 2620 013af81c 013af84c -> f0 f8 3a 01 01 00 00 00 7c 3b 81 81 0f 3b f8 bf ..:.....|;...;.. 2621 013af820 00000002 2622 013af824 00000000 2623 ... 2624 013af844 70c09b20 = SHLWAPI.DLL:.text+0x38b20 2625 -> 00 00 00 00 91 20 17 37 00 00 00 00 ea ac 03 00 ..... .7........ 2626 013af848 000000c4 2627 013af84c 013af8f0 -> d1 00 00 00 e4 42 83 81 00 00 00 00 00 00 28 76 .....B........(v 2628 013af850 00000001 2629 013af854 81813b7c -> 50 45 00 00 4c 01 04 00 3e 63 17 37 00 00 00 00 PE..L...>c.7.... 2630 013af858 bff83b0f = KERNEL32.DLL:.text+0xab0f 2631 2632 -------------------- 2633 2634 0167:bff83aee 8945d8 mov dword ptr [ebp-28],eax 2635 0167:bff83af1 0f86a1010000 jbe bff83c98 = KERNEL32.DLL:.text+0xac98 2636 0167:bff83af7 8b4508 mov eax,dword ptr [ebp+08] 2637 0167:bff83afa 83c01c add eax,+1c 2638 0167:bff83afd 8945b4 mov dword ptr [ebp-4c],eax 2639 0167:bff83b00 8b45b4 mov eax,dword ptr [ebp-4c] 2640 0167:bff83b03 8b30 mov esi,dword ptr [eax] 2641 0167:bff83b05 668b4e10 mov cx,word ptr [esi+10] 2642 0167:bff83b09 51 push ecx 2643 0167:bff83b0a e803a4ffff call bff7df12 = KERNEL32.DLL:.text+0x4f12 2644 KERNEL32.DLL:.text+0xab0f: 2645 *0167:bff83b0f 8945e0 mov dword ptr [ebp-20],eax 2646 0167:bff83b12 8b45e4 mov eax,dword ptr [ebp-1c] 2647 0167:bff83b15 83c004 add eax,+04 2648 0167:bff83b18 8945c0 mov dword ptr [ebp-40],eax 2649 0167:bff83b1b 8b00 mov eax,dword ptr [eax] 2650 0167:bff83b1d 85c0 test eax,eax 2651 0167:bff83b1f 7424 jz bff83b45 = KERNEL32.DLL:.text+0xab45 2652 0167:bff83b21 8b4de0 mov ecx,dword ptr [ebp-20] 2653 0167:bff83b24 394108 cmp dword ptr [ecx+08],eax 2654 0167:bff83b27 751c jnz bff83b45 = KERNEL32.DLL:.text+0xab45 2655 0167:bff83b29 8b0d249cfcbf mov ecx,dword ptr [bffc9c24] 2656 2657 -------------------- 2658 2659 2660 013af85c 00000003 2661 013af860 81835f58 -> 00 58 83 81 cc 57 83 81 70 c1 82 81 00 00 00 00 .X...W..p....... 2662 013af864 81835f6c -> 08 02 04 00 e4 42 83 81 30 4b 83 81 00 4a 83 81 .....B..0K...J.. 2663 013af868 00000004 2664 013af86c 000762dd 2665 013af870 00076281 2666 013af874 00000000 2667 ... 2668 013af894 00076281 2669 013af898 81834b30 -> c8 4a 83 81 f8 4a 83 81 5c 4e 82 81 78 6a 83 81 .J...J..\N..xj.. 2670 013af89c 81835f74 -> 30 4b 83 81 00 4a 83 81 24 4a 83 81 9c 4a 83 81 0K...J..$J...J.. 2671 013af8a0 81810f08 -> 00 00 00 00 88 5f 81 81 ff ff ff ff 48 0f 81 81 ....._......H... 2672 013af8a4 81835f84 -> 24 00 00 a0 04 00 00 00 00 00 00 00 00 00 00 00 $............... 2673 013af8a8 81835f6c -> 08 02 04 00 e4 42 83 81 30 4b 83 81 00 4a 83 81 .....B..0K...J.. 2674 013af8ac 70be0a9c = SHLWAPI.DLL!StrCatBuffA 2675 -> 55 8b ec 56 8b 75 08 33 c9 8b c6 38 0e 74 08 40 U..V.u.3...8.t.@ 2676 013af8b0 762dffff = WININET.DLL:.data+0xfff 2677 -> 00 08 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ................ 2678 013af8b4 76281304 = WININET.DLL:.text+0x304 2679 -> 55 8b ec 53 56 8b 75 0c 57 6a 01 5f 3b f7 74 4f U..SV.u.Wj._;.tO 2680 013af8b8 00000001 2681 013af8bc 81815fbc -> 00 00 28 76 00 10 00 00 00 10 00 00 05 00 00 00 ..(v............ 2682 013af8c0 81835a0c -> 08 00 00 00 03 01 00 00 e7 2e 00 00 00 00 00 00 ................ 2683 013af8c4 00000000 2684 ... 2685 013af8cc 013af73c -> 84 5f 83 81 58 5f 83 81 6c 5f 83 81 f0 31 4f c1 ._..X_..l_...1O. 2686 013af8d0 8180ce74 -> 50 45 00 00 4c 01 05 00 cd a1 20 37 00 00 00 00 PE..L..... 7.... 2687 013af8d4 013afc4c -> 01 00 00 00 b4 05 fc bf 0c 5a 83 81 00 00 00 00 .........Z...... 2688 013af8d8 bffc05b4 = KERNEL32.DLL:.text+0x475b4 2689 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 2690 013af8dc 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 2691 ... 2692 013af8e4 013af914 -> 90 fa 3a 01 f7 41 f7 bf 44 43 83 81 ec 03 f8 bf ..:..A..DC...... 2693 013af8e8 bff7c8a0 = KERNEL32.DLL:.text+0x38a0 2694 2695 -------------------- 2696 2697 0167:bff7c883 5d pop ebp 2698 0167:bff7c884 c20c00 retd 000c 2699 0167:bff7c887 8b45ec mov eax,dword ptr [ebp-14] 2700 0167:bff7c88a 8b75fc mov esi,dword ptr [ebp-04] 2701 0167:bff7c88d 8b55f8 mov edx,dword ptr [ebp-08] 2702 0167:bff7c890 0fbf0470 movsx eax,word ptr [eax+esi*2] 2703 0167:bff7c894 034210 add eax,dword ptr [edx+10] 2704 0167:bff7c897 50 push eax 2705 0167:bff7c898 ff7508 push dword ptr [ebp+08] 2706 0167:bff7c89b e85ffdffff call bff7c5ff = KERNEL32.DLL:.text+0x35ff 2707 KERNEL32.DLL:.text+0x38a0: 2708 *0167:bff7c8a0 ebdc jmp bff7c87e = KERNEL32.DLL:.text+0x387e 2709 0167:bff7c8a2 ff74240c push dword ptr [esp+0c] 2710 0167:bff7c8a6 ff74240c push dword ptr [esp+0c] 2711 0167:bff7c8aa ff74240c push dword ptr [esp+0c] 2712 0167:bff7c8ae e853d20100 call bff99b06 = KERNEL32.DLL:.text+0x20b06 2713 0167:bff7c8b3 3d01000040 cmp eax,40000001 2714 0167:bff7c8b8 74e8 jz bff7c8a2 = KERNEL32.DLL:.text+0x38a2 2715 0167:bff7c8ba c20c00 retd 000c 2716 0167:bff7c8bd 6a00 push +00 2717 0167:bff7c8bf ff74240c push dword ptr [esp+0c] 2718 0167:bff7c8c3 ff74240c push dword ptr [esp+0c] 2719 2720 -------------------- 2721 2722 2723 013af8ec 81815f88 -> 50 45 00 00 4c 01 04 00 2f a2 20 37 00 00 00 00 PE..L.../. 7.... 2724 013af8f0 000000d1 2725 013af8f4 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 2726 013af8f8 00000000 2727 013af8fc 76280000 = WININET.DLL+0x0 2728 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 2729 013af900 762dbed0 = WININET.DLL:.text+0x5aed0 2730 -> 0e 00 0f 00 10 00 11 00 12 00 13 00 14 00 15 00 ................ 2731 013af904 762dbb90 = WININET.DLL:.text+0x5ab90 2732 -> cd c0 05 00 e2 c0 05 00 f7 c0 05 00 10 c1 05 00 ................ 2733 013af908 0000005f 2734 013af90c 762db800 = WININET.DLL:.text+0x5a800 2735 -> 00 00 00 00 a3 28 17 37 00 00 00 00 70 c0 05 00 .....(.7....p... 2736 013af910 0000005f 2737 013af914 013afa90 -> b2 30 00 76 f7 41 f7 bf c9 59 83 81 f3 68 f7 bf .0.v.A...Y...h.. 2738 013af918 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 2739 2740 -------------------- 2741 2742 0167:bff741dd 51 push ecx 2743 0167:bff741de 52 push edx 2744 0167:bff741df 681d002a00 push 002a001d 2745 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 2746 0167:bff741e9 59 pop ecx 2747 0167:bff741ea 5a pop edx 2748 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 2749 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 2750 0167:bff741f1 50 push eax 2751 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 2752 KERNEL32.DLL:_FREQASM+0x31f7: 2753 *0167:bff741f7 58 pop eax 2754 0167:bff741f8 c20400 retd 0004 2755 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 2756 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 2757 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 2758 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 2759 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 2760 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 2761 0167:bff74212 ff4a04 dec dword ptr [edx+04] 2762 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 2763 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 2764 2765 -------------------- 2766 2767 2768 013af91c 81834344 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2769 013af920 bff803ec = KERNEL32.DLL:.text+0x73ec 2770 2771 -------------------- 2772 2773 0167:bff803cf 740b jz bff803dc = KERNEL32.DLL:.text+0x73dc 2774 0167:bff803d1 85f6 test esi,esi 2775 0167:bff803d3 7507 jnz bff803dc = KERNEL32.DLL:.text+0x73dc 2776 0167:bff803d5 6a7f push +7f 2777 0167:bff803d7 e8c4c5ffff call bff7c9a0 = KERNEL32.DLL:.text+0x39a0 2778 0167:bff803dc a1e49cfcbf mov eax,dword ptr [bffc9ce4] 2779 0167:bff803e1 8b00 mov eax,dword ptr [eax] 2780 0167:bff803e3 83c060 add eax,+60 2781 0167:bff803e6 50 push eax 2782 0167:bff803e7 e8013effff call bff741ed = KERNEL32.DLL!98 2783 KERNEL32.DLL:.text+0x73ec: 2784 *0167:bff803ec 8bc6 mov eax,esi 2785 0167:bff803ee 5f pop edi 2786 0167:bff803ef 5e pop esi 2787 0167:bff803f0 5b pop ebx 2788 0167:bff803f1 c20800 retd 0008 2789 0167:bff803f4 56 push esi 2790 0167:bff803f5 57 push edi 2791 0167:bff803f6 68a095fcbf push bffc95a0 2792 0167:bff803fb e8b43dffff call bff741b4 = KERNEL32.DLL!97 2793 0167:bff80400 833db098fcbf00 cmp dword ptr [bffc98b0],+00 2794 0167:bff80407 7523 jnz bff8042c = KERNEL32.DLL:.text+0x742c 2795 2796 -------------------- 2797 2798 2799 013af924 bff713e2 = KERNEL32.DLL:_FREQASM+0x3e2 2800 2801 -------------------- 2802 2803 0167:bff713c5 c20400 retd 0004 2804 0167:bff713c8 33c0 xor eax,eax 2805 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 2806 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2807 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2808 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2809 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 2810 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 2811 0167:bff713d8 8f0424 pop dword ptr [esp] 2812 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2813 KERNEL32.DLL:_FREQASM+0x3e2: 2814 *0167:bff713e2 b801000100 mov eax,00010001 2815 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2816 0167:bff713ee b843002a00 mov eax,002a0043 2817 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 2818 0167:bff713fa 83c414 add esp,+14 2819 0167:bff713fd 0fb7c8 movzx ecx,ax 2820 0167:bff71400 0fa4d310 shld ebx,edx,10 2821 0167:bff71404 c0e302 shl bl,02 2822 0167:bff71407 6681ea0010 sub dx,1000 2823 0167:bff7140c 0fbfc2 movsx eax,dx 2824 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 2825 2826 -------------------- 2827 2828 2829 013af928 00000167 2830 013af92c bfe8165f = ADVAPI32.DLL:.text+0x65f 2831 2832 -------------------- 2833 2834 0167:bfe81641 c21800 retd 0018 2835 0167:bfe81644 56 push esi 2836 0167:bfe81645 8b742408 mov esi,dword ptr [esp+08] 2837 0167:bfe81649 56 push esi 2838 0167:bfe8164a e8defcffff call bfe8132d = ADVAPI32.DLL:.text+0x32d 2839 0167:bfe8164f 85c0 test eax,eax 2840 0167:bfe81651 740e jz bfe81661 = ADVAPI32.DLL:.text+0x661 2841 0167:bfe81653 56 push esi 2842 0167:bfe81654 6813000100 push 00010013 2843 0167:bfe81659 ff15d8d0e8bf call dword ptr [bfe8d0d8] -> KERNEL32.DLL!1 2844 ADVAPI32.DLL:.text+0x65f: 2845 *0167:bfe8165f eb18 jmp bfe81679 = ADVAPI32.DLL:.text+0x679 2846 0167:bfe81661 6894c0e8bf push bfe8c094 2847 0167:bfe81666 e8dcfcffff call bfe81347 = ADVAPI32.DLL:.text+0x347 2848 0167:bfe8166b 85c0 test eax,eax 2849 0167:bfe8166d 7405 jz bfe81674 = ADVAPI32.DLL:.text+0x674 2850 0167:bfe8166f 56 push esi 2851 0167:bfe81670 ffd0 call eax 2852 0167:bfe81672 eb05 jmp bfe81679 = ADVAPI32.DLL:.text+0x679 2853 0167:bfe81674 b85a040000 mov eax,0000045a 2854 0167:bfe81679 5e pop esi 2855 0167:bfe8167a c20400 retd 0004 2856 2857 -------------------- 2858 2859 2860 013af930 c29e54c0 -> 00 00 00 00 00 00 00 00 a0 13 9a c2 b0 0a 00 00 ................ 2861 013af934 bff773a9 = KERNEL32.DLL!lstrlen 2862 2863 -------------------- 2864 2865 0167:bff7738d ff7024 push dword ptr [eax+24] 2866 0167:bff77390 ff7020 push dword ptr [eax+20] 2867 0167:bff77393 e8469effff call bff711de = KERNEL32.DLL:_FREQASM+0x1de 2868 0167:bff77398 648f0500000000 pop dword ptr fs:[00000000] 2869 0167:bff7739f 83c408 add esp,+08 2870 0167:bff773a2 5d pop ebp 2871 0167:bff773a3 5f pop edi 2872 0167:bff773a4 5e pop esi 2873 0167:bff773a5 5b pop ebx 2874 0167:bff773a6 c20800 retd 0008 2875 KERNEL32.DLL!lstrlen: 2876 *0167:bff773a9 53 push ebx 2877 0167:bff773aa 56 push esi 2878 0167:bff773ab 57 push edi 2879 0167:bff773ac 55 push ebp 2880 0167:bff773ad 68f1000000 push 000000f1 2881 0167:bff773b2 68671dfabf push bffa1d67 2882 0167:bff773b7 64ff3500000000 push dword ptr fs:[00000000] 2883 0167:bff773be 64892500000000 mov dword ptr fs:[00000000],esp 2884 0167:bff773c5 8bc4 mov eax,esp 2885 0167:bff773c7 ff7020 push dword ptr [eax+20] 2886 0167:bff773ca e8a19dffff call bff71170 = KERNEL32.DLL:_FREQASM+0x170 2887 2888 -------------------- 2889 2890 2891 013af938 76002233 = WS2_32.DLL:.text+0x1233 2892 2893 -------------------- 2894 2895 0167:76002212 1588f20076 adc eax,7600f288 2896 0167:76002217 3bc7 cmp eax,edi 2897 0167:76002219 a304d40076 mov dword ptr [7600d404],eax 2898 0167:7600221e 7405 jz 76002225 = WS2_32.DLL:.text+0x1225 2899 0167:76002220 6a01 push +01 2900 0167:76002222 5f pop edi 2901 0167:76002223 eb05 jmp 7600222a = WS2_32.DLL:.text+0x122a 2902 0167:76002225 e80f000000 call 76002239 = WS2_32.DLL:.text+0x1239 2903 0167:7600222a ff75fc push dword ptr [ebp-04] 2904 0167:7600222d ff151cf20076 call dword ptr [7600f21c] -> ADVAPI32.DLL!RegCloseKey 2905 WS2_32.DLL:.text+0x1233: 2906 *0167:76002233 5e pop esi 2907 0167:76002234 8bc7 mov eax,edi 2908 0167:76002236 5f pop edi 2909 0167:76002237 c9 leave 2910 0167:76002238 c3 retd 2911 0167:76002239 a100d40076 mov eax,dword ptr [7600d400] 2912 0167:7600223e 85c0 test eax,eax 2913 0167:76002240 7415 jz 76002257 = WS2_32.DLL:.text+0x1257 2914 0167:76002242 50 push eax 2915 0167:76002243 ff154cf20076 call dword ptr [7600f24c] -> KERNEL32.DLL!FreeLibrary 2916 0167:76002249 832500d4007600 and dword ptr [7600d400],+00 2917 2918 -------------------- 2919 2920 2921 013af93c c29e54c0 -> 00 00 00 00 00 00 00 00 a0 13 9a c2 b0 0a 00 00 ................ 2922 013af940 76000000 = WS2_32.DLL+0x0 2923 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 2924 013af944 00000000 2925 013af948 696e6977 2926 013af94c 2e74656e 2927 013af950 006c6c64 2928 013af954 bffc9490 = KERNEL32.DLL:.data+0x490 2929 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 2930 013af958 00000000 2931 013af95c 00000004 2932 013af960 0000c000 2933 013af964 4e52454b 2934 013af968 32334c45 2935 013af96c 4c4c442e 2936 013af970 33323100 2937 013af974 37363534 2938 013af978 3b3a3938 2939 013af97c 3f3e3d3c 2940 013af980 43424140 2941 013af984 47464544 2942 013af988 4b4a4948 2943 013af98c 4f4e4d4c 2944 013af990 53525150 2945 013af994 57565554 2946 013af998 5b5a5958 2947 013af99c 5f5e5d5c 2948 013af9a0 63626160 2949 013af9a4 013af9e4 -> c8 6e 83 81 24 00 00 00 a0 a3 f7 bf 00 b0 80 81 .n..$........... 2950 013af9a8 013afa50 -> f7 41 f7 bf 00 fc 82 81 84 fa 3a 01 cc 2a f9 bf .A........:..*.. 2951 013af9ac 00000b65 2952 013af9b0 ce9d5222 -> 20 07 20 07 20 07 20 07 20 07 20 07 20 07 20 07 . . . . . . . . 2953 013af9b4 b2f147b6 2954 013af9b8 00002327 2955 013af9bc 00000001 2956 013af9c0 013af9e4 -> c8 6e 83 81 24 00 00 00 a0 a3 f7 bf 00 b0 80 81 .n..$........... 2957 013af9c4 bff9e539 = KERNEL32.DLL:.text+0x25539 2958 2959 -------------------- 2960 2961 0167:bff9e519 ff750c push dword ptr [ebp+0c] 2962 0167:bff9e51c 52 push edx 2963 0167:bff9e51d 8945f8 mov dword ptr [ebp-08],eax 2964 0167:bff9e520 ff75f8 push dword ptr [ebp-08] 2965 0167:bff9e523 e82485fdff call bff76a4c = KERNEL32.DLL!72 2966 0167:bff9e528 6810270000 push 00002710 2967 0167:bff9e52d 8945f8 mov dword ptr [ebp-08],eax 2968 0167:bff9e530 52 push edx 2969 0167:bff9e531 ff75f8 push dword ptr [ebp-08] 2970 0167:bff9e534 e8c385fdff call bff76afc = KERNEL32.DLL!78 2971 KERNEL32.DLL:.text+0x25539: 2972 *0167:bff9e539 8b4d10 mov ecx,dword ptr [ebp+10] 2973 0167:bff9e53c 8901 mov dword ptr [ecx],eax 2974 0167:bff9e53e 895104 mov dword ptr [ecx+04],edx 2975 0167:bff9e541 8be5 mov esp,ebp 2976 0167:bff9e543 5d pop ebp 2977 0167:bff9e544 c20c00 retd 000c 2978 0167:bff9e547 55 push ebp 2979 0167:bff9e548 8b4c2408 mov ecx,dword ptr [esp+08] 2980 0167:bff9e54c 668b01 mov ax,word ptr [ecx] 2981 0167:bff9e54f 8bec mov ebp,esp 2982 0167:bff9e551 668b5102 mov dx,word ptr [ecx+02] 2983 2984 -------------------- 2985 2986 2987 013af9c8 e661a17c 2988 013af9cc 00000ba7 2989 013af9d0 00002710 2990 013af9d4 e661a17c 2991 013af9d8 00000000 2992 013af9dc 013afa1c -> 00 b0 80 81 ec 6e 83 81 40 00 00 00 00 00 00 00 .....n..@....... 2993 013af9e0 000d3118 2994 013af9e4 81836ec8 -> 24 00 00 a0 04 00 00 00 00 00 00 00 00 00 00 00 $............... 2995 013af9e8 00000024 2996 013af9ec bff7a3a0 = KERNEL32.DLL:.text+0x13a0 2997 2998 -------------------- 2999 3000 0167:bff7a385 2bfb sub edi,ebx 3001 0167:bff7a387 57 push edi 3002 0167:bff7a388 894108 mov dword ptr [ecx+08],eax 3003 0167:bff7a38b 8b5604 mov edx,dword ptr [esi+04] 3004 0167:bff7a38e 8b4608 mov eax,dword ptr [esi+08] 3005 0167:bff7a391 895004 mov dword ptr [eax+04],edx 3006 0167:bff7a394 8d041e lea eax,[esi+ebx] 3007 0167:bff7a397 50 push eax 3008 0167:bff7a398 ff7508 push dword ptr [ebp+08] 3009 0167:bff7a39b e871fdffff call bff7a111 = KERNEL32.DLL:.text+0x1111 3010 KERNEL32.DLL:.text+0x13a0: 3011 *0167:bff7a3a0 eb36 jmp bff7a3d8 = KERNEL32.DLL:.text+0x13d8 3012 0167:bff7a3a2 8b4d08 mov ecx,dword ptr [ebp+08] 3013 0167:bff7a3a5 0fb64170 movzx eax,byte ptr [ecx+70] 3014 0167:bff7a3a9 0b45f4 or eax,dword ptr [ebp-0c] 3015 0167:bff7a3ac 50 push eax 3016 0167:bff7a3ad 8b45f8 mov eax,dword ptr [ebp-08] 3017 0167:bff7a3b0 2b45fc sub eax,dword ptr [ebp-04] 3018 0167:bff7a3b3 50 push eax 3019 0167:bff7a3b4 ff75fc push dword ptr [ebp-04] 3020 0167:bff7a3b7 e8f6feffff call bff7a2b2 = KERNEL32.DLL:.text+0x12b2 3021 0167:bff7a3bc 85c0 test eax,eax 3022 3023 -------------------- 3024 3025 3026 013af9f0 8180b000 -> 00 00 10 00 00 00 00 00 20 00 00 00 01 00 00 a0 ........ ....... 3027 013af9f4 013afa34 -> f0 31 4f c1 5c fa 3a 01 0e a1 f7 bf 67 a5 f7 bf .1O.\.:.....g... 3028 013af9f8 000d3108 3029 013af9fc 81836eec -> 10 00 00 a0 00 fc 82 81 00 fc 82 81 00 fc 82 81 ................ 3030 013afa00 00000010 3031 013afa04 bff7a3a0 = KERNEL32.DLL:.text+0x13a0 3032 3033 -------------------- 3034 3035 0167:bff7a385 2bfb sub edi,ebx 3036 0167:bff7a387 57 push edi 3037 0167:bff7a388 894108 mov dword ptr [ecx+08],eax 3038 0167:bff7a38b 8b5604 mov edx,dword ptr [esi+04] 3039 0167:bff7a38e 8b4608 mov eax,dword ptr [esi+08] 3040 0167:bff7a391 895004 mov dword ptr [eax+04],edx 3041 0167:bff7a394 8d041e lea eax,[esi+ebx] 3042 0167:bff7a397 50 push eax 3043 0167:bff7a398 ff7508 push dword ptr [ebp+08] 3044 0167:bff7a39b e871fdffff call bff7a111 = KERNEL32.DLL:.text+0x1111 3045 KERNEL32.DLL:.text+0x13a0: 3046 *0167:bff7a3a0 eb36 jmp bff7a3d8 = KERNEL32.DLL:.text+0x13d8 3047 0167:bff7a3a2 8b4d08 mov ecx,dword ptr [ebp+08] 3048 0167:bff7a3a5 0fb64170 movzx eax,byte ptr [ecx+70] 3049 0167:bff7a3a9 0b45f4 or eax,dword ptr [ebp-0c] 3050 0167:bff7a3ac 50 push eax 3051 0167:bff7a3ad 8b45f8 mov eax,dword ptr [ebp-08] 3052 0167:bff7a3b0 2b45fc sub eax,dword ptr [ebp-04] 3053 0167:bff7a3b3 50 push eax 3054 0167:bff7a3b4 ff75fc push dword ptr [ebp-04] 3055 0167:bff7a3b7 e8f6feffff call bff7a2b2 = KERNEL32.DLL:.text+0x12b2 3056 0167:bff7a3bc 85c0 test eax,eax 3057 3058 -------------------- 3059 3060 3061 013afa08 8180b000 -> 00 00 10 00 00 00 00 00 20 00 00 00 01 00 00 a0 ........ ....... 3062 013afa0c 81836efc -> 2c 02 00 a0 07 00 00 00 10 95 4c c1 ec fb 77 00 ,.........L...w. 3063 013afa10 000d3108 3064 013afa14 00000000 3065 013afa18 8180b00c -> 01 00 00 a0 1c b0 80 81 14 74 83 81 80 00 00 00 .........t...... 3066 013afa1c 8180b000 -> 00 00 10 00 00 00 00 00 20 00 00 00 01 00 00 a0 ........ ....... 3067 013afa20 81836eec -> 10 00 00 a0 00 fc 82 81 00 fc 82 81 00 fc 82 81 ................ 3068 013afa24 00000040 3069 013afa28 00000000 3070 013afa2c 8180b050 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3071 013afa30 8180b00c -> 01 00 00 a0 1c b0 80 81 14 74 83 81 80 00 00 00 .........t...... 3072 013afa34 c14f31f0 -> 01 00 00 00 c8 59 83 81 e4 42 83 81 00 24 4f c1 .....Y...B...$O. 3073 013afa38 013afa5c -> cc 2a f9 bf f0 6e 83 81 00 fc 82 81 00 00 00 00 .*...n.......... 3074 013afa3c bff7a10e = KERNEL32.DLL:.text+0x110e 3075 3076 -------------------- 3077 3078 0167:bff7a0ea fa cli 3079 0167:bff7a0eb bf4ec3fabf mov edi,bffac34e 3080 0167:bff7a0f0 8b442404 mov eax,dword ptr [esp+04] 3081 0167:bff7a0f4 0fb64870 movzx ecx,byte ptr [eax+70] 3082 0167:bff7a0f8 0b4c2408 or ecx,dword ptr [esp+08] 3083 0167:bff7a0fc f6c101 test cl,01 3084 0167:bff7a0ff 750d jnz bff7a10e = KERNEL32.DLL:.text+0x110e 3085 0167:bff7a101 ff704c push dword ptr [eax+4c] 3086 0167:bff7a104 e8e5a1ffff call bff742ee = KERNEL32.DLL:_FREQASM+0x32ee 3087 0167:bff7a109 e83e010000 call bff7a24c = KERNEL32.DLL:.text+0x124c 3088 KERNEL32.DLL:.text+0x110e: 3089 *0167:bff7a10e c20800 retd 0008 3090 0167:bff7a111 53 push ebx 3091 0167:bff7a112 56 push esi 3092 0167:bff7a113 8b742410 mov esi,dword ptr [esp+10] 3093 0167:bff7a117 57 push edi 3094 0167:bff7a118 8b7c2418 mov edi,dword ptr [esp+18] 3095 0167:bff7a11c 55 push ebp 3096 0167:bff7a11d ba00001000 mov edx,00100000 3097 0167:bff7a122 8d1c3e lea ebx,[esi+edi] 3098 0167:bff7a125 8b03 mov eax,dword ptr [ebx] 3099 0167:bff7a127 a801 test al,01 3100 3101 -------------------- 3102 3103 3104 013afa40 bff7a567 = KERNEL32.DLL:.text+0x1567 3105 3106 -------------------- 3107 3108 0167:bff7a54a 56 push esi 3109 0167:bff7a54b e8a6fdffff call bff7a2f6 = KERNEL32.DLL:.text+0x12f6 3110 0167:bff7a550 89450c mov dword ptr [ebp+0c],eax 3111 0167:bff7a553 85c0 test eax,eax 3112 0167:bff7a555 7436 jz bff7a58d = KERNEL32.DLL:.text+0x158d 3113 0167:bff7a557 ff7510 push dword ptr [ebp+10] 3114 0167:bff7a55a 56 push esi 3115 0167:bff7a55b 0d000000a0 or eax,a0000000 3116 0167:bff7a560 8903 mov dword ptr [ebx],eax 3117 0167:bff7a562 e889fbffff call bff7a0f0 = KERNEL32.DLL:.text+0x10f0 3118 KERNEL32.DLL:.text+0x1567: 3119 *0167:bff7a567 8d4304 lea eax,[ebx+04] 3120 0167:bff7a56a eb49 jmp bff7a5b5 = KERNEL32.DLL:.text+0x15b5 3121 0167:bff7a56c 6a08 push +08 3122 0167:bff7a56e e82d240000 call bff7c9a0 = KERNEL32.DLL:.text+0x39a0 3123 0167:bff7a573 eb18 jmp bff7a58d = KERNEL32.DLL:.text+0x158d 3124 0167:bff7a575 6a08 push +08 3125 0167:bff7a577 e824240000 call bff7c9a0 = KERNEL32.DLL:.text+0x39a0 3126 0167:bff7a57c eb0f jmp bff7a58d = KERNEL32.DLL:.text+0x158d 3127 0167:bff7a57e 6a10 push +10 3128 0167:bff7a580 ff75fc push dword ptr [ebp-04] 3129 0167:bff7a583 680a000100 push 0001000a 3130 3131 -------------------- 3132 3133 3134 013afa44 8180b000 -> 00 00 10 00 00 00 00 00 20 00 00 00 01 00 00 a0 ........ ....... 3135 013afa48 00000040 3136 013afa4c 00000000 3137 013afa50 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 3138 3139 -------------------- 3140 3141 0167:bff741dd 51 push ecx 3142 0167:bff741de 52 push edx 3143 0167:bff741df 681d002a00 push 002a001d 3144 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 3145 0167:bff741e9 59 pop ecx 3146 0167:bff741ea 5a pop edx 3147 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 3148 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 3149 0167:bff741f1 50 push eax 3150 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 3151 KERNEL32.DLL:_FREQASM+0x31f7: 3152 *0167:bff741f7 58 pop eax 3153 0167:bff741f8 c20400 retd 0004 3154 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 3155 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 3156 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 3157 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 3158 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 3159 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 3160 0167:bff74212 ff4a04 dec dword ptr [edx+04] 3161 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 3162 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 3163 3164 -------------------- 3165 3166 3167 013afa54 8182fc00 -> 00 00 00 00 00 00 00 00 e4 42 83 81 00 00 00 00 .........B...... 3168 013afa58 013afa84 -> 5c fc 3a 01 49 16 00 76 01 00 00 00 b2 30 00 76 \.:.I..v.....0.v 3169 013afa5c bff92acc = KERNEL32.DLL:.text+0x19acc 3170 3171 -------------------- 3172 3173 0167:bff92aac e843d9feff call bff803f4 = KERNEL32.DLL:.text+0x73f4 3174 0167:bff92ab1 8bf0 mov esi,eax 3175 0167:bff92ab3 85f6 test esi,esi 3176 0167:bff92ab5 7415 jz bff92acc = KERNEL32.DLL:.text+0x19acc 3177 0167:bff92ab7 ff742410 push dword ptr [esp+10] 3178 0167:bff92abb 56 push esi 3179 0167:bff92abc ff742410 push dword ptr [esp+10] 3180 0167:bff92ac0 8b442418 mov eax,dword ptr [esp+18] 3181 0167:bff92ac4 894608 mov dword ptr [esi+08],eax 3182 0167:bff92ac7 e88ed9feff call bff8045a = KERNEL32.DLL:.text+0x745a 3183 KERNEL32.DLL:.text+0x19acc: 3184 *0167:bff92acc 8bc6 mov eax,esi 3185 0167:bff92ace 5e pop esi 3186 0167:bff92acf c20c00 retd 000c 3187 0167:bff92ad2 ff742404 push dword ptr [esp+04] 3188 0167:bff92ad6 e80c16ffff call bff840e7 = KERNEL32.DLL:.text+0xb0e7 3189 0167:bff92adb 85c0 test eax,eax 3190 0167:bff92add 7406 jz bff92ae5 = KERNEL32.DLL:.text+0x19ae5 3191 0167:bff92adf 50 push eax 3192 0167:bff92ae0 e8e0c8feff call bff7f3c5 = KERNEL32.DLL:.text+0x63c5 3193 0167:bff92ae5 c20400 retd 0004 3194 0167:bff92ae8 55 push ebp 3195 3196 -------------------- 3197 3198 3199 013afa60 81836ef0 -> 00 fc 82 81 00 fc 82 81 00 fc 82 81 2c 02 00 a0 ............,... 3200 013afa64 8182fc00 -> 00 00 00 00 00 00 00 00 e4 42 83 81 00 00 00 00 .........B...... 3201 013afa68 00000000 3202 013afa6c 81836ecc -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3203 013afa70 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 3204 3205 -------------------- 3206 3207 0167:bff741dd 51 push ecx 3208 0167:bff741de 52 push edx 3209 0167:bff741df 681d002a00 push 002a001d 3210 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 3211 0167:bff741e9 59 pop ecx 3212 0167:bff741ea 5a pop edx 3213 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 3214 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 3215 0167:bff741f1 50 push eax 3216 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 3217 KERNEL32.DLL:_FREQASM+0x31f7: 3218 *0167:bff741f7 58 pop eax 3219 0167:bff741f8 c20400 retd 0004 3220 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 3221 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 3222 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 3223 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 3224 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 3225 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 3226 0167:bff74212 ff4a04 dec dword ptr [edx+04] 3227 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 3228 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 3229 3230 -------------------- 3231 3232 3233 013afa74 bffc9490 = KERNEL32.DLL:.data+0x490 3234 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3235 013afa78 bff8433d = KERNEL32.DLL:.text+0xb33d 3236 3237 -------------------- 3238 3239 0167:bff8431f c60004 mov byte ptr [eax],04 3240 0167:bff84322 8b4508 mov eax,dword ptr [ebp+08] 3241 0167:bff84325 89461c mov dword ptr [esi+1c],eax 3242 0167:bff84328 eb08 jmp bff84332 = KERNEL32.DLL:.text+0xb332 3243 0167:bff8432a 56 push esi 3244 0167:bff8432b e82b4f0000 call bff8925b = KERNEL32.DLL:.text+0x1025b 3245 0167:bff84330 33f6 xor esi,esi 3246 0167:bff84332 a1109dfcbf mov eax,dword ptr [bffc9d10] 3247 0167:bff84337 50 push eax 3248 0167:bff84338 e8b0fefeff call bff741ed = KERNEL32.DLL!98 3249 KERNEL32.DLL:.text+0xb33d: 3250 *0167:bff8433d 33c0 xor eax,eax 3251 0167:bff8433f 85f6 test esi,esi 3252 0167:bff84341 750d jnz bff84350 = KERNEL32.DLL:.text+0xb350 3253 0167:bff84343 50 push eax 3254 0167:bff84344 50 push eax 3255 0167:bff84345 50 push eax 3256 0167:bff84346 68050000c0 push c0000005 3257 0167:bff8434b e88324ffff call bff767d3 = KERNEL32.DLL:_FREQASM+0x57d3 3258 0167:bff84350 5e pop esi 3259 0167:bff84351 5d pop ebp 3260 0167:bff84352 c20400 retd 0004 3261 3262 -------------------- 3263 3264 3265 013afa7c bffc9490 = KERNEL32.DLL:.data+0x490 3266 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3267 013afa80 76000000 = WS2_32.DLL+0x0 3268 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 3269 013afa84 013afc5c -> 00 00 00 00 d0 fa 3a 01 90 94 fc bf bc ff 3a 01 ......:.......:. 3270 013afa88 76001649 = WS2_32.DLL:.text+0x649 3271 3272 -------------------- 3273 3274 0167:7600162c 8bc3 mov eax,ebx 3275 0167:7600162e 5f pop edi 3276 0167:7600162f 5e pop esi 3277 0167:76001630 5b pop ebx 3278 0167:76001631 c9 leave 3279 0167:76001632 c20c00 retd 000c 3280 0167:76001635 8b442404 mov eax,dword ptr [esp+04] 3281 0167:76001639 68d8e30076 push 7600e3d8 3282 0167:7600163e a3fce30076 mov dword ptr [7600e3fc],eax 3283 0167:76001643 ff1538f20076 call dword ptr [7600f238] -> KERNEL32.DLL!InitializeCriticalSection 3284 WS2_32.DLL:.text+0x649: 3285 *0167:76001649 6a01 push +01 3286 0167:7600164b 58 pop eax 3287 0167:7600164c c3 retd 3288 0167:7600164d 68d8e30076 push 7600e3d8 3289 0167:76001652 ff153cf20076 call dword ptr [7600f23c] -> KERNEL32.DLL!DeleteCriticalSection 3290 0167:76001658 c3 retd 3291 0167:76001659 51 push ecx 3292 0167:7600165a 51 push ecx 3293 0167:7600165b 53 push ebx 3294 0167:7600165c 33db xor ebx,ebx 3295 0167:7600165e 391df0e30076 cmp dword ptr [7600e3f0],ebx 3296 3297 -------------------- 3298 3299 3300 013afa8c 00000001 3301 013afa90 760030b2 = WS2_32.DLL:.text+0x20b2 3302 3303 -------------------- 3304 3305 0167:76003086 7565 jnz 760030ed = WS2_32.DLL:.text+0x20ed 3306 0167:76003088 e84b0a0000 call 76003ad8 = WS2_32.DLL:.text+0x2ad8 3307 0167:7600308d eb5e jmp 760030ed = WS2_32.DLL:.text+0x20ed 3308 0167:7600308f ff15a4f20076 call dword ptr [7600f2a4] -> KERNEL32.DLL!TlsAlloc 3309 0167:76003095 a380d50076 mov dword ptr [7600d580],eax 3310 0167:7600309a e81b6f0000 call 76009fba = WS2_32.DLL:.text+0x8fba 3311 0167:7600309f e80b6f0000 call 76009faf = WS2_32.DLL:.text+0x8faf 3312 0167:760030a4 e8a6f0ffff call 7600214f = WS2_32.DLL:.text+0x114f 3313 0167:760030a9 ff742404 push dword ptr [esp+04] 3314 0167:760030ad e883e5ffff call 76001635 = WS2_32.DLL:.text+0x635 3315 WS2_32.DLL:.text+0x20b2: 3316 *0167:760030b2 59 pop ecx 3317 0167:760030b3 eb38 jmp 760030ed = WS2_32.DLL:.text+0x20ed 3318 0167:760030b5 837c240c00 cmp dword ptr [esp+0c],+00 3319 0167:760030ba 750a jnz 760030c6 = WS2_32.DLL:.text+0x20c6 3320 0167:760030bc e8056f0000 call 76009fc6 = WS2_32.DLL:.text+0x8fc6 3321 0167:760030c1 e887e5ffff call 7600164d = WS2_32.DLL:.text+0x64d 3322 0167:760030c6 e86ef1ffff call 76002239 = WS2_32.DLL:.text+0x1239 3323 0167:760030cb a180d50076 mov eax,dword ptr [7600d580] 3324 0167:760030d0 c7050ce3007668300076 mov dword ptr [7600e30c],76003068 3325 0167:760030da 83f8ff cmp eax,-01 3326 0167:760030dd 740e jz 760030ed = WS2_32.DLL:.text+0x20ed 3327 3328 -------------------- 3329 3330 3331 013afa94 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 3332 3333 -------------------- 3334 3335 0167:bff741dd 51 push ecx 3336 0167:bff741de 52 push edx 3337 0167:bff741df 681d002a00 push 002a001d 3338 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 3339 0167:bff741e9 59 pop ecx 3340 0167:bff741ea 5a pop edx 3341 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 3342 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 3343 0167:bff741f1 50 push eax 3344 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 3345 KERNEL32.DLL:_FREQASM+0x31f7: 3346 *0167:bff741f7 58 pop eax 3347 0167:bff741f8 c20400 retd 0004 3348 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 3349 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 3350 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 3351 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 3352 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 3353 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 3354 0167:bff74212 ff4a04 dec dword ptr [edx+04] 3355 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 3356 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 3357 3358 -------------------- 3359 3360 3361 013afa98 818359c9 -> 00 00 00 d0 46 4f c1 d8 ea 3a 01 00 00 3b 01 00 ....FO...:...;.. 3362 013afa9c bff768f3 = KERNEL32.DLL:_FREQASM+0x58f3 3363 3364 -------------------- 3365 3366 0167:bff768e0 fc cld 3367 0167:bff768e1 a5 movs dword ptr es:[edi],dword ptr ds:[esi] 3368 0167:bff768e2 a5 movs dword ptr es:[edi],dword ptr ds:[esi] 3369 0167:bff768e3 a5 movs dword ptr es:[edi],dword ptr ds:[esi] 3370 0167:bff768e4 a5 movs dword ptr es:[edi],dword ptr ds:[esi] 3371 0167:bff768e5 a5 movs dword ptr es:[edi],dword ptr ds:[esi] 3372 0167:bff768e6 a5 movs dword ptr es:[edi],dword ptr ds:[esi] 3373 0167:bff768e7 0c01 or al,01 3374 0167:bff768e9 68c094fcbf push bffc94c0 3375 0167:bff768ee e8fad8ffff call bff741ed = KERNEL32.DLL!98 3376 KERNEL32.DLL:_FREQASM+0x58f3: 3377 *0167:bff768f3 5f pop edi 3378 0167:bff768f4 5e pop esi 3379 0167:bff768f5 c9 leave 3380 0167:bff768f6 c21800 retd 0018 3381 0167:bff768f9 833db8a0fcbf00 cmp dword ptr [bffca0b8],+00 3382 0167:bff76900 7416 jz bff76918 = KERNEL32.DLL:_FREQASM+0x5918 3383 0167:bff76902 6a20 push +20 3384 0167:bff76904 e8d99b0000 call bff804e2 = KERNEL32.DLL:.text+0x74e2 3385 0167:bff76909 0bc0 or eax,eax 3386 0167:bff7690b 74dc jz bff768e9 = KERNEL32.DLL:_FREQASM+0x58e9 3387 0167:bff7690d 8bf8 mov edi,eax 3388 3389 -------------------- 3390 3391 3392 013afaa0 bffc94c0 = KERNEL32.DLL:.data+0x4c0 3393 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3394 013afaa4 00000000 3395 013afaa8 6ae40000 = NSISDL.DLL+0x0 3396 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 3397 013afaac 013afc78 -> 00 00 00 00 ac fc 3a 01 a0 c8 f7 bf fc 6a 83 81 ......:......j.. 3398 013afab0 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 3399 3400 -------------------- 3401 3402 0167:bff741dd 51 push ecx 3403 0167:bff741de 52 push edx 3404 0167:bff741df 681d002a00 push 002a001d 3405 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 3406 0167:bff741e9 59 pop ecx 3407 0167:bff741ea 5a pop edx 3408 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 3409 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 3410 0167:bff741f1 50 push eax 3411 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 3412 KERNEL32.DLL:_FREQASM+0x31f7: 3413 *0167:bff741f7 58 pop eax 3414 0167:bff741f8 c20400 retd 0004 3415 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 3416 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 3417 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 3418 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 3419 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 3420 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 3421 0167:bff74212 ff4a04 dec dword ptr [edx+04] 3422 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 3423 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 3424 3425 -------------------- 3426 3427 3428 013afab4 00000008 3429 013afab8 bff7698b = KERNEL32.DLL:_FREQASM+0x598b 3430 3431 -------------------- 3432 3433 0167:bff76969 7512 jnz bff7697d = KERNEL32.DLL:_FREQASM+0x597d 3434 0167:bff7696b a801 test al,01 3435 0167:bff7696d 7520 jnz bff7698f = KERNEL32.DLL:_FREQASM+0x598f 3436 0167:bff7696f 8b15bca0fcbf mov edx,dword ptr [bffca0bc] 3437 0167:bff76975 8911 mov dword ptr [ecx],edx 3438 0167:bff76977 890dbca0fcbf mov dword ptr [bffca0bc],ecx 3439 0167:bff7697d a804 test al,04 3440 0167:bff7697f 75d6 jnz bff76957 = KERNEL32.DLL:_FREQASM+0x5957 3441 0167:bff76981 68c094fcbf push bffc94c0 3442 0167:bff76986 e862d8ffff call bff741ed = KERNEL32.DLL!98 3443 KERNEL32.DLL:_FREQASM+0x598b: 3444 *0167:bff7698b c9 leave 3445 0167:bff7698c c20400 retd 0004 3446 0167:bff7698f 50 push eax 3447 0167:bff76990 51 push ecx 3448 0167:bff76991 e8f1640000 call bff7ce87 = KERNEL32.DLL:.text+0x3e87 3449 0167:bff76996 58 pop eax 3450 0167:bff76997 ebe4 jmp bff7697d = KERNEL32.DLL:_FREQASM+0x597d 3451 0167:bff76999 64ff3500000000 push dword ptr fs:[00000000] 3452 0167:bff769a0 55 push ebp 3453 0167:bff769a1 8d4c2404 lea ecx,[esp+04] 3454 0167:bff769a5 16 push ss 3455 3456 -------------------- 3457 3458 3459 013afabc bffc94c0 = KERNEL32.DLL:.data+0x4c0 3460 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3461 013afac0 013afc78 -> 00 00 00 00 ac fc 3a 01 a0 c8 f7 bf fc 6a 83 81 ......:......j.. 3462 013afac4 bff769d5 = KERNEL32.DLL:_FREQASM+0x59d5 3463 3464 -------------------- 3465 3466 0167:bff769b3 e8e1ffffff call bff76999 = KERNEL32.DLL:_FREQASM+0x5999 3467 0167:bff769b8 a1e09cfcbf mov eax,dword ptr [bffc9ce0] 3468 0167:bff769bd 8b00 mov eax,dword ptr [eax] 3469 0167:bff769bf 8b4878 mov ecx,dword ptr [eax+78] 3470 0167:bff769c2 e304 jecxz bff769c8 = KERNEL32.DLL:_FREQASM+0x59c8 3471 0167:bff769c4 83490420 or dword ptr [ecx+04],+20 3472 0167:bff769c8 c3 retd 3473 0167:bff769c9 a1e09cfcbf mov eax,dword ptr [bffc9ce0] 3474 0167:bff769ce ff30 push dword ptr [eax] 3475 0167:bff769d0 e875ffffff call bff7694a = KERNEL32.DLL:_FREQASM+0x594a 3476 KERNEL32.DLL:_FREQASM+0x59d5: 3477 *0167:bff769d5 c3 retd 3478 0167:bff769d6 cc int 3 3479 0167:bff769d7 cc int 3 3480 0167:bff769d8 55 push ebp 3481 0167:bff769d9 8bec mov ebp,esp 3482 0167:bff769db 57 push edi 3483 0167:bff769dc 53 push ebx 3484 0167:bff769dd ff35109dfcbf push dword ptr [bffc9d10] 3485 0167:bff769e3 e8ccd7ffff call bff741b4 = KERNEL32.DLL!97 3486 0167:bff769e8 8b7d08 mov edi,dword ptr [ebp+08] 3487 0167:bff769eb b904000000 mov ecx,00000004 3488 3489 -------------------- 3490 3491 3492 013afac8 818359c8 -> 07 00 00 00 d0 46 4f c1 d8 ea 3a 01 00 00 3b 01 .....FO...:...;. 3493 013afacc bff7de32 = KERNEL32.DLL:.text+0x4e32 3494 3495 -------------------- 3496 3497 0167:bff7de07 ff75d8 push dword ptr [ebp-28] 3498 0167:bff7de0a e825fd0100 call bff9db34 = KERNEL32.DLL!UnhandledExceptionFilter 3499 0167:bff7de0f c3 retd 3500 0167:bff7de10 8b65e8 mov esp,dword ptr [ebp-18] 3501 0167:bff7de13 c745e401000000 mov dword ptr [ebp-1c],00000001 3502 0167:bff7de1a 8d8564feffff lea eax,[ebp-0000019c] 3503 0167:bff7de20 50 push eax 3504 0167:bff7de21 e836d00200 call bffaae5c = KERNEL32.DLL:.text+0x31e5c 3505 0167:bff7de26 c745fcffffffff mov dword ptr [ebp-04],ffffffff 3506 0167:bff7de2d e8978bffff call bff769c9 = KERNEL32.DLL:_FREQASM+0x59c9 3507 KERNEL32.DLL:.text+0x4e32: 3508 *0167:bff7de32 8b45dc mov eax,dword ptr [ebp-24] 3509 0167:bff7de35 8020ef and byte ptr [eax],ef 3510 0167:bff7de38 8b45e4 mov eax,dword ptr [ebp-1c] 3511 0167:bff7de3b eb02 jmp bff7de3f = KERNEL32.DLL:.text+0x4e3f 3512 0167:bff7de3d 33c0 xor eax,eax 3513 0167:bff7de3f 8b4df0 mov ecx,dword ptr [ebp-10] 3514 0167:bff7de42 5f pop edi 3515 0167:bff7de43 64890d00000000 mov dword ptr fs:[00000000],ecx 3516 0167:bff7de4a 5e pop esi 3517 0167:bff7de4b 5b pop ebx 3518 0167:bff7de4c 8be5 mov esp,ebp 3519 3520 -------------------- 3521 3522 3523 013afad0 81834fac -> 24 00 00 a0 8c 4e 83 81 00 58 83 81 bc 0a 81 81 $....N...X...... 3524 013afad4 81834f7c -> cc 57 83 81 00 00 00 00 00 00 00 00 00 00 00 00 .W.............. 3525 013afad8 81834f90 -> 08 02 05 00 e4 42 83 81 00 4a 83 81 24 4a 83 81 .....B...J..$J.. 3526 013afadc c14f31f0 -> 01 00 00 00 c8 59 83 81 e4 42 83 81 00 24 4f c1 .....Y...B...$O. 3527 013afae0 00000000 3528 013afae4 00000001 3529 013afae8 00000000 3530 013afaec 013afb08 -> 20 fb 3a 01 28 b8 f7 bf ee 13 f7 bf 67 01 00 00 .:.(.......g... 3531 013afaf0 bff7b77b = KERNEL32.DLL:.text+0x277b 3532 3533 -------------------- 3534 3535 0167:bff7b75c a1109dfcbf mov eax,dword ptr [bffc9d10] 3536 0167:bff7b761 8bec mov ebp,esp 3537 0167:bff7b763 56 push esi 3538 0167:bff7b764 50 push eax 3539 0167:bff7b765 e84a8affff call bff741b4 = KERNEL32.DLL!97 3540 0167:bff7b76a ff7514 push dword ptr [ebp+14] 3541 0167:bff7b76d ff7510 push dword ptr [ebp+10] 3542 0167:bff7b770 ff750c push dword ptr [ebp+0c] 3543 0167:bff7b773 ff7508 push dword ptr [ebp+08] 3544 0167:bff7b776 e890fdffff call bff7b50b = KERNEL32.DLL:.text+0x250b 3545 KERNEL32.DLL:.text+0x277b: 3546 *0167:bff7b77b 8bf0 mov esi,eax 3547 0167:bff7b77d 85f6 test esi,esi 3548 0167:bff7b77f 740a jz bff7b78b = KERNEL32.DLL:.text+0x278b 3549 0167:bff7b781 f6451380 test byte ptr [ebp+13],80 3550 0167:bff7b785 7404 jz bff7b78b = KERNEL32.DLL:.text+0x278b 3551 0167:bff7b787 66ff4602 inc word ptr [esi+02] 3552 0167:bff7b78b a1109dfcbf mov eax,dword ptr [bffc9d10] 3553 0167:bff7b790 50 push eax 3554 0167:bff7b791 e8578affff call bff741ed = KERNEL32.DLL!98 3555 0167:bff7b796 8bc6 mov eax,esi 3556 0167:bff7b798 5e pop esi 3557 3558 -------------------- 3559 3560 3561 013afaf4 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 3562 3563 -------------------- 3564 3565 0167:bff741dd 51 push ecx 3566 0167:bff741de 52 push edx 3567 0167:bff741df 681d002a00 push 002a001d 3568 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 3569 0167:bff741e9 59 pop ecx 3570 0167:bff741ea 5a pop edx 3571 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 3572 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 3573 0167:bff741f1 50 push eax 3574 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 3575 KERNEL32.DLL:_FREQASM+0x31f7: 3576 *0167:bff741f7 58 pop eax 3577 0167:bff741f8 c20400 retd 0004 3578 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 3579 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 3580 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 3581 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 3582 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 3583 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 3584 0167:bff74212 ff4a04 dec dword ptr [edx+04] 3585 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 3586 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 3587 3588 -------------------- 3589 3590 3591 013afaf8 bffc9490 = KERNEL32.DLL:.data+0x490 3592 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3593 013afafc bff7b796 = KERNEL32.DLL:.text+0x2796 3594 3595 -------------------- 3596 3597 0167:bff7b776 e890fdffff call bff7b50b = KERNEL32.DLL:.text+0x250b 3598 0167:bff7b77b 8bf0 mov esi,eax 3599 0167:bff7b77d 85f6 test esi,esi 3600 0167:bff7b77f 740a jz bff7b78b = KERNEL32.DLL:.text+0x278b 3601 0167:bff7b781 f6451380 test byte ptr [ebp+13],80 3602 0167:bff7b785 7404 jz bff7b78b = KERNEL32.DLL:.text+0x278b 3603 0167:bff7b787 66ff4602 inc word ptr [esi+02] 3604 0167:bff7b78b a1109dfcbf mov eax,dword ptr [bffc9d10] 3605 0167:bff7b790 50 push eax 3606 0167:bff7b791 e8578affff call bff741ed = KERNEL32.DLL!98 3607 KERNEL32.DLL:.text+0x2796: 3608 *0167:bff7b796 8bc6 mov eax,esi 3609 0167:bff7b798 5e pop esi 3610 0167:bff7b799 5d pop ebp 3611 0167:bff7b79a c21000 retd 0010 3612 0167:bff7b79d 55 push ebp 3613 0167:bff7b79e 8bec mov ebp,esp 3614 0167:bff7b7a0 53 push ebx 3615 0167:bff7b7a1 56 push esi 3616 0167:bff7b7a2 57 push edi 3617 0167:bff7b7a3 33ff xor edi,edi 3618 0167:bff7b7a5 837d1801 cmp dword ptr [ebp+18],+01 3619 3620 -------------------- 3621 3622 3623 013afb00 bffc9490 = KERNEL32.DLL:.data+0x490 3624 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3625 013afb04 00000000 3626 013afb08 013afb20 -> 01 00 00 00 08 00 00 00 0f 00 50 00 00 00 06 60 ..........P....` 3627 013afb0c bff7b828 = KERNEL32.DLL:.text+0x2828 3628 3629 -------------------- 3630 3631 0167:bff7b80b 5b pop ebx 3632 0167:bff7b80c c20800 retd 0008 3633 0167:bff7b80f 55 push ebp 3634 0167:bff7b810 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 3635 0167:bff7b815 8bec mov ebp,esp 3636 0167:bff7b817 ff742410 push dword ptr [esp+10] 3637 0167:bff7b81b ff750c push dword ptr [ebp+0c] 3638 0167:bff7b81e ff7508 push dword ptr [ebp+08] 3639 0167:bff7b821 ff30 push dword ptr [eax] 3640 0167:bff7b823 e833ffffff call bff7b75b = KERNEL32.DLL:.text+0x275b 3641 KERNEL32.DLL:.text+0x2828: 3642 *0167:bff7b828 5d pop ebp 3643 0167:bff7b829 c20c00 retd 000c 3644 0167:bff7b82c 55 push ebp 3645 0167:bff7b82d 8bec mov ebp,esp 3646 0167:bff7b82f 50 push eax 3647 0167:bff7b830 a1109dfcbf mov eax,dword ptr [bffc9d10] 3648 0167:bff7b835 50 push eax 3649 0167:bff7b836 e87989ffff call bff741b4 = KERNEL32.DLL!97 3650 0167:bff7b83b ff7508 push dword ptr [ebp+08] 3651 0167:bff7b83e e8d1fdffff call bff7b614 = KERNEL32.DLL:.text+0x2614 3652 0167:bff7b843 a1109dfcbf mov eax,dword ptr [bffc9d10] 3653 3654 -------------------- 3655 3656 3657 013afb10 bff713ee = KERNEL32.DLL:_FREQASM+0x3ee 3658 3659 -------------------- 3660 3661 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 3662 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3663 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3664 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3665 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3666 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 3667 0167:bff713d8 8f0424 pop dword ptr [esp] 3668 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 3669 0167:bff713e2 b801000100 mov eax,00010001 3670 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 3671 KERNEL32.DLL:_FREQASM+0x3ee: 3672 *0167:bff713ee b843002a00 mov eax,002a0043 3673 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 3674 0167:bff713fa 83c414 add esp,+14 3675 0167:bff713fd 0fb7c8 movzx ecx,ax 3676 0167:bff71400 0fa4d310 shld ebx,edx,10 3677 0167:bff71404 c0e302 shl bl,02 3678 0167:bff71407 6681ea0010 sub dx,1000 3679 0167:bff7140c 0fbfc2 movsx eax,dx 3680 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 3681 0167:bff71414 55 push ebp 3682 0167:bff71415 53 push ebx 3683 3684 -------------------- 3685 3686 3687 013afb14 00000167 3688 013afb18 bff7ead5 = KERNEL32.DLL:.text+0x5ad5 3689 3690 -------------------- 3691 3692 0167:bff7eab8 8b354c95fcbf mov esi,dword ptr [bffc954c] 3693 0167:bff7eabe b801000000 mov eax,00000001 3694 0167:bff7eac3 85db test ebx,ebx 3695 0167:bff7eac5 740e jz bff7ead5 = KERNEL32.DLL:.text+0x5ad5 3696 0167:bff7eac7 ff7518 push dword ptr [ebp+18] 3697 0167:bff7eaca ff75fc push dword ptr [ebp-04] 3698 0167:bff7eacd 56 push esi 3699 0167:bff7eace 53 push ebx 3700 0167:bff7eacf ff75f8 push dword ptr [ebp-08] 3701 0167:bff7ead2 ff551c call dword ptr [ebp+1c] 3702 KERNEL32.DLL:.text+0x5ad5: 3703 *0167:bff7ead5 85c0 test eax,eax 3704 0167:bff7ead7 7420 jz bff7eaf9 = KERNEL32.DLL:.text+0x5af9 3705 0167:bff7ead9 83e707 and edi,+07 3706 0167:bff7eadc 741b jz bff7eaf9 = KERNEL32.DLL:.text+0x5af9 3707 0167:bff7eade c1e710 shl edi,10 3708 0167:bff7eae1 015dfc add dword ptr [ebp-04],ebx 3709 0167:bff7eae4 097dfc or dword ptr [ebp-04],edi 3710 0167:bff7eae7 015df8 add dword ptr [ebp-08],ebx 3711 0167:bff7eaea ff7518 push dword ptr [ebp+18] 3712 0167:bff7eaed ff75fc push dword ptr [ebp-04] 3713 0167:bff7eaf0 56 push esi 3714 3715 -------------------- 3716 3717 3718 013afb1c 0007600f 3719 013afb20 00000001 3720 013afb24 00000008 3721 013afb28 0050000f 3722 013afb2c 60060000 3723 013afb30 00000000 3724 013afb34 7600f000 = WS2_32.DLL:.idata+0x0 3725 -> 8c f0 00 00 cd a1 20 37 ff ff ff ff 44 f4 00 00 ...... 7....D... 3726 013afb38 818107d0 -> 2e 69 64 61 74 61 00 00 ec 09 00 00 00 f0 00 00 .idata.......... 3727 013afb3c 0007600f 3728 013afb40 0050000f 3729 013afb44 013afb94 -> 64 f0 00 76 01 00 00 00 00 00 00 00 00 00 00 00 d..v............ 3730 013afb48 bff88698 = KERNEL32.DLL:.text+0xf698 3731 3732 -------------------- 3733 3734 0167:bff8867e 8b4324 mov eax,dword ptr [ebx+24] 3735 0167:bff88681 0d00000080 or eax,80000000 3736 0167:bff88686 50 push eax 3737 0167:bff88687 51 push ecx 3738 0167:bff88688 8b4314 mov eax,dword ptr [ebx+14] 3739 0167:bff8868b 0345f8 add eax,dword ptr [ebp-08] 3740 0167:bff8868e 50 push eax 3741 0167:bff8868f 56 push esi 3742 0167:bff88690 ff7508 push dword ptr [ebp+08] 3743 0167:bff88693 e88f63ffff call bff7ea27 = KERNEL32.DLL:.text+0x5a27 3744 KERNEL32.DLL:.text+0xf698: 3745 *0167:bff88698 85c0 test eax,eax 3746 0167:bff8869a 7409 jz bff886a5 = KERNEL32.DLL:.text+0xf6a5 3747 0167:bff8869c c745fc01000000 mov dword ptr [ebp-04],00000001 3748 0167:bff886a3 eb07 jmp bff886ac = KERNEL32.DLL:.text+0xf6ac 3749 0167:bff886a5 c745fc00000000 mov dword ptr [ebp-04],00000000 3750 0167:bff886ac 85ff test edi,edi 3751 0167:bff886ae 7418 jz bff886c8 = KERNEL32.DLL:.text+0xf6c8 3752 0167:bff886b0 837dfc00 cmp dword ptr [ebp-04],+00 3753 0167:bff886b4 740c jz bff886c2 = KERNEL32.DLL:.text+0xf6c2 3754 0167:bff886b6 6800100000 push 00001000 3755 0167:bff886bb 57 push edi 3756 3757 -------------------- 3758 3759 3760 013afb4c 7600000a = WS2_32.DLL+0xa 3761 -> 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 ..............@. 3762 013afb50 7600f000 = WS2_32.DLL:.idata+0x0 3763 -> 8c f0 00 00 cd a1 20 37 ff ff ff ff 44 f4 00 00 ...... 7....D... 3764 013afb54 0000f000 3765 013afb58 00001000 3766 013afb5c 60060000 3767 013afb60 bff713e2 = KERNEL32.DLL:_FREQASM+0x3e2 3768 3769 -------------------- 3770 3771 0167:bff713c5 c20400 retd 0004 3772 0167:bff713c8 33c0 xor eax,eax 3773 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 3774 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3775 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3776 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3777 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 3778 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 3779 0167:bff713d8 8f0424 pop dword ptr [esp] 3780 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 3781 KERNEL32.DLL:_FREQASM+0x3e2: 3782 *0167:bff713e2 b801000100 mov eax,00010001 3783 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 3784 0167:bff713ee b843002a00 mov eax,002a0043 3785 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 3786 0167:bff713fa 83c414 add esp,+14 3787 0167:bff713fd 0fb7c8 movzx ecx,ax 3788 0167:bff71400 0fa4d310 shld ebx,edx,10 3789 0167:bff71404 c0e302 shl bl,02 3790 0167:bff71407 6681ea0010 sub dx,1000 3791 0167:bff7140c 0fbfc2 movsx eax,dx 3792 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 3793 3794 -------------------- 3795 3796 3797 013afb64 0007600f 3798 013afb68 013afbe8 -> 60 06 81 81 6c 00 00 00 ae 67 e5 6a 7c 4f 83 81 `...l....g.j|O.. 3799 013afb6c 0007600f 3800 013afb70 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 3801 013afb74 00000000 3802 013afb78 00000001 3803 013afb7c 00003000 3804 013afb80 00001000 3805 013afb84 00000002 3806 013afb88 00020000 3807 013afb8c 00000000 3808 013afb90 7600f064 = WS2_32.DLL:.idata+0x64 3809 -> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3810 ... 3811 013afb98 00000001 3812 013afb9c 00000000 3813 ... 3814 013afbb4 00000001 3815 013afbb8 00000000 3816 ... 3817 013afbd8 7600b090 = WS2_32.DLL:.rdata+0x90 3818 -> 00 00 00 00 c6 e7 1f 37 00 00 00 00 0a bb 00 00 .......7........ 3819 013afbdc 0000006a 3820 013afbe0 013afc84 -> fc 6a 83 81 01 00 00 00 e4 42 83 81 00 00 00 00 .j.......B...... 3821 013afbe4 00000001 3822 013afbe8 81810660 -> 50 45 00 00 4c 01 06 00 31 a2 20 37 00 00 00 00 PE..L...1. 7.... 3823 013afbec 0000006c 3824 013afbf0 6ae567ae = NSISDL.DLL:.idata+0x7ae 3825 -> 73 6f 63 6b 65 74 00 00 00 00 00 60 01 00 00 60 socket.....`...` 3826 013afbf4 81834f7c -> cc 57 83 81 00 00 00 00 00 00 00 00 00 00 00 00 .W.............. 3827 013afbf8 81834f90 -> 08 02 05 00 e4 42 83 81 00 4a 83 81 24 4a 83 81 .....B...J..$J.. 3828 013afbfc 00000005 3829 013afc00 00000000 3830 ... 3831 013afc28 013affff -> 00 ýþÿÿÌÌÌÌÌÌÌÌÌÌÌ . 3832 013afc2c 76003078 = WS2_32.DLL:.text+0x2078 3833 3834 -------------------- 3835 3836 0167:76003060 59 pop ecx 3837 0167:76003061 5f pop edi 3838 0167:76003062 5e pop esi 3839 0167:76003063 5b pop ebx 3840 0167:76003064 c9 leave 3841 0167:76003065 c20800 retd 0008 3842 0167:76003068 8b44240c mov eax,dword ptr [esp+0c] 3843 0167:7600306c c7006b270000 mov dword ptr [eax],0000276b 3844 0167:76003072 83c8ff or eax,-01 3845 0167:76003075 c20c00 retd 000c 3846 WS2_32.DLL:.text+0x2078: 3847 *0167:76003078 8b442408 mov eax,dword ptr [esp+08] 3848 0167:7600307c 83e800 sub eax,+00 3849 0167:7600307f 7434 jz 760030b5 = WS2_32.DLL:.text+0x20b5 3850 0167:76003081 48 dec eax 3851 0167:76003082 740b jz 7600308f = WS2_32.DLL:.text+0x208f 3852 0167:76003084 48 dec eax 3853 0167:76003085 48 dec eax 3854 0167:76003086 7565 jnz 760030ed = WS2_32.DLL:.text+0x20ed 3855 0167:76003088 e84b0a0000 call 76003ad8 = WS2_32.DLL:.text+0x2ad8 3856 0167:7600308d eb5e jmp 760030ed = WS2_32.DLL:.text+0x20ed 3857 0167:7600308f ff15a4f20076 call dword ptr [7600f2a4] -> KERNEL32.DLL!TlsAlloc 3858 3859 -------------------- 3860 3861 3862 013afc30 00000001 3863 013afc34 bffc05b4 = KERNEL32.DLL:.text+0x475b4 3864 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 3865 013afc38 81835a0c -> 08 00 00 00 03 01 00 00 e7 2e 00 00 00 00 00 00 ................ 3866 013afc3c 00000000 3867 ... 3868 013afc44 013affff -> 00 ýþÿÿÌÌÌÌÌÌÌÌÌÌÌ . 3869 013afc48 6ae4434c = NSISDL.DLL:.text+0x334c 3870 -> 55 89 e5 8b 45 08 a3 20 c0 e4 6a b8 01 00 00 00 U...E.. ..j..... 3871 013afc4c 00000001 3872 013afc50 bffc05b4 = KERNEL32.DLL:.text+0x475b4 3873 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 3874 013afc54 81835a0c -> 08 00 00 00 03 01 00 00 e7 2e 00 00 00 00 00 00 ................ 3875 013afc58 00000000 3876 ... 3877 013afc60 013afad0 -> ac 4f 83 81 7c 4f 83 81 90 4f 83 81 f0 31 4f c1 .O..|O...O...1O. 3878 013afc64 bffc9490 = KERNEL32.DLL:.data+0x490 3879 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 3880 013afc68 013affbc -> ff ff ff ff b4 05 fc bf 50 90 f7 bf 00 00 00 00 ........P....... 3881 013afc6c bffc05b4 = KERNEL32.DLL:.text+0x475b4 3882 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 3883 013afc70 bff79198 = KERNEL32.DLL:.text+0x198 3884 -> ff ff ff ff 01 de f7 bf 10 de f7 bf 00 00 00 00 ................ 3885 013afc74 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 3886 013afc78 00000000 3887 013afc7c 013afcac -> e4 42 83 81 08 00 00 00 c8 59 83 81 38 ff 3a 01 .B.......Y..8.:. 3888 013afc80 bff7c8a0 = KERNEL32.DLL:.text+0x38a0 3889 3890 -------------------- 3891 3892 0167:bff7c883 5d pop ebp 3893 0167:bff7c884 c20c00 retd 000c 3894 0167:bff7c887 8b45ec mov eax,dword ptr [ebp-14] 3895 0167:bff7c88a 8b75fc mov esi,dword ptr [ebp-04] 3896 0167:bff7c88d 8b55f8 mov edx,dword ptr [ebp-08] 3897 0167:bff7c890 0fbf0470 movsx eax,word ptr [eax+esi*2] 3898 0167:bff7c894 034210 add eax,dword ptr [edx+10] 3899 0167:bff7c897 50 push eax 3900 0167:bff7c898 ff7508 push dword ptr [ebp+08] 3901 0167:bff7c89b e85ffdffff call bff7c5ff = KERNEL32.DLL:.text+0x35ff 3902 KERNEL32.DLL:.text+0x38a0: 3903 *0167:bff7c8a0 ebdc jmp bff7c87e = KERNEL32.DLL:.text+0x387e 3904 0167:bff7c8a2 ff74240c push dword ptr [esp+0c] 3905 0167:bff7c8a6 ff74240c push dword ptr [esp+0c] 3906 0167:bff7c8aa ff74240c push dword ptr [esp+0c] 3907 0167:bff7c8ae e853d20100 call bff99b06 = KERNEL32.DLL:.text+0x20b06 3908 0167:bff7c8b3 3d01000040 cmp eax,40000001 3909 0167:bff7c8b8 74e8 jz bff7c8a2 = KERNEL32.DLL:.text+0x38a2 3910 0167:bff7c8ba c20c00 retd 000c 3911 0167:bff7c8bd 6a00 push +00 3912 0167:bff7c8bf ff74240c push dword ptr [esp+0c] 3913 0167:bff7c8c3 ff74240c push dword ptr [esp+0c] 3914 3915 -------------------- 3916 3917 3918 013afc84 81836afc -> 50 45 00 00 4c 01 09 00 7f 32 bf 45 00 7a 06 00 PE..L....2.E.z.. 3919 013afc88 00000001 3920 013afc8c 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 3921 013afc90 00000000 3922 013afc94 6ae40000 = NSISDL.DLL+0x0 3923 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 3924 013afc98 6ae55038 = NSISDL.DLL:.edata+0x38 3925 -> 00 00 01 00 4e 53 49 53 64 6c 2e 64 6c 6c 00 64 ....NSISdl.dll.d 3926 013afc9c 6ae55030 = NSISDL.DLL:.edata+0x30 3927 -> 47 50 01 00 50 50 01 00 00 00 01 00 4e 53 49 53 GP..PP......NSIS 3928 013afca0 bff9940b = KERNEL32.DLL:.text+0x2040b 3929 3930 -------------------- 3931 3932 0167:bff993e8 6a00 push +00 3933 0167:bff993ea ff35049dfcbf push dword ptr [bffc9d04] 3934 0167:bff993f0 e818b7fdff call bff74b0d = KERNEL32.DLL:_FREQASM+0x3b0d 3935 0167:bff993f5 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 3936 0167:bff993fa 8b00 mov eax,dword ptr [eax] 3937 0167:bff993fc 83c060 add eax,+60 3938 0167:bff993ff 50 push eax 3939 0167:bff99400 e8e8adfdff call bff741ed = KERNEL32.DLL!98 3940 0167:bff99405 56 push esi 3941 0167:bff99406 e82046feff call bff7da2b = KERNEL32.DLL:.text+0x4a2b 3942 KERNEL32.DLL:.text+0x2040b: 3943 *0167:bff9940b 5f pop edi 3944 0167:bff9940c 5e pop esi 3945 0167:bff9940d 5b pop ebx 3946 0167:bff9940e 8be5 mov esp,ebp 3947 0167:bff99410 5d pop ebp 3948 0167:bff99411 c20800 retd 0008 3949 0167:bff99414 55 push ebp 3950 0167:bff99415 8bec mov ebp,esp 3951 0167:bff99417 81ec14010000 sub esp,00000114 3952 0167:bff9941d 53 push ebx 3953 0167:bff9941e 56 push esi 3954 3955 -------------------- 3956 3957 3958 013afca4 6ae55000 = NSISDL.DLL:.edata+0x0 3959 -> 00 00 00 00 7f 32 bf 45 00 00 00 00 3c 50 01 00 .....2.E.... 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 3962 013afcb0 00000008 3963 013afcb4 818359c8 -> 07 00 00 00 d0 46 4f c1 d8 ea 3a 01 00 00 3b 01 .....FO...:...;. 3964 013afcb8 013aff38 -> 68 ff 3a 01 74 18 40 00 5c 1f 44 00 02 04 00 00 h.:.t.@.\.D..... 3965 013afcbc 00403255 = DEBIAN-SVN45063.EXE:.text+0x2255 3966 3967 -------------------- 3968 3969 0167:00403230 8b459c mov eax,dword ptr [ebp-64] 3970 0167:00403233 8945a0 mov dword ptr [ebp-60],eax 3971 0167:00403236 83ec0c sub esp,+0c 3972 0167:00403239 6800c04000 push 0040c000 3973 0167:0040323e 6840f84000 push 0040f840 3974 0167:00403243 6800d04200 push 0042d000 3975 0167:00403248 6800040000 push 00000400 3976 0167:0040324d ff75dc push dword ptr [ebp-24] 3977 0167:00403250 8b45a0 mov eax,dword ptr [ebp-60] 3978 0167:00403253 ffd0 call eax 3979 DEBIAN-SVN45063.EXE:.text+0x2255: 3980 *0167:00403255 83c420 add esp,+20 3981 0167:00403258 eb13 jmp 0040326d = DEBIAN-SVN45063.EXE:.text+0x226d 3982 0167:0040325a 83ec08 sub esp,+08 3983 0167:0040325d ffb574ffffff push dword ptr [ebp-0000008c] 3984 0167:00403263 6af7 push -09 3985 0167:00403265 e8dc470000 call 00407a46 = DEBIAN-SVN45063.EXE:.text+0x6a46 3986 0167:0040326a 83c408 add esp,+08 3987 0167:0040326d 837dc800 cmp dword ptr [ebp-38],+00 3988 0167:00403271 752f jnz 004032a2 = DEBIAN-SVN45063.EXE:.text+0x22a2 3989 0167:00403273 83ec0c sub esp,+0c 3990 0167:00403276 ffb56cffffff push dword ptr [ebp-00000094] 3991 3992 -------------------- 3993 3994 3995 013afcc0 00000404 3996 013afcc4 00000400 3997 013afcc8 0042d000 = DEBIAN-SVN45063.EXE:.ndata+0x0 3998 -> 64 65 62 69 61 6e 00 31 00 65 6e 76 65 72 00 72 debian.1.enver.r 3999 013afccc 0040f840 = DEBIAN-SVN45063.EXE:.bss+0x840 4000 -> e4 43 45 00 00 00 00 00 00 00 00 00 00 00 00 00 .CE............. 4001 013afcd0 0040c000 = DEBIAN-SVN45063.EXE:.data+0x0 4002 -> 30 94 42 00 20 18 40 00 35 92 40 00 06 00 00 00 0.B. .@.5.@..... 4003 013afcd4 0040f850 = DEBIAN-SVN45063.EXE:.bss+0x850 4004 -> 64 6f 77 6e 6c 6f 61 64 00 53 5c 54 45 4d 50 5c download.S\TEMP\ 4005 013afcd8 00000000 4006 ... 4007 013afd14 00000001 4008 013afd18 00000000 4009 013afd1c 00000090 4010 013afd20 00000110 4011 013afd24 00000000 4012 013afd28 00000128 4013 013afd2c 0000f378 4014 013afd30 010a0a80 -> cb 0e fc ff ff ff ff ff 00 00 00 00 00 00 00 00 ................ 4015 013afd34 10001a3e = HOOK.DLL:.text+0xa3e 4016 4017 -------------------- 4018 4019 0167:10001a20 8945e4 mov dword ptr [ebp-1c],eax 4020 0167:10001a23 834dfcff or dword ptr [ebp-04],-01 4021 0167:10001a27 e84a000000 call 10001a76 = HOOK.DLL:.text+0xa76 4022 0167:10001a2c 8b7de4 mov edi,dword ptr [ebp-1c] 4023 0167:10001a2f 85ff test edi,edi 4024 0167:10001a31 7412 jz 10001a45 = HOOK.DLL:.text+0xa45 4025 0167:10001a33 ff75e0 push dword ptr [ebp-20] 4026 0167:10001a36 6a00 push +00 4027 0167:10001a38 57 push edi 4028 0167:10001a39 e832210000 call 10003b70 = HOOK.DLL:.text+0x2b70 4029 HOOK.DLL:.text+0xa3e: 4030 *0167:10001a3e 83c40c add esp,+0c 4031 0167:10001a41 85ff test edi,edi 4032 0167:10001a43 753a jnz 10001a7f = HOOK.DLL:.text+0xa7f 4033 0167:10001a45 56 push esi 4034 0167:10001a46 6a08 push +08 4035 0167:10001a48 ff3500900010 push dword ptr [10009000] 4036 0167:10001a4e ff1544600010 call dword ptr [10006044] -> KERNEL32.DLL!HeapAlloc 4037 0167:10001a54 8bf8 mov edi,eax 4038 0167:10001a56 85ff test edi,edi 4039 0167:10001a58 7525 jnz 10001a7f = HOOK.DLL:.text+0xa7f 4040 0167:10001a5a 393de48b0010 cmp dword ptr [10008be4],edi 4041 4042 -------------------- 4043 4044 4045 013afd38 010a0a80 -> cb 0e fc ff ff ff ff ff 00 00 00 00 00 00 00 00 ................ 4046 013afd3c 00000000 4047 013afd40 10001a86 = HOOK.DLL:.text+0xa86 4048 4049 -------------------- 4050 4051 0167:10001a69 85c0 test eax,eax 4052 0167:10001a6b 0f8576ffffff jnz 100019e7 = HOOK.DLL:.text+0x9e7 4053 0167:10001a71 eb0e jmp 10001a81 = HOOK.DLL:.text+0xa81 4054 0167:10001a73 8b750c mov esi,dword ptr [ebp+0c] 4055 0167:10001a76 6a04 push +04 4056 0167:10001a78 e8220d0000 call 1000279f = HOOK.DLL:.text+0x179f 4057 0167:10001a7d 59 pop ecx 4058 0167:10001a7e c3 retd 4059 0167:10001a7f 8bc7 mov eax,edi 4060 0167:10001a81 e8b1090000 call 10002437 = HOOK.DLL:.text+0x1437 4061 HOOK.DLL:.text+0xa86: 4062 *0167:10001a86 c3 retd 4063 0167:10001a87 83ec48 sub esp,+48 4064 0167:10001a8a 53 push ebx 4065 0167:10001a8b bb80040000 mov ebx,00000480 4066 0167:10001a90 53 push ebx 4067 0167:10001a91 e87c220000 call 10003d12 = HOOK.DLL:.text+0x2d12 4068 0167:10001a96 85c0 test eax,eax 4069 0167:10001a98 59 pop ecx 4070 0167:10001a99 7508 jnz 10001aa3 = HOOK.DLL:.text+0xaa3 4071 0167:10001a9b 83c8ff or eax,-01 4072 0167:10001a9e e9dd010000 jmp 10001c80 = HOOK.DLL:.text+0xc80 4073 4074 -------------------- 4075 4076 4077 013afd44 00000000 4078 013afd48 00000002 4079 013afd4c 81835a0c -> 08 00 00 00 03 01 00 00 e7 2e 00 00 00 00 00 00 ................ 4080 013afd50 0000008c 4081 013afd54 010a0a80 -> cb 0e fc ff ff ff ff ff 00 00 00 00 00 00 00 00 ................ 4082 013afd58 8de82eff 4083 013afd5c ffffffff 4084 013afd60 013afd7c -> e2 13 f7 bf 67 01 00 00 32 9b f9 bf f7 41 f7 bf ....g...2....A.. 4085 013afd64 bff7b77b = KERNEL32.DLL:.text+0x277b 4086 4087 -------------------- 4088 4089 0167:bff7b75c a1109dfcbf mov eax,dword ptr [bffc9d10] 4090 0167:bff7b761 8bec mov ebp,esp 4091 0167:bff7b763 56 push esi 4092 0167:bff7b764 50 push eax 4093 0167:bff7b765 e84a8affff call bff741b4 = KERNEL32.DLL!97 4094 0167:bff7b76a ff7514 push dword ptr [ebp+14] 4095 0167:bff7b76d ff7510 push dword ptr [ebp+10] 4096 0167:bff7b770 ff750c push dword ptr [ebp+0c] 4097 0167:bff7b773 ff7508 push dword ptr [ebp+08] 4098 0167:bff7b776 e890fdffff call bff7b50b = KERNEL32.DLL:.text+0x250b 4099 KERNEL32.DLL:.text+0x277b: 4100 *0167:bff7b77b 8bf0 mov esi,eax 4101 0167:bff7b77d 85f6 test esi,esi 4102 0167:bff7b77f 740a jz bff7b78b = KERNEL32.DLL:.text+0x278b 4103 0167:bff7b781 f6451380 test byte ptr [ebp+13],80 4104 0167:bff7b785 7404 jz bff7b78b = KERNEL32.DLL:.text+0x278b 4105 0167:bff7b787 66ff4602 inc word ptr [esi+02] 4106 0167:bff7b78b a1109dfcbf mov eax,dword ptr [bffc9d10] 4107 0167:bff7b790 50 push eax 4108 0167:bff7b791 e8578affff call bff741ed = KERNEL32.DLL!98 4109 0167:bff7b796 8bc6 mov eax,esi 4110 0167:bff7b798 5e pop esi 4111 4112 -------------------- 4113 4114 4115 013afd68 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 4116 4117 -------------------- 4118 4119 0167:bff741dd 51 push ecx 4120 0167:bff741de 52 push edx 4121 0167:bff741df 681d002a00 push 002a001d 4122 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 4123 0167:bff741e9 59 pop ecx 4124 0167:bff741ea 5a pop edx 4125 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 4126 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 4127 0167:bff741f1 50 push eax 4128 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 4129 KERNEL32.DLL:_FREQASM+0x31f7: 4130 *0167:bff741f7 58 pop eax 4131 0167:bff741f8 c20400 retd 0004 4132 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 4133 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 4134 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 4135 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 4136 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 4137 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 4138 0167:bff74212 ff4a04 dec dword ptr [edx+04] 4139 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 4140 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 4141 4142 -------------------- 4143 4144 4145 013afd6c bffc9490 = KERNEL32.DLL:.data+0x490 4146 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 4147 013afd70 bff7b796 = KERNEL32.DLL:.text+0x2796 4148 4149 -------------------- 4150 4151 0167:bff7b776 e890fdffff call bff7b50b = KERNEL32.DLL:.text+0x250b 4152 0167:bff7b77b 8bf0 mov esi,eax 4153 0167:bff7b77d 85f6 test esi,esi 4154 0167:bff7b77f 740a jz bff7b78b = KERNEL32.DLL:.text+0x278b 4155 0167:bff7b781 f6451380 test byte ptr [ebp+13],80 4156 0167:bff7b785 7404 jz bff7b78b = KERNEL32.DLL:.text+0x278b 4157 0167:bff7b787 66ff4602 inc word ptr [esi+02] 4158 0167:bff7b78b a1109dfcbf mov eax,dword ptr [bffc9d10] 4159 0167:bff7b790 50 push eax 4160 0167:bff7b791 e8578affff call bff741ed = KERNEL32.DLL!98 4161 KERNEL32.DLL:.text+0x2796: 4162 *0167:bff7b796 8bc6 mov eax,esi 4163 0167:bff7b798 5e pop esi 4164 0167:bff7b799 5d pop ebp 4165 0167:bff7b79a c21000 retd 0010 4166 0167:bff7b79d 55 push ebp 4167 0167:bff7b79e 8bec mov ebp,esp 4168 0167:bff7b7a0 53 push ebx 4169 0167:bff7b7a1 56 push esi 4170 0167:bff7b7a2 57 push edi 4171 0167:bff7b7a3 33ff xor edi,edi 4172 0167:bff7b7a5 837d1801 cmp dword ptr [ebp+18],+01 4173 4174 -------------------- 4175 4176 4177 013afd74 bffc9490 = KERNEL32.DLL:.data+0x490 4178 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 4179 013afd78 ffffffff 4180 013afd7c bff713e2 = KERNEL32.DLL:_FREQASM+0x3e2 4181 4182 -------------------- 4183 4184 0167:bff713c5 c20400 retd 0004 4185 0167:bff713c8 33c0 xor eax,eax 4186 0167:bff713ca ebf7 jmp bff713c3 = KERNEL32.DLL:_FREQASM+0x3c3 4187 0167:bff713cc ebfa jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 4188 0167:bff713ce ebf8 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 4189 0167:bff713d0 ebf6 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 4190 0167:bff713d2 ebf4 jmp bff713c8 = KERNEL32.DLL:_FREQASM+0x3c8 4191 0167:bff713d4 8b442404 mov eax,dword ptr [esp+04] 4192 0167:bff713d8 8f0424 pop dword ptr [esp] 4193 0167:bff713db 2eff1d3497fcbf call fword ptr ss:[bffc9734] 4194 KERNEL32.DLL:_FREQASM+0x3e2: 4195 *0167:bff713e2 b801000100 mov eax,00010001 4196 0167:bff713e7 2eff1d3497fcbf call fword ptr ss:[bffc9734] 4197 0167:bff713ee b843002a00 mov eax,002a0043 4198 0167:bff713f3 2eff1d3497fcbf call fword ptr ss:[bffc9734] 4199 0167:bff713fa 83c414 add esp,+14 4200 0167:bff713fd 0fb7c8 movzx ecx,ax 4201 0167:bff71400 0fa4d310 shld ebx,edx,10 4202 0167:bff71404 c0e302 shl bl,02 4203 0167:bff71407 6681ea0010 sub dx,1000 4204 0167:bff7140c 0fbfc2 movsx eax,dx 4205 0167:bff7140f e9d1000000 jmp bff714e5 = KERNEL32.DLL:_FREQASM+0x4e5 4206 4207 -------------------- 4208 4209 4210 013afd80 00000167 4211 013afd84 bff99b32 = KERNEL32.DLL:.text+0x20b32 4212 4213 -------------------- 4214 4215 0167:bff99b0f e818b5feff call bff8502c = KERNEL32.DLL:.text+0xc02c 4216 0167:bff99b14 85c0 test eax,eax 4217 0167:bff99b16 7407 jz bff99b1f = KERNEL32.DLL:.text+0x20b1f 4218 0167:bff99b18 bec0000000 mov esi,000000c0 4219 0167:bff99b1d eb21 jmp bff99b40 = KERNEL32.DLL:.text+0x20b40 4220 0167:bff99b1f 56 push esi 4221 0167:bff99b20 ff742410 push dword ptr [esp+10] 4222 0167:bff99b24 ff742410 push dword ptr [esp+10] 4223 0167:bff99b28 685c002a00 push 002a005c 4224 0167:bff99b2d e8a278fdff call bff713d4 = KERNEL32.DLL!1 4225 KERNEL32.DLL:.text+0x20b32: 4226 *0167:bff99b32 3dc0000000 cmp eax,000000c0 4227 0167:bff99b37 8bf0 mov esi,eax 4228 0167:bff99b39 7505 jnz bff99b40 = KERNEL32.DLL:.text+0x20b40 4229 0167:bff99b3b e8ecb4feff call bff8502c = KERNEL32.DLL:.text+0xc02c 4230 0167:bff99b40 8bc6 mov eax,esi 4231 0167:bff99b42 5e pop esi 4232 0167:bff99b43 c20c00 retd 000c 4233 0167:bff99b46 6a05 push +05 4234 0167:bff99b48 6a28 push +28 4235 0167:bff99b4a e8d732feff call bff7ce26 = KERNEL32.DLL:.text+0x3e26 4236 0167:bff99b4f 85c0 test eax,eax 4237 4238 -------------------- 4239 4240 4241 013afd88 bff741f7 = KERNEL32.DLL:_FREQASM+0x31f7 4242 4243 -------------------- 4244 4245 0167:bff741dd 51 push ecx 4246 0167:bff741de 52 push edx 4247 0167:bff741df 681d002a00 push 002a001d 4248 0167:bff741e4 e8ebd1ffff call bff713d4 = KERNEL32.DLL!1 4249 0167:bff741e9 59 pop ecx 4250 0167:bff741ea 5a pop edx 4251 0167:bff741eb ebe8 jmp bff741d5 = KERNEL32.DLL:_FREQASM+0x31d5 4252 0167:bff741ed 8b542404 mov edx,dword ptr [esp+04] 4253 0167:bff741f1 50 push eax 4254 0167:bff741f2 e804000000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 4255 KERNEL32.DLL:_FREQASM+0x31f7: 4256 *0167:bff741f7 58 pop eax 4257 0167:bff741f8 c20400 retd 0004 4258 0167:bff741fb 833dec9cfcbf01 cmp dword ptr [bffc9cec],+01 4259 0167:bff74202 7c32 jl bff74236 = KERNEL32.DLL:_FREQASM+0x3236 4260 0167:bff74204 3b157094fcbf cmp edx,dword ptr [bffc9470] 4261 0167:bff7420a 7506 jnz bff74212 = KERNEL32.DLL:_FREQASM+0x3212 4262 0167:bff7420c 837a0401 cmp dword ptr [edx+04],+01 4263 0167:bff74210 7426 jz bff74238 = KERNEL32.DLL:_FREQASM+0x3238 4264 0167:bff74212 ff4a04 dec dword ptr [edx+04] 4265 0167:bff74215 754a jnz bff74261 = KERNEL32.DLL:_FREQASM+0x3261 4266 0167:bff74217 c7420800000000 mov dword ptr [edx+08],00000000 4267 4268 -------------------- 4269 4270 4271 013afd8c bffc9490 = KERNEL32.DLL:.data+0x490 4272 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 4273 013afd90 bff7b84e = KERNEL32.DLL:.text+0x284e 4274 4275 -------------------- 4276 4277 0167:bff7b82d 8bec mov ebp,esp 4278 0167:bff7b82f 50 push eax 4279 0167:bff7b830 a1109dfcbf mov eax,dword ptr [bffc9d10] 4280 0167:bff7b835 50 push eax 4281 0167:bff7b836 e87989ffff call bff741b4 = KERNEL32.DLL!97 4282 0167:bff7b83b ff7508 push dword ptr [ebp+08] 4283 0167:bff7b83e e8d1fdffff call bff7b614 = KERNEL32.DLL:.text+0x2614 4284 0167:bff7b843 a1109dfcbf mov eax,dword ptr [bffc9d10] 4285 0167:bff7b848 50 push eax 4286 0167:bff7b849 e89f89ffff call bff741ed = KERNEL32.DLL!98 4287 KERNEL32.DLL:.text+0x284e: 4288 *0167:bff7b84e 58 pop eax 4289 0167:bff7b84f 5d pop ebp 4290 0167:bff7b850 c20400 retd 0004 4291 0167:bff7b853 64a100000000 mov eax,dword ptr fs:[00000000] 4292 0167:bff7b859 55 push ebp 4293 0167:bff7b85a 8bec mov ebp,esp 4294 0167:bff7b85c 6aff push -01 4295 0167:bff7b85e 683092f7bf push bff79230 4296 0167:bff7b863 68b405fcbf push bffc05b4 4297 0167:bff7b868 50 push eax 4298 0167:bff7b869 64892500000000 mov dword ptr fs:[00000000],esp 4299 4300 -------------------- 4301 4302 4303 013afd94 00000000 4304 013afd98 c14f46f0 -> 02 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 4305 013afd9c c14f31f0 -> 01 00 00 00 c8 59 83 81 e4 42 83 81 00 24 4f c1 .....Y...B...$O. 4306 013afda0 013afdcc -> b8 19 f7 bf 1a 8e 3a 01 bc ff 3a 01 6d 18 f7 bf ......:...:.m... 4307 013afda4 bff92cec = KERNEL32.DLL:.text+0x19cec 4308 4309 -------------------- 4310 4311 0167:bff92ccd 85ff test edi,edi 4312 0167:bff92ccf 7416 jz bff92ce7 = KERNEL32.DLL:.text+0x19ce7 4313 0167:bff92cd1 ff742414 push dword ptr [esp+14] 4314 0167:bff92cd5 ff742414 push dword ptr [esp+14] 4315 0167:bff92cd9 57 push edi 4316 0167:bff92cda e8276e0000 call bff99b06 = KERNEL32.DLL:.text+0x20b06 4317 0167:bff92cdf 8bf0 mov esi,eax 4318 0167:bff92ce1 57 push edi 4319 0167:bff92ce2 e8458bfeff call bff7b82c = KERNEL32.DLL:.text+0x282c 4320 0167:bff92ce7 e86075feff call bff7a24c = KERNEL32.DLL:.text+0x124c 4321 KERNEL32.DLL:.text+0x19cec: 4322 *0167:bff92cec 81fe01000040 cmp esi,40000001 4323 0167:bff92cf2 74bd jz bff92cb1 = KERNEL32.DLL:.text+0x19cb1 4324 0167:bff92cf4 81fec0000000 cmp esi,000000c0 4325 0167:bff92cfa 7505 jnz bff92d01 = KERNEL32.DLL:.text+0x19d01 4326 0167:bff92cfc e82b23ffff call bff8502c = KERNEL32.DLL:.text+0xc02c 4327 0167:bff92d01 8bc6 mov eax,esi 4328 0167:bff92d03 5f pop edi 4329 0167:bff92d04 5e pop esi 4330 0167:bff92d05 c20c00 retd 000c 4331 0167:bff92d08 ff742404 push dword ptr [esp+04] 4332 0167:bff92d0c 6809002a00 push 002a0009 4333 4334 -------------------- 4335 4336 4337 013afda8 8de82eff 4338 013afdac 0000016f 4339 013afdb0 bff7c8cc = KERNEL32.DLL:.text+0x38cc 4340 4341 -------------------- 4342 4343 0167:bff7c8a6 ff74240c push dword ptr [esp+0c] 4344 0167:bff7c8aa ff74240c push dword ptr [esp+0c] 4345 0167:bff7c8ae e853d20100 call bff99b06 = KERNEL32.DLL:.text+0x20b06 4346 0167:bff7c8b3 3d01000040 cmp eax,40000001 4347 0167:bff7c8b8 74e8 jz bff7c8a2 = KERNEL32.DLL:.text+0x38a2 4348 0167:bff7c8ba c20c00 retd 000c 4349 0167:bff7c8bd 6a00 push +00 4350 0167:bff7c8bf ff74240c push dword ptr [esp+0c] 4351 0167:bff7c8c3 ff74240c push dword ptr [esp+0c] 4352 0167:bff7c8c7 e8e3630100 call bff92caf = KERNEL32.DLL!WaitForSingleObjectEx 4353 KERNEL32.DLL:.text+0x38cc: 4354 *0167:bff7c8cc c20800 retd 0008 4355 0167:bff7c8cf 8b542404 mov edx,dword ptr [esp+04] 4356 0167:bff7c8d3 56 push esi 4357 0167:bff7c8d4 57 push edi 4358 0167:bff7c8d5 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 4359 0167:bff7c8da 8b38 mov edi,dword ptr [eax] 4360 0167:bff7c8dc 8b8798000000 mov eax,dword ptr [edi+00000098] 4361 0167:bff7c8e2 85c0 test eax,eax 4362 0167:bff7c8e4 7415 jz bff7c8fb = KERNEL32.DLL:.text+0x38fb 4363 0167:bff7c8e6 8b35249cfcbf mov esi,dword ptr [bffc9c24] 4364 0167:bff7c8ec 0fbf4810 movsx ecx,word ptr [eax+10] 4365 4366 -------------------- 4367 4368 4369 013afdb4 453a4dd0 4370 013afdb8 ffffffff 4371 013afdbc bff71826 = KERNEL32.DLL:_FREQASM+0x826 4372 4373 -------------------- 4374 4375 0167:bff717ff 6664c7051e000000ffff mov word ptr fs:[0000001e],ffff 4376 0167:bff71809 c3 retd 4377 0167:bff7180a 52 push edx 4378 0167:bff7180b 50 push eax 4379 0167:bff7180c a1e89cfcbf mov eax,dword ptr [bffc9ce8] 4380 0167:bff71811 8b00 mov eax,dword ptr [eax] 4381 0167:bff71813 39059894fcbf cmp dword ptr [bffc9498],eax 4382 0167:bff71819 7413 jz bff7182e = KERNEL32.DLL:_FREQASM+0x82e 4383 0167:bff7181b 8b157094fcbf mov edx,dword ptr [bffc9470] 4384 0167:bff71821 e891290000 call bff741b7 = KERNEL32.DLL:_FREQASM+0x31b7 4385 KERNEL32.DLL:_FREQASM+0x826: 4386 *0167:bff71826 6664ff051e000000 inc word ptr fs:[0000001e] 4387 0167:bff7182e 58 pop eax 4388 0167:bff7182f 5a pop edx 4389 0167:bff71830 c3 retd 4390 0167:bff71831 ff7316 push dword ptr [ebx+16] 4391 0167:bff71834 ff731a push dword ptr [ebx+1a] 4392 0167:bff71837 ff731e push dword ptr [ebx+1e] 4393 0167:bff7183a ff7322 push dword ptr [ebx+22] 4394 0167:bff7183d 8b157094fcbf mov edx,dword ptr [bffc9470] 4395 0167:bff71843 e8b3290000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 4396 0167:bff71848 6664c7051e000000ffff mov word ptr fs:[0000001e],ffff 4397 4398 -------------------- 4399 4400 4401 013afdc0 00000000 4402 013afdc4 bffc9490 = KERNEL32.DLL:.data+0x490 4403 -> 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 4404 013afdc8 bff94222 = KERNEL32.DLL:.text+0x1b222 4405 4406 -------------------- 4407 4408 0167:bff941fa ff7316 push dword ptr [ebx+16] 4409 0167:bff941fd ff731a push dword ptr [ebx+1a] 4410 0167:bff94200 ff731e push dword ptr [ebx+1e] 4411 0167:bff94203 e8c3fffeff call bff841cb = KERNEL32.DLL!VirtualFree 4412 0167:bff94208 e9c3f9ffff jmp bff93bd0 = KERNEL32.DLL:.text+0x1abd0 4413 0167:bff9420d ff7316 push dword ptr [ebx+16] 4414 0167:bff94210 ff731a push dword ptr [ebx+1a] 4415 0167:bff94213 e8cdd5fdff call bff717e5 = KERNEL32.DLL!K32Thk1632Prolog 4416 0167:bff94218 e8a086feff call bff7c8bd = KERNEL32.DLL!WaitForSingleObject 4417 0167:bff9421d e8e8d5fdff call bff7180a = KERNEL32.DLL!K32Thk1632Epilog 4418 KERNEL32.DLL:.text+0x1b222: 4419 *0167:bff94222 8bd0 mov edx,eax 4420 0167:bff94224 c1c210 rol edx,10 4421 0167:bff94227 e994f9ffff jmp bff93bc0 = KERNEL32.DLL:.text+0x1abc0 4422 0167:bff9422c ff7316 push dword ptr [ebx+16] 4423 0167:bff9422f e8e3cfffff call bff91217 = KERNEL32.DLL:.text+0x18217 4424 0167:bff94234 e977f9ffff jmp bff93bb0 = KERNEL32.DLL:.text+0x1abb0 4425 0167:bff94239 33c0 xor eax,eax 4426 0167:bff9423b 50 push eax 4427 0167:bff9423c 50 push eax 4428 0167:bff9423d 50 push eax 4429 0167:bff9423e 8b4316 mov eax,dword ptr [ebx+16] 4430 4431 -------------------- 4432 4433 4434 013afdcc bff719b8 = KERNEL32.DLL:_FREQASM+0x9b8 4435 4436 -------------------- 4437 4438 0167:bff71991 51 push ecx 4439 0167:bff71992 c1cf10 ror edi,10 4440 0167:bff71995 6664873d0e000000 xchg word ptr fs:[0000000e],di 4441 0167:bff7199d 57 push edi 4442 0167:bff7199e 686d18f7bf push bff7186d 4443 0167:bff719a3 64ff3500000000 push dword ptr fs:[00000000] 4444 0167:bff719aa 64892500000000 mov dword ptr fs:[00000000],esp 4445 0167:bff719b1 55 push ebp 4446 0167:bff719b2 8d6c24fc lea ebp,[esp-04] 4447 0167:bff719b6 ffd2 call edx 4448 KERNEL32.DLL:_FREQASM+0x9b8: 4449 *0167:bff719b8 5d pop ebp 4450 0167:bff719b9 0fb6c9 movzx ecx,cl 4451 0167:bff719bc 648f0500000000 pop dword ptr fs:[00000000] 4452 0167:bff719c3 8d642404 lea esp,[esp+04] 4453 0167:bff719c7 5f pop edi 4454 0167:bff719c8 6664893d0e000000 mov word ptr fs:[0000000e],di 4455 0167:bff719d0 5b pop ebx 4456 0167:bff719d1 660fb22424 lss sp,dword ptr [esp] 4457 0167:bff719d6 6664891d1e000000 mov word ptr fs:[0000001e],bx 4458 0167:bff719de 5b pop ebx 4459 0167:bff719df 0bdb or ebx,ebx 4460 4461 -------------------- 4462 4463 4464 013afdd0 013a8e1a 4465 013afdd4 013affbc -> ff ff ff ff b4 05 fc bf 50 90 f7 bf 00 00 00 00 ........P....... 4466 013afdd8 bff7186d = KERNEL32.DLL:_FREQASM+0x86d 4467 4468 -------------------- 4469 4470 0167:bff7183d 8b157094fcbf mov edx,dword ptr [bffc9470] 4471 0167:bff71843 e8b3290000 call bff741fb = KERNEL32.DLL:_FREQASM+0x31fb 4472 0167:bff71848 6664c7051e000000ffff mov word ptr fs:[0000001e],ffff 4473 0167:bff71852 ff5326 call dword ptr [ebx+26] 4474 0167:bff71855 8b157094fcbf mov edx,dword ptr [bffc9470] 4475 0167:bff7185b e857290000 call bff741b7 = KERNEL32.DLL:_FREQASM+0x31b7 4476 0167:bff71860 6664ff051e000000 inc word ptr fs:[0000001e] 4477 0167:bff71868 b114 mov cl,14 4478 0167:bff7186a 8be5 mov esp,ebp 4479 0167:bff7186c c3 retd 4480 KERNEL32.DLL:_FREQASM+0x86d: 4481 *0167:bff7186d 8b442404 mov eax,dword ptr [esp+04] 4482 0167:bff71871 f7400406000000 test dword ptr [eax+04],00000006 4483 0167:bff71878 7419 jz bff71893 = KERNEL32.DLL:_FREQASM+0x893 4484 0167:bff7187a 8b442408 mov eax,dword ptr [esp+08] 4485 0167:bff7187e 8178046d18f7bf cmp dword ptr [eax+04],bff7186d 4486 0167:bff71885 750c jnz bff71893 = KERNEL32.DLL:_FREQASM+0x893 4487 0167:bff71887 668b4808 mov cx,word ptr [eax+08] 4488 0167:bff7188b 6664890d0e000000 mov word ptr fs:[0000000e],cx 4489 0167:bff71893 b801000000 mov eax,00000001 4490 0167:bff71898 c3 retd 4491 0167:bff71899 9d popfd 4492 4493 -------------------- 4494 4495 4496 013afddc 8de82eff 4497 013afde0 00000000 4498 013afde4 2f5f8de8 4499 013afde8 00000000 4500 013afdec 00000202 4501 013afdf0 00000000 4502 013afdf4 00008000 4503 013afdf8 4b284b2c 4504 013afdfc 4b2cfff4 4505 013afe00 2beb13f0 4506 013afe04 333e4b2c 4507 013afe08 4b2c4b2c 4508 013afe0c 8e1e16df 4509 013afe10 17cf2208 4510 013afe14 00004b2c 4511 013afe18 8e284b2c 4512 013afe1c 8e2e16df 4513 013afe20 000121b0 4514 013afe24 50444b2c 4515 013afe28 207b8e4a 4516 013afe2c 8e4a16df 4517 013afe30 17cf2119 4518 013afe34 4b2c0001 4519 013afe38 000c0000 4520 013afe3c 00008183 4521 013afe40 00004b2c 4522 013afe44 29048000 4523 013afe48 8e960000 4524 013afe4c 00001c00 4525 013afe50 00000000 4526 013afe54 00002f67 4527 013afe58 00002eef 4528 013afe5c 00000000 4529 013afe60 17d70e3e 4530 013afe64 17cf1c19 4531 013afe68 000c8f10 4532 013afe6c 00000000 4533 013afe70 17d70e3e 4534 013afe74 00000018 4535 013afe78 00410050 = DEBIAN-SVN45063.EXE:.bss+0x1050 4536 -> 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 45 4d 50 5c C:\WINDOWS\TEMP\ 4537 013afe7c 00000000 4538 013afe80 43580005 4539 013afe84 00000534 4540 013afe88 00012eef 4541 013afe8c 00000000 4542 013afe90 29040000 4543 013afe94 8ec20000 4544 013afe98 29041950 4545 013afe9c 00000000 4546 ... 4547 013afea4 6ae40000 = NSISDL.DLL+0x0 4548 -> 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 4549 013afea8 0040fc50 = DEBIAN-SVN45063.EXE:.bss+0xc50 4550 -> 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 45 4d 50 5c C:\WINDOWS\TEMP\ 4551 013afeac 0040f850 = DEBIAN-SVN45063.EXE:.bss+0x850 4552 -> 64 6f 77 6e 6c 6f 61 64 00 53 5c 54 45 4d 50 5c download.S\TEMP\ 4553 013afeb0 00000000 4554 ... 4555 013afeb8 ffffffff 4556 013afebc 00010000 4557 013afec0 8ee216df 4558 013afec4 17d70328 4559 013afec8 00000000 4560 013afecc ffffffff 4561 013afed0 00000000 4562 013afed4 6ae443e4 = NSISDL.DLL!download 4563 -> 55 89 e5 57 56 53 81 ec 7c 0e 00 00 c7 85 dc f1 U..WVS..|....... 4564 ... 4565 013afedc 00025044 4566 013afee0 8f10032d 4567 013afee4 16ff3847 4568 013afee8 00000000 4569 013afeec 2af80000 4570 013afef0 0000002c 4571 013afef4 0000070e 4572 013afef8 0000073c 4573 013afefc 00000000 4574 ... 4575 013aff04 00000001 4576 013aff08 00000000 4577 013aff0c 16ff2d8c 4578 013aff10 00000000 4579 013aff14 00000404 4580 013aff18 005fc000 4581 013aff1c 005f0800 4582 013aff20 00410450 = DEBIAN-SVN45063.EXE:.bss+0x1450 4583 -> 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 45 4d 50 5c C:\WINDOWS\TEMP\ 4584 013aff24 00410050 = DEBIAN-SVN45063.EXE:.bss+0x1050 4585 -> 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 45 4d 50 5c C:\WINDOWS\TEMP\ 4586 013aff28 0040fc50 = DEBIAN-SVN45063.EXE:.bss+0xc50 4587 -> 43 3a 5c 57 49 4e 44 4f 57 53 5c 54 45 4d 50 5c C:\WINDOWS\TEMP\ 4588 013aff2c 0040f850 = DEBIAN-SVN45063.EXE:.bss+0x850 4589 -> 64 6f 77 6e 6c 6f 61 64 00 53 5c 54 45 4d 50 5c download.S\TEMP\ 4590 013aff30 013aff68 -> 98 ff 3a 01 d7 7b 40 00 dd 00 00 00 34 05 00 00 ..:..{@.....4... 4591 013aff34 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 4592 013aff38 013aff68 -> 98 ff 3a 01 d7 7b 40 00 dd 00 00 00 34 05 00 00 ..:..{@.....4... 4593 013aff3c 00401874 = DEBIAN-SVN45063.EXE:.text+0x874 4594 4595 -------------------- 4596 4597 0167:00401853 e9e4000000 jmp 0040193c = DEBIAN-SVN45063.EXE:.text+0x93c 4598 0167:00401858 83ec0c sub esp,+0c 4599 0167:0040185b 8b5508 mov edx,dword ptr [ebp+08] 4600 0167:0040185e 89d0 mov eax,edx 4601 0167:00401860 c1e003 shl eax,03 4602 0167:00401863 29d0 sub eax,edx 4603 0167:00401865 c1e002 shl eax,02 4604 0167:00401868 0305a0944200 add eax,dword ptr [004294a0] 4605 0167:0040186e 50 push eax 4606 0167:0040186f e8e6020000 call 00401b5a = DEBIAN-SVN45063.EXE:.text+0xb5a 4607 DEBIAN-SVN45063.EXE:.text+0x874: 4608 *0167:00401874 83c40c add esp,+0c 4609 0167:00401877 8945fc mov dword ptr [ebp-04],eax 4610 0167:0040187a 817dfcffffff7f cmp dword ptr [ebp-04],7fffffff 4611 0167:00401881 750c jnz 0040188f = DEBIAN-SVN45063.EXE:.text+0x88f 4612 0167:00401883 c745f4ffffff7f mov dword ptr [ebp-0c],7fffffff 4613 0167:0040188a e9ad000000 jmp 0040193c = DEBIAN-SVN45063.EXE:.text+0x93c 4614 0167:0040188f 8b45fc mov eax,dword ptr [ebp-04] 4615 0167:00401892 8945f0 mov dword ptr [ebp-10],eax 4616 0167:00401895 837dfc00 cmp dword ptr [ebp-04],+00 4617 0167:00401899 791d jns 004018b8 = DEBIAN-SVN45063.EXE:.text+0x8b8 4618 0167:0040189b 83ec0c sub esp,+0c 4619 4620 -------------------- 4621 4622 4623 013aff40 00441f5c -> 2c 00 00 00 0e 07 00 00 3c 07 00 00 00 00 00 00 ,.......<....... 4624 013aff44 00000402 4625 013aff48 00002af8 4626 013aff4c 00000000 4627 ... 4628 013aff60 000000cc 4629 013aff64 00000001 4630 013aff68 013aff98 -> cc ff 3a 01 20 8f f8 bf 34 05 00 00 c8 59 83 81 ..:. ...4....Y.. 4631 013aff6c 00407bd7 = DEBIAN-SVN45063.EXE:.text+0x6bd7 4632 4633 -------------------- 4634 4635 0167:00407bb9 8b45f4 mov eax,dword ptr [ebp-0c] 4636 0167:00407bbc 8b4008 mov eax,dword ptr [eax+08] 4637 0167:00407bbf 83e001 and eax,+01 4638 0167:00407bc2 85c0 test eax,eax 4639 0167:00407bc4 7420 jz 00407be6 = DEBIAN-SVN45063.EXE:.text+0x6be6 4640 0167:00407bc6 83ec08 sub esp,+08 4641 0167:00407bc9 ff75f8 push dword ptr [ebp-08] 4642 0167:00407bcc 8b45f4 mov eax,dword ptr [ebp-0c] 4643 0167:00407bcf ff700c push dword ptr [eax+0c] 4644 0167:00407bd2 e8499cffff call 00401820 = DEBIAN-SVN45063.EXE:.text+0x820 4645 DEBIAN-SVN45063.EXE:.text+0x6bd7: 4646 *0167:00407bd7 83c408 add esp,+08 4647 0167:00407bda 85c0 test eax,eax 4648 0167:00407bdc 7408 jz 00407be6 = DEBIAN-SVN45063.EXE:.text+0x6be6 4649 0167:00407bde ff053c944200 inc dword ptr [0042943c] 4650 0167:00407be4 eb0b jmp 00407bf1 = DEBIAN-SVN45063.EXE:.text+0x6bf1 4651 0167:00407be6 8d45f4 lea eax,[ebp-0c] 4652 0167:00407be9 810018040000 add dword ptr [eax],00000418 4653 0167:00407bef ebbd jmp 00407bae = DEBIAN-SVN45063.EXE:.text+0x6bae 4654 0167:00407bf1 83ec0c sub esp,+0c 4655 0167:00407bf4 6804040000 push 00000404 4656 0167:00407bf9 e8eddaffff call 004056eb = DEBIAN-SVN45063.EXE:.text+0x46eb 4657 4658 -------------------- 4659 4660 4661 013aff70 000000dd 4662 013aff74 00000534 4663 013aff78 013affbc -> ff ff ff ff b4 05 fc bf 50 90 f7 bf 00 00 00 00 ........P....... 4664 013aff7c bffc05b4 = KERNEL32.DLL:.text+0x475b4 4665 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 4666 013aff80 bff79198 = KERNEL32.DLL:.text+0x198 4667 -> ff ff ff ff 01 de f7 bf 10 de f7 bf 00 00 00 00 ................ 4668 013aff84 ffffffff 4669 013aff88 013affcc -> ec ff 3a 01 ef 69 f8 bf 72 7b 40 00 34 05 00 00 ..:..i..r{@.4... 4670 013aff8c 00440318 -> 54 06 00 00 00 00 00 00 01 00 00 00 c7 00 00 00 T............... 4671 013aff90 00000534 4672 013aff94 00000000 4673 013aff98 013affcc -> ec ff 3a 01 ef 69 f8 bf 72 7b 40 00 34 05 00 00 ..:..i..r{@.4... 4674 013aff9c bff88f20 = KERNEL32!ThreadStartup 4675 4676 -------------------- 4677 4678 0167:bff88f02 53 push ebx 4679 0167:bff88f03 56 push esi 4680 0167:bff88f04 57 push edi 4681 0167:bff88f05 8965e8 mov dword ptr [ebp-18],esp 4682 0167:bff88f08 c745fc00000000 mov dword ptr [ebp-04],00000000 4683 0167:bff88f0f f6451090 test byte ptr [ebp+10],90 4684 0167:bff88f13 7505 jnz bff88f1a = KERNEL32.DLL:.text+0xff1a 4685 0167:bff88f15 e854edffff call bff87c6e = KERNEL32.DLL:.text+0xec6e 4686 0167:bff88f1a ff750c push dword ptr [ebp+0c] 4687 0167:bff88f1d ff5508 call dword ptr [ebp+08] 4688 KERNEL32!ThreadStartup: 4689 *0167:bff88f20 8945e4 mov dword ptr [ebp-1c],eax 4690 0167:bff88f23 eb1e jmp bff88f43 = KERNEL32.DLL:.text+0xff43 4691 0167:bff88f25 ff75ec push dword ptr [ebp-14] 4692 0167:bff88f28 e8074c0100 call bff9db34 = KERNEL32.DLL!UnhandledExceptionFilter 4693 0167:bff88f2d c3 retd 4694 0167:bff88f2e 8b65e8 mov esp,dword ptr [ebp-18] 4695 0167:bff88f31 a1e49cfcbf mov eax,dword ptr [bffc9ce4] 4696 0167:bff88f36 8b00 mov eax,dword ptr [eax] 4697 0167:bff88f38 80482308 or byte ptr [eax+23],08 4698 0167:bff88f3c 6aff push -01 4699 0167:bff88f3e e88c420000 call bff8d1cf = KERNEL32.DLL:.text+0x141cf 4700 4701 -------------------- 4702 4703 4704 013affa0 00000534 4705 013affa4 818359c8 -> 07 00 00 00 d0 46 4f c1 d8 ea 3a 01 00 00 3b 01 .....FO...:...;. 4706 013affa8 00000008 4707 013affac 818342e4 -> 06 00 06 00 c0 23 4f c1 00 00 00 00 00 00 00 00 .....#O......... 4708 013affb0 00000007 4709 013affb4 013affa4 -> c8 59 83 81 08 00 00 00 e4 42 83 81 07 00 00 00 .Y.......B...... 4710 013affb8 013aeb10 -> e8 eb 3a 01 04 ec 3a 01 3c eb 3a 01 49 68 f7 bf ..:...:.<.:.Ih.. 4711 013affbc ffffffff 4712 013affc0 bffc05b4 = KERNEL32.DLL:.text+0x475b4 4713 -> 55 8b ec 83 ec 08 53 56 57 55 fc 8b 5d 0c 8b 45 U.....SVWU..]..E 4714 013affc4 bff79050 = KERNEL32.DLL:.text+0x50 4715 -> ff ff ff ff 25 8f f8 bf 2e 8f f8 bf 00 00 00 00 ....%........... 4716 013affc8 00000000 4717 013affcc 013affec -> 00 00 00 00 ec 68 f8 bf 72 7b 40 00 34 05 00 00 .....h..r{@.4... 4718 013affd0 bff869ef = KERNEL32.DLL:.text+0xd9ef 4719 4720 -------------------- 4721 4722 0167:bff869ca 6800060000 push 00000600 4723 0167:bff869cf e841abffff call bff81515 = KERNEL32.DLL:.text+0x8515 4724 0167:bff869d4 ff7510 push dword ptr [ebp+10] 4725 0167:bff869d7 ff750c push dword ptr [ebp+0c] 4726 0167:bff869da ff7508 push dword ptr [ebp+08] 4727 0167:bff869dd f6451001 test byte ptr [ebp+10],01 4728 0167:bff869e1 7407 jz bff869ea = KERNEL32.DLL:.text+0xd9ea 4729 0167:bff869e3 e8d9330000 call bff89dc1 = KERNEL32.DLL:.text+0x10dc1 4730 0167:bff869e8 eb05 jmp bff869ef = KERNEL32.DLL:.text+0xd9ef 4731 0167:bff869ea e8f3240000 call bff88ee2 = KERNEL32.DLL:.text+0xfee2 4732 KERNEL32.DLL:.text+0xd9ef: 4733 *0167:bff869ef 50 push eax 4734 0167:bff869f0 e813350000 call bff89f08 = KERNEL32.DLL!ExitThread 4735 0167:bff869f5 5f pop edi 4736 0167:bff869f6 5e pop esi 4737 0167:bff869f7 5b pop ebx 4738 0167:bff869f8 5d pop ebp 4739 0167:bff869f9 c20c00 retd 000c 4740 0167:bff869fc 56 push esi 4741 0167:bff869fd 57 push edi 4742 0167:bff869fe 8b7c240c mov edi,dword ptr [esp+0c] 4743 0167:bff86a02 8b7738 mov esi,dword ptr [edi+38] 4744 4745 -------------------- 4746 4747 4748 013affd4 00407b72 = DEBIAN-SVN45063.EXE:.text+0x6b72 4749 4750 -------------------- 4751 4752 0167:00407b54 e897300000 call 0040abf0 = USER32.DLL!SendMessageA 4753 0167:00407b59 8b45c0 mov eax,dword ptr [ebp-40] 4754 0167:00407b5c 83e001 and eax,+01 4755 0167:00407b5f 85c0 test eax,eax 4756 0167:00407b61 740b jz 00407b6e = DEBIAN-SVN45063.EXE:.text+0x6b6e 4757 0167:00407b63 8b45bc mov eax,dword ptr [ebp-44] 4758 0167:00407b66 0518624200 add eax,00426218 4759 0167:00407b6b c60000 mov byte ptr [eax],00 4760 0167:00407b6e c9 leave 4761 0167:00407b6f c20800 retd 0008 4762 DEBIAN-SVN45063.EXE:.text+0x6b72: 4763 *0167:00407b72 55 push ebp 4764 0167:00407b73 89e5 mov ebp,esp 4765 0167:00407b75 83ec18 sub esp,+18 4766 0167:00407b78 a19c944200 mov eax,dword ptr [0042949c] 4767 0167:00407b7d 8945fc mov dword ptr [ebp-04],eax 4768 0167:00407b80 8b4508 mov eax,dword ptr [ebp+08] 4769 0167:00407b83 8945f8 mov dword ptr [ebp-08],eax 4770 0167:00407b86 a198944200 mov eax,dword ptr [00429498] 4771 0167:00407b8b 8945f4 mov dword ptr [ebp-0c],eax 4772 0167:00407b8e 83ec0c sub esp,+0c 4773 0167:00407b91 6a00 push +00 4774 4775 -------------------- 4776 4777 4778 013affd8 00000534 4779 013affdc 00000008 4780 013affe0 00000000 4781 ... 4782 013afff0 bff868ec = KERNEL32.DLL:.text+0xd8ec 4783 4784 -------------------- 4785 4786 0167:bff868d5 56 push esi 4787 0167:bff868d6 e862a60000 call bff90f3d = KERNEL32.DLL:.text+0x17f3d 4788 0167:bff868db ff8610020000 inc dword ptr [esi+00000210] 4789 0167:bff868e1 8bc6 mov eax,esi 4790 0167:bff868e3 5f pop edi 4791 0167:bff868e4 5e pop esi 4792 0167:bff868e5 5b pop ebx 4793 0167:bff868e6 8be5 mov esp,ebp 4794 0167:bff868e8 5d pop ebp 4795 0167:bff868e9 c21400 retd 0014 4796 KERNEL32.DLL:.text+0xd8ec: 4797 *0167:bff868ec 55 push ebp 4798 0167:bff868ed a1e09cfcbf mov eax,dword ptr [bffc9ce0] 4799 0167:bff868f2 8bec mov ebp,esp 4800 0167:bff868f4 8b0de49cfcbf mov ecx,dword ptr [bffc9ce4] 4801 0167:bff868fa 53 push ebx 4802 0167:bff868fb 56 push esi 4803 0167:bff868fc 57 push edi 4804 0167:bff868fd 8b19 mov ebx,dword ptr [ecx] 4805 0167:bff868ff f6451010 test byte ptr [ebp+10],10 4806 0167:bff86903 8b38 mov edi,dword ptr [eax] 4807 0167:bff86905 740a jz bff86911 = KERNEL32.DLL:.text+0xd911 4808 4809 -------------------- 4810 4811 4812 013afff4 00407b72 = DEBIAN-SVN45063.EXE:.text+0x6b72 4813 4814 -------------------- 4815 4816 0167:00407b54 e897300000 call 0040abf0 = USER32.DLL!SendMessageA 4817 0167:00407b59 8b45c0 mov eax,dword ptr [ebp-40] 4818 0167:00407b5c 83e001 and eax,+01 4819 0167:00407b5f 85c0 test eax,eax 4820 0167:00407b61 740b jz 00407b6e = DEBIAN-SVN45063.EXE:.text+0x6b6e 4821 0167:00407b63 8b45bc mov eax,dword ptr [ebp-44] 4822 0167:00407b66 0518624200 add eax,00426218 4823 0167:00407b6b c60000 mov byte ptr [eax],00 4824 0167:00407b6e c9 leave 4825 0167:00407b6f c20800 retd 0008 4826 DEBIAN-SVN45063.EXE:.text+0x6b72: 4827 *0167:00407b72 55 push ebp 4828 0167:00407b73 89e5 mov ebp,esp 4829 0167:00407b75 83ec18 sub esp,+18 4830 0167:00407b78 a19c944200 mov eax,dword ptr [0042949c] 4831 0167:00407b7d 8945fc mov dword ptr [ebp-04],eax 4832 0167:00407b80 8b4508 mov eax,dword ptr [ebp+08] 4833 0167:00407b83 8945f8 mov dword ptr [ebp-08],eax 4834 0167:00407b86 a198944200 mov eax,dword ptr [00429498] 4835 0167:00407b8b 8945f4 mov dword ptr [ebp-0c],eax 4836 0167:00407b8e 83ec0c sub esp,+0c 4837 0167:00407b91 6a00 push +00 4838 4839 -------------------- 4840 4841 4842 013afff8 00000534 4843 013afffc 00000008 4844 4845