.text:0040465F ; ---------------------------------------------------------------------------
.text:0040465F ; Obfuscated stage: ~1 s delay, then locate gdi32.dll's PE header and gate
.text:0040465F ; continuation on a value read from it.
.text:0040465F ; Entry: loc_40465F (see CODE XREF below). Exit: either the jb/ja branches
.text:0040465F ; or the push/retn at the end, which lands on loc_4033C4.
.text:0040465F ;
.text:0040465F ; Almost every instruction here is junk: register arithmetic whose results
.text:0040465F ; are never consumed, and byte/dword stores into the dword_40Fxxx /
.text:0040465F ; byte_40Fxxx / unk_40Fxxx area, often at unaligned offsets (+1/+2/+3).
.text:0040465F ; Whether that area is ever read meaningfully is not visible in this region;
.text:0040465F ; treat the stores as noise unless a later consumer of those addresses is
.text:0040465F ; found. Many adc/sbb instructions consume CF from the preceding instruction,
.text:0040465F ; so the junk cannot be removed or reordered blindly.
.text:0040465F ;
.text:0040465F ; The instructions that matter, in order:
.text:0040465F ;   push 1                              ; loop counter kept on the stack
.text:0040465F ;   loc_4046E3: WaitForSingleObject(-1, 1000) ; ~1 s delay (times out)
.text:0040465F ;   dec dword ptr [esp] / jnz loc_4046E3 ; runs once with counter = 1
.text:0040465F ;   add esp, 4                          ; drop the counter
.text:0040465F ;   GetModuleHandleA("gdi32.dll")       ; result is NOT checked for NULL
.text:0040465F ;   ebx = handle ; dword_40F212 = ebx
.text:0040465F ;   ebx = [ebx + 3Ch]                   ; e_lfanew
.text:0040465F ;   ebx += dword_40F212                 ; -> IMAGE_NT_HEADERS of gdi32
.text:0040465F ;   ebx += 0A4h                         ; -> base-relocation directory Size
.text:0040465F ;                                       ;    (PE32 optional-header layout)
.text:0040465F ;   cmp bp, 0FE00h / jb loc_4033C4      ; bp is never written in this region
.text:0040465F ;   cmp [ebx], 1000h / ja loc_40C0B3    ; continue only if reloc size > 0x1000
.text:0040465F ;   push 4033C4h (computed) / retn      ; otherwise jump to loc_4033C4
.text:0040465F ;
.text:0040465F ; Register roles: ebx is the only register carrying meaningful state (IAT
.text:0040465F ; slot, then gdi32 handle / header pointer); eax carries the string pointer
.text:0040465F ; into GetModuleHandleA and its return value out; edi holds the computed
.text:0040465F ; retn target at the end. All other register writes appear to be junk.
.text:0040465F ; ---------------------------------------------------------------------------
.text:0040465F
.text:0040465F loc_40465F:                             ; CODE XREF: .text:00409BE
.text:0040465F                 xor     esi, eax
.text:00404661                 mov     byte ptr dword_40F0DF+1, 9Bh
.text:00404668                 add     ecx, edi
.text:0040466A                 add     ecx, ebx
.text:0040466C                 xor     dl, dh
.text:0040466E                 sub     ah, 0FFh
.text:00404671                 mov     byte ptr dword_40F1E1+2, bl
.text:00404677                 xor     dword_40F167+1, edi
.text:0040467D                 adc     edi, 0FFFFFF81h
.text:00404680                 mov     ch, byte_40F1AA
.text:00404686                 add     dword ptr unk_40F036, eax
.text:0040468C                 mov     byte ptr dword_40F0FD+1, 0BFh
.text:00404693                 xor     esi, 0FFFFFFABh
.text:00404696                 mov     eax, dword_40F146
.text:0040469B                 mov     byte ptr dword_40F043+2, 82h
.text:004046A2                 push    1               ; Loop counter for the delay loop at loc_4046E3,
.text:004046A2                                         ; decremented in place at 0x40473B. With the value 1
.text:004046A2                                         ; the loop body (one 1-second wait) runs exactly once,
.text:004046A2                                         ; so this is effectively "seconds to wait" — possibly
.text:004046A2                                         ; a parameter of the packaging tool (unconfirmed).
.text:004046A4                 sbb     esi, 61h
.text:004046A7                 sbb     edx, eax
.text:004046A9                 sub     edx, 0FFFFFFDDh
.text:004046AC                 or      esi, 0FFFFFFD0h
.text:004046AF                 sbb     ebx, 19h
.text:004046B2                 sub     edi, esi
.text:004046B4                 mov     byte ptr dword_40F085, 3Ch
.text:004046BB                 mov     byte_40F09B, 0D4h
.text:004046C2                 sbb     edx, 0FFFFFF9Bh
.text:004046C5                 xor     byte ptr dword_40F142, dh
.text:004046CB                 xor     edx, ecx
.text:004046CD                 mov     dword_40F010+3, esi
.text:004046D3                 and     ebx, 0FFFFFF8Eh
.text:004046D6                 mov     byte ptr dword_40F094+3, 52h
.text:004046DD                 add     dword_40F094+1, ebx
.text:004046E3
.text:004046E3 loc_4046E3:                             ; CODE XREF: .text:0040473Ej
.text:004046E3                 push    3E8h            ; dwMilliseconds = 1000
.text:004046E8                 push    0FFFFFFFFh      ; hHandle = -1 (current-process pseudo-handle)
.text:004046EA                 lea     ebx, WaitForSingleObject ; ebx = address of the IAT slot, not the function
.text:004046F0                 call    dword ptr [ebx] ; WaitForSingleObject ( -1, 1000 );
.text:004046F0                                         ; is equivalent to :
.text:004046F0                                         ; WaitForSingleObject ( GetCurrentProcess(), 1000 );
.text:004046F0                                         ; which results in waiting 1 s: the process cannot be
.text:004046F0                                         ; signaled while it is still running, so the call times
.text:004046F0                                         ; out. Acts as a sleep without calling Sleep(); a sandbox
.text:004046F0                                         ; that only shortens Sleep() may not shorten this delay.
.text:004046F0                                         ; stdcall: the callee pops the two arguments, leaving the
.text:004046F0                                         ; counter pushed at 0x4046A2 on top of the stack.
.text:004046F2                 mov     byte ptr dword_40F0B8+1, 5
.text:004046F9                 add     ebx, 0Ch        ; ebx is junk from here until 0x404842
.text:004046FC                 add     edi, 0FFFFFFB7h
.text:004046FF                 add     dword_40F0DF+1, edx
.text:00404705                 or      dword ptr byte_40F141, ecx
.text:0040470B                 or      dword_40F16B+1, esi
.text:00404711                 sbb     eax, edi
.text:00404713                 mov     byte ptr dword_40F0CF+1, 0ACh
.text:0040471A                 mov     byte ptr dword_40F142, 73h
.text:00404721                 adc     edi, 44h
.text:00404724                 mov     edx, dword_40F08E
.text:0040472A                 add     esi, edx
.text:0040472C                 sbb     ecx, esi
.text:0040472E                 mov     esi, dword ptr byte_40F125
.text:00404734                 mov     byte ptr dword_40F1B7+1, 37h
.text:0040473B                 dec     dword ptr [esp] ; Decrement the loop counter on top of the stack (pushed as 1 at 0x4046A2)
.text:0040473E                 jnz     short loc_4046E3 ; Loop while the counter is non-zero (one iteration with the value 1)
.text:00404740                 mov     ecx, dword ptr byte_40F0E4
.text:00404746                 adc     edi, 48h
.text:00404749                 adc     eax, esi
.text:0040474B                 adc     dword_40F1D5, ecx
.text:00404751                 mov     byte ptr dword_40F0B1+2, 0C7h
.text:00404758                 add     edx, 0FFFFFFBBh
.text:0040475B                 mov     byte ptr dword_40F00C, 1Eh
.text:00404762                 xor     ebx, ecx
.text:00404764                 mov     byte_40F0AF, 0E7h
.text:0040476B                 sub     eax, eax
.text:0040476D                 mov     cl, byte ptr dword_40F071+2
.text:00404773                 xor     eax, edx
.text:00404775                 or      ecx, 0FFFFFFD9h
.text:00404778                 xor     edx, ecx
.text:0040477A                 add     edi, 43h
.text:0040477D                 add     esp, 4          ; Discard the loop counter pushed at 0x4046A2 (stack is now balanced again)
.text:00404780                 and     edx, 5Ch
.text:00404783                 mov     eax, dword_40F0A5
.text:00404788                 mov     ecx, dword_40F16B+1
.text:0040478E                 mov     byte ptr dword_40F0D6, 0C9h
.text:00404795                 mov     edi, dword_40F0EE+3
.text:0040479B                 adc     eax, 0FFFFFFFBh
.text:0040479E                 sub     ebx, esi
.text:004047A0                 mov     ecx, dword_40F1D1+3
.text:004047A6                 sbb     esi, 0FFFFFFF7h
.text:004047A9                 mov     ch, byte ptr dword_40F197+3
.text:004047AF                 sbb     ebx, 0FFFFFFE0h
.text:004047B2                 mov     byte_40F132, 52h
.text:004047B9                 adc     dl, dl
.text:004047BB                 add     dword_40F085+1, eax
.text:004047C1                 xor     edi, 30h
.text:004047C4                 lea     eax, aGdi32_dll ; eax = &"gdi32.dll" (argument for GetModuleHandleA below)
.text:004047CA                 mov     dword_40F14A+2, ecx
.text:004047D0                 sub     edi, 30h
.text:004047D3                 adc     dh, ch
.text:004047D5                 sub     dword_40F00C+1, ebx
.text:004047DB                 mov     byte ptr dword_40F0A9+2, 11h
.text:004047E2                 sbb     dword_40F1D9+3, edi
.text:004047E8                 sbb     edi, edx
.text:004047EA                 mov     edx, dword_40F138+2
.text:004047F0                 add     bh, dl
.text:004047F2                 adc     edx, edx
.text:004047F4                 sbb     dword_40F18A+3, ecx
.text:004047FA                 xor     edx, edi
.text:004047FC                 sub     ecx, ebx
.text:004047FE                 xor     ebx, 4Ch
.text:00404801                 mov     bh, byte ptr dword_40F0DB+2
.text:00404807                 push    eax             ; lpModuleName = "gdi32.dll"; nothing touches esp between here and the call
.text:00404808                 sbb     ebx, eax
.text:0040480A                 xor     byte ptr dword_40F026+1, ah
.text:00404810                 sbb     dword_40F0DF, ecx
.text:00404816                 sub     dword_40F0A1+2, edx
.text:0040481C                 sbb     esi, 70h
.text:0040481F                 sub     dword_40F19B+1, ebx
.text:00404825                 mov     ecx, dword_40F060+3
.text:0040482B                 sub     ebx, 0FFFFFFF5h
.text:0040482E                 xor     edx, ecx
.text:00404830                 or      edi, 0FFFFFFD8h
.text:00404833                 mov     ecx, dword_40F008+3
.text:00404839                 and     esi, 7
.text:0040483C                 sbb     eax, ebx
.text:0040483E                 add     esi, ecx
.text:00404840                 sbb     edi, eax
.text:00404842                 mov     ebx, ds:GetModuleHandleA ; ebx = function pointer read from the IAT
.text:00404848                 call    ebx             ; GetModuleHandle ( "gdi32.dll" );
.text:00404848                                         ; Returns NULL if gdi32.dll is not mapped in this process.
.text:00404848                                         ; The result is never tested; a NULL handle would make the
.text:00404848                                         ; header walk below read from address 0x3C and fault.
.text:0040484A                 push    eax
.text:0040484B                 pop     ebx             ; EBX = GDI32.DLL handle (push/pop pair standing in for mov ebx, eax)
.text:0040484C                 mov     ecx, dword_40F142+1
.text:00404852                 sbb     byte ptr dword_40F1BB+1, dl
.text:00404858                 mov     byte ptr dword_40F058, 9Fh
.text:0040485F                 and     eax, 0FFFFFFEAh
.text:00404862                 mov     al, byte ptr unk_40F0E6
.text:00404867                 or      ecx, 7Eh
.text:0040486A                 and     dword_40F0C0+3, edi
.text:00404870                 adc     edx, 59h
.text:00404873                 sbb     eax, eax
.text:00404875                 xor     eax, 0
.text:00404878                 mov     byte ptr dword_40F1D1, 85h
.text:0040487F                 sbb     eax, edi
.text:00404881                 sub     dh, ah
.text:00404883                 add     byte ptr dword_40F06D+3, al
.text:00404889                 mov     byte_40F0CC, 0Ch
.text:00404890                 mov     dword_40F212, ebx ; Save the gdi32 handle (= gdi32 image base / DOS header address); re-read at 0x404977
.text:00404896                 mov     byte ptr dword_40F19B+3, 50h
.text:0040489D                 mov     byte_40F112, 0BEh
.text:004048A4                 mov     byte ptr dword_40F07A+2, 0FCh
.text:004048AB                 mov     eax, dword_40F02A+1
.text:004048B0                 sbb     eax, esi
.text:004048B2                 mov     byte ptr dword_40F065+1, 0B6h
.text:004048B9                 sub     esi, 0
.text:004048BC                 mov     byte ptr dword_40F1DD+3, 23h
.text:004048C3                 sub     eax, 0Ch
.text:004048C6                 sbb     edi, 7Fh
.text:004048C9                 sub     dword_40F02A+2, eax
.text:004048CF                 sbb     ch, 55h
.text:004048D2                 mov     edi, dword_40F085
.text:004048D8                 mov     eax, dword ptr byte_40F07E
.text:004048DD                 mov     edx, dword_40F1C7+2
.text:004048E3                 add     ebx, 3Ch        ; ebx = &IMAGE_DOS_HEADER.e_lfanew of gdi32 (offset 0x3C)
.text:004048E6                 or      eax, 0FFFFFF8Ch
.text:004048E9                 sbb     dword_40F1A6, edi
.text:004048EF                 mov     esi, dword_40F16B+3
.text:004048F5                 mov     byte ptr dword_40F1D9+2, 97h
.text:004048FC                 add     byte ptr dword_40F060+1, cl
.text:00404902                 add     edi, esi
.text:00404904                 mov     esi, dword_40F02A+3
.text:0040490A                 mov     byte_40F0E5, 61h
.text:00404911                 mov     byte ptr dword_40F0D6+2, 5Dh
.text:00404918                 mov     byte ptr dword_40F113+1, 4Dh
.text:0040491F                 sbb     dword_40F1B3+1, eax
.text:00404925                 mov     byte ptr dword_40F18A+3, 0EFh
.text:0040492C                 mov     byte ptr unk_40F0D5, 0FAh
.text:00404933                 add     edx, 33h
.text:00404936                 adc     ecx, 0FFFFFFFCh
.text:00404939                 mov     ebx, [ebx]      ; ebx = e_lfanew (RVA of gdi32's PE header)
.text:0040493B                 sbb     esi, edi
.text:0040493D                 add     edi, 2Dh
.text:00404940                 add     ecx, esi
.text:00404942                 xor     dword_40F14E+1, edx
.text:00404948                 xor     dh, 85h
.text:0040494B                 add     edx, 73h
.text:0040494E                 mov     edi, dword_40F008+2
.text:00404954                 mov     edx, dword_40F13D+3
.text:0040495A                 add     edi, 0FFFFFFB3h
.text:0040495D                 xor     edx, ecx
.text:0040495F                 mov     ch, byte ptr dword_40F004
.text:00404965                 sbb     ch, 80h
.text:00404968                 mov     byte ptr unk_40F195, 0A4h
.text:0040496F                 and     dword ptr unk_40F19F, esi
.text:00404975                 sub     edi, edi
.text:00404977                 add     ebx, dword_40F212 ; ebx = image base + e_lfanew = &IMAGE_NT_HEADERS of gdi32
.text:0040497D                 sub     ecx, 0FFFFFFCBh
.text:00404980                 xor     dword_40F179, esi
.text:00404986                 or      ecx, 0Ah
.text:00404989                 add     edi, esi
.text:0040498B                 mov     eax, dword ptr byte_40F0FC
.text:00404990                 mov     esi, dword_40F190+1
.text:00404996                 mov     byte ptr dword_40F1EE+2, 54h
.text:0040499D                 adc     esi, esi
.text:0040499F                 mov     edi, dword ptr unk_40F0CD
.text:004049A5                 sbb     dword_40F07A+2, eax
.text:004049AB                 and     dword_40F1E5+1, esi
.text:004049B1                 mov     byte ptr dword_40F09C+1, 3Eh
.text:004049B8                 add     ecx, 0FFFFFFACh
.text:004049BB                 sbb     dword_40F0CF+1, esi
.text:004049C1                 or      dword_40F071+3, esi
.text:004049C7                 add     ebx, 0A4h       ; ebx = &DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size
.text:004049C7                                         ; (NT headers + 0x18 optional header + 0x60 directories
.text:004049C7                                         ;  + 5*8 + 4, i.e. gdi32's relocation table size for PE32)
.text:004049CD                 sub     ecx, 12h
.text:004049D0                 mov     dword_40F01D, edi
.text:004049D6                 or      dword_40F1E5+2, esi
.text:004049DC                 add     dh, 30h
.text:004049DF                 mov     byte ptr dword_40F081+3, 45h
.text:004049E6                 mov     dl, byte ptr dword_40F02E
.text:004049EC                 or      dword_40F026+1, esi
.text:004049F2                 add     esi, ecx
.text:004049F4                 sub     al, dl
.text:004049F6                 sbb     edx, edx
.text:004049F8                 add     eax, 0FFFFFFAAh
.text:004049FB                 add     ecx, esi
.text:004049FD                 add     dword_40F113, edi
.text:00404A03                 sub     ch, 0A9h
.text:00404A06                 add     edi, edx
.text:00404A08                 cmp     bp, 0FE00h      ; bp (low 16 bits of ebp) is never written in this region;
.text:00404A08                                         ; the check depends on state left by earlier code
.text:00404A0D                 jb      loc_4033C4      ; If BP < 0xFE00 (unsigned), leave for loc_4033C4 — the same
.text:00404A0D                                         ; address the push/retn below lands on, so both failure paths
.text:00404A0D                                         ; converge there. Anti-VM / anti-sandbox is one hypothesis;
.text:00404A0D                                         ; nothing in this listing confirms what bp holds.
.text:00404A13                 cmp     dword ptr [ebx], 1000h ; Compare gdi32's relocation table size with 0x1000 (unsigned)
.text:00404A19                 ja      loc_40C0B3      ; ====================> size > 0x1000: this is the way to the continuation...
.text:00404A1F                 ;
.text:00404A1F                 ;
.text:00404A1F                 ; ...and this is the way to a premature end: fall through to the
.text:00404A1F                 ; computed push/retn that transfers control to 0x4033C4.
.text:00404A1F                 xor     ah, 28h
.text:00404A22                 sbb     ebx, ebx
.text:00404A24                 sbb     eax, 0FFFFFF96h
.text:00404A27                 mov     byte ptr unk_40F101, 53h
.text:00404A2E                 mov     byte ptr dword_40F0A9, 6Ah
.text:00404A35                 add     ecx, 0FFFFFF96h
.text:00404A38                 adc     dh, dh
.text:00404A3A                 mov     ecx, dword ptr unk_40F1AE
.text:00404A40                 sub     eax, esi
.text:00404A42                 mov     byte ptr unk_40F170, 6Bh
.text:00404A49                 mov     esi, dword ptr unk_40F09A
.text:00404A4F                 mov     byte ptr dword_40F0DB, 84h
.text:00404A56                 mov     byte ptr dword_40F043+2, 27h
.text:00404A5D                 sbb     ebx, 0FFFFFFF2h
.text:00404A60                 mov     byte ptr dword_40F11C+3, 0FFh
.text:00404A67                 lea     edi, ds:6F23AE59h ; EDI=0x6F23AE59 (lea used as "mov edi, imm32"; no memory access)
.text:00404A6D                 sub     dword_40F0FD, edx
.text:00404A73                 mov     byte ptr dword_40F0BC+2, 6Fh
.text:00404A7A                 xor     edx, eax
.text:00404A7C                 mov     byte ptr dword_40F186+3, 0CCh
.text:00404A83                 sbb     dword_40F113+1, edx
.text:00404A89                 sub     ch, 9Ah
.text:00404A8C                 or      dword ptr unk_40F130, ebx
.text:00404A92                 sbb     eax, ecx
.text:00404A94                 mov     ecx, dword_40F065+1
.text:00404A9A                 mov     byte ptr dword_40F094+1, 42h
.text:00404AA1                 sub     cl, 7Dh
.text:00404AA4                 sbb     esi, 0FFFFFFCDh
.text:00404AA7                 mov     byte_40F194, ch
.text:00404AAD                 mov     byte ptr dword_40F1B7+2, 0F2h
.text:00404AB4                 mov     edx, dword ptr unk_40F1CF
.text:00404ABA                 sub     edi, 6EE37A95h  ; EDI=0x6F23AE59-0x6EE37A95=0x4033C4
.text:00404ABA                                         ; The branch target is assembled arithmetically, so it never
.text:00404ABA                                         ; appears as a direct jmp/call operand in the listing.
.text:00404AC0                 mov     byte ptr dword_40F0A1+1, 0F6h
.text:00404AC7                 and     edx, 0FFFFFFE0h
.text:00404ACA                 xor     eax, edx
.text:00404ACC                 mov     byte ptr dword_40F1F9+2, 12h
.text:00404AD3                 sub     ecx, 2Bh
.text:00404AD6                 and     ecx, 7Fh
.text:00404AD9                 and     dword_40F01D+3, edx
.text:00404ADF                 add     dword ptr unk_40F16F, ecx
.text:00404AE5                 and     dword_40F0A1, edx
.text:00404AEB                 sbb     dword ptr unk_40F1CF, eax
.text:00404AF1                 add     al, 0Fh
.text:00404AF3                 mov     byte ptr dword_40F190+1, 0D1h
.text:00404AFA                 sbb     dword_40F118+3, edx
.text:00404B00                 mov     edx, dword_40F190+1
.text:00404B06                 and     dword_40F13D+2, ebx
.text:00404B0C                 push    edi             ; Push EDI (= 0x4033C4) as a fake return address; the retn at
.text:00404B0C                                         ; 0x404B45 pops it into EIP. edi is modified again below, but
.text:00404B0C                                         ; the copy already on the stack is what retn uses.
.text:00404B0C                                         ; We will be back at 0x4033C4.
.text:00404B0D                 or      edx, 4
.text:00404B10                 xor     edi, eax
.text:00404B12                 or      dword ptr unk_40F18F, edi
.text:00404B18                 xor     esi, 0FFFFFFC1h
.text:00404B1B                 add     edx, 39h
.text:00404B1E                 add     dword_40F0A9+2, ecx
.text:00404B24                 sub     dword_40F1AF+3, eax
.text:00404B2A                 mov     byte ptr dword_40F060, 9Eh
.text:00404B31                 sub     edi, eax
.text:00404B33                 sub     edx, ebx
.text:00404B35                 xor     esi, 41h
.text:00404B38                 mov     ebx, dword ptr byte_40F038
.text:00404B3E                 sub     esi, ecx
.text:00404B40                 or      edi, 2Eh
.text:00404B43                 add     ecx, edx
.text:00404B45                 retn                    ; =====> Going to 0x4033C4 (push/retn used in place of jmp; no matching call)