IDA database (IDB) for F:\ForumCrack\BugTrack\Virus.exe

What follows is the recoverable content of a binary IDA database page ("IDA0 B-tree v 1.5 (C) Pol 1990" signature, freeware IDA build, loader pe.ldw). Only the strings stored in the B-tree survived extraction: the analyst's comments (originally in French, translated here), the names given to labels and variables, the structures applied, and IDA's own section and segment comments. The page is not a listing; offsets and code bytes are gone.

File information (IDA header comments)
- File Name : F:\ForumCrack\BugTrack\Virus.exe
- Format    : Portable executable for IBM PC (PE)
- Three sections, every one flagged E0000040 (Data Executable Readable Writable), alignment "16 bytes ?". Reading the descriptors in the order the reversed dump gives them:
  Section 1 (virtual address 00001000): virtual size 000008A2 (2210.), section size in file 00000000 (0.), offset to raw data 00000000
  Section 2 (virtual address 00002000): virtual size 0000005A (90.), section size in file 00000200 (512.), offset to raw data 00000400
  Section 3 (virtual address 00003000): virtual size 00001000 (4096.), section size in file 00001000 (4096.), offset to raw data 00000600
- Section / segment names present: .text, .rdata, .idata, ZeGun0, ZeGun1
- An extra segment carries IDA's note "The code at 003FE000-003FF000 is hidden from normal disassembly ... and was loaded because the user ordered to load it explicitly" (a manually loaded memory region).
- Import module: KERNEL32 (GetProcAddress, GetModuleHandleA, VirtualAlloc, LoadLibraryA). Entry point: start.

Named locations and variables
- Entry / unpacking layers: start, DecryptLayer01, DecryptLayer02, Layer01_End, Layer02_Start, Layer02_End, Layer03_End, Layer04_End, Layer05_Start, Layer05_End ... Layer10_End, PackedCode, aP_depack_asm_fast (the aPLib depacker), OriginalEntryPoint, OEPJmp, Quit, Quit_BadDate
- Base discovery: GetImageBase, CheckKernelUser, IBaseFound, Kernel32_ImageBase, User32_ImageBase, NTDLL_ImageBase, ImageBase, VOffset, VSize
- Anti-debug: Push_IsDebug, DebuggerPresent, str_IsdebuggerPresent, hKernel32
- Import reconstruction: FixImports, StartFixImports, NextApi, TestOrdinal, AddressOfDataRVA2VA, DecryptApiString, DecryptApiStrLoop, Next_IID, TestFirstThunk, str_Api, StrLen
- Strings: str_Kernel32_dll_0, str_Kernel32_dll_1, str_User32_dll, str_Getprocaddress, str_LoadLibrayA (sic), strGetSystemTime, str_ThisProgramCannotBeRunInDosMode, SysTime, BoolVar
- Structures applied: IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, IMAGE_DATA_DIRECTORY, IMAGE_SECTION_HEADER, IMAGE_EXPORT_DIRECTORY, IMAGE_IMPORT_DESCRIPTOR (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk), SYSTEMTIME

Analyst comments, in the order the stub executes

start / GetImageBase
- Save the registers
- Under the NT subsystem, [ESP+24] contains an address inside Kernel32
- Keep the high word (the page-aligned part of that address is walked down to the MZ header)
- EBX = Kernel32_ImageBase ; save Kernel32's ImageBase
- LoadLibraryA("User32.dll")

Layer decryption
- Save Layer02_End for the RET at 00401190
- Jmp Layer02_Start
- JMP Layer05_Start // Layer02_End
- + ImageBase ; VOffset of the first section

Anti-debug
- GetProcAddress(hKernel32, "IsDebuggerPresent")
- Restore the value saved at the start

FixImports (walks the IAT and rebuilds it by hand)
- Next IMAGE_IMPORT_DESCRIPTOR ; SIZE_OF_IMAGE_IMPORT_DESCRIPTOR
- EAX = FirstThunk ; FirstThunk Null?
- AddressOfData Null? ; EDI = VA AddressOfData
- Is Ordinal?
- EDI = IMAGE_IMPORT_BY_NAME ; EDI = Name ; ECX = number of characters in the string (the API name is decrypted in DecryptApiStrLoop)
- Yes / Next Api
- ECX = index of the API address in the AddressOfFunctions table
- Compute the index into the DWORD table
- EAX = RVA of the API ; EAX = address of the API
- Save the API address

OEPJmp
- Patch the PUSH so it points at the OEP
- eax = OEP VA
- JMP OEP

The rest of the page is IDA's own state (B-tree index pages, netnode names such as "$ funcs", "$ segs", "$ fixups", "$ patches", window configuration, and message templates like "Can't find name (hint: use manual arg)") and carries no information about the sample.
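The FixImports comments above describe the stub walking IMAGE_IMPORT_DESCRIPTORs, testing each thunk for the ordinal flag, and turning an export index into an address through AddressOfFunctions. The block below is an added example, not code from the database or from the sample: it rebuilds an IAT the same way on two constructed in-memory images (a fake KERNEL32.dll with an export directory and a target with an import directory). Everything in it is assumed for illustration: the RVAs, the export RVAs 0x1111..0x4444, the load address 0x7C800000 and the name build_samples. The one subtle point the comments hint at ("ECX = index ... in the AddressOfFunctions table") is that the index is AddressOfNameOrdinals[i], not i, and for a real ordinal it is ordinal minus Base.

```python
"""Rebuild an IAT by walking IMAGE_IMPORT_DESCRIPTORs and resolving each thunk
against a DLL's IMAGE_EXPORT_DIRECTORY. Images are bytearrays indexed by RVA
(i.e. already mapped, base 0). Added example with constructed data."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY (40 bytes)
IMPORT_DESC_FMT = "<IIIII"        # IMAGE_IMPORT_DESCRIPTOR (20 bytes)

def rd32(img, rva): return struct.unpack_from("<I", img, rva)[0]
def rd16(img, rva): return struct.unpack_from("<H", img, rva)[0]
def rdstr(img, rva): return img[rva:img.index(b"\0", rva)].decode("ascii")
def put(img, rva, data): img[rva:rva + len(data)] = data  # exact-length write

def resolve_export(dll, dir_rva, target):
    """GetProcAddress by hand. target is a str (by name) or int (by ordinal).
    Returns the function RVA, or None when not exported."""
    (_, _, _, _, _, base, n_funcs, n_names, funcs, names,
     name_ords) = struct.unpack_from(EXPORT_DIR_FMT, dll, dir_rva)
    if isinstance(target, int):
        idx = target - base                     # ordinal -> AddressOfFunctions index
    else:
        for i in range(n_names):                # AddressOfNames[i] pairs with
            if rdstr(dll, rd32(dll, names + 4 * i)) == target:   # NameOrdinals[i]
                idx = rd16(dll, name_ords + 2 * i)
                break
        else:
            return None
    if not 0 <= idx < n_funcs:
        return None
    return rd32(dll, funcs + 4 * idx) or None   # 0 = unused ordinal slot

def fix_imports(img, import_dir_rva, dlls):
    """Fill every FirstThunk (IAT) slot with a resolved VA.
    dlls: {dll name: (dll image, load base, export dir RVA)}.
    Returns [(dll, symbol, va)] in walk order."""
    resolved, desc = [], import_dir_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(IMPORT_DESC_FMT, img, desc)
        if name_rva == 0 and ft == 0:           # all-zero descriptor ends the table
            break
        dll_name = rdstr(img, name_rva)
        dll_img, dll_base, exp_rva = dlls[dll_name]
        ilt, i = (oft or ft), 0                 # no ILT: read names from the IAT first
        while (entry := rd32(img, ilt + 4 * i)) != 0:
            if entry & IMAGE_ORDINAL_FLAG32:    # "Is Ordinal?"
                sym = entry & 0xFFFF
            else:                               # IMAGE_IMPORT_BY_NAME: skip the Hint
                sym = rdstr(img, entry + 2)
            rva = resolve_export(dll_img, exp_rva, sym)
            if rva is None:
                raise LookupError(f"{dll_name}!{sym} not exported")
            struct.pack_into("<I", img, ft + 4 * i, dll_base + rva)  # write IAT slot
            resolved.append((dll_name, sym, dll_base + rva))
            i += 1
        desc += struct.calcsize(IMPORT_DESC_FMT)
    return resolved

def build_samples():
    """Constructed data: fake KERNEL32.dll exporting ordinals 1..4 (ordinal 2
    is nameless) and a target importing two names plus ordinal 2."""
    dll, cursor = bytearray(0x1000), 0x300
    def cstr(txt):                              # place a C string, return its RVA
        nonlocal cursor
        put(dll, cursor, txt.encode() + b"\0")
        rva, cursor = cursor, cursor + len(txt) + 1
        return rva
    dll_name = cstr("KERNEL32.dll")
    names = [cstr("GetProcAddress"), cstr("IsDebuggerPresent"), cstr("LoadLibraryA")]
    struct.pack_into("<4I", dll, 0x200, 0x1111, 0x2222, 0x3333, 0x4444)  # AddressOfFunctions
    struct.pack_into("<3I", dll, 0x220, *names)                           # AddressOfNames
    struct.pack_into("<3H", dll, 0x240, 0, 2, 3)                          # AddressOfNameOrdinals
    struct.pack_into(EXPORT_DIR_FMT, dll, 0x100, 0, 0, 0, 0, dll_name, 1, 4, 3,
                     0x200, 0x220, 0x240)
    img = bytearray(0x1000)
    put(img, 0x400, b"KERNEL32.dll\0")
    put(img, 0x420, b"\0\0IsDebuggerPresent\0")  # IMAGE_IMPORT_BY_NAME (Hint, Name)
    put(img, 0x440, b"\0\0GetProcAddress\0")
    ilt = (0x420, IMAGE_ORDINAL_FLAG32 | 2, 0x440, 0)
    struct.pack_into("<4I", img, 0x500, *ilt)   # OriginalFirstThunk
    struct.pack_into("<4I", img, 0x520, *ilt)   # FirstThunk (IAT, identical on disk)
    struct.pack_into(IMPORT_DESC_FMT, img, 0x600, 0x500, 0, 0, 0x400, 0x520)
    return img, dll

def demo(kernel32_base=0x7C800000):             # assumed load address
    img, dll = build_samples()
    res = fix_imports(img, 0x600, {"KERNEL32.dll": (dll, kernel32_base, 0x100)})
    return res, [rd32(img, 0x520 + 4 * i) for i in range(3)]
```

Running demo() writes 0x7C803333, 0x7C802222 and 0x7C801111 into the three IAT slots. A packer that has wiped OriginalFirstThunk has to read the name pointers out of FirstThunk before overwriting them, which is why the stub above tests "FirstThunk Null?" rather than the ILT; fix_imports keeps that fallback.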