BOOL ImpersonateAndCheckAccess(PCtxtHandle phContext,
PSECURITY_DESCRIPTOR psdSD,
PDWORD pdwAccessGranted) {
HANDLE hToken = NULL;
// AccessCheck() variables
DWORD dwAccessDesired = MAXIMUM_ALLOWED;
PRIVILEGE_SET PrivilegeSet;
DWORD dwPrivSetSize = sizeof(PRIVILEGE_SET);
BOOL fAccessGranted = FALSE;
GENERIC_MAPPING GenericMapping = { vncGenericRead, vncGenericWrite,
vncGenericExecute, vncGenericAll };
// This only does something if we want to use generic access
// rights, like GENERIC_ALL, in our call to AccessCheck().
MapGenericMask(&dwAccessDesired, &GenericMapping);
// AccessCheck() requires an impersonation token.
if ((fn._ImpersonateSecurityContext(phContext) == SEC_E_OK)
&& OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken)
&& AccessCheck(psdSD, hToken, dwAccessDesired, &GenericMapping,
&PrivilegeSet, &dwPrivSetSize, pdwAccessGranted, &fAccessGranted)) {
// Restrict access to relevant rights only
fAccessGranted = AreAnyAccessesGranted(*pdwAccessGranted, ViewOnly | Interact);
}
// End impersonation
fn._RevertSecurityContext(phContext);
// Close handles
if (hToken)
CloseHandle(hToken);
return fAccessGranted;
}
// address: 0x401000
void _start(unsigned int param1) {
short ax; // r0
unsigned char cl; // r9
__size32 eax; // r24
unsigned int eax_2; // r24{28}
__size32 eax_3; // r24{245}
__size32 ebp; // r29
unsigned int ebx; // r27
int *ebx_1; // r27
unsigned int ebx_2; // r27{31}
unsigned int ebx_3; // r27{47}
__size32 ebx_4; // r27{168}
__size32 ebx_5; // r27{172}
int *ebx_6; // r27{311}
unsigned int ebx_7; // r27{238}
__size32 ebx_8; // r27{305}
int ecx; // r25
__size32 *ecx_1; // r25
__size32 *ecx_2; // r25{260}
unsigned int ecx_3; // r25{160}
unsigned int edi; // r31
int edx; // r26
unsigned int esi; // r30
__size32 *esi_1; // r30
unsigned int esi_10; // r30{247}
unsigned int esi_11; // r30{286}
unsigned int esi_12; // r30{271}
unsigned int esi_13; // r30{262}
union { unsigned int x7; __size32 * x8; } esi_14; // r30{313}
unsigned int esi_2; // r30{12}
unsigned int esi_3; // r30{57}
unsigned int esi_4; // r30{69}
unsigned int esi_5; // r30{101}
unsigned int esi_6; // r30{128}
__size32 *esi_7; // r30{218}
union { unsigned int x7; __size32 * x8; } esi_8; // r30{185}
unsigned int esi_9; // r30{253}
int esp; // r28
void *esp_1; // r28{42}
void *esp_2; // r28{298}
unsigned int local0; // m[esp - 36]
unsigned int local12; // m[esp - 36]{350}
unsigned int local13; // ebx_7{238}
unsigned int local14; // esi_10{247}
unsigned int local15; // param1{248}
unsigned int local16; // esi_9{253}
unsigned int local17; // esi_13{262}
unsigned int local18; // esi_12{271}
unsigned int local19; // esi_11{286}
__size32 local20; // ebx_8{305}
union { unsigned int x7; __size32 * x8; } local21; // esi_14{313}
__size32 *local22; // esi_7{331}
union { __size32 * x5; unsigned int x6; } local23; // ecx{340}
esi_2 = 0;
eax_2 = AddAce();
local14 = esi_2;
local15 = param1;
ebx_2 = eax_2 + 22;
eax = AreAnyAccessesGranted(); /* Warning: also results in ecx, esp_1 */
local13 = ebx_2;
if (eax == 0) {
ebx_3 = eax_2 - 12;
local13 = ebx_3;
}
ebx_7 = local13;
eax = 0;
do {
eax_3 = eax;
esi_10 = local14;
param1 = local15;
local16 = esi_10;
if (esi_10 == ebx_7) {
esi_3 = 0;
local16 = esi_3;
}
esi_9 = local16;
edi = ecx + param1 * 4 + esi_9;
cl = *(esi_9 + 0x404000);
ecx = ecx >> 8 & 0xffffff | (cl);
*(char*)(eax_3 + 0x401190) = *(eax_3 + 0x401190) ^ cl;
eax = eax_3 + 1;
esi_4 = esi_9 + 1;
local14 = esi_4;
local15 = edi;
local17 = esi_4;
} while (eax_3 + 1 < 0x1440);
ecx_1 = 0x402490;
ebx_1 = 0xf0400f10;
local0 = 0;
edi = esi_9 + edi * 4 + 1;
do {
ecx_2 = ecx_1;
esi_13 = local17;
local12 = local0;
eax = *(ecx_2 + 4);
edi = (eax - 8) / 2 + edi * 8;
edx = ecx_2 + 8;
local19 = esi_13;
if ((int)((eax - 8) / 2) > 0) {
esi_5 = (eax - 8) / 2;
local18 = esi_5;
do {
esi_12 = local18;
eax = *(unsigned short*)edx;
edi = eax & 0xf000;
if ((eax & 0xf000) == 0x3000) {
eax = (eax & 0xfff) + *ecx_2;
*(__size32*)(eax + 0x400f10) = *(eax + 0x400f10) - 0xfbff0f0;
}
edx++;
esi_6 = esi_12 - 1;
local18 = esi_6;
local19 = esi_6;
} while (esi_12 != 1);
}
esi_11 = local19;
eax = *(ecx_2 + 4);
ax = (unsigned short) eax;
ecx_1 = ecx_2 + eax;
cl = (unsigned char) ecx_2 + eax;
local0 = local12 + eax;
local17 = esi_11;
local23 = ecx_1;
} while (local12 + eax < 228);
esi_1 = 0x401c84;
edi += edi;
flags = SUBFLAGS32(*0x401c94, 0, global10);
if (*0x401c94 != 0) {
do {
esp_2 = esp_1;
esi_14 = esi_1;
edx = *(esi_14 + 12);
*(__size32*)(esp_2 - 4) = edx + 0x400f10;
eax = LoadLibraryA(*(esp_2 - 4)); /* Warning: also results in ecx_3 */
local21 = esi_14;
local22 = esi_14;
local22 = esi_14;
edx = eax;
*(union { unsigned int x3; void * x4; }*)(esp_2 + 20) = eax;
ecx = ecx_3 * 3;
cl = (unsigned char) ecx_3 * 3;
if (eax != 0) {
ebx_4 = *esi_14;
local20 = ebx_4;
if (ebx_4 == 0) {
ebx_5 = *(esi_14 + 16);
local20 = ebx_5;
}
ebx_8 = local20;
edi = *(esi_14 + 16);
ebx_1 = ebx_8 + 0x400f10;
edi += 0x400f10;
if (*(ebx_8 + 0x400f10) != 0) {
L10:
ebx_6 = ebx_1;
esi_14 = local21;
esi_8 = edi + esi_14 * 4;
eax = *ebx_6;
local21 = esi_8;
if (eax >= 0) {
cl = (unsigned char) eax + 0x400f12;
*(__size32*)(esp_2 - 4) = eax + 0x400f12;
goto L7;
} else {
*(unsigned int*)(esp_2 - 4) = ((unsigned short) eax);
}
L7:
*(union { unsigned int x3; void * x4; }*)(esp_2 - 8) = edx;
eax = GetProcAddress(*(esp_2 - 8), *(esp_2 - 4)); /* Warning: also results in ecx */
*(__size32*)edi = eax;
ebx_1 = ebx_6 + 4;
eax = ebx_6 + (eax + 1) * 4;
ax = (unsigned short) eax;
edi += 4;
if (*(ebx_6 + 4) != 0) {
edx = *(esp_2 + 20);
goto L10;
}
esi_7 = *(esp_2 + 16);
local22 = esi_7;
}
}
esp_1 = esp_2;
esi_7 = local22;
esi_1 = esi_7 + 20;
tmp1 = *(esi_7 + 36);
flags = SUBFLAGS32(*(esi_7 + 36), 0, tmp1);
*(void **)(esp_2 + 16) = esi_7 + 20;
local23 = ecx;
} while (*(esi_7 + 36) != 0);
}
ecx = local23;
(*0x401960)(pc, -1, -1, 0, 0, 0x401c84, 0, 0, param1, esi, ebp, ebx, ax, cl, eax, ecx, 0x401960, ebx_1, 0x400f10, esi_1, edi, flags, ZF, CF);
*(__size32*)(esp - 4) = 0;
ExitProcess(*(esp - 4));
return;
}
