//******************** Program Entry Point ********
:00404E9C A1E4634000              mov eax, dword ptr [004063E4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404EA8(C)
|
:00404EA1 48                      dec eax
:00404EA2 81384D5A9000            cmp dword ptr [eax], 00905A4D		;find 'MZ' header
:00404EA8 75F7                    jne 00404EA1
:00404EAA 03403C                  add eax, dword ptr [eax+3C]		;get into header
:00404EAD 8B5834                  mov ebx, dword ptr [eax+34]
:00404EB0 891DA6584000            mov dword ptr [004058A6], ebx		;get image base
:00404EB6 8B4078                  mov eax, dword ptr [eax+78]		;get import section
:00404EB9 0305A6584000            add eax, dword ptr [004058A6]
:00404EBF 8B5824                  mov ebx, dword ptr [eax+24]		;get NameOrdinals
:00404EC2 031DA6584000            add ebx, dword ptr [004058A6]
:00404EC8 891DAA584000            mov dword ptr [004058AA], ebx
:00404ECE 8B5820                  mov ebx, dword ptr [eax+20]		;get AddressOfNames
:00404ED1 031DA6584000            add ebx, dword ptr [004058A6]
:00404ED7 891DAE584000            mov dword ptr [004058AE], ebx
:00404EDD 8B581C                  mov ebx, dword ptr [eax+1C]		;get AddressOfFcts
:00404EE0 031DA6584000            add ebx, dword ptr [004058A6]
:00404EE6 891DB2584000            mov dword ptr [004058B2], ebx
:00404EEC 90                      nop

* Possible StringData Ref from Data Obj ->"LoadLibraryA"
                                  |
:00404EED 6882584000              push 00405882
:00404EF2 E856000000              call 00404F4D				;get api offset
:00404EF7 A39E584000              mov dword ptr [0040589E], eax		;save offset

* Possible StringData Ref from Data Obj ->"cryptpadv2.dll"
                                  |
:00404EFC 684C584000              push 0040584C
:00404F01 FF159E584000            call dword ptr [0040589E]		;load dll
:00404F07 A35B584000              mov dword ptr [0040585B], eax

* Possible StringData Ref from Data Obj ->"GetProcAddress"
                                  |
:00404F0C 688F584000              push 0040588F
:00404F11 E837000000              call 00404F4D				;get api offset
:00404F16 A3A2584000              mov dword ptr [004058A2], eax

* Possible StringData Ref from Data Obj ->"ReadFile_replace"
                                  |
:00404F1B 685F584000              push 0040585F
:00404F20 FF355B584000            push dword ptr [0040585B]
:00404F26 FF15A2584000            call dword ptr [004058A2]		;get replace offset
:00404F2C A3E4634000              mov dword ptr [004063E4], eax		;patch iat

* Possible StringData Ref from Data Obj ->"WriteFile_replace"
                                  |
:00404F31 6870584000              push 00405870
:00404F36 FF355B584000            push dword ptr [0040585B]
:00404F3C FF15A2584000            call dword ptr [004058A2]
:00404F42 A364634000              mov dword ptr [00406364], eax
:00404F47 E980C1FFFF              jmp 004010CC
:00404F4C 90                      nop

* Referenced by a CALL at Addresses:
|:00404EF2   , :00404F11   
|
:00404F4D 8B3DAE584000            mov edi, dword ptr [004058AE]
:00404F53 8B35B2584000            mov esi, dword ptr [004058B2]
:00404F59 FC                      cld
:00404F5A B9FFFFFFFF              mov ecx, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404F77(C), :00404F82(C)
|
:00404F5F 41                      inc ecx
:00404F60 8B5C2404                mov ebx, dword ptr [esp+04]
:00404F64 8B17                    mov edx, dword ptr [edi]
:00404F66 0315A6584000            add edx, dword ptr [004058A6]
:00404F6C 83C704                  add edi, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404F7B(U)
|
:00404F6F 8A02                    mov al, byte ptr [edx]
:00404F71 84C0                    test al, al
:00404F73 740B                    je 00404F80
:00404F75 3A03                    cmp al, byte ptr [ebx]
:00404F77 75E6                    jne 00404F5F
:00404F79 43                      inc ebx
:00404F7A 42                      inc edx
:00404F7B E9EFFFFFFF              jmp 00404F6F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404F73(C)
|
:00404F80 3A03                    cmp al, byte ptr [ebx]
:00404F82 75DB                    jne 00404F5F
:00404F84 8B3DAA584000            mov edi, dword ptr [004058AA]
:00404F8A D1E1                    shl ecx, 1
:00404F8C 0FB70439                movzx eax, word ptr [ecx+edi]
:00404F90 8B0486                  mov eax, dword ptr [esi+4*eax]
:00404F93 0305A6584000            add eax, dword ptr [004058A6]
:00404F99 C20400                  ret 0004
