head 1.1; access; symbols; locks; strict; comment @# @; expand @o@; 1.1 date 2011.03.01.18.28.21; author wvholst; state Exp; branches; next ; desc @none @ 1.1 log @save attachment @ text @
; ; +-------------------------------------------------------------------------+ ; ¦ This file is generated by The Interactive Disassembler (IDA) ¦ ; ¦ Copyright (c) 2010 by Hex-Rays SA, <support@@hex-rays.com> ¦ ; ¦ Licensed to: Freeware version ¦ ; +-------------------------------------------------------------------------+ ; ; Input MD5 : 519B4A93DA63DEE92FAA64A433C61D86 ; File Name : Z:\home\wvholst\Downloads\win32\EP10eDrv.sys ; Format : Portable executable for 80386 (PE) ; Imagebase : 10000 ; Section 1. (virtual address 00001000) ; Virtual size : 0000808F ( 32911.) ; Section size in file : 00008200 ( 33280.) ; Offset to raw data for section: 00000400 ; Flags 68000020: Text Not pageable Executable Readable ; Alignment : default unicode macro page,string,zero irpc c,<string> db '&c', page endm ifnb <zero> dw zero endif endm .686p .mmx .model flat ; Segment type: Pure code ; Segment permissions: Read/Execute _text segment para public 'CODE' use32 assume cs:_text ;org 11000h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing sub_11000 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] push ebx mov ebx, [eax] mov eax, [eax+4] push ebp mov ebp, ds:ExAllocatePoolWithTag push esi push edi push 774E6350h push 568h push 0 mov esi, ecx mov [esp+1Ch+arg_0], eax call ebp ; ExAllocatePoolWithTag mov edi, eax test edi, edi jz short loc_11049 push 568h push 0 push edi call memset add esp, 0Ch push 0 push ebx mov ecx, edi call sub_13280 jmp short loc_1104B loc_11049: xor eax, eax loc_1104B: push 774E6350h push 568h push 0 mov [esi], eax call ebp ; ExAllocatePoolWithTag mov edi, eax test edi, edi jz short loc_1108B push 568h push 0 push edi call memset mov ecx, [esp+1Ch+arg_0] add esp, 0Ch push 1 push ecx mov ecx, edi call sub_13280 pop edi mov [esi+4], eax mov eax, esi pop esi pop ebp pop ebx retn 4 loc_1108B: xor eax, eax pop edi mov [esi+4], eax mov eax, esi pop esi pop ebp pop ebx retn 4 sub_11000 endp align 10h sub_110A0 proc near push esi mov esi, ecx mov ecx, 
[esi] call sub_13380 mov ecx, [esi+4] pop esi jmp sub_13380 sub_110A0 endp align 10h sub_110C0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 cmp [esp+arg_0], 0 jz short loc_110D7 mov eax, [esp+arg_4] mov ecx, [ecx+4] push eax call sub_11650 retn 8 loc_110D7: mov edx, [esp+arg_4] mov ecx, [ecx] push edx call sub_11650 retn 8 sub_110C0 endp align 10h sub_110F0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 cmp [esp+arg_0], 0 jz short loc_11107 mov eax, [esp+arg_4] mov ecx, [ecx+4] push eax call sub_116F0 retn 8 loc_11107: mov edx, [esp+arg_4] mov ecx, [ecx] push edx call sub_116F0 retn 8 sub_110F0 endp align 10h sub_11120 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 cmp [esp+arg_0], 0 jz short loc_11137 mov eax, [esp+arg_4] mov ecx, [ecx+4] push eax call sub_11760 retn 8 loc_11137: mov edx, [esp+arg_4] mov ecx, [ecx] push edx call sub_11760 retn 8 sub_11120 endp align 10h sub_11150 proc near arg_0= dword ptr 4 cmp [esp+arg_0], 0 jz short loc_11162 mov ecx, [ecx+4] call sub_117A0 retn 4 loc_11162: mov ecx, [ecx] call sub_117A0 retn 4 sub_11150 endp align 10h sub_11170 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 cmp [esp+arg_0], 0 push esi push edi mov edi, [esp+8+arg_4] mov esi, ecx push edi jz short loc_11190 mov ecx, [esi+4] call sub_117D0 mov [esi+10h], edi pop edi pop esi retn 8 loc_11190: mov ecx, [esi] call sub_117D0 mov [esi+10h], edi pop edi pop esi retn 8 sub_11170 endp align 10h sub_111A0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 ; FUNCTION CHUNK AT .text:00011B20 SIZE 00000044 BYTES mov eax, [esp+arg_4] test eax, eax jz short loc_111B4 mov [esp+arg_4], eax mov ecx, [ecx+4] jmp loc_11B20 loc_111B4: mov [esp+arg_4], 0 mov ecx, [ecx] jmp loc_11B20 sub_111A0 endp align 10h sub_111D0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h ; FUNCTION CHUNK AT .text:00011B70 SIZE 000000D7 BYTES mov ecx, [ecx] jmp loc_11B70 sub_111D0 endp align 10h sub_111E0 proc near var_24= dword ptr -24h var_18= dword ptr -18h 
var_C= dword ptr -0Ch arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h arg_10= dword ptr 14h ; FUNCTION CHUNK AT .text:00011C50 SIZE 0000005F BYTES ; FUNCTION CHUNK AT .text:00016710 SIZE 0000023A BYTES mov eax, [esp+arg_0] cmp eax, 7 ; switch 8 cases ja locret_11270 ; default jmp ds:off_11274[eax*4] ; switch jump loc_111F4: ; case 0x0 mov ecx, [ecx] mov [esp+arg_0], 0 jmp loc_11C50 loc_11203: ; case 0x1 mov ecx, [ecx] mov [esp+arg_0], 1 jmp loc_11C50 loc_11212: ; case 0x2 mov ecx, [ecx+4] mov [esp+arg_0], 0 jmp loc_11C50 loc_11222: ; case 0x3 mov ecx, [ecx+4] mov [esp+arg_0], 1 jmp loc_11C50 loc_11232: ; case 0x4 mov ecx, [ecx] mov [esp+arg_0], 2 jmp loc_11C50 loc_11241: ; case 0x5 mov ecx, [ecx] mov [esp+arg_0], 3 jmp loc_11C50 loc_11250: ; case 0x6 mov ecx, [ecx+4] mov [esp+arg_0], 2 jmp loc_11C50 loc_11260: ; case 0x7 mov ecx, [ecx+4] mov [esp+arg_0], 3 jmp loc_11C50 locret_11270: ; default retn 14h sub_111E0 endp align 4 off_11274 dd offset loc_111F4 ; jump table for switch statement dd offset loc_11203 dd offset loc_11212 dd offset loc_11222 dd offset loc_11232 dd offset loc_11241 dd offset loc_11250 dd offset loc_11260 align 10h sub_112A0 proc near arg_0= dword ptr 4 ; FUNCTION CHUNK AT .text:00011CC0 SIZE 0000000B BYTES ; FUNCTION CHUNK AT .text:00016950 SIZE 0000003A BYTES mov ecx, [ecx] jmp loc_11CC0 sub_112A0 endp align 10h sub_112B0 proc near ; FUNCTION CHUNK AT .text:00011CD0 SIZE 0000000B BYTES mov ecx, [ecx] jmp loc_11CD0 sub_112B0 endp align 10h sub_112C0 proc near mov ecx, [ecx+4] jmp loc_11CC0 sub_112C0 endp align 10h sub_112D0 proc near mov ecx, [ecx+4] jmp loc_11CD0 sub_112D0 endp align 10h sub_112E0 proc near mov ecx, [ecx] jmp sub_11CE0 sub_112E0 endp align 10h sub_112F0 proc near arg_0= dword ptr 4 ; FUNCTION CHUNK AT .text:00011D70 SIZE 0000004B BYTES mov ecx, [ecx] jmp loc_11D70 sub_112F0 endp align 10h sub_11300 proc near mov ecx, [ecx+4] jmp sub_11CE0 sub_11300 endp align 10h sub_11310 proc near mov ecx, 
[ecx+4] jmp loc_11D70 sub_11310 endp align 10h sub_11320 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 ; FUNCTION CHUNK AT .text:00011DC0 SIZE 0000000B BYTES ; FUNCTION CHUNK AT .text:00016990 SIZE 00000041 BYTES mov ecx, [ecx] jmp loc_11DC0 sub_11320 endp align 10h sub_11330 proc near ; FUNCTION CHUNK AT .text:00011DD0 SIZE 0000000B BYTES mov ecx, [ecx] jmp loc_11DD0 sub_11330 endp align 10h sub_11340 proc near mov ecx, [ecx+4] jmp loc_11DC0 sub_11340 endp align 10h sub_11350 proc near mov ecx, [ecx+4] jmp loc_11DD0 sub_11350 endp align 10h sub_11360 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h cmp [esp+arg_0], 0 jz short loc_11381 mov eax, [esp+arg_C] mov edx, [esp+arg_8] mov ecx, [ecx+4] push eax mov eax, [esp+4+arg_4] push edx push eax call sub_11DE0 retn 10h loc_11381: mov edx, [esp+arg_C] mov eax, [esp+arg_8] mov ecx, [ecx] push edx mov edx, [esp+4+arg_4] push eax push edx call sub_11DE0 retn 10h sub_11360 endp align 10h sub_113A0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch cmp [esp+arg_0], 0 mov eax, [esp+arg_8] mov edx, [esp+arg_4] push eax push edx jz short loc_113BC mov ecx, [ecx+4] call sub_11E10 retn 0Ch loc_113BC: mov ecx, [ecx] call sub_11E10 retn 0Ch sub_113A0 endp align 10h sub_113D0 proc near arg_0= dword ptr 4 ; FUNCTION CHUNK AT .text:00011E40 SIZE 00000026 BYTES mov ecx, [ecx] jmp loc_11E40 sub_113D0 endp align 10h sub_113E0 proc near arg_0= dword ptr 0Ch arg_4= dword ptr 10h push esi push edi mov edi, [esp+arg_0] test edi, edi mov esi, ecx jz short loc_11411 mov ecx, [esi] push ebx mov ebx, [esp+4+arg_4] push ebx push edi call sub_11E70 mov ecx, [esi+4] add ebx, 600h push ebx add edi, 600h push edi call sub_11E70 pop ebx loc_11411: pop edi pop esi retn 8 sub_113E0 endp align 10h sub_11420 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h ; FUNCTION CHUNK AT .text:00012EB0 SIZE 000000A8 BYTES mov eax, [esp+arg_4] cmp eax, 4 jge short 
loc_11434 mov ecx, [ecx] mov [esp+arg_4], eax jmp loc_12EB0 loc_11434: mov ecx, [ecx+4] add eax, 0FFFFFFFCh mov [esp+arg_4], eax jmp loc_12EB0 sub_11420 endp align 10h sub_11450 proc near arg_0= dword ptr 0Ch push esi push edi mov edi, [esp+arg_0] mov esi, ecx mov ecx, [esi+4] push edi call sub_12F60 mov ecx, [esi] push edi call sub_12F60 pop edi pop esi retn 4 sub_11450 endp align 10h sub_11470 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 ; FUNCTION CHUNK AT .text:00012480 SIZE 00000051 BYTES mov edx, [esp+arg_4] xor eax, eax cmp edx, 7 ; switch 8 cases ja short locret_114B8 ; default jmp ds:off_114BC[edx*4] ; switch jump loc_11482: ; case 0x0 mov [esp+arg_4], eax mov ecx, [ecx] jmp loc_12480 loc_1148D: ; case 0x2 mov [esp+arg_4], 2 mov ecx, [ecx] jmp loc_12480 loc_1149C: ; case 0x4 mov [esp+arg_4], eax mov ecx, [ecx+4] jmp loc_12480 loc_114A8: ; case 0x6 mov [esp+arg_4], 2 mov ecx, [ecx+4] jmp loc_12480 locret_114B8: ; default retn 8 sub_11470 endp align 4 off_114BC dd offset loc_11482 ; jump table for switch statement dd offset loc_11482 dd offset loc_1148D dd offset loc_1148D dd offset loc_1149C dd offset loc_1149C dd offset loc_114A8 dd offset loc_114A8 align 10h sub_114E0 proc near arg_0= dword ptr 4 mov edx, [esp+arg_0] mov ecx, [ecx+edx*4] xor eax, eax test ecx, ecx jz short locret_114F2 call sub_124E0 locret_114F2: retn 4 sub_114E0 endp align 10h sub_11500 proc near arg_0= dword ptr 0Ch push esi push edi mov edi, [esp+arg_0] mov esi, ecx mov ecx, [esi] push edi call sub_12820 mov ecx, [esi+4] push edi call sub_12820 pop edi pop esi retn 4 sub_11500 endp align 10h sub_11520 proc near arg_0= dword ptr 0Ch push esi push edi mov edi, [esp+arg_0] mov esi, ecx mov ecx, [esi] push edi call sub_16150 mov ecx, [esi+4] push edi call sub_16150 pop edi pop esi retn 4 sub_11520 endp align 10h sub_11540 proc near push ebx push ebp mov ebp, ds:ExFreePool push esi push edi mov ebx, ecx xor edi, edi mov edi, edi loc_11550: mov esi, [ebx+edi*4] test esi, esi jz short 
loc_11568 mov ecx, esi call sub_12A90 push esi call ebp ; ExFreePool mov dword ptr [ebx+edi*4], 0 loc_11568: add edi, 1 cmp edi, 2 jl short loc_11550 pop edi pop esi pop ebp pop ebx retn sub_11540 endp align 10h sub_11580 proc near arg_0= dword ptr 4 arg_4= byte ptr 8 cmp dword ptr [ecx+4], 0 jz short locret_1159B mov eax, [ecx] mov cl, [esp+arg_4] mov edx, [esp+arg_0] push 1 mov [edx+eax], cl call ds:KeStallExecutionProcessor locret_1159B: retn 8 sub_11580 endp align 10h sub_115A0 proc near arg_0= dword ptr 4 arg_4= word ptr 8 cmp dword ptr [ecx+4], 0 jz short locret_115BD mov eax, [ecx] mov cx, [esp+arg_4] mov edx, [esp+arg_0] push 1 mov [edx+eax], cx call ds:KeStallExecutionProcessor locret_115BD: retn 8 sub_115A0 endp sub_115C0 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_115CF xor al, al pop esi retn 4 loc_115CF: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov ecx, [esp+arg_0] mov al, [ecx+eax] pop esi retn 4 sub_115C0 endp align 10h sub_115F0 proc near var_18= dword ptr -18h var_14= dword ptr -14h var_10= dword ptr -10h var_C= dword ptr -0Ch var_8= dword ptr -8 arg_0= dword ptr 4 sub esp, 10h push ebx mov ebx, ds:KeQuerySystemTime push ebp push esi push edi lea eax, [esp+20h+var_8] push eax call ebx ; KeQuerySystemTime mov esi, [esp+28h] mov ebp, [esp+20h+arg_0] mov edi, ds:KeStallExecutionProcessor loc_11612: push 32h call edi ; KeStallExecutionProcessor lea ecx, [esp+20h+var_10] push ecx call ebx ; KeQuerySystemTime mov ecx, [esp+20h+var_10] sub ecx, [esp+20h+var_8] mov eax, [esp+20h+var_C] sbb eax, [esp+1Ch] cmp eax, esi jl short loc_11612 jg short loc_11637 cmp ecx, ebp jb short loc_11612 loc_11637: pop edi pop esi pop ebp pop ebx add esp, 10h retn 8 sub_115F0 endp align 10h sub_11650 proc near arg_0= dword ptr 8 push ebx mov ebx, [esp+arg_0] cmp ebx, 1 push esi push edi mov esi, ecx mov eax, 50000000h jnz short loc_11668 mov eax, 52000000h loc_11668: cmp dword ptr [esi+4], 0 mov edi, 
ds:KeStallExecutionProcessor jz short loc_116B2 mov ecx, [esi] and eax, 0FF37FFFFh or eax, 78000h push 1 mov [ecx+404h], eax call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_116B2 mov edx, [esi] push 1 mov word ptr [edx+40Ch], 301h call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_116B2 mov eax, [esi] push 1 mov byte ptr [eax+404h], 0Fh call edi ; KeStallExecutionProcessor loc_116B2: mov ecx, esi call sub_163D0 test ebx, ebx jnz short loc_116C4 and eax, 0FFFFFDFFh jmp short loc_116C9 loc_116C4: or eax, 200h loc_116C9: cmp dword ptr [esi+4], 0 jz short loc_116DB mov ecx, [esi] push 1 mov [ecx+404h], eax call edi ; KeStallExecutionProcessor loc_116DB: xor eax, eax pop edi mov [esi+51Ch], eax pop esi pop ebx retn 4 sub_11650 endp align 10h sub_116F0 proc near arg_0= dword ptr 10h push ebx push ebp push esi mov esi, ds:PcGetTimeInterval push edi push 0 push 0 mov ebp, ecx call esi ; PcGetTimeInterval mov ebx, edx mov edi, eax push ebx push edi call esi ; PcGetTimeInterval test edx, edx ja short loc_11758 jb short loc_11717 cmp eax, 7A120h jnb short loc_11758 loc_11717: cmp dword ptr [ebp+4], 0 jnz short loc_11721 xor al, al jmp short loc_11732 loc_11721: push 1 call ds:KeStallExecutionProcessor mov eax, [ebp+0] mov al, [eax+404h] loc_11732: test al, al jns short loc_1174C push ebx push edi call esi ; PcGetTimeInterval test edx, edx ja short loc_11758 cmp eax, 7A120h jb short loc_11717 pop edi pop esi pop ebp pop ebx retn 4 loc_1174C: mov ecx, [esp+4+arg_0] push ecx mov ecx, ebp call sub_163A0 loc_11758: pop edi pop esi pop ebp pop ebx retn 4 sub_116F0 endp align 10h sub_11760 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1176D xor al, al jmp short loc_1177D loc_1176D: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+404h] loc_1177D: test al, 40h jz short loc_11787 xor eax, eax pop esi retn 4 loc_11787: mov ecx, esi call sub_163F0 mov ecx, [esp+arg_0] mov 
[ecx], al mov eax, 1 pop esi retn 4 sub_11760 endp align 10h sub_117A0 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_117B3 xor al, al movzx eax, al shr eax, 7 pop esi retn loc_117B3: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+404h] movzx eax, al shr eax, 7 pop esi retn sub_117A0 endp align 10h sub_117D0 proc near arg_0= dword ptr 0Ch push esi push edi mov esi, ecx call sub_163D0 mov edi, [esp+arg_0] xor ecx, ecx and eax, 0FEFFFFFFh test edi, edi setnz cl and ecx, 1 shl ecx, 18h or eax, ecx cmp dword ptr [esi+4], 0 jz short loc_11807 mov edx, [esi] push 1 mov [edx+404h], eax call ds:KeStallExecutionProcessor loc_11807: mov [esi+51Ch], edi pop edi pop esi retn 4 sub_117D0 endp align 10h sub_11820 proc near var_4= dword ptr -4 arg_0= word ptr 4 arg_4= byte ptr 8 sub esp, 8 push ebx mov ebx, ds:PcGetTimeInterval push ebp push esi push edi push 0 push 0 mov esi, ecx call ebx ; PcGetTimeInterval mov edi, ds:KeStallExecutionProcessor mov ebp, eax mov [esp+18h+var_4], edx loc_11841: push 460h mov ecx, esi call sub_16500 test al, al jns short loc_1187E push 64h call edi ; KeStallExecutionProcessor mov eax, [esp+18h+var_4] push eax push ebp call ebx ; PcGetTimeInterval test edx, edx ja short loc_11868 cmp eax, 0BEBC200h jb short loc_11841 loc_11868: push 460h mov ecx, esi call sub_16500 pop edi pop esi pop ebp pop ebx add esp, 8 retn 8 loc_1187E: cmp dword ptr [esi+4], 0 jz short loc_118DD movzx ecx, [esp+18h+arg_0] mov edx, [esi] shl ecx, 8 or ecx, 10000A0h push 1 mov [edx+460h], ecx call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_118DD mov eax, [esi] push 1 mov dword ptr [eax+464h], 0E0000010h call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_118DD mov ecx, [esi] mov dl, [esp+18h+arg_4] push 1 mov [ecx+470h], dl call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_118DD mov eax, [esi] push 1 mov byte ptr [eax+464h], 90h call edi ; 
KeStallExecutionProcessor loc_118DD: push 64h call edi ; KeStallExecutionProcessor pop edi pop esi pop ebp pop ebx add esp, 8 retn 8 sub_11820 endp align 10h sub_118F0 proc near var_18= dword ptr -18h var_14= dword ptr -14h var_10= dword ptr -10h var_C= dword ptr -0Ch var_8= dword ptr -8 var_4= dword ptr -4 arg_0= byte ptr 4 arg_1= byte ptr 5 arg_C= dword ptr 10h sub esp, 8 mov eax, [esp+8+arg_C] push ebx mov ebx, ds:PcGetTimeInterval push ebp push esi push edi push 0 push 0 mov esi, ecx mov byte ptr [eax], 0FFh call ebx ; PcGetTimeInterval mov edi, dword ptr [esp+18h+arg_0] mov ebp, ds:KeStallExecutionProcessor mov [esp+18h+var_8], eax mov [esp+18h+var_4], edx mov edi, edi loc_11920: push edi mov ecx, esi call sub_16500 test al, al jns short loc_11956 push 64h call ebp ; KeStallExecutionProcessor mov ecx, [esp+18h+var_4] mov edx, [esp+18h+var_8] push ecx push edx call ebx ; PcGetTimeInterval test edx, edx ja short loc_11947 cmp eax, 1312D00h jb short loc_11920 loc_11947: pop edi pop esi pop ebp mov eax, 0C00000B5h pop ebx add esp, 8 retn 10h loc_11956: movzx eax, byte ptr [esp+20h] push eax push edi mov ecx, esi call sub_16410 movzx ecx, byte ptr [esp+24h] push ecx push edi mov ecx, esi call sub_16440 movzx edx, byte ptr [esp+25h] push edx push edi mov ecx, esi call sub_16480 push 1 push edi mov ecx, esi call sub_164C0 cmp dword ptr [esi+4], 0 jz short loc_119AF mov eax, [esi] push 1 mov dword ptr [eax+edi+4], 0E0000450h call ebp ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_119AF mov ecx, [esi] push 1 mov byte ptr [ecx+edi+4], 0D0h call ebp ; KeStallExecutionProcessor loc_119AF: push 0 push 0 call ebx ; PcGetTimeInterval mov [esp+18h+var_8], eax mov [esp+18h+var_4], edx lea ecx, [ecx+0] loc_119C0: push edi mov ecx, esi call sub_16500 test al, al jns short loc_119F6 push 64h call ebp ; KeStallExecutionProcessor mov edx, [esp+18h+var_4] mov eax, [esp+18h+var_8] push edx push eax call ebx ; PcGetTimeInterval test edx, edx ja short loc_119E7 cmp 
eax, 1312D00h jb short loc_119C0 loc_119E7: pop edi pop esi pop ebp mov eax, 0C00000B5h pop ebx add esp, 8 retn 10h loc_119F6: push edi mov ecx, esi call sub_16530 mov edx, [esp+18h+arg_C] mov [esp+20h], ax test dword ptr [esp+20h], 8000h mov cl, al mov [edx], cl jz short loc_11A29 cmp dword ptr [esi+4], 0 jz short loc_11A29 mov eax, [esi] push 1 mov dword ptr [eax+edi+4], 0E0000450h call ebp ; KeStallExecutionProcessor loc_11A29: pop edi pop esi pop ebp xor eax, eax pop ebx add esp, 8 retn 10h sub_118F0 endp align 10h sub_11A40 proc near var_8= dword ptr -8 var_4= dword ptr -4 arg_0= dword ptr 4 arg_4= byte ptr 8 arg_8= word ptr 0Ch arg_C= byte ptr 10h sub esp, 8 push ebx mov ebx, ds:PcGetTimeInterval push ebp push esi push edi push 0 push 0 mov esi, ecx call ebx ; PcGetTimeInterval mov edi, [esp+18h+arg_0] mov ebp, ds:KeStallExecutionProcessor mov [esp+18h+var_8], eax mov [esp+18h+var_4], edx loc_11A67: push edi mov ecx, esi call sub_16500 test al, al jns short loc_11A9D push 64h call ebp ; KeStallExecutionProcessor mov eax, [esp+18h+var_4] mov ecx, [esp+18h+var_8] push eax push ecx call ebx ; PcGetTimeInterval test edx, edx ja short loc_11A8E cmp eax, 1312D00h jb short loc_11A67 loc_11A8E: pop edi pop esi pop ebp mov eax, 0C00000B5h pop ebx add esp, 8 retn 10h loc_11A9D: movzx edx, [esp+18h+arg_4] push edx push edi mov ecx, esi call sub_16410 mov bx, [esp+18h+arg_8] movzx eax, bl push eax push edi mov ecx, esi call sub_16440 movzx ecx, bh push ecx push edi mov ecx, esi call sub_16480 push 1 push edi mov ecx, esi call sub_164C0 cmp dword ptr [esi+4], 0 jz short loc_11B0B mov edx, [esi] push 1 mov dword ptr [edx+edi+4], 0E1000010h call ebp ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_11B0B mov eax, [esi] mov cl, [esp+18h+arg_C] push 1 mov [eax+edi+10h], cl call ebp ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_11B0B mov edx, [esi] push 1 mov byte ptr [edx+edi+4], 90h call ebp ; KeStallExecutionProcessor loc_11B0B: pop edi 
pop esi pop ebp xor eax, eax pop ebx add esp, 8 retn 10h sub_11A40 endp align 10h ; START OF FUNCTION CHUNK FOR sub_111A0 loc_11B20: cmp [esp+arg_0], 0 push esi mov esi, ecx jz short loc_11B4A cmp dword ptr [esi+4], 0 jnz short loc_11B36 loc_11B30: xor eax, eax pop esi retn 8 loc_11B36: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov eax, [eax+184h] pop esi retn 8 loc_11B4A: cmp dword ptr [esi+4], 0 jz short loc_11B30 push 1 call ds:KeStallExecutionProcessor mov ecx, [esi] mov eax, [ecx+180h] pop esi retn 8 ; END OF FUNCTION CHUNK FOR sub_111A0 align 10h ; START OF FUNCTION CHUNK FOR sub_111D0 loc_11B70: push esi mov esi, ecx call sub_16360 mov edx, [esp+4+arg_8] xor ecx, ecx and eax, 0BFFFFFFCh cmp [esp+4+arg_0], ecx setnz cl and edx, 1 and ecx, 1 shl ecx, 1Dh or ecx, edx add ecx, ecx or eax, ecx mov ecx, [esp+4+arg_4] and ecx, 1 or eax, ecx mov ecx, [esp+4+arg_C] cmp ecx, 7D00h jg short loc_11BF8 jz short loc_11BEC cmp ecx, 3E80h jz short loc_11BE0 cmp ecx, 5622h jz short loc_11BD4 cmp ecx, 5DC0h jnz short loc_11C28 and eax, 0FFFF6FFFh or eax, 6000h jmp short loc_11C2D loc_11BD4: and eax, 0FFFF4FFFh or eax, 4000h jmp short loc_11C2D loc_11BE0: and eax, 0FFFF7FFFh or eax, 7000h jmp short loc_11C2D loc_11BEC: and eax, 0FFFF3FFFh or eax, 3000h jmp short loc_11C2D loc_11BF8: cmp ecx, 0AC44h jz short loc_11C28 cmp ecx, 0BB80h jz short loc_11C1C cmp ecx, offset loc_17700 jnz short loc_11C28 and eax, 0FFFFAFFFh or eax, 0A000h jmp short loc_11C2D loc_11C1C: and eax, 0FFFF2FFFh or eax, 2000h jmp short loc_11C2D loc_11C28: and eax, 0FFFF0FFFh loc_11C2D: cmp dword ptr [esi+4], 0 jz short loc_11C43 mov edx, [esi] push 1 mov [edx+1A0h], eax call ds:KeStallExecutionProcessor loc_11C43: pop esi retn 10h ; END OF FUNCTION CHUNK FOR sub_111D0 align 10h ; START OF FUNCTION CHUNK FOR sub_111E0 loc_11C50: mov eax, [esp+arg_0] cmp eax, 3 ; switch 4 cases ja short locret_11CAC ; default jmp ds:off_11CB0[eax*4] ; switch jump loc_11C60: ; case 0x0 mov ecx, [ecx+508h] mov 
[esp+arg_0], 0 jmp loc_16710 loc_11C73: ; case 0x1 mov ecx, [ecx+50Ch] mov [esp+arg_0], 0 jmp loc_16710 loc_11C86: ; case 0x2 mov ecx, [ecx+508h] mov [esp+arg_0], 1 jmp loc_16710 loc_11C99: ; case 0x3 mov ecx, [ecx+50Ch] mov [esp+arg_0], 1 jmp loc_16710 locret_11CAC: ; default retn 14h ; END OF FUNCTION CHUNK FOR sub_111E0 align 10h off_11CB0 dd offset loc_11C60 ; jump table for switch statement dd offset loc_11C73 dd offset loc_11C86 dd offset loc_11C99 ; START OF FUNCTION CHUNK FOR sub_112A0 loc_11CC0: mov ecx, [ecx+508h] jmp loc_16950 ; END OF FUNCTION CHUNK FOR sub_112A0 align 10h ; START OF FUNCTION CHUNK FOR sub_112B0 loc_11CD0: mov ecx, [ecx+50Ch] jmp loc_16950 ; END OF FUNCTION CHUNK FOR sub_112B0 align 10h sub_11CE0 proc near arg_0= dword ptr 10h push ebx push esi push edi mov esi, ecx xor edi, edi call sub_16590 mov ecx, esi mov bl, al call sub_162A0 mov ecx, [esp+arg_0] cmp ecx, 3 ; switch 4 cases ja short loc_11D0A ; default jmp ds:off_11D5C[ecx*4] ; switch jump loc_11D05: ; case 0x0 xor edi, edi loc_11D07: and bl, 0DFh loc_11D0A: ; default and al, 0DFh loc_11D0C: cmp dword ptr [esi+4], 0 jz short loc_11D22 mov ecx, [esi] push 1 mov [ecx+189h], al call ds:KeStallExecutionProcessor loc_11D22: movzx edx, bl push edx mov ecx, esi call sub_165B0 mov ecx, [esi+508h] push edi call sub_169E0 pop edi pop esi pop ebx retn 4 loc_11D3F: ; case 0x1 mov edi, 1 jmp short loc_11D07 loc_11D46: ; case 0x2 mov edi, 1 or bl, 20h jmp short loc_11D0A ; default loc_11D50: ; case 0x3 xor edi, edi and bl, 0DFh or al, 20h jmp short loc_11D0C sub_11CE0 endp align 4 off_11D5C dd offset loc_11D05 ; jump table for switch statement dd offset loc_11D3F dd offset loc_11D46 dd offset loc_11D50 align 10h ; START OF FUNCTION CHUNK FOR sub_112F0 loc_11D70: push esi push edi mov edi, ecx xor esi, esi call sub_16590 mov ecx, [esp+8+arg_0] sub ecx, esi jz short loc_11D9B sub ecx, 1 jz short loc_11D94 sub ecx, 1 jnz short loc_11D9F lea esi, [ecx+1] or al, 40h jmp short loc_11D9F loc_11D94: 
mov esi, 1 jmp short loc_11D9D loc_11D9B: xor esi, esi loc_11D9D: and al, 0BFh loc_11D9F: movzx eax, al push eax mov ecx, edi call sub_165B0 mov ecx, [edi+50Ch] push esi call sub_169E0 pop edi pop esi retn 4 ; END OF FUNCTION CHUNK FOR sub_112F0 align 10h ; START OF FUNCTION CHUNK FOR sub_11320 loc_11DC0: mov ecx, [ecx+508h] jmp loc_16990 ; END OF FUNCTION CHUNK FOR sub_11320 align 10h ; START OF FUNCTION CHUNK FOR sub_11330 loc_11DD0: mov ecx, [ecx+50Ch] jmp loc_16990 ; END OF FUNCTION CHUNK FOR sub_11330 align 10h sub_11DE0 proc near arg_0= word ptr 4 arg_4= word ptr 8 arg_8= dword ptr 0Ch mov ax, [esp+arg_0] cmp ax, 2 jnb short locret_11E05 mov edx, [esp+arg_8] push edx movzx edx, [esp+4+arg_4] movzx eax, ax mov ecx, [ecx+eax*4+508h] push edx call sub_16680 locret_11E05: retn 0Ch sub_11DE0 endp align 10h sub_11E10 proc near arg_0= word ptr 4 arg_4= word ptr 8 mov dx, [esp+arg_0] xor eax, eax cmp dx, 2 jnb short locret_11E35 movzx eax, [esp+arg_4] movzx edx, dx mov ecx, [ecx+edx*4+508h] push eax call sub_166C0 movzx eax, ax locret_11E35: retn 8 sub_11E10 endp align 10h ; START OF FUNCTION CHUNK FOR sub_113D0 loc_11E40: push esi mov esi, ecx call sub_16590 and al, 7Fh cmp [esp+4+arg_0], 0 setnz cl shl cl, 7 or al, cl movzx edx, al push edx mov ecx, esi call sub_165B0 pop esi retn 4 ; END OF FUNCTION CHUNK FOR sub_113D0 align 10h sub_11E70 proc near arg_0= dword ptr 8 arg_4= dword ptr 0Ch push esi mov esi, [esp+arg_0] test esi, esi jz short loc_11EB4 mov edx, [esp+arg_4] push edi lea eax, [edx+100h] and eax, 0FFFFFF00h mov edi, eax sub edi, edx add edi, esi cmp dword ptr [ecx+4], 0 mov [ecx+558h], edi mov [ecx+55Ch], eax pop edi jz short loc_11EB4 mov ecx, [ecx] add eax, 500h push 1 mov [ecx+70h], eax call ds:KeStallExecutionProcessor loc_11EB4: pop esi retn 8 sub_11E70 endp align 10h sub_11EC0 proc near var_8= dword ptr -8 var_4= dword ptr -4 arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch sub esp, 8 push ebx mov ebx, [esp+0Ch+arg_0] push ebp lea ebp, 
[ebx-80h] cmp ebp, 60h push esi mov esi, ecx mov [esp+14h+arg_0], ebp ja loc_12090 movzx eax, ss:byte_120A4[ebp] jmp ds:off_1209C[eax*4] loc_11EEA: cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_11F04 mov ecx, [esi] push 1 mov dword ptr [ebx+ecx], 0FF000000h call edi ; KeStallExecutionProcessor loc_11F04: movzx edx, ss:byte_1211C[ebp] jmp ds:off_12108[edx*4] loc_11F12: push 2 push 192h jmp short loc_11F34 loc_11F1B: push 2 push 196h jmp short loc_11F34 loc_11F24: push 2 push 19Ah jmp short loc_11F34 loc_11F2D: push 2 push 19Eh loc_11F34: mov ecx, esi call sub_11580 cmp dword ptr [esi+4], 0 jz short loc_11F4B mov eax, [esi] push 1 mov byte ptr [ebx+eax], 1 call edi ; KeStallExecutionProcessor loc_11F4B: mov ebp, ds:PcGetTimeInterval push 0 push 0 call ebp ; PcGetTimeInterval mov [esp+18h+var_8], eax mov [esp+18h+var_4], edx nop loc_11F60: push ebx mov ecx, esi call sub_161F0 test al, 1 jnz short loc_11F87 push 64h call edi ; KeStallExecutionProcessor mov ecx, [esp+18h+var_4] mov edx, [esp+18h+var_8] push ecx push edx call ebp ; PcGetTimeInterval test edx, edx ja short loc_11F87 cmp eax, 1312D00h jb short loc_11F60 loc_11F87: cmp dword ptr [esi+4], 0 jz short loc_11FBF mov eax, [esi] push 1 mov byte ptr [ebx+eax], 0 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_11FBF mov ecx, [esi] mov edx, [esp+18h+arg_4] push 1 mov [ecx+ebx+18h], edx call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_11FBF mov eax, [esi] push 1 mov dword ptr [eax+ebx+1Ch], 0 call edi ; KeStallExecutionProcessor loc_11FBF: mov ecx, [esp+18h+arg_0] movzx edx, ds:byte_1218C[ecx] jmp ds:off_12180[edx*4] loc_11FD1: push 77h lea eax, [ebx+10h] push eax jmp short loc_11FE2 loc_11FD9: push 0BFh lea ecx, [ebx+10h] push ecx loc_11FE2: mov ecx, esi call sub_115A0 loc_11FE9: cmp dword ptr [esi+4], 0 jz short loc_12011 mov edx, [esi] push 1 mov word ptr [edx+ebx+0Eh], 4 call edi ; KeStallExecutionProcessor cmp dword ptr 
[esi+4], 0 jz short loc_12011 mov eax, [esi] push 1 mov byte ptr [eax+ebx+0Ch], 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 loc_12011: mov ebp, [esp+18h+arg_8] jz short loc_12025 mov edx, [esi] lea ecx, [ebp+ebp+0] push 1 mov [edx+ebx+8], ecx call edi ; KeStallExecutionProcessor loc_12025: mov ecx, [esp+18h+arg_0] movzx edx, ds:byte_12204[ecx] shr ebp, 3 movzx eax, bp jmp ds:off_121F0[edx*4] loc_1203D: push eax push 190h mov ecx, esi call sub_115A0 pop edi pop esi pop ebp pop ebx add esp, 8 retn 0Ch loc_12054: push eax push 194h mov ecx, esi call sub_115A0 pop edi pop esi pop ebp pop ebx add esp, 8 retn 0Ch loc_1206B: push eax push 198h mov ecx, esi call sub_115A0 pop edi pop esi pop ebp pop ebx add esp, 8 retn 0Ch loc_12082: push eax push 19Ch mov ecx, esi call sub_115A0 loc_1208F: pop edi loc_12090: pop esi pop ebp pop ebx add esp, 8 retn 0Ch sub_11EC0 endp align 4 off_1209C dd offset loc_11EEA dd offset loc_12090 byte_120A4 db 0 db 3 dup(1) dd 7 dup(1010101h), 1010100h, 7 dup(1010101h) dd 1010100h, 7 dup(1010101h), 498D00h off_12108 dd offset loc_11F12 dd offset loc_11F1B dd offset loc_11F24 dd offset loc_11F2D dd offset loc_1208F byte_1211C db 0 db 3 dup(4) dd 7 dup(4040404h), 4040401h, 7 dup(4040404h) dd 4040402h, 7 dup(4040404h), 498D03h off_12180 dd offset loc_11FD1 dd offset loc_11FD9 dd offset loc_11FE9 byte_1218C db 0 db 3 dup(2) dd 7 dup(2020202h), 2020200h, 7 dup(2020202h) dd 2020201h, 7 dup(2020202h), 498D01h off_121F0 dd offset loc_1203D dd offset loc_12054 dd offset loc_1206B dd offset loc_12082 dd offset loc_1208F byte_12204 db 0 db 3 dup(4) dd 7 dup(4040404h), 4040401h, 7 dup(4040404h) dd 4040402h, 7 dup(4040404h), 0CCCCCC03h dd 2 dup(0CCCCCCCCh) sub_12270 proc near arg_0= dword ptr 8 push ebx mov ebx, [esp+arg_0] push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_12290 mov eax, [esi] push 1 mov byte ptr [eax+ebx+3], 0FFh call edi ; KeStallExecutionProcessor loc_12290: lea 
eax, [ebx-80h] cmp eax, 60h ja loc_12326 movzx ecx, ds:byte_12340[eax] jmp ds:off_1232C[ecx*4] loc_122AA: cmp dword ptr [esi+4], 0 jz short loc_1230A mov edx, [esi] mov byte ptr [edx+192h], 3 jmp short loc_12306 loc_122BB: cmp dword ptr [esi+4], 0 jz short loc_1230A mov eax, [esi] mov byte ptr [eax+196h], 3 jmp short loc_12306 loc_122CC: cmp dword ptr [esi+564h], 0 jnz short loc_122E6 cmp dword ptr [esi+4], 0 jz short loc_1230A mov ecx, [esi] mov byte ptr [ecx+19Ah], 7 jmp short loc_12306 loc_122E6: cmp dword ptr [esi+4], 0 jz short loc_1230A mov edx, [esi] mov byte ptr [edx+19Ah], 3 jmp short loc_12306 loc_122F7: cmp dword ptr [esi+4], 0 jz short loc_1230A mov eax, [esi] mov byte ptr [eax+19Eh], 3 loc_12306: push 1 call edi ; KeStallExecutionProcessor loc_1230A: push ebx mov ecx, esi call sub_161F0 test al, 2 jnz short loc_12326 cmp dword ptr [esi+4], 0 jz short loc_12326 mov ecx, [esi] push 1 mov byte ptr [ebx+ecx], 2 call edi ; KeStallExecutionProcessor loc_12326: pop edi pop esi pop ebx retn 4 sub_12270 endp off_1232C dd offset loc_122AA dd offset loc_122BB dd offset loc_122CC dd offset loc_122F7 dd offset loc_12326 byte_12340 db 0 db 3 dup(4) dd 7 dup(4040404h), 4040401h, 7 dup(4040404h) dd 4040402h, 7 dup(4040404h), 0CCCCCC03h dd 3 dup(0CCCCCCCCh) sub_123B0 proc near arg_0= dword ptr 4 mov edx, [esp+arg_0] lea eax, [edx-80h] cmp eax, 60h ja short locret_123FA movzx eax, ds:byte_12414[eax] jmp ds:off_12400[eax*4] loc_123CA: xor eax, eax jmp short loc_123E1 loc_123CE: mov eax, 1 jmp short loc_123E1 loc_123D5: mov eax, 2 jmp short loc_123E1 loc_123DC: mov eax, 3 loc_123E1: push esi mov esi, [ecx+560h] shl eax, 8 add eax, [ecx+55Ch] push esi push eax push edx call sub_11EC0 pop esi locret_123FA: retn 4 sub_123B0 endp align 10h off_12400 dd offset loc_123CA dd offset loc_123CE dd offset loc_123D5 dd offset loc_123DC dd offset locret_123FA byte_12414 db 0 db 3 dup(4) dd 7 dup(4040404h), 4040401h, 7 dup(4040404h) dd 4040402h, 7 dup(4040404h), 0CCCCCC03h dd 2 
dup(0CCCCCCCCh)
; START OF FUNCTION CHUNK FOR sub_11470
; Chunk of sub_11470 (entry elsewhere). Picks a channel key from the two
; stack args and calls sub_16500(this = ecx untouched, key); returns its eax.
;   arg_0 != 0: 80h when arg_4 is 0 or 1, else 0A0h
;   arg_0 == 0: 0C0h when arg_4 is 0 or 1, else 0E0h
loc_12480: cmp [esp+arg_0], 0 mov eax, [esp+arg_4] jz short loc_124AE test eax, eax jz short loc_124A1 cmp eax, 1 jz short loc_124A1 push 0A0h call sub_16500 retn 8
loc_124A1: push 80h call sub_16500 retn 8
loc_124AE: test eax, eax jz short loc_124C4 cmp eax, 1 jz short loc_124C4 push 0E0h call sub_16500 retn 8
loc_124C4: push 0C0h call sub_16500 retn 8
; END OF FUNCTION CHUNK FOR sub_11470
align 10h
;-----------------------------------------------------------------------
; sub_124E0(this = ecx)      returns eax = event mask accumulated in ebp
; ebx = sub_16600(this) (raw status word; saved in var_4 and reloaded
; after every sub-block, because each sub-block clobbers bl).
; If (ebx & 1) == 0 and (bl & 0Eh) == 0 the per-channel blocks are skipped
; (jz loc_12673); the bit-16-and-up handling still runs.
; Per-channel blocks (status bits 0..3 -> keys 80h/0A0h/0C0h/0E0h):
;   bl = sub_16220(this, key); eax = sub_162E0|16300|16320|16340(this)
;   if eax & 20000h ("offset dword_20000" is IDA's rendering of that
;   immediate): byte [base+192h|196h|19Ah|19Eh] = eax >> 16
;   if bl & 4: byte [base+key+3] = bl
;   result bits: 100h / 200h / 300h / 2 respectively (as disassembled).
; Bit 16: bl = byte [base+404h] (after a stall); if bl & 0Fh write bl|0Fh
;   back; bl&2 -> 20000h (40000h when [this+564h] != 0); bl&1 -> 10000h.
; Bits 0FF00h: al = sub_165E0(this); if al != 0: byte [base+484h] = al.
; Bits 100000h/200000h/40000h/80000h, bl&40h, bl&80h: read the byte at
;   [base+435h|455h|467h|4C7h|1CDh|4A1h] and, if non-zero, write the same
;   value back (looks like write-to-acknowledge — inferred, confirm).
; Every access through [this] is guarded by [this+4] != 0 and every write
; is followed by KeStallExecutionProcessor(1).
;-----------------------------------------------------------------------
sub_124E0 proc near
var_4= dword ptr -4
push ecx push ebx push ebp push esi push edi mov esi, ecx xor ebp, ebp call sub_16600 mov edi, ds:KeStallExecutionProcessor mov ebx, eax and eax, 1 mov [esp+14h+var_4], ebx jnz short loc_12508 test bl, 0Eh jz loc_12673
loc_12508: test eax, eax jz short loc_12562 push 80h mov ecx, esi call sub_16220 mov ecx, esi mov bl, al call sub_162E0 test eax, offset dword_20000 jz short loc_12541 cmp [esi+4], ebp jz short loc_1253C mov ecx, [esi] shr eax, 10h push 1 mov [ecx+192h], al call edi ; KeStallExecutionProcessor
loc_1253C: mov ebp, 100h
loc_12541: test bl, 4 jz short loc_1255E cmp dword ptr [esi+4], 0 jz short loc_12558 mov edx, [esi] push 1 mov [edx+83h], bl call edi ; KeStallExecutionProcessor
loc_12558: or ebp, 100h
loc_1255E: mov ebx, [esp+14h+var_4]
loc_12562: test bl, 2 jz short loc_125BF push 0A0h mov ecx, esi call sub_16220 mov ecx, esi mov bl, al call sub_16300 test eax, offset dword_20000 jz short loc_1259E cmp dword ptr [esi+4], 0 jz short loc_12598 mov ecx, [esi] shr eax, 10h push 1 mov [ecx+196h], al call edi ; KeStallExecutionProcessor
loc_12598: or ebp, 200h
loc_1259E: test bl, 4 jz short loc_125BB cmp dword ptr [esi+4], 0 jz short loc_125B5 mov edx, [esi] push 1 mov [edx+0A3h], bl call edi ; KeStallExecutionProcessor
loc_125B5: or ebp, 200h
loc_125BB: mov ebx, [esp+14h+var_4]
loc_125BF: test bl, 4 jz short loc_1261C push 0C0h mov ecx, esi call sub_16220 mov ecx, esi mov bl, al call sub_16320 test eax, offset dword_20000 jz short loc_125FB cmp dword ptr [esi+4], 0 jz short loc_125F5 mov ecx, [esi] shr eax, 10h push 1 mov [ecx+19Ah], al call edi ; KeStallExecutionProcessor
loc_125F5: or ebp, 300h
loc_125FB: test bl, 4 jz short loc_12618 cmp dword ptr [esi+4], 0 jz short loc_12612 mov edx, [esi] push 1 mov [edx+0C3h], bl call edi ; KeStallExecutionProcessor
loc_12612: or ebp, 300h
loc_12618: mov ebx, [esp+14h+var_4]
loc_1261C: test bl, 8 jz short loc_12673 push 0E0h mov ecx, esi call sub_16220 mov ecx, esi mov bl, al call sub_16340 test eax, offset dword_20000 jz short loc_12655 cmp dword ptr [esi+4], 0 jz short loc_12652 mov ecx, [esi] shr eax, 10h push 1 mov [ecx+19Eh], al call edi ; KeStallExecutionProcessor
loc_12652: or ebp, 2
loc_12655: test bl, 4 jz short loc_1266F cmp dword ptr [esi+4], 0 jz short loc_1266C mov edx, [esi] push 1 mov [edx+0E3h], bl call edi ; KeStallExecutionProcessor
loc_1266C: or ebp, 2
loc_1266F: mov ebx, [esp+14h+var_4]
; bit 16: when [this+4] == 0 bl is forced to 0 so the whole block is a no-op
loc_12673: test ebx, 10000h jz short loc_126D8 cmp dword ptr [esi+4], 0 jnz short loc_12685 xor bl, bl jmp short loc_12691
loc_12685: push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov bl, [eax+404h]
loc_12691: test bl, 0Fh jz short loc_126D4 cmp dword ptr [esi+4], 0 jz short loc_126AD mov edx, [esi] mov cl, bl or cl, 0Fh push 1 mov [edx+404h], cl call edi ; KeStallExecutionProcessor
loc_126AD: test bl, 2 jz short loc_126C9 cmp dword ptr [esi+564h], 0 jnz short loc_126C3 or ebp, offset dword_20000 jmp short loc_126C9
loc_126C3: or ebp, 40000h
loc_126C9: test bl, 1 jz short loc_126D4 or ebp, 10000h
loc_126D4: mov ebx, [esp+14h+var_4]
loc_126D8: test ebx, 0FF00h jz short loc_126FD mov ecx, esi call sub_165E0 test al, al jz short loc_126FD cmp dword ptr [esi+4], 0 jz short loc_126FD mov ecx, [esi] push 1 mov [ecx+484h], al call edi ; KeStallExecutionProcessor
; read-then-write-back blocks: [this+4] is re-checked between the read and the write
loc_126FD: test ebx, 100000h jz short loc_1272B cmp dword ptr [esi+4], 0 jz short loc_1272B push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov cl, [eax+435h] test cl, cl jz short loc_1272B cmp dword ptr [esi+4], 0 jz short loc_1272B push 1 mov [eax+435h], cl call edi ; KeStallExecutionProcessor
loc_1272B: test ebx, 200000h jz short loc_12759 cmp dword ptr [esi+4], 0 jz short loc_12759 push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov cl, [eax+455h] test cl, cl jz short loc_12759 cmp dword ptr [esi+4], 0 jz short loc_12759 push 1 mov [eax+455h], cl call edi ; KeStallExecutionProcessor
loc_12759: test ebx, 40000h jz short loc_12787 cmp dword ptr [esi+4], 0 jz short loc_12787 push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov cl, [eax+467h] test cl, cl jz short loc_12787 cmp dword ptr [esi+4], 0 jz short loc_12787 push 1 mov [eax+467h], cl call edi ; KeStallExecutionProcessor
loc_12787: test ebx, 80000h jz short loc_127B5 cmp dword ptr [esi+4], 0 jz short loc_127B5 push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov cl, [eax+4C7h] test cl, cl jz short loc_127B5 cmp dword ptr [esi+4], 0 jz short loc_127B5 push 1 mov [eax+4C7h], cl call edi ; KeStallExecutionProcessor
loc_127B5: test bl, 40h jz short loc_127E0 cmp dword ptr [esi+4], 0 jz short loc_127E0 push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov cl, [eax+1CDh] test cl, cl jz short loc_127E0 cmp dword ptr [esi+4], 0 jz short loc_127E0 push 1 mov [eax+1CDh], cl call edi ; KeStallExecutionProcessor
; "test bl,bl / jns" = skip unless bit 7 of bl is set
loc_127E0: test bl, bl jns short loc_1280A cmp dword ptr [esi+4], 0 jz short loc_1280A push 1 call edi ; KeStallExecutionProcessor
mov eax, [esi] mov cl, [eax+4A1h] test cl, cl jz short loc_1280A cmp dword ptr [esi+4], 0 jz short loc_1280A push 1 mov [eax+4A1h], cl call edi ; KeStallExecutionProcessor
; final "pop ecx" discards the var_4 slot created by the entry "push ecx"
loc_1280A: pop edi pop esi mov eax, ebp pop ebp pop ebx pop ecx retn
sub_124E0 endp
align 10h
;-----------------------------------------------------------------------
; sub_12820(this = ecx, rate)      stdcall, retn 4; eax = NTSTATUS
; rate (edi) is compared against 1F40h/2B11h/3E80h/5622h/5DC0h/7D00h/
; 0AC44h/0BB80h/15888h/17700h, i.e. 8000, 11025, 16000, 22050, 24000,
; 32000, 44100, 48000, 88200, 96000. IDA prints the last two as
; "offset loc_15888" / "offset loc_17700": they appear to be immediates
; that coincide with code addresses, not references to those labels.
; Unknown rate -> loc_128EA: eax = 0C00000BBh (STATUS_NOT_SUPPORTED),
; nothing written.
; Known rate: a 16-bit code is stored into the low word of the arg_0
; slot; bl = sub_16590(this) & 0FAh, with "or bl,5" for 88200/96000
; (loc_128FC). Then bp = (code & 0FFB1h) | 31h is written to [base+92h],
; [base+0B2h], [base+0D2h], [base+0F2h] (each guarded by [this+4] != 0 and
; followed by KeStallExecutionProcessor(1)); sub_165B0(this, bl);
; al = sub_162C0(this): if al & 0Fh, byte [base+18Ah] = al & 0F0h;
; eax = sub_16360(this) with bits 12..15 replaced by a per-rate nibble
; (44100 -> 0, 48000 -> 2, 32000 -> 3, 22050 -> 4, 11025 -> 5, 24000 -> 6,
; 16000 -> 7, 8000 -> 9, 88200/96000 -> 0Ah) is written to [base+1A0h].
; Returns 0.
;-----------------------------------------------------------------------
sub_12820 proc near
arg_0= dword ptr 10h
push ebx push esi push edi mov esi, ecx call sub_16590 mov edi, [esp+arg_0] mov bl, al and bl, 0FAh cmp edi, 7D00h jg short loc_128AA jz short loc_128A1 cmp edi, 3E80h jg short loc_1287F jz short loc_12873 cmp edi, 1F40h jz short loc_12867 cmp
edi, 2B11h jnz loc_128EA mov word ptr [esp+arg_0], 4300h jmp loc_128FF
loc_12867: mov word ptr [esp+arg_0], 500h jmp loc_128FF
loc_12873: mov word ptr [esp+arg_0], 200h jmp loc_128FF
loc_1287F: cmp edi, 5622h jz short loc_12898 cmp edi, 5DC0h jnz short loc_128EA mov word ptr [esp+arg_0], 100h jmp short loc_128FF
loc_12898: mov word ptr [esp+arg_0], 4100h jmp short loc_128FF
loc_128A1: mov word ptr [esp+arg_0], 0A00h jmp short loc_128FF
; "offset loc_15888" / "offset loc_17700" below: immediates 15888h (88200) and
; 17700h (96000) that IDA mis-resolved to code labels (see the rate list above)
loc_128AA: cmp edi, offset loc_15888 jg short loc_128E2 jz short loc_128D9 cmp edi, 0AC44h jz short loc_128D0 cmp edi, 0BB80h jnz short loc_128EA mov word ptr [esp+arg_0], 0 and bl, 0FAh jmp short loc_128FF
loc_128D0: mov word ptr [esp+arg_0], 4000h jmp short loc_128FF
loc_128D9: mov word ptr [esp+arg_0], 4800h jmp short loc_128FC
loc_128E2: cmp edi, offset loc_17700 jz short loc_128F5
; unsupported rate: STATUS_NOT_SUPPORTED, no hardware access
loc_128EA: pop edi pop esi mov eax, 0C00000BBh pop ebx retn 4
loc_128F5: mov word ptr [esp+arg_0], 800h
loc_128FC: or bl, 5
; bp = (code & 0FFB1h) | 31h, replicated to the four per-channel words
loc_128FF: push ebp mov ebp, [esp+4+arg_0] and ebp, 0FFB1h or ebp, 31h cmp dword ptr [esi+4], 0 jz short loc_1296D mov eax, [esi] push 1 mov [eax+92h], bp call ds:KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_1296D mov ecx, [esi] push 1 mov [ecx+0B2h], bp call ds:KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_1296D mov edx, [esi] push 1 mov [edx+0D2h], bp call ds:KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_1296D mov eax, [esi] mov [eax+0F2h], bp mov ebp, ds:KeStallExecutionProcessor push 1 call ebp ; KeStallExecutionProcessor
jmp short loc_12973
loc_1296D: mov ebp, ds:KeStallExecutionProcessor
loc_12973: movzx ecx, bl push ecx mov ecx, esi call sub_165B0 mov ecx, esi call sub_162C0 test al, 0Fh jz short loc_1299D cmp dword ptr [esi+4], 0 jz short loc_1299D mov edx, [esi] and al, 0F0h push 1 mov [edx+18Ah], al call ebp ; KeStallExecutionProcessor
; second rate switch: replace bits 12..15 of sub_16360's result
loc_1299D: mov ecx, esi call sub_16360 cmp edi, 7D00h jg short loc_12A27 jz short loc_12A1B cmp edi, 3E80h jg short loc_129F3 jz short loc_129E7 cmp edi, 1F40h jz short loc_129DB cmp edi, 2B11h jnz loc_12A66 and eax, 0FFFF5FFFh or eax, 5000h jmp loc_12A66
loc_129DB: and eax, 0FFFF9FFFh or eax, 9000h jmp short loc_12A66
loc_129E7: and eax, 0FFFF7FFFh or eax, 7000h jmp short loc_12A66
loc_129F3: cmp edi, 5622h jz short loc_12A0F cmp edi, 5DC0h jnz short loc_12A66 and eax, 0FFFF6FFFh or eax, 6000h jmp short loc_12A66
loc_12A0F: and eax, 0FFFF4FFFh or eax, 4000h jmp short loc_12A66
loc_12A1B: and eax, 0FFFF3FFFh or eax, 3000h jmp short loc_12A66
loc_12A27: cmp edi, offset loc_15888 jg short loc_12A54 jz short loc_12A5C cmp edi, 0AC44h jz short loc_12A4D cmp edi, 0BB80h jnz short loc_12A66 and eax, 0FFFF2FFFh or eax, 2000h jmp short loc_12A66
loc_12A4D: and eax, 0FFFF0FFFh jmp short loc_12A66
loc_12A54: cmp edi, offset loc_17700 jnz short loc_12A66
loc_12A5C: and eax, 0FFFFAFFFh or eax, 0A000h
loc_12A66: cmp dword ptr [esi+4], 0 jz short loc_12A78 mov ecx, [esi] push 1 mov [ecx+1A0h], eax call ebp ; KeStall-ExecutionProcessor
loc_12A78: pop ebp pop edi pop esi xor eax, eax pop ebx retn 4
sub_12820 endp
align 10h
;-----------------------------------------------------------------------
; sub_12A90(this = ecx)
; Frees the two objects at [this+508h] and [this+50Ch]: loop of 2 over
; edi = this+508h (step 4); for a non-null p: sub_16670(this = p)
; (presumably its teardown — confirm), ExFreePool(p), slot = 0.
; Then restores ecx = this and jumps to loc_16140 (function chunk at
; .text:00016140, outside this excerpt). "lea ebx,[ebx+0]" is loop padding.
;-----------------------------------------------------------------------
sub_12A90 proc near
var_4= dword ptr -4
; FUNCTION CHUNK AT .text:00016140 SIZE 0000000F BYTES
push ecx push ebx push ebp mov ebp, ds:ExFreePool push esi push edi mov [esp+14h+var_4], ecx lea edi, [ecx+508h] mov ebx, 2 lea ebx, [ebx+0]
loc_12AB0: mov esi, [edi] test esi, esi jz short loc_12AC6 mov ecx, esi call sub_16670 push esi call ebp ; ExFreePool
mov dword ptr [edi], 0
loc_12AC6: add edi, 4 sub ebx, 1 jnz short loc_12AB0 mov ecx, [esp+14h+var_4] pop edi pop esi pop ebp pop ebx add esp, 4 jmp loc_16140
sub_12A90 endp
align 10h
;-----------------------------------------------------------------------
; loc_12AE0(a0, a1, a2, ctx)      stdcall, retn 10h
; Write callback registered by sub_13280 ("push offset loc_12AE0").
; ctx == 0 -> al = 1. Otherwise sub_11A40(this = ctx, 4C0h, a0, a1, a2);
; al = 1 when its eax >= 0, al = 0 when negative.
;-----------------------------------------------------------------------
loc_12AE0: mov ecx, [esp+10h] test ecx, ecx jz short loc_12B0A mov eax, [esp+0Ch] mov edx, [esp+8] push eax mov eax, [esp+8] push edx push eax push 4C0h call sub_11A40 test eax, eax jge short loc_12B0A xor al, al retn 10h
loc_12B0A: mov al, 1 retn 10h
align 10h
;-----------------------------------------------------------------------
; loc_12B10(a0, a1, a2, ctx)      stdcall, retn 10h
; Read callback registered by sub_13280 ("push offset loc_12B10").
; ctx == 0 -> al = low byte of ctx (0). Otherwise
; sub_118F0(this = ctx, 4C0h, a0, a1, &slot) where slot is the ctx
; argument slot itself, reused as the output byte; a2 is unused.
; al = the byte left in that slot, or 0 when sub_118F0 returned < 0.
;-----------------------------------------------------------------------
loc_12B10: mov ecx, [esp+10h] test ecx, ecx jz short loc_12B3A mov edx, [esp+8] lea eax, [esp+10h] push
eax mov eax, [esp+8] push edx push eax push 4C0h call sub_118F0 test eax, eax jge short loc_12B3A xor al, al retn 10h
loc_12B3A: mov al, [esp+10h] retn 10h
align 10h
;-----------------------------------------------------------------------
; sub_12B50(this = ecx, arg_0)      retn 4; al = byte read
; var_1 = 0; sub_118F0(this, 460h, 0A0h, arg_0, &var_1); return var_1.
;-----------------------------------------------------------------------
sub_12B50 proc near
var_1= byte ptr -1
arg_0= dword ptr 4
push ecx mov edx, [esp+4+arg_0] lea eax, [esp+3] push eax push edx push 0A0h push 460h mov [esp+14h+var_1], 0 call sub_118F0 mov al, [esp+4+var_1] pop ecx retn 4
sub_12B50 endp
align 10h
;-----------------------------------------------------------------------
; sub_12B80(this = ecx)      no stack args
; sub_16560(this, 0FFh); sub_165B0(this, 8Ah); KeStallExecutionProcessor(1000).
; Then 5 passes (ebp) x 2 (bl = 0, 1) over an unrolled list of 25
; sub_11A40(this, 4C0h, sel, idx, val) calls, sel = 34h when bl == 0 and
; 36h when bl != 0 (the jnz after "test bl,bl" is what picks it; the
; intervening push/mov do not touch flags), each followed by
; KeStallExecutionProcessor(2); KeStallExecutionProcessor(1000) after each
; pass; finally sub_165B0(this, 0Ah). Looks like a register-init table for
; two devices (34h/36h) — inferred, confirm. "mov edi,edi" is padding.
;-----------------------------------------------------------------------
sub_12B80 proc near
push ebx push ebp push esi push edi push 0FFh mov esi, ecx call sub_16560 push 8Ah mov ecx, esi call sub_165B0 mov edi, ds:KeStallExecutionProcessor push 3E8h call edi ; KeStallExecutionProcessor
mov ebp, 5 mov edi, edi
loc_12BB0: xor ebx, ebx
loc_12BB2: test bl, bl push 0F9h mov ecx, esi push 1 jnz short loc_12BC3 push 34h jmp short loc_12BC5
loc_12BC3: push 36h
loc_12BC5: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0F9h mov ecx, esi push 3 jnz short loc_12BE4 push 34h jmp short loc_12BE6
loc_12BE4: push 36h
loc_12BE6: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 80h mov ecx, esi push 5 jnz short loc_12C05 push 34h jmp short loc_12C07
loc_12C05: push 36h
loc_12C07: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 7 jnz short loc_12C23 push 34h jmp short loc_12C25
loc_12C23: push 36h
loc_12C25: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 9 jnz short loc_12C41 push 34h jmp short loc_12C43
loc_12C41: push 36h
loc_12C43: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0FFh mov ecx, esi push 0Bh jnz short loc_12C62 push 34h jmp short loc_12C64
loc_12C62: push 36h
loc_12C64: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 0Ch jnz short loc_12C80 push 34h jmp short loc_12C82
loc_12C80: push 36h
loc_12C82: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 95h mov ecx, esi push 0Eh jnz short loc_12CA1 push 34h jmp short loc_12CA3
loc_12CA1: push 36h
loc_12CA3: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 10h jnz short loc_12CBF push 34h jmp short loc_12CC1
loc_12CBF: push 36h
loc_12CC1: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 12h jnz short loc_12CDD push 34h jmp short loc_12CDF
loc_12CDD: push 36h
loc_12CDF: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 22h mov ecx, esi push 14h jnz short loc_12CFB push 34h jmp short loc_12CFD
loc_12CFB: push 36h
loc_12CFD: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 22h mov ecx, esi push 16h jnz short loc_12D19 push 34h jmp short loc_12D1B
loc_12D19: push 36h
loc_12D1B: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 22h mov ecx, esi push 18h jnz short loc_12D37 push 34h jmp short loc_12D39
loc_12D37: push 36h
loc_12D39: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 1Ah jnz short loc_12D55 push 34h jmp short loc_12D57
loc_12D55: push 36h
loc_12D57: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0CFh mov ecx, esi push 1Dh jnz short loc_12D76 push 34h jmp short loc_12D78
loc_12D76: push 36h
loc_12D78: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0CFh mov ecx, esi push 1Fh jnz short loc_12D97 push 34h jmp short loc_12D99
loc_12D97: push 36h
loc_12D99: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 7Ah mov ecx, esi push 20h jnz short loc_12DB5 push 34h jmp short loc_12DB7
loc_12DB5: push 36h
loc_12DB7: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 22h jnz short loc_12DD3 push 34h jmp short loc_12DD5
loc_12DD3: push 36h
loc_12DD5: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 32h mov ecx, esi push 24h jnz short loc_12DF1 push 34h jmp short loc_12DF3
loc_12DF1: push 36h
loc_12DF3: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0 mov ecx, esi push 26h jnz short loc_12E0F push 34h jmp short loc_12E11
loc_12E0F: push 36h
loc_12E11: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 0BCh mov ecx, esi push 28h jnz short loc_12E30 push 34h jmp short loc_12E32
loc_12E30: push 36h
loc_12E32: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 2 mov ecx, esi push 2Ah jnz short loc_12E4E push 34h jmp short loc_12E50
loc_12E4E: push 36h
loc_12E50: push 4C0h call sub_11A40 push 2 call edi test bl, bl push 1 mov ecx, esi push 2Ch jnz short loc_12E6C push 34h jmp short loc_12E6E
loc_12E6C: push 36h
loc_12E6E: push 4C0h call sub_11A40 push 2 call edi add ebx, 1 cmp ebx, 2 jl loc_12BB2 push 3E8h call edi sub ebp, 1 jnz loc_12BB0 push 0Ah mov ecx, esi call sub_165B0 pop edi pop esi pop ebp pop ebx retn
sub_12B80 endp
align 10h
; START OF FUNCTION CHUNK FOR sub_11420
; Chunk of sub_11420 (entry elsewhere): this = ecx, four stack args,
; retn 10h. [this+560h] = arg_C >> 1 (call it len).
; (arg_0, arg_4) pick idx/key: (!=0, ==0) -> 0/80h, (!=0, !=0) -> 1/0A0h,
; (==0, ==0) -> 2/0C0h, (==0, !=0) -> 3/0E0h.
; Fills the 8-dword record at [this+558h] + (idx << 8):
;   +0 arg_8, +4 0, +8 len, +0Ch 0, +10h arg_8+len, +14h 0, +18h len, +1Ch 0
; (two (value, 0) pairs describing arg_8..arg_8+len and the following
; len bytes — the zero dwords look like 64-bit high halves; confirm).
; Then sub_11EC0(key, [this+55Ch] + (idx << 8), len) — the same triple
; sub_123B0 passes.
loc_12EB0: mov eax, [esp+arg_C] push ebx push ebp shr eax, 1 xor ebx, ebx cmp [esp+8+arg_0], ebx push esi push edi mov [ecx+560h], eax jz short loc_12EE3 cmp [esp+10h+arg_4], ebx jnz short loc_12ED7 xor eax, eax mov edi, 80h jmp short loc_12EFF
loc_12ED7: mov eax, 1 mov edi, 0A0h jmp short loc_12EFF
loc_12EE3: cmp [esp+10h+arg_4], ebx jnz short loc_12EF5 mov eax, 2 mov edi, 0C0h jmp short loc_12EFF
loc_12EF5: mov eax, 3 mov edi, 0E0h
loc_12EFF: mov edx, [ecx+55Ch] shl eax, 8 mov esi, eax mov eax, [ecx+558h] add eax, esi add edx, esi mov esi, [esp+10h+arg_8] mov [eax], esi mov [eax+4], ebx mov ebp, [ecx+560h] mov [eax+8], ebp mov [eax+0Ch], ebx mov ebp, [ecx+560h] add ebp, esi mov [eax+10h], ebp mov [eax+14h], ebx mov esi, [ecx+560h] mov [eax+18h], esi mov [eax+1Ch], ebx mov eax, [ecx+560h] push eax push edx push edi call sub_11EC0 pop edi pop esi pop ebp pop ebx retn 10h
; END OF FUNCTION CHUNK FOR sub_11420
align 10h
;-----------------------------------------------------------------------
; sub_12F60(this = ecx, arg_0)      stdcall, retn 4
; arg_0 != 0 (short path): sub_12270(this, 0A0h); sub_12270(this, 80h);
;   byte [base+0E3h] = 0FFh; byte [base+19Eh] = 3;
;   if (sub_161F0(this, 0E0h) & 2) == 0: byte [base+0E0h] = 2;
;   sub_12270(this, 0C0h).
; arg_0 == 0 (long path): brings up keys 0C0h and 0E0h in turn. For each
;   (offsets for 0C0h / 0E0h): var_4 = [this+55Ch] + 200h / 300h and the
;   arg_0 slot is reused to hold len = [this+560h];
;   dword [base+0C0h|0E0h] = 0FF000000h; sub_11580(this, 19Ah|19Eh, 2);
;   byte [base+0C0h|0E0h] = 1; then poll: sub_161F0(this, key) until
;   al & 1, with KeStallExecutionProcessor(100) per iteration, giving up
;   when PcGetTimeInterval(start) reaches 1312D00h (20 000 000; 2 s if its
;   100 ns unit applies — confirm) or its high dword is non-zero;
;   byte [base+key] = 0; dword [base+0D8h|0F8h] = var_4; [base+0DCh|0FCh] = 0;
;   sub_115A0(this, 0D0h|0F0h, 0BFh); word [base+0CEh|0EEh] = 4;
;   byte [base+0CCh|0ECh] = 1; dword [base+0C8h|0E8h] = len * 2;
;   sub_115A0(this, 198h|19Ch, (len >> 3) & 0FFFFh).
;   Finally sub_123B0(this, 80h) and sub_123B0(this, 0A0h).
; Note the poll loop busy-waits (stall + re-read) for up to the timeout;
; the IRQL this runs at is not visible here.
; All [base+...] accesses are guarded by [this+4] != 0 and followed by
; KeStallExecutionProcessor(1).
;-----------------------------------------------------------------------
sub_12F60 proc near
var_14= dword ptr -14h
var_4= dword ptr -4
arg_0= dword ptr 4
push ecx cmp [esp+4+arg_0], 0 push esi push edi mov esi, ecx jz short loc_12FE3 push 0A0h call sub_12270 push 80h mov ecx, esi call sub_12270 cmp dword ptr [esi+4], 0 mov edi, ds:KeStallExecutionProcessor jz short loc_12FAE mov eax, [esi] push 1 mov byte ptr [eax+0E3h], 0FFh call edi ; KeStallExecutionProcessor
cmp dword ptr
[esi+4], 0 jz short loc_12FAE mov ecx, [esi] push 1 mov byte ptr [ecx+19Eh], 3 call edi ; KeStallExecutionProcessor
loc_12FAE: push 0E0h mov ecx, esi call sub_161F0 test al, 2 jnz short loc_12FD1 cmp dword ptr [esi+4], 0 jz short loc_12FD1 mov edx, [esi] push 1 mov byte ptr [edx+0E0h], 2 call edi ; KeStallExecutionProcessor
loc_12FD1: push 0C0h mov ecx, esi call sub_12270 pop edi pop esi pop ecx retn 4
; long path (arg_0 == 0): key 0C0h first. var_4 = [this+55Ch] + 200h, the
; arg_0 slot now holds len = [this+560h]
loc_12FE3: mov eax, [esi+55Ch] mov edi, ds:KeStallExecutionProcessor add eax, 200h cmp dword ptr [esi+4], 0 mov [esp+0Ch+var_4], eax mov eax, [esi+560h] mov [esp+0Ch+arg_0], eax jz short loc_13018 mov ecx, [esi] push 1 mov dword ptr [ecx+0C0h], 0FF000000h call edi ; KeStallExecutionProcessor
loc_13018: push 2 push 19Ah mov ecx, esi call sub_11580 cmp dword ptr [esi+4], 0 jz short loc_13039 mov edx, [esi] push 1 mov byte ptr [edx+0C0h], 1 call edi ; KeStallExecutionProcessor
; ebx:ebp = PcGetTimeInterval(0, 0) start stamp; "lea esp,[esp+0]" is loop padding
loc_13039: push ebx push ebp push 0 push 0 call ds:PcGetTimeInterval mov ebx, eax mov ebp, edx lea esp, [esp+0]
; poll until sub_161F0(this, 0C0h) & 1, stalling 100 per pass; exit when the
; elapsed high dword is non-zero or the low dword reaches 1312D00h
loc_13050: push 0C0h mov ecx, esi call sub_161F0 test al, 1 jnz short loc_13077 push 64h call edi ; KeStallExecutionProcessor
push ebp push ebx call ds:PcGetTimeInterval test edx, edx ja short loc_13077 cmp eax, 1312D00h jb short loc_13050
loc_13077: cmp dword ptr [esi+4], 0 jz short loc_130B6 mov eax, [esi] push 1 mov byte ptr [eax+0C0h], 0 call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_130B6 mov ecx, [esi] mov edx, [esp+14h+var_4] push 1 mov [ecx+0D8h], edx call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_130B6 mov eax, [esi] push 1 mov dword ptr [eax+0DCh], 0 call edi ; KeStallExecutionProcessor
loc_130B6: push 0BFh push 0D0h mov ecx, esi call sub_115A0 cmp dword ptr [esi+4], 0 jz short loc_1310A mov ecx, [esi] push 1 mov word ptr [ecx+0CEh], 4 call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_1310A mov edx, [esi] push 1 mov byte ptr [edx+0CCh], 1 call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_1310A mov ebx, [esp+14h+arg_0] mov ecx, [esi] lea eax, [ebx+ebx] push 1 mov [ecx+0C8h], eax call edi ; KeStallExecutionProcessor
jmp short loc_1310E
loc_1310A: mov ebx, [esp+14h+arg_0]
; sub_115A0(this, 198h, (len >> 3) & 0FFFFh); then the same bring-up for key 0E0h
loc_1310E: shr ebx, 3 movzx eax, bx push eax push 198h mov ecx, esi call sub_115A0 mov eax, [esi+55Ch] mov edx, [esi+560h] add eax, 300h cmp dword ptr [esi+4], 0 mov [esp+14h+var_4], eax mov [esp+14h+arg_0], edx jz short loc_13150 mov eax, [esi] push 1 mov dword ptr [eax+0E0h], 0FF000000h call edi ; KeStallExecutionProcessor
loc_13150: push 2 push 19Eh mov ecx, esi call sub_11580 cmp dword ptr [esi+4], 0 jz short loc_13171 mov ecx, [esi] push 1 mov byte ptr [ecx+0E0h], 1 call edi ; KeStallExecutionProcessor
; same poll loop as loc_13050, start stamp now in ebp:ebx
loc_13171: push 0 push 0 call ds:PcGetTimeInterval mov ebp, eax mov ebx, edx nop
loc_13180: push 0E0h mov ecx, esi call sub_161F0 test al, 1 jnz short loc_131A7 push 64h call edi ; KeStallExecutionProcessor
push ebx push ebp call ds:PcGetTimeInterval test edx, edx ja short loc_131A7 cmp eax, 1312D00h jb short loc_13180
loc_131A7: cmp dword ptr [esi+4], 0 jz short loc_131E6 mov edx, [esi] push 1 mov byte ptr [edx+0E0h], 0 call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_131E6 mov eax, [esi] mov ecx, [esp+14h+var_4] push 1 mov [eax+0F8h], ecx call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_131E6 mov edx, [esi] push 1 mov dword ptr [edx+0FCh], 0 call edi ; KeStallExecutionProcessor
loc_131E6: push 0BFh push 0F0h mov ecx, esi call sub_115A0 cmp dword ptr [esi+4], 0 jz short loc_1323A mov eax, [esi] push 1 mov word ptr [eax+0EEh], 4 call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_1323A mov ecx, [esi] push 1 mov byte ptr [ecx+0ECh], 1 call edi ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jz short loc_1323A mov ebx, [esp+14h+arg_0] mov eax, [esi] lea edx, [ebx+ebx] push 1 mov [eax+0E8h], edx call edi ; KeStallExecutionProcessor
jmp short loc_1323E
loc_1323A: mov ebx, [esp+14h+arg_0]
loc_1323E: shr ebx, 3 movzx eax, bx push eax push 19Ch mov ecx, esi call sub_115A0 push 80h mov ecx, esi call sub_123B0 push 0A0h mov ecx, esi call sub_123B0 pop ebp pop ebx pop edi pop esi pop ecx retn 4
sub_12F60 endp
align 10h
;-----------------------------------------------------------------------
; sub_13280(this = ecx, arg_0, arg_4)      stdcall, retn 8; eax = this
; sub_16100(this, arg_0); [this+564h] = arg_4.
; Allocates two 70h-byte NonPagedPool (type 0) blocks with tag 774E6350h
; (bytes 50 63 4E 77, reads as "PcNw"), zeroes each with memset and calls
; sub_16620(this = block, loc_12AE0, loc_12B10, 34h | 36h, this) on it;
; the result is stored in [this+508h] and [this+50Ch] respectively.
; A failed allocation stores 0 in the slot and continues with the other.
; Stored value is sub_16620's eax, not edi — presumably it returns its
; this (confirm).
;-----------------------------------------------------------------------
sub_13280 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
mov eax, [esp+arg_0] push ebx push esi push edi push eax mov esi, ecx call sub_16100 mov ecx, [esp+0Ch+arg_4] mov ebx, ds:ExAllocatePoolWithTag push 774E6350h push 70h push 0 mov [esi+564h], ecx call ebx ; ExAllocatePoolWithTag
mov edi, eax test edi, edi jz short loc_132D3 push 70h push 0 push edi call memset add esp, 0Ch push esi push 34h push offset loc_12B10 push offset loc_12AE0 mov ecx, edi call sub_16620 jmp short loc_132D5
loc_132D3: xor eax, eax
loc_132D5: push 774E6350h push 70h push 0 mov [esi+508h], eax call ebx ; ExAllocatePoolWithTag
mov edi, eax test edi, edi jz short loc_1331B push 70h push 0 push edi call memset add esp, 0Ch push esi push 36h push offset loc_12B10 push offset loc_12AE0 mov ecx, edi call sub_16620 mov [esi+50Ch], eax pop edi mov eax, esi pop esi pop ebx retn 8
loc_1331B: xor eax, eax mov [esi+50Ch], eax pop edi mov eax, esi pop esi pop ebx retn 8
sub_13280 endp
align 10h
;-----------------------------------------------------------------------
; sub_13330(this = ecx)      returns 0
; For esi = 0..27h (cmp si,28h / jb): var_1 = 0;
; sub_118F0(this, 460h, 0A0h, esi, &var_1); byte [this+530h+esi] = var_1.
; I.e. fills the 28h-byte array at [this+530h]. "mov edi,edi" is padding.
;-----------------------------------------------------------------------
sub_13330 proc near
var_1= byte ptr -1
push ecx push ebp push esi mov ebp, ecx push edi lea edi, [ebp+530h] xor esi, esi mov edi, edi
loc_13340: lea eax, [esp+0Fh] push eax push esi push 0A0h push 460h mov ecx, ebp mov [esp+20h+var_1], 0 call sub_118F0 mov cl, [esp+10h+var_1] mov [edi], cl add esi, 1 add edi, 1 cmp si, 28h jb short loc_13340 pop edi pop esi xor eax, eax pop ebp pop ecx retn
sub_13330 endp
align 10h
;-----------------------------------------------------------------------
; sub_13380(this = ecx)      no stack args; hardware init sequence
; edi = sub_161D0(this) & 7FFFFFFFh -> dword [base+8]; sub_115F0(this,
; 1E8480h, 0); edi |= 80000000h -> [base+8]; sub_115F0 again;
; dword [base+4E4h] = 38000h; edi = dword [base+4E0h] (0 if [this+4] == 0);
; 20 passes (ebp = 14h): set then clear bit 400000h in [base+4E0h];
; byte [base+188h] = sub_16280(this) & 0F8h; byte [base+189h] =
; sub_162A0(this) & 98h; dword [base+1A0h] = ([this+564h] == 0 ?
; 80000000h : 0); dword [base+1B0h] = 80000000h;
; for ebp = 0..3 (key 80h/0A0h/0C0h/0E0h via off_1357C): ax =
; (sub_16250(this, key) & 0FFB1h) | 4031h -> word [base+key+12h];
; sub_13330(this); sub_12B80(this); dword [base+404h] = 50078000h;
; word [base+40Ch] = 301h; byte [base+404h] = 0Fh;
; dword [base+404h] = sub_163D0(this) & ~200h; [this+51Ch] = 0.
; Every [base+...] access is guarded by [this+4] != 0 and followed by
; KeStallExecutionProcessor(1) (ebx).
;-----------------------------------------------------------------------
sub_13380 proc near
var_C= dword ptr -0Ch
push ecx push ebx push esi push edi mov esi, ecx call sub_161D0 mov ebx, ds:KeStallExecutionProcessor mov edi, eax and edi, 7FFFFFFFh cmp dword ptr [esi+4], 0 jz short loc_133A8 mov eax, [esi] push 1 mov [eax+8], edi call ebx ; KeStallExecutionProcessor
loc_133A8: push 0 push 1E8480h mov ecx, esi call sub_115F0 cmp dword ptr
[esi+4], 0 jz short loc_133CB mov ecx, [esi] or edi, 80000000h push 1 mov [ecx+8], edi call ebx ; KeStallExecutionProcessor
loc_133CB: push 0 push 1E8480h mov ecx, esi call sub_115F0 cmp dword ptr [esi+4], 0 jz short loc_133F5 mov edx, [esi] push 1 mov dword ptr [edx+4E4h], 38000h call ebx ; KeStallExecutionProcessor
cmp dword ptr [esi+4], 0 jnz short loc_133F9
loc_133F5: xor edi, edi jmp short loc_13405
loc_133F9: push 1 call ebx ; KeStallExecutionProcessor
mov eax, [esi] mov edi, [eax+4E0h]
; 20 passes toggling bit 400000h of [base+4E0h] (set, stall, clear, stall)
loc_13405: push ebp mov ebp, 14h jmp short loc_13410
align 10h
loc_13410: or edi, 400000h cmp dword ptr [esi+4], 0 jz short loc_13428 mov ecx, [esi] push 1 mov [ecx+4E0h], edi call ebx
loc_13428: and edi, 0FFBFFFFFh cmp dword ptr [esi+4], 0 jz short loc_13440 mov edx, [esi] push 1 mov [edx+4E0h], edi call ebx
; after the loop ebp == 0, which is why "cmp [esi+4], ebp" below is a zero test
loc_13440: sub ebp, 1 jnz short loc_13410 mov ecx, esi call sub_16280 and al, 0F8h cmp [esi+4], ebp jz short loc_1345F mov ecx, [esi] push 1 mov [ecx+188h], al call ebx
loc_1345F: mov ecx, esi call sub_162A0 and al, 98h cmp dword ptr [esi+4], 0 jz short loc_1347A mov edx, [esi] push 1 mov [edx+189h], al call ebx
loc_1347A: xor eax, eax cmp [esi+564h], eax jnz short loc_13489 mov eax, 80000000h
loc_13489: cmp dword ptr [esi+4], 0 jz short loc_134B1 mov ecx, [esi] push 1 mov [ecx+1A0h], eax call ebx cmp dword ptr [esi+4], 0 jz short loc_134B1 mov edx, [esi] push 1 mov dword ptr [edx+1B0h], 80000000h call ebx
; "mov edi,[esp+10h]" loads the never-written var_C slot; the value is dead
; because every switch case (ebp is 0..3, so the default is unreachable)
; overwrites edi before use
loc_134B1: mov edi, [esp+10h] xor ebp, ebp
loc_134B7: ; switch 4 cases
cmp ebp, 3 ja short loc_134DD ; default
jmp ds:off_1357C[ebp*4] ; switch jump
loc_134C3: ; case 0x0
mov edi, 80h jmp short loc_134DD ; default
loc_134CA: ; case 0x1
mov edi, 0A0h jmp short loc_134DD ; default
loc_134D1: ; case 0x2
mov edi, 0C0h jmp short loc_134DD ; default
loc_134D8: ; case 0x3
mov edi, 0E0h
loc_134DD: ; default
push edi mov ecx, esi call sub_16250 and ax, 0FFB1h or ax, 4031h cmp dword ptr [esi+4], 0 jz short loc_134FE mov ecx, [esi] push 1 mov [ecx+edi+12h], ax call ebx
loc_134FE: add ebp, 1 cmp ebp, 4 jl short loc_134B7 mov ecx, esi call sub_13330 mov ecx, esi call sub_12B80 xor edi, edi cmp [esi+4], edi pop ebp jz short loc_13552 mov edx, [esi] push 1 mov dword ptr [edx+404h], 50078000h call ebx cmp [esi+4], edi jz short loc_13552 mov eax, [esi] push 1 mov word ptr [eax+40Ch], 301h call ebx cmp [esi+4], edi jz short loc_13552 mov ecx, [esi] push 1 mov byte ptr [ecx+404h], 0Fh call ebx
loc_13552: mov ecx, esi call sub_163D0 and eax, 0FFFFFDFFh cmp [esi+4], edi jz short loc_1356F mov edx, [esi] push 1 mov [edx+404h], eax call ebx
loc_1356F: mov [esi+51Ch], edi pop edi pop esi pop ebx pop ecx retn
sub_13380 endp
align 4
off_1357C dd offset loc_134C3 ; jump table for switch statement
dd offset loc_134CA dd offset loc_134D1 dd offset loc_134D8
align 10h
;-----------------------------------------------------------------------
; sub_13590(this = ecx, arg_0, arg_4, <third arg>)      retn 0Ch; eax = this
; retn 0Ch pops three stack dwords but only arg_0 and arg_4 are referenced
; here; the third is not used in this excerpt.
; sub_11000(this, arg_4); [this+554h] = [this+550h] = [this+1EA0h] = 0;
; [this+20h] = arg_0; [this+24h] = 0FFFFFFFFh. Constructor-like.
;-----------------------------------------------------------------------
sub_13590 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
mov eax, [esp+arg_4] push esi push eax mov esi, ecx call sub_11000 mov ecx, [esp+4+arg_0] xor eax, eax mov [esi+554h], eax mov [esi+550h], eax mov [esi+1EA0h], eax mov [esi+20h], ecx mov dword ptr [esi+24h], 0FFFFFFFFh mov eax, esi pop esi retn 0Ch
sub_13590 endp
align 10h
;-----------------------------------------------------------------------
; sub_135D0(this = ecx)      teardown
; sub_113D0(this, 1); sub_110A0(this); if [this+54Ch]: [[this+54Ch]+24h] = 1;
; if [this+0E50h]: ExFreePool(it) — the pointer is NOT cleared afterwards;
; then tail-jumps to sub_11540(this). Whether sub_11540 reads [this+0E50h]
; again is not visible here.
;-----------------------------------------------------------------------
sub_135D0 proc near
push esi push 1 mov esi, ecx call sub_113D0 mov ecx, esi call sub_110A0 mov eax, [esi+54Ch] test eax, eax jz short loc_135F2 mov dword ptr [eax+24h], 1
loc_135F2: mov eax, [esi+0E50h] test eax, eax jz short loc_13603 push eax call ds:ExFreePool
loc_13603: mov ecx, esi pop esi jmp sub_11540
sub_135D0 endp
align 10h
; sub_13610(): returns 8
sub_13610 proc near
mov eax, 8 retn
sub_13610 endp
align 10h
; Attributes: thunk
sub_13620 proc near
jmp sub_114E0
sub_13620 endp
align 10h
;-----------------------------------------------------------------------
; sub_13630(this = ecx, arg_0)      retn 4
; [this+8] = 0; [[this+54Ch]+30h] = 0 (both arms of the "cmp eax,1" do the
; same store through a different register, so the compare has no effect).
; DEFECT: that store dereferences [this+54Ch] before it is compared with 0
; at loc_13656; a null [this+54Ch] faults here.
; If [this+54Ch] != 0: [this+0E5Ch] = 0; sub_11450(this, arg_0); reload
; [this+54Ch]; if still non-null: [it+1Ch] = [this+24h].
;-----------------------------------------------------------------------
sub_13630 proc near
arg_0= dword ptr 4
mov eax, [esp+arg_0] push esi push edi xor edi, edi cmp eax, 1 mov esi, ecx mov [esi+8], edi jnz short loc_1364D mov ecx, [esi+54Ch] mov [ecx+30h], edi jmp short loc_13656
loc_1364D: mov edx, [esi+54Ch] mov [edx+30h], edi
loc_13656: cmp [esi+54Ch], edi jz short loc_1367C push eax mov ecx, esi mov [esi+0E5Ch], edi call sub_11450 mov eax, [esi+54Ch] cmp eax, edi jz
short loc_1367C mov ecx, [esi+24h] mov [eax+1Ch], ecx
loc_1367C: pop edi pop esi retn 4
sub_13630 endp
align 10h
; START OF FUNCTION CHUNK FOR sub_17600
; chunk of sub_17600: eax = *[this+54Ch]  (no null check on [this+54Ch])
loc_13690: mov eax, [ecx+54Ch] mov eax, [eax] retn
; END OF FUNCTION CHUNK FOR sub_17600
align 10h
;-----------------------------------------------------------------------
; sub_136A0(this = ecx)      eax = 0 or 1
; eax = [this+54Ch]; 0 when it is null, or when both [this+0A78h] and
; [this+0A7Ch] are 0. Otherwise 1 when [eax+30h] <= 9 (unsigned), else 0
; ("cmp ecx,[eax+30h] / sbb eax,eax / add eax,1" = 1 - carry).
;-----------------------------------------------------------------------
sub_136A0 proc near
mov eax, [ecx+54Ch] test eax, eax jz short loc_136CA cmp dword ptr [ecx+0A78h], 0 jnz short loc_136BC cmp dword ptr [ecx+0A7Ch], 0 jz short loc_136CA
loc_136BC: mov ecx, 9 cmp ecx, [eax+30h] sbb eax, eax add eax, 1 retn
loc_136CA: xor eax, eax retn
sub_136A0 endp
align 10h
; START OF FUNCTION CHUNK FOR sub_177D0
; chunk of sub_177D0(this = ecx, arg_0, arg_4), retn 8:
;   eax = (sub_11470(this, arg_0, arg_4) >> 3) + 1; ecx = *[this+54Ch] * 2;
;   if eax > ecx (unsigned): eax -= ecx.  No null check on [this+54Ch].
loc_136D0: mov eax, [esp+arg_4] push esi mov esi, ecx mov ecx, [esp+4+arg_0] push eax push ecx mov ecx, esi call sub_11470 mov edx, [esi+54Ch] mov ecx, [edx] shr eax, 3 add eax, 1 add ecx, ecx cmp eax, ecx pop esi jbe short locret_136FB sub eax, ecx
locret_136FB: retn 8
; END OF FUNCTION CHUNK FOR sub_177D0
align 10h
; sub_13700(this = ecx, arg_0): [[this+54Ch]+44h] = arg_0  (no null check)
sub_13700 proc near
arg_0= dword ptr 4
mov eax, [ecx+54Ch] mov ecx, [esp+arg_0] mov [eax+44h], ecx retn 4
sub_13700 endp
;-----------------------------------------------------------------------
; sub_13710(this = ecx)      no stack args
; eax = sub_16380(this = *this)  (note: called with [this], not this).
; If eax & 800000h: idx = (eax >> 24) & 0Fh, switched via byte_1389C /
; off_13888 (idx > 0Ah -> default loc_137AE):
;   idx 0 -> 0AC44h (44100), 2 -> 0BB80h (48000), 3 -> 7D00h (32000),
;   0Ah -> 17700h (96000, printed by IDA as "offset loc_17700"),
;   1, 4..9 -> 0
; stored to [[this+54Ch]+50h], with [..+54h] = eax & 1.
; If bit 23 is clear: [..+50h] = 0 and +54h is left unchanged.
; Then for ebx = 0, 1 (edi = 0, 20h): the dwords returned by
; sub_111A0(this, ebx, 0) and sub_111A0(this, ebx, 4) are unpacked into
; four dwords each at [obj+60h+edi..6Ch] and [obj+70h+edi..7Ch] in the
; order byte1, byte0, byte3, byte2 (obj = [this+54Ch], never null-checked).
; IDA's "sp = -10h" note reflects the callee-cleaned arguments.
;-----------------------------------------------------------------------
sub_13710 proc near
push ebx push esi mov esi, ecx mov ecx, [esi] push edi call sub_16380 test eax, 800000h jz loc_137C9 mov ecx, eax shr ecx, 18h and ecx, 0Fh cmp ecx, 0Ah ja short loc_137AE movzx ecx, ds:byte_1389C[ecx] jmp ds:off_13888[ecx*4]
loc_13742: mov edx, [esi+54Ch] mov dword ptr [edx+50h], 0AC44h mov ecx, [esi+54Ch] and eax, 1 mov [ecx+54h], eax jmp short loc_137D6
loc_1375D: mov ecx, [esi+54Ch] mov dword ptr [ecx+50h], 0BB80h mov ecx, [esi+54Ch] and eax, 1 mov [ecx+54h], eax jmp short loc_137D6
loc_13778: mov edx, [esi+54Ch] mov dword ptr [edx+50h], 7D00h mov ecx, [esi+54Ch] and eax, 1 mov [ecx+54h], eax jmp short loc_137D6
loc_13793: mov ecx, [esi+54Ch] mov dword ptr [ecx+50h], offset loc_17700 mov ecx, [esi+54Ch] and eax, 1 mov [ecx+54h], eax jmp short loc_137D6
loc_137AE: mov edx, [esi+54Ch] mov dword ptr [edx+50h], 0 mov ecx, [esi+54Ch] and eax, 1 mov [ecx+54h], eax jmp short loc_137D6
loc_137C9: mov edx, [esi+54Ch] mov dword ptr [edx+50h], 0
loc_137D6: xor ebx, ebx xor edi, edi lea ebx, [ebx+0]
loc_137E0: push 0 push ebx mov ecx, esi call sub_111A0 mov edx, [esi+54Ch] movzx ecx, ah mov [edi+edx+60h], ecx mov edx, [esi+54Ch] mov ecx, eax and ecx, 0FFh mov [edi+edx+64h], ecx mov edx, [esi+54Ch] mov ecx, eax shr ecx, 18h mov [edi+edx+68h], ecx mov ecx, [esi+54Ch] shr eax, 10h and eax, 0FFh push 4 mov [edi+ecx+6Ch], eax push ebx mov ecx, esi call sub_111A0 mov ecx, [esi+54Ch] movzx edx, ah mov [edi+ecx+70h], edx mov ecx, [esi+54Ch] mov edx, eax and edx, 0FFh mov [edi+ecx+74h], edx mov ecx, [esi+54Ch] mov edx, eax shr edx, 18h mov [edi+ecx+78h], edx mov edx, [esi+54Ch] shr eax, 10h and eax, 0FFh mov [edi+edx+7Ch], eax add edi, 20h add ebx, 1 cmp edi, 40h jl loc_137E0 pop edi pop esi pop ebx retn
sub_13710 endp ; sp = -10h
align 4
; jump table for sub_13710; byte_1389C: idx 0 -> 0, 2 -> 1, 3 -> 2, 0Ah -> 3, others -> 4 (default)
off_13888 dd offset loc_13742 dd offset loc_1375D dd offset loc_13778 dd offset loc_13793 dd offset loc_137AE
byte_1389C db 0 db 4, 1, 2 dd 4040404h, 0CC030404h, 2 dup(0CCCCCCCCh)
; NOTE(review): the dwords below are not a table. Read as bytes they decode
; as x86 code (56 8B F1 83 BE 54 0E 00 00 00 ... 5F 5E C2 04 00 = push esi /
; mov esi,ecx / cmp dword ptr [esi+0E54h],0 / ... / pop edi / pop esi /
; retn 4): a small function IDA left undisassembled. Treat as code.
dd 83F18B56h, 0E54BEh, 8B570000h, 750C247Ch dd 247E3905h, 0E8571C74h, 0FFFFDC34h, 127CC085h dd 54C868Bh, 7E890000h, 1C788924h, 170BE89h dd 5E5F0000h, 0CC0004C2h, 2 dup(0CCCCCCCCh)
; sub_138F0(this = ecx): eax = this + 30h
sub_138F0 proc near
lea eax, [ecx+30h] retn
sub_138F0 endp
align 10h
; unnamed setter (this = ecx, arg): [[this+54Ch]+2Ch] = arg; retn 4  (no null check)
mov eax, [ecx+54Ch] mov ecx, [esp+4] mov [eax+2Ch], ecx retn 4
; raw bytes 8B 44 24 04 / 89 81 54 0E 00 00 / C2 04 00 decode as
; mov eax,[esp+4] / mov [ecx+0E54h],eax / retn 4 — another setter IDA left as data
db 8Bh ; ï
db 44h ; D
db 24h ; $
db 4 db 89h ; ë
db 81h ; ü
db 54h ; T
db 0Eh db 0 db 0 db 0C2h ; -
db 4 db 0
align 10h
;-----------------------------------------------------------------------
; sub_13920(arg_0, arg_4, arg_8)      retn 0Ch; this unused
; If arg_0 == 1: *arg_4 = 0; *arg_8 = 60h. Writes through the two caller
; pointers without null checks. Otherwise no effect.
;-----------------------------------------------------------------------
sub_13920 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
mov eax, [esp+arg_0] sub eax, 1 jnz short locret_1393D mov eax, [esp+arg_4] mov ecx, [esp+arg_8] mov dword ptr [eax], 0 mov dword ptr [ecx], 60h
locret_1393D: retn 0Ch
sub_13920 endp
;-----------------------------------------------------------------------
; sub_13940(this = ecx)
; eax = 0 when [this+54Ch] is null, else ([this+550h] * *[this+54Ch]) * 8 + 20h.
;-----------------------------------------------------------------------
sub_13940 proc near
mov edx, [ecx+54Ch] xor eax, eax test edx, edx jz short locret_1395C mov eax, [ecx+550h] imul eax, [edx] lea eax, ds:20h[eax*8]
locret_1395C: retn
sub_13940 endp
align 10h
;-----------------------------------------------------------------------
; sub_13960(this = ecx, arg_0, arg_4, arg_8)      retn 0Ch
; eax = dword [this + (arg_4 + arg_0*2 + 29Ah) * 4] & (1 << arg_8).
; No range check on arg_0/arg_4/arg_8 here — callers must validate.
;-----------------------------------------------------------------------
sub_13960 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
mov edx, [esp+arg_0] mov eax, ecx mov ecx, [esp+arg_4]
push esi lea edx, [ecx+edx*2+29Ah] mov ecx, [esp+4+arg_8] mov eax, [eax+edx*4] mov esi, 1 shl esi, cl and eax, esi pop esi retn 0Ch
sub_13960 endp
align 10h
;-----------------------------------------------------------------------
; sub_13990(this = ecx, a0, a1, a2, a3, a4, a5)      retn 18h
; idx = ((a1 + a0*2) * 8 + a2) * 2 + a3;
; dword [this+568h+idx*8] = a4; dword [this+56Ch+idx*8] = a5.
; Stores an 8-byte pair into the table at [this+568h]; no range check on
; the indices here — callers must validate.
;-----------------------------------------------------------------------
sub_13990 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
arg_C= dword ptr 10h
arg_10= dword ptr 14h
arg_14= dword ptr 18h
mov edx, [esp+arg_0] mov eax, [esp+arg_4] lea eax, [eax+edx*2] mov edx, [esp+arg_8] lea eax, [edx+eax*8] mov edx, [esp+arg_C] lea eax, [edx+eax*2] mov edx, [esp+arg_10] mov [ecx+eax*8+568h], edx mov edx, [esp+arg_14] mov [ecx+eax*8+56Ch], edx retn 18h
sub_13990 endp
align 10h
;-----------------------------------------------------------------------
; sub_139D0(dst_desc, src_desc, count)      retn 0Ch; this unused
; dst_desc -> (edx = dst ptr, ecx = dst stride), src_desc -> (esi = src
; ptr, eax = src stride), strides in dwords (scaled *4 into ebx/ebp).
; If either pointer is null or count <= 0 (signed) nothing happens.
; Otherwise for count elements: *dst = saturating signed 32-bit add of
; *dst and *src:
;   both > 0 and sum wraps past 7FFFFFFFh -> 7FFFFFFFh
;   both < 0 and sum does not stay negative -> 80000000h
;   otherwise plain add
; then advance both pointers by their strides.
;-----------------------------------------------------------------------
sub_139D0 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
mov eax, [esp+arg_4] mov ecx, [esp+arg_0] mov edx, [ecx] mov ecx, [ecx+4] push esi mov esi, [eax] test esi, esi mov eax, [eax+4] jz short loc_13A43 test edx, edx jz short loc_13A43 push edi mov edi, [esp+8+arg_8] test edi, edi jle short loc_13A42 push ebx push ebp lea ebx, ds:0[eax*4] lea ebp, ds:0[ecx*4]
loc_13A04: mov eax, [edx] test eax, eax mov ecx, [esi] jle short loc_13A22 test ecx, ecx jle short loc_13A20 add eax, ecx cmp eax, 7FFFFFFFh jbe short loc_13A35 mov eax, 7FFFFFFFh jmp short loc_13A35
loc_13A20: test eax, eax
loc_13A22: jge short loc_13A33 test ecx, ecx jge short loc_13A33 add eax, ecx js short loc_13A35 mov eax, 80000000h jmp short loc_13A35
loc_13A33: add eax, ecx
loc_13A35: mov [edx], eax add esi, ebx add edx, ebp sub edi, 1 jnz short loc_13A04 pop ebp pop ebx
loc_13A42: pop edi
loc_13A43: pop esi retn 0Ch
sub_139D0 endp
align 10h
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1.
PRESS KEYPAD "+" TO EXPAND] align 10h push ebx push esi push edi mov edi, [esp+10h] xor ebx, ebx push ebx push edi mov esi, ecx call sub_110C0 push ebx push edi mov ecx, esi mov [esi+edi*4+0E88h], ebx mov [esi+edi*4+0E78h], ebx mov [esi+edi*4+0E80h], ebx mov [esi+edi*4+0E70h], ebx call sub_11170 pop edi pop esi pop ebx retn 4 align 10h mov eax, [esp+4] xor edx, edx push 1 push eax mov [ecx+eax*4+0E88h], edx mov [ecx+eax*4+0E78h], edx mov [ecx+eax*4+0E80h], edx mov [ecx+eax*4+0E70h], edx call sub_110C0 retn 4 align 10h mov edx, [esp+4] mov eax, [ecx+edx*4+0E78h] cmp eax, [ecx+edx*4+0E88h] jz short loc_13B19 push esi mov esi, [ecx+edx*4+0E88h] mov eax, edx shl eax, 0Ah add eax, esi movzx eax, byte ptr [eax+ecx+1690h] add esi, 1 and esi, 800003FFh jns short loc_13B0E dec esi or esi, 0FFFFFC00h inc esi loc_13B0E: mov [ecx+edx*4+0E88h], esi pop esi retn 4 loc_13B19: or eax, 0FFFFFFFFh retn 4 align 10h sub_13B20 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] mov edx, [ecx+eax*4+0E78h] push ebx xor ebx, ebx cmp edx, [ecx+eax*4+0E88h] setnz bl mov eax, ebx pop ebx retn 4 sub_13B20 endp align 10h mov eax, [esp+4] push eax call sub_11150 neg eax sbb eax, eax neg eax retn 4 align 10h movzx eax, byte ptr [esp+8] mov edx, [esp+4] push eax push edx call sub_110F0 mov eax, 1 retn 8 align 10h mov eax, 1 retn align 10h sub_13B90 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 cmp [esp+arg_0], 0 push esi push edi mov edi, [esp+8+arg_4] mov esi, ecx jnz loc_13C28 push 0 push edi call sub_11170 mov eax, [esi+edi*4+0E70h] cmp eax, [esi+edi*4+0E80h] jz short loc_13C07 mov eax, [esi+edi*4+0E80h] mov ecx, edi shl ecx, 0Ah add ecx, eax movzx ecx, byte ptr [ecx+esi+0E90h] add eax, 1 and eax, 800003FFh jns short loc_13BE2 dec eax or eax, 0FFFFFC00h inc eax loc_13BE2: movzx edx, cl push edx mov byte ptr [esp+0Ch+arg_4], cl push edi mov ecx, esi mov [esi+edi*4+0E80h], eax call sub_110F0 movzx eax, byte ptr [esp+8+arg_4] mov ecx, [esi+54Ch] mov [ecx+34h], eax loc_13C07: mov edx, 
; --- sub_13B90 continued from the previous source line (receive path) ---
        [esi+edi*4+0E70h]               ; operand of the "mov edx," that ends the previous source line
        cmp     edx, [esi+edi*4+0E80h]  ; still unread data in the 0E90h ring?
        jz      short loc_13C21
        push    1
        push    edi
        mov     ecx, esi
        call    sub_11170               ; sub_11170(channel, 1): more pending

loc_13C21:
        pop     edi
        xor     eax, eax                ; return 0
        pop     esi
        retn    8

loc_13C28:                              ; transmit path (arg_0 != 0)
        lea     eax, [esp+8+arg_4]      ; the arg_4 slot doubles as the 1-byte out buffer
        push    eax
        push    edi
        call    sub_11120               ; sub_11120(channel, &byte) != 0 -> got a byte
        test    eax, eax
        jz      short loc_13C21         ; nothing to send -> return 0
        push    ebx
        mov     ebx, edi
        shl     ebx, 0Ah                ; ebx = channel * 400h
        lea     ecx, [ecx+0]            ; alignment padding

loc_13C40:
        mov     edx, [esi+edi*4+0E78h]  ; edx = write index
        mov     al, byte ptr [esp+0Ch+arg_4]
        lea     ecx, [ebx+esi]
        mov     [ecx+edx+1690h], al     ; ring[write] = byte
        mov     ecx, [esi+edi*4+0E78h]
        add     ecx, 1
        and     ecx, 800003FFh          ; write = (write + 1) % 400h, sign-preserving
        jns     short loc_13C6F
        dec     ecx
        or      ecx, 0FFFFFC00h
        inc     ecx

loc_13C6F:
        movzx   edx, byte ptr [esp+0Ch+arg_4]
        mov     [esi+edi*4+0E78h], ecx  ; store the advanced write index; the read
                                        ; index (+0E88h) is never consulted, so a
                                        ; full wrap overwrites unread bytes
        mov     eax, [esi+54Ch]         ; dereferenced without a NULL test
        lea     ecx, [esp+0Ch+arg_4]
        push    ecx
        push    edi
        mov     ecx, esi
        mov     [eax+38h], edx          ; [ctx+38h] = the byte just queued
        call    sub_11120               ; fetch the next byte, if any
        test    eax, eax
        jnz     short loc_13C40
        pop     ebx
        pop     edi
        mov     eax, 1                  ; return 1: at least one byte queued
        pop     esi
        retn    8
sub_13B90 endp

;-----------------------------------------------------------------------
; sub_13CA0 (__thiscall, ecx = object)
; Reads the registry value "MixerESP1010e" from the device's driver
; registry key into a caller-supplied buffer, requiring an exact size
; match.
; In:    [ecx+20h]      object passed as the DeviceObject argument
;        1st stack arg  destination buffer (IDA did not name it)
;        2nd stack arg  expected data length in bytes (held in ebx)
; Out:   eax = NTSTATUS: the IoOpenDeviceRegistryKey / ZwQueryValueKey
;        status, or 0C0000023h (STATUS_BUFFER_TOO_SMALL) when the stored
;        value's DataLength differs from the expected length.
;        Callee pops 8 bytes of arguments.
; Clobb: eax, ecx, edx, flags
; Stack: var_C = KeyHandle; var_10 = query buffer size, then
;        ResultLength; 8 bytes at entry-esp-8 (unnamed) = UNICODE_STRING
; Flow:  IoOpenDeviceRegistryKey(dev, 2, 1F0000h, &var_C)
;        -> ExAllocatePool(1, len+34h): 34h bytes for the query header
;           and value name (presumably), plus len bytes of data
;        -> ZwQueryValueKey(h, &name, class 1 (KeyValueFullInformation),
;           buf, size, &size); the +8 / +0Ch fields read afterwards match
;           that structure's DataOffset / DataLength
;        -> if DataLength == len: memcpy(dst, buf + DataOffset, len)
;        -> ExFreePool(buf); ZwClose(h)
; NOTE(review): the open-failure path (jl short loc_13D3A) still runs
; ZwClose on var_C, which nothing initialises before the open call; if
; IoOpenDeviceRegistryKey does not clear the out-handle on failure, this
; closes an indeterminate handle value. Returning straight after a
; failed open would be safer.
; NOTE(review): an ExAllocatePool failure (jz short loc_13D38) is not
; reported -- edi still holds the successful open status, so the caller
; sees success with the destination buffer untouched.
; The jl after ZwQueryValueKey rejects only error statuses; warning
; (non-negative) statuses fall through, and it is the exact DataLength
; comparison that then rejects oversized values.
; The DesiredAccess mask 1F0000h carries only standard rights and no
; KEY_* specific rights -- confirm this is intended.
;-----------------------------------------------------------------------
sub_13CA0 proc near
var_48= dword ptr -48h
var_34= dword ptr -34h
var_30= dword ptr -30h
var_2C= dword ptr -2Ch
var_28= dword ptr -28h
var_18= dword ptr -18h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
        mov     ecx, [ecx+20h]          ; ecx = DeviceObject
        sub     esp, 10h
        push    edi
        lea     eax, [esp+14h+var_C]    ; &KeyHandle
        push    eax
        push    1F0000h                 ; DesiredAccess (standard rights only)
        push    2                       ; DevInstKeyType 2 (driver key)
        push    ecx
        call    ds:IoOpenDeviceRegistryKey
        mov     edi, eax                ; edi = status to return unless overridden
        test    edi, edi
        jl      short loc_13D3A         ; open failed -> still closes var_C (see header)
        push    ebx
        push    esi
        push    offset aMixeresp1010e   ; "MixerESP1010e"
        lea     edx, [esp+18h]          ; UNICODE_STRING at entry-esp-8
        push    edx
        call    ds:RtlInitUnicodeString
        mov     ebx, [esp+24h]          ; ebx = expected data length (2nd arg)
        lea     eax, [ebx+34h]          ; query buffer size
        push    eax
        push    1                       ; PoolType 1 (PagedPool)
        mov     [esp+14h], eax          ; var_10 = buffer size
        call    ds:ExAllocatePool
        mov     esi, eax                ; esi = query buffer
        test    esi, esi
        jz      short loc_13D38         ; allocation failed: not reported (see header)
        mov     ecx, [esp+0Ch]          ; Length = var_10
        lea     eax, [esp+0Ch]          ; &ResultLength (reuses var_10)
        push    eax
        mov     eax, [esp+14h]          ; KeyHandle = var_C
        push    ecx
        push    esi                     ; KeyValueInformation
        push    1                       ; KeyValueInformationClass 1
        lea     edx, [esp+24h]          ; &ValueName
        push    edx
        push    eax
        call    ds:ZwQueryValueKey
        mov     edi, eax
        test    edi, edi
        jl      short loc_13D31         ; error status -> free and return it
        mov     eax, [esi+0Ch]          ; eax = DataLength
        cmp     ebx, eax
        jnz     short loc_13D2C         ; size mismatch -> STATUS_BUFFER_TOO_SMALL
        mov     ecx, [esi+8]            ; DataOffset
        mov     edx, [esp+20h]          ; edx = destination buffer (1st arg)
        push    eax
        add     ecx, esi                ; src = buf + DataOffset
        push    ecx
        push    edx
        call    memcpy                  ; memcpy(dst, src, DataLength)
        add     esp, 0Ch
        jmp     short loc_13D31

loc_13D2C:
        mov     edi, 0C0000023h         ; STATUS_BUFFER_TOO_SMALL

loc_13D31:
        push    esi
        call    ds:ExFreePool

loc_13D38:
        pop     esi
        pop     ebx

loc_13D3A:
        mov     eax, [esp+8]            ; KeyHandle (var_C)
        push    eax
        call    ds:ZwClose
        mov     eax, edi                ; return status
        pop     edi
        add     esp, 10h
        retn    8
sub_13CA0 endp                          ; sp = 8
        align   10h

;-----------------------------------------------------------------------
; sub_13D50 (__thiscall, ecx = object)
; Writes the REG_DWORD value "MixerESP1010e" under the device's driver
; registry key.
; In:    [ecx+20h]      object passed as the DeviceObject argument
;        1st stack arg  pointer to the data (IDA labels it arg_8)
;        2nd stack arg  data size in bytes (IDA labels it arg_C)
;        IDA's arg_ offsets here are skewed by its stack tracking (note
;        the "sp = 38h" at endp): the stdcall callees pop their own
;        arguments, which IDA did not account for.
; Out:   eax = NTSTATUS from IoOpenDevi
ceRegistryKey or ZwSetValueKey;
;        callee pops 8 bytes of arguments
; Clobb: eax, ecx, edx, flags
; Stack: var_C = KeyHandle, var_8/var_4 = UNICODE_STRING for the name
; NOTE(review): as in sub_13CA0, a failed open (jl short loc_13DA0)
; still reaches ZwClose with the never-initialised var_C handle slot.
; The [esp-28h+arg_28] operand at loc_13DA0 resolves to var_C once the
; callee-popped arguments are accounted for.
;-----------------------------------------------------------------------
sub_13D50 proc near
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
arg_8= dword ptr 0Ch
arg_C= dword ptr 10h
arg_28= dword ptr 2Ch
        mov     ecx, [ecx+20h]          ; ecx = DeviceObject
        sub     esp, 0Ch
        push    esi
        lea     eax, [esp+10h+var_C]    ; &KeyHandle
        push    eax
        push    1F0000h                 ; DesiredAccess (standard rights only)
        push    2                       ; DevInstKeyType 2 (driver key)
        push    ecx
        call    ds:IoOpenDeviceRegistryKey
        mov     esi, eax                ; esi = status
        test    esi, esi
        jl      short loc_13DA0         ; open failed -> still closes var_C (see header)
        push    offset aMixeresp1010e   ; "MixerESP1010e"
        lea     edx, [esp+14h+var_8]
        push    edx
        call    ds:RtlInitUnicodeString
        mov     eax, [esp+8+arg_C]      ; DataSize (2nd stack arg)
        mov     ecx, [esp+8+arg_8]      ; Data pointer (1st stack arg)
        push    eax
        mov     eax, [esp+0Ch+var_4]    ; KeyHandle (var_C, after the push)
        push    ecx
        push    4                       ; Type 4 = REG_DWORD
        push    0                       ; TitleIndex
        lea     edx, [esp+18h]          ; &ValueName
        push    edx
        push    eax
        call    ds:ZwSetValueKey
        mov     esi, eax                ; esi = status

loc_13DA0:
        mov     ecx, [esp-28h+arg_28]   ; = var_C, the KeyHandle
        push    ecx
        call    ds:ZwClose
        mov     eax, esi
        pop     esi
        add     esp, 0Ch
        retn    8
sub_13D50 endp                          ; sp = 38h
        align   10h

; START OF FUNCTION CHUNK FOR sub_17810
; Command-dispatch chunk of sub_17810 (the function entry and the arg_
; equates are outside this chunk). Selects on the command code in arg_0:
;   1000011h -> switch on arg_C (1..4) at loc_13E57: sub_11360 with two
;               case-derived flags plus arg_4/arg_8
;   1000111h -> loc_13E1C: select the object at [ecx] (arg_C == 1) or
;               [ecx+4] (arg_C == 2); if its second dword is non-zero,
;               store (byte)arg_8 at arg_4 + first dword, then stall
;               1 microsecond
;   1000211h -> sub_11820(arg_4, arg_8) on [ecx] (arg_C == 1) or
;               [ecx+4] (arg_C == 2)
; Any other code, or an out-of-range selector, falls through to
; locret_13EBF. The jump-table index is range-checked (cmp eax, 3 / ja)
; before the indirect jump. The byte store at loc_13E35 uses arg_4 as a
; base address with no visible range check -- presumably validated by
; the caller; confirm. All exits are retn 14h (five stack arguments).
loc_13DC0:
        mov     eax, [esp+arg_0]        ; eax = command code
        cmp     eax, 1000011h
        jz      loc_13E57
        cmp     eax, 1000111h
        jz      short loc_13E1C
        cmp     eax, 1000211h
        jnz     locret_13EBF            ; default
        mov     eax, [esp+arg_C]
        sub     eax, 1
        jz      short loc_13E08         ; arg_C == 1
        sub     eax, 1
        jnz     locret_13EBF            ; default (arg_C neither 1 nor 2)
        mov     eax, [esp+arg_8]
        mov     edx, [esp+arg_4]
        mov     ecx, [ecx+4]            ; arg_C == 2: second object
        push    eax
        push    edx
        call    sub_11820               ; sub_11820(arg_4, arg_8)
        retn    14h

loc_13E08:
        mov     eax, [esp+arg_8]
        mov     edx, [esp+arg_4]
        mov     ecx, [ecx]              ; arg_C == 1: first object
        push    eax
        push    edx
        call    sub_11820               ; sub_11820(arg_4, arg_8)
        retn    14h

loc_13E1C:
        mov     eax, [esp+arg_C]
        sub     eax, 1
        jz      short loc_13E33
        sub     eax, 1
        jnz     locret_13EBF            ; default
        mov     ecx, [ecx+4]
        jmp     short loc_13E35

loc_13E33:
        mov     ecx, [ecx]

loc_13E35:
        cmp     dword ptr [ecx+4], 0    ; second dword must be non-zero
        jz      locret_13EBF            ; default
        mov     eax, [ecx]
        mov     cl, byte ptr [esp+arg_8]
        mov     edx, [esp+arg_4]
        push    1
        mov     [edx+eax], cl           ; byte store at arg_4 + first dword
        call    ds:KeStallExecutionProcessor    ; 1 microsecond
        retn    14h

loc_13E57:
        mov     eax, [esp+arg_C]
        add     eax, 0FFFFFFFFh         ; switch 4 cases
        cmp     eax, 3
        ja      short locret_13EBF      ; default
        jmp     ds:off_13EC4[eax*4]     ; switch jump

loc_13E6A:                              ; case 0x1
        mov     eax, [esp+arg_8]
        mov     edx, [esp+arg_4]
        push    eax
        push    edx
        push    0
        push    0
        call    sub_11360               ; sub_11360(0, 0, arg_4, arg_8)
        retn    14h

loc_13E80:                              ; case 0x2
        mov     eax, [esp+arg_8]
        mov     edx, [esp+arg_4]
        push    eax
        push    edx                     ; remaining pushes and call are on the next source line
        push    1                       ; case 0x2 of sub_17810, begun on the previous source line
        push    0
        call    sub_11360               ; sub_11360(0, 1, arg_4, arg_8)
        retn    14h

loc_13E96:                              ; case 0x3
        mov     eax, [esp+arg_8]
        mov     edx, [esp+arg_4]
        push    eax
        push    edx
        push    0
        push    1
        call    sub_11360               ; sub_11360(1, 0, arg_4, arg_8)
        retn    14h

loc_13EAC:                              ; case 0x4
        mov     eax, [esp+arg_8]
        mov     edx, [esp+arg_4]
        push    eax
        push    edx
        push    1
        push    1
        call    sub_11360               ; sub_11360(1, 1, arg_4, arg_8)

locret_13EBF:                           ; default
        retn    14h
; END OF FUNCTION CHUNK FOR sub_17810
        align   4
off_13EC4 dd offset loc_13E6A           ; jump table for switch statement
        dd offset loc_13E80
        dd offset loc_13E96
        dd offset loc_13EAC
        align   10h

; START OF FUNCTION CHUNK FOR sub_17820
; Query counterpart of the dispatcher above (the entry of sub_17820 is
; outside this chunk). Same three command codes in arg_0, but the
; selector is arg_8 and the only data argument is arg_4; each case
; returns a zero-extended result in eax:
;   1000011h -> switch on arg_8 (1..4) at loc_13F73: sub_113A0 with two
;               case-derived flags plus arg_4; result is the low 16 bits
;   1000111h -> loc_13F3C: sub_115C0(arg_4) on [ecx] (arg_8 == 1) or
;               [ecx+4] (arg_8 == 2); result is the low 8 bits
;   1000211h -> sub_12B50(arg_4) on [ecx] for both arg_8 == 1 and
;               arg_8 == 2; result is the low 8 bits. This differs from
;               the matching case in sub_17810, which uses [ecx+4] for
;               selector 2 -- possibly unintended, confirm.
; Unknown codes or selectors return 0 (eax is cleared at entry). The
; jump-table index is range-checked before the indirect jump. All exits
; are retn 10h (four stack arguments).
loc_13EE0:
        mov     edx, [esp+arg_0]        ; edx = command code
        xor     eax, eax                ; default return value 0
        cmp     edx, 1000011h
        jz      loc_13F73
        cmp     edx, 1000111h
        jz      short loc_13F3C
        cmp     edx, 1000211h
        jnz     locret_13FD3            ; default
        mov     edx, [esp+arg_8]
        sub     edx, 1
        jz      short loc_13F2A         ; arg_8 == 1
        sub     edx, 1
        jnz     locret_13FD3            ; default
        mov     eax, [esp+arg_4]
        mov     ecx, [ecx]              ; arg_8 == 2: still the first object
        push    eax
        call    sub_12B50
        movzx   eax, al
        retn    10h

loc_13F2A:
        mov     edx, [esp+arg_4]
        mov     ecx, [ecx]
        push    edx
        call    sub_12B50
        movzx   eax, al
        retn    10h

loc_13F3C:
        mov     edx, [esp+arg_8]
        sub     edx, 1
        jz      short loc_13F61         ; arg_8 == 1
        sub     edx, 1
        jnz     locret_13FD3            ; default
        mov     eax, [esp+arg_4]
        mov     ecx, [ecx+4]            ; arg_8 == 2: second object
        push    eax
        call    sub_115C0
        movzx   eax, al
        retn    10h

loc_13F61:
        mov     edx, [esp+arg_4]
        mov     ecx, [ecx]
        push    edx
        call    sub_115C0
        movzx   eax, al
        retn    10h

loc_13F73:
        mov     edx, [esp+arg_8]
        add     edx, 0FFFFFFFFh         ; switch 4 cases
        cmp     edx, 3
        ja      short locret_13FD3      ; default
        jmp     ds:off_13FD8[edx*4]     ; switch jump

loc_13F86:                              ; case 0x1
        mov     eax, [esp+arg_4]
        push    eax
        push    0
        push    0
        call    sub_113A0               ; sub_113A0(0, 0, arg_4)
        movzx   eax, ax
        retn    10h

loc_13F9A:                              ; case 0x2
        mov     edx, [esp+arg_4]
        push    edx
        push    1
        push    0
        call    sub_113A0               ; sub_113A0(0, 1, arg_4)
        movzx   eax, ax
        retn    10h

loc_13FAE:                              ; case 0x3
        mov     eax, [esp+arg_4]
        push    eax
        push    0
        push    1
        call    sub_113A0               ; sub_113A0(1, 0, arg_4)
        movzx   eax, ax
        retn    10h

loc_13FC2:                              ; case 0x4
        mov     edx, [esp+arg_4]
        push    edx
        push    1
        push    1
        call    sub_113A0               ; sub_113A0(1, 1, arg_4)
        movzx   eax, ax

locret_13FD3:                           ; default
        retn    10h
; END OF FUNCTION CHUNK FOR sub_17820
        align   4
off_13FD8 dd offset loc_13F86           ; jump table for switch statement
        dd offset loc_13F9A
        dd offset loc_13FAE
        dd offset loc_13FC2
        align   10h
;-----------------------------------------------------------------------
; sub_13FF0 (__thiscall, ecx = object)
; Classifies v = sub_11470(arg_0, arg_4) >> 3 against n = the first
; dword of the context at [this+54Ch].
; Out:   eax = 1 when 0 < v < n, or when v == 2*n (with v > n);
;        eax = 0 otherwise, including v == 0, v == n, n < v < 2n, and
;        when [this+54Ch] is NULL. Comparisons are unsigned.
;        Callee pops 8 bytes.
; Clobb: eax, ecx, edx, flags
; The same predicate is inlined repeatedly in sub_14870 and sub_15260
; (the shr eax, 3 / cmp eax, [ecx] / add edx, edx pattern).
;-----------------------------------------------------------------------
sub_13FF0 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, ecx                ; esi = object
        cmp     dword ptr [esi+54Ch], 0
        jnz     short loc_14002
        xor     eax, eax                ; no context -> 0
        pop     esi
        retn    8

loc_14002:
        mov     eax, [esp+arg_4]
        mov     ecx, [esp+arg_0]
        push    edi
        push    eax
        push    ecx
        mov     ecx, esi
        xor     edi, edi                ; edi = result, default 0
        call    sub_11470               ; sub_11470(arg_0, arg_4)
        shr     eax, 3                  ; eax = v
        jz      short loc_14025         ; v == 0
        mov     edx, [esi+54Ch]
        cmp     eax, [edx]
        jb      short loc_14049         ; 0 < v < n -> 1

loc_14025:
        mov     ecx, [esi+54Ch]
        mov     ecx, [ecx]              ; ecx = n
        cmp     eax, ecx
        jz      short loc_1403A         ; v == n -> 0
        jbe     short loc_14043
        lea     edx, [ecx+ecx]
        cmp     eax, edx
        jnb     short loc_14043         ; v >= 2n: decide below
                                        ; n < v < 2n -> 0

loc_1403A:
        xor     edi, edi
        mov     eax, edi
        pop     edi
        pop     esi
        retn    8

loc_14043:
        add     ecx, ecx
        cmp     eax, ecx
        jnz     short loc_1404E         ; v != 2n -> 0

loc_14049:
        mov     edi, 1

loc_1404E:
        mov     eax, edi
        pop     edi
        pop     esi
        retn    8
sub_13FF0 endp
        align   10h

;-----------------------------------------------------------------------
; sub_14060 (__thiscall, ecx = object)
; Allocates one 40000h-byte non-paged block (stored at this+0E50h) and
; carves it into 64 consecutive 1000h-byte slices, recording each as a
; {pointer, 1} pair in the descriptor table at this+0BD0h: four rows of
; 80h bytes (row = ecx*80h, ecx = 0..3), each holding sixteen pairs at
; 0BD0h, 0BD8h, ..., 0C48h (64 x 1000h = 40000h).
; In:    ecx = object
; Out:   none; ebx/ebp/esi/edi preserved. The loop body continues on the
;        next source line and runs until ebx == 4.
; The locals var_10..var_4 hold {0,1,2,3} and map the loop counter ebx
; to the row index ecx one-to-one.
; NOTE(review): the ExAllocatePool result is stored and used as the base
; address without a NULL test; on allocation failure the table is filled
; with small offsets from NULL. A test eax, eax / jz bail-out before
; loc_140A0 would avoid that.
;-----------------------------------------------------------------------
sub_14060 proc near
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
        sub     esp, 10h
        push    ebx
        push    ebp
        push    esi
        push    edi
        xor     ebx, ebx                ; ebx = loop counter 0..3
        push    40000h                  ; NumberOfBytes
        mov     edi, 1                  ; edi = constant 1 (second dword of each pair)
        push    ebx                     ; PoolType 0 (NonPagedPool)
        mov     esi, ecx                ; esi = object
        mov     [esp+28h+var_10], ebx   ; {0,1,2,3} row-index table
        mov     [esp+28h+var_C], edi
        mov     [esp+28h+var_8], 2
        mov     [esp+28h+var_4], 3
        call    ds:ExAllocatePool
        mov     [esi+0E50h], eax        ; base of the block; not NULL-checked (see header)
        lea     ebx, [ebx+0]            ; alignment padding

loc_140A0:                              ; eax = next free slice, ecx = row index
        mov     ecx, [esp+ebx*4+20h+var_10]
        lea     edx, ds:0[ecx*8]
        lea     ebp, [edx+0BDh]
        shl     edx, 4                  ; edx = row * 80h
        mov     [edx+esi+0BD4h], edi
        shl     ebp, 4                  ; ebp = row * 80h + 0BD0h
        mov     [esi+ebp], eax          ; pair @0BD0h
        add     eax, 1000h
        mov     edx, ecx
        shl     edx, 7
        mov     [edx+esi+0BD8h], eax    ; pair @0BD8h
        mov     [edx+esi+0BDCh], edi
        add     edx, esi                ; result unused
        add     eax, 1000h
        lea     edx, ds:0[ecx*8]
        lea     ebp, [edx+0BEh]
        shl     edx, 4
        mov     [edx+esi+0BE4h], edi
        shl     ebp, 4
        mov     [esi+ebp], eax          ; pair @0BE0h
        add     eax, 1000h
        mov     edx, ecx
        shl     edx, 7
        mov     [edx+esi+0BE8h], eax    ; pair @0BE8h
        mov     [edx+esi+0BECh], edi
        add     edx, esi                ; result unused
        add     eax, 1000h
        lea     edx, ds:0[ecx*8]
        lea     ebp, [edx+0BFh]
        shl     edx, 4
        mov     [edx+esi+0BF4h], edi
        shl     ebp, 4
        mov     [esi+ebp], eax          ; pair @0BF0h
        add     eax, 1000h
        mov     edx, ecx
        shl     edx, 7
        mov     [edx+esi+0BF8h], eax    ; pair @0BF8h
        mov     [edx+esi+0BFCh], edi
        add     edx, esi                ; result unused
        add     eax, 1000h
        lea     edx, [ecx+18h]
        shl     edx, 7                  ; (row + 18h) * 80h = row * 80h + 0C00h
        mov     [edx+esi], eax          ; pair @0C00h
        mov     edx, ecx
        shl     edx, 7
        mov     [edx+esi+0C04h], edi
        add     eax, 1000h
        mov     edx, ecx
        shl     edx, 7
        mov     [edx+esi+0C08h], eax    ; pair @0C08h
        add     edx, esi
        mov                             ; operands continue on the next source line
[edx+0C0Ch], edi lea edx, ds:0[ecx*8] lea ebp, [edx+0C1h] shl edx, 4 mov [edx+esi+0C14h], edi add eax, 1000h shl ebp, 4 mov [esi+ebp], eax mov edx, ecx shl edx, 7 add edx, esi mov [edx+0C1Ch], edi add eax, 1000h mov [edx+0C18h], eax lea edx, ds:0[ecx*8] lea ebp, [edx+0C2h] shl edx, 4 mov [edx+esi+0C24h], edi add eax, 1000h shl ebp, 4 mov [esi+ebp], eax mov edx, ecx shl edx, 7 add edx, esi add eax, 1000h mov [edx+0C28h], eax mov [edx+0C2Ch], edi lea edx, ds:0[ecx*8] add eax, 1000h lea ebp, [edx+0C3h] shl edx, 4 mov [edx+esi+0C34h], edi shl ebp, 4 mov [esi+ebp], eax mov edx, ecx shl edx, 7 add eax, 1000h add edx, esi mov [edx+0C38h], eax mov [edx+0C3Ch], edi lea edx, ds:0[ecx*8] add eax, 1000h lea ebp, [edx+0C4h] shl ebp, 4 mov [esi+ebp], eax shl ecx, 7 shl edx, 4 add eax, 1000h add ecx, esi mov [edx+esi+0C44h], edi mov [ecx+0C48h], eax add ebx, edi add eax, 1000h cmp ebx, 4 mov [ecx+0C4Ch], edi jl loc_140A0 pop edi pop esi pop ebp pop ebx add esp, 10h retn sub_14060 endp align 10h sub_14290 proc near var_88= dword ptr -88h var_84= dword ptr -84h var_78= dword ptr -78h var_68= dword ptr -68h var_58= dword ptr -58h var_48= dword ptr -48h var_38= dword ptr -38h var_28= dword ptr -28h var_18= dword ptr -18h var_8= dword ptr -8 var_4= dword ptr -4 sub esp, 8 push ebx push ebp push esi mov esi, ecx mov ecx, [esi+54Ch] mov edx, [ecx] mov ebx, [esi+0E68h] push edi mov edi, [esi+0E60h] mov [ecx+5Ch], ebx mov ecx, [esi+54Ch] mov [ecx], edx mov ebp, [esi+0E64h] lea eax, ds:0[edx*4] mov edx, [esi+54Ch] mov [edx+0A0h], edi mov ecx, [esi+54Ch] mov ebx, 2 mov [ecx+0A4h], ebx mov ecx, [esi+54Ch] lea edx, [edi+4] mov [ecx+0B0h], edx mov edx, [esi+54Ch] mov [edx+0B4h], ebx mov edx, [esi+54Ch] add eax, eax lea ecx, [eax+edi] mov [edx+0A8h], ecx mov edx, [esi+54Ch] mov [edx+0ACh], ebx mov edx, [esi+54Ch] mov [esp+18h+var_8], eax add ecx, 4 add eax, eax push eax mov [edx+0B8h], ecx mov ecx, [esi+54Ch] push ebp push 0 mov [ecx+0BCh], ebx push 0 mov ecx, esi mov [esp+28h+var_4], edi call 
sub_11420 mov edx, [esi+54Ch] mov eax, [esp+28h+var_18] add eax, eax add edi, eax mov eax, [esp+28h+var_18] mov [edx+0C0h], edi mov ecx, [esi+54Ch] mov [ecx+0C4h], ebx mov ecx, [esi+54Ch] lea edx, [edi+4] mov [ecx+0D0h], edx mov edx, [esi+54Ch] mov ecx, [esp+28h+var_18] mov [edx+0D4h], ebx mov edx, [esi+54Ch] add ecx, edi mov [edx+0C8h], ecx mov edx, [esi+54Ch] mov [edx+0CCh], ebx mov edx, [esi+54Ch] add eax, eax add ecx, 4 push eax add ebp, eax mov [edx+0D8h], ecx mov ecx, [esi+54Ch] push ebp push ebx mov [ecx+0DCh], ebx push 0 mov ecx, esi call sub_11420 mov eax, [esp+38h+var_28] mov edx, [esi+54Ch] add eax, eax add edi, eax add ebp, eax mov [edx+0E0h], edi mov ecx, [esi+54Ch] mov [ecx+0E4h], ebx mov ecx, [esi+54Ch] lea edx, [edi+4] mov [ecx+0F0h], edx mov edx, [esi+54Ch] mov ecx, [esp+38h+var_28] mov [edx+0F4h], ebx mov edx, [esi+54Ch] add ecx, edi mov [edx+0E8h], ecx mov edx, [esi+54Ch] mov [edx+0ECh], ebx mov edx, [esi+54Ch] add ecx, 4 push eax mov [edx+0F8h], ecx mov ecx, [esi+54Ch] push ebp push 4 mov [ecx+0FCh], ebx push 0 mov ecx, esi call sub_11420 mov edx, [esi+54Ch] mov eax, [esp+48h+var_38] add eax, eax add edi, eax mov [edx+100h], edi mov ecx, [esi+54Ch] mov [ecx+104h], ebx mov ecx, [esi+54Ch] lea edx, [edi+4] mov [ecx+110h], edx mov edx, [esi+54Ch] mov ecx, [esp+48h+var_38] mov [edx+114h], ebx mov edx, [esi+54Ch] add ecx, edi mov [edx+108h], ecx mov edx, [esi+54Ch] mov [edx+10Ch], ebx mov edx, [esi+54Ch] add ecx, 4 push eax add ebp, eax mov [edx+118h], ecx mov ecx, [esi+54Ch] push ebp push 6 mov [ecx+11Ch], ebx push 0 mov ecx, esi call sub_11420 mov edx, [esi+54Ch] mov eax, [esp+58h+var_48] add eax, eax add edi, eax mov [edx+120h], edi add ebp, eax mov eax, [esi+54Ch] mov [eax+124h], ebx mov edx, [esi+54Ch] lea ecx, [edi+4] mov [edx+130h], ecx mov eax, [esi+54Ch] mov ecx, [esp+58h+var_48] mov [eax+134h], ebx mov edx, [esi+54Ch] lea eax, [edi+ecx] mov [edx+128h], eax mov edx, [esi+54Ch] mov [edx+12Ch], ebx mov edx, [esi+54Ch] add eax, 4 mov 
[edx+138h], eax mov eax, [esi+54Ch] mov [eax+13Ch], ebx lea eax, [ecx+ecx] push eax push ebp push 0 push 1 mov ecx, esi call sub_11420 mov ecx, [esi+54Ch] mov eax, [esp+68h+var_58] add eax, eax add edi, eax mov [ecx+140h], edi mov edx, [esi+54Ch] mov [edx+144h], ebx mov edx, [esi+54Ch] lea ecx, [edi+4] mov [edx+150h], ecx mov ecx, [esi+54Ch] mov edx, [esp+68h+var_58] mov [ecx+154h], ebx lea ecx, [edi+edx] mov edx, [esi+54Ch] mov [edx+148h], ecx mov edx, [esi+54Ch] mov [edx+14Ch], ebx mov edx, [esi+54Ch] add ecx, 4 push eax add ebp, eax mov [edx+158h], ecx mov ecx, [esi+54Ch] push ebp push ebx mov [ecx+15Ch], ebx push 1 mov ecx, esi call sub_11420 mov edx, [esi+54Ch] mov eax, [esp+78h+var_68] add eax, eax add edi, eax mov [edx+160h], edi mov ecx, [esi+54Ch] mov [ecx+164h], ebx mov ecx, [esi+54Ch] lea edx, [edi+4] mov [ecx+170h], edx mov edx, [esi+54Ch] mov ecx, [esp+78h+var_68] mov [edx+174h], ebx mov edx, [esi+54Ch] add ecx, edi mov [edx+168h], ecx mov edx, [esi+54Ch] mov [edx+16Ch], ebx mov edx, [esi+54Ch] add ecx, 4 push eax add ebp, eax mov [edx+178h], ecx mov ecx, [esi+54Ch] push ebp push 4 mov [ecx+17Ch], ebx push 1 mov ecx, esi call sub_11420 mov edx, [esi+54Ch] mov eax, [esp+88h+var_78] add eax, eax add edi, eax mov [edx+180h], edi mov ecx, [esi+54Ch] mov [ecx+184h], ebx mov ecx, [esi+54Ch] lea edx, [edi+4] mov [ecx+190h], edx mov edx, [esi+54Ch] mov ecx, [esp+88h+var_78] mov [edx+194h], ebx mov edx, [esi+54Ch] add edi, ecx mov [edx+188h], edi mov ecx, [esi+54Ch] mov [ecx+18Ch], ebx mov edx, [esi+54Ch] push eax add eax, ebp add edi, 4 mov [edx+198h], edi mov ecx, [esi+54Ch] push eax push 6 mov [ecx+19Ch], ebx push 1 mov ecx, esi call sub_11420 mov eax, [esp+98h+var_88] mov edx, [esp+98h+var_84] add eax, eax add eax, eax add eax, eax push eax push 0 push edx call memset add esp, 0Ch push 32h call ds:KeStallExecutionProcessor pop edi pop esi pop ebp pop ebx add esp, 8 retn sub_14290 endp ; sp = -80h align 10h sub_14720 proc near push esi push edi push 0 push 0 
; --- sub_14720 continued; prologue and the two "push 0" are on the previous source line ---
        mov     esi, ecx                ; esi = object
        call    sub_13FF0               ; sub_13FF0(0, 0)
        push    0
        mov     edi, 1
        push    edi
        mov     ecx, esi
        mov     [esi+550h], eax         ; [this+550h] = sub_13FF0(0, 0)
        call    sub_13FF0               ; sub_13FF0(1, 0)
        mov     [esi+554h], eax         ; [this+554h] = sub_13FF0(1, 0)
        mov     eax, [esi+54Ch]
        test    eax, eax
        jz      short loc_1475B         ; no context -> skip the store
        mov     ecx, [esi+550h]
        mov     [eax+10h], ecx          ; ctx+10h = [this+550h]

loc_1475B:
        mov     [esi+1E90h], edi        ; set the two refresh flags that
        mov     [esi+1E94h], edi        ; sub_14870 tests and later clears
        pop     edi
        pop     esi
        retn
sub_14720 endp
        align   10h

;-----------------------------------------------------------------------
; sub_14770 (__thiscall, ecx = object)
; Zero-fills four groups of strided dword buffers, n = [[this+54Ch]]
; dwords each (n is re-read before every group). Each buffer is
; described by a {dword *ptr, dword stride} pair and the byte step is
; stride*4. 16 steps in total (8 outer x 2 inner), advancing every
; descriptor cursor by 8 bytes per step:
;   group 1: pairs at ctx+0A0h+8k, ctx = [this+54Ch]  (ebx+esi indexing;
;            ebx = -(this+0BB4h) so that ebx+esi starts at 0A0h)
;   group 2: pairs at this+0BD0h+8k  (the table built by sub_14060)
;   group 3: pairs at this+0C50h+8k
;   group 4: pairs at this+0CD0h+8k
; A group is skipped when its pointer is NULL or n <= 0.
; In:    ecx = object (kept in ecx throughout)
; Out:   none; ebx/ebp/esi/edi preserved. The initial push ecx only
;        reserves the 4-byte local var_4 (outer counter), matched by the
;        final pop ecx.
; Clobb: eax, edx, flags
;-----------------------------------------------------------------------
sub_14770 proc near
var_4= dword ptr -4
        push    ecx                     ; reserve var_4
        push    ebx
        push    ebp
        push    esi
        mov     ebx, 0FFFFF44Ch         ; = -0BB4h
        push    edi
        sub     ebx, ecx                ; ebx = -(this + 0BB4h)
        lea     esi, [ecx+0C54h]        ; esi = descriptor cursor (this + 0C54h)
        mov     [esp+14h+var_4], 8      ; outer loop count
        lea     ebx, [ebx+0]            ; alignment padding

loc_14790:
        mov     ebp, 2                  ; inner loop count

loc_14795:
        ; group 1: descriptor at ctx + 0A0h + (esi - this - 0C54h)
        mov     edx, [ecx+54Ch]
        mov     edi, [edx]              ; edi = n
        lea     eax, [ebx+esi]
        add     eax, edx
        mov     edx, [eax]              ; edx = ptr
        test    edx, edx
        mov     eax, [eax+4]            ; eax = stride
        jz      short loc_147C0
        test    edi, edi
        jle     short loc_147C0
        add     eax, eax
        add     eax, eax                ; byte step = stride * 4

loc_147B3:
        mov     dword ptr [edx], 0
        add     edx, eax
        sub     edi, 1
        jnz     short loc_147B3

loc_147C0:
        ; group 2: descriptor at this + 0BD0h + 8k
        mov     eax, [ecx+54Ch]
        mov     edx, [eax]              ; edx = n
        mov     eax, [esi-84h]          ; ptr
        test    eax, eax
        mov     edi, [esi-80h]          ; stride
        jz      short loc_147ED
        test    edx, edx
        jle     short loc_147ED
        add     edi, edi
        add     edi, edi                ; byte step = stride * 4
        lea     ecx, [ecx+0]            ; alignment padding

loc_147E0:
        mov     dword ptr [eax], 0
        add     eax, edi
        sub     edx, 1
        jnz     short loc_147E0

loc_147ED:
        ; group 3: descriptor at this + 0C50h + 8k
        mov     eax, [esi-4]            ; ptr
        test    eax, eax
        mov     edx, [ecx+54Ch]
        mov     edx, [edx]              ; edx = n
        mov     edi, [esi]              ; stride
        jz      short loc_1481D
        test    edx, edx
        jle     short loc_1481D
        add     edi, edi
        add     edi, edi                ; byte step = stride * 4
        jmp     short loc_14810
        align   10h

loc_14810:
        mov     dword ptr [eax], 0
        add     eax, edi
        sub     edx, 1
        jnz     short loc_14810

loc_1481D:
        ; group 4: descriptor at this + 0CD0h + 8k
        mov     eax, [ecx+54Ch]
        mov     edx, [eax]              ; edx = n
        mov     eax, [esi+7Ch]          ; ptr
        test    eax, eax
        mov     edi, [esi+80h]          ; stride
        jz      short loc_1484D
        test    edx, edx
        jle     short loc_1484D
        add     edi, edi
        add     edi, edi                ; byte step = stride * 4
        lea     ebx, [ebx+0]            ; alignment padding

loc_14840:
        mov     dword ptr [eax], 0
        add     eax, edi
        sub     edx, 1
        jnz     short loc_14840

loc_1484D:
        add     esi, 8                  ; next descriptor in every group
        sub     ebp, 1
        jnz     loc_14795
        sub     [esp+14h+var_4], 1
        jnz     loc_14790
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        pop     ecx                     ; discard var_4
        retn
sub_14770 endp
        align   10h

;-----------------------------------------------------------------------
; sub_14870 (__thiscall, ecx = object)
; Large buffer-refresh routine; its body runs across the following
; source lines (not reflowed here). From the visible code it zero-fills
; and copies strided dword buffers described by {ptr, stride} pairs in
; the context at [this+54Ch], gated by the flags at this+1E94h and
; this+1E90h, which it clears when its respective passes finish.
; var_E4/var_E0/var_DC/var_D8/var_D4/var_D0/var_CC/var_C8/var_C4 are
; loop state; var_C0..var_A4 and var_A0..var_9C are per-slot counters
; (the latter cleared with memset before use).
;-----------------------------------------------------------------------
sub_14870 proc near
var_F4= dword ptr -0F4h
var_E4= dword ptr -0E4h
var_E0= dword ptr -0E0h
var_DC= dword ptr -0DCh
var_D8= dword ptr -0D8h
var_D4= dword ptr -0D4h
var_D0= dword ptr -0D0h
var_CC= dword ptr -0CCh
var_C8= dword                           ; declaration continues on the next source line
ptr -0C8h var_C4= dword ptr -0C4h var_C0= dword ptr -0C0h var_BC= dword ptr -0BCh var_B8= dword ptr -0B8h var_B4= dword ptr -0B4h var_B0= dword ptr -0B0h var_AC= dword ptr -0ACh var_A8= dword ptr -0A8h var_A4= dword ptr -0A4h var_A0= dword ptr -0A0h var_9C= dword ptr -9Ch sub esp, 0E4h push ebx push ebp push esi push edi mov esi, ecx mov [esp+0F4h+var_E4], 0 mov ebx, 14h lea esp, [esp+0] loc_14890: mov ecx, [esi+54Ch] test ecx, ecx jnz short loc_1489E xor eax, eax jmp short loc_148E6 loc_1489E: mov eax, [esp+0F4h+var_E4] push eax xor edi, edi push edi mov ecx, esi call sub_11470 shr eax, 3 jz short loc_148BC mov ecx, [esi+54Ch] cmp eax, [ecx] jb short loc_148DF loc_148BC: mov ecx, [esi+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_148CC xor edi, edi jmp short loc_148E4 loc_148CC: jbe short loc_148D9 lea ebp, [edx+edx] cmp eax, ebp jnb short loc_148D9 xor edi, edi jmp short loc_148E4 loc_148D9: add edx, edx cmp eax, edx jnz short loc_148E4 loc_148DF: mov edi, 1 loc_148E4: mov eax, edi loc_148E6: add eax, ebx lea edx, [ecx+eax*8] mov eax, [edx] test eax, eax mov ecx, [ecx] mov edx, [edx+4] jz short loc_1490D test ecx, ecx jle short loc_1490D add edx, edx add edx, edx mov edi, edi loc_14900: mov dword ptr [eax], 0 add eax, edx sub ecx, 1 jnz short loc_14900 loc_1490D: add [esp+0F4h+var_E4], 1 add ebx, 2 cmp ebx, 24h jl loc_14890 cmp dword ptr [esi+1E94h], 1 jnz loc_14B58 xor ebx, ebx mov [esp+0F4h+var_E0], ebx loc_14931: lea eax, ds:0[ebx*8] cmp dword ptr [eax+esi+0A6Ch], 0 jz loc_14B34 cmp ebx, 2 jnz short loc_1495F mov ecx, [esi+54Ch] test ecx, ecx jz short loc_1495F cmp dword ptr [ecx+30h], 0Ah jnb short loc_1495F add dword ptr [ecx+30h], 1 loc_1495F: lea ecx, [eax+eax*2] xor ebp, ebp lea edx, [esi+ecx*8+190h] mov [esp+0F4h+var_E4], ebp mov [esp+0F4h+var_DC], 24h mov [esp+0F4h+var_D4], edx jmp short loc_14980 align 10h loc_14980: mov edx, 1 mov ecx, ebp shl edx, cl lea eax, ds:0[ebx*8] mov [esp+0F4h+var_D0], eax test [eax+esi+0A6Ch], edx jz loc_14B14 mov ecx, 
[esi+54Ch] test ecx, ecx jnz short loc_149AF xor edx, edx jmp short loc_149F8 loc_149AF: push ebp push 1 mov ecx, esi xor edi, edi call sub_11470 shr eax, 3 jz short loc_149CA mov ecx, [esi+54Ch] cmp eax, [ecx] jb short loc_149F1 loc_149CA: mov ecx, [esi+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_149DA xor edi, edi jmp short loc_149F6 loc_149DA: jbe short loc_149EB lea ebx, [edx+edx] cmp eax, ebx mov ebx, [esp+0F4h+var_E0] jnb short loc_149EB xor edi, edi jmp short loc_149F6 loc_149EB: add edx, edx cmp eax, edx jnz short loc_149F6 loc_149F1: mov edi, 1 loc_149F6: mov edx, edi loc_149F8: mov edi, ebx shl edi, 4 lea eax, [edi+ebp] lea eax, [esi+eax*4+0AB0h] mov [esp+0F4h+var_CC], eax mov eax, [eax] mov [esp+0F4h+var_D8], eax mov eax, [esp+0F4h+var_D4] cmp dword ptr [eax], 0 jz loc_14BF5 test ecx, ecx jnz short loc_14A26 xor eax, eax jmp short loc_14A72 loc_14A26: xor ebx, ebx push ebp push ebx mov ecx, esi mov [esp+0FCh+var_C8], ebx call sub_11470 shr eax, 3 jz short loc_14A44 mov ecx, [esi+54Ch] cmp eax, [ecx] jb short loc_14A6B loc_14A44: mov ecx, [esi+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_14A54 xor ebx, ebx jmp short loc_14A70 loc_14A54: jbe short loc_14A65 lea ebx, [edx+edx] cmp eax, ebx jnb short loc_14A61 xor ebx, ebx jmp short loc_14A70 loc_14A61: mov ebx, [esp+0F4h+var_C8] loc_14A65: add edx, edx cmp eax, edx jnz short loc_14A70 loc_14A6B: mov ebx, 1 loc_14A70: mov eax, ebx loc_14A72: mov edx, [esp+0F4h+var_D0] mov ecx, [ecx] add edx, ebp lea eax, [eax+edx*2+17Ah] lea edx, [esi+eax*8] mov eax, [esp+0F4h+var_D8] add ebp, edi lea eax, [eax+ebp*2] mov ebx, [esi+eax*8+5E8h] mov ebp, [edx+4] lea edi, [esi+eax*8+5E8h] mov eax, [edx] test eax, eax mov edi, [edi+4] jz short loc_14ACF test ebx, ebx jz short loc_14ACF test ecx, ecx jle short loc_14ACF add ebp, ebp add edi, edi add ebp, ebp add edi, edi mov [esp+0F4h+var_D0], edi jmp short loc_14AC0 align 10h loc_14AC0: mov edi, [eax] mov [ebx], edi add ebx, [esp+0F4h+var_D0] add eax, ebp sub ecx, 1 jnz 
short loc_14AC0 loc_14ACF: mov eax, [edx] test eax, eax mov ecx, [esi+54Ch] mov ecx, [ecx] mov edx, [edx+4] jz short loc_14AFD test ecx, ecx jle short loc_14AFD add edx, edx add edx, edx jmp short loc_14AF0 align 10h loc_14AF0: mov dword ptr [eax], 0 add eax, edx sub ecx, 1 jnz short loc_14AF0 loc_14AFD: mov ebp, [esp+0F4h+var_E4] loc_14B01: mov edx, [esp+0F4h+var_CC] mov ebx, [esp+0F4h+var_E0] xor ecx, ecx cmp [esp+0F4h+var_D8], ecx setz cl mov [edx], ecx loc_14B14: mov eax, [esp+0F4h+var_DC] add [esp+0F4h+var_D4], 18h add eax, 2 add ebp, 1 cmp eax, 34h mov [esp+0F4h+var_E4], ebp mov [esp+0F4h+var_DC], eax jl loc_14980 loc_14B34: add ebx, 1 cmp ebx, 5 mov [esp+0F4h+var_E0], ebx jl loc_14931 mov dword ptr [esi+1E94h], 0 mov dword ptr [esi+1E9Ch], 1 loc_14B58: xor eax, eax cmp dword ptr [esi+1E90h], 1 mov [esp+0F4h+var_C0], eax mov [esp+0F4h+var_BC], eax mov [esp+0F4h+var_B8], eax mov [esp+0F4h+var_B4], eax mov [esp+0F4h+var_B0], eax mov [esp+0F4h+var_AC], eax mov [esp+0F4h+var_A8], eax mov [esp+0F4h+var_A4], eax jnz loc_1518E mov [esp+0F4h+var_E0], eax lea eax, [esi+1A0h] mov [esp+0F4h+var_E4], eax mov eax, 0FFFFF598h mov ebx, 2A4h lea ebp, [esi+0A68h] sub eax, esi mov [esp+0F4h+var_C8], ebx mov [esp+0F4h+var_D4], ebp mov [esp+0F4h+var_D0], eax loc_14BB3: cmp [esp+0F4h+var_E0], 2 jz loc_14D9D cmp dword ptr [ebp+0], 0 jz loc_14D9D xor edi, edi mov [esp+0F4h+var_DC], 14h loc_14BD2: mov edx, 1 mov ecx, edi shl edx, cl test [ebp+0], edx jz loc_14D86 mov edx, [esi+54Ch] test edx, edx jnz short loc_14C58 xor ecx, ecx jmp loc_14CA8 loc_14BF5: mov eax, [esp+0F4h+var_DC] add eax, edx lea edx, [ecx+eax*8] mov ecx, [ecx] lea eax, [edi+ebp] mov edi, [esp+0F4h+var_D8] lea eax, [edi+eax*2] mov ebx, [esi+eax*8+5E8h] lea edi, [esi+eax*8+5E8h] mov eax, [edx] test eax, eax mov edx, [edx+4] mov edi, [edi+4] jz loc_14B01 test ebx, ebx jz loc_14B01 test ecx, ecx jle loc_14B01 add edx, edx add edi, edi add edx, edx add edi, edi mov [esp+0F4h+var_D0], edi loc_14C44: mov edi, [eax] mov 
[ebx], edi add ebx, [esp+0F4h+var_D0] add eax, edx sub ecx, 1 jnz short loc_14C44 jmp loc_14B01 loc_14C58: xor ebp, ebp push edi push ebp mov ecx, esi mov [esp+0FCh+var_CC], ebp call sub_11470 shr eax, 3 jz short loc_14C76 mov edx, [esi+54Ch] cmp eax, [edx] jb short loc_14C9D loc_14C76: mov edx, [esi+54Ch] mov ecx, [edx] cmp eax, ecx jnz short loc_14C86 xor ebp, ebp jmp short loc_14CA2 loc_14C86: jbe short loc_14C97 lea ebp, [ecx+ecx] cmp eax, ebp jnb short loc_14C93 xor ebp, ebp jmp short loc_14CA2 loc_14C93: mov ebp, [esp+0F4h+var_CC] loc_14C97: add ecx, ecx cmp eax, ecx jnz short loc_14CA2 loc_14C9D: mov ebp, 1 loc_14CA2: mov ecx, ebp mov ebp, [esp+0F4h+var_D4] loc_14CA8: add [esp+edi*4+0F4h+var_C0], 1 lea eax, [ebx+edi] lea eax, [esi+eax*4] mov [esp+0F4h+var_C4], eax mov eax, [eax] mov [esp+0F4h+var_D8], eax add ebx, edi lea eax, [eax+ebx*2] lea ebx, [esi+eax*8-24D8h] mov eax, [esp+0F4h+var_DC] add eax, ecx lea ecx, [edx+eax*8] mov eax, [esp+0F4h+var_D0] add eax, ebp add eax, edi lea eax, [eax+eax*2] cmp dword ptr [esi+eax*8+18Ch], 0 jz short loc_14D1F mov eax, [esp+0F4h+var_E4] cmp dword ptr [eax], 1 jnz short loc_14D1F mov eax, [ecx] test eax, eax mov edx, [edx] mov ecx, [ecx+4] jz short loc_14D6F test edx, edx jle short loc_14D6F lea ebx, ds:0[ecx*4] mov ecx, edx jmp short loc_14D10 align 10h loc_14D10: mov dword ptr [eax], 0 add eax, ebx sub ecx, 1 jnz short loc_14D10 jmp short loc_14D6F loc_14D1F: cmp [esp+edi*4+0F4h+var_C0], 1 jle short loc_14D34 mov edx, [edx] push edx push ebx push ecx mov ecx, esi call sub_139D0 jmp short loc_14D6F loc_14D34: mov eax, [ebx] test eax, eax mov ebp, [edx] mov edx, [ecx] mov ebx, [ebx+4] mov ecx, [ecx+4] jz short loc_14D6F test edx, edx jz short loc_14D6F test ebp, ebp jle short loc_14D6F add ebx, ebx add ecx, ecx add ebx, ebx add ecx, ecx mov [esp+0F4h+var_CC], ecx mov ecx, ebp lea ebx, [ebx+0] loc_14D60: mov ebp, [eax] mov [edx], ebp add edx, [esp+0F4h+var_CC] add eax, ebx sub ecx, 1 jnz short loc_14D60 loc_14D6F: mov 
eax, [esp+0F4h+var_C4] mov ebx, [esp+0F4h+var_C8] mov ebp, [esp+0F4h+var_D4] xor edx, edx cmp [esp+0F4h+var_D8], edx setz dl mov [eax], edx loc_14D86: mov eax, [esp+0F4h+var_DC] add eax, 2 add edi, 1 cmp eax, 24h mov [esp+0F4h+var_DC], eax jl loc_14BD2 loc_14D9D: add [esp+0F4h+var_E0], 1 add [esp+0F4h+var_E4], 0C0h add ebx, 10h add ebp, 8 cmp ebx, 2E4h mov [esp+0F4h+var_D4], ebp mov [esp+0F4h+var_C8], ebx jl loc_14BB3 mov ecx, [esi+54Ch] xor ebp, ebp cmp [ecx+4Ch], ebp mov [esp+0F4h+var_E4], ebp jz loc_14F01 mov [esp+0F4h+var_D8], 14h loc_14DE1: mov ecx, [esi+54Ch] xor edi, edi test ecx, ecx jz short loc_14E2E push ebp push 1 mov ecx, esi call sub_11470 shr eax, 3 jz short loc_14E06 mov ecx, [esi+54Ch] cmp eax, [ecx] jb short loc_14E29 loc_14E06: mov ecx, [esi+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_14E16 xor edi, edi jmp short loc_14E2E loc_14E16: jbe short loc_14E23 lea ebx, [edx+edx] cmp eax, ebx jnb short loc_14E23 xor edi, edi jmp short loc_14E2E loc_14E23: add edx, edx cmp eax, edx jnz short loc_14E2E loc_14E29: mov edi, 1 loc_14E2E: mov eax, [esp+0F4h+var_D8] add eax, edi test ecx, ecx lea ebx, [ecx+eax*8+80h] jnz short loc_14E43 xor eax, eax jmp short loc_14E8B loc_14E43: push ebp xor edi, edi push edi mov ecx, esi call sub_11470 shr eax, 3 jz short loc_14E5D mov ecx, [esi+54Ch] cmp eax, [ecx] jb short loc_14E80 loc_14E5D: mov ecx, [esi+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_14E6D xor edi, edi jmp short loc_14E85 loc_14E6D: jbe short loc_14E7A lea ebp, [edx+edx] cmp eax, ebp jnb short loc_14E7A xor edi, edi jmp short loc_14E85 loc_14E7A: add edx, edx cmp eax, edx jnz short loc_14E85 loc_14E80: mov edi, 1 loc_14E85: mov ebp, [esp+0F4h+var_E4] mov eax, edi loc_14E8B: mov edx, [esp+0F4h+var_D8] add edx, eax cmp [esp+ebp*4+0F4h+var_C0], 0 lea edi, [ecx+edx*8] jle short loc_14EA9 mov eax, [ecx] push eax push ebx push edi mov ecx, esi call sub_139D0 jmp short loc_14EDD loc_14EA9: mov eax, [ebx] test eax, eax mov edx, [edi] mov ecx, [ecx] mov ebx, 
[ebx+4] mov edi, [edi+4] jz short loc_14EDD test edx, edx jz short loc_14EDD test ecx, ecx jle short loc_14EDD add ebx, ebx add edi, edi add ebx, ebx add edi, edi lea esp, [esp+0] loc_14ED0: mov ebp, [eax] mov [edx], ebp add eax, ebx add edx, edi sub ecx, 1 jnz short loc_14ED0 loc_14EDD: mov eax, [esp+0F4h+var_D8] mov ebp, [esp+0F4h+var_E4] add eax, 2 add ebp, 1 cmp eax, 18h mov [esp+0F4h+var_E4], ebp mov [esp+0F4h+var_D8], eax jl loc_14DE1 jmp loc_14FB0 loc_14F01: mov ebx, 14h jmp short loc_14F10 align 10h loc_14F10: cmp [esp+ebp*4+0F4h+var_C0], 0 jnz loc_14F9D mov ecx, [esi+54Ch] test ecx, ecx jnz short loc_14F29 xor eax, eax jmp short loc_14F71 loc_14F29: push ebp xor edi, edi push edi mov ecx, esi call sub_11470 shr eax, 3 jz short loc_14F43 mov ecx, [esi+54Ch] cmp eax, [ecx] jb short loc_14F66 loc_14F43: mov ecx, [esi+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_14F53 xor edi, edi jmp short loc_14F6B loc_14F53: jbe short loc_14F60 lea ebp, [edx+edx] cmp eax, ebp jnb short loc_14F60 xor edi, edi jmp short loc_14F6B loc_14F60: add edx, edx cmp eax, edx jnz short loc_14F6B loc_14F66: mov edi, 1 loc_14F6B: mov ebp, [esp+0F4h+var_E4] mov eax, edi loc_14F71: add eax, ebx lea edx, [ecx+eax*8] mov eax, [edx] test eax, eax mov ecx, [ecx] mov edx, [edx+4] jz short loc_14F9D test ecx, ecx jle short loc_14F9D add edx, edx add edx, edx lea esp, [esp+0] loc_14F90: mov dword ptr [eax], 0 add eax, edx sub ecx, 1 jnz short loc_14F90 loc_14F9D: add ebp, 1 add ebx, 2 cmp ebx, 18h mov [esp+0F4h+var_E4], ebp jl loc_14F10 loc_14FB0: xor ebx, ebx push 9Ch lea eax, [esp+0F8h+var_9C] push ebx push eax mov [esp+100h+var_A0], ebx call memset add esp, 0Ch mov [esp+0F4h+var_E0], ebx lea ecx, [ecx+0] loc_14FD0: cmp ebx, 2 jz loc_1516A cmp dword ptr [esi+ebx*8+0A68h], 0 jnz short loc_14FEC cmp ebx, 4 jnz loc_1516A loc_14FEC: mov [esp+0F4h+var_E4], 0 mov [esp+0F4h+var_DC], 24h lea esp, [esp+0] loc_15000: mov ecx, [esp+0F4h+var_E4] mov edx, 1 shl edx, cl test [esi+ebx*8+0A68h], edx jnz 
short loc_1501D cmp ebx, 4 jnz loc_15151 loc_1501D: mov eax, [esp+0F4h+var_E4] lea eax, [eax+ebx*8] lea ecx, [eax+eax*2] cmp dword ptr [esi+ecx*8+18Ch], 0 lea eax, [esi+ecx*8] jz loc_15151 mov ecx, [eax+194h] mov eax, [eax+19Ch] lea ebp, [eax+ecx*8] add [esp+ebp*4+0F4h+var_A0], 1 cmp ebx, 4 mov edx, [esp+ebp*4+0F4h+var_A0] mov [esp+0F4h+var_C4], edx jnz short loc_150CA mov edx, [esi+54Ch] xor edi, edi test edx, edx jz short loc_150BF mov eax, [esp+0F4h+var_E4] push eax push edi mov ecx, esi call sub_11470 shr eax, 3 jz short loc_15081 mov edx, [esi+54Ch] cmp eax, [edx] jb short loc_150BA loc_15081: mov edx, [esi+54Ch] mov ecx, [edx] cmp eax, ecx jnz short loc_1509A mov eax, [esp+0F4h+var_DC] xor edi, edi mov edi, eax lea edx, [edx+edi*8] jmp short loc_150EE loc_1509A: jbe short loc_150B4 lea ebx, [ecx+ecx] cmp eax, ebx mov ebx, [esp+0F4h+var_E0] jnb short loc_150B4 mov eax, [esp+0F4h+var_DC] xor edi, edi mov edi, eax lea edx, [edx+edi*8] jmp short loc_150EE loc_150B4: add ecx, ecx cmp eax, ecx jnz short loc_150BF loc_150BA: mov edi, 1 loc_150BF: mov eax, [esp+0F4h+var_DC] add edi, eax lea edx, [edx+edi*8] jmp short loc_150EE loc_150CA: mov edi, [esp+0F4h+var_E4] mov eax, ebx shl eax, 4 xor edx, edx lea ecx, [edi+eax] cmp [esi+ecx*4+0A90h], edx setz dl add edi, eax lea eax, [edx+edi*2] lea edx, [esi+eax*8+568h] loc_150EE: cmp [esp+0F4h+var_C4], 1 mov ecx, [esi+550h] lea eax, [ecx+ebp*2+17Ah] mov ecx, [esi+54Ch] lea edi, [esi+eax*8] jle short loc_15119 mov eax, [ecx] push eax push edx push edi mov ecx, esi call sub_139D0 jmp short loc_15151 loc_15119: mov eax, [edx] test eax, eax mov ebp, [ecx] mov ecx, [edi] mov edx, [edx+4] mov edi, [edi+4] jz short loc_15151 test ecx, ecx jz short loc_15151 test ebp, ebp jle short loc_15151 add edi, edi lea ebx, ds:0[edx*4] add edi, edi mov edx, ebp mov edi, edi loc_15140: mov ebp, [eax] mov [ecx], ebp add eax, ebx add ecx, edi sub edx, 1 jnz short loc_15140 mov ebx, [esp+0F4h+var_E0] loc_15151: mov eax, [esp+0F4h+var_DC] add 
[esp+0F4h+var_E4], 1 add eax, 2 cmp eax, 34h mov [esp+0F4h+var_DC], eax jl loc_15000 loc_1516A: add ebx, 1 cmp ebx, 5 mov [esp+0F4h+var_E0], ebx jl loc_14FD0 mov dword ptr [esi+1E90h], 0 mov dword ptr [esi+1E98h], 1 loc_1518E: pop edi pop esi pop ebp pop ebx add esp, 0E4h retn sub_14870 endp align 10h sub_151A0 proc near var_14= dword ptr -14h var_10= dword ptr -10h var_C= dword ptr -0Ch var_8= dword ptr -8 var_4= dword ptr -4 sub esp, 14h mov eax, [ecx+550h] mov [esp+14h+var_4], ecx mov ecx, [ecx+54Ch] cmp dword ptr [ecx+3Ch], 1 jnz loc_15253 push ebx push ebp push esi lea edx, ds:0A0h[eax*8] push edi mov [esp+24h+var_8], edx lea edi, ds:0C0h[eax*8] mov [esp+24h+var_C], 3 jmp short loc_151E0 align 10h loc_151E0: mov ebx, [esp+24h+var_8] mov [esp+24h+var_14], ebx mov [esp+24h+var_10], 2 loc_151F0: mov eax, [esp+24h+var_4] mov eax, [eax+54Ch] mov edx, [ebx+eax] test edx, edx mov ecx, [eax] mov esi, [edi+eax] mov ebp, [ebx+eax+4] mov eax, [edi+eax+4] jz short loc_15237 test esi, esi jz short loc_15237 test ecx, ecx jle short loc_15237 lea ebx, ds:0[ebp*4] lea ebp, ds:0[eax*4] mov eax, ecx loc_15226: mov ecx, [edx] mov [esi], ecx add edx, ebx add esi, ebp sub eax, 1 jnz short loc_15226 mov ebx, [esp+24h+var_14] loc_15237: add ebx, 10h add edi, 10h sub [esp+24h+var_10], 1 mov [esp+24h+var_14], ebx jnz short loc_151F0 sub [esp+24h+var_C], 1 jnz short loc_151E0 pop edi pop esi pop ebp pop ebx loc_15253: add esp, 14h retn sub_151A0 endp align 10h sub_15260 proc near var_EC= dword ptr -0ECh var_DC= dword ptr -0DCh var_D8= dword ptr -0D8h var_D4= dword ptr -0D4h var_D0= dword ptr -0D0h var_CC= dword ptr -0CCh var_C8= dword ptr -0C8h var_C4= dword ptr -0C4h var_C0= dword ptr -0C0h var_BC= dword ptr -0BCh var_B8= dword ptr -0B8h var_B4= dword ptr -0B4h var_B0= dword ptr -0B0h var_AC= dword ptr -0ACh var_A8= dword ptr -0A8h var_A4= dword ptr -0A4h var_A0= dword ptr -0A0h var_9C= dword ptr -9Ch arg_0= dword ptr 4 sub esp, 0DCh xor eax, eax push ebx push ebp push esi push edi 
mov ebx, ecx mov ebp, eax mov edi, eax mov [esp+0ECh+var_D4], ebx mov [esp+0ECh+var_C8], eax mov [esp+0ECh+var_C4], eax mov [esp+0ECh+var_C0], eax mov [esp+0ECh+var_BC], eax mov [esp+0ECh+var_B8], eax mov [esp+0ECh+var_B4], eax mov [esp+0ECh+var_B0], eax mov [esp+0ECh+var_AC], ebp mov [esp+0ECh+var_A8], edi lea edx, [ebx+0A68h] lea esi, [eax+4] loc_152A3: mov ecx, [edx] test ecx, ecx jz short loc_15306 test cl, 1 jz short loc_152B7 add [esp+0ECh+var_C4], 1 mov ebx, [esp+0ECh+var_D4] loc_152B7: test cl, 2 jz short loc_152C5 add [esp+0ECh+var_C0], 1 mov ebx, [esp+0ECh+var_D4] loc_152C5: test cl, 4 jz short loc_152D3 add [esp+0ECh+var_BC], 1 mov ebx, [esp+0ECh+var_D4] loc_152D3: test cl, 8 jz short loc_152E1 add [esp+0ECh+var_B8], 1 mov ebx, [esp+0ECh+var_D4] loc_152E1: test cl, 10h jz short loc_152EF add [esp+0ECh+var_B4], 1 mov ebx, [esp+0ECh+var_D4] loc_152EF: test cl, 20h jz short loc_152F7 add eax, 1 loc_152F7: test cl, 40h jz short loc_152FF add ebp, 1 loc_152FF: test cl, cl jns short loc_15306 add edi, 1 loc_15306: add edx, 8 sub esi, 1 jnz short loc_152A3 mov ecx, [esp+0ECh+arg_0] mov [esp+0ECh+var_B0], eax lea eax, [ebx+30Ch] mov [esp+0ECh+var_D0], eax lea eax, [ebx+ecx*8+768h] mov [esp+0ECh+var_A8], edi mov [esp+0ECh+var_AC], ebp mov [esp+0ECh+var_D8], esi mov [esp+0ECh+var_CC], 14h mov [esp+0ECh+var_A4], eax mov [esp+0ECh+var_DC], eax jmp short loc_15350 align 10h loc_15350: mov ecx, [esp+0ECh+var_D8] mov edx, 1 shl edx, cl test [ebx+0A78h], edx jz loc_1545D mov ecx, [ebx+54Ch] test ecx, ecx jnz short loc_15375 xor eax, eax jmp short loc_153BD loc_15375: mov eax, [esp+0ECh+var_D8] push eax xor esi, esi push esi mov ecx, ebx call sub_11470 shr eax, 3 jz short loc_15393 mov ecx, [ebx+54Ch] cmp eax, [ecx] jb short loc_153B6 loc_15393: mov ecx, [ebx+54Ch] mov edx, [ecx] cmp eax, edx jnz short loc_153A3 xor esi, esi jmp short loc_153BB loc_153A3: jbe short loc_153B0 lea edi, [edx+edx] cmp eax, edi jnb short loc_153B0 xor esi, esi jmp short loc_153BB loc_153B0: 
add edx, edx cmp eax, edx jnz short loc_153BB loc_153B6: mov esi, 1 loc_153BB: mov eax, esi loc_153BD: mov edx, [esp+0ECh+var_CC] add edx, eax mov [esp+0ECh+var_C8], eax lea eax, [ecx+edx*8] mov edx, [esp+0ECh+var_D0] cmp dword ptr [edx], 0 jz short loc_15403 cmp dword ptr [ebx+320h], 1 jnz short loc_15403 mov edx, [eax] test edx, edx mov ecx, [ecx] mov eax, [eax+4] jz short loc_1545D test ecx, ecx jle short loc_1545D lea esi, ds:0[eax*4] mov eax, ecx loc_153F4: mov dword ptr [edx], 0 add edx, esi sub eax, 1 jnz short loc_153F4 jmp short loc_1545D loc_15403: mov edx, [esp+0ECh+var_D8] cmp [esp+edx*4+0ECh+var_C4], 1 jle short loc_15420 mov ecx, [ecx] mov edx, [esp+0ECh+var_DC] push ecx push edx push eax mov ecx, ebx call sub_139D0 jmp short loc_1545D loc_15420: mov esi, [esp+0ECh+var_DC] mov ebp, [ecx] mov ecx, [esi] test ecx, ecx mov edx, [eax] mov esi, [esi+4] mov eax, [eax+4] jz short loc_1545D test edx, edx jz short loc_1545D test ebp, ebp jle short loc_1545D add esi, esi lea edi, ds:0[eax*4] add esi, esi mov eax, ebp lea esp, [esp+0] loc_15450: mov ebp, [ecx] mov [edx], ebp add ecx, esi add edx, edi sub eax, 1 jnz short loc_15450 loc_1545D: mov eax, [esp+0ECh+var_CC] add [esp+0ECh+var_D8], 1 add [esp+0ECh+var_DC], 10h add [esp+0ECh+var_D0], 18h add eax, 2 cmp eax, 24h mov [esp+0ECh+var_CC], eax jl loc_15350 xor esi, esi cmp [esp+0ECh+var_C4], esi jnz short loc_1548E cmp [esp+0ECh+var_C0], esi jz short loc_15495 loc_1548E: mov ecx, ebx call sub_151A0 loc_15495: push 9Ch lea eax, [esp+0F0h+var_9C] push esi push eax mov [esp+0F8h+var_A0], esi call memset lea eax, [ebx+0A68h] add esp, 0Ch mov [esp+0ECh+var_D0], eax loc_154B6: mov ecx, [esp+0ECh+var_D0] mov ebp, [ecx] test ebp, ebp jnz short loc_154C9 cmp esi, 4 jnz loc_155D5 loc_154C9: xor edx, edx jmp short loc_154D0 align 10h loc_154D0: mov eax, 1 mov ecx, edx shl eax, cl test eax, ebp jnz short loc_154E2 cmp esi, 4 jnz short loc_1550D loc_154E2: lea eax, [edx+esi*8] lea ecx, [eax+eax*2] cmp dword ptr 
[ebx+ecx*8+18Ch], 0 lea eax, [ebx+ecx*8] jz short loc_1550D mov ecx, [eax+194h] mov eax, [eax+19Ch] lea eax, [eax+ecx*8] add [esp+eax*4+0ECh+var_A0], 1 lea eax, [esp+eax*4+0ECh+var_A0] loc_1550D: lea edi, [edx+2] lea ecx, [edi-1] mov eax, 1 shl eax, cl test eax, ebp jnz short loc_15523 cmp esi, 4 jnz short loc_1554E loc_15523: lea eax, [edx+esi*8] lea ecx, [eax+eax*2] cmp dword ptr [ebx+ecx*8+1A4h], 0 lea eax, [ebx+ecx*8] jz short loc_1554E mov ecx, [eax+1ACh] mov eax, [eax+1B4h] lea eax, [eax+ecx*8] add [esp+eax*4+0ECh+var_A0], 1 lea eax, [esp+eax*4+0ECh+var_A0] loc_1554E: mov eax, 1 mov ecx, edi shl eax, cl test eax, ebp jnz short loc_15560 cmp esi, 4 jnz short loc_1558B loc_15560: lea eax, [edx+esi*8] lea ecx, [eax+eax*2] cmp dword ptr [ebx+ecx*8+1BCh], 0 lea eax, [ebx+ecx*8] jz short loc_1558B mov ecx, [eax+1C4h] mov eax, [eax+1CCh] lea eax, [eax+ecx*8] add [esp+eax*4+0ECh+var_A0], 1 lea eax, [esp+eax*4+0ECh+var_A0] loc_1558B: lea ecx, [edi+1] mov eax, 1 shl eax, cl test eax, ebp jnz short loc_1559E cmp esi, 4 jnz short loc_155C9 loc_1559E: lea eax, [edx+esi*8] lea ecx, [eax+eax*2] cmp dword ptr [ebx+ecx*8+1D4h], 0 lea eax, [ebx+ecx*8] jz short loc_155C9 mov ecx, [eax+1DCh] mov eax, [eax+1E4h] lea eax, [eax+ecx*8] add [esp+eax*4+0ECh+var_A0], 1 lea eax, [esp+eax*4+0ECh+var_A0] loc_155C9: add edx, 4 cmp edx, 8 jl loc_154D0 loc_155D5: add [esp+0ECh+var_D0], 8 add esi, 1 cmp esi, 5 jl loc_154B6 mov edx, [esp+0ECh+var_D4] mov ebx, [esp+0ECh+var_A4] add edx, 314h mov [esp+0ECh+var_D8], 0 mov [esp+0ECh+var_DC], edx loc_15600: mov ecx, [esp+0ECh+var_D8] mov eax, 1 shl eax, cl mov ecx, [esp+0ECh+var_D4] test [ecx+0A78h], eax jz short loc_1568E mov edx, [esp+0ECh+var_DC] cmp dword ptr [edx-8], 0 jz short loc_1568E mov ecx, edx mov eax, [ecx] mov ecx, [ecx+8] lea eax, [ecx+eax*8] cmp [esp+eax*4+0ECh+var_A0], 1 mov ecx, [esp+0ECh+var_C8] lea edx, [ecx+eax*2+17Ah] mov ecx, [esp+0ECh+var_D4] lea edx, [ecx+edx*8] jle short loc_15656 mov eax, [ecx+54Ch] mov eax, [eax] push 
eax push ebx push edx call sub_139D0 jmp short loc_1568E loc_15656: mov ecx, [ecx+54Ch] mov eax, [ebx] test eax, eax mov ebp, [ecx] mov ecx, [edx] mov esi, [ebx+4] mov edx, [edx+4] jz short loc_1568E test ecx, ecx jz short loc_1568E test ebp, ebp jle short loc_1568E add esi, esi lea edi, ds:0[edx*4] add esi, esi mov edx, ebp loc_15681: mov ebp, [eax] mov [ecx], ebp add eax, esi add ecx, edi sub edx, 1 jnz short loc_15681 loc_1568E: mov eax, [esp+0ECh+var_D8] add [esp+0ECh+var_DC], 18h add eax, 1 add ebx, 10h cmp eax, 8 mov [esp+0ECh+var_D8], eax jl loc_15600 pop edi pop esi pop ebp pop ebx add esp, 0DCh retn 8 sub_15260 endp align 10h mov eax, [esp+4] test eax, eax jnz short loc_156CE mov eax, [ecx+24h] retn 4 loc_156CE: mov edx, [ecx+24h] cmp edx, eax mov [esp+4], edx jnz short loc_156DE mov eax, edx retn 4 loc_156DE: push ebx push ebp push esi xor esi, esi push edi lea edx, [ecx+0A68h] lea ebp, [esi+5] lea ecx, [ecx+0] loc_156F0: mov edi, edx mov ebx, 2 loc_156F7: mov edx, [edi] test dl, 1 jz short loc_15701 add esi, 1 loc_15701: test dl, 2 jz short loc_15709 add esi, 1 loc_15709: test dl, 4 jz short loc_15711 add esi, 1 loc_15711: test dl, 8 jz short loc_15719 add esi, 1 loc_15719: test dl, 10h jz short loc_15721 add esi, 1 loc_15721: test dl, 20h jz short loc_15729 add esi, 1 loc_15729: test dl, 40h jz short loc_15731 add esi, 1 loc_15731: test dl, dl jns short loc_15738 add esi, 1 loc_15738: add edi, 4 sub ebx, 1 jnz short loc_156F7 sub ebp, 1 mov edx, edi jnz short loc_156F0 add ecx, 770h lea edi, [ebx+2] loc_15750: mov edx, 8 loc_15755: cmp dword ptr [ecx-8], 0 jz short loc_1575E add esi, 1 loc_1575E: cmp dword ptr [ecx], 0 jz short loc_15766 add esi, 1 loc_15766: add ecx, 10h sub edx, 1 jnz short loc_15755 sub edi, 1 jnz short loc_15750 pop edi test esi, esi pop esi pop ebp pop ebx jnz short loc_157AC cmp eax, 2EE00h jz short locret_157B0 cmp eax, 2AF80h jz short locret_157B0 cmp eax, offset loc_17700 jz short locret_157B0 cmp eax, offset loc_15888 jz short 
locret_157B0 cmp eax, 0BB80h jz short locret_157B0 cmp eax, 0AC44h jz short locret_157B0 cmp eax, 7D00h jz short locret_157B0 loc_157AC: mov eax, [esp+4] locret_157B0: retn 4 align 10h sub_157C0 proc near var_44= dword ptr -44h var_3C= dword ptr -3Ch var_34= dword ptr -34h var_2C= dword ptr -2Ch var_10= dword ptr -10h var_C= dword ptr -0Ch var_4= dword ptr -4 arg_0= dword ptr 4 sub esp, 10h push ebx push ebp push esi mov esi, [esp+1Ch+arg_0] mov ebx, ecx lea eax, [ebx+30h] lea ecx, [esi+10Ch] lea edx, [ebx+13Ch] push edi xor ebp, ebp lea edi, [esi+0Ch] mov [esp+20h+var_4], eax mov [esp+20h+var_10], eax mov [esp+20h+var_C], ecx mov [esp+20h+arg_0], edx loc_157F1: cmp ebp, 4 jge short loc_1583C mov edx, [eax] cmp edx, [edi-0Ch] jnz short loc_15822 mov edx, [eax+4] cmp edx, [edi-8] jnz short loc_15822 mov edx, [eax+8] cmp edx, [edi-4] jnz short loc_15822 mov edx, [eax+0Ch] cmp edx, [edi] jnz short loc_15822 mov edx, [esp+20h+arg_0] mov edx, [edx] cmp edx, [ecx] jz loc_158B5 loc_15822: mov eax, [ecx] mov ecx, [edi-8] mov edx, [edi-0Ch] push ecx mov ecx, [edi] push edx lea edx, [ecx+eax+6Fh] mov ecx, [edi-4] push edx lea edx, [ecx+eax+6Fh] jmp short loc_158A8 loc_1583C: lea ecx, [edi-0Ch] cmp eax, ecx jnz short loc_1587C mov edx, [eax+8] cmp edx, [edi-4] jnz short loc_1587C mov ecx, [eax+0Ch] cmp ecx, [edi] jnz short loc_1587C mov edx, [ebx+0F0h] cmp edx, [esi+0C0h] jnz short loc_1587C mov ecx, [ebx+0F4h] cmp ecx, [esi+0C4h] jnz short loc_1587C mov edx, [ebx+0F8h] cmp edx, [esi+0C8h] jz short loc_158B5 loc_1587C: mov eax, [esi+0C0h] mov ecx, [edi-8] mov edx, [edi-0Ch] loc_15888: add ecx, eax add edx, eax mov eax, [esi+0C8h] push ecx mov ecx, [edi] push edx lea edx, [eax+ecx+3Fh] mov eax, [edi-4] mov ecx, [esi+0C4h] push edx lea edx, [eax+ecx+3Fh] loc_158A8: push edx push ebp mov ecx, ebx call sub_111E0 mov eax, [esp+20h+var_10] loc_158B5: mov ecx, [esp+20h+var_C] add [esp+20h+arg_0], 4 add ebp, 1 add ecx, 4 add eax, 18h add edi, 18h cmp ebp, 8 mov [esp+20h+var_C], ecx 
mov [esp+20h+var_10], eax jl loc_157F1 xor edi, edi lea ecx, [ecx+0] loc_158E0: lea eax, [edi+edi*2+33h] mov eax, [esi+eax*4] lea ecx, [edi+edi*2+3Fh] cmp [ebx+ecx*4], eax jnz short loc_15907 lea ecx, [edi+edi*2] add ecx, ecx add ecx, ecx mov edx, [ecx+ebx+100h] cmp edx, [ecx+esi+0D0h] jz short loc_15961 ; default loc_15907: ; switch 4 cases cmp edi, 3 ja short loc_15961 ; default jmp ds:off_15B60[edi*4] ; switch jump loc_15913: ; case 0x0 push eax mov eax, [esi+0D0h] add eax, 49h push eax mov ecx, ebx call sub_11320 jmp short loc_15961 ; default loc_15927: ; case 0x1 mov ecx, [esi+0DCh] add ecx, 49h push eax push ecx mov ecx, ebx call sub_11330 jmp short loc_15961 ; default loc_1593B: ; case 0x2 mov edx, [esi+0E8h] push eax add edx, 49h push edx mov ecx, ebx call sub_11340 jmp short loc_15961 ; default loc_1594F: ; case 0x3 push eax mov eax, [esi+0F4h] add eax, 49h push eax mov ecx, ebx call sub_11350 loc_15961: ; default add edi, 1 cmp edi, 4 jl loc_158E0 mov edi, [esi+140h] cmp [ebx+24h], edi jz short loc_15996 push edi mov ecx, ebx call sub_11500 test eax, eax jl short loc_15996 mov ecx, [ebx+54Ch] mov [ebx+24h], edi mov [ecx+1Ch], edi mov [ebx+170h], edi loc_15996: mov eax, [esi+130h] cmp [ebx+160h], eax jnz short loc_159B2 mov edx, [ebx+15Ch] cmp edx, [esi+12Ch] jz short loc_159D5 loc_159B2: mov edx, [ebx+0E54h] mov [ebx+0E58h], eax mov ecx, [esi+140h] push ecx push edx push eax mov eax, [esi+12Ch] push eax mov ecx, ebx call sub_111D0 loc_159D5: mov ecx, [ebx+164h] cmp ecx, [esi+134h] jz short loc_15A1A mov ecx, [ebx] call sub_16380 mov edi, [ebx] cmp dword ptr [edi+4], 0 jz short loc_15A1A xor edx, edx cmp [esi+134h], edx push 1 setnz dl shl edx, 1Eh xor edx, eax and edx, 40000000h xor edx, eax mov eax, [edi] mov [eax+1B0h], edx call ds:KeStallExecutionProcessor loc_15A1A: mov eax, [esi+0FCh] cmp [ebx+12Ch], eax jz short loc_15A30 push eax mov ecx, ebx call sub_112A0 loc_15A30: mov eax, [esi+100h] cmp [ebx+130h], eax jz short loc_15A46 push eax mov ecx, ebx 
call sub_112B0                          ; sub_157C0 continues from the preceding line (the "if changed, call setter" sequence)
loc_15A46:
        mov     eax, [esi+104h]         ; esi = new settings (arg_0), ebx = this; the current value sits at this+X+30h
        cmp     [ebx+134h], eax
        jz      short loc_15A5C
        push    eax
        mov     ecx, ebx
        call    sub_112C0
loc_15A5C:
        mov     eax, [esi+108h]
        cmp     [ebx+138h], eax
        jz      short loc_15A72
        push    eax
        mov     ecx, ebx
        call    sub_112D0
loc_15A72:
        mov     eax, [esi+11Ch]
        cmp     [ebx+14Ch], eax
        jz      short loc_15A88
        push    eax
        mov     ecx, ebx
        call    sub_112E0
loc_15A88:
        mov     eax, [esi+120h]
        cmp     [ebx+150h], eax
        jz      short loc_15A9E
        push    eax
        mov     ecx, ebx
        call    sub_112F0
loc_15A9E:
        mov     eax, [esi+124h]
        cmp     [ebx+154h], eax
        jz      short loc_15AB4
        push    eax
        mov     ecx, ebx
        call    sub_11300
loc_15AB4:
        mov     eax, [esi+128h]
        cmp     [ebx+158h], eax
        jz      short loc_15ACA
        push    eax
        mov     ecx, ebx
        call    sub_11310
loc_15ACA:
        mov     eax, 1                  ; [this+54Ch]->+4Ch = (new[0FCh] == 1 && new[11Ch] == 3) ? 1 : 0
        cmp     [esi+0FCh], eax
        jnz     short loc_15AEB
        cmp     dword ptr [esi+11Ch], 3
        jnz     short loc_15AEB
        mov     ecx, [ebx+54Ch]
        mov     [ecx+4Ch], eax
        jmp     short loc_15AF8
loc_15AEB:
        mov     edx, [ebx+54Ch]
        mov     dword ptr [edx+4Ch], 0
loc_15AF8:
        ; NOTE(review): IDA's var_/frame offsets in this function do not line up with the
        ; real 20h-byte frame (sub esp,10h plus four pushes). Measured against that frame,
        ; var_3C below is the first local (this+30h, saved in the prologue on an earlier
        ; line) and var_34 / var_2C / arg_0 are all the same slot: the caller's arg_0,
        ; recycled as the out-handle of IoOpenDeviceRegistryKey.
        mov     edi, [esp+58h+var_3C]   ; edi = this+30h (copy destination)
        lea     eax, [esp+58h+var_34]   ; &handle (the recycled arg_0 slot)
        push    eax                     ; DevInstRegKey
        push    1F0000h                 ; DesiredAccess: standard rights only, no KEY_SET_VALUE bit -- confirm
                                        ; the ZwSetValueKey below can succeed with it (its status is discarded)
        mov     ecx, 147h
        rep movsd                       ; copy 51Ch bytes of new settings (esi) over this+30h
        mov     ecx, [ebx+20h]          ; device object
        push    2                       ; DevInstKeyType
        push    ecx                     ; DeviceObject
        call    ds:IoOpenDeviceRegistryKey
        test    eax, eax
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        jl      short loc_15B4F         ; NOTE(review): the failure path still falls into ZwClose below, with the
                                        ; handle slot holding whatever IoOpenDeviceRegistryKey left there (the
                                        ; caller's arg_0 pointer if it was not written) -- a close on a bogus value
        push    offset aMixeresp1010e   ; "MixerESP1010e"
        lea     edx, [esp+4Ch+var_44]
        push    edx
        call    ds:RtlInitUnicodeString
        mov     eax, [esp+40h+var_34]   ; Data = the settings block (this+30h by the real frame)
        mov     edx, [esp+40h+var_2C]   ; KeyHandle (the recycled arg_0 slot)
        push    51Ch                    ; DataSize
        push    eax                     ; Data
        push    4                       ; Type = 4 (REG_DWORD) for a 51Ch-byte buffer -- looks odd; verify
        push    0                       ; TitleIndex
        lea     ecx, [esp+50h+var_3C]
        push    ecx                     ; ValueName
        push    edx                     ; KeyHandle
        call    ds:ZwSetValueKey        ; return status ignored
loc_15B4F:
        mov     eax, [esp+10h+arg_0]    ; the handle slot (see note above)
        push    eax
        call    ds:ZwClose
        add     esp, 10h
        retn    4
sub_157C0 endp
off_15B60 dd offset loc_15913           ; jump table for switch statement
        dd offset loc_15927
        dd offset loc_1593B
        dd offset loc_1594F
;-----------------------------------------------------------------------
; sub_15B70(this = ecx) -> eax
; Scans the 5 x 2 dwords at this+0A68h and returns 1 if any of bits 0..7
; is set in any of them, else 0. Clobbers ecx, edx.
;-----------------------------------------------------------------------
sub_15B70 proc near
        push    esi
        xor     eax, eax
        push    edi
        add     ecx, 0A68h
        lea     edi, [eax+5]            ; outer count = 5
        lea     ecx, [ecx+0]            ; no-op (padding)
loc_15B80:
        mov     edx, ecx
        mov     esi, 2                  ; inner count = 2 dwords
loc_15B87:
        mov     ecx, [edx]
        test    cl, 1
        jz      short loc_15B93
        mov     eax, 1
loc_15B93:
        test    cl, 2
        jz      short loc_15B9D
        mov     eax, 1
loc_15B9D:
        test    cl, 4
        jz      short loc_15BA7
        mov     eax, 1
loc_15BA7:
        test    cl, 8
        jz      short loc_15BB1
        mov     eax, 1
loc_15BB1:
        test    cl, 10h
        jz      short
loc_15BBB mov eax, 1 loc_15BBB: test cl, 20h jz short loc_15BC5 mov eax, 1 loc_15BC5: test cl, 40h jz short loc_15BCF mov eax, 1 loc_15BCF: test cl, cl jns short loc_15BD8 mov eax, 1 loc_15BD8: add edx, 4 sub esi, 1 jnz short loc_15B87 sub edi, 1 mov ecx, edx jnz short loc_15B80 pop edi pop esi retn sub_15B70 endp align 10h sub_15BF0 proc near arg_0= dword ptr 10h arg_4= dword ptr 14h arg_8= dword ptr 18h arg_C= dword ptr 1Ch push ebx push esi push edi xor edi, edi cmp [esp+arg_C], edi mov esi, ecx jz short loc_15C27 push ebp call sub_15B70 mov ecx, [esp+4+arg_0] mov ebx, [esp+4+arg_4] lea edx, [ebx+ecx*2+29Ah] mov ecx, [esp+4+arg_8] mov ebp, 1 shl ebp, cl lea edx, [esi+edx*4] or [edx], ebp cmp eax, edi pop ebp jmp short loc_15C51 loc_15C27: mov edx, [esp+arg_0] mov ebx, [esp+arg_4] mov ecx, [esp+arg_8] lea eax, [ebx+edx*2+29Ah] mov edx, 1 shl edx, cl lea eax, [esi+eax*4] mov ecx, esi not edx and [eax], edx call sub_15B70 test eax, eax loc_15C51: jnz loc_15CD7 mov ecx, esi call sub_14770 mov eax, [esi+54Ch] mov [esi+8], edi mov [eax+30h], edi cmp [esi+54Ch], edi jz short loc_15C90 push edi mov ecx, esi mov [esi+0E5Ch], edi call sub_11450 mov eax, [esi+54Ch] cmp eax, edi jz short loc_15C90 mov ecx, [esi+24h] mov [eax+1Ch], ecx loc_15C90: push edi push 30D40h mov ecx, esi call sub_115F0 mov ecx, esi call sub_14290 mov edx, [esi+54Ch] mov [esi+8], edi mov [edx+30h], edi cmp [esi+54Ch], edi jz short loc_15CD7 push 1 mov ecx, esi mov [esi+0E5Ch], edi call sub_11450 mov eax, [esi+54Ch] cmp eax, edi jz short loc_15CD7 mov ecx, [esi+24h] mov [eax+1Ch], ecx loc_15CD7: mov edx, [esp+arg_0] mov ecx, [esp+arg_8] lea eax, [ebx+edx*2] lea edx, [ecx+eax*8] mov [esi+edx*4+0A90h], edi mov eax, [esi+550h] pop edi pop esi pop ebx retn 10h sub_15BF0 endp align 10h sub_15D00 proc near arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h arg_10= dword ptr 18h push ebx mov ebx, [esp+arg_0] push ebp mov ebp, [esp+4+arg_C] push esi push edi lea edi, [ebp-1A0h] 
push edi push 0 push ebx mov esi, ecx call memset mov eax, [esp+18h+arg_4] shr edi, 1 lea ecx, [edi+eax] add esp, 0Ch push ecx add edi, ebx push edi mov ecx, esi call sub_113E0 mov ecx, [esp+0Ch+arg_10] cmp ecx, 30h jb short loc_15D45 cmp ecx, 400h jbe short loc_15D4A loc_15D45: mov ecx, 400h loc_15D4A: mov eax, [esp+0Ch+arg_8] mov [esi+54Ch], eax mov [eax+5Ch], eax mov edi, [esi+54Ch] mov [edi], ecx lea edx, ds:0[ecx*8] mov ecx, [esi+54Ch] mov dword ptr [ecx+4], 2 mov edi, [esi+54Ch] lea ecx, ds:0[edx*4] shr ecx, 1 mov [edi+8], ecx mov edi, [esi+54Ch] mov [edi+0Ch], ecx add edx, ebx mov [esi+55Ch], edx mov edx, [esp+0Ch+arg_4] mov ecx, esi mov [esi+558h], ebx mov [esi+0E60h], ebx mov [esi+0E64h], edx mov [esi+0E68h], eax mov [esi+0E6Ch], ebp call sub_14290 pop edi pop esi pop ebp pop ebx retn 14h sub_15D00 endp align 10h ; Attributes: bp-based frame sub_15DD0 proc near var_524= dword ptr -524h var_520= dword ptr -520h var_51C= dword ptr -51Ch var_518= dword ptr -518h var_514= dword ptr -514h var_510= dword ptr -510h var_50C= dword ptr -50Ch var_508= dword ptr -508h var_504= dword ptr -504h var_500= dword ptr -500h var_4FC= dword ptr -4FCh var_4F8= dword ptr -4F8h var_4F4= dword ptr -4F4h var_4F0= dword ptr -4F0h var_4EC= dword ptr -4ECh var_4E8= dword ptr -4E8h var_4E4= dword ptr -4E4h var_4E0= dword ptr -4E0h var_4DC= dword ptr -4DCh var_4D8= dword ptr -4D8h var_4D4= dword ptr -4D4h var_4D0= dword ptr -4D0h var_4CC= dword ptr -4CCh var_4C8= dword ptr -4C8h var_4C4= dword ptr -4C4h var_4C0= dword ptr -4C0h var_4BC= dword ptr -4BCh var_4B8= dword ptr -4B8h var_4B4= dword ptr -4B4h var_4B0= dword ptr -4B0h var_4AC= dword ptr -4ACh var_4A8= dword ptr -4A8h var_4A4= dword ptr -4A4h var_4A0= dword ptr -4A0h var_49C= dword ptr -49Ch var_498= dword ptr -498h var_494= dword ptr -494h var_490= dword ptr -490h var_48C= dword ptr -48Ch var_488= dword ptr -488h var_484= dword ptr -484h var_480= dword ptr -480h var_47C= dword ptr -47Ch var_478= dword ptr -478h var_474= dword 
ptr -474h var_470= dword ptr -470h var_46C= dword ptr -46Ch var_468= dword ptr -468h var_464= dword ptr -464h var_460= dword ptr -460h var_45C= dword ptr -45Ch var_458= dword ptr -458h var_454= dword ptr -454h var_450= dword ptr -450h var_44C= dword ptr -44Ch var_448= dword ptr -448h var_444= dword ptr -444h var_440= dword ptr -440h var_43C= dword ptr -43Ch var_438= dword ptr -438h var_434= dword ptr -434h var_430= dword ptr -430h var_42C= dword ptr -42Ch var_428= dword ptr -428h var_424= dword ptr -424h var_420= dword ptr -420h var_41C= dword ptr -41Ch var_418= dword ptr -418h var_414= dword ptr -414h var_410= dword ptr -410h var_40C= dword ptr -40Ch var_408= dword ptr -408h var_404= dword ptr -404h var_400= dword ptr -400h var_3FC= dword ptr -3FCh var_3F8= dword ptr -3F8h var_3F4= dword ptr -3F4h var_3F0= dword ptr -3F0h var_3EC= dword ptr -3ECh var_3E8= dword ptr -3E8h var_3E4= dword ptr -3E4h var_3E0= dword ptr -3E0h var_3DC= dword ptr -3DCh var_3D8= dword ptr -3D8h var_3D4= dword ptr -3D4h var_3D0= dword ptr -3D0h var_3CC= dword ptr -3CCh var_3C8= dword ptr -3C8h var_3C4= dword ptr -3C4h arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h arg_10= dword ptr 18h push ebp mov ebp, esp and esp, 0FFFFFFF8h sub esp, 524h push ebx push esi push edi mov esi, ecx mov [esp+530h+var_524], esi mov eax, 60h xor ebx, ebx mov ecx, 1 mov [esp+530h+var_518], eax mov [esp+530h+var_514], eax mov [esp+530h+var_500], eax mov [esp+530h+var_4FC], eax mov [esp+530h+var_4E8], eax mov [esp+530h+var_4E4], eax mov [esp+530h+var_4D0], eax mov [esp+530h+var_4CC], eax mov [esp+530h+var_4B8], eax mov [esp+530h+var_4B4], eax mov [esp+530h+var_4A0], eax mov [esp+530h+var_49C], eax mov [esp+530h+var_488], eax mov [esp+530h+var_484], eax mov [esp+530h+var_470], eax mov [esp+530h+var_46C], eax mov [esp+530h+var_45C], eax mov [esp+530h+var_458], eax mov eax, 30h mov [esp+530h+var_520], ebx mov [esp+530h+var_51C], ebx mov [esp+530h+var_510], ebx mov [esp+530h+var_50C], 
ebx mov [esp+530h+var_508], ebx mov [esp+530h+var_504], ebx mov [esp+530h+var_4F8], ebx mov [esp+530h+var_4F4], ebx mov [esp+530h+var_4F0], ebx mov [esp+530h+var_4EC], ebx mov [esp+530h+var_4E0], ebx mov [esp+530h+var_4DC], ebx mov [esp+530h+var_4D8], ebx mov [esp+530h+var_4D4], ebx mov [esp+530h+var_4C8], ebx mov [esp+530h+var_4C4], ebx mov [esp+530h+var_4C0], ebx mov [esp+530h+var_4BC], ebx mov [esp+530h+var_4B0], ebx mov [esp+530h+var_4AC], ebx mov [esp+530h+var_4A8], ebx mov [esp+530h+var_4A4], ebx mov [esp+530h+var_498], ebx mov [esp+530h+var_494], ebx mov [esp+530h+var_490], ebx mov [esp+530h+var_48C], ebx mov [esp+530h+var_480], ebx mov [esp+530h+var_47C], ebx mov [esp+530h+var_478], ebx mov [esp+530h+var_474], ebx mov [esp+530h+var_468], ebx mov [esp+530h+var_464], ebx mov [esp+530h+var_460], ebx mov [esp+530h+var_454], ecx mov [esp+530h+var_450], eax mov [esp+530h+var_44C], eax mov [esp+530h+var_448], ecx mov [esp+530h+var_444], eax mov [esp+530h+var_440], eax mov [esp+530h+var_43C], ecx mov [esp+530h+var_438], eax mov [esp+530h+var_434], eax mov [esp+530h+var_430], ecx mov [esp+530h+var_42C], eax mov [esp+530h+var_428], eax mov [esp+530h+var_424], ebx mov [esp+530h+var_420], ebx mov [esp+530h+var_41C], ebx mov [esp+530h+var_418], ebx mov [esp+530h+var_414], ebx mov [esp+530h+var_410], ebx mov [esp+530h+var_40C], ebx mov [esp+530h+var_408], ebx mov [esp+530h+var_404], ebx push 3C0h lea eax, [esp+534h+var_3C4] push ebx push eax mov [esp+53Ch+var_400], ebx mov [esp+53Ch+var_3FC], ebx mov [esp+53Ch+var_3F8], ebx mov [esp+53Ch+var_3F4], ebx mov [esp+53Ch+var_3F0], ebx mov [esp+53Ch+var_3EC], ebx mov [esp+53Ch+var_3E8], ebx mov [esp+53Ch+var_3E4], ebx mov [esp+53Ch+var_3E0], 0AC44h mov [esp+53Ch+var_3DC], 400h mov [esp+53Ch+var_3D8], ebx mov [esp+53Ch+var_3D4], ecx mov [esp+53Ch+var_3D0], ebx mov [esp+53Ch+var_3CC], ecx mov [esp+53Ch+var_3C8], ebx call memset add esp, 0Ch mov ecx, esi call sub_110A0 cmp [ebp+arg_10], ebx jz short loc_16041 add esi, 30h mov ecx, 
147h                                    ; tail of `mov ecx, 147h` from the preceding line: 147h dwords = 51Ch bytes
        lea     edi, [esp+530h+var_520] ; dst = on-stack copy of the settings block
        rep movsd                       ; copy 51Ch bytes from this+30h (esi, set on the preceding line) to the local
        mov     esi, [esp+530h+var_524] ; restore this
        jmp     short loc_16052
loc_16041:                              ; arg_10 == 0: let sub_13CA0 fill the local copy instead
        push    51Ch
        lea     ecx, [esp+534h+var_520]
        push    ecx
        mov     ecx, esi
        call    sub_13CA0
loc_16052:
        mov     edx, [esp+530h+var_3DC]
        mov     eax, [ebp+arg_C]
        mov     ecx, [ebp+arg_8]
        push    edx
        mov     edx, [ebp+arg_4]
        add     eax, 1A0h               ; sub_15D00 subtracts 1A0h from this argument again
        push    eax
        mov     eax, [ebp+arg_0]
        push    ecx
        push    edx
        push    eax
        mov     ecx, esi
        call    sub_15D00               ; sub_15D00(arg_0, arg_4, arg_8, arg_C+1A0h, var_3DC)
        mov     ecx, [esi+54Ch]         ; sub_15D00 stored arg_8 at this+54Ch; ebx has been 0 since the prologue
        mov     eax, [esp+530h+var_3D8] ;   (assuming the callees preserve it)
        mov     [ecx+24h], ebx
        mov     edx, [esi+54Ch]
        mov     [edx+20h], eax
        mov     ecx, [esi+54Ch]
        mov     [esi+8], ebx
        mov     [ecx+30h], ebx
        mov     edx, [esi+54Ch]
        mov     eax, [esi+1Ch]
        push    51Ch
        lea     edi, [esi+30h]          ; edi = this+30h; also the rep movsd destination further down
        push    0Fh
        mov     [edx+48h], eax
        push    edi
        mov     dword ptr [esi+24h], 0FFFFFFFFh
        call    memset                  ; memset(this+30h, 0Fh, 51Ch)
        add     esp, 0Ch
        lea     ecx, [esp+530h+var_520]
        push    ecx
        mov     ecx, esi
        call    sub_157C0               ; apply the local settings copy
        cmp     [ebp+arg_10], ebx       ; flags survive the mov/lea/rep movsd below
        mov     ecx, 147h
        lea     esi, [esp+530h+var_520]
        rep movsd                       ; copy the local settings block back to this+30h
        jnz     short loc_160E6
        mov     ecx, [esp+530h+var_524]
        call    sub_14060               ; only when arg_10 == 0
loc_160E6:
        pop     edi
        pop     esi
        xor     eax, eax                ; always returns 0
        pop     ebx
        mov     esp, ebp
        pop     ebp
        retn    14h
sub_15DD0 endp
        align   10h
;-----------------------------------------------------------------------
; sub_16100(this = ecx, arg_0 = physical address, low dword) -> this
; Maps 4000h bytes at that physical address (high dword forced to 0,
; cache type 0) with MmMapIoSpace, stores the result at [this] and sets
; [this+4] = 1.
; NOTE(review): the MmMapIoSpace result is never tested for NULL before
; [this+4] is set to 1, so a failed mapping is still flagged as usable.
; The accessors later in this file (sub_161D0 etc.) gate hardware access
; on [this+4] and then dereference [this] -- presumably the same object;
; verify, because that would turn a failed map into a NULL+offset access.
;-----------------------------------------------------------------------
sub_16100 proc near
var_4= dword ptr -4
arg_0= dword ptr 4
        sub     esp, 8
        mov     eax, [esp+8+arg_0]
        push    esi
        mov     esi, ecx
        xor     ecx, ecx
        push    ecx                     ; CacheType = 0
        push    4000h                   ; NumberOfBytes
        cdq                             ; edx = sign of eax; only parked in var_4, never passed
        push    ecx                     ; PhysicalAddress.HighPart = 0
        push    eax                     ; PhysicalAddress.LowPart
        mov     [esp+1Ch+var_4], edx
        call    ds:MmMapIoSpace
        mov     [esi], eax              ; mapped base (may be NULL)
        mov     dword ptr [esi+4], 1    ; "mapped" flag, set unconditionally
        mov     eax, esi
        pop     esi
        add     esp, 8
        retn    4
sub_16100 endp
        align   10h
; START OF FUNCTION CHUNK FOR sub_12A90
loc_16140:                              ; unmaps the 4000h-byte window at [this] (size matches sub_16100)
        mov     eax, [ecx]
        push    4000h
        push    eax
        call    ds:MmUnmapIoSpace
        retn
; END OF FUNCTION CHUNK FOR sub_12A90
        align   10h
;-----------------------------------------------------------------------
; sub_16150(this = ecx, arg_0)
; Copies 500h bytes, 5 at a time, between the window at [this] and the
; byte array at this+8: arg_0 != 0 -> [this] to this+8; arg_0 == 0 ->
; this+8 to [this]. Finally stores arg_0 at [this+4] (the flag the
; accessors test). The body continues on the next line.
; NOTE(review): [this] is presumably the MMIO base stored by sub_16100;
; every group reloads [this] and moves single bytes -- confirm byte-wide
; access to that window is what the device expects.
;-----------------------------------------------------------------------
sub_16150 proc near
arg_0= dword ptr 0Ch
        push    ebx
        push    esi
        mov     esi, [esp+arg_0]
        xor     eax, eax                ; eax = byte offset, 0..4FBh step 5
loc_16158:
        test    esi, esi
        mov     edx, [ecx]
        jz      short loc_1618F
        mov     dl, [eax+edx]           ; arg_0 != 0: [this]+off -> this+8+off
        mov     [ecx+eax+8], dl
        mov     edx, [ecx]
        mov     dl, [edx+eax+1]
        mov     [ecx+eax+9], dl
        mov     edx, [ecx]
        mov     dl, [edx+eax+2]
        mov     [ecx+eax+0Ah], dl
        mov     edx, [ecx]
        mov     dl, [edx+eax+3]
        mov     [ecx+eax+0Bh], dl
        mov     edx, [ecx]
        mov     dl, [edx+eax+4]
        mov     [ecx+eax+0Ch], dl
        jmp     short loc_161BE
loc_1618F:                              ; arg_0 == 0: this+8+off -> [this]+off
        mov     bl, [ecx+eax+8]
        mov     [eax+edx], bl
        mov     edx,
[ecx] mov bl, [ecx+eax+9] mov [edx+eax+1], bl mov edx, [ecx] mov bl, [ecx+eax+0Ah] mov [edx+eax+2], bl mov edx, [ecx] mov bl, [ecx+eax+0Bh] mov [edx+eax+3], bl mov edx, [ecx] mov bl, [ecx+eax+0Ch] mov [edx+eax+4], bl loc_161BE: add eax, 5 cmp eax, 500h jl short loc_16158 mov [ecx+4], esi pop esi pop ebx retn 4 sub_16150 endp sub_161D0 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_161DD xor eax, eax pop esi retn loc_161DD: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov eax, [eax+8] pop esi retn sub_161D0 endp align 10h sub_161F0 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_161FF xor eax, eax pop esi retn 4 loc_161FF: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov ecx, [esp+arg_0] mov eax, [ecx+eax] pop esi retn 4 sub_161F0 endp align 10h sub_16220 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1622F xor al, al pop esi retn 4 loc_1622F: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov ecx, [esp+arg_0] mov al, [eax+ecx+3] pop esi retn 4 sub_16220 endp align 10h sub_16250 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1625F xor eax, eax pop esi retn 4 loc_1625F: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov ecx, [esp+arg_0] movzx eax, word ptr [eax+ecx+12h] pop esi retn 4 sub_16250 endp align 10h sub_16280 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1628D xor al, al pop esi retn loc_1628D: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+188h] pop esi retn sub_16280 endp align 10h sub_162A0 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_162AD xor al, al pop esi retn loc_162AD: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+189h] pop esi retn sub_162A0 endp align 10h sub_162C0 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_162CD xor al, al pop esi retn 
loc_162CD:                              ; sub_162C0 continues from the preceding line: mapped path
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     al, [eax+18Ah]          ; byte result in al; the upper bits of eax are left as they were
        pop     esi
        retn
sub_162C0 endp
        align   10h
;-----------------------------------------------------------------------
; Register getters, all of the same shape (this = ecx):
;   if ([this+4] == 0) return 0;
;   KeStallExecutionProcessor(1);      -- 1 us stall before every read
;   return *([this] + OFFSET);
; [this+4] is the flag sub_16100 sets after MmMapIoSpace and sub_16150
; overwrites, and [this] is the mapped base -- assuming these accessors
; operate on that same object (not provable from this listing).
; Byte-sized variants return in al only (xor al,al / mov al,...), so
; callers must not rely on the rest of eax.
;-----------------------------------------------------------------------
sub_162E0 proc near                     ; dword at +190h
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_162ED
        xor     eax, eax
        pop     esi
        retn
loc_162ED:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+190h]
        pop     esi
        retn
sub_162E0 endp
        align   10h
sub_16300 proc near                     ; dword at +194h
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_1630D
        xor     eax, eax
        pop     esi
        retn
loc_1630D:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+194h]
        pop     esi
        retn
sub_16300 endp
        align   10h
sub_16320 proc near                     ; dword at +198h
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_1632D
        xor     eax, eax
        pop     esi
        retn
loc_1632D:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+198h]
        pop     esi
        retn
sub_16320 endp
        align   10h
sub_16340 proc near                     ; dword at +19Ch
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_1634D
        xor     eax, eax
        pop     esi
        retn
loc_1634D:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+19Ch]
        pop     esi
        retn
sub_16340 endp
        align   10h
sub_16360 proc near                     ; dword at +1A0h
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_1636D
        xor     eax, eax
        pop     esi
        retn
loc_1636D:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+1A0h]
        pop     esi
        retn
sub_16360 endp
        align   10h
sub_16380 proc near                     ; dword at +1B0h
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_1638D
        xor     eax, eax
        pop     esi
        retn
loc_1638D:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+1B0h]
        pop     esi
        retn
sub_16380 endp
        align   10h
sub_163A0 proc near                     ; setter: byte at +400h = arg_0, then a 1 us stall
arg_0= byte ptr 4
        cmp     dword ptr [ecx+4], 0
        jz      short locret_163C0      ; not mapped: silently do nothing
        mov     eax, [ecx]
        mov     cl, [esp+arg_0]
        mov     [eax+400h], cl
        mov     dword ptr [esp+arg_0], 1 ; recycle the arg slot as the stall count ...
        jmp     ds:KeStallExecutionProcessor ; ... and tail-call: the stdcall callee pops that 4-byte slot
locret_163C0:
        retn    4
sub_163A0 endp
        align   10h
sub_163D0 proc near                     ; dword at +404h (tail on the next line)
        push    esi
        mov     esi, ecx
        cmp     dword ptr [esi+4], 0
        jnz     short loc_163DD
        xor     eax, eax
        pop     esi
        retn
loc_163DD:
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+404h]
pop esi retn sub_163D0 endp align 10h sub_163F0 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_163FD xor al, al pop esi retn loc_163FD: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+408h] pop esi retn sub_163F0 endp align 10h sub_16410 proc near arg_0= dword ptr 8 arg_4= byte ptr 0Ch push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_1643B push 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_1643B mov eax, [esi] mov cl, [esp+4+arg_4] mov edx, [esp+4+arg_0] push 1 mov [edx+eax], cl call edi ; KeStallExecutionProcessor loc_1643B: pop edi pop esi retn 8 sub_16410 endp sub_16440 proc near arg_0= dword ptr 8 arg_4= byte ptr 0Ch push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_1646C push 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_1646C mov eax, [esi] mov cl, [esp+4+arg_4] mov edx, [esp+4+arg_0] push 1 mov [eax+edx+1], cl call edi ; KeStallExecutionProcessor loc_1646C: pop edi pop esi retn 8 sub_16440 endp align 10h sub_16480 proc near arg_0= dword ptr 8 arg_4= byte ptr 0Ch push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_164AC push 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_164AC mov eax, [esi] mov cl, [esp+4+arg_4] mov edx, [esp+4+arg_0] push 1 mov [eax+edx+2], cl call edi ; KeStallExecutionProcessor loc_164AC: pop edi pop esi retn 8 sub_16480 endp align 10h sub_164C0 proc near arg_0= dword ptr 8 arg_4= byte ptr 0Ch push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_164EC push 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_164EC mov eax, [esi] mov cl, [esp+4+arg_4] mov edx, [esp+4+arg_0] push 1 mov [eax+edx+3], cl call edi ; KeStallExecutionProcessor loc_164EC: pop edi pop 
esi retn 8 sub_164C0 endp align 10h sub_16500 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1650F xor eax, eax pop esi retn 4 loc_1650F: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov ecx, [esp+arg_0] mov eax, [eax+ecx+4] pop esi retn 4 sub_16500 endp align 10h sub_16530 proc near arg_0= dword ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1653F xor eax, eax pop esi retn 4 loc_1653F: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov ecx, [esp+arg_0] movzx eax, word ptr [eax+ecx+14h] pop esi retn 4 sub_16530 endp align 10h sub_16560 proc near arg_0= byte ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_1658A push 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_1658A mov eax, [esi] mov cl, [esp+4+arg_0] push 1 mov [eax+480h], cl call edi ; KeStallExecutionProcessor loc_1658A: pop edi pop esi retn 4 sub_16560 endp align 10h sub_16590 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1659D xor al, al pop esi retn loc_1659D: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+481h] pop esi retn sub_16590 endp align 10h sub_165B0 proc near arg_0= byte ptr 8 push esi mov esi, ecx cmp dword ptr [esi+4], 0 push edi mov edi, ds:KeStallExecutionProcessor jz short loc_165DA push 1 call edi ; KeStallExecutionProcessor cmp dword ptr [esi+4], 0 jz short loc_165DA mov eax, [esi] mov cl, [esp+4+arg_0] push 1 mov [eax+481h], cl call edi ; KeStallExecutionProcessor loc_165DA: pop edi pop esi retn 4 sub_165B0 endp align 10h sub_165E0 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_165ED xor al, al pop esi retn loc_165ED: push 1 call ds:KeStallExecutionProcessor mov eax, [esi] mov al, [eax+484h] pop esi retn sub_165E0 endp align 10h sub_16600 proc near push esi mov esi, ecx cmp dword ptr [esi+4], 0 jnz short loc_1660D xor eax, eax pop esi retn 
loc_1660D:                              ; sub_16600 continues from the preceding line: mapped path, dword at +4B0h
        push    1
        call    ds:KeStallExecutionProcessor
        mov     eax, [esi]
        mov     eax, [eax+4B0h]
        pop     esi
        retn
sub_16600 endp
        align   10h
;-----------------------------------------------------------------------
; sub_16620(this = ecx, arg_0, arg_4, arg_8, arg_C) -- initialiser
; Stores the four args at [this], [this+4], [this+8], [this+0Ch] and
; clears a table of 18h 4-byte entries starting at this+10h: the word at
; entry+0 and the byte at entry+2 (entry+3 is not touched).
; sub_16680 / sub_166C0 below use [this] and [this+4] as callbacks,
; [this+8] / [this+0Ch] as their two outer arguments, and the table as a
; cache (word = value, byte bit 3 = valid).
;-----------------------------------------------------------------------
sub_16620 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
arg_C= dword ptr 10h
        mov     edx, [esp+arg_4]
        mov     eax, ecx
        mov     ecx, [esp+arg_0]
        mov     [eax], ecx
        mov     ecx, [esp+arg_8]
        mov     [eax+4], edx
        mov     edx, [esp+arg_C]
        mov     [eax+8], ecx
        mov     [eax+0Ch], edx
        lea     edx, [eax+12h]          ; edx = &entry[0]+2
        mov     ecx, 18h                ; 18h entries
        jmp     short loc_16650
        align   10h
loc_16650:
        mov     word ptr [edx-2], 0
        mov     byte ptr [edx], 0
        add     edx, 4
        sub     ecx, 1
        jnz     short loc_16650
        retn    10h
sub_16620 endp
        align   10h
sub_16670 proc near                     ; zero [this], [this+4], [this+8]
        xor     eax, eax
        mov     [ecx], eax
        mov     [ecx+4], eax
        mov     [ecx+8], eax
        retn
sub_16670 endp
        align   10h
;-----------------------------------------------------------------------
; sub_16680(this = ecx, arg_0 = index, arg_4 = value)
; If index < 18h: mark entry[index] valid (bit 3 of its byte), cache the
; low word of value there, and call [this]([this+8],
; (index*2) | ((value >> 8) & 1), value & 0FFh, [this+0Ch]).
; NOTE(review): the bound check is a signed `jge`, so a negative index
; passes it and writes below the table. The callers visible in this file
; pass the constants 0Eh and 0Fh; whether any caller forwards untrusted
; input is not visible here.
;-----------------------------------------------------------------------
sub_16680 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
        mov     edx, [esp+arg_0]
        cmp     edx, 18h
        jge     short locret_166B4      ; signed compare (see note)
        mov     eax, [esp+arg_4]
        or      byte ptr [ecx+edx*4+12h], 8
        mov     [ecx+edx*4+10h], ax
        push    esi
        mov     esi, [ecx+0Ch]
        push    esi                     ; 4th arg: [this+0Ch]
        movzx   esi, al
        shr     eax, 8
        and     eax, 1
        add     edx, edx
        push    esi                     ; 3rd arg: value & 0FFh
        or      eax, edx
        push    eax                     ; 2nd arg: index*2 | bit 8 of value
        mov     eax, [ecx+8]
        mov     ecx, [ecx]
        push    eax                     ; 1st arg: [this+8]
        call    ecx
        pop     esi
locret_166B4:
        retn    8
sub_16680 endp
        align   10h
;-----------------------------------------------------------------------
; sub_166C0(this = ecx, arg_0 = index) -> eax
; index >= 18h (signed): returns with ax = 0FFFFh (upper bits of eax are
; whatever index left there). Cached entry: returns its word. Otherwise
; calls [this+4]([this+8], index*2, 0, [this+0Ch]).
; NOTE(review): on that last path the callback's eax is overwritten and
; the function returns ((index*2) & 1) << 8, which is always 0 since
; index*2 is even -- the callback result is effectively discarded; confirm
; that is intended.
;-----------------------------------------------------------------------
sub_166C0 proc near
arg_0= dword ptr 4
        mov     eax, [esp+arg_0]
        cmp     eax, 18h
        jl      short loc_166D0         ; signed compare, same caveat as sub_16680
        or      ax, 0FFFFh
        retn    4
loc_166D0:
        test    byte ptr [ecx+eax*4+12h], 8
        push    ebx
        lea     ebx, [eax+eax]          ; ebx = index*2
        jz      short loc_166E4
        movzx   eax, word ptr [ecx+eax*4+10h]
        pop     ebx
        retn    4
loc_166E4:
        mov     eax, [ecx+0Ch]
        mov     edx, [ecx+8]
        push    eax
        mov     eax, [ecx+4]
        push    0
        push    ebx
        push    edx
        call    eax
        and     bl, 1                   ; always 0 (ebx is even)
        xor     ecx, ecx
        mov     ch, bl
        pop     ebx
        movzx   eax, cx
        retn    4
sub_166C0 endp
        align   10h
; START OF FUNCTION CHUNK FOR sub_111E0
; Switch on arg_0 (0, 1, 2; anything else just returns). The frame names
; used here (arg_4..arg_10, var_18, var_C) belong to sub_111E0, whose
; start is outside this listing. Each case updates entries of the cached
; register table described at sub_16680, mostly inlined; the
; (index*2 << 8) constants (400h, 600h, 800h, 2A00h) are that index*2
; before the `shr ..., 8`.
loc_16710:
        mov     eax, [esp+arg_0]
        sub     eax, 0
        push    ebx
        push    esi
        mov     esi, ecx
        jz      loc_167EC               ; case 0
        sub     eax, 1
        jz      short loc_16772         ; case 1
        sub     eax, 1
        jnz     loc_16941               ; default: return
        mov     ecx, [esp+8+arg_4]      ; case 2: entry 2 (18h) = (arg_C ? 0 : arg_4 & 7Fh) | 100h
        mov     eax, [esp+8+arg_C]
        and     ecx, 7Fh
        neg     eax
        sbb     eax, eax                ; eax = arg_C ? -1 : 0
        or      byte ptr [esi+1Ah], 8
        not     eax
        and     eax, ecx
        or      eax, 100h
        mov     [esi+18h], ax
        mov     ecx, [esi+0Ch]
        movzx   edx, al
        and     eax, 100h
        push    ecx
        mov     ecx, [esi]
        or      eax, 400h
        push    edx
        shr     eax, 8
        push    eax
        mov     eax, [esi+8]
        push    eax
        call    ecx
        pop     esi
        pop     ebx
        retn    14h
loc_16772:                              ; case 1: entries 3 (1Ch) and 4 (20h)
        mov     eax, [esp+8+arg_C]
        mov     ebx, [esp+8+arg_10]
        neg     eax
        sbb     eax, eax
        not     eax
        and     eax, [esp+8+arg_4]      ; arg_C ? 0 : arg_4
        or      eax, 100h
        neg     ebx
        sbb     ebx, ebx
        or      byte ptr [esi+1Eh], 8
        mov     [esi+1Ch], ax
        mov     edx, [esi+0Ch]
        movzx   ecx, al
        and     eax, 100h
        push    edx
        mov     edx, [esi+8]
        or      eax, 600h
        push    ecx
        shr     eax, 8
        not     ebx
        and     ebx, [esp+10h+arg_8]    ; arg_10 ? 0 : arg_8
        push    eax
        mov     eax, [esi]
        push    edx
        or      ebx, 100h
        call    eax
        or      byte ptr [esi+22h], 8
        mov     [esi+20h], bx
        mov     ecx, [esi+0Ch]
        mov     eax, [esi+8]
        movzx   edx, bl
        push    ecx
        mov     ecx, [esi]
        and     ebx, 100h
        or      ebx, 800h
        push    edx
        shr     ebx, 8
        push    ebx
        push    eax
        call    ecx
        pop     esi
        pop     ebx
        retn    14h
loc_167EC:                              ; case 0: read entry 15h (64h) from the cache or via [this+4]
        test    byte ptr [esi+66h], 8
        jz      short loc_167F8
        movzx   ebx, word ptr [esi+64h]
        jmp     short loc_1680B
loc_167F8:
        mov     edx, [esi+0Ch]
        mov     eax, [esi+8]
        mov     ecx, [esi+4]
        push    edx
        push    0
        push    2Ah                     ; 15h * 2
        push    eax
        call    ecx
        xor     ebx, ebx                ; NOTE(review): the callback's eax is not used; ebx starts at 0 on a miss
loc_1680B:
        movzx   edx, bl
        movzx   eax, bl
        push    ebp
        and     edx, 80h                ; edi = bit 7, ebp = bit 6, ebx = bits 0..4 of the entry
        and     eax, 40h
        and     ebx, 1Fh
        cmp     dword ptr [esp+1Ch], 0
        push    edi
        mov     edi, edx
        mov     ebp, eax
        jz      short loc_16869
        test    di, di
        jnz     loc_168F4
        or      byte ptr [esi+66h], 8   ; set bit 7 and write entry 15h back
        mov     ecx, ebp
        or      ecx, 80h
        or      ebx, ecx
        mov     [esi+64h], bx
        mov     edx, [esi+0Ch]
        push    edx
        mov     edx, [esi+8]
        mov     ecx, ebx
        and     ecx, 100h
        movzx   eax, bl
        push    eax
        mov     eax, [esi]
        or      ecx, 2A00h
        shr     ecx, 8
        push    ecx
        push    edx
        call    eax
        jmp     short loc_168B0
loc_16869:
        test    di, di
        jz      short loc_16898
        or      byte ptr [esi+66h], 8   ; bit 7 dropped, bit 6 kept; write entry 15h back
        or      ebx, ebp
        mov     [esi+64h], bx
        mov     ecx, [esi+0Ch]
        push    ecx
        mov     ecx, [esi+8]
        mov     eax, ebx
        and     eax, 100h
        movzx   edx, bl
        push    edx
        mov     edx, [esi]
        or      eax, 2A00h
        shr     eax, 8
        push    eax
        push    ecx
        call    edx
loc_16898:
        mov     eax, [esp+30h+var_18]
        and     eax, 0FFh
loc_168A1:
        or      eax, 100h
        push    eax
        push    0Eh
        mov     ecx, esi
        call    sub_16680               ; entry 0Eh
loc_168B0:
        cmp     [esp+30h+var_C], 0
        jz      short loc_168F8
        test    bp, bp
        jnz     loc_16946
        or      byte ptr [esi+66h], 8   ; set bit 6 and write entry 15h back (continues on the next line)
        or      edi, 40h
        or      ebx, edi
        mov     [esi+64h], bx
        mov     eax, [esi+0Ch]
        mov     edx, [esi+8]
        movzx   ecx, bl
        push    eax
        mov     eax, [esi]
        and     ebx, 100h
        or      ebx, 2A00h
        push    ecx
        shr     ebx, 8
8 push eax mov eax, [esi+8] push eax call ecx pop esi pop ebx retn 14h loc_16772: mov eax, [esp+8+arg_C] mov ebx, [esp+8+arg_10] neg eax sbb eax, eax not eax and eax, [esp+8+arg_4] or eax, 100h neg ebx sbb ebx, ebx or byte ptr [esi+1Eh], 8 mov [esi+1Ch], ax mov edx, [esi+0Ch] movzx ecx, al and eax, 100h push edx mov edx, [esi+8] or eax, 600h push ecx shr eax, 8 not ebx and ebx, [esp+10h+arg_8] push eax mov eax, [esi] push edx or ebx, 100h call eax or byte ptr [esi+22h], 8 mov [esi+20h], bx mov ecx, [esi+0Ch] mov eax, [esi+8] movzx edx, bl push ecx mov ecx, [esi] and ebx, 100h or ebx, 800h push edx shr ebx, 8 push ebx push eax call ecx pop esi pop ebx retn 14h loc_167EC: test byte ptr [esi+66h], 8 jz short loc_167F8 movzx ebx, word ptr [esi+64h] jmp short loc_1680B loc_167F8: mov edx, [esi+0Ch] mov eax, [esi+8] mov ecx, [esi+4] push edx push 0 push 2Ah push eax call ecx xor ebx, ebx loc_1680B: movzx edx, bl movzx eax, bl push ebp and edx, 80h and eax, 40h and ebx, 1Fh cmp dword ptr [esp+1Ch], 0 push edi mov edi, edx mov ebp, eax jz short loc_16869 test di, di jnz loc_168F4 or byte ptr [esi+66h], 8 mov ecx, ebp or ecx, 80h or ebx, ecx mov [esi+64h], bx mov edx, [esi+0Ch] push edx mov edx, [esi+8] mov ecx, ebx and ecx, 100h movzx eax, bl push eax mov eax, [esi] or ecx, 2A00h shr ecx, 8 push ecx push edx call eax jmp short loc_168B0 loc_16869: test di, di jz short loc_16898 or byte ptr [esi+66h], 8 or ebx, ebp mov [esi+64h], bx mov ecx, [esi+0Ch] push ecx mov ecx, [esi+8] mov eax, ebx and eax, 100h movzx edx, bl push edx mov edx, [esi] or eax, 2A00h shr eax, 8 push eax push ecx call edx loc_16898: mov eax, [esp+30h+var_18] and eax, 0FFh loc_168A1: or eax, 100h push eax push 0Eh mov ecx, esi call sub_16680 loc_168B0: cmp [esp+30h+var_C], 0 jz short loc_168F8 test bp, bp jnz loc_16946 or byte ptr [esi+66h], 8 or edi, 40h or ebx, edi mov [esi+64h], bx mov eax, [esi+0Ch] mov edx, [esi+8] movzx ecx, bl push eax mov eax, [esi] and ebx, 100h or ebx, 2A00h push ecx shr ebx, 8 
push ebx push edx call eax pop edi pop ebp pop esi pop ebx retn 14h loc_168F4: xor eax, eax jmp short loc_168A1 loc_168F8: test bp, bp jz short loc_16927 or byte ptr [esi+66h], 8 or ebx, edi mov [esi+64h], bx mov ecx, [esi+0Ch] mov eax, [esi+8] movzx edx, bl push ecx mov ecx, [esi] and ebx, 100h or ebx, 2A00h push edx shr ebx, 8 push ebx push eax call ecx loc_16927: mov eax, [esp+40h+var_24] and eax, 0FFh loc_16930: or eax, 100h push eax push 0Fh mov ecx, esi call sub_16680 pop edi pop ebp loc_16941: pop esi pop ebx retn 14h loc_16946: xor eax, eax jmp short loc_16930 ; END OF FUNCTION CHUNK FOR sub_111E0 align 10h ; START OF FUNCTION CHUNK FOR sub_112A0 loc_16950: cmp [esp+arg_0], 0 mov eax, 1 jz short loc_16961 mov eax, 5 loc_16961: mov edx, [ecx+0Ch] or byte ptr [ecx+6Ah], 8 mov [ecx+68h], ax push edx movzx edx, al and eax, 100h or eax, 2C00h push edx shr eax, 8 push eax mov eax, [ecx+8] mov ecx, [ecx] push eax call ecx retn 4 ; END OF FUNCTION CHUNK FOR sub_112A0 align 10h ; START OF FUNCTION CHUNK FOR sub_11320 loc_16990: mov edx, [esp+arg_0] mov eax, [esp+arg_4] and edx, 7Fh neg eax sbb eax, eax or byte ptr [ecx+1Ah], 8 not eax and eax, edx or eax, 100h mov [ecx+18h], ax mov edx, [ecx+0Ch] push edx movzx edx, al and eax, 100h or eax, 400h push edx shr eax, 8 push eax mov eax, [ecx+8] mov ecx, [ecx] push eax call ecx retn 8 ; END OF FUNCTION CHUNK FOR sub_11320 align 10h sub_169E0 proc near var_8= dword ptr -8 push esi mov esi, ecx test byte ptr [esi+66h], 8 jz short loc_169EF movzx eax, word ptr [esi+64h] jmp short loc_16A02 loc_169EF: mov eax, [esi+0Ch] mov ecx, [esi+8] mov edx, [esi+4] push eax push 0 push 2Ah push ecx call edx xor eax, eax loc_16A02: mov ecx, [esp+8] and eax, 1E0h sub ecx, 0 jz short loc_16A1A sub ecx, 1 jnz short loc_16A1D or eax, 8 jmp short loc_16A1D loc_16A1A: or eax, 2 loc_16A1D: or byte ptr [esi+66h], 8 mov [esi+64h], ax mov ecx, [esi+0Ch] movzx edx, al and eax, 100h push ecx mov ecx, [esi] or eax, 2A00h push edx shr eax, 8 push eax 
mov eax, [esi+8] push eax call ecx pop esi retn 4 sub_169E0 endp align 10h sub_16A50 proc near var_C= dword ptr -0Ch arg_4= dword ptr 0Ch push ebp mov ebp, [esp+arg_4] test ebp, ebp jz loc_16B2C mov ecx, [ebp+1A3Ch] call sub_14870 mov eax, [ebp+19D8h] test eax, eax jz short loc_16A7D push 0 push 0 push eax call ds:KeSetEvent loc_16A7D: mov eax, [ebp+1A3Ch] push ebx mov ebx, 1 cmp [eax+1E9Ch], ebx push esi push edi jnz short loc_16AD7 lea esi, [ebp+0DF4h] lea edi, [ebx+4] lea esp, [esp+0] loc_16AA0: cmp [esi-8], ebx jnz short loc_16AB0 mov ecx, [esi] mov edx, [esi-4] push ecx push 2 push ebx call edx loc_16AB0: cmp [esi+10h], ebx jnz short loc_16AC1 mov eax, [esi+18h] mov ecx, [esi+14h] push eax push 4 push ebx call ecx loc_16AC1: add esi, 0C0h sub edi, ebx jnz short loc_16AA0 mov edx, [ebp+1A3Ch] mov [edx+1E9Ch], edi loc_16AD7: mov eax, [ebp+1A3Ch] cmp [eax+1E98h], ebx jnz short loc_16B29 lea esi, [ebp+20Ch] mov edi, 5 loc_16AF0: cmp [esi-38h], ebx jnz short loc_16B02 mov ecx, [esi-30h] mov edx, [esi-34h] push ecx push 0 push 0 call edx loc_16B02: cmp [esi-8], ebx jnz short loc_16B13 mov eax, [esi] mov ecx, [esi-4] push eax push 4 push 0 call ecx loc_16B13: add esi, 0C0h sub edi, ebx jnz short loc_16AF0 mov edx, [ebp+1A3Ch] mov [edx+1E98h], edi loc_16B29: pop edi pop esi pop ebx loc_16B2C: pop ebp retn 10h sub_16A50 endp sub_16B30 proc near arg_4= dword ptr 0Ch push ebx mov ebx, [esp+arg_4] test ebx, ebx jz short loc_16B70 push esi push edi xor edi, edi lea esi, [ebx+11Ch] loc_16B43: mov ecx, [ebx+1A3Ch] push edi call sub_13B20 test eax, eax jz short loc_16B63 mov eax, [esi] test eax, eax jz short loc_16B63 push eax mov eax, [esi-4] push 0 push 1 call eax loc_16B63: add edi, 1 add esi, 0Ch cmp edi, 2 jl short loc_16B43 pop edi pop esi loc_16B70: pop ebx retn 10h sub_16B30 endp align 10h sub_16B80 proc near arg_4= dword ptr 0Ch push esi mov esi, [esp+arg_4] test esi, esi jnz short loc_16B8F xor al, al pop esi retn 8 loc_16B8F: mov ecx, [esi+1A3Ch] push ebx push ebp 
push edi xor ebp, ebp push ebp xor ebx, ebx call sub_13620 mov edi, eax test edi, edi jnz short loc_16BC9 mov esi, [esi+1A3Ch] cmp [esi+54Ch], ebx jz short loc_16BC0 mov esi, [esi+54Ch] add dword ptr [esi+28h], 1 loc_16BC0: pop edi pop ebp pop ebx xor al, al pop esi retn 8 loc_16BC9: test edi, 100h jz short loc_16BE6 mov eax, [esi+1A3Ch] or dword ptr [eax+0E5Ch], 100h mov ebx, 1 loc_16BE6: test edi, 200h jz short loc_16C01 mov eax, [esi+1A3Ch] or dword ptr [eax+0E5Ch], 200h add ebx, 1 loc_16C01: test edi, 10000h jz short loc_16C21 mov ecx, [esi+1A3Ch] push 0 push 0 call sub_13B90 test eax, eax jz short loc_16C21 mov ebp, 1 loc_16C21: test edi, offset dword_20000 jz short loc_16C3F mov ecx, [esi+1A3Ch] push 0 push 1 call sub_13B90 test eax, eax jz short loc_16C3F add ebp, 1 loc_16C3F: test edi, 40000h jz short loc_16C5D mov ecx, [esi+1A3Ch] push 1 push 1 call sub_13B90 test eax, eax jz short loc_16C5D add ebp, 1 loc_16C5D: mov ecx, [esi+1A3Ch] call nullsub_1 test bp, bp mov edi, ds:KeInsertQueueDpc jz short loc_16C84 mov eax, [esi+1A18h] test eax, eax jz short loc_16C84 push 0 push 0 push eax call edi ; KeInsertQueueDpc loc_16C84: test bx, bx jz short loc_16D02 mov ecx, [esi+1A3Ch] cmp dword ptr [ecx+0E5Ch], 300h jnz short loc_16D02 call sub_14720 mov eax, [esi+1A3Ch] mov dword ptr [eax+0E5Ch], 0 mov ecx, [esi+1A3Ch] mov eax, 1 cmp [ecx+1E90h], eax jnz short loc_16D02 mov edx, ecx cmp [edx+1E94h], eax jnz short loc_16D02 mov eax, [esi+1A14h] test eax, eax jz short loc_16CDE push 0 push 0 push eax call edi ; KeInsertQueueDpc loc_16CDE: cmp dword ptr [esi+1A24h], 0 jz short loc_16D02 mov ecx, [esi+1A3Ch] call sub_13940 mov ecx, [esi+1A28h] mov edx, [esi+1A24h] push ecx push eax call edx loc_16D02: pop edi pop ebp pop ebx mov al, 1 pop esi retn 8 sub_16B80 endp ; sp = 10h align 10h sub_16D10 proc near arg_4= dword ptr 0Ch push esi mov esi, [esp+arg_4] test esi, esi jnz short loc_16D1F xor al, al pop esi retn 8 loc_16D1F: mov ecx, [esi+1A3Ch] push ebx push ebp push edi 
push 1 xor ebx, ebx xor ebp, ebp call sub_13620 mov edi, eax test edi, edi jnz short loc_16D5A mov esi, [esi+1A3Ch] cmp [esi+54Ch], ebx jz short loc_16D51 mov eax, [esi+54Ch] add dword ptr [eax+28h], 1 loc_16D51: pop edi pop ebp pop ebx xor al, al pop esi retn 8 loc_16D5A: test edi, 100h jz short loc_16D77 mov eax, [esi+1A3Ch] or dword ptr [eax+0E5Ch], 100h mov ebx, 1 loc_16D77: test edi, 200h jz short loc_16D92 mov eax, [esi+1A3Ch] or dword ptr [eax+0E5Ch], 200h add ebx, 1 loc_16D92: test edi, 10000h jz short loc_16DB2 mov ecx, [esi+1A3Ch] push 0 push 0 call sub_13B90 test eax, eax jz short loc_16DB2 mov ebp, 1 loc_16DB2: test edi, offset dword_20000 jz short loc_16DD0 mov ecx, [esi+1A3Ch] push 0 push 1 call sub_13B90 test eax, eax jz short loc_16DD0 add ebp, 1 loc_16DD0: test edi, 40000h jz short loc_16DEE mov ecx, [esi+1A3Ch] push 1 push 1 call sub_13B90 test eax, eax jz short loc_16DEE add ebp, 1 loc_16DEE: mov ecx, [esi+1A3Ch] call nullsub_1 test bp, bp mov edi, ds:KeInsertQueueDpc jz short loc_16E15 mov eax, [esi+1A18h] test eax, eax jz short loc_16E15 push 0 push 0 push eax call edi ; KeInsertQueueDpc loc_16E15: test bx, bx jz short loc_16E93 mov ecx, [esi+1A3Ch] cmp dword ptr [ecx+0E5Ch], 300h jnz short loc_16E93 call sub_14720 mov eax, [esi+1A3Ch] mov dword ptr [eax+0E5Ch], 0 mov ecx, [esi+1A3Ch] mov eax, 1 cmp [ecx+1E90h], eax jnz short loc_16E93 mov edx, ecx cmp [edx+1E94h], eax jnz short loc_16E93 mov eax, [esi+1A14h] test eax, eax jz short loc_16E6F push 0 push 0 push eax call edi ; KeInsertQueueDpc loc_16E6F: cmp dword ptr [esi+1A24h], 0 jz short loc_16E93 mov ecx, [esi+1A3Ch] call sub_13940 mov ecx, [esi+1A28h] mov edx, [esi+1A24h] push ecx push eax call edx loc_16E93: pop edi pop ebp pop ebx mov al, 1 pop esi retn 8 sub_16D10 endp ; sp = 10h align 10h sub_16EA0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h arg_10= dword ptr 14h mov eax, [esp+arg_0] mov edx, [esp+arg_8] shl eax, 4 add eax, [esp+arg_4] push 
esi mov esi, [esp+4+arg_10] shl eax, 4 add eax, edx xor edx, edx test esi, esi setnz dl push edi lea edi, [eax+eax*2+75h] lea eax, [eax+eax*2] lea eax, [ecx+eax*4] mov [eax+1DCh], esi mov [ecx+edi*4], edx mov ecx, [esp+8+arg_C] pop edi mov [eax+1D8h], ecx pop esi retn 14h sub_16EA0 endp align 10h sub_16EF0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch mov eax, [esp+arg_0] mov edx, [esp+arg_8] lea eax, [eax+eax*2] lea eax, [ecx+eax*4] mov ecx, [esp+arg_4] mov [eax+118h], ecx mov [eax+11Ch], edx retn 0Ch sub_16EF0 endp align 10h sub_16F20 proc near arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h arg_10= dword ptr 18h arg_14= dword ptr 1Ch arg_18= dword ptr 20h push ebx mov ebx, [esp+arg_10] push ebp push esi mov ebp, ebx neg ebp sbb ebp, ebp push edi mov edi, ecx mov ecx, [esp+0Ch+arg_4] xor edx, edx lea eax, [ecx+1] and ebp, 4 cmp eax, 5 setz dl xor esi, esi mov eax, edx cmp eax, esi mov [esp+0Ch+arg_4], eax jnz short loc_16FB5 mov eax, [esp+0Ch+arg_C] cmp eax, esi jbe loc_17054 mov esi, [esp+0Ch+arg_10] lea ebx, [ecx+ecx] mov [esp+0Ch+arg_C], eax loc_16F65: mov eax, [esp+0Ch+arg_18] mov ecx, [esp+0Ch+arg_0] push eax push esi push 0 push ebx push ecx mov ecx, [edi+1A3Ch] push 0 call sub_13990 mov edx, [esp+0Ch+arg_18] mov eax, [esp+0Ch+arg_14] push edx mov edx, [esp+10h+arg_0] lea ecx, [esi+eax] push ecx mov ecx, [edi+1A3Ch] push 1 push ebx push edx push 0 call sub_13990 add esi, ebp add ebx, 1 sub [esp+0Ch+arg_C], 1 jnz short loc_16F65 pop edi pop esi pop ebp pop ebx retn 1Ch loc_16FB5: cmp [esp+0Ch+arg_8], 4 mov [esp+0Ch+arg_10], esi jnz short loc_16FDF mov ecx, [edi+1A3Ch] call sub_13610 mov ecx, [edi+1A1Ch] mov [esp+0Ch+arg_10], eax xor eax, eax cmp ebx, esi setnz al mov [ecx+58h], eax loc_16FDF: cmp [esp+0Ch+arg_C], esi jbe short loc_17054 jmp short loc_16FF0 align 10h loc_16FF0: mov edx, [esp+0Ch+arg_18] mov eax, ds:dword_1D4D0[esi*4] add eax, [esp+0Ch+arg_10] mov ecx, [esp+0Ch+arg_0] push edx mov edx, 
[esp+10h+arg_4] push ebx push 0 push eax push ecx mov ecx, [edi+1A3Ch] push edx call sub_13990 mov eax, [esp+0Ch+arg_18] mov ecx, [esp+0Ch+arg_14] push eax mov eax, ds:dword_1D4D0[esi*4] add eax, [esp+10h+arg_10] lea edx, [ebx+ecx] mov ecx, [esp+10h+arg_0] push edx mov edx, [esp+14h+arg_4] push 1 push eax push ecx mov ecx, [edi+1A3Ch] push edx call sub_13990 add esi, 1 add ebx, ebp cmp esi, [esp+0Ch+arg_C] jb short loc_16FF0 loc_17054: pop edi pop esi pop ebp pop ebx retn 1Ch sub_16F20 endp align 10h sub_17060 proc near arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h push ebx mov ebx, [esp+arg_4] push ebp push esi push edi mov edi, ecx xor ecx, ecx lea eax, [ebx+1] cmp eax, 5 setz cl push eax mov ebp, ecx mov ecx, [edi+1A3Ch] call sub_13700 xor esi, esi cmp ebp, esi jnz short loc_170C6 mov ebp, [esp+0Ch+arg_C] cmp ebp, esi jbe loc_17126 jmp short loc_170A0 align 10h loc_170A0: mov eax, [esp+0Ch+arg_0] mov ecx, [edi+1A3Ch] push 1 lea edx, [esi+ebx*2] push edx push eax push 0 call sub_15BF0 add esi, 1 cmp esi, ebp jb short loc_170A0 pop edi pop esi pop ebp pop ebx retn 10h loc_170C6: cmp [esp+0Ch+arg_8], 4 mov [esp+0Ch+arg_4], esi jnz short loc_170E0 mov ecx, [edi+1A3Ch] call sub_13610 mov [esp+0Ch+arg_4], eax loc_170E0: mov ebx, [esp+0Ch+arg_C] xor esi, esi test ebx, ebx jbe short loc_17126 lea ebx, [ebx+0] loc_170F0: cmp ebx, 4 jbe short loc_170FE mov eax, ds:dword_1D450[esi*4] jmp short loc_17105 loc_170FE: mov eax, ds:dword_1D4D0[esi*4] loc_17105: mov ecx, [esp+0Ch+arg_4] mov edx, [esp+0Ch+arg_0] push 1 add eax, ecx mov ecx, [edi+1A3Ch] push eax push edx push ebp call sub_15BF0 add esi, 1 cmp esi, ebx jb short loc_170F0 loc_17126: pop edi pop esi pop ebp pop ebx retn 10h sub_17060 endp align 10h sub_17130 proc near arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h push ebp mov ebp, [esp+arg_0] cmp ebp, 4 push edi mov edi, ecx jnz short loc_1714F mov ecx, [edi+1A3Ch] push 0 call sub_13630 pop edi 
pop ebp retn 10h loc_1714F: mov eax, [esp+4+arg_4] add eax, 1 xor ecx, ecx cmp eax, 5 setz cl push ebx push esi xor esi, esi mov eax, ecx cmp eax, esi mov [esp+0Ch+arg_0], eax jnz short loc_171A6 mov ebx, [esp+0Ch+arg_C] cmp ebx, esi jbe loc_17209 jmp short loc_17180 align 10h loc_17180: mov edx, [esp+0Ch+arg_4] mov ecx, [edi+1A3Ch] push 0 lea eax, [esi+edx*2] push eax push ebp push 0 call sub_15BF0 add esi, 1 cmp esi, ebx jb short loc_17180 pop esi pop ebx pop edi pop ebp retn 10h loc_171A6: cmp [esp+0Ch+arg_8], 4 mov [esp+0Ch+arg_4], esi jnz short loc_171C9 mov ecx, [edi+1A3Ch] call sub_13610 mov ecx, [edi+1A1Ch] mov [esp+0Ch+arg_4], eax mov [ecx+58h], esi loc_171C9: mov ebx, [esp+0Ch+arg_C] xor esi, esi test ebx, ebx jbe short loc_17209 loc_171D3: cmp ebx, 4 jbe short loc_171E1 mov eax, ds:dword_1D450[esi*4] jmp short loc_171E8 loc_171E1: mov eax, ds:dword_1D4D0[esi*4] loc_171E8: mov edx, [esp+0Ch+arg_4] mov ecx, [edi+1A3Ch] push 0 add eax, edx push eax mov eax, [esp+14h+arg_0] push ebp push eax call sub_15BF0 add esi, 1 cmp esi, ebx jb short loc_171D3 loc_17209: pop esi pop ebx pop edi pop ebp retn 10h sub_17130 endp dword_17210 dd 1424448Bh, 8BF18B56h, 1A3C8Eh, 0EDE85000h dd 8BFFFFC6h, 510C244Ch, 1A3C8E8Bh, 7DE80000h dd 8BFFFFC6h, 8B142454h, 1A3C8Eh, 0BDE85200h dd 33FFFFC6h, 14C25EC0h, 0CCCCCC00h, 0CCCCCCCCh dd 1A3C898Bh, 65E90000h, 0CCFFFFE4h, 0CCCCCCCCh dd 332C418Bh, 89C23BD2h, 51893451h, 8B0B7530h dd 1A3C89h, 0C906E900h, 0CCC3FFFFh, 0CCCCCCCCh dd 4189C033h, 30418934h, 1A3C898Bh, 0BDE90000h dd 0CCFFFFC7h, 3 dup(0CCCCCCCCh), 2444B60Fh dd 24448904h, 3C898B04h, 0E900001Ah, 0FFFFC81Ch dd 3 dup(0CCCCCCCCh), 824448Bh, 7501F883h dd 44B60F20h, 44830424h, 83013081h, 130817Ch dd 898B2B75h, 1A3Ch, 0C7BAE850h, 8C2FFFFh dd 75C08500h, 44B60F18h, 44830424h, 75FF3081h dd 3C898B0Ch, 5000001Ah, 0FFC75BE8h, 8C2FFh dd 2 dup(0CCCCCCCCh), 424448Bh, 548B60Fh dd 450B60Fh, 8B51008Bh, 1A3C88h, 35E85200h dd 0B0FFFFC8h, 4C201h, 5308EC83h, 10245C8Ah dd 0C3B60F56h, 8E8BF18Bh, 1A3Ch, 
0C7F6E850h dd 0C085FFFFh, 335E0A74h, 0C4835BC0h, 8C208h dd 8A08468Bh, 8D18244Ch, 52082454h push (offset dword_17210+100h) push eax mov [esp+14h], esi mov [esp+18h], bl mov [esp+19h], cl call ds:KeSynchronizeExecution pop esi mov eax, 1 pop ebx add esp, 8 retn 8 align 10h ; Attributes: bp-based frame sub_17390 proc near var_528= dword ptr -528h var_524= dword ptr -524h var_520= dword ptr -520h var_460= dword ptr -460h var_45C= dword ptr -45Ch var_458= dword ptr -458h arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h push ebp mov ebp, esp and esp, 0FFFFFFF8h sub esp, 52Ch push ebx push esi mov ebx, ecx mov ecx, [ebx+1A3Ch] push edi call sub_138F0 mov ecx, 147h mov esi, eax lea edi, [esp+538h+var_520] rep movsd xor esi, esi cmp [ebp+arg_0], esi jnz loc_17498 mov eax, [ebp+arg_4] sub eax, esi jz short loc_173F7 sub eax, 1 jnz loc_17475 cmp [ebx+1A34h], esi jz short loc_173EB mov [ebx+1A34h], esi pop edi pop esi pop ebx mov esp, ebp pop ebp retn 10h loc_173EB: mov eax, [ebp+arg_8] mov [esp+538h+var_460], eax jmp short loc_17475 loc_173F7: cmp [ebx+1A30h], esi jz short loc_1740E mov [ebx+1A30h], esi pop edi pop esi pop ebx mov esp, ebp pop ebp retn 10h loc_1740E: lea ecx, [esp+538h+var_528] push ecx mov ecx, [ebx+1A3Ch] lea edx, [esp+53Ch+var_524] push edx push 1 call sub_13920 mov eax, [esp+538h+var_524] mov edx, [esp+538h+var_528] cmp eax, edx jle short loc_1743E mov ecx, eax sub ecx, edx imul ecx, [ebp+arg_8] shr ecx, 4 jmp short loc_1744B loc_1743E: mov ecx, edx sub ecx, eax imul ecx, [ebp+arg_8] shr ecx, 4 add ecx, eax loc_1744B: cmp eax, edx jle short loc_1745A sub eax, edx imul eax, [ebp+arg_C] shr eax, 4 jmp short loc_17467 loc_1745A: sub edx, eax imul edx, [ebp+arg_C] shr edx, 4 add edx, eax mov eax, edx loc_17467: mov [esp+538h+var_45C], ecx mov [esp+538h+var_458], eax loc_17475: mov ecx, [ebx+1A3Ch] lea eax, [esp+538h+var_520] push eax call sub_157C0 mov ebx, [ebx+19D4h] cmp ebx, esi jz short loc_17498 push esi push esi push ebx 
call ds:KeSetEvent loc_17498: pop edi pop esi pop ebx mov esp, ebp pop ebp retn 10h sub_17390 endp align 10h sub_174B0 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] mov ecx, [ecx+1A3Ch] push 51Ch push eax call sub_13D50 retn 4 sub_174B0 endp align 10h sub_174D0 proc near mov ecx, [ecx+1A3Ch] jmp sub_138F0 sub_174D0 endp align 10h sub_174E0 proc near mov ecx, [ecx+1A3Ch] jmp sub_157C0 sub_174E0 endp align 10h sub_174F0 proc near var_14= dword ptr -14h var_C= dword ptr -0Ch arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch cmp [esp+arg_0], 1 push esi mov esi, ecx jnz short loc_17534 mov eax, [esi+1A1Ch] push 0 push 0 push 0 push 1A0h push eax call ds:IoAllocateMdl mov esi, [esp+4+arg_4] push eax mov [esi], eax call ds:MmBuildMdlForNonPagedPool mov ecx, [esi] push 1 push ecx call ds:MmMapLockedPages mov edx, [esp+4+arg_8] mov [edx], eax pop esi retn 0Ch loc_17534: mov ecx, [esp+4+arg_8] mov edx, [ecx] push edi mov edi, [esp+8+arg_4] mov eax, [edi] push eax push edx call ds:MmUnmapLockedPages mov eax, [edi] push eax call ds:IoFreeMdl pop edi mov dword ptr [esi+1A20h], 0 pop esi retn 0Ch sub_174F0 endp align 10h sub_17570 proc near var_14= dword ptr -14h var_4= dword ptr -4 arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch push ecx push ebx mov ebx, [esp+8+arg_8] push ebp mov ebp, [esp+0Ch+arg_8] push esi push edi mov edi, ecx mov [esp+14h+var_4], 1 xor esi, esi lea esp, [esp+0] loc_17590: mov eax, [esp+14h+arg_0] test [esp+14h+var_4], eax jz short loc_175AD mov ecx, [edi+1A3Ch] push ebp push esi push 0 push 2 call sub_15BF0 mov ebx, eax loc_175AD: mov ecx, [esp+14h+arg_4] test [esp+14h+var_4], ecx jz short loc_175CA mov ecx, [edi+1A3Ch] push ebp push esi push 1 push 2 call sub_15BF0 mov ebx, eax loc_175CA: shl [esp+14h+var_4], 1 add esi, 1 cmp esi, 8 jb short loc_17590 mov ecx, [edi+1A3Ch] call sub_14770 pop edi pop esi pop ebp mov eax, ebx pop ebx pop ecx retn 0Ch sub_17570 endp align 10h ; [00000003 BYTES: COLLAPSED FUNCTION nullsub_2. 
PRESS KEYPAD "+" TO EXPAND] align 10h sub_17600 proc near ; FUNCTION CHUNK AT .text:00013690 SIZE 00000009 BYTES mov ecx, [ecx+1A3Ch] jmp loc_13690 sub_17600 endp align 10h sub_17610 proc near mov ecx, [ecx+1A3Ch] jmp sub_13710 sub_17610 endp align 10h sub_17620 proc near mov ecx, [ecx+1A3Ch] jmp nullsub_1 sub_17620 endp align 10h ; [00000003 BYTES: COLLAPSED FUNCTION nullsub_3. PRESS KEYPAD "+" TO EXPAND] align 10h sub_17640 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h arg_10= dword ptr 14h mov eax, [esp+arg_10] mov edx, [esp+arg_C] mov ecx, [ecx+1A3Ch] push eax mov eax, [esp+4+arg_8] push edx mov edx, [esp+8+arg_4] push eax mov eax, [esp+0Ch+arg_0] push edx push eax push 2 call sub_13990 retn 14h sub_17640 endp align 10h sub_17670 proc near var_C= dword ptr -0Ch var_8= dword ptr -8 var_4= dword ptr -4 arg_0= dword ptr 4 arg_4= dword ptr 8 sub esp, 0Ch mov eax, [esp+0Ch+arg_0] push ebx mov ebx, [esp+10h+arg_0] push ebp mov ebp, [esp+14h+arg_4] push esi shr eax, 10h push edi mov edi, ecx mov [esp+1Ch+var_4], eax mov [esp+1Ch+var_C], 1 xor esi, esi mov [esp+1Ch+var_8], 10h mov edi, edi loc_176A0: mov eax, [esp+1Ch+var_C] and eax, [esp+1Ch+arg_0] test ax, ax jz short loc_176C0 mov ecx, [edi+1A3Ch] push ebp push esi push 0 push 2 call sub_15BF0 mov ebx, eax loc_176C0: mov ecx, [esp+1Ch+var_C] and ecx, [esp+1Ch+var_4] test cx, cx jz short loc_176E0 mov ecx, [edi+1A3Ch] push ebp push esi push 1 push 2 call sub_15BF0 mov ebx, eax loc_176E0: shl [esp+1Ch+var_C], 1 add esi, 1 sub [esp+1Ch+var_8], 1 jnz short loc_176A0 test ebp, ebp jnz short loc_176FD mov ecx, [edi+1A3Ch] call sub_14770 loc_176FD: pop edi pop esi pop ebp loc_17700: mov eax, ebx pop ebx add esp, 0Ch retn 8 sub_17670 endp align 10h sub_17710 proc near mov eax, [ecx+1A2Ch] mov dword ptr [ecx+1A2Ch], 0 retn sub_17710 endp align 10h sub_17730 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h arg_10= dword ptr 14h mov eax, 
[esp+arg_10] mov edx, [esp+arg_C] mov ecx, [ecx+1A3Ch] push eax mov eax, [esp+4+arg_8] push edx mov edx, [esp+8+arg_4] push eax mov eax, [esp+0Ch+arg_0] push edx push eax push 3 call sub_13990 retn 14h sub_17730 endp align 10h sub_17760 proc near arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h push ebx mov ebx, [esp+arg_8] push ebp push esi push edi mov edi, ecx mov ebp, 1 xor esi, esi loc_17771: mov eax, [esp+0Ch+arg_0] test ebp, eax jz short loc_1778A mov ecx, [edi+1A3Ch] push ebx push esi push 1 push 3 call sub_15BF0 loc_1778A: mov ecx, [esp+0Ch+arg_4] test ebp, ecx jz short loc_177A3 mov ecx, [edi+1A3Ch] push ebx push esi push 0 push 3 call sub_15BF0 loc_177A3: add esi, 1 add ebp, ebp cmp esi, 20h jb short loc_17771 test ebx, ebx jnz short loc_177BC mov ecx, [edi+1A3Ch] call sub_14770 loc_177BC: pop edi pop esi pop ebp pop ebx retn 0Ch sub_17760 endp align 10h sub_177D0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 ; FUNCTION CHUNK AT .text:000136D0 SIZE 0000002E BYTES mov ecx, [ecx+1A3Ch] jmp loc_136D0 sub_177D0 endp align 10h sub_177E0 proc near mov ecx, [ecx+1A3Ch] call sub_13940 retn 4 sub_177E0 endp align 10h sub_177F0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov eax, [esp+arg_0] mov edx, [esp+arg_4] mov [ecx+1A24h], eax mov [ecx+1A28h], edx retn 8 sub_177F0 endp align 10h sub_17810 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h ; FUNCTION CHUNK AT .text:00013DC0 SIZE 00000102 BYTES mov ecx, [ecx+1A3Ch] jmp loc_13DC0 sub_17810 endp align 10h sub_17820 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch ; FUNCTION CHUNK AT .text:00013EE0 SIZE 000000F6 BYTES mov ecx, [ecx+1A3Ch] jmp loc_13EE0 sub_17820 endp align 10h sub_17830 proc near push ebx push ebp push esi push edi mov ebp, ecx xor ebx, ebx jmp short loc_17840 align 10h loc_17840: xor edi, edi loc_17842: xor esi, esi loc_17844: mov ecx, [ebp+1A3Ch] push esi push edi push ebx call sub_13960 test eax, eax jnz short 
loc_17873 add esi, 1 cmp esi, 8 jl short loc_17844 add edi, 1 cmp edi, 2 jl short loc_17842 add ebx, 1 cmp ebx, 5 jl short loc_17840 pop edi pop esi pop ebp pop ebx retn loc_17873: pop edi pop esi pop ebp mov eax, 1 pop ebx retn sub_17830 endp align 10h sub_17880 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 cmp [esp+arg_4], 1 push ebx push ebp push esi push edi mov ebx, ecx jnz short loc_178BE xor ebp, ebp nop loc_17890: xor edi, edi loc_17892: xor esi, esi loc_17894: mov ecx, [ebx+1A3Ch] push esi push edi push ebp call sub_13960 test eax, eax jnz short loc_1790F add esi, 1 cmp esi, 8 jl short loc_17894 add edi, 1 cmp edi, 2 jl short loc_17892 add ebp, 1 cmp ebp, 5 jl short loc_17890 loc_178BE: mov ecx, [ebx+1A3Ch] push 0 call sub_13630 mov eax, [esp+10h+arg_0] mov ecx, [ebx+20h] mov edx, [ebx+1A1Ch] push eax mov eax, [ebx+18h] push ecx mov ecx, [ebx+14h] push edx push eax push ecx mov ecx, [ebx+1A3Ch] call sub_15D00 push 32h call ds:KeStallExecutionProcessor mov ecx, [ebx+1A3Ch] push 1 call sub_13630 pop edi pop esi pop ebp mov eax, 1 pop ebx retn 8 loc_1790F: pop edi pop esi pop ebp xor eax, eax pop ebx retn 8 sub_17880 endp align 10h sub_17920 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch mov ecx, [esp+arg_0] mov eax, [esp+arg_8] push esi mov esi, [esp+4+arg_4] xor dl, dl mov [ecx+18h], esi mov [ecx+1Ch], eax call ds:IofCompleteRequest mov eax, esi pop esi retn 0Ch sub_17920 endp align 10h sub_17950 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov ecx, [esp+arg_0] push esi mov esi, [esp+4+arg_4] xor dl, dl mov [ecx+18h], esi call ds:IofCompleteRequest mov eax, esi pop esi retn 8 sub_17950 endp align 10h loc_17970: mov eax, [esp+4] mov ecx, [eax+28h] test byte ptr [ecx], 1 jz short loc_17985 mov [esp+4], eax jmp loc_18F10 loc_17985: mov [esp+4], eax jmp loc_1AFA0 align 10h loc_17990: mov eax, [esp+0Ch] push 0 push 0 push eax call ds:KeSetEvent mov eax, 0C0000016h retn 0Ch align 10h sub_179B0 proc near arg_0= dword ptr 4 arg_4= dword 
ptr 8 mov eax, [esp+arg_0] mov edx, [eax] mov ecx, [esp+arg_4] cmp edx, [ecx] jnz short loc_179DE mov edx, [eax+4] cmp edx, [ecx+4] jnz short loc_179DE mov edx, [eax+8] cmp edx, [ecx+8] jnz short loc_179DE mov eax, [eax+0Ch] cmp eax, [ecx+0Ch] jnz short loc_179DE mov eax, 1 retn 8 loc_179DE: xor eax, eax retn 8 sub_179B0 endp align 10h sub_179F0 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] test eax, eax jz short locret_179FF push eax call ds:ExFreePool locret_179FF: retn sub_179F0 endp sub_17A00 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov ecx, ds:dword_1D580 mov eax, [esp+arg_0] mov [eax], ecx mov edx, ds:dword_1D584 mov [eax+4], edx mov ecx, ds:dword_1D588 mov [eax+8], ecx mov dl, ds:byte_1D58C mov ecx, dword_1E1F4 mov [eax+0Ch], dl mov edx, [esp+arg_4] mov [eax+44h], ecx mov ecx, [edx+8] mov [eax+40h], ecx xor eax, eax retn 8 sub_17A00 endp align 10h sub_17A40 proc near var_1C= dword ptr -1Ch var_18= dword ptr -18h var_14= dword ptr -14h var_10= dword ptr -10h var_C= dword ptr -0Ch var_8= dword ptr -8 arg_0= dword ptr 4 arg_18= dword ptr 1Ch arg_1C= dword ptr 20h arg_20= dword ptr 24h arg_2C= dword ptr 30h arg_48= dword ptr 4Ch sub esp, 0Ch push ebx push esi push edi mov edi, [esp+18h+arg_0] push 0 lea esi, [edi+0Ch] push esi mov [esp+20h+var_C], 0 call ds:IoSetDeviceInterfaceState lea eax, [esp+18h+var_C] push eax push 0F003Fh push esi call ds:IoOpenDeviceInterfaceRegistryKey mov esi, ds:RtlInitUnicodeString push offset aGetinterfaceca ; "GetInterfaceCallback" lea ecx, [esp+28h+var_14] push ecx mov [esp+2Ch+var_8], 0 call esi ; RtlInitUnicodeString mov ecx, [esp+1Ch+var_10] mov ebx, ds:ZwSetValueKey push 4 lea edx, [esp+20h] push edx push 4 push 0 lea eax, [esp+2Ch+var_C] push eax push ecx call ebx ; ZwSetValueKey push offset aDeviceextensio ; "DeviceExtension" lea edx, [esp-10h+arg_20] push edx call esi ; RtlInitUnicodeString mov edx, [esp+0Ch] push 4 lea eax, [esp+20h] push eax push 4 push 0 lea ecx, [esp+20h] push ecx push edx call ebx ; 
ZwSetValueKey mov eax, [edi+8] mov ecx, [eax] mov edx, [ecx+8] push eax call edx mov eax, [esp+0Ch] push eax call ds:ZwClose pop edi pop esi pop ebx add esp, 0Ch retn 4 sub_17A40 endp ; sp = 60h align 10h sub_17AF0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch mov eax, [esp+arg_4] mov ecx, [eax] cmp ecx, ds:dword_1D560 mov edx, [eax+4] push esi jnz short loc_17B20 cmp edx, ds:dword_1D564 jnz short loc_17B20 mov esi, [eax+8] cmp esi, ds:dword_1D568 jnz short loc_17B20 mov esi, [eax+0Ch] cmp esi, ds:dword_1D56C jz short loc_17B59 loc_17B20: cmp ecx, ds:dword_1D5DC jnz short loc_17B46 cmp edx, ds:dword_1D5E0 jnz short loc_17B46 mov edx, [eax+8] cmp edx, ds:dword_1D5E4 jnz short loc_17B46 mov eax, [eax+0Ch] cmp eax, ds:dword_1D5E8 jz short loc_17B59 loc_17B46: mov edx, [esp+4+arg_8] mov dword ptr [edx], 0 loc_17B50: mov eax, 0C000000Dh pop esi retn 0Ch loc_17B59: mov eax, [esp+4+arg_0] mov ecx, [esp+4+arg_8] add eax, 0FFFFFFFCh test eax, eax mov [ecx], eax jz short loc_17B50 mov ecx, [eax] mov edx, [ecx+4] push eax call edx xor eax, eax pop esi retn 0Ch sub_17AF0 endp align 10h sub_17B80 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] mov eax, [eax+0Ch] mov ecx, [eax] mov [esp+arg_0], eax mov eax, [ecx] jmp eax sub_17B80 endp align 10h sub_17BA0 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] mov eax, [eax+0Ch] mov ecx, [eax] mov [esp+arg_0], eax mov edx, [ecx+4] jmp edx sub_17BA0 endp align 10h sub_17BC0 proc near arg_0= dword ptr 4 mov eax, [esp+arg_0] mov eax, [eax+0Ch] mov ecx, [eax] mov [esp+arg_0], eax mov edx, [ecx+8] jmp edx sub_17BC0 endp align 10h sub_17BE0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 arg_8= dword ptr 0Ch arg_C= dword ptr 10h mov eax, [esp+arg_4] push ebx push ebp add eax, 0FFFFF000h cmp eax, 17h push esi push edi ja loc_180B5 movzx eax, ds:byte_180EC[eax] jmp ds:off_180C0[eax*4] loc_17C04: mov ecx, [esp+10h+arg_C] pop edi pop esi pop ebp mov dword ptr [ecx+10h], offset dword_20000 xor eax, eax pop ebx retn 10h 
loc_17C18: mov ebp, [esp+10h+arg_C] push 364h push 0 push ebp call memset mov dx, ds:word_1D624 mov al, ds:byte_1D626 mov ecx, ds:dword_1D610 mov ebx, [esp+1Ch+arg_8] mov [ebp+0], ecx mov word ptr [esp+1Ch+arg_C], dx mov edx, ds:dword_1D614 mov [ebp+4], edx mov byte ptr [esp+1Ch+arg_C+2], al mov eax, ds:dword_1D618 mov [ebp+8], eax mov ecx, ds:dword_1D61C mov al, bl add esp, 0Ch add al, 31h mov [ebp+0Ch], ecx mov edx, ds:dword_1D620 mov byte ptr [esp+10h+arg_C+1], al lea eax, [esp+10h+arg_C] mov [ebp+10h], edx mov ecx, eax nop loc_17C80: mov dl, [eax] add eax, 1 test dl, dl jnz short loc_17C80 mov edi, ebp sub eax, ecx mov esi, ecx add edi, 0FFFFFFFFh loc_17C92: mov cl, [edi+1] add edi, 1 test cl, cl jnz short loc_17C92 mov ecx, eax shr ecx, 2 rep movsd mov ecx, eax and ecx, 3 rep movsb mov eax, 8 mov [ebp+44h], eax mov [ebp+40h], eax mov dword ptr [ebp+48h], 1Fh mov dword ptr [ebp+4Ch], 400h mov dword ptr [ebp+50h], 2 xor eax, eax lea ecx, [ebp+58h] nop loc_17CD0: mov dword ptr [ecx], 0 add eax, 1 add ecx, 4 cmp eax, [ebp+40h] jb short loc_17CD0 mov ecx, dword_1E1D0[ebx*4] call sub_17600 add eax, eax add eax, eax add eax, eax mov [ebp+258h], eax mov ecx, dword_1E1D0[ebx*4] call sub_17600 add eax, eax add eax, eax pop edi add eax, eax pop esi mov [ebp+25Ch], eax pop ebp xor eax, eax pop ebx retn 10h loc_17D1A: mov ebp, [esp+10h+arg_C] mov eax, [ebp+400h] mov esi, [esp+10h+arg_8] shr eax, 1 xor edi, edi mov [esp+10h+arg_4], eax add ebp, 300h loc_17D36: cmp dword ptr [ebp-100h], 1 jnz short loc_17D75 cmp edi, 8 jnb short loc_17D75 mov ebx, [ebp+0] mov ecx, dword_1E1D0[esi*4] push 1 push ebx push 0 push edi push 1 call sub_17730 mov ecx, [esp+10h+arg_4] push 1 add ebx, ecx mov ecx, dword_1E1D0[esi*4] push ebx push 1 push edi push 1 call sub_17730 loc_17D75: cmp dword ptr [ebp-300h], 1 jnz short loc_17DB7 cmp edi, 8 jnb short loc_17DB7 mov ebx, [ebp-200h] mov ecx, dword_1E1D0[esi*4] push 1 push ebx push 0 push edi push 0 call sub_17730 mov edx, [esp+10h+arg_4] mov ecx, 
dword_1E1D0[esi*4] push 1 add ebx, edx push ebx push 1 push edi push 0 call sub_17730 loc_17DB7: add edi, 1 add ebp, 4 cmp edi, 40h jb loc_17D36 mov edi, [esp+10h+arg_0] mov esi, [esp+10h+arg_C] add edi, 14h mov ecx, 102h rep movsd pop edi pop esi pop ebp xor eax, eax pop ebx retn 10h loc_17DE1: mov ebp, [esp+10h+arg_0] mov edi, [esp+10h+arg_8] xor esi, esi mov ebx, 1 loc_17DF0: cmp [ebp+esi*4+214h], ebx jnz short loc_17E23 cmp esi, 8 jnb short loc_17E23 mov ecx, dword_1E1D0[edi*4] push ebx push 0 push 0 push esi push ebx call sub_17730 mov ecx, dword_1E1D0[edi*4] push ebx push 0 push ebx push esi push ebx call sub_17730 loc_17E23: cmp [ebp+esi*4+14h], ebx jnz short loc_17E55 cmp esi, 8 ja short loc_17E55 mov ecx, dword_1E1D0[edi*4] push ebx push 0 push 0 push esi push 0 call sub_17730 mov ecx, dword_1E1D0[edi*4] push ebx push 0 push ebx push esi push 0 call sub_17730 loc_17E55: add esi, ebx cmp esi, 40h jb short loc_17DF0 pop edi pop esi pop ebp xor eax, eax pop ebx retn 10h loc_17E65: mov esi, [esp+10h+arg_0] xor ebp, ebp mov ebx, 1 xor ecx, ecx xor eax, eax mov [esi+430h], ebx mov [esi+434h], ebp cmp [esi+214h], ebx jnz short loc_17E8A mov ecx, ebx loc_17E8A: cmp [esi+218h], ebx jnz short loc_17E95 or ecx, 2 loc_17E95: cmp [esi+21Ch], ebx jnz short loc_17EA0 or ecx, 4 loc_17EA0: cmp [esi+220h], ebx jnz short loc_17EAB or ecx, 8 loc_17EAB: cmp [esi+224h], ebx jnz short loc_17EB6 or ecx, 10h loc_17EB6: cmp [esi+228h], ebx jnz short loc_17EC1 or ecx, 20h loc_17EC1: cmp [esi+22Ch], ebx jnz short loc_17ECC or ecx, 40h loc_17ECC: cmp [esi+230h], ebx jnz short loc_17EDA or ecx, 80h loc_17EDA: cmp [esi+14h], ebx jnz short loc_17EE1 mov eax, ebx loc_17EE1: cmp [esi+18h], ebx jnz short loc_17EE9 or eax, 2 loc_17EE9: cmp [esi+1Ch], ebx jnz short loc_17EF1 or eax, 4 loc_17EF1: cmp [esi+20h], ebx jnz short loc_17EF9 or eax, 8 loc_17EF9: cmp [esi+24h], ebx jnz short loc_17F01 or eax, 10h loc_17F01: cmp [esi+28h], ebx jnz short loc_17F09 or eax, 20h loc_17F09: cmp [esi+2Ch], 
ebx jnz short loc_17F11 or eax, 40h loc_17F11: cmp [esi+30h], ebx jnz short loc_17F1B or eax, 80h loc_17F1B: mov edi, [esp+10h+arg_8] push ebx push eax push ecx mov ecx, dword_1E1D0[edi*4] call sub_17760 mov eax, [esi+10h] mov ecx, [eax+1Ch] mov edx, [eax+18h] push ecx mov ecx, dword_1E1D0[edi*4] push edx call sub_177F0 push ebx jmp loc_18023 loc_17F4B: mov esi, [esp+10h+arg_0] xor ebp, ebp mov ebx, 1 xor ecx, ecx xor eax, eax mov [esi+430h], ebp mov [esi+434h], ebp cmp [esi+214h], ebx jnz short loc_17F70 mov ecx, ebx loc_17F70: cmp [esi+218h], ebx jnz short loc_17F7B or ecx, 2 loc_17F7B: cmp [esi+21Ch], ebx jnz short loc_17F86 or ecx, 4 loc_17F86: cmp [esi+220h], ebx jnz short loc_17F91 or ecx, 8 loc_17F91: cmp [esi+224h], ebx jnz short loc_17F9C or ecx, 10h loc_17F9C: cmp [esi+228h], ebx jnz short loc_17FA7 or ecx, 20h loc_17FA7: cmp [esi+22Ch], ebx jnz short loc_17FB2 or ecx, 40h loc_17FB2: cmp [esi+230h], ebx jnz short loc_17FC0 or ecx, 80h loc_17FC0: cmp [esi+14h], ebx jnz short loc_17FC7 mov eax, ebx loc_17FC7: cmp [esi+18h], ebx jnz short loc_17FCF or eax, 2 loc_17FCF: cmp [esi+1Ch], ebx jnz short loc_17FD7 or eax, 4 loc_17FD7: cmp [esi+20h], ebx jnz short loc_17FDF or eax, 8 loc_17FDF: cmp [esi+24h], ebx jnz short loc_17FE7 or eax, 10h loc_17FE7: cmp [esi+28h], ebx jnz short loc_17FEF or eax, 20h loc_17FEF: cmp [esi+2Ch], ebx jnz short loc_17FF7 or eax, 40h loc_17FF7: cmp [esi+30h], ebx jnz short loc_18001 or eax, 80h loc_18001: mov edi, [esp+10h+arg_8] push ebp push eax push ecx mov ecx, dword_1E1D0[edi*4] call sub_17760 mov ecx, dword_1E1D0[edi*4] push ebp push ebp call sub_177F0 push ebp loc_18023: mov ecx, dword_1E1D0[edi*4] call nullsub_2 pop edi mov [esi+41Ch], ebp mov [esi+424h], ebx pop esi pop ebp xor eax, eax pop ebx retn 10h loc_18044: mov esi, [esp+10h+arg_0] cmp dword ptr [esi+430h], 0 jz short loc_180B5 mov eax, [esi+434h] mov ecx, [esp+10h+arg_8] mov ecx, dword_1E1D0[ecx*4] push eax call sub_177E0 pop edi mov [esi+42Ch], eax pop esi pop ebp 
; ---------------------------------------------------------------------------
; Tail of sub_17BE0 (its prologue and switch dispatch are above this chunk).
; Four saved regs (ebx/ebp/esi/edi) sit above the arguments here, hence the
; [esp+10h+arg_X] operands. Every case below returns STATUS_SUCCESS.
; ---------------------------------------------------------------------------
        pop     ebx
        retn    10h

loc_18075:                              ; case: *(arg_C + 4) = sub_17600(dword_1E1D0[arg_8])
        mov     edx, [esp+10h+arg_8]
        mov     ecx, dword_1E1D0[edx*4] ; this = dword_1E1D0[arg_8]; no range check on arg_8 is visible in this chunk
        call    sub_17600
        mov     ecx, [esp+10h+arg_C]
        pop     edi
        pop     esi
        pop     ebp
        mov     [ecx+4], eax
        xor     eax, eax                ; STATUS_SUCCESS
        pop     ebx
        retn    10h

loc_18095:                              ; case: clear 90h bytes at arg_C
        mov     esi, [esp+10h+arg_C]
        push    90h
        xor     edi, edi
        push    edi
        push    esi
        call    memset                  ; memset(arg_C, 0, 90h)
        add     esp, 0Ch
        mov     [esi], edi              ; first four dwords cleared again explicitly
        mov     [esi+4], edi
        mov     [esi+8], edi
        mov     [esi+0Ch], edi

loc_180B5:                              ; default case / common exit: STATUS_SUCCESS
        pop     edi
        pop     esi
        pop     ebp
        xor     eax, eax
        pop     ebx
        retn    10h
sub_17BE0 endp
        align   10h

; Jump table of the switch in sub_17BE0 (11 targets). byte_180EC is the
; 24-entry case-index table (values 0..0Ah) that selects the target;
; index 0Ah is loc_180B5, the do-nothing default.
off_180C0 dd offset loc_17C04
        dd offset loc_17C18
        dd offset loc_17D1A
        dd offset loc_17DE1
        dd offset loc_17E65
        dd offset loc_17F4B
        dd offset loc_18044
        dd offset loc_18075
        dd offset loc_18095
        dd offset loc_180B5
        dd offset loc_180B5
byte_180EC db 0                         ; case-index table, continued in dword_180F0
        db 1, 2, 3
dword_180F0 dd 60A0504h, 0A070A0Ah, 0A0A0A0Ah, 80A0A0Ah
        dd 9090A09h, 3 dup(0CCCCCCCCh), 424448Bh  ; NOTE(review): after the CCh padding the bytes 8B 44 24 04 ... C2 10 00
        dd 8B10488Bh, 89082454h, 488B1451h, 24548B10h  ; read like a small stdcall routine (mov eax,[esp+4] ... retn 10h)
        dd 1851890Ch, 8B10408Bh, 8910244Ch, 0C0331C48h  ; that IDA left as data -- presumably unreferenced; confirm
        dd 0CC0010C2h, 2 dup(0CCCCCCCCh)

; ---------------------------------------------------------------------------
; sub_18140(): release the global object dword_1E1F0.
;   sub_17A40(dword_1E1F0); ExFreePool(dword_1E1F0);
; Clobbers eax, ecx. dword_1E1F0 is left pointing at freed memory.
; ---------------------------------------------------------------------------
sub_18140 proc near
        mov     eax, dword_1E1F0
        push    eax
        call    sub_17A40
        mov     ecx, dword_1E1F0
        push    ecx
        call    ds:ExFreePool
        retn
sub_18140 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18160(arg_0) stdcall: dword_1E1D0[dword_1E1FC++] = arg_0
; Appends a pointer to the global table that the sub_17BE0 cases index as
; dword_1E1D0[idx*4]. Clobbers eax, ecx.
; NOTE(review): no capacity check on dword_1E1FC is visible here and the
; table size is not in this chunk -- confirm the caller bounds it.
; ---------------------------------------------------------------------------
sub_18160 proc near
arg_0= dword ptr 4
        mov     eax, dword_1E1FC
        mov     ecx, [esp+arg_0]
        mov     dword_1E1D0[eax*4], ecx
        add     eax, 1
        mov     dword_1E1FC, eax
        retn    4
sub_18160 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18180(this = ecx, arg_0 = flags) thiscall: deleting-destructor thunk.
; ecx points 4 bytes into the object (the second vtable sub-object); it is
; rebased to the object start, both vtables are reset (off_1D5FC at +0,
; off_1D5EC at +4), the sub-object's base destructor sub_18FBE runs, and the
; storage is freed when arg_0 & 1. Returns the object pointer in eax.
; ---------------------------------------------------------------------------
sub_18180 proc near
arg_0= byte ptr 4
        sub     ecx, 4                  ; this-adjust from the +4 sub-object
        jmp     loc_18190
        align   10h

loc_18190:
        push    esi
        mov     esi, ecx
        lea     ecx, [esi+4]
        mov     dword ptr [esi], offset off_1D5FC
        mov     dword ptr [ecx], offset off_1D5EC
        call    sub_18FBE               ; base-class destructor on the +4 sub-object
        test    [esp+4+arg_0], 1        ; bit 0 of the flags argument: free the memory
        jz      short loc_181B5
        push    esi
        call    ds:ExFreePool
loc_181B5:
        mov     eax, esi
        pop     esi
        retn    4
sub_18180 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_181C0(arg_0 = pointer receiving the new object) stdcall.
; Allocates a 438h-byte object from NonPagedPool (tag 706E5748h = 'HWnp'),
; zeroes it, constructs the +4 sub-object via sub_19049, installs the two
; vtables, stores the object in *arg_0 and calls its vtable slot 1 (AddRef-
; like, see sub_18FC5). Returns 0 on success, STATUS_INSUFFICIENT_RESOURCES
; (0C000009Ah) when the allocation fails.
; ---------------------------------------------------------------------------
sub_181C0 proc near
arg_0= dword ptr 8
        push    esi
        push    706E5748h               ; tag 'HWnp'
        push    438h
        push    0                       ; NonPagedPool
        call    ds:ExAllocatePoolWithTag
        mov     esi, eax
        test    esi, esi
        jz      short loc_18217
        push    edi
        push    438h
        push    0
        push    esi
        call    memset                  ; memset(obj, 0, 438h)
        add     esp, 0Ch
        lea     edi, [esi+4]
        push    0
        mov     ecx, edi
        call    sub_19049               ; construct the sub-object at +4 (outer = NULL)
        mov     eax, [esp+4+arg_0]
        mov     dword ptr [esi], offset off_1D5FC
        mov     dword ptr [edi], offset off_1D5EC
        mov     [eax], esi              ; *arg_0 = obj
        mov     ecx, [esi]
        mov     edx, [ecx+4]            ; vtable slot 1
        push    esi
        call    edx                     ; obj->vtbl[1](obj)
        pop     edi
        xor     eax, eax
        pop     esi
        retn    4
loc_18217:
        mov     eax, 0C000009Ah         ; STATUS_INSUFFICIENT_RESOURCES
        pop     esi
        retn    4
sub_181C0 endp

; ---------------------------------------------------------------------------
; sub_18220(arg_0 = PDO, arg_4 = 20h-byte block allocated by sub_18300) stdcall
; Creates the object via sub_181C0, registers the device interface unk_1D570
; on arg_0 (symbolic link kept at arg_4+0Ch), opens the interface's registry
; key with KEY_ALL_ACCESS (0F003Fh) and writes two REG_DWORD values:
;   "GetInterfaceCallback" = address of sub_17A00
;   "DeviceExtension"      = arg_4 (a kernel pool pointer)
; then closes the key and enables the interface. Always returns 1.
; NOTE(review): neither sub_181C0's status nor the object it returns (var_8)
; is checked before [eax+10h] is written, and the status of
; IoOpenDeviceInterfaceRegistryKey is ignored before the handle is used.
; Writing a kernel code pointer and a pool pointer into a registry key
; exposes kernel addresses to whoever can read that key; if any code path
; reads these values back and trusts them, that is a control-flow risk --
; the reader is not in this chunk.
; IDA's stack-delta tracking is off from the IoRegisterDeviceInterface call
; onward (see the "; sp = 54h" note at endp): the arg_10/arg_18/arg_24/
; arg_28/arg_58 operands below are misnamed locals; re-derive them by hand.
; ---------------------------------------------------------------------------
sub_18220 proc near
var_24= dword ptr -24h
var_1C= dword ptr -1Ch
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_10= dword ptr 14h
arg_18= dword ptr 1Ch
arg_24= dword ptr 28h
arg_28= dword ptr 2Ch
arg_58= dword ptr 5Ch
        sub     esp, 8
        push    esi
        push    edi
        lea     eax, [esp+10h+var_8]
        push    eax
        call    sub_181C0               ; var_8 = new object (status not checked)
        mov     edi, [esp+10h+arg_4]
        mov     eax, [esp+10h+var_8]
        mov     ecx, [esp+10h+arg_0]
        lea     esi, [edi+0Ch]          ; UNICODE_STRING for the symbolic link at arg_4+0Ch
        push    esi
        push    0
        push    offset unk_1D570        ; interface class GUID
        mov     [edi+8], eax
        push    ecx
        mov     [eax+10h], edi          ; NULL deref if sub_181C0 failed
        call    ds:IoRegisterDeviceInterface
        test    eax, eax
        jnz     loc_182E6
        push    ebx
        push    ebp
        lea     edx, [esp+28h+var_8]
        push    edx                     ; &KeyHandle
        push    0F003Fh                 ; KEY_ALL_ACCESS
        push    esi
        mov     [esp+34h+var_8], eax
        call    ds:IoOpenDeviceInterfaceRegistryKey ; status ignored
        mov     ebx, ds:RtlInitUnicodeString
        push    offset aGetinterfaceca ; "GetInterfaceCallback"
        lea     eax, [esp+38h+var_24]
        push    eax
        call    ebx ; RtlInitUnicodeString
        mov     eax, [esp+2Ch+var_C]
        mov     ebp, ds:ZwSetValueKey
        push    4                       ; DataSize
        lea     ecx, [esp+30h+var_10]
        push    ecx                     ; Data = &var_10
        push    4                       ; Type = REG_DWORD
        push    0                       ; TitleIndex
        lea     edx, [esp+3Ch+var_1C]
        push    edx                     ; ValueName
        push    eax                     ; KeyHandle
        mov     [esp+44h+var_10], offset sub_17A00 ; value written: address of sub_17A00
        call    ebp ; ZwSetValueKey
        push    offset aDeviceextensio ; "DeviceExtension"
        lea     ecx, [esp+arg_10]
        push    ecx
        call    ebx ; RtlInitUnicodeString
        mov     ecx, [esp-0Ch+arg_28]
        push    4
        lea     edx, [esp-8+arg_24]
        push    edx
        push    4
        push    0
        lea     eax, [esp+4+arg_18]
        push    eax
        push    ecx
        mov     [esp+0Ch+arg_24], edi   ; value written: the arg_4 pointer
        call    ebp ; ZwSetValueKey
        mov     edx, [esp-3Ch+arg_58]
        push    edx
        call    ds:ZwClose
        push    1
        push    esi
        call    ds:IoSetDeviceInterfaceState ; enable the interface
        pop     ebp
        pop     ebx
loc_182E6:
        pop     edi
        mov     eax, 1
        pop     esi
        add     esp, 8
        retn    8
sub_18220 endp ; sp = 54h
        align   10h

; ---------------------------------------------------------------------------
; sub_18300(arg_0) stdcall: dword_1E1F4 = arg_0;
;   dword_1E1F0 = ExAllocatePool(NonPagedPool, 20h);
;   sub_18220(dword_1E200, dword_1E1F0);
; NOTE(review): the ExAllocatePool result is passed on unchecked and
; sub_18220 stores through it.
; ---------------------------------------------------------------------------
sub_18300 proc near
arg_0= dword ptr 4
        mov     eax, [esp+arg_0]
        push    20h
        push    0                       ; NonPagedPool
        mov     dword_1E1F4, eax
        call    ds:ExAllocatePool
        mov     ecx, dword_1E200
        push    eax
        push    ecx
        mov     dword_1E1F0, eax
        call    sub_18220
        retn    4
sub_18300 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18330(arg_0 = byte count) stdcall -- body continues on the next listing
; line. Builds a 0Ch-byte descriptor {MDL, kernel buffer, user-mode VA} for a
; fresh NonPagedPool buffer of arg_0 bytes and maps it into the current
; process (MmMapLockedPages with AccessMode 1 = UserMode). No allocation or
; mapping result is checked.
; ---------------------------------------------------------------------------
sub_18330 proc near
arg_0= dword ptr 8
        push    ebx
; (body of sub_18330, whose proc line is on the previous listing line)
; sub_18330(arg_0 = byte count) stdcall. Allocates a 0Ch-byte descriptor and an
; arg_0-byte buffer (both NonPagedPool, untagged ExAllocatePool), describes the
; buffer with an MDL and maps it with MmMapLockedPages(mdl, 1) -- AccessMode 1
; is UserMode, so [desc+8] is a user-space alias of the kernel buffer in the
; calling process. Returns the descriptor: +0 MDL, +4 kernel VA, +8 user VA.
; NOTE(review): none of ExAllocatePool (x2), IoAllocateMdl or MmMapLockedPages
; is checked for failure; the obsolete MmMapLockedPages reports a failed
; mapping by raising/bugchecking rather than returning NULL, so there is no
; recovery path here. The mapping must be undone (sub_18390) in the same
; process context it was created in.
        mov     ebx, ds:ExAllocatePool
        push    esi
        push    edi
        push    0Ch
        push    0                       ; NonPagedPool
        call    ebx ; ExAllocatePool    ; -> descriptor
        mov     edi, [esp+8+arg_0]
        push    edi
        push    0
        mov     esi, eax
        call    ebx ; ExAllocatePool    ; -> data buffer of arg_0 bytes
        push    0                       ; Irp = NULL
        push    0                       ; ChargeQuota = FALSE
        push    0                       ; SecondaryBuffer = FALSE
        push    edi                     ; Length
        push    eax                     ; VirtualAddress
        mov     [esi+4], eax
        call    ds:IoAllocateMdl
        push    eax
        mov     [esi], eax
        call    ds:MmBuildMdlForNonPagedPool
        mov     eax, [esi]
        push    1                       ; AccessMode = UserMode
        push    eax
        call    ds:MmMapLockedPages
        mov     ecx, [esi+4]
        push    edi
        push    0
        push    ecx
        mov     [esi+8], eax            ; user-mode VA of the buffer
        call    memset                  ; memset(buffer, 0, arg_0)
        add     esp, 0Ch
        pop     edi
        mov     eax, esi
        pop     esi
        pop     ebx
        retn    4
sub_18330 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18390(arg_0 = descriptor from sub_18330) stdcall: unmap the user view,
; free the MDL, the data buffer and the descriptor. Clobbers eax, ecx, edx.
; ---------------------------------------------------------------------------
sub_18390 proc near
arg_0= dword ptr 8
        push    esi
        mov     esi, [esp+arg_0]
        mov     eax, [esi]
        mov     ecx, [esi+8]
        push    edi
        push    eax                     ; Mdl
        push    ecx                     ; BaseAddress (user VA)
        call    ds:MmUnmapLockedPages
        mov     edx, [esi]
        push    edx
        call    ds:IoFreeMdl
        mov     eax, [esi+4]
        mov     edi, ds:ExFreePool
        push    eax
        call    edi ; ExFreePool        ; data buffer
        push    esi
        call    edi ; ExFreePool        ; descriptor
        pop     edi
        pop     esi
        retn    4
sub_18390 endp

; ---------------------------------------------------------------------------
; sub_183C0: PCI configuration-space write through the legacy CF8h/CFCh
; mechanism. Custom convention: eax = register offset, ecx = function,
; edx = device, [esp+4] = bus (byte), [esp+8] = value; retn 8.
;   address = 80000000h | bus<<16 | (dev&1Fh)<<11 | (fn&7)<<8 | (reg&0FCh)
; (the 0FFFF8000h OR becomes bit 31 once shifted left by 16).
; Direct port I/O bypasses the PCI bus driver's config-space serialisation.
; Clobbers eax, ecx, edx.
; ---------------------------------------------------------------------------
sub_183C0 proc near
arg_0= byte ptr 8
        push    esi
        movzx   esi, [esp+arg_0]        ; bus
        or      esi, 0FFFF8000h         ; -> bit 31 (enable) after the shifts below
        shl     esi, 5
        and     edx, 1Fh                ; device
        or      esi, edx
        add     esi, esi                ; <<3
        add     esi, esi
        add     esi, esi
        and     ecx, 7                  ; function
        or      esi, ecx
        shl     esi, 8
        and     eax, 0FCh               ; dword-aligned register
        or      esi, eax
        push    esi
        mov     esi, ds:WRITE_PORT_ULONG
        push    0CF8h
        call    esi ; WRITE_PORT_ULONG  ; CONFIG_ADDRESS
        mov     eax, [esp+0Ch]          ; value ([esp+8] at entry)
        push    eax
        push    0CFCh
        call    esi ; WRITE_PORT_ULONG  ; CONFIG_DATA
        pop     esi
        retn    8
sub_183C0 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18410: PCI configuration-space read; same register convention as
; sub_183C0 with a single stack argument (bus byte at [esp+4]).
; Writes CONFIG_ADDRESS, overwrites its own argument slot with 0CFCh and
; tail-jumps into READ_PORT_ULONG, whose retn 4 returns to the caller with
; the value in eax. IDA does not model this tail call, so callers' stack
; deltas drift by 4 after it (see sub_186B0).
; ---------------------------------------------------------------------------
sub_18410 proc near
arg_0= byte ptr 8
        push    esi
        movzx   esi, [esp+arg_0]
        or      esi, 0FFFF8000h
        shl     esi, 5
        and     edx, 1Fh
        or      esi, edx
        add     esi, esi
        add     esi, esi
        add     esi, esi
        and     ecx, 7
        or      esi, ecx
        shl     esi, 8
        and     eax, 0FCh
        or      esi, eax
        push    esi
        push    0CF8h
        call    ds:WRITE_PORT_ULONG
        pop     esi
        mov     dword ptr [esp-4+arg_0], 0CFCh ; [esp+4] := CONFIG_DATA port
        jmp     ds:READ_PORT_ULONG      ; returns straight to the caller
sub_18410 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18460(eax = PDO): save the device's first 40h bytes of PCI config space
; into the global dword_1E458[16]. Bus number (property 0Eh) and bus address
; (property 10h: device in the high word, function in the low word) come from
; IoGetDeviceProperty; status and result length are ignored. The command
; register (offset 4) is read first and bits 0|2 (I/O space, bus master) are
; set when both are clear. Uses direct CF8h/CFCh port I/O.
; Clobbers eax, ecx, edx.
; ---------------------------------------------------------------------------
sub_18460 proc near
var_14= byte ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
        sub     esp, 10h
        push    ebx
        push    ebp
        push    esi
        push    edi
        mov     edi, ds:IoGetDeviceProperty
        mov     esi, eax
        lea     eax, [esp+20h+var_C]
        push    eax                     ; &ResultLength
        lea     ecx, [esp+24h+var_4]
        push    ecx                     ; &var_4 <- bus number
        push    4
        push    0Eh                     ; DevicePropertyBusNumber
        push    esi
        call    edi ; IoGetDeviceProperty
        lea     edx, [esp+20h+var_C]
        push    edx
        lea     eax, [esp+24h+var_8]
        push    eax                     ; &var_8 <- bus address
        push    4
        push    10h                     ; DevicePropertyAddress
        push    esi
        call    edi ; IoGetDeviceProperty
        mov     ecx, [esp+20h+var_8]
        movzx   edx, word ptr [esp+20h+var_4]
        mov     eax, ecx
        movzx   ebp, cx                 ; function (low word of the address)
        mov     edi, ds:WRITE_PORT_ULONG
        movzx   ecx, dl                 ; bus
        shl     ecx, 5
        shr     eax, 10h
        mov     esi, eax
        and     esi, 1Fh                ; device (high word of the address)
        or      ecx, esi
        add     ecx, ecx
        add     ecx, ecx
        mov     [esp+20h+var_10], edx
        add     ecx, ecx
        mov     edx, ebp
        and     edx, 7
        or      ecx, edx
        shl     ecx, 8
        or      ecx, 80000004h          ; register 4 = command
        push    ecx
        push    0CF8h
        call    edi ; WRITE_PORT_ULONG
        push    0CFCh
        call    ds:READ_PORT_ULONG
        mov     ebx, eax
        test    bl, 5                   ; I/O space or bus master already enabled?
        jnz     short loc_1851B
        movzx   eax, byte ptr [esp+20h+var_10]
        shl     eax, 5
        or      eax, esi
        add     eax, eax
        add     eax, eax
        add     eax, eax
        mov     ecx, ebp
        and     ecx, 7
        or      eax, ecx
        shl     eax, 8
        or      eax, 80000004h
        push    eax
        push    0CF8h
        call    edi ; WRITE_PORT_ULONG
        or      ebx, 5
        push    ebx
        push    0CFCh
        call    edi ; WRITE_PORT_ULONG  ; command |= 5
loc_1851B:
        movzx   edi, byte ptr [esp+20h+var_10]
        or      edi, 0FFFF8000h
        shl     edi, 5
        or      edi, esi
        add     edi, edi
        add     edi, edi
        add     edi, edi
        and     ebp, 7
        or      edi, ebp
        xor     ebx, ebx                ; ebx = dword index 0..0Fh
        shl     edi, 8                  ; edi = CONFIG_ADDRESS of register 0
        jmp     short loc_18540
        align   10h

loc_18540:
        movzx   edx, bl
        add     dl, dl
        add     dl, dl                  ; offset = index*4
        and     edx, 0FCh
        or      edx, edi
        push    edx
        push    0CF8h
        call    ds:WRITE_PORT_ULONG
        push    0CFCh
        call    ds:READ_PORT_ULONG
        mov     dword_1E458[ebx*4], eax
        add     ebx, 1
        cmp     ebx, 10h
        jl      short loc_18540
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        add     esp, 10h
        retn
sub_18460 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18580(eax = PDO): counterpart of sub_18460 -- writes the 16 dwords saved
; in dword_1E458 back to config offsets 0..3Ch, after the same command-bit
; fix-up. Each write is followed by READ_PORT_UCHAR(80h), the conventional
; short I/O delay. Same property lookups, same unchecked results.
; Clobbers eax, ecx, edx.
; ---------------------------------------------------------------------------
sub_18580 proc near
var_14= dword ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
        sub     esp, 14h
        push    ebx
        push    ebp
        push    esi
        push    edi
        mov     edi, ds:IoGetDeviceProperty
        mov     esi, eax
        lea     eax, [esp+24h+var_10]
        push    eax
        lea     ecx, [esp+28h+var_8]
        push    ecx                     ; &var_8 <- bus number
        push    4
        push    0Eh                     ; DevicePropertyBusNumber
        push    esi
        call    edi ; IoGetDeviceProperty
        lea     edx, [esp+24h+var_10]
        push    edx
        lea     eax, [esp+28h+var_C]
        push    eax                     ; &var_C <- bus address
        push    4
        push    10h                     ; DevicePropertyAddress
        push    esi
        call    edi ; IoGetDeviceProperty
        mov     ecx, [esp+24h+var_C]
        movzx   edx, word ptr [esp+24h+var_8]
        mov     eax, ecx
        movzx   edi, cx                 ; function
        mov     esi, ds:WRITE_PORT_ULONG
        movzx   ecx, dl                 ; bus
        shl     ecx, 5
        shr     eax, 10h
        mov     ebp, eax
        and     ebp, 1Fh                ; device
        or      ecx, ebp
        add     ecx, ecx
        add     ecx, ecx
        mov     [esp+24h+var_14], edx
        add     ecx, ecx
        mov     edx, edi
        and     edx, 7
        or      ecx, edx
        shl     ecx, 8
        or      ecx, 80000004h          ; command register
        push    ecx
        push    0CF8h
        mov     [esp+2Ch+var_4], edi
        call    esi ; WRITE_PORT_ULONG
        push    0CFCh
        call    ds:READ_PORT_ULONG
        mov     ebx, eax
        test    bl, 5
        jnz     short loc_1863D
        movzx   eax, byte ptr [esp+24h+var_14]
        shl     eax, 5
        or      eax, ebp
        add     eax, eax
        add     eax, eax
        add     eax, eax
        and     edi, 7
        or      eax, edi
        shl     eax, 8
        or      eax, 80000004h
        push    eax
        push    0CF8h
        call    esi ; WRITE_PORT_ULONG
        or      ebx, 5
        push    ebx
        push    0CFCh
        call    esi ; WRITE_PORT_ULONG  ; command |= 5
loc_1863D:
        movzx   edi, byte ptr [esp+24h+var_14]
        mov     eax, [esp+24h+var_4]
        or      edi, 0FFFF8000h
        shl     edi, 5
        or      edi, ebp
        add     edi, edi
        add     edi, edi
        add     edi, edi
        and     eax, 7
        or      edi, eax
        xor     ebx, ebx                ; dword index
        shl     edi, 8                  ; CONFIG_ADDRESS of register 0
loc_18661:
        mov     ebp, dword_1E458[ebx*4]
        movzx   ecx, bl
        add     cl, cl
        add     cl, cl
        and     ecx, 0FCh
        or      ecx, edi
        push    ecx
        push    0CF8h
        call    esi ; WRITE_PORT_ULONG
        push    ebp
        push    0CFCh
        call    esi ; WRITE_PORT_ULONG
        push    80h
        call    ds:READ_PORT_UCHAR      ; I/O delay
        add     ebx, 1
        cmp     ebx, 10h
        jl      short loc_18661
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        add     esp, 14h
        retn
sub_18580 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_186B0(arg_0 = PDO, arg_4 = wanted subsystem-ID dword) stdcall
; Returns 1 (done or skipped) / 0 (failed) in eax.
;  - arg_4 == -1: return 1 without touching the hardware.
;  - reads the vendor/device dword at config offset 0; if it is 17121412h
;    (vendor 1412h, device 1712h) returns 1 immediately.
;  - otherwise: ensures command bits 0|2 are set (sub_18410 / sub_183C0),
;    saves config offsets 0..3Ch (16 dwords) on the stack, writes 3 then 0 to
;    register 84h with sub_115F0(0F4240h,0) / sub_115F0(1E8480h,0) in between
;    (presumably delays; units not visible here), re-checks the command bits,
;    writes the 16 saved dwords back and compares offset 2Ch (PCI subsystem
;    ID) with arg_4; equal -> 1.
;  - if not equal: writes 800000h to register 40h, arg_4 to 2Ch, 0 to 40h
;    (each followed by READ_PORT_UCHAR(80h)) and returns whether 2Ch now reads
;    back as arg_4. Register 40h thus behaves as a write-enable for the
;    subsystem-ID field on this part -- vendor-specific, confirm.
; All config access is direct CF8h/CFCh port I/O; the IoGetDeviceProperty
; results are used unchecked.
; IDA's stack deltas are off by 4 after the sub_18410 call (its tail jump
; through READ_PORT_ULONG pops the argument): from loc_18795 on var_5C/var_4C/
; var_44/var_30 in the operands really are var_58/var_48/var_40/var_40, the
; raw [esp+6Ch] is the arg_0 slot (reused as scratch) and [esp+70h] is arg_4.
; The saved config dump occupies var_40..var_4.
; ---------------------------------------------------------------------------
sub_186B0 proc near
var_8C= dword ptr -8Ch
var_84= dword ptr -84h
var_6C= dword ptr -6Ch
var_5C= dword ptr -5Ch
var_58= dword ptr -58h
var_54= dword ptr -54h
var_50= dword ptr -50h
var_4C= dword ptr -4Ch
var_48= dword ptr -48h
var_44= dword ptr -44h
var_40= dword ptr -40h
var_38= dword ptr -38h
var_30= dword ptr -30h
var_8= dword ptr -8
arg_0= dword ptr 4
arg_4= dword ptr 8
        sub     esp, 58h
        cmp     [esp+58h+arg_4], 0FFFFFFFFh
        jnz     short loc_186C5
        mov     eax, 1                  ; arg_4 == -1: nothing to do
        add     esp, 58h
        retn    8
loc_186C5:
        push    ebx
        push    ebp
        push    esi
        mov     esi, [esp+64h+arg_0]
        push    edi
        mov     edi, ds:IoGetDeviceProperty
        lea     eax, [esp+68h+var_54]
        push    eax
        lea     ecx, [esp+6Ch+var_50]
        push    ecx                     ; &var_50 <- bus number
        push    4
        push    0Eh
        push    esi
        call    edi ; IoGetDeviceProperty
        lea     edx, [esp+68h+var_54]
        push    edx
        lea     eax, [esp+6Ch+var_4C]
        push    eax                     ; &var_4C <- bus address
        push    4
        push    10h
        push    esi
        call    edi ; IoGetDeviceProperty
        mov     ecx, [esp+68h+var_50]
        mov     eax, [esp+68h+var_4C]
        movzx   ebx, cx                 ; bus
        movzx   edx, cx
        mov     esi, ds:WRITE_PORT_ULONG
        mov     edi, eax
        movzx   ecx, bl
        or      ecx, 0FFFF8000h
        shl     ecx, 5
        shr     edi, 10h                ; edi = device (high word of the address)
        mov     ebp, edi
        and     ebp, 1Fh
        or      ecx, ebp
        mov     [esp+68h+arg_0], edx    ; arg_0 slot reused: bus byte
        movzx   edx, ax                 ; function
        add     ecx, ecx
        movzx   eax, ax
        add     ecx, ecx
        mov     [esp+68h+var_48], eax   ; var_48 = function
        add     ecx, ecx
        and     eax, 7
        or      ecx, eax
        shl     ecx, 8                  ; register 0: vendor / device ID
        push    ecx
        push    0CF8h
        mov     [esp+70h+var_58], edx   ; var_58 = function
        mov     [esp+70h+var_44], ebp   ; var_44 = device
        call    esi ; WRITE_PORT_ULONG
        push    0CFCh
        call    ds:READ_PORT_ULONG
        cmp     eax, 17121412h          ; device 1712h / vendor 1412h: skip
        jz      loc_188EF
        mov     edx, [esp+68h+arg_0]
        mov     ecx, [esp+68h+var_58]
        push    edx                     ; bus
        mov     eax, 4                  ; command register
        mov     edx, edi
        call    sub_18410               ; eax = command (pops its own argument)
        test    al, 5
        jnz     short loc_18795
        mov     ecx, [esp+6Ch+var_5C]   ; (= var_58, function)
        or      eax, 5
        push    eax                     ; value: command | 5
        mov     eax, [esp+70h]          ; bus (arg_0 slot)
        push    eax
        mov     eax, 4
        mov     edx, edi
        call    sub_183C0
loc_18795:
        mov     eax, [esp+6Ch+var_4C]   ; (= var_48, function)
        and     ebx, 0FFh
        mov     edi, ebx
        or      edi, 0FFFF8000h
        shl     edi, 5
        or      edi, ebp
        add     edi, edi
        add     edi, edi
        and     eax, 7
        add     edi, edi
        or      edi, eax
        lea     ecx, [esp+6Ch+var_44]   ; (= &var_40) destination of the config dump
        shl     edi, 8                  ; edi = CONFIG_ADDRESS of register 0
        mov     [esp+6Ch+var_4C], eax
        xor     ebp, ebp                ; ebp = register offset
        mov     [esp+6Ch], ecx          ; write pointer kept in the arg_0 slot
        jmp     short loc_187D0
        align   10h

loc_187D0:                              ; save offsets 0..3Ch
        mov     edx, ebp
        and     edx, 0FCh
        or      edx, edi
        push    edx
        push    0CF8h
        call    esi
        push    0CFCh
        call    ds:READ_PORT_ULONG
        mov     ecx, [esp+6Ch]
        mov     [ecx], eax
        add     ebp, 4
        add     ecx, 4
        cmp     bp, 40h
        mov     [esp+6Ch], ecx
        jb      short loc_187D0
        shl     ebx, 5
        or      ebx, [esp+24h]          ; device (var_44)
        add     ebx, ebx
        add     ebx, ebx
        add     ebx, ebx
        or      ebx, [esp+58h+var_38]   ; function (var_48)
        mov     ebp, ebx
        shl     ebp, 8                  ; ebp = bus/dev/fn part of CONFIG_ADDRESS
        mov     ebx, ebp
        or      ebx, 80000084h          ; register 84h
        push    ebx
        push    0CF8h
        call    esi
        push    3
        push    0CFCh
        call    esi                     ; [84h] = 3
        push    0
        push    0F4240h
        call    sub_115F0               ; presumably a delay
        push    ebx
        push    0CF8h
        call    esi
        push    0
        push    0CFCh
        call    esi                     ; [84h] = 0
        push    0
        push    1E8480h
        call    sub_115F0
        mov     ebx, ebp
        or      ebx, 80000004h          ; command register
        push    ebx
        push    0CF8h
        call    esi
        push    0CFCh
        call    ds:READ_PORT_ULONG
        test    al, 5
        mov     [esp+6Ch], eax
        jnz     short loc_18895
        push    ebx
        push    0CF8h
        call    esi
        mov     eax, [esp+6Ch]
        or      eax, 5
        push    eax
        push    0CFCh
        call    esi                     ; command |= 5
loc_18895:
        lea     eax, [esp+58h+var_30]   ; (= &var_40) start of the saved dump
        xor     ebx, ebx
        mov     [esp+6Ch], eax
        nop
loc_188A0:                              ; restore offsets 0..3Ch
        mov     ecx, ebx
        and     ecx, 0FCh
        or      ecx, edi
        push    ecx
        push    0CF8h
        call    esi
        mov     edx, [esp+6Ch]
        mov     eax, [edx]
        push    eax
        push    0CFCh
        call    esi
        add     dword ptr [esp+6Ch], 4
        add     ebx, 4
        cmp     bx, 40h
        jb      short loc_188A0
        mov     edi, ebp
        or      edi, 8000002Ch          ; register 2Ch: subsystem vendor / ID
        push    edi
        push    0CF8h
        call    esi
        push    0CFCh
        call    ds:READ_PORT_ULONG
        cmp     eax, [esp+70h]          ; == arg_4 ?
        jnz     short loc_188FE
loc_188EF:
        pop     edi
        pop     esi
        pop     ebp
        mov     eax, 1
        pop     ebx
        add     esp, 58h
        retn    8
loc_188FE:
        or      ebp, 80000040h          ; register 40h
        push    ebp
        push    0CF8h
        call    esi
        push    800000h
        push    0CFCh
        call    esi                     ; [40h] = 800000h
        mov     ebx, ds:READ_PORT_UCHAR
        push    80h
        call    ebx ; READ_PORT_UCHAR   ; I/O delay
        push    edi
        push    0CF8h
        call    esi
        mov     ecx, [esp+70h]
        push    ecx
        push    0CFCh
        call    esi                     ; [2Ch] = arg_4
        push    80h
        call    ebx ; READ_PORT_UCHAR
        push    ebp
        push    0CF8h
        call    esi
        push    0
        push    0CFCh
        call    esi                     ; [40h] = 0
        push    80h
        call    ebx ; READ_PORT_UCHAR
        push    edi
        push    0CF8h
        call    esi
        push    0CFCh
        call    ds:READ_PORT_ULONG      ; re-read 2Ch
        xor     edx, edx
        cmp     eax, [esp+68h+arg_4]
        pop     edi
        setz    dl                      ; 1 if it now matches arg_4
        pop     esi
        pop     ebp
        pop     ebx
        mov     eax, edx
        add     esp, 58h
        retn    8
sub_186B0 endp

; ---------------------------------------------------------------------------
; sub_18980(arg_0 = restore flag, arg_4 = PDO) stdcall:
;   arg_0 == 0 -> sub_18460(eax = PDO)  (save config space)
;   otherwise  -> sub_18580(eax = PDO)  (restore config space)
; ---------------------------------------------------------------------------
sub_18980 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
        cmp     [esp+arg_0], 0
        mov     eax, [esp+arg_4]
        jnz     short loc_18993
        call    sub_18460
        retn    8
loc_18993:
        call    sub_18580
        retn    8
sub_18980 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_189A0(arg_0, arg_4) stdcall: 16-byte equality test (an inlined memcmp --
; four dwords, then a byte-wise tail after the first mismatch). Returns 1 in
; eax if the blocks are identical, 0 otherwise; the sign of the difference is
; computed at loc_18A17 but collapsed to 0. Clobbers ecx, edx.
; ---------------------------------------------------------------------------
sub_189A0 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
        mov     eax, [esp+arg_4]
        mov     ecx, [esp+arg_0]
        push    esi
        push    edi
        mov     esi, 10h                ; bytes remaining
        nop
loc_189B0:                              ; dword compare loop
        mov     edx, [ecx]
        cmp     edx, [eax]
        jnz     short loc_189C8
        sub     esi, 4
        add     eax, 4
        add     ecx, 4
        cmp     esi, 4
        jnb     short loc_189B0
        test    esi, esi
        jz      short loc_18A31         ; all 16 bytes equal
loc_189C8:                              ; byte-wise tail (unrolled x4)
        movzx   edx, byte ptr [ecx]
        movzx   edi, byte ptr [eax]
        sub     edx, edi
        jnz     short loc_18A17
        sub     esi, 1
        add     eax, 1
        add     ecx, 1
        test    esi, esi
        jz      short loc_18A31
        movzx   edx, byte ptr [ecx]
        movzx   edi, byte ptr [eax]
        sub     edx, edi
        jnz     short loc_18A17
        sub     esi, 1
        add     eax, 1
        add     ecx, 1
        test    esi, esi
        jz      short loc_18A31
        movzx   edx, byte ptr [ecx]
        movzx   edi, byte ptr [eax]
        sub     edx, edi
        jnz     short loc_18A17
        sub     esi, 1
        add     eax, 1
        add     ecx, 1
        test    esi, esi
        jz      short loc_18A31
        movzx   edx, byte ptr [ecx]
        movzx   eax, byte ptr [eax]
        sub     edx, eax
        jz      short loc_18A31
loc_18A17:                              ; mismatch: eax = +1 / -1, result 0
        test    edx, edx
        mov     eax, 1
        jg      short loc_18A33
        or      eax, 0FFFFFFFFh
        xor     ecx, ecx
        test    eax, eax
        setz    cl
        pop     edi
        pop     esi
        mov     eax, ecx
        retn    8
; (tail of sub_189A0: eax == 0 means "equal"; result = (eax == 0))
loc_18A31:
        xor     eax, eax
loc_18A33:
        xor     ecx, ecx
        test    eax, eax
        setz    cl
        pop     edi
        pop     esi
        mov     eax, ecx
        retn    8
sub_189A0 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18A50(arg_0 = DeviceObject, arg_4 = Irp, arg_8 = Context) stdcall
; IoCompletion routine for a driver-allocated IRP. Drops the reference held
; on arg_0, then propagates the result to the IRP stored in the current
; stack location's Argument1 ([CurrentStackLocation+4]; presumably the
; originating request):
;   Status == STATUS_NOT_SUPPORTED (0C00000BBh) and Context != 0
;       -> original.Status = STATUS_UNSUCCESSFUL (0C0000001h)
;   otherwise -> original.Status/Information = completed IRP's
; Frees the completed IRP, completes the original with priority boost 0 and
; returns STATUS_MORE_PROCESSING_REQUIRED (0C0000016h) so the I/O manager
; does not touch the freed IRP.
; ---------------------------------------------------------------------------
sub_18A50 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
        mov     ecx, [esp+arg_0]
        push    esi
        call    ds:ObfDereferenceObject
        mov     eax, [esp+4+arg_4]      ; eax = completed IRP
        cmp     dword ptr [eax+18h], 0C00000BBh ; IoStatus.Status == STATUS_NOT_SUPPORTED?
        mov     ecx, [eax+60h]          ; Tail.Overlay.CurrentStackLocation
        mov     esi, [ecx+4]            ; esi = IRP stored in Argument1
        jnz     short loc_18A7E
        cmp     [esp+4+arg_8], 0
        jz      short loc_18A8A
        mov     dword ptr [esi+18h], 0C0000001h ; STATUS_UNSUCCESSFUL
        jmp     short loc_18A8A
loc_18A7E:
        mov     edx, [eax+18h]
        mov     [esi+18h], edx          ; copy Status
        mov     ecx, [eax+1Ch]
        mov     [esi+1Ch], ecx          ; copy Information
loc_18A8A:
        mov     edx, [eax+1Ch]
        push    eax
        mov     [esi+1Ch], edx          ; Information copied on every path
        call    ds:IoFreeIrp
        xor     dl, dl                  ; PriorityBoost = 0
        mov     ecx, esi
        call    ds:IofCompleteRequest
        mov     eax, 0C0000016h         ; STATUS_MORE_PROCESSING_REQUIRED
        pop     esi
        retn    0Ch
sub_18A50 endp
        align   10h

; loc_18AB0(DeviceObject, Irp, Context = power context): IoCompletion routine
; installed by sub_18B50 at loc_18E2B. Records Irp->IoStatus.Status in
; Context+0Ch and feeds event 1 into the state machine; its return value
; (the status kept by sub_18B50) is what the I/O manager sees.
loc_18AB0:
        mov     eax, [esp+8]            ; Irp
        mov     ecx, [eax+18h]          ; IoStatus.Status
        mov     eax, [esp+0Ch]          ; Context
        push    1                       ; event 1 = lower driver completed
        push    eax
        mov     [eax+0Ch], ecx
        call    sub_18B50
        retn    0Ch
        align   10h

; loc_18AD0(Parameter = Irp): worker routine queued by sub_18AF0.
; PoCallDriver(next stack location's DeviceObject, Irp) -- the next location
; is 24h bytes below the current one, so its DeviceObject field (+14h) is
; [CurrentStackLocation-10h].
loc_18AD0:
        mov     eax, [esp+4]
        push    eax                     ; Irp
        mov     eax, [eax+60h]
        mov     ecx, [eax-10h]          ; target device stored by sub_18AF0
        push    ecx
        call    ds:PoCallDriver
        retn    4
        align   10h

; ---------------------------------------------------------------------------
; sub_18AF0(arg_0 = DeviceObject, arg_4 = Irp) stdcall: PoCallDriver with an
; IRQL fallback. When byte_1E1C8 is set and KeGetCurrentIrql() != PASSIVE
; (0): mark the current stack location pending (Control |= 1, i.e.
; IoMarkIrpPending inlined), park the target device in the next location's
; DeviceObject field, build a WORK_QUEUE_ITEM inside the IRP at +40h
; (List=0, WorkerRoutine=loc_18AD0, Parameter=Irp), queue it on the
; DelayedWorkQueue (1) and return STATUS_PENDING (103h). Otherwise tail-jump
; to PoCallDriver.
; NOTE(review): ExQueueWorkItem does not hold a reference on the driver
; image while the item is queued (IoQueueWorkItem does) -- confirm unload
; cannot race with a queued item.
; ---------------------------------------------------------------------------
sub_18AF0 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
        cmp     byte_1E1C8, 0
        jz      short loc_18B3C
        call    ds:KeGetCurrentIrql
        test    al, al
        jz      short loc_18B3C         ; PASSIVE_LEVEL: call directly
        mov     ecx, [esp+arg_4]
        mov     eax, [ecx+60h]
        or      byte ptr [eax+3], 1     ; Control |= SL_PENDING_RETURNED
        mov     eax, [ecx+60h]
        mov     edx, [esp+arg_0]
        mov     [eax-10h], edx          ; next location's DeviceObject = target
        lea     eax, [ecx+40h]          ; WORK_QUEUE_ITEM overlaid on Irp+40h
        push    1                       ; DelayedWorkQueue
        push    eax
        mov     dword ptr [eax+8], offset loc_18AD0 ; WorkerRoutine
        mov     [eax+0Ch], ecx          ; Parameter = Irp
        mov     dword ptr [eax], 0
        call    ds:ExQueueWorkItem
        mov     eax, 103h               ; STATUS_PENDING
        retn    8
loc_18B3C:
        jmp     ds:PoCallDriver
sub_18AF0 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18B50(arg_0 = power context, arg_4 = event code) stdcall, 2 args
; Table-driven power-IRP state machine shared by the dispatch path, the
; IoCompletion routine loc_18AB0 (event 1) and the PoRequestPowerIrp callback
; loc_18ED0 (event 2). Context layout, from the accesses in the body:
;   +0   device extension     +4   IRP (may be NULL)   +8   state (1..12h)
;   +0Ch NTSTATUS             +14h power state         +18h saved state
;   +1Ch minor function (byte)
; next = dword_1E110[state*3 + event]; while next-1 <= 11h the handler
; off_18E88[next-1] runs and yields the following index in ecx; an index out
; of range ends the loop with STATUS_UNSUCCESSFUL (0C0000001h), otherwise
; the status accumulated in var_4 is returned.
; IDA shows a stack delta of 0 at the jump-table targets, so inside the
; handlers [esp+arg_C] is really var_4 (the returned status), [esp+arg_14] is
; arg_0 (overwritten with the IRP pointer at entry) and [esp+arg_18] is arg_4.
; The body continues on the next listing line.
; ---------------------------------------------------------------------------
sub_18B50 proc near
var_4= dword ptr -4
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_8= dword ptr 0Ch
arg_C= dword ptr 10h
arg_14= dword ptr 18h
arg_18= dword ptr 1Ch
        push    ecx                     ; var_4
        push    ebx
        push    ebp
        mov     ebp, [esp+0Ch+arg_0]    ; ebp = context
        push    esi
        push    edi
        mov     edi, [ebp+4]            ; edi = IRP
        test    edi, edi
        mov     [esp+14h+var_4], 0FFFFFFFFh ; status = "none yet"
        mov     [esp+14h+arg_0], edi    ; arg_0 slot now holds the IRP
        jz      short loc_18B71
        mov     esi, [edi+60h]          ; esi = current stack location
        jmp     short loc_18B73
loc_18B71:
        xor     esi, esi
loc_18B73:
        mov     eax, [ebp+8]            ; state
        mov     ecx, [esp+14h+arg_4]    ; event
        mov     ebx, [ebp+0]            ; ebx = device extension
        lea     edx, [ecx+eax*2]
; (body of sub_18B50 -- see its header on the previous listing line; the
;  proc starts there and ends on the next line)
        add     edx, eax                ; edx = state*3 + event
        mov     eax, dword_1E110[edx*4] ; next handler index (1-based)
        sub     eax, 1
        cmp     eax, 11h
        jbe     short loc_18BA4
        pop     edi
        pop     esi
        pop     ebp
        mov     eax, 0C0000001h         ; STATUS_UNSUCCESSFUL: no transition
        pop     ebx
        pop     ecx
        retn    8
        align   10h

loc_18BA0:                              ; loop entry from loc_18D80
        mov     ecx, [esp+arg_18]       ; ecx = event (arg_4)
loc_18BA4:
        mov     edx, [esp+arg_C]        ; edx = current status (var_4)
        jmp     ds:off_18E88[eax*4]

loc_18BAF:                              ; [1] start: mark pending, take the remove lock, classify the IRP
        mov     eax, [edi+60h]
        or      byte ptr [eax+3], 1     ; Control |= SL_PENDING_RETURNED
        push    edi
        lea     eax, [ebx+20h]
        push    eax
        mov     [esp+8+arg_C], 103h     ; status = STATUS_PENDING
        call    sub_18F50               ; acquire lock block at ext+20h (result unused)
        cmp     dword ptr [esi+8], 0    ; Parameters.Power.Type == SystemPowerState?
        jnz     short loc_18BF8
        mov     ecx, [esi+0Ch]          ; Parameters.Power.State
        cmp     ecx, [ebx+4Ch]
        jge     short loc_18BE7
        mov     ecx, 3
        mov     dword ptr [ebp+8], 1
        jmp     loc_18D80
loc_18BE7:
        mov     ecx, 6
        mov     dword ptr [ebp+8], 3
        jmp     loc_18D80
loc_18BF8:                              ; device power IRP
        mov     dword ptr [ebp+8], 0Bh
        mov     ecx, 2
        jmp     loc_18D80

loc_18C09:                              ; [2] device power: compare requested state with ext+48h
        cmp     byte ptr [esi+1], 2     ; MinorFunction == IRP_MN_SET_POWER?
        jnz     short loc_18C32
        mov     edx, [esi+0Ch]
        cmp     edx, [ebx+48h]
        jge     short loc_18C28
        mov     ecx, 3
        mov     dword ptr [ebp+8], 5
        jmp     loc_18D80
loc_18C28:
        mov     ecx, 0Dh
        jmp     loc_18D80
loc_18C32:
        mov     eax, [esi+0Ch]
        cmp     eax, [ebx+48h]
        jge     short loc_18C4B
        mov     ecx, 3
        mov     dword ptr [ebp+8], 9
        jmp     loc_18D80
loc_18C4B:
        mov     ecx, 11h
        jmp     loc_18D80

loc_18C55:                              ; [4] after completion: record the system state
        cmp     dword ptr [ebp+0Ch], 0
        jl      loc_18D7B               ; failed -> finish
        cmp     byte ptr [esi+1], 2
        jnz     short loc_18C6B
        mov     ecx, [esi+0Ch]
        mov     [ebx+4Ch], ecx          ; ext+4Ch = system power state
loc_18C6B:
        mov     ecx, 6
        mov     dword ptr [ebp+8], 2
        mov     [esp+arg_C], 0C0000016h ; status = STATUS_MORE_PROCESSING_REQUIRED
        jmp     loc_18D80

loc_18C84:                              ; [5] SET_POWER: record system state, then finish
        cmp     byte ptr [esi+1], 2
        jnz     loc_18D7B
        mov     edx, [esi+0Ch]
        mov     [ebx+4Ch], edx
        jmp     loc_18D7B

loc_18C99:                              ; [6] map system state -> device state into ctx+14h
        mov     eax, [esi+0Ch]
        cmp     eax, 1                  ; PowerSystemWorking?
        jnz     short loc_18CB4
        mov     [ebp+14h], eax          ; D0
        mov     al, [esi+1]
        mov     [ebp+1Ch], al           ; minor function
        mov     ecx, 7
        jmp     loc_18D80
loc_18CB4:
        mov     eax, [ebx+eax*4+60h]    ; DeviceState[state] from the capabilities copy at ext+50h
        cmp     eax, 4
        jge     short loc_18CC2
        mov     eax, 4                  ; never lighter than PowerDeviceD3
loc_18CC2:
        mov     [ebp+14h], eax
        mov     al, [esi+1]
        mov     [ebp+1Ch], al
        mov     ecx, 7
        jmp     loc_18D80

loc_18CD5:                              ; [7] request the device power IRP for the PDO
        cmp     byte_1E1C8, 0
        jz      short loc_18CFF
        mov     ecx, [ebp+14h]
        cmp     ecx, [ebx+48h]          ; already in that device state?
        jnz     short loc_18CFF
        mov     eax, [ebp+8]
        lea     edx, [eax+eax*2]
        mov     dword ptr [ebp+0Ch], 0
        mov     ecx, dword_1E118[edx*4] ; = dword_1E110[state*3 + 2]: take the event-2 transition inline
        jmp     loc_18D80
loc_18CFF:
        mov     eax, [ebp+14h]
        mov     ecx, [ebx+18h]          ; PDO
        push    0                       ; Irp = NULL
        push    ebp                     ; Context
        push    offset loc_18ED0        ; CompletionFunction
        push    eax                     ; PowerState
        movzx   eax, byte ptr [ebp+1Ch]
        push    eax                     ; MinorFunction
        push    ecx
        call    ds:PoRequestPowerIrp
        test    eax, eax
        jge     loc_18E60               ; pending: return, callback resumes the machine
        mov     [ebp+0Ch], eax
        jmp     short loc_18D7B

loc_18D27:                              ; [8] finish: PoStartNextPowerIrp, complete unless called from the completion routine
        push    edi
        call    ds:PoStartNextPowerIrp
        cmp     [esp+arg_18], 1         ; event 1: I/O manager completes it for us
        jnz     short loc_18D4D
        mov     edx, [ebp+0Ch]
        push    edi
        lea     ecx, [ebx+20h]
        push    ecx
        mov     [esp+8+arg_C], edx      ; status = ctx status
        call    sub_18F90               ; release the lock block
        mov     ecx, 9
        jmp     short loc_18D80
loc_18D4D:
        mov     eax, [ebp+0Ch]
        xor     dl, dl
        mov     ecx, edi
        mov     [edi+18h], eax          ; IoStatus.Status
        call    ds:IofCompleteRequest
        push    edi
        lea     ecx, [ebx+20h]
        push    ecx
        call    sub_18F90
        mov     ecx, 9
        jmp     short loc_18D80

loc_18D6E:                              ; [0Ah] status still -1 -> 0, then finish
        cmp     edx, 0FFFFFFFFh
loc_18D71:
        jnz     short loc_18D7B
        mov     [esp+arg_C], 0
loc_18D7B:
        mov     ecx, 8
loc_18D80:                              ; dispatch on the index left in ecx
        lea     eax, [ecx-1]
        cmp     eax, 11h
        jbe     loc_18BA0
        pop     edi
        pop     esi
        pop     ebp
        mov     eax, 0C0000001h         ; STATUS_UNSUCCESSFUL
        pop     ebx
        pop     ecx
        retn    8

loc_18D99:                              ; [0Bh] device IRP: forward if nothing failed
        cmp     edx, 0FFFFFFFFh
        jnz     short loc_18DA6
        mov     [esp+arg_C], 0
loc_18DA6:
        cmp     dword ptr [ebp+0Ch], 0
        jl      short loc_18D7B
        mov     dword ptr [ebp+8], 4
        mov     ecx, 3
        jmp     short loc_18D80

loc_18DBA:                              ; [0Ch] SET_POWER completed: swap in the new device state
        cmp     dword ptr [ebp+0Ch], 0
        jl      short loc_18D7B
        cmp     byte ptr [esi+1], 2
        jnz     short loc_18D7B
        mov     edx, [ebx+48h]
        mov     [ebp+18h], edx          ; remember the previous device state
        mov     eax, [esi+0Ch]
        mov     [esp+arg_C], 0C0000016h
        mov     [ebx+48h], eax          ; ext+48h = device power state
        mov     ecx, 0Fh
        jmp     short loc_18D80

loc_18DE1:                              ; [0Fh] clear the status only on event 2, then finish
        cmp     ecx, 2
        jmp     short loc_18D71

loc_18DE6:                              ; [0Dh]
        mov     ecx, 0Eh
        jmp     short loc_18D80

loc_18DED:                              ; [0Eh] raise ext+48h if the request asks for a deeper state, then forward
        cmp     ecx, 2
        jnz     short loc_18DFA
        mov     [esp+arg_C], 0
loc_18DFA:
        mov     dword ptr [ebp+8], 6
        mov     eax, [esi+0Ch]
        cmp     eax, [ebx+48h]
        mov     ecx, 3
        jle     loc_18D80
        mov     [ebx+48h], eax
        jmp     loc_18D80

loc_18E1A:                              ; [11h]
        mov     dword ptr [ebp+8], 0Ah
        mov     ecx, 3
        jmp     loc_18D80

loc_18E2B:                              ; [3] forward to the lower device with loc_18AB0 as completion routine
        mov     esi, [edi+60h]
        lea     eax, [esi-24h]          ; next stack location
        mov     edi, eax
        mov     ecx, 7
        rep movsd                       ; copy the current location (1Ch bytes, without completion/context)
        mov     ecx, [esp+arg_14]       ; IRP (arg_0 slot)
        mov     byte ptr [eax+3], 0
        mov     eax, [ecx+60h]
        sub     eax, 24h
        push    ecx
        mov     dword ptr [eax+1Ch], offset loc_18AB0 ; CompletionRoutine
        mov     [eax+20h], ebp          ; Context = power context
        mov     byte ptr [eax+3], 0E0h  ; invoke on success | error | cancel
        mov     ecx, [ebx+14h]          ; lower device
        push    ecx
        call    sub_18AF0
loc_18E60:
        mov     eax, [esp+arg_C]        ; return the accumulated status
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        pop     ecx
        retn    8

loc_18E6C:                              ; [9] done: free the context
        push    ebp
        mov     dword ptr [ebp+8], 0Ch
        call    ds:ExFreePool
        mov     eax, [esp+arg_C]
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        pop     ecx
        retn    8
sub_18B50 endp ; sp = 14h
        align   4

; Handler table of sub_18B50, indexed by (transition index - 1), 12h entries.
off_18E88 dd offset loc_18BAF
        dd offset loc_18C09
        dd offset loc_18E2B
        dd offset loc_18C55
        dd offset loc_18C84
        dd offset loc_18C99
        dd offset loc_18CD5
        dd offset loc_18D27
        dd offset loc_18E6C
        dd offset loc_18D6E
        dd offset loc_18D99
        dd offset loc_18DBA
        dd offset loc_18DE6
        dd offset loc_18DED
        dd offset loc_18DE1
        dd offset loc_18D7B
        dd offset loc_18E1A
        dd offset loc_18D7B

; loc_18ED0(DeviceObject, MinorFunction, PowerState, Context, IoStatus):
; PoRequestPowerIrp completion callback (stdcall, 5 args). Stores
; IoStatus->Status in Context+0Ch and feeds event 2 into sub_18B50.
loc_18ED0:
        mov     eax, [esp+14h]          ; IoStatus
        mov     ecx, [eax]              ; ->Status
        mov     eax, [esp+10h]          ; Context
        push    2                       ; event 2 = requested power IRP completed
        push    eax
        mov     [eax+0Ch], ecx
        call    sub_18B50
        retn    14h
        align   10h

; ---------------------------------------------------------------------------
; sub_18EF0(arg_0 = DeviceObject (unused), arg_4 = Irp) stdcall:
; PoStartNextPowerIrp(Irp); sub_17920(Irp, 0, 0) -- the "complete with
; STATUS_SUCCESS" default for power minor codes.
; ---------------------------------------------------------------------------
sub_18EF0 proc near
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, [esp+arg_4]
        push    esi
        call    ds:PoStartNextPowerIrp
        push    0
        push    0
        push    esi
        call    sub_17920
        pop     esi
        retn    8
sub_18EF0 endp
        align   10h

; loc_18F10(DeviceObject, Irp): IRP_MJ_POWER dispatch. MinorFunction < 4 is
; routed through off_1E1AC[minor](DeviceObject, Irp); anything else gets
; PoStartNextPowerIrp + sub_17920(Irp, 0, 0).
loc_18F10:
        push    esi
        mov     esi, [esp+0Ch]          ; Irp
        mov     eax, [esi+60h]
        movzx   eax, byte ptr [eax+1]   ; MinorFunction
        cmp     eax, 4
        push    esi
        jb      short loc_18F36
        call    ds:PoStartNextPowerIrp
        push    0
        push    0
        push    esi
        call    sub_17920
        pop     esi
        retn    8
loc_18F36:
        mov     ecx, [esp+0Ch]          ; DeviceObject
        mov     edx, off_1E1AC[eax*4]
        push    ecx
        call    edx ; sub_18EF0         ; handler pops both arguments
        pop     esi
        retn    8
        align   10h

; ---------------------------------------------------------------------------
; sub_18F50(arg_0 = lock block) stdcall, 2 args (second unused): acquire.
; Block layout: +0 LONG count, +4 BYTE "removed" flag, +8 KEVENT.
; Increments the count; if the removed flag is set, undoes the increment,
; signals the event when the count hits zero and returns
; STATUS_DELETE_PENDING (0C0000056h). Returns 0 on success.
; ---------------------------------------------------------------------------
sub_18F50 proc near
arg_0= dword ptr 8
        push    esi
        mov     esi, [esp+arg_0]
        mov     ecx, esi
        call    ds:InterlockedIncrement
        cmp     byte ptr [esi+4], 0
        jz      short loc_18F84
        mov     ecx, esi
        call    ds:InterlockedDecrement
        test    eax, eax
        jnz     short loc_18F7B
        push    eax                     ; Wait = FALSE (eax == 0)
        push    eax                     ; Increment = 0
        add     esi, 8
        push    esi
        call    ds:KeSetEvent
loc_18F7B:
        mov     eax, 0C0000056h         ; STATUS_DELETE_PENDING
        pop     esi
        retn    8
loc_18F84:
        xor     eax, eax
        pop     esi
        retn    8
sub_18F50 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_18F90(arg_0 = lock block) stdcall, 2 args (second unused): release.
; Decrements the count and signals the event at +8 when it reaches zero.
; ---------------------------------------------------------------------------
sub_18F90 proc near
arg_0= dword ptr 8
        push    esi
        mov     esi, [esp+arg_0]
        mov     ecx, esi
        call    ds:InterlockedDecrement
        test    eax, eax
        jnz     short loc_18FAD
        push    eax
        push    eax
        add     esi, 8
        push    esi
        call    ds:KeSetEvent
loc_18FAD:
        pop     esi
        retn    8
sub_18F90 endp
        align   2
; [00000006 BYTES: COLLAPSED FUNCTION memset. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND]

; sub_18FBE(this = ecx): base-class destructor -- only resets the vtable.
sub_18FBE proc near
        mov     dword ptr [ecx], offset off_1D69C
        retn
sub_18FBE endp

; The routines below use the hot-patchable "mov edi, edi / push ebp" prologue
; (compiler-generated, bp-based frames).

; Attributes: bp-based frame
; sub_18FC5(arg_0 = object) stdcall: AddRef -- InterlockedIncrement on the
; count at object+4 and return the new value.
sub_18FC5 proc near
arg_0= dword ptr 8
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        push    esi
        mov     esi, [ebp+arg_0]
        add     esi, 4
        mov     ecx, esi
        call    ds:InterlockedIncrement
        mov     eax, [esi]
        pop     esi
        pop     ebp
        retn    4
sub_18FC5 endp

; Attributes: bp-based frame
; sub_18FE0(arg_0 = object) stdcall: Release -- decrement the count at +4;
; when it reaches zero the count is bumped back to 1 and vtable slot 3 is
; called with flag 1 (the deleting destructor, cf. sub_18180/sub_1906D),
; returning 0; otherwise returns the remaining count.
sub_18FE0 proc near
arg_0= dword ptr 8
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        push    esi
        push    edi
        mov     edi, [ebp+arg_0]
        lea     esi, [edi+4]
        mov     ecx, esi
        call    ds:InterlockedDecrement
        test    eax, eax
        jnz     short loc_19008
        inc     dword ptr [esi]         ; guard against re-entrant release during destruction
        mov     eax, [edi]
        push    1                       ; flags: free the memory
        mov     ecx, edi
        call    dword ptr [eax+0Ch]     ; vtbl[3](this, 1)
        xor     eax, eax
        jmp     short loc_1900A
loc_19008:
        mov     eax, [esi]
loc_1900A:
        pop     edi
        pop     esi
        pop     ebp
        retn    4
sub_18FE0 endp

; Attributes: bp-based frame
; sub_19010(arg_0 = object, arg_4 = id, arg_8 = out pointer) stdcall --
; QueryInterface-like: *arg_8 = sub_179B0(arg_4, &dword_1D560) ? arg_0 : 0.
; On a match calls vtable slot 1 (AddRef) on the object and returns 0;
; otherwise STATUS_INVALID_PARAMETER (0C000000Dh).
sub_19010 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        push    offset dword_1D560
        push    [ebp+arg_4]
        call    sub_179B0
        mov     ecx, eax
        mov     eax, [ebp+arg_8]
        neg     ecx
        sbb     ecx, ecx                ; ecx = result ? -1 : 0
        and     ecx, [ebp+arg_0]
        mov     [eax], ecx
        mov     eax, ecx
        test    eax, eax
        jz      short loc_19040
        mov     ecx, [eax]
        push    eax
        call    dword ptr [ecx+4]       ; vtbl[1](obj)
        xor     eax, eax
        jmp     short loc_19045
loc_19040:
        mov     eax, 0C000000Dh         ; STATUS_INVALID_PARAMETER
loc_19045:
        pop     ebp
        retn    0Ch
sub_19010 endp

; Attributes: bp-based frame
; sub_19049(this = ecx, arg_0 = outer) thiscall constructor: count (+4) = 0,
; vtable = off_1D69C, +8 = arg_0 if non-NULL else this. Returns this.
sub_19049 proc near
arg_0= dword ptr 8
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        mov     eax, ecx
        mov     ecx, [ebp+arg_0]
        and     dword ptr [eax+4], 0
        test    ecx, ecx
        mov     dword ptr [eax], offset off_1D69C
        jz      short loc_19066
        mov     [eax+8], ecx
        jmp     short loc_19069
loc_19066:
        mov     [eax+8], eax
loc_19069:
        pop     ebp
        retn    4
sub_19049 endp

; Attributes: bp-based frame
; sub_1906D(this = ecx, arg_0 = flags) thiscall deleting destructor: resets
; the vtable and frees the object through sub_179F0 when arg_0 & 1.
sub_1906D proc near
arg_0= byte ptr 8
        mov     edi, edi
        push    ebp
        mov     ebp, esp
        test    [ebp+arg_0], 1
        push    esi
        mov     esi, ecx
        mov     dword ptr [esi], offset off_1D69C
        jz      short loc_19088
        push    esi
        call    sub_179F0
        pop     ecx
loc_19088:
        mov     eax, esi
        pop     esi
        pop     ebp
        retn    4
sub_1906D endp
        align   200h
_text ends

; Section 2. (virtual address 0000A000)
; Virtual size : 00001121 ( 4385.)
; Section size in file : 00001200 ( 4608.) ; Offset to raw data for section: 00008600 ; Flags 68000020: Text Not pageable Executable Readable ; Alignment : default ; Segment type: Pure code ; Segment permissions: Read/Execute page segment para public 'CODE' use32 assume cs:page ;org 1A000h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing loc_1A000: mov dword ptr [esp+4], offset unk_1E1C0 jmp ds:RtlFreeUnicodeString align 10h sub_1A010 proc near var_54= dword ptr -54h var_48= dword ptr -48h var_44= dword ptr -44h var_40= dword ptr -40h var_3C= dword ptr -3Ch var_34= dword ptr -34h var_30= dword ptr -30h var_28= dword ptr -28h var_24= dword ptr -24h var_20= dword ptr -20h var_1C= dword ptr -1Ch var_18= dword ptr -18h arg_0= dword ptr 4 sub esp, 8 push ebx mov ebx, [esp+0Ch+arg_0] lea eax, [esp+0Ch+arg_0] push eax push 0 push 100h push 22h push 0 push 0E4h push ebx call ds:IoCreateDevice test eax, eax mov [esp+4], eax jl loc_1A155 mov ecx, [esp+10h] push ebp push esi mov esi, [ecx+28h] push edi push 1 push ebx call ds:IoGetDriverObjectExtension mov edx, [esp+18h+arg_0] mov ebp, [esp+20h] push 0 push 0 mov edi, eax push 0 lea eax, [esi+20h] push eax mov [esi+10h], edx mov [esi+18h], ebp mov [esi+1Ch], ebx call sub_1B0A0 mov dword ptr [esi+40h], 0 mov ecx, [esp+18h+arg_0] push ebp push ecx call ds:IoAttachDeviceToDeviceStack test eax, eax mov [esi+14h], eax jnz short loc_1A0CD cmp [esi+3Ch], eax mov dword ptr [esp+10h], 0C00002B6h jz short loc_1A0A6 lea eax, [esi+38h] push eax call ds:RtlFreeUnicodeString loc_1A0A6: mov esi, [esi+14h] test esi, esi jz short loc_1A0B4 push esi call ds:IoDetachDevice loc_1A0B4: mov ecx, [esp+18h+arg_0] push ecx call ds:IoDeleteDevice mov eax, [esp+10h] pop edi pop esi pop ebp pop ebx add esp, 8 retn 8 loc_1A0CD: mov eax, [esp+18h+arg_0] or dword ptr [eax+1Ch], 2000h mov ebx, 1 mov eax, ebx push eax mov [esi+4Ch], ebx mov [esi+48h], ebx mov edx, [esp+1Ch+arg_0] push ebx push edx call ds:PoSetPowerState mov eax, 
[esp+18h+arg_0] and dword ptr [eax+1Ch], 0FFFFFF7Fh mov ecx, [esi+18h] lea edx, [esp+14h] push edx lea eax, [esp+24h] push eax push 4 push 10h push ecx call ds:IoGetDeviceProperty mov eax, [esp+20h] mov ecx, [edi+4] xor edx, edx shr eax, 10h test ax, ax setnz dl cmp ecx, [edi+0Ch] mov [edi+8], edx jnb short loc_1A14E movzx edx, ax add edx, ebx mov [esi+8], edx mov eax, [edi+8] lea eax, [eax+eax*2] cmp dword ptr [edi+eax*8+14h], 0 lea eax, [edi+eax*8] jnz short loc_1A14E mov ecx, [esp+18h+arg_0] mov [eax+18h], ecx loc_1A14E: mov eax, [esp+10h] pop edi pop esi pop ebp loc_1A155: pop ebx add esp, 8 retn 8 sub_1A010 endp align 10h loc_1A160: mov eax, [esp+4] mov ecx, [eax+28h] test byte ptr [ecx], 1 jz short loc_1A175 mov [esp+4], eax jmp loc_1AF70 loc_1A175: mov [esp+4], eax jmp loc_1AAD0 align 10h sub_1A180 proc near var_4= dword ptr -4 arg_0= dword ptr 4 mov eax, [esp+arg_0] push ebp mov ebp, ds:IoDeleteDevice push esi mov esi, [eax+28h] push edi xor edi, edi cmp [esi+0D0h], edi jbe short loc_1A1B9 push ebx lea ebx, [esi+90h] loc_1A1A1: mov eax, [ebx] test eax, eax jz short loc_1A1AA push eax call ebp ; IoDeleteDevice loc_1A1AA: add edi, 1 add ebx, 4 cmp edi, [esi+0D0h] jb short loc_1A1A1 pop ebx loc_1A1B9: cmp dword ptr [esi+0DCh], 0 jz short loc_1A1D1 push 0 lea ecx, [esi+0D8h] push ecx call ds:IoSetDeviceInterfaceState loc_1A1D1: lea edx, [esi+38h] push edx call ds:RtlFreeUnicodeString mov esi, [esi+14h] test esi, esi jz short loc_1A1E9 push esi call ds:IoDetachDevice loc_1A1E9: mov eax, [esp+0Ch+arg_0] push eax call ebp ; IoDeleteDevice pop edi pop esi pop ebp retn 4 sub_1A180 endp align 10h loc_1A200: push ecx mov eax, [esp+8] mov eax, [eax+28h] push ebp push esi mov esi, [esp+14h] push edi mov [esp+14h], eax add eax, 20h push esi push eax mov [esp+14h], eax call sub_18F50 mov edi, eax xor ebp, ebp cmp edi, ebp jge short loc_1A242 xor dl, dl mov ecx, esi mov [esi+18h], edi mov [esi+1Ch], ebp call ds:IofCompleteRequest mov eax, edi pop edi pop esi pop ebp pop 
ecx retn 8 loc_1A242: push ebx mov ebx, [esi+60h] cmp dword ptr [ebx+0Ch], 2A3BB8h jnz short loc_1A26E mov ecx, [esp+18h] mov ecx, [ecx+0E0h] cmp ecx, ebp jz short loc_1A26E mov eax, [esi+0Ch] push eax push ecx call sub_1FB60 mov ebp, [ebx+4] mov edi, eax jmp short loc_1A273 loc_1A26E: mov edi, 0C0000010h loc_1A273: mov edx, [esp+10h] push esi push edx call sub_18F90 xor dl, dl mov ecx, esi mov [esi+18h], edi mov [esi+1Ch], ebp call ds:IofCompleteRequest pop ebx mov eax, edi pop edi pop esi pop ebp pop ecx retn 8 align 10h loc_1A2A0: mov eax, [esp+4] mov ecx, [eax+28h] add ecx, 4 call ds:InterlockedIncrement mov ecx, [esp+8] xor eax, eax xor dl, dl mov [ecx+18h], eax mov [ecx+1Ch], eax call ds:IofCompleteRequest xor eax, eax retn 8 align 10h loc_1A2D0: mov eax, [esp+4] mov ecx, [eax+28h] add ecx, 4 call ds:InterlockedDecrement mov ecx, [esp+8] xor eax, eax xor dl, dl mov [ecx+18h], eax mov [ecx+1Ch], eax call ds:IofCompleteRequest xor eax, eax retn 8 align 10h sub_1A300 proc near var_10= dword ptr -10h arg_0= dword ptr 4 arg_4= dword ptr 8 sub esp, 10h push ebx push esi push edi push 0 push 0 lea eax, [esp+24h+var_10] push eax call ds:KeInitializeEvent mov ebx, [esp+1Ch+arg_4] mov esi, [ebx+60h] mov edx, [esp+1Ch+arg_0] lea eax, [esi-24h] mov edi, eax mov ecx, 7 rep movsd mov byte ptr [eax+3], 0 mov eax, [ebx+60h] sub eax, 24h lea ecx, [esp+1Ch+var_10] mov dword ptr [eax+1Ch], offset loc_17990 mov [eax+20h], ecx mov byte ptr [eax+3], 0E0h mov eax, [edx+28h] mov ecx, [eax+14h] mov edx, ebx call ds:IofCallDriver push 0 push 0 push 0 push 0 lea ecx, [esp+2Ch+var_10] push ecx call ds:KeWaitForSingleObject mov eax, [ebx+18h] pop edi pop esi pop ebx add esp, 10h retn 8 sub_1A300 endp align 10h sub_1A380 proc near var_8= dword ptr -8 var_4= dword ptr -4 arg_0= dword ptr 4 push esi mov esi, [esp+4+arg_0] mov ecx, [esi+1Ch] lea eax, [esp+4+arg_0] push eax push 0 push 180h push 22h push 0 push 10h push ecx call ds:IoCreateDevice test eax, eax jl short loc_1A3E4 mov edx, 
[esp+10h+var_8] mov eax, [edx+28h] mov dword ptr [eax], 1 mov ecx, [esp+10h+var_8] mov [eax+8], ecx mov edx, [esi+10h] mov ecx, [esp+10h+var_4] mov [eax+0Ch], edx mov edx, [esp+10h] mov [eax+4], ecx mov eax, [esp+10h+var_8] and dword ptr [eax+1Ch], 0FFFFFF7Fh mov eax, [esp+10h+var_8] mov [edx], eax add dword ptr [esi+0D0h], 1 xor eax, eax loc_1A3E4: pop esi retn 0Ch sub_1A380 endp ; sp = -0Ch align 10h sub_1A3F0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov edx, [esp+arg_4] add byte ptr [edx+23h], 1 add dword ptr [edx+60h], 24h mov eax, [esp+arg_0] mov eax, [eax+28h] mov ecx, [eax+14h] call ds:IofCallDriver retn 8 sub_1A3F0 endp align 10h sub_1A410 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov eax, [esp+arg_0] push edi mov edi, [eax+28h] cmp dword ptr [edi+40h], 3 jnz short loc_1A444 push esi mov esi, [esp+8+arg_4] push esi push eax call sub_1A300 test eax, eax jl short loc_1A434 mov ecx, [edi+44h] mov [edi+40h], ecx loc_1A434: mov edx, [esi+1Ch] push edx push eax push esi call sub_17920 pop esi pop edi retn 8 loc_1A444: mov edx, [esp+4+arg_4] add byte ptr [edx+23h], 1 add dword ptr [edx+60h], 24h mov eax, [eax+28h] mov ecx, [eax+14h] call ds:IofCallDriver pop edi retn 8 sub_1A410 endp sub_1A460 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov eax, [esp+arg_0] push edi mov edi, [eax+28h] cmp dword ptr [edi+40h], 2 jnz short loc_1A495 push esi mov esi, [esp+8+arg_4] push esi push eax call sub_1A300 test eax, eax jl short loc_1A485 mov dword ptr [edi+40h], 1 loc_1A485: mov ecx, [esi+1Ch] push ecx push eax push esi call sub_17920 pop esi pop edi retn 8 loc_1A495: mov edx, [esp+4+arg_4] add byte ptr [edx+23h], 1 add dword ptr [edx+60h], 24h mov eax, [eax+28h] mov ecx, [eax+14h] call ds:IofCallDriver pop edi retn 8 sub_1A460 endp align 10h sub_1A4C0 proc near arg_0= dword ptr 4 arg_4= dword ptr 8 mov ecx, [esp+arg_0] push ebx mov ebx, [esp+4+arg_4] mov eax, [ebx+60h] push esi mov esi, [ecx+28h] push edi mov edi, [eax+4] mov edx, 1 cmp [edi+2], dx jnb 
short loc_1A4FC add [ebx+23h], dl add eax, 24h mov [ebx+60h], eax mov ecx, [ecx+28h] mov ecx, [ecx+14h] mov edx, ebx call ds:IofCallDriver pop edi pop esi pop ebx retn 8 loc_1A4FC: push ebx push ecx call sub_1A300 test eax, eax jl short loc_1A517 mov edx, [ebx+60h] lea edi, [esi+50h] mov esi, [edx+4] mov ecx, 10h rep movsd loc_1A517: mov ecx, [ebx+1Ch] push ecx push eax push ebx call sub_17920 pop edi pop esi pop ebx retn 8 sub_1A4C0 endp align 10h sub_1A530 proc near var_4= dword ptr -4 arg_0= dword ptr 4 arg_4= dword ptr 8 push ecx mov ecx, [esp+4+arg_0] mov edx, [ecx+28h] push edi mov edi, [esp+8+arg_4] mov eax, [edi+60h] cmp dword ptr [eax+4], 0 mov [esp+8+var_4], edx jz short loc_1A567 add byte ptr [edi+23h], 1 add eax, 24h mov [edi+60h], eax mov ecx, [ecx+28h] mov ecx, [ecx+14h] mov edx, edi call ds:IofCallDriver pop edi pop ecx retn 8 loc_1A567: push ebx mov ebx, [edi+1Ch] test ebx, ebx push ebp push esi mov [esp+14h+arg_4], 0 push 504F5752h jz short loc_1A5AD mov ebp, [ebx] lea ebp, ds:0Ch[ebp*4] push ebp push 1 call ds:ExAllocatePoolWithTag mov esi, eax test esi, esi jz short loc_1A612 add ebp, 0FFFFFFF8h push ebp push ebx push esi call memcpy add esp, 0Ch push ebx call ds:ExFreePool jmp short loc_1A5CB loc_1A5AD: mov eax, [edx+0D0h] lea ecx, ds:8[eax*4] push ecx push 1 call ds:ExAllocatePoolWithTag mov esi, eax mov dword ptr [esi], 0 loc_1A5CB: mov eax, [esp+14h+var_4] xor ebp, ebp cmp [eax+0D0h], ebp jbe short loc_1A609 lea ebx, [eax+90h] nop loc_1A5E0: mov ecx, [ebx] test ecx, ecx jz short loc_1A5FB call ds:ObfReferenceObject mov eax, [ebx] mov edx, [esi] mov [esi+edx*4+4], eax add dword ptr [esi], 1 mov eax, [esp+14h+var_4] loc_1A5FB: add ebp, 1 add ebx, 4 cmp ebp, [eax+0D0h] jb short loc_1A5E0 loc_1A609: mov eax, [esp+14h+arg_4] mov [edi+1Ch], esi jmp short loc_1A617 loc_1A612: mov eax, 0C000009Ah loc_1A617: add byte ptr [edi+23h], 1 add dword ptr [edi+60h], 24h mov ecx, [esp+14h+arg_0] mov [edi+18h], eax mov eax, [ecx+28h] mov ecx, [eax+14h] mov edx, 
edi                                     ; (completes `mov edx, edi`: edx = Irp, ecx = lower device)
        call    ds:IofCallDriver
        pop     esi
        pop     ebp
        pop     ebx
        pop     edi
        pop     ecx
        retn    8
sub_1A530 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1A640(DeviceObject, Irp) -- off_1E028 index 1 (IRP_MN_QUERY_REMOVE_DEVICE
; in the public numbering).  Refuses while devext+0D4h (the counter that
; sub_1AE20/sub_1AE40 bump via InterlockedIncrement/Decrement) is non-zero.
; In:   [esp+4] = DeviceObject, [esp+8] = Irp   Out: eax = NTSTATUS
;-----------------------------------------------------------------------
sub_1A640 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, [esp+arg_0]
        mov     eax, [esi+28h]          ; devext
        cmp     dword ptr [eax+0D4h], 0 ; outstanding references on this device?
        jz      short loc_1A664
        mov     eax, [esp+arg_4]
        push    0C0000001h              ; STATUS_UNSUCCESSFUL
        push    eax
        call    sub_17950               ; two-argument complete helper (Irp, Status), inferred from use
        pop     esi
        retn    8
loc_1A664:
        mov     ecx, [eax+40h]          ; devext+40h: PnP state (1 = started, set in sub_1A9D0)
        cmp     ecx, 1
        jnz     short loc_1A693
        cmp     byte_1E1C8, 0           ; set in start when WDM 1.10 is NOT available
        jz      short loc_1A693
        mov     edx, [eax+10h]
        cmp     dword ptr [edx+4], 0
        jz      short loc_1A693
        mov     eax, [esp+arg_4]
        push    0
        push    80000011h               ; STATUS_DEVICE_BUSY
        push    eax
        call    sub_17920
        pop     esi
        retn    8
loc_1A693:
        mov     edx, [esp+arg_4]        ; edx = Irp
        mov     [eax+44h], ecx          ; remember the previous state (for CANCEL_REMOVE, presumably)
        mov     dword ptr [eax+40h], 3  ; state 3 = remove pending
        add     byte ptr [edx+23h], 1   ; skip current stack location
        add     dword ptr [edx+60h], 24h
        mov     eax, [esi+28h]
        mov     ecx, [eax+14h]          ; lower device object
        call    ds:IofCallDriver
        pop     esi
        retn    8
sub_1A640 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1A6C0(DeviceObject, Irp) -- off_1E028 index 5 (IRP_MN_QUERY_STOP_DEVICE).
; Same reference-count veto as sub_1A640; moves state 1 -> 2 and forwards.
;-----------------------------------------------------------------------
sub_1A6C0 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
        mov     ecx, [esp+arg_0]
        mov     eax, [ecx+28h]
        cmp     dword ptr [eax+0D4h], 0
        jz      short loc_1A6E2
        mov     eax, [esp+arg_4]
        push    0C0000001h              ; STATUS_UNSUCCESSFUL
        push    eax
        call    sub_17950
        retn    8
loc_1A6E2:
        cmp     dword ptr [eax+40h], 1  ; started?
        mov     edx, [esp+arg_4]
        jz      short loc_1A703
        add     byte ptr [edx+23h], 1   ; not started: just forward
        add     dword ptr [edx+60h], 24h
        mov     ecx, [ecx+28h]
        mov     ecx, [ecx+14h]
        call    ds:IofCallDriver
        retn    8
loc_1A703:
        mov     dword ptr [eax+40h], 2  ; state 2 = stop pending
        add     byte ptr [edx+23h], 1
        add     dword ptr [edx+60h], 24h
        mov     eax, [ecx+28h]
        mov     ecx, [eax+14h]
        call    ds:IofCallDriver
        retn    8
sub_1A6C0 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1A730 -- teardown helper used by the REMOVE / STOP / SURPRISE_REMOVAL
; handlers.  Non-standard convention: eax = DeviceObject on entry.
; Looks up the driver-object extension (id 1) and releases this device's
; slot in the table of 24-byte entries at ext+14h.
; Clobbers: eax, ecx, edx (ebx is saved/restored around sub_1F610).
;-----------------------------------------------------------------------
sub_1A730 proc near
        push    ebp
        mov     ebp, [eax+28h]          ; ebp = devext
        mov     eax, [eax+8]            ; DeviceObject->DriverObject
        push    esi
        push    edi
        push    1                       ; extension id (allocated in start)
        push    eax
        call    ds:IoGetDriverObjectExtension
        mov     esi, eax                ; esi = driver extension (not NULL-checked)
        xor     edi, edi                ; edi = 0, used for every clear below
        cmp     [esi+10h], edi          ; ext+10h: set by sub_1A7A0 once both slots are populated
        jz      short loc_1A765
        mov     edx, [esi+44h]
        mov     ecx, [esi+18h]          ; ext+18h: slot 0 device object
        push    ebx
        mov     ebx, [ecx+28h]          ; its devext
        push    edx
        call    sub_1F610               ; release ext+44h (the sub_1F590 result stored by sub_1A7A0)
        mov     [esi+44h], edi
        mov     [ebx+0E0h], edi
        pop     ebx
loc_1A765:
        mov     eax, [ebp+8]            ; devext+8: slot index + 1 (0 = none)
        cmp     eax, edi
        jz      short loc_1A792
        add     eax, 0FFFFFFFFh         ; slot = value - 1
        mov     [esi+8], eax
        lea     eax, [eax+eax*2]        ; slot*3
        cmp     [esi+eax*8+14h], edi    ; entry = ext+14h + slot*24; entry[0] in use?
        lea     eax, [esi+eax*8]
        jz      short loc_1A792
        mov     [eax+18h], edi          ; entry[4] (slot device object) = 0
        mov     eax, [esi+8]
        lea     ecx, [eax+eax*2]
        mov     [esi+ecx*8+14h],        ; entry[0] = 0 (operand edi continues on the next listing line)
edi                                     ; (completes `mov [esi+ecx*8+14h], edi` from the previous listing line)
        add     dword ptr [esi+4], 0FFFFFFFFh ; ext+4: device count--
        mov     [esi+10h], edi          ; ext+10h = 0
loc_1A792:
        pop     edi
        pop     esi
        pop     ebp
        retn
sub_1A730 endp ; sp = 0Ch
; NOTE(review): "sp = 0Ch" is IDA reporting an unbalanced stack delta; the
; pushes and pops above are balanced, so this most likely comes from IDA's
; purge guess for the IoGetDriverObjectExtension import.  The same guess
; appears to shift the var_ labels in sub_1A7A0 after that call.
        align 10h
;-----------------------------------------------------------------------
; sub_1A7A0 -- START_DEVICE worker called from sub_1A9D0.
; Non-standard convention: ecx = CM_PARTIAL_RESOURCE_LIST (raw), eax =
; CM_PARTIAL_RESOURCE_LIST (translated), [esp+4] = DeviceObject.
; Out: eax = NTSTATUS (0C0000182h = STATUS_DEVICE_CONFIGURATION_ERROR when
; either list is NULL).
; Walks the 16-byte CM_PARTIAL_RESOURCE_DESCRIPTORs: Type 1 (port) start
; addresses are collected into the var_40.. array, Type 2 (interrupt)
; level/vector/affinity into bl/ebp/var_54, Type 3 (memory) start into
; var_50; then records them in this device's slot of the driver extension
; and, once both slots are filled, creates the shared object (sub_1F590)
; and registers the device interface unk_1D550.
;-----------------------------------------------------------------------
sub_1A7A0 proc near
var_54= dword ptr -54h
var_50= dword ptr -50h
var_4C= byte ptr -4Ch
var_48= dword ptr -48h
var_44= dword ptr -44h
var_40= dword ptr -40h
var_3C= dword ptr -3Ch
var_38= dword ptr -38h
var_34= dword ptr -34h
arg_0= dword ptr 4
        sub     esp, 54h
        mov     edx, [esp+54h+arg_0]    ; DeviceObject
        push    ebx
        push    ebp
        xor     ebp, ebp                ; ebp = 0 (later: interrupt vector)
        xor     bl, bl                  ; bl = 0 (later: interrupt level)
        cmp     ecx, ebp
        push    edi
        mov     edi, [edx+28h]          ; edi = devext
        mov     [esp+60h+var_44], ebp
        mov     [esp+60h+var_50], ebp
        mov     [esp+60h+var_4C], bl
        mov     [esp+60h+var_54], ebp
        mov     [esp+60h+var_48], ebp
        jz      loc_1A95D               ; raw list NULL
        cmp     eax, ebp
        jz      loc_1A95D               ; translated list NULL
        mov     ecx, [ecx+4]            ; PartialResourceList.Count (taken from the raw list)
        add     eax, 8                  ; -> first PartialDescriptor of the translated list
        cmp     ecx, ebp
        push    esi
        jbe     short loc_1A824         ; Count == 0
        lea     edx, [esp+64h+var_40]   ; edx -> next free port-base slot
        mov     esi, ecx                ; esi = descriptors remaining
loc_1A7E6:
        movzx   ecx, byte ptr [eax]     ; descriptor Type
        sub     ecx, 1
        jz      short loc_1A810         ; Type 1: CmResourceTypePort
        sub     ecx, 1
        jz      short loc_1A801         ; Type 2: CmResourceTypeInterrupt
        sub     ecx, 1
        jnz     short loc_1A818         ; anything else is ignored
        mov     ecx, [eax+4]            ; Type 3: CmResourceTypeMemory, Start.LowPart
        mov     [esp+64h+var_50], ecx
        jmp     short loc_1A818
loc_1A801:
        mov     ecx, [eax+0Ch]          ; Interrupt.Affinity
        mov     ebp, [eax+8]            ; Interrupt.Vector
        mov     bl, [eax+4]             ; Interrupt.Level (low byte)
        mov     [esp+64h+var_54], ecx
        jmp     short loc_1A818
loc_1A810:
        mov     ecx, [eax+4]            ; Port.Start.LowPart
        mov     [edx], ecx
        add     edx, 4
        ; NOTE(review): port slots are consumed in order with no bound
        ; check against the var_40.. area; the list comes from the PnP
        ; manager, but a descriptor set with more port ranges than slots
        ; would overwrite neighbouring locals.
loc_1A818:
        add     eax, 10h                ; sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR)
        sub     esi, 1
        jnz     short loc_1A7E6
        mov     [esp+64h+var_4C], bl    ; keep the interrupt level
loc_1A824:
        mov     edx, [esp+64h+arg_0]
        mov     eax, [edx+8]            ; DeviceObject->DriverObject
        push    1
        push    eax
        call    ds:IoGetDriverObjectExtension
        ; NOTE(review): from here on IDA's frame constant reads 58h instead
        ; of 64h (see the sp note on sub_1A730), so the var_ names below
        ; appear not to match the slots initialised above; resolve them by
        ; raw esp displacement when mapping fields (esp+14h is the Type-3
        ; memory start, esp+10h the interrupt affinity, under the
        ; entry-time frame).
        mov     esi, eax                ; esi = driver extension (not NULL-checked)
        mov     eax, [edi+8]            ; devext+8: slot index + 1
        test    eax, eax
        jz      short loc_1A893
        add     eax, 0FFFFFFFFh
        mov     [esi+8], eax            ; ext+8 = slot
        lea     ecx, [eax+eax*2]
        cmp     dword ptr [esi+ecx*8+14h], 0 ; entry = ext+14h + slot*24; already in use?
        lea     eax, [esi+ecx*8]
        jnz     short loc_1A893
        cmp     dword ptr [eax+18h], 0  ; entry[4] (slot device object) must be set
        jz      short loc_1A893
        mov     ecx, 1
        mov     [eax+14h], ecx          ; entry[0] = 1: in use
        mov     eax, [esi+8]
        lea     edx, [eax+eax*2]
        mov     eax, [esp+58h+var_44]
        mov     [esi+edx*8+1Ch], eax    ; entry[8]
        mov     eax, [esi+8]
        lea     edx, [eax+eax*2]
        mov     [esi+edx*8+20h], ebp    ; entry[0Ch] = interrupt vector
        mov     eax, [esi+8]
        lea     eax, [eax+eax*2]
        mov     [esi+eax*8+24h], bl     ; entry[10h] = interrupt level
        mov     eax, [esi+8]
        lea     edx, [eax+eax*2]
        mov     eax, [esp+58h+var_48]
        mov     [esi+edx*8+28h], eax    ; entry[14h]
        add     [esi+4], ecx            ; ext+4: device count++
        jmp     short loc_1A898
loc_1A893:
        mov     ecx, 1
loc_1A898:
        cmp     dword ptr [esi+14h], 0  ; slot 0 entry[0] ...
        jz      short                   ; (target loc_1A8B3 on the next listing line)
loc_1A8B3                               ; (target of the `jz short` that ends the previous listing line)
        cmp     dword ptr [esi+18h], 0  ; ... slot 0 entry[4]
        jz      short loc_1A8B3
        cmp     dword ptr [esi+2Ch], 0  ; slot 1 entry[0] (ext+14h + 24)
        jz      short loc_1A8B3
        cmp     dword ptr [esi+30h], 0  ; slot 1 entry[4]
        jz      short loc_1A8B3
        mov     [esi+10h], ecx          ; both slots populated: ext+10h = 1
loc_1A8B3:
        cmp     dword ptr [esi+10h], 0
        jz      loc_1A94F               ; not yet complete: return the zeroed local (success)
        mov     edx, [edi+18h]
        mov     eax, [esp+58h+var_48]
        lea     ecx, [esp+58h+var_3C]
        push    ecx
        mov     ecx, [esp+5Ch+var_40]
        push    edx
        push    eax
        push    ecx
        push    ebp                     ; interrupt vector
        lea     edx, [esp+6Ch+var_34]
        push    edx
        push    esi                     ; driver extension
        call    sub_1F590               ; builds the shared object from the collected resources (inferred)
        test    eax, eax
        mov     [edi+0E0h], eax         ; devext+0E0h = shared object (may be NULL)
        mov     dword ptr [edi+0D0h], 0 ; devext+0D0h: child count = 0
        jz      short loc_1A915
        mov     eax, [edi+18h]          ; devext+18h: the PDO, presumably
        lea     ebp, [edi+0D8h]         ; devext+0D8h: UNICODE_STRING for the symbolic link
        push    ebp
        push    0                       ; ReferenceString = NULL
        push    offset unk_1D550        ; interface class GUID
        push    eax
        call    ds:IoRegisterDeviceInterface
        test    eax, eax
        jl      short loc_1A915         ; registration failed: the interface simply stays disabled
        push    1                       ; Enable = TRUE
        push    ebp
        call    ds:IoSetDeviceInterfaceState
loc_1A915:
        mov     eax, [edi+0E0h]
        mov     edx, [esi+30h]          ; slot 1 device object
        mov     ecx, [esi+18h]          ; slot 0 device object
        mov     [esi+44h], eax          ; ext+44h = shared object (released by sub_1A730)
        mov     edx, [edx+28h]
        mov     ecx, [ecx+28h]
        mov     [edx+0E0h], eax         ; propagate to both slot devices
        mov     [ecx+0E0h], eax
        ; NOTE(review): this path is also taken when sub_1F590 returned
        ; NULL (jz above), so NULL is propagated and sub_1A380 still runs;
        ; confirm that callers tolerate devext+0E0h == 0.
        lea     eax, [edi+90h]          ; child object array
        push    eax
        push    1
        push    edi
        call    sub_1A380
        pop     esi
        pop     edi
        pop     ebp
        pop     ebx
        add     esp, 54h
        retn    4
loc_1A94F:
        mov     eax, [esp+58h+var_38]   ; esp+20h: zeroed at entry (var_44 under the entry-time frame) -> STATUS_SUCCESS
        pop     esi
        pop     edi
        pop     ebp
        pop     ebx
        add     esp, 54h
        retn    4
loc_1A95D:
        pop     edi
        pop     ebp
        mov     eax, 0C0000182h         ; STATUS_DEVICE_CONFIGURATION_ERROR
        pop     ebx
        add     esp, 54h
        retn    4
sub_1A7A0 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1A970(DeviceObject, Irp) -- off_1E028 index 2 (IRP_MN_REMOVE_DEVICE).
; Tears down (sub_1A730) unless QUERY_REMOVE (state 3) / SURPRISE_REMOVAL
; (state 4) already did, sets state 5, waits for outstanding users via
; sub_1B0D0 on devext+20h, forwards the IRP, then calls sub_1A180
; (detach/delete, presumably) and returns the lower driver's status.
;-----------------------------------------------------------------------
sub_1A970 proc near
arg_0= dword ptr 10h
arg_4= dword ptr 14h
        push    ebx
        push    esi
        push    edi
        mov     edi, [esp+arg_0]        ; edi = DeviceObject
        mov     ebx, [edi+28h]          ; ebx = devext
        mov     eax, [ebx+40h]          ; PnP state
        cmp     eax, 3
        jz      short loc_1A98E
        cmp     eax, 4
        jz      short loc_1A98E
        mov     eax, edi
        call    sub_1A730               ; eax = DeviceObject (register convention)
loc_1A98E:
        mov     esi, [esp+arg_4]        ; esi = Irp
        mov     dword ptr [ebx+40h], 5  ; state 5 = removed
        push    esi
        add     ebx, 20h
        push    ebx                     ; devext+20h: lock block (see sub_1B0A0/sub_1B0D0)
        call    sub_1B0D0
        mov     eax, edi
        call    sub_1A730               ; second call is a no-op once the slot entry is cleared
        add     byte ptr [esi+23h], 1   ; skip current stack location
        add     dword ptr [esi+60h], 24h
        mov     eax, [edi+28h]
        mov     ecx, [eax+14h]
        mov     edx, esi
        call    ds:IofCallDriver
        push    edi
        mov     esi, eax                ; keep the lower driver's status
        call    sub_1A180
        pop     edi
        mov     eax, esi
        pop     esi
        pop     ebx
        retn    8
sub_1A970 endp
;-----------------------------------------------------------------------
; sub_1A9D0(DeviceObject, Irp) -- off_1E028 index 0 (IRP_MN_START_DEVICE).
; Sends the IRP down first (sub_1A300), then hands the raw/translated
; CM_PARTIAL_RESOURCE_LISTs to sub_1A7A0 and marks state 1 on success.
;-----------------------------------------------------------------------
sub_1A9D0 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, [esp+arg_0]        ; esi = DeviceObject
        mov     eax, [esi+28h]
        mov     ecx, [eax+18h]
        push    edi
        push    41543134h               ; 4-char tag/ID passed to sub_186B0
        push    ecx
        call    sub_186B0
        mov     edi, [esp+4+arg_4]      ; edi = Irp
        push    edi
        push    esi
        call    sub_1A300               ; appears to forward the IRP synchronously; result checked below
        test                            ; (operands `eax, eax` continue on the next listing line)
eax, eax                                ; (completes `test eax, eax`: the sub_1A300 status)
        jge     short loc_1AA06
        mov     edx, [edi+1Ch]          ; lower driver failed: complete with its status/Information
        push    edx
        push    eax
        push    edi
        call    sub_17920
        pop     edi
        pop     esi
        retn    8
loc_1AA06:
        mov     edx, [edi+60h]          ; current stack location
        mov     eax, [edx+4]            ; Parameters.StartDevice.AllocatedResources
        test    eax, eax
        push    ebx
        mov     ebx, [esi+28h]          ; ebx = devext
        jz      short loc_1AA19
        lea     ecx, [eax+0Ch]          ; -> List[0].PartialResourceList (CM_RESOURCE_LIST + 0Ch)
        jmp     short loc_1AA1B
loc_1AA19:
        xor     ecx, ecx
loc_1AA1B:
        mov     edx, [edx+8]            ; Parameters.StartDevice.AllocatedResourcesTranslated
        test    edx, edx
        jz      short loc_1AA27
        lea     eax, [edx+0Ch]
        jmp     short loc_1AA29
loc_1AA27:
        xor     eax, eax
loc_1AA29:
        push    esi
        call    sub_1A7A0               ; ecx = raw list, eax = translated list, [esp] = DeviceObject
        test    eax, eax
        jl      short loc_1AA3A
        mov     dword ptr [ebx+40h], 1  ; state 1 = started
loc_1AA3A:
        push    0                       ; Information = 0
        push    eax                     ; Status
        push    edi                     ; Irp
        call    sub_17920
        pop     ebx
        pop     edi
        pop     esi
        retn    8
sub_1A9D0 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AA50(DeviceObject, Irp) -- off_1E028 index 4 (IRP_MN_STOP_DEVICE).
; Only acts if QUERY_STOP moved the state to 2; then tears down and
; resets the state to 0 before forwarding.
;-----------------------------------------------------------------------
sub_1AA50 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, [esp+arg_0]        ; DeviceObject
        push    edi
        mov     edi, [esi+28h]          ; devext
        cmp     dword ptr [edi+40h], 2  ; stop pending?
        jnz     short loc_1AA6D
        mov     eax, esi
        call    sub_1A730
        mov     dword ptr [edi+40h], 0  ; state 0 = stopped
loc_1AA6D:
        mov     edx, [esp+4+arg_4]      ; edx = Irp
        add     byte ptr [edx+23h], 1   ; skip current stack location
        add     dword ptr [edx+60h], 24h
        mov     esi, [esi+28h]
        mov     ecx, [esi+14h]          ; lower device object
        call    ds:IofCallDriver
        pop     edi
        pop     esi
        retn    8
sub_1AA50 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AA90(DeviceObject, Irp) -- off_1E028 index 17h (IRP_MN_SURPRISE_REMOVAL).
; State 4, teardown, status set to STATUS_SUCCESS, forwarded.
;-----------------------------------------------------------------------
sub_1AA90 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, [esp+arg_0]
        mov     eax, [esi+28h]
        mov     dword ptr [eax+40h], 4  ; state 4 = surprise removed
        mov     eax, esi
        call    sub_1A730
        mov     edx, [esp+arg_4]        ; Irp
        add     byte ptr [edx+23h], 1
        add     dword ptr [edx+60h], 24h
        mov     dword ptr [edx+18h], 0  ; IoStatus.Status = STATUS_SUCCESS
        mov     esi, [esi+28h]
        mov     ecx, [esi+14h]
        call    ds:IofCallDriver
        pop     esi
        retn    8
sub_1AA90 endp
        align 10h
;-----------------------------------------------------------------------
; loc_1AAD0(DeviceObject, Irp) -- FDO PnP dispatcher (no proc header in the
; IDA listing).  Takes the lock at devext+20h via sub_18F50, dispatches
; minor functions below 18h through off_1E028 (24 entries), forwards the
; rest, and releases the lock with sub_18F90.
;-----------------------------------------------------------------------
loc_1AAD0:
        push    ebx
        mov     ebx, [esp+8]            ; DeviceObject
        mov     eax, [ebx+28h]          ; devext
        push    esi
        mov     esi, [esp+10h]          ; esi = Irp
        push    edi
        lea     edi, [eax+20h]          ; edi = devext+20h (lock block)
        push    esi
        push    edi
        call    sub_18F50               ; acquire; NTSTATUS in eax
        test    eax, eax
        jge     short loc_1AAFB
        push    0
        push    eax
        push    esi
        call    sub_17920               ; acquire failed: complete with that status
        pop     edi
        pop     esi
        pop     ebx
        retn    8
loc_1AAFB:
        mov     eax, [esi+60h]
        push    ebp
        movzx   ebp, byte ptr [eax+1]   ; MinorFunction
        cmp     ebp, 18h
        jb      short loc_1AB32         ; unsigned bound check against the 24-entry off_1E028 table
        add     byte ptr [esi+23h], 1   ; unknown minor: skip and forward
        add     eax, 24h
        mov     [esi+60h], eax
        mov     ebx, [ebx+28h]
        mov     ecx, [ebx+14h]
        mov     edx, esi
        call    ds:IofCallDriver
        push    esi
        push    edi
        mov     ebx, eax                ; preserve the status across the release call
        call    sub_18F90
        pop     ebp
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        retn    8
loc_1AB32:
        mov     eax,                    ; (operand `off_1E028[ebp*4]` continues on the next listing line)
off_1E028[ebp*4]                        ; (completes `mov eax, off_1E028[ebp*4]`: handler for this minor function)
        push    esi                     ; Irp
        push    ebx                     ; DeviceObject
        call    eax                     ; one of the off_1E028 handlers (entry 0 is sub_1A9D0)
        cmp     ebp, 2                  ; IRP_MN_REMOVE_DEVICE?
        mov     ebx, eax
        jz      short loc_1AB4B         ; REMOVE already ran the lock down in sub_1A970; do not release again
        push    esi
        push    edi
        call    sub_18F90               ; release devext+20h
loc_1AB4B:
        pop     ebp
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        retn    8
        align 10h
;-----------------------------------------------------------------------
; sub_1AB60(DeviceObject, Irp) -- off_1E0A8 index 13h (IRP_MN_QUERY_ID)
; for the child PDO.  Builds the ID string in a 128-byte stack buffer,
; copies it to a paged-pool block terminated by a second NUL (multi-sz
; form) and completes the IRP with the block as Information.
;   IdType 0 (BusQueryDeviceID)    -> "ESI\ESP1010e_%02d"
;   IdType 1 (BusQueryHardwareIDs) -> "ESI\ESP1010e_%02d"
;   IdType 3 (BusQueryInstanceID)  -> "%04d"
;   anything else                  -> STATUS_NOT_SUPPORTED
; The only variable input is devext+4 (an int printed with %02d/%04d), so
; the 64-WCHAR buffer cannot be overrun despite the unbounded swprintf.
;-----------------------------------------------------------------------
sub_1AB60 proc near
var_80= dword ptr -80h
arg_0= dword ptr 4
arg_4= dword ptr 8
        sub     esp, 80h
        mov     eax, [esp+80h+arg_0]    ; DeviceObject
        push    ebp
        push    esi
        mov     esi, [eax+28h]          ; esi = devext
        push    7Eh
        lea     ecx, [esp+8Ch+var_80+2]
        push    0
        push    ecx
        mov     word ptr [esp+94h+var_80], 0
        call    memset                  ; zero the whole 128-byte buffer (word 0 + 7Eh bytes)
        mov     ebp, [esp+94h+arg_4]    ; ebp = Irp
        mov     edx, [ebp+60h]
        mov     eax, [edx+4]            ; Parameters.QueryId.IdType
        add     esp, 0Ch
        sub     eax, 0
        jz      short loc_1ABF5         ; 0: BusQueryDeviceID
        sub     eax, 1
        jz      short loc_1ABD7         ; 1: BusQueryHardwareIDs
        sub     eax, 2
        jz      short loc_1ABBE         ; 3: BusQueryInstanceID
        push    0
        push    0C00000BBh              ; STATUS_NOT_SUPPORTED (covers 2 = BusQueryCompatibleIDs)
        push    ebp
        call    sub_17920
        pop     esi
        pop     ebp
        add     esp, 80h
        retn    8
loc_1ABBE:
        mov     eax, [esi+4]            ; devext+4: instance number
        push    eax
        lea     ecx, [esp+8Ch+var_80]
        push    offset a04d             ; "%04d"
        push    ecx
        call    ds:swprintf
        add     esp, 0Ch
        jmp     short loc_1AC16
loc_1ABD7:
        mov     edx, [esi+4]
        push    edx
        push    offset aEsiEsp1010e     ; "ESI\ESP1010e"
        lea     eax, [esp+90h+var_80]
        push    offset aWs_02d          ; "%ws_%02d"
        push    eax
        call    ds:swprintf
        add     esp, 10h
        jmp     short loc_1AC16
loc_1ABF5:
        mov     ecx, [esi+4]
        push    ecx
        push    offset aEsp1010e        ; "ESP1010e"
        push    offset aEsi             ; "ESI"
        lea     edx, [esp+94h+var_80]
        push    offset aWsWs_02d        ; "%ws\%ws_%02d"
        push    edx
        call    ds:swprintf
        add     esp, 14h
loc_1AC16:
        lea     eax, [esp+88h+var_80]
        lea     edx, [eax+2]
        lea     ecx, [ecx+0]            ; alignment padding
loc_1AC20:
        mov     cx, [eax]               ; inline wcslen
        add     eax, 2
        test    cx, cx
        jnz     short loc_1AC20
        sub     eax, edx                ; bytes excluding the terminator
        push    edi
        sar     eax, 1
        mov     edi, eax                ; edi = length in WCHARs
        push    504F5752h               ; pool tag
        lea     eax, [edi+edi+4]        ; (len + 2) WCHARs: string + NUL + second NUL
        push    eax
        push    1                       ; PagedPool
        call    ds:ExAllocatePoolWithTag
        test    eax, eax
        jnz     short loc_1AC60
        push    eax                     ; Information = 0
        push    0C000009Ah              ; STATUS_INSUFFICIENT_RESOURCES
        push    ebp
        call    sub_17920
        pop     edi
        pop     esi
        pop     ebp
        add     esp, 80h
        retn    8
loc_1AC60:
        lea     ecx, [esp+8Ch+var_80]   ; ecx walks the source
        mov     esi, eax
        mov     edx, ecx
        sub     esi, edx                ; esi = dst - src, so [esi+ecx] is the destination
        lea     ebx, [ebx+0]            ; alignment padding
loc_1AC70:
        movzx   edx, word ptr [ecx]
        mov     [esi+ecx], dx           ; copy including the first NUL
        add     ecx, 2
        test    dx, dx
        jnz     short loc_1AC70
        push    eax                     ; Information = ID block
        push    0                       ; STATUS_SUCCESS
        push    ebp
        mov     [eax+edi*2+2], dx       ; second NUL (dx == 0 here)
        call    sub_17920
        pop     edi
        pop     esi
        pop     ebp
        add     esp, 80h
        retn    8
sub_1AB60 endp
        align 10h
sub_1ACA0 proc near
arg_0=                                  ; (`dword ptr 8` continues on the next listing line)
dword ptr 8                             ; (completes `arg_0= dword ptr 8` from the previous listing line)
arg_4= dword ptr 0Ch
;-----------------------------------------------------------------------
; sub_1ACA0(DeviceObject, Irp) -- off_1E0A8 index 7 (IRP_MN_QUERY_DEVICE_RELATIONS)
; for the child PDO.  Only Type 4 (TargetDeviceRelation) is answered: a
; one-entry DEVICE_RELATIONS holding a referenced pointer to the PDO
; itself.  Other types complete with the status already in the IRP.
;-----------------------------------------------------------------------
        push    ebx
        mov     ebx, [esp+arg_4]        ; ebx = Irp
        mov     eax, [ebx+60h]
        cmp     dword ptr [eax+4], 4    ; Parameters.QueryDeviceRelations.Type == TargetDeviceRelation?
        push    ebp
        mov     ebp, [ebx+1Ch]          ; existing Information
        push    edi
        mov     edi, [ebx+18h]          ; existing Status (returned unchanged for other types)
        jnz     short loc_1ACFB
        push    esi
        push    504F5752h               ; pool tag
        push    8                       ; Count + one pointer
        push    1                       ; PagedPool
        call    ds:ExAllocatePoolWithTag
        mov     esi, eax
        test    esi, esi
        jz      short loc_1ACE3
        mov     ecx, [esp+0Ch+arg_0]    ; ecx = DeviceObject (the PDO)
        mov     dword ptr [esi], 1      ; Count = 1
        mov     [esi+4], ecx            ; Objects[0] = PDO
        call    ds:ObfReferenceObject   ; the caller of the relation dereferences it
        xor     edi, edi                ; STATUS_SUCCESS
        jmp     short loc_1ACE8
loc_1ACE3:
        mov     edi, 0C000009Ah         ; STATUS_INSUFFICIENT_RESOURCES
loc_1ACE8:
        test    esi, esi
        jz      short loc_1ACFA         ; allocation failed: Information untouched
        test    ebp, ebp
        jz      short loc_1ACF7
        push    ebp
        call    ds:ExFreePool           ; drop a list left by a previous driver
loc_1ACF7:
        mov     [ebx+1Ch], esi          ; Information = relations
loc_1ACFA:
        pop     esi
loc_1ACFB:
        xor     dl, dl                  ; PriorityBoost = 0
        mov     ecx, ebx                ; Irp
        mov     [ebx+18h], edi          ; IoStatus.Status
        call    ds:IofCompleteRequest
        mov     eax, edi
        pop     edi
        pop     ebp
        pop     ebx
        retn    8
sub_1ACA0 endp
;-----------------------------------------------------------------------
; sub_1AD10(DeviceObject, Irp) -- off_1E0A8 index 0Ch (IRP_MN_QUERY_DEVICE_TEXT):
; completes the IRP with whatever status is already in IoStatus.Status.
;-----------------------------------------------------------------------
sub_1AD10 proc near
arg_4= dword ptr 8
        mov     ecx, [esp+arg_4]        ; Irp
        push    esi
        mov     esi, [ecx+18h]          ; keep IoStatus.Status as the return value
        xor     dl, dl
        call    ds:IofCompleteRequest
        mov     eax, esi
        pop     esi
        retn    8
sub_1AD10 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AD30(DeviceObject, Irp) -- default PDO PnP handler in off_1E0A8
; (indices 9, 0Fh..12h, 14h..16h, 18h).  Re-issues the request as a new
; IRP to the device stack above devext+0Ch (the parent), with sub_18A50 as
; completion routine, marks the original pending and returns STATUS_PENDING.
; Offsets follow the public IRP / IO_STACK_LOCATION layout (stack
; locations are 24h bytes; +3 Control, +14h DeviceObject,
; +1Ch CompletionRoutine, +20h Context).
;-----------------------------------------------------------------------
sub_1AD30 proc near
var_4= dword ptr -4
arg_0= dword ptr 4
arg_4= dword ptr 8
        mov     eax, [esp+arg_0]
        mov     ecx, [eax+28h]          ; devext
        mov     eax, [ecx+0Ch]          ; devext+0Ch: parent device object
        push    ebx
        push    ebp
        push    esi
        mov     esi, [esp+0Ch+arg_4]    ; esi = original Irp
        mov     ebx, [esi+60h]          ; ebx = its current stack location
        push    eax
        call    ds:IoGetAttachedDeviceReference
        mov     ebp, eax                ; ebp = top of the parent's stack (referenced)
        movzx   edx, byte ptr [ebp+30h] ; DeviceObject->StackSize
        add     dl, 1                   ; one extra location for our own context
        push    0                       ; ChargeQuota = FALSE
        push    edx                     ; StackSize
        call    ds:IoAllocateIrp
        test    eax, eax
        jnz     short loc_1AD76
        ; NOTE(review): on this failure path the reference taken by
        ; IoGetAttachedDeviceReference (ebp) is not released before the
        ; original IRP is completed -- it appears to be leaked under pool
        ; pressure.  On the success path the release presumably happens in
        ; sub_18A50 (not in view).
        mov     eax, [esi+1Ch]
        push    eax
        push    0C000009Ah              ; STATUS_INSUFFICIENT_RESOURCES
        push    esi
        call    sub_17920
        pop     esi
        pop     ebp
        pop     ebx
        retn    8
loc_1AD76:
        mov     ecx, [eax+60h]          ; new IRP: CurrentStackLocation (one past the top)
        mov     [ecx-20h], esi          ; next location's first Parameters dword = original Irp
        sub     ecx, 24h
        mov     [ecx+14h], ebp          ; next location's DeviceObject = attached device
        add     dword ptr [eax+60h], 0FFFFFFDCh ; IoSetNextIrpStackLocation (current -= 24h)
        mov     edx, [eax+60h]
        add     byte ptr [eax+23h], 0FFh ; CurrentLocation--
        add     edx, 0FFFFFFDCh         ; edx = the location the lower driver will see
        push    edi
        mov     esi, ebx
        mov     ecx, 7
        mov     edi, edx
        rep movsd                       ; copy 1Ch bytes of the original stack location (codes, Parameters, DeviceObject/FileObject)
        mov     byte ptr [edx+3], 0     ; clear Control
        mov     bl, [ebx+1]             ; MinorFunction
        cmp     bl, 19h
        pop     edi
        jnb     short loc_1ADB4
        movzx   ecx, bl
        mov     dl, byte_1E088[ecx]     ; per-minor completion context flag (32-byte table in _data)
        jmp     short loc_1ADB6
loc_1ADB4:
        mov     dl, 1
loc_1ADB6:
        mov     ecx, [eax+60h]
        sub     ecx, 24h
        movzx   edx, dl
        mov     [ecx+20h], edx          ; Context
        mov     dword ptr [ecx+1Ch], offset sub_18A50 ; CompletionRoutine
        mov     byte ptr [ecx+3], 0E0h  ; Control: invoke on success | error | cancel
        mov     ecx, [esp+0Ch+arg_4]    ; original Irp
        mov     dword ptr [eax+18h],    ; (value 0C00000BBh on the next listing line: new IRP starts as STATUS_NOT_SUPPORTED)
0C00000BBh                              ; (completes `mov dword ptr [eax+18h], 0C00000BBh`: STATUS_NOT_SUPPORTED)
        mov     ecx, [ecx+60h]          ; original Irp's current stack location
        or      byte ptr [ecx+3], 1     ; SL_PENDING_RETURNED, i.e. IoMarkIrpPending on the original
        mov     edx, eax                ; edx = new Irp
        mov     ecx, ebp                ; ecx = attached device (fastcall)
        call    ds:IofCallDriver
        pop     esi
        pop     ebp
        mov     eax, 103h               ; STATUS_PENDING
        pop     ebx
        retn    8
sub_1AD30 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AE00(DeviceObject, Irp) -- off_1E0A8 default for the minors the PDO
; answers itself: complete with STATUS_SUCCESS, return 0.
;-----------------------------------------------------------------------
sub_1AE00 proc near
arg_4= dword ptr 8
        mov     ecx, [esp+arg_4]        ; Irp
        xor     dl, dl                  ; PriorityBoost = 0
        mov     dword ptr [ecx+18h], 0  ; IoStatus.Status = STATUS_SUCCESS
        call    ds:IofCompleteRequest
        xor     eax, eax
        retn    8
sub_1AE00 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AE20(Context) -- InterfaceReference callback handed out by
; sub_1AEA0; Context is the parent devext, the counter lives at +0D4h.
;-----------------------------------------------------------------------
sub_1AE20 proc near
arg_0= dword ptr 4
        mov     ecx, [esp+arg_0]
        add     ecx, 0D4h               ; ecx = &devext->refcount (fastcall Addend)
        call    ds:InterlockedIncrement
        retn    4
sub_1AE20 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AE40(Context) -- InterfaceDereference counterpart of sub_1AE20.
;-----------------------------------------------------------------------
sub_1AE40 proc near
arg_0= dword ptr 4
        mov     ecx, [esp+arg_0]
        add     ecx, 0D4h
        call    ds:InterlockedDecrement
        retn    4
sub_1AE40 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AE60(DeviceObject, Irp) -- off_1E0A8 index 2 (IRP_MN_REMOVE_DEVICE)
; for the child PDO: drops one reference on the parent's +0D4h counter
; (only while it is positive) and completes with STATUS_SUCCESS.
;-----------------------------------------------------------------------
sub_1AE60 proc near
arg_0= dword ptr 4
arg_4= dword ptr 8
        mov     eax, [esp+arg_0]
        mov     ecx, [eax+28h]          ; PDO devext
        mov     edx, [ecx+0Ch]          ; devext+0Ch: parent device object
        mov     eax, [edx+28h]          ; parent devext
        cmp     dword ptr [eax+0D4h], 0
        lea     ecx, [eax+0D4h]
        jle     short loc_1AE82         ; signed test: skip when the counter is <= 0
        call    ds:InterlockedDecrement
loc_1AE82:
        mov     ecx, [esp+arg_4]
        xor     dl, dl
        mov     dword ptr [ecx+18h], 0  ; STATUS_SUCCESS
        call    ds:IofCompleteRequest
        xor     eax, eax
        retn    8
sub_1AE60 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1AEA0(DeviceObject, Irp) -- off_1E0A8 index 8 (IRP_MN_QUERY_INTERFACE)
; for the child PDO.  Parameters.QueryInterface layout as public:
; +4 InterfaceType (GUID*), +8 Size, +0Ah Version, +0Ch Interface.
; Only GUID unk_1D550, Version >= 1 and Size >= 1Ch are served; the
; 1Ch-byte INTERFACE is filled with Context = parent devext,
; Reference/Dereference = sub_1AE20/sub_1AE40, an entry point loc_1F000,
; the shared object at parent devext+0E0h and this PDO's devext+4.
; Other GUIDs go to the parent stack via sub_1AD30.
;-----------------------------------------------------------------------
sub_1AEA0 proc near
arg_0= dword ptr 0Ch
arg_4= dword ptr 10h
        push    esi
        push    edi
        mov     edi, [esp+arg_4]        ; edi = Irp
        mov     esi, [edi+60h]          ; esi = current stack location
        mov     eax, [esi+4]            ; InterfaceType GUID pointer
        push    offset unk_1D550
        push    eax
        call    sub_189A0               ; GUID compare; non-zero = match (inferred from the branch)
        test    eax, eax
        jnz     short loc_1AECB
        mov     ecx, [esp+arg_0]
        push    edi
        push    ecx
        call    sub_1AD30               ; not ours: forward up the parent's stack
        pop     edi
        pop     esi
        retn    8
loc_1AECB:
        movzx   ecx, word ptr [esi+0Ah] ; Version
        mov     eax, 1
        cmp     cx, ax
        jnb     short loc_1AEF0         ; Version >= 1 continues with eax == 1
        movzx   eax, cx                 ; cx is 0 here, so this test never branches
        test    ax, ax
        jnz     short loc_1AEF0
loc_1AEE1:
        mov     edx, [edi+18h]          ; Version 0: complete with the existing status
        push    edx
        push    edi
        call    sub_17950
        pop     edi
        pop     esi
        retn    8
loc_1AEF0:
        mov     ecx, [esp+arg_0]
        mov     edx, [ecx+28h]          ; edx = PDO devext
        mov     ecx, [edx+0Ch]          ; parent device object
        mov     ecx, [ecx+28h]          ; ecx = parent devext
        movzx   eax, ax
        sub     eax, 1                  ; eax is 1 on every path that reaches here, so this never rejects
        jnz     short loc_1AEE1
        cmp     word ptr [esi+8], 1Ch   ; Size large enough for the 1Ch-byte interface?
        jnb     short loc_1AF1C
        push    0C000000Dh              ; STATUS_INVALID_PARAMETER
        push    edi
        call    sub_17950
        pop     edi
        pop     esi
        retn    8
loc_1AF1C:
        mov     eax, [esi+0Ch]          ; eax = caller's INTERFACE buffer
        mov     [eax+4], ecx            ; Context = parent devext
        mov     word ptr [eax], 1Ch     ; Size
        mov     word ptr [eax+2], 1     ; Version
        mov     dword ptr [eax+8], offset sub_1AE20  ; InterfaceReference
        mov     dword ptr [eax+0Ch], offset sub_1AE40 ; InterfaceDereference
        mov     dword ptr [eax+10h], offset loc_1F000 ; interface entry point (PAGE section)
        mov     esi, [ecx+0E0h]
        mov     [eax+14h], esi          ; shared object
        mov                             ; (`edx, [edx+4]` continues on the next listing line)
edx, [edx+4]                            ; (completes `mov edx, [edx+4]`: this PDO's devext+4 instance number)
        add     ecx, 0D4h               ; ecx = &parent devext refcount
        mov     [eax+18h], edx          ; last INTERFACE field
        call    ds:InterlockedIncrement ; handing out the interface counts as a reference (checked by sub_1A640)
        push    0
        push    0                       ; STATUS_SUCCESS
        push    edi
        call    sub_17920
        pop     edi
        pop     esi
        retn    8
sub_1AEA0 endp
        align 10h
;-----------------------------------------------------------------------
; loc_1AF70(DeviceObject, Irp) -- child PDO PnP dispatcher (no proc header
; in the IDA listing).  Minor functions below 19h tail-jump into the
; 25-entry off_1E0A8 table with the caller's frame intact (every target
; returns with retn 8); larger minors complete with the existing status.
;-----------------------------------------------------------------------
loc_1AF70:
        mov     ecx, [esp+8]            ; Irp
        mov     eax, [ecx+60h]
        movzx   eax, byte ptr [eax+1]   ; MinorFunction
        cmp     eax, 19h
        jb      short loc_1AF92         ; unsigned bound check matching the table size
        push    esi
        mov     esi, [ecx+18h]          ; unknown minor: return IoStatus.Status unchanged
        xor     dl, dl
        call    ds:IofCompleteRequest
        mov     eax, esi
        pop     esi
        retn    8
loc_1AF92:
        mov     edx, off_1E0A8[eax*4]
        mov     [esp+8], ecx            ; rewrites the Irp argument with itself (compiler artifact)
        jmp     edx                     ; tail call into the handler
        align 10h
;-----------------------------------------------------------------------
; loc_1AFA0(DeviceObject, Irp) -- FDO power dispatcher (IRP_MJ_POWER).
; Holds the devext+20h lock around the work.  SET_POWER (minor 2) with
; Parameters.Power.Type 1 (DevicePowerState) to state 1 (D0) / 4 (D3)
; calls sub_1F210 on the shared object with 1 / 0; SET_POWER and
; QUERY_POWER (minor 3) are then handed to sub_18B50 with a 20h-byte
; non-paged context; everything else is passed down with
; PoStartNextPowerIrp/PoCallDriver.
;-----------------------------------------------------------------------
loc_1AFA0:
        mov     eax, [esp+4]            ; DeviceObject
        push    ebx
        push    esi
        mov     esi, [esp+10h]          ; esi = Irp
        push    edi
        mov     edi, [eax+28h]          ; edi = devext
        push    esi
        lea     ebx, [edi+20h]          ; ebx = lock block
        push    ebx
        call    sub_18F50               ; acquire
        test    eax, eax
        jge     short loc_1AFCB
        push    0
        push    eax
        push    esi
        call    sub_17920               ; acquire failed: complete with that status
        pop     edi
        pop     esi
        pop     ebx
        retn    8
loc_1AFCB:
        mov     eax, [esi+60h]
        movzx   ecx, byte ptr [eax+1]   ; MinorFunction
        cmp     ecx, 2                  ; IRP_MN_SET_POWER
        jz      short loc_1B007
        cmp     ecx, 3                  ; IRP_MN_QUERY_POWER
        jz      short loc_1B03E
        push    esi
        call    ds:PoStartNextPowerIrp  ; other minors: pass down untouched
        add     byte ptr [esi+23h], 1
        add     dword ptr [esi+60h], 24h
        mov     ecx, [edi+14h]          ; lower device object
        push    esi
        push    ecx
        call    ds:PoCallDriver
        push    esi
        push    ebx
        mov     edi, eax                ; keep the status across the release
        call    sub_18F90
        mov     eax, edi
        pop     edi
        pop     esi
        pop     ebx
        retn    8
loc_1B007:
        mov     ecx, 1
        cmp     [eax+8], ecx            ; Parameters.Power.Type == DevicePowerState?
        jnz     short loc_1B03E
        mov     eax, [eax+0Ch]          ; Parameters.Power.State
        sub     eax, ecx
        jz      short loc_1B02C         ; state 1 = PowerDeviceD0
        sub     eax, 3
        jnz     short loc_1B03E         ; anything but state 4 (PowerDeviceD3)
        cmp     [edi+8], ecx            ; only the device in slot 1 drives the shared object
        jnz     short loc_1B03E
        mov     edx, [edi+0E0h]
        push    eax                     ; 0 (eax is zero after the sub)
        push    edx
        jmp     short loc_1B039
loc_1B02C:
        cmp     [edi+8], ecx
        jnz     short loc_1B03E
        mov     eax, [edi+0E0h]
        push    ecx                     ; 1
        push    eax
loc_1B039:
        call    sub_1F210               ; sub_1F210(shared object, 0 = down / 1 = up), presumably
loc_1B03E:
        push    504F5752h               ; pool tag
        push    20h
        push    0                       ; NonPagedPool
        call    ds:ExAllocatePoolWithTag
        test    eax, eax
        jnz     short loc_1B06D
        push    0C000009Ah              ; STATUS_INSUFFICIENT_RESOURCES
        push    esi
        call    sub_17950
        push    esi
        push    ebx
        mov     edi, eax
        call    sub_18F90               ; release the lock
        mov     eax, edi
        pop     edi
        pop     esi
        pop     ebx
        retn    8
loc_1B06D:
        xor     ecx, ecx                ; zero the context fields +8..+1Ch
        mov     [eax+8], ecx
        mov     [eax+0Ch], ecx
        mov     [eax+10h], ecx
        mov     [eax+14h], ecx
        mov     [eax+18h], ecx
        push    ecx
        mov     [eax+1Ch], ecx
        push    eax
        mov     [eax], edi              ; ctx+0 = devext
        mov     [eax+4], esi            ; ctx+4 = Irp
        call    sub_18B50               ; sub_18B50(ctx, 0): deferred power handling (inferred)
        push    esi
        push    ebx
        mov     edi, eax
        call    sub_18F90
        mov     eax, edi
        pop     edi
        pop     esi
        pop     ebx
        retn    8
        align 10h
;-----------------------------------------------------------------------
; sub_1B0A0 -- initialises the lock block used at devext+20h:
; +0 count = 1, +4 flag byte = 0, +8 KEVENT (NotificationEvent, not
; signalled).  Four stack arguments are popped (retn 10h); only [esp+8]
; (the block) is read here.  Body continues on the next listing line.
;-----------------------------------------------------------------------
sub_1B0A0 proc near
arg_0= dword ptr 8
        push    esi
        mov     esi, [esp+arg_0]        ; esi = block
push    0                               ; State = FALSE (not signalled)
        push    0                       ; Type = NotificationEvent
        lea     eax, [esi+8]
        push    eax
        call    ds:KeInitializeEvent    ; block+8: KEVENT
        mov     dword ptr [esi], 1      ; block+0: count starts at 1
        mov     byte ptr [esi+4], 0     ; block+4: "removing" flag clear
        pop     esi
        retn    10h
sub_1B0A0 endp
        align 10h
;-----------------------------------------------------------------------
; sub_1B0D0(Block, Irp) -- run-down of the sub_1B0A0 block, used by
; REMOVE_DEVICE (sub_1A970).  Sets the flag, drops the initial reference
; and the caller's own acquire (hence two decrements), signals the event
; when the count reaches zero, then blocks until it is signalled.
; Only the first argument is used; retn 8 pops both.
;-----------------------------------------------------------------------
sub_1B0D0 proc near
arg_0= dword ptr 8
        push    ebx
        mov     ebx, ds:InterlockedDecrement
        push    esi
        mov     esi, [esp+4+arg_0]      ; esi = block
        push    edi
        mov     ecx, esi                ; Addend = &block->count
        mov     byte ptr [esi+4], 1     ; no new acquires from here on (enforced by sub_18F50, not in view)
        call    ebx ; InterlockedDecrement
        test    eax, eax
        mov     edi, ds:KeSetEvent
        jnz     short loc_1B0F9
        push    0                       ; Wait = FALSE
        push    0                       ; Increment = 0
        lea     eax, [esi+8]
        push    eax
        call    edi ; KeSetEvent
loc_1B0F9:
        mov     ecx, esi
        call    ebx ; InterlockedDecrement
        test    eax, eax
        jnz     short loc_1B109
        push    eax                     ; eax is 0 here: Wait = FALSE
        push    eax                     ; Increment = 0
        lea     ecx, [esi+8]
        push    ecx
        call    edi ; KeSetEvent
loc_1B109:
        push    0                       ; Timeout = NULL (wait forever)
        push    0                       ; Alertable = FALSE
        push    0                       ; WaitMode = KernelMode
        push    0                       ; WaitReason = Executive
        add     esi, 8
        push    esi                     ; Object = &block->event
        call    ds:KeWaitForSingleObject
        pop     edi
        pop     esi
        pop     ebx
        retn    8
sub_1B0D0 endp
        align 100h
page ends
; Section 3. (virtual address 0000C000)
; Virtual size : 00000101 ( 257.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00009800
; Flags 68000020: Text Not pageable Executable Readable
; Alignment : default
; Segment type: Pure code
; Segment permissions: Read/Execute
init segment para public 'CODE' use32
        assume cs:init
        ;org 1C000h
        assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
        public start
;-----------------------------------------------------------------------
; start(DriverObject, RegistryPath) -- DriverEntry (INIT section).
; Allocates a 48h-byte driver-object extension (id 1) and zeroes it,
; requires WDM 1.0 (IoIsWdmVersionAvailable(1, 0)), records in byte_1E1C8
; whether WDM 1.10 is *absent*, copies RegistryPath into the global
; UNICODE_STRING at unk_1E1C0 (buffer dword_1E1C4, NUL-terminated), and
; installs DriverUnload / AddDevice / the CREATE, CLOSE, DEVICE_CONTROL,
; POWER and PNP major-function handlers.  Body continues on the next
; listing line.
; Out: eax = 0, 0C0000001h (STATUS_UNSUCCESSFUL: WDM too old) or
;      0C000009Ah (STATUS_INSUFFICIENT_RESOURCES: path buffer).
; NOTE(review): a failed IoAllocateDriverObjectExtension is tolerated here
; (jl just skips the memset), but sub_1A730 / sub_1A7A0 later use the
; IoGetDriverObjectExtension result without a NULL test.
;-----------------------------------------------------------------------
start proc near
var_14= dword ptr -14h
var_8= dword ptr -8
arg_0= dword ptr 8
        push    esi
        mov     esi, [esp+arg_0]        ; esi = DriverObject
        push    edi
        lea     eax, [esp+4+arg_0]      ; the DriverObject argument slot doubles as the out-pointer
        push    eax                     ; &DriverObjectExtension
        push    48h                     ; DriverObjectExtensionSize
        push    1                       ; ClientIdentificationAddress (id 1, used by every IoGetDriverObjectExtension caller)
        push    esi
        call    ds:IoAllocateDriverObjectExtension
        test    eax, eax
        jl      short loc_1C040
        mov     ecx, [esp+4+arg_0]      ; extension pointer
        push    48h
        push    0
        push    ecx
        call    memset
        mov     edx, [esp+10h+arg_0]
        mov     dword ptr [edx], 48h    ; ext+0 = size
        mov     eax, [esp+10h+arg_0]
        add     esp, 0Ch
        mov     dword ptr [eax+0Ch], 2  ; ext+0Ch = 2 (expected device count, presumably -- cf. the two slots checked in sub_1A7A0)
loc_1C040:
        mov     edi, ds:IoIsWdmVersionAvailable
        push    0                       ; MinorVersion
        push    1                       ; MajorVersion
        call    edi ; IoIsWdmVersionAvailable
        test    al, al
        jnz     short loc_1C05A
        pop     edi
        mov     eax, 0C0000001h         ; STATUS_UNSUCCESSFUL
        pop     esi
        retn    8
loc_1C05A:
        push    10h                     ; MinorVersion 10h (WDM 1.10)
        push    1
        call    edi ; IoIsWdmVersionAvailable
        mov     edi, [esp+10h]          ; edi = RegistryPath (PUNICODE_STRING)
        test    al, al
        setz    cl
        mov     byte_1E1C8, cl          ; 1 when WDM 1.10 is NOT available (consulted by sub_1A640)
        movzx   edx, word ptr [edi]     ; RegistryPath->Length
        push    504F5752h               ; pool tag
        add     edx, 2                  ; room for a terminating NUL
        push    edx
        push    1                       ; PagedPool (the call continues on the next listing line)
call    ds:ExAllocatePoolWithTag        ; (PagedPool, Length+2, tag) were pushed on the previous listing line
        test    eax, eax
        mov     dword_1E1C4, eax        ; unk_1E1C0.Buffer
        jnz     short loc_1C096
        pop     edi
        mov     eax, 0C000009Ah         ; STATUS_INSUFFICIENT_RESOURCES
        pop     esi
        retn    8
loc_1C096:
        mov     ax, [edi]               ; RegistryPath->Length
        push    edi                     ; SourceString
        add     ax, 2
        push    offset unk_1E1C0        ; DestinationString (global UNICODE_STRING)
        mov     word_1E1C2, ax          ; unk_1E1C0.MaximumLength = Length + 2
        call    ds:RtlCopyUnicodeString
        movzx   ecx, word ptr [edi]
        mov     edx, dword_1E1C4
        shr     ecx, 1                  ; Length in WCHARs
        mov     word ptr [edx+ecx*2], 0 ; NUL-terminate the copy
        mov     eax, [esi+18h]          ; DriverObject->DriverExtension
        mov     dword ptr [esi+34h], offset loc_1A000   ; DriverUnload
        mov     dword ptr [eax+4], offset sub_1A010     ; DriverExtension->AddDevice
        pop     edi
        mov     dword ptr [esi+38h], offset loc_1A2A0   ; MajorFunction[IRP_MJ_CREATE]
        mov     dword ptr [esi+40h], offset loc_1A2D0   ; MajorFunction[IRP_MJ_CLOSE]
        mov     dword ptr [esi+70h], offset loc_1A200   ; MajorFunction[IRP_MJ_DEVICE_CONTROL]
        mov     dword ptr [esi+90h], offset loc_17970   ; MajorFunction[IRP_MJ_POWER]
        mov     dword ptr [esi+0A4h], offset loc_1A160  ; MajorFunction[IRP_MJ_PNP]
        xor     eax, eax                ; STATUS_SUCCESS
        pop     esi
        retn    8
start endp
        align 100h
init ends
; Section 4. (virtual address 0000D000)
; Virtual size : 000006AC ( 1708.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 00009A00
; Flags 48000040: Data Not pageable Readable
; Alignment : default
;
; Imports from HAL.dll
;
; Segment type: Externs
; _idata
        extrn READ_PORT_UCHAR:dword
        extrn READ_PORT_ULONG:dword
        extrn WRITE_PORT_ULONG:dword
        extrn KeStallExecutionProcessor:dword
        extrn KeGetCurrentIrql:dword
;
; Imports from ntoskrnl.exe
;
        extrn RtlInitUnicodeString:dword
        extrn IoOpenDeviceRegistryKey:dword
        extrn __imp_memcpy:dword
        extrn ZwSetValueKey:dword
        extrn MmMapIoSpace:dword
        extrn MmUnmapIoSpace:dword
        extrn ExFreePoolWithTag:dword
        extrn KeSetEvent:dword
        extrn KeInsertQueueDpc:dword
        extrn KeSynchronizeExecution:dword
        extrn IoFreeMdl:dword
        extrn MmUnmapLockedPages:dword
        extrn MmMapLockedPages:dword
        extrn MmBuildMdlForNonPagedPool:dword
        extrn IoAllocateMdl:dword
        extrn IoConnectInterrupt:dword
        extrn KeInitializeDpc:dword
        extrn MmGetPhysicalAddress:dword
        extrn MmAllocateContiguousMemory:dword
        extrn MmFreeContiguousMemory:dword
        extrn KeRemoveQueueDpc:dword
        extrn IoDisconnectInterrupt:dword
        extrn RtlFreeUnicodeString:dword
        extrn IoGetDeviceProperty:dword
        extrn PoSetPowerState:dword
        extrn ExAllocatePool:dword
        extrn IoDetachDevice:dword
        extrn                           ; (IoAttachDeviceToDeviceStack:dword continues on the next listing line)
IoAttachDeviceToDeviceStack:dword extrn IoGetDriverObjectExtension:dword extrn IoCreateDevice:dword extrn IofCompleteRequest:dword extrn IoSetDeviceInterfaceState:dword extrn IoIsWdmVersionAvailable:dword extrn InterlockedIncrement:dword extrn InterlockedDecrement:dword extrn KeWaitForSingleObject:dword extrn IofCallDriver:dword extrn KeInitializeEvent:dword extrn RtlCopyUnicodeString:dword extrn IoAllocateDriverObjectExtension:dword extrn IoOpenDeviceInterfaceRegistryKey:dword extrn IoRegisterDeviceInterface:dword extrn ObReferenceObjectByHandle:dword extrn ObfReferenceObject:dword extrn swprintf:dword extrn IoFreeIrp:dword extrn ObfDereferenceObject:dword extrn IoAllocateIrp:dword extrn IoGetAttachedDeviceReference:dword extrn PoCallDriver:dword extrn PoStartNextPowerIrp:dword extrn PoRequestPowerIrp:dword extrn ExQueueWorkItem:dword extrn ZwQueryValueKey:dword extrn ZwClose:dword extrn KeQuerySystemTime:dword extrn ExFreePool:dword extrn __imp_memset:dword extrn IoDeleteDevice:dword extrn ExAllocatePoolWithTag:dword ; ; Imports from portcls.sys ; extrn PcGetTimeInterval:dword ; Segment type: Pure data ; Segment permissions: Read _rdata segment para public 'DATA' use32 assume cs:_rdata ;org 1D114h align 8 aMixeresp1010e: unicode 0, <MixerESP1010e>,0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 7Fh ; db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0 db 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 1 db 0 db 0 db 0 db 7Fh ; db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 1 db 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 1 db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 2 db 0 db 0 db 0 db 7Fh ; db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 2 db 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 2 db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 3 db 0 db 0 db 0 db 0FFh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 3 db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 4 db 0 db 0 
db 0 db 0FFh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 4 db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 5 db 0 db 0 db 0 db 0FFh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 5 db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 6 db 0 db 0 db 0 db 3 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 7 db 0 db 0 db 0 db 1 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 7 db 0 db 0 db 0 db 2 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 7 db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 7 db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 7 db 0 db 0 db 0 db 0F0h ; = db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 8 db 0 db 0 db 0 db 1 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 9 db 0 db 0 db 0 db 1 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 9 db 0 db 0 db 0 db 6 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ah db 0 db 0 db 0 db 3 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ah db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ah db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ah db 0 db 0 db 0 db 30h ; 0 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Bh db 0 db 0 db 0 db 3 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Bh db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Bh db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Bh db 0 db 0 db 0 db 30h ; 0 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Bh db 0 db 0 db 0 db 40h ; @@ db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Bh db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ch db 0 db 0 db 0 db 7 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ch db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ch db 0 db 0 db 0 db 70h ; p db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ch db 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Ch db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 0Dh db 0 db 0 db 0 db 1 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Dh db 0 db 0 db 0 db 2 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Dh db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Dh db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Dh db 0 
db 0 db 0 db 40h ; @@ db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Eh db 0 db 0 db 0 db 0FFh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Eh db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 0Fh db 0 db 0 db 0 db 0FFh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 0Fh db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 10h db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 10h db 0 db 0 db 0 db 70h ; p db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 10h db 0 db 0 db 0 db 80h ; Ç db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 11h db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 11h db 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 11h db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 12h db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 12h db 0 db 0 db 0 db 0F0h ; = db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 13h db 0 db 0 db 0 db 1 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 13h db 0 db 0 db 0 db 1Ch db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 14h db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 14h db 0 db 0 db 0 db 70h ; p db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 15h db 0 db 0 db 0 db 1Fh db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 15h db 0 db 0 db 0 db 40h ; @@ db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 15h db 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 15h db 0 db 0 db 0 db 0 db 1 db 0 db 0 db 2 db 3 db 0 db 0 db 16h db 0 db 0 db 0 db 3 db 0 db 0 db 0 db 2 db 3 db 0 db 0 db 17h db 0 db 0 db 0 db 0FFh db 1 db 0 db 0 db 2 db 3 db 0 db 0 dword_1D450 dd 0 db 1 db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 5 db 0 db 0 db 0 db 2 db 0 db 0 db 0 db 3 db 0 db 0 db 0 db 6 db 0 db 0 db 0 db 7 db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 9 db 0 db 0 db 0 db 0Ah db 0 db 0 db 0 db 0Bh db 0 db 0 db 0 db 0Ch db 0 db 0 db 0 db 0Dh db 0 db 0 db 0 db 0Eh db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 10h db 0 db 0 db 0 db 11h db 0 db 0 db 0 db 12h db 0 db 0 db 0 db 13h db 0 db 0 db 0 db 14h db 0 db 0 db 0 db 15h db 0 db 0 db 0 db 16h db 0 db 0 db 0 db 17h db 0 db 0 db 0 db 18h 
db 0 db 0 db 0 db 19h db 0 db 0 db 0 db 1Ah db 0 db 0 db 0 db 1Bh db 0 db 0 db 0 db 1Ch db 0 db 0 db 0 db 1Dh db 0 db 0 db 0 db 1Eh db 0 db 0 db 0 db 1Fh db 0 db 0 db 0 dword_1D4D0 dd 0 db 1 db 0 db 0 db 0 db 2 db 0 db 0 db 0 db 3 db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 5 db 0 db 0 db 0 db 6 db 0 db 0 db 0 db 7 db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 9 db 0 db 0 db 0 db 0Ah db 0 db 0 db 0 db 0Bh db 0 db 0 db 0 db 0Ch db 0 db 0 db 0 db 0Dh db 0 db 0 db 0 db 0Eh db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 10h db 0 db 0 db 0 db 11h db 0 db 0 db 0 db 12h db 0 db 0 db 0 db 13h db 0 db 0 db 0 db 14h db 0 db 0 db 0 db 15h db 0 db 0 db 0 db 16h db 0 db 0 db 0 db 17h db 0 db 0 db 0 db 18h db 0 db 0 db 0 db 19h db 0 db 0 db 0 db 1Ah db 0 db 0 db 0 db 1Bh db 0 db 0 db 0 db 1Ch db 0 db 0 db 0 db 1Dh db 0 db 0 db 0 db 1Eh db 0 db 0 db 0 db 1Fh db 0 db 0 db 0 unk_1D550 db 0Eh db 48h ; H db 65h ; e db 0ACh ; ¼ db 0FCh ; n db 96h ; û db 0Dh db 45h ; E db 88h ; ê db 2Eh ; . db 0E2h ; G db 58h ; X db 0D1h ; - db 4 db 42h ; B db 3Dh ; = dword_1D560 dd 0 dword_1D564 dd 0 dword_1D568 dd 0C00000h dword_1D56C dd 46000000h unk_1D570 db 40h ; @@ db 0D5h ; + db 1Dh db 1Ah db 0D5h ; + db 0Bh db 0D5h ; + db 11h db 9Ah ; Ü db 47h ; G db 0 db 0E0h ; a db 29h ; ) db 9 db 5Ch ; \ db 67h ; g dword_1D580 dd 30315045h dword_1D584 dd 76724465h dword_1D588 dd 7379732Eh byte_1D58C db 0 align 10h aDeviceextensio: unicode 0, <DeviceExtension>,0 aGetinterfaceca: unicode 0, <GetInterfaceCallback>,0 align 4 dword_1D5DC dd 0B253E1h dword_1D5E0 dd 11D5099Dh dword_1D5E4 dd 0E000479Ah dword_1D5E8 dd 675C0929h off_1D5EC dd offset sub_17AF0 dd offset sub_18FC5 dd offset sub_18FE0 dd offset sub_18180 off_1D5FC dd offset sub_17B80 dd offset sub_17BA0 dd offset sub_17BC0 dd offset sub_17BE0 dd offset dword_180F0+20h dword_1D610 dd 20495345h dword_1D614 dd 31505345h dword_1D618 dd 65303130h dword_1D61C dd 47202D20h dword_1D620 dd 464953h word_1D624 dw 3020h byte_1D626 db 0 align 4 aWsWs_02d: unicode 0, <%ws\%ws_%02d>,0 align 
4                                       ; (operand of the `align` that ends the previous listing line)
aEsi:           unicode 0, <ESI>,0      ; vendor prefix used by sub_1AB60 (BusQueryDeviceID)
aEsp1010e:      unicode 0, <ESP1010e>,0
                align 10h
aWs_02d:        unicode 0, <%ws_%02d>,0 ; sub_1AB60, BusQueryHardwareIDs
                align 4
aEsiEsp1010e:   unicode 0, <ESI\ESP1010e>,0
                align 10h
a04d:           unicode 0, <%04d>,0     ; sub_1AB60, BusQueryInstanceID
                align 4
off_1D69C       dd offset sub_19010     ; function table (users not in this listing chunk)
                dd offset sub_18FC5
                dd offset sub_18FE0
                dd offset sub_1906D
                align 200h
_rdata ends
; Section 5. (virtual address 0000E000)
; Virtual size : 00000498 ( 1176.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000A200
; Flags C8000040: Data Not pageable Readable Writable
; Alignment : default
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
                assume cs:_data
                ;org 1E000h
aHw             db 'hw : ',0            ; debug-print prefixes (users not in this chunk)
                align 4
aWm             db 'wm : ',0
                align 10h
aCom            db 'COM: ',0
                align 4
aIo             db 'Io : ',0
                align 10h
aPci            db 'PCI: ',0
                align 4
; off_1E028: FDO PnP minor-function table, 24 entries (1E028h..1E088h),
; indexed by the IRP minor function from loc_1AAD0, which bound-checks
; against 18h.  The positions agree with the public IRP_MN_* numbering;
; sub_1A3F0 / sub_1A410 / sub_1A460 are not in this listing chunk.
off_1E028       dd offset sub_1A9D0     ; 00 START_DEVICE
                dd offset sub_1A640     ; 01 QUERY_REMOVE_DEVICE
                dd offset sub_1A970     ; 02 REMOVE_DEVICE
                dd offset sub_1A410     ; 03 CANCEL_REMOVE_DEVICE
                dd offset sub_1AA50     ; 04 STOP_DEVICE
                dd offset sub_1A6C0     ; 05 QUERY_STOP_DEVICE
                dd offset sub_1A460     ; 06 CANCEL_STOP_DEVICE
                dd offset sub_1A530     ; 07 QUERY_DEVICE_RELATIONS
                dd offset sub_1A3F0     ; 08 QUERY_INTERFACE (default handler)
                dd offset sub_1A4C0     ; 09 QUERY_CAPABILITIES
                dd offset sub_1A3F0     ; 0A
                dd offset sub_1A3F0     ; 0B
                dd offset sub_1A3F0     ; 0C
                dd offset sub_1A3F0     ; 0D
                dd offset sub_1A3F0     ; 0E
                dd offset sub_1A3F0     ; 0F
                dd offset sub_1A3F0     ; 10
                dd offset sub_1A3F0     ; 11
                dd offset sub_1A3F0     ; 12
                dd offset sub_1A3F0     ; 13
                dd offset sub_1A3F0     ; 14
                dd offset sub_1A3F0     ; 15
                dd offset sub_1A3F0     ; 16
                dd offset sub_1AA90     ; 17 SURPRISE_REMOVAL
; byte_1E088: completion-context flag per PDO PnP minor function, read
; by sub_1AD30 for minors below 19h; 32 bytes (1E088h..1E0A8h).
byte_1E088      db 0                    ; 00
                db 0                    ; 01
                db 0                    ; 02
                db 0                    ; 03
                db 0                    ; 04
                db 0                    ; 05
                db 0                    ; 06
                db 0                    ; 07
                db 0                    ; 08
                db 0                    ; 09
                db 0                    ; 0A
                db 0                    ; 0B
                db 0                    ; 0C
                db 0                    ; 0D
                db 0                    ; 0E
                db 1                    ; 0F
                db 1                    ; 10
                db 1                    ; 11
                db 1                    ; 12
                db 0                    ; 13
                db 0                    ; 14
                db 1                    ; 15
                db 0                    ; 16
                db 0                    ; 17
                db 1                    ; 18
                db 0                    ; 19..1F: unused (loc_1AF70 rejects minors >= 19h)
                db 0
                db 0
                db 0
                db 0
                db 0
                db 0
; off_1E0A8: child-PDO PnP minor-function table, 25 entries, tail-jumped
; to from loc_1AF70 (bound-checked against 19h).  sub_1AE00 completes
; with success, sub_1AD30 re-issues the request up the parent's stack.
off_1E0A8       dd offset sub_1AE00     ; 00 START_DEVICE
                dd offset sub_1AE00     ; 01 QUERY_REMOVE_DEVICE
                dd offset sub_1AE60     ; 02 REMOVE_DEVICE
                dd offset sub_1AE00     ; 03 CANCEL_REMOVE_DEVICE
                dd offset sub_1AE00     ; 04 STOP_DEVICE
                dd offset sub_1AE00     ; 05 QUERY_STOP_DEVICE
                dd offset sub_1AE00     ; 06 CANCEL_STOP_DEVICE
                dd offset sub_1ACA0     ; 07 QUERY_DEVICE_RELATIONS
                dd offset sub_1AEA0     ; 08 QUERY_INTERFACE
                dd offset sub_1AD30     ; 09 QUERY_CAPABILITIES
                dd offset sub_1AE00     ; 0A QUERY_RESOURCES
                dd offset sub_1AE00     ; 0B QUERY_RESOURCE_REQUIREMENTS
                dd offset sub_1AD10     ; 0C QUERY_DEVICE_TEXT
                dd offset sub_1AE00     ; 0D FILTER_RESOURCE_REQUIREMENTS
                dd offset sub_1AE00     ; 0E
                dd offset sub_1AD30     ; 0F READ_CONFIG
                dd offset sub_1AD30     ; 10 WRITE_CONFIG
                dd offset sub_1AD30     ; 11 EJECT
                dd offset sub_1AD30     ; 12 SET_LOCK
                dd offset sub_1AB60     ; 13 QUERY_ID
                dd offset sub_1AD30     ; 14 QUERY_PNP_DEVICE_STATE
                dd offset sub_1AD30     ; 15 QUERY_BUS_INFORMATION
                dd offset sub_1AD30     ; 16 DEVICE_USAGE_NOTIFICATION
                dd offset sub_1AE00     ; 17 SURPRISE_REMOVAL
                dd offset sub_1AD30     ; 18 QUERY_LEGACY_BUS_INFORMATION
                align 10h
dword_1E110                             ; (`dd 1` continues on the next listing line)
dd 1 align 8 dword_1E118 dd 0 align 10h db 4 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0Ah db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0Bh db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 5 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0Ch db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 8 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0Eh db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0Fh db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 10h db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 12h db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 2 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 off_1E1AC dd offset sub_18EF0 dd offset sub_18EF0 dd offset sub_18EF0 dd offset sub_18EF0 align 10h unk_1E1C0 db 0 db 0 word_1E1C2 dw 0 dword_1E1C4 dd 0 byte_1E1C8 db 0 align 10h dword_1E1D0 dd 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 dword_1E1F0 dd 0 dword_1E1F4 dd 0 db 0 db 0 db 0 db 0 dword_1E1FC dd 0 dword_1E200 dd ? dword_1E204 dd ? dword_1E208 dd ? dword_1E20C dd ? db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? 
; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? 
; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; dword_1E458 dd ? db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; db ? ; _data ends ; Section 6. (virtual address 0000F000) ; Virtual size : 00000BA8 ( 2984.) ; Section size in file : 00000C00 ( 3072.) 
; Offset to raw data for section: 0000A400
; Flags 60000020: Text Executable Readable
; Alignment : default
; Segment type: Pure code
; Segment permissions: Read/Execute
;
; ---------------------------------------------------------------------------
; PAGE section (pageable code) of the IDA listing. Symbol names are IDA
; defaults (sub_/loc_/off_); nothing below is a hand-written definition.
; Conventions used in the comments, inferred from register usage only:
;   - routines that consume ecx before touching the stack are treated as
;     thiscall-style with ecx = per-device context, written "ctx";
;   - "retn N" means the callee cleans N bytes, i.e. stdcall-style args;
;   - "f(ctx; a, b)" means ecx = ctx and a, b are the stack args in the
;     order the C caller would write them (last pushed = first arg).
; Offsets into ctx / request records stay numeric because no struct
; definition is visible in this listing.
; ---------------------------------------------------------------------------
PAGE segment para public 'CODE' use32
assume cs:PAGE
;org 1F000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; ---------------------------------------------------------------------------
; loc_1F000 — selector dispatcher (entered by jump; IDA gave it no proc).
; Stack on entry: [esp+4] = ctx, [esp+8] = selector, [esp+0Ch] = pointer
; to an argument record ("rec"). Every exit is "retn 0Ch", so the caller
; passes exactly three dwords. The selector is range-checked with an
; unsigned compare against 12h before indexing off_1F1C0, which has 19
; entries (0..12h) — the check and the table agree, and values with the
; sign bit set are rejected rather than indexing backwards. Selectors
; 13..16 map to loc_1F1BA, a no-op return. Each case unpacks dwords from
; rec, forwards ctx in ecx and, for some cases, stores the callee's result
; back into rec. Targets written "dword_17210+NN" are routines IDA left
; inside a data item; their names are unknown here.
; ---------------------------------------------------------------------------
loc_1F000:
        mov     eax, [esp+8]            ; eax = selector
        cmp     eax, 12h
        ja      locret_1F1BB            ; unsigned: selector > 18 -> return
        push    esi
        jmp     ds:off_1F1C0[eax*4]
loc_1F015:                              ; sel 0: sub_16EA0(ctx; rec[0],[4],[8],[0Ch],[10h])
        mov     eax, [esp+10h]          ; eax = rec
        mov     ecx, [eax+10h]
        mov     edx, [eax+0Ch]
        push    ecx
        mov     ecx, [eax+8]
        push    edx
        mov     edx, [eax+4]
        mov     eax, [eax]
        push    ecx
        mov     ecx, [esp+14h]          ; ecx = ctx
        push    edx
        push    eax
        call    sub_16EA0
        pop     esi
        retn    0Ch
loc_1F039:                              ; sel 1: sub_16EF0(ctx; rec[0],[4],[8])
        mov     eax, [esp+10h]
        mov     ecx, [eax+8]
        mov     edx, [eax+4]
        mov     eax, [eax]
        push    ecx
        mov     ecx, [esp+0Ch]          ; ecx = ctx
        push    edx
        push    eax
        call    sub_16EF0
        pop     esi
        retn    0Ch
loc_1F055:                              ; sel 2: sub_16F20(ctx; rec[0]..rec[18h], 7 dwords)
        mov     eax, [esp+10h]
        mov     ecx, [eax+18h]
        mov     edx, [eax+14h]
        push    ecx
        mov     ecx, [eax+10h]
        push    edx
        mov     edx, [eax+0Ch]
        push    ecx
        mov     ecx, [eax+8]
        push    edx
        mov     edx, [eax+4]
        mov     eax, [eax]
        push    ecx
        mov     ecx, [esp+1Ch]          ; ecx = ctx
        push    edx
        push    eax
        call    sub_16F20
        pop     esi
        retn    0Ch
loc_1F081:                              ; sel 3: sub_17060(ctx; rec[0],[4],[8],[0Ch])
        mov     eax, [esp+10h]
        mov     ecx, [eax+0Ch]
        mov     edx, [eax+8]
        push    ecx
        mov     ecx, [eax+4]
        push    edx
        mov     edx, [eax]
        push    ecx
        mov     ecx, [esp+14h]          ; ecx = ctx
        push    edx
        call    sub_17060
        pop     esi
        retn    0Ch
loc_1F0A1:                              ; sel 4: sub_17130(ctx; rec[0],[4],[8],[0Ch])
        mov     eax, [esp+10h]
        mov     ecx, [eax+0Ch]
        mov     edx, [eax+8]
        push    ecx
        mov     ecx, [eax+4]
        push    edx
        mov     edx, [eax]
        push    ecx
        mov     ecx, [esp+14h]          ; ecx = ctx
        push    edx
        call    sub_17130
        pop     esi
        retn    0Ch
loc_1F0C1:                              ; sel 5: rec[14h] = dword_17210(ctx; rec[0],[4],[8],[0Ch],[10h])
        mov     esi, [esp+10h]          ; esi = rec (kept live for the store)
        mov     eax, [esi+10h]
        mov     ecx, [esi+0Ch]
        mov     edx, [esi+8]
        push    eax
        mov     eax, [esi+4]
        push    ecx
        mov     ecx, [esi]
        push    edx
        push    eax
        push    ecx
        mov     ecx, [esp+1Ch]          ; ecx = ctx
        call    near ptr dword_17210
        mov     [esi+14h], eax
        pop     esi
        retn    0Ch
loc_1F0E8:                              ; sel 6: rec[4] = dword_17210+40h(ctx; rec[0])
        mov     esi, [esp+10h]
        mov     edx, [esi]
        mov     ecx, [esp+8]            ; ecx = ctx
        push    edx
        call    near ptr dword_17210+40h
        mov     [esi+4], eax
        pop     esi
        retn    0Ch
loc_1F0FF:                              ; sel 7: *rec = dword_17210+50h(ctx)
        mov     ecx, [esp+8]
        call    near ptr dword_17210+50h
        mov     ecx, [esp+10h]
        mov     [ecx], eax
        pop     esi
        retn    0Ch
loc_1F112:                              ; sel 8: dword_17210+70h(ctx), no result stored
        mov     ecx, [esp+8]
        call    near ptr dword_17210+70h
        pop     esi
        retn    0Ch
loc_1F11F:                              ; sel 9: rec[4] = dword_17210+120h(ctx; byte rec[0], byte rec[1])
        mov     esi, [esp+10h]
        movzx   edx, byte ptr [esi+1]
        movzx   eax, byte ptr [esi]
        mov     ecx, [esp+8]
        push    edx
        push    eax
        call    near ptr dword_17210+120h
        mov     [esi+4], eax
        pop     esi
        retn    0Ch
loc_1F13C:                              ; sel 10: rec[4] = (u16) dword_17210+90h(ctx; byte rec[0])
        mov     esi, [esp+10h]
        movzx   ecx, byte ptr [esi]
        push    ecx
        mov     ecx, [esp+0Ch]          ; ecx = ctx
        call    near ptr dword_17210+90h
        movzx   edx, ax                 ; only the low 16 bits of the result are kept
        mov     [esi+4], edx
        pop     esi
        retn    0Ch
loc_1F157:                              ; sel 11: dword_17210+0B0h(ctx; byte rec[0], rec[4])
        mov     eax, [esp+10h]
        mov     ecx, [eax+4]
        movzx   edx, byte ptr [eax]
        push    ecx
        mov     ecx, [esp+0Ch]          ; ecx = ctx
        push    edx
        call    near ptr dword_17210+0B0h
        pop     esi
        retn    0Ch
loc_1F170:                              ; sel 12: *rec = sub_17600(ctx)
        mov     ecx, [esp+8]
        call    sub_17600
        mov     ecx, [esp+10h]
        mov     [ecx], eax
        pop     esi
        retn    0Ch
loc_1F183:                              ; sel 17: sub_17390(ctx; rec[0],[4],[8],[0Ch])
        mov     eax, [esp+10h]
        mov     edx, [eax+0Ch]
        mov     ecx, [eax+8]
        push    edx
        mov     edx, [eax+4]
        mov     eax, [eax]
        push    ecx
        mov     ecx, [esp+10h]          ; ecx = ctx
        push    edx
        push    eax
        call    sub_17390
        pop     esi
        retn    0Ch
loc_1F1A3:                              ; sel 18: rec[8] = sub_177D0(ctx; rec[0],[4])
        mov     esi, [esp+10h]
        mov     ecx, [esi+4]
        mov     edx, [esi]
        push    ecx
        mov     ecx, [esp+0Ch]          ; ecx = ctx
        push    edx
        call    sub_177D0
        mov     [esi+8], eax
loc_1F1BA:                              ; sel 13..16 land here: no-op
        pop     esi
locret_1F1BB:                           ; out-of-range selector: esi was never pushed
        retn    0Ch
        align   10h
off_1F1C0 dd offset loc_1F015           ; 19 entries, indexed by selector 0..12h
        dd offset loc_1F039
        dd offset loc_1F055
        dd offset loc_1F081
        dd offset loc_1F0A1
        dd offset loc_1F0C1
        dd offset loc_1F0E8
        dd offset loc_1F0FF
        dd offset loc_1F112
        dd offset loc_1F11F
        dd offset loc_1F13C
        dd offset loc_1F157
        dd offset loc_1F170
        dd offset loc_1F1BA
        dd offset loc_1F1BA
        dd offset loc_1F1BA
        dd offset loc_1F1BA
        dd offset loc_1F183
        dd offset loc_1F1A3
        align   10h

; ---------------------------------------------------------------------------
; sub_1F210(ctx, mode) — stdcall (retn 8).
; In:  arg_0 = ctx (NULL -> return immediately), arg_4 = mode.
; Does, in order:
;   mode == 0 : sub_13630(ctx->[1A3Ch]; 0)
;   always    : sub_18980(mode, ctx->[1A38h]); sub_11520(ctx->[1A3Ch]; mode)
;   mode == 1 : sub_186B0(ctx->[1A38h], 41543134h) (between the two above),
;               then ctx->[1A30h] = ctx->[1A34h] = 1 and
;               sub_15DD0(ctx->[1A3Ch]; ctx->[14h], ctx->[18h], ctx->[1A1Ch],
;               40000h, 1) followed by sub_14290(ctx->[1A3Ch]).
; The sub_15DD0 call repeats the one sub_1F2B0 makes at setup (with a last
; argument of 1 instead of 0), so mode 1 looks like a re-initialisation —
; presumably a power/resume path; not verifiable from this listing.
; Out: eax is whatever the last callee left; no status is set here.
; ---------------------------------------------------------------------------
sub_1F210 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
        push    esi
        mov     esi, [esp+arg_0]        ; esi = ctx
        test    esi, esi
        jz      loc_1F2A7
        push    edi
        mov     edi, [esp+4+arg_4]      ; edi = mode
        test    edi, edi
        jnz     short loc_1F232
        mov     ecx, [esi+1A3Ch]
        push    edi
        call    sub_13630               ; mode 0: sub_13630(ctx->[1A3Ch]; 0)
loc_1F232:
        mov     eax, [esi+1A38h]
        push    eax
        push    edi
        call    sub_18980               ; sub_18980(mode, ctx->[1A38h])
        cmp     edi, 1
        jnz     short loc_1F255
        mov     ecx, [esi+1A38h]
        push    41543134h               ; constant also used by sub_1F2B0
        push    ecx
        call    sub_186B0               ; mode 1: sub_186B0(ctx->[1A38h], 41543134h)
loc_1F255:
        mov     ecx, [esi+1A3Ch]
        push    edi
        call    sub_11520               ; sub_11520(ctx->[1A3Ch]; mode)
        cmp     edi, 1
        pop     edi
        jnz     short loc_1F2A7
        mov     edx, [esi+1A1Ch]
        mov     eax, [esi+18h]
        mov     ecx, [esi+14h]
        push    1
        push    40000h
        push    edx
        push    eax
        push    ecx
        mov     ecx, [esi+1A3Ch]
        mov     dword ptr [esi+1A30h], 1
        mov     dword ptr [esi+1A34h], 1
        call    sub_15DD0               ; same call as in sub_1F2B0, last arg 1
        mov     ecx, [esi+1A3Ch]
        call    sub_14290
loc_1F2A7:
        pop     esi
        retn    8
sub_1F210 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_1F2B0 — thiscall-style device setup. ecx = ctx; six dword args on
; the stack (retn 18h), of which only arg_0 (a resource/config record,
; "res" below), arg_4 and arg_14 are read. Steps:
;  1. ctx->[1A30h] = ctx->[1A34h] = 1; ctx->[1A38h] = arg_14;
;     sub_186B0(arg_14, 41543134h).
;  2. zero two parallel 16x16 tables of 12-byte entries (at ctx+0DDCh-0C00h
;     and ctx+0DDCh), then two 16-entry tables of 12-byte entries (at
;     ctx+11Ch-0C0h and ctx+11Ch) plus 16 dwords at ctx+19D4h.
;  3. ExAllocatePoolWithTag(0, 2E44h, 774E6350h) -> sub-object, zeroed and
;     initialised by sub_13590(obj; arg_14, &{res->[1Ch], res->[34h]},
;     arg_4); stored at ctx->[1A3Ch]. If the allocation fails 0 is stored
;     and execution simply continues.
;  4. MmAllocateContiguousMemory(401A0h, highest phys addr 00000000FFFFFFFFh)
;     -> ctx->[14h] (NULL -> STATUS_INSUFFICIENT_RESOURCES); its physical
;     address -> ctx->[18h]/[1Ch]; ctx->[20h] = 401A0h; ctx->[1A1Ch] =
;     buffer+40000h; buffer zeroed; sub_15DD0(ctx->[1A3Ch]; buffer, phys lo,
;     buffer+40000h, 40000h, 0) — a negative status is returned as-is.
;  5. two DPC blocks via ExAllocatePool(0, 20h) -> ctx->[1A14h], ctx->[1A18h],
;     initialised with KeInitializeDpc(dpc, sub_16A50 / sub_16B30, ctx).
;     Neither allocation result is NULL-checked before use.
;  6. IoConnectInterrupt twice (ISRs sub_16B80 -> ctx+8 and sub_16D10 ->
;     ctx+0Ch, ServiceContext = ctx, vector/IRQL/affinity taken from
;     res->[20h..28h] and res->[38h..40h]); a negative status or a NULL
;     interrupt object -> STATUS_INSUFFICIENT_RESOURCES.
;  7. sub_13630(ctx->[1A3Ch]; 1).
; Out: eax = status of the second IoConnectInterrupt on success,
; 0C000009Ah (STATUS_INSUFFICIENT_RESOURCES) on the failures above, or
; the negative status of sub_15DD0. Nothing acquired before a failing
; step is released on the error path; sub_1F4E0 is the matching teardown.
; ---------------------------------------------------------------------------
sub_1F2B0 proc near
var_18= dword ptr -18h
var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr 4
arg_4= dword ptr 8
arg_14= dword ptr 18h
        mov     eax, [esp+arg_14]
        sub     esp, 8                  ; var_8/var_4: 2-dword copy handed to sub_13590
        push    ebx
        push    ebp
        push    esi
        push    edi
        mov     esi, ecx                ; esi = ctx
        push    41543134h
        mov     edi, 1                  ; edi = 1 for the rest of the function
        push    eax
        mov     [esi+1A30h], edi
        mov     [esi+1A34h], edi
        mov     [esi+1A38h], eax
        call    sub_186B0               ; sub_186B0(arg_14, 41543134h)
        xor     ebx, ebx                ; ebx = 0 (zero source / NULL compare)
        mov     [esi+1A2Ch], ebx
        lea     eax, [esi+0DDCh]
        lea     edx, [edi+0Fh]          ; edx = 16 outer iterations
loc_1F2F0:
        mov     ecx, 10h                ; 16 inner iterations
loc_1F2F5:
        mov     [eax-0C00h], ebx        ; two tables 0C00h apart, 12-byte stride
        mov     [eax], ebx
        add     eax, 0Ch
        sub     ecx, edi
        jnz     short loc_1F2F5
        sub     edx, edi
        jnz     short loc_1F2F0
        lea     ecx, [esi+19D4h]
        lea     eax, [esi+11Ch]
        mov     edx, 10h                ; 16 iterations
        lea     esp, [esp+0]            ; no-op (zero displacement), presumably alignment padding
loc_1F320:
        mov     [eax-0C0h], ebx         ; two tables 0C0h apart, 12-byte stride
        mov     [eax], ebx
        mov     [ecx], ebx              ; plus one dword per entry at ctx+19D4h
        add     ecx, 4
        add     eax, 0Ch
        sub     edx, edi
        jnz     short loc_1F320
        mov     edi, [esp+18h+arg_0]    ; edi = res
        mov     eax, [edi+1Ch]
        mov     ecx, [edi+34h]
        push    774E6350h               ; pool tag
        push    2E44h                   ; size
        push    ebx                     ; pool type 0
        mov     [esp+24h+var_8], eax    ; var_8 = res->[1Ch]
        mov     [esp+24h+var_4], ecx    ; var_4 = res->[34h]
        call    ds:ExAllocatePoolWithTag
        mov     ebp, eax                ; ebp = sub-object
        cmp     ebp, ebx
        jz      short loc_1F384         ; allocation failed -> store 0, keep going
        push    2E44h
        push    ebx
        push    ebp
        call    memset                  ; memset(obj, 0, 2E44h)
        mov     edx, [esp+24h+arg_4]
        mov     ecx, [esp+24h+arg_14]
        add     esp, 0Ch
        push    edx
        lea     eax, [esp+1Ch+var_8]    ; &var_8 (res->[1Ch], res->[34h])
        push    eax
        push    ecx
        mov     ecx, ebp
        call    sub_13590               ; sub_13590(obj; arg_14, &var_8, arg_4)
        jmp     short loc_1F386
loc_1F384:
        xor     eax, eax
loc_1F386:
        xor     ecx, ecx
        mov     [esi+1A3Ch], eax        ; ctx->[1A3Ch] = obj (or 0)
        push    ecx                     ; HighestAcceptableAddress.HighPart = 0
        or      eax, 0FFFFFFFFh
        push    eax                     ; HighestAcceptableAddress.LowPart = FFFFFFFFh
        push    401A0h                  ; NumberOfBytes
        mov     dword ptr [esi+20h], 401A0h
        call    ds:MmAllocateContiguousMemory
        cmp     eax, ebx
        mov     [esi+14h], eax          ; ctx->[14h] = buffer
        jz      loc_1F4C3
        push    eax
        call    ds:MmGetPhysicalAddress ; 64-bit result in edx:eax
        mov     ecx, [esi+20h]
        push    ecx
        mov     [esi+18h], eax          ; phys low
        mov     eax, [esi+14h]
        mov     [esi+1Ch], edx          ; phys high
        lea     edx, [eax+40000h]
        push    ebx
        push    eax
        mov     [esi+1A1Ch], edx        ; ctx->[1A1Ch] = buffer + 40000h
        mov     [esi+1A20h], ebx
        mov     [esi+28h], ebx
        call    memset                  ; memset(buffer, 0, 401A0h)
        mov     edx, [esi+1A1Ch]
        mov     eax, [esi+18h]
        mov     ecx, [esi+14h]
        add     esp, 0Ch
        push    ebx
        push    40000h
        push    edx
        push    eax
        push    ecx
        mov     ecx, [esi+1A3Ch]
        call    sub_15DD0               ; sub_15DD0(obj; buffer, phys lo, buffer+40000h, 40000h, 0)
        cmp     eax, ebx
        jl      loc_1F4C8               ; negative status -> return it unchanged
        push    20h
        mov     [esi+1A24h], ebx
        push    ebx
        mov     ebx, ds:ExAllocatePool
        call    ebx                     ; ExAllocatePool(0, 20h) — result not NULL-checked
        mov     ebp, ds:KeInitializeDpc
        push    esi
        push    offset sub_16A50
        push    eax
        mov     [esi+1A14h], eax
        call    ebp ; KeInitializeDpc
        push    20h
        push    0
        call    ebx ; ExAllocatePool    ; second DPC block, also not NULL-checked
        push    esi
        push    offset sub_16B30
        push    eax
        mov     [esi+1A18h], eax
        call    ebp ; KeInitializeDpc
        mov     edx, [edi+28h]
        movzx   eax, byte ptr [edi+24h]
        mov     ebp, ds:IoConnectInterrupt
        push    0                       ; args pushed last-to-first; order matches the
        push    edx                     ; documented 11-parameter IoConnectInterrupt
        push    1
        push    0
        push    eax
        push    eax
        mov     eax, [edi+20h]
        push    eax
        push    0
        push    esi                     ; ServiceContext = ctx
        push    offset sub_16B80        ; ServiceRoutine
        lea     ebx, [esi+8]
        push    ebx                     ; InterruptObject -> ctx+8
        call    ebp ; IoConnectInterrupt
        test    eax, eax
        jl      short loc_1F4C3
        cmp     dword ptr [ebx], 0
        jz      short loc_1F4C3
        mov     edx, [edi+40h]
        movzx   eax, byte ptr [edi+3Ch]
        push    0
        push    edx
        push    1
        push    0
        push    eax
        push    eax
        mov     eax, [edi+38h]
        push    eax
        push    0
        push    esi
        lea     ecx, [esi+0Ch]
        push    offset sub_16D10
        push    ecx                     ; InterruptObject -> ctx+0Ch
        call    ebp ; IoConnectInterrupt
        mov     edi, eax                ; edi = status of 2nd connect (returned on success)
        test    edi, edi
        jl      short loc_1F4C3
        cmp     dword ptr [esi+0Ch], 0
        jz      short loc_1F4C3
        cmp     dword ptr [ebx], 0
        jz      short loc_1F4C3
        mov     ecx, [esi+1A3Ch]
        push    1
        call    sub_13630               ; sub_13630(obj; 1)
        mov     eax, edi
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        add     esp, 8
        retn    18h
loc_1F4C3:
        mov     eax, 0C000009Ah         ; STATUS_INSUFFICIENT_RESOURCES
loc_1F4C8:                              ; epilogue with eax already set
        pop     edi
        pop     esi
        pop     ebp
        pop     ebx
        add     esp, 8
        retn    18h
sub_1F2B0 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_1F4E0 — thiscall-style teardown for sub_1F2B0. ecx = ctx, no stack
; args, no explicit return value. Calls sub_13630(ctx->[1A3Ch]; 0),
; disconnects each interrupt object (ctx->[8], ctx->[0Ch]) that is
; non-NULL and clears the slot, spins on KeRemoveQueueDpc for both DPCs
; until it reports nothing queued, frees both DPC blocks with tag 0 and
; clears their slots, runs sub_135D0 on the sub-object at ctx->[1A3Ch] and
; frees it, and frees the contiguous buffer at ctx->[14h]. ctx->[1A3Ch] is
; NOT cleared after its free, so it keeps a dangling value. IDA's
; "; sp = 8" on endp appears to come from the push ebx/pop ebx pair around
; the jz; both paths reach the pop, so the epilogue is balanced.
; ---------------------------------------------------------------------------
sub_1F4E0 proc near
var_8= dword ptr -8
        push    ebp
        push    esi
        push    edi
        mov     esi, ecx                ; esi = ctx
        mov     ecx, [esi+1A3Ch]
        xor     ebp, ebp                ; ebp = 0 (NULL / tag 0)
        push    ebp
        call    sub_13630               ; sub_13630(obj; 0)
        mov     eax, [esi+8]
        cmp     eax, ebp
        mov     edi, ds:IoDisconnectInterrupt
        jz      short loc_1F506
        push    eax
        call    edi ; IoDisconnectInterrupt
        mov     [esi+8], ebp
loc_1F506:
        mov     eax, [esi+0Ch]
        cmp     eax, ebp
        jz      short loc_1F513
        push    eax
        call    edi ; IoDisconnectInterrupt
        mov     [esi+0Ch], ebp
loc_1F513:
        mov     edi, ds:KeRemoveQueueDpc
        lea     esp, [esp+0]            ; no-op (zero displacement), presumably alignment padding
loc_1F520:                              ; loop while the DPC was still queued (al != 0)
        mov     eax, [esi+1A14h]
        push    eax
        call    edi ; KeRemoveQueueDpc
        test    al, al
        jnz     short loc_1F520
        lea     ecx, [ecx+0]            ; no-op, see above
loc_1F530:                              ; same for the second DPC
        mov     ecx, [esi+1A18h]
        push    ecx
        call    edi ; KeRemoveQueueDpc
        test    al, al
        jnz     short loc_1F530
        mov     edx, [esi+1A14h]
        push    ebx
        mov     ebx, ds:ExFreePoolWithTag
        push    ebp                     ; tag 0
        push    edx
        call    ebx ; ExFreePoolWithTag
        mov     eax, [esi+1A18h]
        push    ebp
        push    eax
        mov     [esi+1A14h], ebp
        call    ebx ; ExFreePoolWithTag
        mov     edi, [esi+1A3Ch]
        cmp     edi, ebp
        mov     [esi+1A18h], ebp
        jz      short loc_1F579
        mov     ecx, edi
        call    sub_135D0               ; sub_135D0(obj) before freeing it
        push    ebp
        push    edi
        call    ebx ; ExFreePoolWithTag ; ctx->[1A3Ch] keeps the freed pointer
loc_1F579:
        mov     eax, [esi+14h]
        cmp     eax, ebp
        pop     ebx
        jz      short loc_1F58B
        push    eax
        call    ds:MmFreeContiguousMemory
        mov     [esi+14h], ebp
loc_1F58B:
        pop     edi
        pop     esi
        pop     ebp
        retn
sub_1F4E0 endp ; sp = 8
        align   10h

; ---------------------------------------------------------------------------
; sub_1F590 — stdcall factory (retn 1Ch, seven dword args).
; Allocates the 1A40h-byte ctx with ExAllocatePoolWithTag(0, 1A40h,
; 774E6350h), zeroes it and clears ctx->[1A30h]/[1A34h]; then calls
; sub_1F2B0 with ecx = ctx and arg_0..arg_14 forwarded in their original
; order, stores dword_17210+50h(ctx) through the pointer in arg_18, calls
; sub_18160(ctx) and returns ctx in eax.
; Two things to be aware of: when the allocation fails esi is 0 and the
; code still calls sub_1F2B0 with ecx = 0, which writes [ecx+1A30h]
; unconditionally; and sub_1F2B0's status is never tested, so a
; partially initialised ctx is returned as if setup had succeeded.
; ---------------------------------------------------------------------------
sub_1F590 proc near
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
arg_C= dword ptr 14h
arg_10= dword ptr 18h
arg_14= dword ptr 1Ch
arg_18= dword ptr 20h
        push    esi
        push    774E6350h               ; same tag as sub_1F2B0's sub-object
        push    1A40h
        push    0
        call    ds:ExAllocatePoolWithTag
        mov     esi, eax                ; esi = ctx
        test    esi, esi
        jz      short loc_1F5CF
        push    1A40h
        push    0
        push    esi
        call    memset                  ; memset(ctx, 0, 1A40h)
        add     esp, 0Ch
        mov     dword ptr [esi+1A30h], 0
        mov     dword ptr [esi+1A34h], 0
        jmp     short loc_1F5D1
loc_1F5CF:
        xor     esi, esi                ; allocation failed: ctx = 0, but setup still runs
loc_1F5D1:
        mov     eax, [esp+arg_14]
        mov     ecx, [esp+arg_10]
        mov     edx, [esp+arg_C]
        push    eax
        mov     eax, [esp+4+arg_8]
        push    ecx
        mov     ecx, [esp+8+arg_4]
        push    edx
        mov     edx, [esp+0Ch+arg_0]
        push    eax
        push    ecx
        push    edx
        mov     ecx, esi
        call    sub_1F2B0               ; status in eax is discarded
        mov     ecx, esi
        call    near ptr dword_17210+50h
        mov     ecx, [esp+arg_18]
        push    esi
        mov     [ecx], eax              ; *arg_18 = result of dword_17210+50h(ctx)
        call    sub_18160               ; sub_18160(ctx)
        mov     eax, esi
        pop     esi
        retn    1Ch
sub_1F590 endp
        align   10h

; ---------------------------------------------------------------------------
; sub_1F610(ctx) — stdcall destructor (retn 4). For a non-NULL ctx runs
; sub_1F4E0 and then ExFreePoolWithTag(ctx, 0). The tag passed here (0)
; is not the 774E6350h used at the allocation in sub_1F590; confirm
; against the ExFreePoolWithTag contract whether that mismatch matters.
; ---------------------------------------------------------------------------
sub_1F610 proc near
arg_0= dword ptr 8
        push    esi
        mov     esi, [esp+arg_0]        ; esi = ctx
        test    esi, esi
        jz      short loc_1F629
        mov     ecx, esi
        call    sub_1F4E0
        push    0                       ; tag 0 (allocated with 774E6350h)
        push    esi
        call    ds:ExFreePoolWithTag
loc_1F629:
        pop     esi
        retn    4
sub_1F610 endp ; sp = 4
        align   10h

; ---------------------------------------------------------------------------
; Function chunk of sub_1FB60: group-1 handler. Entered by jmp from
; sub_1FB60 with the same stack (arg_0 = ctx, arg_4 = req). req->[8]-1 is
; the case index, range-checked unsigned against 4 (off_1F6D4 has 5
; entries, so req->[8] = 1..5 dispatch and 0 wraps to the default).
; edi is held at 0 and returned as the status in every case except the
; default (0C000000Dh, STATUS_INVALID_PARAMETER).
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_1FB60
loc_1F630:
        push    esi
        mov     esi, [esp+4+arg_4]      ; esi = req
        mov     eax, [esi+8]
        push    edi
        add     eax, 0FFFFFFFFh         ; index = req->[8] - 1
        xor     edi, edi                ; edi = 0 = status on success
        cmp     eax, 4 ; switch 5 cases
        ja      loc_1F6C8 ; default
        jmp     ds:off_1F6D4[eax*4] ; switch jump
loc_1F64E: ; case 0x0                   ; req->[0Ch..13h] = "ESP1","01Oe" (8 ASCII bytes)
        mov     eax, edi
        pop     edi
        mov     dword ptr [esi+0Ch], 31505345h
        mov     dword ptr [esi+10h], 654F3130h
        pop     esi
        retn    8
loc_1F663: ; case 0x1                   ; sub_18300(req->[14h])
        mov     eax, [esi+14h]
        push    eax
        call    sub_18300
        mov     eax, edi
        pop     edi
        pop     esi
        retn    8
loc_1F673: ; case 0x2                   ; sub_18140() with no arguments
        call    sub_18140
        mov     eax, edi
        pop     edi
        pop     esi
        retn    8
loc_1F67F: ; case 0x3                   ; req->[1Ch] = sub_17820(ctx; req->[28h],[18h],[20h],[24h])
        mov     edx, [esi+24h]
        mov     ecx, [esi+20h]
        mov     eax, [esi+18h]
        push    ebx
        mov     ebx, [esi+28h]
        push    edx
        push    ecx
        mov     ecx, [esp+14h+arg_0]    ; ecx = ctx
        push    eax
        push    ebx
        call    sub_17820
        mov     [esi+1Ch], eax
        pop     ebx
        mov     eax, edi
        pop     edi
        pop     esi
        retn    8
loc_1F6A4: ; case 0x4                   ; sub_17810(ctx; req->[28h],[18h],[1Ch],[20h],[24h])
        mov     ecx, [esi+24h]
        mov     edx, [esi+20h]
        mov     eax, [esi+1Ch]
        push    ecx
        mov     ecx, [esi+18h]
        push    edx
        mov     edx, [esi+28h]
        push    eax
        push    ecx
        mov     ecx, [esp+18h+arg_0]    ; ecx = ctx
        push    edx
        call    sub_17810
        mov     eax, edi
        pop     edi
        pop     esi
        retn    8
loc_1F6C8: ; default
        pop     edi
        mov     eax, 0C000000Dh         ; STATUS_INVALID_PARAMETER
        pop     esi
        retn    8
; END OF FUNCTION CHUNK FOR sub_1FB60
        align   4
off_1F6D4 dd offset loc_1F64E ; jump table for switch statement
        dd offset loc_1F663
        dd offset loc_1F673
        dd offset loc_1F67F
        dd offset loc_1F6A4
        align   10h

; ---------------------------------------------------------------------------
; Function chunk of sub_1FB60: group-2 handler (arg_0 = ctx, arg_4 = req).
; Case index = req->[8]-1, range-checked unsigned against 0Ah; off_1F974
; has 11 entries (index 5 and out-of-range both go to loc_1F960 =
; STATUS_INVALID_PARAMETER). The status lives in var_4 (the "push ecx"
; slot), initialised to 0; cases that call ObReferenceObjectByHandle or
; dword_17210 return that callee's eax instead. Several cases read
; pointers and handles straight out of req (req->[10h], req->[48h]) and
; write through them without any probing visible here — if req comes from
; user mode, that validation has to be in the caller. The globals
; dword_1E204 / dword_1E20C are shared state; note that loc_1F7DF
; dereferences dword_1E204 without the NULL check the other cases do.
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_1FB60
loc_1F6F0:
        push    ecx                     ; reserves var_4 (status slot)
        push    ebx
        push    esi
        mov     esi, [esp+0Ch+arg_4]    ; esi = req
        mov     eax, [esi+8]
        add     eax, 0FFFFFFFFh         ; index = req->[8] - 1
        cmp     eax, 0Ah
        push    edi
        mov     [esp+10h+var_4], 0      ; default status 0
        ja      loc_1F960
        jmp     ds:off_1F974[eax*4]
loc_1F716:                              ; case 8: req->[40h] = probe result (0/1/sub_136A0)
        xor     ebx, ebx
        cmp     dword_1E204, ebx
        jz      short loc_1F766         ; no global object -> req->[40h] = 0
        mov     edi, [esp+10h+arg_0]    ; edi = ctx
        test    edi, edi
        mov     ebx, 1
        jz      short loc_1F766
        mov     ecx, [edi+1A3Ch]
        test    ecx, ecx
        jz      short loc_1F766
        push    0
        push    0
        push    2
        call    sub_13960               ; sub_13960(obj; 2, 0, 0)
        test    eax, eax
        jnz     short loc_1F759
        mov     ecx, [edi+1A3Ch]
        push    eax
        push    ebx
        push    2
        call    sub_13960               ; sub_13960(obj; 2, 1, 0)
        test    eax, eax
        jz      short loc_1F766         ; both zero -> req->[40h] = 1
loc_1F759:
        mov     ecx, [edi+1A3Ch]
        call    sub_136A0
        mov     ebx, eax
loc_1F766:
        mov     eax, [esp+10h+var_4]
        pop     edi
        mov     [esi+40h], ebx
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F774:                              ; case 0: ctx->[19D8h] = object for handle req->[10h]
        mov     esi, [esi+10h]          ; esi = handle from req
        test    esi, esi
        jnz     short loc_1F790
        mov     eax, [esp+10h+arg_0]
        pop     edi
        mov     [eax+19D8h], esi        ; handle 0 -> clear the slot; previous value not dereferenced here
        mov     eax, [esp+0Ch+var_4]
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F790:                              ; ObReferenceObjectByHandle(h, 0, NULL, 1, &dword_1E20C, NULL)
        push    0                       ; HandleInformation
        push    offset dword_1E20C      ; Object (global)
        push    1                       ; AccessMode = 1 (UserMode in the documented encoding)
        push    0                       ; ObjectType = NULL: any object type is accepted
        push    0                       ; DesiredAccess
        push    esi                     ; Handle
        call    ds:ObReferenceObjectByHandle
        mov     ecx, [esp+28h+var_14]   ; ecx = ctx (arg_0)
        mov     edx, dword_1E20C
        pop     edi
        pop     esi
        mov     [esp+20h+var_1C], eax   ; status copied into the var_4 slot (popped below)
        mov     [ecx+19D8h], edx        ; stored whether or not the call succeeded
        pop     ebx
        pop     ecx
        retn    8                       ; eax = status from ObReferenceObjectByHandle
loc_1F7BF:                              ; case 1: return dword_17210(ctx; 0, req->[20h], 0, 0, 0)
        mov     eax, [esi+20h]
        mov     ecx, [esp+10h+arg_0]
        push    0
        push    0
        push    0
        push    eax
        push    0
        call    near ptr dword_17210
        pop     edi
        pop     esi
        mov     [esp+1Ch+var_18], eax   ; into the var_4 slot; eax itself is the return value
        pop     ebx
        pop     ecx
        retn    8
loc_1F7DF:                              ; case 2: sub_17640(ctx; req->[24h],[28h],[2Ch], g->[4]-g->[8]+req->[30h], req->[38h])
        mov     eax, dword_1E204        ; g = dword_1E204 — no NULL check on this path
        mov     edx, [eax+4]
        sub     edx, [eax+8]
        mov     ecx, [esi+38h]
        add     edx, [esi+30h]
        mov     eax, [esi+2Ch]
        push    ecx
        mov     ecx, [esi+28h]
        push    edx
        mov     edx, [esi+24h]
        push    eax
        push    ecx
        mov     ecx, [esp+20h+arg_0]    ; ecx = ctx
        push    edx
        call    sub_17640
        mov     eax, [esp+10h+var_4]
        pop     edi
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F812:                              ; case 3: req->[40h] = sub_17670(ctx; req->[3Ch], req->[40h]), bracketed by nullsub_2
        cmp     dword ptr [esi+40h], 0
        mov     edi, [esp+10h+arg_0]    ; edi = ctx
        jz      short loc_1F825
        push    1
        mov     ecx, edi
        call    nullsub_2               ; empty stub (IDA "nullsub")
loc_1F825:
        mov     eax, [esi+40h]
        mov     ecx, [esi+3Ch]
        push    eax
        push    ecx
        mov     ecx, edi
        call    sub_17670
        cmp     dword ptr [esi+40h], 0
        mov     ebx, eax
        jnz     short loc_1F845
        push    0
        mov     ecx, edi
        call    nullsub_2
loc_1F845:
        mov     eax, [esp+10h+var_4]
        pop     edi
        mov     [esi+40h], ebx
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F853:                              ; case 4: replace global dword_1E204 from req->[44h]; result via *(req->[48h])
        mov     edi, [esi+44h]
        test    edi, edi
        jnz     short loc_1F877
        mov     edx, dword_1E204
        push    edx
        call    sub_18390               ; sub_18390(old global), then clear it
        mov     eax, [esp+10h+var_4]
        mov     dword_1E204, edi
        pop     edi
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F877:
        cmp     dword_1E204, 0
        jz      short loc_1F8BB
        mov     eax, [esp+10h+arg_0]
        mov     ecx, [eax+1A3Ch]
        call    sub_136A0               ; busy check on the sub-object
        test    eax, eax
        jz      short loc_1F8AF
        mov     ecx, [esi+48h]          ; out pointer taken from req, written unvalidated here
        pop     edi
        mov     [esp+0Ch+var_4], 0C0000001h ; STATUS_UNSUCCESSFUL
        mov     eax, [esp+0Ch+var_4]
        pop     esi
        mov     dword ptr [ecx], 0
        pop     ebx
        pop     ecx
        retn    8
loc_1F8AF:
        mov     edx, dword_1E204
        push    edx
        call    sub_18390
loc_1F8BB:
        push    edi
        call    sub_18330               ; new object from req->[44h]
        mov     ecx, [esi+48h]
        mov     edx, [eax+8]            ; eax not NULL-checked before this load
        pop     edi
        pop     esi
        mov     dword_1E204, eax
        mov     eax, [esp+8+var_4]
        mov     [ecx], edx              ; *(req->[48h]) = new->[8]
        pop     ebx
        pop     ecx
        retn    8
loc_1F8D9:                              ; case 7: sub_13630(ctx->[1A3Ch]; req->[40h])
        mov     eax, [esi+40h]
        mov     ecx, [esp+10h+arg_0]
        mov     ecx, [ecx+1A3Ch]
        push    eax
        call    sub_13630
        mov     eax, [esp+10h+var_4]
        pop     edi
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F8F7:                              ; case 9: sub_15260(ctx->[1A3Ch]; req->[70h], req->[74h])
        mov     edx, [esi+74h]
        mov     eax, [esi+70h]
        mov     ecx, [esp+10h+arg_0]
        mov     ecx, [ecx+1A3Ch]
        push    edx
        push    eax
        call    sub_15260
        mov     eax, [esp+10h+var_4]
        pop     edi
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F919:                              ; case 6: req->[40h] = sub_17570(ctx; req->[58h],[5Ch],[40h])
        mov     edx, [esi+40h]
        mov     edi, [esp+10h+arg_0]    ; edi = ctx
        push    edx
        mov     ecx, edi
        call    nullsub_2               ; empty stub
        mov     eax, [esi+40h]
        mov     ecx, [esi+5Ch]
        mov     edx, [esi+58h]
        push    eax
        push    ecx
        push    edx
        mov     ecx, edi
        call    sub_17570
        pop     edi
        mov     [esi+40h], eax
        mov     eax, [esp+0Ch+var_4]
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F949:                              ; case 10: req->[40h] = sub_17710(ctx)
        mov     ecx, [esp+10h+arg_0]
        call    sub_17710
        pop     edi
        mov     [esi+40h], eax
        mov     eax, [esp+0Ch+var_4]
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
loc_1F960:                              ; case 5 and default: STATUS_INVALID_PARAMETER
        pop     edi
        mov     [esp+0Ch+var_4], 0C000000Dh
        mov     eax, [esp+0Ch+var_4]
        pop     esi
        pop     ebx
        pop     ecx
        retn    8
; END OF FUNCTION CHUNK FOR sub_1FB60
        align   4
off_1F974 dd offset loc_1F774           ; 11 entries, index = req->[8]-1
        dd offset loc_1F7BF
        dd offset loc_1F7DF
        dd offset loc_1F812
        dd offset loc_1F853
        dd offset loc_1F960
        dd offset loc_1F919
        dd offset loc_1F8D9
        dd offset loc_1F716
        dd offset loc_1F8F7
        dd offset loc_1F949

; ---------------------------------------------------------------------------
; Function chunk of sub_1FB60: group-3 handler (arg_0 = ctx, arg_4 = req).
; Case index = req->[8]-1, range-checked unsigned against 0Ah; off_1FB34
; has 11 entries. ebx carries the status (0 unless a case sets
; 0C000000Dh). Case 0 copies 147h dwords (51Ch bytes) to the pointer in
; req->[10h] with rep movsd and case 7 references the handle in req->[48h]
; — neither pointer is validated in this chunk. Case 2 reuses its own
; incoming arg_4 stack slot and var_4 as scratch out-parameters.
; ---------------------------------------------------------------------------
; START OF FUNCTION CHUNK FOR sub_1FB60
loc_1F9A0:
        push    ecx                     ; reserves var_4
        push    ebx
        push    esi
        push    edi
        mov     edi, [esp+10h+arg_4]    ; edi = req
        mov     eax, [edi+8]
        add     eax, 0FFFFFFFFh         ; index = req->[8] - 1
        xor     ebx, ebx                ; ebx = status 0
        cmp     eax, 0Ah ; switch 11 cases
        ja      short loc_1FA2C ; default
        jmp     ds:off_1FB34[eax*4] ; switch jump
loc_1F9BC: ; case 0x9                   ; sub_174E0(ctx; req->[10h]); sub_174B0(ctx; sub_174D0(ctx))
        mov     eax, [edi+10h]
        mov     esi, [esp+10h+arg_0]    ; esi = ctx
        push    eax
        mov     ecx, esi
        call    sub_174E0
        mov     ecx, esi
        call    sub_174D0
        push    eax
        mov     ecx, esi
        call    sub_174B0
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1F9E3: ; case 0x0                   ; memcpy(req->[10h], sub_174D0(ctx), 51Ch)
        mov     ecx, [esp+10h+arg_0]
        call    sub_174D0
        mov     edi, [edi+10h]          ; destination pointer straight from req
        mov     esi, eax
        mov     ecx, 147h               ; 147h dwords
        rep movsd
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FA01: ; case 0x1                   ; sub_174E0(ctx; req->[10h])
        mov     ecx, [edi+10h]
        push    ecx
        mov     ecx, [esp+14h+arg_0]
        call    sub_174E0
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FA17: ; case 0x3                   ; sub_17880(ctx; req->[28h], req->[2Ch]) == 0 -> STATUS_INVALID_PARAMETER
        mov     edx, [edi+2Ch]
        mov     eax, [edi+28h]
        mov     ecx, [esp+10h+arg_0]
        push    edx
        push    eax
        call    sub_17880
        test    eax, eax
        jnz     short loc_1FA31
loc_1FA2C: ; default
        mov     ebx, 0C000000Dh         ; STATUS_INVALID_PARAMETER
loc_1FA31:
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FA3A: ; case 0x4                   ; req->[28h] = sub_17600(ctx)
        mov     ecx, [esp+10h+arg_0]
        call    sub_17600
        mov     [edi+28h], eax
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FA4F: ; case 0x2                   ; sub_174F0(ctx; req->[0Ch], &var_4, &arg_4) with in/out copies of req->[20h], req->[18h]
        mov     ecx, [edi+20h]
        mov     edx, [edi+18h]
        mov     [esp+10h+var_4], ecx    ; var_4 = req->[20h]
        lea     eax, [esp+10h+arg_4]    ; &arg_4 (the incoming arg slot, reused as scratch)
        push    eax
        lea     ecx, [esp+14h+var_4]    ; &var_4
        mov     [esp+14h+arg_4], edx    ; arg_4 slot = req->[18h]
        mov     edx, [edi+0Ch]
        push    ecx
        mov     ecx, [esp+18h+arg_0]    ; ecx = ctx
        push    edx
        call    sub_174F0
        mov     eax, [esp+10h+arg_4]
        mov     ecx, [esp+10h+var_4]
        mov     [edi+18h], eax          ; write the (possibly updated) copies back
        mov     [edi+20h], ecx
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FA8B: ; case 0x5                   ; sub_17610(ctx)
        mov     ecx, [esp+10h+arg_0]
        call    sub_17610
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FA9D: ; case 0xA                   ; req->[50h] = sub_17830(ctx)
        mov     ecx, [esp+10h+arg_0]
        call    sub_17830
        mov     [edi+50h], eax
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FAB2: ; case 0x8                   ; sub_17620(ctx)
        mov     ecx, [esp+10h+arg_0]
        call    sub_17620
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FAC4: ; case 0x6                   ; nullsub_3(ctx; req->[30h],[34h],[38h],[3Ch],[40h],[44h]) — empty stub
        mov     edx, [edi+44h]
        mov     eax, [edi+40h]
        mov     ecx, [edi+3Ch]
        push    edx
        mov     edx, [edi+38h]
        push    eax
        mov     eax, [edi+34h]
        push    ecx
        mov     ecx, [edi+30h]
        push    edx
        push    eax
        push    ecx
        mov     ecx, [esp+28h+arg_0]
        call    nullsub_3
        pop     edi
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FAEE: ; case 0x7                   ; ctx->[19D4h] = object for handle req->[48h]
        mov     edi, [edi+48h]          ; edi = handle from req
        cmp     edi, ebx
        jnz     short loc_1FB08
        mov     edx, [esp+10h+arg_0]
        pop     edi
        pop     esi
        mov     [edx+19D4h], ebx        ; handle 0 -> clear slot; old value not dereferenced here
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
loc_1FB08:                              ; ObReferenceObjectByHandle(h, 0, NULL, 1, &dword_1E208, NULL)
        push    ebx                     ; HandleInformation
        push    offset dword_1E208      ; Object (global)
        push    1                       ; AccessMode = 1 (UserMode in the documented encoding)
        push    ebx                     ; ObjectType = NULL: any object type is accepted
        push    ebx                     ; DesiredAccess
        push    edi                     ; Handle
        call    ds:ObReferenceObjectByHandle
        mov     ecx, dword_1E208
        mov     ebx, eax                ; status becomes the return value
        mov     eax, [esp+28h+var_14]   ; eax = ctx (arg_0)
        pop     edi
        mov     [eax+19D4h], ecx        ; stored whether or not the call succeeded
        pop     esi
        mov     eax, ebx
        pop     ebx
        pop     ecx
        retn    8
; END OF FUNCTION CHUNK FOR sub_1FB60
off_1FB34 dd offset loc_1F9E3 ; jump table for switch statement
        dd offset loc_1FA01
        dd offset loc_1FA4F
        dd offset loc_1FA17
        dd offset loc_1FA3A
        dd offset loc_1FA8B
        dd offset loc_1FAC4
        dd offset loc_1FAEE
        dd offset loc_1FAB2
        dd offset loc_1F9BC
        dd offset loc_1FA9D

; ---------------------------------------------------------------------------
; sub_1FB60(ctx, req) — stdcall (retn 8) request router; the three chunks
; above are its bodies. req->[0] selects the group (1..3; anything else,
; including 0, returns 0C000000Dh STATUS_INVALID_PARAMETER after the
; unsigned compare on req->[0]-1) and req->[8] selects the case inside the
; group. The "mov [esp+8], eax" before each jump stores arg_4's own value
; back into arg_4 (eax was loaded from [esp+8]), i.e. a no-op. Routing:
;   group 1 -> loc_1F630 (off_1F6D4, 5 cases)
;   group 2 -> loc_1F6F0 (off_1F974, 11 cases)
;   group 3 -> loc_1F9A0 (off_1FB34, 11 cases)
; Nothing in this routine or its chunks validates the pointers and handles
; carried inside req; that must be done by whoever builds req.
; ---------------------------------------------------------------------------
sub_1FB60 proc near
var_1C= dword ptr -1Ch
var_18= dword ptr -18h
var_14= dword ptr -14h
var_4= dword ptr -4
arg_0= dword ptr 4
arg_4= dword ptr 8
; FUNCTION CHUNK AT PAGE:0001F630 SIZE 000000A2 BYTES
; FUNCTION CHUNK AT PAGE:0001F6F0 SIZE 00000283 BYTES
; FUNCTION CHUNK AT PAGE:0001F9A0 SIZE 00000194 BYTES
        mov     eax, [esp+8]            ; eax = req
        mov     ecx, [eax]
        add     ecx, 0FFFF FFFFh ; switch 4 cases
        cmp     ecx, 3
        ja      short loc_1FB90 ; default
        jmp     ds:off_1FB98[ecx*4] ; switch jump
loc_1FB75: ; case 0x1
        mov     [esp+8], eax            ; rewrites arg_4 with itself
        jmp     loc_1F630
loc_1FB7E: ; case 0x2
        mov     [esp+8], eax
        jmp     loc_1F6F0
loc_1FB87: ; case 0x3
        mov     [esp+8], eax
        jmp     loc_1F9A0
loc_1FB90: ; default
        mov     eax, 0C000000Dh         ; STATUS_INVALID_PARAMETER
        retn    8
sub_1FB60 endp ; sp = -18h
off_1FB98 dd offset loc_1FB75 ; jump table for switch statement
        dd offset loc_1FB7E
        dd offset loc_1FB87
        dd offset loc_1FB90
        align   80h
PAGE ends

; Section 7. (virtual address 00010000)
; Virtual size : 000006FA ( 1786.)
; Section size in file : 00000800 ( 2048.)
; Offset to raw data for section: 0000B000
; Flags E2000020: Text Discardable Executable Readable Writable
; Alignment : default
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
;
; ---------------------------------------------------------------------------
; INIT section (discardable, mapped RWX per the flags above). IDA has not
; typed this region; its layout matches a PE import directory: dword_20000
; holds three five-dword groups plus a five-dword terminator (the shape of
; IMAGE_IMPORT_DESCRIPTOR), the RVA lists after it look like the import
; thunk arrays, and the rest is the hint/name table — a 16-bit hint
; followed by an ASCIZ name — for ntoskrnl.exe, HAL.dll and portcls.sys.
; IDA merged several hints into the strings (e.g. 'p',7,'memset' is hint
; 0770h + "memset") and split others at odd bytes, which is why labels
; such as aTerlockedincre are fragments. Treat this as an interpretation
; to confirm against the PE headers, not as a definition.
; ---------------------------------------------------------------------------
INIT segment para public 'CODE' use32
assume cs:INIT
;org 20000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dword_20000 dd 10068h, 2 dup(0)         ; descriptor 1: thunk RVA, 0, 0, name RVA, IAT RVA
        dd 1065Ch, 0D018h, 10050h, 2 dup(0) ; descriptor 2 starts at 10050h
        dd 106D2h, 0D000h, 1015Ch, 2 dup(0) ; descriptor 3 starts at 1015Ch
        dd 106EEh, 0D10Ch, 5 dup(0)     ; terminator
        dd 106ACh, 1069Ah, 10686h, 1066Ah, 106BEh
        dd 0
        dd 101D6h, 101EEh, 10208h, 10212h, 10222h
        dd 10232h, 10244h, 10258h, 10266h, 1027Ah
        dd 10294h, 102A0h, 102B6h, 102CAh, 102E6h
        dd 102F6h, 1030Ch, 1031Eh, 10336h, 10354h
        dd 1036Eh, 10382h, 1039Ah, 103B2h, 103C8h
        dd 101C4h, 103ECh, 103FEh, 1041Ch, 1043Ah
        dd 1044Ch, 10462h, 1047Eh, 10498h, 104B0h
        dd 104C8h, 104E0h, 104F0h, 10504h, 1051Ch
        dd 1053Eh, 10562h, 1057Eh, 1059Ah, 105B0h
        dd 105BCh, 105C8h, 105E0h, 105F0h, 10610h
        dd 10620h, 10636h, 1064Ah, 101B2h, 101A8h
        dd 10194h, 10186h, 1017Ch, 103DAh, 10164h
        dd 0
        dd 106DAh, 0
        db 67h ; g
        align   2
aExallocatepool db 'ExAllocatePoolWithTag',0
aPMemset db 'p',7,'memset',0
        align   2
        db '|',0
aExfreepool db 'ExFreePool',0
        align   4
        db 0E9h ; T
        db 2, 4Bh, 65h
aQuerysystemtim db 'QuerySystemTime',0
        dd 775A0699h, 736F6C43h, 7010065h, 7551775Ah
        dd 56797265h, 65756C61h, 79654Bh, 78450064h
        dd 6F6C6C41h, 65746163h, 6C6F6F50h, 5460000h
aRtlinitunicode db 'RtlInitUnicodeString',0
        align   2
        dw 21Ah
aIoopendevicere db 'IoOpenDeviceRegistryKey',0
aNMemcpy db 'n',7,'memcpy',0
        align   2
aZwsetvaluekey db '(',7,'ZwSetValueKey',0
        dw 381h
aMmmapiospace db 'MmMapIoSpace',0
        align   2
        dw 3A1h
aMmunmapiospace db 'MmUnmapIoSpace',0
        align   4
        db '}',0
aExfreepoolwith db 'ExFreePoolWithTag',0
        dd 654B0313h, 45746553h, 746E6576h, 2D40000h
        dd 6E49654Bh, 74726573h, 75657551h, 63704465h
        dd 3240000h
aKesynchronizee db 'KeSynchronizeExecution',0
        align   4
        db 0E9h ; T
        db 1, 49h, 6Fh
aFreemdl db 'FreeMdl',0
        db 0A2h ; ó
        db 3, 4Dh, 6Dh
aUnmaplockedpag db 'UnmapLockedPages',0
        align   2
        dw 382h
aMmmaplockedpag db 'MmMapLockedPages',0
        align   2
        dw 360h
aMmbuildmdlforn db 'MmBuildMdlForNonPagedPool',0
        dw 1A0h
aIoallocatemdl db 'IoAllocateMdl',0
        dw 1BDh
aIoconnectinter db 'IoConnectInterrupt',0
        align   4
        retn                            ; IDA decoded a 0C3h hint byte as an instruction
        db 2, 4Bh, 65h
aInitializedpc db 'InitializeDpc',0
        dw 370h
aMmgetphysicala db 'MmGetPhysicalAddress',0
        align   2
        dw 358h
aMmallocatecont db 'MmAllocateContiguousMemory',0
        align   4
        db 6Bh ; k
        db 3, 4Dh, 6Dh
aFreecontiguous db 'FreeContiguousMemory',0
        align   2
        dw 305h
aKeremovequeued db 'KeRemoveQueueDpc',0
        align   2
        dw 1DCh
aIodisconnectin db 'IoDisconnectInterrupt',0
        dw 527h
aRtlfreeunicode db 'RtlFreeUnicodeString',0
        align   2
        dw 1F8h
aIogetdevicepro db 'IoGetDeviceProperty',0
        dd 6F500441h, 50746553h, 7265776Fh, 74617453h
        dd 1D50065h, 65446F49h, 6574656Ch, 69766544h
        dd 6563h, 6F4901D8h, 61746544h, 65446863h
        dd 65636976h, 1A90000h
aIoattachdevice db 'IoAttachDeviceToDeviceStack',0
        db 0FDh ; ²
        db 1, 49h, 6Fh
aGetdriverobjec db 'GetDriverObjectExtension',0
        align   2
        dw 1C1h
aIocreatedevice db 'IoCreateDevice',0
        align   4
        db 82h ; é
        db 2, 49h, 6Fh
aFcompletereque db 'fCompleteRequest',0
        align   2
        dw 243h
aIosetdeviceint db 'IoSetDeviceInterfaceState',0
        dw 217h
aIoiswdmversion db 'IoIsWdmVersionAvailable',0
        db 94h ; ö
        db 1, 49h, 6Eh
aTerlockedincre db 'terlockedIncrement',0
        align   10h
        db 91h ; æ
        db 1, 49h, 6Eh
aTerlockeddecre db 'terlockedDecrement',0
        align   4
        db 30h ; 0
        db 3, 4Bh, 65h
aWaitforsingleo db 'WaitForSingleObject',0
        db 81h ; ü
        db 2, 49h, 6Fh
aFcalldriver db 'fCallDriver',0
        db 0C4h ; -
        db 2, 4Bh, 65h
aInitializeeven db 'InitializeEvent',0
        db 0E6h ; µ
        db 4, 52h, 74h
aLcopyunicodest db 'lCopyUnicodeString',0
        align   4
        db 9Dh ; ¥
        db 1, 49h, 6Fh
aAllocatedriver db 'AllocateDriverObjectExtension',0
        dw 219h
aIoopendevicein db 'IoOpenDeviceInterfaceRegistryKey',0
        align   2
        dw 22Ch
aIoregisterdevi db 'IoRegisterDeviceInterface',0
        dw 423h
aObreferenceobj db 'ObReferenceObjectByHandle',0
        dw 42Ch
aObfreferenceob db 'ObfReferenceObject',0
        align   10h
aBSwprintf db 'ü',7,'swprintf',0
        align   4
        db 0E8h ; F
        db 1, 49h, 6Fh
aFreeirp db 'FreeIrp',0
        db 2Bh ; +
        db 4, 4Fh, 62h
aFdereferenceob db 'fDereferenceObject',0
        align   10h
        db 9Fh ; ƒ
        db 1, 49h, 6Fh
aAllocateirp db 'AllocateIrp',0
        db 0EEh ; e
        db 1, 49h, 6Fh
aGetattacheddev db 'GetAttachedDeviceReference',0
        align   10h
        db 33h ; 3
        db 4, 50h, 6Fh
aCalldriver db 'CallDriver',0
        align   10h
        db 45h ; E
        db 4, 50h, 6Fh
aStartnextpower db 'StartNextPowerIrp',0
        dw 43Dh
aPorequestpower db 'PoRequestPowerIrp',0
aG db 'ú',0
aExqueueworkite db 'ExQueueWorkItem',0
aNtoskrnl_exe db 'ntoskrnl.exe',0       ; imported module names
        align   2
aU db 'U',0
aKestallexecuti db 'KeStallExecutionProcessor',0
aF db 'f',0
aWrite_port_ulo db 'WRITE_PORT_ULONG',0
        align   2
        db '`',0
aRead_port_ulon db 'READ_PORT_ULONG',0
a_ db '_',0
aRead_port_ucha db 'READ_PORT_UCHAR',0
        db 'L',0
aKegetcurrentir db 'KeGetCurrentIrql',0
        align   2
aHal_dll db 'HAL.dll',0
        dw 0Fh
aPcgettimeinter db 'PcGetTimeInterval',0
aPortcls_sys db 'portcls.sys',0
        align   200h
INIT ends

; Section 8. (virtual address 00011000)
; Virtual size : 000000B0 ( 176.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 0000B800 ; Flags 40000040: Data Readable ; Alignment : default ; Segment type: Pure data ; Segment permissions: Read _rsrc segment para public 'DATA' use32 assume cs:_rsrc ;org 21000h db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 0 db 0 db 1 db 0 db 18h db 0 db 0 db 0 db 18h db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 0 db 0 db 1 db 0 db 1 db 0 db 0 db 0 db 30h ; 0 db 0 db 0 db 80h ; Ç db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 4 db 0 db 0 db 0 db 0 db 0 db 1 db 0 db 9 db 4 db 0 db 0 db 48h ; H db 0 db 0 db 0 db 58h ; X db 10h db 1 db 0 db 56h ; V db 0 db 0 db 0 db 0E4h ; S db 4 db 0 db 0 db 0 db 0 db 0 db 0 db 3Ch ; < db 61h ; a db 73h ; s db 73h ; s db 65h ; e db 6Dh ; m db 62h ; b db 6Ch ; l db 79h ; y db 20h db 78h ; x db 6Dh ; m db 6Ch ; l db 6Eh ; n db 73h ; s db 3Dh ; = db 22h ; " db 75h ; u db 72h ; r db 6Eh ; n db 3Ah ; : db 73h ; s db 63h ; c db 68h ; h db 65h ; e db 6Dh ; m db 61h ; a db 73h ; s db 2Dh ; - db 6Dh ; m db 69h ; i db 63h ; c db 72h ; r db 6Fh ; o db 73h ; s db 6Fh ; o db 66h ; f db 74h ; t db 2Dh ; - db 63h ; c db 6Fh ; o db 6Dh ; m db 3Ah ; : db 61h ; a db 73h ; s db 6Dh ; m db 2Eh ; . db 76h ; v db 31h ; 1 db 22h ; " db 20h db 6Dh ; m db 61h ; a db 6Eh ; n db 69h ; i db 66h ; f db 65h ; e db 73h ; s db 74h ; t db 56h ; V db 65h ; e db 72h ; r db 73h ; s db 69h ; i db 6Fh ; o db 6Eh ; n db 3Dh ; = db 22h ; " db 31h ; 1 db 2Eh ; . 
db 30h ; 0 db 22h ; " db 3Eh ; > db 0Dh db 0Ah db 3Ch ; < db 2Fh ; / db 61h ; a db 73h ; s db 73h ; s db 65h ; e db 6Dh ; m db 62h ; b db 6Ch ; l db 79h ; y db 3Eh ; > db 50h ; P db 41h ; A db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 
49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G db 58h ; X db 58h ; X db 50h ; P db 41h ; A db 44h ; D db 44h ; D db 49h ; I db 4Eh ; N db 47h ; G _rsrc ends end start@