head 1.1; access; symbols; locks; strict; comment @# @; expand @o@; 1.1 date 2011.03.01.18.28.21; author wvholst; state Exp; branches; next ; desc @none @ 1.1 log @save attachment @ text @ IDA - Z:\home\wvholst\Documents\EP10eDrv.idb (EP10eDrv.sys)
;
; +-------------------------------------------------------------------------+
; ¦     This file is generated by The Interactive Disassembler (IDA)        ¦
; ¦     Copyright (c) 2010 by Hex-Rays SA, <support@@hex-rays.com>           ¦
; ¦                      Licensed to: Freeware version                      ¦
; +-------------------------------------------------------------------------+
;
; Input MD5   : 519B4A93DA63DEE92FAA64A433C61D86

; File Name   : Z:\home\wvholst\Downloads\win32\EP10eDrv.sys
; Format      : Portable executable for 80386 (PE)
; Imagebase   : 10000
; Section 1. (virtual address 00001000)
; Virtual size                  : 0000808F (  32911.)
; Section size in file          : 00008200 (  33280.)
; Offset to raw data for section: 00000400
; Flags 68000020: Text Not pageable Executable Readable
; Alignment     : default


; IDA helper macro for UTF-16 style string data.
; For every character of <string> it emits the character byte followed by the
; byte `page` (so `page` becomes the high byte of each 16-bit unit); when the
; optional `zero` argument is supplied it appends that value as a terminating word.
unicode         macro page,string,zero
irpc c,<string>
db '&c', page
endm
ifnb <zero>
dw zero
endif
endm

; Assembler set-up emitted by IDA: 32-bit flat model, with the privileged
; instruction set enabled (.686p), as expected for a kernel-mode .sys image.
.686p
.mmx
.model flat


; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
; The commented-out org below records the section's load address (image base
; 10000h + section RVA 1000h); every loc_/sub_ label in this listing encodes
; an address relative to it.
;org 11000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing



; sub_11000 -- constructor-style routine for the two-slot parent object.
; Convention as seen here: ecx = object pointer, one stack argument, callee
; cleans the stack (retn 4) -- the MSVC thiscall pattern.
; In:  ecx   = parent object; receives one pointer at [ecx+0] and one at [ecx+4]
;      arg_0 = pointer to two dwords, one forwarded to sub_13280 per slot
; Out: eax   = the parent object pointer (original ecx)
; For each slot: ExAllocatePoolWithTag(PoolType 0 = NonPagedPool in the WDK
; POOL_TYPE enum, 568h bytes, tag 774E6350h), memset the block to zero, then
; call sub_13280(this = block, dword from arg_0, slot index 0 or 1). The value
; returned by sub_13280 is what gets stored in the slot.
; NOTE(review): a failed allocation stores 0 in the slot and the routine still
; returns normally, so the caller receives no failure status. Most of the
; small dispatch routines that follow load [ecx] / [ecx+4] and use the result
; without a NULL test (sub_114E0 and sub_11540 are the visible exceptions) --
; confirm the caller validates both slots before using the object.
sub_11000 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
push    ebx
mov     ebx, [eax]              ; ebx = first dword of the argument block (used for slot 0)
mov     eax, [eax+4]            ; eax = second dword (used for slot 1)
push    ebp
mov     ebp, ds:ExAllocatePoolWithTag
push    esi
push    edi
; Arguments for ExAllocatePoolWithTag, pushed right to left: Tag, NumberOfBytes, PoolType.
push    774E6350h
push    568h
push    0
mov     esi, ecx                ; esi = parent object for the rest of the routine
mov     [esp+1Ch+arg_0], eax    ; park the slot-1 dword in the incoming argument slot
call    ebp ; ExAllocatePoolWithTag
mov     edi, eax
test    edi, edi
jz      short loc_11049         ; allocation failed -> slot 0 becomes NULL
; Zero the whole 568h-byte block before it is initialised (memset is cdecl,
; hence the explicit stack clean-up).
push    568h
push    0
push    edi
call    memset
add     esp, 0Ch
push    0                       ; slot index 0
push    ebx
mov     ecx, edi
call    sub_13280
jmp     short loc_1104B

loc_11049:
xor     eax, eax

loc_1104B:
; Second allocation, same size and tag; eax from the first half is stored in
; slot 0 while the arguments are being pushed.
push    774E6350h
push    568h
push    0
mov     [esi], eax
call    ebp ; ExAllocatePoolWithTag
mov     edi, eax
test    edi, edi
jz      short loc_1108B         ; allocation failed -> slot 1 becomes NULL
push    568h
push    0
push    edi
call    memset
mov     ecx, [esp+1Ch+arg_0]    ; reload the parked slot-1 dword (read before the cdecl clean-up)
add     esp, 0Ch
push    1                       ; slot index 1
push    ecx
mov     ecx, edi
call    sub_13280
pop     edi
mov     [esi+4], eax
mov     eax, esi
pop     esi
pop     ebp
pop     ebx
retn    4

loc_1108B:
; Failure path for slot 1: store NULL, still return the parent object.
xor     eax, eax
pop     edi
mov     [esi+4], eax
mov     eax, esi
pop     esi
pop     ebp
pop     ebx
retn    4
sub_11000 endp

align 10h



; sub_110A0 -- applies sub_13380 to both slot objects of the parent in ecx.
; Slot 0 is handled with a call, slot 1 with a tail jump, so the value returned
; to the caller is whatever sub_13380 returns for slot 1.
; NOTE(review): neither slot pointer is tested for NULL before being passed as
; `this`; sub_11000 stores 0 in a slot when its allocation fails.
sub_110A0 proc near
push    esi
mov     esi, ecx
mov     ecx, [esi]
call    sub_13380
mov     ecx, [esi+4]
pop     esi
jmp     sub_13380
sub_110A0 endp

align 10h



; sub_110C0 -- slot selector in front of sub_11650.
; In:  ecx = parent object, arg_0 = slot selector (0 -> [ecx+0], non-zero -> [ecx+4]),
;      arg_4 = value forwarded unchanged as sub_11650's single stack argument.
; Out: eax = result of sub_11650. Callee cleans 8 bytes.
; NOTE(review): the selected slot pointer is not checked for NULL here, and
; sub_11650 dereferences it immediately.
sub_110C0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_0], 0
jz      short loc_110D7
mov     eax, [esp+arg_4]
mov     ecx, [ecx+4]
push    eax
call    sub_11650
retn    8

loc_110D7:
mov     edx, [esp+arg_4]
mov     ecx, [ecx]
push    edx
call    sub_11650
retn    8
sub_110C0 endp

align 10h



; sub_110F0 -- slot selector in front of sub_116F0.
; In:  ecx = parent object, arg_0 = slot selector (0 -> [ecx+0], non-zero -> [ecx+4]),
;      arg_4 = value forwarded unchanged to sub_116F0.
; Callee cleans 8 bytes. The slot pointer is used without a NULL test.
sub_110F0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_0], 0
jz      short loc_11107
mov     eax, [esp+arg_4]
mov     ecx, [ecx+4]
push    eax
call    sub_116F0
retn    8

loc_11107:
mov     edx, [esp+arg_4]
mov     ecx, [ecx]
push    edx
call    sub_116F0
retn    8
sub_110F0 endp

align 10h



; sub_11120 -- slot selector in front of sub_11760.
; In:  ecx = parent object, arg_0 = slot selector (0 -> [ecx+0], non-zero -> [ecx+4]),
;      arg_4 = pointer forwarded to sub_11760, which stores one byte through it.
; Out: eax = result of sub_11760. Callee cleans 8 bytes.
; NOTE(review): neither the slot pointer nor the output pointer in arg_4 is
; validated on this path.
sub_11120 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_0], 0
jz      short loc_11137
mov     eax, [esp+arg_4]
mov     ecx, [ecx+4]
push    eax
call    sub_11760
retn    8

loc_11137:
mov     edx, [esp+arg_4]
mov     ecx, [ecx]
push    edx
call    sub_11760
retn    8
sub_11120 endp

align 10h



; sub_11150 -- slot selector in front of sub_117A0 (which takes no stack arguments).
; In:  ecx = parent object, arg_0 = slot selector (0 -> [ecx+0], non-zero -> [ecx+4]).
; Out: eax = result of sub_117A0. Callee cleans 4 bytes.
sub_11150 proc near

arg_0= dword ptr  4

cmp     [esp+arg_0], 0
jz      short loc_11162
mov     ecx, [ecx+4]
call    sub_117A0
retn    4

loc_11162:
mov     ecx, [ecx]
call    sub_117A0
retn    4
sub_11150 endp

align 10h



; sub_11170 -- slot selector in front of sub_117D0 that also records the value.
; In:  ecx = parent object, arg_0 = slot selector, arg_4 = value.
; Effect: calls sub_117D0(this = selected slot, arg_4), then stores arg_4 at
; [parent+10h] regardless of which slot was chosen. Callee cleans 8 bytes.
sub_11170 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_0], 0
; The push/mov instructions below leave the flags untouched, so the jz further
; down still acts on the comparison above.
push    esi
push    edi
mov     edi, [esp+8+arg_4]
mov     esi, ecx
push    edi
jz      short loc_11190
mov     ecx, [esi+4]
call    sub_117D0
mov     [esi+10h], edi
pop     edi
pop     esi
retn    8

loc_11190:
mov     ecx, [esi]
call    sub_117D0
mov     [esi+10h], edi
pop     edi
pop     esi
retn    8
sub_11170 endp

align 10h



; sub_111A0 -- slot selector whose body continues in the chunk at loc_11B20.
; In:  ecx = parent object, arg_4 = slot selector (0 -> [ecx+0], non-zero -> [ecx+4]);
;      arg_0 is left untouched for the chunk to interpret.
; The stores back into arg_4 write the value it already holds (non-zero stays
; as is, zero is rewritten as 0). Control leaves by jmp, so the chunk's
; `retn 8` returns directly to this routine's caller.
sub_111A0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

; FUNCTION CHUNK AT .text:00011B20 SIZE 00000044 BYTES

mov     eax, [esp+arg_4]
test    eax, eax
jz      short loc_111B4
mov     [esp+arg_4], eax
mov     ecx, [ecx+4]
jmp     loc_11B20

loc_111B4:
mov     [esp+arg_4], 0
mov     ecx, [ecx]
jmp     loc_11B20
sub_111A0 endp

align 10h



; sub_111D0 -- forwards to the chunk at loc_11B70 with this = slot 0 ([ecx+0]).
; The four stack arguments declared by IDA are consumed by that chunk, which
; returns with `retn 10h`. The slot pointer is not tested for NULL.
sub_111D0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h

; FUNCTION CHUNK AT .text:00011B70 SIZE 000000D7 BYTES

mov     ecx, [ecx]
jmp     loc_11B70
sub_111D0 endp

align 10h



; sub_111E0 -- decodes an 8-way selector into (slot, sub-index) and continues
; in the chunk at loc_11C50.
; In:  ecx = parent object, arg_0 = selector 0..7, four further stack
;      arguments passed through untouched (the routine returns with retn 14h).
; Mapping written back into arg_0 before the jump:
;   0 -> slot 0, 0    1 -> slot 0, 1    2 -> slot 1, 0    3 -> slot 1, 1
;   4 -> slot 0, 2    5 -> slot 0, 3    6 -> slot 1, 2    7 -> slot 1, 3
; The selector is range-checked with an unsigned compare (`ja`) before it
; indexes the jump table, so negative and oversized values take the default
; path, which just returns with eax still holding the selector.
; The chosen slot pointer itself is not tested for NULL.
sub_111E0 proc near

var_24= dword ptr -24h
var_18= dword ptr -18h
var_C= dword ptr -0Ch
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_10= dword ptr  14h

; FUNCTION CHUNK AT .text:00011C50 SIZE 0000005F BYTES
; FUNCTION CHUNK AT .text:00016710 SIZE 0000023A BYTES

mov     eax, [esp+arg_0]
cmp     eax, 7          ; switch 8 cases
ja      locret_11270    ; default
jmp     ds:off_11274[eax*4] ; switch jump

loc_111F4:              ; case 0x0
mov     ecx, [ecx]
mov     [esp+arg_0], 0
jmp     loc_11C50

loc_11203:              ; case 0x1
mov     ecx, [ecx]
mov     [esp+arg_0], 1
jmp     loc_11C50

loc_11212:              ; case 0x2
mov     ecx, [ecx+4]
mov     [esp+arg_0], 0
jmp     loc_11C50

loc_11222:              ; case 0x3
mov     ecx, [ecx+4]
mov     [esp+arg_0], 1
jmp     loc_11C50

loc_11232:              ; case 0x4
mov     ecx, [ecx]
mov     [esp+arg_0], 2
jmp     loc_11C50

loc_11241:              ; case 0x5
mov     ecx, [ecx]
mov     [esp+arg_0], 3
jmp     loc_11C50

loc_11250:              ; case 0x6
mov     ecx, [ecx+4]
mov     [esp+arg_0], 2
jmp     loc_11C50

loc_11260:              ; case 0x7
mov     ecx, [ecx+4]
mov     [esp+arg_0], 3
jmp     loc_11C50

locret_11270:           ; default
retn    14h
sub_111E0 endp

align 4
; Eight-entry table indexed by the range-checked selector above.
off_11274 dd offset loc_111F4 ; jump table for switch statement
dd offset loc_11203
dd offset loc_11212
dd offset loc_11222
dd offset loc_11232
dd offset loc_11241
dd offset loc_11250
dd offset loc_11260
align 10h



; sub_112A0 -- forwards to loc_11CC0 with this = slot 0 ([ecx+0]); that chunk
; goes on to load the sub-object at +508h. No NULL test on the slot pointer.
sub_112A0 proc near

arg_0= dword ptr  4

; FUNCTION CHUNK AT .text:00011CC0 SIZE 0000000B BYTES
; FUNCTION CHUNK AT .text:00016950 SIZE 0000003A BYTES

mov     ecx, [ecx]
jmp     loc_11CC0
sub_112A0 endp

align 10h



; sub_112B0 -- forwards to loc_11CD0 with this = slot 0 ([ecx+0]); that chunk
; goes on to load the sub-object at +50Ch. No NULL test on the slot pointer.
sub_112B0 proc near

; FUNCTION CHUNK AT .text:00011CD0 SIZE 0000000B BYTES

mov     ecx, [ecx]
jmp     loc_11CD0
sub_112B0 endp

align 10h



; sub_112C0 -- slot 1 counterpart of sub_112A0: this = [ecx+4], then loc_11CC0.
sub_112C0 proc near
mov     ecx, [ecx+4]
jmp     loc_11CC0
sub_112C0 endp

align 10h



; sub_112D0 -- slot 1 counterpart of sub_112B0: this = [ecx+4], then loc_11CD0.
sub_112D0 proc near
mov     ecx, [ecx+4]
jmp     loc_11CD0
sub_112D0 endp

align 10h



; sub_112E0 -- tail-calls sub_11CE0 with this = slot 0 ([ecx+0]); the single
; stack argument is passed through untouched.
sub_112E0 proc near
mov     ecx, [ecx]
jmp     sub_11CE0
sub_112E0 endp

align 10h



; sub_112F0 -- forwards to the chunk at loc_11D70 with this = slot 0 ([ecx+0]);
; arg_0 is interpreted there as a 3-way mode selector.
sub_112F0 proc near

arg_0= dword ptr  4

; FUNCTION CHUNK AT .text:00011D70 SIZE 0000004B BYTES

mov     ecx, [ecx]
jmp     loc_11D70
sub_112F0 endp

align 10h



; sub_11300 -- slot 1 counterpart of sub_112E0: this = [ecx+4], then sub_11CE0.
sub_11300 proc near
mov     ecx, [ecx+4]
jmp     sub_11CE0
sub_11300 endp

align 10h



; sub_11310 -- slot 1 counterpart of sub_112F0: this = [ecx+4], then loc_11D70.
sub_11310 proc near
mov     ecx, [ecx+4]
jmp     loc_11D70
sub_11310 endp

align 10h



; sub_11320 -- forwards to loc_11DC0 with this = slot 0 ([ecx+0]); that chunk
; loads the sub-object at +508h and continues at loc_16990 (not in this excerpt).
sub_11320 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

; FUNCTION CHUNK AT .text:00011DC0 SIZE 0000000B BYTES
; FUNCTION CHUNK AT .text:00016990 SIZE 00000041 BYTES

mov     ecx, [ecx]
jmp     loc_11DC0
sub_11320 endp

align 10h



; sub_11330 -- forwards to loc_11DD0 with this = slot 0 ([ecx+0]); that chunk
; loads the sub-object at +50Ch and continues at loc_16990.
sub_11330 proc near

; FUNCTION CHUNK AT .text:00011DD0 SIZE 0000000B BYTES

mov     ecx, [ecx]
jmp     loc_11DD0
sub_11330 endp

align 10h



; sub_11340 -- slot 1 counterpart of sub_11320: this = [ecx+4], then loc_11DC0.
sub_11340 proc near
mov     ecx, [ecx+4]
jmp     loc_11DC0
sub_11340 endp

align 10h



; sub_11350 -- slot 1 counterpart of sub_11330: this = [ecx+4], then loc_11DD0.
sub_11350 proc near
mov     ecx, [ecx+4]
jmp     loc_11DD0
sub_11350 endp

align 10h



; sub_11360 -- slot selector in front of sub_11DE0.
; In:  ecx = parent object, arg_0 = slot selector (0 -> [ecx+0], non-zero -> [ecx+4]),
;      arg_4 / arg_8 / arg_C forwarded in the same order as sub_11DE0's three
;      stack arguments.
; Callee cleans 10h bytes. sub_11DE0 range-checks its first argument itself;
; the slot pointer is not tested for NULL here.
sub_11360 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h

cmp     [esp+arg_0], 0
jz      short loc_11381
mov     eax, [esp+arg_C]
mov     edx, [esp+arg_8]
mov     ecx, [ecx+4]
push    eax
mov     eax, [esp+4+arg_4]      ; +4 compensates for the push just above
push    edx
push    eax
call    sub_11DE0
retn    10h

loc_11381:
mov     edx, [esp+arg_C]
mov     eax, [esp+arg_8]
mov     ecx, [ecx]
push    edx
mov     edx, [esp+4+arg_4]      ; +4 compensates for the push just above
push    eax
push    edx
call    sub_11DE0
retn    10h
sub_11360 endp

align 10h



; sub_113A0 -- slot selector in front of sub_11E10.
; In:  ecx = parent object, arg_0 = slot selector, arg_4 / arg_8 forwarded as
;      sub_11E10's two stack arguments.
; Out: eax = result of sub_11E10. Callee cleans 0Ch bytes.
sub_113A0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

cmp     [esp+arg_0], 0
; mov/push do not modify the flags; the jz below still tests arg_0.
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
push    eax
push    edx
jz      short loc_113BC
mov     ecx, [ecx+4]
call    sub_11E10
retn    0Ch

loc_113BC:
mov     ecx, [ecx]
call    sub_11E10
retn    0Ch
sub_113A0 endp

align 10h



; sub_113D0 -- forwards to the chunk at loc_11E40 with this = slot 0 ([ecx+0]);
; arg_0 is treated there as a boolean that drives bit 7 of a byte value.
sub_113D0 proc near

arg_0= dword ptr  4

; FUNCTION CHUNK AT .text:00011E40 SIZE 00000026 BYTES

mov     ecx, [ecx]
jmp     loc_11E40
sub_113D0 endp

align 10h



; sub_113E0 -- hands a pair of values to sub_11E70 for both slots.
; In:  ecx = parent object; first stack argument (IDA's arg_0) and second
;      stack argument (arg_4). IDA's offsets already include the two pushes
;      made in the prologue.
; Effect: does nothing when the first argument is 0. Otherwise calls
;      sub_11E70(this = slot 0, a, b) and sub_11E70(this = slot 1, a+600h, b+600h).
; Callee cleans 8 bytes.
; NOTE(review): the fixed 600h stride implies the caller's region must cover
; at least two such windows (plus sub_11E70's round-up); no length is passed
; or checked here -- presumably the two values are the virtual and device
; addresses of one buffer, confirm against the caller.
sub_113E0 proc near

arg_0= dword ptr  0Ch
arg_4= dword ptr  10h

push    esi
push    edi
mov     edi, [esp+arg_0]
test    edi, edi
mov     esi, ecx
jz      short loc_11411
mov     ecx, [esi]
push    ebx
mov     ebx, [esp+4+arg_4]
push    ebx
push    edi
call    sub_11E70
mov     ecx, [esi+4]
add     ebx, 600h
push    ebx
add     edi, 600h
push    edi
call    sub_11E70
pop     ebx

loc_11411:
pop     edi
pop     esi
retn    8
sub_113E0 endp

align 10h



; sub_11420 -- splits a flat index across the two slots and continues at
; loc_12EB0 (outside this excerpt).
; In:  ecx = parent object, arg_4 = index; the other stack arguments are
;      passed through untouched.
; Index < 4  -> this = slot 0, arg_4 unchanged.
; Index >= 4 -> this = slot 1, arg_4 = index - 4 (add 0FFFFFFFCh).
; NOTE(review): `jge` is a signed comparison, so a negative index takes the
; "< 4" path and reaches loc_12EB0 unchanged; an index >= 8 is passed on as
; index - 4. Any upper or lower bound has to be enforced in loc_12EB0 or by
; the caller -- it is not enforced here.
sub_11420 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h

; FUNCTION CHUNK AT .text:00012EB0 SIZE 000000A8 BYTES

mov     eax, [esp+arg_4]
cmp     eax, 4
jge     short loc_11434
mov     ecx, [ecx]
mov     [esp+arg_4], eax
jmp     loc_12EB0

loc_11434:
mov     ecx, [ecx+4]
add     eax, 0FFFFFFFCh
mov     [esp+arg_4], eax
jmp     loc_12EB0
sub_11420 endp

align 10h



; sub_11450 -- calls sub_12F60 with the same stack argument on slot 1 first,
; then on slot 0. IDA's arg_0 offset (0Ch) already accounts for the two
; pushes in the prologue. Callee cleans 4 bytes; eax is whatever the second
; call returns. Neither slot pointer is tested for NULL.
sub_11450 proc near

arg_0= dword ptr  0Ch

push    esi
push    edi
mov     edi, [esp+arg_0]
mov     esi, ecx
mov     ecx, [esi+4]
push    edi
call    sub_12F60
mov     ecx, [esi]
push    edi
call    sub_12F60
pop     edi
pop     esi
retn    4
sub_11450 endp

align 10h



; sub_11470 -- decodes an 8-way selector in arg_4 and continues at loc_12480
; (outside this excerpt).
; In:  ecx = parent object, arg_0 passed through, arg_4 = selector 0..7.
; Mapping (pairs share a table entry):
;   0,1 -> slot 0, arg_4 = 0      2,3 -> slot 0, arg_4 = 2
;   4,5 -> slot 1, arg_4 = 0      6,7 -> slot 1, arg_4 = 2
; The selector is range-checked with an unsigned compare before the table
; lookup; out-of-range values return 0 in eax.
sub_11470 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

; FUNCTION CHUNK AT .text:00012480 SIZE 00000051 BYTES

mov     edx, [esp+arg_4]
xor     eax, eax                ; eax = 0: default return value and the constant stored for cases 0/1 and 4/5
cmp     edx, 7          ; switch 8 cases
ja      short locret_114B8 ; default
jmp     ds:off_114BC[edx*4] ; switch jump

loc_11482:              ; case 0x0
mov     [esp+arg_4], eax
mov     ecx, [ecx]
jmp     loc_12480

loc_1148D:              ; case 0x2
mov     [esp+arg_4], 2
mov     ecx, [ecx]
jmp     loc_12480

loc_1149C:              ; case 0x4
mov     [esp+arg_4], eax
mov     ecx, [ecx+4]
jmp     loc_12480

loc_114A8:              ; case 0x6
mov     [esp+arg_4], 2
mov     ecx, [ecx+4]
jmp     loc_12480

locret_114B8:           ; default
retn    8
sub_11470 endp

align 4
; Eight entries, two per target, so odd selectors behave like the even one below them.
off_114BC dd offset loc_11482 ; jump table for switch statement
dd offset loc_11482
dd offset loc_1148D
dd offset loc_1148D
dd offset loc_1149C
dd offset loc_1149C
dd offset loc_114A8
dd offset loc_114A8
align 10h



; sub_114E0 -- calls sub_124E0 on the slot selected by index.
; In:  ecx = parent object, arg_0 = slot index.
; Out: eax = 0 when the slot pointer is NULL, otherwise the result of sub_124E0.
; NOTE(review): arg_0 indexes the slot array ([ecx+arg_0*4]) with no range
; check. sub_11000 populates only [ecx+0] and [ecx+4], so an index of 2 or
; more (or a negative one) loads an unrelated dword and, if it is non-zero,
; uses it as an object pointer. Confirm every caller constrains the index to 0..1.
sub_114E0 proc near

arg_0= dword ptr  4

mov     edx, [esp+arg_0]
mov     ecx, [ecx+edx*4]
xor     eax, eax
test    ecx, ecx
jz      short locret_114F2
call    sub_124E0

locret_114F2:
retn    4
sub_114E0 endp

align 10h



; sub_11500 -- calls sub_12820 with the same stack argument on slot 0, then
; on slot 1. IDA's arg_0 offset (0Ch) already accounts for the two prologue
; pushes. Callee cleans 4 bytes. Neither slot pointer is tested for NULL.
sub_11500 proc near

arg_0= dword ptr  0Ch

push    esi
push    edi
mov     edi, [esp+arg_0]
mov     esi, ecx
mov     ecx, [esi]
push    edi
call    sub_12820
mov     ecx, [esi+4]
push    edi
call    sub_12820
pop     edi
pop     esi
retn    4
sub_11500 endp

align 10h



; sub_11520 -- calls sub_16150 with the same stack argument on slot 0, then
; on slot 1. Same shape as sub_11500; callee cleans 4 bytes. Neither slot
; pointer is tested for NULL.
sub_11520 proc near

arg_0= dword ptr  0Ch

push    esi
push    edi
mov     edi, [esp+arg_0]
mov     esi, ecx
mov     ecx, [esi]
push    edi
call    sub_16150
mov     ecx, [esi+4]
push    edi
call    sub_16150
pop     edi
pop     esi
retn    4
sub_11520 endp

align 10h



; sub_11540 -- teardown counterpart of sub_11000.
; In:  ecx = parent object. No stack arguments.
; For each of the two slots: if the pointer is non-NULL, call
; sub_12A90(this = slot), release the block with ExFreePool and overwrite the
; slot with 0. Clearing the slot after the free means a second call, or a
; later NULL-checking reader such as sub_114E0, does not touch the freed
; block; routines that skip the NULL test would fault on 0 instead.
sub_11540 proc near
push    ebx
push    ebp
mov     ebp, ds:ExFreePool
push    esi
push    edi
mov     ebx, ecx
xor     edi, edi                ; edi = slot index
mov     edi, edi                ; two-byte no-op (padding before the loop head)

loc_11550:
mov     esi, [ebx+edi*4]
test    esi, esi
jz      short loc_11568         ; slot never allocated or already released
mov     ecx, esi
call    sub_12A90
push    esi
call    ebp ; ExFreePool
mov     dword ptr [ebx+edi*4], 0

loc_11568:
add     edi, 1
cmp     edi, 2
jl      short loc_11550
pop     edi
pop     esi
pop     ebp
pop     ebx
retn
sub_11540 endp

align 10h



; sub_11580 -- byte write helper for a slot object.
; In:  ecx   = slot object: [ecx+0] is used as a base address and [ecx+4] as
;              an "active" flag (presumably a mapped device register window --
;              TODO confirm where [ecx+0] is set)
;      arg_0 = byte offset from the base, arg_4 = byte value
; Effect: when the flag is non-zero, stores the byte at base+offset and then
;      calls KeStallExecutionProcessor(1). Does nothing when the flag is 0.
; NOTE(review): the offset is added to the base with no bound, so the write
; lands wherever the caller's offset points. Confirm all callers pass fixed,
; in-range offsets and that none is derived from request data.
sub_11580 proc near

arg_0= dword ptr  4
arg_4= byte ptr  8

cmp     dword ptr [ecx+4], 0
jz      short locret_1159B
mov     eax, [ecx]
mov     cl, [esp+arg_4]
mov     edx, [esp+arg_0]
push    1
mov     [edx+eax], cl
call    ds:KeStallExecutionProcessor

locret_1159B:
retn    8
sub_11580 endp

align 10h



; sub_115A0 -- 16-bit counterpart of sub_11580.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag),
;      arg_0 = byte offset from the base, arg_4 = word value.
; Effect: when the flag is non-zero, stores the word at base+offset and then
;      calls KeStallExecutionProcessor(1).
; NOTE(review): as with the byte variant, the offset is not bounded here.
sub_115A0 proc near

arg_0= dword ptr  4
arg_4= word ptr  8

cmp     dword ptr [ecx+4], 0
jz      short locret_115BD
mov     eax, [ecx]
mov     cx, [esp+arg_4]
mov     edx, [esp+arg_0]
push    1
mov     [edx+eax], cx
call    ds:KeStallExecutionProcessor

locret_115BD:
retn    8
sub_115A0 endp




; sub_115C0 -- byte read helper for a slot object.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); one stack
;      argument = byte offset (IDA's arg_0 offset includes the pushed esi).
; Out: al = 0 when the flag is 0; otherwise the byte at base+offset, read
;      after a KeStallExecutionProcessor(1) delay. The upper bytes of eax are
;      not cleared on the read path.
; NOTE(review): the offset is not bounded here, so the read address is
; entirely caller-controlled.
sub_115C0 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_115CF
xor     al, al
pop     esi
retn    4

loc_115CF:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     ecx, [esp+arg_0]
mov     al, [ecx+eax]
pop     esi
retn    4
sub_115C0 endp

align 10h



; sub_115F0 -- busy-wait until a caller-supplied interval has elapsed.
; In:  two stack dwords forming a 64-bit duration: arg_0 is the low half and
;      the dword read via [esp+28h] after the prologue is the high half.
;      ecx is not read. Callee cleans 8 bytes.
; Method: record KeQuerySystemTime once, then loop: KeStallExecutionProcessor(32h),
;      re-read the time, compute now - start with sub/sbb, and leave once the
;      difference is >= the duration (signed compare on the high dword,
;      unsigned on the low dword).
; NOTE(review): the only bound on the spin is the argument itself, so a large
; value keeps the processor in this loop for that long. Confirm callers pass
; short, fixed durations.
sub_115F0 proc near

var_18= dword ptr -18h
var_14= dword ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
arg_0= dword ptr  4

sub     esp, 10h
push    ebx
mov     ebx, ds:KeQuerySystemTime
push    ebp
push    esi
push    edi
lea     eax, [esp+20h+var_8]    ; var_8 and the dword above it hold the 64-bit start time
push    eax
call    ebx ; KeQuerySystemTime
mov     esi, [esp+28h]          ; esi = high dword of the duration (second stack argument)
mov     ebp, [esp+20h+arg_0]    ; ebp = low dword of the duration
mov     edi, ds:KeStallExecutionProcessor

loc_11612:
push    32h
call    edi ; KeStallExecutionProcessor
lea     ecx, [esp+20h+var_10]   ; var_10 / var_C receive the current time
push    ecx
call    ebx ; KeQuerySystemTime
; 64-bit subtraction: ecx = low(now - start), eax = high(now - start).
mov     ecx, [esp+20h+var_10]
sub     ecx, [esp+20h+var_8]
mov     eax, [esp+20h+var_C]
sbb     eax, [esp+1Ch]          ; [esp+1Ch] is the high dword of the start time
cmp     eax, esi
jl      short loc_11612
jg      short loc_11637
cmp     ecx, ebp
jb      short loc_11612

loc_11637:
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 10h
retn    8
sub_115F0 endp

align 10h



; sub_11650 -- programs the slot's control register at base+404h.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); one stack
;      argument (mode). Out: eax = 0. Callee cleans 4 bytes.
; Sequence (each write is skipped when the active flag is 0 and is followed
; by KeStallExecutionProcessor(1)):
;   1. dword  base+404h <- (50000000h, or 52000000h when mode == 1,
;                           masked with 0FF37FFFFh) | 78000h
;   2. word   base+40Ch <- 301h
;   3. byte   base+404h <- 0Fh
;   4. value = sub_163D0(this); bit 9 (200h) cleared when mode == 0, set
;      otherwise; dword base+404h <- value
;   5. [this+51Ch] <- 0
; The flag is re-tested before every write rather than once.
; The register meanings are not visible in this listing.
sub_11650 proc near

arg_0= dword ptr  8

push    ebx
mov     ebx, [esp+arg_0]
cmp     ebx, 1
push    esi
push    edi
mov     esi, ecx
mov     eax, 50000000h
jnz     short loc_11668         ; still acting on `cmp ebx, 1`; push/mov leave flags alone
mov     eax, 52000000h

loc_11668:
cmp     dword ptr [esi+4], 0
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_116B2
mov     ecx, [esi]
and     eax, 0FF37FFFFh
or      eax, 78000h
push    1
mov     [ecx+404h], eax
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_116B2
mov     edx, [esi]
push    1
mov     word ptr [edx+40Ch], 301h
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_116B2
mov     eax, [esi]
push    1
mov     byte ptr [eax+404h], 0Fh
call    edi ; KeStallExecutionProcessor

loc_116B2:
mov     ecx, esi
call    sub_163D0
test    ebx, ebx
jnz     short loc_116C4
and     eax, 0FFFFFDFFh
jmp     short loc_116C9

loc_116C4:
or      eax, 200h

loc_116C9:
cmp     dword ptr [esi+4], 0
jz      short loc_116DB
mov     ecx, [esi]
push    1
mov     [ecx+404h], eax
call    edi ; KeStallExecutionProcessor

loc_116DB:
xor     eax, eax
pop     edi
mov     [esi+51Ch], eax
pop     esi
pop     ebx
retn    4
sub_11650 endp

align 10h



; sub_116F0 -- waits for bit 7 of the status byte at base+404h to clear, then
; hands its stack argument to sub_163A0.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); one stack argument.
; Callee cleans 4 bytes. eax on return is not a defined status: it is
; sub_163A0's result on success and the last elapsed-time value on time-out.
; Timing: PcGetTimeInterval(0) captures a start time; each iteration calls
; PcGetTimeInterval(start) and gives up once the elapsed value reaches
; 7A120h (500000; PcGetTimeInterval reports 100 ns units, i.e. about 50 ms)
; or its high dword is non-zero.
; When the active flag is 0 the status byte is taken as 0 (not busy), so
; sub_163A0 is called immediately.
; NOTE(review): the time-out path returns without telling the caller that
; nothing was sent.
sub_116F0 proc near

arg_0= dword ptr  10h

push    ebx
push    ebp
push    esi
mov     esi, ds:PcGetTimeInterval
push    edi
push    0
push    0
mov     ebp, ecx
call    esi ; PcGetTimeInterval
mov     ebx, edx                ; ebx:edi = 64-bit start time
mov     edi, eax
push    ebx
push    edi
call    esi ; PcGetTimeInterval
test    edx, edx
ja      short loc_11758
jb      short loc_11717         ; never taken: `test` always clears CF
cmp     eax, 7A120h
jnb     short loc_11758

loc_11717:
cmp     dword ptr [ebp+4], 0
jnz     short loc_11721
xor     al, al
jmp     short loc_11732

loc_11721:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [ebp+0]
mov     al, [eax+404h]

loc_11732:
test    al, al
jns     short loc_1174C         ; bit 7 clear -> proceed
push    ebx
push    edi
call    esi ; PcGetTimeInterval
test    edx, edx
ja      short loc_11758
cmp     eax, 7A120h
jb      short loc_11717
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    4

loc_1174C:
mov     ecx, [esp+4+arg_0]
push    ecx
mov     ecx, ebp
call    sub_163A0

loc_11758:
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    4
sub_116F0 endp

align 10h



; sub_11760 -- conditional one-byte read.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); one stack
;      argument = pointer to the output byte.
; Out: eax = 0 and nothing stored when bit 6 (40h) of the status byte at
;      base+404h is set; otherwise eax = 1 and *pointer = low byte returned
;      by sub_163F0(this). With the active flag at 0 the status byte is
;      taken as 0, so the read path runs.
; NOTE(review): the output pointer is written through without any validation;
; it must be a trusted kernel address supplied by the driver itself.
sub_11760 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1176D
xor     al, al
jmp     short loc_1177D

loc_1176D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+404h]

loc_1177D:
test    al, 40h
jz      short loc_11787
xor     eax, eax
pop     esi
retn    4

loc_11787:
mov     ecx, esi
call    sub_163F0
mov     ecx, [esp+arg_0]
mov     [ecx], al
mov     eax, 1
pop     esi
retn    4
sub_11760 endp

align 10h



; sub_117A0 -- returns bit 7 of the status byte at base+404h as 0 or 1.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag). No stack arguments.
; Out: eax = 0 when the active flag is 0; otherwise (status byte >> 7) after
;      a KeStallExecutionProcessor(1) delay.
sub_117A0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_117B3
; Inactive path: the same zero-extend/shift sequence applied to a zero byte.
xor     al, al
movzx   eax, al
shr     eax, 7
pop     esi
retn

loc_117B3:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+404h]
movzx   eax, al
shr     eax, 7
pop     esi
retn
sub_117A0 endp

align 10h



; sub_117D0 -- sets or clears bit 24 of the control value at base+404h.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); one stack
;      argument treated as a boolean.
; Effect: value = sub_163D0(this) with bit 24 cleared, then bit 24 set when
;      the argument is non-zero; written to base+404h (followed by
;      KeStallExecutionProcessor(1)) when the active flag is set. The raw
;      argument is then stored at [this+51Ch] in either case.
; Callee cleans 4 bytes.
sub_117D0 proc near

arg_0= dword ptr  0Ch

push    esi
push    edi
mov     esi, ecx
call    sub_163D0
mov     edi, [esp+arg_0]
xor     ecx, ecx
and     eax, 0FEFFFFFFh
test    edi, edi
setnz   cl
and     ecx, 1
shl     ecx, 18h                ; move the boolean into bit 24
or      eax, ecx
cmp     dword ptr [esi+4], 0
jz      short loc_11807
mov     edx, [esi]
push    1
mov     [edx+404h], eax
call    ds:KeStallExecutionProcessor

loc_11807:
mov     [esi+51Ch], edi
pop     edi
pop     esi
retn    4
sub_117D0 endp

align 10h



; sub_11820 -- waits for the register block at offset 460h to become idle and
; then issues a four-write command sequence to it.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag),
;      arg_0 = 16-bit value, arg_4 = byte value. Callee cleans 8 bytes.
; Wait: polls sub_16500(this, 460h) until bit 7 of its result is clear,
;      stalling 64h microseconds per iteration, for at most 0BEBC200h
;      (200,000,000) PcGetTimeInterval units; those are 100 ns units, so
;      roughly 20 seconds.
; On time-out: calls sub_16500 once more and returns; no command is issued.
; On idle (writes skipped when the active flag is 0, each followed by a
; 1 us stall):
;      dword base+460h <- (arg_0 << 8) | 10000A0h
;      dword base+464h <- 0E0000010h
;      byte  base+470h <- arg_4
;      byte  base+464h <- 90h
;      then one final 64h us stall.
; NOTE(review): the routine has no status return, so callers cannot tell the
; time-out path from success, and the wait is a busy loop of up to ~20 s.
; The IRQL this runs at is not visible here -- confirm it is not reachable at
; elevated IRQL.
sub_11820 proc near

var_4= dword ptr -4
arg_0= word ptr  4
arg_4= byte ptr  8

sub     esp, 8
push    ebx
mov     ebx, ds:PcGetTimeInterval
push    ebp
push    esi
push    edi
push    0
push    0
mov     esi, ecx
call    ebx ; PcGetTimeInterval
mov     edi, ds:KeStallExecutionProcessor
mov     ebp, eax                ; ebp = low dword of the start time
mov     [esp+18h+var_4], edx    ; var_4 = high dword of the start time

loc_11841:
push    460h
mov     ecx, esi
call    sub_16500
test    al, al
jns     short loc_1187E         ; bit 7 clear -> idle, issue the command
push    64h
call    edi ; KeStallExecutionProcessor
mov     eax, [esp+18h+var_4]
push    eax
push    ebp
call    ebx ; PcGetTimeInterval
test    edx, edx
ja      short loc_11868
cmp     eax, 0BEBC200h
jb      short loc_11841

loc_11868:
push    460h
mov     ecx, esi
call    sub_16500
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    8

loc_1187E:
cmp     dword ptr [esi+4], 0
jz      short loc_118DD
movzx   ecx, [esp+18h+arg_0]
mov     edx, [esi]
shl     ecx, 8
or      ecx, 10000A0h
push    1
mov     [edx+460h], ecx
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_118DD
mov     eax, [esi]
push    1
mov     dword ptr [eax+464h], 0E0000010h
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_118DD
mov     ecx, [esi]
mov     dl, [esp+18h+arg_4]
push    1
mov     [ecx+470h], dl
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_118DD
mov     eax, [esi]
push    1
mov     byte ptr [eax+464h], 90h
call    edi ; KeStallExecutionProcessor

loc_118DD:
push    64h
call    edi ; KeStallExecutionProcessor
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    8
sub_11820 endp

align 10h



; sub_118F0 -- read-style transaction on a register block selected by offset.
; In:  ecx   = slot object ([ecx+0] base, [ecx+4] active flag)
;      arg 1 = register-block offset (IDA types it as bytes arg_0/arg_1, but
;              the full dword is loaded into edi)
;      arg 2 = byte passed to sub_16410 (read via [esp+20h])
;      arg 3 = 16-bit value; low byte goes to sub_16440, high byte to
;              sub_16480 (read via [esp+24h] and [esp+25h])
;      arg 4 = arg_C, pointer to the output byte
; Out: eax = 0 on completion, 0C00000B5h (STATUS_IO_TIMEOUT) when either wait
;      expires. Callee cleans 10h bytes.
; Flow: *arg_C is preset to 0FFh; wait up to 1312D00h (20,000,000 units of
;      100 ns, about 2 s) for bit 7 of sub_16500(this, offset) to clear;
;      program the block through sub_16410/16440/16480/164C0; write
;      0E0000450h and then byte 0D0h at base+offset+4; wait again with the
;      same limit; read a 16-bit result with sub_16530 and store its low byte
;      through arg_C. When bit 15 of the result is set, 0E0000450h is written
;      to base+offset+4 once more.
; NOTE(review): the offset argument is added to the base without any bound
; ([eax+edi+4]) and the output pointer is written unconditionally at entry.
; Both must come from trusted driver code; also note that the routine returns
; 0 even when bit 15 of the result was set -- presumably an error/NAK
; indication, which is not shown here.
sub_118F0 proc near

var_18= dword ptr -18h
var_14= dword ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
arg_0= byte ptr  4
arg_1= byte ptr  5
arg_C= dword ptr  10h

sub     esp, 8
mov     eax, [esp+8+arg_C]
push    ebx
mov     ebx, ds:PcGetTimeInterval
push    ebp
push    esi
push    edi
push    0
push    0
mov     esi, ecx
mov     byte ptr [eax], 0FFh    ; preset the caller's output byte before any wait
call    ebx ; PcGetTimeInterval
mov     edi, dword ptr [esp+18h+arg_0]
mov     ebp, ds:KeStallExecutionProcessor
mov     [esp+18h+var_8], eax    ; var_8 / var_4 = 64-bit start time
mov     [esp+18h+var_4], edx
mov     edi, edi                ; two-byte no-op (padding before the loop head)

loc_11920:
; First wait: block must report idle (bit 7 clear) before it is programmed.
push    edi
mov     ecx, esi
call    sub_16500
test    al, al
jns     short loc_11956
push    64h
call    ebp ; KeStallExecutionProcessor
mov     ecx, [esp+18h+var_4]
mov     edx, [esp+18h+var_8]
push    ecx
push    edx
call    ebx ; PcGetTimeInterval
test    edx, edx
ja      short loc_11947
cmp     eax, 1312D00h
jb      short loc_11920

loc_11947:
pop     edi
pop     esi
pop     ebp
mov     eax, 0C00000B5h
pop     ebx
add     esp, 8
retn    10h

loc_11956:
movzx   eax, byte ptr [esp+20h]
push    eax
push    edi
mov     ecx, esi
call    sub_16410
movzx   ecx, byte ptr [esp+24h]
push    ecx
push    edi
mov     ecx, esi
call    sub_16440
movzx   edx, byte ptr [esp+25h]
push    edx
push    edi
mov     ecx, esi
call    sub_16480
push    1
push    edi
mov     ecx, esi
call    sub_164C0
cmp     dword ptr [esi+4], 0
jz      short loc_119AF
mov     eax, [esi]
push    1
mov     dword ptr [eax+edi+4], 0E0000450h
call    ebp ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_119AF
mov     ecx, [esi]
push    1
mov     byte ptr [ecx+edi+4], 0D0h
call    ebp ; KeStallExecutionProcessor

loc_119AF:
; Restart the clock for the second wait.
push    0
push    0
call    ebx ; PcGetTimeInterval
mov     [esp+18h+var_8], eax
mov     [esp+18h+var_4], edx
lea     ecx, [ecx+0]            ; no-op (padding before the loop head)

loc_119C0:
; Second wait: same idle test and limit, now for completion of the command.
push    edi
mov     ecx, esi
call    sub_16500
test    al, al
jns     short loc_119F6
push    64h
call    ebp ; KeStallExecutionProcessor
mov     edx, [esp+18h+var_4]
mov     eax, [esp+18h+var_8]
push    edx
push    eax
call    ebx ; PcGetTimeInterval
test    edx, edx
ja      short loc_119E7
cmp     eax, 1312D00h
jb      short loc_119C0

loc_119E7:
pop     edi
pop     esi
pop     ebp
mov     eax, 0C00000B5h
pop     ebx
add     esp, 8
retn    10h

loc_119F6:
push    edi
mov     ecx, esi
call    sub_16530
mov     edx, [esp+18h+arg_C]
mov     [esp+20h], ax           ; reuse the second argument's slot as scratch for the 16-bit result
test    dword ptr [esp+20h], 8000h
mov     cl, al
mov     [edx], cl               ; mov does not touch flags; the jz below still tests bit 15
jz      short loc_11A29
cmp     dword ptr [esi+4], 0
jz      short loc_11A29
mov     eax, [esi]
push    1
mov     dword ptr [eax+edi+4], 0E0000450h
call    ebp ; KeStallExecutionProcessor

loc_11A29:
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
add     esp, 8
retn    10h
sub_118F0 endp

align 10h



; sub_11A40 -- write-style transaction on a register block selected by offset.
; In:  ecx   = slot object ([ecx+0] base, [ecx+4] active flag)
;      arg_0 = register-block offset
;      arg_4 = byte passed to sub_16410
;      arg_8 = 16-bit value; low byte to sub_16440, high byte to sub_16480
;      arg_C = data byte written at base+offset+10h
; Out: eax = 0 on completion, 0C00000B5h (STATUS_IO_TIMEOUT) when the idle
;      wait expires. Callee cleans 10h bytes.
; Flow: wait up to 1312D00h PcGetTimeInterval units (100 ns each, about 2 s)
;      for bit 7 of sub_16500(this, offset) to clear; program the block via
;      sub_16410/16440/16480/164C0; then, when the active flag is set, write
;      dword 0E1000010h at base+offset+4, the data byte at base+offset+10h and
;      byte 90h at base+offset+4, each followed by a 1 us stall.
; NOTE(review): unlike sub_118F0 there is no second wait and no result check,
; so 0 is returned as soon as the command has been issued. The offset is
; added to the base without any bound.
sub_11A40 proc near

var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= byte ptr  8
arg_8= word ptr  0Ch
arg_C= byte ptr  10h

sub     esp, 8
push    ebx
mov     ebx, ds:PcGetTimeInterval
push    ebp
push    esi
push    edi
push    0
push    0
mov     esi, ecx
call    ebx ; PcGetTimeInterval
mov     edi, [esp+18h+arg_0]
mov     ebp, ds:KeStallExecutionProcessor
mov     [esp+18h+var_8], eax    ; var_8 / var_4 = 64-bit start time
mov     [esp+18h+var_4], edx

loc_11A67:
push    edi
mov     ecx, esi
call    sub_16500
test    al, al
jns     short loc_11A9D
push    64h
call    ebp ; KeStallExecutionProcessor
mov     eax, [esp+18h+var_4]
mov     ecx, [esp+18h+var_8]
push    eax
push    ecx
call    ebx ; PcGetTimeInterval
test    edx, edx
ja      short loc_11A8E
cmp     eax, 1312D00h
jb      short loc_11A67

loc_11A8E:
pop     edi
pop     esi
pop     ebp
mov     eax, 0C00000B5h
pop     ebx
add     esp, 8
retn    10h

loc_11A9D:
movzx   edx, [esp+18h+arg_4]
push    edx
push    edi
mov     ecx, esi
call    sub_16410
; ebx is reused as scratch from here on; the PcGetTimeInterval pointer it held
; is no longer needed once the wait loop has been left.
mov     bx, [esp+18h+arg_8]
movzx   eax, bl
push    eax
push    edi
mov     ecx, esi
call    sub_16440
movzx   ecx, bh
push    ecx
push    edi
mov     ecx, esi
call    sub_16480
push    1
push    edi
mov     ecx, esi
call    sub_164C0
cmp     dword ptr [esi+4], 0
jz      short loc_11B0B
mov     edx, [esi]
push    1
mov     dword ptr [edx+edi+4], 0E1000010h
call    ebp ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_11B0B
mov     eax, [esi]
mov     cl, [esp+18h+arg_C]
push    1
mov     [eax+edi+10h], cl
call    ebp ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_11B0B
mov     edx, [esi]
push    1
mov     byte ptr [edx+edi+4], 90h
call    ebp ; KeStallExecutionProcessor

loc_11B0B:
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
add     esp, 8
retn    10h
sub_11A40 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_111A0
; Body of sub_111A0: reads one of two 32-bit registers of the slot object.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag), arg_0 = selector.
; Out: eax = 0 when the active flag is 0; otherwise the dword at base+184h
;      (arg_0 non-zero) or base+180h (arg_0 zero), read after a 1 us stall.
; Returns with retn 8 on behalf of sub_111A0.

loc_11B20:
cmp     [esp+arg_0], 0
push    esi
mov     esi, ecx
jz      short loc_11B4A         ; still testing arg_0; push/mov leave flags alone
cmp     dword ptr [esi+4], 0
jnz     short loc_11B36

loc_11B30:
xor     eax, eax
pop     esi
retn    8

loc_11B36:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+184h]
pop     esi
retn    8

loc_11B4A:
cmp     dword ptr [esi+4], 0
jz      short loc_11B30
push    1
call    ds:KeStallExecutionProcessor
mov     ecx, [esi]
mov     eax, [ecx+180h]
pop     esi
retn    8
; END OF FUNCTION CHUNK FOR sub_111A0
align 10h
; START OF FUNCTION CHUNK FOR sub_111D0
; Body of sub_111D0: rebuilds the configuration dword written to base+1A0h.
; In:  ecx = slot object; arg_0, arg_4, arg_8 = booleans; arg_C = rate value.
; Value: sub_16360(this) with bits 30, 1 and 0 cleared (mask 0BFFFFFFCh), then
;      bit 30 <- (arg_0 != 0), bit 1 <- arg_8 & 1, bit 0 <- arg_4 & 1,
;      and the 4-bit field in bits 12..15 chosen from arg_C:
;        3E80h (16000) -> 7     5622h (22050) -> 4     5DC0h (24000) -> 6
;        7D00h (32000) -> 3     0AC44h (44100) -> 0    0BB80h (48000) -> 2
;        17700h (96000) -> 0Ah  anything else -> 0
;      The constants match common audio sample rates -- presumably a
;      sample-rate select field; the hardware is not identified in this listing.
; An unrecognised arg_C silently selects code 0, the same as 44100.
; The value is written only when the active flag is set. Returns with retn 10h.

loc_11B70:
push    esi
mov     esi, ecx
call    sub_16360
mov     edx, [esp+4+arg_8]
xor     ecx, ecx
and     eax, 0BFFFFFFCh
cmp     [esp+4+arg_0], ecx
setnz   cl
and     edx, 1
and     ecx, 1
shl     ecx, 1Dh
or      ecx, edx
add     ecx, ecx                ; shift both flags up by one: bit 29 -> 30, bit 0 -> 1
or      eax, ecx
mov     ecx, [esp+4+arg_4]
and     ecx, 1
or      eax, ecx
mov     ecx, [esp+4+arg_C]
cmp     ecx, 7D00h
jg      short loc_11BF8
jz      short loc_11BEC
cmp     ecx, 3E80h
jz      short loc_11BE0
cmp     ecx, 5622h
jz      short loc_11BD4
cmp     ecx, 5DC0h
jnz     short loc_11C28
and     eax, 0FFFF6FFFh
or      eax, 6000h
jmp     short loc_11C2D

loc_11BD4:
and     eax, 0FFFF4FFFh
or      eax, 4000h
jmp     short loc_11C2D

loc_11BE0:
and     eax, 0FFFF7FFFh
or      eax, 7000h
jmp     short loc_11C2D

loc_11BEC:
and     eax, 0FFFF3FFFh
or      eax, 3000h
jmp     short loc_11C2D

loc_11BF8:
cmp     ecx, 0AC44h
jz      short loc_11C28
cmp     ecx, 0BB80h
jz      short loc_11C1C
; IDA rendered the immediate 17700h as a code offset; in context it is a
; plain constant in the same comparison chain.
cmp     ecx, offset loc_17700
jnz     short loc_11C28
and     eax, 0FFFFAFFFh
or      eax, 0A000h
jmp     short loc_11C2D

loc_11C1C:
and     eax, 0FFFF2FFFh
or      eax, 2000h
jmp     short loc_11C2D

loc_11C28:
and     eax, 0FFFF0FFFh

loc_11C2D:
cmp     dword ptr [esi+4], 0
jz      short loc_11C43
mov     edx, [esi]
push    1
mov     [edx+1A0h], eax
call    ds:KeStallExecutionProcessor

loc_11C43:
pop     esi
retn    10h
; END OF FUNCTION CHUNK FOR sub_111D0
align 10h
; START OF FUNCTION CHUNK FOR sub_111E0
; Second decode stage of sub_111E0.
; In:  ecx = slot object, arg_0 = sub-index 0..3 written by sub_111E0.
; Mapping before the jump to loc_16710 (outside this excerpt):
;   0 -> this = [ecx+508h], arg_0 = 0     1 -> this = [ecx+50Ch], arg_0 = 0
;   2 -> this = [ecx+508h], arg_0 = 1     3 -> this = [ecx+50Ch], arg_0 = 1
; The sub-index is range-checked (unsigned) before the table lookup; the
; pointers loaded from +508h / +50Ch are not tested for NULL.

loc_11C50:
mov     eax, [esp+arg_0]
cmp     eax, 3          ; switch 4 cases
ja      short locret_11CAC ; default
jmp     ds:off_11CB0[eax*4] ; switch jump

loc_11C60:              ; case 0x0
mov     ecx, [ecx+508h]
mov     [esp+arg_0], 0
jmp     loc_16710

loc_11C73:              ; case 0x1
mov     ecx, [ecx+50Ch]
mov     [esp+arg_0], 0
jmp     loc_16710

loc_11C86:              ; case 0x2
mov     ecx, [ecx+508h]
mov     [esp+arg_0], 1
jmp     loc_16710

loc_11C99:              ; case 0x3
mov     ecx, [ecx+50Ch]
mov     [esp+arg_0], 1
jmp     loc_16710

locret_11CAC:           ; default
retn    14h
; END OF FUNCTION CHUNK FOR sub_111E0
align 10h
; Four-entry table indexed by the range-checked sub-index above.
off_11CB0 dd offset loc_11C60 ; jump table for switch statement
dd offset loc_11C73
dd offset loc_11C86
dd offset loc_11C99
; START OF FUNCTION CHUNK FOR sub_112A0
; Shared tail (also reached from sub_112C0): replaces this with the sub-object
; pointer at [ecx+508h] and continues at loc_16950 (outside this excerpt).
; The loaded pointer is not tested for NULL here.

loc_11CC0:
mov     ecx, [ecx+508h]
jmp     loc_16950
; END OF FUNCTION CHUNK FOR sub_112A0
align 10h
; START OF FUNCTION CHUNK FOR sub_112B0
; Shared tail (also reached from sub_112D0): replaces this with the sub-object
; pointer at [ecx+50Ch] and continues at loc_16950.
; The loaded pointer is not tested for NULL here.

loc_11CD0:
mov     ecx, [ecx+50Ch]
jmp     loc_16950
; END OF FUNCTION CHUNK FOR sub_112B0
align 10h



; sub_11CE0 -- applies a 4-way mode to bit 5 of two byte values and to the
; sub-object at +508h.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); one stack
;      argument = mode. Callee cleans 4 bytes.
; Working values: bl = sub_16590(this), al = sub_162A0(this), edi = flag
;      passed to sub_169E0.
;   mode 0: edi = 0, bl bit 5 cleared, al bit 5 cleared
;   mode 1: edi = 1, bl bit 5 cleared, al bit 5 cleared
;   mode 2: edi = 1, bl bit 5 set,     al bit 5 cleared
;   mode 3: edi = 0, bl bit 5 cleared, al bit 5 set
;   other : edi = 0, bl unchanged,     al bit 5 cleared
; Then: byte base+189h <- al (when active, followed by a 1 us stall),
;      sub_165B0(this, bl), sub_169E0(this = [esi+508h], edi).
; The mode is range-checked (unsigned) before the table lookup.
sub_11CE0 proc near

arg_0= dword ptr  10h

push    ebx
push    esi
push    edi
mov     esi, ecx
xor     edi, edi
call    sub_16590
mov     ecx, esi
mov     bl, al
call    sub_162A0
mov     ecx, [esp+arg_0]
cmp     ecx, 3          ; switch 4 cases
ja      short loc_11D0A ; default
jmp     ds:off_11D5C[ecx*4] ; switch jump

loc_11D05:              ; case 0x0
xor     edi, edi

loc_11D07:
and     bl, 0DFh

loc_11D0A:              ; default
and     al, 0DFh

loc_11D0C:
cmp     dword ptr [esi+4], 0
jz      short loc_11D22
mov     ecx, [esi]
push    1
mov     [ecx+189h], al
call    ds:KeStallExecutionProcessor

loc_11D22:
movzx   edx, bl
push    edx
mov     ecx, esi
call    sub_165B0
mov     ecx, [esi+508h]
push    edi
call    sub_169E0
pop     edi
pop     esi
pop     ebx
retn    4

loc_11D3F:              ; case 0x1
mov     edi, 1
jmp     short loc_11D07

loc_11D46:              ; case 0x2
mov     edi, 1
or      bl, 20h
jmp     short loc_11D0A ; default

loc_11D50:              ; case 0x3
xor     edi, edi
and     bl, 0DFh
or      al, 20h
jmp     short loc_11D0C
sub_11CE0 endp

align 4
; Four-entry table indexed by the range-checked mode above.
off_11D5C dd offset loc_11D05 ; jump table for switch statement
dd offset loc_11D3F
dd offset loc_11D46
dd offset loc_11D50
align 10h
; START OF FUNCTION CHUNK FOR sub_112F0
; Body of sub_112F0 (also reached from sub_11310): applies a 3-way mode to
; bit 6 of a byte value and to the sub-object at +50Ch.
; In:  ecx = slot object, arg_0 = mode. Returns with retn 4.
; Working values: al = sub_16590(this), esi = flag passed to sub_169E0.
;   mode 0: esi = 0, al bit 6 cleared
;   mode 1: esi = 1, al bit 6 cleared
;   mode 2: esi = 1, al bit 6 set
;   other : esi = 0, al unchanged
; Then: sub_165B0(this, al), sub_169E0(this = [edi+50Ch], esi).
; The mode is decoded by repeated subtraction instead of a jump table, so
; there is no table index to bound.

loc_11D70:
push    esi
push    edi
mov     edi, ecx
xor     esi, esi
call    sub_16590
mov     ecx, [esp+8+arg_0]
sub     ecx, esi                ; esi is 0 here: this only sets the flags for mode == 0
jz      short loc_11D9B
sub     ecx, 1
jz      short loc_11D94
sub     ecx, 1
jnz     short loc_11D9F
lea     esi, [ecx+1]            ; ecx is 0 on this path, so esi = 1
or      al, 40h
jmp     short loc_11D9F

loc_11D94:
mov     esi, 1
jmp     short loc_11D9D

loc_11D9B:
xor     esi, esi

loc_11D9D:
and     al, 0BFh

loc_11D9F:
movzx   eax, al
push    eax
mov     ecx, edi
call    sub_165B0
mov     ecx, [edi+50Ch]
push    esi
call    sub_169E0
pop     edi
pop     esi
retn    4
; END OF FUNCTION CHUNK FOR sub_112F0
align 10h
; START OF FUNCTION CHUNK FOR sub_11320
; Shared tail (also reached from sub_11340): replaces this with the sub-object
; pointer at [ecx+508h] and continues at loc_16990 (outside this excerpt).
; The loaded pointer is not tested for NULL here.

loc_11DC0:
mov     ecx, [ecx+508h]
jmp     loc_16990
; END OF FUNCTION CHUNK FOR sub_11320
align 10h
; START OF FUNCTION CHUNK FOR sub_11330
; Shared tail (also reached from sub_11350): replaces this with the sub-object
; pointer at [ecx+50Ch] and continues at loc_16990.
; The loaded pointer is not tested for NULL here.

loc_11DD0:
mov     ecx, [ecx+50Ch]
jmp     loc_16990
; END OF FUNCTION CHUNK FOR sub_11330
align 10h



; sub_11DE0 -- bounds-checked dispatch to one of the two sub-objects at +508h.
; In:  ecx = slot object, arg_0 = 16-bit index, arg_4 = 16-bit value,
;      arg_8 = dword value.
; Effect: when index < 2, calls sub_16680(this = [ecx + index*4 + 508h],
;      arg_4 zero-extended, arg_8). Otherwise does nothing.
; Callee cleans 0Ch bytes.
; The index check is unsigned (`jnb`), so only 0 and 1 reach the indexed load;
; the loaded sub-object pointer itself is not tested for NULL.
sub_11DE0 proc near

arg_0= word ptr  4
arg_4= word ptr  8
arg_8= dword ptr  0Ch

mov     ax, [esp+arg_0]
cmp     ax, 2
jnb     short locret_11E05
mov     edx, [esp+arg_8]
push    edx
movzx   edx, [esp+4+arg_4]
movzx   eax, ax
mov     ecx, [ecx+eax*4+508h]
push    edx
call    sub_16680

locret_11E05:
retn    0Ch
sub_11DE0 endp

align 10h



; sub_11E10 -- bounds-checked query on one of the two sub-objects at +508h.
; In:  ecx = slot object, arg_0 = 16-bit index, arg_4 = 16-bit value.
; Out: eax = 0 when index >= 2; otherwise the 16-bit result of
;      sub_166C0(this = [ecx + index*4 + 508h], arg_4), zero-extended.
; Callee cleans 8 bytes.
; The index check is unsigned, so only 0 and 1 reach the indexed load; the
; loaded sub-object pointer itself is not tested for NULL.
sub_11E10 proc near

arg_0= word ptr  4
arg_4= word ptr  8

mov     dx, [esp+arg_0]
xor     eax, eax
cmp     dx, 2
jnb     short locret_11E35
movzx   eax, [esp+arg_4]
movzx   edx, dx
mov     ecx, [ecx+edx*4+508h]
push    eax
call    sub_166C0
movzx   eax, ax

locret_11E35:
retn    8
sub_11E10 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_113D0
; Body of sub_113D0: read-modify-write of bit 7 in the byte handled by
; sub_16590 / sub_165B0.
; In:  ecx = slot object, arg_0 = boolean. Returns with retn 4.
; Effect: value = (sub_16590(this) & 7Fh) | ((arg_0 != 0) << 7), then
;      sub_165B0(this, value).

loc_11E40:
push    esi
mov     esi, ecx
call    sub_16590
and     al, 7Fh
cmp     [esp+4+arg_0], 0
setnz   cl
shl     cl, 7
or      al, cl
movzx   edx, al
push    edx
mov     ecx, esi
call    sub_165B0
pop     esi
retn    4
; END OF FUNCTION CHUNK FOR sub_113D0
align 10h



; sub_11E70 -- records a 256-byte-aligned address pair in the slot object and
; programs the register at base+70h.
; In:  ecx = slot object ([ecx+0] base, [ecx+4] active flag); first stack
;      argument A (IDA's arg_0, offset includes the pushed esi), second stack
;      argument B (arg_4). Callee cleans 8 bytes.
; Effect: nothing when A is 0. Otherwise
;      aligned = (B + 100h) & 0FFFFFF00h   (next 256-byte boundary above B;
;                                           advances by a full 100h when B is
;                                           already aligned)
;      [this+558h] <- A + (aligned - B)    (A moved by the same delta)
;      [this+55Ch] <- aligned
;      and, when the active flag is set, dword base+70h <- aligned + 500h,
;      followed by a 1 us stall.
; NOTE(review): presumably A and B are the virtual and device-visible
; addresses of the same buffer -- confirm against the caller. The round-up
; consumes up to 100h bytes and the programmed address sits a further 500h
; in, yet no buffer length is passed, so this routine cannot check that the
; resulting address still lies inside the caller's allocation.
sub_11E70 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_0]
test    esi, esi
jz      short loc_11EB4
mov     edx, [esp+arg_4]
push    edi
lea     eax, [edx+100h]
and     eax, 0FFFFFF00h
mov     edi, eax
sub     edi, edx
add     edi, esi
cmp     dword ptr [ecx+4], 0
; The mov/pop instructions below do not modify flags; the jz after them still
; tests the active flag compared above.
mov     [ecx+558h], edi
mov     [ecx+55Ch], eax
pop     edi
jz      short loc_11EB4
mov     ecx, [ecx]
add     eax, 500h
push    1
mov     [ecx+70h], eax
call    ds:KeStallExecutionProcessor

loc_11EB4:
pop     esi
retn    8
sub_11E70 endp

align 10h



; sub_11EC0 — programs one of four 20h-spaced register banks chosen by arg_0.
;   ecx   = object pointer (kept in esi). [esi] is the base for every store
;           below and [esi+4] is tested for non-zero before each of them.
;   arg_0 = bank offset. Only 80h, 0A0h, 0C0h and 0E0h reach the body: the
;           range check plus the byte_120A4 table send every other value
;           straight to the exit, before any store is made.
;   arg_4 = dword stored at bank+18h (bank+1Ch is set to 0)
;   arg_8 = dword; 2*arg_8 is stored at bank+8 and (arg_8 >> 3), truncated to
;           16 bits, is passed to sub_115A0 with 190h/194h/198h/19Ch
; Callee pops 0Ch bytes; no path loads eax with an explicit result.
;
; NOTE(review): the wait loop at loc_11F60 busy-waits with
; KeStallExecutionProcessor(64h) until sub_161F0 reports bit 0 or
; PcGetTimeInterval returns 1312D00h (20,000,000) or more. PortCls documents
; that interval in 100-ns units, which would make the ceiling about two
; seconds of spinning — far beyond the short stalls the routine is meant for.
; If this can run at raised IRQL, an unresponsive device stalls the processor
; for that long; confirm the calling context. The loop also falls through on
; timeout without reporting it to the caller.
sub_11EC0 proc near

var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

sub     esp, 8
push    ebx
mov     ebx, [esp+0Ch+arg_0]
push    ebp
lea     ebp, [ebx-80h]   ; ebp = arg_0 - 80h, the index into the byte tables
cmp     ebp, 60h
push    esi
mov     esi, ecx
mov     [esp+14h+arg_0], ebp ; the arg_0 slot now holds the table index
ja      loc_12090        ; unsigned: rejects arg_0 below 80h or above 0E0h
movzx   eax, ss:byte_120A4[ebp]
jmp     ds:off_1209C[eax*4] ; case 0 = valid bank, case 1 = exit

loc_11EEA:
cmp     dword ptr [esi+4], 0
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_11F04
mov     ecx, [esi]
push    1
mov     dword ptr [ebx+ecx], 0FF000000h ; dword at bank+0
call    edi ; KeStallExecutionProcessor

loc_11F04:
movzx   edx, ss:byte_1211C[ebp]
jmp     ds:off_12108[edx*4] ; picks the 192h/196h/19Ah/19Eh argument

loc_11F12:
push    2
push    192h
jmp     short loc_11F34

loc_11F1B:
push    2
push    196h
jmp     short loc_11F34

loc_11F24:
push    2
push    19Ah
jmp     short loc_11F34

loc_11F2D:
push    2
push    19Eh

loc_11F34:
mov     ecx, esi
call    sub_11580        ; sub_11580(this, 19xh, 2) — helper not in this excerpt
cmp     dword ptr [esi+4], 0
jz      short loc_11F4B
mov     eax, [esi]
push    1
mov     byte ptr [ebx+eax], 1 ; byte at bank+0 = 1
call    edi ; KeStallExecutionProcessor

loc_11F4B:
mov     ebp, ds:PcGetTimeInterval
push    0
push    0
call    ebp ; PcGetTimeInterval
mov     [esp+18h+var_8], eax ; var_4:var_8 = start time
mov     [esp+18h+var_4], edx
nop

; Poll sub_161F0(bank) for bit 0, stalling 64h between polls, until the
; interval since the start time reaches 1312D00h.
loc_11F60:
push    ebx
mov     ecx, esi
call    sub_161F0
test    al, 1
jnz     short loc_11F87
push    64h
call    edi ; KeStallExecutionProcessor
mov     ecx, [esp+18h+var_4]
mov     edx, [esp+18h+var_8]
push    ecx
push    edx
call    ebp ; PcGetTimeInterval
test    edx, edx
ja      short loc_11F87  ; high dword non-zero: treat as timed out
cmp     eax, 1312D00h
jb      short loc_11F60

loc_11F87:
cmp     dword ptr [esi+4], 0
jz      short loc_11FBF
mov     eax, [esi]
push    1
mov     byte ptr [ebx+eax], 0 ; byte at bank+0 = 0
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_11FBF
mov     ecx, [esi]
mov     edx, [esp+18h+arg_4]
push    1
mov     [ecx+ebx+18h], edx ; bank+18h = arg_4
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_11FBF
mov     eax, [esi]
push    1
mov     dword ptr [eax+ebx+1Ch], 0 ; bank+1Ch = 0
call    edi ; KeStallExecutionProcessor

loc_11FBF:
mov     ecx, [esp+18h+arg_0] ; table index saved at entry
movzx   edx, ds:byte_1218C[ecx]
jmp     ds:off_12180[edx*4] ; 80h/0A0h -> 77h, 0C0h/0E0h -> 0BFh

loc_11FD1:
push    77h
lea     eax, [ebx+10h]
push    eax
jmp     short loc_11FE2

loc_11FD9:
push    0BFh
lea     ecx, [ebx+10h]
push    ecx

loc_11FE2:
mov     ecx, esi
call    sub_115A0        ; sub_115A0(this, bank+10h, 77h or 0BFh)

loc_11FE9:
cmp     dword ptr [esi+4], 0
jz      short loc_12011
mov     edx, [esi]
push    1
mov     word ptr [edx+ebx+0Eh], 4 ; word at bank+0Eh = 4
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_12011
mov     eax, [esi]
push    1
mov     byte ptr [eax+ebx+0Ch], 1 ; byte at bank+0Ch = 1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0

loc_12011:
mov     ebp, [esp+18h+arg_8] ; mov keeps the flags of whichever cmp led here
jz      short loc_12025
mov     edx, [esi]
lea     ecx, [ebp+ebp+0]
push    1
mov     [edx+ebx+8], ecx ; bank+8 = 2 * arg_8
call    edi ; KeStallExecutionProcessor

loc_12025:
mov     ecx, [esp+18h+arg_0]
movzx   edx, ds:byte_12204[ecx]
shr     ebp, 3
movzx   eax, bp          ; eax = (arg_8 >> 3) & 0FFFFh
jmp     ds:off_121F0[edx*4] ; picks the 190h/194h/198h/19Ch argument

loc_1203D:
push    eax
push    190h
mov     ecx, esi
call    sub_115A0
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    0Ch

loc_12054:
push    eax
push    194h
mov     ecx, esi
call    sub_115A0
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    0Ch

loc_1206B:
push    eax
push    198h
mov     ecx, esi
call    sub_115A0
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    0Ch

loc_12082:
push    eax
push    19Ch
mov     ecx, esi
call    sub_115A0

; Exit used once edi has been pushed (default case of the later tables).
loc_1208F:
pop     edi

; Exit used before edi is pushed (range check and default case of byte_120A4).
loc_12090:
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    0Ch
sub_11EC0 endp

align 4
; Switch tables of sub_11EC0. Each byte table has 61h entries indexed by
; (arg_0 - 80h); only indices 0, 20h, 40h and 60h (arg_0 = 80h, 0A0h, 0C0h,
; 0E0h) select a real case, every other index selects the table's default.
; IDA folded the entries into dd items; the bytes are little-endian, so e.g.
; 1010100h is the byte run 00 01 01 01.

; Stage 1: 0 = continue at loc_11EEA, 1 = exit without touching anything.
off_1209C dd offset loc_11EEA
dd offset loc_12090
byte_120A4 db 0
db 3 dup(1)
dd 7 dup(1010101h), 1010100h, 7 dup(1010101h)
dd 1010100h, 7 dup(1010101h), 498D00h ; last table byte is 00; 8D 49 00 follows as filler
; Stage 2: cases 0..3 pick 192h/196h/19Ah/19Eh, case 4 exits.
off_12108 dd offset loc_11F12
dd offset loc_11F1B
dd offset loc_11F24
dd offset loc_11F2D
dd offset loc_1208F
byte_1211C db 0
db 3 dup(4)
dd 7 dup(4040404h), 4040401h, 7 dup(4040404h)
dd 4040402h, 7 dup(4040404h), 498D03h ; last table byte is 03; 8D 49 00 follows as filler
; Stage 3: case 0 (80h, 0A0h) pushes 77h, case 1 (0C0h, 0E0h) pushes 0BFh,
; case 2 skips the sub_115A0 call.
off_12180 dd offset loc_11FD1
dd offset loc_11FD9
dd offset loc_11FE9
byte_1218C db 0
db 3 dup(2)
dd 7 dup(2020202h), 2020200h, 7 dup(2020202h)
dd 2020201h, 7 dup(2020202h), 498D01h ; last table byte is 01; 8D 49 00 follows as filler
; Stage 4: cases 0..3 pick 190h/194h/198h/19Ch, case 4 exits.
off_121F0 dd offset loc_1203D
dd offset loc_12054
dd offset loc_1206B
dd offset loc_12082
dd offset loc_1208F
byte_12204 db 0
db 3 dup(4)
dd 7 dup(4040404h), 4040401h, 7 dup(4040404h)
dd 4040402h, 7 dup(4040404h), 0CCCCCC03h ; last table byte is 03; 0CCh bytes are fill
dd 2 dup(0CCCCCCCCh)



; sub_12270 — per-bank shutdown-style sequence for the bank at offset arg_0.
;   ecx   = object pointer (kept in esi); [esi] is the store base and [esi+4]
;           is tested for non-zero before each store
;   arg_0 = bank offset; 80h, 0A0h, 0C0h and 0E0h are the handled values
; Steps: store 0FFh at bank+3, store 3 (or 7, see loc_122CC) at
; 192h/196h/19Ah/19Eh, then store 2 at bank+0 unless sub_161F0(bank) already
; reports bit 1. Callee pops 4 bytes.
;
; NOTE(review): the store at bank+3 is issued before arg_0 is range-checked,
; so an out-of-range arg_0 still produces a one-byte write at [esi]+arg_0+3.
; sub_11EC0 validates first. The call sites visible in this excerpt pass
; constants, so this is only a concern if another caller forwards an
; unchecked value; moving the check above the store would remove the doubt.
sub_12270 proc near

arg_0= dword ptr  8

push    ebx
mov     ebx, [esp+arg_0]
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_12290
mov     eax, [esi]
push    1
mov     byte ptr [eax+ebx+3], 0FFh ; byte at bank+3, written before validation
call    edi ; KeStallExecutionProcessor

loc_12290:
lea     eax, [ebx-80h]
cmp     eax, 60h
ja      loc_12326        ; unsigned: arg_0 outside 80h..0E0h
movzx   ecx, ds:byte_12340[eax]
jmp     ds:off_1232C[ecx*4]

loc_122AA:
cmp     dword ptr [esi+4], 0
jz      short loc_1230A
mov     edx, [esi]
mov     byte ptr [edx+192h], 3
jmp     short loc_12306

loc_122BB:
cmp     dword ptr [esi+4], 0
jz      short loc_1230A
mov     eax, [esi]
mov     byte ptr [eax+196h], 3
jmp     short loc_12306

; Bank 0C0h: the value depends on the dword at [esi+564h] (7 when it is 0,
; otherwise 3). sub_13280 fills that field from its second argument.
loc_122CC:
cmp     dword ptr [esi+564h], 0
jnz     short loc_122E6
cmp     dword ptr [esi+4], 0
jz      short loc_1230A
mov     ecx, [esi]
mov     byte ptr [ecx+19Ah], 7
jmp     short loc_12306

loc_122E6:
cmp     dword ptr [esi+4], 0
jz      short loc_1230A
mov     edx, [esi]
mov     byte ptr [edx+19Ah], 3
jmp     short loc_12306

loc_122F7:
cmp     dword ptr [esi+4], 0
jz      short loc_1230A
mov     eax, [esi]
mov     byte ptr [eax+19Eh], 3

loc_12306:
push    1
call    edi ; KeStallExecutionProcessor

loc_1230A:
push    ebx
mov     ecx, esi
call    sub_161F0
test    al, 2
jnz     short loc_12326
cmp     dword ptr [esi+4], 0
jz      short loc_12326
mov     ecx, [esi]
push    1
mov     byte ptr [ebx+ecx], 2 ; byte at bank+0 = 2
call    edi ; KeStallExecutionProcessor

loc_12326:
pop     edi
pop     esi
pop     ebx
retn    4
sub_12270 endp

; Switch table of sub_12270, indexed by (arg_0 - 80h): indices 0, 20h, 40h and
; 60h select cases 0..3, every other index selects case 4 (plain return).
; The dd items are IDA's folding of the byte table (little-endian).
off_1232C dd offset loc_122AA
dd offset loc_122BB
dd offset loc_122CC
dd offset loc_122F7
dd offset loc_12326
byte_12340 db 0
db 3 dup(4)
dd 7 dup(4040404h), 4040401h, 7 dup(4040404h)
dd 4040402h, 7 dup(4040404h), 0CCCCCC03h ; last table byte is 03; 0CCh bytes are fill
dd 3 dup(0CCCCCCCCh)



; sub_123B0 — forwards a bank offset to sub_11EC0 with the object's stored
; parameters.
;   ecx   = object pointer, passed through unchanged as sub_11EC0's ecx
;   arg_0 = bank offset; 80h/0A0h/0C0h/0E0h map to index 0..3, anything else
;           returns without calling
; Call made: sub_11EC0(arg_0, [ecx+55Ch] + index*100h, [ecx+560h]).
; Callee pops 4 bytes.
sub_123B0 proc near

arg_0= dword ptr  4

mov     edx, [esp+arg_0]
lea     eax, [edx-80h]
cmp     eax, 60h
ja      short locret_123FA ; unsigned: arg_0 outside 80h..0E0h
movzx   eax, ds:byte_12414[eax]
jmp     ds:off_12400[eax*4]

loc_123CA:
xor     eax, eax
jmp     short loc_123E1

loc_123CE:
mov     eax, 1
jmp     short loc_123E1

loc_123D5:
mov     eax, 2
jmp     short loc_123E1

loc_123DC:
mov     eax, 3

loc_123E1:
push    esi
mov     esi, [ecx+560h]
shl     eax, 8           ; index * 100h
add     eax, [ecx+55Ch]
push    esi              ; arg_8 of sub_11EC0
push    eax              ; arg_4 of sub_11EC0
push    edx              ; arg_0 of sub_11EC0
call    sub_11EC0
pop     esi

locret_123FA:
retn    4
sub_123B0 endp

align 10h
; Switch table of sub_123B0, indexed by (arg_0 - 80h): indices 0, 20h, 40h and
; 60h select cases 0..3, every other index selects case 4 (plain return).
; The dd items are IDA's folding of the byte table (little-endian).
off_12400 dd offset loc_123CA
dd offset loc_123CE
dd offset loc_123D5
dd offset loc_123DC
dd offset locret_123FA
byte_12414 db 0
db 3 dup(4)
dd 7 dup(4040404h), 4040401h, 7 dup(4040404h)
dd 4040402h, 7 dup(4040404h), 0CCCCCC03h ; last table byte is 03; 0CCh bytes are fill
dd 2 dup(0CCCCCCCCh)
; START OF FUNCTION CHUNK FOR sub_11470

; Function chunk of sub_11470: picks one of the bank offsets 80h/0A0h/0C0h/0E0h
; from two arguments and passes it to sub_16500 (not in this excerpt). ecx is
; left untouched for the callee. arg_0 and arg_4 are declared by sub_11470,
; which is outside this excerpt.
;   arg_0 != 0: arg_4 in {0,1} -> 80h,  otherwise 0A0h
;   arg_0 == 0: arg_4 in {0,1} -> 0C0h, otherwise 0E0h
; NOTE(review): the chunk at loc_12EB0 treats any non-zero second argument as
; the 0A0h/0E0h selector, while this one groups 0 and 1 together. The two
; parents may define the argument differently — confirm before assuming the
; mappings are meant to agree.
; Every path pops 8 bytes.
loc_12480:
cmp     [esp+arg_0], 0
mov     eax, [esp+arg_4]
jz      short loc_124AE
test    eax, eax
jz      short loc_124A1
cmp     eax, 1
jz      short loc_124A1
push    0A0h
call    sub_16500
retn    8

loc_124A1:
push    80h
call    sub_16500
retn    8

loc_124AE:
test    eax, eax
jz      short loc_124C4
cmp     eax, 1
jz      short loc_124C4
push    0E0h
call    sub_16500
retn    8

loc_124C4:
push    0C0h
call    sub_16500
retn    8
; END OF FUNCTION CHUNK FOR sub_11470
align 10h



; sub_124E0 — reads a status dword and services the events it reports.
;   ecx = object pointer (kept in esi); [esi] is the access base and [esi+4]
;         is tested for non-zero before each access
;   Returns eax = flag word accumulated in ebp (0 when nothing matched).
; The status comes from sub_16600 and is parked in var_4 (the slot made by
; "push ecx"); ebx is reloaded from it after each section because bl is
; reused as scratch.
; Status bits tested: 0..3 (banks 80h/0A0h/0C0h/0E0h), 16, 8..15, 20, 21, 18,
; 19, 6 and 7, in that order.
; Many sections read a byte and store the same value back; that looks like a
; write-to-acknowledge register protocol — presumably, not established here.
;
; NOTE(review): bank 80h contributes 100h, bank 0A0h 200h, bank 0C0h 300h and
; bank 0E0h 2 to the result. 300h is the union of the first two values, so
; the caller cannot tell "bank 0C0h" apart from "banks 80h and 0A0h together".
; Check how the consumer decodes these bits.
; IDA shows the immediate 20000h as "offset dword_20000"; it is used as a bit
; mask in the test/or instructions below.
sub_124E0 proc near

var_4= dword ptr -4

push    ecx
push    ebx
push    ebp
push    esi
push    edi
mov     esi, ecx
xor     ebp, ebp         ; ebp = result flags
call    sub_16600
mov     edi, ds:KeStallExecutionProcessor
mov     ebx, eax
and     eax, 1
mov     [esp+14h+var_4], ebx ; keep the full status word
jnz     short loc_12508
test    bl, 0Eh
jz      loc_12673        ; none of bits 0..3 set: skip the bank sections

; --- status bit 0: bank 80h ---
loc_12508:
test    eax, eax
jz      short loc_12562
push    80h
mov     ecx, esi
call    sub_16220
mov     ecx, esi
mov     bl, al           ; bl = byte returned for the bank
call    sub_162E0
test    eax, offset dword_20000 ; mask 20000h
jz      short loc_12541
cmp     [esi+4], ebp     ; ebp is still 0 here
jz      short loc_1253C
mov     ecx, [esi]
shr     eax, 10h
push    1
mov     [ecx+192h], al   ; store bits 16..23 of the value back at 192h
call    edi ; KeStallExecutionProcessor

loc_1253C:
mov     ebp, 100h

loc_12541:
test    bl, 4
jz      short loc_1255E
cmp     dword ptr [esi+4], 0
jz      short loc_12558
mov     edx, [esi]
push    1
mov     [edx+83h], bl    ; bank+3
call    edi ; KeStallExecutionProcessor

loc_12558:
or      ebp, 100h

loc_1255E:
mov     ebx, [esp+14h+var_4]

; --- status bit 1: bank 0A0h ---
loc_12562:
test    bl, 2
jz      short loc_125BF
push    0A0h
mov     ecx, esi
call    sub_16220
mov     ecx, esi
mov     bl, al
call    sub_16300
test    eax, offset dword_20000 ; mask 20000h
jz      short loc_1259E
cmp     dword ptr [esi+4], 0
jz      short loc_12598
mov     ecx, [esi]
shr     eax, 10h
push    1
mov     [ecx+196h], al
call    edi ; KeStallExecutionProcessor

loc_12598:
or      ebp, 200h

loc_1259E:
test    bl, 4
jz      short loc_125BB
cmp     dword ptr [esi+4], 0
jz      short loc_125B5
mov     edx, [esi]
push    1
mov     [edx+0A3h], bl   ; bank+3
call    edi ; KeStallExecutionProcessor

loc_125B5:
or      ebp, 200h

loc_125BB:
mov     ebx, [esp+14h+var_4]

; --- status bit 2: bank 0C0h ---
loc_125BF:
test    bl, 4
jz      short loc_1261C
push    0C0h
mov     ecx, esi
call    sub_16220
mov     ecx, esi
mov     bl, al
call    sub_16320
test    eax, offset dword_20000 ; mask 20000h
jz      short loc_125FB
cmp     dword ptr [esi+4], 0
jz      short loc_125F5
mov     ecx, [esi]
shr     eax, 10h
push    1
mov     [ecx+19Ah], al
call    edi ; KeStallExecutionProcessor

loc_125F5:
or      ebp, 300h        ; overlaps the 100h and 200h flags, see header note

loc_125FB:
test    bl, 4
jz      short loc_12618
cmp     dword ptr [esi+4], 0
jz      short loc_12612
mov     edx, [esi]
push    1
mov     [edx+0C3h], bl   ; bank+3
call    edi ; KeStallExecutionProcessor

loc_12612:
or      ebp, 300h

loc_12618:
mov     ebx, [esp+14h+var_4]

; --- status bit 3: bank 0E0h ---
loc_1261C:
test    bl, 8
jz      short loc_12673
push    0E0h
mov     ecx, esi
call    sub_16220
mov     ecx, esi
mov     bl, al
call    sub_16340
test    eax, offset dword_20000 ; mask 20000h
jz      short loc_12655
cmp     dword ptr [esi+4], 0
jz      short loc_12652
mov     ecx, [esi]
shr     eax, 10h
push    1
mov     [ecx+19Eh], al
call    edi ; KeStallExecutionProcessor

loc_12652:
or      ebp, 2

loc_12655:
test    bl, 4
jz      short loc_1266F
cmp     dword ptr [esi+4], 0
jz      short loc_1266C
mov     edx, [esi]
push    1
mov     [edx+0E3h], bl   ; bank+3
call    edi ; KeStallExecutionProcessor

loc_1266C:
or      ebp, 2

loc_1266F:
mov     ebx, [esp+14h+var_4]

; --- status bit 16: byte at 404h ---
loc_12673:
test    ebx, 10000h
jz      short loc_126D8
cmp     dword ptr [esi+4], 0
jnz     short loc_12685
xor     bl, bl           ; no access possible: treat the byte as 0
jmp     short loc_12691

loc_12685:
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     bl, [eax+404h]

loc_12691:
test    bl, 0Fh
jz      short loc_126D4
cmp     dword ptr [esi+4], 0
jz      short loc_126AD
mov     edx, [esi]
mov     cl, bl
or      cl, 0Fh
push    1
mov     [edx+404h], cl   ; write back with the low nibble forced to 0Fh
call    edi ; KeStallExecutionProcessor

loc_126AD:
test    bl, 2
jz      short loc_126C9
cmp     dword ptr [esi+564h], 0
jnz     short loc_126C3
or      ebp, offset dword_20000 ; flag 20000h when [esi+564h] is 0
jmp     short loc_126C9

loc_126C3:
or      ebp, 40000h      ; flag 40000h otherwise

loc_126C9:
test    bl, 1
jz      short loc_126D4
or      ebp, 10000h

loc_126D4:
mov     ebx, [esp+14h+var_4]

; --- status bits 8..15: byte from sub_165E0 stored at 484h ---
loc_126D8:
test    ebx, 0FF00h
jz      short loc_126FD
mov     ecx, esi
call    sub_165E0
test    al, al
jz      short loc_126FD
cmp     dword ptr [esi+4], 0
jz      short loc_126FD
mov     ecx, [esi]
push    1
mov     [ecx+484h], al
call    edi ; KeStallExecutionProcessor

; --- status bit 20: byte at 435h read and written back ---
loc_126FD:
test    ebx, 100000h
jz      short loc_1272B
cmp     dword ptr [esi+4], 0
jz      short loc_1272B
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     cl, [eax+435h]
test    cl, cl
jz      short loc_1272B
cmp     dword ptr [esi+4], 0
jz      short loc_1272B
push    1
mov     [eax+435h], cl
call    edi ; KeStallExecutionProcessor

; --- status bit 21: byte at 455h read and written back ---
loc_1272B:
test    ebx, 200000h
jz      short loc_12759
cmp     dword ptr [esi+4], 0
jz      short loc_12759
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     cl, [eax+455h]
test    cl, cl
jz      short loc_12759
cmp     dword ptr [esi+4], 0
jz      short loc_12759
push    1
mov     [eax+455h], cl
call    edi ; KeStallExecutionProcessor

; --- status bit 18: byte at 467h read and written back ---
loc_12759:
test    ebx, 40000h
jz      short loc_12787
cmp     dword ptr [esi+4], 0
jz      short loc_12787
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     cl, [eax+467h]
test    cl, cl
jz      short loc_12787
cmp     dword ptr [esi+4], 0
jz      short loc_12787
push    1
mov     [eax+467h], cl
call    edi ; KeStallExecutionProcessor

; --- status bit 19: byte at 4C7h read and written back ---
loc_12787:
test    ebx, 80000h
jz      short loc_127B5
cmp     dword ptr [esi+4], 0
jz      short loc_127B5
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     cl, [eax+4C7h]
test    cl, cl
jz      short loc_127B5
cmp     dword ptr [esi+4], 0
jz      short loc_127B5
push    1
mov     [eax+4C7h], cl
call    edi ; KeStallExecutionProcessor

; --- status bit 6: byte at 1CDh read and written back ---
loc_127B5:
test    bl, 40h
jz      short loc_127E0
cmp     dword ptr [esi+4], 0
jz      short loc_127E0
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     cl, [eax+1CDh]
test    cl, cl
jz      short loc_127E0
cmp     dword ptr [esi+4], 0
jz      short loc_127E0
push    1
mov     [eax+1CDh], cl
call    edi ; KeStallExecutionProcessor

; --- status bit 7 (sign bit of bl): byte at 4A1h read and written back ---
loc_127E0:
test    bl, bl
jns     short loc_1280A
cmp     dword ptr [esi+4], 0
jz      short loc_1280A
push    1
call    edi ; KeStallExecutionProcessor
mov     eax, [esi]
mov     cl, [eax+4A1h]
test    cl, cl
jz      short loc_1280A
cmp     dword ptr [esi+4], 0
jz      short loc_1280A
push    1
mov     [eax+4A1h], cl
call    edi ; KeStallExecutionProcessor

loc_1280A:
pop     edi
pop     esi
mov     eax, ebp         ; return the accumulated flags
pop     ebp
pop     ebx
pop     ecx
retn
sub_124E0 endp

align 10h



; sub_12820 — applies a rate-style setting chosen from a fixed list.
;   ecx   = object pointer (kept in esi)
;   arg_0 = requested value; accepted values (hex = decimal):
;           1F40h=8000, 2B11h=11025, 3E80h=16000, 5622h=22050, 5DC0h=24000,
;           7D00h=32000, 0AC44h=44100, 0BB80h=48000, 15888h=88200,
;           17700h=96000 — these are common audio sample rates, so arg_0 is
;           presumably a sample rate in Hz.
;   Returns eax = 0 on success, 0C00000BBh (STATUS_NOT_SUPPORTED) for any
;   other value; the rejection happens before any store is made.
; IDA shows 15888h and 17700h as "offset loc_15888"/"offset loc_17700"; they
; are plain immediates in these comparisons.
;
; Sequence: (1) map arg_0 to a 16-bit code kept in the low word of the arg_0
; slot and adjust bl, the byte from sub_16590 masked with 0FAh (bits 0 and 2
; are set again for 88200/96000); (2) store (code & 0FFB1h) | 31h as a word at
; 92h, 0B2h, 0D2h and 0F2h, i.e. offset 12h of each bank; (3) pass bl to
; sub_165B0; (4) clear the low nibble of the byte from sub_162C0 at 18Ah when
; it is non-zero; (5) set bits 12..15 of the dword from sub_16360 to a
; per-rate code and store it at 1A0h.
; The word codes (0, 4000h, 0800h, 0A00h, ...) have the shape of a
; base/multiplier/divider stream-format field as used by HD-Audio style
; controllers — NOTE(review): inferred from the values only, confirm against
; the hardware documentation.
; The comparisons use signed jg; values with bit 31 set fall into the low
; range and are rejected by the equality tests there.
; Callee pops 4 bytes.
sub_12820 proc near

arg_0= dword ptr  10h

push    ebx
push    esi
push    edi
mov     esi, ecx
call    sub_16590
mov     edi, [esp+arg_0] ; edi = requested value, kept for the second switch
mov     bl, al
and     bl, 0FAh         ; clear bits 0 and 2
cmp     edi, 7D00h
jg      short loc_128AA
jz      short loc_128A1
cmp     edi, 3E80h
jg      short loc_1287F
jz      short loc_12873
cmp     edi, 1F40h
jz      short loc_12867
cmp     edi, 2B11h
jnz     loc_128EA
mov     word ptr [esp+arg_0], 4300h ; 11025
jmp     loc_128FF

loc_12867:
mov     word ptr [esp+arg_0], 500h ; 8000
jmp     loc_128FF

loc_12873:
mov     word ptr [esp+arg_0], 200h ; 16000
jmp     loc_128FF

loc_1287F:
cmp     edi, 5622h
jz      short loc_12898
cmp     edi, 5DC0h
jnz     short loc_128EA
mov     word ptr [esp+arg_0], 100h ; 24000
jmp     short loc_128FF

loc_12898:
mov     word ptr [esp+arg_0], 4100h ; 22050
jmp     short loc_128FF

loc_128A1:
mov     word ptr [esp+arg_0], 0A00h ; 32000
jmp     short loc_128FF

loc_128AA:
cmp     edi, offset loc_15888 ; immediate 15888h = 88200
jg      short loc_128E2
jz      short loc_128D9
cmp     edi, 0AC44h
jz      short loc_128D0
cmp     edi, 0BB80h
jnz     short loc_128EA
mov     word ptr [esp+arg_0], 0 ; 48000
and     bl, 0FAh         ; repeats the mask already applied above
jmp     short loc_128FF

loc_128D0:
mov     word ptr [esp+arg_0], 4000h ; 44100
jmp     short loc_128FF

loc_128D9:
mov     word ptr [esp+arg_0], 4800h ; 88200
jmp     short loc_128FC

loc_128E2:
cmp     edi, offset loc_17700 ; immediate 17700h = 96000
jz      short loc_128F5

; Unsupported value: nothing has been written yet.
loc_128EA:
pop     edi
pop     esi
mov     eax, 0C00000BBh  ; STATUS_NOT_SUPPORTED
pop     ebx
retn    4

loc_128F5:
mov     word ptr [esp+arg_0], 800h ; 96000

loc_128FC:
or      bl, 5            ; 88200/96000 only: set bits 0 and 2

loc_128FF:
push    ebp
mov     ebp, [esp+4+arg_0]
and     ebp, 0FFB1h      ; keeps the 16-bit code, drops bits 1..3 and 6
or      ebp, 31h
cmp     dword ptr [esi+4], 0
jz      short loc_1296D
mov     eax, [esi]
push    1
mov     [eax+92h], bp    ; bank 80h + 12h
call    ds:KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1296D
mov     ecx, [esi]
push    1
mov     [ecx+0B2h], bp   ; bank 0A0h + 12h
call    ds:KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1296D
mov     edx, [esi]
push    1
mov     [edx+0D2h], bp   ; bank 0C0h + 12h
call    ds:KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1296D
mov     eax, [esi]
mov     [eax+0F2h], bp   ; bank 0E0h + 12h
mov     ebp, ds:KeStallExecutionProcessor ; ebp is free again from here
push    1
call    ebp ; KeStallExecutionProcessor
jmp     short loc_12973

loc_1296D:
mov     ebp, ds:KeStallExecutionProcessor

loc_12973:
movzx   ecx, bl
push    ecx
mov     ecx, esi
call    sub_165B0        ; pass the adjusted byte on
mov     ecx, esi
call    sub_162C0
test    al, 0Fh
jz      short loc_1299D
cmp     dword ptr [esi+4], 0
jz      short loc_1299D
mov     edx, [esi]
and     al, 0F0h
push    1
mov     [edx+18Ah], al   ; low nibble cleared
call    ebp ; KeStallExecutionProcessor

; Second switch on the same value: each and/or pair forces bits 12..15 of eax
; to one code (5, 9, 7, 6, 4, 3, 2, 0 or 0Ah). 88200 and 96000 share 0Ah.
loc_1299D:
mov     ecx, esi
call    sub_16360
cmp     edi, 7D00h
jg      short loc_12A27
jz      short loc_12A1B
cmp     edi, 3E80h
jg      short loc_129F3
jz      short loc_129E7
cmp     edi, 1F40h
jz      short loc_129DB
cmp     edi, 2B11h
jnz     loc_12A66
and     eax, 0FFFF5FFFh
or      eax, 5000h       ; 11025
jmp     loc_12A66

loc_129DB:
and     eax, 0FFFF9FFFh
or      eax, 9000h       ; 8000
jmp     short loc_12A66

loc_129E7:
and     eax, 0FFFF7FFFh
or      eax, 7000h       ; 16000
jmp     short loc_12A66

loc_129F3:
cmp     edi, 5622h
jz      short loc_12A0F
cmp     edi, 5DC0h
jnz     short loc_12A66
and     eax, 0FFFF6FFFh
or      eax, 6000h       ; 24000
jmp     short loc_12A66

loc_12A0F:
and     eax, 0FFFF4FFFh
or      eax, 4000h       ; 22050
jmp     short loc_12A66

loc_12A1B:
and     eax, 0FFFF3FFFh
or      eax, 3000h       ; 32000
jmp     short loc_12A66

loc_12A27:
cmp     edi, offset loc_15888 ; immediate 15888h = 88200
jg      short loc_12A54
jz      short loc_12A5C
cmp     edi, 0AC44h
jz      short loc_12A4D
cmp     edi, 0BB80h
jnz     short loc_12A66
and     eax, 0FFFF2FFFh
or      eax, 2000h       ; 48000
jmp     short loc_12A66

loc_12A4D:
and     eax, 0FFFF0FFFh  ; 44100: code 0
jmp     short loc_12A66

loc_12A54:
cmp     edi, offset loc_17700 ; immediate 17700h = 96000
jnz     short loc_12A66

loc_12A5C:
and     eax, 0FFFFAFFFh
or      eax, 0A000h      ; 88200 and 96000

loc_12A66:
cmp     dword ptr [esi+4], 0
jz      short loc_12A78
mov     ecx, [esi]
push    1
mov     [ecx+1A0h], eax
call    ebp ; KeStallExecutionProcessor

loc_12A78:
pop     ebp
pop     edi
pop     esi
xor     eax, eax         ; success
pop     ebx
retn    4
sub_12820 endp

align 10h



; sub_12A90 — teardown of the two pool objects referenced at [ecx+508h] and
; [ecx+50Ch] (the slots sub_13280 fills).
;   ecx = object pointer, saved in var_4 and restored before the tail jump
; For each non-null slot: call sub_16670 with the pointer in ecx, release it
; with ExFreePool, then clear the slot so a stale pointer is not left behind.
; Ends with a jump to the function chunk at loc_16140 (not in this excerpt),
; which performs the actual return.
sub_12A90 proc near

var_4= dword ptr -4

; FUNCTION CHUNK AT .text:00016140 SIZE 0000000F BYTES

push    ecx
push    ebx
push    ebp
mov     ebp, ds:ExFreePool
push    esi
push    edi
mov     [esp+14h+var_4], ecx
lea     edi, [ecx+508h]  ; edi walks the two pointer slots
mov     ebx, 2           ; slot count
lea     ebx, [ebx+0]     ; no-op filler emitted for loop alignment

loc_12AB0:
mov     esi, [edi]
test    esi, esi
jz      short loc_12AC6  ; slot was never filled (allocation failed) or already freed
mov     ecx, esi
call    sub_16670
push    esi
call    ebp ; ExFreePool
mov     dword ptr [edi], 0 ; clear the slot after freeing

loc_12AC6:
add     edi, 4
sub     ebx, 1
jnz     short loc_12AB0
mov     ecx, [esp+14h+var_4]
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 4
jmp     loc_16140
sub_12A90 endp

align 10h

; Callback registered by sub_13280 through sub_16620 (first function pointer).
; Takes four stack arguments and pops them (retn 10h):
;   [esp+4], [esp+8], [esp+0Ch] = forwarded values
;   [esp+10h]                   = context, the object pointer sub_13280 passed
; With a non-null context it calls sub_11A40(ctx, 4C0h, a1, a2, a3) and
; returns al = 1 when the result is >= 0, al = 0 when it is negative.
; sub_12B80 calls sub_11A40 with the same 4C0h selector and 34h/36h as the
; first forwarded value, so this is presumably a register-write callback for
; the device behind 4C0h — TODO confirm.
; NOTE(review): a null context skips the call and still reports success
; (al = 1).
loc_12AE0:
mov     ecx, [esp+10h]
test    ecx, ecx
jz      short loc_12B0A
mov     eax, [esp+0Ch]
mov     edx, [esp+8]
push    eax              ; third forwarded value
mov     eax, [esp+8]     ; after the push this addresses the original [esp+4]
push    edx
push    eax
push    4C0h
call    sub_11A40
test    eax, eax
jge     short loc_12B0A
xor     al, al
retn    10h

loc_12B0A:
mov     al, 1
retn    10h
align 10h

; Callback registered by sub_13280 through sub_16620 (second function
; pointer). Takes four stack arguments and pops them (retn 10h):
;   [esp+4], [esp+8] = forwarded values
;   [esp+10h]        = context, the object pointer sub_13280 passed
; With a non-null context it calls sub_118F0(ctx, 4C0h, a1, a2, &slot), where
; slot is the context argument's own stack cell reused as the output buffer,
; and returns al = low byte of that cell. A negative result returns al = 0.
; NOTE(review): the output cell is not cleared before the call (sub_12B50 and
; sub_13330 zero theirs first). If sub_118F0 can return a non-negative result
; without storing a byte, the value handed back is the low byte of the
; context pointer. Also, a failed read is indistinguishable from a real 0.
; With a null context the routine returns al = 0 without calling.
loc_12B10:
mov     ecx, [esp+10h]
test    ecx, ecx
jz      short loc_12B3A
mov     edx, [esp+8]
lea     eax, [esp+10h]   ; output pointer = the context argument's slot
push    eax
mov     eax, [esp+8]     ; after the push this addresses the original [esp+4]
push    edx
push    eax
push    4C0h
call    sub_118F0
test    eax, eax
jge     short loc_12B3A
xor     al, al
retn    10h

loc_12B3A:
mov     al, [esp+10h]
retn    10h
align 10h



; sub_12B50 — single-byte read through sub_118F0.
;   ecx   = object pointer, passed through to sub_118F0 unchanged
;   arg_0 = index forwarded as the third stack argument
;   Returns al = byte stored by sub_118F0(460h, 0A0h, arg_0, &var_1).
; var_1 is zeroed first, so a call that stores nothing yields 0. The status
; returned by sub_118F0 is discarded, which means a failed read and a stored
; 0 look the same to the caller.
; Callee pops 4 bytes.
sub_12B50 proc near

var_1= byte ptr -1
arg_0= dword ptr  4

push    ecx              ; reserves the 4-byte local area; ecx itself stays intact
mov     edx, [esp+4+arg_0]
lea     eax, [esp+3]     ; address of var_1 (top byte of the reserved slot)
push    eax
push    edx
push    0A0h
push    460h
mov     [esp+14h+var_1], 0
call    sub_118F0
mov     al, [esp+4+var_1]
pop     ecx
retn    4
sub_12B50 endp

align 10h



; sub_12B80 — writes a fixed 23-entry initialisation list through sub_11A40.
;   ecx = object pointer (kept in esi)
; Outline:
;   sub_16560(0FFh); sub_165B0(8Ah); stall 3E8h
;   repeat 5 times (ebp):
;     for ebx = 0, 1: target = 34h when ebx is 0, 36h otherwise
;       for each (index, value) pair below:
;         sub_11A40(4C0h, target, index, value); stall 2
;     stall 3E8h
;   sub_165B0(0Ah)
; (index, value) pairs, in order:
;   01=F9 03=F9 05=80 07=00 09=00 0B=FF 0C=00 0E=95 10=00 12=00 14=22 16=22
;   18=22 1A=00 1D=CF 1F=CF 20=7A 22=00 24=32 26=00 28=BC 2A=02 2C=01
; 34h and 36h are the same two selectors sub_13280 registers with sub_16620;
; they are presumably bus addresses of two identical devices — TODO confirm.
; NOTE(review): none of the sub_11A40 results are checked, so a device that
; does not respond leaves the sequence half-applied without any indication.
; No arguments, plain retn.
sub_12B80 proc near
push    ebx
push    ebp
push    esi
push    edi
push    0FFh
mov     esi, ecx
call    sub_16560
push    8Ah
mov     ecx, esi
call    sub_165B0
mov     edi, ds:KeStallExecutionProcessor
push    3E8h
call    edi ; KeStallExecutionProcessor
mov     ebp, 5           ; outer repeat count
mov     edi, edi         ; no-op filler

loc_12BB0:
xor     ebx, ebx         ; ebx = target selector index (0 -> 34h, 1 -> 36h)

loc_12BB2:
test    bl, bl           ; flags survive the pushes/mov up to the jnz
push    0F9h             ; value
mov     ecx, esi
push    1                ; index 01h
jnz     short loc_12BC3
push    34h
jmp     short loc_12BC5

loc_12BC3:
push    36h

loc_12BC5:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0F9h             ; index 03h <- 0F9h
mov     ecx, esi
push    3
jnz     short loc_12BE4
push    34h
jmp     short loc_12BE6

loc_12BE4:
push    36h

loc_12BE6:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    80h              ; index 05h <- 80h
mov     ecx, esi
push    5
jnz     short loc_12C05
push    34h
jmp     short loc_12C07

loc_12C05:
push    36h

loc_12C07:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 07h <- 0
mov     ecx, esi
push    7
jnz     short loc_12C23
push    34h
jmp     short loc_12C25

loc_12C23:
push    36h

loc_12C25:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 09h <- 0
mov     ecx, esi
push    9
jnz     short loc_12C41
push    34h
jmp     short loc_12C43

loc_12C41:
push    36h

loc_12C43:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0FFh             ; index 0Bh <- 0FFh
mov     ecx, esi
push    0Bh
jnz     short loc_12C62
push    34h
jmp     short loc_12C64

loc_12C62:
push    36h

loc_12C64:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 0Ch <- 0
mov     ecx, esi
push    0Ch
jnz     short loc_12C80
push    34h
jmp     short loc_12C82

loc_12C80:
push    36h

loc_12C82:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    95h              ; index 0Eh <- 95h
mov     ecx, esi
push    0Eh
jnz     short loc_12CA1
push    34h
jmp     short loc_12CA3

loc_12CA1:
push    36h

loc_12CA3:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 10h <- 0
mov     ecx, esi
push    10h
jnz     short loc_12CBF
push    34h
jmp     short loc_12CC1

loc_12CBF:
push    36h

loc_12CC1:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 12h <- 0
mov     ecx, esi
push    12h
jnz     short loc_12CDD
push    34h
jmp     short loc_12CDF

loc_12CDD:
push    36h

loc_12CDF:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    22h              ; index 14h <- 22h
mov     ecx, esi
push    14h
jnz     short loc_12CFB
push    34h
jmp     short loc_12CFD

loc_12CFB:
push    36h

loc_12CFD:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    22h              ; index 16h <- 22h
mov     ecx, esi
push    16h
jnz     short loc_12D19
push    34h
jmp     short loc_12D1B

loc_12D19:
push    36h

loc_12D1B:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    22h              ; index 18h <- 22h
mov     ecx, esi
push    18h
jnz     short loc_12D37
push    34h
jmp     short loc_12D39

loc_12D37:
push    36h

loc_12D39:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 1Ah <- 0
mov     ecx, esi
push    1Ah
jnz     short loc_12D55
push    34h
jmp     short loc_12D57

loc_12D55:
push    36h

loc_12D57:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0CFh             ; index 1Dh <- 0CFh
mov     ecx, esi
push    1Dh
jnz     short loc_12D76
push    34h
jmp     short loc_12D78

loc_12D76:
push    36h

loc_12D78:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0CFh             ; index 1Fh <- 0CFh
mov     ecx, esi
push    1Fh
jnz     short loc_12D97
push    34h
jmp     short loc_12D99

loc_12D97:
push    36h

loc_12D99:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    7Ah              ; index 20h <- 7Ah
mov     ecx, esi
push    20h
jnz     short loc_12DB5
push    34h
jmp     short loc_12DB7

loc_12DB5:
push    36h

loc_12DB7:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 22h <- 0
mov     ecx, esi
push    22h
jnz     short loc_12DD3
push    34h
jmp     short loc_12DD5

loc_12DD3:
push    36h

loc_12DD5:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    32h              ; index 24h <- 32h
mov     ecx, esi
push    24h
jnz     short loc_12DF1
push    34h
jmp     short loc_12DF3

loc_12DF1:
push    36h

loc_12DF3:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0                ; index 26h <- 0
mov     ecx, esi
push    26h
jnz     short loc_12E0F
push    34h
jmp     short loc_12E11

loc_12E0F:
push    36h

loc_12E11:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    0BCh             ; index 28h <- 0BCh
mov     ecx, esi
push    28h
jnz     short loc_12E30
push    34h
jmp     short loc_12E32

loc_12E30:
push    36h

loc_12E32:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    2                ; index 2Ah <- 2
mov     ecx, esi
push    2Ah
jnz     short loc_12E4E
push    34h
jmp     short loc_12E50

loc_12E4E:
push    36h

loc_12E50:
push    4C0h
call    sub_11A40
push    2
call    edi
test    bl, bl
push    1                ; index 2Ch <- 1
mov     ecx, esi
push    2Ch
jnz     short loc_12E6C
push    34h
jmp     short loc_12E6E

loc_12E6C:
push    36h

loc_12E6E:
push    4C0h
call    sub_11A40
push    2
call    edi
add     ebx, 1
cmp     ebx, 2
jl      loc_12BB2        ; second pass uses selector 36h
push    3E8h
call    edi
sub     ebp, 1
jnz     loc_12BB0        ; whole list is written 5 times
push    0Ah
mov     ecx, esi
call    sub_165B0
pop     edi
pop     esi
pop     ebp
pop     ebx
retn
sub_12B80 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_11420

; Function chunk of sub_11420: builds a two-entry descriptor table for one
; bank and starts it through sub_11EC0. arg_0..arg_C are declared by
; sub_11420, which is outside this excerpt.
;   ecx   = object pointer
;   arg_0, arg_4 = bank selectors: arg_0 != 0 -> index 0 (80h) or 1 (0A0h),
;                  arg_0 == 0 -> index 2 (0C0h) or 3 (0E0h); arg_4 != 0 picks
;                  the second of each pair
;   arg_8 = start value written into the first entry
;   arg_C = total size; half of it is stored at [ecx+560h] and used as the
;           per-entry length
; Table written at [ecx+558h] + index*100h (eight dwords):
;   { arg_8, 0, half, 0,  arg_8 + half, 0, half, 0 }
; Then: sub_11EC0(bank, [ecx+55Ch] + index*100h, half).
; NOTE(review): arg_8 and arg_C are used as given; there is no check here
; that arg_8 + half stays inside the buffer it describes or that arg_C is
; non-zero. Confirm that sub_11420 or its caller validates them.
; Callee pops 10h bytes.
loc_12EB0:
mov     eax, [esp+arg_C]
push    ebx
push    ebp
shr     eax, 1           ; half of arg_C
xor     ebx, ebx         ; ebx = 0, used as the zero constant below
cmp     [esp+8+arg_0], ebx
push    esi
push    edi
mov     [ecx+560h], eax  ; pushes/mov keep the flags of the cmp above
jz      short loc_12EE3
cmp     [esp+10h+arg_4], ebx
jnz     short loc_12ED7
xor     eax, eax
mov     edi, 80h
jmp     short loc_12EFF

loc_12ED7:
mov     eax, 1
mov     edi, 0A0h
jmp     short loc_12EFF

loc_12EE3:
cmp     [esp+10h+arg_4], ebx
jnz     short loc_12EF5
mov     eax, 2
mov     edi, 0C0h
jmp     short loc_12EFF

loc_12EF5:
mov     eax, 3
mov     edi, 0E0h

loc_12EFF:
mov     edx, [ecx+55Ch]
shl     eax, 8           ; index * 100h
mov     esi, eax
mov     eax, [ecx+558h]
add     eax, esi         ; eax = table address used for the stores
add     edx, esi         ; edx = matching value handed to sub_11EC0
mov     esi, [esp+10h+arg_8]
mov     [eax], esi       ; entry 0: arg_8
mov     [eax+4], ebx
mov     ebp, [ecx+560h]
mov     [eax+8], ebp     ; entry 0: length = half
mov     [eax+0Ch], ebx
mov     ebp, [ecx+560h]
add     ebp, esi
mov     [eax+10h], ebp   ; entry 1: arg_8 + half
mov     [eax+14h], ebx
mov     esi, [ecx+560h]
mov     [eax+18h], esi   ; entry 1: length = half
mov     [eax+1Ch], ebx
mov     eax, [ecx+560h]
push    eax
push    edx
push    edi
call    sub_11EC0
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    10h
; END OF FUNCTION CHUNK FOR sub_11420
align 10h



; sub_12F60 — switches all four banks on or off depending on arg_0.
;   ecx   = object pointer (kept in esi); [esi] is the store base and [esi+4]
;           is tested for non-zero before each store
;   arg_0 = mode flag
; arg_0 != 0: sub_12270(0A0h), sub_12270(80h), an inline copy of the
;   sub_12270 steps for bank 0E0h (0FFh -> 0E3h, 3 -> 19Eh, 2 -> 0E0h unless
;   sub_161F0 reports bit 1), then sub_12270(0C0h).
; arg_0 == 0: an inline copy of the sub_11EC0 sequence for bank 0C0h (table
;   value [esi+55Ch] + 200h) and bank 0E0h ([esi+55Ch] + 300h), both with
;   [esi+560h] as the size, followed by sub_123B0(80h) and sub_123B0(0A0h).
; In the second path var_4 (the "push ecx" slot) holds the table value and
; the arg_0 slot is reused for the size. ebx/ebp are saved only from
; loc_13039 on, which is why the two exits pop different register sets.
;
; NOTE(review): both wait loops (loc_13050, loc_13180) spin with
; KeStallExecutionProcessor(64h) until sub_161F0 reports bit 0 or
; PcGetTimeInterval reaches 1312D00h (20,000,000; about two seconds if the
; documented 100-ns unit applies). Back to back that allows roughly four
; seconds of busy-waiting here, plus the same loop inside each sub_123B0 ->
; sub_11EC0 call, with no timeout reported to the caller.
; Callee pops 4 bytes.
sub_12F60 proc near

var_14= dword ptr -14h
var_4= dword ptr -4
arg_0= dword ptr  4

push    ecx
cmp     [esp+4+arg_0], 0
push    esi
push    edi
mov     esi, ecx
jz      short loc_12FE3
push    0A0h
call    sub_12270        ; ecx still holds the object pointer here
push    80h
mov     ecx, esi
call    sub_12270
cmp     dword ptr [esi+4], 0
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_12FAE
mov     eax, [esi]
push    1
mov     byte ptr [eax+0E3h], 0FFh ; bank 0E0h + 3
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_12FAE
mov     ecx, [esi]
push    1
mov     byte ptr [ecx+19Eh], 3
call    edi ; KeStallExecutionProcessor

loc_12FAE:
push    0E0h
mov     ecx, esi
call    sub_161F0
test    al, 2
jnz     short loc_12FD1
cmp     dword ptr [esi+4], 0
jz      short loc_12FD1
mov     edx, [esi]
push    1
mov     byte ptr [edx+0E0h], 2
call    edi ; KeStallExecutionProcessor

loc_12FD1:
push    0C0h
mov     ecx, esi
call    sub_12270
pop     edi
pop     esi
pop     ecx
retn    4

; ---- arg_0 == 0: bank 0C0h ----
loc_12FE3:
mov     eax, [esi+55Ch]
mov     edi, ds:KeStallExecutionProcessor
add     eax, 200h        ; table value for index 2
cmp     dword ptr [esi+4], 0
mov     [esp+0Ch+var_4], eax
mov     eax, [esi+560h]
mov     [esp+0Ch+arg_0], eax ; arg_0 slot now holds the size
jz      short loc_13018
mov     ecx, [esi]
push    1
mov     dword ptr [ecx+0C0h], 0FF000000h
call    edi ; KeStallExecutionProcessor

loc_13018:
push    2
push    19Ah
mov     ecx, esi
call    sub_11580
cmp     dword ptr [esi+4], 0
jz      short loc_13039
mov     edx, [esi]
push    1
mov     byte ptr [edx+0C0h], 1
call    edi ; KeStallExecutionProcessor

loc_13039:
push    ebx
push    ebp
push    0
push    0
call    ds:PcGetTimeInterval
mov     ebx, eax         ; ebp:ebx = start time
mov     ebp, edx
lea     esp, [esp+0]     ; no-op filler

loc_13050:
push    0C0h
mov     ecx, esi
call    sub_161F0
test    al, 1
jnz     short loc_13077
push    64h
call    edi ; KeStallExecutionProcessor
push    ebp
push    ebx
call    ds:PcGetTimeInterval
test    edx, edx
ja      short loc_13077  ; high dword non-zero: treat as timed out
cmp     eax, 1312D00h
jb      short loc_13050

loc_13077:
cmp     dword ptr [esi+4], 0
jz      short loc_130B6
mov     eax, [esi]
push    1
mov     byte ptr [eax+0C0h], 0
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_130B6
mov     ecx, [esi]
mov     edx, [esp+14h+var_4]
push    1
mov     [ecx+0D8h], edx  ; bank 0C0h + 18h = table value
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_130B6
mov     eax, [esi]
push    1
mov     dword ptr [eax+0DCh], 0
call    edi ; KeStallExecutionProcessor

loc_130B6:
push    0BFh
push    0D0h
mov     ecx, esi
call    sub_115A0
cmp     dword ptr [esi+4], 0
jz      short loc_1310A
mov     ecx, [esi]
push    1
mov     word ptr [ecx+0CEh], 4
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1310A
mov     edx, [esi]
push    1
mov     byte ptr [edx+0CCh], 1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1310A
mov     ebx, [esp+14h+arg_0]
mov     ecx, [esi]
lea     eax, [ebx+ebx]
push    1
mov     [ecx+0C8h], eax  ; bank 0C0h + 8 = 2 * size
call    edi ; KeStallExecutionProcessor
jmp     short loc_1310E

loc_1310A:
mov     ebx, [esp+14h+arg_0]

loc_1310E:
shr     ebx, 3
movzx   eax, bx          ; (size >> 3) & 0FFFFh
push    eax
push    198h
mov     ecx, esi
call    sub_115A0
; ---- bank 0E0h ----
mov     eax, [esi+55Ch]
mov     edx, [esi+560h]
add     eax, 300h        ; table value for index 3
cmp     dword ptr [esi+4], 0
mov     [esp+14h+var_4], eax
mov     [esp+14h+arg_0], edx
jz      short loc_13150
mov     eax, [esi]
push    1
mov     dword ptr [eax+0E0h], 0FF000000h
call    edi ; KeStallExecutionProcessor

loc_13150:
push    2
push    19Eh
mov     ecx, esi
call    sub_11580
cmp     dword ptr [esi+4], 0
jz      short loc_13171
mov     ecx, [esi]
push    1
mov     byte ptr [ecx+0E0h], 1
call    edi ; KeStallExecutionProcessor

loc_13171:
push    0
push    0
call    ds:PcGetTimeInterval
mov     ebp, eax         ; ebx:ebp = start time (registers swapped vs. the first loop)
mov     ebx, edx
nop

loc_13180:
push    0E0h
mov     ecx, esi
call    sub_161F0
test    al, 1
jnz     short loc_131A7
push    64h
call    edi ; KeStallExecutionProcessor
push    ebx
push    ebp
call    ds:PcGetTimeInterval
test    edx, edx
ja      short loc_131A7  ; high dword non-zero: treat as timed out
cmp     eax, 1312D00h
jb      short loc_13180

loc_131A7:
cmp     dword ptr [esi+4], 0
jz      short loc_131E6
mov     edx, [esi]
push    1
mov     byte ptr [edx+0E0h], 0
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_131E6
mov     eax, [esi]
mov     ecx, [esp+14h+var_4]
push    1
mov     [eax+0F8h], ecx  ; bank 0E0h + 18h = table value
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_131E6
mov     edx, [esi]
push    1
mov     dword ptr [edx+0FCh], 0
call    edi ; KeStallExecutionProcessor

loc_131E6:
push    0BFh
push    0F0h
mov     ecx, esi
call    sub_115A0
cmp     dword ptr [esi+4], 0
jz      short loc_1323A
mov     eax, [esi]
push    1
mov     word ptr [eax+0EEh], 4
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1323A
mov     ecx, [esi]
push    1
mov     byte ptr [ecx+0ECh], 1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jz      short loc_1323A
mov     ebx, [esp+14h+arg_0]
mov     eax, [esi]
lea     edx, [ebx+ebx]
push    1
mov     [eax+0E8h], edx  ; bank 0E0h + 8 = 2 * size
call    edi ; KeStallExecutionProcessor
jmp     short loc_1323E

loc_1323A:
mov     ebx, [esp+14h+arg_0]

loc_1323E:
shr     ebx, 3
movzx   eax, bx
push    eax
push    19Ch
mov     ecx, esi
call    sub_115A0
push    80h
mov     ecx, esi
call    sub_123B0        ; banks 80h and 0A0h go through the shared routine
push    0A0h
mov     ecx, esi
call    sub_123B0
pop     ebp
pop     ebx
pop     edi
pop     esi
pop     ecx
retn    4
sub_12F60 endp

align 10h



; sub_13280 — second-stage initialiser of the object in ecx.
;   ecx   = object pointer (kept in esi)
;   arg_0 = forwarded to sub_16100
;   arg_4 = stored at [esi+564h]
;   Returns eax = the object pointer, on every path.
; After sub_16100 it allocates two 70h-byte blocks with
; ExAllocatePoolWithTag(0, 70h, 774E6350h), zero-fills each and initialises
; it with sub_16620(block, loc_12AE0, loc_12B10, selector, esi), selector
; being 34h for the first block and 36h for the second. The value returned by
; sub_16620 is stored at [esi+508h] and [esi+50Ch] respectively.
; The tag bytes in memory order are 'P','c','N','w'.
; NOTE(review): an allocation failure is not reported — the slot is set to 0
; and the routine still returns the object pointer. sub_12A90 skips null
; slots on teardown, but every other user of [esi+508h] / [esi+50Ch] has to
; null-check as well; those users are not visible in this excerpt.
; Callee pops 8 bytes.
sub_13280 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]
push    ebx
push    esi
push    edi
push    eax
mov     esi, ecx
call    sub_16100
mov     ecx, [esp+0Ch+arg_4]
mov     ebx, ds:ExAllocatePoolWithTag
push    774E6350h        ; tag
push    70h              ; size
push    0                ; pool type 0
mov     [esi+564h], ecx
call    ebx ; ExAllocatePoolWithTag
mov     edi, eax
test    edi, edi
jz      short loc_132D3
push    70h
push    0
push    edi
call    memset
add     esp, 0Ch         ; memset is cdecl: caller removes its arguments
push    esi              ; context handed to the callbacks
push    34h
push    offset loc_12B10
push    offset loc_12AE0
mov     ecx, edi
call    sub_16620
jmp     short loc_132D5

loc_132D3:
xor     eax, eax         ; allocation failed: slot will hold 0

loc_132D5:
push    774E6350h
push    70h
push    0
mov     [esi+508h], eax
call    ebx ; ExAllocatePoolWithTag
mov     edi, eax
test    edi, edi
jz      short loc_1331B
push    70h
push    0
push    edi
call    memset
add     esp, 0Ch
push    esi
push    36h
push    offset loc_12B10
push    offset loc_12AE0
mov     ecx, edi
call    sub_16620
mov     [esi+50Ch], eax
pop     edi
mov     eax, esi
pop     esi
pop     ebx
retn    8

loc_1331B:
xor     eax, eax
mov     [esi+50Ch], eax  ; allocation failed: slot holds 0
pop     edi
mov     eax, esi
pop     esi
pop     ebx
retn    8
sub_13280 endp

align 10h



; sub_13330 — fills the 28h-byte buffer at [ecx+530h] with bytes read through
; sub_118F0.
;   ecx = object pointer (kept in ebp)
;   Returns eax = 0, always.
; For i = 0 .. 27h it calls sub_118F0(460h, 0A0h, i, &var_1) and stores var_1
; at [ecx+530h+i]. var_1 is cleared before each call, so an entry the helper
; does not fill reads as 0.
; The selector pair 460h/0A0h and the sequential byte index look like a small
; serial-memory dump — presumably, not established by this code.
; NOTE(review): the status of sub_118F0 is ignored and the routine always
; returns 0, so a failed read is recorded as a zero byte with no way for the
; caller to tell. If the buffer feeds configuration or identification
; decisions, the caller cannot distinguish missing data from real zeros.
sub_13330 proc near

var_1= byte ptr -1

push    ecx              ; reserves the local slot that contains var_1
push    ebp
push    esi
mov     ebp, ecx
push    edi
lea     edi, [ebp+530h]  ; edi = destination cursor
xor     esi, esi         ; esi = byte index
mov     edi, edi         ; no-op filler

loc_13340:
lea     eax, [esp+0Fh]   ; address of var_1
push    eax
push    esi
push    0A0h
push    460h
mov     ecx, ebp
mov     [esp+20h+var_1], 0
call    sub_118F0
mov     cl, [esp+10h+var_1]
mov     [edi], cl
add     esi, 1
add     edi, 1
cmp     si, 28h
jb      short loc_13340  ; 28h iterations, matching the buffer walk from +530h
pop     edi
pop     esi
xor     eax, eax
pop     ebp
pop     ecx
retn
sub_13330 endp

align 10h



; sub_13380 - fixed register programming sequence (looks like device
; bring-up; the meaning of the individual registers is not visible here).
; ecx = object (kept in esi). Every store goes through the pointer in [esi]
; and is skipped when [esi+4] is 0; each store is followed by
; KeStallExecutionProcessor(1), i.e. a 1 microsecond busy-wait.
; presumably [esi] is the mapped register base and [esi+4] a "mapped" flag -
; TODO confirm against the code that fills them.
; Sequence:
;   1. +8      <- sub_161D0() with bit 31 cleared, then sub_115F0(1E8480h, 0)
;   2. +8      <- same value with bit 31 set,     then sub_115F0(1E8480h, 0)
;   3. +4E4h   <- 38000h, then +4E0h is read back (0 is used if unmapped)
;   4. +4E0h   bit 22 is set and cleared 14h times
;   5. +188h   <- sub_16280() & 0F8h (byte), +189h <- sub_162A0() & 98h (byte)
;   6. +1A0h   <- 80000000h if [esi+564h] is 0, else 0; +1B0h <- 80000000h
;   7. for edi in 80h, 0A0h, 0C0h, 0E0h: word at +edi+12h <-
;      (sub_16250(edi) & 0FFB1h) | 4031h
;   8. sub_13330, sub_12B80
;   9. +404h <- 50078000h, word +40Ch <- 301h, byte +404h <- 0Fh,
;      +404h <- sub_163D0() & 0FFFFFDFFh
;  10. [esi+51Ch] <- 0
; No value is returned explicitly (eax holds whatever the last call left).
sub_13380 proc near

var_C= dword ptr -0Ch

push    ecx
push    ebx
push    esi
push    edi
mov     esi, ecx
call    sub_161D0
mov     ebx, ds:KeStallExecutionProcessor
mov     edi, eax
and     edi, 7FFFFFFFh          ; clear bit 31
cmp     dword ptr [esi+4], 0
jz      short loc_133A8
mov     eax, [esi]
push    1
mov     [eax+8], edi
call    ebx ; KeStallExecutionProcessor

loc_133A8:
push    0
push    1E8480h                 ; 2,000,000 decimal; unit depends on sub_115F0
mov     ecx, esi
call    sub_115F0
cmp     dword ptr [esi+4], 0
jz      short loc_133CB
mov     ecx, [esi]
or      edi, 80000000h          ; set bit 31 again
push    1
mov     [ecx+8], edi
call    ebx ; KeStallExecutionProcessor

loc_133CB:
push    0
push    1E8480h
mov     ecx, esi
call    sub_115F0
cmp     dword ptr [esi+4], 0
jz      short loc_133F5
mov     edx, [esi]
push    1
mov     dword ptr [edx+4E4h], 38000h
call    ebx ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0
jnz     short loc_133F9

loc_133F5:
xor     edi, edi                ; nothing to read back -> start from 0
jmp     short loc_13405

loc_133F9:
push    1
call    ebx ; KeStallExecutionProcessor
mov     eax, [esi]
mov     edi, [eax+4E0h]         ; current value of register +4E0h

loc_13405:
push    ebp
mov     ebp, 14h                ; pulse count
jmp     short loc_13410
align 10h

loc_13410:
or      edi, 400000h            ; bit 22 high
cmp     dword ptr [esi+4], 0
jz      short loc_13428
mov     ecx, [esi]
push    1
mov     [ecx+4E0h], edi
call    ebx

loc_13428:
and     edi, 0FFBFFFFFh         ; bit 22 low
cmp     dword ptr [esi+4], 0
jz      short loc_13440
mov     edx, [esi]
push    1
mov     [edx+4E0h], edi
call    ebx

loc_13440:
sub     ebp, 1
jnz     short loc_13410
mov     ecx, esi
call    sub_16280
and     al, 0F8h
cmp     [esi+4], ebp            ; ebp is 0 here, so this is the usual flag test
jz      short loc_1345F
mov     ecx, [esi]
push    1
mov     [ecx+188h], al
call    ebx

loc_1345F:
mov     ecx, esi
call    sub_162A0
and     al, 98h
cmp     dword ptr [esi+4], 0
jz      short loc_1347A
mov     edx, [esi]
push    1
mov     [edx+189h], al
call    ebx

loc_1347A:
xor     eax, eax
cmp     [esi+564h], eax
jnz     short loc_13489         ; [esi+564h] != 0 -> write 0
mov     eax, 80000000h          ; [esi+564h] == 0 -> write bit 31

loc_13489:
cmp     dword ptr [esi+4], 0
jz      short loc_134B1
mov     ecx, [esi]
push    1
mov     [ecx+1A0h], eax
call    ebx
cmp     dword ptr [esi+4], 0
jz      short loc_134B1
mov     edx, [esi]
push    1
mov     dword ptr [edx+1B0h], 80000000h
call    ebx

loc_134B1:
mov     edi, [esp+10h]          ; initial value only; every case below overwrites edi
xor     ebp, ebp                ; ebp = loop index 0..3

loc_134B7:              ; switch 4 cases
cmp     ebp, 3
ja      short loc_134DD ; default
jmp     ds:off_1357C[ebp*4] ; switch jump

loc_134C3:              ; case 0x0
mov     edi, 80h
jmp     short loc_134DD ; default

loc_134CA:              ; case 0x1
mov     edi, 0A0h
jmp     short loc_134DD ; default

loc_134D1:              ; case 0x2
mov     edi, 0C0h
jmp     short loc_134DD ; default

loc_134D8:              ; case 0x3
mov     edi, 0E0h

loc_134DD:              ; default
push    edi
mov     ecx, esi
call    sub_16250
and     ax, 0FFB1h
or      ax, 4031h
cmp     dword ptr [esi+4], 0
jz      short loc_134FE
mov     ecx, [esi]
push    1
mov     [ecx+edi+12h], ax       ; 16-bit store at block offset + 12h
call    ebx

loc_134FE:
add     ebp, 1
cmp     ebp, 4
jl      short loc_134B7
mov     ecx, esi
call    sub_13330
mov     ecx, esi
call    sub_12B80
xor     edi, edi
cmp     [esi+4], edi
pop     ebp
jz      short loc_13552
mov     edx, [esi]
push    1
mov     dword ptr [edx+404h], 50078000h
call    ebx
cmp     [esi+4], edi
jz      short loc_13552
mov     eax, [esi]
push    1
mov     word ptr [eax+40Ch], 301h
call    ebx
cmp     [esi+4], edi
jz      short loc_13552
mov     ecx, [esi]
push    1
mov     byte ptr [ecx+404h], 0Fh ; overwrites only the low byte of +404h
call    ebx

loc_13552:
mov     ecx, esi
call    sub_163D0
and     eax, 0FFFFFDFFh         ; clear bit 9
cmp     [esi+4], edi
jz      short loc_1356F
mov     edx, [esi]
push    1
mov     [edx+404h], eax
call    ebx

loc_1356F:
mov     [esi+51Ch], edi         ; edi is still 0
pop     edi
pop     esi
pop     ebx
pop     ecx
retn
sub_13380 endp

align 4
off_1357C dd offset loc_134C3 ; jump table for switch statement
dd offset loc_134CA
dd offset loc_134D1
dd offset loc_134D8
align 10h



; sub_13590 - constructor-style initialiser for the outer object.
; ecx = object (kept in esi); `retn 0Ch` pops three stack arguments, of which
; only the first two are read here. Returns the object in eax.
;   arg_0 : stored at [esi+20h] (sub_13CA0 / sub_13D50 later pass this field
;           to IoOpenDeviceRegistryKey as the device object)
;   arg_4 : forwarded to sub_11000, which HEAD shows reading two dwords
;           through it
; Also clears [esi+550h], [esi+554h], [esi+1EA0h] and sets [esi+24h] to
; 0FFFFFFFFh.
sub_13590 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_4]
push    esi
push    eax
mov     esi, ecx
call    sub_11000
mov     ecx, [esp+4+arg_0]
xor     eax, eax
mov     [esi+554h], eax
mov     [esi+550h], eax
mov     [esi+1EA0h], eax
mov     [esi+20h], ecx
mov     dword ptr [esi+24h], 0FFFFFFFFh
mov     eax, esi
pop     esi
retn    0Ch
sub_13590 endp

align 10h



; sub_135D0 - teardown path for the outer object (ecx = object).
; Calls sub_113D0(1) and sub_110A0, sets the dword at +24h of the block
; referenced by [esi+54Ch] to 1 when that pointer is non-NULL, releases the
; pool block in [esi+0E50h] (allocated by sub_14060) and tail-jumps to
; sub_11540 with ecx = object.
; NOTE(review): [esi+0E50h] is not cleared after ExFreePool, and the buffer
; addresses sub_14060 derived from it stay in the object's tables. If any of
; them can still be reached after this routine (for example if sub_11540 or a
; late callback touches them) that is a use-after-free; zeroing the field and
; the tables before the free would make such a path fail safely.
sub_135D0 proc near
push    esi
push    1
mov     esi, ecx
call    sub_113D0
mov     ecx, esi
call    sub_110A0
mov     eax, [esi+54Ch]
test    eax, eax
jz      short loc_135F2
mov     dword ptr [eax+24h], 1

loc_135F2:
mov     eax, [esi+0E50h]
test    eax, eax
jz      short loc_13603         ; nothing was allocated
push    eax
call    ds:ExFreePool

loc_13603:
mov     ecx, esi
pop     esi
jmp     sub_11540               ; tail call, returns to our caller
sub_135D0 endp

align 10h



; sub_13610 - returns the constant 8; takes no arguments and reads no state.
sub_13610 proc near
mov     eax, 8
retn
sub_13610 endp

align 10h


; Attributes: thunk

; sub_13620 - thunk: forwards registers and stack unchanged to sub_114E0.
sub_13620 proc near
jmp     sub_114E0
sub_13620 endp

align 10h



; sub_13630 - resets state and forwards arg_0 to sub_11450.
; ecx = object (kept in esi), one stack argument popped by `retn 4`.
; Clears [esi+8] and the dword at +30h of the block referenced by
; [esi+54Ch]; if that pointer is non-NULL it also clears [esi+0E5Ch], calls
; sub_11450(arg_0) and copies [esi+24h] to +1Ch of the block.
; NOTE(review): both arms of the `arg_0 == 1` test perform the same store, so
; the comparison has no effect.
; NOTE(review): [esi+54Ch] is written through (+30h) BEFORE it is compared
; with 0 at loc_13656. If the pointer can be NULL on entry this is a kernel
; NULL-pointer write; the check belongs in front of the store.
sub_13630 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
push    esi
push    edi
xor     edi, edi                ; edi = 0 for all stores and compares below
cmp     eax, 1
mov     esi, ecx
mov     [esi+8], edi
jnz     short loc_1364D
mov     ecx, [esi+54Ch]
mov     [ecx+30h], edi          ; unchecked dereference (see note above)
jmp     short loc_13656

loc_1364D:
mov     edx, [esi+54Ch]
mov     [edx+30h], edi          ; identical to the arg_0 == 1 arm

loc_13656:
cmp     [esi+54Ch], edi
jz      short loc_1367C
push    eax
mov     ecx, esi
mov     [esi+0E5Ch], edi
call    sub_11450
mov     eax, [esi+54Ch]         ; re-read: the callee may have changed it
cmp     eax, edi
jz      short loc_1367C
mov     ecx, [esi+24h]
mov     [eax+1Ch], ecx

loc_1367C:
pop     edi
pop     esi
retn    4
sub_13630 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_17600

; Chunk of sub_17600: returns the first dword of the block referenced by
; [ecx+54Ch]. The pointer is not NULL-checked here.
loc_13690:
mov     eax, [ecx+54Ch]
mov     eax, [eax]
retn
; END OF FUNCTION CHUNK FOR sub_17600
align 10h



; sub_136A0 - boolean predicate (ecx = object, no stack arguments).
; Returns 0 when [ecx+54Ch] is NULL or when both [ecx+0A78h] and
; [ecx+0A7Ch] are 0. Otherwise returns 1 if the dword at +30h of the
; referenced block is <= 9 (unsigned compare) and 0 if it is larger.
sub_136A0 proc near
mov     eax, [ecx+54Ch]
test    eax, eax
jz      short loc_136CA
cmp     dword ptr [ecx+0A78h], 0
jnz     short loc_136BC
cmp     dword ptr [ecx+0A7Ch], 0
jz      short loc_136CA

loc_136BC:
mov     ecx, 9
cmp     ecx, [eax+30h]          ; carry set when 9 < value
sbb     eax, eax                ; eax = -1 if value > 9, else 0
add     eax, 1                  ; -> 0 if value > 9, else 1
retn

loc_136CA:
xor     eax, eax
retn
sub_136A0 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_177D0

; Chunk of sub_177D0 (arg_0 / arg_4 are declared by that function, outside
; this excerpt). ecx = object.
; Computes p = (sub_11470(arg_0, arg_4) >> 3) + 1 and wraps it once against
; twice the first dword of the block referenced by [esi+54Ch]:
; returns p if p <= 2*N, else p - 2*N.
; The block pointer is dereferenced without a NULL check.
loc_136D0:
mov     eax, [esp+arg_4]
push    esi
mov     esi, ecx
mov     ecx, [esp+4+arg_0]
push    eax
push    ecx
mov     ecx, esi
call    sub_11470
mov     edx, [esi+54Ch]
mov     ecx, [edx]              ; N
shr     eax, 3
add     eax, 1
add     ecx, ecx                ; 2*N
cmp     eax, ecx
pop     esi
jbe     short locret_136FB      ; unsigned: already inside the range
sub     eax, ecx

locret_136FB:
retn    8
; END OF FUNCTION CHUNK FOR sub_177D0
align 10h



; sub_13700 - setter: stores arg_0 at +44h of the block referenced by
; [ecx+54Ch]. ecx = object, one stack argument popped by `retn 4`.
; The block pointer is not NULL-checked before the store.
sub_13700 proc near

arg_0= dword ptr  4

mov     eax, [ecx+54Ch]
mov     ecx, [esp+arg_0]
mov     [eax+44h], ecx
retn    4
sub_13700 endp




; sub_13710 - refreshes cached status in the block referenced by [esi+54Ch].
; ecx = object (kept in esi), no stack arguments.
; Part 1: status = sub_16380() called on the object in [esi].
;   bit 23 clear : block+50h <- 0 (block+54h is left untouched)
;   bit 23 set   : selector = (status >> 24) & 0Fh, mapped through
;                  byte_1389C to one of five cases that set block+50h to
;                  0AC44h (44100), 0BB80h (48000), 7D00h (32000),
;                  17700h (96000) or 0; block+54h <- status & 1.
;   The values look like audio sample rates - presumably block+50h is the
;   detected rate; TODO confirm.
; Part 2: for index 0 and 1, two calls to sub_111A0 (second argument 0, then
;   4) return a dword each; its four bytes are spread into eight dwords at
;   block + index*20h + 60h..7Ch.
; The block pointer is dereferenced throughout without a NULL check.
sub_13710 proc near
push    ebx
push    esi
mov     esi, ecx
mov     ecx, [esi]
push    edi
call    sub_16380
test    eax, 800000h            ; bit 23
jz      loc_137C9
mov     ecx, eax
shr     ecx, 18h
and     ecx, 0Fh                ; selector = bits 24..27
cmp     ecx, 0Ah
ja      short loc_137AE         ; selectors 0Bh..0Fh -> value 0
movzx   ecx, ds:byte_1389C[ecx]
jmp     ds:off_13888[ecx*4]

loc_13742:
mov     edx, [esi+54Ch]
mov     dword ptr [edx+50h], 0AC44h ; 44100
mov     ecx, [esi+54Ch]
and     eax, 1
mov     [ecx+54h], eax
jmp     short loc_137D6

loc_1375D:
mov     ecx, [esi+54Ch]
mov     dword ptr [ecx+50h], 0BB80h ; 48000
mov     ecx, [esi+54Ch]
and     eax, 1
mov     [ecx+54h], eax
jmp     short loc_137D6

loc_13778:
mov     edx, [esi+54Ch]
mov     dword ptr [edx+50h], 7D00h ; 32000
mov     ecx, [esi+54Ch]
and     eax, 1
mov     [ecx+54h], eax
jmp     short loc_137D6

loc_13793:
mov     ecx, [esi+54Ch]
; NOTE(review): the operand below is the number 17700h (96000). IDA rendered
; it as a code offset because the value happens to fall inside the image.
mov     dword ptr [ecx+50h], offset loc_17700
mov     ecx, [esi+54Ch]
and     eax, 1
mov     [ecx+54h], eax
jmp     short loc_137D6

loc_137AE:
mov     edx, [esi+54Ch]
mov     dword ptr [edx+50h], 0
mov     ecx, [esi+54Ch]
and     eax, 1
mov     [ecx+54h], eax
jmp     short loc_137D6

loc_137C9:
mov     edx, [esi+54Ch]
mov     dword ptr [edx+50h], 0

loc_137D6:
xor     ebx, ebx                ; ebx = index passed to sub_111A0
xor     edi, edi                ; edi = byte offset into the block (index*20h)
lea     ebx, [ebx+0]            ; alignment filler, no effect

loc_137E0:
push    0
push    ebx
mov     ecx, esi
call    sub_111A0
mov     edx, [esi+54Ch]
movzx   ecx, ah                 ; bits 8..15
mov     [edi+edx+60h], ecx
mov     edx, [esi+54Ch]
mov     ecx, eax
and     ecx, 0FFh               ; bits 0..7
mov     [edi+edx+64h], ecx
mov     edx, [esi+54Ch]
mov     ecx, eax
shr     ecx, 18h                ; bits 24..31
mov     [edi+edx+68h], ecx
mov     ecx, [esi+54Ch]
shr     eax, 10h
and     eax, 0FFh               ; bits 16..23
push    4
mov     [edi+ecx+6Ch], eax
push    ebx
mov     ecx, esi
call    sub_111A0
mov     ecx, [esi+54Ch]
movzx   edx, ah
mov     [edi+ecx+70h], edx
mov     ecx, [esi+54Ch]
mov     edx, eax
and     edx, 0FFh
mov     [edi+ecx+74h], edx
mov     ecx, [esi+54Ch]
mov     edx, eax
shr     edx, 18h
mov     [edi+ecx+78h], edx
mov     edx, [esi+54Ch]
shr     eax, 10h
and     eax, 0FFh
mov     [edi+edx+7Ch], eax
add     edi, 20h
add     ebx, 1
cmp     edi, 40h
jl      loc_137E0               ; two passes in total
pop     edi
pop     esi
pop     ebx
retn
sub_13710 endp ; sp = -10h

align 4
; Case targets for the selector switch above.
off_13888 dd offset loc_13742
dd offset loc_1375D
dd offset loc_13778
dd offset loc_13793
dd offset loc_137AE
; Selector -> case index. Read as bytes the table is
; 0, 4, 1, 2, 4, 4, 4, 4, 4, 4, 3 for selectors 0..0Ah; the 0CCh bytes that
; follow are padding.
byte_1389C db 0
db 4, 1, 2
dd 4040404h, 0CC030404h, 2 dup(0CCCCCCCCh)
; NOTE(review): the dwords below do not belong to the table. Their bytes
; start 56 8B F1 (push esi / mov esi, ecx) and end C2 04 00 (retn 4), so this
; is most likely a function IDA left undefined - re-analyse it as code.
dd 83F18B56h, 0E54BEh, 8B570000h, 750C247Ch
dd 247E3905h, 0E8571C74h, 0FFFFDC34h, 127CC085h
dd 54C868Bh, 7E890000h, 1C788924h, 170BE89h
dd 5E5F0000h, 0CC0004C2h, 2 dup(0CCCCCCCCh)



; sub_138F0 - returns the address of the member at offset 30h of the object
; passed in ecx (pointer arithmetic only, nothing is read).
sub_138F0 proc near
lea     eax, [ecx+30h]
retn
sub_138F0 endp

align 10h
; Unnamed routine (IDA did not create a proc): stores the single stack
; argument at +2Ch of the block referenced by [ecx+54Ch]. `retn 4` pops the
; argument. The block pointer is not NULL-checked.
mov     eax, [ecx+54Ch]
mov     ecx, [esp+4]
mov     [eax+2Ch], ecx
retn    4
; Undefined bytes; they decode as a second small setter:
;   8B 44 24 04         mov eax, [esp+4]
;   89 81 54 0E 00 00   mov [ecx+0E54h], eax
;   C2 04 00            retn 4
; The character comments IDA attached to the bytes are not meaningful.
db  8Bh ; ï
db  44h ; D
db  24h ; $
db    4
db  89h ; ë
db  81h ; ü
db  54h ; T
db  0Eh
db    0
db    0
db 0C2h ; -
db    4
db    0
align 10h



; sub_13920 - three stack arguments, popped by `retn 0Ch`; ecx is not used.
; When arg_0 == 1 it writes 0 through the pointer in arg_4 and 60h through
; the pointer in arg_8; for any other arg_0 it does nothing.
; eax on return is a by-product (arg_0 - 1, or the arg_4 pointer), not a
; status. Neither pointer is validated before the store.
sub_13920 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     eax, [esp+arg_0]
sub     eax, 1
jnz     short locret_1393D      ; only selector 1 is handled
mov     eax, [esp+arg_4]
mov     ecx, [esp+arg_8]
mov     dword ptr [eax], 0
mov     dword ptr [ecx], 60h

locret_1393D:
retn    0Ch
sub_13920 endp




; sub_13940 - ecx = object, no stack arguments.
; Returns 0 when [ecx+54Ch] is NULL, otherwise
;   [ecx+550h] * (first dword of the referenced block) * 8 + 20h.
; The multiplication is a plain 32-bit imul; overflow is not detected.
sub_13940 proc near
mov     edx, [ecx+54Ch]
xor     eax, eax
test    edx, edx
jz      short locret_1395C
mov     eax, [ecx+550h]
imul    eax, [edx]
lea     eax, ds:20h[eax*8]      ; eax = eax*8 + 20h

locret_1395C:
retn
sub_13940 endp

align 10h



; sub_13960 - bit test in a dword table inside the object.
; ecx = object; three stack arguments popped by `retn 0Ch`.
; Reads the dword at object + 0A68h + (arg_0*2 + arg_4)*4 and returns it
; ANDed with (1 << arg_8), i.e. non-zero when that bit is set.
; NOTE(review): arg_0 and arg_4 are used as indices without a range check,
; so an out-of-range value reads outside the table. The shift count is taken
; from cl and the CPU masks it to 5 bits.
sub_13960 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     edx, [esp+arg_0]
mov     eax, ecx
mov     ecx, [esp+arg_4]
push    esi
lea     edx, [ecx+edx*2+29Ah]   ; dword index; 29Ah*4 = 0A68h
mov     ecx, [esp+4+arg_8]
mov     eax, [eax+edx*4]
mov     esi, 1
shl     esi, cl
and     eax, esi
pop     esi
retn    0Ch
sub_13960 endp

align 10h



; sub_13990 - stores a pair of dwords in a table inside the object.
; ecx = object; six stack arguments popped by `retn 18h`.
; slot = ((arg_0*2 + arg_4)*8 + arg_8)*2 + arg_C
; [object + 568h + slot*8] <- arg_10, [object + 56Ch + slot*8] <- arg_14.
; NOTE(review): none of the four index arguments is range-checked, so the
; write lands wherever the arithmetic points; callers must validate them
; before values from outside the driver reach this routine.
sub_13990 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_10= dword ptr  14h
arg_14= dword ptr  18h

mov     edx, [esp+arg_0]
mov     eax, [esp+arg_4]
lea     eax, [eax+edx*2]
mov     edx, [esp+arg_8]
lea     eax, [edx+eax*8]
mov     edx, [esp+arg_C]
lea     eax, [edx+eax*2]        ; eax = slot
mov     edx, [esp+arg_10]
mov     [ecx+eax*8+568h], edx
mov     edx, [esp+arg_14]
mov     [ecx+eax*8+56Ch], edx
retn    18h
sub_13990 endp

align 10h



; sub_139D0 - adds one strided stream of signed 32-bit values into another,
; clamping instead of wrapping. ecx is not used; three stack arguments are
; popped by `retn 0Ch`.
;   arg_0 : pointer to {destination pointer, destination stride}
;   arg_4 : pointer to {source pointer, source stride}
;   arg_8 : element count (signed; <= 0 does nothing)
; Strides are in dwords (multiplied by 4 before use). Nothing happens when
; either data pointer is NULL.
; Per element: if both operands are positive and the sum exceeds 7FFFFFFFh
; the result is 7FFFFFFFh; if both are negative and the sum is not negative
; the result is 80000000h; otherwise the plain sum is stored.
; NOTE(review): arg_0 / arg_4 themselves are dereferenced unchecked, and the
; count and strides are trusted - the caller owns the bounds.
sub_139D0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     eax, [esp+arg_4]
mov     ecx, [esp+arg_0]
mov     edx, [ecx]              ; edx = destination cursor
mov     ecx, [ecx+4]            ; destination stride
push    esi
mov     esi, [eax]              ; esi = source cursor
test    esi, esi
mov     eax, [eax+4]            ; source stride (mov leaves the flags alone)
jz      short loc_13A43
test    edx, edx
jz      short loc_13A43
push    edi
mov     edi, [esp+8+arg_8]
test    edi, edi
jle     short loc_13A42
push    ebx
push    ebp
lea     ebx, ds:0[eax*4]        ; source step in bytes
lea     ebp, ds:0[ecx*4]        ; destination step in bytes

loc_13A04:
mov     eax, [edx]              ; a = *dst
test    eax, eax
mov     ecx, [esi]              ; b = *src
jle     short loc_13A22         ; a <= 0
test    ecx, ecx
jle     short loc_13A20         ; a > 0, b <= 0
add     eax, ecx
cmp     eax, 7FFFFFFFh
jbe     short loc_13A35         ; unsigned compare: no positive overflow
mov     eax, 7FFFFFFFh          ; clamp high
jmp     short loc_13A35

loc_13A20:
test    eax, eax                ; re-create the flags the next jge expects

loc_13A22:
jge     short loc_13A33         ; a >= 0 -> cannot overflow downwards
test    ecx, ecx
jge     short loc_13A33         ; mixed signs -> cannot overflow
add     eax, ecx
js      short loc_13A35         ; still negative -> no overflow
mov     eax, 80000000h          ; clamp low
jmp     short loc_13A35

loc_13A33:
add     eax, ecx

loc_13A35:
mov     [edx], eax
add     esi, ebx
add     edx, ebp
sub     edi, 1
jnz     short loc_13A04
pop     ebp
pop     ebx

loc_13A42:
pop     edi

loc_13A43:
pop     esi
retn    0Ch
sub_139D0 endp

align 10h
; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
align 10h
; Unnamed routine (IDA did not create a proc). ecx = object, one stack
; argument (a channel index, kept in edi), popped by `retn 4`.
; Calls sub_110C0(index, 0), clears the four per-index dwords at
; object + index*4 + 0E70h / 0E78h / 0E80h / 0E88h (the queue positions used
; by sub_13B90 and sub_13B20), then calls sub_11170(index, 0).
; NOTE(review): the index is not range-checked before it scales the stores.
push    ebx
push    esi
push    edi
mov     edi, [esp+10h]          ; the stack argument
xor     ebx, ebx
push    ebx
push    edi
mov     esi, ecx
call    sub_110C0
push    ebx
push    edi
mov     ecx, esi
mov     [esi+edi*4+0E88h], ebx
mov     [esi+edi*4+0E78h], ebx
mov     [esi+edi*4+0E80h], ebx
mov     [esi+edi*4+0E70h], ebx
call    sub_11170
pop     edi
pop     esi
pop     ebx
retn    4
align 10h
; Unnamed routine (IDA did not create a proc). ecx = object, one stack
; argument (a channel index), popped by `retn 4`.
; Clears the four per-index queue positions at object + index*4 + 0E70h /
; 0E78h / 0E80h / 0E88h and then calls sub_110C0(index, 1).
; NOTE(review): the index is not range-checked before it scales the stores.
mov     eax, [esp+4]
xor     edx, edx
push    1
push    eax
mov     [ecx+eax*4+0E88h], edx
mov     [ecx+eax*4+0E78h], edx
mov     [ecx+eax*4+0E80h], edx
mov     [ecx+eax*4+0E70h], edx
call    sub_110C0
retn    4
align 10h
; Unnamed routine (IDA did not create a proc): takes one byte out of a
; per-index 400h-byte circular buffer. ecx = object, one stack argument
; (index), popped by `retn 4`.
; The buffer is empty when [0E78h + index*4] equals [0E88h + index*4]; in
; that case 0FFFFFFFFh is returned. Otherwise the byte at
; object + 1690h + index*400h + position is returned zero-extended and the
; position at 0E88h advances modulo 400h.
; NOTE(review): the index is not range-checked; only the position is kept
; inside the buffer by the modulo.
mov     edx, [esp+4]
mov     eax, [ecx+edx*4+0E78h]
cmp     eax, [ecx+edx*4+0E88h]
jz      short loc_13B19         ; positions equal -> nothing queued
push    esi
mov     esi, [ecx+edx*4+0E88h]  ; current read position
mov     eax, edx
shl     eax, 0Ah                ; index * 400h
add     eax, esi
movzx   eax, byte ptr [eax+ecx+1690h]
add     esi, 1
and     esi, 800003FFh          ; compiler idiom for a signed "% 400h"
jns     short loc_13B0E
dec     esi
or      esi, 0FFFFFC00h
inc     esi

loc_13B0E:
mov     [ecx+edx*4+0E88h], esi
pop     esi
retn    4

loc_13B19:
or      eax, 0FFFFFFFFh
retn    4
align 10h



; sub_13B20 - returns 1 when the two queue positions at
; object + arg_0*4 + 0E78h and + 0E88h differ (data is pending), else 0.
; ecx = object, one stack argument popped by `retn 4`; the index is not
; range-checked.
sub_13B20 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
mov     edx, [ecx+eax*4+0E78h]
push    ebx
xor     ebx, ebx
cmp     edx, [ecx+eax*4+0E88h]
setnz   bl
mov     eax, ebx
pop     ebx
retn    4
sub_13B20 endp

align 10h
; Three unnamed stubs (IDA did not create procs); ecx is passed through to
; the callees untouched.
; Stub 1: returns 1 if sub_11150(argument) is non-zero, else 0.
mov     eax, [esp+4]
push    eax
call    sub_11150
neg     eax                     ; carry set when eax was non-zero
sbb     eax, eax                ; eax = -1 or 0
neg     eax                     ; eax = 1 or 0
retn    4
align 10h
; Stub 2: calls sub_110F0(first argument, low byte of second argument) and
; always returns 1.
movzx   eax, byte ptr [esp+8]
mov     edx, [esp+4]
push    eax
push    edx
call    sub_110F0
mov     eax, 1
retn    8
align 10h
; Stub 3: always returns 1.
mov     eax, 1
retn
align 10h



; sub_13B90 - moves bytes between the device helpers and the per-index
; 400h-byte circular buffers. ecx = object (kept in esi); two stack
; arguments popped by `retn 8`.
;   arg_0 : direction selector (0 or non-zero)
;   arg_4 : channel index (kept in edi); its stack slot is reused as a
;           one-byte scratch variable
; arg_0 == 0: calls sub_11170(index, 0); if the buffer at 0E90h is not empty
;   (positions 0E70h vs 0E80h) one byte is removed, passed to
;   sub_110F0(index, byte) and recorded at +34h of the block in [esi+54Ch];
;   if bytes remain, sub_11170(index, 1) is called. Returns 0.
; arg_0 != 0: while sub_11120(index, &byte) returns non-zero, the byte is
;   appended to the buffer at 1690h (position 0E78h, modulo 400h) and
;   recorded at +38h of the block. Returns 1 if at least one byte was
;   stored, otherwise 0.
; NOTE(review): the append loop never compares the write position with the
; read position at 0E88h, so a producer that outruns the consumer silently
; overwrites unread bytes. The channel index is not range-checked, and
; [esi+54Ch] is dereferenced without a NULL check.
sub_13B90 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_0], 0
push    esi
push    edi
mov     edi, [esp+8+arg_4]
mov     esi, ecx
jnz     loc_13C28
push    0
push    edi
call    sub_11170
mov     eax, [esi+edi*4+0E70h]
cmp     eax, [esi+edi*4+0E80h]
jz      short loc_13C07         ; nothing queued
mov     eax, [esi+edi*4+0E80h]  ; read position
mov     ecx, edi
shl     ecx, 0Ah                ; index * 400h
add     ecx, eax
movzx   ecx, byte ptr [ecx+esi+0E90h]
add     eax, 1
and     eax, 800003FFh          ; signed "% 400h" idiom
jns     short loc_13BE2
dec     eax
or      eax, 0FFFFFC00h
inc     eax

loc_13BE2:
movzx   edx, cl
push    edx
mov     byte ptr [esp+0Ch+arg_4], cl ; keep the byte across the call
push    edi
mov     ecx, esi
mov     [esi+edi*4+0E80h], eax
call    sub_110F0
movzx   eax, byte ptr [esp+8+arg_4]
mov     ecx, [esi+54Ch]
mov     [ecx+34h], eax          ; last byte handed to sub_110F0

loc_13C07:
mov     edx, [esi+edi*4+0E70h]
cmp     edx, [esi+edi*4+0E80h]
jz      short loc_13C21
push    1
push    edi
mov     ecx, esi
call    sub_11170

loc_13C21:
pop     edi
xor     eax, eax
pop     esi
retn    8

loc_13C28:
lea     eax, [esp+8+arg_4]      ; scratch byte lives in the arg_4 slot
push    eax
push    edi
call    sub_11120
test    eax, eax
jz      short loc_13C21         ; nothing available -> return 0
push    ebx
mov     ebx, edi
shl     ebx, 0Ah                ; index * 400h
lea     ecx, [ecx+0]            ; alignment filler, no effect

loc_13C40:
mov     edx, [esi+edi*4+0E78h]  ; write position
mov     al, byte ptr [esp+0Ch+arg_4]
lea     ecx, [ebx+esi]
mov     [ecx+edx+1690h], al
mov     ecx, [esi+edi*4+0E78h]
add     ecx, 1
and     ecx, 800003FFh          ; signed "% 400h" idiom
jns     short loc_13C6F
dec     ecx
or      ecx, 0FFFFFC00h
inc     ecx

loc_13C6F:
movzx   edx, byte ptr [esp+0Ch+arg_4]
mov     [esi+edi*4+0E78h], ecx
mov     eax, [esi+54Ch]
lea     ecx, [esp+0Ch+arg_4]
push    ecx
push    edi
mov     ecx, esi
mov     [eax+38h], edx          ; last byte stored
call    sub_11120
test    eax, eax
jnz     short loc_13C40
pop     ebx
pop     edi
mov     eax, 1
pop     esi
retn    8
sub_13B90 endp




; sub_13CA0 - loads the registry value "MixerESP1010e" into a caller buffer.
; ecx = object ([ecx+20h] is passed as the device object); two stack
; arguments popped by `retn 8`: destination buffer, then expected length.
; Returns an NTSTATUS in eax.
; Steps: IoOpenDeviceRegistryKey(device, 2, 1F0000h, &handle); allocate
; length + 34h bytes with ExAllocatePool(1, ...); ZwQueryValueKey(handle,
; &name, 1, buffer, size, &size); if the dword at buffer+0Ch (the data
; length for information class 1) equals the expected length, copy that many
; bytes from buffer + [buffer+8] to the destination, otherwise return
; 0C0000023h; free the buffer; ZwClose(handle).
; The IDA var_* names above do not match the esp-relative operands used in
; the body; the stack layout was recovered only partially.
; NOTE(review): the equality test on the data length is what keeps the
; memcpy inside the caller's buffer - keep it if this code is reworked. The
; value type is not checked.
; NOTE(review): when IoOpenDeviceRegistryKey fails, control jumps to
; loc_13D3A and ZwClose runs on the handle variable, which this routine never
; initialised. Closing an arbitrary value from kernel mode is unsafe;
; initialise the handle to 0 and skip ZwClose when the open failed.
; NOTE(review): when ExAllocatePool returns NULL, edi still holds the
; successful open status, so the caller is told the read succeeded although
; nothing was copied. An explicit insufficient-resources status is needed.
; NOTE(review): length + 34h is computed without an overflow check.
sub_13CA0 proc near

var_48= dword ptr -48h
var_34= dword ptr -34h
var_30= dword ptr -30h
var_2C= dword ptr -2Ch
var_28= dword ptr -28h
var_18= dword ptr -18h
var_10= dword ptr -10h
var_C= dword ptr -0Ch

mov     ecx, [ecx+20h]
sub     esp, 10h
push    edi
lea     eax, [esp+14h+var_C]    ; &handle
push    eax
push    1F0000h                 ; desired access
push    2                       ; key type
push    ecx                     ; device object
call    ds:IoOpenDeviceRegistryKey
mov     edi, eax                ; edi = status to return
test    edi, edi
jl      short loc_13D3A         ; failure path still reaches ZwClose (see note)
push    ebx
push    esi
push    offset aMixeresp1010e ; "MixerESP1010e"
lea     edx, [esp+18h]          ; UNICODE_STRING for the value name
push    edx
call    ds:RtlInitUnicodeString
mov     ebx, [esp+24h]          ; ebx = expected length (second argument)
lea     eax, [ebx+34h]          ; room for the value header and name
push    eax
push    1                       ; pool type 1
mov     [esp+14h], eax          ; also used as the query length
call    ds:ExAllocatePool
mov     esi, eax
test    esi, esi
jz      short loc_13D38         ; status stays "success" here (see note)
mov     ecx, [esp+0Ch]
lea     eax, [esp+0Ch]          ; receives the result length
push    eax
mov     eax, [esp+14h]          ; handle
push    ecx
push    esi
push    1                       ; information class 1
lea     edx, [esp+24h]
push    edx
push    eax
call    ds:ZwQueryValueKey
mov     edi, eax
test    edi, edi
jl      short loc_13D31
mov     eax, [esi+0Ch]          ; data length reported by the registry
cmp     ebx, eax
jnz     short loc_13D2C         ; size mismatch -> reject, copy nothing
mov     ecx, [esi+8]            ; data offset inside the buffer
mov     edx, [esp+20h]          ; destination (first argument)
push    eax
add     ecx, esi
push    ecx
push    edx
call    memcpy
add     esp, 0Ch
jmp     short loc_13D31

loc_13D2C:
mov     edi, 0C0000023h         ; STATUS_BUFFER_TOO_SMALL

loc_13D31:
push    esi
call    ds:ExFreePool

loc_13D38:
pop     esi
pop     ebx

loc_13D3A:
mov     eax, [esp+8]            ; handle variable (uninitialised if the open failed)
push    eax
call    ds:ZwClose
mov     eax, edi
pop     edi
add     esp, 10h
retn    8
sub_13CA0 endp ; sp =  8

align 10h



; sub_13D50 - stores a caller buffer as registry value "MixerESP1010e".
; ecx = object ([ecx+20h] is passed as the device object); two stack
; arguments popped by `retn 8`: data pointer, then data size. Returns an
; NTSTATUS in eax.
; Steps: IoOpenDeviceRegistryKey(device, 2, 1F0000h, &handle);
; ZwSetValueKey(handle, &name, 0, 4, data, size); ZwClose(handle).
; IDA's arg_8 / arg_C / arg_28 names are artefacts of its stack tracking:
; with the bias applied they resolve to the first argument, the second
; argument and the handle variable.
; NOTE(review): the value is written with type 4 (REG_DWORD) whatever the
; size is, while sub_13CA0 reads it back as an opaque blob.
; NOTE(review): when IoOpenDeviceRegistryKey fails, loc_13DA0 still calls
; ZwClose on the handle variable, which was never initialised. Initialise it
; to 0 and close only after a successful open.
sub_13D50 proc near

var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_28= dword ptr  2Ch

mov     ecx, [ecx+20h]
sub     esp, 0Ch
push    esi
lea     eax, [esp+10h+var_C]    ; &handle
push    eax
push    1F0000h                 ; desired access
push    2                       ; key type
push    ecx                     ; device object
call    ds:IoOpenDeviceRegistryKey
mov     esi, eax                ; esi = status to return
test    esi, esi
jl      short loc_13DA0         ; failure path still reaches ZwClose (see note)
push    offset aMixeresp1010e ; "MixerESP1010e"
lea     edx, [esp+14h+var_8]    ; UNICODE_STRING for the value name
push    edx
call    ds:RtlInitUnicodeString
mov     eax, [esp+8+arg_C]      ; data size (second argument)
mov     ecx, [esp+8+arg_8]      ; data pointer (first argument)
push    eax
mov     eax, [esp+0Ch+var_4]    ; handle
push    ecx
push    4                       ; value type
push    0                       ; title index
lea     edx, [esp+18h]
push    edx
push    eax
call    ds:ZwSetValueKey
mov     esi, eax

loc_13DA0:
mov     ecx, [esp-28h+arg_28]   ; handle variable (uninitialised if the open failed)
push    ecx
call    ds:ZwClose
mov     eax, esi
pop     esi
add     esp, 0Ch
retn    8
sub_13D50 endp ; sp =  38h

align 10h
; START OF FUNCTION CHUNK FOR sub_17810

; Chunk of sub_17810: write dispatcher. The arg_* names are declared by
; sub_17810, outside this excerpt; `retn 14h` pops five stack arguments.
; ecx points at a pair of object pointers ([ecx] and [ecx+4]).
;   arg_0 : target selector - 1000011h, 1000111h or 1000211h
;   arg_4 : offset / address value passed on to the target
;   arg_8 : value to write
;   arg_C : unit selector (1..2, or 1..4 for 1000011h)
; 1000211h: sub_11820(arg_4, arg_8) on [ecx] (unit 1) or [ecx+4] (unit 2).
; 1000111h: byte store of arg_8 at (register base of the chosen object) +
;           arg_4, followed by a 1 microsecond stall; skipped when the
;           object's flag at +4 is 0.
; 1000011h: sub_11360(a, b, arg_4, arg_8) with (a, b) = (0,0), (0,1), (1,0),
;           (1,1) for units 1..4; ecx is passed through unchanged.
; Any other combination returns without doing anything.
; NOTE(review): in the 1000111h path arg_4 is added to the register base
; with no range check. If these arguments can be influenced from outside the
; driver (for example through a device-control request - not visible here),
; the dispatcher needs an offset whitelist or a bound on arg_4.
loc_13DC0:
mov     eax, [esp+arg_0]
cmp     eax, 1000011h
jz      loc_13E57
cmp     eax, 1000111h
jz      short loc_13E1C
cmp     eax, 1000211h
jnz     locret_13EBF    ; default
mov     eax, [esp+arg_C]
sub     eax, 1
jz      short loc_13E08         ; unit 1
sub     eax, 1
jnz     locret_13EBF    ; default
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
mov     ecx, [ecx+4]            ; unit 2 -> second object
push    eax
push    edx
call    sub_11820
retn    14h

loc_13E08:
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
mov     ecx, [ecx]              ; unit 1 -> first object
push    eax
push    edx
call    sub_11820
retn    14h

loc_13E1C:
mov     eax, [esp+arg_C]
sub     eax, 1
jz      short loc_13E33
sub     eax, 1
jnz     locret_13EBF    ; default
mov     ecx, [ecx+4]
jmp     short loc_13E35

loc_13E33:
mov     ecx, [ecx]

loc_13E35:
cmp     dword ptr [ecx+4], 0
jz      locret_13EBF    ; default
mov     eax, [ecx]              ; register base of the chosen object
mov     cl, byte ptr [esp+arg_8]
mov     edx, [esp+arg_4]
push    1
mov     [edx+eax], cl           ; unchecked offset (see note above)
call    ds:KeStallExecutionProcessor
retn    14h

loc_13E57:
mov     eax, [esp+arg_C]
add     eax, 0FFFFFFFFh ; switch 4 cases
cmp     eax, 3
ja      short locret_13EBF ; default
jmp     ds:off_13EC4[eax*4] ; switch jump

loc_13E6A:              ; case 0x1
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
push    eax
push    edx
push    0
push    0
call    sub_11360
retn    14h

loc_13E80:              ; case 0x2
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
push    eax
push    edx
push    1
push    0
call    sub_11360
retn    14h

loc_13E96:              ; case 0x3
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
push    eax
push    edx
push    0
push    1
call    sub_11360
retn    14h

loc_13EAC:              ; case 0x4
mov     eax, [esp+arg_8]
mov     edx, [esp+arg_4]
push    eax
push    edx
push    1
push    1
call    sub_11360

locret_13EBF:           ; default
retn    14h
; END OF FUNCTION CHUNK FOR sub_17810
align 4
off_13EC4 dd offset loc_13E6A ; jump table for switch statement
dd offset loc_13E80
dd offset loc_13E96
dd offset loc_13EAC
align 10h
; START OF FUNCTION CHUNK FOR sub_17820

; Chunk of sub_17820: read dispatcher, counterpart of the write dispatcher
; at loc_13DC0. The arg_* names are declared by sub_17820, outside this
; excerpt; `retn 10h` pops four stack arguments. ecx points at a pair of
; object pointers ([ecx] and [ecx+4]).
;   arg_0 : target selector - 1000011h, 1000111h or 1000211h
;   arg_4 : offset / address value passed on to the target
;   arg_8 : unit selector (1..2, or 1..4 for 1000011h)
; 1000211h: sub_12B50(arg_4), result zero-extended from al.
; 1000111h: sub_115C0(arg_4) on [ecx] (unit 1) or [ecx+4] (unit 2), result
;           zero-extended from al.
; 1000011h: sub_113A0(a, b, arg_4) with (a, b) = (0,0), (0,1), (1,0), (1,1)
;           for units 1..4, result zero-extended from ax.
; Any other combination returns 0.
; NOTE(review): for 1000211h both unit 1 and unit 2 read through [ecx],
; whereas the write dispatcher uses [ecx+4] for unit 2. Either the two units
; share one object for reads or this is an inconsistency in the original
; driver - confirm before relying on unit 2 read-back.
; NOTE(review): arg_4 reaches the helpers unvalidated; any bounds checking
; has to live in sub_12B50 / sub_115C0 / sub_113A0 or in the caller.
loc_13EE0:
mov     edx, [esp+arg_0]
xor     eax, eax                ; default result 0
cmp     edx, 1000011h
jz      loc_13F73
cmp     edx, 1000111h
jz      short loc_13F3C
cmp     edx, 1000211h
jnz     locret_13FD3    ; default
mov     edx, [esp+arg_8]
sub     edx, 1
jz      short loc_13F2A         ; unit 1
sub     edx, 1
jnz     locret_13FD3    ; default
mov     eax, [esp+arg_4]
mov     ecx, [ecx]              ; unit 2 also uses the first object (see note)
push    eax
call    sub_12B50
movzx   eax, al
retn    10h

loc_13F2A:
mov     edx, [esp+arg_4]
mov     ecx, [ecx]
push    edx
call    sub_12B50
movzx   eax, al
retn    10h

loc_13F3C:
mov     edx, [esp+arg_8]
sub     edx, 1
jz      short loc_13F61         ; unit 1
sub     edx, 1
jnz     locret_13FD3    ; default
mov     eax, [esp+arg_4]
mov     ecx, [ecx+4]            ; unit 2 -> second object
push    eax
call    sub_115C0
movzx   eax, al
retn    10h

loc_13F61:
mov     edx, [esp+arg_4]
mov     ecx, [ecx]
push    edx
call    sub_115C0
movzx   eax, al
retn    10h

loc_13F73:
mov     edx, [esp+arg_8]
add     edx, 0FFFFFFFFh ; switch 4 cases
cmp     edx, 3
ja      short locret_13FD3 ; default
jmp     ds:off_13FD8[edx*4] ; switch jump

loc_13F86:              ; case 0x1
mov     eax, [esp+arg_4]
push    eax
push    0
push    0
call    sub_113A0
movzx   eax, ax
retn    10h

loc_13F9A:              ; case 0x2
mov     edx, [esp+arg_4]
push    edx
push    1
push    0
call    sub_113A0
movzx   eax, ax
retn    10h

loc_13FAE:              ; case 0x3
mov     eax, [esp+arg_4]
push    eax
push    0
push    1
call    sub_113A0
movzx   eax, ax
retn    10h

loc_13FC2:              ; case 0x4
mov     edx, [esp+arg_4]
push    edx
push    1
push    1
call    sub_113A0
movzx   eax, ax

locret_13FD3:           ; default
retn    10h
; END OF FUNCTION CHUNK FOR sub_17820
align 4
off_13FD8 dd offset loc_13F86 ; jump table for switch statement
dd offset loc_13F9A
dd offset loc_13FAE
dd offset loc_13FC2
align 10h



; sub_13FF0 - classifies a position against the size N stored in the first
; dword of the block referenced by [esi+54Ch].
; ecx = object; two stack arguments popped by `retn 8` and forwarded to
; sub_11470 (IDA numbers them from 8 because of the leading push).
; Returns 0 when [esi+54Ch] is NULL. Otherwise, with
; p = sub_11470(arg_0, arg_4) >> 3 and all compares unsigned:
;   returns 1 when 0 < p < N or p == 2*N
;   returns 0 when p == 0, N <= p < 2*N, or p > 2*N
; presumably this reports which half of a 2*N double buffer is current -
; TODO confirm against the callers.
sub_13FF0 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, ecx
cmp     dword ptr [esi+54Ch], 0
jnz     short loc_14002
xor     eax, eax
pop     esi
retn    8

loc_14002:
mov     eax, [esp+arg_4]
mov     ecx, [esp+arg_0]
push    edi
push    eax
push    ecx
mov     ecx, esi
xor     edi, edi                ; edi = result, default 0
call    sub_11470
shr     eax, 3                  ; p
jz      short loc_14025
mov     edx, [esi+54Ch]
cmp     eax, [edx]
jb      short loc_14049         ; 0 < p < N -> 1

loc_14025:
mov     ecx, [esi+54Ch]
mov     ecx, [ecx]              ; N
cmp     eax, ecx
jz      short loc_1403A         ; p == N -> 0
jbe     short loc_14043         ; p < N (only p == 0 gets here)
lea     edx, [ecx+ecx]          ; 2*N
cmp     eax, edx
jnb     short loc_14043         ; p >= 2*N

loc_1403A:
xor     edi, edi
mov     eax, edi
pop     edi
pop     esi
retn    8

loc_14043:
add     ecx, ecx
cmp     eax, ecx
jnz     short loc_1404E         ; anything but exactly 2*N -> 0

loc_14049:
mov     edi, 1

loc_1404E:
mov     eax, edi
pop     edi
pop     esi
retn    8
sub_13FF0 endp

align 10h



; sub_14060 - allocates one 40000h-byte pool block and carves it into
; 1000h-byte buffers. ecx = object (kept in esi), no stack arguments.
; The block pointer is saved at [esi+0E50h] (released by sub_135D0). A local
; array {0, 1, 2, 3} supplies a group number g for each of four passes; each
; pass fills 16 consecutive {pointer, 1} pairs at
; esi + g*80h + 0BD0h .. 0C4Ch, advancing the pointer by 1000h per pair.
; 4 groups * 16 buffers * 1000h = 40000h, i.e. exactly the allocation.
; NOTE(review): the ExAllocatePool result is never compared with 0. On
; failure the tables are filled with 0, 1000h, 2000h, ... and only the first
; entry fails a later "pointer != 0" test (see sub_14770), so the rest would
; be dereferenced as if they were valid. A NULL check that leaves the tables
; zeroed and reports the failure is required.
; NOTE(review): ExAllocatePool is untagged and pool type 0 is executable
; non-paged pool on older Windows; a tagged NonPagedPoolNx allocation is the
; hardened equivalent where the target OS supports it.
sub_14060 proc near

var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4

sub     esp, 10h
push    ebx
push    ebp
push    esi
push    edi
xor     ebx, ebx                ; ebx = pass counter
push    40000h                  ; size
mov     edi, 1                  ; edi = constant 1 stored beside every pointer
push    ebx                     ; pool type 0
mov     esi, ecx
mov     [esp+28h+var_10], ebx   ; group order table: 0, 1, 2, 3
mov     [esp+28h+var_C], edi
mov     [esp+28h+var_8], 2
mov     [esp+28h+var_4], 3
call    ds:ExAllocatePool
mov     [esi+0E50h], eax        ; not NULL-checked (see note)
lea     ebx, [ebx+0]            ; alignment filler, no effect

loc_140A0:
mov     ecx, [esp+ebx*4+20h+var_10] ; g = group for this pass
lea     edx, ds:0[ecx*8]
lea     ebp, [edx+0BDh]
shl     edx, 4
mov     [edx+esi+0BD4h], edi
shl     ebp, 4                  ; g*80h + 0BD0h
mov     [esi+ebp], eax
add     eax, 1000h
mov     edx, ecx
shl     edx, 7
mov     [edx+esi+0BD8h], eax
mov     [edx+esi+0BDCh], edi
add     edx, esi                ; result unused (edx is reloaded below)
add     eax, 1000h
lea     edx, ds:0[ecx*8]
lea     ebp, [edx+0BEh]
shl     edx, 4
mov     [edx+esi+0BE4h], edi
shl     ebp, 4
mov     [esi+ebp], eax
add     eax, 1000h
mov     edx, ecx
shl     edx, 7
mov     [edx+esi+0BE8h], eax
mov     [edx+esi+0BECh], edi
add     edx, esi
add     eax, 1000h
lea     edx, ds:0[ecx*8]
lea     ebp, [edx+0BFh]
shl     edx, 4
mov     [edx+esi+0BF4h], edi
shl     ebp, 4
mov     [esi+ebp], eax
add     eax, 1000h
mov     edx, ecx
shl     edx, 7
mov     [edx+esi+0BF8h], eax
mov     [edx+esi+0BFCh], edi
add     edx, esi
add     eax, 1000h
lea     edx, [ecx+18h]
shl     edx, 7                  ; g*80h + 0C00h
mov     [edx+esi], eax
mov     edx, ecx
shl     edx, 7
mov     [edx+esi+0C04h], edi
add     eax, 1000h
mov     edx, ecx
shl     edx, 7
mov     [edx+esi+0C08h], eax
add     edx, esi
mov     [edx+0C0Ch], edi
lea     edx, ds:0[ecx*8]
lea     ebp, [edx+0C1h]
shl     edx, 4
mov     [edx+esi+0C14h], edi
add     eax, 1000h
shl     ebp, 4
mov     [esi+ebp], eax
mov     edx, ecx
shl     edx, 7
add     edx, esi
mov     [edx+0C1Ch], edi
add     eax, 1000h
mov     [edx+0C18h], eax
lea     edx, ds:0[ecx*8]
lea     ebp, [edx+0C2h]
shl     edx, 4
mov     [edx+esi+0C24h], edi
add     eax, 1000h
shl     ebp, 4
mov     [esi+ebp], eax
mov     edx, ecx
shl     edx, 7
add     edx, esi
add     eax, 1000h
mov     [edx+0C28h], eax
mov     [edx+0C2Ch], edi
lea     edx, ds:0[ecx*8]
add     eax, 1000h
lea     ebp, [edx+0C3h]
shl     edx, 4
mov     [edx+esi+0C34h], edi
shl     ebp, 4
mov     [esi+ebp], eax
mov     edx, ecx
shl     edx, 7
add     eax, 1000h
add     edx, esi
mov     [edx+0C38h], eax
mov     [edx+0C3Ch], edi
lea     edx, ds:0[ecx*8]
add     eax, 1000h
lea     ebp, [edx+0C4h]
shl     ebp, 4
mov     [esi+ebp], eax
shl     ecx, 7
shl     edx, 4
add     eax, 1000h
add     ecx, esi
mov     [edx+esi+0C44h], edi
mov     [ecx+0C48h], eax
add     ebx, edi                ; next pass
add     eax, 1000h
cmp     ebx, 4
mov     [ecx+0C4Ch], edi        ; mov does not disturb the flags from cmp
jl      loc_140A0
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 10h
retn
sub_14060 endp

align 10h



; sub_14290 - builds the descriptor table at +0A0h..+19Ch of the block
; referenced by [esi+54Ch]. ecx = object (kept in esi), no stack arguments.
; Inputs read from the object: [esi+0E60h] (running address, edi),
; [esi+0E64h] (second running address, ebp), [esi+0E68h] (copied to
; block+5Ch) and N = first dword of the block.
; Eight rounds each write four {address, 2} pairs into the block (addresses
; edi, edi+4, edi+N*8 and edi+N*8+4) and call sub_11420(a, b, ebp, N*16)
; with (a, b) = (0,0), (0,2), (0,4), (0,6), (1,0), (1,2), (1,4), (1,6);
; edi and ebp advance by N*16 per round. Finally memset is called on the
; original [esi+0E60h] address and the routine stalls 32h microseconds.
; NOTE(review): IDA's stack tracking drifts in this function (see
; `sp = -80h` at endp). If sub_11420 pops its four arguments, var_18, var_28
; ... var_78 and var_88 all name the slot written as var_8 (N*8), and var_84
; names var_4 - the round sizes above rely on that reading; TODO confirm from
; sub_11420's return instruction.
; NOTE(review): under that reading the final memset clears N*64 bytes while
; the eight rounds span N*128 bytes from the same start address - check
; whether leaving the second half uncleared is intended.
; NOTE(review): N comes from the shared block and scales every address with
; no upper bound, and [esi+54Ch] is dereferenced without a NULL check; the
; memory behind [esi+0E60h] / [esi+0E64h] must have been sized for N.
sub_14290 proc near

var_88= dword ptr -88h
var_84= dword ptr -84h
var_78= dword ptr -78h
var_68= dword ptr -68h
var_58= dword ptr -58h
var_48= dword ptr -48h
var_38= dword ptr -38h
var_28= dword ptr -28h
var_18= dword ptr -18h
var_8= dword ptr -8
var_4= dword ptr -4

sub     esp, 8
push    ebx
push    ebp
push    esi
mov     esi, ecx
mov     ecx, [esi+54Ch]
mov     edx, [ecx]              ; N
mov     ebx, [esi+0E68h]
push    edi
mov     edi, [esi+0E60h]
mov     [ecx+5Ch], ebx
mov     ecx, [esi+54Ch]
mov     [ecx], edx              ; writes N back unchanged
mov     ebp, [esi+0E64h]
lea     eax, ds:0[edx*4]        ; N*4
mov     edx, [esi+54Ch]
mov     [edx+0A0h], edi
mov     ecx, [esi+54Ch]
mov     ebx, 2                  ; ebx = constant 2 stored beside every address
mov     [ecx+0A4h], ebx
mov     ecx, [esi+54Ch]
lea     edx, [edi+4]
mov     [ecx+0B0h], edx
mov     edx, [esi+54Ch]
mov     [edx+0B4h], ebx
mov     edx, [esi+54Ch]
add     eax, eax                ; N*8
lea     ecx, [eax+edi]
mov     [edx+0A8h], ecx
mov     edx, [esi+54Ch]
mov     [edx+0ACh], ebx
mov     edx, [esi+54Ch]
mov     [esp+18h+var_8], eax    ; remember N*8
add     ecx, 4
add     eax, eax                ; N*16 = size argument
push    eax
mov     [edx+0B8h], ecx
mov     ecx, [esi+54Ch]
push    ebp
push    0
mov     [ecx+0BCh], ebx
push    0
mov     ecx, esi
mov     [esp+28h+var_4], edi    ; remember the start address for the final memset
call    sub_11420               ; round 1: (0, 0)
mov     edx, [esi+54Ch]
mov     eax, [esp+28h+var_18]
add     eax, eax
add     edi, eax
mov     eax, [esp+28h+var_18]
mov     [edx+0C0h], edi
mov     ecx, [esi+54Ch]
mov     [ecx+0C4h], ebx
mov     ecx, [esi+54Ch]
lea     edx, [edi+4]
mov     [ecx+0D0h], edx
mov     edx, [esi+54Ch]
mov     ecx, [esp+28h+var_18]
mov     [edx+0D4h], ebx
mov     edx, [esi+54Ch]
add     ecx, edi
mov     [edx+0C8h], ecx
mov     edx, [esi+54Ch]
mov     [edx+0CCh], ebx
mov     edx, [esi+54Ch]
add     eax, eax
add     ecx, 4
push    eax
add     ebp, eax
mov     [edx+0D8h], ecx
mov     ecx, [esi+54Ch]
push    ebp
push    ebx
mov     [ecx+0DCh], ebx
push    0
mov     ecx, esi
call    sub_11420               ; round 2: (0, 2)
mov     eax, [esp+38h+var_28]
mov     edx, [esi+54Ch]
add     eax, eax
add     edi, eax
add     ebp, eax
mov     [edx+0E0h], edi
mov     ecx, [esi+54Ch]
mov     [ecx+0E4h], ebx
mov     ecx, [esi+54Ch]
lea     edx, [edi+4]
mov     [ecx+0F0h], edx
mov     edx, [esi+54Ch]
mov     ecx, [esp+38h+var_28]
mov     [edx+0F4h], ebx
mov     edx, [esi+54Ch]
add     ecx, edi
mov     [edx+0E8h], ecx
mov     edx, [esi+54Ch]
mov     [edx+0ECh], ebx
mov     edx, [esi+54Ch]
add     ecx, 4
push    eax
mov     [edx+0F8h], ecx
mov     ecx, [esi+54Ch]
push    ebp
push    4
mov     [ecx+0FCh], ebx
push    0
mov     ecx, esi
call    sub_11420               ; round 3: (0, 4)
mov     edx, [esi+54Ch]
mov     eax, [esp+48h+var_38]
add     eax, eax
add     edi, eax
mov     [edx+100h], edi
mov     ecx, [esi+54Ch]
mov     [ecx+104h], ebx
mov     ecx, [esi+54Ch]
lea     edx, [edi+4]
mov     [ecx+110h], edx
mov     edx, [esi+54Ch]
mov     ecx, [esp+48h+var_38]
mov     [edx+114h], ebx
mov     edx, [esi+54Ch]
add     ecx, edi
mov     [edx+108h], ecx
mov     edx, [esi+54Ch]
mov     [edx+10Ch], ebx
mov     edx, [esi+54Ch]
add     ecx, 4
push    eax
add     ebp, eax
mov     [edx+118h], ecx
mov     ecx, [esi+54Ch]
push    ebp
push    6
mov     [ecx+11Ch], ebx
push    0
mov     ecx, esi
call    sub_11420               ; round 4: (0, 6)
mov     edx, [esi+54Ch]
mov     eax, [esp+58h+var_48]
add     eax, eax
add     edi, eax
mov     [edx+120h], edi
add     ebp, eax
mov     eax, [esi+54Ch]
mov     [eax+124h], ebx
mov     edx, [esi+54Ch]
lea     ecx, [edi+4]
mov     [edx+130h], ecx
mov     eax, [esi+54Ch]
mov     ecx, [esp+58h+var_48]
mov     [eax+134h], ebx
mov     edx, [esi+54Ch]
lea     eax, [edi+ecx]
mov     [edx+128h], eax
mov     edx, [esi+54Ch]
mov     [edx+12Ch], ebx
mov     edx, [esi+54Ch]
add     eax, 4
mov     [edx+138h], eax
mov     eax, [esi+54Ch]
mov     [eax+13Ch], ebx
lea     eax, [ecx+ecx]
push    eax
push    ebp
push    0
push    1
mov     ecx, esi
call    sub_11420               ; round 5: (1, 0)
mov     ecx, [esi+54Ch]
mov     eax, [esp+68h+var_58]
add     eax, eax
add     edi, eax
mov     [ecx+140h], edi
mov     edx, [esi+54Ch]
mov     [edx+144h], ebx
mov     edx, [esi+54Ch]
lea     ecx, [edi+4]
mov     [edx+150h], ecx
mov     ecx, [esi+54Ch]
mov     edx, [esp+68h+var_58]
mov     [ecx+154h], ebx
lea     ecx, [edi+edx]
mov     edx, [esi+54Ch]
mov     [edx+148h], ecx
mov     edx, [esi+54Ch]
mov     [edx+14Ch], ebx
mov     edx, [esi+54Ch]
add     ecx, 4
push    eax
add     ebp, eax
mov     [edx+158h], ecx
mov     ecx, [esi+54Ch]
push    ebp
push    ebx
mov     [ecx+15Ch], ebx
push    1
mov     ecx, esi
call    sub_11420               ; round 6: (1, 2)
mov     edx, [esi+54Ch]
mov     eax, [esp+78h+var_68]
add     eax, eax
add     edi, eax
mov     [edx+160h], edi
mov     ecx, [esi+54Ch]
mov     [ecx+164h], ebx
mov     ecx, [esi+54Ch]
lea     edx, [edi+4]
mov     [ecx+170h], edx
mov     edx, [esi+54Ch]
mov     ecx, [esp+78h+var_68]
mov     [edx+174h], ebx
mov     edx, [esi+54Ch]
add     ecx, edi
mov     [edx+168h], ecx
mov     edx, [esi+54Ch]
mov     [edx+16Ch], ebx
mov     edx, [esi+54Ch]
add     ecx, 4
push    eax
add     ebp, eax
mov     [edx+178h], ecx
mov     ecx, [esi+54Ch]
push    ebp
push    4
mov     [ecx+17Ch], ebx
push    1
mov     ecx, esi
call    sub_11420               ; round 7: (1, 4)
mov     edx, [esi+54Ch]
mov     eax, [esp+88h+var_78]
add     eax, eax
add     edi, eax
mov     [edx+180h], edi
mov     ecx, [esi+54Ch]
mov     [ecx+184h], ebx
mov     ecx, [esi+54Ch]
lea     edx, [edi+4]
mov     [ecx+190h], edx
mov     edx, [esi+54Ch]
mov     ecx, [esp+88h+var_78]
mov     [edx+194h], ebx
mov     edx, [esi+54Ch]
add     edi, ecx
mov     [edx+188h], edi
mov     ecx, [esi+54Ch]
mov     [ecx+18Ch], ebx
mov     edx, [esi+54Ch]
push    eax
add     eax, ebp
add     edi, 4
mov     [edx+198h], edi
mov     ecx, [esi+54Ch]
push    eax
push    6
mov     [ecx+19Ch], ebx
push    1
mov     ecx, esi
call    sub_11420               ; round 8: (1, 6)
mov     eax, [esp+98h+var_88]
mov     edx, [esp+98h+var_84]
add     eax, eax
add     eax, eax
add     eax, eax                ; length = saved value * 8
push    eax
push    0
push    edx
call    memset                  ; cdecl: caller pops the 0Ch bytes below
add     esp, 0Ch
push    32h
call    ds:KeStallExecutionProcessor
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn
sub_14290 endp ; sp = -80h

align 10h



; sub_14720 - caches two results of sub_13FF0 in the object.
; ecx = object (kept in esi), no stack arguments.
;   [esi+550h] <- sub_13FF0(0, 0)
;   [esi+554h] <- sub_13FF0(1, 0)
; If [esi+54Ch] is non-NULL, [esi+550h] is also copied to +10h of that
; block. Finally [esi+1E90h] and [esi+1E94h] are set to 1.
sub_14720 proc near
push    esi
push    edi
push    0
push    0
mov     esi, ecx
call    sub_13FF0
push    0
mov     edi, 1
push    edi
mov     ecx, esi
mov     [esi+550h], eax
call    sub_13FF0
mov     [esi+554h], eax
mov     eax, [esi+54Ch]
test    eax, eax
jz      short loc_1475B
mov     ecx, [esi+550h]
mov     [eax+10h], ecx

loc_1475B:
mov     [esi+1E90h], edi
mov     [esi+1E94h], edi
pop     edi
pop     esi
retn
sub_14720 endp

align 10h



; sub_14770 - zero-fills strided buffers. ecx = object, no stack arguments.
; 8 outer * 2 inner passes = 16 values of k. Each pass takes four
; {pointer, stride} pairs:
;   block + 0A0h + k*8   (block = [ecx+54Ch]; table built by sub_14290)
;   object + 0BD0h + k*8 (table built by sub_14060)
;   object + 0C50h + k*8
;   object + 0CD0h + k*8
; and, when the pointer is non-NULL and N > 0 (signed test), writes N zero
; dwords starting at the pointer, stepping stride*4 bytes. N is the first
; dword of the block and is re-read before every fill.
; ebx holds 0FFFFF44Ch - object so that ebx + esi yields the 0A0h + k*8
; offset into the block.
; NOTE(review): N and the strides are trusted. The sub_14060 buffers are
; 1000h bytes each, so N * stride * 4 has to stay within that; no such
; check is visible here. [ecx+54Ch] is dereferenced without a NULL check.
; NOTE(review): a non-NULL test is the only pointer validation, which does
; not catch the 1000h, 2000h, ... values sub_14060 stores when its
; allocation fails.
sub_14770 proc near

var_4= dword ptr -4

push    ecx
push    ebx
push    ebp
push    esi
mov     ebx, 0FFFFF44Ch
push    edi
sub     ebx, ecx                ; ebx = -(object + 0BB4h)
lea     esi, [ecx+0C54h]        ; esi = cursor over the object's tables
mov     [esp+14h+var_4], 8      ; outer counter
lea     ebx, [ebx+0]            ; alignment filler, no effect

loc_14790:
mov     ebp, 2                  ; inner counter

loc_14795:
mov     edx, [ecx+54Ch]
mov     edi, [edx]              ; N
lea     eax, [ebx+esi]          ; 0A0h + k*8
add     eax, edx                ; entry in the block's table
mov     edx, [eax]              ; pointer
test    edx, edx
mov     eax, [eax+4]            ; stride (mov leaves the flags alone)
jz      short loc_147C0
test    edi, edi
jle     short loc_147C0
add     eax, eax
add     eax, eax                ; stride * 4 bytes

loc_147B3:
mov     dword ptr [edx], 0
add     edx, eax
sub     edi, 1
jnz     short loc_147B3

loc_147C0:
mov     eax, [ecx+54Ch]
mov     edx, [eax]              ; N
mov     eax, [esi-84h]          ; pointer from object + 0BD0h + k*8
test    eax, eax
mov     edi, [esi-80h]          ; stride
jz      short loc_147ED
test    edx, edx
jle     short loc_147ED
add     edi, edi
add     edi, edi
lea     ecx, [ecx+0]            ; alignment filler, no effect

loc_147E0:
mov     dword ptr [eax], 0
add     eax, edi
sub     edx, 1
jnz     short loc_147E0

loc_147ED:
mov     eax, [esi-4]            ; pointer from object + 0C50h + k*8
test    eax, eax
mov     edx, [ecx+54Ch]
mov     edx, [edx]              ; N
mov     edi, [esi]              ; stride
jz      short loc_1481D
test    edx, edx
jle     short loc_1481D
add     edi, edi
add     edi, edi
jmp     short loc_14810
align 10h

loc_14810:
mov     dword ptr [eax], 0
add     eax, edi
sub     edx, 1
jnz     short loc_14810

loc_1481D:
mov     eax, [ecx+54Ch]
mov     edx, [eax]              ; N
mov     eax, [esi+7Ch]          ; pointer from object + 0CD0h + k*8
test    eax, eax
mov     edi, [esi+80h]          ; stride
jz      short loc_1484D
test    edx, edx
jle     short loc_1484D
add     edi, edi
add     edi, edi
lea     ebx, [ebx+0]            ; alignment filler, no effect

loc_14840:
mov     dword ptr [eax], 0
add     eax, edi
sub     edx, 1
jnz     short loc_14840

loc_1484D:
add     esi, 8                  ; next k
sub     ebp, 1
jnz     loc_14795
sub     [esp+14h+var_4], 1
jnz     loc_14790
pop     edi
pop     esi
pop     ebp
pop     ebx
pop     ecx
retn
sub_14770 endp

align 10h



; sub_14870 -- multi-phase pass over the object's bit masks that zeroes, copies
; or forwards (to sub_139D0) strided dword buffers, then clears the two
; "pending" flags that sub_14720 sets.
; In:    ecx = object pointer (kept in esi for the whole routine)
; Out:   no return value is prepared
; Frame: 0E4h bytes of locals plus four saved registers. IDA shows operands as
;        [esp+0F4h+var_X]; the base grows to 0FCh/0F8h/100h while call
;        arguments are on the stack.
;
; Descriptor: 8-byte pair, +0 buffer pointer, +4 stride in dwords (multiplied
; by 4 before use). The element count of every loop is the first dword of the
; block at [obj+54Ch].
;
; Recurring inlined "selector": r = sub_11470(a, b) >> 3 is compared with
; n = [[obj+54Ch]]; the selector is 1 when r is nonzero and below n, or when
; r equals 2*n, and 0 otherwise. When [obj+54Ch] is NULL the call is skipped
; and the selector is 0.
;
; Phases:
;   1. loc_14890: zero eight buffers named by descriptors 14h..22h (+selector)
;      of the +54Ch block.
;   2. loc_14931: only when [obj+1E94h] == 1. For masks at obj+0A6Ch+8*i
;      (i = 0..4) and each set bit, copy between descriptor tables and flip
;      the per-bit toggle at obj+0AB0h; then clear +1E94h and set +1E9Ch.
;   3. loc_14B58: only when [obj+1E90h] == 1. Count contributors per bit in
;      var_C0[0..7], copy/zero/forward per set bit of the masks at
;      obj+0A68h+8*i, handle descriptors 14h/16h, then a second pass that
;      counts contributors per destination slot in the 40-dword array at
;      var_A0; finally clear +1E90h and set +1E98h.
;
; NOTE(review): several paths test [obj+54Ch] for NULL only to pick selector 0
; and then still read through the (NULL) base register; and [obj+54Ch] is
; read at loc_14D9D's tail with no test at all. Confirm the field can never be
; NULL when this routine runs.
; NOTE(review): the index into var_A0 (40 dwords) is computed from two object
; fields with no range check visible here -- see loc_1501D.
sub_14870 proc near

var_F4= dword ptr -0F4h
var_E4= dword ptr -0E4h
var_E0= dword ptr -0E0h
var_DC= dword ptr -0DCh
var_D8= dword ptr -0D8h
var_D4= dword ptr -0D4h
var_D0= dword ptr -0D0h
var_CC= dword ptr -0CCh
var_C8= dword ptr -0C8h
var_C4= dword ptr -0C4h
var_C0= dword ptr -0C0h
var_BC= dword ptr -0BCh
var_B8= dword ptr -0B8h
var_B4= dword ptr -0B4h
var_B0= dword ptr -0B0h
var_AC= dword ptr -0ACh
var_A8= dword ptr -0A8h
var_A4= dword ptr -0A4h
var_A0= dword ptr -0A0h
var_9C= dword ptr -9Ch

sub     esp, 0E4h
push    ebx
push    ebp
push    esi
push    edi
mov     esi, ecx
mov     [esp+0F4h+var_E4], 0 ; phase 1 loop index (0..7)
mov     ebx, 14h        ; phase 1 descriptor index, steps by 2 up to 22h
lea     esp, [esp+0]    ; padding no-op

; ---- Phase 1: zero one buffer per index ---------------------------------
loc_14890:
mov     ecx, [esi+54Ch]
test    ecx, ecx
jnz     short loc_1489E
xor     eax, eax        ; NULL block: selector 0 (ecx stays 0, see loc_148E6)
jmp     short loc_148E6

loc_1489E:
mov     eax, [esp+0F4h+var_E4]
push    eax
xor     edi, edi
push    edi
mov     ecx, esi
call    sub_11470       ; stack arguments: 0 (pushed last), loop index
shr     eax, 3
jz      short loc_148BC
mov     ecx, [esi+54Ch]
cmp     eax, [ecx]
jb      short loc_148DF ; nonzero and below n: selector 1

loc_148BC:
mov     ecx, [esi+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_148CC
xor     edi, edi        ; r == n: selector 0
jmp     short loc_148E4

loc_148CC:
; flags are still those of "cmp eax, edx" above (jnz does not change them)
jbe     short loc_148D9
lea     ebp, [edx+edx]
cmp     eax, ebp
jnb     short loc_148D9
xor     edi, edi        ; n below r below 2*n: selector 0
jmp     short loc_148E4

loc_148D9:
add     edx, edx
cmp     eax, edx
jnz     short loc_148E4 ; anything else keeps edi = 0

loc_148DF:
mov     edi, 1          ; r == 2*n (or the early branch): selector 1

loc_148E4:
mov     eax, edi

loc_148E6:
; NOTE(review): when the NULL branch above was taken ecx is 0 here, yet
; [ecx+eax*8] and [ecx] are read below.
add     eax, ebx
lea     edx, [ecx+eax*8] ; descriptor (ebx + selector) in the +54Ch block
mov     eax, [edx]      ; buffer pointer
test    eax, eax
mov     ecx, [ecx]      ; element count
mov     edx, [edx+4]    ; stride in dwords
jz      short loc_1490D
test    ecx, ecx
jle     short loc_1490D
add     edx, edx
add     edx, edx        ; stride * 4
mov     edi, edi        ; padding no-op

loc_14900:
mov     dword ptr [eax], 0
add     eax, edx
sub     ecx, 1
jnz     short loc_14900

loc_1490D:
add     [esp+0F4h+var_E4], 1
add     ebx, 2
cmp     ebx, 24h
jl      loc_14890       ; eight passes: ebx = 14h, 16h, .. 22h

; ---- Phase 2: runs only while [obj+1E94h] == 1 ----------------------------
cmp     dword ptr [esi+1E94h], 1
jnz     loc_14B58
xor     ebx, ebx
mov     [esp+0F4h+var_E0], ebx ; var_E0 = mask index i (0..4)

loc_14931:
lea     eax, ds:0[ebx*8]
cmp     dword ptr [eax+esi+0A6Ch], 0 ; mask for index i
jz      loc_14B34
cmp     ebx, 2
jnz     short loc_1495F
; index 2 only: bump the counter at [[obj+54Ch]+30h], saturating at 0Ah
mov     ecx, [esi+54Ch]
test    ecx, ecx
jz      short loc_1495F
cmp     dword ptr [ecx+30h], 0Ah
jnb     short loc_1495F
add     dword ptr [ecx+30h], 1

loc_1495F:
lea     ecx, [eax+eax*2] ; i * 24
xor     ebp, ebp        ; ebp = bit index within the mask
lea     edx, [esi+ecx*8+190h] ; obj + 190h + i*0C0h, stepped by 18h per bit
mov     [esp+0F4h+var_E4], ebp
mov     [esp+0F4h+var_DC], 24h ; descriptor index for loc_14BF5, step 2
mov     [esp+0F4h+var_D4], edx
jmp     short loc_14980
align 10h

loc_14980:
mov     edx, 1
mov     ecx, ebp
shl     edx, cl
lea     eax, ds:0[ebx*8]
mov     [esp+0F4h+var_D0], eax ; i * 8, reused at loc_14A72
test    [eax+esi+0A6Ch], edx
jz      loc_14B14       ; bit clear: next bit
mov     ecx, [esi+54Ch]
test    ecx, ecx
jnz     short loc_149AF
xor     edx, edx        ; NULL block: selector 0, ecx stays 0
jmp     short loc_149F8

loc_149AF:
push    ebp
push    1
mov     ecx, esi
xor     edi, edi
call    sub_11470       ; stack arguments: 1 (pushed last), bit index
shr     eax, 3
jz      short loc_149CA
mov     ecx, [esi+54Ch]
cmp     eax, [ecx]
jb      short loc_149F1

loc_149CA:
mov     ecx, [esi+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_149DA
xor     edi, edi
jmp     short loc_149F6

loc_149DA:
jbe     short loc_149EB
lea     ebx, [edx+edx]
cmp     eax, ebx
mov     ebx, [esp+0F4h+var_E0] ; restore i (mov leaves the flags intact)
jnb     short loc_149EB
xor     edi, edi
jmp     short loc_149F6

loc_149EB:
add     edx, edx
cmp     eax, edx
jnz     short loc_149F6

loc_149F1:
mov     edi, 1

loc_149F6:
mov     edx, edi        ; edx = selector for the (1, bit) query

loc_149F8:
mov     edi, ebx
shl     edi, 4          ; i * 16
lea     eax, [edi+ebp]
lea     eax, [esi+eax*4+0AB0h] ; per-(i, bit) toggle dword
mov     [esp+0F4h+var_CC], eax ; remembered so loc_14B01 can flip it
mov     eax, [eax]
mov     [esp+0F4h+var_D8], eax ; current toggle value
mov     eax, [esp+0F4h+var_D4]
cmp     dword ptr [eax], 0
jz      loc_14BF5       ; entry clear: source comes from the +54Ch block
test    ecx, ecx
jnz     short loc_14A26
xor     eax, eax
jmp     short loc_14A72

loc_14A26:
xor     ebx, ebx
push    ebp
push    ebx
mov     ecx, esi
mov     [esp+0FCh+var_C8], ebx ; 0, reloaded at loc_14A61
call    sub_11470       ; stack arguments: 0 (pushed last), bit index
shr     eax, 3
jz      short loc_14A44
mov     ecx, [esi+54Ch]
cmp     eax, [ecx]
jb      short loc_14A6B

loc_14A44:
mov     ecx, [esi+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_14A54
xor     ebx, ebx
jmp     short loc_14A70

loc_14A54:
jbe     short loc_14A65
lea     ebx, [edx+edx]
cmp     eax, ebx
jnb     short loc_14A61
xor     ebx, ebx
jmp     short loc_14A70

loc_14A61:
mov     ebx, [esp+0F4h+var_C8]

loc_14A65:
add     edx, edx
cmp     eax, edx
jnz     short loc_14A70

loc_14A6B:
mov     ebx, 1

loc_14A70:
mov     eax, ebx        ; eax = selector for the (0, bit) query

loc_14A72:
; Source descriptor: obj + (selector + (i*8 + bit)*2 + 17Ah) * 8.
; Destination descriptor: obj + 5E8h + (toggle + (i*16 + bit)*2) * 8.
; NOTE(review): ecx may be 0 here if the NULL branch was taken above.
mov     edx, [esp+0F4h+var_D0]
mov     ecx, [ecx]      ; element count
add     edx, ebp
lea     eax, [eax+edx*2+17Ah]
lea     edx, [esi+eax*8]
mov     eax, [esp+0F4h+var_D8]
add     ebp, edi
lea     eax, [eax+ebp*2]
mov     ebx, [esi+eax*8+5E8h] ; destination pointer
mov     ebp, [edx+4]    ; source stride
lea     edi, [esi+eax*8+5E8h]
mov     eax, [edx]      ; source pointer
test    eax, eax
mov     edi, [edi+4]    ; destination stride
jz      short loc_14ACF
test    ebx, ebx
jz      short loc_14ACF
test    ecx, ecx
jle     short loc_14ACF
add     ebp, ebp
add     edi, edi
add     ebp, ebp
add     edi, edi
mov     [esp+0F4h+var_D0], edi ; var_D0 now holds the destination byte step
jmp     short loc_14AC0
align 10h

loc_14AC0:
; strided dword copy, source -> destination
mov     edi, [eax]
mov     [ebx], edi
add     ebx, [esp+0F4h+var_D0]
add     eax, ebp
sub     ecx, 1
jnz     short loc_14AC0

loc_14ACF:
; then zero the source buffer that was just copied out
mov     eax, [edx]
test    eax, eax
mov     ecx, [esi+54Ch]
mov     ecx, [ecx]
mov     edx, [edx+4]
jz      short loc_14AFD
test    ecx, ecx
jle     short loc_14AFD
add     edx, edx
add     edx, edx
jmp     short loc_14AF0
align 10h

loc_14AF0:
mov     dword ptr [eax], 0
add     eax, edx
sub     ecx, 1
jnz     short loc_14AF0

loc_14AFD:
mov     ebp, [esp+0F4h+var_E4] ; restore the bit index

loc_14B01:
; flip the toggle: store 1 if it was 0, otherwise 0
mov     edx, [esp+0F4h+var_CC]
mov     ebx, [esp+0F4h+var_E0]
xor     ecx, ecx
cmp     [esp+0F4h+var_D8], ecx
setz    cl
mov     [edx], ecx

loc_14B14:
mov     eax, [esp+0F4h+var_DC]
add     [esp+0F4h+var_D4], 18h
add     eax, 2
add     ebp, 1
cmp     eax, 34h
mov     [esp+0F4h+var_E4], ebp
mov     [esp+0F4h+var_DC], eax
jl      loc_14980       ; eight bits per mask (var_DC = 24h .. 32h)

loc_14B34:
add     ebx, 1
cmp     ebx, 5
mov     [esp+0F4h+var_E0], ebx
jl      loc_14931       ; five masks
mov     dword ptr [esi+1E94h], 0 ; phase 2 done: clear its request flag
mov     dword ptr [esi+1E9Ch], 1

; ---- Phase 3: runs only while [obj+1E90h] == 1 ----------------------------
loc_14B58:
; var_C0 .. var_A4 form an 8-dword counter array, one counter per bit index
xor     eax, eax
cmp     dword ptr [esi+1E90h], 1
mov     [esp+0F4h+var_C0], eax
mov     [esp+0F4h+var_BC], eax
mov     [esp+0F4h+var_B8], eax
mov     [esp+0F4h+var_B4], eax
mov     [esp+0F4h+var_B0], eax
mov     [esp+0F4h+var_AC], eax
mov     [esp+0F4h+var_A8], eax
mov     [esp+0F4h+var_A4], eax
jnz     loc_1518E       ; flags are from the cmp above; mov does not alter them
mov     [esp+0F4h+var_E0], eax ; mask index i
lea     eax, [esi+1A0h]
mov     [esp+0F4h+var_E4], eax ; pointer stepped by 0C0h per mask
mov     eax, 0FFFFF598h ; var_D0 = -(obj + 0A68h) after the sub below
mov     ebx, 2A4h       ; table index base, stepped by 10h per mask
lea     ebp, [esi+0A68h] ; address of the current mask, stepped by 8
sub     eax, esi
mov     [esp+0F4h+var_C8], ebx
mov     [esp+0F4h+var_D4], ebp
mov     [esp+0F4h+var_D0], eax

loc_14BB3:
cmp     [esp+0F4h+var_E0], 2
jz      loc_14D9D       ; mask 2 is skipped in this loop
cmp     dword ptr [ebp+0], 0
jz      loc_14D9D
xor     edi, edi        ; edi = bit index
mov     [esp+0F4h+var_DC], 14h

loc_14BD2:
mov     edx, 1
mov     ecx, edi
shl     edx, cl
test    [ebp+0], edx
jz      loc_14D86
mov     edx, [esi+54Ch]
test    edx, edx
jnz     short loc_14C58
xor     ecx, ecx        ; NULL block: selector 0, edx stays 0
jmp     loc_14CA8

; ---- Phase 2 side path (entered from loc_149F8 when [var_D4] == 0) --------
loc_14BF5:
; Source descriptor: (var_DC + selector) in the +54Ch block; destination as at
; loc_14A72. Copies only, then rejoins phase 2 at loc_14B01.
mov     eax, [esp+0F4h+var_DC]
add     eax, edx
lea     edx, [ecx+eax*8]
mov     ecx, [ecx]
lea     eax, [edi+ebp]
mov     edi, [esp+0F4h+var_D8]
lea     eax, [edi+eax*2]
mov     ebx, [esi+eax*8+5E8h]
lea     edi, [esi+eax*8+5E8h]
mov     eax, [edx]
test    eax, eax
mov     edx, [edx+4]
mov     edi, [edi+4]
jz      loc_14B01
test    ebx, ebx
jz      loc_14B01
test    ecx, ecx
jle     loc_14B01
add     edx, edx
add     edi, edi
add     edx, edx
add     edi, edi
mov     [esp+0F4h+var_D0], edi

loc_14C44:
mov     edi, [eax]
mov     [ebx], edi
add     ebx, [esp+0F4h+var_D0]
add     eax, edx
sub     ecx, 1
jnz     short loc_14C44
jmp     loc_14B01

; ---- Phase 3 continues ---------------------------------------------------
loc_14C58:
xor     ebp, ebp
push    edi
push    ebp
mov     ecx, esi
mov     [esp+0FCh+var_CC], ebp ; 0, reloaded at loc_14C93
call    sub_11470       ; stack arguments: 0 (pushed last), bit index
shr     eax, 3
jz      short loc_14C76
mov     edx, [esi+54Ch]
cmp     eax, [edx]
jb      short loc_14C9D

loc_14C76:
mov     edx, [esi+54Ch]
mov     ecx, [edx]
cmp     eax, ecx
jnz     short loc_14C86
xor     ebp, ebp
jmp     short loc_14CA2

loc_14C86:
jbe     short loc_14C97
lea     ebp, [ecx+ecx]
cmp     eax, ebp
jnb     short loc_14C93
xor     ebp, ebp
jmp     short loc_14CA2

loc_14C93:
mov     ebp, [esp+0F4h+var_CC]

loc_14C97:
add     ecx, ecx
cmp     eax, ecx
jnz     short loc_14CA2

loc_14C9D:
mov     ebp, 1

loc_14CA2:
mov     ecx, ebp        ; ecx = selector
mov     ebp, [esp+0F4h+var_D4] ; restore the mask address

loc_14CA8:
add     [esp+edi*4+0F4h+var_C0], 1 ; one more contributor for this bit (edi is 0..7)
lea     eax, [ebx+edi]
lea     eax, [esi+eax*4] ; toggle dword: obj + 0A90h + i*40h + bit*4
mov     [esp+0F4h+var_C4], eax
mov     eax, [eax]
mov     [esp+0F4h+var_D8], eax ; current toggle value
add     ebx, edi
lea     eax, [eax+ebx*2]
lea     ebx, [esi+eax*8-24D8h] ; obj + 568h + (toggle + (i*16 + bit)*2) * 8
mov     eax, [esp+0F4h+var_DC]
add     eax, ecx
lea     ecx, [edx+eax*8] ; descriptor (var_DC + selector) in the +54Ch block
mov     eax, [esp+0F4h+var_D0]
add     eax, ebp        ; (mask address) - (obj + 0A68h) = i * 8
add     eax, edi
lea     eax, [eax+eax*2]
cmp     dword ptr [esi+eax*8+18Ch], 0 ; entry (i*8 + bit), 18h bytes each
jz      short loc_14D1F
mov     eax, [esp+0F4h+var_E4]
cmp     dword ptr [eax], 1
jnz     short loc_14D1F
; entry set and [obj+1A0h+i*0C0h] == 1: zero the +54Ch-block buffer
mov     eax, [ecx]
test    eax, eax
mov     edx, [edx]      ; element count (edx may be 0 on the NULL path)
mov     ecx, [ecx+4]
jz      short loc_14D6F
test    edx, edx
jle     short loc_14D6F
lea     ebx, ds:0[ecx*4]
mov     ecx, edx
jmp     short loc_14D10
align 10h

loc_14D10:
mov     dword ptr [eax], 0
add     eax, ebx
sub     ecx, 1
jnz     short loc_14D10
jmp     short loc_14D6F

loc_14D1F:
cmp     [esp+edi*4+0F4h+var_C0], 1
jle     short loc_14D34
; more than one contributor for this bit: hand both descriptors and the
; element count to sub_139D0 (its behaviour is not visible here)
mov     edx, [edx]
push    edx
push    ebx
push    ecx
mov     ecx, esi
call    sub_139D0
jmp     short loc_14D6F

loc_14D34:
; single contributor: strided copy from the ebx descriptor's buffer into the
; +54Ch-block descriptor's buffer
mov     eax, [ebx]
test    eax, eax
mov     ebp, [edx]
mov     edx, [ecx]
mov     ebx, [ebx+4]
mov     ecx, [ecx+4]
jz      short loc_14D6F
test    edx, edx
jz      short loc_14D6F
test    ebp, ebp
jle     short loc_14D6F
add     ebx, ebx
add     ecx, ecx
add     ebx, ebx
add     ecx, ecx
mov     [esp+0F4h+var_CC], ecx
mov     ecx, ebp
lea     ebx, [ebx+0]    ; padding no-op

loc_14D60:
mov     ebp, [eax]
mov     [edx], ebp
add     edx, [esp+0F4h+var_CC]
add     eax, ebx
sub     ecx, 1
jnz     short loc_14D60

loc_14D6F:
; restore loop registers and flip the toggle (1 if it was 0, otherwise 0)
mov     eax, [esp+0F4h+var_C4]
mov     ebx, [esp+0F4h+var_C8]
mov     ebp, [esp+0F4h+var_D4]
xor     edx, edx
cmp     [esp+0F4h+var_D8], edx
setz    dl
mov     [eax], edx

loc_14D86:
mov     eax, [esp+0F4h+var_DC]
add     eax, 2
add     edi, 1
cmp     eax, 24h
mov     [esp+0F4h+var_DC], eax
jl      loc_14BD2       ; eight bits (var_DC = 14h .. 22h)

loc_14D9D:
add     [esp+0F4h+var_E0], 1
add     [esp+0F4h+var_E4], 0C0h
add     ebx, 10h
add     ebp, 8
cmp     ebx, 2E4h
mov     [esp+0F4h+var_D4], ebp
mov     [esp+0F4h+var_C8], ebx
jl      loc_14BB3       ; four masks (ebx = 2A4h .. 2D4h)
; NOTE(review): [obj+54Ch] is dereferenced below without a NULL test.
mov     ecx, [esi+54Ch]
xor     ebp, ebp
cmp     [ecx+4Ch], ebp
mov     [esp+0F4h+var_E4], ebp
jz      loc_14F01       ; [block+4Ch] == 0: zero-fill variant below
mov     [esp+0F4h+var_D8], 14h

; ---- [block+4Ch] != 0: descriptors 14h and 16h --------------------------
loc_14DE1:
mov     ecx, [esi+54Ch]
xor     edi, edi
test    ecx, ecx
jz      short loc_14E2E
push    ebp
push    1
mov     ecx, esi
call    sub_11470       ; stack arguments: 1 (pushed last), index
shr     eax, 3
jz      short loc_14E06
mov     ecx, [esi+54Ch]
cmp     eax, [ecx]
jb      short loc_14E29

loc_14E06:
mov     ecx, [esi+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_14E16
xor     edi, edi
jmp     short loc_14E2E

loc_14E16:
jbe     short loc_14E23
lea     ebx, [edx+edx]
cmp     eax, ebx
jnb     short loc_14E23
xor     edi, edi
jmp     short loc_14E2E

loc_14E23:
add     edx, edx
cmp     eax, edx
jnz     short loc_14E2E

loc_14E29:
mov     edi, 1

loc_14E2E:
mov     eax, [esp+0F4h+var_D8]
add     eax, edi
test    ecx, ecx
lea     ebx, [ecx+eax*8+80h] ; descriptor (var_D8 + selector) at block + 80h
jnz     short loc_14E43
xor     eax, eax
jmp     short loc_14E8B

loc_14E43:
push    ebp
xor     edi, edi
push    edi
mov     ecx, esi
call    sub_11470       ; stack arguments: 0 (pushed last), index
shr     eax, 3
jz      short loc_14E5D
mov     ecx, [esi+54Ch]
cmp     eax, [ecx]
jb      short loc_14E80

loc_14E5D:
mov     ecx, [esi+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_14E6D
xor     edi, edi
jmp     short loc_14E85

loc_14E6D:
jbe     short loc_14E7A
lea     ebp, [edx+edx]
cmp     eax, ebp
jnb     short loc_14E7A
xor     edi, edi
jmp     short loc_14E85

loc_14E7A:
add     edx, edx
cmp     eax, edx
jnz     short loc_14E85

loc_14E80:
mov     edi, 1

loc_14E85:
mov     ebp, [esp+0F4h+var_E4]
mov     eax, edi

loc_14E8B:
mov     edx, [esp+0F4h+var_D8]
add     edx, eax
cmp     [esp+ebp*4+0F4h+var_C0], 0
lea     edi, [ecx+edx*8] ; descriptor (var_D8 + selector) in the block
jle     short loc_14EA9
; this bit already has a contributor: forward to sub_139D0
mov     eax, [ecx]
push    eax
push    ebx
push    edi
mov     ecx, esi
call    sub_139D0
jmp     short loc_14EDD

loc_14EA9:
; no contributor yet: strided copy from the +80h descriptor's buffer into the
; plain descriptor's buffer
mov     eax, [ebx]
test    eax, eax
mov     edx, [edi]
mov     ecx, [ecx]
mov     ebx, [ebx+4]
mov     edi, [edi+4]
jz      short loc_14EDD
test    edx, edx
jz      short loc_14EDD
test    ecx, ecx
jle     short loc_14EDD
add     ebx, ebx
add     edi, edi
add     ebx, ebx
add     edi, edi
lea     esp, [esp+0]    ; padding no-op

loc_14ED0:
mov     ebp, [eax]
mov     [edx], ebp
add     eax, ebx
add     edx, edi
sub     ecx, 1
jnz     short loc_14ED0

loc_14EDD:
mov     eax, [esp+0F4h+var_D8]
mov     ebp, [esp+0F4h+var_E4]
add     eax, 2
add     ebp, 1
cmp     eax, 18h
mov     [esp+0F4h+var_E4], ebp
mov     [esp+0F4h+var_D8], eax
jl      loc_14DE1       ; two passes: 14h and 16h
jmp     loc_14FB0

; ---- [block+4Ch] == 0: zero descriptors 14h/16h that got no contributor ---
loc_14F01:
mov     ebx, 14h
jmp     short loc_14F10
align 10h

loc_14F10:
cmp     [esp+ebp*4+0F4h+var_C0], 0
jnz     loc_14F9D
mov     ecx, [esi+54Ch]
test    ecx, ecx
jnz     short loc_14F29
xor     eax, eax
jmp     short loc_14F71

loc_14F29:
push    ebp
xor     edi, edi
push    edi
mov     ecx, esi
call    sub_11470       ; stack arguments: 0 (pushed last), index
shr     eax, 3
jz      short loc_14F43
mov     ecx, [esi+54Ch]
cmp     eax, [ecx]
jb      short loc_14F66

loc_14F43:
mov     ecx, [esi+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_14F53
xor     edi, edi
jmp     short loc_14F6B

loc_14F53:
jbe     short loc_14F60
lea     ebp, [edx+edx]
cmp     eax, ebp
jnb     short loc_14F60
xor     edi, edi
jmp     short loc_14F6B

loc_14F60:
add     edx, edx
cmp     eax, edx
jnz     short loc_14F6B

loc_14F66:
mov     edi, 1

loc_14F6B:
mov     ebp, [esp+0F4h+var_E4]
mov     eax, edi

loc_14F71:
add     eax, ebx
lea     edx, [ecx+eax*8]
mov     eax, [edx]
test    eax, eax
mov     ecx, [ecx]
mov     edx, [edx+4]
jz      short loc_14F9D
test    ecx, ecx
jle     short loc_14F9D
add     edx, edx
add     edx, edx
lea     esp, [esp+0]    ; padding no-op

loc_14F90:
mov     dword ptr [eax], 0
add     eax, edx
sub     ecx, 1
jnz     short loc_14F90

loc_14F9D:
add     ebp, 1
add     ebx, 2
cmp     ebx, 18h
mov     [esp+0F4h+var_E4], ebp
jl      loc_14F10

; ---- Second pass of phase 3: per-destination contributor counts -----------
loc_14FB0:
; var_A0 plus the 9Ch bytes cleared at var_9C form a zeroed 40-dword array
xor     ebx, ebx
push    9Ch
lea     eax, [esp+0F8h+var_9C]
push    ebx
push    eax
mov     [esp+100h+var_A0], ebx
call    memset
add     esp, 0Ch
mov     [esp+0F4h+var_E0], ebx
lea     ecx, [ecx+0]    ; padding no-op

loc_14FD0:
cmp     ebx, 2
jz      loc_1516A       ; mask 2 is skipped
cmp     dword ptr [esi+ebx*8+0A68h], 0
jnz     short loc_14FEC
cmp     ebx, 4
jnz     loc_1516A       ; an empty mask is skipped unless it is mask 4

loc_14FEC:
mov     [esp+0F4h+var_E4], 0 ; bit index
mov     [esp+0F4h+var_DC], 24h
lea     esp, [esp+0]    ; padding no-op

loc_15000:
mov     ecx, [esp+0F4h+var_E4]
mov     edx, 1
shl     edx, cl
test    [esi+ebx*8+0A68h], edx
jnz     short loc_1501D
cmp     ebx, 4
jnz     loc_15151       ; for mask 4 every bit is processed, set or not

loc_1501D:
mov     eax, [esp+0F4h+var_E4]
lea     eax, [eax+ebx*8]
lea     ecx, [eax+eax*2]
cmp     dword ptr [esi+ecx*8+18Ch], 0 ; entry (i*8 + bit), 18h bytes each
lea     eax, [esi+ecx*8]
jz      loc_15151
; NOTE(review): the slot index is [entry+19Ch] + [entry+194h]*8, taken from
; the object as stored. var_A0 holds 40 dwords and nothing visible here
; checks the index against that; an out-of-range value would make the
; increment below touch memory outside the array. Confirm the two fields are
; validated where they are written.
mov     ecx, [eax+194h]
mov     eax, [eax+19Ch]
lea     ebp, [eax+ecx*8]
add     [esp+ebp*4+0F4h+var_A0], 1
cmp     ebx, 4
mov     edx, [esp+ebp*4+0F4h+var_A0]
mov     [esp+0F4h+var_C4], edx ; contributor count for this slot so far
jnz     short loc_150CA
; mask 4: source descriptor is (var_DC + selector) in the +54Ch block
mov     edx, [esi+54Ch]
xor     edi, edi
test    edx, edx
jz      short loc_150BF
mov     eax, [esp+0F4h+var_E4]
push    eax
push    edi
mov     ecx, esi
call    sub_11470       ; stack arguments: 0 (pushed last), bit index
shr     eax, 3
jz      short loc_15081
mov     edx, [esi+54Ch]
cmp     eax, [edx]
jb      short loc_150BA

loc_15081:
mov     edx, [esi+54Ch]
mov     ecx, [edx]
cmp     eax, ecx
jnz     short loc_1509A
mov     eax, [esp+0F4h+var_DC]
xor     edi, edi
mov     edi, eax        ; selector 0: index is var_DC itself
lea     edx, [edx+edi*8]
jmp     short loc_150EE

loc_1509A:
jbe     short loc_150B4
lea     ebx, [ecx+ecx]
cmp     eax, ebx
mov     ebx, [esp+0F4h+var_E0] ; restore i (mov leaves the flags intact)
jnb     short loc_150B4
mov     eax, [esp+0F4h+var_DC]
xor     edi, edi
mov     edi, eax
lea     edx, [edx+edi*8]
jmp     short loc_150EE

loc_150B4:
add     ecx, ecx
cmp     eax, ecx
jnz     short loc_150BF

loc_150BA:
mov     edi, 1

loc_150BF:
mov     eax, [esp+0F4h+var_DC]
add     edi, eax
lea     edx, [edx+edi*8]
jmp     short loc_150EE

loc_150CA:
; other masks: source descriptor is obj + 568h + (k + (i*16 + bit)*2) * 8,
; where k is 1 when the toggle at obj+0A90h+(i*16+bit)*4 is 0, else 0
mov     edi, [esp+0F4h+var_E4]
mov     eax, ebx
shl     eax, 4
xor     edx, edx
lea     ecx, [edi+eax]
cmp     [esi+ecx*4+0A90h], edx
setz    dl
add     edi, eax
lea     eax, [edx+edi*2]
lea     edx, [esi+eax*8+568h]

loc_150EE:
; destination descriptor: obj + ([obj+550h] + slot*2 + 17Ah) * 8
cmp     [esp+0F4h+var_C4], 1
mov     ecx, [esi+550h]
lea     eax, [ecx+ebp*2+17Ah]
mov     ecx, [esi+54Ch]
lea     edi, [esi+eax*8]
jle     short loc_15119
; second or later contributor to this slot: forward to sub_139D0
mov     eax, [ecx]
push    eax
push    edx
push    edi
mov     ecx, esi
call    sub_139D0
jmp     short loc_15151

loc_15119:
; first contributor: strided copy, source -> destination
mov     eax, [edx]
test    eax, eax
mov     ebp, [ecx]      ; element count ([obj+54Ch] is not NULL-tested here)
mov     ecx, [edi]
mov     edx, [edx+4]
mov     edi, [edi+4]
jz      short loc_15151
test    ecx, ecx
jz      short loc_15151
test    ebp, ebp
jle     short loc_15151
add     edi, edi
lea     ebx, ds:0[edx*4]
add     edi, edi
mov     edx, ebp
mov     edi, edi        ; padding no-op

loc_15140:
mov     ebp, [eax]
mov     [ecx], ebp
add     eax, ebx
add     ecx, edi
sub     edx, 1
jnz     short loc_15140
mov     ebx, [esp+0F4h+var_E0] ; restore i

loc_15151:
mov     eax, [esp+0F4h+var_DC]
add     [esp+0F4h+var_E4], 1
add     eax, 2
cmp     eax, 34h
mov     [esp+0F4h+var_DC], eax
jl      loc_15000       ; eight bits (var_DC = 24h .. 32h)

loc_1516A:
add     ebx, 1
cmp     ebx, 5
mov     [esp+0F4h+var_E0], ebx
jl      loc_14FD0       ; five masks
mov     dword ptr [esi+1E90h], 0 ; phase 3 done: clear its request flag
mov     dword ptr [esi+1E98h], 1

loc_1518E:
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 0E4h
retn
sub_14870 endp

align 10h



; sub_151A0 -- strided dword copies between descriptors of the +54Ch block.
; In:    ecx = object pointer (saved in var_4)
; Out:   nothing; returns at once unless [[obj+54Ch]+3Ch] == 1
; Descriptor: 8-byte pair inside the +54Ch block, +0 buffer pointer, +4 stride
; in dwords. Element count = first dword of the block.
; Loop shape: 3 outer passes x 2 inner passes. The source offset (ebx) is
; reset to var_8 = 0A0h + [obj+550h]*8 at the start of every outer pass and
; steps by 10h, so the same two source descriptors are used three times. The
; destination offset (edi) starts at 0C0h + [obj+550h]*8 and keeps stepping by
; 10h, so six different destination descriptors are written.
; NOTE(review): [obj+54Ch] is dereferenced without a NULL test, and
; [obj+550h] scales the descriptor offsets without a range check visible
; here -- confirm both are constrained by whoever sets them.
sub_151A0 proc near

var_14= dword ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4

sub     esp, 14h
mov     eax, [ecx+550h]
mov     [esp+14h+var_4], ecx
mov     ecx, [ecx+54Ch]
cmp     dword ptr [ecx+3Ch], 1
jnz     loc_15253       ; early out happens before any register is pushed
push    ebx
push    ebp
push    esi
lea     edx, ds:0A0h[eax*8]
push    edi
mov     [esp+24h+var_8], edx ; first source descriptor offset
lea     edi, ds:0C0h[eax*8] ; first destination descriptor offset
mov     [esp+24h+var_C], 3 ; outer pass counter
jmp     short loc_151E0
align 10h

loc_151E0:
mov     ebx, [esp+24h+var_8] ; rewind the source offset
mov     [esp+24h+var_14], ebx
mov     [esp+24h+var_10], 2 ; inner pass counter

loc_151F0:
mov     eax, [esp+24h+var_4]
mov     eax, [eax+54Ch]
mov     edx, [ebx+eax]  ; source pointer
test    edx, edx
mov     ecx, [eax]      ; element count
mov     esi, [edi+eax]  ; destination pointer
mov     ebp, [ebx+eax+4] ; source stride
mov     eax, [edi+eax+4] ; destination stride
jz      short loc_15237
test    esi, esi
jz      short loc_15237
test    ecx, ecx
jle     short loc_15237
lea     ebx, ds:0[ebp*4]
lea     ebp, ds:0[eax*4]
mov     eax, ecx

loc_15226:
mov     ecx, [edx]
mov     [esi], ecx
add     edx, ebx
add     esi, ebp
sub     eax, 1
jnz     short loc_15226
mov     ebx, [esp+24h+var_14] ; ebx was reused as the byte step; restore it

loc_15237:
add     ebx, 10h
add     edi, 10h
sub     [esp+24h+var_10], 1
mov     [esp+24h+var_14], ebx
jnz     short loc_151F0 ; flags come from the sub above; mov keeps them
sub     [esp+24h+var_C], 1
jnz     short loc_151E0
pop     edi
pop     esi
pop     ebp
pop     ebx

loc_15253:
add     esp, 14h
retn
sub_151A0 endp

align 10h



; sub_15260 -- per-bit pass over the mask at obj+0A78h that zeroes, copies or
; forwards (to sub_139D0) strided dword buffers, with contributor counting.
; In:    ecx = object pointer (kept in ebx and in var_D4)
;        arg_0 = index that selects the descriptor row obj+768h+arg_0*8
; Out:   no return value is prepared
; Stack: "retn 8" pops two dwords of arguments; only arg_0 is read here.
;
; Descriptor: 8-byte pair, +0 buffer pointer, +4 stride in dwords (multiplied
; by 4 before use). Element count = first dword of the block at [obj+54Ch].
;
; Steps:
;   1. loc_152A3: for the four mask dwords at obj+0A68h, +0A70h, +0A78h and
;      +0A80h, count how often each of bits 0..7 is set. The eight counters
;      live in var_C4 .. var_A8 (bits 5..7 are held in eax/ebp/edi and
;      stored after the loop).
;   2. loc_15350: for each set bit of [obj+0A78h], zero, copy or forward the
;      buffer pair for that bit.
;   3. If bit 0 or bit 1 was counted at all, call sub_151A0.
;   4. loc_154B6: fill the 40-dword slot counter array at var_A0 from the
;      entry table at obj+18Ch (18h bytes per entry).
;   5. loc_15600: second per-bit pass over [obj+0A78h] that copies or
;      forwards according to the slot counters.
;
; NOTE(review): the slot index used with var_A0 is built from object fields
; with no range check visible here (see loc_154E2 and loc_15600), and
; [obj+54Ch] is dereferenced in step 5 without a NULL test.
sub_15260 proc near

var_EC= dword ptr -0ECh
var_DC= dword ptr -0DCh
var_D8= dword ptr -0D8h
var_D4= dword ptr -0D4h
var_D0= dword ptr -0D0h
var_CC= dword ptr -0CCh
var_C8= dword ptr -0C8h
var_C4= dword ptr -0C4h
var_C0= dword ptr -0C0h
var_BC= dword ptr -0BCh
var_B8= dword ptr -0B8h
var_B4= dword ptr -0B4h
var_B0= dword ptr -0B0h
var_AC= dword ptr -0ACh
var_A8= dword ptr -0A8h
var_A4= dword ptr -0A4h
var_A0= dword ptr -0A0h
var_9C= dword ptr -9Ch
arg_0= dword ptr  4

sub     esp, 0DCh
xor     eax, eax
push    ebx
push    ebp
push    esi
push    edi
mov     ebx, ecx
mov     ebp, eax
mov     edi, eax
mov     [esp+0ECh+var_D4], ebx
mov     [esp+0ECh+var_C8], eax
mov     [esp+0ECh+var_C4], eax
mov     [esp+0ECh+var_C0], eax
mov     [esp+0ECh+var_BC], eax
mov     [esp+0ECh+var_B8], eax
mov     [esp+0ECh+var_B4], eax
mov     [esp+0ECh+var_B0], eax
mov     [esp+0ECh+var_AC], ebp
mov     [esp+0ECh+var_A8], edi
lea     edx, [ebx+0A68h] ; first mask dword
lea     esi, [eax+4]    ; esi = 4 masks to scan

; ---- Step 1: per-bit set counts over four masks -------------------------
loc_152A3:
mov     ecx, [edx]
test    ecx, ecx
jz      short loc_15306
test    cl, 1
jz      short loc_152B7
add     [esp+0ECh+var_C4], 1
mov     ebx, [esp+0ECh+var_D4] ; reloads the object pointer (value unchanged)

loc_152B7:
test    cl, 2
jz      short loc_152C5
add     [esp+0ECh+var_C0], 1
mov     ebx, [esp+0ECh+var_D4]

loc_152C5:
test    cl, 4
jz      short loc_152D3
add     [esp+0ECh+var_BC], 1
mov     ebx, [esp+0ECh+var_D4]

loc_152D3:
test    cl, 8
jz      short loc_152E1
add     [esp+0ECh+var_B8], 1
mov     ebx, [esp+0ECh+var_D4]

loc_152E1:
test    cl, 10h
jz      short loc_152EF
add     [esp+0ECh+var_B4], 1
mov     ebx, [esp+0ECh+var_D4]

loc_152EF:
test    cl, 20h
jz      short loc_152F7
add     eax, 1          ; bit 5 count, stored to var_B0 after the loop

loc_152F7:
test    cl, 40h
jz      short loc_152FF
add     ebp, 1          ; bit 6 count, stored to var_AC

loc_152FF:
test    cl, cl
jns     short loc_15306 ; sign of cl = bit 7
add     edi, 1          ; bit 7 count, stored to var_A8

loc_15306:
add     edx, 8
sub     esi, 1
jnz     short loc_152A3
mov     ecx, [esp+0ECh+arg_0]
mov     [esp+0ECh+var_B0], eax
lea     eax, [ebx+30Ch]
mov     [esp+0ECh+var_D0], eax ; entry pointer, stepped by 18h per bit
lea     eax, [ebx+ecx*8+768h]
mov     [esp+0ECh+var_A8], edi
mov     [esp+0ECh+var_AC], ebp
mov     [esp+0ECh+var_D8], esi ; esi is 0 here: bit index
mov     [esp+0ECh+var_CC], 14h ; descriptor index, stepped by 2
mov     [esp+0ECh+var_A4], eax ; row base, reused in step 5
mov     [esp+0ECh+var_DC], eax ; row descriptor, stepped by 10h per bit
jmp     short loc_15350
align 10h

; ---- Step 2: first per-bit pass over [obj+0A78h] --------------------------
loc_15350:
mov     ecx, [esp+0ECh+var_D8]
mov     edx, 1
shl     edx, cl
test    [ebx+0A78h], edx
jz      loc_1545D
mov     ecx, [ebx+54Ch]
test    ecx, ecx
jnz     short loc_15375
xor     eax, eax        ; NULL block: selector 0, ecx stays 0
jmp     short loc_153BD

loc_15375:
; Inlined selector: r = sub_11470(0, bit) >> 3 against n = [[obj+54Ch]];
; result 1 when r is nonzero and below n, or r equals 2*n; otherwise 0.
mov     eax, [esp+0ECh+var_D8]
push    eax
xor     esi, esi
push    esi
mov     ecx, ebx
call    sub_11470
shr     eax, 3
jz      short loc_15393
mov     ecx, [ebx+54Ch]
cmp     eax, [ecx]
jb      short loc_153B6

loc_15393:
mov     ecx, [ebx+54Ch]
mov     edx, [ecx]
cmp     eax, edx
jnz     short loc_153A3
xor     esi, esi
jmp     short loc_153BB

loc_153A3:
jbe     short loc_153B0 ; flags still from "cmp eax, edx"
lea     edi, [edx+edx]
cmp     eax, edi
jnb     short loc_153B0
xor     esi, esi
jmp     short loc_153BB

loc_153B0:
add     edx, edx
cmp     eax, edx
jnz     short loc_153BB

loc_153B6:
mov     esi, 1

loc_153BB:
mov     eax, esi

loc_153BD:
; NOTE(review): on the NULL path ecx is 0 here, yet [ecx] and the descriptor
; at ecx+edx*8 are read below.
mov     edx, [esp+0ECh+var_CC]
add     edx, eax
mov     [esp+0ECh+var_C8], eax ; selector kept for step 5
lea     eax, [ecx+edx*8] ; descriptor (var_CC + selector) in the +54Ch block
mov     edx, [esp+0ECh+var_D0]
cmp     dword ptr [edx], 0
jz      short loc_15403
cmp     dword ptr [ebx+320h], 1
jnz     short loc_15403
; entry set and [obj+320h] == 1: zero the block descriptor's buffer
mov     edx, [eax]
test    edx, edx
mov     ecx, [ecx]
mov     eax, [eax+4]
jz      short loc_1545D
test    ecx, ecx
jle     short loc_1545D
lea     esi, ds:0[eax*4]
mov     eax, ecx

loc_153F4:
mov     dword ptr [edx], 0
add     edx, esi
sub     eax, 1
jnz     short loc_153F4
jmp     short loc_1545D

loc_15403:
mov     edx, [esp+0ECh+var_D8]
cmp     [esp+edx*4+0ECh+var_C4], 1 ; step 1 count for this bit (index 0..7)
jle     short loc_15420
; bit set in more than one mask: forward both descriptors and the element
; count to sub_139D0 (its behaviour is not visible here)
mov     ecx, [ecx]
mov     edx, [esp+0ECh+var_DC]
push    ecx
push    edx
push    eax
mov     ecx, ebx
call    sub_139D0
jmp     short loc_1545D

loc_15420:
; otherwise: strided copy from the row descriptor's buffer into the block
; descriptor's buffer
mov     esi, [esp+0ECh+var_DC]
mov     ebp, [ecx]      ; element count
mov     ecx, [esi]      ; source pointer
test    ecx, ecx
mov     edx, [eax]      ; destination pointer
mov     esi, [esi+4]    ; source stride
mov     eax, [eax+4]    ; destination stride
jz      short loc_1545D
test    edx, edx
jz      short loc_1545D
test    ebp, ebp
jle     short loc_1545D
add     esi, esi
lea     edi, ds:0[eax*4]
add     esi, esi
mov     eax, ebp
lea     esp, [esp+0]    ; padding no-op

loc_15450:
mov     ebp, [ecx]
mov     [edx], ebp
add     ecx, esi
add     edx, edi
sub     eax, 1
jnz     short loc_15450

loc_1545D:
mov     eax, [esp+0ECh+var_CC]
add     [esp+0ECh+var_D8], 1
add     [esp+0ECh+var_DC], 10h
add     [esp+0ECh+var_D0], 18h
add     eax, 2
cmp     eax, 24h
mov     [esp+0ECh+var_CC], eax
jl      loc_15350       ; eight bits (var_CC = 14h .. 22h)

; ---- Step 3: optional sub_151A0 ------------------------------------------
xor     esi, esi
cmp     [esp+0ECh+var_C4], esi
jnz     short loc_1548E
cmp     [esp+0ECh+var_C0], esi
jz      short loc_15495

loc_1548E:
mov     ecx, ebx
call    sub_151A0

; ---- Step 4: build the slot counters --------------------------------------
loc_15495:
; var_A0 plus the 9Ch bytes cleared at var_9C form a zeroed 40-dword array
push    9Ch
lea     eax, [esp+0F0h+var_9C]
push    esi
push    eax
mov     [esp+0F8h+var_A0], esi
call    memset
lea     eax, [ebx+0A68h]
add     esp, 0Ch
mov     [esp+0ECh+var_D0], eax ; mask pointer, stepped by 8; esi = mask index

loc_154B6:
mov     ecx, [esp+0ECh+var_D0]
mov     ebp, [ecx]
test    ebp, ebp
jnz     short loc_154C9
cmp     esi, 4
jnz     loc_155D5       ; an empty mask is skipped unless it is mask 4

loc_154C9:
xor     edx, edx
jmp     short loc_154D0
align 10h

; The bit loop is unrolled four times: bits edx, edx+1, edx+2 and edx+3 use
; the entries at +18Ch, +1A4h, +1BCh and +1D4h (18h apart). For mask 4 every
; bit is processed whether it is set or not.
loc_154D0:
mov     eax, 1
mov     ecx, edx
shl     eax, cl
test    eax, ebp
jnz     short loc_154E2
cmp     esi, 4
jnz     short loc_1550D

loc_154E2:
; NOTE(review): slot index = [entry+10h] + [entry+8]*8 (entry at +18Ch),
; read from the object as stored. var_A0 holds 40 dwords and no range check
; is visible; an out-of-range value would make the increment touch memory
; outside the array. The same applies to the three unrolled copies below.
lea     eax, [edx+esi*8]
lea     ecx, [eax+eax*2]
cmp     dword ptr [ebx+ecx*8+18Ch], 0
lea     eax, [ebx+ecx*8]
jz      short loc_1550D
mov     ecx, [eax+194h]
mov     eax, [eax+19Ch]
lea     eax, [eax+ecx*8]
add     [esp+eax*4+0ECh+var_A0], 1
lea     eax, [esp+eax*4+0ECh+var_A0] ; result unused (eax is overwritten next)

loc_1550D:
lea     edi, [edx+2]
lea     ecx, [edi-1]    ; bit edx + 1
mov     eax, 1
shl     eax, cl
test    eax, ebp
jnz     short loc_15523
cmp     esi, 4
jnz     short loc_1554E

loc_15523:
lea     eax, [edx+esi*8]
lea     ecx, [eax+eax*2]
cmp     dword ptr [ebx+ecx*8+1A4h], 0
lea     eax, [ebx+ecx*8]
jz      short loc_1554E
mov     ecx, [eax+1ACh]
mov     eax, [eax+1B4h]
lea     eax, [eax+ecx*8]
add     [esp+eax*4+0ECh+var_A0], 1
lea     eax, [esp+eax*4+0ECh+var_A0]

loc_1554E:
mov     eax, 1
mov     ecx, edi        ; bit edx + 2
shl     eax, cl
test    eax, ebp
jnz     short loc_15560
cmp     esi, 4
jnz     short loc_1558B

loc_15560:
lea     eax, [edx+esi*8]
lea     ecx, [eax+eax*2]
cmp     dword ptr [ebx+ecx*8+1BCh], 0
lea     eax, [ebx+ecx*8]
jz      short loc_1558B
mov     ecx, [eax+1C4h]
mov     eax, [eax+1CCh]
lea     eax, [eax+ecx*8]
add     [esp+eax*4+0ECh+var_A0], 1
lea     eax, [esp+eax*4+0ECh+var_A0]

loc_1558B:
lea     ecx, [edi+1]    ; bit edx + 3
mov     eax, 1
shl     eax, cl
test    eax, ebp
jnz     short loc_1559E
cmp     esi, 4
jnz     short loc_155C9

loc_1559E:
lea     eax, [edx+esi*8]
lea     ecx, [eax+eax*2]
cmp     dword ptr [ebx+ecx*8+1D4h], 0
lea     eax, [ebx+ecx*8]
jz      short loc_155C9
mov     ecx, [eax+1DCh]
mov     eax, [eax+1E4h]
lea     eax, [eax+ecx*8]
add     [esp+eax*4+0ECh+var_A0], 1
lea     eax, [esp+eax*4+0ECh+var_A0]

loc_155C9:
add     edx, 4
cmp     edx, 8
jl      loc_154D0       ; two unrolled rounds cover bits 0..7

loc_155D5:
add     [esp+0ECh+var_D0], 8
add     esi, 1
cmp     esi, 5
jl      loc_154B6       ; five masks

; ---- Step 5: second per-bit pass over [obj+0A78h] -------------------------
mov     edx, [esp+0ECh+var_D4]
mov     ebx, [esp+0ECh+var_A4] ; row descriptor, stepped by 10h per bit
add     edx, 314h
mov     [esp+0ECh+var_D8], 0 ; bit index
mov     [esp+0ECh+var_DC], edx ; obj+314h, stepped by 18h per bit

loc_15600:
mov     ecx, [esp+0ECh+var_D8]
mov     eax, 1
shl     eax, cl
mov     ecx, [esp+0ECh+var_D4]
test    [ecx+0A78h], eax
jz      short loc_1568E
mov     edx, [esp+0ECh+var_DC]
cmp     dword ptr [edx-8], 0 ; entry flag at obj+30Ch + bit*18h
jz      short loc_1568E
; slot index = [entry+10h] + [entry+8]*8, as in step 4 (unchecked)
mov     ecx, edx
mov     eax, [ecx]
mov     ecx, [ecx+8]
lea     eax, [ecx+eax*8]
cmp     [esp+eax*4+0ECh+var_A0], 1
mov     ecx, [esp+0ECh+var_C8] ; selector most recently stored at loc_153BD
lea     edx, [ecx+eax*2+17Ah]
mov     ecx, [esp+0ECh+var_D4]
lea     edx, [ecx+edx*8] ; destination descriptor: obj + (sel + slot*2 + 17Ah)*8
jle     short loc_15656
; slot has more than one contributor: forward to sub_139D0 (ecx = object)
mov     eax, [ecx+54Ch]
mov     eax, [eax]
push    eax
push    ebx
push    edx
call    sub_139D0
jmp     short loc_1568E

loc_15656:
; single contributor: strided copy from the row descriptor's buffer into the
; destination descriptor's buffer
mov     ecx, [ecx+54Ch]
mov     eax, [ebx]      ; source pointer
test    eax, eax
mov     ebp, [ecx]      ; element count
mov     ecx, [edx]      ; destination pointer
mov     esi, [ebx+4]    ; source stride
mov     edx, [edx+4]    ; destination stride
jz      short loc_1568E
test    ecx, ecx
jz      short loc_1568E
test    ebp, ebp
jle     short loc_1568E
add     esi, esi
lea     edi, ds:0[edx*4]
add     esi, esi
mov     edx, ebp

loc_15681:
mov     ebp, [eax]
mov     [ecx], ebp
add     eax, esi
add     ecx, edi
sub     edx, 1
jnz     short loc_15681

loc_1568E:
mov     eax, [esp+0ECh+var_D8]
add     [esp+0ECh+var_DC], 18h
add     eax, 1
add     ebx, 10h
cmp     eax, 8
mov     [esp+0ECh+var_D8], eax
jl      loc_15600       ; eight bits
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 0DCh
retn    8
sub_15260 endp

align 10h
; Unnamed routine (IDA did not create a proc for it; it starts at the
; alignment boundary that follows sub_15260).
; In:    ecx = object pointer, [esp+4] = requested value
; Out:   eax = requested value when it is accepted, else the current value
;        stored at [obj+24h]
; Stack: "retn 4" on every exit, i.e. the single argument is popped here.
; Logic: a request of 0, or one equal to the current value, returns the
;        current value. Otherwise the routine counts activity on the object
;        (set bits in ten mask dwords from obj+0A68h, and nonzero dwords in
;        sixteen 10h-byte records from obj+768h). The request is returned
;        only when that count is zero and the request is one of seven
;        constants; in every other case the current value is returned.
; The accepted constants are 2EE00h, 2AF80h, 17700h, 15888h, 0BB80h, 0AC44h
; and 7D00h (decimal 192000, 176000, 96000, 88200, 48000, 44100, 32000) --
; presumably sample rates; confirm against the caller.
mov     eax, [esp+4]
test    eax, eax
jnz     short loc_156CE
mov     eax, [ecx+24h]  ; request 0: report the current value
retn    4

loc_156CE:
mov     edx, [ecx+24h]
cmp     edx, eax
mov     [esp+4], edx    ; argument slot now holds the current value
jnz     short loc_156DE
mov     eax, edx        ; request equals current: nothing to decide
retn    4

loc_156DE:
push    ebx
push    ebp
push    esi
xor     esi, esi        ; esi = activity count
push    edi
lea     edx, [ecx+0A68h]
lea     ebp, [esi+5]    ; 5 outer passes
lea     ecx, [ecx+0]    ; padding no-op

loc_156F0:
mov     edi, edx
mov     ebx, 2          ; 2 dwords per outer pass: ten dwords in total

loc_156F7:
; count the set bits among the low eight bits of this dword
mov     edx, [edi]
test    dl, 1
jz      short loc_15701
add     esi, 1

loc_15701:
test    dl, 2
jz      short loc_15709
add     esi, 1

loc_15709:
test    dl, 4
jz      short loc_15711
add     esi, 1

loc_15711:
test    dl, 8
jz      short loc_15719
add     esi, 1

loc_15719:
test    dl, 10h
jz      short loc_15721
add     esi, 1

loc_15721:
test    dl, 20h
jz      short loc_15729
add     esi, 1

loc_15729:
test    dl, 40h
jz      short loc_15731
add     esi, 1

loc_15731:
test    dl, dl
jns     short loc_15738 ; sign of dl = bit 7
add     esi, 1

loc_15738:
add     edi, 4
sub     ebx, 1
jnz     short loc_156F7
sub     ebp, 1
mov     edx, edi        ; mov keeps the flags of the sub above for the jnz
jnz     short loc_156F0
add     ecx, 770h       ; ecx-8 = obj+768h: first record
lea     edi, [ebx+2]    ; ebx is 0 here, so edi = 2 outer passes

loc_15750:
mov     edx, 8          ; 8 records per outer pass: sixteen in total

loc_15755:
cmp     dword ptr [ecx-8], 0
jz      short loc_1575E
add     esi, 1

loc_1575E:
cmp     dword ptr [ecx], 0
jz      short loc_15766
add     esi, 1

loc_15766:
add     ecx, 10h
sub     edx, 1
jnz     short loc_15755
sub     edi, 1
jnz     short loc_15750
pop     edi
test    esi, esi        ; pops below do not change the flags
pop     esi
pop     ebp
pop     ebx
jnz     short loc_157AC ; something is active: keep the current value
cmp     eax, 2EE00h
jz      short locret_157B0
cmp     eax, 2AF80h
jz      short locret_157B0
; NOTE(review): the next two operands are shown by IDA as code offsets only
; because the numbers fall inside the image (loc_15888 sits in the middle of
; sub_157C0); next to the other constants they are presumably the plain
; immediates 17700h and 15888h.
cmp     eax, offset loc_17700
jz      short locret_157B0
cmp     eax, offset loc_15888
jz      short locret_157B0
cmp     eax, 0BB80h
jz      short locret_157B0
cmp     eax, 0AC44h
jz      short locret_157B0
cmp     eax, 7D00h
jz      short locret_157B0

loc_157AC:
mov     eax, [esp+4]    ; current value saved at loc_156CE

locret_157B0:
retn    4
align 10h



;-----------------------------------------------------------------------
; sub_157C0 -- compare a caller-supplied settings block with the copy kept
; in the object and call a setter for every field that differs, then copy
; the block into the object and write it to the device registry key.
;
; In:    ecx     = object pointer (kept in ebx)
;        [esp+4] = pointer to the new settings block (kept in esi)
; Out:   eax     = return value of the final ZwClose call
; Stack: callee pops 4 bytes (retn 4)
;
; NOTE(review): from loc_15AF8 on, the listing shows [esp+58h+...],
; [esp+4Ch+...], [esp+40h+...] although the prologue builds a 20h frame.
; IDA's stack-delta tracking appears to have drifted, so the var_*/arg_*
; names in that tail are unreliable; the comments there use the raw
; displacement (e.g. 58h-3Ch = 1Ch) instead.
;-----------------------------------------------------------------------
sub_157C0 proc near

var_44= dword ptr -44h
var_3C= dword ptr -3Ch
var_34= dword ptr -34h
var_2C= dword ptr -2Ch
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_4= dword ptr -4
arg_0= dword ptr  4

sub     esp, 10h
push    ebx
push    ebp
push    esi
mov     esi, [esp+1Ch+arg_0]    ; esi = new settings block
mov     ebx, ecx                ; ebx = object
lea     eax, [ebx+30h]          ; eax = cursor into the object's copy (18h stride)
lea     ecx, [esi+10Ch]         ; ecx = cursor into new block, 4-byte stride
lea     edx, [ebx+13Ch]         ; matching 4-byte-stride cursor in the object
push    edi
xor     ebp, ebp                ; ebp = entry index, 0..7
lea     edi, [esi+0Ch]          ; edi = new-block cursor, biased by +0Ch
mov     [esp+20h+var_4], eax    ; var_4 keeps object+30h for the tail of the function
mov     [esp+20h+var_10], eax
mov     [esp+20h+var_C], ecx
mov     [esp+20h+arg_0], edx    ; the argument slot is reused as a local from here on

; ---- loop 1: eight 18h-byte entries; first four dwords of each compared ----
loc_157F1:
cmp     ebp, 4
jge     short loc_1583C         ; entries 4..7 take a different comparison
mov     edx, [eax]
cmp     edx, [edi-0Ch]
jnz     short loc_15822
mov     edx, [eax+4]
cmp     edx, [edi-8]
jnz     short loc_15822
mov     edx, [eax+8]
cmp     edx, [edi-4]
jnz     short loc_15822
mov     edx, [eax+0Ch]
cmp     edx, [edi]
jnz     short loc_15822
mov     edx, [esp+20h+arg_0]
mov     edx, [edx]
cmp     edx, [ecx]
jz      loc_158B5               ; entry unchanged: skip the setter

; entries 0..3 differ: build the five arguments for sub_111E0
loc_15822:
mov     eax, [ecx]
mov     ecx, [edi-8]
mov     edx, [edi-0Ch]
push    ecx
mov     ecx, [edi]
push    edx
lea     edx, [ecx+eax+6Fh]
mov     ecx, [edi-4]
push    edx
lea     edx, [ecx+eax+6Fh]
jmp     short loc_158A8

loc_1583C:
lea     ecx, [edi-0Ch]
; NOTE(review): this compares the two entry ADDRESSES (object cursor vs
; new-block cursor), not the first dword of each entry as the 0..3 path
; does. Unless the two blocks alias, the branch below is always taken.
cmp     eax, ecx
jnz     short loc_1587C
mov     edx, [eax+8]
cmp     edx, [edi-4]
jnz     short loc_1587C
mov     ecx, [eax+0Ch]
cmp     ecx, [edi]
jnz     short loc_1587C
mov     edx, [ebx+0F0h]
cmp     edx, [esi+0C0h]
jnz     short loc_1587C
mov     ecx, [ebx+0F4h]
cmp     ecx, [esi+0C4h]
jnz     short loc_1587C
mov     edx, [ebx+0F8h]
cmp     edx, [esi+0C8h]
jz      short loc_158B5

; entries 4..7 differ: build the five arguments for sub_111E0
loc_1587C:
mov     eax, [esi+0C0h]
mov     ecx, [edi-8]
mov     edx, [edi-0Ch]

; No branch in this function targets loc_15888. Elsewhere in the listing it
; appears only as an immediate (cmp eax, offset loc_15888); 15888h is 88200
; decimal, so that operand is probably a numeric constant that IDA rendered
; as an offset -- TODO confirm.
loc_15888:
add     ecx, eax
add     edx, eax
mov     eax, [esi+0C8h]
push    ecx
mov     ecx, [edi]
push    edx
lea     edx, [eax+ecx+3Fh]
mov     eax, [edi-4]
mov     ecx, [esi+0C4h]
push    edx
lea     edx, [eax+ecx+3Fh]

loc_158A8:
push    edx
push    ebp                     ; first stack argument = entry index
mov     ecx, ebx
call    sub_111E0
mov     eax, [esp+20h+var_10]   ; reload the object cursor (eax was clobbered)

loc_158B5:
mov     ecx, [esp+20h+var_C]
add     [esp+20h+arg_0], 4
add     ebp, 1
add     ecx, 4
add     eax, 18h
add     edi, 18h
cmp     ebp, 8
mov     [esp+20h+var_C], ecx
mov     [esp+20h+var_10], eax
jl      loc_157F1
xor     edi, edi                ; edi = index for loop 2, 0..3
lea     ecx, [ecx+0]            ; no-op, alignment padding

; ---- loop 2: four 0Ch-byte records, object+0FCh.. vs block+0CCh.. ----
loc_158E0:
lea     eax, [edi+edi*2+33h]
mov     eax, [esi+eax*4]        ; eax = [block + 0CCh + 0Ch*i]
lea     ecx, [edi+edi*2+3Fh]
cmp     [ebx+ecx*4], eax        ; against [object + 0FCh + 0Ch*i]
jnz     short loc_15907
lea     ecx, [edi+edi*2]
add     ecx, ecx
add     ecx, ecx                ; ecx = 0Ch*i
mov     edx, [ecx+ebx+100h]
cmp     edx, [ecx+esi+0D0h]
jz      short loc_15961 ; default

loc_15907:              ; switch 4 cases
cmp     edi, 3
ja      short loc_15961 ; default
jmp     ds:off_15B60[edi*4] ; switch jump

loc_15913:              ; case 0x0
push    eax
mov     eax, [esi+0D0h]
add     eax, 49h
push    eax
mov     ecx, ebx
call    sub_11320
jmp     short loc_15961 ; default

loc_15927:              ; case 0x1
mov     ecx, [esi+0DCh]
add     ecx, 49h
push    eax
push    ecx
mov     ecx, ebx
call    sub_11330
jmp     short loc_15961 ; default

loc_1593B:              ; case 0x2
mov     edx, [esi+0E8h]
push    eax
add     edx, 49h
push    edx
mov     ecx, ebx
call    sub_11340
jmp     short loc_15961 ; default

loc_1594F:              ; case 0x3
push    eax
mov     eax, [esi+0F4h]
add     eax, 49h
push    eax
mov     ecx, ebx
call    sub_11350

loc_15961:              ; default
add     edi, 1
cmp     edi, 4
jl      loc_158E0
; ---- single-field comparisons ----
mov     edi, [esi+140h]
cmp     [ebx+24h], edi
jz      short loc_15996
push    edi
mov     ecx, ebx
call    sub_11500
test    eax, eax
jl      short loc_15996         ; negative result: leave the stored value alone
; NOTE(review): [ebx+54Ch] is dereferenced here without a zero test, while
; sub_15BF0 in this listing does compare the same field against zero.
mov     ecx, [ebx+54Ch]
mov     [ebx+24h], edi
mov     [ecx+1Ch], edi
mov     [ebx+170h], edi

loc_15996:
mov     eax, [esi+130h]
cmp     [ebx+160h], eax
jnz     short loc_159B2
mov     edx, [ebx+15Ch]
cmp     edx, [esi+12Ch]
jz      short loc_159D5

loc_159B2:
mov     edx, [ebx+0E54h]
mov     [ebx+0E58h], eax
mov     ecx, [esi+140h]
push    ecx
push    edx
push    eax
mov     eax, [esi+12Ch]
push    eax
mov     ecx, ebx
call    sub_111D0

loc_159D5:
mov     ecx, [ebx+164h]
cmp     ecx, [esi+134h]
jz      short loc_15A1A
mov     ecx, [ebx]              ; [ebx] = object that sub_16380 reads [base+1B0h] through
call    sub_16380
mov     edi, [ebx]
cmp     dword ptr [edi+4], 0    ; same "mapped" flag the accessor tests
jz      short loc_15A1A
xor     edx, edx
cmp     [esi+134h], edx
push    1                       ; argument for KeStallExecutionProcessor below
setnz   dl
shl     edx, 1Eh
; (x ^ eax) & mask ^ eax  ==  eax with bit 30 replaced by the new flag
xor     edx, eax
and     edx, 40000000h
xor     edx, eax
mov     eax, [edi]
mov     [eax+1B0h], edx         ; read-modify-write of the dword at base+1B0h
call    ds:KeStallExecutionProcessor

loc_15A1A:
mov     eax, [esi+0FCh]
cmp     [ebx+12Ch], eax
jz      short loc_15A30
push    eax
mov     ecx, ebx
call    sub_112A0

loc_15A30:
mov     eax, [esi+100h]
cmp     [ebx+130h], eax
jz      short loc_15A46
push    eax
mov     ecx, ebx
call    sub_112B0

loc_15A46:
mov     eax, [esi+104h]
cmp     [ebx+134h], eax
jz      short loc_15A5C
push    eax
mov     ecx, ebx
call    sub_112C0

loc_15A5C:
mov     eax, [esi+108h]
cmp     [ebx+138h], eax
jz      short loc_15A72
push    eax
mov     ecx, ebx
call    sub_112D0

loc_15A72:
mov     eax, [esi+11Ch]
cmp     [ebx+14Ch], eax
jz      short loc_15A88
push    eax
mov     ecx, ebx
call    sub_112E0

loc_15A88:
mov     eax, [esi+120h]
cmp     [ebx+150h], eax
jz      short loc_15A9E
push    eax
mov     ecx, ebx
call    sub_112F0

loc_15A9E:
mov     eax, [esi+124h]
cmp     [ebx+154h], eax
jz      short loc_15AB4
push    eax
mov     ecx, ebx
call    sub_11300

loc_15AB4:
mov     eax, [esi+128h]
cmp     [ebx+158h], eax
jz      short loc_15ACA
push    eax
mov     ecx, ebx
call    sub_11310

; [[ebx+54Ch]+4Ch] = 1 only when block[0FCh] == 1 and block[11Ch] == 3, else 0
loc_15ACA:
mov     eax, 1
cmp     [esi+0FCh], eax
jnz     short loc_15AEB
cmp     dword ptr [esi+11Ch], 3
jnz     short loc_15AEB
mov     ecx, [ebx+54Ch]
mov     [ecx+4Ch], eax
jmp     short loc_15AF8

loc_15AEB:
mov     edx, [ebx+54Ch]
mov     dword ptr [edx+4Ch], 0

; ---- copy the block into the object and persist it ----
loc_15AF8:
; 58h-3Ch = 1Ch, the same slot as [esp+20h+var_4] above, i.e. presumably
; object+30h -- TODO confirm against a corrected stack delta.
mov     edi, [esp+58h+var_3C]
; 58h-34h = 24h, the slot of arg_0 in the 20h frame: the argument slot is
; handed to IoOpenDeviceRegistryKey as its last argument (output handle).
lea     eax, [esp+58h+var_34]
push    eax
push    1F0000h                 ; DesiredAccess
mov     ecx, 147h
rep movsd                       ; copy 147h dwords (51Ch bytes) from esi to edi
mov     ecx, [ebx+20h]
push    2                       ; DevInstKeyType
push    ecx                     ; first argument, taken from [object+20h]
call    ds:IoOpenDeviceRegistryKey
test    eax, eax                ; the pops below leave these flags intact
pop     edi
pop     esi
pop     ebp
pop     ebx
jl      short loc_15B4F         ; open failed: skip the write
push    offset aMixeresp1010e ; "MixerESP1010e"
lea     edx, [esp+4Ch+var_44]
push    edx
call    ds:RtlInitUnicodeString
mov     eax, [esp+40h+var_34]   ; 40h-34h = 0Ch: the saved object+30h pointer (see NOTE at top)
mov     edx, [esp+40h+var_2C]   ; 40h-2Ch = 14h: the slot the handle was written to
push    51Ch                    ; DataSize = size of the settings block
push    eax                     ; Data
push    4                       ; Type
push    0                       ; TitleIndex
lea     ecx, [esp+50h+var_3C]
push    ecx                     ; ValueName
push    edx                     ; KeyHandle
; The ZwSetValueKey status is not examined.
call    ds:ZwSetValueKey

loc_15B4F:
; NOTE(review): this label is also the target of the failure branch after
; IoOpenDeviceRegistryKey, so ZwClose runs on the slot whether or not the
; open succeeded. If the open did not store a handle, the slot still holds
; the cursor value written in loop 1 -- verify the failure path.
mov     eax, [esp+10h+arg_0]
push    eax
call    ds:ZwClose
add     esp, 10h
retn    4
sub_157C0 endp

; Four-entry jump table used by the switch in sub_157C0 (index 0..3, bounded
; by the "cmp edi, 3 / ja" guard before the indirect jmp). It is emitted in
; the code segment, directly after the function.
off_15B60 dd offset loc_15913 ; jump table for switch statement
dd offset loc_15927
dd offset loc_1593B
dd offset loc_1594F



;-----------------------------------------------------------------------
; sub_15B70 -- scan ten consecutive dwords starting at object+0A68h
; (5 outer x 2 inner iterations) and report whether any of the low eight
; bits is set in any of them.
;
; In:    ecx = object pointer
; Out:   eax = 1 if any tested bit is set, else 0
; Clobb: ecx, edx, flags (esi/edi are saved and restored)
;-----------------------------------------------------------------------
sub_15B70 proc near
push    esi
xor     eax, eax                ; result defaults to 0
push    edi
add     ecx, 0A68h              ; ecx = first dword to inspect
lea     edi, [eax+5]            ; edi = 5 (eax is 0 here): outer counter
lea     ecx, [ecx+0]            ; no-op, alignment padding

loc_15B80:
mov     edx, ecx
mov     esi, 2                  ; inner counter: two dwords per outer step

loc_15B87:
mov     ecx, [edx]
; Bits 0..7 are tested one at a time; each hit only sets eax = 1, so the
; result is the OR of all eight bits over all ten dwords.
test    cl, 1
jz      short loc_15B93
mov     eax, 1

loc_15B93:
test    cl, 2
jz      short loc_15B9D
mov     eax, 1

loc_15B9D:
test    cl, 4
jz      short loc_15BA7
mov     eax, 1

loc_15BA7:
test    cl, 8
jz      short loc_15BB1
mov     eax, 1

loc_15BB1:
test    cl, 10h
jz      short loc_15BBB
mov     eax, 1

loc_15BBB:
test    cl, 20h
jz      short loc_15BC5
mov     eax, 1

loc_15BC5:
test    cl, 40h
jz      short loc_15BCF
mov     eax, 1

loc_15BCF:
test    cl, cl                  ; sign flag = bit 7 of cl
jns     short loc_15BD8
mov     eax, 1

loc_15BD8:
add     edx, 4
sub     esi, 1
jnz     short loc_15B87
sub     edi, 1                  ; sets ZF for the jnz below; mov does not touch flags
mov     ecx, edx
jnz     short loc_15B80
pop     edi
pop     esi
retn
sub_15B70 endp

align 10h



;-----------------------------------------------------------------------
; sub_15BF0 -- set or clear one bit in the dword table at object+0A68h and,
; when sub_15B70 reports no bit set, run a reinitialisation sequence.
;
; In:    ecx   = object pointer (kept in esi)
;        arg_0, arg_4 = select the dword: index = arg_4 + 2*arg_0
;        arg_8 = bit number (used as a shift count in cl)
;        arg_C = nonzero: set the bit, zero: clear it
; Out:   eax   = [object+550h]
; Stack: callee pops 10h bytes
;
; NOTE(review): arg_0, arg_4 and arg_8 are used to index the object without
; any range check in this function, and the shift uses only the low five
; bits of arg_8. Whether callers validate them is not visible here.
;-----------------------------------------------------------------------
sub_15BF0 proc near

arg_0= dword ptr  10h
arg_4= dword ptr  14h
arg_8= dword ptr  18h
arg_C= dword ptr  1Ch

push    ebx
push    esi
push    edi
xor     edi, edi                ; edi = 0 for the whole function
cmp     [esp+arg_C], edi
mov     esi, ecx
jz      short loc_15C27
; ---- set path: sub_15B70 is sampled BEFORE the bit is set ----
push    ebp
call    sub_15B70
mov     ecx, [esp+4+arg_0]
mov     ebx, [esp+4+arg_4]
lea     edx, [ebx+ecx*2+29Ah]   ; 29Ah*4 = 0A68h, the table sub_15B70 scans
mov     ecx, [esp+4+arg_8]
mov     ebp, 1
shl     ebp, cl
lea     edx, [esi+edx*4]
or      [edx], ebp
cmp     eax, edi                ; flags consumed by the jnz at loc_15C51 (pop/jmp keep them)
pop     ebp
jmp     short loc_15C51

; ---- clear path: the bit is cleared first, then sub_15B70 is sampled ----
loc_15C27:
mov     edx, [esp+arg_0]
mov     ebx, [esp+arg_4]
mov     ecx, [esp+arg_8]
lea     eax, [ebx+edx*2+29Ah]
mov     edx, 1
shl     edx, cl
lea     eax, [esi+eax*4]
mov     ecx, esi
not     edx
and     [eax], edx
call    sub_15B70
test    eax, eax

loc_15C51:
jnz     loc_15CD7               ; some bit was set: skip the sequence below
mov     ecx, esi
call    sub_14770
mov     eax, [esi+54Ch]
mov     [esi+8], edi
; NOTE(review): the pointer loaded from [esi+54Ch] is written through on the
; next line, and only afterwards compared against zero.
mov     [eax+30h], edi
cmp     [esi+54Ch], edi
jz      short loc_15C90
push    edi
mov     ecx, esi
mov     [esi+0E5Ch], edi
call    sub_11450
mov     eax, [esi+54Ch]
cmp     eax, edi
jz      short loc_15C90
mov     ecx, [esi+24h]
mov     [eax+1Ch], ecx

loc_15C90:
push    edi
push    30D40h
mov     ecx, esi
call    sub_115F0
mov     ecx, esi
call    sub_14290
mov     edx, [esi+54Ch]
mov     [esi+8], edi
mov     [edx+30h], edi          ; same write-before-test pattern as above
cmp     [esi+54Ch], edi
jz      short loc_15CD7
push    1
mov     ecx, esi
mov     [esi+0E5Ch], edi
call    sub_11450
mov     eax, [esi+54Ch]
cmp     eax, edi
jz      short loc_15CD7
mov     ecx, [esi+24h]
mov     [eax+1Ch], ecx

loc_15CD7:
; Zero the dword at object + 0A90h + 4*(arg_8 + 8*(arg_4 + 2*arg_0)).
mov     edx, [esp+arg_0]
mov     ecx, [esp+arg_8]
lea     eax, [ebx+edx*2]
lea     edx, [ecx+eax*8]
mov     [esi+edx*4+0A90h], edi
mov     eax, [esi+550h]
pop     edi
pop     esi
pop     ebx
retn    10h
sub_15BF0 endp

align 10h



;-----------------------------------------------------------------------
; sub_15D00 -- clear a caller-supplied buffer, record the buffer/descriptor
; pointers in the object and fill in the descriptor at arg_8.
;
; In:    ecx    = object pointer (kept in esi)
;        arg_0  = buffer pointer (kept in ebx)
;        arg_4  = second address/value, stored at object+0E64h
;        arg_8  = descriptor pointer, stored at object+54Ch
;        arg_C  = size; the buffer is cleared for arg_C - 1A0h bytes
;        arg_10 = count, forced to 400h unless within 30h..400h
; Out:   eax as left by sub_14290
; Stack: callee pops 14h bytes
;
; NOTE(review): arg_C - 1A0h is passed to memset without a lower-bound
; check, so a value below 1A0h would wrap to a very large length. The one
; caller visible in this listing (sub_15DD0) adds 1A0h before the call;
; other callers are not visible here. arg_8 is dereferenced without a
; null test.
;-----------------------------------------------------------------------
sub_15D00 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h
arg_10= dword ptr  18h

push    ebx
mov     ebx, [esp+arg_0]
push    ebp
mov     ebp, [esp+4+arg_C]
push    esi
push    edi
lea     edi, [ebp-1A0h]         ; edi = arg_C - 1A0h = number of bytes to clear
push    edi
push    0
push    ebx
mov     esi, ecx
call    memset                  ; cdecl: arguments are removed by the add esp below
mov     eax, [esp+18h+arg_4]
shr     edi, 1                  ; half of the cleared length
lea     ecx, [edi+eax]
add     esp, 0Ch
push    ecx                     ; arg_4 + half
add     edi, ebx
push    edi                     ; arg_0 + half
mov     ecx, esi
call    sub_113E0
mov     ecx, [esp+0Ch+arg_10]
cmp     ecx, 30h                ; unsigned range check: below 30h or above 400h -> 400h
jb      short loc_15D45
cmp     ecx, 400h
jbe     short loc_15D4A

loc_15D45:
mov     ecx, 400h

loc_15D4A:
mov     eax, [esp+0Ch+arg_8]
mov     [esi+54Ch], eax
mov     [eax+5Ch], eax          ; the descriptor stores its own address at +5Ch
mov     edi, [esi+54Ch]
mov     [edi], ecx              ; descriptor+0 = clamped count
lea     edx, ds:0[ecx*8]        ; edx = count*8
mov     ecx, [esi+54Ch]
mov     dword ptr [ecx+4], 2
mov     edi, [esi+54Ch]
lea     ecx, ds:0[edx*4]
shr     ecx, 1                  ; ecx = count*16
mov     [edi+8], ecx
mov     edi, [esi+54Ch]
mov     [edi+0Ch], ecx
add     edx, ebx
mov     [esi+55Ch], edx         ; buffer + count*8
mov     edx, [esp+0Ch+arg_4]
mov     ecx, esi
mov     [esi+558h], ebx
mov     [esi+0E60h], ebx        ; the four pointer/size arguments are kept at 0E60h..0E6Ch
mov     [esi+0E64h], edx
mov     [esi+0E68h], eax
mov     [esi+0E6Ch], ebp
call    sub_14290
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    14h
sub_15D00 endp

align 10h


; Attributes: bp-based frame

;-----------------------------------------------------------------------
; sub_15DD0 -- build a 51Ch-byte settings block on the stack (defaults, or
; a copy of the object's current block, or whatever sub_13CA0 fills in),
; set up the buffers through sub_15D00 and apply the block with sub_157C0.
;
; In:    ecx    = object pointer
;        arg_0..arg_C = forwarded to sub_15D00 (arg_C with 1A0h added)
;        arg_10 = nonzero: start from the block at object+30h;
;                 zero: call sub_13CA0 to fill the local block, and call
;                 sub_14060 at the end
; Out:   eax = 0
; Stack: callee pops 14h bytes; ebp-based frame, esp aligned down to 8
;
; The local block starts at var_520 and is 147h dwords (51Ch bytes) long;
; the same length is used for every copy and for the size passed to
; sub_13CA0, so the stack buffer and the lengths in this function agree.
;-----------------------------------------------------------------------
sub_15DD0 proc near

var_524= dword ptr -524h
var_520= dword ptr -520h
var_51C= dword ptr -51Ch
var_518= dword ptr -518h
var_514= dword ptr -514h
var_510= dword ptr -510h
var_50C= dword ptr -50Ch
var_508= dword ptr -508h
var_504= dword ptr -504h
var_500= dword ptr -500h
var_4FC= dword ptr -4FCh
var_4F8= dword ptr -4F8h
var_4F4= dword ptr -4F4h
var_4F0= dword ptr -4F0h
var_4EC= dword ptr -4ECh
var_4E8= dword ptr -4E8h
var_4E4= dword ptr -4E4h
var_4E0= dword ptr -4E0h
var_4DC= dword ptr -4DCh
var_4D8= dword ptr -4D8h
var_4D4= dword ptr -4D4h
var_4D0= dword ptr -4D0h
var_4CC= dword ptr -4CCh
var_4C8= dword ptr -4C8h
var_4C4= dword ptr -4C4h
var_4C0= dword ptr -4C0h
var_4BC= dword ptr -4BCh
var_4B8= dword ptr -4B8h
var_4B4= dword ptr -4B4h
var_4B0= dword ptr -4B0h
var_4AC= dword ptr -4ACh
var_4A8= dword ptr -4A8h
var_4A4= dword ptr -4A4h
var_4A0= dword ptr -4A0h
var_49C= dword ptr -49Ch
var_498= dword ptr -498h
var_494= dword ptr -494h
var_490= dword ptr -490h
var_48C= dword ptr -48Ch
var_488= dword ptr -488h
var_484= dword ptr -484h
var_480= dword ptr -480h
var_47C= dword ptr -47Ch
var_478= dword ptr -478h
var_474= dword ptr -474h
var_470= dword ptr -470h
var_46C= dword ptr -46Ch
var_468= dword ptr -468h
var_464= dword ptr -464h
var_460= dword ptr -460h
var_45C= dword ptr -45Ch
var_458= dword ptr -458h
var_454= dword ptr -454h
var_450= dword ptr -450h
var_44C= dword ptr -44Ch
var_448= dword ptr -448h
var_444= dword ptr -444h
var_440= dword ptr -440h
var_43C= dword ptr -43Ch
var_438= dword ptr -438h
var_434= dword ptr -434h
var_430= dword ptr -430h
var_42C= dword ptr -42Ch
var_428= dword ptr -428h
var_424= dword ptr -424h
var_420= dword ptr -420h
var_41C= dword ptr -41Ch
var_418= dword ptr -418h
var_414= dword ptr -414h
var_410= dword ptr -410h
var_40C= dword ptr -40Ch
var_408= dword ptr -408h
var_404= dword ptr -404h
var_400= dword ptr -400h
var_3FC= dword ptr -3FCh
var_3F8= dword ptr -3F8h
var_3F4= dword ptr -3F4h
var_3F0= dword ptr -3F0h
var_3EC= dword ptr -3ECh
var_3E8= dword ptr -3E8h
var_3E4= dword ptr -3E4h
var_3E0= dword ptr -3E0h
var_3DC= dword ptr -3DCh
var_3D8= dword ptr -3D8h
var_3D4= dword ptr -3D4h
var_3D0= dword ptr -3D0h
var_3CC= dword ptr -3CCh
var_3C8= dword ptr -3C8h
var_3C4= dword ptr -3C4h
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h
arg_10= dword ptr  18h

push    ebp
mov     ebp, esp
and     esp, 0FFFFFFF8h         ; arguments are therefore addressed through ebp
sub     esp, 524h
push    ebx
push    esi
push    edi
mov     esi, ecx
mov     [esp+530h+var_524], esi ; keep the object pointer; esi is reused by rep movsd
; ---- default block: the stores below fill var_520..var_3C8 with the
; constants 60h, 0, 1 and 30h held in eax/ebx/ecx ----
mov     eax, 60h
xor     ebx, ebx                ; ebx = 0 for the whole function
mov     ecx, 1
mov     [esp+530h+var_518], eax
mov     [esp+530h+var_514], eax
mov     [esp+530h+var_500], eax
mov     [esp+530h+var_4FC], eax
mov     [esp+530h+var_4E8], eax
mov     [esp+530h+var_4E4], eax
mov     [esp+530h+var_4D0], eax
mov     [esp+530h+var_4CC], eax
mov     [esp+530h+var_4B8], eax
mov     [esp+530h+var_4B4], eax
mov     [esp+530h+var_4A0], eax
mov     [esp+530h+var_49C], eax
mov     [esp+530h+var_488], eax
mov     [esp+530h+var_484], eax
mov     [esp+530h+var_470], eax
mov     [esp+530h+var_46C], eax
mov     [esp+530h+var_45C], eax
mov     [esp+530h+var_458], eax
mov     eax, 30h
mov     [esp+530h+var_520], ebx
mov     [esp+530h+var_51C], ebx
mov     [esp+530h+var_510], ebx
mov     [esp+530h+var_50C], ebx
mov     [esp+530h+var_508], ebx
mov     [esp+530h+var_504], ebx
mov     [esp+530h+var_4F8], ebx
mov     [esp+530h+var_4F4], ebx
mov     [esp+530h+var_4F0], ebx
mov     [esp+530h+var_4EC], ebx
mov     [esp+530h+var_4E0], ebx
mov     [esp+530h+var_4DC], ebx
mov     [esp+530h+var_4D8], ebx
mov     [esp+530h+var_4D4], ebx
mov     [esp+530h+var_4C8], ebx
mov     [esp+530h+var_4C4], ebx
mov     [esp+530h+var_4C0], ebx
mov     [esp+530h+var_4BC], ebx
mov     [esp+530h+var_4B0], ebx
mov     [esp+530h+var_4AC], ebx
mov     [esp+530h+var_4A8], ebx
mov     [esp+530h+var_4A4], ebx
mov     [esp+530h+var_498], ebx
mov     [esp+530h+var_494], ebx
mov     [esp+530h+var_490], ebx
mov     [esp+530h+var_48C], ebx
mov     [esp+530h+var_480], ebx
mov     [esp+530h+var_47C], ebx
mov     [esp+530h+var_478], ebx
mov     [esp+530h+var_474], ebx
mov     [esp+530h+var_468], ebx
mov     [esp+530h+var_464], ebx
mov     [esp+530h+var_460], ebx
mov     [esp+530h+var_454], ecx
mov     [esp+530h+var_450], eax
mov     [esp+530h+var_44C], eax
mov     [esp+530h+var_448], ecx
mov     [esp+530h+var_444], eax
mov     [esp+530h+var_440], eax
mov     [esp+530h+var_43C], ecx
mov     [esp+530h+var_438], eax
mov     [esp+530h+var_434], eax
mov     [esp+530h+var_430], ecx
mov     [esp+530h+var_42C], eax
mov     [esp+530h+var_428], eax
mov     [esp+530h+var_424], ebx
mov     [esp+530h+var_420], ebx
mov     [esp+530h+var_41C], ebx
mov     [esp+530h+var_418], ebx
mov     [esp+530h+var_414], ebx
mov     [esp+530h+var_410], ebx
mov     [esp+530h+var_40C], ebx
mov     [esp+530h+var_408], ebx
mov     [esp+530h+var_404], ebx
; memset(&var_3C4, 0, 3C0h): the three pushes are interleaved with the
; remaining default stores, hence the 534h/53Ch bases below.
push    3C0h
lea     eax, [esp+534h+var_3C4]
push    ebx
push    eax
mov     [esp+53Ch+var_400], ebx
mov     [esp+53Ch+var_3FC], ebx
mov     [esp+53Ch+var_3F8], ebx
mov     [esp+53Ch+var_3F4], ebx
mov     [esp+53Ch+var_3F0], ebx
mov     [esp+53Ch+var_3EC], ebx
mov     [esp+53Ch+var_3E8], ebx
mov     [esp+53Ch+var_3E4], ebx
mov     [esp+53Ch+var_3E0], 0AC44h ; 0AC44h = 44100 decimal
mov     [esp+53Ch+var_3DC], 400h   ; later passed to sub_15D00 as its count argument
mov     [esp+53Ch+var_3D8], ebx
mov     [esp+53Ch+var_3D4], ecx
mov     [esp+53Ch+var_3D0], ebx
mov     [esp+53Ch+var_3CC], ecx
mov     [esp+53Ch+var_3C8], ebx
call    memset
add     esp, 0Ch
mov     ecx, esi
call    sub_110A0
cmp     [ebp+arg_10], ebx
jz      short loc_16041
; arg_10 != 0: overwrite the defaults with the object's current block
add     esi, 30h
mov     ecx, 147h
lea     edi, [esp+530h+var_520]
rep movsd
mov     esi, [esp+530h+var_524] ; restore the object pointer
jmp     short loc_16052

loc_16041:
; arg_10 == 0: sub_13CA0 receives the local block and its exact size
push    51Ch
lea     ecx, [esp+534h+var_520]
push    ecx
mov     ecx, esi
call    sub_13CA0

loc_16052:
mov     edx, [esp+530h+var_3DC]
mov     eax, [ebp+arg_C]
mov     ecx, [ebp+arg_8]
push    edx
mov     edx, [ebp+arg_4]
add     eax, 1A0h               ; sub_15D00 subtracts 1A0h again for its memset length
push    eax
mov     eax, [ebp+arg_0]
push    ecx
push    edx
push    eax
mov     ecx, esi
call    sub_15D00
mov     ecx, [esi+54Ch]         ; descriptor pointer stored by sub_15D00 (arg_8)
mov     eax, [esp+530h+var_3D8]
mov     [ecx+24h], ebx
mov     edx, [esi+54Ch]
mov     [edx+20h], eax
mov     ecx, [esi+54Ch]
mov     [esi+8], ebx
mov     [ecx+30h], ebx
mov     edx, [esi+54Ch]
mov     eax, [esi+1Ch]
; memset(object+30h, 0Fh, 51Ch): fill the stored block with a byte pattern
; before sub_157C0 compares it with the local block. Presumably this makes
; the fields differ so that the setters run -- TODO confirm.
push    51Ch
lea     edi, [esi+30h]
push    0Fh
mov     [edx+48h], eax
push    edi
mov     dword ptr [esi+24h], 0FFFFFFFFh
call    memset
add     esp, 0Ch
lea     ecx, [esp+530h+var_520]
push    ecx
mov     ecx, esi
call    sub_157C0
cmp     [ebp+arg_10], ebx       ; flags survive mov/lea/rep movsd and feed the jnz below
mov     ecx, 147h
lea     esi, [esp+530h+var_520]
; edi still holds object+30h only if sub_157C0 preserved it (it pushes and
; pops edi in this listing); copy the local block into the object.
rep movsd
jnz     short loc_160E6
mov     ecx, [esp+530h+var_524]
call    sub_14060

loc_160E6:
pop     edi
pop     esi
xor     eax, eax
pop     ebx
mov     esp, ebp
pop     ebp
retn    14h
sub_15DD0 endp

align 10h



;-----------------------------------------------------------------------
; sub_16100 -- map 4000h bytes of I/O space and initialise the two-dword
; register-window object: [this] = mapped base, [this+4] = 1.
;
; In:    ecx   = object pointer
;        arg_0 = low 32 bits of the physical address
; Out:   eax   = object pointer
; Stack: callee pops 4 bytes
;
; NOTE(review): the MmMapIoSpace result is stored without a NULL test and
; [this+4] is set to 1 unconditionally. The accessors that follow in this
; listing gate their register access on [this+4] only, so a failed mapping
; would not be caught by that flag.
;-----------------------------------------------------------------------
sub_16100 proc near

var_4= dword ptr -4
arg_0= dword ptr  4

sub     esp, 8
mov     eax, [esp+8+arg_0]
push    esi
mov     esi, ecx
xor     ecx, ecx
push    ecx                     ; CacheType = 0
push    4000h                   ; NumberOfBytes
cdq                             ; edx = sign extension of eax, stored to var_4 below
push    ecx                     ; PhysicalAddress high dword: the 0 in ecx, not edx
push    eax                     ; PhysicalAddress low dword
mov     [esp+1Ch+var_4], edx    ; written but not read again in this function
call    ds:MmMapIoSpace
mov     [esi], eax
mov     dword ptr [esi+4], 1
mov     eax, esi
pop     esi
add     esp, 8
retn    4
sub_16100 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_12A90

; Unmap the 4000h-byte window whose base is stored at [ecx]; the length
; matches the one passed to MmMapIoSpace in sub_16100. Neither [ecx] nor the
; flag at [ecx+4] is examined or cleared in this chunk.
loc_16140:
mov     eax, [ecx]
push    4000h
push    eax
call    ds:MmUnmapIoSpace
retn
; END OF FUNCTION CHUNK FOR sub_12A90
align 10h



;-----------------------------------------------------------------------
; sub_16150 -- copy 500h bytes, five per iteration, between the memory at
; the base pointer [this] and the byte array at this+8, then store arg_0
; into [this+4].
;
; In:    ecx   = object pointer
;        arg_0 = nonzero: copy from [[this]+i] to [this+8+i]
;                zero:    copy from [this+8+i] to [[this]+i]
; Out:   eax   = 500h (loop counter on exit)
; Stack: callee pops 4 bytes
;
; NOTE(review): the base pointer is used without testing [this+4] or the
; pointer itself, unlike the accessors elsewhere in this listing.
;-----------------------------------------------------------------------
sub_16150 proc near

arg_0= dword ptr  0Ch

push    ebx
push    esi
mov     esi, [esp+arg_0]
xor     eax, eax                ; eax = byte offset, 0..4FFh in steps of 5

loc_16158:
test    esi, esi                ; mov below leaves the flags for the jz
mov     edx, [ecx]
jz      short loc_1618F
; arg_0 != 0: base -> array (the base is reloaded before every byte)
mov     dl, [eax+edx]
mov     [ecx+eax+8], dl
mov     edx, [ecx]
mov     dl, [edx+eax+1]
mov     [ecx+eax+9], dl
mov     edx, [ecx]
mov     dl, [edx+eax+2]
mov     [ecx+eax+0Ah], dl
mov     edx, [ecx]
mov     dl, [edx+eax+3]
mov     [ecx+eax+0Bh], dl
mov     edx, [ecx]
mov     dl, [edx+eax+4]
mov     [ecx+eax+0Ch], dl
jmp     short loc_161BE

loc_1618F:
; arg_0 == 0: array -> base
mov     bl, [ecx+eax+8]
mov     [eax+edx], bl
mov     edx, [ecx]
mov     bl, [ecx+eax+9]
mov     [edx+eax+1], bl
mov     edx, [ecx]
mov     bl, [ecx+eax+0Ah]
mov     [edx+eax+2], bl
mov     edx, [ecx]
mov     bl, [ecx+eax+0Bh]
mov     [edx+eax+3], bl
mov     edx, [ecx]
mov     bl, [ecx+eax+0Ch]
mov     [edx+eax+4], bl

loc_161BE:
add     eax, 5
cmp     eax, 500h
jl      short loc_16158
mov     [ecx+4], esi            ; the flag tested by the accessors takes the value of arg_0
pop     esi
pop     ebx
retn    4
sub_16150 endp




;-----------------------------------------------------------------------
; sub_161D0 -- read the dword at [base+8].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = enable flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_161D0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_161DD
xor     eax, eax
pop     esi
retn

loc_161DD:
push    1
call    ds:KeStallExecutionProcessor ; stall with argument 1 before the read
mov     eax, [esi]
mov     eax, [eax+8]
pop     esi
retn
sub_161D0 endp

align 10h



;-----------------------------------------------------------------------
; sub_161F0 -- read the dword at [base + arg_0].
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
; Out:   eax   = dword read, or 0 when the flag is zero
; Stack: callee pops 4 bytes
;
; NOTE(review): arg_0 is added to the base without a range check; the
; window mapped in sub_16100 is 4000h bytes. Whether callers bound the
; offset is not visible here.
;-----------------------------------------------------------------------
sub_161F0 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_161FF
xor     eax, eax
pop     esi
retn    4

loc_161FF:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     ecx, [esp+arg_0]
mov     eax, [ecx+eax]
pop     esi
retn    4
sub_161F0 endp

align 10h



;-----------------------------------------------------------------------
; sub_16220 -- read the byte at [base + arg_0 + 3].
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
; Out:   al    = byte read, or 0 when the flag is zero; the upper 24 bits
;                of eax are not defined (only al is written)
; Stack: callee pops 4 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_16220 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1622F
xor     al, al
pop     esi
retn    4

loc_1622F:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     ecx, [esp+arg_0]
mov     al, [eax+ecx+3]
pop     esi
retn    4
sub_16220 endp

align 10h



;-----------------------------------------------------------------------
; sub_16250 -- read the word at [base + arg_0 + 12h], zero-extended.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
; Out:   eax   = word read (zero-extended), or 0 when the flag is zero
; Stack: callee pops 4 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_16250 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1625F
xor     eax, eax
pop     esi
retn    4

loc_1625F:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     ecx, [esp+arg_0]
movzx   eax, word ptr [eax+ecx+12h]
pop     esi
retn    4
sub_16250 endp

align 10h



;-----------------------------------------------------------------------
; sub_16280 -- read the byte at [base+188h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: al  = byte read, or 0 when the flag is zero (only al is written)
;-----------------------------------------------------------------------
sub_16280 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1628D
xor     al, al
pop     esi
retn

loc_1628D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+188h]
pop     esi
retn
sub_16280 endp

align 10h



;-----------------------------------------------------------------------
; sub_162A0 -- read the byte at [base+189h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: al  = byte read, or 0 when the flag is zero (only al is written)
;-----------------------------------------------------------------------
sub_162A0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_162AD
xor     al, al
pop     esi
retn

loc_162AD:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+189h]
pop     esi
retn
sub_162A0 endp

align 10h



;-----------------------------------------------------------------------
; sub_162C0 -- read the byte at [base+18Ah].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: al  = byte read, or 0 when the flag is zero (only al is written)
;-----------------------------------------------------------------------
sub_162C0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_162CD
xor     al, al
pop     esi
retn

loc_162CD:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+18Ah]
pop     esi
retn
sub_162C0 endp

align 10h



;-----------------------------------------------------------------------
; sub_162E0 -- read the dword at [base+190h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_162E0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_162ED
xor     eax, eax
pop     esi
retn

loc_162ED:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+190h]
pop     esi
retn
sub_162E0 endp

align 10h



;-----------------------------------------------------------------------
; sub_16300 -- read the dword at [base+194h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_16300 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1630D
xor     eax, eax
pop     esi
retn

loc_1630D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+194h]
pop     esi
retn
sub_16300 endp

align 10h



;-----------------------------------------------------------------------
; sub_16320 -- read the dword at [base+198h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_16320 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1632D
xor     eax, eax
pop     esi
retn

loc_1632D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+198h]
pop     esi
retn
sub_16320 endp

align 10h



;-----------------------------------------------------------------------
; sub_16340 -- read the dword at [base+19Ch].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_16340 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1634D
xor     eax, eax
pop     esi
retn

loc_1634D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+19Ch]
pop     esi
retn
sub_16340 endp

align 10h



;-----------------------------------------------------------------------
; sub_16360 -- read the dword at [base+1A0h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_16360 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1636D
xor     eax, eax
pop     esi
retn

loc_1636D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+1A0h]
pop     esi
retn
sub_16360 endp

align 10h



;-----------------------------------------------------------------------
; sub_16380 -- read the dword at [base+1B0h]. sub_157C0 in this listing
; calls it and then writes the same offset back with bit 30 replaced.
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_16380 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1638D
xor     eax, eax
pop     esi
retn

loc_1638D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+1B0h]
pop     esi
retn
sub_16380 endp

align 10h



;-----------------------------------------------------------------------
; sub_163A0 -- write the byte arg_0 to [base+400h], then stall.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte to write
; Out:   nothing defined
; Stack: 4 bytes of arguments are removed on both paths (see below)
;-----------------------------------------------------------------------
sub_163A0 proc near

arg_0= byte ptr  4

cmp     dword ptr [ecx+4], 0
jz      short locret_163C0
mov     eax, [ecx]
mov     cl, [esp+arg_0]
mov     [eax+400h], cl
; Tail call: the argument slot is overwritten with 1 and control jumps to
; KeStallExecutionProcessor, which pops that slot and returns directly to
; this function's caller.
mov     dword ptr [esp+arg_0], 1
jmp     ds:KeStallExecutionProcessor

locret_163C0:
retn    4
sub_163A0 endp

align 10h



;-----------------------------------------------------------------------
; sub_163D0 -- read the dword at [base+404h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_163D0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_163DD
xor     eax, eax
pop     esi
retn

loc_163DD:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+404h]
pop     esi
retn
sub_163D0 endp

align 10h



;-----------------------------------------------------------------------
; sub_163F0 -- read the byte at [base+408h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: al  = byte read, or 0 when the flag is zero (only al is written)
;-----------------------------------------------------------------------
sub_163F0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_163FD
xor     al, al
pop     esi
retn

loc_163FD:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+408h]
pop     esi
retn
sub_163F0 endp

align 10h



;-----------------------------------------------------------------------
; sub_16410 -- write the byte arg_4 to [base + arg_0], with a stall before
; and after the store.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
;        arg_4 = byte to write
; Stack: callee pops 8 bytes
;
; NOTE(review): arg_0 is added to the base without a range check; the
; window mapped in sub_16100 is 4000h bytes. Whether callers bound the
; offset is not visible here.
;-----------------------------------------------------------------------
sub_16410 proc near

arg_0= dword ptr  8
arg_4= byte ptr  0Ch

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0    ; push/mov below keep these flags for the jz
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_1643B
push    1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0    ; flag is tested again after the stall
jz      short loc_1643B
mov     eax, [esi]
mov     cl, [esp+4+arg_4]
mov     edx, [esp+4+arg_0]
push    1
mov     [edx+eax], cl
call    edi ; KeStallExecutionProcessor

loc_1643B:
pop     edi
pop     esi
retn    8
sub_16410 endp




;-----------------------------------------------------------------------
; sub_16440 -- write the byte arg_4 to [base + arg_0 + 1], with a stall
; before and after the store.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
;        arg_4 = byte to write
; Stack: callee pops 8 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_16440 proc near

arg_0= dword ptr  8
arg_4= byte ptr  0Ch

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0    ; push/mov below keep these flags for the jz
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_1646C
push    1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0    ; flag is tested again after the stall
jz      short loc_1646C
mov     eax, [esi]
mov     cl, [esp+4+arg_4]
mov     edx, [esp+4+arg_0]
push    1
mov     [eax+edx+1], cl
call    edi ; KeStallExecutionProcessor

loc_1646C:
pop     edi
pop     esi
retn    8
sub_16440 endp

align 10h



;-----------------------------------------------------------------------
; sub_16480 -- write the byte arg_4 to [base + arg_0 + 2], with a stall
; before and after the store.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
;        arg_4 = byte to write
; Stack: callee pops 8 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_16480 proc near

arg_0= dword ptr  8
arg_4= byte ptr  0Ch

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0    ; push/mov below keep these flags for the jz
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_164AC
push    1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0    ; flag is tested again after the stall
jz      short loc_164AC
mov     eax, [esi]
mov     cl, [esp+4+arg_4]
mov     edx, [esp+4+arg_0]
push    1
mov     [eax+edx+2], cl
call    edi ; KeStallExecutionProcessor

loc_164AC:
pop     edi
pop     esi
retn    8
sub_16480 endp

align 10h



;-----------------------------------------------------------------------
; sub_164C0 -- write the byte arg_4 to [base + arg_0 + 3], with a stall
; before and after the store.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
;        arg_4 = byte to write
; Stack: callee pops 8 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_164C0 proc near

arg_0= dword ptr  8
arg_4= byte ptr  0Ch

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0    ; push/mov below keep these flags for the jz
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_164EC
push    1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0    ; flag is tested again after the stall
jz      short loc_164EC
mov     eax, [esi]
mov     cl, [esp+4+arg_4]
mov     edx, [esp+4+arg_0]
push    1
mov     [eax+edx+3], cl
call    edi ; KeStallExecutionProcessor

loc_164EC:
pop     edi
pop     esi
retn    8
sub_164C0 endp

align 10h



;-----------------------------------------------------------------------
; sub_16500 -- read the dword at [base + arg_0 + 4].
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
; Out:   eax   = dword read, or 0 when the flag is zero
; Stack: callee pops 4 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_16500 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1650F
xor     eax, eax
pop     esi
retn    4

loc_1650F:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     ecx, [esp+arg_0]
mov     eax, [eax+ecx+4]
pop     esi
retn    4
sub_16500 endp

align 10h



;-----------------------------------------------------------------------
; sub_16530 -- read the word at [base + arg_0 + 14h], zero-extended.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte offset from the base
; Out:   eax   = word read (zero-extended), or 0 when the flag is zero
; Stack: callee pops 4 bytes
;
; NOTE(review): the offset is not range-checked in this function.
;-----------------------------------------------------------------------
sub_16530 proc near

arg_0= dword ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1653F
xor     eax, eax
pop     esi
retn    4

loc_1653F:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     ecx, [esp+arg_0]
movzx   eax, word ptr [eax+ecx+14h]
pop     esi
retn    4
sub_16530 endp

align 10h



;-----------------------------------------------------------------------
; sub_16560 -- write the byte arg_0 to [base+480h], with a stall before and
; after the store.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte to write
; Stack: callee pops 4 bytes
;-----------------------------------------------------------------------
sub_16560 proc near

arg_0= byte ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0    ; push/mov below keep these flags for the jz
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_1658A
push    1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0    ; flag is tested again after the stall
jz      short loc_1658A
mov     eax, [esi]
mov     cl, [esp+4+arg_0]
push    1
mov     [eax+480h], cl
call    edi ; KeStallExecutionProcessor

loc_1658A:
pop     edi
pop     esi
retn    4
sub_16560 endp

align 10h



;-----------------------------------------------------------------------
; sub_16590 -- read the byte at [base+481h] (the offset sub_165B0 writes).
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: al  = byte read, or 0 when the flag is zero (only al is written)
;-----------------------------------------------------------------------
sub_16590 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1659D
xor     al, al
pop     esi
retn

loc_1659D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+481h]
pop     esi
retn
sub_16590 endp

align 10h



;-----------------------------------------------------------------------
; sub_165B0 -- write the byte arg_0 to [base+481h], with a stall before and
; after the store.
; In:    ecx   = register-window object ([ecx] = base, [ecx+4] = flag)
;        arg_0 = byte to write
; Stack: callee pops 4 bytes
;-----------------------------------------------------------------------
sub_165B0 proc near

arg_0= byte ptr  8

push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0    ; push/mov below keep these flags for the jz
push    edi
mov     edi, ds:KeStallExecutionProcessor
jz      short loc_165DA
push    1
call    edi ; KeStallExecutionProcessor
cmp     dword ptr [esi+4], 0    ; flag is tested again after the stall
jz      short loc_165DA
mov     eax, [esi]
mov     cl, [esp+4+arg_0]
push    1
mov     [eax+481h], cl
call    edi ; KeStallExecutionProcessor

loc_165DA:
pop     edi
pop     esi
retn    4
sub_165B0 endp

align 10h



;-----------------------------------------------------------------------
; sub_165E0 -- read the byte at [base+484h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: al  = byte read, or 0 when the flag is zero (only al is written)
;-----------------------------------------------------------------------
sub_165E0 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_165ED
xor     al, al
pop     esi
retn

loc_165ED:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     al, [eax+484h]
pop     esi
retn
sub_165E0 endp

align 10h



;-----------------------------------------------------------------------
; sub_16600 -- read the dword at [base+4B0h].
; In:  ecx = register-window object ([ecx] = base, [ecx+4] = flag)
; Out: eax = dword read, or 0 when the flag is zero
;-----------------------------------------------------------------------
sub_16600 proc near
push    esi
mov     esi, ecx
cmp     dword ptr [esi+4], 0
jnz     short loc_1660D
xor     eax, eax
pop     esi
retn

loc_1660D:
push    1
call    ds:KeStallExecutionProcessor
mov     eax, [esi]
mov     eax, [eax+4B0h]
pop     esi
retn
sub_16600 endp

align 10h



;-----------------------------------------------------------------------
; sub_16620 -- initialise a register-cache object: store the four
; arguments at [this+0..0Ch] and clear 18h four-byte cache entries that
; start at this+10h (word value at +0, flag byte at +2 of each entry).
;
; In:    ecx   = object pointer
;        arg_0 = stored at [this];   sub_16680 later calls through it
;        arg_4 = stored at [this+4]; sub_166C0 later calls through it
;        arg_8 = stored at [this+8];  passed to both callbacks
;        arg_C = stored at [this+0Ch]; passed to both callbacks
; Out:   eax   = object pointer
; Stack: callee pops 10h bytes
;
; NOTE(review): the two function pointers are stored as given; nothing in
; this listing tests them before the indirect calls.
;-----------------------------------------------------------------------
sub_16620 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h

mov     edx, [esp+arg_4]
mov     eax, ecx
mov     ecx, [esp+arg_0]
mov     [eax], ecx
mov     ecx, [esp+arg_8]
mov     [eax+4], edx
mov     edx, [esp+arg_C]
mov     [eax+8], ecx
mov     [eax+0Ch], edx
lea     edx, [eax+12h]          ; edx = address of the first entry's flag byte
mov     ecx, 18h                ; 18h entries
jmp     short loc_16650
align 10h

loc_16650:
mov     word ptr [edx-2], 0     ; cached value
mov     byte ptr [edx], 0       ; flag byte (bit 3 is the "cached" mark used elsewhere)
add     edx, 4
sub     ecx, 1
jnz     short loc_16650
retn    10h
sub_16620 endp

align 10h



;-----------------------------------------------------------------------
; sub_16670 -- zero the first three dwords of the object at ecx.
; In:  ecx = object pointer
; Out: eax = 0
;-----------------------------------------------------------------------
sub_16670 proc near
xor     eax, eax
mov     [ecx], eax
mov     [ecx+4], eax
mov     [ecx+8], eax
retn
sub_16670 endp

align 10h



;-----------------------------------------------------------------------
; sub_16680 -- cache a 16-bit value for entry arg_0 and forward it through
; the write callback stored at [this].
;
; In:    ecx   = register-cache object (layout set up by sub_16620)
;        arg_0 = entry index
;        arg_4 = value; the low 16 bits are cached
; Stack: callee pops 8 bytes
;
; Callback arguments, first to last: [this+8], (2*index) | bit 8 of the
; value, low byte of the value, [this+0Ch]. Only "pop esi" follows the
; call, so the callback presumably removes its own four arguments --
; TODO confirm.
;
; NOTE(review): the bound check is a SIGNED compare (jge), so a negative
; arg_0 passes it and indexes [ecx+edx*4+...] before the object. An
; unsigned compare (jae) would reject such values; whether callers can pass
; one is not visible here.
;-----------------------------------------------------------------------
sub_16680 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     edx, [esp+arg_0]
cmp     edx, 18h
jge     short locret_166B4      ; index >= 18h (signed): do nothing
mov     eax, [esp+arg_4]
or      byte ptr [ecx+edx*4+12h], 8 ; mark the entry as cached
mov     [ecx+edx*4+10h], ax
push    esi
mov     esi, [ecx+0Ch]
push    esi
movzx   esi, al                 ; low byte of the value
shr     eax, 8
and     eax, 1                  ; bit 8 of the value
add     edx, edx                ; 2*index
push    esi
or      eax, edx
push    eax
mov     eax, [ecx+8]
mov     ecx, [ecx]              ; write callback
push    eax
call    ecx
pop     esi

locret_166B4:
retn    8
sub_16680 endp

align 10h



;-----------------------------------------------------------------------
; sub_166C0 -- return the cached 16-bit value for entry arg_0, or go
; through the read callback stored at [this+4] when nothing is cached.
;
; In:    ecx   = register-cache object (layout set up by sub_16620)
;        arg_0 = entry index
; Out:   index >= 18h (signed): ax = 0FFFFh (upper half of eax unchanged)
;        entry cached:          eax = cached word, zero-extended
;        otherwise:             eax = 0 (see NOTE below)
; Stack: callee pops 4 bytes
;
; NOTE(review): the bound check is a signed compare (jl), so a negative
; index is treated as valid and reads before the object.
; NOTE(review): on the uncached path the callback's return value in eax is
; discarded; the result is built from bit 0 of bl, and bl holds 2*index,
; which is always even, so this path returns 0 for every index.
;-----------------------------------------------------------------------
sub_166C0 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
cmp     eax, 18h
jl      short loc_166D0
or      ax, 0FFFFh
retn    4

loc_166D0:
test    byte ptr [ecx+eax*4+12h], 8 ; push/lea below keep these flags for the jz
push    ebx
lea     ebx, [eax+eax]          ; ebx = 2*index
jz      short loc_166E4
movzx   eax, word ptr [ecx+eax*4+10h]
pop     ebx
retn    4

loc_166E4:
; read callback arguments, first to last: [this+8], 2*index, 0, [this+0Ch]
mov     eax, [ecx+0Ch]
mov     edx, [ecx+8]
push    eax
mov     eax, [ecx+4]
push    0
push    ebx
push    edx
call    eax
and     bl, 1
xor     ecx, ecx
mov     ch, bl                  ; cx = (bl & 1) << 8
pop     ebx
movzx   eax, cx
retn    4
sub_166C0 endp

align 10h
; START OF FUNCTION CHUNK FOR sub_111E0
;
; Body of sub_111E0 as it appears in this listing; the arg_* symbols are
; declared with the parent function, which is outside this chunk. It
; dispatches on the first stack argument (0, 1, 2; anything else returns)
; and updates entries of the register-cache object in ecx, forwarding each
; new value through the write callback at [esi]. Every path ends in
; "retn 14h" (five stack arguments).
;
; In the case-0 path the listing mixes raw displacements ([esp+1Ch]) with
; var_* names on bases of 30h and 40h, which points at a drifted stack
; delta. Assuming arg_0 is [esp+4] on entry, the slots resolve as noted at
; each use -- TODO confirm against the parent's frame.

loc_16710:
mov     eax, [esp+arg_0]
sub     eax, 0                  ; sets ZF for the jz three lines down (push/mov keep flags)
push    ebx
push    esi
mov     esi, ecx                ; esi = register-cache object
jz      loc_167EC               ; selector 0
sub     eax, 1
jz      short loc_16772         ; selector 1
sub     eax, 1
jnz     loc_16941               ; selector other than 0..2: return
; ---- selector 2: one value, cached at [esi+18h] ----
mov     ecx, [esp+8+arg_4]
mov     eax, [esp+8+arg_C]
and     ecx, 7Fh
neg     eax
sbb     eax, eax                ; eax = -1 if arg_C != 0, else 0
or      byte ptr [esi+1Ah], 8
not     eax
and     eax, ecx                ; arg_C != 0 forces the 7-bit value to 0
or      eax, 100h
mov     [esi+18h], ax
mov     ecx, [esi+0Ch]
movzx   edx, al
and     eax, 100h
push    ecx
mov     ecx, [esi]
or      eax, 400h
push    edx
shr     eax, 8
push    eax
mov     eax, [esi+8]
push    eax
call    ecx
pop     esi
pop     ebx
retn    14h

; ---- selector 1: two values, cached at [esi+1Ch] and [esi+20h] ----
loc_16772:
mov     eax, [esp+8+arg_C]
mov     ebx, [esp+8+arg_10]
neg     eax
sbb     eax, eax
not     eax                     ; mask: 0 if arg_C != 0, else all ones
and     eax, [esp+8+arg_4]
or      eax, 100h
neg     ebx
sbb     ebx, ebx
or      byte ptr [esi+1Eh], 8
mov     [esi+1Ch], ax
mov     edx, [esi+0Ch]
movzx   ecx, al
and     eax, 100h
push    edx
mov     edx, [esi+8]
or      eax, 600h
push    ecx
shr     eax, 8
not     ebx                     ; mask: 0 if arg_10 != 0, else all ones
and     ebx, [esp+10h+arg_8]
push    eax
mov     eax, [esi]
push    edx
or      ebx, 100h
call    eax
or      byte ptr [esi+22h], 8
mov     [esi+20h], bx
mov     ecx, [esi+0Ch]
mov     eax, [esi+8]
movzx   edx, bl
push    ecx
mov     ecx, [esi]
and     ebx, 100h
or      ebx, 800h
push    edx
shr     ebx, 8
push    ebx
push    eax
call    ecx
pop     esi
pop     ebx
retn    14h

; ---- selector 0: read-modify-write of the entry cached at [esi+64h] ----
loc_167EC:
test    byte ptr [esi+66h], 8
jz      short loc_167F8
movzx   ebx, word ptr [esi+64h]
jmp     short loc_1680B

loc_167F8:
; Nothing cached: the read callback at [esi+4] is called, but its return
; value is not used; ebx is simply cleared afterwards.
mov     edx, [esi+0Ch]
mov     eax, [esi+8]
mov     ecx, [esi+4]
push    edx
push    0
push    2Ah
push    eax
call    ecx
xor     ebx, ebx

loc_1680B:
movzx   edx, bl
movzx   eax, bl
push    ebp
and     edx, 80h                ; edi below = bit 7 of the current value
and     eax, 40h                ; ebp below = bit 6 of the current value
and     ebx, 1Fh                ; ebx keeps the low five bits
cmp     dword ptr [esp+1Ch], 0  ; 1Ch with three pushes = entry [esp+10h]; arg_C under the assumption above
push    edi
mov     edi, edx
mov     ebp, eax
jz      short loc_16869
test    di, di
jnz     loc_168F4               ; bit 7 already set: no register write needed
or      byte ptr [esi+66h], 8
mov     ecx, ebp
or      ecx, 80h
or      ebx, ecx
mov     [esi+64h], bx
mov     edx, [esi+0Ch]
push    edx
mov     edx, [esi+8]
mov     ecx, ebx
and     ecx, 100h
movzx   eax, bl
push    eax
mov     eax, [esi]
or      ecx, 2A00h
shr     ecx, 8
push    ecx
push    edx
call    eax
jmp     short loc_168B0

loc_16869:
test    di, di
jz      short loc_16898
or      byte ptr [esi+66h], 8
or      ebx, ebp                ; rebuild the value without bit 7
mov     [esi+64h], bx
mov     ecx, [esi+0Ch]
push    ecx
mov     ecx, [esi+8]
mov     eax, ebx
and     eax, 100h
movzx   edx, bl
push    edx
mov     edx, [esi]
or      eax, 2A00h
shr     eax, 8
push    eax
push    ecx
call    edx

loc_16898:
mov     eax, [esp+30h+var_18]   ; 30h-18h = 18h with four pushes = entry [esp+8]; arg_4 under the assumption above
and     eax, 0FFh

loc_168A1:
or      eax, 100h
push    eax
push    0Eh                     ; cache entry index 0Eh
mov     ecx, esi
call    sub_16680

loc_168B0:
cmp     [esp+30h+var_C], 0      ; 30h-0Ch = 24h with four pushes = entry [esp+14h]; arg_10 under the assumption above
jz      short loc_168F8
test    bp, bp
jnz     loc_16946               ; bit 6 already set: no register write needed
or      byte ptr [esi+66h], 8
or      edi, 40h
or      ebx, edi
mov     [esi+64h], bx
mov     eax, [esi+0Ch]
mov     edx, [esi+8]
movzx   ecx, bl
push    eax
mov     eax, [esi]
and     ebx, 100h
or      ebx, 2A00h
push    ecx
shr     ebx, 8
push    ebx
push    edx
call    eax
pop     edi
pop     ebp
pop     esi
pop     ebx
retn    14h

loc_168F4:
xor     eax, eax
jmp     short loc_168A1

loc_168F8:
test    bp, bp
jz      short loc_16927
or      byte ptr [esi+66h], 8
or      ebx, edi                ; rebuild the value without bit 6
mov     [esi+64h], bx
mov     ecx, [esi+0Ch]
mov     eax, [esi+8]
movzx   edx, bl
push    ecx
mov     ecx, [esi]
and     ebx, 100h
or      ebx, 2A00h
push    edx
shr     ebx, 8
push    ebx
push    eax
call    ecx

loc_16927:
mov     eax, [esp+40h+var_24]   ; 40h-24h = 1Ch with four pushes = entry [esp+0Ch]; arg_8 under the assumption above
and     eax, 0FFh

loc_16930:
or      eax, 100h
push    eax
push    0Fh                     ; cache entry index 0Fh
mov     ecx, esi
call    sub_16680
pop     edi
pop     ebp

loc_16941:
pop     esi
pop     ebx
retn    14h

loc_16946:
xor     eax, eax
jmp     short loc_16930
; END OF FUNCTION CHUNK FOR sub_111E0
align 10h
; START OF FUNCTION CHUNK FOR sub_112A0

; Chunk of sub_112A0. ecx = object pointer, one stack argument, retn 4.
; Selects the value 5 when arg_0 is non-zero and 1 otherwise, stores it
; in the word at [ecx+68h], sets bit 3 of [ecx+6Ah], then hands the value
; to the routine whose address is stored at [ecx].
loc_16950:
cmp     [esp+arg_0], 0
mov     eax, 1
jz      short loc_16961
mov     eax, 5

loc_16961:
mov     edx, [ecx+0Ch]
or      byte ptr [ecx+6Ah], 8 ; presumably "cached word is valid", as bit 3 of +66h is used in sub_169E0
mov     [ecx+68h], ax ; remember the value written
push    edx ; 4th argument: [ecx+0Ch]
movzx   edx, al
and     eax, 100h
or      eax, 2C00h
push    edx ; 3rd argument: low byte of the value
shr     eax, 8 ; (bit 8 of the value | 2C00h) >> 8
push    eax ; 2nd argument
mov     eax, [ecx+8]
mov     ecx, [ecx]
push    eax ; 1st argument: [ecx+8]
call    ecx ; indirect call through the pointer at offset 0 of the object
retn    4
; END OF FUNCTION CHUNK FOR sub_112A0
align 10h
; START OF FUNCTION CHUNK FOR sub_11320

; Chunk of sub_11320. ecx = object pointer, two stack arguments, retn 8.
; Builds a value from arg_0 (low 7 bits) that is forced to zero when
; arg_4 is non-zero, sets bit 8, stores it at [ecx+18h] and passes it to
; the routine whose address is stored at [ecx].
loc_16990:
mov     edx, [esp+arg_0]
mov     eax, [esp+arg_4]
and     edx, 7Fh ; keep the low 7 bits of arg_0
neg     eax
sbb     eax, eax ; eax = -1 if arg_4 != 0, else 0
or      byte ptr [ecx+1Ah], 8
not     eax ; eax = 0 if arg_4 != 0, else all ones
and     eax, edx ; value = arg_4 ? 0 : (arg_0 & 7Fh)
or      eax, 100h
mov     [ecx+18h], ax ; remember the value written
mov     edx, [ecx+0Ch]
push    edx ; 4th argument: [ecx+0Ch]
movzx   edx, al
and     eax, 100h
or      eax, 400h
push    edx ; 3rd argument: low byte of the value
shr     eax, 8 ; (bit 8 of the value | 400h) >> 8
push    eax ; 2nd argument
mov     eax, [ecx+8]
mov     ecx, [ecx]
push    eax ; 1st argument: [ecx+8]
call    ecx ; indirect call through the pointer at offset 0 of the object
retn    8
; END OF FUNCTION CHUNK FOR sub_11320
align 10h



; sub_169E0: ecx = object pointer, one stack argument, retn 4.
; Read-modify-write of the word cached at [this+64h]: keeps bits 1E0h of
; the current value, ORs in 2 when the argument is 0 or 8 when it is 1
; (nothing for any other value), stores the result back and passes it to
; the routine at [this]. var_8 is declared by IDA but not referenced.
sub_169E0 proc near

var_8= dword ptr -8

push    esi
mov     esi, ecx
test    byte ptr [esi+66h], 8 ; bit 3 set: use the cached word
jz      short loc_169EF
movzx   eax, word ptr [esi+64h]
jmp     short loc_16A02

loc_169EF:
mov     eax, [esi+0Ch]
mov     ecx, [esi+8]
mov     edx, [esi+4]
push    eax
push    0
push    2Ah
push    ecx
call    edx ; routine at [this+4], called with ([this+8], 2Ah, 0, [this+0Ch])
xor     eax, eax ; its result is discarded; the current value is taken as 0

loc_16A02:
mov     ecx, [esp+8] ; the stack argument (esi was pushed, so +8)
and     eax, 1E0h
sub     ecx, 0
jz      short loc_16A1A
sub     ecx, 1
jnz     short loc_16A1D ; argument is neither 0 nor 1: no extra bits
or      eax, 8
jmp     short loc_16A1D

loc_16A1A:
or      eax, 2

loc_16A1D:
or      byte ptr [esi+66h], 8 ; cached word is valid from now on
mov     [esi+64h], ax
mov     ecx, [esi+0Ch]
movzx   edx, al
and     eax, 100h
push    ecx ; 4th argument: [this+0Ch]
mov     ecx, [esi]
or      eax, 2A00h
push    edx ; 3rd argument: low byte of the value
shr     eax, 8 ; (bit 8 of the value | 2A00h) >> 8
push    eax ; 2nd argument
mov     eax, [esi+8]
push    eax ; 1st argument: [this+8]
call    ecx ; routine at [this]
pop     esi
retn    4
sub_169E0 endp

align 10h



; sub_16A50: four stack arguments (retn 10h); only the second one is read
; and is used as the object pointer. The shape matches a DPC routine with
; the object as DeferredContext - TODO confirm against the KeInitializeDpc
; call site. var_C is declared by IDA but not referenced.
; Does nothing when the pointer is NULL. Otherwise calls sub_14870,
; signals the event at [obj+19D8h] if present, and, for each of the two
; flags at [dev+1E9Ch] and [dev+1E98h] that equals 1 (dev = [obj+1A3Ch]),
; walks five 0C0h-byte groups of {enable, routine, context} records and
; calls every routine whose enable dword is 1, then clears the flag.
; NOTE(review): the routines are called through pointers stored in the
; object and only the enable dword is checked, not the pointer itself.
sub_16A50 proc near

var_C= dword ptr -0Ch
arg_4= dword ptr  0Ch

push    ebp
mov     ebp, [esp+arg_4]
test    ebp, ebp
jz      loc_16B2C
mov     ecx, [ebp+1A3Ch]
call    sub_14870
mov     eax, [ebp+19D8h]
test    eax, eax
jz      short loc_16A7D
push    0
push    0
push    eax
call    ds:KeSetEvent ; KeSetEvent([obj+19D8h], 0, 0)

loc_16A7D:
mov     eax, [ebp+1A3Ch]
push    ebx
mov     ebx, 1 ; ebx stays 1 for the rest of the routine
cmp     [eax+1E9Ch], ebx
push    esi
push    edi
jnz     short loc_16AD7
lea     esi, [ebp+0DF4h] ; first record group
lea     edi, [ebx+4] ; loop count = 5
lea     esp, [esp+0] ; no-op used as padding

loc_16AA0:
cmp     [esi-8], ebx ; enable dword of the first record
jnz     short loc_16AB0
mov     ecx, [esi]
mov     edx, [esi-4]
push    ecx
push    2
push    ebx
call    edx ; routine(1, 2, context)

loc_16AB0:
cmp     [esi+10h], ebx ; enable dword of the second record
jnz     short loc_16AC1
mov     eax, [esi+18h]
mov     ecx, [esi+14h]
push    eax
push    4
push    ebx
call    ecx ; routine(1, 4, context)

loc_16AC1:
add     esi, 0C0h
sub     edi, ebx
jnz     short loc_16AA0
mov     edx, [ebp+1A3Ch]
mov     [edx+1E9Ch], edi ; edi is 0 here: clear the flag

loc_16AD7:
mov     eax, [ebp+1A3Ch]
cmp     [eax+1E98h], ebx
jnz     short loc_16B29
lea     esi, [ebp+20Ch]
mov     edi, 5

loc_16AF0:
cmp     [esi-38h], ebx
jnz     short loc_16B02
mov     ecx, [esi-30h]
mov     edx, [esi-34h]
push    ecx
push    0
push    0
call    edx ; routine(0, 0, context)

loc_16B02:
cmp     [esi-8], ebx
jnz     short loc_16B13
mov     eax, [esi]
mov     ecx, [esi-4]
push    eax
push    4
push    0
call    ecx ; routine(0, 4, context)

loc_16B13:
add     esi, 0C0h
sub     edi, ebx
jnz     short loc_16AF0
mov     edx, [ebp+1A3Ch]
mov     [edx+1E98h], edi ; edi is 0 here: clear the flag

loc_16B29:
pop     edi
pop     esi
pop     ebx

loc_16B2C:
pop     ebp
retn    10h
sub_16A50 endp




; sub_16B30: four stack arguments (retn 10h); only the second one is read
; and is used as the object pointer (same shape as sub_16A50).
; For index 0 and 1: when sub_13B20(index) on [obj+1A3Ch] returns
; non-zero and the dword at [obj+11Ch+index*0Ch] is non-zero, calls the
; routine stored 4 bytes below it with (1, 0, that dword).
; NOTE(review): the null test is on the dword passed as the last
; argument, not on the routine pointer at [esi-4] that is called; check
; that whatever fills these slots (sub_16EF0 writes +118h/+11Ch) never
; leaves a NULL routine next to a non-zero second field.
sub_16B30 proc near

arg_4= dword ptr  0Ch

push    ebx
mov     ebx, [esp+arg_4]
test    ebx, ebx
jz      short loc_16B70
push    esi
push    edi
xor     edi, edi ; index = 0
lea     esi, [ebx+11Ch]

loc_16B43:
mov     ecx, [ebx+1A3Ch]
push    edi
call    sub_13B20
test    eax, eax
jz      short loc_16B63
mov     eax, [esi]
test    eax, eax
jz      short loc_16B63
push    eax
mov     eax, [esi-4]
push    0
push    1
call    eax ; routine(1, 0, [esi])

loc_16B63:
add     edi, 1
add     esi, 0Ch ; next 12-byte slot
cmp     edi, 2
jl      short loc_16B43
pop     edi
pop     esi

loc_16B70:
pop     ebx
retn    10h
sub_16B30 endp

align 10h



; sub_16B80: two stack arguments (retn 8), byte result in al; only the
; second argument is read and is used as the object pointer. The shape
; matches an interrupt service routine with the object as ServiceContext
; - TODO confirm against the IoConnectInterrupt call site.
; Returns 0 when the pointer is NULL or when sub_13620(0) reports no
; status bits (in that case a counter at [[dev+54Ch]+28h] is incremented
; if that pointer is set). Otherwise:
;   bits 100h/200h are accumulated in [dev+0E5Ch] (counted in bx),
;   bits 10000h/20000h/40000h call sub_13B90 (non-zero results counted
;   in bp), a DPC at [obj+1A18h] is queued if bp != 0, and once
;   [dev+0E5Ch] == 300h the DPC at [obj+1A14h] and the callback at
;   [obj+1A24h] may be run. Returns 1.
; sub_16D10 is the same routine with sub_13620(1).
; NOTE(review): the callback at [obj+1A24h] (set by sub_177F0) is called
; directly from this routine; if this is an ISR the callback runs at
; device IRQL - verify what the registered routines do.
sub_16B80 proc near

arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_4]
test    esi, esi
jnz     short loc_16B8F
xor     al, al
pop     esi
retn    8

loc_16B8F:
mov     ecx, [esi+1A3Ch]
push    ebx
push    ebp
push    edi
xor     ebp, ebp
push    ebp ; argument 0
xor     ebx, ebx
call    sub_13620
mov     edi, eax ; edi = status bits
test    edi, edi
jnz     short loc_16BC9
mov     esi, [esi+1A3Ch]
cmp     [esi+54Ch], ebx
jz      short loc_16BC0
mov     esi, [esi+54Ch]
add     dword ptr [esi+28h], 1 ; count calls that found no status bits

loc_16BC0:
pop     edi
pop     ebp
pop     ebx
xor     al, al
pop     esi
retn    8

loc_16BC9:
test    edi, 100h
jz      short loc_16BE6
mov     eax, [esi+1A3Ch]
or      dword ptr [eax+0E5Ch], 100h
mov     ebx, 1

loc_16BE6:
test    edi, 200h
jz      short loc_16C01
mov     eax, [esi+1A3Ch]
or      dword ptr [eax+0E5Ch], 200h
add     ebx, 1

loc_16C01:
test    edi, 10000h
jz      short loc_16C21
mov     ecx, [esi+1A3Ch]
push    0
push    0
call    sub_13B90 ; sub_13B90(0, 0)
test    eax, eax
jz      short loc_16C21
mov     ebp, 1

loc_16C21:
test    edi, offset dword_20000 ; the immediate is the bit mask 20000h; IDA rendered it as an offset
jz      short loc_16C3F
mov     ecx, [esi+1A3Ch]
push    0
push    1
call    sub_13B90 ; sub_13B90(1, 0)
test    eax, eax
jz      short loc_16C3F
add     ebp, 1

loc_16C3F:
test    edi, 40000h
jz      short loc_16C5D
mov     ecx, [esi+1A3Ch]
push    1
push    1
call    sub_13B90 ; sub_13B90(1, 1)
test    eax, eax
jz      short loc_16C5D
add     ebp, 1

loc_16C5D:
mov     ecx, [esi+1A3Ch]
call    nullsub_1
test    bp, bp
mov     edi, ds:KeInsertQueueDpc ; mov does not change the flags tested by the jz below
jz      short loc_16C84
mov     eax, [esi+1A18h]
test    eax, eax
jz      short loc_16C84
push    0
push    0
push    eax
call    edi ; KeInsertQueueDpc

loc_16C84:
test    bx, bx
jz      short loc_16D02
mov     ecx, [esi+1A3Ch]
cmp     dword ptr [ecx+0E5Ch], 300h ; both 100h and 200h seen
jnz     short loc_16D02
call    sub_14720
mov     eax, [esi+1A3Ch]
mov     dword ptr [eax+0E5Ch], 0
mov     ecx, [esi+1A3Ch]
mov     eax, 1
cmp     [ecx+1E90h], eax
jnz     short loc_16D02
mov     edx, ecx
cmp     [edx+1E94h], eax
jnz     short loc_16D02
mov     eax, [esi+1A14h]
test    eax, eax
jz      short loc_16CDE
push    0
push    0
push    eax
call    edi ; KeInsertQueueDpc

loc_16CDE:
cmp     dword ptr [esi+1A24h], 0
jz      short loc_16D02
mov     ecx, [esi+1A3Ch]
call    sub_13940
mov     ecx, [esi+1A28h]
mov     edx, [esi+1A24h]
push    ecx
push    eax
call    edx ; callback(sub_13940 result, [obj+1A28h])

loc_16D02:
pop     edi
pop     ebp
pop     ebx
mov     al, 1
pop     esi
retn    8
sub_16B80 endp ; sp =  10h

align 10h



; sub_16D10: two stack arguments (retn 8), byte result in al; only the
; second argument is read and is used as the object pointer.
; Instruction for instruction the same logic as sub_16B80, except that
; sub_13620 is called with 1 instead of 0: returns 0 for a NULL pointer
; or when no status bits are reported, otherwise accumulates bits
; 100h/200h in [dev+0E5Ch], services bits 10000h/20000h/40000h through
; sub_13B90, queues the DPCs at [obj+1A18h] / [obj+1A14h] and may call
; the callback at [obj+1A24h]; returns 1.
; NOTE(review): as in sub_16B80, the callback is called directly from
; this routine - confirm the IRQL it runs at.
sub_16D10 proc near

arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_4]
test    esi, esi
jnz     short loc_16D1F
xor     al, al
pop     esi
retn    8

loc_16D1F:
mov     ecx, [esi+1A3Ch]
push    ebx
push    ebp
push    edi
push    1 ; argument 1 (sub_16B80 passes 0)
xor     ebx, ebx
xor     ebp, ebp
call    sub_13620
mov     edi, eax ; edi = status bits
test    edi, edi
jnz     short loc_16D5A
mov     esi, [esi+1A3Ch]
cmp     [esi+54Ch], ebx
jz      short loc_16D51
mov     eax, [esi+54Ch]
add     dword ptr [eax+28h], 1 ; count calls that found no status bits

loc_16D51:
pop     edi
pop     ebp
pop     ebx
xor     al, al
pop     esi
retn    8

loc_16D5A:
test    edi, 100h
jz      short loc_16D77
mov     eax, [esi+1A3Ch]
or      dword ptr [eax+0E5Ch], 100h
mov     ebx, 1

loc_16D77:
test    edi, 200h
jz      short loc_16D92
mov     eax, [esi+1A3Ch]
or      dword ptr [eax+0E5Ch], 200h
add     ebx, 1

loc_16D92:
test    edi, 10000h
jz      short loc_16DB2
mov     ecx, [esi+1A3Ch]
push    0
push    0
call    sub_13B90 ; sub_13B90(0, 0)
test    eax, eax
jz      short loc_16DB2
mov     ebp, 1

loc_16DB2:
test    edi, offset dword_20000 ; the immediate is the bit mask 20000h; IDA rendered it as an offset
jz      short loc_16DD0
mov     ecx, [esi+1A3Ch]
push    0
push    1
call    sub_13B90 ; sub_13B90(1, 0)
test    eax, eax
jz      short loc_16DD0
add     ebp, 1

loc_16DD0:
test    edi, 40000h
jz      short loc_16DEE
mov     ecx, [esi+1A3Ch]
push    1
push    1
call    sub_13B90 ; sub_13B90(1, 1)
test    eax, eax
jz      short loc_16DEE
add     ebp, 1

loc_16DEE:
mov     ecx, [esi+1A3Ch]
call    nullsub_1
test    bp, bp
mov     edi, ds:KeInsertQueueDpc ; mov does not change the flags tested by the jz below
jz      short loc_16E15
mov     eax, [esi+1A18h]
test    eax, eax
jz      short loc_16E15
push    0
push    0
push    eax
call    edi ; KeInsertQueueDpc

loc_16E15:
test    bx, bx
jz      short loc_16E93
mov     ecx, [esi+1A3Ch]
cmp     dword ptr [ecx+0E5Ch], 300h ; both 100h and 200h seen
jnz     short loc_16E93
call    sub_14720
mov     eax, [esi+1A3Ch]
mov     dword ptr [eax+0E5Ch], 0
mov     ecx, [esi+1A3Ch]
mov     eax, 1
cmp     [ecx+1E90h], eax
jnz     short loc_16E93
mov     edx, ecx
cmp     [edx+1E94h], eax
jnz     short loc_16E93
mov     eax, [esi+1A14h]
test    eax, eax
jz      short loc_16E6F
push    0
push    0
push    eax
call    edi ; KeInsertQueueDpc

loc_16E6F:
cmp     dword ptr [esi+1A24h], 0
jz      short loc_16E93
mov     ecx, [esi+1A3Ch]
call    sub_13940
mov     ecx, [esi+1A28h]
mov     edx, [esi+1A24h]
push    ecx
push    eax
call    edx ; callback(sub_13940 result, [obj+1A28h])

loc_16E93:
pop     edi
pop     ebp
pop     ebx
mov     al, 1
pop     esi
retn    8
sub_16D10 endp ; sp =  10h

align 10h



; sub_16EA0: ecx = object pointer, five stack arguments, retn 14h.
; Computes idx = ((arg_0 << 4) + arg_4) << 4) + arg_8 and fills the
; 12-byte record at obj + 1D4h + idx*0Ch:
;   +0 = (arg_10 != 0), +4 = arg_C, +8 = arg_10.
; The layout matches the {enable, routine, context} records that
; sub_16A50 walks - presumably this is the registration side; confirm.
; NOTE(review): none of the three index arguments is range-checked here,
; so the write address is fully controlled by the caller; verify that
; every caller validates them before a routine pointer is stored.
sub_16EA0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_10= dword ptr  14h

mov     eax, [esp+arg_0]
mov     edx, [esp+arg_8]
shl     eax, 4
add     eax, [esp+arg_4]
push    esi
mov     esi, [esp+4+arg_10]
shl     eax, 4
add     eax, edx ; eax = idx
xor     edx, edx
test    esi, esi
setnz   dl ; edx = (arg_10 != 0)
push    edi
lea     edi, [eax+eax*2+75h] ; idx*3 + 75h, scaled by 4 below -> idx*0Ch + 1D4h
lea     eax, [eax+eax*2]
lea     eax, [ecx+eax*4] ; eax = obj + idx*0Ch
mov     [eax+1DCh], esi ; record +8 = arg_10
mov     [ecx+edi*4], edx ; record +0 = enable flag
mov     ecx, [esp+8+arg_C]
pop     edi
mov     [eax+1D8h], ecx ; record +4 = arg_C
pop     esi
retn    14h
sub_16EA0 endp

align 10h



; sub_16EF0: ecx = object pointer, three stack arguments, retn 0Ch.
; Stores arg_4 at [obj+118h+arg_0*0Ch] and arg_8 at [obj+11Ch+arg_0*0Ch].
; sub_16B30 reads the same two fields for index 0 and 1, calling the
; first as a routine with the second as an argument.
; NOTE(review): arg_0 is not range-checked here; verify the callers
; restrict it to the slots that exist.
sub_16EF0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     eax, [esp+arg_0]
mov     edx, [esp+arg_8]
lea     eax, [eax+eax*2]
lea     eax, [ecx+eax*4] ; eax = obj + arg_0*0Ch
mov     ecx, [esp+arg_4]
mov     [eax+118h], ecx
mov     [eax+11Ch], edx
retn    0Ch
sub_16EF0 endp

align 10h



; sub_16F20: ecx = object pointer, seven stack arguments, retn 1Ch.
; Issues pairs of sub_13990 calls on [obj+1A3Ch], arg_C pairs in total.
;   step   = (arg_10 != 0) ? 4 : 0
;   arg_4 != 4: pair k uses index arg_4*2 + k, values arg_10 + k*step
;               and that value + arg_14; the first argument is 0.
;   arg_4 == 4: pair k uses index dword_1D4D0[k] + base, where base is
;               sub_13610() when arg_8 == 4 and 0 otherwise; the first
;               argument is 1. When arg_8 == 4 the dword at
;               [[obj+1A1Ch]+58h] is set to (arg_10 != 0).
; In both cases the 5th argument of the two calls is 0 then 1, and
; arg_0 / arg_18 are passed through unchanged.
; NOTE(review): in the arg_4 == 4 path the loop counter indexes
; dword_1D4D0 and is bounded only by arg_C; the table size is not
; visible here, so confirm callers cap arg_C.
sub_16F20 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h
arg_10= dword ptr  18h
arg_14= dword ptr  1Ch
arg_18= dword ptr  20h

push    ebx
mov     ebx, [esp+arg_10]
push    ebp
push    esi
mov     ebp, ebx
neg     ebp
sbb     ebp, ebp ; ebp = -1 if arg_10 != 0, else 0
push    edi
mov     edi, ecx ; edi = object pointer
mov     ecx, [esp+0Ch+arg_4]
xor     edx, edx
lea     eax, [ecx+1]
and     ebp, 4 ; step = 4 or 0
cmp     eax, 5
setz    dl ; edx = (arg_4 == 4)
xor     esi, esi
mov     eax, edx
cmp     eax, esi
mov     [esp+0Ch+arg_4], eax ; arg_4 slot now holds the 0/1 flag
jnz     short loc_16FB5
mov     eax, [esp+0Ch+arg_C]
cmp     eax, esi
jbe     loc_17054 ; count == 0: nothing to do
mov     esi, [esp+0Ch+arg_10]
lea     ebx, [ecx+ecx] ; first index = arg_4 * 2
mov     [esp+0Ch+arg_C], eax

loc_16F65:
mov     eax, [esp+0Ch+arg_18]
mov     ecx, [esp+0Ch+arg_0]
push    eax
push    esi
push    0
push    ebx
push    ecx
mov     ecx, [edi+1A3Ch]
push    0
call    sub_13990 ; (0, arg_0, index, 0, value, arg_18)
mov     edx, [esp+0Ch+arg_18]
mov     eax, [esp+0Ch+arg_14]
push    edx
mov     edx, [esp+10h+arg_0]
lea     ecx, [esi+eax]
push    ecx
mov     ecx, [edi+1A3Ch]
push    1
push    ebx
push    edx
push    0
call    sub_13990 ; (0, arg_0, index, 1, value + arg_14, arg_18)
add     esi, ebp
add     ebx, 1
sub     [esp+0Ch+arg_C], 1 ; arg_C slot is the remaining count
jnz     short loc_16F65
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    1Ch

loc_16FB5:
cmp     [esp+0Ch+arg_8], 4
mov     [esp+0Ch+arg_10], esi ; base = 0 (arg_10 slot is reused; ebx still holds arg_10)
jnz     short loc_16FDF
mov     ecx, [edi+1A3Ch]
call    sub_13610
mov     ecx, [edi+1A1Ch]
mov     [esp+0Ch+arg_10], eax ; base = sub_13610()
xor     eax, eax
cmp     ebx, esi
setnz   al
mov     [ecx+58h], eax ; [[obj+1A1Ch]+58h] = (arg_10 != 0)

loc_16FDF:
cmp     [esp+0Ch+arg_C], esi
jbe     short loc_17054
jmp     short loc_16FF0
align 10h

loc_16FF0:
mov     edx, [esp+0Ch+arg_18]
mov     eax, ds:dword_1D4D0[esi*4] ; table lookup by loop counter
add     eax, [esp+0Ch+arg_10]
mov     ecx, [esp+0Ch+arg_0]
push    edx
mov     edx, [esp+10h+arg_4]
push    ebx
push    0
push    eax
push    ecx
mov     ecx, [edi+1A3Ch]
push    edx
call    sub_13990 ; (1, arg_0, table[k] + base, 0, value, arg_18)
mov     eax, [esp+0Ch+arg_18]
mov     ecx, [esp+0Ch+arg_14]
push    eax
mov     eax, ds:dword_1D4D0[esi*4]
add     eax, [esp+10h+arg_10]
lea     edx, [ebx+ecx]
mov     ecx, [esp+10h+arg_0]
push    edx
mov     edx, [esp+14h+arg_4]
push    1
push    eax
push    ecx
mov     ecx, [edi+1A3Ch]
push    edx
call    sub_13990 ; (1, arg_0, table[k] + base, 1, value + arg_14, arg_18)
add     esi, 1
add     ebx, ebp
cmp     esi, [esp+0Ch+arg_C]
jb      short loc_16FF0

loc_17054:
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    1Ch
sub_16F20 endp

align 10h



; sub_17060: ecx = object pointer, four stack arguments, retn 10h.
; Calls sub_13700(arg_4 + 1) on [obj+1A3Ch], then issues arg_C calls to
; sub_15BF0 whose last argument is 1:
;   arg_4 != 4: sub_15BF0(0, arg_0, k + arg_4*2, 1)
;   arg_4 == 4: sub_15BF0(1, arg_0, table[k] + base, 1), where table is
;               dword_1D450 when arg_C > 4 and dword_1D4D0 otherwise,
;               and base is sub_13610() when arg_8 == 4, else 0.
; sub_17130 is the counterpart whose last argument is 0.
; NOTE(review): the table index is the loop counter, bounded only by
; arg_C; the table sizes are not visible here, so confirm callers cap
; arg_C.
sub_17060 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h

push    ebx
mov     ebx, [esp+arg_4]
push    ebp
push    esi
push    edi
mov     edi, ecx ; edi = object pointer
xor     ecx, ecx
lea     eax, [ebx+1]
cmp     eax, 5
setz    cl ; ecx = (arg_4 == 4)
push    eax
mov     ebp, ecx
mov     ecx, [edi+1A3Ch]
call    sub_13700 ; sub_13700(arg_4 + 1)
xor     esi, esi
cmp     ebp, esi
jnz     short loc_170C6
mov     ebp, [esp+0Ch+arg_C]
cmp     ebp, esi
jbe     loc_17126 ; count == 0
jmp     short loc_170A0
align 10h

loc_170A0:
mov     eax, [esp+0Ch+arg_0]
mov     ecx, [edi+1A3Ch]
push    1
lea     edx, [esi+ebx*2]
push    edx
push    eax
push    0
call    sub_15BF0 ; (0, arg_0, k + arg_4*2, 1)
add     esi, 1
cmp     esi, ebp
jb      short loc_170A0
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    10h

loc_170C6:
cmp     [esp+0Ch+arg_8], 4
mov     [esp+0Ch+arg_4], esi ; base = 0 (arg_4 slot is reused)
jnz     short loc_170E0
mov     ecx, [edi+1A3Ch]
call    sub_13610
mov     [esp+0Ch+arg_4], eax ; base = sub_13610()

loc_170E0:
mov     ebx, [esp+0Ch+arg_C]
xor     esi, esi
test    ebx, ebx
jbe     short loc_17126
lea     ebx, [ebx+0] ; no-op used as padding

loc_170F0:
cmp     ebx, 4
jbe     short loc_170FE
mov     eax, ds:dword_1D450[esi*4] ; count > 4
jmp     short loc_17105

loc_170FE:
mov     eax, ds:dword_1D4D0[esi*4] ; count <= 4

loc_17105:
mov     ecx, [esp+0Ch+arg_4]
mov     edx, [esp+0Ch+arg_0]
push    1
add     eax, ecx
mov     ecx, [edi+1A3Ch]
push    eax
push    edx
push    ebp
call    sub_15BF0 ; (1, arg_0, table[k] + base, 1); ebp is 1 on this path
add     esi, 1
cmp     esi, ebx
jb      short loc_170F0

loc_17126:
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    10h
sub_17060 endp

align 10h



; sub_17130: ecx = object pointer, four stack arguments, retn 10h.
; When arg_0 == 4 it only calls sub_13630(0) on [obj+1A3Ch]. Otherwise it
; issues arg_C calls to sub_15BF0 whose last argument is 0:
;   arg_4 != 4: sub_15BF0(0, arg_0, k + arg_4*2, 0)
;   arg_4 == 4: sub_15BF0(1, arg_0, table[k] + base, 0), where table is
;               dword_1D450 when arg_C > 4 and dword_1D4D0 otherwise,
;               and base is sub_13610() when arg_8 == 4, else 0. When
;               arg_8 == 4 the dword at [[obj+1A1Ch]+58h] is cleared.
; NOTE(review): the table index is the loop counter, bounded only by
; arg_C; the table sizes are not visible here, so confirm callers cap
; arg_C.
sub_17130 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h

push    ebp
mov     ebp, [esp+arg_0]
cmp     ebp, 4
push    edi
mov     edi, ecx ; edi = object pointer
jnz     short loc_1714F
mov     ecx, [edi+1A3Ch]
push    0
call    sub_13630
pop     edi
pop     ebp
retn    10h

loc_1714F:
mov     eax, [esp+4+arg_4]
add     eax, 1
xor     ecx, ecx
cmp     eax, 5
setz    cl ; ecx = (arg_4 == 4)
push    ebx
push    esi
xor     esi, esi
mov     eax, ecx
cmp     eax, esi
mov     [esp+0Ch+arg_0], eax ; arg_0 slot now holds the 0/1 flag; ebp keeps arg_0
jnz     short loc_171A6
mov     ebx, [esp+0Ch+arg_C]
cmp     ebx, esi
jbe     loc_17209 ; count == 0
jmp     short loc_17180
align 10h

loc_17180:
mov     edx, [esp+0Ch+arg_4]
mov     ecx, [edi+1A3Ch]
push    0
lea     eax, [esi+edx*2]
push    eax
push    ebp
push    0
call    sub_15BF0 ; (0, arg_0, k + arg_4*2, 0)
add     esi, 1
cmp     esi, ebx
jb      short loc_17180
pop     esi
pop     ebx
pop     edi
pop     ebp
retn    10h

loc_171A6:
cmp     [esp+0Ch+arg_8], 4
mov     [esp+0Ch+arg_4], esi ; base = 0 (arg_4 slot is reused)
jnz     short loc_171C9
mov     ecx, [edi+1A3Ch]
call    sub_13610
mov     ecx, [edi+1A1Ch]
mov     [esp+0Ch+arg_4], eax ; base = sub_13610()
mov     [ecx+58h], esi ; esi is 0: clear [[obj+1A1Ch]+58h]

loc_171C9:
mov     ebx, [esp+0Ch+arg_C]
xor     esi, esi
test    ebx, ebx
jbe     short loc_17209

loc_171D3:
cmp     ebx, 4
jbe     short loc_171E1
mov     eax, ds:dword_1D450[esi*4] ; count > 4
jmp     short loc_171E8

loc_171E1:
mov     eax, ds:dword_1D4D0[esi*4] ; count <= 4

loc_171E8:
mov     edx, [esp+0Ch+arg_4]
mov     ecx, [edi+1A3Ch]
push    0
add     eax, edx
push    eax
mov     eax, [esp+14h+arg_0]
push    ebp
push    eax
call    sub_15BF0 ; (1, arg_0, table[k] + base, 0); the flag slot holds 1 on this path
add     esi, 1
cmp     esi, ebx
jb      short loc_171D3

loc_17209:
pop     esi
pop     ebx
pop     edi
pop     ebp
retn    10h
sub_17130 endp

; The dd rows below are machine code that IDA left undefined, not data:
; read little-endian the first dword is 8B 44 24 14 (mov eax,[esp+14h]),
; the 3C 1A 00 00 displacement used throughout this file ([reg+1A3Ch])
; recurs, and the 0CCh runs are int3 padding between routines. The
; instructions after the last row are the tail of a routine that begins
; inside these bytes, so its prologue is not visible as code.
; NOTE(review): define these bytes as code in IDA before relying on this
; part of the listing; several small routines are hidden here.
dword_17210 dd 1424448Bh, 8BF18B56h, 1A3C8Eh, 0EDE85000h
dd 8BFFFFC6h, 510C244Ch, 1A3C8E8Bh, 7DE80000h
dd 8BFFFFC6h, 8B142454h, 1A3C8Eh, 0BDE85200h
dd 33FFFFC6h, 14C25EC0h, 0CCCCCC00h, 0CCCCCCCCh
dd 1A3C898Bh, 65E90000h, 0CCFFFFE4h, 0CCCCCCCCh
dd 332C418Bh, 89C23BD2h, 51893451h, 8B0B7530h
dd 1A3C89h, 0C906E900h, 0CCC3FFFFh, 0CCCCCCCCh
dd 4189C033h, 30418934h, 1A3C898Bh, 0BDE90000h
dd 0CCFFFFC7h, 3 dup(0CCCCCCCCh), 2444B60Fh
dd 24448904h, 3C898B04h, 0E900001Ah, 0FFFFC81Ch
dd 3 dup(0CCCCCCCCh), 824448Bh, 7501F883h
dd 44B60F20h, 44830424h, 83013081h, 130817Ch
dd 898B2B75h, 1A3Ch, 0C7BAE850h, 8C2FFFFh
dd 75C08500h, 44B60F18h, 44830424h, 75FF3081h
dd 3C898B0Ch, 5000001Ah, 0FFC75BE8h, 8C2FFh
dd 2 dup(0CCCCCCCCh), 424448Bh, 548B60Fh
dd 450B60Fh, 8B51008Bh, 1A3C88h, 35E85200h
dd 0B0FFFFC8h, 4C201h, 5308EC83h, 10245C8Ah
dd 0C3B60F56h, 8E8BF18Bh, 1A3Ch, 0C7F6E850h
dd 0C085FFFFh, 335E0A74h, 0C4835BC0h, 8C208h
dd 8A08468Bh, 8D18244Ch, 52082454h
; dword_17210+100h is the dword 424448Bh above (8B 44 24 04, i.e.
; mov eax,[esp+4]): the start of one of the undefined routines, passed
; here as the second argument of KeSynchronizeExecution.
push    (offset dword_17210+100h)
push    eax
mov     [esp+14h], esi ; three stores fill a small on-stack structure: a pointer...
mov     [esp+18h], bl ; ...and two bytes
mov     [esp+19h], cl
call    ds:KeSynchronizeExecution
pop     esi
mov     eax, 1
pop     ebx
add     esp, 8
retn    8
align 10h


; Attributes: bp-based frame

; sub_17390: ecx = object pointer, four stack arguments, retn 10h,
; ebp-based frame with esp aligned down to 8.
; Copies 147h dwords (51Ch bytes) from the pointer returned by sub_138F0
; into the stack buffer var_520, patches fields of that copy and hands
; it to sub_157C0, then signals the event at [obj+19D4h] if present.
;   arg_0 != 0        : return without doing anything else.
;   arg_4 == 0        : if [obj+1A30h] is set, clear it and return;
;                       otherwise compute var_45C / var_458 from the two
;                       values sub_13920 returns, scaled by arg_8 / arg_C
;                       and shifted right by 4.
;   arg_4 == 1        : if [obj+1A34h] is set, clear it and return;
;                       otherwise var_460 = arg_8.
;   any other arg_4   : pass the unmodified copy to sub_157C0.
; NOTE(review): the pointer returned by sub_138F0 is used as the copy
; source without a NULL check, and the scaling mixes a signed compare
; (jle) with an unsigned shift (shr) - confirm the value ranges.
sub_17390 proc near

var_528= dword ptr -528h
var_524= dword ptr -524h
var_520= dword ptr -520h
var_460= dword ptr -460h
var_45C= dword ptr -45Ch
var_458= dword ptr -458h
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h

push    ebp
mov     ebp, esp
and     esp, 0FFFFFFF8h
sub     esp, 52Ch
push    ebx
push    esi
mov     ebx, ecx ; ebx = object pointer
mov     ecx, [ebx+1A3Ch]
push    edi
call    sub_138F0
mov     ecx, 147h ; dword count: 147h * 4 = 51Ch bytes
mov     esi, eax
lea     edi, [esp+538h+var_520]
rep movsd ; local copy of the block returned by sub_138F0
xor     esi, esi ; esi = 0 for the rest of the routine
cmp     [ebp+arg_0], esi
jnz     loc_17498
mov     eax, [ebp+arg_4]
sub     eax, esi
jz      short loc_173F7 ; arg_4 == 0
sub     eax, 1
jnz     loc_17475 ; arg_4 is neither 0 nor 1
cmp     [ebx+1A34h], esi
jz      short loc_173EB
mov     [ebx+1A34h], esi ; flag was set: clear it and return
pop     edi
pop     esi
pop     ebx
mov     esp, ebp
pop     ebp
retn    10h

loc_173EB:
mov     eax, [ebp+arg_8]
mov     [esp+538h+var_460], eax
jmp     short loc_17475

loc_173F7:
cmp     [ebx+1A30h], esi
jz      short loc_1740E
mov     [ebx+1A30h], esi ; flag was set: clear it and return
pop     edi
pop     esi
pop     ebx
mov     esp, ebp
pop     ebp
retn    10h

loc_1740E:
lea     ecx, [esp+538h+var_528]
push    ecx
mov     ecx, [ebx+1A3Ch]
lea     edx, [esp+53Ch+var_524]
push    edx
push    1
call    sub_13920 ; sub_13920(1, &var_524, &var_528)
mov     eax, [esp+538h+var_524]
mov     edx, [esp+538h+var_528]
cmp     eax, edx
jle     short loc_1743E
mov     ecx, eax
sub     ecx, edx
imul    ecx, [ebp+arg_8]
shr     ecx, 4 ; ecx = ((var_524 - var_528) * arg_8) >> 4
jmp     short loc_1744B

loc_1743E:
mov     ecx, edx
sub     ecx, eax
imul    ecx, [ebp+arg_8]
shr     ecx, 4
add     ecx, eax ; ecx = (((var_528 - var_524) * arg_8) >> 4) + var_524

loc_1744B:
cmp     eax, edx
jle     short loc_1745A
sub     eax, edx
imul    eax, [ebp+arg_C]
shr     eax, 4 ; same computation with arg_C
jmp     short loc_17467

loc_1745A:
sub     edx, eax
imul    edx, [ebp+arg_C]
shr     edx, 4
add     edx, eax
mov     eax, edx

loc_17467:
mov     [esp+538h+var_45C], ecx
mov     [esp+538h+var_458], eax

loc_17475:
mov     ecx, [ebx+1A3Ch]
lea     eax, [esp+538h+var_520]
push    eax
call    sub_157C0 ; hand the patched copy back
mov     ebx, [ebx+19D4h]
cmp     ebx, esi
jz      short loc_17498
push    esi
push    esi
push    ebx
call    ds:KeSetEvent ; KeSetEvent([obj+19D4h], 0, 0)

loc_17498:
pop     edi
pop     esi
pop     ebx
mov     esp, ebp
pop     ebp
retn    10h
sub_17390 endp

align 10h



; sub_174B0: ecx = object pointer, one stack argument, retn 4.
; Forwards to sub_13D50(arg_0, 51Ch) on [obj+1A3Ch]. 51Ch is the same
; byte count that sub_17390 copies (147h dwords).
sub_174B0 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
mov     ecx, [ecx+1A3Ch]
push    51Ch
push    eax
call    sub_13D50
retn    4
sub_174B0 endp

align 10h



; sub_174D0: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to
; sub_138F0, which returns to this routine's caller.
sub_174D0 proc near
mov     ecx, [ecx+1A3Ch]
jmp     sub_138F0
sub_174D0 endp

align 10h



; sub_174E0: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to
; sub_157C0; the stack arguments are left in place for it.
sub_174E0 proc near
mov     ecx, [ecx+1A3Ch]
jmp     sub_157C0
sub_174E0 endp

align 10h



; sub_174F0: ecx = object pointer, three stack arguments, retn 0Ch.
;   arg_0 == 1: build an MDL for the 1A0h-byte buffer at [obj+1A1Ch],
;               store it in *arg_4, map it with access mode 1 and store
;               the mapped address in *arg_8.
;   otherwise : unmap *arg_8, free the MDL in *arg_4, clear [obj+1A20h].
; var_14 and var_C are declared by IDA but not referenced.
; NOTE(review): access mode 1 is UserMode, so this exposes nonpaged
; kernel memory directly to the calling process. Mappings are made per
; page, so unless the buffer is page-aligned and page-sized the process
; can also reach whatever else shares those pages. The IoAllocateMdl
; result is used without a NULL check, no exception frame is visible
; around MmMapLockedPages (a user-mode mapping can raise), and neither
; arg_4 nor arg_8 is validated before being written through. Confirm
; who can reach this routine and how the pointers are checked upstream.
sub_174F0 proc near

var_14= dword ptr -14h
var_C= dword ptr -0Ch
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

cmp     [esp+arg_0], 1
push    esi
mov     esi, ecx
jnz     short loc_17534
mov     eax, [esi+1A1Ch]
push    0 ; Irp
push    0 ; ChargeQuota
push    0 ; SecondaryBuffer
push    1A0h ; Length
push    eax ; VirtualAddress = [obj+1A1Ch]
call    ds:IoAllocateMdl
mov     esi, [esp+4+arg_4]
push    eax
mov     [esi], eax ; *arg_4 = MDL (not checked for NULL)
call    ds:MmBuildMdlForNonPagedPool
mov     ecx, [esi]
push    1 ; AccessMode = 1 (UserMode)
push    ecx
call    ds:MmMapLockedPages
mov     edx, [esp+4+arg_8]
mov     [edx], eax ; *arg_8 = mapped address
pop     esi
retn    0Ch

loc_17534:
mov     ecx, [esp+4+arg_8]
mov     edx, [ecx] ; previously mapped address
push    edi
mov     edi, [esp+8+arg_4]
mov     eax, [edi] ; previously allocated MDL
push    eax
push    edx
call    ds:MmUnmapLockedPages ; MmUnmapLockedPages(address, MDL)
mov     eax, [edi]
push    eax
call    ds:IoFreeMdl
pop     edi
mov     dword ptr [esi+1A20h], 0
pop     esi
retn    0Ch
sub_174F0 endp

align 10h



; sub_17570: ecx = object pointer, three stack arguments, retn 0Ch.
; Walks bits 0..7: for every bit set in arg_0 calls
; sub_15BF0(2, 0, bit, arg_8), for every bit set in arg_4 calls
; sub_15BF0(2, 1, bit, arg_8), then calls sub_14770.
; Returns the result of the last sub_15BF0 call, or arg_8 when no bit
; was set. The initial push ecx only reserves the local var_4 (the
; moving bit mask); var_14 is declared by IDA but not referenced.
sub_17570 proc near

var_14= dword ptr -14h
var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

push    ecx
push    ebx
mov     ebx, [esp+8+arg_8] ; default return value = arg_8
push    ebp
mov     ebp, [esp+0Ch+arg_8]
push    esi
push    edi
mov     edi, ecx ; edi = object pointer
mov     [esp+14h+var_4], 1 ; mask = 1
xor     esi, esi ; bit index = 0
lea     esp, [esp+0] ; no-op used as padding

loc_17590:
mov     eax, [esp+14h+arg_0]
test    [esp+14h+var_4], eax
jz      short loc_175AD
mov     ecx, [edi+1A3Ch]
push    ebp
push    esi
push    0
push    2
call    sub_15BF0 ; (2, 0, bit, arg_8)
mov     ebx, eax

loc_175AD:
mov     ecx, [esp+14h+arg_4]
test    [esp+14h+var_4], ecx
jz      short loc_175CA
mov     ecx, [edi+1A3Ch]
push    ebp
push    esi
push    1
push    2
call    sub_15BF0 ; (2, 1, bit, arg_8)
mov     ebx, eax

loc_175CA:
shl     [esp+14h+var_4], 1
add     esi, 1
cmp     esi, 8
jb      short loc_17590
mov     ecx, [edi+1A3Ch]
call    sub_14770
pop     edi
pop     esi
pop     ebp
mov     eax, ebx
pop     ebx
pop     ecx
retn    0Ch
sub_17570 endp

align 10h
; [00000003 BYTES: COLLAPSED FUNCTION nullsub_2. PRESS KEYPAD "+" TO EXPAND]
align 10h



; sub_17600: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to the
; code at loc_13690, which IDA attached to this function as a chunk.
sub_17600 proc near

; FUNCTION CHUNK AT .text:00013690 SIZE 00000009 BYTES

mov     ecx, [ecx+1A3Ch]
jmp     loc_13690
sub_17600 endp

align 10h



; sub_17610: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to
; sub_13710.
sub_17610 proc near
mov     ecx, [ecx+1A3Ch]
jmp     sub_13710
sub_17610 endp

align 10h



; sub_17620: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to
; nullsub_1 (an empty routine by IDA's naming), so the call has no
; visible effect beyond the load.
sub_17620 proc near
mov     ecx, [ecx+1A3Ch]
jmp     nullsub_1
sub_17620 endp

align 10h
; [00000003 BYTES: COLLAPSED FUNCTION nullsub_3. PRESS KEYPAD "+" TO EXPAND]
align 10h



; sub_17640: ecx = object pointer, five stack arguments, retn 14h.
; Forwards to sub_13990(2, arg_0, arg_4, arg_8, arg_C, arg_10) on
; [obj+1A3Ch] and returns its result. sub_17730 is the same wrapper
; with 3 as the first argument.
sub_17640 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_10= dword ptr  14h

mov     eax, [esp+arg_10]
mov     edx, [esp+arg_C]
mov     ecx, [ecx+1A3Ch]
push    eax
mov     eax, [esp+4+arg_8]
push    edx
mov     edx, [esp+8+arg_4]
push    eax
mov     eax, [esp+0Ch+arg_0]
push    edx
push    eax
push    2 ; fixed first argument
call    sub_13990
retn    14h
sub_17640 endp

align 10h



; sub_17670: ecx = object pointer, two stack arguments, retn 8.
; Treats arg_0 as two 16-bit masks. For bit 0..15: when the bit is set
; in the low half calls sub_15BF0(2, 0, bit, arg_4); when it is set in
; the high half calls sub_15BF0(2, 1, bit, arg_4). Calls sub_14770
; afterwards only when arg_4 == 0.
; Returns the result of the last sub_15BF0 call, or arg_0 when no bit
; was set.
sub_17670 proc near

var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8

sub     esp, 0Ch
mov     eax, [esp+0Ch+arg_0]
push    ebx
mov     ebx, [esp+10h+arg_0] ; default return value = arg_0
push    ebp
mov     ebp, [esp+14h+arg_4]
push    esi
shr     eax, 10h
push    edi
mov     edi, ecx ; edi = object pointer
mov     [esp+1Ch+var_4], eax ; var_4 = high 16 bits of arg_0
mov     [esp+1Ch+var_C], 1 ; var_C = moving bit mask
xor     esi, esi ; bit index = 0
mov     [esp+1Ch+var_8], 10h ; var_8 = remaining iterations (16)
mov     edi, edi ; two-byte no-op used as padding

loc_176A0:
mov     eax, [esp+1Ch+var_C]
and     eax, [esp+1Ch+arg_0]
test    ax, ax
jz      short loc_176C0
mov     ecx, [edi+1A3Ch]
push    ebp
push    esi
push    0
push    2
call    sub_15BF0 ; (2, 0, bit, arg_4)
mov     ebx, eax

loc_176C0:
mov     ecx, [esp+1Ch+var_C]
and     ecx, [esp+1Ch+var_4]
test    cx, cx
jz      short loc_176E0
mov     ecx, [edi+1A3Ch]
push    ebp
push    esi
push    1
push    2
call    sub_15BF0 ; (2, 1, bit, arg_4)
mov     ebx, eax

loc_176E0:
shl     [esp+1Ch+var_C], 1
add     esi, 1
sub     [esp+1Ch+var_8], 1
jnz     short loc_176A0
test    ebp, ebp
jnz     short loc_176FD ; arg_4 != 0: skip sub_14770
mov     ecx, [edi+1A3Ch]
call    sub_14770

loc_176FD:
pop     edi
pop     esi
pop     ebp

loc_17700:
mov     eax, ebx
pop     ebx
add     esp, 0Ch
retn    8
sub_17670 endp

align 10h



; sub_17710: ecx = object pointer, no stack arguments.
; Returns the dword at [obj+1A2Ch] and resets it to 0.
; NOTE(review): the read and the clear are two separate instructions,
; not an atomic exchange; if another context can write this field
; between them an update can be lost - confirm how the field is guarded.
sub_17710 proc near
mov     eax, [ecx+1A2Ch]
mov     dword ptr [ecx+1A2Ch], 0
retn
sub_17710 endp

align 10h



; sub_17730: ecx = object pointer, five stack arguments, retn 14h.
; Forwards to sub_13990(3, arg_0, arg_4, arg_8, arg_C, arg_10) on
; [obj+1A3Ch] and returns its result. sub_17640 is the same wrapper
; with 2 as the first argument.
sub_17730 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_10= dword ptr  14h

mov     eax, [esp+arg_10]
mov     edx, [esp+arg_C]
mov     ecx, [ecx+1A3Ch]
push    eax
mov     eax, [esp+4+arg_8]
push    edx
mov     edx, [esp+8+arg_4]
push    eax
mov     eax, [esp+0Ch+arg_0]
push    edx
push    eax
push    3 ; fixed first argument
call    sub_13990
retn    14h
sub_17730 endp

align 10h



; sub_17760: ecx = object pointer, three stack arguments, retn 0Ch.
; Walks bits 0..31: for every bit set in arg_0 calls
; sub_15BF0(3, 1, bit, arg_8), for every bit set in arg_4 calls
; sub_15BF0(3, 0, bit, arg_8). Calls sub_14770 afterwards only when
; arg_8 == 0. No return value is set explicitly; eax holds whatever
; the last call left there.
sub_17760 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h

push    ebx
mov     ebx, [esp+arg_8]
push    ebp
push    esi
push    edi
mov     edi, ecx ; edi = object pointer
mov     ebp, 1 ; moving bit mask
xor     esi, esi ; bit index = 0

loc_17771:
mov     eax, [esp+0Ch+arg_0]
test    ebp, eax
jz      short loc_1778A
mov     ecx, [edi+1A3Ch]
push    ebx
push    esi
push    1
push    3
call    sub_15BF0 ; (3, 1, bit, arg_8)

loc_1778A:
mov     ecx, [esp+0Ch+arg_4]
test    ebp, ecx
jz      short loc_177A3
mov     ecx, [edi+1A3Ch]
push    ebx
push    esi
push    0
push    3
call    sub_15BF0 ; (3, 0, bit, arg_8)

loc_177A3:
add     esi, 1
add     ebp, ebp ; mask <<= 1
cmp     esi, 20h
jb      short loc_17771
test    ebx, ebx
jnz     short loc_177BC ; arg_8 != 0: skip sub_14770
mov     ecx, [edi+1A3Ch]
call    sub_14770

loc_177BC:
pop     edi
pop     esi
pop     ebp
pop     ebx
retn    0Ch
sub_17760 endp

align 10h



; sub_177D0: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to the
; code at loc_136D0, which IDA attached to this function as a chunk.
; arg_0 and arg_4 are consumed by that chunk, not here.
sub_177D0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

; FUNCTION CHUNK AT .text:000136D0 SIZE 0000002E BYTES

mov     ecx, [ecx+1A3Ch]
jmp     loc_136D0
sub_177D0 endp

align 10h



; sub_177E0: ecx = object pointer, retn 4.
; Calls sub_13940 on [obj+1A3Ch] and returns its result. The routine
; removes one stack argument on return but never reads it.
sub_177E0 proc near
mov     ecx, [ecx+1A3Ch]
call    sub_13940
retn    4
sub_177E0 endp

align 10h



; sub_177F0: ecx = object pointer, two stack arguments, retn 8.
; Stores arg_0 at [obj+1A24h] and arg_4 at [obj+1A28h]. sub_16B80 and
; sub_16D10 later call [obj+1A24h] with [obj+1A28h] as second argument,
; so this registers a callback and its context.
; NOTE(review): the two fields are written with separate stores and no
; lock is visible here, while the readers look like interrupt-level
; code; confirm that registration cannot race with a pending callback
; and that the caller supplying the pointer is trusted.
sub_177F0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]
mov     edx, [esp+arg_4]
mov     [ecx+1A24h], eax
mov     [ecx+1A28h], edx
retn    8
sub_177F0 endp

align 10h



; sub_17810: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to the
; code at loc_13DC0, which IDA attached to this function as a chunk.
; The four stack arguments are consumed by that chunk, not here.
sub_17810 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h

; FUNCTION CHUNK AT .text:00013DC0 SIZE 00000102 BYTES

mov     ecx, [ecx+1A3Ch]
jmp     loc_13DC0
sub_17810 endp

align 10h



; sub_17820: thunk. Replaces ecx with [ecx+1A3Ch] and tail-jumps to the
; code at loc_13EE0, which IDA attached to this function as a chunk.
; The three stack arguments are consumed by that chunk, not here.
sub_17820 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

; FUNCTION CHUNK AT .text:00013EE0 SIZE 000000F6 BYTES

mov     ecx, [ecx+1A3Ch]
jmp     loc_13EE0
sub_17820 endp

align 10h



; sub_17830: ecx = object pointer, no stack arguments.
; Calls sub_13960(a, b, c) on [obj+1A3Ch] for a = 0..4, b = 0..1,
; c = 0..7 and returns 1 as soon as one call returns non-zero.
; When every call returns 0 it falls through with eax still 0 from the
; last call, so the result is 0.
sub_17830 proc near
push    ebx
push    ebp
push    esi
push    edi
mov     ebp, ecx ; ebp = object pointer
xor     ebx, ebx ; a = 0
jmp     short loc_17840
align 10h

loc_17840:
xor     edi, edi ; b = 0

loc_17842:
xor     esi, esi ; c = 0

loc_17844:
mov     ecx, [ebp+1A3Ch]
push    esi
push    edi
push    ebx
call    sub_13960 ; sub_13960(a, b, c)
test    eax, eax
jnz     short loc_17873
add     esi, 1
cmp     esi, 8
jl      short loc_17844
add     edi, 1
cmp     edi, 2
jl      short loc_17842
add     ebx, 1
cmp     ebx, 5
jl      short loc_17840
pop     edi
pop     esi
pop     ebp
pop     ebx
retn

loc_17873:
pop     edi
pop     esi
pop     ebp
mov     eax, 1
pop     ebx
retn
sub_17830 endp

align 10h



; sub_17880: ecx = object pointer, two stack arguments, retn 8.
; When arg_4 == 1 it first runs the same 5 x 2 x 8 scan as sub_17830
; and returns 0 if any sub_13960 call returns non-zero. Otherwise (scan
; clean, or arg_4 != 1) it calls sub_13630(0), then
; sub_15D00([obj+14h], [obj+18h], [obj+1A1Ch], [obj+20h], arg_0),
; stalls the processor with KeStallExecutionProcessor(32h), calls
; sub_13630(1) and returns 1.
sub_17880 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_4], 1
push    ebx
push    ebp
push    esi
push    edi
mov     ebx, ecx ; ebx = object pointer; mov leaves the cmp flags intact
jnz     short loc_178BE ; arg_4 != 1: skip the scan
xor     ebp, ebp ; a = 0
nop

loc_17890:
xor     edi, edi ; b = 0

loc_17892:
xor     esi, esi ; c = 0

loc_17894:
mov     ecx, [ebx+1A3Ch]
push    esi
push    edi
push    ebp
call    sub_13960 ; sub_13960(a, b, c)
test    eax, eax
jnz     short loc_1790F
add     esi, 1
cmp     esi, 8
jl      short loc_17894
add     edi, 1
cmp     edi, 2
jl      short loc_17892
add     ebp, 1
cmp     ebp, 5
jl      short loc_17890

loc_178BE:
mov     ecx, [ebx+1A3Ch]
push    0
call    sub_13630 ; sub_13630(0)
mov     eax, [esp+10h+arg_0]
mov     ecx, [ebx+20h]
mov     edx, [ebx+1A1Ch]
push    eax
mov     eax, [ebx+18h]
push    ecx
mov     ecx, [ebx+14h]
push    edx
push    eax
push    ecx
mov     ecx, [ebx+1A3Ch]
call    sub_15D00
push    32h ; 32h = 50; the parameter of KeStallExecutionProcessor is in microseconds
call    ds:KeStallExecutionProcessor
mov     ecx, [ebx+1A3Ch]
push    1
call    sub_13630 ; sub_13630(1)
pop     edi
pop     esi
pop     ebp
mov     eax, 1
pop     ebx
retn    8

loc_1790F:
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
retn    8
sub_17880 endp

align 10h



; sub_17920: three stack arguments, retn 0Ch; ecx is not an input.
; Writes arg_4 to [arg_0+18h] and arg_8 to [arg_0+1Ch], calls
; IofCompleteRequest with ecx = arg_0 and dl = 0, and returns arg_4.
; Presumably arg_0 is an IRP and the two fields are IoStatus.Status and
; IoStatus.Information - the offsets fit the 32-bit IRP layout; confirm.
; The IRP must not be touched after this call.
sub_17920 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     ecx, [esp+arg_0]
mov     eax, [esp+arg_8]
push    esi
mov     esi, [esp+4+arg_4]
xor     dl, dl ; second register argument = 0
mov     [ecx+18h], esi
mov     [ecx+1Ch], eax
call    ds:IofCompleteRequest
mov     eax, esi ; return the value stored at +18h
pop     esi
retn    0Ch
sub_17920 endp

align 10h



; sub_17950: two stack arguments, retn 8; ecx is not an input.
; Writes arg_4 to [arg_0+18h], calls IofCompleteRequest with
; ecx = arg_0 and dl = 0, and returns arg_4. Same as sub_17920 except
; that the dword at +1Ch is left as the caller set it.
sub_17950 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     ecx, [esp+arg_0]
push    esi
mov     esi, [esp+4+arg_4]
xor     dl, dl ; second register argument = 0
mov     [ecx+18h], esi
call    ds:IofCompleteRequest
mov     eax, esi
pop     esi
retn    8
sub_17950 endp

align 10h

; Undefined entry point (no proc record in the listing). Reads the
; first stack argument, follows the pointer at +28h and tests bit 0 of
; the byte it points to, then tail-jumps to loc_18F10 (bit set) or
; loc_1AFA0 (bit clear) with the stack unchanged.
; Presumably a dispatch routine selecting between two device types via
; a flag at the start of the device extension - TODO confirm.
loc_17970:
mov     eax, [esp+4]
mov     ecx, [eax+28h]
test    byte ptr [ecx], 1
jz      short loc_17985
mov     [esp+4], eax ; rewrites the argument with the same value
jmp     loc_18F10

loc_17985:
mov     [esp+4], eax ; rewrites the argument with the same value
jmp     loc_1AFA0
align 10h

; Undefined entry point (no proc record in the listing), three stack
; arguments, retn 0Ch. Signals the event passed as the third argument
; with KeSetEvent(event, 0, 0) and returns 0C0000016h
; (STATUS_MORE_PROCESSING_REQUIRED). The shape matches an I/O completion
; routine used to wait synchronously for a lower driver - TODO confirm
; against the IoSetCompletionRoutine call site.
loc_17990:
mov     eax, [esp+0Ch]
push    0
push    0
push    eax
call    ds:KeSetEvent
mov     eax, 0C0000016h
retn    0Ch
align 10h



; sub_179B0: two stack arguments, retn 8.
; Compares the 16 bytes at arg_0 with the 16 bytes at arg_4, one dword
; at a time. Returns 1 when all four dwords are equal, 0 otherwise.
; Neither pointer is checked for NULL.
sub_179B0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]
mov     edx, [eax]
mov     ecx, [esp+arg_4]
cmp     edx, [ecx]
jnz     short loc_179DE
mov     edx, [eax+4]
cmp     edx, [ecx+4]
jnz     short loc_179DE
mov     edx, [eax+8]
cmp     edx, [ecx+8]
jnz     short loc_179DE
mov     eax, [eax+0Ch]
cmp     eax, [ecx+0Ch]
jnz     short loc_179DE
mov     eax, 1
retn    8

loc_179DE:
xor     eax, eax
retn    8
sub_179B0 endp

align 10h



; sub_179F0: one stack argument, left on the stack on return (plain
; retn, so the caller cleans up).
; Frees arg_0 with ExFreePool when it is not NULL; does nothing for
; NULL.
sub_179F0 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
test    eax, eax
jz      short locret_179FF
push    eax
call    ds:ExFreePool

locret_179FF:
retn
sub_179F0 endp




; sub_17A00: two stack arguments, retn 8; always returns 0.
; Fills the structure at arg_0:
;   +00h..+0Ch : 13 bytes copied from dword_1D580, dword_1D584,
;                dword_1D588 and byte_1D58C
;   +40h       : the dword at [arg_4+8]
;   +44h       : dword_1E1F4
; Neither pointer is checked for NULL.
sub_17A00 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     ecx, ds:dword_1D580
mov     eax, [esp+arg_0]
mov     [eax], ecx
mov     edx, ds:dword_1D584
mov     [eax+4], edx
mov     ecx, ds:dword_1D588
mov     [eax+8], ecx
mov     dl, ds:byte_1D58C
mov     ecx, dword_1E1F4
mov     [eax+0Ch], dl ; 13th byte
mov     edx, [esp+arg_4]
mov     [eax+44h], ecx
mov     ecx, [edx+8]
mov     [eax+40h], ecx
xor     eax, eax
retn    8
sub_17A00 endp

align 10h



; sub_17A40: one stack argument (object pointer), retn 4.
; Disables the device interface whose symbolic link name is at
; [obj+0Ch], opens its registry key, writes the 4-byte values
; "GetInterfaceCallback" and "DeviceExtension" (type 4), calls the
; routine at slot +8 of the table pointed to by [[obj+8]], and closes
; the key.
; IDA lost track of the stack pointer here (see "sp = 60h" at endp), so
; the symbolic var_/arg_ names in the operands are unreliable; going by
; the raw displacements, the data pointer of both ZwSetValueKey calls
; is the dword zeroed just before the first RtlInitUnicodeString call,
; i.e. both values are written as 0.
; NOTE(review): the value names suggest that elsewhere the driver
; stores a callback address and its device-extension address in the
; registry, which would expose kernel addresses to anything that can
; read the key and invites trusting a value that can be rewritten from
; user mode - check the code that writes the non-zero values and the
; key's ACL. No return status is checked here: if the key open fails,
; ZwSetValueKey and ZwClose are called with the handle still 0.
sub_17A40 proc near

var_1C= dword ptr -1Ch
var_18= dword ptr -18h
var_14= dword ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
arg_0= dword ptr  4
arg_18= dword ptr  1Ch
arg_1C= dword ptr  20h
arg_20= dword ptr  24h
arg_2C= dword ptr  30h
arg_48= dword ptr  4Ch

sub     esp, 0Ch
push    ebx
push    esi
push    edi
mov     edi, [esp+18h+arg_0] ; edi = object pointer
push    0 ; Enable = FALSE
lea     esi, [edi+0Ch] ; symbolic link name
push    esi
mov     [esp+20h+var_C], 0 ; key handle = 0
call    ds:IoSetDeviceInterfaceState
lea     eax, [esp+18h+var_C]
push    eax ; receives the key handle
push    0F003Fh ; desired access (KEY_ALL_ACCESS)
push    esi
call    ds:IoOpenDeviceInterfaceRegistryKey
mov     esi, ds:RtlInitUnicodeString
push    offset aGetinterfaceca ; "GetInterfaceCallback"
lea     ecx, [esp+28h+var_14]
push    ecx
mov     [esp+2Ch+var_8], 0 ; the dword later passed as value data
call    esi ; RtlInitUnicodeString
mov     ecx, [esp+1Ch+var_10] ; key handle
mov     ebx, ds:ZwSetValueKey
push    4 ; DataSize
lea     edx, [esp+20h]
push    edx ; Data
push    4 ; Type
push    0 ; TitleIndex
lea     eax, [esp+2Ch+var_C]
push    eax ; ValueName
push    ecx ; KeyHandle
call    ebx ; ZwSetValueKey
push    offset aDeviceextensio ; "DeviceExtension"
lea     edx, [esp-10h+arg_20]
push    edx
call    esi ; RtlInitUnicodeString
mov     edx, [esp+0Ch] ; key handle
push    4 ; DataSize
lea     eax, [esp+20h]
push    eax ; Data (same dword as above)
push    4 ; Type
push    0 ; TitleIndex
lea     ecx, [esp+20h]
push    ecx ; ValueName
push    edx ; KeyHandle
call    ebx ; ZwSetValueKey
mov     eax, [edi+8]
mov     ecx, [eax]
mov     edx, [ecx+8]
push    eax
call    edx ; table slot +8 of the object at [obj+8], called with that object
mov     eax, [esp+0Ch]
push    eax
call    ds:ZwClose
pop     edi
pop     esi
pop     ebx
add     esp, 0Ch
retn    4
sub_17A40 endp ; sp =  60h

align 10h



; sub_17AF0: three stack arguments, retn 0Ch.
; Compares the 16 bytes at arg_4 with two 16-byte constants
; (dword_1D560.. and dword_1D5DC..).
;   no match : *arg_8 = 0, returns 0C000000Dh.
;   match    : *arg_8 = arg_0 - 4; if that is 0 returns 0C000000Dh,
;              otherwise calls the routine at slot +4 of the table the
;              result points to (with the result as argument) and
;              returns 0.
; The shape is that of a QueryInterface-style lookup with two accepted
; identifiers and a reference-count call - TODO confirm.
; NOTE(review): arg_4 and arg_8 are dereferenced without a NULL check.
sub_17AF0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     eax, [esp+arg_4]
mov     ecx, [eax]
cmp     ecx, ds:dword_1D560
mov     edx, [eax+4]
push    esi
jnz     short loc_17B20
cmp     edx, ds:dword_1D564
jnz     short loc_17B20
mov     esi, [eax+8]
cmp     esi, ds:dword_1D568
jnz     short loc_17B20
mov     esi, [eax+0Ch]
cmp     esi, ds:dword_1D56C
jz      short loc_17B59 ; first identifier matched

loc_17B20:
cmp     ecx, ds:dword_1D5DC
jnz     short loc_17B46
cmp     edx, ds:dword_1D5E0
jnz     short loc_17B46
mov     edx, [eax+8]
cmp     edx, ds:dword_1D5E4
jnz     short loc_17B46
mov     eax, [eax+0Ch]
cmp     eax, ds:dword_1D5E8
jz      short loc_17B59 ; second identifier matched

loc_17B46:
mov     edx, [esp+4+arg_8]
mov     dword ptr [edx], 0 ; no match: clear the output pointer

loc_17B50:
mov     eax, 0C000000Dh
pop     esi
retn    0Ch

loc_17B59:
mov     eax, [esp+4+arg_0]
mov     ecx, [esp+4+arg_8]
add     eax, 0FFFFFFFCh ; arg_0 - 4
test    eax, eax
mov     [ecx], eax ; mov leaves the flags from test intact
jz      short loc_17B50
mov     ecx, [eax]
mov     edx, [ecx+4]
push    eax
call    edx ; table slot +4, called with the returned pointer
xor     eax, eax
pop     esi
retn    0Ch
sub_17AF0 endp

align 10h



; sub_17B80 - forwarding thunk: replaces the first stack argument with the pointer stored at
; [arg_0+0Ch] and tail-jumps to the method at offset 0 of that object's vtable.
; The stack is left for the target to clean, so the target must have a compatible argument list.
; NOTE(review): neither arg_0 nor [arg_0+0Ch] is checked for NULL before being dereferenced.
sub_17B80 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
mov     eax, [eax+0Ch]
mov     ecx, [eax]
; overwrite the caller's first argument in place with the inner object
mov     [esp+arg_0], eax
mov     eax, [ecx]
jmp     eax
sub_17B80 endp

align 10h



; sub_17BA0 - forwarding thunk: replaces the first stack argument with the pointer stored at
; [arg_0+0Ch] and tail-jumps to the method at offset +4 of that object's vtable.
; NOTE(review): neither arg_0 nor [arg_0+0Ch] is checked for NULL before being dereferenced.
sub_17BA0 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
mov     eax, [eax+0Ch]
mov     ecx, [eax]
; overwrite the caller's first argument in place with the inner object
mov     [esp+arg_0], eax
mov     edx, [ecx+4]
jmp     edx
sub_17BA0 endp

align 10h



; sub_17BC0 - forwarding thunk: replaces the first stack argument with the pointer stored at
; [arg_0+0Ch] and tail-jumps to the method at offset +8 of that object's vtable.
; NOTE(review): neither arg_0 nor [arg_0+0Ch] is checked for NULL before being dereferenced.
sub_17BC0 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
mov     eax, [eax+0Ch]
mov     ecx, [eax]
; overwrite the caller's first argument in place with the inner object
mov     [esp+arg_0], eax
mov     edx, [ecx+8]
jmp     edx
sub_17BC0 endp

align 10h



; sub_17BE0 - request dispatcher (four stack args, callee-cleaned: retn 10h).
;   arg_0: per-client state block (fields at +10h, +14h.., +214h.., +41Ch..+434h are used below)
;   arg_4: request code; codes 1000h..1017h are mapped through byte_180EC to a handler in off_180C0
;   arg_8: index into the global table dword_1E1D0 (each entry is passed in ecx to the sub_17xxx helpers)
;   arg_C: request buffer, read and/or written depending on the code
; Returns 0 from every path except loc_18044, which leaves the sub_177E0 result in eax.
; NOTE(review): arg_8 is used as a table index with no range check in this routine, and the handlers
; read or write fixed-size regions of arg_C (up to 408h bytes) without seeing a buffer length here.
; Both must be validated by the caller if the values can come from an untrusted requester - confirm.
sub_17BE0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h

mov     eax, [esp+arg_4]
push    ebx
push    ebp
; eax = code - 1000h; anything above 17h (including codes below 1000h, unsigned) is ignored
add     eax, 0FFFFF000h
cmp     eax, 17h
push    esi
push    edi
ja      loc_180B5
movzx   eax, ds:byte_180EC[eax]
jmp     ds:off_180C0[eax*4]

loc_17C04:
; handler 0: store a constant at [arg_C+10h] and return 0
; NOTE(review): IDA rendered the immediate 20000h as an offset; it may be a plain constant - confirm
mov     ecx, [esp+10h+arg_C]
pop     edi
pop     esi
pop     ebp
mov     dword ptr [ecx+10h], offset dword_20000
xor     eax, eax
pop     ebx
retn    10h

loc_17C18:
; handler 1: fill a 364h-byte description block at arg_C
mov     ebp, [esp+10h+arg_C]
push    364h
push    0
push    ebp
call    memset
; memset's three arguments stay on the stack until the add esp, 0Ch further down,
; which is why the operands below use a 1Ch base
; Copy 20 bytes from dword_1D610.. to the start of the block and build a short suffix
; string in the (now free) arg_C stack slot: word_1D624, byte_1D626, with the second
; character replaced by arg_8 + 31h
mov     dx, ds:word_1D624
mov     al, ds:byte_1D626
mov     ecx, ds:dword_1D610
mov     ebx, [esp+1Ch+arg_8]
mov     [ebp+0], ecx
mov     word ptr [esp+1Ch+arg_C], dx
mov     edx, ds:dword_1D614
mov     [ebp+4], edx
mov     byte ptr [esp+1Ch+arg_C+2], al
mov     eax, ds:dword_1D618
mov     [ebp+8], eax
mov     ecx, ds:dword_1D61C
mov     al, bl
add     esp, 0Ch
add     al, 31h
mov     [ebp+0Ch], ecx
mov     edx, ds:dword_1D620
mov     byte ptr [esp+10h+arg_C+1], al
lea     eax, [esp+10h+arg_C]
mov     [ebp+10h], edx
mov     ecx, eax
nop

loc_17C80:
; scan the suffix string for its terminating zero byte
; NOTE(review): assumes byte_1D626 is 0 so that the three-byte suffix is terminated - confirm
mov     dl, [eax]
add     eax, 1
test    dl, dl
jnz     short loc_17C80
mov     edi, ebp
; eax = suffix length including the terminator
sub     eax, ecx
mov     esi, ecx
add     edi, 0FFFFFFFFh

loc_17C92:
; find the terminator of the string already at the start of the block
mov     cl, [edi+1]
add     edi, 1
test    cl, cl
jnz     short loc_17C92
; append the suffix (dwords first, then the remaining bytes)
mov     ecx, eax
shr     ecx, 2
rep movsd
mov     ecx, eax
and     ecx, 3
rep movsb
; fixed fields: +40h = 8, +44h = 8, +48h = 1Fh, +4Ch = 400h, +50h = 2
mov     eax, 8
mov     [ebp+44h], eax
mov     [ebp+40h], eax
mov     dword ptr [ebp+48h], 1Fh
mov     dword ptr [ebp+4Ch], 400h
mov     dword ptr [ebp+50h], 2
xor     eax, eax
lea     ecx, [ebp+58h]
nop

loc_17CD0:
; zero [ebp+40h] dwords starting at +58h
mov     dword ptr [ecx], 0
add     eax, 1
add     ecx, 4
cmp     eax, [ebp+40h]
jb      short loc_17CD0
; +258h and +25Ch each receive 8 * sub_17600() for the selected table entry
mov     ecx, dword_1E1D0[ebx*4]
call    sub_17600
add     eax, eax
add     eax, eax
add     eax, eax
mov     [ebp+258h], eax
mov     ecx, dword_1E1D0[ebx*4]
call    sub_17600
add     eax, eax
add     eax, eax
pop     edi
add     eax, eax
pop     esi
mov     [ebp+25Ch], eax
pop     ebp
xor     eax, eax
pop     ebx
retn    10h

loc_17D1A:
; handler 2: arg_C holds four 64-dword arrays (+0, +100h, +200h, +300h) and a dword at +400h
mov     ebp, [esp+10h+arg_C]
mov     eax, [ebp+400h]
mov     esi, [esp+10h+arg_8]
; half of [arg_C+400h] is kept in the arg_4 stack slot as the offset of the second call's value
shr     eax, 1
xor     edi, edi
mov     [esp+10h+arg_4], eax
add     ebp, 300h

loc_17D36:
; ebp = arg_C + 300h + 4*edi, so [ebp-100h] is the +200h array and [ebp+0] the +300h array
; only entries 0..7 whose flag equals 1 are acted on, although the loop visits 64
cmp     dword ptr [ebp-100h], 1
jnz     short loc_17D75
cmp     edi, 8
jnb     short loc_17D75
mov     ebx, [ebp+0]
mov     ecx, dword_1E1D0[esi*4]
; sub_17730 receives five stack arguments and the table entry in ecx
push    1
push    ebx
push    0
push    edi
push    1
call    sub_17730
mov     ecx, [esp+10h+arg_4]
push    1
add     ebx, ecx
mov     ecx, dword_1E1D0[esi*4]
push    ebx
push    1
push    edi
push    1
call    sub_17730

loc_17D75:
; same pair of calls for the +0 (flag) and +100h (value) arrays, with 0 as the first argument
cmp     dword ptr [ebp-300h], 1
jnz     short loc_17DB7
cmp     edi, 8
jnb     short loc_17DB7
mov     ebx, [ebp-200h]
mov     ecx, dword_1E1D0[esi*4]
push    1
push    ebx
push    0
push    edi
push    0
call    sub_17730
mov     edx, [esp+10h+arg_4]
mov     ecx, dword_1E1D0[esi*4]
push    1
add     ebx, edx
push    ebx
push    1
push    edi
push    0
call    sub_17730

loc_17DB7:
add     edi, 1
add     ebp, 4
cmp     edi, 40h
jb      loc_17D36
; keep a copy of the request: 102h dwords (408h bytes) from arg_C to arg_0+14h
mov     edi, [esp+10h+arg_0]
mov     esi, [esp+10h+arg_C]
add     edi, 14h
mov     ecx, 102h
rep movsd
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
retn    10h

loc_17DE1:
; handler 3: walk the flag arrays saved at arg_0+214h and arg_0+14h by handler 2
mov     ebp, [esp+10h+arg_0]
mov     edi, [esp+10h+arg_8]
xor     esi, esi
mov     ebx, 1

loc_17DF0:
cmp     [ebp+esi*4+214h], ebx
jnz     short loc_17E23
cmp     esi, 8
jnb     short loc_17E23
mov     ecx, dword_1E1D0[edi*4]
push    ebx
push    0
push    0
push    esi
push    ebx
call    sub_17730
mov     ecx, dword_1E1D0[edi*4]
push    ebx
push    0
push    ebx
push    esi
push    ebx
call    sub_17730

loc_17E23:
cmp     [ebp+esi*4+14h], ebx
jnz     short loc_17E55
; NOTE(review): this test uses ja where the three sibling tests use jnb, so index 8 is
; accepted on this path only - looks like an off-by-one in the original source, confirm
cmp     esi, 8
ja      short loc_17E55
mov     ecx, dword_1E1D0[edi*4]
push    ebx
push    0
push    0
push    esi
push    0
call    sub_17730
mov     ecx, dword_1E1D0[edi*4]
push    ebx
push    0
push    ebx
push    esi
push    0
call    sub_17730

loc_17E55:
add     esi, ebx
cmp     esi, 40h
jb      short loc_17DF0
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
retn    10h

loc_17E65:
; handler 4: set [arg_0+430h] = 1 and [arg_0+434h] = 0, then fold the first eight flags of
; each saved array into a bit mask: ecx from +214h..+230h, eax from +14h..+30h (bit n = entry n == 1)
mov     esi, [esp+10h+arg_0]
xor     ebp, ebp
mov     ebx, 1
xor     ecx, ecx
xor     eax, eax
mov     [esi+430h], ebx
mov     [esi+434h], ebp
cmp     [esi+214h], ebx
jnz     short loc_17E8A
mov     ecx, ebx

loc_17E8A:
cmp     [esi+218h], ebx
jnz     short loc_17E95
or      ecx, 2

loc_17E95:
cmp     [esi+21Ch], ebx
jnz     short loc_17EA0
or      ecx, 4

loc_17EA0:
cmp     [esi+220h], ebx
jnz     short loc_17EAB
or      ecx, 8

loc_17EAB:
cmp     [esi+224h], ebx
jnz     short loc_17EB6
or      ecx, 10h

loc_17EB6:
cmp     [esi+228h], ebx
jnz     short loc_17EC1
or      ecx, 20h

loc_17EC1:
cmp     [esi+22Ch], ebx
jnz     short loc_17ECC
or      ecx, 40h

loc_17ECC:
cmp     [esi+230h], ebx
jnz     short loc_17EDA
or      ecx, 80h

loc_17EDA:
cmp     [esi+14h], ebx
jnz     short loc_17EE1
mov     eax, ebx

loc_17EE1:
cmp     [esi+18h], ebx
jnz     short loc_17EE9
or      eax, 2

loc_17EE9:
cmp     [esi+1Ch], ebx
jnz     short loc_17EF1
or      eax, 4

loc_17EF1:
cmp     [esi+20h], ebx
jnz     short loc_17EF9
or      eax, 8

loc_17EF9:
cmp     [esi+24h], ebx
jnz     short loc_17F01
or      eax, 10h

loc_17F01:
cmp     [esi+28h], ebx
jnz     short loc_17F09
or      eax, 20h

loc_17F09:
cmp     [esi+2Ch], ebx
jnz     short loc_17F11
or      eax, 40h

loc_17F11:
cmp     [esi+30h], ebx
jnz     short loc_17F1B
or      eax, 80h

loc_17F1B:
; sub_17760(mask from +214h, mask from +14h, 1) on the selected table entry
mov     edi, [esp+10h+arg_8]
push    ebx
push    eax
push    ecx
mov     ecx, dword_1E1D0[edi*4]
call    sub_17760
; sub_177F0 receives the two dwords at +18h and +1Ch of the structure at [arg_0+10h]
mov     eax, [esi+10h]
mov     ecx, [eax+1Ch]
mov     edx, [eax+18h]
push    ecx
mov     ecx, dword_1E1D0[edi*4]
push    edx
call    sub_177F0
; argument (1) for the nullsub_2 call in the shared tail
push    ebx
jmp     loc_18023

loc_17F4B:
; handler 5: same mask construction as handler 4, but [arg_0+430h] is cleared and the
; helpers are called with 0 in place of the 1 / pointer arguments
mov     esi, [esp+10h+arg_0]
xor     ebp, ebp
mov     ebx, 1
xor     ecx, ecx
xor     eax, eax
mov     [esi+430h], ebp
mov     [esi+434h], ebp
cmp     [esi+214h], ebx
jnz     short loc_17F70
mov     ecx, ebx

loc_17F70:
cmp     [esi+218h], ebx
jnz     short loc_17F7B
or      ecx, 2

loc_17F7B:
cmp     [esi+21Ch], ebx
jnz     short loc_17F86
or      ecx, 4

loc_17F86:
cmp     [esi+220h], ebx
jnz     short loc_17F91
or      ecx, 8

loc_17F91:
cmp     [esi+224h], ebx
jnz     short loc_17F9C
or      ecx, 10h

loc_17F9C:
cmp     [esi+228h], ebx
jnz     short loc_17FA7
or      ecx, 20h

loc_17FA7:
cmp     [esi+22Ch], ebx
jnz     short loc_17FB2
or      ecx, 40h

loc_17FB2:
cmp     [esi+230h], ebx
jnz     short loc_17FC0
or      ecx, 80h

loc_17FC0:
cmp     [esi+14h], ebx
jnz     short loc_17FC7
mov     eax, ebx

loc_17FC7:
cmp     [esi+18h], ebx
jnz     short loc_17FCF
or      eax, 2

loc_17FCF:
cmp     [esi+1Ch], ebx
jnz     short loc_17FD7
or      eax, 4

loc_17FD7:
cmp     [esi+20h], ebx
jnz     short loc_17FDF
or      eax, 8

loc_17FDF:
cmp     [esi+24h], ebx
jnz     short loc_17FE7
or      eax, 10h

loc_17FE7:
cmp     [esi+28h], ebx
jnz     short loc_17FEF
or      eax, 20h

loc_17FEF:
cmp     [esi+2Ch], ebx
jnz     short loc_17FF7
or      eax, 40h

loc_17FF7:
cmp     [esi+30h], ebx
jnz     short loc_18001
or      eax, 80h

loc_18001:
mov     edi, [esp+10h+arg_8]
push    ebp
push    eax
push    ecx
mov     ecx, dword_1E1D0[edi*4]
call    sub_17760
mov     ecx, dword_1E1D0[edi*4]
push    ebp
push    ebp
call    sub_177F0
; argument (0) for the nullsub_2 call in the shared tail
push    ebp

loc_18023:
; shared tail of handlers 4 and 5: nullsub_2 consumes the value pushed just before,
; then [arg_0+41Ch] = 0 and [arg_0+424h] = 1
mov     ecx, dword_1E1D0[edi*4]
call    nullsub_2
pop     edi
mov     [esi+41Ch], ebp
mov     [esi+424h], ebx
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
retn    10h

loc_18044:
; handler 6: only when [arg_0+430h] is non-zero (set by handler 4); the sub_177E0 result
; is stored at [arg_0+42Ch] and is also this path's return value (eax is not cleared)
mov     esi, [esp+10h+arg_0]
cmp     dword ptr [esi+430h], 0
jz      short loc_180B5
mov     eax, [esi+434h]
mov     ecx, [esp+10h+arg_8]
mov     ecx, dword_1E1D0[ecx*4]
push    eax
call    sub_177E0
pop     edi
mov     [esi+42Ch], eax
pop     esi
pop     ebp
pop     ebx
retn    10h

loc_18075:
; handler 7: [arg_C+4] = sub_17600() for the selected table entry
mov     edx, [esp+10h+arg_8]
mov     ecx, dword_1E1D0[edx*4]
call    sub_17600
mov     ecx, [esp+10h+arg_C]
pop     edi
pop     esi
pop     ebp
mov     [ecx+4], eax
xor     eax, eax
pop     ebx
retn    10h

loc_18095:
; handler 8: zero 90h bytes at arg_C (the four explicit stores repeat what memset already did)
mov     esi, [esp+10h+arg_C]
push    90h
xor     edi, edi
push    edi
push    esi
call    memset
add     esp, 0Ch
mov     [esi], edi
mov     [esi+4], edi
mov     [esi+8], edi
mov     [esi+0Ch], edi

loc_180B5:
; default exit: unknown or unhandled codes return 0 (success) without touching arg_C
pop     edi
pop     esi
pop     ebp
xor     eax, eax
pop     ebx
retn    10h
sub_17BE0 endp

align 10h
; Jump table for sub_17BE0: eleven handler addresses, selected through the index map below.
off_180C0 dd offset loc_17C04
dd offset loc_17C18
dd offset loc_17D1A
dd offset loc_17DE1
dd offset loc_17E65
dd offset loc_17F4B
dd offset loc_18044
dd offset loc_18075
dd offset loc_18095
dd offset loc_180B5
dd offset loc_180B5
; Index map for sub_17BE0, one byte per request code 1000h..1017h. The disassembler split the
; 24 bytes across byte_180EC and the first five dwords of dword_180F0 (stored little-endian);
; the value 0Ah selects the last off_180C0 entry, loc_180B5.
byte_180EC db 0
db 1, 2, 3
; NOTE(review): the dwords after the 0CCh padding (from 424448Bh to 0CC0010C2h) look like machine
; code that was left as data. They appear to decode to a short routine that copies its second to
; fourth stack arguments to +14h, +18h and +1Ch of the structure at [first argument + 10h] and
; returns 0 with retn 10h - TODO re-run the disassembler over this range and confirm.
dword_180F0 dd 60A0504h, 0A070A0Ah, 0A0A0A0Ah, 80A0A0Ah
dd 9090A09h, 3 dup(0CCCCCCCCh), 424448Bh
dd 8B10488Bh, 89082454h, 488B1451h, 24548B10h
dd 1851890Ch, 8B10408Bh, 8910244Ch, 0C0331C48h
dd 0CC0010C2h, 2 dup(0CCCCCCCCh)



; sub_18140 - teardown counterpart of sub_18300: passes the block at dword_1E1F0 to sub_17A40
; and then releases it with ExFreePool. No arguments, no meaningful return value.
; NOTE(review): dword_1E1F0 is not cleared after the free, so the global keeps a dangling
; pointer, and it is not checked for NULL first (sub_18300 stores the allocation unchecked).
sub_18140 proc near
mov     eax, dword_1E1F0
push    eax
call    sub_17A40
mov     ecx, dword_1E1F0
push    ecx
call    ds:ExFreePool
retn
sub_18140 endp

align 10h



; sub_18160 - append arg_0 to the global table dword_1E1D0 and advance the count in dword_1E1FC.
; One stack argument, callee-cleaned (retn 4); eax leaves holding the new count.
; NOTE(review): there is no upper bound on dword_1E1FC. dword_1E1F0 is used as an unrelated
; pointer elsewhere in this listing, which would leave room for eight entries at most; a ninth
; call would overwrite the globals that follow - confirm the table size and add a limit check.
sub_18160 proc near

arg_0= dword ptr  4

mov     eax, dword_1E1FC
mov     ecx, [esp+arg_0]
mov     dword_1E1D0[eax*4], ecx
add     eax, 1
mov     dword_1E1FC, eax
retn    4
sub_18160 endp

align 10h



; sub_18180 - teardown of the object created in sub_181C0, entered with ecx pointing at its
; second vtable slot (object base + 4); the entry adjusts ecx back to the base.
;   arg_0 (byte): bit 0 set means the memory is also released with ExFreePool
; Returns the object base in eax. One stack argument, callee-cleaned (retn 4).
; NOTE(review): the shape (reset both vtable pointers, call sub_18FBE on the sub-object,
; free when flag bit 0 is set) resembles a compiler-generated deleting destructor - confirm.
sub_18180 proc near

arg_0= byte ptr  4

sub     ecx, 4
jmp     loc_18190
align 10h

loc_18190:
push    esi
mov     esi, ecx
lea     ecx, [esi+4]
; restore the two vtable pointers set by sub_181C0 before tearing down the sub-object at +4
mov     dword ptr [esi], offset off_1D5FC
mov     dword ptr [ecx], offset off_1D5EC
call    sub_18FBE
test    [esp+4+arg_0], 1
jz      short loc_181B5
push    esi
call    ds:ExFreePool

loc_181B5:
mov     eax, esi
pop     esi
retn    4
sub_18180 endp

align 10h



; sub_181C0 - allocate and initialise a 438h-byte object.
;   arg_0: out pointer that receives the new object (written only on success)
; Returns 0 on success, 0C000009Ah (STATUS_INSUFFICIENT_RESOURCES) when the allocation fails.
; One stack argument, callee-cleaned (retn 4).
sub_181C0 proc near

arg_0= dword ptr  8

push    esi
; ExAllocatePoolWithTag(PoolType 0, 438h bytes, tag 706E5748h)
push    706E5748h
push    438h
push    0
call    ds:ExAllocatePoolWithTag
mov     esi, eax
test    esi, esi
jz      short loc_18217
push    edi
push    438h
push    0
push    esi
call    memset
add     esp, 0Ch
; initialise the sub-object at +4 (sub_19049 takes it in ecx plus one stack argument, 0)
lea     edi, [esi+4]
push    0
mov     ecx, edi
call    sub_19049
mov     eax, [esp+4+arg_0]
; vtable pointers at +0 and +4
mov     dword ptr [esi], offset off_1D5FC
mov     dword ptr [edi], offset off_1D5EC
mov     [eax], esi
; call the method at vtable offset +4 on the new object
; NOTE(review): presumably an AddRef-style call - confirm against off_1D5FC
mov     ecx, [esi]
mov     edx, [ecx+4]
push    esi
call    edx
pop     edi
xor     eax, eax
pop     esi
retn    4

loc_18217:
; allocation failed: *arg_0 is left untouched, so callers must test the return value
mov     eax, 0C000009Ah
pop     esi
retn    4
sub_181C0 endp




; sub_18220 - create the interface object, register a device interface for it and publish
; two values under the interface's registry key. Two stack args, callee-cleaned (retn 8).
;   arg_0: device object passed to IoRegisterDeviceInterface
;   arg_4: caller-allocated block; +8 receives the object, +0Ch receives the symbolic link name
; Always returns 1.
; The operand names IDA prints after IoRegisterDeviceInterface are unreliable ("sp = 54h" at
; endp): it does not account for the callee-cleaned imports. Counting pushes, the key handle
; lives in the arg_4 stack slot, the 4-byte value in the arg_0 slot and the UNICODE_STRING in
; the 8-byte local area - TODO confirm in a debugger.
; NOTE(review): the sub_181C0 result is ignored. If that allocation fails, var_8 is never
; written and the store to [eax+10h] below goes through an uninitialised pointer.
; NOTE(review): the statuses of IoOpenDeviceInterfaceRegistryKey and ZwSetValueKey are not checked.
; NOTE(review): the values written are raw kernel addresses (the address of sub_17A00 and the
; arg_4 block pointer). That exposes kernel addresses to anything able to read the key, and any
; component that reads them back and uses them as pointers is trusting registry content; the
; key's ACL and every reader need review.
sub_18220 proc near

var_24= dword ptr -24h
var_1C= dword ptr -1Ch
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_10= dword ptr  14h
arg_18= dword ptr  1Ch
arg_24= dword ptr  28h
arg_28= dword ptr  2Ch
arg_58= dword ptr  5Ch

sub     esp, 8
push    esi
push    edi
lea     eax, [esp+10h+var_8]
push    eax
call    sub_181C0
mov     edi, [esp+10h+arg_4]
mov     eax, [esp+10h+var_8]
mov     ecx, [esp+10h+arg_0]
lea     esi, [edi+0Ch]
; IoRegisterDeviceInterface(arg_0, &unk_1D570, NULL, arg_4+0Ch)
push    esi
push    0
push    offset unk_1D570
; link the block and the object to each other: [arg_4+8] = object, [object+10h] = arg_4
mov     [edi+8], eax
push    ecx
mov     [eax+10h], edi
call    ds:IoRegisterDeviceInterface
test    eax, eax
jnz     loc_182E6
push    ebx
push    ebp
; IoOpenDeviceInterfaceRegistryKey(arg_4+0Ch, 0F003Fh, &handle); the handle slot is
; pre-set to 0 (eax holds the zero status here)
lea     edx, [esp+28h+var_8]
push    edx
push    0F003Fh
push    esi
mov     [esp+34h+var_8], eax
call    ds:IoOpenDeviceInterfaceRegistryKey
mov     ebx, ds:RtlInitUnicodeString
push    offset aGetinterfaceca ; "GetInterfaceCallback"
lea     eax, [esp+38h+var_24]
push    eax
call    ebx ; RtlInitUnicodeString
mov     eax, [esp+2Ch+var_C]
mov     ebp, ds:ZwSetValueKey
; ZwSetValueKey(handle, &name, 0, type 4, &value, 4) with value = address of sub_17A00
push    4
lea     ecx, [esp+30h+var_10]
push    ecx
push    4
push    0
lea     edx, [esp+3Ch+var_1C]
push    edx
push    eax
mov     [esp+44h+var_10], offset sub_17A00
call    ebp ; ZwSetValueKey
push    offset aDeviceextensio ; "DeviceExtension"
lea     ecx, [esp+arg_10]
push    ecx
call    ebx ; RtlInitUnicodeString
mov     ecx, [esp-0Ch+arg_28]
; ZwSetValueKey(handle, &name, 0, type 4, &value, 4) with value = the arg_4 block pointer (edi)
push    4
lea     edx, [esp-8+arg_24]
push    edx
push    4
push    0
lea     eax, [esp+4+arg_18]
push    eax
push    ecx
mov     [esp+0Ch+arg_24], edi
call    ebp ; ZwSetValueKey
mov     edx, [esp-3Ch+arg_58]
push    edx
call    ds:ZwClose
; IoSetDeviceInterfaceState(arg_4+0Ch, 1): enable the interface
push    1
push    esi
call    ds:IoSetDeviceInterfaceState
pop     ebp
pop     ebx

loc_182E6:
; the return value is 1 whether or not registration succeeded
pop     edi
mov     eax, 1
pop     esi
add     esp, 8
retn    8
sub_18220 endp ; sp =  54h

align 10h



; sub_18300 - record arg_0 in dword_1E1F4, allocate a 20h-byte block with
; ExAllocatePool(PoolType 0, 20h), keep it in dword_1E1F0 and hand it to
; sub_18220(dword_1E200, block). One stack argument, callee-cleaned (retn 4);
; eax holds whatever sub_18220 returned.
; NOTE(review): the allocation result is not checked. sub_18220 writes to [block+8], so a
; failed allocation turns into a NULL-pointer write in kernel mode. The block is also not
; zeroed before use.
sub_18300 proc near

arg_0= dword ptr  4

mov     eax, [esp+arg_0]
push    20h
push    0
mov     dword_1E1F4, eax
call    ds:ExAllocatePool
mov     ecx, dword_1E200
push    eax
push    ecx
mov     dword_1E1F0, eax
call    sub_18220
retn    4
sub_18300 endp

align 10h



; sub_18330 - allocate a buffer of arg_0 bytes and map it with MmMapLockedPages.
;   arg_0: buffer size in bytes
; Returns a 0Ch-byte descriptor: +0 = MDL, +4 = pool buffer, +8 = address returned by
; MmMapLockedPages. One stack argument, callee-cleaned (retn 4). Released by sub_18390.
; NOTE(review): none of the three allocations (descriptor, buffer, MDL) is checked for NULL
; before use.
; NOTE(review): MmMapLockedPages is called with AccessMode 1 (UserMode), i.e. kernel pool
; pages are exposed in a user address space. No exception handler is visible in this routine
; for that call, the size is not validated here, and the caller's process context matters -
; confirm how callers guard this.
; NOTE(review): the buffer is zeroed only after it has been mapped, so stale pool contents
; are briefly visible through the mapping; zeroing before MmMapLockedPages would close that.
sub_18330 proc near

arg_0= dword ptr  8

push    ebx
mov     ebx, ds:ExAllocatePool
push    esi
push    edi
; descriptor: ExAllocatePool(PoolType 0, 0Ch)
push    0Ch
push    0
call    ebx ; ExAllocatePool
mov     edi, [esp+8+arg_0]
; buffer: ExAllocatePool(PoolType 0, arg_0)
push    edi
push    0
mov     esi, eax
call    ebx ; ExAllocatePool
; IoAllocateMdl(buffer, arg_0, 0, 0, 0)
push    0
push    0
push    0
push    edi
push    eax
mov     [esi+4], eax
call    ds:IoAllocateMdl
push    eax
mov     [esi], eax
call    ds:MmBuildMdlForNonPagedPool
mov     eax, [esi]
; MmMapLockedPages(mdl, 1)
push    1
push    eax
call    ds:MmMapLockedPages
mov     ecx, [esi+4]
; memset(buffer, 0, arg_0) - runs after the mapping already exists
push    edi
push    0
push    ecx
mov     [esi+8], eax
call    memset
add     esp, 0Ch
pop     edi
mov     eax, esi
pop     esi
pop     ebx
retn    4
sub_18330 endp

align 10h



; sub_18390 - release a descriptor produced by sub_18330: unmap, free the MDL, free the
; buffer, free the descriptor. arg_0 is the descriptor; one stack argument (retn 4).
; NOTE(review): arg_0 and its three fields are used without NULL checks, matching the
; unchecked allocations in sub_18330.
; NOTE(review): a user-mode mapping must be removed in the context of the process it was
; created in; nothing in this routine establishes that - confirm at the call sites.
sub_18390 proc near

arg_0= dword ptr  8

push    esi
mov     esi, [esp+arg_0]
mov     eax, [esi]
mov     ecx, [esi+8]
push    edi
; MmUnmapLockedPages(mapped address at +8, MDL at +0)
push    eax
push    ecx
call    ds:MmUnmapLockedPages
mov     edx, [esi]
push    edx
call    ds:IoFreeMdl
mov     eax, [esi+4]
mov     edi, ds:ExFreePool
push    eax
call    edi ; ExFreePool
push    esi
call    edi ; ExFreePool
pop     edi
pop     esi
retn    4
sub_18390 endp




; sub_183C0 - write one dword to PCI configuration space through I/O ports 0CF8h (address)
; and 0CFCh (data).
; Register inputs: eax = register offset (masked with 0FCh), ecx = function (low 3 bits),
;                  edx = device (low 5 bits)
; Stack inputs:    arg_0 (byte) = bus, second dword = value to write; callee-cleaned (retn 8)
; The address dword is 80000000h | bus<<16 | device<<11 | function<<8 | offset.
; NOTE(review): the address/data pair is written directly from the driver with no lock visible
; here, so it can interleave with configuration accesses made by the bus driver or by another
; processor; going through the bus driver's configuration interface avoids that.
sub_183C0 proc near

arg_0= byte ptr  8

push    esi
movzx   esi, [esp+arg_0]
; the 8000h above the bus byte ends up as bit 31 (enable) after the 16 bits of shifting below
or      esi, 0FFFF8000h
shl     esi, 5
and     edx, 1Fh
or      esi, edx
; three doublings = shift left by 3, making room for the function number
add     esi, esi
add     esi, esi
add     esi, esi
and     ecx, 7
or      esi, ecx
shl     esi, 8
and     eax, 0FCh
or      esi, eax
push    esi
mov     esi, ds:WRITE_PORT_ULONG
push    0CF8h
call    esi ; WRITE_PORT_ULONG
; [esp+0Ch] is the second stack argument (the value) now that only esi remains pushed
mov     eax, [esp+0Ch]
push    eax
push    0CFCh
call    esi ; WRITE_PORT_ULONG
pop     esi
retn    8
sub_183C0 endp

align 10h



; sub_18410 - read one dword from PCI configuration space through ports 0CF8h / 0CFCh.
; Register inputs: eax = register offset (masked with 0FCh), ecx = function (low 3 bits),
;                  edx = device (low 5 bits)
; Stack input:     arg_0 (byte) = bus
; Returns the dword read from port 0CFCh. The routine ends by overwriting its own stack
; argument with 0CFCh and tail-jumping to READ_PORT_ULONG, which then removes that argument.
; NOTE(review): same unsynchronised direct port access as sub_183C0.
sub_18410 proc near

arg_0= byte ptr  8

push    esi
movzx   esi, [esp+arg_0]
or      esi, 0FFFF8000h
shl     esi, 5
and     edx, 1Fh
or      esi, edx
add     esi, esi
add     esi, esi
add     esi, esi
and     ecx, 7
or      esi, ecx
shl     esi, 8
and     eax, 0FCh
or      esi, eax
push    esi
push    0CF8h
call    ds:WRITE_PORT_ULONG
pop     esi
; reuse the caller's argument slot as READ_PORT_ULONG's port argument
mov     dword ptr [esp-4+arg_0], 0CFCh
jmp     ds:READ_PORT_ULONG
sub_18410 endp

align 10h



; sub_18460 - save the first 16 configuration dwords (64 bytes) of a PCI device into the
; global array dword_1E458.
; Register input: eax = device object passed to IoGetDeviceProperty. No stack arguments.
; Steps: query properties 0Eh and 10h (presumably bus number and address: device in the high
; word, function in the low word), make sure bits 0 and 2 of configuration register 4 are set,
; then read registers 0..3Ch.
; NOTE(review): both IoGetDeviceProperty statuses are ignored, so on failure the address is
; built from uninitialised stack values.
; NOTE(review): dword_1E458 is a single global save area; with more than one device the
; contents are overwritten - confirm the driver only ever handles one.
; NOTE(review): direct, unsynchronised access to ports 0CF8h / 0CFCh, as in sub_183C0.
sub_18460 proc near

var_14= byte ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4

sub     esp, 10h
push    ebx
push    ebp
push    esi
push    edi
mov     edi, ds:IoGetDeviceProperty
mov     esi, eax
; IoGetDeviceProperty(dev, 0Eh, 4, &var_4, &var_C)
lea     eax, [esp+20h+var_C]
push    eax
lea     ecx, [esp+24h+var_4]
push    ecx
push    4
push    0Eh
push    esi
call    edi ; IoGetDeviceProperty
; IoGetDeviceProperty(dev, 10h, 4, &var_8, &var_C)
lea     edx, [esp+20h+var_C]
push    edx
lea     eax, [esp+24h+var_8]
push    eax
push    4
push    10h
push    esi
call    edi ; IoGetDeviceProperty
mov     ecx, [esp+20h+var_8]
movzx   edx, word ptr [esp+20h+var_4]
mov     eax, ecx
; ebp = low word of property 10h (function), esi = high word & 1Fh (device), var_10 = bus
movzx   ebp, cx
mov     edi, ds:WRITE_PORT_ULONG
movzx   ecx, dl
shl     ecx, 5
shr     eax, 10h
mov     esi, eax
and     esi, 1Fh
or      ecx, esi
add     ecx, ecx
add     ecx, ecx
mov     [esp+20h+var_10], edx
add     ecx, ecx
mov     edx, ebp
and     edx, 7
or      ecx, edx
shl     ecx, 8
; enable bit plus register offset 4
or      ecx, 80000004h
push    ecx
push    0CF8h
call    edi ; WRITE_PORT_ULONG
push    0CFCh
call    ds:READ_PORT_ULONG
mov     ebx, eax
; skip the write-back when either bit 0 or bit 2 is already set
test    bl, 5
jnz     short loc_1851B
movzx   eax, byte ptr [esp+20h+var_10]
shl     eax, 5
or      eax, esi
add     eax, eax
add     eax, eax
add     eax, eax
mov     ecx, ebp
and     ecx, 7
or      eax, ecx
shl     eax, 8
or      eax, 80000004h
push    eax
push    0CF8h
call    edi ; WRITE_PORT_ULONG
; write register 4 back with bits 0 and 2 set
; NOTE(review): in the standard PCI header these are I/O-space enable and bus-master enable
or      ebx, 5
push    ebx
push    0CFCh
call    edi ; WRITE_PORT_ULONG

loc_1851B:
; edi = address dword with register offset 0, used as the base for the read loop
movzx   edi, byte ptr [esp+20h+var_10]
or      edi, 0FFFF8000h
shl     edi, 5
or      edi, esi
add     edi, edi
add     edi, edi
add     edi, edi
and     ebp, 7
or      edi, ebp
xor     ebx, ebx
shl     edi, 8
jmp     short loc_18540
align 10h

loc_18540:
; register offset = ebx * 4 for ebx = 0..0Fh
movzx   edx, bl
add     dl, dl
add     dl, dl
and     edx, 0FCh
or      edx, edi
push    edx
push    0CF8h
call    ds:WRITE_PORT_ULONG
push    0CFCh
call    ds:READ_PORT_ULONG
mov     dword_1E458[ebx*4], eax
add     ebx, 1
cmp     ebx, 10h
jl      short loc_18540
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 10h
retn
sub_18460 endp

align 10h



; sub_18580 - restore counterpart of sub_18460: writes the 16 dwords held in dword_1E458 back
; to configuration registers 0..3Ch of the device.
; Register input: eax = device object passed to IoGetDeviceProperty. No stack arguments.
; NOTE(review): nothing here verifies that dword_1E458 was filled by sub_18460 first, or for
; the same device; restoring stale or zero data would clear the device's BARs and command bits.
; NOTE(review): both IoGetDeviceProperty statuses are ignored, and the port access is direct
; and unsynchronised, as in sub_18460.
sub_18580 proc near

var_14= dword ptr -14h
var_10= dword ptr -10h
var_C= dword ptr -0Ch
var_8= dword ptr -8
var_4= dword ptr -4

sub     esp, 14h
push    ebx
push    ebp
push    esi
push    edi
mov     edi, ds:IoGetDeviceProperty
mov     esi, eax
; IoGetDeviceProperty(dev, 0Eh, 4, &var_8, &var_10)
lea     eax, [esp+24h+var_10]
push    eax
lea     ecx, [esp+28h+var_8]
push    ecx
push    4
push    0Eh
push    esi
call    edi ; IoGetDeviceProperty
; IoGetDeviceProperty(dev, 10h, 4, &var_C, &var_10)
lea     edx, [esp+24h+var_10]
push    edx
lea     eax, [esp+28h+var_C]
push    eax
push    4
push    10h
push    esi
call    edi ; IoGetDeviceProperty
mov     ecx, [esp+24h+var_C]
movzx   edx, word ptr [esp+24h+var_8]
mov     eax, ecx
; edi = low word of property 10h (function, also kept in var_4), ebp = device, var_14 = bus
movzx   edi, cx
mov     esi, ds:WRITE_PORT_ULONG
movzx   ecx, dl
shl     ecx, 5
shr     eax, 10h
mov     ebp, eax
and     ebp, 1Fh
or      ecx, ebp
add     ecx, ecx
add     ecx, ecx
mov     [esp+24h+var_14], edx
add     ecx, ecx
mov     edx, edi
and     edx, 7
or      ecx, edx
shl     ecx, 8
or      ecx, 80000004h
push    ecx
push    0CF8h
mov     [esp+2Ch+var_4], edi
call    esi ; WRITE_PORT_ULONG
push    0CFCh
call    ds:READ_PORT_ULONG
mov     ebx, eax
; as in sub_18460: set bits 0 and 2 of register 4 unless one of them is already set
test    bl, 5
jnz     short loc_1863D
movzx   eax, byte ptr [esp+24h+var_14]
shl     eax, 5
or      eax, ebp
add     eax, eax
add     eax, eax
add     eax, eax
and     edi, 7
or      eax, edi
shl     eax, 8
or      eax, 80000004h
push    eax
push    0CF8h
call    esi ; WRITE_PORT_ULONG
or      ebx, 5
push    ebx
push    0CFCh
call    esi ; WRITE_PORT_ULONG

loc_1863D:
; edi = address dword with register offset 0
movzx   edi, byte ptr [esp+24h+var_14]
mov     eax, [esp+24h+var_4]
or      edi, 0FFFF8000h
shl     edi, 5
or      edi, ebp
add     edi, edi
add     edi, edi
add     edi, edi
and     eax, 7
or      edi, eax
xor     ebx, ebx
shl     edi, 8

loc_18661:
; write saved dword ebx to register offset ebx * 4, for ebx = 0..0Fh
mov     ebp, dword_1E458[ebx*4]
movzx   ecx, bl
add     cl, cl
add     cl, cl
and     ecx, 0FCh
or      ecx, edi
push    ecx
push    0CF8h
call    esi ; WRITE_PORT_ULONG
push    ebp
push    0CFCh
call    esi ; WRITE_PORT_ULONG
; the byte read from port 80h is discarded; presumably a short I/O delay between writes
push    80h
call    ds:READ_PORT_UCHAR
add     ebx, 1
cmp     ebx, 10h
jl      short loc_18661
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 14h
retn
sub_18580 endp

align 10h



; sub_186B0 - check the device's identity in PCI configuration space and, when it differs from
; the expected value, reset the device and rewrite configuration register 2Ch.
;   arg_0: device object passed to IoGetDeviceProperty (its stack slot is reused as scratch)
;   arg_4: expected value of configuration register 2Ch; 0FFFFFFFFh means "nothing to do"
; Returns 1 when arg_4 is -1, when register 0 reads 17121412h, or when register 2Ch ends up
; equal to arg_4; otherwise 0. Two stack args, callee-cleaned (retn 8).
; IDA's stack delta is off by 4 after the call to sub_18410 (which tail-jumps into a
; callee-cleaned import), so the var_/arg_ names printed on later lines are unreliable. By push
; count the raw operands [esp+6Ch] and [esp+70h] are the arg_0 and arg_4 slots - TODO confirm.
; NOTE(review): in the standard header, register 0 is vendor/device ID and 2Ch is subsystem
; vendor/ID; registers 40h and 84h are device-specific, so their meaning is inferred below.
; NOTE(review): IoGetDeviceProperty statuses are ignored, and all accesses use ports
; 0CF8h / 0CFCh directly without synchronisation.
sub_186B0 proc near

var_8C= dword ptr -8Ch
var_84= dword ptr -84h
var_6C= dword ptr -6Ch
var_5C= dword ptr -5Ch
var_58= dword ptr -58h
var_54= dword ptr -54h
var_50= dword ptr -50h
var_4C= dword ptr -4Ch
var_48= dword ptr -48h
var_44= dword ptr -44h
var_40= dword ptr -40h
var_38= dword ptr -38h
var_30= dword ptr -30h
var_8= dword ptr -8
arg_0= dword ptr  4
arg_4= dword ptr  8

sub     esp, 58h
cmp     [esp+58h+arg_4], 0FFFFFFFFh
jnz     short loc_186C5
mov     eax, 1
add     esp, 58h
retn    8

loc_186C5:
push    ebx
push    ebp
push    esi
mov     esi, [esp+64h+arg_0]
push    edi
mov     edi, ds:IoGetDeviceProperty
; IoGetDeviceProperty(dev, 0Eh, 4, &var_50, &var_54)
lea     eax, [esp+68h+var_54]
push    eax
lea     ecx, [esp+6Ch+var_50]
push    ecx
push    4
push    0Eh
push    esi
call    edi ; IoGetDeviceProperty
; IoGetDeviceProperty(dev, 10h, 4, &var_4C, &var_54)
lea     edx, [esp+68h+var_54]
push    edx
lea     eax, [esp+6Ch+var_4C]
push    eax
push    4
push    10h
push    esi
call    edi ; IoGetDeviceProperty
mov     ecx, [esp+68h+var_50]
mov     eax, [esp+68h+var_4C]
; bl = bus, edi = property 10h >> 16, ebp = device (5 bits), low word of property 10h = function
movzx   ebx, cx
movzx   edx, cx
mov     esi, ds:WRITE_PORT_ULONG
mov     edi, eax
movzx   ecx, bl
or      ecx, 0FFFF8000h
shl     ecx, 5
shr     edi, 10h
mov     ebp, edi
and     ebp, 1Fh
or      ecx, ebp
; the arg_0 slot now holds the bus number
mov     [esp+68h+arg_0], edx
movzx   edx, ax
add     ecx, ecx
movzx   eax, ax
add     ecx, ecx
mov     [esp+68h+var_48], eax
add     ecx, ecx
and     eax, 7
or      ecx, eax
shl     ecx, 8
; read configuration register 0
push    ecx
push    0CF8h
mov     [esp+70h+var_58], edx
mov     [esp+70h+var_44], ebp
call    esi ; WRITE_PORT_ULONG
push    0CFCh
call    ds:READ_PORT_ULONG
; low word 1412h, high word 1712h: an exact match needs no further work
cmp     eax, 17121412h
jz      loc_188EF
; read register 4 through sub_18410 (eax = offset, ecx = function, edx = device, stack = bus)
mov     edx, [esp+68h+arg_0]
mov     ecx, [esp+68h+var_58]
push    edx
mov     eax, 4
mov     edx, edi
call    sub_18410
test    al, 5
jnz     short loc_18795
; neither bit 0 nor bit 2 set: write register 4 back with both set, through sub_183C0
mov     ecx, [esp+6Ch+var_5C]
or      eax, 5
push    eax
mov     eax, [esp+70h]
push    eax
mov     eax, 4
mov     edx, edi
call    sub_183C0

loc_18795:
; edi = address dword with offset 0; the arg_0 slot becomes the cursor into a 40h-byte
; local buffer that will hold a copy of registers 0..3Ch
mov     eax, [esp+6Ch+var_4C]
and     ebx, 0FFh
mov     edi, ebx
or      edi, 0FFFF8000h
shl     edi, 5
or      edi, ebp
add     edi, edi
add     edi, edi
and     eax, 7
add     edi, edi
or      edi, eax
lea     ecx, [esp+6Ch+var_44]
shl     edi, 8
mov     [esp+6Ch+var_4C], eax
xor     ebp, ebp
mov     [esp+6Ch], ecx
jmp     short loc_187D0
align 10h

loc_187D0:
; save loop: ebp = register offset 0, 4, .. 3Ch
mov     edx, ebp
and     edx, 0FCh
or      edx, edi
push    edx
push    0CF8h
call    esi
push    0CFCh
call    ds:READ_PORT_ULONG
mov     ecx, [esp+6Ch]
mov     [ecx], eax
add     ebp, 4
add     ecx, 4
cmp     bp, 40h
mov     [esp+6Ch], ecx
jb      short loc_187D0
; ebp = (bus<<16 | device<<11 | function<<8) without the enable bit
shl     ebx, 5
or      ebx, [esp+24h]
add     ebx, ebx
add     ebx, ebx
add     ebx, ebx
or      ebx, [esp+58h+var_38]
mov     ebp, ebx
shl     ebp, 8
mov     ebx, ebp
; register 84h: write 3, wait, write 0, wait
; NOTE(review): resembles a power-management D3hot -> D0 cycle used as a device reset - confirm
or      ebx, 80000084h
push    ebx
push    0CF8h
call    esi
push    3
push    0CFCh
call    esi
; sub_115F0(0F4240h, 0): presumably a delay; 0F4240h is 1,000,000
push    0
push    0F4240h
call    sub_115F0
push    ebx
push    0CF8h
call    esi
push    0
push    0CFCh
call    esi
; sub_115F0(1E8480h, 0): 1E8480h is 2,000,000
push    0
push    1E8480h
call    sub_115F0
; register 4 again: set bits 0 and 2 unless one of them is already set
mov     ebx, ebp
or      ebx, 80000004h
push    ebx
push    0CF8h
call    esi
push    0CFCh
call    ds:READ_PORT_ULONG
test    al, 5
mov     [esp+6Ch], eax
jnz     short loc_18895
push    ebx
push    0CF8h
call    esi
mov     eax, [esp+6Ch]
or      eax, 5
push    eax
push    0CFCh
call    esi

loc_18895:
; restore loop: write the saved copy of registers 0..3Ch back
lea     eax, [esp+58h+var_30]
xor     ebx, ebx
mov     [esp+6Ch], eax
nop

loc_188A0:
mov     ecx, ebx
and     ecx, 0FCh
or      ecx, edi
push    ecx
push    0CF8h
call    esi
mov     edx, [esp+6Ch]
mov     eax, [edx]
push    eax
push    0CFCh
call    esi
add     dword ptr [esp+6Ch], 4
add     ebx, 4
cmp     bx, 40h
jb      short loc_188A0
; read register 2Ch and compare it with the expected value (arg_4)
mov     edi, ebp
or      edi, 8000002Ch
push    edi
push    0CF8h
call    esi
push    0CFCh
call    ds:READ_PORT_ULONG
cmp     eax, [esp+70h]
jnz     short loc_188FE

loc_188EF:
pop     edi
pop     esi
pop     ebp
mov     eax, 1
pop     ebx
add     esp, 58h
retn    8

loc_188FE:
; mismatch: write 800000h to register 40h, write arg_4 to register 2Ch, write 0 to
; register 40h, with a read of port 80h after each write
; NOTE(review): register 40h bit 23 presumably unlocks writes to register 2Ch on this
; device - confirm against the hardware documentation
or      ebp, 80000040h
push    ebp
push    0CF8h
call    esi
push    800000h
push    0CFCh
call    esi
mov     ebx, ds:READ_PORT_UCHAR
push    80h
call    ebx ; READ_PORT_UCHAR
push    edi
push    0CF8h
call    esi
mov     ecx, [esp+70h]
push    ecx
push    0CFCh
call    esi
push    80h
call    ebx ; READ_PORT_UCHAR
push    ebp
push    0CF8h
call    esi
push    0
push    0CFCh
call    esi
push    80h
call    ebx ; READ_PORT_UCHAR
; read register 2Ch back; the result is 1 only if it now equals arg_4
push    edi
push    0CF8h
call    esi
push    0CFCh
call    ds:READ_PORT_ULONG
xor     edx, edx
cmp     eax, [esp+68h+arg_4]
pop     edi
setz    dl
pop     esi
pop     ebp
pop     ebx
mov     eax, edx
add     esp, 58h
retn    8
sub_186B0 endp




; sub_18980 - selector for the configuration-space save/restore pair.
;   arg_0: 0 = save (sub_18460), non-zero = restore (sub_18580)
;   arg_4: device object, handed to the helper in eax
; Two stack args, callee-cleaned (retn 8).
sub_18980 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     [esp+arg_0], 0
; mov does not alter flags, so the jnz still tests the cmp above
mov     eax, [esp+arg_4]
jnz     short loc_18993
call    sub_18460
retn    8

loc_18993:
call    sub_18580
retn    8
sub_18980 endp

align 10h



; sub_189A0 - compare two 16-byte blocks for equality.
;   arg_0, arg_4: pointers to the blocks
; Returns 1 when all 16 bytes are equal, 0 otherwise. Two stack args (retn 8).
; The body is an inlined byte-order comparison of fixed length 10h: dwords first, then the
; bytes of the first differing dword; the sign of the difference is computed and then reduced
; to "equal / not equal".
sub_189A0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_4]
mov     ecx, [esp+arg_0]
push    esi
push    edi
; esi = bytes left to compare
mov     esi, 10h
nop

loc_189B0:
mov     edx, [ecx]
cmp     edx, [eax]
jnz     short loc_189C8
sub     esi, 4
add     eax, 4
add     ecx, 4
cmp     esi, 4
jnb     short loc_189B0
test    esi, esi
jz      short loc_18A31

loc_189C8:
; a dword differed: locate the differing byte (unrolled four times)
movzx   edx, byte ptr [ecx]
movzx   edi, byte ptr [eax]
sub     edx, edi
jnz     short loc_18A17
sub     esi, 1
add     eax, 1
add     ecx, 1
test    esi, esi
jz      short loc_18A31
movzx   edx, byte ptr [ecx]
movzx   edi, byte ptr [eax]
sub     edx, edi
jnz     short loc_18A17
sub     esi, 1
add     eax, 1
add     ecx, 1
test    esi, esi
jz      short loc_18A31
movzx   edx, byte ptr [ecx]
movzx   edi, byte ptr [eax]
sub     edx, edi
jnz     short loc_18A17
sub     esi, 1
add     eax, 1
add     ecx, 1
test    esi, esi
jz      short loc_18A31
movzx   edx, byte ptr [ecx]
movzx   eax, byte ptr [eax]
sub     edx, eax
jz      short loc_18A31

loc_18A17:
; blocks differ: eax becomes 1 or -1, and the setz below turns either into 0
test    edx, edx
mov     eax, 1
jg      short loc_18A33
or      eax, 0FFFFFFFFh
xor     ecx, ecx
test    eax, eax
setz    cl
pop     edi
pop     esi
mov     eax, ecx
retn    8

loc_18A31:
; blocks are equal: comparison result 0
xor     eax, eax

loc_18A33:
; return (comparison result == 0)
xor     ecx, ecx
test    eax, eax
setz    cl
pop     edi
pop     esi
mov     eax, ecx
retn    8
sub_189A0 endp

align 10h



; sub_18A50 - completion handler for a driver-allocated IRP (three stack args, retn 0Ch).
;   arg_0: object whose reference is dropped with ObfDereferenceObject
;   arg_4: the completed IRP (status at +18h, information at +1Ch; x86 layout presumed)
;   arg_8: flag consulted only when the status is 0C00000BBh (STATUS_NOT_SUPPORTED)
; The original IRP is taken from offset +4 of the stack location at [arg_4+60h]; it receives
; the result, the helper IRP is freed and the original is completed.
; Always returns 0C0000016h (STATUS_MORE_PROCESSING_REQUIRED), which is required here because
; the helper IRP has just been freed and must not be touched again by the I/O manager.
; NOTE(review): the pointer read from the stack location is used without validation; it is
; whatever the code that built the helper IRP stored there - confirm at that site.
sub_18A50 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch

mov     ecx, [esp+arg_0]
push    esi
call    ds:ObfDereferenceObject
mov     eax, [esp+4+arg_4]
cmp     dword ptr [eax+18h], 0C00000BBh
mov     ecx, [eax+60h]
; esi = original IRP
mov     esi, [ecx+4]
jnz     short loc_18A7E
; helper IRP was not supported: leave the original status alone unless arg_8 is set,
; in which case it becomes 0C0000001h (STATUS_UNSUCCESSFUL)
cmp     [esp+4+arg_8], 0
jz      short loc_18A8A
mov     dword ptr [esi+18h], 0C0000001h
jmp     short loc_18A8A

loc_18A7E:
; any other status: copy status and information to the original IRP
mov     edx, [eax+18h]
mov     [esi+18h], edx
mov     ecx, [eax+1Ch]
mov     [esi+1Ch], ecx

loc_18A8A:
; the information field is copied on every path
mov     edx, [eax+1Ch]
push    eax
mov     [esi+1Ch], edx
call    ds:IoFreeIrp
; IofCompleteRequest(original IRP in ecx, priority boost 0 in dl)
xor     dl, dl
mov     ecx, esi
call    ds:IofCompleteRequest
mov     eax, 0C0000016h
pop     esi
retn    0Ch
sub_18A50 endp

align 10h

; loc_18AB0 - I/O completion routine installed by sub_18B50 (loc_18E2B); three stack
; arguments, retn 0Ch. Copies the IRP's status ([second arg + 18h]) into the state-machine
; context ([third arg + 0Ch]) and re-enters sub_18B50(context, 1).
; The value returned to the I/O manager is whatever sub_18B50 returns.
loc_18AB0:
mov     eax, [esp+8]
mov     ecx, [eax+18h]
mov     eax, [esp+0Ch]
push    1
push    eax
mov     [eax+0Ch], ecx
call    sub_18B50
retn    0Ch
align 10h

; loc_18AD0 - work-item routine queued by sub_18AF0; one stack argument (the IRP), retn 4.
; Calls PoCallDriver(device, IRP), where the device pointer is read back from offset -10h of
; the IRP's current stack location, the slot in which sub_18AF0 stored it.
loc_18AD0:
mov     eax, [esp+4]
push    eax
mov     eax, [eax+60h]
mov     ecx, [eax-10h]
push    ecx
call    ds:PoCallDriver
retn    4
align 10h



; sub_18AF0 - pass a power IRP down with PoCallDriver, deferring the call to a work item when
; the global flag byte_1E1C8 is set and the current IRQL is not 0.
;   arg_0: target device object
;   arg_4: IRP
; Returns 103h (STATUS_PENDING) on the deferred path, otherwise PoCallDriver's result through
; a tail jump. Two stack args, callee-cleaned.
; NOTE(review): the work item is built inside the IRP at +40h and the device pointer is parked
; at offset -10h of the current stack location; both rely on those IRP fields being free for
; driver use at this point - confirm against the IRP layout for the target OS.
sub_18AF0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

cmp     byte_1E1C8, 0
jz      short loc_18B3C
call    ds:KeGetCurrentIrql
test    al, al
jz      short loc_18B3C
mov     ecx, [esp+arg_4]
mov     eax, [ecx+60h]
; set bit 0 of the stack location's control byte (marks the IRP pending)
or      byte ptr [eax+3], 1
mov     eax, [ecx+60h]
mov     edx, [esp+arg_0]
mov     [eax-10h], edx
; work item at IRP+40h: +0 = 0, +8 = routine (loc_18AD0), +0Ch = parameter (the IRP)
lea     eax, [ecx+40h]
; ExQueueWorkItem(item, queue type 1)
push    1
push    eax
mov     dword ptr [eax+8], offset loc_18AD0
mov     [eax+0Ch], ecx
mov     dword ptr [eax], 0
call    ds:ExQueueWorkItem
mov     eax, 103h
retn    8

loc_18B3C:
jmp     ds:PoCallDriver
sub_18AF0 endp

align 10h



; sub_18B50 - table-driven power state machine (two stack args, callee-cleaned: retn 8).
;   arg_0: context block: +0 = device data (ebx), +4 = IRP (edi), +8 = state, +0Ch = last
;          status, +14h / +1Ch = power state / minor function for a requested IRP, +18h = saved state
;   arg_4: event code (the completion callbacks in this file pass 1 and 2)
; An action code is fetched from dword_1E110[state*3 + event]; action - 1 indexes off_18E88.
; Each handler sets ecx to the next action and loops through loc_18D80 until a handler returns.
; Returns the local result (initially -1, see below), or 0C0000001h for an action outside 1..12h.
; Operands that IDA prints as [esp+arg_X] without the 14h delta are artefacts of its stack
; tracking: with five dwords pushed, [esp+arg_C] is the var_4 local, [esp+arg_18] is arg_4 and
; [esp+arg_14] is the arg_0 slot (which holds the IRP after the prologue) - TODO confirm.
; NOTE(review): when [context+4] is 0, esi is 0 and edi is 0; handlers that read [esi+..] or
; [edi+60h] rely on the action table never selecting them in that case.
; NOTE(review): state and event are not range-checked before indexing dword_1E110.
; NOTE(review): fields of the IRP stack location ([esi+1], [esi+8], [esi+0Ch]) are presumably
; minor function, power type and power state; [ebx+48h] / [ebx+4Ch] presumably the current
; device and system power states - confirm.
sub_18B50 proc near

var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= dword ptr  10h
arg_14= dword ptr  18h
arg_18= dword ptr  1Ch

; push ecx only reserves the var_4 slot
push    ecx
push    ebx
push    ebp
mov     ebp, [esp+0Ch+arg_0]
push    esi
push    edi
mov     edi, [ebp+4]
test    edi, edi
; result = -1; the arg_0 slot is overwritten with the IRP pointer
mov     [esp+14h+var_4], 0FFFFFFFFh
mov     [esp+14h+arg_0], edi
jz      short loc_18B71
mov     esi, [edi+60h]
jmp     short loc_18B73

loc_18B71:
xor     esi, esi

loc_18B73:
mov     eax, [ebp+8]
mov     ecx, [esp+14h+arg_4]
mov     ebx, [ebp+0]
; edx = event + state*3
lea     edx, [ecx+eax*2]
add     edx, eax
mov     eax, dword_1E110[edx*4]
sub     eax, 1
cmp     eax, 11h
jbe     short loc_18BA4
pop     edi
pop     esi
pop     ebp
mov     eax, 0C0000001h
pop     ebx
pop     ecx
retn    8
align 10h

loc_18BA0:
; loop re-entry: reload the event code into ecx
mov     ecx, [esp+arg_18]

loc_18BA4:
; dispatch: edx = current result, ecx = event, eax = action - 1
mov     edx, [esp+arg_C]
jmp     ds:off_18E88[eax*4]

loc_18BAF:
; action 1: mark the IRP pending, result = 103h (STATUS_PENDING), call sub_18F50(ebx+20h, IRP),
; then pick the next action from the request type and state
mov     eax, [edi+60h]
or      byte ptr [eax+3], 1
push    edi
lea     eax, [ebx+20h]
push    eax
mov     [esp+8+arg_C], 103h
call    sub_18F50
cmp     dword ptr [esi+8], 0
jnz     short loc_18BF8
mov     ecx, [esi+0Ch]
cmp     ecx, [ebx+4Ch]
jge     short loc_18BE7
mov     ecx, 3
mov     dword ptr [ebp+8], 1
jmp     loc_18D80

loc_18BE7:
mov     ecx, 6
mov     dword ptr [ebp+8], 3
jmp     loc_18D80

loc_18BF8:
mov     dword ptr [ebp+8], 0Bh
mov     ecx, 2
jmp     loc_18D80

loc_18C09:
; action 2: branch on [esi+1] == 2 and on the requested state versus [ebx+48h]
cmp     byte ptr [esi+1], 2
jnz     short loc_18C32
mov     edx, [esi+0Ch]
cmp     edx, [ebx+48h]
jge     short loc_18C28
mov     ecx, 3
mov     dword ptr [ebp+8], 5
jmp     loc_18D80

loc_18C28:
mov     ecx, 0Dh
jmp     loc_18D80

loc_18C32:
mov     eax, [esi+0Ch]
cmp     eax, [ebx+48h]
jge     short loc_18C4B
mov     ecx, 3
mov     dword ptr [ebp+8], 9
jmp     loc_18D80

loc_18C4B:
mov     ecx, 11h
jmp     loc_18D80

loc_18C55:
; action 4: on a non-negative status, record the new state in [ebx+4Ch] (when [esi+1] == 2)
; and continue with action 6; result = 0C0000016h (STATUS_MORE_PROCESSING_REQUIRED)
cmp     dword ptr [ebp+0Ch], 0
jl      loc_18D7B
cmp     byte ptr [esi+1], 2
jnz     short loc_18C6B
mov     ecx, [esi+0Ch]
mov     [ebx+4Ch], ecx

loc_18C6B:
mov     ecx, 6
mov     dword ptr [ebp+8], 2
mov     [esp+arg_C], 0C0000016h
jmp     loc_18D80

loc_18C84:
; action 5: record the new state in [ebx+4Ch] when [esi+1] == 2, then finish (action 8)
cmp     byte ptr [esi+1], 2
jnz     loc_18D7B
mov     edx, [esi+0Ch]
mov     [ebx+4Ch], edx
jmp     loc_18D7B

loc_18C99:
; action 6: choose the state to request: 1 is used as is, otherwise the value is looked up at
; [ebx + state*4 + 60h] and raised to at least 4
; NOTE(review): [esi+0Ch] indexes the table at ebx+60h without a range check here
mov     eax, [esi+0Ch]
cmp     eax, 1
jnz     short loc_18CB4
mov     [ebp+14h], eax
mov     al, [esi+1]
mov     [ebp+1Ch], al
mov     ecx, 7
jmp     loc_18D80

loc_18CB4:
mov     eax, [ebx+eax*4+60h]
cmp     eax, 4
jge     short loc_18CC2
mov     eax, 4

loc_18CC2:
mov     [ebp+14h], eax
mov     al, [esi+1]
mov     [ebp+1Ch], al
mov     ecx, 7
jmp     loc_18D80

loc_18CD5:
; action 7: when byte_1E1C8 is set and the wanted state equals [ebx+48h], skip the request:
; status = 0 and the next action is the table entry for event 2 of the current state
cmp     byte_1E1C8, 0
jz      short loc_18CFF
mov     ecx, [ebp+14h]
cmp     ecx, [ebx+48h]
jnz     short loc_18CFF
mov     eax, [ebp+8]
lea     edx, [eax+eax*2]
mov     dword ptr [ebp+0Ch], 0
mov     ecx, dword_1E118[edx*4]
jmp     loc_18D80

loc_18CFF:
; PoRequestPowerIrp([ebx+18h], [ebp+1Ch], [ebp+14h], loc_18ED0, context, NULL)
mov     eax, [ebp+14h]
mov     ecx, [ebx+18h]
push    0
push    ebp
push    offset loc_18ED0
push    eax
movzx   eax, byte ptr [ebp+1Ch]
push    eax
push    ecx
call    ds:PoRequestPowerIrp
test    eax, eax
; request accepted: return now; loc_18ED0 re-enters the state machine later
jge     loc_18E60
mov     [ebp+0Ch], eax
jmp     short loc_18D7B

loc_18D27:
; action 8: finish the IRP. PoStartNextPowerIrp, then either hand the status back as the
; result (event 1, i.e. called from the completion routine) or complete the IRP here;
; sub_18F90(ebx+20h, IRP) is called on both paths, then action 9 frees the context
push    edi
call    ds:PoStartNextPowerIrp
cmp     [esp+arg_18], 1
jnz     short loc_18D4D
mov     edx, [ebp+0Ch]
push    edi
lea     ecx, [ebx+20h]
push    ecx
mov     [esp+8+arg_C], edx
call    sub_18F90
mov     ecx, 9
jmp     short loc_18D80

loc_18D4D:
mov     eax, [ebp+0Ch]
xor     dl, dl
mov     ecx, edi
mov     [edi+18h], eax
call    ds:IofCompleteRequest
push    edi
lea     ecx, [ebx+20h]
push    ecx
call    sub_18F90
mov     ecx, 9
jmp     short loc_18D80

loc_18D6E:
; action 0Ah: if the result is still -1, make it 0, then finish
cmp     edx, 0FFFFFFFFh

loc_18D71:
; shared with action 0Fh, which arrives here with the flags of "cmp ecx, 2"
jnz     short loc_18D7B
mov     [esp+arg_C], 0

loc_18D7B:
; actions 10h and 12h, and the common "finish" exit: next action is 8
mov     ecx, 8

loc_18D80:
; loop head: validate the next action and dispatch again
lea     eax, [ecx-1]
cmp     eax, 11h
jbe     loc_18BA0
pop     edi
pop     esi
pop     ebp
mov     eax, 0C0000001h
pop     ebx
pop     ecx
retn    8

loc_18D99:
; action 0Bh: default the result to 0; on a non-negative status go to state 4 / action 3
cmp     edx, 0FFFFFFFFh
jnz     short loc_18DA6
mov     [esp+arg_C], 0

loc_18DA6:
cmp     dword ptr [ebp+0Ch], 0
jl      short loc_18D7B
mov     dword ptr [ebp+8], 4
mov     ecx, 3
jmp     short loc_18D80

loc_18DBA:
; action 0Ch: on success with [esi+1] == 2, save the old [ebx+48h] in the context, store the
; new state and continue with action 0Fh; result = 0C0000016h
cmp     dword ptr [ebp+0Ch], 0
jl      short loc_18D7B
cmp     byte ptr [esi+1], 2
jnz     short loc_18D7B
mov     edx, [ebx+48h]
mov     [ebp+18h], edx
mov     eax, [esi+0Ch]
mov     [esp+arg_C], 0C0000016h
mov     [ebx+48h], eax
mov     ecx, 0Fh
jmp     short loc_18D80

loc_18DE1:
; action 0Fh: result = 0 when the event is 2, then finish
cmp     ecx, 2
jmp     short loc_18D71

loc_18DE6:
; action 0Dh: continue with action 0Eh
mov     ecx, 0Eh
jmp     short loc_18D80

loc_18DED:
; action 0Eh: result = 0 when the event is 2; state 6; raise [ebx+48h] to the requested
; state if that is higher; continue with action 3
cmp     ecx, 2
jnz     short loc_18DFA
mov     [esp+arg_C], 0

loc_18DFA:
mov     dword ptr [ebp+8], 6
mov     eax, [esi+0Ch]
cmp     eax, [ebx+48h]
mov     ecx, 3
jle     loc_18D80
mov     [ebx+48h], eax
jmp     loc_18D80

loc_18E1A:
; action 11h: state 0Ah, continue with action 3
mov     dword ptr [ebp+8], 0Ah
mov     ecx, 3
jmp     loc_18D80

loc_18E2B:
; action 3: forward the IRP. Copy 7 dwords of the current stack location to the next one
; (24h bytes lower), clear its control byte, install loc_18AB0 as completion routine with the
; context as its argument and control byte 0E0h, then call sub_18AF0([ebx+14h], IRP)
mov     esi, [edi+60h]
lea     eax, [esi-24h]
mov     edi, eax
mov     ecx, 7
rep movsd
mov     ecx, [esp+arg_14]
mov     byte ptr [eax+3], 0
mov     eax, [ecx+60h]
sub     eax, 24h
push    ecx
mov     dword ptr [eax+1Ch], offset loc_18AB0
mov     [eax+20h], ebp
mov     byte ptr [eax+3], 0E0h
mov     ecx, [ebx+14h]
push    ecx
call    sub_18AF0

loc_18E60:
; return the local result; the state machine resumes from a completion callback
mov     eax, [esp+arg_C]
pop     edi
pop     esi
pop     ebp
pop     ebx
pop     ecx
retn    8

loc_18E6C:
; action 9: state 0Ch, free the context block and return the local result
; NOTE(review): the context must not be referenced by any outstanding callback at this point
push    ebp
mov     dword ptr [ebp+8], 0Ch
call    ds:ExFreePool
mov     eax, [esp+arg_C]
pop     edi
pop     esi
pop     ebp
pop     ebx
pop     ecx
retn    8
sub_18B50 endp ; sp =  14h

align 4
; Table of 18 code offsets, all within the address range of sub_18B50.
; The dispatch at loc_18D80 computes index = ecx-1 and rejects anything above
; 11h (unsigned) before branching to loc_18BA0, which matches the 18 entries
; here. The indirect jump itself is outside this excerpt, so the pairing is
; presumed rather than shown.
off_18E88 dd offset loc_18BAF
dd offset loc_18C09
dd offset loc_18E2B
dd offset loc_18C55
dd offset loc_18C84
dd offset loc_18C99
dd offset loc_18CD5
dd offset loc_18D27
dd offset loc_18E6C
dd offset loc_18D6E
dd offset loc_18D99
dd offset loc_18DBA
dd offset loc_18DE6
dd offset loc_18DED
dd offset loc_18DE1
dd offset loc_18D7B
dd offset loc_18E1A
dd offset loc_18D7B

; loc_18ED0 -- completion callback handed to PoRequestPowerIrp by sub_18B50
; (pushed as "offset loc_18ED0" at loc_18CFF, with ebp as the context).
; Takes five stdcall arguments (retn 14h). Copies the first dword behind the
; fifth argument (presumably IoStatus->Status) into context+0Ch, then
; re-enters sub_18B50 with (context, 2).
loc_18ED0:
mov     eax, [esp+14h]  ; 5th argument
mov     ecx, [eax]
mov     eax, [esp+10h]  ; 4th argument: the context given to PoRequestPowerIrp
push    2
push    eax
mov     [eax+0Ch], ecx
call    sub_18B50
retn    14h
align 10h



; sub_18EF0 -- two-argument stdcall power handler; only the second argument
; (the IRP) is used. Calls PoStartNextPowerIrp on it and then sub_17920(Irp, 0, 0).
; sub_17920 is not shown here; it is called throughout this file as
; (Irp, status, information) and presumably completes the IRP.
sub_18EF0 proc near

arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_4]  ; esi = Irp (second argument)
push    esi
call    ds:PoStartNextPowerIrp
push    0
push    0
push    esi
call    sub_17920
pop     esi
retn    8
sub_18EF0 endp

align 10h

; loc_18F10 -- power dispatch taking (DeviceObject, Irp).
; Reads the byte at stack-location+1 (MinorFunction in the x86
; IO_STACK_LOCATION layout -- assumed) and indexes the 4-entry handler table
; off_1E1AC with it. The index is bounds-checked with an unsigned compare
; (jb) before use. Codes 4 and above take the fall-through path:
; PoStartNextPowerIrp followed by sub_17920(Irp, 0, 0).
loc_18F10:
push    esi
mov     esi, [esp+0Ch]  ; esi = Irp
mov     eax, [esi+60h]  ; current stack location
movzx   eax, byte ptr [eax+1]
cmp     eax, 4
push    esi  ; argument for whichever call follows (flags unaffected)
jb      short loc_18F36
call    ds:PoStartNextPowerIrp
push    0
push    0
push    esi
call    sub_17920
pop     esi
retn    8

loc_18F36:
mov     ecx, [esp+0Ch]  ; DeviceObject (first argument; two pushes deep)
mov     edx, off_1E1AC[eax*4]
push    ecx
call    edx ; sub_18EF0
pop     esi
retn    8
align 10h



; sub_18F50 -- acquire a reference on a remove-lock-style object.
; In:  arg_0 = lock pointer; the second stdcall argument is never read.
; Out: eax = 0 on success, 0C0000056h if the byte at lock+4 is set
;      (presumably a "removed" flag; the value matches STATUS_DELETE_PENDING).
; The count at lock+0 is incremented first. When the flag is set the
; increment is undone, and if that brings the count to zero the event at
; lock+8 is signalled so a waiter can proceed.
sub_18F50 proc near

arg_0= dword ptr  8

push    esi
mov     esi, [esp+arg_0]
mov     ecx, esi
call    ds:InterlockedIncrement
cmp     byte ptr [esi+4], 0
jz      short loc_18F84
mov     ecx, esi
call    ds:InterlockedDecrement
test    eax, eax
jnz     short loc_18F7B
; eax is zero here, so both pushes supply 0 arguments to KeSetEvent
push    eax
push    eax
add     esi, 8
push    esi
call    ds:KeSetEvent

loc_18F7B:
mov     eax, 0C0000056h
pop     esi
retn    8

loc_18F84:
xor     eax, eax
pop     esi
retn    8
sub_18F50 endp

align 10h



; sub_18F90 -- release counterpart of sub_18F50.
; In: arg_0 = lock pointer; the second stdcall argument is never read, so
;     callers may pass an IRP pointer there without it being dereferenced.
; Decrements the count at lock+0 and signals the event at lock+8 when the
; count reaches zero. The value left in eax is not set explicitly.
sub_18F90 proc near

arg_0= dword ptr  8

push    esi
mov     esi, [esp+arg_0]
mov     ecx, esi
call    ds:InterlockedDecrement
test    eax, eax
jnz     short loc_18FAD
; eax is zero here: KeSetEvent(lock+8, 0, 0)
push    eax
push    eax
add     esi, 8
push    esi
call    ds:KeSetEvent

loc_18FAD:
pop     esi
retn    8
sub_18F90 endp

align 2
; memset: 6-byte function, collapsed in the IDA listing (body not shown)
; memcpy: 6-byte function, collapsed in the IDA listing (body not shown)



; sub_18FBE -- stores the address of off_1D69C into the dword at [ecx].
; Presumably resets an object's vtable pointer (ecx = this); the table
; contents are not visible in this excerpt.
sub_18FBE proc near
mov     dword ptr [ecx], offset off_1D69C
retn
sub_18FBE endp



; Attributes: bp-based frame

; sub_18FC5 -- AddRef-style helper: atomically increments the dword at
; arg_0+4 and returns its value.
; NOTE(review): the return value is re-read from memory after the interlocked
; increment instead of taken from the call result, so under contention it can
; differ from the value this caller produced.
sub_18FC5 proc near

arg_0= dword ptr  8

mov     edi, edi  ; two-byte no-op at function entry
push    ebp
mov     ebp, esp
push    esi
mov     esi, [ebp+arg_0]
add     esi, 4  ; esi = address of the reference count
mov     ecx, esi
call    ds:InterlockedIncrement
mov     eax, [esi]
pop     esi
pop     ebp
retn    4
sub_18FC5 endp



; Attributes: bp-based frame

; sub_18FE0 -- Release-style helper for the object at arg_0.
; Atomically decrements the count at object+4. When it reaches zero, the count
; is bumped back to 1 with a plain inc, the function pointer at vtable+0Ch is
; called with ecx = object and a stack argument of 1, and 0 is returned.
; Otherwise the current count is re-read from memory and returned.
; NOTE(review): the non-zero path returns a fresh read, not the interlocked
; result, so the value is only advisory.
sub_18FE0 proc near

arg_0= dword ptr  8

mov     edi, edi  ; two-byte no-op at function entry
push    ebp
mov     ebp, esp
push    esi
push    edi
mov     edi, [ebp+arg_0]
lea     esi, [edi+4]  ; esi = address of the reference count
mov     ecx, esi
call    ds:InterlockedDecrement
test    eax, eax
jnz     short loc_19008
inc     dword ptr [esi]  ; count temporarily 1 while the callee runs
mov     eax, [edi]
push    1
mov     ecx, edi
call    dword ptr [eax+0Ch]
xor     eax, eax
jmp     short loc_1900A

loc_19008:
mov     eax, [esi]

loc_1900A:
pop     edi
pop     esi
pop     ebp
retn    4
sub_18FE0 endp



; Attributes: bp-based frame

; sub_19010 -- QueryInterface-style helper, three stdcall arguments.
; In:  arg_0 = object, arg_4 = value handed to sub_179B0 together with
;      dword_1D560 (presumably an interface-id comparison; sub_179B0 is not
;      shown), arg_8 = output pointer.
; Out: *arg_8 = object when sub_179B0 returns non-zero, otherwise 0.
;      eax = 0 on a match (after calling the function at vtable+4 on the
;      object), else 0C000000Dh.
; NOTE(review): arg_8 is written without a NULL check.
sub_19010 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h

mov     edi, edi  ; two-byte no-op at function entry
push    ebp
mov     ebp, esp
push    offset dword_1D560
push    [ebp+arg_4]
call    sub_179B0
mov     ecx, eax
mov     eax, [ebp+arg_8]
; neg/sbb turn "non-zero" into an all-ones mask, so the and below selects
; either the object pointer or 0 without a branch
neg     ecx
sbb     ecx, ecx
and     ecx, [ebp+arg_0]
mov     [eax], ecx
mov     eax, ecx
test    eax, eax
jz      short loc_19040
mov     ecx, [eax]
push    eax
call    dword ptr [ecx+4]
xor     eax, eax
jmp     short loc_19045

loc_19040:
mov     eax, 0C000000Dh

loc_19045:
pop     ebp
retn    0Ch
sub_19010 endp



; Attributes: bp-based frame

; sub_19049 -- constructor-style initialiser for a 3-dword object header.
; In:  ecx = object, arg_0 = optional pointer.
; Out: eax = object.
; Sets [obj+0] = off_1D69C, [obj+4] = 0, and [obj+8] = arg_0 when it is
; non-zero, otherwise the object's own address.
sub_19049 proc near

arg_0= dword ptr  8

mov     edi, edi  ; two-byte no-op at function entry
push    ebp
mov     ebp, esp
mov     eax, ecx
mov     ecx, [ebp+arg_0]
and     dword ptr [eax+4], 0
test    ecx, ecx
mov     dword ptr [eax], offset off_1D69C  ; mov leaves the test flags intact
jz      short loc_19066
mov     [eax+8], ecx
jmp     short loc_19069

loc_19066:
mov     [eax+8], eax

loc_19069:
pop     ebp
retn    4
sub_19049 endp



; Attributes: bp-based frame

; sub_1906D -- destructor-style routine with a flags argument.
; In:  ecx = object, arg_0 = flag byte.
; Out: eax = object.
; Resets [obj+0] to off_1D69C and, when bit 0 of arg_0 is set, passes the
; object to sub_179F0 (cdecl, not shown; presumably the deallocator).
sub_1906D proc near

arg_0= byte ptr  8

mov     edi, edi  ; two-byte no-op at function entry
push    ebp
mov     ebp, esp
test    [ebp+arg_0], 1
push    esi
mov     esi, ecx
mov     dword ptr [esi], offset off_1D69C  ; flags from the test survive push/mov
jz      short loc_19088
push    esi
call    sub_179F0
pop     ecx  ; caller cleans the single cdecl argument

loc_19088:
mov     eax, esi
pop     esi
pop     ebp
retn    4
sub_1906D endp

align 200h
_text ends

; Section 2. (virtual address 0000A000)
; Virtual size                  : 00001121 (   4385.)
; Section size in file          : 00001200 (   4608.)
; Offset to raw data for section: 00008600
; Flags 68000020: Text Not pageable Executable Readable
; Alignment     : default

; Segment type: Pure code
; Segment permissions: Read/Execute
page segment para public 'CODE' use32
assume cs:page
;org 1A000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; loc_1A000 -- overwrites its own first stack argument with the address of
; unk_1E1C0 and tail-jumps into RtlFreeUnicodeString, so the incoming argument
; is ignored. Presumably the unload routine releasing a global UNICODE_STRING;
; where unk_1E1C0 is filled in is not visible here.
loc_1A000:
mov     dword ptr [esp+4], offset unk_1E1C0
jmp     ds:RtlFreeUnicodeString
align 10h



; sub_1A010 -- AddDevice-style routine, two stdcall arguments
; (driver object, physical device object).
; Creates an unnamed device (type 22h, characteristics 100h, 0E4h-byte
; extension), attaches it to the stack of the second argument, initialises the
; extension and registers the device in a slot of the driver-object extension.
; Out: eax = status. 0C00002B6h is returned when the attach yields NULL.
; Extension fields written here: +10h = new device, +14h = lower device,
; +18h = second argument, +1Ch = driver object, +20h = lock (sub_1B0A0),
; +40h = state 0, +48h/+4Ch = 1, +8 = (high word of property 10h) + 1.
; NOTE(review): the var_* names declared below are not referenced by the body.
; NOTE(review): neither the IoGetDriverObjectExtension result (edi) nor the
; IoGetDeviceProperty status is checked before the values are used.
sub_1A010 proc near

var_54= dword ptr -54h
var_48= dword ptr -48h
var_44= dword ptr -44h
var_40= dword ptr -40h
var_3C= dword ptr -3Ch
var_34= dword ptr -34h
var_30= dword ptr -30h
var_28= dword ptr -28h
var_24= dword ptr -24h
var_20= dword ptr -20h
var_1C= dword ptr -1Ch
var_18= dword ptr -18h
arg_0= dword ptr  4

sub     esp, 8
push    ebx
mov     ebx, [esp+0Ch+arg_0]  ; ebx = first argument (driver object)
lea     eax, [esp+0Ch+arg_0]  ; the argument slot doubles as the out pointer
push    eax
push    0
push    100h
push    22h
push    0
push    0E4h
push    ebx
call    ds:IoCreateDevice
test    eax, eax
mov     [esp+4], eax  ; status local
jl      loc_1A155
mov     ecx, [esp+10h]  ; newly created device object
push    ebp
push    esi
mov     esi, [ecx+28h]  ; esi = its device extension
push    edi
push    1
push    ebx
call    ds:IoGetDriverObjectExtension
mov     edx, [esp+18h+arg_0]
mov     ebp, [esp+20h]  ; ebp = second argument
push    0
push    0
mov     edi, eax  ; edi = driver-object extension (not NULL-checked)
push    0
lea     eax, [esi+20h]
push    eax
mov     [esi+10h], edx
mov     [esi+18h], ebp
mov     [esi+1Ch], ebx
call    sub_1B0A0
mov     dword ptr [esi+40h], 0
mov     ecx, [esp+18h+arg_0]
push    ebp
push    ecx
call    ds:IoAttachDeviceToDeviceStack
test    eax, eax
mov     [esi+14h], eax
jnz     short loc_1A0CD
; attach failed: eax is 0 here, so the compare below tests [esi+3Ch] for NULL
cmp     [esi+3Ch], eax
mov     dword ptr [esp+10h], 0C00002B6h
jz      short loc_1A0A6
lea     eax, [esi+38h]
push    eax
call    ds:RtlFreeUnicodeString

loc_1A0A6:
mov     esi, [esi+14h]
test    esi, esi
jz      short loc_1A0B4
push    esi
call    ds:IoDetachDevice

loc_1A0B4:
mov     ecx, [esp+18h+arg_0]
push    ecx
call    ds:IoDeleteDevice
mov     eax, [esp+10h]
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    8

loc_1A0CD:
mov     eax, [esp+18h+arg_0]
or      dword ptr [eax+1Ch], 2000h  ; device flags; 2000h looks like DO_POWER_PAGABLE
mov     ebx, 1
mov     eax, ebx
push    eax
mov     [esi+4Ch], ebx
mov     [esi+48h], ebx
mov     edx, [esp+1Ch+arg_0]
push    ebx
push    edx
call    ds:PoSetPowerState
mov     eax, [esp+18h+arg_0]
and     dword ptr [eax+1Ch], 0FFFFFF7Fh  ; clears bit 80h (looks like DO_DEVICE_INITIALIZING)
mov     ecx, [esi+18h]
lea     edx, [esp+14h]  ; result-length local
push    edx
; the 4-byte property buffer is the second-argument stack slot, which still
; holds the PDO pointer when the call is made
lea     eax, [esp+24h]
push    eax
push    4
push    10h  ; property id 10h (presumably DevicePropertyAddress)
push    ecx
call    ds:IoGetDeviceProperty
; return status ignored: on failure the slot still holds the PDO pointer and
; its high word would be used below
mov     eax, [esp+20h]
mov     ecx, [edi+4]
xor     edx, edx
shr     eax, 10h
test    ax, ax
setnz   dl  ; edx = 1 if the high word is non-zero, else 0
cmp     ecx, [edi+0Ch]
mov     [edi+8], edx
jnb     short loc_1A14E
movzx   edx, ax
add     edx, ebx
mov     [esi+8], edx  ; extension+8 = high word + 1
; slot = driver extension + index*18h, index is 0 or 1 here.
; NOTE(review): sub_1A730 and sub_1A7A0 index the same slots with
; extension+8 minus 1 (the raw high word); the two agree only while that
; value is 0 or 1 -- verify.
mov     eax, [edi+8]
lea     eax, [eax+eax*2]
cmp     dword ptr [edi+eax*8+14h], 0
lea     eax, [edi+eax*8]
jnz     short loc_1A14E
mov     ecx, [esp+18h+arg_0]
mov     [eax+18h], ecx

loc_1A14E:
mov     eax, [esp+10h]
pop     edi
pop     esi
pop     ebp

loc_1A155:
pop     ebx
add     esp, 8
retn    8
sub_1A010 endp

align 10h

; loc_1A160 -- dispatch thunk: picks a handler from bit 0 of the first byte of
; the device extension ([DeviceObject+28h] in the x86 layout -- assumed).
; Bit set -> loc_1AF70, clear -> loc_1AAD0. sub_1A380 writes 1 to that dword
; for the devices it creates, so the bit appears to mark child devices.
; The two stores to [esp+4] write back the value just loaded from that slot.
loc_1A160:
mov     eax, [esp+4]
mov     ecx, [eax+28h]
test    byte ptr [ecx], 1
jz      short loc_1A175
mov     [esp+4], eax
jmp     loc_1AF70

loc_1A175:
mov     [esp+4], eax
jmp     loc_1AAD0
align 10h



; sub_1A180 -- tear-down for the device passed in arg_0.
; Steps: delete every non-NULL child device in the array at extension+90h
; (count at +0D0h); disable the device interface at +0D8h if the dword at
; +0DCh is non-zero; free the string at +38h; detach from the lower device at
; +14h if present; delete the device itself.
; NOTE(review): deleted child pointers are not cleared and the count is not
; reset here. The string at +0D8h is not freed in this routine either; check
; whether it is released elsewhere.
sub_1A180 proc near

var_4= dword ptr -4
arg_0= dword ptr  4

mov     eax, [esp+arg_0]
push    ebp
mov     ebp, ds:IoDeleteDevice
push    esi
mov     esi, [eax+28h]  ; esi = device extension
push    edi
xor     edi, edi
cmp     [esi+0D0h], edi
jbe     short loc_1A1B9
push    ebx
lea     ebx, [esi+90h]

loc_1A1A1:
mov     eax, [ebx]
test    eax, eax
jz      short loc_1A1AA
push    eax
call    ebp ; IoDeleteDevice

loc_1A1AA:
add     edi, 1
add     ebx, 4
cmp     edi, [esi+0D0h]
jb      short loc_1A1A1
pop     ebx

loc_1A1B9:
cmp     dword ptr [esi+0DCh], 0
jz      short loc_1A1D1
push    0
lea     ecx, [esi+0D8h]
push    ecx
call    ds:IoSetDeviceInterfaceState

loc_1A1D1:
lea     edx, [esi+38h]
push    edx
call    ds:RtlFreeUnicodeString
mov     esi, [esi+14h]  ; esi now holds the lower device, not the extension
test    esi, esi
jz      short loc_1A1E9
push    esi
call    ds:IoDetachDevice

loc_1A1E9:
mov     eax, [esp+0Ch+arg_0]
push    eax
call    ebp ; IoDeleteDevice
pop     edi
pop     esi
pop     ebp
retn    4
sub_1A180 endp

align 10h

; loc_1A200 -- dispatch routine (DeviceObject, Irp) that serves one control
; code, 2A3BB8h, compared against stack-location+0Ch (IoControlCode in the
; x86 device-control parameter layout -- assumed).
; Flow: take the lock at extension+20h (sub_18F50); on failure complete the
; IRP with that status. If the code matches and extension+0E0h is non-zero,
; call sub_1FB60(extension+0E0h value, [Irp+0Ch]). Any other request gets
; 0C0000010h. The lock is released and the IRP completed with Status = result
; and Information = ebp.
; NOTE(review): no buffer-length check is visible before [Irp+0Ch]
; (presumably the system buffer) is handed to sub_1FB60. Any validation would
; have to happen inside that routine, which is not shown.
; NOTE(review): on the matching path Information is set to the dword at
; stack-location+4 (presumably the caller's OutputBufferLength) rather than a
; byte count reported by sub_1FB60. For a buffered request that lets the I/O
; manager copy back the whole buffer, including bytes the handler may not have
; written. Confirm how much sub_1FB60 initialises.
loc_1A200:
push    ecx  ; reserves one local slot
mov     eax, [esp+8]
mov     eax, [eax+28h]  ; device extension
push    ebp
push    esi
mov     esi, [esp+14h]  ; esi = Irp
push    edi
mov     [esp+14h], eax  ; extension kept in the first-argument slot
add     eax, 20h
push    esi
push    eax
mov     [esp+14h], eax  ; lock pointer kept in the local slot
call    sub_18F50
mov     edi, eax
xor     ebp, ebp
cmp     edi, ebp
jge     short loc_1A242
xor     dl, dl
mov     ecx, esi
mov     [esi+18h], edi
mov     [esi+1Ch], ebp
call    ds:IofCompleteRequest
mov     eax, edi
pop     edi
pop     esi
pop     ebp
pop     ecx
retn    8

loc_1A242:
push    ebx
mov     ebx, [esi+60h]  ; current stack location
cmp     dword ptr [ebx+0Ch], 2A3BB8h
jnz     short loc_1A26E
mov     ecx, [esp+18h]  ; extension
mov     ecx, [ecx+0E0h]
cmp     ecx, ebp  ; ebp is 0: NULL test
jz      short loc_1A26E
mov     eax, [esi+0Ch]
push    eax
push    ecx
call    sub_1FB60
mov     ebp, [ebx+4]
mov     edi, eax
jmp     short loc_1A273

loc_1A26E:
mov     edi, 0C0000010h

loc_1A273:
mov     edx, [esp+10h]  ; lock pointer
push    esi
push    edx
call    sub_18F90
xor     dl, dl
mov     ecx, esi
mov     [esi+18h], edi
mov     [esi+1Ch], ebp
call    ds:IofCompleteRequest
pop     ebx
mov     eax, edi
pop     edi
pop     esi
pop     ebp
pop     ecx
retn    8
align 10h

; loc_1A2A0 -- dispatch routine (DeviceObject, Irp): atomically increments the
; dword at extension+4, then completes the IRP with Status = 0 and
; Information = 0 and returns 0. Presumably the open handler keeping a handle
; count; the dispatch-table entry that selects it is not visible here.
loc_1A2A0:
mov     eax, [esp+4]
mov     ecx, [eax+28h]
add     ecx, 4
call    ds:InterlockedIncrement
mov     ecx, [esp+8]  ; ecx = Irp
xor     eax, eax
xor     dl, dl
mov     [ecx+18h], eax
mov     [ecx+1Ch], eax
call    ds:IofCompleteRequest
xor     eax, eax
retn    8
align 10h

; loc_1A2D0 -- mirror of loc_1A2A0: atomically decrements the dword at
; extension+4, then completes the IRP with Status = 0 and Information = 0 and
; returns 0. Presumably the close handler.
; NOTE(review): nothing here guards against the counter going below zero.
loc_1A2D0:
mov     eax, [esp+4]
mov     ecx, [eax+28h]
add     ecx, 4
call    ds:InterlockedDecrement
mov     ecx, [esp+8]  ; ecx = Irp
xor     eax, eax
xor     dl, dl
mov     [ecx+18h], eax
mov     [ecx+1Ch], eax
call    ds:IofCompleteRequest
xor     eax, eax
retn    8
align 10h



; sub_1A300 -- send an IRP to the lower device and wait for it to finish.
; In:  arg_0 = DeviceObject, arg_4 = Irp.
; Out: eax = dword at Irp+18h after the wait (IoStatus.Status in the x86 IRP
;      layout -- assumed).
; Copies seven dwords of the current stack location into the slot 24h below
; it, installs loc_17990 as completion routine with a stack event as context
; (control byte 0E0h), calls the device at extension+14h and then waits on the
; event unconditionally.
; NOTE(review): the wait does not depend on the IofCallDriver result, so
; correctness relies on loc_17990 (not shown) always signalling the event and
; stopping further completion while this frame is still live.
sub_1A300 proc near

var_10= dword ptr -10h
arg_0= dword ptr  4
arg_4= dword ptr  8

sub     esp, 10h  ; room for the event object
push    ebx
push    esi
push    edi
push    0
push    0
lea     eax, [esp+24h+var_10]
push    eax
call    ds:KeInitializeEvent
mov     ebx, [esp+1Ch+arg_4]  ; ebx = Irp
mov     esi, [ebx+60h]  ; source: current stack location
mov     edx, [esp+1Ch+arg_0]
lea     eax, [esi-24h]  ; destination: next stack location
mov     edi, eax
mov     ecx, 7
rep movsd
mov     byte ptr [eax+3], 0
mov     eax, [ebx+60h]
sub     eax, 24h
lea     ecx, [esp+1Ch+var_10]
mov     dword ptr [eax+1Ch], offset loc_17990
mov     [eax+20h], ecx
mov     byte ptr [eax+3], 0E0h
mov     eax, [edx+28h]
mov     ecx, [eax+14h]  ; lower device object
mov     edx, ebx
call    ds:IofCallDriver
push    0
push    0
push    0
push    0
lea     ecx, [esp+2Ch+var_10]
push    ecx
call    ds:KeWaitForSingleObject
mov     eax, [ebx+18h]
pop     edi
pop     esi
pop     ebx
add     esp, 10h
retn    8
sub_1A300 endp

align 10h



; sub_1A380 -- create one child device. Three stdcall arguments (retn 0Ch):
; parent extension, a dword stored at child-extension+4, and the address that
; receives the new device object.
; The child gets a 10h-byte extension: +0 = 1, +4 = second argument,
; +8 = the child device itself, +0Ch = parent extension+10h.
; The parent's child count at +0D0h is incremented on success.
; Out: eax = 0 on success, otherwise the IoCreateDevice status.
; NOTE(review): IDA's stack tracking is off by 0Ch after the IoCreateDevice
; call (see "sp = -0Ch" on the endp line). With only esi pushed,
; [esp+10h+var_8] is really the first-argument slot (reused as the out
; pointer for IoCreateDevice), [esp+10h+var_4] the second argument and
; [esp+10h] the third.
; NOTE(review): the count at +0D0h is incremented without a bound; the caller
; chooses the destination slot.
sub_1A380 proc near

var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  4

push    esi
mov     esi, [esp+4+arg_0]  ; esi = parent extension
mov     ecx, [esi+1Ch]
lea     eax, [esp+4+arg_0]
push    eax
push    0
push    180h
push    22h
push    0
push    10h
push    ecx
call    ds:IoCreateDevice
test    eax, eax
jl      short loc_1A3E4
mov     edx, [esp+10h+var_8]  ; new device object
mov     eax, [edx+28h]  ; its extension
mov     dword ptr [eax], 1
mov     ecx, [esp+10h+var_8]
mov     [eax+8], ecx
mov     edx, [esi+10h]
mov     ecx, [esp+10h+var_4]  ; second argument
mov     [eax+0Ch], edx
mov     edx, [esp+10h]  ; third argument: output address
mov     [eax+4], ecx
mov     eax, [esp+10h+var_8]
and     dword ptr [eax+1Ch], 0FFFFFF7Fh  ; clears flag bit 80h on the new device
mov     eax, [esp+10h+var_8]
mov     [edx], eax
add     dword ptr [esi+0D0h], 1
xor     eax, eax

loc_1A3E4:
pop     esi
retn    0Ch
sub_1A380 endp ; sp = -0Ch

align 10h



; sub_1A3F0 -- pass-through handler (DeviceObject, Irp).
; Bumps the byte at Irp+23h and advances the pointer at Irp+60h by 24h (the
; inline form of skipping the current stack location -- assumed from the x86
; IRP layout), then calls the device at extension+14h and returns its status.
sub_1A3F0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     edx, [esp+arg_4]  ; edx = Irp (second IofCallDriver argument)
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     eax, [esp+arg_0]
mov     eax, [eax+28h]
mov     ecx, [eax+14h]  ; ecx = lower device object
call    ds:IofCallDriver
retn    8
sub_1A3F0 endp

align 10h



; sub_1A410 -- handler (DeviceObject, Irp) keyed on the state dword at
; extension+40h.
; State 3: forward the IRP synchronously (sub_1A300); on success restore the
; state saved at extension+44h, then finish with
; sub_17920(Irp, status, [Irp+1Ch]).
; Any other state: skip the stack location and pass the IRP down.
; sub_1A640 is the routine that saves the previous state and sets 3, so this
; looks like the matching cancel path.
sub_1A410 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]
push    edi
mov     edi, [eax+28h]  ; edi = device extension
cmp     dword ptr [edi+40h], 3
jnz     short loc_1A444
push    esi
mov     esi, [esp+8+arg_4]
push    esi
push    eax
call    sub_1A300
test    eax, eax
jl      short loc_1A434
mov     ecx, [edi+44h]
mov     [edi+40h], ecx

loc_1A434:
mov     edx, [esi+1Ch]
push    edx
push    eax
push    esi
call    sub_17920
pop     esi
pop     edi
retn    8

loc_1A444:
mov     edx, [esp+4+arg_4]
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     eax, [eax+28h]
mov     ecx, [eax+14h]
call    ds:IofCallDriver
pop     edi
retn    8
sub_1A410 endp




; sub_1A460 -- handler (DeviceObject, Irp) keyed on the state dword at
; extension+40h.
; State 2: forward the IRP synchronously (sub_1A300); on success set the state
; to 1, then finish with sub_17920(Irp, status, [Irp+1Ch]).
; Any other state: skip the stack location and pass the IRP down.
; sub_1A6C0 is the routine that moves state 1 to 2, so this looks like the
; matching cancel path.
sub_1A460 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]
push    edi
mov     edi, [eax+28h]  ; edi = device extension
cmp     dword ptr [edi+40h], 2
jnz     short loc_1A495
push    esi
mov     esi, [esp+8+arg_4]
push    esi
push    eax
call    sub_1A300
test    eax, eax
jl      short loc_1A485
mov     dword ptr [edi+40h], 1

loc_1A485:
mov     ecx, [esi+1Ch]
push    ecx
push    eax
push    esi
call    sub_17920
pop     esi
pop     edi
retn    8

loc_1A495:
mov     edx, [esp+4+arg_4]
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     eax, [eax+28h]
mov     ecx, [eax+14h]
call    ds:IofCallDriver
pop     edi
retn    8
sub_1A460 endp

align 10h



; sub_1A4C0 -- handler (DeviceObject, Irp) that caches a 40h-byte structure
; from the request.
; The pointer at stack-location+4 is examined: if the word at +2 is below 1
; the IRP is passed down untouched. Otherwise the IRP is forwarded
; synchronously and, on success, 10h dwords are copied from that pointer
; (re-read after the lower driver finished) to extension+50h. The IRP is then
; finished with sub_17920(Irp, status, [Irp+1Ch]).
; Presumably the capabilities query; only the word at +2 is checked.
; NOTE(review): the copy length is fixed at 40h bytes and the structure's own
; size field is not consulted; the pointer is not NULL-checked.
sub_1A4C0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     ecx, [esp+arg_0]
push    ebx
mov     ebx, [esp+4+arg_4]  ; ebx = Irp
mov     eax, [ebx+60h]
push    esi
mov     esi, [ecx+28h]  ; esi = device extension
push    edi
mov     edi, [eax+4]
mov     edx, 1
cmp     [edi+2], dx
jnb     short loc_1A4FC
add     [ebx+23h], dl  ; dl is 1: same skip sequence as the other handlers
add     eax, 24h
mov     [ebx+60h], eax
mov     ecx, [ecx+28h]
mov     ecx, [ecx+14h]
mov     edx, ebx
call    ds:IofCallDriver
pop     edi
pop     esi
pop     ebx
retn    8

loc_1A4FC:
push    ebx
push    ecx
call    sub_1A300
test    eax, eax
jl      short loc_1A517
mov     edx, [ebx+60h]
lea     edi, [esi+50h]
mov     esi, [edx+4]
mov     ecx, 10h
rep movsd

loc_1A517:
mov     ecx, [ebx+1Ch]
push    ecx
push    eax
push    ebx
call    sub_17920
pop     edi
pop     esi
pop     ebx
retn    8
sub_1A4C0 endp

align 10h



; sub_1A530 -- handler (DeviceObject, Irp) that reports this device's children.
; If the dword at stack-location+4 is non-zero the IRP is passed down
; unchanged. For type 0 (presumably BusRelations) it builds a list
; { count; pointers[] } in pool type 1 with tag 504F5752h, appends every
; non-NULL child from extension+90h (count at +0D0h) with a reference taken on
; each, stores the list at Irp+1Ch and passes the IRP down with Irp+18h set to
; the local status.
; NOTE(review): when a list already exists, the new allocation is
; old_count*4 + 0Ch bytes, i.e. room for two extra pointers, but the loop
; appends up to [extension+0D0h] entries. That is only safe while the child
; count never exceeds 2; the array at +90h has room for more -- verify.
; NOTE(review): on the no-existing-list path the allocation result is written
; to without a NULL check.
; NOTE(review): on allocation failure (loc_1A612) the IRP is still passed down
; with a failure status instead of being completed.
sub_1A530 proc near

var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8

push    ecx  ; reserves the var_4 slot
mov     ecx, [esp+4+arg_0]
mov     edx, [ecx+28h]  ; edx = device extension
push    edi
mov     edi, [esp+8+arg_4]  ; edi = Irp
mov     eax, [edi+60h]
cmp     dword ptr [eax+4], 0
mov     [esp+8+var_4], edx
jz      short loc_1A567
add     byte ptr [edi+23h], 1
add     eax, 24h
mov     [edi+60h], eax
mov     ecx, [ecx+28h]
mov     ecx, [ecx+14h]
mov     edx, edi
call    ds:IofCallDriver
pop     edi
pop     ecx
retn    8

loc_1A567:
push    ebx
mov     ebx, [edi+1Ch]  ; list already placed in the IRP, if any
test    ebx, ebx
push    ebp
push    esi
mov     [esp+14h+arg_4], 0  ; Irp argument slot reused as the status local
push    504F5752h  ; pool tag, shared by both allocation paths
jz      short loc_1A5AD
mov     ebp, [ebx]  ; existing entry count
lea     ebp, ds:0Ch[ebp*4]
push    ebp
push    1
call    ds:ExAllocatePoolWithTag
mov     esi, eax
test    esi, esi
jz      short loc_1A612
add     ebp, 0FFFFFFF8h  ; copy length = allocation size - 8 = count*4 + 4
push    ebp
push    ebx
push    esi
call    memcpy
add     esp, 0Ch
push    ebx
call    ds:ExFreePool
jmp     short loc_1A5CB

loc_1A5AD:
mov     eax, [edx+0D0h]
lea     ecx, ds:8[eax*4]
push    ecx
push    1
call    ds:ExAllocatePoolWithTag
mov     esi, eax
mov     dword ptr [esi], 0  ; no NULL check on the allocation

loc_1A5CB:
mov     eax, [esp+14h+var_4]
xor     ebp, ebp
cmp     [eax+0D0h], ebp
jbe     short loc_1A609
lea     ebx, [eax+90h]
nop

loc_1A5E0:
mov     ecx, [ebx]
test    ecx, ecx
jz      short loc_1A5FB
call    ds:ObfReferenceObject
mov     eax, [ebx]
mov     edx, [esi]
mov     [esi+edx*4+4], eax  ; list->pointers[list->count] = child
add     dword ptr [esi], 1
mov     eax, [esp+14h+var_4]

loc_1A5FB:
add     ebp, 1
add     ebx, 4
cmp     ebp, [eax+0D0h]
jb      short loc_1A5E0

loc_1A609:
mov     eax, [esp+14h+arg_4]  ; status local (0)
mov     [edi+1Ch], esi
jmp     short loc_1A617

loc_1A612:
mov     eax, 0C000009Ah

loc_1A617:
add     byte ptr [edi+23h], 1
add     dword ptr [edi+60h], 24h
mov     ecx, [esp+14h+arg_0]
mov     [edi+18h], eax
mov     eax, [ecx+28h]
mov     ecx, [eax+14h]
mov     edx, edi
call    ds:IofCallDriver
pop     esi
pop     ebp
pop     ebx
pop     edi
pop     ecx
retn    8
sub_1A530 endp

align 10h



; sub_1A640 -- handler (DeviceObject, Irp) that may veto a request based on
; usage.
; 1. If the counter at extension+0D4h is non-zero: sub_17950(Irp, 0C0000001h).
; 2. Else if the state is 1, the global byte_1E1C8 is set and the dword at
;    [extension+10h]+4 is non-zero: sub_17920(Irp, 80000011h, 0).
; 3. Otherwise save the state at +44h, set the state to 3 and pass the IRP down.
; sub_17950 is not shown; presumably it completes the IRP with the given status.
; NOTE(review): the counter at +0D4h is read without synchronisation against
; sub_1AE20 / sub_1AE40, so the check is advisory.
sub_1A640 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_0]
mov     eax, [esi+28h]  ; eax = device extension
cmp     dword ptr [eax+0D4h], 0
jz      short loc_1A664
mov     eax, [esp+arg_4]
push    0C0000001h
push    eax
call    sub_17950
pop     esi
retn    8

loc_1A664:
mov     ecx, [eax+40h]
cmp     ecx, 1
jnz     short loc_1A693
cmp     byte_1E1C8, 0
jz      short loc_1A693
mov     edx, [eax+10h]
cmp     dword ptr [edx+4], 0
jz      short loc_1A693
mov     eax, [esp+arg_4]
push    0
push    80000011h
push    eax
call    sub_17920
pop     esi
retn    8

loc_1A693:
mov     edx, [esp+arg_4]
mov     [eax+44h], ecx
mov     dword ptr [eax+40h], 3
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     eax, [esi+28h]
mov     ecx, [eax+14h]
call    ds:IofCallDriver
pop     esi
retn    8
sub_1A640 endp

align 10h



; sub_1A6C0 -- handler (DeviceObject, Irp).
; If the counter at extension+0D4h is non-zero the request is refused via
; sub_17950(Irp, 0C0000001h). Otherwise the IRP is passed down, and when the
; state at extension+40h is 1 it is first moved to 2.
; The two pass-down paths are identical apart from that state write.
sub_1A6C0 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     ecx, [esp+arg_0]
mov     eax, [ecx+28h]  ; eax = device extension
cmp     dword ptr [eax+0D4h], 0
jz      short loc_1A6E2
mov     eax, [esp+arg_4]
push    0C0000001h
push    eax
call    sub_17950
retn    8

loc_1A6E2:
cmp     dword ptr [eax+40h], 1
mov     edx, [esp+arg_4]
jz      short loc_1A703
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     ecx, [ecx+28h]
mov     ecx, [ecx+14h]
call    ds:IofCallDriver
retn    8

loc_1A703:
mov     dword ptr [eax+40h], 2
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     eax, [ecx+28h]
mov     ecx, [eax+14h]
call    ds:IofCallDriver
retn    8
sub_1A6C0 endp

align 10h



; sub_1A730 -- unregister a device from the driver-object extension.
; In: eax = device object (register argument, nothing on the stack).
; If the driver extension's flag at +10h is set, the object at +44h is handed
; to sub_1F610 (not shown), +44h is cleared and the +0E0h field of the device
; stored at driver-extension+18h is cleared.
; Then, if extension+8 is non-zero, slot index = extension+8 - 1 is written to
; driver-extension+8. If that slot (18h bytes each, starting at +14h) is
; marked active, its device pointer and active flag are cleared, the count at
; +4 is decremented and the flag at +10h is cleared.
; NOTE(review): sub_1A7A0 publishes the +44h value into the +0E0h field of
; both the +18h and the +30h devices, but only the +18h copy is cleared here.
; If sub_1F610 frees the object, the other copy would be left stale -- verify
; against sub_1F610 and the users of +0E0h (e.g. loc_1A200).
; NOTE(review): the IoGetDriverObjectExtension result is not NULL-checked, and
; the slot index is not range-checked.
sub_1A730 proc near
push    ebp
mov     ebp, [eax+28h]  ; ebp = device extension
mov     eax, [eax+8]
push    esi
push    edi
push    1
push    eax
call    ds:IoGetDriverObjectExtension
mov     esi, eax  ; esi = driver-object extension
xor     edi, edi
cmp     [esi+10h], edi
jz      short loc_1A765
mov     edx, [esi+44h]
mov     ecx, [esi+18h]
push    ebx
mov     ebx, [ecx+28h]
push    edx
call    sub_1F610
mov     [esi+44h], edi
mov     [ebx+0E0h], edi
pop     ebx

loc_1A765:
mov     eax, [ebp+8]
cmp     eax, edi
jz      short loc_1A792
add     eax, 0FFFFFFFFh
mov     [esi+8], eax
lea     eax, [eax+eax*2]  ; index*3, scaled by 8 below: 18h-byte slots
cmp     [esi+eax*8+14h], edi
lea     eax, [esi+eax*8]
jz      short loc_1A792
mov     [eax+18h], edi
mov     eax, [esi+8]
lea     ecx, [eax+eax*2]
mov     [esi+ecx*8+14h], edi
add     dword ptr [esi+4], 0FFFFFFFFh
mov     [esi+10h], edi

loc_1A792:
pop     edi
pop     esi
pop     ebp
retn
sub_1A730 endp ; sp =  0Ch

align 10h



; sub_1A7A0 -- consume the assigned hardware resources and bring the device up.
; In:  arg_0 = device object (stack); ecx and eax = two list pointers supplied
;      in registers by sub_1A9D0. The entry count is read from [ecx+4] and the
;      10h-byte entries are walked starting at eax+8.
; Out: eax = 0C0000182h if either pointer is NULL; otherwise the result of
;      sub_1A380, or the zero-initialised local when the pairing flag at
;      driver-extension+10h is not set.
; Entry type byte: 1 -> dword at +4 appended to a local array; 2 -> +4 (byte),
; +8 and +0Ch captured; 3 -> dword at +4 captured. These match port /
; interrupt / memory partial descriptors -- assumed.
; NOTE(review): IDA's stack tracking drops by 0Ch after the
; IoGetDriverObjectExtension call. The epilogues (four pops + add esp,54h)
; show the real depth is still 64h, so every name using base 58h/5Ch/6Ch
; below is shifted by 0Ch: var_44 there is really var_50, var_48 is var_54,
; var_3C is var_48, var_40 is var_4C, var_34 is var_40 (the type-1 array) and
; var_38 is var_44 (the zeroed status).
; NOTE(review): the type-1 array starts at var_40 and is filled with no upper
; bound; 16 dwords fit before the return address. The count comes from the
; resource list, so this relies on the assigned resources staying small.
; NOTE(review): the count is taken from the ecx list while the entries are
; read from the eax list; both are assumed to have the same length.
sub_1A7A0 proc near

var_54= dword ptr -54h
var_50= dword ptr -50h
var_4C= byte ptr -4Ch
var_48= dword ptr -48h
var_44= dword ptr -44h
var_40= dword ptr -40h
var_3C= dword ptr -3Ch
var_38= dword ptr -38h
var_34= dword ptr -34h
arg_0= dword ptr  4

sub     esp, 54h
mov     edx, [esp+54h+arg_0]
push    ebx
push    ebp
xor     ebp, ebp
xor     bl, bl
cmp     ecx, ebp
push    edi
mov     edi, [edx+28h]  ; edi = device extension
mov     [esp+60h+var_44], ebp
mov     [esp+60h+var_50], ebp
mov     [esp+60h+var_4C], bl
mov     [esp+60h+var_54], ebp
mov     [esp+60h+var_48], ebp
jz      loc_1A95D
cmp     eax, ebp
jz      loc_1A95D
mov     ecx, [ecx+4]  ; entry count
add     eax, 8  ; first entry
cmp     ecx, ebp
push    esi
jbe     short loc_1A824
lea     edx, [esp+64h+var_40]  ; write cursor for type-1 values
mov     esi, ecx

loc_1A7E6:
movzx   ecx, byte ptr [eax]
sub     ecx, 1
jz      short loc_1A810
sub     ecx, 1
jz      short loc_1A801
sub     ecx, 1
jnz     short loc_1A818
mov     ecx, [eax+4]
mov     [esp+64h+var_50], ecx
jmp     short loc_1A818

loc_1A801:
mov     ecx, [eax+0Ch]
mov     ebp, [eax+8]
mov     bl, [eax+4]
mov     [esp+64h+var_54], ecx
jmp     short loc_1A818

loc_1A810:
mov     ecx, [eax+4]
mov     [edx], ecx  ; unbounded append into the stack array
add     edx, 4

loc_1A818:
add     eax, 10h
sub     esi, 1
jnz     short loc_1A7E6
mov     [esp+64h+var_4C], bl

loc_1A824:
mov     edx, [esp+64h+arg_0]
mov     eax, [edx+8]
push    1
push    eax
call    ds:IoGetDriverObjectExtension
mov     esi, eax  ; esi = driver-object extension (not NULL-checked)
mov     eax, [edi+8]
test    eax, eax
jz      short loc_1A893
add     eax, 0FFFFFFFFh
mov     [esi+8], eax  ; slot index = extension+8 - 1 (not range-checked)
lea     ecx, [eax+eax*2]
cmp     dword ptr [esi+ecx*8+14h], 0
lea     eax, [esi+ecx*8]
jnz     short loc_1A893
cmp     dword ptr [eax+18h], 0
jz      short loc_1A893
mov     ecx, 1
mov     [eax+14h], ecx  ; mark the slot active
mov     eax, [esi+8]
lea     edx, [eax+eax*2]
mov     eax, [esp+58h+var_44]  ; really var_50 (type-3 value)
mov     [esi+edx*8+1Ch], eax
mov     eax, [esi+8]
lea     edx, [eax+eax*2]
mov     [esi+edx*8+20h], ebp
mov     eax, [esi+8]
lea     eax, [eax+eax*2]
mov     [esi+eax*8+24h], bl
mov     eax, [esi+8]
lea     edx, [eax+eax*2]
mov     eax, [esp+58h+var_48]  ; really var_54 (type-2 dword at +0Ch)
mov     [esi+edx*8+28h], eax
add     [esi+4], ecx
jmp     short loc_1A898

loc_1A893:
mov     ecx, 1

loc_1A898:
; the flag at +10h is set only when both slot 0 (+14h/+18h) and slot 1
; (+2Ch/+30h) are active and hold a device
cmp     dword ptr [esi+14h], 0
jz      short loc_1A8B3
cmp     dword ptr [esi+18h], 0
jz      short loc_1A8B3
cmp     dword ptr [esi+2Ch], 0
jz      short loc_1A8B3
cmp     dword ptr [esi+30h], 0
jz      short loc_1A8B3
mov     [esi+10h], ecx

loc_1A8B3:
cmp     dword ptr [esi+10h], 0
jz      loc_1A94F
mov     edx, [edi+18h]
mov     eax, [esp+58h+var_48]  ; really var_54
lea     ecx, [esp+58h+var_3C]  ; really &var_48
push    ecx
mov     ecx, [esp+5Ch+var_40]  ; really var_4C; only its low byte was written
push    edx
push    eax
push    ecx
push    ebp
lea     edx, [esp+6Ch+var_34]  ; really &var_40, the type-1 array
push    edx
push    esi
call    sub_1F590
test    eax, eax
mov     [edi+0E0h], eax
mov     dword ptr [edi+0D0h], 0
jz      short loc_1A915
mov     eax, [edi+18h]
lea     ebp, [edi+0D8h]
push    ebp
push    0
push    offset unk_1D550
push    eax
call    ds:IoRegisterDeviceInterface
test    eax, eax
jl      short loc_1A915
push    1
push    ebp
call    ds:IoSetDeviceInterfaceState

loc_1A915:
; the sub_1F590 result is published to the driver extension (+44h) and to the
; +0E0h field of both slot devices
mov     eax, [edi+0E0h]
mov     edx, [esi+30h]
mov     ecx, [esi+18h]
mov     [esi+44h], eax
mov     edx, [edx+28h]
mov     ecx, [ecx+28h]
mov     [edx+0E0h], eax
mov     [ecx+0E0h], eax
lea     eax, [edi+90h]
push    eax
push    1
push    edi
call    sub_1A380
pop     esi
pop     edi
pop     ebp
pop     ebx
add     esp, 54h
retn    4

loc_1A94F:
mov     eax, [esp+58h+var_38]  ; really var_44, zeroed at entry
pop     esi
pop     edi
pop     ebp
pop     ebx
add     esp, 54h
retn    4

loc_1A95D:
pop     edi
pop     ebp
mov     eax, 0C0000182h
pop     ebx
add     esp, 54h
retn    4
sub_1A7A0 endp

align 10h



; sub_1A970 -- removal handler (DeviceObject, Irp).
; Unless the state at extension+40h is already 3 or 4, sub_1A730 is run first.
; The state is then set to 5, sub_1B0D0(lock at +20h, Irp) is called (not
; shown; presumably releases the lock and waits for outstanding holders),
; sub_1A730 is run again, the IRP is passed down and the device is torn down
; with sub_1A180. Returns the lower driver's status.
; The extension must not be touched after sub_1A180, and the code does not.
sub_1A970 proc near

arg_0= dword ptr  10h
arg_4= dword ptr  14h

push    ebx
push    esi
push    edi
mov     edi, [esp+arg_0]  ; edi = device object
mov     ebx, [edi+28h]  ; ebx = device extension
mov     eax, [ebx+40h]
cmp     eax, 3
jz      short loc_1A98E
cmp     eax, 4
jz      short loc_1A98E
mov     eax, edi
call    sub_1A730

loc_1A98E:
mov     esi, [esp+arg_4]  ; esi = Irp
mov     dword ptr [ebx+40h], 5
push    esi
add     ebx, 20h
push    ebx
call    sub_1B0D0
mov     eax, edi
call    sub_1A730
add     byte ptr [esi+23h], 1
add     dword ptr [esi+60h], 24h
mov     eax, [edi+28h]
mov     ecx, [eax+14h]
mov     edx, esi
call    ds:IofCallDriver
push    edi
mov     esi, eax  ; keep the lower driver's status across the tear-down
call    sub_1A180
pop     edi
mov     eax, esi
pop     esi
pop     ebx
retn    8
sub_1A970 endp




; sub_1A9D0 -- start handler (DeviceObject, Irp); first entry of the table
; used by loc_1AAD0.
; Calls sub_186B0([extension+18h], 41543134h) (not shown), forwards the IRP
; synchronously, and on success hands two pointers to sub_1A7A0 in ecx and
; eax. Each is the dword at stack-location+4 / +8 advanced by 0Ch, or 0 when
; that dword is NULL; presumably the raw and translated resource lists
; positioned at their partial list. State becomes 1 when sub_1A7A0 succeeds.
; The IRP is finished with sub_17920(Irp, status, information).
sub_1A9D0 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_0]  ; esi = device object
mov     eax, [esi+28h]
mov     ecx, [eax+18h]
push    edi
push    41543134h
push    ecx
call    sub_186B0
mov     edi, [esp+4+arg_4]  ; edi = Irp
push    edi
push    esi
call    sub_1A300
test    eax, eax
jge     short loc_1AA06
mov     edx, [edi+1Ch]
push    edx
push    eax
push    edi
call    sub_17920
pop     edi
pop     esi
retn    8

loc_1AA06:
mov     edx, [edi+60h]
mov     eax, [edx+4]
test    eax, eax
push    ebx
mov     ebx, [esi+28h]  ; push/mov keep the test flags for the jz below
jz      short loc_1AA19
lea     ecx, [eax+0Ch]
jmp     short loc_1AA1B

loc_1AA19:
xor     ecx, ecx

loc_1AA1B:
mov     edx, [edx+8]
test    edx, edx
jz      short loc_1AA27
lea     eax, [edx+0Ch]
jmp     short loc_1AA29

loc_1AA27:
xor     eax, eax

loc_1AA29:
push    esi
call    sub_1A7A0
test    eax, eax
jl      short loc_1AA3A
mov     dword ptr [ebx+40h], 1

loc_1AA3A:
push    0
push    eax
push    edi
call    sub_17920
pop     ebx
pop     edi
pop     esi
retn    8
sub_1A9D0 endp

align 10h



; sub_1AA50 -- handler (DeviceObject, Irp): when the state at extension+40h is
; 2, runs sub_1A730 and sets the state to 0. In every case the IRP is then
; passed down to the device at extension+14h. State 2 is set by sub_1A6C0, so
; this looks like the stop that follows it.
sub_1AA50 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_0]
push    edi
mov     edi, [esi+28h]  ; edi = device extension
cmp     dword ptr [edi+40h], 2
jnz     short loc_1AA6D
mov     eax, esi
call    sub_1A730
mov     dword ptr [edi+40h], 0

loc_1AA6D:
mov     edx, [esp+4+arg_4]
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     esi, [esi+28h]
mov     ecx, [esi+14h]
call    ds:IofCallDriver
pop     edi
pop     esi
retn    8
sub_1AA50 endp

align 10h



; sub_1AA90 -- handler (DeviceObject, Irp): sets the state at extension+40h to
; 4, runs sub_1A730, writes 0 to Irp+18h and passes the IRP down. sub_1A970
; treats state 4 as "already unregistered", so this looks like the
; surprise-removal path.
sub_1AA90 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_0]
mov     eax, [esi+28h]
mov     dword ptr [eax+40h], 4
mov     eax, esi
call    sub_1A730
mov     edx, [esp+arg_4]
add     byte ptr [edx+23h], 1
add     dword ptr [edx+60h], 24h
mov     dword ptr [edx+18h], 0
mov     esi, [esi+28h]
mov     ecx, [esi+14h]
call    ds:IofCallDriver
pop     esi
retn    8
sub_1AA90 endp

align 10h

; loc_1AAD0 -- dispatcher (DeviceObject, Irp) reached from loc_1A160 when bit 0
; of the extension is clear.
; Takes the lock at extension+20h; on failure finishes the IRP with that
; status. The byte at stack-location+1 selects a handler from the table
; off_1E028. The index is bounds-checked with an unsigned compare against 18h,
; and larger values are simply passed down. The lock is released afterwards,
; except for index 2, whose handler is expected to deal with the lock itself
; (sub_1A970 calls sub_1B0D0 on it).
; In the pass-down path the IRP pointer handed to sub_18F90 after
; IofCallDriver is only an opaque second argument; sub_18F90 never reads it.
loc_1AAD0:
push    ebx
mov     ebx, [esp+8]  ; ebx = device object
mov     eax, [ebx+28h]
push    esi
mov     esi, [esp+10h]  ; esi = Irp
push    edi
lea     edi, [eax+20h]  ; edi = lock
push    esi
push    edi
call    sub_18F50
test    eax, eax
jge     short loc_1AAFB
push    0
push    eax
push    esi
call    sub_17920
pop     edi
pop     esi
pop     ebx
retn    8

loc_1AAFB:
mov     eax, [esi+60h]
push    ebp
movzx   ebp, byte ptr [eax+1]
cmp     ebp, 18h
jb      short loc_1AB32
add     byte ptr [esi+23h], 1
add     eax, 24h
mov     [esi+60h], eax
mov     ebx, [ebx+28h]
mov     ecx, [ebx+14h]
mov     edx, esi
call    ds:IofCallDriver
push    esi
push    edi
mov     ebx, eax
call    sub_18F90
pop     ebp
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
retn    8

loc_1AB32:
mov     eax, off_1E028[ebp*4]
push    esi
push    ebx
call    eax ; sub_1A9D0
cmp     ebp, 2
mov     ebx, eax
jz      short loc_1AB4B
push    esi
push    edi
call    sub_18F90

loc_1AB4B:
pop     ebp
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
retn    8
align 10h



; sub_1AB60 -- identifier query handler (DeviceObject, Irp) for child devices.
; The dword at stack-location+4 selects the string to build:
;   0 -> "%ws\\%ws_%02d" with "ESI", "ESP1010e" and the dword at extension+4
;   1 -> "%ws_%02d" with "ESI\\ESP1010e" and the same dword
;   3 -> "%04d" with the same dword
;   anything else -> sub_17920(Irp, 0C00000BBh, 0)
; The text is formatted into an 80h-byte stack buffer, measured, copied into
; pool type 1 (tag 504F5752h, length*2 + 4 bytes) and terminated with two NUL
; characters before being returned through sub_17920(Irp, 0, buffer).
; Allocation failure yields sub_17920(Irp, 0C000009Ah, 0).
; NOTE(review): swprintf has no length limit. The buffer holds 64 characters
; and the longest output for a 32-bit value is well under that, so it fits
; with the format strings shown; a bounded formatter would make that
; guarantee explicit.
sub_1AB60 proc near

var_80= dword ptr -80h
arg_0= dword ptr  4
arg_4= dword ptr  8

sub     esp, 80h
mov     eax, [esp+80h+arg_0]
push    ebp
push    esi
mov     esi, [eax+28h]  ; esi = device extension
push    7Eh
lea     ecx, [esp+8Ch+var_80+2]
push    0
push    ecx
mov     word ptr [esp+94h+var_80], 0
call    memset  ; first word cleared above, remaining 7Eh bytes here
mov     ebp, [esp+94h+arg_4]  ; ebp = Irp
mov     edx, [ebp+60h]
mov     eax, [edx+4]
add     esp, 0Ch
sub     eax, 0
jz      short loc_1ABF5
sub     eax, 1
jz      short loc_1ABD7
sub     eax, 2
jz      short loc_1ABBE
push    0
push    0C00000BBh
push    ebp
call    sub_17920
pop     esi
pop     ebp
add     esp, 80h
retn    8

loc_1ABBE:
mov     eax, [esi+4]
push    eax
lea     ecx, [esp+8Ch+var_80]
push    offset a04d     ; "%04d"
push    ecx
call    ds:swprintf
add     esp, 0Ch
jmp     short loc_1AC16

loc_1ABD7:
mov     edx, [esi+4]
push    edx
push    offset aEsiEsp1010e ; "ESI\\ESP1010e"
lea     eax, [esp+90h+var_80]
push    offset aWs_02d  ; "%ws_%02d"
push    eax
call    ds:swprintf
add     esp, 10h
jmp     short loc_1AC16

loc_1ABF5:
mov     ecx, [esi+4]
push    ecx
push    offset aEsp1010e ; "ESP1010e"
push    offset aEsi     ; "ESI"
lea     edx, [esp+94h+var_80]
push    offset aWsWs_02d ; "%ws\\%ws_%02d"
push    edx
call    ds:swprintf
add     esp, 14h

loc_1AC16:
lea     eax, [esp+88h+var_80]
lea     edx, [eax+2]
lea     ecx, [ecx+0]  ; no-op padding

loc_1AC20:
; scan for the terminating NUL; afterwards (eax - edx)/2 is the length in
; characters
mov     cx, [eax]
add     eax, 2
test    cx, cx
jnz     short loc_1AC20
sub     eax, edx
push    edi
sar     eax, 1
mov     edi, eax  ; edi = character count
push    504F5752h
lea     eax, [edi+edi+4]
push    eax
push    1
call    ds:ExAllocatePoolWithTag
test    eax, eax
jnz     short loc_1AC60
push    eax
push    0C000009Ah
push    ebp
call    sub_17920
pop     edi
pop     esi
pop     ebp
add     esp, 80h
retn    8

loc_1AC60:
lea     ecx, [esp+8Ch+var_80]
mov     esi, eax
mov     edx, ecx
sub     esi, edx  ; esi = destination - source, so [esi+ecx] addresses the copy
lea     ebx, [ebx+0]  ; no-op padding

loc_1AC70:
movzx   edx, word ptr [ecx]
mov     [esi+ecx], dx
add     ecx, 2
test    dx, dx
jnz     short loc_1AC70
push    eax
push    0
push    ebp
mov     [eax+edi*2+2], dx  ; dx is 0 here: second terminator
call    sub_17920
pop     edi
pop     esi
pop     ebp
add     esp, 80h
retn    8
sub_1AB60 endp

align 10h



; sub_1ACA0 -- relations query handler (DeviceObject, Irp) for child devices.
; When the dword at stack-location+4 is 4 (presumably the target-device
; relation), an 8-byte list { 1, DeviceObject } is allocated from pool type 1
; (tag 504F5752h), a reference is taken on the device, any list already at
; Irp+1Ch is freed and replaced, and the status becomes 0 (or 0C000009Ah on
; allocation failure). For every other type the status already in the IRP is
; kept. The IRP is completed here and its status returned.
sub_1ACA0 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    ebx
mov     ebx, [esp+arg_4]  ; ebx = Irp
mov     eax, [ebx+60h]
cmp     dword ptr [eax+4], 4
push    ebp
mov     ebp, [ebx+1Ch]  ; previous list pointer, if any
push    edi
mov     edi, [ebx+18h]  ; status already in the IRP
jnz     short loc_1ACFB
push    esi
push    504F5752h
push    8
push    1
call    ds:ExAllocatePoolWithTag
mov     esi, eax
test    esi, esi
jz      short loc_1ACE3
mov     ecx, [esp+0Ch+arg_0]
mov     dword ptr [esi], 1
mov     [esi+4], ecx
call    ds:ObfReferenceObject
xor     edi, edi
jmp     short loc_1ACE8

loc_1ACE3:
mov     edi, 0C000009Ah

loc_1ACE8:
test    esi, esi
jz      short loc_1ACFA
test    ebp, ebp
jz      short loc_1ACF7
push    ebp
call    ds:ExFreePool

loc_1ACF7:
mov     [ebx+1Ch], esi

loc_1ACFA:
pop     esi

loc_1ACFB:
xor     dl, dl
mov     ecx, ebx
mov     [ebx+18h], edi
call    ds:IofCompleteRequest
mov     eax, edi
pop     edi
pop     ebp
pop     ebx
retn    8
sub_1ACA0 endp




; sub_1AD10 -- completes the IRP (second argument) without changing it and
; returns the status it already carried at Irp+18h. The status is read before
; IofCompleteRequest, so the IRP is not touched after completion.
sub_1AD10 proc near

arg_4= dword ptr  8

mov     ecx, [esp+arg_4]
push    esi
mov     esi, [ecx+18h]
xor     dl, dl
call    ds:IofCompleteRequest
mov     eax, esi
pop     esi
retn    8
sub_1AD10 endp

align 10h



; sub_1AD30 -- re-issue a child-device IRP on the parent's stack.
; In:  arg_0 = child device object, arg_4 = original Irp.
; Out: eax = 103h once the new IRP has been sent, or the result of
;      sub_17920(Irp, 0C000009Ah, [Irp+1Ch]) when no IRP could be allocated.
; Takes a reference to the top of the stack above [extension+0Ch], allocates a
; new IRP with one extra stack location, stores the original IRP and the
; target device in that extra location, copies the original stack location
; into the next one, installs sub_18A50 as completion routine (context = a
; byte from byte_1E088 indexed by the minor code, or 1 for codes of 19h and
; above), presets the new IRP's status to 0C00000BBh, sets bit 0 in the
; original stack location's control byte and sends the new IRP.
; NOTE(review): on the allocation-failure path the reference obtained from
; IoGetAttachedDeviceReference is not released in this routine.
; NOTE(review): var_4 is declared but not referenced.
sub_1AD30 proc near

var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]
mov     ecx, [eax+28h]
mov     eax, [ecx+0Ch]
push    ebx
push    ebp
push    esi
mov     esi, [esp+0Ch+arg_4]  ; esi = original Irp
mov     ebx, [esi+60h]  ; ebx = its current stack location
push    eax
call    ds:IoGetAttachedDeviceReference
mov     ebp, eax  ; ebp = referenced target device
movzx   edx, byte ptr [ebp+30h]
add     dl, 1  ; 8-bit add: stack size + 1, wraps at 256
push    0
push    edx
call    ds:IoAllocateIrp
test    eax, eax
jnz     short loc_1AD76
mov     eax, [esi+1Ch]
push    eax
push    0C000009Ah
push    esi
call    sub_17920
pop     esi
pop     ebp
pop     ebx
retn    8

loc_1AD76:
mov     ecx, [eax+60h]
mov     [ecx-20h], esi  ; extra location, offset +4: original Irp
sub     ecx, 24h
mov     [ecx+14h], ebp  ; extra location, offset +14h: target device
add     dword ptr [eax+60h], 0FFFFFFDCh
mov     edx, [eax+60h]
add     byte ptr [eax+23h], 0FFh
add     edx, 0FFFFFFDCh
push    edi
mov     esi, ebx
mov     ecx, 7
mov     edi, edx
rep movsd
mov     byte ptr [edx+3], 0
mov     bl, [ebx+1]
cmp     bl, 19h
pop     edi
jnb     short loc_1ADB4
movzx   ecx, bl
mov     dl, byte_1E088[ecx]  ; index bounded by the unsigned compare above
jmp     short loc_1ADB6

loc_1ADB4:
mov     dl, 1

loc_1ADB6:
mov     ecx, [eax+60h]
sub     ecx, 24h
movzx   edx, dl
mov     [ecx+20h], edx
mov     dword ptr [ecx+1Ch], offset sub_18A50
mov     byte ptr [ecx+3], 0E0h
mov     ecx, [esp+0Ch+arg_4]
mov     dword ptr [eax+18h], 0C00000BBh
mov     ecx, [ecx+60h]
or      byte ptr [ecx+3], 1  ; marks the original IRP pending
mov     edx, eax
mov     ecx, ebp
call    ds:IofCallDriver
pop     esi
pop     ebp
mov     eax, 103h
pop     ebx
retn    8
sub_1AD30 endp

align 10h



; sub_1AE00 - store status 0 in the request, complete it and return 0.
; Convention: stdcall with two dword arguments (retn 8); only arg_4 is read.
; This is the most common target in the off_1E0A8 jump table.
; NOTE(review): offset 18h is presumably IRP.IoStatus.Status on x86 - confirm against the WDK headers.
sub_1AE00 proc near

arg_4= dword ptr  8

mov     ecx, [esp+arg_4]                ; ecx = request pointer (first fastcall argument)
xor     dl, dl                          ; dl = 0, no priority boost
mov     dword ptr [ecx+18h], 0          ; status = 0 (success)
call    ds:IofCompleteRequest
xor     eax, eax                        ; return 0
retn    8
sub_1AE00 endp

align 10h



; sub_1AE20 - atomically increment the dword at offset 0D4h of the structure passed in arg_0.
; Convention: stdcall with one dword argument (retn 4); eax is whatever InterlockedIncrement returns.
; sub_1AEA0 stores this routine's address at offset 8 of the interface structure it fills in,
; so other kernel components call it with the context pointer published there.
sub_1AE20 proc near

arg_0= dword ptr  4

mov     ecx, [esp+arg_0]                ; ecx = context structure
add     ecx, 0D4h                       ; ecx = address of the counter (fastcall argument)
call    ds:InterlockedIncrement
retn    4
sub_1AE20 endp

align 10h



; sub_1AE40 - atomically decrement the dword at offset 0D4h of the structure passed in arg_0.
; Convention: stdcall with one dword argument (retn 4); eax is whatever InterlockedDecrement returns.
; Counterpart of sub_1AE20; sub_1AEA0 stores its address at offset 0Ch of the interface structure.
; NOTE(review): nothing here stops the counter from going below zero if callers release more
; often than they acquire.
sub_1AE40 proc near

arg_0= dword ptr  4

mov     ecx, [esp+arg_0]                ; ecx = context structure
add     ecx, 0D4h                       ; ecx = address of the counter (fastcall argument)
call    ds:InterlockedDecrement
retn    4
sub_1AE40 endp

align 10h



; sub_1AE60 - drop one count from the 0D4h counter if it is positive, then complete the
; request with status 0 and return 0.
; Convention: stdcall(arg_0, arg_4), retn 8. Referenced from slot 2 of off_1E0A8.
; The counter is reached by the chain arg_0 -> [+28h] -> [+0Ch] -> [+28h], the same chain
; sub_1AEA0 uses to find the structure whose counter it increments.
; NOTE(review): the "> 0" test is a plain memory compare followed by a separate
; InterlockedDecrement, so the guard is not atomic; two concurrent callers can both pass the
; check. A compare-exchange loop would close that window.
sub_1AE60 proc near

arg_0= dword ptr  4
arg_4= dword ptr  8

mov     eax, [esp+arg_0]                ; device object
mov     ecx, [eax+28h]                  ; presumably its DeviceExtension
mov     edx, [ecx+0Ch]                  ; device pointer kept in that extension
mov     eax, [edx+28h]                  ; that device's extension: owner of the counter
cmp     dword ptr [eax+0D4h], 0         ; non-interlocked read of the counter
lea     ecx, [eax+0D4h]                 ; lea leaves the flags from cmp intact
jle     short loc_1AE82                 ; signed: skip when the counter is zero or negative
call    ds:InterlockedDecrement

loc_1AE82:
mov     ecx, [esp+arg_4]                ; request pointer
xor     dl, dl                          ; no priority boost
mov     dword ptr [ecx+18h], 0          ; status = 0 (success)
call    ds:IofCompleteRequest
xor     eax, eax
retn    8
sub_1AE60 endp

align 10h



; sub_1AEA0 - answer an interface query. If the requested identifier does not match
; unk_1D550 the request is forwarded through sub_1AD30; otherwise a 1Ch-byte structure
; supplied by the requester is filled with a context pointer and three code addresses.
; Convention: stdcall(arg_0, arg_4), retn 8. IDA's argument offsets (0Ch / 10h) already
; include the two registers pushed on entry. Referenced from slot 8 of off_1E0A8.
; Offsets 4 / 8 / 0Ah / 0Ch of the stack location are read as identifier pointer, size,
; version and output pointer - NOTE(review): this matches the query-interface parameter
; block of IO_STACK_LOCATION on x86; confirm against the WDK headers.
; NOTE(review): the structure hands out the address of loc_1F000, which sits in the PAGE
; segment of this listing, plus two internal pointers, to whoever sends the query. The size
; is checked before the stores, but the output pointer itself is not checked for NULL.
sub_1AEA0 proc near

arg_0= dword ptr  0Ch
arg_4= dword ptr  10h

push    esi
push    edi
mov     edi, [esp+arg_4]                ; edi = request
mov     esi, [edi+60h]                  ; esi = its current stack location
mov     eax, [esi+4]                    ; requested identifier pointer
push    offset unk_1D550                ; identifier this driver answers to
push    eax
call    sub_189A0                       ; comparison helper outside this chunk; 0 is treated as "no match"
test    eax, eax
jnz     short loc_1AECB
mov     ecx, [esp+arg_0]
push    edi
push    ecx
call    sub_1AD30                       ; not ours: pass the query on, result returned as-is
pop     edi
pop     esi
retn    8

loc_1AECB:
movzx   ecx, word ptr [esi+0Ah]         ; requested version
mov     eax, 1
cmp     cx, ax
jnb     short loc_1AEF0                 ; version >= 1: continue with eax = 1
movzx   eax, cx                         ; version 0
test    ax, ax
jnz     short loc_1AEF0                 ; never taken on this path (ax is 0)

loc_1AEE1:
mov     edx, [edi+18h]                  ; keep whatever status the request already carries
push    edx
push    edi
call    sub_17950                       ; helper outside this chunk; receives (request, status)
pop     edi
pop     esi
retn    8

loc_1AEF0:
mov     ecx, [esp+arg_0]                ; device object
mov     edx, [ecx+28h]                  ; presumably its DeviceExtension
mov     ecx, [edx+0Ch]                  ; device pointer kept in that extension
mov     ecx, [ecx+28h]                  ; ecx = structure published as the interface context
movzx   eax, ax
sub     eax, 1
jnz     short loc_1AEE1                 ; eax is 1 when reached via jnb, so every version >= 1 is accepted
cmp     word ptr [esi+8], 1Ch           ; requester's buffer must cover the 1Ch bytes written below
jnb     short loc_1AF1C
push    0C000000Dh                      ; STATUS_INVALID_PARAMETER
push    edi
call    sub_17950
pop     edi
pop     esi
retn    8

loc_1AF1C:
mov     eax, [esi+0Ch]                  ; requester-supplied output structure (not NULL-checked)
mov     [eax+4], ecx                    ; +4  context pointer
mov     word ptr [eax], 1Ch             ; +0  size
mov     word ptr [eax+2], 1             ; +2  version, always reported as 1
mov     dword ptr [eax+8], offset sub_1AE20   ; +8  reference routine
mov     dword ptr [eax+0Ch], offset sub_1AE40 ; +0Ch dereference routine
mov     dword ptr [eax+10h], offset loc_1F000 ; +10h command dispatcher
mov     esi, [ecx+0E0h]
mov     [eax+14h], esi                  ; +14h pointer taken from context+0E0h
mov     edx, [edx+4]
add     ecx, 0D4h
mov     [eax+18h], edx                  ; +18h value taken from offset 4 of the first extension
call    ds:InterlockedIncrement         ; count the reference handed to the requester
push    0
push    0                               ; status 0 (success)
push    edi
call    sub_17920                       ; helper outside this chunk; receives (request, status, value)
pop     edi
pop     esi
retn    8
sub_1AEA0 endp

align 10h

; loc_1AF70 - dispatch a request on the byte at offset 1 of its current stack location
; (the minor code) through the 25-entry jump table off_1E0A8.
; IDA did not define this as a procedure; it takes two stack arguments and every path
; ends in retn 8 or a tail jump to a handler with the same convention.
; The unsigned "jb" against 19h matches the 25 entries of off_1E0A8 in this listing, so
; the indexed jump cannot read past the table.
loc_1AF70:
mov     ecx, [esp+8]                    ; ecx = request (second argument)
mov     eax, [ecx+60h]                  ; current stack location
movzx   eax, byte ptr [eax+1]           ; minor code, zero-extended
cmp     eax, 19h
jb      short loc_1AF92                 ; in range: use the table
push    esi
mov     esi, [ecx+18h]                  ; out of range: complete with the status already present
xor     dl, dl
call    ds:IofCompleteRequest
mov     eax, esi
pop     esi
retn    8

loc_1AF92:
mov     edx, off_1E0A8[eax*4]           ; handler address for this code
mov     [esp+8], ecx                    ; writes back the value just read from the same slot
jmp     edx                             ; tail call: the handler sees the original two arguments
align 10h

; loc_1AFA0 - handle a power request. IDA did not define this as a procedure; it takes
; (device object, request) on the stack and every path ends in retn 8.
; Flow: sub_18F50(ext+20h, request) must return >= 0, otherwise the request is finished
; with that status. Codes other than 2 and 3 are passed down with PoCallDriver. Code 2 may
; first call sub_1F210, then codes 2 and 3 allocate a 20h-byte work record and hand it to
; sub_18B50. sub_18F90(ext+20h, request) is called before every return after the guard.
; NOTE(review): sub_18F50 / sub_18F90 look like an acquire / release pair on a removal
; guard - both are defined outside this chunk.
; NOTE(review): sub_18F90 receives the request pointer after the request has been passed to
; PoCallDriver, sub_17950 or sub_18B50; that is safe only if sub_18F90 treats it as an
; opaque tag and never dereferences it.
; Offsets 8 / 0Ch of the stack location are read as power type and state -
; NOTE(review): confirm against the WDK headers.
loc_1AFA0:
mov     eax, [esp+4]                    ; device object
push    ebx
push    esi
mov     esi, [esp+10h]                  ; esi = request
push    edi
mov     edi, [eax+28h]                  ; edi = presumably the DeviceExtension
push    esi
lea     ebx, [edi+20h]                  ; ebx = guard object inside the extension
push    ebx
call    sub_18F50
test    eax, eax
jge     short loc_1AFCB
push    0
push    eax                             ; failure status from sub_18F50
push    esi
call    sub_17920                       ; helper outside this chunk; receives (request, status, value)
pop     edi
pop     esi
pop     ebx
retn    8

loc_1AFCB:
mov     eax, [esi+60h]                  ; current stack location
movzx   ecx, byte ptr [eax+1]           ; minor code
cmp     ecx, 2
jz      short loc_1B007
cmp     ecx, 3
jz      short loc_1B03E
push    esi
call    ds:PoStartNextPowerIrp
add     byte ptr [esi+23h], 1           ; step the request back up one location ...
add     dword ptr [esi+60h], 24h        ; ... so the lower driver reuses this one (skip pattern)
mov     ecx, [edi+14h]                  ; device pointer kept at ext+14h
push    esi
push    ecx
call    ds:PoCallDriver
push    esi
push    ebx
mov     edi, eax                        ; keep the status across the release call
call    sub_18F90
mov     eax, edi
pop     edi
pop     esi
pop     ebx
retn    8

loc_1B007:
mov     ecx, 1
cmp     [eax+8], ecx                    ; power type must be 1
jnz     short loc_1B03E
mov     eax, [eax+0Ch]                  ; requested state
sub     eax, ecx
jz      short loc_1B02C                 ; state 1
sub     eax, 3
jnz     short loc_1B03E                 ; anything other than state 4: no hardware call
cmp     [edi+8], ecx                    ; only when ext+8 == 1
jnz     short loc_1B03E
mov     edx, [edi+0E0h]
push    eax                             ; eax is 0 here: second argument 0 for state 4
push    edx
jmp     short loc_1B039

loc_1B02C:
cmp     [edi+8], ecx                    ; only when ext+8 == 1
jnz     short loc_1B03E
mov     eax, [edi+0E0h]
push    ecx                             ; second argument 1 for state 1
push    eax

loc_1B039:
call    sub_1F210                       ; helper outside this chunk; receives ([ext+0E0h], 0 or 1)

loc_1B03E:
push    504F5752h                       ; pool tag, bytes 'R','W','O','P' in memory
push    20h                             ; size of the work record
push    0                               ; pool type 0 (NonPagedPool)
call    ds:ExAllocatePoolWithTag
test    eax, eax
jnz     short loc_1B06D
push    0C000009Ah                      ; STATUS_INSUFFICIENT_RESOURCES
push    esi
call    sub_17950                       ; helper outside this chunk; receives (request, status)
push    esi
push    ebx
mov     edi, eax
call    sub_18F90
mov     eax, edi
pop     edi
pop     esi
pop     ebx
retn    8

loc_1B06D:
xor     ecx, ecx
mov     [eax+8], ecx                    ; zero fields 8..1Ch of the record
mov     [eax+0Ch], ecx
mov     [eax+10h], ecx
mov     [eax+14h], ecx
mov     [eax+18h], ecx
push    ecx                             ; second argument 0
mov     [eax+1Ch], ecx
push    eax                             ; first argument: the record
mov     [eax], edi                      ; +0 extension pointer
mov     [eax+4], esi                    ; +4 request pointer
call    sub_18B50                       ; takes over the record; its status becomes the return value
push    esi
push    ebx
mov     edi, eax
call    sub_18F90
mov     eax, edi
pop     edi
pop     esi
pop     ebx
retn    8
align 10h



; sub_1B0A0 - initialise a small guard structure: dword count = 1 at +0, byte flag = 0 at
; +4, and an event at +8.
; Convention: stdcall with four dword arguments (retn 10h); only the first is read.
; IDA's arg_0 offset (8) already includes the register pushed on entry.
; sub_1B0D0 operates on the same layout (count at +0, flag at +4, event at +8).
sub_1B0A0 proc near

arg_0= dword ptr  8

push    esi
mov     esi, [esp+arg_0]                ; esi = guard structure
push    0                               ; initial state: not signalled
push    0                               ; event type 0 (notification)
lea     eax, [esi+8]
push    eax
call    ds:KeInitializeEvent
mov     dword ptr [esi], 1              ; count starts at 1
mov     byte ptr [esi+4], 0             ; flag cleared
pop     esi
retn    10h
sub_1B0A0 endp

align 10h



; sub_1B0D0 - shut a guard structure down: set the flag at +4, decrement the count at +0
; twice (signalling the event at +8 whenever a decrement reaches zero), then block until
; the event is signalled.
; Convention: stdcall with two dword arguments (retn 8); only the first is read.
; The layout matches the one initialised by sub_1B0A0, whose count starts at 1.
; NOTE(review): the wait passes a NULL timeout, so the caller blocks indefinitely if an
; outstanding count is never released; worth checking every acquire path has a release.
sub_1B0D0 proc near

arg_0= dword ptr  8

push    ebx
mov     ebx, ds:InterlockedDecrement    ; cached import, called twice below
push    esi
mov     esi, [esp+4+arg_0]              ; esi = guard structure (first argument)
push    edi
mov     ecx, esi
mov     byte ptr [esi+4], 1             ; raise the flag before dropping any count
call    ebx ; InterlockedDecrement
test    eax, eax
mov     edi, ds:KeSetEvent              ; mov does not disturb the flags from test
jnz     short loc_1B0F9
push    0                               ; Wait = FALSE
push    0                               ; no priority increment
lea     eax, [esi+8]
push    eax
call    edi ; KeSetEvent

loc_1B0F9:
mov     ecx, esi
call    ebx ; InterlockedDecrement
test    eax, eax
jnz     short loc_1B109
push    eax                             ; eax is 0 here: Wait = FALSE
push    eax                             ; and no priority increment
lea     ecx, [esi+8]
push    ecx
call    edi ; KeSetEvent

loc_1B109:
push    0                               ; Timeout = NULL (wait without limit)
push    0                               ; Alertable = FALSE
push    0                               ; WaitMode 0 (KernelMode)
push    0                               ; WaitReason 0 (Executive)
add     esi, 8
push    esi                             ; the event at +8
call    ds:KeWaitForSingleObject
pop     edi
pop     esi
pop     ebx
retn    8
sub_1B0D0 endp

align 100h
page ends

; Section 3. (virtual address 0000C000)
; Virtual size                  : 00000101 (    257.)
; Section size in file          : 00000200 (    512.)
; Offset to raw data for section: 00009800
; Flags 68000020: Text Not pageable Executable Readable
; Alignment     : default

; Segment type: Pure code
; Segment permissions: Read/Execute
init segment para public 'CODE' use32
assume cs:init
;org 1C000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing



; start - image entry point in the init segment. stdcall with two dword arguments (retn 8);
; the first is used as the driver object, the second as a counted Unicode string.
; Steps: allocate and zero a 48h-byte driver-object extension, require WDM 1.00, record
; whether WDM 1.10 is missing in byte_1E1C8, keep a NUL-terminated copy of the second
; argument in the string at unk_1E1C0, then install the handler addresses in the driver object.
; var_14 and var_8 are declared by IDA but never referenced.
; The slot names in the comments assume the x86 DRIVER_OBJECT layout (DriverExtension at
; +18h, DriverUnload at +34h, MajorFunction[] from +38h) - NOTE(review): confirm against
; the WDK headers.
; NOTE(review): a failure of IoAllocateDriverObjectExtension is not propagated; start-up
; continues without the extension, so every later IoGetDriverObjectExtension consumer
; has to cope with a missing extension.
; NOTE(review): the allocation size is Length+2 computed in 32 bits while MaximumLength is
; Length+2 computed in 16 bits and can wrap for Length >= 0FFFEh; the terminator write
; stays inside the allocation either way because it is indexed by the original Length.
; NOTE(review): under the assumed layout, slot 0Eh (device control) points at loc_1A200,
; which is defined outside this chunk; that handler is the place to review input-buffer
; validation.
public start
start proc near

var_14= dword ptr -14h
var_8= dword ptr -8
arg_0= dword ptr  8

push    esi
mov     esi, [esp+arg_0]                ; esi = driver object
push    edi
lea     eax, [esp+4+arg_0]              ; out pointer = the stack slot of the first argument
push    eax
push    48h                             ; extension size
push    1                               ; client identification value
push    esi
call    ds:IoAllocateDriverObjectExtension
test    eax, eax
jl      short loc_1C040                 ; failure: skip initialisation but carry on
mov     ecx, [esp+4+arg_0]              ; extension pointer written into the argument slot
push    48h
push    0
push    ecx
call    memset                          ; cdecl: the stack is cleaned by "add esp, 0Ch" below
mov     edx, [esp+10h+arg_0]
mov     dword ptr [edx], 48h            ; +0   = size of the extension
mov     eax, [esp+10h+arg_0]
add     esp, 0Ch
mov     dword ptr [eax+0Ch], 2          ; +0Ch = 2

loc_1C040:
mov     edi, ds:IoIsWdmVersionAvailable
push    0
push    1
call    edi ; IoIsWdmVersionAvailable
test    al, al
jnz     short loc_1C05A
pop     edi
mov     eax, 0C0000001h                 ; STATUS_UNSUCCESSFUL: WDM 1.00 not available
pop     esi
retn    8

loc_1C05A:
push    10h
push    1
call    edi ; IoIsWdmVersionAvailable
mov     edi, [esp+10h]                  ; edi = second argument (counted Unicode string)
test    al, al
setz    cl
mov     byte_1E1C8, cl                  ; 1 when WDM 1.10 is NOT available
movzx   edx, word ptr [edi]             ; Length in bytes
push    504F5752h                       ; pool tag, bytes 'R','W','O','P' in memory
add     edx, 2                          ; room for a terminating NUL (32-bit arithmetic)
push    edx
push    1                               ; pool type 1 (PagedPool)
call    ds:ExAllocatePoolWithTag
test    eax, eax
mov     dword_1E1C4, eax                ; Buffer of the global string
jnz     short loc_1C096
pop     edi
mov     eax, 0C000009Ah                 ; STATUS_INSUFFICIENT_RESOURCES
pop     esi
retn    8

loc_1C096:
mov     ax, [edi]
push    edi                             ; source string
add     ax, 2                           ; 16-bit add: wraps for Length >= 0FFFEh
push    offset unk_1E1C0                ; destination string header
mov     word_1E1C2, ax                  ; MaximumLength of the global string
call    ds:RtlCopyUnicodeString
movzx   ecx, word ptr [edi]
mov     edx, dword_1E1C4
shr     ecx, 1                          ; character count of the source
mov     word ptr [edx+ecx*2], 0         ; NUL-terminate the copy
mov     eax, [esi+18h]                  ; presumably DriverExtension
mov     dword ptr [esi+34h], offset loc_1A000 ; presumably DriverUnload
mov     dword ptr [eax+4], offset sub_1A010   ; presumably AddDevice
pop     edi
mov     dword ptr [esi+38h], offset loc_1A2A0 ; slot 0 (create)
mov     dword ptr [esi+40h], offset loc_1A2D0 ; slot 2 (close)
mov     dword ptr [esi+70h], offset loc_1A200 ; slot 0Eh (device control)
mov     dword ptr [esi+90h], offset loc_17970 ; slot 16h (power)
mov     dword ptr [esi+0A4h], offset loc_1A160 ; slot 1Bh (PnP)
xor     eax, eax                        ; return 0 (success)
pop     esi
retn    8
start endp

align 100h
init ends

; Section 4. (virtual address 0000D000)
; Virtual size                  : 000006AC (   1708.)
; Section size in file          : 00000800 (   2048.)
; Offset to raw data for section: 00009A00
; Flags 48000040: Data Not pageable Readable
; Alignment     : default
;
; Imports from HAL.dll
;

; Segment type: Externs
; _idata
extrn READ_PORT_UCHAR:dword
extrn READ_PORT_ULONG:dword
extrn WRITE_PORT_ULONG:dword
extrn KeStallExecutionProcessor:dword
extrn KeGetCurrentIrql:dword

;
; Imports from ntoskrnl.exe
;
extrn RtlInitUnicodeString:dword
extrn IoOpenDeviceRegistryKey:dword
extrn __imp_memcpy:dword
extrn ZwSetValueKey:dword
extrn MmMapIoSpace:dword
extrn MmUnmapIoSpace:dword
extrn ExFreePoolWithTag:dword
extrn KeSetEvent:dword
extrn KeInsertQueueDpc:dword
extrn KeSynchronizeExecution:dword
extrn IoFreeMdl:dword
extrn MmUnmapLockedPages:dword
extrn MmMapLockedPages:dword
extrn MmBuildMdlForNonPagedPool:dword
extrn IoAllocateMdl:dword
extrn IoConnectInterrupt:dword
extrn KeInitializeDpc:dword
extrn MmGetPhysicalAddress:dword
extrn MmAllocateContiguousMemory:dword
extrn MmFreeContiguousMemory:dword
extrn KeRemoveQueueDpc:dword
extrn IoDisconnectInterrupt:dword
extrn RtlFreeUnicodeString:dword
extrn IoGetDeviceProperty:dword
extrn PoSetPowerState:dword
extrn ExAllocatePool:dword
extrn IoDetachDevice:dword
extrn IoAttachDeviceToDeviceStack:dword
extrn IoGetDriverObjectExtension:dword
extrn IoCreateDevice:dword
extrn IofCompleteRequest:dword
extrn IoSetDeviceInterfaceState:dword
extrn IoIsWdmVersionAvailable:dword
extrn InterlockedIncrement:dword
extrn InterlockedDecrement:dword
extrn KeWaitForSingleObject:dword
extrn IofCallDriver:dword
extrn KeInitializeEvent:dword
extrn RtlCopyUnicodeString:dword
extrn IoAllocateDriverObjectExtension:dword
extrn IoOpenDeviceInterfaceRegistryKey:dword
extrn IoRegisterDeviceInterface:dword
extrn ObReferenceObjectByHandle:dword
extrn ObfReferenceObject:dword
extrn swprintf:dword
extrn IoFreeIrp:dword
extrn ObfDereferenceObject:dword
extrn IoAllocateIrp:dword
extrn IoGetAttachedDeviceReference:dword
extrn PoCallDriver:dword
extrn PoStartNextPowerIrp:dword
extrn PoRequestPowerIrp:dword
extrn ExQueueWorkItem:dword
extrn ZwQueryValueKey:dword
extrn ZwClose:dword
extrn KeQuerySystemTime:dword
extrn ExFreePool:dword
extrn __imp_memset:dword
extrn IoDeleteDevice:dword
extrn ExAllocatePoolWithTag:dword

;
; Imports from portcls.sys
;
extrn PcGetTimeInterval:dword



; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 1D114h
align 8
aMixeresp1010e:
unicode 0, <MixerESP1010e>,0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  7Fh ; 
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    0
db    0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db    1
db    0
db    0
db    0
db  7Fh ; 
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    1
db    0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    1
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db    2
db    0
db    0
db    0
db  7Fh ; 
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    2
db    0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    2
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db    3
db    0
db    0
db    0
db 0FFh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    3
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db    4
db    0
db    0
db    0
db 0FFh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    4
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db    5
db    0
db    0
db    0
db 0FFh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    5
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db    6
db    0
db    0
db    0
db    3
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    7
db    0
db    0
db    0
db    1
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    7
db    0
db    0
db    0
db    2
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    7
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    7
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    7
db    0
db    0
db    0
db 0F0h ; =
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    8
db    0
db    0
db    0
db    1
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    9
db    0
db    0
db    0
db    1
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db    9
db    0
db    0
db    0
db    6
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ah
db    0
db    0
db    0
db    3
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ah
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ah
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ah
db    0
db    0
db    0
db  30h ; 0
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Bh
db    0
db    0
db    0
db    3
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Bh
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Bh
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Bh
db    0
db    0
db    0
db  30h ; 0
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Bh
db    0
db    0
db    0
db  40h ; @@
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Bh
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ch
db    0
db    0
db    0
db    7
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ch
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ch
db    0
db    0
db    0
db  70h ; p
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ch
db    0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Ch
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  0Dh
db    0
db    0
db    0
db    1
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Dh
db    0
db    0
db    0
db    2
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Dh
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Dh
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Dh
db    0
db    0
db    0
db  40h ; @@
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Eh
db    0
db    0
db    0
db 0FFh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Eh
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  0Fh
db    0
db    0
db    0
db 0FFh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  0Fh
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  10h
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  10h
db    0
db    0
db    0
db  70h ; p
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  10h
db    0
db    0
db    0
db  80h ; Ç
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  11h
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  11h
db    0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  11h
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  12h
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  12h
db    0
db    0
db    0
db 0F0h ; =
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  13h
db    0
db    0
db    0
db    1
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  13h
db    0
db    0
db    0
db  1Ch
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  14h
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  14h
db    0
db    0
db    0
db  70h ; p
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  15h
db    0
db    0
db    0
db  1Fh
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  15h
db    0
db    0
db    0
db  40h ; @@
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  15h
db    0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  15h
db    0
db    0
db    0
db    0
db    1
db    0
db    0
db    2
db    3
db    0
db    0
db  16h
db    0
db    0
db    0
db    3
db    0
db    0
db    0
db    2
db    3
db    0
db    0
db  17h
db    0
db    0
db    0
db 0FFh
db    1
db    0
db    0
db    2
db    3
db    0
db    0
dword_1D450 dd 0
db    1
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    5
db    0
db    0
db    0
db    2
db    0
db    0
db    0
db    3
db    0
db    0
db    0
db    6
db    0
db    0
db    0
db    7
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    9
db    0
db    0
db    0
db  0Ah
db    0
db    0
db    0
db  0Bh
db    0
db    0
db    0
db  0Ch
db    0
db    0
db    0
db  0Dh
db    0
db    0
db    0
db  0Eh
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db  10h
db    0
db    0
db    0
db  11h
db    0
db    0
db    0
db  12h
db    0
db    0
db    0
db  13h
db    0
db    0
db    0
db  14h
db    0
db    0
db    0
db  15h
db    0
db    0
db    0
db  16h
db    0
db    0
db    0
db  17h
db    0
db    0
db    0
db  18h
db    0
db    0
db    0
db  19h
db    0
db    0
db    0
db  1Ah
db    0
db    0
db    0
db  1Bh
db    0
db    0
db    0
db  1Ch
db    0
db    0
db    0
db  1Dh
db    0
db    0
db    0
db  1Eh
db    0
db    0
db    0
db  1Fh
db    0
db    0
db    0
dword_1D4D0 dd 0
db    1
db    0
db    0
db    0
db    2
db    0
db    0
db    0
db    3
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    5
db    0
db    0
db    0
db    6
db    0
db    0
db    0
db    7
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    9
db    0
db    0
db    0
db  0Ah
db    0
db    0
db    0
db  0Bh
db    0
db    0
db    0
db  0Ch
db    0
db    0
db    0
db  0Dh
db    0
db    0
db    0
db  0Eh
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db  10h
db    0
db    0
db    0
db  11h
db    0
db    0
db    0
db  12h
db    0
db    0
db    0
db  13h
db    0
db    0
db    0
db  14h
db    0
db    0
db    0
db  15h
db    0
db    0
db    0
db  16h
db    0
db    0
db    0
db  17h
db    0
db    0
db    0
db  18h
db    0
db    0
db    0
db  19h
db    0
db    0
db    0
db  1Ah
db    0
db    0
db    0
db  1Bh
db    0
db    0
db    0
db  1Ch
db    0
db    0
db    0
db  1Dh
db    0
db    0
db    0
db  1Eh
db    0
db    0
db    0
db  1Fh
db    0
db    0
db    0
; unk_1D550 - 16-byte identifier that sub_1AEA0 passes to sub_189A0 to recognise the
; interface query it answers itself.
; Read as a little-endian GUID the bytes give {AC65480E-96FC-450D-882E-E258D104423D}.
; The character after each ';' is IDA's rendering of the byte value, not meaningful text.
unk_1D550 db  0Eh
db  48h ; H
db  65h ; e
db 0ACh ; ¼
db 0FCh ; n
db  96h ; û
db  0Dh
db  45h ; E
db  88h ; ê
db  2Eh ; .
db 0E2h ; G
db  58h ; X
db 0D1h ; -
db    4
db  42h ; B
db  3Dh ; =
dword_1D560 dd 0
dword_1D564 dd 0
dword_1D568 dd 0C00000h
dword_1D56C dd 46000000h
unk_1D570 db  40h ; @@
db 0D5h ; +
db  1Dh
db  1Ah
db 0D5h ; +
db  0Bh
db 0D5h ; +
db  11h
db  9Ah ; Ü
db  47h ; G
db    0
db 0E0h ; a
db  29h ; )
db    9
db  5Ch ; \
db  67h ; g
; ASCII string stored as three little-endian dwords plus a terminator: "EP10eDrv.sys", 0.
; IDA typed the bytes as dwords; no reference to these labels is visible in this chunk.
dword_1D580 dd 30315045h                ; 'E','P','1','0'
dword_1D584 dd 76724465h                ; 'e','D','r','v'
dword_1D588 dd 7379732Eh                ; '.','s','y','s'
byte_1D58C db 0                         ; terminating NUL
align 10h
aDeviceextensio:
unicode 0, <DeviceExtension>,0
aGetinterfaceca:
unicode 0, <GetInterfaceCallback>,0
align 4
dword_1D5DC dd 0B253E1h
dword_1D5E0 dd 11D5099Dh
dword_1D5E4 dd 0E000479Ah
dword_1D5E8 dd 675C0929h
off_1D5EC dd offset sub_17AF0
dd offset sub_18FC5
dd offset sub_18FE0
dd offset sub_18180
off_1D5FC dd offset sub_17B80
dd offset sub_17BA0
dd offset sub_17BC0
dd offset sub_17BE0
dd offset dword_180F0+20h
dword_1D610 dd 20495345h
dword_1D614 dd 31505345h
dword_1D618 dd 65303130h
dword_1D61C dd 47202D20h
dword_1D620 dd 464953h
word_1D624 dw 3020h
byte_1D626 db 0
align 4
aWsWs_02d:
unicode 0, <%ws\%ws_%02d>,0
align 4
aEsi:
unicode 0, <ESI>,0
aEsp1010e:
unicode 0, <ESP1010e>,0
align 10h
aWs_02d:
unicode 0, <%ws_%02d>,0
align 4
aEsiEsp1010e:
unicode 0, <ESI\ESP1010e>,0
align 10h
a04d:
unicode 0, <%04d>,0
align 4
off_1D69C dd offset sub_19010
dd offset sub_18FC5
dd offset sub_18FE0
dd offset sub_1906D
align 200h
_rdata ends

; Section 5. (virtual address 0000E000)
; Virtual size                  : 00000498 (   1176.)
; Section size in file          : 00000200 (    512.)
; Offset to raw data for section: 0000A200
; Flags C8000040: Data Not pageable Readable Writable
; Alignment     : default

; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 1E000h
aHw db 'hw : ',0
align 4
aWm db 'wm : ',0
align 10h
aCom db 'COM: ',0
align 4
aIo db 'Io : ',0
align 10h
aPci db 'PCI: ',0
align 4
off_1E028 dd offset sub_1A9D0
dd offset sub_1A640
dd offset sub_1A970
dd offset sub_1A410
dd offset sub_1AA50
dd offset sub_1A6C0
dd offset sub_1A460
dd offset sub_1A530
dd offset sub_1A3F0
dd offset sub_1A4C0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1A3F0
dd offset sub_1AA90
; byte_1E088 - per-code flag table read by sub_1AD30 as byte_1E088[code] after an unsigned
; check that code < 19h; the flag becomes the context of the completion routine sub_18A50.
; 32 bytes are stored, so the 25 indices the check allows all lie inside the table.
; Entries 0Fh-12h, 15h and 18h are 1; every other entry is 0.
byte_1E088 db 0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    1                                 ; index 0Fh
db    1                                 ; index 10h
db    1                                 ; index 11h
db    1                                 ; index 12h
db    0
db    0
db    1                                 ; index 15h
db    0
db    0
db    1                                 ; index 18h
db    0
db    0
db    0
db    0
db    0
db    0
db    0
; off_1E0A8 - 25-entry jump table used by loc_1AF70, indexed by the request's minor code
; after an unsigned check that the code is below 19h (25), so the table bound and the
; check agree.
; NOTE(review): the table sits in the writable _data segment (section flags C8000040 in
; this listing), so the handler addresses are not protected against modification at run
; time; read-only placement would be the more defensive choice for a dispatch table.
; NOTE(review): slot 8 parses query-interface parameters, which suggests the indices are
; PnP minor function codes - confirm against the caller of loc_1AF70.
off_1E0A8 dd offset sub_1AE00           ; 00h complete with success
dd offset sub_1AE00                     ; 01h
dd offset sub_1AE60                     ; 02h release one count, then complete with success
dd offset sub_1AE00                     ; 03h
dd offset sub_1AE00                     ; 04h
dd offset sub_1AE00                     ; 05h
dd offset sub_1AE00                     ; 06h
dd offset sub_1ACA0                     ; 07h
dd offset sub_1AEA0                     ; 08h interface query
dd offset sub_1AD30                     ; 09h forward on a new IRP
dd offset sub_1AE00                     ; 0Ah
dd offset sub_1AE00                     ; 0Bh
dd offset sub_1AD10                     ; 0Ch complete with the existing status
dd offset sub_1AE00                     ; 0Dh
dd offset sub_1AE00                     ; 0Eh
dd offset sub_1AD30                     ; 0Fh
dd offset sub_1AD30                     ; 10h
dd offset sub_1AD30                     ; 11h
dd offset sub_1AD30                     ; 12h
dd offset sub_1AB60                     ; 13h
dd offset sub_1AD30                     ; 14h
dd offset sub_1AD30                     ; 15h
dd offset sub_1AD30                     ; 16h
dd offset sub_1AE00                     ; 17h
dd offset sub_1AD30                     ; 18h
align 10h
dword_1E110 dd 1
align 8
dword_1E118 dd 0
align 10h
db    4
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  0Ah
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  0Bh
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    5
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  0Ch
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    8
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  0Eh
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  0Fh
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  10h
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db  12h
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    2
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
off_1E1AC dd offset sub_18EF0
dd offset sub_18EF0
dd offset sub_18EF0
dd offset sub_18EF0
align 10h
; Global counted string filled in by start: RtlCopyUnicodeString writes through unk_1E1C0,
; start stores Length+2 in word_1E1C2 and the pool allocation in dword_1E1C4.
; byte_1E1C8 is set by start to 1 when IoIsWdmVersionAvailable(1, 10h) returns FALSE.
unk_1E1C0 db    0                       ; string header, first two bytes (Length)
db    0
word_1E1C2 dw 0                         ; MaximumLength
dword_1E1C4 dd 0                        ; Buffer (paged pool, tag bytes 'RWOP')
byte_1E1C8 db 0                         ; "WDM 1.10 missing" flag
align 10h
dword_1E1D0 dd 0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
dword_1E1F0 dd 0
dword_1E1F4 dd 0
db    0
db    0
db    0
db    0
dword_1E1FC dd 0
dword_1E200 dd ?
dword_1E204 dd ?
dword_1E208 dd ?
dword_1E20C dd ?
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
dword_1E458 dd ?
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
db    ? ;
_data ends

; Section 6. (virtual address 0000F000)
; Virtual size                  : 00000BA8 (   2984.)
; Section size in file          : 00000C00 (   3072.)
; Offset to raw data for section: 0000A400
; Flags 60000020: Text Executable Readable
; Alignment     : default

; Segment type: Pure code
; Segment permissions: Read/Execute
PAGE segment para public 'CODE' use32
assume cs:PAGE
;org 1F000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

; ---------------------------------------------------------------------------
; loc_1F000 - selector-based dispatcher (IDA did not define a proc here).
; Every exit is "retn 0Ch": three dword stack arguments, callee-cleaned.
;   [esp+4]    value handed to every handler in ecx
;   [esp+8]    selector, accepted range 0..12h (unsigned compare)
;   [esp+0Ch]  pointer to a parameter block ("blk") the handlers read/write
; eax is not set by the dispatcher itself; on return it holds whatever the
; selected callee left there (or the selector on the out-of-range path).
; NOTE(review): the selector is bounds-checked against the 19-entry table,
; but nothing here checks blk for NULL or for a minimum size per selector
; (handlers read up to blk+18h and write results back into blk). Confirm
; the caller validates the block before reaching this routine.
; ---------------------------------------------------------------------------
loc_1F000:
mov     eax, [esp+8]
cmp     eax, 12h
; out-of-range selector: return before esi is pushed, so no pop is needed
ja      locret_1F1BB
push    esi
jmp     ds:off_1F1C0[eax*4]

; selector 0: sub_16EA0(ecx; blk[0], blk[4], blk[8], blk[0Ch], blk[10h])
loc_1F015:
mov     eax, [esp+10h]
mov     ecx, [eax+10h]
mov     edx, [eax+0Ch]
push    ecx
mov     ecx, [eax+8]
push    edx
mov     edx, [eax+4]
mov     eax, [eax]
push    ecx
mov     ecx, [esp+14h]
push    edx
push    eax
call    sub_16EA0
pop     esi
retn    0Ch

; selector 1: sub_16EF0(ecx; blk[0], blk[4], blk[8])
loc_1F039:
mov     eax, [esp+10h]
mov     ecx, [eax+8]
mov     edx, [eax+4]
mov     eax, [eax]
push    ecx
mov     ecx, [esp+0Ch]
push    edx
push    eax
call    sub_16EF0
pop     esi
retn    0Ch

; selector 2: sub_16F20(ecx; blk[0] .. blk[18h]) - seven dword arguments
loc_1F055:
mov     eax, [esp+10h]
mov     ecx, [eax+18h]
mov     edx, [eax+14h]
push    ecx
mov     ecx, [eax+10h]
push    edx
mov     edx, [eax+0Ch]
push    ecx
mov     ecx, [eax+8]
push    edx
mov     edx, [eax+4]
mov     eax, [eax]
push    ecx
mov     ecx, [esp+1Ch]
push    edx
push    eax
call    sub_16F20
pop     esi
retn    0Ch

; selector 3: sub_17060(ecx; blk[0], blk[4], blk[8], blk[0Ch])
loc_1F081:
mov     eax, [esp+10h]
mov     ecx, [eax+0Ch]
mov     edx, [eax+8]
push    ecx
mov     ecx, [eax+4]
push    edx
mov     edx, [eax]
push    ecx
mov     ecx, [esp+14h]
push    edx
call    sub_17060
pop     esi
retn    0Ch

; selector 4: sub_17130(ecx; blk[0], blk[4], blk[8], blk[0Ch])
loc_1F0A1:
mov     eax, [esp+10h]
mov     ecx, [eax+0Ch]
mov     edx, [eax+8]
push    ecx
mov     ecx, [eax+4]
push    edx
mov     edx, [eax]
push    ecx
mov     ecx, [esp+14h]
push    edx
call    sub_17130
pop     esi
retn    0Ch

; selector 5: calls the code at 17210h (IDA shows that address as data) with
; blk[0]..blk[10h]; the result is written back to blk[14h]
loc_1F0C1:
mov     esi, [esp+10h]
mov     eax, [esi+10h]
mov     ecx, [esi+0Ch]
mov     edx, [esi+8]
push    eax
mov     eax, [esi+4]
push    ecx
mov     ecx, [esi]
push    edx
push    eax
push    ecx
mov     ecx, [esp+1Ch]
call    near ptr dword_17210
mov     [esi+14h], eax
pop     esi
retn    0Ch

; selector 6: target 17210h+40h with blk[0]; result -> blk[4]
loc_1F0E8:
mov     esi, [esp+10h]
mov     edx, [esi]
mov     ecx, [esp+8]
push    edx
call    near ptr dword_17210+40h
mov     [esi+4], eax
pop     esi
retn    0Ch

; selector 7: target 17210h+50h, no stack arguments; result -> blk[0]
loc_1F0FF:
mov     ecx, [esp+8]
call    near ptr dword_17210+50h
mov     ecx, [esp+10h]
mov     [ecx], eax
pop     esi
retn    0Ch

; selector 8: target 17210h+70h, no stack arguments, result not stored
loc_1F112:
mov     ecx, [esp+8]
call    near ptr dword_17210+70h
pop     esi
retn    0Ch

; selector 9: target 17210h+120h with two zero-extended bytes
; (byte blk[0], byte blk[1]); result -> blk[4]
loc_1F11F:
mov     esi, [esp+10h]
movzx   edx, byte ptr [esi+1]
movzx   eax, byte ptr [esi]
mov     ecx, [esp+8]
push    edx
push    eax
call    near ptr dword_17210+120h
mov     [esi+4], eax
pop     esi
retn    0Ch

; selector 0Ah: target 17210h+90h with byte blk[0]; only the low 16 bits of
; the result are kept (zero-extended) and stored in blk[4]
loc_1F13C:
mov     esi, [esp+10h]
movzx   ecx, byte ptr [esi]
push    ecx
mov     ecx, [esp+0Ch]
call    near ptr dword_17210+90h
movzx   edx, ax
mov     [esi+4], edx
pop     esi
retn    0Ch

; selector 0Bh: target 17210h+0B0h with (byte blk[0], blk[4])
loc_1F157:
mov     eax, [esp+10h]
mov     ecx, [eax+4]
movzx   edx, byte ptr [eax]
push    ecx
mov     ecx, [esp+0Ch]
push    edx
call    near ptr dword_17210+0B0h
pop     esi
retn    0Ch

; selector 0Ch: sub_17600(ecx); result -> blk[0]
loc_1F170:
mov     ecx, [esp+8]
call    sub_17600
mov     ecx, [esp+10h]
mov     [ecx], eax
pop     esi
retn    0Ch

; selector 11h: sub_17390(ecx; blk[0], blk[4], blk[8], blk[0Ch])
loc_1F183:
mov     eax, [esp+10h]
mov     edx, [eax+0Ch]
mov     ecx, [eax+8]
push    edx
mov     edx, [eax+4]
mov     eax, [eax]
push    ecx
mov     ecx, [esp+10h]
push    edx
push    eax
call    sub_17390
pop     esi
retn    0Ch

; selector 12h: sub_177D0(ecx; blk[0], blk[4]); result -> blk[8]
loc_1F1A3:
mov     esi, [esp+10h]
mov     ecx, [esi+4]
mov     edx, [esi]
push    ecx
mov     ecx, [esp+0Ch]
push    edx
call    sub_177D0
mov     [esi+8], eax

; selectors 0Dh..10h land here directly: nothing is done, just return
loc_1F1BA:
pop     esi

locret_1F1BB:
retn    0Ch
align 10h
; jump table indexed by the selector, 19 entries (0..12h)
off_1F1C0 dd offset loc_1F015
dd offset loc_1F039
dd offset loc_1F055
dd offset loc_1F081
dd offset loc_1F0A1
dd offset loc_1F0C1
dd offset loc_1F0E8
dd offset loc_1F0FF
dd offset loc_1F112
dd offset loc_1F11F
dd offset loc_1F13C
dd offset loc_1F157
dd offset loc_1F170
dd offset loc_1F1BA
dd offset loc_1F1BA
dd offset loc_1F1BA
dd offset loc_1F1BA
dd offset loc_1F183
dd offset loc_1F1A3
align 10h



; ---------------------------------------------------------------------------
; sub_1F210 - state-change handler on a driver context.
; Two stack arguments, callee-cleaned (retn 8):
;   arg_0  context pointer (esi); a NULL context returns immediately
;   arg_4  state value (edi); the code distinguishes 0, 1 and "other"
; NOTE(review): the 0 = stop / 1 = restart reading is inferred from the call
; pattern only; confirm against the callees.
; NOTE(review): [esi+1A3Ch] is handed to callees as ecx without a NULL check,
; although sub_1F2B0 stores 0 there when its pool allocation fails.
; ---------------------------------------------------------------------------
sub_1F210 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch

push    esi
mov     esi, [esp+arg_0]
test    esi, esi
jz      loc_1F2A7
push    edi
mov     edi, [esp+4+arg_4]
test    edi, edi
jnz     short loc_1F232
; state == 0: sub_13630(ecx = [ctx+1A3Ch]; 0)
mov     ecx, [esi+1A3Ch]
push    edi
call    sub_13630

loc_1F232:
; every state: sub_18980(state, [ctx+1A38h])
mov     eax, [esi+1A38h]
push    eax
push    edi
call    sub_18980
cmp     edi, 1
jnz     short loc_1F255
; state == 1: sub_186B0([ctx+1A38h], 41543134h) - the same call and constant
; that sub_1F2B0 issues during initialisation
mov     ecx, [esi+1A38h]
push    41543134h
push    ecx
call    sub_186B0

loc_1F255:
mov     ecx, [esi+1A3Ch]
push    edi
call    sub_11520
cmp     edi, 1
pop     edi
jnz     short loc_1F2A7
; state == 1 only: set both flags at +1A30h/+1A34h and repeat the
; sub_15DD0 setup with the buffer fields stored by sub_1F2B0
; ([ctx+14h], [ctx+18h], [ctx+1A1Ch], 40000h), last argument 1.
; NOTE(review): the result of sub_15DD0 is ignored here, whereas sub_1F2B0
; treats a negative result from the same call as a failure.
mov     edx, [esi+1A1Ch]
mov     eax, [esi+18h]
mov     ecx, [esi+14h]
push    1
push    40000h
push    edx
push    eax
push    ecx
mov     ecx, [esi+1A3Ch]
mov     dword ptr [esi+1A30h], 1
mov     dword ptr [esi+1A34h], 1
call    sub_15DD0
mov     ecx, [esi+1A3Ch]
call    sub_14290

loc_1F2A7:
pop     esi
retn    8
sub_1F210 endp

align 10h



; ---------------------------------------------------------------------------
; sub_1F2B0 - initialise the 1A40h-byte context passed in ecx.
; ecx holds the context ("this", kept in esi); six dword stack arguments,
; callee-cleaned (retn 18h). Only arg_0, arg_4 and arg_14 are read here.
;   arg_0   pointer to a resource/config block (kept in edi); fields read:
;           +1Ch, +34h, +20h/+24h/+28h and +38h/+3Ch/+40h (interrupt setup)
;   arg_14  value stored at [ctx+1A38h] and passed to sub_186B0/sub_13590
; Returns in eax: the status of the second IoConnectInterrupt on success,
; a negative sub_15DD0 result unchanged, or 0C000009Ah
; (STATUS_INSUFFICIENT_RESOURCES) for every other failure.
; NOTE(review): no failure path releases what was already acquired (pool
; blocks, contiguous memory, a connected first interrupt); cleanup depends
; entirely on the caller running sub_1F4E0 afterwards.
; ---------------------------------------------------------------------------
sub_1F2B0 proc near

var_18= dword ptr -18h
var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8
arg_14= dword ptr  18h

mov     eax, [esp+arg_14]
sub     esp, 8
push    ebx
push    ebp
push    esi
push    edi
; the context is dereferenced from here on without a NULL check; the caller
; sub_1F590 passes ecx = 0 when its allocation failed
mov     esi, ecx
push    41543134h
mov     edi, 1
push    eax
mov     [esi+1A30h], edi
mov     [esi+1A34h], edi
mov     [esi+1A38h], eax
call    sub_186B0
xor     ebx, ebx
mov     [esi+1A2Ch], ebx
; 16 x 16 = 256 iterations: clear one dword at stride 0Ch in two parallel
; runs, the first starting at ctx+1DCh (eax-0C00h), the second at ctx+0DDCh
lea     eax, [esi+0DDCh]
lea     edx, [edi+0Fh]

loc_1F2F0:
mov     ecx, 10h

loc_1F2F5:
mov     [eax-0C00h], ebx
mov     [eax], ebx
add     eax, 0Ch
sub     ecx, edi
jnz     short loc_1F2F5
sub     edx, edi
jnz     short loc_1F2F0
; 16 iterations: clear one dword at stride 0Ch starting at ctx+5Ch and at
; ctx+11Ch, plus 16 consecutive dwords starting at ctx+19D4h
lea     ecx, [esi+19D4h]
lea     eax, [esi+11Ch]
mov     edx, 10h
lea     esp, [esp+0]

loc_1F320:
mov     [eax-0C0h], ebx
mov     [eax], ebx
mov     [ecx], ebx
add     ecx, 4
add     eax, 0Ch
sub     edx, edi
jnz     short loc_1F320
; var_8/var_4 = { [arg_0+1Ch], [arg_0+34h] }, passed by address to sub_13590
mov     edi, [esp+18h+arg_0]
mov     eax, [edi+1Ch]
mov     ecx, [edi+34h]
; ExAllocatePoolWithTag(PoolType 0, 2E44h bytes, tag 774E6350h)
push    774E6350h
push    2E44h
push    ebx
mov     [esp+24h+var_8], eax
mov     [esp+24h+var_4], ecx
call    ds:ExAllocatePoolWithTag
mov     ebp, eax
cmp     ebp, ebx
jz      short loc_1F384
push    2E44h
push    ebx
push    ebp
call    memset
mov     edx, [esp+24h+arg_4]
mov     ecx, [esp+24h+arg_14]
add     esp, 0Ch
; sub_13590(ecx = new block; arg_14, &var_8, arg_4); its eax result is what
; gets stored at [ctx+1A3Ch] below
push    edx
lea     eax, [esp+1Ch+var_8]
push    eax
push    ecx
mov     ecx, ebp
call    sub_13590
jmp     short loc_1F386

loc_1F384:
; allocation failed: 0 is stored at [ctx+1A3Ch] and initialisation continues.
; NOTE(review): that 0 is later passed as ecx to sub_15DD0 and sub_13630 in
; this function with no check; a failed allocation should abort here.
xor     eax, eax

loc_1F386:
xor     ecx, ecx
mov     [esi+1A3Ch], eax
; MmAllocateContiguousMemory(401A0h bytes, highest acceptable physical
; address = 0:FFFFFFFFh, i.e. below 4 GiB); the size is kept at [ctx+20h]
push    ecx
or      eax, 0FFFFFFFFh
push    eax
push    401A0h
mov     dword ptr [esi+20h], 401A0h
call    ds:MmAllocateContiguousMemory
cmp     eax, ebx
mov     [esi+14h], eax
jz      loc_1F4C3
; record the physical address (low dword -> +18h, high dword -> +1Ch) and a
; second pointer 40000h bytes into the buffer (+1A1Ch), then zero the buffer
push    eax
call    ds:MmGetPhysicalAddress
mov     ecx, [esi+20h]
push    ecx
mov     [esi+18h], eax
mov     eax, [esi+14h]
mov     [esi+1Ch], edx
lea     edx, [eax+40000h]
push    ebx
push    eax
mov     [esi+1A1Ch], edx
mov     [esi+1A20h], ebx
mov     [esi+28h], ebx
call    memset
mov     edx, [esi+1A1Ch]
mov     eax, [esi+18h]
mov     ecx, [esi+14h]
add     esp, 0Ch
; sub_15DD0(ecx = [ctx+1A3Ch]; buffer VA, physical low dword, VA+40000h,
; 40000h, 0); a negative result is returned to the caller unchanged
push    ebx
push    40000h
push    edx
push    eax
push    ecx
mov     ecx, [esi+1A3Ch]
call    sub_15DD0
cmp     eax, ebx
jl      loc_1F4C8
; two 20h-byte ExAllocatePool(PoolType 0) blocks, each initialised with
; KeInitializeDpc(block, routine, ctx) and stored at +1A14h / +1A18h.
; NOTE(review): neither ExAllocatePool result is tested before it is passed
; to KeInitializeDpc; an allocation failure would make KeInitializeDpc write
; through a NULL pointer. A NULL check with a jump to the failure path is
; the expected pattern.
push    20h
mov     [esi+1A24h], ebx
push    ebx
mov     ebx, ds:ExAllocatePool
call    ebx ; ExAllocatePool
mov     ebp, ds:KeInitializeDpc
push    esi
push    offset sub_16A50
push    eax
mov     [esi+1A14h], eax
call    ebp ; KeInitializeDpc
push    20h
push    0
call    ebx ; ExAllocatePool
push    esi
push    offset sub_16B30
push    eax
mov     [esi+1A18h], eax
call    ebp ; KeInitializeDpc
; IoConnectInterrupt(&[ctx+8], sub_16B80, ctx, SpinLock 0,
;   Vector [arg_0+20h], Irql = SynchronizeIrql = byte [arg_0+24h],
;   InterruptMode 0, ShareVector 1, ProcessorEnableMask [arg_0+28h],
;   FloatingSave 0)
mov     edx, [edi+28h]
movzx   eax, byte ptr [edi+24h]
mov     ebp, ds:IoConnectInterrupt
push    0
push    edx
push    1
push    0
push    eax
push    eax
mov     eax, [edi+20h]
push    eax
push    0
push    esi
push    offset sub_16B80
lea     ebx, [esi+8]
push    ebx
call    ebp ; IoConnectInterrupt
test    eax, eax
jl      short loc_1F4C3
cmp     dword ptr [ebx], 0
jz      short loc_1F4C3
; second interrupt: same argument shape, taken from [arg_0+38h], byte
; [arg_0+3Ch] and [arg_0+40h], routine sub_16D10, object stored at [ctx+0Ch]
mov     edx, [edi+40h]
movzx   eax, byte ptr [edi+3Ch]
push    0
push    edx
push    1
push    0
push    eax
push    eax
mov     eax, [edi+38h]
push    eax
push    0
push    esi
lea     ecx, [esi+0Ch]
push    offset sub_16D10
push    ecx
call    ebp ; IoConnectInterrupt
mov     edi, eax
test    edi, edi
jl      short loc_1F4C3
cmp     dword ptr [esi+0Ch], 0
jz      short loc_1F4C3
cmp     dword ptr [ebx], 0
jz      short loc_1F4C3
; success: sub_13630(ecx = [ctx+1A3Ch]; 1), then return the status of the
; second IoConnectInterrupt call
mov     ecx, [esi+1A3Ch]
push    1
call    sub_13630
mov     eax, edi
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    18h

loc_1F4C3:
; common failure exit: the specific IoConnectInterrupt status is discarded
; and replaced by 0C000009Ah (STATUS_INSUFFICIENT_RESOURCES)
mov     eax, 0C000009Ah

loc_1F4C8:
pop     edi
pop     esi
pop     ebp
pop     ebx
add     esp, 8
retn    18h
sub_1F2B0 endp

align 10h



; ---------------------------------------------------------------------------
; sub_1F4E0 - tear down what sub_1F2B0 set up on the context in ecx.
; ecx holds the context (kept in esi); no stack arguments, plain retn.
; Order: sub_13630(..., 0), disconnect both interrupts, drain both DPCs from
; their queue, free the DPC blocks, free the [ctx+1A3Ch] block, free the
; contiguous buffer.
; NOTE(review): several steps assume sub_1F2B0 completed. [ctx+1A3Ch] is used
; as ecx for sub_13630 before the NULL test further down, and the DPC
; pointers at +1A14h/+1A18h are passed to KeRemoveQueueDpc and
; ExFreePoolWithTag without a NULL test, although sub_1F2B0 has failure exits
; that leave them zero.
; NOTE(review): removing a DPC from the queue does not wait for a DPC routine
; that is already running; no KeFlushQueuedDpcs call is visible before the
; context-owned memory is freed. Confirm a running DPC cannot still touch it.
; ---------------------------------------------------------------------------
sub_1F4E0 proc near

var_8= dword ptr -8

push    ebp
push    esi
push    edi
mov     esi, ecx
mov     ecx, [esi+1A3Ch]
; ebp stays 0 for the whole function and is used as the NULL/zero constant
xor     ebp, ebp
push    ebp
call    sub_13630
; disconnect the first interrupt object if one was stored, then clear it
mov     eax, [esi+8]
cmp     eax, ebp
mov     edi, ds:IoDisconnectInterrupt
jz      short loc_1F506
push    eax
call    edi ; IoDisconnectInterrupt
mov     [esi+8], ebp

loc_1F506:
; same for the second interrupt object
mov     eax, [esi+0Ch]
cmp     eax, ebp
jz      short loc_1F513
push    eax
call    edi ; IoDisconnectInterrupt
mov     [esi+0Ch], ebp

loc_1F513:
mov     edi, ds:KeRemoveQueueDpc
lea     esp, [esp+0]

loc_1F520:
; repeat KeRemoveQueueDpc on the first DPC while it returns nonzero
mov     eax, [esi+1A14h]
push    eax
call    edi ; KeRemoveQueueDpc
test    al, al
jnz     short loc_1F520
lea     ecx, [ecx+0]

loc_1F530:
; same for the second DPC
mov     ecx, [esi+1A18h]
push    ecx
call    edi ; KeRemoveQueueDpc
test    al, al
jnz     short loc_1F530
; free both DPC blocks with ExFreePoolWithTag(ptr, tag 0) and clear the slots
mov     edx, [esi+1A14h]
push    ebx
mov     ebx, ds:ExFreePoolWithTag
push    ebp
push    edx
call    ebx ; ExFreePoolWithTag
mov     eax, [esi+1A18h]
push    ebp
push    eax
mov     [esi+1A14h], ebp
call    ebx ; ExFreePoolWithTag
mov     edi, [esi+1A3Ch]
cmp     edi, ebp
mov     [esi+1A18h], ebp
jz      short loc_1F579
; sub_135D0(ecx = block) followed by freeing the block.
; NOTE(review): unlike the other fields, [ctx+1A3Ch] is not cleared after the
; free and is left as a stale pointer; the visible caller sub_1F610 frees
; the context right afterwards.
mov     ecx, edi
call    sub_135D0
push    ebp
push    edi
call    ebx ; ExFreePoolWithTag

loc_1F579:
; release the contiguous buffer if it was allocated, then clear the slot
mov     eax, [esi+14h]
cmp     eax, ebp
pop     ebx
jz      short loc_1F58B
push    eax
call    ds:MmFreeContiguousMemory
mov     [esi+14h], ebp

loc_1F58B:
pop     edi
pop     esi
pop     ebp
retn
sub_1F4E0 endp ; sp =  8

align 10h



; ---------------------------------------------------------------------------
; sub_1F590 - allocate a 1A40h-byte context and initialise it.
; Seven dword stack arguments, callee-cleaned (retn 1Ch):
;   arg_0..arg_14  forwarded unchanged, in order, to sub_1F2B0
;   arg_18         pointer that receives the result of the call to 17210h+50h
; Returns the context pointer in eax (0 if the allocation failed).
; NOTE(review): two defects are visible on the error paths.
;   1. When ExAllocatePoolWithTag returns NULL, esi is set to 0 and execution
;      still falls into sub_1F2B0 with ecx = 0, which writes to [ecx+1A30h].
;      The allocation-failure branch should return instead.
;   2. The status returned by sub_1F2B0 is discarded, so a context whose
;      initialisation failed is handed back as if it were valid.
; ---------------------------------------------------------------------------
sub_1F590 proc near

arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h
arg_10= dword ptr  18h
arg_14= dword ptr  1Ch
arg_18= dword ptr  20h

push    esi
; ExAllocatePoolWithTag(PoolType 0, 1A40h bytes, tag 774E6350h)
push    774E6350h
push    1A40h
push    0
call    ds:ExAllocatePoolWithTag
mov     esi, eax
test    esi, esi
jz      short loc_1F5CF
; zero the whole block, then clear the two flags at +1A30h/+1A34h again
push    1A40h
push    0
push    esi
call    memset
add     esp, 0Ch
mov     dword ptr [esi+1A30h], 0
mov     dword ptr [esi+1A34h], 0
jmp     short loc_1F5D1

loc_1F5CF:
; allocation failed: esi = 0, but control still reaches loc_1F5D1
xor     esi, esi

loc_1F5D1:
; forward arg_0..arg_14 to sub_1F2B0 with ecx = context
mov     eax, [esp+arg_14]
mov     ecx, [esp+arg_10]
mov     edx, [esp+arg_C]
push    eax
mov     eax, [esp+4+arg_8]
push    ecx
mov     ecx, [esp+8+arg_4]
push    edx
mov     edx, [esp+0Ch+arg_0]
push    eax
push    ecx
push    edx
mov     ecx, esi
call    sub_1F2B0
; eax from sub_1F2B0 is overwritten by the next call without being examined
mov     ecx, esi
call    near ptr dword_17210+50h
mov     ecx, [esp+arg_18]
push    esi
; arg_18 is written through without a NULL check
mov     [ecx], eax
call    sub_18160
mov     eax, esi
pop     esi
retn    1Ch
sub_1F590 endp

align 10h



; ---------------------------------------------------------------------------
; sub_1F610 - destroy a context created by sub_1F590.
; One stack argument, callee-cleaned (retn 4): arg_0 = context pointer.
; A NULL pointer is accepted and ignored; otherwise sub_1F4E0 tears the
; context down and the block itself is freed with ExFreePoolWithTag(ctx, 0).
; ---------------------------------------------------------------------------
sub_1F610 proc near

arg_0= dword ptr  8

push    esi
mov     esi, [esp+arg_0]
test    esi, esi
jz      short loc_1F629
mov     ecx, esi
call    sub_1F4E0
push    0
push    esi
call    ds:ExFreePoolWithTag

loc_1F629:
pop     esi
retn    4
sub_1F610 endp ; sp =  4

align 10h
; START OF FUNCTION CHUNK FOR sub_1FB60

; ---------------------------------------------------------------------------
; loc_1F630 - chunk of sub_1FB60, reached by jmp from loc_1FB75.
; arg_0 = context pointer, arg_4 = request block ("req", kept in esi).
; The sub-selector is req[8]; values 1..5 are accepted (index = req[8]-1,
; unsigned compare against 4). eax returns 0 (edi) for every accepted value
; and 0C000000Dh (STATUS_INVALID_PARAMETER) otherwise.
; NOTE(review): req is read up to +28h and written at +0Ch/+10h/+1Ch with no
; NULL or length check visible in this chunk or in sub_1FB60.
; ---------------------------------------------------------------------------
loc_1F630:
push    esi
mov     esi, [esp+4+arg_4]
mov     eax, [esi+8]
push    edi
add     eax, 0FFFFFFFFh
xor     edi, edi
cmp     eax, 4          ; switch 5 cases
ja      loc_1F6C8       ; default
jmp     ds:off_1F6D4[eax*4] ; switch jump

; index 0: store two constant dwords (31505345h, 654F3130h) into req[0Ch]
; and req[10h]
loc_1F64E:              ; case 0x0
mov     eax, edi
pop     edi
mov     dword ptr [esi+0Ch], 31505345h
mov     dword ptr [esi+10h], 654F3130h
pop     esi
retn    8

; index 1: sub_18300(req[14h])
loc_1F663:              ; case 0x1
mov     eax, [esi+14h]
push    eax
call    sub_18300
mov     eax, edi
pop     edi
pop     esi
retn    8

; index 2: sub_18140(), no arguments
loc_1F673:              ; case 0x2
call    sub_18140
mov     eax, edi
pop     edi
pop     esi
retn    8

; index 3: sub_17820(ecx = arg_0; req[28h], req[18h], req[20h], req[24h]);
; the result is written back to req[1Ch]
loc_1F67F:              ; case 0x3
mov     edx, [esi+24h]
mov     ecx, [esi+20h]
mov     eax, [esi+18h]
push    ebx
mov     ebx, [esi+28h]
push    edx
push    ecx
mov     ecx, [esp+14h+arg_0]
push    eax
push    ebx
call    sub_17820
mov     [esi+1Ch], eax
pop     ebx
mov     eax, edi
pop     edi
pop     esi
retn    8

; index 4: sub_17810(ecx = arg_0; req[28h], req[18h], req[1Ch], req[20h],
; req[24h]); result not stored
loc_1F6A4:              ; case 0x4
mov     ecx, [esi+24h]
mov     edx, [esi+20h]
mov     eax, [esi+1Ch]
push    ecx
mov     ecx, [esi+18h]
push    edx
mov     edx, [esi+28h]
push    eax
push    ecx
mov     ecx, [esp+18h+arg_0]
push    edx
call    sub_17810
mov     eax, edi
pop     edi
pop     esi
retn    8

loc_1F6C8:              ; default
pop     edi
mov     eax, 0C000000Dh
pop     esi
retn    8
; END OF FUNCTION CHUNK FOR sub_1FB60
align 4
off_1F6D4 dd offset loc_1F64E ; jump table for switch statement
dd offset loc_1F663
dd offset loc_1F673
dd offset loc_1F67F
dd offset loc_1F6A4
align 10h
; START OF FUNCTION CHUNK FOR sub_1FB60

; ---------------------------------------------------------------------------
; loc_1F6F0 - chunk of sub_1FB60, reached by jmp from loc_1FB7E.
; arg_0 = context pointer, arg_4 = request block ("req", kept in esi).
; "push ecx" reserves the local var_4, which is initialised to 0 and is the
; status returned by most handlers. The sub-selector is req[8]; values 1..0Bh
; are accepted (index = req[8]-1, unsigned compare against 0Ah, 11-entry
; table). Index 5 and out-of-range values return 0C000000Dh
; (STATUS_INVALID_PARAMETER).
; NOTE(review): handlers read req up to +74h, write results into req, and in
; two places treat a req field as a handle (req[10h]) or as a pointer that is
; written through (req[48h]). No NULL, length or address validation is
; visible in this chunk; whether req is a validated kernel copy or comes
; straight from a less-trusted caller cannot be told from this listing and
; should be confirmed at the entry point that calls sub_1FB60.
; ---------------------------------------------------------------------------
loc_1F6F0:
push    ecx
push    ebx
push    esi
mov     esi, [esp+0Ch+arg_4]
mov     eax, [esi+8]
add     eax, 0FFFFFFFFh
cmp     eax, 0Ah
push    edi
mov     [esp+10h+var_4], 0
ja      loc_1F960
jmp     ds:off_1F974[eax*4]

; index 8: compute a value for req[40h]. It is 0 when dword_1E204 is zero,
; 1 when the context or [ctx+1A3Ch] is NULL or both sub_13960 probes return
; 0, otherwise the result of sub_136A0.
loc_1F716:
xor     ebx, ebx
cmp     dword_1E204, ebx
jz      short loc_1F766
mov     edi, [esp+10h+arg_0]
test    edi, edi
mov     ebx, 1
jz      short loc_1F766
mov     ecx, [edi+1A3Ch]
test    ecx, ecx
jz      short loc_1F766
push    0
push    0
push    2
call    sub_13960
test    eax, eax
jnz     short loc_1F759
mov     ecx, [edi+1A3Ch]
push    eax
push    ebx
push    2
call    sub_13960
test    eax, eax
jz      short loc_1F766

loc_1F759:
mov     ecx, [edi+1A3Ch]
call    sub_136A0
mov     ebx, eax

loc_1F766:
mov     eax, [esp+10h+var_4]
pop     edi
mov     [esi+40h], ebx
pop     esi
pop     ebx
pop     ecx
retn    8

; index 0: req[10h] is a handle. Zero clears [ctx+19D8h]; nonzero resolves
; the handle to an object pointer.
loc_1F774:
mov     esi, [esi+10h]
test    esi, esi
jnz     short loc_1F790
mov     eax, [esp+10h+arg_0]
pop     edi
mov     [eax+19D8h], esi
mov     eax, [esp+0Ch+var_4]
pop     esi
pop     ebx
pop     ecx
retn    8

loc_1F790:
; ObReferenceObjectByHandle(Handle = req[10h], DesiredAccess 0,
;   ObjectType NULL, AccessMode 1, Object = &dword_1E20C,
;   HandleInformation NULL); the call's status is the return value.
; NOTE(review): defensive gaps visible in this path -
;   * ObjectType is NULL, so the handle is not checked against any object
;     type; if [ctx+19D8h] is later used as one specific kind of object (not
;     visible here), the expected type should be passed.
;   * dword_1E20C is copied into [ctx+19D8h] before/without testing the
;     returned status.
;   * the output lands in a global first, which is shared by every caller of
;     this path; confirm calls are serialised.
;   * no dereference of a previously stored object is visible in either
;     branch; confirm the reference is released elsewhere.
push    0
push    offset dword_1E20C
push    1
push    0
push    0
push    esi
call    ds:ObReferenceObjectByHandle
mov     ecx, [esp+28h+var_14]
mov     edx, dword_1E20C
pop     edi
pop     esi
mov     [esp+20h+var_1C], eax
mov     [ecx+19D8h], edx
pop     ebx
pop     ecx
retn    8

; index 1: call the code at 17210h (shown by IDA as data) with ecx = arg_0
; and stack arguments (0, req[20h], 0, 0, 0); its result is returned
loc_1F7BF:
mov     eax, [esi+20h]
mov     ecx, [esp+10h+arg_0]
push    0
push    0
push    0
push    eax
push    0
call    near ptr dword_17210
pop     edi
pop     esi
mov     [esp+1Ch+var_18], eax
pop     ebx
pop     ecx
retn    8

; index 2: sub_17640(ecx = arg_0; req[24h], req[28h], req[2Ch],
;   [dword_1E204+4] - [dword_1E204+8] + req[30h], req[38h])
; NOTE(review): dword_1E204 is dereferenced without the zero test that
; indices 4 and 8 apply to it, and the request-supplied req[30h] is added
; into the fourth argument with no range check visible here.
loc_1F7DF:
mov     eax, dword_1E204
mov     edx, [eax+4]
sub     edx, [eax+8]
mov     ecx, [esi+38h]
add     edx, [esi+30h]
mov     eax, [esi+2Ch]
push    ecx
mov     ecx, [esi+28h]
push    edx
mov     edx, [esi+24h]
push    eax
push    ecx
mov     ecx, [esp+20h+arg_0]
push    edx
call    sub_17640
mov     eax, [esp+10h+var_4]
pop     edi
pop     esi
pop     ebx
pop     ecx
retn    8

; index 3: nullsub_2(ctx; 1) first if req[40h] is nonzero, then
; sub_17670(ctx; req[3Ch], req[40h]), then nullsub_2(ctx; 0) if req[40h] was
; zero; the sub_17670 result replaces req[40h]
loc_1F812:
cmp     dword ptr [esi+40h], 0
mov     edi, [esp+10h+arg_0]
jz      short loc_1F825
push    1
mov     ecx, edi
call    nullsub_2

loc_1F825:
mov     eax, [esi+40h]
mov     ecx, [esi+3Ch]
push    eax
push    ecx
mov     ecx, edi
call    sub_17670
cmp     dword ptr [esi+40h], 0
mov     ebx, eax
jnz     short loc_1F845
push    0
mov     ecx, edi
call    nullsub_2

loc_1F845:
mov     eax, [esp+10h+var_4]
pop     edi
mov     [esi+40h], ebx
pop     esi
pop     ebx
pop     ecx
retn    8

; index 4: replace the object tracked in the global dword_1E204.
; req[44h] == 0: sub_18390(dword_1E204), then the global is cleared.
; NOTE(review): on that path sub_18390 receives dword_1E204 even when it is
; already zero; confirm sub_18390 tolerates that.
loc_1F853:
mov     edi, [esi+44h]
test    edi, edi
jnz     short loc_1F877
mov     edx, dword_1E204
push    edx
call    sub_18390
mov     eax, [esp+10h+var_4]
mov     dword_1E204, edi
pop     edi
pop     esi
pop     ebx
pop     ecx
retn    8

loc_1F877:
; req[44h] != 0 and an object already exists: if sub_136A0([ctx+1A3Ch])
; returns nonzero, write 0 through the pointer in req[48h] and fail with
; 0C0000001h (STATUS_UNSUCCESSFUL); otherwise release the old object first
cmp     dword_1E204, 0
jz      short loc_1F8BB
mov     eax, [esp+10h+arg_0]
mov     ecx, [eax+1A3Ch]
call    sub_136A0
test    eax, eax
jz      short loc_1F8AF
mov     ecx, [esi+48h]
pop     edi
mov     [esp+0Ch+var_4], 0C0000001h
mov     eax, [esp+0Ch+var_4]
pop     esi
mov     dword ptr [ecx], 0
pop     ebx
pop     ecx
retn    8

loc_1F8AF:
mov     edx, dword_1E204
push    edx
call    sub_18390

loc_1F8BB:
; sub_18330(req[44h]) creates the new object; its field at +8 is written
; through the pointer in req[48h] and the object becomes dword_1E204.
; NOTE(review): the sub_18330 result is dereferenced without a NULL test, and
; req[48h] is a request-supplied pointer written through with no validation
; visible here (also at loc_1F877 above).
push    edi
call    sub_18330
mov     ecx, [esi+48h]
mov     edx, [eax+8]
pop     edi
pop     esi
mov     dword_1E204, eax
mov     eax, [esp+8+var_4]
mov     [ecx], edx
pop     ebx
pop     ecx
retn    8

; index 7: sub_13630(ecx = [ctx+1A3Ch]; req[40h])
loc_1F8D9:
mov     eax, [esi+40h]
mov     ecx, [esp+10h+arg_0]
mov     ecx, [ecx+1A3Ch]
push    eax
call    sub_13630
mov     eax, [esp+10h+var_4]
pop     edi
pop     esi
pop     ebx
pop     ecx
retn    8

; index 9: sub_15260(ecx = [ctx+1A3Ch]; req[70h], req[74h])
loc_1F8F7:
mov     edx, [esi+74h]
mov     eax, [esi+70h]
mov     ecx, [esp+10h+arg_0]
mov     ecx, [ecx+1A3Ch]
push    edx
push    eax
call    sub_15260
mov     eax, [esp+10h+var_4]
pop     edi
pop     esi
pop     ebx
pop     ecx
retn    8

; index 6: nullsub_2(ctx; req[40h]), then
; sub_17570(ctx; req[58h], req[5Ch], req[40h]); the result replaces req[40h]
loc_1F919:
mov     edx, [esi+40h]
mov     edi, [esp+10h+arg_0]
push    edx
mov     ecx, edi
call    nullsub_2
mov     eax, [esi+40h]
mov     ecx, [esi+5Ch]
mov     edx, [esi+58h]
push    eax
push    ecx
push    edx
mov     ecx, edi
call    sub_17570
pop     edi
mov     [esi+40h], eax
mov     eax, [esp+0Ch+var_4]
pop     esi
pop     ebx
pop     ecx
retn    8

; index 0Ah: req[40h] = sub_17710(ctx)
loc_1F949:
mov     ecx, [esp+10h+arg_0]
call    sub_17710
pop     edi
mov     [esi+40h], eax
mov     eax, [esp+0Ch+var_4]
pop     esi
pop     ebx
pop     ecx
retn    8

; index 5 and every out-of-range value: return 0C000000Dh
loc_1F960:
pop     edi
mov     [esp+0Ch+var_4], 0C000000Dh
mov     eax, [esp+0Ch+var_4]
pop     esi
pop     ebx
pop     ecx
retn    8
; END OF FUNCTION CHUNK FOR sub_1FB60
align 4
; jump table indexed by req[8]-1, 11 entries
off_1F974 dd offset loc_1F774
dd offset loc_1F7BF
dd offset loc_1F7DF
dd offset loc_1F812
dd offset loc_1F853
dd offset loc_1F960
dd offset loc_1F919
dd offset loc_1F8D9
dd offset loc_1F716
dd offset loc_1F8F7
dd offset loc_1F949
; START OF FUNCTION CHUNK FOR sub_1FB60

; ---------------------------------------------------------------------------
; loc_1F9A0 - chunk of sub_1FB60, reached by jmp from loc_1FB87.
; arg_0 = context pointer, arg_4 = request block ("req", kept in edi).
; "push ecx" reserves the local var_4. ebx is the status (0 unless a handler
; changes it). The sub-selector is req[8]; values 1..0Bh are accepted
; (index = req[8]-1, unsigned compare against 0Ah, 11-entry table);
; anything else returns 0C000000Dh (STATUS_INVALID_PARAMETER).
; NOTE(review): several handlers use req fields as raw pointers or handles
; (req[10h], req[48h]) with no probing, length check or exception guard
; visible in this chunk. Whether req and the addresses inside it are already
; validated kernel-side copies cannot be determined from this listing;
; confirm at the entry point that feeds sub_1FB60.
; ---------------------------------------------------------------------------
loc_1F9A0:
push    ecx
push    ebx
push    esi
push    edi
mov     edi, [esp+10h+arg_4]
mov     eax, [edi+8]
add     eax, 0FFFFFFFFh
xor     ebx, ebx
cmp     eax, 0Ah        ; switch 11 cases
ja      short loc_1FA2C ; default
jmp     ds:off_1FB34[eax*4] ; switch jump

; index 9: sub_174E0(ctx; req[10h]), then sub_174B0(ctx; sub_174D0(ctx))
loc_1F9BC:              ; case 0x9
mov     eax, [edi+10h]
mov     esi, [esp+10h+arg_0]
push    eax
mov     ecx, esi
call    sub_174E0
mov     ecx, esi
call    sub_174D0
push    eax
mov     ecx, esi
call    sub_174B0
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 0: copy 147h dwords (51Ch bytes) from the address returned by
; sub_174D0(ctx) to the address stored in req[10h].
; NOTE(review): the destination is taken from the request as-is: no NULL
; test, no size field and no address validation are visible before the
; rep movsd. If req[10h] can be influenced by a less-trusted caller this is
; a fixed-size kernel-mode write to a caller-chosen address; the usual
; mitigation is to copy into a length-checked system buffer, or to probe and
; lock the destination under an exception guard. The sub_174D0 result is
; also used without a NULL test.
loc_1F9E3:              ; case 0x0
mov     ecx, [esp+10h+arg_0]
call    sub_174D0
mov     edi, [edi+10h]
mov     esi, eax
mov     ecx, 147h
rep movsd
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 1: sub_174E0(ctx; req[10h]) - the pointer from the request is passed
; through unvalidated; what sub_174E0 does with it is not visible here
loc_1FA01:              ; case 0x1
mov     ecx, [edi+10h]
push    ecx
mov     ecx, [esp+14h+arg_0]
call    sub_174E0
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 3: sub_17880(ctx; req[28h], req[2Ch]); a zero result falls through
; into the default path and returns 0C000000Dh
loc_1FA17:              ; case 0x3
mov     edx, [edi+2Ch]
mov     eax, [edi+28h]
mov     ecx, [esp+10h+arg_0]
push    edx
push    eax
call    sub_17880
test    eax, eax
jnz     short loc_1FA31

loc_1FA2C:              ; default
mov     ebx, 0C000000Dh

loc_1FA31:
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 4: req[28h] = sub_17600(ctx)
loc_1FA3A:              ; case 0x4
mov     ecx, [esp+10h+arg_0]
call    sub_17600
mov     [edi+28h], eax
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 2: req[20h] and req[18h] are copied into two stack slots (var_4 and
; the reused arg_4 slot), sub_174F0(ctx; req[0Ch], &var_4, &arg_4) is called,
; and both slots are written back to req[20h] / req[18h]
loc_1FA4F:              ; case 0x2
mov     ecx, [edi+20h]
mov     edx, [edi+18h]
mov     [esp+10h+var_4], ecx
lea     eax, [esp+10h+arg_4]
push    eax
lea     ecx, [esp+14h+var_4]
mov     [esp+14h+arg_4], edx
mov     edx, [edi+0Ch]
push    ecx
mov     ecx, [esp+18h+arg_0]
push    edx
call    sub_174F0
mov     eax, [esp+10h+arg_4]
mov     ecx, [esp+10h+var_4]
mov     [edi+18h], eax
mov     [edi+20h], ecx
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 5: sub_17610(ctx)
loc_1FA8B:              ; case 0x5
mov     ecx, [esp+10h+arg_0]
call    sub_17610
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 0Ah: req[50h] = sub_17830(ctx)
loc_1FA9D:              ; case 0xA
mov     ecx, [esp+10h+arg_0]
call    sub_17830
mov     [edi+50h], eax
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 8: sub_17620(ctx)
loc_1FAB2:              ; case 0x8
mov     ecx, [esp+10h+arg_0]
call    sub_17620
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 6: nullsub_3(ctx; req[30h], req[34h], req[38h], req[3Ch], req[40h],
; req[44h])
loc_1FAC4:              ; case 0x6
mov     edx, [edi+44h]
mov     eax, [edi+40h]
mov     ecx, [edi+3Ch]
push    edx
mov     edx, [edi+38h]
push    eax
mov     eax, [edi+34h]
push    ecx
mov     ecx, [edi+30h]
push    edx
push    eax
push    ecx
mov     ecx, [esp+28h+arg_0]
call    nullsub_3
pop     edi
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

; index 7: req[48h] is a handle. Zero clears [ctx+19D4h]; nonzero resolves
; the handle to an object pointer.
loc_1FAEE:              ; case 0x7
mov     edi, [edi+48h]
cmp     edi, ebx
jnz     short loc_1FB08
mov     edx, [esp+10h+arg_0]
pop     edi
pop     esi
mov     [edx+19D4h], ebx
mov     eax, ebx
pop     ebx
pop     ecx
retn    8

loc_1FB08:
; ObReferenceObjectByHandle(Handle = req[48h], DesiredAccess 0,
;   ObjectType NULL, AccessMode 1, Object = &dword_1E208,
;   HandleInformation NULL); the call's status is returned in eax.
; NOTE(review): same gaps as the matching handler in the loc_1F6F0 chunk -
; no object-type check on the handle, the pointer in dword_1E208 is stored
; into [ctx+19D4h] without testing the status, the output passes through a
; global shared by all callers, and no release of a previously stored
; object is visible in either branch.
push    ebx
push    offset dword_1E208
push    1
push    ebx
push    ebx
push    edi
call    ds:ObReferenceObjectByHandle
mov     ecx, dword_1E208
mov     ebx, eax
mov     eax, [esp+28h+var_14]
pop     edi
mov     [eax+19D4h], ecx
pop     esi
mov     eax, ebx
pop     ebx
pop     ecx
retn    8
; END OF FUNCTION CHUNK FOR sub_1FB60
off_1FB34 dd offset loc_1F9E3 ; jump table for switch statement
dd offset loc_1FA01
dd offset loc_1FA4F
dd offset loc_1FA17
dd offset loc_1FA3A
dd offset loc_1FA8B
dd offset loc_1FAC4
dd offset loc_1FAEE
dd offset loc_1FAB2
dd offset loc_1F9BC
dd offset loc_1FA9D



; ---------------------------------------------------------------------------
; sub_1FB60 - top-level request dispatcher.
; Two dword stack arguments, callee-cleaned (retn 8 on every path, including
; the chunks it jumps to):
;   arg_0  context pointer, passed on to the handlers
;   arg_4  pointer to a request block; req[0] selects the group handled
;          here, req[8] selects the operation inside the chunk
; req[0] = 1 -> loc_1F630, 2 -> loc_1F6F0, 3 -> loc_1F9A0; 4 and every other
; value return 0C000000Dh (STATUS_INVALID_PARAMETER).
; NOTE(review): arg_4 is dereferenced immediately with no NULL test, and no
; length for the request block is passed or checked anywhere in this
; function or its chunks, although handlers read offsets up to +74h.
; Confirm the caller guarantees a fully sized, trusted copy of the block.
; ---------------------------------------------------------------------------
sub_1FB60 proc near

var_1C= dword ptr -1Ch
var_18= dword ptr -18h
var_14= dword ptr -14h
var_4= dword ptr -4
arg_0= dword ptr  4
arg_4= dword ptr  8

; FUNCTION CHUNK AT PAGE:0001F630 SIZE 000000A2 BYTES
; FUNCTION CHUNK AT PAGE:0001F6F0 SIZE 00000283 BYTES
; FUNCTION CHUNK AT PAGE:0001F9A0 SIZE 00000194 BYTES

mov     eax, [esp+8]
mov     ecx, [eax]
add     ecx, 0FFFFFFFFh ; switch 4 cases
cmp     ecx, 3
ja      short loc_1FB90 ; default
jmp     ds:off_1FB98[ecx*4] ; switch jump

; each case stores eax back into the arg_4 slot it was loaded from (the value
; is unchanged) and tail-jumps into the chunk, which returns to our caller
loc_1FB75:              ; case 0x1
mov     [esp+8], eax
jmp     loc_1F630

loc_1FB7E:              ; case 0x2
mov     [esp+8], eax
jmp     loc_1F6F0

loc_1FB87:              ; case 0x3
mov     [esp+8], eax
jmp     loc_1F9A0

loc_1FB90:              ; default
mov     eax, 0C000000Dh
retn    8
sub_1FB60 endp ; sp = -18h

off_1FB98 dd offset loc_1FB75 ; jump table for switch statement
dd offset loc_1FB7E
dd offset loc_1FB87
dd offset loc_1FB90
align 80h
PAGE ends

; Section 7. (virtual address 00010000)
; Virtual size                  : 000006FA (   1786.)
; Section size in file          : 00000800 (   2048.)
; Offset to raw data for section: 0000B000
; Flags E2000020: Text Discardable Executable Readable Writable
; Alignment     : default

; Segment type: Pure code
; Segment permissions: Read/Write/Execute
INIT segment para public 'CODE' use32
assume cs:INIT
;org 20000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; NOTE(review): this table is data, not code, and its shape suggests the PE
; import directory: three five-dword groups followed by an all-zero group,
; then zero-terminated lists of RVA-sized values. That matches the three
; module names that appear later in this segment ('ntoskrnl.exe', 'HAL.dll',
; 'portcls.sys'). Confirm against the import data directory in the PE header.
; The function-name strings that follow appear cut mid-identifier (for
; example 'terlockedIncrement', 'fCompleteRequest') because the disassembler
; defined separate items across the hint/name entries; for the list of
; imported kernel APIs, rely on the names attached to the call sites
; (ds:ExAllocatePoolWithTag, ds:IoConnectInterrupt, ...) rather than on
; these strings.
dword_20000 dd 10068h, 2 dup(0)
dd 1065Ch, 0D018h, 10050h, 2 dup(0)
dd 106D2h, 0D000h, 1015Ch, 2 dup(0)
dd 106EEh, 0D10Ch, 5 dup(0)
dd 106ACh, 1069Ah, 10686h, 1066Ah, 106BEh
dd 0
dd 101D6h, 101EEh, 10208h, 10212h, 10222h
dd 10232h, 10244h, 10258h, 10266h, 1027Ah
dd 10294h, 102A0h, 102B6h, 102CAh, 102E6h
dd 102F6h, 1030Ch, 1031Eh, 10336h, 10354h
dd 1036Eh, 10382h, 1039Ah, 103B2h, 103C8h
dd 101C4h, 103ECh, 103FEh, 1041Ch, 1043Ah
dd 1044Ch, 10462h, 1047Eh, 10498h, 104B0h
dd 104C8h, 104E0h, 104F0h, 10504h, 1051Ch
dd 1053Eh, 10562h, 1057Eh, 1059Ah, 105B0h
dd 105BCh, 105C8h, 105E0h, 105F0h, 10610h
dd 10620h, 10636h, 1064Ah, 101B2h, 101A8h
dd 10194h, 10186h, 1017Ch, 103DAh, 10164h
dd 0
dd 106DAh, 0
db  67h ; g
align 2
aExallocatepool db 'ExAllocatePoolWithTag',0
aPMemset db 'p',7,'memset',0
align 2
db '|',0
aExfreepool db 'ExFreePool',0
align 4
db 0E9h ; T
db 2, 4Bh, 65h
aQuerysystemtim db 'QuerySystemTime',0
dd 775A0699h, 736F6C43h, 7010065h, 7551775Ah
dd 56797265h, 65756C61h, 79654Bh, 78450064h
dd 6F6C6C41h, 65746163h, 6C6F6F50h, 5460000h
aRtlinitunicode db 'RtlInitUnicodeString',0
align 2
dw 21Ah
aIoopendevicere db 'IoOpenDeviceRegistryKey',0
aNMemcpy db 'n',7,'memcpy',0
align 2
aZwsetvaluekey db '(',7,'ZwSetValueKey',0
dw 381h
aMmmapiospace db 'MmMapIoSpace',0
align 2
dw 3A1h
aMmunmapiospace db 'MmUnmapIoSpace',0
align 4
db '}',0
aExfreepoolwith db 'ExFreePoolWithTag',0
dd 654B0313h, 45746553h, 746E6576h, 2D40000h
dd 6E49654Bh, 74726573h, 75657551h, 63704465h
dd 3240000h
aKesynchronizee db 'KeSynchronizeExecution',0
align 4
db 0E9h ; T
db 1, 49h, 6Fh
aFreemdl db 'FreeMdl',0
db 0A2h ; ó
db 3, 4Dh, 6Dh
aUnmaplockedpag db 'UnmapLockedPages',0
align 2
dw 382h
aMmmaplockedpag db 'MmMapLockedPages',0
align 2
dw 360h
aMmbuildmdlforn db 'MmBuildMdlForNonPagedPool',0
dw 1A0h
aIoallocatemdl db 'IoAllocateMdl',0
dw 1BDh
aIoconnectinter db 'IoConnectInterrupt',0
align 4
retn
db 2, 4Bh, 65h
aInitializedpc db 'InitializeDpc',0
dw 370h
aMmgetphysicala db 'MmGetPhysicalAddress',0
align 2
dw 358h
aMmallocatecont db 'MmAllocateContiguousMemory',0
align 4
db  6Bh ; k
db 3, 4Dh, 6Dh
aFreecontiguous db 'FreeContiguousMemory',0
align 2
dw 305h
aKeremovequeued db 'KeRemoveQueueDpc',0
align 2
dw 1DCh
aIodisconnectin db 'IoDisconnectInterrupt',0
dw 527h
aRtlfreeunicode db 'RtlFreeUnicodeString',0
align 2
dw 1F8h
aIogetdevicepro db 'IoGetDeviceProperty',0
dd 6F500441h, 50746553h, 7265776Fh, 74617453h
dd 1D50065h, 65446F49h, 6574656Ch, 69766544h
dd 6563h, 6F4901D8h, 61746544h, 65446863h
dd 65636976h, 1A90000h
aIoattachdevice db 'IoAttachDeviceToDeviceStack',0
db 0FDh ; ²
db 1, 49h, 6Fh
aGetdriverobjec db 'GetDriverObjectExtension',0
align 2
dw 1C1h
aIocreatedevice db 'IoCreateDevice',0
align 4
db  82h ; é
db 2, 49h, 6Fh
aFcompletereque db 'fCompleteRequest',0
align 2
dw 243h
aIosetdeviceint db 'IoSetDeviceInterfaceState',0
dw 217h
aIoiswdmversion db 'IoIsWdmVersionAvailable',0
db  94h ; ö
db 1, 49h, 6Eh
aTerlockedincre db 'terlockedIncrement',0
align 10h
db  91h ; æ
db 1, 49h, 6Eh
aTerlockeddecre db 'terlockedDecrement',0
align 4
db  30h ; 0
db 3, 4Bh, 65h
aWaitforsingleo db 'WaitForSingleObject',0
db  81h ; ü
db 2, 49h, 6Fh
aFcalldriver db 'fCallDriver',0
db 0C4h ; -
db 2, 4Bh, 65h
aInitializeeven db 'InitializeEvent',0
db 0E6h ; µ
db 4, 52h, 74h
aLcopyunicodest db 'lCopyUnicodeString',0
align 4
db  9Dh ; ¥
db 1, 49h, 6Fh
aAllocatedriver db 'AllocateDriverObjectExtension',0
dw 219h
aIoopendevicein db 'IoOpenDeviceInterfaceRegistryKey',0
align 2
dw 22Ch
aIoregisterdevi db 'IoRegisterDeviceInterface',0
dw 423h
aObreferenceobj db 'ObReferenceObjectByHandle',0
dw 42Ch
aObfreferenceob db 'ObfReferenceObject',0
align 10h
aBSwprintf db 'ü',7,'swprintf',0
align 4
db 0E8h ; F
db 1, 49h, 6Fh
aFreeirp db 'FreeIrp',0
db  2Bh ; +
db 4, 4Fh, 62h
aFdereferenceob db 'fDereferenceObject',0
align 10h
db  9Fh ; ƒ
db 1, 49h, 6Fh
aAllocateirp db 'AllocateIrp',0
db 0EEh ; e
db 1, 49h, 6Fh
aGetattacheddev db 'GetAttachedDeviceReference',0
align 10h
db  33h ; 3
db 4, 50h, 6Fh
aCalldriver db 'CallDriver',0
align 10h
db  45h ; E
db 4, 50h, 6Fh
aStartnextpower db 'StartNextPowerIrp',0
dw 43Dh
aPorequestpower db 'PoRequestPowerIrp',0
aG db 'ú',0
aExqueueworkite db 'ExQueueWorkItem',0
aNtoskrnl_exe db 'ntoskrnl.exe',0
align 2
aU db 'U',0
aKestallexecuti db 'KeStallExecutionProcessor',0
aF db 'f',0
aWrite_port_ulo db 'WRITE_PORT_ULONG',0
align 2
db '`',0
aRead_port_ulon db 'READ_PORT_ULONG',0
a_ db '_',0
aRead_port_ucha db 'READ_PORT_UCHAR',0
db 'L',0
aKegetcurrentir db 'KeGetCurrentIrql',0
align 2
aHal_dll db 'HAL.dll',0
dw 0Fh
aPcgettimeinter db 'PcGetTimeInterval',0
aPortcls_sys db 'portcls.sys',0
align 200h
INIT ends

; Section 8. (virtual address 00011000)
; Virtual size                  : 000000B0 (    176.)
; Section size in file          : 00000200 (    512.)
; Offset to raw data for section: 0000B800
; Flags 40000040: Data Readable
; Alignment     : default

; Segment type: Pure data
; Segment permissions: Read
_rsrc segment para public 'DATA' use32
assume cs:_rsrc
;org 21000h
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    0
db    0
db    1
db    0
db  18h
db    0
db    0
db    0
db  18h
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    0
db    0
db    1
db    0
db    1
db    0
db    0
db    0
db  30h ; 0
db    0
db    0
db  80h ; Ç
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    0
db    4
db    0
db    0
db    0
db    0
db    0
db    1
db    0
db    9
db    4
db    0
db    0
db  48h ; H
db    0
db    0
db    0
db  58h ; X
db  10h
db    1
db    0
db  56h ; V
db    0
db    0
db    0
db 0E4h ; S
db    4
db    0
db    0
db    0
db    0
db    0
db    0
db  3Ch ; <
db  61h ; a
db  73h ; s
db  73h ; s
db  65h ; e
db  6Dh ; m
db  62h ; b
db  6Ch ; l
db  79h ; y
db  20h
db  78h ; x
db  6Dh ; m
db  6Ch ; l
db  6Eh ; n
db  73h ; s
db  3Dh ; =
db  22h ; "
db  75h ; u
db  72h ; r
db  6Eh ; n
db  3Ah ; :
db  73h ; s
db  63h ; c
db  68h ; h
db  65h ; e
db  6Dh ; m
db  61h ; a
db  73h ; s
db  2Dh ; -
db  6Dh ; m
db  69h ; i
db  63h ; c
db  72h ; r
db  6Fh ; o
db  73h ; s
db  6Fh ; o
db  66h ; f
db  74h ; t
db  2Dh ; -
db  63h ; c
db  6Fh ; o
db  6Dh ; m
db  3Ah ; :
db  61h ; a
db  73h ; s
db  6Dh ; m
db  2Eh ; .
db  76h ; v
db  31h ; 1
db  22h ; "
db  20h
db  6Dh ; m
db  61h ; a
db  6Eh ; n
db  69h ; i
db  66h ; f
db  65h ; e
db  73h ; s
db  74h ; t
db  56h ; V
db  65h ; e
db  72h ; r
db  73h ; s
db  69h ; i
db  6Fh ; o
db  6Eh ; n
db  3Dh ; =
db  22h ; "
db  31h ; 1
db  2Eh ; .
db  30h ; 0
db  22h ; "
db  3Eh ; >
db  0Dh
db  0Ah
db  3Ch ; <
db  2Fh ; /
db  61h ; a
db  73h ; s
db  73h ; s
db  65h ; e
db  6Dh ; m
db  62h ; b
db  6Ch ; l
db  79h ; y
db  3Eh ; >
db  50h ; P
db  41h ; A
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
db  58h ; X
db  58h ; X
db  50h ; P
db  41h ; A
db  44h ; D
db  44h ; D
db  49h ; I
db  4Eh ; N
db  47h ; G
_rsrc ends


end start
@